Huawei AR Series Access Routers

CLI-based Typical Configuration Examples

Issue V3.2
Date 2019-08-02

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2019. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com
Huawei AR Series Access Routers
CLI-based Typical Configuration Examples Contents

Contents

1 About This Document.................................................................................................................. 1


2 Introduction and Basic Operations............................................................................................ 5
2.1 Deployment.................................................................................................................................................................... 5
2.1.1 Example for Using a U Disk to Upgrade Software and Deploy Services................................................................... 5
2.2 Logging In to the Device................................................................................................................................................ 9
2.2.1 Example for Configuring First Login Through the Console Port............................................................................... 9
2.2.2 Example for Configuring Login Through the Console Port After Password Authentication Succeeds................... 12
2.2.3 Example for Performing Basic Configurations on the Device Through the Console Port........................................13
2.2.4 Example for Logging In to the Router Using Telnet................................................................................................. 14
2.2.5 Example for Configuring Login Through Asynchronous Serial Port Redirection....................................................15
2.2.6 Example for Logging In to the Router Using STelnet (Password Authentication Mode).........................................17
2.2.7 Example for Configuring Login to the Device Through STelnet (RSA Authentication Mode)............................... 19
2.2.8 Example for Configuring Login Through RADIUS Authentication When the Device Functions as a Client......... 26
2.2.9 Displaying the Device Status.....................................................................................................................................28
2.3 Upgrade........................................................................................................................................................................ 41
2.3.1 Example for Using the BootROM Menu to Upgrade a System Software Package from an FTP Server..................41
2.3.2 Example for Using the BootROM Menu to Upgrade a System Software Package from a TFTP Server................. 44
2.3.3 Example for Using the Router as a TFTP Client to Upgrade the Router.................................................................. 47
2.3.4 Example for Using the Router as an FTP Client to Upgrade the Router...................................................................49
2.3.5 Example for Using the Router as an FTP Server to Upgrade the Router.................................................................. 50
2.4 BootROM Menu Operations........................................................................................................................................ 53
2.4.1 Example for Deleting Console Port and Telnet Passwords Through BootROM.......................................................53
2.4.2 Example for Changing the File Name Through BootROM...................................................................................... 58
2.4.3 Example for Changing the BootROM Password Through BootROM...................................................................... 61
2.5 Device Management..................................................................................................................................................... 62
2.5.1 Example for Outputting Log Information to a Log Host...........................................................................................62
2.5.2 Example for Outputting Log Information to a Log File............................................................................................ 63

3 Internet Access............................................................................................................................. 66
3.1 NAT.............................................................................................................................................................................. 66
3.1.1 Example for Connecting Intranet Users to the Internet in Easy IP Mode................................................................. 66
3.1.2 Example for Connecting Intranet Users to the Internet in NAT Address Pool Mode............................................... 67
3.1.3 Example for Configuring NAT to Enable Users to Access the Internet and Provide the WWW Service Externally
............................................................................................................................................................................................ 68

Issue V3.2 (2019-08-02) Copyright © Huawei Technologies Co., Ltd. ii



3.1.4 Example for Connecting VPN Users to the Internet In NAT Mode.......................................................................... 69
3.1.5 Example for Configuring NAT to Allow the Internal Host and External Host to Access the Internal Server Using
an External IP Address....................................................................................................................................................... 71
3.1.6 Example for Configuring NAT Static and Outbound NAT to Implement Communication Between Public Network
Users and Servers............................................................................................................................................................... 73
3.1.7 Example for Configuring NAT and Redirection to Implement Two Egresses and Provide the Web Service...........74
3.1.8 Configuring Internal Users to Access the External Server with an Overlapping IP Address Through NAT............78
3.1.9 Configuring NAT to Translate Source and Destination IP Addresses Simultaneously.............................................79
3.2 Bandwidth Management...............................................................................................................................................80
3.2.1 Example for Preventing P2P Software Download.................................................................................................... 80
3.2.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses................82

4 Building a LAN............................................................................................................................ 84
4.1 Example for Configuring Layer 3 Link Aggregation to Improve the Link Bandwidth and Reliability.......................84
4.2 Example for Configuring VLAN Assignment..............................................................................................................86
4.3 Example for Configuring Sub-interfaces to Implement Inter-VLAN Communication................................................88
4.4 Example for Configuring a VLANIF Interface to Implement Inter-VLAN Communication...................................... 89
4.5 Example for Configuring GVRP to Implement Automatic VLAN Registration......................................................... 91
4.6 Example for Configuring Transparent Bridging to Implement Communication on the Same Network Segment.......92
4.7 Example for Configuring Transparent Bridging to Implement Communication on Different Network Segments..... 94
4.8 Example for Configuring a Transparent Bridge to Transmit QinQ Packets.................................................................95
4.9 Example for Configuring the UDP Helper to Enable Inter-Network Users to Access Each Other Using Host Names
............................................................................................................................................................................................ 97
4.10 Example for Configuring the Proxy ARP to Implement Remote Communication of Routers on the Same Subnet
............................................................................................................................................................................................ 98

5 Using Dedicated Lines to Implement WAN Interconnection.......................................... 100


5.1 Example for Configuring Port Isolation..................................................................................................................... 101
5.2 Example for Configuring a POS Interface................................................................................................................. 102
5.3 Example for Configuring a CPOS Interface...............................................................................................................104
5.4 Example for Configuring an ATM Interface.............................................................................................................. 105
5.5 Example for Configuring an AR to Communicate with a Cisco Router Using Synchronous Serial Interfaces...........106
5.5.1 Overview................................................................................................................................................................. 107
5.5.2 Precautions...............................................................................................................................................................107
5.5.3 Networking Requirements....................................................................................................................................... 107
5.5.4 Configuration Procedure..........................................................................................................................................107
5.5.4.1 Configuring the AR.............................................................................................................................................. 107
5.5.4.2 Configuring the Cisco Router...............................................................................................................................108
5.5.5 Verification.............................................................................................................................................................. 109
5.5.6 Exception Handling................................................................................................................................................. 110
5.6 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (E1 Mode).................................... 110
5.7 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (CE1 Mode)................................. 111
5.8 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a WCDMA Network). 113
5.9 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a CDMA2000 Network)
.......................................................................................................................................................................................... 115


5.10 Example for Configuring an Enterprise to Connect to the Internet Through LTE Links......................................... 117
5.11 Example for Configuring IPoA to Connect a LAN to the Internet...........................................................................118
5.12 Example for Configuring IPoEoA to Connect a LAN to the Internet...................................................................... 120
5.13 Example for Configuring PPPoEoA to Connect Users to the Internet Using PPP...................................................121
5.14 Example for Configuring PPPoA to Connect Users to the Internet Using PPP....................................................... 123
5.15 Example for Configuring PPPoFR to Implement LAN Interconnections................................................................ 125
5.16 Example for Configuring an FR Network to Connect LANs Using IP Protocols....................................................126
5.17 Example for Configuring an MP Group................................................................................................................... 127
5.18 Example for Binding PPP Links to a Virtual Template to Implement MP...............................................................129
5.19 Example for Binding User Names to Virtual Interface Templates to Implement MP..............................................130
5.20 Example for Configuring the Device as a PPPoE Client to Connect Device to the Internet................................... 133
5.21 Example for Configuring the Device as a PPPoE Client (IPv6) to Connect Device to the Internet........................ 134
5.22 Example for Configuring the Device as a PPPoE Server to Connect Users to the Internet..................................... 137
5.23 Example for Connecting the Router to the Internet Through the External ADSL Modem Using PPPoE............... 138
5.24 Example for Connecting the Router to the PSTN Through a Modem (in C-DCC Mode)....................................... 139
5.25 Example for Connecting the Router to the ISDN Through the ISDN PRI Interface (in RS-DCC Mode)...............141
5.26 Example for Configuring HDLC to Implement Interconnections............................................................................143

6 Using VPN to Implement WAN Interconnection............................................................... 145


6.1 L2TP........................................................................................................................................................................... 145
6.1.1 Example for Configuring L2TP to Implement Communication Between the Headquarters and Users in Different
Domains of the Branch .................................................................................................................................................... 145
6.1.2 Example for Configuring L2TP to Implement Communication Between the Headquarters and Branches and IPSec
to Encrypt Data Transmitted Between the Headquarters Servers and Branches..............................................................148
6.1.3 Example for Configuring L2TP over IPSec to Implement Secure Communication Between the Branch and
Headquarters..................................................................................................................................................................... 151
6.1.4 Example for Configuring an L2TP Tunnel for Remote Dial-Up Users to Connect to the Headquarters................154
6.1.5 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the
Authentication Domain (Windows XP)............................................................................................................................164
6.1.6 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the
Authentication Domain (Windows 7)...............................................................................................................................176
6.1.7 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the
Authentication Domain (VPN Client).............................................................................................................................. 184
6.1.8 Example for Configuring L2TP over IPSec for Remote Dial-Up Users to Traverse NAT Devices and Connect to
the Headquarters over the Internet....................................................................................................................................191
6.1.9 Example for Configuring L2TP over IPSec for Remote Dial-Up Users to Connect to the Headquarters.............. 201
6.1.10 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Communicate
with the Headquarters....................................................................................................................................................... 236
6.1.11 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Access the
RADIUS Server in the Headquarters................................................................................................................................239
6.1.12 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the Headquarters Through
Automatic Dial-up............................................................................................................................................................ 241
6.1.13 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the RADIUS Server in the
Headquarters Through Automatic Dial-up....................................................................................................................... 243
6.1.14 Example for Configuring Multiple L2TP Instances to Implement Communication Between the Headquarters and
Branches........................................................................................................................................................................... 245


6.1.15 Example for Configuring Multiple L2TP Instances to Implement Communication Between Branches and the
RADIUS Server in the Headquarters................................................................................................................................248
6.1.16 Example for Configuring the LAC Using a 3G Interface to Establish an L2TP Tunnel to Communicate with the
Headquarters Through Automatic Dial-up....................................................................................................................... 252
6.1.17 Example for Configuring the LAC Using a 4G Interface to Establish an L2TP Tunnel to Communicate with the
Headquarters Through Automatic Dial-up....................................................................................................................... 254
6.1.18 Example for Establishing an L2TP Tunnel to Connect a Mobile Office User to the Headquarters (Android Phone)
.......................................................................................................................................................................................... 256
6.1.19 Example for Configuring Layer 2 Network Interconnection Between Branches and the Headquarters Through
L2TP over Bridge............................................................................................................................................................. 258
6.2 GRE............................................................................................................................................................................ 261
6.2.1 Example for Configuring a GRE Tunnel and Static Routes on the Tunnel to Implement Interworking................ 261
6.2.2 Example for Configuring a GRE Tunnel and OSPF on the Tunnel to Implement Interworking............................ 263
6.2.3 Example for Configuring GRE over GRE to Implement Data Encryption............................................................. 266
6.2.4 Example for Configuring IPSec over GRE to Implement Secure Communication Between the Headquarters and
Branch...............................................................................................................................................................................268
6.2.5 Example for Configuring GRE Tunnels to Implement Communication Between the Headquarters and Branches
.......................................................................................................................................................................................... 271
6.2.6 Example for Configuring an IPv6 over IPv4 GRE Tunnel......................................................................................274
6.3 DSVPN....................................................................................................................................................................... 276
6.3.1 Example for Configuring DSVPN to Allow Branches to Learn Routes from Each Other and Implement
Communication Between the Branches (Applicable When There Are a Small Number of Branches)........................... 276
6.3.2 Example for Configuring DSVPN to Allow Branches to Learn Only Summarized Routes to the Headquarters and
Implement Communication Between the Branches (Applicable When There Are a Large Number of Branches)......... 278
6.3.3 Example for Configuring DSVPN to Implement Stable Communication Between the Branches Through Dual
Hubs in the Headquarters................................................................................................................................................. 280
6.4 IPSec........................................................................................................................................................................... 292
6.4.1 Example for Manually Establishing an IPSec Tunnel............................................................................................. 292
6.4.2 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (Without DPD).........294
6.4.3 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (with DPD).............. 296
6.4.4 Example for Establishing an IPSec Tunnel That Traverses NAT Devices.............................................................. 299
6.4.5 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters to Implement Separate
Protection of Multiple Access Resources in the Headquarters.........................................................................................302
6.4.6 Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters............... 305
6.4.7 Example for Configuring Two Devices to Pass PKI Identity Authentication Before Establishing an IPSec Tunnel
.......................................................................................................................................................................................... 308
6.4.8 Example for Configuring VRRP in the Headquarters to Allow the Branch to Establish an IPSec Tunnel with the
Headquarters Using the VRRP Virtual Address...............................................................................................................313
6.4.9 Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy
Template........................................................................................................................................................................... 317
6.4.10 Example for Configuring the Branch to Access the Internet Through the 3G Interface and Configuring the
Headquarters to Establish an IPSec Tunnel with the Branch Using the IPSec Policy Template..................................... 321
6.4.11 Example for Configuring GRE Over IPSec to Implement Communication Between Devices.............................324
6.4.12 Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and
Headquarters..................................................................................................................................................................... 327
6.4.13 Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and
Headquarters and NAT to Implement Communication Between Branches (Running OSPF)......................................... 332


6.4.14 Example for Establishing an IPSec over GRE Tunnel Between the Headquarters and Branch (Based on ACL)
.......................................................................................................................................................................................... 338
6.4.15 Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)...................341
6.4.16 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through IKE Negotiation in
Domain Name Mode........................................................................................................................................................ 345
6.4.17 Example for Establishing an L2TP over IPSec Tunnel for Employees on a Business Trip to Connect to the
Headquarters..................................................................................................................................................................... 348
6.4.18 Example for Configuring the Headquarters to Manage Branches (Cisco Routers) Using Efficient VPN and
Establishing IPSec Tunnels.............................................................................................................................................. 352
6.4.19 Example for Configuring the Headquarters (Cisco Router) to Manage Branches Using Efficient VPN and
Establishing IPSec Tunnels.............................................................................................................................................. 355
6.4.20 Example for Establishing an IPSec Tunnel In Manual and IKE Negotiation Modes............................................357
6.4.21 Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link
Shared IPSec Policy Group.............................................................................................................................................. 362
6.4.22 Example for Configuring IPSec Reverse Route Injection.....................................................................................365
6.4.23 Example for Implementing QoS Guarantee for Traffic Passing Through the IPSec Tunnel................................ 369
6.4.24 Example for Configuring the Branch to Access Internet Using a 4G Interface and Establish IPSec Tunnel with
the Headquarters Using IPSec Policy Template............................................................................................................... 373
6.4.25 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through Active and Standby
Links................................................................................................................................................................................. 376
6.4.26 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Using Wired Lines............. 379
6.5 BGP/MPLS IP VPN................................................................................................................................................... 382
6.5.1 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices.........................382
6.5.2 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between the Branch and
Headquarters and Between Branches............................................................................................................................... 386
6.5.3 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices on a Hierarchical
Network............................................................................................................................................................................ 391
6.5.4 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option A Mode..........................................................394
6.5.5 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option B Mode..........................................................399
6.5.6 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option C Mode
6.5.7 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running IS-IS Between the PEs and CEs)
6.5.8 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running BGP Between the PEs and CEs)
6.5.9 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running OSPF Between the PEs and CEs)
6.5.10 Example for Configuring an OSPF Sham Link to Prevent Traffic Between Users in One VPN of the Same OSPF Area from Being Forwarded Based on the OSPF Intra-Area Routes
6.5.11 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running Static Routes Between the PEs and CEs)
6.5.12 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running RIP Between the PEs and CEs)
6.5.13 Example for Configuring Route Reflection to Optimize the VPN Backbone Layer
6.6 VLL
6.6.1 Example for Configuring Martini VLL to Implement Communication Among Devices
6.6.2 Example for Configuring VLL to Implement Communication over a GRE Tunnel


6.7 PWE3
6.7.1 Example for Configuring E&M Interfaces for Transmitting VHF Services in ATC Scenario (Dual Link Protection on the Backbone Network)

7 IP Address Allocation
7.1 Example for Configuring the Router to Function as a DHCP Server to Dynamically Assign IP Addresses to Clients
7.2 Example for Configuring the Router to Function as a DHCP Client to Dynamically Obtain an IP Address
7.3 Example for Configuring DHCP Relay to Enable Users to Obtain IP Addresses from a DHCP Server
7.4 Example for Configuring Users to Automatically Obtain IPv6 Addresses

8 Deploying Routing
8.1 IP Static Route
8.1.1 Example for Configuring IPv4 Static Routes
8.1.2 Example for Configuring NQA for Static IPv4 Routes
8.1.3 Example for Configuring IPv6 Static Routes
8.1.4 Example for Configuring BFD for IPv4 Static Routes
8.1.5 Example for Configuring AR Routers to Be Connected to Layer 3 Switches Through IPv4 Static Routes
8.1.6 Example for Configuring Fixed IP Addresses for Two Outbound Interfaces of IPv4 Static Routes
8.2 RIP
8.2.1 Example for Configuring RIP
8.2.2 Example for Configuring BFD for RIP
8.3 RIPng
8.3.1 Example for Configuring RIPng
8.4 OSPF
8.4.1 Example for Configuring OSPF
8.4.2 Example for Configuring an OSPF Virtual Link
8.4.3 Example for Configuring an OSPF Stub Area
8.4.4 Example for Configuring an OSPF NSSA
8.4.5 Example for Configuring Route Summarization in an OSPF Area
8.4.6 Example for Configuring OSPF to Summarize Imported Routes
8.4.7 Example for Configuring OSPF Route Filtering
8.4.8 Example for Configuring BFD for OSPF
8.5 OSPFv3
8.5.1 Example for Configuring OSPFv3
8.5.2 Example for Configuring Two OSPFv3 Processes for Communication
8.5.3 Example for Configuring OSPFv3 Route Filtering
8.6 IS-IS(IPv4)
8.6.1 Example for Configuring IS-IS Route Leaking
8.6.2 Example for Configuring IS-IS Route Aggregation
8.6.3 Example for Configuring BFD for IS-IS
8.7 IS-IS(IPv6)
8.7.1 Example for Configuring IS-IS IPv6
8.8 BGP


8.8.1 Example for Configuring BGP
8.8.2 Example for Configuring a BGP Route Reflector
8.8.3 Example for Configuring the Local Preference and Community Attribute in a BGP Route-policy
8.8.4 Example for Applying the AS-Path Attribute to a Route-Policy
8.8.5 Example for Configuring a BGP4+ Route Reflector
8.8.6 Example for Configuring BGP4+ Load Balancing
8.8.7 Example for Configuring a BGP4+ Confederation
8.8.8 Example for Configuring BFD for BGP
8.9 Policy-based Routing
8.9.1 Example for Configuring Interface PBR
8.9.2 Example for Configuring PBR
8.10 Routing Policy
8.10.1 Example for Configuring a Route-Policy

9 Deploying IP Multicast
9.1 Example for Configuring IGMP to Enable User Host to Receive Multicast Video Information
9.2 Example for Configuring PIM-SM to Transmit Multicast Data on a Network
9.3 Example for Configuring a GRE Tunnel to Transmit Multicast Data over a Unicast Network
9.4 Example for Configuring IGMP Snooping Policies to Enable Users to Receive Data of Specified Multicast Groups
9.5 Example for Configuring Static Group Member Ports and Router Port to Implement Layer 2 Multicast

10 Deploying MPLS
10.1 Example for Configuring the MPLS Local Session Function on Backbone Devices to Forward Data on the MPLS Network
10.2 Example for Configuring the MPLS Remote Session Function on Backbone Devices to Forward VPN Data on the MPLS Network
10.3 Example for Configuring Static LSP to Implement Communication Between the Headquarters and Branch
10.4 Example for Configuring LDP LSP to Implement Communication Between the Headquarters and Branch
10.5 Example for Configuring MPLS TE to Implement Communication Between the Headquarters and Branch

11 Deploying WLAN AP
11.1 Example for Configuring Wireless User Access to a WLAN
11.2 Example for Configuring WEP Open System Authentication and WEP Encryption
11.3 Example for Configuring 802.1x+PEAP+TKIP(V200R003 and V200R005)
11.4 Example for Configuring 802.1x+TKIP (V200R006 and V200R007)
11.5 Example for Configuring 802.1x+PEAP+CCMP(V200R003 and V200R005)
11.6 Example for Configuring 802.1x+CCMP (V200R006 and V200R007)
11.7 Example for Configuring PSK Authentication and TKIP Encryption
11.8 Example for Configuring PSK Authentication and CCMP Encryption
11.9 Example for Configuring WAPI Authentication
11.10 Example for Configuring a WLAN QoS Policy

12 Deploying WLAN AC
12.1 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)


12.2 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)
12.3 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)
12.4 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)
12.5 Example for Configuring Basic WLAN Services on a Large-Scale Network(V200R006 and V200R007)
12.6 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network) (V200R008 And Later Versions)
12.7 Example for Configuring WLAN Services on a Medium-Scale Network (V200R008 And Later Versions)
12.8 Example for Configuring WLAN Services on a Large-Scale Network (V200R008 And Later Versions)

13 Deploying Voice
13.1 Versions Between V200R001C01 and V200R002C00
13.1.1 Example for Configuring Basic Voice Features
13.1.2 Example for Configuring Voice Services for a Small- or Medium-sized Enterprise
13.1.3 Example for Configuring Voice Services Between the Headquarters and Branch Through Leased Lines
13.1.4 Example for Configuring Access to the IMS Network Using a SIP AT0 Trunk
13.1.5 Example for Configuring Voice and Internet Services for a Small- or Medium-sized Enterprise
13.1.6 Example for Configuring Voice Services Across Areas Through an IPSec Tunnel
13.2 Versions Between V200R002C00SPC100 and V200R003C01
13.2.1 Example for Configuring Basic Voice Features
13.2.2 Example for Configuring Voice Services for a Small- or Medium-sized Enterprise
13.2.3 Example for Configuring Voice Services Between the Headquarters and Branch Through Leased Lines
13.2.4 Example for Configuring Access to the IMS Network Using a SIP AT0 Trunk
13.2.5 Example for Configuring Voice and Internet Services for a Small- or Medium-sized Enterprise
13.2.6 Example for Configuring Voice Services Across Areas Through an IPSec Tunnel
13.2.7 Configuring the PBX to Use the E1R2 Trunk to Implement Voice Services Between the Headquarters and Branch
13.2.8 Example for Using the PRA Trunk to Connect to the PSTN Network
13.2.9 Example for Configuring a PRA Trunk to Connect to the Traditional TDM PBX
13.2.10 Configuring the AR as the PSTN Gateway to Connect the LTE Network
13.2.11 Configuring Rerouting Analysis to Ensure Voice Call Quality for Users with a Low Priority
13.3 V200R005C10 and later versions
13.3.1 Example for Configuring Voice Services for Small- and Medium-sized Enterprises
13.3.2 Example for Configuring Distributed Networking
13.3.3 Example for Expanding the Capacity of the Live-Network PBX
13.3.4 Example for Configuring PBX Sharing for Different Enterprises
13.3.5 Example for Configuring an AR as a Branch Gateway to Access UC

14 Deploying Reliability
14.1 Example for Configuring Interface Backup Between 3G Interfaces
14.2 Example for Configuring Interface Backup Between ADSL and 3G Interfaces
14.3 Example for Configuring Interface Backup Between Ethernet Interfaces
14.4 Example for Configuring Dynamic Route Backup to Implement IP Network Backup on the ISDN


14.5 Example for Configuring Single-hop BFD for Detecting Link Faults
14.6 Example for Configuring Multi-hop BFD for Detecting Link Faults
14.7 Example for Configuring Association Between VRRP Load Balancing and BFD to Fast Switch Services and Detect Uplink Faults
14.8 Example for Configuring VRRP to Implement Gateway Redundancy
14.9 Example for Deploying VRRP to Load Services on the Master and Backup Devices

15 User Access and Authentication
15.1 Example for Configuring 802.1x Local Authentication to Authenticate Users
15.2 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through a RADIUS Server
15.3 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through Active/Standby RADIUS Servers
15.4 Example for Configuring Command Line Authorization for Telnet Users Through HWTACACS
15.5 Example for Configuring Authentication for STelnet Login Users (RADIUS Authentication)
15.6 Example for Configuring Authentication for Telnet Login Users (HWTACACS)

16 Deploying Device or Network Security
16.1 Example for Configuring Local Attack Defense
16.2 Example for Configuring ASPF to Allow the Intranet to Provide Only FTP Service
16.3 Example for Configuring ACL-based Packet Filtering So That Internal Users Cannot Access All External Networks
16.4 Example for Prohibiting External Users from Accessing the Web Platform
16.5 Example for Configuring DHCP Snooping to Allow Users to Communicate with Valid DHCP Servers

17 Deploying QoS
17.1 Example for Configuring Traffic Shaping
17.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses
17.3 Example for Configuring Traffic Policing to Limit All Traffic on a Network Segment
17.4 Example for Configuring Traffic Policing to Limit the Rate of Packets from Each IP Address on a Network Segment
17.5 Example for Configuring Congestion Avoidance and Congestion Management
17.6 Example for Preventing BT Download
17.7 Example for Configuring Access Control Based on Source MAC Addresses
17.8 Example for Using Two Egresses to Implement Mutual Access and Redirection
17.9 Example for Configuring a Queue Profile to Implement Congestion Avoidance and Congestion Management
17.10 Example for Configuring CBQ (V200R001C00, V200R001C01, V200R002C00, V200R002C01)
17.11 Example for Configuring CBQ (V200R002C02 and Later Versions)

18 Network Management and Monitoring
18.1 Example for Configuring the SNMP Function to Implement Communication Between the Device and the NMS
18.2 Example for Configuring the Netstream Function to Account User Traffic
18.3 Example for Configuring a UDP Jitter Test
18.4 Example for Configuring a TCP Test
18.5 Example for Configuring RMON to Remotely Monitor and Manage the Device


18.6 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication Enabled to Implement Clock Synchronization
18.7 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled to Implement Clock Synchronization
18.8 Example for Configuring the NTP Multicast Mode to Implement Clock Synchronization
18.9 Example for Configuring Local Port Mirroring to Monitor User Behaviors

19 Comprehensive Cases
19.1 Example for Configuring DHCP and NAT to Enable Users to Dynamically Obtain IP Addresses and Access the Internet
19.2 Associating IPSec with NQA to Implement Rapid Switching Between Active and Standby Peers and Links
19.3 Example for Configuring SPR to Implement Smart Routing on Voice Services


1 About This Document

This document is applicable to all product versions. The information in this document is
subject to change without notice. Every effort has been made in the preparation of this
document to ensure the accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or
implied.

Intended Audience
This document provides examples for configuring AR router features in typical usage
scenarios.

This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or
serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death
or serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor
or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in
equipment damage, data loss, performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal injury.

Calls attention to important information, best practices and tips.
NOTE is used to address information not related to personal injury, equipment
damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention        Description
Boldface          The keywords of a command line are in boldface.
Italic            Command arguments are in italics.
[ ]               Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }   Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]   Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*  Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*  Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>            The parameter before the & sign can be repeated 1 to n times.
#                 A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.


Security Conventions
• Password setting
  – When configuring a password, cipher text is recommended. To ensure device
    security, change the password periodically.
  – When you configure a password in plain text that starts and ends with %@%@,
    @%@%, %#%#, or %^%# (the password can be decrypted by the device), the
    password is displayed in the configuration file exactly as it was configured.
    Do not use this setting.
  – When you configure a password in cipher text, different features cannot use the
    same cipher-text password. For example, the cipher-text password set for the AAA
    feature cannot be used for other features.
• Encryption algorithm
  Currently, the device uses the following encryption algorithms: 3DES, AES, RSA,
  SHA1, SHA2, and MD5. 3DES, RSA, and AES are reversible, while SHA1, SHA2, and
  MD5 are irreversible. The encryption algorithms DES/3DES/RSA (RSA-1024 or
  lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital
  signature scenarios) provide low security, which may bring security risks. If the
  protocol allows, use more secure encryption algorithms, such as AES/RSA (RSA-2048 or
  higher)/SHA2/HMAC-SHA2. The encryption algorithm to use depends on actual
  networking. An irreversible encryption algorithm must be used for the
  administrator password; SHA2 is recommended.
• Personal data
  Some personal data may be obtained or used during operation or fault location of your
  purchased products, services, and features, so you have an obligation to make privacy
  policies and take measures according to the applicable law of the country to protect
  personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual
  are mentioned only to describe the product's function of communication error or failure
  detection, and do not involve collection or processing of any personal information or
  communication data of users.
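The password and algorithm rules above can be checked mechanically before a configuration is loaded. The following Python example is added here and is not Huawei code: the function names are hypothetical, and the sample lines are constructed and only loosely shaped like router configuration, not verified AR command syntax.

```python
import re

# Wrappers the page lists: a plain-text password that starts and ends with one
# of these is kept in the configuration file as typed and is decryptable.
CIPHER_MARKERS = ("%@%@", "@%@%", "%#%#", "%^%#")


def _word(name):
    """Match an algorithm name that is not part of a longer identifier."""
    return re.compile(r"(?<![a-z0-9])" + name + r"(?![a-z0-9])", re.I)


# "weak": low security per the page. "context": low security only in the
# scenarios the page names, so a person has to check how it is used.
TOKEN_RULES = [
    (_word("3des"), "weak", "3DES: low security"),
    (_word("des"), "weak", "DES: low security"),
    (_word("md5"), "context",
     "MD5: low security for digital signatures and password encryption"),
    (_word("sha-?1"), "context", "SHA1: low security for digital signatures"),
]
# RSA followed by a key size, written as on the page (RSA-1024, RSA-2048).
RSA_BITS = re.compile(r"(?<![a-z0-9])rsa[-_ ]?(\d{3,5})(?!\d)", re.I)


def audit_config(lines):
    """Return (line_number, severity, message) for every algorithm finding."""
    findings = []
    for number, line in enumerate(lines, 1):
        text = line.strip()
        # Per the command conventions, a line starting with # is a comment.
        if not text or text.startswith("#"):
            continue
        for pattern, severity, message in TOKEN_RULES:
            if pattern.search(text):
                findings.append((number, severity, message))
        for match in RSA_BITS.finditer(text):
            bits = int(match.group(1))
            if bits <= 1024:
                findings.append(
                    (number, "weak", f"RSA-{bits}: RSA-1024 or lower is low security"))
    return findings


def collides_with_cipher_markers(plaintext):
    """True if a plain-text password starts and ends with a reserved wrapper.

    The page does not say whether both ends must use the same wrapper, so any
    combination is rejected (assumption chosen to be conservative).
    """
    return plaintext.startswith(CIPHER_MARKERS) and plaintext.endswith(CIPHER_MARKERS)


# Constructed sample input (not exact AR syntax).
SAMPLE = [
    "# constructed sample",
    "ike proposal 5",
    " encryption-algorithm 3des-cbc",
    " authentication-algorithm md5",
    "ipsec proposal branch",
    " esp authentication-algorithm sha2-256",
    " esp encryption-algorithm aes-256",
    "host-key rsa-1024",
    "host-key rsa-2048",
    "trap-auth sha1",
]

if __name__ == "__main__":
    for number, severity, message in audit_config(SAMPLE):
        print(f"line {number}: [{severity}] {message}")
    for candidate in ("%^%#abc%^%#", "Str0ng-Pass"):
        print(candidate, "->", collides_with_cipher_markers(candidate))
```

Findings marked "context" need a manual check of how the algorithm is used, because the page rates MD5 and SHA1 as low security only in the scenarios it names.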

Reference Standards and Protocols


To obtain reference standards and protocols, log in to the Huawei official website, search for
"protocol compliance list", and download the Huawei AR Series Standard and Protocol
Comply Table.

Declaration
• This manual is only a reference for you to configure your devices. The contents in
the manual, such as web pages, command line syntax, and command outputs, are based
on the device conditions in the lab. The manual provides instructions for general
scenarios, but does not cover all usage scenarios of all product models. The
contents in the manual may be different from your actual device situations due to
the differences in software versions, models, and configuration files. The manual
will not list every possible difference. You should configure your devices
according to actual situations.
• The specifications provided in this manual are tested in a lab environment (for
example, the tested device has been installed with a certain type of boards or only
one protocol is run on the device). Results may differ from the listed
specifications when you attempt to obtain the maximum values with multiple
functions enabled on the device.

• In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.
• In this document, AR series access routers include
AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
Series.


2 Introduction and Basic Operations

2.1 Deployment
2.2 Logging In to the Device
2.3 Upgrade
2.4 BootROM Menu Operations
2.5 Device Management

2.1 Deployment

2.1.1 Example for Using a U Disk to Upgrade Software and Deploy Services

Applicability
This example applies to all versions and AR routers.

Networking Requirements
Software engineers do not need to commission devices onsite for device deployment. After
installing a device, you only need to insert the USB flash drive into the USB interface on the
device and power on the device. After being started, the device automatically upgrades
software.

Assume that you need to deploy two routers using the USB flash drive:

• The index file of the USB flash drive is edited at 08:09:10 on June 28, 2011.
• The EMS is offline.
• The first device's ESN is 0000080123456789 and MAC address is 0018-0303-1234.
• The second device's ESN is 6666680123456789 and MAC address is 0018-0303-5678.
• The system software software.cc is in the root directory of the USB flash drive.
The version is v1. The first device does not need to load the configuration file,
and the second device needs to load the configuration file config.zip.

Procedure
Step 1 Edit the index file USB_AR.ini of the USB flash drive.
To edit the index file on the PC, perform the following operations:
1. Create a text file.
2. Edit the index file in the following format:
BEGIN AR
[USB CONFIG]
SN=20110628.080910
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=0000080123456789
MAC=0018-0303-1234
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=6666680123456789
MAC=0018-0303-5678
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
TYPE2=SYSTEM-CONFIG
FILENAME2=config.zip
END AR

Table 2-1 Fields in the index file

Field
    Description

BEGIN AR
    Start flag of the index file.

USB CONFIG
    USB flash drive configuration.

SN
    Time the index file is edited, in format YYYYMMDD.HHMMSS.
    For example, if the index file is edited at 08:09:10 on June 28, 2011, the SN
    is 20110628.080910.

EMS_ONLINE_STATE
    Whether the EMS is online:
    – YES
    – NO

UPGRADE INFO
    Upgrade information.

OPTION
    Upgrade mode. The value is always AUTO.

DEVICENUM
    Number of devices to be upgraded:
    – To upgrade the software version of one device, set the value of DEVICENUM
      to 1 and use the device's ESN and MAC address.
    – To upgrade software versions of multiple devices to the same version, set
      the value of DEVICENUM to 1 and use the default ESN and MAC address.
    – To upgrade software versions of multiple devices to different versions, set
      the value of DEVICENUM to the number of devices to be upgraded and use
      devices' ESNs and MAC addresses.

DEVICEn DESCRIPTION
    Description header. The value of n starts from 1.

OPTION
    Whether a device needs to be upgraded:
    – OK: The device needs to be upgraded.
    NOTE
    If this field is not OK, the device does not need to be upgraded.

ESN
    Serial number of a device. If this field displays DEFAULT, the index file
    applies to all devices.

MAC
    MAC address of a device. If this field displays DEFAULT, the index file
    applies to all devices.

VERSION
    Target version.

DIRECTORY
    Directory where upgrade files are saved:
    – If the version files are saved in the root directory of the USB flash drive,
      set this field to DEFAULT.
    – If the version files are saved in another directory, set this field to the
      actual directory. For example, DIRECTORY=abc.

FILENUM
    Number of files to be loaded.
    If only the system software needs to be loaded, set this field to 1. If the
    system software and patch file need to be loaded, set this field to 2.

TYPEn
    File type:
    – SYSTEM-SOFTWARE: system software package
    – SYSTEM-CONFIG: configuration file
      NOTE
      • If a device supports the voice function and works as a PBX, the
        configuration file is SYSTEM-CONFIG_PBX.
      • If a device supports the voice function and works as a SIP AG, the
        configuration file is SYSTEM-CONFIG_SIPAG.
    – SYSTEM-PAT: patch file
    – SYSTEM-LICENSE: license file
    – SYSTEM-VOICE: voice file
    – USER-DEFINE: user-defined file
    The value of n starts from 1.

FILENAMEn
    Upgrade file name. If the value of TYPE1 is SYSTEM-SOFTWARE and the system
    software name is software.cc, the value of FILENAME1 is software.cc.
    The value of n starts from 1.

END AR
    End flag of the index file.

3. Save the text file as USB_AR.ini.


Step 2 Copy the index file USB_AR.ini, system software software.cc, and configuration file
config.zip to the root directory of the USB flash drive.
Step 3 Insert the USB flash drive into the device and power on the device.

Step 4 When the system detects that the USB flash drive is installed, it checks whether the USB flash
drive contains the index file USB_AR.ini. If the index file exists, the system checks the file
validity.
• If the index file does not exist, the ACT indicator on the SRU is off; if the index
file exists but is invalid, USB-based deployment fails and the ACT indicator on the
SRU is steady red.
• If the index file exists and is valid, USB-based deployment starts and the ACT
indicator on the SRU blinks green.
NOTE
After USB-based deployment starts, the system saves the files used for deployment from the USB
flash drive to the default storage medium according to the information in the USB_AR.ini file.
The default storage medium is the flash memory on the AR150&AR160&AR200 and AR1200 and
the SD1 card on the AR2200 and AR3200. Then the system software and configuration file are
specified as the files for next system startup.

Step 5 Verify the configuration.


# After the device restarts, the system checks whether the USB-based deployment is
successful. If the deployment indicator is steady green, USB-based deployment succeeds.

----End

Configuration Notes
• Files used for USB-based deployment include: index file, system software,
configuration file, patch file, voice file, and license file. The index file is
mandatory. The other files are mandatory, and at least one file must be selected.
• The USB flash drive must support the FAT32 file system and comply with the USB2.0
interface standards.
• Before storing data to a USB flash drive, disable the write-protection function.
• Before using a USB flash drive to configure a router, ensure that the router is
working properly and the flash memory or SD card has sufficient space for
deployment files.
• To ensure compatibility between USB flash drives and devices, use Huawei-certified
USB flash drives to configure the devices.
• Only one USB flash drive can be inserted into a device.
• The SN is an identifier used in USB-based deployment, not the device SN. A device
has a default deployment identifier. When the USB flash drive contains the .ini
file, the device checks whether the existing SN is the same as the SN in the .ini
file. If the two SNs are different, USB-based deployment is triggered, and the
device starts using the specified deployment files in the USB flash drive. After
USB-based deployment succeeds, the existing SN of the device is updated to be the
same as the SN in the .ini file.
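
Because the device loads whatever USB_AR.ini names as soon as the drive is inserted, it is worth checking the index file on the PC before the drive leaves the desk. The following check is an added example, not Huawei tooling: the function names are hypothetical, the rules come only from Table 2-1 and the notes above, and files_on_drive is assumed to be the set of relative paths present on the drive.

```python
import re
from datetime import datetime

# Index file from Step 1, embedded so the check runs offline.
SAMPLE_INDEX = """BEGIN AR
[USB CONFIG]
SN=20110628.080910
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=0000080123456789
MAC=0018-0303-1234
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=6666680123456789
MAC=0018-0303-5678
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
TYPE2=SYSTEM-CONFIG
FILENAME2=config.zip
END AR
"""

# TYPEn values listed in Table 2-1.
FILE_TYPES = {"SYSTEM-SOFTWARE", "SYSTEM-CONFIG", "SYSTEM-CONFIG_PBX",
              "SYSTEM-CONFIG_SIPAG", "SYSTEM-PAT", "SYSTEM-LICENSE",
              "SYSTEM-VOICE", "USER-DEFINE"}


def parse_index(text):
    """Split the index file into {section name: {key: value}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or lines[0] != "BEGIN AR" or lines[-1] != "END AR":
        raise ValueError("index file must start with BEGIN AR and end with END AR")
    sections, current = {}, None
    for ln in lines[1:-1]:
        if ln.startswith("[") and ln.endswith("]"):
            current = sections.setdefault(ln[1:-1], {})
        elif "=" in ln and current is not None:
            key, value = ln.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            raise ValueError("unexpected line: %r" % ln)
    return sections


def check_index(sections, files_on_drive):
    """Return a list of findings; an empty list means the index is consistent."""
    findings = []
    usb = sections.get("USB CONFIG", {})
    try:
        datetime.strptime(usb.get("SN", ""), "%Y%m%d.%H%M%S")
    except ValueError:
        findings.append("SN is not a valid YYYYMMDD.HHMMSS timestamp")
    if usb.get("EMS_ONLINE_STATE") not in ("YES", "NO"):
        findings.append("EMS_ONLINE_STATE must be YES or NO")
    upgrade = sections.get("UPGRADE INFO", {})
    if upgrade.get("OPTION") != "AUTO":
        findings.append("UPGRADE INFO OPTION must be AUTO")
    devnum = upgrade.get("DEVICENUM", "")
    count = int(devnum) if devnum.isdigit() else 0
    if count < 1:
        findings.append("DEVICENUM must be a positive integer")
    for n in range(1, count + 1):
        name = "DEVICE%d DESCRIPTION" % n
        dev = sections.get(name)
        if dev is None:
            findings.append(name + " section is missing")
            continue
        if dev.get("OPTION") != "OK":
            continue  # Table 2-1: a device whose OPTION is not OK is not upgraded
        if "DEFAULT" in (dev.get("ESN"), dev.get("MAC")):
            findings.append(name + ": ESN or MAC is DEFAULT, so these files apply to any device")
        directory = dev.get("DIRECTORY", "DEFAULT")
        prefix = "" if directory == "DEFAULT" else directory.strip("/") + "/"
        nfiles = int(dev["FILENUM"]) if dev.get("FILENUM", "").isdigit() else 0
        for i in range(1, nfiles + 1):
            ftype, fname = dev.get("TYPE%d" % i), dev.get("FILENAME%d" % i)
            if ftype not in FILE_TYPES:
                findings.append("%s: TYPE%d is %r, not a listed file type" % (name, i, ftype))
            if not fname or prefix + fname not in files_on_drive:
                findings.append("%s: FILENAME%d %r is not on the drive" % (name, i, fname))
    return findings


def deployment_triggered(device_sn, index_sn):
    """Configuration Notes: deployment starts only when the two SNs differ."""
    return device_sn != index_sn
```

A DEFAULT ESN or MAC is reported as a finding rather than an error: it is a valid setting, but it means the drive will deploy its files to any device it is inserted into.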

2.2 Logging In to the Device

2.2.1 Example for Configuring First Login Through the Console Port

Applicability
This example applies to all versions and AR routers.

Networking Requirements
When the router is powered on for the first time, log in to the router through the console port
to configure or manage the router. As shown in Figure 2-1, the console port of RouterA
connects to Host A. You need to log in to RouterA through the console port.

Figure 2-1 Logging in to the router through the console port


Procedure
Step 1 Connect the console port of RouterA to the COM port of Host A using a console cable.

Step 2 Start the terminal emulation software on your PC, create a connection, select the connected
port, and set communication parameters. (The third-party software SecureCRT is used as an
example here.)

1. Click to create a connection, as shown in Figure 2-2.

Figure 2-2 Creating a Connection

2. Set the connected port and communication parameters, as shown in Figure 2-3.
Typically, port COM1 is selected. If you cannot log in to the device through COM1,
connect the PC to another COM port.
Communication parameter settings on the terminal emulation software must be the same
as the default values on the device, which are: 9600 bit/s baud rate, 8 data bits, 1 stop bit,
no parity check, and no flow control.

NOTE

By default, no flow control mode is configured on a switch. Because RTS/CTS is selected in the
software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.


Figure 2-3 Setting the connected port and communication parameters

Step 3 Press Enter on the subsequent dialog boxes until the command line prompt of the user view,
such as <Huawei>, is displayed.
# V200R003C01 and earlier versions.
Please configure the login password (maximum length 16) // Set the password for logging in through the console port. (Only the V200R002C01 and later versions display the preceding information.)
Enter Password:
Confirm Password:

# V200R005C00 to V200R005C20 versions.
Please configure the login password (<8-128>)
Enter password:
Confirm password:

# V200R005C30 and later versions.
Login authentication // Prompt the user to enter the user name and password. (The default user name and password are admin and Admin@huawei or admin@huawei.com, respectively.)

Username:admin
Password:
<Huawei>
Info: The entered password is the same as the default. You are advised to change it to ensure security.

You can run commands to configure the router. Enter a question mark (?) whenever you need
help.


NOTE

When you connect to the console port of a router that does not have a startup configuration file, the
system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you
perform configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations
will be lost. Do you want to stop Auto-Config? [y/n]:"
• To continue Auto-Config, enter n and press Enter.
• To stop Auto-Config, enter y and press Enter.

If you choose n but still perform configurations through the console port, the DHCP, routing,
DNS, and VTY configurations that you have performed will be lost.

----End

Configuration Notes
The values of Bits per second, Data bits, Parity, Stop bits, and Flow control must be the
same as the default values on RouterA.

2.2.2 Example for Configuring Login Through the Console Port After Password Authentication Succeeds

Applicability
This example applies to all versions and AR routers.

Networking Requirements
The console port of RouterA connects to Host A. Users are required to enter the password
when they log in to RouterA through the console port.

Figure 2-4 Configuring authentication for login through the console port

Procedure
Step 1 Configuration of RouterA.
#
user-interface con 0
authentication-mode password //Set the authentication mode for users logging in
through the console to password authentication.
set authentication password cipher
#

Step 2 Verify the configuration.


# Run the quit command to disconnect Host A from RouterA. Log in to RouterA from Host A
through the console port again. If the user view is displayed after you enter the password
Huawei@123, the configuration is successful.

----End

2.2.3 Example for Performing Basic Configurations on the Device Through the Console Port

Specification
This example applies to all AR models of all versions.

Networking Requirements
After you log in to a device for the first time through the console port, configure
basic settings, including the time zone of the device, the device name, and the
management IP address. Also configure level 15 for users 0 to 4 who log in remotely
through Telnet, and configure the AAA authentication mode for these users.

Figure 2-5 Networking diagram for performing basic configurations through the console port

Procedure
Step 1 Log in to the device from PC1 through the console port. For details, see Example for
Configuring First Login Through the Console Port.
Step 2 Configure RouterA.
#
sysname Server // Configure the device name.
#
clock timezone BJ add 08:00:00 // Configure the time zone.
#
aaa
local-user admin1234 password irreversible-cipher // Create a local user, set
the user name to admin1234 and password to Helloworld@6789.
local-user admin1234 privilege level 15 // Set the priority level of the local
user admin1234 to 15. A larger value indicates a higher priority level.
local-user admin1234 service-type telnet // Set the access mode of the local
user admin1234 to Telnet.
#
interface GigabitEthernet1/0/0
ip address 10.137.217.159 255.255.255.0 // Assign an IP address to the
interface connected to PC2.
#
telnet server enable // Enable the Telnet server.
telnet server port 10181 // Configure the port number for the Telnet server.
#
user-interface vty 0 4 // Enter the VTY0-VTY4 user interface views.
authentication-mode aaa // Set the authentication mode for the VTY user interface to AAA.
#
return

Step 3 Verify the configuration.


# Log in to RouterA from PC2 through Telnet. This example uses the telnet command in the
command line window provided by the Windows operating system. You can also use third-
party Telnet software to log in to RouterA.
C:\Documents and Settings\Administrator> telnet 10.137.217.159 10181

Login authentication

Username:admin1234
Password:
<Server>

----End

Configuration Notes
• You can successfully log in to RouterA only if the user name and password that you
enter on PC2 are the same as those configured on RouterA.
• You can successfully log in to RouterA only when you enter the correct IP address
and port number.

2.2.4 Example for Logging In to the Router Using Telnet


Applicability
This example applies to all versions and AR routers.

Networking Requirements
GE1/0/0 of RouterA connects to Host A. Users are required to enter the user name and
password when they log in to RouterA through Telnet.

Figure 2-6 Logging in to the router using Telnet

NOTE

The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is recommended.

Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the interface connected to Host A.
#
aaa
local-user huawei password irreversible-cipher //Create a local user, with the
user name huawei and password Hello@123.
local-user huawei service-type telnet //Set the access type of the local user
huawei to Telnet.
local-user huawei privilege level 3 //Set the level of the local user huawei to
3.
#
telnet server enable //Enable the Telnet service.
#
user-interface vty 0 4
authentication-mode aaa //Set the authentication mode on VTY user interfaces 0
through 4 to AAA.
#

Step 2 Verify the configuration.

# Use Telnet to log in to RouterA from Host A. This example uses the telnet command in the
command line window provided by the Windows operating system. You can also use third-
party Telnet software to log in to RouterA.
C:\Documents and Settings\Administrator> telnet 10.1.1.1

Login authentication

Username:huawei
Password:
<RouterA>

----End

Configuration Notes
You can successfully log in to RouterA only if the user name and password that you enter on
Host A are the same as those configured on RouterA.

2.2.5 Example for Configuring Login Through Asynchronous Serial Port Redirection

Applicability
This example applies to all versions and all AR models except the AR150&160&200 series.

Networking Requirements
In telecommunication and financial fields, some terminals provide only access through the
serial port or cannot access the Internet using Telnet. The serial port redirection of the device
enables you to configure and manage terminals connected to the device through Telnet.

As shown in Figure 2-7, the asynchronous serial port on RouterA connects to the console port
on RouterB. You can log in to RouterB through RouterA from the remote PC in vpna.
RouterA functions as the serial port server and there is a reachable route between the remote
PC and RouterA. You can log in to RouterB connected to RouterA from the remote PC using
the IP address and specified port number.


Figure 2-7 Logging in to a router using Telnet redirection

Procedure
Step 1 Obtain the TTY user interface number corresponding to the asynchronous serial port.
<RouterA> display user-interface
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int
  0    CON 0    9600       -     15    -           N     -
  9    TTY 9    9600       -     0     -           N     2/0/0
  10   TTY 10   9600       -     0     -           N     2/0/1
  11   TTY 11   9600       -     0     -           N     2/0/2
  12   TTY 12   9600       -     0     -           N     2/0/3
  13   TTY 13   9600       -     0     -           N     2/0/4
  14   TTY 14   9600       -     0     -           N     2/0/5
  15   TTY 15   9600       -     0     -           N     2/0/6
  16   TTY 16   9600       -     0     -           N     2/0/7
+ 129  VTY 0               -     15    4           N     -
  130  VTY 1               -     15    -           N     -
  131  VTY 2               -     15    -           N     -
  132  VTY 3               -     15    -           N     -
  133  VTY 4               -     15    -           N     -
  145  VTY 16              -     0     -           P     -
  146  VTY 17              -     0     -           P     -
  147  VTY 18              -     0     -           P     -
  148  VTY 19              -     0     -           P     -
  149  VTY 20              -     0     -           P     -

Step 2 Configure RouterA.


#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the interface
connected to Host A.
ip binding vpn-instance vpna //Bind an Ethernet interface to the VPN
instance.
#
interface Async2/0/0
async mode flow //Configure the asynchronous serial interface to work in flow
mode.
#
telnet server enable //Enable the Telnet service.
#
user-interface tty 9
authentication-mode password
redirect enable //Enable Telnet redirection on the asynchronous serial
interface.
set authentication password cipher
redirect listen-port 2129 //Set a port number for the redirection function on the asynchronous serial interface.
redirect binding vpn-instance vpna //Bind the asynchronous serial interface to the VPN instance.
#

Step 3 Verify the configuration.

# Use Telnet to log in to RouterB from Host A. This example uses the telnet command in the
command line window provided by the Windows operating system. You can also use third-
party Telnet software to log in to RouterB.
C:\Documents and Settings\Administrator> telnet 10.1.1.1 2129
Press CTRL_] to quit telnet mode
Trying 10.1.1.1...
Connected to 10.1.1.1...
Login authentication

Password:
<RouterB>

NOTE

• If the redirection function is not associated with the VPN instance for private
users, any user on public or private networks can log in to RouterB.
• Press Ctrl+] to return to the interface of HostA.

----End

Configuration Notes
You can successfully log in to RouterB only when you enter the correct IP address and port
number.

2.2.6 Example for Logging In to the Router Using STelnet (Password Authentication Mode)

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA has the STelnet service enabled and connects to Host A through GE1/0/0. Users are
required to enter the user name and password when they log in to RouterA using STelnet.

Figure 2-8 Logging in to the router using STelnet

NOTE

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.


Procedure
Step 1 Generate a local key pair on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] rsa local-key-pair create

Step 2 Configure RouterA.


#
interface GigabitEthernet1/0/0
ip address 10.137.217.223 255.255.0.0 //Assign an IP address to the interface
connected to Host A.
#
aaa
local-user client001 password irreversible-cipher %@%@6W-mT:ZGe)0B*rMm,@#$LEyI;m_bQibe=46k.,#x$vk0EyLL%@%@ //Create a local user, with the user name client001 and password Hello@123. The character string after password irreversible-cipher can be in plain text or cipher text.
local-user client001 service-type ssh //Set the access type of the local
user client001 to SSH.
local-user client001 privilege level 3 //Set the level of the local user
client001 to 3.
#
stelnet server enable //Enable the STelnet service.
#
user-interface vty 0 4
authentication-mode aaa //Set the authentication mode on VTY user interfaces 0
through 4 to AAA.
protocol inbound ssh //Configure the VTY user interfaces to support only SSH.
#

Step 3 Verify the configuration.

# Use Secure Shell (SSH) software to connect to RouterA. This example uses the OpenSSH
software.

Figure 2-9 Using SSH software to connect to RouterA


----End

Configuration Notes
• You can successfully log in to RouterA only if the user name and password that you
enter on Host A are the same as those configured on RouterA.
• If the VTY user interfaces are configured to support only SSH, the Router disables
the Telnet function.
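
The login examples in 2.2.3 to 2.2.6 and their notes name four settings worth reviewing in a saved configuration: Telnet enabled, local-user passwords stored with cipher instead of irreversible-cipher, VTY interfaces not restricted with protocol inbound ssh, and serial redirection without redirect binding vpn-instance. The following audit is an added example, not a Huawei tool; the rule names are hypothetical and both sample configurations are constructed, with placeholder cipher strings.

```python
import re

# Constructed sample in the style of the Telnet and serial-redirection examples.
WEAK_CONFIG = """\
#
aaa
 local-user huawei password cipher %@%@PLACEHOLDER%@%@
 local-user huawei service-type telnet
 local-user huawei privilege level 3
#
telnet server enable
#
user-interface tty 9
 authentication-mode password
 redirect enable
 redirect listen-port 2129
#
user-interface vty 0 4
 authentication-mode aaa
#
"""

# Constructed sample in the style of the STelnet example.
HARDENED_CONFIG = """\
#
aaa
 local-user client001 password irreversible-cipher %@%@PLACEHOLDER%@%@
 local-user client001 service-type ssh
 local-user client001 privilege level 3
#
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""


def split_blocks(config_text):
    """Yield one list of commands per '#'-delimited block, with // notes removed."""
    block = []
    for raw in config_text.splitlines():
        line = re.split(r"\s+//", raw, maxsplit=1)[0].strip()
        if line == "#":
            if block:
                yield block
            block = []
        elif line and line != "return":
            block.append(line)
    if block:
        yield block


def audit(config_text):
    """Return (rule, detail) pairs for the settings this page warns about."""
    findings = []
    for block in split_blocks(config_text):
        header = block[0]
        for cmd in block:
            if cmd == "telnet server enable":
                findings.append(("TELNET_ENABLED", cmd))
            user = re.match(r"local-user (\S+) password cipher\b", cmd)
            if user:
                findings.append(("REVERSIBLE_PASSWORD", user.group(1)))
        if header.startswith("user-interface vty") and "protocol inbound ssh" not in block:
            findings.append(("VTY_NOT_SSH_ONLY", header))
        if header.startswith("user-interface tty") and "redirect enable" in block:
            if not any(c.startswith("redirect binding vpn-instance ") for c in block):
                findings.append(("REDIRECT_NO_VPN", header))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(WEAK_CONFIG):
        print(rule, "->", detail)
```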

2.2.7 Example for Configuring Login to the Device Through STelnet (RSA Authentication Mode)

Specification
This example applies to all AR models of all versions.

Networking Requirements
Users securely log in to the device through STelnet. There are reachable routes between
HostA and RouterA functioning as the SSH server, and 10.137.217.159 is the IP address of
the management interface on the SSH server. Configure the login user client001 on the SSH
server and use the account client001 on HostA to log in to the SSH server in RSA
authentication mode.

Figure 2-10 Networking diagram for configuring STelnet login (RSA authentication mode)

NOTE

STelnet V1 has security vulnerabilities. You are advised to log in to the device using STelnet V2.

Procedure
Step 1 Generate a local key pair on HostA.
1. On HostA, run puttygen.exe to generate the public and private key files.
# In Figure 2-11, select SSH-2 RSA and click Generate. You need to move the cursor
continuously in the blank area during the generation of the key pair; otherwise, the
progress bar stops, so does the generation of the key pair.


Figure 2-11 PuTTY Key Generator (1)

# After the key is generated, click Save public key in the dialog box shown in Figure
2-12 to save the key as the key.pub file.


Figure 2-12 PuTTY Key Generator (2)

# Click Save private key in the dialog box in Figure 2-12. In the PuTTYgen Warning
dialog box that is displayed, click Yes. The private key is saved as the private.ppk file.

Figure 2-13 PuTTY Key Generator (3)

2. After the encoding format of the RSA public key is set to .pem, configure the private key
(in .pem format) in the public key file key.pub generated by the puttygen.exe tool on the
server.


Step 2 Configure RouterA.


#
sysname SSH Server // Configure the device name.
#
rsa peer-public-key rsakey001 encoding-type pem // Configure PEM as the encoding format of the RSA public key.
public-key-code begin
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAABJQAAAQEAm03bm5EFuIgYKWSq6HlltY/hjYhWI/bb5efN
5u9EGOYNzXLFsECW74X5SSvKHE5YvbDVhD1N/Vinh3ox8U7lY6UNKuOmQZF9OrCO
dbekrvMOuDVo8zuiZOgrLTVpTFHdgi0BbbSnGvpDzdn6ovm9ZBS+j2omm/D3pWYB
9YJTARhLILmrrBaiFiYy76F3tCwDhkZwMYOp6ueDKqdJIYYc/jZPnAICr5ByscmB
0ezlVO3jo5lHn3k5H+rUQmyOEOw8fZDI8zzRN63QOx2NWXZxDZUs9EiReVw7sJIG
g9zVoCpMsM7PhniFF0DUJoUEF6ryl54noHEmT3lcn4ulWJw1cQ==
---- END SSH2 PUBLIC KEY ----
public-key-code end
peer-public-key end // Generate a local key pair.
#
aaa
local-user client001 password irreversible-cipher // Create a local user, set
the user name to client001 and password to Helloworld@6789. The character string
after password irreversible-cipher can be in plain text or cipher text.
local-user client001 privilege level 15 // Set the priority level of the local
user client001 to 15.
local-user client001 service-type ssh // Set the access mode of the local user
client001 to STelnet.
#
interface GigabitEthernet1/0/0
ip address 10.137.217.159 255.255.255.0 // Assign an IP address to the
interface connected to HostA.
#
ssh user client001 assign rsa-key rsakey001 // Specify the host public key of
the SSH server to which the local user client001 connects.
ssh user client001 authentication-type rsa // Set the authentication mode of
the local user client001 to RSA.
stelnet server enable //Enable the SSH server.
#
user-interface vty 0 4
user privilege level 15 // Set the priority level of the user to 15.
authentication-mode aaa // Set the authentication mode for the VTY user
interface to AAA.
protocol inbound ssh // Configure the VTY user interface to support only SSH.
#
return

Step 3 Verify the configuration.


# Use Secure Shell (SSH) software on HostA to access RouterA. This example uses the
PuTTY software.
# Log in to the device using PuTTY, enter the device's IP address, and select the SSH
protocol, as shown in Figure 2-14.


Figure 2-14 PuTTY Configuration - RSA authentication mode (1)

# Choose Connection > SSH in the navigation tree. The page shown in Figure 2-15 is
displayed. Select 2 under Preferred SSH protocol version.


Figure 2-15 PuTTY Configuration - RSA authentication mode (2)

# Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure 2-16
is displayed. Select the private.ppk file corresponding to the public key configured on the
server.


Figure 2-16 PuTTY Configuration - RSA authentication mode (3)

# Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the
SSH server. The following information is for reference only.
login as: client001

Authenticating with public key "rsa-key-20150528"

<SSH Server>

----End

Configuration Notes
• If RSA authentication is used, you need to configure the public key generated by
the SSH client on the SSH server. When you log in to the SSH server on the SSH
client, the SSH client passes the authentication if the private key of the client
matches the configured public key.
• If the VTY user interfaces are configured to support only SSH, the device
automatically disables the Telnet function.
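
Before a client key is pasted between public-key-code begin and public-key-code end, its size can be checked against this document's recommendation of RSA-2048 or higher. The following parser is an added example, not part of the Huawei or PuTTY tooling: it reads the SSH2 PUBLIC KEY block from Step 2, reports modulus size, exponent and SHA-256 fingerprint, and compares the result with a constructed 1024-bit sample (build_block and its numbers are sample data, not a real key).

```python
import base64
import hashlib
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

# Public key block configured as rsakey001 in Step 2 of this example.
PAGE_KEY = """\
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAABJQAAAQEAm03bm5EFuIgYKWSq6HlltY/hjYhWI/bb5efN
5u9EGOYNzXLFsECW74X5SSvKHE5YvbDVhD1N/Vinh3ox8U7lY6UNKuOmQZF9OrCO
dbekrvMOuDVo8zuiZOgrLTVpTFHdgi0BbbSnGvpDzdn6ovm9ZBS+j2omm/D3pWYB
9YJTARhLILmrrBaiFiYy76F3tCwDhkZwMYOp6ueDKqdJIYYc/jZPnAICr5ByscmB
0ezlVO3jo5lHn3k5H+rUQmyOEOw8fZDI8zzRN63QOx2NWXZxDZUs9EiReVw7sJIG
g9zVoCpMsM7PhniFF0DUJoUEF6ryl54noHEmT3lcn4ulWJw1cQ==
---- END SSH2 PUBLIC KEY ----
"""


def decode_ssh2_block(text):
    """Return the raw key blob from an SSH2 PUBLIC KEY block (RFC 4716 layout)."""
    body, inside, continued = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END and inside:
            return base64.b64decode("".join(body), validate=True)
        elif inside and (continued or ":" in line):
            continued = line.endswith("\\")  # header such as Comment:, may wrap
        elif inside:
            body.append(line)
    raise ValueError("no complete SSH2 PUBLIC KEY block found")


def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def inspect_rsa_key(text, min_bits=2048):
    """Report size, exponent and fingerprint of an ssh-rsa public key block."""
    blob = decode_ssh2_block(text)
    fields = read_fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    bits = int.from_bytes(fields[2], "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": bits, "exponent": int.from_bytes(fields[1], "big"),
            "fingerprint": "SHA256:" + digest, "acceptable": bits >= min_bits}


def build_block(exponent, modulus):
    """Encode constructed numbers as an SSH2 PUBLIC KEY block (sample data only)."""
    def field(data):
        return struct.pack(">I", len(data)) + data

    def mpint(n):
        return field(n.to_bytes((n.bit_length() + 8) // 8, "big"))

    b64 = base64.b64encode(field(b"ssh-rsa") + mpint(exponent) + mpint(modulus)).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END])


# Constructed 1024-bit sample: correct in length only, not a usable RSA modulus.
WEAK_KEY = build_block(65537, (1 << 1023) | 1)

if __name__ == "__main__":
    for label, key in (("page key", PAGE_KEY), ("constructed weak key", WEAK_KEY)):
        print(label, inspect_rsa_key(key))
```

The fingerprint is computed the same way OpenSSH prints SHA256 fingerprints, so it can be compared with the one shown for the client's key before the key is trusted on the server.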


2.2.8 Example for Configuring Login Through RADIUS Authentication When the Device Functions as a Client

Applicability
This example applies to all versions and AR routers.

Networking Requirements
An AR functions as the SSH server and needs to provide RADIUS authentication for SSH
clients.
When an SSH client attempts to connect to the SSH server, the RADIUS server authenticates
the client and sends the authentication result to the SSH server. The SSH server determines
whether to establish a connection with the SSH client according to the authentication result.

Figure 2-17 Configuring RADIUS authentication for SSH users

Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname ssh server
[ssh server] rsa local-key-pair create

Step 2 Configuration of SSH Server varies in different versions. Note the product version when
configuring SSH Server.
#
user-interface vty 0 4
 authentication-mode aaa  //Set the authentication mode on VTY user interfaces 0 through 4 to AAA.
 protocol inbound ssh  //Configure the VTY user interfaces to support only SSH.
#
aaa
 local-user ssh1@ssh.com password cipher %@%@0qu\:lj<uNH#kN5W/e*A_:G#%@%@  //Create a local user, with the user name ssh1@ssh.com and password Huawei@123 (cipher text).
 local-user ssh1@ssh.com privilege level 15  //Set the level of the local user ssh1@ssh.com to 15.
 authentication-scheme newscheme  //Configure an authentication scheme newscheme.
  authentication-mode radius  //Set the authentication method to RADIUS authentication.
 domain ssh.com  //Configure a domain ssh.com.
  authentication-scheme newscheme  //Apply the authentication scheme newscheme to the domain ssh.com.
  radius-server ssh  //Apply the RADIUS server template ssh to the domain ssh.com.
#
radius-server template ssh  //Configure the RADIUS server template ssh.
 radius-server shared-key cipher N`C55QK<`=/Q=^Q`MAF4<1!!  //Set the shared key for the RADIUS server to huawei (cipher text).
 radius-server authentication 10.164.6.49 1812  //Specify the IP address and port number of the RADIUS authentication server.
#
 stelnet server enable  //Enable STelnet on the SSH server.
#

Step 3 Configure the SSH client.


#
 ssh client first-time enable  //Enable the authentication function for the first login of the SSH client.
#

Step 4 Verify the configuration.


# Log in to the SSH server from the SSH client in RADIUS authentication mode.
<ssh client> system-view
[ssh client] stelnet 10.164.39.222
Please input the username: ssh1@ssh.com
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name: 10.164.39.222. Please wait...
Enter password:

# Enter the password huawei. If the following information is displayed, you have logged in
successfully.
Info: The max number of VTY users is 10, and the current number of VTY users on line is 2.

# Run the display radius-server configuration and display ssh server session commands on
the SSH server to view the RADIUS server configuration and the SSH session status. The
command output shows that the SSH client has successfully connected to the SSH server.
[ssh server] display ssh server session
--------------------------------------------------------------------
Conn Ver Encry State Auth-type Username
--------------------------------------------------------------------
VTY 0 2.0 AES run password ssh1@ssh.com
--------------------------------------------------------------------

----End

Configuration Notes
● Specify the user name of the SSH client on the RADIUS server.
● Specify the IP address and key pair of the SSH server on the RADIUS server.
● If the SSH client uses password authentication, only the SSH server needs to generate
  the Rivest-Shamir-Adleman (RSA) key pair. If the SSH client uses RSA authentication,
  both the SSH server and client need to generate the RSA key pair. You must specify the
  public key generated by the SSH client on the SSH server.
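
The exchange behind this configuration, as an added example (not Huawei's code): a Python model of the RFC 2865 Access-Request and reply handling between the router (NAS) and the RADIUS server, showing where the radius-server shared-key value is used. The user database, the fixed request authenticator and the function names are constructed for illustration, and nothing is sent on the network.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types


def _xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else result   # chaining always uses the ciphertext
        out += result
    return out


def hide_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, (len(password) + 15) // 16 * 16)   # pad with NULs to a 16-byte multiple
    return _xor_blocks(password.ljust(size, b"\x00"), secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(blob):
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def build_access_request(ident, user, password, nas_ip, secret, authenticator=None):
    """What the router sends to the RADIUS server for an SSH password login."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_reply(request, secret, users):
    """RADIUS server side: recover the password, decide, and sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply, request, secret):
    """Router side: trust the reply only if it was signed with the shared key."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def login(nas_secret, server_secret, password="huawei"):
    """Run one exchange; returns (reply code, reply trusted by the router?)."""
    users = {"ssh1@ssh.com": b"huawei"}               # constructed RADIUS user database
    req = build_access_request(1, "ssh1@ssh.com", password, "10.164.39.222",
                               nas_secret, authenticator=bytes(range(16)))  # fixed for the demo
    reply = server_reply(req, server_secret, users)
    return reply[0], verify_reply(reply, req, nas_secret)


if __name__ == "__main__":
    print(login(b"huawei", b"huawei"))            # matching keys, correct password
    print(login(b"huawei", b"huawei", "wrong"))   # matching keys, wrong password
    print(login(b"Huawei", b"huawei"))            # shared key differs between router and server
```

The password is protected on the wire only by MD5 keyed with the shared key, so the key set in the RADIUS server template should be long and random rather than a dictionary word such as the example's huawei.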

2.2.9 Displaying the Device Status


Procedure
● Check the system software version.
Before a software upgrade or fault location, check the system software version.
Run the display version command to check router version information.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (AR2200 V200R002C01)  //The version is V200R002C01, which matches VRP 5.110.
Copyright (C) 2011-2012 HUAWEI TECH CO., LTD
Huawei AR2240 Router uptime is 0 week, 5 days, 22 hours, 21 minutes  //Period during which the device has been running
BKP 0 version information:  //Backplane version information
1. PCB Version : AR01BAK2B VER.A  //Backplane PCB version number
2. If Supporting PoE : No  //Whether POE is enabled.
3. Board Type : AR2240  //Backplane type
4. MPU Slot Quantity : 1
5. LPU Slot Quantity : 8

MPU 11(Master) : uptime is 0 week, 5 days, 22 hours, 21 minutes  //Period during which the MPU has been running
SDRAM Memory Size : 2048 M bytes
Flash Memory Size : 16 M bytes
NVRAM Memory Size : 512 K bytes
SD Card1 Memory Size : 1882 M bytes
MPU version information :
1. PCB Version : AR01SRU3A VER.B  //MPU PCB version number
2. MAB Version : 0
3. Board Type : SRU40  //MPU type
4. CPLD0 Version : 104
5. CPLD1 Version : 104
6. BootROM Version : 404  //MPU BootROM version number

LPU 1 : uptime is 0 week, 5 days, 22 hours, 20 minutes  //Period during which LPU has been running
SDRAM Memory Size : 256 M bytes
Flash Memory Size : 16 M bytes
LPU version information :
1. PCB Version : AR01WDAS8A VER.B
2. MAB Version : 0
3. Board Type : 8AS
4. BootROM Version : 301

LPU 2 : uptime is 0 week, 5 days, 22 hours, 19 minutes
SDRAM Memory Size : 256 M bytes
Flash Memory Size : 16 M bytes
LPU version information :
1. PCB Version : AR01WMF9TTA VER.B
2. MAB Version : 0
3. Board Type : 8FE1GE
4. BootROM Version : 213
5. BootLoad Version : 301

FAN version information :  //Fan module version information
1. PCB Version : - VER.NC
2. Board Type : FAN
3. Software Version : 0

● Check router component information.
When the router or board is faulty, check whether the router or board is installed properly
and whether the router or board status is correct.
Run the display device command to check router component information.
<Huawei> display device
AR2240's Device status:
Slot  Sub  Type     Online   Power    Register      Alarm   Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2     -    8FE1GE   Present  PowerOn  Registered    Normal  NA  //The 8FE1GE board is installed in slot 1.
4     -    8FE1GE   Present  PowerOn  Registered    Normal  NA
5     -    8AS      Present  PowerOn  Registered    Normal  NA
6     -    8FE1GE   Present  PowerOn  Registered    Normal  NA
11    -    SRU40    Present  PowerOn  Registered    Normal  Master
9     -    PWR350A  Present  PowerOn  Registered    Normal  NA
12    -    FAN      Present  PowerOn  Unregistered  -       NA  //The fan module in slot 12 is installed properly and powered on, but is not registered.

● Check the router health status.

Run the display health command to check information about the router temperature,
power module, fan module, power supply, CPU usage, and storage media.
<Huawei> display health
--------------------------------------------------------------------------------
Slot  Card  Sensor No.  SensorName   Status  Upper  Lower  Temperature.(C)
--------------------------------------------------------------------------------
1     -     1           8FE1GE TEMP  NORMAL  75     0      29  //The temperature of the 8FE1GE board in slot 1 is 29°C. The upper temperature alarm threshold is 75°C and the lower temperature alarm threshold is 0°C.
2     -     1           8FE1GE TEMP  NORMAL  75     0      31
5     -     1           8AS TEMP     NORMAL  75     0      30
6     -     1           8FE1GE TEMP  NORMAL  85     0      32
11    -     1           SRU40 TEMP   NORMAL  70     0      38
--------------------------------------------------------------------------
PowerNo  Present  Mode  State   Current(A)  Voltage(V)  Power(W)
--------------------------------------------------------------------------
9        YES      AC    Supply  N/A         12          350  //The power module in slot 9 uses AC power supply. The rated voltage is 12 V and the rated power is 350 W.
10       NO       N/A   N/A     N/A         N/A         N/A
------------------------------------------------------------------
FanId  FanNum  Present  Register  Speed  Mode
------------------------------------------------------------------
12     [1-5]   YES      YES       35%    AUTO  //The fan module in slot 12 has been registered. The fan module works in auto mode and the fan speed is 35% of the total speed.
       1                          2130
       2                          2070
       3                          2070
       4                          2160
       5                          2130
The total power is : 350(W)
The used power is : 141(W)
The remain power is : 209(W)
The system used power detail information :
-------------------------------------------------------------------------------
SlotID  BoardType  Power-Used(W)  Power-Requested(W)
-------------------------------------------------------------------------------
1       8FE1GE     7.366          14  //The rated power of the 8FE1GE board in slot 1 is 14 W. The 2FE board has consumed 7.366 W.
2       8FE1GE     7.366          14
5       8AS        3.968          5
6       8FE1GE     7.366          14
11      SRU40      40.400         94
System CPU Usage Information:
System cpu usage at 2012-04-27 10:27:34 290 ms
-------------------------------------------------------------------------------
SlotID  CPU Usage  Upper Limit
-------------------------------------------------------------------------------
5       2 %        80%  //The CPU usage of the board in slot 5 is 2%. If the CPU usage exceeds 80%, the system generates an overload alarm.
6       4 %        80%
11      8 %        80%
System Memory Usage Information:
System memory usage at 2012-04-27 10:27:34 370 ms
-------------------------------------------------------------------------------
SlotID  Total Memory(MB)  Used Memory(MB)  Used Percentage  Upper Limit
-------------------------------------------------------------------------------
5       176               3                1 %              95%  //The total memory of the board in slot 5 is 176 MB. The board has used 3 MB memory. The memory usage is 1%. If the memory usage exceeds 95%, the system generates an alarm.
6       176               20               11%              95%
11      1257              186              14%              95%
System Disk Usage Information:  //Storage medium usage
System disk usage at 2012-04-27 10:27:34 450 ms
-------------------------------------------------------------------------------
SlotID  Device  Total Memory(MB)  Used Memory(MB)  Used Percentage
-------------------------------------------------------------------------------
11      sd1:    1882              874              46%
        flash:  2                 0                6%
● Check CPU usage statistics.
CPU usage is an important indicator of device performance. High CPU usage will
cause service faults, for example, BGP route flapping, frequent VRRP active/standby
switchover, and even failed device login.
Run the display cpu-usage command to check CPU usage statistics.
<Huawei> display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage Stat. Time : 2012-04-27 11:34:05  //Last time the CPU usage statistics were collected
Control Plane  //Last time the CPU usage statistics of the control plane were collected
CPU Usage: 7% Max: 100%
CPU utilization for five seconds: 7% one minute: 5% five minutes: 5%.
Data Plane  //Last time the CPU usage statistics of the forwarding plane were collected
CPU Usage: 1% Max: 5%
CPU utilization for five seconds: 1% one minute: 1% five minutes: 1%.

TaskName        CPU     Runtime(CPU Tick High/Tick Low)  Task Explanation
Core 1          0.4%
Core 2          0.3%
Core 3          0.0%
BOX             0.0%    0/ 1013d3    BOX Output
_TIL            0.0%    0/ 0         Infinite loop event task
_EXC            0.0%    0/ 0         Exception Agent Task
VFSD            0.0%    0/ 0         VFSD  //File system deletion task
VIDL            93.4%   1/4e225e99   DOPRA IDLE  //WAN management task
TICK            0.6%    0/ 20a1aae
CWMP            0.0%    0/ 4fcc8
IPCR            0.0%    0/ 0         IPCR  //IPC packet receiving task
_S0fBCLIP       0.1%    0/ 4a8424    //VTY service task
_S1fBCLIP       0.0%    0/ 0         //Command line message processing task
_S0fSNMP        0.0%    0/ 0         //SNMP management task
SNP6            0.0%    0/ 0
_S0fDBWIN       0.0%    0/ 40b01     //SOCKET management task
DBWR            0.0%    0/ 245ec     //DBWIN receiving task
DBWS            0.0%    0/ 0         //DBWIN sending task
_S0fLOAD_DST    0.0%    0/ f4ab      //Loading task
_S0fSRM         0.0%    0/ 447b2     //System resource asynchronous processing task
RSA             0.0%    0/ 0         //RSA task
vt0             0.0%    0/ 4ad05
_MfMON          0.0%    0/ 0         fMON
_EfMON          0.0%    0/ 0         fMON
_MfBCLI         0.0%    0/ 0         fBCLI  //Command line message processing task
_MfDIAG         0.0%    0/ 0         fDIAG  //Diagnostic message processing task
_MfDB           0.0%    0/ 0         fDB  //Database message processing task
_MfDCM          0.0%    0/ f99a2     fDCM
_MfDEV          0.0%    0/ c0ac4     fDEV  //Device management message processing task
_MfPM           0.0%    0/ 0         fPM  //Interface management message processing task
_MfTEST         0.0%    0/ 0         fTEST
_MfINFC         0.0%    0/ 0         fINFC  //Information center message processing task
_MfSNMP         0.0%    0/ 4396f     fSNMP  //NMS request processing task
_MfPAT          0.0%    0/ 0         fPAT  //Patch message processing task
_MfDBG          0.0%    0/ 0         fDBG
_MfLOAD         0.0%    0/ 0         fLOAD  //Loading message processing task
_MfFTP          0.0%    0/ 0         fFTP  //TFTP message processing task
_S0fFTP         0.0%    0/ 0         fFTP  //TFTP message processing task
_MfLANG         0.0%    0/ 0         fLANG  //Multi-language message processing task
_MDMM           0.0%    0/ 0         DMM
_MAUTO          0.0%    0/ 0         AUTO
_MBULK          0.0%    0/ 0         BULK
_MfRMM          0.0%    0/ 0         fRMM  //RMM processing task
_MfSRM          0.0%    0/ 0         fSRM  //System resource message processing task
_MfCFGR         0.0%    0/ 0         fCFGR
_MfAMP          0.0%    0/ 16b0d     fAMP  //Task used to process the PON and GSHDSL line status
_MfMsc          0.0%    0/ 3c501     fMsc
_MfProduct      0.0%    0/ 0         fProduct
_MVMIF          0.0%    0/ 0         VMIF  //Voice interface management adaptation task
_MVPRODUCT      0.0%    0/ 0         VPRODUCT  //Voice module initialization and function invocation initialization task
_MSYSCFG        0.0%    0/ 0         SYSCFG  //Voice database processing task
_MH248APP       0.0%    0/ 0         H248APP
_MVCM           0.0%    0/ 0         VCM
_MH248          0.0%    0/ 0         H248
_MMGCP          0.0%    0/ 0         MGCP
_MMGCPSTACK     0.0%    0/ 0         MGCPSTACK
_MSDP           0.0%    0/ 0         SDP
_MTPA           0.0%    0/ df39      TPA
_S0TPA          0.1%    0/ 499ed6    TPA
_S1TPA          0.4%    0/ 16b08ad   TPA
_MVIFM          0.0%    0/ 0         VIFM
_MVCFG          0.0%    0/ 0         VCFG
_MVRM           0.0%    0/ 0         VRM
_ME2E           0.0%    0/ 0         E2E
_MVPM           0.0%    0/ 0         VPM
_MSIPAPP        0.0%    0/ 20114     SIPAPP
_MSIPSTACK      0.0%    0/ 0         SIPSTACK
_MVOLC          0.0%    0/ 0         VOLC
_MVAM           0.0%    0/ 0         VAM
_MVSPPDT        0.0%    0/ 0         VSPPDT
VPR             0.0%    0/ 0         VPR
_MfXPONDRV      0.0%    0/ 0         fXPONDRV
_MPBX           0.2%    0/ caa8ac    PBX
_MVOIPDRV       0.0%    0/ 0         VOIPDRV
_MfCWMP         0.0%    0/ 0         fCWMP  //CWMP message processing task
_MfFM           0.0%    0/ 0         fFM
Co0             0.0%    0/ 29082     //Serial port task
FTPS            0.2%    0/ da751c    FTPS Main task of FTP server
CDR             0.0%    0/ 19e9
H_IDLE          0.0%    0/ 0
CFM             0.0%    0/ 0         //Configuration recovery task
IC              0.0%    0/ ab3bb     //Information center task
SNMP trap task  0.0%    0/ 2af632    //SNMP trap sending task
SNMP_CLIENT_SE  0.0%    0/ 0
SNMP_CLIENT_RE  0.0%    0/ 0
SNMP_SERVER_RE  0.0%    0/ 0
PatTask         0.0%    0/ 0         //Patch asynchronous operation processing task
AutoLoadTask    0.0%    0/ 0         //Automatic loading task
WebT            0.1%    0/ 3c0131
SessionAdminTa  0.0%    0/ 25c681
SessionWorkerT  0.0%    0/ 1f2c69
WebProxyTask    0.0%    0/ 228055
VPS             0.0%    0/ 0         VPS
CMsg            0.0%    0/ 52b33
NTPT            0.0%    0/ 28e875    //NTP task
FM              0.0%    0/ 11a3a1    //Fault management task
dcm             0.0%    0/ 187a77
VSDKS           0.0%    0/ 0
VSDKDIS         0.0%    0/ 0
VXET            0.0%    0/ 0         VXET
3GCT            0.0%    0/ 0         3GCT
Ecm             0.0%    0/ 165bb     Ecm
IPCQ            0.1%    0/ 3f02a5    IPCQ
VP              0.0%    0/ 0         VP
RPCQ            0.0%    0/ 30c21     RPCQ
Super           0.3%    0/ fdb7e5    Super
PTS             0.2%    0/ c3b3bb    PTS
PRIN            0.0%    0/ 68faa     PRINT-FWD
FAST            0.0%    0/ 610b1     FAST-FWD
FM_T            0.0%    0/ 1903      FM_TSK
RTMR            0.1%    0/ 7ccadf    RTMR
FECD            0.0%    0/ 42761     FECD Forward Equal Class Develope
VT              0.0%    0/ 1463b     VT
VSOL            0.0%    0/ 0         VSOL
TSEV            0.0%    0/ 2b5352
TCLI            0.0%    0/ 172a8
TIO             0.0%    0/ 0
_MfTRACE        0.0%    0/ 2dc0      fTRACE
tExcTask        0.0%    0/ 0         tS00
tBspPort        0.2%    0/ a8810c    tS01
EHCDI0          0.0%    0/ 0         tS02
BusM A          0.0%    0/ 13370a    tS03
EHCDI1          0.0%    0/ 0         tS04
BusM B          0.0%    0/ d356a     tS05
BULK_CLASS_IRP  0.0%    0/ 0         tS06
tBulkClnt       0.0%    0/ 0         tS07
usbAcmLib_IRP   0.0%    0/ 0         tS08
tDcacheUpd      0.0%    0/ 4f765     tS09
tSd             0.0%    0/ 6d77      tS0a
tNetTask        0.0%    0/ 8e6f9     tS0b
tBspAt          0.0%    0/ 142dd     tS0c
tBsp3GData      0.0%    0/ 9fbd      tS0d  //3G AT command task
tShell          0.0%    0/ 0         tS0e  //3G data task
root            0.0%    0/ 0         tS0f
tTftpdTask      0.0%    0/ 0         tS6d
IDLE            0.0%    0/ 0         tS6e
l2age           0.0%    0/ 0         tS6f
l2learn         0.0%    0/ 0         tS70
macreport       0.0%    0/ cdf2      tS71
linkstatus      0.0%    0/ 0         tS72
port_statistic  0.1%    0/ 41890f    tS73
linkscan        0.0%    0/ a1d8      tS74
mv_cpu_rx0      0.0%    0/ 0         tS75
mv_cpu_rx1      0.0%    0/ 0         tS76
mv_cpu_rx2      0.0%    0/ 0         tS77
mv_cpu_rx3      0.0%    0/ 0         tS78
mv_cpu_rx4      0.0%    0/ 0         tS79
mv_cpu_rx5      0.0%    0/ 0         tS7a
mv_cpu_rx6      0.0%    0/ 10634     tS7b
mv_cpu_rx7      0.0%    0/ 14216d    tS7c
SAPP            0.0%    0/ 5baf      SAPP
NQAC            0.0%    0/ 0         NQAC  //NQA client task
NQAS            0.0%    0/ 0         NQAS  //NQA server task
FIB6            0.0%    0/ 0         FIB6IPv6 FIB  //IPv6 FIB
ACLI            0.0%    0/ 0         ACLIPv6  //IPv6 ACL module used to configure and deliver IPv6 ACL commands
BFD             0.0%    0/ 1225e1    BFD Bidirection Forwarding Detection  //BFD task
TNLM            0.0%    0/ 1ea79     TNLM  //Tunnel management task
LSPA            0.0%    0/ 0         LSPA  //MPLS management task
SNPG            0.0%    0/ 18b626    SNPG  //Layer 2 multicast task
ITSK            0.0%    0/ 45f42     ITSKIPOS common task
DEFD            0.0%    0/ 13afe     DEFD
SECE            0.0%    0/ 4328c     SECE Security  //Security module used to register, process, and deliver security commands, and to detect packets on the control plane
L3AD            0.0%    0/ 0         L3ADP_MAIN  //L3 IPv4 management task
L3IO            0.0%    0/ 0         L3IO  //Interface board management task
NDIO            0.0%    0/ 0         NDIO  //IPv6 interface board management task
NDMB            0.0%    0/ 0         NDMB  //IPv6 MPU management task
ANQA            0.0%    0/ 0         ANQA PDT  //NQA management task
L2TP            0.0%    0/ 1dec0     L2TP
DCC             0.0%    0/ 1740c     DCC
DCPT            0.0%    0/ 0         DCPT
QADP            0.4%    0/ 188ab90   QADP  //QoS adaptation module used to adapt information delivered by the QoS configuration module to different chips
QOS             0.1%    0/ 6642bb    QOS  //QoS configuration module used to save and deliver QoS commands
MIRR            0.0%    0/ 0         MIRR
CC              0.0%    0/ 0         CC
Q921            0.0%    0/ 0         Q921
Q931            0.0%    0/ 0         Q931
PPP             0.0%    0/ 0         PPP
WAN             0.0%    0/ aa6f      WAN
DLSW            0.0%    0/ 0         DLSW
MDM             0.0%    0/ 1ce62e    MDM
G3AT            0.0%    0/ 1b8dcf    G3AT
SOCK            0.1%    0/ 4cff31    SOCKPacket schedule and process
FIB             0.0%    0/ 0         FIB Forward Information Base  //IPv4 FIB
MFIB            0.0%    0/ a1bc      MFIBMulticast forward info  //Layer 3 multicast routing task
IFNT            0.0%    0/ 0         IFNTIfnet task  //Interface management task
LoadAutoUpdate  0.0%    0/ 0
UCM             0.0%    0/ 6e46      UCM
Vacl            0.0%    0/ 0         Vacl
AAA             0.0%    0/ 0         AAA
RDS             0.0%    0/ 0         RDS
TACH            0.0%    0/ 103e53    TACH
EAP             0.0%    0/ 18de      EAP Extensible Authen protocol
AM              0.0%    0/ 3810e     AM Address Management
DHCP            0.0%    0/ 1df06     DHCP
PKI             0.0%    0/ 0         PKI
VoipReset       0.0%    0/ 36e6
SCTPRECV        0.3%    0/ ef9608
VALP            0.0%    0/ 104d3     VALP
SLOG            0.0%    0/ 0         SLOG
NHRP            0.0%    0/ 286f      NHRP
DNSE            0.0%    0/ 10129     DNSE
SVUM            0.0%    0/ 1129d     SVUM
SVWP            0.0%    0/ 0         SVWP
SVPF            0.0%    0/ 0         SVPF
SVIF            0.0%    0/ 0         SVIF
SSLA            0.0%    0/ 0         SSLA
SAC             0.0%    0/ 1d00      SAC
vt1             1.2%    0/ 4359b1d
IPSC            0.0%    0/ 16d32     IPSC
IKE             0.0%    0/ 16628     IKE
IPSV            0.0%    0/ 0         IPSV
L2AD            0.0%    0/ 29d99     L2ADP  //Layer 2 management task
IFPD            0.2%    0/ a5ec7a    IFPD  //Interface management task
IPSL            0.0%    0/ 0         IPSL  //IP SLA task
MSYN            0.0%    0/ e6456     MSYN Mac Synchronization  //MAC address synchronization management task
ACL             0.2%    0/ b70f5c    ACL  //ACL module used to configure and deliver IPv4 ACL commands
vt2             0.0%    0/ 34d85
ETHA            0.0%    0/ 0         ETHA  //Ethernet Layer 3 management task
ADPM            0.0%    0/ 0         ADPM  //VRRP management task
vt3             0.0%    0/ 5cb8d
LLDP            0.0%    0/ 7d002     LLDP Protocol  //LLDP management task
UDPH            0.0%    0/ 0         UDPH  //UDP Helper management task
IPMC            0.0%    0/ 0         IPMC  //Layer 3 multicast management task
ADMC            0.0%    0/ 0         ADMC
MPMB            0.0%    0/ 0         MPMB  //MPLS management task
BFDA            0.0%    0/ 0         BFDA BFD Adapter  //BFD management task
AUTO            0.0%    0/ febd      AUTO
AREM            0.0%    0/ 1d76f5    AREM
FMAR            0.0%    0/ 5cba      FMAR
FMCK            0.0%    0/ 163cd7    FMCKAR
vt5             0.0%    0/ 322e0
TM              0.0%    0/ 0         TM
SAM             0.0%    0/ 7d78      SAM
WEB             0.0%    0/ 0         WEB Web
PTAL            0.0%    0/ 0         PTAL Portal
ARNS            0.0%    0/ 353a      ARNS
GVRP            0.0%    0/ 0         GVRP Protocol  //GVRP management task
SFPM            0.0%    0/ 427f2     SFPM  //Optical module management task
ROUT            0.4%    0/ 14c0a9a   ROUTRoute task  //Routing management task
LSPM            0.0%    0/ 1c84a     LSPMLsp management  //LSP management task
RSVP            0.0%    0/ 0         RSVP task  //Multicast routing management task
LDP             0.0%    0/ 0         LDP task  //LDP management task
CSPF            0.0%    0/ 1aabd     CSPF task  //CSPF management task
GRES            0.0%    0/ 0         GRESM task  //Global resource management task
UTSK            0.0%    0/ 0         UTSK  //Unified scheduling task
APP             0.0%    0/ 0         APP  //VRRP management task
IP              0.0%    0/ 196bb     IP  //IP management task
LINK            0.0%    0/ 79005     LINK  //Link layer management task
STP             0.2%    0/ ba2e4d    STP  //Loop prevention protocol task
VRPT            0.0%    0/ 20842     VRPT
HOTT            0.0%    0/ 0         HOTT  //Board hot swapping management task
TNQA            0.0%    0/ 146a99    TNQAC
TTNQ            0.0%    0/ 0         TTNQAS
TARP            0.0%    0/ 0         TARPING
TTVP            0.0%    0/ 0         TTVPLS
L2              0.0%    0/ 12ee1c    L2  //Layer 2 module management task
VRRP            0.0%    0/ 24ff48    VRRP  //VRRP management task
L2_P            0.0%    0/ 4d8f1     L2_PR  //Layer 2 protocol management task
ARP             0.0%    0/ 0         ARP  //ARP management task
QXDM            0.0%    0/ 96c7      QXDM
IFLP            0.0%    0/ 10db1     IFLP
TickTask443318  0.0%    0/ 1851f
PKI_KEY         0.0%    0/ 0
Cell            0.0%    0/ 3d612     Cell
RMON            0.0%    0/ 243ab     RMONRemote monitoring  //Remote monitoring task
MNSC            0.1%    0/ 3fbc02    MNSC  //Data receiving task

● Check the current configuration.
Run the display current-configuration command to check the current configuration.
<Huawei> display current-configuration
[V200R002C01]  //Device version
#  //FTP server information
 ftp server enable
#  //Information about the board that is installed recently.
 board add 0/1 4G.SHDSL
 board add 0/2 8FE1GE
 board add 0/3 1SA
 board add 0/4 2E1-MFT
 board add 0/5 8FE1GE
#  //SNMP agent configuration
 snmp-agent local-engineid 800007DB0380FB063545B3
 snmp-agent
#  //Interface configuration
interface Ethernet2/0/0
 ip address 2.2.2.2 255.255.255.0
#  //OSPF configuration
ospf 1
 area 0.0.0.0
  network 19.19.19.0 0.0.0.255
#  //Static route configuration
 ip route-static 0.0.0.0 0.0.0.0 192.168.200.100
#  //Voice configuration
voice
 r2 signalling-type argentina
 r2 signalling-type brazil
 r2 signalling-type mexico
 r2 signalling-type standard
 diagnose
return

----End
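
A check a reviewer might run over display current-configuration output and over the SSH and RADIUS settings from 2.2.8, as an added example rather than a Huawei tool: it splits the configuration at the # separators and flags management-plane weaknesses. The rule names, both sample configurations and the <cipher-text> placeholder are constructed; authentication-mode password and protocol inbound telnet appear only to build the weak case.

```python
import re

# Constructed sample based on Step 2 of 2.2.8 (key material replaced by a placeholder).
PAGE_CONFIG = """
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh   //Configure the VTY user interfaces to support only SSH.
#
aaa
 authentication-scheme newscheme
  authentication-mode radius
 domain ssh.com
  authentication-scheme newscheme
  radius-server ssh
#
radius-server template ssh
 radius-server shared-key cipher <cipher-text>
 radius-server authentication 10.164.6.49 1812
#
 stelnet server enable
#
"""

# Constructed weak configuration used to exercise every rule except STELNET-OFF.
WEAK_CONFIG = """
#
 ftp server enable
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound telnet
#
aaa
 domain ssh.com
  radius-server ssh
#
 ssh client first-time enable
#
"""


def split_sections(config):
    """Split VRP configuration text into sections; a line holding only '#' separates them."""
    sections, current = [], []
    for raw in config.splitlines():
        line = re.split(r"\s+//", raw, maxsplit=1)[0].strip()   # drop inline // annotations
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(config):
    """Return (rule, location, message) tuples for the management-plane checks below."""
    sections = split_sections(config)
    flat = [line for sec in sections for line in sec]
    findings = []

    vty = [s for s in sections if s[0].startswith("user-interface vty")]
    for sec in vty:
        if "authentication-mode aaa" not in sec:
            findings.append(("VTY-AAA", sec[0], "login is not tied to AAA user accounts"))
        if [l for l in sec if l.startswith("protocol inbound")] != ["protocol inbound ssh"]:
            findings.append(("VTY-SSH-ONLY", sec[0], "lines are not restricted to SSH"))
    ssh_only = vty and not any(f[0] == "VTY-SSH-ONLY" for f in findings)
    if ssh_only and "stelnet server enable" not in flat:
        findings.append(("STELNET-OFF", "global", "SSH-only VTY but STelnet is not enabled"))

    if "ftp server enable" in flat:
        findings.append(("FTP-SERVER", "global", "FTP carries credentials and files in cleartext"))
    if "ssh client first-time enable" in flat:
        findings.append(("SSH-TOFU", "global", "server key is accepted unverified on first login"))

    # A domain that points at a RADIUS template needs that template to exist and be complete.
    templates = {s[0].split()[-1]: s for s in sections
                 if s[0].startswith("radius-server template ")}
    for sec in (s for s in sections if s[0] == "aaa"):
        domain = None
        for line in sec[1:]:
            if line.startswith("domain "):
                domain = line.split()[1]
            elif domain and re.fullmatch(r"radius-server \S+", line):
                body = templates.get(line.split()[1], [])
                has_key = any(l.startswith("radius-server shared-key ") for l in body)
                has_srv = any(l.startswith("radius-server authentication ") for l in body)
                if not (has_key and has_srv):
                    findings.append(("RADIUS-TEMPLATE", "domain " + domain,
                                     "RADIUS template is missing or has no key/server"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg))
```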

2.3 Upgrade

2.3.1 Example for Using the BootROM Menu to Upgrade a System Software Package from an FTP Server

Applicability
This example applies to all versions and AR routers.

Networking Requirements
The management interface of RouterA connects to Host A. You need to use the BootROM
menu on RouterA to download the upgrade system software package to RouterA from an FTP
server.

Figure 2-18 Using the BootROM menu to upgrade a system software package from an FTP
server

Procedure
Step 1 Start the FTP server on Host A.

Step 2 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 3 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.

Press Ctrl+B to break auto startup ... 2

NOTE

The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.

Step 4 Select choice 3 to enter the network menu.


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):3

Step 5 Select choice 2 to modify parameters.


Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):2

Step 6 Set Ftp type to 0 (indicating FTP). Then set the management interface's IP address, mask, and
gateway address, and the FTP server's IP address, user name, and password.
NOTE:
Ftp type define: 0(ftp), 1(tftp),
ENTER = no change; '.' = clear;

Ftp type : 0
File name : software.cc
Ethernet ip address : 192.168.200.174
Ethernet ip mask : ffffff00
Gateway ip address :
Ftp host ip address : 192.168.200.1
Ftp user : huawei
Ftp password : **********

Step 7 When the system returns to the network menu, select choice 4 to download the specified
system software package from the FTP server.
Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):4

Step 8 Select the path to save the downloaded file.


Download file to: [ 1:flash 2:sd1 ]:2
Check SD Card[1] file system. Please wait....

sd1:/ - Volume is OK

File system check OK!


Downloading ....
Get 77773440 Bytes from 192.168.200.1.
Writing file:[sd1:/software.cc] to file
system........................................
................................................................................
................................................................................
................................................................................
...............................................OK!

Step 9 After the file is downloaded successfully, return to the main menu and change the startup
configuration.
Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):4

Step 10 Specify the system software for next startup.


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return

Enter your choice(0-5):2


Select Boot File

1. Flash
2. SDCard[1]
0. Return

Enter your choice(0-2):2


NOTE: Boot file must be .cc or .CC

Current boot file: sd1:/softwarenew.cc


Press ENTER directly for no change.
Or, please input the new file name: sd1:/software.cc
Save the boot file name: sd1:/software.cc ? Yes or No(Y/N)y
Save load state word...OK!

Step 11 Return to the main menu and restart the router.


Select Boot File

1. Flash
2. SDCard[1]
0. Return

Enter your choice(0-2):0


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return

Enter your choice(0-5):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):7

----End

Configuration Notes
Do not perform any operation on the BootROM menu. If required, contact technical support
personnel.

2.3.2 Example for Using the BootROM Menu to Upgrade a System Software Package from a TFTP Server

Applicability
This example applies to all versions and routers.

Networking Requirements
The management interface of RouterA connects to Host A. You need to use the BootROM
menu on RouterA to download the upgrade system software package to RouterA from a TFTP
server.

Figure 2-19 Using the BootROM menu to upgrade a system software package from a TFTP
server

Procedure
Step 1 Start the TFTP server on Host A.

Step 2 Connect a PC to the device with a serial cable and log in to the device through the console
port.

Step 3 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.

Press Ctrl+B to break auto startup ... 2

NOTE

The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.

Step 4 Select choice 3 to enter the network menu.


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):3

Step 5 Select choice 2 to modify parameters.


Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):2

Step 6 Set Ftp type to 1 (indicating TFTP). Then set the management interface's IP address, mask,
and gateway address, and the TFTP server's IP address, user name, and password.
NOTE:
Ftp type define: 0(ftp), 1(tftp),
ENTER = no change; '.' = clear;

Ftp type : 1
File name : software.cc
Ethernet ip address : 192.168.200.174
Ethernet ip mask : ffffff00
Gateway ip address :
Ftp host ip address : 192.168.200.1
Ftp user :
Ftp password :

Step 7 When the system returns to the network menu, select choice 4 to download the specified
system software package from the TFTP server.
Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):4

Step 8 Select the path to save the downloaded file.


Download file to: [ 1:flash 2:sd1 ]:2
Check SD Card[1] file system. Please wait....

sd1:/ - Volume is OK

File system check OK!


Downloading ....
Get 77773440 Bytes from 192.168.200.1.
Writing file:[sd1:/software.cc] to file
system........................................
................................................................................
................................................................................
................................................................................
...............................................OK!

Step 9 After the file is downloaded successfully, return to the main menu and change the startup
configuration.
Network Menu

1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return

Enter your choice(0-4):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):4

Step 10 Specify the system software for next startup.


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return

Enter your choice(0-5):2


Select Boot File

1. Flash
2. SDCard[1]
0. Return


Enter your choice(0-2):2


NOTE: Boot file must be .cc or .CC

Current boot file: sd1:/softwarenew.cc


Press ENTER directly for no change.
Or, please input the new file name: sd1:/software.cc
Save the boot file name: sd1:/software.cc ? Yes or No(Y/N)y
Save load state word...OK!

Step 11 Return to the main menu and restart the router.


Select Boot File

1. Flash
2. SDCard[1]
0. Return

Enter your choice(0-2):0


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return

Enter your choice(0-5):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):7

----End

Configuration Notes
Do not perform any operation on the BootROM menu. If required, contact technical support
personnel.

2.3.3 Example for Using the Router as a TFTP Client to Upgrade the Router

Applicability
This example applies to all versions and AR routers.

Networking Requirements
The AR router connects to a TFTP server and functions as a TFTP client. You need to
download the new system software package to the router using TFTP to upgrade the router.


Figure 2-20 Using the router as a TFTP client to upgrade the router

Procedure
Step 1 Configure the router.
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface connected to the TFTP server.

Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: flash:/software.cc
Next startup system software: flash:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: flash:/initcfg.cfg
Next startup saved-configuration file: flash:/initcfg.cfg

Step 3 Download the new system software package, and then check whether the system software
package is successfully downloaded.
<Huawei> tftp 10.1.1.1 get software_new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
77,582,080 bytes received in 241 seconds.
TFTP: Downloading the file successfully.
<Huawei> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time(LMT) FileName


0 -rw- 69,363,072 Nov 21 2011 19:58:50 software.cc
5 -rw- 77,582,080 Dec 13 2011 10:41:12 software_new.cc

Step 4 Specify the system software for next startup.


<Huawei> startup system-software software_new.cc
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system

Step 5 Restart the router.


<Huawei> reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Step 6 Verify the configuration.


<Huawei> display startup
MainBoard:
Startup system software: flash:/software_new.cc
Next startup system software: flash:/software_new.cc
Backup system software for next startup: null
Startup saved-configuration file: flash:/initcfg.cfg
Next startup saved-configuration file: flash:/initcfg.cfg

----End


Configuration Notes
• Before starting the upgrade, enable the TFTP server on the PC and save the new system
  software package on the PC.
• Do not power off the router during the upgrade. Otherwise, configuration of the router
  may be lost. As a result, the router cannot start.

2.3.4 Example for Using the Router as an FTP Client to Upgrade the Router

Applicability
This example applies to all versions and AR routers.

Networking Requirements
The AR router connects to an FTP server and functions as an FTP client. You need to
download the new system software package to the router using FTP to upgrade the router.

Figure 2-21 Using the router as an FTP client to upgrade the router

Procedure
Step 1 Configure the router.
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface connected to the FTP server.

Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software.cc
Next startup system software: sd1:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg

Step 3 Download the new system software from the FTP server.
<Huawei> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(192.168.200.1:(none)):huawei
331 Give me your password, please
Enter password:
230 Logged in successfully
[Huawei-ftp]binary
200 Type is Image (Binary)


[Huawei-ftp]get software_new.cc
200 PORT command okay
150 "D:\ftp\software_new.cc" file ready to send (77582080 bytes) in image / Binary mode
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
...............................
226 Transfer finished successfully.
FTP: 77582080 byte(s) received in 152.403 second(s) 509.05Kbyte(s)/sec.
[Huawei-ftp]quit
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
<Huawei> dir
Directory of sd1:/

Idx Attr Size(Byte) Date Time(LMT) FileName


5 -rw- 69,363,072 Nov 21 2011 19:58:50 software.cc
7 -rw- 77,582,080 Dec 14 2011 10:28:31 software_new.cc

Step 4 Specify the system software for next startup.


<Huawei> startup system-software software_new.cc
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system

Step 5 Restart the router.


<Huawei> reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Step 6 Use Telnet to log in to the router and verify the configuration.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software_new.cc
Next startup system software: sd1:/software_new.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg

----End

Configuration Notes
• Before starting the upgrade, enable the FTP server on the PC and save the new system
  software package on the PC.
• Do not power off the router during the upgrade. Otherwise, configuration of the router
  may be lost. As a result, the router cannot start.
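
Step 3 of the TFTP and FTP client examples checks the download by comparing the transfer report with the dir listing, and the last step confirms the next startup file. The following added example (not part of the original manual) automates both checks on a saved console capture; the function names and the sample capture are constructed for illustration, and it goes beyond the text by accepting both the TFTP and the FTP report formats.

```python
import re

# Constructed capture, assembled from the command output shown in the TFTP example.
SAMPLE_CAPTURE = """\
<Huawei> tftp 10.1.1.1 get software_new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
77,582,080 bytes received in 241 seconds.
TFTP: Downloading the file successfully.
<Huawei> dir
Directory of flash:/
  Idx  Attr  Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-  69,363,072  Nov 21 2011 19:58:50   software.cc
    5  -rw-  77,582,080  Dec 13 2011 10:41:12   software_new.cc
<Huawei> startup system-software software_new.cc
Info: Succeeded in setting the file for booting system
<Huawei> display startup
MainBoard:
  Startup system software:                   flash:/software.cc
  Next startup system software:              flash:/software_new.cc
"""

# "77,582,080 bytes received" (TFTP) or "FTP: 77582080 byte(s) received" (FTP).
RECEIVED_RE = re.compile(r"(?:^|\s)([\d,]+) byte(?:s|\(s\)) received", re.M)
# One row of the dir listing: index, attributes, size, date, time, file name.
DIR_ROW_RE = re.compile(
    r"^[ \t]*\d+[ \t]+\S+[ \t]+([\d,]+)[ \t]+\w{3}[ \t]+\d{1,2}[ \t]+\d{4}"
    r"[ \t]+\d{2}:\d{2}:\d{2}[ \t]+(\S+)[ \t]*$", re.M)
NEXT_STARTUP_RE = re.compile(
    r"^[ \t]*Next startup system software:[ \t]*(\S+)[ \t]*$", re.M)


def _to_int(text):
    return int(text.replace(",", ""))


def bytes_received(capture):
    """Byte count from the last transfer report in the capture, or None."""
    matches = RECEIVED_RE.findall(capture)
    return _to_int(matches[-1]) if matches else None


def dir_sizes(capture):
    """Map file name -> size in bytes for every row of the dir listing."""
    return {name: _to_int(size) for size, name in DIR_ROW_RE.findall(capture)}


def next_startup_file(capture):
    """Path from the last 'Next startup system software' line, or None."""
    matches = NEXT_STARTUP_RE.findall(capture)
    return matches[-1] if matches else None


def check_upgrade(capture, filename):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    received = bytes_received(capture)
    listed = dir_sizes(capture).get(filename)
    if received is None:
        problems.append("no transfer report found")
    if listed is None:
        problems.append(f"{filename} is missing from the dir listing")
    if received is not None and listed is not None and received != listed:
        problems.append(
            f"size mismatch: transfer reported {received} bytes, dir shows {listed}")
    nxt = next_startup_file(capture)
    if nxt is None or nxt.rsplit("/", 1)[-1] != filename:
        problems.append(f"next startup file is {nxt}, expected {filename}")
    return problems


if __name__ == "__main__":
    print(check_upgrade(SAMPLE_CAPTURE, "software_new.cc") or "all checks passed")
```

A matching size shows that the transfer completed; it does not authenticate the image, which TFTP and FTP cannot do on their own.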

2.3.5 Example for Using the Router as an FTP Server to Upgrade the Router

Applicability
This example applies to all versions and AR routers.


Networking Requirements
To upgrade the device, you must upload the system software to the device functioning as an
FTP server.

Figure 2-22 Using the router as an FTP server to upgrade the router

Procedure
Step 1 Configure FTP Server.
#
ftp server enable //Globally enable the FTP server function.
#
aaa
 local-user huawei password irreversible-cipher //Create a local user.
 local-user huawei privilege level 15 //Specify the FTP user level for the local user.
 local-user huawei ftp-directory sd1: //Specify the FTP working directory for the local user.
 local-user huawei service-type ftp //Set the service type of the local user to FTP.
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the interface connected to the FTP client.

Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software.cc
Next startup system software: sd1:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg

Step 3 Upload the new system software package to the router from the FTP client, as shown in
Figure 2-23.


Figure 2-23 Uploading the new system software package from the FTP client

Step 4 On the FTP server (router), check whether the software package is successfully uploaded.
<Huawei> dir
Directory of sd1:/

Idx Attr Size(Byte) Date Time(LMT) FileName


1 -rw- 69,363,072 Nov 21 2011 19:58:50 software.cc
2 -rw- 77,582,080 Dec 13 2011 16:31:17 software_new.cc

Step 5 Specify the system software for next startup.


<Huawei> startup system-software software_new.cc
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system

Step 6 Restart the router.


<Huawei> reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...

Step 7 Use Telnet to log in to the router and verify the configuration.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software_new.cc
Next startup system software: sd1:/software_new.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg

----End


Configuration Notes
• Do not power off the router during the upgrade. Otherwise, configuration of the router
  may be lost. As a result, the router cannot start.
• You must set the FTP working directory. You can use the local-user huawei ftp-directory
  command to specify an FTP working directory for the FTP user, or run the set default
  ftp-directory command to configure the default FTP working directory.
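
The working-directory requirement above can be checked before the upload is attempted. The following added example (not part of the original manual) reads a saved configuration and lists local users whose service type includes FTP but who have no ftp-directory, unless a default FTP directory is configured; the user "backup", the "<elided>" password placeholders and the function names are constructed for illustration.

```python
import re

# Constructed configuration: the "huawei" user follows Step 1 of this example,
# the "backup" user is hypothetical and lacks an FTP working directory.
SAMPLE_CONFIG = """\
ftp server enable
#
aaa
 local-user huawei password irreversible-cipher <elided>
 local-user huawei privilege level 15
 local-user huawei ftp-directory sd1:
 local-user huawei service-type ftp
 local-user backup password irreversible-cipher <elided>
 local-user backup service-type ftp
#
"""

LOCAL_USER_RE = re.compile(r"^\s*local-user\s+(\S+)\s+(.*)$")
DEFAULT_DIR_RE = re.compile(r"^\s*set default ftp-directory\s+\S+", re.M)


def parse_local_users(config):
    """Collect service types, FTP directory and privilege level per local user."""
    users = {}
    for line in config.splitlines():
        line = line.split("//", 1)[0]          # drop manual-style comments
        match = LOCAL_USER_RE.match(line)
        if match is None:
            continue
        name, rest = match.groups()
        tokens = rest.split()
        if not tokens:
            continue
        user = users.setdefault(
            name, {"services": set(), "ftp_directory": None, "level": None})
        if tokens[0] == "service-type":
            user["services"].update(tokens[1:])
        elif tokens[0] == "ftp-directory" and len(tokens) > 1:
            user["ftp_directory"] = tokens[1]
        elif tokens[:2] == ["privilege", "level"] and len(tokens) > 2:
            user["level"] = int(tokens[2])
    return users


def ftp_users_without_directory(config):
    """Names of FTP users that have no working directory of their own.

    Returns an empty list when a default FTP directory is configured,
    because that default then applies to every FTP user.
    """
    if DEFAULT_DIR_RE.search(config):
        return []
    users = parse_local_users(config)
    return sorted(name for name, user in users.items()
                  if "ftp" in user["services"] and user["ftp_directory"] is None)


if __name__ == "__main__":
    for name in ftp_users_without_directory(SAMPLE_CONFIG):
        print(f"local-user {name}: service-type ftp but no ftp-directory")
```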

2.4 BootROM Menu Operations

2.4.1 Example for Deleting Console Port and Telnet Passwords Through BootROM

Specifications
This example applies to all versions and AR routers.

Networking Requirements
The management interface of RouterA connects to the PC. The passwords for logging in
through the console port and Telnet need to be deleted through the BootROM menu.

Figure 2-24 Changing the name of the configuration file for next startup

Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.

Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.

Press Ctrl+B to break auto startup ... 2


NOTE

The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.

Step 3 In the BootROM menu, you can clear the console port login password or Telnet login
password using either of the following methods (1 or 2).
1. Select choice 4 to enter the Startup Select menu.
Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):4

a. Select choice 1 to enter the Startup Select menu.


In V200R001C01SPC300 and later versions, you can use the following method to
view the configuration file. In V200R001C01SPC300, the menu choice is Startup
Information. In versions later than V200R001C01SPC300, the menu choice is
Display Startup.
Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
0. return

Enter your choice(0-4):1

************** Current Startup info ****************


Valid Flag State : Vaild
Boot File Name : sd1:/software.cc
Config File Name : sd1:/vrpcfg.cfg
Licence File Name :
Patch State : Deactivate
Patch File Name :
Voice File Name :

b. Rename the configuration file.


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
0. return


Enter your choice(0-4):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):5

File Menu

1. Flash file system
2. SDCard file system
0. Return

Enter your choice(0-2):2


SDCard file system MENU

1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):3


Please input the file name: vrpcfg.cfg
Please input the new name: vrpcfg_cpy.cfg
Rename file[sd1:/vrpcfg.cfg] to [sd1:/vrpcfg_cpy.cfg], Yes or No(Y/N): y
Rename OK!

c. Start the device.


SDCard file system MENU

1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):0


File Menu

1. Flash file system
2. SDCard file system
0. Return

Enter your choice(0-2):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):1

d. Stop Auto-Config.
In V200R002C00 and earlier versions, the password does not need to be set.
In versions from V200R002C01 to V200R003C01, the following is displayed:


Please configure the login password (maximum length 16):Huawei@123 //Set the password for login through the console port for the first time.

In V200R005C00 and later versions, the following is displayed:

Please configure the login password (<8-128>) //Set the password for login through the console port for the first time.
Enter Password:
Confirm Password:
<Huawei> Auto-Config is working. Before configuring the device, stop Auto-Config.
If you perform configurations when Auto-Config is running, the DHCP, routing, DNS,
and VTY configurations will be lost. Do you want to stop Auto-Config? [y/n]:y
<Huawei>

e. Change the renamed configuration file to an executable file. Use one of the following
commands, depending on the file format.
<Huawei>rename vrpcfg_cpy.cfg vrpcfg_cpy.bat //If the file extension is .cfg, rename the file to an executable file with the .bat extension.
Rename sd1:/vrpcfg_cpy.cfg to sd1:/vrpcfg_cpy.bat? (y/n)[n]:y
Info: Rename file sd1:/vrpcfg_cpy.cfg to sd1:/vrpcfg_cpy.bat ......Done
<Huawei>unzip vrpcfg_cpy.zip vrpcfg_cpy.bat //If the file extension is .zip, decompress the file into an executable file with the .bat extension.
Extract sd1:/vrpcfg_cpy.zip to sd1:/vrpcfg_cpy.bat? (y/n)[n]:y

100% complete
%Decompressed file sd1:/vrpcfg_cpy.zip sd1:/vrpcfg_cpy.bat.

f. Restore the configuration.


[Huawei]board add 0/1 1E1-MFT

^
Error: Unrecognized command found at '^' position.
[Huawei]execute vrpcfg_cpy.bat
Information:The script file has been executed completely.

NOTE

If there is failure information about "board add" during the configuration restoration, it is a
normal situation and no action is required.
g. Reset the console port login password and Telnet login password, and record the
passwords. The console port login password has been set in V200R002C01 and
later versions. Run the save command to save the configuration.
2. Enter 6 to access the Password Manager menu.
Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot

Enter your choice(1-7):6

a. Enter 2 to clear the console port login password.


PassWord Menu

1. Modify the menu password
2. Clear the console login password
0. Return

Enter your choice(0-2):2

Clear the console login password Succeed!

PassWord Menu

1. Modify the menu password
2. Clear the console login password
0. Return

Enter your choice(0-2):0

b. Enter 1 to continue the device startup. You can then log in to the device to reset the
Telnet login password and record the password. Run the save command to save the
configuration.
NOTE

Configuring the authentication mode and password for the console user interface is
mandatory; otherwise, after the device is restarted, users still need to be authenticated using
the original password when they log in to the device through the console port.
Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
7. Password Manager

Enter your choice(1-7):1

----End

Configuration Notes
• When performing the step, ensure that users on the serial port are kept online.


• The preceding method cannot be used on the AR1200 of V200R001C00SPC200 or an
  earlier version. You must delete the configuration file in the BootROM menu and reset
  the passwords after the system restarts.

2.4.2 Example for Changing the File Name Through BootROM


Applicability
This example applies to all versions and AR routers.

Networking Requirements
The console port of RouterA connects to the PC. The file name needs to be changed through
BootROM.

Figure 2-25 Changing the file name through BootROM

Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.

Press Ctrl+B to break auto startup ... 2

NOTE

The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.

Step 3 Select choice 5 to enter the File Manager menu.


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot

Enter your choice(1-6):5


Step 4 Select a storage media based on the file system.


File Menu

1. Flash file system
2. SDCard file system
0. Return

Enter your choice(0-2):2

Step 5 View all the files on the storage media.


SDCard file system MENU

1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):1


Files of the device:

-rwxrwxrwx 76022784 Aug 23 2011 10:46:54 software.cc
-rwxrwxrwx 77290240 Aug 23 2011 10:46:54 software1.cc
-rwxrwxrwx 5641 Jun 12 2012 19:28:46 vrpcfg.cfg
3 files found!
153318665 Byte total, 2271353591 Byte free.

Step 6 Change the file name.


SDCard file system MENU

1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):3


Please input the file name: software.cc
Please input the new name: software_new.cc
Rename file[sd1:/software.cc] to [sd1:/software_new.cc], Yes or No(Y/N): y
Rename OK!

Step 7 View files on the storage media again.


SDCard file system MENU

1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):1


Files of the device:

-rwxrwxrwx 76022784 Aug 23 2011 10:46:54 softwarenew.cc
-rwxrwxrwx 77290240 Aug 23 2011 10:46:54 software1.cc
-rwxrwxrwx 5641 Jun 12 2012 19:28:46 vrpcfg.cfg
3 files found!
153318665 Byte total, 2271353591 Byte free.

The file is renamed successfully.


Step 8 Specify the file with the new file name as the system software package file.
SDCard file system MENU


1. List file in SDCard[1]
2. Delete file in SDCard[1]
3. Rename file in SDCard[1]
4. Format SDCard[1]
5. Check SDCard[1]
0. Return

Enter your choice(0-5):0


File Menu

1. Flash file system
2. SDCard file system
0. Return

Enter your choice(0-2):0


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot

Enter your choice(1-6):4


Startup Select

1. Display Startup
2. Set Boot File
3. Set Config File
0. return

Enter your choice(0-3):2


Select Boot File

1. Flash
2. SDCard[1]
0. Return

Enter your choice(0-2):2


NOTE: Boot file must be .cc or .CC

Current boot file: sd1:/software1.cc


Press ENTER directly for no change.
Or, please input the new file name: sd1:/softwarenew.cc
Save the boot file name: sd1:/softwarenew.cc ? Yes or No(Y/N)y
Save load state word...OK!

----End

Configuration Notes
• Do not randomly enter the BootROM menu to perform operations. If necessary, contact
  technical support personnel.
• When performing operations, ensure that users on the serial port are kept online.
• After modifying the system software package file name, specify the system software
  package file with the new file name as the system software package file for next startup.
  If the system software package file with the new file name is not specified as the system
  software package file for next startup, the system may fail to start.
• After modifying the configuration file name, specify the configuration file with the new
  file name as the configuration file for next startup. If the configuration file with the new
  file name is not specified as the configuration file for next startup, the system
  configuration may be lost.


2.4.3 Example for Changing the BootROM Password Through BootROM

Specifications
This example applies to all versions and AR routers.

Networking Requirements
The management interface of RouterA connects to the PC. The password used to access the
BootROM menu needs to be changed.

Figure 2-26 Networking diagram of changing the password used to access the BootROM
menu

Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.

Press Ctrl+B to break auto startup ... 2

NOTE

The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.

Step 3 Select choice 7 to enter the Password Manager menu.


Main Menu

1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
7. Password Manager

Enter your choice(1-6):7


Step 4 Select choice 1 to change the password.


PassWord Menu

1. Modify the menu password
2. Clear the console login password
0. Return

Enter your choice(0-1):1


Modify password. Press Ctrl+c to break.
Enter Old Password:******
Input new password:******
Input new password again:******
Are you sure to change password? [y/n]:y
Save new password Success.

----End

Configuration Notes
• Do not randomly enter the BootROM menu to perform operations. If necessary, contact
  technical support personnel.
• When performing operations, ensure that users on the serial port are kept online.
• Keep your password secure.

2.5 Device Management

2.5.1 Example for Outputting Log Information to a Log Host


Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 2-27, the router connects to the IP network through Ethernet1/0/0.
The router collects log information and sends logs to the log host.

Figure 2-27 Sending logs to a log host

Procedure
Step 1 Configure the router.
#
info-center channel 6 name loghost1 //Set the name of channel 6 to loghost1.
info-center source IP channel 6 log level warning //Configure the router to send logs of the IP module through channel 6 and set the minimum log severity to warning.
info-center loghost source Ethernet1/0/0 //Configure the source interface that sends logs.
info-center loghost 10.1.1.1 channel 6 //Configure the router to send logs to a log host.
#
interface Ethernet1/0/0
 ip address 11.1.1.1 255.255.255.0 //Configure an IP address for the router interface.
#
ip route-static 10.1.1.1 255.255.255.255 Ethernet1/0/0 11.1.1.2 //Configure a static route between the router and log host and ensure that the route is reachable.
#

Step 2 Configure the log host. The configuration details are not mentioned here.

# The log host can run the Unix or Linux operating system or run a third party's log software.

Step 3 Verify the configuration.

# Run the display info-center command on the router to view log host information. The
command output shows that the channel name of the Log host field is loghost1.

----End

Configuration Notes
• After the log severity is set, the router sends only logs of that severity or higher and
  filters out logs of lower severity.
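
The severity filter and the configured source interface can be checked from the log host side. The following added example (not part of the original manual) audits received datagrams against this example's settings, assuming the router sends standard syslog messages whose PRI value is facility * 8 + severity; the sample datagrams and function names are constructed for illustration.

```python
import re

# info-center severity keywords in syslog order (0 is the most severe).
SEVERITIES = ["emergencies", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging"]

EXPECTED_SOURCE = "11.1.1.1"   # address of Ethernet1/0/0, the loghost source
THRESHOLD = "warning"          # minimum severity configured for channel 6

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed datagrams as (sender address, payload) pairs; message text is made up.
SAMPLE_DATAGRAMS = [
    ("11.1.1.1", "<188>Dec 13 2011 10:41:12 Router constructed warning message"),
    ("11.1.1.1", "<187>Dec 13 2011 10:41:13 Router constructed error message"),
    ("11.1.1.1", "<190>Dec 13 2011 10:41:14 Router constructed informational message"),
    ("10.9.9.9", "<188>Dec 13 2011 10:41:15 Router constructed message, other sender"),
    ("11.1.1.1", "not a syslog line"),
]


def decode_pri(raw):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    match = PRI_RE.match(raw)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:              # highest valid value: facility 23, severity 7
        return None
    return pri // 8, pri % 8


def audit(datagrams, source=EXPECTED_SOURCE, threshold=THRESHOLD):
    """List (sender, reason) pairs for datagrams that contradict the configuration."""
    limit = SEVERITIES.index(threshold)
    findings = []
    for sender, raw in datagrams:
        decoded = decode_pri(raw)
        if decoded is None:
            findings.append((sender, "no valid syslog PRI"))
            continue
        _, severity = decoded
        if sender != source:
            findings.append((sender, "sender is not the configured source"))
        if severity > limit:   # a larger number means a lower severity
            findings.append((sender, SEVERITIES[severity] + " is below the threshold"))
    return findings


if __name__ == "__main__":
    for sender, reason in audit(SAMPLE_DATAGRAMS):
        print(sender, reason)
```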

2.5.2 Example for Outputting Log Information to a Log File

Specifications
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 2-28, the router connects to the Internet through Eth1/0/0. There is a
reachable router between the router and the FTP server.

The maintenance personnel want to use the FTP server to view log files generated by the
router so that the maintenance personnel can learn the running status of the router. When the
router is faulty, the maintenance personnel can quickly locate the fault.

Figure 2-28 Exporting logs into the log file


Procedure
Step 1 Configure the router.
#
sysname Router
#
info-center source IP channel 9 log level warning //Configure channel 9 to send logs of the IP module. The log severity is warning.
#
interface GigabitEthernet1/0/0
 ip address 10.2.1.1 255.255.0.0 //Configure an IP address for the router interface.
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet1/0/0 10.2.1.2 //Configure a static route and ensure that there is a reachable route between the router and the FTP server.
#

Step 2 Configure the router to transfer the log file to the FTP server.
# Log in to the FTP server.
<Router> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(192.168.1.100:(none)):huawei
331 Give me your password, please
Enter password:
230 Logged in successfully

# Configure the router to transfer the log file to the FTP server (Micro SD card is used as an
example of storage device).
[Router-ftp] put sd1:/logfile/log.log
200 PORT command okay
150 "D:\UPDATE\log.log" file ready to receive in ASCII mode
226 Transfer finished successfully.
FTP: 2761463 byte(s) sent in 26.062 second(s) 105.95Kbyte(s)/sec.
[Router-ftp] quit

Step 3 Verify the configuration.


# After the configuration, you can view logs in the log.log file on the FTP server.

----End

Configuration Notes
• By default, the router uses channel 9 to export logs into the log file. You can run the
  info-center logfile channel { channel-number | channel-name } command to change the
  channel.
• By default, the path for saving log files is as follows (the info-center logfile path path
  command can change the path):
  – On the AR150&AR160&AR200, log files can be saved only to the flash memory
    or a USB flash drive. The default log storage medium is flash memory.
  – On the AR1200, log files can be saved only to a USB flash drive. The default
    log storage medium is usb0. If usb0 is unavailable, the default log storage medium
    is usb1. If both usb0 and usb1 are unavailable, log files cannot be saved.
  – On the AR2200 and AR3200, log files can be saved only to a USB flash drive
    or SD card. The system selects a storage medium in descending order of priority:
    sd0, sd1, usb0, and usb1. The default log storage medium is sd0. If sd0 is
    unavailable, the default log storage medium is sd1. If none of sd0, sd1, usb0, and
    usb1 is available, log files cannot be saved.
• By default, the log file size is 8 MB. You can run the info-center logfile size size
  command to set the log file size. If the size of a log file generated on the router exceeds
  the configured log file size, the system compresses the log file into a zip file. You can
  also run the save logfile command to save log files to the specified path.
• By default, 200 log files are saved. You can run the info-center max-logfile-number
  filenumbers command to set the maximum number of log files to be saved. If the number
  of log files generated on the router exceeds the limit, the system deletes the oldest log
  file so that the number of log files is not larger than the maximum value.


3 Internet Access

3.1 NAT
3.2 Bandwidth Management

3.1 NAT

3.1.1 Example for Connecting Intranet Users to the Internet in Easy IP Mode

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-1, the IP address of GE0/0/1 (outbound interface) on the router is
1.1.1.2/24, and the IP address of Eth0/0/1 is 192.168.0.1/24. The remote IP address of
GE0/0/1 is 1.1.1.1/24.

The intranet user uses Easy IP to access the Internet through GE0/0/1.

Figure 3-1 Easy IP configuration on the outbound interface


Procedure
Step 1 Configure the router.
#
sysname Router //Set the device name.
#
acl number 2000 //Configure the IP address segment on which IP addresses can be
translated using NAT as 192.168.0.0/24.
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface Ethernet0/0/1
undo portswitch
ip address 192.168.0.1 255.255.255.0 //Configure an IP address for the intranet
gateway.
#
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0
nat outbound 2000 //Configure Easy IP on outbound interface GE0/0/1.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a default route from the
outbound interface to the remote interface and ensure that the route is reachable.
#

Step 2 Verify the configuration.

Run the display nat outbound command on the router to view the Easy IP configuration of
the outbound interface.

----End

Configuration Notes
• Configure an ACL to determine for which network segment NAT needs to be performed.
• Configure NAT on an outbound interface.
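
The ACL bound to nat outbound decides which sources are translated, so it is worth checking what a rule's wildcard mask really covers. The following is an added example, not part of the Huawei document: it evaluates rule lines copied from this page against sample addresses and flags permit rules with a very broad source. First-match evaluation in rule-ID order, "no match means no translation", and the 65536-address threshold are assumptions; the vpn-instance keyword is ignored.

```python
import ipaddress
import re

# Rule lines copied from ACLs on this page (sections 3.1.1, 3.1.5 and 3.1.6).
ACL_EASY_IP = ["rule 5 permit source 192.168.0.0 0.0.0.255"]
ACL_HAIRPIN = ["rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0"]
ACL_ANY = ["rule 5 permit source any"]

FULL = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _field(tokens, keyword):
    """Return (address, wildcard) for 'source' or 'destination'; None if the rule omits it."""
    if keyword not in tokens:
        return None
    i = tokens.index(keyword)
    if tokens[i + 1] == "any":
        return (0, FULL)
    wildcard = tokens[i + 2]
    # A wildcard written as plain "0" is shorthand for 0.0.0.0 (exact host).
    return (_ip(tokens[i + 1]), 0 if wildcard == "0" else _ip(wildcard))


def parse_rule(line):
    """Parse one 'rule <id> permit|deny ...' line into a dict."""
    line = line.split("//")[0]  # drop the manual's inline annotation
    m = re.match(r"\s*rule\s+(\d+)\s+(permit|deny)\b(.*)", line)
    if not m:
        raise ValueError(f"not an ACL rule: {line!r}")
    tokens = m.group(3).split()
    return {
        "id": int(m.group(1)),
        "action": m.group(2),
        "source": _field(tokens, "source"),
        "destination": _field(tokens, "destination"),
    }


def _hit(field, addr):
    if field is None:  # the rule does not constrain this field
        return True
    if addr is None:   # the rule constrains it but no address was supplied
        return False
    base, wildcard = field
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return (_ip(addr) ^ base) & ~wildcard & FULL == 0


def evaluate(acl_lines, src, dst=None):
    """Return the action of the first matching rule in rule-ID order, else 'no-match'."""
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if _hit(rule["source"], src) and _hit(rule["destination"], dst):
            return rule["action"]
    return "no-match"


def broad_permits(acl_lines, max_sources=65536):
    """IDs of permit rules whose source part covers more than max_sources addresses."""
    flagged = []
    for rule in map(parse_rule, acl_lines):
        wildcard = FULL if rule["source"] is None else rule["source"][1]
        if rule["action"] == "permit" and 2 ** bin(wildcard).count("1") > max_sources:
            flagged.append(rule["id"])
    return flagged


if __name__ == "__main__":
    print(evaluate(ACL_EASY_IP, "192.168.0.77"))                # inside 192.168.0.0/24
    print(evaluate(ACL_EASY_IP, "192.168.1.77"))                # outside: not translated
    print(evaluate(ACL_HAIRPIN, "192.168.1.3", "11.11.11.6"))   # host wildcard "0"
    print(broad_permits(ACL_ANY))                               # 'source any' is flagged
```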

3.1.2 Example for Connecting Intranet Users to the Internet in NAT Address Pool Mode

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-2, the router allows intranet users to access the Internet using IP
addresses in a NAT address pool.

Figure 3-2 Internet access configuration using a NAT address pool


Procedure
Step 1 Configure the Router.
#
vlan batch 100
#
acl number 2000 //Specify the IP address segment on which IP addresses can be
translated using NAT.
rule 5 permit source 192.168.20.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200 //Configure a NAT address pool.
#
interface vlanif100 //Configure an IP address for the intranet gateway.
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 1 //Configure outbound NAT on the outbound
interface.
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 //Configure a default route.

Step 2 Verify the configuration.


# Run the display nat session command on the router to view the NAT session table.
# Intranet users can use IP addresses in the NAT address pool configured on the router to
access the Internet.

----End

3.1.3 Example for Configuring NAT to Enable Users to Access the Internet and Provide the WWW Service Externally

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-3, the router uses NAT to translate private IP addresses of intranet users
and provides the WWW service to Internet users.

Figure 3-3 Configuring the WWW service using NAT


Procedure
Step 1 Configure the Router.
#
vlan batch 100
#
acl number 2000 //Specify the IP address segment on which IP addresses can be
translated using NAT.
rule 5 permit source 192.168.20.0 0.0.0.255
#
interface vlanif100 //Configure an IP address for the intranet gateway.
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 1 //Configure outbound NAT on the outbound
interface.
nat static protocol tcp global 2.2.2.103 www inside 192.168.20.2 8080 //
Configure the WWW service on the intranet server at 192.168.20.2 on the outbound
interface.
#
nat address-group 1 2.2.2.100 2.2.2.200 //Configure a NAT address pool.
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 //Configure a default route.

Step 2 Verify the configuration.


# Run the display nat outbound command on the router to view outbound NAT
configuration.
# Run the display nat static command to view NAT static configuration.
# Internet users can use the intranet WWW service.

----End

3.1.4 Example for Connecting VPN Users to the Internet in NAT Mode

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-4, the router connects to two VPN instances, VPN A and VPN B. The
remote IP address of GE0/0/0 connecting the router to the Internet is 1.1.1.2/24. VPN A and
VPN B are required to access the Internet using NAT.


Figure 3-4 NAT multi-instance configuration

Procedure
Step 1 Configure the router.
#
ip vpn-instance vpna //Configure VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Configure VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
acl number 2000 //Configure ACL 2000 bound to outbound NAT.
rule 5 permit vpn-instance vpna source 192.168.1.0 0.0.0.255
rule 10 permit vpn-instance vpnb source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0 //Specify the outbound interface of the router.
ip address 1.1.1.1 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/1 //Specify the interface bound to VPN instance
vpna.
ip binding vpn-instance vpna
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //Specify the interface bound to VPN instance
vpnb.
ip binding vpn-instance vpnb
ip address 172.16.2.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 vpn-instance vpna 172.16.1.2 //
Configure a static route from the Internet to hosts in VPN instance vpna, and set
the next hop to CE1.
ip route-static 192.168.2.0 255.255.255.0 vpn-instance vpnb 172.16.2.2 //
Configure a static route from the Internet to hosts in VPN instance vpnb, and set
the next hop to CE2.
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 1.1.1.2 public //Configure a
default route from hosts in VPN instance vpna to the Internet.
ip route-static vpn-instance vpnb 0.0.0.0 0.0.0.0 1.1.1.2 public //Configure a
default route from hosts in VPN instance vpnb to the Internet.
#

Step 2 Verify the configuration.


# Run the ping 1.1.1.2 command on hosts in VPN A and VPN B. If the ping operations
succeed, the NAT multi-instance configuration is correct.

----End

Configuration Notes
• Specify a VPN instance when configuring ACLs for NAT.
• Configure both the route from a VPN instance to the Internet and a route from the
Internet to the VPN instance.
• CE configuration is not mentioned in this configuration example. You can configure the
CE according to networking requirements.

3.1.5 Example for Configuring NAT to Allow the Internal Host and External Host to Access the Internal Server Using an External IP Address

Specifications
This example applies to all AR routers of V200R003C01 and later versions.

Networking Requirements
As shown in Figure 3-5, GE1/0/0 on the router connects to the internal network and its IP
address is 192.168.1.1/24. GE2/0/0 on the router connects to the external network and its IP
address is 11.11.11.1/8. The internal server has an internal IP address 192.168.1.2/24 and an
external IP address 11.11.11.6. The internal host at 192.168.1.3/24 wants to access the internal
server.
The internal host and external host are required to use external IP address 11.11.11.6 to access
the internal server.


Figure 3-5 Networking diagram for configuring NAT

Procedure
Step 1 Configure the router.
#
acl number 3000 //Configure an ACL rule to allow packets with source address
192.168.1.0 and destination address of 11.11.11.6.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 //
Configure one-to-one NAT between public address 11.11.11.6 and private address
192.168.1.2.
nat outbound 3000 //Configure Easy IP that uses IP address of GE1/0/0 as the
translated IP address. This ensures that packets exchanged between internal
servers and hosts are forwarded by the router.
#
interface GigabitEthernet2/0/0
ip address 11.11.11.1 255.0.0.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 //
Ensure that external users can use IP address 11.11.11.6 to access servers.
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2 //Configure a default route to ensure
that internal users can connect to external networks.
#
return

Step 2 Verify the configuration.


# The internal host and external host can access the internal server using a public address
11.11.11.6.

----End

Configuration Notes
• Configure an ACL to determine for which network segment NAT needs to be performed.
• On the Layer 2 interface card of the AR2220, AR2240, AR2240C, AR3200 series, 3600
series, NAT needs to be configured on the VLANIF interface. In this case, run the set
workmode lan-card l3centralize command in the system view to enable centralized
forwarding so that NAT on the VLANIF interface takes effect.
If users are allocated only one public IP address 11.11.11.6 and NAT needs to be performed
for translating some protocol packets, perform the following operations:
• On the router, configure the loopback interface address 11.11.11.6/8 as the gateway
address.
• Run the nat static protocol { tcp | udp } global interface loopback interface-number
global-port inside host-address [ netmask mask ] command in the system view to
configure global NAT.

NOTE
In V200R008C00 and later versions, if the NAT ALG function is configured, change the destination address
in ACL 3000 to the intranet address of the server: rule 5 permit ip source 192.168.1.0 0.0.0.255 destination
192.168.1.2 0.

3.1.6 Example for Configuring NAT Static and Outbound NAT to Implement Communication Between Public Network Users and Servers

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-6, an FTP server is deployed on the Internet and the router functions as
the enterprise egress gateway. To ensure security, the enterprise requires that service traffic
between public network users and the FTP server be forwarded through the router and that
the IP addresses of the public network users and the server not be detected.

Figure 3-6 Networking for configuring NAT static and outbound NAT to implement
communication between public network users and servers

Procedure
Step 1 Configure the router.


#
sysname Router
#
acl number 2000
rule 5 permit source any
#
interface GigabitEthernet1/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 //Configure outbound NAT and map the actual IP address of the
user to the IP address of GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 1.1.1.1 255.255.255.0
nat static global current-interface inside 2.2.2.2 //Configure NAT static and
map the actual IP address of the FTP server to the IP address of GE2/0/0.
#
return

Step 2 Verify the configuration.


# Run the display nat outbound command on the router.
<Router> display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
GigabitEthernet1/0/0 2000 2.2.2.1 easyip
--------------------------------------------------------------------------
Total : 1

# Run the display nat static command on the router.


<Router> display nat static
Static Nat Information:
Interface : GigabitEthernet0/0/0
Global IP/Port : current-interface/---- (Real IP : 1.1.1.1)
Inside IP/Port : 2.2.2.2/----
Protocol : ----
VPN instance-name : ----
Acl number : ----
Vrrp id : ----
Netmask : 255.255.255.255
Description : ----

Total : 1

----End

3.1.7 Example for Configuring NAT and Redirection to Implement Two Egresses and Provide the Web Service

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-7, the router connects to a campus network through GE1/0/0, to an
education network through GE2/0/0, and to the Internet through GE3/0/0. Intranet users
access the education network through GE2/0/0 and access the Internet through GE3/0/0 along
the default route.
The campus network server provides the web service for intranet and extranet users. The
server's private IP address is 192.168.1.2/24, domain name is www.test.edu.cn, and public IP
address is 1.1.1.6. Internet users and campus network users need to access the server using the
domain name www.test.edu.cn or public IP address 1.1.1.6, and campus network users access
the Internet and education network using NAT. The remote IP addresses of GE2/0/0 and
GE3/0/0 are 1.1.1.2/24 and 2.2.2.2/24.

As required by the network plan, Internet users must access the education network through a
dedicated channel. Therefore, extranet users (including education network users and Internet
users) access the campus network through GE2/0/0. Packets with an IP address (1.1.1.6/24 for
example) on the education network as the source IP address will be discarded by the carrier if
they are sent out through GE3/0/0.

Figure 3-7 Networking diagram of NAT on two egresses

Procedure
Step 1 Configure the Router.
#
acl number 2000 //Configure an ACL rule to allow campus network users on the
network segment 192.168.1.0/24 to access the Internet.
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3000 //Configure an ACL rule to allow campus network users to access
the campus network server using 1.1.1.6. NAT is performed on GE1/0/0 only when
intranet hosts initiate access requests.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 1.1.1.6 0
#
acl number 3001 //Configure an ACL rule to prevent the data flows from the
campus network server to campus network hosts from being redirected to the
education network egress.
rule 5 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
#
acl number 3003 //Configure an ACL rule to redirect the data flows from the
campus network server to users outside the campus network to the education
network egress.
rule 10 permit ip source 192.168.1.2 0
#
traffic classifier permitover operator or //Define the data flows that do not
need to be redirected.
if-match acl 3001
traffic classifier redirectover operator or //Define the data flows that need to
be redirected.
if-match acl 3003
#
traffic behavior permitover //Define the traffic behavior named permitover to
permit.
traffic behavior redirectover //Define the traffic behavior named redirectover
to redirect.
redirect ip-nexthop 1.1.1.2 //Redirect the data flows from the campus network
server to users outside the campus network to the education network egress.
#
traffic policy redirect //Bind traffic behavior to traffic policy.
classifier permitover behavior permitover //Configure the router to check
whether data flows are sent from the campus network server to campus network
users.
classifier redirectover behavior redirectover //Configure the router to
redirect the data flows from the campus network server to users outside the
campus network to the education network egress.
#
nat alg dns enable //Enable DNS for NAT ALG.
#
nat dns-map www.test.edu.cn 1.1.1.6 80 tcp //Configure DNS mapping to convert
the DNS resolution result to the campus network server's address.
#
nat address-group 0 2.2.2.50 2.2.2.100 //Configure NAT to be used for access to
a non-education network address.
nat address-group 1 1.1.1.50 1.1.1.100 //Configure NAT to be used for access to
an education network address.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
traffic-policy redirect inbound //Configure GE1/0/0 to redirect incoming data
flows.
nat static global 1.1.1.6 inside 192.168.1.2 netmask 255.255.255.255 //Perform
NAT when campus network users use 1.1.1.6 to access the campus network server.
nat outbound 3000 //Perform Easy IP when campus network users use 1.1.1.6 to
access the campus network server and change the source address to GE1/0/0's
address to ensure that the traffic exchanged between the campus network server
and users is forwarded by the router.
#
interface GigabitEthernet2/0/0
ip address 1.1.1.1 255.255.255.0
nat static global 1.1.1.6 inside 192.168.1.2 netmask 255.255.255.255 //
Configure NAT on the education network egress.
nat outbound 2000 address-group 1 //Perform NAT when campus network users
access the education network.
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 0 //Perform NAT when campus network users
access the non-education network.
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 //Configure a default route.
#
return

Step 2 Verify the configuration.


1. Education network users and Internet users can access the campus network server using
the domain name www.test.edu.cn or public IP address 1.1.1.6.
2. Campus network users access the server using the domain name www.test.edu.cn or
public IP address 1.1.1.6.
3. Campus network users can access the Internet.
----End

Configuration Notes
• When configuring policy-based routing, ensure that traffic from the campus network
server to the Internet is sent out through the education network egress. If the traffic is not
sent out through the education network egress, the traffic is discarded by the carrier.
• When binding traffic behaviors to a traffic policy, configure the router to check whether
data flows are sent from the campus network server to campus network users. If so,
configure the router not to redirect the data flows. If not, configure the router to redirect
the data flows to the education network egress.
• Configure NAT ALG according to the service that the campus network server provides.
In this example, the campus network server provides common web services. Therefore,
NAT ALG is enabled for DNS so that campus network users can access the Internet and
education network using the domain name.
• In this example, static NAT and outbound NAT are configured on GE1/0/0 to allow
campus network users to use the public IP address 1.1.1.6 to access the campus network
server.
When a campus network user uses the campus network server's public IP address to
access the server, the router needs to translate the destination IP address of the received
HTTP request packet into the server's private IP address (changing
<192.168.1.3,1.1.1.6> to <192.168.1.3,192.168.1.2>) and then send the HTTP request
packet to the campus network server. When receiving the HTTP request packet, the
campus network server sends the HTTP response packet, whose source address is its
private address 192.168.1.2, to 192.168.1.3. Consequently, the campus
network user cannot receive the HTTP response packet from 1.1.1.6 and fails to access
the campus network server. To ensure that the campus network user accesses the campus
network server, the router must translate the source IP address in the HTTP response
packet from the server into public IP address 1.1.1.6 and then send the response packet
to the user. When Easy IP is configured on GE1/0/0, the router changes the source IP
address in the HTTP request packet from the campus network user to the IP address of
GE1/0/0 (changing <192.168.1.3,192.168.1.2> to <192.168.1.1,192.168.1.2>) and then
sends the packet to the campus network server. The server sends an HTTP response
packet with GE1/0/0's IP address as the destination address to the router. Then the router
searches the NAT mapping table and changes the source and destination addresses
(<192.168.1.2,192.168.1.1>) of the packet to the server's public IP address and the user's
private IP address (<1.1.1.6,192.168.1.3>). Subsequently, the user receives an HTTP
response packet with the source IP address 1.1.1.6 and can access the server properly.
• When binding traffic behaviors to a traffic policy, bind traffic behavior permitover and
then traffic behavior redirectover to the traffic policy. Data flows from the campus
network server to campus network users are not redirected, while data flows from
campus network server to users outside the campus network must be redirected to
GE2/0/0.
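
The address rewriting described in the note on GE1/0/0 can be traced step by step. The following is an added example, not part of the Huawei document: a minimal Python model of GE1/0/0 with static NAT and optional Easy IP, using the addresses from this section. The Router class, the direct same-subnet delivery of the server's reply and the client's source-address check are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from section 3.1.7 of this page.
SERVER_PUBLIC = "1.1.1.6"
SERVER_PRIVATE = "192.168.1.2"
ROUTER_LAN_IP = "192.168.1.1"     # GE1/0/0
USER = "192.168.1.3"
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """Models GE1/0/0 only: 'nat static' plus optional 'nat outbound 3000' (Easy IP)."""

    def __init__(self, easy_ip):
        self.easy_ip = easy_ip
        self.sessions = {}  # (translated src, translated dst) -> (original src, original dst)

    def forward_request(self, pkt):
        out = pkt
        if pkt.dst == SERVER_PUBLIC:
            # nat static global 1.1.1.6 inside 192.168.1.2: rewrite the destination.
            out = Packet(pkt.src, SERVER_PRIVATE)
            # ACL 3000: source 192.168.1.0/24, destination 1.1.1.6 -> Easy IP on the source.
            if self.easy_ip and ipaddress.ip_address(pkt.src) in LAN:
                out = Packet(ROUTER_LAN_IP, out.dst)
        self.sessions[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def forward_reply(self, pkt):
        # Look up the session by the reversed translated tuple and undo both rewrites.
        original = self.sessions.get((pkt.dst, pkt.src))
        if original is None:
            return None
        orig_src, orig_dst = original
        return Packet(orig_dst, orig_src)


def hairpin(easy_ip):
    """Return ([request, at_server, reply, delivered], accepted) for one HTTP exchange."""
    router = Router(easy_ip)
    request = Packet(USER, SERVER_PUBLIC)
    at_server = router.forward_request(request)

    # The server answers whatever source address it saw.
    reply = Packet(at_server.dst, at_server.src)

    if reply.dst == ROUTER_LAN_IP:
        delivered = router.forward_reply(reply)   # the reply returns through the router
    else:
        delivered = reply  # same subnet: delivered on the LAN, the router never sees it

    # The user's connection is to 1.1.1.6, so only a reply from 1.1.1.6 is accepted.
    accepted = delivered == Packet(request.dst, request.src)
    return [request, at_server, reply, delivered], accepted


if __name__ == "__main__":
    for easy_ip in (False, True):
        trace, ok = hairpin(easy_ip)
        print(f"Easy IP on GE1/0/0: {easy_ip}")
        for label, pkt in zip(("request", "at server", "reply", "delivered"), trace):
            print(f"  {label:10s} <{pkt.src},{pkt.dst}>")
        print(f"  user accepts reply: {ok}")
```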


3.1.8 Configuring Internal Users to Access the External Server with an Overlapping IP Address Through NAT

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-8, the router functions as the gateway of a company, and the internal
network segment has overlapping IP addresses with the network segment where the external
WWW server resides. The company has two public network addresses: 1.1.1.13 and 1.1.1.14.
The company requires that internal users access the WWW server using a domain name.

Figure 3-8 Networking diagram

Procedure
Step 1 Configure the router.
#
acl number 2001
rule 5 permit source 192.168.1.0 0.0.0.255 //Allow only users
on the specified network segment to access the external network.
#
nat alg dns enable //Enable the NAT application level
gateway (ALG) function for DNS.
#
nat address-group 1 1.1.1.13 1.1.1.14 //Configure a NAT address
pool.
#
nat overlap-address 0 192.168.1.2 2.2.2.100 pool-length 10 //
Configure the mapping between the overlapping address pool and temporary address
pool.
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
nat outbound 2001 address-group 1 //Configure outbound NAT on
the outbound interface.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route and
ensure that the next-hop address of packets from the internal network to external
network is 1.1.1.2.
#
return

Step 2 Verify the configuration.


# Run the display nat overlap-address all command to check the mapping of the
overlapping address pool.
# Run the display nat outbound command on the router to check outbound NAT
information.

----End

3.1.9 Configuring NAT to Translate Source and Destination IP Addresses Simultaneously

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 3-9, the router functions as the gateway of a company, and the FTP
server is an internal server. The company requires that external users be able to access the
internal FTP server and that, through translation of public network addresses, the internal
network not need to import routes of the external network.

Figure 3-9 Networking diagram

Procedure
Step 1 Configure the router.
#
acl number 3000
rule 5 permit ip source 2.2.2.0 0.0.0.255 //Allow only users on the
specified network segment to access the internal server.
#
nat alg ftp enable //Enable the NAT application level gateway
(ALG) function for FTP.
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
nat outbound 3000 //Configure outbound NAT to translate the
source IP address used when external users access the internal network and ensure
that the internal network does not need to import routes of the external network.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
nat server protocol tcp global 1.1.1.3 ftp inside 192.168.1.2 ftp //
Configure the NAT server function on the outbound interface to ensure that
external users can access the internal server.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route and
ensure that the next-hop address of packets from the internal network to external
network is 1.1.1.2.
#
return

Step 2 Verify the configuration.

# Run the display nat server command on the router to check NAT server information.

# Run the display nat outbound command on the router to check outbound NAT
information.

----End

3.2 Bandwidth Management

3.2.1 Example for Preventing P2P Software Download

Applicability
This example applies to all AR models of V200R002C00 and later versions.

NOTE

The SAC function is used with a license. To use the SAC function, apply for and purchase the license from
the Huawei local office.

Networking Requirements
Enterprise users connect to Eth2/0/0 of RouterA through the switch. GE1/0/0 on RouterA
connects to the WAN. Download through P2P software such as BT, Thunder, and eMule
needs to be prevented to ensure proper use of enterprise network bandwidth.

Figure 3-10 Networking diagram of preventing P2P software download


Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20
#
sac enable signature sd1:/sacrule.dat //V200R005 and V200R006: Enable SAC and
load the signature file sacrule.dat.
engine enable //V200R007,V200R008,V200R009,V200R010,V300R003 and V300R019: Enable
the deep security function.
#
update restore sdb-default sa-sdb //Restore the signature database to the
factory default version.
#
sac protocol-group p2p-group //V200R005 and V200R006: Configure bittorrent,
thunder, and emule in the SAC group p2p-group.
app-protocol bittorrent
app-protocol thunder
app-protocol emule
#
traffic classifier c1 operator or
if-match protocol-group p2p-group //V200R005 and V200R006: Configure a matching
rule for traffic classification based on the SAC group p2p-group.
if-match category FileShare_P2P //V200R007,V200R008,V200R009,V200R010,V300R003 and
V300R019: Configure a matching rule in a traffic classifier based on an SA group.
#
traffic behavior b1
deny //Configure the deny action for matching packets.
#
traffic policy p1
classifier c1 behavior b1 //Create a traffic policy named p1 and bind the
traffic classifier c1 and traffic behavior b1 to the traffic policy.
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
sac protocol-statistic enable //V200R005 and V200R006: Enable SAC-based traffic
statistics on VLANIF 20.
sa application-statistic enable //V200R007,V200R008,V200R009,V200R010,V300R003 and
V300R019: Enable SA-based traffic statistics on VLANIF 20.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound
direction of VLANIF 20.
#
interface GigabitEthernet1/0/0
ip address 192.168.4.1 255.255.255.0
sac protocol-statistic enable //V200R005 and V200R006: Enable SAC-based traffic
statistics on GE1/0/0.
sa application-statistic enable //V200R007,V200R008,V200R009,V200R010,V300R003 and
V300R019: Enable SA-based traffic statistics on GE1/0/0.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound
direction of GE1/0/0.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
return

Step 2 Verify the configuration.

V200R005 and V200R006:

# Run the display sac protocol-statistic command to check packet statistics based on the
SAC group p2p-group on VLANIF 20 and GE1/0/0.

V200R007,V200R008,V200R009,V200R010,V300R003 and V300R019:


# Run the display sa application-statistic command to check packet statistics based on the
SA application protocols on VLANIF 20 and GE1/0/0.

----End

3.2.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access the server on 222.1.1.1/24 through RouterA. The rate of
packets from enterprise devices on 192.168.10.0/24 to the server needs to be limited to 64
kbit/s.

Figure 3-11 Networking for limiting the rate of packets based on internal IP addresses

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow
packets on 192.168.10.0 to pass through.
rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow
packets on 192.168.20.0 to pass through.
acl number 3002 //Configure ACL 3002.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow
packets on 192.168.10.0 to pass through.
#
qos queue-profile limit //Create a queue profile named limit.
queue 3 gts cir 64 cbs 1600 //Set the CIR of queue 3 to 64 kbit/s.
#
traffic classifier c1 operator or
if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b1
remark local-precedence af3 //Configure traffic behavior b1: Re-mark packets
matching the traffic classifier with AF3. When permit or deny is not specified,
the permit action is taken by default.
#
traffic policy p1
classifier c1 behavior b1 //Configure a traffic policy named p1, and bind
traffic classifier c1 to traffic behavior b1 in the traffic policy.
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk //Configure the link type of the interface as trunk.
port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound
direction on the interface.
#
interface GigabitEthernet3/0/0
ip address 222.0.1.1 255.255.255.0
qos queue-profile limit //Apply the queue profile limit to the interface.
nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.0.1.2
#

Step 2 Verify the configuration.


# Run the display qos queue statistics interface gigabitethernet 3/0/0 command to check
the traffic statistics on GE3/0/0 where the queue profile limit is applied. You can see that the
rate of outgoing packets on the interface is within the rate limit. When the queue is full,
excess packets are discarded.

----End
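
How the queue 3 gts cir 64 cbs 1600 line behaves under load, as an added token-bucket simulation that is not part of Huawei's guide. The queue depth of 16 packets, the 200-byte test packets and all function names are assumptions; the page gives none of them.

```python
from collections import deque

CIR_KBPS = 64      # "queue 3 gts cir 64": committed rate in kbit/s
CBS_BYTES = 1600   # "cbs 1600": bucket depth in bytes
QUEUE_LIMIT = 16   # ASSUMPTION: shaping-queue depth in packets (not on the page)


def cbr(kbps, size, seconds):
    """Constructed constant-bit-rate arrivals: (time_s, size_bytes) tuples."""
    count = (seconds * kbps * 1000) // (size * 8)
    gap = size * 8 / (kbps * 1000)
    return [(i * gap, size) for i in range(count)]


def shape(arrivals, cir_kbps=CIR_KBPS, cbs=CBS_BYTES, queue_limit=QUEUE_LIMIT):
    """Shape arrivals sorted by time.

    Returns (sent, dropped): sent is a list of (departure_time_s, size_bytes),
    dropped counts packets discarded because the shaping queue was full.
    """
    rate = cir_kbps * 1000 / 8            # token fill rate in bytes per second
    tokens, clock = float(cbs), 0.0       # bucket starts full
    queue, sent, dropped = deque(), [], 0

    def drain(until):
        """Release queued packets whose tokens become available by `until`."""
        nonlocal tokens, clock
        while queue:
            size = queue[0]
            if tokens < size:
                wait = (size - tokens) / rate
                if clock + wait > until:
                    break                 # head packet keeps waiting
                clock += wait
                tokens = float(size)
            tokens -= size
            sent.append((clock, queue.popleft()))
        if until > clock:                 # idle time refills the bucket up to CBS
            tokens = min(cbs, tokens + (until - clock) * rate)
            clock = until

    for when, size in arrivals:
        if size > cbs:
            raise ValueError("a packet larger than CBS can never conform")
        drain(when)
        if len(queue) >= queue_limit:
            dropped += 1                  # queue full: excess packet is discarded
        else:
            queue.append(size)
    drain(float("inf"))                   # flush what is still queued
    return sent, dropped


def conforms(sent, cir_kbps=CIR_KBPS, cbs=CBS_BYTES):
    """True if at every departure, bytes sent so far <= CBS + CIR * elapsed time."""
    rate, total = cir_kbps * 1000 / 8, 0
    for when, size in sent:
        total += size
        if total > cbs + rate * when + 1e-6:
            return False
    return True


if __name__ == "__main__":
    for offered in (32, 128):
        out, lost = shape(cbr(offered, 200, 10))
        print(f"offered {offered} kbit/s: sent {len(out)}, dropped {lost}, "
              f"within CIR+CBS envelope: {conforms(out)}")
```

Traffic offered below 64 kbit/s passes without delay or loss; traffic offered at 128 kbit/s is held to the CIR plus one CBS burst, and the remainder is dropped once the queue fills.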

Configuration Notes
• On the switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
• Configure the interface of the switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.

4 Building a LAN

4.1 Example for Configuring Layer 3 Link Aggregation to Improve the Link Bandwidth and Reliability
4.2 Example for Configuring VLAN Assignment
4.3 Example for Configuring Sub-interfaces to Implement Inter-VLAN Communication
4.4 Example for Configuring a VLANIF Interface to Implement Inter-VLAN Communication
4.5 Example for Configuring GVRP to Implement Automatic VLAN Registration
4.6 Example for Configuring Transparent Bridging to Implement Communication on the Same Network Segment
4.7 Example for Configuring Transparent Bridging to Implement Communication on Different Network Segments
4.8 Example for Configuring a Transparent Bridge to Transmit QinQ Packets
4.9 Example for Configuring the UDP Helper to Enable Inter-Network Users to Access Each Other Using Host Names
4.10 Example for Configuring the Proxy ARP to Implement Remote Communication of Routers on the Same Subnet

4.1 Example for Configuring Layer 3 Link Aggregation to Improve the Link Bandwidth and Reliability

Specifications
This example applies to all versions of AR routers.
For V200R006 and later versions, AR161, AR161W, AR169, AR169W, AR161G-L,
AR169G-L, and AR169-P-M9 do not support this function.

Networking Requirements
Router_1 and Router_2 are connected through three Layer 3 Ethernet interfaces. Link
aggregation needs to be configured between Router_1 and Router_2 to implement
interworking between Router_1 and Router_2, increase the link bandwidth, and improve the
link reliability.

Figure 4-1 Networking of Layer 3 link aggregation

Procedure
Step 1 Configure Router_1.

#
sysname Router_1
#
interface Eth-Trunk1 //Create an Eth-Trunk, switch the Eth-Trunk to Layer 3 mode, and configure an IP address.
 undo portswitch
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0 //Add GE1/0/0, GE2/0/0, and GE3/0/0 to Eth-Trunk 1.
 eth-trunk 1
#
interface GigabitEthernet2/0/0
 eth-trunk 1
#
interface GigabitEthernet3/0/0
 eth-trunk 1
#
return

Step 2 Configure Router_2.

#
sysname Router_2
#
interface Eth-Trunk1
 undo portswitch
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet2/0/0
 eth-trunk 1
#
interface GigabitEthernet3/0/0
 eth-trunk 1
#
return

Step 3 Verify the configuration.


# Run the display eth-trunk command on Router_1 and Router_2. The command output
shows that GE1/0/0, GE2/0/0, and GE3/0/0 are added to Eth-Trunk 1.
# Router_1 and Router_2 can ping each other.

----End

Configuration Notes
• Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
  Interfaces that use different Ethernet types and rates cannot join the same Eth-Trunk. For
  example, GE and FE interfaces cannot join the same Eth-Trunk, and GE electrical and
  optical interfaces cannot join the same Eth-Trunk.
• If an interface of the local device is added to an Eth-Trunk, an interface of the remote
  device directly connected to the interface of the local device must also be added to an
  Eth-Trunk so that the two ends can communicate.
• Member interfaces cannot be configured with some services. For example, the IP address
  of a member interface cannot be configured.

4.2 Example for Configuring VLAN Assignment


Specifications
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 4-2, the device of a company connects to two departments. User_1 and
User_2 belong to department 1 and connect to the company network through different
devices, and User_3 and User_4 belong to department 2 and connect to the company network
through different devices.
To ensure communication security and prevent broadcast packets from being flooded, the
company requires that hosts in a department should be allowed to communicate and hosts in
different departments should be isolated.
You can configure interface-based VLAN assignment on the device so that the device adds
interfaces connected to users in the same department to the same VLAN. Users in the same
VLAN can directly communicate with each other, and users in different VLANs cannot
communicate at Layer 2.

Figure 4-2 Networking of VLAN assignment

Procedure
Step 1 Configure Router_1.

#
sysname Router_1
#
vlan batch 2 to 3 //Create VLAN 2 and VLAN 3.
#
interface Ethernet2/0/1 //Configure the interface connected to User_1 as an access interface. The default VLAN is VLAN 2.
 port link-type access
 port default vlan 2
#
interface Ethernet2/0/2 //Configure the interface connected to User_3 as an access interface. The default VLAN is VLAN 3.
 port link-type access
 port default vlan 3
#
interface Ethernet2/0/3 //Configure the interface connected to Router_1 and Router_2 as a trunk interface and configure the interface to allow VLAN 2 and VLAN 3.
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return

Step 2 Configure Router_2.

#
sysname Router_2
#
vlan batch 2 to 3 //Create VLAN 2 and VLAN 3.
#
interface Ethernet2/0/1 //Configure the interface connected to User_2 as an access interface. The default VLAN is VLAN 2.
 port link-type access
 port default vlan 2
#
interface Ethernet2/0/2 //Configure the interface connected to User_4 as an access interface. The default VLAN is VLAN 3.
 port link-type access
 port default vlan 3
#
interface Ethernet2/0/3 //Configure the interface connected to Router_2 and Router_1 as a trunk interface and configure the interface to allow VLAN 2 and VLAN 3.
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return

Step 3 Verify the configuration.

# Configure User_1 and User_2 on the same network segment, for example, 10.1.100.0/24;
configure User_3 and User_4 on the same network segment, for example, 10.1.200.0/24.

# User_1 and User_2 can ping each other, but cannot ping User_3 or User_4. User_3 and
User_4 can ping each other, but cannot ping User_1 or User_2.

----End

Configuration Notes
• To ensure that packets from VLAN 2 and VLAN 3 are correctly transmitted, create
  VLAN 2 and VLAN 3 on the device and configure the interface to allow VLAN 2 and
  VLAN 3.
• The interfaces connected to users do not need to distinguish VLANs. The interfaces only
  receive and send untagged frames and add the default VLAN tag to untagged frames, so
  the interfaces need to be configured as access interfaces.
• The interconnected interfaces between devices need to allow packets from VLAN 2 and
  VLAN 3, so the interfaces need to be configured as trunk interfaces.
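
The isolation requirement of this section, checked mechanically: this added example (not part of Huawei's guide) parses the Step 1 and Step 2 configurations and reports which users share a Layer 2 path. The function names are hypothetical, and the model covers only the vlan batch, access, default-VLAN and trunk allow-pass lines shown on the page.

```python
import itertools

# The page's Step 1 configuration with the // annotations removed. The two
# devices differ only in sysname, so Router_2 is derived from Router_1.
ROUTER_1 = """\
sysname Router_1
vlan batch 2 to 3
interface Ethernet2/0/1
 port link-type access
 port default vlan 2
interface Ethernet2/0/2
 port link-type access
 port default vlan 3
interface Ethernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
"""
ROUTER_2 = ROUTER_1.replace("sysname Router_1", "sysname Router_2")

# Port each user attaches to, taken from the comments in the page's configuration.
USERS = {
    "User_1": ("Router_1", "Ethernet2/0/1"),
    "User_2": ("Router_2", "Ethernet2/0/1"),
    "User_3": ("Router_1", "Ethernet2/0/2"),
    "User_4": ("Router_2", "Ethernet2/0/2"),
}
TRUNK = "Ethernet2/0/3"  # inter-device link, same interface name on both routers


def expand_vlans(tokens):
    """Expand ['2', 'to', '3', '10'] into {2, 3, 10}."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse(config):
    """Return {'vlans': set, 'ports': {name: {'type', 'pvid', 'allowed'}}}."""
    dev, port = {"vlans": set(), "ports": {}}, None
    for raw in config.splitlines():
        words = raw.split("//")[0].split()      # drop the guide's // annotations
        if not words or words[0] == "#":
            continue
        if words[:2] == ["vlan", "batch"]:
            dev["vlans"] |= expand_vlans(words[2:])
        elif words[0] == "interface":
            port = dev["ports"].setdefault(
                words[1], {"type": None, "pvid": None, "allowed": set()})
        elif port is not None and words[:2] == ["port", "link-type"]:
            port["type"] = words[2]
        elif port is not None and words[:3] == ["port", "default", "vlan"]:
            port["pvid"] = int(words[3])
        elif port is not None and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= expand_vlans(words[4:])
    return dev


def l2_reachable(dev_a, port_a, dev_b, port_b, trunk=TRUNK):
    """True if untagged frames entering port_a can reach port_b at Layer 2."""
    a, b = dev_a["ports"][port_a], dev_b["ports"][port_b]
    if a["type"] != "access" or b["type"] != "access" or a["pvid"] != b["pvid"]:
        return False
    if dev_a is dev_b:
        return a["pvid"] in dev_a["vlans"]
    # Across devices the VLAN must exist and be allowed on the trunk at both ends.
    carried = (dev_a["ports"][trunk]["allowed"] & dev_b["ports"][trunk]["allowed"]
               & dev_a["vlans"] & dev_b["vlans"])
    return a["pvid"] in carried


def reachability(configs, users=USERS):
    """Map each user pair to True/False for Layer 2 reachability."""
    devs = {name: parse(text) for name, text in configs.items()}
    return {(ua, ub): l2_reachable(devs[da], pa, devs[db], pb)
            for (ua, (da, pa)), (ub, (db, pb))
            in itertools.combinations(users.items(), 2)}


if __name__ == "__main__":
    for pair, ok in reachability({"Router_1": ROUTER_1, "Router_2": ROUTER_2}).items():
        print(pair, "same Layer 2 domain" if ok else "isolated")
```

Running the same check against a changed configuration shows the two failure modes: a trunk that no longer allows VLAN 3 cuts User_3 off from User_4, and an access port given the wrong default VLAN places users of different departments in one broadcast domain.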

4.3 Example for Configuring Sub-interfaces to Implement Inter-VLAN Communication

Specifications
This example applies to all versions of AR routers.

Networking Requirements
On the switch, a trunk interface connects to Eth1/0/0 on the router and an access interface
connects to PCs. PC1 joins VLAN 10 and PC2 joins VLAN 20.
Two sub-interfaces are created on Eth1/0/0 of the router and assigned IP addresses as gateway
addresses of the two VLANs. The two sub-interfaces use 802.1q encapsulation to implement
inter-VLAN communication.

Figure 4-3 Networking diagram of inter-VLAN communication through sub-interfaces

Procedure
Step 1 Configure the router.

#
sysname Router
#
interface Ethernet1/0/0.1
 control-vid 1 dot1q-termination //Configure the dot1q termination sub-interface. V200R002C01 and later versions do not support this command.
 dot1q termination vid 10 //Configure the interface to process packets with VLAN 10.
 ip address 10.10.10.1 255.255.255.0 //Configure the gateway address for VLAN 10.
 arp broadcast enable //The interface can process broadcast ARP packets. In V200R003C01 and later versions, ARP broadcast is enabled by default.
#
interface Ethernet1/0/0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 20 //Configure the interface to process packets with VLAN 20.
 ip address 10.10.20.1 255.255.255.0 //Configure the gateway address for VLAN 20.
 arp broadcast enable
#
return

Step 2 Verify the configuration.


# PC1 and PC2 can successfully ping each other.

----End

Configuration Notes
• The switch downlink interface connected to a PC must be the access interface and the
  switch uplink interface connected to a device must be the trunk interface.
• The gateway address configured on the PC must be the same as the sub-interface IP
  address.
• ARP broadcast must be enabled on the sub-interface.
• The VLAN ID of a sub-interface must be the same as the VLAN ID of the PC.

4.4 Example for Configuring a VLANIF Interface to Implement Inter-VLAN Communication

Specifications
This example applies to all versions of AR routers.

Networking Requirements
Layer 2 interfaces Eth2/0/1 and Eth2/0/2 of the router connect to PC1 and PC2 on different
network segments.
Two VLANs are configured so that Layer 2 packets from PC1 and PC2 are broadcast in the
VLANs that PC1 and PC2 belong to. A VLANIF interface is configured on the router so that
PC1 and PC2 in different VLANs can communicate with each other.

Figure 4-4 Networking diagram of inter-VLAN communication through a VLANIF interface

Procedure
Step 1 Configure the router.

#
sysname Router
#
vlan batch 10 20 //Create VLANs.
#
interface Vlanif10 //Create a VLANIF interface.
 ip address 10.10.10.1 255.255.255.0 //Configure the gateway address for PC terminals in the VLAN.
#
interface Vlanif20
 ip address 10.10.20.1 255.255.255.0
#
interface Ethernet2/0/1
 port link-type access //Set the link type of the interface to access.
 port default vlan 10 //Add the interface to the VLAN.
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 20
#
return

Step 2 Verify the configuration.


# PC1 and PC2 can successfully ping each other.

----End

Configuration Notes
• PCs in different VLANs are located on different network segments.
• The router interface connected to PCs must be the Layer 2 access or hybrid interface.
• The gateway address configured on the PC must be the same as the VLANIF interface IP
  address.
• The VLANIF interface number must be the same as the VLAN ID.

4.5 Example for Configuring GVRP to Implement Automatic VLAN Registration

Specifications
This example applies to all versions of AR routers.

Networking Requirements
RouterA and RouterC connect to RouterB through Layer 2 interfaces, and VLANs 100 to 200
are manually configured on RouterA and RouterC. RouterB needs to automatically learn the
VLANs. GVRP is enabled on each router and interface so that VLAN information can be
registered and updated dynamically.

Figure 4-5 Networking diagram of GVRP

Procedure
Step 1 Configure RouterA.

#
sysname RouterA
#
vlan batch 100 to 200 //Create VLANs.
#
gvrp //Enable GVRP globally.
#
interface Ethernet2/0/0
 port link-type trunk //Set the link type of the interface to trunk.
 port trunk allow-pass vlan 2 to 4094 //Add the interface to all VLANs.
 gvrp //Enable GVRP on the interface.
#
return

Step 2 Configure RouterC.

#
sysname RouterC
#
vlan batch 100 to 200
#
gvrp
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return

Step 3 Configure RouterB.


#
sysname RouterB
#
gvrp
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094 //The GVRP-enabled interface needs to be added to all VLANs.
 gvrp
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return

Step 4 Verify the configuration.

# Run the display vlan summary command on RouterB. The command output shows that
RouterB has learned VLANs 100 to 200 and the type is dynamic.

# Run the display vlan brief command. The command output shows that Eth2/0/0 and
Eth2/0/1 have joined VLANs 100 to 200.

----End

Configuration Notes
• The link type of Layer 2 interfaces must be trunk.
• The GVRP-enabled interface must be added to all VLANs.

4.6 Example for Configuring Transparent Bridging to Implement Communication on the Same Network Segment

Specifications
This example applies to all versions of AR routers.

Networking Requirements
PCs on LAN 1 and LAN 2 communicate through local bridging and can directly perform
network applications over the WAN.

Figure 4-6 Networking diagram of local bridging

Procedure
Step 1 Configure RouterA.

#
sysname RouterA
#
bridge 1 //Create a bridge group and generate the virtual bridge.
#
interface Ethernet1/0/0
 bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
interface Ethernet2/0/0
 bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
return

Step 2 Configure RouterB.

#
sysname RouterB
#
bridge 1
#
interface Ethernet1/0/0
 bridge 1
#
interface Ethernet2/0/0
 bridge 1
#
return

Step 3 Verify the configuration.


# PCs on LAN 1 and LAN 2 can successfully ping each other.

----End

Configuration Notes
• Interfaces added to a bridge group must be Layer 3 interfaces of Ethernet, ATM, and
  serial types.
• PCs on LAN 1 and LAN 2 are on the same network segment.

4.7 Example for Configuring Transparent Bridging to Implement Communication on Different Network Segments

Specifications
This example applies to all versions of AR routers.

Networking Requirements
LAN 1 and LAN 2 use the same network segment and a route to LAN 3 is configured on the
router.
Eth1/0/0 and Eth2/0/0 are added to the same bridge group so that PCs on LAN 1 and LAN 2
can communicate.
Bridge-if 1 is created on the router. PCs on LAN 1 and LAN 2 communicate with PCs on
LAN 3 through the route on Bridge-if 1.

Figure 4-7 Networking diagram of local bridging with IP routing

Procedure
Step 1 Configure the router.

#
sysname Router
#
bridge 1 //Create a bridge group and generate a virtual bridge.
 routing ip //Enable a bridge group to route IP protocol packets.
#
interface Ethernet1/0/0
 bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
interface Ethernet2/0/0
 bridge 1
#
interface Ethernet3/0/0
 ip address 10.1.1.1 255.255.255.0
#
interface Bridge-if1 //Create a Bridge-if interface and bind it to the virtual bridge interface.
 ip address 192.168.1.1 255.255.255.0 //Assign an IP address to the Bridge-if interface.
#
ip route-static 192.168.2.0 255.255.255.0 10.1.1.2
#
return

Step 2 Verify the configuration.

# PCs on LAN 1 and LAN 2 can successfully ping each other.

# PCs on LAN 1 and LAN 2 and PCs on LAN 3 can successfully ping each other.

----End

Configuration Notes
• Interfaces added to a bridge group must be Layer 3 interfaces of Ethernet, ATM, and
  serial types.
• PCs on LAN 1 and LAN 2 are on the same network segment.
• The ID of the Bridge-if interface must be the same as the bridge group ID.

4.8 Example for Configuring a Transparent Bridge to Transmit QinQ Packets

Applicability
In V200R008C20 and earlier versions, only the AR100&AR120&AR150&AR160&AR200
series support this example.

In V200R008C30 and later versions, only the AR100&AR120&AR150&AR160&AR200
series, AR1220E, AR1220EV, AR1220EVW, and AR1220F support this example.

Networking Requirements
Multiple departments of an enterprise are located in different areas. As services develop,
departments in different areas need to transmit tagged packets. Through remote bridging and
QinQ of the transparent bridge, tagged packets can be transmitted between departments in
different areas.

In Figure 4-8, Router_A and Router_B are located in different areas and connected through
an intermediate link. PC1 and PC2 belong to different LANs. Through remote bridging and
QinQ of the transparent bridge, tagged packets can be transmitted between hosts in different
areas.

Figure 4-8 Configuring the transparent bridge to transmit QinQ packets

Procedure
Step 1 Configure Router_A.
# Router_A is used as an example. The configuration of Router_B is similar, and is not
mentioned here.

#
vlan batch 2 to 4094
#
bridge 1 //Create a bridge group and generate a virtual bridge.
#
interface GigabitEthernet0/0/1
 bridge 1 //Add the LAN-side interface to bridge 1.
 bridge vlan-transmit enable //Enable the interface to transparently transmit VLAN packets.
#
interface GigabitEthernet0/0/2
 undo portswitch
 ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2.1
 bridge 1 //Add the WAN-side sub-interface to bridge 1.
 bridge vlan-transmit enable //Enable the interface to transparently transmit VLAN packets.
 vlan allow-pass vid 3105 //Configure the VLAN allowed by the sub-interface.
 vlan dot1q-tunnel 3105 //Configure the dot1q tunnel function on the sub-interface.
#
return

Step 2 Verify the configuration.


# PC1 and PC2 can ping each other.

----End

Configuration Notes
When the type of the WAN-side interface is VDSL or G.SHDSL, run the set workmode slot
slot-id vdsl ptm or set workmode slot slot-id shdsl ptm command to configure the interface
to work in PTM mode.

4.9 Example for Configuring the UDP Helper to Enable Inter-Network Users to Access Each Other Using Host Names

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 4-9, the IP addresses of GE0/0/1 and GE0/0/2 on the router are
10.110.1.1/16 and 10.210.1.1/24. The IP address of the NetBIOS-NS name server is
10.2.1.1/16. The router and NetBIOS-NS name server are on different network segments. The
next-hop address of the route from the router to 10.2.0.0/16 is 10.210.1.2/24.
The router is configured to forward broadcast packets with destination UDP port number 137
and destination IP addresses 255.255.255.255 and 10.110.255.255 to the NetBIOS-NS name
server. When the router receives a broadcast NetBIOS-NS Register packet, it changes the
destination IP address in the IP header of the broadcast packet to the IP address of the
NetBIOS-NS name server and forwards the packet to the NetBIOS-NS name server.

Figure 4-9 UDP helper configuration

Procedure
Step 1 Configure the router.
#
udp-helper enable //Enable the UDP helper function.
#
interface GigabitEthernet0/0/1
 ip address 10.110.1.1 255.255.0.0
 udp-helper server 10.2.1.1 //Configure the destination server to which UDP packets are forwarded.
#
interface GigabitEthernet0/0/2
 ip address 10.210.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.210.1.2 //Configure a static route between the UDP helper and destination server and ensure that the route is reachable.
#

Step 2 Verify the configuration.


# Run the display udp-helper server command on the router to view the destination server to
which UDP packets are forwarded.
# Run the display udp-helper port command on the router to view the configured UDP ports
to which packets need to be relayed.

----End

Configuration Notes
• Enable UDP helper globally.
• Ensure that the UDP helper has a reachable route to the destination server.
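
The destination rewrite described in the networking requirements, as an added example that is not part of Huawei's guide: it builds a broadcast UDP packet to port 137, applies the relay decision for GE0/0/1, and shows that both the IP header checksum and the UDP checksum have to be recomputed after the destination address changes. The packet bytes are constructed, the function names are hypothetical, only port 137 is modelled, and TTL handling is left out.

```python
import ipaddress
import struct

SERVER = ipaddress.ip_address("10.2.1.1")            # udp-helper server 10.2.1.1
IN_IFACE = ipaddress.ip_interface("10.110.1.1/16")   # GigabitEthernet0/0/1
RELAY_PORTS = {137}                                  # NetBIOS-NS, per the requirements
BROADCASTS = {ipaddress.ip_address("255.255.255.255"),
              IN_IFACE.network.broadcast_address}    # 10.110.255.255


def csum(data):
    """RFC 1071 Internet checksum over a bytes object."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp_csum(packet, ihl, ulen):
    """Checksum over the UDP pseudo-header plus the UDP segment as present."""
    pseudo = bytes(packet[12:20]) + struct.pack("!BBH", 0, 17, ulen)
    return csum(pseudo + bytes(packet[ihl:ihl + ulen]))


def build(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP packet (20-byte header, TTL 64) with valid checksums."""
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    ulen = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    pkt = bytearray(ip + struct.pack("!HHHH", sport, dport, ulen, 0) + payload)
    pkt[26:28] = struct.pack("!H", udp_csum(pkt, 20, ulen) or 0xFFFF)
    return bytes(pkt)


def valid(packet):
    """True if both the IP header checksum and the UDP checksum verify."""
    ihl = (packet[0] & 0x0F) * 4
    ulen = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    return csum(bytes(packet[:ihl])) == 0 and udp_csum(packet, ihl, ulen) == 0


def relay(packet):
    """Return the packet as forwarded to SERVER, or None if it is not relayed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                                   # not UDP
        return None
    dport, ulen = struct.unpack("!HH", packet[ihl + 2:ihl + 6])
    dst = ipaddress.ip_address(bytes(packet[16:20]))
    if dst not in BROADCASTS or dport not in RELAY_PORTS:
        return None                                       # unicast or other port
    out = bytearray(packet)
    out[16:20] = SERVER.packed                            # rewrite destination IP
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", csum(bytes(out[:ihl])))
    out[ihl + 6:ihl + 8] = b"\x00\x00"                    # dst is in the pseudo-header too
    out[ihl + 6:ihl + 8] = struct.pack("!H", udp_csum(out, ihl, ulen) or 0xFFFF)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a host on 10.110.0.0/16 broadcasting to UDP port 137.
    request = build("10.110.5.9", "255.255.255.255", 137, 137, b"constructed NBNS register")
    forwarded = relay(request)
    print("forwarded to", ipaddress.ip_address(forwarded[16:20]),
          "checksums valid:", valid(forwarded))
```

Because the helper turns a segment-local broadcast into routed unicast, the name server sees requests whose source addresses belong to 10.110.0.0/16; any filtering in front of 10.2.1.1 has to account for that.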

4.10 Example for Configuring the Proxy ARP to Implement Remote Communication of Routers on the Same Subnet

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA and RouterC are on the same subnet. Proxy ARP needs to be configured on RouterB
to enable RouterA and RouterC to communicate.

Figure 4-10 Proxy ARP configuration

Procedure
Step 1 Configure RouterA.

#
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.0.0

Step 2 Configure RouterB.

#
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 arp-proxy enable
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.2 255.255.255.0
 arp-proxy enable

Step 3 Configure RouterC.

#
interface GigabitEthernet0/0/1
 ip address 10.1.2.1 255.255.0.0

Step 4 Verify the configuration.


# After proxy ARP is configured on RouterB, ping 10.1.2.1 from RouterA. The ping
operation succeeds. Run the display arp command on RouterB to view ARP entries.
<RouterB> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2        5489-9874-b8b2  7         D-0         GE0/0/0
10.1.1.1        5489-9874-b86f            I -         GE0/0/0
10.1.2.1        5489-9874-b8b0  20        D-0         GE0/0/1
10.1.2.2        5489-9874-b87f            I -         GE0/0/1
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0    Interface:2

----End
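
Why the ping in Step 4 works, as an added example that is not part of Huawei's guide: RouterA's /16 mask makes it ARP for 10.1.2.1 directly, and RouterB answers on RouterC's behalf. Addresses come from Steps 1 to 3 and RouterB's interface MACs from the display arp output; the function names are hypothetical and the reply conditions are the general routed proxy ARP rules, assumed here rather than quoted from the guide.

```python
import ipaddress

# Addresses from Steps 1-3; MACs from the TYPE "I" rows of RouterB's ARP table.
ROUTER_A = ipaddress.ip_interface("10.1.1.2/16")
ROUTER_C = ipaddress.ip_interface("10.1.2.1/16")
ROUTER_B = {
    "GE0/0/0": {"addr": ipaddress.ip_interface("10.1.1.1/24"),
                "mac": "5489-9874-b86f", "arp_proxy": True},
    "GE0/0/1": {"addr": ipaddress.ip_interface("10.1.2.2/24"),
                "mac": "5489-9874-b87f", "arp_proxy": True},
}


def arps_for_target(sender, target):
    """A sender ARPs for the target itself only if the target is inside its prefix."""
    return ipaddress.ip_address(target) in sender.network


def proxy_reply(router, in_port, target):
    """MAC the router answers with for an ARP request seen on in_port, else None.

    ASSUMED general routed proxy ARP rules: the feature is enabled on in_port,
    the target is not on the receiving segment (its real owner answers there),
    and the router reaches the target through a different interface.
    """
    iface = router[in_port]
    target = ipaddress.ip_address(target)
    if target == iface["addr"].ip:
        return iface["mac"]                     # ordinary ARP for the router itself
    if not iface["arp_proxy"] or target in iface["addr"].network:
        return None
    for name, other in router.items():
        if name != in_port and target in other["addr"].network:
            return iface["mac"]                 # reply with the receiving port's MAC
    return None


def resolve(sender, router, in_port, target):
    """MAC the sender installs for target, or None if resolution fails."""
    if not arps_for_target(sender, target):
        return None     # target is off-link for the sender: it needs a route instead
    return proxy_reply(router, in_port, target)


def arp_cache(sender, router, in_port, targets):
    """ARP cache the sender ends up with after resolving each target."""
    return {t: resolve(sender, router, in_port, t) for t in targets}


if __name__ == "__main__":
    print("RouterA:", arp_cache(ROUTER_A, ROUTER_B, "GE0/0/0", ["10.1.1.1", "10.1.2.1"]))
    print("RouterC:", arp_cache(ROUTER_C, ROUTER_B, "GE0/0/1", ["10.1.2.2", "10.1.1.2"]))
```

Every off-segment address RouterA resolves maps to RouterB's GE0/0/0 MAC, so ARP monitoring that flags one MAC answering for several IP addresses needs RouterB's interface MACs on its allow list.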

5 Using Dedicated Lines to Implement WAN Interconnection

5.1 Example for Configuring Port Isolation
5.2 Example for Configuring a POS Interface
5.3 Example for Configuring a CPOS Interface
5.4 Example for Configuring an ATM Interface
5.5 Example for Configuring an AR to Communicate with a Cisco Router Using Synchronous Serial Interfaces
5.6 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (E1 Mode)
5.7 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (CE1 Mode)
5.8 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a WCDMA Network)
5.9 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a CDMA2000 Network)
5.10 Example for Configuring an Enterprise to Connect to the Internet Through LTE Links
5.11 Example for Configuring IPoA to Connect a LAN to the Internet
5.12 Example for Configuring IPoEoA to Connect a LAN to the Internet
5.13 Example for Configuring PPPoEoA to Connect Users to the Internet Using PPP
5.14 Example for Configuring PPPoA to Connect Users to the Internet Using PPP
5.15 Example for Configuring PPPoFR to Implement LAN Interconnections
5.16 Example for Configuring an FR Network to Connect LANs Using IP Protocols
5.17 Example for Configuring an MP Group
5.18 Example for Binding PPP Links to a Virtual Template to Implement MP
5.19 Example for Binding User Names to Virtual Interface Templates to Implement MP
5.20 Example for Configuring the Device as a PPPoE Client to Connect Device to the Internet
5.21 Example for Configuring the Device as a PPPoE Client (IPv6) to Connect Device to the Internet
5.22 Example for Configuring the Device as a PPPoE Server to Connect Users to the Internet
5.23 Example for Connecting the Router to the Internet Through the External ADSL Modem Using PPPoE
5.24 Example for Connecting the Router to the PSTN Through a Modem (in C-DCC Mode)
5.25 Example for Connecting the Router to the ISDN Through the ISDN PRI Interface (in RS-DCC Mode)
5.26 Example for Configuring HDLC to Implement Interconnections

5.1 Example for Configuring Port Isolation


Specification
This example applies to all versions of AR routers.
The AR120&AR150&AR160&AR200&AR1200 series, AR2220E, AR2201-48FE,
AR2202-48FE, AR2204-51GE-P, AR2204-51GE-R, AR2204-27GE-P, AR2204-27GE,
AR2204E, AR2204E-D, and AR2204 support only Layer 2 isolation and Layer 3
interworking.
GE0/0/3 to GE0/0/26 on the AR2204-51GE-P cannot be isolated from GE0/0/27 to GE0/0/50.
Interfaces on the 4GE-2S, 9ES2, 4ES2G-S, and 4ES2GP-S cards do not support inter-card
port isolation.

Networking Requirements
As shown in Figure 5-1, Host A and Host B connect to Eth2/0/1 and Eth2/0/2 of the router
that connects to the Internet through GE0/0/1. The requirement is as follows: Host A and Host
B cannot exchange packets at Layer 2, but they can communicate with the Internet.

Figure 5-1 Networking for configuring port isolation

Procedure
Step 1 Configure the router.
#
sysname Router
#
interface Ethernet2/0/1
 port-isolate enable group 1 //Enable the port isolation function. Ports are added to port isolation group 1 by default.
#
interface Ethernet2/0/2
 port-isolate enable group 1 //Enable the port isolation function. Ports are added to port isolation group 1 by default.
#
return

Step 2 Verify the configuration.


# On the router, run the display port-isolate group all command to view the port isolation
group configuration. The command output shows that Eth2/0/1 and Eth2/0/2 are added to port
isolation group 1.
# Host A and Host B cannot ping each other.

----End

Configuration Notes
• Interfaces in a port isolation group are isolated from each other, but interfaces in
  different port isolation groups can communicate.
• When you enable the port isolation function, ports are added to port isolation group 1 by
  default if you do not set group group-id.
• By default, ports are isolated at Layer 2 but can communicate at Layer 3. You can run the
  port-isolate mode all command to isolate ports at Layer 2 and Layer 3.

5.2 Example for Configuring a POS Interface


Specification
This example applies to all AR routers of V200R003C00 and later versions that support POS
interfaces.

Networking Requirements
Two devices are connected through the SONET network, and RouterB has been configured,
as shown in Figure 5-2. To ensure successful connection, configure the POS interface of
RouterA.
Parameter settings of the POS interface of RouterB are as follows:
• The frame format is SONET.
• The link-layer protocol is HDLC.
• The clock mode is the slave mode.
• The MTU is 1200 bytes.
• Payload data is not scrambled.
• The CRC field length is 16 bits.
• The overhead bytes are as follows: C2: 3, J0: abc (16 byte-mode), and J1: xyz (16 byte-mode).

Figure 5-2 Networking for configuring the POS interface

Procedure
Step 1 Configure Router A.
#
sysname RouterA
#
interface Pos2/0/0
 link-protocol hdlc // Set the link-layer protocol of the POS interface to HDLC.
 mtu 1200 // Set the MTU of the POS interface to 1200 bytes.
 ip address 10.1.1.1 255.255.255.252
 flag c2 3 // Set the overhead byte C2 of the POS interface to 3.
 flag j0 16byte-mode abc // Set the overhead byte j0 of the POS interface to abc (16 byte-mode).
 flag j1 16byte-mode xyz // Set the overhead byte j1 of the POS interface to xyz (16 byte-mode).
 frame-format sonet // Set the frame format of the POS interface to SONET.
 undo scramble // Disable the payload data scrambling function of the POS interface.
 crc 16 // Set the CRC field length of the POS interface to 16 bits.
#
return

Step 2 Verify the configuration.


# On RouterA, run the display interface pos command to view the status of the POS
interface on RouterA.
# Router A and Router B can ping each other.

----End

Configuration Notes
Ensure that POS interface configurations on both devices are the same. Otherwise, the two
devices cannot be connected.

5.3 Example for Configuring a CPOS Interface


Specification
This example applies to all AR routers of V200R001C01 and later versions that support
CPOS interfaces.

Networking Requirements
As shown in Figure 5-3, RouterA connects to seven routers RouterB to RouterH. Each of the
seven routers connects to RouterA using an E1 link. RouterA uses a CPOS interface to
aggregate these E1 links.
Another E1 link is added to RouterB to provide more bandwidth. The two E1 links need to be
bound using MP-Group interfaces.
The existing configurations are as follows:
• RouterA uses the clock signals transmitted from the SDH network.
• The RouterA's CPOS interface uses SDH as the frame format, and the AUG
  multiplexing mode is au-4.

Figure 5-3 Networking diagram for configuring CPOS interfaces to aggregate E1 lines

Procedure
Step 1 Configure Router A.
#
sysname RouterA
#
interface Mp-group0/0/1 // Create and configure an MP-Group interface.
ip address 10.10.10.1 255.255.255.0 // Configure the IP address of the MP-
Group interface.
#
controller cpos 1/0/0
e1 1 unframed // Configure E1 channel 1 to work in unchannelized mode.
e1 2 unframed // Configure E1 channel 2 to work in unchannelized mode.
e1 1 set clock master // Configure E1 channel 1 to use the master clock mode
that is different from the clock mode on the peer E1-F interface.
e1 2 set clock master // Configure E1 channel 2 to use the master clock mode
that is different from the clock mode on the peer E1-F interface.
#
interface Serial1/0/0/1:0 // Enter the logical channel generated by E1 channel
1.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial1/0/0/1:0 to the MP-Group interface.
#
interface Serial1/0/0/2:0 // Enter the logical channel generated by E1 channel
2.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial1/0/0/2:0 to the MP-Group interface.
#
return

Step 2 Configure Router B.


#
sysname RouterB
#
interface Mp-group0/0/1 // Create and configure an MP-Group interface.
ip address 10.10.10.2 255.255.255.0 // Configure the IP address of the MP-
Group interface.
#
interface Serial1/0/0
fe1 unframed // Configure the E1-F interface to work in unframed mode.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial1/0/0 to the MP-Group interface.
#
interface Serial2/0/0
fe1 unframed // Configure the E1-F interface to work in unframed mode.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial2/0/0 to the MP-Group interface.
#
return

Step 3 Verify the configuration.

# On RouterA, run the display controller cpos 1/0/0 e1 1 command to view information
about E1 channel 1 on CPOS 1/0/0.

# On RouterA, run the display interface mp-group command to view the status of the MP-
Group interface on RouterA.

# Router A and Router B can ping each other.

----End

Configuration Notes
Line attributes of the E1 channel on the CPOS port must be the same as those of the E1
channel on the peer device.

5.4 Example for Configuring an ATM Interface


Specification
This example applies to all AR routers of V200R001C00 and later versions that support ATM
interfaces.

Networking Requirements
ATM1/0/0 of RouterA and GE1/0/0 of RouterB connect to the DSLAM. RouterA needs to use
IPoA to communicate with RouterB.

Figure 5-4 Networking for IPoA configuration

Procedure
Step 1 Configure RouterA.
#
interface Atm1/0/0
ip address 1.1.0.1 255.255.255.0 // Configure the IP address of ATM1/0/0 on
RouterA.
pvc 0/35 // Create a PVC and enter the PVC view.
map ip 1.1.0.2 // Configure IPoA mapping on the PVC.
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 1.1.0.2 255.255.255.0 // Configure the IP address of GE1/0/0 on
RouterB.
#
return

Step 3 Configure the DSLAM.


# For details about how to configure the DSLAM, see the DSLAM documentation.

Step 4 Verify the configuration.

# RouterA can ping RouterB.

----End

5.5 Example for Configuring an AR to Communicate with a Cisco Router Using Synchronous Serial Interfaces

5.5.1 Overview
Synchronous serial interfaces work in data terminal equipment (DTE) or data circuit-
terminating equipment (DCE) mode. A DTE is a device on which serial interfaces are
connected to DTE cables, and a DCE is a device on which serial interfaces are connected to
DCE cables. When functioning as a DTE, the device receives clock signals from a DCE.
Synchronous serial interfaces are typically used for campus network interconnection between
an enterprise's branches and the headquarters through Point-to-Point Protocol (PPP), X.25,
Link Access Procedure Balanced (LAPB), Frame Relay (FR), and High-Level Data Link
Control (HDLC) links.

5.5.2 Precautions
• The 1SA, 2SA, and 8SA cards of access routers (ARs) can transmit FR packets over V.35
physical links for interconnection with modem (for example, Aethro) devices from
different vendors. Vendors use different chips and solutions. To ensure successful
interconnection between devices from different vendors, you need to configure the same
parameter settings on the local and remote devices.
• Table 5-1 describes the required product models and versions.

Table 5-1 Required product models and versions


Device Vendor   Product   Version
Huawei          AR        Versions later than V200R001C01
Cisco           C3845     Version 15.1

5.5.3 Networking Requirements


In Figure 5-5, RouterA and RouterB are connected through serial interfaces. The serial
interface on RouterA works in DTE mode and that on RouterB works in DCE mode. RouterA
and RouterB need to communicate with each other. RouterA is an AR and RouterB is a Cisco
router.

Figure 5-5 Configuring network connectivity using synchronous serial interfaces

5.5.4 Configuration Procedure

5.5.4.1 Configuring the AR


Step 1 Configure FR and services on the serial interface.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Serial 1/0/1
[RouterA-Serial1/0/1] link-protocol fr
Warning: The encapsulation protocol of the link will be changed.
Continue? [Y/N]:y
[RouterA-Serial1/0/1] fr interface-type dte
[RouterA-Serial1/0/1] fr lmi type ansi
[RouterA-Serial1/0/1] ip address 10.1.11.2 24

Step 2 (Optional) Configure the device to invert clock signals received by the synchronous serial
interface.
If the DTE receives error packets, for example, the packet count is not a multiple of the byte
count, run the invert receive-clock command to configure the device to invert clock signals
received by the synchronous serial interface.
[RouterA-Serial1/0/1] invert receive-clock

Step 3 (Optional) Configure the device to invert clock signals transmitted by the synchronous serial
interface.
If the DTE does not receive error packets but the DCE receives error packets, run the invert
transmit-clock command to configure the device to invert clock signals transmitted by the
synchronous serial interface.
[RouterA-Serial1/0/1] invert transmit-clock

Step 4 Verify the configuration.


[RouterA]display current-configuration interface serial1/0/1
[V200R005C20SPC700]
#
interface Serial1/0/1
link-protocol fr
fr lmi type ansi
ip address 10.1.11.2 255.255.255.0
invert transmit-clock
invert receive-clock
#

----End

5.5.4.2 Configuring the Cisco Router


Step 1 Configure FR and services on the serial interface.
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterB
RouterB(config)#interface serial 0/1/1
RouterB(config-if)#encapsulation frame-relay
RouterB(config-if)#clock rate 128000
RouterB(config-if)#frame-relay lmi-type ansi
RouterB(config-if)#frame-relay local-dlci 581
RouterB(config-if)#frame-relay intf-type dce
RouterB(config-if)#ip address 10.1.11.1 255.255.255.0

Step 2 (Optional) Configure the device to invert clock signals transmitted by the synchronous serial
interface.
RouterB(config-if)#invert txclock

Step 3 Verify the configuration.


RouterB#show running-config interface serial 0/1/1
Building configuration...

Current configuration : 230 bytes

!
interface Serial0/1/1
ip address 10.1.11.1 255.255.255.0
encapsulation frame-relay
clock rate 128000
no frame-relay inverse-arp IP 581
frame-relay lmi-type ansi
frame-relay local-dlci 581
frame-relay intf-type dce
end

----End

5.5.5 Verification
1. The physical status and protocol status of the serial interface are Up, and the message
"DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP" is displayed in the command output.
[RouterA] display interface Serial 1/0/1
Serial1/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2017-05-24 16:02:07
Description:HUAWEI, AR Series, Serial1/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.1.11.2/24
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is ANSI, frame relay DTE
LMI status enquiry sent 107, LMI status received 105
LMI status timeout 0, LMI message discarded 0
Last physical up time : 2017-05-24 16:02:07
Last physical down time : 2017-05-24 16:02:04
Current system time: 2017-05-24 16:19:32
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is DTECLK1
Last 300 seconds input rate 2 bytes/sec 16 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec

Input: 2753 packets, 52399 bytes
Broadcast: 0, Multicast: 0
Errors: 0, Runts: 0
Giants: 0, CRC: 0
Alignments: 0, Overruns: 0
Dribbles: 0, Aborts: 0
No Buffers: 0, Frame Error: 0

Output: 2811 packets, 49963 bytes
Total Error: 0, Overruns: 0
Collisions: 0, Deferred: 0

DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

Input bandwidth utilization : 0.15%
Output bandwidth utilization : 0.15%

2. RouterA can communicate with RouterB.


[RouterA] ping 10.1.11.1
PING 10.1.11.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.11.1: bytes=56 Sequence=1 ttl=255 time=13 ms
Reply from 10.1.11.1: bytes=56 Sequence=2 ttl=255 time=13 ms
Reply from 10.1.11.1: bytes=56 Sequence=3 ttl=255 time=13 ms
Reply from 10.1.11.1: bytes=56 Sequence=4 ttl=255 time=12 ms
Reply from 10.1.11.1: bytes=56 Sequence=5 ttl=255 time=13 ms

--- 10.1.11.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 12/12/13 ms

5.5.6 Exception Handling


If the interface does not go Up or alternates between Up and Down states frequently, you need
to check the following parameters of the interface to preliminarily determine whether it works
in DCE or DTE mode.

DTR = data terminal ready

DSR = data set ready

DCD = data carrier detect

CTS = clear to send

RTS = request to send

The DCD, DSR, and CTS parameters are related to a DCE device, and the DTR and RTS
parameters are related to a DTE device.

A DTE device obtains synchronization clock information from a DCE device, and data
transmission is normal after clock information is negotiated.

The serial interface can go Up after the preceding parameters are correctly set.
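
The signal check described above can be scripted. The following Python is an added example, not part of the Huawei document: it parses display interface Serial output, attributes each down signal to the DCE or DTE side as listed above, and applies the clock-inversion hint from section 5.5.4.1. The finding codes and the fault samples are constructed, and the LMI hint is this example's reading of the counters, not a statement from the document.

```python
import re

# Section 5.5.6: DCD, DSR and CTS relate to the DCE; DTR and RTS to the DTE.
DCE_SIGNALS = ("DCD", "DSR", "CTS")
DTE_SIGNALS = ("DTR", "RTS")


def _grab(text, pattern, cast=str, default=None):
    """Return the first capture group of pattern, converted with cast."""
    m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return cast(m.group(1).strip()) if m else default


def parse_serial_status(text):
    """Extract the troubleshooting fields from 'display interface Serial' output."""
    return {
        "physical": _grab(text, r"^[ \t]*Serial\S+ current state\s*:\s*(.+)$", str.upper),
        "protocol": _grab(text, r"^[ \t]*Line protocol current state\s*:\s*(.+)$", str.upper),
        "role": _grab(text, r"Interface is (DTE|DCE)", str.upper),
        "lmi_sent": _grab(text, r"LMI status enquiry sent (\d+)", int, 0),
        "lmi_received": _grab(text, r"LMI status received (\d+)", int, 0),
        # Counters may overlap on the device; only "non-zero" matters here.
        "rx_errors": sum(_grab(text, rf"\b{name}:\s*(\d+)", int, 0)
                         for name in ("Errors", "CRC", "Frame Error", "Aborts")),
        # findall also copes with the signal line being wrapped over two lines.
        "signals": {k.upper(): v.upper() for k, v in re.findall(
            r"\b(DCD|DTR|DSR|RTS|CTS)=(\w+)", text, re.IGNORECASE)},
    }


def diagnose(status):
    """Return (code, advice) findings; the codes are this example's own labels."""
    sig = status["signals"]
    findings = []
    absent = [s for s in DCE_SIGNALS + DTE_SIGNALS if s not in sig]
    if absent:
        findings.append(("signals-missing", "not reported: " + ", ".join(absent)))
    dce_down = [s for s in DCE_SIGNALS if sig.get(s) not in (None, "UP")]
    dte_down = [s for s in DTE_SIGNALS if sig.get(s) not in (None, "UP")]
    if dce_down:
        findings.append(("dce-signals-down",
                         f"{', '.join(dce_down)} down: check the DCE device, its clock and the cable"))
    if dte_down:
        findings.append(("dte-signals-down",
                         f"{', '.join(dte_down)} down: check the DTE device and its interface state"))
    if status["role"] == "DTE" and status["rx_errors"] > 0:
        findings.append(("dte-rx-errors",
                         "DTE receives error packets: try 'invert receive-clock'"))
    if not (dce_down or dte_down) and status["protocol"] != "UP":
        if status["lmi_sent"] > 0 and status["lmi_received"] == 0:
            findings.append(("lmi-unanswered",
                             "LMI enquiries get no reply: compare encapsulation and LMI type on both ends"))
        else:
            findings.append(("protocol-down", "signals are up but the line protocol is not"))
    return findings or [("ok", "all five signals and the line protocol are UP")]


# Healthy output from section 5.5.5 of the page, abridged.
HEALTHY = """\
Serial1/0/1 current state : UP
Line protocol current state : UP
LMI DLCI is 0, LMI type is ANSI, frame relay DTE
LMI status enquiry sent 107, LMI status received 105
Interface is DTE, Cable type is V35, Clock mode is DTECLK1
Errors: 0, Runts: 0
Giants: 0, CRC: 0
Dribbles: 0, Aborts: 0
No Buffers: 0, Frame Error: 0
DCD=UP DTR=UP DSR=UP RTS=UP
CTS=UP
"""
# Constructed fault cases derived from the healthy output.
DCE_FAULT = (HEALTHY.replace("current state : UP", "current state : DOWN")
             .replace("DCD=UP", "DCD=DOWN").replace("DSR=UP", "DSR=DOWN")
             .replace("CTS=UP", "CTS=DOWN"))
LMI_FAULT = (HEALTHY.replace("Line protocol current state : UP",
                             "Line protocol current state : DOWN")
             .replace("received 105", "received 0"))
CLOCK_FAULT = HEALTHY.replace("CRC: 0", "CRC: 57")


def codes(text):
    """Finding codes for one captured command output."""
    return [code for code, _ in diagnose(parse_serial_status(text))]


if __name__ == "__main__":
    for label, sample in [("healthy", HEALTHY), ("dce fault", DCE_FAULT),
                          ("lmi fault", LMI_FAULT), ("clock fault", CLOCK_FAULT)]:
        for code, advice in diagnose(parse_serial_status(sample)):
            print(f"{label:12} {code:18} {advice}")
```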

5.6 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (E1 Mode)

Specification
This example applies to AR routers of all versions.

Networking Requirements
As shown in Figure 5-6, a router in a bank outlet connects to the aggregation device in a tier
2 branch through an E1 link leased from a carrier so that the outlet and branch can
communicate. The E1 link uses all the 32 timeslots, PPP encapsulation, and CHAP
authentication.

Figure 5-6 Networking diagram for connecting a bank outlet to a tier 2 branch through an E1
link

Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
controller e1 1/0/0 //Enter the view of controller e1 interface.
using e1 //Configure the E1 interface to work in E1 mode.
#
interface serial 1/0/0:0 //Enter the view of the generated virtual serial
interface.
link-protocol ppp //Configure PPP encapsulation.
ip address 2.2.2.2 255.255.255.0
ppp chap user user1 //Configure the user name for CHAP authentication.
ppp chap password cipher %@%@#0p7U*q6k~qRN7$#9'oY&\z&%@%@ //Configure the
password for CHAP authentication.
#
return

Step 2 Verify the configuration.

# Run the display interface serial command to check the serial interface status. The
command output shows that both the physical status and link layer status of the interface are
Up.

# Ping the remote device from the router. The ping succeeds, indicating that the two devices
can communicate through the E1 link.

----End

Configuration Notes
• A carrier provides various types of WAN links. The E1 interface of the router may
connect to different types of interfaces. A protocol converter may be required to convert
protocols. Therefore, you need to select proper cable connectors and conversion adapters
based on actual situations.
NOTE
For details about E1/T1 cables supported by the device, see E1/T1 Cable in the Huawei AR Series
Access Routers Hardware Description - Cables.
• PPP authentication improves link security, and the authentication mode can be set to PAP
or CHAP. Because E1 links are generally leased from a carrier and are regarded as secure,
PPP authentication is generally not configured on E1 links. Configure PPP authentication
based on actual requirements.
• When PPP authentication is configured, the router functions as the supplicant.

5.7 Example for Connecting a Bank Outlet to a Tier 2 Branch Through an E1 Link (CE1 Mode)

Specification
This example applies to AR routers of all versions.

Networking Requirements
As shown in Figure 5-7, a router in a bank outlet connects to the aggregation device in a tier
2 branch through an E1 link leased from a carrier so that the outlet and branch can
communicate. The E1 link uses timeslots 1, 10 to 16, and 18, PPP encapsulation, and CHAP
authentication.

Figure 5-7 Networking diagram for connecting a bank outlet to a tier 2 branch through an E1
link

Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
controller e1 1/0/0 //Enter the view of controller e1 interface.
using ce1 //Configure the E1 interface to work in CE1 mode.
channel-set 1 timeslot-list 1,10-16,18 //Bind timeslots 1, 10 to 16, and 18 to
form channel interface 1.
#
interface serial 1/0/0:1 //Enter the view of the generated virtual serial
interface. :1 in the interface number 1/0/0:1 indicates channel interface 1.
link-protocol ppp
ip address 2.2.2.2 255.255.255.0
ppp chap user user1 //Configure the user name for CHAP authentication.
ppp chap password cipher %@%@#0p7U*q6k~qRN7$#9'oY&\z&%@%@ //Configure the
password for CHAP authentication.
#
return

Step 2 Verify the configuration.

# Run the display interface serial command to check the serial interface status. The
command output shows that both the physical status and link layer status of the interface are
Up.

# Ping the remote device from the router. The ping succeeds, indicating that the two devices
can communicate through the E1 link.

----End

Configuration Notes
• A carrier provides various types of WAN links. The E1 interface of the router may
connect to different types of interfaces. A protocol converter may be required to convert
protocols. Therefore, you need to select proper cable connectors and conversion adapters
based on actual situations.
NOTE
For details about E1/T1 cables supported by the device, see E1/T1 Cable in the Huawei AR Series
Access Routers Hardware Description - Cables.
• PPP authentication improves link security, and the authentication mode can be set to PAP
or CHAP. Because E1 links are generally leased from a carrier and are regarded as secure,
PPP authentication is generally not configured on E1 links. Configure PPP authentication
based on actual requirements.
• When PPP authentication is configured, the router functions as the supplicant.

5.8 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a WCDMA Network)

Specification
This example applies to AR routers of V200R001C01 and later versions.

Networking Requirements
It is difficult and costly for enterprises to lease lines from carriers. Therefore, an enterprise
uses a 3G link to access the Internet.
As shown in Figure 5-8, a router connects to downstream users on the enterprise intranet, and
dials up to the upstream Internet through the 3G link so that intranet users can access the
Internet.

Figure 5-8 Networking diagram for configuring an enterprise to use a 3G link to access the
Internet

Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
dialer-rule //Configure a rule that triggers dial-up.
dialer-rule 1 ip permit //Configure the device to trigger dial-up by all IP
packets.
#
acl number 3002 //Configure an ACL.
rule 5 permit ip source 10.10.10.0 0.0.0.255 //Configure the device to filter
packets from the intranet network segment based on the ACL.
#
apn profile 3gnet //Create an APN profile.
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@ authentication-mode chap //Configure the user name, password, and authentication mode of the
user connecting to the external PDN.
apn 3GNET //Configure the APN. The APN is provided by the carrier.
#
interface Cellular0/0/0
link-protocol ppp
mode wcdma wcdma-precedence //Set the mode for connecting to the WCDMA network
to wcdma-precedence. The mode can also be set to gsm-only, gsm-precedence, or
wcdma-only.
ppp ipcp dns request //Configure a DNS server address through PPP
negotiation.
ip address ppp-negotiate //Configure an IP address through PPP negotiation.
In V200R005C00 and later versions, you are advised to run the ip address
negotiate command to dynamically obtain an IP address.
dialer-group 1 //Associate the rule that triggers dial-up with the 3G
interface.
dialer enable-circular //Enable C-DCC.
dialer number *99# autodial //Configure the device to dial up to the carrier
network through automatic dial-up. Different carriers have different dialer
numbers. The dial-up succeeds only after the correct dialer number is obtained.
dialer timer autodial 10 //Set the automatic dial-up interval to 10 seconds,
that is, the device automatically dials up to the network through the 3G link
every 10 seconds.
apn-profile 3gnet //Bind the APN profile to the 3G interface for CHAP
authentication and the APN to take effect.
nat outbound 3002 //Configure outbound NAT.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Configure a static route with
the 3G interface as the outbound interface so that traffic can be forwarded to
the external network through the 3G interface.
#
return

Step 2 Verify the configuration.

# Run the display interface cellular command to view detailed information about the 3G
interface. When the interface transmits traffic, both the physical status and link layer status of
the interface are Up, LCP and IPCP are in Opened state, and the interface successfully obtains
an IP address.

----End

Configuration Notes
• The methods of configuring the APN in different versions are as follows:
– In versions earlier than V200R005C00, if the APN is 3GNET, run the profile
create command on the 3G interface to create a parameter profile and manually
configure the APN. The configuration is as follows:
#
interface Cellular0/0/0
profile create 1 static 3GNET

– In V200R005C00 and later versions, if the APN is 3GNET, create an APN profile,
set the APN to 3GNET in the APN profile, and bind the APN profile to the 3G
interface. The configuration is as follows:
#
apn profile 3gnet
apn 3GNET
#
interface Cellular0/0/0
apn-profile 3gnet

• When CHAP authentication is configured, the router functions as the supplicant. The
methods of configuring CHAP authentication on the 3G interface in different versions
are as follows:
– In versions earlier than V200R005C00, run the ppp chap user and ppp chap
password commands on the 3G interface to configure the user name and password
for CHAP authentication, respectively. The configuration is as follows:
#
interface Cellular0/0/0
ppp chap user 3guser
ppp chap password cipher %@%@9eCPJjmQR!gQxf6@q%.;,u5q%@%@

– In V200R005C00 and later versions, create an APN profile, configure the user
name, password, and authentication mode of the user connecting to the external
PDN in the APN profile, and bind the APN profile to the 3G interface. The
configuration is as follows:
#
apn profile 3gnet
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@ authentication-mode chap
#
interface Cellular0/0/0
apn-profile 3gnet

• If automatic dial-up is configured, the 3G link remains connected after the router
starts, which consumes more 3G network traffic. Configure automatic dial-up based on
actual requirements.

5.9 Example for Configuring an Enterprise to Use a 3G Link to Access the Internet (Through a CDMA2000 Network)

Specification
This example applies to AR routers of V200R001C01 and later versions.

Networking Requirements
It is difficult and costly for enterprises to lease lines from carriers. Therefore, an enterprise
uses a 3G link to access the Internet.
As shown in Figure 5-9, a router connects to downstream users on the enterprise intranet, and
dials up to the upstream Internet through the 3G link so that intranet users can access the
Internet.

Figure 5-9 Networking diagram for configuring an enterprise to use a 3G link to access the
Internet

Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
dialer-rule //Configure a rule that triggers dial-up.
dialer-rule 1 ip permit //Configure the device to trigger dial-up by all IP
packets.
#
acl number 3002 //Configure an ACL
rule 5 permit ip source 10.10.10.0 0.0.0.255 //Configure the device to filter
packets from the intranet network segment based on the ACL.
#
apn profile 3gnet //Create an APN profile.
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@ authentication-mode chap //Configure the user name, password, and authentication mode of the
user connecting to the external PDN.
apn 3GNET //Configure the APN. The APN is provided by the carrier.
#
interface Cellular0/0/0
link-protocol ppp
mode cdma hybrid //Set the mode for connecting to the CDMA2000 network to
hybrid. The mode can also be set to 1xrtt-only or evdo-only.
ppp ipcp dns request //Configure a DNS server address through PPP
negotiation.
ip address ppp-negotiate //Configure an IP address through PPP negotiation.
In V200R005C00 and later versions, you are advised to run the ip address negotiate
command to dynamically obtain an IP address.
dialer-group 1 //Associate the rule that triggers dial-up with the 3G
interface.
dialer enable-circular //Enable C-DCC.
dialer number *98# autodial //Configure the device to dial up to the carrier
network through automatic dial-up. Different carriers have different dialer
numbers. The dial-up succeeds only after the correct dialer number is obtained.
dialer timer autodial 10 //Set the automatic dial-up interval to 10 seconds,
that is, the device automatically dials up to the network through the 3G link
every 10 seconds.
apn-profile 3gnet //Bind the APN profile to the 3G interface for CHAP
authentication and the APN to take effect.
nat outbound 3002 //Configure outbound NAT.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Configure a static route with
the 3G interface as the outbound interface so that traffic can be forwarded to
the external network through the 3G interface.
#
return

Step 2 Verify the configuration.

# Run the display interface cellular command to view detailed information about the 3G
interface. When the interface transmits traffic, both the physical status and link layer status of
the interface are Up, LCP and IPCP are in Opened state, and the interface successfully obtains
an IP address.

----End

Configuration Notes
• When CHAP authentication is configured, the router functions as the supplicant. The
methods of configuring CHAP authentication on the 3G interface in different versions
are as follows:
– In versions earlier than V200R005C00, run the ppp chap user and ppp chap
password commands on the 3G interface to configure the user name and password
for CHAP authentication, respectively. The configuration is as follows:
#
interface Cellular0/0/0
ppp chap user 3guser
ppp chap password cipher %@%@9eCPJjmQR!gQxf6@q%.;,u5q%@%@

– In V200R005C00 and later versions, create an APN profile, configure the user
name, password, and authentication mode of the user connecting to the external
PDN in the APN profile, and bind the APN profile to the 3G interface. The
configuration is as follows:
#
apn profile 3gnet
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@ authentication-mode chap
#
interface Cellular0/0/0
apn-profile 3gnet

• If automatic dial-up is configured, the 3G link remains connected after the router
starts, which consumes more 3G network traffic. Configure automatic dial-up based on
actual requirements.
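
The Configuration Notes in sections 5.6 to 5.9 leave PPP authentication to "actual requirements", so it helps to check which PPP interfaces on a device actually carry CHAP credentials. The following Python is an added example, not part of the Huawei document: it audits comment-free display current-configuration text for the two CHAP forms shown on this page (ppp chap user/password on the interface, or a bound APN profile with authentication-mode chap). The sample configuration, the finding labels, the placeholder secrets, the noauth profile, Cellular0/0/1, and the simple keyword (not shown on this page) are assumptions made for the example.

```python
def parse_stanzas(config):
    """Split comment-free 'display current-configuration' text on '#' lines."""
    stanzas, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            if current:
                stanzas.append(current)
                current = []
            continue
        current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def audit_ppp_auth(config):
    """Map each PPP or cellular interface to a list of findings (example labels)."""
    stanzas = parse_stanzas(config)
    profiles = {s[0].split()[2].lower(): s[1:] for s in stanzas
                if s[0].lower().startswith("apn profile ") and len(s[0].split()) >= 3}
    report = {}
    for s in stanzas:
        head = s[0].split()
        if head[0].lower() != "interface" or len(head) < 2:
            continue
        low = [line.lower() for line in s[1:]]   # lowered for keyword matching only
        bound = [line.split()[1] for line in low if line.startswith("apn-profile ")]
        if "link-protocol ppp" not in low and not bound:
            continue                              # not a PPP or cellular interface
        findings = []
        user = any(line.startswith("ppp chap user ") for line in low)
        pw = [line for line in low if line.startswith("ppp chap password ")]
        if user and pw:
            findings.append("chap-configured")
        elif user or pw:
            findings.append("chap-incomplete")
        # The page always stores the secret with the 'cipher' keyword.
        if any(line.split()[3:4] != ["cipher"] for line in pw):
            findings.append("chap-password-not-cipher")
        for prof in bound:
            if prof not in profiles:
                findings.append("apn-profile-missing")
            elif any(line.lower().startswith("user name ")
                     and "authentication-mode chap" in line.lower()
                     for line in profiles[prof]):
                findings.append("chap-via-apn-profile")
        if not any(f in ("chap-configured", "chap-via-apn-profile") for f in findings):
            findings.append("no-chap-credentials")
        report["".join(head[1:])] = findings      # "serial 1/0/0:0" -> "serial1/0/0:0"
    return report


# Constructed sample assembled from stanza shapes used in sections 5.3, 5.7, 5.8
# and 5.13. Secrets are placeholders; 'simple' is not shown on the page.
CONFIG = """\
#
interface Serial1/0/0:1
 link-protocol ppp
 ip address 2.2.2.2 255.255.255.0
 ppp chap user user1
 ppp chap password cipher %@%@PLACEHOLDER%@%@
#
interface Serial1/0/0/1:0
 link-protocol ppp
 ppp mp mp-group 0/0/1
#
interface Dialer16
 link-protocol ppp
 ppp chap user user2@system
 ppp chap password simple PLACEHOLDER
#
apn profile 3gnet
 user name 3guser password cipher %@%@PLACEHOLDER%@%@ authentication-mode chap
 apn 3GNET
#
apn profile noauth
 apn 3GNET
#
interface Cellular0/0/0
 link-protocol ppp
 apn-profile 3gnet
#
interface Cellular0/0/1
 apn-profile noauth
#
interface GigabitEthernet1/0/0
 ip address 1.1.0.2 255.255.255.0
#
return
"""

if __name__ == "__main__":
    for name, findings in audit_ppp_auth(CONFIG).items():
        print(f"{name:18} {', '.join(findings)}")
```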

5.10 Example for Configuring an Enterprise to Connect to the Internet Through LTE Links

Specification
This example applies to all AR routers of all versions that support LTE cellular interfaces.

Networking Requirements
A remote branch of the enterprise needs to exchange large volumes of service traffic with
external networks, but it cannot obtain the wired WAN access service. As shown in Figure
5-10, the branch uses the Router as the egress gateway and uses an LTE cellular interface to
connect to the Internet through the LTE network, meeting service transmission requirements.
The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires that the Router should assign IP addresses to branch intranet users and
the users access external networks.
The branch has subscribed to the yearly-package service and users in the branch access the
Internet through automatic dial-up. The branch obtains the following information from the
carrier:
• The APN is 3gnet.
• The dialer number is *99#.

Figure 5-10 Enterprise connecting to the Internet through an LTE Link

Procedure
Step 1 Configure the router.
#
vlan batch 10 // Create VLAN 10.
#
dhcp enable // Enable DHCP.
#
acl number 3002 // Configure the ACL for NAT.
rule 5 permit ip source 192.168.100.0 0.0.0.255
#
ip pool ltepool // Create the global address pool ltepool.
gateway-list 192.168.100.1 // Configure the egress gateway.
network 192.168.100.0 mask 255.255.255.0 // Configure the address range of
the global address pool.
#
interface Vlanif10
ip address 192.168.100.1 255.255.255.0 // Configure an IP address for the
interface.
dhcp select global // Enable the DHCP server function to assign IP addresses
to clients from the global address pool.
#
interface Ethernet2/0/0 // Add port Eth2/0/0 to VLAN 10.
port link-type trunk
port trunk allow-pass vlan 10
#
interface Cellular0/0/0
dialer enable-circular // Enable the C-DCC function.
apn-profile lteprofile // Bind the APN profile lteprofile to the cellular
interface.
dialer number *99# autodial // Configure the dialer number so that the port
can perform automatic dial-up.
nat outbound 3002 // Configure outbound NAT in easy IP mode.
ip address negotiate // Enable the cellular interface to dynamically obtain
an IP address.
#
apn profile lteprofile // Create the APN profile lteprofile.
apn 3gnet // Set APN to 3gnet in the APN profile.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 // Configure the default route
and specify Cellular0/0/0 as the outbound interface.
#
return

Step 2 Verify the configuration.

# On the router, run the display interface cellular 0/0/0 command to view detailed
information about the interface. The command output shows that both the physical layer
status and link layer status of the interface are Up when the interface forwards traffic.

# On the router, run the display cellular 0/0/0 all command to view information about all call
sessions on the LTE data card. The command output shows that the APN is 3gnet, the network
type is Automatic, and the network connection mode is LTE(LTE).

----End

Configuration Notes
• APNs and dialer numbers are provided by the carrier.
• After an APN is configured, it is permanently recorded in an LTE data card. If the APN
changes, reconfigure it.

5.11 Example for Configuring IPoA to Connect a LAN to the Internet

Applicability
This example applies to all versions of AR routers.

Networking Requirements
ATM1/0/0 of RouterA and GE1/0/0 of RouterB connect to the DSLAM. RouterA needs to use
IPoA to communicate with RouterB.

Figure 5-11 Networking diagram for IPoA configuration

Procedure
Step 1 Configure RouterA.
#
interface Atm1/0/0
ip address 1.1.0.1 255.255.255.0 //Assign an IP address to ATM1/0/0.
pvc 0/35 //Create a PVC and enter the PVC
view.
map ip 1.1.0.2 //Configure IPoA mapping on the
PVC.
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 1.1.0.2 255.255.255.0 //Assign an IP address to GE1/0/0.
#
return

Step 3 Configure the DSLAM.


# See the DSLAM documentation.
Step 4 Verify the configuration.
# Ping RouterB from RouterA. RouterA can ping RouterB.

----End

5.12 Example for Configuring IPoEoA to Connect a LAN to the Internet

Applicability
This example applies to all versions of AR routers.

Networking Requirements
Users on an enterprise intranet connect to the enterprise gateway RouterA through Layer 2 Ethernet
interfaces. RouterA connects to the DSLAM through the ADSL uplink interface, and the
DSLAM connects to RouterB.

Figure 5-12 Networking diagram for IPoEoA configuration

Procedure
Step 1 Configure RouterA.
#
interface Virtual-Ethernet0/0/0 //Create a virtual Ethernet (VE) interface and
enter the VE interface view.
ip address 1.1.0.1 255.255.255.0 //Assign an IP address to the VE
interface.
#
interface Atm1/0/0
pvc 25/45 //Create a PVC and enter the PVC
view.
map bridge Virtual-Ethernet 0/0/0 //Configure IPoEoA mapping on the
PVC.
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet0/0/1
ip address 1.1.0.2 255.255.255.0 //Assign an IP address to GE0/0/1.
#
return

Step 3 Configure the DSLAM.


# See the DSLAM documentation.
Step 4 Verify the configuration.
# Ping RouterB from RouterA. RouterA can ping RouterB.

----End

5.13 Example for Configuring PPPoEoA to Connect Users to the Internet Using PPP
Applicability
This example applies to all versions of AR routers.

Networking Requirements
All PCs on an enterprise intranet use the IP address of an Ethernet interface on RouterA as the
gateway address. RouterA connects to a DSLAM through the ADSL interface, and the
DSLAM connects to the PPPoEoA server. RouterA functions as the PPPoEoA client and is
authenticated in CHAP mode.

Figure 5-13 Networking diagram for PPPoEoA configuration

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 10 ip permit //Configure dialer ACL rule 10.
#
acl 2000 //Configure an ACL.
rule 5 permit source 192.168.0.0 0.0.0.255


#
interface Dialer16 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol.
ppp chap user user2@system //Configure the user name for CHAP authentication so that the PPPoE server can authenticate the client.
ppp chap password cipher %@%@t^cV#p7O3JZd9oD{d3h8%ay3%@%@ //Configure the password for CHAP authentication so that the PPPoE server can authenticate the client.
ip address ppp-negotiate //Configure the dialer interface to obtain an IP address using PPPoE negotiation.
dialer user user2@system //Configure RS-DCC.
dialer bundle 14 //Specify dialer bundle number 14.
dialer-group 10 //Configure dialer group 10 for the dialer interface.
nat outbound 2000 //Configure outbound NAT in Easy IP mode.
tcp adjust-mss 1200 //Set the maximum segment size (MSS) of TCP packets.
#
interface Virtual-Ethernet0/0/0 //Create a VE interface and enter the VE interface view.
pppoe-client dial-bundle-number 14 //Create a PPPoE session and specify the dialer bundle for the PPPoE session.
#
interface Atm1/0/0 //Enter the ATM interface view.
pvc 30/90 //Create a PVC and enter the PVC view.
map bridge Virtual-Ethernet0/0/0 //Configure PPPoEoA mapping on the PVC.
#
ip route-static 0.0.0.0 0 Dialer16 //Configure Dialer16 as the outbound interface of the default route.

Step 2 Configure RouterB. (Take V200R005C20 as an example.)


#
ip pool 1 //Create a global IP address pool.
gateway-list 1.1.1.1 //Configure the egress gateway IP address for the global IP address pool.
network 1.1.1.2 mask 255.255.255.0 //Configure the range of allocable IP addresses in the global IP address pool.
#
aaa //Configure local authentication.
authentication-scheme system_a
domain system
authentication-scheme system_a
local-user user2@system password cipher %@%@bko\D0<pFF#XozNHQ!70OC]<%@%@ //Configure the user name and password for the local end.
local-user user2@system privilege level 0
local-user user2@system service-type ppp //Set the service type of the local user to PPP.
#
interface Virtual-Template0 //Create a virtual template (VT) interface and enter the VT interface view.
ppp authentication-mode chap domain system //Set the authentication mode to CHAP.
remote address pool 1 //Specify an IP address pool for the PPPoEoA client.
ip address 1.1.1.1 255.255.255.0 //Assign an IP address to the VT interface.
#
interface GigabitEthernet0/0/1 //Enter the GE interface view.
pppoe-server bind Virtual-Template 0 //Bind the VT to the GE interface and enable PPPoE on the GE interface.
#
return

Step 3 Configure the DSLAM.


# See the DSLAM documentation.


Step 4 Verify the configuration.

# Run the display interface dialer command to check whether the dialer interface on the
Router has been assigned a correct IP address.

The following information indicates that the dialer interface has been assigned a correct IP
address.
Internet Address is negotiated, 1.1.1.254/32

# Run the display virtual-access command to view the PPP negotiation status of the virtual
access interface created on the dialer interface.

The following information indicates that PPP negotiation is successful on the virtual access
interface.
LCP opened, IPCP opened

# Ping the PPPoEoA server (RouterB) from RouterA. RouterA can successfully ping
RouterB.

----End

Configuration Notes
● The dialer rule numbers in dialer-rule and dialer-group must be the same. The dialer
bundle numbers in dialer bundle and pppoe-client dial-bundle-number must be the same.
● You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
● If the public network can be connected but web pages cannot be opened after NAT is
performed, run the tcp adjust-mss command on the public network interface. For
PPPoE applications, the recommended maximum segment size (MSS) is 1200 bytes.

5.14 Example for Configuring PPPoA to Connect Users to the Internet Using PPP
Applicability
This example applies to all versions of AR routers.

Networking Requirements
In PPPoA application, PPP packets are encapsulated in ATM cells, and IP packets and other
protocol packets are encapsulated in PPP packets. PPPoA packet transmission is controlled by
the PPP protocol, which is flexible and supports a variety of applications.

As shown in Figure 5-14, users on an enterprise network connect to a Layer 3 Ethernet
interface of the enterprise gateway RouterA. RouterA connects to the DSLAM through the
ADSL uplink interface, and the DSLAM connects to the Internet. IP packets sent from the
enterprise network are encapsulated in PPP packets and forwarded by the ADSL interface to
the Internet.

Figure 5-14 Networking diagram for PPPoA configuration

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
interface Virtual-Template10 //Configure a WAN-side virtual template (VT) interface.
ppp chap user huawei
ppp chap password cipher %@%@;^p|F{9fb1IiN7U[7HoAFh8)%@%@
ip address ppp-negotiate
#
interface Atm1/0/0 //Configure a WAN-side ATM interface.
pvc 35/53
map ppp Virtual-Template10
#
interface Ethernet2/0/0 //Configure a LAN-side interface.
ip address 1.1.0.1 255.255.255.0
#
return

Step 2 Configure the DSLAM.


# See the DSLAM documentation.

Step 3 Configure the PPPoA server. (Take V200R005C20 as an example.)


#
ip pool 1 //Configure an IP address pool.
gateway-list 2.1.1.1
network 2.1.1.2 mask 255.255.255.0
#
aaa //Configure a local user.
local-user huawei password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template0 //Configure a WAN-side VT interface.
ppp authentication-mode chap //Set the authentication mode to CHAP.
remote address pool 1
ip address 2.1.1.1 255.255.255.0
#
interface Ethernet1/0/0 //Configure a WAN-side interface.
pppoe-server bind Virtual-Template 0
#
return

Step 4 Verify the configuration.


# Run the display interface virtual-template command to check whether the virtual template
interface on RouterA has been assigned a correct IP address.
# Ping the PPPoA server from RouterA. RouterA can successfully ping the PPPoA server.

----End

Configuration Notes
● The local user name and password must be identical to the remote user name and
password for CHAP authentication.

5.15 Example for Configuring PPPoFR to Implement LAN Interconnections
Applicability
This example applies to all versions of AR routers.

Networking Requirements
RouterA and RouterB are connected through an FR leased line. FR networks do not support
authentication, so access users cannot be authenticated.
The PPP protocol provides authentication and has good extensibility; therefore, the PPPoFR
solution can be implemented based on the PPP and FR protocols. In this example, CHAP
authentication is used over an FR network, and an end-to-end PPP session is set up on the FR
network. All access users are authenticated.

Figure 5-15 Networking diagram for PPPoFR configuration

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
interface Virtual-Template10 //Create a virtual template (VT) interface and enter the VT interface view.
ip address 10.1.0.5 255.255.255.0 //Assign an IP address to the VT interface.
ppp chap user huawei //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@;^p|F{9fb1IiN7U[7HoAFh8)%@%@ //Configure the password used for CHAP authentication.
#
interface Serial1/0/0
link-protocol fr //Set the link layer protocol of the interface to Frame Relay (FR).
fr interface-type dte //Set the FR interface type to data terminal equipment (DTE).
fr dlci 100 //Set the data link identifier for the FR link.
fr map ppp interface Virtual-Template10 100 //Map an FR virtual circuit to a PPP link.
#
return

Step 2 Configure RouterB. (Take V200R005C20 as an example.)


#
aaa //Enter the AAA view.
local-user huawei password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the user name and password for the local end.
local-user huawei privilege level 0
local-user huawei service-type ppp //Set the service type of the local user to PPP.
#
interface Virtual-Template10 //Create a virtual template (VT) interface and enter the VT interface view.
ip address 10.1.0.6 255.255.255.0 //Assign an IP address to the VT interface.
ppp authentication-mode chap //Set the PPP authentication mode to CHAP.
#
interface Serial1/0/0
link-protocol fr //Set the link layer protocol of the interface to FR.
fr interface-type dce //Set the FR interface type to data communications equipment (DCE).
fr dlci 100 //Set the data link identifier for the FR link.
fr map ppp interface Virtual-Template10 100 //Map an FR virtual circuit to a PPP link.
#
return

Step 3 Verify the configuration.

# Run the display virtual-access vt vt-number command to view the VA status of the virtual
template interface on RouterB.

# Run the display fr map-info interface interface-type interface-number command to view
FR address mapping information on RouterB.

----End

5.16 Example for Configuring an FR Network to Connect LANs Using IP Protocols
Specification
This example applies to all AR routers of all versions.

, and AR150 series do not support frame relay (FR).

Networking Requirements
On the FR network, RouterA and RouterB function as DTEs to transmit IP packets. A public
FR network connects local area networks (LANs).


Figure 5-16 Networking for IPoFR configuration

Procedure
Step 1 Configure RouterA.
#
interface Serial1/0/0
link-protocol fr // Configure FR as the link-layer protocol on the interface.
fr dlci 60 // Configure the data link connection identifier (DLCI) for the FR link.
fr map ip 10.1.0.6 60 // Configure the static mapping between the local DLCI and destination IP address.
ip address 10.1.0.5 255.255.255.0 // Configure the IP address of the local device.
#
return

Step 2 Configure RouterB.


#
interface Serial1/0/0
link-protocol fr // Configure FR as the link-layer protocol on the interface.
fr dlci 70 // Configure the DLCIs for FR links.
fr map ip 10.1.0.5 70 // Configure the static mapping between the local DLCI and destination IP address.
ip address 10.1.0.6 255.255.255.0 // Configure the IP address of the local device.
#
return

Step 3 Verify the configuration.

# Router A and Router B can ping each other.

----End

5.17 Example for Configuring an MP Group


Applicability
This example applies to all versions of AR routers.

Networking Requirements
Multiple PPP links can be bundled into an MP group to increase link bandwidth. An MP
group is an MP bundle. PPP links in an MP group are fixed. This method is efficient and the
configuration is simple, so it is widely used on networks.


As shown in Figure 5-17, two pairs of serial interfaces on RouterA and RouterB are
connected and are added to the MP-group. The routers use CHAP authentication.

Figure 5-17 Network diagram for MP group configuration

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
aaa //Configure a local user.
authentication-scheme system_a
domain system
authentication-scheme system_a
local-user userb password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
local-user userb privilege level 0
local-user userb service-type ppp
#
interface Mp-group0/0/1
ip address 10.10.10.10 255.255.255.252
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system //Set the authentication mode to CHAP.
ppp chap user usera //Configure the user name and password for the remote end.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system //Set the authentication mode to CHAP.
ppp chap user usera //Configure the user name and password for the remote end.
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
return

Step 2 Configure RouterB. (Take V200R005C20 as an example.)


#
aaa //Configure a local user.
authentication-scheme system_b
domain system
authentication-scheme system_b
local-user usera password cipher %@%@wSj=##g9INJIZ$Ip'6f7;rd!%@%@
local-user usera privilege level 0
local-user usera service-type ppp
#
interface Mp-group0/0/1
ip address 10.10.10.11 255.255.255.252
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system //Set the authentication mode to CHAP.
ppp chap user userb //Configure the user name and password for the remote end.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;ldS%@%@
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system //Set the authentication mode to CHAP.
ppp chap user userb //Configure the user name and password for the remote end.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;mdS%@%@
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
return

Step 3 Verify the configuration.

# Run the display ppp mp command on RouterA to view MP binding information.

The command output includes the physical status and protocol status of member links, the
number of member links, and MP member information.

# Run the display virtual-access command on RouterA to view the virtual access interface
status.

RouterB can successfully ping RouterA.

----End

Configuration Notes
● To make the configuration take effect, restart all the member interfaces after the
configuration is complete.
● The local user name and password must be identical to the remote user name and
password for CHAP authentication.

5.18 Example for Binding PPP Links to a Virtual Template to Implement MP
Applicability
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 5-18, two routers are connected by serial cables. The serial links form an
MP group to improve communication reliability and bandwidth. The MP group is created by
binding links to a virtual template.

Figure 5-18 Network diagram for binding links to a virtual template


Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Set a system name to identify the router.
interface serial 1/0/0
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode and bind virtual template VT1 to the serial interface.
#
interface serial 1/0/1
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode and bind virtual template VT1 to the serial interface.
#
interface Virtual-Template1
ip address 10.10.10.10 255.255.255.252 //Assign an IP address to VT1.
return

Step 2 Configure RouterB.


#
sysname RouterB //Set a system name to identify the router.
interface serial 1/0/0
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode and bind virtual template VT1 to the serial interface.
#
interface serial 1/0/1
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode and bind virtual template VT1 to the serial interface.
#
interface Virtual-Template1
ip address 10.10.10.11 255.255.255.252 //Assign an IP address to VT1.
return

Step 3 Verify the configuration.


# Run the display ppp mp command on RouterA to view MP binding information. The MP
group contains two serial interfaces.
# Run the display ppp mp command on RouterB to view MP binding information. The MP
group contains two serial interfaces.
# Ping RouterB from RouterA. RouterB can successfully ping RouterA.

----End

Configuration Notes
● The physical interfaces are successfully added to the MP group only after PPP
negotiation is complete. Therefore, restart all the physical interfaces in the MP group
after the configuration to trigger PPP negotiation.

5.19 Example for Binding User Names to Virtual Interface Templates to Implement MP
Applicability
This example applies to all versions of AR routers.


Networking Requirements
As shown in Figure 5-19, two AR routers are connected by serial cables. The serial links
form an MP group to improve communication reliability and bandwidth. The MP group is
created by binding user names to virtual interface templates.

Figure 5-19 Network diagram for binding user names to virtual interface templates

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
sysname RouterA //Set a system name to identify the router.
#
ppp mp user userb bind Virtual-Template 1 //Bind the remote user name userb to VT 1.
#
aaa
authentication-scheme system_a
domain system
authentication-scheme system_a
local-user userb@system password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
local-user userb@system privilege level 0
local-user userb@system service-type ppp //Configure the user name and password that the remote end uses when it is authenticated by the local end.
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user usera@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the user name and password that the local end uses when it is authenticated by the remote end. Set the authentication mode to CHAP.
ppp mp //Configure the serial interface to work in MP mode.
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user usera@system
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the user name and password that the local end uses when it is authenticated by the remote end. Set the authentication mode to CHAP.
ppp mp //Configure the serial interface to work in MP mode.
#
interface Virtual-Template1
ppp mp binding-mode authentication //Configure MP binding based on the remote user name.
ip address 10.10.10.10 255.255.255.252
#
return

Step 2 Configure RouterB. (Take V200R005C20 as an example.)


#
sysname RouterB //Set a system name to identify the router.
#
ppp mp user usera bind Virtual-Template 1 //Bind the remote user name usera to VT 1.
#
aaa
authentication-scheme system_b
domain system
authentication-scheme system_b
local-user usera@system password cipher %@%@wSj=##g9INJIZ$Ip'6f7;rd!%@%@
local-user usera@system privilege level 0
local-user usera@system service-type ppp //Configure the user name and password that the remote end uses when it is authenticated by the local end.
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user userb@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;ldS%@%@ //Configure the user name and password that the local end uses when it is authenticated by the remote end. Set the authentication mode to CHAP.
ppp mp
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user userb@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;mdS%@%@ //Configure the user name and password that the local end uses when it is authenticated by the remote end. Set the authentication mode to CHAP.
ppp mp
#
interface Virtual-Template1
ppp mp binding-mode authentication //Configure MP binding based on the remote user name.
ip address 10.10.10.11 255.255.255.252
#
return

Step 3 Verify the configuration.


# Run the display ppp mp command on RouterA to view MP binding information. The MP
group contains two serial interfaces.
# Run the display ppp mp command on RouterB to view MP binding information. The MP
group contains two serial interfaces.
# Ping RouterA from RouterB. RouterA can successfully ping RouterB.

----End

Configuration Notes
● The physical interfaces are successfully added to the MP group only after PPP
negotiation is complete. Therefore, restart all the physical interfaces in the MP group
after the configuration to trigger PPP negotiation.
● The local user name and password must be identical to the remote user name and
password for CHAP authentication.


5.20 Example for Configuring the Device as a PPPoE Client to Connect Device to the Internet
Applicability
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 5-20, all the hosts on the enterprise intranet connect to the same PPPoE
client, and the PPPoE client is connected to the Internet through a PPPoE server. Router is the
PPPoE client and authenticated by the PPPoE server.

Figure 5-20 Networking diagram for PPPoE client configuration

Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Create dialer rule 1.
#
acl 3002 //Configure an ACL.
rule 5 permit ip source 192.168.0.0 0.0.0.255
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Set the link layer protocol of the dialer interface to PPP.
ip address ppp-negotiate //Enable the interface to obtain an IP address after a successful PPP negotiation.
ppp chap user client //Configure the user name for PPPoE clients to use in CHAP authentication by the PPPoE server.
ppp chap password cipher %@%@VGZIW'r|aGrQ"v8`<pEP$7uH%@%@ //Configure the password for PPPoE clients to use in CHAP authentication by the PPPoE server.
dialer user server //Enable RS-DCC.
dialer bundle 1 //Apply dialer bundle 1 to the dialer interface.
dialer-group 1 //Add the dialer interface to dialer group 1.
nat outbound 3002 //Configure outbound NAT in Easy IP mode.
tcp adjust-mss 1200 //Set the maximum segment size (MSS) of TCP packets.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 //Enable the PPPoE client function on the Ethernet interface.
#
ip route-static 0.0.0.0 0 Dialer0 //Configure a static route to the PPPoE server, with Dialer0 as the outbound interface.

Step 2 Verify the configuration.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The command output shows that the PPPoE session status is Up and
the PPPoE client configuration is correct.

----End

Configuration Notes
● The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer bundle number in dialer bundle must be the same as the
dial-bundle-number value in pppoe-client.
● You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
● The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server.
● The PPPoE client function is enabled on the Ethernet interface. If you specify the
on-demand parameter, the on-demand dial-up mode is configured. After being
disconnected, the device can create a dial-up connection only when data needs to be
transmitted. If you do not specify the on-demand parameter, the automatic dial-up
mode is configured. After being disconnected, the device will automatically attempt to
create a dial-up connection at intervals.
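
The number-pairing rules in the Configuration Notes of sections 5.13 and 5.20 can be checked mechanically before a configuration is loaded. The Python script below is an added example, not Huawei code: the function names are hypothetical, and the sample is constructed from RouterA's commands in section 5.13 with a placeholder in place of the password ciphertext.

```python
import re

# Constructed sample: RouterA's client-side commands from section 5.13,
# with the CHAP password ciphertext replaced by a placeholder.
SAMPLE = """\
#
dialer-rule
dialer-rule 10 ip permit
#
interface Dialer16
link-protocol ppp
ppp chap user user2@system
ppp chap password cipher <ciphertext-placeholder>
ip address ppp-negotiate
dialer user user2@system
dialer bundle 14
dialer-group 10
#
interface Virtual-Ethernet0/0/0
pppoe-client dial-bundle-number 14
#
interface Atm1/0/0
pvc 30/90
map bridge Virtual-Ethernet0/0/0
#
ip route-static 0.0.0.0 0 Dialer16
"""


def parse(config_text):
    """Split a configuration into global dialer-rule numbers and per-interface commands."""
    rules, interfaces, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # "#" closes the current view
            current = None
            continue
        m = re.match(r"interface\s+(.*?)\s*(?://.*)?$", line)
        if m:                                  # normalise "serial 1/0/0" to "serial1/0/0"
            current = interfaces.setdefault(m.group(1).replace(" ", ""), [])
            continue
        m = re.match(r"dialer-rule\s+(\d+)\s", line)
        if m and current is None:              # rule definitions live outside interface views
            rules.add(int(m.group(1)))
        elif current is not None:
            current.append(line)
    return rules, interfaces


def first_int(commands, pattern):
    """Return the number captured by the first command matching pattern, or None."""
    for command in commands:
        m = re.match(pattern, command)
        if m:
            return int(m.group(1))
    return None


def lint(config_text):
    """Return a list of findings; an empty list means the pairings are consistent."""
    rules, interfaces = parse(config_text)
    findings, bundles = [], {}                 # bundles: bundle number -> dialer interface
    for name, commands in interfaces.items():
        if not name.lower().startswith("dialer"):
            continue
        group = first_int(commands, r"dialer-group\s+(\d+)")
        if group is not None and group not in rules:
            findings.append(f"{name}: dialer-group {group} has no matching dialer-rule")
        bundle = first_int(commands, r"dialer bundle\s+(\d+)")
        if bundle is not None:
            bundles[bundle] = name
    referenced = set()
    for name, commands in interfaces.items():
        number = first_int(commands, r"pppoe-client dial-bundle-number\s+(\d+)")
        if number is None:
            continue
        referenced.add(number)
        if number not in bundles:
            findings.append(f"{name}: dial-bundle-number {number} matches no dialer bundle")
    for bundle, name in bundles.items():
        if bundle not in referenced:
            findings.append(f"{name}: dialer bundle {bundle} is not referenced by any pppoe-client")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE) or "pairings are consistent")
```
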

5.21 Example for Configuring the Device as a PPPoE Client (IPv6) to Connect Device to the Internet
Applicability
This example applies to all versions and AR routers that support WAN interfaces.
Routers can be configured as IPv6 PPPoE clients but cannot be configured as IPv6 PPPoE
servers.

Networking Requirements
In Figure 5-21, the device functioning as a PPPoE client is connected to LAN users (hosts)
through a downlink interface GE1/0/0 and connected to the PPPoE server through an uplink
interface GE2/0/0.
It is expected that hosts share the same Internet account. During connection establishment,
hosts are authenticated by the PPPoE server through this account. After the authentication is
successful, a PPPoE session will be established. The following user requirements need to be
met:

● The device establishes an IPv6 connection with the PPPoE server through PPP
authentication.
● After the connection is disconnected, the device periodically attempts to set up a dial-up
connection again.

Figure 5-21 Device functioning as a PPPoE client

Configuration Roadmap
The configuration roadmap is as follows:
1. For Ethernet interface access, create a PPPoE session and bind it to
GigabitEthernet2/0/0.
2. Configure CHAP authentication on the dialer interface so that the device can establish a
connection with the PPPoE server through PPP authentication.
3. To enable the dialer interface to automatically obtain an IPv6 address, enable stateless
address autoconfiguration on the device. Enable the device to apply for IPv6 address
prefixes and allocate the prefixes to hosts.
4. Set the dial-up mode to automatic dial-up. This mode enables the device to periodically
attempt to set up a dial-up connection again after the connection is disconnected.

Procedure
Step 1 Enable the IPv6 function globally.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6

Step 2 Configure a dialer interface.


[Router] interface dialer 1
[Router-Dialer1] dialer user user2
[Router-Dialer1] dialer bundle 1
[Router-Dialer1] ppp chap user user1@system
[Router-Dialer1] ppp chap password cipher huawei123
[Router-Dialer1] ip address ppp-negotiate

Step 3 Enable the DHCPv6 client function and assign IPv6 address prefixes to hosts.
[Router-Dialer1] ipv6 enable // Enable the IPv6 function on the dialer interface.
[Router-Dialer1] ipv6 address auto link-local // Configure the device to automatically generate a link-local address for the interface.
[Router-Dialer1] ipv6 address auto global default // Enable the device to automatically generate an IPv6 global address through stateless autoconfiguration.
[Router-Dialer1] undo ipv6 nd ra halt // Enable the device to send RA messages.
[Router-Dialer1] dhcpv6 client pd Huawei // Configure the DHCPv6 PD client function.
[Router-Dialer1] quit

Step 4 Set up a PPPoE session.


[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] undo portswitch
[Router-GigabitEthernet2/0/0] pppoe-client dial-bundle-number 1
[Router-GigabitEthernet2/0/0] quit

Step 5 Verify the configuration.


● Run the display dhcpv6 client command on the PPPoE client to check whether the
client has obtained an IPv6 address.
● Check whether the PPPoE client can access the IPv6 network.

----End

Configuration Files
Configuration file of the PPPoE client
#
sysname Router
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ipv6 enable
ip address ppp-negotiate
dialer user user2
dialer bundle 1
ipv6 address auto link-local
ipv6 address auto global default
undo ipv6 nd ra halt
dhcpv6 client pd Huawei
#
interface GigabitEthernet2/0/0
undo portswitch
pppoe-client dial-bundle-number 1
#
return

Configuration Notes
● The authentication mode, IP address allocation mode, and IP address or IP address pool
of the PPPoE client need to be configured on the PPPoE server. The configuration
procedure varies based on the device that functions as the IPv6 PPPoE server. For
details, see the device documentation.
● The number specified in the dialer-rule command must be the same as that specified in
the dialer-group command. The number specified in the dialer bundle command must
be the same as dial-bundle-number specified in the pppoe-client command.
● You can define a user name using the dialer user command on a dialer interface. The
dialer user command enables only the resource-shared DCC (RS-DCC) function.
● IPv6 needs to be enabled globally before being enabled on an interface.
● The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server. The dialer interface must be Up.
● When enabling the PPPoE client function on an Ethernet interface, if you specify the
on-demand parameter, on-demand dial-up will be performed. After the connection is
disconnected, the device sets up a dial-up connection only when data needs to be
transmitted. If you do not specify the on-demand parameter, automatic dial-up will be
performed. After the connection is disconnected, the device periodically attempts to set
up a dial-up connection again.

5.22 Example for Configuring the Device as a PPPoE Server to Connect Users to the Internet
Applicability
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 5-22, hosts with PPPoE client installed on the enterprise intranet access
the Internet through the Router. The Router functions as the PPPoE server to perform local
authentication and allocates IP addresses to the hosts from an IP address pool.

Figure 5-22 Networking diagram for PPPoE server configuration

Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
ip pool pool2 //Create an IP address pool2.
gateway-list 192.168.10.1 //Configure the egress gateway IP address.
network 192.168.10.0 mask 255.255.255.0 //Configure the range of allocable IP
addresses in the address pool.
#
aaa //Configure local authentication.
local-user client password cipher %@%@N!}w4F\6;42P$A2'XqkP(Ix6%@%@ //Configure
the user name for PPPoE clients to use in authentication.
local-user client privilege level 0
local-user client service-type ppp //Set the service type of the PPPoE client
to PPP.
#
interface Virtual-Template1 //Create a virtual template (VT) interface and
enter the VT interface view.
ppp authentication-mode chap //Set the authentication mode for the PPPoE
client to CHAP.
remote address pool pool2 //Specify an IP address pool for the PPPoE client.
The PPPoE client will be allocated an IP address from the address pool.
ip address 192.168.10.1 255.255.255.0 //Assign an IP address to the VT
interface.
#
interface Ethernet1/0/0 //Enter the Ethernet interface view.
pppoe-server bind Virtual-Template 1 //Enable the PPPoE server function on the
Ethernet interface.
#

Step 2 Verify the configuration.


# Run the display pppoe-server session all command on the Router to display the PPPoE
session status and configurations. The command output shows that the PPPoE session status is
Up and the PPPoE server configuration is correct.

----End

Configuration Notes
After the PPPoE client is installed on all hosts and the client user names and passwords are
configured on the hosts, the hosts can use the PPPoE protocol to access the Internet through
the Router.

5.23 Example for Connecting the Router to the Internet Through the External ADSL Modem Using PPPoE
Specifications
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 5-23, a Router Ethernet interface connects to the ADSL modem and
the Router connects to the Internet using PPPoE.

Figure 5-23 Networking diagram for connecting the Router to the Internet through the
external ADSL modem

Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer ACL rule 1.
#
acl 2000 //Configure an ACL.
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol.
ip address ppp-negotiate //Configure the dialer interface to obtain an IP
address using PPP negotiation.
ppp chap user client //Configure the user name for CHAP authentication so that
the PPPoE server can authenticate the client.
ppp chap password cipher %@%@ZpL+=<'bp;#yW'<oAkQA)%b0%@%@ //Configure the
password for CHAP authentication so that the PPPoE server can authenticate the
client.
dialer user server //Configure RS-DCC.
dialer timer idle 300 //Set the link idle time.
dialer bundle 1 //Specify dialer bundle number 1.
dialer-group 1 //Configure dialer group 1 for the dialer interface.
nat outbound 2000 //Configure outbound NAT in Easy IP mode.
tcp adjust-mss 1200 //Set the maximum segment size (MSS) of TCP packets.

#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable PPPoE client.
#
ip route-static 0.0.0.0 0 Dialer0 //Configure Dialer0 as the outbound
interface of the default route.

Step 2 Verify the configuration.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The following information shows that the PPPoE session status is
Up and the session configuration is correct.

PPPoE Client Session:
ID   Bundle  Dialer  Intf       Client-MAC    Server-MAC    State
1    1       0       Eth2/0/0   00e0fc030201  0819a6cd0680  UP

----End

Configuration Notes
• The dialer rule numbers in dialer-rule and dialer-group must be the same. The dialer
bundle numbers in dialer bundle and pppoe-client dial-bundle-number must be the same.
• If the on-demand parameter is specified, run the dialer timer idle command to set the
link idle time on the dialer interface.
• You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
• If the public network can be connected but web pages cannot be opened after NAT is
performed, run the tcp adjust-mss command on the public network interface. For
PPPoE applications, the recommended maximum segment size (MSS) is 1200 bytes.
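
The numbering rules in the Configuration Notes of the two PPPoE client examples above (dialer-rule and dialer-group, dialer bundle and dial-bundle-number, on-demand and dialer timer idle) can be checked mechanically before a configuration is loaded. The following Python sketch is an added example, not part of the Huawei documentation; the function names and the sample text, which is constructed from the configuration above, are assumptions.

```python
import re

# Constructed input: the Router configuration from the ADSL example above with
# the manual's inline comments and the cipher string left out.
SAMPLE_OK = """\
#
dialer-rule
dialer-rule 1 ip permit
#
interface Dialer0
link-protocol ppp
ip address ppp-negotiate
dialer user server
dialer timer idle 300
dialer bundle 1
dialer-group 1
nat outbound 2000
#
interface Ethernet2/0/0
pppoe-client dial-bundle-number 1 on-demand
#
ip route-static 0.0.0.0 0 Dialer0
"""


def parse_sections(text):
    """Split a '#'-separated configuration into (header, body_lines) pairs."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append((current[0], current[1:]))
    return sections


def audit_dialer(text):
    """Return a list of findings for the dialer rules in the Configuration Notes."""
    rules, dialers, clients = set(), {}, []
    for header, body in parse_sections(text):
        if header == "dialer-rule":
            rules |= {int(m.group(1)) for l in body
                      if (m := re.match(r"dialer-rule (\d+) ", l))}
        elif header.lower().startswith("interface dialer"):
            info = {"group": None, "bundle": None, "idle": False}
            for l in body:
                if m := re.match(r"dialer-group (\d+)$", l):
                    info["group"] = int(m.group(1))
                elif m := re.match(r"dialer bundle (\d+)$", l):
                    info["bundle"] = int(m.group(1))
                elif l.startswith("dialer timer idle "):
                    info["idle"] = True
            dialers[header.split()[1]] = info
        elif header.lower().startswith("interface "):
            for l in body:
                if m := re.match(r"pppoe-client dial-bundle-number (\d+)(.*)$", l):
                    on_demand = "on-demand" in m.group(2).split()
                    clients.append((header.split()[1], int(m.group(1)), on_demand))

    findings = []
    for name, info in dialers.items():
        # dialer-group N on the dialer interface needs a dialer-rule N.
        if info["group"] is not None and info["group"] not in rules:
            findings.append(f"{name}: dialer-group {info['group']} has no dialer-rule {info['group']}")
    for intf, bundle, on_demand in clients:
        # dial-bundle-number on the Ethernet interface must equal a dialer bundle number.
        matched = [n for n, i in dialers.items() if i["bundle"] == bundle]
        if not matched:
            findings.append(f"{intf}: dial-bundle-number {bundle} matches no dialer bundle")
        for name in matched:
            # on-demand dial-up needs a link idle time on the dialer interface.
            if on_demand and not dialers[name]["idle"]:
                findings.append(f"{name}: on-demand dial-up without dialer timer idle")
    return findings


# Constructed broken variants of the same configuration.
BAD_GROUP_AND_TIMER = (SAMPLE_OK.replace("dialer-group 1", "dialer-group 2")
                       .replace("dialer timer idle 300\n", ""))
BAD_BUNDLE = SAMPLE_OK.replace("dial-bundle-number 1", "dial-bundle-number 3")

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad 1", BAD_GROUP_AND_TIMER), ("bad 2", BAD_BUNDLE)):
        print(label, audit_dialer(cfg))
```

The parser expects configuration text without the manual's inline // comments, as a saved configuration file would be.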

5.24 Example for Connecting the Router to the PSTN Through a Modem (in C-DCC Mode)
Applicability
This example applies to V200R001C01 and later versions and all AR routers.

Networking Requirements
As shown in Figure 5-24, RouterA and RouterB are connected through the PSTN. Circular-
DCC (C-DCC) is configured on the routers to allow the routers to dial to each other using the
modems.

Figure 5-24 Networking for connecting the router to the PSTN through a modem in C-DCC
mode

Procedure
Step 1 Configure RouterA.
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
interface Async2/0/0 //Enter the view of Async2/0/0.
link-protocol ppp //Set the link layer protocol of Async2/0/0 to PPP.
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Async2/0/0.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add Async2/0/0 to dialer group 1.
dialer number 600152 //Configure the dial number used to call the remote end.
#
user-interface tty 9 //Enter the user interface view.
modem both //Grant the call-in and call-out permissions to the modem.
modem auto-answer //Configure the modem to work in auto-answer mode.
#
ip route-static 20.1.1.1 255.255.255.255 Async2/0/0 //Configure a static route
to the remote end.
#

Step 2 Configure RouterB.


#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
interface Async2/0/0 //Enter the view of Async2/0/0.
link-protocol ppp //Set the link layer protocol of Async2/0/0 to PPP.
ip address 20.1.1.1 255.255.255.0 //Assign an IP address to Async2/0/0.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add Async2/0/0 to dialer group 1.
dialer number 600151 //Configure the dialer number used to call the remote end.
#
user-interface tty 9 //Enter the user interface view.
shell //In V200R007C00 and later versions, terminal services are disabled on
the TTY user interface. You need to run this command to enable terminal services
for the TTY user interface.
modem both //Grant the call-in and call-out permissions to the modem.
modem auto-answer //Configure the modem to work in auto-answer mode.
#
ip route-static 10.1.1.1 255.255.255.255 Async2/0/0 //Configure a static route
to the remote end.
#

Step 3 Verify the configuration.


# Run the display user-interface command to view the TTY user interface number
corresponding to a physical interface.
# RouterA and RouterB can dial to each other using the modems.
----End

Configuration Notes
• The Async interfaces on the local and remote ends must have the same physical
attributes and link-layer attributes. It is recommended that the routers retain the default
settings. When the Async interfaces work in the flow mode, the link layer protocol
cannot be set to PPP.
• The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group.
• To allow both incoming and outgoing calls, run the modem both command in the user
interface view.
• There are two modem answer modes: auto-answer and non-auto answer. If the AA
indicator of a modem is on, the modem works in auto-answer mode. The modem answer
mode configured on the router must be the same as the answer mode of the modem
connecting to the router's asynchronous serial interface.
– If the modem works in auto-answer mode, run the modem auto-answer command
before using the dialing function.
– If the modem works in non-auto answer mode, run the undo modem auto-answer
command.

5.25 Example for Connecting the Router to the ISDN Through the ISDN PRI Interface (in RS-DCC Mode)
Applicability
This example applies to all versions of AR routers.

Networking Requirements
As shown in Figure 5-25, RouterA and RouterB are connected through the ISDN. The routers
have resource-shared DCC (RS-DCC) configured and authenticate each other using CHAP.

Figure 5-25 Networking for connecting the router to the ISDN through the ISDN PRI
interface in RS-DCC mode

Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
aaa //Configure local authentication.
local-user userb password cipher %@%@N!}w4F\6;42P$A2'XqkP(Ix6%@%@ //Configure
the local user name and password.
local-user userb privilege level 0
local-user userb service-type ppp //Set the service type of the local user to
PPP.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Set the link layer protocol of the dialer interface to PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user usera //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the
password used for CHAP authentication.
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the dialer
interface.
dialer user userb //Enable RS-DCC and configure the user name for the remote
end.
dialer bundle 1 //Apply dialer bundle 1 to the dialer interface.
dialer number 660210 //Configure the dialer number used to call the remote end.
dialer-group 1 //Add the dialer interface to dialer group 1.
#
controller E1 1/0/0 //Configure an ISDN PRI interface.
pri-set
#
interface Serial1/0/0:15 //Enter the ISDN PRI interface view.
link-protocol ppp //Set the link layer protocol of the ISDN PRI interface to
PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user usera //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the
password used for CHAP authentication.
dialer bundle-member 1 //Apply dialer bundle 1 to the ISDN PRI interface.
#

Step 2 Configure RouterB. (Take V200R005C20 as an example.)


#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
aaa //Configure local authentication.
local-user usera password cipher %@%@N!}w5F\6;42P$A2'XqkP(Ix6%@%@ //Configure
the local user name and password.
local-user usera privilege level 0
local-user usera service-type ppp //Set the service type of the local user to
PPP.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Set the link layer protocol of the dialer interface to PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user userb //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;ldS%@%@ //Configure the
password used for CHAP authentication.
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the dialer
interface.
dialer user usera //Enable RS-DCC and configure the user name for the remote
end.
dialer bundle 1 //Apply dialer bundle 1 to the dialer interface.
dialer number 660220 //Configure the dialer number used to call the remote end.
dialer-group 1 //Add the dialer interface to dialer group 1.
#
controller E1 1/0/0 //Configure an ISDN PRI interface.
pri-set
#
interface Serial1/0/0:15 //Enter the ISDN PRI interface view.
link-protocol ppp //Set the link layer protocol of the ISDN PRI interface to
PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user userb //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;mdS%@%@ //Configure the
password used for CHAP authentication.
dialer bundle-member 1 //Apply dialer bundle 1 to the ISDN PRI interface.
#

Step 3 Verify the configuration.

# RouterA and RouterB can communicate with each other using the ISDN and authenticate
each other.

----End

Configuration Notes
• The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer bundle number in dialer bundle must be the same as the dialer
bundle number in dialer bundle-member.
• It is recommended that PAP or CHAP authentication be configured on the physical and
dialer interfaces of the local and remote ends.
• When PPP encapsulation is enabled on a dialer interface, run the dialer user command
to configure the user name for the remote end. The local end compares the configured
remote end user name with the user name obtained through PPP authentication to
determine the dialer interface accepting the call.

5.26 Example for Configuring HDLC to Implement Interconnections
Applicability
This example applies to all versions of AR routers.

Networking Requirements
RouterA and RouterB use the High-level Data Link Control (HDLC) protocol to
communicate with each other.

Figure 5-26 Networking diagram for HDLC configuration

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface Serial1/0/0
link-protocol hdlc
ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface Serial1/0/0
link-protocol hdlc
ip address 10.1.1.2 255.255.255.0
#
return

Step 3 Verify the configuration.


# Run the display interface serial 1/0/0 command on RouterA to view interface status. The
physical layer status and link layer status of the interface are Up.
# RouterA and RouterB can successfully ping each other.

----End

Configuration Notes
• The IP addresses of RouterA and RouterB must be in the same network segment;
otherwise, RouterA and RouterB cannot communicate with each other.

6 Using VPN to Implement WAN Interconnection

6.1 L2TP
6.2 GRE
6.3 DSVPN
6.4 IPSec
6.5 BGP/MPLS IP VPN
6.6 VLL
6.7 PWE3

6.1 L2TP

6.1.1 Example for Configuring L2TP to Implement Communication Between the Headquarters and Users in Different Domains of the Branch

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-1, users on enterprise branches LAN1 and LAN2 connect to the LAC
using PPPoE and initiate connections with enterprise headquarters LAN3.

Two domains are configured on the LAC: aaa.com and bbb.com. Users in the domain aaa.com
are located on the network segment 10.1.1.0/24 and users in the domain bbb.com are located
on the network segment 10.2.1.0/24.

There is a reachable route from the LNS to the LAC and a tunnel is set up between the LNS
and the LAC. After access users are authenticated, the LNS allocates IP addresses and
gateway addresses to the access users.

Figure 6-1 Networking diagram of multi-domain access

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa
authentication-scheme lmt
domain aaa.com
authentication-scheme lmt
domain bbb.com
authentication-scheme lmt
local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
local-user user1@aaa.com service-type ppp
local-user user1@aaa.com privilege level 0
local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
local-user user2@bbb.com privilege level 0
local-user user2@bbb.com service-type ppp //Configure local user names and
passwords on the PPPoE server.
#
interface Virtual-Template1 //Create a virtual template interface VT1 and set
parameters for the PPPoE server.
ppp authentication-mode chap //Set the authentication mode to CHAP.
#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1 //Enable PPPoE server on the interface,
import parameters configured on VT1, and authenticate dialup users.
#
interface GigabitEthernet3/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set parameters for L2TP setup.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@ //Enable tunnel
authentication, and set the cipher password to huawei, which is the same as that
on the peer device.
tunnel name lac1 //Set the tunnel name to lac1, which is identified by the peer
LNS.
start l2tp ip 202.1.1.1 domain aaa.com //Initiate L2TP tunnel setup to the peer
device. This example assumes that the domain name of access users is aaa.com.
#
l2tp-group 2
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lac2
start l2tp ip 202.1.1.1 domain bbb.com
#

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable
#
ip pool 1 //Create IP address pool 1 from which IP addresses are allocated to
access users.
gateway-list 10.1.1.1 //Configure the gateway address.
network 10.1.1.0 mask 255.255.255.0 //Specify the IP address range.
#
ip pool 2
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa
local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
local-user user1@aaa.com privilege level 0
local-user user1@aaa.com service-type ppp
local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
local-user user2@bbb.com privilege level 0
local-user user2@bbb.com service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool 1 //Import the IP address pool. The PPPoE server then
allocates IP addresses from the IP address pool to the authenticated users.
ip address 10.1.1.1 255.255.255.0 //Configure the gateway address for the
address pool.
#
interface Virtual-Template2
ppp authentication-mode chap
remote address pool 2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote lac1 //Specify the name of the remote end
of the tunnel and the virtual template used by the remote end.
tunnel password cipher %@%@eS*)0t-0D!,~pa;IPll=3liC%@%@
tunnel name lns
#
l2tp-group 2
allow l2tp virtual-template 2 remote lac2
tunnel password cipher %@%@Cyor,=OAk#tWwA;%2\!W3lwj%@%@
tunnel name lns
#

Step 3 Verify the configuration.


# Run the display l2tp session command on the LNS. You can see that two sessions are set
up.
# PC1 and PC2 can ping PC3 successfully.

----End

Configuration Notes
• An L2TP group is created for each domain and different L2TP groups have different
tunnel names.
• An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
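
The LAC and LNS configurations above depend on each other: each LAC tunnel name must be the remote name an LNS group allows, the start l2tp address must be an LNS interface address, and the virtual template the LNS group references must carry an authentication mode and an existing address pool. The following Python sketch cross-checks a LAC/LNS pair; it is an added example, not part of the Huawei documentation, and the function names and the sample text (constructed from the configurations above) are assumptions.

```python
import re

# Constructed inputs: the L2TP-related parts of the LAC and LNS configurations
# above, with inline comments removed and cipher strings shown as <cipher>.
LAC = """\
l2tp-group 1
tunnel password cipher <cipher>
tunnel name lac1
start l2tp ip 202.1.1.1 domain aaa.com
#
l2tp-group 2
tunnel password cipher <cipher>
tunnel name lac2
start l2tp ip 202.1.1.1 domain bbb.com
"""

LNS = """\
ip pool 1
network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
network 10.2.1.0 mask 255.255.255.0
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template2
ppp authentication-mode chap
remote address pool 2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
#
l2tp-group 1
allow l2tp virtual-template 1 remote lac1
tunnel password cipher <cipher>
tunnel name lns
#
l2tp-group 2
allow l2tp virtual-template 2 remote lac2
tunnel password cipher <cipher>
tunnel name lns
"""


def blocks(text):
    """Map each '#'-separated block's first line to its remaining lines."""
    out = {}
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out


def first(pattern, lines):
    """Return the first match of pattern among lines, or None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def check_l2tp_pair(lac, lns):
    """Cross-check LAC l2tp-groups against the LNS; return a list of findings."""
    lns_cfg, findings, seen = blocks(lns), [], set()
    lns_addrs = {m.group(1) for b in lns_cfg.values() if (m := first(r"ip address (\S+) \S+$", b))}
    allowed = {}                      # remote tunnel name -> (VT number, LNS group body)
    for header, body in lns_cfg.items():
        m = first(r"allow l2tp virtual-template (\d+) remote (\S+)$", body)
        if header.startswith("l2tp-group ") and m:
            allowed[m.group(2)] = (m.group(1), body)
    for header, body in blocks(lac).items():
        name, start = first(r"tunnel name (\S+)$", body), first(r"start l2tp ip (\S+) ", body)
        if not header.startswith("l2tp-group ") or not (name and start):
            continue
        tunnel, target = name.group(1), start.group(1)
        if tunnel in seen:
            findings.append(f"{header}: tunnel name {tunnel} is used by another group")
        seen.add(tunnel)
        if target not in lns_addrs:
            findings.append(f"{header}: {target} is not an LNS interface address")
        if tunnel not in allowed:
            findings.append(f"{header}: no LNS group allows remote {tunnel}")
            continue
        vt, lns_body = allowed[tunnel]
        # The cipher strings printed for the two ends differ on this page although the
        # password is the same, so only the presence of a tunnel password is compared.
        if bool(first(r"tunnel password ", body)) != bool(first(r"tunnel password ", lns_body)):
            findings.append(f"{header}: tunnel password set on one end only")
        vt_body = lns_cfg.get(f"interface Virtual-Template{vt}", [])
        pool = first(r"remote address pool (\S+)$", vt_body)
        if not first(r"ppp authentication-mode ", vt_body):
            findings.append(f"{header}: Virtual-Template{vt} has no PPP authentication mode")
        if not pool or f"ip pool {pool.group(1)}" not in lns_cfg:
            findings.append(f"{header}: Virtual-Template{vt} has no usable address pool")
    return findings
```

Calling check_l2tp_pair(LAC, LNS) on the sample returns an empty list; renaming a tunnel or removing a pool on one side produces a finding that names the affected LAC group.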

6.1.2 Example for Configuring L2TP to Implement Communication Between the Headquarters and Branches and IPSec to Encrypt Data Transmitted Between the Headquarters Servers and Branches
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-2, an enterprise has some branches located in other cities, and the
branches use the Ethernet network.
The enterprise requires that the headquarters should provide VPDN services for branch users,
so that the branch users can access the headquarters network. When branch users access
intranet servers on the headquarters network, data should be encrypted to prevent data leaks.
To meet these requirements, you can configure the LAC to initiate an L2TP connection
request to the LNS. Then you can configure IPSec to protect data exchanged between branch
users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between
the LAC and LNS.

Figure 6-2 IPSec over L2TP networking

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
remote-address 10.4.1.1 //Specify an IP address for the remote IPSec interface.
#
ipsec policy lac 1 isakmp //Create an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp chap user huawei //Set the user name of a virtual PPP user to huawei.
ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@ //Set the password of
the virtual PPP user to Huawei@1234.
ip address ppp-negotiate //Configure IP address negotiation.
l2tp-auto-client enable //Enable the virtual PPP user to initiate an L2TP
connection request.
ipsec policy lac //Apply an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
tunnel password cipher %@%@7v&1O#yr\#gl]w=Rk^uY:>@"%@%@ //Enable tunnel
authentication and set the cipher-text password to huawei, which is the same as
the password specified on the remote device.
tunnel name lac
start l2tp ip 1.1.2.1 fullusername huawei
#
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1 //Configure a
static route.
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa //Create a local user and set the user name and password to huawei and
Huawei@1234.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.4.1.2 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
allow l2tp virtual-template 1 remote lac
tunnel password cipher %@%@FN15@5D_BGc=v"2~0=iJ,b+H%@%@ //Enable tunnel
authentication and set the cipher-text password to huawei, which is the same as
the password specified on the remote device.
tunnel name lns
#
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1 //Configure a static
route.
ip route-static 10.3.1.0 255.255.255.0 10.4.1.1
#
return

Step 3 Configure Router_1.


#
sysname Router_1
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal lac1 //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac1 v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
#
ipsec policy-template temp 1 //Apply the IPSec policy template.
security acl 3000
ike-peer lac1
proposal lac1
#
ipsec policy lac1 1 isakmp template temp //Configure an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 10.4.1.1 255.255.255.0
ipsec policy lac1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 10.4.1.2 //Configure a static route.
ip route-static 10.2.1.0 255.255.255.0 10.4.1.2
#
return

Step 4 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP
tunnel and a session numbered 1 have been established.
# Run the display ike sa command on the LAC or Router_1. In the command output, Flag(s)
is displayed as RD, indicating that an SA has been established successfully; Phase is
displayed as 1 and 2.
# The headquarters and branch can ping each other.

----End

Configuration Notes
• The LAC and LNS must use the same user name and password.
• On the LAC, the IPSec policy must be bound to the VT1 interface.
• When you configure a static route on the LAC, the outbound interface in the route
destined to the headquarters network segment must be the VT1 interface.
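
In this example the LAC and Router_1 are the two IPSec ends: their ACL 3000 rules describe the same traffic in opposite directions and their proposals use the same ESP algorithms. The following Python sketch checks both properties for a pair of configurations; it is an added example, not part of the Huawei documentation. The function names are assumptions, the sample text is constructed from the configurations above, and the check assumes the usual IPSec requirement that every flow the initiator protects is, when reversed, covered by a rule on the responder.

```python
import ipaddress
import re

# Constructed inputs: the ACL and IPSec proposal lines of the LAC and Router_1
# configurations in this example, with inline comments removed.
LAC_CFG = """\
acl number 3000
rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
"""

ROUTER1_CFG = """\
acl number 3000
rule 0 permit ip source 10.3.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal lac1
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
"""

RULE_RE = re.compile(
    r"^\s*rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)\s*$", re.M)
ESP_RE = re.compile(r"^\s*esp (authentication|encryption)-algorithm (\S+)\s*$", re.M)


def to_network(addr, wildcard):
    """Convert an address and wildcard mask ('0' means a single host) to a network."""
    bits = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # the wildcard must be a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - bin(bits).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def flows(cfg):
    """Return the (source, destination) networks permitted by the ACL rules."""
    return [(to_network(s, sw), to_network(d, dw))
            for s, sw, d, dw in RULE_RE.findall(cfg)]


def check_ipsec_pair(initiator, responder):
    """Return findings where the two ends disagree on protected flows or ESP algorithms."""
    findings = []
    responder_flows = flows(responder)
    for src, dst in flows(initiator):
        # Reverse the initiator's flow and look for a responder rule that covers it.
        covered = any(dst.subnet_of(r_src) and src.subnet_of(r_dst)
                      for r_src, r_dst in responder_flows)
        if not covered:
            findings.append(f"no responder rule covers {dst} -> {src}")
    a, b = dict(ESP_RE.findall(initiator)), dict(ESP_RE.findall(responder))
    for kind in ("authentication", "encryption"):
        if a.get(kind) != b.get(kind):
            findings.append(f"esp {kind}-algorithm differs: {a.get(kind)} vs {b.get(kind)}")
    return findings


if __name__ == "__main__":
    print(check_ipsec_pair(LAC_CFG, ROUTER1_CFG))
```

The to_network helper also accepts the single-host form with wildcard 0, so host-to-host ACL rules can be checked the same way.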

6.1.3 Example for Configuring L2TP over IPSec to Implement Secure Communication Between the Branch and Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-3, users connect to the LNS to access the headquarters network through
the LAC. Data exchanged between the LAC and LNS is encrypted by IPSec.

Figure 6-3 Networking diagram of L2TP over IPSec

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 12.1.1.2 0 destination 12.1.1.1 0 //Configure an ACL
rule to define the source and destination IP addresses.
#
ipsec proposal lac //Configure an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 12.1.1.1 //Configure the WAN-side interface address as the
remote address.
#
ipsec policy lac 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side
interface.
ip address 12.1.1.2 255.255.255.0
ipsec policy lac //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side
interface.
ip address 192.168.1.1 255.255.255.0
#
interface Virtual-Template1 //Configure the user name and password,
authentication mode, and IP address for the virtual PPP user.
ppp chap user huawei
ppp chap password cipher
ip address ppp-negotiate //Configure an interface to obtain an IP address
through PPP negotiation.
l2tp-auto-client enable //Enable a virtual PPP user on the LAC to initiate an
L2TP tunnel.
#
l2tp-group 1 //Configure an L2TP group and set attributes.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@ //Enable tunnel
authentication, and set the cipher password to huawei, which is the same as that
on the peer device.
tunnel name LAC
start l2tp ip 12.1.1.1 fullusername huawei
#
ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1 //Configure a static
route.
#
return

Step 2 Configure the LNS.


#
sysname LNS

Issue V3.2 (2019-08-02) Copyright © Huawei Technologies Co., Ltd. 152


Huawei AR Series Access Routers
CLI-based Typical Configuration Examples 6 Using VPN to Implement WAN Interconnection

#
l2tp enable
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 12.1.1.1 0 destination 12.1.1.2 0
#
ipsec proposal lns //Configure an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lns v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
//In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ].
//In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }.
//By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond.
//To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the pre-shared key used for authentication as huawei, in cipher text.
//In V2R3C00 and earlier versions, this command is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 12.1.1.2
#
ipsec policy lns 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer lns
proposal lns
#
ip pool 1 //Configure an IP address pool.
gateway-list 13.1.1.1
network 13.1.1.0 mask 255.255.255.0
#
aaa //Configure a local user.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Configure a virtual template interface, and configure the authentication mode, IP address, and interface address pool.
ppp authentication-mode chap
remote address pool 1
ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side interface.
ip address 12.1.1.1 255.255.255.0
ipsec policy lns //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side interface.
ip address 192.168.0.1 255.255.255.0
#
l2tp-group 1 //Configure an L2TP group and set attributes.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGSK'J}kG])REK]_-o%@%@ //Enable tunnel authentication, and set the cipher password to huawei, which is the same as that on the peer device.
tunnel name LNS
#
ip route-static 192.168.1.0 255.255.255.0 Virtual-Template1 //Configure a static route.
#
return

Step 3 Verify the configuration.

# Run the display ike sa command on the LAC or LNS to view SA setup.

# Run the dis l2tp session command on the LAC or LNS to view L2TP session setup.

# The LAC and LNS can successfully ping each other.

----End

Configuration Notes
● The LAC and LNS must use the same user name and password.
● The IPSec policy is bound to the external network interface. Packets are encapsulated
  with the L2TP header, and then the IPSec header.

6.1.4 Example for Configuring an L2TP Tunnel for Remote Dial-Up Users to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-4, traveling employees change location frequently and need to
communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network, and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users. In this
example, the PC runs the Windows 7 operating system.

After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resources after successful dialup, configure NAT
on the LNS.

Figure 6-4 Networking for configuring remote dialup users to connect to the external network
through the L2TP tunnel


Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set parameters for creating an L2TP tunnel.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure Windows 7.


# Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run and enter regedit to open the Registry Editor. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\, open the Parameters key,
create a DWORD value named ProhibitIpSec, and set its value to 1. Restart the PC after
modifying the registry.


# Create an L2TP network connection.


Choose Start > Run > Network and Sharing Center, click Set Up a Connection or
Network, choose Connect to a workplace, and click Next.


Click Use my Internet connection (VPN).

Enter an Internet address which is the IP address of the LNS (202.1.1.1), enter a destination
name (for example, L2TP) as the network connection name, select Don't connect now; just
set it up so I can connect later, and click Next. You can customize a destination name.


Enter the user name huawei and password Huawei@1234 and click Create.

NOTE

You do not need to set the domain.

Click Close.


# Set authentication parameters for the L2TP connection.


Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP and choose Properties to set
connection parameters.
You do not need to modify parameters on the General tab.


Select Display progress while connecting and Prompt for name and password, certificate,
etc. on the Options tab.

NOTE

Do not change the parameters that are displayed after you click PPP Settings.


On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec for Type
of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication Protocol
[CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow these protocols.

NOTE

If you click Advanced settings, a dialog box is displayed on which you can set the IPSec pre-shared
key. Do not set the IPSec pre-shared key here.


You do not need to modify settings on the Networking and Sharing tabs.
Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP, enter the user name and password,
and click Connect.


Step 3 Verify the configuration.

# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.

----End

Configuration Notes

Note the following points:

● Enterprise users connect to the enterprise network from PCs, so tunnel authentication
  cannot be configured.
● Add the network segment where employees requiring Internet access are located to an
  ACL and perform NAT.
● To ensure that employees can use domain names to access external resources, configure
  the LNS IP address as the DNS server IP address on the virtual template interface.


6.1.5 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the Authentication Domain (Windows XP)
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-5, traveling employees change location frequently and need to
communicate with the headquarters at any time. L2TP is deployed on the enterprise
network, and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
the Windows XP operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resources after successful dialup, configure NAT
on the LNS.

Figure 6-5 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure Windows XP.


1. Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run, enter regedit, and find the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters key. Right-click
Parameters and choose Create. In the dialog box that is displayed, click DWORD (32
bit) Value. In the dialog box that is displayed, set Value name to ProhibitIpSec and
Value data to 1. Restart the PC after the modification is complete.


2. Create an L2TP network connection.


a. Access Network Connections, click Create a new connection to display New
Connection Wizard, and click Next.

b. Select Connect to the network at my workplace, and click Next.

c. Select Virtual Private Network connection and click Next.


d. Fill in the company name as the connection name. For example, fill in L2TP and
click Next.

e. Fill in the IP address 202.1.1.1 and click Next.


f. Select My use only and click Next.

g. Click Finish. The Connect L2TP page is displayed.


3. Configure authentication parameters for the L2TP connection.


a. Click L2TP Properties to configure parameters for the connection.

Do not change parameters on the General and Options tab pages.


b. Click the Security tab page, select Advanced (custom settings), and click
Settings.
NOTE

If you click IPSec Settings on the page, the IPSec Settings page is displayed for you to set a
pre-shared key for authentication. Do not set a pre-shared key here.


Select the following items for Allow these protocols.


c. Click Networking, and set Type of VPN to the default Auto or L2TP IPSec VPN.
Do not change any configurations on the Advanced tab page.


d. On the Network Connections page, double-click L2TP you have created, enter a
user name and password, and click Connect.


Step 3 Verify the configuration.


# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.

----End

Configuration Notes
● Enterprise users connect to the enterprise network from PCs, so tunnel authentication
  cannot be configured.
● Add the network segment where employees requiring Internet access are located to an
  ACL and perform NAT.
● To ensure that employees can use domain names to access external resources, configure
  the LNS IP address as the DNS server IP address on the virtual template interface.

6.1.6 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the Authentication Domain (Windows 7)

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-6, traveling employees change location frequently and need to
communicate with the headquarters at any time. L2TP is deployed on the enterprise
network, and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
the Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resources after successful dialup, configure NAT
on the LNS.

Figure 6-6 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain


Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure authentication with domain names.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure Windows 7.


1. Modify the Windows registry and disable the digital certificate authentication function.
Choose Start > Run, enter regedit, and find the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters key. Right-click
Parameters and choose Create. In the dialog box that is displayed, click DWORD (32
bit) Value. In the dialog box that is displayed, set Value name to ProhibitIpSec and
Value data to 1. Restart the PC after the modification is complete.


2. Create an L2TP network connection.


a. Choose Start > Run > Network and Sharing Center, click Set Up a Connection
or Network, choose Connect to a workplace, and click Next.


b. Click Use my Internet connection (VPN).

c. Set Internet address to 202.1.1.1 (the IP address of the LNS) and Destination
name such as L2TP. The destination name is used as the network connection name.
Select Don't connect now; just set it up so I can connect later and then click
Next.

d. Enter the user name 123456789@huawei.com and password Huawei@1234 and click Create.
NOTE

You do not need to set the domain.


e. Click Close.

3. Set authentication parameters for the L2TP connection.


a. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP and choose
Properties to set connection parameters.
You do not need to modify parameters on the General tab.


b. Select Display progress while connecting and Prompt for name and password,
certificate, etc. on the Options tab.
NOTE

Do not change the parameters that are displayed after you click PPP Settings.


c. On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec
for Type of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication
Protocol [CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow
these protocols.
NOTE

If you click Advanced settings, a dialog box is displayed on which you can set the IPSec
pre-shared key. Do not set the IPSec pre-shared key here.


You do not need to modify settings on the Networking and Sharing tabs.
d. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP, enter the
user name and password, and click Connect.


Step 3 Verify the configuration.


# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.

----End

Configuration Notes
● Enterprise users connect to the enterprise network from PCs, so tunnel authentication
  cannot be configured.
● Add the network segment where employees requiring Internet access are located to an
  ACL and perform NAT.
● To ensure that employees can use domain names to access external resources, configure
  the LNS IP address as the DNS server IP address on the virtual template interface.

6.1.7 Example for Establishing an L2TP Tunnel Between a Remote Dialup User and the Headquarters Based on the Authentication Domain (VPN Client)
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-7, traveling employees change location frequently and need to
communicate with the headquarters at any time. L2TP is deployed on the enterprise
network, and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the VPN client
is installed on the PC.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resources after successful dialup, configure NAT
on the LNS.

Figure 6-7 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure the authentication mode and specify the domain name.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure the VPN client.


1. Create an L2TP network connection.
a. Double-click HUAWEI VPN Client to start the program and then click New. The
New Connection Wizard page is displayed.

b. Select Create a new connection by inputting parameters and click Next.


c. Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.

d. Set Authentication Mode to CHAP and click Next.


NOTE

If the tunnel name is required, set Tunnel Name.


If tunnel authentication is required, select Enable Tunnel Authentication and set Tunnel
Authentication Password.


e. Set The name is to the VPN connection name such as L2TP and click Finished.

2. Modify L2TP connection parameters.


a. After creating an L2TP connection, select the connection to be modified. L2TP is
taken as an example.
Select L2TP and click Property. The L2TP Properties page is displayed.


b. Click the Basic Settings tab page and modify the user name and password based on
the actual situation.

c. Do not modify the parameters on the L2TP Settings tab page if configurations on
the LNS are not modified. The parameters must be the same as those on the LNS.


d. In HUAWEI VPN Client, select the created L2TP and click Connect.

Step 3 Verify the configuration.


# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.

----End

Configuration Notes
● Add the network segment where employees requiring Internet access are located to an
  ACL and perform NAT.
● To ensure that employees can use domain names to access external resources, configure
  the LNS IP address as the DNS server IP address on the virtual template interface.
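
The LNS configurations in sections 6.1.4 to 6.1.7 disable tunnel authentication and bind no IPSec policy to the WAN interface, so the L2TP tunnel and the PPP CHAP exchange cross the Internet without encryption. The Python audit below is an added example, not part of the Huawei document: the function names and check identifiers are hypothetical, the sample is the 6.1.4 LNS configuration abridged to the views the audit reads, and the input is assumed to carry the one-space indentation that the device prints for sub-commands.

```python
"""Audit a Huawei VRP-style LNS configuration for unprotected L2TP settings."""

# Constructed sample: the LNS configuration of section 6.1.4, abridged to the
# views the audit reads, with sub-commands indented by one space (assumption
# about the on-device layout).
LNS_DIALUP = """\
#
sysname LNS
#
l2tp enable
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001
#
interface Virtual-Template1
 ppp authentication-mode chap
 remote address pool lns
 ppp ipcp dns 10.10.10.10
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
"""

# Constructed variant for comparison: an IPSec policy is bound to the WAN
# interface (policy name "xp" borrowed from section 6.1.8, definition omitted)
# and tunnel authentication stays enabled. <ciphertext> is a placeholder.
LNS_PROTECTED = (
    LNS_DIALUP
    .replace(" nat outbound 2001\n", " nat outbound 2001\n ipsec policy xp\n")
    .replace(" undo tunnel authentication\n", " tunnel password cipher <ciphertext>\n")
)


def parse_sections(config):
    """Split a configuration into (view header, [sub-commands]) pairs."""
    sections = []
    for line in config.splitlines():
        text = line.strip()
        if text in ("", "#", "return"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(text)   # indented: belongs to the open view
        else:
            sections.append((text, []))    # unindented: new view or global command
    return sections


def audit(config):
    """Return (check id, config line, reason) findings for one device."""
    sections = parse_sections(config)
    findings = []

    l2tp_enabled = any(header == "l2tp enable" for header, _ in sections)
    ipsec_bound = any(
        header.startswith("interface ")
        and any(cmd.startswith("ipsec policy ") for cmd in cmds)
        for header, cmds in sections
    )
    if l2tp_enabled and not ipsec_bound:
        findings.append(("L2TP-NO-IPSEC", "l2tp enable",
                         "no interface has an IPSec policy bound, so L2TP and "
                         "the PPP authentication exchange are not encrypted"))

    for header, cmds in sections:
        if header.startswith("l2tp-group ") and "undo tunnel authentication" in cmds:
            findings.append(("L2TP-NO-TUNNEL-AUTH", header,
                             "tunnel endpoints are not authenticated; only PPP "
                             "user authentication remains"))
        if header.startswith("interface Virtual-Template"):
            for cmd in cmds:
                words = cmd.split()
                if words[:2] == ["ppp", "authentication-mode"] and "pap" in words[2:]:
                    findings.append(("PPP-PAP", cmd,
                                     "PAP sends the password in clear text"))
        if header.startswith("ike peer "):
            aggressive = "exchange-mode aggressive" in cmds
            psk = any(cmd.startswith("pre-shared-key") for cmd in cmds)
            if aggressive and psk:
                findings.append(("IKE-AGGRESSIVE-PSK", header,
                                 "aggressive mode does not protect peer identities; "
                                 "use main mode or IKEv2 where the version allows"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("6.1.4 dial-up LNS", LNS_DIALUP),
                      ("constructed variant", LNS_PROTECTED)):
        print(name)
        for check, where, why in audit(cfg) or [("OK", "-", "no findings")]:
            print(f"  {check:20} {where:28} {why}")
```
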

6.1.8 Example for Configuring L2TP over IPSec for Remote Dial-
Up Users to Traverse NAT Devices and Connect to the
Headquarters over the Internet

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-8, traveling employees change location frequently and need to
communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network, and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users.

Traveling employees connect to the Internet through the NAT device. Traffic sent from
traveling employees to the headquarters needs to be encapsulated through IPSec to ensure
security. In addition, the LNS functions as the gateway and has the firewall service deployed.

NAT traversal in L2TP over IPSec can be configured to meet these requirements. Because the
L2TP over IPSec configuration on the PC is complex and requires changes to settings such as
the registry and services, the Huawei dialup software Secoway VPN Client is used on the PC.
You can visit http://support.huawei.com to obtain the software version.

Figure 6-8 Networking of NAT traversal in L2TP over IPSec


Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ike local-name xp //Use the local name for IKE negotiation. The local name must be used for NAT traversal in IPSec.
#
acl number 3001 //Configure an ACL.
rule 5 permit udp destination-port eq 1701 //Configure an ACL rule to allow packets from a specified L2TP port.
rule 10 permit udp destination-port eq 4500 //Configure an ACL rule to allow packets from a specified L2TP port after NAT traversal in IPSec.
rule 15 permit udp destination-port eq 500 //Configure an ACL rule to allow packets from a specified L2TP port before NAT traversal in IPSec.
#
ipsec proposal 1
esp encryption-algorithm aes-256
#
ike peer xp v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version.
//In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ].
//In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }.
//By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond.
//To initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Configure the aggressive mode. NAT traversal can be used only in aggressive mode. In versions later than V200R005C00, you do not need to perform this configuration.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key used for authentication as huawei, in cipher text.
//In V200R003C00 and earlier versions, this command is pre-shared-key huawei, and the password is displayed in plain text.
local-id-type name //Set the local ID type to name in IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template xptemp 2 //Configure an IPSec policy template so that negotiation requests from multiple PCs can be processed.
ike-peer xp
proposal 1
#
ipsec policy xp 1 isakmp template xptemp //Reference an IPSec policy template in an IPSec policy.
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15
#

Issue V3.2 (2019-08-02) Copyright © Huawei Technologies Co., Ltd. 192


Huawei AR Series Access Routers
CLI-based Typical Configuration Examples 6 Using VPN to Implement WAN Interconnection

firewall interzone trust untrust


firewall enable
packet-filter 3001 inbound //Configure the firewall and enable
packet filtering.
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
ipsec policy xp //Bind the IPSec policy to the interface.
zone untrust
#
interface Virtual-Template1 //Create an L2TP group and set
parameters for creating an L2TP tunnel.
ppp authentication-mode chap
remote address pool lns
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
undo tunnel authentication //The non-authentication mode is
recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Step 2 Configure a PC.


# Create an L2TP connection.
Double-click Secoway VPN Client and click New. The New Connection Wizard page is
displayed.

Select Create a new connection by inputting parameters and click Next.


Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.

Select CHAP from the Authentication Mode drop-down list box, select Enable IPSec
Protocol, select Pre-Shared-Key, set Pre-shared-key to huawei (the pre-shared key must be
the same as that on the LNS), and click Next.


Select Use LNS Server Address and click Next.

Set IPSec and IKE attributes. Set ESP Authentication Algorithm to MD5 and ESP
Encryption Algorithm to AES-256. In IKE, set Authentication Algorithm to SHA-1,
Encryption Algorithm to DES-CBC, Negotiation Mode to Aggressive mode, ID Type to
Name, Local Gateway Name to a random value, and Remote Gateway Name to xp (the
value must be the same as the local name in IKE negotiation on the LNS), and click Next.


Enter the VPN connection name in The name is. The VPN connection name can be
user-defined. Here, the value is My connection. Then click Finished.

# Modify L2TP connection parameters.


Select the L2TP connection to be modified. Here, the L2TP connection My connection is
used as an example.


Select My connection and click Property. The My connection Properties page is displayed.

Click Basic Settings. Modify the user name and password according to the actual situation.


Parameters in L2TP Settings, IPSec Settings, IKE Settings, and Advanced are the same as
those on the LNS. If parameters on the LNS are not modified, parameters on these tab pages
do not need to be modified.


On the Secoway VPN Client page, select My connection and click Connect.

Step 3 Verify the configuration.

# After the configurations are complete, PC2 and PC3 can obtain private IP addresses and
communicate with PC1.

----End

Configuration Notes
Note the following points:
- Because enterprise users use PCs to connect to the enterprise network, tunnel
  authentication cannot be configured.
- The settings on the dialup software and LNS must be the same; otherwise, IPSec and
  L2TP tunnels may fail to be set up.
- A NAT device is deployed between enterprise users and the LNS, so the aggressive mode
  must be used to implement NAT traversal. In addition, use names for IKE negotiation. In
  V2R5C00, there is no such limitation.
- When the firewall service is deployed on the LNS, configure an ACL to permit ports
  1701, 4500, and 500 used by L2TP and IPSec.
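
The settings these notes call out can be checked mechanically when an LNS configuration is reviewed. The following Python script is an added example, not part of the Huawei guide: it flags aggressive mode left in place, a pre-shared key not stored as cipher text, disabled L2TP tunnel authentication, the algorithms the guide's NOTE lists as having security risks (MD5, SHA1, DES, 3DES), and an inbound packet filter whose ACL omits UDP 1701, 4500, or 500. The sample configuration is constructed from this example's LNS settings with placeholder ciphertext and one added weak line; the function names and finding codes are assumptions of the example.

```python
import re

WEAK_ALGS = {"md5", "sha1", "des", "3des"}   # listed in the guide's NOTE
REQUIRED_UDP_PORTS = {500, 1701, 4500}       # from the Configuration Notes

# Constructed sample: this example's LNS settings, trimmed, with placeholder
# ciphertext and one added weak line (esp authentication-algorithm md5).
SAMPLE_LNS_CONFIG = """\
#
acl number 3001
 rule 5 permit udp destination-port eq 1701
 rule 10 permit udp destination-port eq 4500
 rule 15 permit udp destination-port eq 500
#
ipsec proposal 1
 esp authentication-algorithm md5
 esp encryption-algorithm aes-256
#
ike peer xp v1
 exchange-mode aggressive  //Needed for NAT traversal on early versions only.
 pre-shared-key cipher %^%#PLACEHOLDER%^%#
 local-id-type name
 nat traversal
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3001 inbound
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
return
"""


def split_sections(config_text):
    """Split a config into sections; a line holding only '#' ends a section."""
    sections, current = [], []
    for raw in config_text.splitlines():
        # Drop the guide's trailing // annotations before parsing.
        line = re.split(r"(?:^|\s+)//", raw, maxsplit=1)[0].strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(config_text):
    """Return sorted (code, section, detail) findings for one device config."""
    findings, acl_ports, filters = [], {}, []
    for section in split_sections(config_text):
        head = section[0]
        for line in section:
            words = line.split()
            if line == "exchange-mode aggressive":
                # Only required for NAT traversal on early software versions.
                findings.append(("IKE_AGGRESSIVE_MODE", head, line))
            elif words[0] == "pre-shared-key" and words[1:2] != ["cipher"]:
                # Key stored in plain text; never echo it into the report.
                findings.append(("PSK_NOT_CIPHER", head, "pre-shared-key <redacted>"))
            elif line == "undo tunnel authentication":
                findings.append(("L2TP_NO_TUNNEL_AUTH", head, line))
            elif words[0] == "packet-filter" and words[-1] == "inbound":
                filters.append((head, words[1]))
            alg = re.search(r"(?:encryption|authentication)-algorithm\s+(\S+)", line)
            if alg and alg.group(1).lower().split("-")[0] in WEAK_ALGS:
                findings.append(("WEAK_ALGORITHM", head, line))
            rule = re.match(r"rule \d+ permit udp destination-port eq (\d+)$", line)
            if rule and head.startswith("acl number "):
                acl_ports.setdefault(head.split()[2], set()).add(int(rule.group(1)))
    # An inbound packet filter must still let the VPN's own ports through.
    for head, acl in filters:
        missing = REQUIRED_UDP_PORTS - acl_ports.get(acl, set())
        if missing:
            detail = "acl %s does not permit udp %s" % (acl, sorted(missing))
            findings.append(("ACL_MISSING_VPN_PORT", head, detail))
    return sorted(findings)


if __name__ == "__main__":
    for code, section, detail in audit(SAMPLE_LNS_CONFIG):
        print("%-22s %-34s %s" % (code, section, detail))
```

The same function can be run over the RouterA and LNS configurations in the following examples, because it keys only on command text and section headers.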

6.1.9 Example for Configuring L2TP over IPSec for Remote Dial-Up Users to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
As shown in Figure 6-9, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through L2TP dialup. To ensure
security of traveling employees, the enterprise requires that an IPSec tunnel be set up between
the traveling employee's PC and headquarters gateway.

In this example, the PC runs the Windows 7 operating system.

A host-to-gateway IPSec tunnel is established between a traveling employee and the
headquarters; therefore, the IPSec tunnel is based on the transport mode.

Figure 6-9 Networking for configuring L2TP over IPSec between a PC and a router

Procedure
Step 1 Configure RouterA.
#
sysname RouterA  //Configure the device name.
#
l2tp enable  //Enable L2TP.
#
ipsec proposal prop  //Configure an IPSec proposal.
 encapsulation-mode transport
#
ike proposal 5  //Configure an IKE proposal.
#
ike peer peer1 v1  //The commands used to configure IKE peers and the IKE protocol differ
    //depending on the software version. In versions earlier than V200R008, the command
    //is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are
    //ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled
    //simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a
    //responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using
    //IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#  //Set the
    //pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions, the
    //command is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
#
ipsec policy-template temp1 10  //Configure an IPSec policy template.
 ike-peer peer1
 proposal prop
#
ipsec policy policy1 10 isakmp template temp1  //Configure an IPSec policy.
#
ip pool lns  //Configure an IP address pool from which IP addresses are allocated to
    //access PCs.
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa  //Configure the local user name and service type on the LNS.
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1  //Configure the user name and password of the virtual PPP
    //user, authentication mode, and IP address.
 ppp authentication-mode chap
 remote address pool lns
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 200.1.1.1 255.255.255.0
 ipsec policy policy1
#
l2tp-group 1  //Configure an L2TP group and set attributes.
 undo tunnel authentication
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2  //Configure a static route.
#
return

Step 2 Configure PC A.
# Modify the Windows registry.
Choose Start > Run, and enter regedit to open the registry. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent, create a
DWORD named AssumeUDPEncapsulationContextOnSendRule with the value of 2. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters, create a
DWORD named ProhibitIpSec with the value of 1, as shown in Figure 6-10. Then restart
the PC.


Figure 6-10 Creating DWORD

# Create an L2TP connection. Choose Start > Control Panel > Network and Internet >
Network and Sharing Center, and select Set up a new connection or network, as shown in
Figure 6-11.


Figure 6-11 Setting up a new connection or network

On the Set up a Connection or Network page shown in Figure 6-12, select Connect to a
workplace and click Next.


Figure 6-12 Set up a Connection or Network page

Select Use my Internet connection (VPN), as shown in Figure 6-13.


Figure 6-13 Connect to a Workplace page

Enter the Internet address (IP address of RouterA) and click Next, as shown in Figure 6-14.


Figure 6-14 Entering the Internet address

Enter the user name and password, as shown in Figure 6-15.


Figure 6-15 Entering the user name and password

# Create an IPSec policy.


Choose Control Panel > System and Security > Administrative Tools > IP Security
Policies on Local Computer.
Right-click IP Security Policies on Local Computer shown in Figure 6-16. The IP security
policy wizard is displayed.


Figure 6-16 Creating an IPSec policy

Figure 6-17, Figure 6-18, Figure 6-19, and Figure 6-20 show how to create an IPSec policy.


Figure 6-17 Welcome to the IP Security Policy Wizard page

Figure 6-18 Editing the IP Security Policy Name page


Figure 6-19 Specifying the PC to respond to requests for secure communication


Figure 6-20 Completing the IP Security Policy Wizard page

On the IPSec Properties page shown in Figure 6-21, deselect Use Add Wizard and click
Add to add rules.


Figure 6-21 IPSec Properties page

# Set attributes of an IPSec policy.


1. Configure an IP filter list.
On the IP Filter List tab page shown in Figure 6-22, click Edit to edit an IP filter list.


Figure 6-22 Editing the New IP Filter List page

On the IP Filter List page shown in Figure 6-23, deselect Use Add Wizard and click
Add to add an IP filter list.


Figure 6-23 Adding an IP filter list

Configure IP filter attributes. On the Addresses tab page shown in Figure 6-24, select
My IP Address as the source address, headquarters gateway IP address as the
destination address, and mirror data flows.


Figure 6-24 Editing the Addresses tab page

On the Protocol tab page shown in Figure 6-25, select Any from the Select a protocol
type drop-down list box.


Figure 6-25 Editing the Protocol tab page

On the Description tab page shown in Figure 6-26, configure a description for the IP
filter.


Figure 6-26 Editing the Description tab page

Click OK. The IP Filter List page shown in Figure 6-27 is displayed.


Figure 6-27 IP Filter List page

Click OK. The New Rule Properties page shown in Figure 6-28 is displayed.


Figure 6-28 New Rule Properties page

2. Configure a filter action.


On the Filter Action tab page shown in Figure 6-29, click Edit.


Figure 6-29 Editing the Filter Action tab page

The New Filter Action Properties page shown in Figure 6-30 is displayed. Select
Accept unsecured communication, but always respond using IPSec and click Add.


Figure 6-30 Editing the Filter Action Properties page

The Security Methods page shown in Figure 6-31 is displayed. Select Custom and
click Settings.


Figure 6-31 Editing the Security Methods page

The Custom Security Method Settings page shown in Figure 6-32 is displayed. Set
integrity and encryption algorithms, and perform session key settings.


Figure 6-32 Editing the Custom Security Method Settings page

Click OK until the Filter Action tab page is displayed.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.

3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 6-33, click Edit.


Figure 6-33 Editing the Authentication Methods tab page

The Authentication Method Properties page shown in Figure 6-34 is displayed. Select
Use the string (preshared key) and use the pre-shared key huawei.


Figure 6-34 Editing the Authentication Method Properties page

4. Configure an encapsulation mode.


On the Tunnel Setting tab page shown in Figure 6-35, select This rule does not specify
an IPsec tunnel. That is, the transport mode is used.


Figure 6-35 Editing the Tunnel Setting tab page

5. Configure a connection mode.


On the Connection Type tab page shown in Figure 6-36, select All network
connections.


Figure 6-36 Editing the Connection Type tab page

6. Configure an IKE proposal.


Click Apply. The IPSec Properties page is displayed. Click General and select
Settings, as shown in Figure 6-37.


Figure 6-37 General tab page

On the Key Exchange Settings page, select Methods, as shown in Figure 6-38.


Figure 6-38 Editing the Key Exchange Settings page

On the Key Exchange Security Methods page, select Add, as shown in Figure 6-39.


Figure 6-39 Editing the Key Exchange Security Methods page

Add security methods, and click OK, as shown in Figure 6-40.


Figure 6-40 Added key exchange methods

On the IPSec Properties page shown in Figure 6-41, click OK.


NOTE

The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution when you use
non-authentication.


Figure 6-41 Completing IPSec policy setting

# Apply the IPSec policy.


On the IP Security on Local Computer page, right-click the configured IPSec policy and
click Assign, as shown in Figure 6-42. That is, apply the IPSec policy to the PC.


Figure 6-42 Assigning the configured IPSec policy

Select the configured L2TP connection in Connect to network. The page shown in
Figure 6-43 is displayed. Enter the user name and password.


Figure 6-43 L2TP connection

Step 3 Verify the configuration.

# After the configurations are complete, PC A can ping RouterA successfully. Data exchanged
between PC A and RouterA is encrypted. You can run the display ipsec statistics esp
command to view packet statistics.

# Run the display ike sa and display ipsec sa commands on RouterA. You can view
information about successful IPSec tunnel setup.

----End

Configuration Notes
The IPSec configuration on the PC is much more complex than that on the router, so you
must be familiar with the IPSec configuration on the router.

6.1.10 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Communicate with the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
As shown in Figure 6-44, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters.

Figure 6-44 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
communicate with the headquarters

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable  //Enable L2TP.
#
aaa  //Configure an L2TP user name and password.
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1
#
l2tp-group 1  //Create an L2TP group and set L2TP connection parameters.
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 tunnel name lac
 start l2tp ip 1.1.1.1 fullusername huawei
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable  //Enable L2TP.
#
ip pool 1  //Create an IP address pool to allocate IP addresses to users.
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
aaa  //Configure an L2TP user name and password.
 local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user huawei privilege level 0
 local-user huawei service-type ppp
#
interface Virtual-Template1  //Create a virtual tunnel template and set dialup parameters.
 ppp authentication-mode chap
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1  //Create an L2TP group and set L2TP connection parameters.
 allow l2tp virtual-template 1 remote lac
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
 tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
- The LAC and LNS must use the same user name and password.
- When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.


6.1.11 Example for Configuring PPPoE Users Connected to the LAC to Establish an L2TP Tunnel to Access the RADIUS Server in the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-45, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters. The RADIUS server in the
headquarters authenticates users and allocates IP addresses to the users.

Figure 6-45 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
access the RADIUS server in the headquarters

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable  //Enable L2TP.
#
aaa  //Configure a user name and password.
 local-user l2tp@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user l2tp@huawei.com privilege level 0
 local-user l2tp@huawei.com service-type ppp
#
interface Virtual-Template1  //Create a virtual tunnel template and set dialup parameters.
 ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 pppoe-server bind Virtual-Template 1
#
l2tp-group 1  //Create an L2TP group and set L2TP connection parameters.
 tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
 start l2tp ip 1.1.1.1 fullusername l2tp1@huawei.com
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable  //Enable L2TP.
#
ip pool 1  //Create a global IP address pool.
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
#
radius-server template l2tp  //Create a RADIUS server template.
 radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
 radius-server authentication 10.2.1.2 1645 weight 80
#
aaa  //Configure RADIUS authentication.
 authentication-scheme l2tp
  authentication-mode radius
 domain huawei.com
  authentication-scheme l2tp
  radius-server l2tp
#
interface Virtual-Template1  //Create a virtual tunnel template and set dialup parameters.
 ppp authentication-mode chap domain huawei.com
 remote address pool 1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1  //Create an L2TP group and set L2TP connection parameters.
 allow l2tp virtual-template 1
 tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
#
return

Step 3 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# Users in the enterprise headquarters and branch can ping each other.

----End


Configuration Notes
- An L2TP group uses tunnel authentication by default and passwords at both ends of the
  tunnel must be the same.
- When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.
- You need to configure a static route destined for the RADIUS server on the LNS based
  on actual needs. In this example, no static route is configured.

6.1.12 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-46, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS.

Figure 6-46 Configuring the LAC to establish an L2TP tunnel to communicate with the
headquarters through automatic dial-up

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac
start l2tp ip 1.1.1.1 fullusername huawei
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
aaa
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote lac
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# Users in the enterprise headquarters and branch can ping each other.

----End


Configuration Notes
• The LAC and LNS must use the same user name and password.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.
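
The notes on matching tunnel passwords and on matching LAC and LNS user names and passwords both come down to a CHAP-style MD5 check. The following added example is not from this guide or from the router software: it models the tunnel authentication of RFC 2661 and the PPP CHAP of RFC 1994, and its class names, function names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

SCCRP, SCCCN = 2, 3  # L2TP control message types, used as the CHAP ID (RFC 2661)


def chap_md5(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(ID || secret || challenge), per RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class TunnelEnd:
    """One end of the control connection; holds the configured tunnel password."""

    def __init__(self, name: str, tunnel_password: bytes):
        self.name = name
        self.secret = tunnel_password
        self.sent_challenge = b""

    def challenge(self) -> bytes:
        self.sent_challenge = os.urandom(16)
        return self.sent_challenge

    def respond(self, msg_type: int, peer_challenge: bytes) -> bytes:
        return chap_md5(msg_type, self.secret, peer_challenge)

    def check(self, msg_type: int, response: bytes) -> bool:
        expected = chap_md5(msg_type, self.secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)


def tunnel_setup(lac: TunnelEnd, lns: TunnelEnd):
    """SCCRQ / SCCRP / SCCCN with a challenge in each direction."""
    c_lac = lac.challenge()              # SCCRQ  LAC -> LNS: Challenge
    r_lns = lns.respond(SCCRP, c_lac)    # SCCRP  LNS -> LAC: Challenge Response
    c_lns = lns.challenge()              #        plus the LNS's own Challenge
    if not lac.check(SCCRP, r_lns):
        return False, f"{lac.name} rejects {lns.name}: tunnel passwords differ"
    r_lac = lac.respond(SCCCN, c_lns)    # SCCCN  LAC -> LNS: Challenge Response
    if not lns.check(SCCCN, r_lac):
        return False, f"{lns.name} rejects {lac.name}: tunnel passwords differ"
    return True, "tunnel established"


def ppp_chap_login(lns_local_users: dict, user: str, password: str) -> bool:
    """PPP CHAP inside the tunnel: the LNS challenges, the LAC answers as `user`."""
    ident, challenge = os.urandom(1)[0], os.urandom(16)        # LNS -> LAC: Challenge
    response = chap_md5(ident, password.encode(), challenge)   # LAC -> LNS: Response
    stored = lns_local_users.get(user)                         # lookup is by user name
    if stored is None:
        return False
    return hmac.compare_digest(response, chap_md5(ident, stored.encode(), challenge))


# Constructed sample values; the guide shows only ciphertext, never cleartext secrets.
LNS_USERS = {"huawei": "constructed-ppp-password"}

if __name__ == "__main__":
    print(tunnel_setup(TunnelEnd("lac", b"constructed-tunnel-pw"),
                       TunnelEnd("lns", b"constructed-tunnel-pw")))
    print(tunnel_setup(TunnelEnd("lac", b"constructed-tunnel-pw"),
                       TunnelEnd("lns", b"another-tunnel-pw")))
    print(ppp_chap_login(LNS_USERS, "huawei", "constructed-ppp-password"))
    print(ppp_chap_login(LNS_USERS, "huawei", "wrong-password"))
```

Both checks depend only on the shared secret and a challenge that crosses the network in the clear, so the strength of these passwords is what protects the exchange.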

6.1.13 Example for Configuring the LAC to Establish an L2TP Tunnel to Communicate with the RADIUS Server in the Headquarters Through Automatic Dial-up
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-47, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS. The RADIUS server in the
headquarters authenticates users and allocates IP addresses to the users.

Figure 6-47 Configuring the LAC to establish an L2TP tunnel to communicate with the
RADIUS server in headquarters through automatic dial-up

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp@huawei.com
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
start l2tp ip 1.1.1.1 fullusername l2tp@huawei.com
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.2.1.2 1645 weight 80
#
aaa //Configure RADIUS authentication.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End


Configuration Notes
• An L2TP group uses tunnel authentication by default and passwords at both ends of the
  tunnel must be the same.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.
• You need to configure a static route destined for the RADIUS server on the LNS based
  on actual needs. In this example, no static route is configured.

6.1.14 Example for Configuring Multiple L2TP Instances to Implement Communication Between the Headquarters and Branches
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-48, many enterprises use the same LNS, and users from different
enterprises connect to LAC_1 and LAC_2 to communicate with their own headquarters sites.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC_1 and LAC_2 simultaneously, allowing enterprise
users to access their own internal networks.

Figure 6-48 Configuring multiple L2TP instances to implement communication between the
headquarters and branches

Procedure
Step 1 Configure LAC_1.


#
sysname LAC_1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.9.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure LAC_2.


#
sysname LAC_2
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user l2tp2
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_2
start l2tp ip 1.1.1.1 fullusername l2tp2
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2 //Configure a static route.
ip route-static 10.1.3.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip vpn-instance vpn1 //Configure VPN instance VPN1.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure VPN instance VPN2.
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
vpn-instance vpn1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
ip pool 2
vpn-instance vpn2
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Create a local user in the AAA view.
local-user l2tp1 password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp1 privilege level 0
local-user l2tp1 service-type ppp
local-user l2tp2 password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp2 privilege level 0
local-user l2tp2 service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template 1 and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
#
interface Virtual-Template2 //Create a virtual tunnel template 2 and set dialup parameters.
ppp authentication-mode chap
remote address pool 2
ip binding vpn-instance vpn2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip binding vpn-instance vpn2
ip address 10.1.3.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote lac_1
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
l2tp-group 2 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 2 remote lac_2
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2 //Configure static routes.
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
ip route-static 10.1.9.0 255.255.255.0 Virtual-Template1
ip route-static 10.1.10.0 255.255.255.0 Virtual-Template2
#
return

Step 4 Verify the configuration.


# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
• The LAC and LNS must use the same user name and password.
• If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
  LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
  not 1, you must specify the tunnel name for the remote LAC.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.
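
These notes can be checked mechanically before a configuration is deployed. The following is an added example, not part of this guide: a small Python audit over LNS and LAC configuration text. Its function names, severity labels and sample configurations are constructed, and it assumes that tunnel names are compared exactly as written.

```python
import re
COMMENT = re.compile(r"\s+//.*$")  # trailing "//..." annotations as used in this guide

def stanzas(cfg):
    """Split VRP-style text into stanzas separated by '#' lines (indentation ignored)."""
    out = [[]]
    for raw in cfg.splitlines():
        line = COMMENT.sub("", raw).strip()
        if line in ("#", "return"):
            out.append([])
        elif line:
            out[-1].append(line)
    return [s for s in out if s]

def parse(cfg):
    """Collect only the settings that the configuration notes refer to."""
    dev = {"name": "?", "groups": {}, "chap_user": None, "ppp_users": set(), "vt_routes": 0}
    for st in stanzas(cfg):
        head = re.fullmatch(r"l2tp-group (\d+)", st[0])
        if head:
            g = {"allow": False, "remote": None, "auth": True, "name": None}
            for line in st[1:]:
                a = re.fullmatch(r"allow l2tp virtual-template \d+(?: remote (\S+))?", line)
                if a:
                    g["allow"], g["remote"] = True, a.group(1)
                elif line == "undo tunnel authentication":
                    g["auth"] = False
                elif line.startswith("tunnel name "):
                    g["name"] = line.split()[2]
            dev["groups"][int(head.group(1))] = g
            continue
        for line in st:
            if line.startswith("sysname "):
                dev["name"] = line.split()[1]
            elif line.startswith("ppp chap user "):
                dev["chap_user"] = line.split()[3]
            elif re.fullmatch(r"local-user \S+ service-type .*\bppp\b.*", line):
                dev["ppp_users"].add(line.split()[1])
            elif re.fullmatch(r"ip route-static \S+ \S+ Virtual-Template\d+", line):
                dev["vt_routes"] += 1
    return dev

def audit(lns_cfg, lac_cfgs):
    """Return (severity, message) findings for one LNS and the LACs that dial it."""
    lns, lacs = parse(lns_cfg), [parse(c) for c in lac_cfgs]
    lac_names = {g["name"] for lac in lacs for g in lac["groups"].values()}
    out = []
    for gid, g in sorted(lns["groups"].items()):
        if not g["allow"]:
            continue
        if g["remote"] is None and gid != 1:
            out.append(("error", f"l2tp-group {gid}: remote tunnel name required (group ID is not 1)"))
        elif g["remote"] is None:
            out.append(("warn", "l2tp-group 1: no remote name, requests from any LAC are accepted"))
        elif g["remote"] not in lac_names:  # exact string match is an assumption
            out.append(("error", f"l2tp-group {gid}: remote '{g['remote']}' matches no LAC tunnel name"))
        if not g["auth"]:
            out.append(("warn", f"l2tp-group {gid}: tunnel authentication is disabled"))
    for lac in lacs:
        user = lac["chap_user"]  # checked only when the LNS has local PPP users (not the RADIUS case)
        if user and lns["ppp_users"] and user not in lns["ppp_users"]:
            out.append(("error", f"{lac['name']}: CHAP user '{user}' is not a local PPP user on the LNS"))
        if not lac["vt_routes"]:
            out.append(("error", f"{lac['name']}: no static route leaves through a Virtual-Template"))
    return out

# Constructed sample input; <ciphertext> is a placeholder, not a real value.
LNS_SAMPLE = """
sysname LNS
#
aaa
local-user l2tp1 password cipher <ciphertext>
local-user l2tp1 service-type ppp
#
l2tp-group 1 //No remote name on group 1.
allow l2tp virtual-template 1
#
l2tp-group 2
allow l2tp virtual-template 2
undo tunnel authentication
#
l2tp-group 3
allow l2tp virtual-template 3 remote lac_9
"""
LAC_SAMPLE = """
sysname LAC_2
#
interface Virtual-Template1
ppp chap user l2tp2
#
l2tp-group 1
tunnel name lac_2
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2
"""

if __name__ == "__main__":
    print(*audit(LNS_SAMPLE, [LAC_SAMPLE]), sep="\n")
```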

6.1.15 Example for Configuring Multiple L2TP Instances to Implement Communication Between Branches and the RADIUS Server in the Headquarters
Applicability
This example applies to all AR models of V200R007C00, V200R008C50 and later versions.

Networking Requirements
As shown in Figure 6-49, an enterprise has some branches located in other cities and the
branches connect to the same L2TP network server (LNS). Branches A, B, and C
communicate with the headquarters through LAC1, LAC2, and LAC3, respectively.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC1, LAC2, and LAC3 simultaneously, allowing users
of enterprise branches to access the internal network of the enterprise. Users in the same VPN
can communicate with each other. The RADIUS server in the headquarters authenticates
users, delivers VPN instances, and assigns IP addresses to users.


Figure 6-49 Configuring the LACs to establish an L2TP tunnel to implement communication
between the headquarters and branches through automatic dial-up

Procedure
Step 1 Configure LAC1.
#
sysname LAC1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac1@huawei.com
ppp chap password cipher
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher
tunnel name lac1
start l2tp ip 1.2.1.1 fullusername lac1@huawei.com
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure LAC2.


#
sysname LAC2
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac2@huawei.com
ppp chap password cipher
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.2.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher
tunnel name lac2
start l2tp ip 2.2.1.1 fullusername lac2@huawei.com
#
ip route-static 2.2.1.0 255.255.255.0 2.2.2.3
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Configure LAC3.


#
sysname LAC3
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp chap user lac3@huawei.com
ppp chap password cipher
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 3.3.3.3 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.3.3.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher
tunnel name lac3
start l2tp ip 3.2.1.1 fullusername lac3@huawei.com
#
ip route-static 3.2.1.0 255.255.255.0 3.3.3.4
ip route-static 10.5.5.0 255.255.255.0 Virtual-Template1
#
return

Step 4 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip vpn-instance vpn1 //Configure the VPN instance VPN1.
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure the VPN instance VPN2.
ipv4-family
route-distinguisher 300:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool and assign IP addresses to access users.
gateway-list 10.10.1.1
network 10.10.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.10.10.1 1645 weight 80
#
aaa //Set the AAA mode to RADIUS.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual interface template and configure dial-up parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 3.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher
tunnel name lns
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2
ip route-static 2.2.2.0 255.255.255.255 2.2.1.2
ip route-static 3.3.3.0 255.255.255.255 3.2.1.2
ip route-static vpn-instance vpn1 10.1.1.0 255.255.255.255 10.10.1.100 //Assume that the IP address assigned by the RADIUS server to the user on the LAC1 is 10.10.1.100
ip route-static vpn-instance vpn1 10.2.2.0 255.255.255.255 10.10.1.101 //Assume that the IP address assigned by the RADIUS server to the user on the LAC2 is 10.10.1.101
ip route-static vpn-instance vpn2 10.3.3.0 255.255.255.255 10.10.1.102 //Assume that the IP address assigned by the RADIUS server to the user on the LAC3 is 10.10.1.102
#
return

Step 5 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# PC_1, PC_2, and PC_4 can ping each other. PC_3 and PC_5 can ping each other.

----End


Configuration Notes
• An L2TP group uses tunnel authentication by default and passwords at both ends of the
  tunnel must be the same.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.
• You need to configure a static route destined for the RADIUS server on the LNS based
  on actual needs. In this example, no static route is configured.
• You need to configure the IP address assigned to the VT interfaces on the LACs on the
  RADIUS server. In this example, no IP address is configured.

6.1.16 Example for Configuring the LAC Using a 3G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-50, an enterprise has some branches located in other cities. The
branches use the Ethernet network and have gateways deployed, which use 3G cellular
interfaces to connect to the Internet through the WCDMA network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.

Figure 6-50 Configuring the LAC using a 3G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up

Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address 3.1.1.2 255.255.255.0
l2tp-auto-client enable
#
interface Cellular0/0/0 //Configure a 3G interface.
link-protocol ppp
ip address ppp-negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile 3GNET
dialer timer autodial 60 //Configure the user to dial up at an interval of 60s.
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 3.1.1.1
network 3.1.1.0 mask 255.255.255.0
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Create a static route.
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
• The LAC and LNS must use the same user name and password.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.

6.1.17 Example for Configuring the LAC Using a 4G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-51, an enterprise has some branches located in other cities. The
branches use the Ethernet network and have gateways deployed, which use 4G cellular
interfaces to connect to the Internet through the Long Term Evolution (LTE) network.

The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.

Figure 6-51 Configuring the LAC using a 4G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up


Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0 //Configure a 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from the carrier. The interface can use the IP address to connect to the public network.
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile lteprofile
apn ltenet
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ip pool 1 //Create an IP address pool to allocate IP addresses to users.
gateway-list 3.1.1.1
network 3.1.1.0 mask 255.255.255.0
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Create a virtual tunnel template and set dialup parameters.
ppp authentication-mode chap
remote address pool 1
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGXK'J}kG])REK]_-o%@%@
tunnel name LNS
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Create a static route.
ip route-static 10.1.1.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Verify the configuration.

# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.

# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
• The LAC and LNS must use the same user name and password.
• When you configure static routes on the LAC, the outbound interface in the route
  destined for the headquarters network segment must be the VT1 interface.

6.1.18 Example for Establishing an L2TP Tunnel to Connect a Mobile Office User to the Headquarters (Android Phone)

Networking Requirements
As shown in Figure 6-52, traveling employees need to communicate with the headquarters
and access the headquarters gateway through the Internet to use internal resources. However,
the headquarters gateway cannot identify and manage access users. To solve this problem,
configure the headquarters gateway as the LNS to establish a virtual point-to-point connection
between the traveling employees and the headquarters gateway when the employees use
phones to initiate L2TP tunnel connections.

Figure 6-52 Example for establishing an L2TP tunnel to connect a mobile office user to the
headquarters


NOTE

An Android 8.0.0 phone is used in this example.


Ensure that the Android phone supports L2TP tunnel connections.

Configuration Roadmap
Configure L2TP to implement communication between the phone and the headquarters. The
configuration roadmap is as follows:
1. On Router, configure an interface IP address and a static route to the remote phone to
ensure that routes between the two ends are reachable.
2. On Router, configure L2TP to implement connection to the phone.
3. On the phone, configure L2TP to implement connection to Router. Parameters set for the
phone must be the same as those set for Router.

Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL. The address in this ACL is allocated by L2TP and translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool lns to allocate IP addresses to users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP dial-up access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user vpdnuser password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
nat outbound 2001 //Configure NAT to permit access to the Internet.
#
interface Virtual-Template1 //Create a VT and configure dial-up parameters.
ppp authentication-mode chap domain huawei.com //Configure an authentication mode and specify that the authentication requests must carry the domain name.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Assign the DNS gateway to allow employees to visit external resources using the domain name.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up to connect to the network on the phone. The non-authentication mode is used.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.3
#
return

Step 2 Configure the phone.

NOTE
Set L2TP secret to Huawei@1234 configured on Router.

----End

Verification
1. Enable VPN connection on the phone. You can find that the VPN connection is
successful.
2. Run the display l2tp tunnel command on Router. You can find that an L2TP tunnel is
established successfully.
[Router] display l2tp tunnel
 Total tunnel : 1
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
 1        1         3.3.3.3          1701   1        -

6.1.19 Example for Configuring Layer 2 Network Interconnection Between Branches and the Headquarters Through L2TP over Bridge

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-53, the enterprise headquarters LNS communicates with enterprise
branches LAC_1 and LAC_2. The LNS provides VPDN access services for LAC_1 and LAC_2,
and L2TP VPN tunnels are established between the LNS and LAC_1, and between the LNS and
LAC_2. The enterprise can configure Layer 2 network interconnection between the
headquarters and branches through L2TP over bridge, establishing L2TP connections between
LAC_1 and the LNS, and between LAC_2 and the LNS, so that users in branches can access the
network and communicate with each other. After L2TP tunnels are established, traffic
between the headquarters and branches is forwarded through the Layer 2 network.

Figure 6-53 Networking diagram for configuring Layer 2 network interconnection between
branches and the headquarters through L2TP over bridge

Procedure
Step 1 Configure LAC_1.
#
sysname LAC_1
#
bridge 1
#
l2tp enable //Enable the L2TP function.
#
interface Virtual-Template1 //Create a virtual interface template and configure
dialup parameters.
bridge 1 //Create bridge 1 and add the virtual interface to bridge 1.
bridge vlan-transmit enable //Enable transparent VLAN ID transmission on
interfaces of the bridge group.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
bridge 1
bridge vlan-transmit enable
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure LAC_2.


#
sysname LAC_2
#
bridge 1
#
l2tp enable //Enable the L2TP function.
#
interface Virtual-Template1 //Create a virtual interface template and configure
dialup parameters.
bridge 1 //Create bridge 1 and add the virtual interface to bridge 1.
bridge vlan-transmit enable //Enable transparent VLAN ID transmission on
interfaces of the bridge group.
ppp chap user l2tp2
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
bridge 1
bridge vlan-transmit enable
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_2
start l2tp ip 1.1.1.1 fullusername l2tp2
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2 //Configure a static route.
ip route-static 10.1.3.0 255.255.255.0 Virtual-Template1
#
return

Step 3 Configure the LNS.


#
sysname LNS
#
l2tp enable //Enable the L2TP function.
#
bridge 1
#
aaa
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1
bridge 1 //Create bridge 1 and add the virtual interface to bridge 1.
bridge vlan-transmit enable //Enable transparent VLAN ID transmission on
interfaces of the bridge group.
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
bridge 1
bridge vlan-transmit enable
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
tunnel name lns
#
ip route-static 1.1.2.1 255.255.255.255 1.1.1.2 //Configure a static route.
ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
#
return

Step 4 Verify the configuration.


# Verify whether enterprise branches and the headquarters can successfully ping each other.
# Check L2TP tunnel establishment on LNS, LAC_1, and LAC_2. LAC_1 is used as an
example.
• Run the display l2tp tunnel command. If L2TP tunnel information is displayed in the
command output, the L2TP tunnel has been successfully established.
[LAC_1] display l2tp tunnel

Total tunnel : 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 1.1.1.1 1701 1 LNS

• Run the display l2tp session command. If L2TP session information is displayed in the
command output, the L2TP session has been successfully established.
[LAC_1] display l2tp session

Total session : 1
LocalSID RemoteSID LocalTID
1 1 1

----End

Precautions
• The LAC and LNS must use the same user name and password.
• If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
not 1, you must specify the tunnel name for the remote LAC.

6.2 GRE

6.2.1 Example for Configuring a GRE Tunnel and Static Routes on the Tunnel to Implement Interworking

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-54, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.

Figure 6-54 Configuring a static route for GRE

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route
with the next hop as the tunnel interface.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route
with the next hop as the tunnel interface.
#
return

Step 4 Verify the configuration.

# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.

# PC 1 and PC 2 can successfully ping each other.

----End

Configuration Notes
• Both ends must be configured with routes to private network segments, with the
outbound interface as the tunnel interface.
• The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
• The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

6.2.2 Example for Configuring a GRE Tunnel and OSPF on the Tunnel to Implement Interworking

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-55, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.

GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.

PC1 and PC2 use RouterA and RouterC respectively as their default gateways.

OSPF is enabled on the tunnel interfaces. OSPF process 1 is used for the VPN backbone
network and OSPF process 2 is used for user access.

Figure 6-55 Using a dynamic routing protocol for GRE

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0 //Configure private network routes.
network 10.3.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.

# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.

# PC 1 and PC 2 can successfully ping each other.

----End

Configuration Notes
• Both ends must be configured with routes to private network segments.
• The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

6.2.3 Example for Configuring GRE over GRE to Implement Data Encryption

Specifications
This example applies to all AR models of V200R006C10 and later versions.

Networking Requirements
As shown in Figure 6-56, PE0 is the headquarters gateway of a bank, while PE1 and PE2 are
the bank's branch gateways. PE1 communicates with PE0 over a carrier network; PE2
communicates with PE1 over a private network; however, PE0 cannot communicate with
PE2. The bank requires data encryption over the public network as well as the private
network; therefore, GRE over GRE can be deployed in the headquarters to implement secure
communication among PE0, PE1, and PE2. After GRE over GRE is configured, data between
PE0 and PE1 is transmitted over the GRE tunnel, and data between PE0 and PE2 is
transmitted over the GRE over GRE tunnel along the carrier network.

Figure 6-56 Configuring GRE over GRE for communication between branches and
headquarters

Procedure
Step 1 Configure PE0.
#
sysname PE0
#
interface GigabitEthernet1/0/0
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack1
ip address 10.2.5.1 255.255.255.255
#
interface Tunnel0/0/100 //Configure a tunnel interface.
ip address unnumbered interface GigabitEthernet1/0/0 //Configure
Tunnel0/0/100 to borrow the IP address of GigabitEthernet1/0/0.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/100.
source 10.1.5.1 //Configure the source address for the tunnel.
destination 10.1.5.2 //Configure the destination address for the tunnel.
#
interface Tunnel0/0/101
ip address unnumbered interface Loopback1 //Configure Tunnel0/0/101 to
borrow the IP address of Loopback1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/101.
source 10.2.5.1 //Configure the source address for the tunnel.
destination 10.3.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.3.5.1 255.255.255.255 Tunnel 0/0/100 //Configure
Tunnel0/0/100 as the outbound interface in the route to PE2's Tunnel0/0/0
destination address.
ip route-static 10.1.3.0 255.255.255.0 Tunnel 0/0/101 //Configure
Tunnel0/0/101 as the outbound interface in the route to data destination on PE2.
#
return

Step 2 Configure PE1.


#
sysname PE1
#
interface GigabitEthernet1/0/0
ip address 10.1.5.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.6.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address unnumbered interface GigabitEthernet1/0/0 //Configure Tunnel0/0/0
to borrow the IP address of GigabitEthernet1/0/0.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/0.
source 10.1.5.2 //Configure the source address for the tunnel.
destination 10.1.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.2.5.1 255.255.255.255 Tunnel0/0/0 //Configure Tunnel0/0/0 as
the outbound interface in the route to the source address of Tunnel0/0/101.
ip route-static 10.3.5.1 255.255.255.255 10.1.6.2 //Configure the IP address
of the outbound interface in the route to the destination address of
Tunnel0/0/101 to 10.1.6.2.
#
return

Step 3 Configure PE2.


#
sysname PE2
#
interface GigabitEthernet1/0/0
ip address 10.1.6.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
interface Loopback1
ip address 10.3.5.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address unnumbered interface Loopback1 //Configure Tunnel0/0/0 to borrow
the IP address of Loopback1.
tunnel-protocol gre //Set the tunnel mode to GRE on Tunnel0/0/0.
source Loopback1 //Configure the source address for the tunnel.
destination 10.2.5.1 //Configure the destination address for the tunnel.
#
ip route-static 10.2.5.1 255.255.255.255 10.1.6.1 //Configure the IP address
of the outbound interface in the route to the source address of Tunnel0/0/101 to
10.1.6.1.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure Tunnel0/0/0 as
the outbound interface in the route to data destination on PE0.
#
return

Step 4 Verify the configuration.


# The headquarters can successfully ping branch 1 and branch 2.

----End

Configuration Notes
1. The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
2. The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
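
GRE as defined in RFC 2784 prepends headers and leaves the passenger packet unchanged. The following added example (not from the Huawei manual) builds the double-encapsulated packet that PE0 sends toward PE2 with the tunnel addresses configured above and then peels the layers again; the host addresses 10.1.2.10 and 10.1.3.10, protocol number 253 and the payload are constructed for illustration.

```python
import socket
import struct

IPPROTO_GRE = 47          # IPv4 protocol number for GRE
GRE_PTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 passenger packet
PROTO_TEST = 253          # RFC 3692 experimental protocol number (constructed traffic)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a 20-byte IPv4 header (no options, TTL 64) to payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", ip_checksum(head)) + head[12:] + payload


def gre(passenger: bytes) -> bytes:
    """Prepend a basic 4-byte GRE header: no checksum/key/sequence, version 0."""
    return struct.pack("!HH", 0, GRE_PTYPE_IPV4) + passenger


def pe0_to_pe2(payload: bytes) -> bytes:
    """Packet as it leaves PE0 GigabitEthernet1/0/0 toward PE1."""
    inner = ipv4("10.1.2.10", "10.1.3.10", PROTO_TEST, payload)   # constructed hosts
    mid = ipv4("10.2.5.1", "10.3.5.1", IPPROTO_GRE, gre(inner))   # Tunnel0/0/101
    return ipv4("10.1.5.1", "10.1.5.2", IPPROTO_GRE, gre(mid))    # Tunnel0/0/100


def decapsulate(packet: bytes):
    """Peel IPv4/GRE layers. Returns ([(src, dst), ...] outermost first, payload)."""
    layers = []
    while True:
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        ihl = (packet[0] & 0x0F) * 4
        total_len = struct.unpack("!H", packet[2:4])[0]
        if ihl < 20 or not ihl <= total_len <= len(packet):
            raise ValueError("inconsistent IPv4 lengths")
        if ip_checksum(packet[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        layers.append((socket.inet_ntoa(packet[12:16]),
                       socket.inet_ntoa(packet[16:20])))
        body = packet[ihl:total_len]
        if packet[9] != IPPROTO_GRE:
            return layers, body
        if len(body) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x0007:
            raise ValueError("unsupported GRE version")
        if ptype != GRE_PTYPE_IPV4:
            raise ValueError("GRE passenger is not IPv4")
        # Optional fields: checksum+reserved (C), key (K), sequence number (S).
        offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        packet = body[offset:]


if __name__ == "__main__":
    secret = b"ACCT=0001;AMOUNT=100"          # constructed application data
    wire = pe0_to_pe2(secret)
    hops, data = decapsulate(wire)
    for depth, (src, dst) in enumerate(hops):
        print("  " * depth + f"{src} -> {dst}")
    print("payload offset on the wire:", wire.find(secret))
    print("recovered without any key:", data)
```

The payload sits byte-for-byte behind 68 bytes of headers, so any device on the PE0-PE1 or PE1-PE2 path can read it. Where confidentiality is required on this path, the traffic needs protection in addition to GRE, for example IPSec as in 6.2.4.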

6.2.4 Example for Configuring IPSec over GRE to Implement Secure Communication Between the Headquarters and Branch

Applicability
This example applies to all AR models of V200R005C10 and later versions.

Networking Requirements
As shown in Figure 6-57, Router_1 is the gateway of an enterprise branch, and Router_2 is
the gateway of the headquarters. Router_1 and Router_2 communicate through the public
network.
The branch communicates with the headquarters through a GRE tunnel. The enterprise wants
to protect traffic excluding multicast data between the headquarters and branch. You can use
IPSec over GRE to establish a tunnel between virtual tunnel interfaces.

Figure 6-57 IPSec over GRE networking

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128
parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer spub v2 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 202.138.163.1
destination 202.138.162.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.1 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel
interface.
destination 192.168.1.2 //Set an IP address for the destination GRE tunnel.
ipsec profile profile1 //Apply the IPSec profile.
#
interface GigabitEthernet1/0/0
ip address 202.138.163.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 tunnel0/0/1 //Configure a static route.
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2 //Configure a static
route.
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer spua v2 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spua
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.2 255.255.255.0
tunnel-protocol gre
source 202.138.162.1
destination 202.138.163.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.2 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel
interface.
destination 192.168.1.1 //Set an IP address for the destination GRE tunnel.
ipsec profile profile1 //Apply the IPSec profile.
#
interface GigabitEthernet1/0/0
ip address 202.138.162.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 tunnel0/0/1 //Configure a static route.
ip route-static 202.138.163.0 255.255.255.0 202.138.162.2 //Configure a static
route.
#
return

Step 3 Verify the configuration.


# Run the display ike sa command on the Router. In the command output, Flag(s) is
displayed as RD, indicating that an SA has been established successfully; Phase is displayed
as 1 and 2.
# PC_1 and PC_2 can ping each other.

----End

Configuration Notes
When you create IPSec tunnel interfaces, specify the GRE tunnel interface as the source
interface of the IPSec tunnel. The outbound interface in the route to the destination
address of the IPSec tunnel must also be the GRE tunnel interface.

6.2.5 Example for Configuring GRE Tunnels to Implement Communication Between the Headquarters and Branches

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-58, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters and branches. The service provider has allocated a public network IP address to
each gateway and the gateways can communicate with each other. The enterprise requires a
simple cost-effective mechanism to implement communication between the headquarters and
branches through private networks.
Generic Routing Encapsulation (GRE) tunnels can be established between the headquarters
and branches to meet this requirement. In this example, the Open Shortest Path First (OSPF)
protocol is configured to create routing entries with the tunnel interface as the source address
on the gateways.

Figure 6-58 Configuring GRE tunnels to implement communication between the
headquarters and branches

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and
destination addresses to the IP addresses of interfaces that send and receive
packets.
ip address 10.4.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 1.1.1.1
#
interface Tunnel0/0/2
ip address 10.5.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 2.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 3.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0 //Configure private network routes.
network 10.1.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.2.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and
destination addresses to the IP addresses of interfaces that send and receive
packets.
ip address 10.4.1.2 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 3.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.3.1.1 255.255.255.0
#
interface Tunnel0/0/2 //Configure a tunnel interface and set the source and
destination addresses to the IP addresses of interfaces that send and receive
packets.
ip address 10.5.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 3.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
network 2.1.1.0 0.0.0.255
#
ospf 2 //Configure private network routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.

# Run the display ip routing-table command on each router. You can find that the outbound
interface in routes to the peer is the tunnel interface.

# PC_1 can ping PC_2 and PC_3 successfully.

----End

Configuration Notes
• Routes from both ends to private network segments must be configured.
• The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.

6.2.6 Example for Configuring an IPv6 over IPv4 GRE Tunnel

Specifications
This example applies to all routers of V200R003 and later versions.

Networking Requirements
As shown in Figure 6-59, RouterA, RouterB, and RouterC are connected through an IPv4
network. RouterA and RouterC connect to two IPv6 networks, respectively. IPv6 hosts PC1
and PC2 connect to RouterA and RouterC, respectively. It is required that an IPv6 over IPv4
GRE tunnel be configured between RouterA and RouterC so that PC1 and PC2 can
communicate with each other.

Figure 6-59 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IPv4 address for the
interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC01::1/64 //Configure an IPv6 address for the interface.
#
interface Tunnel0/0/1 //Configure a tunnel interface of the GRE tunnel, set
the tunnel mode to GRE, configure an IPv6 address for the tunnel interface, and
configure IPv4 addresses as the source and destination IP addresses of the tunnel
interface.
ipv6 enable
ipv6 address FC02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2 //Configure an IPv4 static
route to ensure that RouterA has a reachable route to RouterC.
#
ipv6 route-static FC03:: 64 Tunnel0/0/1 //Configure an IPv6 static route to
ensure that RouterA has a reachable route to PC2.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC03::1/64
#
interface Tunnel0/0/1
ipv6 enable
ipv6 address FC02::2/64
tunnel-protocol gre
source 10.1.2.2
destination 10.1.1.1
#
ip route-static 10.1.1.0 255.255.255.0 10.1.2.1 //Configure an IPv4 static
route to ensure that RouterC has a reachable route to RouterA.
#
ipv6 route-static FC01:: 64 Tunnel0/0/1 //Configure an IPv6 static route to
ensure that RouterC has a reachable route to PC1.
#
return

Step 4 Verify the configuration.


# PC1 and PC2 can successfully ping each other.
----End

Configuration Notes
• The devices on the IPv4 network have reachable routes to each other.
• The source and destination IP addresses of devices at both ends of the tunnel must be
configured. The source and destination IP addresses of the local device must be the same
as the destination and source IP addresses of the remote device, respectively.
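
The Configuration Notes in 6.2.1 through 6.2.6 all state the same rule: the tunnel source and destination on one end must mirror the destination and source on the other. The following added example (not part of the Huawei manual) parses two saved configurations in this manual's layout and reports where that rule is broken, also resolving a source given as an interface name; the sample configurations are constructed, and the function names are this example's own.

```python
from ipaddress import ip_address


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_device(config):
    """Return {ifname_lower: {...}} with ip, gre flag, source and destination."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        tok = raw.split("//", 1)[0].split()        # drop // comments as used in this manual
        if not tok:
            continue
        if tok[0] == "#":                          # '#' closes the current view
            cur = None
        elif tok[0] == "interface" and len(tok) == 2:
            cur = ifaces.setdefault(tok[1].lower(), {"name": tok[1]})
        elif cur is None:
            continue
        elif tok[:2] == ["ip", "address"] and len(tok) == 4 and _is_ip(tok[2]):
            cur["ip"] = tok[2]
        elif tok == ["tunnel-protocol", "gre"]:    # point-to-point GRE only
            cur["gre"] = True
        elif tok[0] in ("source", "destination") and len(tok) == 2:
            cur[tok[0]] = tok[1]
    return ifaces


def resolve(ifaces, value):
    """A tunnel source is an address or an interface name; return the address or None."""
    if value is None or _is_ip(value):
        return value
    return ifaces.get(value.lower(), {}).get("ip")


def check_direction(a_name, a, b_name, b):
    """Check every GRE tunnel on device a against the GRE tunnels on device b."""
    findings = []
    b_tunnels = [t for t in b.values() if t.get("gre")]
    for key, tun in a.items():
        if not tun.get("gre"):
            continue
        label = f"{a_name} {tun['name']}"
        src, dst = resolve(a, tun.get("source")), tun.get("destination")
        if src is None or dst is None:
            findings.append(f"{label}: source or destination missing or unresolvable")
            continue
        local = {i["ip"] for k, i in a.items() if "ip" in i and k != key}
        if src not in local:
            findings.append(f"{label}: source {src} is not an address of a local interface")
        peers = [p for p in b_tunnels if resolve(b, p.get("source")) == dst]
        if not peers:
            findings.append(f"{label}: no GRE tunnel on {b_name} is sourced from {dst}")
        elif all(p.get("destination") != src for p in peers):
            findings.append(f"{label}: {b_name} {peers[0]['name']} points back to "
                            f"{peers[0].get('destination')}, expected {src}")
    return findings


def check_pair(a_name, a_cfg, b_name, b_cfg):
    """Check the mirror rule in both directions; an empty list means consistent."""
    a, b = parse_device(a_cfg), parse_device(b_cfg)
    return check_direction(a_name, a, b_name, b) + check_direction(b_name, b, a_name, a)


def sample(wan_ip, tunnel_ip, source, destination):
    """Build a constructed two-interface configuration in the manual's layout."""
    return (f"interface GigabitEthernet1/0/0\nip address {wan_ip} 255.255.255.0\n#\n"
            f"interface Tunnel0/0/1\nip address {tunnel_ip} 255.255.255.0\n"
            f"tunnel-protocol gre\nsource {source} //tunnel source\n"
            f"destination {destination}\n#\nreturn\n")


# Constructed samples. GOOD_* reuse the 6.2.1 addressing, with one source given as an
# interface name. BAD_2 is sourced from an address the device does not own.
GOOD_A = sample("20.1.1.1", "10.3.1.1", "20.1.1.1", "30.1.1.2")
GOOD_C = sample("30.1.1.2", "10.3.1.2", "GigabitEthernet1/0/0", "20.1.1.1")
BAD_1 = sample("202.138.163.1", "192.168.1.1", "202.138.163.1", "202.138.162.1")
BAD_2 = sample("202.138.162.1", "192.168.1.2", "202.138.163.2", "202.138.163.1")

if __name__ == "__main__":
    print(check_pair("RouterA", GOOD_A, "RouterC", GOOD_C))
    for finding in check_pair("Router_1", BAD_1, "Router_2", BAD_2):
        print(finding)
```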

6.3 DSVPN
6.3.1 Example for Configuring DSVPN to Allow Branches to Learn Routes from Each Other and Implement Communication Between the Branches (Applicable When There Are a Small Number of Branches)

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-60, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.

Figure 6-60 Configuring DSVPN when branches learn routes from each other

Procedure
Step 1 Configure Spoke1.
#
interface Ethernet1/0/0
ip address 2.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 2.1.1.0 0.0.0.255
ospf 2 //Configure OSPF.
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 2 Configure Spoke2.


#
interface Ethernet1/0/0
ip address 3.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.102 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 3.1.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 3 Configure the hub.


#
interface Ethernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry multicast dynamic //Add dynamically registered branch devices to the NHRP multicast member table of the central office device.
ospf network-type broadcast //Set the network type of the OSPF interface to broadcast.
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.


Ping the IP address 172.16.1.102 of Spoke2 from Spoke1. You can see that Spoke1 and
Spoke2 have learned NHRP mapping entries from each other.

----End

Configuration Notes
● If OSPF is configured, the OSPF network type of the tunnel interface must be broadcast.

6.3.2 Example for Configuring DSVPN to Allow Branches to
Learn Only Summarized Routes to the Headquarters and
Implement Communication Between the Branches (Applicable
When There Are a Large Number of Branches)
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-61, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.

Figure 6-61 Configuring DSVPN when branches have only summarized routes to the central
office

Procedure
Step 1 Configure Spoke1.
#
interface Ethernet1/0/0
ip address 2.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
#
ospf 2
area 0.0.0.1
network 2.1.1.0 0.0.0.255
#
return

Step 2 Configure Spoke2.
#
interface Ethernet1/0/0
ip address 3.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.102 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
#
ospf 2
area 0.0.0.1
network 3.1.1.0 0.0.0.255
#
return

Step 3 Configure the hub.


#
interface Ethernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
rip version 2 multicast
rip summary-address 192.168.0.0 255.255.0.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel interface.
nhrp redirect //Enable the NHRP redirect function.
nhrp entry multicast dynamic //Add dynamically registered branch devices to the NHRP multicast member table of the central office device.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
network 192.168.0.0
#
ospf 2
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.


Ping Spoke1 and Spoke2. You can see that Spoke1 and Spoke2 have learned NHRP mapping
entries from each other.

----End

Configuration Notes
● If the dynamic routing protocol RIP is used, enable the split horizon and automatic route
aggregation functions on the tunnel interface of the hub.

6.3.3 Example for Configuring DSVPN to Implement Stable
Communication Between the Branches Through Dual Hubs in the
Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches that
are located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The
subnets of the central office and branches frequently change. The Spokes use dynamic
addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the
enterprise network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.

Figure 6-62 Networking diagram for dual-Hub DSVPN configuration

Procedure
Step 1 Configure Hub1.
#
sysname Hub1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 1000 //Configure a smaller OSPF cost value on Hub1 to ensure that Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
nhrp redirect //The redirect function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return

Step 2 Configure Hub2.


#
sysname Hub2
#
interface GigabitEthernet1/0/0
ip address 1.1.254.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.254 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 3000 //Configure a larger OSPF cost value on Hub2 to ensure that Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
nhrp redirect //The redirect function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.254
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.254.0 0.0.0.255
#
return

Step 3 Configure Spoke1.


#
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 1.1.2.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to Point-to-Multipoint (P2MP) to provide reachable routes to the Hub.
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //After Hub1 recovers, routes to Hub1 are learned again once Hub1 receives NHRP Registration Request packets from the Spokes. Set the interval for sending NHRP Registration Request packets to a proper value to ensure that the Spokes can quickly detect Hub1 recovery. The interval for sending NHRP Registration Request packets is 1800 seconds by default.
nhrp entry 172.16.1.1 1.1.1.10 register
nhrp entry 172.16.1.254 1.1.254.10 register
#
ospf 1 router-id 172.16.1.2 //Configure branch subnets to learn routes from each other.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.2.0 0.0.0.255
#
return

Step 4 Configure Spoke2.


#
sysname Spoke2
#
interface GigabitEthernet1/0/0
ip address 1.1.3.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to Point-to-Multipoint (P2MP) to provide reachable routes to the Hub.
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //After Hub1 recovers, routes to Hub1 are learned again once Hub1 receives NHRP Registration Request packets from the Spokes. Set the interval for sending NHRP Registration Request packets to a proper value to ensure that the Spokes can quickly detect Hub1 recovery. The interval for sending NHRP Registration Request packets is 1800 seconds by default.
nhrp entry 172.16.1.1 1.1.1.10 register
nhrp entry 172.16.1.254 1.1.254.10 register
#
ospf 1 router-id 172.16.1.3 //Configure branch subnets to learn routes from each other.
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.3.0 0.0.0.255
#
return

Step 5 Verify the configuration.


● Verify the DSVPN configuration.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:35:50
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:32:49
Expire time     : --

Number of nhrp peers: 2

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:36:30
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:33:14
Expire time     : --

Number of nhrp peers: 2

NOTE

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view only the
NHRP mapping entries of Hub1 and Hub2.

On the Hubs, check the NHRP mapping entries of Spoke1 and Spoke2.
Run the display nhrp peer all command on Hub1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 02:59:52
Expire time     : 01:59:12
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 02:59:32
Expire time     : 01:59:09

Number of nhrp peers: 2

Run the display nhrp peer all command on Hub2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:21:09
Expire time     : 01:59:51
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:14:13
Expire time     : 01:59:48

Number of nhrp peers: 2

● Check OSPF routing information.


Check the OSPF routing information on Hub.
Run the display ospf 1 routing command on Hub1. The command output is as follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.1


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.1/32 0 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.2/32 1000 Stub 172.16.1.2 172.16.1.2 0.0.0.0
172.16.1.3/32 5562 Stub 172.16.1.2 172.16.1.3 0.0.0.0
172.16.1.254/32 2562 Stub 172.16.1.2 172.16.1.254 0.0.0.0
192.168.1.1/32 1000 Stub 172.16.1.2 172.16.1.2 0.0.0.0
192.168.2.1/32 5562 Stub 172.16.1.2 172.16.1.3 0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Hub2. The command output is as follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.254


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.254/32 0 Stub 172.16.1.254 172.16.1.254 0.0.0.0
172.16.1.1/32 4562 Stub 172.16.1.3 172.16.1.1 0.0.0.0
172.16.1.2/32 5562 Stub 172.16.1.3 172.16.1.2 0.0.0.0
172.16.1.3/32 3000 Stub 172.16.1.3 172.16.1.3 0.0.0.0
192.168.1.1/32 5562 Stub 172.16.1.3 172.16.1.2 0.0.0.0
192.168.2.1/32 3000 Stub 172.16.1.3 172.16.1.3 0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.


Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.2/32 0 Stub 172.16.1.2 172.16.1.2 0.0.0.0
192.168.1.1/32 0 Stub 192.168.1.1 172.16.1.2 0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.3/32 2562 Stub 172.16.1.1 172.16.1.3 0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254 0.0.0.0
192.168.2.1/32 2562 Stub 172.16.1.1 172.16.1.3 0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.3/32 0 Stub 172.16.1.3 172.16.1.3 0.0.0.0
192.168.2.1/32 0 Stub 192.168.2.1 172.16.1.3 0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.2/32 2562 Stub 172.16.1.1 172.16.1.2 0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254 0.0.0.0
192.168.1.1/32 2562 Stub 172.16.1.1 172.16.1.2 0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

● Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:42:50
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:39:49
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      dynamic      route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:19
Expire time     : 01:59:41
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:19
Expire time     : 01:59:41
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.1.1     32    1.1.2.10        172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:19
Expire time     : 01:59:41

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:43:19
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:40:03
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.1.1     32    1.1.2.10        172.16.1.2      dynamic      route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:45
Expire time     : 01:59:15
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:45
Expire time     : 01:59:15
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:45
Expire time     : 01:59:15

Number of nhrp peers: 5

● Shut down the physical interface GE1/0/0 of Hub1. Check the OSPF routing information.
# Run the shutdown command on the interface GE1/0/0 of Hub1.
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] shutdown
[Huawei-GigabitEthernet1/0/0] quit

Check the routing entries on the Spokes if Hub1 fails. The next hop switches to Hub2.
Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.2/32 0 Stub 172.16.1.2 172.16.1.2 0.0.0.0
192.168.1.1/32 0 Stub 192.168.1.1 172.16.1.2 0.0.0.0
172.16.1.3/32 4562 Stub 172.16.1.254 172.16.1.3 0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254 0.0.0.0
192.168.2.1/32 4562 Stub 172.16.1.254 172.16.1.3 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.3/32 0 Stub 172.16.1.3 172.16.1.3 0.0.0.0
192.168.2.1/32 0 Stub 192.168.2.1 172.16.1.3 0.0.0.0
172.16.1.2/32 4562 Stub 172.16.1.254 172.16.1.2 0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254 0.0.0.0
192.168.1.1/32 4562 Stub 172.16.1.254 172.16.1.2 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

● Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:29
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:28
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      dynamic      route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    1.1.3.10        172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.1.1     32    1.1.2.10        172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:22
Expire time     : 01:59:38

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    1.1.1.10        172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:46:54
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.254    32    1.1.254.10      172.16.1.254    static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 04:43:38
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.1.1     32    1.1.2.10        172.16.1.2      dynamic      route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    1.1.2.10        172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.2.1     32    1.1.3.10        172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:43
Expire time     : 01:59:17

Number of nhrp peers: 5

NOTE

Before you run the ping command, clear the NHRP mapping entries that exist on the Spokes.

----End
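
The Hubs in this example learn their Spoke entries dynamically, so the display nhrp peer all output from Step 5 is worth comparing against an address inventory. The following Python sketch is an added example, not part of the Huawei guide: the sample output is constructed in the same layout (including the wrapped separator and Flag column), and the INVENTORY mapping and function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of the Hub1 output above, including the wrapped
# separator ("-" alone on a line) and the wrapped Flag column. The second and third
# peers and all of their timers are invented for this example.
SEP = "-" * 78 + "\n-\n"
HEAD = SEP + "Protocol-addr Mask NBMA-addr NextHop-addr Type Flag\n" + SEP
SAMPLE = (
    HEAD + "172.16.1.3 32 1.1.3.10 172.16.1.3 dynamic route\ntunnel\n" + SEP
    + "Tunnel interface: Tunnel0/0/0\nCreated time : 02:59:52\nExpire time : 01:59:12\n"
    + HEAD + "172.16.1.2 32 203.0.113.77 172.16.1.2 dynamic route\ntunnel\n" + SEP
    + "Tunnel interface: Tunnel0/0/0\nCreated time : 00:01:07\nExpire time : 01:58:53\n"
    + HEAD + "172.16.1.9 32 1.1.9.10 172.16.1.9 dynamic route\ntunnel\n" + SEP
    + "Tunnel interface: Tunnel0/0/0\nCreated time : 00:00:31\nExpire time : 01:59:29\n"
    + "\nNumber of nhrp peers: 3\n"
)

# Hypothetical inventory: Spoke tunnel address -> prefix its public address must come from.
INVENTORY = {"172.16.1.2": "1.1.2.0/24", "172.16.1.3": "1.1.3.0/24"}

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^({IP})\s+(\d+)\s+({IP})\s+({IP})\s+(static|dynamic)\s+(.*)$")


def parse_peers(text):
    """Return (list of peer dicts, peer count reported by the device)."""
    peers, declared, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"} or line.startswith("Protocol-addr"):
            continue                      # blank lines, separators, column header
        m = ROW.match(line)
        if m:
            cur = dict(zip(("protocol", "mask", "nbma", "nexthop", "type", "flag"), m.groups()))
            peers.append(cur)
        elif line.startswith("Number of nhrp peers"):
            declared = int(line.split(":")[1])
        elif ":" in line and cur is not None:
            key, value = (part.strip() for part in line.split(":", 1))
            cur[key.lower()] = value      # "tunnel interface", "created time", "expire time"
        elif cur is not None and "tunnel interface" not in cur:
            cur["flag"] += " " + line     # Flag column wrapped onto its own line
    return peers, declared


def audit(text, inventory):
    """Flag dynamic entries that the inventory does not explain."""
    peers, declared = parse_peers(text)
    findings = []
    if declared is not None and declared != len(peers):
        findings.append(f"parsed {len(peers)} peers but the device reports {declared}")
    for peer in peers:
        if peer["type"] != "dynamic":
            continue                      # static entries come from local configuration
        allowed = inventory.get(peer["protocol"])
        if allowed is None:
            findings.append(f"unknown tunnel address {peer['protocol']} registered from {peer['nbma']}")
        elif ipaddress.ip_address(peer["nbma"]) not in ipaddress.ip_network(allowed):
            findings.append(f"{peer['protocol']} registered from {peer['nbma']}, outside {allowed}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(finding)
```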

Configuration Notes
Different OSPF cost values must be configured on the mGRE interfaces of Hub1 and Hub2 to
ensure that the Spokes learn routes to the interface with a smaller cost value and prefer to use
the master Hub as the next hop device. When the cost value of the route to the master Hub is
larger than that to the backup Hub, Spokes prefer to forward packets through the backup Hub.

FAQ
• Q: Do I need to ensure that routes to the public network are reachable when configuring
DSVPN?
A: Yes. Ensuring reachable routes to the public network is the prerequisite for
implementing DSVPN.
• Q: Should I configure the master and backup Hubs on the same network segment?
A: No. You must not configure the master and backup Hubs on the same network
segment.
• Q: When the master Hub works normally, the backup Hub is in the Inactive state,
wasting resources. Can I configure the backup Hub as a Spoke?

A: Yes. When the master Hub works normally, the backup Hub is in the Inactive state. If
an enterprise has limited resources, you can configure the backup Hub as a Spoke. In this
case, the backup Hub registers with the master Hub in the same way as the other Spokes.
When the master Hub fails, the backup Hub takes over the role of the master and
transmits packets between Spokes.

6.4 IPSec

6.4.1 Example for Manually Establishing an IPSec Tunnel


Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-63, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters
subnet is 10.1.2.0/24.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be manually set up between the branch gateway and headquarters
gateway because they communicate over the Internet and only a few branch gateways need
to be maintained.

Figure 6-63 Manually establishing an IPSec tunnel

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual //Manually create an IPSec policy.
security acl 3101
proposal tran1
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi inbound esp 54321
sa string-key inbound esp cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure authentication key for the inbound SA to huawei.
sa spi outbound esp 12345
sa string-key outbound esp cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure authentication key for the outbound SA to huawei.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy map1
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route with
the destination address as the WAN-side interface of the headquarters.
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2 //Configure a static route with
the destination address as the LAN-side interface of the headquarters.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Headquarters
subnet to Branch subnet.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual //Manually create an IPSec policy.
security acl 3101
proposal tran1
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa string-key inbound esp cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure authentication key for the inbound SA to huawei.
sa spi outbound esp 54321
sa string-key outbound esp cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%# //Configure authentication key for the outbound SA to huawei.
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy use1
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route with
the destination address as the WAN-side interface of the branch.
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route with
the destination address as the LAN-side interface of the branch.
#
return


Step 3 Verify the configuration.


Run the display ipsec sa command on RouterA to view the IPSec tunnel configuration.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• There must be reachable routes between the headquarters and branch.
• All IPSec policies must be bound to WAN-side outbound interfaces.
• The headquarters and branches use the same pre-shared-key.
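
One way to check the pairing visible in the two configurations above before the tunnel is brought up, as an added example (not part of Huawei's documentation or tooling): a script that parses both devices and verifies that the ACLs mirror each other, the tunnel addresses cross over, each inbound SPI equals the peer's outbound SPI, and the ESP proposals match. The function names and the deliberately faulty ROUTER_B_BAD input are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed input: ACL, proposal and manual-policy lines of RouterA and RouterB
# from this example; the sa string-key lines are omitted (no key material needed).
ROUTER_A = """
acl number 3101
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy map1 10 manual
security acl 3101
proposal tran1
tunnel local 1.1.1.1
tunnel remote 2.1.1.1
sa spi inbound esp 54321
sa spi outbound esp 12345
"""
ROUTER_B = """
acl number 3101
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ipsec policy use1 10 manual
security acl 3101
proposal tran1
tunnel local 2.1.1.1
tunnel remote 1.1.1.1
sa spi inbound esp 12345
sa spi outbound esp 54321
"""
# Constructed faulty peer: ACL destination widened, SPIs copied from RouterA unswapped.
ROUTER_B_BAD = (ROUTER_B
                .replace("destination 10.1.1.0 0.0.0.255", "destination 10.1.0.0 0.0.255.255")
                .replace("inbound esp 12345", "inbound esp 54321")
                .replace("outbound esp 54321", "outbound esp 12345"))

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def wildcard_net(addr, wildcard):
    """Turn an address and a wildcard mask (0.0.0.255) into an ip_network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL rules, ESP proposals and the manual policy of one device."""
    cfg = {"acls": {}, "proposals": {}, "policy": {}}
    view = (None, None)  # (kind, name) of the configuration view being read
    for raw in text.splitlines():
        words = raw.split("//")[0].split()  # drop trailing //comments
        if not words or words[0] == "#":
            continue
        if words[:2] == ["acl", "number"]:
            view = ("acl", int(words[2]))
            cfg["acls"][view[1]] = set()
        elif words[:2] == ["ipsec", "proposal"]:
            view = ("proposal", words[2])
            cfg["proposals"][view[1]] = {}
        elif words[:2] == ["ipsec", "policy"] and words[-1] == "manual":
            view = ("policy", words[2])
        elif view[0] == "acl" and (m := RULE_RE.match(" ".join(words))):
            cfg["acls"][view[1]].add((wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])))
        elif view[0] == "proposal" and words[0] == "esp":
            cfg["proposals"][view[1]][words[1]] = words[2]
        elif view[0] == "policy":
            if words[:2] == ["security", "acl"]:
                cfg["policy"]["acl"] = int(words[2])
            elif words[0] == "proposal":
                cfg["policy"]["proposal"] = words[1]
            elif words[0] == "tunnel":
                cfg["policy"][words[1]] = words[2]  # "local" / "remote"
            elif words[:2] == ["sa", "spi"]:
                cfg["policy"]["spi_" + words[2]] = int(words[4])
    return cfg


def check_pair(a, b):
    """Return the mismatches between two ends; an empty list means they pair up."""
    pa, pb, problems = a["policy"], b["policy"], []
    mirrored = {(dst, src) for src, dst in b["acls"][pb["acl"]]}
    if a["acls"][pa["acl"]] != mirrored:
        problems.append("ACL rules are not mirror images")
    if (pa["local"], pa["remote"]) != (pb["remote"], pb["local"]):
        problems.append("tunnel local/remote addresses do not cross over")
    for mine, theirs in (("spi_inbound", "spi_outbound"), ("spi_outbound", "spi_inbound")):
        if pa[mine] != pb[theirs]:
            problems.append(f"{mine} {pa[mine]} does not match peer {theirs} {pb[theirs]}")
    if a["proposals"][pa["proposal"]] != b["proposals"][pb["proposal"]]:
        problems.append("ESP algorithms differ")
    return problems


if __name__ == "__main__":
    a = parse_config(ROUTER_A)
    print("page config:", check_pair(a, parse_config(ROUTER_B)) or "consistent")
    print("faulty peer:", check_pair(a, parse_config(ROUTER_B_BAD)))
```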

6.4.2 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (Without DPD)

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-64, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.

Figure 6-64 Network diagram for configuring IKE negotiation

Procedure
Step 1 Configure RouterA.
#
acl number 3101 //Configure an ACL.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike local-name huawei01
#
ike peer spub v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei02 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
local-address 1.1.1.1
remote-address 2.1.1.1
#
ipsec policy map1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spub
proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2
#
interface Ethernet1/0/0 //Configure an external network interface.
ip address 1.1.1.1 255.255.255.0
ipsec policy map1
#
interface Ethernet2/0/0 //Configure an internal network interface.
ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure RouterB.


#
acl number 3101 //Configure an ACL.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike local-name huawei02
#
ike peer spua v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei01 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
local-address 2.1.1.1
remote-address 1.1.1.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2
#
interface Ethernet1/0/0 //Configure an external network interface.
ip address 2.1.1.1 255.255.255.0
ipsec policy use1
#
interface Ethernet2/0/0 //Configure an internal network interface.
ip address 10.1.2.1 255.255.255.0
#
return

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• There must be reachable routes between the headquarters and branch.

6.4.3 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (with DPD)

Specifications
This example applies to all versions and routers.


Networking Requirements
The Headquarters and Branch establish an IPSec connection, and both are configured with
DPD. DPD is configured on the Branch to check whether the IPSec peer across the tunnel
between the Headquarters and Branch is alive. This prevents a communication interruption
between the Headquarters and Branch if the IPSec SA of the Branch is deleted by mistake
on the Headquarters router. If DPD is not configured, the Branch keeps sending
encrypted data to the Headquarters, but the Headquarters cannot decrypt the data,
which interrupts communication.

Figure 6-65 Networking diagram of IKE DPD


Procedure
Step 1 Configure the Headquarters.
#
sysname Headquarters
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Headquarters
subnet to Branch subnet.
rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer Center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 1.2.2.1 //Configure an IP address for the remote IKE peer.
dpd type on-demand //Set the on-demand DPD mode.
ike-proposal 5
#
ipsec policy center 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer Center
proposal def
#
interface Ethernet1/0/0
ip address 1.2.1.1 255.255.255.0
ipsec policy center
#
interface Ethernet2/0/0
ip address 10.1.0.1 255.255.255.0
#
ip route-static 1.2.2.0 255.255.255.0 1.2.1.2 //Configure a static route with
the destination address as the WAN-side interface of the Branch.
ip route-static 10.2.0.0 255.255.255.0 1.2.1.2 //Configure a static route with
the destination address as the LAN-side interface of the Branch.
#
return

Step 2 Configure the Branch.


#
sysname Branch
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 0 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal def //Configure IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer Branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 1.2.1.1 //Configure an IP address for the remote IKE peer. This is the address of Ethernet1/0/0 on the Headquarters.
dpd type on-demand //Set the on-demand DPD mode.
ike-proposal 5
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer Branch
proposal def
#
interface Ethernet1/0/0
ip address 1.2.2.1 255.255.255.0
ipsec policy branch
#
interface Ethernet2/0/0
ip address 10.2.0.1 255.255.255.0
#
ip route-static 1.2.1.0 255.255.255.0 1.2.2.2 //Configure a static route with
the destination address as the WAN-side interface of the Headquarters.
ip route-static 10.1.0.0 255.255.255.0 1.2.2.2 //Configure a static route with
the destination address as the LAN-side interface of the Headquarters.
#
return

Step 3 Verify the configuration.


1. Run the display ike sa verbose and display ipsec sa commands on the Headquarters to
view the IPSec tunnel configuration.
2. Shut down the link on the Branch and ping the Branch from the Headquarters. You can
see DPD requests initiated by the Headquarters.

----End

6.4.4 Example for Establishing an IPSec Tunnel That Traverses NAT Devices

Specifications
This example applies to all versions and routers.

Networking Requirements
When a NAT gateway is deployed between two devices of the IPSec tunnel, the two devices
are required to support NAT traversal.
As shown in Figure 6-66, RouterA is the egress gateway of a branch network and RouterB is
the egress gateway of the headquarters network. RouterA and RouterB translate addresses
through the NATER and they establish an IPSec tunnel in aggressive mode. The IPSec tunnel
supports NAT traversal.

Figure 6-66 Networking diagram of NAT traversal


Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the host name of the device.
#
ike local-name RouterA //Configure the local host name used in IKE negotiation.
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name RouterB //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on
the device by default, and this command is not supported. In versions later than
V200R008, this command is supported.
#
ipsec policy-template rta_temp 1 //Create an IPSec policy template.
ike-peer rta
proposal rta
#
ipsec policy rta 1 isakmp template rta_temp //Specify the IPSec policy template
used to create SAs.
#
interface Ethernet1/0/0
ip address 1.2.0.1 255.255.255.0
ipsec policy rta
#
interface Ethernet2/0/0
ip address 10.1.0.1 255.255.255.0
#
ip route-static 10.2.0.0 255.255.255.0 1.2.0.2 //Configure a static route to 10.2.0.0.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the host name of the device.
#
ike local-name RouterB //Configure the local host name used in IKE negotiation.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.2.0.0 0.255.255.255 destination 10.1.0.0 0.255.255.255
#
ipsec proposal rtb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name RouterA //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
remote-address 1.2.0.1 //Configure the IKE peer address.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on
the device by default, and this command is not supported. In versions later than
V200R008, this command is supported.
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rtb
proposal rtb
#
interface Ethernet1/0/0
ip address 192.168.0.2 255.255.255.0
ipsec policy rtb
#
interface Ethernet2/0/0
ip address 10.2.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 //Configure a static route.
#
return

Step 3 Configure the NATER.


#
sysname NATER //Configure the host name of the device.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 1.2.0.0 0.0.0.255
#
interface Ethernet1/0/0
ip address 1.2.0.2 255.255.255.0
nat outbound 3000 //Configure outbound NAT.
#
interface Ethernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
return

Step 4 Verify the configuration.


Run the ping command to trigger IPSec session setup. Run the display ike sa verbose and
display ipsec sa commands on RouterA to view the IPSec tunnel configuration.

----End

Configuration Notes
• Ensure that RouterA and RouterB can communicate through the NATER.
• RouterA functions as the IPSec responder and needs to be configured with an IPSec
template.
• RouterA and RouterB must support NAT traversal.
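
How the two peers find out that a NAT device sits between them, as an added example that goes beyond this page and is not Huawei's code: it follows the NAT-D comparison defined in RFC 3947, using the addresses of RouterA, RouterB and the NATER from this example. The IKE cookies and the ports chosen by the NATER are constructed values, and SHA-256 is assumed as the hash because the IKE proposal above uses sha2-256.

```python
import hashlib
import ipaddress
import struct

# Constructed values: IKE cookies and the source ports picked by the NAT device.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
NAT_PORT_IKE = 2048    # mapping for RouterB's UDP 500 flow
NAT_PORT_NATT = 2049   # mapping for RouterB's UDP 4500 flow

# Addresses from this example's configuration.
ROUTER_A = "1.2.0.1"        # responder, public address
ROUTER_B = "192.168.0.2"    # initiator, private address behind the NATER
NATER_OUTSIDE = "1.2.0.2"   # address RouterB is translated to (nat outbound)


def nat_d_hash(ip, port, hash_name="sha256"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(src, dst):
    """Payloads the sender adds: the remote end first, then its own end."""
    return [nat_d_hash(*dst), nat_d_hash(*src)]


def detect_nat(payloads, seen_src, seen_dst):
    """Receiver-side comparison, using the addresses on the packet as it arrived."""
    return {
        # The first payload must equal the hash of the receiver's own address and port.
        "local_behind_nat": payloads[0] != nat_d_hash(*seen_dst),
        # One of the remaining payloads must equal the hash of the observed source.
        "peer_behind_nat": nat_d_hash(*seen_src) not in payloads[1:],
    }


def aggressive_mode_message2():
    """RouterA answers RouterB; the NATER rewrites the destination on the way in."""
    payloads = build_nat_d((ROUTER_A, 500), (NATER_OUTSIDE, NAT_PORT_IKE))
    # After translation RouterB sees its private address as the destination.
    return detect_nat(payloads, seen_src=(ROUTER_A, 500), seen_dst=(ROUTER_B, 500))


def aggressive_mode_message3():
    """RouterB, having detected the NAT, sends from UDP 4500; the NATER rewrites the source."""
    payloads = build_nat_d((ROUTER_B, 4500), (ROUTER_A, 4500))
    return detect_nat(payloads, seen_src=(NATER_OUTSIDE, NAT_PORT_NATT),
                      seen_dst=(ROUTER_A, 4500))


def no_nat_baseline():
    """The same exchange with no translation in the path: every hash matches."""
    peer = ("2.1.1.1", 500)  # constructed public peer address
    payloads = build_nat_d((ROUTER_A, 500), peer)
    return detect_nat(payloads, seen_src=(ROUTER_A, 500), seen_dst=peer)


if __name__ == "__main__":
    print("RouterB evaluating message 2:", aggressive_mode_message2())
    print("RouterA evaluating message 3:", aggressive_mode_message3())
    print("no NAT in the path:          ", no_nat_baseline())
```

When either comparison fails, both peers keep the IKE exchange on UDP 4500 and carry ESP inside UDP, which is what lets the NATER translate the protected traffic.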

6.4.5 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters to Implement Separate Protection of Multiple Access Resources in the Headquarters

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-67, there are multiple network segments in the headquarters. The
branch needs to use different keys to access different network segments in the headquarters.

Figure 6-67 Configuring IPSec to protect flows on multiple network segments

Procedure
Step 1 Configure RouterA.
#
sysname RouterA

#
acl number 3000 //Configure ACL 3000 to match traffic sent from 192.168.1.0/24
to 10.6.0.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 192.168.1.0/24
to 10.6.1.0/24.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#pf$s.~E0h*hws%-7cwv&ItP3Bfw7DN`{)~~Sh'H'%^%# //
Configure the authentication password in the pre-shared key to huawei@123, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei@123, and the password is displayed in plain text.
ike-proposal 5
local-address 1.0.1.1
remote-address 1.0.2.254
#
ike peer center2 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#19+-M|4}f2,%g3/9IT#C46mnQm+@3;,Eh^"3>eVI%^%# //
Configure the authentication password in the pre-shared key to huawei@321, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei@321, and the password is displayed in plain text.
ike-proposal 5
local-address 1.0.1.1
remote-address 1.0.2.254
#
ipsec policy center 10 isakmp //Configure an IPSec policy center with sequence
number 10 to protect the traffic sent from the branch to network segment
10.6.0.0/24.
security acl 3000
ike-peer center1
proposal default
#
ipsec policy center 20 isakmp //Configure an IPSec policy center with sequence
number 20 to protect the traffic sent from the branch to network segment
10.6.1.0/24.
security acl 3001
ike-peer center2
proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the branch.
ip address 1.0.1.1 255.255.255.0
ipsec policy center //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface of the branch.
ip address 192.168.1.1 255.255.255.0
#
ip route-static 10.0.0.0 255.0.0.0 1.0.1.2 //Configure a static route with the
destination address as the interface IP address of the headquarters.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000 //Configure ACL 3000 to match traffic sent from 10.6.0.0/24 to
192.168.1.0/24.
rule 0 permit ip source 10.6.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 10.6.1.0/24 to
192.168.1.0/24.
rule 0 permit ip source 10.6.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#&,/=<KeGs@/vTKYku>`HM:$CU,_!P<Ijhb~*U[PU%^%# //
Configure the authentication password in the pre-shared key to huawei@123, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei@123, and the password is displayed in plain text.
ike-proposal 5
local-address 1.0.2.254
remote-address 1.0.1.1
#
ike peer branch2 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#e6'U*sl_&<I-qIL>}zr9W-r8(RR:#A*{4WC~j2|W%^%# //
Configure the authentication password in the pre-shared key to huawei@321, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei@321, and the password is displayed in plain text.
ike-proposal 5
local-address 1.0.2.254
remote-address 1.0.1.1
#

ipsec policy branch 10 isakmp //Configure an IPSec policy branch with sequence
number 10 to protect the traffic sent from the branch to network segment
10.6.0.0/24.
security acl 3000
ike-peer branch1
proposal default
#
ipsec policy branch 20 isakmp //Configure an IPSec policy branch with sequence
number 20 to protect the traffic sent from the branch to network segment
10.6.1.0/24.
security acl 3001
ike-peer branch2
proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the headquarters.
ip address 1.0.2.254 255.255.255.0
ipsec policy branch //Configure an IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure LAN-side interface 1 of the headquarters.
ip address 10.6.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.6.1.1 255.255.255.0 //Configure LAN-side interface 2 of the headquarters.
#
ip route-static 192.168.1.0 255.255.255.0 1.0.2.2 //Configure a static route
with the destination address as the interface IP address of the branch.
#
return

Step 3 Verify the configuration.


Run the display ike sa command to view SA information.
Devices at both ends can exchange encrypted data.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• Both routers must be configured with IPSec policies.
• All IPSec policies must be bound to WAN-side outbound interfaces.
• Ensure that outbound interfaces in the headquarters and branch can exchange packets.

6.4.6 Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters

Specifications
This example applies to all versions and routers.

Networking Requirements
An enterprise establishes multiple branches in different areas due to service expansion. The
branch gateways connect to the Internet using PPPoE. As shown in Figure 6-68, RouterA
(branch gateway) and RouterB (headquarters gateway) communicate through the Internet.
Branch devices need to access service servers in the headquarters to carry out services. Data
transmitted between the headquarters and branches needs to be encrypted to ensure service
security.

Figure 6-68 Networking diagram for configuring IPSec on the dialer interface

NOTE

If both the branch gateway and headquarters gateway connect to the public network through PPPoE, the
remote-address host-name command must be run on them to specify the domain name for IPSec
negotiation. Otherwise, the IPSec tunnel cannot be established.

Procedure
Step 1 Configure RouterA
#
sysname RouterA
#
acl number 3003 //Configure ACL 3003 to match traffic sent from Branch to Headquarters.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 1.1.1.6
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Configure a dialer interface.
link-protocol ppp
ppp chap user user@huawei.com //Configure CHAP authentication.
ppp chap password cipher %@%@^_PfANXK0(,Jr-(3p]"R,eOL%@%@ //Set the CHAP
authentication password to Huawei@2012.
ip address ppp-negotiate
dialer user huawei //Configure a dialer user.
dialer bundle 1 //Specify the dialer group.
dialer-group 1 //Specify a dialer ACL.
ipsec policy policy1 //Configure an IPSec policy.
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 //Bind dialer group 1 to the PPPoE_Client.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an internal network interface.
#
dialer-rule //Configure a dialer ACL.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route pointing to
the dialer interface.
#
return

Step 2 Configure RouterB


#
sysname RouterB
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp1 //Configure an IPSec policy template.
ike-peer rut1
proposal prop1
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy and
reference the policy template.
#
interface GigabitEthernet1/0/0 //Configure a public network interface.
ip address 1.1.1.6 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0 //Configure an internal network interface.
ip address 10.1.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 //Configure a static route to the
internal network of the remote side.
#
return

Step 3 Verify the configuration.


Run the display ike sa verbose and display ipsec sa commands to view the IPSec tunnel
configuration.

----End

Configuration Notes
• The PPPoE_Server address must be specified on the PPPoE_Client.
• On the PPPoE_Client, the IKE peer address must be specified because an IPSec policy is
  used. On the PPPoE_Server, you do not need to specify the IKE peer address because an
  IPSec policy template is used.

6.4.7 Example for Configuring Two Devices to Pass PKI Identity Authentication Before Establishing an IPSec Tunnel

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-69, devices in two subnets communicate with the Internet using
their respective gateways and need to establish an IPSec tunnel to transmit data flows. To
meet this requirement, perform the following operations:
• Establish an IPSec tunnel between the two gateways to protect the data flows
  transmitted between subnet Group1 at 10.1.1.0/24 and subnet Group2 at 10.2.1.0/24.
• Establish a security tunnel between the two gateways using Internet Key Exchange (IKE)
  negotiation. During IKE negotiation, PKI certificates are used for identity authentication.

Figure 6-69 Configuring PKI in IPSec

Table 6-1 Data plan of RouterA

Item            Data

PKI entity      PKI entity name: routera
                • Entity's common name: helloa
                • Country code: CN
                • Entity's province name: jiangsu
                • Entity's organization name: huawei
                • Entity's department name: info

PKI domain      PKI domain name: testa
                • Trusted CA: ca_root
                • Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
                • Bound entity name: routera
                • CA's fingerprint algorithm: SHA2
                  Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D17A34D94624B1C1BCBF6D763C4A67035D

IKE proposal    • Encryption algorithm: AES-CBC-128
                • Authentication mode: rsa-signature
                • Authentication algorithm: AES-XCBC-MAC-96

IKE peer        • IKE peer name: routera
                • Local peer ID type: IP address
                • Local IP address: 1.1.1.1
                • Remote IP address: 2.2.2.1
                • Negotiation mode: main

IPSec proposal  • Transport protocol: ESP
                • Authentication algorithm: SHA2-256
                • Encryption algorithm: AES-128
                • Encapsulation mode: tunnel

IPSec policy    SA triggering mode: automatic

Table 6-2 Data plan of RouterB

Item            Data

PKI entity      PKI entity name: routerb
                • Entity's common name: hellob
                • Country code: CN
                • Entity's province name: jiangsu
                • Entity's organization name: huawei
                • Entity's department name: marketing

PKI domain      PKI domain name: testb
                • Trusted CA: ca_root
                • Certificate's enrollment URL: http://10.137.145.158:8080/certsrv/mscep/mscep.dll
                • Bound entity name: routerb
                • CA's fingerprint algorithm: SHA2
                  Fingerprint: 17A34D94624B1C1BCBF6D763C4A67035D17A34D94624B1C1BCBF6D763C4A67035D

IKE proposal    • Encryption algorithm: AES-CBC-128
                • Authentication mode: rsa-signature
                • Authentication algorithm: AES-XCBC-MAC-96

IKE peer        • IKE peer name: routerb
                • Negotiation mode: main
                • Local peer ID type: IP address
                • Local IP address: 2.2.2.1
                • Remote IP address: 1.1.1.1

IPSec proposal  • Transport protocol: ESP
                • Authentication algorithm: SHA2-256
                • Encryption algorithm: AES-128
                • Encapsulation mode: tunnel

IPSec policy    SA triggering mode: automatic

Procedure
Step 1 Configure RouterA.
#
router id 10.1.1.1
#
pki entity routera //Configure a PKI entity.
country CN
state jiangsu
organization huawei
organization-unit info
common-name helloa
#
pki realm testa //Configure a PKI domain.
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routera
fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
certificate-check none
rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate
application. This key pair is created in advance by running the pki rsa
local-key-pair create command. This command is supported in V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password
used in SCEP certificate application to 6AE73F21E6D3571D. This command is
supported in V200R008 and later versions.
auto-enroll 60 regenerate //Enable automatic certificate enrollment and update.
This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal routera //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity
authentication.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm aes-xcbc-mac-96
authentication-method rsa-signature
#
ike peer routera v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
local-address 1.1.1.1
remote-address 2.2.2.1
pki realm testa
#
ipsec policy routera 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer routera
proposal routera
#
interface Ethernet2/0/0 //Configure an internal network interface.
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure an external network interface.
ip address 1.1.1.1 255.255.255.0
ipsec policy routera
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
router id 10.2.1.1
#
pki entity routerb //Configure a PKI entity.
country CN
state jiangsu
organization huawei
organization-unit marketing
common-name hellob
#
pki realm testb //Configure a PKI domain.
ca id ca_root
enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
entity routerb
fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
certificate-check none
rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate
application. This key pair is created in advance by running the pki rsa
local-key-pair create command. This command is supported in V200R008 and later versions.
password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password
used in SCEP certificate application to 6AE73F21E6D3571D. This command is
supported in V200R008 and later versions.
auto-enroll 60 regenerate //Enable automatic certificate enrollment and update.
This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0
#
ipsec proposal routerb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity
authentication.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm aes-xcbc-mac-96
authentication-method rsa-signature
#
ike peer routerb v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
local-address 2.2.2.1
remote-address 1.1.1.1
pki realm testb
#
ipsec policy routerb 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer routerb
proposal routerb
#
interface Ethernet2/0/0 //Configure an internal network interface.
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure an external network interface.
ip address 2.2.2.1 255.255.255.0
ipsec policy routerb
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

----End

Configuration Notes
• During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local
  certificates, IKE negotiation fails.
• ACLs configured on devices in the headquarters and branch must mirror each other.
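
Before enrollment, the pki realm and ike peer blocks can be checked for internal consistency. The following Python check is an added example, not part of the Huawei guide: it parses the RouterA settings from Step 1 and reports dangling references, a CA fingerprint whose length does not fit its algorithm, and disabled revocation checking. The function names are hypothetical; it assumes that sha2 denotes SHA-256 and that certificate-check none turns off revocation checking.

```python
import re

# Assumption: the "sha2" keyword on this page denotes SHA-256 (64 hex digits).
DIGEST_HEX = {"sha2": 64}


def blocks(config):
    """Split '#'-separated VRP-style text into {header line: [sub-commands]}."""
    out, header = {}, None
    for raw in config.splitlines():
        line = re.split(r"\s+//", raw)[0].strip()  # drop the guide's // notes
        if not line:
            continue
        if line == "#":
            header = None
        elif header is None:
            header, out[line] = line, []
        else:
            out[header].append(line)
    return out


def fingerprint_problems(algorithm, value):
    """Check that a CA fingerprint is hex and as long as its digest requires."""
    expected = DIGEST_HEX.get(algorithm)
    if expected is None:
        return [f"fingerprint algorithm {algorithm} is not covered by this check"]
    problems = []
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        problems.append(f"{algorithm} fingerprint is not hexadecimal")
    if len(value) != expected:
        problems.append(
            f"{algorithm} fingerprint has {len(value)} hex digits, expected {expected}")
    return problems


def check_pki(config):
    """Return findings for the pki realm and ike peer blocks of one device."""
    cfg = blocks(config)
    entities = {h.split()[2] for h in cfg if h.startswith("pki entity ")}
    realms = {h.split()[2]: b for h, b in cfg.items() if h.startswith("pki realm ")}
    findings = []
    for name, body in realms.items():
        opts = {line.split()[0]: line.split()[1:] for line in body}
        entity = opts.get("entity", ["<none>"])[0]
        if entity not in entities:
            findings.append(f"realm {name}: entity {entity} is not defined")
        if len(opts.get("fingerprint", [])) == 2:
            findings += [f"realm {name}: {p}"
                         for p in fingerprint_problems(*opts["fingerprint"])]
        # Assumption: "none" means the peer certificate's revocation status
        # is not checked against a CRL or OCSP responder.
        if opts.get("certificate-check") == ["none"]:
            findings.append(
                f"realm {name}: certificate-check none, revocation status is not checked")
    for header, body in cfg.items():
        if header.startswith("ike peer "):
            for line in body:
                if line.startswith("pki realm ") and line.split()[2] not in realms:
                    findings.append(
                        f"{' '.join(header.split()[:3])}: {line} is not defined")
    return findings


# RouterA settings copied from Step 1 of 6.4.7 (annotations and the
# challenge-password, key-pair and auto-enroll lines omitted).
ROUTERA_647 = """\
#
pki entity routera
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name helloa
#
pki realm testa
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
 certificate-check none
#
ike peer routera v2
 ike-proposal 1
 local-address 1.1.1.1
 remote-address 2.2.2.1
 pki realm testa
#
"""

# Constructed variant with two dangling references, to show the failure output.
BROKEN = (ROUTERA_647.replace("\n entity routera", "\n entity routerx")
          .replace("pki realm testa\n#", "pki realm testb\n#"))

# Fingerprint value as printed in Table 6-1 of this page.
TABLE_6_1_FINGERPRINT = (
    "17A34D94624B1C1BCBF6D763C4A67035D17A34D94624B1C1BCBF6D763C4A67035D")

if __name__ == "__main__":
    for label, text in (("RouterA", ROUTERA_647), ("constructed", BROKEN)):
        for finding in check_pki(text):
            print(f"{label}: {finding}")
    print(fingerprint_problems("sha2", TABLE_6_1_FINGERPRINT))
```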

6.4.8 Example for Configuring VRRP in the Headquarters to Allow the Branch to Establish an IPSec Tunnel with the Headquarters Using the VRRP Virtual Address
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-70, RouterA, RouterB, and RouterC connect to one switch. RTA and
RTB constitute a VRRP group with virtual IP address 1.0.2.128. RouterA functions as the
VRRP master and RouterB functions as the backup. An IPSec session is set up between
RouterC and the virtual IP address of the VRRP group.

Figure 6-70 Networking diagram for configuring an IPSec session

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.2.128
remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure the connected interface.
ip address 1.0.2.1 255.255.255.0
vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128
for VRRP group 1 and use the default priority.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure an internal network interface.
ip address 192.168.0.1 255.255.255.0
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.3 //Configure a static route to
the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.3 //Configure a static route to
the branch network.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.2.128
remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet2/0/0 //Configure the internal network interface.
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the connected interface.
ip address 1.0.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128
for VRRP group 1.
vrrp vrid 1 priority 80 //Set the priority of VRRP group 1 to 80 so that
RouterB becomes the backup.
ipsec policy branch //Bind the IPSec policy.
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.4 //Configure a static route to
the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.4 //Configure a static route to
the branch network.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.1.254
remote-address 1.0.2.128
#
ipsec policy center 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#
interface Ethernet2/0/0 //Configure the connected interface.
ip address 1.0.1.254 255.255.255.0
ipsec policy center //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure the internal network interface.
ip address 192.168.1.1 255.255.255.0
#
ip route-static 1.0.2.0 255.255.255.0 1.0.1.2 //Configure a static route
to the headquarters gateway.
ip route-static 192.168.0.0 255.255.255.0 1.0.2.128 //Configure a static route
to the headquarters network.
#
return

Step 4 Verify the configuration.


Run the display ike sa command on RouterA, RouterB, or RouterC to view SA information.
Run the display vrrp command on RouterA or RouterB to view the VRRP status.
The routers in the branches can successfully ping the VRRP virtual IP address.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branches must mirror each other.
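
The mirrored-ACL requirement in the notes can be checked offline before IKE negotiation is attempted. The following Python check is an added example, not part of the Huawei guide; the function names are hypothetical, and the sample rules are copied from the ACL 3000 definitions in 6.4.8 (RouterA, RouterC) and 6.4.7 (RouterA, RouterB) on this page. It assumes contiguous wildcard masks and compares permit rules only.

```python
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")
RULE = re.compile(
    r"^rule\s+\d+\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?$"
)


def to_network(addr, wildcard):
    """Convert 'address wildcard' (wildcard may be the shorthand 0) to a network."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    mask = 0xFFFFFFFF ^ wc
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not handled")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def permit_flows(config, acl_number):
    """Return the set of (source, destination) networks permitted by one ACL."""
    flows, inside = set(), False
    for raw in config.splitlines():
        line = re.split(r"\s+//", raw)[0].strip()  # drop the guide's // notes
        if line.startswith("acl number "):
            inside = line.split()[2] == str(acl_number)
            continue
        if line == "#":
            inside = False
        match = RULE.match(line) if inside else None
        if match and match.group(1) == "permit":
            src = to_network(match.group(2), match.group(3)) if match.group(2) else ANY
            dst = to_network(match.group(4), match.group(5)) if match.group(4) else ANY
            flows.add((src, dst))
    return flows


def mirror_gaps(local_cfg, remote_cfg, acl_number=3000):
    """Return (rules the remote side lacks, rules the local side lacks)."""
    local = permit_flows(local_cfg, acl_number)
    remote = permit_flows(remote_cfg, acl_number)
    missing_on_remote = {(d, s) for s, d in local} - remote
    missing_on_local = {(d, s) for s, d in remote} - local

    def fmt(flows):
        return sorted(f"{s} -> {d}" for s, d in flows)

    return fmt(missing_on_remote), fmt(missing_on_local)


# ACL 3000 as printed in 6.4.8 (headquarters RouterA, branch RouterC).
ROUTERA_648 = """\
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
"""
ROUTERC_648 = """\
acl number 3000 //Configure an ACL.
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
"""

# ACL 3000 as printed in 6.4.7 (RouterA, RouterB).
ROUTERA_647 = """\
acl number 3000
rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
"""
ROUTERB_647 = """\
acl number 3000
rule 5 permit ip source 2.2.2.1 0 destination 1.1.1.1 0
rule 10 permit ip source 10.2.1.1 0 destination 10.1.1.1 0
#
"""

if __name__ == "__main__":
    for name, a, b in (("6.4.8", ROUTERA_648, ROUTERC_648),
                       ("6.4.7", ROUTERA_647, ROUTERB_647)):
        on_remote, on_local = mirror_gaps(a, b)
        print(name, "mirrored" if not (on_remote or on_local) else "NOT mirrored")
        for flow in on_remote:
            print("  remote side lacks:", flow)
        for flow in on_local:
            print("  local side lacks: ", flow)
```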

6.4.9 Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-71, RouterA functions as the headquarters gateway, and RouterB and
RouterC function as branch gateways. Branches connect to multiple private networks and
secure channels need to be set up between the headquarters and branches. An IPSec policy
template is configured on RouterA and is used for establishing IPSec tunnels.

Figure 6-71 Networking diagram for configuring access to multiple branches using an IPSec
policy template

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.1.1.1
#
ipsec policy-template branch 1 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy hk 1 isakmp template branch //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for setting up
an IKE connection and encapsulating the outer IP address.
ip address 1.1.1.1 255.255.255.0
ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0 //Configure the router interface connected to
a private network.
#
interface GigabitEthernet0/0/2
ip address 10.11.1.1 255.255.255.0 //Configure the router interface connected
to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000 //Configure ACL 3000 and define two rules.
rule 0 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.22.2.0 0.0.0.255 destination 10.11.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.2.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#
interface Ethernet1/0/1 //Configure an interconnection interface for setting up
an IKE connection and encapsulating the outer IP address.
ip address 1.2.1.1 255.255.255.0
ipsec policy hk
#
interface GigabitEthernet0/0/0
ip address 10.22.2.1 255.255.255.0 //Configure the router interface connected
to a private network.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure the router interface connected to
another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2 //Configure a static route.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
acl number 3000 //Configure ACL 3000 and define two rules.
rule 0 permit ip source 10.4.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.44.4.0 0.0.0.255 destination 10.11.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.4.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 1.4.1.1 255.255.255.0
ipsec policy hk
#
interface Ethernet2/0/0
ip address 10.44.4.1 255.255.255.0 //Configure the router interface connected
to a private network.
#
interface GigabitEthernet0/0/2
ip address 10.4.4.1 255.255.255.0 //Configure the router interface connected to
another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.4.1.2 //Configure a static route.
#
return

Step 4 Verify the configuration.


Run the display ike sa command on the LAC or LNS to view SA information.
Devices at both ends can exchange encrypted data.

----End

Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
  not need to specify the remote address or remote name of the IKE peer.
• The headquarters and branches use the same pre-shared key.

6.4.10 Example for Configuring the Branch to Access the Internet Through the 3G Interface and Configuring the Headquarters to Establish an IPSec Tunnel with the Branch Using the IPSec Policy Template
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 3G interface to dynamically obtain an IP address from a provider. When
deploying an IPSec policy, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.
After an IPSec tunnel is established, branch users can only access internal resources of the
headquarters. The NAT function can be configured on RouterA to allow branch users to
access external networks.

Figure 6-72 Establishing an SA using an IPSec policy template

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 //Configure an ACL to protect data flows to an external network.
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 13.1.1.1 //Configure the remote address used for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3gprofile //Create an APN profile.
user name 3guser password cipher %@%@,)AK/L"R0'^5%YUBDqKP#^y>%@%@ authentication-mode auto
apn 3GNET
#
interface Cellular0/0/1 //Set dial parameters for the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Enable PPP negotiation to automatically obtain the IP address allocated by the carrier and connect to the public network.
dialer enable-circular //Enable the C-DCC function.
dialer-group 1 //Add the interface to a dialer group. The number must be the same as that in the dialer group.
apn-profile 3gprofile
dialer timer autodial 60 //Set the auto-dial interval to 60s.
dialer number *99# autodial //Enable the auto-dial function.
mode wcdma wcdma-precedence //Configure a WCDMA network connection mode for a 3G modem.
ipsec policy rta //Bind the IPSec policy to the interface.
nat outbound 3001 //Configure NAT to enable access to the public network.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp 1 //Configure an IPSec policy template.
security acl 3000
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the IPSec policy template.
#
interface Serial1/0/0 //Configure an IP address for the WAN-side interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0
ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return

Step 3 Verify the configuration.

After the configuration, users in the headquarters and branch can communicate with each
other.

----End

Configuration Notes
● The pre-shared key at both ends must be the same.
● You do not need to specify the remote IP address of the IKE peer for the end using an
  IPSec policy template.
● You can choose not to configure an ACL on the headquarters gateway using an IPSec
  policy template. If an ACL is configured on the headquarters to protect data flows, the
  destination segment address in the ACL must cover all the source addresses in ACLs on
  branches.
● Dial-up parameters on a 3G interface differ between 3G networks. Contact the 3G
  network provider.

6.4.11 Example for Configuring GRE Over IPSec to Implement Communication Between Devices

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-73, RouterA and RouterB establish an IPSec session, a GRE tunnel is
set up, and traffic on the network segment connected to GE0/0/1 is imported to the GRE
tunnel.

Figure 6-73 Networking diagram for configuring GRE over IPSec

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.2.1 0 destination 1.2.1.1 0
#
ipsec proposal rta //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 1.2.1.1
#
ipsec policy rta 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rta //Specify the IKE peer.
proposal rta //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.2.1 255.255.255.252
ipsec policy rta //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.2.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.2 255.255.255.252
tunnel-protocol gre
source 1.2.2.1 //Specify the source address of the tunnel interface.
destination 1.2.1.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.1.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.2.2
#
return

Step 3 Verify the configuration.

Run the display ike sa command on RouterA or RouterB to view SA information.


Run the display ip routing-table command on RouterA or RouterB. You can view the route
from the tunnel interface to the user-side interface.
Users at both ends can communicate.

----End

Configuration Notes
● The ACL is configured to match the WAN-side interface IP address.
● The encapsulation mode in the IPSec proposal must be transport.
● The source and destination IP addresses of the GRE tunnel interface must be the same as
  those of the data flow protected by IPSec (that is, defined in the ACL referenced by the
  IPSec policy).

6.4.12 Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-74, RouterA functions as the egress router of the headquarters network
and provides GRE over IPSec access for two branches. RouterB and RouterC are egress
routers of the two branches and connect to the headquarters network using GRE over IPSec.
OSPF is enabled on GRE tunnels of the headquarters and each branch. Traffic exchanged
between the headquarters and branches must be encrypted.

Figure 6-74 Networking diagram for configuring GRE over IPSec and OSPF

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 192.168.255.255 //Configure the OSPF router ID.
#
acl number 3000 //Configure ACL 3000 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 1.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.2.1 0
#
acl number 3001 //Configure ACL 3001 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 2.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.3.1 0
#
ipsec proposal default
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch1 v1 //Configure an IKE peer for the egress router of branch 1.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.1.254
remote-address 1.0.2.1
#
ike peer branch2 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
local-address 1.0.1.254
remote-address 1.0.3.1
#
ipsec policy branch 10 isakmp //Create an IPSec policy branch and set the sequence number to 10.
security acl 3000
ike-peer branch1
proposal default
#
ipsec policy branch 20 isakmp //Create an IPSec policy branch and set the sequence number to 20.
security acl 3001
ike-peer branch2
proposal default
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.254 255.255.255.0
ipsec policy branch
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 10.0.0.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.255 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.2.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.
ip address 192.168.0.5 255.255.255.252
tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.3.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 192.168.255.255 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.0.4 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 1.0.1.253
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 192.168.255.1 //Configure the OSPF router ID.
#
acl number 3000 //Configure ACL 3000 to mirror ACL 3000 configured on the egress router of the headquarters.
rule 0 permit ip source 1.0.2.1 0 destination 1.0.1.254 0
#
ipsec proposal default //Configure an IPSec proposal to be the same as that configured on the egress router of the headquarters.
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.2.1
remote-address 1.0.1.254
#
ipsec policy center 1 isakmp //Configure an IPSec policy center, set the sequence number to 1, and use ISAKMP.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of branch 1.
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //Configure the WAN-side interface on the egress router of branch 1.
ip address 1.0.2.1 255.255.255.0
ipsec policy center
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source GigabitEthernet0/0/2
destination 1.0.1.254
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.1 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 192.168.255.2 //Configure the OSPF router ID.
#
acl number 3001 //Configure ACL 3001 to mirror ACL 3001 configured on the egress router of the headquarters.
rule 0 permit ip source 1.0.3.1 0 destination 1.0.1.254 0
#
ipsec proposal default //Configure an IPSec proposal to be the same as that configured on the egress router of the headquarters.
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#(3fr1!&6O=)!GN#~{)n,2fq>4#4+%;lMTs5(]:c)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
local-address 1.0.3.1
remote-address 1.0.1.254
#
ipsec policy center 1 isakmp //Configure an IPSec policy center, set the sequence number to 1, and use ISAKMP.
security acl 3001
ike-peer center
proposal default
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface on the egress router of branch 2.
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface on the egress router of branch 2.
ip address 1.0.3.1 255.255.255.0
ipsec policy center
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.2 255.255.255.255
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source GigabitEthernet0/0/1
destination 1.0.1.254
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.2 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.2.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2
#
return

Step 4 Verify the configuration.


Run the display ike sa command on RouterA or RouterB to view SA information.
Run the display ip routing-table command on RouterA or RouterB. You can view the route
from the tunnel interface to the user-side interface.
Users in the headquarters and branches can communicate.

----End

Configuration Notes
● The ACL configured on the egress router of the headquarters cannot contain a deny rule.
  If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
● ACLs configured on devices in the headquarters and branches must mirror each other.
● You can configure only one IPSec policy on the egress router of the headquarters and
  assign IKE peers different sequence numbers.
● The WAN-side interface IP addresses in the headquarters and branches can be pinged.
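
The following Python script is an added example, not part of the Huawei document. It checks saved configurations against the Configuration Notes of 6.4.11 and 6.4.12 (transport mode, GRE endpoints equal to the flow in the IPSec ACL, no deny rule, mirrored ACLs). It assumes display current-configuration output in which sub-commands are indented under their section; ROUTER_B_BAD and all function names are constructed for illustration.

```python
import re

# Condensed from the 6.4.11 RouterA listing on this page (IKE settings omitted).
ROUTER_A = """\
acl number 3000
 rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
ipsec proposal rtb
 encapsulation-mode transport
ipsec policy rtb 1 isakmp
 security acl 3000
 proposal rtb
interface Tunnel0/0/1
 tunnel-protocol gre
 source 1.2.1.1
 destination 1.2.2.1
"""

# Constructed peer with three deliberate mistakes: no transport mode, a deny
# rule, and an ACL whose destination is not the GRE tunnel destination.
ROUTER_B_BAD = """\
acl number 3000
 rule 0 deny ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
 rule 5 permit ip source 1.2.2.1 0 destination 1.2.1.2 0
ipsec proposal rta
 esp encryption-algorithm aes-192
ipsec policy rta 1 isakmp
 security acl 3000
 proposal rta
interface Ethernet1/0/1
 ip address 1.2.2.1 255.255.255.252
 ipsec policy rta
interface Tunnel0/0/1
 tunnel-protocol gre
 source Ethernet1/0/1
 destination 1.2.1.1
"""

RULE = re.compile(r"rule \d+ (permit|deny) \S+ source (\S+) (\S+)"
                  r"(?: destination (\S+) (\S+))?")

def parse(cfg):
    """Group indented sub-commands under their top-level command line."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("//")[0].rstrip()      # drop documentation comments
        if not line.strip() or line.strip() in ("#", "return"):
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line.strip())
    return sections

def resolve(sections, source):
    """A tunnel source is either an address or the name of an interface."""
    for line in sections.get(f"interface {source}", []):
        if line.startswith("ip address "):
            return line.split()[2]
    return source

def check_device(cfg):
    """Return (findings, protected host-to-host flows) for one router."""
    s, findings, flows = parse(cfg), [], set()
    for head, body in s.items():
        if not re.match(r"ipsec policy \S+ \d+ isakmp$", head):
            continue                            # skip templates and other sections
        opts = dict(l.rsplit(" ", 1) for l in body if " " in l)
        acl, proposal = opts.get("security acl"), opts.get("proposal")
        # Assumption: a proposal without this line runs in tunnel mode.
        if "encapsulation-mode transport" not in s.get(f"ipsec proposal {proposal}", []):
            findings.append(f"{head}: proposal {proposal} is not in transport mode")
        for line in s.get(f"acl number {acl}", []):
            m = RULE.match(line)
            if not m:
                continue
            action, src, src_wild, dst, dst_wild = m.groups()
            if action == "deny":
                findings.append(f"acl {acl}: deny rule in an IPSec ACL")
            elif src_wild == dst_wild == "0":   # host-to-host flow
                flows.add((src, dst))
    for head, body in s.items():
        if head.startswith("interface Tunnel") and "tunnel-protocol gre" in body:
            opts = dict(l.split(" ", 1) for l in body if " " in l)
            pair = (resolve(s, opts.get("source")), opts.get("destination"))
            if pair not in flows:
                findings.append(f"{head}: GRE endpoints {pair} not matched by an IPSec ACL")
    return findings, flows

def check_mirror(local_flows, peer_flows):
    """Flows on one router that lack the reversed flow on its peer."""
    return sorted(f for f in local_flows if (f[1], f[0]) not in peer_flows)

if __name__ == "__main__":
    (fa, flows_a), (fb, flows_b) = check_device(ROUTER_A), check_device(ROUTER_B_BAD)
    print(*fa, *fb, f"unmirrored: {check_mirror(flows_a, flows_b)}", sep="\n")
```

The transport-mode check applies only to designs such as 6.4.11 and 6.4.12, where the GRE tunnel endpoints are the WAN-side addresses that IPSec itself uses.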

6.4.13 Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-75, the egress router in the headquarters provides IPSec VPN access
for branches. NAT devices exist between the branches and the Internet, so the aggressive
mode and NAT traversal are configured on egress routers of the headquarters and branches.
The headquarters egress router uses an IPSec policy template but not the ACL. The three
egress routers use loopback interface IP addresses to establish GRE over IPSec tunnels. ACLs
are configured on branch egress routers to implement communication between the
headquarters and branches through GRE over IPSec tunnels. OSPF is used on GRE over
IPSec tunnels so that traffic exchanged between branches is forwarded through the
headquarters egress router.

Figure 6-75 Networking diagram for configuring GRE over IPSec and OSPF to implement
NAT traversal

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 172.16.0.1 //Configure the OSPF router ID.
#
ike local-name rta
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to 123-branch, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
123-branch, and the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on
the device by default, and this command is not supported. In versions later than
V200R008, this command is supported.
#
ipsec policy-template branch 1 //Configure an IPSec policy template branch and set the sequence number to 1.
ike-peer branch
proposal default
#
ipsec policy policy1 1 isakmp template branch //Configure an IPSec policy policy1 and set the sequence number to 1 based on the IPSec policy template branch.
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.60 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 172.16.0.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.1.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.
ip address 192.168.0.5 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.2.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 1.0.1.61 //Configure a default route.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 192.168.1.1 //Configure the OSPF router ID.
#
ike local-name rtb
#
acl number 3000
rule 0 permit gre source 192.168.1.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to 123-branch, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
123-branch, and the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions,
the device does not support the remote-name command. This command provides the
same function as the remote-id command.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on
the device by default, and this command is not supported. In versions later than
V200R008, this command is supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy and set the sequence number to 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch 1.
ip address 10.0.1.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 1.
ip address 192.168.11.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 192.168.1.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure a tunnel interface.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 10.0.1.1 //Configure a default route.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 192.168.2.1 //Configure the OSPF router ID.
#
ike local-name rtc
#
acl number 3000
rule 0 permit gre source 192.168.2.1 0 destination 172.16.0.1 0
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //
Configure the authentication password in the pre-shared key to 123-branch, in
cipher text. This command in V2R3C00 and earlier versions is pre-shared-key
123-branch, and the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name rta //Configure the IKE peer name. In V200R008 and later versions,
the device does not support the remote-name command. This command provides teh
same function as the remote-id command.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on
the device by default, and this command is not supported. In versions later than
V200R008, this command is supported.
remote-address 1.0.1.60
#
ipsec policy center 1 isakmp //Configure an IPSec policy and set the sequence
number to 1.
security acl 3000
ike-peer center
proposal default
#
interface GigabitEthernet0/0/1 //Configure the WAN-side interface in branch
2.
ip address 10.0.2.2 255.255.255.0
ipsec policy center
#
interface GigabitEthernet0/0/2 //Configure the LAN-side interface in branch 2.
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 192.168.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.2.1 //Configure a default route.
#
return

Step 4 Configure NAT1.


#
sysname NAT1
#
acl number 2000 //Configure a rule for mapping to the NAT address pool.
rule 0 permit source 10.0.2.0 0.0.0.255
#
nat address-group 0 11.0.0.1 11.0.0.10 //Configure a NAT address pool.
#
interface Ethernet1/0/1 //Configure the WAN-side interface.
ip address 1.0.3.1 255.255.255.0
nat outbound 2000 address-group 0
#
interface GigabitEthernet0/0/1 //Configure the NAT device interface connected to the router in branch 2.
ip address 10.0.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.0.3.2 //Configure a default route.
#
return

Step 5 Configure NAT2.


#
sysname NAT2
#
acl number 2000 //Configure a rule for mapping to the NAT address pool.
rule 0 permit source 10.0.1.0 0.0.0.255
#
nat address-group 0 12.0.0.1 12.0.0.10 //Configure a NAT address pool.
#
interface Ethernet1/0/1 //Configure the WAN-side interface.
ip address 1.0.2.1 255.255.255.0
nat outbound 2000 address-group 0
#
interface GigabitEthernet0/0/1 //Configure the NAT device interface connected to the router in branch 1.
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2 //Configure a default route.
#
return

Step 6 Verify the configuration.


Run the display ike sa command on RouterA, RouterB, or RouterC to view SA information.
Run the display ip routing-table command on RouterA or RouterB. You can view the route
from the tunnel interface to the user-side interface.
Users in the headquarters and branches can communicate.
----End

Configuration Notes
- The ACL configured on the egress router of the headquarters cannot contain a deny rule.
  If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
- You can configure only one IPSec policy on the egress router of the headquarters and
  assign IKE peers different sequence numbers.
- There must be reachable routes between the headquarters and branches.
- When configuring a NAT address pool, ensure that routes to address segments in the
  NAT address pool are reachable.

6.4.14 Example for Establishing an IPSec over GRE Tunnel Between the Headquarters and Branch (Based on ACL)
Applicability
This example applies to all AR models of V200R008C50 and later versions.

Networking Requirements
In Figure 6-76, Router1 is the gateway of an enterprise branch, and Router2 is the gateway of
the headquarters. Router1 and Router2 communicate through the public network.
On the live network, the enterprise branch communicates with the headquarters through a
GRE tunnel. The enterprise wants to protect traffic excluding multicast data between the
headquarters and branch. An IPSec over GRE tunnel can be established based on ACL to
protect traffic between the headquarters and branch.

Figure 6-76 Establishing an IPSec over GRE tunnel between the headquarters and branch

Procedure
Step 1 Configure Router1.
#
sysname Router1
#
acl number 3101 //Configure the IP address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spub //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.2 //Specify the IP address of the remote tunnel interface.
#
ipsec policy map1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec policy map1 //Apply the security policy to the interface and enable IPSec protection.
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network.
#
return

Step 2 Configure Router2.


#
sysname Router2
#
acl number 3101 //Configure the IP address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spua //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.1 //Specify the IP address of the remote tunnel interface.
#
ipsec policy use1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
ipsec policy use1 //Apply the security policy to the interface and enable IPSec protection.
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network.
#
return

Step 3 Verify the configuration.


Run the display ike sa command on the routers. You can find that an SA is established
successfully.
After branch users ping the headquarters, run the display ipsec statistics command on the
routers to view statistics on IPSec packets. The value of the input/output security packets
field is not 0, indicating that traffic between the branch and headquarters is encrypted.

----End

Precautions
- The pre-shared key at both ends must be the same.
- The remote address configured for the IKE peer must be the IP address of the tunnel
  interface.

6.4.15 Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)
Applicability
This example applies to all AR models of V200R008C50 and later versions.

Networking Requirements
In Figure 6-77, a large enterprise has a headquarters (Hub) and multiple branches
(Spoke1 and Spoke2 in this example) located in different areas. The Spokes connect to
public networks using dynamic IP addresses obtained through DHCP. DSVPN is deployed to
enable communication between the Spokes as well as between each Spoke and the Hub.
The enterprise requires that data transmitted between Spokes as well as between Spoke and
Hub be encrypted. IPSec over DSVPN can be configured on Hub and Spokes to provide
traffic protection.

Figure 6-77 Establishing IPSec over DSVPN tunnels between Hub and Spokes

Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10,
respectively.

Procedure
Step 1 Configure the Hub.
#
sysname Hub
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer hub //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
#
ipsec policy-template use1 10 //Configure an IPSec policy template and import parameters to the template.
ike-peer hub
proposal pro1
#
ipsec policy policy1 10 isakmp template use1 //Configure an IPSec policy and reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry multicast dynamic //Add a dynamically registered Spoke to the NHRP multicast member table.
#
ospf 1 router-id 10.2.1.1 //Configure private network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return

Step 2 Configure Spoke1.


#
sysname Spoke1
#
acl number 3101 //Configure the IP address segments that support IPSec encryption.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer spoke1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Specify the IP address of the remote tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spoke1
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.2 //Configure private network routes.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.2.0 0.0.0.255
#
return

Step 3 Configure Spoke2.


#
sysname Spoke2
#
acl number 3101 //Configure the IP address segments that support IPSec encryption.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer spoke2 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Specify the IP address of the remote tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spoke2
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.3.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.3 //Configure private network routes.
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.3.0 0.0.0.255
#
return

Step 4 Verify the configuration.


Run the display ike sa command on the Hub and Spokes. You can find that SAs are
established successfully.
After users in Spoke1 ping the Hub, run the display ipsec statistics command on Spoke1 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that traffic between the Hub and Spoke1 is encrypted.
After users in Spoke2 ping the Hub, run the display ipsec statistics command on Spoke2 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that traffic between the Hub and Spoke2 is encrypted.
----End

Precautions
- The pre-shared key at both ends must be the same.
- The remote address configured for the IKE peer must be the IP address of the tunnel
  interface.
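
The remote-address precaution above, which 6.4.14 states in the same words, can be checked offline before the configurations are loaded. The following Python check is an added example, not part of the Huawei document or any Huawei tool; the two excerpts are constructed from the Router1 and Router2 listings in 6.4.14, and the mirrored-ACL test reflects general IPSec practice rather than a statement in this document.

```python
import ipaddress
import re

# Constructed excerpts, reduced from the Router1 and Router2 listings in 6.4.14.
ROUTER1 = """\
acl number 3101
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ike peer spub
remote-address 10.2.1.2 //Specify the IP address of the remote tunnel interface.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec policy map1
#
"""
ROUTER2 = """\
acl number 3101
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ike peer spua
remote-address 10.2.1.1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
ipsec policy use1
#
"""

RULE = re.compile(r"rule \d+ (permit|deny) \S+ source (\S+) (\S+) destination (\S+) (\S+)")

def config_lines(config):
    """Yield stripped lines with trailing ' //...' comments removed."""
    for line in config.splitlines():
        yield re.sub(r"(^|\s+)//.*$", "", line).strip()

def net(addr, wildcard):
    """Turn an ACL address and wildcard mask into a network ('0' means one host)."""
    wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)  # wildcard is the inverted netmask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def permitted_flows(config):
    """Set of (source network, destination network) taken from permit rules."""
    flows = set()
    for line in config_lines(config):
        m = RULE.match(line)
        if m and m.group(1) == "permit":
            flows.add((net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
    return flows

def remote_addresses(config):
    """Values of every 'remote-address' line (IKE peer stanzas)."""
    return [l.split()[1] for l in config_lines(config) if l.startswith("remote-address ")]

def tunnel_ips(config):
    """IP addresses configured on 'interface Tunnel...' stanzas only."""
    ips, in_tunnel = set(), False
    for line in config_lines(config):
        if line.startswith("interface "):
            in_tunnel = line.startswith("interface Tunnel")
        elif line == "#":
            in_tunnel = False
        elif in_tunnel and line.startswith("ip address "):
            ips.add(line.split()[2])
    return ips

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Check both directions and return a list of human-readable problems."""
    problems = []
    for name, cfg, peer, peer_cfg in ((name_a, cfg_a, name_b, cfg_b),
                                      (name_b, cfg_b, name_a, cfg_a)):
        peer_tunnels = tunnel_ips(peer_cfg)
        for addr in remote_addresses(cfg):
            if addr not in peer_tunnels:
                problems.append(f"{name}: remote-address {addr} is not a "
                                f"tunnel interface address on {peer}")
        peer_flows = permitted_flows(peer_cfg)
        if not peer_flows:
            continue  # a policy-template responder (the Hub in 6.4.15) has no ACL
        for src, dst in sorted(permitted_flows(cfg)):
            if (dst, src) not in peer_flows:
                problems.append(f"{name}: permit {src} -> {dst} has no "
                                f"mirrored rule on {peer}")
    return problems

if __name__ == "__main__":
    for problem in check_pair("Router1", ROUTER1, "Router2", ROUTER2) or ["consistent"]:
        print(problem)
```

Pointing remote-address at the peer's public address (2.1.1.1 in the 6.4.14 topology) instead of its tunnel address is the mistake this check reports.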

6.4.16 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through IKE Negotiation in Domain Name Mode
Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-78, RouterA (remote branch gateway) and RouterB (headquarters
gateway) communicate through the Internet in PPPoE mode. The branch subnet is 10.1.1.0/24
and the headquarters subnet is 10.1.2.0/24. The DNS server resolves domain names, the
DDNS server updates the IP addresses mapped to domain names, and the PPPoE server allocates IP
addresses.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway
because they communicate over the Internet. Because IP addresses of the branch and
headquarters are dynamic addresses, domain names can be used for IKE negotiation.

Figure 6-78 Networking for using dynamic addresses to establish an IPSec tunnel in IKE
negotiation mode between the branch and headquarters

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username1:password1@phddnsdev.oray.net //Configure the URL of the DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.1.0/24 to 10.1.2.0/24.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions, this command is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweib.com //The domain name has been registered with the DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that the DDNS client can notify the DDNS server of changes in mappings between domain names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route through the dialer interface.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username2:password2@phddnsdev.oray.net //Configure the URL of the DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.2.0/24 to 10.1.1.0/24.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to huawei, in cipher text. In V2R3C00 and earlier versions, this command is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweia.com //The domain name has been registered with the DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that the DDNS client can notify the DDNS server of changes in mappings between domain names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 dialer1 //Configure a default route through the dialer interface.
#
return

Step 3 Verify the configuration.

# After the configurations are complete, PC A can ping PC B successfully. Data exchanged
between PC A and PC B is encrypted. You can run the display ipsec statistics command to
view packet statistics.

# Run the display ike sa and display ipsec sa commands on RouterA and RouterB. You can
view the IPSec tunnel configuration.

----End

Configuration Notes
If an IPSec tunnel cannot be reestablished due to frequent IP address change of the dialer
interface, use either of the following methods:
- If IPSec policies are configured at both ends, configure DPD on the devices at both
  ends to detect faults.
- If an IPSec policy is configured at one end and an IPSec policy template is configured at
  the other end, run the ipsec remote traffic-identical accept command (supported by
  V2R3C00 and later versions) on the end where the IPSec policy template is configured.
  This command allows new users with the same traffic rule as original branch users to
  access the headquarters network so that the existing IPSec SAs can be rapidly aged and a
  new IPSec tunnel can be established.

6.4.17 Example for Establishing an L2TP over IPSec Tunnel for Employees on a Business Trip to Connect to the Headquarters

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-79, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through the public network. To
ensure security of traveling employees, the enterprise requires that an L2TP over IPSec tunnel
be set up between the traveling employee's PC and headquarters gateway.

In this example, the PC runs the Windows 7 operating system.

Figure 6-79 Networking for configuring an L2TP over IPSec tunnel between the PC and
router

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
l2tp enable //Enable L2TP.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer peer1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
authentication-scheme l2tp
authentication-mode local
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1
#
interface Virtual-Template1 //Create a VT template and configure dial-up parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up using a mobile phone. You are advised to disable tunnel authentication.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a static route.
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1
#
return

Step 2 Configure the personal PC for the traveler. This example describes how to set dial-up
parameters on a Windows 7 client.
1. View the IPSec service status and ensure that the IPSec service is enabled.
a. Choose Start > Run, enter services.msc, and click OK to access the Services page.
b. In the Name column, check whether the status of IPsec Policy Agent is Started. If
not, right-click IPsec Policy Agent and select Properties. In Properties, set
Startup type to Automatic and click Apply. Then select Start in Service type.
c. Close the Services page.
2. Create an L2TP over IPSec connection.
a. Choose Start > Control Panel.
b. Select Network and Internet.
c. Select Network and Sharing Center.
d. Select Set up a new connection or network.
e. Select Connect to a workplace.
f. Select Use my Internet connection (VPN).
g. Set the Internet address and target name.
Set the Internet address to the IP address of the WAN interface on the RouterA (you
can also enter the domain name if the domain name is fixed).
h. Set the user name and password.

i. Click Connect.
j. Click Skip to skip the verification process. After a message indicating that the
connection is available is displayed, click Close.
3. Set IKE connection parameters.
a. In the left pane of Network and Sharing Center, select Change adapter setting.
b. Right-click the new VPN connection and select Properties.
c. Set Options, Security, and Networking.

Step 3 Verify the configuration.

# After the configuration is complete, PC A dials up successfully using the built-in
software.
Run the display l2tp tunnel command on RouterA. The output shows that an L2TP tunnel is
established.
Run the display ike sa command on RouterA. The output shows that an SA is established.

----End

Configuration Notes
• The pre-shared key for IKE negotiation at both ends must be the same.
• Tunnel authentication must be disabled on the device if the L2TP client does not support
  tunnel authentication.
• A host-to-gateway IPSec tunnel is established between a traveling employee and the
  headquarters; therefore, the IPSec tunnel is based on the transport mode.

6.4.18 Example for Configuring the Headquarters to Manage Branches (Cisco Routers) Using Efficient VPN and Establishing IPSec Tunnels

Specifications
This example applies to all routers of V200R005C10 and later versions.

Networking Requirements
As shown in Figure 6-80, RouterA is the enterprise branch gateway (Cisco router) and
RouterB is the enterprise headquarters gateway. The branch communicates with the
headquarters over the public network. IP addresses of branches and headquarters are
configured beforehand. The branch is located on the network segment 10.1.2.0/24 and the
headquarters is located on the network segment 10.1.1.0/24.
The enterprise needs to protect traffic transmitted between the branch and the
headquarters over the public network, and wants the headquarters gateway to manage the
branch gateways in a unified manner with simple configuration.
To meet these requirements, an IPSec tunnel can be established in Efficient VPN client mode
between the branch gateway and headquarters gateway. In Efficient VPN client mode,
RouterA requests an IP address used to establish the IPSec tunnel, a DNS domain name, a
DNS server address, and a WINS server address from RouterB. The parameters other than
the IP address are used by the branch gateway.

Figure 6-80 Establishing an IPSec tunnel between the device and Cisco router (remote end)
using the Efficient VPN policy

Procedure
Step 1 Configure RouterA.
!
hostname RouterA //Configure a device name.
!
!
crypto ipsec client ezvpn ezvpn1 //Configure the Easy VPN policy.
connect auto //Set the connection mode to auto.
group evpn key 6 huawei@1234 //Configure a service scheme named evpn for the
server end and set the pre-shared key to huawei@1234.
mode client //Set the Easy VPN policy mode to client.
peer 60.1.1.1 //Configure the peer address.
xauth userid mode interactive
!
!
interface GigabitEthernet0/0 //Apply the Easy VPN policy to the interface and
configure the interface as the default outbound interface.
no shutdown
ip address 60.1.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ezvpn1
!
interface GigabitEthernet0/1 //Apply the Easy VPN policy to the interface and
configure the interface as the inbound interface
no shutdown
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ezvpn1 inside
!
//The Easy VPN policy must be applied to the internal and external interface
because the remote end connects to the server end through the two interfaces.
ip route 60.1.1.0 255.255.255.0 60.1.2.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
ip route 10.1.1.0 255.255.255.0 60.1.2.2
!
end

Step 2 Configure RouterB.


#
sysname RouterB //Configure a device name.
#
ipsec proposal prop1 //Configure an IPSec proposal.
//In the Efficient VPN policy, encapsulation-mode in the IPSec proposal must be
set to tunnel (default setting).

//In the Efficient VPN policy, transform in the IPSec proposal must be set to esp
(default setting).
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm 3des-cbc //When the Efficient VPN policy uses IKEv1, set
encryption-algorithm to 3des-cbc and authentication-algorithm to md5 or sha1 (the
default value is sha1) in the IKE proposal.
dh group2 //In the Efficient VPN policy, the Diffie-Hellman group dh used for
IKE key negotiation must be dh group2.
#
ike peer peer1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //When the Efficient VPN policy uses IKEv1, set
exchange-mode to aggressive.
pre-shared-key cipher %^%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%^%# //Set
the pre-shared key to huawei@1234.
ike-proposal 5
service-scheme evpn //Reference the service scheme to send parameters including
the IP address and DNS domain name to the remote end.
#
ipsec policy-template temp1 10 //Configure an ipsec policy template.
ike-peer peer1
proposal prop1
#
ipsec policy policy1 10 isakmp template temp1 //Apply the ipsec policy template
to the IPSec policy.
#
ip pool pool1 //Create an address pool and reference the address pool in the
service scheme to send IP addresses to the remote end.
gateway-list 100.1.1.1
network 100.1.1.0 mask 255.255.255.128
#
aaa
service-scheme evpn //Create a service scheme to send parameters to the remote
end.
dns 2.2.2.2
dns 2.2.2.3 secondary
ip-pool pool1
wins 3.3.3.2
wins 3.3.3.3 secondary
dns-name mydomain.com.cn
#
interface GigabitEthernet0/0/1 //Apply the IPSec policy to the interface.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
#
return

Step 3 Verify the configuration.

# After the configuration is complete, PC A can ping PC B successfully, and the data
transmitted between them is encrypted.

# Run the show crypto isakmp sa and show crypto ipsec sa commands on RouterA. The output
shows that the IPSec tunnel is successfully established.

# Run the display ipsec statistics command on RouterB to check packet statistics.

# Run the display ike sa and display ipsec sa commands on RouterB. The output shows that
the IPSec tunnel is successfully established.
----End

Configuration Notes
The Cisco configuration commands are provided for reference only. The recommended Cisco
device version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M),
Version 15.1(4)M1, RELEASE SOFTWARE (fc1). For details, visit
http://www.cisco.com/cisco/web/support.
The MD5, SHA-1, DES and 3DES algorithms have security risks. Exercise caution when you
use them.

6.4.19 Example for Configuring the Headquarters (Cisco Router) to Manage Branches Using Efficient VPN and Establishing IPSec Tunnels

Specifications
This example applies to all routers of V200R005C10 and later versions.

Networking Requirements
As shown in Figure 6-81, RouterA is the enterprise branch gateway and RouterB is the
enterprise headquarters gateway (Cisco router). IP addresses of branches and headquarters are
configured beforehand. The branch communicates with the headquarters over the public
network. The branch is located on the network segment 10.1.1.0/24 and the headquarters is
located on the network segment 10.1.2.0/24.
The enterprise needs to protect traffic transmitted between the branch and the
headquarters over the public network, and wants the headquarters gateway to manage the
branch gateways in a unified manner with simple configuration.
To meet these requirements, an IPSec tunnel can be established in Efficient VPN client mode
between the branch gateway and headquarters gateway. In Efficient VPN client mode,
RouterA requests an IP address used to establish the IPSec tunnel, a DNS domain name, a
DNS server address, and a WINS server address from RouterB. The parameters other than
the IP address are used by the branch gateway.

Figure 6-81 Establishing an IPSec tunnel between the device and Cisco router (server end)
using the Efficient VPN policy

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure a device name.
#
ipsec efficient-vpn evpn1 mode client //Configure the Efficient VPN policy.
remote-address 60.1.2.1 v1 //Configure the peer address.
pre-shared-key cipher %^%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%^%# //Set
the pre-shared key to huawei@1234.
local-id-type key-id //When the remote end is a Cisco device, specify the key-
id type in the Efficient VPN policy.
service-scheme evpn //When the remote end is a Cisco device, specify the user
group created by the remote end in the Efficient VPN policy.
#
interface GigabitEthernet0/0/1 //Apply the Efficient VPN policy to the interface.
ip address 60.1.1.1 255.255.255.0
ipsec efficient-vpn evpn1
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
#
return

Step 2 Configure RouterB.


!
hostname RouterB //Configure a device name.
!
aaa new-model //Enable AAA authentication on the client.
!
!
aaa authentication login vpn-authen local //Configure local login authentication.
aaa authorization network local-group-author-list local //Configure local
authorization.
aaa authorization network vpn-author local
!
!
crypto isakmp policy 10 //Configure a crypto isakmp policy.
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group evpn //Configure a crypto isakmp user
group.
key 6 huawei@1234 //Set the pre-shared key to huawei@1234.
dns 2.2.2.2 2.2.2.3
wins 3.3.3.2 3.3.3.3
domain mydomain.com.cn
pool poo11 //Reference the address pool and send IP addresses to the remote end.
!
!
crypto ipsec transform-set prop1 esp-3des esp-md5-hmac //Configure an IPSec
transform set.
!
crypto dynamic-map temp1 10 //Configure a crypto policy template.
set transform-set prop1
!
crypto map evpn1 isakmp authorization list vpn-author //Perform the crypto
policy after AAA authentication is successful.
crypto map evpn1 client configuration address respond //Respond to the request.
crypto map evpn1 10 ipsec-isakmp dynamic temp1
!

!
interface GigabitEthernet0/0 //Apply the crypto isakmp policy to the interface.
no shutdown
ip address 60.1.2.1 255.255.255.0
duplex auto
speed auto
crypto map evpn1
!
interface GigabitEthernet0/1
no shutdown
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
!
!
ip local pool poo11 112.1.1.1 112.1.1.128 //Create an address pool.
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route to ensure that
there is a reachable route between the two ends.
!
end

Step 3 Verify the configuration.


# After the configuration is complete, PC A can ping PC B successfully, and the data
transmitted between them is encrypted.
# Run the display ipsec statistics command on RouterA to check packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA. The output shows that
the IPSec tunnel is successfully established.
# Run the show crypto isakmp sa and show crypto ipsec sa commands on RouterB. The output
shows that the IPSec tunnel is successfully established.

----End

Configuration Notes
The Cisco configuration commands are provided for reference only. The recommended Cisco
device version is Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M),
Version 15.1(4)M1, RELEASE SOFTWARE (fc1). For details, visit
http://www.cisco.com/cisco/web/support.
The MD5, SHA-1, DES and 3DES algorithms have security risks. Exercise caution when you
use them.
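
The algorithm warning in the Configuration Notes of 6.4.18 and 6.4.19 can be turned into a configuration review check. The following is an added example, not part of the Huawei document: it scans Huawei and Cisco configuration text for commands that select MD5, SHA-1, DES or 3DES, and also reports a Huawei IKE proposal that sets no authentication-algorithm, which the comment in 6.4.18 says defaults to sha1. The function and variable names are hypothetical; the sample texts are excerpts of the configurations in 6.4.18, 6.4.19 and 6.4.20.

```python
import re

# Name fragments of the algorithms the Configuration Notes call risky.
# "sha" is the Cisco IOS spelling of SHA-1 (for example esp-sha-hmac).
RISKY_PARTS = {"md5": "MD5", "sha1": "SHA-1", "sha": "SHA-1",
               "3des": "3DES", "des": "DES"}

# Algorithm-selecting commands. A line must match one of them completely, so
# the wrapped comment text of this document is never mistaken for a command.
ALGO_COMMANDS = [re.compile(p) for p in (
    r"encryption-algorithm (\S+)",                         # Huawei IKE proposal
    r"authentication-algorithm (\S+)",                     # Huawei IKE proposal
    r"esp (?:encryption|authentication)-algorithm (\S+)",  # Huawei IPSec proposal
    r"encr (\S+)",                                         # Cisco ISAKMP policy
    r"hash (\S+)",                                         # Cisco ISAKMP policy
    r"crypto ipsec transform-set \S+ (.+)",                # Cisco transform set
)]


def risky_algorithms(tokens):
    """Map tokens such as '3des-cbc' or 'esp-md5-hmac' to risky algorithm names."""
    return [RISKY_PARTS[part]
            for token in tokens.lower().split()
            for part in token.split("-") if part in RISKY_PARTS]


def audit(config):
    """Return (section, command, algorithm) for every risky algorithm found."""
    findings = []
    section, auth_set = None, False

    def end_section():
        # Per the comment in 6.4.18, a Huawei IKE proposal without an
        # authentication-algorithm command uses the default, sha1.
        if section and section.startswith("ike proposal") and not auth_set:
            findings.append((section, "authentication-algorithm (default)", "SHA-1"))

    for raw in config.splitlines() + ["#"]:      # sentinel closes the last section
        line = raw.split("//", 1)[0].strip()     # drop the trailing //comment
        if line in ("#", "!"):                   # Huawei / Cisco section separators
            end_section()
            section, auth_set = None, False
            continue
        if not line:
            continue
        if section is None:
            section = line                       # first command names the section
        for pattern in ALGO_COMMANDS:
            match = pattern.fullmatch(line)
            if match:
                if line.startswith("authentication-algorithm"):
                    auth_set = True
                findings += [(section, line, name)
                             for name in risky_algorithms(match[1])]
                break
    return findings


# Excerpt of RouterB in 6.4.18, wrapped comments included as printed.
HUAWEI_EVPN_SERVER = """\
#
ipsec proposal prop1 //Configure an IPSec proposal.
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm 3des-cbc //When the Efficient VPN policy uses IKEv1, set
encryption-algorithm to 3des-cbc and authentication-algorithm to md5 or sha1 (the
default value is sha1) in the IKE proposal.
dh group2 //In the Efficient VPN policy, the Diffie-Hellman group dh used for
IKE key negotiation must be dh group2.
#
"""

# Excerpt of RouterB in 6.4.19.
CISCO_EVPN_SERVER = """\
!
crypto isakmp policy 10 //Configure a crypto isakmp policy.
encr 3des
authentication pre-share
group 2
!
crypto ipsec transform-set prop1 esp-3des esp-md5-hmac //Configure an IPSec
transform set.
!
"""

# Excerpt of Router_1 in 6.4.20, which uses none of the listed algorithms.
HUAWEI_MANUAL_IKE = """\
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
"""

if __name__ == "__main__":
    for text in (HUAWEI_EVPN_SERVER, CISCO_EVPN_SERVER, HUAWEI_MANUAL_IKE):
        for section, command, name in audit(text):
            print(f"{name:6} {section}: {command}")
```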

6.4.20 Example for Establishing an IPSec Tunnel in Manual and IKE Negotiation Modes

Applicability
This example applies to all AR routers of all versions.

Networking Requirements
As shown in Figure 6-82, Router_1, Router_2, and Router_3 are the municipal branch
gateway, county-level branch gateway, and headquarters gateway of an enterprise. Branches
and the headquarters communicate over the public network. The enterprise has few municipal
branches but many county-level branches.

The enterprise wants to implement direct communication between the county-level branch
and headquarters, between the county-level branch and municipal branch, and between the
municipal branch and headquarters, and to protect mutual traffic between branches and the
headquarters.

Figure 6-82 Establishing an IPSec tunnel in manual and IKE negotiation modes

Procedure
Step 1 Configure the municipal branch gateway Router_1.
#
sysname Router_1
#
acl number 3001 //When a policy template is used, ACL reference is optional,
and you only need to define the data flow to the headquarters on Router_1.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the headquarters.
security acl 3001
proposal tran1
tunnel local 60.1.1.1
tunnel remote 60.1.3.1
sa spi inbound esp 12345 //Set the inbound SPI, which must be the same as
the outbound SPI in the headquarters.
sa string-key inbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the inbound SA to Huawei@123, which must
be the same as the authentication key for the outbound SA in the headquarters.
sa spi outbound esp 54321 //Set the outbound SPI, which must be the same as
the inbound SPI in the headquarters.
sa string-key outbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^
%# //Set the authentication key for the outbound SA to Huawei@321, which must
be the same as the authentication key for the inbound SA in the headquarters.
#

ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#]%qh%KV&]('NP)+OE3VF"nAn7VF%/+EgfmX3BE|*%^%# //Set
the pre-shared key to Huawei@4321 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify qualified
county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command. The fqdn command provides the similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and
enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route.
#
return

Step 2 Configure the county-level branch gateway Router_2.


#
sysname Router_2
#
ike local-name huaweirt2
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#

ike peer rut1 v2 //Configure an IKE peer used to negotiate with the headquarters
for establishing an IPSec tunnel. You must specify a remote address.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
remote-address 60.1.3.1
#
ike peer rut2 v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#F[de7*vUZ9ZT)V5UEqX(g|)XG`S)xT}:C."&>c].%^%# //Set
the pre-shared key to Huawei@4321 in ciphertext. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plaintext.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the headquarters.
security acl 3001
ike-peer rut1
proposal tran1
ipsec policy policy1 20 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the municipal branch.
security acl 3002
ike-peer rut2
proposal tran1
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.2.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected with the
service segment.
ip address 192.168.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route.
#
return

Step 3 Configure the headquarters gateway Router_3.


#
sysname Router_3
#
acl number 3001 //When a policy template is used, ACL reference is optional,
and you only need to define the data flow to the municipal branch on Router_3.
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the municipal branch.
security acl 3001
proposal tran1
tunnel local 60.1.3.1
tunnel remote 60.1.1.1
sa spi inbound esp 54321 //Set the inbound SPI, which must be the same as
the outbound SPI in the municipal branch.
sa string-key inbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^
%# //Set the authentication key for the inbound SA to Huawei@321, which must
be the same as the authentication key for the outbound SA in the municipal branch.

sa spi outbound esp 12345 //Set the outbound SPI, which must be the same as
the inbound SPI in the municipal branch.
sa string-key outbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the outbound SA to Huawei@123, which must
be the same as the authentication key for the inbound SA in the municipal branch.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#SNMkBqDAZOwo!9=MwR{+h;Bp"JEU.-s!Z=Wdu7_@%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify
qualified county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command. The fqdn command provides the similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.3.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.3.2 //Configure a static route.
#
return

Step 4 Verify the configuration.

After the configurations are complete:

• Ping PC_3 from PC_1 and PC_2 respectively. The ping operations succeed. Run the
  display ipsec statistics command to view statistics on IPSec packets. The value of the
  Inpacket decap count/Outpacket encap count (in a version earlier than V200R008) or
  input/output security packets (in V200R008 or a later version) field is not 0, indicating
  that data transmitted between the branches and headquarters is encrypted.
• Run the display ipsec sa command on Router_1, Router_2, and Router_3 to view
  information about established SAs. The command output contains the Tunnel remote
  (tunnel destination address) and Mode (security policy mode in which the IPSec tunnel
  is established) fields.

  – On Router_1, the security policy mode for the tunnel with the destination address
    60.1.3.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
    Template.
  – On Router_2, the security policy mode for the tunnels with the destination
    addresses 60.1.1.1 and 60.1.3.1 is ISAKMP.
  – On Router_3, the security policy mode for the tunnel with the destination address
    60.1.1.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
    Template.
• Run the display ike sa v2 command on Router_1, Router_2, and Router_3 to view SAs
  established through IKE negotiation. (In V200R008 and later versions, the V2 parameter
  is not supported.)
  – Only the entry whose peer is 60.1.2.1 exists on Router_1.
  – The entries whose peer is 60.1.1.1 and 60.1.3.1 exist on Router_2.
  – Only the entry whose peer is 60.1.2.1 exists on Router_3.

----End

Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
  not need to specify the remote address or remote name of the IKE peer.
• The IKE peers must use the same pre-shared key.
• When configuring an IPSec policy manually, you must specify the inbound and
  outbound SPIs. The inbound SPI on the local end must be the same as the outbound SPI
  on the remote end. The outbound SPI on the local end must be the same as the inbound
  SPI on the remote end.
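
The SPI rule in the last note can be checked before the manual policies are deployed. The following is an added example, not part of the Huawei document: it parses the manual IPSec policy from two device configurations and reports tunnel endpoints or SPIs that are not mirrored. The function names are hypothetical; ROUTER_1 and ROUTER_3 are excerpts of the configurations in this section with the string-key lines left out, and ROUTER_3_COPIED is a constructed misconfiguration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ManualSA:
    """Settings of one 'ipsec policy <name> <seq> manual' block."""
    local: Optional[str] = None
    remote: Optional[str] = None
    spi_in: Optional[int] = None
    spi_out: Optional[int] = None


def parse_manual_policies(config):
    """Return {(policy name, sequence): ManualSA} for every manual policy."""
    policies, current = {}, None
    for raw in config.splitlines():
        # Drop trailing //comments; wrapped comment lines match no pattern below.
        line = raw.split("//", 1)[0].strip()
        if line == "#":                      # '#' ends the current view
            current = None
            continue
        header = re.fullmatch(r"ipsec policy (\S+) (\d+) manual", line)
        if header:
            current = policies.setdefault((header[1], int(header[2])), ManualSA())
            continue
        if current is None:
            continue
        tunnel = re.fullmatch(r"tunnel (local|remote) (\S+)", line)
        spi = re.fullmatch(r"sa spi (inbound|outbound) esp (\d+)", line)
        if tunnel:
            setattr(current, tunnel[1], tunnel[2])
        elif spi:
            setattr(current, "spi_in" if spi[1] == "inbound" else "spi_out", int(spi[2]))
    return policies


def mirror_errors(a, b):
    """List every way manual SA 'a' fails to mirror manual SA 'b'."""
    errors = []
    for name, sa in (("first", a), ("second", b)):
        missing = [field for field, value in vars(sa).items() if value is None]
        if missing:
            errors.append(f"{name} device: missing {', '.join(missing)}")
    if errors:
        return errors
    if (a.local, a.remote) != (b.remote, b.local):
        errors.append(f"tunnel endpoints not mirrored: {a.local}->{a.remote} "
                      f"vs {b.local}->{b.remote}")
    if a.spi_in != b.spi_out:
        errors.append(f"inbound SPI {a.spi_in} != peer outbound SPI {b.spi_out}")
    if a.spi_out != b.spi_in:
        errors.append(f"outbound SPI {a.spi_out} != peer inbound SPI {b.spi_in}")
    return errors


def check_pair(config_a, config_b, key=("policy1", 10)):
    """Compare the same manual policy on two devices."""
    a = parse_manual_policies(config_a).get(key)
    b = parse_manual_policies(config_b).get(key)
    if a is None or b is None:
        return ["manual policy not found on both devices"]
    return mirror_errors(a, b)


# Excerpt of Router_1 as printed (string-key lines are stored as cipher text
# and are not compared here, so they are left out).
ROUTER_1 = """\
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the headquarters.
security acl 3001
proposal tran1
tunnel local 60.1.1.1
tunnel remote 60.1.3.1
sa spi inbound esp 12345 //Set the inbound SPI, which must be the same as
the outbound SPI in the headquarters.
sa spi outbound esp 54321 //Set the outbound SPI, which must be the same as
the inbound SPI in the headquarters.
#
"""

# Excerpt of Router_3, comments removed.
ROUTER_3 = """\
#
ipsec policy policy1 10 manual
security acl 3001
proposal tran1
tunnel local 60.1.3.1
tunnel remote 60.1.1.1
sa spi inbound esp 54321
sa spi outbound esp 12345
#
"""

# Constructed mistake: Router_1's block pasted onto Router_3 with only the
# tunnel addresses swapped, so the SPIs are identical instead of mirrored.
ROUTER_3_COPIED = (ROUTER_1.replace("local 60.1.1.1", "local 60.1.3.1")
                           .replace("remote 60.1.3.1", "remote 60.1.1.1"))

if __name__ == "__main__":
    print(check_pair(ROUTER_1, ROUTER_3) or "mirrored")
    print(check_pair(ROUTER_1, ROUTER_3_COPIED))
```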

6.4.21 Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group

Specifications
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 6-83, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. RouterA uses two egress links in backup or load balancing
mode. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.
The enterprise wants to protect traffic between the branch subnet and headquarters subnet. If
an active/standby switchover occurs or the egress link becomes faulty, IPSec services must
switch over smoothly.

Figure 6-83 Establishing an IPSec tunnel between the enterprise headquarters and branch
using a multi-link shared IPSec policy group

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
ipsec policy policy1 shared local-interface LoopBack0 //Configure a multi-link
shared IPSec policy group.
#
interface GigabitEthernet1/0/0
ip address 70.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet2/0/0
ip address 80.1.1.1 255.255.255.0
ipsec policy policy1 //Bind the IPSec policy group.
#
interface GigabitEthernet3/0/0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 10.1.2.0 255.255.255.0 70.1.1.2 preference 10 //Configure a
static route from GE1/0/0 of RouterA to the internal network on the headquarters
network.
ip route-static 10.1.2.0 255.255.255.0 80.1.1.2 preference 20 //Configure a
static route from GE2/0/0 of RouterA to the internal network on the headquarters
network.
ip route-static 60.1.1.0 255.255.255.0 70.1.1.2 preference 10 //Configure a
static route from GE1/0/0 of RouterA to the LAN-side interface on the
headquarters network.
ip route-static 60.1.1.0 255.255.255.0 80.1.1.2 preference 20 //Configure a
static route from GE2/0/0 of RouterA to the LAN-side interface on the
headquarters network.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Headquarters
subnet to Branch subnet.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
ike-proposal 5
remote-address 1.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
interface GigabitEthernet1/0/0
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet3/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 60.1.1.2 //Configure a static route with
the destination address as the Loopback interface of the peer.
ip route-static 10.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface of the branch.
ip route-static 70.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface GE1/0/0 of the branch.
ip route-static 80.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface GE2/0/0 of the branch.
#
return

Step 3 Verify the configuration.


Run the display ike sa verbose and display ipsec sa commands on RouterA to view the
IPSec tunnel configuration.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branch must mirror each other.
• There must be reachable routes between the headquarters and branch.
• All IPSec policies must be bound to WAN-side outbound interfaces.
• The headquarters and branches use the same pre-shared-key.

6.4.22 Example for Configuring IPSec Reverse Route Injection


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-84, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters, branch 1, and branch 2, and they communicate over the public network.
Because the branch gateways connect to multiple private networks, a large number of static
routes need to be configured on the headquarters gateway to direct data destined for branches
to the IPSec tunnel. Besides, the static route configuration on the headquarters gateway needs
to be adjusted when the internal network planning of enterprise branches changes. This creates
a heavy workload and makes configuration errors likely.
The enterprise wants to provide security protection for traffic between the headquarters and
branches, and reduce the configuration and maintenance workload on the headquarters
gateway.


Figure 6-84 Configuring IPSec reverse route injection

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.1.1.1
#
ipsec policy-template center 1 //Configure an IPSec policy template.
ike-peer center
proposal def
route inject dynamic //Configure the dynamic route injection function to
automatically add static routes from the headquarters to branch subnets.
#
ipsec policy hk 1 isakmp template center //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 1.1.1.1 255.255.255.0
ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0 //Configure an interface connected to the
service segment.
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2 //Configure a static route from
the headquarters to branch 1 extranet.
ip route-static 1.4.1.0 255.255.255.0 1.1.1.2 //Configure a static route from
the headquarters to branch 2 extranet.
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3000 //Configure ACL 3000 and define two data flows.
rule 0 permit ip source 10.2.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.22.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.2.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface Ethernet1/0/1 //Configure an interconnection interface for setting up
an IKE connection and encapsulating the outer IP address.
ip address 1.2.1.1 255.255.255.0
ipsec policy hk
#
interface GigabitEthernet0/0/0
ip address 10.22.2.1 255.255.255.0 //Configure an interface connected to
service segment 1.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure an interface connected to service
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters intranet.
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
acl number 3000 //Configure ACL 3000 and define two data flows.
rule 0 permit ip source 10.4.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
rule 5 permit ip source 10.44.4.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.4.1.1
remote-address 1.1.1.1
#
ipsec policy hk 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer branch
proposal def
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 1.4.1.1 255.255.255.0
ipsec policy hk
#
interface Ethernet2/0/0
ip address 10.44.4.1 255.255.255.0 //Configure an interface connected to
service segment 1.
#
interface GigabitEthernet0/0/2
ip address 10.4.4.1 255.255.255.0 //Configure an interface connected to service
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from
branch 2 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.4.1.2 //Configure a static route from
branch 2 to the headquarters intranet.
#
return

Step 4 Verify the configuration.

After the configurations are complete:


• Ping the host in the headquarters from the hosts in the branches. The ping operations
succeed. Run the display ipsec statistics command to view statistics on IPSec packets.
The value of the Inpacket decap count/Outpacket encap count (in a version earlier
than V200R008) or input/output security packets (in V200R008 or a later version)
field is not 0, indicating that data transmitted between the branches and headquarters is
encrypted.
• Run the display ike sa command on the headquarters and branch gateways to view SA
information.
• Run the display ip routing-table command on the headquarters gateway. The command
output shows the routing entries from the headquarters to the branch subnets, where the
destination addresses are 10.2.2.0/24, 10.22.2.0/24, 10.4.4.0/24, and 10.44.4.0/24, the
next-hop address is 1.1.1.1, and the value of the Proto field is Unr indicating injected
routes.

----End

Configuration Notes
• When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
• The headquarters and branches use the same pre-shared key.
• There must be reachable routes between the headquarters and branches.
• Only an SA established using dynamic IKE negotiation supports route injection; a
manually established SA does not support route injection.

6.4.23 Example for Implementing QoS Guarantee for Traffic Passing Through the IPSec Tunnel

Applicability
This example applies to all AR models of V200R003C00 and later versions.

Networking Requirements
As shown in Figure 6-85, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters, and they communicate over the public network. The bandwidth between the
branch egress and public network is 2 Mbit/s. VoIP, production, and office service flows are
transmitted between the headquarters and branch.

The enterprise wants to protect service flows transmitted between the enterprise branch and
headquarters and provide QoS guarantee for the VoIP, production, and office service flows.
• For the VoIP service flow, the IP priority must be set to 5 to ensure low latency and 500
kbit/s bandwidth.
• For the production service flow, the IP priority must be set to 4 to ensure 600 kbit/s
bandwidth.
• For the office service flow, the IP priority must be set to 2 to ensure 800 kbit/s
bandwidth.

Figure 6-85 Implementing QoS guarantee for traffic passing through the IPSec tunnel

Procedure
Step 1 Configure Router_1.
NOTE

Configure the downlink interfaces of the LSW connecting to terminals as access interfaces and add the
interfaces to the VLANs of the VoIP, production, and office services. Configure the uplink interface of the
LSW connecting to Router_1 as a trunk interface and configure it to allow packets from the VoIP,
production, and office service VLANs to pass. For detailed configurations, see the LSW configuration
manual.
#
sysname Router_1
#
ike local-name huawei01
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei02 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
local-address 20.1.1.1
remote-address 30.1.1.1
#
ipsec policy map1 10 isakmp //Create an IPSec policy for the VoIP service flow.
security acl 3001
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 20 isakmp //Create an IPSec policy for the production service
flow.
security acl 3002
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer branch
proposal tran1
qos pre-classify
#
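traffic classifier tc1 operator or //Match the VoIP service flow, which traffic policy tp1 maps to tb1 (500 kbit/s).
if-match acl 3001
traffic classifier tc2 operator or //Match the production service flow, which tp1 maps to tb2 (600 kbit/s).
if-match acl 3002
traffic classifier tc3 operator or //Match the office service flow, which tp1 maps to tb3 (800 kbit/s).
if-match acl 3003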
#
traffic behavior tb1
car cir 500 cbs 94000 pbs 156500 mode color-blind green pass yellow pass red
discard
remark local-precedence ef
traffic behavior tb3
car cir 800 cbs 150400 pbs 250400 mode color-blind green pass yellow pass red
discard
remark local-precedence af2
traffic behavior tb2
car cir 600 cbs 112800 pbs 187800 mode color-blind green pass yellow pass red
discard
remark local-precedence af4
#
traffic policy tp1
classifier tc1 behavior tb1
classifier tc2 behavior tb2
classifier tc3 behavior tb3
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 20.1.1.1 255.255.255.0
traffic-policy tp1 outbound
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
#
interface Ethernet2/0/0.1
dot1q termination vid 10 //Configure the sub-interface to terminate
the VLAN ID of the VoIP service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface. (ARP broadcast is enabled by default.)
ip address 10.1.1.1 255.255.255.0
#
interface Ethernet2/0/0.2
dot1q termination vid 20 //Configure the sub-interface to terminate
the VLAN ID of the production service flow and run the arp broadcast enable
command to enable ARP broadcast on the sub-interface. (ARP broadcast is enabled
by default.)
ip address 10.1.2.1 255.255.255.0
#
interface Ethernet2/0/0.3
dot1q termination vid 30 //Configure the sub-interface to terminate the
VLAN ID of the office service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface.
ip address 10.1.3.1 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters intranet.
ip route-static 30.1.1.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters extranet.
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
ike local-name huawei02
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei01 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command. This command
provides the same function as the remote-id command.
local-address 30.1.1.1
remote-address 20.1.1.1
#
ipsec policy map1 10 isakmp //Create an IPSec policy for the VoIP service flow.
security acl 3001
ike-peer center
proposal tran1
ipsec policy map1 20 isakmp //Create an IPSec policy for the production service
flow.
security acl 3002
ike-peer center
proposal tran1
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer center
proposal tran1
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 30.1.1.1 255.255.255.0
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
ip address 192.168.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's VoIP service segment.
ip route-static 10.1.2.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's production service segment.
ip route-static 10.1.3.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's office service segment.
ip route-static 20.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch extranet.
#
return

Step 3 Verify the configuration.

After the configurations are complete, send VoIP, production, and office service flows to
ETH2/0/0 on Router_1, each at a rate of 10,000 kbit/s.

• The bandwidth for VoIP, production, and office service flows from ETH1/0/0 is no less
than 500 kbit/s, 600 kbit/s, and 800 kbit/s respectively.
• Run the capture-packet interface ethernet 1/0/0 destination terminal command in the
system view on Router_1. The command output shows that the DSCP values of VoIP,
production, and office service packets sent from ETH1/0/0 are 5, 4, and 2.
• Run the display ipsec statistics command on Router_1 and Router_2 to view statistics
on IPSec packets. The value of the Inpacket decap count/Outpacket encap count (in a
version earlier than V200R008) or input/output security packets (in V200R008 or a
later version) field is not 0, indicating that data transmitted between the branches and
headquarters is encrypted.

----End

Configuration Notes
• ACLs configured on devices in the headquarters and branches must mirror each other.
• There must be reachable routes between the headquarters and branches.

6.4.24 Example for Configuring the Branch to Access Internet Using a 4G Interface and Establish IPSec Tunnel with the Headquarters Using IPSec Policy Template

Specifications
This example applies to all AR models of V200R002C00 and later versions.


Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 4G interface to dynamically obtain an IP address from a provider. When
IPSec policies are used, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.

Figure 6-86 Establishing an SA using an IPSec policy template

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00,
the pre-shared key pre-shared-key huawei is displayed in plain text.
ike-proposal 5
remote-address 13.1.1.1 //Configure a peer IP address for initiating IKE
negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Cellular0/0/1 //Set dial parameters for the 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must
be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up
using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from
the carrier. The interface can use the IP address to connect to the public
network.
ipsec policy rta //Bind an IPSec policy to the interface to initiate IPSec
negotiation.
#
dialer-rule //Create a dialer ACL that defines conditions to initiate calls.
dialer-rule 1 ip permit
#
apn profile lteprofile //Create an APN profile.
apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal rtb
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set
the pre-shared key to huawei in cipher text. In versions earlier than V2R3C00,
the pre-shared key pre-shared-key huawei is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp 1 //Configure an IPSec policy template and reference
parameters to the template.
security acl 3000
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and
reference the policy template.
#
interface Ethernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Serial1/0/0 //Configure a public network interface and set a fixed IP
address for the interface.
link-protocol ppp
ip address 13.1.1.1 255.255.255.0
ipsec policy rtb
#
ip route-static 0.0.0.0 0.0.0.0 Serial1/0/0
#
return

Step 3 Verify the configuration.


Run the display ike sa command on the device to view information about the SA.
After the configuration, users in the headquarters and branch can ping each other.

----End

Configuration Notes
• The pre-shared key at both ends must be the same.
• You do not need to specify the remote address of the IKE peer for the end using an IPSec
policy template.
• You can choose not to configure an ACL on the headquarters using an IPSec policy
template. If an ACL is configured on the headquarters to protect data flows, the
destination segment address in the ACL must cover all the source addresses in ACLs on
branches.
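
The mirroring requirement in the Configuration Notes of the preceding examples and the coverage requirement for the policy-template end stated above can both be checked offline before a configuration is applied. The Python below is an added example, not part of the Huawei guide: the function names are assumptions, the Router_1/Router_2 and RouterA/RouterB ACLs are copied from this page, and the 192.168.3.0/24 branch is constructed to show a failing case.

```python
import ipaddress
import re
from typing import NamedTuple


class Flow(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")
ACL_RE = re.compile(r"^acl number (\d+)$")
RULE_RE = re.compile(
    r"^rule(?:\s+\d+)?\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?$"
)


def wildcard_net(addr, wildcard):
    """Turn an address and wildcard mask (e.g. 0.0.0.255) into a network."""
    inv = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard not handled: {wildcard}")
    return ipaddress.ip_network((int(ipaddress.IPv4Address(addr)) & inv, prefix))


def permit_flows(config, acls):
    """Collect the permit rules of the given ACL numbers as (src, dst) flows."""
    flows, current = set(), None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the guide's inline comments
        acl = ACL_RE.match(line)
        if acl:
            current = int(acl.group(1))
        elif line == "#":
            current = None
        elif current in acls:
            rule = RULE_RE.match(line)
            if rule and rule.group(1) == "permit":  # deny = traffic not protected
                src = wildcard_net(*rule.group(2, 3)) if rule.group(2) else ANY
                dst = wildcard_net(*rule.group(4, 5)) if rule.group(4) else ANY
                flows.add(Flow(src, dst))
    return flows


def mirror_gaps(local, peer):
    """Flows (in local orientation) that only one of the two ends would protect."""
    return local ^ {Flow(f.dst, f.src) for f in peer}


def uncovered_by_template(template_end, branch):
    """Branch flows whose source lies outside every destination on the template end."""
    return {b for b in branch
            if not any(b.src.subnet_of(t.dst) for t in template_end)}


# Security ACLs of Router_1 and Router_2 from the QoS example on this page.
ROUTER_1 = """
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
"""
ROUTER_2 = """
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
acl number 3003
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
"""
# ACL 3000 of RouterB (policy-template end) and RouterA (branch) from this page.
ROUTERB = """
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
"""
ROUTERA = """
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
"""
# Constructed second branch (not on the page): its subnet is outside RouterB's ACL.
BRANCH_X = """
acl number 3000
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
"""

if __name__ == "__main__":
    qos = {3001, 3002, 3003}
    print("mirror gaps:",
          mirror_gaps(permit_flows(ROUTER_1, qos), permit_flows(ROUTER_2, qos)))
    hq = permit_flows(ROUTERB, {3000})
    for name, cfg in (("RouterA", ROUTERA), ("constructed branch", BRANCH_X)):
        print(name, "uncovered:", uncovered_by_template(hq, permit_flows(cfg, {3000})))
```

An empty result from either function means the requirement holds; any flow returned is traffic that one end would send into the tunnel while the other end has no matching rule for it.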

6.4.25 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through Active and Standby Links

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-87, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. The branch communicates with the headquarters over the Internet and uses a 3G
link as the standby link. When the active link is faulty, traffic is switched to the standby link
to ensure traffic continuity.
The enterprise needs to protect traffic transmitted over the Internet between the branch and
headquarters. An IPSec tunnel can be established between the branch gateway and headquarters
gateway to protect data flows between them. In addition, the NAT function can be configured
on Router_1 to allow branch users to access external networks.


Figure 6-87 Establishing an IPSec tunnel between the branch and headquarters through active
and standby links

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment that supports NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3010 // Configure an address segment that supports IPSec encryption.
rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In versions earlier than V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
dpd msg seq-hash-notify
remote-address 2.1.1.1
#
ipsec policy rt1 1 isakmp //Configure an IPSec policy.
security acl 3010
ike-peer rta
proposal rta
ipsec policy rt2 1 isakmp
security acl 3010
ike-peer rta
proposal rta
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy rt1 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
standby interface Cellular0/0/1 //Configure a standby interface for the main
interface.
nat outbound 3000 //Configure the NAT function to allow users to access
external networks.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/1 //Configure dial-up parameters for the 3G interface.
link-protocol ppp
ip address ppp-negotiate //Automatically obtain the IP address allocated by the carrier to access the Internet.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dial control list. The interface ID is the same as the rule ID in the control list.
dialer timer autodial 15
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ipsec policy rt2 //Bind the IPSec policy to the interface and launch IPSec negotiation.
nat outbound 3000
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 preference 40 //Configure a static route to use the link as the active link.
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1 preference 80
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3010 //Configure an address segment that supports IPSec encryption.
rule permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal rtb //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
dpd msg seq-hash-notify
#
ipsec policy-template temp 1 //Configure an IPSec policy template and set parameters in the template.
security acl 3010
ike-peer rtb
proposal rtb
#
ipsec policy rtb 1 isakmp template temp //Configure an IPSec policy and reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 //Configure a static route.
#
return

Step 3 Verify the configuration.

Run the display ike sa command to view SA information.

After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.

----End

Configuration Notes

• The pre-shared key used for IKE negotiation at both ends must be the same.
• You do not need to specify the remote IP address of the IKE peer for the end using an
  IPSec policy template.
• You can choose not to configure an ACL on the headquarters gateway using an IPSec
  policy template. If an ACL is configured to protect data flows, the destination address in
  the ACL must cover all the source addresses in ACLs on branches.
• Dial-up parameters on a 3G interface differ between 3G networks. Contact the 3G
  network provider for them.
• When IPSec and NAT are configured simultaneously on a device, the device implements
  NAT before IPSec encryption. Therefore, NAT is performed for data flows sent to the
  remote end first. In the ACL referenced by NAT, set the action to deny for data flows
  that are to be sent over the IPSec tunnel.

6.4.26 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Using Wired Lines

Specifications
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 6-88, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. Router_1 and Router_2 communicate through the public network.

The enterprise needs to protect traffic transmitted over the public network between the
branch and headquarters. An IPSec tunnel can be established between the branch gateway
and headquarters gateway to protect data flows between them. In addition, the NAT function
can be configured on Router_1 to allow branch users to access external networks.

Figure 6-88 Establishing an IPSec tunnel between the branch and headquarters using wired
lines

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment to support NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101 //Configure an address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 // Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer spub v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
remote-address 2.1.1.1
#
ipsec policy map1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy map1 //Bind the IPSec policy to the interface and launch IPSec negotiation.
nat outbound 3000 //Configure the NAT function to allow users to access external networks.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 3101 //Configure the address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer spua v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%#
ike-proposal 5
remote-address 1.1.1.1
#
ipsec policy use1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
ipsec policy use1 //Bind the IPSec policy to the interface.
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route.
ip route-static 10.1.1.0 255.255.255.0 2.1.1.2
#
return

Step 3 Verify the configuration.

Run the display ike sa command to view SA information.

After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.

----End

Configuration Notes
• The pre-shared key used for IKE negotiation at both ends must be the same.
• There must be reachable routes between the headquarters and branches.
• ACLs configured on devices in the headquarters and branches must mirror each other.
• When IPSec and NAT are configured simultaneously on a device, the device implements
  NAT before IPSec encryption. Therefore, NAT is performed for data flows sent to the
  remote end first. In the ACL referenced by NAT, set the action to deny for data flows
  that are to be sent over the IPSec tunnel.
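
The ACL notes above and in the preceding 3G backup example (mirrored IPSec ACLs, and a deny rule in the NAT ACL for tunnel traffic) can be checked offline before a configuration is applied. The Python below is an added example, not part of the Huawei document; its function names are hypothetical, it handles only the "rule [id] permit|deny ip source ... destination ..." form used in these examples, and it assumes rules are evaluated in the order listed.

```python
import ipaddress
import re

# ACL sections of Router_1 and Router_2 as given in 6.4.26 above.
ROUTER_1 = """\
acl number 3000
 rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
ROUTER_2 = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
# Constructed faulty variant: the NAT ACL lacks the deny rule for tunnel traffic.
ROUTER_1_NO_DENY = """\
acl number 3000
 rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?$"
)


def wildcard_net(addr, wildcard):
    """Convert an address and a contiguous wildcard mask into an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in listed order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()      # drop trailing //comments
        header = re.match(r"acl number (\d+)", line)
        rule = RULE_RE.match(line)
        if header:
            current = acls.setdefault(int(header.group(1)), [])
        elif rule and current is not None:
            src = wildcard_net(rule["src"], rule["swc"]) if rule["src"] else ANY
            dst = wildcard_net(rule["dst"], rule["dwc"]) if rule["dst"] else ANY
            current.append((rule["action"], src, dst))
        elif not line.startswith("rule"):
            current = None                     # any other command leaves the ACL view
    return acls


def mirror_mismatches(local_rules, remote_rules):
    """Permit flows on one side that lack the reversed permit on the other."""
    local = {(s, d) for a, s, d in local_rules if a == "permit"}
    remote = {(d, s) for a, s, d in remote_rules if a == "permit"}
    return sorted(local ^ remote, key=str)


def nat_leaks(nat_rules, crypto_rules):
    """Protected flows that the NAT ACL would translate before IPSec sees them."""
    leaks = []
    for action, src, dst in crypto_rules:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in nat_rules:
            if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
                continue
            if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break                          # whole flow exempted before any permit
            if n_action == "permit":
                leaks.append((src, dst))       # source is rewritten, IPSec ACL no longer matches
                break
    return leaks


if __name__ == "__main__":
    r1, r2 = parse_acls(ROUTER_1), parse_acls(ROUTER_2)
    bad = parse_acls(ROUTER_1_NO_DENY)
    print("mirror mismatches:", mirror_mismatches(r1[3101], r2[3101]))
    print("NAT leaks (as documented):", nat_leaks(r1[3000], r1[3101]))
    print("NAT leaks (deny rule missing):", nat_leaks(bad[3000], bad[3101]))
```

A flow reported by nat_leaks would leave the interface translated and unencrypted, because after NAT its source address no longer matches the IPSec ACL.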

6.5 BGP/MPLS IP VPN

6.5.1 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-89:
• CE1 and CE3 belong to vpna.
• CE2 and CE4 belong to vpnb.
• The VPN target of vpna is 111:1, and the VPN target of vpnb is 222:2.
• Users in different VPNs cannot communicate.

Figure 6-89 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure PE1.
#
sysname PE1
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure MPLS.
mpls
#
mpls ldp //Configure LDP.
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb //Bind the VPN instance to the interface.
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

Step 2 Configure the P.


#
sysname P
#
mpls lsr-id 2.2.2.9 //Configure MPLS.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

Step 3 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

Step 4 Configure CE1.


#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.1.1.2 enable
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.2.1.2 enable
#
return

Step 6 Configure CE3.


#
sysname CE3
#
interface Ethernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.3.1.2 enable
#
return

Step 7 Configure CE4.


#
sysname CE4
#
interface Ethernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
bgp 65440 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.4.1.2 enable
#
return

----End

Configuration Notes
• A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
  peer relationship with the peer PE so that VPN routes can be iterated to tunnels.

6.5.2 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between the Branch and Headquarters and Between Branches
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-90, the Hub-CE in the central site controls communication between
Spoke-CEs. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE but not by
the Hub-PE.

Figure 6-90 Networking diagram for configuring Hub and Spoke

Procedure
Step 1 Configure Spoke-CE1.
#
sysname Spoke-CE1
#
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 100.1.1.2 enable
#
return

Step 2 Configure Spoke-PE1.


#
sysname Spoke-PE1
#
ip vpn-instance vpna //Configure a VPN instance.
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

Step 3 Configure Spoke-PE2.


#
sysname Spoke-PE2
#
ip vpn-instance vpna //Configure a VPN instance.
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return

Step 4 Configure Spoke-CE2.


#
sysname Spoke-CE2
#
interface Ethernet1/0/0
ip address 120.1.1.1 255.255.255.0
#
bgp 65420 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 120.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 120.1.1.2 enable
#
return

Step 5 Configure the Hub-CE.


#
sysname Hub-CE
#
interface Ethernet1/0/0
ip address 110.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 110.2.1.1 255.255.255.0
#
bgp 65430 //Establish EBGP peer relationships between the Hub-CE and the Hub-PE.
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return

Step 6 Configure the Hub-PE.


#
sysname Hub-PE
#
ip vpn-instance vpn_in //Configure a VPN instance vpn_in.
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out //Configure a VPN instance vpn_out.
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet3/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Ethernet4/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100 //Establish MP-IBGP peer relationships between the Hub-PE and the Spoke-PEs.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in //Import VPN routes.
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out //Import VPN routes.
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

----End

Configuration Notes
• A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
  peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
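
Which VPN instances accept each other's routes in 6.5.1 and 6.5.2 follows from the vpn-target export and import values alone, so isolation between VPNs and the hub-and-spoke path can be verified from the configurations. The Python below is an added example, not part of the Huawei document; its function names are hypothetical, and the embedded strings keep only the ip vpn-instance and vpn-target lines of each PE (identical on PE1 and PE2, and on both Spoke-PEs).

```python
import re

# vpn-target lines excerpted from the PE configurations in 6.5.1 and 6.5.2.
PE_6_5_1 = """\
ip vpn-instance vpna
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
"""
SPOKE_PE_6_5_2 = """\
ip vpn-instance vpna
 vpn-target 100:1 export-extcommunity
 vpn-target 200:1 import-extcommunity
"""
HUB_PE_6_5_2 = """\
ip vpn-instance vpn_in
 vpn-target 100:1 import-extcommunity
ip vpn-instance vpn_out
 vpn-target 200:1 export-extcommunity
"""
FULL_MESH = {"PE1": PE_6_5_1, "PE2": PE_6_5_1}
HUB_SPOKE = {
    "Spoke-PE1": SPOKE_PE_6_5_2,
    "Spoke-PE2": SPOKE_PE_6_5_2,
    "Hub-PE": HUB_PE_6_5_2,
}


def parse_vpn_targets(device, config):
    """Return {(device, instance): {"export": set, "import": set}}."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()      # drop trailing //comments
        inst = re.match(r"ip vpn-instance (\S+)", line)
        target = re.match(r"vpn-target (.+) (export|import)-extcommunity$", line)
        if inst:
            current = out.setdefault(
                (device, inst.group(1)), {"export": set(), "import": set()})
        elif target and current is not None:
            # one or more route targets may be listed on a line
            current[target.group(2)].update(target.group(1).split())
    return out


def import_graph(network):
    """Map each VPN instance to the instances whose VPNv4 routes it accepts."""
    instances = {}
    for device, config in network.items():
        instances.update(parse_vpn_targets(device, config))
    return {
        importer: {
            exporter
            for exporter, e_targets in instances.items()
            if exporter != importer and e_targets["export"] & i_targets["import"]
        }
        for importer, i_targets in instances.items()
    }


def cross_vpn_imports(graph, vpn_a, vpn_b):
    """(importer, exporter) pairs where one VPN accepts routes of the other."""
    return sorted(
        (importer, exporter)
        for importer, exporters in graph.items()
        for exporter in exporters
        if {importer[1], exporter[1]} == {vpn_a, vpn_b}
    )


if __name__ == "__main__":
    print("6.5.1 vpna/vpnb leaks:",
          cross_vpn_imports(import_graph(FULL_MESH), "vpna", "vpnb"))
    for importer, exporters in sorted(import_graph(HUB_SPOKE).items()):
        print(importer, "accepts routes from", sorted(exporters))
```

In the 6.5.2 result each spoke instance accepts routes only from vpn_out on the Hub-PE, never from the other spoke, which is why traffic between Spoke-CEs passes through the Hub-CE.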

6.5.3 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices on a Hierarchical Network
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-91, CE1 and CE2 belong to the same VPN and have the same VPN
target. CE1 connects to the UPE, and CE2 connects to the PE. UPE, SPE, and PE
communicate using OSPF.

Figure 6-91 Networking diagram for configuring HoVPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Configure EBGP between the PE and the CE.
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure the UPE.


#
sysname UPE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the UPE and the SPE.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure the SPE.


#
sysname SPE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish MP-IBGP peer relationships between the UPE and the SPE, and between the PE and the SPE.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return

Step 4 Configure the PE.


#
sysname PE
# //Create and configure a VPN instance.
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 172.2.1.2 255.255.255.0
mpls //Enable MPLS on the interface
mpls ldp
# //Establish an MP-IBGP peer relationship between the PE and the SPE.
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
# //Configure BGP between the PE and the CE.
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

6.5.4 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option A Mode

Specifications
This example applies to all versions.

This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-92, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.

Inter-AS BGP/MPLS IP VPN is implemented through Option A. That is, the VRF-to-VRF
method is used to manage VPN routes.

Figure 6-92 Networking diagram for configuring Inter-AS VPN Option A

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.1 as-number 65001
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 192.1.1.2 as-number 200
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Configure the MPLS LSR.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 192.1.1.1 as-number 100
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 5 Configure PE2.


#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.1 as-number 65002
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End


6.5.5 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option B Mode

Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-93, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option B:
● ASBR1 and ASBR2 exchange VPNv4 routes using MP-EBGP.
● ASBRs do not filter the VPN-IPv4 routes received from each other based on VPN targets.

Figure 6-93 Networking diagram for configuring Inter-AS VPN Option B

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a CE and a PE.


bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.1.1.1 as-number 65001
import-route direct
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls


#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Enable MPLS.
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable


#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 5 Configure PE2.


#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Configure the MPLS LSR.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.1 as-number 65002
import-route direct
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End
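
The VPN-target handling that Option B depends on, as an added example (not part of the Huawei guide): a small Python model that reads the vpn-target and policy vpn-target lines from excerpts of the Option B configurations above and follows a route exported by PE1 hop by hop. It assumes VPN target filtering is on unless undo policy vpn-target appears in the BGP-VPNv4 view; the function and variable names are hypothetical.

```python
# Added illustration: models VPN-target (RT) filtering along the Option B path.
# The config excerpts are constructed from the Option B listings on this page.

DIRECTIONS = {"export-extcommunity", "import-extcommunity", "both"}

OPTION_B = {
    "PE1": """
ip vpn-instance vpn1
ipv4-family
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 100
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
""",
    "ASBR1": """
bgp 100
ipv4-family vpnv4
undo policy vpn-target
peer 1.1.1.9 enable
peer 192.1.1.2 enable
""",
    "ASBR2": """
bgp 200
ipv4-family vpnv4
undo policy vpn-target
peer 4.4.4.9 enable
peer 192.1.1.1 enable
""",
    "PE2": """
ip vpn-instance vpn1
ipv4-family
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
bgp 200
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
""",
}
PATH = ["PE1", "ASBR1", "ASBR2", "PE2"]


def parse_vrp(text):
    """Return the import/export RT sets and the VPNv4 RT-filter state of one device."""
    dev = {"import": set(), "export": set(), "rt_filter": True}  # assumed default: filter on
    in_vpnv4 = False
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop inline comments
        if not line:
            continue
        if line == "#" or line.startswith("ipv4-family"):
            in_vpnv4 = line == "ipv4-family vpnv4"  # track the BGP-VPNv4 view
            continue
        tok = line.split()
        if tok[0] == "vpn-target":
            direction = tok[-1] if tok[-1] in DIRECTIONS else "both"
            rts = {t for t in tok[1:] if t not in DIRECTIONS}
            if direction != "import-extcommunity":
                dev["export"] |= rts
            if direction != "export-extcommunity":
                dev["import"] |= rts
        elif in_vpnv4 and line == "undo policy vpn-target":
            dev["rt_filter"] = False
    return dev


def accepts(dev, route_rts):
    """Keep a received VPNv4 route if filtering is off or an RT matches a local import RT."""
    return (not dev["rt_filter"]) or bool(route_rts & dev["import"])


def first_drop(path, configs):
    """Follow a route exported by path[0]; return the device that discards it, or None."""
    devs = {name: parse_vrp(configs[name]) for name in path}
    route_rts = devs[path[0]]["export"]
    for name in path[1:]:
        if not accepts(devs[name], route_rts):
            return name
    return None


def unfiltered_speakers(configs):
    """Devices that accept every VPNv4 route regardless of RT (worth reviewing)."""
    return sorted(n for n, t in configs.items() if not parse_vrp(t)["rt_filter"])


if __name__ == "__main__":
    print("as configured on the page:", first_drop(PATH, OPTION_B))
    # ASBR1 has no VPN instance, so with filtering left on it has nothing to match.
    on = dict(OPTION_B, ASBR1=OPTION_B["ASBR1"].replace("undo policy vpn-target", "policy vpn-target"))
    print("filtering left on at ASBR1:", first_drop(PATH, on))
    # PE2 using the 2:2 targets of the Option A example no longer imports PE1's routes.
    rt22 = dict(OPTION_B, PE2=OPTION_B["PE2"].replace("vpn-target 1:1", "vpn-target 2:2"))
    print("PE2 with vpn-target 2:2:", first_drop(PATH, rt22))
    print("accept-all VPNv4 speakers:", unfiltered_speakers(OPTION_B))
```

Because the ASBRs in this mode keep every VPNv4 route they receive, the import vpn-target lines on the PEs are the only RT check left on the path, which is why the list returned by unfiltered_speakers() is worth reviewing.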

6.5.6 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option C Mode

Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-94, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option C.

Figure 6-94 Networking diagram for configuring Inter-AS VPN Option C


Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001 //Establish an EBGP peer relationship between a CE and a PE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

Step 2 Configure PE1.


#
sysname PE1
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100 //Establish an IBGP peer relationship between PE1 and ASBR1.
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200 //Establish an MP-EBGP peer relationship between PE1 and PE2.
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 2.2.2.9 label-route-capability //Enable the ability to exchange labeled IPv4 routes with ASBR1.
peer 4.4.4.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between PE1 and a CE and configure PE1 to import VPN routes from the CE.
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return

Step 3 Configure ASBR1.


#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200 //Establish an EBGP peer relationship between ASBR1 and ASBR2.
peer 1.1.1.9 as-number 100 //Establish an IBGP peer relationship between ASBR1 and PE1.
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export //Apply a routing policy to the routes advertised to ASBR2, and enable labeled IPv4 route exchange with ASBR2.
peer 192.1.1.2 label-route-capability
peer 1.1.1.9 enable
peer 1.1.1.9 route-policy policy2 export //Apply a routing policy to the routes advertised to PE1, and enable labeled IPv4 route exchange with PE1.
peer 1.1.1.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
# //Configure a route-policy.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return

Step 4 Configure ASBR2.


#
sysname ASBR2
# //Enable MPLS.
mpls lsr-id 3.3.3.9


mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Configure labeled IPv4 route exchange.
bgp 200
peer 192.1.1.1 as-number 100 //Establish an EBGP peer relationship between ASBR2 and ASBR1.
peer 4.4.4.9 as-number 200 //Establish an IBGP peer relationship between ASBR2 and PE2.
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export //Apply a routing policy to the routes advertised to ASBR1, and enable labeled IPv4 route exchange with ASBR1.
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export //Apply a routing policy to the routes advertised to PE2, and enable labeled IPv4 route exchange with PE2.
peer 4.4.4.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
# //Create a route-policy.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return

Step 5 Configure PE2.


#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0


ip binding vpn-instance vpn1


ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100 //Establish an MP-EBGP peer relationship between PE2 and PE1.
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
peer 3.3.3.9 label-route-capability
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between PE2 and a CE and configure PE2 to import VPN routes from the CE.
peer 10.2.1.1 as-number 65002
import-route direct
# //Configure routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return

Step 6 Configure CE2.


#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Configure an EBGP peer relationship between the CE and the PE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

----End

6.5.7 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running IS-IS Between the PEs and CEs)

Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.


Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use IS-IS to exchange routes.

Figure 6-95 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.1112.00
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return

Step 2 Configure CE2.


#
sysname CE2
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.0001.00
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return


Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
isis 1 vpn-instance vpn1 //Bind the IS-IS process to the VPN instance.
network-entity 10.0000.1111.1111.00
import-route bgp //Configure the local PE to import VPNv4 routes learned from the remote PE to IS-IS.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route isis 1 //Import IS-IS routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.


ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
isis 1 vpn-instance vpn1 //Bind the IS-IS process to the VPN instance.
network-entity 10.0000.1111.0002.00
import-route bgp //Configure the local PE to import VPNv4 routes learned from the remote PE to IS-IS.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route isis 1 //Import IS-IS routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.

Use the display on PE1 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.2.0/24         IBGP     255  0     RD     2.2.2.2    GigabitEthernet0/0/1
10.137.2.0/24       IBGP     255  20    RD     2.2.2.2    GigabitEthernet0/0/1

Use the display on PE2 as an example.


Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.1.0/24         IBGP     255  0     RD     1.1.1.1    GigabitEthernet0/0/1
10.137.1.0/24       IBGP     255  20    RD     1.1.1.1    GigabitEthernet0/0/1

2. Run the display ip routing-table protocol isis command on CEs. CE1 and CE2 can
learn routes from each other.

Use the display on CE1 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.2.0/24         ISIS-L2  15   74    D      10.1.1.1   GigabitEthernet0/0/1
10.137.2.0/24       ISIS-L2  15   74    D      10.1.1.1   GigabitEthernet0/0/1

Use the display on CE2 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.1.0/24         ISIS-L2  15   74    D      10.1.2.1   GigabitEthernet0/0/1
10.137.1.0/24       ISIS-L2  15   74    D      10.1.2.1   GigabitEthernet0/0/1

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
● When PEs and CEs use IS-IS to exchange routes, bind the IS-IS process to the VPN instance.
● On each PE, BGP and IS-IS must import routes from each other.

6.5.8 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running BGP Between the PEs and CEs)

Specifications
This example applies to all versions.

This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use BGP to exchange routes.


Figure 6-96 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
bgp 65101
peer 10.1.1.1 as-number 100 //Establish an EBGP peer relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
bgp 65102
peer 10.1.2.1 as-number 100 //Establish an EBGP peer relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.1 enable


#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.2 as-number 65101 //Configure the CE as a VPN peer.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity


vpn-target 1:1 import-extcommunity


#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.2 as-number 65102 //Configure the CE as a VPN peer.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.

Use the display on PE1 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.2.0/24         IBGP     255  0     RD     2.2.2.2    GigabitEthernet0/0/1
10.137.2.0/24       IBGP     255  0     RD     2.2.2.2    GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.1.0/24         IBGP     255  0     RD     1.1.1.1    GigabitEthernet0/0/1
10.137.1.0/24       IBGP     255  0     RD     1.1.1.1    GigabitEthernet0/0/1


2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.
Use the display on CE1 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.2.0/24         EBGP     255  0     D      10.1.1.1   GigabitEthernet0/0/1
10.137.2.0/24       EBGP     255  0     D      10.1.1.1   GigabitEthernet0/0/2

Use the display on CE2 as an example.

Destination/Mask    Proto    Pre  Cost  Flags  NextHop    Interface

10.1.1.0/24         EBGP     255  0     D      10.1.2.1   GigabitEthernet0/0/1
10.137.1.0/24       EBGP     255  0     D      10.1.2.1   GigabitEthernet0/0/2

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
● PEs and CEs can use IBGP or EBGP to exchange routes. This example uses EBGP.
● You must configure the CE as a VPN peer in the BGP-VPN instance IPv4 address family view on the connected PE.

6.5.9 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running OSPF Between the PEs and CEs)

Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes.


Figure 6-97 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.137.1.0 0.0.0.255
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.137.2.0 0.0.0.255
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.


ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 3 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ospf 3 vpn-instance vpn1 //Create an OSPF process and bind the OSPF process to the VPN instance.
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to OSPF.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity


#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE to OSPF.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.2.0/24         IBGP    255  0     RD     2.2.2.2    GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  3     RD     2.2.2.2    GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  3     RD     1.1.1.1    GigabitEthernet0/0/1

2. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can
learn routes from each other.

Use the display on CE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.2.0/24         O_ASE   150  1     D      10.1.1.1   GigabitEthernet0/0/1
10.137.2.0/24       OSPF    10   4     D      10.1.1.1   GigabitEthernet0/0/1

Use the display on CE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         O_ASE   150  1     D      10.1.2.1   GigabitEthernet0/0/1
10.137.1.0/24       OSPF    10   4     D      10.1.2.1   GigabitEthernet0/0/1

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
- When PEs and CEs use OSPF to exchange routes, bind the OSPF process to the VPN
  instance.
- Each PE must import BGP routes into OSPF and OSPF routes into BGP.

6.5.10 Example for Configuring an OSPF Sham Link to Prevent Traffic Between Users in One VPN of the Same OSPF Area from Being Forwarded Based on the OSPF Intra-Area Routes

Specifications
This example applies to all versions.

This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes. CE1 and CE2 belong to the same OSPF area. VPN traffic
between CE1 and CE2 must be forwarded over the MPLS backbone network rather than
over OSPF intra-area routes.

Figure 6-98 Networking diagram for configuring BGP MPLS/IP VPN and OSPF sham link

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 192.168.2.2 255.255.255.0
ospf cost 10
#
interface Ethernet1/0/1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
#
interface Ethernet1/0/0
ip address 100.1.2.2 255.255.255.0
#
interface Ethernet1/0/1
ip address 192.168.2.1 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Ethernet1/0/1
ip binding vpn-instance vpn1
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack11
ip binding vpn-instance vpn1 //Bind the loopback interface used to establish a
sham link to the VPN instance.
ip address 11.11.11.11 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route direct //Import the end address of a sham link. The end address
of a sham link is advertised as the VPN-IPv4 address.
import-route ospf 2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 11.11.11.11 22.22.22.22 //Specify the source and destination
addresses of the sham link.
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpn1
ip address 100.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack22
ip binding vpn-instance vpn1 //Bind the loopback interface used to establish a
sham link to the VPN instance.
ip address 22.22.22.22 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route direct //Import the end address of a sham link. The end address
of a sham link is advertised as the VPN-IPv4 address.
import-route ospf 2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.2.0 0.0.0.255
sham-link 22.22.22.22 11.11.11.11 //Specify the source and destination
addresses of the sham link.
#
return

Step 5 Verify the configuration.


1. Run the display ospf 2 sham-link command on PEs to view the sham link.
Use the display on PE2 as an example.

Area     NeighborId  Source-IP    Destination-IP  State  Cost
0.0.0.0  100.1.1.1   22.22.22.22  11.11.11.11     P-2-P  1

2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
11.11.11.11/32      Direct  0    0     D      127.0.0.1  LoopBack0
22.22.22.22/32      IBGP    255  0     RD     2.2.2.2    GigabitEthernet0/0/1
100.1.1.0/24        Direct  0    0     D      100.1.1.1  Ethernet1/0/1
100.1.1.1/32        Direct  0    0     D      127.0.0.1  Ethernet1/0/1
100.1.1.255/32      Direct  0    0     D      127.0.0.1  Ethernet1/0/1
100.1.2.0/24        IBGP    255  0     RD     2.2.2.2    GigabitEthernet0/0/1
192.168.1.0/24      OSPF    10   2     D      100.1.1.2  Ethernet1/0/1
192.168.2.0/24      OSPF    10   11    D      100.1.1.2  Ethernet1/0/1
192.168.3.0/24      IBGP    255  3     RD     2.2.2.2    GigabitEthernet0/0/1
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
11.11.11.11/32      IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
22.22.22.22/32      Direct  0    0     D      127.0.0.1  LoopBack0
100.1.1.0/24        IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
100.1.2.0/24        Direct  0    0     D      100.1.2.1  Ethernet1/0/0
100.1.2.1/32        Direct  0    0     D      127.0.0.1  Ethernet1/0/0
100.1.2.255/32      Direct  0    0     D      127.0.0.1  Ethernet1/0/0
192.168.1.0/24      IBGP    255  3     RD     1.1.1.1    GigabitEthernet0/0/1
192.168.2.0/24      OSPF    10   11    D      100.1.2.2  Ethernet1/0/0
192.168.3.0/24      OSPF    10   2     D      100.1.2.2  Ethernet1/0/0
255.255.255.255/32  Direct  0    0     D      127.0.0.1  InLoopBack0

3. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can
learn routes from each other and the outbound interface is the CE interface connected to
the PE.
Use the display on CE1 as an example.

100.1.2.0/24        OSPF    10   3     D      100.1.1.1  Ethernet1/0/1
192.168.3.0/24      OSPF    10   4     D      100.1.1.1  Ethernet1/0/1

Use the display on CE2 as an example.

100.1.1.0/24        OSPF    10   3     D      100.1.2.1  Ethernet1/0/0
192.168.1.0/24      OSPF    10   4     D      100.1.2.1  Ethernet1/0/0

----End

Configuration Notes
- The route of the sham link address must not be advertised to the peer PE through an
  OSPF process bound to a VPN instance. If it is, the peer PE has two routes to the
  sham link address, one learned from OSPF and one learned from MP-BGP. The OSPF
  route takes precedence over the BGP route, so the peer PE uses the OSPF route. As a
  result, the sham link fails to be established.
- A PE must use the loopback interface address with a 32-bit mask to establish a sham
  link.
- To forward VPN traffic through the MPLS backbone network, configure the cost of the
  sham link to be smaller than the cost of the OSPF route used for forwarding VPN traffic
  over the user network.
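The sham-link rules above can be checked offline before a PE configuration is applied. The following Python script is an added example, not Huawei's code: it parses a flat VRP configuration as printed in this document and flags a sham-link source address that is not on a /32 loopback in the same VPN instance, that is covered by a network statement of the VPN-bound OSPF process, or that BGP does not pick up through import-route direct. The function names, finding codes and both sample configurations are assumptions of this example; the sham-link cost rule is not checked.

```python
import ipaddress

# Constructed sample: PE1 stanzas from Step 3 above, trimmed to what the checks read.
PE1_CONFIG = """\
#
interface LoopBack11
ip binding vpn-instance vpn1 //Loopback used as the sham link end address.
ip address 11.11.11.11 255.255.255.255
#
bgp 100
#
ipv4-family vpn-instance vpn1
import-route direct
import-route ospf 2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 11.11.11.11 22.22.22.22
#
return
"""

# Constructed faulty variant: /24 loopback, end address advertised by the VPN
# OSPF process, and no 'import-route direct' in the BGP VPN instance.
BROKEN_PE1 = (PE1_CONFIG
              .replace("255.255.255.255", "255.255.255.0")
              .replace("import-route direct\n", "")
              .replace("sham-link 11", "network 11.11.11.0 0.0.0.255\nsham-link 11"))

def wildcard_network(addr, wildcard):
    """Turn an OSPF 'network <addr> <wildcard>' pair into an IPv4Network."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{bin(mask).count('1')}")

def parse(config):
    """Collect interface, OSPF and BGP VPN-instance stanzas from a VRP config."""
    ifaces, ospf, bgp_imports = {}, {}, {}
    kind = cur = None
    for raw in config.splitlines():
        w = raw.split("//")[0].split()          # drop the manual's // annotations
        if not w:
            continue
        if w[0] == "#":
            kind = None                         # '#' closes the current stanza
        elif w[0] == "interface" and len(w) == 2:
            kind, cur = "if", ifaces.setdefault(w[1], {"vpn": None, "addr": None})
        elif w[0] == "ospf" and len(w) > 1 and w[1].isdigit():
            vpn = w[3] if len(w) == 4 and w[2] == "vpn-instance" else None
            kind, cur = "ospf", ospf.setdefault(w[1], {"vpn": vpn, "nets": [], "sham": []})
        elif w[0] == "ipv4-family":
            is_vrf = len(w) == 3 and w[1] == "vpn-instance"
            kind, cur = ("vrf", bgp_imports.setdefault(w[2], set())) if is_vrf else (None, None)
        elif kind == "if" and w[:3] == ["ip", "binding", "vpn-instance"] and len(w) == 4:
            cur["vpn"] = w[3]
        elif kind == "if" and w[:2] == ["ip", "address"] and len(w) == 4:
            cur["addr"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif kind == "ospf" and w[0] == "network" and len(w) == 3:
            cur["nets"].append(wildcard_network(w[1], w[2]))
        elif kind == "ospf" and w[0] == "sham-link" and len(w) >= 3:
            cur["sham"].append(ipaddress.IPv4Address(w[1]))   # local (source) end
        elif kind == "vrf" and w[0] == "import-route":
            cur.add(w[1])
    return ifaces, ospf, bgp_imports

def check_sham_links(config):
    """Return (code, detail) findings; an empty list means every check passed."""
    ifaces, ospf, bgp_imports = parse(config)
    findings = []
    for pid, proc in ospf.items():
        for src in proc["sham"]:
            name, iface = next(((n, i) for n, i in ifaces.items()
                                if i["addr"] and i["addr"].ip == src), (None, None))
            if name is None or not name.lower().startswith("loopback"):
                findings.append(("SRC_NOT_LOOPBACK", f"ospf {pid}: {src}"))
            else:
                if iface["addr"].network.prefixlen != 32:
                    findings.append(("MASK_NOT_32", f"{name}: {iface['addr']}"))
                if iface["vpn"] != proc["vpn"]:
                    findings.append(("VPN_MISMATCH", f"{name} is not in {proc['vpn']}"))
            for net in proc["nets"]:
                if src in net:   # end address would be advertised by the VPN OSPF process
                    findings.append(("ENDPOINT_IN_VPN_OSPF", f"ospf {pid}: {src} in {net}"))
            if "direct" not in bgp_imports.get(proc["vpn"], set()):
                findings.append(("NO_IMPORT_DIRECT", f"bgp vpn-instance {proc['vpn']}"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("PE1", PE1_CONFIG), ("broken PE1", BROKEN_PE1)):
        print(label, check_sham_links(cfg) or "OK")
```

The public OSPF process (ospf 1) advertising 1.1.1.1 is not flagged, because only the process that carries the sham-link statement is inspected.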

6.5.11 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running Static Routes Between the PEs and CEs)
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use static routes to communicate.

Figure 6-99 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.2.1
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static vpn-instance vpn1 10.137.1.0 255.255.255.0 10.1.1.2
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ip route-static vpn-instance vpn1 10.137.2.0 255.255.255.0 10.1.2.2
#
return

Step 5 Verify the configuration.


# Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN routing
table on the local PE has a route to the peer PE. CE2 can ping IP address 10.137.1.1 and CE1
can ping IP address 10.137.2.1.
# Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.2.0/24         IBGP    255  0     RD     2.2.2.2    GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  20    RD     2.2.2.2    GigabitEthernet0/0/1

# Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  20    RD     1.1.1.1    GigabitEthernet0/0/1

----End

Configuration Notes
- BGP on PEs needs to import static VPN routes.
- Static routes to other VPNs must be configured on CEs.

6.5.12 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running RIP Between the PEs and CEs)
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use RIP to exchange routes.

Figure 6-100 Networking diagram for configuring BGP/MPLS IP VPN

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return

Step 2 Configure CE2.

#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route rip 1 //Import RIP routes into the VRF table of the BGP-VPN
instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
rip 1 vpn-instance vpn1 //Create a RIP process and bind it to the VPN
instance.
import-route bgp //Configure the local PE to import VPNv4 routes learned from
the peer PE to RIP.
version 2
network 10.0.0.0
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1 //Create a VPN instance.
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to build an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route rip 1 //Import RIP routes into the VRF table of the BGP-VPN
instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
rip 1 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from
the peer PE to RIP.
version 2
network 10.0.0.0
#
return

Step 5 Verify the configuration.


1. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.

Use the display on PE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.2.0/24         IBGP    255  0     RD     2.2.2.2    GigabitEthernet0/0/1
10.137.2.0/24       IBGP    255  1     RD     2.2.2.2    GigabitEthernet0/0/1

Use the display on PE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
10.137.1.0/24       IBGP    255  1     RD     1.1.1.1    GigabitEthernet0/0/1

2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.

Use the display on CE1 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.2.0/24         RIP     100  1     D      10.1.1.1   GigabitEthernet0/0/2
10.137.2.0/24       RIP     100  1     D      10.1.1.1   GigabitEthernet0/0/2

Use the display on CE2 as an example.

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24         RIP     100  1     D      10.1.2.1   GigabitEthernet0/0/2
10.137.1.0/24       RIP     100  1     D      10.1.2.1   GigabitEthernet0/0/2

CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.

----End

Configuration Notes
- When PEs and CEs use RIP to exchange routes, bind the RIP process to the VPN
  instance.
- Each PE must import BGP routes into RIP and RIP routes into BGP.

6.5.13 Example for Configuring Route Reflection to Optimize the VPN Backbone Layer

Specifications
This example applies to all versions.

This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, and CE1 and CE2 belong to vpn1. MP-IBGP
connections are set up between PE1 and the RR and between PE2 and the RR, and the
RR reflects VPN routes.

Figure 6-101 Networking diagram for configuring route reflection to optimize the VPN
backbone layer

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 192.168.4.2 255.255.255.0
#
bgp 65001 //Establish an EBGP relationship with PE1.
peer 192.168.4.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.4.1 enable
#
return

Step 2 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet0/0/2
ip address 192.168.3.2 255.255.255.0
#
bgp 65002 //Establish an EBGP relationship with PE2.
peer 192.168.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.3.1 enable
#
return

Step 3 Configure PE1.


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip binding vpn-instance vpn1
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 //Specify the RR as the IBGP peer.
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
peer 192.168.4.2 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 4 Configure PE2.


#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip binding vpn-instance vpn1
ip address 192.168.3.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 //Specify the RR as the IBGP peer.
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

Step 5 Configure the RR.


#
sysname RR
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100 //Specify PE2 as the IBGP peer of the RR.
peer 3.3.3.3 connect-interface LoopBack0
peer 1.1.1.1 as-number 100 //Specify PE1 as the IBGP peer of the RR.
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 1.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target //Configure the RR not to filter the received VPNv4
routes based on VPN targets.
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client //Configure route reflection for BGP VPNv4 routes
on the RR. PE2 is the client.
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client //Configure route reflection for BGP VPNv4 routes
on the RR. PE1 is the client.
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

Step 6 Verify the configuration.


1. Run the dis bgp vpnv4 all peer command on a PE or RR to view the BGP VPNv4 peer
setup.
The display on PE1 is as follows:
Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2.2.2.2   4  100  13       11       0     00:08:10  Established  1

The display on PE2 is as follows:


Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
2.2.2.2   4  100  18       19       0     00:13:44  Established  1

The display on the RR is as follows:


Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
3.3.3.3   4  100  19       19       0     00:14:13  Established  1
1.1.1.1   4  100  16       19       0     00:13:36  Established  1

2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.

The display on PE1 is as follows:

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
192.168.3.0/24      IBGP    255  0     RD     3.3.3.3    GigabitEthernet0/0/2

The display on PE2 is as follows:

Destination/Mask    Proto   Pre  Cost  Flags  NextHop    Interface
...
192.168.4.0/24      IBGP    255  0     RD     1.1.1.1    GigabitEthernet0/0/1
...

----End

Configuration Notes
- The PEs only need to establish MP-IBGP peer relationships with the RR.
- The VPN instance does not need to be configured on the RR.

6.6 VLL

6.6.1 Example for Configuring Martini VLL to Implement Communication Among Devices

Applicability
This example applies to all AR models of V200R003C00 and later versions.

This example does not apply to the AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 6-102, the MPLS network of an ISP provides the L2VPN service for
users. Many users connect to the MPLS network through PE1 and PE2, and users connected
to PE1 and PE2 change frequently. A proper VPN solution is required to provide secure VPN
services for users and to simplify configuration when new users connect to the network.

A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements.

Figure 6-102 Martini VLL networking

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
return

Step 2 Configure PE1.


#
sysname PE1
#
mpls lsr-id 10.10.10.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.10.3 //Create a remote LDP session.
remote-ip 10.10.10.3
#
interface GigabitEthernet1/0/0 //Create a VLL in Martini mode.
mpls l2vc 10.10.10.3 101
#
interface GigabitEthernet2/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.10.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.10.10.1 0.0.0.0
#
return

Step 3 Configure the P.


#
sysname P
#
mpls lsr-id 10.10.10.2 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet2/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.10.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
network 10.10.10.2 0.0.0.0
#
return

Step 4 Configure PE2.


#
sysname PE2
#
mpls lsr-id 10.10.10.3 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.10.1 //Create a remote LDP session.
remote-ip 10.10.10.1
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0 //Create a VLL in Martini mode.
mpls l2vc 10.10.10.1 101
#
interface LoopBack1
ip address 10.10.10.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.10.10.3 0.0.0.0
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.3.1.2 255.255.255.0
#
return

Step 6 Verify the configuration.


# Run the display mpls l2vc brief command on the PE devices to check L2VPN connection
information. You can see that an LDP VC is set up and is in Up state.
# CE1 and CE2 can ping each other.

----End

6.6.2 Example for Configuring VLL to Implement Communication over a GRE Tunnel
Applicability
This example applies to all AR models of V200R003C00 and later versions.
This example does not apply to the AR120&AR150&AR160&AR200 series routers.

Networking Requirements
The MPLS network of an ISP provides the L2VPN service for users. Many users connect to
the MPLS network through PE1 and PE2, and users connected to PE1 and PE2 change
frequently. A proper VPN solution is required to provide secure VPN services for users and to
simplify configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements. By
default, PE1 and PE2 set up one LSP tunnel and do not load balance traffic among multiple
tunnels. When the P device does not support MPLS, Martini VLL cannot be implemented.
To solve this problem, you can apply a tunnel policy to a Martini VLL so that VLL services
can be transmitted over the GRE tunnel.

Figure 6-103 Networking diagram for configuring VLL to use a GRE tunnel

Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
return

Step 2 Configure PE1.


#
sysname PE1
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.2.1 //Create a remote LDP session.
remote-ip 10.10.2.1
#
interface GigabitEthernet1/0/0
mpls l2vc 10.10.2.1 39 tunnel-policy gre1 //Create a VLL in Martini mode and
specify the tunnel policy name.
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
interface Tunnel0/0/1 //Create a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 10.10.1.1
destination 10.10.2.1
#
ospf 1
area 0.0.0.0
network 10.10.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
#
tunnel-policy gre1 //Configure a tunnel policy.
tunnel select-seq gre load-balance-number 1
#
return

Step 3 Configure the P.


#
sysname P
#
interface GigabitEthernet2/0/0
ip address 172.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 172.2.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return


Step 4 Configure PE2.


#
sysname PE2
#
mpls lsr-id 10.10.2.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls l2vpn //Enable MPLS L2VPN functions.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer 10.10.1.1 //Create a remote LDP session.
remote-ip 10.10.1.1
#
interface GigabitEthernet1/0/0
ip address 172.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
mpls l2vc 10.10.1.1 39 tunnel-policy gre1 //Create a VLL in Martini mode and specify the tunnel policy name.
#
interface LoopBack1
ip address 10.10.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Create a GRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 10.10.2.1
destination 10.10.1.1
#
ospf 1
area 0.0.0.0
network 10.10.2.1 0.0.0.0
network 172.2.1.0 0.0.0.255
#
tunnel-policy gre1 //Configure a tunnel policy.
tunnel select-seq gre load-balance-number 1
#
return

Step 5 Configure CE2.


#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
return

Step 6 Verify the configuration.


# Run the display mpls l2vc brief command on the PE devices to check L2VPN connection
information. You can see that a VC is set up and is in Up state.
# CE1 and CE2 can ping each other.

----End
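
The PE1 and PE2 configurations in Steps 2 and 4 only work as a pair: the VC ID, the l2vc peer addresses, the remote LDP session and the GRE tunnel endpoints must mirror each other. The following Python check is an added example, not part of the Huawei document; the function names and the consistency rules are assumptions derived from Steps 2 and 4, and the fault in the last line is constructed.

```python
import re

# Template built from the PE1/PE2 configurations in Steps 2 and 4 (comments and
# the OSPF/physical-interface sections omitted; they are not audited here).
PE_TEMPLATE = """\
#
sysname {name}
#
mpls lsr-id {local}
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer {remote}
 remote-ip {remote}
#
interface {ac}
 mpls l2vc {remote} {vcid} tunnel-policy gre1
#
interface Tunnel0/0/1
 ip address {tun_ip} 255.255.255.0
 tunnel-protocol gre
 source {local}
 destination {remote}
#
tunnel-policy gre1
 tunnel select-seq gre load-balance-number 1
#
return
"""
PE1 = PE_TEMPLATE.format(name="PE1", local="10.10.1.1", remote="10.10.2.1",
                         ac="GigabitEthernet1/0/0", vcid=39, tun_ip="10.2.1.1")
PE2 = PE_TEMPLATE.format(name="PE2", local="10.10.2.1", remote="10.10.1.1",
                         ac="GigabitEthernet2/0/0", vcid=39, tun_ip="10.2.1.2")


def parse(cfg):
    """Pull out the fields that both ends of the VLL must agree on."""
    f = {"name": "?", "lsr_id": None, "l2vc": [], "ldp": set(), "gre": [], "policy": {}}
    for block in re.split(r"(?m)^#[ \t]*$", cfg):      # VRP separates sections with '#'
        lines = [l.split("//")[0].strip() for l in block.splitlines()]
        lines = [l for l in lines if l]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        for l in lines:
            if m := re.fullmatch(r"sysname (\S+)", l):
                f["name"] = m[1]
            elif m := re.fullmatch(r"mpls lsr-id (\S+)", l):
                f["lsr_id"] = m[1]
            elif m := re.fullmatch(r"remote-ip (\S+)", l):
                f["ldp"].add(m[1])
            elif m := re.fullmatch(r"mpls l2vc (\S+) (\d+) tunnel-policy (\S+)", l):
                f["l2vc"].append((m[1], int(m[2]), m[3]))
        if head.startswith("interface Tunnel") and "tunnel-protocol gre" in body:
            kv = dict(l.split(None, 1) for l in body
                      if l.startswith(("source ", "destination ")))
            f["gre"].append((kv.get("source"), kv.get("destination")))
        elif m := re.fullmatch(r"tunnel-policy (\S+)", head):
            f["policy"][m[1]] = body
    return f


def audit(cfg_a, cfg_b):
    """Return a list of mismatches between the two PE configurations."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    for me, peer in ((a, b), (b, a)):
        n = me["name"]
        if not me["l2vc"]:
            issues.append(f"{n}: no 'mpls l2vc ... tunnel-policy' on any interface")
        for peer_ip, vcid, pol in me["l2vc"]:
            if peer_ip != peer["lsr_id"]:
                issues.append(f"{n}: l2vc peer {peer_ip} is not {peer['name']}'s LSR ID")
            if vcid not in [v for _, v, _ in peer["l2vc"]]:
                issues.append(f"{n}: VC ID {vcid} has no match on {peer['name']}")
            if peer_ip not in me["ldp"]:
                issues.append(f"{n}: no remote LDP peer {peer_ip}")
            if not any(l.startswith("tunnel select-seq gre")
                       for l in me["policy"].get(pol, [])):
                issues.append(f"{n}: tunnel policy {pol} does not select GRE")
            tunnels = [t for t in me["gre"] if t[1] == peer_ip]
            if not tunnels:
                issues.append(f"{n}: no GRE tunnel with destination {peer_ip}")
            elif not any((dst, src) in peer["gre"] for src, dst in tunnels):
                issues.append(f"{n}: GRE source/destination not mirrored on {peer['name']}")
    return issues


if __name__ == "__main__":
    print(audit(PE1, PE2))                          # the pair from the page
    print(audit(PE1, PE2.replace(" 39 ", " 40 ")))  # constructed fault: VC ID typo on PE2
```

Running the audit on saved configurations before the change window catches the mismatches that otherwise only show up as a VC that never reaches the Up state in display mpls l2vc brief.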

6.7 PWE3

6.7.1 Example for Configuring E&M Interfaces for Transmitting VHF Services in ATC Scenario (Dual Link Protection on the Backbone Network)

Specifications
This example applies to AR2220, AR2240, AR2240C, AR3260 and AR3670 routers of
V200R005C20 and later versions.

Networking Requirements
In an Air Traffic Control (ATC) scenario, the Area Control Center (ACC) connects to a
broadcasting system over the backbone network as shown in Figure 6-104. PE1 on the
backbone network uses an E&M interface to connect to the Voice Communication System of
the ACC, and PE2 uses an E&M interface to connect to the broadcasting system. The
customer requires that very high frequency (VHF) services can be normally transmitted
between the ACC and broadcasting system, so that the pilots can talk with the air traffic
controller.
In addition, communication between the ACC and broadcasting system is very important and
signal interruption is not allowed. The customer uses two E1 links to ensure communication
stability and reliability.

Figure 6-104 Configuring E&M interfaces for transmitting VHF services in ATC scenario

Requirement Analysis
● VHF services between the ACC and broadcasting system need to be transmitted through
an E&M interface. PWE3 is required to set up a tunnel over the backbone network for
transmitting VHF service data.
● The customer uses two E1 links over the backbone network to ensure communication
stability and reliability. Among the current tunneling technologies, MPLS TE is
preferred due to its high reliability and fast switching capability. In addition, MPLS TE
can be used with BFD to speed up fault detection and switching between primary and
backup CR-LSPs. The primary and backup CR-LSPs set up using MPLS TE each use one E1
explicit path. After the primary link fails, service data is fast switched to the
hot backup CR-LSP without traffic loss or delay.
NOTE

The PWE3 function is used with a license. To use the PWE3 functions, apply for and purchase the license
from the Huawei local office.


Procedure
Step 1 Configure PE1.
#
sysname PE1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf //Enable CSPF and create an MPLS TE tunnel.
#
mpls l2vpn
#
explicit-path backup //Specify an explicit path for the backup CR-LSP.
next hop 173.1.1.2
next hop 2.2.2.9
#
explicit-path main //Specify an explicit path for the primary CR-LSP.
next hop 172.1.1.2
next hop 2.2.2.9
#
pw-template pe2pe //Set up PWE3 using the PW template.
peer-address 2.2.2.9 //Specify the remote address of the PW.
jitter-buffer depth 8 //Set the jitter buffer depth. The deeper the jitter buffer is, the stronger the anti-jitter capabilities are, but a long transmission delay will be introduced when data flows are reconstructed. An improper jitter buffer depth will degrade service transmission quality.
tdm-encapsulation-number 8 //Set the number of TDM frames encapsulated into each PW packet. If you encapsulate a small number of TDM frames into a packet, network delay will be small, but encapsulation overhead will be high. If you encapsulate a large number of TDM frames into a packet, the bandwidth usage will be high, but network delay will be large.
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9 //Specify the MPLS LDP peer.
remote-ip 2.2.2.9
#
controller E1 1/0/0
using e1
clock master //Configure the interface to work in master clock mode to ensure correct data transmission.
#
controller E1 1/0/1
using e1
clock master
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0 //Configure an AC interface to create a tunnel for transmitting high frequency services.
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable //Enable transparent data transmission to transmit E&M data through the MPLS tunnel.
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel0/0/0 //Create an MPLS TE tunnel.
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 2.2.2.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main //Configure the explicit path used by the primary CR-LSP.
mpls te path explicit-path backup secondary //Configure the explicit path used by the backup CR-LSP.
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 1.1.1.9 //Advertise routing information to set up an MPLS TE tunnel.
opaque-capability enable
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 173.1.1.0 0.0.0.255
mpls-te enable
#
tunnel-policy te //Configure a tunnel policy to enable the PWE3 to use the MPLS TE tunnel and LDP LSP.
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd a bind mpls-te interface Tunnel0/0/0 te-lsp //Configure BFD to fast switch service data between the primary and backup CR-LSPs.
discriminator local 10
discriminator remote 10
min-tx-interval 10
min-rx-interval 10
process-pst
notify neighbor-down
commit
#
return

Step 2 Configure PE2.


#
sysname PE2
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls l2vpn
#
explicit-path backup
next hop 173.1.1.1
next hop 1.1.1.9
#
explicit-path main
next hop 172.1.1.1
next hop 1.1.1.9
#
pw-template pe2pe
peer-address 1.1.1.9
jitter-buffer depth 8
tdm-encapsulation-number 8
#
mpls ldp
#
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
controller E1 1/0/0
using e1
#
controller E1 1/0/1
using e1
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/0
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 1.1.1.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main
mpls te path explicit-path backup secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 2.2.2.9
opaque-capability enable
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 173.1.1.0 0.0.0.255
mpls-te enable
#
tunnel-policy te
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd a bind mpls-te interface Tunnel0/0/0 te-lsp
discriminator local 10
discriminator remote 10
min-tx-interval 10
min-rx-interval 10
process-pst
notify neighbor-down
commit
#
return

Step 3 Verify the Configuration


# After the configurations are complete, check whether an MPLS TE tunnel has been set up
between the two PE devices and whether the VCs are in Up state. The command output on
PE1 is used as an example.
[PE1] display mpls te tunnel-interface tunnel 0/0/0
----------------------------------------------------------------
Tunnel0/0/0
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 100
Ingress LSR ID : 1.1.1.9 Egress LSR ID: 2.2.2.9
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 10
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32773
[PE1] display mpls l2vc interface serial 4/0/0
*client interface : Serial4/0/0 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Label state : 0
Token state : 0
VC ID : 300
VC type : CESoPSN basic mode
destination : 2.2.2.9
......

# When music is played in the ACC, the broadcasting system transmits voices properly and
clearly. When the primary E1 link is cut off, services are fast switched to the backup link and
pilots are not aware of interruption or delay. When the primary E1 link recovers, services are
fast switched back to the primary link and pilots are not aware of interruption or delay.

----End


7 IP Address Allocation

7.1 Example for Configuring the Router to Function as a DHCP Server to Dynamically
Assign IP Addresses to Clients
7.2 Example for Configuring the Router to Function as a DHCP Client to Dynamically Obtain
an IP Address
7.3 Example for Configuring DHCP Relay to Enable Users to Obtain IP Addresses from a
DHCP Server
7.4 Example for Configuring Users to Automatically Obtain IPv6 Addresses

7.1 Example for Configuring the Router to Function as a DHCP Server to Dynamically Assign IP Addresses to Clients
Applicability
This example applies to all versions and AR routers.

Networking Requirements
The router functions as the DHCP server to dynamically allocate IP addresses to the clients on
the network segment 10.10.1.0/24. This network segment consists of two subnet segments:
10.10.1.0/25 and 10.10.1.128/25. The IP addresses of GE0/0/0 and GE0/0/1 on the router are
10.10.1.1/25 and 10.10.1.129/25, respectively. On the network segment 10.10.1.0/25, the IP
address lease is 10 days and 12 hours, the domain name is huawei.com, the DNS server
address is 10.10.1.2, the NetBIOS server address is 10.10.1.4, and the egress gateway address
is 10.10.1.1. It is required that the fixed IP address 10.10.1.5 be assigned to the office PC
(PC_AD) to meet service requirements. On the network segment 10.10.1.128/25, the IP
address lease is 5 days, the domain name is huawei.com, the DNS server address is 10.10.1.2,
no NetBIOS server address is configured, and the egress gateway address is 10.10.1.129.


Figure 7-1 Networking diagram for configuring DHCP server

Procedure
Step 1 Configure the router.
#
sysname Router
#
dhcp enable //Enable the DHCP function.
#
ip pool ip-pool1
gateway-list 10.10.1.1 //Configure a gateway address.
network 10.10.1.0 mask 255.255.255.128 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
excluded-ip-address 10.10.1.2 //Specify the IP address (10.10.1.2) that cannot be automatically allocated from an IP address pool.
excluded-ip-address 10.10.1.4 //Specify the IP address (10.10.1.4) that cannot be automatically allocated from an IP address pool.
dns-list 10.10.1.2 //Configure a DNS server address for the DHCP client.
nbns-list 10.10.1.4 //Configure a NetBIOS server address for the DHCP client.
lease day 10 hour 12 minute 0 //Set the lease of IP addresses to 10 days and 12 hours.
domain-name huawei.com //Set the domain name to huawei.com.
static-bind ip-address 10.10.1.5 mac-address fc12-2567-ce34 //Assign a fixed IP address to PC_AD.
#
ip pool ip-pool2
gateway-list 10.10.1.129 //Configure a gateway address.
network 10.10.1.128 mask 255.255.255.128 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
dns-list 10.10.1.2 //Configure a DNS server address for the DHCP client.
lease day 5 hour 0 minute 0 //Set the lease of IP addresses to 5 days.
domain-name huawei.com //Set the domain name to huawei.com.
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.128
dhcp select global //Configure the interface to use the global IP address pool.
#
interface GigabitEthernet0/0/1
ip address 10.10.1.129 255.255.255.128
dhcp select global //Configure the interface to use the global IP address pool.
#

Step 2 Verify the configuration.


# Run the display ip pool command on the router to view the IP address pool configuration.

----End

7.2 Example for Configuring the Router to Function as a DHCP Client to Dynamically Obtain an IP Address
Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA functions as the DHCP client and dynamically obtains IP addresses of interfaces.

Figure 7-2 DHCP client configuration

Procedure
Step 1 Configure RouterA.

#
dhcp enable //Enable the DHCP function.
#
interface GigabitEthernet0/0/0
ip address dhcp-alloc
#

Step 2 Configure RouterB.

#
dhcp enable //Enable the DHCP function.
#
ip pool ip-pool1
gateway-list 10.202.1.1 //Configure a gateway address.
network 10.202.1.0 mask 255.255.255.0 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
#
interface GigabitEthernet0/0/0
ip address 10.202.1.1 255.255.255.0
dhcp select global //Configure the interface to use the global IP address pool.
#

Step 3 Verify the configuration.


# Run the display ip interface brief command on RouterA to view the IP address that
GE0/0/0 has obtained.

----End

7.3 Example for Configuring DHCP Relay to Enable Users to Obtain IP Addresses from a DHCP Server
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 7-3, RouterA functions as a DHCP relay agent, and RouterB functions as
a DHCP server. DHCP packets need to be relayed through RouterA so that PCs can obtain IP
addresses from RouterB.

Figure 7-3 DHCP relay configuration

Procedure
Step 1 Configure RouterA.
#
vlan batch 100
#
dhcp enable //Enable DHCP globally.
#
dhcp server group dhcpgroup1 //Create a DHCP server group.
dhcp-server 10.10.10.1 //Add a DHCP server to the DHCP server group.
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay //Enable DHCP relay on an interface.
dhcp relay server-select dhcpgroup1 //Specify a DHCP server group for the interface.
#
interface Ethernet2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet3/0/0
ip address 10.10.20.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2 //Configure a default route and set the next-hop address to 10.10.20.2.

Step 2 Configure RouterB.


#
dhcp enable //Enable DHCP globally.
#
ip pool pool1 //Create a global IP address pool.
network 10.20.20.0 mask 255.255.255.0 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
gateway-list 10.20.20.1 //Configure the egress gateway address for the DHCP client.
#
interface GigabitEthernet1/0/0
ip address 10.10.10.1 255.255.255.0
dhcp select global //Configure the interface to use the global IP address pool.
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2 //Configure a default route and set the next-hop address to 10.10.10.2.

Step 3 Verify the configuration.


# Run the display dhcp relay command on RouterA to view the DHCP relay configuration
on a specified interface.
[RouterA] display dhcp relay interface vlanif 100
** Vlanif100 DHCP Relay Configuration **
DHCP server group name : dhcpgroup1
DHCP server IP [0] :10.10.10.1

# PCs can obtain IP addresses from RouterB through RouterA.


[RouterB] display ip pool
-----------------------------------------------------------------------
Pool-name : pool1
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.20.20.1
Mask : 255.255.255.0
Vpn instance : --

IP address Statistic
Total :250
Used :0 Idle :248
Expired :0 Conflict :0 Disable :2

----End

Configuration Notes
● Ensure that the PC and DHCP relay both have a reachable route to the DHCP server.
● Ensure that the DHCP relay and DHCP client are on the same subnet.

7.4 Example for Configuring Users to Automatically Obtain IPv6 Addresses
Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
A PC can automatically obtain an IPv6 address after directly connecting to the router's
interface. A default gateway is automatically generated so that the PC can communicate with
the router. In this configuration example, when the router is configured to send router
advertisement (RA) messages, the PC can automatically configure an IP address according to
the received RA message and generate the default route with the router as the next hop.

Figure 7-4 Networking diagram of IPv6 stateless auto-configuration

Procedure
Step 1 Configure the router.

#
ipv6 //Enable IPv6.
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address fc01::1/64
undo ipv6 nd ra halt //Enable the interface to send RA messages.
#

Step 2 Verify the configuration.


# Open the command line window on PC A and run the ipconfig command to view the IP
address of the PC.
C:\> ipconfig

Windows IP Configuration

Ethernet adapter local connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
IP Address. . . . . . . . . . . . : fc01::bdc5:2448:dc6b:bbe0 (1)
IP Address. . . . . . . . . . . . : fc01::215:e9ff:feac:2df2 (2)
IP Address. . . . . . . . . . . . : fe80::215:e9ff:feac:2df2%5 (3)
Default Gateway . . . . . . . . . : fe80::a19:a6ff:fecd:a896%5 (4)

NOTE

(1) Automatically configured global unicast IPv6 address, which has the same prefix as the IPv6 address
of GE0/0/0
(2) EUI-64 address generated using a MAC address
(3) Link-local address
(4) Automatically generated default gateway address, which is the link-local IPv6 address of the
interface directly connecting the PC to the router
Ping GE0/0/0 from the PC. The ping operation succeeds.
C:\> ping fc01::1

Pinging fc01::1 with 32 bytes of data:

Reply from fc01::1: time<1ms
Reply from fc01::1: time<1ms
Reply from fc01::1: time<1ms
Reply from fc01::1: time<1ms

Ping statistics for fc01::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

The preceding information shows that IPv6 stateless auto-configuration is configured
successfully.

----End
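
Note (2) above says the second address is an EUI-64 address generated from a MAC address; the derivation is reversible, so any peer that sees such an address learns the interface's MAC. The following Python functions are an added example, not part of the Huawei document; they apply the modified EUI-64 rule to the addresses in the ipconfig output above, and the function names are assumptions.

```python
import ipaddress
import re


def eui64_address(prefix, mac):
    """Form the address a host derives from a /64 prefix and its MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))  # accepts aa-bb.., aa:bb.., aabb-ccdd-eeff
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 derived address; None if the interface ID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]  # drop zone index such as %5
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{octet:02x}" for octet in mac)


def describe(addr):
    """Return (scope, embedded MAC or None) for one address from the ipconfig output."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    if ip.is_link_local:
        scope = "link-local"
    elif ip in ipaddress.IPv6Network("fc00::/7"):
        scope = "unique-local"
    else:
        scope = "other"
    return scope, mac_from_address(addr)


if __name__ == "__main__":
    # Addresses (1) to (4) from the ipconfig output above.
    for a in ("fc01::bdc5:2448:dc6b:bbe0", "fc01::215:e9ff:feac:2df2",
              "fe80::215:e9ff:feac:2df2%5", "fe80::a19:a6ff:fecd:a896%5"):
        print(a, describe(a))
```

Address (1) carries no recoverable MAC, while (2), (3) and the router's link-local gateway address (4) each embed the MAC of the interface that generated them.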


8 Deploying Routing

8.1 IP Static Route
8.2 RIP
8.3 RIPng
8.4 OSPF
8.5 OSPFv3
8.6 IS-IS(IPv4)
8.7 IS-IS(IPv6)
8.8 BGP
8.9 Policy-based Routing
8.10 Routing Policy

8.1 IP Static Route

8.1.1 Example for Configuring IPv4 Static Routes


Applicability
This example applies to all versions and AR routers.

Networking Requirements
Static routes need to be configured to ensure that any two hosts can communicate with each
other. Figure 8-1 shows the IP addresses and masks of hosts and routers' interfaces.


Figure 8-1 Networking diagram of configuring static routes

Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.4.1 255.255.255.252
#
ip route-static 10.1.2.0 255.255.255.0 10.1.4.2
ip route-static 10.1.3.0 255.255.255.0 10.1.4.2 //Configure static routes on Router A.
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.4.2 255.255.255.252
#
interface GigabitEthernet3/0/0
ip address 10.1.4.5 255.255.255.252
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6 //Configure static routes on Router B.
#
return

Step 3 Configure RouterC.


#
interface GigabitEthernet1/0/0
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.4.6 255.255.255.252
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.5
ip route-static 10.1.2.0 255.255.255.0 10.1.4.5 //Configure static routes on Router C.
#
return

Step 4 Configure hosts.


Set the default gateway of hosts in VLAN 10 to 10.1.1.1, the default gateway of hosts in
VLAN 20 to 10.1.3.1, and the default gateway of hosts in VLAN 30 to 10.1.2.1.
Step 5 Configure switches.
Configure switches to allow hosts to communicate with their respective gateways.
Step 6 Verify the configuration.
# Run the display ip routing-table command to view the IP routing table.
# Run the ping command to verify the router connectivity.

----End

Configuration Notes
● Configure IPv4 addresses for routers' interfaces correctly.
● Configure IP addresses on the same network segment for the interfaces connecting two
routers together.
● Configure default gateways for hosts.

8.1.2 Example for Configuring NQA for Static IPv4 Routes


Applicability
This example applies to all versions and AR routers.

Networking Requirements
NQA for static IPv4 routes can quickly detect network faults and control advertisement of
static routes. As shown in Figure 8-2, RouterA connects to RouterB through GE2/0/0 and
connects to RouterC through GE1/0/0. Two links are available from RouterA to RouterD:
RouterA-->RouterB-->RouterD (primary link) and RouterA-->RouterC-->RouterD (backup
link). Configure an NQA ICMP test instance on RouterA to detect the active link. When the
active link becomes faulty, packets sent from RouterA to RouterD are switched to the standby
link.

Figure 8-2 Networking diagram of configuring NQA for static IPv4 routes

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.6.1 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2
ip route-static 192.168.3.0 255.255.255.0 192.168.4.2
ip route-static 192.168.5.0 255.255.255.0 192.168.1.2 preference 100 //Set the preference of static routes to 100 so that the static routes can be used as backup routes.
ip route-static 192.168.5.0 255.255.255.0 GigabitEthernet2/0/0 192.168.4.2 track nqa admin icmp //Configure a static route to associate it with an NQA test instance.
#
nqa test-instance admin icmp //Configure an NQA test instance named admin icmp.
test-type icmp //Set the test type to ICMP.
destination-address ipv4 192.168.3.1 //Set the destination address of the NQA test instance to 192.168.3.1.
frequency 10 //Set the interval between two NQA tests to 10s.
probe-count 2 //Set the number of test probes of an NQA test instance to 2.
start now //Start the NQA test instance immediately.
#


Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 192.168.3.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.4.2 255.255.255.0
#
ip route-static 192.168.5.0 255.255.255.0 192.168.3.1
ip route-static 192.168.6.0 255.255.255.0 192.168.4.1
#

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.1 255.255.255.0
#
ip route-static 192.168.5.0 255.255.255.0 192.168.2.2
ip route-static 192.168.6.0 255.255.255.0 192.168.1.1
#

Step 4 Configure RouterD.


#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.5.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 192.168.2.1
ip route-static 192.168.4.0 255.255.255.0 192.168.3.2
ip route-static 192.168.6.0 255.255.255.0 192.168.3.2
ip route-static 192.168.6.0 255.255.255.0 192.168.2.1
#

Step 5 Verify the configuration.


# Run the display nqa results test-instance admin icmp command on RouterA to view the
NQA test result. The command output displays "Lost packet ratio: 0 %", indicating that the
link status is normal. Run the display ip routing-table command on RouterA to view the IP
routing table. The routing table contains the static route with destination network segment
192.168.5.0/24 and next-hop address 192.168.4.2. There is no static route with preference 100
in the routing table.
# Run the shutdown command in the view of GE1/0/0 or GE2/0/0 on RouterB to simulate a
link failure. Run the display nqa results test-instance admin icmp command on RouterA to
view the NQA test result. The command output displays "Completion:failed" and "Lost
packet ratio: 100 %", indicating that a link failure has been detected. Then run the display ip
routing-table command on RouterA to view the IP routing table. The routing table contains
the static route with preference 100. There is no static route with destination network segment
192.168.5.0/24 and next-hop address 192.168.4.2.
----End


Configuration Notes
● The static route associated with an NQA test instance is deleted from the routing table
only when the NQA test fails. You can run the display nqa results command to view the
NQA test result.
● Before modifying the configuration of an NQA test instance, stop the NQA test instance.
● If the static route associated with one NQA test instance is associated with another NQA
test instance, the association between the static route and the former NQA test instance is
removed.
● Only the NQA ping test instance is used so that RouterA switches services based on the
test result. There is no requirement for the peer device configuration.
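
The failover verified in Step 5 of this example (and the plain static routing of 8.1.1, which uses the same forwarding rules without tracking) can be reproduced offline. The following Python model is an added example, not part of the Huawei document: it assumes the VRP default static-route preference of 60, treats the NQA ICMP probe as a one-way reachability test to 192.168.3.1, models the link failure as the 192.168.3.0/24 segment being down, and uses a constructed host address 192.168.5.10.

```python
import ipaddress
import re

# Interface addresses and static routes transcribed from Steps 1-4 above.
CONFIGS = {
    "RouterA": """
        ip address 192.168.1.1 255.255.255.0
        ip address 192.168.4.1 255.255.255.0
        ip address 192.168.6.1 255.255.255.0
        ip route-static 192.168.2.0 255.255.255.0 192.168.1.2
        ip route-static 192.168.3.0 255.255.255.0 192.168.4.2
        ip route-static 192.168.5.0 255.255.255.0 192.168.1.2 preference 100
        ip route-static 192.168.5.0 255.255.255.0 GigabitEthernet2/0/0 192.168.4.2 track nqa admin icmp""",
    "RouterB": """
        ip address 192.168.3.2 255.255.255.0
        ip address 192.168.4.2 255.255.255.0
        ip route-static 192.168.5.0 255.255.255.0 192.168.3.1
        ip route-static 192.168.6.0 255.255.255.0 192.168.4.1""",
    "RouterC": """
        ip address 192.168.1.2 255.255.255.0
        ip address 192.168.2.1 255.255.255.0
        ip route-static 192.168.5.0 255.255.255.0 192.168.2.2
        ip route-static 192.168.6.0 255.255.255.0 192.168.1.1""",
    "RouterD": """
        ip address 192.168.3.1 255.255.255.0
        ip address 192.168.2.2 255.255.255.0
        ip address 192.168.5.1 255.255.255.0
        ip route-static 192.168.1.0 255.255.255.0 192.168.2.1
        ip route-static 192.168.4.0 255.255.255.0 192.168.3.2
        ip route-static 192.168.6.0 255.255.255.0 192.168.3.2
        ip route-static 192.168.6.0 255.255.255.0 192.168.2.1""",
}

ROUTE = re.compile(r"ip route-static (\S+) (\S+) (?:GigabitEthernet\S+ )?(\d+\.\S+)"
                   r"(?: preference (\d+))?( track nqa \S+ \S+)?")


def load(configs):
    """Return {router: (interfaces, routes)}; a route is (network, next hop, preference, tracked)."""
    routers = {}
    for name, text in configs.items():
        ifaces = [ipaddress.ip_interface(f"{a}/{m}")
                  for a, m in re.findall(r"ip address (\S+) (\S+)", text)]
        routes = [(ipaddress.ip_network(f"{n}/{m}"), ipaddress.ip_address(nh),
                   int(p or 60), bool(t))          # 60: assumed VRP default for static routes
                  for n, m, nh, p, t in ROUTE.findall(text)]
        routers[name] = (ifaces, routes)
    return routers


def trace(routers, src, dst, down=frozenset(), nqa_ok=True, ttl=8):
    """Walk hop by hop from router `src` towards address `dst`; return (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    owner = {i.ip: n for n, (ifs, _) in routers.items() for i in ifs}
    path, cur = [src], src
    while len(path) <= ttl:
        ifaces, routes = routers[cur]
        up = [i.network for i in ifaces if i.network not in down]
        if any(dst in n for n in up):
            return path, "delivered"
        # A static route is usable if its next hop sits on a live connected segment
        # and, when it tracks NQA, the test instance has not failed.
        usable = [r for r in routes if dst in r[0] and (nqa_ok or not r[3])
                  and any(r[1] in n for n in up)]
        if not usable:
            return path, "no route"
        best = min(usable, key=lambda r: (-r[0].prefixlen, r[2]))  # longest prefix, then preference
        cur = owner.get(best[1])
        if cur is None:
            return path, "unknown next hop"
        path.append(cur)
    return path, "loop"


def routera_to_lan(routers, down=frozenset(), use_nqa=True):
    """Path from RouterA to a host behind RouterD; the tracked route is withdrawn if the probe fails."""
    probe_ok = trace(routers, "RouterA", "192.168.3.1", down)[1] == "delivered"
    return trace(routers, "RouterA", "192.168.5.10", down, nqa_ok=probe_ok or not use_nqa)


if __name__ == "__main__":
    R = load(CONFIGS)
    failed = {ipaddress.ip_network("192.168.3.0/24")}
    print(routera_to_lan(R))                         # primary link in use
    print(routera_to_lan(R, failed))                 # NQA fails, backup route takes over
    print(routera_to_lan(R, failed, use_nqa=False))  # same fault without tracking
```

The third call shows why the tracking matters: the fault is one hop away from RouterA, so without the NQA association RouterA keeps forwarding to RouterB, where the traffic is dropped.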

8.1.3 Example for Configuring IPv6 Static Routes


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
Static routes need to be configured to ensure that any two hosts can communicate with each
other. Figure 8-3 shows the IPv6 addresses and masks of hosts and routers' interfaces.


Figure 8-3 Networking diagram of configuring IPv6 static routes

Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1::1 64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::2 64
#
ipv6 route-static 3:: 64 2::1
ipv6 route-static 4:: 64 2::1
ipv6 route-static 5:: 64 2::1 //Configure static routes on RouterA.
#
return

Step 2 Configure RouterB.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3::1 64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::1 64
#
interface GigabitEthernet3/0/0
ipv6 enable
ipv6 address 4::1 64
#
ipv6 route-static 1:: 64 2::2
ipv6 route-static 5:: 64 4::2
#
return

Step 3 Configure RouterC.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 5::1 64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 4::2 64
#
ipv6 route-static 1:: 64 4::1
ipv6 route-static 2:: 64 4::1
ipv6 route-static 3:: 64 4::1
#
return

Step 4 Configure hosts.


Set the default gateway of hosts in VLAN 10 to 1::1, the default gateway of hosts in VLAN 20
to 5::1, and the default gateway of hosts in VLAN 30 to 3::1.
Step 5 Configure switches.
Configure switches to allow hosts to communicate with their respective gateways.
Step 6 Verify the configuration.
# Run the display ipv6 routing-table command to view the IPv6 routing table.
# Run the ping ipv6 command to verify the router connectivity.

----End

Configuration Notes
● Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.
● Configure IPv6 addresses for routers' interfaces correctly.
● Configure default gateways for hosts.


8.1.4 Example for Configuring BFD for IPv4 Static Routes


Specifications
This example applies to all AR models of all versions.

Networking Requirements
On a company's internal network shown in Figure 8-4, there are two forwarding paths from
Router_1 to Router_2, with next hops Router_2 and Router_3 respectively. Router_1 and
Router_2 are far from each other, and the L2 Switch acts as the relay agent between Router_1
and Router_2. In this example, Router_2 does not support bidirectional forwarding detection
(BFD). BFD for IPv4 static routes needs to be configured on Router_1 to ensure that
Router_1 can quickly detect a failure (for example, the Down state) of the link between
Router_2 and the L2 Switch and switch traffic to the link through Router_3.

Figure 8-4 Networking diagram of configuring BFD for IPv4 static routes

Device     Interface   IP Address
Router_1   GE2/0/1     10.10.10.101/24
Router_1   GE2/0/2     10.10.20.101/24
Router_1   GE2/0/3     10.10.40.101/24
Router_2   GE2/0/1     10.10.10.102/24
Router_2   GE2/0/2     10.10.30.101/24
Router_2   GE2/0/3     10.10.50.101/24
Router_3   GE2/0/1     10.10.20.102/24
Router_3   GE2/0/2     10.10.30.102/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1 //Configure an IP address for GigabitEthernet2/0/1 on Router_1.
ip address 10.10.10.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.20.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.10.40.101 255.255.255.0
#
bfd aa bind peer-ip 10.10.10.102 interface GigabitEthernet2/0/1 one-arm-echo //Configure the BFD session between Router_1 and Router_2.
discriminator local 1
min-echo-rx-interval 100
commit
#
ip route-static 10.10.50.0 24 GigabitEthernet2/0/1 10.10.10.102 track bfd-session aa //Configure a static route from Router_1 to 10.10.50.0/24. Ensure that traffic from Router_1 to Router_2 is first forwarded along the link Router_1 –> L2 Switch –> Router_2. When the link fails, the traffic is switched to the link Router_1 –> Router_3 –> Router_2.
ip route-static 10.10.50.0 24 GigabitEthernet2/0/2 10.10.20.102 preference 65
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
interface GigabitEthernet2/0/1 //Configure an IP address for GigabitEthernet2/0/1 on Router_2.
ip address 10.10.10.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.30.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.10.50.101 255.255.255.0
#
ip route-static 10.10.40.0 24 GigabitEthernet2/0/1 10.10.10.101 //Configure a static route from Router_2 to 10.10.40.0/24. Ensure that traffic from Router_2 to Router_1 is first forwarded along the link Router_2 –> L2 Switch –> Router_1. When the link fails, the traffic is switched to the link Router_2 –> Router_3 –> Router_1.
ip route-static 10.10.40.0 24 GigabitEthernet2/0/2 10.10.30.102 preference 65
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet2/0/1 //Configure an IP address for GigabitEthernet2/0/1 on Router_3.
ip address 10.10.20.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.30.102 255.255.255.0
#
ip route-static 10.10.40.0 24 GigabitEthernet2/0/1 10.10.20.101 //Configure static routes from Router_3 to 10.10.40.0/24 and 10.10.50.0/24.
ip route-static 10.10.50.0 24 GigabitEthernet2/0/2 10.10.30.101
#
return

Step 4 Verify the configuration.


# When Router_1, Router_2, and the links between Router_1 and Router_2 are working
normally:
- Run the display ip routing-table protocol static command on Router_1 to check static
  route information. The command output shows that there are reachable routes between
  Router_1 and Router_2.
- Run the display bfd session all command on Router_1. The command output shows that
  a BFD session has been set up.
# When the link between Router_2 and the L2 switch is faulty, run the
display ip routing-table protocol static command on Router_1. The command output shows
that routes are reachable between Router_1 and Router_3.

----End

8.1.5 Example for Configuring AR Routers to Be Connected to Layer 3 Switches Through IPv4 Static Routes

Specifications
This example applies to all AR models of all versions.

Networking Requirements
Figure 8-5 shows IP addresses and masks of hosts and routers' interfaces. Static routes need
to be configured to ensure that any two hosts can communicate with each other.

Figure 8-5 Configuring IPv4 static routes

Procedure
Step 1 Configure the switch.
#
vlan batch 10 20 100
#
interface vlanif 10
ip address 192.168.10.1 255.255.255.0
#
interface vlanif 20
ip address 192.168.20.1 255.255.255.0
#
interface vlanif 100
ip address 1.1.1.2 255.255.255.0
#
interface gigabitEthernet0/0/1
port link-type access
port default vlan 100 //Add GigabitEthernet0/0/1 to VLAN 100 as an access interface. This interface connects to the router.
#
interface gigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface gigabitEthernet0/0/3
port link-type access
port default vlan 20
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a default static route.
#
return

Step 2 Configure the Router.


#
interface GigabitEthernet0/0/0
ip address 1.1.1.1 255.255.255.0 //Configure an IP address for GigabitEthernet0/0/0. This interface connects to the switch.
#
interface loopback 0
ip address 202.99.192.66 255.255.255.0 //Configure an IP address for the local loopback interface for tests.
#
ip route-static 192.168.0.0 255.255.0.0 1.1.1.2 //Configure a static route so that data can reach the switch.
#
return

Step 3 Configure PCs.

Run the route add 1.1.1.0 mask 255.255.255.0 192.168.10.1 command on PC1 and the
route add 1.1.1.0 mask 255.255.255.0 192.168.20.1 command on PC2 to configure a static
route to network segment 1.1.1.0/24 on each PC.

Step 4 Verify the configuration.

# Run the display ip routing-table command to view the IP routing table of the Router.

# Run the ping command to test the connectivity.

----End

Configuration Notes
- Configure IPv4 addresses for routers' interfaces correctly.
- Configure IPv4 default gateways for hosts.

8.1.6 Example for Configuring Fixed IP Addresses for Two Outbound Interfaces of IPv4 Static Routes

Specifications
This example applies to all AR models of all versions.

Networking Requirements
Figure 8-6 shows IP addresses and masks of hosts and routers' interfaces. Fixed IP addresses
need to be configured for two outbound interfaces of IPv4 static routes so that users can
access the Internet using the other backup route after one route is lost.

Figure 8-6 Configuring fixed IP addresses for two outbound interfaces of IPv4 static routes

Procedure
Step 1 Configure the Router.
#
sysname Router //Change the device name.
#
acl number 2000
rule 5 permit
#
acl number 2001
rule 5 permit
#
interface gigabitethernet 1/0/0
ip address 10.10.1.1 24 //Configure the external network interface 1.
nat outbound 2000
#
interface gigabitethernet 2/0/0
ip address 10.10.2.1 24 //Configure the external network interface 2.
nat outbound 2001
#
interface gigabitethernet 3/0/0
ip address 192.168.0.1 24 //Configure the internal network interface 1.
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
ip route-static 0.0.0.0 0.0.0.0 10.10.2.2
#

Step 2 Configure PCs.


Configure 192.168.0.1 as the default gateway address of PC1.
Step 3 Verify the configuration.
# Run the display ip routing-table command to view the IP routing table of the Router.
# Run the ping command to test the connectivity.

----End

Configuration Notes
- Configure an ACL to determine for which network segments NAT needs to be
  performed.
- Configure NAT in the outbound interface view.

8.2 RIP

8.2.1 Example for Configuring RIP

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RIP needs to be configured to ensure that two hosts can communicate with each other. Figure
8-7 shows the IP addresses and masks of hosts and routers' interfaces.

Figure 8-7 Networking diagram of configuring RIP

Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
rip 1
version 2 //Set the RIP version.
network 192.168.1.0 //Enable RIP on the specified network segment.
network 10.0.0.0
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
#
rip 1
version 2
network 172.16.0.0
network 10.0.0.0
#
return

Step 3 Configure hosts.

Set the default gateway of hosts in VLAN 10 to 192.168.1.1 and the default gateway of hosts
in VLAN 20 to 172.16.1.1.

Step 4 Configure switches.


Configure switches to allow hosts to communicate with their respective gateways.

Step 5 Verify the configuration.


# Run the display rip process-id route command to view the RIP routing table. The RIP
routing table shows that the routes advertised by RIPv2 contain accurate subnet masks.
# Run the ping command to verify the router connectivity.

----End

Configuration Notes
- Configure IPv4 addresses for routers' interfaces correctly.
- Configure IP addresses on the same network segment for interfaces connecting two
  routers together.
- Configure default gateways for hosts.
- Enable RIP on a natural network segment.

8.2.2 Example for Configuring BFD for RIP


Specifications
This example applies to all AR models of all versions.

Networking Requirements
In Figure 8-8, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Routing Information Protocol
(RIP) and establish RIP neighbor relationships to ensure that they are reachable at the network
layer.
Router_3 does not support bidirectional forwarding detection (BFD). The company wants to
configure BFD for RIP on Router_1 and use BFD echo packets to ensure that BFD can quickly
detect and notify RIP of the link failure between Router_1 (or Router_3) and the L2 Switch.
The company wants to configure BFD for RIP on Router_1 and Router_3 to meet the
following requirements:
- Detect the link that passes through the L2 Switch.
- Ensure that the devices can quickly detect and notify RIP of the link failure and switch
  traffic to the link of Router_2.

Figure 8-8 Networking diagram of configuring BFD for RIP

Device     Interface   IP Address
Router_1   GE2/0/1     10.1.0.101/24
Router_1   GE2/0/2     10.10.0.101/24
Router_1   GE2/0/3     10.20.1.1/24
Router_2   GE2/0/1     10.10.0.102/24
Router_2   GE2/0/2     10.40.1.101/24
Router_3   GE2/0/1     10.1.0.102/24
Router_3   GE2/0/2     10.40.1.102/24
Router_3   GE2/0/3     10.30.1.1/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
rip bfd static
#
interface GigabitEthernet2/0/2
ip address 10.10.0.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.20.1.1 255.255.255.0
#
rip 1 //Configure basic RIP functions on Router_1.
version 2
network 10.0.0.0
#
bfd 1 bind peer-ip 10.1.0.102 interface GigabitEthernet2/0/1 one-arm-echo //Configure the BFD echo function on Router_1.
discriminator local 1
min-echo-rx-interval 200
commit
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
interface GigabitEthernet2/0/1
ip address 10.10.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.101 255.255.255.0
#
rip 1 //Configure basic RIP functions on Router_2.
version 2
network 10.0.0.0
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet2/0/1
ip address 10.1.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.102 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.30.1.1 255.255.255.0
#
rip 1 //Configure basic RIP functions on Router_3.
version 2
network 10.0.0.0
#
return

Step 4 Verify the configuration.


# Run the display rip 1 bfd session all command on Router_1 to check BFD session
information. The command output shows that a BFD session has been set up and is in Up
state.
# Run the display ip routing-table command on Router_1 to check routes to 10.30.1.0/24.
The command output shows that packets from Router_1 are forwarded to Router_3 through
the L2 Switch.

----End

8.3 RIPng

8.3.1 Example for Configuring RIPng


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
RIPng needs to be configured to ensure that two hosts can communicate with each other.
Figure 8-9 shows the IPv6 addresses and masks of hosts and routers' interfaces.

Figure 8-9 Networking diagram of configuring RIPng

Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1::1 64
ripng 1 enable //Enable RIPng on the specified interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::2 64
ripng 1 enable
#
ripng 1 //Enable RIPng process 1.
#
return

Step 2 Configure RouterB.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3::1 64
ripng 1 enable
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::1 64
ripng 1 enable
#
ripng 1
#
return

Step 3 Configure hosts.

Set the default gateway of hosts in VLAN 10 to 1::1 and the default gateway of hosts in
VLAN 20 to 3::1.

Step 4 Configure switches.


Configure switches to allow hosts to communicate with their respective gateways.

Step 5 Verify the configuration.

# Run the display ripng process-id route command to view the RIPng routing table. The
RIPng routing table contains the routes advertised by RIPng.

# Run the ping ipv6 command to verify the router connectivity.

----End

Configuration Notes
- Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
  Before configuring IPv6 features on an interface, enable IPv6 on the interface.
- Configure IPv6 addresses for routers' interfaces.
- Configure IP addresses on the same network segment for interfaces connecting two
  routers together.
- Configure default gateways for hosts.

8.4 OSPF

8.4.1 Example for Configuring OSPF

Applicability
This example applies to all versions and AR routers.

Networking Requirements
OSPF needs to be configured to ensure that PC1 and PC2 communicate with each other
through RouterA and RouterB.

Figure 8-10 Networking diagram of configuring OSPF

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.1.0 0.0.0.255 //Specify 192.168.1.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
network 192.168.0.0 0.0.0.255
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#

Step 3 Configure hosts.

Set the default gateway of PC1 to 192.168.1.1 and the default gateway of PC2 to 192.168.2.1.

Step 4 Configure switches.


Configure switches to allow hosts to communicate with their respective gateways.

Step 5 Verify the configuration.

# PC1 can successfully ping the IP address of PC2.

----End

Configuration Notes
- Configure the interface of SwitchA connected to RouterA as a trunk interface and add it
  to VLAN 10.
- Configure the interface of SwitchB connected to RouterB as a trunk interface and add it
  to VLAN 20.
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.
- GE3/0/0 interfaces on RouterA and RouterB must belong to the same OSPF area.

8.4.2 Example for Configuring an OSPF Virtual Link

Applicability
This example applies to all versions and AR routers.

Networking Requirements
Area 2 is not directly connected to Area 0. Area 1 functions as a transit area to connect Area 2
and Area 0. A virtual link needs to be established between RouterA and RouterB so that
RouterA can learn routes from Area 2. OSPF area authentication needs to be performed on all
OSPF neighbors and OSPF interface authentication needs to be performed on all interfaces.

Figure 8-11 Networking diagram of configuring an OSPF virtual link

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
ospf authentication-mode hmac-sha256 //Set the authentication mode to hmac-sha256 authentication.
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
area 0.0.0.0
authentication-mode hmac-sha256 //Set the authentication mode to hmac-sha256 authentication.
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
vlink-peer 2.2.2.2 //Create a virtual link with the remote router ID as 2.2.2.2.
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface GigabitEthernet2/0/0
ip address 192.168.1.1 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
vlink-peer 1.1.1.1
area 0.0.0.2
authentication-mode hmac-sha256
network 192.168.3.0 0.0.0.255
#

Step 3 Verify the configuration.


# Run the display ip routing-table command on RouterA to view the IP routing table. The
command output shows that there are OSPF routes to network segment 192.168.3.0/24.

----End

Configuration Notes
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.
- When area authentication is used, all the routers in an area must have the same
  authentication mode and password.
- When interface authentication is used, interfaces on the same network segment must
  have the same authentication mode and password. The interface authentication mode
  takes precedence over the area authentication mode.
- Routers on two ends must have the same virtual link authentication mode and password.
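
The authentication rules in the notes above can be checked offline against saved configurations. The following Python sketch is an added example, not part of the Huawei guide: it parses the OSPF-relevant lines of the RouterA and RouterB configurations from this example, works out each interface's effective authentication mode (interface mode first, area mode as fallback), and reports segments that run unauthenticated or whose two ends disagree. ROUTER_B_DRIFT, the md5 mode in it, and all function names are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed input: the OSPF-relevant lines of RouterA and RouterB from this example.
ROUTER_A = """\
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
ospf authentication-mode hmac-sha256
#
ospf 2
area 0.0.0.0
authentication-mode hmac-sha256
network 192.168.0.0 0.0.0.255
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
"""
ROUTER_B = """\
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface GigabitEthernet2/0/0
ip address 192.168.1.1 255.255.255.0
ospf authentication-mode hmac-sha256
#
ospf 2
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
area 0.0.0.2
authentication-mode hmac-sha256
network 192.168.3.0 0.0.0.255
"""
# Constructed drift (not from the guide): GE2/0/0 on RouterB loses its interface
# mode and Area 1 is set to md5, so the interface falls back to the area mode.
ROUTER_B_DRIFT = ROUTER_B.replace(
    "192.168.1.1 255.255.255.0\nospf authentication-mode hmac-sha256",
    "192.168.1.1 255.255.255.0",
).replace("area 0.0.0.1\nauthentication-mode hmac-sha256", "area 0.0.0.1\nauthentication-mode md5")

def wildcard_network(addr, wildcard):
    """Turn an OSPF 'network <addr> <wildcard>' pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_config(text):
    """Return (interfaces, areas) from a VRP-style configuration listing."""
    ifaces, areas = {}, {}
    iface = area = None
    for raw in text.splitlines():
        words = raw.split("//")[0].split()      # drop the guide's // comments
        if not words or words[0] == "#":        # "#" closes the current view
            iface = area = None
        elif words[0] == "interface":
            iface, area = ifaces.setdefault(words[1], {"ip": None, "auth": None}), None
        elif iface is not None and words[:2] == ["ip", "address"]:
            iface["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif iface is not None and words[:2] == ["ospf", "authentication-mode"]:
            iface["auth"] = words[2]
        elif words[0] == "area":
            area = areas.setdefault(words[1], {"auth": None, "networks": []})
        elif area is not None and words[0] == "authentication-mode":
            area["auth"] = words[1]
        elif area is not None and words[0] == "network":
            area["networks"].append(wildcard_network(words[1], words[2]))
    return ifaces, areas

def effective_auth(text):
    """Map each OSPF-enabled subnet to (interface name, effective auth mode)."""
    ifaces, areas = parse_config(text)
    result = {}
    for name, iface in ifaces.items():
        for area in areas.values():
            if iface["ip"] is not None and any(iface["ip"].ip in n for n in area["networks"]):
                # Interface authentication takes precedence over area authentication.
                result[iface["ip"].network] = (name, iface["auth"] or area["auth"])
    return result

def audit(routers):
    """routers: {name: config text}. Return findings for weak or mismatched segments."""
    ends = {}
    for router, text in routers.items():
        for subnet, (ifname, mode) in effective_auth(text).items():
            ends.setdefault(subnet, []).append((router, ifname, mode))
    findings = []
    for subnet in sorted(ends):
        modes = {mode for _, _, mode in ends[subnet]}
        if None in modes:
            findings.append((str(subnet), "unauthenticated", ends[subnet]))
        elif len(modes) > 1:
            findings.append((str(subnet), "mode mismatch", ends[subnet]))
    return findings

# The guide's own pair is consistent; the constructed drift is flagged on 192.168.1.0/24.
print(audit({"RouterA": ROUTER_A, "RouterB": ROUTER_B}))
print(audit({"RouterA": ROUTER_A, "RouterB": ROUTER_B_DRIFT}))
```

The check compares modes only; passwords and the virtual link's own authentication settings are outside what this sketch parses.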

8.4.3 Example for Configuring an OSPF Stub Area


Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. Area 1 needs to be configured as a stub area so that RouterC can use the default route
advertised by ABR to access the network outside the area.

Figure 8-12 Networking diagram of configuring an OSPF stub area

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
import-route direct //Configure the router to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub //Configure Area 1 as a stub area.
#

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 3.3.3.3
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 2
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub
#

Step 4 Verify the configuration.


# Run the ping command on RouterC. The command output shows that RouterC can
communicate with devices on network segments 192.168.0.0/24 and 192.168.2.0/24.
# Run the display ip routing-table command on RouterB to view the IP routing table. The
routing table contains the direct route imported by RouterA.

----End

Configuration Notes
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.
- All the routers in a stub area must be configured with stub attributes.

8.4.4 Example for Configuring an OSPF NSSA


Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. Area 1 needs to be configured as an NSSA so that RouterC can use the default route
advertised by the ABR to access the network outside the area.

Figure 8-13 Networking diagram of configuring an OSPF NSSA

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
import-route direct //Configure the router to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa default-route-advertise //Configure Area 1 as an NSSA and configure default Type7 LSAs to be generated on the ABR and advertised to the NSSA.
#

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 3.3.3.3
#
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 2
import-route direct
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa //Configure Area 1 as an NSSA.
#

Step 4 Verify the configuration.

# Run the ping command on RouterC. The command output shows that RouterC can
communicate with devices on network segments 192.168.0.0/24 and 192.168.2.0/24.

# Run the display ip routing-table command on RouterB to view the IP routing table. The
routing table contains the direct routes imported by RouterA and RouterC.

----End

Configuration Notes
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.
- All the routers in an NSSA must be configured with NSSA attributes.

8.4.5 Example for Configuring Route Summarization in an OSPF Area

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. RouterB is required to summarize routes of specified network segments that are learned
from RouterA and advertise the summarized routes to RouterC.

Figure 8-14 Networking diagram of configuring OSPF area route summarization

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.0
abr-summary 192.168.2.0 255.255.254.0 //Configure route summarization on the ABR.
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 3.3.3.3
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 2
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#

Step 4 Verify the configuration.


# Run the display ip routing-table command on RouterC to view the IP routing table. The
routing table contains the OSPF routes to network segments 192.168.2.0/23 and
192.168.0.0/24 that are advertised from RouterB.

----End

Configuration Notes
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.

8.4.6 Example for Configuring OSPF to Summarize Imported Routes

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterA is an
ASBR and RouterB is an ABR. RouterA is required to summarize imported direct routes and
advertise the summarized routes to other routers in the same OSPF AS.

Figure 8-15 Networking diagram of configuring OSPF to summarize imported routes

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
asbr-summary 192.168.2.0 255.255.254.0 //Configure the ASBR to summarize imported routes.
import-route direct //Configure the ASBR to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface that runs OSPF process 2 and Area 0 as the area to which the interface belongs.
#

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#

Step 3 Configure RouterC.


#
sysname RouterC
#
router id 3.3.3.3
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 2
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#

Step 4 Verify the configuration.

# Run the display ip routing-table command on RouterB to view the IP routing table. The
routing table contains the imported direct route of network segment 192.168.2.0/23 that is
advertised by RouterA.

# Run the display ip routing-table command on RouterC to view the IP routing table. The
routing table contains the imported direct route of network segment 192.168.2.0/23 that is
advertised by RouterA.

----End

Configuration Notes
- Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor
  relationship cannot be established and the routing information is incorrect.
- Imported intra-area routes must be summarized by an ASBR but not an ABR.

8.4.7 Example for Configuring OSPF Route Filtering

Specifications
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 8-16, Company A uses Open Shortest Path First (OSPF) to implement
interconnection between all devices. Company A merges with Company B that uses the
Routing Information Protocol (RIP), requiring OSPF and RIP to import routes to each other
so that departments can communicate. Router_1 and Router_2 function as core devices to
ensure communication between departments. To meet service requirements, Company A
needs to control and adjust network routes by taking the following measures:
- Filter the imported routes on Router_5 to prevent R&D department 2 from accessing
  Marketing department 1, R&D department 1, and After-sales Service department.
- Filter routes on Router_3 to prevent Marketing department 1 from accessing R&D
  department 1.
- Filter routes on Router_4 to prevent R&D department 1 and After-sales Service
  department from accessing Marketing department 2.

Figure 8-16 Networking diagram of configuring OSPF route filtering

Device    Interface  IP Address
Router_1  GE2/0/1    10.1.1.1/24
          GE2/0/2    10.2.1.1/24
          GE2/0/3    10.4.1.1/24
Router_2  GE2/0/1    10.1.1.2/24
          GE2/0/2    10.3.1.1/24
Router_3  GE2/0/1    10.2.1.2/24
          GE2/0/2    10.10.3.1/24 (network segment where Marketing department 1 resides)
Router_4  GE2/0/1    10.3.1.2/24
          GE2/0/2    10.10.1.1/24 (network segment where After-sales Service department resides)
          GE2/0/3    10.10.2.1/24 (network segment where R&D department 1 resides)
Router_5  GE2/0/1    10.4.1.2/24
          GE2/0/2    10.5.1.1/24
Router_6  GE2/0/1    10.5.1.2/24
          GE2/0/2    10.10.4.1/24 (network segment where R&D department 2 resides)
          GE2/0/3    10.10.5.1/24 (network segment where Marketing department 2 resides)

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.4.1.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
area 0.0.0.1
network 10.4.1.0 0.0.0.255
area 0.0.0.2
network 10.2.1.0 0.0.0.255
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
interface GigabitEthernet2/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.3.1.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
area 0.0.0.3
network 10.3.1.0 0.0.0.255
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
acl number 2000 //Create a basic ACL to deny packets with the source IP address 10.10.2.0/24.
rule 0 deny source 10.10.2.0 0.0.0.255
rule 5 permit
#
interface GigabitEthernet2/0/1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.3.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
filter-policy 2000 import //Use ACL 2000 to filter the routes to be added to the routing table.
area 0.0.0.2
network 10.2.1.0 0.0.0.255
network 10.10.3.0 0.0.0.255
#
return

Step 4 Configure Router_4.


#
sysname Router_4
#
acl number 2000 //Create a basic ACL to deny packets with the source IP address 10.10.5.0/24.
rule 0 deny source 10.10.5.0 0.0.0.255
rule 5 permit
#
interface GigabitEthernet2/0/1
ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.10.2.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
filter-policy 2000 import //Use ACL 2000 to filter the routes to be added to the routing table.
area 0.0.0.3
network 10.3.1.0 0.0.0.255
network 10.10.1.0 0.0.0.255
network 10.10.2.0 0.0.0.255
#
return

Step 5 Configure Router_5.


#
sysname Router_5
#
acl number 2000 //Create a basic ACL to deny packets with the source IP address 10.10.4.0/24.
rule 0 deny source 10.10.4.0 0.0.0.255
rule 5 permit
#
interface GigabitEthernet2/0/1
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.5.1.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
import-route direct //Import direct routes into the OSPF network.
import-route rip 1 //Import RIP routes into the OSPF network.
filter-policy 2000 export rip 1 //Use ACL 2000 to filter the RIP routes to be imported into OSPF.
area 0.0.0.1
network 10.4.1.0 0.0.0.255
#
rip 1 //Enable RIP on the specified network segment.
undo summary
version 2
network 10.5.1.0
import-route direct //Import direct routes into the RIP network.
import-route ospf 1 //Import OSPF routes into the RIP network.
#
return

Step 6 Configure Router_6.


#
sysname Router_6
#
interface GigabitEthernet2/0/1
ip address 10.5.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.4.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.10.5.1 255.255.255.0
#
rip 1 //Enable RIP on the specified network segment.
undo summary
version 2
network 10.5.1.0
network 10.10.4.0
network 10.10.5.0
#
return

Step 7 Verify the configuration.

# On Router_3, ping the destination address 10.10.2.1 from the source address 10.10.3.1. The
ping operation fails, indicating that Marketing department 1 cannot access R&D department
1.

# On Router_4, ping the destination address 10.10.5.1 from source addresses 10.10.1.1 and
10.10.2.1. The ping operations fail, indicating that R&D department 1 and After-sales Service
department cannot access Marketing department 2.

# Check information about Router_3 and Router_4 routing tables. The two routing tables do
not contain routes to 10.10.4.0/24, indicating that R&D department 2 cannot access Marketing
department 1, R&D department 1, and After-sales Service department.

----End

Configuration Notes
- When filtering routes, you need to specify the export keyword to filter imported external
  routes. This keyword is only applicable to an autonomous system boundary router
  (ASBR).
- The route filtering function filters only the routes in routing tables but not the LSAs
  advertised in OSPF.
- Routing communication is bidirectional. After you filter routes from a router to a
  specified destination network segment, other network segments connected to the router
  cannot access devices on the destination network segment and devices on the destination
  network segment cannot access devices on the source network segment.
- When using ACLs to implement the route filtering function, you must set the last ACL
  rule to permit the packets sent from all source addresses to avoid filtering the routes of
  all network segments.

8.4.8 Example for Configuring BFD for OSPF


Specifications
This example applies to all AR models of all versions.

Networking Requirements
In Figure 8-17, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Open Shortest Path First
(OSPF) and establish OSPF neighbor relationships to ensure that they are reachable at the
network layer.
Router_1, Router_2, and Router_3 support bidirectional forwarding detection (BFD). The
company wants to use BFD for OSPF and BFD control packets so that BFD can quickly
detect a failure (for example, the Down state) of the link between Router_1 or Router_3 and
the L2 Switch and notify OSPF of it.
The company wants to configure BFD for OSPF on Router_1 and Router_3 to meet the
following requirements:
- Detect the link that passes through the L2 Switch.
- Ensure that the devices can quickly detect the link failure, notify OSPF of it, and switch
  traffic to the link of Router_2.

Figure 8-17 Networking diagram of configuring BFD for OSPF

Device    Interface  IP Address
Router_1  GE2/0/1    10.1.0.101/24
          GE2/0/2    10.10.0.101/24
          GE2/0/3    10.20.1.1/24
Host A    -          10.20.1.2/24
Router_2  GE2/0/1    10.10.0.102/24
          GE2/0/2    10.40.1.101/24
Router_3  GE2/0/1    10.1.0.102/24
          GE2/0/2    10.40.1.102/24
          GE2/0/3    10.30.1.1/24
Host C    -          10.30.1.2/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
ospf bfd enable //Enable BFD on an interface.
ospf bfd min-tx-interval 100 min-rx-interval 100
#
interface GigabitEthernet2/0/2
ip address 10.10.0.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.20.1.1 255.255.255.0
#
ospf 1 //Configure basic OSPF functions on Router_1, and enable BFD for OSPF.
bfd all-interfaces enable
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.10.0.0 0.0.0.255
network 10.20.1.0 0.0.0.255
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
bfd
#
acl number 2000 //Create ACL 2000 to permit the packets with the source IP address 10.20.0.0/24.
rule 0 permit source 10.20.0.0 0.0.0.255
#
interface GigabitEthernet2/0/1
ip address 10.10.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.101 255.255.255.0
#
ospf 1 //Configure basic OSPF functions on Router_2.
bfd all-interfaces enable
area 0.0.0.0
network 10.10.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
bfd
#
interface GigabitEthernet2/0/1
ip address 10.1.0.102 255.255.255.0
ospf bfd enable //Configure BFD on an interface.
ospf bfd min-tx-interval 100 min-rx-interval 100
#
interface GigabitEthernet2/0/2
ip address 10.40.1.102 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.30.1.1 255.255.255.0
#
ospf 1 //Configure basic OSPF functions on Router_3, and enable BFD for OSPF.
bfd all-interfaces enable
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.30.1.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
return

Step 4 Verify the configuration.


# Run the ping command to check whether there are reachable routes from Host A at
10.20.1.2 connected to Router_1 to Host C at 10.30.1.2 connected to Router_3. The command
output shows that there are reachable routes from Host A to Host C.

# Run the display ospf peer command on Router_1 to check OSPF neighbor information.
The command output shows that Router_1 and Router_3 have established an OSPF neighbor
relationship.

# Run the display ospf bfd session all command on Router_1 and Router_3 to check BFD
session information. The command output shows that a BFD session has been set up between
Router_1 and Router_3 and is in Up state.

# Run the display ip routing-table 10.30.1.0 verbose command on Router_1 to check routes
to 10.30.1.0/24. The command output shows that Router_1 and Router_3 communicate
through the L2 Switch.

----End

8.5 OSPFv3

8.5.1 Example for Configuring OSPFv3

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
OSPFv3 runs on RouterA, RouterB, and RouterC. RouterA and RouterC import direct routes.
PC1 and PC2 connect to RouterA and RouterC respectively. It is required that PC1 and PC2
successfully ping each other.

Figure 8-18 Networking diagram of configuring OSPFv3

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
ospfv3 2
router-id 10.10.10.10 //Set the router ID of the router running OSPFv3 process 2 to 10.10.10.10.
import-route direct //Configure the router to import external routes.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1999::1/64
#
interface GigabitEthernet2/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 2000::1/64
ospfv3 2 area 0.0.0.0 //Configure OSPFv3 process 2 on the interface and specify the area to which the interface belongs as Area 0.

Step 2 Configure RouterB.


#
sysname RouterB
#
ipv6
#
ospfv3 2
router-id 20.20.20.20
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::1/64
ospfv3 2 area 0.0.0.1
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::2/64
ospfv3 2 area 0.0.0.0
#

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
ospfv3 2
router-id 30.30.30.30
import-route direct
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2002::1/64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2001::2/64
ospfv3 2 area 0.0.0.1
#

Step 4 Verify the configuration.


# PC1 and PC2 can successfully ping each other.
----End

Configuration Notes
- The OSPFv3 router ID must be manually configured. If no router ID is configured,
  OSPFv3 cannot run properly.
- You must configure different router IDs for routers in an AS and specify different router
  IDs for multiple OSPFv3 processes running on the same router.
- Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
  Before configuring IPv6 features on an interface, enable IPv6 on the interface.

8.5.2 Example for Configuring Two OSPFv3 Processes for Communication

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
OSPFv3 process 2 runs on RouterA and RouterB, and OSPFv3 process 3 runs on RouterB and
RouterC. It is required that GE1/0/0 interfaces on RouterA and RouterC successfully ping
each other.

Figure 8-19 Networking diagram of configuring two OSPFv3 processes for communication

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
ospfv3 2
router-id 10.10.10.10 //Set the router ID of the router running OSPFv3 process 2 to 10.10.10.10.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1999::1/64
ospfv3 2 area 0.0.0.0 //Configure OSPFv3 process 2 on the interface and specify the area to which the interface belongs as Area 0.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::1/64
ospfv3 2 area 0.0.0.0
#

Step 2 Configure RouterB.


#
sysname RouterB
#
ipv6
#
ospfv3 2
router-id 22.22.22.22
import-route ospfv3 3 //Configure the router to import routes from OSPFv3 process 3.
#
ospfv3 3
router-id 23.23.23.23
import-route ospfv3 2
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001::1/64
ospfv3 3 area 0.0.0.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::2/64
ospfv3 2 area 0.0.0.0
#

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
ospfv3 3
router-id 30.30.30.30
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2002::1/64
ospfv3 3 area 0.0.0.0
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2001::2/64
ospfv3 3 area 0.0.0.0
#

Step 4 Verify the configuration.

# Run the ping ipv6 -a 1999::1 2002::1 command on RouterA. The command output shows
that GE1/0/0 interfaces on RouterA and RouterC successfully ping each other.

----End

Configuration Notes
- The OSPFv3 router ID must be manually configured. If no router ID is configured,
  OSPFv3 cannot run properly.
- You must configure different router IDs for routers in an AS and specify different router
  IDs for multiple OSPFv3 processes running on the same router.
- Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
  Before configuring IPv6 features on an interface, enable IPv6 on the interface.

8.5.3 Example for Configuring OSPFv3 Route Filtering


Specifications
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 8-20, Company A uses Open Shortest Path First version 3 (OSPFv3) to
implement interconnection between all devices. Company A merges with Company B that
uses the Routing Information Protocol next generation (RIPng), requiring OSPFv3 and RIPng
to import routes to each other so that departments can communicate. Router_1 and Router_2
function as core devices to ensure communication between departments. To meet service
requirements, Company A needs to control and adjust network routes by taking the following
measures:
- Filter the imported routes on Router_5 to prevent R&D department 2 from accessing
  Marketing department 1, R&D department 1, and After-sales Service department.
- Filter routes on Router_3 to prevent Marketing department 1 from accessing R&D
  department 1.
- Filter routes on Router_4 to prevent R&D department 1 and After-sales Service
  department from accessing Marketing department 2.

Figure 8-20 Networking diagram of configuring OSPFv3 route filtering

Device    Interface  IPv6 Address
Router_1  GE2/0/1    FC01::1/64
          GE2/0/2    FC02::1/64
          GE2/0/3    FC04::1/64
Router_2  GE2/0/1    FC01::2/64
          GE2/0/2    FC03::1/64
Router_3  GE2/0/1    FC02::2/64
          GE2/0/2    FC13::1/64 (network segment where Marketing department 1 resides)
Router_4  GE2/0/1    FC03::2/64
          GE2/0/2    FC11::1/64 (network segment where After-sales Service department resides)
          GE2/0/3    FC12::1/64 (network segment where R&D department 1 resides)
Router_5  GE2/0/1    FC04::2/64
          GE2/0/2    FC05::1/64
Router_6  GE2/0/1    FC05::2/64
          GE2/0/2    FC14::1/64 (network segment where R&D department 2 resides)
          GE2/0/3    FC15::1/64 (network segment where Marketing department 2 resides)

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC01::1/64
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC02::1/64
ospfv3 1 area 0.0.0.2
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC04::1/64
ospfv3 1 area 0.0.0.1
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_1 interfaces.
router-id 6.6.6.6
area 0.0.0.0
area 0.0.0.1
area 0.0.0.2
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC01::2/64
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC03::1/64
ospfv3 1 area 0.0.0.3
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_2 interfaces.
router-id 5.5.5.5
area 0.0.0.0
area 0.0.0.3
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
acl ipv6 number 2000 //Create a basic IPv6 ACL to deny packets with the source IPv6 address FC12::/64.
rule 0 deny source FC12::/64
rule 5 permit
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC02::2/64
ospfv3 1 area 0.0.0.2
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC13::1/64
ospfv3 1 area 0.0.0.2
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_3 interfaces.
router-id 4.4.4.4
filter-policy 2000 import //Use IPv6 ACL 2000 to filter the routes to be added to the routing table.
area 0.0.0.2
#
return

Step 4 Configure Router_4.


#
sysname Router_4
#
acl ipv6 number 2000 //Create a basic IPv6 ACL to deny packets with the source IPv6 address FC15::/64.
rule 0 deny source FC15::/64
rule 5 permit
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC03::2/64
ospfv3 1 area 0.0.0.3
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC11::1/64
ospfv3 1 area 0.0.0.3
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC12::1/64
ospfv3 1 area 0.0.0.3
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_4 interfaces.
router-id 3.3.3.3
filter-policy 2000 import //Use IPv6 ACL 2000 to filter the routes to be added to the routing table.
area 0.0.0.3
#
return

Step 5 Configure Router_5.


#
sysname Router_5
#
acl ipv6 number 2000 //Create a basic IPv6 ACL to deny packets with the source IPv6 address FC14::/64.
rule 0 deny source FC14::/64
rule 5 permit
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC04::2/64
ospfv3 1 area 0.0.0.1
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC05::1/64
ripng 1 enable
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_5 interfaces.
router-id 2.2.2.2
filter-policy 2000 export ripng 1 //Use IPv6 ACL 2000 to filter the RIPng routes to be imported into OSPFv3.
import-route direct //Import direct routes into the OSPFv3 network.
import-route ripng 1 //Import RIPng routes into the OSPFv3 network.
area 0.0.0.1
#
ripng 1 //Create a RIPng process, and enable RIPng on Router_5 interfaces.
import-route direct //Import direct routes into the RIPng network.
import-route ospfv3 1 //Import OSPFv3 routes into the RIPng network.
#
return

Step 6 Configure Router_6.


#
sysname Router_6
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC05::2/64
ripng 1 enable
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC14::1/64
ripng 1 enable
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC15::1/64
ripng 1 enable
#
ripng 1 //Create a RIPng process, and enable RIPng on Router_6 interfaces.
#
return

Step 7 Verify the configuration.

# On Router_3, ping the destination address FC12::1 from the source address FC13::1. The
ping operation fails, indicating that Marketing department 1 cannot access R&D department
1.

# On Router_4, ping the destination address FC15::1 from source addresses FC11::1 and
FC12::1. The ping operations fail, indicating that R&D department 1 and After-sales Service
department cannot access Marketing department 2.

# Check information about Router_3 and Router_4 routing tables. The two routing tables do
not contain routes to FC14::/64, indicating that R&D department 2 cannot access Marketing
department 1, R&D department 1, and After-sales Service department.

----End

Configuration Notes
- When filtering routes, you need to specify the export keyword to filter imported external
  routes. This keyword is only applicable to an autonomous system boundary router
  (ASBR).
- The route filtering function filters only the routes in routing tables but not the LSAs
  advertised in OSPFv3.
- Routing communication is bidirectional. After you filter routes from a router to a
  specified destination network segment, other network segments connected to the router
  cannot access devices on the destination network segment and devices on the destination
  network segment cannot access devices on the source network segment.
- When using ACLs to implement the route filtering function, you must set the last ACL
  rule to permit the packets sent from all source addresses to avoid filtering the routes of
  all network segments.
- When configuring OSPFv3, you must specify the router ID.
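
The ACL notes in 8.4.7 and 8.5.3 describe first-match evaluation in which a route that matches no rule is filtered. The following Python sketch is an added example, not part of the Huawei guide: it parses the acl and filter-policy lines used on this page and reports which candidate routes a router would install. Comparing a route by its destination network address is a simplified assumption, and the function names (parse, route_allowed, audit) are made up for this sketch.

```python
import ipaddress
import re

# Excerpts copied from the page: Router_3 in 8.4.7 (IPv4) and in 8.5.3 (IPv6).
ROUTER_3_IPV4 = """\
acl number 2000
rule 0 deny source 10.10.2.0 0.0.0.255
rule 5 permit
ospf 1
filter-policy 2000 import
"""
ROUTER_3_IPV6 = """\
acl ipv6 number 2000
rule 0 deny source FC12::/64
rule 5 permit
ospfv3 1
filter-policy 2000 import
"""
# Constructed variant for the last configuration note: "rule 5 permit" is missing.
ROUTER_3_NO_PERMIT = """\
acl number 2000
rule 0 deny source 10.10.2.0 0.0.0.255
ospf 1
filter-policy 2000 import
"""

ACL_RE = re.compile(r"^acl (?:ipv6 )?number (\d+)$")
RULE_RE = re.compile(r"^rule (\d+) (permit|deny)(?: source (\S+)(?: (\S+))?)?$")
FILTER_RE = re.compile(r"^filter-policy (\d+) (import|export)\b")


def make_matcher(source, wildcard):
    """Build a predicate over ip_network objects for one rule's source clause."""
    if source is None:  # "rule 5 permit" matches every route
        return lambda net: True
    if wildcard is None:  # IPv6 form: source FC12::/64
        want = ipaddress.ip_network(source, strict=False)
        return lambda net: net.version == want.version and net.network_address in want
    base = int(ipaddress.IPv4Address(source))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are ignored
    return lambda net: net.version == 4 and (int(net.network_address) & care) == (base & care)


def parse(config):
    """Return ({acl_number: [(rule_id, action, matcher)]}, [(acl_number, direction)])."""
    acls, bindings, current = {}, [], None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the guide's // annotations
        acl, rule, binding = ACL_RE.match(line), RULE_RE.match(line), FILTER_RE.match(line)
        if acl:
            current = acls.setdefault(int(acl.group(1)), [])
        elif rule and current is not None:
            current.append((int(rule.group(1)), rule.group(2),
                            make_matcher(rule.group(3), rule.group(4))))
        else:
            current = None  # any other line leaves the ACL view
            if binding:
                bindings.append((int(binding.group(1)), binding.group(2)))
    return acls, bindings


def route_allowed(rules, prefix):
    """Lowest matching rule ID decides; a route matching no rule is filtered."""
    net = ipaddress.ip_network(prefix)
    for _, action, matches in sorted(rules, key=lambda r: r[0]):
        if matches(net):
            return action == "permit"
    return False


def audit(config, candidate_routes):
    """Evaluate candidate route prefixes against every ACL bound by filter-policy."""
    acls, bindings = parse(config)
    report = {}
    for number, direction in bindings:
        entry = {"installed": [], "filtered": [], "warnings": []}
        report[(number, direction)] = entry
        if number not in acls:
            entry["warnings"].append(f"ACL {number} is not defined in this excerpt")
            continue
        rules = acls[number]
        if not any(action == "permit" for _, action, _ in rules):
            entry["warnings"].append(f"ACL {number} has no permit rule: every route is filtered")
        for prefix in candidate_routes:
            entry["installed" if route_allowed(rules, prefix) else "filtered"].append(prefix)
    return report


if __name__ == "__main__":
    routes_v4 = ["10.10.1.0/24", "10.10.2.0/24", "10.3.1.0/24"]
    for name, cfg, routes in [("IPv4", ROUTER_3_IPV4, routes_v4),
                              ("IPv6", ROUTER_3_IPV6, ["FC11::/64", "FC12::/64"]),
                              ("no permit", ROUTER_3_NO_PERMIT, routes_v4)]:
        print(name, audit(cfg, routes))
```

The report covers only the local routing table of the router whose configuration is audited; as the notes above state, the LSAs themselves are not filtered.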

8.6 IS-IS(IPv4)

8.6.1 Example for Configuring IS-IS Route Leaking

Specifications
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 8-21, the company headquarters and branch 1 use Intermediate System to
Intermediate System (IS-IS) for communication. An independent network has been deployed
for the Marketing department and Finance department in the headquarters. Branch 2 uses
Open Shortest Path First (OSPF). The company has the following requirements:
- The Marketing department and Finance department in the headquarters can
  communicate. The route leaking function is configured so that branches can
  communicate normally with the headquarters and Marketing department but cannot
  communicate with the Finance department and cannot view routes of the Finance
  department.
- OSPF routes of branch 2 are imported into the branch network so that the Marketing
  department can communicate with branch 2.
- Communication is not interrupted when the IS-IS process of the headquarters gateway
  Router_3 restarts.

Figure 8-21 Networking diagram of configuring IS-IS route leaking

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
isis 1 //Configure basic IS-IS functions.
is-level level-1
network-entity 10.0000.0000.1001.00
#
interface GigabitEthernet2/0/1
ip address 1.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 10.100.1.1 255.255.255.0
isis enable 1
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
isis 1 //Configure basic IS-IS functions.
is-level level-1
network-entity 10.0000.0000.2001.00
#
interface GigabitEthernet2/0/1
ip address 1.1.2.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 10.100.2.1 255.255.255.0
isis enable 1
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
isis 1 //Configure basic IS-IS functions.
graceful-restart //Enable IS-IS GR.
network-entity 10.0000.0001.0001.00
import-route isis level-1 into level-2 filter-policy ip-prefix 1 //Configure IS-IS route leaking and use the IP prefix list 1 to advertise only routes of the network segment 10.100.1.0/24 from level-1 area to level-2 area.
#
interface GigabitEthernet2/0/1
ip address 1.1.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 1.1.2.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/3
ip address 1.1.10.1 255.255.255.0
isis enable 1
#
ip ip-prefix 1 index 10 permit 10.100.1.0 24
#
return

Step 4 Configure Router_4.


#
sysname Router_4
#
isis 1 //Configure basic IS-IS functions.
is-level level-2
network-entity 20.0000.0002.0001.00
import-route direct //Configure the IS-IS process to import direct routes.
import-route ospf 1 //Configure the IS-IS process to import routes of the OSPF process.
#
interface GigabitEthernet2/0/1
ip address 1.1.10.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 1.1.20.1 255.255.255.0
isis enable 1
#
ospf 1 //Configure basic OSPF functions.
import-route direct //Configure the OSPF process to import direct routes.
import-route isis 1 //Configure the OSPF process to import routes of the IS-IS process.
area 0.0.0.0
network 1.1.20.0 0.0.0.255
#
return

Step 5 Configure Router_5.


#
sysname Router_5
#
interface GigabitEthernet2/0/1
ip address 1.1.20.2 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.200.1.1 255.255.255.0
#
ospf 1 //Configure basic OSPF functions.
area 0.0.0.0
network 10.200.1.0 0.0.0.255
network 1.1.20.0 0.0.0.255
#
return

Step 6 Verify the configuration.

# Check the IS-IS routing table on Router_4. The routing table contains routes of the
Marketing department (10.100.1.0/24) but does not contain routes of the Finance department
(10.100.2.0/24). This indicates that branches can communicate only with the Marketing
department.

# Check the IS-IS routing table on Router_3. The routing table contains routes of the network
segment 10.200.1.0/24. Ping 10.200.1.1 from Router_3. The ping operation succeeds,
indicating that the Marketing department can communicate normally with branch 2.

# Ping Router_2 from Router_1, and restart the IS-IS process on Router_3 during the ping
operation. Communication is not interrupted during the restart of the IS-IS process on
Router_3. You can view the IS-IS graceful restart (GR) status on Router_3 in the display isis
graceful-restart status command output.

----End

Configuration Notes
Do not change the network topology during the GR of devices. Otherwise, a routing blackhole
may occur.

8.6.2 Example for Configuring IS-IS Route Aggregation


Specifications
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 8-22, IS-IS is configured on three routers. RouterA is the Level-1 router,
RouterB is the Level-1-2 router, and RouterA and RouterB belong to area 10. RouterC is the
Level-2 router and belongs to area 20. All routes in area 10 need to be aggregated and sent to
RouterC.

Figure 8-22 Networking diagram of configuring IS-IS route aggregation

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
isis 10 //Enable IS-IS process 10.
is-level level-1 //Set the router level to Level-1.
network-entity 10.0000.0000.0001.00 //Set a NET for the IS-IS process.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
isis enable 10 //Enable IS-IS on the interface.
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
isis enable 10
#
interface GigabitEthernet3/0/0
ip address 192.168.2.1 255.255.255.0
isis enable 10
#

Step 2 Configure RouterB.


#
sysname RouterB
#
isis 10
network-entity 10.0000.0000.0002.00
summary 192.168.0.0 255.255.0.0 level-1-2 //Configure IS-IS to aggregate routes.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
isis enable 10
#
interface GigabitEthernet2/0/0
ip address 192.168.3.2 255.255.255.0
isis enable 10
#

Step 3 Configure RouterC.


#
sysname RouterC
#
isis 10
is-level level-2
network-entity 20.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
isis enable 10
#

Step 4 Verify the configuration.


# Run the display isis route command on RouterC. All the routes in area 10 are aggregated to
one route destined for 192.168.0.0/16.

----End

Configuration Notes
• When using the network-entity command to set a NET for an IS-IS process, configure
the same area ID for routers in an area.

8.6.3 Example for Configuring BFD for IS-IS


Specifications
This example applies to all AR models of all versions.

Networking Requirements
In Figure 8-23, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Intermediate System to
Intermediate System (IS-IS) and establish IS-IS neighbor relationships so that they are
reachable to each other at the network layer.
Router_1, Router_2, and Router_3 support bidirectional forwarding detection (BFD). The
company wants to use BFD for IS-IS and BFD control packets so that BFD can quickly
detect a failure (for example, the Down state of the link between Router_1 or Router_3 and
the L2 Switch) and notify IS-IS of it.
The company wants to configure BFD for IS-IS on Router_1 and Router_3 to meet the
following requirements:
• Detect the link that passes through the L2 Switch.
• Ensure that the devices can quickly detect a link failure, notify IS-IS of it, and switch
traffic to the link of Router_2.


Figure 8-23 Networking diagram of configuring BFD for IS-IS

Device Interface IP Address

Router_1 GE2/0/1 10.1.0.101/24

GE2/0/2 10.10.0.101/24

GE2/0/3 10.20.1.1/24

Router_2 GE2/0/1 10.10.0.102/24

GE2/0/2 10.40.1.101/24

Router_3 GE2/0/1 10.1.0.102/24

GE2/0/2 10.40.1.102/24

GE2/0/3 10.30.1.1/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
isis 1 //Configure basic IS-IS functions on Router_1, and enable BFD for IS-IS.
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 //Set the minimum interval for sending and receiving single-hop BFD control packets to 100 ms.
#
interface GigabitEthernet2/0/2
ip address 10.10.0.101 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/3
ip address 10.20.1.1 255.255.255.0
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
bfd
#
isis 1
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet2/0/1
ip address 10.10.0.102 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 10.40.1.101 255.255.255.0
isis enable 1
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
bfd
#
isis 1
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet2/0/1
ip address 10.1.0.102 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 //Set the minimum interval for sending and receiving single-hop BFD control packets to 100 ms.
#
interface GigabitEthernet2/0/2
ip address 10.40.1.102 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/3
ip address 10.30.1.1 255.255.255.0
isis enable 1
#
return

Step 4 Verify the configuration.


# Run the display isis peer verbose command on Router_1 to check IS-IS neighbor
information. When the State field displays Up, Router_1 and Router_3 have established an
IS-IS neighbor relationship.


# Run the display isis bfd session all command on Router_1 and Router_3 to check BFD
session information. The command output shows that a BFD session has been set up and
that Session State is Up.
# Run the display ip routing-table 10.30.1.0 verbose command on Router_1 to check routes
to 10.30.1.0/24. The command output shows that Router_1 and Router_3 communicate
through the L2 Switch.

----End

8.7 IS-IS(IPv6)

8.7.1 Example for Configuring IS-IS IPv6


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 8-24:
• RouterA, RouterB, RouterC, and RouterD belong to the same AS. The four routers need
to run IS-IS to implement IPv6 interworking.
• RouterA, RouterB, and RouterC belong to Area 10, and RouterD belongs to Area 20.
• RouterA and RouterB are Level-1 routers, RouterC is a Level-1-2 router, and RouterD is
a Level-2 router.

Figure 8-24 Networking diagram of configuring IS-IS IPv6


Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
isis 1 //Enable IS-IS process 1.
is-level level-1 //Set the router as a Level-1 router.
network-entity 10.0000.0000.0001.00 //Set the NET for IS-IS process 1.
#
ipv6 enable topology standard //Enable the IPv6 capability for IS-IS process 1.
#
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 10:1::2/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1 //Enable the IPv6 capability for IS-IS process 1 on the interface.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
ipv6
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00 //Set the NET for IS-IS process 1.
#
ipv6 enable topology standard
#
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 10:2::2/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
isis 1
network-entity 10.0000.0000.0003.00 //Set the NET for IS-IS process 1.
#
ipv6 enable topology standard
#
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 30::1/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
isis circuit-level level-2 //Set the circuit type as Level-2, allowing only Level-2 adjacencies to be established on the interface.
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 10:1::1/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 10:2::1/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
return

Step 4 Configure RouterD.


#
sysname RouterD
#
ipv6
#
isis 1
is-level level-2 //Set the router as a Level-2 router.
network-entity 20.0000.0000.0004.00 //Set the NET for IS-IS process 1.
#
ipv6 enable topology standard
#
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 30::2/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 20::1/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
return

Step 5 Verify the configuration.

# Run the display isis route command on each router to view IS-IS routes.

# Interfaces on RouterA, RouterB, RouterC, and RouterD can successfully ping each other.

----End

Configuration Notes
• IPv6 must be enabled in the system view and interface view.
• The IPv6 capability must be enabled for IS-IS on interfaces.
• When using the network-entity command to set a NET for an IS-IS process, configure
the same area ID for routers in an area.

8.8 BGP

8.8.1 Example for Configuring BGP

Applicability
This example applies to all versions and AR routers.


Networking Requirements
Multiple ASs exist in a region. To access each other, these ASs must exchange their local
routes. As multiple routers exist in the ASs, there are a large number of routes that change
frequently. How to efficiently transmit a great deal of routing information between ASs
without consuming lots of bandwidth resources has become a problem. BGP can be used to
solve this problem.

RouterA and RouterB belong to AS 100, and RouterC belongs to AS 200. After BGP is
enabled on the routers, the routers can exchange routing information. When the routes of one
router change, the router sends Update messages carrying only the changed routing
information to its peers, and does not send its entire routing table. This greatly reduces
bandwidth consumption. Figure 8-25 shows the IP addresses and masks of hosts and routers'
interfaces.

Figure 8-25 Networking diagram of configuring basic BGP functions

Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 10.1.2.2 as-number 100 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast //Enter the IPv4 unicast address family view.
undo synchronization
network 10.1.1.0 24 //Add routes in the local routing table to the BGP routing table statically and advertise the routes to a peer.
peer 10.1.2.2 enable
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
bgp 100
router-id 2.2.2.2
peer 10.1.2.1 as-number 100
peer 10.1.3.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 10.1.2.1 enable
peer 10.1.3.2 enable
#
return

Step 3 Configure RouterC.


#
interface GigabitEthernet1/0/0
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.2 255.255.255.0
#
bgp 200
router-id 3.3.3.3
peer 10.1.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 10.1.4.0 24
peer 10.1.3.1 enable
#
return

Step 4 Configure hosts.


Set the default gateway of hosts in VLAN 10 to 10.1.1.1 and the default gateway of hosts in
VLAN 20 to 10.1.4.1.
Step 5 Verify the configuration.
# Run the display bgp routing-table command to view the BGP routing table.
# Run the ping command to verify the router connectivity.

----End

Configuration Notes
• You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
• You must configure default gateways for hosts.
• If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
• By default, IGP-BGP synchronization is disabled.
• By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.

8.8.2 Example for Configuring a BGP Route Reflector


Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA, RouterB, and RouterC belong to AS 100. RouterB is a route reflector (RR), RouterC
is its client, and RouterA is a non-client. RouterC does not establish a BGP connection with
RouterA but needs to learn the routes advertised by RouterA through RouterB. Figure 8-26
shows the IP addresses and masks of hosts and routers' interfaces.

Figure 8-26 Networking diagram of configuring a BGP RR

Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 10.1.2.2 as-number 100 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast //Enter the IPv4 unicast address family view.
undo synchronization
network 10.1.1.0 24 //Add routes in the local routing table to the BGP routing table statically and advertise the routes to a peer.
peer 10.1.2.2 enable
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
bgp 100
router-id 2.2.2.2
peer 10.1.2.1 as-number 100
peer 10.1.3.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.2.1 enable
peer 10.1.3.2 enable
peer 10.1.3.2 reflect-client //Configure an RR and its clients.
#
return

Step 3 Configure RouterC.


#
interface GigabitEthernet1/0/0
ip address 10.1.4.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.3.2 255.255.255.0
#
bgp 100
router-id 3.3.3.3
peer 10.1.3.1 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.3.1 enable
#
return

Step 4 Verify the configuration.

# Run the display bgp routing-table command on RouterC to view the BGP routing table.
The command output shows that RouterC has learned from RouterB the routes advertised by
RouterA. You can also view the Originator and Cluster_ID attributes of a specified route.

----End

Configuration Notes
• You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
• If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
• By default, IGP-BGP synchronization is disabled.
• By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.

8.8.3 Example for Configuring the Local Preference and Community Attribute in a BGP Route-policy

Applicability
This example applies to all versions and AR routers.


Networking Requirements
BGP runs on RouterA and RouterB. RouterA imports two static blackhole routes. RouterB
needs to change the local preference of the routes to 192.168.10.0/24 and add the
community attribute to them.

Figure 8-27 Networking diagram of configuring the local preference and community attribute
in a BGP route-policy

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 192.168.0.2 as-number 10 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast
undo synchronization
import-route static //Configure the router to import static routes.
peer 192.168.0.2 enable
#
ip route-static 192.168.10.0 255.255.255.0 NULL0 //Configure static blackhole routes.
ip route-static 192.168.20.0 255.255.255.0 NULL0
#

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 2001
rule 2 permit source 192.168.10.0 0.0.0.255 //Add a rule in ACL 2001 to permit the packets from 192.168.10.0/24 to pass through.
#
interface GigabitEthernet1/0/0
ip address 192.168.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 10
router-id 2.2.2.2
peer 192.168.0.1 as-number 10
#
ipv4-family unicast
undo synchronization
peer 192.168.0.1 enable
peer 192.168.0.1 route-policy admin import //Configure a route-policy admin to filter the routes of peers.
#
route-policy admin permit node 10 //Configure a route-policy admin and set the index of the node in the route-policy to 10 and the matching mode to permit.
if-match acl 2001 //Configure a matching rule based on ACL 2001.
apply local-preference 120 //Set the local preference of BGP routes to 120.
apply community 10:1 //Set the BGP community attribute of BGP routes to 10:1.
#
route-policy admin permit node 20 //Configure a route-policy admin and set the index of the node in the route-policy to 20 and the matching mode to permit.
#

Step 3 Verify the configuration.

# Run the display bgp routing-table command on RouterB to view the BGP routing table.
The routing table contains routes of 192.168.10.0/24 and 192.168.20.0/24. Run the display
bgp routing-table 192.168.10.0 24 command on RouterB. You can view detailed information
about routes of 192.168.10.0/24, including the local preference 120 and community attribute
10:1.

----End

Configuration Notes
• By default, IGP-BGP synchronization is disabled.
• By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.
• A permit node without contents must be appended to a route-policy so that the routes
that do not match the previous nodes can be added to the BGP routing table.
• The local preference is only used for route selection within an AS and is not advertised
outside the AS. Therefore, the apply local-preference command does not take effect
when a route-policy is configured for an EBGP peer.
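
The import policy on RouterB, modeled in Python as an added example (not Huawei code and not part of the original guide), shows why node 20 is needed: without it, 192.168.20.0/24 matches no node and is dropped. The class and function names are hypothetical, the model covers only the clauses used in this example, and it assumes that routes arrive with a default local preference of 100.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the RouterB configuration in this example.
# Route, Node, acl_permits and apply_policy are hypothetical names.

@dataclass(frozen=True)
class Route:
    prefix: str
    local_pref: int = 100              # assumed default local preference
    communities: tuple = ()

@dataclass(frozen=True)
class Node:
    index: int
    mode: str                          # "permit" or "deny"
    match_acl: Optional[tuple] = None  # None = no if-match clause: matches every route
    local_pref: Optional[int] = None
    community: Optional[str] = None

def acl_permits(rules, prefix):
    """Basic ACL used as a route filter: compare the route's network address
    with each rule under its wildcard mask (0 bits must match); first hit decides."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in rules:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False                       # no rule hit: the route is not matched

def apply_policy(nodes, route):
    """Return the route as modified by the first matching node, or None if filtered."""
    for node in sorted(nodes, key=lambda n: n.index):
        if node.match_acl is not None and not acl_permits(node.match_acl, route.prefix):
            continue                   # this node does not match: try the next one
        if node.mode == "deny":
            return None
        changes = {}
        if node.local_pref is not None:
            changes["local_pref"] = node.local_pref
        if node.community is not None:
            changes["communities"] = (node.community,)  # no "additive": replaces
        return replace(route, **changes)
    return None                        # matched no node: denied by default

def import_routes(nodes, routes):
    """Run every received route through the policy and keep the accepted ones."""
    accepted = {}
    for route in routes:
        result = apply_policy(nodes, route)
        if result is not None:
            accepted[route.prefix] = result
    return accepted

# acl number 2001 / rule 2 permit source 192.168.10.0 0.0.0.255
ACL_2001 = (("permit", "192.168.10.0", "0.0.0.255"),)
# route-policy admin permit node 10 and node 20
ADMIN = (
    Node(10, "permit", match_acl=ACL_2001, local_pref=120, community="10:1"),
    Node(20, "permit"),
)
# The two static blackhole routes that RouterA imports into BGP.
FROM_ROUTER_A = (Route("192.168.10.0/24"), Route("192.168.20.0/24"))

if __name__ == "__main__":
    for label, policy in (("nodes 10 and 20", ADMIN), ("node 10 only", ADMIN[:1])):
        print(label, import_routes(policy, FROM_ROUTER_A))
```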

8.8.4 Example for Applying the AS-Path Attribute to a Route-Policy

Specifications
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 8-28, four routers belong to different ASs and establish EBGP
connections. When RouterD sends routes to RouterA, the AS-Path attribute needs to be
changed so that the route from RouterA to 192.168.6.1/24 changes.


Figure 8-28 Networking diagram of applying the AS-Path attribute to a route-policy

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1 //Configure the router ID as Loopback0 interface IP address.
peer 192.168.1.2 as-number 400 //Specify the peer IP address and AS number.
peer 192.168.2.2 as-number 200
#
ipv4-family unicast
undo synchronization
peer 192.168.1.2 enable
peer 192.168.2.2 enable
#

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 200
router-id 2.2.2.2
peer 192.168.2.1 as-number 100
peer 192.168.3.2 as-number 300
#
ipv4-family unicast
undo synchronization
peer 192.168.2.1 enable
peer 192.168.3.2 enable
#

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 192.168.3.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.4.2 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 300
router-id 3.3.3.3
peer 192.168.3.1 as-number 200
peer 192.168.4.1 as-number 400
#
ipv4-family unicast
undo synchronization
peer 192.168.3.1 enable
peer 192.168.4.1 enable
#

Step 4 Configure RouterD.


#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.6.1 255.255.255.0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
bgp 400
router-id 4.4.4.4
peer 192.168.1.1 as-number 100
peer 192.168.4.2 as-number 300
#
ipv4-family unicast
undo synchronization
network 192.168.6.0 255.255.255.0 //Configure BGP to advertise local routes.
peer 192.168.1.1 enable
peer 192.168.1.1 route-policy t1 export //Apply a route-policy to the advertised routes.
peer 192.168.4.2 enable
#
route-policy t1 permit node 5 //Create a route-policy.
apply as-path 400 400 400 additive //Add AS number 400 400 400 to the AS-Path list.
#


Step 5 Verify the configuration.


# Before a route-policy is applied to RouterD, run the display bgp routing-table command
on RouterA. You can see that there are two BGP routes destined for 192.168.6.0/24. A route
with next-hop address 192.168.2.2 has AS-Path 200 300 400, and the other route with next-
hop address 192.168.1.2 has AS-Path 400. Then run the display ip routing-table command.
You can see that the route with next-hop address 192.168.1.2 is preferred.
# After a route-policy is applied to RouterD, run the display bgp routing-table command on
RouterA. You can see that there are two BGP routes destined for 192.168.6.0/24. A route with
next-hop address 192.168.2.2 has AS-Path 200 300 400, and the other route with next-hop
address 192.168.1.2 has AS-Path 400,400,400,400. Then run the display ip routing-table
command. You can see that the route with next-hop address 192.168.2.2 is preferred.

----End

Configuration Notes
• If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
• By default, IGP-BGP synchronization is disabled.
• By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.

8.8.5 Example for Configuring a BGP4+ Route Reflector

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 8-29, RouterB receives a route update from RouterA using EBGP and
forwards the route update to RouterC. RouterC is configured as a route reflector, which has
two clients, RouterB and RouterD.
RouterB and RouterD do not need to establish an IBGP connection. After receiving a route
update from RouterB, RouterC reflects the route update to RouterD. Similarly, RouterC
reflects the route update received from RouterD to RouterB.

Figure 8-29 Networking diagram of configuring a BGP4+ RR


Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 100::1 96
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 100::2 as-number 200 //Set an IPv6 address and an AS number for a peer.
#
ipv6-family unicast //Enter the IPv6 unicast address view.
undo synchronization
network 100:: 96 //Add the routes in the local routing table to the BGP routing table statically and advertise the routes to the peer.
peer 100::2 enable //Enable peers to exchange routing information.
#
return

Step 2 Configure RouterB.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 101::2 96
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 100::2 96
#
bgp 200
router-id 2.2.2.2
peer 100::1 as-number 100
peer 101::1 as-number 200
#
ipv6-family unicast
undo synchronization
network 100:: 96
network 101:: 96
peer 100::1 enable
peer 101::1 enable
#
return

Step 3 Configure RouterC.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 101::1 96
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 102::1 96
#
bgp 200
router-id 3.3.3.3
peer 101::2 as-number 200
peer 102::2 as-number 200
#
ipv6-family unicast
undo synchronization
network 101:: 96
network 102:: 96
peer 101::2 enable
peer 101::2 reflect-client //Configure RouterC as the route reflector and RouterB as the client.
peer 102::2 enable
peer 102::2 reflect-client
#
return

Step 4 Configure RouterD.


#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 102::2 96
#
bgp 200
router-id 4.4.4.4
peer 102::1 as-number 200
#
ipv6-family unicast
undo synchronization
network 102:: 96
peer 102::1 enable
#
return

Step 5 Verify the configuration.


# Run the display bgp ipv6 routing-table command on RouterD to view the BGP IPv6
routing table. The routing tables show that RouterD has learned from RouterC the routes
advertised by RouterA.

----End

Configuration Notes
• You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
• If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
• By default, IGP-BGP synchronization is disabled.
• After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
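
The reflection behavior used in sections 8.8.2 and 8.8.5, modeled in Python as an added example (not Huawei code and not part of the original guide): it propagates one prefix through each topology and shows that a route learned from an IBGP peer only moves on when a reflect-client relationship exists. Class and function names are hypothetical; the model tracks a single prefix with no best-path selection and assumes the cluster ID is the reflector's router ID.

```python
from dataclasses import dataclass, field, replace

# Constructed model; Route, Speaker, outbound and propagate are hypothetical names.

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str = "local"      # peer the route was learned from
    originator_id: str = ""    # Originator attribute, set on first reflection
    cluster_list: tuple = ()   # one cluster ID per reflector the route crossed

@dataclass
class Speaker:
    router_id: str
    asn: int
    peers: dict                # peer name -> True if configured as reflect-client
    rib: dict = field(default_factory=dict)

def outbound(name, speakers, route):
    """Yield (peer, route) for every peer this speaker may advertise the route to."""
    me = speakers[name]
    src_ibgp = route.source != "local" and speakers[route.source].asn == me.asn
    src_client = src_ibgp and me.peers[route.source]
    for peer, is_client in me.peers.items():
        if peer == route.source:
            continue
        if speakers[peer].asn != me.asn:
            # EBGP peer: reflection attributes are not carried out of the AS.
            yield peer, replace(route, source=name, originator_id="", cluster_list=())
        elif not src_ibgp:
            # Local or EBGP-learned routes go to every IBGP peer unchanged.
            yield peer, replace(route, source=name)
        elif src_client or is_client:
            # IBGP-learned route: only sent on when reflecting. A route from a
            # client goes to all other peers; from a non-client, to clients only.
            yield peer, replace(
                route,
                source=name,
                originator_id=route.originator_id or speakers[route.source].router_id,
                cluster_list=(me.router_id,) + route.cluster_list,
            )
        # Otherwise: an IBGP-learned route is not passed to another IBGP peer.

def propagate(speakers, origin, prefix):
    """Flood one prefix from its origin; return each speaker's copy (or None)."""
    speakers[origin].rib[prefix] = Route(prefix)
    queue = [origin]
    while queue:
        name = queue.pop(0)
        for peer, route in outbound(name, speakers, speakers[name].rib[prefix]):
            rx = speakers[peer]
            looped = (route.originator_id == rx.router_id
                      or rx.router_id in route.cluster_list)
            if prefix in rx.rib or looped:
                continue
            rx.rib[prefix] = route
            queue.append(peer)
    return {n: s.rib.get(prefix) for n, s in speakers.items()}

def ipv4_rr(reflect):
    """Section 8.8.2: all routers in AS 100; RouterB may reflect to RouterC."""
    return {
        "RouterA": Speaker("1.1.1.1", 100, {"RouterB": False}),
        "RouterB": Speaker("2.2.2.2", 100, {"RouterA": False, "RouterC": reflect}),
        "RouterC": Speaker("3.3.3.3", 100, {"RouterB": False}),
    }

def bgp4plus_rr():
    """Section 8.8.5: RouterA in AS 100; RouterC reflects for RouterB and RouterD."""
    return {
        "RouterA": Speaker("1.1.1.1", 100, {"RouterB": False}),
        "RouterB": Speaker("2.2.2.2", 200, {"RouterA": False, "RouterC": False}),
        "RouterC": Speaker("3.3.3.3", 200, {"RouterB": True, "RouterD": True}),
        "RouterD": Speaker("4.4.4.4", 200, {"RouterC": False}),
    }

if __name__ == "__main__":
    print(propagate(ipv4_rr(True), "RouterA", "10.1.1.0/24")["RouterC"])
    print(propagate(ipv4_rr(False), "RouterA", "10.1.1.0/24")["RouterC"])
    print(propagate(bgp4plus_rr(), "RouterA", "100::/96")["RouterD"])
```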

8.8.6 Example for Configuring BGP4+ Load Balancing


Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
RouterA establishes EBGP connections with RouterB and RouterC. RouterB and RouterC
import static routes to 3000::/64. Load balancing needs to be implemented between RouterB
and RouterC.


Figure 8-30 Networking diagram of configuring BGP4+ load balancing

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1000::1/64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::1/64
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 1000::2 as-number 20 //Set an IP address and an AS number for a peer.
peer 2000::2 as-number 20
#
ipv6-family unicast
undo synchronization
maximum load-balancing 2 //Set the maximum number of equal-cost routes to 2.
peer 1000::2 enable //Enable peers to exchange routing information.
peer 2000::2 enable
#

Step 2 Configure RouterB.


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2000::2/64
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 20
router-id 2.2.2.2
peer 2000::1 as-number 10
#
ipv6-family unicast
undo synchronization
import-route static //Configure the router to import IPv6 static routes.
peer 2000::1 enable
#
ipv6 route-static 3000:: 64 NULL0 //Configure an IPv6 static route.
#

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 1000::2/64
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 20
router-id 3.3.3.3
peer 1000::1 as-number 10
#
ipv6-family unicast
undo synchronization
import-route static
peer 1000::1 enable
#
ipv6 route-static 3000:: 64 NULL0 //Configure an IPv6 static route.
#

Step 4 Verify the configuration.

# Run the display bgp ipv6 routing-table command on RouterA to view the BGP IPv6
routing table. The routing table contains two routes to 3000::/64. The two routes have next-
hop addresses 1000::2 and 2000::2.

----End

Configuration Notes
• After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
• Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.

8.8.7 Example for Configuring a BGP4+ Confederation

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 8-31, AS 20 is divided into three sub-ASs: AS 65001, AS 65002, and AS
65003. EBGP and IBGP need to be configured to allow routers in the two ASs to
communicate.


Figure 8-31 Networking diagram of configuring a BGP4+ confederation

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1000::1/64
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 1000::2 as-number 20 //Set an IP address and an AS number for a peer.
#
ipv6-family unicast
undo synchronization
peer 1000::2 enable //Enable peers to exchange routing information.
#

Step 2 Configure RouterB.


#
sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 1000::2/64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::2/64
#
interface GigabitEthernet3/0/0
ipv6 enable
ipv6 address 3000::2/64
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 65002
router-id 2.2.2.2
confederation id 20 //Set the confederation ID to 20.
confederation peer-as 65001 65003 //Set the sub-AS number of peers in the confederation.
peer 1000::1 as-number 10
peer 2000::1 as-number 65001
peer 3000::1 as-number 65003
#
ipv6-family unicast
undo synchronization
import-route direct //Configure the router to import direct routes.
peer 1000::1 enable
peer 2000::1 enable
peer 3000::1 enable
#

Step 3 Configure RouterC.


#
sysname RouterC
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2000::1/64
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 65001
router-id 3.3.3.3
confederation id 20
confederation peer-as 65002
peer 2000::2 as-number 65002
#
ipv6-family unicast
undo synchronization
peer 2000::2 enable
#

Step 4 Configure RouterD.


#
sysname RouterD
#
ipv6
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3000::1/64
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
bgp 65003
router-id 4.4.4.4
confederation id 20
confederation peer-as 65002
peer 3000::2 as-number 65002
#
ipv6-family unicast
undo synchronization
peer 3000::2 enable
#


Step 5 Verify the configuration.


# Run the ping ipv6 2000::1 command on RouterD. The command output shows that
RouterD can successfully ping RouterC. Run the ping ipv6 1000::1 command on RouterD.
The command output shows that RouterD can successfully ping RouterA.

----End

Configuration Notes
• Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.
• After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
• RouterB advertises only the existing routes in the local routing table. Therefore, direct
routes must be imported to RouterB using BGP4+. Otherwise, RouterA, RouterC, and
RouterD cannot communicate.

8.8.8 Example for Configuring BFD for BGP


Specifications
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 8-32, Departments A and B of the company are far from each other.
Router_1 and Router_6 function as egress devices of Departments A and B respectively.
Border Gateway Protocol (BGP) has been deployed to ensure that the two departments can
communicate. Router_2 and Router_4 support bidirectional forwarding detection (BFD). The
company wants to use BFD for BGP and use BFD control packets to detect the active link
between autonomous system (AS) 200 and AS 300. When the link between Router_2 and
Router_4 fails (for example, the link goes Down), BFD quickly detects the failure and notifies
BGP. The following requirements must be met:
- Use Open Shortest Path First (OSPF) as an Interior Gateway Protocol (IGP) in AS 100.
- Configure the link Router_2 <-> Router_3 <-> Router_4 as the active link that forwards
  traffic between Router_1 and Router_6, and use BFD control packets to detect the active
  link status.

Figure 8-32 Networking diagram of configuring BFD for BGP

Device    Interface  IP Address
Router_1  GE2/0/1    10.20.0.1/24
Router_2  GE2/0/1    10.1.0.101/24
Router_2  GE2/0/2    10.30.0.101/24
Router_2  GE2/0/3    10.20.0.2/24
Router_3  GE2/0/1    10.1.0.102/24
Router_3  GE2/0/2    10.2.0.102/24
Router_4  GE2/0/1    10.2.0.101/24
Router_4  GE2/0/2    10.40.1.101/24
Router_4  GE2/0/3    10.50.0.2/24
Router_5  GE2/0/1    10.30.0.102/24
Router_5  GE2/0/2    10.40.1.102/24
Router_6  GE2/0/1    10.50.0.1/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.20.0.1 255.255.255.0
#
bgp 200 //Enable BGP and set the local AS number to 200.
router-id 1.1.1.1
peer 10.20.0.2 as-number 100 //Configure Router_1 and Router_2 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
network 10.20.0.0 255.255.255.0
peer 10.20.0.2 enable
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
bfd
#
acl number 2000
rule 0 permit source 10.20.0.0 0.0.0.255
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.30.0.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.20.0.2 255.255.255.0
#
bgp 100 //Enable BGP and set the local AS number to 100.
router-id 2.2.2.2
peer 10.2.0.101 as-number 100
peer 10.2.0.101 bfd enable
peer 10.20.0.1 as-number 200 //Configure Router_2 and Router_1 to set up an EBGP connection.
peer 10.40.1.101 as-number 100 //Configure Router_2 and Router_4 to set up an IBGP connection.
#
ipv4-family unicast
undo synchronization
preference 255 100 130
import-route ospf 1
peer 10.2.0.101 enable
peer 10.2.0.101 route-policy local-pre export
peer 10.2.0.101 next-hop-local
peer 10.20.0.1 enable
peer 10.40.1.101 enable
peer 10.40.1.101 next-hop-local
#
ospf 1 //Configure OSPF in AS 100 to ensure that there are reachable routes between devices.
import-route bgp
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.30.0.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes to the peer at 10.2.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet2/0/1
ip address 10.1.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.2.0.102 255.255.255.0
#
ospf 1 //Configure OSPF in AS 100 to ensure that there are reachable routes between devices.
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.2.0.0 0.0.0.255
#
return

Step 4 Configure Router_4.


#
sysname Router_4
#
bfd
#
acl number 2000 //Create ACL 2000 to permit packets with the source IP address 10.50.0.0/24.
rule 0 permit source 10.50.0.0 0.0.0.255
#
interface GigabitEthernet2/0/1
ip address 10.2.0.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.50.0.2 255.255.255.0
#
bgp 100 //Enable BGP and set the local AS number to 100.
router-id 4.4.4.4
peer 10.1.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
peer 10.1.0.101 bfd min-tx-interval 100 min-rx-interval 100
peer 10.1.0.101 bfd enable //Configure BFD.
peer 10.30.0.101 as-number 100
peer 10.50.0.1 as-number 300 //Configure Router_4 and Router_6 to set up an EBGP connection.
peer 10.50.0.1 ebgp-max-hop 255
#
ipv4-family unicast
undo synchronization
preference 255 100 130
peer 10.1.0.101 enable
peer 10.1.0.101 route-policy local-pre export
peer 10.1.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.1.0.101.
peer 10.30.0.101 enable
peer 10.30.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.30.0.101.
peer 10.50.0.1 enable
#
ospf 1 //Configure OSPF in AS 100 to ensure that there are reachable routes between devices.
import-route direct
area 0.0.0.0
network 10.2.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes to the peer at 10.1.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return

Step 5 Configure Router_5.


#
sysname Router_5
#
interface GigabitEthernet2/0/1
ip address 10.30.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.102 255.255.255.0
#
ospf 1 //Configure OSPF in AS 100 to ensure that there are reachable routes between devices.
area 0.0.0.0
network 10.30.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
return

Step 6 Configure Router_6.


#
sysname Router_6
#
interface GigabitEthernet2/0/1
ip address 10.50.0.1 255.255.255.0
#
bgp 300 //Enable BGP and set the local AS number to 300.
router-id 6.6.6.6
peer 10.50.0.2 as-number 100 //Configure Router_6 and Router_4 to set up an EBGP connection.
peer 10.50.0.2 ebgp-max-hop 255
#
ipv4-family unicast
undo synchronization
network 10.50.0.0 255.255.255.0
peer 10.50.0.2 enable
#
return

Step 7 Verify the configuration.


# Run the ping command on Router_1. The command output shows that there is a reachable
route from Router_1 to Router_6.
# Run the display bgp peer command on Router_2 to check BGP peer information. The
command output shows that Router_2 has set up an Internal Border Gateway Protocol (IBGP)
connection and External Border Gateway Protocol (EBGP) connection with Router_4 and
Router_1 respectively, and the two connections are in Established state.
# Run the display bgp bfd session all command on Router_2 to check BFD session
information. The command output shows that a BFD session has been set up and that its
Session State is Up.
# Run the display ip routing-table command on Router_2 to check routes to 10.50.0.0/24.
The command output shows that Router_2 communicates with the network segment
10.50.0.0/24 through the link Router_2 <-> Router_3 <-> Router_4.

----End

8.9 Policy-based Routing

8.9.1 Example for Configuring Interface PBR


Specifications
This example applies to all AR models of all versions.

Networking Requirements
In Figure 8-33, by default, the Router forwards the packets that are received from GE2/0/0
and destined for the Server through the next hop at 10.4.1.2 according to the routing table.
Local policy-based routing (PBR) needs to be configured on the Router to meet the following
requirements:
- Redirect the packets that are received from GE2/0/0, are destined for the Server, and have
  the source IP address 10.2.1.1 to the next hop at 10.5.1.2. The traffic policy applied to
  this interface has a higher priority.
- Redirect the HTTP packets that are received from GE2/0/0 and destined for the Server
  to the next hop at 10.3.1.2.

Figure 8-33 Networking diagram of configuring local PBR

Procedure
Step 1 Configure the router.
#
sysname Router
#
acl number 3005 //Create ACL 3005 to permit packets with the source IP address 10.2.1.1.
rule 0 permit ip source 10.2.1.1 0
#
acl number 3006 //Create ACL 3006 to permit HTTP packets.
rule 0 permit tcp destination-port eq www
#
traffic classifier 10.2.1.1 operator or
if-match acl 3005
traffic classifier www operator or
if-match acl 3006
#
traffic behavior 10.2.1.1
redirect ip-nexthop 10.5.1.2
traffic behavior www
redirect ip-nexthop 10.3.1.2
#
traffic policy pbr
classifier 10.2.1.1 behavior 10.2.1.1 precedence 5
classifier www behavior www precedence 10
#
interface GigabitEthernet2/0/0 //Configure an IP address for GE2/0/0.
ip address 10.1.2.1 255.255.255.0
traffic-policy pbr inbound
#
interface GigabitEthernet2/0/1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.5.1.1 255.255.255.0
#
ip route-static 192.168.1.0 24 10.3.1.2 //Configure static routes and ensure that the three paths are reachable and the default next hop is at 10.4.1.2.
ip route-static 192.168.1.0 24 10.4.1.2 preference 40
ip route-static 192.168.1.0 24 10.5.1.2
#
return

Step 2 Verify the configuration.


# Run the display traffic classifier user-defined [ classifier-name ] command. The command
displays the traffic classifier configuration on the device.
# Run the display traffic behavior { system-defined | user-defined } [ behavior-name ]
command. The command displays the traffic behavior configuration on the device.
# Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ]
command. The command displays the traffic policy configuration on the device.
# Run the display traffic-policy applied-record [ policy-name ] command. The command
displays traffic policy records.

----End
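
The following Python model is an added example, not part of the Huawei guide. It evaluates the traffic policy pbr from Step 1 against constructed sample packets. Assumptions: the classifier with the smaller precedence value is evaluated first, static routes without an explicit preference use 60 and the lowest value wins, and the Server address 192.168.1.10 is hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port for TCP/UDP


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: bits set to 1 in the wildcard are not compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class PermitRule:
    """One 'rule ... permit' line of an advanced ACL."""
    proto: str                             # "ip" matches any protocol
    src: Optional[Tuple[str, str]] = None  # (address, wildcard); None = any source
    dport: Optional[int] = None            # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src and not wildcard_match(pkt.src, *self.src):
            return False
        return self.dport is None or pkt.dport == self.dport


# Transcribed from the Step 1 configuration on this page.
ACLS = {
    3005: [PermitRule("ip", src=("10.2.1.1", "0.0.0.0"))],  # source 10.2.1.1 0
    3006: [PermitRule("tcp", dport=80)],                     # destination-port eq www
}
# (precedence, classifier name, ACL number, redirect next hop)
POLICY_PBR = [(5, "10.2.1.1", 3005, "10.5.1.2"), (10, "www", 3006, "10.3.1.2")]
# (next hop, preference); 60 is assumed for routes without an explicit preference.
STATIC_ROUTES = {
    "192.168.1.0/24": [("10.3.1.2", 60), ("10.4.1.2", 40), ("10.5.1.2", 60)],
}


def forward(pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (next hop, reason) for a packet received on GE2/0/0."""
    # Assumption: classifiers are tried in ascending precedence; first match wins.
    for _prec, classifier, acl, nexthop in sorted(POLICY_PBR):
        if any(rule.matches(pkt) for rule in ACLS[acl]):
            return nexthop, f"classifier {classifier}"
    # No classifier matched: fall back to the routing table.
    dst = ipaddress.ip_address(pkt.dst)
    for prefix, hops in STATIC_ROUTES.items():
        if dst in ipaddress.ip_network(prefix):
            return min(hops, key=lambda h: h[1])[0], "routing table"
    return None, "no route"


# Constructed sample packets; 192.168.1.10 stands in for the Server.
SAMPLES: List[Packet] = [
    Packet("10.2.1.1", "192.168.1.10", "tcp", 80),   # matches both classifiers
    Packet("10.1.2.50", "192.168.1.10", "tcp", 80),  # HTTP from another host
    Packet("10.1.2.50", "192.168.1.10", "icmp"),     # unclassified traffic
    Packet("10.1.2.50", "203.0.113.9", "tcp", 80),   # HTTP that is NOT for the Server
]


def report() -> List[str]:
    lines = []
    for pkt in SAMPLES:
        nexthop, reason = forward(pkt)
        port = f":{pkt.dport}" if pkt.dport else ""
        lines.append(f"{pkt.src} -> {pkt.dst}{port} {pkt.proto}: {nexthop} ({reason})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The last sample shows that ACL 3006 matches any TCP port 80 traffic arriving on GE2/0/0, not only traffic destined for the Server. Adding a destination to the rule would narrow the redirect to the stated requirement.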

8.9.2 Example for Configuring PBR


Specifications
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 8-34, RouterA, RouterB, and RouterC use OSPF to ensure routes
between them are reachable. In the routing table of RouterA, the next-hop address of the route
to 10.0.0.0 is the IP address of GE1/0/0 on RouterC.
PBR is configured on RouterA so that traffic from RouterA to 10.0.0.0/24 is redirected to
RouterB.

Figure 8-34 Networking diagram for configuring PBR

Procedure
Step 1 Configure RouterA.
#
acl number 3001 //Configure an ACL to match packets with source address 10.0.2.0/24 and destination address 10.0.0.0/24.
rule 5 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
traffic classifier rdt operator or //Configure a traffic classifier.
if-match acl 3001
#
traffic behavior rdt //Configure a traffic behavior, with the next hop address as the IP address of GE1/0/0 on RouterB.
redirect ip-nexthop 10.181.10.2
#
traffic policy rdt //Configure a traffic policy that binds the traffic classifier to the traffic behavior.
classifier rdt behavior rdt
#
interface GigabitEthernet 1/0/0
ip address 10.181.20.1 255.255.255.0
#
interface GigabitEthernet 2/0/0
ip address 10.181.10.1 255.255.255.0
#
interface GigabitEthernet 3/0/0
ip address 10.0.2.1 255.255.255.0
traffic-policy rdt inbound //The traffic sent from 10.0.2.0/24 to 10.0.0.0/24 is redirected to RouterB.
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.181.20.0 0.0.0.255
network 10.181.10.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
interface GigabitEthernet 1/0/0
ip address 10.181.10.2 255.255.255.0
#
interface GigabitEthernet 2/0/0
ip address 10.184.10.1 255.255.255.0
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 10.181.10.0 0.0.0.255
network 10.184.10.0 0.0.0.255
#
return

Step 3 Configure RouterC.


#
interface GigabitEthernet 1/0/0
ip address 10.181.20.2 255.255.255.0
#
interface GigabitEthernet 2/0/0
ip address 10.184.10.2 255.255.255.0
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 10.184.10.0 0.0.0.255
network 10.181.20.0 0.0.0.255
network 10.0.0.0 0.0.0.255
#
return

Step 4 Verify the configuration.

# Run the tracert command on the device on 10.0.2.0/24 to check the path from 10.0.2.0/24
to 10.0.0.0/24. The traffic from 10.0.2.0/24 to 10.0.0.0/24 is redirected to RouterB.

----End

Configuration Notes
None.

8.10 Routing Policy

8.10.1 Example for Configuring a Route-Policy

Specifications
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 8-35, Departments A and B of the company are far from each other.
Router_1 and Router_6 function as egress devices of Departments A and B respectively.
Devices in AS 100 use Open Shortest Path First (OSPF) as an Interior Gateway Protocol
(IGP). The company has the following requirements:
- The Border Gateway Protocol (BGP) is deployed to enable Departments A and B to
  communicate.
- A route-policy is configured to make the link Router_2 <-> Router_3 <-> Router_4
  become the active link that forwards traffic between Router_1 and Router_6. When the
  active link is disconnected, traffic is automatically switched to the standby link Router_2
  <-> Router_5 <-> Router_4.

Figure 8-35 Networking diagram of configuring a route-policy

Device    Interface  IP Address
Router_1  GE2/0/1    10.20.0.1/24
Router_2  GE2/0/1    10.1.0.101/24
Router_2  GE2/0/2    10.30.0.101/24
Router_2  GE2/0/3    10.20.0.2/24
Router_3  GE2/0/1    10.1.0.102/24
Router_3  GE2/0/2    10.2.0.102/24
Router_4  GE2/0/1    10.2.0.101/24
Router_4  GE2/0/2    10.40.1.101/24
Router_4  GE2/0/3    10.50.0.2/24
Router_5  GE2/0/1    10.30.0.102/24
Router_5  GE2/0/2    10.40.1.102/24
Router_6  GE2/0/1    10.50.0.1/24

Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.20.0.1 255.255.255.0
#
bgp 200 //Enable BGP, set the local AS number to 200, and set the BGP router ID to 1.1.1.1.
router-id 1.1.1.1
peer 10.20.0.2 as-number 100 //Configure Router_1 and Router_2 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
network 10.20.0.0 255.255.255.0 //In the BGP IPv4 unicast address family view, add routes to the network segment 10.20.0.0/24 in the IP routing table to the BGP routing table.
peer 10.20.0.2 enable
#
return

Step 2 Configure Router_2.


#
sysname Router_2
#
acl number 2000 //Create ACL 2000 to permit packets with the source IP address 10.20.0.0/24.
rule 0 permit source 10.20.0.0 0.0.0.255
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.30.0.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.20.0.2 255.255.255.0
#
bgp 100 //Enable BGP, set the local AS number to 100, and set the BGP router ID to 2.2.2.2.
router-id 2.2.2.2
peer 10.2.0.101 as-number 100 //Configure Router_2 and Router_4 to set up an IBGP connection.
peer 10.40.1.101 as-number 100
peer 10.20.0.1 as-number 200 //Configure Router_2 and Router_1 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
preference 255 100 130 //Set the EBGP route priority to 255, IBGP route priority to 100, and local route priority to 130 to ensure that IBGP routes are preferred over OSPF routes.
peer 10.2.0.101 enable
peer 10.2.0.101 route-policy local-pre export //Set the route-policy used to advertise routes to the peer at 10.2.0.101 to local-pre.
peer 10.2.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.2.0.101.
peer 10.20.0.1 enable
peer 10.40.1.101 enable
peer 10.40.1.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.40.1.101.
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.30.0.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes learned from the peer at 10.20.0.1 to the peer at 10.2.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return

Step 3 Configure Router_3.


#
sysname Router_3
#
interface GigabitEthernet2/0/1
ip address 10.1.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.2.0.102 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.2.0.0 0.0.0.255
#
return

Step 4 Configure Router_4.


#
sysname Router_4
#
acl number 2000 //Create ACL 2000 to permit packets with the source IP address 10.50.0.0/24.
rule 0 permit source 10.50.0.0 0.0.0.255
#
interface GigabitEthernet2/0/1
ip address 10.2.0.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.50.0.2 255.255.255.0
#
bgp 100 //Enable BGP, set the local AS number to 100, and set the BGP router ID to 4.4.4.4.
router-id 4.4.4.4
peer 10.1.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
peer 10.50.0.1 as-number 300 //Configure Router_4 and Router_6 to set up an EBGP connection.
peer 10.30.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
#
ipv4-family unicast
undo synchronization
preference 255 100 130 //Set the EBGP route priority to 255, IBGP route priority to 100, and local route priority to 130 to ensure that IBGP routes are preferred over OSPF routes.
peer 10.1.0.101 enable
peer 10.1.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.1.0.101.
peer 10.1.0.101 route-policy local-pre export
peer 10.30.0.101 enable
peer 10.30.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.30.0.101.
peer 10.50.0.1 enable
#
ospf 1
import-route direct
area 0.0.0.0
network 10.2.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes learned from the peer at 10.50.0.1 to the peer at 10.1.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return

Step 5 Configure Router_5.


#
sysname Router_5
#
interface GigabitEthernet2/0/1
ip address 10.30.0.102 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.40.1.102 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.40.1.0 0.0.0.255
network 10.30.0.0 0.0.0.255
#
return

Step 6 Configure Router_6.


#
sysname Router_6
#
interface GigabitEthernet2/0/1
ip address 10.50.0.1 255.255.255.0
#
bgp 300 //Enable BGP, set the local AS number to 300, and set the BGP router ID to 6.6.6.6.
router-id 6.6.6.6
peer 10.50.0.2 as-number 100 //Configure Router_6 and Router_4 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
network 10.50.0.0 255.255.255.0 //In the BGP IPv4 unicast address family view, add routes to the network segment 10.50.0.0/24 in the IP routing table to the BGP routing table.
peer 10.50.0.2 enable
#
return

Step 7 Verify the configuration.


# Ping Router_6 from Router_1. The ping operation succeeds, indicating that Router_1 and
Router_6 can communicate.
# Run the display ip routing-table protocol bgp command on Router_2 to check the BGP
routing table. The BGP routing table contains two routes with the destination network
segment 10.50.0.0/24, with local priorities 100 and 200.
# Tracert Router_6 from Router_1. Packets are transmitted along the link Router_1 <->
Router_2 <-> Router_3 <-> Router_4 <-> Router_6.
# Check the BGP routing table of Router_2 after the active link is disconnected. The BGP
routing table contains only one route to 10.50.0.0/24.
# Tracert Router_6 from Router_1 again. Packets are transmitted along the link Router_1 <->
Router_2 <-> Router_5 <-> Router_4 <-> Router_6. This indicates that traffic has been
successfully switched from the active link to the standby link.

----End

9 Deploying IP Multicast

9.1 Example for Configuring IGMP to Enable User Host to Receive Multicast Video Information
9.2 Example for Configuring PIM-SM to Transmit Multicast Data on a Network
9.3 Example for Configuring a GRE Tunnel to Transmit Multicast Data over a Unicast Network
9.4 Example for Configuring IGMP Snooping Policies to Enable Users to Receive Data of Specified Multicast Groups
9.5 Example for Configuring Static Group Member Ports and Router Port to Implement Layer 2 Multicast

9.1 Example for Configuring IGMP to Enable User Host to Receive Multicast Video Information

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA connects to a multicast source through GE0/0/1 and connects to RouterB through
GE0/0/0. RouterB connects to RouterA through GE0/0/1, and connects to host A through
GE0/0/0. Host A needs to receive multicast data, so the multicast function needs to be
configured on the network.

Figure 9-1 IGMP networking diagram

Procedure
Step 1 Configure RouterA.
#
multicast routing-enable //Globally enable multicast routing.
#
interface GigabitEthernet0/0/0
ip address 10.0.4.1 255.255.255.0 //Assign an IP address to the interface connected to RouterB.
pim dm //Enable PIM-DM on the interface.
#
interface GigabitEthernet0/0/1
ip address 10.0.5.1 255.255.255.0 //Assign an IP address to the interface connected to the multicast source.
pim dm //Enable PIM-DM on the interface.
#
ip route-static 10.0.3.0 255.255.255.0 10.0.4.2 //Configure a route to the network segment of the receiver.
#

Step 2 Configure RouterB.


#
multicast routing-enable //Globally enable multicast routing.
#
interface GigabitEthernet0/0/0
ip address 10.0.3.1 255.255.255.0 //Assign an IP address to the interface connected to Host A.
igmp enable //Enable IGMP on the interface.
#
interface GigabitEthernet0/0/1
ip address 10.0.4.2 255.255.255.0 //Assign an IP address to the interface connected to RouterA.
pim dm //Enable PIM-DM on the interface.
#
ip route-static 10.0.5.0 255.255.255.0 10.0.4.1 //Configure a route to the multicast source. (The route is used for multicast RPF check.)
#

Step 3 Verify the configuration.


# Run the display igmp interface command to check the IGMP configuration and running
status on each interface of RouterB. If the IGMP state is Up, Host A can receive multicast
data.

----End

Configuration Notes
- Enable multicast globally on RouterA and RouterB.
- Ensure that there are reachable routes between the multicast source and multicast
  receivers. Enable PIM-DM on all router interfaces along the transmission path to ensure
  successful reverse path forwarding (RPF).
- Enable IGMP on the interfaces connected to multicast receivers.

9.2 Example for Configuring PIM-SM to Transmit Multicast Data on a Network

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA connects to a multicast source, and RouterB and RouterC connect to multicast
receivers. To enable multicast receivers to receive multicast data from the multicast source,
perform the following configuration: Enable PIM-SM on RouterA's interface connected to the
multicast source and the interfaces connecting RouterA, RouterB, and RouterC. Enable IGMP
on interfaces of RouterB and RouterC connected to multicast receivers.

Figure 9-2 PIM-SM networking diagram

Procedure
Step 1 Configure RouterA.
#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.0.6.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.0.4.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.0.3.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
ospf 1
area 0
network 10.0.3.0 0.0.0.255
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
#
pim
static-rp 10.0.3.1 //Configure Static RP
#

Step 2 Configure RouterB.


#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.0.2.1 255.255.255.0
pim sm //Enable PIM-SM on the interface connected to a multicast receiver.
igmp enable //Enable IGMP on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.0.3.2 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.0.5.2 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
ospf 1
area 0
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 10.0.5.0 0.0.0.255
#
pim
static-rp 10.0.3.1 //Configure Static RP
#

Step 3 Configure RouterC.


#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.0.1.1 255.255.255.0
pim sm //Enable PIM-SM on the interface connected to a multicast receiver.
igmp enable //Enable IGMP on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.0.4.2 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.0.5.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
ospf 1
area 0
network 10.0.1.0 0.0.0.255
network 10.0.4.0 0.0.0.255
network 10.0.5.0 0.0.0.255
#
pim
static-rp 10.0.3.1 //Configure Static RP
#

Step 4 Verify the configuration.

# Run the display pim interface command on each router to check the PIM configuration and
status. The PIM state is Up.
# Run the display pim routing-table command on each router to check the PIM multicast
routing table. The routing table contains a (10.0.6.2, 227.0.0.1) entry.

----End

Configuration Notes
- Enable IGMP on the interfaces connected to multicast receivers.
- To use a dynamic rendezvous point (RP), configure candidate bootstrap router (C-BSR)
  and candidate RP (C-RP) on the routers that may become an RP.
- To use a static RP, configure the same static RP on all the routers in the PIM-SM
  domain.
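
The static-RP note above can be checked mechanically. The Python audit below is an added example, not part of the Huawei guide: it parses configurations abridged from Steps 1 to 3 ('#' separates stanzas, '//' starts a comment) and reports routers whose static-rp is missing or differs. The check that the RP address sits on an audited PIM-SM interface is an extra sanity check assumed here.

```python
from typing import Dict, List, Optional


def parse_vrp(text: str) -> Dict[str, List[str]]:
    """Split a VRP configuration into {stanza header: [sub-commands]}."""
    stanzas: Dict[str, List[str]] = {}
    header: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop '//' comments
        if not line:
            continue
        if line == "#":                       # stanza separator
            header = None
        elif header is None:                  # first line after '#'
            header = line
            stanzas[header] = []
        else:
            stanzas[header].append(line)
    return stanzas


def audit_pim_sm(configs: Dict[str, str]) -> List[str]:
    """Return findings for the static-RP note; an empty list means consistent."""
    findings: List[str] = []
    static_rp: Dict[str, Optional[str]] = {}
    pim_sm_addrs = set()
    for name, text in configs.items():
        stanzas = parse_vrp(text)
        if "multicast routing-enable" not in stanzas:
            findings.append(f"{name}: multicast routing-enable is missing")
        rps = [c.split()[1] for c in stanzas.get("pim", []) if c.startswith("static-rp ")]
        static_rp[name] = rps[0] if rps else None
        for header, cmds in stanzas.items():
            if header.startswith("interface ") and "pim sm" in cmds:
                pim_sm_addrs.update(c.split()[2] for c in cmds if c.startswith("ip address "))
    for name, rp in static_rp.items():
        if rp is None:
            findings.append(f"{name}: no static-rp configured")
    distinct = {rp for rp in static_rp.values() if rp}
    if len(distinct) > 1:
        detail = ", ".join(f"{n}={rp}" for n, rp in sorted(static_rp.items()))
        findings.append(f"static-rp differs across the domain: {detail}")
    # Extra sanity check (assumption of this example, not a rule from the guide).
    for rp in sorted(distinct - pim_sm_addrs):
        findings.append(f"static-rp {rp} is not on any audited PIM-SM interface")
    return findings


# Abridged from Steps 1 to 3 on this page (OSPF stanzas omitted).
ROUTER_A = """\
#
multicast routing-enable
#
interface GigabitEthernet0/0/1
 ip address 10.0.6.1 255.255.255.0
 pim sm
#
interface GigabitEthernet1/0/0
 ip address 10.0.4.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.0.3.1 255.255.255.0
 pim sm  //Enable PIM-SM on the interface.
#
pim
 static-rp 10.0.3.1
#
"""
ROUTER_B = """\
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.0.3.2 255.255.255.0
 pim sm
#
pim
 static-rp 10.0.3.1
#
"""
ROUTER_C = """\
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.0.4.2 255.255.255.0
 pim sm
#
pim
 static-rp 10.0.3.1
#
"""
DOMAIN = {"RouterA": ROUTER_A, "RouterB": ROUTER_B, "RouterC": ROUTER_C}

if __name__ == "__main__":
    print(audit_pim_sm(DOMAIN) or "static RP is consistent")
    # Constructed misconfiguration: RouterC points at a different RP address.
    drifted = dict(DOMAIN, RouterC=ROUTER_C.replace("static-rp 10.0.3.1", "static-rp 10.0.4.1"))
    print(audit_pim_sm(drifted))
```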

9.3 Example for Configuring a GRE Tunnel to Transmit Multicast Data over a Unicast Network

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA connects to a multicast source, and RouterB connects to a multicast receiver.
RouterA and RouterB establish a Generic Routing Encapsulation (GRE) tunnel using
loopback interfaces. PIM-SM needs to be configured on the GRE tunnel interfaces so that
multicast data flows can be sent to the receiver through the GRE tunnel.

Figure 9-3 Multicast over GRE networking diagram

Procedure
Step 1 Configure RouterA.
#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface connected to the multicast source.
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet1/0/0
ip address 192.168.12.1 255.255.255.0
#
interface loopback0
ip address 10.10.1.1 255.255.255.255
#
interface tunnel0/0/1
tunnel-protocol gre //Set the tunnel encapsulation type to GRE.
ip address 192.168.1.1 255.255.255.0
source 10.10.1.1
destination 10.10.1.2
pim sm //Enable PIM-SM on the tunnel interface.
#
ospf 1
area 0
network 10.10.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
# //Configure a C-RP and C-BSR. (Use the IP address of the tunnel interface as the C-RP IP address.)
pim
c-bsr Tunnel0/0/1
c-rp Tunnel0/0/1
#

Step 2 Configure RouterB.


#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.2.1.1 255.255.255.0 //Assign an IP address to the interface connected to a multicast receiver.
pim sm //Enable PIM-SM on the interface.
igmp enable //Enable IGMP on the interface.
#
interface GigabitEthernet1/0/0
ip address 192.168.13.1 255.255.255.0
#
interface loopback0
ip address 10.10.1.2 255.255.255.255
#
interface tunnel0/0/1
tunnel-protocol gre //Set the tunnel encapsulation type to GRE.
ip address 192.168.1.2 255.255.255.0
source 10.10.1.2
destination 10.10.1.1
pim sm //Enable PIM-SM on the tunnel interface.
#
ospf 1
area 0
network 10.10.1.2 0.0.0.0
network 10.2.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#

Step 3 Verify the configuration.


# Run the display pim interface command on each router to check the PIM configuration and
status. The PIM state is Up.
# Run the display igmp group command on RouterB. The command output shows that the
receiver has joined the multicast group.
Interface group report information
GigabitEthernet0/0/1(10.2.1.1):
Total 1 IGMP Group reported
Group Address Last Reporter Uptime Expires
225.1.1.2 10.2.1.2 00:02:04 00:01:17

# Run the display pim routing-table command on each router to check the PIM multicast
routing table. The routing table contains a (10.1.1.1, 225.1.1.2) entry.
(10.1.1.1, 225.1.1.2)
RP: 192.168.1.1
Protocol: pim-sm, Flag: ACT
UpTime: 00:04:32
Upstream interface: Tunnel0/0/1
Upstream neighbor: 192.168.1.1
RPF prime neighbor: 192.168.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/0/1
Protocol: pim-sm, UpTime: 00:04:32, Expires: -

----End

Configuration Notes
● Establish a GRE tunnel between RouterA and RouterB using loopback interfaces, and
  enable PIM-SM on the GRE tunnel interfaces.
● Enable IGMP on the interface connected to the multicast receiver.
● When configuring the C-RP and C-BSR, use the tunnel interface IP address as the IP
  address of the C-RP and C-BSR.

9.4 Example for Configuring IGMP Snooping Policies to Enable Users to Receive Data of Specified Multicast Groups
Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 9-4, a user network (VLAN 10) connects to a Protocol Independent
Multicast (PIM) network through RouterB. The multicast source (Source) sends data to
multicast groups 225.1.1.1-225.1.1.5. In VLAN 10, receivers HostA, HostB, and HostC want
to receive only data sent to groups 225.1.1.1-225.1.1.3 and do not want data sent to 225.1.1.4
and 225.1.1.5. To meet this requirement, you need to enable Internet Group Management
Protocol (IGMP) snooping and configure a multicast group filter policy on RouterB.


Figure 9-4 Networking for configuring IGMP snooping and multicast group filter policy

Procedure
Step 1 Configure RouterB.
#
sysname RouterB //Configure the system name.
#
vlan batch 10 //Create VLAN 10.
#
igmp-snooping enable //Enable global IGMP snooping.
#
vlan 10 //Enable IGMP snooping in VLAN 10.
igmp-snooping enable
igmp-snooping group-policy 2000 //Apply multicast group filter policy 2000 in VLAN 10.
#
acl number 2000 //Configure multicast group filter policy 2000 to reject data sent to groups 225.1.1.4 and 225.1.1.5, and accept only data sent to groups 225.1.1.1-225.1.1.3.
rule 5 deny source 225.1.1.4 0
rule 10 deny source 225.1.1.5 0
rule 15 permit source 225.1.1.1 0
rule 20 permit source 225.1.1.2 0
rule 25 permit source 225.1.1.3 0
#
interface Ethernet2/0/1 //Add interface Eth2/0/1 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet2/0/2 //Add interface Eth2/0/2 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet2/0/3 //Add interface Eth2/0/3 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

Step 2 Verify the configuration.


# Run the display igmp-snooping port-info command on RouterB to view information about
group member ports. You can see that RouterB has dynamically bound multicast groups
225.1.1.1-225.1.1.3 to member ports Eth2/0/1 and Eth2/0/2.
# Run the display l2-multicast forwarding-table vlan 10 command on RouterB to view the
IGMP snooping forwarding table in VLAN 10. The forwarding table contains only entries of
groups 225.1.1.1-225.1.1.3. Multicast data of 225.1.1.4 to 225.1.1.5 will not be forwarded to
the receiver hosts.

----End

Configuration Notes
● Interfaces Eth2/0/1, Eth2/0/2, and Eth2/0/3 of RouterB must be added to VLAN 10.
● IGMP snooping must be enabled globally and in VLAN 10.

9.5 Example for Configuring Static Group Member Ports and Router Port to Implement Layer 2 Multicast
Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 9-5, RouterA connects to a user network (VLAN 10) through a Layer 2
device RouterB. The user-side Layer 3 VLANIF interface of RouterA has static Internet
Group Management Protocol (IGMP) groups 225.1.1.1-225.1.1.5 configured and does not run
the IGMP protocol. There are four receivers on the user network: HostA, HostB, HostC, and
HostD. HostA and HostB want to receive data of multicast groups 225.1.1.1-225.1.1.3 for a
long time, whereas HostC and HostD want to receive data of multicast groups
225.1.1.4-225.1.1.5 for a long time.


Figure 9-5 Networking for Layer 2 multicast implementation based on static group member
ports and router port

Procedure
Step 1 Configure RouterB.
#
sysname RouterB //Configure the system name.
#
vlan batch 10 //Create VLAN 10.
#
igmp-snooping enable //Enable global IGMP snooping.
#
vlan 10 //Enable IGMP snooping in VLAN 10.
igmp-snooping enable
#
interface Ethernet2/0/1 //Add interface Eth2/0/1 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
l2-multicast static-group group-address 225.1.1.1 to 225.1.1.3 vlan 10 //Statically bind groups 225.1.1.1-225.1.1.3 to Eth2/0/1.
#
interface Ethernet2/0/2 //Add interface Eth2/0/2 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
l2-multicast static-group group-address 225.1.1.4 to 225.1.1.5 vlan 10 //Statically bind groups 225.1.1.4 and 225.1.1.5 to Eth2/0/2.
#
interface Ethernet2/0/3 //Add interface Eth2/0/3 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
igmp-snooping static-router-port vlan 10 //Configure Eth2/0/3 as a static router port.
#
return


Step 2 Verify the configuration.


# Run the display igmp-snooping router-port command on RouterB to view router port
information in VLAN 10. You can see that Eth2/0/3 has become a static router port.
# Run the display igmp-snooping port-info command on RouterB to view information about
group member ports. You can see that multicast groups 225.1.1.1-225.1.1.3 have static
member port Eth2/0/1, and multicast groups 225.1.1.4-225.1.1.5 have static member port
Eth2/0/2.
# Run the display l2-multicast forwarding-table vlan 10 command on RouterB to view the
IGMP snooping forwarding table in VLAN 10. You can see that RouterB has generated
forwarding entries for groups 225.1.1.1-225.1.1.5.

----End

Configuration Notes
● Interfaces Eth2/0/1, Eth2/0/2, and Eth2/0/3 of RouterB must be added to VLAN 10.
● IGMP snooping must be enabled globally and in VLAN 10.


10 Deploying MPLS

10.1 Example for Configuring the MPLS Local Session Function on Backbone Devices to
Forward Data on the MPLS Network
10.2 Example for Configuring the MPLS Remote Session Function on Backbone Devices to
Forward VPN Data on the MPLS Network
10.3 Example for Configuring Static LSP to Implement Communication Between the
Headquarters and Branch
10.4 Example for Configuring LDP LSP to Implement Communication Between the
Headquarters and Branch
10.5 Example for Configuring MPLS TE to Implement Communication Between the
Headquarters and Branch

10.1 Example for Configuring the MPLS Local Session Function on Backbone Devices to Forward Data on the MPLS Network
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 10-1, LSRA, LSRB, and LSRC are core devices on the MPLS network.
Data traffic is transmitted over the PE on the MPLS network. To forward data flows in the
MPLS domain, configure local LDP sessions on LSRA, LSRB, and LSRC to swap labels and
establish LDP LSPs.
IP addresses of LSRA, LSRB, and LSRC are planned, as shown in Figure 10-1.


Figure 10-1 Networking diagram for configuring local LDP sessions

Procedure
Step 1 Configure LSRA.
#
sysname LSRA
#
mpls lsr-id 1.1.1.9 //Configure the IP address of Loopback1 as the LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
mpls //Enable MPLS on the interface.
mpls ldp //Enable MPLS LDP on the interface.
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#

Step 2 Configure LSRB.


#
sysname LSRB
#
mpls lsr-id 2.2.2.9 //Configure the IP address of Loopback1 as the LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.252
mpls //Enable MPLS on the interface.
mpls ldp //Enable MPLS LDP on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.252
mpls //Enable MPLS on the interface.
mpls ldp //Enable MPLS LDP on the interface.
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#


Step 3 Configure LSRC.


#
sysname LSRC
#
mpls lsr-id 3.3.3.9 //Configure the IP address of Loopback1 as the LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.252
mpls //Enable MPLS on the interface.
mpls ldp //Enable MPLS LDP on the interface.
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.3
#

Step 4 Verify the configuration.


# After the configuration, run the display mpls ldp session command. You can see that the
status of local LDP sessions between LSRA and LSRB and between LSRB and LSRC is
Operational.

----End

Configuration Notes
● You must configure LSR IDs before running MPLS commands.

10.2 Example for Configuring the MPLS Remote Session Function on Backbone Devices to Forward VPN Data on the MPLS Network
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 10-2, LSRA and LSRC are deployed at the border of the backbone
network. To deploy VPN services on the network and establish LDP LSPs between VPNs,
you need to establish a remote LDP session between LSRA and LSRC to transmit VPN
services.
IP addresses of LSRA, LSRB, and LSRC are planned, as shown in Figure 10-2.


Figure 10-2 Networking diagram for remote LDP session configuration

Procedure
Step 1 Configure LSRA.
#
sysname LSRA
#
mpls lsr-id 1.1.1.9 //Set the LSR ID to the IP address of Loopback1.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer LSRC //Set the remote peer for LSRA to LSRC.
remote-ip 3.3.3.9 //Specify the IP address of the remote peer.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1 //Configure OSPF to ensure that LSRA can communicate with other routers on the network.
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#

Step 2 Configure LSRB.


#
sysname LSRB
#
mpls lsr-id 2.2.2.9 //Set the LSR ID to the IP address of Loopback1.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 //Configure OSPF to ensure that LSRB can communicate with other routers on the network.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#

Step 3 Configure LSRC.


#
sysname LSRC
#
mpls lsr-id 3.3.3.9 //Set the LSR ID to the IP address of Loopback1.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer LSRA //Set the remote peer for LSRC to LSRA.
remote-ip 1.1.1.9 //Specify the IP address of the remote peer.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1 //Configure OSPF to ensure that LSRC can communicate with other routers on the network.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.3
#

Step 4 Verify the configuration.


# After completing the configuration, run the display mpls ldp session command on the
LSRs. The command output shows that the local LDP session between LSRA and LSRB and
the local LDP session between LSRB and LSRC are both in the Operational state. The command
output also shows that the remote LDP session between LSRA and LSRC is in the
Operational state.
# Run the display mpls ldp remote-peer command on LSRA and LSRC. Information about
the remote peer of each LSR is displayed.
----End

Configuration Notes
● You must configure LSR IDs before running MPLS commands.

10.3 Example for Configuring Static LSP to Implement Communication Between the Headquarters and Branch
Applicability
This example applies to all AR models of V200R002C00 and later versions. It does not apply
to the AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 10-3, LSR_1, LSR_2, and LSR_3 are devices on the Multiprotocol Label
Switching (MPLS) backbone network. It is required that a static label switched path (LSP)
tunnel be established between the headquarters and branch to transmit packets over the MPLS
network.

Figure 10-3 Configuring static LSP to implement communication between the headquarters
and branch

Procedure
Step 1 Configure LSR_1.
#
sysname LSR_1
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
mpls //Enable MPLS on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
ospf 1 //Configure routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
static-lsp ingress LSP1 destination 10.4.1.0 24 nexthop 10.1.1.2 out-label 20 //Configure this node as the ingress of LSP1.
static-lsp egress LSP2 incoming-interface GigabitEthernet1/0/0 in-label 60 //Configure this node as the egress of LSP2.
#
return

Step 2 Configure LSR_2.


#
sysname LSR_2
#
mpls lsr-id 10.10.1.2
mpls
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 10.10.1.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.10.1.2 0.0.0.0
#
static-lsp transit LSP1 incoming-interface GigabitEthernet1/0/0 in-label 20 nexthop 10.2.1.2 out-label 40 //Configure this node as the transit node of LSP1.
static-lsp transit LSP2 incoming-interface GigabitEthernet2/0/0 in-label 30 nexthop 10.1.1.1 out-label 60 //Configure this node as the transit node of LSP2.
#
return

Step 3 Configure LSR_3.


#
sysname LSR_3
#
mpls lsr-id 10.10.1.3
mpls
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 10.10.1.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.10.1.3 0.0.0.0
#
static-lsp ingress LSP2 destination 10.3.1.0 24 nexthop 10.2.1.1 out-label 30 //Configure this node as the ingress of LSP2.
static-lsp egress LSP1 incoming-interface GigabitEthernet1/0/0 in-label 40 //Configure this node as the egress of LSP1.
#
return

Step 4 Verify the configuration.


Run the display mpls static-lsp command on each LSR. You can find that the LSP status is
Up.
Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
● Follow this principle when you configure a static LSP: The outgoing label on the
  previous node is equal to the incoming label on its next hop.
● When you configure a static LSP, the static LSP route must match routing information
  exactly.
  – If you specify the next hop when configuring a static LSP, you must also specify the
    next hop when configuring the static IP route matching the LSP. Otherwise, the
    static LSP cannot be set up.
  – If a dynamic routing protocol is used between LSRs, the IP address of the next hop
    along the LSP must be the same as the IP address of the next hop in the routing
    table.
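
The label rule in the first note can be checked offline before the configuration is loaded. The following Python script is an added example, not part of the Huawei document: it walks each static LSP hop by hop through the static-lsp and interface lines of Steps 1-3 and reports any hop whose in-label or incoming interface does not match the upstream node. The names parse and check_lsp are hypothetical helpers.

```python
import re

# Interface addresses and static-lsp lines copied from Steps 1-3 above.
CONFIGS = {
    "LSR_1": """
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
static-lsp ingress LSP1 destination 10.4.1.0 24 nexthop 10.1.1.2 out-label 20
static-lsp egress LSP2 incoming-interface GigabitEthernet1/0/0 in-label 60
""",
    "LSR_2": """
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet2/0/0
 ip address 10.2.1.1 255.255.255.0
static-lsp transit LSP1 incoming-interface GigabitEthernet1/0/0 in-label 20 nexthop 10.2.1.2 out-label 40
static-lsp transit LSP2 incoming-interface GigabitEthernet2/0/0 in-label 30 nexthop 10.1.1.1 out-label 60
""",
    "LSR_3": """
interface GigabitEthernet1/0/0
 ip address 10.2.1.2 255.255.255.0
static-lsp ingress LSP2 destination 10.3.1.0 24 nexthop 10.2.1.1 out-label 30
static-lsp egress LSP1 incoming-interface GigabitEthernet1/0/0 in-label 40
""",
}

IFACE_RE = re.compile(r"^interface (\S+)$")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) ")
LSP_RE = re.compile(
    r"^static-lsp (ingress|transit|egress) (\S+)"
    r"(?: destination \S+ \d+)?"
    r"(?: incoming-interface (\S+) in-label (\d+))?"
    r"(?: nexthop (\S+) out-label (\d+))?$"
)


def parse(configs):
    """Return (owner, entries): interface IP -> (node, ifname); (node, lsp) -> entry."""
    owner, entries = {}, {}
    for node, text in configs.items():
        iface = None
        for raw in text.splitlines():
            line = raw.split("//")[0].strip()  # drop trailing //comments
            if m := IFACE_RE.match(line):
                iface = m.group(1)
            elif (m := ADDR_RE.match(line)) and iface:
                owner[m.group(1)] = (node, iface)
            elif m := LSP_RE.match(line):
                role, name, in_if, in_label, nexthop, out_label = m.groups()
                entries[(node, name)] = {
                    "role": role, "in_if": in_if, "nexthop": nexthop,
                    "in_label": int(in_label) if in_label else None,
                    "out_label": int(out_label) if out_label else None,
                }
    return owner, entries


def check_lsp(name, owner, entries):
    """Walk one LSP from ingress to egress; return a list of problems (empty = consistent)."""
    starts = [n for (n, lsp), e in entries.items() if lsp == name and e["role"] == "ingress"]
    if len(starts) != 1:
        return [f"{name}: expected exactly one ingress, found {len(starts)}"]
    node, problems, seen = starts[0], [], set()
    while True:
        if node in seen:
            return problems + [f"{name}: forwarding loop at {node}"]
        seen.add(node)
        cur = entries[(node, name)]
        if cur["role"] == "egress":
            return problems
        hop = owner.get(cur["nexthop"])
        if hop is None:
            return problems + [f"{name}: {node} nexthop {cur['nexthop']} is not a known interface"]
        nxt_node, nxt_if = hop
        nxt = entries.get((nxt_node, name))
        if nxt is None or nxt["role"] == "ingress":
            return problems + [f"{name}: {nxt_node} has no transit or egress entry"]
        if nxt["in_if"] != nxt_if:
            problems.append(f"{name}: {nxt_node} expects traffic on {nxt['in_if']}, "
                            f"but {node} sends to {nxt_if}")
        if nxt["in_label"] != cur["out_label"]:
            problems.append(f"{name}: {node} out-label {cur['out_label']} != "
                            f"{nxt_node} in-label {nxt['in_label']}")
        node = nxt_node


if __name__ == "__main__":
    owner, entries = parse(CONFIGS)
    for lsp in sorted({name for _node, name in entries}):
        print(lsp, check_lsp(lsp, owner, entries) or "consistent")
```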

10.4 Example for Configuring LDP LSP to Implement Communication Between the Headquarters and Branch
Applicability
This example applies to all AR models of V200R002C00 and later versions. It does not apply
to the AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 10-4, the PE and P devices are located on the MPLS backbone network,
and there are reachable routers between PE_1 and PE_2.
The enterprise requires that traffic between the headquarters and branch be forwarded through
the MPLS network, and that traffic be switched quickly to the secondary LSP to minimize traffic
loss if the primary LSP fails. In addition, to reduce the number of LSPs and ensure device
performance, only the routing entries with the destination addresses 10.10.1.x/32, 10.6.1.0/24,
and 10.7.1.0/24 on all the devices can trigger LSP establishment.


Figure 10-4 Configuring LDP LSP to implement communication between the headquarters
and branch

Procedure
Step 1 Configure PE_1.
#
sysname PE_1
#
bfd //Enable BFD globally.
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
lsp-trigger ip-prefix pe1 //Trigger the establishment of LSPs based on the IP prefix list.
mpls bfd enable //Enable BFD.
mpls bfd-trigger fec-list tortc //Trigger LDP BFD sessions in the FEC list mode.
mpls bfd min-tx-interval 100 min-rx-interval 100
#
fec-list tortc //Create an FEC list.
fec-node 10.10.1.2
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.6.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
ip ip-prefix pe1 index 10 permit 10.10.1.1 32 //Create an IP prefix list.
ip ip-prefix pe1 index 20 permit 10.10.1.2 32
ip ip-prefix pe1 index 30 permit 10.10.1.3 32
ip ip-prefix pe1 index 40 permit 10.10.1.4 32
ip ip-prefix pe1 index 50 permit 10.10.1.5 32
ip ip-prefix pe1 index 60 permit 10.6.1.0 24
ip ip-prefix pe1 index 70 permit 10.7.1.0 24
#
return

Step 2 Configure P_1.


#
sysname P_1
#
mpls lsr-id 10.10.1.3 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.3 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.10.1.3 0.0.0.0
#
return

Step 3 Configure P_2.


#
sysname P_2
#
mpls lsr-id 10.10.1.4 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.4.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.4 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.10.1.4 0.0.0.0
#
return

Step 4 Configure P_3.


#
sysname P_3
#
mpls lsr-id 10.10.1.5 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.4.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.5.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.5 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.10.1.5 0.0.0.0
#
return

Step 5 Configure PE_2.


#
sysname PE_2
#
bfd //Enable BFD globally.
mpls-passive //Enable the egress node of an LSP to passively create a BFD session.
#
mpls lsr-id 10.10.1.2 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
lsp-trigger ip-prefix pe2 //Trigger the establishment of LSPs based on the IP prefix list.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.5.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.7.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.2 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.1.2 0.0.0.0
#
ip ip-prefix pe2 index 10 permit 10.10.1.1 32 //Create an IP prefix list.
ip ip-prefix pe2 index 20 permit 10.10.1.2 32
ip ip-prefix pe2 index 30 permit 10.10.1.3 32
ip ip-prefix pe2 index 40 permit 10.10.1.4 32
ip ip-prefix pe2 index 50 permit 10.10.1.5 32
ip ip-prefix pe2 index 60 permit 10.6.1.0 24
ip ip-prefix pe2 index 70 permit 10.7.1.0 24
#
return

Step 6 Verify the configuration.

# Run the display mpls ldp lsp command on each LSR. You can find that an LSP to the
destination address has been established. Connect Port1 and Port2 of the same tester to PE_1
and PE_2 respectively, and send MPLS traffic from Port1 to Port2. Shut down GE1/0/0 on
P_1 to simulate a failure of the primary LSP. You can find that traffic is switched to the
secondary LSP quickly.

# Users in the enterprise headquarters and branch can ping each other.

----End

Configuration Notes
● You must configure LSR IDs before running MPLS commands.
● MPLS establishes LSPs based on routes; therefore, you must ensure the route
  reachability.
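
To see which routes the pe1 prefix list from Step 1 allows to trigger LSP establishment, the list can be evaluated against the networks that OSPF advertises in this example. The following Python script is an added example, not part of the Huawei document. It assumes the usual ip ip-prefix semantics: entries are tried in index order, an entry without greater-equal or less-equal matches only its exact mask length, and a route that matches no entry is denied. The ROUTES list is constructed from the OSPF network statements above, and the function names are hypothetical.

```python
import ipaddress
import re

# Prefix list copied from the PE_1 configuration in Step 1.
PE1_PREFIX_LIST = """
ip ip-prefix pe1 index 10 permit 10.10.1.1 32 //Create an IP prefix list.
ip ip-prefix pe1 index 20 permit 10.10.1.2 32
ip ip-prefix pe1 index 30 permit 10.10.1.3 32
ip ip-prefix pe1 index 40 permit 10.10.1.4 32
ip ip-prefix pe1 index 50 permit 10.10.1.5 32
ip ip-prefix pe1 index 60 permit 10.6.1.0 24
ip ip-prefix pe1 index 70 permit 10.7.1.0 24
"""

# Constructed sample: every network advertised by an OSPF statement in Steps 1-5.
ROUTES = [
    "10.1.1.0/24", "10.2.1.0/24", "10.3.1.0/24", "10.4.1.0/24", "10.5.1.0/24",
    "10.6.1.0/24", "10.7.1.0/24",
    "10.10.1.1/32", "10.10.1.2/32", "10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32",
]

ENTRY_RE = re.compile(
    r"^ip ip-prefix (\S+) index (\d+) (permit|deny) (\S+) (\d+)"
    r"(?: greater-equal (\d+))?(?: less-equal (\d+))?$"
)


def parse_prefix_list(text):
    """Return entries as (index, action, network, min_len, max_len), sorted by index."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.split("//")[0].strip())
        if not m:
            continue
        _name, index, action, addr, length, ge, le = m.groups()
        length = int(length)
        # Assumed semantics: no ge/le -> exact length; ge only -> ge..32; le only -> length..le.
        min_len = int(ge) if ge else length
        max_len = int(le) if le else (32 if ge else length)
        network = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        entries.append((int(index), action, network, min_len, max_len))
    return sorted(entries, key=lambda e: e[0])


def triggers_lsp(route, entries):
    """First matching entry decides; a route that matches nothing is denied."""
    net = ipaddress.ip_network(route)
    for _index, action, prefix, min_len, max_len in entries:
        if min_len <= net.prefixlen <= max_len and net.subnet_of(prefix):
            return action == "permit"
    return False


def lsp_triggering_routes(routes, entries):
    """Return the subset of routes for which LDP would set up an LSP."""
    return [r for r in routes if triggers_lsp(r, entries)]


if __name__ == "__main__":
    entries = parse_prefix_list(PE1_PREFIX_LIST)
    for route in ROUTES:
        print(f"{route:15} {'LSP' if triggers_lsp(route, entries) else 'no LSP'}")
```

The transit link subnets 10.1.1.0/24 through 10.5.1.0/24 are denied, so no LSPs are built toward them, which is the reduction the networking requirements ask for.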

10.5 Example for Configuring MPLS TE to Implement Communication Between the Headquarters and Branch
Applicability
This example applies to all AR models of V200R002C01 and later versions. It does not apply
to the AR120&AR150&AR160&AR200 series routers.

Networking Requirements
As shown in Figure 10-5, the enterprise headquarters and branch are connected over an
MPLS network. The enterprise wants to create an explicit path
LSR_1→LSR_2→LSR_3→LSR_4 as the primary tunnel. The enterprise also wants to
configure traffic engineering fast reroute (TE FRR) to create a bypass tunnel with the path
LSR_2→LSR_5→LSR_3 on the transit node LSR_2 and an ordinary backup CR-LSP with
the path LSR_1→LSR_6→LSR_3→LSR_4 on the ingress node LSR_1.
After the link between LSR_2 and LSR_3 becomes faulty (the primary CR-LSP is in FRR-in-use
state), the system starts the TE FRR bypass tunnel and attempts to restore the primary
CR-LSP. At the same time, the system attempts to set up the secondary CR-LSP.

Figure 10-5 Configuring MPLS TE to implement communication between the headquarters
and branch

Procedure
Step 1 Configure LSR_1.
#
sysname LSR_1
#
bfd //Enable BFD.
#
mpls lsr-id 10.10.1.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path backup-path //Configure an explicit path for the secondary CR-LSP.
next hop 10.6.1.2
next hop 10.7.1.2
next hop 10.3.1.2
next hop 10.10.4.9
#
explicit-path pri-path //Configure an explicit path for the primary CR-LSP.
next hop 10.1.1.2
next hop 10.2.1.2
next hop 10.3.1.2
next hop 10.10.4.9
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.6.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
interface Tunnel0/0/1 //Configure an MPLS TE tunnel interface for the primary CR-LSP.
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 10.10.4.9
mpls te tunnel-id 100
mpls te bfd enable //Enable dynamic BFD for CR-LSP.
mpls te bfd min-tx-interval 500 min-rx-interval 500
mpls te record-route label
mpls te path explicit-path pri-path
mpls te path explicit-path backup-path secondary
mpls te fast-reroute //Enable TE FRR.
mpls te backup ordinary
mpls te backup frr-in-use
mpls te commit
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
network 10.10.1.9 0.0.0.0
mpls-te enable
#
return

Step 2 Configure LSR_2.


#
sysname LSR_2
#
mpls lsr-id 10.10.2.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path by-path //Configure an explicit path for the bypass CR-LSP.
next hop 10.4.1.2
next hop 10.5.1.2
next hop 10.10.3.9
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet3/0/0
ip address 10.4.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.2.9 255.255.255.255
#
interface Tunnel0/0/2 //Configure a tunnel interface for the bypass CR-LSP.
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 10.10.3.9
mpls te tunnel-id 300
mpls te record-route
mpls te path explicit-path by-path
mpls te bypass-tunnel
mpls te protected-interface GigabitEthernet2/0/0
mpls te commit
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.10.2.9 0.0.0.0
mpls-te enable
#
return

Step 3 Configure LSR_3.


#
sysname LSR_3
#
bfd //Enable the egress node of an LSP to passively create a BFD session.
mpls-passive
#
mpls lsr-id 10.10.3.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet3/0/0
ip address 10.5.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet4/0/0
ip address 10.7.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.3.9 255.255.255.255
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.3.9 0.0.0.0
mpls-te enable
#
return

Step 4 Configure LSR_4.


#
sysname LSR_4
#
mpls lsr-id 10.10.4.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.3.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.4.9 255.255.255.255
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.10.4.9 0.0.0.0
mpls-te enable
#
return

Step 5 Configure LSR_5.


#
sysname LSR_5
#
mpls lsr-id 10.10.5.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.4.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.5.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.5.9 255.255.255.255
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.10.5.9 0.0.0.0
mpls-te enable
#
return

Step 6 Configure LSR_6.


#
sysname LSR_6
#
mpls lsr-id 10.10.6.9
mpls //Enable MPLS TE.
mpls te
mpls rsvp-te
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.6.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.7.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.6.9 255.255.255.255
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.6.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.6.9 0.0.0.0
mpls-te enable
#
return

Step 7 Verify the configuration.

# After shutting down GE2/0/0 of LSR_2, run the display mpls te tunnel-interface
command on LSR_1. You can find that the tunnel status is Up, indicating that the primary
tunnel is in the FRR in-use state and the ordinary secondary CR-LSP is being set up. When
the primary CR-LSP is faulty, the system starts the TE FRR bypass tunnel and attempts to
restore the primary CR-LSP. At the same time, the system attempts to set up a secondary
CR-LSP.

----End

Configuration Notes
l When Resource Reservation Protocol-Traffic Engineering (RSVP-TE) is used to
dynamically establish CR-LSPs, TE extension for Interior Gateway Protocol (IGP) must
be configured. Currently, Open Shortest Path First-Traffic Engineering (OSPF TE) and
Intermediate System to Intermediate System Traffic Engineering (ISIS TE) are
supported. If IGP TE is not configured, paths are calculated based on IGP routes but not
using CSPF.
l Only the MPLS TE tunnel established using the RSVP-TE signaling protocol supports
FRR.
l One tunnel interface cannot be the end point of both the bypass tunnel and secondary
tunnel simultaneously.

• One tunnel interface cannot be the end point of both the bypass tunnel and primary
  tunnel simultaneously.
• Bypass tunnels are established on selected links or nodes that are not on the protected
  primary tunnel. If a link or node on the protected primary tunnel is used for a bypass
  tunnel and fails, the bypass tunnel also fails to protect the primary tunnel.


11 Deploying WLAN AP

11.1 Example for Configuring Wireless User Access to a WLAN
11.2 Example for Configuring WEP Open System Authentication and WEP Encryption
11.3 Example for Configuring 802.1x+PEAP+TKIP (V200R003 and V200R005)
11.4 Example for Configuring 802.1x+TKIP (V200R006 and V200R007)
11.5 Example for Configuring 802.1x+PEAP+CCMP (V200R003 and V200R005)
11.6 Example for Configuring 802.1x+CCMP (V200R006 and V200R007)
11.7 Example for Configuring PSK Authentication and TKIP Encryption
11.8 Example for Configuring PSK Authentication and CCMP Encryption
11.9 Example for Configuring WAPI Authentication
11.10 Example for Configuring a WLAN QoS Policy

11.1 Example for Configuring Wireless User Access to a WLAN
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-1, an enterprise provides the WLAN service for users. The device
functions as a Fat AP, serves as a DHCP server to allocate IP addresses to users, and provides
wireless network access service using NAT.

NAT is configured on GigabitEthernet1/0/0. The public address of AR GigabitEthernet1/0/0 is
1.1.1.1/24 and the address of the carrier device interface connected to the AR is 1.1.1.2/24.

Figure 11-1 Networking diagram of WLAN service configurations

Procedure
Step 1 Configure the Router.
#
dhcp enable
#
vlan batch 100
#
dot1x enable //Enable 802.1X. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif100
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Wlan-Bss1 //Configure the WLAN-BSS interface.
port hybrid tagged vlan 100
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain the default parameter settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure the WPA2 security policy.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Set the data encryption mode to CCMP.
service-set name huawei id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to WLAN-BSS 1.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio interface to the radio profile.
service-set id 0 wlan 1 //Bind the radio interface to the service set.
#
acl number 2000 //Configure ACL 2000.
rule 1 permit source 192.168.0.0 0.0.0.255 //Configure rule 1 to permit packets with source IP addresses in 192.168.0.0/24.
#
nat address-group 1 1.1.1.100 1.1.1.200 //Configure a public address pool.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0 //Configure a public IP address.
nat outbound 2000 address-group 1 //Bind the ACL to the address pool.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#

Step 2 Verify the configuration.

The WLAN with the SSID huawei is available for STAs connected to the AP, and these STAs
can connect to the WLAN.

Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of a Router is CN. You can change it based on actual
  networking.
• After a WMM profile is created, parameters in the profile use default values.
• After a traffic profile is created, parameters in the profile use default values.
• After a security profile is created, you can select the security policy based on actual
  networking. The security policy mode can be WEP, WPA, WPA2, or WAPI.

11.2 Example for Configuring WEP Open System Authentication and WEP Encryption
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-2, the device functions as the Fat AP to provide WLAN services and
uses WEP open system authentication and WEP encryption. The WLAN with the SSID
huawei is available for STAs connected to the AR.

Figure 11-2 Networking of WEP open system authentication and WEP encryption


Procedure
Step 1 Configure the router.
#
vlan 10
#
dhcp enable //Enable DHCP.
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 10.
#
interface Wlan-Bss0 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 10
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WEP open system authentication and WEP-40 encryption.
security-policy wep //Set the security policy to WEP.
wep authentication-method open-system data-encrypt //Use open system authentication and encrypt data with WEP.
wep key wep-40 pass-phrase 0 cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# //Configure WEP-40 encryption. Only later versions of ARV200R002C01 support cipher.
wep default-key 0 //Set the default key ID for WEP encryption.
service-set name service-set id 0 //Create a service set.
Wlan-Bss 0 //Bind the service set to the WLAN-BSS 0 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. Users can
use WLAN services with the WEP shared key.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.


11.3 Example for Configuring 802.1x+PEAP+TKIP (V200R003 and V200R005)
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-3, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+TKIP. The WLAN with the SSID huawei is available for STAs
connected to the device.

Figure 11-3 Networking of 802.1x+PEAP+TKIP

Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number for the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number for the RADIUS accounting server.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+PEAP+TKIP.
security-policy wpa
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.
# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.
• Ensure that there are reachable routes from the router to the RADIUS server.
• The RADIUS server needs to be configured.
• For security-3, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.

• When the security policy is set to WPA2, the default authentication mode is
  802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.

11.4 Example for Configuring 802.1x+TKIP (V200R006 and V200R007)
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-4, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.

NOTE

In V200R006 and later versions, the router does not support PEAP authentication.

Figure 11-4 Networking of 802.1x+TKIP

Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number for the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number for the RADIUS accounting server.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+TKIP.
security-policy wpa
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.

• Ensure that there are reachable routes from the router to the RADIUS server.
• The RADIUS server needs to be configured.
• For security-3, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
• When the security policy is set to WPA2, the default authentication mode is
  802.1x+CCMP. This default configuration is not provided in the configuration file.

11.5 Example for Configuring 802.1x+PEAP+CCMP (V200R003 and V200R005)
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-5, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+CCMP. The WLAN with the SSID huawei is available for STAs
connected to the device.

Figure 11-5 Networking of 802.1x+PEAP+CCMP

Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable //Enable DHCP.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number for the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number for the RADIUS accounting server.
radius-server shared-key simple huawei //Configure the shared key. The AR and RADIUS server must use the same shared key.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+PEAP+CCMP.
security-policy wpa2
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End


Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.
• Ensure that there are reachable routes from the router to the RADIUS server.
• The RADIUS server needs to be configured.
• For security, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
• When the security policy is set to WPA2, the default authentication mode is
  802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.
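
The following Python script is an added example, not part of the Huawei document. It audits a configuration written in the style of sections 11.2 to 11.5 and reports service sets whose security profile still uses WEP or TKIP, and RADIUS server templates whose shared key is stored with the simple (plaintext) keyword. The sample configuration, its names and SSIDs, and the severity labels are constructed for illustration.

```python
import re

# Cipher implied by a bare security-policy line, following sections 11.3 to 11.6
# above ("security-policy wpa" for TKIP, "security-policy wpa2" for CCMP).
POLICY_DEFAULT_CIPHER = {"wep": "wep", "wpa": "tkip", "wpa2": "ccmp"}

# Constructed sample in the style of the page; names, SSIDs and the key placeholder are invented.
SAMPLE_CONFIG = """\
#
radius-server template peap.radius.com
radius-server shared-key simple huawei //Plaintext shared key, as in 11.5.
#
wlan
security-profile name sec-wep id 1
security-policy wep
wep authentication-method open-system data-encrypt
security-profile name sec-wpa id 2 //Bare WPA policy, as in 11.3 and 11.4.
security-policy wpa
security-profile name sec-psk id 3
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %^%#CONSTRUCTED%^%# encryption-method ccmp
service-set name ss-1 id 0
Wlan-Bss 1
ssid guest
traffic-profile id 1
security-profile id 1
service-set name ss-2 id 1
ssid staff
security-profile id 2
service-set name ss-3 id 2
ssid lab
security-profile id 3
radio-profile name radio-1 id 1
wmm-profile id 1
#
"""


def parse(config):
    """Return (profiles by id, service sets, RADIUS templates with a plaintext key)."""
    profiles, service_sets, plaintext_templates = {}, [], []
    profile = service_set = template = None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the //comments used on the page
        if not line:
            continue
        if line == "#":  # "#" closes the current view
            profile = service_set = template = None
        elif m := re.fullmatch(r"security-profile name (\S+) id (\d+)", line):
            profile = profiles.setdefault(m[2], {"name": m[1], "policy": "", "cipher": ""})
            service_set = None
        elif m := re.fullmatch(r"service-set name (\S+) id (\d+)", line):
            profile, service_set = None, {"ssid": None, "profile_id": None}
            service_sets.append(service_set)
        elif re.match(r"(wmm|traffic|radio)-profile name ", line):
            profile = service_set = None  # another WLAN profile view starts
        elif m := re.fullmatch(r"radius-server template (\S+)", line):
            template = m[1]
        elif profile is not None:
            if m := re.fullmatch(r"security-policy (\S+)", line):
                profile["policy"] = m[1]
            elif m := re.search(r"\bencryption-method (\S+)", line):
                profile["cipher"] = m[1]
        elif service_set is not None:
            if m := re.fullmatch(r"ssid (\S+)", line):
                service_set["ssid"] = m[1]
            elif m := re.fullmatch(r"security-profile id (\d+)", line):
                service_set["profile_id"] = m[1]
        elif template and line.startswith("radius-server shared-key simple "):
            plaintext_templates.append(template)
    return profiles, service_sets, plaintext_templates


def audit(config):
    """Return (severity, subject, message) findings in configuration order."""
    profiles, service_sets, plaintext_templates = parse(config)
    findings = []
    for service_set in service_sets:
        subject = f"ssid {service_set['ssid']}"
        profile = profiles.get(service_set["profile_id"])
        if profile is None:
            findings.append(("REVIEW", subject, "bound security profile is not defined here"))
            continue
        cipher = profile["cipher"] or POLICY_DEFAULT_CIPHER.get(profile["policy"])
        if profile["policy"] == "wep":
            findings.append(("HIGH", subject, "WEP is deprecated; use WPA2 with CCMP"))
        elif cipher == "tkip":
            findings.append(("MEDIUM", subject, "TKIP is deprecated; use WPA2 with CCMP"))
    for name in plaintext_templates:
        findings.append(("MEDIUM", f"radius-server template {name}",
                         "shared key is stored in plaintext (simple)"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {subject}: {message}")
```

The parser relies on the "#" separators and the //comment style used in this document; a pass phrase that itself contains "//" would be truncated by the comment stripping.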

11.6 Example for Configuring 802.1x+CCMP (V200R006 and V200R007)
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-6, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+CCMP. The WLAN with the SSID huawei is available for STAs connected to
the device.

NOTE

In V200R006 and later versions, the router does not support PEAP authentication.

Figure 11-6 Networking of 802.1x+CCMP


Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable //Enable DHCP.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number for the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number for the RADIUS accounting server.
radius-server shared-key simple huawei //Configure the shared key. The AR and RADIUS server must use the same shared key.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+CCMP.
security-policy wpa2
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.
• Ensure that there are reachable routes from the router to the RADIUS server.
• The RADIUS server needs to be configured.
• For security, WPA authentication must be used and 802.1x mode and encryption mode
  must be enabled.
• When the security policy is set to WPA2, the default authentication mode is
  802.1x+CCMP. This default configuration is not provided in the configuration file.

11.7 Example for Configuring PSK Authentication and TKIP Encryption
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-7, the device functions as the Fat AP to provide WLAN services and
uses PSK+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.

Figure 11-7 Networking of PSK authentication and TKIP encryption


Procedure
Step 1 Configure the Router.
#
vlan 102
#
dhcp enable //Enable DHCP.
#
dot1x enable //Enable 802.1x. WPA/WPA2-PSK key negotiation is carried in EAPoL packets (the PSK itself is not transmitted); therefore, 802.1x must be enabled. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WPA+PSK+TKIP.
security-policy wpa
wpa authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method tkip
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. Users must
enter the preshared key 0123456789 to use WLAN services.
# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual
  networking.


11.8 Example for Configuring PSK Authentication and CCMP Encryption
Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-8, the device functions as the Fat AP to provide WLAN services and
uses PSK+CCMP. The WLAN with the SSID huawei is available for STAs connected to the
device.

Figure 11-8 Networking of PSK authentication and CCMP encryption

Procedure
Step 1 Configure the Router.
#
vlan 101
#
dhcp enable //Enable DHCP.
#
dot1x enable //Enable 802.1x. WPA/WPA2-PSK key negotiation is carried in EAPoL packets (the PSK itself is not transmitted); therefore, 802.1x must be enabled. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WPA2+PSK+CCMP.
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.


# The WLAN with the SSID huawei is available for STAs connected to the AR. Users must
enter the preshared key to use WLAN services.
# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual networking.

11.9 Example for Configuring WAPI Authentication


Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-9, the device functions as the Fat AP to provide WLAN services and
uses WAPI. The WLAN with the SSID huawei is available for STAs connected to the device.

Figure 11-9 Networking of WAPI authentication

Procedure
Step 1 Configure the Router.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 0 //Create a security profile named security.
security-policy wapi //Configure WAPI authentication.
wapi asu ip 10.10.10.1 //Set the ASU server IP address to 10.10.10.1.
wapi import certificate ap file-name flash:/huawei-ap.cer //Specify the certificate file path and file name.
wapi import certificate asu file-name flash:/huawei-asu.cer //Specify the ASU certificate file path and file name.
wapi import certificate issuer file-name flash:/huawei-issuer.cer //Specify the issuer certificate file path and file name.
wapi import private-key file-name flash:/huawei-ap.cer //Specify the private key file path and file name.
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 0 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.

Step 2 Verify the configuration.

# Run the display security-profile { id profile-id | name profile-name } command on the
router to view the security profile.

# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual networking.
• There is a reachable route from the router to the ASU server.
• The ASU server needs to be configured.
• Before you configure the security policy, ensure that the AP certificate huawei-ap.cer, ASU server certificate huawei-asu.cer, issuer certificate huawei-issuer.cer, and AP private key certificate huawei-ap.cer have been stored on the device.

11.10 Example for Configuring a WLAN QoS Policy


Specifications
This example applies only to the AR121W, AR129W, AR129CVW, AR121GW-L,
AR129GW-L, AR129CGVW-L, AR109W, AR109GW-L, AR151W-P, AR156W, AR157W,
AR157VW, AR158EVW, AR161W, AR161EW, AR161EW-M1, AR161FGW-L,
AR161FGW-Lc, AR169W, AR161FW, AR161FW-P-M5, AR161FGW-La, AR169FVW,
AR169FVW-8S, AR169JFVW-4B4S, AR169JFVW-2S, AR169CVW-4B4S, AR169EGW-L,
AR169EW, AR169CVW, AR169FGVW-L, AR169FGW-L, AR169W-P-M9, AR169RW-P-M9,
AR201VW-P, AR207VW, AR1220W, AR1220EVW, and AR1220VW.

Networking Requirements
As shown in Figure 11-10, STA1 and STA2 are connected to the network through the Router.
The Router functions as a Fat AP, and STA2 is a VIP customer. The requirements are as
follows:
• Video service requirements of STA1 and STA2 are met first.
• Communication requirements of STA2 are met first when the network bandwidth is insufficient.

Figure 11-10 Networking diagram of WLAN QoS policy configurations

Procedure
Step 1 Configure the Router.
#
dhcp enable //Enable DHCP.
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable DHCP on the VLANIF interface.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Wlan-Bss1 //Configure the WLAN-BSS interface.
port hybrid tagged vlan 101
#
interface Wlan-Bss2
port hybrid tagged vlan 102
#
wlan
wmm-profile name wmmf id 0
wmm-profile name huawei-vi id 1 //Create a WMM profile huawei-vi.
wmm edca ap ac-vi aifsn 1 ecw ecwmin 1 ecwmax 1 txoplimit 36 //Modify EDCA parameters for video queues on an AP to increase the priority of video services.
wmm edca client ac-vi aifsn 1 ecw ecwmin 1 ecwmax 3 txoplimit 36 //Modify EDCA parameters for video queues on a STA to increase the priority of video services.
traffic-profile name traf id 0
traffic-profile name huawei id 1 //Create a traffic profile huawei.
rate-limit client up 512 //Limit the STA upstream rate to 512 kbit/s.
rate-limit vap up 1024 //Limit the VAP upstream rate to 1024 kbit/s.
traffic-profile name huawei-vip id 2 //Create a traffic profile huawei-vip.
rate-limit client up 1024 //Limit the STA upstream rate to 1024 kbit/s.
rate-limit vap up 2048 //Limit the VAP upstream rate to 2048 kbit/s.
security-profile name secf id 0
security-profile name huawei id 1 //Create a security profile huawei and use default parameters.
service-set name huawei-1 id 0 //Create a service set huawei-1.
Wlan-Bss 1
ssid huawei-1 //Configure an SSID huawei-1.
traffic-profile id 1 //Bind the traffic profile huawei to the service set.
security-profile id 1
service-set name huawei-2 id 1 //Create a service set huawei-2.
Wlan-Bss 2
ssid huawei-2 //Configure an SSID huawei-2.
traffic-profile id 2 //Bind the traffic profile huawei-vip to the service set.
security-profile id 1
radio-profile name radiof id 0
wmm-profile id 0
radio-profile name huawei-vi id 1
wmm-profile id 1
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile huawei-vi to the radio interface.
service-set id 0 wlan 1 //Bind the service set huawei-1 to the radio interface.
service-set id 1 wlan 2 //Bind the service set huawei-2 to the radio interface.

Step 2 Verify the configuration.

# Two WLANs with SSIDs huawei-1 and huawei-2 are available for STAs connected to the
Router. STA1 and STA2 select the WLANs with SSIDs huawei-1 and huawei-2, respectively.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the Router to view information about all STAs associated with a radio or service
set on a radio.

----End

Configuration Notes
• The default country code of a Router is CN. You can change it based on actual networking.
• You can improve the priority of video services by modifying the following parameters for the AC_VI queue in the WMM profile: arbitration inter frame spacing number (AIFSN), exponent form of minimum contention window (ECWmin), exponent form of maximum contention window (ECWmax), and transmission opportunity limit (TXOPlimit).
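
The Fat AP examples in 11.8 to 11.10 tie each SSID to its protection only through numeric ids: a service set names a security profile id, and that profile may or may not carry an explicit security-policy line. The following Python script is an added example, not Huawei code. It parses a configuration in the flattened style used above and reports service sets whose bound profile was never created, has no explicit policy (device defaults apply), or uses WEP or WPA. The sample configuration is constructed, and the wep and wpa keywords are assumed from the policy names this guide lists (WEP, WPA, WPA2, WAPI).

```python
import re

# Constructed sample in the flattened style of the Fat AP examples (not device output).
SAMPLE_CONFIG = """\
#
wlan
wmm-profile name wmm id 1                //Default WMM settings.
security-profile name secf id 0          //No security-policy line: defaults apply.
security-profile name corp id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher CONSTRUCTED-CIPHERTEXT encryption-method ccmp
security-profile name lab id 2
security-policy wep
service-set name guest id 0
Wlan-Bss 1
ssid guest-net
traffic-profile id 1
security-profile id 0
service-set name corp id 1
Wlan-Bss 2
ssid corp-net
security-profile id 1
service-set name lab id 2
ssid lab-net
security-profile id 2
service-set name branch id 3
ssid branch-net
security-profile id 5                    //Profile 5 is never created.
radio-profile name radio-1 id 1
wmm-profile id 1
#
"""

COMMENT = re.compile(r"(?:^|\s)//.*$")          # documentation comment after a command
PROFILE_DEF = re.compile(r"^security-profile name (\S+) id (\d+)$")
PROFILE_BIND = re.compile(r"^security-profile id (\d+)$")
SERVICE_SET = re.compile(r"^service-set name (\S+) id (\d+)$")
POLICY = re.compile(r"^security-policy (\S+)$")
ENCRYPTION = re.compile(r"\bencryption-method (\S+)")
SSID = re.compile(r"^ssid (\S+)$")
# Lines that close the current security-profile or service-set view.
BLOCK_END = re.compile(r"^(#|return$|wlan( ac)?$|interface |ap \d|\S+-profile name )")
LEGACY_POLICIES = {"wep", "wpa"}                 # keyword spelling is an assumption


def parse_wlan(config):
    """Return (profiles by id, service sets in order) from a flattened config."""
    profiles, service_sets = {}, []
    kind, current = None, None
    for raw in config.splitlines():
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        m = PROFILE_DEF.match(line)
        if m:
            current = profiles.setdefault(
                int(m.group(2)),
                {"name": m.group(1), "policy": None, "encryption": None})
            kind = "profile"
            continue
        m = SERVICE_SET.match(line)
        if m:
            current = {"name": m.group(1), "ssid": None, "profile_id": None}
            service_sets.append(current)
            kind = "service-set"
            continue
        if BLOCK_END.match(line):
            kind, current = None, None
            continue
        if kind == "profile":
            m = POLICY.match(line)
            if m:
                current["policy"] = m.group(1).lower()
            m = ENCRYPTION.search(line)
            if m:
                current["encryption"] = m.group(1).lower()
        elif kind == "service-set":
            m = SSID.match(line)
            if m:
                current["ssid"] = m.group(1)
            m = PROFILE_BIND.match(line)
            if m:
                current["profile_id"] = int(m.group(1))
    return profiles, service_sets


def audit(config):
    """Return (ssid, finding) pairs for service sets that need review."""
    profiles, service_sets = parse_wlan(config)
    findings = []
    for ss in service_sets:
        label = ss["ssid"] or ss["name"]
        profile = profiles.get(ss["profile_id"])
        if ss["profile_id"] is None:
            findings.append((label, "no-profile-bound"))
        elif profile is None:
            findings.append((label, "undefined-profile"))
        elif profile["policy"] is None:
            findings.append((label, "default-policy"))
        elif profile["policy"] in LEGACY_POLICIES:
            findings.append((label, "legacy-policy"))
        elif profile["encryption"] not in (None, "ccmp"):
            findings.append((label, "non-ccmp-cipher"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_CONFIG):
        print(f"{ssid}: {finding}")
```

A default-policy finding only means the profile relies on device defaults; confirm the effective policy with the display security-profile command shown in the verification steps.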

12 Deploying WLAN AC

12.1 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)
12.2 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)
12.3 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)
12.4 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)
12.5 Example for Configuring Basic WLAN Services on a Large-Scale Network(V200R006 and V200R007)
12.6 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network)(V200R008 And Later Versions)
12.7 Example for Configuring WLAN Services on a Medium-Scale Network (V200R008 And Later Versions)
12.8 Example for Configuring WLAN Services on a Large-Scale Network (V200R008 And Later Versions)

12.1 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)

Specifications
This example applies to all AR routers of V200R006C00 and V200R007C00 versions.

Networking Requirements
As shown in Figure 12-1, the AC directly connects to the AP through a Layer 2 Ethernet
interface. An enterprise branch needs to deploy a WLAN to implement mobile office so that
the enterprise employees can access the Internet anywhere at any time.

The enterprise has the following requirements:
• The wireless network named huawei-1 should be provided.
• Enterprise employees are assigned IP addresses on 10.10.11.0/24.

Figure 12-1 Configuring basic WLAN services on a small-scale network (AC manages an AP
through a Layer 2 interface)

Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101.
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of Ethernet2/0/0 to VLAN 100.
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
capwap source interface vlanif100 //Specify the AC's source interface. The command applies only to V200R6C10 and later versions. In versions earlier than V200R6C10, run the wlan ac source interface vlanif100 command in the WLAN AC view to specify the AC's source interface.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add the AP offline. Set the AP ID to 0. The AP type is AP6010DN-AGN, the AP type ID is 19, and the MAC address of the AP is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and use the default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use the default settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Set the security policy to WPA2.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption and display the password in cipher text.
service-set name test id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS 1.
ssid huawei-1 //Set the SSID to huawei-1.
traffic-profile id 1 //Bind the traffic profile to the service set.
security-profile id 1 //Bind the security profile to the service set.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the WMM profile to the radio profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Apply the radio profile.
service-set id 1 wlan 1 //Apply the service set.
#
return

Step 2 Verify the configuration.


# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration.
# After a while, the WLAN with the SSID huawei-1 is available for STAs, and these STAs
can connect to the WLAN.
# Run the display station assoc-info ap 0 radio 0 command on the AC to check information
of STAs associated with the 2.4G frequency band of AP0.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual network requirements.
• After a WMM profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• After a traffic profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• When creating a security profile, you can set the security policy according to actual network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
• After the AP is added offline, ensure that the AP state is normal. If the AP state is not normal, troubleshoot the fault to make the AP state change to normal.

12.2 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)

Specifications
This example applies to all AR routers of V200R006C00 and V200R007C00 versions.

Networking Requirements
In Figure 12-2, an AC directly connects to an AP through a Layer 3 Ethernet interface. An
enterprise branch needs to deploy WLAN services for mobile office so that branch users can
access the Internet from anywhere at any time.
The enterprise has the following requirements:
• A WLAN with the SSID huawei-1 is available.
• Branch users are assigned IP addresses on 10.10.11.0/24.

Figure 12-2 Configuring basic WLAN services on a small-scale network (AC manages an AP
through a Layer 3 interface)

Procedure
Step 1 Configure the AC.

#
sysname AC
#
vlan batch 101 //Create a service VLAN (VLAN 101).
#
dot1x enable //Enable 802.1x authentication.
#
wlan ac-global carrier id other ac id 1 //Configure the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface GigabitEthernet0/0/1 //Enter the Ethernet interface view.
ip address 10.10.10.1 255.255.255.0 //Configure an IP address for the Ethernet interface.
dhcp select interface //Enable the DHCP server function on the Ethernet interface so that the AC can assign IP addresses to the AP.
#
interface GigabitEthernet0/0/1.1 //Enter the Ethernet sub-interface view.
dot1q termination vid 101 //Configure a Dot1q termination sub-interface and add it to VLAN 101.
ip address 10.10.11.1 255.255.255.0 //Configure an IP address for the Ethernet sub-interface.
dhcp select interface //Enable the DHCP server function on the Ethernet sub-interface so that the AC can assign IP addresses to STAs.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
interface LoopBack0 //Configure an IP address for the loopback interface.
ip address 1.1.1.1 255.255.255.255
#
capwap source interface loopback0 //Specify the loopback interface as the source interface for the AC. Only V200R006C10 and later versions support this command. In versions earlier than V200R006C10, run the wlan ac source interface loopback0 command in the WLAN AC view to specify the source interface for the AC.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add an AP offline and set the AP ID to 0. The AP type is AP6010DN-AGN and the corresponding ID is 19, and the AP's MAC address is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and retain default settings in the profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain default settings in the profile.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure WPA2 security policy.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption, and configure the password in cipher text.
service-set name service id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS interface 1.
ssid huawei-1 //Specify the SSID huawei-1.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band for AP0.
radio-profile id 1 //Bind the radio profile.
service-set id 1 wlan 1 //Bind the service set.
#
return

Step 2 Verify the configuration.

# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration
and wait for a period of time.

# The WLAN with the SSID huawei-1 is available for STAs connected to the AP, and these
STAs can connect to the WLAN.

# Run the display station assoc-info ap 0 radio 0 command on the AC to check information
about associated STAs at the 2.4 GHz frequency band of AP0.

----End

Configuration Notes
• The default country code of the router is CN. You can change it based on actual networking.
• After a WMM profile is created, parameters in the profile use default values. You can change parameter settings based on actual networking.
• After a traffic profile is created, parameters in the profile use default values. You can change parameter settings based on actual networking.
• After a security profile is created, you can configure an authentication mode based on actual networking. The authentication mode can be WEP, WPA, WPA2, or WAPI.
• After an AP is added offline, ensure that the AP status is normal. If the AP status is not normal, locate the fault.
• When an AC uses Layer 3 interfaces to manage the AP and assign IP addresses to the AP or STAs from the interface address pools, configure the AC to assign IP addresses to the AP from the Layer 3 interface address pool and to STAs from the Layer 3 sub-interface address pool.

12.3 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 2 Interfaces)(V200R006 and V200R007)

Specifications
This example applies to all AR routers of V200R006C00 and V200R007C00 versions.

Networking Requirements
As shown in Figure 12-3, the AC (Router) serves as the egress gateway of the campus and
uses a Layer 2 Ethernet interface to connect to the AP through the switch. The AC assigns IP
addresses to the AP and STAs.

The enterprise requires that a WLAN named huawei-1 be deployed to provide ubiquitous
access to users.

Figure 12-3 Configuring basic WLAN services on a medium-scale network (AC manages an
AP through a Layer 2 interface)

Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
capwap source interface vlanif100 //Specify the AC's source interface. The command applies only to V200R6C10 and later versions. In versions earlier than V200R6C10, run the wlan ac source interface vlanif100 command in the WLAN AC view to specify the AC's source interface.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add the AP offline. Set the AP ID to 0. The AP type is AP6010DN-AGN, the AP type ID is 19, and the MAC address of the AP is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and use the default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use the default settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Set the security policy to WPA2.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption and display the password in cipher text.
service-set name service id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS 1.
ssid huawei-1 //Set the SSID to huawei-1.
traffic-profile id 1 //Bind the traffic profile to the service set.
security-profile id 1 //Bind the security profile to the service set.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the WMM profile to the radio profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Apply the radio profile.
service-set id 1 wlan 1 //Apply the service set.
#
return

Step 2 Switch configuration file


#
sysname Switch
#
vlan batch 100 to 101 //Create VLAN 100 and VLAN 101.
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/1 to VLAN 100.
port trunk allow-pass vlan 100 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101 //Add GE0/0/2 to VLAN 100 and VLAN 101.
#
return

Step 3 Verify the configuration.

# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration.

# After a while, the WLAN with the SSID huawei-1 is available for STAs, and these STAs
can connect to the WLAN.

# Run the display station assoc-info ap 0 radio 0 command on the router to check
information of STAs associated with the 2.4G frequency band of AP0.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual network requirements.
• After a WMM profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• After a traffic profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• When creating a security profile, you can set the security policy according to actual network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
• After the AP is added offline, ensure that the AP state is normal. If the AP state is not normal, troubleshoot the fault to make the AP state change to normal. The possible cause may be that the VLAN is incorrectly configured.

12.4 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 3 Interfaces)(V200R006 and V200R007)

Specifications
This example applies to all AR routers of V200R006C00 and V200R007C00 versions.

Networking Requirements
As shown in Figure 12-4, the AC (Router) serves as the egress gateway of the campus. The
AC does not have Layer 2 interfaces and interface cards. Therefore, it uses Layer 3 Ethernet
interfaces to connect to the AP through the switch. The AC assigns IP addresses to the AP and
STAs.
The enterprise requires that a WLAN named huawei-1 be deployed to provide ubiquitous
access to users.

Figure 12-4 Configuring basic WLAN services on a medium-scale network (AC manages an
AP through a Layer 3 interface)

Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 101 //Create VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface GigabitEthernet0/0/1
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on the GE interface so that the AC can assign IP addresses to the AP.
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 101 //Configure a Dot1q termination sub-interface and add the sub-interface to VLAN 101.
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on the GE sub-interface so that the AC can assign IP addresses to STAs.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
interface LoopBack0 //Configure the loopback interface.
ip address 1.1.1.1 255.255.255.0
#
capwap source interface loopback0 //Set the AC's source interface to the loopback interface. The command applies only to V200R6C10 and later versions. In versions earlier than V200R6C10, run the wlan ac source interface loopback0 command in the WLAN AC view to specify the AC's source interface.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add the AP offline. Set the AP ID to 0. The AP type is AP6010DN-AGN, the AP type ID is 19, and the MAC address of the AP is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and use the default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use the default settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Set the security policy to WPA2.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption and display the password in cipher text.
service-set name service id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS 1.
ssid huawei-1 //Set the SSID to huawei-1.
traffic-profile id 1 //Bind the traffic profile to the service set.
security-profile id 1 //Bind the security profile to the service set.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the WMM profile to the radio profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Apply the radio profile.
service-set id 1 wlan 1 //Apply the service set.
#
return

Step 2 Switch configuration file


#
sysname Switch
#
vlan batch 100 to 101 //Create VLAN 100 and VLAN 101.
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/1 to VLAN 100.
port trunk allow-pass vlan 100 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/2 to VLAN 100.
port trunk allow-pass vlan 100 101 //Add GE0/0/2 to VLAN 100 and VLAN 101.
#
return

Step 3 Verify the configuration.

# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration.
# After a while, the WLAN with the SSID huawei-1 is available for STAs, and these STAs
can connect to the WLAN.
# Run the display station assoc-info ap 0 radio 0 command on the AC to check information
of STAs associated with the 2.4G frequency band of AP0.

----End

Configuration Notes
• The default country code of the AR router is CN. You can change it based on actual network requirements.
• After a WMM profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• After a traffic profile is created, parameters in the profile use default values. You can configure the parameters according to actual network requirements.
• When creating a security profile, you can set the security policy according to actual network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
• After the AP is added offline, ensure that the AP state is normal. If the AP state is not normal, troubleshoot the fault to make the AP state change to normal. The possible cause may be that the VLAN is incorrectly configured.
• When an AC uses Layer 3 interfaces to manage the AP and assign IP addresses to the AP or STAs from the interface address pools, configure the AC to assign IP addresses to the AP from the Layer 3 interface address pool and to STAs from the Layer 3 sub-interface address pool.

12.5 Example for Configuring Basic WLAN Services on a Large-Scale Network (V200R006 and V200R007)
Specifications
This example applies to all AR routers of V200R006C00 and V200R007C00 versions.

Networking Requirements
In Figure 12-5, the AC is the campus egress gateway. The AC connects to APs through
SwitchA and SwitchB and dynamically allocates IP addresses to APs and STAs.
The WLAN with SSID huawei-1 is required so that STAs can access the Internet from
anywhere at any time.

Figure 12-5 Configuring basic WLAN services on a large-scale network

Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 102 //Create VLAN 100 (mVLAN), and VLAN 101 and VLAN 102 (service VLANs).
#
dot1x enable //Enable global 802.1x authentication.
#
wlan ac-global carrier id other ac id 1 //Configure the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 100 so that the AC can assign IP addresses to AP1 and AP2.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 101 so that the AC can assign IP addresses to STAs connected to AP1.
#
interface Vlanif102
ip address 10.10.12.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 102 so that the AC can assign IP addresses to STAs connected to AP2.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add Eth2/0/0 to VLAN 100, VLAN 101, and VLAN 102.
#
interface Wlan-Ess1 //Add WLAN-ESS1 to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
interface Wlan-Ess2 //Add WLAN-ESS2 to the service VLAN.
port hybrid pvid vlan 102 //Set the default VLAN of the WLAN-ESS interface to VLAN 102.
port hybrid tagged vlan 102 //Add the WLAN-ESS interface to VLAN 102 in tagged mode.
#
capwap source interface vlanif100 //Specify the source interface for the AC. Only V200R006C10 and later versions support this command. In versions earlier than V200R006C10, the wlan ac source interface vlanif100 command is used in the WLAN AC view to specify the source interface for the AC.
#
wlan ac
ap id 0 type-id 19 mac 643e-8cb5-f420 sn 2102354196W0EB001158 //Add an AP offline and set the AP ID to 0. The AP type is AP6010DN-AGN and corresponding ID is 19, and the AP's MAC address is 643e-8cb5-f420.
region-id 10 //Add AP0 to AP region 10.
ap id 1 type-id 19 mac 644e-8cc5-f421 sn 2103354196W0EB001159 //Add an AP offline and set the AP ID to 1. The AP type is AP6010DN-AGN and corresponding ID is 19, and the AP's MAC address is 644e-8cc5-f421.
region-id 10 //Add AP1 to AP region 10.
wmm-profile name wmm id 1 //Create a WMM profile and retain default settings in the profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain default settings in the profile.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure WPA2 security policy.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption, and configure the password in cipher text.
service-set name service1 id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS interface 1.
ssid huawei-1 //Specify the SSID huawei-1.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
service-vlan 101 //Set the service VLAN to VLAN 101.
service-set name service2 id 2 //Create a service set.
wlan-ess 2 //Bind the service set to WLAN-ESS interface 2.
ssid huawei-1 //Specify the SSID huawei-1.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
service-vlan 102 //Set the service VLAN to VLAN 102.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band for AP0.
radio-profile id 1 //Bind the radio profile.
service-set id 1 wlan 1 //Bind the service set service1.
ap 1 radio 0 //Configure the 2.4 GHz frequency band for AP1.
radio-profile id 1 //Bind the radio profile.
service-set id 2 wlan 1 //Bind the service set service2.
#
return

Step 2 Configure SwitchB.


#
sysname SwitchB
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/2 to VLAN 100, VLAN 101, and VLAN 102.
#
return

Step 3 Configure SwitchA.


#
sysname SwitchA
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/1 to VLAN 100.
port trunk allow-pass vlan 100 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/2 to VLAN 100.
port trunk allow-pass vlan 100 102 //Add GE0/0/2 to VLAN 100 and VLAN 102.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/3 to VLAN 100, VLAN 101, and VLAN 102.
#
return

Step 4 Verify the configuration.


# Run the commit ap all command in the WLAN view of the AC to commit the
configuration.
# After a while, the WLAN with the SSID huawei-1 is available for STAs connected to AP1
and AP2, and these STAs can connect to the WLAN.
# Run the display station assoc-info all command on the AC to check information about
associated STAs at the 2.4 GHz frequency band of AP0 and AP1.

----End

Configuration Notes
• The default country code of the router is CN. You can change it based on actual
networking.
• After a WMM profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
• After a traffic profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
• After a security profile is created, you can configure an authentication mode based on
actual networking. The authentication mode can be WEP, WPA, WPA2, or WAPI.
• After an AP is added offline, ensure that the AP status is normal. If the AP status is not
normal, locate the fault. The possible cause is that the VLAN configuration is incorrect.

12.6 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network) (V200R008 And Later Versions)
Specifications
This example applies to AR routers of V200R008C00 and later versions.

Networking Requirements
As shown in Figure 12-6, the AP is directly connected to the AC. An enterprise branch needs
to deploy WLAN services for mobile office so that branch users can access the enterprise
internal network from anywhere at any time.
The following requirements must be met:
• A WLAN named wlan-net is available.
• Branch users are assigned IP addresses on 10.10.11.0/24.

Figure 12-6 Networking diagram of configuring WLAN services on a small-scale network

Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100 so that the AC can assign IP addresses to APs.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of Ethernet2/0/0.
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
security-profile name wlan-security //Create a security profile.
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes //Configure PSK authentication and AES encryption, and display the user password in ciphertext.
ssid-profile name wlan-ssid //Create an SSID profile.
ssid wlan-net //Set the SSID to wlan-net.
vap-profile name wlan-vap //Create a VAP profile.
service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
ssid-profile wlan-ssid //Bind the SSID profile to the VAP profile.
security-profile wlan-security //Bind the security profile to the VAP profile.
regulatory-domain-profile name domain1 //Create a regulatory domain profile and configure the country code. The default country code is CN.
ap-group name ap-group1 //Create an AP group.
regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
radio 0
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 1
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 2
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
ap-name area_1 //Configure a name for the AP.
ap-group ap-group1 //Add the AP to the AP group.
#
return

Step 2 Verify the configuration.

# Run the display ap all command to check the AP state. If the State field displays nor, the
AP has gone online.

# After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.

# Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run
the display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.

# After a STA accesses the WLAN wlan-net, run the display access-user command in the
system view to check the IP address assigned to the STA.

----End

Configuration Notes
• After WLAN services are configured, run the commit all command to commit AP
configurations.
• The default country code of the AR router is CN. You can change it based on actual
network requirements.
• After an AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible
cause is that the VLAN is incorrectly configured.

12.7 Example for Configuring WLAN Services on a Medium-Scale Network (V200R008 And Later Versions)
Specifications
This example applies to AR routers of V200R008C00 and later versions.

Networking Requirements
As shown in Figure 12-7, an AC manages the AP connected to it through Switch_A.
A medium-sized enterprise needs to deploy a WLAN in office areas to meet mobile office
service needs and requires that users be centrally controlled and managed on the AC.

Figure 12-7 Networking diagram of configuring WLAN services on a medium-scale network

Procedure
Step 1 Configure the switch.
#
sysname Switch
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of GE0/0/1.
port trunk allow-pass vlan 100 to 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation on GE0/0/1.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101 //Add GE0/0/2 to VLAN 100 and VLAN 101.
#
return

Step 2 Configure the AC.


#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100 so that the AC can assign IP addresses to APs.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation on Ethernet2/0/0.
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
security-profile name wlan-security //Create a security profile.
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes //Configure PSK authentication and AES encryption, and display the user password in ciphertext.
ssid-profile name wlan-ssid //Create an SSID profile.
ssid wlan-net //Set the SSID to wlan-net.
vap-profile name wlan-vap //Create a VAP profile.
service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
ssid-profile wlan-ssid //Bind the SSID profile to the VAP profile.
security-profile wlan-security //Bind the security profile to the VAP profile.
regulatory-domain-profile name domain1 //Create a regulatory domain profile and configure the country code. The default country code is CN.
ap-group name ap-group1 //Create an AP group.
regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
radio 0
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 1
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 2
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
ap-name area_1 //Configure a name for the AP.
ap-group ap-group1 //Add the AP to the AP group.
#
return

Step 3 Verify the configuration.

# Run the display ap all command to check the AP state. If the State field displays nor, the
AP has gone online.

# After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.

# Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run
the display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.

# After a STA accesses the WLAN wlan-net, run the display access-user command in the
system view to check the IP address assigned to the STA.

----End

Configuration Notes
• After WLAN services are configured, run the commit all command to commit AP
configurations.
• The default country code of the AR router is CN. You can change it based on actual
network requirements.
• After an AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible
cause is that the VLAN is incorrectly configured.

12.8 Example for Configuring WLAN Services on a Large-Scale Network (V200R008 And Later Versions)
Specifications
This example applies to AR routers of V200R008C00 and later versions.

Networking Requirements
On a network of a large enterprise in Figure 12-8, an aggregation switch Switch_B connects
to an access switch Switch_A and an upstream Router. The enterprise needs to deploy a
WLAN, with as few changes to the current network structure as possible.

The enterprise requirements are as follows:
• A WLAN with the SSID guest is deployed in the lobby of the office building to provide
wireless access services for visitors.
• A WLAN with the SSID employee is deployed in office areas to provide wireless access
services for employees.

Figure 12-8 Networking diagram of configuring WLAN services on a large-scale network

Procedure
Step 1 Configure Switch_A.
#
sysname Switch_A
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of GE0/0/1.
port trunk allow-pass vlan 100 to 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation on GE0/0/1.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102 //Add GE0/0/2 to VLAN 100 and VLAN 102.
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/3 to VLANs 100, 101, and 102.
#
return

Step 2 Configure Switch_B.


#
sysname Switch_B
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/1 to VLANs 100, 101, and 102.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/2 to VLANs 100, 101, and 102.
#
return

Step 3 Configure the AC.


#
sysname AC
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101 (service VLAN), and VLAN 102 (service VLAN).
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100 so that the AC can assign IP addresses to APs.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Vlanif102
ip address 10.10.12.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 102 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add Ethernet2/0/0 to VLANs 100, 101, and 102.
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
security-profile name guest //Create a security profile.
security wep share-key //Configure the shared-key WEP authentication method.
wep key 0 wep-40 pass-phrase %^%#z*z]6]#!|%n:n}Xz'mhKE{PfN|cIj*eU$jJYH48S%^%# //Configure a WEP key.
security-profile name employee //Create a security profile.
security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes //Configure PSK authentication and AES encryption, and display the user password in ciphertext.
ssid-profile name guest //Create an SSID profile.
ssid guest //Set the SSID to guest.
ssid-profile name employee //Create an SSID profile.
ssid employee //Set the SSID to employee.
vap-profile name guest //Create a VAP profile named guest.
service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
ssid-profile guest //Bind the SSID profile guest to the VAP profile guest.
security-profile guest //Bind the security profile guest to the VAP profile guest.
vap-profile name employee //Create a VAP profile named employee.
service-vlan vlan-id 102 //Configure VLAN 102 as a service VLAN.
ssid-profile employee //Bind the SSID profile employee to the VAP profile employee.
security-profile employee //Bind the security profile employee to the VAP profile employee.
regulatory-domain-profile name domain1 //Create a regulatory domain profile.
ap-group name guest //Create an AP group.
regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
radio 0
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
radio 1
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
radio 2
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
ap-group name default //Create an AP group named default.
ap-group name employee //Create an AP group named employee.
regulatory-domain-profile domain1 //Bind the domain profile to the AP group.
radio 0
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
radio 1
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
radio 2
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
ap-name area_1 //Configure a name for the AP.
ap-group guest //Add the AP to the AP group guest.
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075 //Add an AP offline.
ap-name area_2 //Configure a name for the AP.
ap-group employee //Add the AP to the AP group employee.
#
return

Step 4 Verify the configuration.


# After the service configuration is complete, run the display vap ssid guest and display vap
ssid employee commands. If Status in the command output is displayed as ON, the VAPs
have been successfully created on AP radios.
# Connect STAs to the WLANs with SSIDs guest and employee and enter the passwords
a1234 and b1234567 respectively. Run the display station ssid guest and display station
ssid employee commands on the AC. The command output shows that the STAs are
connected to the WLANs guest and employee.

----End

Configuration Notes
• After WLAN services are configured, run the commit all command to commit AP
configurations.
• The default country code of the AR router is CN. You can change it based on actual
network requirements.
• After an AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible
cause is that the VLAN is incorrectly configured.
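
The guest security profile in this example uses shared-key WEP with a 40-bit key (wep-40), a deprecated scheme that gives visitors on VLAN 101 no meaningful confidentiality, while the employee profile uses WPA2-PSK with AES. The following Python script is an added example (not Huawei code) that parses a V200R008-style wlan ac view and reports which SSIDs, service VLANs and AP groups sit behind a WEP security profile. The sample configuration is constructed from this example with the cipher text replaced by a placeholder, and flagging only WEP is an assumption of the script.

```python
import re

# Constructed sample: the "wlan ac" view of the AC in the large-scale example,
# cipher text replaced by a placeholder; one line keeps a "//" annotation.
SAMPLE_CONFIG = """\
wlan ac
 security-profile name guest
  security wep share-key //Configure the shared-key WEP authentication method.
  wep key 0 wep-40 pass-phrase <ciphertext>
 security-profile name employee
  security wpa2 psk pass-phrase <ciphertext> aes
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  service-vlan vlan-id 101
  ssid-profile guest
  security-profile guest
 vap-profile name employee
  service-vlan vlan-id 102
  ssid-profile employee
  security-profile employee
 regulatory-domain-profile name domain1
 ap-group name guest
  radio 0
   vap-profile guest wlan 1
 ap-group name employee
  radio 0
   vap-profile employee wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-group guest
"""

VIEWS = ("security-profile", "ssid-profile", "vap-profile", "ap-group")
WEAK_POLICIES = {"wep"}  # assumption of this example: only WEP is flagged


def parse_wlan_view(text):
    """Return {view kind: {profile name: settings}} for the views in VIEWS."""
    model = {kind: {} for kind in VIEWS}
    kind, cur = None, None
    for raw in text.splitlines():
        # Drop the guide's "//" annotations, then split into words.
        words = re.split(r"(?:^|\s)//", raw, maxsplit=1)[0].split()
        if not words:
            continue
        head, arg = words[0], (words[1] if len(words) > 1 else None)
        if head in VIEWS and arg == "name" and len(words) > 2:
            kind = head  # "<view> name <x>" opens a profile view
            cur = model[kind].setdefault(words[2], {})
        elif head in ("#", "return", "ap-id") or arg == "name":
            kind, cur = None, None  # left the views this script tracks
        elif arg is None:
            continue
        elif kind == "security-profile" and head == "security":
            cur["policy"] = arg  # "wep" or "wpa2"; key material is never stored
        elif kind == "security-profile" and words[:2] == ["wep", "key"] and len(words) > 3:
            cur["wep_key_type"] = words[3]  # e.g. "wep-40"
        elif kind == "ssid-profile" and head == "ssid":
            cur["ssid"] = arg
        elif kind == "vap-profile" and words[:2] == ["service-vlan", "vlan-id"] and len(words) > 2:
            cur["vlan"] = int(words[2])
        elif kind == "vap-profile" and head in ("ssid-profile", "security-profile"):
            cur[head] = arg  # binding, not creation (no "name" keyword)
        elif kind == "ap-group" and head == "vap-profile":
            cur.setdefault("vaps", set()).add(arg)
    return model


def audit(model):
    """List VAP profiles whose security policy is WEP or cannot be resolved."""
    findings = []
    for vap_name, vap in sorted(model["vap-profile"].items()):
        sec = model["security-profile"].get(vap.get("security-profile"), {})
        policy = sec.get("policy")
        if policy is not None and policy not in WEAK_POLICIES:
            continue
        groups = sorted(g for g, s in model["ap-group"].items()
                        if vap_name in s.get("vaps", ()))
        findings.append({
            "vap_profile": vap_name,
            "ssid": model["ssid-profile"].get(vap.get("ssid-profile"), {}).get("ssid"),
            "vlan": vap.get("vlan"),
            "policy": policy or "not found in supplied text",
            "wep_key_type": sec.get("wep_key_type"),
            "ap_groups": groups,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_wlan_view(SAMPLE_CONFIG)):
        print("SSID {ssid} VLAN {vlan} policy {policy} ({wep_key_type}) "
              "AP groups {ap_groups}".format(**f))
```

The parser works on tokens rather than indentation, so it also accepts the flattened form in which this guide prints the configuration.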

13 Deploying Voice

13.1 Versions Between V200R001C01 and V200R002C00
13.2 Versions Between V200R002C00SPC100 and V200R003C01
13.3 V200R005C10 and later versions

13.1 Versions Between V200R001C01 and V200R002C00

13.1.1 Example for Configuring Basic Voice Features

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R001C01 (included) to V200R002C00
(included).

Networking Requirements
As shown in Figure 13-1, Router A functions as a PBX and Router B functions as a voice
gateway. Voice services are configured on Router A and Router B to meet the following
requirements:
• Users connected to RouterA can call each other.
• Users connected to RouterB can call each other.
• Users connected to RouterA and RouterB can call each other.
On the network, SIP UE 1 is a VoIP phone.

Figure 13-1 Networking for basic voice feature configurations on AR routers

Procedure
Step 1 Configure Router A.
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx
#
enterprise hw //Create an enterprise hw.
dn-set local //Create a DN set local.
#
callprefix 2 //Create a call prefix profile 2.
enterprise hw //Bind the enterprise hw to the call prefix.
dn-set local //Bind the DN set local to the call prefix.
centrex - //Set the call prefix type to centrex.
prefix 2 //Configure the call prefix profile 2.
call-type category 0 attribute 0 //Set the call type to local.
maximum-length 4 //Set the longest digit length to 4.
minimum-length 4 //Set the shortest digit length to 4.
#
callprefix 3
enterprise hw
dn-set local
centrex -
prefix 3
call-type category 0 attribute 0
maximum-length 4
minimum-length 4
#
sipserver //Configure RouterA as the SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain name of the SIP server to huawei.com.
#
pbxuser 2222 //Configure a PBX user 2222.
type sipue 2222 //Set the PBX user type to SIP UE.
enterprise hw //Set the enterprise to hw.
#
pbxuser 2223
type sipue 2223
enterprise hw
#
pbxuser 3000
type port 1/0/0 //Set the user type to the POTS user and bind the physical interface to the user.
enterprise hw
#
pbxuser 3001
type port 1/0/1
enterprise hw
#
pbxuser 3002
type sipue 3002
enterprise hw
#
dialno 2222 //Set the user identifier of the PBX user.
pbxuser 2222 //Bind the user identifier to user 2222.
telno 86 25 2222 //Set the telephone number of the PBX user.
dn-set local //Set the DN set of the PBX user to local.
callout-right 3 //Set the call-out right of the PBX user to international toll call.
callin-right 3 //Set the call-in right of the PBX user to international toll call.
call.
#
dialno 2223
pbxuser 2223
telno 86 25 2223
dn-set local
callout-right 3
callin-right 3
#
dialno 3000
pbxuser 3000
telno 86 25 3000
dn-set local
callout-right 3
callin-right 3
#
dialno 3001
pbxuser 3001
telno 86 25 3001
dn-set local
callout-right 3
callin-right 3
#
dialno 3002
pbxuser 3002
telno 86 25 3002
dn-set local
callout-right 3
callin-right 3
#
return

Step 2 Configure Router B.


sysname RouterB
#
interface Ethernet2/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address signalling interface Ethernet 2/0/0 192.168.1.2 //Set the signaling IP address to 192.168.1.2.
voip-address media interface Ethernet 2/0/0 192.168.1.2 //Set the media IP address to 192.168.1.2.
#
sipag 1 //Create a SIP AG 1.
signalling-ip 192.168.1.2 //Set the signaling IP address of the SIP AG to 192.168.1.2.
signalling-port 5060 //Set the signaling port of the SIP AG to 5060.
media-ip 192.168.1.2 //Set the media IP address of the SIP AG to 192.168.1.2.
primary-proxy-ip 192.168.1.1 //Set the IP address of the primary proxy server to 192.168.1.1.
primary-proxy-port 5060 //Set the signaling port of the primary proxy server to 5060.
home-domain huawei.com //Set the home domain name of the SIP AG to huawei.com.
#
sipaguser 1 //Create a SIP AG user.
port 1/0/0 //Bind the physical interface to the SIP AG user.
base-telno 2222 //Set a telephone number for the SIP AG user.
mgid 1 //Set the SIP AG ID of the SIP AG user to 1.
#
sipaguser 2
port 1/0/1
base-telno 2223
mgid 1
#
return

Step 3 Verify the configuration.


• Users connected to RouterA can call each other.
• Users connected to RouterB can call each other.
• Users connected to RouterA and RouterB can call each other.

----End

Configuration Notes
• The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
• The country code and area code in China are used as an example. The devices do not
support user-defined country codes and area codes.
• Users connected to the SIP AG are configured on the PBX and the user type must be set
to SIP UE.
• The media IP address and the proxy IP address configured on the SIP AG must be
reachable to each other.
• By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
• After configuring a SIP server, reset the SIP server for the configuration to take effect.

13.1.2 Example for Configuring Voice Services for a Small- or Medium-sized Enterprise

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R001C01 (included) to V200R002C00
(included).

Networking Requirements
As shown in Figure 13-2, an enterprise has POTS users: User A, User B, User C and User D.
In this network:
• RouterA functions as a PBX and RouterB functions as a SIP AG.
• Internal calls of the enterprise are connected through the PBX, and outgoing calls from
the enterprise are connected to external users through the AT0 trunk.
• The carrier allocates the number 56623000 to the enterprise. External users can dial the
number 56623000 to query an internal extension number. External users can also dial the
number 56623000, and then the call is transferred to an internal user.
NOTE

This example uses the voice tone "Please dial the extension number, or dial zero for the operator."

Figure 13-2 Configuring voice services for a small- or medium-sized enterprise

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx //Enter the PBX view.
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status 1 //Specify the RBT file for the enterprise.
dn-set local //Create a DN set local.
#
callprefix 8 //Create a call prefix profile 8.
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set local.
centrex - //Configure a call prefix type centrex
prefix 8 //Configure the call prefix profile 8.
call-type category 0 attribute 0 //Configure the call type and the basic service attribute.
maximum-length 3 //Configure the longest digit length.
minimum-length 3 //Configure the shortest digit length.
#
callprefix 9
enterprise hw
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office //Specify the inter-office attribute.
#
sipserver //Configure a SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
pbxuser 800 //Create a PBX user.
type port 1/0/0 //Set the PBX user type to POTS.
enterprise hw //Configure the enterprise hw.
#
pbxuser 801
type port 1/0/1
enterprise hw
#
pbxuser 802
type port 1/0/2
enterprise hw
#
pbxuser 803
type sipue 803
enterprise hw
#
dialno 800 //Set the user identifier of the PBX user.
pbxuser 800 //Bind the user identifier to the PBX user.
telno 86 25 800 //Set the telephone number of the PBX user.
dn-set local //Set the DN set of the PBX user to local.
callout-right 3 //Set the call-out right of the PBX user.
callin-right 3 //Set the call-in right of the PBX user.
service-right call-transfer enable //Enable the call transfer service.
#
dialno 801
pbxuser 801
telno 86 25 801
dn-set local
callout-right 3
callin-right 3
#
dialno 802
pbxuser 802
telno 86 25 802
dn-set local
callout-right 3
callin-right 3
#
dialno 803
pbxuser 803
telno 86 25 803
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0 //Configure an AT0 trunk group.
signalling fxo //Configure the signaling type of the trunk group.
enterprise hw //Bind the enterprise hw to the trunk group.
dn-set local //Bind the DN set local to the trunk group.
callin-right 3 //Configure the call-in right to international toll call.
callout-right 3 //Configure the call-out right to international toll call.
#
ivr-group ivr1 //Create an IVR group.
enterprise hw //Bind the enterprise hw to the IVR group.
dn-set local //Bind the DN set local to the IVR group.
access-telno 86 25 800 //Configure a country code and an area code for the IVR group.
condition caller-telno disable //Configure call route 9 for all callers.
condition time-period disable //Set the validity period of the IVR group.
condition time-repeat disable //Configure the calling number not to change.
console-telno 0 //Configure a switchboard number for the IVR group.
tone-id file flash:/sss.wav //Set the tone ID of the IVR group to sss.wav.
#
groupmember ivr1 //Create a group member.
enterprise hw //Create an enterprise that the group member belongs to.
group-name ivr1 //Configure a service group bound to the member group.
telno 86 25 800 //Configure the registration number for the group member.
condition time-period disable
condition time-repeat disable
member-index 1
#
trunk-at0 at0 //Configure an AT0 trunk group.
port fxo 1/0/4 //Bind the physical interface to the AT0 trunk group.
trunkgroup at0 //Bind a trunk to the AT0 trunk group.
default-called-telno 800 //Set the default called number to 800.
reversepole-detect false //Configure the reverse pole signal function.
#
callroute 9 //Configure a call route 9.
enterprise hw //Bind the enterprise hw to the call route.
dn-set local //Bind the DN set local to the call route.
centrex - //Configure the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition time-period disable //Set the validity period of the call route.
condition time-repeat disable //Set the calling number not to change.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Set the enterprise to hw after post-routing number change.
dn-set local //Set the DN set to local after post-routing number change.
centrex - //Set the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition caller-telno disable //Configure the calling number change for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return

Step 2 Configure RouterB.


sysname RouterB
#
interface Ethernet2/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address signalling interface Ethernet 2/0/0 192.168.1.2 //Configure the signaling IP address to 192.168.1.2.
voip-address media interface Ethernet 2/0/0 192.168.1.2 //Configure the media IP address to 192.168.1.2.
#
sipag 1 //Create a SIP AG 1.
signalling-ip 192.168.1.2 //Set the signaling IP address of the SIP AG to 192.168.1.2.
signalling-port 5060 //Set the signaling port of the SIP AG to 5060.
media-ip 192.168.1.2 //Set the media IP address of the SIP AG to 192.168.1.2.
primary-proxy-ip 192.168.1.1 //Set the IP address of the primary proxy server to 192.168.1.1.
primary-proxy-port 5060 //Set the signaling port of the primary proxy server to 5060.
home-domain huawei.com //Set the home domain name of the SIP AG to huawei.com.
#
sipaguser 1 //Create a SIP AG user.
port 1/0/0 //Bind the physical interface to the SIP AG user.
base-telno 803 //Set a telephone number for the SIP AG user.
mgid 1 //Set the SIP AG ID of the SIP AG user to 1.
#
return

Step 3 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A, User B, User C and User D can call each other.
3. User A, User B, User C and User D can make inter-office calls.

----End
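
For a least-privilege review of the rights granted in this example, the following added Python example (not part of the Huawei document) lists every dialno and trunkgroup block that carries callout-right 3, which the comments above describe as international toll call, and records whether the same number has call transfer enabled or is the access number of an IVR group. CONFIG is a constructed excerpt of the RouterA configuration above, and the function names are hypothetical.

```python
# Constructed excerpt of the RouterA configuration above (comments removed).
CONFIG = """\
dialno 800
 pbxuser 800
 telno 86 25 800
 callout-right 3
 callin-right 3
 service-right call-transfer enable
#
dialno 801
 pbxuser 801
 telno 86 25 801
 callout-right 3
 callin-right 3
#
trunkgroup at0
 signalling fxo
 callin-right 3
 callout-right 3
#
ivr-group ivr1
 access-telno 86 25 800
 console-telno 0
#
"""

KINDS = ("dialno", "trunkgroup", "ivr-group")
INTERNATIONAL = "3"  # value the comments above describe as international toll call


def inventory(config):
    """Return {(kind, name): settings} for dialno, trunkgroup and ivr-group blocks."""
    result, current = {}, None
    at_block_start = True
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop trailing //comments
        if line == "#":  # '#' closes the current block
            current, at_block_start = None, True
            continue
        if not line:
            continue
        words = line.split()
        if at_block_start:  # first line of a block names it
            at_block_start = False
            if len(words) == 2 and words[0] in KINDS:
                key = (words[0], words[1])
                current = result.setdefault(key, {"call-transfer": False})
            continue
        if current is None:
            continue  # inside a block this example does not track
        if words[0] in ("callout-right", "callin-right") and len(words) == 2:
            current[words[0]] = words[1]
        elif words[0] in ("telno", "access-telno"):
            current[words[0]] = " ".join(words[1:])
        elif words == ["service-right", "call-transfer", "enable"]:
            current["call-transfer"] = True
    return result


def international_callout(config):
    """List every block granted callout-right 3, with the facts a reviewer needs."""
    inv = inventory(config)
    # Map IVR access numbers to the IVR group that answers them.
    ivr_by_number = {s["access-telno"]: name for (kind, name), s in inv.items()
                     if kind == "ivr-group" and "access-telno" in s}
    rows = []
    for (kind, name), s in inv.items():
        if s.get("callout-right") != INTERNATIONAL:
            continue
        rows.append({"kind": kind, "name": name,
                     "call_transfer": s["call-transfer"],
                     "ivr_access": ivr_by_number.get(s.get("telno"))})
    return rows


if __name__ == "__main__":
    for row in international_callout(CONFIG):
        print(row)
```

Rows where call_transfer is true and ivr_access is set identify numbers that are reachable from the external line and can also place international calls, which is where a reviewer would first consider lowering callout-right.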

Configuration Notes
• The PBX functions are license controlled. By default, PBX functions are disabled on a
  device. To use the PBX functions, apply for and purchase the license from the Huawei
  local office.
• The country code and area code in China are used as an example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
  uploaded/downloaded to the storage media.
• By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
  command in the voice view to switch to the other working mode. Clear the SIP AG or
  PBX configuration before switching the working mode. Restart the router after it
  switches to the other working mode.
• When configuring the post-routing number change plan, ensure that the digits to be
  deleted are call prefixes entered by the user. Run the display voice country-code
  command to check the default country code and area code before determining the first
  digit to be deleted. In the command output, N indicates the first digit to be deleted, while
  M indicates the number of digits to be deleted. In this example, when a user dials the
  digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
  1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
  and 9 is the outgoing prefix.

13.1.3 Example for Configuring Voice Services Between the Headquarters and Branch Through Leased Lines

Specifications
Applicable products and versions
• Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
• Version
  This example applies to versions from V200R001C01 (included) to V200R002C00
  (included).

Networking Requirements
As shown in Figure 13-3, the headquarters and branch of enterprise A (hw) are located in
different areas. RouterA and RouterB function as gateways and are connected through the E1
leased line. After voice services are deployed on RouterA and RouterB, enterprise users can
use the voice services across areas. Internal users use the AT0 trunk to call external users.
In this network:
• RouterA and RouterB use SIP IP trunks to implement voice services across areas.
• User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
  inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
  and branch is 20000.
• User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
  inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
  and branch is 20000.
• The IP address of Serial 2/0/0 on RouterA is 192.168.1.1/24 and the IP address of Serial
  2/0/0 on RouterB is 192.168.1.2/24.
• The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
  5070. The media and signaling IP address of RouterB is 192.168.1.2 and the signaling
  port is 5070.
• The carrier allocates the number 56623000 to the enterprise headquarters. If external
  users dial the number 56623000, the phone of User A rings and the call transfer service
  is enabled. When external users call other internal users, the phone of User A transfers
  the calls.
• The carrier allocates the number 28963000 to the enterprise branch. If external users dial
  the number 28963000, the phone of User C rings and the call transfer service is enabled.
  When external users call other internal users, the phone of User C transfers the calls.

Figure 13-3 Configuring voice services between the headquarters and branch through leased lines

Procedure
Step 1 Configure RouterA.

#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Serial 2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Serial 2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set local.
#
callprefix 9 //Create a call prefix profile 9.
enterprise hw //Bind the enterprise hw to the call prefix.
dn-set local //Bind the DN set local to the call prefix.
centrex - //Configure the call prefix type to centrex.
prefix 9 //Configure the call prefix profile 9.
call-type category 0 attribute 0 //Configure the call type and the basic service attribute.
maximum-length 15 //Configure the longest digit length.
minimum-length 1 //Configure the shortest digit length.
destination-location inter-office //Specify the inter-office attribute.
#
callprefix 2222
enterprise hw
dn-set local
centrex -
prefix 2222
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver //Configure a SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
pbxuser 22223000 //Configure a PBX user 22223000.
type port 1/0/0 //Bind the physical port to the PBX user.
enterprise hw //Bind the enterprise hw to the PBX user.
#
pbxuser 22223001
type port 1/0/1
enterprise hw
#
dialno 22223000 //Configure a PBX user identifier 22223000.
pbxuser 22223000 //Bind the user identifier 22223000 to the PBX user 22223000.
telno 86 25 22223000 //Set the telephone number of the PBX user.
dn-set local //Set the DN set of the PBX user to local.
callout-right 3 //Set the call-out right of the PBX user to international toll call.
callin-right 3 //Set the call-in right of the PBX user to international toll call.
service-right call-transfer enable //Enable the call transfer service.
#
dialno 22223001
pbxuser 22223001
telno 86 25 22223001
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0 //Create an AT0 trunk group.
signalling fxo //Set the signaling type of the AT0 trunk group to FXO.
enterprise hw //Bind the enterprise hw to the AT0 trunk group.
dn-set local //Bind the DN set local to the AT0 trunk group.
callin-right 3 //Set the call-in right of the AT0 trunk group to international toll call.
callout-right 3 //Set the call-out right of the AT0 trunk group to international toll call.
#
trunkgroup sipip //Create a SIP trunk group.
signalling sip //Set the signaling type of the SIP trunk group to SIP.
enterprise hw //Bind the enterprise hw to the SIP trunk group.
dn-set local //Bind the DN set local to the SIP trunk group.
callin-right 3 //Set the call-in right of the SIP trunk group to international toll call.
callout-right 3 //Set the call-out right of the SIP trunk group to international toll call.
sip reg-mode 0 //Configure the SIP trunk registration mode.
sip mgc-type 1 //Configure the SIP trunk adaptation mode.
sip signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP trunk group to 192.168.1.1.
sip signalling-port 5070 //Set the signaling port of the SIP trunk group to 5070.
sip media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
sip peer static 192.168.1.2 5070 //Set the peer signaling IP address of the SIP trunk group to 192.168.1.2 and the signaling port to 5070.
sip register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
sip home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
#
trunk-at0 at0 //Create an AT0 trunk.
port fxo 1/0/4 //Bind the physical interface to the AT0 trunk.
trunkgroup at0 //Bind the trunk to the AT0 trunk group.
default-called-telno 22223000 //Set the default called number to 22223000.
reversepole-detect false //Configure the reverse pole signal function.
#
callroute 9 //Configure a call route 9.
enterprise hw //Bind the enterprise hw to the call route.
dn-set local //Bind the DN set local to the call route.
centrex - //Configure the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition time-period disable //Set the validity period of the call route.
condition time-repeat disable //Set the calling number not to change.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Set the enterprise to hw after post-routing number change.
dn-set local //Set the DN set to local after post-routing number change.
centrex - //Set the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition caller-telno disable //Configure the calling number change for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 7 5
#
return

Step 2 Configure RouterB.

interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface Serial 2/0/0 192.168.1.2
voip-address signalling interface Serial 2/0/0 192.168.1.2
#
pbx
#
enterprise hw
dn-set local
#
callprefix 9
enterprise hw
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office
#
callprefix 3333
enterprise hw
dn-set local
centrex -
prefix 3333
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver
signalling-ip 192.168.1.2
signalling-port 5060
media-ip 192.168.1.2
register-uri huawei.com
home-domain huawei.com
#
pbxuser 33333000
type port 1/0/0
enterprise hw
#
pbxuser 33333001
type port 1/0/1
enterprise hw
#
dialno 33333000
pbxuser 33333000
telno 86 755 33333000
dn-set local
callout-right 3
callin-right 3
service-right call-transfer enable
#
dialno 33333001
pbxuser 33333001
telno 86 755 33333001
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0
signalling fxo
enterprise hw
dn-set local
callin-right 3
callout-right 3
#
trunkgroup sipip
signalling sip
enterprise hw
dn-set local
callin-right 3
callout-right 3
sip reg-mode 0
sip mgc-type 1
sip signalling-ip 192.168.1.2
sip signalling-port 5070
sip media-ip 192.168.1.2
sip peer static 192.168.1.1 5070
sip register-uri huawei.com
sip home-domain huawei.com
#
trunk-at0 at0
port fxo 1/0/4
trunkgroup at0
default-called-telno 33333000
reversepole-detect false
#
callroute 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup at0
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition caller-telno disable
trunkgroup at0
caller no-change
called del 8 1
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 8 5
#
return

Step 3 Verify the configuration.

1. User A and User B can talk with each other.
2. User C and User D can talk with each other.
3. User A, User B, User C, and User D can call external users.
4. When dialing the number 56623000, external users can talk with User A and User B.
5. When dialing the number 28963000, external users can talk with User C and User D.

----End

Configuration Notes
• The PBX functions are license controlled. By default, PBX functions are disabled on a
  device. To use the PBX functions, apply for and purchase the license from the Huawei
  local office.
• The country code and area code in China are used as an example.
• By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
  command in the voice view to switch to the other working mode. Clear the SIP AG or
  PBX configuration before switching the working mode. Restart the router after it
  switches to the other working mode.
• When configuring the post-routing number change plan, ensure that the digits to be
  deleted are call prefixes entered by the user. Run the display voice country-code
  command to check the default country code and area code before determining the first
  digit to be deleted. In the command output, N indicates the first digit to be deleted, while
  M indicates the number of digits to be deleted. In this example, when a user dials the
  digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
  1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
  and 9 is the outgoing prefix.
• After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
  SIP server or trunk group view for the configuration to take effect.
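
The N and M formula from the note above, applied as a consistency check over the called del rules of both routers (an added Python example, not part of the Huawei document). The function names, the excerpted configuration strings and the sample dialled number are constructed here; the country and area codes are passed in as arguments, as read from display voice country-code, and the sample number assumes the prefix, country code and area code digits precede the dialled digits, so only their combined length matters.

```python
import re

# Constructed excerpt of the RouterA configuration in this example (comments removed).
ROUTER_A = """\
callprefix 9
 prefix 9
#
callprefix 20000
 prefix 20000
#
afterroute-change 9
 callprefix 9
 trunkgroup at0
 called del 7 1
#
afterroute-change 20000
 callprefix 20000
 trunkgroup sipip
 called del 7 5
#
"""
# RouterB carries the same rules with N = 8; its telno lines use area code 755.
ROUTER_B = ROUTER_A.replace("called del 7", "called del 8")


def parse_blocks(config):
    """Split a configuration into '#'-separated blocks of stripped command lines."""
    blocks = []
    for chunk in re.split(r"(?m)^#[ \t]*$", config):
        lines = [ln.split("//")[0].strip() for ln in chunk.splitlines()]
        lines = [ln for ln in lines if ln]
        if lines:
            blocks.append(lines)
    return blocks


def expected_del(country_code, area_code, prefix, intl_prefix="00"):
    """N and M according to the formula in the Configuration Notes."""
    n = len(country_code) + len(intl_prefix) + len(area_code) + 1
    return n, len(prefix)


def check_called_del(config, country_code, area_code, intl_prefix="00"):
    """Compare each 'called del N M' rule with the values the formula gives.

    Returns a list of (rule_name, configured, expected, ok) tuples.
    """
    blocks = parse_blocks(config)
    # Resolve each call prefix profile name to the digits the user dials.
    prefix_digits = {}
    for block in blocks:
        head = block[0].split()
        if head[0] == "callprefix" and len(head) == 2:
            for line in block[1:]:
                m = re.fullmatch(r"prefix (\d+)", line)
                if m:
                    prefix_digits[head[1]] = m.group(1)

    findings = []
    for block in blocks:
        head = block[0].split()
        if head[0] != "afterroute-change" or len(head) != 2:
            continue
        profile, configured = None, None
        for line in block[1:]:
            m = re.fullmatch(r"callprefix (\S+)", line)
            if m:
                profile = m.group(1)
            m = re.fullmatch(r"called del (\d+) (\d+)", line)
            if m:
                configured = (int(m.group(1)), int(m.group(2)))
        if configured is None:
            continue  # this rule does not delete digits from the called number
        digits = prefix_digits.get(profile)
        expected = (expected_del(country_code, area_code, digits, intl_prefix)
                    if digits is not None else None)
        findings.append((head[1], configured, expected, configured == expected))
    return findings


def apply_called_del(number, n, m):
    """Delete m digits starting at 1-based position n."""
    return number[:n - 1] + number[n - 1 + m:]


if __name__ == "__main__":
    for name, cfg, area in (("RouterA", ROUTER_A, "25"), ("RouterB", ROUTER_B, "755")):
        for rule, configured, expected, ok in check_called_del(cfg, "86", area):
            print(name, rule, configured, expected, "OK" if ok else "MISMATCH")
    # Constructed number: six leading digits (assumed layout), then 9 + external number.
    print(apply_called_del("008625" + "9" + "12345678", 7, 1))
```

Running the RouterA rules against a three-digit area code reports a mismatch for both rules, because N = 7 would then delete the last area code digit instead of the outgoing prefix.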

13.1.4 Example for Configuring Access to the IMS Network Using a SIP AT0 Trunk

Specifications
Applicable products and versions
• Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
• Versions
  This example applies to versions from V200R001C01 (included) to V200R002C00
  (included).

Networking Requirements
As shown in Figure 13-4, User A and User B belong to enterprise A. Enterprise A accesses
the IMS network using a SIP AT0 trunk.

The carrier allocates the number 56623000 to enterprise A. If external users dial the number
56623000, the phone of User A rings and the call transfer service is enabled. When external
users call other internal users, the phone of User A transfers the calls.

Figure 13-4 Networking diagram

Procedure
Step 1 Configure the voice service.
#
voice
voip-address media interface Ethernet 2/0/0 192.168.1.3 //Configure a media address pool.
voip-address signalling interface Ethernet 2/0/0 192.168.1.3 //Configure a signaling address pool.
#
pbx //Enter the PBX view.
pbx string-parameter 0 86 //Configure a country code.
pbx string-parameter 1 25 //Configure an area code.
#
enterprise hw //Configure an enterprise.
dn-set local //Configure a DN set.
#
callprefix 2
enterprise hw
dn-set local
centrex -
prefix 2
call-type category 0 attribute 0
maximum-length 8
minimum-length 4
#
callprefix 8
enterprise hw
dn-set local
centrex -
prefix 8
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office //Specify the home area attribute of a call prefix to inter-office.
#
sipserver
signalling-ip 192.168.1.3
signalling-port 5060
media-ip 192.168.1.3
register-uri huawei.com
home-domain huawei.com
#
pbxuser 2000
type port 1/0/0
enterprise hw
#
pbxuser 2001
type port 1/0/1
enterprise hw
#
dialno 2000
pbxuser 2000
telno 86 25 2000
dn-set local
callout-right 3
callin-right 3
service-right call-transfer enable //Enable the call transfer service.
#
dialno 2001
pbxuser 2001
telno 86 25 2001
dn-set local
callout-right 3
callin-right 3
#
trunkgroup sipat0 //Create a SIP AT0 trunk.
signalling sip //Set the signaling type to SIP.
enterprise hw
dn-set local
callin-right 3
callout-right 3
default-caller-telno 86 25 2000
sip reg-mode 2
sip mgc-type 0
sip signalling-ip 192.168.1.3
sip signalling-port 5070
sip media-ip 192.168.1.3
sip peer static 192.168.1.1 5060
sip register-uri huawei.com
sip home-domain huawei.com
sip regid 56623000 //Configure the registration number.
#
trunk-sipat0 sipat0 //Create a SIP AT0 trunk.
trunkgroup sipat0
register 56623000 //Configure the registration number.
default-called-telno 2000
#
callroute 8
enterprise hw
dn-set local
centrex -
callprefix 8
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipat0
#
afterroute-change 8
enterprise hw
dn-set local
centrex -
callprefix 8
condition caller-telno disable
trunkgroup sipat0
caller no-change
called del 7 1
#
return

Step 2 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A and User B can call each other.
3. User A and User B can make inter-office calls.

----End

Configuration Notes
• The PBX functions are controlled by the license. By default, PBX functions are disabled
  on a newly purchased device. To use the PBX functions, apply for and purchase the
  license from the Huawei local office.
• In this configuration example, the country code and area code in China are used as an
  example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
  uploaded/downloaded to the storage media.
• The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
  in the voice view to change the working mode. Delete SIP AG/PBX configurations
  before changing the working mode. After changing the working mode, restart the device
  to make the configuration take effect.
• Run the display voice country-code command to view the default country code and area
  code in the system before deleting the call prefix that the user has entered. N indicates
  the start digit to be deleted, while M indicates the total number of digits to be deleted. N
  is calculated using the formula:
  N = Number of country code digits + Number of prefix digits + Number of area code digits + 1
  M specifies the number of call prefix digits. For example, when a user needs to dial 9
  before dialing an external number, N is 7 and M is 1 (inter-office call prefix: 9):
  N = 2 (country code: 86) + 2 (prefix: 00) + 2 (area code: 25) + 1 = 7

13.1.5 Example for Configuring Voice and Internet Services for a Small- or Medium-sized Enterprise

Specifications
Applicable products and versions
• Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
• Versions
  Versions from V200R001C01 to V200R002C00

Networking Requirements
As shown in Figure 13-5:
• Ethernet2/0/1 accesses the LAN within an enterprise. The IP address of Ethernet2/0/1 is
  192.168.1.1/24.
• Ethernet2/0/0 connects to the carrier's device. Dial-up and NAT need to be configured on
  the router so that users can access the external network.
• Internal users of an enterprise call each other through the PBX and call the external users
  through the AT0 trunk.
• The carrier allocates the number 56623000 to the enterprise. External users can dial the
  number 56623000 to query internal extension numbers. External users can also dial the
  number 56623000, and then the call is transferred to an internal user.

NOTE
This example uses the voice tone "Please dial the extension number, or dial zero for the operator."

Figure 13-5 Networking diagram

Procedure
Step 1 Configure NAT and dial-up.
#
dialer-rule //Enter the dialer-rule view.
dialer-rule 1 ip permit //Set the number of dialer ACL to 1.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol of the dialer interface.
ip address ppp-negotiate //Configure IP addresses for client interfaces through PPP IP address negotiation.
ppp chap user client //Configure a user name for CHAP authentication.
ppp chap password cipher client //Configure a password for CHAP authentication.
dialer user server //Enable the RS-DCC function and configure a user name for PPPoE server.
dialer bundle 1 //Specify the dialer bundle number as 1.
dialer-group 1 //Configure a dialer access group for dialer interfaces and set the dialer access group number to 1.
nat outbound 2000 //Enable NAT on interfaces.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable the PPPoE client on the Ethernet interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure external network access through static routes and specify Dialer 0 as the outbound interface.

Step 2 Configure the voice service.


sysname RouterA
voice //Enter the voice view.
#
pbx //Enter the PBX view.
pbx string-parameter 0 86 //Configure a country code.
pbx string-parameter 1 25 //Configure an area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status 1 //Specify the RBT file for the enterprise.
dn-set local //Configure a DN set.
#
callprefix 8 //Create a call prefix profile.
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set.
centrex - //Configure a Centrex group.
prefix 8 //Configure a call prefix profile.
call-type category 0 attribute 0 //Configure the call category and call attribute of a call prefix.
maximum-length 3 //Configure the maximum length of a number that can be parsed.
minimum-length 3 //Configure the minimum length of a number that can be parsed.
#
callprefix 9
enterprise hw
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office //Specify the inter-office attribute.
#
pbxuser 800 //Configure a PBX user.
type port 1/0/0 //Set the user type of PBX to POTS.
enterprise hw //Configure an enterprise.
#
pbxuser 801
type port 1/0/1
enterprise hw
#
pbxuser 802
type port 1/0/2
enterprise hw
#
dialno 800 //Create PBX user identifier 800.
pbxuser 800 //Bind the user identifier 800 to PBX user 800.
telno 86 25 800 //Set the country code to 86, area code to 25, and number to 800.

dn-set local //Set the DN set for PBX users.
callout-right 3 //Set the call-out rights for international calls.
callin-right 3 //Set the call-in rights for international calls.
service-right call-transfer enable //Enable the call transfer service.
#
dialno 801
pbxuser 801
telno 86 25 801
dn-set local
callout-right 3
callin-right 3
#
dialno 802
pbxuser 802
telno 86 25 802
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0 //Configure an AT0 trunk group.
signalling fxo //Set the signaling type to FXO for the trunk group.
enterprise hw //Set the enterprise that is bound to the trunk group to hw.
dn-set local //Set the DN set that is bound to the trunk group to local.
callin-right 3 //Set the call-in rights for international calls.
callout-right 3 //Set the call-out rights for international calls.
#
ivr-group ivr1 //Create an IVR group.
enterprise hw //Configure the enterprise hw for the IVR group.
dn-set local //Configure a DN set for the IVR group.
access-telno 86 25 800 //Configure the access number for the IVR group.
condition caller-telno disable //Apply the IVR group to all callers.
condition time-period disable //Configure the IVR group to be always valid.
condition time-repeat disable //Disable the time-repeat condition.
console-telno 0 //Configure a switchboard number for the IVR group.
tone-id file flash:/sss.wav //Set the tone ID of the IVR group to sss.wav.
#
groupmember ivr1 //Create a group member.
enterprise hw //Specify the enterprise that the group member belongs to.
group-name ivr1 //Configure the service group bound to the group member.
telno 86 25 800 //Configure the registration number for the group member.
condition time-period disable
condition time-repeat disable
member-index 1
#
trunk-at0 at0
port fxo 1/0/4 //Set the port that is bound to AT0 trunk to fxo 1/0/4.
trunkgroup at0 //Set the trunk group to AT0.
default-called-telno 800 //Set the called number of incoming calls on the AT0 trunk to 800.
reversepole-detect false //Disable polarity reversal detection.
#
callroute 9 //Create call route 9.
enterprise hw //Configure the enterprise hw for the call route.
dn-set local //Configure the DN set for the call route.
centrex - //Configure the router not to bind the Centrex group to the call route.
callprefix 9 //Set the call prefix that is bound to the call route to 9.
condition time-period disable //Configure the call route to be always valid.
condition time-repeat disable //Configure the call route to be always valid.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Configure AT0 trunk group for the call route.
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Bind the enterprise hw to the post-routing number change plan.
dn-set local //Bind the DN set to the number change plan.
centrex - //Configure the router not to bind the Centrex group to the number change plan.
callprefix 9 //Bind call prefix 9 to the number change plan.
condition caller-telno disable //Configure the number change plan for all callers.
trunkgroup at0 //Bind the AT0 trunk group to the number change plan.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return

Step 3 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A, User B, and User C can call each other.
3. User A, User B, and User C can make inter-office calls.
4. Users connected to Ethernet2/0/1 can access the external network.

----End

Configuration Notes
- The dialer rule number in dialer-rule must be the same as the dialer rule number in
  dialer-group. The bundle number in dialer bundle must be the same as the
  dial-bundle-number value in pppoe-client.
- When PPP encapsulation is enabled on a dialer interface, run the dialer user command
  to configure the user name for the remote end.
- The user name and password for PPP authentication on the dialer interface must be the
  same as those configured on the PPPoE server.
- The PBX functions are controlled by the license. By default, PBX functions are disabled
  on a newly purchased device. To use the PBX functions, apply for and purchase the
  license from the Huawei local office.
- In this configuration example, the country code and area code in China are used as an
  example.
- If the user-defined RBT is used, ensure that the RBT file has been made and
  uploaded/downloaded to the storage media.
- The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
  in the voice view to change the working mode. Delete SIP AG/PBX configurations
  before changing the working mode. After changing the working mode, restart the device
  to make the configuration take effect.
- Run the display voice country-code command to view the default country code and area
  code in the system before deleting the call prefix that the user has entered. In the
  called del N M command, N indicates the start digit to be deleted, while M indicates the
  total number of digits to be deleted. N is calculated using the formula:
  N = Number of country code digits + Number of prefix digits + Number of area code
  digits + 1
  M specifies the number of call prefix digits. For example, when a user needs to dial 9
  before dialing an external number, N is 7 and M is 1 (inter-office call prefix: 9):
  N = 2 (country code: 86) + 2 (prefix: 00) + 2 (area code: 25) + 1 = 7

13.1.6 Example for Configuring Voice Services Across Areas Through an IPSec Tunnel

Specifications
Applicable products and versions
- Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
- Version
  This example applies to versions from V200R001C01 (included) to V200R002C00
  (included).

Networking Requirements
As shown in Figure 13-6, two departments of an enterprise are located in different areas.
RouterA and RouterB are used as their gateways. RouterA and RouterB are connected
through an IPSec tunnel to implement voice services between the two departments. After voice
services are deployed on RouterA and RouterB through SIP trunks, enterprise users can use
the voice services across areas. Internal users use the AT0 trunk to call external users. The
requirements are as follows:
- User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
  inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
  and branch is 20000.
- User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
  inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
  and branch is 20000.
- The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterA are 10.138.163.2/30 and
  192.168.1.1/24. The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterB are
  10.138.162.2/30 and 192.168.2.1/24.
- The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
  5070. The media and signaling IP address of RouterB is 192.168.2.1 and the signaling
  port is 5070.
- The carrier allocates the number 56623000 to the enterprise headquarters. If external
  users dial the number 56623000, the phone of User A rings and the call transfer service
  is enabled. When external users call other internal users, the phone of User A transfers
  the calls.
- The carrier allocates the number 28963000 to the enterprise branch. If external users dial
  the number 28963000, the phone of User C rings and the call transfer service is enabled.
  When external users call other internal users, the phone of User C transfers the calls.

Figure 13-6 Configuring voice services across areas through an IPSec tunnel

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Create ACL 3000 to define the data flow protected by the IPSec tunnel.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal a //Configure an IPSec proposal a.
#
ike peer a v1 //Configure an IKE peer a.
pre-shared-key huawei123 //Set the shared key to huawei123.
remote-address 10.138.162.2 //Set the IP address of the remote IKE peer to 10.138.162.2.
#
ipsec policy a 10 isakmp //Configure an IPSec policy a.
security acl 3000 //Associate the IPSec policy with ACL 3000.
ike-peer a //Associate the IKE peer a with the IPSec policy.
proposal a //Associate the IPSec proposal a with the IPSec policy.
#
interface Ethernet2/0/0
ip address 10.138.163.2 255.255.255.252
ipsec policy a //Apply the IPSec policy on the interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.163.1 //Configure an IP route to reach external networks.
#
return
system-view
voice
voip-address signalling interface Ethernet 2/0/1 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet 2/0/1 192.168.1.1 //Configure a media IP address.
#
pbx
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set local.
#
callprefix 9 //Create a call prefix profile 9.
enterprise hw //Bind the enterprise hw to the call prefix.
dn-set local //Bind the DN set local to the call prefix.
centrex - //Configure the router not to bind a Centrex group to the call prefix.
prefix 9 //Set the call prefix to 9.
call-type category 0 attribute 0 //Set the call type to local.
maximum-length 15 //Set the maximum number length to 15.
minimum-length 1 //Set the minimum number length to 1.
destination-location inter-office //Specify the inter-office attribute.
#
callprefix 2222
enterprise hw
dn-set local
centrex -
prefix 2222
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver //Configure a SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
pbxuser 22223000 //Create a PBX user 22223000.
type port 1/0/0 //Set the PBX user type to POTS and bind the physical interface to the user.
enterprise hw //Bind the enterprise hw to the PBX user.
#
pbxuser 22223001
type port 1/0/1
enterprise hw
#
pbxuser 22223002 //Create a PBX user 22223002.
type sipue 22223002 //Set the PBX user type to SIP UE and the user identifier to 22223002.
enterprise hw
#
dialno 22223000 //Create a PBX user identifier 22223000.
pbxuser 22223000 //Bind the user identifier 22223000 to the PBX user 22223000.
telno 86 25 22223000 //Set a telephone number for the PBX user.
dn-set local //Bind the DN set local to the PBX user.
callout-right 3 //Set the call-out right of the PBX user to international toll call.
callin-right 3 //Set the call-in right of the PBX user to international toll call.
service-right call-transfer enable //Enable the call transfer service.
#
dialno 22223001
pbxuser 22223001
telno 86 25 22223001
dn-set local
callout-right 3
callin-right 3
#
dialno 22223002
pbxuser 22223002
telno 86 25 22223002
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0 //Configure an AT0 trunk group.
signalling fxo //Configure the signaling type of the AT0 trunk group.
enterprise hw //Bind the enterprise hw to the AT0 trunk group.
dn-set local //Bind the DN set local to the AT0 trunk group.
callin-right 3 //Configure the call-in right of the AT0 trunk group to international toll call.
callout-right 3 //Configure the call-out right of the AT0 trunk group to international toll call.
#
trunkgroup sipip //Configure a SIP trunk group.
signalling sip //Configure the signaling type of the SIP trunk group.
enterprise hw //Bind the enterprise hw to the SIP trunk group.
dn-set local //Bind the DN set local to the SIP trunk group.
callin-right 3 //Configure the call-in right of the SIP trunk group to international toll call.
callout-right 3 //Configure the call-out right of the SIP trunk group to international toll call.
sip reg-mode 0 //Configure the SIP trunk group registration mode.
sip mgc-type 1 //Configure the SIP trunk group adaptation mode.
sip signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP trunk group to 192.168.1.1.
sip signalling-port 5070 //Set the signaling port of the SIP trunk group to 5070.
sip media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
sip peer static 192.168.2.1 5070 //Set the peer signaling IP address of the SIP trunk group to 192.168.2.1 and the signaling port to 5070.
sip register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
sip home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
#
trunk-at0 at0 //Configure an AT0 trunk.
port fxo 1/0/4 //Bind the physical interface to the AT0 trunk.
trunkgroup at0 //Bind the trunk to the AT0 trunk group.
default-called-telno 22223000 //Set the default called number to 22223000.
reversepole-detect false //Disable reverse pole signal detection.
#
callroute 9 //Configure a call route 9.
enterprise hw //Bind the enterprise hw to the call route.
dn-set local //Bind the DN set local to the call route.
centrex - //Configure the router not to bind a Centrex group to the call route.
callprefix 9 //Bind call prefix 9 to the call route.
condition time-period disable //Configure the call route to be always valid.
condition time-repeat disable //Disable the time-repeat condition.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Bind the enterprise hw to the post-routing number change.
dn-set local //Bind the DN set local to the post-routing number change.
centrex - //Configure the router not to bind a Centrex group to the post-routing number change.
callprefix 9 //Bind call prefix 9 to the post-routing number change.
condition caller-telno disable //Configure the number change for all callers.
trunkgroup at0 //Bind the AT0 trunk group to the post-routing number change.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 7 5
#
return

Step 2 Configure RouterB.


sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal b
#
ike peer b v1
pre-shared-key huawei123
remote-address 10.138.163.2
#
ipsec policy b 10 isakmp
security acl 3000
ike-peer b
proposal b
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher *********** //The password is admin@12345
local-user admin service-type http
#
interface Ethernet2/0/0
ip address 10.138.162.2 255.255.255.252
ipsec policy b
#
interface Ethernet2/0/1
ip address 192.168.2.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.162.1
return
system-view
voice
voip-address media interface Ethernet 2/0/1 192.168.2.1
voip-address signalling interface Ethernet 2/0/1 192.168.2.1
#
pbx
pbx string-parameter 0 86
pbx string-parameter 1 25
#
enterprise hw
dn-set local
#
callprefix 9
enterprise hw
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office
#
callprefix 3333
enterprise hw
dn-set local
centrex -
prefix 3333
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver
signalling-ip 192.168.2.1
signalling-port 5060
media-ip 192.168.2.1
register-uri huawei.com
home-domain huawei.com
#
pbxuser 33333000
type port 1/0/0
enterprise hw
#
pbxuser 33333001
type port 1/0/1
enterprise hw
#
pbxuser 33333002
type sipue 33333002
enterprise hw
#
dialno 33333000
pbxuser 33333000
telno 86 755 33333000
dn-set local
callout-right 3
callin-right 3
service-right call-transfer enable
#
dialno 33333001
pbxuser 33333001
telno 86 755 33333001
dn-set local
callout-right 3
callin-right 3
#
dialno 33333002
pbxuser 33333002
telno 86 25 33333002
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0
signalling fxo
enterprise hw
dn-set local
callin-right 3
callout-right 3
#
trunkgroup sipip
signalling sip
enterprise hw
dn-set local
callin-right 3
callout-right 3
sip reg-mode 0
sip mgc-type 1
sip signalling-ip 192.168.2.1
sip signalling-port 5070
sip media-ip 192.168.2.1
sip peer static 192.168.1.1 5070
sip register-uri huawei.com
sip home-domain huawei.com
#
trunk-at0 at0
port fxo 1/0/4
trunkgroup at0
default-called-telno 33333000
reversepole-detect false
#
callroute 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup at0
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition caller-telno disable
trunkgroup at0
caller no-change
called del 8 1
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 8 5
#
return

Step 3 Verify the configuration.


1. User A, User B, User C, User D, User E, and User F can talk with each other.
2. User A, User B, User C, User D, User E, and User F can call external users.
3. When dialing the number 56623000, external users can talk with User A, User B and
User E.
4. When dialing the number 28963000, external users can talk with User C, User D and
User F.

----End
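
What the two configurations above have to agree on (the shared key, ACLs that mirror each other, and each remote-address pointing at the peer's IPSec interface) can be checked offline before they are loaded. The Python below is an added example, not part of the original document or Huawei tooling; the function names and the trimmed excerpts are constructed here, and it also checks that the SIP trunk's signalling and media flows fall inside the protected ACL, because a flow outside it is forwarded without IPSec protection.

```python
import ipaddress
import re

# Constructed excerpts: only the tunnel-relevant lines of the RouterA and
# RouterB configurations on this page, in its "#"-separated layout.
ROUTER_A = """\
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ike peer a v1
pre-shared-key huawei123
remote-address 10.138.162.2
#
interface Ethernet2/0/0
ip address 10.138.163.2 255.255.255.252
ipsec policy a
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
trunkgroup sipip
sip signalling-ip 192.168.1.1
sip media-ip 192.168.1.1
sip peer static 192.168.2.1 5070
"""

ROUTER_B = """\
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ike peer b v1
pre-shared-key huawei123
remote-address 10.138.163.2
#
interface Ethernet2/0/0
ip address 10.138.162.2 255.255.255.252
ipsec policy b
#
interface Ethernet2/0/1
ip address 192.168.2.1 255.255.255.0
#
trunkgroup sipip
sip signalling-ip 192.168.2.1
sip media-ip 192.168.2.1
sip peer static 192.168.1.1 5070
"""

RULE = re.compile(r"^rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", re.M)

def _one(pattern, text):
    """Return the first capture group of the first match, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the facts on which both tunnel ends have to agree."""
    # ACL wildcards are host masks, which ipaddress.ip_network() accepts.
    flows = [(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}"))
             for s, sw, d, dw in RULE.findall(cfg)]
    tunnel_ip = None
    for stanza in re.split(r"^#\s*$", cfg, flags=re.M):
        # Tunnel endpoint = address of the interface that carries the policy.
        if stanza.lstrip().startswith("interface") and _one(r"^(ipsec policy) ", stanza):
            tunnel_ip = _one(r"^ip address (\S+) ", stanza)
    return {"flows": flows, "tunnel_ip": tunnel_ip,
            "psk": _one(r"^pre-shared-key (\S+)", cfg),
            "remote": _one(r"^remote-address (\S+)", cfg),
            "sip_local": {k: _one(rf"^sip {k}-ip (\S+)", cfg) for k in ("signalling", "media")},
            "sip_peer": _one(r"^sip peer static (\S+) ", cfg)}

def covered(flows, src, dst):
    """True if src -> dst matches a permit rule, i.e. is sent through the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in flows)

def check_pair(cfg_a, cfg_b):
    """Compare both tunnel ends; return findings (empty list when consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if not a["psk"] or a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ or are missing")
    if set(a["flows"]) != {(d, s) for s, d in b["flows"]}:
        findings.append("ACL rules are not mirror images of each other")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote"] != peer["tunnel_ip"]:
            findings.append(f"{name}: remote-address {me['remote']} is not the "
                            f"peer's IPSec interface {peer['tunnel_ip']}")
        for kind, local in me["sip_local"].items():
            dst = me["sip_peer"]
            if not (local and dst and covered(me["flows"], local, dst)):
                findings.append(f"{name}: SIP {kind} flow {local} -> {dst} is "
                                "outside the protected ACL")
    return findings

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "both ends are consistent")
```
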

Configuration Notes
- Both ends of the IPSec tunnel must use the same key.
- Configure an ACL to define the data flows to be protected.
- When an external user calls another external user on the other end of the tunnel, the next
  hop IP address of the route must be the IP address of the peer interface to which the
  IPSec policy is applied.
- The PBX functions are license controlled. By default, PBX functions are disabled on a
  device. To use the PBX functions, apply for and purchase the license from the Huawei
  local office.
- The country code and area code in China are used as an example.
- By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
  command in the voice view to switch to the other working mode. Clear the SIP AG or
  PBX configuration before switching the working mode. Restart the router after it
  switches to the other working mode.
- When configuring the post-routing number change plan, ensure that the digits to be
  deleted are call prefixes entered by the user. Run the display voice country-code
  command to check the default country code and area code before determining the first
  digit to be deleted. In the command output, N indicates the first digit to be deleted, while
  M indicates the number of digits to be deleted. In this example, when a user dials the
  digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
  1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
  and 9 is the outgoing prefix.
- After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
  SIP server or trunk group view for the configuration to take effect.
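
The N and M rule from the note on the post-routing number change plan (also stated in the notes of the previous example), as an added Python check that is not part of the original document: it recomputes called del N M for each afterroute-change stanza and shows what a rule does to a number. The function names, the excerpt and the dialed number are constructed; the layout of the rewritten number (the country code, 00 and area code digits counted by the formula, followed by the dialed digits) is an assumption, and only the total length of the leading digits affects N.

```python
import re

TOLL_PREFIX = "00"  # the two "prefix" digits counted by the page's formula

# Constructed excerpt: the two afterroute-change stanzas of RouterA.
ROUTER_A = """\
afterroute-change 9
callprefix 9
trunkgroup at0
called del 7 1
#
afterroute-change 20000
callprefix 20000
trunkgroup sipip
called del 7 5
"""


def expected_del(country_code, area_code, callprefix):
    """N and M for 'called del N M' according to the formula in the notes."""
    n = len(country_code) + len(TOLL_PREFIX) + len(area_code) + 1
    return n, len(callprefix)


def apply_del(number, n, m):
    """Delete m digits from number, starting at 1-based position n."""
    return number[:n - 1] + number[n - 1 + m:]


def rewrite(country_code, area_code, dialed, n, m):
    """Apply a rule to a dialed number (assumed layout: leading digits + dialed)."""
    lead = country_code + TOLL_PREFIX + area_code
    return apply_del(lead + dialed, n, m)


def audit(cfg, country_code, area_code):
    """Return one finding per stanza whose rule disagrees with the formula."""
    findings = []
    for stanza in re.split(r"^#\s*$", cfg, flags=re.M):
        prefix = re.search(r"^callprefix (\d+)", stanza, re.M)
        rule = re.search(r"^called del (\d+) (\d+)", stanza, re.M)
        if not (prefix and rule):
            continue
        want = expected_del(country_code, area_code, prefix.group(1))
        got = (int(rule.group(1)), int(rule.group(2)))
        if got != want:
            findings.append(f"callprefix {prefix.group(1)}: called del {got[0]} {got[1]}, "
                            f"formula gives {want[0]} {want[1]}")
    return findings


if __name__ == "__main__":
    print(audit(ROUTER_A, "86", "25") or "all rules match the formula")
    # Correct rule strips only the outgoing prefix 9 ...
    print(rewrite("86", "25", "956623000", 7, 1))
    # ... while N one too small removes an area code digit and keeps the 9.
    print(rewrite("86", "25", "956623000", 6, 1))
```
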

13.2 Versions Between V200R002C00SPC100 and V200R003C01

13.2.1 Example for Configuring Basic Voice Features


Specifications
Applicable products and versions
- Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
- Version
  This example applies to versions from V200R002C00SPC100 (included) to
  V200R003C01 (included).

Networking Requirements
As shown in Figure 13-7, RouterA functions as a PBX and RouterB functions as a SIP AG.
Voice services are configured on RouterA and RouterB to meet the following requirements:
- Users connected to RouterA can call each other.
- Users connected to RouterB can call each other.
- Users connected to RouterA and RouterB can call each other.
On the network, SIP UE1 is a VoIP phone.

Figure 13-7 Networking for basic voice feature configurations on AR routers

Procedure
Step 1 Configure RouterA.
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1
voip-address media interface Ethernet2/0/0 192.168.1.1
#
enterprise hw //Create an enterprise hw.
dn-set local //Create a DN set local.
#
sipserver //Configure a SIP server.
signalling-address ip 192.168.1.1 port 5060 //Set the signaling IP address of the SIP server to 192.168.1.1 and the signaling port to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
callprefix 2 //Create a call prefix profile 2.
prefix 2
enterprise hw dn-set local //Bind the enterprise hw and the DN set local to the call prefix.
call-type category basic-service attribute 0 //Set the call type to local.
digit-length 4 4 //Set the longest and shortest digit length to 4 and 4.
#
callprefix 3
prefix 3
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 4 4
#
pbxuser 2222 sipue enterprise hw //Configure a PBX user 2222, set its user type to SIP UE and the enterprise to hw.
sipue 2222 //Set the user identifier of the SIP UE user.
telno country-code 86 area-code 25 2222 //Set the telephone number of the SIP UE user.
dn-set local //Set the DN set of the SIP UE user to local.
call-right in international-toll out international-toll //Set the call-in and call-out rights of the PBX user.
#
pbxuser 2223 sipue enterprise hw
sipue 2223
telno country-code 86 area-code 25 2223
dn-set local
call-right in international-toll out international-toll
#
pbxuser 3000 pots enterprise hw //Configure a PBX user 3000, set its user type to POTS and set the enterprise to hw.
port 1/0/0 //Bind the physical port to the POTS user.
telno country-code 86 area-code 25 3000
dn-set local
call-right in international-toll out international-toll
#
pbxuser 3001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 3001
dn-set local
call-right in international-toll out international-toll
#
pbxuser 3002 sipue enterprise hw
sipue 3002
telno country-code 86 area-code 25 3002
dn-set local
call-right in international-toll out international-toll
#
return

Step 2 Configure RouterB.


sysname RouterB
#
interface Ethernet2/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address signalling interface Ethernet 2/0/0 192.168.1.2
voip-address media interface Ethernet 2/0/0 192.168.1.2

Issue V3.2 (2019-08-02) Copyright © Huawei Technologies Co., Ltd. 647


Huawei AR Series Access Routers
CLI-based Typical Configuration Examples 13 Deploying Voice

#
sipag 1 //Create a SIP AG 1.
signalling-addr 192.168.1.2 5060 //Set the signaling IP address of the SIP AG to 192.168.1.2 and the signaling port to 5060.
media-addr 192.168.1.2 //Set the media IP address of the SIP AG to 192.168.1.2.
primary-proxy-addr static 192.168.1.1 5060 //Set the IP address of the primary proxy server to 192.168.1.1 and the signaling port to 5060.
home-domain huawei.com //Set the home domain name of the SIP AG to huawei.com.
#
sipaguser 1 port 1/0/0 //Create a SIP AG user and specify its interface number.
base-telno 2222 //Set a telephone number for the SIP AG user.
agid 1 //Set the SIP AG ID for the SIP AG user to 1.
#
sipaguser 2 port 1/0/1
base-telno 2223
agid 1
#
return

Step 3 Verify the configuration.


- Users connected to RouterA can call each other.
- Users connected to RouterB can call each other.
- Users connected to RouterA and RouterB can call each other.

----End

Configuration Notes
- The PBX functions are license controlled. By default, PBX functions are disabled on a
  device. To use the PBX functions, apply for and purchase the license from the Huawei
  local office.
- The country code and area code in China are used as an example. The devices do not
  support user-defined country codes and area codes.
- Users connected to the SIP AG are configured on the PBX and the user type must be set
  to SIP UE.
- The media IP address and the proxy IP address configured on the SIP AG must be
  reachable to each other.
- By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
  command in the voice view to switch to the other working mode. Clear the SIP AG or
  PBX configuration before switching the working mode. Restart the router after it
  switches to the other working mode.
- After configuring a SIP server, reset the SIP server for the configuration to take effect.

13.2.2 Example for Configuring Voice Services for a Small- or Medium-sized Enterprise

Specifications
Applicable products and versions
- Product
  Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
  features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
  support voice features. To use the voice feature on the AR2200 and AR3200 series
  routers, you are advised to install the DSP module.
- Version
  This example applies to versions from V200R002C00SPC100 (included) to
  V200R003C01 (included).

Networking Requirements
As shown in Figure 13-8, an enterprise has POTS users: User A, User B, User C, and User D.
The requirements are as follows:
- RouterA functions as a PBX and RouterB functions as a SIP AG.
- Internal calls of the enterprise are connected through the PBX, and outgoing calls from
  the enterprise are connected to external users through the AT0 trunk.
- The carrier allocates the number 56623000 to the enterprise. External users can dial the
  number 56623000 to query internal extension numbers. External users can also dial the
  number 56623000, and then the call is transferred to an internal user.
NOTE

This example uses the voice tone "Please dial the extension number, or dial zero for the operator."

Figure 13-8 Configuring voice services for a small- or medium-sized enterprise

Procedure
Step 1 Configure RouterA.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
- V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
- V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C00SPC100 is used.

#
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP address.
pbx default-country-code 86 //Configure a default country code.
pbx default-area-code 25 //Configure a default area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status pass //Specify the RBT file for the enterprise.
dn-set local //Configure a DN set local.
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 800 reversepole-detect disable
#
callprefix 8 //Create a call prefix profile 8.
prefix 8 //Set the call prefix to 8.
enterprise hw dn-set local //Configure an enterprise hw and a DN set local.
call-type category basic-service attribute 0 //Configure the call type and the basic service attribute.
digit-length 3 3 //Configure the shortest and longest digit length.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the inter-office attribute.
callroute trunkgroup1 at0
#
pbxuser 800 pots enterprise hw //Configure a PBX user, set the user type and enterprise.
port 1/0/0 //Bind the physical port to the PBX user.
telno country-code 86 area-code 25 800 //Set a telephone number for the PBX user.
dn-set local //Set a DN set local for the PBX user.
call-right in international-toll out international-toll //Set the call-in and call-out rights of the PBX user.
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 801 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 801
dn-set local
call-right in international-toll out international-toll
#
pbxuser 802 pots enterprise hw
port 1/0/2
telno country-code 86 area-code 25 802
dn-set local
call-right in international-toll out international-toll
#
pbxuser 803 sipue enterprise hw
sipue 803
telno country-code 86 area-code 25 803
dn-set local
call-right in international-toll out international-toll
#
pbxusergroup ivr1 ivr enterprise hw //Create an IVR group.
dn-set local //Configure a DN set local for the IVR group.
access-telno country-code 86 area-code 25 800 //Configure a country code and an area code for the IVR group.
console-telno 0 //Configure a switchboard number for the IVR group.
tone-id file flash:/sss.wav //Set the tone ID of the IVR group to sss.wav.
group-member pbxuser 800 //Configure a group member.
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9 //Configure a call prefix for the post-routing number change.
trunk-group at0 //Configure a trunk group to a call route.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return

Step 2 Configure RouterB.


sysname RouterB
#
interface Ethernet2/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address signalling interface Ethernet 2/0/0 192.168.1.2
voip-address media interface Ethernet 2/0/0 192.168.1.2
#
sipag 1 //Create a SIP AG 1.
signalling-addr 192.168.1.2 5060 //Set the signaling IP address of the SIP AG to 192.168.1.2 and the signaling port to 5060.
media-addr 192.168.1.2 //Set the media IP address of the SIP AG to 192.168.1.2.
primary-proxy-addr static 192.168.1.1 5060 //Set the IP address of the primary proxy server to 192.168.1.1 and the signaling port to 5060.
home-domain huawei.com //Set the home domain name of the SIP AG to huawei.com.
#
sipaguser 1 port 1/0/0 //Create a SIP AG user and specify its interface number.
base-telno 803 //Set a telephone number for the SIP AG user.
agid 1 //Set the SIP AG ID for the SIP AG user to 1.
#
return

Step 3 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A, User B, User C, and User D can call each other.
3. User A, User B, User C, and User D can make inter-office calls.
----End

Configuration Notes
• The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
• The country code and area code in China are used as an example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
uploaded/downloaded to the storage media.
• Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 3 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.

13.2.3 Example for Configuring Voice Services Between the Headquarters and Branch Through Leased Lines

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-9, the headquarters and branch of enterprise A (hw) are located in
different areas. RouterA and RouterB function as gateways and are connected through the E1
leased line. After voice services are deployed on RouterA and RouterB, enterprise users can
use the voice services across areas. Internal users use the AT0 trunk to call external users.
Specifically:
• RouterA and RouterB use SIP IP trunks to implement voice services across areas.
• User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
• User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
• The IP address of Serial 2/0/0 on RouterA is 192.168.1.1/24 and the IP address of Serial
2/0/0 on RouterB is 192.168.1.2/24.
• The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
5070. The media and signaling IP address of RouterB is 192.168.1.2 and the signaling
port is 5070.
• The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
• The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.

Figure 13-9 Configuring voice services between the headquarters and branch through leased lines

Procedure
Step 1 Configure RouterA.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Serial 2/0/0 192.168.1.1
voip-address media interface Serial 2/0/0 192.168.1.1
pbx default-country-code 86
pbx default-area-code 25
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo //Configure an AT0 trunk group.
enterprise hw dn-set local
call-right in international-toll //Configure the call-in right.
call-right out international-toll //Configure the call-out right.
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable //Bind a trunk to the trunk group.
#
trunk-group sipip sip no-register //Configure a SIP trunk group.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.1 port 5070 //Set the signaling IP address of the SIP trunk group to 192.168.1.1 and the signaling port to 5070.
media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
peer-address static 192.168.1.2 5070 //Set the remote IP address of the SIP trunk group to 192.168.1.2 and the signaling port to 5070.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 2222
prefix 2222
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip //Configure a call route.
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9
trunk-group at0 //Configure a trunk group to a call route.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 7 5
#
return

Step 2 Configure RouterB.

interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface Serial 2/0/0 192.168.1.2
voip-address signalling interface Serial 2/0/0 192.168.1.2
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group sipip sip no-register
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.2 port 5070
media-ip 192.168.1.2
home-domain huawei.com
register-uri huawei.com
peer-address static 192.168.1.1 5070
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 3333
prefix 3333
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 755 33333000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 755 33333001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 8 1
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 8 5
#
return

Step 3 Verify the configuration.


1. User A and User B can talk with each other.
2. User C and User D can talk with each other.
3. User A, User B, User C, and User D can call external users.
4. When dialing the number 56623000, external users can talk with User A and User B.
5. When dialing the number 28963000, external users can talk with User C and User D.
----End

Configuration Notes
• The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
• The country code and area code in China are used as an example.
• Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 3 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
• After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
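
The del-offset and del-len rule in the note above can be checked mechanically against a saved configuration. The following Python sketch is an added example, not part of the Huawei guide: it parses the callprefix, pbxuser and afterroute-change blocks and reports every called del rule that does not follow the rule. Assumptions: the international toll call prefix is 00, the area code digits are counted as written in the telno command (25 has two digits, 755 has three, which yields the 7 and 8 used on RouterA and RouterB), the deletion is applied to the called number in global format, and all function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the number-handling lines of RouterB in this example
# (area code 755), in '#'-separated configuration-file form.
ROUTER_B = """\
#
callprefix 9
 prefix 9
#
callprefix 20000
 prefix 20000
#
pbxuser 33333000 pots enterprise hw
 telno country-code 86 area-code 755 33333000
#
pbxuser 33333001 pots enterprise hw
 telno country-code 86 area-code 755 33333001
#
afterroute-change 9
 callprefix 9
 called del 8 1
#
afterroute-change 20000
 callprefix 20000
 called del 8 5
#
return
"""


def parse_blocks(config):
    """Split a configuration dump into '#'-separated blocks of stripped lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the guide's inline // comments
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def audit(config, intl_prefix="00"):
    """Return (afterroute-change name, problem) pairs; an empty list means consistent."""
    codes, prefixes, rules = set(), {}, []
    for head, *body in parse_blocks(config):
        tokens = head.split()
        kind, name = tokens[0], tokens[1] if len(tokens) > 1 else ""
        if kind == "pbxuser":
            for line in body:
                m = re.match(r"telno country-code (\d+) area-code (\d+) \d+$", line)
                if m:
                    codes.add(m.groups())
        elif kind == "callprefix":
            for line in body:
                if line.startswith("prefix "):
                    prefixes[name] = line.split()[1]
        elif kind == "afterroute-change":
            ref = next((l.split()[1] for l in body if l.startswith("callprefix ")), None)
            rule = next((re.match(r"called del (\d+) (\d+)$", l) for l in body
                         if l.startswith("called del ")), None)
            rules.append((name, ref, rule))
    if len(codes) != 1:
        return [("config", "need exactly one country/area code pair, found %d" % len(codes))]
    country, area = next(iter(codes))
    # del-offset = intl prefix digits + country code digits + area code digits + 1
    want = len(intl_prefix) + len(country) + len(area) + 1
    findings = []
    for name, ref, rule in rules:
        if rule is None or ref not in prefixes:
            findings.append((name, "no 'called del' rule or unknown callprefix"))
            continue
        offset, length = int(rule.group(1)), int(rule.group(2))
        if offset != want:
            findings.append((name, "del-offset %d, expected %d" % (offset, want)))
        if length != len(prefixes[ref]):  # del-len = digits of the call prefix
            findings.append((name, "del-len %d, prefix %s has %d digits"
                             % (length, prefixes[ref], len(prefixes[ref]))))
    return findings


def apply_called_del(global_number, offset, length):
    """Delete `length` digits starting at 1-based position `offset`."""
    if offset < 1 or offset - 1 + length > len(global_number):
        raise ValueError("deletion range lies outside the number")
    return global_number[:offset - 1] + global_number[offset - 1 + length:]


if __name__ == "__main__":
    print(audit(ROUTER_B))
    # RouterA's rule (area code 25) pasted unchanged onto RouterB is flagged.
    print(audit(ROUTER_B.replace("called del 8", "called del 7")))
    print(apply_called_del("00" + "86" + "25" + "956623001", 7, 1))
```
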

13.2.4 Example for Configuring Access to the IMS Network Using a SIP AT0 Trunk

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-10, User A and User B belong to enterprise A. Enterprise A accesses
the IMS network using a SIP AT0 trunk.

The carrier allocates the number 56623000 to enterprise A. If external users dial the number
56623000, the phone of User A rings and the call transfer service is enabled. When external
users call other internal users, the phone of User A transfers the calls.

Figure 13-10 Networking diagram

Procedure
Step 1 Configure the voice service.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
voice
voip-address media interface Ethernet 2/0/0 192.168.1.3 //Configure a media address pool.
voip-address signalling interface Ethernet 2/0/0 192.168.1.3 //Configure a signaling address pool.
pbx default-country-code 86 //Configure a country code.
pbx default-area-code 25 //Configure an area code.
#
enterprise hw //Configure an enterprise.
dn-set local //Configure a DN set.
#
sipserver
signalling-address ip 192.168.1.3 port 5060
media-ip 192.168.1.3
register-uri huawei.com
home-domain huawei.com
#
trunk-group sipat0 sip trunk-circuit //Create a SIP AT0 trunk.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
country-code 86 area-code 25
default-caller-telno 2000
signalling-address ip 192.168.1.3 port 5070
media-ip 192.168.1.3
home-domain huawei.com
register-uri huawei.com
register-id 56623000 //Configure the registration number.
trunk-sipat0 56623000 default-called-telno 2000
peer-address static 192.168.1.1 5060
#
callprefix 2
prefix 2
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 4 8
#
callprefix 8
prefix 8
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the home area attribute of a call prefix to inter-office.
callroute trunkgroup1 sipat0
#
pbxuser 2000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 2000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 2001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 2001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 8
callprefix 8
trunk-group sipat0
caller no-change
called del 7 1
#
return

Step 2 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A and User B can call each other.
3. User A and User B can make inter-office calls.

----End

Configuration Notes
• The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
• In this configuration example, the country code and area code in China are used as an
example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
uploaded/downloaded to the storage media.
• The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 3 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.

13.2.5 Example for Configuring Voice and Internet Services for a Small- or Medium-sized Enterprise

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-11:
• Ethernet2/0/1 accesses the LAN within an enterprise. The IP address of Ethernet2/0/1 is
192.168.1.1/24.
• Ethernet2/0/0 connects to the carrier's device. Dial-up and NAT need to be configured on
the router so that users can access the external network.
• Internal users of an enterprise call each other through the PBX and call the external users
through the AT0 trunk.
• The carrier allocates the number 56623000 to the enterprise. External users can dial the
number 56623000 to query internal extension numbers. External users can also dial the
number 56623000, and then the call is transferred to an internal user.
NOTE

This example uses the voice tone "Please dial the extension number, or dial zero for the operator."

Figure 13-11 Networking diagram

Procedure
Step 1 Configure NAT and dial-up.
#
dialer-rule //Enter the dialer-rule view.
dialer-rule 1 ip permit //Set the number of dialer ACL to 1.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol of the dialer interface.
ip address ppp-negotiate //Configure IP addresses for client interfaces through PPP IP address negotiation.
ppp chap user client //Configure a user name for CHAP authentication.
ppp chap password cipher client //Configure a password for CHAP authentication.
dialer user server //Enable the RS-DCC function and configure a user name for PPPoE server.
dialer bundle 1 //Specify the dialer bundle number as 1.
dialer-group 1 //Configure a dialer access group for dialer interfaces and set the dialer access group number to 1.
nat outbound 2000 //Enable NAT on interfaces.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable the PPPoE client on Ethernet interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure external network access through static routes and specify Dialer 0 as the outbound interface.

Step 2 Configure the voice service.


NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
voice
pbx default-country-code 86 default-area-code 25 //Configure a country code and an area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status pass //Specify the RBT file for the enterprise.
dn-set local //Configure a DN set.
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 800 reversepole-detect disable
#
callprefix 8 //Create a call prefix profile.
prefix 8 //Configure a call prefix.
enterprise hw dn-set local //Configure an enterprise hw and a DN set.
call-type category basic-service attribute 0 //Configure the call type and the basic service attribute.
digit-length 3 3 //Configure the shortest and longest digit length.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the inter-office attribute.
callroute trunkgroup1 at0
#
pbxuser 800 pots enterprise hw //Configure a PBX user, set the user type and enterprise.
port 1/0/0 //Bind the physical port to the PBX user.
telno country-code 86 area-code 25 800 //Configure a telephone number for users.
dn-set local //Configure a DN set.
call-right in international-toll out international-toll //Set the call-in and call-out rights.
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 801 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 801
dn-set local
call-right in international-toll out international-toll
#
pbxuser 802 pots enterprise hw
port 1/0/2
telno country-code 86 area-code 25 802
dn-set local
call-right in international-toll out international-toll
#
pbxusergroup ivr1 ivr enterprise hw //Create an IVR group.
dn-set local //Configure a DN set for the IVR group.
access-telno country-code 86 area-code 25 800 //Configure the access number for IVR groups.
console-telno 0 //Configure a switchboard number for the IVR group.
tone-id file flash:/sss.wav //Set the tone ID of the IVR group to sss.wav.
group-member pbxuser 800 //Configure a group member.
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9 //Configure a call prefix for the post-routing number change.
trunk-group at0 //Configure AT0 trunk group for the call route.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return

Step 3 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A, User B, and User C can call each other.
3. User A, User B, and User C can make inter-office calls.
4. Users connected to Ethernet2/0/1 can access the external network.

----End

Configuration Notes
• The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer rule number in dialer bundle must be the same as the
dial-bundle-number value in pppoe-client.
• To configure PPP encapsulation on the dialer interface, run the dialer user command to
configure the user name for the PPPoE server.
• The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server.
• The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
• In this configuration example, the country code and area code in China are used as an
example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
uploaded/downloaded to the storage media.
• The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 3 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.

13.2.6 Example for Configuring Voice Services Across Areas Through an IPSec Tunnel

Specifications
Applicable products and versions
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-12, two departments of an enterprise are located in different areas.
RouterA and RouterB are used as their gateways. RouterA and RouterB are connected
through an IPSec tunnel to implement voice services between two departments. After voice
services are deployed on RouterA and RouterB through SIP trunks, enterprise users can use
the voice services across areas. Internal users use the AT0 trunk to call external users. The
details are as follows:
• User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
• User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
• The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterA are 10.138.163.2/30 and
192.168.1.1/24. The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterB are
10.138.162.2/30 and 192.168.2.1/24.
• The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
5070. The media and signaling IP address of RouterB is 192.168.1.2 and the signaling
port is 5070.
• The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
• The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.

Figure 13-12 Configuring voice services across areas through an IPSec tunnel

Procedure
Step 1 Configure RouterA.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
sysname RouterA
#
acl number 3000 //Define, in ACL 3000, the data flow to be protected by the IPSec tunnel.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal a //Configure IPSec proposal a.
#
ike peer a v1 //Configure IKE peer a.
pre-shared-key huawei123 //Set the shared key to huawei123.
remote-address 10.138.162.2 //Set the IP address of the remote IKE peer to 10.138.162.2.
#
ipsec policy a 10 isakmp //Configure IPSec policy a.
security acl 3000 //Associate the IPSec policy with ACL 3000.
ike-peer a //Associate IKE peer a with the IPSec policy.
proposal a //Associate IPSec proposal a with the IPSec policy.
#
interface Ethernet2/0/0
ip address 10.138.163.2 255.255.255.252
ipsec policy a //Apply the IPSec policy to the interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.163.1 //Configure a default route to reach external networks.
#
return
system-view
voice
voip-address signalling interface Ethernet 2/0/1 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet 2/0/1 192.168.1.1 //Configure a media IP address.
pbx default-country-code 86
pbx default-area-code 25
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo //Configure an AT0 trunk group.
enterprise hw dn-set local
call-right in international-toll //Configure the call-in right.
call-right out international-toll //Configure the call-out right.
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable //Bind a trunk to the trunk group.
#
trunk-group sipip sip no-register //Configure a SIP trunk group.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.1 port 5070 //Set the signaling IP address of the SIP trunk group to 192.168.1.1 and the signaling port to 5070.
media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
peer-address static 192.168.2.1 5070 //Set the remote IP address of the SIP trunk group to 192.168.2.1 and the signaling port to 5070.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 2222
prefix 2222
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip //Configure a call route.
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
pbxuser 22223002 sipue enterprise hw
sipue 22223002
telno country-code 86 area-code 25 22223002
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9
trunk-group at0 //Specify the trunk group to which the number change applies.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete one digit, starting at the seventh digit of the called number.
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 7 5
#
return

Step 2 Configure RouterB.


sysname RouterB
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal b
#
ike peer b v1
pre-shared-key huawei123
remote-address 10.138.163.2
#
ipsec policy b 10 isakmp
security acl 3000
ike-peer b
proposal b
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher *********** //The password is admin@12345
local-user admin service-type http
#
interface Ethernet2/0/0
ip address 10.138.162.2 255.255.255.252
ipsec policy b
#
interface Ethernet2/0/1
ip address 192.168.2.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.162.1
return
system-view
voice
voip-address media interface Ethernet 2/0/1 192.168.2.1
voip-address signalling interface Ethernet 2/0/1 192.168.2.1
pbx default-country-code 86
pbx default-area-code 755
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.2.1 port 5060
media-ip 192.168.2.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group sipip sip no-register
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.2.1 port 5070
media-ip 192.168.2.1
home-domain huawei.com
register-uri huawei.com
peer-address static 192.168.1.1 5070
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 3333
prefix 3333
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 755 33333000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 755 33333001
dn-set local
call-right in international-toll out international-toll
#
pbxuser 33333002 sipue enterprise hw
sipue 33333002
telno country-code 86 area-code 755 33333002
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 8 1
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 8 5
#
return

Step 3 Verify the configuration.


1. User A, User B, User C, User D, User E and User F can talk with each other.
2. User A, User B, User C, User D, User E and User F can call external users.
3. When dialing the number 56623000, external users can talk with User A, User B and
User E.
4. When dialing the number 28963000, external users can talk with User C, User D and
User F.

----End
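
As an added example (not part of the Huawei document and not Huawei code), the following Python script cross-checks the IPSec commands of Step 1 and Step 2 offline: matching pre-shared keys, mirrored ACL rules, and each remote-address pointing at the peer interface that carries the IPSec policy. The sample text is constructed from the RouterA and RouterB listings above; the function names and the template are hypothetical.

```python
"""Offline consistency check for the two ends of the RouterA/RouterB IPSec tunnel."""

# Constructed sample: the IPSec-related commands of Step 1 and Step 2, flattened
# the same way as in the listing (sub-commands unindented, '#' between sections).
TEMPLATE = """\
acl number 3000
rule 5 permit ip source {lan} 0.0.0.255 destination {remote_lan} 0.0.0.255
#
ipsec proposal {n}
#
ike peer {n} v1
pre-shared-key {psk}
remote-address {peer}
#
ipsec policy {n} 10 isakmp
security acl 3000
ike-peer {n}
proposal {n}
#
interface Ethernet2/0/0
ip address {wan} 255.255.255.252
ipsec policy {n}
#
interface Ethernet2/0/1
ip address {lan_ip} 255.255.255.0
"""
ROUTER_A = TEMPLATE.format(n="a", psk="huawei123", peer="10.138.162.2", wan="10.138.163.2",
                           lan="192.168.1.0", remote_lan="192.168.2.0", lan_ip="192.168.1.1")
ROUTER_B = TEMPLATE.format(n="b", psk="huawei123", peer="10.138.163.2", wan="10.138.162.2",
                           lan="192.168.2.0", remote_lan="192.168.1.0", lan_ip="192.168.2.1")


def sections(text):
    """Split a '#'-delimited configuration into (header, sub-commands) pairs."""
    out, cur = [], []
    for raw in text.splitlines() + ["#"]:
        line = raw.split("//")[0].strip()          # drop trailing //comments
        if line == "#":
            if cur:
                out.append((cur[0], cur[1:]))
            cur = []
        elif line:
            cur.append(line)
    return out


def tunnel_end(text):
    """Resolve interface -> IPSec policy -> ACL and IKE peer for one router."""
    acls, peers, policies, end = {}, {}, {}, None
    for header, body in sections(text):
        w = header.split()
        kv = dict(c.split(None, 1) for c in body if " " in c)
        if w[:2] == ["acl", "number"]:
            rules = set()
            for c in body:
                t = c.split()
                if "source" in t and "destination" in t:
                    i, j = t.index("source"), t.index("destination")
                    rules.add((tuple(t[i + 1:i + 3]), tuple(t[j + 1:j + 3])))
            acls[w[2]] = rules
        elif w[:2] == ["ike", "peer"]:
            peers[w[2]] = kv
        elif w[:2] == ["ipsec", "policy"]:
            policies[w[2]] = kv
        elif w[0] == "interface" and "ipsec" in kv:
            end = {"policy": kv["ipsec"].split()[-1],
                   "ip": kv.get("ip", "address ?").split()[1]}
    if end is None:
        raise ValueError("no interface has an IPSec policy applied")
    pol = policies.get(end["policy"], {})
    peer = peers.get(pol.get("ike-peer"), {})
    end["psk"] = peer.get("pre-shared-key")
    end["remote"] = peer.get("remote-address")
    end["flows"] = acls.get(pol.get("security", "acl ?").split()[-1], set())
    return end


def check_tunnel(cfg_a, cfg_b):
    """Return a list of mismatches between the two tunnel ends (empty = consistent)."""
    a, b = tunnel_end(cfg_a), tunnel_end(cfg_b)
    problems = []
    if not a["psk"] or a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ or are missing")
    for name, local, remote in (("A", a, b), ("B", b, a)):
        if local["remote"] != remote["ip"]:
            problems.append(f"Router{name} remote-address {local['remote']} is not the "
                            f"peer interface carrying the IPSec policy ({remote['ip']})")
    mirrored = {(dst, src) for src, dst in b["flows"]}
    if not a["flows"] or a["flows"] != mirrored:
        problems.append("ACL rules are not mirror images of each other")
    return problems


if __name__ == "__main__":
    print(check_tunnel(ROUTER_A, ROUTER_B) or "tunnel ends are consistent")
```

The key comparison assumes both ends store the key in the same form, as in the listing above, where it appears in plain text.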

Configuration Notes
• Both ends of the IPSec tunnel must use the same key.
• Configure an ACL to define the data flows to be protected.
• When an external user calls another external user on the other end of the tunnel, the next
hop IP address of the route must be the IP address of the peer interface to which the
IPSec policy is applied.
• The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
• The country code and area code in China are used as an example.
• Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
• After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
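
The del-offset rule above (repeated in the notes of the following examples) explains why RouterA uses called del 7 1 and called del 7 5 with area code 25, while RouterB uses called del 8 1 and called del 8 5 with area code 755. The Python script below is an added example, not Huawei code: it computes both parameters, models the deletion on a global-format number, and checks the afterroute-change blocks of a saved configuration against the rule. It assumes the international toll call prefix is 00 as stated above; the function names are hypothetical and the sample text is constructed from the RouterB listing.

```python
"""Derive and verify 'called del <del-offset> <del-len>' from the numbering plan."""
import re

# Constructed sample: voice commands taken from the RouterB listing (area code 755).
ROUTER_B_VOICE = """\
voice
pbx default-country-code 86
pbx default-area-code 755
#
callprefix 9
prefix 9
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 8 1
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 8 5
"""


def called_del_params(intl_prefix, country_code, area_code, call_prefix):
    """Return (del-offset, del-len) according to the rule in the notes."""
    offset = len(intl_prefix) + len(country_code) + len(area_code) + 1
    return offset, len(call_prefix)


def apply_called_del(number, offset, length):
    """Model the deletion: remove `length` digits starting at 1-based `offset`."""
    if offset < 1 or offset - 1 + length > len(number):
        raise ValueError("deletion range lies outside the number")
    return number[:offset - 1] + number[offset - 1 + length:]


def lint_number_changes(config, intl_prefix="00"):
    """Compare every afterroute-change block with the expected parameters.

    Returns a list of (call prefix, configured, expected) for each mismatch.
    Works with both pbx command forms quoted in the NOTE of Step 1.
    """
    cc = re.search(r"default-country-code\s+(\d+)", config)
    ac = re.search(r"default-area-code\s+(\d+)", config)
    if not (cc and ac):
        raise ValueError("default country code or area code not configured")
    findings = []
    for block in re.split(r"^#\s*$", config, flags=re.M):
        if not block.lstrip().startswith("afterroute-change"):
            continue
        prefix = re.search(r"^callprefix\s+(\d+)", block, re.M)
        deletion = re.search(r"^called del\s+(\d+)\s+(\d+)", block, re.M)
        if not (prefix and deletion):
            continue
        expected = called_del_params(intl_prefix, cc.group(1), ac.group(1), prefix.group(1))
        configured = (int(deletion.group(1)), int(deletion.group(2)))
        if configured != expected:
            findings.append((prefix.group(1), configured, expected))
    return findings


if __name__ == "__main__":
    print(called_del_params("00", "86", "25", "9"))        # RouterA, prefix 9
    print(apply_called_del("008625956623001", 7, 1))       # 00 86 25 + 9 + 56623001
    print(lint_number_changes(ROUTER_B_VOICE))
```

Copying RouterA's called del 7 1 into RouterB's configuration is reported as a mismatch for prefix 9, because the three-digit area code moves the prefix to the eighth position.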

13.2.7 Configuring the PBX to Use the E1R2 Trunk to Implement Voice Services Between the Headquarters and Branch

Specifications
Related Products and versions:
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-13, the headquarters and branch of enterprise A are located in
different areas. RouterA and RouterB are connected through the E1 trunk. After voice
services are deployed on RouterA and RouterB, enterprise users can use the voice services
across areas. Internal users use the AT0 trunk to call external users.
• RouterA and RouterB use the E1R2 trunk to implement voice services across areas.
• User A and User B belong to enterprise hw, the DN set is local, the call prefix is 2222,
the inter-office prefix of the AT0 trunk is 9, and the inter-office prefix between the
headquarters and branch is 20000.
NOTE

If the PBX has only one enterprise and DN set, default settings of the enterprise and DN set can be
used.
• User C and User D belong to enterprise hw, the DN set is local, the call prefix is 3333,
the inter-office prefix of the AT0 trunk is 9, and the inter-office prefix between the
headquarters and branch is 20000.
• The IP addresses of Serial 2/0/0 interfaces on RouterA and RouterB are 192.168.1.1/24
and 192.168.1.2/24.
• The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
• The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.

Figure 13-13 Configuring the PBX to use the E1R2 trunk to implement voice services
between the headquarters and branch

Procedure
Step 1 Configure RouterA.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C01 is used.

#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CAS //Configure the VE1 interface to work in CAS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the E1R2 trunk, the VE1 interface must work in CAS mode.
#
enterprise hw
dn-set local
#
r2 profile e1r2
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable
#
trunk-group e1r2 e1-r2
enterprise hw dn-set local
call-right in international-toll out international-toll
r2-profile e1r2
trunk-e1r2 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 2222
enterprise hw dn-set local
prefix 2222
call-type category basic-service attribute 0
digit-length 8 9
#
callprefix 20000
enterprise hw dn-set local
prefix 20000
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 e1r2
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 7 1
#
afterroute-change 20000
callprefix 20000
trunk-group e1r2
caller no-change
called del 7 5

Step 2 Configure RouterB.

#
sysname RouterB
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
pbx default-country-code 86 default-area-code 755
#
port ve1 2/0/0
signal CAS
#
enterprise hw
dn-set local
#
r2 profile e1r2
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group e1r2 e1-r2
enterprise hw dn-set local
call-right in international-toll out international-toll
r2-profile e1r2
trunk-e1r2 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 3333
enterprise hw dn-set local
prefix 3333
call-type category basic-service attribute 0
digit-length 8 9
#
callprefix 20000
enterprise hw dn-set local
prefix 20000
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 e1r2
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 755 33333000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 755 33333001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 8 1
#
afterroute-change 20000
callprefix 20000
trunk-group e1r2
caller no-change
called del 8 5

Step 3 Verify the configuration.


1. User A and User B can talk with each other.
2. User C and User D can talk with each other.
3. User A, User B, User C, and User D can call external users.
4. When dialing the number 56623000, external users can talk with User A and User B.
5. When dialing the number 28963000, external users can talk with User C and User D.

----End

Configuration Notes
• The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
• The country code and region code in China are used as an example.
• The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete SIPAG/PBX configurations before
switching. Restart the equipment after switching.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
• After the SIP server or SIP trunk is configured, reset the SIP server or SIP trunk to make
the setting take effect.

13.2.8 Example for Using the PRA Trunk to Connect to the PSTN Network

Specifications
Related Products and versions:
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-14, User A and User B belong to enterprise A. Enterprise A uses the
PRA trunk to connect to the PSTN network.
• The carrier allocates the number 56623000 to User A and 56623001 to User B.
• The inter-office call prefix is 9.

Figure 13-14 Using the PRA trunk to connect to the PSTN network

Procedure
Step 1 Perform voice service configuration.
NOTE

The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
• V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
• V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C01 is used.
#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CCS //Configure the VE1 interface to work in CCS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the PRA trunk, the VE1 interface must work in CCS mode.
#
enterprise hw
dn-set local
#
r2 signalling-type argentina
#
r2 signalling-type brazil
#
r2 signalling-type mexico
#
r2 signalling-type standard
#
trunk-group pra qsig-user
enterprise hw dn-set local
call-right in international-toll out international-toll
country-code 86 area-code 25
trunk-pra 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 pra
#
callprefix 2222
enterprise hw dn-set local
prefix 2222
call-type category basic-service attribute 0
digit-length 8 9
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group pra
caller no-change
called del 7 1

Step 2 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A and User B can call each other.
3. User A and User B can make inter-office calls.

----End

Configuration Notes
• The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
• The country code and region code in China are used as an example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
uploaded/downloaded to the storage media.
• The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete SIPAG/PBX configurations before
switching. Restart the equipment after switching.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.

13.2.9 Example for Configuring a PRA Trunk to Connect to the Traditional TDM PBX

Specifications
Related Products and versions:
• Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
• Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).

Networking Requirements
As shown in Figure 13-15, RouterA is a PBX and User 1 to User 28 connect to traditional
PBX users. To save enterprise investment and implement communication between users
connected to RouterA and the traditional PBX, enterprise A uses a PRA trunk to connect the
traditional PBX to RouterA.
• The numbers of User A and User B are 33333000 and 33333001.
• User 1 to User 28 are allocated numbers 56623001 to 56623028.
• When User A and User B call traditional PBX users, they want to dial the inter-office
call prefix 9.

Figure 13-15 Configuring a PRA trunk to connect to the traditional TDM PBX

Procedure
Step 1 Perform voice service configuration on RouterA.

#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CCS //Configure the VE1 interface to work in CCS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the PRA trunk, the VE1 interface must work in CCS mode.
#
enterprise hw
dn-set local
#
r2 signalling-type argentina
#
r2 signalling-type brazil
#
r2 signalling-type mexico
#
r2 signalling-type standard
#
trunk-group pra qsig-net
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-pra 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 pra
#
callprefix 3333
enterprise hw dn-set local
prefix 3333
call-type category basic-service attribute 0
digit-length 8 9
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 33333000
dn-set local
call-right in international-toll out international-toll
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 33333001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group pra
caller no-change
called del 7 1

Step 2 Verify the configuration.


1. When external users dial the number 56623000, they can dial extension numbers to
communicate with internal users.
2. User A and User B can call each other.
3. User A and User B can make inter-office calls.

----End

Configuration Notes
• The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
• The country code and region code in China are used as an example.
• If the user-defined RBT is used, ensure that the RBT file has been made and
uploaded/downloaded to the storage media.
• The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete SIPAG/PBX configurations before
switching. Restart the equipment after switching.
• A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
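
The offset arithmetic from the note above, as an added Python example (not Huawei code). It assumes, as the note describes, that the rule is applied to the called number in global format and that del-offset is a 1-based digit position; the names DialContext, apply_del, touched_parts and check_rule are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DialContext:
    """Number components from the note above (illustrative model, not a device API)."""
    intl_prefix: str   # international toll call prefix, e.g. "00"
    country_code: str  # e.g. "86"
    area_code: str     # e.g. "25"; may be empty

    def received(self, dialed: str) -> str:
        """Called number in global format as the PBX analyses it (assumed model)."""
        return self.intl_prefix + self.country_code + self.area_code + dialed

    def del_offset(self) -> int:
        """1-based position of the first dialed digit, i.e. of the call prefix."""
        return (len(self.intl_prefix) + len(self.country_code)
                + len(self.area_code) + 1)


def apply_del(number: str, offset: int, length: int) -> str:
    """Model of `called del <offset> <length>`: drop `length` digits from `offset`."""
    if offset < 1 or length < 1:
        raise ValueError("offset and length must be positive")
    if offset > len(number):
        raise ValueError("offset lies beyond the end of the number")
    return number[:offset - 1] + number[offset - 1 + length:]


def touched_parts(ctx: DialContext, dialed: str, offset: int, length: int) -> list:
    """Name the parts of the global number that the rule deletes digits from."""
    labels = (["international prefix"] * len(ctx.intl_prefix)
              + ["country code"] * len(ctx.country_code)
              + ["area code"] * len(ctx.area_code)
              + ["dialed digits"] * len(dialed))
    parts = []
    for label in labels[offset - 1:offset - 1 + length]:
        if label not in parts:
            parts.append(label)
    return parts


def check_rule(ctx: DialContext, call_prefix: str, number: str,
               offset: int, length: int):
    """Return (ok, result); ok is True only if exactly the call prefix is removed."""
    result = apply_del(ctx.received(call_prefix + number), offset, length)
    return result == ctx.received(number), result


if __name__ == "__main__":
    nanjing = DialContext("00", "86", "25")  # values taken from the note
    print("configure: called del", nanjing.del_offset(), len("9"))
    print(check_rule(nanjing, "9", "56623001", 7, 1))
    # An offset one position too small removes a digit of the area code instead.
    print(check_rule(nanjing, "9", "56623001", 6, 1),
          touched_parts(nanjing, "956623001", 6, 1))
```
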

13.2.10 Configuring the AR as the PSTN Gateway to Connect the LTE Network

Networking Requirements
An enterprise's external number allocated by the carrier is 99900002.
LTE user A calls PSTN user C. The MDC checks the internally configured office route and
detects that call 2000 is sent to the AR PSTN gateway. The AR is running properly. The
called number is sent to the AR. The AR receives the call message and detects that the
outgoing prefix is directed to the PSTN through the AT0 trunk, as shown in Figure 13-16.
PSTN user D calls public number 3000. The AR calls local IVR access number 12345
through the AT0 trunk, and triggers the IVR service to play a two-stage dial tone prompting
user D to dial 1000. The AR sends called number 1000 to the MDC, and changes calling
number 2001 to 99900002, as shown in Figure 13-17.

Figure 13-16 An LTE user is calling a PSTN user

Figure 13-17 A PSTN user is calling an LTE user

Data Plan

Table 13-1 SIP PRA trunk plan

| Signaling and Media IP Address | Port | Peer IP Address | Peer Port Number | Register Flag | Registration Password |
|---|---|---|---|---|---|
| 10.240.255.15 | 5063 | 10.240.255.11 | 5060 | 99900002 | 123456 |

Table 13-2 AT0 trunk plan

| Slot/Subcard/Port Number | Default Access Code |
|---|---|
| 2/0/4 | 12345 |

Table 13-3 Prefix plan

| Prefix | Type | Route |
|---|---|---|
| 0-8 | Outer-office | pstn |
| 9 | Outer-office | ttt |
| 12345 | IVR | - |

Procedure
Step 1 Router configuration
#
voice
voip-address signalling interface Vlanif 10 10.240.255.15 //Add the VLAN address to media and signaling IP addresses respectively.
voip-address media interface Vlanif 10 10.240.255.15
country-code 44 national-prefix //Configure the country code.
pbx default-country-code 44 default-area-code
#
trunk-group pstn fxo //Configure an AT0 trunk group.
call-right in international-toll out international-toll //Grant incoming and outgoing international toll call rights to the user.
trunk-at0 2/0/4 default-called-telno 12345 reversepole-detect disable //Configure the bound trunk circuit of the trunk group.
#
trunk-group ttt sip trunk-group //Create and enter the SIP PRA trunk group view.
call-right in international-toll out international-toll //Grant incoming and outgoing international toll call rights to the user.
signalling-address ip 10.240.255.15 port 5063 //Configure the local signaling IP address and port number.
media-ip 10.240.255.15 //Configure the local media IP address.
peer-address static 10.240.255.11 5060 //Configure the peer IP address and port number.
register-uri 10.240.255.11 //Configure the URI of the registration server.
home-domain 10.240.255.11 //Configure the home domain name of a peer trunk group.
register-id 99900002 password cipher //Configure a register flag and authentication password for a group.
Please input user password(8-32 chars):*********
number-parameter 27 0 //Configure the trunk group to disable number normalization.
number-parameter 42 0 //Configure the trunk group to disable dual-homing.
number-parameter 80 0 //Configure the SIP trunk group not to send the PAI or PPI header field.
#
callprefix 0 //Create a call prefix template.
prefix 0 //Configure a call prefix.
call-type category basic-service attribute 0 //Configure the call type and attributes for the prefix.
digit-length 1 35 //Configure the minimum and maximum number analysis lengths.
destination-location inter-office //Configure the location of the call prefix to inter-office calls.
callroute trunkgroup1 pstn //Configure the bound trunk group of the call route.
#
callprefix 1
prefix 1
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 2
prefix 2
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 3
prefix 3
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 4
prefix 4
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 5
prefix 5
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 6
prefix 6
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 7
prefix 7
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 8
prefix 8
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 900x
prefix 9
call-type category basic-service attribute 0
digit-length 4 4
destination-location inter-office
callroute trunkgroup1 ttt
#
callprefix ivr
prefix 12345
call-type category basic-service attribute 0
digit-length 5 5
#
pbxusergroup ivr ivr //Create an IVR group.
access-telno 12345 //Configure the access code for the IVR group.
#
afterroute-change elte //Create post-routing number conversion.
callprefix 900x //Configure the bound prefix of number conversion.
trunk-group ttt //Configure the bound trunk group of the call route.
caller del-then-Insert 5 4 99900002 //Configure conversion rules for calling numbers.
called no-change //Configure not to convert called numbers.

Step 2 Verify the configuration.


| Item | Expected Result |
|---|---|
| Outgoing call | PSTN user D calls public number 3000. The AR plays a two-stage dial tone prompting user D to dial 1000. User D talks with user A, and the called number is displayed as 99900002 on the called party's phone. |
| Incoming call | LTE user A calls PSTN user C. The two parties talk with each other after user C picks up the phone. |

----End

13.2.11 Configuring Rerouting Analysis to Ensure Voice Call Quality for Users with a Low Priority

Networking Requirements
To ensure sufficient bandwidth for established voice calls and for users with a high priority to
access at any time, configure the Call Admission Control (CAC) function on the AR.
CAC uses the SIP protocol to control the codec type carried by packets and remaining voice
bandwidth, and determines whether to allow new calls on the AR. On a live network, the total
voice bandwidth on the AR is determined by the minimal DSLM upstream/downstream
activation rate. In principle, the total voice bandwidth on the AR does not exceed the minimal
value. Otherwise, the voice quality of established calls may be compromised. After the CAC
function is configured on the AR and a new call is made, the AR senses the status of the voice
user, and allocates bandwidth from the remaining bandwidth for the current user. If the
bandwidth is insufficient, the call is rejected. By doing so, the CAC function ensures voice
quality of established calls.

Figure 13-18 CAC networking

Procedure
Step 1 Router configuration
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 //Configure the NAT policy for voice users on a private network.
#
nat cac enable bandwidth 100 //Enable the CAC function.
#
interface Ethernet0/0/0
undo portswitch
ip address 172.16.1.2 255.255.255.0
nat outbound 3000 //Configure NAT outbound on the WAN side, and perform source NAT for private network users.
#
interface Ethernet0/0/1
port link-type access
port default vlan 192
#
interface Vlanif192
ip address 192.168.1.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 172.16.1.1 //Configure default routing to the SBC.

----End

13.3 V200R005C10 and later versions

13.3.1 Example for Configuring Voice Services for Small- and Medium-sized Enterprises

Networking Requirements
The PBX configures the external number allocated to an enterprise by the carrier as the
automatic switchboard number. An outer-office user dials the external number and then dials
an extension number as prompted to connect to an intra-office user. Intra-office users make
calls to each other by dialing short numbers. Figure 13-19 shows the voice service network.
This topic assumes that you want to implement the following requirements:
- The country code is 86, and the area code is 571.
- The internal numbers of users A, B, and C are 7000, 7001, and 7100 respectively.
- Users A, B, and C belong to enterprise hw. The DN set is local. The intra-office call
  prefix is 7. The outgoing call prefix is 9. The incoming and outgoing call rights of all
  users are all.
- Both the signaling IP address and media IP address are 192.168.1.2.
- The automatic switchboard name is ivr. A number allocated by the PSTN is used as the
  automatic switchboard number, such as 28980808.
- Post-routing number change scheme 9 is configured to retain calling numbers and delete
  the first digit of called numbers when PBX users make outgoing calls through the FXO
  port.

Figure 13-19 Voice service network

Prerequisites
The IVR configuration has been completed. For details, see IVR. The value of vu-service-name
configured for the automatic switchboard is the value of service for the IVR.

Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.

Table 13-4 User number plan

| POTS User | SIP User | Remarks |
|---|---|---|
| 7000–7004 | 7100–7104 | PBX users |

Table 13-5 AT0 trunk plan

| Slot ID/Subcard ID/Port ID | Default Access Code | Route ID |
|---|---|---|
| 3/0/4 | 28980808 | 0 |

Table 13-6 Prefix plan

| Prefix | Type | Route |
|---|---|---|
| 7 | Intra-office | N/A |
| 9 | Outgoing | 0 |

Table 13-7 Post-routing number change plan

| Prefix | Outgoing Trunk | Called Number Change |
|---|---|---|
| 9 | AT0 | Deleting the first digit |

Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...

Step 2 Set the Ethernet IP address of interface GE0/0/0 to 192.168.1.2, and add 192.168.1.2 to the
media IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2

Step 3 Configure the SIP server.


[Huawei-voice] sipserver
[Huawei-voice-sipserver] signalling-address ip 192.168.1.2 port 5060
[Huawei-voice-sipserver] media-ip 192.168.1.2
[Huawei-voice-sipserver] register-uri abcd.com
[Huawei-voice-sipserver] home-domain abcd.com
[Huawei-voice-sipserver] reset
[Huawei-voice-sipserver] quit

Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.

[Huawei-voice] pbx default-country-code 86 default-area-code 571

Step 5 Configure the enterprise and DN set for numbers.


[Huawei-voice] enterprise hw
[Huawei-voice-enterprise-hw] dn-set local
[Huawei-voice-enterprise-hw] quit

Step 6 Set the enterprise and DN set of prefixes to hw and local, and configure intra-office call
prefix 7 whose call attribute is 0 and local call prefix 9 whose call attribute is 1. Configure
national toll call prefix 90 whose call attribute is 2 and international toll call prefix 900 whose
call attribute is 3.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set local
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 3 32
[Huawei-voice-callprefix-7] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] enterprise hw dn-set local
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callprefix 90
[Huawei-voice-callprefix-90] enterprise hw dn-set local
[Huawei-voice-callprefix-90] prefix 90
[Huawei-voice-callprefix-90] call-type category basic-service attribute 2
[Huawei-voice-callprefix-90] digit-length 2 32
[Huawei-voice-callprefix-90] quit
[Huawei-voice] callprefix 900
[Huawei-voice-callprefix-900] enterprise hw dn-set local
[Huawei-voice-callprefix-900] prefix 900
[Huawei-voice-callprefix-900] call-type category basic-service attribute 3
[Huawei-voice-callprefix-900] digit-length 3 32
[Huawei-voice-callprefix-900] quit

Step 7 Configure the automatic switchboard.


Set the automatic switchboard name to ivr and automatic switchboard number to 28980808.
[Huawei-voice] callprefix ivr
[Huawei-voice-callprefix-ivr] prefix 28980808
[Huawei-voice-callprefix-ivr] enterprise hw dn-set local
[Huawei-voice-callprefix-ivr] call-type category vu-service vu-service-name vudefault
[Huawei-voice-callprefix-ivr] digit-length 8 32
[Huawei-voice-callprefix-ivr] save
[Huawei-voice-callprefix-ivr] quit

Step 8 Configure a SIP user whose user number is 7100, authentication password is a123456, and
incoming and outgoing call rights are all.
[Huawei-voice] pbxuser 7100 sipue enterprise hw
[Huawei-voice-pbxuser-7100] dn-set local
[Huawei-voice-pbxuser-7100] sipue 7100
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7100] quit

Step 9 Configure POTS users whose user numbers are 7000 and 7001 and incoming and outgoing
call rights are all.
[Huawei-voice] pbxuser 7000 pots enterprise hw
[Huawei-voice-pbxuser-7000] dn-set local
[Huawei-voice-pbxuser-7000] port 3/0/0
[Huawei-voice-pbxuser-7000] telno 7000
[Huawei-voice-pbxuser-7000] call-right in all
[Huawei-voice-pbxuser-7000] call-right out all
[Huawei-voice-pbxuser-7000] quit
[Huawei-voice] pbxuser 7001 pots enterprise hw
[Huawei-voice-pbxuser-7001] dn-set local
[Huawei-voice-pbxuser-7001] port 3/0/1
[Huawei-voice-pbxuser-7001] telno 7001
[Huawei-voice-pbxuser-7001] call-right in all
[Huawei-voice-pbxuser-7001] call-right out all
[Huawei-voice-pbxuser-7001] quit

Step 10 Configure an AT0 trunk group.


[Huawei-voice] trunk-group at0 fxo
[Huawei-voice-trunkgroup-at0] enterprise hw dn-set local
[Huawei-voice-trunkgroup-at0] trunk-at0 3/0/4 default-called-telno 28980808
[Huawei-voice-trunkgroup-at0] quit

Step 11 Configure a call route and post-routing number change.


[Huawei-voice] callroute 9
[Huawei-voice-calldroute-9] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] callroute 9
[Huawei-voice-callprefix-9] quit
[Huawei-voice] trunk-group at0
[Huawei-voice-trunkgroup-at0] callroute 9
[Huawei-voice-trunkgroup-at0] quit
[Huawei-voice] afterroute-change 9
[Huawei-voice-afterroute-change-9] callprefix 9
[Huawei-voice-afterroute-change-9] trunk-group at0
[Huawei-voice-afterroute-change-9] caller no-change
[Huawei-voice-afterroute-change-9] called del 1 1
[Huawei-voice-afterroute-change-9] save

Step 12 Verify the configuration.

| Item | Expected Result | Possible Fault Cause |
|---|---|---|
| Intra-office call | Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000. | The intra-office call prefix is incorrectly configured. |
| Outgoing call | Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can make an outgoing call through the AT0 trunk, and the calling number displayed to the called party is 28980808. | The outgoing call prefix is incorrectly configured. The outgoing trunk is incorrectly configured. |
| Incoming call | Calls can be made properly. For example, an outer-office user can dial 28980808 and then dial 7000 as prompted to connect to user 7000. | N/A |

----End

Configuration Files
- Router configuration
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
#
callroute 9
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group at0 fxo
enterprise hw dn-set local
trunk-at0 3/0/4 default-called-telno 28980808
callroute 9
#
callprefix 7
enterprise hw dn-set local
prefix 7
call-type category basic-service attribute 0
digit-length 3 32
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 9
#
callprefix 90
enterprise hw dn-set local
prefix 90
call-type category basic-service attribute 2
digit-length 2 32
#
callprefix 900
enterprise hw dn-set local
prefix 900
call-type category basic-service attribute 3
digit-length 3 32
#
callprefix ivr
enterprise hw dn-set local
prefix 28980808
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
pbxuser 7000 pots enterprise hw
telno 7000
dn-set local
port 3/0/0
call-right out all
#
pbxuser 7001 pots enterprise hw
telno 7001
dn-set local
port 3/0/1
call-right out all
#
pbxuser 7100 sipue enterprise hw
sipue 7100
telno 7100
dn-set local
call-right out all
eid-para password cipher %@%@nGE1Y)%q*~n14{5/1l2@,._1TrX7Eeq(Y>/,=AT'V"\~._4,%@%@
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 1 1
#
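
A cross-reference check for a listing in the layout shown above, as an added Python example (not Huawei tooling). It assumes the `#`-delimited blocks and the `callroute`, `trunk-group`, `callprefix`, `pbxuser` and `afterroute-change` block names used in this configuration file; the sample listing is constructed and contains two deliberate defects.

```python
from collections import defaultdict

# Constructed sample in the layout of the listing above, with two deliberate
# defects: callprefix 6 points at an undefined call route, and two POTS users
# are bound to the same port.
SAMPLE = """\
#
voice
pbx default-area-code 571
#
callroute 9
#
trunk-group at0 fxo
enterprise hw dn-set local
trunk-at0 3/0/4 default-called-telno 28980808
callroute 9
#
callprefix 9
prefix 9
callroute 9
#
callprefix 6
prefix 6
callroute 1
#
pbxuser 7000 pots enterprise hw
telno 7000
port 3/0/0
#
pbxuser 7001 pots enterprise hw
telno 7001
port 3/0/0
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 1 1
#
"""


def parse_blocks(text):
    """Split a '#'-delimited listing into (kind, name, body_lines) tuples."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    parsed = []
    for block in blocks:
        head = block[0].split()
        parsed.append((head[0], head[1] if len(head) > 1 else "", block[1:]))
    return parsed


def first_arg(body, keyword):
    """First argument of the first body line that starts with `keyword`."""
    for line in body:
        parts = line.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None


def check(text):
    """Return a list of cross-reference findings for the listing."""
    blocks = parse_blocks(text)
    routes = {name for kind, name, _ in blocks if kind == "callroute"}
    trunks = {name: body for kind, name, body in blocks if kind == "trunk-group"}
    prefixes = {name: body for kind, name, body in blocks if kind == "callprefix"}
    routed = {first_arg(body, "callroute") for body in trunks.values()} - {None}
    findings = []
    for name, body in prefixes.items():
        route = first_arg(body, "callroute")
        if route is None:
            continue  # intra-office prefix: no call route expected
        if route not in routes:
            findings.append(f"callprefix {name}: callroute {route} is not defined")
        elif route not in routed:
            findings.append(f"callprefix {name}: callroute {route} has no trunk group")
    ports = defaultdict(list)
    for kind, name, body in blocks:
        if kind == "pbxuser" and first_arg(body, "port"):
            ports[first_arg(body, "port")].append(name)
    for port, users in sorted(ports.items()):
        if len(users) > 1:
            findings.append(f"port {port}: bound to several users ({', '.join(users)})")
    for kind, name, body in blocks:
        if kind != "afterroute-change":
            continue
        for keyword, known in (("callprefix", prefixes), ("trunk-group", trunks)):
            ref = first_arg(body, keyword)
            if ref is not None and ref not in known:
                findings.append(f"afterroute-change {name}: {keyword} {ref} is not defined")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```
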

13.3.2 Example for Configuring Distributed Networking

Networking Requirements
To reduce toll call costs, an enterprise connects two branches in different cities through a SIP
trunk. Each branch connects to the IMS through a SIP AT0 trunk or connects to the PSTN
through a PRA trunk.
When an intra-office user in city A dials a PSTN number in city B, the call is routed by the
PBX to the IP PBX through the SIP IP trunk, routed by the IP PBX to the PSTN through the
PRA trunk, and finally connected to the outer-office user in city B. When an intra-office user
in city B dials a local number in city A, the call process is similar, in which the call is first
routed to the PBX.

This scenario reduces toll call costs. Figure 13-20 shows the distributed networking.

This topic assumes that you want to implement the following requirements:

- The country code is 86, the area code of city A is 571, and the area code of city B is 577.
- The IP address of the IMS is 192.168.1.4, and the port number is 5060.
- The automatic switchboard number of the PBX is 83787005, and the automatic
  switchboard number of the IP PBX is 83786005.
- PBX users and IP PBX users make calls to each other by dialing short numbers.
- When a PBX user or an IP PBX user dials a local number in city B, the call is routed
  through the IP PBX. If the calling user has a long number, the long number is displayed
  as the calling number. If the calling user does not have a long number, 83786005 is
  displayed as the calling number.
- When an IP PBX user or a PBX user dials a local number in city A, the call is routed
  through the PBX. If the calling user has a long number, the long number is displayed as
  the calling number. If the calling user does not have a long number, 83787005 is
  displayed as the calling number.

Figure 13-20 Distributed networking

Prerequisites
The IVR configuration has been completed. For details, see IVR. The value of vu-service-name
configured for the automatic switchboard is the value of service for the IVR.

Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.

Table 13-8 User number plan

| Short Number Segment | Long Number Segment | Local Device |
|---|---|---|
| 7000–7004 | 83787000–83787004 | PBX |
| 7100–7104 | N/A | PBX |
| N/A | 83786005 | Automatic switchboard of the PBX |
| 6000–6004 | 83786000–83786004 | IP PBX |
| 6100–6104 | N/A | IP PBX |
| N/A | 83787005 | Automatic switchboard of the IP PBX |

Table 13-9 IP address plan

| NE | IP Address | Subnet Mask |
|---|---|---|
| PBX | 192.168.1.2 | 255.255.255.0 |
| IP PBX | 192.168.1.3 | 255.255.255.0 |

Table 13-10 PRA trunk plan

| Slot ID/Subcard ID/Port ID | Route | Peer Office |
|---|---|---|
| 3/0/0 | 0 | PSTN |

Table 13-11 SIP IP trunk plan

| Signaling IP Address | Port Number | Media IP Address | Peer IP Address | Peer Port Number | Route |
|---|---|---|---|---|---|
| 192.168.1.2 | 5062 | 192.168.1.2 | 192.168.1.3 | 5062 | 1 |

Table 13-12 SIP AT0 trunk plan

| Signaling IP Address | Port Number | Media IP Address | Peer IP Address | Peer Port Number | Route | Registration ID | Registration Password |
|---|---|---|---|---|---|---|---|
| 192.168.1.2 | 5061 | 192.168.1.2 | 192.168.1.4 | 5060 | 3 | +862083787005@abcd.com | 123456 |

Table 13-13 Prefix plan

| Prefix | Type | Route | Calling Number Change | Called Number Change | Local Device |
|---|---|---|---|---|---|
| 7 | Intra-office | N/A | N/A | N/A | PBX |
| 83787 | Intra-office | N/A | N/A | N/A | PBX |
| 9 | Outgoing | 3 | Changing the number to 83786005 | Deleting the first digit | PBX |
| 6 | Outgoing | 1 | N/A | N/A | PBX |
| 90577 | Outgoing | 1 | N/A | N/A | PBX |
| 6 | Intra-office | N/A | N/A | N/A | IP PBX |
| 83786 | Intra-office | N/A | N/A | N/A | IP PBX |
| 9 | Outgoing | 0 | Changing the number to 83787005 | Deleting the first digit | IP PBX |
| 7 | Outgoing | 2 | N/A | N/A | IP PBX |
| 90571 | Outgoing | 2 | N/A | N/A | IP PBX |

Table 13-14 Post-routing number change plan

| Prefix | Outgoing Trunk | Calling Number Change | Called Number Change |
|---|---|---|---|
| 9 | PRA | 83786005 | Deleting the first digit |
| 9 | SIP AT0 | 83787005 | Deleting the first digit |

Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...

Step 2 Set the Ethernet IP address of interface GE0/0/0 to 192.168.1.2, and add 192.168.1.2 to the
media IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2

Step 3 Configure the SIP server.


[Huawei-voice] sipserver
[Huawei-voice-sipserver] signalling-address ip 192.168.1.2 port 5060
[Huawei-voice-sipserver] media-ip 192.168.1.2
[Huawei-voice-sipserver] register-uri abcd.com
[Huawei-voice-sipserver] home-domain abcd.com
[Huawei-voice-sipserver] reset
[Huawei-voice-sipserver] quit

Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.

[Huawei-voice] pbx default-country-code 86 default-area-code 571


[Huawei-voice] pbx enable-country-area-transform enable

Step 5 Configure the enterprise and DN set for numbers.


[Huawei-voice] enterprise hw
[Huawei-voice-enterprise-hw] dn-set hwdnset
[Huawei-voice-enterprise-hw] save
[Huawei-voice-enterprise-hw] quit

Step 6 Configure prefixes.


1. Configure intra-office call prefix 7 whose call attribute is 0.
The procedure for configuring outgoing call prefix 83787 is similar. You only need to
change the minimum number length to 8.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 4 32
[Huawei-voice-callprefix-7] quit

2. Configure prefix 9 whose call attribute is 1 and call route is 3.

Configure national toll call prefix 90 whose call attribute is 2 and call route is 0, and
configure international toll call prefix 900 whose call attribute is 3 and call route is 0.
For details, see the configuration of prefix 9.

[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callroute 3
[Huawei-voice-calldroute-3] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] callroute 3
[Huawei-voice-callprefix-9] quit

3. Configure prefix 6 whose call attribute is 1 and call route is 1.


Configure outgoing call prefix 90577 whose call attribute is 1 and call route is 1. For
details, see the configuration of prefix 6.
[Huawei-voice] callprefix 6
[Huawei-voice-callprefix-6] prefix 6
[Huawei-voice-callprefix-6] call-type category basic-service attribute 1
[Huawei-voice-callprefix-6] digit-length 4 32
[Huawei-voice-callprefix-6] quit
[Huawei-voice] callroute 1
[Huawei-voice-calldroute-1] quit
[Huawei-voice] callprefix 6
[Huawei-voice-callprefix-6] callroute 1
[Huawei-voice-callprefix-6] quit

4. Configure the automatic switchboard.


Set the automatic switchboard name to ivr and automatic switchboard number to
83786005.
[Huawei-voice] callprefix ivr
[Huawei-voice-callprefix-ivr] prefix 83786005
[Huawei-voice-callprefix-ivr] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-ivr] call-type category vu-service vu-service-name vudefault
[Huawei-voice-callprefix-ivr] digit-length 8 32
[Huawei-voice-callprefix-ivr] save
[Huawei-voice-callprefix-ivr] quit

Step 7 Configure user numbers.


1. Configure a SIP user whose user number is 7000, authentication password is a123456,
and incoming and outgoing call rights are all.
[Huawei-voice] pbxuser 7000 sipue
[Huawei-voice-pbxuser-7000] sipue 7000
[Huawei-voice-pbxuser-7000] telno 7000 long-telno 83787000
[Huawei-voice-pbxuser-7000] call-right in all
[Huawei-voice-pbxuser-7000] call-right out all
[Huawei-voice-pbxuser-7000] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7000] quit

2. Configure a POTS user whose user number is 7100 and incoming and outgoing call
rights are all.
[Huawei-voice] pbxuser 7100 pots
[Huawei-voice-pbxuser-7100] port 2/0/0
[Huawei-voice-pbxuser-7100] telno 7100 long-telno 83787100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] quit

Step 8 Configure trunk groups.


1. Configure a PRA trunk group.
<Huawei> system-view
[Huawei] set workmode slot 3 e1t1 e1-voice
Changing the working mode will reset the board in slot 3. Continue? [y/n]:y
INFO: Resetting board[3] succeeded.
[Huawei] voice
[Huawei-voice] port ve1 3/0/0
[Huawei-voice-ve1-3/0/0] signal ccs
Set signal type successfully
[Huawei-voice-ve1-3/0/0] quit
[Huawei-voice] quit
[Huawei] clock source 0 3/0/0
[Huawei] voice
[Huawei-voice] callroute 0
[Huawei-voice-calldroute-0] quit
[Huawei-voice] trunk-group pra dss1-user
[Huawei-voice-trunkgroup-pra] trunk-pra 3/0/0
[Huawei-voice-trunkgroup-pra] callroute 0
[Huawei-voice-trunkgroup-pra] quit

2. Configure a SIP AT0 trunk group.


[Huawei-voice] trunk-group sipat0 sip trunk-circuit
[Huawei-voice-trunkgroup-sipat0] signalling-address ip 192.168.1.2 port 5061
[Huawei-voice-trunkgroup-sipat0] media-ip 192.168.1.2
[Huawei-voice-trunkgroup-sipat0] peer-address static 192.168.1.4 5060
[Huawei-voice-trunkgroup-sipat0] register-uri abcd.com
[Huawei-voice-trunkgroup-sipat0] home-domain abcd.com
[Huawei-voice-trunkgroup-sipat0] trunk-sipat0 +862083787005@abcd.com default-called-telno 83787005 password cipher
Please input user password(1-32 chars):******
[Huawei-voice-trunkgroup-sipat0] number-parameter 19 1
[Huawei-voice-trunkgroup-sipat0] callroute 3
[Huawei-voice-trunkgroup-sipat0] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipat0] quit

3. Configure a SIP IP trunk group.


[Huawei-voice] trunk-group sipip01 sip no-register
[Huawei-voice-trunkgroup-sipip01] signalling-address ip 192.168.1.2 port 5062
[Huawei-voice-trunkgroup-sipip01] media-ip 192.168.1.2
[Huawei-voice-trunkgroup-sipip01] peer-address static 192.168.1.3 5062
[Huawei-voice-trunkgroup-sipip01] home-domain abcd.com
[Huawei-voice-trunkgroup-sipip01] register-uri abcd.com
[Huawei-voice-trunkgroup-sipip01] callroute 1
[Huawei-voice-trunkgroup-sipip01] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipip01] quit

Step 9 Configure post-routing number change for the PBX.


The procedure for configuring post-routing number change for the IP PBX is similar. You
only need to change the trunk to PRA and calling number to 83786005.
[Huawei-voice] afterroute-change 9_6xxx_sipat0
[Huawei-voice-afterroute-change-9_6xxx_sipat0] callprefix 9
[Huawei-voice-afterroute-change-9_6xxx_sipat0] trunk-group sipat0
[Huawei-voice-afterroute-change-9_6xxx_sipat0] condition caller-telno 6xxx
[Huawei-voice-afterroute-change-9_6xxx_sipat0] caller del-then-insert 1 32 83786005
[Huawei-voice-afterroute-change-9_6xxx_sipat0] called del 1 1
[Huawei-voice-afterroute-change-9_6xxx_sipat0] quit
[Huawei-voice] afterroute-change 9_7xxx_sipat0
[Huawei-voice-afterroute-change-9_7xxx_sipat0] callprefix 9
[Huawei-voice-afterroute-change-9_7xxx_sipat0] trunk-group sipat0
[Huawei-voice-afterroute-change-9_7xxx_sipat0] condition caller-telno 7xxx
[Huawei-voice-afterroute-change-9_7xxx_sipat0] caller del-then-insert 1 32 83787005
[Huawei-voice-afterroute-change-9_7xxx_sipat0] called del 1 1
[Huawei-voice-afterroute-change-9_7xxx_sipat0] quit

Step 10 Verify the configuration.

Item: Intra-office call
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to
user 7100 is 7000.
Possible Fault Cause: The intra-office call prefix is incorrectly configured.

Item: Outgoing call made by an intra-office user with a long number
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example:
- User 7000 can dial 6000 to make a call to user 6000, and the calling number displayed to user
  6000 is 7000.
- User 7000 can make an outgoing call through the SIP AT0 trunk, and the calling number displayed
  to the called party is 83787000.
- User 7000 can make an outgoing call through the PRA trunk, and the calling number displayed to
  the called party is 83787000.
Possible Fault Cause:
- The outgoing call prefix is incorrectly configured.
- The outgoing trunk is incorrectly configured, or the reset command is not executed after the
  configuration.

Item: Outgoing call made by an intra-office user without a long number
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example:
- User 7100 can dial 6000 to make a call to user 6000, and the calling number displayed to user
  6000 is 7100.
- User 7100 can make an outgoing call through the SIP AT0 trunk, and the calling number displayed
  to the called party is 83787005.
- User 7100 can make an outgoing call through the PRA trunk, and the calling number displayed to
  the called party is 83786005.
Possible Fault Cause: -

Item: Incoming call
Expected Result: Calls can be made properly. For example, an outer-office user can dial 83787005
and then dial 7000 as prompted to connect to user 7000.
Possible Fault Cause: N/A

----End

Configuration Files
- Router configuration
#
clock source 0 3/0/0 priority 9
#
set workmode slot 3 e1t1 e1-voice
#
interface GigabitEthernet0/0/0
ip address 192.168.200.155 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
port ve1 3/0/0
signal CCS
#
callroute 0
#
callroute 1
#
callroute 3

#
enterprise hw
dn-set hwdnset
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group pra dss1-user
callroute 0
trunk-pra 3/0/0
#
trunk-group sipat0 sip trunk-circuit
callroute 3
signalling-address ip 192.168.1.2 port 5061
media-ip 192.168.1.2
peer-address static 192.168.1.4 5060
register-uri abcd.com
home-domain abcd.com
number-parameter 19 1
trunk-sipat0 +862083787005@abcd.com password cipher %^%#sh1hK7Y[vIDIo]@
%y)"(^`xyQQLvuFT&:]Fob_b5%^%#
#
trunk-group sipip01 sip no-register
callroute 1
signalling-address ip 192.168.1.2 port 5062
media-ip 192.168.1.2
peer-address static 192.168.1.3 5062
register-uri abcd.com
home-domain abcd.com
#
callprefix 6
prefix 6
call-type category basic-service attribute 1
digit-length 4 32
callroute 1
#
callprefix 7
prefix 7
call-type category basic-service attribute 0
digit-length 4 32
#
callprefix 9
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 3
#
pbxuser 7000 sipue
sipue 7000
telno 7000 long-telno 83787000
call-right out all
eid-para password cipher %^%#%')'%i~C[2>B0.~$l6E@D)H|+:L0I!`Dg@,2>qjJ%^%#
#
pbxuser 7100 pots
port 2/0/0
telno 7100 long-telno 83787100
call-right out all
#
afterroute-change 9_6xxx_sipat0
callprefix 9
trunk-group sipat0
condition caller-telno 6xxx
caller del-then-Insert 1 32 83786005
called del 1 1
#
afterroute-change 9_7xxx_sipat0

callprefix 9
trunk-group sipat0
condition caller-telno 7xxx
caller del-then-Insert 1 32 83787005
called del 1 1
#

13.3.3 Example for Expanding the Capacity of the Live-Network PBX

Networking Requirements
Connect the live-network PBX to a new PBX to expand capacity while retaining the original long
and short user numbers, the automatic switchboard number, and users' dialing habits. Figure 13-21
shows the typical network for connecting the live-network PBX to the PBX.
This topic assumes that you want to implement the following requirements:
- The country code is 86, and the area code is 571.
- The enterprise is hw, and the DN set is hwdnset.
- PBX users and live-network PBX users make calls to each other by dialing short numbers.
- The PBX connects to the live-network PBX through an H.323 trunk, and the call route is 2.
- The live-network PBX connects to the PBX through an H.323 trunk, and the call route is 3.
- The PBX connects to carrier A through an AT0 trunk, and connects to carrier B through a PRA
  trunk. The outgoing call routing mode based on load balancing is used, and both trunks are
  bound to call route 0.
- Outgoing calls to the PSTN of carrier B are routed through a PRA trunk. If the calling user has
  a long number, the long number is displayed as the calling number. If the calling user does not
  have a long number, 28980808 is displayed as the calling number.
- Outgoing calls to the PSTN of carrier A are routed through an AT0 trunk. If the calling user has
  a long number, the long number is displayed as the calling number. If the calling user does not
  have a long number, 83780808 is displayed as the calling number.
- Users of carrier A or B dial the automatic switchboard of the PBX to make incoming calls.

Figure 13-21 Typical network for connecting the live-network PBX to the PBX

Prerequisites
The IVR configuration has been completed. For details, see IVR. The value of vu-service-name
configured for the automatic switchboard is the value of service for the IVR.

Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.

Table 13-15 User number plan

Short Number Segment    Long Number Segment    Remarks
7000–7004               28987000–28987004      New PBX users
7100–7104               N/A                    New PBX users
-                       28980808               Automatic switchboard of the new PBX
6000–6004               83786000–83786004      Live-network PBX users
6100–6104               N/A                    Live-network PBX users
N/A                     83780808               Automatic switchboard of the live-network PBX

Table 13-16 IP address plan

NE                  IP Address     Subnet Mask
New PBX             192.168.1.2    255.255.255.0
Live-network PBX    192.168.1.3    255.255.255.0

Table 13-17 PRA trunk plan

Slot ID/Subcard ID/Port ID    Route    Peer Office
1/0/0                         0        PSTN

Table 13-18 AT0 trunk plan

Slot ID/Subcard ID/Port ID    Default Access Code    Route ID
3/0/4                         83780808               0

Table 13-19 H.323 trunk plan

Media IP Address    Port Number    Peer IP Address    Peer Port Number    Route ID
192.168.1.2         1720           192.168.1.3        1720                2

Table 13-20 Prefix plan

Prefix    Type            Route    Local Device
6         Outgoing        2        New PBX
7         Intra-office    N/A      New PBX
2898      Intra-office    N/A      New PBX
8378      Outgoing        2        New PBX
6         Intra-office    N/A      Live-network PBX
7         Outgoing        3        Live-network PBX
9         Outgoing        3        Live-network PBX
8378      Intra-office    N/A      Live-network PBX

Table 13-21 Post-routing number change plan

Prefix    Outgoing Trunk    Calling Number Change    Called Number Change
9         PRA               28980808                 Deleting the first digit
9         AT0               N/A                      Deleting the first digit

Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
<Huawei> save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...

Step 2 Set the Ethernet IP address of interface 0/0/0 to 192.168.1.2, and add 192.168.1.2 to the media
IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2

Step 3 Configure the SIP server.


[Huawei-voice] sipserver
[Huawei-voice-sipserver] signalling-address ip 192.168.1.2 port 5060
[Huawei-voice-sipserver] media-ip 192.168.1.2
[Huawei-voice-sipserver] register-uri abcd.com
[Huawei-voice-sipserver] home-domain abcd.com
[Huawei-voice-sipserver] reset
[Huawei-voice-sipserver] quit

Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.

[Huawei-voice] pbx default-country-code 86 default-area-code 571
[Huawei-voice] pbx enable-country-area-transform enable

Step 5 Configure the enterprise and DN set for numbers.


[Huawei-voice] enterprise hw
[Huawei-voice-enterprise-hw] dn-set hwdnset
[Huawei-voice-enterprise-hw] save
[Huawei-voice-enterprise-hw] quit

Step 6 Configure prefixes.

1. Configure intra-office call prefix 7 whose call attribute is 0, and set the enterprise and
DN set to hw and hwdnset.
NOTE
The procedure for configuring intra-office call prefix 2898 is similar. You only need to change the
minimum number length to 8.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 4 32
[Huawei-voice-callprefix-7] quit

2. Configure prefix 6 whose call attribute is 1 and call route is 2.


NOTE
The procedure for configuring outgoing call prefix 8378 is similar. You only need to change the
minimum number length to 8.
[Huawei-voice] callprefix 6
[Huawei-voice-callprefix-6] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-6] prefix 6
[Huawei-voice-callprefix-6] call-type category basic-service attribute 1
[Huawei-voice-callprefix-6] digit-length 4 32
[Huawei-voice-callprefix-6] quit
[Huawei-voice] callroute 2
[Huawei-voice-callroute-2] quit
[Huawei-voice] callprefix 6
[Huawei-voice-callprefix-6] callroute 2
[Huawei-voice-callprefix-6] quit

3. Configure prefix 9 whose call attribute is 1 and call route is 0.


NOTE
Configure national toll call prefix 90 whose call attribute is 2 and call route is 0, and configure
international toll call prefix 900 whose call attribute is 3 and call route is 0. For details, see the
configuration of prefix 9.
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callroute 0
[Huawei-voice-callroute-0] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] callroute 0
[Huawei-voice-callprefix-9] quit

4. Configure the automatic switchboard.


Set the automatic switchboard name to ivr and automatic switchboard number to
28980808.
[Huawei-voice] callprefix ivr
[Huawei-voice-callprefix-ivr] prefix 28980808
[Huawei-voice-callprefix-ivr] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-ivr] call-type category vu-service vu-service-name vudefault
[Huawei-voice-callprefix-ivr] digit-length 8 32
[Huawei-voice-callprefix-ivr] save
[Huawei-voice-callprefix-ivr] quit

Step 7 Configure user numbers.


1. Configure a SIP user whose user number is 7000, authentication password is a123456,
and incoming and outgoing call rights are all.
[Huawei-voice] pbxuser 7000 sipue enterprise hw
[Huawei-voice-pbxuser-7000] dn-set hwdnset

[Huawei-voice-pbxuser-7000] sipue 7000


[Huawei-voice-pbxuser-7000] telno 7000 long-telno 28987000
[Huawei-voice-pbxuser-7000] call-right in all
[Huawei-voice-pbxuser-7000] call-right out all
[Huawei-voice-pbxuser-7000] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7000] quit

2. Configure a POTS user whose user number is 7100 and incoming and outgoing call
rights are all.
[Huawei-voice] pbxuser 7100 pots enterprise hw
[Huawei-voice-pbxuser-7100] dn-set hwdnset
[Huawei-voice-pbxuser-7100] port 3/0/0
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] return

Step 8 Configure trunk groups.


1. Configure a PRA trunk group.
<Huawei> system-view
[Huawei] set workmode slot 1 e1t1 e1-voice
Changing the working mode will reset the board in slot 1. Continue? [y/n]:y
INFO: Resetting board[1] succeeded.
[Huawei] voice
[Huawei-voice] port ve1 1/0/0
[Huawei-voice-ve1-1/0/0] signal ccs
Set signal type successfully
[Huawei-voice-ve1-1/0/0] quit
[Huawei-voice] quit
[Huawei] clock source 0 1/0/0
[Huawei] voice
[Huawei-voice] callroute 0
[Huawei-voice-callroute-0] quit
[Huawei-voice] trunk-group pra dss1-user
[Huawei-voice-trunkgroup-pra] trunk-pra 1/0/0
[Huawei-voice-trunkgroup-pra] enterprise hw dn-set hwdnset
[Huawei-voice-trunkgroup-pra] quit

2. Configure an AT0 trunk group.


[Huawei-voice] trunk-group AT0 fxo
[Huawei-voice-trunkgroup-AT0] trunk-AT0 3/0/4 default-called-telno 83780808
[Huawei-voice-trunkgroup-AT0] enterprise hw dn-set hwdnset
[Huawei-voice-trunkgroup-AT0] quit

3. Configure an H.323 trunk group.


[Huawei-voice] h323-attribute
[Huawei-voice-h323-attribute] localip 192.168.1.2
Note: Mandatory parameter of h323 system completed, please reset h323 system.
[Huawei-voice-h323-attribute] reset
H323 system parameters reset successfully!
[Huawei-voice-h323-attribute] quit
[Huawei-voice] trunk-group h323 h323 symmetrical
[Huawei-voice-trunkgroup-h323] media-ip 192.168.1.2
[Huawei-voice-trunkgroup-h323] peer-address static 192.168.1.3 1720
Note: Mandatory parameter of the trunkgroup completed, please reset the trunkgroup.
[Huawei-voice-trunkgroup-h323] enterprise hw dn-set hwdnset
[Huawei-voice-trunkgroup-h323] callroute 2
[Huawei-voice-trunkgroup-h323] reset
[Huawei-voice-trunkgroup-h323] save
[Huawei-voice-trunkgroup-h323] quit

Step 9 Configure intelligent routing based on load balancing.


[Huawei-voice] callroute 0
[Huawei-voice-callroute-0] selecttype loadshare
[Huawei-voice-callroute-0] quit
[Huawei-voice] trunk-group pra

[Huawei-voice-trunkgroup-pra] callroute 0
[Huawei-voice-trunkgroup-pra] quit
[Huawei-voice] trunk-group AT0
[Huawei-voice-trunkgroup-AT0] callroute 0
[Huawei-voice-trunkgroup-AT0] quit

Step 10 Configure post-routing number change.


[Huawei-voice] afterroute-change 9_6xxx_pra
[Huawei-voice-afterroute-change-9_6xxx_pra] callprefix 9
[Huawei-voice-afterroute-change-9_6xxx_pra] trunk-group pra
[Huawei-voice-afterroute-change-9_6xxx_pra] condition caller-telno 6xxx
[Huawei-voice-afterroute-change-9_6xxx_pra] caller del-then-insert 1 32 28980808
[Huawei-voice-afterroute-change-9_6xxx_pra] called del 1 1
[Huawei-voice-afterroute-change-9_6xxx_pra] quit
[Huawei-voice] afterroute-change 9_71xx_pra
[Huawei-voice-afterroute-change-9_71xx_pra] callprefix 9
[Huawei-voice-afterroute-change-9_71xx_pra] trunk-group pra
[Huawei-voice-afterroute-change-9_71xx_pra] condition caller-telno 71xx
[Huawei-voice-afterroute-change-9_71xx_pra] caller del-then-insert 1 32 28980808
[Huawei-voice-afterroute-change-9_71xx_pra] called del 1 1
[Huawei-voice-afterroute-change-9_71xx_pra] quit
[Huawei-voice] afterroute-change 9_at0
[Huawei-voice-afterroute-change-9_at0] callprefix 9
[Huawei-voice-afterroute-change-9_at0] trunk-group AT0
[Huawei-voice-afterroute-change-9_at0] caller no-change
[Huawei-voice-afterroute-change-9_at0] called del 1 1
[Huawei-voice-afterroute-change-9_at0] quit
[Huawei-voice] afterroute-change 9_pra
[Huawei-voice-afterroute-change-9_pra] callprefix 9
[Huawei-voice-afterroute-change-9_pra] trunk-group pra
[Huawei-voice-afterroute-change-9_pra] caller no-change
[Huawei-voice-afterroute-change-9_pra] called del 1 1
[Huawei-voice-afterroute-change-9_pra] quit

Step 11 Verify the configuration.


Item: Intra-office call
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to
user 7100 is 7000.
Possible Fault Cause: The intra-office call prefix is incorrectly configured.

Item: Outgoing call made by an intra-office user with a long number
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example:
- User 7000 can dial 6000 to make a call to user 6000, and the calling number displayed to user
  6000 is 7000.
- User 7000 can make an outgoing call through the PRA trunk, and the calling number displayed to
  the called party is 28987000.
- For example, user 7000 can make an outgoing call through the AT0 trunk, and the calling number
  displayed to the called party is 28987000.
Possible Fault Cause:
- The outgoing call prefix is incorrectly configured.
- The outgoing trunk is incorrectly configured, or the reset command is not executed after the
  configuration.

Item: Outgoing call made by an intra-office user without a long number
Expected Result: Calls can be made properly, and the calling number is correctly displayed. For
example:
- User 7100 can dial 6000 to make a call to user 6000, and the calling number displayed to user
  6000 is 7100.
- User 7100 can make an outgoing call through the PRA trunk, and the calling number displayed to
  the called party is 28980808.
- For example, user 7100 can make an outgoing call through the AT0 trunk, and the calling number
  displayed to the called party is 83780808.
Possible Fault Cause: N/A

Item: Incoming call
Expected Result: Calls can be made properly. For example, an outer-office user can dial 28980808
and then dial 7000 as prompted to connect to user 7000.
Possible Fault Cause: N/A


----End
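
The post-routing rules from Step 10, replayed offline to predict the calling and called numbers that Step 11 checks on the PRA and AT0 trunks. This is an added example, not Huawei's code, and it models only the router's rules, not what the carrier displays. Assumptions: a rule with a caller condition takes precedence over one without, x matches one digit, del-then-insert S L N deletes L digits from position S and inserts N there, a configured long number is the calling number entering post-routing, and the dialed number 912345678 is constructed.

```python
import re

# Post-routing rules as listed in this example's configuration file.
CONFIG = """\
afterroute-change 9_6xxx_pra
 callprefix 9
 trunk-group pra
 condition caller-telno 6xxx
 caller del-then-Insert 1 32 28980808
 called del 1 1
#
afterroute-change 9_71xx_pra
 callprefix 9
 trunk-group pra
 condition caller-telno 71xx
 caller del-then-Insert 1 32 28980808
 called del 1 1
#
afterroute-change 9_at0
 callprefix 9
 trunk-group AT0
 caller no-change
 called del 1 1
#
afterroute-change 9_pra
 callprefix 9
 trunk-group pra
 caller no-change
 called del 1 1
#
"""

# telno -> long-telno from Step 7 (None: the user has no long number).
USERS = {"7000": "28987000", "7100": None}


def parse_rules(text):
    """Return one dict per afterroute-change block."""
    rules, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            cur = None
        elif words[0] == "afterroute-change":
            cur = {"name": words[1], "condition": None}
            rules.append(cur)
        elif cur is not None:
            key = words[0].lower()
            if key == "condition":            # condition caller-telno <pattern>
                cur["condition"] = words[2]
            elif key in ("callprefix", "trunk-group"):
                cur[key] = words[1].lower()   # trunk names compared case-insensitively
            elif key in ("caller", "called"):
                cur[key] = [w.lower() for w in words[1:]]
    return rules


def edit(number, action):
    """Apply one caller/called action to a digit string."""
    if action[0] == "no-change":
        return number
    start, length = int(action[1]) - 1, int(action[2])
    kept = number[:start] + number[start + length:]
    if action[0] == "del":
        return kept
    if action[0] == "del-then-insert":        # assumed: delete, then insert at start
        return kept[:start] + action[3] + kept[start:]
    raise ValueError("unsupported action: " + " ".join(action))


def matches(pattern, number):
    """Assumed: 'x' is any one digit and the whole number must match."""
    regex = "".join(r"\d" if c in "xX" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, number) is not None


def post_route(rules, caller, called, trunk):
    """Return (rule name, caller, called) after post-routing number change."""
    hits = [r for r in rules
            if called.startswith(r["callprefix"])
            and r["trunk-group"] == trunk.lower()
            and (r["condition"] is None or matches(r["condition"], caller))]
    if not hits:
        return None, caller, called
    # Assumed precedence: a rule with a caller condition beats one without.
    rule = max(hits, key=lambda r: r["condition"] is not None)
    return rule["name"], edit(caller, rule["caller"]), edit(called, rule["called"])


def outgoing(user, dialed, trunk):
    """Numbers sent on `trunk` when `user` dials `dialed`."""
    presented = USERS.get(user) or user       # assumed: long number when configured
    return post_route(parse_rules(CONFIG), presented, dialed, trunk)


if __name__ == "__main__":
    for user in ("7000", "7100", "6000"):
        for trunk in ("pra", "AT0"):
            print(user, trunk, outgoing(user, "912345678", trunk))  # constructed number
```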

Configuration Files
- Router configuration
#
clock source 0 1/0/0 priority 9
#
set workmode slot 1 e1t1 e1-voice
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
port ve1 1/0/0
signal CCS
#
h323-attribute
localip 192.168.1.2
#
callroute 0
selecttype loadshare
#
callroute 2
#
enterprise hw
dn-set hwdnset
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group at0 fxo
trunk-AT0 3/0/4 default-called-telno 83780808
enterprise hw dn-set hwdnset
callroute 0
#
trunk-group h323 h323 symmetrical
enterprise hw dn-set hwdnset
callroute 2
media-ip 192.168.1.2
peer-address static 192.168.1.3 1720
#
trunk-group pra dss1-user
trunk-pra 1/0/0
enterprise hw dn-set hwdnset
callroute 0
#
callprefix 6
enterprise hw dn-set hwdnset
prefix 6
call-type category basic-service attribute 1
digit-length 4 32
callroute 2
#
callprefix 7
enterprise hw dn-set hwdnset
prefix 7
call-type category basic-service attribute 0
digit-length 4 32

#
callprefix 9
enterprise hw dn-set hwdnset
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 0
#
callprefix ivr
enterprise hw dn-set hwdnset
prefix 28980808
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
pbxuser 7000 sipue enterprise hw
sipue 7000
telno 7000 long-telno 28987000
dn-set hwdnset
call-right out all
eid-para password cipher %^%#"(sq-~Wu6YD^RCIcKx:'6]z--N|iKU6DyrM4m&*X%^%#
#
pbxuser 7100 pots enterprise hw
telno 7100
port 3/0/0
dn-set hwdnset
call-right out all
#
afterroute-change 9_6xxx_pra
callprefix 9
trunk-group pra
condition caller-telno 6xxx
caller del-then-Insert 1 32 28980808
called del 1 1
#
afterroute-change 9_71xx_pra
callprefix 9
trunk-group pra
condition caller-telno 71xx
caller del-then-Insert 1 32 28980808
called del 1 1
#
afterroute-change 9_at0
callprefix 9
trunk-group AT0
caller no-change
called del 1 1
#
afterroute-change 9_pra
callprefix 9
trunk-group pra
caller no-change
called del 1 1
#

13.3.4 Example for Configuring PBX Sharing for Different Enterprises

Networking Requirements
Users A and B belong to enterprise 1. Users C and D belong to enterprise 2. Enterprises 1 and
2 are in the same industrial campus. By configuring different enterprises on the device, you
can logically isolate multiple enterprises' voice services, implementing PBX sharing.
Enterprises 1 and 2 can use virtual PBXs to implement voice services for intra-office users
and use a unified egress to implement voice services between intra-office and outer-office
users. This reduces enterprise costs as well as the carrier's access points. Figure 13-22 shows
the PBX sharing network.
This topic assumes that you want to implement the following requirements:
- The external number allocated by the carrier to enterprise 1 is 56623000. When an outer-office
  user dials 56623000, user B's phone rings. If the outer-office user wants to make a call to an
  intra-office user other than user B, the call can be transferred by user B to the target user.
- The external number allocated by the carrier to enterprise 2 is 56623001. When an outer-office
  user dials 56623001, user C's phone rings. If the outer-office user wants to make a call to an
  intra-office user other than user C, the call can be transferred by user C to the target user.
- The country code is 86, and the area code is 571.
- The internal numbers of users A, B, C, and D are 7100, 7000, 6000, and 6100 respectively.
- Both the signaling IP address and media IP address are 192.168.1.2.
- Users A and B belong to enterprise hw. The DN set is local. The intra-office call prefix is 7.
  The outgoing call prefix is 8. Users C and D belong to enterprise hw1. The DN set is local1. The
  intra-office call prefix is 6. The outgoing call prefix is 9.
- A SIP AT0 trunk is used to route outgoing calls. The IP address of the IMS is 192.168.10.10,
  and the port number is 5060.
- Post-routing number change scheme 8 is configured to retain calling numbers and delete the
  first digit of called numbers when users of enterprise 1 make outgoing calls through the SIP
  AT0 trunk. Post-routing number change scheme 9 is configured to retain calling numbers and
  delete the first digit of called numbers when users of enterprise 2 make outgoing calls through
  the SIP AT0 trunk.

Figure 13-22 PBX sharing network

Configuration Roadmap
The configuration procedure is as follows:
1. Set the service mode of the router to PBX, and set public parameters. Configure
enterprises 1 and 2, and connect the enterprises to the router.
2. Configure the users, call prefixes, trunk group, call route, and post-routing number
change for enterprise 1 so that intra-office users of enterprise 1 can make intra-office and
outgoing calls.
3. Configure the users, call prefixes, trunk group, call route, and post-routing number
change for enterprise 2 so that intra-office users of enterprise 2 can make intra-office and
outgoing calls.

Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.

Table 13-22 User number plan

Short Number Segment    Long Number Segment    Remarks
7000–7004               N/A                    Enterprise 1
7100–7104               N/A                    Enterprise 1
N/A                     56623000               Enterprise 1
6000–6004               N/A                    Enterprise 2
6100–6104               N/A                    Enterprise 2
N/A                     56623001               Enterprise 2

Table 13-23 SIP AT0 trunk plan

Signaling IP    Port      Media IP       Peer IP         Peer Port    Route    Remarks         Registration    Registration
Address         Number    Address        Address         Number                                ID              Password
192.168.1.2     5061      192.168.1.2    192.168.1.10    5060         0        Enterprise 1    56623000        123456
192.168.1.2     5062      192.168.1.2    192.168.1.10    5060         0        Enterprise 2    56623001        123456

Table 13-24 Prefix plan

Prefix    Type            Route    Remarks
7         Intra-office    N/A      Enterprise 1
8         Outgoing        0        Enterprise 1
6         Intra-office    N/A      Enterprise 2
9         Outgoing        0        Enterprise 2

Table 13-25 Post-routing number change plan

Prefix    Outgoing Trunk    Called Number Change        Remarks
8         SIP AT0           Deleting the first digit    Enterprise 1
9         SIP AT0           Deleting the first digit    Enterprise 2

Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] quit
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...

Step 2 Set the Ethernet IP address of interface 0/0/0 to 192.168.1.2, and add 192.168.1.2 to the media
IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] quit

Step 3 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.
[Huawei] voice
[Huawei-voice] pbx default-country-code 86 default-area-code 571
[Huawei-voice] pbx enable-country-area-transform enable

Step 4 Configure the SIP server.


[Huawei-voice] sipserver
[Huawei-voice-sipserver] signalling-address ip 192.168.1.2 port 5060
[Huawei-voice-sipserver] media-ip 192.168.1.2
[Huawei-voice-sipserver] register-uri abcd.com
[Huawei-voice-sipserver] home-domain abcd.com
[Huawei-voice-sipserver] reset
[Huawei-voice-sipserver] quit

Step 5 Configure the enterprise and DN set for numbers.


[Huawei-voice] enterprise hw
[Huawei-voice-enterprise-hw] dn-set local
[Huawei-voice-enterprise-hw] quit
[Huawei-voice] enterprise hw1
[Huawei-voice-enterprise-hw1] dn-set local1
[Huawei-voice-enterprise-hw1] quit

Step 6 Set the enterprise of users A and B to hw, the DN set to local, the intra-office call prefix to 7,
and the outgoing call prefix to 8.
NOTE
Set the enterprise of users C and D to hw1, the DN set to local1, the intra-office call prefix to 6, and the
outgoing call prefix to 9.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set local
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 4 32
[Huawei-voice-callprefix-7] quit
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] enterprise hw dn-set local
[Huawei-voice-callprefix-8] prefix 8
[Huawei-voice-callprefix-8] call-type category basic-service attribute 1
[Huawei-voice-callprefix-8] digit-length 1 32
[Huawei-voice-callprefix-8] quit
[Huawei-voice] callroute 8
[Huawei-voice-callroute-8] quit
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] callroute 8
[Huawei-voice-callprefix-8] quit

Step 7 Configure SIP user A whose user number is 7100 and authentication password is a123456.
NOTE
Configure user D, whose enterprise is hw1 and user number is 6100, in the same way. For details, see the configuration
of user 7100.
[Huawei-voice] pbxuser 7100 sipue enterprise hw
[Huawei-voice-pbxuser-7100] dn-set local
[Huawei-voice-pbxuser-7100] sipue 7100
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7100] quit

Step 8 Configure user B 7000.


NOTE
Configure user C, whose enterprise is hw1 and user number is 6000, in the same way. For details, see the configuration of
user 7000.
[Huawei-voice] pbxuser 7000 pots enterprise hw
[Huawei-voice-pbxuser-7000] dn-set local
[Huawei-voice-pbxuser-7000] port 2/0/0
[Huawei-voice-pbxuser-7000] telno 7000
[Huawei-voice-pbxuser-7000] call-right in idd enable
[Huawei-voice-pbxuser-7000] call-right out idd enable
[Huawei-voice-pbxuser-7000] quit


Step 9 Configure a SIP AT0 trunk group.


[Huawei-voice] trunk-group sipat0 sip trunk-circuit
[Huawei-voice-trunkgroup-sipat0] signalling-address ip 192.168.1.2 port 5061
[Huawei-voice-trunkgroup-sipat0] enterprise hw dn-set local
[Huawei-voice-trunkgroup-sipat0] media-ip 192.168.1.2
[Huawei-voice-trunkgroup-sipat0] peer-address static 192.168.10.10 5060
[Huawei-voice-trunkgroup-sipat0] register-uri abcd.com
[Huawei-voice-trunkgroup-sipat0] home-domain abcd.com
[Huawei-voice-trunkgroup-sipat0] trunk-sipat0 56623000 default-called-telno 7000 password cipher
Please input user password(1-32 chars):******
[Huawei-voice-trunkgroup-sipat0] number-parameter 19 0
[Huawei-voice-trunkgroup-sipat0] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipat0] quit
[Huawei-voice] trunk-group sipat01 sip trunk-circuit
[Huawei-voice-trunkgroup-sipat01] signalling-address ip 192.168.1.2 port 5062
[Huawei-voice-trunkgroup-sipat01] enterprise hw1 dn-set local1
[Huawei-voice-trunkgroup-sipat01] media-ip 192.168.1.2
[Huawei-voice-trunkgroup-sipat01] peer-address static 192.168.10.10 5060
[Huawei-voice-trunkgroup-sipat01] register-uri abcd.com
[Huawei-voice-trunkgroup-sipat01] home-domain abcd.com
[Huawei-voice-trunkgroup-sipat01] trunk-sipat0 56623001 default-called-telno 6000 password cipher
Please input user password(1-32 chars):******
[Huawei-voice-trunkgroup-sipat01] number-parameter 19 0
[Huawei-voice-trunkgroup-sipat01] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipat01] quit

Step 10 Configure a call route and post-routing number change.


Configure post-routing number change scheme 8 to retain calling numbers and delete the first
digit of called numbers when users of enterprise 1 make outgoing calls through the SIP AT0
trunk.

NOTE
Configure post-routing number change scheme 9 to retain calling numbers and delete the first digit of
called numbers when users of enterprise 2 make outgoing calls through the SIP AT0 trunk.
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] callroute 8
[Huawei-voice-callprefix-8] quit
[Huawei-voice] trunk-group sipat0
[Huawei-voice-trunkgroup-sipat0] callroute 8
[Huawei-voice-trunkgroup-sipat0] quit
[Huawei-voice] afterroute-change 8
[Huawei-voice-afterroute-change-8] callprefix 8
[Huawei-voice-afterroute-change-8] trunk-group sipat0
[Huawei-voice-afterroute-change-8] caller no-change
[Huawei-voice-afterroute-change-8] called del 1 1
[Huawei-voice-afterroute-change-8] save

Step 11 Verify the configuration.


| Item | Expected Result | Possible Fault Cause |
|---|---|---|
| Intra-office call | Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000. | The intra-office call prefix is incorrectly configured. |
| Outgoing call | Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can make an outgoing call through the SIP AT0 trunk, and the calling number displayed to the called party is 56623000. | • The outgoing call prefix is incorrectly configured. • The outgoing trunk is incorrectly configured. |
| Incoming call | Calls can be made properly. For example, an outer-office user can dial 56623000 and be transferred to the target user through user 7000. | N/A |

----End

Configuration Files
• Router configuration
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
callroute 8
#
enterprise hw
dn-set local
#
enterprise hw1
dn-set local1
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group sipat0 sip trunk-circuit
enterprise hw dn-set local
callroute 8


signalling-address ip 192.168.1.2 port 5061


media-ip 192.168.1.2
peer-address static 192.168.10.10 5060
register-uri abcd.com
home-domain abcd.com
trunk-sipat0 56623000 default-called-telno 7000
trunk-sipat0 56623000 password cipher %^%#wlyf~LstT9[[t|HjP*N3>t{Q3!
f8>2e#PDM@Ga-:%^%#
#
trunk-group sipat1 sip trunk-circuit
enterprise hw1 dn-set local1
signalling-address ip 192.168.1.2 port 5062
media-ip 192.168.1.2
peer-address static 192.168.10.10 5060
register-uri abcd.com
home-domain abcd.com
trunk-sipat0 56623001 default-called-telno 6000
trunk-sipat0 56623001 password cipher %^%##;d~MTyB}'|
b2:@A=Rg25*=-5s^[<12[K8-M9pm5%^%#
#
callprefix 7
enterprise hw dn-set local
prefix 7
call-type category basic-service attribute 0
digit-length 4 32
#
callprefix 8
enterprise hw dn-set local
prefix 8
call-type category basic-service attribute 1
digit-length 1 32
callroute 8
#
pbxuser 7000 pots enterprise hw
telno 7000
port 2/0/0
dn-set local
call-right out idd enable
#
pbxuser 7100 sipue enterprise hw
sipue 7100
telno 7100
dn-set local
eid-para password cipher %^%#Y;QQB*rk9,$7=K5av']G_[YWC~knl!4X[%Dvz%Q<%^%#
#
afterroute-change 8
callprefix 8
trunk-group sipat0
caller no-change
called del 1 1
#

13.3.5 Example for Configuring an AR as a Branch Gateway to Access UC

Networking Requirements
• When the central node is correctly connected to the AR local node:
  – All users at the headquarters and branches register with the central node.
  – The central node processes all internal calls.
• When the central node is faulty or disconnects from the local node, local users register
  with the local node, and the local node processes service requests (including intra-office
  calls and incoming and outgoing calls) from local users. This is known as local
  regeneration.


Figure 13-23 shows the typical network.


The unified gateway is connected to the AR to achieve the following objectives:
• Intra-office calls can be made by dialing short numbers between IP phones, POTS
  phones, and fax machines at the headquarters, branch 1, and branch 2.
• The central node can be connected to local nodes through SIP trunks and to the PSTN to
  implement incoming and outgoing calls.

Figure 13-23 Typical network

Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.


Table 13-26 User numbers

| Endpoint | Short Number | Long Number |
|---|---|---|
| IP phone | 86000 | 28886000 |
| POTS phone | 88001 | - |
| Automatic switchboard access code | - | 28888999 |

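Table 13-27 SIP trunk group

| Location | NE | Peer Office | Trunk Type | Trunk Group Name | Media and Signaling IP | Local Port Number | Peer Port Number |
|---|---|---|---|---|---|---|---|
| Branch 2 | Local Node 2 | Central Node | SIP IP | sipip | 172.16.1.2 | 5063 | 5060 |
| Branch 2 | Local Node 2 | Central Node | SIP AT0 | sipat0 | 172.16.1.2 | 5061 | 5060 |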

Table 13-28 PRA trunk group

| Location | NE | Peer Office | Trunk Type | Slot/Subcard/Port Number | Rout |
|---|---|---|---|---|---|
| Branch 2 | Local Node 2 | PSTN | PRA DSS1 | 1/0/0 | 0 |

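Table 13-29 Prefix and number change

| Location | NE | Prefix Type | Prefix | Office Route Selection Code | Called Number Change | Calling Number Change | Remarks |
|---|---|---|---|---|---|---|---|
| Branch 2 | Local Node 2 | Intra-office call prefix | 8 | - | - | - | Intra-office prefix |
| Branch 2 | Local Node 2 | Intra-office call prefix | 2888 | - | - | - | Intra-office prefix |
| Branch 2 | Local Node 2 | National toll call prefix | 90 | Rout: 1 | Delete the first digit. | Changes the number to the automatic switchboard access code 28888999 of branch 2. | Outgoing calls to the local PSTN. |
| Branch 2 | Local Node 2 | International toll call prefix | 900 | Rout: 1 | Delete the first digit. | Changes the number to the automatic switchboard access code 28888999 of branch 2. | Outgoing calls to the local PSTN. |
| Branch 2 | Local Node 2 | Outgoing call prefix | 9 | Rout: 1 | Delete the first digit. | Changes the number to the automatic switchboard access code 28888999 of branch 2. | Outgoing calls to the local PSTN. |
| Branch 2 | Local Node 2 | Outgoing call prefix | 9021 | Rout: 1 | Delete the first digit. | Changes the number to the automatic switchboard access code 28888999 of branch 2. | Outgoing calls to the local PSTN. |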

Table 13-30 Board

| Location | NE | Board Type | Slot Number |
|---|---|---|---|
| Branch 2 | Local Node 2 | 2E1/T1–F | 1 |
| Branch 2 | Local Node 2 | 4FXS1FXO | 2 |

Procedure
Step 1 Configure the service mode to IP PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
<Huawei> save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...


Step 2 Set the IP address of interface 0/0/0 to 172.16.1.2, and add 172.16.1.2 to the media and
signaling IP address pools of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 172.16.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 172.16.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 172.16.1.2

Step 3 Configure the SIP server.


[Huawei-voice] sipserver
[Huawei-voice-sipserver] signalling-address ip 172.16.1.2 port 5060
[Huawei-voice-sipserver] media-ip 172.16.1.2
[Huawei-voice-sipserver] register-uri abcd.com
[Huawei-voice-sipserver] home-domain abcd.com
[Huawei-voice-sipserver] reset
[Huawei-voice-sipserver] quit

Step 4 Set the default country code to 86 and default area code to 021. Enable country/area code
transformation.
[Huawei-voice] pbx default-country-code 86 default-area-code 021
[Huawei-voice] pbx enable-country-area-transform enable

Step 5 Configure prefixes.


1. Configure intra-office prefix 8 whose call attribute is 0.
The method for configuring intra-office prefix 2888 is similar. Set the minimal number
length to 8.
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] prefix 8
[Huawei-voice-callprefix-8] call-type category basic-service attribute 0
[Huawei-voice-callprefix-8] digit-length 5 32
[Huawei-voice-callprefix-8] quit

2. Configure inter-office prefix 9 whose call attribute is 1 and route is 1.


Use the same method to configure inter-office prefix 9021 whose call attribute is 1,
national inter-office prefix 90 whose call attribute is 2, and international inter-office
prefix 900 whose call attribute is 3.
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callroute 1
[Huawei-voice-callroute-1] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] callroute 1
[Huawei-voice-callprefix-9] quit

3. Configure the automatic switchboard. The automatic switchboard name is ivr, and
number is 28888999.
NOTE

Before configuring the automatic switchboard, perform IVR configuration by referring to the AR
Product Documentation. Use the same value for vu-service-name of the automatic switchboard and
service of the IVR.
[Huawei-voice] callprefix ivr
[Huawei-voice-callprefix-ivr] prefix 28888999
[Huawei-voice-callprefix-ivr] call-type category vu-service vu-service-name vudefault
[Huawei-voice-callprefix-ivr] digit-length 8 32


[Huawei-voice-callprefix-ivr] save
[Huawei-voice-callprefix-ivr] quit

Step 6 Configure user numbers.


1. Configure the SIP user whose number is 86000.
SIP users at branches have been configured on the central node, and SIP user numbers
have been synchronized to the local node, so user numbers do not need to be allocated to
the SIP users on the local node.
2. Configure the POTS user whose number is 88001 and set its call rights to all.
[Huawei-voice] pbxuser 88001 pots
[Huawei-voice-pbxuser-88001] port 2/0/1
[Huawei-voice-pbxuser-88001] telno 88001
[Huawei-voice-pbxuser-88001] proxyreg-id 88001
[Huawei-voice-pbxuser-88001] proxyreg-password cipher
Please input user password(8-64 chars):*********
//The password is the same as the authentication password for adding the POTS
user of local node AR on the U1900 central node.
[Huawei-voice-pbxuser-88001] call-right in all
[Huawei-voice-pbxuser-88001] call-right out all
[Huawei-voice-pbxuser-88001] quit
//When a POTS user registers with the central node through the AR local
agent, configure the header field on the AR, enabling the unified gateway at
the central node to identify the POTS user.
[Huawei-voice] sip
[Huawei-voice-sip] field-header user-agent HUAWEI-eSpace-UCExpress

Step 7 Configure trunk groups.


1. Configure the PRA trunk group.
<Huawei> system-view
[Huawei] set workmode slot 1 e1t1 e1-voice
Changing the working mode will reset the board in slot 1. Continue? [y/n]:y
INFO: Resetting board[1] succeeded.
[Huawei] voice
[Huawei-voice] port ve1 1/0/0
[Huawei-voice-ve1-1/0/0] signal ccs
Set signal type successfully
[Huawei-voice-ve1-1/0/0] quit
[Huawei-voice] quit
[Huawei] clock source 0 1/0/0
[Huawei] voice
[Huawei-voice] callroute 1
[Huawei-voice-callroute-1] quit
[Huawei-voice] trunk-group pra dss1-user
[Huawei-voice-trunkgroup-pra] trunk-pra 1/0/0
[Huawei-voice-trunkgroup-pra] callroute 1
[Huawei-voice-trunkgroup-pra] quit

2. Configure the SIP AT0 trunk group.


[Huawei-voice] trunk-group sipat0 sip trunk-circuit
[Huawei-voice-trunkgroup-sipat0] signalling-address ip 172.16.1.2 port 5061
[Huawei-voice-trunkgroup-sipat0] media-ip 172.16.1.2
[Huawei-voice-trunkgroup-sipat0] peer-address static 10.10.10.2 5060
[Huawei-voice-trunkgroup-sipat0] register-uri abcd.com
[Huawei-voice-trunkgroup-sipat0] home-domain abcd.com
[Huawei-voice-trunkgroup-sipat0] trunk-sipat0 28888001 default-called-telno 88001
[Huawei-voice-trunkgroup-sipat0] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipat0] quit

3. Configure the SIP IP trunk group.


[Huawei-voice] callroute 2
[Huawei-voice-callroute-2] quit
[Huawei-voice] trunk-group sipip sip no-register
[Huawei-voice-trunkgroup-sipip] callroute 2


[Huawei-voice-trunkgroup-sipip] signalling-address ip 172.16.1.2 port 5063


[Huawei-voice-trunkgroup-sipip] media-ip 172.16.1.2
[Huawei-voice-trunkgroup-sipip] peer-address static 10.10.10.2 5060
[Huawei-voice-trunkgroup-sipip] home-domain abcd.com
[Huawei-voice-trunkgroup-sipip] register-uri abcd.com
[Huawei-voice-trunkgroup-sipip] reset
Note: Trunkgroup reset succeeds.
[Huawei-voice-trunkgroup-sipip] quit

Step 8 Configure the post-routing number change.


[Huawei-voice] afterroute-change 9
[Huawei-voice-afterroute-change-9] callprefix 9
[Huawei-voice-afterroute-change-9] trunk-group pra
[Huawei-voice-afterroute-change-9] caller del-then-insert 1 32 28888999
[Huawei-voice-afterroute-change-9] called del 1 1
[Huawei-voice-afterroute-change-9] quit

Step 9 Configure local regeneration.


[Huawei-voice] local-survival
[Huawei-voice-local-survival] dataserver ip 10.10.10.2 port 8099
[Huawei-voice-local-survival] dataservertype u1900
[Huawei-voice-local-survival] primary-trunk-group sipip proxyreg-trunk-group sipat0
[Huawei-voice-local-survival] local-address ip 172.16.1.2 port 8000
[Huawei-voice-local-survival] password cipher
Please input user password(16-32 chars):*********
//Assume that the local regeneration BIN channel authentication password is
a12345678987654321 which is the same as the authentication password for adding
the local node AR on the U1900 central node.
[Huawei-voice-local-survival] sync-interval 2
[Huawei-voice-local-survival] transfer tls
[Huawei-voice-local-survival] reset
[Huawei-voice-local-survival] save

Step 10 Import certificate and private key files.


NOTE

Skip this step if the transmission mode in step 9 is configured to TCP. However, non-encrypted TCP
transmission has security risks. It is recommended that you use TLS transmission.
1. Obtain the servercert.pem certificate file and serverkey.pem private key file from the
U1900 series unified gateway host software package (if you do not have the software
package, download it from http://support.huawei.com/enterprise).
Certificate and private key files are credentials for TLS transmission authentication.
Matched certificate and private key files are preconfigured when the U1900 series
unified gateways are delivered.
It is recommended that you replace the preconfigured files with certificate and private
key files generated by the customer or issued by an official authority. After certificate
and private key files are replaced on the AR, import matched certificate and private key
files to the U1900 series unified gateway.
2. Upload certificate and private key files to the AR.
3. Configure the policy.
[Huawei] pki realm u1900
[Huawei-pki-realm-u1900] quit
[Huawei] ssl policy u1900 type server
[Huawei-ssl-policy-u1900] pki-realm u1900
[Huawei-ssl-policy-u1900] quit

4. Import the files.


[Huawei] pki import-certificate local u1900 pem
Please enter the name of certificate file <length 1-127>: servercert.pem
You are importing a local certificate, the current private key is required.
Please enter the name of private key file <length 1-127>: serverkey.pem
Please enter the type of private key file(pem , p12): pem
The current password is required, please enter your password <length 1-31>:********
Successfully imported the certificate.

NOTE

You can obtain the decryption password for the private key file attached with the U1900 series unified
gateway from Configuration > Configuration Guide > Advanced Configuration > Configuring
Signaling Encryption in the eSpace U1900 series unified gateway product documentation.
5. Access the local-survival view and bind the policy.
[Huawei-voice] local-survival
[Huawei-voice-local-survival] transfer tls
[Huawei-voice-local-survival] ssl-server-policy u1900
[Huawei-voice-local-survival] reset
[Huawei-voice-local-survival] save

Step 11 Verify the configuration.

| No. | Action | Expected Result |
|---|---|---|
| 1 | Verifying intra-office calls made by short numbers between SIP users and POTS users. 1. Pick up the IP phone 86000 at branch 1 and call IP phone 81000 at the headquarters. 2. Pick up IP phone 86000 at branch 1 and call POTS phone 88001 at branch 1. | 1. IP phone 81000 rings. The call is set up after the IP phone is picked up. 2. POTS phone 88001 rings. The call is set up after the POTS phone is picked up. |
| 2 | Verifying outgoing calls. 1. Pick up IP phone 86000 at branch 2 and dial 9XXXXXXXX to call PSTN user B at branch 2. 2. Pick up IP phone 86000 at branch 2 and dial 9010XXXXXXXX to call PSTN user A at the headquarters. | 1. PSTN user B's phone rings. The call is set up after the phone is picked up. 2. PSTN user A's phone rings. The call is set up after the phone is picked up. |
| 3 | Verifying incoming calls. 1. Pick up the phone of PSTN user B at branch 2 and dial the long number 28886000 to call IP phone 86000 at branch 2. 2. Pick up the phone of PSTN user B at branch 2 and dial the enterprise switchboard number 28888999 and then the extension number 88001. | 1. IP phone 28886000 rings. The call is set up after the IP phone is picked up. 2. POTS phone 88001 rings. The call is set up after the POTS phone is picked up. |
| 4 | Verifying local regeneration calls by disconnecting from the central node. 1. Pick up IP phone 86000 at branch 2 and call POTS phone 88001 at branch 2. 2. Pick up IP phone 86000 at branch 2 and dial 9XXXXXXXX to call PSTN user B at branch 2. 3. Pick up the phone of PSTN user B at branch 2 and dial the long number 28886000 to call IP phone 86000 at branch 2. 4. Pick up the phone of PSTN user B at branch 2 and dial the enterprise switchboard number 28888999 and then the extension number 88001. | 1. POTS phone 88001 rings. The call is set up after the POTS phone is picked up. 2. PSTN user B's phone rings. The call is set up after the phone is picked up. 3. IP phone 28886000 rings. The call is set up after the IP phone is picked up. 4. POTS phone 88001 rings. The call is set up after the POTS phone is picked up. |

----End

Configuration Files
• Router configuration
#
clock source 0 1/0/0 priority 9
#
set workmode slot 1 e1t1 e1-voice
#
pki realm u1900
#
ssl policy u1900 type server
pki-realm u1900
#
interface GigabitEthernet0/0/0
ip address 172.16.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 172.16.1.2
voip-address signalling interface GigabitEthernet 0/0/0 172.16.1.2
pbx default-area-code 021
pbx enable-country-area-transform enable
#
port ve1 1/0/0
signal CCS
#
sip
field-header user-agent HUAWEI-eSpace-UCExpress
#
callroute 1
#
callroute 2
#
sipserver
signalling-address ip 172.16.1.2 port 5060


media-ip 172.16.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group pra dss1-user
trunk-pra 1/0/0
callroute 1
#
trunk-group sipat0 sip trunk-circuit
signalling-address ip 172.16.1.2 port 5061
media-ip 172.16.1.2
peer-address static 10.10.10.2 5060
register-uri abcd.com
home-domain abcd.com
trunk-sipat0 28888001 default-called-telno 88001
#
trunk-group sipip sip no-register
callroute 2
signalling-address ip 172.16.1.2 port 5063
media-ip 172.16.1.2
peer-address static 10.10.10.2 5060
register-uri abcd.com
home-domain abcd.com
#
callprefix 8
prefix 8
call-type category basic-service attribute 0
digit-length 5 32
#
callprefix 9
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 1
#
callprefix ivr
prefix 28888999
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
local-survival
dataserver ip 10.10.10.2
dataservertype u1900
local-address ip 172.16.1.2
sync-interval 2
password cipher %^%#nw@y%OP0$#],HR"wQH/3`|.@A7+ZttF2*1D!)C~.or3f~>0ZB#EX,
3dEoR%^%#
ssl-server-policy u1900
primary-trunk-group sipip proxyreg-trunk-group sipat0
#
pbxuser 88001 pots
telno 88001
port 2/0/1
call-right out all
#
afterroute-change 9
callprefix 9
trunk-group pra
caller del-then-Insert 1 32 28888999
called del 1 1
#
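
The TLS binding that Step 10 sets up (local-survival view, then ssl-server-policy, then ssl policy, then pki realm) can be checked offline against a saved configuration file. The Python script below is an added example, not Huawei tooling: the sample configuration is constructed in the layout of the configuration file above, the function names are hypothetical, and `transfer tcp` is an assumed spelling of the TCP mode that the Step 10 note advises against.

```python
# Added example: audit a saved AR configuration for the local-survival
# TLS binding chain configured in Step 10.

# Constructed sample in the layout of the router configuration file above:
# views are separated by lines containing only "#". Cipher text is a placeholder.
GOOD_CONFIG = """\
#
pki realm u1900
#
ssl policy u1900 type server
pki-realm u1900
#
voice
voip-address signalling interface GigabitEthernet 0/0/0 172.16.1.2
#
local-survival
dataserver ip 10.10.10.2
dataservertype u1900
local-address ip 172.16.1.2
password cipher %^%#PLACEHOLDER%^%#
ssl-server-policy u1900
primary-trunk-group sipip proxyreg-trunk-group sipat0
#
"""


def parse_sections(text):
    """Split a saved configuration into {view header line: [body lines]}."""
    sections, header = {}, None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate indented (real) and flat (PDF) layouts
        if not line:
            continue
        if line == "#":             # a lone "#" closes the current view
            header = None
        elif header is None:
            header = line
            sections[header] = []
        else:
            sections[header].append(line)
    return sections


def first_arg(lines, keyword):
    """Return the text after `keyword` on the first line that starts with it."""
    for line in lines:
        if line == keyword or line.startswith(keyword + " "):
            return line[len(keyword):].strip()
    return None


def audit_local_survival(text):
    """Return a list of (code, message) findings; empty means the chain is intact."""
    sections = parse_sections(text)
    body = sections.get("local-survival")
    if body is None:
        return []                   # local regeneration is not configured
    findings = []
    # Assumed keyword: "transfer tcp" as the unencrypted mode named in Step 10.
    if first_arg(body, "transfer") == "tcp":
        findings.append(("TRANSFER_TCP", "local-survival uses unencrypted TCP"))
    # The channel password should be stored with the cipher keyword.
    for line in body:
        parts = line.split()
        if parts[0] == "password" and (len(parts) < 2 or parts[1] != "cipher"):
            findings.append(("PASSWORD_NOT_CIPHER", "password not stored as cipher"))
    policy = first_arg(body, "ssl-server-policy")
    if not policy:
        findings.append(("NO_SSL_POLICY", "no ssl-server-policy bound"))
        return findings
    policy_body = sections.get(f"ssl policy {policy} type server")
    if policy_body is None:
        findings.append(("POLICY_UNDEFINED", f"ssl policy {policy} is not defined"))
        return findings
    realm = first_arg(policy_body, "pki-realm")
    if not realm:
        findings.append(("NO_PKI_REALM", f"ssl policy {policy} has no pki-realm"))
    elif f"pki realm {realm}" not in sections:
        findings.append(("REALM_UNDEFINED", f"pki realm {realm} is not defined"))
    return findings


if __name__ == "__main__":
    unbound = GOOD_CONFIG.replace("ssl-server-policy u1900\n", "")
    for name, cfg in (("good", GOOD_CONFIG), ("unbound", unbound)):
        print(name, audit_local_survival(cfg))
```

The check only confirms that the references resolve; it does not tell whether the imported certificate is still the preconfigured one that Step 10 recommends replacing.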


14 Deploying Reliability

14.1 Example for Configuring Interface Backup Between 3G Interfaces
14.2 Example for Configuring Interface Backup Between ADSL and 3G Interfaces
14.3 Example for Configuring Interface Backup Between Ethernet Interfaces
14.4 Example for Configuring Dynamic Route Backup to Implement IP Network Backup on the ISDN
14.5 Example for Configuring Single-hop BFD for Detecting Link Faults
14.6 Example for Configuring Multi-hop BFD for Detecting Link Faults
14.7 Example for Configuring Association Between VRRP Load Balancing and BFD to Fast Switch Services and Detect Uplink Faults
14.8 Example for Configuring VRRP to Implement Gateway Redundancy
14.9 Example for Deploying VRRP to Load Services on the Master and Backup Devices

14.1 Example for Configuring Interface Backup Between 3G Interfaces
Applicability
This example applies to V200R001C01 and later versions, and routers supporting 3G cellular
interfaces.

Networking Requirements
RouterA connects to a 3G network. It uses Cellular0/0/0 as the primary interface and
Cellular0/0/1 as the backup interface to transmit data on the 3G network.


Figure 14-1 Backup between cellular interfaces

Procedure
Step 1 Configure RouterA.

# //Configure the active interface.
interface Cellular0/0/0
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular //Enable circular DCC.
dialer-group 1
dialer timer autodial 60 //Set the interval for automatic dialup.
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
standby interface Cellular0/0/1 //Configure Cellular0/0/1 as the standby interface.
#
interface Cellular0/0/1 //Configure the standby 3G interface.
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular
dialer-group 1
dialer timer autodial 60
dialer number *99# autodial
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1 preference 80
#

Step 2 Verify the configuration.


# Run the display ip interface brief command to check the status of the Cellular interfaces.
Cellular0/0/0 is in Up state and has obtained an IP address through negotiation. Cellular0/0/1
is in Down state and its IP address field displays unassigned. When RouterA pings the
gateway address, the number of received packets on Cellular0/0/0 increases.


# When Cellular0/0/0 is shut down, Cellular0/0/1 goes to Up state and obtains an IP address.
When RouterA pings the gateway address, the number of received packets on Cellular0/0/1
increases.

----End

Configuration Notes
• Cellular interfaces support only circular DCC.
• The primary and backup interfaces must have reachable routes to the destination network
  segment.
• It takes some time for a cellular interface to dial to the 3G interface. Therefore, some
  data packets may be lost during an active/standby switchover.

14.2 Example for Configuring Interface Backup Between ADSL and 3G Interfaces
Applicability
This example applies to V200R002C01 and later versions.

Networking Requirements
RouterA connects to the IP network through two links:
• Primary link: An ADSL interface on the 1ADSL-A/M interface card connects to the
  ADPD card of the DSLAM, and the DSLAM connects to RouterB through an interface
  on the main board.
• Backup link: RouterA connects to a NodeB through a cellular interface, and
  communicates with the IP network through the 3G network.

NOTE

In this example, the DSLAM is an MA5600T, and its configuration is provided for reference.

Figure 14-2 Backup between ADSL and cellular interfaces


Procedure
Step 1 Configure RouterA.

#
interface Atm1/0/0 //Configure the ATM interface connected to the ADSL link.
ip address 10.1.0.5 255.255.255.252 //Assign an IP address to the ATM interface. Ensure that the IP address is on the same network segment as GE1/0/0 of RouterB.
pvc ipoa 20/80 //Create a PVC, and set the VPI to 20 and the VCI to 80.
map ip 10.1.0.6 //Configure IPoA mapping for the PVC.
standby interface Cellular0/0/0 //Configure the 3G interface as the standby interface.
#
interface Cellular0/0/0 //Configure the standby interface.
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular //Enable circular DCC.
dialer-group 1
dialer timer autodial 60 //Set the interval for automatic dialup.
dialer number *99# autodial //Enable the 3G interface to automatically dial up using the dialer number *99#.
#
dialer-rule //Specify a dialer access control list.
dialer-rule 1 ip permit
# //Configure static routes to the gateway. (Configure a default route if you do not know the gateway IP address.)
ip route-static 200.168.2.0 255.255.255.0 10.1.0.6 preference 40
ip route-static 200.168.2.0 255.255.255.0 Cellular0/0/0 preference 80
#

Step 2 Configure the DSLAM.


#
vlan 100 smart
port vlan 100 0/8 3 //Add the uplink interface connected to RouterB to VLAN 100.
#
interface scu 0/8
native-vlan 3 vlan 100 //Specify the native VLAN for the uplink interface.
#
service-port 40 vlan 100 adsl 0/4/32 vpi 20 vci 80 //Add ADSL interface 0/4/32 to the service interface.
#
mac-pool 3 0000-0000-0001 //Create MAC address pool 3 and set the start MAC address to 0000-0000-0001.
ipoa enable
encapsulation 0/4/32 vpi 20 vci 80 type ipoa llc srcIP 10.1.0.5 dstIP 10.1.0.6 //Configure the IPoA encapsulation mode for ADSL interface 0/4/32. The VPI and VCI must be the same as those of the uplink ATM interface.
#

Step 3 Configure RouterB.


#
interface GigabitEthernet1/0/0
ip address 10.1.0.6 255.255.255.252
#


Step 4 Verify the configuration.


# Run the display ip interface brief command to check the status of the ADSL and cellular
interfaces. The ADSL interface ATM1/0/0 is in Up state, and Cellular0/0/0 is in Down state.
When RouterA pings the gateway address, the number of received packets on ATM1/0/0
increases.
# When ATM1/0/0 is shut down, Cellular0/0/0 goes to Up state. When RouterA pings the
gateway address, the number of received packets on Cellular0/0/0 increases.

----End

Configuration Notes
• Cellular interfaces support only circular DCC.
• The primary and backup interfaces must have reachable routes to the destination network
  segment.
• The VPI and VCI used on the DSLAM must be the same as those used on RouterA.
  When configuring IPoA on the DSLAM for the first time, configure a MAC address
  pool.
• It takes some time for a cellular interface to dial to the 3G interface. Therefore, some
  data packets may be lost during an active/standby switchover.

14.3 Example for Configuring Interface Backup Between Ethernet Interfaces
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-3, RouterA connects to the IP network through Ethernet1/0/0 and
Ethernet2/0/0.
Ethernet1/0/0 is the primary interface, and Ethernet2/0/0 is the backup interface.

Figure 14-3 Networking diagram of interface backup

Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
ip address 1.1.1.1 255.255.255.0 //Assign an IP address to Ethernet1/0/0, which
is the active interface connected to the IP network.
standby interface Ethernet2/0/0 30 //Configure Ethernet2/0/0 as the standby
interface and set its priority to 30.
#
interface Ethernet2/0/0
ip address 2.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 0.0.0.0 0.0.0.0 2.1.1.2
#

Step 2 Verify the configuration.


# Run the display standby state command on RouterA to check the status of Ethernet1/0/0
and Ethernet2/0/0. Ethernet1/0/0 is in Up state and Ethernet2/0/0 is in standby state.

----End

Configuration Notes
● Only WAN interfaces support interface backup.
● A primary interface can have a maximum of three backup interfaces.
● An interface can be used as the backup interface of only one primary interface.
● A maximum of 10 primary interfaces can be configured on a router simultaneously.
● When the primary interface is faulty, backup interfaces are selected based on priorities.
  When backup interfaces have the same priority, they are selected in the configuration
  order.

14.4 Example for Configuring Dynamic Route Backup to Implement IP Network Backup on the ISDN
Applicability
This example applies to all versions and all AR routers except AR150/200.

Networking Requirements
As shown in Figure 14-4, RouterA functions as the gateway of the branch, and RouterB
functions as the gateway of the headquarters.
The IP network provides the primary communication path for the headquarters and branch.
The integrated services digital network (ISDN) provides the backup link for the headquarters
and branch.
The access codes of the branch and headquarters are 660220 and 660210 respectively.
RouterA monitors the status of the route to 10.1.2.0/24 (headquarters). When the primary link
becomes unavailable, RouterA uses the backup dial-up link.


Figure 14-4 Networking diagram of dial-up backup

Procedure
Step 1 Configure RouterA.
#
standby routing-rule 1 ip 10.1.2.0 255.255.255.0 //Create a dynamic routing
backup group and add the monitored network segment to the group.
#
controller E1 1/0/0 //Configure the physical interface E1 1/0/0.
pri-set
#
interface Serial1/0/0:15
link-protocol ppp
ip address 20.1.1.1 255.255.255.0 //Assign an IP address to the dialup interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Configure dialer group 1 for the dialup group.
dialer route ip 20.1.1.2 broadcast 660210 //Configure the destination IP address
and dialer number in the dialer group.
standby routing-group 1 //Enable routing backup on the standby dialup interface.
#
interface Ethernet2/0/0
ip address 30.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0, which
connects to the branch network through the active link.
#
dialer-rule
dialer-rule 1 ip permit //Configure a dialer rule for dialer group 1 and
configure the condition that triggers DCC dialup.
#
ospf 1 router-id 1.1.1.1 //Enable OSPF.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#

Step 2 Configure RouterB.


#
controller E1 1/0/0 //Configure the physical interface E1 1/0/0.
pri-set
#
interface Serial1/0/0:15
link-protocol ppp
ip address 20.1.1.2 255.255.255.0 //Assign an IP address to the dialup interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Configure dialer group 1 for the dialup group.
dialer route ip 20.1.1.1 broadcast 660220 //Configure the destination IP address
and dialer number in the dialer group.
#
interface Ethernet2/0/0
ip address 40.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0, which
connects to the headquarters network through the active link.
#
dialer-rule
dialer-rule 1 ip permit //Configure a dialer rule for dialer group 1 and
configure the condition that triggers DCC dialup.
#
ospf 1 router-id 2.2.2.2 //Enable OSPF.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#

Step 3 Configure RouterC and RouterD.


For details, see the OSPF configuration on RouterA and RouterB. Ensure that RouterA and
RouterB have reachable routes to each other.
Step 4 Verify the configuration.
# Check the routing table on RouterA. When the primary route is reachable, the outbound
interface of the route to 10.1.2.0/24 is Ethernet2/0/0, and no data traffic is transmitted on
dialup interface Serial1/0/0:15.
# When the primary route is unreachable, the outbound interface of the route to 10.1.2.0/24 is
Serial1/0/0:15, and data traffic is transmitted on dialup interface Serial1/0/0:15.

----End

Configuration Notes
● The AR supports a maximum of 255 standby routing groups and each group contains
  only one network segment.


14.5 Example for Configuring Single-hop BFD for Detecting Link Faults

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-5, RouterA is directly connected to RouterB through a Layer 3
physical link. Faults on the link between RouterA and RouterB need to be detected quickly.

Figure 14-5 Networking diagram for configuring single-hop BFD on a Layer 3 physical link

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
bfd
#
interface GigabitEthernet 1/0/0
ip address 10.1.1.1 255.255.255.0
#
bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet 1/0/0 //Create a
single-hop BFD session named atob.
discriminator local 1 //Set the local discriminator to 1.
discriminator remote 2 //Set the remote discriminator to 2.
commit
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
bfd
#
interface GigabitEthernet 1/0/0
ip address 10.1.1.2 255.255.255.0
#
bfd atob bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0 //Create a
single-hop BFD session named atob.
discriminator local 2 //Set the local discriminator to 2.
discriminator remote 1 //Set the remote discriminator to 1.
commit
#
return

Step 3 Verify the configuration.


# After the configuration is complete, run the display bfd session all verbose command on
RouterA and RouterB. The command output shows that a single-hop BFD session is set up and
its status is Up.

----End

Configuration Notes
● When creating a single-hop BFD session for the first time, bind the single-hop BFD
  session to the peer IP address and the local address.
● The local discriminator of the local system must be the same as the remote discriminator
  of the remote system; the remote discriminator of the local system must be the same as
  the local discriminator of the remote system.

14.6 Example for Configuring Multi-hop BFD for Detecting Link Faults
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-6, RouterA is indirectly connected to RouterC. Static routes are
configured so that RouterA can communicate with RouterC. Faults on the link between
RouterA and RouterB need to be detected quickly.

Figure 14-6 Networking diagram for configuring multi-hop BFD

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
bfd
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to RouterA interface.
#
bfd atoc bind peer-ip 10.2.1.2 //Configure a multi-hop BFD session.
discriminator local 10 //Set the local discriminator to 10.
discriminator remote 20 //Set the remote discriminator to 20.
commit
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route.
#
return


Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to RouterB interface.
#
interface GigabitEthernet2/0/0 //Assign an IP address to RouterB interface.
ip address 10.2.1.1 255.255.255.0
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
bfd
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0 //Assign an IP address to RouterC interface.
#
bfd ctoa bind peer-ip 10.1.1.1 //Configure a multi-hop BFD session.
discriminator local 20 //Set the local discriminator to 20.
discriminator remote 10 //Set the remote discriminator to 10.
commit
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1 //Configure a static route.
#
return

Step 4 Verify the configuration.


# After the configuration is complete, run the display bfd session all verbose command on
RouterA and RouterC. The command output shows that a multi-hop BFD session is set up and
the (Multi Hop) State field displays Up.
----End

Configuration Notes
● When creating a multi-hop BFD session for the first time, bind the BFD session to the
  peer IP address.
● The local discriminator of the local system must be the same as the remote discriminator
  of the remote system; the remote discriminator of the local system must be the same as
  the local discriminator of the remote system.
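
The discriminator rule in the configuration notes of the single-hop and multi-hop BFD examples can be checked offline before the configurations are applied. The following Python is an added example, not part of the Huawei manual; the function names are illustrative, and the input is the multi-hop configuration above, trimmed, plus one constructed fault.

```python
import re

# Constructed input: the RouterA, RouterB and RouterC configurations of the
# multi-hop example, trimmed to the lines this check reads.
ROUTER_A = """\
bfd
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to RouterA interface.
#
bfd atoc bind peer-ip 10.2.1.2 //Configure a multi-hop BFD session.
discriminator local 10
discriminator remote 20
commit
#
"""
ROUTER_B = """\
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
"""
ROUTER_C = """\
bfd
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0
#
bfd ctoa bind peer-ip 10.1.1.1
discriminator local 20
discriminator remote 10
commit
#
"""
GOOD = {"RouterA": ROUTER_A, "RouterB": ROUTER_B, "RouterC": ROUTER_C}
# Constructed fault: RouterC's remote discriminator (20) no longer equals
# RouterA's local discriminator (10).
BAD = dict(GOOD, RouterC=ROUTER_C.replace("remote 10", "remote 20"))

BFD_RE = re.compile(r"^bfd (\S+) bind peer-ip (\S+)")
IP_RE = re.compile(r"^ip address (\S+) \S+$")
DISC_RE = re.compile(r"^discriminator (local|remote) (\d+)$")


def parse_config(text):
    """Return (interface IPs, BFD sessions) found in one router's configuration."""
    ips, sessions, current = set(), [], None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()   # drop the manual's inline comments
        if line == "#":                     # '#' closes the current view
            current = None
        elif BFD_RE.match(line):            # a bare "bfd" (global enable) does not match
            name, peer = BFD_RE.match(line).groups()
            current = {"name": name, "peer": peer, "local": None, "remote": None}
            sessions.append(current)
        elif IP_RE.match(line):
            ips.add(IP_RE.match(line).group(1))
        elif DISC_RE.match(line) and current is not None:
            kind, value = DISC_RE.match(line).groups()
            current[kind] = int(value)
    return ips, sessions


def check_bfd_pairs(configs):
    """Return (router, session, problem) tuples for sessions that cannot pair up."""
    parsed = {name: parse_config(text) for name, text in configs.items()}
    owner = {ip: name for name, (ips, _) in parsed.items() for ip in ips}
    findings = []
    for name, (ips, sessions) in parsed.items():
        for s in sessions:
            peer = owner.get(s["peer"])
            if peer is None:
                findings.append((name, s["name"],
                                 "peer-ip %s is not on any supplied router" % s["peer"]))
                continue
            # The peer's session must point back at one of this router's addresses.
            reverse = [r for r in parsed[peer][1] if r["peer"] in ips]
            if not reverse:
                findings.append((name, s["name"],
                                 "%s has no session bound to this router" % peer))
                continue
            r = reverse[0]
            if s["local"] != r["remote"] or s["remote"] != r["local"]:
                findings.append((name, s["name"],
                                 "local %s/remote %s does not mirror %s (local %s/remote %s)"
                                 % (s["local"], s["remote"], peer, r["local"], r["remote"])))
    return findings


if __name__ == "__main__":
    for label, configs in (("as documented", GOOD), ("constructed fault", BAD)):
        print(label, check_bfd_pairs(configs) or "OK")
```
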

14.7 Example for Configuring Association Between VRRP Load Balancing and BFD to Fast Switch Services and Detect Uplink Faults

Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-7, RouterA is directly connected to RouterB on a company network.
Both RouterA and RouterB connect to a downstream switch. The company requires that
Internet access and email services be transmitted by RouterA, and video and core services be
transmitted by RouterB. When the link of RouterA or RouterB fails, all services are switched
to the other router.

Figure 14-7 Networking diagram for configuring multi-hop BFD

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3100
rule 5 permit ip destination 1.1.1.3 0
#
bfd
#
traffic classifier 0 operator or
if-match acl 3100
#
traffic behavior 0
redirect ip-nexthop 192.168.2.253 track nqa internet icmp //Associate
redirection with NQA.
#
traffic policy 0
classifier 0 behavior 0
#
ip pool 1
gateway-list 192.168.0.2
network 192.168.0.0 mask 255.255.255.0
#
interface Vlanif1
ip address 192.168.0.253 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.0.1
vrrp vrid 1 priority 90
vrrp vrid 1 track bfd-session 20 increased 20 //Associate VRRP with BFD to
implement fast switching.
vrrp vrid 2 virtual-ip 192.168.0.2 //Configure VRRP group 1 and VRRP group 2 to
implement load balancing.
vrrp vrid 2 track bfd-session 20 reduced 20
traffic-policy 0 inbound //Configure a traffic policy to differentiate
services.
dhcp select global
#
interface GigabitEthernet0/0/0
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
#
bfd vrrp bind peer-ip 192.168.0.254 interface Vlanif1 //Configure BFD to detect
the link quality of the interface connected to the switch.
discriminator local 20
discriminator remote 10
commit
#
nqa test-instance internet icmp //Configure NQA to detect the link from RouterA
to RouterB.
test-type icmp
destination-address ipv4 2.2.2.1
frequency 12
timeout 1
start now
#
ip route-static 2.2.2.0 255.255.255.0 192.168.2.253
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
acl number 3100
rule 5 permit ip destination 2.2.2.1 0
#
bfd
#
traffic classifier 0 operator or
if-match acl 3100
#
traffic behavior 0
redirect ip-nexthop 192.168.2.254 track nqa internet icmp //Associate
redirection with NQA.
#
traffic policy 0
classifier 0 behavior 0
#
ip pool 1
gateway-list 192.168.0.1
network 192.168.0.0 mask 255.255.255.0
#
interface Vlanif1
ip address 192.168.0.254 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.0.1
vrrp vrid 1 track bfd-session 10 reduced 20
vrrp vrid 2 virtual-ip 192.168.0.2 //Configure VRRP group 1 and VRRP group 2 to
implement load balancing.
vrrp vrid 2 priority 90
vrrp vrid 2 track bfd-session 10 increased 20 //Associate VRRP with BFD to
implement fast switching.
traffic-policy 0 inbound //Configure a traffic policy to differentiate
services.
dhcp select global
#
interface GigabitEthernet0/0/0
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.2.253 255.255.255.0 //Assign an IP address to an interface
of RouterB.
#
bfd vrrp bind peer-ip 192.168.0.253 interface Vlanif1 //Configure BFD to detect
the link quality of the interface connected to the switch.
discriminator local 10
discriminator remote 20
commit
#
nqa test-instance internet icmp //Configure NQA to detect the link from RouterB
to RouterA.
test-type icmp
destination-address ipv4 1.1.1.1
frequency 12
timeout 1
start now
#
ip route-static 1.1.1.0 255.255.255.0 192.168.2.254
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1 //Configure a static route.
#
return

----End

14.8 Example for Configuring VRRP to Implement Gateway Redundancy
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-8, Host A communicates with Host B through the default gateway.
RouterA and RouterB form a VRRP group, which functions as the default gateway of Host A.
RouterA serves as the master router, and RouterB functions as the backup router. When
RouterA fails, RouterB functions as the gateway.
After RouterA is restored, it becomes the master router within 20 seconds by preemption.


Figure 14-8 VRRP backup group in master/backup mode

Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Ethernet1/0/0,
which is connected to Host A.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address.
vrrp vrid 1 priority 120 //Set the priority of RouterA to 120 in the VRRP
backup group. By default, the priority of a router is 100, and a larger value
indicates a higher priority.
vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay time to 20
seconds.
#
interface Ethernet1/0/1
ip address 11.1.1.1 255.255.255.0 //Assign an IP address to Ethernet1/0/1,
which is connected to Host B.
#

Step 2 Configure RouterB.


#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to Ethernet1/0/0,
which is connected to Host A.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address.
#
interface Ethernet1/0/1
ip address 11.1.1.2 255.255.255.0 //Assign an IP address to Ethernet1/0/1,
which is connected to Host B.
#

Step 3 Verify the configuration.


# Run the display vrrp command on RouterA to check the status of Ethernet1/0/0 in the
VRRP group. Ethernet1/0/0 is in master state.
# Run the display vrrp command on RouterB to check the status of Ethernet1/0/0 in the
VRRP group. Ethernet1/0/0 is in backup state.
----End


Configuration Notes
● Configure the same virtual IP address for RouterA and RouterB.
● Configure priorities for RouterA and RouterB to determine the master/backup routers in
  the VRRP group. By default, the priority of a router is 100, and a larger value indicates a
  higher priority.
● Host B must have reachable routes to RouterA and RouterB.

14.9 Example for Deploying VRRP to Load Services on the Master and Backup Devices
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 14-9, two VRRP groups need to be configured on RouterA and RouterB.
The two VRRP groups load balance traffic and back up each other.
RouterA functions as the master router in VRRP group 1 and the backup router in VRRP
group 2.
RouterB functions as the master router in VRRP group 2 and the backup router in VRRP
group 1.
Host A uses VRRP group 1 as the gateway, and host C uses VRRP group 2 as the gateway.

Figure 14-9 VRRP groups in load balancing mode


Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0,
which is connected to Host A.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address
for VRRP group 1.
vrrp vrid 1 priority 120 //Set the priority of RouterA to 120 in VRRP
group 1.
vrrp vrid 2 virtual-ip 10.1.1.112 //Configure the virtual gateway IP address
for VRRP group 2.
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#

Step 2 Configure RouterB.


#
interface Ethernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to Ethernet2/0/0,
which is connected to Host C.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address
for VRRP group 1.
vrrp vrid 2 virtual-ip 10.1.1.112 //Configure the virtual gateway IP address
for VRRP group 2.
vrrp vrid 2 priority 120 //Set the priority of RouterB to 120 in VRRP
group 2.
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#

Step 3 Configure RouterC.


#
interface Ethernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 192.168.2.2 255.255.255.0
#
interface Ethernet3/0/0
ip address 20.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#

Step 4 Verify the configuration.


# Perform a tracert test on Host A to check connectivity between Host A and Host B. The
following command output shows that the route from Host A to Host B passes through
RouterA and RouterC.


<HostA> tracert 20.1.1.100


traceroute to 20.1.1.100(20.1.1.100), max hops: 30, packet length: 40
1 10.1.1.1 120ms 50 ms 60 ms
2 192.168.1.2 100 ms 60 ms 60 ms
3 20.1.1.100 130 ms 90 ms 90 ms

# Perform a tracert test on Host C to check connectivity between Host C and Host B. The
following command output shows that the route from Host C to Host B passes through
RouterB and RouterC.
<HostC> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100), max hops: 30, packet length: 40
1 10.1.1.2 30 ms 60 ms 40 ms
2 192.168.2.2 90 ms 60 ms 60 ms
3 20.1.1.100 70 ms 60 ms 90 ms

# Run the display vrrp command on RouterA. VRRP group 1 is in master state, and VRRP
group 2 is in backup state. This indicates that RouterA functions as the master router in VRRP
group 1 and the backup router in VRRP group 2.
<RouterA> display vrrp
Ethernet2/0/0 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:02:21
Last change time : 2007-11-22 16:02:25
Ethernet2/0/0 | Virtual Router 2
state : Backup
Virtual IP : 10.1.1.112
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:03:05
Last change time : 2007-11-22 16:03:09

# Run the shutdown command on Ethernet2/0/0 of RouterB to simulate a failure of VRRP
group 2. Run the display vrrp command on RouterA. VRRP group 1 and VRRP group 2 are
both in master state. This indicates that RouterA functions as the master router in VRRP
group 1 and VRRP group 2. RouterA functions as the gateway in both VRRP groups.
<RouterA> display vrrp
Ethernet2/0/0 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:02:21
Last change time : 2007-11-22 16:02:25
Ethernet2/0/0 | Virtual Router 2
state : Master
Virtual IP : 10.1.1.112
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:03:05
Last change time : 2007-11-22 16:03:09

----End

Configuration Notes
● RouterA and RouterB must have the same virtual IP address in the same VRRP group.
● Configure priorities for RouterA and RouterB in the VRRP groups to determine the
  master/backup routers in the VRRP groups. By default, the priority of a router is 100.
● Before performing tracert, run the icmp port-unreachable send command on RouterA,
  RouterB, and RouterC to enable devices to send ICMP Unreachable packets.
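
The two display vrrp outputs in the verification step can also be compared programmatically, so that a mastership change is reported rather than spotted by eye. The following Python is an added example, not part of the Huawei manual; the function names are illustrative, and it assumes the field labels appear as printed in the outputs above.

```python
import re

# Constructed input: RouterA's first "display vrrp" output from the
# verification step, abbreviated to the fields the comparison uses.
BEFORE = """\
Ethernet2/0/0 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
Preempt : YES Delay Time : 0 s
Create time : 2007-11-22 16:02:21
Ethernet2/0/0 | Virtual Router 2
state : Backup
Virtual IP : 10.1.1.112
Master IP : 10.1.1.2
PriorityRun : 100
Preempt : YES Delay Time : 0 s
Create time : 2007-11-22 16:03:05
"""
# The second output (after Ethernet2/0/0 on RouterB is shut down) differs
# only in the state and Master IP of Virtual Router 2.
AFTER = (BEFORE.replace("state : Backup", "state : Master")
               .replace("Master IP : 10.1.1.2", "Master IP : 10.1.1.1"))

HEADER_RE = re.compile(r"^(\S+)\s*\|\s*Virtual Router (\d+)$")
PREEMPT_RE = re.compile(r"^Preempt\s*:\s*(\S+)\s+Delay Time\s*:\s*(.+)$")


def parse_display_vrrp(text):
    """Return {(interface, vrid): {field: value}} with lower-cased field names."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = groups.setdefault((header.group(1), int(header.group(2))), {})
            continue
        if current is None or ":" not in line:
            continue
        preempt = PREEMPT_RE.match(line)
        if preempt:                         # this line carries two fields
            current["preempt"] = preempt.group(1)
            current["delay time"] = preempt.group(2).strip()
            continue
        # Split on the first colon only, so timestamps keep their own colons.
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    return groups


def vrrp_changes(before, after, fields=("state", "master ip", "priorityrun")):
    """Return (interface, vrid, field, old, new) for each watched field that changed."""
    old, new = parse_display_vrrp(before), parse_display_vrrp(after)
    changes = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for field in fields:
            if o.get(field) != n.get(field):
                changes.append((key[0], key[1], field, o.get(field), n.get(field)))
    return changes


if __name__ == "__main__":
    for change in vrrp_changes(BEFORE, AFTER):
        print("%s vrid %d: %s %s -> %s" % change)
```
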


15 User Access and Authentication

15.1 Example for Configuring 802.1x Local Authentication to Authenticate Users
15.2 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through
a RADIUS Server
15.3 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through
Active/Standby RADIUS Servers
15.4 Example for Configuring Command Line Authorization for Telnet Users Through
HWTACACS
15.5 Example for Configuring Authentication for STelnet Login Users (RADIUS
Authentication)
15.6 Example for Configuring Authentication for Telnet Login Users (HWTACACS)

15.1 Example for Configuring 802.1x Local Authentication to Authenticate Users
Applicability
This example applies to all versions and AR routers.

Networking Requirements
PC1 (10.10.10.2/30) is directly connected to RouterA through Eth2/0/1. The gateway IP
address for PC1 is 10.10.10.1/30, which is the IP address of VLANIF10 on RouterA. 802.1x
local authentication needs to be configured on RouterA.

Figure 15-1 Networking diagram of 802.1x local authentication


Procedure
Step 1 Configure RouterA.
In earlier versions of V200R007:

#
vlan batch 10
#
dot1x enable //Globally enable 802.1x authentication.
#
aaa
local-user huawei password cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%#
//Configure the password of a local user to huawei@123.
local-user huawei privilege level 0
local-user huawei service-type 8021x //Configure a local user.
#

interface Ethernet2/0/1
port link-type access
port default vlan 10
dot1x enable //Enable 802.1x authentication on the interface.
dot1x port-method port //Set the access mode on the interface to port-based
authentication.
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#

In V200R008 or later versions:

#
vlan batch 10
#
authentication-profile name p1
dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the
authentication profile p1
#
aaa
local-user huawei password cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%#
//Configure the password of a local user to huawei@123.
local-user huawei privilege level 0
local-user huawei service-type 8021x //Configure a local user.
#

interface Ethernet2/0/1
port link-type access
port default vlan 10
authentication-profile p1 //Bind the authentication profile p1 to Eth2/0/1
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
dot1x-access-profile name d1
#

Step 2 Verify the configuration.


Start the 802.1x client software on PC1 and enter the user name huawei and password
huawei@123. PC1 goes online successfully. Run the display access-user command on
RouterA. The command output shows information about user huawei.

----End

Configuration Notes
By default, access users are authenticated based on MAC addresses on an interface. Each user
is authenticated individually. When port-based 802.1x authentication is configured, all the
other users on the interface can go online without authentication after the first user is
authenticated.

15.2 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through a RADIUS Server
Applicability
This example applies to all versions and AR routers.

Networking Requirements
PCA connects to the Internet through RouterA. RouterA and the RADIUS server have
reachable routes to each other. To ensure network security, users must be authenticated before
connecting to the Internet.

Figure 15-2 Networking diagram of 802.1x remote authentication

Procedure
Step 1 Configure RouterA.
In earlier versions of V200R007:

#
vlan batch 10
#
dot1x enable //Globally enable 802.1x authentication.
#
radius-server template radius1 //Create a RADIUS server template.
radius-server shared-key cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%#
//Configure a shared key used by the router and the RADIUS server.
radius-server authentication 10.11.1.1 1645 //Configure a RADIUS authentication
server.
radius-server accounting 10.11.1.1 1646 //Configure a RADIUS accounting server.
#
aaa
authentication-scheme radius1 //Configure an authentication scheme.
authentication-mode radius //Set the authentication mode to RADIUS
authentication.
accounting-scheme radius1 //Configure an accounting scheme.
accounting-mode radius //Set the accounting mode to RADIUS accounting.
domain huawei //Create a user domain.
authentication-scheme radius1 //Apply the RADIUS authentication scheme to the
user domain.
accounting-scheme radius1 //Apply the RADIUS accounting scheme to the user
domain.
radius-server radius1 //Apply the RADIUS server template to the user
domain.
#

interface Ethernet2/0/1
port link-type access
port default vlan 10
dot1x enable //Enable 802.1x on the interface.
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#

In V200R008 or later versions:

#
vlan batch 10
#
authentication-profile name p1
dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the
authentication profile p1
#
radius-server template radius1 //Create a RADIUS server template.
radius-server shared-key cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%#
//Configure a shared key used by the router and the RADIUS server.
radius-server authentication 10.11.1.1 1645 //Configure a RADIUS authentication
server.
radius-server accounting 10.11.1.1 1646 //Configure a RADIUS accounting server.
#
aaa
authentication-scheme radius1 //Configure an authentication scheme.
authentication-mode radius //Set the authentication mode to RADIUS
authentication.
accounting-scheme radius1 //Configure an accounting scheme.
accounting-mode radius //Set the accounting mode to RADIUS accounting.
domain huawei //Create a user domain.
authentication-scheme radius1 //Apply the RADIUS authentication scheme to the
user domain.
accounting-scheme radius1 //Apply the RADIUS accounting scheme to the user
domain.
radius-server radius1 //Apply the RADIUS server template to the user
domain.
#

interface Ethernet2/0/1
port link-type access
port default vlan 10
authentication-profile p1 //Bind the authentication profile p1 to Eth2/0/1
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
dot1x-access-profile name d1
#

Step 2 Verify the configuration.


On the primary RADIUS server, add user user1@huawei, set the password to user1@123, and
configure the shared key as radius, which is the same as the shared key on the router. After
the user is authenticated successfully, run the display access-user command. The Username
field shows user1@huawei, and the corresponding Status field displays Success.

----End

Configuration Notes
● The default port number of the RADIUS authentication server is 1645 or 1812, and the
  default port number of the RADIUS accounting server is 1646 or 1813. The port
  numbers of the authentication and accounting servers configured on the router must be
  the same as those on the RADIUS server.
● The router and RADIUS server must use the same shared key.
● The router and RADIUS server must have reachable routes to each other.

15.3 Example for Configuring 802.1x Remote Authentication to Authenticate Users Through Active/Standby RADIUS Servers
Specifications
This example applies to all versions and AR routers.

Networking Requirements
PCs connect to the Internet through the router. To ensure network security, 802.1x
authentication must be performed on users before they access the Internet. The IP addresses of
the primary and secondary RADIUS servers are 10.10.10.1/24 and 10.10.10.2/24 respectively.
When the primary RADIUS server is faulty, the router can switch services to the secondary
RADIUS server within 3s.


Figure 15-3 Networking diagram for configuring 802.1x authentication

Procedure
Step 1 Configure the router.

In earlier versions of V200R007:

#
vlan batch 10
#
dot1x enable
#
radius-server template shiva //Configure a RADIUS server template
shiva.
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS
authentication server.
radius-server authentication 10.10.10.2 1812 secondary //Configure the secondary
RADIUS authentication server.
#
aaa
authentication-scheme scheme0 //Create an authentication scheme scheme0.
authentication-mode radius
domain huawei //Configure a domain huawei.
authentication-scheme scheme0
radius-server shiva
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 10
dot1x enable
#

In V200R008 or later versions:


#
vlan batch 10
#
authentication-profile name p1
 dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the authentication profile p1.
#
radius-server template shiva //Configure a RADIUS server template shiva.
 radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
 radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS authentication server.
 radius-server authentication 10.10.10.2 1812 secondary //Configure the secondary RADIUS authentication server.
#
aaa
 authentication-scheme scheme0 //Create an authentication scheme scheme0.
  authentication-mode radius
 domain huawei //Configure a domain huawei.
  authentication-scheme scheme0
  radius-server shiva
#
interface Vlanif10
 ip address 192.168.1.2 255.255.255.0
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 10
 authentication-profile p1 //Bind the authentication profile p1 to Eth2/0/0
#
dot1x-access-profile name d1
#

Step 2 Verify the configuration.


On the primary RADIUS server, add user user1@huawei, set the password to Huawei@2012,
and configure the shared key as radius, which is the same as the shared key on the router.
After the user is authenticated successfully, run the display access-user command. The
Username field shows a user named user1@huawei, and the corresponding Status field
displays Success.

----End

Configuration Notes
- The router and the primary RADIUS server must use the same port number.
- The router and the primary RADIUS server must use the same shared key.
- There must be a reachable route between the router and the primary RADIUS server.

15.4 Example for Configuring Command Line Authorization for Telnet Users Through HWTACACS

Specification
This example applies to all AR models of all versions.


Networking Requirements
As shown in Figure 15-4, a user accesses the network through the Router. The user belongs to
the domain huawei.com and the user level is 3. The user does not need to use some level-3
commands. To implement refined management and ensure device security, configure the
Router to perform command line authorization for the user through HWTACACS and record
the commands executed by the user.
The IP address of the HWTACACS server is 10.1.6.6/24, authentication port number is 49,
and authorization port number is 49.

Figure 15-4 HWTACACS-based command line authorization

Procedure
Step 1 Configure the Router.

#
sysname Router
#
hwtacacs-server template 1 //Configure an HWTACACS server template.
 hwtacacs-server authentication 10.1.6.6 weight 80 //Configure an HWTACACS authentication server.
 hwtacacs-server authorization 10.1.6.6 weight 80 //Configure an HWTACACS authorization server.
 hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%# //Set the shared key between router and HWTACACS server to Hello@1234.
#
aaa
 authentication-scheme sch1 //Create the authentication scheme sch1.
  authentication-mode hwtacacs
 authorization-scheme ht //Create the authorization scheme ht.
  authorization-mode hwtacacs
  authorization-cmd 3 hwtacacs //Configure command line authorization for users at level 3.
 recording-scheme scheme0 //Create the record scheme scheme0.
  recording-mode hwtacacs 1 //Associate an HWTACACS server template with the record scheme scheme0.
 cmd recording-scheme scheme0 //Configure scheme0 to record the commands executed on the device.
 service-scheme sch1 //Create the service scheme sch1.
  admin-user privilege level 15
 domain huawei.com //Create the domain huawei.com.
  authentication-scheme sch1 //Specify the HWTACACS authentication scheme for the users in this domain.
  authorization-scheme ht //Specify the HWTACACS authorization scheme for the users in this domain.
  service-scheme sch1 //Specify the service scheme for the users in this domain.


  hwtacacs-server 1 //Specify the HWTACACS server template for the users in this domain.
#
interface GigabitEthernet1/0/1
 ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 10.1.6.10 255.255.255.0
#
telnet server enable //Enable the Telnet server.
#
user-interface maximum-vty 15 //Set the maximum number of login users on the VTY user interface to 15.
user-interface vty 0 14
 authentication-mode aaa //Set the authentication mode for VTY user interface to AAA.
#
return

Step 2 Verify the configuration.


# Choose Start > Run on your computer and enter cmd to open the cmd window. Run the
telnet command and enter the user name user1@huawei.com and password Huawei@1234
to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Router>//The administrator successfully logs in to the device.
# Run the display authorization-scheme ht command. The command output shows that
command line authorization is configured for level-3 users.
<Huawei> display authorization-scheme ht
---------------------------------------------------------------------------
 Authorization-scheme-name            : ht
 Authorization-method                 : HWTACACS
 Authorization-cmd level 0            : Disabled
 Authorization-cmd level 1            : Disabled
 Authorization-cmd level 2            : Disabled
 Authorization-cmd level 3            : Enabled ( HWTACACS )
 Authorization-cmd level 4            : Disabled
 Authorization-cmd level 5            : Disabled
 Authorization-cmd level 6            : Disabled
 Authorization-cmd level 7            : Disabled
 Authorization-cmd level 8            : Disabled
 Authorization-cmd level 9            : Disabled
 Authorization-cmd level 10           : Disabled
 Authorization-cmd level 11           : Disabled
 Authorization-cmd level 12           : Disabled
 Authorization-cmd level 13           : Disabled
 Authorization-cmd level 14           : Disabled
 Authorization-cmd level 15           : Disabled


 Authorization-cmd no-response-policy : Online
---------------------------------------------------------------------------

----End

Configuration Notes
- The Router and HWTACACS server must use the same authentication port number.
- The Router and HWTACACS server must use the same shared key.
- There must be a reachable route between the Router and HWTACACS server.

15.5 Example for Configuring Authentication for STelnet Login Users (RADIUS Authentication)

Specification
This example applies to all AR models of all versions.

Networking Requirements
Users connect to the Router through STelnet. During SSH authentication, the Router supports
remote RADIUS authentication for SSH users.
When authenticating a user, the RADIUS server returns the authentication result to the Router.
The Router determines whether the user can access the network depending on the
authentication result.

Figure 15-5 Networking diagram of configuring RADIUS authentication for SSH users

Procedure
Step 1 Generate a local key pair on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] rsa local-key-pair create
The key name will be: Host
RSA keys defined for Host already exist.
Confirm to replace them? (y/n):y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is less than 2048,
It will introduce potential security risks.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
..................................................................................
....+++
....+++


.......................................++++++++
..............++++++++

Step 2 Configure AAA on Router.


#
radius-server template ssh //Specify the RADIUS template ssh for the server end.
 radius-server shared-key cipher %^%#b8M{Q8]h|Xf(7*;+<N@IIq{c*g6x9%o`~R&/ok/X%^% //Set the shared key Huawei@123 in cipher text on the RADIUS server.
 radius-server authentication 10.164.6.49 1812 weight 80 //Configure the IP address and port number of the RADIUS authentication server.
#
aaa
 authentication-scheme newscheme //Set the authentication scheme newscheme on the SSH server.
  authentication-mode radius //Set the authentication mode in newscheme to RADIUS.
 domain ssh.com //Set the RADIUS domain name on the SSH server to ssh.com.
  authentication-scheme newscheme //Specify the RADIUS authentication scheme for the users in this domain.
  radius-server ssh //Specify the RADIUS server template for the users in this domain.
 local-user admin password irreversible-cipher $1a$QjpV-qYo;E$Eq,ZXUKmiBQsnn@#V_8H'XFcN/OEaVdFQ/%#$St;$ //Set the SSH user name to admin and password to Huawei@1234.
 local-user admin privilege level 15 //Set the level for the SSH user.
 local-user admin service-type ssh //Set the service type for the SSH user.
#
interface GigabitEthernet1/0/1
 ip address 10.137.217.203 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 10.164.6.10 255.255.255.0
#
ssh user admin authentication-type password //Set the authentication mode for the SSH user to password.
stelnet server enable //Enable the STelnet server on the SSH server.
#
user-interface vty 0 4
 authentication-mode aaa //Set the authentication mode for VTY0-4 users to AAA. The old password of the local user is required.
 user privilege level 15 //Set the level of VTY 0-4 users to 15.
 protocol inbound ssh //Configure VTY users to support only SSH.
#
return

Step 3 Verify the configuration.


Use the SSH client software to log in to the Router through STelnet from a terminal. The
third-party software PuTTY is used as an example here.
# Use the PuTTY software to log in to the Router, enter the device IP address, and select the
SSH protocol type.


Figure 15-6 Logging in to the SSH server through PuTTY in password authentication mode

# Click Open. On the displayed page, enter the user name admin and password
Huawei@1234 and press Enter to log in to the SSH server. (The following information is for
reference only.)
login as: admin
Sent username "admin"

admin@10.137.217.203's password:

<SSH Server>

----End

Configuration Notes
- The Router and RADIUS server must use the same authentication port number.
- The Router and RADIUS server must use the same shared key.
- If an SSH user uses password authentication, only the SSH server needs to generate the
  Rivest-Shamir-Adleman (RSA) key pair.
- There must be a reachable route between the Router and RADIUS server.


15.6 Example for Configuring Authentication for Telnet Login Users (HWTACACS)

Specifications
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 15-7, an HWTACACS server is deployed on a network, and the
administrator Telnets to the device to remotely manage it. The specific requirements are as
follows:
1. The administrator must enter the correct user name and password to log in to the device
   through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
   levels 0-15.

Figure 15-7 Example for configuring authentication for telnet login users (HWTACACS)

Procedure
Step 1 Configure the Router.

#
sysname Router
#
hwtacacs-server template 1 //Configure a HWTACACS server template.
 hwtacacs-server authentication 10.1.6.6 weight 80 //Configure the HWTACACS authentication server.
 hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%# //Set the shared key used between router and HWTACACS server to Hello@1234.
#
aaa
 authentication-scheme sch1 //Create an authentication scheme named sch1.
  authentication-mode hwtacacs //Set the authentication mode to HWTACACS.
 service-scheme sch1 //Create a service scheme named sch1.
  admin-user privilege level 15
 domain huawei.com //Create a domain named huawei.com.
  authentication-scheme sch1 //Set HWTACACS authentication for the users in the domain.


  service-scheme sch1 //Specify the service scheme for the users in the domain.
  hwtacacs-server 1 //Specify the HWTACACS server template for the users in the domain.
#
interface GigabitEthernet1/0/1
 ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 10.1.6.10 255.255.255.0
#
telnet server enable //Enable the Telnet server.
#
user-interface maximum-vty 15 //Set the maximum number of login users in VTY user interface to 15.
user-interface vty 0 14
 authentication-mode aaa //Set AAA authentication for the VTY user interface.
#
return

Step 2 Verify the configuration.


Choose Start > Run on your computer running the Windows operating system and enter cmd to
open the cmd window. Run the telnet command and enter the user name user1@huawei.com
and password Huawei@1234 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Router>//The administrator successfully logs in.

----End

Configuration Notes
- The router and the HWTACACS server must use the same port number.
- The router and the HWTACACS server must use the same shared key.
- There must be a reachable route between the router and the HWTACACS server.


16 Deploying Device or Network Security

16.1 Example for Configuring Local Attack Defense
16.2 Example for Configuring ASPF to Allow the Intranet to Provide Only FTP Service
16.3 Example for Configuring ACL-based Packet Filtering So That Internal Users Cannot Access All External Networks
16.4 Example for Prohibiting External Users from Accessing the Web Platform
16.5 Example for Configuring DHCP Snooping to Allow Users to Communicate with Valid DHCP Servers

16.1 Example for Configuring Local Attack Defense


Applicability
This example applies to all versions and routers.

Networking Requirements
As shown in Figure 16-1, users on different LANs access the Internet through RouterA. To
locate attacks on RouterA, attack source tracing needs to be configured to trace the attack
source. The following situations occur:
- A user on network segment Net1 frequently initiates attacks to RouterA.
- The attacker sends a large number of ARP Request packets, degrading CPU
  performance.
- The administrator needs to upload files to RouterA using FTP. However, no FTP
  connection has been set up between the administrator's host and RouterA.
- Most LAN users obtain IP addresses through DHCP, whereas RouterA does not first
  process DHCP client packets sent to the CPU.
Configurations should be performed on RouterA to solve the preceding problems.

NOTE

This section provides only the configuration procedures related to local attack defense. For details about
routing configurations, see the Configuration Guide - IP Routing.


Figure 16-1 Networking diagram of attack defense policy configurations

Procedure
Step 1 Configure the router.
#
acl number 4001 //Configure the ACL to be referenced by the blacklist of local attack defense.
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety //Create a local attack defense policy.
 auto-defend enable //Enable the attack source tracing capability.
 auto-defend threshold 50 //Set the attack source tracing threshold to 50 pps.
 blacklist 1 acl 4001 //Specify the blacklist.
 packet-type arp-request rate-limit 64 //Set the rate limit for ARP request packets sent to the CPU to 64 pps.
 application-apperceive packet-type ftp rate-limit 2000 //Set the rate limit for FTP packets to 2000 pps.
 packet-type dhcp-client priority 3 //Set the priority of the DHCP-client packets sent to the CPU to 3.
#
cpu-defend-policy devicesafety //Apply the attack defense policy to the MPU.
#
return

Step 2 Verify the configuration.


Run the display cpu-defend policy command on RouterA to view information about the
attack defense policy.
Run the display cpu-defend configuration command on RouterA to view the rate limit on
protocol packets.

----End


16.2 Example for Configuring ASPF to Allow the Intranet to Provide Only FTP Service

Applicability
This example applies to all versions and AR routers.

Networking Requirements
The Router functions as the gateway for LAN 10 and LAN 20. The firewall on the Router
must reject all data flows from LAN 20 to LAN 10, except the flows that the FTP server in
LAN 20 sends in response to access requests from LAN 10.

Figure 16-2 Networking diagram of ASPF firewall configuration

Procedure
Step 1 Configure the Router.

#
firewall-nat session ftp aging-time 300 //Set the aging time of FTP sessions to 300s.
#
acl number 3102
 rule 5 deny ip //Configure a rule in ACL 3102 to deny all packets.
#
firewall zone trust
 priority 15 //Set the priority of the zone trust to 15.
#
firewall zone untrust
 priority 1 //Set the priority of the zone untrust to 1.
#
firewall interzone trust untrust //Create an interzone between the zones trust and untrust.
 firewall enable //Enable the firewall function in the interzone.
 packet-filter 3102 inbound //Apply ACL 3102 to the inbound direction in the interzone to filter packets.
 detect aspf ftp //Enable ASPF for the FTP application.
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.0.0.0
 zone trust //Add the interface to the zone trust.
#
interface GigabitEthernet2/0/0
 ip address 2.2.2.2 255.0.0.0
 zone untrust //Add the interface to zone untrust.
#

Step 2 Verify the configuration.


Run the display firewall interzone command on the Router to check the firewall
configuration in the interzone.
Run the display firewall zone command on the Router to check information about the
interzone.

----End

FAQ
How are the inbound and outbound directions in an interzone defined?
Inbound is the direction from a low-priority zone to a high-priority zone. Outbound is the
direction from a high-priority zone to a low-priority zone. In this example, inbound refers to
the direction from the untrust zone to the trust zone.

16.3 Example for Configuring ACL-based Packet Filtering So That Internal Users Cannot Access All External Networks

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
The PC at 192.168.1.12/24 is prohibited from accessing all websites.

Figure 16-3 Configuring ACL-based Packet Filtering So That Internal Users Cannot Access
All External Networks

Procedure
Step 1 Configure the Router.


#
dhcp enable //Globally enable DHCP.
#
acl number 2000 //Create ACL 2000 and configure a rule that permits packets with source IP addresses on the network segment 192.168.1.0/24 to pass.
 rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3005 //Configure ACL 3005 for packet filtering.
 description deny_souce_ip_www
 rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
 rule 10 permit tcp source 192.168.1.12 0
#
ip pool pool1 //Create a global IP address pool.
 gateway-list 192.168.1.2 //Configure the egress gateway address for DHCP clients.
 network 192.168.1.0 mask 255.255.255.0 //Configure the range of allocable IP addresses in the global IP address pool.
 dns-list 10.106.0.20 10.106.46.151 //Specify the IP address of the DNS server for DHCP clients.
#
interface Serial2/0/0
 link-protocol ppp
 ip address 219.143.125.234 255.255.255.252
 nat outbound 2000 //Enable NAT for hosts on network segment 192.168.1.0/24.
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.2 255.255.255.0
 traffic-filter inbound acl 3005 //Apply ACL 3005 to the interface to filter packets on the interface.
 dhcp select global //Configure the interface to use the global IP address pool.
#
ip route-static 0.0.0.0 0.0.0.0 Serial2/0/0 //Configure a default route.
#

Step 2 Verify the configuration.


# Run the display traffic-filter statistics command on the Router to view statistics about
packets matching the ACL on the interface.

----End
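
To see which flows ACL 3005 actually drops once it is bound with traffic-filter inbound, the added sketch below (not part of the Huawei guide) parses the two rules from Step 1 and evaluates them first-match against constructed packets. It assumes rules are checked in ascending rule ID and that a packet matching no rule is forwarded by traffic-filter; the helper names and the sample packets are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 3005 exactly as configured in Step 1 of this example.
ACL_3005 = """\
rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
rule 10 permit tcp source 192.168.1.12 0
"""

PORT_NAMES = {"www": 80}   # the only port keyword used in this ACL

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<wild>\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Rule:
    rule_id: int
    action: str
    proto: str
    src: Optional[int]      # None means "any source"
    wildcard: int           # set bits are "don't care" bits
    dport: Optional[int]    # None means "any destination port"

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if self.src is not None:
            care = ~self.wildcard & 0xFFFFFFFF
            if int(ipaddress.IPv4Address(src_ip)) & care != self.src & care:
                return False
        return self.dport is None or self.dport == dport


def _wildcard(text: str) -> int:
    # A bare "0" is the shorthand for wildcard 0.0.0.0 (exactly this host).
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("//")[0].strip()      # drop the guide's inline comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        port = m["port"]
        rules.append(Rule(
            rule_id=int(m["id"]),
            action=m["action"],
            proto=m["proto"],
            src=int(ipaddress.IPv4Address(m["src"])) if m["src"] else None,
            wildcard=_wildcard(m["wild"]) if m["wild"] else 0xFFFFFFFF,
            dport=None if port is None
            else PORT_NAMES[port] if port in PORT_NAMES else int(port),
        ))
    return sorted(rules, key=lambda r: r.rule_id)   # assumed: ascending rule ID


def evaluate(rules: List[Rule], proto: str, src_ip: str, dport: int,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, matching rule ID); rule ID is None when nothing matched.
    The default action for unmatched packets is an assumption, see lead-in."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action, rule.rule_id
    return default, None


if __name__ == "__main__":
    rules = parse_acl(ACL_3005)
    samples = [                                   # constructed test packets
        ("tcp", "192.168.1.12", 80), ("tcp", "192.168.1.12", 443),
        ("udp", "192.168.1.12", 53), ("tcp", "192.168.1.13", 80),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, *pkt))
```

Only TCP port 80 from 192.168.1.12 hits the deny rule; other TCP ports from that host, HTTPS on 443 included, match rule 10 and pass, so check the rule set against the stated requirement before relying on it.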

16.4 Example for Prohibiting External Users from Accessing the Web Platform

Applicability
This example applies to all AR models of V200R002C01 and later versions.

Networking Requirements
GE1/0/0 of RouterA connects to HostA. Hosts on the network segment 10.1.1.0/24 must be
allowed to access the web platform of the device, and hosts on other network segments must
be prohibited from accessing it.


Figure 16-4 Networking diagram of accessing the web platform

Procedure
Step 1 Configure RouterA.
#
http acl 2000
http server enable
acl number 2000 //Configure an ACL to permit packets from devices of the web platform.
 rule 1 permit source 10.1.1.0 0.0.0.255
 rule 10 deny
#
aaa
 local-user huawei password cipher %@%@Dyb;#tOxsEBO@H@Jy'IX_:HK%@%@ //Create a local user with the user name huawei and cipher text password Huawei@123.
 local-user huawei service-type http //Configure the HTTP service for the local user.
 local-user huawei privilege level 3 //Set the priority of the local user to 3.
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0 //Configure an IP address for an interface connected to HostA.
#

Step 2 Verify the configuration.

HostA can access the web platform of RouterA, and the hosts in other network segments
cannot access RouterA.

----End

Configuration Notes
# You can successfully log in to RouterA only if the user name and password that you enter
on HostA are the same as those configured on RouterA.

# When you attempt to access the web platform using a host in other network segments, the
login page can be displayed, but the message indicating invalid IP address is displayed after
you click Login.

16.5 Example for Configuring DHCP Snooping to Allow Users to Communicate with Valid DHCP Servers

Applicability
The AR150&AR200&AR1200 series routers do not support this feature in the versions earlier
than ARV2R5C10.


Networking Requirements
Eth2/0/0 of RouterB is a trusted interface. Therefore, DHCP reply messages from the DHCP
server connected to Eth2/0/0 are forwarded. DHCP reply messages sent from untrusted
interfaces are discarded.

Figure 16-5 DHCP snooping networking diagram

Procedure
Step 1 Configure RouterA.

#
dhcp enable
#
ip pool pool1 //Create a global IP address pool.
 gateway-list 10.1.1.2
 network 10.1.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
 dhcp select global

Step 2 Configure RouterB.

#
dhcp enable //Globally enable DHCP.
dhcp snooping enable //Globally enable DHCP snooping.
#
interface Ethernet2/0/0
 dhcp snooping trusted //Configure the interface as a trusted interface.
#


interface Ethernet2/0/1
 dhcp snooping enable
#
interface Ethernet2/0/2
 dhcp snooping enable
#

Step 3 Verify the configuration.


Run the display dhcp snooping global command on RouterB to check the global DHCP
snooping configuration.
Run the display dhcp snooping interface command on RouterB to check the DHCP
snooping configuration and the statistics on discarded messages on an interface.

----End

Configuration Notes
None.


17 Deploying QoS

17.1 Example for Configuring Traffic Shaping
17.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses
17.3 Example for Configuring Traffic Policing to Limit All Traffic on a Network Segment
17.4 Example for Configuring Traffic Policing to Limit the Rate of Packets from Each IP Address on a Network Segment
17.5 Example for Configuring Congestion Avoidance and Congestion Management
17.6 Example for Preventing BT Download
17.7 Example for Configuring Access Control Based on Source MAC Addresses
17.8 Example for Using Two Egresses to Implement Mutual Access and Redirection
17.9 Example for Configuring a Queue Profile to Implement Congestion Avoidance and Congestion Management
17.10 Example for Configuring CBQ (V200R001C00, V200R001C01, V200R002C00, V200R002C01)
17.11 Example for Configuring CBQ (V200R002C02 and Later Versions)

17.1 Example for Configuring Traffic Shaping


Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 17-1, the LAN of an enterprise connects to Eth2/0/0 of RouterA through
Switch. RouterA connects to the WAN through GE3/0/0. The voice, video, and data services
are deployed on the LAN.
Packets of different services are identified by 802.1p priorities on the LAN. RouterA sends
service packets to queues based on 802.1p priorities. When packets reach the WAN through
GE3/0/0, jitter may occur. To prevent jitter and ensure bandwidth for services, perform the
following configuration:
- Set the CIR on each interface to 8000 kbit/s.
- Set the CIR for voice service packets to 256 kbit/s and the CBS to 6400 bytes.
- Set the CIR for video service packets to 4000 kbit/s and the CBS to 100000 bytes.
- Set the CIR for data service packets to 2000 kbit/s and the CBS to 50000 bytes.

Figure 17-1 Traffic shaping networking diagram

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10
#
qos queue-profile qp1 // Create a queue profile qp1.
 queue 2 gts cir 2000 cbs 50000 // Set the CIR for queue 2 to 2000 kbit/s and the CBS to 50000 bytes.
 queue 5 gts cir 4000 cbs 100000 // Set the CIR for queue 5 to 4000 kbit/s and the CBS to 100000 bytes.
 queue 6 gts cir 256 cbs 6400 // Set the CIR for queue 6 to 256 kbit/s and the CBS to 6400 bytes.
 schedule wfq 0 to 5 pq 6 to 7 // Set the scheduling mode for queues 0 to 5 to weighted fair queuing (WFQ), and set the scheduling mode for queue 6 and queue 7 to priority queuing (PQ).
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk // Set the link type of the interface to trunk.
 port trunk allow-pass vlan 10 // Add the trunk interface to VLAN 10.
 trust 8021p // Trust 802.1p priorities of packets on the interface.
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.1 255.255.255.0
 qos queue-profile qp1 // Apply the queue profile qp1 to the interface.


 qos gts cir 8000 cbs 200000 // Set CIR for the interface to 8000 kbit/s and the CBS to 200000 bytes.

Step 2 Verify the configuration.

# Run the display qos queue statistics interface gigabitethernet 3/0/0 command on
RouterA to check packet statistics in queues on GE3/0/0. You can see that the output rate of
each queue is within the configured limit. When a queue is full, excess packets are discarded.

----End

Configuration Notes
- Configure the interface of the switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- The traffic shaping CIR value configured on an interface must be larger than or equal to
  the sum of CIR values of all queues on the interface. Otherwise, packets in high-priority
  queues may fail to be scheduled.

17.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses

Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access the server on 222.1.1.1/24 through RouterA. The rate of
packets from enterprise devices on 192.168.10.0/24 to the server needs to be limited to 64
kbit/s.

Figure 17-2 Networking for limiting the rate of packets based on internal IP addresses


Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
 rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
acl number 3002 //Configure ACL 3002.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
#
qos queue-profile limit //Create a queue profile named limit.
 queue 3 gts cir 64 cbs 1600 //Set the CIR of queue 3 to 64 kbit/s.
#
traffic classifier c1 operator or
 if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b1
 remark local-precedence af3 //Configure traffic behavior b1: Re-mark packets matching the traffic classifier with AF3. When permit or deny is not specified, the permit action is taken by default.
#
traffic policy p1
 classifier c1 behavior b1 //Configure a traffic policy named p1, and bind traffic classifier c1 to traffic behavior b1 in the traffic policy.
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk //Configure the link type of the interface as trunk.
 port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
 traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction on the interface.
#
interface GigabitEthernet3/0/0
 ip address 222.0.1.1 255.255.255.0
 qos queue-profile limit //Apply the queue profile limit to the interface.
 nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.0.1.2
#

Step 2 Verify the configuration.

# Run the display qos queue statistics interface gigabitethernet 3/0/0 command to check
the traffic statistics on GE3/0/0 where the queue profile limit is applied. You can see that the
rate of outgoing packets on the interface is within the rate limit. When the queue is full,
excess packets are discarded.

----End

Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.

17.3 Example for Configuring Traffic Policing to Limit All Traffic on a Network Segment
Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and connect to the Internet through RouterA.
Traffic policing needs to be configured on RouterA to limit the rate of all the traffic on the
network segment 192.168.1.0/24 to 512 kbit/s, and limit the rate of all the traffic on the
network segment 192.168.2.0/24 to 128 kbit/s.

Figure 17-3 Traffic policing networking diagram

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 2000 // Create ACL 2000.
 rule 0 permit source 192.168.1.0 0.0.0.255 // Configure rule 0, which permits packets with source addresses on network segment 192.168.1.0 to pass.
acl number 2001 // Create ACL 2001.
 rule 0 permit source 192.168.2.0 0.0.0.255 // Configure rule 0, which permits packets with source addresses on network segment 192.168.2.0 to pass.
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk // Set the link type of the interface to trunk.
 port trunk allow-pass vlan 10 20 // Add the trunk interface to VLAN 10 and VLAN 20.
#
interface GigabitEthernet3/0/0
 ip address 1.1.1.1 255.255.255.0
 qos car outbound acl 2000 cir 512 cbs 96256 pbs 160256 green pass yellow pass red discard // Configure traffic policing for outgoing packets that match ACL 2000 on the interface. Set the CIR to 512 kbit/s.
 qos car outbound acl 2001 cir 128 cbs 24064 pbs 40064 green pass yellow pass red discard // Configure traffic policing for outgoing packets that match ACL 2001 on the interface. Set the CIR to 128 kbit/s.
#

Step 2 Verify the configuration.


# Run the display qos car statistics interface GigabitEthernet 3/0/0 outbound command to
check the traffic statistics on GE3/0/0 where traffic policing is configured. You can see that
the rate of outgoing packets on the interface is within the rate limit and excess packets are
discarded.

----End

Configuration Notes
- On the Switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
- Configure the interface of the Switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- This example configures traffic policing for outgoing packets on a WAN-side interface.
  You can also configure traffic policing for incoming packets on a LAN-side interface.

17.4 Example for Configuring Traffic Policing to Limit the Rate of Packets from Each IP Address on a Network Segment
Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and connect to the Internet through RouterA. Traffic policing needs
to be configured on RouterA to limit the rate of traffic from each IP address on network
segment 192.168.1.0/24 to the Internet to 64 kbit/s, and limit the rate of traffic from each IP
address on network segment 192.168.2.0/24 to the Internet to 128 kbit/s.

Figure 17-4 Traffic policing networking diagram

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
 qos car inbound source-ip-address range 192.168.1.2 to 192.168.1.254 per-address cir 64 cbs 12032 pbs 20032 green pass yellow pass red discard //Configure traffic policing for incoming packets with source addresses in the range of 192.168.1.2 to 192.168.1.254 and set the CIR to 64 kbit/s.
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
 qos car inbound source-ip-address range 192.168.2.2 to 192.168.2.254 per-address cir 128 cbs 24064 pbs 40064 green pass yellow pass red discard //Configure traffic policing for incoming packets with source addresses in the range of 192.168.2.2 to 192.168.2.254 and set the CIR to 128 kbit/s.
#
interface Ethernet2/0/0
 port link-type trunk // Set the link type of the interface to trunk.
 port trunk allow-pass vlan 10 20 // Add the trunk interface to VLAN 10 and VLAN 20.
#
interface GigabitEthernet3/0/0
 ip address 1.1.1.1 255.255.255.0
#

Step 2 Verify the configuration.

# Run the display qos car statistics interface Vlanif 10 inbound command and display qos
car statistics interface Vlanif 20 inbound command to check the traffic statistics where
traffic policing is configured. You can see that the rate of outgoing packets on the interface is
within the rate limit and excess packets are discarded.

----End

Configuration Notes
- On the Switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
- Configure the interface of the Switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- If per-address is not specified in the qos car command, the rate of all the packets with
  source IP addresses in the specified range is limited.
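
The effect of per-address can be seen by modelling the Vlanif10 policer from this example. The following Python simulation is an added illustration, not Huawei code: it assumes the CAR behaves as a single-rate three-color marker (RFC 2697) with cbs and pbs as the two bucket depths, and the two hosts and their traffic rates are constructed.

```python
"""Per-address vs. shared CAR on Vlanif10, modelled as a single-rate
three-color marker (RFC 2697). Illustrative model only, not router code."""


class Car:
    """Token buckets for one 'qos car ... cir X cbs Y pbs Z' instance."""

    def __init__(self, cir_kbps, cbs, pbs):
        self.rate = cir_kbps * 1000 / 8            # refill rate in bytes per second
        self.cbs, self.pbs = cbs, pbs              # bucket depths in bytes
        self.tc, self.te = float(cbs), float(pbs)  # both buckets start full
        self.last = 0.0

    def color(self, now, size):
        """Refill for the elapsed time, then color one packet of `size` bytes."""
        tokens = (now - self.last) * self.rate
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)            # committed bucket first
        self.tc += to_c
        self.te = min(self.pbs, self.te + tokens - to_c)  # overflow fills the second bucket
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


# Actions as configured on the page: green pass yellow pass red discard
ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def simulate(flows, duration, cir_kbps, cbs, pbs, per_address):
    """flows maps source IP -> (packet size in bytes, packets per second).
    Returns {source IP: {"offered": bytes, "passed": bytes}}."""
    events = sorted(
        (n / pps, ip, size)
        for ip, (size, pps) in flows.items()
        for n in range(int(duration * pps))
    )
    buckets = {}
    stats = {ip: {"offered": 0, "passed": 0} for ip in flows}
    for now, ip, size in events:
        # per-address: one bucket pair per source IP; otherwise one for the whole range
        key = ip if per_address else "whole-range"
        if key not in buckets:
            buckets[key] = Car(cir_kbps, cbs, pbs)
        stats[ip]["offered"] += size
        if ACTIONS[buckets[key].color(now, size)] == "pass":
            stats[ip]["passed"] += size
    return stats


# Constructed traffic: one bulk sender and one host that stays below the CIR.
FLOWS = {
    "192.168.1.10": (1000, 100),  # 800 kbit/s
    "192.168.1.20": (500, 10),    # 40 kbit/s
}
VLANIF10 = dict(cir_kbps=64, cbs=12032, pbs=20032)  # values from the page


def compare(duration=10):
    """Run the same traffic through both variants of the policer."""
    return {
        "per-address": simulate(FLOWS, duration, per_address=True, **VLANIF10),
        "shared": simulate(FLOWS, duration, per_address=False, **VLANIF10),
    }


if __name__ == "__main__":
    for mode, stats in compare().items():
        for ip, s in stats.items():
            print(f"{mode:12} {ip:14} offered={s['offered']:>8} passed={s['passed']:>8}")
```

With per-address, the 40 kbit/s host is policed on its own and loses nothing; with a shared bucket it competes with the bulk sender for the same 64 kbit/s and loses a large share of its packets.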

17.5 Example for Configuring Congestion Avoidance and Congestion Management
Applicability
This example applies to all versions and AR routers. (The interface providing eight queues is
used as an example.)

Networking Requirements
As shown in Figure 17-5, voice, video, and data terminals on the enterprise's LAN connect to
Eth2/0/0 and Eth2/0/1 of RouterA through SwitchA and SwitchB. These terminals connect to
the WAN through GE3/0/0 of RouterA.
SwitchA and SwitchB set DSCP values of voice, video, and data packets to 46 (ef), 38 (af43),
28 (af32), and 26 (af31) respectively. RouterA places packets into different queues based on
their DSCP values. GE3/0/0 may be congested by outgoing packets because the link
bandwidth provided by the service provider may be insufficient. To reduce the impact of
network congestion and ensure bandwidth for high-priority and delay-sensitive services, set
QoS parameters according to the following table.

Table 17-1 Congestion avoidance parameters


Service Type  DSCP Value  Queue Index  Scheduling Mode  Drop Method
Voice         46          5            PQ               Tail drop
Video         38          4            WFQ              WRED: lower drop threshold 60%, upper drop threshold 80%, drop probability 20%
Data          28          3            WFQ              WRED (DSCP = 28): lower drop threshold 50%, upper drop threshold 70%, drop probability 30%
Data          26          3            WFQ              WRED (DSCP = 26): lower drop threshold 40%, upper drop threshold 60%, drop probability 40%

Figure 17-5 Networking diagram of congestion avoidance and congestion management configurations

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20 30
#
drop-profile data // Create a WRED drop profile data.
 wred dscp // Configure DSCP-based drop mode in the profile.
 dscp af31 low-limit 40 high-limit 60 discard-percentage 40 // For packets with DSCP value 26, set the lower drop threshold to 40%, the upper drop threshold to 60%, and the drop probability to 40%.
 dscp af32 low-limit 50 high-limit 70 discard-percentage 30 // For packets with DSCP value 28, set the lower drop threshold to 50%, the upper drop threshold to 70%, and the drop probability to 30%.
#
drop-profile video // Create a WRED drop profile video.
 wred dscp // Configure DSCP-based drop mode in the profile.
 dscp af43 low-limit 60 high-limit 80 discard-percentage 20 // For packets with DSCP value 38, set the lower drop threshold to 60%, the upper drop threshold to 80%, and the drop probability to 20%.
#
qos queue-profile queue-profile1 // Create a queue profile queue-profile1.
 queue 3 drop-profile data // Bind queue 3 to the drop profile data.
 queue 4 drop-profile video // Bind queue 4 to the drop profile video.
 schedule wfq 3 to 4 pq 5 // Set the scheduling mode for queue 3 and queue 4 to WFQ, and the scheduling mode for queue 5 to PQ.
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.3.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
 trust dscp // Trust DSCP priorities of packets on the interface.
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 30
 trust dscp // Trust DSCP priorities of packets on the interface.
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.1 255.255.255.0
 qos queue-profile queue-profile1 // Apply the queue profile queue-profile1 to the interface.
#

Step 2 Verify the configuration.


# Run the display qos queue statistics interface gigabitethernet 3/0/0 command on
RouterA to check packet statistics in queues on GE3/0/0. Run the display qos queue
statistics interface gigabitethernet 3/0/0 queue 3 command to check packet statistics in
queue 3 on GE3/0/0. The command output shows the statistics about forwarded and dropped
packets with different DSCP values.

----End

Configuration Notes
- Configure the interfaces of SwitchA and SwitchB connected to RouterA as trunk
  interfaces and add the interfaces to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- The queue profile uses the trust command to specify the priority to be mapped for
  packets. The packets then enter different queues based on mapped local priorities. If the
  trust command is not set, packets enter queues based on the interface priority.
- Different interfaces on the AR support different scheduling modes, as shown in the
  following table.

Table 17-2 Scheduling modes supported by each interface

Interface      Scheduling Mode
LAN interface  PQ, DRR, WRR, PQ+DRR, PQ+WRR
WAN interface  PQ, WFQ, PQ+WFQ

NOTE (LAN interface)
- Layer 2 interfaces on the AR150&AR160 (except the AR161, AR161EW, AR161EW-M1, AR161G-L,
  AR161G-Lc, AR161W, AR169, AR169CVW, AR169CVW-4B4S, AR169JFVW-4B4S, AR169JFVW-2S,
  AR169EGW-L, AR169EW, AR169G-L, AR169-P-M9, AR169RW-P-M9 and AR169W-P-M9)&AR200 series
  support only PQ, WRR, and PQ+WRR, but do not support DRR.
- Layer 2 interfaces on the AR1200 (except the AR1220C, AR1220F, AR1220E, AR1220EV,
  AR1220EVW and AR1220-8GE) series SRU support only PQ, WRR, and PQ+WRR, but do not
  support DRR.
- Layer 2 VE interfaces only support PQ, WFQ and PQ+WFQ.

- Layer 2 FE interfaces of the AR150&200 and FE interfaces on the AR1200's SRU
  support four queues in the outbound direction, and the other interfaces support eight
  queues in the outbound direction.

17.6 Example for Preventing BT Download


Applicability
This example applies to all AR models of V200R002C00 and later versions.

NOTE

The SAC function is used with a license. To use the SAC function, apply for and purchase the license from
the Huawei local office.

Networking Requirements
As shown in Figure 17-6, enterprise users connect to Eth2/0/0 of RouterA through the
Switch. RouterA connects to the WAN through GE0/0/1.

Smart Application Control (SAC) needs to be configured on RouterA to prevent BitTorrent
(BT) download.

Figure 17-6 Networking diagram of SAC

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20
#
engine enable //Enable the deep security function.
#
update restore sdb-default sa-sdb //Restore the signature database to the factory default version.
#
traffic classifier c1 operator or // Create a traffic classifier c1.
 if-match application BT //Configure a rule that matches the BT application.
#
traffic behavior b1 // Create a traffic behavior b1.
 deny // Configure the traffic behavior to deny packets matching the associated traffic classifier.
#
traffic policy p1 // Create a traffic policy p1.
 classifier c1 behavior b1 // Bind the traffic classifier to the traffic behavior.
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
 sa application-statistic enable // Enable the function that collects statistics based on SA on the interface.
 traffic-policy p1 inbound // Apply the traffic policy p1 to incoming packets on the interface.
#
interface Ethernet2/0/0
 port link-type trunk // Set the link type of the interface to trunk.
 port trunk allow-pass vlan 20 // Add the trunk interface to VLAN 20.
#
interface GigabitEthernet0/0/1
 ip address 192.168.4.1 255.255.255.0
 sa application-statistic enable // Enable the function that collects statistics based on SA on the interface.
 traffic-policy p1 inbound // Apply the traffic policy p1 to incoming packets on the interface.
#

Step 2 Verify the configuration.

# Run the display sa application-statistic command to check packet statistics based on the
SA application protocols on Eth2/0/0 and GE0/0/1.
----End

Configuration Notes
- Configure the interface of the Switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- When specifying the name of a signature file, enter the complete path and name of the
  file to ensure that the configuration can be restored when the AR router restarts.

17.7 Example for Configuring Access Control Based on Source MAC Addresses
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 17-7, the Router functions as the gateway of the enterprise. Users in the
enterprise connect to the Internet through the Router. The enterprise does not allow some
hosts on the LAN to connect to the Internet. However, users can still connect to the Internet
from these hosts by changing host IP addresses. Firewalls cannot prevent such unauthorized
access. You can configure access control based on source MAC addresses to solve this
problem. The configuration performed in this example prevents some hosts from connecting
to the Internet but allows them to access the gateway.

Figure 17-7 Network diagram of access control based on source MAC addresses

Procedure
Step 1 Configure the Router.
#
sysname Router
#
vlan batch 10
#
acl number 3001 // Create ACL 3001.
 rule 1 permit ip destination 10.1.1.0 0.0.0.255 // Configure rule 1, which permits packets destined for the gateway address 10.1.1.1/24 to pass.
#
traffic classifier gate operator and
 if-match acl 3001 // Create a traffic classifier gate and reference ACL 3001 in the classifier.
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001 // Create a traffic classifier mac1 and configure a rule that matches source MAC address 0015-c50d-0001.
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002 // Create a traffic classifier mac2 and configure a rule that matches source MAC address 0015-c50d-0002.
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003 // Create a traffic classifier mac3 and configure a rule that matches source MAC address 0015-c50d-0003.
#
traffic behavior p1
 permit // Create a traffic behavior p1 and configure it to permit packets matching the associated classifier to pass.
traffic behavior d1
 deny // Create a traffic behavior d1 and configure it to drop packets matching the associated classifier.
#
traffic policy myqos // Create a traffic policy myqos.
 classifier gate behavior p1 // Bind the traffic classifier gate to the behavior p1.
 classifier mac1 behavior d1 // Bind the traffic classifier mac1 to the behavior d1.
 classifier mac2 behavior d1 // Bind the traffic classifier mac2 to the behavior d1.
 classifier mac3 behavior d1 // Bind the traffic classifier mac3 to the behavior d1.
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound // Apply the traffic policy myqos to the inbound direction of the interface.
#
interface Ethernet2/0/0
 port link-type trunk // Set the link type of the interface to trunk.
 port trunk allow-pass vlan 10 // Add the trunk interface to VLAN 10.
#

Step 2 Verify the configuration.

# Run the display traffic policy user-defined command to check the traffic policy
configuration.

# The restricted hosts can ping the gateway address successfully but cannot ping IP addresses
out of the LAN.

----End

Configuration Notes
- Configure the interface of the Switch connected to the Router as a trunk interface and
  add it to VLAN 10.
- After a traffic policy is applied to an interface, the system matches packets on the
  interface with the traffic classifiers in the policy based on the configuration order.
  Therefore, when configuring the traffic policy myqos, you must first configure the
  classifier and behavior that permit packets sent to the gateway address, and then
  configure the classifiers and behaviors that deny packets sent from restricted hosts to the
  Internet.

17.8 Example for Using Two Egresses to Implement Mutual Access and Redirection
Applicability
This example applies to all versions and AR routers.

Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access ServerA (222.1.1.1/24) and ServerB (111.1.1.1/24)
through RouterA. Data flows from user groups on 192.168.10.0/24 need to reach the WAN
through ServerB, and user groups on 192.168.10.0/24 and 192.168.20.0/24 need to
communicate.

Figure 17-8 Networking of using dual egresses to implement mutual access and redirection

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
 rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
acl number 3002 //Configure ACL 3002.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 //Configure rule 5 to allow packets with the source address on 192.168.10.0 and destination address on 192.168.20.0 to pass through.
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 //Configure rule 10 to allow packets with source and destination addresses on 192.168.10.0 to pass through.
acl number 3003 //Configure ACL 3003.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
#
traffic classifier c2 operator or
 if-match acl 3003 //Configure a traffic classifier named c2 to match ACL 3003.
traffic classifier c1 operator or
 if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b2
 redirect ip-nexthop 111.1.1.1 //Configure a traffic behavior named b2 to redirect matching packets to 111.1.1.1.
traffic behavior b1 //Configure a traffic behavior named b1 to permit packets to pass through so that departments can communicate with each other.
#
traffic policy pp
 classifier c1 behavior b1
 classifier c2 behavior b2 //Configure a traffic policy named pp, and bind traffic classifier c1 to traffic behavior b1, and traffic classifier c2 to traffic behavior b2 in the traffic policy.
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk //Configure the link type of the interface as trunk.
 port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
 traffic-policy pp inbound //Apply the traffic policy pp to the inbound direction on the interface.
#
interface GigabitEthernet2/0/0
 ip address 222.1.1.2 255.255.255.0
 nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
interface GigabitEthernet1/0/0
 ip address 111.1.1.2 255.255.255.0
 nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#

Step 2 Verify the configuration.

# Run the display traffic policy user-defined command to check the traffic policy
configuration, and run the display traffic-policy applied-record command to check whether
the traffic policy is applied successfully.

# User groups on 192.168.10.0/24 can communicate with each other and with user groups on
192.168.20.0/24.

----End

Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.
- After a traffic policy is applied to an interface, the system matches packets on the
  interface with the traffic classifiers in the policy based on the configuration order.
  Therefore, when configuring the traffic policy pp, you must first configure the classifier
  and behavior that permit packets, and then configure the classifier and behavior that
  redirect packets.
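
The ordering notes for the traffic policy myqos (17.7) and the traffic policy pp (17.8) both describe first-match evaluation. The following Python model is an added example, not Huawei code: it evaluates both policies in the configured order and with the permit binding moved last. The host addresses, the Internet address 203.0.113.10, and the "forward" result for unmatched packets are assumptions of the model.

```python
"""First-match evaluation of the traffic policies myqos and pp (simplified model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str = ""


def wildcard_match(addr, base, wildcard):
    """ACL-style comparison: bits set in the wildcard mask are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_rule(source=None, destination=None):
    """Predicate for one 'rule permit ip [source ...] [destination ...]' line."""
    def matches(pkt):
        if source and not wildcard_match(pkt.src_ip, *source):
            return False
        if destination and not wildcard_match(pkt.dst_ip, *destination):
            return False
        return True
    return matches


def source_mac(mac):
    """Predicate for 'if-match source-mac'."""
    return lambda pkt: pkt.src_mac.lower() == mac.lower()


def any_of(*rules):
    """Classifier that references an ACL holding several permit rules."""
    return lambda pkt: any(rule(pkt) for rule in rules)


def evaluate(policy, pkt):
    """Walk the classifier/behavior bindings in configuration order and return
    the behavior of the first classifier that matches. Packets that match no
    classifier are forwarded normally (assumption of this model)."""
    for _name, classifier, behavior in policy:
        if classifier(pkt):
            return behavior
    return "forward"


NET10 = ("192.168.10.0", "0.0.0.255")
NET20 = ("192.168.20.0", "0.0.0.255")

# Section 17.7: policy myqos, in the order the page configures it.
MYQOS = [
    ("gate", acl_rule(destination=("10.1.1.0", "0.0.0.255")), "permit"),
    ("mac1", source_mac("0015-c50d-0001"), "deny"),
    ("mac2", source_mac("0015-c50d-0002"), "deny"),
    ("mac3", source_mac("0015-c50d-0003"), "deny"),
]
# Section 17.8: policy pp, in the order the page configures it.
PP = [
    ("c1", any_of(acl_rule(NET10, NET20), acl_rule(NET10, NET10)), "permit"),
    ("c2", acl_rule(NET10), "redirect ip-nexthop 111.1.1.1"),
]


def reordered(policy):
    """Same bindings with the first (permit) binding moved to the end."""
    return policy[1:] + policy[:1]


# Constructed packets; 203.0.113.10 stands in for any Internet host.
RESTRICTED_TO_GATEWAY = Packet("10.1.1.50", "10.1.1.1", "0015-C50D-0001")
RESTRICTED_TO_INTERNET = Packet("10.1.1.50", "203.0.113.10", "0015-C50D-0001")
INTER_SEGMENT = Packet("192.168.10.5", "192.168.20.7")
SEGMENT10_TO_INTERNET = Packet("192.168.10.5", "203.0.113.10")

if __name__ == "__main__":
    cases = [
        ("myqos", MYQOS, RESTRICTED_TO_GATEWAY),
        ("myqos", MYQOS, RESTRICTED_TO_INTERNET),
        ("myqos reordered", reordered(MYQOS), RESTRICTED_TO_GATEWAY),
        ("pp", PP, INTER_SEGMENT),
        ("pp", PP, SEGMENT10_TO_INTERNET),
        ("pp reordered", reordered(PP), INTER_SEGMENT),
    ]
    for label, policy, pkt in cases:
        print(f"{label:16} {pkt.src_ip} -> {pkt.dst_ip}: {evaluate(policy, pkt)}")
```

With the deny bindings first, a restricted host can no longer reach the gateway; with the redirect binding first, traffic between the two segments is sent to 111.1.1.1 instead of being forwarded locally.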

17.9 Example for Configuring a Queue Profile to Implement Congestion Avoidance and Congestion Management
Applicability
This example applies to all versions and AR routers.

Networking Requirements
The enterprise connects to Eth2/0/0 of RouterA through the switch. RouterA connects to the
WAN through GE3/0/0. The voice, video, and data services are deployed on the enterprise
network. Packets of different services are differentiated based on source IP addresses. Voice,
video, and data packets come from 192.168.10.2/24, 192.168.20.2/24, and 192.168.30.2/24
respectively. Bandwidth guarantee is required for packets of the three services: voice, video,
and data packets occupy 50%, 40%, and 5% bandwidths of actual interface bandwidth
respectively.

Figure 17-9 Networking for configuring queues to implement congestion management and
congestion avoidance

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20 30
#
acl number 3001 //Configure ACL 3001.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
 rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
 rule 15 permit ip source 192.168.30.0 0.0.0.255 //Configure rule 15 to allow packets on 192.168.30.0 to pass through.
acl number 3002 //Configure ACL 3002.
 rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
acl number 3003 //Configure ACL 3003.
 rule 5 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.20.0 to pass through.
acl number 3004 //Configure ACL 3004.
 rule 5 permit ip source 192.168.30.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.30.0 to pass through.
#
traffic classifier c3 operator or
 if-match acl 3004 //Configure a traffic classifier named c3 to match ACL 3004.
traffic classifier c2 operator or
 if-match acl 3003 //Configure a traffic classifier named c2 to match ACL 3003.
traffic classifier c1 operator or
 if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
traffic classifier data operator or
 if-match dscp af31 //Configure a traffic classifier named data to match packets with the DSCP value of AF31.
traffic classifier video operator or
 if-match dscp af41 //Configure a traffic classifier named video to match packets with the DSCP value of AF41.
traffic classifier voice operator or
 if-match dscp ef //Configure a traffic classifier named voice to match packets with the DSCP value of EF.
#
traffic behavior b3
 remark dscp af31 //Configure a traffic behavior named b3 to re-mark the DSCP priority of matching packets with AF31.
traffic behavior b2
 remark dscp af41 //Configure a traffic behavior named b2 to re-mark the DSCP priority of matching packets with AF41.
traffic behavior b1
 remark dscp ef //Configure a traffic behavior named b1 to re-mark the DSCP priority of matching packets with EF.
traffic behavior data
 queue af bandwidth pct 5 //Configure a traffic behavior named data. Configure AF for matching packets and set the minimum bandwidth to 5% of the actual interface bandwidth.
traffic behavior video
 queue af bandwidth pct 40 //Configure a traffic behavior named video. Configure AF for matching packets and set the minimum bandwidth to 40% of the actual interface bandwidth.
traffic behavior voice
 queue ef bandwidth pct 50 //Configure a traffic behavior named voice. Configure EF for matching packets and set the minimum bandwidth to 50% of the actual interface bandwidth.
#
traffic policy schedule
 classifier data behavior data
 classifier video behavior video
 classifier voice behavior voice //Configure a traffic policy named schedule, and bind traffic classifier data to traffic behavior data, traffic classifier video to traffic behavior video, and traffic classifier voice to traffic behavior voice in the traffic policy.
traffic policy p1
 classifier c1 behavior b1
 classifier c2 behavior b2
 classifier c3 behavior b3 //Configure a traffic policy named p1, and bind traffic classifier c1 to traffic behavior b1, traffic classifier c2 to traffic behavior b2, and traffic classifier c3 to traffic behavior b3 in the traffic policy.
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
 traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction on the interface.
#
interface GigabitEthernet3/0/0
 ip address 222.1.1.2 255.255.255.0
 traffic-policy schedule outbound //Apply the traffic policy schedule to the outbound direction on the interface.
 nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#

Step 2 Verify the configuration.

# Run the display traffic policy user-defined command to check the traffic policy
configuration, and run the display traffic-policy applied-record command to check whether
the traffic policy is applied successfully.

# Run the display traffic policy statistics interface GigabitEthernet3/0/0 outbound
verbose classifier command to check packet statistics based on traffic classifiers on the
interface.

----End

Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments
  to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add
  the interface to service VLANs.

17.10 Example for Configuring CBQ (V200R001C00, V200R001C01, V200R002C00, V200R002C01)
Applicability
This example applies to the following versions:
- V200R001C00
- V200R001C01
- V200R002C00
- V200R002C01

This example does not apply to the AR150&200 and devices that do not support MPLS.

Networking Requirements
As shown in Figure 17-10, users in the enterprise connect to RouterA and RouterB through
the switches. They connect to the WAN through RouterA and RouterB.

The requirements are:

- On the LAN side:
  The switches connect to the routers through FE interfaces and identify real-time and
  non-real-time services by VLANs. The switches re-mark the EXP value of real-time service
  packets to 4 and EXP value of non-real-time service packets to 3.
- On the WAN side:
  On each router, the two CE1/PRI interfaces working in E1 mode are bound to an MP
  group. The routers connect to the WAN through the MP groups.
  Real-time and non-real-time services are isolated by VPN instances vpn-rt and vpn-nrt
  on the routers. Real-time services are guaranteed 60% of interface bandwidth and low
  latency, and non-real-time services are guaranteed 30% of interface bandwidth.

Figure 17-10 Networking diagram of CBQ

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 // Set the Router ID. (It is recommended that you set the
router ID to the IP address of
LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt // Create a VPN instance vpn-nrt for transmitting non-

Issue V3.2 (2019-08-02) Copyright © Huawei Technologies Co., Ltd. 788


Huawei AR Series Access Routers
CLI-based Typical Configuration Examples 17 Deploying QoS

real-time service packets.


ipv4-family
route-distinguisher 21825:2
vpn-target 21825:200 export-extcommunity
vpn-target 21825:200 import-extcommunity
#
ip vpn-instance vpn-rt // Create a VPN instance vpn-rt for transmitting real-time service packets.
ipv4-family
route-distinguisher 21825:1
vpn-target 21825:100 export-extcommunity
vpn-target 21825:100 import-extcommunity
#
mpls lsr-id 1.1.1.1 // Set the MPLS LSR ID to the IP address of LoopBack0.
mpls // Globally enable MPLS.
#
mpls ldp // Globally enable MPLS LDP
#
traffic classifier vpn-nrt operator or // Configure a traffic classifier vpn-nrt that matches packets with EXP value 3.
if-match mpls-exp 3
traffic classifier lan-rt operator or // Configure a traffic classifier lan-rt that matches all packets.
if-match any
traffic classifier vpn-rt operator or // Configure a traffic classifier vpn-rt that matches packets with EXP value 4.
if-match mpls-exp 4
traffic classifier lan-nrt operator or // Configure a traffic classifier lan-nrt that matches all packets.
if-match any
#
traffic behavior vpn-nrt // Create a traffic behavior vpn-nrt and configure it to perform assured forwarding for packets matching the associated classifier. Set the minimum assured bandwidth for these packets to 30% of the interface bandwidth.
queue af bandwidth pct 30
traffic behavior lan-rt // Create a traffic behavior lan-rt and configure it to set EXP values of packets matching the associated classifier to 4.
remark mpls-exp 4
traffic behavior vpn-rt // Create a traffic behavior vpn-rt and configure it to perform expedited forwarding for packets matching the associated classifier. Set the maximum bandwidth for these packets to 60% of the interface bandwidth.
queue ef bandwidth pct 60
traffic behavior lan-nrt // Create a traffic behavior lan-nrt and configure it to set EXP values of packets matching the associated classifier to 3.
remark mpls-exp 3
#
traffic policy lan-rt // Create a traffic policy lan-rt.
classifier lan-rt behavior lan-rt // Bind the traffic classifier lan-rt to the traffic behavior lan-rt so that the system sets the EXP value of all packets passing through the interface to 4.
traffic policy vpn // Create a traffic policy vpn.
classifier vpn-nrt behavior vpn-nrt // Bind the traffic classifier vpn-nrt to the traffic behavior vpn-nrt so that the system performs assured forwarding for packets with EXP value 3 and provides a minimum of 30% of interface bandwidth for these packets.
classifier vpn-rt behavior vpn-rt // Bind the traffic classifier vpn-rt to the traffic behavior vpn-rt so that the system performs expedited forwarding for packets with EXP value 4 and provides a maximum of 60% of interface bandwidth for these packets.
traffic policy lan-nrt // Create a traffic policy lan-nrt.
classifier lan-nrt behavior lan-nrt // Bind the traffic classifier lan-nrt to the traffic behavior lan-nrt so that the system sets the EXP value of all packets passing through the interface to 3.
#
controller E1 3/0/0
using e1 // Set the working mode of the CE1/PRI interface to E1.
#
controller E1 3/0/1
using e1 // Set the working mode of the CE1/PRI to E1.
#
interface Vlanif20
ip binding vpn-instance vpn-nrt // Bind Vlanif20 to VPN instance vpn-nrt.
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance vpn-rt // Bind Vlanif30 to VPN instance vpn-rt.
ip address 10.1.2.1 255.255.255.0
#
interface Mp-group0/0/0
ip address 10.1.1.1 255.255.255.0
qos gts cir 400 cbs 100000 // Set the CIR for outgoing packets on Mp-group0/0/0 to 400 kbit/s and the CBS to 100000 bytes.
traffic-policy vpn outbound // Apply the traffic policy vpn to outgoing packets on the interface.
mpls // Enable MPLS on the interface.
mpls ldp // Enable MPLS LDP on the interface.
#
interface Serial3/0/0:0
link-protocol ppp // Set the link layer protocol of the interface to PPP.
ppp mp Mp-group 0/0/0 // Add interface Serial3/0/0:0 to Mp-group 0/0/0.
#
interface Serial3/0/1:0
link-protocol ppp // Set the link layer protocol of the interface to PPP.
ppp mp Mp-group 0/0/0 // Add interface Serial3/0/1:0 to Mp-group 0/0/0.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy lan-nrt inbound // Apply the traffic policy lan-nrt to incoming packets on the interface.
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy lan-rt inbound // Apply the traffic policy lan-rt to incoming packets on the interface.
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 // Set the AS number of IPv4 peer 2.2.2.2 to 100.
peer 2.2.2.2 connect-interface LoopBack0 // Specify the source interface and source IP address of BGP packets.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 // Enable the VPNv4 routing capability for BGP.
policy vpn-target // Configure the local device to filter received VPNv4 routes by VPN target.
peer 2.2.2.2 enable // Enable the local device to exchange VPNv4 routing information with peer 2.2.2.2.
#
ipv4-family vpn-instance vpn-nrt
network 10.1.1.0 255.255.255.0 // Advertise local network segment 10.1.1.0/24 in the VPN instance vpn-nrt.
import-route direct // Import direct routes.
#
ipv4-family vpn-instance vpn-rt
network 10.1.2.0 255.255.255.0 // Advertise local network segment 10.1.2.0/24 in the VPN instance vpn-rt.
import-route direct // Import direct routes.
#
ospf 100 // Configure OSPF so that RouterA and RouterB can communicate with each other.
import-route direct
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2 // Set the Router ID. (It is recommended that you set the router ID to the IP address of LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt
ipv4-family
route-distinguisher 21825:2
vpn-target 21825:200 export-extcommunity
vpn-target 21825:200 import-extcommunity
#
ip vpn-instance vpn-rt
ipv4-family
route-distinguisher 21825:1
vpn-target 21825:100 export-extcommunity
vpn-target 21825:100 import-extcommunity
#
mpls lsr-id 2.2.2.2 // Set the MPLS LSR ID to the IP address of LoopBack0.
mpls
#
mpls ldp
#
traffic classifier vpn-nrt operator or
if-match mpls-exp 3
traffic classifier lan-rt operator or
if-match any
traffic classifier vpn-rt operator or
if-match mpls-exp 4
traffic classifier lan-nrt operator or
if-match any
#
traffic behavior vpn-nrt
queue af bandwidth pct 30
traffic behavior lan-rt
remark mpls-exp 4
traffic behavior vpn-rt
queue ef bandwidth pct 60
traffic behavior lan-nrt
remark mpls-exp 3
#
traffic policy lan-rt
classifier lan-rt behavior lan-rt
traffic policy vpn
classifier vpn-nrt behavior vpn-nrt
classifier vpn-rt behavior vpn-rt
traffic policy lan-nrt
classifier lan-nrt behavior lan-nrt
#
controller E1 3/0/0
using e1
#
controller E1 3/0/1
using e1
#
interface Vlanif20
ip binding vpn-instance vpn-nrt
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance vpn-rt
ip address 10.1.4.1 255.255.255.0
#
interface Mp-group0/0/0
ip address 10.1.2.1 255.255.255.0
qos gts cir 400 cbs 100000
traffic-policy vpn outbound
mpls
mpls ldp
#
interface Serial3/0/0:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Serial3/0/1:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy lan-nrt inbound
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy lan-rt inbound
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100 // Set the AS number of IPv4 peer 1.1.1.1 to 100.
peer 1.1.1.1 connect-interface LoopBack0 // Specify the source interface and source IP address of BGP packets.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn-nrt
network 10.1.3.0 255.255.255.0 // Advertise local network segment 10.1.3.0/24 in VPN instance vpn-nrt.
import-route direct // Import direct routes.
#
ipv4-family vpn-instance vpn-rt
network 10.1.4.0 255.255.255.0 // Advertise local network segment 10.1.4.0/24 in VPN instance vpn-rt.
import-route direct // Import direct routes.
#
ospf 100 // Configure OSPF so that RouterA and RouterB can communicate with each other.
import-route direct
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 3 Verify the configuration.


# Run the display mpls ldp session command to check LDP session information on the
routers. The LDP session is Operational.
# Run the display bgp vpnv4 all peer command to check information about VPNv4 peers on
the routers. The VPNv4 peer status is Established.
# Run the display traffic-policy vpn applied-record, display traffic-policy lan-nrt
applied-record, and display traffic-policy lan-rt applied-record commands to check
configuration and application records of the traffic policies. The traffic policies have
been applied to the interfaces successfully.

----End

Configuration Notes
• It is recommended that you set the router ID and MPLS LSR ID to the IP address of the
  same loopback interface.
• MPLS and MPLS LDP must be enabled in both the system view and interface view.
• When configuring BGP, use the routers' loopback0 interfaces to establish BGP peers.
• Configure the switch interfaces connected to the routers as trunk interfaces and add the
  interfaces to service VLANs.
• CBQ classifies packets based on the IP precedence or DSCP priority, inbound interface,
  or 5-tuple (protocol type, source IP address and mask, destination IP address and mask,
  source port range, and destination port range). Then CBQ sends packets matching traffic
  classification rules to EF and AF queues. The packets that do not match any configured
  classifier are added to the default class and enter BE queues based on session
  information of flows.

17.11 Example for Configuring CBQ (V200R002C02 and Later Versions)
Applicability
This example applies to V200R002C02 and later versions.
This example is inapplicable to the AR150&AR160&AR200 and devices that do not support
MPLS.

Networking Requirements
As shown in Figure 17-11, users in the enterprise connect to RouterA and RouterB through
the switches. They connect to the WAN through RouterA and RouterB.


The requirements are:


• On the LAN side:
  The switches connect to the routers through FE interfaces and identify real-time and
  non-real-time services by VLANs. The switches re-mark the EXP value of real-time service
  packets to 4 and EXP value of non-real-time service packets to 3.
• On the WAN side:
  On each router, the two CE1/PRI interfaces working in E1 mode are bound to an MP
  group. The routers connect to the WAN through the MP groups.
  Real-time and non-real-time services are isolated by VPN instances vpn-rt and vpn-nrt
  on the routers. Real-time services are guaranteed 60% of interface bandwidth and low
  latency, and non-real-time services are guaranteed 30% of interface bandwidth.

Figure 17-11 Networking diagram of CBQ

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 // Set the Router ID. (It is recommended that you set the router ID to the IP address of LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt // Create a VPN instance vpn-nrt for transmitting non-real-time service packets.
ipv4-family
route-distinguisher 21825:2
vpn-target 21825:200 export-extcommunity
vpn-target 21825:200 import-extcommunity
#
ip vpn-instance vpn-rt // Create a VPN instance vpn-rt for transmitting real-time service packets.
ipv4-family
route-distinguisher 21825:1
vpn-target 21825:100 export-extcommunity
vpn-target 21825:100 import-extcommunity
#
mpls lsr-id 1.1.1.1 // Set the MPLS LSR ID to the IP address of LoopBack0.
mpls // Globally enable MPLS.
#
mpls ldp // Globally enable MPLS LDP
#
traffic classifier vpn-nrt operator or // Configure a traffic classifier vpn-nrt that matches packets with EXP value 3.
if-match mpls-exp 3
traffic classifier lan-rt operator or // Configure a traffic classifier lan-rt that matches all packets.
if-match any
traffic classifier vpn-rt operator or // Configure a traffic classifier vpn-rt that matches packets with EXP value 4.
if-match mpls-exp 4
traffic classifier lan-nrt operator or // Configure a traffic classifier lan-nrt that matches all packets.
if-match any
#
traffic behavior vpn-nrt // Create a traffic behavior vpn-nrt and configure it to perform assured forwarding for packets matching the associated classifier. Set the minimum assured bandwidth for these packets to 30% of the interface bandwidth.
queue af bandwidth pct 30
traffic behavior lan-rt // Create a traffic behavior lan-rt and configure it to set EXP values of packets matching the associated classifier to 4.
remark mpls-exp 4
traffic behavior vpn-rt // Create a traffic behavior vpn-rt and configure it to perform LLQ for packets matching the associated classifier. Set the maximum bandwidth for these packets to 60% of the interface bandwidth.
queue llq bandwidth pct 60
traffic behavior lan-nrt // Create a traffic behavior lan-nrt and configure it to set EXP values of packets matching the associated classifier to 3.
remark mpls-exp 3
#
traffic policy lan-rt // Create a traffic policy lan-rt.
classifier lan-rt behavior lan-rt // Bind the traffic classifier lan-rt to the traffic behavior lan-rt so that the system sets the EXP value of all packets passing through the interface to 4.
traffic policy vpn // Create a traffic policy vpn.
classifier vpn-nrt behavior vpn-nrt // Bind the traffic classifier vpn-nrt to the traffic behavior vpn-nrt so that the system performs assured forwarding for packets with EXP value 3 and provides a minimum of 30% of interface bandwidth for these packets.
classifier vpn-rt behavior vpn-rt // Bind the traffic classifier vpn-rt to the traffic behavior vpn-rt so that the system sends packets with the EXP priority of 4 to LLQ queues and provides a maximum of 60% of interface bandwidth for these packets.
traffic policy lan-nrt // Create a traffic policy lan-nrt.
classifier lan-nrt behavior lan-nrt // Bind the traffic classifier lan-nrt to the traffic behavior lan-nrt so that the system sets the EXP value of all packets passing through the interface to 3.
#
controller E1 3/0/0
using e1 // Set the working mode of the CE1/PRI interface to E1.
#
controller E1 3/0/1
using e1 // Set the working mode of the CE1/PRI to E1.
#
interface Vlanif20
ip binding vpn-instance vpn-nrt // Bind Vlanif20 to VPN instance vpn-nrt.
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance vpn-rt // Bind Vlanif30 to VPN instance vpn-rt.
ip address 10.1.2.1 255.255.255.0
#
interface Mp-group0/0/0
ip address 10.1.1.1 255.255.255.0
qos gts cir 400 cbs 100000 // Set the CIR for outgoing packets on Mp-group0/0/0 to 400 kbit/s and the CBS to 100000 bytes.
traffic-policy vpn outbound // Apply the traffic policy vpn to outgoing packets on the interface.
mpls // Enable MPLS on the interface.
mpls ldp // Enable MPLS LDP on the interface.
#
interface Serial3/0/0:0
link-protocol ppp // Set the link layer protocol of the interface to PPP.
ppp mp Mp-group 0/0/0 // Add interface Serial3/0/0:0 to Mp-group 0/0/0.
#
interface Serial3/0/1:0
link-protocol ppp // Set the link layer protocol of the interface to PPP.
ppp mp Mp-group 0/0/0 // Add interface Serial3/0/1:0 to Mp-group 0/0/0.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy lan-nrt inbound // Apply the traffic policy lan-nrt to incoming packets on the interface.
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy lan-rt inbound // Apply the traffic policy lan-rt to incoming packets on the interface.
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100 // Set the AS number of IPv4 peer 2.2.2.2 to 100.
peer 2.2.2.2 connect-interface LoopBack0 // Specify the source interface and source IP address of BGP packets.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 // Enable the VPNv4 routing capability for BGP.
policy vpn-target // Configure the local device to filter received VPNv4 routes by VPN target.
peer 2.2.2.2 enable // Enable the local device to exchange VPNv4 routing information with peer 2.2.2.2.
#
ipv4-family vpn-instance vpn-nrt
network 10.1.1.0 255.255.255.0 // Advertise local network segment 10.1.1.0/24 in the VPN instance vpn-nrt.
import-route direct // Import direct routes.
#
ipv4-family vpn-instance vpn-rt
network 10.1.2.0 255.255.255.0 // Advertise local network segment 10.1.2.0/24 in the VPN instance vpn-rt.
import-route direct // Import direct routes.
#
ospf 100 // Configure OSPF so that RouterA and RouterB can communicate with each other.
import-route direct
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
router id 2.2.2.2 // Set the Router ID. (It is recommended that you set the router ID to the IP address of LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt
ipv4-family
route-distinguisher 21825:2
vpn-target 21825:200 export-extcommunity
vpn-target 21825:200 import-extcommunity
#
ip vpn-instance vpn-rt
ipv4-family
route-distinguisher 21825:1
vpn-target 21825:100 export-extcommunity
vpn-target 21825:100 import-extcommunity
#
mpls lsr-id 2.2.2.2 // Set the MPLS LSR ID to the IP address of LoopBack0.
mpls
#
mpls ldp
#
traffic classifier vpn-nrt operator or
if-match mpls-exp 3
traffic classifier lan-rt operator or
if-match any
traffic classifier vpn-rt operator or
if-match mpls-exp 4
traffic classifier lan-nrt operator or
if-match any
#
traffic behavior vpn-nrt
queue af bandwidth pct 30
traffic behavior lan-rt
remark mpls-exp 4
traffic behavior vpn-rt
queue llq bandwidth pct 60
traffic behavior lan-nrt
remark mpls-exp 3
#
traffic policy lan-rt
classifier lan-rt behavior lan-rt
traffic policy vpn
classifier vpn-nrt behavior vpn-nrt
classifier vpn-rt behavior vpn-rt
traffic policy lan-nrt
classifier lan-nrt behavior lan-nrt
#
controller E1 3/0/0
using e1
#
controller E1 3/0/1
using e1
#
interface Vlanif20
ip binding vpn-instance vpn-nrt
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance vpn-rt
ip address 10.1.4.1 255.255.255.0
#
interface Mp-group0/0/0
ip address 10.1.2.1 255.255.255.0
qos gts cir 400 cbs 100000
traffic-policy vpn outbound
mpls
mpls ldp
#
interface Serial3/0/0:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Serial3/0/1:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy lan-nrt inbound
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy lan-rt inbound
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100 // Set the AS number of IPv4 peer 1.1.1.1 to 100.
peer 1.1.1.1 connect-interface LoopBack0 // Specify the source interface and source IP address of BGP packets.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn-nrt
network 10.1.3.0 255.255.255.0 // Advertise local network segment 10.1.3.0/24 in VPN instance vpn-nrt.
import-route direct // Import direct routes.
#
ipv4-family vpn-instance vpn-rt
network 10.1.4.0 255.255.255.0 // Advertise local network segment 10.1.4.0/24 in VPN instance vpn-rt.
import-route direct // Import direct routes.
#
ospf 100 // Configure OSPF so that RouterA and RouterB can communicate with each other.
import-route direct
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

Step 3 Verify the configuration.


# Run the display mpls ldp session command to check LDP session information on the
routers. The LDP session is Operational.
# Run the display bgp vpnv4 all peer command to check information about VPNv4 peers on
the routers. The VPNv4 peer status is Established.
# Run the display traffic-policy vpn applied-record, display traffic-policy lan-nrt
applied-record, and display traffic-policy lan-rt applied-record commands to check
configuration and application records of the traffic policies. The traffic policies have
been applied to the interfaces successfully.

----End

Configuration Notes
• It is recommended that you set the router ID and MPLS LSR ID to the IP address of the
  same loopback interface.
• MPLS and MPLS LDP must be enabled in both the system view and interface view.
• When configuring BGP, use the routers' loopback0 interfaces to establish BGP peers.
• Configure the switch interfaces connected to the routers as trunk interfaces and add the
  interfaces to service VLANs.
• LLQ queues are a special type of EF queue and have a shorter delay than EF queues.
• CBQ classifies packets based on the IP precedence or DSCP priority, inbound interface,
  or 5-tuple (protocol type, source IP address and mask, destination IP address and mask,
  source port range, and destination port range). Then CBQ sends packets matching traffic
  classification rules to EF and AF queues. The packets that do not match any configured
  classifier are added to the default class and enter BE queues based on session
  information of flows.
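
The classifier, behavior and policy chain configured in 17.10 and 17.11 can be traced offline before it is applied. The following Python sketch is an added example, not part of the Huawei document: it parses the three stanza types and follows a packet from the inbound LAN policy to the queue it reaches under policy vpn. The function names are hypothetical, and first-match evaluation in configuration order is an assumption.

```python
# Added example. MQC_CONFIG is constructed from the RouterA listing in 17.11
# (annotations removed, indentation restored); function names are hypothetical.
MQC_CONFIG = """\
traffic classifier vpn-nrt operator or
 if-match mpls-exp 3
traffic classifier lan-rt operator or
 if-match any
traffic classifier vpn-rt operator or
 if-match mpls-exp 4
traffic classifier lan-nrt operator or
 if-match any
#
traffic behavior vpn-nrt
 queue af bandwidth pct 30
traffic behavior lan-rt
 remark mpls-exp 4
traffic behavior vpn-rt
 queue llq bandwidth pct 60
traffic behavior lan-nrt
 remark mpls-exp 3
#
traffic policy lan-rt
 classifier lan-rt behavior lan-rt
traffic policy vpn
 classifier vpn-nrt behavior vpn-nrt
 classifier vpn-rt behavior vpn-rt
traffic policy lan-nrt
 classifier lan-nrt behavior lan-nrt
"""
KINDS = ("classifier", "behavior", "policy")

def parse_mqc(text):
    """Collect the sub-commands of every traffic classifier/behavior/policy view."""
    tables = {kind: {} for kind in KINDS}
    current = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].rstrip()
        if not line.strip():
            continue
        words = line.split()
        if line[0].isspace():
            if current is not None:
                current.append(words)      # sub-command of the open view
        elif words[0] == "traffic" and len(words) >= 3 and words[1] in KINDS:
            current = tables[words[1]].setdefault(words[2], [])
        else:
            current = None                 # "#" or any other view closes it
    return tables

def classifier_matches(rules, exp):
    """With 'operator or', one matching if-match rule is enough."""
    for rule in rules:
        if rule[:2] == ["if-match", "any"]:
            return True
        if rule[:2] == ["if-match", "mpls-exp"] and str(exp) in rule[2:]:
            return True
    return False

def binding_names(binding):
    """['classifier', C, 'behavior', B] -> (C, B)."""
    return binding[1], binding[binding.index("behavior") + 1]

def apply_policy(tables, policy, exp):
    """Return (exp_after, queue, pct) for one packet (assumed: first match wins)."""
    for binding in tables["policy"][policy]:
        cname, bname = binding_names(binding)
        if not classifier_matches(tables["classifier"][cname], exp):
            continue
        queue = pct = None
        for action in tables["behavior"][bname]:
            if action[:2] == ["remark", "mpls-exp"]:
                exp = int(action[2])
            elif action[0] == "queue" and action[2:4] == ["bandwidth", "pct"]:
                queue, pct = action[1], int(action[4])
        return exp, queue, pct
    return exp, "be", None                 # default class, served from BE queues

def end_to_end(tables, lan_policy, wan_policy, exp_in=0):
    """Inbound remark on the LAN interface, then outbound queueing on the MP group."""
    exp, _, _ = apply_policy(tables, lan_policy, exp_in)
    return apply_policy(tables, wan_policy, exp)

def reserved_pct(tables, policy):
    """Sum of 'queue ... bandwidth pct N' over every behavior bound in the policy."""
    total = 0
    for binding in tables["policy"][policy]:
        for action in tables["behavior"][binding_names(binding)[1]]:
            if action[0] == "queue" and action[2:4] == ["bandwidth", "pct"]:
                total += int(action[4])
    return total

if __name__ == "__main__":
    t = parse_mqc(MQC_CONFIG)
    for lan in ("lan-rt", "lan-nrt"):
        print(lan, "->", end_to_end(t, lan, "vpn"))
    print("reserved on policy vpn:", reserved_pct(t, "vpn"), "%")
```

Traffic that reaches the MP group with any EXP value other than 3 or 4 matches no classifier in policy vpn and is served from the BE queues.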


18 Network Management and Monitoring

18.1 Example for Configuring the SNMP Function to Implement Communication Between
the Device and the NMS
18.2 Example for Configuring the Netstream Function to Account User Traffic
18.3 Example for Configuring a UDP Jitter Test
18.4 Example for Configuring a TCP Test
18.5 Example for Configuring RMON to Remotely Monitor and Manage the Device
18.6 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication
Enabled to Implement Clock Synchronization
18.7 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled to
Implement Clock Synchronization
18.8 Example for Configuring the NTP Multicast Mode to Implement Clock Synchronization
18.9 Example for Configuring Local Port Mirroring to Monitor User Behaviors

18.1 Example for Configuring the SNMP Function to Implement Communication Between the Device and the NMS
Applicability
This example applies to all versions and AR routers.

Networking Requirements
Router A connects to the NMS through GE1/0/0. SNMP needs to be deployed to ensure that
the NMS and managed network devices communicate properly.

Figure 18-1 SNMP configuration


Procedure
Step 1 Configure Router A.
In versions earlier than V200R003C00.
#
interface GigabitEthernet1/0/0
ip address 10.1.2.1 255.255.255.0
#
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent sys-info version v1 //Set the SNMP version to V1.
snmp-agent community read admin@123 //Set the community name to admin@123 and permit read-only access.
snmp-agent target-host trap-hostname nms address 10.1.1.2 udp-port 162 trap-paramsname trapnms2 //Set the destination address of trap messages to 10.1.1.2, target host name to nms, and name of the list containing parameters for sending trap messages to trapnms2.
snmp-agent target-host trap-paramsname trapnms2 v1 securityname admin@123 //Set the name of the list containing parameters for sending trap messages to trapnms2, SNMP version to V1, and community name to admin@123.
snmp-agent trap enable //Enable RouterA to send trap messages to the NMS.
snmp-agent
#

In V200R003C00 and V200R003C01 versions.


#
interface GigabitEthernet1/0/0
ip address 10.1.2.1 255.255.255.0
#
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent sys-info version v1 //Set the SNMP version to V1.
snmp-agent community read %$%$"P`i!cWKAC7oLC/^{1SM,V&#%$%$ //Set the community name to admin@123 (displayed in cipher text) and permit read-only access.
snmp-agent target-host trap-hostname nms address 10.1.1.2 udp-port 162 trap-paramsname trapnms2 //Set the destination address of trap messages to 10.1.1.2, target host name to nms, and name of the list containing parameters for sending trap messages to trapnms2.
snmp-agent target-host trap-paramsname trapnms2 v1 securityname admin@123 //Set the name of the list containing parameters for sending trap messages to trapnms2, SNMP version to V1, and community name to admin@123.
snmp-agent trap enable //Enable RouterA to send trap messages to the NMS.
snmp-agent
#

In V200R005C00 and later versions.


#
interface GigabitEthernet1/0/0
ip address 10.1.2.1 255.255.255.0
#
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent community read %@%@$X!5#d+t+OJOXL1[{O2!&0UZv'@a;R/`Y+kK$4BUGFe)&2YLuM/kMF!HPG5Mzz3DXe223%@%@ //Set the community name to admin@123 (displayed in cipher text) and permit read-only access.
snmp-agent sys-info version v1 //Set the SNMP version to V1.
snmp-agent target-host trap-hostname nms address 10.1.1.2 udp-port 162 trap-paramsname trapnms2 //Set the destination address of trap messages to 10.1.1.2, target host name to nms, and name of the list containing parameters for sending trap messages to trapnms2.
snmp-agent target-host trap-paramsname trapnms2 v1 securityname %@%@_=XqAFC_94uCS,3'<gYC*ZU6%@%@ //Set the name of the list containing parameters for sending trap messages to trapnms2, SNMP version to V1, and community name to admin@123 (displayed in cipher text).
snmp-agent trap enable //Enable RouterA to send trap messages to the NMS.
snmp-agent
#

Step 2 Verify the configuration.


# Run the display snmp-agent target-host command to view the list of target hosts of trap
messages.
# When an alarm is generated, you can run the display trapbuffer command to view alarm
information.

----End

Configuration Notes
• Ensure that the NMS and RouterA use the same SNMP version and community name.
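
The three listings above differ only in how the community name is stored; all of them run SNMPv1, which sends the community name unencrypted in every request and trap. The following Python sketch is an added example, not part of the Huawei document: it audits saved configuration text for both conditions. The rule names and the audit_snmp function are hypothetical, and the cipher body in the second sample is a placeholder.

```python
import re

# Cipher-text secrets in a saved configuration are wrapped in %$%$...%$%$ or
# %@%@...%@%@, as in the V200R003C00 and V200R005C00 listings above.
CIPHER = re.compile(r"^(%\$%\$.+%\$%\$|%@%@.+%@%@)$")
# SNMPv1 and SNMPv2c carry the community name unencrypted on the wire.
CLEARTEXT_VERSIONS = {"v1", "v2c"}

# Constructed sample based on the listing for versions earlier than V200R003C00.
CONFIG_EARLY = """\
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent sys-info version v1 //Set the SNMP version to V1.
snmp-agent community read admin@123
snmp-agent target-host trap-hostname nms address 10.1.1.2 udp-port 162 trap-paramsname trapnms2
snmp-agent target-host trap-paramsname trapnms2 v1 securityname admin@123
snmp-agent trap enable
snmp-agent
"""
# Constructed sample: same settings, secrets stored as cipher text (placeholder body).
CONFIG_CIPHER = """\
snmp-agent community read %@%@PLACEHOLDER-CIPHERTEXT%@%@
snmp-agent sys-info version v1
snmp-agent target-host trap-paramsname trapnms2 v1 securityname %@%@PLACEHOLDER-CIPHERTEXT%@%@
snmp-agent trap enable
"""


def strip_annotation(line):
    """Drop the manual's trailing '//...' annotation and surrounding whitespace."""
    return re.split(r"\s+//", line, maxsplit=1)[0].strip()


def audit_snmp(config_text):
    """Return (line number, rule, detail) findings; secrets are never echoed."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = strip_annotation(raw).split()
        if words[:1] != ["snmp-agent"]:
            continue
        args = words[1:]
        if args[:2] == ["sys-info", "version"]:
            weak = sorted(CLEARTEXT_VERSIONS.intersection(args[2:]))
            if weak:
                findings.append((lineno, "cleartext-version", ",".join(weak)))
        elif args[:1] == ["community"] and len(args) >= 3:
            # snmp-agent community <read|write> <name>
            if not CIPHER.match(args[2]):
                findings.append((lineno, "plaintext-community", args[1]))
        elif args[:2] == ["target-host", "trap-paramsname"] and len(args) >= 4:
            # snmp-agent target-host trap-paramsname <list> <version> securityname <name>
            params = args[2]
            if args[3] in CLEARTEXT_VERSIONS:
                findings.append((lineno, "cleartext-trap", params + " uses " + args[3]))
            if "securityname" in args[4:]:
                idx = args.index("securityname", 4)
                if idx + 1 < len(args) and not CIPHER.match(args[idx + 1]):
                    findings.append((lineno, "plaintext-securityname", params))
    return findings


if __name__ == "__main__":
    for name, text in (("early", CONFIG_EARLY), ("cipher", CONFIG_CIPHER)):
        for finding in audit_snmp(text):
            print(name, finding)
```

Cipher-text storage clears the two plaintext findings, but the cleartext-version and cleartext-trap findings remain until the SNMP version itself changes.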

18.2 Example for Configuring the Netstream Function to Account User Traffic
Applicability
This example applies to all versions and AR routers.

Networking Requirements
As shown in Figure 18-2, HostA connects to GE1/0/0 of RouterA. The NetStream function is
enabled on RouterA. NSC&NDA collects statistics about incoming and outgoing traffic on
GE1/0/0 of RouterA. The statistics serve as a basis for accounting.

Figure 18-2 NetStream configuration

Procedure
Step 1 Configure Router A.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
ip netstream inbound //Configure the statistics function of incoming traffic.
ip netstream outbound //Configure the statistics function of outgoing traffic.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
ip netstream export version 9 //Set the format of the exported statistics of the original IPv4 stream to Version 9.
ip netstream export source 10.2.1.1 //Set the source IPv4 address of the statistics about IPv4 original flows.
ip netstream export host 10.2.1.2 6000 //Set the destination address to which the NetStream statistics about IPv4 original flows are output to 10.2.1.2 and the port number to 6000.
#

Step 2 Verify the configuration.


# Run the display ip netstream all command to view all NetStream configurations.

----End

Configuration Notes
• Ensure that Router A and the NSC&NDA use the same destination port number of
  NetStream packets.

18.3 Example for Configuring a UDP Jitter Test


Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-3, RouterA functions as an NQA client and RouterC functions as an
NQA server. A UDP Jitter test needs to be configured to measure the jitter time of packets
transmitted between RouterA and RouterC.

Figure 18-3 UDP Jitter test networking diagram

Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterA.
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route from RouterA to the specified network segment.
#
nqa test-instance admin jitter //Create an NQA test instance and enter the NQA test instance view.
test-type jitter //Set the test instance type to Jitter.
destination-address ipv4 10.2.1.2 //Configure a destination address.
destination-port 9000 //Configure a destination port number.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterB.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0 //Assign an IP address to GE2/0/0 of RouterB.
#
return

Step 3 Configure RouterC.


#
sysname RouterC //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterC.
#
nqa-server udpecho 10.2.1.2 9000 //Configure the IP address and port number for the NQA server.
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1 //Configure a static route from RouterC to the specified network segment.
#
return

Step 4 Verify the configuration.


# Run the start now command in the NQA test instance view of RouterA to start the test.
# Run the display nqa results test-instance admin jitter command in any view of RouterA
to check the jitter time. The Average of Jitter indicates the average jitter time of packets
transmitted between the two routers.

----End

18.4 Example for Configuring a TCP Test


Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-4, RouterA functions as an NQA client and RouterC functions as an
NQA server. An NQA TCP test needs to be configured to measure the TCP connection setup
time between RouterA and RouterC.

Figure 18-4 TCP test networking diagram


Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterA.
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route from
RouterA to the specified network segment.
#
nqa test-instance admin tcp //Create an NQA test instance and enter the NQA test
instance view.
test-type tcp //Set the test instance type to TCP.
destination-address ipv4 10.2.1.2 //Configure a destination address.
destination-port 9000 //Configure a destination port number.
#
return

Step 2 Configure RouterB.


#
sysname RouterB //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterB.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0 //Assign an IP address to GE2/0/0 of RouterB.
#
return

Step 3 Configure RouterC.


#
sysname RouterC //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterC.
#
nqa-server tcpconnect 10.2.1.2 9000 //Configure the IP address and port number
for the NQA server.
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1 //Configure a static route from
RouterC to the specified network segment.
#
return

Step 4 Verify the configuration.


# Run the start now command in the NQA test instance view of RouterA to start the test.
# Run the display nqa results test-instance admin tcp command in any view of RouterA to
check the NQA test result. The Min/Max/Average Completion Time field indicates the
minimum, maximum, and average time of TCP connection setup.

----End

18.5 Example for Configuring RMON to Remotely Monitor and Manage the Device

Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-5, a subnet connects to the network through GE2/0/0 of the router.
The network management system (NMS) needs to monitor the subnet, including:
• Collecting real-time and history statistics on traffic and each type of packets
• Recording logs when the traffic rate exceeds the threshold
• Monitoring broadcast and multicast traffic rate on the subnet and sending traps to the
NMS when the traffic rate exceeds the threshold

Figure 18-5 Networking diagram for configuring RMON

Procedure
Step 1 Configure the router.
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.2.2.1 255.255.255.0 //Configure an IP address for GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 10.3.3.1 255.255.255.0 //Configure an IP address for GE2/0/0.
rmon-statistics enable //Enable RMON statistics collection on GE2/0/0.
rmon statistics 1 owner Test300 //Configure a statistical table with table index
1 and creator Test300.
rmon history 1 buckets 10 interval 30 owner Test300 //Configure a historical
control table. Configure RMON to sample traffic on subnets at an interval of 30s.
Save the latest 10 records.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.2.2.0 0.0.0.255 //Configure the network segment where OSPF is run.
network 10.3.3.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
snmp-agent target-host trap-hostname hwnm address 10.1.1.1 udp-port 162 trap-paramsname hw //Configure the device to send traps to the specified NMS.
snmp-agent target-host trap-paramsname hw v1 securityname %@%@_=XqAFC_94uCS,3'<gYC*ZU6%@%@
snmp-agent trap enable //Enable SNMP trap sending.
#
rmon event 1 description null log owner Test300 //Set the handling method of
RMON event 1 to recording logs.
rmon event 2 description forUseofPrialarm trap public owner Test300 //Set the
handling method of RMON event 2 to sending traps to NMS.
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1 falling-threshold 100 1 owner Test300 //Configure the trap table, sampling interval, and
threshold to trigger trap 1 (OID: 1.3.6.1.2.1.16.1.1.1.6.1).
rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1 sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype forever owner Test300 //Configure extended trap table, and configure
RMON to sample broadcast and multicast packets once every 30 seconds. When the
sampling delta is higher than upper threshold 1000 or below the lower threshold
0, event 2 is triggered and a trap is sent to the NMS.
#
return

Step 2 Verify the configuration.

# Run the display rmon statistics gigabitethernet 2/0/0 command to view traffic statistics on
the subnet.

# Run the display rmon history gigabitethernet 2/0/0 command to view historical statistics.

# Run the display rmon event command to view RMON event configurations.

# Run the display rmon alarm 1 command to view configurations of the RMON alarm
function.

# Run the display rmon prialarm 1 command to view RMON extended alarm configuration.

# Run the display rmon eventlog command to view details about the RMON event logs.

----End
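
How the two alarm entries in Step 1 evaluate their samples, as an added example that is not part of Huawei's guide: a Python model of the RFC 2819 rising/falling hysteresis rule, fed with constructed counter readings. It assumes the extended alarm (prialarm) applies the same rule to its formula result. It shows that alarm 1, which samples the cumulative broadcast counter in absolute mode, can fire its rising event only once, while the delta-sampled prialarm re-arms after a quiet interval.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry with RFC 2819 rising/falling hysteresis."""
    rising: int                       # rising-threshold
    falling: int                      # falling-threshold
    sample_type: str = "absolute"     # "absolute" or "delta"
    last_event: Optional[str] = None  # last event fired: "rising" / "falling"
    prev_raw: Optional[int] = None    # previous raw reading (delta mode only)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one raw counter reading; return the event fired, if any."""
        if self.sample_type == "delta":
            if self.prev_raw is None:      # two readings are needed for a delta
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw
        # An event fires only on a crossing. The same event cannot repeat
        # until the opposite threshold has been reached (hysteresis).
        if value >= self.rising and self.last_event != "rising":
            self.last_event = "rising"
            return "rising"
        if value <= self.falling and self.last_event != "falling":
            self.last_event = "falling"
            return "falling"
        return None


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every event the alarm fires."""
    events = []
    for i, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.append((i, event))
    return events


# Constructed cumulative counters, one reading per 30-second interval.
BROADCAST = [150, 220, 360, 900, 1500, 1510, 1510, 2900]  # 1.3.6.1.2.1.16.1.1.1.6.1
MULTICAST = [50, 80, 110, 400, 800, 805, 805, 1500]       # 1.3.6.1.2.1.16.1.1.1.7.1
BROAD_PLUS_MULTI = [b + m for b, m in zip(BROADCAST, MULTICAST)]


def alarm1_events() -> List[Tuple[int, str]]:
    """rmon alarm 1: absolute sampling, rising 500 / falling 100 (event 1, log)."""
    return run(RmonAlarm(500, 100, "absolute"), BROADCAST)


def prialarm1_events() -> List[Tuple[int, str]]:
    """rmon prialarm 1: delta of the sum, rising 1000 / falling 0 (event 2, trap)."""
    return run(RmonAlarm(1000, 0, "delta"), BROAD_PLUS_MULTI)


if __name__ == "__main__":
    print("alarm 1   :", alarm1_events())
    print("prialarm 1:", prialarm1_events())
```

In the constructed data the second burst (last interval) is reported only by the prialarm: the absolute counter never drops back to the falling threshold of 100, so alarm 1 stays disarmed after its first rising event.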

18.6 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication Enabled to Implement Clock Synchronization

Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-6, RouterB, RouterC, and RouterD are on a local area network
(LAN), and are connected to RouterA through a network. To ensure normal service, all
routers on the LAN must synchronize their system clocks to a standard clock. The
requirements are as follows:
• RouterA functions as the master clock server and the stratum is 2.
• RouterA and RouterB use the NTP unicast server/client mode to synchronize clocks.
RouterA functions as a server and RouterB functions as a client.
• RouterB uses the NTP unicast server/client mode to synchronize clock with RouterC and
RouterD. RouterB functions as a server, and RouterC and RouterD function as clients.
• The NTP authentication function is required to strengthen network security.

Figure 18-6 Networking diagram for configuring the NTP unicast server/client mode

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0 //Configure an IP address for GE1/0/0.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.2.2.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 42 //Claim reliability of NTP
authentication cipher.
ntp-service refclock-master 2 //Configure RouterA as the NTP master clock and
set stratum to 2.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.0.0.1 255.255.255.0 //Configure an IP address for GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 10.0.1.1 255.255.255.0 //Configure an IP address for GE2/0/0.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.0.0.0 0.0.0.255 //Configure the network segment where OSPF is run.
network 10.0.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 42 //Claim reliability of NTP
authentication cipher.

ntp-service unicast-server 10.2.2.2 authentication-keyid 42 //Configure RouterA
as the NTP server for RouterB and to use the configured authentication cipher.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 10.0.0.2 255.255.255.0 //Configure an IP address for GE1/0/0.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.0.0.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 42 //Claim reliability of NTP
authentication cipher.
ntp-service unicast-server 10.0.0.1 authentication-keyid 42 //Configure RouterB
as the NTP server for RouterC and to use the configured authentication cipher.
#
return

Step 4 Configure RouterD.


#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 10.0.0.3 255.255.255.0 //Configure an IP address for GE1/0/0.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.0.0.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 42 //Claim reliability of NTP
authentication cipher.
ntp-service unicast-server 10.0.0.1 authentication-keyid 42 //Configure RouterB
as the NTP server for RouterD and to use the configured authentication cipher.
#
return

Step 5 Verify the configuration.

# Run the display ntp-service status command on RouterB to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterB has synchronized clock with RouterA.

# Run the display ntp-service status command on RouterC to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 4, which is one stratum lower than RouterB,
RouterC has synchronized clock with RouterB.

# Run the display ntp-service status command on RouterD to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 4, which is one stratum lower than RouterB,
RouterD has synchronized clock with RouterB.

----End

Configuration Notes
• When configuring NTP authentication in the unicast server/client mode, enable the NTP
authentication on the client, and then specify the NTP server address and the
authentication cipher to be sent to the server. If these operations are not performed, the
NTP server and client directly synchronize their clocks without NTP authentication.
• The server and the client must be configured with the same authentication cipher.
• To ensure successful authentication, configure the NTP client and server properly.
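
The first note above describes a silent fallback to unauthenticated synchronization, which can be checked offline against a saved configuration. The following added example (not part of Huawei's guide) audits the ntp-service lines used in sections 18.6 to 18.8. The finding names, the `<cipher>` placeholder, the constructed misconfigured sample and the policy of flagging broadcast or multicast clients that have no enabled authentication are assumptions of this example.

```python
import re
from typing import List, Tuple

KEYDEF_RE = re.compile(r"ntp-service authentication-keyid (\d+) authentication-mode \S+")
RELIABLE_RE = re.compile(r"ntp-service reliable authentication-keyid (\d+)")
ASSOC_RE = re.compile(r"ntp-service (unicast-server|broadcast-server|multicast-server)\b")
LISTEN_RE = re.compile(r"ntp-service (broadcast-client|multicast-client)\b")
KEYREF_RE = re.compile(r"authentication-keyid (\d+)")


def audit_ntp(config: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for one device configuration."""
    auth_on = False
    defined, reliable = set(), set()
    assocs, listeners = [], []
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()   # drop the guide's // comments
        if line == "ntp-service authentication enable":
            auth_on = True
        elif (m := KEYDEF_RE.match(line)):
            defined.add(m[1])
        elif (m := RELIABLE_RE.match(line)):
            reliable.add(m[1])
        elif (m := ASSOC_RE.match(line)):
            parts = line.split()
            is_unicast = m[1] == "unicast-server" and len(parts) > 2
            target = parts[2] if is_unicast else m[1]
            ref = KEYREF_RE.search(line)
            assocs.append((target, ref[1] if ref else None))
        elif (m := LISTEN_RE.match(line)):
            listeners.append(m[1])

    findings = []
    for target, key in assocs:
        if key is None:                      # association carries no key ID
            findings.append(("NO_KEYID", target))
        elif key not in defined:             # key ID referenced but never configured
            findings.append(("KEY_UNDEFINED", key))
        elif key not in reliable:            # key exists but is not declared reliable
            findings.append(("KEY_NOT_RELIABLE", key))
    for role in listeners:
        if not (auth_on and defined & reliable):
            findings.append(("LISTENER_UNAUTHENTICATED", role))
    if not auth_on and (defined or assocs):
        findings.append(("AUTH_NOT_ENABLED", "global"))
    return findings


# RouterB from section 18.6, cipher text replaced by a placeholder.
ROUTER_B_18_6 = """
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <cipher>
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 10.2.2.2 authentication-keyid 42
"""

# Constructed misconfiguration: key never enabled, one server without a key ID,
# one server pointing at a key ID that does not exist.
CLIENT_MISCONFIGURED = """
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher <cipher>
ntp-service unicast-server 10.2.2.2
ntp-service unicast-server 10.0.0.1 authentication-keyid 7
"""

# RouterB from section 18.8 (multicast client, no authentication configured).
ROUTER_B_18_8 = """
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
 ntp-service multicast-client //Configure RouterB as an NTP client.
"""

if __name__ == "__main__":
    for name in ("ROUTER_B_18_6", "CLIENT_MISCONFIGURED", "ROUTER_B_18_8"):
        print(name, audit_ntp(globals()[name]))
```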

18.7 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled to Implement Clock Synchronization

Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-7, RouterB, RouterC, and RouterD are located on the same LAN.
RouterA is directly connected to RouterB. RouterC directly synchronizes its clock to a
standard clock by radio. All routers except RouterA on the LAN must synchronize their clocks
to the standard clock. The requirements are as follows:
• RouterC functions as the master clock server and uses its local clock as the NTP master
clock, and its clock stratum is 3.
• RouterC functions as the NTP broadcast server that sends broadcast packets from interface
GE1/0/0.
• RouterA, RouterD and RouterB function as NTP broadcast clients. RouterA uses
GE1/0/0 to listen to the broadcast packets. RouterD uses GE1/0/0 to listen to the
broadcast packets. RouterB uses GE2/0/0 to listen to the broadcast packets.
• The NTP authentication function is required to strengthen network security.

Figure 18-7 Networking diagram for configuring NTP broadcast mode

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.11 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service broadcast-client //Configure RouterA as the NTP broadcast client.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.1.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 16 //Claim reliability of NTP
authentication cipher.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Configure an IP address for GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 10.3.1.2 255.255.255.0 //Configure an IP address for GE2/0/0.
ntp-service broadcast-client //Configure RouterB as the NTP broadcast client.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.1.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
network 10.3.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 16 //Claim reliability of NTP
authentication cipher.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 10.3.1.31 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service broadcast-server authentication-keyid 16 //Configure RouterC as the
NTP broadcast server.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.3.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 16 //Claim reliability of NTP
authentication cipher.
ntp-service refclock-master 3 //Set the stratum of NTP master clock on RouterC
to 3.
#
return

Step 4 Configure RouterD.


#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 10.3.1.32 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service broadcast-client //Configure RouterD as the NTP broadcast client.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.3.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %@%@,
1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication cipher.
ntp-service reliable authentication-keyid 16 //Claim reliability of NTP
authentication cipher.
#
return

Step 5 Verify the configuration.

# Run the display ntp-service status command on RouterA to view NTP status. When the
value of clock status is displayed as unsynchronized, RouterA does not synchronize clock
with RouterC. RouterA and RouterC are on different network segments, so RouterA cannot
receive broadcast packets from RouterC.

# Run the display ntp-service status command on RouterD to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 4, which is one stratum lower than RouterC,
RouterD has synchronized clock with RouterC. RouterD and RouterC are on the same network
segment, so RouterD can receive broadcast packets from RouterC.

----End

18.8 Example for Configuring the NTP Multicast Mode to Implement Clock Synchronization

Applicability
This example applies to all AR models of all versions.

Networking Requirements
As shown in Figure 18-8, RouterA, RouterB, and RouterC are located on the same LAN.
RouterA directly synchronizes its clock to a standard clock by radio. The clocks of all routers
on the network need to be synchronized to the standard clock. The requirements are as
follows:
• RouterA functions as the master clock server and uses its local clock as the NTP master
clock, and its clock stratum is 2.
• RouterA functions as the NTP multicast server that sends multicast packets from
interface GE1/0/0.
• RouterB and RouterC function as NTP multicast clients. RouterB uses GE1/0/0 to listen
to the multicast packets. RouterC uses GE1/0/0 to listen to the multicast packets.

Figure 18-8 Networking diagram for configuring the NTP multicast mode

Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service multicast-server //Configure RouterA as an NTP multicast server.
#
ntp-service refclock-master 2 //Configure RouterA as the NTP master clock and
set stratum to 2.
#
return

Step 2 Configure RouterB.


#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service multicast-client //Configure RouterB as an NTP client.
#
return

Step 3 Configure RouterC.


#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 10.1.1.3 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service multicast-client //Configure RouterC as an NTP multicast client.
#
return

Step 4 Verify the configuration.

# Run the display ntp-service status command on RouterB to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterB has synchronized clock with RouterA.

# Run the display ntp-service status command on RouterC to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterC has synchronized clock with RouterA.

----End

18.9 Example for Configuring Local Port Mirroring to Monitor User Behaviors

Applicability
This example applies to all AR models of V200R002C00 and later versions.

Networking Requirements
As shown in Figure 18-9, the router functions as the egress gateway of an enterprise. The
R&D department and marketing department of the enterprise connect to Ethernet2/0/0 and
Ethernet2/0/1 on the router. The server (a data monitoring device) that has the monitoring
software installed connects to Ethernet2/0/2 on the router to analyze the captured packets. To
ensure enterprise information security, configure local port mirroring on the router to help the
server monitor all the packets sent by the R&D department and marketing department.

Figure 18-9 Local port mirroring networking

Procedure
Step 1 Configure the router.
#
observe-port interface Ethernet2/0/2 //Configure the local observing port.
#
interface Ethernet2/0/0
mirror to observe-port inbound //Configure Ethernet2/0/0 as the local mirrored
port, and mirror only incoming packets on the port.
#
interface Ethernet2/0/1
mirror to observe-port inbound //Configure Ethernet2/0/1 as the local mirrored
port, and mirror only incoming packets on the port.
#

Step 2 Verify the configuration.


# Run the display observe-port command on the router to view the observing port
configuration. In the command output, the Interface field displays Ethernet2/0/2.
# Run the display mirror-port command on the router to view the mirrored port
configuration. In the command output, the Mirror-port field displays Ethernet2/0/0 and
Ethernet2/0/1.
# Run the display interface command on the router to view packet statistics on Ethernet2/0/0,
Ethernet2/0/1, and Ethernet2/0/2. The command output shows that the number of outgoing
packets on Ethernet2/0/2 equals the total number of incoming packets on Ethernet2/0/0 and
Ethernet2/0/1. You can also view all the packets received by Ethernet2/0/0 and Ethernet2/0/1
on the server, indicating that packets on Ethernet2/0/0 and Ethernet2/0/1 have been mirrored
by the router.

----End

Configuration Notes
• A router can have only one observing port, which must be a LAN-side Ethernet port.
• On the router, the packets on multiple ports can be mirrored to one observing port.
• When you configure the observing port and mirrored port, correctly allocate bandwidth
to the ports. If a GE interface is used as the mirrored port and an Ethernet interface is
used as the observing port, the observing port bandwidth is insufficient. This may result
in the loss of mirrored packets.
• After an interface is configured as the observing port, do not perform other
configurations on the interface. Otherwise, the local port mirroring function may be
affected. For example, if the observing port transmits both mirrored packets and other
service traffic, the observing port cannot identify the source of the packets. When the
observing port becomes congested, mirrored packets may be discarded because these
packets have lower priority than service traffic.

19 Comprehensive Cases

19.1 Example for Configuring DHCP and NAT to Enable Users to Dynamically Obtain IP
Addresses and Access the Internet
19.2 Associating IPSec with NQA to Implement Rapid Switching Between Active and
Standby Peers and Links
19.3 Example for Configuring SPR to Implement Smart Routing on Voice Services

19.1 Example for Configuring DHCP and NAT to Enable Users to Dynamically Obtain IP Addresses and Access the Internet

Specifications
This example applies to AR routers of all versions.

Networking Requirements
The router functions as the egress gateway of an enterprise. The enterprise has departments A
and B, and plans two address network segments (10.10.1.0/25 and 10.10.1.128/25) and
gateway addresses (10.10.1.1/25 and 10.10.1.129/25) for terminals in the two departments
respectively. In department A, PCs are used as office terminals, with the address lease of 30
days, domain name huawei.com, and DNS server address 10.10.1.2. In department B,
portable computers of employees on business trips are mostly used, with the address lease of
2 days, domain name huawei.com, and DNS server address 10.10.1.2. The internal addresses
of the enterprise are planned as private network addresses and the terminals need to access the
Internet. Therefore, NAT needs to be configured to implement translation from private
network addresses to public network addresses. The remote IP address of the outbound
interface GE0/0/3 connected to the router is 2.1.1.1/24.

Figure 19-1 Networking diagram of configuring DHCP and NAT to enable users to
dynamically obtain IP addresses and access the Internet

Procedure
Step 1 Configure the router.

#
sysname Router //Modify the device name.
#
dhcp enable //Enable the DHCP
function.
#
acl number 2000 //Configure the internal network address segment 10.10.1.0/24 on
which NAT is allowed.
rule 5 permit source 10.10.1.0 0.0.0.255
#
ip pool ip-pool1
gateway-list 10.10.1.1 //Configure the gateway
address.
network 10.10.1.0 mask 255.255.255.128 //Configure the range of IP addresses
that can be dynamically allocated in the global address
pool.
excluded-ip-address 10.10.1.2 //Configure 10.10.1.2 in the address pool not to
be automatically allocated.
dns-list 10.10.1.2 //Configure the IP address of the DNS server used by the DHCP
client.
lease day 30 hour 0 minute 0 //Configure the IP address lease to 30 days.
domain-name huawei.com //Configure the domain name
huawei.com.
#
ip pool ip-pool2
gateway-list 10.10.1.129 //Configure the gateway
address.
network 10.10.1.128 mask 255.255.255.128 //Configure the range of IP addresses
that can be dynamically allocated in the global address pool.
dns-list 10.10.1.2 //Configure the IP address of the DNS server used by the DHCP
client.
lease day 2 hour 0 minute 0 //Configure the IP address lease to 2 days.
domain-name huawei.com //Configure the domain name
huawei.com.
#
interface GigabitEthernet0/0/1
ip address 10.10.1.1 255.255.255.128

dhcp select global //The interface works in global address pool mode.
#
interface GigabitEthernet0/0/2
ip address 10.10.1.129 255.255.255.128
dhcp select global //The interface works in global address pool mode.
#
interface GigabitEthernet0/0/3
ip address 2.1.1.2 255.255.255.0
nat outbound 2000 //Configure NAT in easy IP mode on the outbound interface
GE0/0/3 to implement translation from private network addresses to public network
addresses.
#
ip route-static 0.0.0.0 0.0.0.0 2.1.1.1 //Configure the default route to ensure
that the route from the outbound interface to the peer is reachable.
#
return

Step 2 Verify the configuration.


# Run the display ip pool command on the router to check allocation of the IP address pool.
Run the display nat outbound command to check NAT configuration on GE0/0/3. After the
configuration is successful, the terminals can dynamically obtain IP addresses and access the
Internet.

----End

Configuration Notes
Configure an ACL to determine for which network segment NAT needs to be performed.

19.2 Associating IPSec with NQA to Implement Rapid Switching Between Active and Standby Peers and Links

IPSec Introduction
As shown in Figure 19-2, IPSec VPN allows users to connect to the VPN over the Internet in
any mode with no geographical limitations. IPSec VPN applies to the access of mobile office
users and partners, and is used for communication between the enterprise
headquarters and branch.
The data flows between sites are encrypted and securely transmitted through IPSec tunnels,
though they are transmitted on the public network.

Figure 19-2 Networking of IPSec VPN

As shown in Figure 19-3, to ensure the reliability of devices in the headquarters, the
headquarters uses two or more devices to establish VRRP groups and establishes an IPSec
tunnel with the branch. The branch gateway needs to establish an IPSec tunnel with the
headquarters by configuring two addresses or domain names for one peer. The branch
gateway uses the first address or domain name to establish an IPSec tunnel with the
headquarters gateway. If the IPSec tunnel fails to be set up or dead peer detection (DPD) fails,
the second address or domain name is used. However, the switching process requires a long
time. In addition, after the fault is rectified, the traffic cannot be switched back to the original
peer.
You can associate IPSec with NQA to check whether the peer address is invalid based on the
NQA test. If the peer address is invalid, the traffic is rapidly switched to the other peer. This
ensures that traffic is rapidly switched to another headquarters gateway when one
headquarters gateway fails. In addition, you can configure revertive switching to ensure that
traffic can be switched back after the original headquarters gateway recovers.
To increase the reliability of branch links, the branch gateway connects to the Internet using
two interfaces. The branch gateway uses the active link to establish an IPSec tunnel with the
headquarters gateway. If the active link fails, the branch gateway uses the standby link to
establish an IPSec tunnel. The switching process requires a long time. After the failure is
rectified, traffic cannot be switched back to the active link. Therefore, you can also associate
IPSec with NQA to check whether the active link works properly according to the NQA test.
If the active link fails, traffic is rapidly switched to the standby link. In addition, after the
active link recovers, traffic can be switched back.

Figure 19-3 Associating IPSec with NQA to implement rapid switching

Configuration Notes
1. Devices in the VRRP group must be configured with the same virtual router ID (VRID).
2. The authentication and encryption algorithms of the branch and headquarters gateways
must be the same.
3. The ACLs on the branch and headquarters gateways must mirror each other. If ACL
rules between peers do not mirror each other, an SA can be established successfully only
when the range defined by the ACL rule of the initiator is a subset of the range defined
by the ACL rule of the responder.
4. When both IPSec and NAT are configured on a device, check whether data flows
encapsulated by IPSec need to be translated using NAT.
– If NAT is required, the security ACL needs to match the NAT-translated address.
– If NAT is not required, the security ACL needs to match the address that is not
translated using NAT. In addition, define the deny action in the ACL for the data
flows that need to be transmitted using the IPSec tunnel.
5. When configuring IPSec, ensure that the public network route is reachable.
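
Note 3 above (mirrored ACLs, or an initiator range that is a subset of the responder range) can be checked before deployment. The following Python check is an added example, not part of Huawei's guide; the rule lines and addresses are constructed, and it assumes advanced ACL rules of the form `rule permit ip source <addr> <wildcard> destination <addr> <wildcard>` with contiguous wildcard masks.

```python
import ipaddress
import re
from typing import Tuple

Net = ipaddress.IPv4Network

RULE_RE = re.compile(
    r"rule(?: \d+)? permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def wildcard_net(addr: str, wildcard: str) -> Net:
    """Convert an address and wildcard mask to a network.

    Done by hand because ipaddress treats the all-zero mask as /0, whereas
    an ACL wildcard of 0.0.0.0 means a single host (/32).
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                      # host bits must be one contiguous run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_rule(rule: str) -> Tuple[Net, Net]:
    """Return (source network, destination network) of one permit rule."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    return wildcard_net(m[1], m[2]), wildcard_net(m[3], m[4])


def compare(initiator_rule: str, responder_rule: str) -> str:
    """Classify a rule pair as 'mirrored', 'subset' or 'mismatch'.

    The initiator's source is compared with the responder's destination and
    vice versa, because each side describes the same flow from its own end.
    """
    i_src, i_dst = parse_rule(initiator_rule)
    r_src, r_dst = parse_rule(responder_rule)
    if (i_src, i_dst) == (r_dst, r_src):
        return "mirrored"
    if i_src.subnet_of(r_dst) and i_dst.subnet_of(r_src):
        return "subset"                  # SA can be set up in this direction only
    return "mismatch"


# Constructed rules: branch LAN 10.2.1.0/24, headquarters LAN 10.1.1.0/24.
BRANCH = "rule 5 permit ip source 10.2.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
HQ = "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255"
HQ_WIDE = "rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.1.0 0.0.0.255"

if __name__ == "__main__":
    print("branch -> HQ      :", compare(BRANCH, HQ))
    print("branch -> HQ wide :", compare(BRANCH, HQ_WIDE))
    print("HQ wide -> branch :", compare(HQ_WIDE, BRANCH))
```

With the wider headquarters rule, negotiation succeeds only when the branch initiates; the reverse direction is a mismatch, which matters when the headquarters gateway has to re-establish the tunnel after a switchover.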

Networking Requirements
As shown in Figure 19-4, HQ1 and HQ2 are headquarters gateways, and AR1 is the branch
gateway. The DNS server parses domain names, and the DDNS server updates the IP addresses
mapped to domain names.
To improve the reliability of the enterprise headquarters gateway, HQ1 and HQ2 establish a
VRRP group, and HQ1 is the master. To enhance the reliability of the branch link and service
security, AR1 establishes an IPSec VPN with the headquarters using two links. The 3G dial-up
link is the standby link. The requirements are as follows:
• When the link between HQ1 and AR1 fails, the VRRP group can detect it and perform an
active/standby switchover. HQ2 then takes over services to reduce the impact of a link
fault on service forwarding.
• When HQ1 fails, AR1 can rapidly establish an IPSec tunnel with HQ2 through
negotiation to reduce traffic loss. In addition, when HQ1 recovers, traffic can be
switched back.
• When the active link of AR1 fails, services on the IPSec tunnel can be rapidly switched
to the standby link to reduce traffic loss. At the same time, when the active link
recovers, traffic can be rapidly switched back.

Figure 19-4 Associating IPSec with NQA to implement rapid switching


Configuration Roadmap
The configuration roadmap is as follows:
1. To implement gateway backup, configure a VRRP group on HQ1 and HQ2. Set the
priority of HQ1 to 120 and preemption delay to 20 seconds, and configure HQ1 as the
master; set the priority of HQ2 to 90 and configure it as backup.
2. To ensure a rapid VRRP active/standby switchover and reduce the traffic loss, associate
VRRP with NQA to monitor the connectivity of the active link of the headquarters.
When NQA detection fails, data flows can be switched from HQ1 to HQ2.
3. To implement secure communication between the branch and headquarters, configure
IPSec on HQ1, HQ2, and AR1.
4. To implement rapid switching between the branch and HQ1/HQ2 and reduce service
loss, associate IPSec with NQA on AR1 to check whether the peer address is valid and
ensure that traffic can be rapidly switched to another headquarters gateway when one
headquarters gateway fails. You can also configure revertive switching of peers to
ensure that traffic can be switched back when the original headquarters gateway
recovers.
5. To implement rapid switching of active and standby branch links and reduce service loss,
associate IPSec with NQA on AR1 to monitor the connectivity of the IPSec tunnel in
real time and ensure that traffic can be rapidly switched to the standby link when
the active branch link fails. After the active link recovers, traffic can be switched back.

Data Plan

Table 19-1 Data Plan Table

| Item | Parameter | Description |
|---|---|---|
| IP address | HQ1 GE2/0/0: 10.1.0.1/24; HQ2 GE2/0/0: 10.1.0.2/24; AR1 GE1/0/0: 10.2.1.2/24; AR1 GE2/0/0: 10.0.1.1/24; AR1 Cellular0/0/0: 2.1.1.2/24; NAT GE1/0/0: 1.0.3.1/24; NAT GE2/0/0: 10.2.1.1/24; DNS server: 5.1.1.2/24 | The GE1/0/0 interfaces of HQ1 and HQ2 obtain addresses through PPPoE. The domain name of HQ1 is store1.huawei.com, and the corresponding address is 3.1.1.1/24. The domain name of HQ2 is store2.huawei.com, and the address is 4.1.1.1/24. |
| VRRP group | Virtual IP address: 10.1.0.10/24; Master: HQ1, priority: 120, preemption delay: 20 seconds; Backup: HQ2, priority: 90 | None |
| IKE proposal | Authentication algorithm: sha2-256; Encryption algorithm: aes-cbc-128 | The configuration of the headquarters and branch must be the same. |
| IPSec proposal | Authentication algorithm: sha2-256; Encryption algorithm: aes-192 | |
| Pre-shared key | Authentication field: huawei1234 | |
| NQA test instance | Administrator: user; Test instance name: test, test1; Test type: ICMP; Number of test probes for one test: 5; Interval at which packets are sent: 20 seconds | None |

Configuration Files
● Configure HQ1.
#
sysname HQ1
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway
address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
ddns policy ddnspolicy1 //Configure a DDNS policy to update the IP address
mapped to the domain name.
url oray://username1:password1@phddnsdev.oray.net //Configure a URL of the
DDNS server.
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128
authentication-algorithm sha2-256

#
ike peer branch v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and
later versions, the commands are ike peer peer-name and version { 1 | 2 }. By
default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2
to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to
respond. To initiate a negotiation request using IKEv1, run the undo version
2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the pre-shared key authentication key as "huawei1234" in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei1234, and the password is displayed in plain text.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is
enabled on the device by default, and this command is not supported. In
versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD
packets to 10 seconds.
#
ipsec policy-template use1 10 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy branch 1 isakmp template use1 //Reference the IPSec policy
template in the IPSec policy.
#
interface Dialer0 //Configure parameters of the dialer interface.
link-protocol ppp
ppp pap local-user user@huawei.com password cipher %@%@ZX}=YK.{rUa.K#7W\==O)+
[c%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1 //Specify a Dialer bundle for the RS-DCC dialer interface.
dialer-group 1 //Specify a dialer group for the dialer interface.
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface, so
that the dialer interface can forward dynamic update to the DDNS server when
the interface IP address changes.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 //Bind the dialer interface and establish
a PPPoE session.
#
interface GigabitEthernet2/0/0
ip address 10.1.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.0.10 //Set the virtual address of VRRP group 1
to 10.1.0.10.
vrrp vrid 1 priority 120 //Configure the priority of the device in the VRRP
group.
vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay for the
device in the VRRP group.
vrrp vrid 1 track nqa user test reduced 40 //Associate VRRP with NQA to
monitor the connectivity of the active link of the headquarters.
#
dialer-rule //Configure a dialer rule that permits all IPv4 packets.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure a static route.
#
nqa test-instance user test //Configure an NQA test instance.
test-type icmp //Configure the test type of the NQA test instance as
ICMP.
destination-address ipv4 5.1.1.2
frequency 20 //Configure the interval of automatic NQA test.
probe-count 5 //Set the number of probes for one test.
source-interface Dialer0 //Configure the source interface that forwards
NQA packets.

start now //Start the test instance immediately.
#
return

● Configure HQ2.
#
sysname HQ2
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway
address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
ddns policy ddnspolicy1 //Configure a DDNS policy to update the IP
address mapped to the domain name.
url oray://username1:password1@phddnsdev.oray.net //Configure a URL of the
DDNS server.
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer branch v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and
later versions, the commands are ike peer peer-name and version { 1 | 2 }. By
default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2
to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to
respond. To initiate a negotiation request using IKEv1, run the undo version
2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //
Configure the pre-shared key authentication key as "huawei1234" in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei1234, and the password is displayed in plain text.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is
enabled on the device by default, and this command is not supported. In
versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD
packets to 10 seconds.
#
ipsec policy-template use1 10 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy branch 1 isakmp template use1 //Reference the IPSec policy
template in the IPSec policy.
#
interface Dialer0 //Configure parameters of the dialer interface.
link-protocol ppp
ppp pap local-user user@huawei.com password cipher %@%@ZX}=YK.{rUa.K#7W\==O)+
[c%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1 //Specify a Dialer bundle for the RS-DCC dialer interface.
dialer-group 1 //Specify a dialer group for the dialer interface.
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface, so
that the dialer interface can forward dynamic update to the DDNS server when
the interface IP address changes.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 //Bind the dialer interface and establish
a PPPoE session.
#
interface GigabitEthernet2/0/0

ip address 10.1.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.0.10 //Set the virtual address of VRRP group 1
to 10.1.0.10.
vrrp vrid 1 priority 90 //Set the priority of VRRP group 1 to 90 and
configure HQ2 as backup.
vrrp vrid 1 track nqa user test reduced 40 //Associate VRRP with NQA to
monitor the connectivity of the active link of the headquarters.
#
dialer-rule //Configure a dialer rule that permits all IPv4 packets.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure a static route.
#
nqa test-instance user test //Configure an NQA test instance.
test-type icmp //Configure the test type of the NQA test instance as
ICMP.
destination-address ipv4 5.1.1.2
frequency 20 //Configure the interval of automatic NQA tests.
probe-count 5 //Set the number of probes for one test.
source-interface Dialer0 //Configure the source interface that forwards
NQA packets.
start now //Start the test instance immediately.
#
return

● Configure AR1.
#
sysname AR1
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway
address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer center v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and
later versions, the commands are ike peer peer-name and version { 1 | 2 }. By
default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2
to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to
respond. To initiate a negotiation request using IKEv1, run the undo version
2 command.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //
Configure the pre-shared key authentication key as "huawei1234" in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key
huawei1234, and the password is displayed in plain text.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is
enabled on the device by default, and this command is not supported. In
versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD
packets to 10 seconds.
remote-address store1.huawei.com track nqa user test1 up //When the status
of the NQA test instance is Up, the domain name can be used as the remote
address for negotiation.
remote-address store2.huawei.com track nqa user test1 down //When the status
of the NQA test instance is Down, the domain name can be used as the remote
address for negotiation.
switch-back enable

#
ipsec policy center1 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
connect track nqa user test up //When the status of the NQA test instance
is Up, establish an IPSec tunnel using the IPSec policy.
disconnect track nqa user test down //When the status of the NQA test
instance is Down, terminate the IPSec tunnel established using the IPSec
policy.
#
ipsec policy center2 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
connect track nqa user test down //When the status of the NQA test instance
is Down, establish an IPSec tunnel using the IPSec policy.
disconnect track nqa user test up //When the status of the NQA test instance
is Up, terminate the IPSec tunnel established using the IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0
ipsec policy center1 //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0
dialer enable-circular
dialer-group 1
dialer timer idle 180
dialer timer autodial 10
dialer number *99#
ipsec policy center2
ip address negotiate
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 200 //Configure the
static route as the standby route.
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1 track nqa user test //Configure the
static route as the active route and associate it with the NQA test instance.
ip route-static 5.1.1.2 255.255.255.0 10.2.1.1 //Configure the static route
to ensure connectivity with the address 5.1.1.2.
#
dialer-rule //Configure a dialer rule that permits all IPv4 packets.
dialer-rule 1 ip permit
#
nqa test-instance user test //Configure an NQA test instance.
test-type icmp //Configure the test type of the NQA test instance as
ICMP.
destination-address ipv4 5.1.1.2 //Specify a stable IP address for the
public network to check connectivity.
frequency 20 //Configure the interval of automatic NQA tests.
probe-count 5 //Set the number of probes for one test.
source-interface GigabitEthernet1/0/0 //Configure a source interface that
forwards test packets.
nqa test-instance user test1
test-type icmp
destination-address ipv4 3.1.1.1 // Specify the HQ1 public network address.
frequency 20
probe-count 5
#
return
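
The tracking statements in the three configuration files above decide which gateway is the VRRP master and which interface, IPSec policy and peer AR1 uses. The following Python example is added here and is not part of the Huawei guide: it evaluates those statements for a given set of NQA results. The excerpts are constructed from the lines above; VRRP tie-breaking and the 20-second preemption delay are not modelled.

```python
import re

# Constructed excerpts: only the tracking-related lines of the configuration files above.
HQ = {
    "HQ1": "vrrp vrid 1 priority 120\nvrrp vrid 1 track nqa user test reduced 40",
    "HQ2": "vrrp vrid 1 priority 90\nvrrp vrid 1 track nqa user test reduced 40",
}
AR1 = """\
ike peer center v2
remote-address store1.huawei.com track nqa user test1 up
remote-address store2.huawei.com track nqa user test1 down
#
ipsec policy center1 1 isakmp
connect track nqa user test up
disconnect track nqa user test down
#
ipsec policy center2 1 isakmp
connect track nqa user test down
disconnect track nqa user test up
#
interface GigabitEthernet1/0/0
ipsec policy center1
#
interface Cellular0/0/0
ipsec policy center2
"""


def effective_priority(cfg, nqa_up):
    """VRRP priority after 'track nqa ... reduced N' is applied for a failed test."""
    priority = int(re.search(r"vrrp vrid \d+ priority (\d+)", cfg)[1])
    reduced = int(re.search(r"track nqa \S+ \S+ reduced (\d+)", cfg)[1])
    return priority if nqa_up else priority - reduced


def vrrp_master(configs, nqa_up):
    """Gateway with the highest effective priority (ties and preemption delay not modelled)."""
    return max(configs, key=lambda name: effective_priority(configs[name], nqa_up[name]))


def ar1_tunnel(config, nqa):
    """Return (interface, IPSec policy, peer) selected on AR1 for NQA states such as
    {'test': True, 'test1': False}; True means the test instance is Up."""
    connect, binding, peers = {}, {}, []
    policy = iface = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ipsec policy (\S+) \d+ isakmp$", line):
            policy = m[1]                       # start of a policy definition
        elif m := re.match(r"interface (\S+)$", line):
            iface = m[1]
        elif m := re.match(r"ipsec policy (\S+)$", line):
            binding[m[1]] = iface               # policy bound to the current interface
        elif m := re.match(r"connect track nqa user (\S+) (up|down)$", line):
            connect[policy] = (m[1], m[2] == "up")
        elif m := re.match(r"remote-address (\S+) track nqa user (\S+) (up|down)$", line):
            peers.append((m[1], m[2], m[3] == "up"))
    active = [name for name, (inst, want) in connect.items() if nqa[inst] == want]
    usable = [host for host, inst, want in peers if nqa[inst] == want]
    if len(active) != 1 or len(usable) != 1:
        raise ValueError("tracking conditions are not mutually exclusive")
    return binding[active[0]], active[0], usable[0]


if __name__ == "__main__":
    for hq1 in (True, False):
        for hq2 in (True, False):
            print("HQ1 NQA", hq1, "HQ2 NQA", hq2, "->",
                  vrrp_master(HQ, {"HQ1": hq1, "HQ2": hq2}))
    for test in (True, False):
        for test1 in (True, False):
            print("test", test, "test1", test1, "->",
                  ar1_tunnel(AR1, {"test": test, "test1": test1}))
```

The reduction of 40 works because 120 - 40 = 80 is below HQ2's priority of 90. The peer choice on AR1 follows test1 independently of which link test selects, so all four combinations of interface and peer are possible.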


19.3 Example for Configuring SPR to Implement Smart Routing on Voice Services
SPR Overview
Smart policy routing (SPR) is developed to meet service requirements. As network service
requirements vary widely and service data is stored in a centralized manner, network services
increasingly depend on high link quality. More users shift their attention from network
connectivity to service availability, such as service response speed and service quality.
Diversified service requirements pose a challenge to traditional per-hop-based routing
protocols. These routing protocols are unaware of link quality and service requirements. As
long as routes are reachable, they select a link to forward packets even if the link quality is
poor or the link cannot support normal packet forwarding. As a result, these routing protocols
cannot deliver a satisfactory service experience.

SPR addresses this problem. It actively detects the link quality and matches service
requirements to select an optimal link to forward service data. SPR prevents network
blackholes and flapping.

Generally, SPR selects an optimal link for different service data flows (such as data, voice,
and video services) based on link quality. As shown in Figure 19-5, an enterprise branch
connects to the enterprise data center over two Internet service provider (ISP) networks (ISP1
and ISP2), and a 3G outbound interface is configured on RouterA to provide a best-effort link.
RouterA connects to ISP1 through the link group named group1 and connects to ISP2 through
the link group named group2. ISP1 provides advanced network service at a high cost, while
ISP2 provides common network service at a low cost. The enterprise branch exchanges voice,
video, FTP and HTTP services with the data center. Voice and video services require high link
quality. Therefore, group1 and group2 function as the primary and backup link groups,
respectively, for voice and video services. FTP and HTTP services do not require high link
quality. Therefore, group2 and group1 function as the primary and backup link groups,
respectively, for FTP and HTTP services. When no suitable link in group1 and group2 is
available to voice, video, FTP, and HTTP services, the 3G best-effort link can be used.

Figure 19-5 SPR networking


The functions that associate interface backup with network quality analysis (NQA),
bidirectional forwarding detection (BFD), or routes select links based on link connectivity and
are unaware of link quality and service requirements. As long as routes are reachable, these
functions select a link to transmit services even though the link quality is poor. Unlike these
functions, SPR selects links based on different service requirements on the latency, jitter, and
packet loss ratio. It can actively detect the link quality and match service requirements based
on the link quality to select an optimal link to forward service data.

Configuration Notes
1. This example applies to all AR routers running V200R005C00 and later versions. This
example uses AR169G-L series routers.
2. Only ADSL interfaces, VDSL interfaces in ATM mode, and G.SHDSL interfaces in
ATM mode support the ATM feature. These interfaces can function as ATM interfaces on
which services such as IPoA, IPoEoA, PPPoA, or PPPoEoA are configured.
– 1ADSL-A/M and 1ADSL-B/J cards can provide ADSL interfaces; 4G.SHDSL and
1GBIS4W cards can provide G.SHDSL interfaces; VDSL2 cards, 1V35B-AM can
provide VDSL interfaces.
– Among AR150&AR160&AR200 series routers, only AR156, AR156W, AR157
series, AR206, and AR207 series routers support the configuration of ADSL
interfaces.
– Among AR150&AR160&AR200 series routers, only AR129, AR169, AR169F,
AR169BF, AR169FVW, AR169FGW-L, AR169FGVW-L, AR169G-L, and
AR169-P-M9 support the configuration of VDSL interfaces.
– Among AR150&AR160&AR200 series routers, only AR158E, AR158EVW,
AR168F, and AR208E support the configuration of G.SHDSL interfaces.
NOTE

This example does not provide the interface attribute configuration.

Networking Requirements
As shown in Figure 19-6, the Router functions as the enterprise egress gateway, connects to
PCs and IP phones through downlink interfaces, and connects to the data/IP multimedia
subsystem (IMS) network through an uplink ATM interface and an uplink 3G interface.

Figure 19-6 SPR for wired and wireless convergence


To meet service development requirements, the enterprise wants the Router to transmit both
data and voice services. Because the leased ATM link is unstable, to ensure voice and data
service transmission quality, the enterprise also has the following requirements:
1. The Router can assign IP addresses to PCs and IP phones in the enterprise internal
network.
2. Data traffic and voice traffic have their own backup links to ensure traffic transmission
reliability.
3. Transmission links can be dynamically switched for voice traffic based on the link
latency, jitter, and packet loss ratio to ensure high link quality.
4. Transmission links can be dynamically switched for data traffic based on the link status
to improve transmission reliability.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server function on the Router to assign IP addresses to PCs and IP
phones in the enterprise internal network.
2. To save costs, configure two ATM sub-interfaces as the primary links to transmit data
packets and voice packets respectively.
3. Configure SPR for voice services and configure the delay, jitter, packet loss ratio, and
composite measure indicator (CMI) thresholds as link quality indicators in the SPR
service profile to ensure high reliability for voice services. When the delay, jitter, packet
loss ratio, or CMI of an ATM voice sub-interface does not meet link quality indicators,
traffic is automatically switched to a 3G voice channel interface. When the delay, jitter,
packet loss ratio, and CMI become normal, the Router shuts down the 3G voice channel
interface so that voice services can be switched back to the ATM voice sub-interface.
4. Considering that data services are delay-insensitive, configure association between
interface backup and NQA on the 3G data channel interface to detect the connectivity of
primary links in real time. When the link detection in an NQA test instance fails, data
traffic is switched from an ATM data sub-interface to the 3G data channel interface.
When the link detection succeeds, the 3G data channel interface is set to the standby
state, and then data services are switched back to the ATM data sub-interface.

Data Plan
| Service | Parameter | Description |
|---|---|---|
| DHCP | IP phones: VLAN 20, network segment 10.1.2.0/24, and DNS server address 4.4.4.4; User PCs: VLAN 30, network segment 10.1.3.0/24, and DNS server address 5.5.5.5 | Configure the global address pool. |
| QoS | ACL3000: matches voice packets; DSCP priorities of voice packets: re-marked with expedited forwarding (EF); Maximum allowed bandwidth for the ATM link to transmit voice packets: 120 kbit/s; Maximum allowed bandwidth for the 3G link to transmit voice packets: 128 kbit/s; DSCP priorities of data packets: re-marked with assured forwarding af31 | The enterprise adjusts QoS traffic behavior parameters according to its network plan. |
| ATM (IPoEoA) | ATM0/0/0.1 as a voice channel: VPI/VCI 10/35, VE0/0/1 IP address 1.1.1.1/24; ATM0/0/0.2 as a data channel: VPI/VCI 10/36, VE0/0/2 IP address 2.2.2.2/24 | Enable the outbound NAT function on the ATM sub-interface to translate between the private and public network addresses, and configure the NAT pre-classification function to enable packets sent from an outbound interface to carry the private network IP address used before NAT translation. |
| 3G | Cellular0/0/0:1 as a 3G voice channel interface: dialer number *99***1#, APN imsbackup, and PPP dialup mode; Cellular0/0/0:2 as a 3G data channel interface: dialer number *99***1#, APN webdsl, and wireless wide area network (WWAN) dialup mode | Enable the outbound NAT function on the ATM sub-interface to translate between the private and public network addresses, and configure the NAT pre-classification function to enable the NAT-enabled device to carry the private network IP address used before NAT translation to the outbound interface. Enable association between interface backup and an NQA test instance named data wan_connected_check on the 3G data channel interface. |
| NQA | NQA test instance data wan_connected_check: test type ICMP, destination address 8.8.8.8, probe failure percentage 33%, interval (4 seconds) between packets, probe timeout time 2 seconds, 15 probes, and interval (35 seconds) of automatic NQA tests; NQA test instance degrad voice_linkcheck: test type UDP jitter, destination address 9.9.9.9, destination port number 10000, using the hardware forwarding engine to transmit packets and add timestamps to packets, code type g729a for the simulated voice test, probe packet size 64 bytes, source port VE0/0/1, and interval (900 seconds) of automatic NQA tests; NQA test instance degrad voice_linkcheck_3G: test type UDP jitter, destination address 9.9.9.9, destination port number 10000, using the hardware forwarding engine to transmit packets and add timestamps to packets, code type g729a for the simulated voice test, probe packet size 64 bytes, source port Cellular0/0/0:1, and interval (900 seconds) of automatic NQA tests | The NQA test instance data wan_connected_check is used for association between the 3G data channel interface Cellular0/0/0:2 and NQA; configure Cellular0/0/0:2 as the backup interface of ATM0/0/0.2. Associate the voice wired link ATM0/0/0.1 with the NQA test instance degrad voice_linkcheck, and associate the voice wireless detection link Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G. |
| SPR | SPR switchover period 1200 seconds, flapping suppression period 2400 seconds, delay (600 seconds) after which an interface is automatically shut down when SPR does not select the link of the interface, delay threshold 100, packet loss ratio threshold 30, and jitter threshold 30 | Add VE0/0/1 to the primary link group, and associate VE0/0/1 with the NQA test instance degrad voice_linkcheck. Add Cellular0/0/0:1 to the backup link group, and associate Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G. Configure the thresholds of the delay, jitter, packet loss ratio, and CMI in the SPR service profile as link quality indicators to define link quality. |


Configuration File
#
#
sysname Router
#
dhcp enable // Enable the DHCP function.
#
vlan 20 //Create a VLAN for IP phones.
vlan 30 //Create a VLAN for user PCs.
#
acl 3000 //Configure an ACL to match voice packets, indicating that UDP
packets from network segment 10.1.2.0/24 and with destination port number ranging
from 10000 to 32766 are voice packets.
rule 0 permit udp source 10.1.2.0 0.0.0.255 destination-port range 10000 32766
acl 3001 //Configure an ACL to be referenced by outbound NAT. The ACL defines
the rules for NAT translation.
rule 0 permit ip
#
traffic classifier 3G_voice operator or //Configure a traffic classifier for 3G
voice services.
if-match acl 3000
traffic classifier voice operator or // Configure a traffic classifier for
ATM voice services.
if-match acl 3000
#
traffic behavior voice_behavior //Configure a traffic behavior for ATM
voice services.
remark dscp ef //Configure the device to re-mark the DSCP priorities
of IP packets with EF.
statistic enable
queue ef bandwidth 120 cbs 3000 //Set the maximum allowed bandwidth of ATM
voice traffic to 120 kbit/s.
traffic behavior 3G_voice_behavior //Configure a traffic behavior for 3G
voice services.
remark dscp ef //Configure the device to re-mark the DSCP priorities of
IP packets with EF.
statistic enable
queue ef bandwidth 128 cbs 3200 //Set the maximum allowed bandwidth of 3G voice
traffic to 128 kbit/s.
traffic behavior default_behavior //Configure a traffic behavior for data
services.
remark dscp af31 //Configure the device to re-mark the DSCP priorities of
IP packets with AF31.
statistic enable
#
traffic policy traffic_policy //Configure a traffic policy for ATM services.
classifier voice behavior voice_behavior //Bind the voice traffic classifier to
the traffic behavior.
classifier default-class behavior default_behavior // Bind the data traffic
classifier to the traffic behavior. The data traffic classifier is the system
default traffic classifier default-class.
traffic policy 3G_policy //Configure a traffic policy for 3G services.
classifier 3G_voice behavior 3G_voice_behavior //Bind the voice traffic
classifier to the traffic behavior.
classifier default-class behavior default_behavior //Bind the data traffic
classifier to the traffic behavior. The data traffic classifier is the system
default traffic classifier default-class.
#
ip pool pool_voice //Configure an IP address pool to assign IP addresses
to IP phones.
gateway-list 10.1.2.1
network 10.1.2.0 mask 255.255.255.0 //Set the IP address pool range to
10.1.2.0/24.
lease day 0 hour 0 minute 30 //Set the IP address lease to 30 minutes.
dns-list 4.4.4.4 //Configure the DNS server address 4.4.4.4.
domain-name ims.it //Configure a domain name suffix.
#
ip pool pool_data //Configure an IP address pool to assign IP addresses to
user PCs.

gateway-list 10.1.3.1
network 10.1.3.0 mask 255.255.255.0 //Set the IP address pool range to
10.1.3.0/24.
lease day 5 hour 0 minute 0 //Set the IP address lease to 5 days.
dns-list 5.5.5.5 //Configure the DNS server address 5.5.5.5.
#
interface Vlanif20 //Create VLANIF 20.
description *** VLAN VOICE***
ip address 10.1.2.1 255.255.255.0
dhcp select global //Enable the DHCP server function to assign IP
addresses to clients from the global address pool.
#
interface Vlanif30 //Create VLANIF 30.
description *** VLAN DATA ***
ip address 10.1.3.1 255.255.255.0
dhcp select global //Enable the DHCP server function to assign IP addresses
to clients from the global address pool.
#
interface Cellular0/0/0 //Enter the 3G interface.
link-protocol ppp
traffic-policy 3G_policy outbound //Apply the 3G traffic policy in the outbound
direction of the 3G interface.
multi-apn enable //Enable the multi-APN function.
#
interface Cellular0/0/0:1 //Enter the 3G channel interface numbered 1.
description *** 3G VOICE ***
link-protocol ppp
ip address ppp-negotiate //Obtain IP addresses dynamically through PPP negotiation.
dialer enable-circular //Enable the circular DCC function.
dialer-group 1 //Associate the dialer ACL numbered 1 with the 3G channel interface.
dialer timer idle 20
dialer timer autodial 10 //Set the interval for automatic dialup.
dialer number *99***1# //Configure a dialer number.
qos pre-nat //Enable the NAT pre-classification function.
apn-profile imsbackup //Bind the APN profile to the 3G channel interface.
nat outbound 3001 //Configure the outbound NAT function.
#
interface Cellular0/0/0:2
description *** 3G DATA***
ip address negotiate //Obtain IP addresses dynamically through WWAN negotiation.
dialer enable-circular //Enable the circular DCC function.
dialer-group 1 //Associate the dialer ACL numbered 1 with the 3G channel interface.
dialer timer idle 20
dialer timer autodial 10
dialer number *99***1# //Configure a dialer number.
qos pre-nat //Enable the NAT pre-classification function.
standby track nqa data wan_connected_check //Configure association between interface backup and NQA to monitor the primary link in real time.
apn-profile webdsl //Bind the APN profile to the 3G channel interface.
nat outbound 3001 //Configure the outbound NAT function.
#
interface Atm0/0/0 //Enter the ATM interface.
traffic-policy traffic_policy outbound //Apply the traffic policy in the outbound direction of the ATM interface.
#
interface Atm0/0/0.1 p2p //Enter an ATM sub-interface. The sub-interface transmits voice traffic.
description *** PVC ADSL VOICE ***
pvc 10/35 //Create a PVC with VPI/VCI 10/35.
map bridge Virtual-Ethernet0/0/1 //Reference IPoEoA mapping created on VE0/0/1 in the PVC view.
#
interface Atm0/0/0.2 p2p //Enter the other ATM sub-interface. The sub-interface transmits data traffic.
description *** PVC ADSL DATA***
pvc 10/36 //Create a PVC with VPI/VCI 10/36.
map bridge Virtual-Ethernet0/0/2 //Reference IPoEoA mapping created on VE0/0/2 in the PVC view.
#
interface Virtual-Ethernet0/0/1 //Configure VE0/0/1.
description *** WAN VOICE ***
ip address 1.1.1.1 255.255.255.0
qos pre-nat //Enable the NAT pre-classification function.
nat outbound 3001 //Configure the outbound NAT function.
#
interface Virtual-Ethernet0/0/2 //Configure VE0/0/2.
description *** WAN DATA ***
ip address 2.2.2.2 255.255.255.0
qos pre-nat //Enable the NAT pre-classification function.
nat outbound 3001 //Configure the outbound NAT function.
#
dialer-rule
dialer-rule 1 ip permit //Configure a dialer ACL numbered 1 to allow all IP packets to pass through.
#
apn profile webdsl //Create an APN profile named webdsl (also the APN) for data traffic.
apn profile imsbackup //Create an APN profile named imsbackup (also the APN) for voice traffic.
#
nqa test-instance data wan_connected_check //Create an NQA test instance. This test instance will be referenced by Cellular0/0/0:2 to detect the connectivity of the data primary link ATM0/0/0.2.
test-type icmp //Set the test instance type to ICMP.
destination-address ipv4 8.8.8.8 //Specify the destination address for the NQA test instance.
probe-failtimes 5
fail-percent 33
frequency 30
interval seconds 4
timeout 2
probe-count 5
source-interface Virtual-Ethernet0/0/2 //Configure VE0/0/2 as the source interface for the test instance.
start now
#
nqa test-instance degrad voice_linkcheck //Create an NQA test instance for ATM voice traffic.
test-type jitter //Set the test instance type to Jitter.
destination-address ipv4 9.9.9.9 //Specify the destination address for the NQA test instance.
destination-port 10000
hardware-based enable //Use the hardware forwarding engine on an LPU to transmit packets and add timestamps to packets when performing a Jitter test.
frequency 900
jitter-codec g729a
datasize 64
source-interface Virtual-Ethernet0/0/1 //Configure VE0/0/1 as the source interface for the test instance.
start now
#
nqa test-instance degrad voice_linkcheck_3G //Create an NQA test instance for 3G voice traffic.
test-type jitter //Set the test instance type to Jitter.
destination-address ipv4 9.9.9.9 //Specify the destination address for the NQA test instance.
destination-port 10000
hardware-based enable //Use the hardware forwarding engine on an LPU to transmit packets and add timestamps to packets when performing a Jitter test.
frequency 900
jitter-codec g729a
datasize 64
source-interface Cellular0/0/0:1 //Configure 3G channel interface numbered 1 as the source interface for the test instance.
start now
#
smart-policy-route //Create a smart-policy-route and enter the smart-policy-route view.
period 1200
wtr period hours 2 //Set the SPR switchover period.
route flapping suppression 2400
prober Virtual-Ethernet0/0/1 nqa degrad voice_linkcheck //Configure a detection link in SPR and associate VE0/0/1 with the NQA test instance degrad voice_linkcheck.
prober Cellular0/0/0:1 nqa degrad voice_linkcheck_3G //Configure a detection link in SPR and associate Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G.
standby-interface Cellular0/0/0:1 //Configure the function that automatically shuts down Cellular0/0/0:1 when SPR does not select the link of Cellular0/0/0:1.
standby-limit-time 600
link-group group1 //Create a link group named group1.
link-member Virtual-Ethernet0/0/1 //Add the detection link interface VE0/0/1 to the link group group1.
link-group group2 //Create a link group named group2.
link-member Cellular0/0/0:1 //Add the detection link interface Cellular0/0/0:1 to the link group group2.
service-map voice //Create an SPR service profile and enter the SPR service profile view.
cmi-method d+l+j //Configure the CMI calculation formula. The CMI depends on the link delay, jitter, and packet loss ratio. In the formula, d indicates the delay, j indicates the jitter, and l indicates the packet loss ratio.
match acl 3000 //Bind ACL3000 to the SPR service profile to differentiate voice service traffic.
set delay threshold 100 //Set the delay threshold for services in SPR. When the link delay is larger than the threshold, the link quality is unsatisfactory.
set loss threshold 30 //Set the packet loss ratio threshold for services in SPR. When the link packet loss ratio is larger than the threshold, the link quality is unsatisfactory.
set jitter threshold 30 //Set the jitter threshold for services in SPR. When the link jitter is larger than the threshold, the link quality is unsatisfactory.
set cmi threshold 8840 //Set the CMI threshold. When the CMI is smaller than the threshold, the link CMI is unsatisfactory.
set link-group group1 //Configure group1 as the primary link group.
set link-group group2 backup //Configure group2 as the backup link group.
#
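
Added example (not part of the Huawei document): a Python sketch of how the thresholds in service-map voice classify a probed link and how the primary and backup link groups are chosen. The CMI base of 9000, that is CMI = 9000 - (d + l + j), is an assumption not stated on this page, chosen because it reproduces the configured threshold 8840 from 100 + 30 + 30; the probe values and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds copied from the "service-map voice" stanza above.
DELAY_MAX = 100    # set delay threshold 100
LOSS_MAX = 30      # set loss threshold 30
JITTER_MAX = 30    # set jitter threshold 30
CMI_MIN = 8840     # set cmi threshold 8840
CMI_BASE = 9000    # ASSUMPTION (not on the page): CMI = 9000 - (d + l + j)


@dataclass
class Probe:
    """One NQA jitter result for a link, in the same units as the thresholds."""
    interface: str
    delay: int
    loss: int
    jitter: int


def cmi(p: Probe) -> int:
    """cmi-method d+l+j, subtracted from the assumed base."""
    return CMI_BASE - (p.delay + p.loss + p.jitter)


def violations(p: Probe) -> list:
    """Names of the thresholds this probe result fails."""
    failed = []
    if p.delay > DELAY_MAX:
        failed.append("delay")
    if p.loss > LOSS_MAX:
        failed.append("loss")
    if p.jitter > JITTER_MAX:
        failed.append("jitter")
    if cmi(p) < CMI_MIN:
        failed.append("cmi")
    return failed


def select_link(primary: Probe, backup: Probe):
    """Prefer group1; use group2 only when group1 fails and group2 passes."""
    if not violations(primary):
        return primary.interface
    if not violations(backup):
        return backup.interface
    return None  # both links fail; the page does not describe this case


if __name__ == "__main__":
    # Constructed probe results, not measurements from a real device.
    adsl = Probe("Virtual-Ethernet0/0/1", delay=120, loss=0, jitter=0)
    cell = Probe("Cellular0/0/0:1", delay=60, loss=5, jitter=10)
    print(cmi(adsl), violations(adsl), select_link(adsl, cell))
```

Under this assumption a link can fail a single threshold (delay 120) while its CMI (8880) still passes, so the per-metric thresholds and the CMI threshold are worth reviewing together when tuning failover.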
