Issue V3.2
Date 2019-08-02
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Huawei AR Series Access Routers
CLI-based Typical Configuration Examples
Contents
3 Internet Access
3.1 NAT
3.1.1 Example for Connecting Intranet Users to the Internet in Easy IP Mode
3.1.2 Example for Connecting Intranet Users to the Internet in NAT Address Pool Mode
3.1.3 Example for Configuring NAT to Enable Users to Access the Internet and Provide the WWW Service Externally
3.1.4 Example for Connecting VPN Users to the Internet in NAT Mode
3.1.5 Example for Configuring NAT to Allow the Internal Host and External Host to Access the Internal Server Using an External IP Address
3.1.6 Example for Configuring NAT Static and Outbound NAT to Implement Communication Between Public Network Users and Servers
3.1.7 Example for Configuring NAT and Redirection to Implement Two Egresses and Provide the Web Service
3.1.8 Configuring Internal Users to Access the External Server with an Overlapping IP Address Through NAT
3.1.9 Configuring NAT to Translate Source and Destination IP Addresses Simultaneously
3.2 Bandwidth Management
3.2.1 Example for Preventing P2P Software Download
3.2.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses
4 Building a LAN
4.1 Example for Configuring Layer 3 Link Aggregation to Improve the Link Bandwidth and Reliability
4.2 Example for Configuring VLAN Assignment
4.3 Example for Configuring Sub-interfaces to Implement Inter-VLAN Communication
4.4 Example for Configuring a VLANIF Interface to Implement Inter-VLAN Communication
4.5 Example for Configuring GVRP to Implement Automatic VLAN Registration
4.6 Example for Configuring Transparent Bridging to Implement Communication on the Same Network Segment
4.7 Example for Configuring Transparent Bridging to Implement Communication on Different Network Segments
4.8 Example for Configuring a Transparent Bridge to Transmit QinQ Packets
4.9 Example for Configuring the UDP Helper to Enable Inter-Network Users to Access Each Other Using Host Names
4.10 Example for Configuring the Proxy ARP to Implement Remote Communication of Routers on the Same Subnet
5.10 Example for Configuring an Enterprise to Connect to the Internet Through LTE Links
5.11 Example for Configuring IPoA to Connect a LAN to the Internet
5.12 Example for Configuring IPoEoA to Connect a LAN to the Internet
5.13 Example for Configuring PPPoEoA to Connect Users to the Internet Using PPP
5.14 Example for Configuring PPPoA to Connect Users to the Internet Using PPP
5.15 Example for Configuring PPPoFR to Implement LAN Interconnections
5.16 Example for Configuring an FR Network to Connect LANs Using IP Protocols
5.17 Example for Configuring an MP Group
5.18 Example for Binding PPP Links to a Virtual Template to Implement MP
5.19 Example for Binding User Names to Virtual Interface Templates to Implement MP
5.20 Example for Configuring the Device as a PPPoE Client to Connect the Device to the Internet
5.21 Example for Configuring the Device as a PPPoE Client (IPv6) to Connect the Device to the Internet
5.22 Example for Configuring the Device as a PPPoE Server to Connect Users to the Internet
5.23 Example for Connecting the Router to the Internet Through an External ADSL Modem Using PPPoE
5.24 Example for Connecting the Router to the PSTN Through a Modem (in C-DCC Mode)
5.25 Example for Connecting the Router to the ISDN Through the ISDN PRI Interface (in RS-DCC Mode)
5.26 Example for Configuring HDLC to Implement Interconnections
6.1.15 Example for Configuring Multiple L2TP Instances to Implement Communication Between Branches and the RADIUS Server in the Headquarters
6.1.16 Example for Configuring the LAC Using a 3G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up
6.1.17 Example for Configuring the LAC Using a 4G Interface to Establish an L2TP Tunnel to Communicate with the Headquarters Through Automatic Dial-up
6.1.18 Example for Establishing an L2TP Tunnel to Connect a Mobile Office User to the Headquarters (Android Phone)
6.1.19 Example for Configuring Layer 2 Network Interconnection Between Branches and the Headquarters Through L2TP over Bridge
6.2 GRE
6.2.1 Example for Configuring a GRE Tunnel and Static Routes on the Tunnel to Implement Interworking
6.2.2 Example for Configuring a GRE Tunnel and OSPF on the Tunnel to Implement Interworking
6.2.3 Example for Configuring GRE over GRE to Implement Data Encryption
6.2.4 Example for Configuring IPSec over GRE to Implement Secure Communication Between the Headquarters and Branch
6.2.5 Example for Configuring GRE Tunnels to Implement Communication Between the Headquarters and Branches
6.2.6 Example for Configuring an IPv6 over IPv4 GRE Tunnel
6.3 DSVPN
6.3.1 Example for Configuring DSVPN to Allow Branches to Learn Routes from Each Other and Implement Communication Between the Branches (Applicable When There Are a Small Number of Branches)
6.3.2 Example for Configuring DSVPN to Allow Branches to Learn Only Summarized Routes to the Headquarters and Implement Communication Between the Branches (Applicable When There Are a Large Number of Branches)
6.3.3 Example for Configuring DSVPN to Implement Stable Communication Between the Branches Through Dual Hubs in the Headquarters
6.4 IPSec
6.4.1 Example for Manually Establishing an IPSec Tunnel
6.4.2 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (Without DPD)
6.4.3 Example for Establishing an IPSec Tunnel Between Two Devices Using IKE Negotiation (with DPD)
6.4.4 Example for Establishing an IPSec Tunnel That Traverses NAT Devices
6.4.5 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters to Implement Separate Protection of Multiple Access Resources in the Headquarters
6.4.6 Example for Configuring an IPSec Tunnel for Remote Dial-Up Users to Connect to the Headquarters
6.4.7 Example for Configuring Two Devices to Pass PKI Identity Authentication Before Establishing an IPSec Tunnel
6.4.8 Example for Configuring VRRP in the Headquarters to Allow the Branch to Establish an IPSec Tunnel with the Headquarters Using the VRRP Virtual Address
6.4.9 Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
6.4.10 Example for Configuring the Branch to Access the Internet Through the 3G Interface and Configuring the Headquarters to Establish an IPSec Tunnel with the Branch Using the IPSec Policy Template
6.4.11 Example for Configuring GRE Over IPSec to Implement Communication Between Devices
6.4.12 Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
6.4.13 Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)
6.4.14 Example for Establishing an IPSec over GRE Tunnel Between the Headquarters and Branch (Based on ACL)
6.4.15 Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)
6.4.16 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through IKE Negotiation in Domain Name Mode
6.4.17 Example for Establishing an L2TP over IPSec Tunnel for Employees on a Business Trip to Connect to the Headquarters
6.4.18 Example for Configuring the Headquarters to Manage Branches (Cisco Routers) Using Efficient VPN and Establishing IPSec Tunnels
6.4.19 Example for Configuring the Headquarters (Cisco Router) to Manage Branches Using Efficient VPN and Establishing IPSec Tunnels
6.4.20 Example for Establishing an IPSec Tunnel in Manual and IKE Negotiation Modes
6.4.21 Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group
6.4.22 Example for Configuring IPSec Reverse Route Injection
6.4.23 Example for Implementing QoS Guarantee for Traffic Passing Through the IPSec Tunnel
6.4.24 Example for Configuring the Branch to Access the Internet Using a 4G Interface and Establish an IPSec Tunnel with the Headquarters Using the IPSec Policy Template
6.4.25 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Through Active and Standby Links
6.4.26 Example for Establishing an IPSec Tunnel Between the Branch and Headquarters Using Wired Lines
6.5 BGP/MPLS IP VPN
6.5.1 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices
6.5.2 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between the Branch and Headquarters and Between Branches
6.5.3 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices on a Hierarchical Network
6.5.4 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option A Mode
6.5.5 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option B Mode
6.5.6 Example for Configuring Inter-AS BGP/MPLS IP VPN in Option C Mode
6.5.7 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running IS-IS Between the PEs and CEs)
6.5.8 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running BGP Between the PEs and CEs)
6.5.9 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running OSPF Between the PEs and CEs)
6.5.10 Example for Configuring an OSPF Sham Link to Prevent Traffic Between Users in One VPN of the Same OSPF Area from Being Forwarded Based on the OSPF Intra-Area Routes
6.5.11 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running Static Routes Between the PEs and CEs)
6.5.12 Example for Configuring BGP/MPLS IP VPN to Implement Communication Between Devices (Running RIP Between the PEs and CEs)
6.5.13 Example for Configuring Route Reflection to Optimize the VPN Backbone Layer
6.6 VLL
6.6.1 Example for Configuring Martini VLL to Implement Communication Among Devices
6.6.2 Example for Configuring VLL to Implement Communication over a GRE Tunnel
6.7 PWE3
6.7.1 Example for Configuring E&M Interfaces for Transmitting VHF Services in an ATC Scenario (Dual Link Protection on the Backbone Network)
8 Deploying Routing
8.1 IP Static Route
8.1.1 Example for Configuring IPv4 Static Routes
8.1.2 Example for Configuring NQA for Static IPv4 Routes
8.1.3 Example for Configuring IPv6 Static Routes
8.1.4 Example for Configuring BFD for IPv4 Static Routes
8.1.5 Example for Configuring AR Routers to Be Connected to Layer 3 Switches Through IPv4 Static Routes
8.1.6 Example for Configuring Fixed IP Addresses for Two Outbound Interfaces of IPv4 Static Routes
8.2 RIP
8.2.1 Example for Configuring RIP
8.2.2 Example for Configuring BFD for RIP
8.3 RIPng
8.3.1 Example for Configuring RIPng
8.4 OSPF
8.4.1 Example for Configuring OSPF
8.4.2 Example for Configuring an OSPF Virtual Link
8.4.3 Example for Configuring an OSPF Stub Area
8.4.4 Example for Configuring an OSPF NSSA
8.4.5 Example for Configuring Route Summarization in an OSPF Area
8.4.6 Example for Configuring OSPF to Summarize Imported Routes
8.4.7 Example for Configuring OSPF Route Filtering
8.4.8 Example for Configuring BFD for OSPF
8.5 OSPFv3
8.5.1 Example for Configuring OSPFv3
8.5.2 Example for Configuring Two OSPFv3 Processes for Communication
8.5.3 Example for Configuring OSPFv3 Route Filtering
8.6 IS-IS (IPv4)
8.6.1 Example for Configuring IS-IS Route Leaking
8.6.2 Example for Configuring IS-IS Route Aggregation
8.6.3 Example for Configuring BFD for IS-IS
8.7 IS-IS (IPv6)
8.7.1 Example for Configuring IS-IS IPv6
8.8 BGP
12.2 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 3 Interfaces) (V200R006 and V200R007)
12.3 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 2 Interfaces) (V200R006 and V200R007)
12.4 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 3 Interfaces) (V200R006 and V200R007)
12.5 Example for Configuring Basic WLAN Services on a Large-Scale Network (V200R006 and V200R007)
12.6 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network) (V200R008 and Later Versions)
12.7 Example for Configuring WLAN Services on a Medium-Scale Network (V200R008 and Later Versions)
12.8 Example for Configuring WLAN Services on a Large-Scale Network (V200R008 and Later Versions)
14.5 Example for Configuring Single-hop BFD for Detecting Link Faults
14.6 Example for Configuring Multi-hop BFD for Detecting Link Faults
14.7 Example for Configuring Association Between VRRP Load Balancing and BFD to Fast Switch Services and Detect Uplink Faults
14.8 Example for Configuring VRRP to Implement Gateway Redundancy
14.9 Example for Deploying VRRP to Load Services on the Master and Backup Devices
17 Deploying QoS
17.1 Example for Configuring Traffic Shaping
17.2 Example for Configuring Traffic Shaping to Limit the Rate of Packets Based on Internal IP Addresses
17.3 Example for Configuring Traffic Policing to Limit All Traffic on a Network Segment
17.4 Example for Configuring Traffic Policing to Limit the Rate of Packets from Each IP Address on a Network Segment
17.5 Example for Configuring Congestion Avoidance and Congestion Management
17.6 Example for Preventing BT Download
17.7 Example for Configuring Access Control Based on Source MAC Addresses
17.8 Example for Using Two Egresses to Implement Mutual Access and Redirection
17.9 Example for Configuring a Queue Profile to Implement Congestion Avoidance and Congestion Management
17.10 Example for Configuring CBQ (V200R001C00, V200R001C01, V200R002C00, V200R002C01)
17.11 Example for Configuring CBQ (V200R002C02 and Later Versions)
18.6 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication Enabled to Implement Clock Synchronization
18.7 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled to Implement Clock Synchronization
18.8 Example for Configuring the NTP Multicast Mode to Implement Clock Synchronization
18.9 Example for Configuring Local Port Mirroring to Monitor User Behaviors
19 Comprehensive Cases
19.1 Example for Configuring DHCP and NAT to Enable Users to Dynamically Obtain IP Addresses and Access the Internet
19.2 Associating IPSec with NQA to Implement Rapid Switching Between Active and Standby Peers and Links
19.3 Example for Configuring SPR to Implement Smart Routing on Voice Services
This document is applicable to all product versions. The information in this document is
subject to change without notice. Every effort has been made in the preparation of this
document to ensure the accuracy of the contents, but the statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or
implied.
Intended Audience
This document provides examples for configuring AR router features in typical usage
scenarios.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Security Conventions
• Password setting
– When configuring a password, the cipher text is recommended. To ensure device security, change the password periodically.
– When you configure a password in plain text that starts and ends with %@%@, @%@%, %#%#, or %^%# (the password can be decrypted by the device), the password is displayed in the same manner as the configured one in the configuration file. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.
• Encryption algorithm
Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA, and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security and may bring security risks. If the protocol allows it, using more secure algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended. The choice of encryption algorithm depends on the actual networking. An irreversible algorithm must be used for the administrator password; SHA2 is recommended.
• Personal data
Some personal data may be obtained or used during operation or fault location of your purchased products, services, or features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
Declaration
• This manual is only a reference for you to configure your devices. The contents in the manual, such as web pages, command line syntax, and command outputs, are based on the device conditions in the lab. The manual provides instructions for general scenarios, but does not cover all usage scenarios of all product models. The contents in the manual may differ from your actual device situation due to differences in software versions, models, and configuration files. The manual will not list every possible difference. You should configure your devices according to actual situations.
• The specifications provided in this manual are tested in a lab environment (for example, the tested device has been installed with a certain type of board, or only one protocol is running on the device). Results may differ from the listed specifications when you attempt to obtain the maximum values with multiple functions enabled on the device.
2.1 Deployment
2.2 Logging In to the Device
2.3 Upgrade
2.4 BootROM Menu Operations
2.5 Device Management
2.1 Deployment
Applicability
This example applies to all versions and AR routers.
Networking Requirements
Software engineers do not need to commission devices onsite for device deployment. After
installing a device, you only need to insert the USB flash drive into the USB interface on the
device and power on the device. After being started, the device automatically upgrades
software.
Assume that you need to deploy two routers using the USB flash drive:
• The index file of the USB flash drive is edited at 08:09:10 on June 28, 2011.
• The EMS is offline.
• The first device's ESN is 0000080123456789 and MAC address is 0018-0303-1234.
• The second device's ESN is 6666680123456789 and MAC address is 0018-0303-5678.
• The system software software.cc is in the root directory of the USB flash drive. The version is v1. The first device does not need to load the configuration file, and the second device needs to load the configuration file config.zip.
Procedure
Step 1 Edit the index file USB_AR.ini of the USB flash drive.
To edit the index file on the PC, perform the following operations:
1. Create a text file.
2. Edit the index file in the following format:
BEGIN AR
[USB CONFIG]
SN=20110628.080910
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=0000080123456789
MAC=0018-0303-1234
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=6666680123456789
MAC=0018-0303-5678
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
TYPE2=SYSTEM-CONFIG
FILENAME2=config.zip
END AR
Field Description
Step 4 When the system detects that the USB flash drive is installed, it checks whether the USB flash
drive contains the index file USB_AR.ini. If the index file exists, the system checks the file
validity.
• If the index file does not exist, the ACT indicator on the SRU is off; if the index file exists but is invalid, USB-based deployment fails and the ACT indicator on the SRU is steady red.
• If the index file exists and is valid, USB-based deployment starts and the ACT indicator on the SRU blinks green.
NOTE
After USB-based deployment starts, the system saves the files used for deployment from the USB
flash drive to the default storage medium according to the information in the USB_AR.ini file.
The default storage medium is the flash memory on the AR150&AR160&AR200 and AR1200 and
the SD1 card on the AR2200 and AR3200. Then the system software and configuration file are
specified as the files for next system startup.
# After the device restarts, the system checks whether the USB-based deployment is
successful. If the deployment indicator is steady green, USB-based deployment succeeds.
----End
Configuration Notes
• Files used for USB-based deployment include: index file, system software, configuration file, patch file, voice file, and license file. The index file is mandatory. The other files are optional, but at least one of them must be selected.
• The USB flash drive must support the FAT32 file system and comply with the USB 2.0 interface standards.
• Before storing data on a USB flash drive, disable the write-protection function.
• Before using a USB flash drive to configure a router, ensure that the router is working properly and the flash memory or SD card has sufficient space for the deployment files.
• To ensure compatibility between USB flash drives and devices, use Huawei-certified USB flash drives to configure the devices.
• Only one USB flash drive can be inserted into a device.
• The SN is an identifier used in USB-based deployment, not the device SN. A device has a default deployment identifier. When the USB flash drive contains the .ini file, the device checks whether its existing SN is the same as the SN in the .ini file. If the two SNs differ, USB-based deployment is triggered, and the device starts using the specified deployment files in the USB flash drive. After USB-based deployment succeeds, the existing SN of the device is updated to be the same as the SN in the .ini file.
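The index file layout from Step 1 and the SN rule from the notes above, as an added Python example (this is not Huawei's code and is not part of the original guide). It parses a USB_AR.ini file, applies the consistency checks a validator would reasonably require (DEVICENUM versus [DEVICEn DESCRIPTION] sections, FILENUM versus TYPEn/FILENAMEn pairs, at least one file per device), and decides whether deployment starts for a given device by comparing the stored deployment SN with the SN in the file. The device's actual validity checks are not documented on the page, so those checks, the function names and the sample input are assumptions.

```python
"""Parser and deployment decision for a USB_AR.ini index file.
Added example; not Huawei code. Models the layout and the SN rule the guide
describes; the exact validity checks the device applies are an assumption."""
from dataclasses import dataclass

# Constructed sample: same content as the index file in the procedure above.
SAMPLE_INI = """BEGIN AR
[USB CONFIG]
SN=20110628.080910
EMS_ONLINE_STATE=NO
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=0000080123456789
MAC=0018-0303-1234
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=6666680123456789
MAC=0018-0303-5678
VERSION=v1
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=software.cc
TYPE2=SYSTEM-CONFIG
FILENAME2=config.zip
END AR
"""

@dataclass
class DeviceEntry:
    esn: str
    mac: str
    version: str
    files: list        # [(type, filename), ...]

@dataclass
class IndexFile:
    sn: str            # deployment identifier, not the device serial number
    ems_online: bool
    devices: list

def parse_sections(text):
    """Split the BEGIN AR ... END AR body into {section: {key: value}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "BEGIN AR" or lines[-1] != "END AR":
        raise ValueError("index file must start with BEGIN AR and end with END AR")
    sections, current = {}, None
    for line in lines[1:-1]:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return sections

def load_index(text):
    """Build an IndexFile, enforcing the cross-checks assumed for a valid file."""
    sections = parse_sections(text)
    try:
        cfg, upgrade = sections["USB CONFIG"], sections["UPGRADE INFO"]
        devnum = int(upgrade["DEVICENUM"])
    except KeyError as e:
        raise ValueError(f"missing section or field: {e}") from None
    devices = []
    for n in range(1, devnum + 1):
        sec = sections.get(f"DEVICE{n} DESCRIPTION")
        if sec is None:
            raise ValueError(f"DEVICENUM={devnum} but [DEVICE{n} DESCRIPTION] is missing")
        filenum = int(sec["FILENUM"])
        if filenum < 1:
            raise ValueError(f"device {n}: at least one file must be listed")
        files = []
        for i in range(1, filenum + 1):
            if f"TYPE{i}" not in sec or f"FILENAME{i}" not in sec:
                raise ValueError(f"device {n}: FILENUM={filenum} but TYPE{i}/FILENAME{i} missing")
            files.append((sec[f"TYPE{i}"], sec[f"FILENAME{i}"]))
        devices.append(DeviceEntry(sec["ESN"], sec["MAC"].lower(), sec["VERSION"], files))
    return IndexFile(cfg["SN"], cfg.get("EMS_ONLINE_STATE", "NO").upper() == "YES", devices)

def deployment_plan(index, device_esn, device_mac, stored_sn):
    """Files to deploy on this device, or [] when deployment must not start:
    the stored deployment SN equals the file's SN, or the device is not listed."""
    if stored_sn == index.sn:
        return []
    for d in index.devices:
        if d.esn == device_esn and d.mac == device_mac.lower():
            return list(d.files)
    return []
```

Because the SN comparison is what gates deployment, the same USB flash drive can be left in a device after a successful run without re-triggering: the stored SN is then equal to the file's SN and `deployment_plan` returns an empty list.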
Networking Requirements
When the router is powered on for the first time, log in to the router through the console port
to configure or manage the router. As shown in Figure 2-1, the console port of RouterA
connects to Host A. You need to log in to RouterA through the console port.
Procedure
Step 1 Connect the console port of RouterA to the COM port of Host A using a console cable.
Step 2 Start the terminal emulation software on your PC, create a connection, select the connected
port, and set communication parameters. (The third-party software SecureCRT is used as an
example here.)
2. Set the connected port and communication parameters, as shown in Figure 2-3.
Typically, port COM1 is selected. If you cannot log in to the device through COM1,
connect the PC to another COM port.
Communication parameter settings on the terminal emulation software must be the same
as the default values on the device, which are: 9600 bit/s baud rate, 8 data bits, 1 stop bit,
no parity check, and no flow control.
NOTE
By default, no flow control mode is configured on a switch. Because RTS/CTS is selected in the
software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.
Step 3 Press Enter on the subsequent dialog boxes until the command line prompt of the user view,
such as <Huawei>, is displayed.
# V200R003C01 and earlier versions.
Please configure the login password (maximum length 16)   // Set the password for logging in through the console port. (Only V200R002C01 and later versions display the preceding information.)
Enter Password:
Confirm Password:
Username:admin
Password:
<Huawei>
Info: The entered password is the same as the default. You are advised to change it to ensure security.
You can run commands to configure the router. Enter a question mark (?) whenever you need
help.
NOTE
When you connect to the console port of a router that does not have a startup configuration file, the
system displays "Auto-Config is working. Before configuring the device, stop Auto-Config. If you
perform configurations when Auto-Config is running, the DHCP, routing, DNS, and VTY configurations
will be lost. Do you want to stop Auto-Config? [y/n]:"
• To continue Auto-Config, enter n and press Enter.
• To stop Auto-Config, enter y and press Enter.
If you choose n but still perform configurations through the console port, the DHCP, routing,
DNS, and VTY configurations that you have performed will be lost.
----End
Configuration Notes
The values of Bits per second, Data bits, Parity, Stop bits, and Flow control must be the
same as the default values on RouterA.
Networking Requirements
The console port of RouterA connects to Host A. Users are required to enter the password
when they log in to RouterA through the console port.
Figure 2-4 Configuring authentication for login through the console port
Procedure
Step 1 Configuration of RouterA.
#
user-interface con 0
 authentication-mode password   //Set the authentication mode for users logging in through the console to password authentication.
set authentication password cipher
#
# Run the quit command to disconnect Host A from RouterA. Log in to RouterA from Host A
through the console port again. If the user view is displayed after you enter the password
Huawei@123, the configuration is successful.
----End
Specification
This example applies to all AR models of all versions.
Networking Requirements
After you log in to a device for the first time through the console port, configure basic settings, including the time zone, device name, and management IP address, and configure privilege level 15 and the AAA authentication mode for users who log in remotely through Telnet on VTY user interfaces 0 to 4.
Figure 2-5 Networking diagram for performing basic configurations through the console port
Procedure
Step 1 Log in to the device from PC1 through the console port. For details, see Example for
Configuring First Login Through the Console Port.
Step 2 Configure RouterA.
#
 sysname Server                                      // Configure the device name.
#
 clock timezone BJ add 08:00:00                      // Configure the time zone.
#
aaa
 local-user admin1234 password irreversible-cipher   // Create a local user, set the user name to admin1234 and the password to Helloworld@6789.
 local-user admin1234 privilege level 15             // Set the privilege level of the local user admin1234 to 15. A larger value indicates a higher privilege level.
 local-user admin1234 service-type telnet            // Set the access mode of the local user admin1234 to Telnet.
#
interface GigabitEthernet1/0/0
 ip address 10.137.217.159 255.255.255.0             // Assign an IP address to the interface connected to PC2.
#
 telnet server enable                                // Enable the Telnet server.
 telnet server port 10181                            // Configure the port number for the Telnet server.
#
user-interface vty 0 4                               // Enter the VTY0-VTY4 user interface views.
 authentication-mode aaa                             // Set the authentication mode for the VTY user interfaces to AAA.
#
return
Login authentication
Username:admin1234
Password:
<Server>
----End
Configuration Notes
• You can successfully log in to RouterA only if the user name and password that you enter on PC2 are the same as those configured on RouterA.
• You can successfully log in to RouterA only when you enter the correct IP address and port number.
Networking Requirements
GE1/0/0 of RouterA connects to Host A. Users are required to enter the user name and
password when they log in to RouterA through Telnet.
NOTE
The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is recommended.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0                  //Assign an IP address to the interface connected to Host A.
#
aaa
 local-user huawei password irreversible-cipher     //Create a local user, with the user name huawei and password Hello@123.
 local-user huawei service-type telnet              //Set the access type of the local user huawei to Telnet.
 local-user huawei privilege level 3                //Set the level of the local user huawei to 3.
#
 telnet server enable                               //Enable the Telnet service.
#
user-interface vty 0 4
 authentication-mode aaa                            //Set the authentication mode on VTY user interfaces 0 through 4 to AAA.
#
# Use Telnet to log in to RouterA from Host A. This example uses the telnet command in the command line window provided by the Windows operating system. You can also use third-party Telnet software to log in to RouterA.
C:\Documents and Settings\Administrator> telnet 10.1.1.1
Login authentication
Username:huawei
Password:
<RouterA>
----End
Configuration Notes
You can successfully log in to RouterA only if the user name and password that you enter on
Host A are the same as those configured on RouterA.
Applicability
This example applies to all versions and all AR models except the AR150&160&200 series.
Networking Requirements
In the telecommunication and financial fields, some terminals can be accessed only through a serial port, or cannot be reached over the network using Telnet. The serial port redirection function of the device lets you configure and manage terminals connected to the device through Telnet.
As shown in Figure 2-7, the asynchronous serial port on RouterA connects to the console port
on RouterB. You can log in to RouterB through RouterA from the remote PC in vpna.
RouterA functions as the serial port server and there is a reachable route between the remote
PC and RouterA. You can log in to RouterB connected to RouterA from the remote PC using
the IP address and specified port number.
Procedure
Step 1 Obtain the TTY user interface number corresponding to the asynchronous serial port.
<RouterA> display user-interface
Idx Type Tx/Rx Modem Privi ActualPrivi Auth Int
0 CON 0 9600 - 15 - N -
9 TTY 9 9600 - 0 - N 2/0/0
10 TTY 10 9600 - 0 - N 2/0/1
11 TTY 11 9600 - 0 - N 2/0/2
12 TTY 12 9600 - 0 - N 2/0/3
13 TTY 13 9600 - 0 - N 2/0/4
14 TTY 14 9600 - 0 - N 2/0/5
15 TTY 15 9600 - 0 - N 2/0/6
16 TTY 16 9600 - 0 - N 2/0/7
+ 129 VTY 0 - 15 4 N -
130 VTY 1 - 15 - N -
131 VTY 2 - 15 - N -
132 VTY 3 - 15 - N -
133 VTY 4 - 15 - N -
145 VTY 16 - 0 - P -
146 VTY 17 - 0 - P -
147 VTY 18 - 0 - P -
148 VTY 19 - 0 - P -
149 VTY 20 - 0 - P -
# Use Telnet to log in to RouterB from Host A. This example uses the telnet command in the command line window provided by the Windows operating system. You can also use third-party Telnet software to log in to RouterB.
C:\Documents and Settings\Administrator> telnet 10.1.1.1 2129
Press CTRL_] to quit telnet mode
Trying 10.1.1.1...
Connected to 10.1.1.1...
Login authentication
Password:
<RouterB>
NOTE
• If the redirection function is not associated with the VPN instance for private users, any user on public or private networks can log in to RouterB.
• Press Ctrl+] to return to the interface of HostA.
----End
Configuration Notes
You can successfully log in to RouterB only when you enter the correct IP address and port
number.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
RouterA has the STelnet service enabled and connects to Host A through GE1/0/0. Users are
required to enter the user name and password when they log in to RouterA using STelnet.
NOTE
The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.
Procedure
Step 1 Generate a local key pair on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] rsa local-key-pair create
# Use Secure Shell (SSH) software to connect to RouterA. This example uses the OpenSSH
software.
----End
Configuration Notes
• You can successfully log in to RouterA only if the user name and password that you enter on Host A are the same as those configured on RouterA.
• If the VTY user interfaces are configured to support only SSH, the Router disables the Telnet function.
Networking Requirements
Users securely log in to the device through STelnet. There are reachable routes between
HostA and RouterA functioning as the SSH server, and 10.137.217.159 is the IP address of
the management interface on the SSH server. Configure the login user client001 on the SSH
server and use the account client001 on HostA to log in to the SSH server in RSA
authentication mode.
Figure 2-10 Networking diagram for configuring STelnet login (RSA authentication mode)
NOTE
STelnet V1 has security vulnerabilities. You are advised to log in to the device using STelnet V2.
Procedure
Step 1 Generate a local key pair on HostA.
1. On HostA, run puttygen.exe to generate the public and private key files.
# In Figure 2-11, select SSH-2 RSA and click Generate. You need to move the cursor continuously in the blank area during the generation of the key pair; otherwise, the progress bar stops, and so does the generation of the key pair.
# After the key is generated, click Save public key in the dialog box shown in Figure 2-12 to save the key as the key.pub file.
# Click Save private key in the dialog box in Figure 2-12. In the PuTTYgen Warning dialog box that is displayed, click Yes. The private key is saved as the private.ppk file.
2. Convert the RSA public key in the key.pub file generated by puttygen.exe to .pem encoding, and configure that public key on the server.
# Choose Connection > SSH in the navigation tree. The page shown in Figure 2-15 is displayed. Select 2 under Preferred SSH protocol version.
# Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure 2-16 is displayed. Select the private.ppk file corresponding to the public key configured on the server.
# Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the SSH server. The following information is for reference only.
login as: client001
<SSH Server>
----End
Configuration Notes
• If RSA authentication is used, you need to configure the public key generated by the SSH client on the SSH server. When you log in to the SSH server on the SSH client, the SSH client passes the authentication if the private key of the client matches the configured public key.
• If the VTY user interfaces are configured to support only SSH, the device automatically disables the Telnet function.
Networking Requirements
An AR functions as the SSH server and needs to provide RADIUS authentication for SSH
clients.
When an SSH client attempts to connect to the SSH server, the RADIUS server authenticates
the client and sends the authentication result to the SSH server. The SSH server determines
whether to establish a connection with the SSH client according to the authentication result.
Procedure
Step 1 Generate a local key pair on the SSH server.
<Huawei> system-view
[Huawei] sysname ssh server
[ssh server] rsa local-key-pair create
Step 2 Configure the SSH server. The SSH server configuration varies with the product version, so check the version of your product before configuring the SSH server.
#
user-interface vty 0 4
 authentication-mode aaa                         //Set the authentication mode on VTY user interfaces 0 through 4 to AAA.
 protocol inbound ssh                            //Configure the VTY user interfaces to support only SSH.
#
aaa
 local-user ssh1@ssh.com password cipher %@%@0qu\:lj<uNH#kN5W/e*A_:G#%@%@   //Create a local user, with the user name ssh1@ssh.com and password Huawei@123 (cipher text).
 local-user ssh1@ssh.com privilege level 15      //Set the level of the local user ssh1@ssh.com to 15.
 authentication-scheme newscheme                 //Configure an authentication scheme newscheme.
  authentication-mode radius                     //Set the authentication method to RADIUS authentication.
 domain ssh.com                                  //Configure a domain ssh.com.
  authentication-scheme newscheme                //Apply the authentication scheme newscheme to the domain ssh.com.
  radius-server ssh                              //Apply the RADIUS server template ssh to the domain ssh.com.
#
radius-server template ssh                       //Configure the RADIUS server template ssh.
 radius-server shared-key cipher N`C55QK<`=/Q=^Q`MAF4<1!!   //Set the shared key for the RADIUS server to huawei (cipher text).
 radius-server authentication 10.164.6.49 1812   //Specify the IP address and port number of the RADIUS authentication server.
#
 stelnet server enable                           //Enable STelnet on the SSH server.
#
# Enter the password huawei. If the following information is displayed, you have logged in
successfully.
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 2.
# Run the display radius-server configuration and display ssh server session commands on
the SSH server to view the RADIUS server configuration and the SSH session status. The
command output shows that the SSH client has successfully connected to the SSH server.
[ssh server] display ssh server session
--------------------------------------------------------------------
Conn Ver Encry State Auth-type Username
--------------------------------------------------------------------
VTY 0 2.0 AES run password ssh1@ssh.com
--------------------------------------------------------------------
----End
Configuration Notes
• Specify the user name of the SSH client on the RADIUS server.
• Specify the IP address and key pair of the SSH server on the RADIUS server.
• If the SSH client uses password authentication, only the SSH server needs to generate the Rivest-Shamir-Adleman (RSA) key pair. If the SSH client uses RSA authentication, both the SSH server and client need to generate the RSA key pair. You must specify the public key generated by the SSH client on the SSH server.
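The Security Conventions (irreversible cipher for administrator passwords), the NOTEs recommending STelnet over Telnet, and the "support only SSH" VTY setting used in the RADIUS example above describe a small set of remote-access checks a defender would want to run over a saved configuration. The following is an added Python example, not Huawei's code and not part of this guide: it scans a VRP-style configuration dump for local users created with `password cipher` rather than `password irreversible-cipher`, for `telnet server enable`, and for VTY user interfaces that lack an authentication mode or that still accept Telnet because `protocol inbound ssh` is absent. Both configuration samples are constructed, modelled on the examples on this page; the cipher-text fields are placeholders, not real cipher text, and the finding codes are this example's own.

```python
"""Audit a VRP configuration dump for the remote-access weaknesses this guide's
security conventions and NOTEs call out. Added example; not Huawei code."""
import re

# Constructed weak configuration, modelled on the Telnet login example above.
WEAK_CONFIG = """\
#
 sysname RouterA
#
aaa
 local-user huawei password cipher <placeholder-cipher-text>
 local-user huawei service-type telnet
 local-user huawei privilege level 3
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
#
 telnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
#
return
"""

# Constructed hardened counterpart: irreversible cipher, STelnet, SSH-only VTYs.
HARDENED_CONFIG = """\
#
 sysname RouterA
#
aaa
 local-user huawei password irreversible-cipher <placeholder-cipher-text>
 local-user huawei service-type ssh
 local-user huawei privilege level 3
#
 stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

LOCAL_USER_PW = re.compile(r"^local-user (\S+) password (irreversible-cipher|cipher)\b")

def audit(config_text):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    findings = []
    context = None            # "aaa", a dict for a VTY view, or None
    vtys = []
    telnet_enabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                               # block separator in VRP output
            context = None
        elif line == "aaa":
            context = "aaa"
        elif line.startswith("user-interface vty"):
            context = {"name": line, "auth": None, "protocol": None}
            vtys.append(context)
        elif line.startswith(("interface ", "user-interface ")):
            context = None                            # other views are not audited here
        elif line == "telnet server enable":
            telnet_enabled = True
        elif context == "aaa":
            m = LOCAL_USER_PW.match(line)
            if m and m.group(2) == "cipher":          # reversible cipher text
                findings.append(("REVERSIBLE_PASSWORD",
                                 f"local-user {m.group(1)}: use 'password irreversible-cipher'"))
        elif isinstance(context, dict):
            if line.startswith("authentication-mode "):
                context["auth"] = line.split()[1]
            elif line.startswith("protocol inbound "):
                context["protocol"] = line.split()[2]
    if telnet_enabled:
        findings.append(("TELNET_ENABLED", "plaintext Telnet service; prefer 'stelnet server enable'"))
    for v in vtys:
        if v["auth"] is None:
            findings.append(("VTY_NO_AUTHENTICATION", v["name"]))
        if telnet_enabled and v["protocol"] != "ssh":
            findings.append(("VTY_ACCEPTS_TELNET", f"{v['name']}: add 'protocol inbound ssh'"))
    return findings

def finding_codes(config_text):
    """Just the codes, in the order they were raised."""
    return [code for code, _ in audit(config_text)]
```

The audit deliberately keys on the `#` separators and view names that VRP prints in `display current-configuration`, so it can be fed a saved backup rather than run on the device itself; the hardened sample returns no findings, which is the state the STelnet examples on this page leave the router in.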
When the router or board is faulty, check whether the router or board is installed properly and whether the router or board status is correct.
Run the display health command to check information about the router temperature, power module, fan module, power supply, CPU usage, and storage media.
<Huawei> display health
--------------------------------------------------------------------------------
Slot  Card  Sensor No.  SensorName   Status  Upper  Lower  Temperature(C)
--------------------------------------------------------------------------------
1     -     1           8FE1GE TEMP  NORMAL  75     0      29    //The temperature of the 8FE1GE board in slot 1 is 29°C. The upper temperature alarm threshold is 75°C and the lower temperature alarm threshold is 0°C.
2     -     1           8FE1GE TEMP  NORMAL  75     0      31
5     -     1           8AS TEMP     NORMAL  75     0      30
6     -     1           8FE1GE TEMP  NORMAL  85     0      32
11    -     1           SRU40 TEMP   NORMAL  70     0      38
--------------------------------------------------------------------------
2     8FE1GE  7.366   14
5     8AS     3.968   5
6     8FE1GE  7.366   14
11    SRU40   40.400  94
System CPU Usage Information:
System cpu usage at 2012-04-27 10:27:34 290 ms
-------------------------------------------------------------------------------
SlotID   CPU Usage   Upper Limit
-------------------------------------------------------------------------------
5        2 %         80%    //The CPU usage of the board in slot 5 is 2%. If the CPU usage exceeds 80%, the system generates an overload alarm.
6        4 %         80%
11       8 %         80%
System Memory Usage Information:
System memory usage at 2012-04-27 10:27:34 370 ms
-------------------------------------------------------------------------------
SlotID   Total Memory(MB)   Used Memory(MB)   Used Percentage   Upper Limit
-------------------------------------------------------------------------------
5        176                3                 1 %               95%    //The total memory of the board in slot 5 is 176 MB. The board has used 3 MB of memory. The memory usage is 1%. If the memory usage exceeds 95%, the system generates an alarm.
6        176                20                11%               95%
11       1257               186               14%               95%
System Disk Usage Information:    //Storage medium usage
System disk usage at 2012-04-27 10:27:34 450 ms
-------------------------------------------------------------------------------
SlotID   Device   Total Memory(MB)   Used Memory(MB)   Used Percentage
-------------------------------------------------------------------------------
11       sd1:     1882               874               46%
         flash:   2                  0                 6%
• Check CPU usage statistics.
CPU usage is an important index to evaluate device performance. A high CPU usage will cause service faults, for example, BGP route flapping, frequent VRRP active/standby switchover, and even failed device login.
Run the display cpu-usage command to check CPU usage statistics.
<Huawei> display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage Stat. Time : 2012-04-27 11:34:05   //Last time the CPU usage
_MVIFM          0.0%   0/0        VIFM
_MVCFG          0.0%   0/0        VCFG
_MVRM           0.0%   0/0        VRM
_ME2E           0.0%   0/0        E2E
_MVPM           0.0%   0/0        VPM
_MSIPAPP        0.0%   0/20114    SIPAPP
_MSIPSTACK      0.0%   0/0        SIPSTACK
_MVOLC          0.0%   0/0        VOLC
_MVAM           0.0%   0/0        VAM
_MVSPPDT        0.0%   0/0        VSPPDT
VPR             0.0%   0/0        VPR
_MfXPONDRV      0.0%   0/0        fXPONDRV
_MPBX           0.2%   0/caa8ac   PBX
_MVOIPDRV       0.0%   0/0        VOIPDRV
_MfCWMP         0.0%   0/0        fCWMP                  //CWMP message processing task
_MfFM           0.0%   0/0        fFM
Co0             0.0%   0/29082                           //Serial port task
FTPS            0.2%   0/da751c   FTPS Main task of FTP server
CDR             0.0%   0/19e9
H_IDLE          0.0%   0/0
CFM             0.0%   0/0                               //Configuration recovery task
IC              0.0%   0/ab3bb                           //Information center task
SNMP trap task  0.0%   0/2af632                          //SNMP trap sending task
SNMP_CLIENT_SE  0.0%   0/0
SNMP_CLIENT_RE  0.0%   0/0
SNMP_SERVER_RE  0.0%   0/0
PatTask         0.0%   0/0                               //Patch asynchronous operation processing task
AutoLoadTask    0.0%   0/0                               //Automatic loading task
WebT            0.1%   0/3c0131
SessionAdminTa  0.0%   0/25c681
SessionWorkerT  0.0%   0/1f2c69
WebProxyTask    0.0%   0/228055
VPS             0.0%   0/0        VPS
CMsg            0.0%   0/52b33
NTPT            0.0%   0/28e875                          //NTP task
FM              0.0%   0/11a3a1                          //Fault management task
dcm             0.0%   0/187a77
VSDKS           0.0%   0/0
VSDKDIS         0.0%   0/0
VXET            0.0%   0/0        VXET
3GCT            0.0%   0/0        3GCT
Ecm             0.0%   0/165bb    Ecm
IPCQ            0.1%   0/3f02a5   IPCQ
VP              0.0%   0/0        VP
RPCQ            0.0%   0/30c21    RPCQ
Super           0.3%   0/fdb7e5   Super
PTS             0.2%   0/c3b3bb   PTS
PRIN            0.0%   0/68faa    PRINT-FWD
FAST            0.0%   0/610b1    FAST-FWD
FM_T            0.0%   0/1903     FM_TSK
RTMR            0.1%   0/7ccadf   RTMR
FECD            0.0%   0/42761    FECD Forward Equal Class Develope
VT              0.0%   0/1463b    VT
VSOL            0.0%   0/0        VSOL
TSEV            0.0%   0/2b5352
TCLI            0.0%   0/172a8
TIO             0.0%   0/0
_MfTRACE        0.0%   0/2dc0     fTRACE
tExcTask        0.0%   0/0        tS00
tBspPort        0.2%   0/a8810c   tS01
EHCDI0          0.0%   0/0        tS02
BusM A          0.0%   0/13370a   tS03
EHCDI1          0.0%   0/0        tS04
BusM B          0.0%   0/d356a    tS05
BULK_CLASS_IRP  0.0%   0/0        tS06
tBulkClnt       0.0%   0/0        tS07
usbAcmLib_IRP   0.0%   0/0        tS08
tDcacheUpd      0.0%   0/4f765    tS09
tSd             0.0%   0/6d77     tS0a
TM
SAM             0.0%   0/7d78     SAM
WEB             0.0%   0/0        WEB Web
PTAL            0.0%   0/0        PTAL Portal
ARNS            0.0%   0/353a     ARNS
GVRP            0.0%   0/0        GVRP Protocol          //GVRP management task
SFPM            0.0%   0/427f2    SFPM                   //Optical module management task
ROUT            0.4%   0/14c0a9a  ROUTRoute task         //Routing management task
LSPM            0.0%   0/1c84a    LSPMLsp management     //LSP management task
RSVP            0.0%   0/0        RSVP task              //Multicast routing management task
LDP             0.0%   0/0        LDP task               //LDP management task
CSPF            0.0%   0/1aabd    CSPF task              //CSPF management task
GRES            0.0%   0/0        GRESM task             //Global resource management task
UTSK            0.0%   0/0        UTSK                   //Unified scheduling task
APP             0.0%   0/0        APP                    //VRRP management task
IP              0.0%   0/196bb    IP                     //IP management task
LINK            0.0%   0/79005    LINK                   //Link layer management task
STP             0.2%   0/ba2e4d   STP                    //Loop prevention protocol task
VRPT            0.0%   0/20842    VRPT
HOTT            0.0%   0/0        HOTT                   //Board hot swapping management task
TNQA            0.0%   0/146a99   TNQAC
TTNQ            0.0%   0/0        TTNQAS
TARP            0.0%   0/0        TARPING
TTVP            0.0%   0/0        TTVPLS
L2              0.0%   0/12ee1c   L2                     //Layer 2 module management task
VRRP            0.0%   0/24ff48   VRRP                   //VRRP management task
L2_P            0.0%   0/4d8f1    L2_PR                  //Layer 2 protocol management task
ARP             0.0%   0/0        ARP                    //ARP management task
QXDM            0.0%   0/96c7     QXDM
IFLP            0.0%   0/10db1    IFLP
TickTask443318  0.0%   0/1851f
PKI_KEY         0.0%   0/0
Cell            0.0%   0/3d612    Cell
RMON            0.0%   0/243ab    RMONRemote monitoring  //Remote monitoring task
MNSC            0.1%   0/3fbc02   MNSC                   //Data receiving task
 ftp server enable
#                                                   //Information about the board that is installed recently.
 snmp-agent local-engineid 800007DB0380FB063545B3
 snmp-agent
#                                                   //Interface configuration
interface Ethernet2/0/0
 ip address 2.2.2.2 255.255.255.0
#                                                   //OSPF configuration
ospf 1
 area 0.0.0.0
  network 19.19.19.0 0.0.0.255
#                                                   //Static route configuration
voice
 r2 signalling-type argentina
 r2 signalling-type brazil
 r2 signalling-type mexico
 r2 signalling-type standard
diagnose
return
----End
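The display health output earlier in this section lists, for each slot, a CPU usage and memory usage next to the upper limit at which the guide says the system raises an alarm. The following is an added Python example, not Huawei's code and not part of this guide, that parses the CPU and memory sections of that output as saved text and reports every slot whose usage exceeds its upper limit, so a health dump collected from a router can be checked offline. The sample output is constructed to mirror the page's layout and values, except that the slot 11 CPU figure is raised above its limit to exercise the alarm path; the function names are this example's own.

```python
"""Parse the CPU and memory sections of Huawei AR 'display health' output and
flag slots above their upper limit. Added example; not Huawei code."""
import re

# Constructed sample in the layout of the display health output above; the
# slot 11 CPU usage is deliberately set above its 80% limit.
HEALTH_OUTPUT = """\
System CPU Usage Information:
System cpu usage at 2012-04-27 10:27:34 290 ms
-------------------------------------------------------------------------------
SlotID   CPU Usage   Upper Limit
-------------------------------------------------------------------------------
5        2 %         80%
6        4 %         80%
11       85 %        80%
System Memory Usage Information:
System memory usage at 2012-04-27 10:27:34 370 ms
-------------------------------------------------------------------------------
SlotID   Total Memory(MB)   Used Memory(MB)   Used Percentage   Upper Limit
-------------------------------------------------------------------------------
5        176                3                 1 %               95%
6        176                20                11%               95%
11       1257               186               14%               95%
System Disk Usage Information:
System disk usage at 2012-04-27 10:27:34 450 ms
"""

# Row shapes: the output prints "2 %" and "80%" inconsistently, so allow optional
# whitespace before each percent sign.
CPU_ROW = re.compile(r"^(\d+)\s+(\d+)\s*%\s+(\d+)\s*%$")
MEM_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*%\s+(\d+)\s*%$")

def parse_health(text):
    """Return {"cpu": {slot: (usage, limit)},
               "mem": {slot: (total_mb, used_mb, used_pct, limit)}}."""
    section, cpu, mem = None, {}, {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("System CPU Usage"):
            section = "cpu"
            continue
        if s.startswith("System Memory Usage"):
            section = "mem"
            continue
        if s.startswith("System Disk Usage"):
            section = "disk"            # not parsed in this example
            continue
        if section == "cpu":
            m = CPU_ROW.match(s)
            if m:
                cpu[int(m.group(1))] = (int(m.group(2)), int(m.group(3)))
        elif section == "mem":
            m = MEM_ROW.match(s)
            if m:
                mem[int(m.group(1))] = tuple(int(x) for x in m.groups()[1:])
    return {"cpu": cpu, "mem": mem}

def over_threshold(parsed):
    """List (resource, slot, value, limit) for every slot whose usage exceeds the
    upper limit, the condition under which the guide says an alarm is generated."""
    alerts = []
    for slot, (usage, limit) in sorted(parsed["cpu"].items()):
        if usage > limit:
            alerts.append(("cpu", slot, usage, limit))
    for slot, (_, _, pct, limit) in sorted(parsed["mem"].items()):
        if pct > limit:
            alerts.append(("memory", slot, pct, limit))
    return alerts

def check_health(text):
    """Convenience wrapper: parse a display health dump and return its alerts."""
    return over_threshold(parse_health(text))
```

Feeding the parser the page's own figures (slot 11 at 8%) yields no alerts; the constructed 85% row is what produces the single CPU alert, which is the same condition the comment on the page describes as an overload alarm.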
2.3 Upgrade
Networking Requirements
The management interface of RouterA connects to Host A. You need to use the BootROM
menu on RouterA to download the upgrade system software package to RouterA from an FTP
server.
Figure 2-18 Using the BootROM menu to upgrade a system software package from an FTP
server
Procedure
Step 1 Start the FTP server on Host A.
Step 2 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 3 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
NOTE
The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Step 6 Set Ftp type to 0 (indicating FTP). Then set the management interface's IP address, mask, and
gateway address, and the FTP server's IP address, user name, and password.
NOTE:
Ftp type define: 0(ftp), 1(tftp),
ENTER = no change; '.' = clear;
Ftp type : 0
File name : software.cc
Ethernet ip address : 192.168.200.174
Ethernet ip mask : ffffff00
Gateway ip address :
Ftp host ip address : 192.168.200.1
Ftp user : huawei
Ftp password : **********
Step 7 When the system returns to the network menu, select choice 4 to download the specified
system software package from the FTP server.
Network Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
sd1:/ - Volume is OK
Step 9 After the file is downloaded successfully, return to the main menu and change the startup
configuration.
Network Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return
1. Flash
2. SDCard[1]
0. Return
1. Flash
2. SDCard[1]
0. Return
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
----End
Configuration Notes
Do not perform any operation on the BootROM menu. If required, contact technical support
personnel.
Applicability
This example applies to all versions and routers.
Networking Requirements
The management interface of RouterA connects to Host A. You need to use the BootROM
menu on RouterA to download the upgrade system software package to RouterA from a TFTP
server.
Figure 2-19 Using the BootROM menu to upgrade a system software package from a TFTP
server
Procedure
Step 1 Start the TFTP server on Host A.
Step 2 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 3 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.
NOTE
The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
Step 6 Set Ftp type to 1 (indicating TFTP). Then set the management interface's IP address, mask,
and gateway address, and the TFTP server's IP address. TFTP has no user authentication, so leave
the Ftp user and Ftp password fields empty, as shown below.
NOTE:
Ftp type define: 0(ftp), 1(tftp),
ENTER = no change; '.' = clear;
Ftp type : 1
File name : software.cc
Ethernet ip address : 192.168.200.174
Ethernet ip mask : ffffff00
Gateway ip address :
Ftp host ip address : 192.168.200.1
Ftp user :
Ftp password :
Step 7 When the system returns to the network menu, select choice 4 to download the specified
system software package from the TFTP server.
Network Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
sd1:/ - Volume is OK
Step 9 After the file is downloaded successfully, return to the main menu and change the startup
configuration.
Network Menu
1. Display parameter
2. Modify parameter
3. Save parameter
4. Download file
0. Return
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return
1. Flash
2. SDCard[1]
0. Return
1. Flash
2. SDCard[1]
0. Return
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
5. Set Startup Waiting Time
0. return
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
----End
Configuration Notes
Do not perform any operation in the BootROM menu other than those described in this example. If
further changes are required, contact technical support personnel.
Networking Requirements
The AR router connects to a TFTP server and functions as a TFTP client. You need to
download the new system software package to the router using TFTP to upgrade the router.
Figure 2-20 Using the router as a TFTP client to upgrade the router
Procedure
Step 1 Configure the router.
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface
connected to the TFTP server.
Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: flash:/software.cc
Next startup system software: flash:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: flash:/initcfg.cfg
Next startup saved-configuration file: flash:/initcfg.cfg
Step 3 Download the new system software package, and then check whether the system software
package is successfully downloaded.
<Huawei> tftp 10.1.1.1 get software_new.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
77,582,080 bytes received in 241 seconds.
TFTP: Downloading the file successfully.
<Huawei> dir
Directory of flash:/
----End
Configuration Notes
l Before starting the upgrade, enable the TFTP server on the PC and save the new system
software package on the PC. TFTP provides neither authentication nor encryption, so run the
server only for the duration of the upgrade and only on the segment that connects the router
to the PC.
l After the download, compare the file size shown by dir with the size of the package on the
PC (77,582,080 bytes in this example) before selecting the file for next startup.
l Do not power off the router during the upgrade. Otherwise, the configuration of the router
may be lost. As a result, the router may fail to start.
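The two TFTP downloads above (from the BootROM network menu and with the tftp get command) both rely on the RFC 1350 read-request exchange. The following added example, which is not Huawei code and not part of the original document, implements that exchange in Python: a client that issues a read request in octet mode and acknowledges each 512-byte block, plus an in-process server that stands in for the TFTP server on Host A so the code runs offline. It makes the security point visible: the read request carries only a file name and a mode, so the Ftp user and Ftp password fields really are unused. File names and the 1300-byte "image" are constructed for the demonstration.

```python
"""Minimal RFC 1350 TFTP read client plus an in-process server for offline testing.
Added example, not Huawei code; the in-process server stands in for the TFTP server on Host A."""
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512                      # RFC 1350 data block size; a shorter block ends the transfer


def tftp_get(host, port, filename, timeout=5.0):
    """Fetch `filename` in octet (binary) mode and return its bytes.
    The read request carries only the file name and the mode: TFTP has no
    user name or password, which is why the BootROM menu leaves those fields empty."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(struct.pack("!H", OP_RRQ) + filename.encode() + b"\0octet\0", (host, port))
    chunks, expected, peer = [], 1, None
    try:
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr          # the server replies from a fresh port (its transfer ID)
            elif addr != peer:
                continue             # ignore datagrams from anyone else
            op, num = struct.unpack("!HH", pkt[:4])
            if op == OP_ERROR:
                raise IOError(pkt[4:].split(b"\0", 1)[0].decode(errors="replace"))
            if op == OP_DATA and num == expected - 1:
                sock.sendto(struct.pack("!HH", OP_ACK, num), peer)   # our ACK was lost: repeat it
                continue
            if op != OP_DATA or num != expected:
                continue             # stray or out-of-order block
            chunks.append(pkt[4:])
            sock.sendto(struct.pack("!HH", OP_ACK, num), peer)
            if len(pkt) - 4 < BLOCK:
                return b"".join(chunks)
            expected += 1
    finally:
        sock.close()


def serve_once(files, bind="127.0.0.1"):
    """Answer a single read request for a name in `files` (name -> bytes).
    Returns the ephemeral port the client should send its request to."""
    ctl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ctl.bind((bind, 0))
    port = ctl.getsockname()[1]

    def run():
        pkt, client = ctl.recvfrom(1024)
        ctl.close()
        data_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new port = new TID
        data_sock.settimeout(5.0)
        name = pkt[2:].split(b"\0", 1)[0].decode(errors="replace")
        try:
            if struct.unpack("!H", pkt[:2])[0] != OP_RRQ or name not in files:
                data_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
                return
            data, block = files[name], 1
            while True:
                chunk = data[(block - 1) * BLOCK:block * BLOCK]
                data_sock.sendto(struct.pack("!HH", OP_DATA, block) + chunk, client)
                ack, _ = data_sock.recvfrom(4)
                if struct.unpack("!HH", ack[:4]) != (OP_ACK, block):
                    continue         # wrong or stale ACK: resend the same block
                if len(chunk) < BLOCK:
                    return           # an exact multiple of 512 ends with an empty block
                block += 1
        finally:
            data_sock.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_once({"software.cc": b"\x00\x01" * 650})        # constructed 1300-byte "image"
    image = tftp_get("127.0.0.1", port, "software.cc")
    print(len(image), "bytes received")
```

Run it as a script to see the transfer complete against the built-in server; point tftp_get at a real TFTP server's port 69 to fetch an actual file. Because nothing in the exchange identifies the requester, the only controls available are the ones in the configuration notes: a server that exists only while the upgrade runs, a segment nobody else can reach, and a size check on the received file.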
Networking Requirements
The AR router connects to an FTP server and functions as an FTP client. You need to
download the new system software package to the router using FTP to upgrade the router.
Figure 2-21 Using the router as an FTP client to upgrade the router
Procedure
Step 1 Configure the router.
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface
connected to the FTP server.
Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software.cc
Next startup system software: sd1:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg
Step 3 Download the new system software from the FTP server.
<Huawei> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(192.168.200.1:(none)):huawei
331 Give me your password, please
Enter password:
230 Logged in successfully
[Huawei-ftp]binary
200 Type is Image (Binary)
[Huawei-ftp]get software_new.cc
200 PORT command okay
150 "D:\ftp\software_new.cc" file ready to send (77582080 bytes) in i
mage / Binary mode
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
...............................
226 Transfer finished successfully.
FTP: 77582080 byte(s) received in 152.403 second(s) 509.05Kbyte(s)/sec.
[Huawei-ftp]quit
221 Windows FTP Server (WFTPD, by Texas Imperial Software) says goodbye
<Huawei> dir
Directory of sd1:/
Step 6 Use Telnet to log in to the router and verify the configuration.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software_new.cc
Next startup system software: sd1:/software_new.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg
----End
Configuration Notes
l Before starting the upgrade, enable the FTP server on the PC and save the new system
software package on the PC. FTP sends the user name, password and file contents in clear
text; use a dedicated management connection and disable the FTP account on the PC after
the upgrade.
l Do not power off the router during the upgrade. Otherwise, the configuration of the router
may be lost. As a result, the router may fail to start.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
To upgrade the device, you must upload the system software to the device functioning as an
FTP server.
Figure 2-22 Using the router as an FTP server to upgrade the router
Procedure
Step 1 Configure FTP Server.
#
ftp server enable //Globally enable the FTP server function.
#
aaa
local-user huawei password irreversible-cipher //Create a local user.
local-user huawei privilege level 15 //Specify the FTP user level for the local
user.
local-user huawei ftp-directory sd1: //Specify the FTP working directory for the
local user.
local-user huawei service-type ftp //Set the service type of the local user to
FTP.
#
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the interface
connected to the FTP client.
Step 2 Check the current system software and configuration file used for startup.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software.cc
Next startup system software: sd1:/software.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg
Step 3 Upload the new system software package to the router from the FTP client, as shown in
Figure 2-23.
Figure 2-23 Uploading the new system software package from the FTP client
Step 4 On the FTP server (router), check whether the software package is successfully uploaded.
<Huawei> dir
Directory of sd1:/
Step 7 Use Telnet to log in to the router and verify the configuration.
<Huawei> display startup
MainBoard:
Startup system software: sd1:/software_new.cc
Next startup system software: sd1:/software_new.cc
Backup system software for next startup: null
Startup saved-configuration file: sd1:/initcfg.cfg
Next startup saved-configuration file: sd1:/initcfg.cfg
----End
Configuration Notes
l Do not power off the router during the upgrade. Otherwise, configuration of the router
may be lost. As a result, the router cannot start.
l You must set the FTP working directory. You can use the local-user huawei ftp-directory
command to specify an FTP working directory for the FTP user, or run the set default
ftp-directory command to configure the default FTP working directory.
Specifications
This example applies to all versions and AR routers.
Networking Requirements
The management interface of RouterA connects to the PC. The passwords for logging in
through the console port and Telnet need to be deleted through the BootROM menu.
Figure 2-24 Changing the name of the configuration file for next startup
Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.
NOTE
The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.
Step 3 In the BootROM menu, clear the console port login password or the Telnet login
password using method 1 or method 2 below.
1. Select choice 4 to enter the Startup Select menu.
Main Menu
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
0. return
1. Display Startup
2. Set Boot File
3. Set Config File
4. Startupfile Check Manage
0. return
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
File Menu
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
d. Stop Auto-Config.
In V200R002C00 and earlier versions, the password does not need to be set.
In versions from V200R002C01 to V200R003C01, the following is displayed:
e. Change the renamed configuration file to an executable file. Select one based on the
file format.
<Huawei>rename vrpcfg_cpy.cfg vrpcfg_cpy.bat //When the file extension
is .cfg, you need to rename file as an executable file in .bat extension.
Rename sd1:/vrpcfg_cpy.cfg to sd1:/vrpcfg_cpy.bat? (y/n)[n]:y
Info: Rename file sd1:/vrpcfg_cpy.cfg to sd1:/vrpcfg_cpy.bat ......Done
<Huawei>unzip vrpcfg_cpy.zip vrpcfg_cpy.bat //When the file extension
is .zip, you need to decompress the file into an executable file in .bat
extension.
Extract sd1:/vrpcfg_cpy.zip to sd1:/vrpcfg_cpy.bat? (y/n)[n]:y
100% complete
%Decompressed file sd1:/vrpcfg_cpy.zip sd1:/vrpcfg_cpy.bat.
^
Error: Unrecognized command found at '^' position.
[Huawei]execute vrpcfg_cpy.bat
Information:The script file has been executed completely.
NOTE
If there is failure information about "board add" during the configuration restoration, it is a
normal situation and no action is required.
g. Reset the console port login password and the Telnet login password, and record the
new passwords. The console port login password is set in V200R002C01 and later
versions. Run the save command to save the configuration.
2. Enter 6 to access the Password Manager menu.
Main Menu
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Password Manager
7. Reboot
PassWord Menu
b. Enter 1 to continue the device startup. You can then log in to the device to reset the
Telnet login password and record the password. Run the save command to save the
configuration.
NOTE
Configuring the authentication mode and password for the console user interface is
mandatory; otherwise, after the device is restarted, users still need to be authenticated using
the original password when they log in to the device through the console port.
Main Menu
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
7. Password Manager
----End
Configuration Notes
l While performing these steps, keep the console (serial port) session connected.
Networking Requirements
The console port of RouterA connects to the PC. The file name needs to be changed through
BootROM.
Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.
NOTE
The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
1. Display Startup
2. Set Boot File
3. Set Config File
0. return
1. Flash
2. SDCard[1]
0. Return
----End
Configuration Notes
l Do not enter the BootROM menu to perform operations unless it is necessary. If in doubt,
contact technical support personnel.
l While performing these operations, keep the console (serial port) session connected.
l After modifying the system software package file name, specify the system software
package file with the new file name as the system software package file for next startup.
If the system software package file with the new file name is not specified as the system
software package file for next startup, the system may fail to start.
l After modifying the configuration file name, specify the configuration file with the new
file name as the configuration file for next startup. If the configuration file with the new
file name is not specified as the configuration file for next startup, the system
configuration may be lost.
Specifications
This example applies to all versions and AR routers.
Networking Requirements
The management interface of RouterA connects to the PC. The password used to access the
BootROM menu needs to be changed.
Figure 2-26 Networking diagram of changing the password used to access the BootROM
menu
Procedure
Step 1 Connect a PC to the device with a serial cable and log in to the device through the console
port.
Step 2 Restart the device. When the message "Press Ctrl+B to break auto startup ..." is displayed,
press Ctrl+B and enter the password to display the BootROM main menu.
BIOS Creation Date : Nov 10 2011, 14:41:12
DDR DRAM init : OK
Start Memory Test ? ('t' or 'T' is test):skip
Copying Data : Done
Uncompressing : Done
USB2 Host Stack Initialized.
USB Hub Driver Initialized
USBD Wind River Systems, Inc. 562 Initialized
Octeon Host Controller Initialize......Done.
NOTE
The default password in V200R003C01 and earlier versions is huawei, and the default password in
V200R005C00 and later versions is Admin@huawei.
1. Default Startup
2. Serial Menu
3. Network Menu
4. Startup Select
5. File Manager
6. Reboot
7. Password Manager
----End
Configuration Notes
l Do not enter the BootROM menu to perform operations unless it is necessary. If in doubt,
contact technical support personnel.
l While performing these operations, keep the console (serial port) session connected.
l Keep the BootROM password secure and change it from the default (huawei or Admin@huawei,
depending on the version). Anyone with console access and this password can clear the
console and Telnet login passwords, load a different system software package, or change
the startup files, as the preceding examples show.
Networking Requirements
As shown in Figure 2-27, the router connects to the IP network through Ethernet1/0/0.
The router collects log information and sends logs to the log host.
Procedure
Step 1 Configure the router.
#
info-center channel 6 name loghost1 //Set the name of channel 6 to
loghost1.
info-center source IP channel 6 log level warning //Configure the router to
send logs of the IP module through channel 6 and set the minimum log severity to
warning.
info-center loghost source Ethernet1/0/0 //Configure the source interface that
sends logs.
info-center loghost 10.1.1.1 channel 6 //Configure the router to send logs to a
log host.
#
interface Ethernet1/0/0
ip address 11.1.1.1 255.255.255.0 //Configure an IP address for the router
interface.
#
ip route-static 10.1.1.1 255.255.255.255 Ethernet1/0/0 11.1.1.2 //Configure a
static route between the router and log host and ensure that the route is
reachable.
#
Step 2 Configure the log host. The configuration details are not mentioned here.
# The log host can run the Unix or Linux operating system or run a third party's log software.
# Run the display info-center command on the router to view log host information. The
command output shows that the channel name of the Log host field is loghost1.
----End
Configuration Notes
l After the log severity is set, the router sends only the logs of the same or higher severity,
filtering logs of low severities.
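The severity filter described in the note above (log level warning on channel 6) is applied on the router, but the same test is useful on the log host, both to confirm that only warning-and-above messages from the IP module arrive and to spot lines whose syslog priority disagrees with the severity in the message header. The following added example is not Huawei code and not part of the original document. It assumes the usual info-center line layout, <PRI>timestamp hostname %%NNMODULE/SEVERITY/MNEMONIC(l)[seq]:text, which should be checked against a capture from your own log host; the sample lines, module mnemonics, host name and the UDP port 5514 are constructed for the demonstration.

```python
"""Parse and severity-filter syslog lines as sent by the router to a log host.
Added example (not Huawei code). The message layout assumed here,
<PRI>timestamp hostname %%NNMODULE/SEVERITY/MNEMONIC(l)[seq]:text, follows the usual
info-center output; verify it against your own log host capture."""
import re
import socket

# Syslog severities, index == numeric value; info-center uses the same names.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging"]

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) "
    r"%%\d{2}(?P<module>[A-Z0-9_]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z0-9_]+)\((?P<kind>[a-z])\)"
    r"(?:\[(?P<seq>\d+)\])?:(?P<msg>.*)$"
)

# Constructed sample lines (not captured from a real device). PRI = facility*8 + severity
# with facility local7 (23), so 188 = warning, 189 = notification, 187 = error.
SAMPLE = [
    "<188>Aug  2 10:01:05 2019 Router %%01IP/4/ROUTE_STALE(l)[12]:Constructed warning from the IP module.",
    "<189>Aug  2 10:01:06 2019 Router %%01IP/5/PKT_DROP(l)[13]:Constructed notification, below warning.",
    "<187>Aug  2 10:01:07 2019 Router %%01SHELL/3/LOGINFAIL(l)[14]:Constructed error from another module.",
    "not a syslog line at all",
]


def parse(line):
    """Return a dict of fields, or None if the line does not have the expected layout."""
    m = _LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)
    rec["severity_name"] = SEVERITIES[rec["severity"]]
    rec["sev"] = int(rec["sev"])
    rec["seq"] = int(rec["seq"]) if rec["seq"] is not None else None
    # The PRI and the header both carry the severity; a mismatch means a mangled or forged line.
    rec["consistent"] = rec["sev"] == rec["severity"]
    return rec


def passes_level(rec, minimum="warning"):
    """Mirror `log level warning`: keep records at the threshold severity or more severe."""
    return rec["severity"] <= SEVERITIES.index(minimum)


def filter_lines(lines, minimum="warning", module=None):
    """Apply the per-module severity filter the router applies on channel 6."""
    out = []
    for line in lines:
        rec = parse(line.rstrip("\r\n"))
        if rec is None:
            continue
        if module is not None and rec["module"] != module:
            continue
        if passes_level(rec, minimum):
            out.append(rec)
    return out


def serve(bind="0.0.0.0", port=5514, minimum="warning"):
    """Receive UDP syslog from the router and print records that pass the filter.
    The standard port is 514, which needs root; 5514 is an unprivileged stand-in."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(8192)
        for rec in filter_lines([data.decode("utf-8", "replace")], minimum):
            print(peer[0], rec["severity_name"], rec["module"], rec["mnemonic"], rec["msg"].strip())


if __name__ == "__main__":
    for rec in filter_lines(SAMPLE, "warning", module="IP"):
        print(rec["severity_name"], rec["module"], rec["mnemonic"], rec["msg"])
```

Running the script prints only the warning from the IP module, which is what the router configuration above should deliver; calling serve() instead listens for live messages. Records whose consistent flag is False deserve a look, since syslog over UDP is unauthenticated and nothing stops another host on the path from injecting lines that claim to come from the router.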
Specifications
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 2-28, the router connects to the Internet through Eth1/0/0. There is a
reachable router between the router and the FTP server.
The maintenance personnel want to use the FTP server to view log files generated by the
router so that the maintenance personnel can learn the running status of the router. When the
router is faulty, the maintenance personnel can quickly locate the fault.
Procedure
Step 1 Configure the router.
#
sysname Router
#
info-center source IP channel 9 log level warning //Configure channel 9 to send
logs of the IP module. The log severity is warning.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.0.0 //Configure an IP address for the router
interface.
#
ip route-static 10.1.0.0 255.255.0.0 GigabitEthernet1/0/0 10.2.1.2 //Configure a
static route and ensure that there is a reachable route between the router
and the FTP server.
#
Step 2 Configure the router to transfer the log file to the FTP server.
# Log in to the FTP server.
<Router> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(192.168.1.100:(none)):huawei
331 Give me your password, please
Enter password:
230 Logged in successfully
# Configure the router to transfer the log file to the FTP server (a Micro SD card is used as
an example of the storage device). A plain-text log file can be sent in ASCII mode as shown
below; send compressed (zip) log files in binary mode.
[Router-ftp] put sd1:/logfile/log.log
200 PORT command okay
150 "D:\UPDATE\log.log" file ready to receive in ASCII mode
226 Transfer finished successfully.
FTP: 2761463 byte(s) sent in 26.062 second(s) 105.95Kbyte(s)/sec.
[Router-ftp] quit
----End
Configuration Notes
l By default, the router uses channel 9 to export logs into the log file. You can run the
info-center logfile channel { channel-number | channel-name } command to change the
channel.
l By default, the path for saving log files is as follows (the info-center logfile path path
command can change the path):
– On the AR150&AR160&AR200, log files can be saved only to the flash memory or a
USB flash drive. The default log storage medium is the flash memory.
– On the AR1200, log files can be saved only to a USB flash drive. The default
log storage medium is usb0. If usb0 is unavailable, the default log storage medium
is usb1. If both usb0 and usb1 are unavailable, log files cannot be saved.
– On the AR2200 and AR3200, log files can be saved only to a USB flash drive
or an SD card. The system selects a storage medium in descending order of priority:
sd0, sd1, usb0, and usb1. The default log storage medium is sd0. If sd0 is
unavailable, the default log storage medium is sd1. If none of sd0, sd1, usb0, and
usb1 is available, log files cannot be saved.
l By default, the log file size is 8 MB. You can run the info-center logfile size size
command to set the log file size. When a log file generated on the router reaches
the configured log file size, the system compresses it into a zip file. You can
also run the save logfile command to save log files to the specified path.
l By default, 200 log files are saved. You can run the info-center max-logfile-number
filenumbers command to set the maximum number of log files to be saved. If the number
of log files generated on the router exceeds the limit, the system deletes the oldest log
file so that the number of log files is not larger than the maximum value.
3 Internet Access
3.1 NAT
3.2 Bandwidth Management
3.1 NAT
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 3-1, the IP address of GE0/0/1 (outbound interface) on the router is
1.1.1.2/24, and the IP address of Eth0/0/1 is 192.168.0.1/24. The remote IP address of
GE0/0/1 is 1.1.1.1/24.
The intranet user uses Easy IP to access the Internet through GE0/0/1.
Procedure
Step 1 Configure the router.
#
sysname Router //Set the device name.
#
acl number 2000 //Configure the IP address segment on which IP addresses can be
translated using NAT as 192.168.0.0/24.
rule 5 permit source 192.168.0.0 0.0.0.255
#
interface Ethernet0/0/1
undo portswitch //Switch the interface to Layer 3 mode so that it can carry an IP address.
ip address 192.168.0.1 255.255.255.0 //Configure an IP address for the intranet
gateway.
#
interface GigabitEthernet0/0/1
ip address 1.1.1.2 255.255.255.0
nat outbound 2000 //Configure Easy IP on outbound interface GE0/0/1.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a default route between the
outbound interface to the remote interface and ensure that the route is reachable.
#
Run the display nat outbound command on the router to view the Easy IP configuration of
the outbound interface.
----End
Configuration Notes
l Configure an ACL to determine for which network segment NAT needs to be performed.
l Configure NAT on an outbound interface.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 3-2, the router allows intranet users to access the Internet using IP
addresses in a NAT address pool.
Procedure
Step 1 Configure the Router.
#
vlan batch 100
#
acl number 2000 //Specify the IP address segment on which IP addresses can be
translated using NAT.
rule 5 permit source 192.168.20.0 0.0.0.255
#
nat address-group 1 2.2.2.100 2.2.2.200 //Configure a NAT address pool.
#
interface vlanif100 //Configure an IP address for the intranet gateway.
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 1 //Configure outbound NAT on the outbound
interface.
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 //Configure a default route.
----End
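Both NAT examples above (Easy IP on GE0/0/1 and the address pool on GE3/0/0) select the traffic to translate with a basic ACL written in wildcard-mask notation, where a 1 bit in the wildcard means "ignore this bit", so 0.0.0.255 covers a /24 and a bare 0 demands an exact match. The following added example, which is not Huawei code and not part of the original document, parses the rule lines used in this chapter, evaluates them against a packet, and returns the translated source address: the interface address for Easy IP, or an address from the pool. It goes slightly beyond the two examples by also handling the vpn-instance and destination keywords that later examples use. Two simplifications are assumptions: the pool address is picked by hashing the source instead of the device's dynamic allocation, and a rule without vpn-instance is treated as matching only traffic that is not bound to a VPN instance.

```python
"""Wildcard-mask ACL matching and outbound NAT source selection.
Added example, not Huawei code: it reproduces how the ACLs in these examples select
traffic for translation. Assumptions: the pool pick is a deterministic stand-in for the
device's dynamic allocation, and a rule without vpn-instance matches only public traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def ip_int(text):
    """Dotted quad to int; the CLI allows a bare 0 as shorthand for 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class Rule:
    number: int
    action: str                                     # permit or deny
    source: Optional[Tuple[str, str]] = None        # (base, wildcard); None means any
    dest: Optional[Tuple[str, str]] = None
    vpn_instance: Optional[str] = None


def parse_rule(text):
    """Parse 'rule N permit [ip] [vpn-instance X] source A W [destination B W]'."""
    tok = text.split()
    if tok[0] != "rule":
        raise ValueError(text)
    rule = Rule(number=int(tok[1]), action=tok[2])
    i = 3
    while i < len(tok):
        if tok[i] == "ip":
            i += 1
        elif tok[i] == "vpn-instance":
            rule.vpn_instance = tok[i + 1]
            i += 2
        elif tok[i] in ("source", "destination"):
            key = tok[i]
            if tok[i + 1] == "any":
                value, i = None, i + 2
            else:
                value, i = (tok[i + 1], tok[i + 2]), i + 3
            setattr(rule, "dest" if key == "destination" else "source", value)
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {text!r}")
    return rule


def acl_lookup(rules, src, dst=None, vpn=None):
    """First rule (by number) matching the packet, or None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.vpn_instance != vpn:
            continue
        if rule.source and not wildcard_match(src, *rule.source):
            continue
        if rule.dest and (dst is None or not wildcard_match(dst, *rule.dest)):
            continue
        return rule
    return None


def nat_outbound(src, dst, rules, interface_ip, address_group=None, vpn=None):
    """Translated source address for a packet leaving the NAT interface.
    No matching permit rule: the packet is forwarded untranslated. Easy IP
    (no address-group) uses the interface address; a pool yields one of its addresses."""
    rule = acl_lookup(rules, src, dst, vpn)
    if rule is None or rule.action != "permit":
        return src
    if address_group is None:
        return interface_ip
    low, high = ip_int(address_group[0]), ip_int(address_group[1])
    return str(ipaddress.IPv4Address(low + ip_int(src) % (high - low + 1)))


if __name__ == "__main__":
    easy_ip = [parse_rule("rule 5 permit source 192.168.0.0 0.0.0.255")]
    for host in ("192.168.0.10", "10.0.0.5"):
        print(host, "->", nat_outbound(host, "8.8.8.8", easy_ip, "1.1.1.2"))
```

Running the script shows 192.168.0.10 leaving as 1.1.1.2 while 10.0.0.5, which matches no rule, leaves untranslated. That second line is the check worth running against any NAT ACL before deploying it: a source range that is too narrow silently leaks private addresses onto the outbound interface, and one that is too wide (rule 5 permit source any) translates every packet that exits, including traffic you did not intend to hide.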
Networking Requirements
As shown in Figure 3-3, the router uses NAT to translate private IP addresses of intranet users
and provides the WWW service to Internet users.
Procedure
Step 1 Configure the Router.
#
vlan batch 100
#
acl number 2000 //Specify the IP address segment on which IP addresses can be
translated using NAT.
rule 5 permit source 192.168.20.0 0.0.0.255
#
interface vlanif100 //Configure an IP address for the intranet gateway.
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type access
port default vlan 100
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 1 //Configure outbound NAT on the outbound
interface.
nat static protocol tcp global 2.2.2.103 www inside 192.168.20.2 8080 //
Configure the WWW service on the intranet server at 192.168.20.2 on the outbound
interface.
#
nat address-group 1 2.2.2.100 2.2.2.200 //Configure a NAT address pool.
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 //Configure a default route.
----End
Networking Requirements
As shown in Figure 3-4, the router connects to two VPN instances, VPN A and VPN B. The
remote IP address of GE0/0/0 connecting the router to the Internet is 1.1.1.2/24. VPN A and
VPN B are required to access the Internet using NAT.
Procedure
Step 1 Configure the router.
#
ip vpn-instance vpna //Configure VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Configure VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
acl number 2000 //Configure ACL 2000 bound to outbound NAT.
rule 5 permit vpn-instance vpna source 192.168.1.0 0.0.0.255
rule 10 permit vpn-instance vpnb source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0 //Specify the outbound interface of the router.
ip address 1.1.1.1 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/1 //Specify the interface bound to VPN instance
vpna.
ip binding vpn-instance vpna
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2 //Specify the interface bound to VPN instance
vpnb.
ip binding vpn-instance vpnb
ip address 172.16.2.1 255.255.255.0
#
ip route-static 192.168.1.0 255.255.255.0 vpn-instance vpna 172.16.1.2 //
Configure a static route from the Internet to hosts in VPN instance vpna, and set
the next hop to CE1.
ip route-static 192.168.2.0 255.255.255.0 vpn-instance vpnb 172.16.2.2 //
Configure a static route from the Internet to hosts in VPN instance vpnb, and set
the next hop to CE2.
----End
Configuration Notes
l Specify a VPN instance when configuring ACLs for NAT.
l Configure both the route from a VPN instance to the Internet and a route from the
Internet to the VPN instance.
l CE configuration is not mentioned in this configuration example. You can configure the
CE according to networking requirements.
Networking Requirements
As shown in Figure 3-5, GE1/0/0 on the router connects to the internal network and its IP
address is 192.168.1.1/24. GE2/0/0 on the router connects to the external network and its IP
address is 11.11.11.1/8. The internal server has an internal IP address 192.168.1.2/24 and an
external IP address 11.11.11.6. The internal host at 192.168.1.3/24 wants to access the internal
server.
The internal host and external host are required to use external IP address 11.11.11.6 to access
the internal server.
Procedure
Step 1 Configure the router.
#
acl number 3000 //Configure an ACL rule to allow packets with source address
192.168.1.0 and destination address of 11.11.11.6.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 //
Configure one-to-one NAT between public address 11.11.11.6 and private address
192.168.1.2.
nat outbound 3000 //Configure Easy IP that uses IP address of GE1/0/0 as the
translated IP address. This ensures that packets exchanged between internal
servers and hosts are forwarded by the router.
#
interface GigabitEthernet2/0/0
ip address 11.11.11.1 255.0.0.0
nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255 //
Ensure that external users can use IP address 11.11.11.6 to access servers.
#
ip route-static 0.0.0.0 0.0.0.0 11.11.11.2 //Configure a default route to ensure
that internal users can connect to external
networks.
#
return
----End
Configuration Notes
l Configure an ACL to determine for which network segment NAT needs to be performed.
l On the Layer 2 interface card of the AR2220, AR2240, AR2240C, AR3200 series, 3600
series, NAT needs to be configured on the VLANIF interface. In this case, run the set
NOTE
In V200R008C00 and later versions, if the NAT ALG function is configured, change the destination address
in ACL 3000 to the intranet address of the server: rule 5 permit ip source 192.168.1.0 0.0.0.255 destination
192.168.1.2 0.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 3-6, an FTP server is deployed on the Internet and the router functions as
the enterprise egress gateway. To ensure security, the enterprise requires that service traffic
between public network users and the FTP server be forwarded through the router, so that
neither the public network users nor the server can see the real IP address of the other side.
Figure 3-6 Networking for configuring NAT static and outbound NAT to implement
communication between public network users and servers
Procedure
Step 1 Configure the router.
#
sysname Router
#
acl number 2000
rule 5 permit source any
#
interface GigabitEthernet1/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 //Configure outbound NAT and map the actual IP address of the
user to the IP address of GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 1.1.1.1 255.255.255.0
nat static global current-interface inside 2.2.2.2 //Configure NAT static and
map the actual IP address of the FTP server to the IP address of GE2/0/0.
#
return
Total : 1
----End
Networking Requirements
As shown in Figure 3-7, the router connects to a campus network through GE1/0/0, to an
education network through GE2/0/0, and to the Internet through GE3/0/0. Intranet users
access the education network through GE2/0/0 and access the Internet through GE3/0/0 along
the default route.
The campus network server provides the web service for intranet and extranet users. The
server's private IP address is 192.168.1.2/24, domain name is www.test.edu.cn, and public IP
address is 1.1.1.6. Internet users and campus network users need to access the server using the
domain name www.test.edu.cn or public IP address 1.1.1.6 and campus network users access
the Internet and education network using NAT. The remote IP addresses of GE2/0/0 and
GE3/0/0 are 1.1.1.2/24 and 2.2.2.2/24.
As required by network plan, Internet users must access the education network through a
dedicated channel. Therefore, extranet users (including education network users and Internet
users) access the campus network through GE2/0/0. Packets with an IP address (1.1.1.6/24 for
example) on the education network as the source IP address will be discarded by the carrier if
they are sent out through GE3/0/0.
Procedure
Step 1 Configure the Router.
#
acl number 2000 //Configure an ACL rule to allow campus network users on the network segment 192.168.1.0/24 to access the Internet.
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3000 //Configure an ACL rule to allow campus network users to access the campus network server using 1.1.1.6. NAT is performed on GE1/0/0 only when intranet hosts initiate access requests.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 1.1.1.6 0
#
acl number 3001 //Configure an ACL rule to prevent the data flows from the campus network server to campus network hosts from being redirected to the education network egress.
rule 5 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255
#
acl number 3003 //Configure an ACL rule to redirect the data flows from the campus network server to users outside the campus network to the education network egress.
rule 10 permit ip source 192.168.1.2 0
#
traffic classifier permitover operator or //Define the data flows that do not need to be redirected.
if-match acl 3001
traffic classifier redirectover operator or //Define the data flows that need to be redirected.
if-match acl 3003
#
traffic behavior permitover //Define the traffic behavior named permitover, whose action is permit.
traffic behavior redirectover //Define the traffic behavior named redirectover, whose action is redirect.
redirect ip-nexthop 1.1.1.2 //Redirect the data flows from the campus network server to users outside the campus network to the education network egress.
#
traffic policy redirect //Bind the traffic behaviors to the traffic policy.
classifier permitover behavior permitover //First check whether a data flow is sent from the campus network server to campus network users; if so, forward it normally.
classifier redirectover behavior redirectover //Otherwise, redirect data flows from the campus network server to users outside the campus network to the education network egress.
#
nat alg dns enable //Enable NAT ALG for DNS.
#
nat dns-map www.test.edu.cn 1.1.1.6 80 tcp //Configure DNS mapping so that the DNS resolution result is converted to the campus network server's address.
#
nat address-group 0 2.2.2.50 2.2.2.100 //Configure the NAT address pool used for access to non-education network addresses.
nat address-group 1 1.1.1.50 1.1.1.100 //Configure the NAT address pool used for access to education network addresses.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
traffic-policy redirect inbound //Apply the redirect policy to data flows arriving on GE1/0/0.
nat static global 1.1.1.6 inside 192.168.1.2 netmask 255.255.255.255 //Perform static NAT when campus network users use 1.1.1.6 to access the campus network server.
nat outbound 3000 //Perform Easy IP when campus network users use 1.1.1.6 to access the campus network server: the source address is changed to GE1/0/0's address so that the traffic exchanged between the campus network server and users is forwarded by the router.
#
interface GigabitEthernet2/0/0
ip address 1.1.1.1 255.255.255.0
nat static global 1.1.1.6 inside 192.168.1.2 netmask 255.255.255.255 //Configure static NAT on the education network egress.
nat outbound 2000 address-group 1 //Perform NAT when campus network users access the education network.
#
interface GigabitEthernet3/0/0
ip address 2.2.2.1 255.255.255.0
nat outbound 2000 address-group 0 //Perform NAT when campus network users access the non-education network.
#
Configuration Notes
• When configuring policy-based routing, ensure that traffic from the campus network server to the Internet is sent out through the education network egress. If it is sent out through GE3/0/0 instead, the carrier discards it because its source address belongs to the education network.
• When binding traffic behaviors to the traffic policy, configure the router to first check whether a data flow is sent from the campus network server to campus network users. If so, the flow must not be redirected; otherwise, it must be redirected to the education network egress.
• Configure NAT ALG according to the service that the campus network server provides. In this example, the campus network server provides common web services. Therefore, NAT ALG is enabled for DNS so that campus network users can access the Internet and education network using the domain name.
• In this example, static NAT and outbound NAT are both configured on GE1/0/0 to allow campus network users to use the public IP address 1.1.1.6 to access the campus network server.
When a campus network user (192.168.1.3, for example) uses the server's public IP address to access the server, the router translates the destination IP address of the received HTTP request packet into the server's private IP address (changing <192.168.1.3,1.1.1.6> to <192.168.1.3,192.168.1.2>) and then sends the HTTP request packet to the campus network server. With static NAT alone, the server would send its HTTP response directly to 192.168.1.3 on the same network segment, bypassing the router. The user would then receive a response from 192.168.1.2 rather than from 1.1.1.6, the address it sent the request to, and the access would fail. To ensure that the campus network user can access the campus network server, the router must also translate the source IP address of the server's HTTP response packet into the public IP address 1.1.1.6 before sending the response to the user. When Easy IP is configured on GE1/0/0, the router changes the source IP address of the HTTP request packet from the campus network user to the IP address of GE1/0/0 (changing <192.168.1.3,192.168.1.2> to <192.168.1.1,192.168.1.2>) and then sends the packet to the campus network server. The server therefore sends its HTTP response packet with GE1/0/0's IP address as the destination address, so the response returns to the router. The router searches the NAT mapping table and changes the source and destination addresses of the packet (<192.168.1.2,192.168.1.1>) to the server's public IP address and the user's IP address (<1.1.1.6,192.168.1.3>). The user receives an HTTP response packet with the source IP address 1.1.1.6 and can access the server properly.
• When binding traffic behaviors to the traffic policy, bind traffic behavior permitover first and then traffic behavior redirectover. Data flows from the campus network server to campus network users are not redirected, while data flows from the campus network server to users outside the campus network must be redirected to GE2/0/0.
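The hairpin case described in the notes above, worked through in Python as an added example (not Huawei's code): it applies the example's ACLs, static NAT, Easy IP and the redirect policy to constructed <source,destination> tuples, so the two cases (GE1/0/0 with and without Easy IP) can be compared. The processing order (the ACL is checked before any address is rewritten, permitover is evaluated before redirectover) and the constructed Internet address 203.0.113.10 are assumptions of the model.

```python
"""Model of the GE1/0/0 hairpin NAT and redirect policy from the example above.

Added example, not Huawei code. Addresses are the ones used in the example;
the processing order is a modelling assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_PRIVATE = "192.168.1.2"
SERVER_PUBLIC = "1.1.1.6"
GE1_ADDR = "192.168.1.1"          # Easy IP translates to the interface address
CAMPUS_NET = ip_network("192.168.1.0/24")
EDU_NEXTHOP = "1.1.1.2"           # redirect ip-nexthop in behavior redirectover
INTERNET_HOST = "203.0.113.10"    # constructed address outside the campus


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

    def __str__(self) -> str:
        return f"<{self.src},{self.dst}>"


def acl_3000(p: Packet) -> bool:
    """rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 1.1.1.6 0"""
    return ip_address(p.src) in CAMPUS_NET and p.dst == SERVER_PUBLIC


def acl_3001(p: Packet) -> bool:
    """rule 5 permit ip source 192.168.1.2 0 destination 192.168.1.0 0.0.0.255"""
    return p.src == SERVER_PRIVATE and ip_address(p.dst) in CAMPUS_NET


def acl_3003(p: Packet) -> bool:
    """rule 10 permit ip source 192.168.1.2 0"""
    return p.src == SERVER_PRIVATE


def policy_redirect(p: Packet) -> str:
    """traffic policy redirect, inbound on GE1/0/0. Classifiers are evaluated in
    binding order, so permitover wins for server-to-campus flows."""
    if acl_3001(p):
        return "forward"          # behavior permitover
    if acl_3003(p):
        return EDU_NEXTHOP        # behavior redirectover
    return "forward"


class Ge1Inbound:
    """NAT processing on GE1/0/0 for traffic arriving from the campus LAN."""

    def __init__(self, easy_ip: bool):
        self.easy_ip = easy_ip
        self.sessions = {}        # (translated src, dst) -> original user address

    def translate_request(self, p: Packet) -> Packet:
        matched = acl_3000(p)     # assumption: ACL sees the packet as received
        if p.dst == SERVER_PUBLIC:            # nat static global 1.1.1.6 inside 192.168.1.2
            p = Packet(p.src, SERVER_PRIVATE)
        if self.easy_ip and matched:          # nat outbound 3000 (Easy IP)
            self.sessions[(GE1_ADDR, p.dst)] = p.src
            p = Packet(GE1_ADDR, p.dst)
        return p

    def translate_reply(self, p: Packet) -> Packet:
        user = self.sessions.get((p.dst, p.src))
        if user is None:
            return p                          # no session: passed unchanged
        return Packet(SERVER_PUBLIC, user)    # restore <1.1.1.6, user>


def reply_path(server_reply: Packet) -> str:
    """The server sits on 192.168.1.0/24: a reply to another campus address
    never reaches the router; a reply to the router's own address does."""
    if server_reply.dst == GE1_ADDR:
        return "via router"
    if ip_address(server_reply.dst) in CAMPUS_NET:
        return "direct on LAN"
    return "via router"


def walk(easy_ip: bool, user: str = "192.168.1.3") -> dict:
    """Carry one HTTP request/response pair through the example's steps."""
    ge1 = Ge1Inbound(easy_ip)
    req = ge1.translate_request(Packet(user, SERVER_PUBLIC))
    reply = Packet(req.dst, req.src)          # the server answers what it saw
    path = reply_path(reply)
    seen = ge1.translate_reply(reply) if path == "via router" else reply
    return {"request": str(req), "reply_path": path, "user_sees_src": seen.src,
            "ok": seen.src == SERVER_PUBLIC and seen.dst == user}


if __name__ == "__main__":
    for mode in (False, True):
        print("easy_ip =", mode, walk(mode))
    print("server -> Internet next hop:",
          policy_redirect(Packet(SERVER_PRIVATE, INTERNET_HOST)))
```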
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 3-8, the router functions as the gateway of a company, and the internal
network segment has overlapping IP addresses with the network segment where the external
WWW server resides. The company has two public network addresses: 1.1.1.13 and 1.1.1.14.
The company requires that internal users access the WWW server using a domain name.
Procedure
Step 1 Configure the router.
#
acl number 2001
rule 5 permit ip source 192.168.1.0 0.0.0.255 //Allow only users on the specified network segment to access the external network.
#
nat alg dns enable //Enable the NAT application level gateway (ALG) function for DNS.
#
nat address-group 1 1.1.1.13 1.1.1.14 //Configure a NAT address pool.
#
nat overlap-address 0 192.168.1.2 2.2.2.100 pool-length 10 //Configure the mapping between the overlapping address pool and the temporary address pool.
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
nat outbound 2001 address-group 1 //Configure outbound NAT on
----End
Networking Requirements
As shown in Figure 3-9, the router functions as the gateway of a company, and the FTP server is an internal server. The company requires that external users can access the internal FTP server and that, by translating the public source addresses of external users, the internal network does not need to import routes to the external network.
Procedure
Step 1 Configure the router.
#
acl number 3000
rule 5 permit ip source 2.2.2.0 0.0.0.255 //Allow only users on the specified network segment to access the internal server.
#
nat alg ftp enable //Enable the NAT application level gateway (ALG) function for FTP.
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
nat outbound 3000 //Configure outbound NAT to translate the source IP address used when external users access the internal network, so that the internal network does not need to import routes to the external network.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
nat server protocol tcp global 1.1.1.3 ftp inside 192.168.1.2 ftp //Configure the NAT server function on the outbound interface so that external users can access the internal server.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route so that the next-hop address of packets from the internal network to the external network is 1.1.1.2.
#
return
# Run the display nat server command on the router to check NAT server information.
# Run the display nat outbound command on the router to check outbound NAT
information.
----End
Applicability
This example applies to all AR models of V200R002C00 and later versions.
NOTE
The SAC function is used with a license. To use the SAC function, apply for and purchase the license from
the Huawei local office.
Networking Requirements
Enterprise users connect to Eth2/0/0 of RouterA through the switch. GE1/0/0 on RouterA
connects to the WAN. Download through P2P software such as BT, Thunder, and eMule
needs to be prevented to ensure proper use of enterprise network bandwidth.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20
#
sac enable signature sd1:/sacrule.dat //V200R005 and V200R006: Enable SAC and load the signature file sacrule.dat.
engine enable //V200R007, V200R008, V200R009, V200R010, V300R003 and V300R019: Enable the deep security function.
#
update restore sdb-default sa-sdb //Restore the signature database to the factory default version.
#
sac protocol-group p2p-group //V200R005 and V200R006: Configure bittorrent, thunder, and emule in the SAC group p2p-group.
app-protocol bittorrent
app-protocol thunder
app-protocol emule
#
traffic classifier c1 operator or
if-match protocol-group p2p-group //V200R005 and V200R006: Configure a matching rule for traffic classification based on the SAC group p2p-group.
if-match category FileShare_P2P //V200R007, V200R008, V200R009, V200R010, V300R003 and V300R019: Configure a matching rule in the traffic classifier based on the SA category FileShare_P2P.
#
traffic behavior b1
deny //Configure the deny action for matching packets.
#
traffic policy p1
classifier c1 behavior b1 //Create a traffic policy named p1 and bind the traffic classifier c1 and traffic behavior b1 to it.
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
sac protocol-statistic enable //V200R005 and V200R006: Enable SAC-based traffic statistics on VLANIF 20.
sa application-statistic enable //V200R007, V200R008, V200R009, V200R010, V300R003 and V300R019: Enable SA-based traffic statistics on VLANIF 20.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction of VLANIF 20.
#
interface GigabitEthernet1/0/0
ip address 192.168.4.1 255.255.255.0
sac protocol-statistic enable //V200R005 and V200R006: Enable SAC-based traffic statistics on GE1/0/0.
sa application-statistic enable //V200R007, V200R008, V200R009, V200R010, V300R003 and V300R019: Enable SA-based traffic statistics on GE1/0/0.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction of GE1/0/0.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
return
# Run the display sac protocol-statistic command to check packet statistics based on the
SAC group p2p-group on VLANIF 20 and GE1/0/0.
# Run the display sa application-statistic command to check packet statistics based on the
SA application protocols on VLANIF 20 and GE1/0/0.
----End
Applicability
This example applies to all versions and AR routers.
Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access the server on 222.1.1.1/24 through RouterA. The rate of
packets from enterprise devices on 192.168.10.0/24 to the server needs to be limited to 64
kbit/s.
Figure 3-11 Networking for limiting the rate of packets based on internal IP addresses
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets from 192.168.10.0/24 to pass through.
rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets from 192.168.20.0/24 to pass through.
acl number 3002 //Configure ACL 3002.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets from 192.168.10.0/24 to pass through.
#
qos queue-profile limit //Create a queue profile named limit.
queue 3 gts cir 64 cbs 1600 //Set the CIR of queue 3 to 64 kbit/s.
#
traffic classifier c1 operator or
if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b1
remark local-precedence af3 //Configure traffic behavior b1: re-mark packets matching the traffic classifier with AF3. When permit or deny is not specified, the permit action is taken by default.
#
traffic policy p1
classifier c1 behavior b1 //Configure a traffic policy named p1, and bind traffic classifier c1 to traffic behavior b1 in the traffic policy.
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk //Configure the link type of the interface as trunk.
port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction on the interface.
#
interface GigabitEthernet3/0/0
ip address 222.0.1.1 255.255.255.0
qos queue-profile limit //Apply the queue profile limit to the interface.
nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.0.1.2
#
----End
Configuration Notes
• On the switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to the service VLANs of the users.
• Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to the service VLANs.
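The shaping chain of this example (ACL 3002, re-mark to AF3, queue 3, GTS with CIR 64 kbit/s and CBS 1600 bytes) modelled in Python as an added example, not code from the original document. It assumes GTS behaves as a single token bucket, that AF3 maps to queue 3 (the default local-precedence-to-queue mapping) and that the other queues are unshaped; it constructs a burst of eight 500-byte packets to show that the first three leave at once and the rest are paced at 8000 bytes per second.

```python
"""Token-bucket model of the GTS shaping in the example above (added example,
not Huawei code). Fraction arithmetic keeps the departure times exact."""
from fractions import Fraction
from ipaddress import ip_address, ip_network

SHAPED_NET = ip_network("192.168.10.0/24")   # ACL 3002, matched by classifier c1
AF3_QUEUE = 3                                 # remark local-precedence af3 -> queue 3 (assumed mapping)


def classify(src: str) -> int:
    """traffic-policy p1 inbound on Eth2/0/0: matching packets get AF3 (queue 3);
    everything else keeps the default best-effort queue 0."""
    return AF3_QUEUE if ip_address(src) in SHAPED_NET else 0


class TokenBucketShaper:
    """queue 3 gts cir 64 cbs 1600: a packet waits until enough tokens have accrued."""

    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate = Fraction(cir_kbps * 1000, 8)   # bytes per second
        self.cbs = cbs_bytes
        self.tokens = Fraction(cbs_bytes)           # bucket starts full
        self.last = Fraction(0)                     # time of the last refill/departure

    def depart(self, size: int, arrival: Fraction) -> Fraction:
        # Shaping is FIFO: a packet cannot leave before the previous one did.
        now = max(Fraction(arrival), self.last)
        self.tokens = min(Fraction(self.cbs),
                          self.tokens + (now - self.last) * self.rate)
        if size <= self.tokens:
            self.tokens -= size
            self.last = now
            return now
        wait = (size - self.tokens) / self.rate     # time to accrue the shortfall
        self.tokens = Fraction(0)
        self.last = now + wait
        return self.last


class Egress:
    """GE3/0/0 with qos queue-profile limit applied: only queue 3 is shaped."""

    def __init__(self):
        self.shaper = TokenBucketShaper(cir_kbps=64, cbs_bytes=1600)

    def send(self, src: str, size: int, arrival) -> Fraction:
        if classify(src) == AF3_QUEUE:
            return self.shaper.depart(size, Fraction(arrival))
        return Fraction(arrival)                    # unshaped queue: leaves at once


def burst(src: str, count: int = 8, size: int = 500) -> list:
    """Departure times (seconds) for a constructed burst of packets that all
    arrive at t = 0 from src."""
    egress = Egress()
    return [egress.send(src, size, 0) for _ in range(count)]


if __name__ == "__main__":
    for host in ("192.168.10.5", "192.168.20.5"):
        print(host, "queue", classify(host), [float(t) for t in burst(host)])
```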
4 Building a LAN
4.1 Example for Configuring Layer 3 Link Aggregation to Improve the Link Bandwidth and
Reliability
4.2 Example for Configuring VLAN Assignment
4.3 Example for Configuring Sub-interfaces to Implement Inter-VLAN Communication
4.4 Example for Configuring a VLANIF Interface to Implement Inter-VLAN Communication
4.5 Example for Configuring GVRP to Implement Automatic VLAN Registration
4.6 Example for Configuring Transparent Bridging to Implement Communication on the
Same Network Segment
4.7 Example for Configuring Transparent Bridging to Implement Communication on
Different Network Segments
4.8 Example for Configuring a Transparent Bridge to Transmit QinQ Packets
4.9 Example for Configuring the UDP Helper to Enable Inter-Network Users to Access Each
Other Using Host Names
4.10 Example for Configuring the Proxy ARP to Implement Remote Communication of
Routers on the Same Subnet
Networking Requirements
Router_1 and Router_2 are connected through three Layer 3 Ethernet interfaces. Link
aggregation needs to be configured between Router_1 and Router_2 to implement
interworking between Router_1 and Router_2, increase the link bandwidth, and improve the
link reliability.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface Eth-Trunk1 //Create an Eth-Trunk, switch the Eth-Trunk to Layer 3 mode, and configure an IP address.
undo portswitch
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0 //Add GE1/0/0, GE2/0/0, and GE3/0/0 to Eth-Trunk 1.
eth-trunk 1
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet3/0/0
eth-trunk 1
#
return
#
sysname Router_2
#
interface Eth-Trunk1
undo portswitch
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet3/0/0
eth-trunk 1
#
return
----End
Configuration Notes
• Member interfaces of an Eth-Trunk must use the same Ethernet type and rate. Interfaces that use different Ethernet types and rates cannot join the same Eth-Trunk. For example, GE and FE interfaces cannot join the same Eth-Trunk, and GE electrical and optical interfaces cannot join the same Eth-Trunk.
• If an interface of the local device is added to an Eth-Trunk, the directly connected interface of the remote device must also be added to an Eth-Trunk so that the two ends can communicate.
• Member interfaces cannot be configured with some services. For example, the IP address of a member interface cannot be configured.
Networking Requirements
As shown in Figure 4-2, the device of a company connects to two departments. User_1 and
User_2 belong to department 1 and connect to the company network through different
devices, and User_3 and User_4 belong to department 2 and connect to the company network
through different devices.
To ensure communication security and prevent broadcast packets from being flooded, the
company requires that hosts in a department should be allowed to communicate and hosts in
different departments should be isolated.
You can configure interface-based VLAN assignment on the device so that the device adds
interfaces connected to users in the same department to the same VLAN. Users in the same
VLAN can directly communicate with each other, and users in different VLANs cannot
communicate at Layer 2.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
vlan batch 2 to 3 //Create VLAN 2 and VLAN 3.
#
interface Ethernet2/0/1 //Configure the interface connected to User_1 as an access interface. The default VLAN is VLAN 2.
port link-type access
port default vlan 2
#
interface Ethernet2/0/2 //Configure the interface connected to User_3 as an access interface. The default VLAN is VLAN 3.
port link-type access
port default vlan 3
#
interface Ethernet2/0/3 //Configure the interface connecting Router_1 to Router_2 as a trunk interface that allows VLAN 2 and VLAN 3.
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
#
sysname Router_2
#
vlan batch 2 to 3 //Create VLAN 2 and VLAN 3.
#
interface Ethernet2/0/1 //Configure the interface connected to User_2 as an access interface. The default VLAN is VLAN 2.
port link-type access
port default vlan 2
#
interface Ethernet2/0/2 //Configure the interface connected to User_4 as an access interface. The default VLAN is VLAN 3.
port link-type access
port default vlan 3
#
interface Ethernet2/0/3 //Configure the interface connecting Router_2 to Router_1 as a trunk interface that allows VLAN 2 and VLAN 3.
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
# Configure User_1 and User_2 on the same network segment, for example, 10.1.100.0/24;
configure User_3 and User_4 on the same network segment, for example, 10.1.200.0/24.
# User_1 and User_2 can ping each other, but cannot ping User_3 or User_4. User_3 and
User_4 can ping each other, but cannot ping User_1 or User_2.
----End
Configuration Notes
• To ensure that packets from VLAN 2 and VLAN 3 are correctly transmitted, create VLAN 2 and VLAN 3 on the device and configure the interconnecting interface to allow VLAN 2 and VLAN 3.
• The interfaces connected to users do not need to distinguish VLANs. They only receive and send untagged frames and add the default VLAN tag to untagged frames, so they need to be configured as access interfaces.
• The interconnected interfaces between devices need to allow packets from VLAN 2 and VLAN 3, so they need to be configured as trunk interfaces.
Networking Requirements
On the switch, a trunk interface connects to Eth1/0/0 on the router and an access interface
connects to PCs. PC1 joins VLAN 10 and PC2 joins VLAN 20.
Two sub-interfaces are created on Eth1/0/0 of the router and assigned IP addresses as gateway
addresses of the two VLANs. The two sub-interfaces use 802.1q encapsulation to implement
inter-VLAN communication.
Procedure
Step 1 Configure the router.
#
sysname Router
#
interface Ethernet1/0/0.1
control-vid 1 dot1q-termination //Configure the dot1q termination sub-interface. V200R002C01 and later versions do not support this command.
dot1q termination vid 10 //Configure the interface to process packets with VLAN 10.
ip address 10.10.10.1 255.255.255.0 //Configure the gateway address for VLAN 10.
arp broadcast enable //Allow the interface to process broadcast ARP packets. In V200R003C01 and later versions, ARP broadcast is enabled by default.
#
interface Ethernet1/0/0.2
control-vid 2 dot1q-termination
dot1q termination vid 20 //Configure the interface to process packets with VLAN 20.
ip address 10.10.20.1 255.255.255.0 //Configure the gateway address for VLAN 20.
arp broadcast enable
#
return
----End
Configuration Notes
• The switch downlink interface connected to a PC must be an access interface and the switch uplink interface connected to the router must be a trunk interface.
• The gateway address configured on the PC must be the same as the sub-interface IP address.
• ARP broadcast must be enabled on the sub-interface.
• The VLAN ID of a sub-interface must be the same as the VLAN ID of the PC.
Networking Requirements
Layer 2 interfaces Eth2/0/1 and Eth2/0/2 of the router connect to PC1 and PC2 on different
network segments.
Two VLANs are configured so that Layer 2 packets from PC1 and PC2 are broadcast in the
VLANs that PC1 and PC2 belong to. A VLANIF interface is configured on the router so that
PC1 and PC2 in different VLANs can communicate with each other.
Procedure
Step 1 Configure the router.
#
sysname Router
#
vlan batch 10 20 //Create VLANs.
#
interface Vlanif10 //Create a VLANIF interface.
ip address 10.10.10.1 255.255.255.0 //Configure the gateway address for PC terminals in the VLAN.
#
interface Vlanif20
ip address 10.10.20.1 255.255.255.0
#
interface Ethernet2/0/1
port link-type access //Set the link type of the interface to access.
port default vlan 10 //Add the interface to the VLAN.
#
interface Ethernet2/0/2
port link-type access
port default vlan 20
#
return
----End
Configuration Notes
• PCs in different VLANs are located on different network segments.
• The router interface connected to PCs must be a Layer 2 access or hybrid interface.
• The gateway address configured on the PC must be the same as the VLANIF interface IP address.
• The VLANIF interface number must be the same as the VLAN ID.
Networking Requirements
RouterA and RouterC connect to RouterB through Layer 2 interfaces, and VLANs 100 to 200
are manually configured on RouterA and RouterC. RouterB needs to automatically learn the
VLANs. GVRP is enabled on each router and interface so that VLAN information can be
registered and updated dynamically.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 100 to 200 //Create VLANs.
#
gvrp //Enable GVRP globally.
#
interface Ethernet2/0/0
port link-type trunk //Set the link type of the interface to trunk.
port trunk allow-pass vlan 2 to 4094 //Add the interface to all VLANs.
gvrp //Enable GVRP on the interface.
#
return
#
sysname RouterC
#
vlan batch 100 to 200
#
gvrp
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
# Run the display vlan summary command on RouterB. The command output shows that
RouterB has learned VLANs 100 to 200 and the type is dynamic.
# Run the display vlan brief command. The command output shows that Eth2/0/0 and
Eth2/0/1 have joined VLANs 100 to 200.
----End
Configuration Notes
• The link type of the Layer 2 interfaces must be trunk.
• The GVRP-enabled interface must be added to all VLANs.
Networking Requirements
PCs on LAN 1 and LAN 2 communicate through local bridging and can directly perform
network applications over the WAN.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
bridge 1 //Create a bridge group and generate the virtual bridge.
#
interface Ethernet1/0/0
bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
interface Ethernet2/0/0
bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
return
#
sysname RouterB
#
bridge 1
#
interface Ethernet1/0/0
bridge 1
#
interface Ethernet2/0/0
bridge 1
#
return
----End
Configuration Notes
• Interfaces added to a bridge group must be Layer 3 interfaces of the Ethernet, ATM, or serial type.
• PCs on LAN 1 and LAN 2 are on the same network segment.
Networking Requirements
LAN 1 and LAN 2 use the same network segment and a route to LAN 3 is configured on the
router.
Eth1/0/0 and Eth2/0/0 are added to the same bridge group so that PCs on LAN 1 and LAN 2
can communicate.
Bridge-if 1 is created on the router. PCs on LAN 1 and LAN 2 communicate with PCs on
LAN 3 through the route on Bridge-if 1.
Procedure
Step 1 Configure the router.
#
sysname Router
#
bridge 1 //Create a bridge group and generate a virtual bridge.
routing ip //Enable a bridge group to route IP protocol packets.
#
interface Ethernet1/0/0
bridge 1 //Add an interface to the bridge group as the virtual bridge interface.
#
interface Ethernet2/0/0
bridge 1
#
interface Ethernet3/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Bridge-if1 //Create a Bridge-if interface and bind it to the virtual
bridge interface.
ip address 192.168.1.1 255.255.255.0 //Assign an IP address to the Bridge-if
interface.
#
ip route-static 192.168.2.0 255.255.255.0 10.1.1.2
#
return
# PCs on LAN 1 and LAN 2 and PCs on LAN 3 can successfully ping each other.
----End
Configuration Notes
• Interfaces added to a bridge group must be Layer 3 interfaces of the Ethernet, ATM, or serial type.
• PCs on LAN 1 and LAN 2 are on the same network segment.
• The ID of the Bridge-if interface must be the same as the bridge group ID.
Networking Requirements
Multiple departments of an enterprise are located in different areas. As services develop,
departments in different areas need to transmit tagged packets. Through remote bridging and
QinQ of the transparent bridge, tagged packets can be transmitted between departments in
different areas.
In Figure 4-8, Router_A and Router_B are located in different areas and connected through
an intermediate link. PC1 and PC2 belong to different LANs. Through remote bridging and
QinQ of the transparent bridge, tagged packets can be transmitted between hosts in different
areas.
Procedure
Step 1 Configure Router_A.
# Router_A is used as an example. The configuration of Router_B is similar, and is not
mentioned here.
#
vlan batch 2 to 4094
#
bridge 1 //Create a bridge group and generate a virtual bridge.
#
interface GigabitEthernet0/0/1
bridge 1 //Add the LAN-side interface to bridge 1.
bridge vlan-transmit enable //Enable the interface to transparently transmit VLAN packets.
#
interface GigabitEthernet0/0/2
undo portswitch
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2.1
bridge 1 //Add the WAN-side sub-interface to bridge 1.
bridge vlan-transmit enable //Enable the sub-interface to transparently transmit VLAN packets.
vlan allow-pass vid 3105 //Configure the VLAN allowed by the sub-interface.
vlan dot1q-tunnel 3105 //Configure the dot1q tunnel function on the sub-interface.
#
return
----End
Configuration Notes
When the type of the WAN-side interface is VDSL or G.SHDSL, run the set workmode slot
slot-id vdsl ptm or set workmode slot slot-id shdsl ptm command to configure the interface
to work in PTM mode.
Networking Requirements
As shown in Figure 4-9, the IP addresses of GE0/0/1 and GE0/0/2 on the router are
10.110.1.1/16 and 10.210.1.1/24. The IP address of the NetBIOS-NS name server is
10.2.1.1/16. The router and NetBIOS-NS name server are on different network segments. The
next-hop address of the route from the router to 10.2.0.0/16 is 10.210.1.2/24.
The router is configured to forward broadcast packets with destination UDP port number 137
and destination IP addresses 255.255.255.255 and 10.110.255.255 to the NetBIOS-NS name
server. When the router receives a broadcast NetBIOS-NS Register packet, it changes the
destination IP address in the IP header of the broadcast packet to the IP address of the
NetBIOS-NS name server and forwards the packet to the NetBIOS-NS name server.
Procedure
Step 1 Configure the router.
#
udp-helper enable //Enable the UDP helper function.
#
interface GigabitEthernet0/0/1
ip address 10.110.1.1 255.255.0.0
----End
Configuration Notes
• Enable UDP helper globally.
• Ensure that the router has a reachable route to the destination server of the UDP helper.
Networking Requirements
RouterA and RouterC are on the same subnet. Proxy ARP needs to be configured on RouterB
to enable RouterA and RouterC to communicate.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.0.0
#
Step 2 Configure RouterB.
#
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
arp-proxy enable
#
Step 3 Configure RouterC.
#
interface GigabitEthernet0/0/1
ip address 10.1.2.1 255.255.0.0
----End
5.20 Example for Configuring the Device as a PPPoE Client to Connect Device to the Internet
5.21 Example for Configuring the Device as a PPPoE Client (IPv6) to Connect Device to the
Internet
5.22 Example for Configuring the Device as a PPPoE Server to Connect Users to the Internet
5.23 Example for Connecting the Router to the Internet Through the External ADSL Modem
Using PPPoE
5.24 Example for Connecting the Router to the PSTN Through a Modem (in C-DCC Mode)
5.25 Example for Connecting the Router to the ISDN Through the ISDN PRI Interface (in
RS-DCC Mode)
5.26 Example for Configuring HDLC to Implement Interconnections
Networking Requirements
As shown in Figure 5-1, Host A and Host B connect to Eth2/0/1 and Eth2/0/2 of the router
that connects to the Internet through GE0/0/1. The requirement is as follows: Host A and Host
B cannot exchange packets at Layer 2, but they can communicate with the Internet.
Procedure
Step 1 Configure the router.
#
sysname Router
#
interface Ethernet2/0/1
port-isolate enable group 1 //Enable the port isolation function. Ports are added to port isolation group 1 by default.
#
interface Ethernet2/0/2
port-isolate enable group 1 //Enable the port isolation function. Ports are added to port isolation group 1 by default.
#
return
----End
Configuration Notes
• Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate.
• When you enable the port isolation function, ports are added to port isolation group 1 by default if you do not set group group-id.
• By default, ports are isolated at Layer 2 but can communicate at Layer 3. You can run the port-isolate mode all command to isolate ports at both Layer 2 and Layer 3.
Networking Requirements
Two devices are connected through the SONET network, and RouterB has been configured,
as shown in Figure 5-2. To ensure successful connection, configure the POS interface of
RouterA.
Parameter settings of the POS interface of RouterB are as follows:
• The frame format is SONET.
• The link-layer protocol is HDLC.
• The clock mode is the slave mode.
Procedure
Step 1 Configure Router A.
#
sysname RouterA
#
interface Pos2/0/0
link-protocol hdlc // Set the link-layer protocol of the POS interface to HDLC.
mtu 1200 // Set the MTU of the POS interface to 1200 bytes.
ip address 10.1.1.1 255.255.255.252
flag c2 3 // Set the overhead byte C2 of the POS interface to 3.
flag j0 16byte-mode abc // Set the overhead byte J0 of the POS interface to abc (16-byte mode).
flag j1 16byte-mode xyz // Set the overhead byte J1 of the POS interface to xyz (16-byte mode).
frame-format sonet // Set the frame format of the POS interface to SONET.
undo scramble // Disable payload data scrambling on the POS interface.
crc 16 // Set the CRC field length of the POS interface to 16 bits.
#
return
----End
Configuration Notes
Ensure that POS interface configurations on both devices are the same. Otherwise, the two
devices cannot be connected.
Networking Requirements
As shown in Figure 5-3, RouterA connects to seven routers RouterB to RouterH. Each of the
seven routers connects to RouterA using an E1 link. RouterA uses a CPOS interface to
aggregate these E1 links.
Another E1 link is added to RouterB to provide more bandwidth. The two E1 links need to be
bound using MP-Group interfaces.
The existing configurations are as follows:
• RouterA uses the clock signals transmitted from the SDH network.
• RouterA's CPOS interface uses SDH as the frame format, and the AUG multiplexing mode is au-4.
Figure 5-3 Networking diagram for configuring CPOS interfaces to aggregate E1 lines
Procedure
Step 1 Configure Router A.
#
sysname RouterA
#
interface Mp-group0/0/1 // Create and configure an MP-Group interface.
ip address 10.10.10.1 255.255.255.0 // Configure the IP address of the MP-Group interface.
#
controller cpos 1/0/0
e1 1 unframed // Configure E1 channel 1 to work in unchannelized mode.
e1 2 unframed // Configure E1 channel 2 to work in unchannelized mode.
e1 1 set clock master // Configure E1 channel 1 to use the master clock mode; the peer E1-F interface must use the opposite (slave) mode.
e1 2 set clock master // Configure E1 channel 2 to use the master clock mode; the peer E1-F interface must use the opposite (slave) mode.
#
interface Serial1/0/0/1:0 // Enter the logical channel generated by E1 channel 1.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial1/0/0/1:0 to the MP-Group interface.
#
interface Serial1/0/0/2:0 // Enter the logical channel generated by E1 channel 2.
link-protocol ppp
ppp mp mp-group 0/0/1 // Bind Serial1/0/0/2:0 to the MP-Group interface.
#
return
# On RouterA, run the display controller cpos 1/0/0 e1 1 command to view information
about E1 channel 1 on CPOS 1/0/0.
# On RouterA, run the display interface mp-group command to view the status of the MP-
Group interface on RouterA.
----End
Configuration Notes
Line attributes of the E1 channel on the CPOS port must be the same as those of the E1
channel on the peer device.
Networking Requirements
ATM1/0/0 of RouterA and GE1/0/0 of RouterB connect to the DSLAM. RouterA needs to use
IPoA to communicate with RouterB.
Procedure
Step 1 Configure RouterA.
#
interface Atm1/0/0
ip address 1.1.0.1 255.255.255.0 // Configure the IP address of ATM1/0/0 on RouterA.
pvc 0/35 // Create a PVC and enter the PVC view.
map ip 1.1.0.2 // Configure IPoA mapping on the PVC.
#
return
----End
5.5.1 Overview
Synchronous serial interfaces work in data terminal equipment (DTE) or data circuit-
terminating equipment (DCE) mode. A DTE is a device on which serial interfaces are
connected to DTE cables, and a DCE is a device on which serial interfaces are connected to
DCE cables. When functioning as a DTE, the device receives clock signals from a DCE.
Synchronous serial interfaces are typically used for campus network interconnection between
an enterprise's branches and the headquarters through Point-to-Point Protocol (PPP), X.25,
Link Access Procedure Balanced (LAPB), Frame Relay (FR), and High-Level Data Link
Control (HDLC) links.
5.5.2 Precautions
l The 1SA, 2SA, and 8SA cards of access routers (ARs) can transmit FR packets over V.35
physical links for interconnection with modem devices (for example, Aethro) from
different vendors. Vendors use different chips and solutions. To ensure successful
interconnection between devices from different vendors, configure the same
parameter settings on the local and remote devices.
l Table 1-1 describes the required product models and versions.
Figure 5-5 Configuring network connectivity using synchronous serial interfaces
Step 2 (Optional) Configure the device to invert clock signals received by the synchronous serial
interface.
If the DTE receives error packets, for example, the packet count is not a multiple of the byte
count, run the invert receive-clock command to configure the device to invert clock signals
received by the synchronous serial interface.
[RouterA-Serial1/0/1] invert receive-clock
Step 3 (Optional) Configure the device to invert clock signals transmitted by the synchronous serial
interface.
If the DTE does not receive error packets but the DCE does, run the invert
transmit-clock command to configure the device to invert the clock signals transmitted by the
synchronous serial interface.
[RouterA-Serial1/0/1] invert transmit-clock
----End
Step 2 (Optional) Configure the device to invert clock signals transmitted by the synchronous serial
interface.
RouterB(config-if)#invert txclock
!
interface Serial0/1/1
ip address 10.1.11.1 255.255.255.0
encapsulation frame-relay
clock rate 128000
no frame-relay inverse-arp IP 581
frame-relay lmi-type ansi
frame-relay local-dlci 581
frame-relay intf-type dce
end
----End
5.5.5 Verification
1. The physical status and protocol status of the serial interface are Up, and the message
"DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP" is displayed in the command output.
[RouterA] display interface Serial 1/0/1
Serial1/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2017-05-24 16:02:07
Description:HUAWEI, AR Series, Serial1/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.1.11.2/24
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is ANSI, frame relay DTE
LMI status enquiry sent 107, LMI status received 105
LMI status timeout 0, LMI message discarded 0
Last physical up time : 2017-05-24 16:02:07
Last physical down time : 2017-05-24 16:02:04
Current system time: 2017-05-24 16:19:32
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is DTECLK1
Last 300 seconds input rate 2 bytes/sec 16 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Alignments: 0, Overruns: 0
Dribbles: 0, Aborts: 0
No Buffers: 0, Frame Error: 0
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 12/12/13 ms
The DCD, DSR, and CTS parameters are related to a DCE device, and the DTR and RTS
parameters are related to a DTE device.
A DTE device obtains synchronization clock information from a DCE device, and data
transmission is normal after clock information is negotiated.
The serial interface can go Up after the preceding parameters are correctly set.
Networking Requirements
As shown in Figure 5-6, a router in a bank outlet connects to the aggregation device in a tier
2 branch through an E1 link leased from a carrier so that the outlet and branch can
communicate. The E1 link uses all the 32 timeslots, PPP encapsulation, and CHAP
authentication.
Figure 5-6 Networking diagram for connecting a bank outlet to a tier 2 branch through an E1
link
Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
controller e1 1/0/0 //Enter the E1 controller view.
using e1 //Configure the E1 interface to work in E1 mode (the whole link as one channel).
#
interface serial 1/0/0:0 //Enter the view of the generated virtual serial interface.
link-protocol ppp //Configure PPP encapsulation.
ip address 2.2.2.2 255.255.255.0
ppp chap user user1 //Configure the user name for CHAP authentication.
ppp chap password cipher %@%@#0p7U*q6k~qRN7$#9'oY&\z&%@%@ //Configure the password for CHAP authentication.
#
return
# Run the display interface serial command to check the serial interface status. The
command output shows that both the physical status and link layer status of the interface are
Up.
# Ping the remote device from the router. The ping succeeds, indicating that the two devices
can communicate through the E1 link.
----End
Configuration Notes
l A carrier provides various types of WAN links. The E1 interface of the router may
connect to different types of interfaces. A protocol converter may be required to convert
protocols. Therefore, you need to select proper cable connectors and conversion adapters
based on actual situations.
NOTE
For details about E1/T1 cables supported by the device, see E1/T1 Cable in the Huawei AR Series
Access Routers Hardware Description - Cables.
l PPP authentication improves link security; the authentication mode can be PAP or CHAP.
Because E1 links are generally leased from a carrier and treated as trusted, PPP
authentication is often not configured on them. A leased line is trusted rather than
authenticated, so configure PPP authentication (CHAP in this example) wherever the
actual requirements call for it.
l When PPP authentication is configured, the router functions as the supplicant.
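The note above says the router acts as the CHAP supplicant, and the MP-group and PPPoE examples later in this chapter likewise depend on the local and remote CHAP user name and password matching. The following Python block is an added illustration, not code from the Huawei document: it walks through the RFC 1994 exchange, where the authenticator sends an Identifier and a random Challenge, the peer answers with MD5(Identifier || secret || Challenge) and its name, and the authenticator recomputes the hash from the secret stored under that name. The class names Authenticator and Peer, the user name and the secret are the example's own constructed values.

```python
# Added example: CHAP (RFC 1994) challenge/response as PPP uses it.
# Not Huawei code; user names and secrets are constructed for illustration.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that runs 'ppp authentication-mode chap': holds the user database."""

    def __init__(self, users: dict):
        self.users = users  # name -> cleartext secret (CHAP needs the secret itself)
        self.identifier = 0
        self.pending = {}   # identifier -> outstanding challenge value

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)  # unpredictable, fresh for every round
        self.pending[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(identifier, None)  # a challenge is usable once
        secret = self.users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The supplicant side ('ppp chap user' / 'ppp chap password')."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator: Authenticator, peer: Peer) -> bool:
    ident, chal = authenticator.challenge()        # Challenge packet
    ident, name, resp = peer.respond(ident, chal)   # Response packet
    return authenticator.verify(ident, name, resp)  # Success or Failure packet


def demo() -> tuple:
    auth = Authenticator({"user1": b"example-secret"})  # constructed credentials
    good = run_chap(auth, Peer("user1", b"example-secret"))
    wrong_pw = run_chap(auth, Peer("user1", b"wrong-secret"))
    unknown = run_chap(auth, Peer("nobody", b"example-secret"))
    # A captured Response cannot be replayed: the challenge was consumed.
    ident, chal = auth.challenge()
    _, name, resp = Peer("user1", b"example-secret").respond(ident, chal)
    first = auth.verify(ident, name, resp)
    replay = auth.verify(ident, name, resp)
    return good, wrong_pw, unknown, first, replay


if __name__ == "__main__":
    print(demo())
```

Two points follow from the construction. Both ends need the cleartext secret, so password cipher in the router configuration protects the stored file, not the protocol; and a captured Challenge/Response pair can be tested offline against candidate secrets, so CHAP defeats replay (the challenge is consumed) but does not replace link encryption.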
Networking Requirements
As shown in Figure 5-7, a router in a bank outlet connects to the aggregation device in a tier
2 branch through an E1 link leased from a carrier so that the outlet and branch can
communicate. The E1 link uses timeslots 1, 10 to 16, and 18, PPP encapsulation, and CHAP
authentication.
Figure 5-7 Networking diagram for connecting a bank outlet to a tier 2 branch through an E1
link
Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
controller e1 1/0/0 //Enter the E1 controller view.
using ce1 //Configure the E1 interface to work in CE1 (channelized) mode.
channel-set 1 timeslot-list 1,10-16,18 //Bind timeslots 1, 10 to 16, and 18 to form channel interface 1.
#
interface serial 1/0/0:1 //Enter the view of the generated virtual serial interface. The :1 in the interface number 1/0/0:1 indicates channel interface 1.
link-protocol ppp
ip address 2.2.2.2 255.255.255.0
ppp chap user user1 //Configure the user name for CHAP authentication.
ppp chap password cipher %@%@#0p7U*q6k~qRN7$#9'oY&\z&%@%@ //Configure the password for CHAP authentication.
#
return
# Run the display interface serial command to check the serial interface status. The
command output shows that both the physical status and link layer status of the interface are
Up.
# Ping the remote device from the router. The ping succeeds, indicating that the two devices
can communicate through the E1 link.
----End
Configuration Notes
l A carrier provides various types of WAN links. The E1 interface of the router may
connect to different types of interfaces. A protocol converter may be required to convert
protocols. Therefore, you need to select proper cable connectors and conversion adapters
based on actual situations.
NOTE
For details about E1/T1 cables supported by the device, see E1/T1 Cable in the Huawei AR Series
Access Routers Hardware Description - Cables.
l PPP authentication improves link security; the authentication mode can be PAP or CHAP.
Because E1 links are generally leased from a carrier and treated as trusted, PPP
authentication is often not configured on them. A leased line is trusted rather than
authenticated, so configure PPP authentication (CHAP in this example) wherever the
actual requirements call for it.
Networking Requirements
It is difficult and costly for enterprises to lease lines from carriers. Therefore, an enterprise
uses a 3G link to access the Internet.
As shown in Figure 5-8, a router connects to downstream users on the enterprise intranet, and
dials up to the upstream Internet through the 3G link so that intranet users can access the
Internet.
Figure 5-8 Networking diagram for configuring an enterprise to use a 3G link to access the
Internet
Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
dialer-rule //Configure a rule that triggers dial-up.
dialer-rule 1 ip permit //Configure the device to trigger dial-up by all IP packets.
#
acl number 3002 //Configure an ACL.
rule 5 permit ip source 10.10.10.0 0.0.0.255 //Match packets from the intranet network segment; only matching traffic is translated.
#
apn profile 3gnet //Create an APN profile.
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@ authentication-mode chap //Configure the user name, password, and authentication mode of the user connecting to the external PDN.
apn 3GNET //Configure the APN. The APN is provided by the carrier.
#
interface Cellular0/0/0
link-protocol ppp
mode wcdma wcdma-precedence //Set the mode for connecting to the WCDMA network to wcdma-precedence. The mode can also be set to gsm-only, gsm-precedence, or wcdma-only.
ppp ipcp dns request //Request DNS server addresses through PPP (IPCP) negotiation.
ip address ppp-negotiate //Obtain an IP address through PPP negotiation. In V200R005C00 and later versions, you are advised to run the ip address negotiate command instead.
dialer-group 1 //Associate the rule that triggers dial-up with the 3G interface.
dialer enable-circular //Enable C-DCC.
dialer number *99# autodial //Dial up to the carrier network automatically. Dialer numbers differ between carriers; dial-up succeeds only with the correct number.
dialer timer autodial 10 //Set the automatic dial-up interval to 10 seconds: while the link is down, the device attempts the 3G dial-up every 10 seconds.
apn-profile 3gnet //Bind the APN profile to the 3G interface so that the CHAP credentials and the APN take effect.
nat outbound 3002 //Configure outbound NAT for traffic matching ACL 3002.
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Configure a default static route with the 3G interface as the outbound interface so that traffic is forwarded to the external network through it.
#
return
# Run the display interface cellular command to view detailed information about the 3G
interface. When the interface transmits traffic, both the physical status and link layer status of
the interface are Up, LCP and IPCP are in Opened state, and the interface successfully obtains
an IP address.
----End
Configuration Notes
l The methods of configuring the APN in different versions are as follows:
– In versions earlier than V200R005C00, if the APN is 3GNET, run the profile
create command on the 3G interface to create a parameter profile and manually
configure the APN. The configuration is as follows:
#
interface Cellular0/0/0
profile create 1 static 3GNET
– In V200R005C00 and later versions, if the APN is 3GNET, create an APN profile,
set the APN to 3GNET in the APN profile, and bind the APN profile to the 3G
interface. The configuration is as follows:
#
apn profile 3gnet
apn 3GNET
#
interface Cellular0/0/0
apn-profile 3gnet
l When CHAP authentication is configured, the router functions as the supplicant. The
methods of configuring CHAP authentication on the 3G interface in different versions
are as follows:
– In versions earlier than V200R005C00, run the ppp chap user and ppp chap
password commands on the 3G interface to configure the user name and password
for CHAP authentication, respectively. The configuration is as follows:
#
interface Cellular0/0/0
ppp chap user 3guser
ppp chap password cipher %@%@9eCPJjmQR!gQxf6@q%.;,u5q%@%@
– In V200R005C00 and later versions, create an APN profile, configure the user
name, password, and authentication mode of the user connecting to the external
PDN in the APN profile, and bind the APN profile to the 3G interface. The
configuration is as follows:
#
apn profile 3gnet
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@
authentication-mode chap
#
interface Cellular0/0/0
apn-profile 3gnet
l If automatic dial-up is configured, the 3G link remains in the connected state after the
router properly starts. More 3G network traffic is consumed. Therefore, you can
configure automatic dial-up based on actual requirements.
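The 3G example selects the intranet traffic to translate with acl number 3002 / rule 5 permit ip source 10.10.10.0 0.0.0.255 and applies it with nat outbound 3002 (the PPPoE client example later in this chapter does the same with 192.168.0.0 0.0.0.255). The mask in such a rule is a wildcard mask, not a subnet mask: a 0 bit must match and a 1 bit is ignored. The following Python block is an added illustration, not code from the Huawei document: it parses rules written in that form and evaluates constructed source addresses against them, including the common mistake of typing a subnet mask where a wildcard mask is expected. The rule text and sample addresses are constructed for the example.

```python
# Added example: evaluate Huawei-style advanced ACL source rules (wildcard masks)
# the way 'nat outbound <acl>' selects traffic. Not Huawei code; the rule text
# and sample addresses are constructed for illustration.
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+source\s+(\S+)\s+(\S+))?\s*$"
)


def parse_rule(line: str) -> tuple:
    """Return (number, action, base_int, wildcard_int); base is None for 'any'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    number, action, src, wild = m.groups()
    if src is None:
        return int(number), action, None, None
    return (int(number), action,
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wild)))


def matches(rule: tuple, src_ip: str) -> bool:
    """Wildcard semantics: bits set in the wildcard are don't-care bits."""
    _, _, base, wild = rule
    if base is None:
        return True
    addr = int(ipaddress.IPv4Address(src_ip))
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)


def acl_decision(rules: list, src_ip: str) -> str:
    """First matching rule in rule-number order wins.

    'no-match' means the ACL does not select the packet; nat outbound then
    forwards it untranslated, which is the usual symptom of a wrong mask.
    """
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, src_ip):
            return rule[1]
    return "no-match"


def demo() -> dict:
    good = [parse_rule("rule 5 permit ip source 10.10.10.0 0.0.0.255")]
    # Subnet mask typed by mistake: only the last octet (which must be 0) is checked,
    # so 10.10.10.7 is NOT translated while 192.0.2.0 is.
    mistaken = [parse_rule("rule 5 permit ip source 10.10.10.0 255.255.255.0")]
    samples = ["10.10.10.7", "10.10.11.7", "192.0.2.0"]
    return {
        "correct": {ip: acl_decision(good, ip) for ip in samples},
        "subnet_mask_by_mistake": {ip: acl_decision(mistaken, ip) for ip in samples},
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Checking the rule this way before applying it also shows why the intranet segment should be stated exactly: a wildcard such as 0.0.255.255 on the same rule would translate every 10.10.0.0/16 source, including segments that were never meant to reach the 3G link.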
Networking Requirements
It is difficult and costly for enterprises to lease lines from carriers. Therefore, an enterprise
uses a 3G link to access the Internet.
As shown in Figure 5-9, a router connects to downstream users on the enterprise intranet, and
dials up to the upstream Internet through the 3G link so that intranet users can access the
Internet.
Figure 5-9 Networking diagram for configuring an enterprise to use a 3G link to access the
Internet
Procedure
Step 1 Configure the router. (Take V200R005C20 as an example.)
#
dialer-rule //Configure a rule that triggers dial-up.
dialer-rule 1 ip permit //Configure the device to trigger dial-up by all IP packets.
#
acl number 3002 //Configure an ACL.
rule 5 permit ip source 10.10.10.0 0.0.0.255 //Match packets from the intranet network segment.
#
apn profile 3gnet //Create an APN profile.
# Run the display interface cellular command to view detailed information about the 3G
interface. When the interface transmits traffic, both the physical status and link layer status of
the interface are Up, LCP and IPCP are in Opened state, and the interface successfully obtains
an IP address.
----End
Configuration Notes
l When CHAP authentication is configured, the router functions as the supplicant. The
methods of configuring CHAP authentication on the 3G interface in different versions
are as follows:
– In versions earlier than V200R005C00, run the ppp chap user and ppp chap
password commands on the 3G interface to configure the user name and password
for CHAP authentication, respectively. The configuration is as follows:
#
interface Cellular0/0/0
ppp chap user 3guser
ppp chap password cipher %@%@9eCPJjmQR!gQxf6@q%.;,u5q%@%@
– In V200R005C00 and later versions, create an APN profile, configure the user
name, password, and authentication mode of the user connecting to the external
PDN in the APN profile, and bind the APN profile to the 3G interface. The
configuration is as follows:
#
apn profile 3gnet
user name 3guser password cipher %@%@Gy-Z:-sDMYJ`qiLe/gJG)}hP%@%@
authentication-mode chap
#
interface Cellular0/0/0
apn-profile 3gnet
l If automatic dial-up is configured, the 3G link remains in the connected state after the
router properly starts. More 3G network traffic is consumed. Therefore, you can
configure automatic dial-up based on actual requirements.
Networking Requirements
A remote branch of the enterprise needs to exchange large volumes of service traffic with
external networks, but it cannot obtain the wired WAN access service. As shown in Figure
5-10, the branch uses the Router as the egress gateway and uses an LTE cellular interface to
connect to the Internet through the LTE network, meeting service transmission requirements.
The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires that the Router should assign IP addresses to branch intranet users and
the users access external networks.
The branch has subscribed to the yearly-package service and users in the branch access the
Internet through automatic dial-up. The branch obtains the following information from the
carrier:
l The APN is 3gnet.
l The dialer number is *99#.
Procedure
Step 1 Configure the router.
#
vlan batch 10 // Create VLAN 10.
#
dhcp enable // Enable DHCP.
#
acl number 3002 // Configure the ACL for NAT.
# On the router, run the display interface cellular 0/0/0 command to view detailed
information about the interface. The command output shows that both the physical layer
status and link layer status of the interface are Up when the interface forwards traffic.
# On the router, run the display cellular 0/0/0 all command to view information about all call
sessions on the LTE data card. The command output shows that the APN is 3gnet, the network
type is Automatic, and the network connection mode is LTE(LTE).
----End
Configuration Notes
l APNs and dialer numbers are provided by the carrier.
l After an APN is configured, it is permanently recorded in an LTE data card. If the APN
changes, reconfigure it.
Networking Requirements
ATM1/0/0 of RouterA and GE1/0/0 of RouterB connect to the DSLAM. RouterA needs to use
IPoA to communicate with RouterB.
Procedure
Step 1 Configure RouterA.
#
interface Atm1/0/0
ip address 1.1.0.1 255.255.255.0 //Assign an IP address to ATM1/0/0.
pvc 0/35 //Create a PVC and enter the PVC view.
map ip 1.1.0.2 //Configure IPoA mapping on the PVC.
#
return
----End
Networking Requirements
Users on an enterprise intranet connect to the enterprise gateway RouterA through Layer 2
Ethernet interfaces. RouterA connects to the DSLAM through the ADSL uplink interface, and the
DSLAM connects to RouterB.
Procedure
Step 1 Configure RouterA.
#
interface Virtual-Ethernet0/0/0 //Create a virtual Ethernet (VE) interface and enter the VE interface view.
ip address 1.1.0.1 255.255.255.0 //Assign an IP address to the VE interface.
#
interface Atm1/0/0
pvc 25/45 //Create a PVC and enter the PVC view.
map bridge Virtual-Ethernet 0/0/0 //Configure IPoEoA mapping on the PVC.
#
return
----End
Networking Requirements
All PCs on an enterprise intranet use the IP address of an Ethernet interface on RouterA as the
gateway address. RouterA connects to a DSLAM through the ADSL interface, and the
DSLAM connects to the PPPoEoA server. RouterA functions as the PPPoEoA client and is
authenticated in CHAP mode.
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 10 ip permit //Configure dialer ACL rule 10.
#
acl 2000 //Configure an ACL.
# Run the display interface dialer command to check whether the dialer interface on the
Router has been assigned a correct IP address.
The following information indicates that the dialer interface has been assigned a correct IP
address.
Internet Address is negotiated, 1.1.1.254/32
# Run the display virtual-access command to view the PPP negotiation status of the virtual
access interface created on the dialer interface.
The following information indicates that PPP negotiation is successful on the virtual access
interface.
LCP opened, IPCP opened
# Ping the PPPoEoA server (RouterB) from RouterA. RouterA can successfully ping
RouterB.
----End
Configuration Notes
l The dialer rule numbers in dialer-rule and dialer-group must be the same. The dialer
rule numbers in dialer bundle and pppoe-client dial-bundle-number must be the same.
l You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
l If the public network can be connected but web pages cannot be opened after NAT is
performed, run the tcp adjust-mss command on the public network interface. For
PPPoE applications, the recommended maximum segment size (MSS) is 1200 bytes.
Networking Requirements
In PPPoA application, PPP packets are encapsulated in ATM cells, and IP packets and other
protocol packets are encapsulated in PPP packets. PPPoA packet transmission is controlled by
the PPP protocol, which is flexible and supports a variety of applications.
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
# //Configure a WAN-side virtual template (VT) interface.
interface Virtual-Template10
ppp chap user huawei
ppp chap password cipher %@%@;^p|F{9fb1IiN7U[7HoAFh8)%@%@
ip address ppp-negotiate
#
interface Atm1/0/0 //Configure a WAN-side ATM interface.
pvc 35/53
map ppp Virtual-Template10
#
interface Ethernet2/0/0 //Configure a LAN-side interface.
ip address 1.1.0.1 255.255.255.0
#
return
pppoe-server bind Virtual-Template 0
#
return
----End
Configuration Notes
l The local user name and password must be identical with the remote user name and
password for CHAP authentication.
Networking Requirements
RouterA and RouterB are connected through an FR leased line. FR networks do not support
authentication, so access users cannot be authenticated.
The PPP protocol provides authentication and has good extensibility; therefore, the PPPoFR
solution can be implemented based on the PPP and FR protocols. In this example, CHAP
authentication is used over an FR network, and an end-to-end PPP session is set up on the FR
network. All access users are authenticated.
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
interface Virtual-Template10 //Create a virtual template (VT) interface and enter the VT interface view.
ip address 10.1.0.5 255.255.255.0 //Assign an IP address to the VT interface.
ppp chap user huawei //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@;^p|F{9fb1IiN7U[7HoAFh8)%@%@ //Configure the password used for CHAP authentication.
#
interface Serial1/0/0
link-protocol fr //Set the link layer protocol of the interface to Frame Relay (FR).
fr interface-type dte //Set the FR interface type to data terminal equipment (DTE).
fr dlci 100 //Set the data link connection identifier (DLCI) for the FR link.
fr map ppp interface Virtual-Template10 100 //Map the FR virtual circuit (DLCI 100) to the PPP link on VT10.
#
return
# Run the display virtual-access vt vt-number command to view the VA status of the virtual
template interface on RouterB.
----End
Networking Requirements
On the FR network, RouterA and RouterB function as DTEs to transmit IP packets. A public
FR network connects local area networks (LANs).
Procedure
Step 1 Configure RouterA.
#
interface Serial1/0/0
link-protocol fr // Configure FR as the link-layer protocol on the interface.
fr dlci 60 // Configure the data link connection identifier (DLCI) for the FR link.
fr map ip 10.1.0.6 60 // Configure the static mapping between the local DLCI and the destination IP address.
ip address 10.1.0.5 255.255.255.0 // Configure the IP address of the local device.
#
return
----End
Networking Requirements
Multiple PPP links can be bundled into an MP group to increase link bandwidth. An MP
group is an MP bundle. PPP links in an MP group are fixed. This method is efficient and the
configuration is simple, so it is widely used on networks.
As shown in Figure 5-17, two pairs of serial interfaces on RouterA and RouterB are
connected and are added to the MP-group. The routers use CHAP authentication.
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
aaa //Configure a local user.
authentication-scheme system_a
domain system
authentication-scheme system_a
local-user userb password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
local-user userb privilege level 0
local-user userb service-type ppp
#
interface Mp-group0/0/1
ip address 10.10.10.10 255.255.255.252
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system //Authenticate the remote end using CHAP, with user accounts in domain system.
ppp chap user usera //Configure the user name that the local end presents when the remote end authenticates it.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the corresponding password.
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system //Authenticate the remote end using CHAP, with user accounts in domain system.
ppp chap user usera //Configure the user name that the local end presents when the remote end authenticates it.
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the corresponding password.
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
return
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system //Authenticate the remote end using CHAP, with user accounts in domain system.
ppp chap user userb //Configure the user name that the local end presents when the remote end authenticates it.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;mdS%@%@ //Configure the corresponding password.
ppp mp mp-group 0/0/1 //Add the interface to the MP group.
return
The command output includes the physical status and protocol status of member links, the
number of member links, and MP member information.
# Run the display virtual-access command on RouterA to view the virtual access interface
status.
----End
Configuration Notes
l To make the configuration take effect, restart all the member interfaces after the
configuration is complete.
l The local user name and password must be identical with the remote user name and
password for CHAP authentication.
Networking Requirements
As shown in Figure 5-18, two routers are connected by serial cables. The serial links form an
MP group to improve communication reliability and bandwidth. The MP group is created by
binding links to a virtual template.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Set a system name to identify the router.
interface serial 1/0/0
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode
and bind virtual template VT1 to the serial interface.
#
interface serial 1/0/1
link-protocol ppp //Set the link layer protocol of the serial interface to PPP.
ppp mp Virtual-Template 1 //Configure the serial interface to work in MP mode
and bind virtual template VT1 to the serial interface.
#
interface Virtual-Template1
ip address 10.10.10.10 255.255.255.252 //Assign an IP address to VT1.
return
----End
Configuration Notes
l The physical interfaces are successfully added to the MP group only after PPP
negotiation is complete. Therefore, restart all the physical interfaces in the MP group
after the configuration to trigger PPP negotiation.
Networking Requirements
As shown in Figure 5-19, two AR routers are connected by serial cables. The serial links
form an MP group to improve communication reliability and bandwidth. The MP group is
created by binding user names to virtual interface templates.
Figure 5-19 Network diagram for binding user names to virtual interface templates
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
sysname RouterA //Set a system name to identify the router.
#
ppp mp user userb bind Virtual-Template 1 //Bind the remote user name userb to
VT 1.
#
aaa
authentication-scheme system_a
domain system
authentication-scheme system_a
local-user userb@system password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
local-user userb@system privilege level 0
local-user userb@system service-type ppp //Configure the user name and password
that the remote end uses when it is authenticated by the local end.
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user usera@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the user
name and password that the local end uses when it is authenticated by the remote
end. Set the authentication mode to CHAP.
ppp mp //Configure the serial interface to work in MP mode.
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user usera@system
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the user
name and password that the local end uses when it is authenticated by the remote
end. Set the authentication mode to CHAP.
ppp mp //Configure the serial interface to work in MP mode.
#
interface Virtual-Template1
ppp mp binding-mode authentication //Configure MP binding based on the remote
user name.
ip address 10.10.10.10 255.255.255.252
#
return
Step 2 Configure RouterB.
#
ppp mp user usera bind Virtual-Template 1 //Bind the remote user name usera to VT 1.
#
aaa
authentication-scheme system_b
domain system
authentication-scheme system_b
local-user usera@system password cipher %@%@wSj=##g9INJIZ$Ip'6f7;rd!%@%@
local-user usera@system privilege level 0
local-user usera@system service-type ppp //Configure the user name and password that the remote end uses when it is authenticated by the local end.
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user userb@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;ldS%@%@ //Configure the user
name and password that the local end uses when it is authenticated by the remote
end. Set the authentication mode to CHAP.
ppp mp
#
interface Serial1/0/1
link-protocol ppp
ppp authentication-mode chap domain system
ppp chap user userb@system
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;mdS%@%@ //Configure the user
name and password that the local end uses when it is authenticated by the remote
end. Set the authentication mode to CHAP.
ppp mp
#
interface Virtual-Template1
ppp mp binding-mode authentication //Configure MP binding based on the remote
user name.
ip address 10.10.10.11 255.255.255.252
#
return
----End
Configuration Notes
l The physical interfaces are successfully added to the MP group only after PPP
negotiation is complete. Therefore, restart all the physical interfaces in the MP group
after the configuration to trigger PPP negotiation.
l The local user name and password must be identical with the remote user name and
password for CHAP authentication.
Networking Requirements
As shown in Figure 5-20, all the hosts on the enterprise intranet connect to the same PPPoE
client, and the PPPoE client is connected to the Internet through a PPPoE server. Router is the
PPPoE client and authenticated by the PPPoE server.
Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Create dialer rule 1.
#
acl 3002 //Configure an ACL.
rule 5 permit ip source 192.168.0.0 0.0.0.255
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Set the link layer protocol of the dialer interface to PPP.
ip address ppp-negotiate //Enable the interface to obtain an IP address after
a successful PPP negotiation.
ppp chap user client //Configure the user name for PPPoE clients to use in
CHAP authentication by the PPPoE server.
ppp chap password cipher %@%@VGZIW'r|aGrQ"v8`<pEP$7uH%@%@ //Configure the
password for PPPoE clients to use in CHAP authentication by the PPPoE server.
dialer user server //Enable RS-DCC.
dialer bundle 1 //Apply dialer bundle 1 to the dialer interface.
dialer-group 1 //Add the dialer interface to dialer group 1.
nat outbound 3002 //Configure outbound NAT in Easy IP mode.
tcp adjust-mss 1200 //Set the maximum segment size (MSS) of TCP packets.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 //Enable the PPPoE client function on the
Ethernet interface.
#
ip route-static 0.0.0.0 0 Dialer0 //Configure a static route to the PPPoE
server, with dialer0 as the outbound interface.
----End
Configuration Notes
l The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer bundle number in dialer bundle must be the same as the dial-
bundle-number value in pppoe-client.
l You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
l The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server.
l The PPPoE client function is enabled on the Ethernet interface. If you specify the on-
demand parameter, the on-demand dial-up mode is configured. After being
disconnected, the device can create a dial-up connection only when data needs to be
transmitted. If you do not specify the on-demand parameter, the automatic dial-up
mode is configured. After being disconnected, the device will automatically attempt to
create a dial-up connection at intervals.
Networking Requirements
In Figure 5-21, the device functioning as a PPPoE client is connected to LAN users (hosts)
through a downlink interface GE1/0/0 and connected to the PPPoE server through an uplink
interface GE2/0/0.
It is expected that hosts share the same Internet account. During connection establishment,
hosts are authenticated by the PPPoE server through this account. After the authentication is
successful, a PPPoE session will be established. The following user requirements need to be
met:
l The device establishes an IPv6 connection with the PPPoE server through PPP
authentication.
l After the connection is disconnected, the device periodically attempts to set up a dial-up
connection again.
Configuration Roadmap
The configuration roadmap is as follows:
1. For Ethernet interface access, create a PPPoE session and bind it to
GigabitEthernet2/0/0.
2. Configure CHAP authentication on the dialer interface so that the device can establish a
connection with the PPPoE server through PPP authentication.
3. To enable the dialer interface to automatically obtain an IPv6 address, enable stateless
address autoconfiguration on the device. Enable the device to apply for IPv6 address
prefixes and allocate the prefixes to hosts.
4. Set the dial-up mode to automatic dial-up. This mode enables the device to periodically
attempt to set up a dial-up connection again after the connection is disconnected.
Procedure
Step 1 Enable the IPv6 function globally.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
Step 3 Enable the DHCPv6 client function and assign IPv6 address prefixes to hosts.
[Router-Dialer1] ipv6 enable // Enable the IPv6 function on the dialer interface.
[Router-Dialer1] ipv6 address auto link-local // Configure the device to
automatically generate a link-local address for the interface.
[Router-Dialer1] ipv6 address auto global default // Enable the device to
automatically generate an IPv6 global address through stateless autoconfiguration.
[Router-Dialer1] undo ipv6 nd ra halt // Enable the device to send RA messages.
----End
Configuration Files
Configuration file of the PPPoE client
#
sysname Router
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ipv6 enable
ip address ppp-negotiate
dialer user user2
dialer bundle 1
ipv6 address auto link-local
ipv6 address auto global default
undo ipv6 nd ra halt
dhcpv6 client pd Huawei
#
interface GigabitEthernet2/0/0
undo portswitch
pppoe-client dial-bundle-number 1
#
return
Configuration Notes
l The authentication mode, IP address allocation mode, and IP address or IP address pool
of the PPPoE client need to be configured on the PPPoE server. The configuration
procedure varies based on the device that functions as the IPv6 PPPoE server. For
details, see the device documentation.
l The number specified in the dialer-rule command must be the same as that specified in
the dialer-group command. The number specified in the dialer bundle command must
be the same as dial-bundle-number specified in the pppoe-client command.
l You can define a user name using the dialer user command on a dialer interface. The
dialer user command enables only the resource-shared DCC (RS-DCC) function.
l IPv6 needs to be enabled globally before being enabled on an interface.
l The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server. The dialer interface must be Up.
l When enabling the PPPoE client function on an Ethernet interface, if you specify the on-
demand parameter, on-demand dial-up will be performed. After the connection is
disconnected, the device sets up a dial-up connection only when data needs to be
transmitted. If you do not specify the on-demand parameter, automatic dial-up will be
performed. After the connection is disconnected, the device periodically attempts to set
up a dial-up connection again.
Networking Requirements
As shown in Figure 5-22, hosts with PPPoE client installed on the enterprise intranet access
the Internet through the Router. The Router functions as the PPPoE server to perform local
authentication and allocates IP addresses to the hosts from an IP address pool.
Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
ip pool pool2 //Create an IP address pool2.
gateway-list 192.168.10.1 //Configure the egress gateway IP address.
network 192.168.10.0 mask 255.255.255.0 //Configure the range of allocable IP
addresses in the address pool.
#
aaa //Configure local authentication.
local-user client password cipher %@%@N!}w4F\6;42P$A2'XqkP(Ix6%@%@ //Configure
the user name for PPPoE clients to use in authentication.
local-user client privilege level 0
local-user client service-type ppp //Set the service type of the PPPoE client
to PPP.
#
interface Virtual-Template1 //Create a virtual template (VT) interface and
----End
Configuration Notes
After the PPPoE client is installed on all hosts and the client user names and passwords are
configured on the hosts, the hosts can use the PPPoE protocol to access the Internet through
the Router.
Networking Requirements
As shown in Figure 5-23, a Router Ethernet interface connects to the ADSL modem and
the Router connects to the Internet using PPPoE.
Figure 5-23 Networking diagram for connecting the Router to the Internet through the
external ADSL modem
Procedure
Step 1 Configure the Router. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable PPPoE client.
#
ip route-static 0.0.0.0 0 Dialer0 //Configure Dialer0 as the outbound
interface of the default route.
----End
Configuration Notes
l The dialer rule numbers in dialer-rule and dialer-group must be the same. The dialer
bundle numbers in dialer bundle and pppoe-client dial-bundle-number must be the same.
l If the on-demand parameter is specified, run the dialer timer idle command to set the
link idle time on the dialer interface.
l You can define a user name using the dialer user command. The dialer user command
only enables the RS-DCC function.
l If the public network can be connected but web pages cannot be opened after NAT is
performed, run the tcp adjust-mss command on the public network interface. For
PPPoE applications, the recommended maximum segment size (MSS) is 1200 bytes.
Networking Requirements
As shown in Figure 5-24, RouterA and RouterB are connected through the PSTN. Circular-
DCC (C-DCC) is configured on the routers to allow the routers to dial to each other using the
modems.
Figure 5-24 Networking for connecting the router to the PSTN through a modem in C-DCC
mode
Procedure
Step 1 Configure RouterA.
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
interface Async2/0/0 //Enter the view of Async2/0/0.
link-protocol ppp //Set the link layer protocol of Async2/0/0 to PPP.
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Async2/0/0.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add Async2/0/0 to dialer group 1.
dialer number 600152 //Configure the dial number used to call the remote end.
#
user-interface tty 9 //Enter the user interface view.
modem both //Grant the call-in and call-out permissions to the modem.
modem auto-answer //Configure the modem to work in auto-answer mode.
#
ip route-static 20.1.1.1 255.255.255.255 Async2/0/0 //Configure a static route
to the remote end.
#
Configuration Notes
l The Async interfaces on the local and remote ends must have the same physical
attributes and link-layer attributes. It is recommended that the routers retain the default
settings. When the Async interfaces work in the flow mode, the link layer protocol
cannot be set to PPP.
l The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group.
l To allow both incoming and outgoing calls, run the modem both command in the user
view.
l There are two modem answer modes: auto-answer and non-auto answer. If the AA
indicator of a modem is on, the modem works in auto-answer mode. The modem answer
mode configured on the router must be the same as the answer mode of the modem
connecting to the router's asynchronous serial interface.
– If the modem works in auto-answer mode, run the modem auto-answer command
before using the dialing function.
– If the modem works in non-auto answer mode, run the undo modem auto-answer
command.
Networking Requirements
As shown in Figure 5-25, RouterA and RouterB are connected through the ISDN. The routers
have resource-shared DCC (RS-DCC) configured and authenticate each other using CHAP.
Figure 5-25 Networking for connecting the router to the ISDN through the ISDN PRI
interface in RS-DCC mode
Procedure
Step 1 Configure RouterA. (Take V200R005C20 as an example.)
#
dialer-rule //Enter the dialer rule view.
dialer-rule 1 ip permit //Configure dialer rule 1.
#
aaa //Configure local authentication.
local-user userb password cipher %@%@N!}w4F\6;42P$A2'XqkP(Ix6%@%@ //Configure
the local user name and password.
local-user userb privilege level 0
local-user userb service-type ppp //Set the service type of the local user to
PPP.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Set the link layer protocol of the dialer interface to PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user usera //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the
password used for CHAP authentication.
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the dialer
interface.
dialer user userb //Enable RS-DCC and configure the user name for the remote
end.
dialer bundle 1 //Apply dialer bundle 1 to the dialer interface.
dialer number 660210 //Configure the dialer number used to call the remote end.
dialer-group 1 //Add the dialer interface to dialer group 1.
#
controller E1 1/0/0 //Configure an ISDN PRI interface.
pri-set
#
interface Serial1/0/0:15 //Enter the ISDN PRI interface view.
link-protocol ppp //Set the link layer protocol of the ISDN PRI interface to
PPP.
ppp authentication-mode chap //Set the authentication mode for PPP users to
CHAP.
ppp chap user usera //Configure the user name used for CHAP authentication.
ppp chap password cipher %@%@4k`38}:/##N~BmPHev|;;rdS%@%@ //Configure the
password used for CHAP authentication.
dialer bundle-member 1 //Apply dialer bundle 1 to the ISDN PRI interface.
#
# RouterA and RouterB can communicate with each other using the ISDN and authenticate
each other.
----End
Configuration Notes
l The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer bundle number in dialer bundle must be the same as the dialer
bundle number in dialer bundle-member.
l It is recommended that PAP or CHAP authentication be configured on the physical and
dialer interfaces of the local and remote ends.
l When PPP encapsulation is enabled on a dialer interface, run the dialer user command
to configure the user name for the remote end. The local end compares the configured
remote end user name with the user name obtained through PPP authentication to
determine the dialer interface accepting the call.
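The notes on matching numbers (dialer-rule and dialer-group; dialer bundle and dial-bundle-number or dialer bundle-member) recur in every dial-up example above. The following added Python script, not code from the Huawei guide, checks a saved configuration for exactly those cross-references; the regular expressions are a simplification of the CLI syntax and the sample configuration at the bottom is constructed.

```python
"""Check the dialer cross-references the Configuration Notes require:
'dialer-rule N' <-> 'dialer-group N', and 'dialer bundle N' on a dialer
interface <-> 'pppoe-client dial-bundle-number N' or 'dialer bundle-member N'
on the physical interface.  Added example; the regexes are a deliberate
simplification of the Huawei CLI, and the sample configuration is constructed."""
import re
from typing import List, Tuple

IFACE        = re.compile(r"^\s*interface\s+(\S+)")
RULE_DEF     = re.compile(r"^\s*dialer-rule\s+(\d+)\s+\S")          # dialer-rule 1 ip permit
RULE_USE     = re.compile(r"^\s*dialer-group\s+(\d+)\s*$")          # dialer-group 1
BUNDLE_DEF   = re.compile(r"^\s*dialer\s+bundle\s+(\d+)\s*$")       # dialer bundle 1
BUNDLE_PPPOE = re.compile(r"^\s*pppoe-client\s+dial-bundle-number\s+(\d+)")
BUNDLE_MEMB  = re.compile(r"^\s*dialer\s+bundle-member\s+(\d+)")


def strip_comment(line: str) -> str:
    """Drop the '//...' annotation the guide prints after commands."""
    return line.split("//", 1)[0].rstrip()


def check_dialer_config(config: str) -> List[str]:
    """Return one message per dangling reference; an empty list means consistent."""
    rules_defined, bundles_defined = set(), set()
    rule_uses: List[Tuple[str, str]] = []    # (view, number)
    bundle_uses: List[Tuple[str, str]] = []
    view = "(system view)"
    for raw in config.splitlines():
        line = strip_comment(raw)
        m = IFACE.match(line)
        if m:
            view = m.group(1)
        elif (m := RULE_DEF.match(line)):
            rules_defined.add(m.group(1))
        elif (m := RULE_USE.match(line)):
            rule_uses.append((view, m.group(1)))
        elif (m := BUNDLE_DEF.match(line)):
            bundles_defined.add(m.group(1))
        elif (m := BUNDLE_PPPOE.match(line)) or (m := BUNDLE_MEMB.match(line)):
            bundle_uses.append((view, m.group(1)))
        elif line.strip() == "#":
            view = "(system view)"           # '#' separates views in the config file
    problems = []
    for view, n in rule_uses:
        if n not in rules_defined:
            problems.append(f"{view}: dialer-group {n} but no dialer-rule {n} defined")
    for view, n in bundle_uses:
        if n not in bundles_defined:
            problems.append(f"{view}: bundle {n} referenced but no dialer interface "
                            f"has 'dialer bundle {n}'")
    return problems


# Constructed sample mirroring the PPPoE-client example, with the Ethernet
# interface deliberately pointing at bundle 2 while the dialer defines bundle 1.
SAMPLE_CONFIG = """\
#
dialer-rule
 dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 ip address ppp-negotiate
 dialer user server //Enable RS-DCC.
 dialer bundle 1
 dialer-group 1
#
interface Ethernet2/0/0
 pppoe-client dial-bundle-number 2
#
"""

if __name__ == "__main__":
    for msg in check_dialer_config(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(msg)
```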
Networking Requirements
RouterA and RouterB use the High-level Data Link Control (HDLC) protocol to
communicate with each other.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface Serial1/0/0
link-protocol hdlc
ip address 10.1.1.1 255.255.255.0
#
return
----End
Configuration Notes
l The IP addresses of RouterA and RouterB must be in the same network segment,
otherwise, RouterA and RouterB cannot communicate with each other.
6.1 L2TP
6.2 GRE
6.3 DSVPN
6.4 IPSec
6.5 BGP/MPLS IP VPN
6.6 VLL
6.7 PWE3
6.1 L2TP
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-1, users on enterprise branches LAN1 and LAN2 connect to the LAC
using PPPoE and initiate connections with enterprise headquarters LAN3.
Two domains are configured on the LAC: aaa.com and bbb.com. Users in the domain aaa.com
are located on the network segment 10.1.1.0/24 and users in the domain bbb.com are located
on the network segment 10.2.1.0/24.
There is a reachable route from the LNS to the LAC and a tunnel is set up between the LNS
and the LAC. After access users are authenticated, the LNS allocates IP addresses and
gateway addresses to the access users.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa
authentication-scheme lmt
domain aaa.com
authentication-scheme lmt
domain bbb.com
authentication-scheme lmt
local-user user1@aaa.com password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
local-user user1@aaa.com service-type ppp
local-user user1@aaa.com privilege level 0
local-user user2@bbb.com password cipher %@%@qh-<X%_2QB+^!UR+UkxUA/6<%@%@
local-user user2@bbb.com privilege level 0
local-user user2@bbb.com service-type ppp //Configure local user names and
passwords on the PPPoE server.
#
interface Virtual-Template1 //Create a virtual template interface VT1 and set
parameters for the PPPoE server.
ppp authentication-mode chap //Set the authentication mode to CHAP.
#
interface GigabitEthernet1/0/0
ip address 202.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1 //Enable PPPoE server on the interface,
import parameters configured on VT1, and authenticate dialup users.
#
interface GigabitEthernet3/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set parameters for L2TP setup.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@ //Enable tunnel
authentication, and set the cipher password to huawei, which is the same as that
on the peer device.
tunnel name lac1 //Set the tunnel name to lac1, which is identified by the peer
LNS.
start l2tp ip 202.1.1.1 domain aaa.com //Initiate L2TP tunnel setup to the peer
device. This example assumes that the domain name of access users is aaa.com.
#
l2tp-group 2
tunnel password cipher %@%@EB~j7Je>;@>uNr''D=J<]\WL%@%@
tunnel name lac2
start l2tp ip 202.1.1.1 domain bbb.com
#
----End
Configuration Notes
l An L2TP group is created for each domain and different L2TP groups have different
tunnel names.
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
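The requirement that the tunnel password (and, in the MP example earlier, the CHAP password) be identical at both ends follows from how the response is computed: each side hashes its own copy of the secret. The following added Python example, not code from the Huawei guide, walks through one PPP CHAP round (RFC 1994) and the L2TP tunnel authentication exchange (RFC 2661) with both sides' computations; user names, secrets and challenges are constructed.

```python
"""CHAP challenge/response as used by PPP CHAP (RFC 1994) and, with the L2TP
message type in place of the CHAP Identifier, by L2TP tunnel authentication
(RFC 2661).  Added illustration; not code from the Huawei AR guide.  All user
names, secrets and challenge values below are constructed."""
import hashlib
import hmac
import os

# L2TP control message types that carry a Challenge Response AVP (RFC 2661).
SCCRP = 2   # LNS -> LAC, answers the challenge carried in SCCRQ
SCCCN = 3   # LAC -> LNS, answers the challenge carried in SCCRP


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || secret || Challenge).

    Both ends need the cleartext secret, which is why CHAP secrets must be
    kept in recoverable form on the authenticator rather than as one-way hashes.
    """
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side: recompute with its own copy and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def ppp_chap_exchange(local_users: dict, peer_user: str, peer_secret: bytes,
                      challenge: bytes = b"") -> bool:
    """One PPP CHAP round.

    local_users models the authenticator's 'local-user <name> password' entries;
    peer_user / peer_secret model the peer's 'ppp chap user' and
    'ppp chap password'.  Returns True on CHAP Success, False on CHAP Failure.
    """
    identifier = 1
    challenge = challenge or os.urandom(16)
    # Peer computes the response with the secret configured on its side.
    response = chap_response(identifier, peer_secret, challenge)
    # Authenticator looks the name up and recomputes with its own secret.
    if peer_user not in local_users:          # unknown user: CHAP Failure
        return False
    return chap_verify(identifier, local_users[peer_user], challenge, response)


def l2tp_tunnel_response(message_type: int, tunnel_secret: bytes,
                         challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: same computation as CHAP, Message Type as the Identifier."""
    return chap_response(message_type, tunnel_secret, challenge)


def l2tp_tunnel_auth(lac_secret: bytes, lns_secret: bytes,
                     lac_challenge: bytes = b"", lns_challenge: bytes = b"") -> bool:
    """Mutual tunnel authentication during SCCRQ / SCCRP / SCCCN.

    lac_secret / lns_secret model 'tunnel password' on each l2tp-group.  Both
    directions must verify, so a mismatch on either side tears the tunnel down.
    """
    lac_challenge = lac_challenge or os.urandom(16)   # sent by the LAC in SCCRQ
    lns_challenge = lns_challenge or os.urandom(16)   # sent by the LNS in SCCRP
    # SCCRP: LNS answers the LAC's challenge; LAC verifies with its own secret.
    lns_resp = l2tp_tunnel_response(SCCRP, lns_secret, lac_challenge)
    if not chap_verify(SCCRP, lac_secret, lac_challenge, lns_resp):
        return False
    # SCCCN: LAC answers the LNS's challenge; LNS verifies with its own secret.
    lac_resp = l2tp_tunnel_response(SCCCN, lac_secret, lns_challenge)
    return chap_verify(SCCCN, lns_secret, lns_challenge, lac_resp)


if __name__ == "__main__":
    # Constructed values mirroring the guide's userb@system / tunnel password.
    users = {"userb@system": b"Huawei@1234"}
    print("same CHAP password  ->", ppp_chap_exchange(users, "userb@system", b"Huawei@1234"))
    print("wrong CHAP password ->", ppp_chap_exchange(users, "userb@system", b"Huawei@4321"))
    print("same tunnel password->", l2tp_tunnel_auth(b"huawei", b"huawei"))
    print("tunnel mismatch     ->", l2tp_tunnel_auth(b"huawei", b"Huawei"))
```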
Networking Requirements
As shown in Figure 6-2, an enterprise has some branches located in other cities, and the
branches use the Ethernet network.
The enterprise requires that the headquarters should provide VPDN services for branch users,
so that the branch users can access the headquarters network. When branch users access
intranet servers on the headquarters network, data should be encrypted to prevent data leaks.
To meet these requirements, you can configure the LAC to initiate an L2TP connection
request to the LNS. Then you can configure IPSec to protect data exchanged between branch
users and intranet servers. IPSec-encrypted data is transmitted over the L2TP tunnel between
the LAC and LNS.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.2.1.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
#
ipsec proposal lac //Create an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lac v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
remote-address 10.4.1.1 //Specify an IP address for the remote IPSec interface.
#
ipsec policy lac 1 isakmp //Create an IPSec policy.
security acl 3000
ike-peer lac
proposal lac
#
interface Virtual-Template1 //Create a virtual tunnel template.
ppp chap user huawei //Set the user name of a virtual PPP user to huawei.
ppp chap password cipher %@%@\;#%<c~6Y%cNZK/h.pK%:>Uo%@%@ //Set the password of
the virtual PPP user to Huawei@1234.
ip address ppp-negotiate //Configure IP address negotiation.
l2tp-auto-client enable //Enable the virtual PPP user to initiate an L2TP
connection request.
ipsec policy lac //Apply an IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set related attributes.
tunnel password cipher %@%@7v&1O#yr\#gl]w=Rk^uY:>@"%@%@ //Enable tunnel
authentication and set the cipher-text password to huawei, which is the same as
the password specified on the remote device.
tunnel name lac
start l2tp ip 1.1.2.1 fullusername huawei
#
ip route-static 10.3.1.0 255.255.255.0 Virtual-Template1 10.1.1.1 //Configure a
static route.
ip route-static 10.4.1.0 255.255.255.0 Virtual-Template1
#
return
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l On the LAC, the IPSec policy must be bound to the VT1 interface.
l When you configure a static route on the LAC, the outbound interface in the route
destined to the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 6-3, users connect to the LNS to access the headquarters network through
the LAC. Data exchanged between the LAC and LNS is encrypted by IPSec.
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
#
l2tp enable
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 12.1.1.1 0 destination 12.1.1.2 0
#
ipsec proposal lns //Configure an IPSec proposal.
esp authentication-algorithm sha2-512
esp encryption-algorithm aes-256
#
ike peer lns v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //
Configure the authentication password in the pre-shared key to huawei, in cipher
text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
the password is displayed in plain text.
remote-address 12.1.1.2
#
ipsec policy lns 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer lns
proposal lns
#
ip pool 1 //Configure an IP address pool.
gateway-list 13.1.1.1
network 13.1.1.0 mask 255.255.255.0
#
aaa //Configure a local user.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1 //Configure a virtual template interface, and
configure the authentication mode, IP address, and interface address pool.
ppp authentication-mode chap
remote address pool 1
ip address 13.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0 //Assign an IP address to the WAN-side interface.
ip address 12.1.1.1 255.255.255.0
ipsec policy lns //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0 //Assign an IP address to the LAN-side interface.
ip address 192.168.0.1 255.255.255.0
#
l2tp-group 1 //Configure an L2TP group and set attributes.
allow l2tp virtual-template 1 remote LAC
tunnel password cipher %@%@5j*=S&AGSK'J}kG])REK]_-o%@%@ //Enable tunnel
authentication, and set the cipher password to huawei, which is the same as that
on the peer device.
tunnel name LNS
#
ip route-static 192.168.1.0 255.255.255.0 Virtual-Template1 //Configure a static route.
#
return
# Run the display ike sa command on the LAC or LNS to view SA setup.
# Run the dis l2tp session command on the LAC or LNS to view L2TP session setup.
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l The IPSec policy is bound to the external network interface. Packets are encapsulated
with the L2TP header, and then the IPSec header.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-4, physical positions of traveling employees often change and they
need to communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users. In this
example, the PC runs Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 6-4 Networking for configuring remote dialup users to connect to the external network
through the L2TP tunnel
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation,
and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns
from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password
for L2TP access.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet
access.
#
interface Virtual-Template1 //Create an L2TP group and set
parameters for creating an L2TP tunnel.
ppp authentication-mode chap
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so
that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1
undo tunnel authentication //The non-authentication mode is
recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
Enter an Internet address which is the IP address of the LNS (202.1.1.1), enter a destination
name (for example, L2TP) as the network connection name, select Don't connect now; just
set it up so I can connect later, and click Next. You can customize a destination name.
Enter the user name huawei and password Huawei@1234 and click Create.
NOTE
Click Close.
Select Display progress while connecting and Prompt for name and password certificate,
etc on the Options tab.
NOTE
Do not change the parameters that are displayed after you click PPP Settings.
On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec for Type
of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication Protocol
[CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow these protocols.
NOTE
If you click Advanced settings, a dialog box is displayed on which you can set the IPSec pre-shared
key. Do not set the IPSec pre-shared key here.
You do not need to modify settings on the Networking and Sharing tabs.
Choose Start > Run > Network and Sharing Center and click Connect to a network. The
created L2TP connection is displayed. Right-click L2TP, enter the user name and password,
and click Connect.
# After the configurations are complete, PC1 can obtain the private IP address 192.168.1.254,
and can communicate with headquarters PC and access external resources.
----End
Example
Configuration Notes
Networking Requirements
As shown in Figure 6-5, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
Windows XP operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 6-5 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation,
and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns
from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
d. Fill in the company name as the connection name. For example, fill in L2TP and
click Next.
b. Click the Security tab page, select Advanced (custom settings), and click
Settings.
NOTE
If you click IPSec Settings on the page, the IPSec Settings page is displayed for you to set a
pre-shared key for authentication. Do not set a pre-shared key here.
c. Click Networking, and set Type of VPN to the default Auto or L2TP IPSec VPN.
Do not change any configurations on the Advanced tab page.
d. On the Network Connections page, double-click L2TP you have created, enter a
user name and password, and click Connect.
----End
Configuration Notes
l Because enterprise users use PCs to connect to the enterprise network, tunnel
authentication cannot be configured.
l Add the network segment where employees requiring Internet access are located to an
ACL and perform NAT.
l To ensure that employees can use domain names to access external resources, configure
the LNS IP address as the DNS server IP address on the virtual template interface.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-6, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the PC runs
Windows 7 operating system.
After an L2TP connection is set up, employees can only access internal resources. To ensure
that traveling employees can access external resource after successful dialup, configure NAT
on the LNS.
Figure 6-6 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation,
and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns
from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password
for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet
access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure authentication with
domain names.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so
that employees can access external resources using domain names.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure
L2TP connection parameters.
undo tunnel authentication //The non-authentication mode is
recommended for PC dialup.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return
c. Set Internet address to 202.1.1.1 (the IP address of the LNS) and Destination
name such as L2TP. The destination name is used as the network connection name.
Select Don't connect now; just set it up so I can connect later and then click
Next.
e. Click Close.
b. Select Display progress while connecting and Prompt for name and password
certificate, etc on the Options tab.
NOTE
Do not change the parameters that are displayed after you click PPP Settings.
c. On the Security tab, select Automatic or Layer 2 Tunneling Protocol with IPsec
for Type of VPN.
Select Unencrypted password [PAP], Challenge Handshake Authentication
Protocol [CHAP], and Microsoft CHAP Version 2 [MS-CHAP v2] in Allow
these protocols.
NOTE
If you click Advanced settings, a dialog box is displayed on which you can set the IPSec
pre-shared key. Do not set the IPSec pre-shared key here.
You do not need to modify settings on the Networking and Sharing tabs.
d. Choose Start > Run > Network and Sharing Center and click Connect to a
network. The created L2TP connection is displayed. Right-click L2TP, enter the
user name and password, and click Connect.
----End
Configuration Notes
l Because enterprise users use PCs to connect to the enterprise network, tunnel
authentication cannot be configured.
l Add the network segment where employees requiring Internet access are located to an
ACL and perform NAT.
l To ensure that employees can use domain names to access external resources, configure
the LNS IP address as the DNS server IP address on the virtual template interface.
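The CHAP user authentication configured on the virtual template (ppp authentication-mode chap) and the L2TP tunnel authentication that the notes above say must be disabled for PC dialup are both challenge/response exchanges built the same way. The following Python script is an added example, not code from the Huawei document or from the AR router software; it computes both exchanges as a dialup client (or LAC) and an LNS would, using constructed user names, secrets and challenges rather than the values in the document's configuration. PPP CHAP is RFC 1994 (Response = MD5(Identifier || secret || Challenge)); L2TP tunnel authentication (RFC 2661, section 5.1.1) reuses that construction with the control message type (2 for SCCRP, 3 for SCCCN) as the identifier and the l2tp-group tunnel password as the secret.

```python
"""Added example: PPP CHAP (RFC 1994) and L2TP tunnel authentication (RFC 2661,
section 5.1.1) computed as a dialup client/LAC and an LNS would compute them.
All names, secrets and challenges here are constructed for the example."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# L2TP control message types that stand in for the CHAP Identifier byte in
# tunnel authentication (RFC 2661): the LNS answers in SCCRP, the LAC in SCCCN.
L2TP_SCCRP = 2
L2TP_SCCCN = 3


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Only this 16-byte digest crosses the link; the secret itself never does."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The verifier recomputes the digest, so it must hold the cleartext secret.
    This is why a CHAP user's password has to be stored recoverably on the LNS."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def ppp_chap_round(lns_users: Dict[str, bytes], username: str, password: bytes,
                   identifier: int = 1, challenge: Optional[bytes] = None) -> Tuple[bool, dict]:
    """One PPP CHAP round between a dialup client and the LNS.
    Returns (authenticated, wire), where wire holds what actually crosses the
    L2TP tunnel. Without IPSec those bytes are visible on the Internet, but
    they do not contain the password."""
    challenge = challenge or os.urandom(16)                     # LNS -> client: Challenge
    response = chap_response(identifier, password, challenge)   # client -> LNS: Response + Name
    wire = {"identifier": identifier, "challenge": challenge,
            "name": username, "response": response}
    secret = lns_users.get(username)                            # lookup by full user name
    authenticated = secret is not None and chap_verify(identifier, secret, challenge, response)
    return authenticated, wire


def l2tp_tunnel_auth(lac_password: bytes, lns_password: bytes,
                     lac_challenge: Optional[bytes] = None,
                     lns_challenge: Optional[bytes] = None) -> Tuple[bool, bool]:
    """L2TP tunnel authentication (enabled by default in an l2tp-group): each
    side challenges the other, with the shared tunnel password as the secret.
    Returns (lns_accepted_lac, lac_accepted_lns)."""
    lac_challenge = lac_challenge or os.urandom(16)   # Challenge AVP in SCCRQ (LAC -> LNS)
    lns_challenge = lns_challenge or os.urandom(16)   # Challenge AVP in SCCRP (LNS -> LAC)
    # SCCRP: the LNS answers the LAC's challenge with its copy of the tunnel password.
    sccrp_response = chap_response(L2TP_SCCRP, lns_password, lac_challenge)
    lac_accepted_lns = chap_verify(L2TP_SCCRP, lac_password, lac_challenge, sccrp_response)
    # SCCCN: the LAC answers the LNS's challenge with its own copy.
    scccn_response = chap_response(L2TP_SCCCN, lac_password, lns_challenge)
    lns_accepted_lac = chap_verify(L2TP_SCCCN, lns_password, lns_challenge, scccn_response)
    return lns_accepted_lac, lac_accepted_lns


if __name__ == "__main__":
    users = {"employee@example.com": b"correct horse"}          # constructed LNS user table
    ok, wire = ppp_chap_round(users, "employee@example.com", b"correct horse", identifier=7)
    print("CHAP accepted:", ok, "| response on the wire:", wire["response"].hex())
    print("CHAP with wrong password:", ppp_chap_round(users, "employee@example.com", b"wrong")[0])
    print("tunnel auth, same password on both ends:", l2tp_tunnel_auth(b"tunnel-pw", b"tunnel-pw"))
    print("tunnel auth, mismatched passwords:", l2tp_tunnel_auth(b"tunnel-pw", b"other-pw"))
```

The mismatched-password case is the failure the later Configuration Notes describe ("passwords at both ends of the tunnel must be the same"): both SCCRP and SCCCN responses verify only when LAC and LNS hold the same tunnel password.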
Networking Requirements
As shown in Figure 6-7, physical positions of traveling employees often change and they
need to communicate with the headquarters at any time. L2TP is deployed on the enterprise
network and traveling employees connect to the enterprise network through dialup so that the
headquarters gateway can identify and manage access users. In this example, the VPN client
is installed on the PC.
After an L2TP connection is set up, employees can access only internal resources. To ensure that traveling employees can also access external resources after successful dialup, configure NAT on the LNS.
Figure 6-7 Establishing an L2TP tunnel between a remote dialup user and the headquarters
based on the authentication domain
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL for NAT translation, and translate addresses allocated by L2TP using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user 123456789@huawei.com privilege level 0
local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
ip address 202.1.1.1 255.255.255.0
nat outbound 2001 //Configure outbound NAT for Internet access.
#
interface Virtual-Template1 //Create a VT and set dialup parameters.
ppp authentication-mode chap domain huawei.com //Configure the authentication mode and specify the domain name.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Allocate the DNS server address so that employees can access external resources using domain names.
c. Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.
e. Set The name is to the VPN connection name such as L2TP and click Finished.
b. Click the Basic Settings tab page and modify the user name and password based on
the actual situation.
c. Do not modify the parameters on the L2TP Settings tab page if configurations on
the LNS are not modified. The parameters must be the same as those on the LNS.
d. In HUAWEI VPN Client, select the created L2TP and click Connect.
# After the configurations are complete, PC1 obtains the private IP address 192.168.1.254, can communicate with the headquarters PC, and can access external resources.
----End
Configuration Notes
l Add the network segment where employees requiring Internet access are located (the address pool allocated to dialup users) to an ACL and perform NAT on the outbound interface.
l To ensure that employees can use domain names to access external resources, configure the DNS server IP address on the virtual template interface (ppp ipcp dns).
6.1.8 Example for Configuring L2TP over IPSec for Remote Dial-
Up Users to Traverse NAT Devices and Connect to the
Headquarters over the Internet
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-8, physical positions of traveling employees often change and they
need to communicate with the headquarters and access internal resources at any time. L2TP is
deployed on the enterprise network and traveling employees connect to the enterprise network
through dialup so that the headquarters gateway can identify and manage access users.
Traveling employees connect to the Internet through the NAT device. Traffic sent from
traveling employees to the headquarters needs to be encapsulated through IPSec to ensure
security. In addition, the LNS functions as the gateway and has the firewall service deployed.
NAT traversal in L2TP over IPSec can be configured to meet requirements. Because the L2TP
over IPSec configuration on the PC is complex, and settings such as the registry and services
need to be modified, Huawei dialup software Secoway VPN Client is used on the PC. You can
visit http://support.huawei.com to obtain the software version.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
ike local-name xp //Use the local name for IKE negotiation. A name-type ID must be used for NAT traversal in IPSec, because the peer's source address is rewritten by the NAT device.
#
acl number 3001 //Configure an ACL that the firewall uses to permit L2TP and IPSec control traffic.
rule 5 permit udp destination-port eq 1701 //Permit L2TP (UDP port 1701).
rule 10 permit udp destination-port eq 4500 //Permit IKE and UDP-encapsulated ESP on the NAT traversal port (UDP 4500) used once NAT is detected.
rule 15 permit udp destination-port eq 500 //Permit IKE negotiation (UDP 500) before NAT traversal takes effect.
#
ipsec proposal 1
esp encryption-algorithm aes-256
#
ike peer xp v1 //The commands used to configure IKE peers and the IKE protocol version differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously: an initiator uses IKEv2 to initiate a negotiation request, while a responder accepts IKEv1 or IKEv2. To initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Configure the aggressive mode. In this version NAT traversal is supported only in aggressive mode. In V200R005C00 and later versions, this configuration is not required.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key (huawei in this example) in cipher text. In V200R003C00 and earlier versions the command is pre-shared-key huawei, and the key is displayed in plain text.
local-id-type name //Set the local ID type to name in IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
nat traversal //Enable NAT traversal. In V200R008 and later versions, the device supports NAT traversal by default, and this command is not supported.
#
ipsec policy-template xptemp 2 //Configure an IPSec policy template so that negotiation requests from multiple PCs can be processed.
ike-peer xp
proposal 1
#
ipsec policy xp 1 isakmp template xptemp //Reference the IPSec policy template in an IPSec policy.
#
ip pool lns //Create an IP address pool named lns from which IP addresses are allocated to access users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password for L2TP access.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
firewall zone untrust
priority 1
#
firewall zone trust
priority 15
#
Set LNS Server to 202.1.1.1, enter the user name and password, and click Next.
Select CHAP from the Authentication Mode drop-down list box, select Enable IPSec
Protocol, select Pre-Shared-Key, set Pre-shared-key to huawei (the pre-shared key must be
the same as that on the LNS), and click Next.
Set IPSec and IKE attributes. Set ESP Authentication Algorithm to MD5 and ESP Encryption Algorithm to AES-256. In IKE, set Authentication Algorithm to SHA-1, Encryption Algorithm to DES-CBC, Negotiation Mode to Aggressive mode, ID Type to Name, Local Gateway Name to any value, and Remote Gateway Name to xp (the value must be the same as the local name in IKE negotiation on the LNS), and click Next. MD5, SHA-1 and DES have known weaknesses; the values must match what the LNS negotiates, so where both the client software and the LNS support stronger algorithms, configure them identically on both ends.
Enter the VPN connection name in The name is. The VPN connection name can be user-
defined. Here, the value is My connection. Then click Finished.
Select My connection and click Property. The My connection Properties page is displayed.
Click Basic Settings. Modify the user name and password according to the actual situation.
Parameters in L2TP Settings, IPSec Settings, IKE Settings, and Advanced are the same as
those on the LNS. If parameters on the LNS are not modified, parameters on these tab pages
do not need to be modified.
On the Secoway VPN Client page, select My connection and click Connect.
# After the configurations are complete, PC2 and PC3 can obtain private IP addresses and
communicate with PC1.
----End
Configuration Notes
Note the following points:
l Because enterprise users connect to the enterprise network from PCs, tunnel authentication cannot be configured.
l The settings on the dialup software and the LNS must be the same; otherwise, the IPSec and L2TP tunnels may fail to be set up.
l A NAT device is deployed between enterprise users and the LNS, so the aggressive mode must be used to implement NAT traversal, and names (not IP addresses) must be used as IDs in IKE negotiation. In V200R005C00 and later versions, there is no such limitation.
l When the firewall service is deployed on the LNS, configure an ACL to permit the UDP ports used by L2TP and IPSec: 1701 (L2TP), 500 (IKE) and 4500 (IKE and UDP-encapsulated ESP after NAT traversal).
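ACL 3001 and the last note above list the three UDP ports the firewall must open, but UDP 4500 carries three different things once NAT traversal is active. The following Python script is an added example, not code from the Huawei document or from the AR firewall; it decodes what arrives on each port so that a packet capture taken on the LNS can be checked against the ACL and against the aggressive-mode requirement. The header layouts and constants come from RFC 2408 (ISAKMP header), RFC 3948 (non-ESP marker and NAT-keepalive on UDP 4500) and RFC 7296 (IKEv2 exchange types); the sample datagrams are constructed, not captured.

```python
"""Added example: classify the UDP datagrams that the LNS firewall ACL admits
for L2TP over IPSec with NAT traversal (UDP 500, 4500 and 1701) and decode the
ISAKMP header so the negotiation mode (main or aggressive) can be checked.
Sample datagrams are constructed here; nothing was captured from the devices
in the document."""
import struct
from dataclasses import dataclass
from typing import Dict

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948: IKE on UDP 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                    # RFC 3948: one-byte NAT-keepalive
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408: cookies, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES: Dict[int, str] = {
    2: "IKEv1 main mode (identity protection)", 4: "IKEv1 aggressive mode",
    5: "IKEv1 informational", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


@dataclass
class Classified:
    kind: str          # "ike", "esp", "keepalive" or "l2tp"
    detail: str = ""


def build_isakmp(init_spi: bytes, resp_spi: bytes, exchange: int, body: bytes,
                 version: int = 0x10, next_payload: int = 1, msg_id: int = 0) -> bytes:
    """Build an ISAKMP/IKE message with a correct length field (used for the samples)."""
    return ISAKMP_HDR.pack(init_spi, resp_spi, next_payload, version, exchange, 0,
                           msg_id, ISAKMP_HDR.size + len(body)) + body


def build_udp_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """UDP-encapsulated ESP (RFC 3948): the ESP header itself starts the UDP payload."""
    return struct.pack("!II", spi, seq) + payload


def parse_isakmp(pkt: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header and sanity-check its length field."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    init_spi, resp_spi, next_payload, version, exchange, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("ISAKMP length %d does not match datagram length %d" % (length, len(pkt)))
    return {"initiator_spi": init_spi, "responder_spi": resp_spi,
            "version": (version >> 4, version & 0x0F), "exchange": exchange,
            "exchange_name": EXCHANGE_TYPES.get(exchange, "unknown(%d)" % exchange),
            "flags": flags, "msg_id": msg_id}


def classify_udp(dst_port: int, payload: bytes) -> Classified:
    """Map a datagram arriving on one of the ACL 3001 ports to what it carries."""
    if dst_port == 500:                                   # IKE before NAT is detected
        return Classified("ike", parse_isakmp(payload)["exchange_name"])
    if dst_port == 1701:                                  # L2TP (inside ESP once the IPSec SA is up)
        return Classified("l2tp")
    if dst_port == 4500:                                  # NAT-T port: three formats multiplexed
        if payload == NAT_KEEPALIVE:
            return Classified("keepalive")
        # An ESP SPI of 0 is reserved, so four leading zero bytes can only be the marker.
        if payload.startswith(NON_ESP_MARKER):
            return Classified("ike", parse_isakmp(payload[len(NON_ESP_MARKER):])["exchange_name"])
        if len(payload) < 8:
            raise ValueError("too short for an ESP header")
        spi, seq = struct.unpack_from("!II", payload)
        return Classified("esp", "spi=0x%08x seq=%d" % (spi, seq))
    raise ValueError("UDP port %d is not used by L2TP over IPSec" % dst_port)


if __name__ == "__main__":
    aggressive = build_isakmp(b"\x11" * 8, b"\x00" * 8, 4, b"\x00" * 20)   # constructed IKEv1 SA request
    print(classify_udp(500, aggressive))
    print(classify_udp(4500, NON_ESP_MARKER + aggressive))
    print(classify_udp(4500, NAT_KEEPALIVE))
    print(classify_udp(4500, build_udp_esp(0x12345678, 1, b"\xaa" * 24)))
```

On a PC behind NAT the first IKE message is seen on UDP 500 and, after NAT detection, the rest of the negotiation and all ESP traffic arrive on UDP 4500; the L2TP port 1701 is only visible to the firewall after ESP decapsulation. An exchange type other than 4 in the first message from a client configured as above indicates the client and LNS disagree on the negotiation mode.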
6.1.9 Example for Configuring L2TP over IPSec for Remote Dial-
Up Users to Connect to the Headquarters
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-9, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through L2TP dialup. To ensure
security of traveling employees, the enterprise requires that an IPSec tunnel be set up between
the traveling employee's PC and headquarters gateway.
Figure 6-9 Networking for configuring L2TP over IPSec between a PC and a router
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
l2tp enable //Enable L2TP.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
#
ike peer peer1 v1 //The commands used to configure IKE peers and the IKE protocol version differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously: an initiator uses IKEv2 to initiate a negotiation request, while a responder accepts IKEv1 or IKEv2. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key (huawei in this example) in cipher text. In V200R003C00 and earlier versions the command is pre-shared-key huawei, and the key is displayed in plain text.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
ip pool lns //Configure an IP address pool from which IP addresses are allocated to access PCs.
gateway-list 192.168.1.1
Step 2 Configure PC A.
# Modify the Windows registry.
Choose Start > Run, and enter regedit to open the registry. Find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent and create a DWORD named AssumeUDPEncapsulationContextOnSendRule with the value 2; this allows the Windows IPSec stack to use NAT traversal when the PC or the gateway is behind a NAT device. Then find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters and create a DWORD named ProhibitIpSec with the value 1; this disables the automatic L2TP/IPSec policy that Windows would otherwise apply, so that the IPSec policy configured manually below is used instead. See Figure 6-10. Restart the PC for the changes to take effect.
# Create an L2TP connection. Choose Start > Control Panel > Network and Internet >
Network and Sharing Center, and select Set up a new connection or network, as shown in
Figure 6-11.
On the Set up a Connection or Network page shown in Figure 6-12, select Connect to a
workplace and click Next.
Enter the Internet address (IP address of RouterA) and click Next, as shown in Figure 6-14.
Figure 6-17, Figure 6-18, Figure 6-19, and Figure 6-20 show how to create an IPSec policy.
On the IPSec Properties page shown in Figure 6-21, deselect Use Add Wizard and click
Add to add rules.
On the IP Filter List page shown in Figure 6-23, deselect Use Add Wizard and click
Add to add an IP filter list.
Configure IP filter attributes. On the Addresses tab page shown in Figure 6-24, select My IP Address as the source address and the headquarters gateway IP address as the destination address, and select Mirrored so that traffic in the reverse direction is matched as well.
On the Protocol tab page shown in Figure 6-25, select Any from the Select a protocol
type drop-down list box.
On the Description tab page shown in Figure 6-26, configure a description for the IP
filter.
Click OK. The IP Filter List page shown in Figure 6-27 is displayed.
Click OK. The New Rule Properties page shown in Figure 6-28 is displayed.
The New Filter Action Properties page shown in Figure 6-30 is displayed. Select
Accept unsecured communication, but always respond using IPSec and click Add.
The Security Methods page shown in Figure 6-31 is displayed. Select Custom and
click Settings.
The Custom Security Method Settings page shown in Figure 6-32 is displayed. Set
integrity and encryption algorithms, and perform session key settings.
The MD5, SHA1, DES and 3DES algorithms have security risks, and selecting no integrity algorithm leaves packets unauthenticated. Exercise caution with these choices.
3. Configure authentication methods.
On the Authentication Methods tab page shown in Figure 6-33, click Edit.
The Authentication Method Properties page shown in Figure 6-34 is displayed. Select
Use the string (preshared key) and use the pre-shared key huawei.
On the Key Exchange Settings page, select Methods, as shown in Figure 6-38.
On the Key Exchange Security Methods page, select Add, as shown in Figure 6-39.
The MD5, SHA1, DES and 3DES algorithms have security risks. Exercise caution if you use them.
Select the configured L2TP connection in Connect to network. The Figure 6-43 page is
displayed. Enter the user name and password.
# After the configurations are complete, PC A can ping RouterA successfully. Data exchanged
between PC A and RouterA is encrypted. You can run the display ipsec statistics esp
command to view packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA. You can view
information about successful IPSec tunnel setup.
----End
Configuration Notes
The IPSec configuration on the PC is much more complex than that on the router, so you must be familiar with the IPSec configuration on the router and keep the PC settings consistent with it.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-44, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters.
Figure 6-44 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
communicate with the headquarters
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure an L2TP user name and password.
local-user huawei password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user huawei privilege level 0
local-user huawei service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac
start l2tp ip 1.1.1.1 fullusername huawei
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
#
return
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 6-45, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
Users in a branch need to establish virtual private dial-up network (VPDN) connections with
the headquarters. Layer 2 Tunneling Protocol (L2TP) is deployed between the branch and the
headquarters. The branch has no dial-up network, and its gateway functions as a Point-to-
Point Protocol over Ethernet (PPPoE) server to allow Point-to-Point Protocol (PPP) dial-up
data to be transmitted over the Ethernet. The branch gateway also functions as an L2TP
access concentrator (LAC) to establish L2TP tunnels with the headquarters.
The gateway at the enterprise headquarters is configured as the L2TP network server (LNS) to
establish L2TP connections between the branch and headquarters. The RADIUS server in the headquarters authenticates users and allocates IP addresses to them.
Figure 6-45 Configuring PPPoE users connected to the LAC to establish an L2TP tunnel to
access the RADIUS server in the headquarters
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
aaa //Configure a user name and password.
local-user l2tp@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
local-user l2tp@huawei.com privilege level 0
local-user l2tp@huawei.com service-type ppp
#
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
Networking Requirements
As shown in Figure 6-46, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS.
Figure 6-46 Configuring the LAC to establish an L2TP tunnel to communicate with the
headquarters through automatic dial-up
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and set dialup parameters.
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 6-47, an enterprise has some branches located in other cities, and
branches use the Ethernet network.
The headquarters network provides VPDN services for the branch staff to allow them to
access the network of the headquarters. The LNS only authenticates the LAC. The LAC
automatically dials up to establish L2TP connections to the LNS. The RADIUS server in the headquarters authenticates users and allocates IP addresses to them.
Figure 6-47 Configuring the LAC to establish an L2TP tunnel to communicate with the
RADIUS server in headquarters through automatic dial-up
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and set dialup parameters.
ppp chap user l2tp@huawei.com
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.10.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
start l2tp ip 1.1.1.1 fullusername l2tp@huawei.com
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return
----End
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
Networking Requirements
As shown in Figure 6-48, many enterprises use the same LNS, and users from different
enterprises connect to LAC_1 and LAC_2 to communicate with their own headquarters sites.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC_1 and LAC_2 simultaneously, allowing enterprise
users to access their own internal networks.
Figure 6-48 Configuring multiple L2TP instances to implement communication between the
headquarters and branches
Procedure
Step 1 Configure LAC_1.
#
sysname LAC_1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and set dialup parameters.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.9.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
not 1, you must specify the tunnel name for the remote LAC.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 6-49, an enterprise has some branches located in other cities and the
branches connect to the same L2TP network server (LNS). Branches A, B, and C
communicate with the headquarters through LAC1, LAC2, and LAC3, respectively.
It is required that multiple L2TP instances be configured on the LNS to enable the LNS to
provide the L2TP access service to LAC1, LAC2, and LAC3 simultaneously, allowing users
of enterprise branches to access the internal network of the enterprise. Users in the same VPN
can communicate with each other. The RADIUS server in the headquarters authenticates
users, delivers VPN instances, and assigns IP addresses to users.
Figure 6-49 Configuring the LACs to establish an L2TP tunnel to implement communication
between the headquarters and branches through automatic dial-up
Procedure
Step 1 Configure LAC1.
#
sysname LAC1
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and configure dial-up parameters.
ppp chap user lac1@huawei.com
ppp chap password cipher
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create a L2TP group and configure L2TP connection parameters.
tunnel password cipher
tunnel name lac1
start l2tp ip 1.2.1.1 fullusername lac1@huawei.com
#
ip route-static 1.2.1.0 255.255.255.0 1.1.1.2
ip route-static 10.4.4.0 255.255.255.0 Virtual-Template1
#
return
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2 //Configure the VPN instance VPN2.
ipv4-family
route-distinguisher 300:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
ip pool 1 //Create an IP address pool and assign IP addresses to access users.
gateway-list 10.10.1.1
network 10.10.1.0 mask 255.255.255.0
#
radius-server template l2tp //Create a RADIUS server template.
radius-server shared-key cipher %^%#}'|y>s-'m)@%$\X7QgS"Bc5M$iWmV:4aXREv:/~P%^%#
radius-server authentication 10.10.10.1 1645 weight 80
#
aaa //Set the AAA mode to RADIUS.
authentication-scheme l2tp
authentication-mode radius
domain huawei.com
authentication-scheme l2tp
radius-server l2tp
#
interface Virtual-Template1 //Create a virtual template interface and configure dial-up parameters.
ppp authentication-mode chap domain huawei.com
remote address pool 1
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 1.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 2.2.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 3.2.1.1 255.255.255.0
#
l2tp-group 1 //Create a L2TP group and configure L2TP connection parameters.
allow l2tp virtual-template 1
tunnel password cipher
tunnel name lns
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2
ip route-static 2.2.2.0 255.255.255.0 2.2.1.2
ip route-static 3.3.3.0 255.255.255.0 3.2.1.2
ip route-static vpn-instance vpn1 10.1.1.0 255.255.255.0 10.10.1.100 //Route to the LAC1 LAN (10.1.1.0/24). Assume that the IP address assigned by the RADIUS server to the user on LAC1 is 10.10.1.100.
ip route-static vpn-instance vpn1 10.2.2.0 255.255.255.0 10.10.1.101 //Route to the LAC2 LAN. Assume that the IP address assigned by the RADIUS server to the user on LAC2 is 10.10.1.101.
ip route-static vpn-instance vpn2 10.3.3.0 255.255.255.0 10.10.1.102 //Route to the LAC3 LAN. Assume that the IP address assigned by the RADIUS server to the user on LAC3 is 10.10.1.102.
#
return
# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 has been established.
# PC_1, PC_2, and PC_4 can ping each other. PC_3 and PC_5 can ping each other.
----End
Configuration Notes
l An L2TP group uses tunnel authentication by default and passwords at both ends of the
tunnel must be the same.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
l You need to configure a static route destined for the RADIUS server on the LNS based
on actual needs. In this example, no static route is configured.
l You need to configure the IP address assigned to the VT interfaces on the LACs on the
RADIUS server. In this example, no IP address is configured.
Networking Requirements
As shown in Figure 6-50, an enterprise has some branches located in other cities. The branches use Ethernet networks and have gateways deployed, which use 3G cellular interfaces to connect to the Internet through the WCDMA network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.
Figure 6-50 Configuring the LAC using a 3G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address 3.1.1.2 255.255.255.0
l2tp-auto-client enable
#
interface Cellular0/0/0 //Configure a 3G interface.
link-protocol ppp
ip address ppp-negotiate //Configure the interface to obtain an IP address from the carrier. The interface uses this IP address to connect to the public network.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile 3GNET
dialer timer autodial 60 //Configure the interface to dial up automatically at an interval of 60s.
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3GNET
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return
# Run the display l2tp tunnel command on the LAC or LNS. You can see that an L2TP tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-51, an enterprise has some branches located in other cities. The branches use Ethernet networks and have gateways deployed, which use 4G cellular interfaces to connect to the Internet through the Long Term Evolution (LTE) network.
The headquarters provides VPDN services for the branch staff to allow any staff to access the
network of the headquarters. The LNS only authenticates the LAC. The LAC automatically
dials up to establish L2TP connections to the LNS.
Figure 6-51 Configuring the LAC using a 4G interface to establish an L2TP tunnel to
communicate with the headquarters through automatic dial-up
Procedure
Step 1 Configure the LAC.
#
sysname LAC
#
l2tp enable //Enable L2TP.
#
interface Virtual-Template1 //Create a virtual template interface and set dialup parameters.
ppp chap user huawei
ppp chap password cipher %@%@/|S75*sxcH2@FQL=wn#2@I`a%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0 //Configure a 4G interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Add the dialer interface to the dialer ACL. The group ID must be the same as that in the dialer ACL.
apn-profile lteprofile
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
ip address negotiate //Configure the interface to obtain an IP address from the carrier. The interface uses this IP address to connect to the public network.
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile lteprofile
apn ltenet
#
l2tp-group 1 //Create an L2TP group and set L2TP connection parameters.
tunnel password cipher %@%@d'o6Xpp(i/i:WRC)`'0#3nJ*%@%@
tunnel name LAC
start l2tp ip 2.1.1.1 fullusername huawei
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 //Create a static route.
ip route-static 10.1.0.0 255.255.255.0 Virtual-Template1
#
return
# Run the display l2tp tunnel command on the LAC or LNS. You can find that an L2TP
tunnel and a session numbered 1 have been established.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l The LAC and LNS must use the same user name and password.
l When you configure static routes on the LAC, the outbound interface in the route
destined for the headquarters network segment must be the VT1 interface.
Networking Requirements
As shown in Figure 6-52, traveling employees need to communicate with the headquarters
and access the headquarters gateway through the Internet to use internal resources. However,
the headquarters gateway cannot identify and manage access users. To solve this problem,
configure the headquarters gateway as the LNS to establish a virtual point-to-point connection
between the traveling employees and the headquarters gateway when the employees use
phones to initiate L2TP tunnel connections.
Figure 6-52 Example for establishing an L2TP tunnel to connect a mobile office user to the
headquarters
NOTE
Configuration Roadmap
Configure L2TP to implement communication between the phone and the headquarters. The
configuration roadmap is as follows:
1. On Router, configure an interface IP address and a static route to the remote phone to
ensure that a reachable route exists between the two ends.
2. On Router, configure L2TP to implement connection to the phone.
3. On the phone, configure L2TP to implement connection to Router. Parameters set for the
phone must be the same as those set for Router.
Procedure
Step 1 Configure the LNS.
#
sysname LNS
#
l2tp enable //Enable L2TP.
#
acl number 2001 //Configure an ACL. The address in this
ACL is allocated by L2TP and translated using NAT.
rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns //Create an IP address pool lns to
allocate IP addresses to users.
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
aaa //Configure the user name and password
for L2TP dial-up access.
authentication-scheme lmt
domain huawei.com
authentication-scheme lmt
local-user vpdnuser password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI
%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
nat outbound 2001 //Configure NAT to permit access to the
Internet.
#
interface Virtual-Template1 //Create a VT and configure dial-up
parameters.
ppp authentication-mode chap domain huawei.com //Configure an authentication
mode and specify that the authentication requests must carry the domain name.
remote address pool lns
ppp ipcp dns 10.10.10.10 //Assign the DNS gateway to allow
employees to visit external resources using the domain name.
ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure
L2TP connection parameters.
undo tunnel authentication //Dial up to connect to the network on
the phone. The non-authentication mode is used.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.3
#
return
NOTE
Set the L2TP secret to Huawei@1234, as configured on Router.
----End
Verification
1. Enable VPN connection on the phone. You can find that the VPN connection is
successful.
2. Run the display l2tp tunnel command on Router. You can find that an L2TP tunnel is
established successfully.
[Router] display l2tp tunnel
Total tunnel : 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 3.3.3.3 1701 1 -
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-53, the enterprise headquarters LNS communicates with the enterprise
branches LAC_1 and LAC_2. The LNS provides VPDN access services for LAC_1 and LAC_2,
and L2TP VPN tunnels are established between the LNS and LAC_1 and between the LNS and
LAC_2. The enterprise can configure Layer 2 network interconnection between the
headquarters and branches through L2TP over bridge: L2TP connections are established
between LAC_1 and the LNS and between LAC_2 and the LNS, implementing access and
mutual communication of users in the branches. After the L2TP tunnels are established,
traffic between the headquarters and branches is forwarded through the Layer 2 network.
Figure 6-53 Networking diagram for configuring Layer 2 network interconnection between
branches and the headquarters through L2TP over bridge
Procedure
Step 1 Configure LAC_1.
#
sysname LAC_1
#
bridge 1
#
l2tp enable //Enable the L2TP function.
#
interface Virtual-Template1 //Create a virtual interface template and configure
dialup parameters.
bridge 1 //Create bridge 1 and add the virtual interface to bridge 1.
bridge vlan-transmit enable //Enable transparent VLAN ID transmission on
interfaces of the bridge group.
ppp chap user l2tp1
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
bridge 1
bridge vlan-transmit enable
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
ip route-static 1.1.1.1 255.255.255.255 1.1.2.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 Virtual-Template1
#
return
#
bridge 1
#
l2tp enable //Enable the L2TP function.
#
interface Virtual-Template1 //Create a virtual interface template and configure
dialup parameters.
bridge 1 //Create bridge 1 and add the virtual interface to bridge 1.
bridge vlan-transmit enable //Enable transparent VLAN ID transmission on
interfaces of the bridge group.
ppp chap user l2tp2
ppp chap password cipher %@%@U>upTZ}mQM:rhRL:4;s$,(xf%@%@
ip address ppp-negotiate
l2tp-auto-client enable
#
interface GigabitEthernet1/0/0
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet2/0/0
bridge 1
bridge vlan-transmit enable
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
tunnel password cipher %@%@/-#)Lg[S4F:#2~ZNvqa$]\DL%@%@
tunnel name lac_2
start l2tp ip 1.1.1.1 fullusername l2tp2
#
ip route-static 1.1.1.1 255.255.255.255 1.1.3.2 //Configure a static route.
ip route-static 10.1.3.0 255.255.255.0 Virtual-Template1
#
return
Total tunnel : 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 1.1.1.1 1701 1 LNS
l Run the display l2tp session command. If L2TP session information is displayed in the
command output, the L2TP session has been successfully established.
[LAC_1] display l2tp session
Total session : 1
LocalSID RemoteSID LocalTID
1 1 1
----End
Precautions
l The LAC and LNS must use the same user name and password.
l If the L2TP group ID is 1, you do not need to specify the remote tunnel name, and the
LNS accepts the L2TP connection request initiated by any LAC. If the L2TP group ID is
not 1, you must specify the tunnel name for the remote LAC.
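The rules above (the same user name on both ends, tunnel authentication, and a remote tunnel name for any L2TP group other than 1) can be checked mechanically before a configuration is pushed. The following Python script is an added example, not Huawei code; it assumes the `allow l2tp virtual-template N remote NAME` form for naming the remote LAC, and its sample configurations are constructed from the LAC_1 and LNS examples on this page with the cipher text replaced by placeholders.

```python
import re

def sections(config):
    """Split a VRP configuration into its '#'-delimited sections; returns
    (header, body) pairs with //comments, blank lines and 'return' removed."""
    out = []
    for chunk in config.split("\n#"):
        lines = [l.split("//", 1)[0].strip() for l in chunk.splitlines()]
        lines = [l for l in lines if l and l not in ("#", "return")]
        if lines:
            out.append((lines[0], lines[1:]))
    return out

def audit_l2tp(lac_config, lns_config):
    """Return findings for an LAC/LNS pair; an empty list means the pair meets
    the rules in the Configuration Notes and Precautions above."""
    findings = []
    lac, lns = sections(lac_config), sections(lns_config)

    # Rule 1: the user name the LAC dials with (start l2tp ... fullusername) must
    # match its PPP CHAP user and exist on the LNS as a PPP local-user.
    dial_users, chap_users, lns_users = set(), set(), set()
    for header, body in lac:
        for line in body:
            m = re.match(r"start l2tp ip \S+ fullusername (\S+)", line)
            if header.startswith("l2tp-group") and m:
                dial_users.add(m.group(1))
            if header.startswith("interface Virtual-Template") and line.startswith("ppp chap user "):
                chap_users.add(line.split()[-1])
    for header, body in lns:
        for line in body:
            m = re.match(r"local-user (\S+) service-type ppp", line)
            if header == "aaa" and m:
                lns_users.add(m.group(1))
    for user in sorted(dial_users - chap_users):
        findings.append(f"LAC: fullusername {user} has no matching ppp chap user")
    for user in sorted(dial_users - lns_users):
        findings.append(f"LNS: no local-user {user} with service-type ppp")

    for header, body in lns:
        if not header.startswith("l2tp-group"):
            continue
        gid = header.split()[1]
        # Rule 2: 'undo tunnel authentication' lets any peer that can reach the
        # LNS address bring up a tunnel, so report it.
        if "undo tunnel authentication" in body:
            findings.append(f"LNS l2tp-group {gid}: tunnel authentication disabled")
        # Rule 3: only group 1 may accept any LAC; other groups must name the
        # remote LAC (assumed form: 'allow l2tp virtual-template N remote NAME').
        allows = [l for l in body if l.startswith("allow l2tp virtual-template")]
        if gid != "1" and not any(" remote " in l for l in allows):
            findings.append(f"LNS l2tp-group {gid}: remote tunnel name not specified")
    return findings

# Constructed from the LAC_1 and LNS examples on this page (cipher text replaced
# by placeholders); the LNS deliberately keeps the phone example's weak settings
# and a non-default group ID so that every rule fires.
LAC_CONFIG = """\
#
interface Virtual-Template1
ppp chap user l2tp1
ppp chap password cipher <cipher-text-placeholder>
l2tp-auto-client enable
#
l2tp-group 1
tunnel password cipher <cipher-text-placeholder>
tunnel name lac_1
start l2tp ip 1.1.1.1 fullusername l2tp1
#
return
"""

LNS_CONFIG = """\
#
aaa
authentication-scheme lmt
domain huawei.com
local-user vpdnuser password cipher <cipher-text-placeholder>
local-user vpdnuser service-type ppp
#
l2tp-group 2
undo tunnel authentication
allow l2tp virtual-template 1
#
return
"""
```

For the sample pair, audit_l2tp(LAC_CONFIG, LNS_CONFIG) reports the missing PPP user on the LNS, the disabled tunnel authentication, and the missing remote tunnel name.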
6.2 GRE
Networking Requirements
As shown in Figure 6-54, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1 //Configure a public route.
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1 //Configure a static route with
the next hop as the tunnel interface.
#
return
# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.
----End
Configuration Notes
l Both ends must be configured with routes to private network segments, with the
outbound interface as the tunnel interface.
l The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 6-55, RouterA, RouterB, and RouterC are on the VPN backbone
network. OSPF runs among the Routers.
GRE is used between RouterA and RouterC to allow communication between PC1 and PC2.
PC1 and PC2 use RouterA and RouterC respectively as their default gateways.
OSPF is enabled on the tunnel interfaces. OSPF process 1 is used for the VPN backbone
network and OSPF process 2 is used for user access.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0 //Configure the WAN-side outbound interface.
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure the LAN-side outbound interface.
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface. The source and destination
IP addresses of the tunnel interface are the IP addresses of the outbound and
inbound interfaces respectively.
ip address 10.3.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
# Run the display ip routing-table command on RouterA and RouterC. The command output
shows that the outbound interface for packets destined to the peer destination address is a
tunnel interface.
----End
Configuration Notes
l Both ends must be configured with routes to private network segments.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Networking Requirements
As shown in Figure 6-56, PE0 is the headquarters gateway of a bank, while PE1 and PE2 are
the bank's branch gateways. PE1 communicates with PE0 over a carrier network; PE2
communicates with PE1 over a private network; however, PE0 cannot communicate with
PE2. The bank requires data encryption over the public network as well as the private
network; therefore, GRE over GRE can be deployed in the headquarters to implement secure
communication among PE0, PE1, and PE2. After GRE over GRE is configured, data between
PE0 and PE1 is transmitted over the GRE tunnel, and data between PE0 and PE2 is
transmitted over the GRE over GRE tunnel along the carrier network.
Figure 6-56 Configuring GRE over GRE for communication between branches and
headquarters
Procedure
Step 1 Configure PE0.
#
sysname PE0
#
interface GigabitEthernet1/0/0
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet2/0/0
----End
Configuration Notes
1. The source address is the IP address of the interface sending packets, and the destination
address is the IP address of the interface receiving packets.
2. The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Networking Requirements
As shown in Figure 6-57, Router_1 is the gateway of an enterprise branch, and Router_2 is
the gateway of the headquarters. Router_1 and Router_2 communicate through the public
network.
The branch communicates with the headquarters through a GRE tunnel. The enterprise wants
to protect traffic excluding multicast data between the headquarters and branch. You can use
IPSec over GRE to establish a tunnel between virtual tunnel interfaces.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal tran1 //Create an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Create an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128
parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer spub v2 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei in cipher text. In V2R3C00 and earlier versions, the
command is pre-shared-key huawei, which specifies a plain-text pre-shared key.
ike-proposal 5
#
ipsec profile profile1 //Create an IPSec profile.
ike-peer spub
proposal tran1
#
interface Tunnel0/0/0 //Create a GRE tunnel interface.
ip address 192.168.1.1 255.255.255.0
tunnel-protocol gre
source 202.138.163.1
destination 202.138.162.1
#
interface Tunnel0/0/1 //Create an IPSec tunnel interface.
ip address 192.168.2.1 255.255.255.0
tunnel-protocol ipsec
source Tunnel0/0/0 //Specify the GRE tunnel interface as the source tunnel
interface.
----End
Configuration Notes
When you create an IPSec tunnel interface, specify the GRE tunnel interface as the source
interface of the IPSec tunnel, and the outbound interface in the route to the destination
address of the IPSec tunnel must be the GRE tunnel interface.
Networking Requirements
As shown in Figure 6-58, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters and branches. The service provider has allocated a public network IP address to
each gateway and the gateways can communicate with each other. The enterprise requires a
simple cost-effective mechanism to implement communication between the headquarters and
branches through private networks.
Generic Routing Encapsulation (GRE) tunnels can be established between the headquarters
and branches to meet this requirement. In this example, the Open Shortest Path First (OSPF)
protocol is configured to create routing entries with the tunnel interface as the source address
on the gateways.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet1/0/0 //Configure a public network outbound interface.
ip address 3.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0 //Configure a private network outbound interface.
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface and set the source and
destination addresses to the IP addresses of interfaces that send and receive
packets.
ip address 10.4.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 1.1.1.1
#
interface Tunnel0/0/2
ip address 10.5.1.1 255.255.255.0
tunnel-protocol gre
source 3.1.1.1
destination 2.1.1.1
#
ospf 1 //Configure a public network route.
area 0.0.0.0
# Run the display ip routing-table command on each router. You can find that the outbound
interface in routes to the peer is the tunnel interface.
----End
Configuration Notes
l Routes from both ends to private network segments must be configured.
l The local address of the tunnel interface at the local end must be the same as the remote
address of the tunnel interface at the remote end, and the remote address of the tunnel
interface at the local end must be the same as the local address of the tunnel interface at
the remote end.
Specifications
This example applies to all routers of V200R003 and later versions.
Networking Requirements
As shown in Figure 6-59, RouterA, RouterB, and RouterC are connected through an IPv4
network. RouterA and RouterC connect to two IPv6 networks, respectively. IPv6 hosts PC1
and PC2 connect to RouterA and RouterC, respectively. It is required that an IPv6 over IPv4
GRE tunnel be configured between RouterA and RouterC so that PC1 and PC2 can
communicate with each other.
Figure 6-59 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IPv4 address for the
interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address FC01::1/64 //Configure an IPv6 address for the interface.
#
interface Tunnel0/0/1 //Configure a tunnel interface of the GRE tunnel, set
the tunnel mode to GRE, configure an IPv6 address for the tunnel interface, and
configure IPv4 addresses as the source and destination IP addresses of the tunnel
interface.
ipv6 enable
ipv6 address FC02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2 //Configure an IPv4 static
route to ensure that RouterA has a reachable route to RouterC.
#
ipv6 route-static FC03:: 64 Tunnel0/0/1 //Configure an IPv6 static route to
ensure that RouterA has a reachable route to PC2.
#
return
#
ipv6 route-static FC01:: 64 Tunnel0/0/1 //Configure an IPv6 static route to
ensure that RouterC has a reachable route to PC1
#
return
Configuration Notes
l The devices on the IPv4 network have reachable routes to each other.
l The source and destination IP addresses of devices at both ends of the tunnel must be
configured. The source and destination IP addresses of the local device must be the same
as the destination and source IP addresses of the remote device, respectively.
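The tunnel rules repeated throughout the Configuration Notes of this section (the local source and destination must mirror the peer's destination and source, a source given as an interface name resolves to that interface's address, and each end needs a static route to the peer's private segment through the tunnel interface) can be verified from the two configurations. This Python checker is an added example, not Huawei code; RouterA's lines are taken from the IPv6 over IPv4 example above, while RouterC's tunnel and route lines are assumed as the mirror of RouterA since its full configuration is not on the page.

```python
import re

def sections(config):
    """Split a VRP configuration into its '#'-delimited sections; returns
    (header, body) pairs with //comments, blank lines and 'return' removed."""
    out = []
    for chunk in config.split("\n#"):
        lines = [l.split("//", 1)[0].strip() for l in chunk.splitlines()]
        lines = [l for l in lines if l and l not in ("#", "return")]
        if lines:
            out.append((lines[0], lines[1:]))
    return out

def interface_addrs(cfg):
    """Interface name -> its IPv4 address, used to resolve 'source <interface>'."""
    addrs = {}
    for header, body in cfg:
        for line in body:
            m = re.match(r"ip address (\S+) \S+", line)
            if header.startswith("interface ") and m:
                addrs[header.split()[1]] = m.group(1)
    return addrs

def gre_tunnels(cfg):
    """Tunnel name -> (source, destination) for every GRE tunnel interface."""
    addrs, tunnels = interface_addrs(cfg), {}
    for header, body in cfg:
        fields = dict(l.split(None, 1) for l in body if " " in l)
        if header.startswith("interface Tunnel") and fields.get("tunnel-protocol", "").startswith("gre"):
            src = fields.get("source")
            tunnels[header.split()[1]] = (addrs.get(src, src), fields.get("destination"))
    return tunnels

def static_route_interfaces(cfg):
    """Outbound interfaces (or next hops) named by IPv4 and IPv6 static routes."""
    out = set()
    for header, body in cfg:
        for line in [header] + body:
            m = re.match(r"ipv?6? route-static \S+ \S+ (\S+)", line)
            if m:
                out.add(m.group(1))
    return out

def check_gre_pair(local_config, remote_config):
    """Findings for the local device's GRE tunnels against the remote config."""
    local, remote = sections(local_config), sections(remote_config)
    remote_pairs = set(gre_tunnels(remote).values())
    via = static_route_interfaces(local)
    findings = []
    for name, (src, dst) in gre_tunnels(local).items():
        if not src or not dst:
            findings.append(f"{name}: source or destination not configured")
        elif (dst, src) not in remote_pairs:   # mirror rule from the notes
            findings.append(f"{name}: no peer tunnel with source {dst} and destination {src}")
        if name not in via:                    # route rule from the notes
            findings.append(f"{name}: no static route uses it as the outbound interface")
    return findings

# ROUTER_A is taken from the page; ROUTER_C is assumed (mirror of RouterA, with
# 'source' given as an interface name to exercise the address resolution).
ROUTER_A = """\
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ipv6 address FC02::1/64
tunnel-protocol gre
source 10.1.1.1
destination 10.1.2.2
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
ipv6 route-static FC03:: 64 Tunnel0/0/1
#
return
"""
ROUTER_C = """\
#
interface GigabitEthernet1/0/0
ip address 10.1.2.2 255.255.255.0
#
interface Tunnel0/0/1
ipv6 address FC02::2/64
tunnel-protocol gre
source GigabitEthernet1/0/0
destination 10.1.1.1
#
ipv6 route-static FC01:: 64 Tunnel0/0/1
#
return
"""
```

Run check_gre_pair in both directions; a single mistyped destination on either end produces a mirror-rule finding for the affected tunnel.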
6.3 DSVPN
6.3.1 Example for Configuring DSVPN to Allow Branches to
Learn Routes from Each Other and Implement Communication
Between the Branches (Applicable When There Are a Small
Number of Branches)
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-60, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.
Figure 6-60 Configuring DSVPN when branches learn routes from each other
Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 2.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 2.1.1.0 0.0.0.255
ospf 2 //Configure OSPF.
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
ospf network-type broadcast //Set the network type of the OSPF interface to
broadcast.
#
ospf 1 //Configure OSPF.
area 0.0.0.1
network 3.1.1.0 0.0.0.255
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
----End
Configuration Notes
l If OSPF is configured, the OSPF network type of the tunnel interface must be broadcast.
Networking Requirements
As shown in Figure 6-61, the hub (central office), Spoke1 (a branch), and Spoke2 (a branch)
belong to the same autonomous system (AS). They can communicate with each other on the
IP network using routing protocols.
Figure 6-61 Configuring DSVPN when branches have only summarized routes to the central
office
Procedure
Step 1 Configure spoke1.
#
interface Ethernet1/0/0
ip address 2.1.1.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.101 255.255.255.0
tunnel-protocol gre p2mp //Set the tunnel encapsulation mode to MGRE.
source Ethernet1/0/0 //Configure the source address or interface for the tunnel
interface.
nhrp entry 172.16.1.1 1.1.1.1 register //Configure an NHRP mapping table.
nhrp shortcut //Enable the NHRP shortcut function.
#
rip 1 //Configure RIP.
version 2
network 172.16.0.0
#
ospf 2
area 0.0.0.1
network 2.1.1.0 0.0.0.255
#
return
----End
Configuration Notes
l If the dynamic routing protocol RIP is used, enable the split horizon and automatic route
aggregation functions on the tunnel interface of the hub.
Networking Requirements
A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches located
in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The subnets of
the central office and branches change frequently. The Spokes use dynamic addresses to
connect to the public network. Open Shortest Path First (OSPF) is used on the enterprise
network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.
Procedure
Step 1 Configure Hub1.
#
sysname Hub1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 1000 //Configure a smaller OSPF cost value on Hub1 to ensure that
Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
nhrp redirect //The shortcut function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return
interface LoopBack0
ip address 192.168.0.2 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.254 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf cost 3000 //Configure a larger OSPF cost value on Hub2 to ensure that
Spokes prefer to use Hub1 as the next hop device.
ospf network-type p2mp
nhrp redirect //The shortcut function must be configured on the Hub.
nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.254
area 0.0.0.0
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Configure the OSPF network type to Point-to-Multipoint
(P2MP) to provide reachable routes to the Hub.
nhrp shortcut //The shortcut function must be configured on the Spoke.
nhrp registration interval 300 //After Hub1 recovers, the Spokes relearn routes
through Hub1 only once Hub1 receives their NHRP Registration Request packets. Set
the interval for sending NHRP Registration Request packets to a proper value so
that the Spokes quickly detect Hub1 recovery. The default interval is 1800
seconds.
nhrp entry 172.16.1.1 1.1.1.10 register
nhrp entry 172.16.1.254 1.1.254.10 register
#
ospf 1 router-id 172.16.1.3 //Configure branch subnets to learn routes from each
other.
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
ospf 2 //Configure OSPF to provide reachable routes to the public network.
area 0.0.0.1
network 1.1.3.0 0.0.0.255
#
return
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:36:30
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 1.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:33:14
Expire time : --
NOTE
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view only the
NHRP mapping entries of Hub1 and Hub2.
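A Spoke that has lost its registration with one Hub shows up in display nhrp peer all as a missing static hub entry, so the output is worth parsing in monitoring. The following Python parser and check are an added example, not Huawei code; SPOKE_OUTPUT is constructed from the Spoke outputs on this page (separator lines joined), with a dynamic shortcut entry of the kind that appears after Spoke-to-Spoke traffic.

```python
import re

# One table row: protocol address, mask, NBMA address, next hop, type, flag
# (the flag may be two words, e.g. "route tunnel" or "route network").
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(static|dynamic)\s+(.*)$")

def parse_nhrp_peers(output):
    """Return a list of dicts, one per NHRP mapping entry in the output."""
    entries, current, expect_row = [], None, False
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # separator lines carry no data
        if line.startswith("Protocol-addr"):
            expect_row = True             # the next data line is a table row
            continue
        if expect_row:
            m = ROW.match(line)
            if m:
                current = {"protocol": m.group(1), "mask": int(m.group(2)),
                           "nbma": m.group(3), "nexthop": m.group(4),
                           "type": m.group(5), "flag": m.group(6).strip()}
                entries.append(current)
            expect_row = False
            continue
        if current and ":" in line:       # 'Tunnel interface: ...', 'Expire time : --'
            key, val = (s.strip() for s in line.split(":", 1))
            current[key.lower()] = val
    return entries

def check_spoke_hubs(output, hub_addrs):
    """Findings for hubs that the Spoke does not hold as static hub entries."""
    entries = parse_nhrp_peers(output)
    findings = []
    for hub in hub_addrs:
        match = [e for e in entries if e["protocol"] == hub]
        if not match:
            findings.append(f"{hub}: no NHRP entry, registration missing")
        elif not any(e["type"] == "static" and e["flag"] == "hub" for e in match):
            findings.append(f"{hub}: entry present but not a static hub mapping")
    return findings

def dynamic_peers(output):
    """Entries learned dynamically (shortcut/redirect), i.e. not configured hubs."""
    return [e for e in parse_nhrp_peers(output) if e["type"] == "dynamic"]

# Constructed sample: the two hub registrations of Spoke2 plus one shortcut entry.
SPOKE_OUTPUT = """\
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:36:30
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 1.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:33:14
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 1.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
"""
```

check_spoke_hubs(SPOKE_OUTPUT, ["172.16.1.1", "172.16.1.254"]) returns an empty list for the sample; drop one Hub's block from the output and the corresponding finding appears.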
On the Hubs, check the NHRP mapping entries of Spoke1 and Spoke2.
Run the display nhrp peer all command on Hub1. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 1.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:52
Expire time : 01:59:12
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.2 32 1.1.2.10 172.16.1.2 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:32
Expire time : 01:59:09
Run the display nhrp peer all command on Hub2. The command output is as follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 1.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Hub2. The command output is as follows:
[Huawei] display ospf 1 routing
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:42:50
Expire time : --
-------------------------------------------------------------------------------
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:43:19
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 1.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
l Shut down the physical interface GE1/0/0 of Hub1 and check the OSPF routing information.
# Run the shutdown command on the interface GE1/0/0 of Hub1.
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] shutdown
[Huawei-GigabitEthernet1/0/0] quit
Check the routing entries on the Spokes if Hub1 fails. The next hop switches to Hub2.
Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
[Huawei] display ospf 1 routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output
is as follows:
[Huawei] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
[Huawei] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:46:29
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.254 32 1.1.254.10 172.16.1.254 static hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:43:28
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.2.1 32 1.1.3.10 172.16.1.3 dynamic route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
172.16.1.3 32 1.1.3.10 172.16.1.3 dynamic route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-------------------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-------------------------------------------------------------------------------
192.168.1.1 32 1.1.2.10 172.16.1.2 dynamic local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Huawei] display nhrp peer all
------------------------------------------------------------------------------
-
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------------------------
-
172.16.1.1 32 1.1.1.10 172.16.1.1 static hub
------------------------------------------------------------------------------
-
Tunnel interface: Tunnel0/0/0
Created time : 05:46:54
Expire time : --
------------------------------------------------------------------------------
-
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------------------------
-
172.16.1.254 32 1.1.254.10 172.16.1.254 static hub
------------------------------------------------------------------------------
-
Tunnel interface: Tunnel0/0/0
Created time : 04:43:38
Expire time : --
------------------------------------------------------------------------------
-
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------------------------
-
192.168.1.1 32 1.1.2.10 172.16.1.2 dynamic route
network
------------------------------------------------------------------------------
-
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
------------------------------------------------------------------------------
-
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------------------------
-
172.16.1.2 32 1.1.2.10 172.16.1.2 dynamic route
tunnel
------------------------------------------------------------------------------
-
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
------------------------------------------------------------------------------
-
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------------------------
-
192.168.2.1 32 1.1.3.10 172.16.1.3 dynamic local
------------------------------------------------------------------------------
-
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
NOTE
Before you run the ping command, clear the NHRP mapping entries that already exist on the Spokes.
----End
Configuration Notes
Different OSPF cost values must be configured on the mGRE interfaces of Hub1 and Hub2 to
ensure that the Spokes learn routes to the interface with a smaller cost value and prefer to use
the master Hub as the next hop device. When the cost value of the route to the master Hub is
larger than that to the backup Hub, Spokes prefer to forward packets through the backup Hub.
FAQ
l Q: Do I need to ensure that routes to the public network are reachable when configuring
DSVPN?
A: Yes. Ensuring reachable routes to the public network is the prerequisite for
implementing DSVPN.
l Q: Should I configure the master and backup Hubs on the same network segment?
A: No. You must not configure the master and backup Hubs on the same network
segment.
l Q: When the master Hub works normally, the backup Hub is in the Inactive state,
wasting resources. Can I configure the backup Hub as a Spoke?
A: Yes. When the master Hub works normally, the backup Hub is in the Inactive state. If
an enterprise has limited resources, you can configure the backup Hub as a Spoke. In this
case, the backup Hub registers with the master Hub in the same way as the other Spokes.
When the master Hub fails, the backup Hub takes over the role of the master and
transmits packets between Spokes.
6.4 IPSec
Networking Requirements
As shown in Figure 6-63, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. The branch subnet is 10.1.1.0/24 and the headquarters
subnet is 10.1.2.0/24.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. Because the two gateways communicate over the Internet and only a few branch
gateways need to be maintained, an IPSec tunnel can be set up manually between the branch
gateway and the headquarters gateway.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to Headquarters subnet.
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l The headquarters and branches use the same pre-shared-key.
Networking Requirements
As shown in Figure 6-64, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.
Procedure
Step 1 Configure RouterA.
#
acl number 3101 //Configure an ACL.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
Specifications
This example applies to all versions and routers.
Networking Requirements
The Headquarters and Branch establish an IPSec connection and both of them are configured
with DPD. DPD is configured on a branch to check whether the IPSec peers between the
Headquarters and Branch are alive. This prevents communication interruption between the
Headquarters and Branch in the case that the IPSec SA of the Branch is deleted incorrectly
from the router in the Headquarters. If DPD is not configured, the Branch still sends
encrypted data to the Headquarters, but the Headquarters cannot correctly decrypt the data,
causing communication interruption.
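The following model, added here and not taken from the Huawei document or from the AR software, replays the failure mode just described: the Headquarters loses the Branch SA while the Branch keeps sending, and only a Branch configured with DPD notices and renegotiates. The timer values (idle time, retry interval, retry count) and the on-demand probing rule are assumptions of the model, not AR defaults.

```python
import dataclasses


@dataclasses.dataclass
class Gateway:
    """One IPSec endpoint holding (at most) one SA towards its peer."""
    name: str
    sa_up: bool = True
    dpd: bool = False            # is DPD configured on this endpoint?
    idle_time: int = 30          # seconds without inbound traffic before probing (assumed)
    retry_interval: int = 5      # seconds between unanswered probes (assumed)
    retry_count: int = 3         # unanswered probes before the peer is declared dead (assumed)
    last_rx: int = 0             # time of the last packet this endpoint could authenticate
    last_probe: int = -10**9
    unanswered: int = 0
    events: list = dataclasses.field(default_factory=list)


def deliver(receiver, now):
    """Return True if the receiver still holds the SA and can decrypt the packet.
    Without the SA the packet is dropped: the state the text describes after the
    Branch SA was deleted incorrectly on the Headquarters router."""
    if receiver.sa_up:
        receiver.last_rx = now
        return True
    return False


def renegotiate(a, b, now):
    """IKE renegotiation modelled as instantaneous (a simplification of this model)."""
    for gw in (a, b):
        gw.sa_up, gw.unanswered, gw.last_rx = True, 0, now
    a.events.append((now, "IKE renegotiation, new SAs installed"))


def dpd_check(sender, receiver, now):
    """On-demand DPD: probe only while sending to a peer that has been silent
    for idle_time; after retry_count unanswered probes delete the stale SA and
    renegotiate. Without DPD this function does nothing."""
    if not sender.dpd or now - sender.last_rx < sender.idle_time:
        return
    if now - sender.last_probe < sender.retry_interval:
        return
    sender.last_probe = now
    if deliver(receiver, now):                # R-U-THERE answered with R-U-THERE-ACK
        sender.last_rx, sender.unanswered = now, 0
        return
    sender.unanswered += 1
    sender.events.append((now, f"DPD probe {sender.unanswered} unanswered"))
    if sender.unanswered >= sender.retry_count:
        sender.sa_up = False
        sender.events.append((now, "peer declared dead, stale SA deleted"))
        renegotiate(sender, receiver, now)


def simulate(with_dpd, duration=120, sa_lost_at=10):
    """The Branch sends one protected packet per second; at sa_lost_at the
    Headquarters loses the Branch SA. Returns (packets dropped, recovery time
    or None, Branch DPD events). SA lifetime expiry is ignored (assumption)."""
    branch = Gateway("Branch", dpd=with_dpd)
    hq = Gateway("Headquarters")
    dropped, recovered = 0, None
    for now in range(1, duration + 1):
        if now == sa_lost_at:
            hq.sa_up = False                  # the incorrect SA deletion
        if deliver(hq, now):
            branch.last_rx = now              # reply traffic proves the peer is alive
        else:
            dropped += 1                      # encrypted data the Headquarters cannot decrypt
        dpd_check(branch, hq, now)
        if recovered is None and now > sa_lost_at and hq.sa_up:
            recovered = now
    return dropped, recovered, branch.events


if __name__ == "__main__":
    for label, flag in (("without DPD", False), ("with DPD", True)):
        dropped, recovered, _ = simulate(flag)
        print(f"{label}: {dropped} packets lost, recovered at t={recovered}")
```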
Procedure
Step 1 Configure the Headquarters.
#
sysname Headquarters
#
acl number 3000 //Configure ACL 3000 to match traffic sent from Headquarters subnet to Branch subnet.
 rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer Center v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and
----End
Networking Requirements
When a NAT gateway is deployed between two devices of the IPSec tunnel, the two devices
are required to support NAT traversal.
As shown in Figure 6-66, RouterA is the egress gateway of a branch network and RouterB is
the egress gateway of the headquarters network. RouterA and RouterB translate addresses
through the NATER and they establish an IPSec tunnel in aggressive mode. The IPSec tunnel
supports NAT traversal.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the host name of the device.
#
ike local-name RouterA //Configure the local host name used in IKE negotiation.
#
ipsec proposal rta //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
 local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
 remote-name RouterB //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
 nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.
#
ipsec policy-template rta_temp 1 //Create an IPSec policy template.
 ike-peer rta
 proposal rta
#
ipsec policy rta 1 isakmp template rta_temp //Specify the IPSec policy template used to create SAs.
#
interface Ethernet1/0/0
 ip address 1.2.0.1 255.255.255.0
 ipsec policy rta
#
interface Ethernet2/0/0
 ip address 10.1.0.1 255.255.255.0
#
ip route-static 10.2.0.0 255.255.255.0 1.2.0.2 //Configure a static route to 10.2.0.0
#
return
0.255.255.255
#
ipsec proposal rtb //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 exchange-mode aggressive //Set the IKE negotiation mode to aggressive.
 pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
 local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
 remote-name RouterA //Configure the IKE peer name. In V200R008 and later versions, the device does not support the remote-name command. This command provides the same function as the remote-id command.
 remote-address 1.2.0.1 //Configure the IKE peer address.
 nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer rtb
 proposal rtb
#
interface Ethernet1/0/0
 ip address 192.168.0.2 255.255.255.0
 ipsec policy rtb
#
interface Ethernet2/0/0
 ip address 10.2.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1 //Configure a static route.
#
return
Run the ping command to trigger IPSec session setup. Run the display ike sa verbose and
display ipsec sa commands on RouterA to view the IPSec tunnel configuration.
----End
Configuration Notes
l Ensure that RouterA and RouterB can communicate through the NATER.
l RouterA functions as the IPSec responder and needs to be configured with an IPSec
template.
l RouterA and RouterB must support NAT traversal.
Networking Requirements
As shown in Figure 6-67, there are multiple network segments in the headquarters. The
branch needs to use different keys to access different network segments in the headquarters.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure ACL 3000 to match traffic sent from 192.168.1.0/24 to 10.6.0.0/24.
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.0.0 0.0.0.255
#
acl number 3001 //Configure ACL 3001 to match traffic sent from 192.168.1.0/24 to 10.6.1.0/24.
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.6.1.0 0.0.0.255
#
ipsec proposal default //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer center1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#pf$s.~E0h*hws%-7cwv&ItP3Bfw7DN`{)~~Sh'H'%^%# //Configure the authentication password in the pre-shared key to huawei@123, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei@123, and the password is displayed in plain text.
 ike-proposal 5
 local-address 1.0.1.1
 remote-address 1.0.2.254
#
ike peer center2 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#19+-M|4}f2,%g3/9IT#C46mnQm+@3;,Eh^"3>eVI%^%# //Configure the authentication password in the pre-shared key to huawei@321, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei@321, and the password is displayed in plain text.
 ike-proposal 5
 local-address 1.0.1.1
 remote-address 1.0.2.254
#
ipsec policy center 10 isakmp //Configure an IPSec policy center with sequence number 10 to protect the traffic sent from the branch to network segment 10.6.0.0/24.
 security acl 3000
 ike-peer center1
 proposal default
#
ipsec policy center 20 isakmp //Configure an IPSec policy center with sequence number 20 to protect the traffic sent from the branch to network segment 10.6.1.0/24.
 security acl 3001
 ike-peer center2
 proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the branch.
ipsec policy branch 10 isakmp //Configure an IPSec policy branch with sequence number 10 to protect the traffic sent from the branch to network segment 10.6.0.0/24.
 security acl 3000
 ike-peer branch1
 proposal default
#
ipsec policy branch 20 isakmp //Configure an IPSec policy branch with sequence number 20 to protect the traffic sent from the branch to network segment 10.6.1.0/24.
 security acl 3001
 ike-peer branch2
 proposal default
#
interface Ethernet1/0/0 //Configure the WAN-side interface of the headquarters.
 ip address 1.0.2.254 255.255.255.0
 ipsec policy branch //Configure an IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure LAN-side interface 1 of the headquarters.
 ip address 10.6.0.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.6.1.1 255.255.255.0 //Configure LAN-side interface 2 of the headquarters.
#
ip route-static 192.168.1.0 255.255.255.0 1.0.2.2 //Configure a static route with the destination address as the interface IP address of the branch.
#
return
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l Both routers must be configured with IPSec policies.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l Ensure that outbound interfaces in the headquarters and branch can exchange packets.
Networking Requirements
An enterprise establishes multiple branches in different areas due to service expansion. The
branch gateways connect to the Internet using PPPoE. As shown in Figure 6-68, RouterA
(branch gateway) and RouterB (headquarters gateway) communicate through the Internet.
Branch devices need to access service servers in the headquarters to carry out services. Data
transmitted between the headquarters and branches needs to be encrypted to ensure service
security.
Figure 6-68 Networking diagram for configuring IPSec on the dialer interface
NOTE
If both the branch gateway and headquarters gateway connect to the public network through PPPoE, the
remote-address host-name command must be run on them to specify the domain name for IPSec
negotiation. Otherwise, the IPSec tunnel cannot be established.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3003 //Configure ACL 3003 to match traffic sent from Branch to Headquarters.
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
#
interface GigabitEthernet1/0/0 //Configure a public network interface.
 ip address 1.1.1.6 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0 //Configure an internal network interface.
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 //Configure a static route to the internal network of the remote side.
#
return
----End
Configuration Notes
l The PPPoE_Server address must be specified on the PPPoE_Client.
l On the PPPoE_Client, the IKE peer address must be specified because an IPSec policy is
used. On the PPPoE_Server, you do not need to specify the IKE peer address because an
IPSec policy template is used.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-69, devices in two subnets communicate with the Internet using
respective gateways and need to establish an IPSec tunnel to transmit data flows. To meet this
requirement, perform the following operations:
l Establish an IPSec tunnel between the two gateways to protect security of data flows
transmitted between subnet Group1 at 10.1.1.0/24 and subnet Group2 at 10.2.1.0/24.
l Establish a security tunnel between the two gateways using Internet Key Exchange (IKE)
negotiation. During IKE negotiation, PKI certificates are used for identity authentication.
Procedure
Step 1 Configure RouterA.
#
router id 10.1.1.1
#
pki entity routera //Configure a PKI entity.
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name helloa
#
pki realm testa //Configure a PKI domain.
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity routera
 fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d7a34d94624b1c1bcbf6d763c4a67035d
 certificate-check none
 rsa local-key-pair rsa_scep //Use the RSA key pair in SCEP certificate application. This key pair is created in advance by running the pki rsa local-key-pair create command. This command is supported in V200R008 and later versions.
 password cipher %$%$\1HN-bn(k;^|O85OAtYF3(M4%$%$ //Set the challenge password used in SCEP certificate application to 6AE73F21E6D3571D. This command is supported in V200R008 and later versions.
 auto-enroll 60 regenerate //Enable automatic certificate enrollment and update. This command is supported in V200R008 and later versions.
#
acl number 3000 //Configure an ACL to define the data flows to be protected.
 rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal routera //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity authentication.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm aes-xcbc-mac-96
 authentication-method rsa-signature
#
ike peer routera v2 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of
ospf 1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return
aes-128
#
ike proposal 1 //Configure IKE to use a digital signature for identity authentication.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm aes-xcbc-mac-96
 authentication-method rsa-signature
#
ike peer routerb v2 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 ike-proposal 1
 local-address 2.2.2.1
 remote-address 1.1.1.1
 pki realm testb
#
ipsec policy routerb 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer routerb
 proposal routerb
#
interface Ethernet2/0/0 //Configure an external network interface.
 ip address 10.2.1.1 255.255.255.0
#
----End
Configuration Notes
l During IKE negotiation, if RouterA and RouterB do not obtain CA certificates or local
certificates, IKE negotiation fails.
l ACLs configured on devices in the headquarters and branch must mirror each other.
Networking Requirements
As shown in Figure 6-70, RouterA, RouterB, and RouterC connect to one switch. RouterA (RTA)
and RouterB (RTB) constitute a VRRP group with virtual IP address 1.0.2.128; RouterA
functions as the VRRP master and RouterB functions as the backup. An IPSec session is set up
between RouterC and the virtual IP address of the VRRP group.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
 rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
 local-address 1.0.2.128
 remote-address 1.0.1.254
#
ipsec policy branch 1 isakmp //Configure an IPSec policy.
 security acl 3000
 ike-peer branch
 proposal def
#
interface Ethernet1/0/1 //Configure the connected interface.
 ip address 1.0.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128 for VRRP group 1 and use the default priority.
 ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet0/0/1 //Configure an internal network interface.
 ip address 192.168.0.1 255.255.255.0
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.3 //Configure a static route to the branch network.
#
return
proposal def
#
interface Ethernet2/0/0 //Configure the internal network interface.
 ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1 //Configure the connected interface.
 ip address 1.0.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.0.2.128 //Configure the virtual IP address 1.0.2.128 for VRRP group 1.
 vrrp vrid 1 priority 80 //Set the priority of VRRP group 1 to 80 so that RouterB becomes the backup.
 ipsec policy branch //Bind the IPSec policy.
#
ip route-static 1.0.1.0 255.255.255.0 1.0.2.4 //Configure a static route to the branch gateway.
ip route-static 192.168.1.0 255.255.255.0 1.0.2.4 //Configure a static route to the branch network.
#
return
interface.
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 1.0.2.0 255.255.255.0 1.0.1.2 //Configure a static route to the headquarters gateway.
ip route-static 192.168.0.0 255.255.255.0 1.0.2.128 //Configure a static route to the headquarters network.
#
return
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branches must mirror each other.
Networking Requirements
As shown in Figure 6-71, RouterA functions as the headquarters gateway, and RouterB and
RouterC function as branch gateways. Branches connect to multiple private networks and
secure channels need to be set up between the headquarters and branches. An IPSec policy
template is configured on RouterA and is used for establishing IPSec tunnels.
Figure 6-71 Networking diagram for configuring access to multiple branches using an IPSec
policy template
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipsec proposal def
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
 encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
 dh group14
 authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
 pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
 ike-proposal 5
 local-address 1.1.1.1
#
ipsec policy-template branch 1 //Configure an IPSec policy template.
 ike-peer branch
 proposal def
#
ipsec policy hk 1 isakmp template branch //Configure an IPSec policy.
#
interface Ethernet2/0/0 //Configure an interconnection interface for setting up an IKE connection and encapsulating the outer IP address.
 ip address 1.1.1.1 255.255.255.0
 ipsec policy hk //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0 //Configure the router interface connected to a private network.
#
interface GigabitEthernet0/0/2
 ip address 10.11.1.1 255.255.255.0 //Configure the router interface connected to another private network.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#
return
----End
Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The headquarters and branches use the same pre-shared key.
Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 3G interface to dynamically obtain an IP address from a provider. When
deploying an IPSec policy, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.
After an IPSec tunnel is established, branch users can only access internal resources of the
headquarters. The NAT function can be configured on RouterA to allow branch users to
access external networks.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3001 //Configure an ACL to protect data flows to an external network.
rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address 13.1.1.1 //Configure the remote address used for initiating IKE negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer rta
proposal rta
#
dialer-rule //Create a dialer ACL.
dialer-rule 1 ip permit
#
apn profile 3gprofile //Create an APN profile.
After the configuration, users in the headquarters and branch can communicate with each
other.
----End
Configuration Notes
- The pre-shared key at both ends must be the same.
- You do not need to specify the remote IP address of the IKE peer for the end using an IPSec policy template.
- You can choose not to configure an ACL on the headquarters gateway using an IPSec policy template. If an ACL is configured on the headquarters to protect data flows, the destination segment address in the ACL must cover all the source addresses in ACLs on branches.
- Dial-up parameters on a 3G interface on different 3G networks are different. Contact 3G network providers.
Specifications
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 6-73, RouterA and RouterB establish an IPSec session, a GRE tunnel is
set up, and traffic on the network segment connected to GE0/0/1 is imported to the GRE
tunnel.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return
----End
Configuration Notes
- The ACL is configured to match the WAN-side interface IP address.
- The encapsulation mode in the IPSec proposal must be transport.
- The source and destination IP addresses of the GRE tunnel interface must be the same as those of the data flow protected by IPSec (that is, defined in the ACL referenced by the IPSec policy).
Networking Requirements
As shown in Figure 6-74, RouterA functions as the egress router of the headquarters network
and provides GRE over IPSec access for two branches. RouterB and RouterC are egress
routers of the two branches and connect to the headquarters network using GRE over IPSec.
OSPF is enabled on GRE tunnels of the headquarters and each branch. Traffic exchanged
between the headquarters and branches must be encrypted.
Figure 6-74 Networking diagram for configuring GRE over IPSec and OSPF
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 192.168.255.255 //Configure the OSPF router ID.
#
acl number 3000 //Configure ACL 3000 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 1.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.2.1 0
#
acl number 3001 //Configure ACL 3001 to permit packets from the outbound interfaces on egress routers of the headquarters and branch 2.
rule 0 permit ip source 1.0.1.254 0 destination 1.0.3.1 0
#
ipsec proposal default
encapsulation-mode transport
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch1 v1 //Configure an IKE peer for the egress router of branch 1.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
local-address 1.0.1.254
remote-address 1.0.2.1
#
ike peer branch2 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
local-address 1.0.1.254
remote-address 1.0.3.1
#
ipsec policy branch 10 isakmp //Create an IPSec policy branch and set the sequence number to 10.
security acl 3000
ike-peer branch1
proposal default
#
ipsec policy branch 20 isakmp //Create an IPSec policy branch and set the sequence number to 20.
security acl 3001
ike-peer branch2
proposal default
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.254 255.255.255.0
ipsec policy branch
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 10.0.0.1 255.255.255.0
#
interface LoopBack0 //Configure the loopback interface IP address as the router ID.
ip address 192.168.255.255 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.2.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.
ip address 192.168.0.5 255.255.255.252
tunnel-protocol gre
source Ethernet2/0/1
destination 1.0.3.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
interface.
ip address 192.168.0.2 255.255.255.252
tunnel-protocol gre
source GigabitEthernet0/0/2
destination 1.0.1.254
#
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.255.1 0.0.0.0
network 192.168.0.0 0.0.0.3
network 192.168.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 1.0.2.2
#
return
Configuration Notes
- The ACL configured on the egress router of the headquarters cannot contain a deny rule. If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
- ACLs configured on devices in the headquarters and branches must mirror each other.
- You can configure only one IPSec policy on the egress router of the headquarters and assign IKE peers different sequence numbers.
- The WAN-side interface IP addresses in the headquarters and branches can be pinged.
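The notes above and those of the preceding GRE over IPSec example (transport mode, tunnel endpoints equal to the flow in the ACL, mirrored ACLs, no deny rule) can be checked mechanically before a configuration is pushed. The script below is an added example and not Huawei code: it understands only the handful of VRP command lines these examples use, and it runs against constructed snippets modelled on RouterA (1.2.1.1) and RouterB (1.2.2.1), where RouterB is written with two of the mistakes the notes warn about.

```python
"""Static checks for the Configuration Notes on ACLs and GRE over IPSec (added example,
not Huawei code). Only the VRP command lines used by these examples are understood."""
import re
from ipaddress import IPv4Address, IPv4Network


def wildcard_net(addr, wildcard):
    """Turn a VRP 'address wildcard' pair into a network; a bare '0' wildcard is a host."""
    if addr is None:                        # clause absent: matches any address
        return IPv4Network("0.0.0.0/0")
    wc = 0 if "." not in wildcard else int(IPv4Address(wildcard))
    netmask = str(IPv4Address(0xFFFFFFFF ^ wc))   # ipaddress would read 0.0.0.0 as a /0 mask
    return IPv4Network((addr, netmask), strict=False)


def parse_config(text):
    """Return (acls, interfaces, proposals); a blank line or '#' closes a section."""
    acls, ifaces, proposals = {}, {}, {}
    section = kind = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop trailing //comments
        if line in ("", "#"):
            section = kind = None
        elif m := re.match(r"acl number (\d+)$", line):
            section, kind = acls.setdefault(m[1], []), "acl"
        elif m := re.match(r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+))?"
                           r"(?: destination (\S+) (\S+))?$", line):
            if kind == "acl":
                section.append((m[1], wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5])))
        elif m := re.match(r"interface (\S+)$", line):
            section, kind = ifaces.setdefault(m[1], {}), "if"
        elif m := re.match(r"(ip address|source|destination) (\S+)", line):
            if kind == "if":
                section[m[1]] = m[2]
        elif m := re.match(r"ipsec proposal (\S+)$", line):
            section, kind = m[1], "prop"
            proposals[section] = "tunnel"             # VRP default encapsulation mode
        elif (m := re.match(r"encapsulation-mode (\S+)$", line)) and kind == "prop":
            proposals[section] = m[1]
    return acls, ifaces, proposals


def permits(acl):
    return [(s, d) for act, s, d in acl if act == "permit"]


def has_deny(acl):
    """The headquarters ACL must not contain deny rules: matching flows bypass the tunnel."""
    return any(act == "deny" for act, _, _ in acl)


def mirrored(acl_a, acl_b):
    """Peer ACLs must mirror each other: each flow permitted in A is the reverse of one in B."""
    return set(permits(acl_a)) == {(d, s) for s, d in permits(acl_b)}


def gre_consistent(cfg, tunnel, acl_num, proposal):
    """GRE over IPSec: transport mode, and tunnel endpoints equal to the flow in the ACL."""
    acls, ifaces, proposals = cfg

    def endpoint(v):   # an address, or the name of an interface that carries one
        return IPv4Network(v if v[0].isdigit() else ifaces[v]["ip address"])

    hosts = (endpoint(ifaces[tunnel]["source"]), endpoint(ifaces[tunnel]["destination"]))
    return proposals[proposal] == "transport" and hosts in permits(acls[acl_num])


# Constructed snippets modelled on the GRE over IPSec example (RouterA 1.2.1.1, RouterB 1.2.2.1).
# RouterB deliberately carries a deny rule and leaves the encapsulation mode at its default.
ROUTER_A = """\
acl number 3000
 rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
ipsec proposal rtb
 encapsulation-mode transport
interface Tunnel0/0/1
 source 1.2.1.1
 destination 1.2.2.1
"""
ROUTER_B = """\
acl number 3000
 rule 0 permit ip source 1.2.2.1 0 destination 1.2.1.1 0
 rule 5 deny ip source 1.2.2.0 0.0.0.255
ipsec proposal rta
interface Ethernet1/0/1
 ip address 1.2.2.1 255.255.255.252
interface Tunnel0/0/1
 source Ethernet1/0/1
 destination 1.2.1.1
"""


def report():
    """Run the checks from the Configuration Notes against the constructed pair."""
    a, b = parse_config(ROUTER_A), parse_config(ROUTER_B)
    return {
        "acls_mirrored": mirrored(a[0]["3000"], b[0]["3000"]),
        "routerA_has_deny": has_deny(a[0]["3000"]),
        "routerB_has_deny": has_deny(b[0]["3000"]),
        "routerA_gre_ok": gre_consistent(a, "Tunnel0/0/1", "3000", "rtb"),
        "routerB_gre_ok": gre_consistent(b, "Tunnel0/0/1", "3000", "rta"),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {ok}")
```

The pre-shared key is stored as cipher text, so its equality at both ends cannot be verified from the configuration and still has to be checked out of band.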
Networking Requirements
As shown in Figure 6-75, the egress router in the headquarters provides IPSec VPN access
for branches. NAT devices exist between the branches and the Internet, so the aggressive
mode and NAT traversal are configured on egress routers of the headquarters and branches.
The headquarters egress router uses an IPSec policy template instead of an ACL. The three
egress routers use loopback interface IP addresses to establish GRE over IPSec tunnels. ACLs
are configured on branch egress routers to implement communication between the
headquarters and branches through GRE over IPSec tunnels. OSPF is used on GRE over
IPSec tunnels so that traffic exchanged between branches is forwarded through the
headquarters egress router.
Figure 6-75 Networking diagram for configuring GRE over IPSec and OSPF to implement NAT traversal
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 172.16.0.1 //Configure the OSPF router ID.
#
ike local-name rta
#
ipsec proposal default //Configure a default IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //Set the negotiation mode to aggressive.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to 123-branch, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key 123-branch, and the password is displayed in plain text.
ike-proposal 5
local-id-type name //Configure the local ID type for IKE negotiation. In V200R008 and later versions, the name parameter is changed to fqdn.
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.
#
ipsec policy-template branch 1 //Configure an IPSec policy template branch and set the sequence number to 1.
ike-peer branch
proposal default
#
ipsec policy policy1 1 isakmp template branch //Configure an IPSec policy policy1 and set the sequence number to 1 based on the IPSec policy template branch.
#
interface Ethernet2/0/1 //Configure the WAN-side interface on the egress router of the headquarters.
ip address 1.0.1.60 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/1 //Configure the LAN-side interface on the egress router of the headquarters.
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 172.16.0.1 255.255.255.255
#
interface Tunnel0/0/0 //Configure the tunnel interface between the headquarters and branch 1.
ip address 192.168.0.1 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.1.1
#
interface Tunnel0/0/1 //Configure the tunnel interface between the headquarters and branch 2.
ip address 192.168.0.5 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 192.168.2.1
#
ospf 1 //Configure routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 172.16.1.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 1.0.1.61 //Configure a default route.
#
return
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.11.0 0.0.0.255
network 192.168.0.0 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 10.0.1.1 //Configure a default route.
#
return
2.
ip address 192.168.12.1 255.255.255.0
#
interface LoopBack0 //Configure the LoopBack interface IP address, which is used for establishing a GRE connection and as the router ID.
ip address 192.168.2.1 255.255.255.255
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 192.168.0.6 255.255.255.252
tunnel-protocol gre
source LoopBack0
destination 172.16.0.1
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 192.168.0.4 0.0.0.3
network 192.168.12.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.2.1 //Configure a default route.
#
return
Configuration Notes
- The ACL configured on the egress router of the headquarters cannot contain a deny rule. If the ACL contains deny rules, data flows will not be transmitted to the IPSec tunnel.
- You can configure only one IPSec policy on the egress router of the headquarters and assign IKE peers different sequence numbers.
- There must be reachable routes between the headquarters and branches.
- When configuring a NAT address pool, ensure that routes to address segments in the NAT address pool are reachable.
Networking Requirements
In Figure 6-76, Router1 is the gateway of an enterprise branch, and Router2 is the gateway of
the headquarters. Router1 and Router2 communicate through the public network.
On the live network, the enterprise branch communicates with the headquarters through a
GRE tunnel. The enterprise wants to protect traffic excluding multicast data between the
headquarters and branch. An IPSec over GRE tunnel can be established based on ACL to
protect traffic between the headquarters and branch.
Figure 6-76 Establishing an IPSec over GRE tunnel between the headquarters and branch
Procedure
Step 1 Configure Router1.
#
sysname Router1
#
acl number 3101 //Configure the IP address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spub //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.2 //Configure an IP address for the remote tunnel interface.
#
ipsec policy map1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 2.1.1.1
ipsec policy map1 //Apply the security policy to the interface and enable IPSec protection.
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.2.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network.
#
return
acl number 3101 //Configure the IP address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure the authentication, encryption, and DH algorithms in the IKE proposal.
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
#
ike peer spua //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#K{JG:rWVHPMnf;5\|,GW(Luq'qi8BT4nOj%5W5=)%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 5
remote-address 10.2.1.1 //Configure an IP address for the remote tunnel interface.
#
ipsec policy use1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spua
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure a GRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre
source 2.1.1.1
destination 1.1.1.1
ipsec policy use1 //Apply the security policy to the interface and enable IPSec protection.
#
ip route-static 1.1.1.0 255.255.255.0 2.1.1.2 //Configure a static route to the public network.
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/0 //Configure a static route to the private network.
#
return
----End
Precautions
- The pre-shared key at both ends must be the same.
- The remote address configured for the IKE peer must be the IP address of the tunnel interface.
Networking Requirements
In Figure 6-77, a large-sized enterprise has the headquarters (Hub) and multiple branches
(Spoke1 and Spoke2 in this example) located in different areas, and the Spokes connect to
public networks using dynamic IP addresses obtained through DHCP. DSVPN is deployed to
enable communication between Spokes as well as between Spoke and Hub.
The enterprise requires that data transmitted between Spokes as well as between Spoke and
Hub be encrypted. IPSec over DSVPN can be configured on Hub and Spokes to provide
traffic protection.
Figure 6-77 Establishing IPSec over DSVPN tunnels between Hub and Spokes
Assume that the dynamic addresses obtained by Spoke1 and Spoke2 are 1.1.2.10 and 1.1.3.10,
respectively.
Procedure
Step 1 Configure the Hub.
#
sysname Hub
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer hub //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic
dpd idle-time 40
#
ipsec policy-template use1 10 //Configure an IPSec policy template and import parameters to the template.
ike-peer hub
proposal pro1
#
ipsec policy policy1 10 isakmp template use1 //Configure an IPSec policy and reference the policy template.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry multicast dynamic //Add a dynamically registered Spoke to the NHRP multicast member table.
#
ospf 1 router-id 10.2.1.1 //Configure private network routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.1.0 0.0.0.255
#
return
#
ipsec proposal pro1 //Configure the authentication and encryption algorithms in the IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure the authentication, encryption, PRF, and DH algorithms in the IKE proposal.
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
prf aes-xcbc-128
#
ike peer spoke1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%# //Set the pre-shared key to Huawei@1234.
ike-proposal 1
dpd type periodic //Set the DPD mode to periodic.
dpd idle-time 40 //Set an idle time for DPD.
remote-address 10.2.1.1 //Configure an IP address for the remote tunnel interface.
#
ipsec policy policy1 10 isakmp //Configure a security policy and import parameters to the policy.
security acl 3101
ike-peer spoke1
proposal pro1
#
interface GigabitEthernet1/0/0
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel0/0/0 //Configure an mGRE tunnel interface.
ip address 10.2.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
ospf network-type p2mp //Set the OSPF network type to P2MP.
ipsec policy policy1 //Apply the security policy to the interface and enable IPSec protection.
nhrp entry 10.2.1.1 1.1.1.10 register //Configure an NHRP mapping table.
#
ospf 1 router-id 10.2.1.2 //Configure private network routes.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
ospf 2 //Configure a public network route.
area 0.0.0.1
network 1.1.2.0 0.0.0.255
#
return
After users in Spoke2 ping the Hub, run the display ipsec statistics command on Spoke2 to
view statistics on IPSec packets. The value of the input/output security packets field is not
0, indicating that communication transmitted between the Hub and Spoke2 is encrypted.
----End
Precautions
- The pre-shared key at both ends must be the same.
- The remote address configured for the IKE peer must be the IP address of the tunnel interface.
Networking Requirements
As shown in Figure 6-78, RouterA (remote branch gateway) and RouterB (headquarters
gateway) communicate through the Internet in PPPoE mode. The branch subnet is 10.1.1.0/24
and the headquarters subnet is 10.1.2.0/24. The DNS server resolves domain names, the
DDNS server updates IP addresses mapping domain names, and the PPPoE server allocates IP
addresses.
The enterprise wants to protect data flows between the branch subnet and the headquarters
subnet. An IPSec tunnel can be set up between the branch gateway and headquarters gateway
because they communicate over the Internet. Because IP addresses of the branch and
headquarters are dynamic addresses, domain names can be used for IKE negotiation.
Figure 6-78 Networking for using dynamic addresses to establish an IPSec tunnel in IKE negotiation mode between the branch and headquarters
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
dns resolve //Configure DNS.
dns server 70.1.1.11 //Specify the DNS server IP address.
ddns policy ddnspolicy1 //Configure a DDNS policy.
url oray://username1:password1@phddnsdev.oray.net //Configure the URL of the DDNS server.
#
acl number 3003 //Configure an ACL to permit data flows from 10.1.1.0/24 to 10.1.2.0/24.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rut1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
ike-proposal 5
remote-address www.huaweib.com //The domain name has been registered with the DDNS server.
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3003
ike-peer rut1
proposal prop1
#
interface Dialer1 //Set parameters on the dialer interface.
link-protocol ppp
ppp chap user user@huawei.com
ppp chap password cipher %@%@l$S'&"Sm7!j4F#)i{{G#L3Wu%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1
dialer-group 1
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface so that the DDNS client can notify the DDNS server of changes in mappings between domain names and IP addresses when the interface IP address changes.
ipsec policy policy1 //Apply the IPSec policy to the dialer interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 255.255.255.255 dialer1
#
return
interface.
#
interface GigabitEthernet1/0/0 //Bind the dialer interface to the physical interface and establish a PPPoE session.
pppoe-client dial-bundle-number 1
#
interface Ethernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
dialer-rule //Configure a dialer access group to permit all IPv4 packets to pass through.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 255.255.255.0 dialer1
#
return
# After the configurations are complete, PC A can ping PC B successfully. Data exchanged
between PC A and PC B is encrypted. You can run the display ipsec statistics command to
view packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterA and RouterB. You can
view the IPSec tunnel configuration.
----End
Configuration Notes
If an IPSec tunnel cannot be reestablished because the IP address of the dialer interface changes frequently, use either of the following methods:
- If IPSec policies are configured at both ends, configure DPD at both ends so that each device detects a failed peer.
- If an IPSec policy is configured at one end and an IPSec policy template is configured at the other end, run the ipsec remote traffic-identical accept command (supported by V2R3C00 and later versions) on the end where the IPSec policy template is configured. This command allows new users with the same traffic rule as original branch users to access the headquarters network so that the existing IPSec SAs can be rapidly aged and a new IPSec tunnel can be established.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-79, RouterA functions as the headquarters gateway. Traveling
employees use PC A to communicate with the headquarters through the public network. To
ensure security of traveling employees, the enterprise requires that an L2TP over IPSec tunnel
be set up between the traveling employee's PC and headquarters gateway.
Figure 6-79 Networking for configuring an L2TP over IPSec tunnel between the PC and router
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
l2tp enable //Enable L2TP.
#
ipsec proposal prop //Configure an IPSec proposal.
encapsulation-mode transport
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
authentication-algorithm sha2-256
#
ike peer peer1 v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key.
ike-proposal 5
#
ipsec policy-template temp1 10 //Configure an IPSec policy template.
ike-peer peer1
proposal prop
#
ipsec policy policy1 10 isakmp template temp1 //Configure an IPSec policy.
#
ip pool 1 //Configure the device to allocate IP addresses to L2TP clients from the IP address pool.
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
aaa //Configure AAA local authentication and set the user name and password to vpdnuser and Hello123.
authentication-scheme l2tp
authentication-mode local
domain l2tp
authorization-scheme l2tp
local-user vpdnuser password cipher %^%#!~$GMN5Gj=j&f)IjQ8\>~b\-1"i^b@~.)+,2gi9K%^%#
local-user vpdnuser privilege level 0
local-user vpdnuser service-type ppp
#
interface GigabitEthernet1/0/0
ip address 1.1.1.2 255.255.255.0
ipsec policy policy1
#
interface Virtual-Template1 //Create a VT template and configure dial-up parameters.
ppp authentication-mode chap domain l2tp //Configure an authentication mode and specify that authentication information carries the domain name.
remote address pool 1 //Reference the IP address pool.
ip address 10.2.1.1 255.255.255.0
#
l2tp-group 1 //Create an L2TP group and configure L2TP connection parameters.
undo tunnel authentication //Dial up using a mobile phone. You are advised to disable tunnel authentication.
allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a static route.
ip route-static 10.2.1.0 255.255.255.0 Virtual-Template1
#
return
Step 2 Configure the traveling employee's PC. This example sets the dial-up parameters on
a Windows 7 client.
1. Check that the IPsec service is running.
a. Choose Start > Run, enter services.msc, and click OK to open the Services window.
b. In the Name column, check that the status of IPsec Policy Agent is Started. If it is
not, right-click IPsec Policy Agent, select Properties, set Startup type to Automatic,
click Apply, and then click Start under Service status.
c. Close the Services window.
2. Create an L2TP over IPSec connection.
a. Choose Start > Control Panel.
b. Select Network and Internet.
c. Select Network and Sharing Center.
d. Select Set up a new connection or network.
e. Select Connect to a workplace.
f. Select Use my Internet connection (VPN).
g. Set the Internet address and target name.
Set the Internet address to the IP address of the WAN interface on the RouterA (you
can also enter the domain name if the domain name is fixed).
h. Set the user name and password.
i. Click Connect.
j. Click Skip to skip the verification process. After a message indicating that the
connection is available is displayed, click Close.
3. Set the VPN connection properties.
a. In the left pane of Network and Sharing Center, select Change adapter settings.
b. Right-click the new VPN connection and select Properties.
c. On the Security tab, set Type of VPN to Layer 2 Tunneling Protocol with IPsec
(L2TP/IPsec), click Advanced settings, select Use preshared key for authentication, and
enter the pre-shared key configured in ike peer peer1 on RouterA. Under Allow these
protocols, keep CHAP selected, because the virtual template on RouterA uses ppp
authentication-mode chap. Change the Options and Networking tabs only if the defaults
do not suit you.
# After the configuration is complete, PC A dials up successfully with the Windows
built-in client.
Run the display l2tp tunnel command on RouterA: an L2TP tunnel has been established.
Run the display ike sa command on RouterA: the IKE SA has been established.
----End
Configuration Notes
l The pre-shared key for IKE negotiation at both ends must be the same.
l Tunnel authentication must be disabled on the device if the L2TP client does not support
tunnel authentication.
l The tunnel between the traveling employee's host and the headquarters gateway is
host-to-gateway, so the IPSec tunnel uses transport mode.
Networking Requirements
As shown in Figure 6-80, RouterA is the enterprise branch gateway (Cisco router) and
RouterB is the enterprise headquarters gateway. The branch communicates with the
headquarters over the public network. IP addresses of branches and headquarters are
configured beforehand. The branch is located on the network segment 10.1.2.0/24 and the
headquarters is located on the network segment 10.1.1.0/24.
The enterprise requires that traffic exchanged between the branch and headquarters over
the public network be protected, and that the headquarters gateway manage the branch
gateways centrally with minimal configuration.
To meet these requirements, an IPSec tunnel can be established in Efficient VPN client
mode between the branch gateway and the headquarters gateway. In client mode, RouterA
requests from RouterB an IP address used to establish the IPSec tunnel, a DNS domain
name, a DNS server address, and a WINS server address. The parameters other than the IP
address are used by the branch gateway.
Figure 6-80 Establishing an IPSec tunnel between the device and Cisco router (remote end)
using the Efficient VPN policy
Procedure
Step 1 Configure RouterA.
!
hostname RouterA //Configure a device name.
!
!
crypto ipsec client ezvpn ezvpn1 //Configure the Easy VPN policy.
connect auto //Set the connection mode to auto.
group evpn key 6 huawei@1234 //Configure a service scheme named evpn for the
server end and set the pre-shared key to huawei@1234.
mode client //Set the Easy VPN policy mode to client.
peer 60.1.1.1 //Configure the peer address.
xauth userid mode interactive
!
!
interface GigabitEthernet0/0 //Apply the Easy VPN policy to the interface and
configure the interface as the default outbound interface.
no shutdown
ip address 60.1.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ezvpn1
!
interface GigabitEthernet0/1 //Apply the Easy VPN policy to the interface and
configure the interface as the inbound interface
no shutdown
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn ezvpn1 inside
!
//The Easy VPN policy must be applied to the internal and external interface
because the remote end connects to the server end through the two interfaces.
ip route 60.1.1.0 255.255.255.0 60.1.2.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
ip route 10.1.1.0 255.255.255.0 60.1.2.2
!
end
Step 2 Configure RouterB.
//In the Efficient VPN policy, the transform in the IPSec proposal must be esp (the
default setting).
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm 3des-cbc //When the Efficient VPN policy uses IKEv1, set
encryption-algorithm to 3des-cbc and authentication-algorithm to md5 or sha1 (the
default value is sha1) in the IKE proposal.
dh group2 //In the Efficient VPN policy, the Diffie-Hellman group dh used for
IKE key negotiation must be dh group2.
#
ike peer peer1 v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive //When the Efficient VPN policy uses IKEv1, set
exchange-mode to aggressive.
pre-shared-key cipher %^%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%^%# //Set
the pre-shared key to huawei@1234.
ike-proposal 5
service-scheme evpn //Reference the service scheme to send parameters including
the IP address and DNS domain name to the remote end.
#
ipsec policy-template temp1 10 //Configure an ipsec policy template.
ike-peer peer1
proposal prop1
#
ipsec policy policy1 10 isakmp template temp1 //Apply the ipsec policy template
to the IPSec policy.
#
ip pool pool1 //Create an address pool and reference the address pool in the
service scheme to send IP addresses to the remote end.
gateway-list 100.1.1.1
network 100.1.1.0 mask 255.255.255.128
#
aaa
service-scheme evpn //Create a service scheme to send parameters to the remote
end.
dns 2.2.2.2
dns 2.2.2.3 secondary
ip-pool pool1
wins 3.3.3.2
wins 3.3.3.3 secondary
dns-name mydomain.com.cn
#
interface GigabitEthernet0/0/1 //Apply the IPSec policy to the interface.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
#
return
# After the configurations are complete, PC A can ping PC B successfully, and the data
transmitted between them is encrypted.
# Run the show crypto isakmp sa and show crypto ipsec sa commands on RouterA to verify
that the IKE and IPSec SAs are established.
# Run the display ipsec statistics command on RouterB to check packet statistics.
# Run the display ike sa and display ipsec sa commands on RouterB to verify that the
IPSec tunnel is established.
----End
Configuration Notes
The configuration commands for the Cisco device are provided for reference only. The
recommended Cisco device version is Cisco IOS Software, C3900e Software (C3900e-
UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1). For details, visit
http://www.cisco.com/cisco/web/support.
MD5, SHA-1, DES and 3DES are cryptographically weak. This example uses 3DES and SHA-1
only because the IKEv1 Efficient VPN negotiation with the Cisco device requires them (see
the ike proposal above); do not reuse these proposals where stronger algorithms can be
negotiated. IKEv1 aggressive mode, which this interoperation also requires, lets an
eavesdropper attempt offline guessing of the pre-shared key, so use a long random key
rather than a dictionary word.
Networking Requirements
As shown in Figure 6-81, RouterA is the enterprise branch gateway and RouterB is the
enterprise headquarters gateway (Cisco router). IP addresses of branches and headquarters are
configured beforehand. The branch communicates with the headquarters over the public
network. The branch is located on the network segment 10.1.1.0/24 and the headquarters is
located on the network segment 10.1.2.0/24.
The enterprise requires that traffic exchanged between the branch and headquarters over
the public network be protected, and that the headquarters gateway manage the branch
gateways centrally with minimal configuration.
To meet these requirements, an IPSec tunnel can be established in Efficient VPN client
mode between the branch gateway and the headquarters gateway. In client mode, RouterA
requests from RouterB an IP address used to establish the IPSec tunnel, a DNS domain
name, a DNS server address, and a WINS server address. The parameters other than the IP
address are used by the branch gateway.
Figure 6-81 Establishing an IPSec tunnel between the device and Cisco router (server end)
using the Efficient VPN policy
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure a device name.
#
ipsec efficient-vpn evpn1 mode client //Configure the Efficient VPN policy.
remote-address 60.1.2.1 v1 //Configure the peer address.
pre-shared-key cipher %^%#@W4p8i~Mm5sn;9Xc&U#(cJC;.CE|qCD#jAH&/#nR%^%# //Set
the pre-shared key to huawei@1234.
local-id-type key-id //When the remote end is a Cisco device, specify the key-
id type in the Efficient VPN policy.
service-scheme evpn //When the remote end is a Cisco device, specify the user
group created by the remote end in the Efficient VPN policy.
#
interface GigabitEthernet0/0/1 //Apply the Efficient VPN policy to the interface.
ip address 60.1.1.1 255.255.255.0
ipsec efficient-vpn evpn1
#
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route to ensure
that there is a reachable route between the two ends.
#
return
Step 2 Configure RouterB.
!
interface GigabitEthernet0/0 //Apply the crypto map to the outbound interface.
no shutdown
ip address 60.1.2.1 255.255.255.0
duplex auto
speed auto
crypto map evpn1
!
interface GigabitEthernet0/1
no shutdown
ip address 10.1.2.1 255.255.255.0
duplex auto
speed auto
!
!
ip local pool pool1 112.1.1.1 112.1.1.128 //Create an address pool.
!
ip route 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route to ensure that
there is a reachable route between the two ends.
!
end
----End
Configuration Notes
The configuration commands for the Cisco device are provided for reference only. The
recommended Cisco device version is Cisco IOS Software, C3900e Software (C3900e-
UNIVERSALK9-M), Version 15.1(4)M1, RELEASE SOFTWARE (fc1). For details, visit
http://www.cisco.com/cisco/web/support.
MD5, SHA-1, DES and 3DES are cryptographically weak. Exercise caution when you use them,
and prefer stronger algorithms wherever both ends can negotiate them.
Networking Requirements
As shown in Figure 6-82, Router_1, Router_2, and Router_3 are the municipal branch
gateway, county-level branch gateway, and headquarters gateway of an enterprise. Branches
and the headquarters communicate over the public network. The enterprise has few municipal
branches but many county-level branches.
The enterprise wants direct communication between the municipal branch and the
county-level branch, between the county-level branch and headquarters, and between the
municipal branch and headquarters, and wants the traffic among the branches and the
headquarters protected.
Figure 6-82 Establishing an IPSec tunnel in manual and IKE negotiation modes
Procedure
Step 1 Configure the municipal branch gateway Router_1.
#
sysname Router_1
#
acl number 3001 //Define the flow from the municipal branch to the headquarters for the
manual policy. The policy template used toward the county-level branch does not need to
reference an ACL.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy policy1 10 manual //Manually configure an IPSec policy for
establishing an IPSec tunnel with the headquarters.
security acl 3001
proposal tran1
tunnel local 60.1.1.1
tunnel remote 60.1.3.1
sa spi inbound esp 12345 //Set the inbound SPI, which must be the same as
the outbound SPI in the headquarters.
sa string-key inbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the inbound SA to Huawei@123, which must
be the same as the authentication key for the outbound SA in the headquarters.
sa spi outbound esp 54321 //Set the outbound SPI, which must be the same as
the inbound SPI in the headquarters.
sa string-key outbound esp cipher %^%#$~1!;0~-Z8a5n\2'#~J'L`eOO>i7iMm*mY173mG7%^
%# //Set the authentication key for the outbound SA to Huawei@321, which must
be the same as the authentication key for the inbound SA in the headquarters.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#]%qh%KV&]('NP)+OE3VF"nAn7VF%/+EgfmX3BE|*%^%# //Set
the pre-shared key to Huawei@4321 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify qualified
county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command; the fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and
enable IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.2 //Configure a static route.
#
return
Step 2 Configure the county-level branch gateway Router_2.
ike peer rut1 v2 //Configure an IKE peer for negotiating with the headquarters to
establish an IPSec tunnel. The remote address must be specified.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
remote-address 60.1.3.1
#
ike peer rut2 v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#F[de7*vUZ9ZT)V5UEqX(g|)XG`S)xT}:C."&>c].%^%# //Set
the pre-shared key to Huawei@4321 in ciphertext. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@4321 is displayed in plaintext.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the headquarters.
security acl 3001
ike-peer rut1
proposal tran1
ipsec policy policy1 20 isakmp //Configure an IPSec policy for establishing an
IPSec tunnel with the municipal branch.
security acl 3002
ike-peer rut2
proposal tran1
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.2.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected with the
service segment.
ip address 192.168.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.2.2 //Configure a static route.
#
return
Step 3 Configure the headquarters gateway Router_3.
sa spi outbound esp 12345 //Set the outbound SPI, which must be the same as
the inbound SPI in the municipal branch.
sa string-key outbound esp cipher %^%#zxX++-NU.;$%h;BB9zu1|7(EKNwdZAHC"EPP1y{S%^
%# //Set the authentication key for the outbound SA to Huawei@123, which must
be the same as the authentication key for the inbound SA in the municipal branch.
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut1 v2 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#SNMkBqDAZOwo!9=MwR{+h;Bp"JEU.-s!Z=Wdu7_@%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
#
ike identity identity1 //Configure an identity filter set to specify
qualified county-level branches.
name huaweirt2 //In V200R008 and later versions, the device does not support
the name command; the fqdn command provides a similar function.
ip address 60.1.2.0 255.255.255.0
#
ipsec policy-template use1 20
ike-peer rut1
proposal tran1
match ike-identity identity1
#
ipsec policy policy1 20 isakmp template use1 //Configure an IPSec policy using
the policy template for establishing an IPSec tunnel with the county-level branch.
#
interface GigabitEthernet0/0/1 //Configure an interconnection interface for
setting up an IKE connection and encapsulating the outer IP address.
ip address 60.1.3.1 255.255.255.0
ipsec policy policy1 //Bind an IPSec policy group to the interface and enable
IPSec.
#
interface GigabitEthernet0/0/2 //Configure an interface connected to the
service segment.
ip address 192.168.3.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 60.1.3.2 //Configure a static route.
#
return
l Ping PC_3 from PC_1 and PC_2 respectively. The ping operations succeed. Run the
display ipsec statistics command to view statistics on IPSec packets. The value of the
Inpacket decap count/Outpacket encap count (in a version earlier than V200R008) or
input/output security packets (in V200R008 or a later version) field is not 0, indicating
that data transmitted between the branches and headquarters is encrypted.
l Run the display ipsec sa command on Router_1, Router_2, and Router_3 to view
information about established SAs. The command output contains the Tunnel remote
(tunnel destination address) and Mode (security policy mode in which the IPSec tunnel
is established) fields.
– On Router_1, the security policy mode for the tunnel with the destination address
60.1.3.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
Template.
– On Router_2, the security policy mode for the tunnels with the destination
addresses 60.1.1.1 and 60.1.3.1 is ISAKMP.
– On Router_3, the security policy mode for the tunnel with the destination address
60.1.1.1 is Manual, and that for the tunnel with the destination address 60.1.2.1 is
Template.
l Run the display ike sa v2 command on Router_1, Router_2, and Router_3 to view SAs
established through IKE negotiation. (In V200R008 and later versions, the V2 parameter
is not supported.)
– Only the entry whose peer is 60.1.2.1 exists on Router_1.
– The entries whose peer is 60.1.1.1 and 60.1.3.1 exist on Router_2.
– Only the entry whose peer is 60.1.2.1 exists on Router_3.
----End
Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The IKE peers must use the same pre-shared key.
l When configuring an IPSec policy manually, you must specify the inbound and
outbound SPIs. The inbound SPI on the local end must be the same as the outbound SPI
on the remote end. The outbound SPI on the local end must be the same as the inbound
SPI on the remote end.
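The cross-matching rules in these notes (local inbound SPI = remote outbound SPI and vice versa, same string-keys, mirrored tunnel endpoints) plus the mirrored-ACL requirement that policy-based IPSec imposes on both peers are easy to get wrong by hand, and a manual SA gives no negotiation error to tell you so. The checker below is an added example, not Huawei code: it parses only the VRP commands it needs from the two sides and reports every mismatch. The two configurations are constructed from the Router_1 and Router_3 listings of Figure 6-82; the string-keys are written in the plaintext `simple` form (an assumption) so the two sides can be compared as text, which the per-device `cipher` text does not allow.

```python
"""Cross-peer check for manually keyed IPSec policies on Huawei AR (VRP) configs.
Added example, not Huawei code. ROUTER_1/ROUTER_3 are constructed from the
Figure 6-82 listings; `simple` keys are an assumption made so they can be compared."""
import re
from dataclasses import dataclass, field

ROUTER_1 = """\
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec policy policy1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 60.1.1.1
 tunnel remote 60.1.3.1
 sa spi inbound esp 12345
 sa string-key inbound esp simple Huawei@123
 sa spi outbound esp 54321
 sa string-key outbound esp simple Huawei@321
#
"""

ROUTER_3 = """\
acl number 3001
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec policy policy1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 60.1.3.1
 tunnel remote 60.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp simple Huawei@321
 sa spi outbound esp 12345
 sa string-key outbound esp simple Huawei@123
#
"""

@dataclass
class ManualPolicy:
    name: str
    acl: str = ""
    local: str = ""
    remote: str = ""
    spi: dict = field(default_factory=dict)   # "inbound"/"outbound" -> SPI
    key: dict = field(default_factory=dict)   # "inbound"/"outbound" -> string-key

def parse_vrp(text):
    """Return (acls, policies): acls maps an ACL number to [((src, wc), (dst, wc))],
    policies maps 'name seq' to a ManualPolicy. A '#' line closes the current block."""
    acls, policies, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = None
            continue
        if (m := re.match(r"acl number (\d+)$", line)):
            ctx, acls[m.group(1)] = ("acl", m.group(1)), []
            continue
        if (m := re.match(r"ipsec policy (\S+) (\d+) manual$", line)):
            ctx = ("sa", f"{m.group(1)} {m.group(2)}")
            policies[ctx[1]] = ManualPolicy(ctx[1])
            continue
        if ctx is None:
            continue
        if ctx[0] == "acl":
            m = re.match(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", line)
            if m:
                acls[ctx[1]].append(((m.group(1), m.group(2)), (m.group(3), m.group(4))))
            continue
        pol = policies[ctx[1]]
        if (m := re.match(r"security acl (\d+)", line)):
            pol.acl = m.group(1)
        elif (m := re.match(r"tunnel (local|remote) (\S+)", line)):
            setattr(pol, m.group(1), m.group(2))
        elif (m := re.match(r"sa spi (inbound|outbound) esp (\d+)", line)):
            pol.spi[m.group(1)] = m.group(2)
        elif (m := re.match(r"sa string-key (inbound|outbound) esp simple (\S+)", line)):
            pol.key[m.group(1)] = m.group(2)
    return acls, policies

def check_peers(local_cfg, remote_cfg):
    """Pair each local manual policy with the remote policy whose tunnel endpoints are the
    reverse of its own and apply the Configuration Notes. Empty list = both sides agree."""
    findings = []
    l_acls, l_pols = parse_vrp(local_cfg)
    r_acls, r_pols = parse_vrp(remote_cfg)
    for lp in l_pols.values():
        peers = [rp for rp in r_pols.values() if (rp.local, rp.remote) == (lp.remote, lp.local)]
        if not peers:
            findings.append(f"{lp.name}: no remote manual policy with tunnel {lp.remote} -> {lp.local}")
            continue
        rp = peers[0]
        for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
            if mine not in lp.spi or mine not in lp.key:
                findings.append(f"{lp.name}: {mine} SPI or string-key is missing")
            if lp.spi.get(mine) != rp.spi.get(theirs):
                findings.append(f"{lp.name}: {mine} SPI {lp.spi.get(mine)} != remote {theirs} SPI {rp.spi.get(theirs)}")
            if lp.key.get(mine) != rp.key.get(theirs):
                findings.append(f"{lp.name}: {mine} string-key differs from remote {theirs} string-key")
        # Mirrored ACL: every local (src, dst) flow must appear on the remote side as (dst, src).
        mirrored = {(dst, src) for src, dst in r_acls.get(rp.acl, [])}
        for flow in l_acls.get(lp.acl, []):
            if flow not in mirrored:
                findings.append(f"{lp.name}: ACL {lp.acl} flow {flow[0][0]} -> {flow[1][0]} "
                                f"is not mirrored by remote ACL {rp.acl}")
    return findings

if __name__ == "__main__":
    print(check_peers(ROUTER_1, ROUTER_3) or "Router_1 <-> Router_3: manual SAs and ACLs agree")
```

Run it in both directions (local and remote swapped) so that a policy present on only one side is caught. Keep in mind that a manual SA never rekeys, so the string-keys stay in use until someone changes them on both devices; the example confines manual keying to the one static municipal-to-headquarters pair and negotiates everything else with IKE.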
Networking Requirements
As shown in Figure 6-83, RouterA (branch gateway) and RouterB (headquarters gateway)
communicate through the Internet. RouterA uses two egress links in backup or load balancing
mode. The branch subnet is 10.1.1.0/24 and the headquarters subnet is 10.1.2.0/24.
The Enterprise wants to protect traffic between the branch subnet and headquarters subnet. If
an active/standby switchover occurs or the egress link becomes faulty, IPSec services need to
be smoothly switched.
Figure 6-83 Establishing an IPSec tunnel between the enterprise headquarters and branch
using a multi-link shared IPSec policy group
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3101 //Configure ACL 3101 to match traffic sent from Branch subnet to
Headquarters subnet.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal prop //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer rut v1 //The commands used to configure IKE peers and the IKE protocol
differ depending on the software version. In earlier versions of V200R008, the
command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the
command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2
are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation
request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a
negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set the
pre-shared key to huawei, stored in cipher text. In V2R3C00 and earlier versions the
command is pre-shared-key huawei and the key is displayed in plain text.
ike-proposal 5
remote-address 60.1.1.1
#
ipsec policy policy1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer rut
proposal prop
#
ipsec policy policy1 shared local-interface LoopBack0 //Configure a multi-link shared
IPSec policy group with LoopBack0 as the local interface, so that the IPSec tunnel is
anchored to the loopback address and survives a switchover between the two egress links.
Step 2 Configure RouterB.
interface GigabitEthernet1/0/0
ip address 60.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet3/0/0
ip address 10.1.2.1 255.255.255.0
#
ip route-static 1.1.1.1 255.255.255.255 60.1.1.2 //Configure a static route with
the destination address as the Loopback interface of the peer.
ip route-static 10.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the LAN-side interface of the branch.
ip route-static 70.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the WAN-side egress interface GE1/0/0 of the branch.
ip route-static 80.1.1.0 255.255.255.0 60.1.1.2 //Configure a static route with
the destination address as the WAN-side egress interface GE2/0/0 of the branch.
#
return
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branch must mirror each other.
l There must be reachable routes between the headquarters and branch.
l All IPSec policies must be bound to WAN-side outbound interfaces.
l The headquarters and branches use the same pre-shared-key.
Networking Requirements
As shown in Figure 6-84, Router_1, Router_2, and Router_3 are gateways of the enterprise
headquarters, branch 1, and branch 2, and they communicate over the public network.
Because the branch gateways connect to multiple private networks, a large number of static
routes have to be configured on the headquarters gateway to direct data destined for the
branches into the IPSec tunnel. In addition, these static routes have to be adjusted
whenever the internal network plan of a branch changes. This is laborious and error-prone.
The enterprise wants to provide security protection for traffic between the headquarters and
branches, and reduce the configuration and maintenance workload on the headquarters
gateway.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipsec proposal def
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 5
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer center v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 5
local-address 1.1.1.1
#
Step 2 Configure Router_2.
#
interface GigabitEthernet0/0/1
ip address 10.2.2.1 255.255.255.0 //Configure an interface connected to service
segment 2.
#
ip route-static 1.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters extranet.
ip route-static 10.1.1.0 255.255.255.0 1.2.1.2 //Configure a static route from
branch 1 to the headquarters intranet.
#
return
----End
Configuration Notes
l When the headquarters uses an IPSec policy template to establish IPSec tunnels, you do
not need to specify the remote address or remote name of the IKE peer.
l The headquarters and branches use the same pre-shared key.
l There must be reachable routes between the headquarters and branches.
l Only an SA established using dynamic IKE negotiation supports route injection; a
manually established SA does not support route injection.
Applicability
This example applies to all AR models of V200R003C00 and later versions.
Networking Requirements
As shown in Figure 6-85, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters, and they communicate over the public network. The bandwidth between the
branch egress and public network is 2 Mbit/s. VoIP, production, and office service flows are
transmitted between the headquarters and branch.
The enterprise wants to protect service flows transmitted between the enterprise branch and
headquarters and provide QoS guarantee for the VoIP, production, and office service flows.
l For the VoIP service flow, the IP priority must be set to 5 to ensure low latency and 500
kbit/s bandwidth.
l For the production service flow, the IP priority must be set to 4 to ensure 600 kbit/s
bandwidth.
l For the office service flow, the IP priority must be set to 2 to ensure 800 kbit/s
bandwidth.
Figure 6-85 Implementing QoS guarantee for traffic passing through the IPSec tunnel
Procedure
Step 1 Configure Router_1.
NOTE
Configure the downlink interfaces of the LSW connecting to the terminals as access
interfaces and add them to the VLANs of the VoIP, production, and office services.
Configure the uplink interface of the LSW connecting to Router_1 as a trunk interface that
allows packets from the VoIP, production, and office service VLANs to pass. For detailed
configurations, see the LSW configuration manual.
#
sysname Router_1
#
ike local-name huawei01
#
acl number 3001 //Create an ACL rule to define the VoIP service flow.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002 //Create an ACL rule to define the production service flow.
rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3003 //Create an ACL rule to define the office service flow.
rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-256 //In V200R008 and later versions, aes-cbc-256
is changed to aes-256.
dh group2
authentication-algorithm sha2-256
prf hmac-sha2-256
#
ike peer branch v1 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the command is ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a
negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
exchange-mode aggressive
pre-shared-key cipher %^%#bkSqG8J"h(w42U.X6W!C@P.f3tfZB3.&|V04Q}(O%^%# //Set
the pre-shared key to Huawei@1234 in cipher text. In versions earlier than
V2R3C00, the pre-shared key pre-shared-key Huawei@1234 is displayed in plain text.
ike-proposal 1
local-id-type name //Configure the local ID type for IKE negotiation. In
V200R008 and later versions, the name parameter is changed to fqdn.
remote-name huawei02 //Configure the IKE peer name. In V200R008 and later
versions, the device does not support the remote-name command; the remote-id command
provides the same function.
local-address 20.1.1.1
remote-address 30.1.1.1
#
ipsec policy map1 10 isakmp //Create an IPSec policy for the VoIP service flow.
security acl 3001
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 20 isakmp //Create an IPSec policy for the production service
flow.
security acl 3002
ike-peer branch
proposal tran1
qos pre-classify
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer branch
proposal tran1
qos pre-classify
#
traffic classifier tc1 operator or //Match the VoIP service flow (ACL 3001).
if-match acl 3001
traffic classifier tc2 operator or //Match the production service flow (ACL 3002).
if-match acl 3002
traffic classifier tc3 operator or //Match the office service flow (ACL 3003).
if-match acl 3003
#
traffic behavior tb1
car cir 500 cbs 94000 pbs 156500 mode color-blind green pass yellow pass red
discard
remark local-precedence ef
traffic behavior tb3
car cir 800 cbs 150400 pbs 250400 mode color-blind green pass yellow pass red
discard
remark local-precedence af2
traffic behavior tb2
car cir 600 cbs 112800 pbs 187800 mode color-blind green pass yellow pass red
discard
remark local-precedence af4
#
traffic policy tp1
classifier tc1 behavior tb1
classifier tc2 behavior tb2
classifier tc3 behavior tb3
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 20.1.1.1 255.255.255.0
traffic-policy tp1 outbound
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
#
interface Ethernet2/0/0.1
dot1q termination vid 10 //Configure the sub-interface to terminate
the VLAN ID of the VoIP service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface. (ARP broadcast is enabled by default.)
ip address 10.1.1.1 255.255.255.0
#
interface Ethernet2/0/0.2
dot1q termination vid 20 //Configure the sub-interface to terminate
the VLAN ID of the production service flow and run the arp broadcast enable
command to enable ARP broadcast on the sub-interface. (ARP broadcast is enabled
by default.)
ip address 10.1.2.1 255.255.255.0
#
interface Ethernet2/0/0.3
dot1q termination vid 30 //Configure the sub-interface to terminate the
VLAN ID of the office service flow and run the arp broadcast enable command to
enable ARP broadcast on the sub-interface.
ip address 10.1.3.1 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters intranet.
ip route-static 30.1.1.0 255.255.255.0 20.1.1.2 //Configure a static route
from the branch to the headquarters extranet.
#
return
flow.
security acl 3002
ike-peer center
proposal tran1
ipsec policy map1 30 isakmp //Create an IPSec policy for the office service flow.
security acl 3003
ike-peer center
proposal tran1
#
interface Ethernet1/0/0 //Configure the external network interface.
ip address 30.1.1.1 255.255.255.0
ipsec policy map1
#
interface Ethernet2/0/0 //Configure the private network interface.
ip address 192.168.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's VoIP service segment.
ip route-static 10.1.2.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's production service segment.
ip route-static 10.1.3.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch's office service segment.
ip route-static 20.1.1.0 255.255.255.0 30.1.1.2 //Configure a static route
from the headquarters to the branch extranet.
#
return
After the configurations are complete, send VoIP, production, and office service flows to
ETH2/0/0 on Router_1, each at a rate of 10,000 kbit/s.
l The bandwidth for VoIP, production, and office service flows from ETH1/0/0 is no less
than 500 kbit/s, 600 kbit/s, and 800 kbit/s respectively.
l Run the capture-packet interface ethernet 1/0/0 destination terminal command in the
system view on Router_1. The command output shows that the DSCP values of VoIP,
production, and office service packets sent from ETH1/0/0 are 5, 4, and 2.
l Run the display ipsec statistics command on Router_1 and Router_2 to view statistics
on IPSec packets. The value of the Inpacket decap count/Outpacket encap count (in a
version earlier than V200R008) or input/output security packets (in V200R008 or a
later version) field is not 0, indicating that data transmitted between the branches and
headquarters is encrypted.
----End
Configuration Notes
l ACLs configured on devices in the headquarters and branches must mirror each other.
l There must be reachable routes between the headquarters and branches.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
The headquarters and branch want to establish a secure IPSec connection. The headquarters
gateway RouterB uses a static public address. The branch size is small and its gateway
RouterA uses a 4G interface to dynamically obtain an IP address from a provider. When
IPSec policies are used, the headquarters must know the branch IP address. The branch IP
address often changes and is difficult to maintain. You can use an IPSec policy template on
RouterB so that the headquarters and branch can perform IPSec negotiation without knowing
the branch IP address.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Configure an ACL to protect data flows.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
version differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the commands are ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Set
the pre-shared key to huawei, displayed in cipher text. In versions earlier than
V2R3C00, the key is displayed in plain text as pre-shared-key huawei.
ike-proposal 5
remote-address 13.1.1.1 //Configure a peer IP address for initiating IKE
negotiation.
#
ipsec policy rta 1 isakmp //Configure an IPSec policy.
----End
Configuration Notes
l The pre-shared key at both ends must be the same.
l You do not need to specify the remote address of the IKE peer for the end using an IPSec
policy template.
l You can choose not to configure an ACL on the headquarters using an IPSec policy
template. If an ACL is configured on the headquarters to protect data flows, the
destination segment address in the ACL must cover all the source addresses in ACLs on
branches.
Networking Requirements
As shown in Figure 6-87, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. The branch communicates with the headquarters over the Internet and uses a 3G
link as the standby link. When the active link is faulty, traffic is switched to the standby link
to ensure traffic continuity.
The enterprise branch and headquarters communicate over the Internet, and the enterprise
requires that the traffic transmitted between them be protected. An IPSec tunnel can be
established between the branch gateway and headquarters gateway to protect data flows
between them. In addition, the NAT function can be configured on Router_1 to allow branch
users to access external networks.
Figure 6-87 Establishing an IPSec tunnel between the branch and headquarters through active
and standby links
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment to support NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3010 //Configure an address segment that supports IPSec encryption.
rule 2 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
#
ipsec proposal rta //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rta v1 //The commands used to configure IKE peers and the IKE protocol
version differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the commands are ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
dpd msg seq-hash-notify
remote-address 2.1.1.1
#
ipsec policy rt1 1 isakmp //Configure an IPSec policy.
security acl 3010
ike-peer rta
proposal rta
ipsec policy rt2 1 isakmp
security acl 3010
ike-peer rta
proposal rta
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy rt1 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.
----End
Configuration Notes
l The pre-shared key used for IKE negotiation at both ends must be the same.
l You do not need to specify the remote IP address of the IKE peer for the end using an
IPSec policy template.
l You can choose not to configure an ACL on the headquarters gateway using an IPSec
policy template. If an ACL is configured to protect data flows, the destination address in
the ACL must cover all the source addresses in ACLs on branches.
l Dial-up parameters on a 3G interface on different 3G networks are different. Contact 3G
network providers.
l When IPSec and NAT are configured on the same device, the device performs NAT
before IPSec encryption, so data flows destined for the remote end are subjected to
NAT first. In the ACL referenced by NAT, the rule that matches the data flows to be
sent over the IPSec tunnel must therefore use the deny action.
Specifications
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 6-88, Router_1 and Router_2 are gateways of the enterprise branch and
headquarters. Router_1 and Router_2 communicate through the public network.
The enterprise branch and headquarters communicate over the public network, and the
enterprise requires that the traffic transmitted between them be protected. An IPSec
tunnel can be established between the branch gateway and headquarters gateway to protect
data flows between them. In addition, the NAT function can be configured on Router_1 to
allow branch users to access external networks.
Figure 6-88 Establishing an IPSec tunnel between the branch and headquarters using wired
lines
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
acl number 3000 //Configure an address segment to support NAT.
rule 1 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
rule 2 permit ip source 10.1.1.0 0.0.0.255
acl number 3101 //Configure an address segment that supports IPSec encryption.
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1 //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the
aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer spub v1 //The commands used to configure IKE peers and the IKE protocol
version differ depending on the software version. In versions earlier than
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later
versions, the commands are ike peer peer-name and version { 1 | 2 }. By default,
IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate
a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To
initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%#
ike-proposal 5
remote-address 2.1.1.1
#
ipsec policy map1 10 isakmp //Configure an IPSec policy.
security acl 3101
ike-peer spub
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
ipsec policy map1 //Bind the IPSec policy to the interface and launch IPSec
negotiation.
nat outbound 3000 //Configure the NAT function to allow users to access
external networks.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
ip route-static 2.1.1.0 255.255.255.0 1.1.1.2 //Configure a static route.
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
#
return
After the configuration is complete, users in the headquarters and branch can exchange
encrypted data. In addition, branch users can access external networks.
----End
Configuration Notes
l The pre-shared key used for IKE negotiation at both ends must be the same.
l There must be reachable routes between the headquarters and branches.
l ACLs configured on devices in the headquarters and branches must mirror each other.
l When IPSec and NAT are configured on the same device, the device performs NAT
before IPSec encryption, so data flows destined for the remote end are subjected to
NAT first. In the ACL referenced by NAT, the rule that matches the data flows to be
sent over the IPSec tunnel must therefore use the deny action.
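The NAT-before-IPSec note above (and the same note in the 3G active/standby example) and the mirrored-ACL requirement can be checked with the following model, an added example that is not part of the Huawei guide. It reuses Router_1's ACL 3000, ACL 3101 and public address 1.1.1.1 from the configuration above; the sample hosts and the "deny rule missing" ACL are constructed.

```python
"""Added example, not from the Huawei guide: model the order in which an AR
router applies 'nat outbound' and an IPSec policy to an outbound packet, using
the ACLs of the Router_1 configuration above (ACL 3000 for NAT, ACL 3101 for
IPSec). Sample hosts and the misconfigured NAT ACL are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source network address
    src_wild: str                   # wildcard mask: 0 bits must match
    dst: str = "0.0.0.0"            # default: any destination
    dst_wild: str = "255.255.255.255"


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """Match an address against a network/wildcard pair (VRP ACL semantics)."""
    keep = ~int(IPv4Address(wild)) & 0xFFFFFFFF      # bits the rule cares about
    return (int(IPv4Address(addr)) & keep) == (int(IPv4Address(net)) & keep)


def acl_lookup(rules, src: str, dst: str):
    """Return the action of the first rule matching src/dst, or None when no
    rule matches (an unmatched ACL triggers neither NAT nor IPSec here)."""
    for r in rules:
        if _wild_match(src, r.src, r.src_wild) and _wild_match(dst, r.dst, r.dst_wild):
            return r.action
    return None


# ACL 3000 as configured on Router_1: tunnel traffic denied, everything else NATed.
NAT_ACL_WITH_DENY = [
    Rule("deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    Rule("permit", "10.1.1.0", "0.0.0.255"),
]
# The same ACL with the deny rule left out (constructed misconfiguration).
NAT_ACL_WITHOUT_DENY = [Rule("permit", "10.1.1.0", "0.0.0.255")]
# ACL 3101: the flows that IPSec policy map1 should protect.
IPSEC_ACL = [Rule("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
PUBLIC_IP = "1.1.1.1"               # GigabitEthernet1/0/0 on Router_1


def forward(src: str, dst: str, nat_acl, ipsec_acl):
    """Apply NAT first, then the IPSec policy, as the Configuration Notes state.
    Returns (source address seen on the wire, 'esp' or 'cleartext')."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP                         # Easy IP: source rewritten
    if acl_lookup(ipsec_acl, src, dst) == "permit":
        return src, "esp"                       # matched the IPSec policy
    return src, "cleartext"                     # leaves the interface unprotected


def mirror_acl(rules):
    """Build the ACL the far end must carry: source and destination swapped."""
    return [Rule(r.action, r.dst, r.dst_wild, r.src, r.src_wild) for r in rules]


def acls_mirror(local, remote) -> bool:
    """True if the remote ACL is, rule for rule, the mirror of the local one."""
    return mirror_acl(local) == list(remote)


if __name__ == "__main__":
    for acl, label in ((NAT_ACL_WITH_DENY, "with deny"), (NAT_ACL_WITHOUT_DENY, "without deny")):
        print(label, forward("10.1.1.5", "10.1.2.7", acl, IPSEC_ACL))
```

Without the deny rule the tunnel traffic is translated to 1.1.1.1 before the IPSec ACL is consulted, no longer matches ACL 3101, and leaves GigabitEthernet1/0/0 unencrypted.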
Networking Requirements
As shown in Figure 6-89:
l CE1 and CE3 belong to vpna.
l CE2 and CE4 belong to vpnb.
l The VPN target of vpna is 111:1, and the VPN target of vpnb is 222:2.
l Users in different VPNs cannot communicate.
Procedure
Step 1 Configure PE1.
#
sysname PE1
#
ip vpn-instance vpna //Create a VPN instance vpna.
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb //Create a VPN instance vpnb.
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9 //Configure MPLS.
mpls
#
mpls ldp //Configure LDP.
#
interface Ethernet1/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb //Bind the VPN instance to the interface.
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1 //Enable MPLS on the interface.
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100 //Configure an MP-IBGP peer.
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP
peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the
PEs and CEs and import VPN routes.
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the
PEs and CEs and import VPN routes.
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
bgp 100 //Configure an MP-IBGP peer.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP
peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna //Set up the EBGP peer relationships between the
PEs and CEs and import VPN routes.
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb //Set up the EBGP peer relationships between the
PEs and CEs and import VPN routes.
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
interface Ethernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 10.3.1.2 enable
#
return
----End
Configuration Notes
l A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
Networking Requirements
As shown in Figure 6-90, the Hub-CE in the central site controls communication between
Spoke-CEs. That is, the traffic between Spoke-CEs is forwarded by the Hub-CE but not by
the Hub-PE.
Procedure
Step 1 Configure Spoke-CE1.
#
sysname Spoke-CE1
#
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410 //Establish an EBGP peer relationship between the Spoke-PE and the CE.
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct //Import direct routes.
peer 100.1.1.2 enable
#
return
#
bgp 100 //Establish an MP-IBGP peer relationship between PEs.
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
# //Establish an MP-IBGP peer relationship between PEs.
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
# //Establish an MP-EBGP peer relationship between the Spoke-PE and the CE.
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct //Import direct routes.
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out //Configure a VPN instance vpn_out.
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9 //Configure the MPLS LSR.
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0 //Enable MPLS on the interface.
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet3/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Ethernet4/0/0 //Bind the VPN instance to the interface.
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100 //Establish an EBGP peer relationship between the Hub-PE and the CE.
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in //Import VPN routes.
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out //Import VPN routes.
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1 //Configure public network routes.
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
----End
Configuration Notes
l A PE must use a loopback interface address with a 32-bit mask to set up an MP-IBGP
peer relationship with the peer PE so that VPN routes can be iterated to tunnels.
Networking Requirements
As shown in Figure 6-91, CE1 and CE2 belong to the same VPN and have the same VPN
target. CE1 connects to the UPE, and CE2 connects to the PE. UPE, SPE, and PE
communicate using OSPF.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Configure EBGP between the PE and the CE.
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
# //Enable MPLS.
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish MP-IBGP peer relationships between the UPE and the SPE, and
between the PE and the SPE.
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
# //Configure routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
----End
Specifications
This example applies to all versions.
Networking Requirements
As shown in Figure 6-92, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option A. That is, the VRF-to-VRF
method is used to manage VPN routes.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a PE and a CE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
mpls
mpls ldp
# //Bind the VPN instance to the interface.
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP
peer.
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a
PE and a CE.
peer 10.1.1.1 as-number 65001
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP
peer.
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between
ASBR1 and ASBR2.
peer 192.1.1.2 as-number 200
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
sysname PE2
# //Create and configure a VPN instance.
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
# //Enable MPLS.
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
# //Enable MPLS on the interface.
interface Ethernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and ASBR.
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4 //Enable the ability to exchange VPN IPv4 routes with the BGP
peer.
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1 //Establish an EBGP peer relationship between a
PE and a CE.
peer 10.2.1.1 as-number 65002
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
----End
Specifications
This example applies to all versions.
This example does not apply to AR120&AR150&AR160&AR200 series routers.
Networking Requirements
As shown in Figure 6-93, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option B:
l ASBR1 and ASBR2 exchange VPNv4 routes using MP-EBGP.
l ASBRs do not filter the VPN-IPv4 routes received from each other based on VPN
targets.
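How VPN targets decide which VPNv4 routes a PE keeps and installs (the reason users of vpna and vpnb above cannot communicate), and why an Option B ASBR needs VPN-target filtering disabled, is modelled below as an added example that is not part of the Huawei guide. PE1's VRFs and targets (111:1, 222:2) come from the example above; the VPNv4 routes and PE2's route distinguishers are constructed.

```python
"""Added example, not from the Huawei guide: model VPN-target based import on a
PE (vpna 111:1, vpnb 222:2 from the BGP/MPLS IP VPN example) and an Option B
ASBR on which 'undo policy vpn-target' keeps every received VPNv4 route.
The routes and PE2's RDs below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                      # route distinguisher, e.g. "100:1"
    prefix: str                  # IPv4 prefix
    export_rts: FrozenSet[str]   # VPN targets carried as extended communities


@dataclass(frozen=True)
class Vrf:
    name: str
    import_rts: FrozenSet[str]   # vpn-target ... import-extcommunity
    export_rts: FrozenSet[str]   # vpn-target ... export-extcommunity


def accept_vpnv4(routes: List[Vpnv4Route], vrfs: List[Vrf],
                 policy_vpn_target: bool = True) -> List[Vpnv4Route]:
    """Routes kept in the VPNv4 table. With 'policy vpn-target' (the default)
    a route survives only if one of its targets is imported by some local VRF;
    with 'undo policy vpn-target' (Option B ASBR) every route is kept."""
    if not policy_vpn_target:
        return list(routes)
    wanted = frozenset().union(*(v.import_rts for v in vrfs))
    return [r for r in routes if r.export_rts & wanted]


def install_into_vrfs(routes, vrfs) -> Dict[str, List[str]]:
    """Per-VRF table contents: a route is installed in each VRF whose import
    targets intersect the route's export targets (the RD is not consulted)."""
    return {v.name: sorted(r.prefix for r in routes if r.export_rts & v.import_rts)
            for v in vrfs}


# PE1's VRFs, as configured in Step 1 of the example.
PE1_VRFS = [
    Vrf("vpna", frozenset({"111:1"}), frozenset({"111:1"})),
    Vrf("vpnb", frozenset({"222:2"}), frozenset({"222:2"})),
]
# VPNv4 routes PE2 would advertise for CE3 (vpna) and CE4 (vpnb); RDs constructed.
PE2_ROUTES = [
    Vpnv4Route("100:3", "10.3.1.0/24", frozenset({"111:1"})),
    Vpnv4Route("100:4", "10.4.1.0/24", frozenset({"222:2"})),
]


def pe1_tables() -> Dict[str, List[str]]:
    """What PE1 installs: each CE site sees only its own VPN's routes."""
    return install_into_vrfs(accept_vpnv4(PE2_ROUTES, PE1_VRFS), PE1_VRFS)


def asbr_kept(policy_vpn_target: bool) -> List[str]:
    """An Option B ASBR has no VRFs: with filtering left on it drops everything."""
    return [r.prefix for r in accept_vpnv4(PE2_ROUTES, [], policy_vpn_target)]


if __name__ == "__main__":
    print(pe1_tables())
    print("ASBR, filtering on: ", asbr_kept(True))
    print("ASBR, filtering off:", asbr_kept(False))
```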
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
# //Establish an EBGP peer relationship between a CE and a PE.
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
# //Establish an MP-IBGP peer relationship between the PE and the ASBR.
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and
enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
# //Configure OSPF routes.
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
#
ipv4-family vpnv4 //Disable VPN target-based filtering for received routes and
enable the ASBR to allocate labels for VPN routes based on the next hop.
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002 //Establish an EBGP peer relationship between a PE and a CE.
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
----End
Networking Requirements
As shown in Figure 6-94, CE1 and CE2 belong to the same VPN. CE1 accesses PE1 through
AS100, and CE2 accesses PE2 through AS200.
Inter-AS BGP/MPLS IP VPN is implemented through Option C.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001 //Establish an EBGP peer relationship between a CE and a PE.
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
and a CE and configure PE1 to import VPN routes from the CE.
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
# //Configure labeled IPv4 route exchange.
bgp 200
peer 192.1.1.1 as-number 100 //Establish an EBGP peer relationship between
ASBR2 and ASBR1.
peer 4.4.4.9 as-number 200 //Establish an IBGP peer relationship between ASBR2
and PE1.
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export //Apply a routing policy to the
routes advertised to ASBR1, and enable labeled IPv4 route exchange with ASBR1.
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export //Apply a routing policy to the
routes advertised to PE2, and enable labeled IPv4 route exchange with PE2.
peer 4.4.4.9 label-route-capability
# //Configure routes.
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
# //Create a route-policy.
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
#
return
----End
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use IS-IS to exchange routes.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
isis 1 //Configure an IS-IS process.
network-entity 10.0000.1111.1112.00
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
return
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
isis 1 vpn-instance vpn1 //Bind the IS-IS process to the VPN instance.
network-entity 10.0000.1111.0002.00
import-route bgp //Configure the local PE to import VPNv4 routes learned from
the remote PE to IS-IS.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
isis enable 1 //Enable IS-IS on the interface.
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route isis 1 //Import IS-IS routes into the VRF table of the BGP-VPN
instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return
2. Run the display ip routing-table protocol isis command on CEs. CE1 and CE2 can
learn routes from each other.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
l When PEs and CEs use IS-IS to exchange routes, bind the IS-IS process to the VPN
instance.
l PEs need to import routes advertised by BGP and IS-IS routes from each other.
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use BGP to exchange routes.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
bgp 65101
peer 10.1.1.1 as-number 100 //Establish an EBGP peer
relationship.
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return
#
return
2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.
Use the display on CE1 as an example.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
l PEs and CEs can use IBGP or EBGP to exchange routes. This example uses EBGP.
l You must configure the CE as a VPN peer in the BGP-VPN instance IPv4 address family
view on the connected PE.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.137.1.0 0.0.0.255
#
return
ipv4-family
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network
side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address
with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information
with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
mpls lsr-id 2.2.2.2 //Configure MPLS.
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route ospf 2 //Import OSPF routes into the VRF table of the BGP-VPN instance IPv4 address family.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ospf 2 vpn-instance vpn1
import-route bgp //Configure the local PE to import VPNv4 routes learned from the peer PE into OSPF.
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return
2. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can
learn routes from each other.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
l When PEs and CEs use OSPF to exchange routes, bind the OSPF process to the VPN
instance.
l PEs need to import routes advertised by BGP and OSPF from each other.
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use OSPF to exchange routes. CE1 and CE2 belong to the same OSPF area. VPN traffic
between CE1 and CE2 must be forwarded over the MPLS backbone network rather than over the
OSPF intra-area route through the user network.
Figure 6-98 Networking diagram for configuring BGP MPLS/IP VPN and OSPF sham link
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface Ethernet1/0/0
ip address 192.168.2.2 255.255.255.0
ospf cost 10
#
interface Ethernet1/0/1
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 100.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
interface Ethernet1/0/0
ip address 100.1.2.2 255.255.255.0
#
interface Ethernet1/0/1
ip address 192.168.2.1 255.255.255.0
ospf cost 10
#
ospf 1
area 0.0.0.0
network 100.1.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 100.1.1.0 0.0.0.255
sham-link 11.11.11.11 22.22.22.22 //Specify the source and destination addresses of the sham link.
#
return
2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
Use the display on PE1 as an example.
3. Run the display ip routing-table protocol ospf command on CEs. CE1 and CE2 can
learn routes from each other and the outbound interface is the CE interface connected to
the PE.
Use the display on CE1 as an example.
----End
Configuration Notes
l The route of the sham link address cannot be advertised to the peer PE through an OSPF
process bound to a VPN instance. If the route of the sham link address is advertised to
the peer PE through an OSPF process bound to a VPN instance, the peer PE has two
routes to the sham link address. The two routes are learned from OSPF and MP-BGP
respectively. The OSPF route takes precedence over the BGP route, so the peer PE uses
the OSPF route. As a result, the sham link fails to be established.
l A PE must use the loopback interface address with a 32-bit mask to establish a sham
link.
l To forward VPN traffic through the MPLS backbone network, configure the cost of the
sham link to be smaller than the cost of the OSPF route used for forwarding VPN traffic
over the user network.
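The notes for the OSPF example (the VPN-bound OSPF process and the BGP VPN-instance address family must import each other) and the sham-link notes above can be checked mechanically over a saved configuration. The Python audit below is an added example, not part of the Huawei document; its sample text is constructed from the page's PE2 values, and LoopBack1 with address 22.22.22.22 as the sham-link source is an assumption.

```python
"""Audit a VRP PE configuration for the two notes above: the VPN-bound OSPF
process and the BGP VPN-instance address family must import each other, and a
sham-link source must be a /32 that the VPN OSPF process does not advertise."""
import ipaddress

# Constructed sample modelled on the page's PE2 (vpn1, OSPF process 2, AS 100).
# LoopBack1 / 22.22.22.22 as the sham-link source is an assumption, and the
# 'network 22.22.22.22 0.0.0.0' line is a deliberate mistake for the audit to catch.
SAMPLE_PE_CONFIG = """\
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack1
ip binding vpn-instance vpn1
ip address 22.22.22.22 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
#
ipv4-family vpn-instance vpn1
import-route ospf 2
#
ospf 2 vpn-instance vpn1
import-route bgp
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 22.22.22.22 0.0.0.0
sham-link 22.22.22.22 11.11.11.11
#
return
"""


def split_blocks(config):
    """Split VRP config text into blocks; a line holding only '#' ends a block."""
    blocks, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def wildcard_to_network(addr, wildcard):
    """Convert an OSPF 'network ADDR WILDCARD' pair into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # the wildcard must be a contiguous low-order run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bin(w).count('1')}", strict=False)


def parse_pe(blocks):
    """Return (interfaces, bgp_imports, vpn_ospf) extracted from the config blocks."""
    ifaces, bgp_imports, vpn_ospf = {}, {}, []
    for b in blocks:
        head, body = b[0].split(), [line.split() for line in b[1:]]
        if head[0] == "interface" and len(head) == 2:
            vpn = next((t[3] for t in body if t[:3] == ["ip", "binding", "vpn-instance"]), None)
            addr = next((ipaddress.ip_interface(f"{t[2]}/{t[3]}") for t in body
                         if t[:2] == ["ip", "address"] and len(t) == 4), None)
            ifaces[head[1]] = (vpn, addr)
        elif head[:2] == ["ipv4-family", "vpn-instance"] and len(head) == 3:
            bgp_imports[head[2]] = {t[2] for t in body if t[:2] == ["import-route", "ospf"] and len(t) > 2}
        elif head[0] == "ospf" and "vpn-instance" in head:
            vpn_ospf.append({
                "id": head[1], "vpn": head[head.index("vpn-instance") + 1],
                "import_bgp": any(t[:2] == ["import-route", "bgp"] for t in body),
                "networks": [wildcard_to_network(t[1], t[2]) for t in body if t[0] == "network"],
                "sham_links": [(t[1], t[2]) for t in body if t[0] == "sham-link"]})
    return ifaces, bgp_imports, vpn_ospf


def audit_pe_config(config):
    """Return a list of findings; an empty list means both notes are satisfied."""
    ifaces, bgp_imports, vpn_ospf = parse_pe(split_blocks(config))
    findings = []
    for p in vpn_ospf:
        tag = f"ospf {p['id']} vpn-instance {p['vpn']}"
        if not p["import_bgp"]:
            findings.append(f"{tag}: missing 'import-route bgp', so VPNv4 routes from the peer PE never reach the CE")
        if p["id"] not in bgp_imports.get(p["vpn"], set()):
            findings.append(f"bgp ipv4-family vpn-instance {p['vpn']}: missing 'import-route ospf {p['id']}', so local CE routes are not advertised to the peer PE")
        for src, _dst in p["sham_links"]:
            local = [a for v, a in ifaces.values() if v == p["vpn"] and a and str(a.ip) == src]
            if not local or local[0].network.prefixlen != 32:
                findings.append(f"{tag}: sham-link source {src} must be a /32 address of an interface bound to {p['vpn']}")
            for net in p["networks"]:
                if ipaddress.IPv4Address(src) in net:
                    findings.append(f"{tag}: 'network {net}' advertises sham-link source {src} into the VPN OSPF process; the peer PE would prefer that OSPF route over the MP-BGP route and the sham link would not come up")
    return findings
```

Run against the sample, the audit reports only the advertised sham-link source; removing that network statement yields a clean result, and removing either import-route line reproduces the corresponding note as a finding.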
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use static routes to communicate.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp //Enable MPLS on the interface at the public network side.
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1 //Bind the interface to the VPN instance.
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip route-static vpn-instance vpn1 10.137.1.0 255.255.255.0 10.1.1.2
#
return
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0 //Use the loopback interface address with 32-bit mask to establish an MP-IBGP peer relationship.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4 //Enable the local node to exchange VPNv4 routing information with the peer.
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
import-route static //Import static routes.
#
ospf 1 //Enable OSPF to advertise routes to the loopback interface.
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
ip route-static vpn-instance vpn1 10.137.2.0 255.255.255.0 10.1.2.2
#
return
----End
Configuration Notes
l BGP on PEs needs to import static VPN routes.
l Static routes to other VPNs must be configured on CEs.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, and PEs and CEs
use RIP to exchange routes.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.1.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return
#
sysname CE2
#
interface GigabitEthernet0/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 10.137.2.1 255.255.255.0
#
rip 1 //Create a RIP process.
version 2
network 10.0.0.0
#
return
2. Run the display ip routing-table protocol bgp command on CEs. CE1 and CE2 can
learn routes from each other.
CE2 can ping IP address 10.137.1.1 and CE1 can ping IP address 10.137.2.1.
----End
Configuration Notes
l When PEs and CEs use RIP to exchange routes, bind the RIP process to the VPN
instance.
l PEs need to import routes advertised by BGP and RIP from each other.
Specifications
This example applies to all versions.
Networking Requirements
PE1 connects to CE1, PE2 connects to CE2, CE1 and CE2 belong to vpn1, MP-IBGP
connections between PE1 and the RR, and between PE2 and the RR are set up, and VPN
routes are reflected by the RR.
Figure 6-101 Networking diagram for configuring route reflection to optimize the VPN
backbone layer
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet0/0/1
ip address 192.168.4.2 255.255.255.0
#
bgp 65001 //Establish an EBGP relationship with PE1.
peer 192.168.4.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.4.1 enable
#
return
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100 //Specify PE2 as the IBGP peer of the RR.
peer 3.3.3.3 connect-interface LoopBack0
peer 1.1.1.1 as-number 100 //Specify PE1 as the IBGP peer of the RR.
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
peer 1.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target //Configure the RR not to filter the received VPNv4 routes based on VPN targets.
peer 3.3.3.3 enable
peer 3.3.3.3 reflect-client //Configure route reflection for BGP VPNv4 routes on the RR. PE2 is the client.
peer 1.1.1.1 enable
peer 1.1.1.1 reflect-client //Configure route reflection for BGP VPNv4 routes on the RR. PE1 is the client.
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
2. Run the display ip routing-table vpn-instance vpn1 command on PEs. The VPN
routing table on the local PE has a route to the peer PE.
----End
Configuration Notes
l The PEs only need to establish MP-IBGP peer relationships with the RR.
l The VPN instance does not need to be configured on the RR.
6.6 VLL
Applicability
This example applies to all AR models of V200R003C00 and later versions.
Networking Requirements
As shown in Figure 6-102, the MPLS network of an ISP provides the L2VPN service for
users. Many users connect to the MPLS network through PE1 and PE2, and users connected
to PE1 and PE2 change frequently. A proper VPN solution is required to provide secure VPN
services for users and to simplify configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements.
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
return
----End
Networking Requirements
The MPLS network of an ISP provides the L2VPN service for users. Many users connect to
the MPLS network through PE1 and PE2, and users connected to PE1 and PE2 change
frequently. A proper VPN solution is required to provide secure VPN services for users and to
simplify configuration when new users connect to the network.
A Martini VLL connection can be set up between CE1 and CE2 to meet the requirements. By
default, PE1 and PE2 set up one LSP tunnel and do not load balance traffic among multiple
tunnels. When the P device does not support MPLS, Martini VLL cannot be implemented.
To solve this problem, you can apply a tunnel policy to a Martini VLL so that VLL services
can be transmitted over the GRE tunnel.
Figure 6-103 Networking diagram for configuring VLL to use a GRE tunnel
Procedure
Step 1 Configure CE1.
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
return
----End
6.7 PWE3
Specifications
This example applies to AR2220, AR2240, AR2240C, AR3260 and AR3670 routers of
V200R005C20 and later versions.
Networking Requirements
In an Air Traffic Control (ATC) scenario, the Area Control Center (ACC) connects to a
broadcasting system over the backbone network as shown in Figure 6-104. PE1 on the
backbone network uses an E&M interface to connect to the Voice Communication System of
the ACC, and PE2 uses an E&M interface to connect to the broadcasting system. The
customer requires that very high frequency (VHF) services can be normally transmitted
between the ACC and broadcasting system, so that the pilots can talk with the air traffic
controller.
In addition, communication between the ACC and broadcasting system is very important and
signal interruption is not allowed. The customer uses two E1 links to ensure communication
stability and reliability.
Figure 6-104 Configuring E&M interfaces for transmitting VHF services in ATC scenario
Requirement Analysis
l VHF services between the ACC and broadcasting system need to be transmitted through
E&M interface. PWE3 is required to set up a tunnel over the backbone network for
transmitting VHF service data.
l The customer uses two E1 links over the backbone network to ensure communication
stability and reliability. Among the current tunneling technologies, MPLS TE is
preferred due to the high reliability and fast switching capability. In addition, MPLS TE
can be used with BFD to speed up fault detection and switching between primary and
backup CR-LSPs. The primary and backup CR-LSPs set up using MPLS TE use one E1
explicit path respectively. After the primary link fails, service data is fast switched to the
hot backup CR-LSP without traffic loss or delay.
NOTE
The PWE3 function is used with a license. To use the PWE3 functions, apply for and purchase the license
from the Huawei local office.
Procedure
Step 1 Configure PE1.
#
sysname PE1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf //Enable CSPF and create an MPLS TE tunnel.
#
mpls l2vpn
#
explicit-path backup //Specify an explicit path for the backup CR-LSP.
next hop 173.1.1.2
next hop 2.2.2.9
#
explicit-path main //Specify an explicit path for the primary CR-LSP.
next hop 172.1.1.2
next hop 2.2.2.9
#
pw-template pe2pe //Set up PWE3 using the PW template.
peer-address 2.2.2.9 //Specify the remote address of the PW.
jitter-buffer depth 8 //Set the jitter buffer depth. A deeper jitter buffer tolerates more jitter, but it adds transmission delay when the data flow is reconstructed; an improper depth degrades service transmission quality.
tdm-encapsulation-number 8 //Set the number of TDM frames encapsulated into each PW packet. Fewer frames per packet reduce network delay but increase encapsulation overhead; more frames per packet use bandwidth more efficiently but increase network delay.
#
mpls ldp
#
mpls ldp remote-peer 2.2.2.9 //Specify the MPLS LDP peer.
remote-ip 2.2.2.9
#
controller E1 1/0/0
using e1
clock master //Configure the interface to work in master clock mode to ensure correct data transmission.
#
controller E1 1/0/1
using e1
clock master
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0 //Configure an AC interface to create a tunnel for transmitting high frequency services.
link-protocol tdm
peer-address 1.1.1.9
jitter-buffer depth 8
tdm-encapsulation-number 8
#
mpls ldp
#
#
mpls ldp remote-peer 1.1.1.9
remote-ip 1.1.1.9
#
controller E1 1/0/0
using e1
#
controller E1 1/0/1
using e1
#
interface Serial1/0/0:0
link-protocol ppp
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial1/0/1:0
link-protocol ppp
ip address 173.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls ldp
#
interface Serial4/0/0
link-protocol tdm
mpls l2vc pw-template pe2pe 300 tunnel-policy te
em passthrough enable
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
interface Tunnel0/0/0
ip address unnumbered interface LoopBack0
tunnel-protocol mpls te
destination 1.1.1.9
mpls te tunnel-id 100
mpls te record-route
mpls te path explicit-path main
mpls te path explicit-path backup secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1 router-id 2.2.2.9
opaque-capability enable
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 173.1.1.0 0.0.0.255
mpls-te enable
#
tunnel-policy te
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd a bind mpls-te interface Tunnel0/0/0 te-lsp
discriminator local 10
discriminator remote 10
min-tx-interval 10
min-rx-interval 10
process-pst
notify neighbor-down
commit
#
return
# When music is played in the ACC, the broadcasting system transmits voices properly and
clearly. When the primary E1 link is cut off, services are fast switched to the backup link and
pilots are not aware of interruption or delay. When the primary E1 link recovers, services are
fast switched back to the primary link and pilots are not aware of interruption or delay.
----End
7 IP Address Allocation
7.1 Example for Configuring the Router to Function as a DHCP Server to Dynamically
Assign IP Addresses to Clients
7.2 Example for Configuring the Router to Function as a DHCP Client to Dynamically Obtain
an IP Address
7.3 Example for Configuring DHCP Relay to Enable Users to Obtain IP Addresses from a
DHCP Server
7.4 Example for Configuring Users to Automatically Obtain IPv6 Addresses
Networking Requirements
The router functions as the DHCP server to dynamically allocate IP addresses to the clients on
the network segment 10.10.1.0/24. This network segment consists of two subnet segments:
10.10.1.0/25 and 10.10.1.128/25. The IP addresses of GE0/0/0 and GE0/0/1 on the router are
10.10.1.1/25 and 10.10.1.129/25, respectively. On the network segment 10.10.1.0/25, the IP
address lease is 10 days and 12 hours, the domain name is huawei.com, the DNS server
address is 10.10.1.2, the NetBIOS server address is 10.10.1.4, and the egress gateway address
is 10.10.1.1. It is required that the fixed IP address 10.10.1.5 be assigned to the office PC
(PC_AD) to meet service requirements. On the network segment 10.10.1.128/25, the IP
address lease is 5 days, the domain name is huawei.com, the DNS server address is 10.10.1.2,
no NetBIOS server address is configured, and the egress gateway address is 10.10.1.129.
Procedure
Step 1 Configure the router.
#
sysname Router
#
dhcp enable //Enable the DHCP function.
#
ip pool ip-pool1
gateway-list 10.10.1.1 //Configure a gateway address.
network 10.10.1.0 mask 255.255.255.128 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
excluded-ip-address 10.10.1.2 //Specify the IP address (10.10.1.2) that cannot be automatically allocated from the IP address pool.
excluded-ip-address 10.10.1.4 //Specify the IP address (10.10.1.4) that cannot be automatically allocated from the IP address pool.
dns-list 10.10.1.2 //Configure a DNS server address for the DHCP client.
nbns-list 10.10.1.4 //Configure a NetBIOS server address for the DHCP client.
lease day 10 hour 12 minute 0 //Set the lease of IP addresses to 10 days and 12 hours.
domain-name huawei.com //Set the domain name to huawei.com.
static-bind ip-address 10.10.1.5 mac-address fc12-2567-ce34 //Assign a fixed IP address to PC_AD.
#
ip pool ip-pool2
gateway-list 10.10.1.129 //Configure a gateway address.
network 10.10.1.128 mask 255.255.255.128 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
dns-list 10.10.1.2 //Configure a DNS server address for the DHCP client.
lease day 5 hour 0 minute 0 //Set the lease of IP addresses to 5 days.
domain-name huawei.com //Set the domain name to huawei.com.
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.128
dhcp select global //Configure the interface to use the global IP address pool.
#
interface GigabitEthernet0/0/1
ip address 10.10.1.129 255.255.255.128
dhcp select global //Configure the interface to use the global IP address pool.
#
----End
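The pool parameters above (gateway, network, excluded addresses, server addresses, lease, static binding) can be cross-checked against each other before the configuration is committed. The Python script below is an added example, not part of the Huawei document; it parses ip pool and interface views from constructed sample text modelled on ip-pool1 and ip-pool2 and reports addresses that fall outside a pool's network or that could be handed to a client by mistake.

```python
"""Audit the 'ip pool' views of a VRP DHCP server configuration: gateways,
excluded addresses, static bindings and server addresses are checked against
each pool's network, and 'dhcp select global' interfaces must sit in a pool."""
import ipaddress

# Constructed sample modelled on the page's ip-pool1 and ip-pool2. The static-bind
# in ip-pool2 is a deliberate mistake: 10.10.1.5 belongs to the first pool's network.
SAMPLE_DHCP_CONFIG = """\
ip pool ip-pool1
gateway-list 10.10.1.1
network 10.10.1.0 mask 255.255.255.128
excluded-ip-address 10.10.1.2
excluded-ip-address 10.10.1.4
dns-list 10.10.1.2
nbns-list 10.10.1.4
lease day 10 hour 12 minute 0
domain-name huawei.com
static-bind ip-address 10.10.1.5 mac-address fc12-2567-ce34
#
ip pool ip-pool2
gateway-list 10.10.1.129
network 10.10.1.128 mask 255.255.255.128
dns-list 10.10.1.2
lease day 5 hour 0 minute 0
static-bind ip-address 10.10.1.5 mac-address fc12-2567-ce35
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.128
dhcp select global
#
"""


def _new_view():
    return {"gateways": [], "excluded": [], "servers": [], "static": [],
            "network": None, "lease": None, "address": None, "global": False}


def parse_dhcp_config(config):
    """Walk the config line by line; a '#' line leaves the current pool or interface view."""
    pools, ifaces, cur = {}, {}, None
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "#":
            cur = None
        elif t[:2] == ["ip", "pool"] and len(t) == 3:
            cur = pools.setdefault(t[2], _new_view())
        elif t[0] == "interface" and len(t) == 2:
            cur = ifaces.setdefault(t[1], _new_view())
        elif cur is None:
            continue  # global commands such as 'dhcp enable'
        elif t[0] == "gateway-list":
            cur["gateways"] += t[1:]
        elif t[0] == "network" and len(t) == 4:  # network ADDR mask MASK
            cur["network"] = ipaddress.ip_network(f"{t[1]}/{t[3]}", strict=False)
        elif t[0] == "excluded-ip-address":
            cur["excluded"] += t[1:]
        elif t[0] in ("dns-list", "nbns-list"):
            cur["servers"] += t[1:]
        elif t[0] == "lease" and len(t) == 7:  # lease day D hour H minute M
            cur["lease"] = int(t[2]) * 86400 + int(t[4]) * 3600 + int(t[6]) * 60
        elif t[0] == "static-bind" and len(t) == 5:
            cur["static"].append((t[2], t[4]))  # (ip, mac)
        elif t[:2] == ["ip", "address"] and len(t) == 4:
            cur["address"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:3] == ["dhcp", "select", "global"]:
            cur["global"] = True
    return pools, ifaces


def audit_dhcp_config(config):
    """Return ({pool: summary}, [findings]); an empty findings list means the pools are consistent."""
    pools, ifaces = parse_dhcp_config(config)
    summary, findings = {}, []
    for name, p in pools.items():
        net = p["network"]
        if net is None:
            findings.append(f"{name}: no 'network' statement")
            continue
        reserved = p["gateways"] + p["excluded"]
        for gw in p["gateways"]:
            if ipaddress.ip_address(gw) not in net:
                findings.append(f"{name}: gateway {gw} is outside {net}")
        for srv in p["servers"]:
            if ipaddress.ip_address(srv) in net and srv not in reserved:
                findings.append(f"{name}: server {srv} lies in {net} but is not excluded, so it could be leased to a client")
        for ip, _mac in p["static"]:
            if ipaddress.ip_address(ip) not in net:
                findings.append(f"{name}: static-bind {ip} is outside {net}")
        # Approximate leasable count: network and broadcast addresses plus gateways,
        # excluded and statically bound addresses inside the network are unavailable.
        unavailable = {a for a in reserved + [ip for ip, _ in p["static"]] if ipaddress.ip_address(a) in net}
        summary[name] = {"network": str(net), "lease_seconds": p["lease"],
                         "dynamic_addresses": net.num_addresses - 2 - len(unavailable)}
    for iname, i in ifaces.items():
        if i["global"] and i["address"] and not any(
                p["network"] and i["address"].ip in p["network"] for p in pools.values()):
            findings.append(f"{iname}: 'dhcp select global' but {i['address'].ip} is in no pool network")
    return summary, findings
```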
Networking Requirements
RouterA functions as the DHCP client and dynamically obtains IP addresses of interfaces.
Procedure
Step 1 Configure RouterA.
#
dhcp enable //Enable the DHCP function.
#
interface GigabitEthernet0/0/0
ip address dhcp-alloc
#
#
dhcp enable //Enable the DHCP function.
#
ip pool ip-pool1
gateway-list 10.202.1.1 //Configure a gateway address.
network 10.202.1.0 mask 255.255.255.0 //Specify the range of IP addresses that can be dynamically allocated from the global IP address pool.
#
interface GigabitEthernet0/0/0
ip address 10.202.1.1 255.255.255.0
dhcp select global //Configure the interface to use the global IP address pool.
#
----End
Networking Requirements
As shown in Figure 7-3, RouterA functions as a DHCP relay agent, and RouterB functions as
a DHCP server. DHCP packets need to be relayed through RouterA so that PCs can obtain IP
addresses from RouterB.
Procedure
Step 1 Configure RouterA.
#
vlan batch 100
#
dhcp enable //Enable DHCP globally.
#
dhcp server group dhcpgroup1 //Create a DHCP server group.
dhcp-server 10.10.10.1 //Add a DHCP server to the DHCP server group.
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay //Enable DHCP relay on an interface.
dhcp relay server-select dhcpgroup1 //Specify a DHCP server group for the interface.
#
interface Ethernet 2/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet3/0/0
ip address 10.10.20.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2 //Configure a default route and set the next-hop address to 10.10.20.2.
----End
Configuration Notes
l Ensure that the PC and DHCP relay both have a reachable route to the DHCP server.
l Ensure that the DHCP relay and DHCP client are on the same subnet.
Networking Requirements
A PC can automatically obtain an IPv6 address after directly connecting to the router's
interface. A default gateway is automatically generated so that the PC can communicate with
the router. In this configuration example, when the router is configured to send router
advertisement (RA) messages, the PC can automatically configure an IP address according to
the received RA message and generate the default route with the router as the next hop.
Procedure
Step 1 Configure the router.
#
ipv6 //Enable IPv6.
#
interface GigabitEthernet0/0/0
ipv6 enable
NOTE
(1) Automatically configured global unicast IPv6 address, which has the same prefix as the IPv6 address
of GE0/0/0
(2) EUI-64 address generated using a MAC address
(3) Link-local address
(4) Automatically generated default gateway address, which is the link-local IPv6 address of the
interface directly connecting the PC to the router
Ping GE0/0/0 from the PC. The ping operation succeeds.
C:\> ping fc01::1
----End
8 Deploying Routing
Networking Requirements
Static routes need to be configured to ensure that any two hosts can communicate with each
other. Figure 8-1 shows the IP addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.4.1 255.255.255.252
#
ip route-static 10.1.2.0 255.255.255.0 10.1.4.2
ip route-static 10.1.3.0 255.255.255.0 10.1.4.2 //Configure static routes on RouterA.
#
return
----End
Configuration Notes
l Configure IPv4 addresses for routers' interfaces correctly.
l Configure IP addresses on the same network segment for the interfaces connecting two
routers together.
l Configure default gateways for hosts.
Networking Requirements
NQA for static IPv4 routes can quickly detect network faults and control advertisement of
static routes. As shown in Figure 8-2, RouterA connects to RouterB through GE2/0/0 and
connects to RouterC through GE1/0/0. Two links are available from RouterA to RouterD:
RouterA-->RouterB-->RouterD (primary link) and RouterA-->RouterC-->RouterD (backup
link). Configure an NQA ICMP test instance on RouterA to detect the active link. When the
active link becomes faulty, packets sent from RouterA to RouterD are switched to the standby
link.
Figure 8-2 Networking diagram of configuring NQA for static IPv4 routes
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.6.1 255.255.255.0
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2
ip route-static 192.168.3.0 255.255.255.0 192.168.4.2
ip route-static 192.168.5.0 255.255.255.0 192.168.1.2 preference 100 //Set the preference of the static route to 100 so that it can be used as the backup route.
ip route-static 192.168.5.0 255.255.255.0 GigabitEthernet2/0/0 192.168.4.2 track nqa admin icmp //Configure a static route and associate it with an NQA test instance.
#
nqa test-instance admin icmp //Configure an NQA test instance named admin icmp.
test-type icmp //Set the test type to ICMP.
destination-address ipv4 192.168.3.1 //Set the destination address of the NQA test instance to 192.168.3.1.
frequency 10 //Set the interval between two NQA tests to 10s.
probe-count 2 //Set the number of test probes of an NQA test instance to 2.
start now //Start the NQA test instance immediately.
#
Configuration Notes
l The static route associated with an NQA test instance is deleted from the routing table
only when the NQA test fails. You can run the display nqa results command to view the
NQA test result.
l Before modifying the configuration of an NQA test instance, stop the NQA test instance.
l If the static route associated with one NQA test instance is associated with another NQA
test instance, the association between the static route and the former NQA test instance is
removed.
l Only the NQA ping test instance is used so that RouterA switches services based on the
test result. There is no requirement for the peer device configuration.
Networking Requirements
Static routes need to be configured to ensure that any two hosts can communicate with each
other. Figure 8-3 shows the IPv6 addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1::1 64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::2 64
#
ipv6 route-static 3:: 64 2::1
ipv6 route-static 4:: 64 2::1
ipv6 route-static 5:: 64 2::1 //Configure static routes on RouterA.
#
return
#
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 3::1 64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::1 64
#
interface GigabitEthernet3/0/0
ipv6 enable
ipv6 address 4::1 64
#
ipv6 route-static 1:: 64 2::2
ipv6 route-static 5:: 64 4::2
#
return
----End
Configuration Notes
l Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.
l Configure IPv6 addresses for routers' interfaces correctly.
l Configure default gateways for hosts.
Networking Requirements
On a company's internal network shown in Figure 8-4, there are two forwarding paths from
Router_1 and Router_2 and with next hops Router_2 and Router_3 respectively. Router_1 and
Router_2 are far from each other, and the L2 Switch acts as the relay agent between Router_1
and Router_2. In this example, Router_2 does not support bidirectional forwarding detection
(BFD). BFD for IPv4 static routes needs to be configured on Router_1 to ensure that
Router_1 can fast detect the failure (for example the Down state) of the link between
Router_2 and the L2 Switch and switch traffic to the link of Router_3.
Figure 8-4 Networking diagram of configuring BFD for IPv4 static routes
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1 //Configure an IP address for GigabitEthernet2/0/1 on Router_1.
ip address 10.10.10.101 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.10.20.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.10.40.101 255.255.255.0
#
bfd aa bind peer-ip 10.10.10.102 interface GigabitEthernet2/0/1 one-arm-echo //Configure the BFD session between Router_1 and Router_2.
discriminator local 1
min-echo-rx-interval 100
commit
#
ip route-static 10.10.50.0 24 GigabitEthernet2/0/1 10.10.10.102 track bfd-session aa //Configure a static route from Router_1 to 10.10.50.0/24. Traffic from Router_1 to Router_2 is first forwarded along the link Router_1 -> L2 Switch -> Router_2. When that link fails, the traffic is switched to the link Router_1 -> Router_3 -> Router_2.
ip route-static 10.10.50.0 24 GigabitEthernet2/0/2 10.10.20.102 preference 65
#
return
----End
Networking Requirements
Figure 8-5 shows IP addresses and masks of hosts and routers' interfaces. Static routes need
to be configured to ensure that any two hosts can communicate with each other.
Procedure
Step 1 Configure the switch.
#
vlan batch 10 20 100
#
interface vlanif 10
ip address 192.168.10.1 255.255.255.0
#
interface vlanif 20
ip address 192.168.20.1 255.255.255.0
#
interface vlanif 100
ip address 1.1.1.2 255.255.255.0
#
interface gigabitEthernet0/0/1
port link-type access
port default vlan 100 //Add GigabitEthernet0/0/1 to VLAN 100 as an access interface. This interface connects to the router.
#
interface gigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface gigabitEthernet0/0/3
port link-type access
port default vlan 20
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //Configure a default static route.
#
return
Run the route add 1.1.1.0 mask 24 192.168.10.1 command on PC1 and the route add 1.1.1.0
mask 24 192.168.20.1 command on PC2 to add a route to the 1.1.1.0/24 network segment on
each PC.
# Run the display ip routing-table command to view the IP routing table of the Router.
----End
Configuration Notes
l Configure IPv4 addresses for routers' interfaces correctly.
l Configure IPv4 default gateways for hosts.
Specifications
This example applies to all AR models of all versions.
Networking Requirements
Figure 8-6 shows IP addresses and masks of hosts and routers' interfaces. Fixed IP addresses
need to be configured for two outbound interfaces of IPv4 static routes so that users can
access the Internet using the other backup route after one route is lost.
Figure 8-6 Configuring fixed IP addresses for two outbound interfaces of IPv4 static routes
Procedure
Step 1 Configure the Router.
#
sysname Router //Change the device name.
#
acl number 2000
rule 5 permit
#
acl number 2001
rule 5 permit
#
interface gigabitethernet 1/0/0
ip address 10.10.1.1 24 //Configure the external network interface 1.
nat outbound 2000
#
interface gigabitethernet 2/0/0
ip address 10.10.2.1 24 //Configure the external network interface 2.
nat outbound 2001
#
interface gigabitethernet 3/0/0
ip address 192.168.0.1 24 //Configure the internal network interface 1.
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
ip route-static 0.0.0.0 0.0.0.0 10.10.2.2
#
----End
Configuration Notes
l Configure an ACL to determine for which network segments NAT needs to be
performed.
l Configure NAT in the outbound interface view.
8.2 RIP
Applicability
This example applies to all versions and AR routers.
Networking Requirements
RIP needs to be configured to ensure that two hosts can communicate with each other. Figure
8-7 shows the IP addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
rip 1
version 2 //Set the RIP version.
network 192.168.1.0 //Enable RIP on the specified network segment.
network 10.0.0.0
#
return
Set the default gateway of hosts in VLAN 10 to 192.168.1.1 and the default gateway of hosts
in VLAN 20 to 172.16.1.1.
----End
Configuration Notes
l Configure IPv4 addresses for routers' interfaces correctly.
l Configure IP addresses on the same network segment for interfaces connecting two
routers together.
l Configure default gateways for hosts.
l Enable RIP on a natural network segment.
Networking Requirements
In Figure 8-8, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Routing Information Protocol
(RIP) and establish RIP neighbor relationships to ensure that they are reachable at the network
layer.
Router_3 does not support bidirectional forwarding detection (BFD). The company wants to
configure BFD for RIP on Router_1 and use BFD echo packets to ensure that BFD can fast
detect and notify RIP of the link failure between Router_1 (or Router_3) and the L2 Switch.
The company wants to configure BFD for RIP on Router_1 and Router_3 to meet the
following requirements:
• Detect the link that passes through the L2 Switch.
• Ensure that the devices can fast detect and notify RIP of the link failure and switch traffic to the link of Router_2.
Figure 8-8 (interface addresses recovered from the diagram): GE2/0/2 10.10.0.101/24; GE2/0/3 10.20.1.1/24; GE2/0/2 10.40.1.101/24; GE2/0/2 10.40.1.102/24; GE2/0/3 10.30.1.1/24
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
rip bfd static
#
interface GigabitEthernet2/0/2
ip address 10.10.0.101 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.20.1.1 255.255.255.0
#
rip 1 //Configure basic RIP functions on Router_1.
version 2
network 10.0.0.0
#
bfd 1 bind peer-ip 10.10.0.102 interface GigabitEthernet2/0/1 one-arm-echo //Configure the BFD echo function on Router_1.
discriminator local 1
min-echo-rx-interval 200
commit
#
return
----End
8.3 RIPng
Networking Requirements
RIPng needs to be configured to ensure that two hosts can communicate with each other.
Figure 8-9 shows the IPv6 addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1::1 64
ripng 1 enable //Enable RIPng on the specified interface.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2::2 64
ripng 1 enable
#
ripng 1 //Enable RIPng process 1.
#
return
Set the default gateway of hosts in VLAN 10 to 1::1 and the default gateway of hosts in
VLAN 20 to 3::1.
# Run the display ripng process-id route command to view the RIPng routing table. The
RIPng routing table contains the routes advertised by RIPng.
----End
Configuration Notes
• Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers. Before configuring IPv6 features on an interface, enable IPv6 on the interface.
• Configure IPv6 addresses for routers' interfaces.
• Configure IP addresses on the same network segment for interfaces connecting two routers together.
• Configure default gateways for hosts.
8.4 OSPF
Applicability
This example applies to all versions and AR routers.
Networking Requirements
OSPF needs to be configured to ensure that PC1 and PC2 communicate with each other
through RouterA and RouterB.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet3/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
area 0.0.0.0
network 192.168.1.0 0.0.0.255 //Specify 192.168.1.0/24 as the network segment of the interface running OSPF process 2, and Area 0 as the area to which the interface belongs.
network 192.168.0.0 0.0.0.255
#
Set the default gateway of PC1 to 192.168.1.1 and the default gateway of PC2 to 192.168.2.1.
----End
Configuration Notes
• Configure the interface of SwitchA connected to RouterA as a trunk interface and add it to VLAN 10.
• Configure the interface of SwitchB connected to RouterB as a trunk interface and add it to VLAN 20.
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• GE3/0/0 interfaces on RouterA and RouterB must belong to the same OSPF area.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
Area 2 is not directly connected to Area 0. Area 1 functions as a transit area to connect Area 2
and Area 0. A virtual link needs to be established between RouterA and RouterB so that
RouterA can learn routes from Area 2. OSPF area authentication needs to be performed on all
OSPF neighbors and OSPF interface authentication needs to be performed on all interfaces.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
ospf authentication-mode hmac-sha256 //Set the authentication mode to hmac-sha256 authentication.
#
interface GigabitEthernet2/0/0
ip address 192.168.0.2 255.255.255.0
ospf authentication-mode hmac-sha256
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
area 0.0.0.0
authentication-mode hmac-sha256 //Set the authentication mode to hmac-sha256 authentication.
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface running OSPF process 2, and Area 0 as the area to which the interface belongs.
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
vlink-peer 2.2.2.2 //Create a virtual link with the remote router ID as 2.2.2.2.
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 2
area 0.0.0.1
authentication-mode hmac-sha256
network 192.168.1.0 0.0.0.255
vlink-peer 1.1.1.1
area 0.0.0.2
authentication-mode hmac-sha256
network 192.168.3.0 0.0.0.255
#
----End
Configuration Notes
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• When area authentication is used, all the routers in an area must have the same authentication mode and password.
• When interface authentication is used, interfaces on the same network segment must have the same authentication mode and password. The interface authentication mode takes precedence over the area authentication mode.
• Routers on two ends must have the same virtual link authentication mode and password.
Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. Area 1 needs to be configured as a stub area so that RouterC can use the default route
advertised by ABR to access the network outside the area.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
import-route direct //Configure the router to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface running OSPF process 2, and Area 0 as the area to which the interface belongs.
#
----End
Configuration Notes
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• All the routers in a stub area must be configured with stub attributes.
Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. Area 1 needs to be configured as an NSSA so that RouterC can use the default route
advertised by the ABR to access the network outside the area.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
import-route direct //Configure the router to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface running OSPF process 2, and Area 0 as the area to which the interface belongs.
#
# Run the ping command on RouterC. The command output shows that RouterC can
communicate with devices on network segments 192.168.0.0/24 and 192.168.2.0/24.
# Run the display ip routing-table command on RouterB to view the IP routing table. The
routing table contains the direct routes imported by RouterA and RouterC.
----End
Configuration Notes
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• All the routers in an NSSA must be configured with NSSA attributes.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterB is an
ABR. RouterB is required to summarize routes of specified network segments that are learned
from RouterA and advertise the summarized routes to RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
----End
Configuration Notes
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
Networking Requirements
RouterA and RouterB run in Area 0, and RouterB and RouterC run in Area 1. RouterA is an
ASBR and RouterB is an ABR. RouterA is required to summarize imported direct routes and
advertise the summarized routes to other routers in the same OSPF AS.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback0 as the router ID.
#
interface GigabitEthernet1/0/0
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 2
asbr-summary 192.168.2.0 255.255.254.0 //Configure the ASBR to summarize imported routes.
import-route direct //Configure the ASBR to import direct routes.
area 0.0.0.0
network 192.168.0.0 0.0.0.255 //Specify 192.168.0.0/24 as the network segment of the interface running OSPF process 2, and Area 0 as the area to which the interface belongs.
#
# Run the display ip routing-table command on RouterB to view the IP routing table. The
routing table contains the imported direct route of network segment 192.168.2.0/23 that is
advertised by RouterA.
# Run the display ip routing-table command on RouterC to view the IP routing table. The
routing table contains the imported direct route of network segment 192.168.2.0/23 that is
advertised by RouterA.
----End
Configuration Notes
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• Imported intra-area routes must be summarized by an ASBR but not an ABR.
Specifications
This example applies to all AR models of all versions.
Networking Requirements
As shown in Figure 8-16, Company A uses Open Shortest Path First (OSPF) to implement
interconnection between all devices. Company A merges with Company B that uses the
Routing Information Protocol (RIP), requiring OSPF and RIP to import routes to each other
so that departments can communicate. Router_1 and Router_2 function as core devices to
ensure communication between departments. To meet service requirements, Company A
needs to control and adjust network routes by taking the following measures:
• Filter the imported routes on Router_5 to prevent R&D department 2 from accessing Marketing department 1, R&D department 1, and After-sales Service department.
• Filter routes on Router_3 to prevent Marketing department 1 from accessing R&D department 1.
• Filter routes on Router_4 to prevent R&D department 1 and After-sales Service department from accessing Marketing department 2.
Figure 8-16 (interface addresses recovered from the diagram): GE2/0/3 10.4.1.1/24; GE2/0/3 10.10.2.1/24 (network segment where R&D department 1 resides); GE2/0/3 10.10.5.1/24 (network segment where Marketing department 2 resides)
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.4.1.1 255.255.255.0
#
ospf 1 //Enable OSPF on the specified network segment.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
area 0.0.0.1
network 10.4.1.0 0.0.0.255
area 0.0.0.2
network 10.2.1.0 0.0.0.255
#
return
# On Router_3, ping the destination address 10.10.2.1 from the source address 10.10.3.1. The
ping operation fails, indicating that Marketing department 1 cannot access R&D department
1.
# On Router_4, ping the destination address 10.10.5.1 from source addresses 10.10.1.1 and
10.10.2.1. The ping operations fail, indicating that R&D department 1 and After-sales Service
department cannot access Marketing department 2.
# Check information about Router_3 and Router_4 routing tables. The two routing tables do
not contain routes to 10.10.4.0/24, indicating that R&D department 2 cannot access Marketing
department 1, R&D department 1, and After-sales Service department.
----End
Configuration Notes
• When filtering routes, you need to specify the export keyword to filter imported external routes. This keyword is only applicable to an autonomous system boundary router (ASBR).
• The route filtering function filters only the routes in routing tables but not the LSAs advertised in OSPF.
• Routing communication is bidirectional. After you filter routes from a router to a specified destination network segment, other network segments connected to the router cannot access devices on the destination network segment, and devices on the destination network segment cannot access devices on the source network segment.
• When using ACLs to implement the route filtering function, you must set the last ACL rule to permit packets from all source addresses; otherwise, the routes of all network segments are filtered out.
Networking Requirements
In Figure 8-17, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Open Shortest Path First
(OSPF) and establish OSPF neighbor relationships to ensure that they are reachable at the
network layer.
Router_1, Router_2, and Router_3 support bidirectional forwarding detection (BFD). The company wants to use BFD for OSPF with BFD control packets to ensure that BFD can fast detect and notify OSPF of the failure (for example, the Down state) of the link between Router_1 or Router_3 and the L2 Switch.
The company wants to configure BFD for OSPF on Router_1 and Router_3 to meet the
following requirements:
• Detect the link that passes through the L2 Switch.
• Ensure that the devices can fast detect and notify OSPF of the link failure and switch traffic to the link of Router_2.
Figure 8-17 (addresses recovered from the diagram): GE2/0/2 10.10.0.101/24; GE2/0/3 10.20.1.1/24; Host A 10.20.1.2/24; GE2/0/2 10.40.1.101/24; GE2/0/2 10.40.1.102/24; GE2/0/3 10.30.1.1/24; Host C 10.30.1.2/24
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
ospf bfd enable //Enable BFD on an interface.
ospf bfd min-tx-interval 100 min-rx-interval 100
#
interface GigabitEthernet2/0/2
# Run the display ospf peer command on Router_1 to check OSPF neighbor information.
The command output shows that Router_1 and Router_3 have established an OSPF neighbor
relationship.
# Run the display ospf bfd session all command on Router_1 and Router_3 to check BFD
session information. The command output shows that a BFD session has been set up between
Router_1 and Router_3 and is in Up state.
# Run the display ip routing-table 10.30.1.0 verbose command on Router_1 to check routes
to 10.30.1.0/24. The command output shows that Router_1 and Router_3 communicate
through the L2 Switch.
----End
8.5 OSPFv3
Applicability
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
OSPFv3 runs on RouterA, RouterB, and RouterC. RouterA and RouterC import direct routes.
PC1 and PC2 connect to RouterA and RouterC respectively. It is required that PC1 and PC2
successfully ping each other.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
ospfv3 2
router-id 10.10.10.10 //Set the router ID of the router running OSPFv3 process 2 to 10.10.10.10.
import-route direct //Configure the router to import external routes.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1999::1/64
#
interface GigabitEthernet2/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 2000::1/64
ospfv3 2 area 0.0.0.0 //Configure OSPFv3 process 2 on the interface and specify the area to which the interface belongs as Area 0.
Configuration Notes
• The OSPFv3 router ID must be manually configured. If no router ID is configured, OSPFv3 cannot run properly.
• You must configure different router IDs for routers in an AS and specify different router IDs for multiple OSPFv3 processes running on the same router.
• Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers. Before configuring IPv6 features on an interface, enable IPv6 on the interface.
Networking Requirements
OSPFv3 process 2 runs on RouterA and RouterB, and OSPFv3 process 3 runs on RouterB and
RouterC. It is required that GE1/0/0 interfaces on RouterA and RouterC successfully ping
each other.
Figure 8-19 Networking diagram of configuring two OSPFv3 processes for communication
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
ospfv3 2
router-id 10.10.10.10 //Set the router ID of the router running OSPFv3 process 2 to 10.10.10.10.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1999::1/64
ospfv3 2 area 0.0.0.0 //Configure OSPFv3 process 2 on the interface and specify the area to which the interface belongs as Area 0.
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::1/64
ospfv3 2 area 0.0.0.0
#
# Run the ping ipv6 -a 1999::1 2002::1 command on RouterA. The command output shows
that GE1/0/0 interfaces on RouterA and RouterC successfully ping each other.
----End
Configuration Notes
• The OSPFv3 router ID must be manually configured. If no router ID is configured, OSPFv3 cannot run properly.
• You must configure different router IDs for routers in an AS and specify different router IDs for multiple OSPFv3 processes running on the same router.
• Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers. Before configuring IPv6 features on an interface, enable IPv6 on the interface.
Networking Requirements
As shown in Figure 8-20, Company A uses Open Shortest Path First version 3 (OSPFv3) to
implement interconnection between all devices. Company A merges with Company B that
uses the Routing Information Protocol next generation (RIPng), requiring OSPFv3 and RIPng
to import routes to each other so that departments can communicate. Router_1 and Router_2
function as core devices to ensure communication between departments. To meet service
requirements, Company A needs to control and adjust network routes by taking the following
measures:
• Filter the imported routes on Router_5 to prevent R&D department 2 from accessing Marketing department, R&D department 1, and After-sales Service department.
• Filter routes on Router_3 to prevent Marketing department 1 from accessing R&D department 1.
• Filter routes on Router_4 to prevent R&D department 1 and After-sales Service department from accessing Marketing department 2.
Figure 8-20 (interface addresses recovered from the diagram): GE2/0/3 FC04::1/64; GE2/0/3 FC12::1/64 (network segment where R&D department 1 resides); GE2/0/3 FC15::1/64 (network segment where Marketing department 2 resides)
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC01::1/64
ospfv3 1 area 0.0.0.0
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC02::1/64
ospfv3 1 area 0.0.0.2
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC04::1/64
ospfv3 1 area 0.0.0.1
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_1 interfaces.
router-id 6.6.6.6
area 0.0.0.0
area 0.0.0.1
area 0.0.0.2
#
return
#
acl ipv6 number 2000 //Create a basic IPv6 ACL to deny packets with the source IPv6 address FC15::1/64.
rule 0 deny source FC15::/64
rule 5 permit
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC03::2/64
ospfv3 1 area 0.0.0.3
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC11::1/64
ospfv3 1 area 0.0.0.3
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC12::1/64
ospfv3 1 area 0.0.0.3
#
ospfv3 1 //Create an OSPFv3 process, and enable OSPFv3 on Router_4 interfaces.
router-id 3.3.3.3
filter-policy 2000 import //Use IPv6 ACL 2000 to filter the routes to be added to the routing table.
area 0.0.0.3
#
return
#
ipv6
#
interface GigabitEthernet2/0/1
ipv6 enable
ipv6 address FC05::2/64
ripng 1 enable
#
interface GigabitEthernet2/0/2
ipv6 enable
ipv6 address FC14::1/64
ripng 1 enable
#
interface GigabitEthernet2/0/3
ipv6 enable
ipv6 address FC15::1/64
ripng 1 enable
#
ripng 1 //Create a RIPng process, and enable RIPng on Router_6 interfaces.
#
return
# On Router_3, ping the destination address FC12::1 from the source address FC13::1. The
ping operation fails, indicating that Marketing department 1 cannot access R&D department
1.
# On Router_4, ping the destination address FC15::1 from source addresses FC11::1 and
FC12::1. The ping operations fail, indicating that R&D department 1 and After-sales Service
department cannot access Marketing department 2.
# Check information about Router_3 and Router_4 routing tables. The two routing tables do
not contain routes to FC14::/64, indicating that R&D department 2 cannot access Marketing
department 1, R&D department 1, and After-sales Service department.
----End
Configuration Notes
• When filtering routes, you need to specify the export keyword to filter imported external routes. This keyword is only applicable to an autonomous system boundary router (ASBR).
• The route filtering function filters only the routes in routing tables but not the LSAs advertised in OSPFv3.
• Routing communication is bidirectional. After you filter routes from a router to a specified destination network segment, other network segments connected to the router cannot access devices on the destination network segment, and devices on the destination network segment cannot access devices on the source network segment.
• When using ACLs to implement the route filtering function, you must set the last ACL rule to permit packets from all source addresses; otherwise, the routes of all network segments are filtered out.
• When configuring OSPFv3, you must specify the router ID.
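The following added example (not code from the Huawei document) evaluates IPv6 ACL 2000 the way `filter-policy 2000 import` on Router_4 does, and shows what happens when the final `rule 5 permit` is omitted, the case the note above warns about for both the OSPFv3 example here and the OSPF example in 8.4. The route list is constructed from the interface prefixes in this example; the first-match-wins and implicit-deny semantics are the usual basic-ACL rules.

```python
"""Apply a basic ACL to learned routes as `filter-policy <acl> import` does.

Added example, not the document's own code.  Rules are tried in ascending
rule-number order, the first match decides, and a route that matches no rule
is denied (the implicit deny at the end of every ACL).  For route filtering,
`source` in the ACL is compared with the route's network address; the route's
own prefix length is not compared.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # prefix such as "FC15::/64"; None matches any


def rule_matches(rule: Rule, route: str) -> bool:
    """True when the route's network address lies inside the rule's source range."""
    if rule.source is None:
        return True
    net = ipaddress.ip_network(route)
    src = ipaddress.ip_network(rule.source)
    # An IPv4 route never matches an IPv6 ACL and vice versa.
    return net.version == src.version and net.network_address in src


def filter_routes(rules, routes):
    """Return (accepted, rejected): what reaches the routing table and what is dropped."""
    ordered = sorted(rules, key=lambda r: r.number)
    accepted, rejected = [], []
    for route in routes:
        verdict = "deny"                       # implicit deny unless a rule says otherwise
        for rule in ordered:
            if rule_matches(rule, route):
                verdict = rule.action
                break
        (accepted if verdict == "permit" else rejected).append(route)
    return accepted, rejected


# ACL 2000 exactly as configured on Router_4 in this example.
ACL_2000 = [Rule(0, "deny", "FC15::/64"), Rule(5, "permit")]
# The same ACL with the trailing permit forgotten (constructed misconfiguration).
ACL_2000_NO_PERMIT = [Rule(0, "deny", "FC15::/64")]

# Constructed sample of routes Router_4 could learn, using prefixes from the example.
LEARNED = ["FC15::/64", "FC14::/64", "FC05::/64", "FC01::/64", "FC02::/64"]

if __name__ == "__main__":
    print("with rule 5 permit   :", filter_routes(ACL_2000, LEARNED))
    print("without rule 5 permit:", filter_routes(ACL_2000_NO_PERMIT, LEARNED))
```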
8.6 IS-IS(IPv4)
Specifications
This example applies to all AR models of all versions.
Networking Requirements
As shown in Figure 8-21, the company headquarters and branch 1 use Intermediate System to
Intermediate System (IS-IS) for communication. An independent network has been deployed
for the Marketing department and Finance department in the headquarters. Branch 2 uses
Open Shortest Path First (OSPF). The company has the following requirements:
• The Marketing department and Finance department in the headquarters can communicate. The route leaking function is configured so that branches can communicate normally with the headquarters and Marketing department but cannot communicate with the Finance department and cannot view routes of the Finance department.
• OSPF routes of branch 2 are imported into the branch network so that the Marketing department can communicate with branch 2.
• Communication is not interrupted when the IS-IS process of the headquarters gateway Router_3 restarts.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
isis 1 //Configure basic IS-IS functions.
is-level level-1
network-entity 10.0000.0000.1001.00
#
interface GigabitEthernet2/0/1
ip address 1.1.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 10.100.1.1 255.255.255.0
isis enable 1
#
return
#
isis 1 //Configure basic IS-IS functions.
is-level level-2
network-entity 20.0000.0002.0001.00
import-route direct //Configure the IS-IS process to import direct routes.
import-route ospf 1 //Configure the IS-IS process to import routes of the OSPF process.
#
interface GigabitEthernet2/0/1
ip address 1.1.10.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/2
ip address 1.1.20.1 255.255.255.0
isis enable 1
#
ospf 1 //Configure basic OSPF functions.
import-route direct //Configure the OSPF process to import direct routes.
import-route isis 1 //Configure the OSPF process to import routes of the IS-IS process.
area 0.0.0.0
network 1.1.20.0 0.0.0.255
#
return
# Check the IS-IS routing table on Router_4. The routing table contains routes of the
Marketing department (10.100.1.0/24) but does not contain routes of the Finance department
(10.100.2.0/24). This indicates that branches can communicate only with the Marketing
department.
# Check the IS-IS routing table on Router_3. The routing table contains routes of the network
segment 10.200.1.0/24. Ping 10.200.1.1 from Router_3. The ping operation succeeds,
indicating that the Marketing department can communicate normally with branch 2.
# Ping Router_2 from Router_1, and restart the IS-IS process on Router_3 during the ping
operation. Communication is not interrupted during the restart of the IS-IS process on
Router_3. You can view the IS-IS graceful restart (GR) status on Router_3 in the display isis
graceful-restart status command output.
----End
Configuration Notes
Do not change the network topology during the GR of devices. Otherwise, a routing blackhole
may occur.
Networking Requirements
As shown in Figure 8-22, IS-IS is configured on three routers. RouterA is the Level-1 router,
RouterB is the Level-1-2 router, and RouterA and RouterB belong to area 10. RouterC is the
Level-2 router and belongs to area 20. All routes in area 10 need to be aggregated and sent to
RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
isis 10 //Enable IS-IS process 10.
is-level level-1 //Set the router level to Level-1.
network-entity 10.0000.0000.0001.00 //Set a NET for the IS-IS process.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
isis enable 10 //Enable IS-IS on the interface.
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
isis enable 10
#
interface GigabitEthernet3/0/0
ip address 192.168.2.1 255.255.255.0
isis enable 10
#
network-entity 10.0000.0000.0002.00
summary 192.168.0.0 255.255.0.0 level-1-2 //Configure IS-IS to aggregate routes.
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
isis enable 10
#
interface GigabitEthernet2/0/0
ip address 192.168.3.2 255.255.255.0
isis enable 10
#
----End
Configuration Notes
• When using the network-entity command to set a NET for an IS-IS process, configure the same area ID for routers in an area.
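The added example below (not the Huawei document's own code) works out what the `summary 192.168.0.0 255.255.0.0 level-1-2` statement above and the `asbr-summary 192.168.2.0 255.255.254.0` statement in 8.4 actually absorb, which prefix would be the tightest summary, and how much unreachable address space a too-wide summary advertises. The route lists are constructed from the interface addresses shown in those two examples.

```python
"""Route summarization checks for OSPF asbr-summary and IS-IS summary statements.

Added example, not the document's own code.  Summaries may be given either as
"192.168.2.0/23" or in the document's "192.168.2.0/255.255.254.0" form.
"""
import ipaddress


def split_by_summary(summary: str, routes):
    """Return (absorbed, passed): routes hidden behind the summary and routes
    that are still advertised individually."""
    summ = ipaddress.IPv4Network(summary)
    absorbed, passed = [], []
    for route in routes:
        net = ipaddress.IPv4Network(route)
        (absorbed if net.subnet_of(summ) else passed).append(route)
    return absorbed, passed


def minimal_summary(routes) -> str:
    """Smallest single prefix covering every route: widen the first route's
    prefix one bit at a time until all the others fit.  Configuring this,
    rather than a conveniently round mask, keeps the summary from claiming
    address space that is not actually reachable behind the router."""
    nets = [ipaddress.IPv4Network(r) for r in routes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def over_claimed(summary: str, routes):
    """Address blocks the summary advertises although no real route covers
    them.  Traffic for these destinations is attracted to the summarizing
    router and dropped there, so a summary that is wider than the routes it
    stands for can black-hole prefixes that belong elsewhere."""
    summ = ipaddress.IPv4Network(summary)
    covered = [ipaddress.IPv4Network(r) for r in routes
               if ipaddress.IPv4Network(r).subnet_of(summ)]
    remaining = [summ]
    for net in covered:
        next_round = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                  # block fully reachable
            if net.subnet_of(block):
                next_round.extend(block.address_exclude(net))  # carve the route out
            else:
                next_round.append(block)                  # disjoint, keep as is
        remaining = next_round
    return [str(n) for n in sorted(remaining)]


# Constructed from RouterA in the OSPF ASBR summarization example (8.4).
OSPF_ROUTES = ["192.168.2.0/24", "192.168.3.0/24", "192.168.0.0/24", "1.1.1.1/32"]
# Constructed from the interfaces of area 10 in the IS-IS summarization example (8.6).
ISIS_ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    print(split_by_summary("192.168.2.0/255.255.254.0", OSPF_ROUTES))
    print(minimal_summary(ISIS_ROUTES), over_claimed("192.168.0.0/255.255.0.0", ISIS_ROUTES))
```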
Networking Requirements
In Figure 8-23, a company uses an L2 Switch as a relay agent to connect two departments that
are far from each other. Router_1, Router_2, and Router_3 run Intermediate System to
Intermediate System (IS-IS) and establish IS-IS neighbor relationships to ensure that they are
reachable to each other at the network layer.
Router_1, Router_2, and Router_3 support bidirectional forwarding detection (BFD). The company wants to use BFD for IS-IS with BFD control packets to ensure that BFD can fast detect and notify IS-IS of the failure (for example, the Down state of the link between Router_1 or Router_3 and the L2 Switch).
The company wants to configure BFD for IS-IS on Router_1 and Router_3 to meet the
following requirements:
• Detect the link that passes through the L2 Switch.
• Ensure that the devices can fast detect and notify IS-IS of the link failure and switch traffic to the link of Router_2.
Figure 8-23 (interface addresses recovered from the diagram): GE2/0/2 10.10.0.101/24; GE2/0/3 10.20.1.1/24; GE2/0/2 10.40.1.101/24; GE2/0/2 10.40.1.102/24; GE2/0/3 10.30.1.1/24
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
bfd
#
isis 1 //Configure basic IS-IS functions on Router_1, and enable BFD for IS-IS.
is-level level-2
bfd all-interfaces enable
network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet2/0/1
ip address 10.1.0.101 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 //Set the minimum interval for sending and receiving single-hop BFD control packets to 100 ms.
#
interface GigabitEthernet2/0/2
ip address 10.10.0.101 255.255.255.0
isis enable 1
#
interface GigabitEthernet2/0/3
ip address 10.20.1.1 255.255.255.0
#
return
# Run the display isis bfd session all command on Router_1 and Router_3 to check BFD
session information. The command output shows that a BFD session has been set up and
Session State is in Up state.
# Run the display ip routing-table 10.30.1.0 verbose command on Router_1 to check routes
to 10.30.1.0/24. The command output shows that Router_1 and Router_3 communicate
through the L2 Switch.
----End
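As an added example (not the Huawei document's own code) covering the `isis bfd min-tx-interval 100 min-rx-interval 100` setting above and the equivalent `ospf bfd` setting in 8.4, the block below applies the RFC 5880 asynchronous-mode rules to compute what each end actually transmits and how long it takes to declare the session Down. The detect multiplier is not shown in the document, so 3 is assumed, and the peer's 1000 ms timers in the second scenario are a constructed assumption.

```python
"""BFD asynchronous-mode timer negotiation (RFC 5880).

Added example, not the document's own code.  A system transmits no faster
than max(its own min-tx, the peer's min-rx), and it declares the session Down
after detect_mult(peer) x max(its own min-rx, the peer's min-tx) without
receiving a control packet.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdSide:
    name: str
    min_tx_ms: int
    min_rx_ms: int
    detect_mult: int = 3      # assumption: the multiplier is not shown in the document


def tx_interval_ms(local: BfdSide, remote: BfdSide) -> int:
    """Interval at which `local` actually sends control packets after negotiation."""
    return max(local.min_tx_ms, remote.min_rx_ms)


def detection_time_ms(local: BfdSide, remote: BfdSide) -> int:
    """Silence after which `local` declares Down and notifies IS-IS/OSPF."""
    return remote.detect_mult * max(local.min_rx_ms, remote.min_tx_ms)


def negotiate(a: BfdSide, b: BfdSide) -> dict:
    """Per-side view of the negotiated session."""
    return {
        a.name: {"tx_ms": tx_interval_ms(a, b), "detect_ms": detection_time_ms(a, b)},
        b.name: {"tx_ms": tx_interval_ms(b, a), "detect_ms": detection_time_ms(b, a)},
    }


def meets_budget(a: BfdSide, b: BfdSide, budget_ms: int) -> bool:
    """True only if BOTH ends detect a failure within the budget.  Tuning one
    router alone does not give fast detection: the slower peer's timers win
    the negotiation on both sides."""
    return all(side["detect_ms"] <= budget_ms for side in negotiate(a, b).values())


# Scenario 1: both ends configured as in the examples (100 ms / 100 ms).
ROUTER_1 = BfdSide("Router_1", min_tx_ms=100, min_rx_ms=100)
ROUTER_3 = BfdSide("Router_3", min_tx_ms=100, min_rx_ms=100)
# Scenario 2 (constructed): Router_3 left at assumed 1000 ms timers.
ROUTER_3_SLOW = BfdSide("Router_3", min_tx_ms=1000, min_rx_ms=1000)

if __name__ == "__main__":
    print(negotiate(ROUTER_1, ROUTER_3), meets_budget(ROUTER_1, ROUTER_3, 500))
    print(negotiate(ROUTER_1, ROUTER_3_SLOW), meets_budget(ROUTER_1, ROUTER_3_SLOW, 500))
```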
8.7 IS-IS(IPv6)
Networking Requirements
As shown in Figure 8-24:
• RouterA, RouterB, RouterC, and RouterD belong to the same AS. The four routers need to run IS-IS to implement IPv6 interworking.
• RouterA, RouterB, and RouterC belong to Area 10, and RouterD belongs to Area 20.
• RouterA and RouterB are Level-1 routers, RouterC is a Level-1-2 router, and RouterD is a Level-2 router.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
isis 1 //Enable IS-IS process 1.
is-level level-1 //Set the router as a Level-1 router.
network-entity 10.0000.0000.0001.00 //Set the NET for IS-IS process 1.
ipv6 enable topology standard //Enable the IPv6 capability for IS-IS process 1 (configured in the IS-IS process view).
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 10:1::2/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1 //Enable the IPv6 capability for IS-IS process 1 on the interface.
#
return
isis ipv6 enable 1
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 10:2::1/64 //Configure a global unicast IPv6 address for the interface.
isis ipv6 enable 1
#
return
# Run the display isis route command on each router to view IS-IS routes.
# Interfaces on RouterA, RouterB, RouterC, and RouterD can successfully ping each other.
----End
Configuration Notes
• IPv6 must be enabled in the system view and interface view.
• The IPv6 capability must be enabled for IS-IS on interfaces.
• When using the network-entity command to set a NET for an IS-IS process, configure the same area ID for routers in an area.
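The added example below (not the Huawei document's own code) parses NETs such as the `network-entity 10.0000.0000.0001.00` and `20.0000.0002.0001.00` values in 8.6 and 8.7 into area ID, system ID and NSEL, and audits a set of routers for the rule in the note above (one area ID per area) plus the duplicate-system-ID and non-zero-NSEL mistakes that also keep adjacencies from forming. The router-to-NET mappings in the tests are constructed from the page's values.

```python
"""Parse IS-IS NETs and audit them for area/system-ID consistency.

Added example, not the document's own code.  Read from the right, a NET is a
one-byte NSEL (00 for a router), a 6-byte system ID written as three groups
of four hex digits, and everything in front of that is the area ID (AFI byte
plus optional 4-hex-digit groups, at most 13 bytes in total).
"""
import re
from dataclasses import dataclass

_HEX2 = re.compile(r"^[0-9A-Fa-f]{2}$")   # one byte: AFI or NSEL
_HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")   # two bytes: system-ID / area groups


@dataclass(frozen=True)
class Net:
    area: str
    system_id: str
    nsel: str


def parse_net(net: str) -> Net:
    """Split a dotted NET into its three fields, validating each part."""
    parts = net.split(".")
    if len(parts) < 5:
        raise ValueError(f"{net}: too short for area + system ID + NSEL")
    nsel, sysid, area = parts[-1], parts[-4:-1], parts[:-4]
    if not _HEX2.match(nsel) or not all(_HEX4.match(g) for g in sysid):
        raise ValueError(f"{net}: malformed NSEL or system ID")
    if not _HEX2.match(area[0]) or not all(_HEX4.match(g) for g in area[1:]):
        raise ValueError(f"{net}: malformed area ID")
    if 1 + 2 * (len(area) - 1) > 13:
        raise ValueError(f"{net}: area ID longer than 13 bytes")
    return Net(".".join(area), ".".join(sysid), nsel)


def audit(nets):
    """nets: mapping of router name -> NET.  Returns (areas, problems): which
    routers share each area ID, and anything that would prevent neighbor
    relationships (duplicate system IDs, NSEL other than 00)."""
    areas, owners, problems = {}, {}, []
    for router, net in nets.items():
        parsed = parse_net(net)
        areas.setdefault(parsed.area, []).append(router)
        if parsed.nsel != "00":
            problems.append(f"{router}: NSEL {parsed.nsel} is not 00")
        if parsed.system_id in owners:
            problems.append(f"{router}: system ID {parsed.system_id} "
                            f"duplicates {owners[parsed.system_id]}")
        else:
            owners[parsed.system_id] = router
    return {area: sorted(routers) for area, routers in areas.items()}, problems


# Constructed from the NETs shown in the IS-IS examples on this page.
SAMPLE_NETS = {
    "Router_1": "10.0000.0000.1001.00",
    "Router_3": "20.0000.0002.0001.00",
    "RouterA": "10.0000.0000.0001.00",
    "RouterB": "10.0000.0000.0002.00",
}

if __name__ == "__main__":
    print(audit(SAMPLE_NETS))
```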
8.8 BGP
Applicability
This example applies to all versions and AR routers.
Networking Requirements
Multiple ASs exist in a region. To access each other, these ASs must exchange their local
routes. As multiple routers exist in the ASs, there are a large number of routes that change
frequently. How to efficiently transmit a great deal of routing information between ASs
without consuming lots of bandwidth resources has become a problem. BGP can be used to
solve this problem.
RouterA and RouterB belong to AS 100, and RouterC belongs to AS 200. After BGP is enabled on the routers, the routers can exchange routing information. When the routes of one router change, the router sends Update messages carrying only the changed routing information to its peers, not its entire routing table. This greatly reduces bandwidth consumption. Figure 8-25 shows the IP addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 10.1.2.2 as-number 100 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast //Enter the IPv4 unicast address family view.
undo synchronization
network 10.1.1.0 24 //Add routes in the local routing table to the BGP routing table statically and advertise the routes to a peer.
----End
Configuration Notes
l You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
l You must configure default gateways for hosts.
l If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
l By default, IGP-BGP synchronization is disabled.
l By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.
Networking Requirements
RouterA, RouterB, and RouterC belong to AS 100. RouterB is a route reflector (RR), RouterC
is its client, and RouterA is a non-client. RouterC does not establish a BGP connection with
RouterA but needs to learn the routes advertised by RouterA through RouterB. Figure 8-26
shows the IP addresses and masks of hosts and routers' interfaces.
Procedure
Step 1 Configure RouterA.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.2.1 255.255.255.0
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 10.1.2.2 as-number 100 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast //Enter the IPv4 unicast address family view.
undo synchronization
network 10.1.1.0 24 //Add routes in the local routing table to the BGP routing table statically and advertise the routes to a peer.
peer 10.1.2.2 enable
#
return
interface GigabitEthernet2/0/0
ip address 10.1.3.1 255.255.255.0
#
bgp 100
router-id 2.2.2.2
peer 10.1.2.1 as-number 100
peer 10.1.3.2 as-number 100
#
ipv4-family unicast
undo synchronization
peer 10.1.2.1 enable
peer 10.1.3.2 enable
peer 10.1.3.2 reflect-client //Configure an RR and its clients.
#
return
# Run the display bgp routing-table command on RouterC to view the BGP routing table.
The command output shows that RouterC has learned from RouterB the routes advertised by
RouterA. You can also view the Originator and Cluster_ID attributes of a specified route.
----End
Configuration Notes
l You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
l If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
l By default, IGP-BGP synchronization is disabled.
l By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
BGP runs on RouterA and RouterB. RouterA imports two static blackhole routes. RouterB
needs to change the local preference and add the community attribute of routes of
192.168.10.0/24.
Figure 8-27 Networking diagram of configuring the local preference and community attribute
in a BGP route-policy
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 192.168.0.2 as-number 10 //Configure an IP address and an AS number for a peer.
#
ipv4-family unicast
undo synchronization
import-route static //Configure the router to import static routes.
peer 192.168.0.2 enable
#
ip route-static 192.168.10.0 255.255.255.0 NULL0 //Configure static blackhole routes.
ip route-static 192.168.20.0 255.255.255.0 NULL0
#
#
bgp 10
router-id 2.2.2.2
peer 192.168.0.1 as-number 10
#
ipv4-family unicast
undo synchronization
peer 192.168.0.1 enable
peer 192.168.0.1 route-policy admin import //Configure a route-policy admin to
filter the routes of peers.
#
route-policy admin permit node 10 //Configure a route-policy admin and set the
index of the node in the route-policy to 10 and the matching mode to permit.
if-match acl 2001 //Configure a matching rule based on ACL 2001.
apply local-preference 120 //Set the local preference of BGP routes to 120.
apply community 10:1 //Set the BGP community attribute of BGP routes to 10:1.
#
route-policy admin permit node 20 //Configure a route-policy admin and set the
index of the node in the route-policy to 20 and the matching mode to permit.
#
# Run the display bgp routing-table command on RouterB to view the BGP routing table.
The routing table contains routes of 192.168.10.0/24 and 192.168.20.0/24. Run the display
bgp routing-table 192.168.10.0 24 command on RouterB. You can view detailed information
about routes of 192.168.10.0/24, including the local preference 120 and community attribute
10:1.
----End
Configuration Notes
l By default, IGP-BGP synchronization is disabled.
l By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.
l A permit node without contents must be appended to a route-policy so that the routes
that do not match the previous nodes can be added to the BGP routing table.
l The local preference is only used for route selection within an AS and is not advertised
outside the AS. Therefore, the apply local-preference command does not take effect
when a route-policy is configured for an EBGP peer.
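The following Python evaluation of route-policy admin is an added example, not part of the Huawei document. It assumes ACL 2001 (not shown in the excerpt) permits 192.168.10.0 0.0.0.255, constructs the two routes RouterA originates, and shows why the empty permit node 20 is needed.

```python
import ipaddress
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL matching: bits set in the wildcard are don't-care bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Assumption: ACL 2001 is not shown in the excerpt; this constructed version
# permits only the 192.168.10.0/24 prefix, matching the result the text describes.
ACLS = {2001: [("permit", "192.168.10.0", "0.0.0.255")]}

def acl_permits(acl_number: int, prefix: str) -> Optional[bool]:
    """True/False from the first matching rule, None when no rule matches."""
    for action, base, wildcard in ACLS[acl_number]:
        if wildcard_match(prefix, base, wildcard):
            return action == "permit"
    return None

# route-policy admin exactly as configured on RouterB above.
ROUTE_POLICY_ADMIN = [
    {"node": 10, "mode": "permit", "if_match_acl": 2001,
     "apply": {"local_preference": 120, "community": ["10:1"]}},
    {"node": 20, "mode": "permit"},  # empty permit node: passes everything else
]

def apply_route_policy(policy, route) -> Optional[dict]:
    """Evaluate nodes in index order. The first node whose if-match clauses all
    match decides: permit applies the actions and accepts the route, deny drops
    it. A route that matches no node is dropped (the implicit deny)."""
    for node in policy:
        acl = node.get("if_match_acl")
        if acl is not None and acl_permits(acl, route["prefix"]) is not True:
            continue
        if node["mode"] == "deny":
            return None
        accepted = dict(route)
        accepted.update(node.get("apply", {}))  # apply community without 'additive' replaces
        return accepted
    return None

def import_from_peer(policy, routes) -> list:
    """Routes that survive the import policy, with their attributes rewritten."""
    return [r for r in (apply_route_policy(policy, rt) for rt in routes) if r is not None]

# Constructed sample: the two blackhole routes RouterA imports from its static routes.
ROUTES_FROM_ROUTERA = [
    {"prefix": "192.168.10.0", "length": 24, "local_preference": 100, "community": []},
    {"prefix": "192.168.20.0", "length": 24, "local_preference": 100, "community": []},
]

if __name__ == "__main__":
    for r in import_from_peer(ROUTE_POLICY_ADMIN, ROUTES_FROM_ROUTERA):
        print(r)
    # Drop the empty node 20 and 192.168.20.0/24 is silently denied:
    print(import_from_peer(ROUTE_POLICY_ADMIN[:1], ROUTES_FROM_ROUTERA))
```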
Specifications
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 8-28, four routers belong to different ASs and establish EBGP
connections. When RouterD sends routes to RouterA, the AS-Path attribute needs to be
changed so that the route from RouterA to 192.168.6.1/24 changes.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 100
router-id 1.1.1.1 //Configure the router ID as Loopback0 interface IP address.
peer 192.168.1.2 as-number 200 //Specify the peer IP address and AS number.
peer 192.168.2.2 as-number 400
#
ipv4-family unicast
undo synchronization
peer 192.168.1.2 enable
peer 192.168.2.2 enable
#
bgp 200
router-id 2.2.2.2
peer 192.168.2.1 as-number 100
peer 192.168.3.2 as-number 300
#
ipv4-family unicast
undo synchronization
peer 192.168.2.1 enable
peer 192.168.3.2 enable
#
----End
Configuration Notes
l If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
l By default, IGP-BGP synchronization is disabled.
l By default, peers are automatically enabled in the BGP-IPv4 unicast address family
view.
Applicability
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 8-29, RouterB receives a route update from RouterA using EBGP and
forwards the route update to RouterC. RouterC is configured as a route reflector, which has
two clients, RouterB and RouterD.
RouterB and RouterD do not need to establish an IBGP connection. After receiving a route
update from RouterB, RouterC reflects the route update to RouterD. Similarly, RouterC
reflects the route update received from RouterD to RouterB.
Procedure
Step 1 Configure RouterA.
#
ipv6 //Enable IPv6 forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 100::1 96
#
bgp 100 //Enter the BGP view.
router-id 1.1.1.1 //Set the router ID in routing management.
peer 100::2 as-number 200 //Set an IPv6 address and an AS number for a peer.
#
ipv6-family unicast //Enter the IPv6 unicast address view.
undo synchronization
network 100:: 96 //Add the routes in the local routing table to the BGP routing table statically and advertise the routes to the peer.
peer 100::2 enable //Enable peers to exchange routing information.
#
return
ipv6-family unicast
undo synchronization
network 101:: 96
network 102:: 96
peer 101::2 enable
peer 101::2 reflect-client //Configure RouterC as the route reflector and RouterB as the client.
peer 102::2 enable
peer 102::2 reflect-client
#
return
----End
Configuration Notes
l You must configure IP addresses on the same network segment for interfaces connecting
two routers together.
l If no mask or mask length is specified in the network command, the IP address in the
network command is considered as a classful address.
l By default, IGP-BGP synchronization is disabled.
l After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
Networking Requirements
RouterA establishes EBGP connections with RouterB and RouterC. RouterB and RouterC
import static routes to 3000::/64. Load balancing needs to be implemented between RouterB
and RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1000::1/64
#
interface GigabitEthernet2/0/0
ipv6 enable
ipv6 address 2000::1/64
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 1000::2 as-number 20 //Set an IP address and an AS number for a peer.
peer 2000::2 as-number 20
#
ipv6-family unicast
undo synchronization
maximum load-balancing 2 //Set the maximum number of equal-cost routes to 2.
peer 1000::2 enable //Enable peers to exchange routing information.
peer 2000::2 enable
#
# Run the display bgp ipv6 routing-table command on RouterA to view the BGP IPv6
routing table. The routing table contains two routes to 3000::/64. The two routes have
next-hop addresses 1000::2 and 2000::2.
----End
Configuration Notes
l After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
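As an added example (not Huawei's own tooling), the following Python audit checks a BGP configuration excerpt against two Configuration Notes on this page: a BGP4+ peer configured in the BGP view must also be enabled in the IPv6 unicast address family view, and apply local-preference in a route-policy bound to an EBGP peer does not take effect. The configuration text is constructed from RouterA's commands above, with the indentation VRP uses, plus one peer deliberately left without peer enable and one route-policy deliberately bound to an EBGP peer.

```python
import re
from typing import List

# Constructed sample (not from the document): RouterA's BGP4+ configuration with
# VRP indentation, a peer (2000::2) left without 'peer enable', and route-policy
# local-pre (which applies local-preference) bound to the EBGP peer 1000::2.
SAMPLE_CONFIG = """\
#
bgp 10
 router-id 1.1.1.1
 peer 1000::2 as-number 20
 peer 2000::2 as-number 20
 peer 3000::2 as-number 10
 #
 ipv6-family unicast
  undo synchronization
  peer 1000::2 enable
  peer 1000::2 route-policy local-pre export
  peer 3000::2 enable
#
route-policy local-pre permit node 10
 apply local-preference 200
#
"""

def parse_bgp_config(text: str) -> dict:
    """Minimal VRP parser for what the checks need: local AS, peer AS numbers,
    peers enabled per address family, route-policies bound to peers, and the
    route-policies that apply local-preference. Indented lines belong to the
    block opened by the last unindented command; an unindented '#' closes it."""
    cfg = {"local_as": None, "peer_as": {}, "enabled": {}, "bound": [], "lp_policies": set()}
    block = family = policy = None
    for raw in text.splitlines():
        if raw.rstrip() == "#" or not raw.strip():
            block = family = policy = None
            continue
        line = raw.strip()
        m = re.match(r"bgp (\d+)$", line)
        if m and not raw.startswith(" "):
            block, cfg["local_as"] = "bgp", int(m.group(1))
            continue
        m = re.match(r"route-policy (\S+) (permit|deny) node \d+$", line)
        if m and not raw.startswith(" "):
            block, policy = "route-policy", m.group(1)
            continue
        if block == "bgp":
            if line == "#":  # indented separator before the address family view
                continue
            m = re.match(r"(ipv4|ipv6)-family unicast$", line)
            if m:
                family = m.group(1)
                cfg["enabled"].setdefault(family, set())
                continue
            m = re.match(r"peer (\S+) as-number (\d+)$", line)
            if m:
                cfg["peer_as"][m.group(1)] = int(m.group(2))
                continue
            m = re.match(r"peer (\S+) enable$", line)
            if m and family:
                cfg["enabled"][family].add(m.group(1))
                continue
            m = re.match(r"peer (\S+) route-policy (\S+) (import|export)$", line)
            if m and family:
                cfg["bound"].append((m.group(1), m.group(2), m.group(3)))
        elif block == "route-policy" and line.startswith("apply local-preference"):
            cfg["lp_policies"].add(policy)
    return cfg

def audit(text: str) -> List[str]:
    """Return one finding per violated Configuration Note."""
    cfg = parse_bgp_config(text)
    findings = []
    for peer in cfg["peer_as"]:
        # BGP4+ peers must be enabled in the IPv6 unicast family view; IPv4 peers
        # are enabled in the IPv4 unicast family by default, so only IPv6 is checked.
        if ":" in peer and peer not in cfg["enabled"].get("ipv6", set()):
            findings.append(f"peer {peer}: BGP4+ peer not enabled in ipv6-family unicast view")
    for peer, pol, direction in cfg["bound"]:
        # Local preference is not advertised outside the AS, so a policy that applies
        # it has no effect on an EBGP peer (peer AS differs from the local AS).
        if cfg["peer_as"].get(peer) != cfg["local_as"] and pol in cfg["lp_policies"]:
            findings.append(f"peer {peer}: route-policy {pol} ({direction}) applies "
                            "local-preference, but the peer is EBGP, so it does not take effect")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```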
l Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.
Applicability
This example applies to all AR models of V200R002C00 and later versions.
Networking Requirements
As shown in Figure 8-31, AS 20 is divided into three sub-ASs: AS 65001, AS 65002, and AS
65003. EBGP and IBGP need to be configured to allow routers in the two ASs to
communicate.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
ipv6 //Enable IPv6 unicast forwarding.
#
interface GigabitEthernet1/0/0
ipv6 enable //Enable IPv6 on the interface.
ipv6 address 1000::1/64
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
router-id 1.1.1.1 //Set the router ID. You are advised to set the IP address of Loopback 0 as the router ID.
peer 1000::2 as-number 20 //Set an IP address and an AS number for a peer.
#
ipv6-family unicast
undo synchronization
peer 1000::2 enable //Enable peers to exchange routing information.
#
----End
Configuration Notes
l Before configuring an IPv6 routing protocol, enable IPv6 unicast forwarding on routers.
Before configuring IPv6 features on an interface, enable IPv6 on the interface.
l After configuring a BGP4+ peer in the BGP view, enable the BGP4+ peer in the IPv6
unicast address family view.
l RouterB advertises only the existing routes in the local routing table. Therefore, direct
routes must be imported to RouterB using BGP4+. Otherwise, RouterA, RouterC, and
RouterD cannot communicate.
Networking Requirements
As shown in Figure 8-32, Departments A and B of the company are far from each other.
Router_1 and Router_6 function as egress devices of Departments A and B respectively.
Border Gateway Protocol (BGP) has been deployed to ensure that the two departments can
communicate. Router_2 and Router_4 support bidirectional forwarding detection (BFD). The
company wants to use BFD for BGP and use BFD control packets to detect the active link
between autonomous system (AS) 200 and AS 300. When the link between Router_2 and
Router_4 fails, for example, the link becomes Down, BFD can fast detect and notify BGP of
the link failure. The following requirements must be met:
l Use Open Shortest Path First (OSPF) as an Interior Gateway Protocol (IGP) in AS 100.
l Configure the link Router_2 <-> Router_3 <-> Router_4 as the active link that forwards
traffic between Router_1 and Router_6, and use BFD control packets to detect the active
link status.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.20.0.1 255.255.255.0
#
bgp 200 //Enable BGP and set the local AS number to 200.
router-id 1.1.1.1
peer 10.20.0.2 as-number 100 //Configure Router_1 and Router_2 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
network 10.20.0.0 255.255.255.0
peer 10.20.0.2 enable
#
return
bgp 100 //Enable BGP and set the local AS number to 100.
router-id 4.4.4.4
peer 10.1.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
peer 10.1.0.101 bfd min-tx-interval 100 min-rx-interval 100
peer 10.1.0.101 bfd enable //Configure BFD.
peer 10.30.0.101 as-number 100
peer 10.50.0.1 as-number 300 //Configure Router_4 and Router_6 to set up an EBGP connection.
peer 10.50.0.1 ebgp-max-hop 255
#
ipv4-family unicast
undo synchronization
preference 255 100 130
peer 10.1.0.101 enable
peer 10.1.0.101 route-policy local-pre export
peer 10.1.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.1.0.101.
peer 10.30.0.101 enable
peer 10.30.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.30.0.101.
peer 10.50.0.1 enable
#
ospf 1 //Configure OSPF in AS 100 to ensure that there are reachable routes between devices.
import-route direct
area 0.0.0.0
network 10.2.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes to the peer at 10.1.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return
#
ipv4-family unicast
undo synchronization
network 10.50.0.0 255.255.255.0
peer 10.50.0.2 enable
#
return
----End
Networking Requirements
In Figure 8-33, by default, the Router forwards the packets that are received from GE2/0/0
and destined for the Server through the next hop at 10.4.1.2 according to the routing table.
Local policy-based routing (PBR) needs to be configured on the Router to meet the following
requirements:
l Redirect the packets that are received from GE2/0/0, are destined for the Server, and have
the source IP address 10.2.1.1 to the next hop at 10.5.1.2. The flow policy call for this
interface has a higher priority.
l Redirect the HTTP packets that are received from GE2/0/0 and destined for the Server to
the next hop at 10.3.1.2.
Procedure
Step 1 Configure the router.
#
sysname Router
#
acl number 3005 //Create ACL 3005 to permit packets with the source IP address 10.2.1.1.
rule 0 permit ip source 10.2.1.1 0
#
acl number 3006 //Create ACL 3006 to permit HTTP packets.
rule 0 permit tcp destination-port eq www
#
traffic classifier 10.2.1.1 operator or
if-match acl 3005
traffic classifier www operator or
if-match acl 3006
#
traffic behavior 10.2.1.1
redirect ip-nexthop 10.5.1.2
traffic behavior www
redirect ip-nexthop 10.3.1.2
#
traffic policy pbr
classifier 10.2.1.1 behavior 10.2.1.1 precedence 5
classifier www behavior www precedence 10
#
interface GigabitEthernet2/0/0 //Configure an IP address for GE2/0/0.
ip address 10.1.2.1 255.255.255.0
traffic-policy pbr inbound
#
interface GigabitEthernet2/0/1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet2/0/2
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
ip address 10.5.1.1 255.255.255.0
#
ip route-static 192.168.1.0 24 10.3.1.2 //Configure static routes, ensure that the three paths are reachable, and make 10.4.1.2 the default next hop.
ip route-static 192.168.1.0 24 10.4.1.2 preference 40
ip route-static 192.168.1.0 24 10.5.1.2
#
return
----End
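The following Python simulation of the Router's PBR decision is an added example, not part of the Huawei document. It models ACLs 3005 and 3006, traffic policy pbr with its precedence values, and the three static routes, and assumes the Server sits in 192.168.1.0/24 (the sample packets are constructed).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL matching: bits set in the wildcard are don't-care bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# ACLs as configured on the Router; each rule is (action, predicate on a packet).
ACLS = {
    # rule 0 permit ip source 10.2.1.1 0
    3005: [("permit", lambda p: wildcard_match(p["src"], "10.2.1.1", "0.0.0.0"))],
    # rule 0 permit tcp destination-port eq www
    3006: [("permit", lambda p: p["proto"] == "tcp" and p["dport"] == 80)],
}

def acl_permits(acl_number: int, packet: dict) -> bool:
    """The first matching rule decides; no match means the classifier does not match."""
    for action, predicate in ACLS[acl_number]:
        if predicate(packet):
            return action == "permit"
    return False

# traffic policy pbr: classifier -> behavior; a lower precedence value is checked first.
TRAFFIC_POLICY_PBR = [
    {"classifier_acl": 3005, "redirect_nexthop": "10.5.1.2", "precedence": 5},
    {"classifier_acl": 3006, "redirect_nexthop": "10.3.1.2", "precedence": 10},
]

# Static routes to 192.168.1.0/24. VRP prefers the lower preference value and the
# default for a static route is 60, so the route via 10.4.1.2 (preference 40) is
# the one the routing table installs.
STATIC_ROUTES = [("10.3.1.2", 60), ("10.4.1.2", 40), ("10.5.1.2", 60)]

def routing_table_nexthop() -> str:
    return min(STATIC_ROUTES, key=lambda route: route[1])[0]

def select_nexthop(packet: dict, ingress: str = "GigabitEthernet2/0/0") -> tuple:
    """Return (next_hop, reason). The policy is bound inbound on GE2/0/0 only; the
    first classifier (by precedence) that matches redirects the packet, otherwise
    the packet follows the routing table."""
    if ingress == "GigabitEthernet2/0/0":
        for entry in sorted(TRAFFIC_POLICY_PBR, key=lambda e: e["precedence"]):
            if acl_permits(entry["classifier_acl"], packet):
                return entry["redirect_nexthop"], f"traffic policy pbr, acl {entry['classifier_acl']}"
    return routing_table_nexthop(), "routing table"

# Constructed sample packets toward the Server (assumed to be in 192.168.1.0/24).
SAMPLE_PACKETS = [
    {"src": "10.2.1.1", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},  # matches both
    {"src": "10.2.1.7", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},  # HTTP only
    {"src": "10.2.1.7", "dst": "192.168.1.10", "proto": "udp", "dport": 53},  # neither
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], pkt["proto"], pkt["dport"], "->", select_nexthop(pkt))
```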
Networking Requirements
As shown in Figure 8-34, RouterA, RouterB, and RouterC use OSPF to ensure routes
between them are reachable. In the routing table of RouterA, the next-hop address of the route
to 10.0.0.0 is the IP address of GE1/0/0 on RouterC.
PBR is configured on RouterA so that traffic from RouterA to 10.0.0.0/24 is redirected to
RouterB.
Procedure
Step 1 Configure RouterA.
#
acl number 3001 //Configure an ACL to match packets with source address 10.0.2.0/24 and destination address 10.0.0.0/24.
rule 5 permit ip source 10.0.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
traffic classifier rdt operator or //Configure a traffic classifier.
if-match acl 3001
#
traffic behavior rdt //Configure a traffic behavior, with the next hop address as the IP address of GE1/0/0 on RouterB.
redirect ip-nexthop 10.181.10.2
#
traffic policy rdt //Bind the traffic policy.
classifier rdt behavior rdt
#
interface GigabitEthernet1/0/0
ip address 10.181.20.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.181.10.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 10.0.2.1 255.255.255.0
traffic-policy rdt inbound //The traffic sent from 10.0.2.0/24 to 10.0.0.0/24 is redirected to RouterB.
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.181.20.0 0.0.0.255
network 10.181.10.0 0.0.0.255
#
return
# Run the tracert command on the device on 10.0.2.0/24 to check the path from 10.0.2.0/24
to 10.0.0.0/24. The traffic from 10.0.2.0/24 to 10.0.0.0/24 is redirected to RouterB.
----End
Configuration Notes
None.
Specifications
This example applies to all AR models of all versions.
Networking Requirements
As shown in Figure 8-35, Departments A and B of the company are far from each other.
Router_1 and Router_6 function as egress devices of Departments A and B respectively.
Devices in AS 100 use Open Shortest Path First (OSPF) as an Interior Gateway Protocol
(IGP). The company has the following requirements:
l The Border Gateway Protocol (BGP) is deployed to enable Departments A and B to
communicate.
l A route-policy is configured to make the link Router_2 <-> Router_3 <-> Router_4
become the active link that forwards traffic between Router_1 and Router_6. When the
active link is disconnected, traffic is automatically switched to the standby link Router_2
<-> Router_5 <-> Router_4.
Procedure
Step 1 Configure Router_1.
#
sysname Router_1
#
interface GigabitEthernet2/0/1
ip address 10.20.0.1 255.255.255.0
#
bgp 200 //Enable BGP, set the local AS number to 200, and set the BGP router ID to 1.1.1.1.
router-id 1.1.1.1
peer 10.20.0.2 as-number 100 //Configure Router_1 and Router_2 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
network 10.20.0.0 255.255.255.0 //In the BGP IPv4 unicast address family view, add routes to the network segment 10.20.0.0/24 in the IP routing table to the BGP routing table.
peer 10.20.0.2 enable
#
return
peer 10.40.1.101 as-number 100
peer 10.20.0.1 as-number 200 //Configure Router_2 and Router_1 to set up an EBGP connection.
#
ipv4-family unicast
undo synchronization
preference 255 100 130 //Set the EBGP route priority to 255, the IBGP route priority to 100, and the local route priority to 130 so that IBGP routes are preferred over OSPF routes.
peer 10.2.0.101 enable
peer 10.2.0.101 route-policy local-pre export //Set the route-policy used to advertise routes to the peer at 10.2.0.101 to local-pre.
peer 10.2.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.2.0.101.
peer 10.20.0.1 enable
peer 10.40.1.101 enable
peer 10.40.1.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.40.1.101.
#
ospf 1
import-route direct
area 0.0.0.0
network 10.1.0.0 0.0.0.255
network 10.30.0.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes learned from the peer at 10.20.0.1 to the peer at 10.2.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return
#
bgp 100 //Enable BGP, set the local AS number to 100, and set the BGP router ID to 4.4.4.4.
router-id 4.4.4.4
peer 10.1.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
peer 10.50.0.1 as-number 300 //Configure Router_4 and Router_6 to set up an EBGP connection.
peer 10.30.0.101 as-number 100 //Configure Router_4 and Router_2 to set up an IBGP connection.
#
ipv4-family unicast
undo synchronization
preference 255 100 130 //Set the EBGP route priority to 255, the IBGP route priority to 100, and the local route priority to 130 so that IBGP routes are preferred over OSPF routes.
peer 10.1.0.101 enable
peer 10.1.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.1.0.101.
peer 10.1.0.101 route-policy local-pre export
peer 10.30.0.101 enable
peer 10.30.0.101 next-hop-local //In the BGP IPv4 unicast address family view, configure the device to set its IP address as the next hop of routes when advertising BGP routes to the peer at 10.30.0.101.
peer 10.50.0.1 enable
#
ospf 1
import-route direct
area 0.0.0.0
network 10.2.0.0 0.0.0.255
network 10.40.1.0 0.0.0.255
#
route-policy local-pre permit node 10 //Configure a route-policy to advertise the routes learned from the peer at 10.50.0.1 to the peer at 10.1.0.101, and set the local priority to 200.
if-match ip route-source acl 2000
apply local-preference 200
#
return
#
ipv4-family unicast
undo synchronization
network 10.50.0.0 255.255.255.0 //In the BGP IPv4 unicast address family view, add routes to the network segment 10.50.0.0/24 in the IP routing table to the BGP routing table.
peer 10.50.0.2 enable
#
return
----End
9 Deploying IP Multicast
9.1 Example for Configuring IGMP to Enable User Host to Receive Multicast Video
Information
9.2 Example for Configuring PIM-SM to Transmit Multicast Data on a Network
9.3 Example for Configuring a GRE Tunnel to Transmit Multicast Data over a Unicast
Network
9.4 Example for Configuring IGMP Snooping Policies to Enable Users to Receive Data of
Specified Multicast Groups
9.5 Example for Configuring Static Group Member Ports and Router Port to Implement Layer
2 Multicast
Networking Requirements
RouterA connects to a multicast source through GE0/0/1 and connects to RouterB through
GE0/0/0. RouterB connects to RouterA through GE0/0/1, and connects to host A through
GE0/0/0. Host A needs to receive multicast data, so the multicast function needs to be
configured on the network.
Procedure
Step 1 Configure RouterA.
#
multicast routing-enable //Globally enable multicast routing.
#
interface GigabitEthernet0/0/0
ip address 10.0.4.1 255.255.255.0 //Assign an IP address to the interface connected to RouterB.
pim dm //Enable PIM-DM on the interface.
#
interface GigabitEthernet0/0/1
ip address 10.0.5.1 255.255.255.0 //Assign an IP address to the interface connected to the multicast source.
pim dm //Enable PIM-DM on the interface.
#
ip route-static 10.0.3.0 255.255.255.0 10.0.4.2 //Configure a route to the network segment of the receiver.
#
----End
Configuration Notes
l Enable multicast globally on RouterA and RouterB.
l Ensure that there are reachable routes between the multicast source and multicast
receivers. Enable PIM-DM on all router interfaces along the transmission path to ensure
successful reverse path forwarding (RPF).
l Enable IGMP on the interfaces connected to multicast receivers.
Networking Requirements
RouterA connects to a multicast source, and RouterB and RouterC connect to multicast
receivers. To enable multicast receivers to receive multicast data from the multicast source,
perform the following configuration: Enable PIM-SM on RouterA's interface connected to the
multicast source and the interfaces connecting RouterA, RouterB, and RouterC. Enable IGMP
on interfaces of RouterB and RouterC connected to multicast receivers.
Procedure
Step 1 Configure RouterA.
#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.0.6.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet1/0/0
ip address 10.0.4.1 255.255.255.0
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.0.3.1 255.255.255.0
# Run the display pim interface command on each router to check the PIM configuration and
status. The PIM state is Up.
# Run the display pim routing-table command on each router to check the PIM multicast
routing table. The routing table contains a (10.0.6.2, 227.0.0.1) entry.
----End
Configuration Notes
l Enable IGMP on the interfaces connected to multicast receivers.
l To use a dynamic rendezvous point (RP), configure a candidate bootstrap router (C-BSR)
and a candidate RP (C-RP) on the routers that may become the RP.
l To use a static RP, configure the same static RP on all the routers in the PIM-SM
domain.
Networking Requirements
RouterA connects to a multicast source, and RouterB connects to a multicast receiver.
RouterA and RouterB establish a Generic Routing Encapsulation (GRE) tunnel using
loopback interfaces. PIM-SM needs to be configured on the GRE tunnel interfaces so that
multicast data flows can be sent to the receiver through the GRE tunnel.
Procedure
Step 1 Configure RouterA.
#
multicast routing-enable
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0 //Assign an IP address to the interface connected to the multicast source.
pim sm //Enable PIM-SM on the interface.
#
interface GigabitEthernet1/0/0
ip address 192.168.12.1 255.255.255.0
#
interface loopback0
ip address 10.10.1.1 255.255.255.255
#
interface tunnel0/0/1
tunnel-protocol gre //Set the tunnel encapsulation type to GRE.
ip address 192.168.1.1 255.255.255.0
source 10.10.1.1
destination 10.10.1.2
pim sm //Enable PIM-SM on the tunnel interface.
#
ospf 1
area 0
network 10.10.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim //Configure a C-RP and C-BSR. (Use the IP address of the tunnel interface as the C-RP IP address.)
c-bsr Tunnel0/0/1
c-rp Tunnel0/0/1
#
# Run the display pim routing-table command on each router to check the PIM multicast
routing table. The routing table contains a (10.1.1.1, 225.1.1.2) entry.
(10.1.1.1, 225.1.1.2)
RP: 192.168.1.1
Protocol: pim-sm, Flag: ACT
UpTime: 00:04:32
Upstream interface: Tunnel0/0/1
Upstream neighbor: 192.168.1.1
RPF prime neighbor: 192.168.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/0/1
Protocol: pim-sm, UpTime: 00:04:32, Expires: -
----End
Configuration Notes
l Establish a GRE tunnel between RouterA and RouterB using loopback interfaces, and
enable PIM-SM on the GRE tunnel interfaces.
l Enable IGMP on the interface connected to the multicast receiver.
l When configuring the C-RP and C-BSR, use the tunnel interface IP address as the IP
address of the C-RP and C-BSR.
Networking Requirements
As shown in Figure 9-4, a user network (VLAN 10) connects to a Protocol Independent
Multicast (PIM) network through RouterB. The multicast source (Source) sends data to
multicast groups 225.1.1.1-225.1.1.5. In VLAN 10, receivers HostA, HostB, and HostC want
to receive only data sent to groups 225.1.1.1-225.1.1.3 and do not want data sent to 225.1.1.4
and 225.1.1.5. To meet this requirement, you need to enable Internet Group Management
Protocol (IGMP) snooping and configure a multicast group filter policy on RouterB.
Figure 9-4 Networking for configuring IGMP snooping and multicast group filter policy
Procedure
Step 1 Configure RouterB.
#
sysname RouterB //Configure the system name.
#
vlan batch 10 //Create VLAN 10.
#
igmp-snooping enable //Enable global IGMP snooping.
#
vlan 10 //Enable IGMP snooping in VLAN 10.
igmp-snooping enable
igmp-snooping group-policy 2000 //Apply multicast group filter policy 2000 in VLAN 10.
#
acl number 2000 //Configure multicast group filter policy 2000 to reject data sent to groups 225.1.1.4 and 225.1.1.5 and accept only data sent to groups 225.1.1.1-225.1.1.3.
rule 5 deny source 225.1.1.4 0
rule 10 deny source 225.1.1.5 0
rule 15 permit source 225.1.1.1 0
rule 20 permit source 225.1.1.2 0
rule 25 permit source 225.1.1.3 0
#
interface Ethernet2/0/1 //Add interface Eth2/0/1 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet2/0/2 //Add interface Eth2/0/2 to VLAN 10.
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet2/0/3 //Add interface Eth2/0/3 to VLAN 10.
port hybrid pvid vlan 10
----End
Configuration Notes
l Interfaces Eth2/0/1, Eth2/0/2, Eth2/0/3 of RouterB must be added to VLAN 10.
l IGMP snooping must be enabled globally and in VLAN 10.
Networking Requirements
As shown in Figure 9-5, RouterA connects to a user network (VLAN 10) through a Layer 2
device RouterB. The user-side Layer 3 VLANIF interface of RouterA has static Internet
Group Management Protocol (IGMP) groups 225.1.1.1-225.1.1.5 configured and does not run
the IGMP protocol. There are four receivers on the user network: HostA, HostB, HostC, and
HostD. HostA and HostB want to receive data of multicast groups 225.1.1.1-225.1.1.3 for a
long time, whereas HostC and HostD want to receive data of multicast groups
225.1.1.4-225.1.1.5 for a long time.
Figure 9-5 Networking for Layer 2 multicast implementation based on static group member
ports and router port
Procedure
Step 1 Configure RouterB.
#
sysname RouterB //Configure the system name.
----End
Configuration Notes
l Interfaces Eth2/0/1, Eth2/0/2, Eth2/0/3 of RouterB must be added to VLAN 10.
l IGMP snooping must be enabled globally and in VLAN 10.
10 Deploying MPLS
10.1 Example for Configuring the MPLS Local Session Function on Backbone Devices to
Forward Data on the MPLS Network
10.2 Example for Configuring the MPLS Remote Session Function on Backbone Devices to
Forward VPN Data on the MPLS Network
10.3 Example for Configuring Static LSP to Implement Communication Between the
Headquarters and Branch
10.4 Example for Configuring LDP LSP to Implement Communication Between the
Headquarters and Branch
10.5 Example for Configuring MPLS TE to Implement Communication Between the
Headquarters and Branch
Networking Requirements
As shown in Figure 10-1, LSRA, LSRB, and LSRC are core devices on the MPLS network.
Data traffic is transmitted over the PE on the MPLS network. To forward data flows in the
MPLS domain, configure local LDP sessions on LSRA, LSRB, and LSRC to swap labels and
establish LDP LSPs.
IP addresses of LSRA, LSRB, and LSRC are planned, as shown in Figure 10-1.
Procedure
Step 1 Configure LSRA.
#
sysname LSRA
#
mpls lsr-id 1.1.1.9 //Configure the IP address of Loopback1 as the LSR ID.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
mpls //Enable MPLS on the interface.
mpls ldp //Enable MPLS LDP on the interface.
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1 //Configure OSPF.
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#
----End
Configuration Notes
l You must configure LSR IDs before running MPLS commands.
Networking Requirements
As shown in Figure 10-2, LSRA and LSRC are deployed at the border of the backbone
network. To deploy VPN services on the network and establish LDP LSPs between VPNs,
you need to establish a remote LDP session between LSRA and LSRC to transmit VPN
services.
IP addresses of LSRA, LSRB, and LSRC are planned, as shown in Figure 10-2.
Procedure
Step 1 Configure LSRA.
#
sysname LSRA
#
mpls lsr-id 1.1.1.9 //Set the LSR ID to the IP address of Loopback1.
mpls //Enable MPLS globally.
#
mpls ldp //Enable MPLS LDP globally.
#
mpls ldp remote-peer LSRC //Set the remote peer for LSRA to LSRC.
remote-ip 3.3.3.9 //Specify the IP address of the remote peer.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1 //Configure OSPF so that LSRA can communicate with the other routers on the network.
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.3
#
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#
Configuration Notes
l You must configure LSR IDs before running MPLS commands.
Networking Requirements
As shown in Figure 10-3, LSR_1, LSR_2, and LSR_3 are devices on the Multiprotocol Label
Switching (MPLS) backbone network. It is required that a static label switched path (LSP)
tunnel be established between the headquarters and branch to transmit packets over the MPLS
network.
Figure 10-3 Configuring static LSP to implement communication between the headquarters
and branch
Procedure
Step 1 Configure LSR_1.
#
sysname LSR_1
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
mpls //Enable MPLS on the interface.
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
ospf 1 //Configure routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
static-lsp ingress LSP1 destination 10.4.1.0 24 nexthop 10.1.1.2 out-label 20 //Configure this node as the ingress of LSP1.
static-lsp egress LSP2 incoming-interface GigabitEthernet1/0/0 in-label 60 //Configure this node as the egress of LSP2.
#
return
----End
Configuration Notes
l Follow this principle when you configure a static LSP: the outgoing label on the previous node must equal the incoming label on its next hop.
l When you configure a static LSP, the static LSP route must match routing information
exactly.
– If you specify the next hop when configuring a static LSP, you must also specify the
next hop when configuring the static IP route matching the LSP. Otherwise, the
static LSP cannot be set up.
– If a dynamic routing protocol is used between LSRs, the IP address of the next hop
along the LSP must be the same as the IP address of the next hop in the routing
table.
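The label-continuity rule in the notes above, as an added checker that is not from the Huawei document: it reads the static-lsp and ip address lines of each device and walks every LSP from ingress to egress. LSR_1 follows the example above; the LSR_2 and LSR_3 configurations (and their transit entries) are constructed for this check.

```python
"""Check static LSP label continuity across per-device configurations.
Added checker, not from the Huawei document. It parses the static-lsp and
ip address lines of each device and verifies the rule from the notes above:
the out-label on one node must equal the in-label on its next hop, and each
next hop must be an address that some device in the set actually owns.
"""
import re
from collections import defaultdict

HOP_RE = re.compile(
    r"^\s*static-lsp\s+(?P<role>ingress|transit|egress)\s+(?P<name>\S+)"
    r"(?:\s+destination\s+\S+\s+\d+)?"
    r"(?:\s+incoming-interface\s+\S+)?"
    r"(?:\s+in-label\s+(?P<in_label>\d+))?"
    r"(?:\s+nexthop\s+(?P<nexthop>\S+))?"
    r"(?:\s+out-label\s+(?P<out_label>\d+))?\s*$"
)
ADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+")


def parse_device(name, config):
    """Return (set of interface addresses, list of static-lsp hops) for one device."""
    addresses, hops = set(), []
    for raw in config.splitlines():
        line = raw.split("//", 1)[0]          # drop trailing CLI comments
        m = ADDR_RE.match(line)
        if m:
            addresses.add(m.group(1))
            continue
        m = HOP_RE.match(line)
        if m:
            hop = m.groupdict()
            hop["device"] = name
            hops.append(hop)
    return addresses, hops


def check_static_lsps(configs):
    """configs: {device_name: config_text}. Returns problem strings (empty = consistent)."""
    owner = {}                   # interface address -> device that owns it
    by_lsp = defaultdict(dict)   # LSP name -> {device: hop}
    for dev, text in configs.items():
        addrs, hops = parse_device(dev, text)
        owner.update({a: dev for a in addrs})
        for h in hops:
            by_lsp[h["name"]][dev] = h
    problems = []
    for lsp, hops in by_lsp.items():
        ingress = [h for h in hops.values() if h["role"] == "ingress"]
        if len(ingress) != 1:
            problems.append(f"{lsp}: expected one ingress, found {len(ingress)}")
            continue
        cur, seen = ingress[0], {ingress[0]["device"]}
        while cur["role"] != "egress":       # walk ingress -> transit ... -> egress
            nh = cur["nexthop"]
            nxt_dev = owner.get(nh)
            if nxt_dev is None:
                problems.append(f"{lsp}: {cur['device']} nexthop {nh} belongs to no device")
                break
            nxt = hops.get(nxt_dev)
            if nxt is None:
                problems.append(f"{lsp}: {nxt_dev} has no static-lsp entry for this LSP")
                break
            if nxt["in_label"] != cur["out_label"]:
                problems.append(f"{lsp}: {cur['device']} out-label {cur['out_label']} "
                                f"!= {nxt_dev} in-label {nxt['in_label']}")
            if nxt_dev in seen:
                problems.append(f"{lsp}: path loops back to {nxt_dev}")
                break
            seen.add(nxt_dev)
            cur = nxt
    return problems


# Constructed sample: LSR_1 follows the example above; LSR_2 and LSR_3 are invented here.
GOOD_CONFIGS = {
    "LSR_1": """
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
static-lsp ingress LSP1 destination 10.4.1.0 24 nexthop 10.1.1.2 out-label 20
static-lsp egress LSP2 incoming-interface GigabitEthernet1/0/0 in-label 60
""",
    "LSR_2": """
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet2/0/0
 ip address 10.2.1.1 255.255.255.0
static-lsp transit LSP1 incoming-interface GigabitEthernet1/0/0 in-label 20 nexthop 10.2.1.2 out-label 40
static-lsp transit LSP2 incoming-interface GigabitEthernet2/0/0 in-label 50 nexthop 10.1.1.1 out-label 60
""",
    "LSR_3": """
interface GigabitEthernet1/0/0
 ip address 10.2.1.2 255.255.255.0
static-lsp egress LSP1 incoming-interface GigabitEthernet1/0/0 in-label 40
static-lsp ingress LSP2 destination 10.3.1.0 24 nexthop 10.2.1.1 out-label 50
""",
}
# Same topology with one mislabeled transit entry on LSR_2 (in-label 21 instead of 20).
BAD_CONFIGS = dict(GOOD_CONFIGS, LSR_2=GOOD_CONFIGS["LSR_2"].replace("in-label 20", "in-label 21"))
```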
Networking Requirements
As shown in Figure 10-4, the PE and P devices are located on the MPLS backbone network,
and there are reachable routes between PE_1 and PE_2.
The enterprise requires that traffic between the headquarters and branch be forwarded through
the MPLS network, and traffic be switched to the secondary LSP fast to minimize traffic loss
if the primary LSP fails. In addition, to reduce the number of LSPs and ensure device
performance, only the routing entries with the destination addresses 10.10.1.x/32, 10.6.1.0/24,
and 10.7.1.0/24 on all the devices can trigger LSP establishment.
Figure 10-4 Configuring LDP LSP to implement communication between the headquarters
and branch
Procedure
Step 1 Configure PE_1.
#
sysname PE_1
#
bfd //Enable BFD globally.
#
mpls lsr-id 10.10.1.1 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
lsp-trigger ip-prefix pe1 //Trigger the establishment of LSPs based on the IP prefix list.
mpls bfd enable //Enable BFD.
mpls bfd-trigger fec-list tortc //Trigger LDP BFD sessions in the FEC list mode.
mpls bfd min-tx-interval 100 min-rx-interval 100
#
fec-list tortc //Create an FEC list.
fec-node 10.10.1.2
#
mpls ldp //Enable MPLS LDP globally.
#
interface GigabitEthernet1/0/0 //Enable MPLS LDP on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.3.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet3/0/0
ip address 10.6.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
ip ip-prefix pe1 index 10 permit 10.10.1.1 32 //Create an IP prefix list.
ip ip-prefix pe1 index 20 permit 10.10.1.2 32
ip ip-prefix pe1 index 30 permit 10.10.1.3 32
ip ip-prefix pe1 index 40 permit 10.10.1.4 32
ip ip-prefix pe1 index 50 permit 10.10.1.5 32
ip ip-prefix pe1 index 60 permit 10.6.1.0 24
ip ip-prefix pe1 index 70 permit 10.7.1.0 24
#
return
mpls
mpls ldp
#
interface LoopBack1
ip address 10.10.1.4 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.10.1.4 0.0.0.0
#
return
interface GigabitEthernet3/0/0
ip address 10.7.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.10.1.2 255.255.255.255
#
ospf 1 //Configure OSPF routes.
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.1.2 0.0.0.0
#
ip ip-prefix pe2 index 10 permit 10.10.1.1 32 //Create an IP prefix list.
ip ip-prefix pe2 index 20 permit 10.10.1.2 32
ip ip-prefix pe2 index 30 permit 10.10.1.3 32
ip ip-prefix pe2 index 40 permit 10.10.1.4 32
ip ip-prefix pe2 index 50 permit 10.10.1.5 32
ip ip-prefix pe2 index 60 permit 10.6.1.0 24
ip ip-prefix pe2 index 70 permit 10.7.1.0 24
#
return
# Run the display mpls ldp lsp command on each LSR. You can find that an LSP to the
destination address has been established. Connect Port1 and Port2 of the same tester to PE_1
and PE_2 respectively, and send MPLS traffic from Port1 to Port2. Shut down GE1/0/0 on
P_1 to simulate a failure of the primary LSP. You can find that traffic is switched to the
secondary LSP quickly.
# Users in the enterprise headquarters and branch can ping each other.
----End
Configuration Notes
l You must configure LSR IDs before running MPLS commands.
l MPLS establishes LSPs based on routes; therefore, you must ensure that the routes are reachable.
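The prefix-triggered LSP policy used above, as an added example that is not part of the document: it evaluates which routes the lsp-trigger ip-prefix list on PE_1 would let LDP set up LSPs for, so a reviewer can confirm the policy is as narrow as the requirement states. Standard prefix-list first-match semantics and the host default of lsp-trigger are assumed; the route list is constructed.

```python
"""Evaluate which routes an LDP lsp-trigger policy lets become LSPs.
Added example, not from the Huawei document. Assumed prefix-list semantics:
entries are tried in index order; an entry matches when the route lies in the
entry's network and its length is within [greater-equal, less-equal], which
default to the entry length (less-equal defaults to 32 when only greater-equal
is given); no match means deny. The lsp-trigger default is assumed to be host.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^\s*ip ip-prefix\s+(?P<name>\S+)\s+index\s+(?P<idx>\d+)\s+(?P<action>permit|deny)"
    r"\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<len>\d+)"
    r"(?:\s+greater-equal\s+(?P<ge>\d+))?(?:\s+less-equal\s+(?P<le>\d+))?\s*$"
)
TRIGGER_RE = re.compile(r"^\s*lsp-trigger\s+(all|host|none|ip-prefix\s+\S+)\s*$", re.M)


def strip_comments(config):
    """Remove the trailing //comments used in the configuration examples."""
    return "\n".join(l.split("//", 1)[0] for l in config.splitlines())


def parse_prefix_lists(config):
    """Return {list_name: [(index, action, network, ge, le), ...]} sorted by index."""
    lists = {}
    for line in strip_comments(config).splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        plen = int(m["len"])
        ge = int(m["ge"]) if m["ge"] else plen
        le = int(m["le"]) if m["le"] else (32 if m["ge"] else plen)
        net = ipaddress.ip_network(f"{m['addr']}/{plen}", strict=False)
        lists.setdefault(m["name"], []).append((int(m["idx"]), m["action"], net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def prefix_list_permits(entries, route):
    """First-match evaluation; an empty or exhausted list denies."""
    for _idx, action, net, ge, le in entries:
        if route.network_address in net and ge <= route.prefixlen <= le:
            return action == "permit"
    return False


def lsp_trigger_routes(config, routes):
    """Return the routes (as strings) for which the device would trigger LSP setup."""
    clean = strip_comments(config)
    m = TRIGGER_RE.search(clean)
    mode = m.group(1) if m else "host"          # assumed default: host routes only
    nets = [ipaddress.ip_network(r) for r in routes]
    if mode == "all":
        chosen = nets
    elif mode == "none":
        chosen = []
    elif mode == "host":
        chosen = [n for n in nets if n.prefixlen == 32]
    else:
        entries = parse_prefix_lists(clean).get(mode.split()[1], [])
        chosen = [n for n in nets if prefix_list_permits(entries, n)]
    return [str(n) for n in chosen]


# Constructed sample built from the PE_1 example above.
PE1_CONFIG = """
mpls
 lsp-trigger ip-prefix pe1 //Trigger the establishment of LSPs based on the IP prefix list.
#
ip ip-prefix pe1 index 10 permit 10.10.1.1 32
ip ip-prefix pe1 index 20 permit 10.10.1.2 32
ip ip-prefix pe1 index 60 permit 10.6.1.0 24
ip ip-prefix pe1 index 70 permit 10.7.1.0 24
"""
# Constructed selection of routes such an OSPF process might install.
ROUTES = ["10.10.1.1/32", "10.10.1.2/32", "10.10.1.9/32",
          "10.1.1.0/24", "10.6.1.0/24", "10.6.1.0/25", "10.7.1.0/24"]
```

Note that 10.6.1.0/25 is not matched by the /24 entry: without greater-equal or less-equal a prefix-list entry matches the exact length only.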
Networking Requirements
As shown in Figure 10-5, the enterprise headquarters and branch are connected over an
MPLS network. The enterprise wants to create an explicit path
LSR_1→LSR_2→LSR_3→LSR_4 as the primary tunnel. The enterprise also wants to
configure traffic engineering fast reroute (TE FRR) to create a bypass tunnel with the path
LSR_2→LSR_5→LSR_3 on the transit node LSR_2 and an ordinary backup CR-LSP with
the path LSR_1→LSR_6→LSR_3→LSR_4 on the ingress node LSR_1.
After the link between LSR_2 and LSR_3 is faulty (the primary CR-LSP is in FRR-in-use
state), the system starts the TE FRR bypass tunnel and attempts to restore the primary CR-
LSP. At the same time, the system attempts to set up the secondary CR-LSP.
Procedure
Step 1 Configure LSR_1.
#
sysname LSR_1
#
bfd //Enable BFD.
#
mpls lsr-id 10.10.1.9 //Configure an MPLS LSR ID.
mpls //Enable MPLS globally.
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE globally.
mpls te cspf //Enable CSPF for path calculation.
#
explicit-path backup-path //Configure an explicit path for the secondary CR-LSP.
next hop 10.6.1.2
next hop 10.7.1.2
next hop 10.3.1.2
next hop 10.10.4.9
#
explicit-path pri-path //Configure an explicit path for the primary CR-LSP.
next hop 10.1.1.2
next hop 10.2.1.2
next hop 10.3.1.2
next hop 10.10.4.9
#
interface GigabitEthernet1/0/0 //Enable MPLS TE on the interface.
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface GigabitEthernet2/0/0
ip address 10.6.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.1.9 255.255.255.255
#
interface Tunnel0/0/1 //Configure an MPLS TE tunnel interface for the primary CR-LSP.
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 10.10.4.9
mpls te tunnel-id 100
mpls te bfd enable //Enable dynamic BFD for CR-LSP.
mpls te bfd min-tx-interval 500 min-rx-interval 500
mpls te record-route label
mpls te path explicit-path pri-path
mpls te path explicit-path backup-path secondary
mpls te fast-reroute //Enable TE FRR.
mpls te backup ordinary
mpls te backup frr-in-use
mpls te commit
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
network 10.10.1.9 0.0.0.0
mpls-te enable
#
return
interface GigabitEthernet3/0/0
ip address 10.4.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface LoopBack1
ip address 10.10.2.9 255.255.255.255
#
interface Tunnel0/0/2 //Configure a tunnel interface for the bypass CR-LSP.
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 10.10.3.9
mpls te tunnel-id 300
mpls te record-route
mpls te path explicit-path by-path
mpls te bypass-tunnel
mpls te protected-interface GigabitEthernet2/0/0
mpls te commit
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.10.2.9 0.0.0.0
mpls-te enable
#
return
#
ospf 1 //Configure OSPF routes.
opaque-capability enable
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.3.9 0.0.0.0
mpls-te enable
#
return
# After shutting down GE2/0/0 of LSR_2, run the display mpls te tunnel-interface
command on LSR_1. You can find that the tunnel status is Up, indicating that the primary
tunnel is in the FRR in-use state and the ordinary secondary CR-LSP is being set up. When
the primary CR-LSP is faulty, the system starts the TE FRR bypass tunnel and attempts to
restore the primary CR-LSP. At the same time, the system attempts to set up a secondary CR-
LSP.
----End
Configuration Notes
l When Resource Reservation Protocol-Traffic Engineering (RSVP-TE) is used to
dynamically establish CR-LSPs, TE extension for Interior Gateway Protocol (IGP) must
be configured. Currently, Open Shortest Path First-Traffic Engineering (OSPF TE) and
Intermediate System to Intermediate System Traffic Engineering (ISIS TE) are
supported. If IGP TE is not configured, paths are calculated based on IGP routes but not
using CSPF.
l Only the MPLS TE tunnel established using the RSVP-TE signaling protocol supports
FRR.
l One tunnel interface cannot be the end point of both the bypass tunnel and secondary
tunnel simultaneously.
l One tunnel interface cannot be the end point of both the bypass tunnel and primary
tunnel simultaneously.
l Bypass tunnels are established on selected links or nodes that are not on the protected
primary tunnel. If a link or node on the protected primary tunnel is used for a bypass
tunnel and fails, the bypass tunnel also fails to protect the primary tunnel.
11 Deploying WLAN AP
Networking Requirements
As shown in Figure 11-1, an enterprise provides the WLAN service for users. The device
functions as a Fat AP, serves as a DHCP server to allocate IP addresses to users, and provides
wireless network access service using NAT.
Procedure
Step 1 Configure the Router.
#
dhcp enable
#
vlan batch 100
#
dot1x enable //Enable 802.1X. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif100
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Wlan-Bss1 //Configure the WLAN-BSS interface.
port hybrid tagged vlan 100
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain the default parameter settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure the WPA2 security policy.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Set the data encryption mode to CCMP.
service-set name huawei id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to WLAN-BSS 1.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio interface to the radio profile.
service-set id 0 wlan 1 //Bind the radio interface to the service set.
#
acl number 2000 //Configure ACL 2000.
rule 1 permit source 192.168.0.0 0.0.0.255 //Configure rule 1 to permit packets with source addresses in 192.168.0.0/24.
#
nat address-group 1 1.1.1.100 1.1.1.200 //Configure a public address pool.
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0 //Configure a public IP address.
nat outbound 2000 address-group 1 //Bind the ACL to the address pool.
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 //Configure a static route.
#
The WLAN with the SSID huawei is available for STAs connected to the AP, and these STAs
can connect to the WLAN.
----End
Configuration Notes
l The default country code of a Router is CN. You can change it based on actual
networking.
l After a WMM profile is created, parameters in the profile use default values.
l After a traffic profile is created, parameters in the profile use default values.
l After a security profile is created, you can select the security policy based on actual
networking. The security policy mode can be WEP, WPA, WPA2, or WAPI.
Networking Requirements
As shown in Figure 11-2, the device functions as the Fat AP to provide WLAN services and
uses WEP open system authentication and WEP encryption. The WLAN with the SSID
huawei is available for STAs connected to the AR.
Figure 11-2 Networking of WEP open system authentication and WEP encryption
Procedure
Step 1 Configure the router.
#
vlan 10
#
dhcp enable //Enable DHCP.
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 10.
#
interface Wlan-Bss0 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 10
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WEP open system authentication and WEP-40 encryption.
security-policy wep //Configure the WEP security policy.
wep authentication-method open-system data-encrypt //Use open system authentication with data encryption.
wep key wep-40 pass-phrase 0 cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# //Configure WEP-40 encryption. Only later versions of ARV200R002C01 support the cipher keyword.
wep default-key 0 //Set the default key ID for WEP encryption.
service-set name service-set id 0 //Create a service set.
Wlan-Bss 0 //Bind the service set to the WLAN-BSS 0 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
Networking Requirements
As shown in Figure 11-3, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+TKIP. The WLAN with the SSID huawei is available for STAs
connected to the device.
Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
l There are reachable routes from the router to the RADIUS server.
l The RADIUS server needs to be configured.
l For security-3, WPA authentication must be used and 802.1x mode and encryption mode
must be enabled.
l When the security policy is set to WPA2, the default authentication mode is 802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.
Networking Requirements
As shown in Figure 11-4, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.
NOTE
In V200R006 and later versions, the router does not support PEAP authentication.
Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number of the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number of the RADIUS accounting server.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain named peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+TKIP.
security-policy wpa
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
l There are reachable routes from the router to the RADIUS server.
l The RADIUS server needs to be configured.
l For security-3, WPA authentication must be used and 802.1x mode and encryption mode
must be enabled.
l When the security policy is set to WPA2, the default authentication mode is 802.1x+CCMP. This default configuration is not provided in the configuration file.
Networking Requirements
As shown in Figure 11-5, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+PEAP+CCMP. The WLAN with the SSID huawei is available for STAs
connected to the device.
Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable //Enable DHCP.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number of the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number of the RADIUS accounting server.
radius-server shared-key simple huawei //Configure the shared key. The simple form stores it in plaintext in the configuration file. The AR and RADIUS server must use the same shared key.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain named peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+PEAP+CCMP.
security-policy wpa2
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
# The WLAN with the SSID huawei is available for STAs connected to the AR. To use
WLAN services, STAs must pass 802.1x authentication.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
l There are reachable routes from the router to the RADIUS server.
l The RADIUS server needs to be configured.
l For security, WPA authentication must be used and 802.1x mode and encryption mode
must be enabled.
l When the security policy is set to WPA2, the default authentication mode is 802.1x+PEAP+CCMP. This default configuration is not provided in the configuration file.
Networking Requirements
As shown in Figure 11-6, the device functions as the Fat AP to provide WLAN services and
uses 802.1x+CCMP. The WLAN with the SSID huawei is available for STAs connected to
the device.
NOTE
In V200R006 and later versions, the router does not support PEAP authentication.
Procedure
Step 1 Configure the Router.
#
dot1x enable //Enable 802.1x authentication globally.
#
vlan batch 102
#
dhcp enable //Enable DHCP.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
dot1x-authentication enable //Enable 802.1x authentication on the WLAN-BSS interface. The command is dot1x enable in later versions of ARV200R005C00.
dot1x authentication-method eap //Set the authentication mode to EAP.
#
radius-server template peap.radius.com //Create a RADIUS server template.
radius-server authentication 10.137.146.163 1812 //Configure the IP address and port number of the RADIUS authentication server.
radius-server accounting 10.137.146.163 1813 //Configure the IP address and port number of the RADIUS accounting server.
radius-server shared-key simple huawei //Configure the shared key. The simple form stores it in plaintext in the configuration file. The AR and RADIUS server must use the same shared key.
#
aaa
authentication-scheme radius //Create an authentication scheme named radius.
authentication-mode radius //Set the authentication mode to RADIUS.
accounting-scheme radius //Create an accounting scheme named radius.
accounting-mode radius //Set the accounting mode to RADIUS.
domain peap.radius.com //Create a domain named peap.radius.com.
authentication-scheme radius //Apply the authentication scheme named radius to the domain.
accounting-scheme radius //Apply the accounting scheme named radius to the domain.
radius-server peap.radius.com //Apply the RADIUS server template to the domain.
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use 802.1x+CCMP.
security-policy wpa2
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
l There are reachable routes from the router to the RADIUS server.
l The RADIUS server needs to be configured.
l For security, WPA authentication must be used and 802.1x mode and encryption mode
must be enabled.
l When the security policy is set to WPA2, the default authentication mode is 802.1x+CCMP. This default configuration is not provided in the configuration file.
Networking Requirements
As shown in Figure 11-7, the device functions as the Fat AP to provide WLAN services and
uses PSK+TKIP. The WLAN with the SSID huawei is available for STAs connected to the
device.
Procedure
Step 1 Configure the Router.
#
vlan 102
#
dhcp enable //Enable DHCP.
#
dot1x enable //Enable 802.1x. The PSK must be transmitted in EAPoL packets; therefore, 802.1x must be enabled. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 102
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WPA+PSK+TKIP.
security-policy wpa
wpa authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method tkip
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
Networking Requirements
As shown in Figure 11-8, the device functions as the Fat AP to provide WLAN services and
uses PSK+CCMP. The WLAN with the SSID huawei is available for STAs connected to the
device.
Procedure
Step 1 Configure the Router.
#
vlan 101
#
dhcp enable //Enable DHCP.
#
dot1x enable //Enable 802.1x. The PSK must be transmitted in EAPoL packets; therefore, 802.1x must be enabled. In V200R008 and later versions, this command does not need to be configured.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security, and use WPA2+PSK+CCMP.
security-policy wpa2
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
Networking Requirements
As shown in Figure 11-9, the device functions as the Fat AP to provide WLAN services and
uses WAPI. The WLAN with the SSID huawei is available for STAs connected to the device.
Procedure
Step 1 Configure the Router.
#
vlan batch 101
#
dhcp enable //Enable DHCP.
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on a VLANIF interface.
#
interface Wlan-Bss1 //Configure a WLAN-BSS interface.
port hybrid tagged vlan 101
#
wlan
wmm-profile name wmm id 1 //Create a WMM profile and use default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use default settings.
security-profile name security id 1 //Create a security profile named security.
security-policy wapi //Configure WAPI authentication.
wapi asu ip 10.10.10.1 //Set the ASU server IP address to 10.10.10.1.
wapi import certificate ap file-name flash:/huawei-ap.cer //Specify the AP certificate file path and file name.
wapi import certificate asu file-name flash:/huawei-asu.cer //Specify the ASU certificate file path and file name.
wapi import certificate issuer file-name flash:/huawei-issuer.cer //Specify the issuer certificate file path and file name.
wapi import private-key file-name flash:/huawei-ap.cer //Specify the AP private key file path and file name.
service-set name ss-1 id 0 //Create a service set.
Wlan-Bss 1 //Bind the service set to the WLAN-BSS 1 interface.
ssid huawei //Specify the SSID.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
radio-profile name radio-1 id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile to the radio interface.
service-set id 0 wlan 1 //Bind the service set to the radio interface.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
networking.
l There is a reachable route from the router to the ASU server.
l The ASU server needs to be configured.
l Before configuring the security policy, the AP certificate huawei-ap.cer, ASU server certificate huawei-asu.cer, issuer certificate huawei-issuer.cer, and AP private key file huawei-ap.cer must already be stored on the device.
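A review check for the Fat AP security examples above, added here and not part of the document: it audits the security profiles of a constructed configuration that mixes the WEP, WPA/TKIP, WPA2/CCMP and RADIUS settings shown in those examples, follows each service set to its SSID, and reports the settings a reviewer would ask to have replaced or the bindings that do not resolve.

```python
"""Audit the WLAN security profiles of a Huawei AR Fat AP configuration.
Added example, not from the document; the input below is constructed. It records
each security profile's policy and cipher, follows service-set bindings to the SSID,
and reports what a reviewer of the examples above would flag.
"""
import re

HEADER_RE = re.compile(r"^(wmm-profile|traffic-profile|security-profile|radio-profile|service-set)"
                       r"\s+name\s+(\S+)\s+id\s+(\d+)$")

def profile_findings(words):
    """Findings for one line inside a security-profile view (words = line.split())."""
    out = []
    if words[:2] == ["security-policy", "wep"]:
        out.append("WEP: no effective confidentiality or integrity; move to WPA2/CCMP")
    elif words[:2] == ["security-policy", "wpa"]:
        out.append("WPA (version 1): upgrade the policy to WPA2")
    if "tkip" in words:
        out.append("TKIP cipher is deprecated; use CCMP")
    if "pass-phrase" in words and "simple" in words:
        out.append("pre-shared key stored in plaintext (simple); use the cipher form")
    return out

def audit_wlan_security(config):
    """Return {"global": [...], "ssids": {ssid: {"profile": name|None, "findings": [...]}}}."""
    profiles, sets, global_findings = {}, {}, []
    section = None                        # ("profile", id) | ("set", name) | None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop CLI comments and indentation
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                                  # a new profile or service-set view begins
            kind, name, ident = m.groups()
            if kind == "security-profile":
                profiles[ident] = {"name": name, "findings": []}
                section = ("profile", ident)
            elif kind == "service-set":
                sets[name] = {"ssid": None, "profile": None}
                section = ("set", name)
            else:
                section = None
            continue
        if line == "#" or line.startswith("interface "):
            section = None
            continue
        words = line.split()
        if words[:3] == ["radius-server", "shared-key", "simple"]:
            global_findings.append("RADIUS shared key stored in plaintext (simple); use the cipher form")
        elif section and section[0] == "profile":
            profiles[section[1]]["findings"].extend(profile_findings(words))
        elif section and section[0] == "set":
            if words[0] == "ssid" and len(words) > 1:
                sets[section[1]]["ssid"] = words[1]
            elif words[:2] == ["security-profile", "id"] and len(words) > 2:
                sets[section[1]]["profile"] = words[2]
    report = {"global": global_findings, "ssids": {}}
    for name, s in sets.items():
        ssid = s["ssid"] or name
        if s["profile"] is None:
            entry = {"profile": None, "findings": ["no security profile bound: open network"]}
        elif s["profile"] not in profiles:
            entry = {"profile": None,
                     "findings": [f"security-profile id {s['profile']} is bound but never created"]}
        else:
            p = profiles[s["profile"]]
            entry = {"profile": p["name"], "findings": list(p["findings"])}
        report["ssids"][ssid] = entry
    return report

# Constructed configuration mixing the policies used in the examples above.
SAMPLE_CONFIG = """\
radius-server template peap.radius.com
 radius-server shared-key simple CONSTRUCTED-KEY
#
wlan
 security-profile name legacy id 1
  security-policy wep
  wep authentication-method open-system data-encrypt
 security-profile name corp id 2
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %^%#CONSTRUCTED%^%# encryption-method ccmp
 security-profile name guest id 3
  security-policy wpa
  wpa authentication-method psk pass-phrase simple CONSTRUCTED-PSK encryption-method tkip
 service-set name ss-legacy id 0
  ssid legacy
  security-profile id 1
 service-set name ss-corp id 1
  ssid corp
  security-profile id 2
 service-set name ss-guest id 2
  ssid guest
  security-profile id 3
 service-set name ss-orphan id 3
  ssid orphan
  security-profile id 9
#
"""
```

The orphan case is the mismatch to watch for in the profile definitions: a service set that binds a security-profile id that was never created resolves to no policy at all.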
Networking Requirements
As shown in Figure 11-10, STA1 and STA2 are connected to the network through the Router.
The Router functions as a Fat AP, and STA2 is a VIP customer. The requirements are as
follows:
l Video service requirements of STA1 and STA2 are met first.
l Communication requirements of STA2 are met first when the network bandwidth is
insufficient.
Procedure
Step 1 Configure the Router.
#
dhcp enable //Enable DHCP.
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface //Enable DHCP on the VLANIF interface.
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Wlan-Bss1 //Configure the WLAN-BSS interface.
port hybrid tagged vlan 101
#
interface Wlan-Bss2
port hybrid tagged vlan 102
#
wlan
wmm-profile name wmmf id 0
wmm-profile name huawei-vi id 1 //Create a WMM profile huawei-vi.
wmm edca ap ac-vi aifsn 1 ecw ecwmin 1 ecwmax 1 txoplimit 36 //Modify the EDCA parameters of the video queue on the AP to increase the priority of video services.
wmm edca client ac-vi aifsn 1 ecw ecwmin 1 ecwmax 3 txoplimit 36 //Modify the EDCA parameters of the video queue on STAs to increase the priority of video services.
traffic-profile name traf id 0
traffic-profile name huawei id 1 //Create a traffic profile huawei.
rate-limit client up 512 //Limit the STA upstream rate to 512 kbit/s.
rate-limit vap up 1024 //Limit the VAP upstream rate to 1024 kbit/s.
traffic-profile name huawei-vip id 2 //Create a traffic profile huawei-vip.
rate-limit client up 1024 //Limit the STA upstream rate to 1024 kbit/s.
rate-limit vap up 2048 //Limit the VAP upstream rate to 2048 kbit/s.
security-profile name secf id 0
security-profile name huawei id 1 //Create a security profile huawei and use the default parameters.
service-set name huawei-1 id 0 //Create a service set huawei-1.
Wlan-Bss 1
ssid huawei-1 //Configure an SSID huawei-1.
traffic-profile id 1 //Bind the traffic profile huawei to the service set.
security-profile id 1
service-set name huawei-2 id 1 //Create a service set huawei-2.
Wlan-Bss 2
ssid huawei-2 //Configure an SSID huawei-2.
traffic-profile id 2 //Bind the traffic profile huawei-vip to the service set.
security-profile id 1
radio-profile name radiof id 0
wmm-profile id 0
radio-profile name huawei-vi id 1
wmm-profile id 1
#
interface Wlan-Radio0/0/0
radio-profile id 1 //Bind the radio profile huawei-vi to the radio interface.
service-set id 0 wlan 1 //Bind the service set huawei-1 to the radio interface.
service-set id 1 wlan 2 //Bind the service set huawei-2 to the radio interface.
# Two WLANs with SSIDs huawei-1 and huawei-2 are available for STAs connected to the
Router. STA1 and STA2 select the WLANs with SSIDs huawei-1 and huawei-2 respectively.
# Run the display station assoc-info interface wlan-radio0/0/0 [ service-set service-set-id ]
command on the Router to view information about all STAs associated with a radio or service
set on a radio.
----End
Configuration Notes
l The default country code of a Router is CN. You can change it based on actual
networking.
l You can improve the priority of video services by modifying the following parameters
for the AC_VI queue in the WMM profile: arbitration inter frame spacing number
(AIFSN), exponent form of minimum contention window (ECWmin), exponent form of
maximum contention window (ECWmax), and transmission opportunity limit
(TXOPlimit).
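To see what the EDCA values in the huawei-vi WMM profile actually change, the following Python snippet (an added example, not code from the Huawei document) applies the 802.11 EDCA definitions to the page's values and compares them with the 802.11 default AC_VI parameters, which are assumed here for an OFDM radio (16 us SIFS, 9 us slot time).

```python
"""Work through the EDCA values of the huawei-vi WMM profile on the page.

Added example, not code from the Huawei document. Uses the 802.11 EDCA rules
CW = 2**ECW - 1, AIFS = SIFS + AIFSN * slot time, and a TXOP limit counted in
32 us units; the 'default' values are the 802.11 AC_VI defaults, assumed here
for an OFDM (802.11a/g/n) PHY.
"""
from dataclasses import dataclass

SIFS_US = 16          # OFDM PHY SIFS (assumption: 802.11a/g/n radio)
SLOT_US = 9           # OFDM short slot time
TXOP_UNIT_US = 32     # txoplimit is expressed in 32 us units


@dataclass(frozen=True)
class Edca:
    aifsn: int
    ecwmin: int
    ecwmax: int
    txoplimit: int

    def aifs_us(self):
        """Idle time the queue must observe before its backoff starts."""
        return SIFS_US + self.aifsn * SLOT_US

    def cwmin(self):
        return 2 ** self.ecwmin - 1

    def cwmax(self):
        return 2 ** self.ecwmax - 1

    def txop_us(self):
        """Longest burst the queue may hold the medium once it wins it."""
        return self.txoplimit * TXOP_UNIT_US

    def max_first_attempt_wait_us(self):
        """AIFS plus the largest possible initial backoff (CWmin slots)."""
        return self.aifs_us() + self.cwmin() * SLOT_US

    def max_retry_wait_us(self):
        """AIFS plus the largest backoff after repeated collisions (CWmax slots)."""
        return self.aifs_us() + self.cwmax() * SLOT_US


# Values from the page: 'wmm edca ap ac-vi aifsn 1 ecw ecwmin 1 ecwmax 1 txoplimit 36'
# and 'wmm edca client ac-vi aifsn 1 ecw ecwmin 1 ecwmax 3 txoplimit 36'.
PAGE_AP_VI = Edca(aifsn=1, ecwmin=1, ecwmax=1, txoplimit=36)
PAGE_STA_VI = Edca(aifsn=1, ecwmin=1, ecwmax=3, txoplimit=36)
# 802.11 default AC_VI parameters (assumed, OFDM PHY); AP and non-AP STA differ.
DEFAULT_AP_VI = Edca(aifsn=1, ecwmin=3, ecwmax=4, txoplimit=94)
DEFAULT_STA_VI = Edca(aifsn=2, ecwmin=3, ecwmax=4, txoplimit=94)


def compare(tuned, default):
    """Return {figure: (page value, default value, difference)} for each derived figure."""
    rows = {}
    for name in ("aifs_us", "cwmin", "cwmax", "txop_us",
                 "max_first_attempt_wait_us", "max_retry_wait_us"):
        t, d = getattr(tuned, name)(), getattr(default, name)()
        rows[name] = (t, d, t - d)
    return rows


if __name__ == "__main__":
    for label, tuned, default in (("AP AC_VI", PAGE_AP_VI, DEFAULT_AP_VI),
                                  ("STA AC_VI", PAGE_STA_VI, DEFAULT_STA_VI)):
        print(label)
        for name, (t, d, delta) in compare(tuned, default).items():
            print(f"  {name:<28} page={t:>6}  default={d:>6}  delta={delta:>+6}")
```

Note that txoplimit 36 (1152 us) is shorter than the assumed default of 94 (3008 us), so the priority gain on the page comes from the smaller AIFS and contention windows, not from longer bursts.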
12 Deploying WLAN AC
12.1 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 2 Interfaces) (V200R006 and V200R007)
12.2 Example for Configuring Basic WLAN Services on a Small-Scale Network (AC Manages APs Through Layer 3 Interfaces) (V200R006 and V200R007)
12.3 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 2 Interfaces) (V200R006 and V200R007)
12.4 Example for Configuring Basic WLAN Services on a Medium-Scale Network (AC Manages APs Through Layer 3 Interfaces) (V200R006 and V200R007)
12.5 Example for Configuring Basic WLAN Services on a Large-Scale Network (V200R006 and V200R007)
12.6 Example for Configuring WLAN Services on a Small-Scale Network (IPv4 Network) (V200R008 and Later Versions)
12.7 Example for Configuring WLAN Services on a Medium-Scale Network (V200R008 and Later Versions)
12.8 Example for Configuring WLAN Services on a Large-Scale Network (V200R008 and Later Versions)
Networking Requirements
As shown in Figure 12-1, the AC directly connects to the AP through a Layer 2 Ethernet
interface. An enterprise branch needs to deploy a WLAN to implement mobile office so that
the enterprise employees can access the Internet anywhere at any time.
Figure 12-1 Configuring basic WLAN services on a small-scale network (AC manages an AP
through a Layer 2 interface)
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101.
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of Ethernet2/0/0 to VLAN 100.
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
capwap source interface vlanif100 //Specify the AC's source interface. The command applies only to V200R006C10 and later versions. In versions earlier than V200R006C10, run the wlan ac source interface vlanif100 command in the WLAN AC view to specify the AC's source interface.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add the AP offline. Set the AP ID to 0. The AP type is AP6010DN-AGN, the AP type ID is 19, and the MAC address of the AP is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and use the default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use the default settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Set the security policy to WPA2.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption and display the password in cipher text.
service-set name test id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS 1.
ssid huawei-1 //Set the SSID to huawei-1.
traffic-profile id 1 //Bind the traffic profile to the service set.
security-profile id 1 //Bind the security profile to the service set.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the WMM profile to the radio profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Apply the radio profile.
service-set id 1 wlan 1 //Apply the service set.
#
return
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After a WMM profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l After a traffic profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l When creating a security profile, you can set the security policy according to actual
network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault to make the AP state change to normal.
Networking Requirements
In Figure 12-2, an AC directly connects to an AP through a Layer 3 Ethernet interface. An
enterprise branch needs to deploy WLAN services for mobile office so that branch users can
access the Internet from anywhere at any time.
The enterprise has the following requirements:
l A WLAN with the SSID huawei-1 is available.
l Branch users are assigned IP addresses on 10.10.11.0/24.
Figure 12-2 Configuring basic WLAN services on a small-scale network (AC manages an AP
through a Layer 3 interface)
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 101 //Create a service VLAN (VLAN 101).
#
dot1x enable //Enable 802.1x authentication.
#
wlan ac-global carrier id other ac id 1 //Configure the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
#
capwap source interface loopback0 //Specify the loopback interface as the source interface for the AC. Only V200R006C10 and later versions support this command. In versions earlier than V200R006C10, run the wlan ac source interface loopback0 command in the WLAN AC view to specify the source interface for the AC.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add an AP offline and set the AP ID to 0. The AP type is AP6010DN-AGN with type ID 19, and the AP's MAC address is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and retain the default settings in the profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain the default settings in the profile.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure the WPA2 security policy.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption, and configure the password in cipher text.
service-set name service id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS interface 1.
ssid huawei-1 //Specify the SSID huawei-1.
traffic-profile id 1 //Bind the service set to the traffic profile.
security-profile id 1 //Bind the service set to the security profile.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the radio profile to the WMM profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Bind the radio profile.
# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration
and wait for a period of time.
# The WLAN with the SSID huawei-1 is available for STAs connected to the AP, and these
STAs can connect to the WLAN.
# Run the display station assoc-info ap 0 radio 0 command on the AC to check information
about associated STAs at the 2.4 GHz frequency band of AP0.
----End
Configuration Notes
l The default country code of the router is CN. You can change it based on actual
networking.
l After a WMM profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
l After a traffic profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
l After a security profile is created, you can configure an authentication mode based on
actual networking. The authentication mode can be WEP, WPA, WPA2, or WAPI.
l After an AP is added offline, ensure that the AP status is normal. If the AP status is not
normal, locate the fault.
l When an AC uses Layer 3 interfaces to manage the AP and assign IP addresses to the AP
or STAs from the interface address pools, configure the AC to assign IP addresses to the
AP from the Layer 3 interface address pool and to STAs from the Layer 3 sub-interface
address pool.
Networking Requirements
As shown in Figure 12-3, the AC (Router) serves as the egress gateway of the campus and
uses a Layer 2 Ethernet interface to connect to the AP through the switch. The AC assigns IP
addresses to the AP and STAs.
The enterprise requires that a WLAN named huawei-1 be deployed to provide ubiquitous
access to users.
Figure 12-3 Configuring basic WLAN services on a medium-scale network (AC manages an
AP through a Layer 2 interface)
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation.
#
interface Wlan-Ess1 //Add the WLAN-ESS interface to the service VLAN.
port hybrid pvid vlan 101 //Set the default VLAN of the WLAN-ESS interface to VLAN 101.
port hybrid tagged vlan 101 //Add the WLAN-ESS interface to VLAN 101 in tagged mode.
#
capwap source interface vlanif100 //Specify the AC's source interface. The command applies only to V200R006C10 and later versions. In versions earlier than V200R006C10, run the wlan ac source interface vlanif100 command in the WLAN AC view to specify the AC's source interface.
#
wlan ac
ap id 0 type-id 19 mac 60de-4476-e360 sn 210235419610CB002287 //Add the AP offline. Set the AP ID to 0. The AP type is AP6010DN-AGN, the AP type ID is 19, and the MAC address of the AP is 60de-4476-e360.
wmm-profile name wmm id 1 //Create a WMM profile and use the default settings.
traffic-profile name traffic id 1 //Create a traffic profile and use the default settings.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Set the security policy to WPA2.
wpa2 authentication-method psk pass-phrase cipher %^%#Q-%d~;.Aj!<@qOUJ=vMG~rie2vkWOOUq>`5f73RU%^%# encryption-method ccmp //Configure PSK authentication and CCMP encryption and display the password in cipher text.
service-set name service id 1 //Create a service set.
wlan-ess 1 //Bind the service set to WLAN-ESS 1.
ssid huawei-1 //Set the SSID to huawei-1.
traffic-profile id 1 //Bind the traffic profile to the service set.
security-profile id 1 //Bind the security profile to the service set.
service-vlan 101 //Set the service VLAN to VLAN 101.
radio-profile name radio id 1 //Create a radio profile.
wmm-profile id 1 //Bind the WMM profile to the radio profile.
ap 0 radio 0 //Configure the 2.4 GHz frequency band of AP0.
radio-profile id 1 //Apply the radio profile.
service-set id 1 wlan 1 //Apply the service set.
#
return
# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration.
# After a while, the WLAN with the SSID huawei-1 is available for STAs, and these STAs
can connect to the WLAN.
# Run the display station assoc-info ap 0 radio 0 command on the router to check
information about STAs associated with the 2.4 GHz frequency band of AP0.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After a WMM profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l After a traffic profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l When creating a security profile, you can set the security policy according to actual
network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible cause is an
incorrect VLAN configuration.
Networking Requirements
As shown in Figure 12-4, the AC (Router) serves as the egress gateway of the campus. The
AC does not have Layer 2 interfaces and interface cards. Therefore, it uses Layer 3 Ethernet
interfaces to connect to the AP through the switch. The AC assigns IP addresses to the AP and
STAs.
The enterprise requires that a WLAN named huawei-1 be deployed to provide ubiquitous
access to users.
Figure 12-4 Configuring basic WLAN services on a medium-scale network (AC manages an
AP through a Layer 3 interface)
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 101 //Create VLAN 101 (service VLAN).
#
dot1x enable //Enable 802.1x authentication globally.
#
wlan ac-global carrier id other ac id 1 //Set the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface GigabitEthernet0/0/1
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on the GE interface so that the AC can assign IP addresses to the AP.
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 101 //Configure a Dot1q termination sub-interface and
add the sub-interface to VLAN 101.
ip address 10.10.11.1 255.255.255.0
# Run the commit ap 0 command in the WLAN view of the AC to commit the configuration.
# After a while, the WLAN with the SSID huawei-1 is available for STAs, and these STAs
can connect to the WLAN.
# Run the display station assoc-info ap 0 radio 0 command on the AC to check information
about STAs associated with the 2.4 GHz frequency band of AP0.
----End
Configuration Notes
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After a WMM profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l After a traffic profile is created, parameters in the profile use default values. You can
configure the parameters according to actual network requirements.
l When creating a security profile, you can set the security policy according to actual
network requirements. The security policy can be WEP, WPA, WPA2, or WAPI.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible cause is an
incorrect VLAN configuration.
l When an AC uses Layer 3 interfaces to manage the AP and assign IP addresses to the AP
or STAs from the interface address pools, configure the AC to assign IP addresses to the
AP from the Layer 3 interface address pool and to STAs from the Layer 3 sub-interface
address pool.
Networking Requirements
In Figure 12-5, the AC is the campus egress gateway. The AC connects to APs through
SwitchA and SwitchB and dynamically allocates IP addresses to APs and STAs.
The WLAN with SSID huawei-1 is required so that STAs can access the Internet from
anywhere at any time.
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), and VLAN 101 and VLAN 102 (service VLANs).
#
dot1x enable //Enable global 802.1x authentication.
#
wlan ac-global carrier id other ac id 1 //Configure the AC ID and carrier ID.
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 100 so that the AC can assign IP addresses to AP1 and AP2.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 101 so that the AC can assign IP addresses to STAs connected to AP1.
#
interface Vlanif102
ip address 10.10.12.1 255.255.255.0
dhcp select interface //Enable the DHCP server function on VLANIF 102 so that the AC can assign IP addresses to STAs connected to AP2.
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add Eth2/0/0 to VLAN 100, VLAN 101, and VLAN 102.
#
#
capwap source interface vlanif100 //Specify the source interface for the AC. Only V200R006C10 and later versions support this command. In versions earlier than V200R006C10, run the wlan ac source interface vlanif100 command in the WLAN AC view to specify the source interface for the AC.
#
wlan ac
ap id 0 type-id 19 mac 643e-8cb5-f420 sn 2102354196W0EB001158 //Add an AP offline and set the AP ID to 0. The AP type is AP6010DN-AGN with type ID 19, and the AP's MAC address is 643e-8cb5-f420.
region-id 10 //Add AP0 to AP region 10.
ap id 1 type-id 19 mac 644e-8cc5-f421 sn 2103354196W0EB001159 //Add an AP offline and set the AP ID to 1. The AP type is AP6010DN-AGN with type ID 19, and the AP's MAC address is 644e-8cc5-f421.
region-id 10 //Add AP1 to AP region 10.
wmm-profile name wmm id 1 //Create a WMM profile and retain the default settings in the profile.
traffic-profile name traffic id 1 //Create a traffic profile and retain the default settings in the profile.
security-profile name security id 1 //Create a security profile.
security-policy wpa2 //Configure the WPA2 security policy.
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/2 to VLAN 100, VLAN 101, and VLAN 102.
#
return
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/1 to VLAN 100.
port trunk allow-pass vlan 100 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100 //Set the default VLAN of GE0/0/2 to VLAN 100.
port trunk allow-pass vlan 100 102 //Add GE0/0/2 to VLAN 100 and VLAN 102.
port-isolate enable group 1 //Configure port isolation.
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add GE0/0/3 to VLAN 100, VLAN 101, and VLAN 102.
#
return
----End
Configuration Notes
l The default country code of the router is CN. You can change it based on actual
networking.
l After a WMM profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
l After a traffic profile is created, parameters in the profile use default values. You can
change parameter settings based on actual networking.
l After a security profile is created, you can configure an authentication mode based on
actual networking. The authentication mode can be WEP, WPA, WPA2, or WAPI.
l After an AP is added offline, ensure that the AP status is normal. If the AP status is not
normal, locate the fault. The possible cause is that the VLAN configuration is incorrect.
Networking Requirements
As shown in Figure 12-6, the AP is directly connected to the AC. An enterprise branch needs
to deploy WLAN services for mobile office so that branch users can access the enterprise
internal network from anywhere at any time.
The following requirements must be met:
l A WLAN named wlan-net is available.
l Branch users are assigned IP addresses on 10.10.11.0/24.
Procedure
Step 1 Configure the AC.
#
sysname AC
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
#
dhcp enable //Enable DHCP.
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 100 so that the AC can assign IP addresses to APs.
#
interface Vlanif101
ip address 10.10.11.1 255.255.255.0
dhcp select interface //Enable DHCP on VLANIF 101 so that the AC can assign IP addresses to STAs associated with APs.
#
interface Ethernet2/0/0
port link-type trunk
port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of Ethernet2/0/0.
port trunk allow-pass vlan 100 to 101 //Add Ethernet2/0/0 to VLAN 100 and VLAN 101.
port-isolate enable group 1
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
security-profile name wlan-security //Create a security profile.
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes //Configure PSK authentication and AES encryption, and display the user password in ciphertext.
ssid-profile name wlan-ssid //Create an SSID profile.
ssid wlan-net //Set the SSID to wlan-net.
vap-profile name wlan-vap //Create a VAP profile.
service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
ssid-profile wlan-ssid //Bind the SSID profile to the VAP profile.
security-profile wlan-security //Bind the security profile to the
VAP profile.
regulatory-domain-profile name domain1 //Create a regulatory domain profile and configure the country code. The default country code is CN.
ap-group name ap-group1 //Create an AP group.
regulatory-domain-profile domain1 //Bind the regulatory domain profile to the AP group.
radio 0
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 1
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
radio 2
vap-profile wlan-vap wlan 1 //Bind the VAP profile to the radio.
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
ap-name area_1 //Configure a name for the AP.
ap-group ap-group1 //Add the AP to the AP group.
#
return
# Run the display ap all command to check the AP state. If the State field displays nor, the
AP has gone online.
# After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
# Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run
the display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
# After a STA accesses the WLAN wlan-net, run the display access-user command in the
system view to check the IP address assigned to the STA.
----End
Configuration Notes
l After WLAN services are configured, run the commit all command to commit AP
configurations.
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible cause is an
incorrect VLAN configuration.
Networking Requirements
As shown in Figure 12-7, an AC manages the AP connected to it through Switch_A.
A medium-sized enterprise needs to deploy a WLAN in office areas to meet mobile office
service needs and requires that users be centrally controlled and managed on the AC.
Procedure
Step 1 Configure the switch.
#
sysname Switch
#
vlan batch 100 to 101 //Create VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100 //Configure VLAN 100 as the default VLAN of GE0/0/1.
port trunk allow-pass vlan 100 to 101 //Add GE0/0/1 to VLAN 100 and VLAN 101.
port-isolate enable group 1 //Enable port isolation on GE0/0/1.
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101 //Add GE0/0/2 to VLAN 100 and VLAN 101.
#
return
# Run the display ap all command to check the AP state. If the State field displays nor, the
AP has gone online.
# After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
# Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run
the display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
# After a STA accesses the WLAN wlan-net, run the display access-user command in the
system view to check the IP address assigned to the STA.
----End
Configuration Notes
l After WLAN services are configured, run the commit all command to commit AP
configurations.
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible cause is an
incorrect VLAN configuration.
Networking Requirements
On a network of a large enterprise in Figure 12-8, an aggregation switch Switch_B connects
to an access switch Switch_A and an upstream Router. The enterprise needs to deploy a
WLAN, with as few changes to the current network structure as possible.
Procedure
Step 1 Configure Switch_A.
#
sysname Switch_A
#
vlan batch 100 to 102 //Create VLAN 100 (management VLAN), VLAN 101
#
return
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 102 //Add Ethernet2/0/0 to VLANs 100, 101, and 102.
#
capwap source interface vlanif100 //Specify the AC's source interface.
#
wlan ac
security-profile name guest //Create a security profile.
security wep share-key //Configure the shared-key WEP authentication method.
wep key 0 wep-40 pass-phrase %^%#z*z]6]#!|%n:n}Xz'mhKE{PfN|cIj*eU$jJYH48S%^%# //Configure a WEP key.
security-profile name employee //Create a security profile.
security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes //Configure PSK authentication and AES encryption, and display the user password in ciphertext.
ssid-profile name guest //Create an SSID profile.
ssid guest //Set the SSID to guest.
ssid-profile name employee //Create an SSID profile.
ssid employee //Set the SSID to employee.
vap-profile name guest //Create a VAP profile named guest.
service-vlan vlan-id 101 //Configure VLAN 101 as a service VLAN.
ssid-profile guest //Bind the SSID profile guest to the VAP profile guest.
security-profile guest //Bind the security profile guest to the VAP profile guest.
vap-profile name employee //Create a VAP profile named employee.
service-vlan vlan-id 102 //Configure VLAN 102 as a service VLAN.
ssid-profile employee //Bind the SSID profile employee to the VAP profile employee.
security-profile employee //Bind the security profile employee to the VAP profile employee.
regulatory-domain-profile name domain1 //Create a regulatory domain profile.
ap-group name guest //Create an AP group.
regulatory-domain-profile domain1 //Bind the regulatory domain profile to the AP group.
radio 0
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
radio 1
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
radio 2
vap-profile guest wlan 1 //Bind the VAP profile guest to the radio.
ap-group name default //Create an AP group named default.
ap-group name employee //Create an AP group named employee.
regulatory-domain-profile domain1 //Bind the regulatory domain profile to the AP group.
radio 0
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
radio 1
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
radio 2
vap-profile employee wlan 1 //Bind the VAP profile employee to the radio.
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042 //Add an AP offline.
ap-name area_1 //Configure a name for the AP.
ap-group guest //Add the AP to the AP group guest.
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075 //Add an AP offline.
ap-name area_2 //Configure a name for the AP.
ap-group employee //Add the AP to the AP group employee.
#
return
----End
Configuration Notes
l After WLAN services are configured, run the commit all command to commit AP
configurations.
l The default country code of the AR router is CN. You can change it based on actual
network requirements.
l After the AP is added offline, ensure that the AP state is normal. If the AP state is not
normal, troubleshoot the fault until the AP state changes to normal. A possible cause is an
incorrect VLAN configuration.
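The security profiles in this chapter range from WPA2 with CCMP/AES to the shared-key WEP profile bound to the guest VAP in the large-scale example, and the Configuration Notes list WEP, WPA, WPA2 and WAPI as equally available options. As an added example (not code from the Huawei document), the following Python script parses both configuration styles shown in this chapter and reports security profiles that use WEP or WPA/TKIP and service sets or VAP profiles with no security profile bound; the sample configuration and its cipher-text placeholders are constructed.

```python
"""Audit a Huawei AR 'wlan ac' configuration for weak WLAN security settings.

Added example, not code from the Huawei document. Handles both styles in this
chapter: V200R006/V200R007 (security-policy, wpa2 ... encryption-method,
service-set) and V200R008 (security wpa2 psk ... aes, security wep, vap-profile).
"""
import re
from dataclasses import dataclass


@dataclass
class SecurityProfile:
    name: str
    policy: str = "open"   # assumption: a profile with no policy line stays open
    cipher: str = ""       # ccmp / aes / tkip / wep-40 ... when the config states it


WEAK_POLICIES = {"open", "wep", "wpa"}                    # no, or broken, encryption
WEAK_CIPHERS = {"tkip", "wep-40", "wep-104", "wep-128"}
CONTEXT_BREAKERS = {"wlan", "ap", "ap-id", "ap-group", "interface", "return", "#"}


def parse_wlan_config(text):
    """Return ({profile name: SecurityProfile}, {service set/VAP name: bound profile or None})."""
    profiles, ids, bindings = {}, {}, {}
    cur_sec = cur_vap = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop trailing CLI comments
        if not line:
            continue
        tok = line.split()
        creates = len(tok) > 2 and tok[1] == "name"    # '<object> name <name> ...'
        if creates and tok[0] == "security-profile":
            cur_sec, cur_vap = profiles.setdefault(tok[2], SecurityProfile(tok[2])), None
            if "id" in tok:                             # V200R006 numeric id used by bindings
                ids[tok[tok.index("id") + 1]] = tok[2]
        elif creates and tok[0] in ("service-set", "vap-profile"):
            cur_vap, cur_sec = tok[2], None
            bindings.setdefault(cur_vap, None)
        elif creates or tok[0] in CONTEXT_BREAKERS:     # any other object ends the context
            cur_sec = cur_vap = None
        elif cur_sec is not None:
            if tok[0] == "security-policy":             # V200R006: security-policy wpa2|wapi|wep
                cur_sec.policy = tok[1]
            elif tok[0] == "security":                  # V200R008: security wpa2 psk ... aes
                cur_sec.policy = tok[1]
                if tok[-1] in ("aes", "tkip", "aes-tkip"):
                    cur_sec.cipher = tok[-1]
            elif tok[0] in ("wpa", "wpa2", "wpa-wpa2"):
                m = re.search(r"encryption-method\s+(\S+)", line)
                if m:
                    cur_sec.cipher = m.group(1)
            elif tok[:2] == ["wep", "key"] and len(tok) > 3:
                cur_sec.cipher = tok[3]                 # wep key 0 wep-40 pass-phrase ...
        elif cur_vap is not None and tok[0] == "security-profile":
            ref = tok[-1]                               # 'security-profile id 1' or '... guest'
            bindings[cur_vap] = ids.get(ref, ref)
    return profiles, bindings


def audit(text):
    """Return human-readable findings; an empty list means nothing weak was found."""
    profiles, bindings = parse_wlan_config(text)
    findings = []
    for p in profiles.values():
        if p.policy in WEAK_POLICIES:
            findings.append(f"security-profile {p.name}: policy '{p.policy}' is weak")
        elif p.cipher in WEAK_CIPHERS:
            findings.append(f"security-profile {p.name}: cipher '{p.cipher}' is weak")
    for vap, sec in bindings.items():
        if sec is None:
            findings.append(f"{vap}: no security profile bound (open WLAN)")
        elif sec not in profiles:
            findings.append(f"{vap}: bound security profile '{sec}' is not defined")
    return findings


# Constructed sample modelled on this chapter's examples; cipher blobs are placeholders.
SAMPLE_CONFIG = """\
wlan ac
 security-profile name security id 1 //Create a security profile.
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %^%#PLACEHOLDER%^%# encryption-method ccmp
 service-set name test id 1
  security-profile id 1
 security-profile name guest
  security wep share-key
  wep key 0 wep-40 pass-phrase %^%#PLACEHOLDER%^%#
 security-profile name employee
  security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 vap-profile name guest
  security-profile guest
 vap-profile name employee
  security-profile employee
 vap-profile name lobby
  ssid-profile lobby
 ap-group name employee
  vap-profile employee wlan 1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```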
13 Deploying Voice
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Version
This example applies to versions from V200R001C01 (included) to V200R002C00
(included).
Networking Requirements
As shown in Figure 13-1, RouterA functions as a PBX and RouterB functions as a voice gateway. Voice services are configured on RouterA and RouterB to meet the following requirements:
l Users connected to RouterA can call each other.
l Users connected to RouterB can call each other.
l Users connected to RouterA and RouterB can call each other.
On the network, SIP UE 1 is a VoIP phone.
Procedure
Step 1 Configure Router A.
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx
#
enterprise hw //Create an enterprise hw.
dn-set local //Create a DN set local.
#
callprefix 2 //Create a call prefix profile 2.
enterprise hw //Bind the enterprise hw to the call prefix.
dn-set local //Bind the DN set local to the call prefix.
centrex - //Set the call prefix type to centrex.
prefix 2 //Configure the call prefix profile 2.
call-type category 0 attribute 0 //Set the call type to local.
maximum-length 4 //Set the longest digit length to 4.
minimum-length 4 //Set the shortest digit length to 4.
#
callprefix 3
enterprise hw
dn-set local
centrex -
prefix 3
call-type category 0 attribute 0
maximum-length 4
minimum-length 4
#
callin-right 3
#
dialno 3002
pbxuser 3002
telno 86 25 3002
dn-set local
callout-right 3
callin-right 3
#
return
----End
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example. The devices do not
support user-defined country codes and area codes.
l Users connected to the SIP AG are configured on the PBX and the user type must be set
to SIP UE.
l The media IP address and the proxy IP address configured on the SIP AG must be
reachable to each other.
l By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
l After configuring a SIP server, reset the SIP server for the configuration to take effect.
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Version
This example applies to versions from V200R001C01 (included) to V200R002C00
(included).
Networking Requirements
As shown in Figure 13-2, an enterprise has POTS users: User A, User B, User C and User D.
Where,
l RouterA functions as a PBX and RouterB functions as a SIP AG.
l Internal calls of the enterprise are connected through the PBX, and outgoing calls from
the enterprise are connected to external users through the AT0 trunk.
l The carrier allocates the number 56623000 to the enterprise. External users can dial the number 56623000 to query an internal extension number. External users can also dial the number 56623000, and the call is then transferred to an internal user.
NOTE
This example uses the voice tone "Please dial the extension number, or dial zero for the operator."
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx //Enter the PBX view.
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status 1 //Specify the RBT file for the enterprise.
dn-set local //Create a DN set local.
#
callprefix 8 //Create a call prefix profile 8.
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set local.
centrex - //Configure the call prefix type centrex.
prefix 8 //Configure the call prefix profile 8.
call-type category 0 attribute 0 //Configure the call type and the basic
service attribute.
maximum-length 3 //Configure longest digit length.
minimum-length 3 //Configure the shortest digit length.
#
callprefix 9
enterprise hw
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office //Specify the inter-office attribute.
#
sipserver //Configure a SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
pbxuser 800 //Create a PBX user.
type port 1/0/0 //Set the PBX user type to POTS.
enterprise hw //Configure the enterprise hw.
#
pbxuser 801
type port 1/0/1
enterprise hw
#
pbxuser 802
type port 1/0/2
enterprise hw
#
pbxuser 803
type sipue 803
enterprise hw
#
dialno 800 //Set the user identifier of the PBX user.
pbxuser 800 //Bind the user identifier to the PBX user.
telno 86 25 800 //Set the telephone number of the PBX user.
dn-set local //Set the DN set of the PBX user to local.
callout-right 3 //Set the call-out right of the PBX user.
callin-right 3 //Set the call-in right of the PBX user.
service-right call-transfer enable //Enable the call transfer service.
#
dialno 801
pbxuser 801
telno 86 25 801
dn-set local
callout-right 3
callin-right 3
#
dialno 802
pbxuser 802
telno 86 25 802
dn-set local
callout-right 3
callin-right 3
#
dialno 803
pbxuser 803
telno 86 25 803
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0 //Configure an AT0 trunk group.
signalling fxo //Configure the signaling type of the trunk group.
enterprise hw //Bind the enterprise hw to the trunk group.
dn-set local //Bind the DN set local to the trunk group.
----End
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
l When configuring the post-routing number change plan, ensure that the digits to be
deleted are call prefixes entered by the user. Run the display voice country-code
command to check the default country code and area code before determining the first
digit to be deleted. In the command output, N indicates the first digit to be deleted, while
M indicates the number of digits to be deleted. In this example, when a user dials the
digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
and 9 is the outgoing prefix.
Networking Requirements
As shown in Figure 13-3, the headquarters and branch of enterprise A (hw) are located in
different areas. RouterA and RouterB function as gateways and are connected through the E1
leased line. After voice services are deployed on RouterA and RouterB, enterprise users can
use the voice services across areas. Internal users use the AT0 trunk to call external users.
Where,
l RouterA and RouterB use SIP IP trunks to implement voice services across areas.
l User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l The IP address of Serial 2/0/0 on RouterA is 192.168.1.1/24 and the IP address of Serial
2/0/0 on RouterB is 192.168.1.2/24.
l The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
5070. The media and signaling IP address of RouterB is 192.168.1.2 and the signaling
port is 5070.
l The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
l The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.
Figure 13-3 Configuring voice services between the headquarters and branch through leased lines
Procedure
Step 1 Configure RouterA.
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Serial 2/0/0 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Serial 2/0/0 192.168.1.1 //Configure a media IP address.
#
pbx
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Configure an enterprise hw.
function.
#
callroute 9 //Configure a call route 9.
enterprise hw //Bind the enterprise hw to the call route.
dn-set local //Bind the DN set local to the call route.
centrex - //Configure the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition time-period disable //Set the validity period of the call route.
condition time-repeat disable //Set the calling number not to change.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Set the enterprise to hw after post-routing number change.
dn-set local //Set the DN set to local after post-routing number change.
centrex - //Set the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition caller-telno disable //Configure the calling number change for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 7 5
#
return
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
enterprise hw
dn-set local
callin-right 3
callout-right 3
#
trunkgroup sipip
signalling sip
enterprise hw
dn-set local
callin-right 3
callout-right 3
sip reg-mode 0
sip mgc-type 1
sip signalling-ip 192.168.1.2
sip signalling-port 5070
sip media-ip 192.168.1.2
sip peer static 192.168.1.1 5070
sip register-uri huawei.com
sip home-domain huawei.com
#
trunk-at0 at0
port fxo 1/0/4
trunkgroup at0
default-called-telno 33333000
reversepole-detect false
#
callroute 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup at0
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition caller-telno disable
trunkgroup at0
caller no-change
called del 8 1
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 8 5
#
return
----End
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example.
l By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
l When configuring the post-routing number change plan, ensure that the digits to be
deleted are call prefixes entered by the user. Run the display voice country-code
command to check the default country code and area code before determining the first
digit to be deleted. In the command output, N indicates the first digit to be deleted, while
M indicates the number of digits to be deleted. In this example, when a user dials the
digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
and 9 is the outgoing prefix.
l After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Versions
This example applies to versions from V200R001C01 (included) to V200R002C00
(included).
Networking Requirements
As shown in Figure 13-4, User A and User B belong to enterprise A. Enterprise A accesses
the IMS network using a SIP AT0 trunk.
The carrier allocates the number 56623000 to enterprise A. If external users dial the number
56623000, the phone of User A rings and the call transfer service is enabled. When external
users call other internal users, the phone of User A transfers the calls.
Procedure
Step 1 Configure the voice service.
#
voice
voip-address media interface Ethernet 2/0/0 192.168.1.3 //Configure a media address pool.
voip-address signalling interface Ethernet 2/0/0 192.168.1.3 //Configure a signaling address pool.
#
pbx //Enter the PBX view.
pbx string-parameter 0 86 //Configure a country code.
pbx string-parameter 1 25 //Configure an area code.
#
enterprise hw //Configure an enterprise.
dn-set local //Configure a DN set.
#
callprefix 2
enterprise hw
dn-set local
centrex -
prefix 2
call-type category 0 attribute 0
maximum-length 8
minimum-length 4
#
callprefix 8
enterprise hw
dn-set local
centrex -
prefix 8
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
callprefix 8
condition caller-telno disable
trunkgroup sipat0
caller no-change
called del 7 1
#
return
----End
Configuration Notes
l The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
l In this configuration example, the country code and area code in China are used as an
example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
l Run the display voice country-code command to view the default country code and area
code in the system before deleting the call prefix that the user has entered. N indicates
the start digit to be deleted, while M indicates the total number of digits to be deleted. N
is calculated using the formula:
N = Number of country code digits + Number of prefix digits + Number of area code
digits + 1
M specifies the number of call prefix digits. For example, when a user needs to dial 9 before dialing an external number, N is 7 and M is 1 (inter-office call prefix: 9):
N = 2 (country code: 86) + 2 (prefix: 00) + 2 (area code: 25) + 1 = 7
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Versions
Versions from V200R001C01 to V200R002C00
Networking Requirements
As shown in Figure 13-5:
l Ethernet2/0/1 accesses the LAN within an enterprise. The IP address of Ethernet2/0/1 is
192.168.1.1/24.
l Ethernet2/0/0 connects to the carrier's device. Dial-up and NAT need to be configured on
the router so that users can access the external network.
l Internal users of an enterprise call each other through the PBX and call the external users
through the AT0 trunk.
l The carrier allocates the number 56623000 to the enterprise. External users can dial the
number 56623000 to query internal extension number. External users can also dial the
number 56623000, and then the call is transferred to an internal user.
NOTE
This example uses the voice tone "Please dial the extension number, or dial zero for the operator."
Procedure
Step 1 Configure NAT and dial-up.
#
dialer-rule //Enter the dialer-rule view.
dialer-rule 1 ip permit //Set the number of the dialer ACL to 1.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol of the dialer interface.
ip address ppp-negotiate //Configure IP addresses for client interfaces through PPP IP address negotiation.
ppp chap user client //Configure a user name for CHAP authentication.
ppp chap password cipher client //Configure a password for CHAP authentication.
dialer user server //Enable the RS-DCC function and configure a user name for the PPPoE server.
dialer bundle 1 //Specify the dialer bundle number as 1.
dialer-group 1 //Configure a dialer access group for dialer interfaces and set the dialer access group number to 1.
nat outbound 2000 //Enable NAT on the interface.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable the PPPoE client on the Ethernet interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure external network access through a static route and specify Dialer0 as the outbound interface.
route.
callprefix 9 //Set the call prefix that is bound to the call route to 9.
condition time-period disable //Configure the call route to be always valid.
condition time-repeat disable //Configure the call route to be always valid.
condition caller-telno disable //Configure users meeting the condition to use call route 9.
trunkgroup at0 //Configure the AT0 trunk group for the call route.
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Bind enterprise hw to the post-routing number change plan.
dn-set local //Bind the DN set local to the number change plan.
centrex - //Configure the router not to bind a Centrex group to the number change plan.
callprefix 9 //Bind call prefix 9 to the number change plan.
condition caller-telno disable //Configure users meeting the condition to use the number change plan.
trunkgroup at0 //Configure the AT0 trunk group for the number change plan.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return
----End
Configuration Notes
l The dialer rule number in dialer-rule must be the same as the dialer rule number in dialer-group. The dialer bundle number in dialer bundle must be the same as the dial-bundle-number value in pppoe-client.
l When PPP encapsulation is enabled on a dialer interface, run the dialer user command
to configure the user name for the remote end.
l The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server.
l The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
l In this configuration example, the country code and area code in China are used as an
example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
l Run the display voice country-code command to view the default country code and area
code in the system before deleting the call prefix that the user has entered. N indicates
the start digit to be deleted, while M indicates the total number of digits to be deleted. N
is calculated using the formula:
N = Number of country code digits + Number of prefix digits + Number of area code
digits + 1
M specifies the number of call prefix digits. For example, when a user needs to dial 9 before dialing an external number, N is 7 and M is 1 (inter-office call prefix: 9):
N = 2 (country code: 86) + 2 (prefix: 00) + 2 (area code: 25) + 1 = 7
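The two binding rules in the Configuration Notes above (dialer-rule number equals dialer-group number, dialer bundle number equals the pppoe-client dial-bundle-number) are easy to break when a configuration is copied between interfaces. The checker below is an added example, not a Huawei command or part of this document; it parses a copy of the Step 1 dial-up configuration shown above (a constructed sample) and reports any pair that does not agree.

```python
"""Consistency check for the dialer / PPPoE-client bindings that the
Configuration Notes require. Added example, not part of the Huawei document;
the checker itself is a constructed helper, not a device command."""
import re

# Constructed sample: the dial-up part of Step 1 above, one command per line.
ROUTER_CONFIG = """\
dialer-rule
 dialer-rule 1 ip permit
#
interface Dialer0
 link-protocol ppp
 ip address ppp-negotiate
 ppp chap user client
 ppp chap password cipher client
 dialer user server
 dialer bundle 1
 dialer-group 1
 nat outbound 2000
#
interface Ethernet2/0/0
 pppoe-client dial-bundle-number 1 on-demand
"""

# Each pattern captures the number that must agree with its partner keyword.
# The bare 'dialer-rule' line that enters the view carries no number and is skipped.
PATTERNS = {
    "dialer-rule": re.compile(r"^\s*dialer-rule\s+(\d+)\s+ip\s+permit"),
    "dialer-group": re.compile(r"^\s*dialer-group\s+(\d+)"),
    "dialer bundle": re.compile(r"^\s*dialer\s+bundle\s+(\d+)"),
    "dial-bundle-number": re.compile(r"^\s*pppoe-client\s+dial-bundle-number\s+(\d+)"),
}

# The pairs the Configuration Notes say must be equal.
REQUIRED_PAIRS = [
    ("dialer-rule", "dialer-group"),
    ("dialer bundle", "dial-bundle-number"),
]


def extract_numbers(config: str) -> dict:
    """Return {keyword: [numbers...]} for every binding keyword found in config."""
    found = {name: [] for name in PATTERNS}
    for line in config.splitlines():
        for name, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                found[name].append(int(m.group(1)))
    return found


def check_dialer_bindings(config: str) -> list:
    """Return a list of problem strings; an empty list means all bindings agree."""
    found = extract_numbers(config)
    problems = []
    for left, right in REQUIRED_PAIRS:
        if not found[left] or not found[right]:
            missing = left if not found[left] else right
            problems.append(f"missing {missing}")
            continue
        # Every number used on one side must appear on the other side too.
        unmatched = sorted(set(found[left]) ^ set(found[right]))
        if unmatched:
            problems.append(f"{left} {found[left]} does not match {right} {found[right]}")
    return problems


if __name__ == "__main__":
    print(check_dialer_bindings(ROUTER_CONFIG) or "dialer bindings consistent")
```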
Networking Requirements
As shown in Figure 13-6, two departments of an enterprise are located in different areas.
RouterA and RouterB are used as their gateways. RouterA and RouterB are connected
through an IPSec tunnel to implement voice services between two departments. After voice
services are deployed on RouterA and RouterB through SIP trunks, enterprise users can use
the voice services across areas. Internal users use the AT0 trunk to call external users. Where,
l User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterA are 10.138.163.2/30 and 192.168.1.1/24. The IP addresses of Ethernet2/0/0 and Ethernet2/0/1 on RouterB are 10.138.162.2/30 and 192.168.2.1/24.
l The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
5070. The media and signaling IP address of RouterB is 192.168.2.1 and the signaling
port is 5070.
l The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
l The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.
Figure 13-6 Configuring voice services across areas through an IPSec tunnel
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3000 //Define in ACL 3000 the data flow to be protected by the IPSec tunnel.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal a //Configure an IPSec proposal a.
#
ike peer a v1 //Configure an IKE peer a.
pre-shared-key huawei123 //Set the pre-shared key to huawei123.
remote-address 10.138.162.2 //Set the IP address of the remote IKE peer to 10.138.162.2.
#
ipsec policy a 10 isakmp //Configure an IPSec policy a.
security acl 3000 //Associate the IPSec policy with ACL 3000.
ike-peer a //Associate the IKE peer a with the IPSec policy.
proposal a //Associate the IPSec proposal a with the IPSec policy.
#
interface Ethernet2/0/0
ip address 10.138.163.2 255.255.255.252
ipsec policy a //Apply the IPSec policy to the interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.163.1 //Configure a static route to reach external networks.
#
return
system-view
voice
voip-address signalling interface Ethernet 2/0/1 192.168.1.1 //Configure a signaling IP address.
voip-address media interface Ethernet 2/0/1 192.168.1.1 //Configure a media IP address.
#
pbx
pbx string-parameter 0 86 //Configure a default country code.
pbx string-parameter 1 25 //Configure a default area code.
#
enterprise hw //Configure an enterprise hw.
dn-set local //Configure a DN set local.
#
callprefix 9 //Create a call prefix profile 9.
enterprise hw //Bind the enterprise hw to the call prefix.
dn-set local //Bind the DN set local to the call prefix.
centrex - //Configure the call prefix type to centrex.
prefix 9 //Configure the call prefix profile 9.
call-type category 0 attribute 0 //Set the call type to local.
maximum-length 15 //Set the longest digit length to 15.
minimum-length 1 //Set the shortest digit length to 1.
destination-location inter-office //Specify the inter-office attribute.
#
callprefix 2222
enterprise hw
dn-set local
centrex -
prefix 2222
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver //Configure a SIP server.
signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP server to 192.168.1.1.
signalling-port 5060 //Set the signaling port of the SIP server to 5060.
media-ip 192.168.1.1 //Set the media IP address of the SIP server to 192.168.1.1.
register-uri huawei.com //Set the register URI of the SIP server to huawei.com.
home-domain huawei.com //Set the home domain of the SIP server to huawei.com.
#
pbxuser 22223000 //Create a PBX user 22223000.
type port 1/0/0 //Set the PBX user type to POTS and bind the physical interface to the user.
enterprise hw //Bind the enterprise hw to the PBX user.
#
pbxuser 22223001
mode.
sip signalling-ip 192.168.1.1 //Set the signaling IP address of the SIP trunk group to 192.168.1.1.
sip signalling-port 5070 //Set the signaling port of the SIP trunk group to 5070.
sip media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
sip peer static 192.168.2.1 5070 //Set the peer signaling IP address of the SIP trunk group to 192.168.2.1 and the signaling port to 5070.
sip register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
sip home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
#
trunk-at0 at0 //Configure an AT0 trunk group.
port fxo 1/0/4 //Bind the physical interface to the AT0 trunk group.
trunkgroup at0 //Bind the trunk to the AT0 trunk group.
default-called-telno 22223000 //Set the default called number to 22223000.
reversepole-detect false //Configure the reverse pole signal function.
#
callroute 9 //Configure a call route 9.
enterprise hw //Bind the enterprise hw to the call route.
dn-set local //Bind the DN set local to the call route.
centrex - //Configure the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition time-period disable //Set the validity period of the call route.
condition time-repeat disable //Set the calling number not to change.
condition caller-telno disable //Configure call route 9 for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9 //Create a post-routing number change.
enterprise hw //Set the enterprise to hw after post-routing number change.
dn-set local //Set the DN set to local after post-routing number change.
centrex - //Set the call route type to centrex.
callprefix 9 //Bind call prefix 9 to the call route.
condition caller-telno disable //Configure the calling number change for all callers.
trunkgroup at0 //Bind the call route to the AT0 trunk group.
dn-set local
centrex -
prefix 9
call-type category 0 attribute 0
maximum-length 15
minimum-length 1
destination-location inter-office
#
callprefix 3333
enterprise hw
dn-set local
centrex -
prefix 3333
call-type category 0 attribute 0
maximum-length 8
minimum-length 8
#
callprefix 20000
enterprise hw
dn-set local
centrex -
prefix 20000
call-type category 0 attribute 0
maximum-length 20
minimum-length 5
destination-location inter-office
#
sipserver
signalling-ip 192.168.2.1
signalling-port 5060
media-ip 192.168.2.1
register-uri huawei.com
home-domain huawei.com
#
pbxuser 33333000
type port 1/0/0
enterprise hw
#
pbxuser 33333001
type port 1/0/1
enterprise hw
#
pbxuser 33333002
type sipue 33333002
enterprise hw
#
dialno 33333000
pbxuser 33333000
telno 86 755 33333000
dn-set local
callout-right 3
callin-right 3
service-right call-transfer enable
#
dialno 33333001
pbxuser 33333001
telno 86 755 33333001
dn-set local
callout-right 3
callin-right 3
#
dialno 33333002
pbxuser 33333002
telno 86 25 33333002
dn-set local
callout-right 3
callin-right 3
#
trunkgroup at0
signalling fxo
enterprise hw
dn-set local
callin-right 3
callout-right 3
#
trunkgroup sipip
signalling sip
enterprise hw
dn-set local
callin-right 3
callout-right 3
sip reg-mode 0
sip mgc-type 1
sip signalling-ip 192.168.2.1
sip signalling-port 5070
sip media-ip 192.168.2.1
sip peer static 192.168.1.1 5070
sip register-uri huawei.com
sip home-domain huawei.com
#
trunk-at0 at0
port fxo 1/0/4
trunkgroup at0
default-called-telno 33333000
reversepole-detect false
#
callroute 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup at0
#
callroute 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition time-period disable
condition time-repeat disable
condition caller-telno disable
trunkgroup sipip
#
afterroute-change 9
enterprise hw
dn-set local
centrex -
callprefix 9
condition caller-telno disable
trunkgroup at0
caller no-change
called del 8 1
#
afterroute-change 20000
enterprise hw
dn-set local
centrex -
callprefix 20000
condition caller-telno disable
trunkgroup sipip
caller no-change
called del 8 5
#
return
----End
Configuration Notes
l Both ends of the IPSec tunnel must use the same key.
l Configure an ACL to define the data flows to be protected.
l When an external user calls another external user on the other end of the tunnel, the next
hop IP address of the route must be the IP address of the peer interface to which the
IPSec policy is applied.
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example.
l By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
l When configuring the post-routing number change plan, ensure that the digits to be
deleted are call prefixes entered by the user. Run the display voice country-code
command to check the default country code and area code before determining the first
digit to be deleted. In the command output, N indicates the first digit to be deleted, while
M indicates the number of digits to be deleted. In this example, when a user dials the
digit 9 before making an outgoing call, then N = 2 (86) + 2 (00) + 2 (25) + 1 = 7 and M =
1 (9). In this equation, 86 is the country code, 00 is the call prefix, 25 is the area code
and 9 is the outgoing prefix.
l After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
Networking Requirements
As shown in Figure 13-7, RouterA functions as a PBX and RouterB functions as a SIP AG.
Voice services are configured on RouterA and RouterB to meet the following requirements:
l Users connected to RouterA can call each other
l Users connected to RouterB can call each other
l Users connected to RouterA and RouterB can call each other.
On the network, SIP UE1 is a VoIP phone.
Procedure
Step 1 Configure RouterA.
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1
voip-address media interface Ethernet2/0/0 192.168.1.1
#
#
sipag 1 //Create a SIP AG 1.
signalling-addr 192.168.1.2 5060 //Set the signaling IP address of the SIP AG
to 192.168.1.2 and the signaling port to 5060.
media-addr 192.168.1.2 //Set the media IP address of the SIP AG to 192.168.1.2.
primary-proxy-addr static 192.168.1.1 5060 //Set the IP address of the primary
proxy server to 192.168.1.1 and the signaling port to 5060.
home-domain huawei.com //Set the home domain name of the SIP AG to huawei.com.
#
sipaguser 1 port 1/0/0 //Create a SIP AG user and specify its interface number.
base-telno 2222 //Set a telephone number for the SIP AG user.
agid 1 //Set the SIP AG ID for the SIP AG user to 1.
#
sipaguser 2 port 1/0/1
base-telno 2223
agid 1
#
return
----End
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example. The devices do not
support user-defined country codes and area codes.
l Users connected to the SIP AG are configured on the PBX and the user type must be set
to SIP UE.
l The media IP address and the proxy IP address configured on the SIP AG must be
reachable to each other.
l By default, the AR works in SIP AG mode. Run the service-mode { sipag | pbx }
command in the voice view to switch to the other working mode. Clear the SIP AG or
PBX configuration before switching the working mode. Restart the router after it
switches to the other working mode.
l After configuring a SIP server, reset the SIP server for the configuration to take effect.
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).
Networking Requirements
As shown in Figure 13-8, an enterprise has POTS users: User A, User B, User C, and User D.
Where,
l RouterA functions as a PBX and RouterB functions as a SIP AG.
l Internal calls of the enterprise are connected through the PBX, and outgoing calls from
the enterprise are connected to external users through the AT0 trunk.
l The carrier allocates the number 56623000 to the enterprise. External users can dial the
number 56623000 and then enter an internal extension number. External users can also dial
the number 56623000 and have the call transferred to an internal user.
NOTE
This example uses the voice tone "Please dial the extension number, or dial zero for the operator."
Procedure
Step 1 Configure RouterA.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
l V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
l V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-
area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
sysname RouterA
#
interface Ethernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Ethernet2/0/0 192.168.1.1 //Configure a
signaling IP address.
voip-address media interface Ethernet2/0/0 192.168.1.1 //Configure a media IP
address.
pbx default-country-code 86 //Configure a default country code.
pbx default-area-code 25 //Configure a default area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status pass //Specify the RBT file for the enterprise.
dn-set local //Configure a DN set local.
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 800 reversepole-detect disable
#
callprefix 8 //Create a call prefix profile 8.
prefix 8 //Configure the call prefix profile 8.
enterprise hw dn-set local //Configure an enterprise hw and a DN set local.
call-type category basic-service attribute 0 //Configure the call type and the
basic service attribute.
digit-length 3 3 //Configure the shortest and longest digit length.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the inter-office attribute.
callroute trunkgroup1 at0
#
pbxuser 800 pots enterprise hw //Configure a PBX user, set the user type and
enterprise.
port 1/0/0 //Bind the physical port to the PBX user.
telno country-code 86 area-code 25 800 //Set a telephone number for the PBX
user.
dn-set local //Set a DN set local for the PBX user.
call-right in international-toll out international-toll //Set the call-in and
call-out rights of the PBX user.
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 801 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 801
dn-set local
call-right in international-toll out international-toll
#
pbxuser 802 pots enterprise hw
port 1/0/2
telno country-code 86 area-code 25 802
dn-set local
call-right in international-toll out international-toll
#
pbxuser 803 sipue enterprise hw
sipue 803
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
l A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a post-
routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
Networking Requirements
As shown in Figure 13-9, the headquarters and branch of enterprise A (hw) are located in
different areas. RouterA and RouterB function as gateways and are connected through the E1
leased line. After voice services are deployed on RouterA and RouterB, enterprise users can
use the voice services across areas. Internal users use the AT0 trunk to call external users.
Where,
l RouterA and RouterB use SIP IP trunks to implement voice services across areas.
l User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l The IP address of Serial 2/0/0 on RouterA is 192.168.1.1/24 and the IP address of Serial
2/0/0 on RouterB is 192.168.1.2/24.
l The media and signaling IP address of RouterA is 192.168.1.1 and the signaling port is
5070. The media and signaling IP address of RouterB is 192.168.1.2 and the signaling
port is 5070.
l The carrier allocates the number 56623000 to the enterprise headquarters. If external
users dial the number 56623000, the phone of User A rings and the call transfer service
is enabled. When external users call other internal users, the phone of User A transfers
the calls.
l The carrier allocates the number 28963000 to the enterprise branch. If external users dial
the number 28963000, the phone of User C rings and the call transfer service is enabled.
When external users call other internal users, the phone of User C transfers the calls.
Figure 13-9 Configuring voice services between the headquarters and branch through leased
lines
Procedure
Step 1 Configure RouterA.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
l V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
l V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-
area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
voip-address signalling interface Serial 2/0/0 192.168.1.1
voip-address media interface Serial 2/0/0 192.168.1.1
pbx default-country-code 86
pbx default-area-code 25
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo //Configure an AT0 trunk group.
enterprise hw dn-set local
call-right in international-toll //Configure the call-in right.
call-right out international-toll //Configure the call-out right.
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable //Bind
a trunk to the trunk group.
#
trunk-group sipip sip no-register //Configure a SIP trunk group.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.1 port 5070 //Set the signaling IP address of
the SIP trunk group to 192.168.1.1 and the signaling port to 5070.
media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to
192.168.1.1.
home-domain huawei.com //Set the home domain name of the SIP trunk group to
huawei.com.
register-uri huawei.com //Set the register URI of the SIP trunk group to
huawei.com.
peer-address static 192.168.1.2 5070 //Set the remote IP address of the SIP
trunk group to 192.168.1.2 and the signaling port to 5070.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 2222
prefix 2222
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip //Configure a call route.
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9
trunk-group at0 //Configure a trunk group to a call route.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
afterroute-change 20000
callprefix 20000
trunk-group sipip
caller no-change
called del 7 5
#
return
Step 2 Configure RouterB.
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface Serial 2/0/0 192.168.1.2
voip-address signalling interface Serial 2/0/0 192.168.1.2
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group sipip sip no-register
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.2 port 5070
media-ip 192.168.1.2
home-domain huawei.com
register-uri huawei.com
Configuration Notes
l The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
l The country code and area code in China are used as an example.
l Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
l A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a post-
routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
l After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
Networking Requirements
As shown in Figure 13-10, User A and User B belong to enterprise A. Enterprise A accesses
the IMS network using a SIP AT0 trunk.
The carrier allocates the number 56623000 to enterprise A. If external users dial the number
56623000, the phone of User A rings and the call transfer service is enabled. When external
users call other internal users, the phone of User A transfers the calls.
Procedure
Step 1 Configure the voice service.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
l V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
l V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-
area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
voice
voip-address media interface Ethernet 2/0/0 192.168.1.3 //Configure a media
address pool.
voip-address signalling interface Ethernet 2/0/0 192.168.1.3 //Configure a
signaling address pool.
pbx default-country-code 86 //Configure a country code.
pbx default-area-code 25 //Configure an area code.
#
enterprise hw //Configure an enterprise.
dn-set local //Configure a DN set.
#
sipserver
signalling-address ip 192.168.1.3 port 5060
media-ip 192.168.1.3
register-uri huawei.com
home-domain huawei.com
#
trunk-group sipat0 sip trunk-circuit //Create a SIP AT0 trunk.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
country-code 86 area-code 25
default-caller-telno 2000
signalling-address ip 192.168.1.3 port 5070
media-ip 192.168.1.3
home-domain huawei.com
register-uri huawei.com
register-id 56623000 //Configure the registration number.
trunk-sipat0 56623000 default-called-telno 2000
peer-address static 192.168.1.1 5060
#
callprefix 2
prefix 2
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 4 8
#
callprefix 8
prefix 8
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the home area attribute of a call
prefix to inter-office.
callroute trunkgroup1 sipat0
#
pbxuser 2000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 2000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 2001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 2001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 8
callprefix 8
trunk-group sipat0
caller no-change
called del 7 1
#
return
----End
Configuration Notes
l The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
l In this configuration example, the country code and area code in China are used as an
example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
l A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a post-
routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).
Networking Requirements
As shown in Figure 13-11:
This example uses the voice tone "Please dial the extension number, or dial zero for the operator."
Procedure
Step 1 Configure NAT and dial-up.
#
dialer-rule //Enter the dialer-rule view.
dialer-rule 1 ip permit //Set the number of dialer ACL to 1.
#
interface Dialer0 //Enter the dialer interface view.
link-protocol ppp //Configure the link layer protocol of the dialer interface.
ip address ppp-negotiate //Configure IP addresses for client interfaces
through PPP IP address negotiation.
ppp chap user client //Configure a user name for CHAP authentication.
ppp chap password cipher client //Configure a password for CHAP authentication.
dialer user server //Enable the RS-DCC function and configure a user name for
PPPoE server.
dialer bundle 1 //Specify the dialer bundle number as 1.
dialer-group 1 //Configure a dialer access group for dialer interfaces and set
the dialer access group number to 1.
nat outbound 2000 //Enable NAT on interfaces.
#
interface Ethernet2/0/0 //Enter the Ethernet interface view.
pppoe-client dial-bundle-number 1 on-demand //Enable the PPPoE client on
Ethernet interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure external network access
through static routes and specify Dialer 0 as the outbound interface.
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
l V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
l V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-
area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
voice
pbx default-country-code 86 default-area-code 25 //Configure a country code and
an area code.
#
enterprise hw //Create an enterprise hw.
crbt-file flash:/sss.wav status pass //Specify the RBT file for the enterprise.
dn-set local //Configure a DN set.
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 800 reversepole-detect disable
#
callprefix 8 //Create a call prefix profile.
prefix 8 //Configure a call prefix.
enterprise hw dn-set local //Configure an enterprise hw and a DN set.
call-type category basic-service attribute 0 //Configure the call type and the
basic service attribute.
digit-length 3 3 //Configure the shortest and longest digit length.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office //Specify the inter-office attribute.
callroute trunkgroup1 at0
#
pbxuser 800 pots enterprise hw //Configure a PBX user, set the user type and
enterprise.
port 1/0/0 //Bind the physical port to the PBX user.
telno country-code 86 area-code 25 800 //Configure a telephone number for users.
dn-set local //Configure a DN set.
call-right in international-toll out international-toll //Set the call-in and
call-out rights.
service-right call-transfer enable //Enable the call transfer service.
#
pbxuser 801 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 801
dn-set local
call-right in international-toll out international-toll
#
pbxuser 802 pots enterprise hw
port 1/0/2
telno country-code 86 area-code 25 802
dn-set local
call-right in international-toll out international-toll
#
pbxusergroup ivr1 ivr enterprise hw //Create an IVR group
dn-set local //Configure a DN set for the IVR group.
access-telno country-code 86 area-code 25 800 //Configure the access number for
IVR groups.
console-telno 0 //Configure a switchboard number for the IVR group.
tone-id file flash:/sss.wav //Set the tone ID of the IVR group to sss.wav.
group-member pbxuser 800 //Configure a group member.
#
afterroute-change 9 //Create a post-routing number change.
callprefix 9 //Configure a call prefix for the post-routing number change.
trunk-group at0 //Configure AT0 trunk group for the call route.
caller no-change //Set the caller number change rule to no change.
called del 7 1 //Delete the seventh digit from the called number.
#
return
----End
Configuration Notes
l The dialer rule number in dialer-rule must be the same as the dialer rule number in
dialer-group. The dialer rule number in dialer bundle must be the same as the dial-
bundle-number value in pppoe-client.
l To configure PPP encapsulation on the dialer interface, run the dialer user command to
configure the user name for the PPPoE server.
l The user name and password for PPP authentication on the dialer interface must be the
same as those configured on the PPPoE server.
l The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
l In this configuration example, the country code and area code in China are used as an
example.
l If the user-defined RBT is used, ensure that the RBT file has been made and uploaded/
downloaded to the storage media.
l The default working mode is SIP AG. Run the service-mode { sipag | pbx } command
in the voice view to change the working mode. Delete SIP AG/PBX configurations
before changing the working mode. After changing the working mode, restart the device
to make the configuration take effect.
l A user may fail to locate the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001. Actually, the called number is 56623001. In this case, configure a post-
routing number change plan to delete the prefix. You must correctly configure the
deletion position and number of deleted digits. Configure the user number in global
number format: international toll call prefix + country code + area code + user number.
You can run the display voice pbxuser [ pbxuser-name ] command to view the country
code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = Number of digits of the international toll call prefix + Number of digits of
the country code + Number of digits of the area code + 1 (first digit of the prefix)
del-len indicates the number of deleted digits, which is often the number of digits of
the call prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
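The del-offset arithmetic in these notes is repeated for every example on this page and is the part most often copied between sites without being recomputed. The following Python is an added example, not part of the Huawei document. It models the rule the notes state (global number = international toll call prefix + country code + area code + dialled digits; del-offset = the sum of those three lengths + 1; del-len = the length of the prefix), applies the resulting called del N M to the page's two cases (prefix 9 to the AT0 trunk, prefix 20000 to the SIP IP trunk) and checks that the deleted digits are exactly the prefix the user dialled. The INTL_TOLL_PREFIX value 00 is the page's China value; the three-digit area code 755 case at the end is constructed to show why the offset must be recomputed per site.

```python
"""Post-routing number change ("called del N M") check for the AR PBX notes.

Added example, not Huawei code. It models the relation the notes state: the PBX expands
the dialled digits to global format (international toll prefix + country code + area code
+ dialled digits), so the inter-office prefix sits at
del-offset = len(intl prefix) + len(country code) + len(area code) + 1, and del-len is
the prefix length."""
from __future__ import annotations

from dataclasses import dataclass

# International toll call prefix for China, as "display voice country-code" reports on the page.
INTL_TOLL_PREFIX = "00"


@dataclass(frozen=True)
class DialPlan:
    country_code: str  # pbx default-country-code
    area_code: str     # pbx default-area-code
    call_prefix: str   # inter-office prefix the user dials first (callprefix / afterroute-change)

    def del_offset(self) -> int:
        """1-based position of the first digit to delete: N in 'called del N M'."""
        return len(INTL_TOLL_PREFIX) + len(self.country_code) + len(self.area_code) + 1

    def del_len(self) -> int:
        """Number of digits to delete: M in 'called del N M', i.e. the whole prefix."""
        return len(self.call_prefix)

    def global_number(self, dialed: str) -> str:
        """The called number as the PBX holds it after prepending its default codes."""
        return INTL_TOLL_PREFIX + self.country_code + self.area_code + dialed


def called_del(number: str, offset: int, length: int) -> str:
    """Apply 'called del offset length': drop `length` digits starting at 1-based digit `offset`."""
    if offset < 1 or offset - 1 + length > len(number):
        raise ValueError(f"called del {offset} {length} runs past the end of {number!r}")
    return number[: offset - 1] + number[offset - 1 + length :]


def deletion_hits_prefix(plan: DialPlan, dialed: str, offset: int, length: int) -> bool:
    """True only if 'called del offset length' removes exactly the prefix the user dialled."""
    if not dialed.startswith(plan.call_prefix):
        return False
    g = plan.global_number(dialed)
    return g[offset - 1 : offset - 1 + length] == plan.call_prefix


def route_called_number(plan: DialPlan, dialed: str) -> tuple[int, int, str]:
    """Derive N and M from the plan, verify them, and return (N, M, number sent to the trunk)."""
    n, m = plan.del_offset(), plan.del_len()
    if not deletion_hits_prefix(plan, dialed, n, m):
        raise ValueError(f"called del {n} {m} would not strip prefix {plan.call_prefix!r} from {dialed!r}")
    return n, m, called_del(plan.global_number(dialed), n, m)


if __name__ == "__main__":
    # Page values: Nanjing (86, 25), AT0 prefix 9, user dials 9 + 56623001 -> called del 7 1
    print(route_called_number(DialPlan("86", "25", "9"), "956623001"))
    # Page values: SIP IP trunk prefix 20000 -> called del 7 5
    print(route_called_number(DialPlan("86", "25", "20000"), "2000033333000"))
    # Constructed counter-case: a three-digit area code (755) moves the prefix to digit 8,
    # so a 'called del 7 1' copied from the Nanjing plan would delete the wrong digit.
    shenzhen = DialPlan("86", "755", "9")
    print(shenzhen.del_offset(), deletion_hits_prefix(shenzhen, "956623001", 7, 1))
```

If deletion_hits_prefix returns False for the offset you intend to configure, the number change plan would strip digits of the subscriber number instead of the prefix, which is the "fail to locate the called party" case the note describes.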
Specifications
Applicable products and versions
l Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
l Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).
Networking Requirements
As shown in Figure 13-12, two departments of an enterprise are located in different areas.
RouterA and RouterB are used as their gateways. RouterA and RouterB are connected
through an IPSec tunnel to implement voice services between two departments. After voice
services are deployed on RouterA and RouterB through SIP trunks, enterprise users can use
the voice services across areas. Internal users use the AT0 trunk to call external users. Where,
l User A and User B belong to enterprise hw. The DN set is local, call prefix is 2222,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
l User C and User D belong to enterprise hw. The DN set is local, call prefix is 3333,
inter-office prefix of the AT0 trunk is 9, and inter-office prefix between the headquarters
and branch is 20000.
Figure 13-12 Configuring voice services across areas through an IPSec tunnel
Procedure
Step 1 Configure RouterA.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
l V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
l V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-
area-code dac-value }
Here, the command in V200R002C00SPC100 is used.
#
sysname RouterA
#
acl number 3000 //Create ACL 3000 to define the data flows to be protected by the IPSec tunnel.
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal a //Configure an IPSec proposal a.
#
ike peer a v1 //Configure an IKE peer a.
pre-shared-key huawei123 //Set the pre-shared key to huawei123.
remote-address 10.138.162.2 //Set the IP address of the remote IKE peer to 10.138.162.2.
#
ipsec policy a 10 isakmp //Configure an IPSec policy a.
security acl 3000 //Associate the IPSec policy with ACL 3000.
ike-peer a //Associate the IPSec policy with IKE peer a.
proposal a //Associate the IPSec policy with IPSec proposal a.
#
interface Ethernet2/0/0
ip address 10.138.163.2 255.255.255.252
ipsec policy a //Apply the IPSec policy to the interface.
#
interface Ethernet2/0/1
ip address 192.168.1.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.163.1 //Configure an IP route to visit
external networks.
#
return
system-view
voice
voip-address signalling interface Ethernet 2/0/1 192.168.1.1 //Configure the signaling IP address.
voip-address media interface Ethernet 2/0/1 192.168.1.1 //Configure the media IP address.
pbx default-country-code 86
pbx default-area-code 25
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.1 port 5060
media-ip 192.168.1.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo //Configure an AT0 trunk group.
enterprise hw dn-set local
call-right in international-toll //Configure the call-in right.
call-right out international-toll //Configure the call-out right.
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable //Bind a trunk to the trunk group.
#
trunk-group sipip sip no-register //Configure a SIP trunk group.
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.1.1 port 5070 //Set the signaling IP address of the SIP trunk group to 192.168.1.1 and the signaling port to 5070.
media-ip 192.168.1.1 //Set the media IP address of the SIP trunk group to 192.168.1.1.
home-domain huawei.com //Set the home domain name of the SIP trunk group to huawei.com.
register-uri huawei.com //Set the register URI of the SIP trunk group to huawei.com.
peer-address static 192.168.2.1 5070 //Set the remote IP address of the SIP trunk group to 192.168.2.1 and the signaling port to 5070.
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher *********** //The password is admin@12345.
local-user admin service-type http
#
interface Ethernet2/0/0
ip address 10.138.162.2 255.255.255.252
ipsec policy b
#
interface Ethernet2/0/1
ip address 192.168.2.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.138.162.1
return
system-view
voice
voip-address media interface Ethernet 2/0/1 192.168.2.1
voip-address signalling interface Ethernet 2/0/1 192.168.2.1
pbx default-country-code 86
pbx default-area-code 755
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.2.1 port 5060
media-ip 192.168.2.1
register-uri huawei.com
home-domain huawei.com
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group sipip sip no-register
enterprise hw dn-set local
call-right in international-toll
call-right out international-toll
signalling-address ip 192.168.2.1 port 5070
media-ip 192.168.2.1
home-domain huawei.com
register-uri huawei.com
peer-address static 192.168.1.1 5070
#
callprefix 9
prefix 9
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 3333
prefix 3333
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 8 8
#
callprefix 20000
prefix 20000
enterprise hw dn-set local
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 sipip
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 755 33333000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 755 33333001
dn-set local
call-right in international-toll out international-toll
#
----End
Configuration Notes
- Both ends of the IPSec tunnel must use the same pre-shared key. The key huawei123 is an
example value only; use a long, random key in production. Because an empty ipsec proposal
uses the device defaults, check the negotiated algorithms and the tunnel state with the
display ipsec proposal, display ike sa, and display ipsec sa commands.
- Configure an ACL to define the data flows to be protected. In this example, ACL 3000
matches 192.168.1.0/24 to 192.168.2.0/24, which covers the signaling address, the media
address, and the SIP trunk peer address (192.168.1.1 and 192.168.2.1), so the SIP signaling
and RTP media between the two routers are carried inside the tunnel. If a signaling or media
address outside the ACL were used, that voice traffic would leave the WAN interface
unencrypted.
- When an external user calls another external user on the other end of the tunnel, the next
hop IP address of the route must be the IP address of the peer interface to which the
IPSec policy is applied.
- The PBX functions are license controlled. By default, PBX functions are disabled on a
device. To use the PBX functions, apply for and purchase the license from the Huawei
local office.
- The country code and area code in China are used as an example.
- Run the service-mode { sipag | pbx } command in the voice view to switch to the other
working mode. Clear the SIP AG or PBX configuration before switching the working
mode. Restart the router after it switches to the other working mode.
- A user may fail to reach the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001, whereas the actual called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position (del-offset) and the number of deleted digits (del-len). Configure the user
number in global number format: international toll call prefix + country code + area code +
user number. You can run the display voice pbxuser [ pbxuser-name ] command to view the
country code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = number of digits of the international toll call prefix + number of digits of
the country code + number of digits of the area code + 1 (the position of the first digit of
the prefix)
del-len = number of digits to delete, which is usually the number of digits of the call
prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9. The offset depends on the length of the area
code: at a site with a 3-digit area code such as 755, the same prefix requires called del 8 1.
- After configuring a SIP server or trunk group, reset the SIP server or trunk group in the
SIP server or trunk group view for the configuration to take effect.
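The second note above is worth checking mechanically, because the SIP trunk in this example is only encrypted if its signaling, media and peer addresses fall inside the flow that the security acl selects. The Python below is an added example written for this page, not Huawei code or device output. RouterA's ACL rule is taken from the configuration above; RouterB's configuration is truncated on the page, so its mirror rule, the dictionary names and the function names are assumptions:

```python
# Added example (not Huawei code): verify that the VoIP signaling and media addresses fall
# inside the flow selected by the "security acl" of each IPSec policy, so that SIP and RTP
# between RouterA and RouterB actually ride the tunnel instead of leaving the WAN in the clear.
import ipaddress

# Constructed from the example. RouterA's rule is on the page; RouterB's configuration is
# truncated there, so its mirror rule is an assumption.
RULE_A = "rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"
RULE_B = "rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"
ROUTER_A_VOIP = {"signalling": "192.168.1.1", "media": "192.168.1.1"}
ROUTER_B_VOIP = {"signalling": "192.168.2.1", "media": "192.168.2.1"}


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """ACL rules use wildcard masks (0 bits must match): 0.0.0.255 is a /24, 0.0.0.3 a /30.
    Only contiguous wildcards are accepted; anything else is rejected rather than guessed."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def parse_rule(rule: str):
    """Parse 'rule N permit ip source A W destination B W' into (src_net, dst_net)."""
    t = rule.split()
    if "permit" not in t or "source" not in t or "destination" not in t:
        raise ValueError(f"unsupported rule: {rule}")
    s, d = t.index("source"), t.index("destination")
    return wildcard_to_network(t[s + 1], t[s + 2]), wildcard_to_network(t[d + 1], t[d + 2])


def flow_protected(rule: str, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src_ip -> dst_ip is selected by the rule (and so enters the tunnel)."""
    src_net, dst_net = parse_rule(rule)
    return ipaddress.IPv4Address(src_ip) in src_net and ipaddress.IPv4Address(dst_ip) in dst_net


def unprotected_voip_flows(rule_a: str, rule_b: str, voip_a: dict, voip_b: dict) -> list:
    """Every signaling/media pair must be selected by the local policy in each direction.
    Returns the flows that would leave the WAN interface in the clear (empty list = all good)."""
    gaps = []
    for name_a, ip_a in voip_a.items():
        for name_b, ip_b in voip_b.items():
            if not flow_protected(rule_a, ip_a, ip_b):
                gaps.append(("RouterA->RouterB", name_a, ip_a, ip_b))
            if not flow_protected(rule_b, ip_b, ip_a):
                gaps.append(("RouterB->RouterA", name_b, ip_b, ip_a))
    return gaps


if __name__ == "__main__":
    print(unprotected_voip_flows(RULE_A, RULE_B, ROUTER_A_VOIP, ROUTER_B_VOIP))   # []
    # Failure mode: signaling bound to the WAN address 10.138.163.2 is outside ACL 3000,
    # so SIP would be sent unencrypted in both directions.
    print(unprotected_voip_flows(RULE_A, RULE_B, {"signalling": "10.138.163.2"}, ROUTER_B_VOIP))
```

The check is deliberately strict about wildcard masks: a non-contiguous wildcard is rejected instead of being approximated, because a silently widened or narrowed selector is exactly the kind of mistake that leaves a flow outside the tunnel.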
Networking Requirements
As shown in Figure 13-13, the headquarters and branch of enterprise A are located in
different areas. RouterA and RouterB are connected through an E1 trunk. After voice
services are deployed on RouterA and RouterB, enterprise users can use the voice services
across areas. Internal users use the AT0 trunk to call external users.
- RouterA and RouterB use the E1R2 trunk to implement voice services across areas.
- User A and User B belong to enterprise hw, the DN set is local, the call prefix is 2222,
the inter-office prefix of the AT0 trunk is 9, and the inter-office prefix between the
headquarters and branch is 20000.
NOTE
If the PBX has only one enterprise and DN set, the default settings of the enterprise and DN set can be
used.
- User C and User D belong to enterprise hw, the DN set is local, the call prefix is 3333,
the inter-office prefix of the AT0 trunk is 9, and the inter-office prefix between the
headquarters and branch is 20000.
- The IP addresses of the Serial 2/0/0 interfaces on RouterA and RouterB are 192.168.1.1/24
and 192.168.1.2/24.
- The carrier allocates the number 56623000 to the enterprise headquarters. When an external
user dials 56623000, the phone of User A rings. Because the call transfer service is enabled
on User A's phone, User A transfers calls from external users to other internal users.
- The carrier allocates the number 28963000 to the enterprise branch. When an external user
dials 28963000, the phone of User C rings. Because the call transfer service is enabled on
User C's phone, User C transfers calls from external users to other internal users.
Figure 13-13 Configuring the PBX to use the E1R2 trunk to implement voice services
between the headquarters and branch
Procedure
Step 1 Configure RouterA.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
- V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
- V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C01 is used.
#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.1 255.255.255.0
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CAS //Configure the VE1 interface to work in CAS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the E1R2 trunk, the VE1 interface must work in CAS mode.
#
enterprise hw
dn-set local
#
r2 profile e1r2
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-at0 1/0/4 default-called-telno 22223000 reversepole-detect disable
#
trunk-group e1r2 e1-r2
enterprise hw dn-set local
call-right in international-toll out international-toll
r2-profile e1r2
trunk-e1r2 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 at0
#
callprefix 2222
enterprise hw dn-set local
prefix 2222
call-type category basic-service attribute 0
digit-length 8 9
#
callprefix 20000
enterprise hw dn-set local
prefix 20000
call-type category basic-service attribute 0
digit-length 5 20
destination-location inter-office
callroute trunkgroup1 e1r2
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
service-right call-transfer enable
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 7 1
#
afterroute-change 20000
callprefix 20000
trunk-group e1r2
caller no-change
called del 7 5
#
sysname RouterB
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
interface Serial2/0/0
link-protocol ppp
ip address 192.168.1.2 255.255.255.0
#
voice
pbx default-country-code 86 default-area-code 755
#
port ve1 2/0/0
signal CAS
#
enterprise hw
dn-set local
#
r2 profile e1r2
#
trunk-group at0 fxo
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-at0 1/0/4 default-called-telno 33333000 reversepole-detect disable
#
trunk-group e1r2 e1-r2
enterprise hw dn-set local
call-right in international-toll out international-toll
r2-profile e1r2
trunk-e1r2 2/0/0
#
callprefix 9
----End
Configuration Notes
- The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
- The country code and area code in China are used as an example.
- The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete the SIPAG/PBX configuration before
switching. Restart the equipment after switching.
- A user may fail to reach the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001, whereas the actual called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position (del-offset) and the number of deleted digits (del-len). Configure the user
number in global number format: international toll call prefix + country code + area code +
user number. You can run the display voice pbxuser [ pbxuser-name ] command to view the
country code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = number of digits of the international toll call prefix + number of digits of
the country code + number of digits of the area code + 1 (the position of the first digit of
the prefix)
del-len = number of digits to delete, which is usually the number of digits of the call
prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
- After the SIP server or SIP trunk is configured, reset the SIP server or SIP trunk to make
the setting take effect.
13.2.8 Example for Using the PRA Trunk to Connect to the PSTN
Network
Specifications
Applicable products and versions
- Product
Among the AR200 series routers, only the AR207Vs and AR207V-Ps support voice
features. Among the AR1200 series routers, only the AR1220Vs and AR1220VWs
support voice features. To use the voice feature on the AR2200 and AR3200 series
routers, you are advised to install the DSP module.
- Version
This example applies to versions from V200R002C00SPC100 (included) to
V200R003C01 (included).
Networking Requirements
As shown in Figure 13-14, User A and User B belong to enterprise A. Enterprise A uses the
PRA trunk to connect to the PSTN network.
- The carrier allocates the number 56623000 to User A and 56623001 to User B.
- The inter-office call prefix is 9.
Figure 13-14 Using the PRA trunk to connect to the PSTN network
Procedure
Step 1 Perform voice service configuration.
NOTE
The commands for configuring the country code in V200R002C00SPC100 and V200R002C01 are as
follows:
- V200R002C00SPC100: pbx { default-country-code dcc-value | default-area-code dac-value }
- V200R002C01: pbx { default-country-code dcc-value default-area-code dac-value | default-area-code dac-value }
Here, the command in V200R002C01 is used.
#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CCS //Configure the VE1 interface to work in CCS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the PRA trunk, the VE1 interface must work in CCS mode.
#
enterprise hw
dn-set local
#
r2 signalling-type argentina
#
r2 signalling-type brazil
#
r2 signalling-type mexico
#
r2 signalling-type standard
#
trunk-group pra qsig-user
enterprise hw dn-set local
call-right in international-toll out international-toll
country-code 86 area-code 25
trunk-pra 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 pra
#
callprefix 2222
enterprise hw dn-set local
prefix 2222
call-type category basic-service attribute 0
digit-length 8 9
#
pbxuser 22223000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 22223000
dn-set local
call-right in international-toll out international-toll
#
pbxuser 22223001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 22223001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group pra
caller no-change
called del 7 1
----End
Configuration Notes
- The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
- The country code and area code in China are used as an example.
- If a user-defined RBT is used, ensure that the RBT file has been created and uploaded to
the storage media.
- The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete the SIPAG/PBX configuration before
switching. Restart the equipment after switching.
- A user may fail to reach the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001, whereas the actual called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position (del-offset) and the number of deleted digits (del-len). Configure the user
number in global number format: international toll call prefix + country code + area code +
user number. You can run the display voice pbxuser [ pbxuser-name ] command to view the
country code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = number of digits of the international toll call prefix + number of digits of
the country code + number of digits of the area code + 1 (the position of the first digit of
the prefix)
del-len = number of digits to delete, which is usually the number of digits of the call
prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
Networking Requirements
As shown in Figure 13-15, RouterA is a PBX, and User 1 to User 28 are users of a traditional
PBX. To save enterprise investment and allow the users connected to RouterA and the users
on the traditional PBX to communicate, enterprise A uses a PRA trunk to connect the
traditional PBX to RouterA.
- The numbers of User A and User B are 33333000 and 33333001.
- User 1 to User 28 are allocated numbers 56623001 to 56623028.
- When User A and User B call traditional PBX users, they dial the inter-office call prefix 9
before the number.
Figure 13-15 Configuring a PRA trunk to connect to the traditional TDM PBX
Procedure
Step 1 Perform voice service configuration on RouterA.
#
sysname RouterA
//Configure the E1 interface card as an E1 voice card.
set workmode slot 2 e1t1 e1-voice
Changing the working mode will reset the board in slot 2. Continue? [y/n]:y
#
voice
pbx default-country-code 86 default-area-code 25
#
port ve1 2/0/0
signal CCS //Configure the VE1 interface to work in CCS mode. By default, a VE1 interface uses the common channel signaling (CCS) mode. When you configure the PRA trunk, the VE1 interface must work in CCS mode.
#
enterprise hw
dn-set local
#
r2 signalling-type argentina
#
r2 signalling-type brazil
#
r2 signalling-type mexico
#
r2 signalling-type standard
#
trunk-group pra qsig-net
enterprise hw dn-set local
call-right in international-toll out international-toll
trunk-pra 2/0/0
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 0
digit-length 1 15
destination-location inter-office
callroute trunkgroup1 pra
#
callprefix 3333
enterprise hw dn-set local
prefix 3333
call-type category basic-service attribute 0
digit-length 8 9
#
pbxuser 33333000 pots enterprise hw
port 1/0/0
telno country-code 86 area-code 25 33333000
dn-set local
call-right in international-toll out international-toll
#
pbxuser 33333001 pots enterprise hw
port 1/0/1
telno country-code 86 area-code 25 33333001
dn-set local
call-right in international-toll out international-toll
#
afterroute-change 9
callprefix 9
trunk-group pra
caller no-change
called del 7 1
----End
Configuration Notes
- The PBX functions are controlled by the license. By default, PBX functions are disabled
on a newly purchased device. To use the PBX functions, apply for and purchase the
license from the Huawei local office.
- The country code and area code in China are used as an example.
- If a user-defined RBT is used, ensure that the RBT file has been created and uploaded to
the storage media.
- The default working mode is SIPAG. Run the service-mode { sipag | pbx } command
in the voice view to switch the working mode. Delete the SIPAG/PBX configuration before
switching. Restart the equipment after switching.
- A user may fail to reach the called party after dialing the prefix and called number. For
example, user 33333000 (global number format 00 86 25 33333000) in Nanjing, China
needs to dial 56623001 (global number format 00 86 755 56623001). The user dials 9
and 56623001. If the number is not changed, the called number received by the PBX is
956623001, whereas the actual called number is 56623001. In this case, configure a
post-routing number change plan to delete the prefix. You must correctly configure the
deletion position (del-offset) and the number of deleted digits (del-len). Configure the user
number in global number format: international toll call prefix + country code + area code +
user number. You can run the display voice pbxuser [ pbxuser-name ] command to view the
country code and area code, and run the display voice country-code [ country-code-value ]
command to view the international toll call prefix.
del-offset = number of digits of the international toll call prefix + number of digits of
the country code + number of digits of the area code + 1 (the position of the first digit of
the prefix)
del-len = number of digits to delete, which is usually the number of digits of the call
prefix.
For example, user 33333000 (global number format 00 86 25 33333000) in Nanjing,
China needs to dial 56623001. The user dials 9 and 56623001.
del-offset = 2 (00) + 2 (86) + 2 (25) + 1 = 7
del-len = 1 (9)
The value 00 is the international toll call prefix, the value 86 is the country code, the
value 25 is the area code, and the value 9 is the inter-office call prefix.
Run the called del 7 1 command to delete 9.
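The del-offset rule in this note (the same note appears under the IPSec, E1R2 and PSTN PRA examples earlier, whose afterroute-change blocks apply it as called del 7 1 and called del 7 5) is easy to get wrong when the area code length differs between sites. The Python below is an added example written for this page, not Huawei code; it models the called del <offset> <length> semantics as the note states them (a 1-based position within the global number). The function names and the INTL_PREFIX constant are assumptions made here; the country codes, area codes and prefixes are the page's own values:

```python
# Added example (not Huawei code): model of the post-routing "called del <offset> <length>" rule.
# Assumption (from the note above): offsets are 1-based positions in the global number
# "international toll prefix + country code + area code + dialed digits".

INTL_PREFIX = "00"   # international toll call prefix (China), as shown by display voice country-code


def global_number(country_code: str, area_code: str, dialed: str) -> str:
    """Build the global-format number that the PBX routes on."""
    return INTL_PREFIX + country_code + area_code + dialed


def del_offset(country_code: str, area_code: str) -> int:
    """1-based position of the first dialed digit (the call prefix) in the global number."""
    return len(INTL_PREFIX) + len(country_code) + len(area_code) + 1


def called_del(number: str, offset: int, length: int) -> str:
    """Apply 'called del <offset> <length>': remove <length> digits starting at position <offset>."""
    if offset < 1 or offset + length - 1 > len(number):
        raise ValueError(f"offset {offset}/length {length} fall outside {number}")
    return number[:offset - 1] + number[offset - 1 + length:]


def plan_for_prefix(country_code: str, area_code: str, prefix: str) -> tuple:
    """(del-offset, del-len) that an afterroute-change plan needs in order to strip `prefix`."""
    return del_offset(country_code, area_code), len(prefix)


def outgoing_called_number(country_code: str, area_code: str, prefix: str, digits: str) -> str:
    """Number sent on the trunk after the plan strips the prefix the user dialed."""
    number = global_number(country_code, area_code, prefix + digits)
    offset, length = plan_for_prefix(country_code, area_code, prefix)
    return called_del(number, offset, length)


if __name__ == "__main__":
    # Nanjing user (country code 86, area code 25) dials 9 + 56623001 -> plan "called del 7 1"
    print(plan_for_prefix("86", "25", "9"))                          # (7, 1)
    print(outgoing_called_number("86", "25", "9", "56623001"))       # 00862556623001
    # Branch prefix 20000 on the E1R2 trunk -> "called del 7 5" (RouterA in the E1R2 example)
    print(plan_for_prefix("86", "25", "20000"))                      # (7, 5)
    # Failure mode: copying RouterB's offset (area code 755 gives 8) onto RouterA deletes a
    # subscriber digit instead of the prefix 9, so the call goes to the wrong number.
    print(called_del(global_number("86", "25", "956623001"), 8, 1))  # 00862596623001
```

The last line is the case the note warns about: with the wrong offset the prefix 9 survives and a digit of the subscriber number is lost, which is why the offset must be recomputed per site from the output of display voice pbxuser and display voice country-code rather than copied between routers.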
Networking Requirements
An enterprise's external number allocated by the carrier is 99900002.
LTE user A calls PSTN user C. The MDC checks its configured office route, determines that
call 2000 is to be sent to the AR acting as the PSTN gateway, confirms that the AR is running
properly, and sends the called number to the AR. The AR receives the call message and
determines that the outgoing prefix routes the call to the PSTN through the AT0 trunk, as
shown in Figure 13-16.
PSTN user D calls public number 3000. The AR calls the local IVR access number 12345
through the AT0 trunk and triggers the IVR service, which plays a two-stage dial tone
prompting user D to dial 1000. The AR sends called number 1000 to the MDC and changes
calling number 2001 to 99900002, as shown in Figure 13-17.
Data Plan
2/0/4 12345
9 Outer-office ttt
12345 IVR -
Procedure
Step 1 Router configuration
#
voice
voip-address signalling interface Vlanif 10 10.240.255.15 //Use the VLANIF 10 address as the signaling IP address (the media IP address is configured in the same way).
#
callprefix 5
prefix 5
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 6
prefix 6
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 7
prefix 7
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 8
prefix 8
call-type category basic-service attribute 0
digit-length 1 35
destination-location inter-office
callroute trunkgroup1 pstn
#
callprefix 900x
prefix 9
call-type category basic-service attribute 0
digit-length 4 4
destination-location inter-office
callroute trunkgroup1 ttt
#
callprefix ivr
prefix 12345
call-type category basic-service attribute 0
digit-length 5 5
#
pbxusergroup ivr ivr //Create an IVR group.
access-telno 12345 //Configure the access code for the IVR group.
#
afterroute-change elte //Create a post-routing number change scheme.
callprefix 900x //Bind the scheme to call prefix 900x.
trunk-group ttt //Bind the scheme to the trunk group of the call route.
caller del-then-Insert 5 4 99900002 //Configure the conversion rule for calling numbers.
called no-change //Do not convert called numbers.
Outgoing call: PSTN user D calls public number 3000. The AR plays a two-stage dial tone
prompting user D to dial 1000. User D talks with user A, and the number displayed on the
called party's phone is 99900002.
Incoming call: LTE user A calls PSTN user C. The two parties talk with each other after user C
picks up the phone.
----End
Networking Requirements
To ensure sufficient bandwidth for established voice calls and to let high-priority users access
the network at any time, configure the Call Admission Control (CAC) function on the AR.
CAC uses the SIP protocol to learn the codec type carried by the packets and the remaining
voice bandwidth, and decides whether a new call is allowed on the AR. On a live network, the
total voice bandwidth on the AR is determined by the lower of the DSLAM upstream and
downstream activation rates. In principle, the total voice bandwidth on the AR must not exceed
this value; otherwise, the voice quality of established calls may be degraded. After CAC is
configured on the AR, each new call causes the AR to check the status of the voice user and to
allocate bandwidth for that call from the remaining bandwidth. If the remaining bandwidth is
insufficient, the call is rejected. In this way, CAC protects the voice quality of established
calls.
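The admission decision described above can be shown with a small model. The Python below is an added example written for this page, not Huawei code or the AR's actual CAC implementation. The per-call bandwidth figures are the usual values for G.711 and G.729 at 20 ms packetization with 40 bytes of IP/UDP/RTP header and no layer-2 overhead, and the 100 kbit/s budget assumes that the bandwidth 100 value in the configuration below is in kbit/s, which the page does not state:

```python
# Added example (not Huawei code): a model of the admission decision that CAC makes.
# Per-call bandwidth is derived from the codec rate and packetization interval, counting
# 40 bytes of IP/UDP/RTP header per packet and no layer-2 overhead (standard figures,
# not taken from the page). The 100 kbit/s budget mirrors "bandwidth 100" in the
# configuration below on the assumption that the unit is kbit/s.
from dataclasses import dataclass, field

IP_UDP_RTP_HEADER_BYTES = 40
CODEC_KBPS = {"G.711": 64, "G.729": 8}   # payload bit rates


def call_bandwidth_kbps(codec: str, ptime_ms: int = 20) -> float:
    """IP bandwidth of one RTP direction: (payload + headers) per packet x packets per second."""
    payload_bytes = CODEC_KBPS[codec] * 1000 / 8 * ptime_ms / 1000   # G.711 at 20 ms: 160 bytes
    packets_per_second = 1000 / ptime_ms                              # 20 ms: 50 pps
    return (payload_bytes + IP_UDP_RTP_HEADER_BYTES) * 8 * packets_per_second / 1000


@dataclass
class CallAdmissionControl:
    total_kbps: float
    active: dict = field(default_factory=dict)   # call id -> reserved kbit/s

    @property
    def remaining_kbps(self) -> float:
        return self.total_kbps - sum(self.active.values())

    def admit(self, call_id: str, codec: str, ptime_ms: int = 20) -> bool:
        """Reserve bandwidth for a new call, or reject it if the remainder is too small."""
        need = call_bandwidth_kbps(codec, ptime_ms)
        if call_id in self.active or need > self.remaining_kbps:
            return False   # rejecting the new call protects the established ones
        self.active[call_id] = need
        return True

    def release(self, call_id: str) -> None:
        """Return the bandwidth of a finished call to the pool."""
        self.active.pop(call_id, None)


def scenario() -> list:
    """100 kbit/s link: one G.711 call (80 kbit/s) leaves no room for a G.729 call (24 kbit/s)
    until the first call ends."""
    cac = CallAdmissionControl(total_kbps=100)
    results = [cac.admit("c1", "G.711"), cac.admit("c2", "G.729")]
    cac.release("c1")
    results.append(cac.admit("c2", "G.729"))
    return results


if __name__ == "__main__":
    print(call_bandwidth_kbps("G.711"), call_bandwidth_kbps("G.729"))   # 80.0 24.0
    print(scenario())                                                    # [True, False, True]
```

The model makes the operational point of the paragraph concrete: the codec negotiated in SIP decides how many calls fit, so on a 100 kbit/s budget four G.729 calls are admitted where a single G.711 call already blocks the second caller.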
Procedure
Step 1 Router configuration
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 //Match the private-network voice users for the NAT policy.
#
nat cac enable bandwidth 100 //Enable the CAC function.
#
interface Ethernet0/0/0
undo portswitch
ip address 172.16.1.2 255.255.255.0
nat outbound 3000 //Configure outbound NAT on the WAN side so that private-network users are source-NATed.
#
interface Ethernet0/0/1
port link-type access
port default vlan 192
#
interface Vlanif192
ip address 192.168.1.1 255.255.255.0
#
ip route-static 1.1.1.0 255.255.255.0 172.16.1.1 //Configure a static route to the SBC network segment 1.1.1.0/24 through the WAN next hop.
----End
Networking Requirements
The PBX uses the external number allocated to the enterprise by the carrier as the automatic
switchboard number. An outer-office user dials the external number and then dials an
extension number as prompted to reach an intra-office user. Intra-office users call each other
by dialing short numbers. Figure 13-19 shows the voice service network.
This topic assumes the following requirements:
- The country code is 86, and the area code is 571.
- The internal numbers of users A, B, and C are 7000, 7001, and 7100 respectively.
- Users A, B, and C belong to enterprise hw. The DN set is local. The intra-office call
prefix is 7, and the outgoing call prefix is 9. The incoming and outgoing call rights of all
users are all.
- Both the signaling IP address and the media IP address are 192.168.1.2.
- The automatic switchboard name is ivr. A number allocated by the PSTN, such as
28980808, is used as the automatic switchboard number.
- Post-routing number change scheme 9 is configured to retain calling numbers and delete
the first digit of called numbers when PBX users make outgoing calls through the FXO
port.
Prerequisites
The IVR configuration has been completed. For details, see IVR. The vu-service-name
configured for the automatic switchboard is the service name of the IVR.
Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.
3/0/4 28980808 0
7 Intra-office N/A
9 Outgoing 0
Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...
Step 2 Set the Ethernet IP address of interface GE0/0/0 to 192.168.1.2, and add 192.168.1.2 to the
media IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2
Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.
Step 6 Set the enterprise and DN set of prefixes to hw and local, and configure intra-office call
prefix 7 whose call attribute is 0 and local call prefix 9 whose call attribute is 1. Configure
national toll call prefix 90 whose call attribute is 2 and international toll call prefix 900 whose
call attribute is 3.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set local
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 3 32
[Huawei-voice-callprefix-7] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] enterprise hw dn-set local
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callprefix 90
[Huawei-voice-callprefix-90] enterprise hw dn-set local
[Huawei-voice-callprefix-90] prefix 90
[Huawei-voice-callprefix-90] call-type category basic-service attribute 2
[Huawei-voice-callprefix-90] digit-length 2 32
[Huawei-voice-callprefix-90] quit
[Huawei-voice] callprefix 900
[Huawei-voice-callprefix-900] enterprise hw dn-set local
[Huawei-voice-callprefix-900] prefix 900
[Huawei-voice-callprefix-900] call-type category basic-service attribute 3
[Huawei-voice-callprefix-900] digit-length 3 32
[Huawei-voice-callprefix-900] quit
Step 8 Configure a SIP user whose user number is 7100, authentication password is a123456, and
incoming and outgoing call rights are all.
[Huawei-voice] pbxuser 7100 sipue enterprise hw
[Huawei-voice-pbxuser-7100] dn-set local
[Huawei-voice-pbxuser-7100] sipue 7100
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7100] quit
Step 9 Configure POTS users whose user numbers are 7000 and 7001 and incoming and outgoing
call rights are all.
[Huawei-voice] pbxuser 7000 pots enterprise hw
[Huawei-voice-pbxuser-7000] dn-set local
[Huawei-voice-pbxuser-7000] port 3/0/0
[Huawei-voice-pbxuser-7000] telno 7000
[Huawei-voice-pbxuser-7000] call-right in all
[Huawei-voice-pbxuser-7000] call-right out all
[Huawei-voice-pbxuser-7000] quit
[Huawei-voice] pbxuser 7001 pots enterprise hw
[Huawei-voice-pbxuser-7001] dn-set local
[Huawei-voice-pbxuser-7001] port 3/0/1
[Huawei-voice-pbxuser-7001] telno 7001
[Huawei-voice-pbxuser-7001] call-right in all
[Huawei-voice-pbxuser-7001] call-right out all
[Huawei-voice-pbxuser-7001] quit
Intra-office call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000.
  Possible cause of failure: The intra-office call prefix is incorrectly configured.
Outgoing call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can make an outgoing call through the AT0 trunk, and the calling number displayed to the called party is 28980808.
  Possible causes of failure:
  • The outgoing call prefix is incorrectly configured.
  • The outgoing trunk is incorrectly configured.
----End
Configuration Files
• Router configuration
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
#
callroute 9
#
enterprise hw
dn-set local
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group at0 fxo
enterprise hw dn-set local
trunk-at0 3/0/4 default-called-telno 28980808
callroute 9
#
callprefix 7
enterprise hw dn-set local
prefix 7
call-type category basic-service attribute 0
digit-length 3 32
#
callprefix 9
enterprise hw dn-set local
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 9
#
callprefix 90
enterprise hw dn-set local
prefix 90
call-type category basic-service attribute 2
digit-length 2 32
#
callprefix 900
enterprise hw dn-set local
prefix 900
call-type category basic-service attribute 3
digit-length 3 32
#
callprefix ivr
enterprise hw dn-set local
prefix 28980808
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
pbxuser 7000 pots enterprise hw
telno 7000
dn-set local
port 3/0/0
call-right out all
#
pbxuser 7001 pots enterprise hw
telno 7001
dn-set local
port 3/0/1
call-right out all
#
pbxuser 7100 sipue enterprise hw
sipue 7100
telno 7100
dn-set local
call-right out all
eid-para password cipher %@%@nGE1Y)%q*~n14{5/1l2@,._1TrX7Eeq(Y>/,=AT'V"\~._4,%@%@
#
afterroute-change 9
callprefix 9
trunk-group at0
caller no-change
called del 1 1
#
Networking Requirements
To reduce toll call costs, an enterprise connects two branches in different cities through a SIP
trunk. Each branch connects to the IMS through a SIP AT0 trunk or connects to the PSTN
through a PRA trunk.
When an intra-office user in city A dials a PSTN number in city B, the call is routed by the
PBX to the IP PBX through the SIP IP trunk, routed by the IP PBX to the PSTN through the
PRA trunk, and finally connected to the outer-office user in city B. When an intra-office user
in city B dials a local number in city A, the call process is similar, in which the call is first
routed to the PBX.
This scenario reduces toll call costs. Figure 13-20 shows the distributed networking.
This topic assumes that you want to implement the following requirements:
• The country code is 86, the area code of city A is 571, and the area code of city B is 577.
• The IP address of the IMS is 192.168.1.4, and the port number is 5060.
• The automatic switchboard number of the PBX is 83787005, and the automatic switchboard number of the IP PBX is 83786005.
• PBX users and IP PBX users make calls to each other by dialing short numbers.
• When a PBX user or an IP PBX user dials a local number in city B, the call is routed through the IP PBX. If the calling user has a long number, the long number is displayed as the calling number. If the calling user does not have a long number, 83786005 is displayed as the calling number.
• When an IP PBX user or a PBX user dials a local number in city A, the call is routed through the PBX. If the calling user has a long number, the long number is displayed as the calling number. If the calling user does not have a long number, 83787005 is displayed as the calling number.
Prerequisites
The IVR configuration has been completed. For details, see IVR. The value of vu-service-name configured for the automatic switchboard must be the same as the value of service configured for the IVR.
Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.
7100–7104 N/A
6100–6104 N/A
3/0/0 0 PSTN
Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...
Step 2 Set the Ethernet IP address of interface GE0/0/0 to 192.168.1.2, and add 192.168.1.2 to the
media IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2
Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.
Configure national toll call prefix 90 whose call attribute is 2 and call route is 0, and
configure international toll call prefix 900 whose call attribute is 3 and call route is 0.
For details, see the configuration of prefix 9.
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] prefix 9
[Huawei-voice-callprefix-9] call-type category basic-service attribute 1
[Huawei-voice-callprefix-9] digit-length 1 32
[Huawei-voice-callprefix-9] quit
[Huawei-voice] callroute 3
[Huawei-voice-callroute-3] quit
[Huawei-voice] callprefix 9
[Huawei-voice-callprefix-9] callroute 3
[Huawei-voice-callprefix-9] quit
2. Configure a POTS user whose user number is 7100 and incoming and outgoing call
rights are all.
[Huawei-voice] pbxuser 7100 pots
[Huawei-voice-pbxuser-7100] port 2/0/0
[Huawei-voice-pbxuser-7100] telno 7100 long-telno 83787100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] quit
[Huawei] voice
[Huawei-voice] port ve1 3/0/0
[Huawei-voice-ve1-3/0/0] signal ccs
Set signal type successfully
[Huawei-voice-ve1-3/0/0] quit
[Huawei-voice] quit
[Huawei] clock source 0 3/0/0
[Huawei] voice
[Huawei-voice] callroute 0
[Huawei-voice-callroute-0] quit
[Huawei-voice] trunk-group pra dss1-user
[Huawei-voice-trunkgroup-pra] trunk-pra 3/0/0
[Huawei-voice-trunkgroup-pra] callroute 0
[Huawei-voice-trunkgroup-pra] quit
Intra-office call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000.
  Possible cause of failure: The intra-office call prefix is incorrectly configured.
Outgoing call made by an intra-office user with a long number
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example:
  • User 7000 can dial 6000 to make a call to user 6000, and the calling number displayed to user 6000 is 7000.
  • User 7000 can make an outgoing call through the SIP AT0 trunk, and the calling number displayed to the called party is 83787000.
  • User 7000 can make an outgoing call through the PRA trunk, and the calling number displayed to the called party is 83787000.
  Possible causes of failure:
  • The outgoing call prefix is incorrectly configured.
  • The outgoing trunk is incorrectly configured, or the reset command is not executed after the configuration.
----End
Configuration Files
• Router configuration
#
clock source 0 3/0/0 priority 9
#
set workmode slot 3 e1t1 e1-voice
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
port ve1 3/0/0
signal CCS
#
callroute 0
#
callroute 1
#
callroute 3
#
enterprise hw
dn-set hwdnset
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group pra dss1-user
callroute 0
trunk-pra 3/0/0
#
trunk-group sipat0 sip trunk-circuit
callroute 3
signalling-address ip 192.168.1.2 port 5061
media-ip 192.168.1.2
peer-address static 192.168.1.4 5060
register-uri abcd.com
home-domain abcd.com
number-parameter 19 1
trunk-sipat0 +862083787005@abcd.com password cipher %^%#sh1hK7Y[vIDIo]@%y)"(^`xyQQLvuFT&:]Fob_b5%^%#
#
trunk-group sipip01 sip no-register
callroute 1
signalling-address ip 192.168.1.2 port 5062
media-ip 192.168.1.2
peer-address static 192.168.1.3 5062
register-uri abcd.com
home-domain abcd.com
#
callprefix 6
prefix 6
call-type category basic-service attribute 1
digit-length 4 32
callroute 1
#
callprefix 7
prefix 7
call-type category basic-service attribute 0
digit-length 4 32
#
callprefix 9
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 3
#
pbxuser 7000 sipue
sipue 7000
telno 7000 long-telno 83787000
call-right out all
eid-para password cipher %^%#%')'%i~C[2>B0.~$l6E@D)H|+:L0I!`Dg@,2>qjJ%^%#
#
pbxuser 7100 pots
port 2/0/0
telno 7100 long-telno 83787100
call-right out all
#
afterroute-change 9_6xxx_sipat0
callprefix 9
trunk-group sipat0
condition caller-telno 6xxx
caller del-then-Insert 1 32 83786005
called del 1 1
#
afterroute-change 9_7xxx_sipat0
callprefix 9
trunk-group sipat0
condition caller-telno 7xxx
caller del-then-Insert 1 32 83787005
called del 1 1
#
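The following Python model is an added example and not Huawei code; it mirrors the callprefix, callroute, trunk-group and afterroute-change semantics of the configuration files above (the SIP-trunk dial plan with the 6xxx/7xxx caller conditions, and the 9/90/900 prefixes of the AT0 example) so that a planned dial plan can be checked off the device before it is committed. The device's own long-number substitution is not modelled, and the PSTN number 83781234 used in the demo is constructed.

```python
"""Model of callprefix digit analysis and afterroute-change number rewriting.

Added example, not Huawei code. Conventions follow the configuration files in
this chapter: a callprefix carries prefix digits, a call attribute
(0 intra-office, 1 local, 2 national toll, 3 international toll), a
digit-length range and an optional callroute; a trunk-group binds a callroute;
an afterroute-change scheme is selected by (callprefix, trunk-group) plus an
optional 'condition caller-telno <pattern>' where x matches any digit, and its
caller/called rules use 1-based inclusive digit positions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CallPrefix:
    name: str
    prefix: str
    attribute: int
    min_len: int
    max_len: int
    callroute: Optional[int] = None   # None: intra-office, never leaves on a trunk


@dataclass(frozen=True)
class NumberChange:
    callprefix: str
    trunk_group: str
    caller_condition: Optional[str]   # e.g. '6xxx'; None means unconditional
    caller_rule: Tuple                # ('no-change',) | ('del-then-insert', s, e, digits)
    called_rule: Tuple                # ('no-change',) | ('del', s, e)


@dataclass(frozen=True)
class RoutedCall:
    attribute: int
    trunk_group: Optional[str]        # None for an intra-office call
    caller_out: str
    called_out: str


def pattern_match(number: str, pattern: Optional[str]) -> bool:
    """'x' matches any single digit; other characters must match literally."""
    if pattern is None:
        return True
    return len(number) == len(pattern) and all(
        p == "x" or p == n for p, n in zip(pattern, number))


def select_prefix(dialled: str, prefixes: List[CallPrefix]) -> Optional[CallPrefix]:
    """Digit analysis: longest prefix whose digit-length range admits the dialled string."""
    candidates = [p for p in prefixes
                  if dialled.startswith(p.prefix) and p.min_len <= len(dialled) <= p.max_len]
    return max(candidates, key=lambda p: len(p.prefix), default=None)


def apply_rule(number: str, rule: Tuple) -> str:
    """'del 1 1' strips the outgoing prefix digit; 'del-then-insert 1 32 <digits>'
    deletes the whole (at most 32-digit) number and sends <digits> instead."""
    if rule[0] == "no-change":
        return number
    if rule[0] == "del":
        _, start, end = rule
        return number[:start - 1] + number[end:]
    if rule[0] == "del-then-insert":
        _, start, end, digits = rule
        return number[:start - 1] + digits + number[end:]
    raise ValueError(f"unknown rule {rule[0]!r}")


def route_call(caller: str, dialled: str, prefixes: List[CallPrefix],
               route_to_trunk: Dict[int, str],
               changes: List[NumberChange]) -> Optional[RoutedCall]:
    """Return the trunk and the numbers sent on it, or None if no prefix matches."""
    prefix = select_prefix(dialled, prefixes)
    if prefix is None:
        return None
    if prefix.callroute is None:
        return RoutedCall(prefix.attribute, None, caller, dialled)
    trunk = route_to_trunk[prefix.callroute]
    applicable = [c for c in changes
                  if c.callprefix == prefix.name and c.trunk_group == trunk
                  and pattern_match(caller, c.caller_condition)]
    # A scheme whose caller condition matches takes precedence over an unconditional one.
    applicable.sort(key=lambda c: c.caller_condition is None)
    if not applicable:
        return RoutedCall(prefix.attribute, trunk, caller, dialled)
    scheme = applicable[0]
    return RoutedCall(prefix.attribute, trunk,
                      apply_rule(caller, scheme.caller_rule),
                      apply_rule(dialled, scheme.called_rule))


# Dial plan of the SIP-trunk example above (the city A router).
PREFIXES = [
    CallPrefix("6", "6", 1, 4, 32, callroute=1),   # short numbers of IP PBX users
    CallPrefix("7", "7", 0, 4, 32),                # local extensions
    CallPrefix("9", "9", 1, 1, 32, callroute=3),   # outgoing calls via the SIP AT0 trunk
]
ROUTE_TO_TRUNK = {1: "sipip01", 3: "sipat0"}
CHANGES = [
    NumberChange("9", "sipat0", "6xxx", ("del-then-insert", 1, 32, "83786005"), ("del", 1, 1)),
    NumberChange("9", "sipat0", "7xxx", ("del-then-insert", 1, 32, "83787005"), ("del", 1, 1)),
]
# Prefixes 9 / 90 / 900 of the AT0 example: the digits after 9 decide local, national or
# international toll, so the call attribute rests on longest-match selection.
TOLL_PREFIXES = [CallPrefix("9", "9", 1, 1, 32), CallPrefix("90", "90", 2, 2, 32),
                 CallPrefix("900", "900", 3, 3, 32)]


def call_attribute(dialled: str) -> Optional[int]:
    prefix = select_prefix(dialled, TOLL_PREFIXES)
    return None if prefix is None else prefix.attribute


def demo() -> Dict[str, Optional[RoutedCall]]:
    """Constructed calls; 83781234 is a made-up PSTN number."""
    return {
        "intra": route_call("7000", "7100", PREFIXES, ROUTE_TO_TRUNK, CHANGES),
        "to_ip_pbx": route_call("7000", "6000", PREFIXES, ROUTE_TO_TRUNK, CHANGES),
        "pstn_from_7xxx": route_call("7000", "983781234", PREFIXES, ROUTE_TO_TRUNK, CHANGES),
        "pstn_from_6xxx": route_call("6100", "983781234", PREFIXES, ROUTE_TO_TRUNK, CHANGES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```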
Networking Requirements
Connect the live-network PBX to a new PBX to meet the requirements of expanding the
capacity based on the live-network PBX and retaining the original long and short user
numbers, automatic switchboard number, and users' dialing habit. Figure 13-21 shows the
typical network for connecting the live-network PBX to the PBX.
This topic assumes that you want to implement the following requirements:
• The country code is 86, and the area code is 571.
• The enterprise is hw, and the DN set is hwdnset.
• PBX users and live-network PBX users make calls to each other by dialing short numbers.
• The PBX connects to the live-network PBX through an H.323 trunk, and the call route is 2.
• The live-network PBX connects to the PBX through an H.323 trunk, and the call route is 3.
• The PBX connects to carrier A through an AT0 trunk, and connects to carrier B through a PRA trunk. The outgoing call routing mode based on load balancing is used, and both trunks are bound to call route 0.
• Outgoing calls to the PSTN of carrier B are routed through a PRA trunk. If the calling user has a long number, the long number is displayed as the calling number. If the calling user does not have a long number, 28980808 is displayed as the calling number.
• Outgoing calls to the PSTN of carrier A are routed through an AT0 trunk. If the calling user has a long number, the long number is displayed as the calling number. If the calling user does not have a long number, 83780808 is displayed as the calling number.
• Users of carrier A or B dial the automatic switchboard of the PBX to make incoming calls.
Figure 13-21 Typical network for connecting the live-network PBX to the PBX
Prerequisites
The IVR configuration has been completed. For details, see IVR. The value of vu-service-name configured for the automatic switchboard must be the same as the value of service configured for the IVR.
Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.
7100–7104 N/A
6100–6104 N/A
1/0/0 0 PSTN
3/0/4 83780808 0
7 Intra-office N/A
8378 Outgoing 2
7 Outgoing 3
9 Outgoing 3
Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...
Step 2 Set the Ethernet IP address of interface 0/0/0 to 192.168.1.2, and add 192.168.1.2 to the media
IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2
Step 4 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.
1. Configure intra-office call prefix 7 whose call attribute is 0, and set the enterprise and
DN set to hw and hwdnset.
NOTE
The procedure for configuring intra-office call prefix 2898 is similar. You only need to change the
minimum number length to 8.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set hwdnset
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 4 32
[Huawei-voice-callprefix-7] quit
2. Configure a POTS user whose user number is 7100 and incoming and outgoing call
rights are all.
[Huawei-voice] pbxuser 7100 pots enterprise hw
[Huawei-voice-pbxuser-7100] dn-set hwdnset
[Huawei-voice-pbxuser-7100] port 3/0/0
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] call-right in all
[Huawei-voice-pbxuser-7100] call-right out all
[Huawei-voice-pbxuser-7100] return
[Huawei-voice-trunkgroup-pra] callroute 0
[Huawei-voice-trunkgroup-pra] quit
[Huawei-voice] trunk-group AT0
[Huawei-voice-trunkgroup-AT0] callroute 0
[Huawei-voice-trunkgroup-AT0] quit
Intra-office call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000.
  Possible cause of failure: The intra-office call prefix is incorrectly configured.
Outgoing call made by an intra-office user with a long number
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example:
  • User 7000 can dial 6000 to make a call to user 6000, and the calling number displayed to user 6000 is 7000.
  • User 7000 can make an outgoing call through the PRA trunk, and the calling number displayed to the called party is 28987000.
  • User 7000 can make an outgoing call through the AT0 trunk, and the calling number displayed to the called party is 28987000.
  Possible causes of failure:
  • The outgoing call prefix is incorrectly configured.
  • The outgoing trunk is incorrectly configured, or the reset command is not executed after the configuration.
----End
Configuration Files
• Router configuration
#
clock source 0 1/0/0 priority 9
#
set workmode slot 1 e1t1 e1-voice
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
port ve1 1/0/0
signal CCS
#
h323-attribute
localip 192.168.1.2
#
callroute 0
selecttype loadshare
#
callroute 2
#
enterprise hw
dn-set hwdnset
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group at0 fxo
trunk-AT0 3/0/4 default-called-telno 83780808
enterprise hw dn-set hwdnset
callroute 0
#
trunk-group h323 h323 symmetrical
enterprise hw dn-set hwdnset
callroute 2
media-ip 192.168.1.2
peer-address static 192.168.1.3 1720
#
trunk-group pra dss1-user
trunk-pra 1/0/0
enterprise hw dn-set hwdnset
callroute 0
#
callprefix 6
enterprise hw dn-set hwdnset
prefix 6
call-type category basic-service attribute 1
digit-length 4 32
callroute 2
#
callprefix 7
enterprise hw dn-set hwdnset
prefix 7
call-type category basic-service attribute 0
digit-length 4 32
#
callprefix 9
enterprise hw dn-set hwdnset
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 0
#
callprefix ivr
enterprise hw dn-set hwdnset
prefix 28980808
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
pbxuser 7000 sipue enterprise hw
sipue 7000
telno 7000 long-telno 28987000
dn-set hwdnset
call-right out all
eid-para password cipher %^%#"(sq-~Wu6YD^RCIcKx:'6]z--N|iKU6DyrM4m&*X%^%#
#
pbxuser 7100 pots enterprise hw
telno 7100
port 3/0/0
dn-set hwdnset
call-right out all
#
afterroute-change 9_6xxx_pra
callprefix 9
trunk-group pra
condition caller-telno 6xxx
caller del-then-Insert 1 32 28980808
called del 1 1
#
afterroute-change 9_71xx_pra
callprefix 9
trunk-group pra
condition caller-telno 71xx
caller del-then-Insert 1 32 28980808
called del 1 1
#
afterroute-change 9_at0
callprefix 9
trunk-group AT0
caller no-change
called del 1 1
#
afterroute-change 9_pra
callprefix 9
trunk-group pra
caller no-change
called del 1 1
#
Networking Requirements
Users A and B belong to enterprise 1. Users C and D belong to enterprise 2. Enterprises 1 and
2 are in the same industrial campus. By configuring different enterprises on the device, you
can logically isolate multiple enterprises' voice services, implementing PBX sharing.
Enterprises 1 and 2 can use virtual PBXs to implement voice services for intra-office users
and use a unified egress to implement voice services between intra-office and outer-office
users. This reduces enterprise costs as well as the carrier's access points. Figure 13-22 shows
the PBX sharing network.
This topic assumes that you want to implement the following requirements:
• The external number allocated by the carrier to enterprise 1 is 56623000. When an outer-office user dials 56623000, user B's phone rings. If the outer-office user wants to make a call to an intra-office user other than user B, the call can be transferred by user B to the target user.
• The external number allocated by the carrier to enterprise 2 is 56623001. When an outer-office user dials 56623001, user C's phone rings. If the outer-office user wants to make a call to an intra-office user other than user C, the call can be transferred by user C to the target user.
• The country code is 86, and the area code is 571.
• The internal numbers of users A, B, C, and D are 7100, 7000, 6000, and 6100 respectively.
• Both the signaling IP address and media IP address are 192.168.1.2.
• Users A and B belong to enterprise hw. The DN set is local. The intra-office call prefix is 7. The outgoing call prefix is 8. Users C and D belong to enterprise hw1. The DN set is local1. The intra-office call prefix is 6. The outgoing call prefix is 9.
• A SIP AT0 trunk is used to route outgoing calls. The IP address of the IMS is 192.168.10.10, and the port number is 5060.
• Post-routing number change scheme 8 is configured to retain calling numbers and delete the first digit of called numbers when users of enterprise 1 make outgoing calls through the SIP AT0 trunk. Post-routing number change scheme 9 is configured to retain calling numbers and delete the first digit of called numbers when users of enterprise 2 make outgoing calls through the SIP AT0 trunk.
Figure 13-22 PBX sharing network
Configuration Roadmap
The configuration procedure is as follows:
1. Set the service mode of the router to PBX, and set public parameters. Configure
enterprises 1 and 2, and connect the enterprises to the router.
2. Configure the users, call prefixes, trunk group, call route, and post-routing number
change for enterprise 1 so that intra-office users of enterprise 1 can make intra-office and
outgoing calls.
3. Configure the users, call prefixes, trunk group, call route, and post-routing number
change for enterprise 2 so that intra-office users of enterprise 2 can make intra-office and
outgoing calls.
Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.
7100–7104 N/A
N/A 56623000
6100–6104 N/A
N/A 56623001
8 Outgoing 0
9 Outgoing 0
Procedure
Step 1 Set the service mode to PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] quit
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...
Step 2 Set the Ethernet IP address of interface 0/0/0 to 192.168.1.2, and add 192.168.1.2 to the media
IP address pool and signaling IP address pool of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 192.168.1.2
[Huawei-voice] quit
Step 3 Set the default country code to 86 and default area code to 571, and enable country code
change and area code change.
[Huawei] voice
[Huawei-voice] pbx default-country-code 86 default-area-code 571
[Huawei-voice] pbx enable-country-area-transform enable
Step 6 Set the enterprise of users A and B to hw, the DN set to local, the intra-office call prefix to 7,
and the outgoing call prefix to 8.
NOTE
Set the enterprise of users C and D to hw1, the DN set to local1, the intra-office call prefix to 6, and the
outgoing call prefix to 9.
[Huawei-voice] callprefix 7
[Huawei-voice-callprefix-7] enterprise hw dn-set local
[Huawei-voice-callprefix-7] prefix 7
[Huawei-voice-callprefix-7] call-type category basic-service attribute 0
[Huawei-voice-callprefix-7] digit-length 4 32
[Huawei-voice-callprefix-7] quit
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] enterprise hw dn-set local
[Huawei-voice-callprefix-8] prefix 8
[Huawei-voice-callprefix-8] call-type category basic-service attribute 1
[Huawei-voice-callprefix-8] digit-length 1 32
[Huawei-voice-callprefix-8] quit
[Huawei-voice] callroute 8
[Huawei-voice-callroute-8] quit
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] callroute 8
[Huawei-voice-callprefix-8] quit
Step 7 Configure SIP user A whose user number is 7100 and authentication password is a123456.
NOTE
Configure user D, whose enterprise is hw1 and user number is 6100. For details, see the configuration of user 7100.
[Huawei-voice] pbxuser 7100 sipue enterprise hw
[Huawei-voice-pbxuser-7100] dn-set local
[Huawei-voice-pbxuser-7100] sipue 7100
[Huawei-voice-pbxuser-7100] telno 7100
[Huawei-voice-pbxuser-7100] eid-para password cipher
Please input user password(6-64 chars): *******
[Huawei-voice-pbxuser-7100] quit
NOTE
Configure post-routing number change scheme 9 to retain calling numbers and delete the first digit of
called numbers when users of enterprise 2 make outgoing calls through the SIP AT0 trunk.
[Huawei-voice] callprefix 8
[Huawei-voice-callprefix-8] callroute 8
[Huawei-voice-callprefix-8] quit
[Huawei-voice] trunk-group sipat0
[Huawei-voice-trunkgroup-sipat0] callroute 8
[Huawei-voice-trunkgroup-sipat0] quit
[Huawei-voice] afterroute-change 8
[Huawei-voice-afterroute-change-8] callprefix 8
[Huawei-voice-afterroute-change-8] trunk-group sipat0
[Huawei-voice-afterroute-change-8] caller no-change
[Huawei-voice-afterroute-change-8] called del 1 1
[Huawei-voice-afterroute-change-8] save
Intra-office call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can dial 7100 to make a call to user 7100, and the calling number displayed to user 7100 is 7000.
  Possible cause of failure: The intra-office call prefix is incorrectly configured.
Outgoing call
  Expected result: Calls can be made properly, and the calling number is correctly displayed. For example, user 7000 can make an outgoing call through the SIP AT0 trunk, and the calling number displayed to the called party is 56623000.
  Possible causes of failure:
  • The outgoing call prefix is incorrectly configured.
  • The outgoing trunk is incorrectly configured.
----End
Configuration Files
• Router configuration
#
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
voice
voip-address media interface GigabitEthernet 0/0/0 192.168.1.2
voip-address signalling interface GigabitEthernet 0/0/0 192.168.1.2
pbx default-area-code 571
pbx enable-country-area-transform enable
#
callroute 8
#
enterprise hw
dn-set local
#
enterprise hw1
dn-set local1
#
sipserver
signalling-address ip 192.168.1.2 port 5060
media-ip 192.168.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group sipat0 sip trunk-circuit
enterprise hw dn-set local
callroute 8
Networking Requirements
• When the central node is correctly connected to the AR local node:
  – All users at the headquarters and branches register with the central node.
  – The central node processes all internal calls.
• When the central node is faulty or disconnects from the local node, local users register with the local node, and the local node processes service requests (including intra-office calls and incoming and outgoing calls) from local users. This is known as local regeneration.
Data Plan
The data plan provided in this example is for reference only. Plan data by negotiating with
users and the carrier.
Procedure
Step 1 Configure the service mode to IP PBX.
<Huawei> system-view
[Huawei] voice
[Huawei-voice] service-mode pbx
[Huawei-voice] return
[Huawei] save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<Huawei> reboot
Info: The system is comparing the configuration, please wait.
System will reboot! Continue ? [y/n]:y
Info: system is rebooting, please wait...
Step 2 Set the IP address of interface 0/0/0 to 172.16.1.2, and add 172.16.1.2 to the media and
signaling IP address pools of the interface.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 172.16.1.2 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] voice
[Huawei-voice] voip-address media interface gigabitethernet 0/0/0 172.16.1.2
[Huawei-voice] voip-address signalling interface gigabitethernet 0/0/0 172.16.1.2
Step 4 Set the default country code to 86 and default area code to 021. Enable country/area code
transformation.
[Huawei-voice] pbx default-country-code 86 default-area-code 021
[Huawei-voice] pbx enable-country-area-transform enable
3. Configure the automatic switchboard. The automatic switchboard name is ivr, and the number is 28888999.
NOTE
Before configuring the automatic switchboard, perform IVR configuration by referring to the AR
Product Documentation. Use the same value for vu-service-name of the automatic switchboard and
service of the IVR.
[Huawei-voice] callprefix ivr
[Huawei-voice-callprefix-ivr] prefix 28888999
[Huawei-voice-callprefix-ivr] call-type category vu-service vu-service-name vudefault
[Huawei-voice-callprefix-ivr] digit-length 8 32
[Huawei-voice-callprefix-ivr] save
[Huawei-voice-callprefix-ivr] quit
Skip this step if the transmission mode in step 9 is configured to TCP. However, TCP transmission is unencrypted and exposes the signaling to interception and tampering, so TLS transmission is recommended.
1. Obtain the servercert.pem certificate file and serverkey.pem private key file from the
U1900 series unified gateway host software package (if you do not have the software
package, download it from http://support.huawei.com/enterprise).
Certificate and private key files are credentials for TLS transmission authentication.
Matched certificate and private key files are preconfigured when the U1900 series
unified gateways are delivered.
It is recommended that you replace the preconfigured files with certificate and private
key files generated by the customer or issued by an official authority. After certificate
and private key files are replaced on the AR, import matched certificate and private key
files to the U1900 series unified gateway.
2. Upload certificate and private key files to the AR.
3. Configure the policy.
[Huawei] pki realm u1900
[Huawei-pki-realm-u1900] quit
[Huawei] ssl policy u1900 type server
[Huawei-ssl-policy-u1900] pki-realm u1900
[Huawei-ssl-policy-u1900] quit
required.
Please enter the name of private key file <length 1-127>:
serverkey.pem
Please enter the type of private key file(pem , p12):
pem
The current password is required, please enter your password <length 1-31>:********
Successfully imported the certificate.
NOTE
You can obtain the decryption password for the private key file attached with the U1900 series unified
gateway from Configuration > Configuration Guide > Advanced Configuration > Configuring
Signaling Encryption in the eSpace U1900 series unified gateway product documentation.
5. Access the local-survival view and bind the policy.
[Huawei-voice] local-survival
[Huawei-voice-local-survival] transfer tls
[Huawei-voice-local-survival] ssl-server-policy u1900
[Huawei-voice-local-survival] reset
[Huawei-voice-local-survival] save
1. Verifying intra-office calls made by short numbers between SIP users and POTS users
   Steps:
   1. Pick up IP phone 86000 at branch 1 and call IP phone 81000 at the headquarters.
   2. Pick up IP phone 86000 at branch 1 and call POTS phone 88001 at branch 1.
   Expected results:
   1. IP phone 81000 rings. The call is set up after the IP phone is picked up.
   2. POTS phone 88001 rings. The call is set up after the POTS phone is picked up.
2. Verifying outgoing calls
   Steps:
   1. Pick up IP phone 86000 at branch 2 and dial 9XXXXXXXX to call PSTN user B at branch 2.
   2. Pick up IP phone 86000 at branch 2 and dial 9010XXXXXXXX to call PSTN user A at the headquarters.
   Expected results:
   1. PSTN user B's phone rings. The call is set up after the phone is picked up.
   2. PSTN user A's phone rings. The call is set up after the phone is picked up.
4. Verifying local regeneration calls by disconnecting from the central node
   Steps:
   1. Pick up IP phone 86000 at branch 2 and call POTS phone 88001 at branch 2.
   2. Pick up IP phone 86000 at branch 2 and dial 9XXXXXXXX to call PSTN user B at branch 2.
   3. Pick up the phone of PSTN user B at branch 2 and dial the long number 28886000 to call IP phone 86000 at branch 2.
   4. Pick up the phone of PSTN user B at branch 2 and dial the enterprise switchboard number 28888999 and then the extension number 88001.
   Expected results:
   1. POTS phone 88001 rings. The call is set up after the POTS phone is picked up.
   2. PSTN user B's phone rings. The call is set up after the phone is picked up.
   3. IP phone 28886000 rings. The call is set up after the IP phone is picked up.
   4. POTS phone 88001 rings. The call is set up after the POTS phone is picked up.
----End
media-ip 172.16.1.2
register-uri abcd.com
home-domain abcd.com
#
trunk-group pra dss1-user
trunk-pra 1/0/0
callroute 1
#
trunk-group sipat0 sip trunk-circuit
signalling-address ip 172.16.1.2 port 5061
media-ip 172.16.1.2
peer-address static 10.10.10.2 5060
register-uri abcd.com
home-domain abcd.com
trunk-sipat0 28888001 default-called-telno 88001
#
trunk-group sipip sip no-register
callroute 2
signalling-address ip 172.16.1.2 port 5063
media-ip 172.16.1.2
peer-address static 10.10.10.2 5060
register-uri abcd.com
home-domain abcd.com
#
callprefix 8
prefix 8
call-type category basic-service attribute 0
digit-length 5 32
#
callprefix 9
prefix 9
call-type category basic-service attribute 1
digit-length 1 32
callroute 1
#
callprefix ivr
prefix 28888999
call-type category vu-service vu-service-name vudefault
digit-length 8 32
#
local-survival
dataserver ip 10.10.10.2
dataservertype u1900
local-address ip 172.16.1.2
sync-interval 2
password cipher %^%#nw@y%OP0$#],HR"wQH/3`|.@A7+ZttF2*1D!)C~.or3f~>0ZB#EX,3dEoR%^%#
ssl-server-policy u1900
primary-trunk-group sipip proxyreg-trunk-group sipat0
#
pbxuser 88001 pots
telno 88001
port 2/0/1
call-right out all
#
afterroute-change 9
callprefix 9
trunk-group pra
caller del-then-insert 1 32 28888999
called del 1 1
#
14 Deploying Reliability
Networking Requirements
RouterA connects to a 3G network. It uses Cellular0/0/0 as the primary interface and
Cellular0/0/1 as the backup interface to transmit data on the 3G network.
Procedure
Step 1 Configure RouterA.
interface Cellular0/0/0
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular //Enable circular DCC.
dialer-group 1
dialer timer autodial 60 //Set the interval for automatic dialup.
dialer number *99# autodial //Enable the interface to automatically dial up using the dialer number *99#.
standby interface Cellular0/0/1 //Configure Cellular0/0/1 as the standby interface.
#
interface Cellular0/0/1 //Configure the standby 3G interface.
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular
dialer-group 1
dialer timer autodial 60
dialer number *99# autodial
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/1 preference 80
#
# When Cellular0/0/0 is shut down, Cellular0/0/1 goes to Up state and obtains an IP address.
When RouterA pings the gateway address, the number of received packets on Cellular0/0/1
increases.
----End
Configuration Notes
• Cellular interfaces support only circular DCC.
• The primary and backup interfaces must have reachable routes to the destination network segment.
• It takes some time for a cellular interface to dial up to the 3G network. Therefore, some data packets may be lost during an active/standby switchover.
Networking Requirements
RouterA connects to the IP network through two links:
• Primary link: An ADSL interface on the 1ADSL-A/M interface card connects to the ADPD card of the DSLAM, and the DSLAM connects to RouterB through an interface on the main board.
• Backup link: RouterA connects to a NodeB through a cellular interface, and communicates with the IP network through the 3G network.
NOTE
In this example, the DSLAM is an MA5600T, and its configuration is provided for reference.
Procedure
Step 1 Configure RouterA.
#
interface Atm1/0/0 //Configure the ATM interface connected to the ADSL link.
ip address 10.1.0.5 255.255.255.252 //Assign an IP address to the ATM interface. Ensure that the IP address is on the same network segment as GE1/0/0 of RouterB.
pvc ipoa 20/80 //Create a PVC, and set the VPI to 20 and the VCI to 80.
map ip 10.1.0.6 //Configure IPoA mapping for the PVC.
standby interface Cellular0/0/0 //Configure the 3G interface as the standby interface.
#
interface Cellular0/0/0 //Configure the standby interface.
link-protocol ppp
ip address ppp-negotiate
dialer enable-circular //Enable circular DCC.
dialer-group 1
dialer timer autodial 60 //Set the interval for automatic dialup.
dialer number *99# autodial //Enable the 3G interface to automatically dial up using the dialer number *99#.
#
dialer-rule //Specify a dialer access control list.
dialer-rule 1 ip permit
# //Configure static routes to the gateway. (Configure a default route if you do not know the gateway IP address.)
ip route-static 200.168.2.0 255.255.255.0 10.1.0.6 preference 40
ip route-static 200.168.2.0 255.255.255.0 Cellular0/0/0 preference 80
#
native-vlan 3 vlan 100 //Specify the native VLAN for the uplink interface.
#
service-port 40 vlan 100 adsl 0/4/32 vpi 20 vci 80 //Add ADSL interface 0/4/32 to the service interface.
#
mac-pool 3 0000-0000-0001 //Create MAC address pool 3 and set the start MAC address to 0000-0000-0001.
ipoa enable
encapsulation 0/4/32 vpi 20 vci 80 type ipoa llc srcIP 10.1.0.5 dstIP 10.1.0.6 //Configure the IPoA encapsulation mode for ADSL interface 0/4/32. The VPI and VCI must be the same as those of the uplink ATM interface.
#
----End
Configuration Notes
• Cellular interfaces support only circular DCC.
• The primary and backup interfaces must have reachable routes to the destination network segment.
• The VPI and VCI used on the DSLAM must be the same as those used on RouterA. When configuring IPoA on the DSLAM for the first time, configure a MAC address pool.
• It takes some time for a cellular interface to dial up to the 3G network. Therefore, some data packets may be lost during an active/standby switchover.
Networking Requirements
As shown in Figure 14-3, RouterA connects to the IP network through Ethernet1/0/0 and
Ethernet2/0/0.
Ethernet1/0/0 is the primary interface, and Ethernet2/0/0 is the backup interface.
Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
----End
Configuration Notes
• Only WAN interfaces support interface backup.
• A primary interface can have a maximum of three backup interfaces.
• An interface can be used as the backup interface of only one primary interface.
• A maximum of 10 primary interfaces can be configured on a router simultaneously.
• When the primary interface is faulty, backup interfaces are selected based on priorities. When backup interfaces have the same priority, they are selected in the configuration order.
Networking Requirements
As shown in Figure 14-4, RouterA functions as the gateway of the branch, and RouterB
functions as the gateway of the headquarters.
The IP network provides the primary communication path for the headquarters and branch.
The integrated services digital network (ISDN) provides the backup link for the headquarters
and branch.
The access codes of the branch and headquarters are 660220 and 660210 respectively.
RouterA monitors the status of the route to 10.1.2.0/24 (headquarters). When the primary link
becomes unavailable, RouterA uses the backup dial-up link.
Procedure
Step 1 Configure RouterA.
#
standby routing-rule 1 ip 10.1.2.0 255.255.255.0 //Create a dynamic routing backup group and add the monitored network segment to the group.
#
controller E1 1/0/0 //Configure the physical interface E1 1/0/0.
pri-set
#
interface Serial1/0/0:15
link-protocol ppp
ip address 20.1.1.1 255.255.255.0 //Assign an IP address to the dialup interface.
dialer enable-circular //Enable circular DCC.
dialer-group 1 //Configure dialer group 1 for the dialup group.
dialer route ip 20.1.1.2 broadcast 660210 //Configure the destination IP address and dialer number in the dialer group.
standby routing-group 1 //Enable routing backup on the standby dialup interface.
#
interface Ethernet2/0/0
ip address 30.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0, which connects to the branch network through the active link.
#
dialer-rule
dialer-rule 1 ip permit //Configure a dialer rule for dialer group 1 and configure the condition that triggers DCC dialup.
#
ospf 1 router-id 1.1.1.1 //Enable OSPF.
area 0.0.0.0
----End
Configuration Notes
• The AR supports a maximum of 255 standby routing groups and each group contains only one network segment.
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 14-5, RouterA is directly connected to RouterB through a Layer 3
physical link. Faults on the link between RouterA and RouterB need to be fast detected.
Figure 14-5 Networking diagram for configuring single-hop BFD on a Layer 3 physical link
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
bfd
#
interface GigabitEthernet 1/0/0
ip address 10.1.1.1 255.255.255.0
#
bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet 1/0/0 //Create a single-hop BFD session named atob.
discriminator local 1 //Set the local discriminator to 1.
discriminator remote 2 //Set the remote discriminator to 2.
commit
#
return
# After the configuration is complete, run the display bfd session all verbose command on
RouterA and RouterB. You can view that a single-hop BFD session is set up and its status is
Up.
----End
Configuration Notes
• When creating a single-hop BFD session for the first time, bind the single-hop BFD session to the peer IP address and the local address.
• The local discriminator of the local system must be the same as the remote discriminator of the remote system; the remote discriminator of the local system must be the same as the local discriminator of the remote system.
Networking Requirements
As shown in Figure 14-6, RouterA is indirectly connected to RouterC. Static routes are
configured so that RouterA can communicate with RouterC. Faults on the link between
RouterA and RouterB need to be fast detected.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
bfd
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to the RouterA interface.
#
bfd atoc bind peer-ip 10.2.1.2 //Configure a multi-hop BFD session.
discriminator local 10 //Set the local discriminator to 10.
discriminator remote 20 //Set the remote discriminator to 20.
commit
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route.
#
return
Configuration Notes
• When creating a multi-hop BFD session for the first time, bind the BFD session to the peer IP address.
• The local discriminator of the local system must be the same as the remote discriminator of the remote system; the remote discriminator of the local system must be the same as the local discriminator of the remote system.
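The discriminator rule in the Configuration Notes of both the single-hop and the multi-hop BFD examples is easy to get wrong when two people configure the two ends. The following added example (not part of the Huawei guide) parses the `bfd ... bind peer-ip` and `discriminator local|remote` lines from two configuration dumps and checks that each side's local discriminator is the other side's remote one. RouterA's lines are taken from the single-hop example; the RouterB configuration and the deliberately broken variant are constructed here, since the guide shows RouterA only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BfdSession:
    name: str
    peer_ip: str
    local: Optional[int] = None
    remote: Optional[int] = None


# Matches "bfd <name> bind peer-ip <ip> [interface ...]" (single-hop and multi-hop forms).
BIND_RE = re.compile(r"^\s*bfd\s+(\S+)\s+bind\s+peer-ip\s+(\S+)")
# Matches "discriminator local|remote <n>" inside the session view.
DISC_RE = re.compile(r"^\s*discriminator\s+(local|remote)\s+(\d+)")


def parse_bfd_sessions(config: str) -> List[BfdSession]:
    """Extract BFD sessions and their discriminators from a Huawei-style config dump."""
    sessions: List[BfdSession] = []
    current: Optional[BfdSession] = None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0]  # drop the guide's inline "//" comments
        m = BIND_RE.match(line)
        if m:
            current = BfdSession(name=m.group(1), peer_ip=m.group(2))
            sessions.append(current)
            continue
        m = DISC_RE.match(line)
        if m and current is not None:
            setattr(current, m.group(1), int(m.group(2)))
        elif line.strip() == "#":
            current = None  # "#" closes the current view
    return sessions


def check_discriminators(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the list of mismatches; an empty list means both sides agree."""
    problems: List[str] = []
    sess_a = parse_bfd_sessions(cfg_a)
    sess_b = parse_bfd_sessions(cfg_b)
    for s in sess_a + sess_b:
        if s.local is None or s.remote is None:
            problems.append(f"{s.name}: local or remote discriminator not set")
    for a in sess_a:
        # The peer session must use our local discriminator as its remote one ...
        partner = next((b for b in sess_b if b.remote == a.local), None)
        if partner is None:
            problems.append(f"{a.name}: no peer session has remote discriminator {a.local}")
            continue
        # ... and our remote discriminator must be the peer's local one.
        if partner.local != a.remote:
            problems.append(
                f"{a.name}: remote discriminator {a.remote} != {partner.name} local {partner.local}"
            )
    return problems


# RouterA side, copied from the single-hop example in the guide.
ROUTER_A_CFG = """\
bfd
#
bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet 1/0/0 //Create a single-hop BFD session named atob.
discriminator local 1 //Set the local discriminator to 1.
discriminator remote 2 //Set the remote discriminator to 2.
commit
#
"""

# RouterB side: constructed for this example (the guide does not show it).
ROUTER_B_CFG = """\
bfd
#
bfd btoa bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
discriminator local 2
discriminator remote 1
commit
#
"""

# A deliberately wrong RouterB (constructed): its local discriminator is not RouterA's remote one.
ROUTER_B_BAD_CFG = ROUTER_B_CFG.replace("discriminator local 2", "discriminator local 5")

if __name__ == "__main__":
    print("consistent:", check_discriminators(ROUTER_A_CFG, ROUTER_B_CFG))
    print("broken:", check_discriminators(ROUTER_A_CFG, ROUTER_B_BAD_CFG))
```

The check is cheap enough to run against saved `display current-configuration` output from both ends before a maintenance window; a session that never comes Up after `commit` is very often this mismatch rather than a link problem.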
Applicability
This example applies to all versions and AR routers.
Networking Requirements
As shown in Figure 14-7, RouterA is directly connected to RouterB on a company network.
Both RouterA and RouterB connect to a downstream switch. The company requires that
Internet access and email services be transmitted by RouterA, and video and core services be
transmitted by RouterB. When the link of RouterA or RouterB fails, all services are switched
to another router.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
acl number 3100
rule 5 permit ip destination 1.1.1.3 0
#
bfd
#
traffic classifier 0 operator or
if-match acl 3100
#
traffic behavior 0
redirect ip-nexthop 192.168.2.253 track nqa internet icmp //Associate redirection with NQA.
#
traffic policy 0
classifier 0 behavior 0
#
ip pool 1
gateway-list 192.168.0.2
----End
Networking Requirements
As shown in Figure 14-8, Host A communicates with Host B through the default gateway.
RouterA and RouterB form a VRRP group, which functions as the default gateway of Host A.
RouterA serves as the master router, and RouterB functions as the backup router. When
RouterA fails, RouterB functions as the gateway.
After RouterA is restored, it becomes the master router within 20 seconds by preemption.
Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Ethernet1/0/0, which is connected to Host A.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address.
vrrp vrid 1 priority 120 //Set the priority of RouterA to 120 in the VRRP backup group. By default, the priority of a router is 100, and a larger value indicates a higher priority.
vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay time to 20 seconds.
#
interface Ethernet1/0/1
ip address 11.1.1.1 255.255.255.0 //Assign an IP address to Ethernet1/0/1, which is connected to Host B.
#
Configuration Notes
• Configure the same virtual IP address for RouterA and RouterB.
• Configure priorities for RouterA and RouterB to determine the master/backup routers in the VRRP group. By default, the priority of a router is 100, and a larger value indicates a higher priority.
• Host B must have reachable routes to RouterA and RouterB.
Networking Requirements
As shown in Figure 14-9, two VRRP groups need to be configured on RouterA and RouterB.
The two VRRP groups load balance traffic and back up each other.
RouterA functions as the master router in VRRP group 1 and the backup router in VRRP
group 2.
RouterB functions as the master router in VRRP group 2 and the backup router in VRRP
group 1.
Host A uses VRRP group 1 as the gateway, and host C uses VRRP group 2 as the gateway.
Procedure
Step 1 Configure RouterA.
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to Ethernet2/0/0, which is connected to Host A.
vrrp vrid 1 virtual-ip 10.1.1.111 //Configure the virtual gateway IP address for VRRP group 1.
vrrp vrid 1 priority 120 //Set the priority of RouterA to 120 in VRRP group 1.
vrrp vrid 2 virtual-ip 10.1.1.112 //Configure the virtual gateway IP address for VRRP group 2.
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
# Perform a tracert test on Host C to check connectivity between Host C and Host B. The
following command output shows that the route from Host C to Host B passes through
RouterB and RouterC.
<HostC> tracert 20.1.1.100
traceroute to 20.1.1.100(20.1.1.100), max hops: 30, packet length: 40
1 10.1.1.2 30 ms 60 ms 40 ms
2 192.168.2.2 90 ms 60 ms 60 ms
3 20.1.1.100 70 ms 60 ms 90 ms
# Run the display vrrp command on RouterA. VRRP group 1 is in master state, and VRRP
group 2 is in backup state. This indicates that RouterA functions as the master router in VRRP
group 1 and the backup router in VRRP group 2.
<RouterA> display vrrp
Ethernet2/0/0 | Virtual Router 1
state : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:02:21
Last change time : 2007-11-22 16:02:25
Ethernet2/0/0 | Virtual Router 2
state : Backup
Virtual IP : 10.1.1.112
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:03:05
Last change time : 2007-11-22 16:03:09
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:02:21
Last change time : 2007-11-22 16:02:25
Ethernet2/0/0 | Virtual Router 2
state : Master
Virtual IP : 10.1.1.112
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual Mac : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2007-11-22 16:03:05
Last change time : 2007-11-22 16:03:09
----End
Configuration Notes
• RouterA and RouterB must have the same virtual IP address in the same VRRP group.
• Configure priorities for RouterA and RouterB in the VRRP groups to determine the master/backup routers in the VRRP groups. By default, the priority of a router is 100.
• Before performing tracert, run the icmp port-unreachable send command on RouterA, RouterB, and RouterC to enable devices to send ICMP Unreachable packets.
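The two VRRP examples above (the single group with a 20-second preemption delay in Figure 14-8, and the two mutually backing groups in Figure 14-9) rest on the same election rule: highest priority wins, and a restored higher-priority router only takes the master role back after its preempt delay. The following added example (not Huawei code) models that rule with a small simulation. It assumes the RouterB side that the guide does not show (default priority 100, no delay), uses the standard VRRP tie-breaker of the higher interface IP address for equal priorities, and treats time as discrete 10-second steps.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # interface IP, used as the VRRP tie-breaker
    priority: int = 100      # Huawei default priority is 100 (as the guide states)
    preempt_delay: int = 0   # preemption delay in seconds
    up: bool = True
    up_since: int = 0        # simulated time (s) at which the router last came up


def elect_master(routers: List[VrrpRouter]) -> Optional[VrrpRouter]:
    """Highest priority wins; equal priorities are broken by the higher interface IP."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))


@dataclass
class VrrpGroup:
    vrid: int
    virtual_ip: str
    routers: List[VrrpRouter]
    master: Optional[str] = None

    def step(self, now: int) -> Optional[str]:
        """Re-evaluate the group at time `now`, honouring the winner's preempt delay."""
        current = next((r for r in self.routers if r.name == self.master and r.up), None)
        best = elect_master(self.routers)
        if best is None:
            self.master = None
        elif current is None:
            self.master = best.name  # master is gone (or none yet): take over at once
        elif best is not current and now - best.up_since >= best.preempt_delay:
            self.master = best.name  # higher-priority router preempts after its delay
        return self.master


def simulate_failover() -> List[Tuple[int, Optional[str]]]:
    """Figure 14-8 scenario: RouterA (priority 120, delay 20 s) fails at 10 s and returns at 30 s."""
    a = VrrpRouter("RouterA", "10.1.1.1", priority=120, preempt_delay=20)
    b = VrrpRouter("RouterB", "10.1.1.2")  # constructed: the guide configures RouterA only
    group = VrrpGroup(vrid=1, virtual_ip="10.1.1.111", routers=[a, b])
    events = {10: False, 30: True}  # t=10 s RouterA fails, t=30 s RouterA is restored
    timeline: List[Tuple[int, Optional[str]]] = []
    for t in range(0, 61, 10):
        if t in events:
            a.up = events[t]
            a.up_since = t
        timeline.append((t, group.step(t)))
    return timeline


def load_balanced_masters(failed: Optional[str] = None) -> Dict[int, Optional[str]]:
    """Figure 14-9 scenario: RouterA is master of VRID 1, RouterB of VRID 2; `failed` names a down router."""
    def pair(prio_a: int, prio_b: int) -> List[VrrpRouter]:
        return [VrrpRouter("RouterA", "10.1.1.1", prio_a, up=failed != "RouterA"),
                VrrpRouter("RouterB", "10.1.1.2", prio_b, up=failed != "RouterB")]
    groups = [VrrpGroup(1, "10.1.1.111", pair(120, 100)),
              VrrpGroup(2, "10.1.1.112", pair(100, 120))]
    return {g.vrid: g.step(0) for g in groups}


if __name__ == "__main__":
    for t, master in simulate_failover():
        print(f"t={t:2d}s master={master}")
    print("normal:", load_balanced_masters())
    print("RouterA down:", load_balanced_masters(failed="RouterA"))
```

The timeline shows why the delay matters: RouterB keeps the gateway role for 20 seconds after RouterA's link returns, which gives RouterA's routing protocol time to converge before it attracts Host A's traffic again. In the two-group case a single router failure collapses both groups onto the survivor, so each router must be sized to carry all of the traffic, not half.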
Networking Requirements
PC1 (10.10.10.2/30) is directly connected to RouterA through Eth2/0/1. The gateway IP
address for PC1 is 10.10.10.1/30, which is the IP address of VLANIF10 on RouterA. 802.1x
local authentication needs to be configured on RouterA.
Procedure
Step 1 Configure RouterA.
In versions earlier than V200R007:
#
vlan batch 10
#
dot1x enable //Globally enable 802.1x authentication.
#
aaa
local-user huawei password cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%# //Configure the password of a local user to huawei@123.
local-user huawei privilege level 0
local-user huawei service-type 8021x //Configure a local user.
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
dot1x enable //Enable 802.1x authentication on the interface.
dot1x port-method port //Set the access mode on the interface to port-based authentication.
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
#
vlan batch 10
#
authentication-profile name p1
dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the authentication profile p1.
#
aaa
local-user huawei password cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%# //Configure the password of a local user to huawei@123.
local-user huawei privilege level 0
local-user huawei service-type 8021x //Configure a local user.
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
authentication-profile p1 //Bind the authentication profile p1 to Eth2/0/1
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
dot1x-access-profile name d1
#
Start the 802.1x client software on PC1 and enter the user name huawei and password
huawei@123. PC1 goes online successfully. Run the display access-user command on
RouterA. The command output shows information about user huawei.
----End
Configuration Notes
By default, access users are authenticated based on MAC addresses on an interface. Each user
is authenticated individually. When port-based 802.1x authentication is configured, all the
other users on the interface can go online without authentication after the first user is
authenticated.
Networking Requirements
PCA connects to the Internet through RouterA. RouterA and the RADIUS server have
reachable routes to each other. To ensure network security, users must be authenticated before
connecting to the Internet.
Procedure
Step 1 Configure RouterA.
In versions earlier than V200R007:
#
vlan batch 10
#
dot1x enable //Globally enable 802.1x authentication.
#
radius-server template radius1 //Create a RADIUS server template.
radius-server shared-key cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%# //Configure a shared key used by the router and the RADIUS server.
radius-server authentication 10.11.1.1 1645 //Configure a RADIUS authentication server.
radius-server accounting 10.11.1.1 1646 //Configure a RADIUS accounting server.
#
aaa
authentication-scheme radius1 //Configure an authentication scheme.
authentication-mode radius //Set the authentication mode to RADIUS authentication.
accounting-scheme radius1 //Configure an accounting scheme.
accounting-mode radius //Set the accounting mode to RADIUS accounting.
domain huawei //Create a user domain.
authentication-scheme radius1 //Apply the RADIUS authentication scheme to the user domain.
accounting-scheme radius1 //Apply the RADIUS accounting scheme to the user domain.
radius-server radius1 //Apply the RADIUS server template to the user domain.
#
interface Ethernet2/0/1
port link-type access
port default vlan 10
dot1x enable //Enable 802.1x on the interface.
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
#
vlan batch 10
#
authentication-profile name p1
dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the authentication profile p1.
#
radius-server template radius1 //Create a RADIUS server template.
radius-server shared-key cipher %^%#G"!M:/faAYTy,Z/ybp^0/"9i,tFOpPe4Lq!c"pn=%^%# //Configure a shared key used by the router and the RADIUS server.
radius-server authentication 10.11.1.1 1645 //Configure a RADIUS authentication server.
radius-server accounting 10.11.1.1 1646 //Configure a RADIUS accounting server.
#
aaa
authentication-scheme radius1 //Configure an authentication scheme.
authentication-mode radius //Set the authentication mode to RADIUS authentication.
accounting-scheme radius1 //Configure an accounting scheme.
accounting-mode radius //Set the accounting mode to RADIUS accounting.
domain huawei //Create a user domain.
authentication-scheme radius1 //Apply the RADIUS authentication scheme to the user domain.
accounting-scheme radius1 //Apply the RADIUS accounting scheme to the user domain.
radius-server radius1 //Apply the RADIUS server template to the user domain.
#
interface Ethernet2/0/1
port link-type access
----End
Configuration Notes
• The default port number of the RADIUS authentication server is 1645 or 1812, and the default port number of the RADIUS accounting server is 1646 or 1813. The port numbers of the authentication and accounting servers configured on the router must be the same as those on the RADIUS server.
• The router and RADIUS server must use the same shared key.
• The router and RADIUS server must have reachable routes to each other.
Networking Requirements
PCs connect to the Internet through the router. To ensure network security, 802.1x
authentication must be performed on users before they access the Internet. The IP addresses of
the primary and secondary RADIUS servers are 10.10.10.1/24 and 10.10.10.2/24 respectively.
When the primary RADIUS server is faulty, the router can switch services to the secondary
RADIUS server within 3s.
Procedure
Step 1 Configure the router.
#
vlan batch 10
#
dot1x enable
#
radius-server template shiva //Configure a RADIUS server template shiva.
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS authentication server.
radius-server authentication 10.10.10.2 1812 secondary //Configure the secondary RADIUS authentication server.
#
aaa
authentication-scheme scheme0 //Create an authentication scheme scheme0.
authentication-mode radius
#
vlan batch 10
#
authentication-profile name p1
dot1x-access-profile d1 //Bind the 802.1x access profile d1 to the authentication profile p1.
#
radius-server template shiva //Configure a RADIUS server template shiva.
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 10.10.10.1 1812 //Configure the primary RADIUS authentication server.
radius-server authentication 10.10.10.2 1812 secondary //Configure the secondary RADIUS authentication server.
#
aaa
authentication-scheme scheme0 //Create an authentication scheme scheme0.
authentication-mode radius
Configuration Notes
• The router and the primary RADIUS server must use the same port number.
• The router and the primary RADIUS server must use the same shared key.
• There must be a reachable route between the router and the primary RADIUS server.
Networking Requirements
As shown in Figure 15-4, a user accesses the network through the Router. The user belongs to
the domain huawei.com and the user level is 3. The user does not need to use some level-3
commands. To implement refined management and ensure device security, configure the
Router to perform command line authorization for the user through HWTACACS and record
the commands executed by the user.
The IP address of the HWTACACS server is 10.1.6.6/24, authentication port number is 49,
and authorization port number is 49.
Procedure
Step 1 Configure the Router.
#
sysname Router
#
hwtacacs-server template 1 //Configure an HWTACACS server template.
hwtacacs-server authentication 10.1.6.6 weight 80 //Configure an HWTACACS authentication server.
hwtacacs-server authorization 10.1.6.6 weight 80 //Configure an HWTACACS authorization server.
hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%# //Set the shared key between the router and the HWTACACS server to Hello@1234.
#
aaa
authentication-scheme sch1 //Create the authentication scheme sch1.
authentication-mode hwtacacs
authorization-scheme ht //Create the authorization scheme ht.
authorization-mode hwtacacs
authorization-cmd 3 hwtacacs //Configure command line authorization for users at level 3.
recording-scheme scheme0 //Create the record scheme scheme0.
recording-mode hwtacacs 1 //Associate an HWTACACS server template with the record scheme scheme0.
cmd recording-scheme scheme0 //Configure scheme0 to record the commands executed on the device.
service-scheme sch1 //Create the service scheme sch1.
admin-user privilege level 15
domain huawei.com //Create the domain huawei.com.
authentication-scheme sch1 //Specify the HWTACACS authentication scheme for the users in this domain.
authorization-scheme ht //Specify the HWTACACS authorization scheme for the users in this domain.
service-scheme sch1 //Specify the service scheme for the users in this domain.
hwtacacs-server 1 //Specify the HWTACACS server template for the users in this domain.
#
interface GigabitEthernet1/0/1
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.6.10 255.255.255.0
#
telnet server enable //Enable the Telnet server.
#
user-interface maximum-vty 15 //Set the maximum number of login users on the VTY user interface to 15.
user-interface vty 0 14
authentication-mode aaa //Set the authentication mode for the VTY user interface to AAA.
#
return
----End
Configuration Notes
• The Router and HWTACACS server must use the same authentication port number.
• The Router and HWTACACS server must use the same shared key.
• There must be a reachable route between the Router and HWTACACS server.
Networking Requirements
Users connect to the Router through STelnet. During SSH authentication, the Router supports remote RADIUS authentication for SSH users.
When authenticating a user, the RADIUS server returns the authentication result to the Router. The Router determines whether the user can access the network depending on the authentication result.
Figure 15-5 Networking diagram of configuring RADIUS authentication for SSH users
Procedure
Step 1 Generate a local key pair on Router.
<Huawei> system-view
[Huawei] sysname Router
[Router] rsa local-key-pair create
The key name will be: Host
RSA keys defined for Host already exist.
Confirm to replace them? (y/n):y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is less than 2048,
It will introduce potential security risks.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
..................................................................................
....+++
....+++
.......................................++++++++
..............++++++++
Figure 15-6 Logging in to the SSH server through PuTTY in password authentication mode
# Click Open. On the displayed page, enter the user name admin and password
Huawei@1234 and press Enter to log in to the SSH server. (The following information is for
reference only.)
login as: admin
Sent username "admin"
admin@10.137.217.203's password:
<SSH Server>
----End
Configuration Notes
• The Router and RADIUS server must use the same authentication port number.
• The Router and RADIUS server must use the same shared key.
• If an SSH user uses password authentication, only the SSH server needs to generate the Rivest-Shamir-Adleman (RSA) key pair.
• There must be a reachable route between the Router and RADIUS server.
Networking Requirements
As shown in Figure 15-7, an HWTACACS server is deployed on a network, and the
administrator Telnets to the device to remotely manage it. The specific requirements are as
follows:
1. The administrator must enter correct user name and password to log in to the device
through Telnet.
2. After logging in to the device through Telnet, the administrator can run the commands at
levels 0-15.
Figure 15-7 Example for configuring authentication for telnet login users (HWTACACS)
Procedure
Step 1 Configure the Router.
#
sysname Router
#
hwtacacs-server template 1 //Configure an HWTACACS server template.
hwtacacs-server authentication 10.1.6.6 weight 80 //Configure the HWTACACS authentication server.
hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%# //Set the shared key used between the router and the HWTACACS server to Hello@1234.
#
aaa
authentication-scheme sch1 //Create an authentication scheme named sch1.
authentication-mode hwtacacs //Set the authentication mode to HWTACACS.
service-scheme sch1 //Create a service scheme named sch1.
admin-user privilege level 15
domain huawei.com //Create a domain named huawei.com.
authentication-scheme sch1 //Set HWTACACS authentication for the users in the domain.
service-scheme sch1 //Specify the service scheme for the users in the domain.
hwtacacs-server 1 //Specify the HWTACACS server template for the users in the domain.
#
interface GigabitEthernet1/0/1
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.6.10 255.255.255.0
#
telnet server enable //Enable the Telnet server.
#
user-interface maximum-vty 15 //Set the maximum number of login users in the VTY user interface to 15.
user-interface vty 0 14
authentication-mode aaa //Set AAA authentication for the VTY user interface.
#
return
----End
Configuration Notes
• The router and the HWTACACS server must use the same port number.
• The router and the HWTACACS server must use the same shared key.
• There must be a reachable route between the router and the HWTACACS server.
Networking Requirements
As shown in Figure 16-1, users on different LANs access the Internet through RouterA. To
locate attacks on RouterA, attack source tracing needs to be configured to trace the attack
source. The following situations occur:
• A user on network segment Net1 frequently initiates attacks to RouterA.
• The attacker sends a large number of ARP Request packets, degrading CPU performance.
• The administrator needs to upload files to RouterA using FTP. However, no FTP connection has been set up between the administrator's host and RouterA.
• Most LAN users obtain IP addresses through DHCP, whereas RouterA does not first process DHCP client packets sent to the CPU.
Configurations should be performed on RouterA to solve the preceding problems.
NOTE
This section provides only the configuration procedures related to local attack defense. For details about
routing configurations, see the Configuration Guide - IP Routing.
Procedure
Step 1 Configure the router.
#
acl number 4001 //Configure the ACL to be referenced by the blacklist of local attack defense.
rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety //Create a local attack defense policy.
auto-defend enable //Enable the attack source tracing capability.
auto-defend threshold 50 //Set the attack source tracing threshold to 50 pps.
blacklist 1 acl 4001 //Specify the blacklist.
packet-type arp-request rate-limit 64 //Set the rate limit for ARP request packets sent to the CPU to 64 pps.
application-apperceive packet-type ftp rate-limit 2000 //Set the rate limit for FTP packets to 2000 pps.
packet-type dhcp-client priority 3 //Set the priority of the DHCP-client packets sent to the CPU to 3.
#
cpu-defend-policy devicesafety //Apply the attack defense policy to the MPU.
#
return
----End
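The local attack defense policy above combines three mechanisms: attack source tracing (flag a source that sends more than 50 pps to the CPU), a blacklist (drop everything from the ACL 4001 MAC), and a per-packet-type CPU rate limit (64 pps for ARP requests). The following added example (not Huawei code) models that pipeline in software over a constructed packet sample, so the effect of each setting can be seen on its own. It simplifies the device's token bucket to a fixed per-second budget and assumes the blacklist is applied before the rate limit; both are assumptions, not statements about the AR implementation.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    ts: float        # arrival time in seconds
    src_mac: str     # Huawei-style MAC notation, e.g. 0001-c0a8-0102
    kind: str        # packet type sent to the CPU: "arp-request", "dhcp-client", "ftp", ...


AUTO_DEFEND_THRESHOLD = 50   # pps, from "auto-defend threshold 50" in the guide
ARP_REQUEST_RATE_LIMIT = 64  # pps, from "packet-type arp-request rate-limit 64" in the guide
BLACKLIST = frozenset({"0001-c0a8-0102"})  # the MAC matched by ACL 4001 in the guide


def trace_attack_sources(pkts: List[Pkt], threshold: int = AUTO_DEFEND_THRESHOLD) -> Dict[str, int]:
    """Peak per-second packet count per source MAC; returns only the sources above the threshold."""
    per_second: Dict[int, Counter] = defaultdict(Counter)
    for p in pkts:
        per_second[int(p.ts)][p.src_mac] += 1
    peak: Counter = Counter()
    for counts in per_second.values():
        for mac, n in counts.items():
            peak[mac] = max(peak[mac], n)
    return {mac: n for mac, n in peak.items() if n > threshold}


def rate_limit(pkts: List[Pkt], kind: str, limit: int) -> Tuple[int, int]:
    """Pass at most `limit` packets of `kind` per second (assumed simple per-second budget,
    standing in for the device's token bucket); returns (passed, dropped)."""
    passed = dropped = 0
    used: Counter = Counter()
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.kind != kind:
            continue
        second = int(p.ts)
        if used[second] < limit:
            used[second] += 1
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def cpu_defend(pkts: List[Pkt], blacklist=BLACKLIST) -> Dict[str, int]:
    """Model of the policy: blacklisted sources are discarded first (assumed ordering),
    then the ARP-request rate limit is applied to what remains."""
    kept = [p for p in pkts if p.src_mac not in blacklist]
    passed, dropped = rate_limit(kept, "arp-request", ARP_REQUEST_RATE_LIMIT)
    return {"blacklisted": len(pkts) - len(kept), "arp_passed": passed, "arp_rate_dropped": dropped}


def make_sample() -> List[Pkt]:
    """Constructed traffic within one second: an ARP flooder, a normal host and a DHCP client."""
    pkts = [Pkt(i / 200, "0001-c0a8-0102", "arp-request") for i in range(200)]  # 200 pps flood
    pkts += [Pkt(i / 10, "0001-c0a8-0200", "arp-request") for i in range(10)]   # 10 pps, benign
    pkts += [Pkt(0.3 + i / 10, "0001-c0a8-0300", "dhcp-client") for i in range(5)]
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    print("traced sources:", trace_attack_sources(sample))
    print("ARP limit alone (passed, dropped):", rate_limit(sample, "arp-request", ARP_REQUEST_RATE_LIMIT))
    print("full policy:", cpu_defend(sample))
```

Running it shows the reason the guide configures both a blacklist and a rate limit: with the rate limit alone the flooder still consumes most of the 64 pps budget and the benign host's ARP requests compete with it for the remainder, whereas once tracing has identified the source and it is blacklisted, the benign traffic passes untouched.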
Networking Requirements
The Router functions as the gateway for LAN 10 and LAN 20. The firewall on the Router
must reject all data flows from LAN 20 to LAN 10, except the flows that the FTP server in
LAN 20 sends in response to access requests from LAN 10.
Procedure
Step 1 Configure the Router.
#
firewall-nat session ftp aging-time 300 //Set the aging time of FTP sessions to 300s.
#
acl number 3102
rule 5 deny ip //Configure a rule in ACL 3102 to deny all packets.
#
trust.
#
interface GigabitEthernet2/0/0
ip address 2.2.2.2 255.0.0.0
zone untrust //Add the interface to zone untrust.
#
----End
FAQ
How are the inbound and outbound directions in an interzone defined?
Inbound is the direction from a low-priority zone to a high-priority zone. Outbound is the
direction from a high-priority zone to a low-priority zone. In this example, inbound refers to
the direction from the untrust zone to the trust zone.
Networking Requirements
The PC at 192.168.1.12/24 is prohibited from accessing all websites.
Figure 16-3 Configuring ACL-based Packet Filtering So That Internal Users Cannot Access
All External Networks
Procedure
Step 1 Configure the Router.
#
dhcp enable //Globally enable DHCP.
#
acl number 2000 //Create ACL 2000 and configure a rule that permits packets with source IP addresses on network segment 192.168.1.0/24 to pass.
rule 5 permit source 192.168.1.0 0.0.0.255
#
acl number 3005 //Configure ACL 3005 for packet filtering.
description deny_souce_ip_www
rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
rule 10 permit tcp source 192.168.1.12 0
#
ip pool pool1 //Create a global IP address pool.
gateway-list 192.168.1.2 //Configure the egress gateway address for DHCP clients.
network 192.168.1.0 mask 255.255.255.0 //Configure the range of allocable IP addresses in the global IP address pool.
dns-list 10.106.0.20 10.106.46.151 //Specify the IP addresses of the DNS servers for DHCP clients.
#
interface Serial2/0/0
link-protocol ppp
ip address 219.143.125.234 255.255.255.252
nat outbound 2000 //Enable NAT for hosts on network segment 192.168.1.0/24.
#
interface GigabitEthernet0/0/1
ip address 192.168.1.2 255.255.255.0
traffic-filter inbound acl 3005 //Apply ACL 3005 to the interface to filter packets on the interface.
dhcp select global //Configure the interface to use the global IP address pool.
#
ip route-static 0.0.0.0 0.0.0.0 Serial2/0/0 //Configure a default route.
#
----End
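An added example, not from the Huawei document: a first-match evaluator for the ACL rules used in this and the following examples (wildcard masks, the "0" host shorthand, protocol and destination-port matches), applied to ACL 3005 above and to ACL 2000 of the HTTP-access example that follows. It assumes that a packet matching no rule is permitted, which is passed in as the `default` argument so the assumption can be changed.

```python
"""First-match evaluation of the basic and advanced ACLs used in these examples.
Added example, not Huawei code.  Assumption: a packet that matches no rule is
permitted (the 'default' argument), as with traffic-filter on the AR."""
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+(?P<proto>ip|tcp|udp|icmp))?"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<smask>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dmask>\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<dport>\S+))?\s*$"
)
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}   # keywords accepted by 'eq'


def _to_int(addr):
    """'0' is the shorthand for the wildcard 0.0.0.0 (exact host match)."""
    return 0 if addr == "0" else int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit in the mask means 'do not care'."""
    care = ~_to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acl(text):
    """Parse 'rule ...' lines into dicts; // comments are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("//")[0].strip())
        if not m:
            continue
        r = m.groupdict()
        r["id"] = int(r["id"])
        if r["dport"] is not None:
            r["dport"] = PORT_NAMES.get(r["dport"]) or int(r["dport"])
        rules.append(r)
    return sorted(rules, key=lambda r: r["id"])   # matched in rule-ID order


def evaluate(rules, src, dst="0.0.0.0", proto="ip", dport=None, default="permit"):
    """Return (action, rule_id) of the first matching rule, else (default, None)."""
    for r in rules:
        if r["proto"] not in (None, "ip") and r["proto"] != proto:
            continue
        if r["src"] and not wildcard_match(src, r["src"], r["smask"]):
            continue
        if r["dst"] and not wildcard_match(dst, r["dst"], r["dmask"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["id"]
    return default, None


# ACL 3005 from the procedure above: block only web traffic from the PC.
ACL_3005 = """
rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
rule 10 permit tcp source 192.168.1.12 0
"""
# ACL 2000 from the HTTP-access example that follows: permit one subnet, deny the rest.
ACL_2000 = """
rule 1 permit source 10.1.1.0 0.0.0.255
rule 10 deny
"""

if __name__ == "__main__":
    web = parse_acl(ACL_3005)   # destination 203.0.113.10 is a constructed sample
    print(evaluate(web, "192.168.1.12", "203.0.113.10", "tcp", 80))   # ('deny', 5)
    print(evaluate(web, "192.168.1.12", "203.0.113.10", "tcp", 443))  # ('permit', 10)
    print(evaluate(web, "192.168.1.20", "203.0.113.10", "tcp", 80))   # ('permit', None)
```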
Networking Requirements
GE1/0/0 of RouterA connects to HostA. Hosts on network segment 10.1.1.0/24 need to be allowed to access the web platform of the device, and hosts on other network segments need to be prohibited from accessing it.
Procedure
Step 1 Configure RouterA.
#
http acl 2000
http server enable
acl number 2000 //Configure an ACL that permits packets from the hosts allowed to access the web platform.
rule 1 permit source 10.1.1.0 0.0.0.255
rule 10 deny
#
aaa
local-user huawei password cipher %@%@Dyb;#tOxsEBO@H@Jy'IX_:HK%@%@ //Create a local user with the user name huawei and cipher text password Huawei@123.
local-user huawei service-type http //Configure the HTTP service for the local user.
local-user huawei privilege level 3 //Set the privilege level of the local user to 3.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IP address for the interface connected to HostA.
#
HostA can access the web platform of RouterA, and hosts on other network segments cannot access it.
----End
Configuration Notes
# You can successfully log in to RouterA only if the user name and password that you enter
on HostA are the same as those configured on RouterA.
# When you attempt to access the web platform using a host in other network segments, the
login page can be displayed, but the message indicating invalid IP address is displayed after
you click Login.
Networking Requirements
Eth2/0/0 of RouterB is a trusted interface. Therefore, DHCP reply messages from the DHCP
server connected to Eth2/0/0 are forwarded. DHCP reply messages sent from untrusted
interfaces are discarded.
Procedure
Step 1 Configure RouterA.
#
dhcp enable
#
ip pool pool1 //Create a global IP address pool.
gateway-list 10.1.1.2
network 10.1.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
dhcp select global
#
dhcp enable //Globally enable DHCP.
dhcp snooping enable //Globally enable DHCP snooping.
#
interface Ethernet2/0/0
dhcp snooping trusted //Configure the interface as a trusted interface.
#
interface Ethernet2/0/1
dhcp snooping enable
#
interface Ethernet2/0/2
dhcp snooping enable
#
----End
Configuration Notes
None.
17 Deploying QoS
Networking Requirements
As shown in Figure 17-1, the LAN of an enterprise connects to Eth2/0/0 of RouterA through the Switch. RouterA connects to the WAN through GE3/0/0. Voice, video, and data services are deployed on the LAN.
Packets of different services are identified by 802.1p priorities on the LAN. RouterA sends
service packets to queues based on 802.1p priorities. When packets reach the WAN through
GE3/0/0, jitter may occur. To prevent jitter and ensure bandwidth for services, perform the
following configuration:
- Set the CIR on each interface to 8000 kbit/s.
- Set the CIR for voice service packets to 256 kbit/s and the CBS to 6400 bytes.
- Set the CIR for video service packets to 4000 kbit/s and the CBS to 100000 bytes.
- Set the CIR for data service packets to 2000 kbit/s and the CBS to 50000 bytes.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10
#
qos queue-profile qp1 // Create a queue profile qp1.
queue 2 gts cir 2000 cbs 50000 // Set the CIR for queue 2 to 2000 kbit/s and the CBS to 50000 bytes.
queue 5 gts cir 4000 cbs 100000 // Set the CIR for queue 5 to 4000 kbit/s and the CBS to 100000 bytes.
queue 6 gts cir 256 cbs 6400 // Set the CIR for queue 6 to 256 kbit/s and the CBS to 6400 bytes.
schedule wfq 0 to 5 pq 6 to 7 // Set the scheduling mode for queues 0 to 5 to weighted fair queuing (WFQ), and the scheduling mode for queues 6 and 7 to priority queuing (PQ).
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk // Set the link type of the interface to trunk.
port trunk allow-pass vlan 10 // Add the trunk interface to VLAN 10.
trust 8021p // Trust 802.1p priorities of packets on the interface.
#
interface GigabitEthernet3/0/0
ip address 192.168.4.1 255.255.255.0
qos queue-profile qp1 // Apply the queue profile qp1 to the interface.
qos gts cir 8000 cbs 200000 // Set the CIR for the interface to 8000 kbit/s and the CBS to 200000 bytes.
# Run the display qos queue statistics interface gigabitethernet 3/0/0 command on
RouterA to check packet statistics in queues on GE3/0/0. You can see that the output rate of
each queue is within the configured limit. When a queue is full, excess packets are discarded.
----End
Configuration Notes
- Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- The traffic shaping CIR value configured on an interface must be larger than or equal to the sum of CIR values of all queues on the interface. Otherwise, packets in high-priority queues may fail to be scheduled.
Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access the server on 222.1.1.1/24 through RouterA. The rate of
packets from enterprise devices on 192.168.10.0/24 to the server needs to be limited to 64
kbit/s.
Figure 17-2 Networking for limiting the rate of packets based on internal IP addresses
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
acl number 3002 //Configure ACL 3002.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
#
qos queue-profile limit //Create a queue profile named limit.
queue 3 gts cir 64 cbs 1600 //Set the CIR of queue 3 to 64 kbit/s.
#
traffic classifier c1 operator or
if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b1
remark local-precedence af3 //Configure traffic behavior b1: re-mark packets matching the traffic classifier with AF3. When permit or deny is not specified, the permit action is taken by default.
#
traffic policy p1
classifier c1 behavior b1 //Configure a traffic policy named p1, and bind traffic classifier c1 to traffic behavior b1 in the traffic policy.
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk //Configure the link type of the interface as trunk.
port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
traffic-policy p1 inbound //Apply the traffic policy p1 to the inbound direction on the interface.
#
interface GigabitEthernet3/0/0
ip address 222.0.1.1 255.255.255.0
qos queue-profile limit //Apply the queue profile limit to the interface.
nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.0.1.2
#
# Run the display qos queue statistics interface gigabitethernet 3/0/0 command to check
the traffic statistics on GE3/0/0 where the queue profile limit is applied. You can see that the
rate of outgoing packets on the interface is within the rate limit. When the queue is full,
excess packets are discarded.
----End
Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to service VLANs.
Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and connect to the Internet through RouterA.
Traffic policing needs to be configured on RouterA to limit the rate of all the traffic on the
network segment 192.168.1.0/24 to 512 kbit/s, and limit the rate of all the traffic on the
network segment 192.168.2.0/24 to 128 kbit/s.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 2000 // Create ACL 2000.
rule 0 permit source 192.168.1.0 0.0.0.255 // Configure rule 0, which permits packets with source addresses on network segment 192.168.1.0 to pass.
acl number 2001 // Create ACL 2001.
rule 0 permit source 192.168.2.0 0.0.0.255 // Configure rule 0, which permits packets with source addresses on network segment 192.168.2.0 to pass.
#
interface Vlanif10
----End
Configuration Notes
- On the Switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to service VLANs of users.
- Configure the interface of the Switch connected to RouterA as a trunk interface and add the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- This example configures traffic policing for outgoing packets on a WAN-side interface. You can also configure traffic policing for incoming packets on a LAN-side interface.
Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and connect to the Internet through RouterA. Traffic policing needs
to be configured on RouterA to limit the rate of traffic from each IP address on network
segment 192.168.1.0/24 to the Internet to 64 kbit/s, and limit the rate of traffic from each IP
address on network segment 192.168.2.0/24 to the Internet to 128 kbit/s.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
qos car inbound source-ip-address range 192.168.1.2 to 192.168.1.254 per-address cir 64 cbs 12032 pbs 20032 green pass yellow pass red discard //Configure traffic policing for incoming packets with source addresses in the range 192.168.1.2 to 192.168.1.254 and set the CIR to 64 kbit/s.
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
qos car inbound source-ip-address range 192.168.2.2 to 192.168.2.254 per-address cir 128 cbs 24064 pbs 40064 green pass yellow pass red discard //Configure traffic policing for incoming packets with source addresses in the range 192.168.2.2 to 192.168.2.254 and set the CIR to 128 kbit/s.
#
interface Ethernet2/0/0
port link-type trunk // Set the link type of the interface to trunk.
port trunk allow-pass vlan 10 20 // Add the trunk interface to VLAN 10 and VLAN 20.
#
interface GigabitEthernet3/0/0
ip address 1.1.1.1 255.255.255.0
#
# Run the display qos car statistics interface Vlanif 10 inbound command and display qos
car statistics interface Vlanif 20 inbound command to check the traffic statistics where
traffic policing is configured. You can see that the rate of outgoing packets on the interface is
within the rate limit and excess packets are discarded.
----End
Configuration Notes
- On the Switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to service VLANs of users.
- Configure the interface of the Switch connected to RouterA as a trunk interface and add the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- If per-address is not specified in the qos car command, the rate of all the packets with source IP addresses in the specified range is limited.
Networking Requirements
As shown in Figure 17-5, voice, video, and data terminals on the enterprise's LAN connect to
Eth2/0/0 and Eth2/0/1 of RouterA through SwitchA and SwitchB. These terminals connect to
the WAN through GE3/0/0 of RouterA.
SwitchA and SwitchB set the DSCP values of voice, video, and data packets to 46 (ef), 38 (af43), 28 (af32), and 26 (af31) respectively. RouterA places packets into different queues based on their DSCP values. GE3/0/0 may be congested by outgoing packets because the link bandwidth provided by the service provider may be insufficient. To reduce the impact of network congestion and ensure bandwidth for high-priority and delay-sensitive services, set QoS parameters according to the following table.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20 30
#
drop-profile data // Create a WRED drop profile data.
wred dscp // Configure DSCP-based drop mode in the profile.
dscp af31 low-limit 40 high-limit 60 discard-percentage 40 // For packets with DSCP value 26, set the lower drop threshold to 40%, the upper drop threshold to 60%, and the drop probability to 40%.
dscp af32 low-limit 50 high-limit 70 discard-percentage 30 // For packets with DSCP value 28, set the lower drop threshold to 50%, the upper drop threshold to 70%, and the drop probability to 30%.
#
drop-profile video // Create a WRED drop profile video.
wred dscp // Configure DSCP-based drop mode in the profile.
dscp af43 low-limit 60 high-limit 80 discard-percentage 20 // For packets with DSCP value 38, set the lower drop threshold to 60%, the upper drop threshold to 80%, and the drop probability to 20%.
#
qos queue-profile queue-profile1 // Create a queue profile queue-profile1.
----End
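An added example (not Huawei code) that parses the two drop profiles above and evaluates the WRED drop probability for a given average queue length. It assumes the usual WRED curve: no drops below low-limit, a linear rise from 0 to discard-percentage between low-limit and high-limit, and tail drop at or above high-limit; the DSCP name-to-value table is the one this section uses.

```python
"""WRED drop probability for the DSCP-based drop profiles configured above.
Added example, not Huawei code.  Assumed WRED curve: no drops while the
average queue length is below low-limit, a linear rise from 0 to
discard-percentage between low-limit and high-limit, and every packet
dropped at or above high-limit (all three values are percentages of the
queue length, as in the profile)."""
import re

DROP_LINE = re.compile(
    r"dscp\s+(?P<dscp>\S+)\s+low-limit\s+(?P<low>\d+)\s+high-limit\s+(?P<high>\d+)"
    r"\s+discard-percentage\s+(?P<pct>\d+)")
# DSCP names used on this page and their numeric values.
DSCP_VALUES = {"ef": 46, "af43": 38, "af32": 28, "af31": 26}

# The two drop profiles from the procedure above, as written on the page.
PROFILES_TEXT = """
drop-profile data
 wred dscp
 dscp af31 low-limit 40 high-limit 60 discard-percentage 40
 dscp af32 low-limit 50 high-limit 70 discard-percentage 30
#
drop-profile video
 wred dscp
 dscp af43 low-limit 60 high-limit 80 discard-percentage 20
"""


def parse_drop_profiles(text):
    """Return {profile: {dscp: (low, high, pct)}}; // comments are ignored."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()
        if line.startswith("drop-profile "):
            current = line.split()[1]
            profiles[current] = {}
        elif current is not None:
            m = DROP_LINE.match(line)
            if m:
                profiles[current][m["dscp"]] = (int(m["low"]), int(m["high"]), int(m["pct"]))
    return profiles


def drop_probability(profile, dscp, avg_queue_pct):
    """Probability (0..1) of dropping a packet with this DSCP when the average
    queue length is avg_queue_pct percent of the queue.  None if the DSCP is
    not in the profile (the profile's defaults would apply; not modelled)."""
    if dscp not in profile:
        return None
    low, high, pct = profile[dscp]
    if avg_queue_pct < low:
        return 0.0
    if avg_queue_pct >= high:
        return 1.0
    return (pct / 100) * (avg_queue_pct - low) / (high - low)


def drop_order(profile, avg_queue_pct):
    """DSCP classes in the profile sorted from most to least likely to be
    dropped at this fill level: shows which class WRED sacrifices first."""
    return sorted(profile, key=lambda d: -drop_probability(profile, d, avg_queue_pct))


if __name__ == "__main__":
    profiles = parse_drop_profiles(PROFILES_TEXT)
    for level in (30, 45, 55, 65, 75):
        data = {d: round(drop_probability(profiles["data"], d, level), 3)
                for d in profiles["data"]}
        video = {d: round(drop_probability(profiles["video"], d, level), 3)
                 for d in profiles["video"]}
        print(f"avg queue {level}%: data {data} video {video}")
```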
Configuration Notes
- Configure the interfaces of SwitchA and SwitchB connected to RouterA as trunk interfaces and add the interfaces to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- The queue profile uses the trust command to specify the priority to be mapped for packets. The packets then enter different queues based on mapped local priorities. If the trust command is not set, packets enter queues based on the interface priority.
- Different interfaces on the AR support different scheduling modes, as shown in the following table.

Interface type | Supported scheduling modes
LAN interface  | PQ, DRR, WRR, PQ+DRR, PQ+WRR
WAN interface  | PQ, WFQ, PQ+WFQ

NOTE (LAN interfaces)
- Layer 2 interfaces on the AR150&AR160 (except the AR161, AR161EW, AR161EW-M1, AR161G-L, AR161G-Lc, AR161W, AR169, AR169CVW, AR169CVW-4B4S, AR169JFVW-4B4S, AR169JFVW-2S, AR169EGW-L, AR169EW, AR169G-L, AR169-P-M9, AR169RW-P-M9 and AR169W-P-M9)&AR200 series support only PQ, WRR, and PQ+WRR, but do not support DRR.
- Layer 2 interfaces on the AR1200 (except the AR1220C, AR1220F, AR1220E, AR1220EV, AR1220EVW and AR1220-8GE) series SRU support only PQ, WRR, and PQ+WRR, but do not support DRR.
- Layer 2 VE interfaces only support PQ, WFQ and PQ+WFQ.
NOTE
The SAC function is used with a license. To use the SAC function, apply for and purchase the license from
the Huawei local office.
Networking Requirements
As shown in Figure 17-6, enterprise users connect to Eth2/0/0 of RouterA through the
Switch. RouterA connects to the WAN through GE0/0/1.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 20
#
engine enable //Enable the deep security function.
#
update restore sdb-default sa-sdb //Restore the signature database to the factory default version.
#
traffic classifier c1 operator or // Create a traffic classifier c1.
if-match application BT //Configure a rule that matches the BT application.
#
traffic behavior b1 // Create a traffic behavior b1.
deny // Configure the traffic behavior to deny packets matching the associated traffic classifier.
#
# Run the display sa application-statistic command to check packet statistics based on the
SA application protocols on Eth2/0/0 and GE0/0/1.
----End
Configuration Notes
- Configure the interface of the Switch connected to RouterA as a trunk interface and add the interface to service VLANs.
- Configure RouterB to ensure that it can communicate with RouterA.
- When specifying the name of a signature file, enter the complete path and name of the file to ensure that the configuration can be restored when the AR router restarts.
Networking Requirements
As shown in Figure 17-7, the Router functions as the gateway of the enterprise. Users in the
enterprise connect to the Internet through the Router. The enterprise does not allow some
hosts on the LAN to connect to the Internet. However, users can still connect to the Internet
from these hosts by changing host IP addresses. Firewalls cannot prevent such unauthorized
access. You can configure access control based on source MAC addresses to solve this
problem. The configuration performed in this example prevents some hosts from connecting
to the Internet but allows them to access the gateway.
Figure 17-7 Network diagram of access control based on source MAC addresses
Procedure
Step 1 Configure the Router.
#
sysname Router
#
vlan batch 10
#
acl number 3001 // Create ACL 3001.
rule 1 permit ip destination 10.1.1.0 0.0.0.255 // Configure rule 1, which permits packets destined for the gateway address 10.1.1.1/24 to pass.
#
traffic classifier gate operator and
if-match acl 3001 // Create a traffic classifier gate and reference ACL 3001 in the classifier.
traffic classifier mac1 operator and
if-match source-mac 0015-c50d-0001 // Create a traffic classifier mac1 and configure a rule that matches source MAC address 0015-c50d-0001.
traffic classifier mac2 operator and
if-match source-mac 0015-c50d-0002 // Create a traffic classifier mac2 and configure a rule that matches source MAC address 0015-c50d-0002.
traffic classifier mac3 operator and
if-match source-mac 0015-c50d-0003 // Create a traffic classifier mac3 and configure a rule that matches source MAC address 0015-c50d-0003.
#
traffic behavior p1
permit // Create a traffic behavior p1 and configure it to permit packets matching the associated classifier to pass.
traffic behavior d1
deny // Create a traffic behavior d1 and configure it to drop packets matching the associated classifier.
#
traffic policy myqos // Create a traffic policy myqos.
classifier gate behavior p1 // Bind the traffic classifier gate to the behavior p1.
classifier mac1 behavior d1 // Bind the traffic classifier mac1 to the behavior d1.
classifier mac2 behavior d1 // Bind the traffic classifier mac2 to the behavior d1.
classifier mac3 behavior d1 // Bind the traffic classifier mac3 to the behavior d1.
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
traffic-policy myqos inbound // Apply the traffic policy myqos to the inbound
direction of the interface.
#
interface Ethernet2/0/0
port link-type trunk // Set the link type of the interface to trunk.
port trunk allow-pass vlan 10 // Add the trunk interface to VLAN 10.
#
# Run the display traffic policy user-defined command to check the traffic policy
configuration.
# The restricted hosts can ping the gateway address successfully but cannot ping IP addresses
out of the LAN.
----End
Configuration Notes
- Configure the interface of the Switch connected to the Router as a trunk interface and add it to VLAN 10.
- After a traffic policy is applied to an interface, the system matches packets on the interface with the traffic classifiers in the policy based on the configuration order. Therefore, when configuring the traffic policy myqos, you must first configure the classifier and behavior that permit packets sent to the gateway address, and then configure the classifiers and behaviors that deny packets sent from restricted hosts to the Internet.
Networking Requirements
RouterA is deployed at the egress of an enterprise network. Users in the enterprise are located
on two network segments and access ServerA (222.1.1.1/24) and ServerB (111.1.1.1/24)
through RouterA. Data flows from user groups on 192.168.10.0/24 need to reach the WAN
through ServerB, and user groups on 192.168.10.0/24 and 192.168.20.0/24 need to
communicate.
Figure 17-8 Networking of using dual egresses to implement mutual access and redirection
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20
#
acl number 3001 //Configure ACL 3001.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
acl number 3002 //Configure ACL 3002.
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 //Configure rule 5 to allow packets with the source address on 192.168.10.0 and destination address on 192.168.20.0 to pass through.
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 //Configure rule 10 to allow packets with source and destination addresses on 192.168.10.0 to pass through.
acl number 3003 //Configure ACL 3003.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
#
traffic classifier c2 operator or
if-match acl 3003 //Configure a traffic classifier named c2 to match ACL 3003.
traffic classifier c1 operator or
if-match acl 3002 //Configure a traffic classifier named c1 to match ACL 3002.
#
traffic behavior b2
redirect ip-nexthop 111.1.1.1 //Configure a traffic behavior named b2 to redirect matching packets to 111.1.1.1.
traffic behavior b1 //Configure a traffic behavior named b1 to permit packets to pass through so that departments can communicate with each other.
#
traffic policy pp
classifier c1 behavior b1
classifier c2 behavior b2 //Configure a traffic policy named pp, and bind traffic classifier c1 to traffic behavior b1, and traffic classifier c2 to traffic behavior b2 in the traffic policy.
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk //Configure the link type of the interface as trunk.
port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
traffic-policy pp inbound //Apply the traffic policy pp to the inbound
direction on the interface.
#
interface GigabitEthernet2/0/0
ip address 222.1.1.2 255.255.255.0
nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
interface GigabitEthernet1/0/0
ip address 111.1.1.2 255.255.255.0
nat outbound 3001 //Perform NAT for packets matching ACL 3001.
#
ip route-static 0.0.0.0 0.0.0.0 222.1.1.1
#
# Run the display traffic policy user-defined command to check the traffic policy
configuration, and run the display traffic-policy applied-record command to check whether
the traffic policy is applied successfully.
# User groups on 192.168.10.0/24 can communicate with each other and user groups on
192.168.20.0/24.
----End
Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to service VLANs.
- After a traffic policy is applied to an interface, the system matches packets on the interface with the traffic classifiers in the policy based on the configuration order. Therefore, when configuring the traffic policy pp, you must first configure the classifier and behavior that permit packets, and then configure the classifier and behavior that redirect packets.
Networking Requirements
The enterprise connects to Eth2/0/0 of RouterA through the switch. RouterA connects to the
WAN through GE3/0/0. The voice, video, and data services are deployed on the enterprise
network. Packets of different services are differentiated based on source IP addresses. Voice,
video, and data packets come from 192.168.10.2/24, 192.168.20.2/24, and 192.168.30.2/24
respectively. Bandwidth guarantee is required for packets of the three services: voice, video,
and data packets occupy 50%, 40%, and 5% bandwidths of actual interface bandwidth
respectively.
Figure 17-9 Networking for configuring queues to implement congestion management and
congestion avoidance
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
vlan batch 10 20 30
#
acl number 3001 //Configure ACL 3001.
rule 5 permit ip source 192.168.10.0 0.0.0.255 //Configure rule 5 to allow packets on 192.168.10.0 to pass through.
rule 10 permit ip source 192.168.20.0 0.0.0.255 //Configure rule 10 to allow packets on 192.168.20.0 to pass through.
rule 15 permit ip source 192.168.30.0 0.0.0.255 //Configure rule 15 to allow packets on 192.168.30.0 to pass through.
acl number 3002 //Configure ACL 3002.
# Run the display traffic policy user-defined command to check the traffic policy
configuration, and run the display traffic-policy applied-record command to check whether
the traffic policy is applied successfully.
----End
Configuration Notes
- On the switch, set the link type of the interfaces connected to the user network segments to access, and add the interfaces to service VLANs of users.
- Configure the interface of the switch connected to RouterA as a trunk interface and add the interface to service VLANs.
This example does not apply to the AR150&200 and devices that do not support MPLS.
Networking Requirements
As shown in Figure 17-10, users in the enterprise connect to RouterA and RouterB through
the switches. They connect to the WAN through RouterA and RouterB.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 // Set the router ID. (It is recommended that you set the router ID to the IP address of LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt // Create a VPN instance vpn-nrt for transmitting non-
----End
Configuration Notes
- It is recommended that you set the router ID and MPLS LSR ID to the IP address of the same loopback interface.
- MPLS and MPLS LDP must be enabled in both the system view and interface view.
- When configuring BGP, use the routers' loopback0 interfaces to establish BGP peers.
- Configure the switch interfaces connected to the routers as trunk interfaces and add the interfaces to service VLANs.
- CBQ classifies packets based on the IP precedence or DSCP priority, inbound interface, or 5-tuple (protocol type, source IP address and mask, destination IP address and mask, source port range, and destination port range). CBQ then sends packets matching traffic classification rules to EF and AF queues. Packets that do not match any configured classifier are added to the default class and enter BE queues based on the session information of flows.
Networking Requirements
As shown in Figure 17-11, users in the enterprise connect to RouterA and RouterB through
the switches. They connect to the WAN through RouterA and RouterB.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
router id 1.1.1.1 // Set the router ID. (It is recommended that you set the router ID to the IP address of LoopBack0.)
#
vlan batch 20 30
#
ip vpn-instance vpn-nrt // Create a VPN instance vpn-nrt for transmitting non-real-time service packets.
ipv4-family
route-distinguisher 21825:2
vpn-target 21825:200 export-extcommunity
vpn-target 21825:200 import-extcommunity
#
ip vpn-instance vpn-rt // Create a VPN instance vpn-rt for transmitting real-time service packets.
ipv4-family
route-distinguisher 21825:1
vpn-target 21825:100 export-extcommunity
vpn-target 21825:100 import-extcommunity
#
mpls lsr-id 1.1.1.1 // Set the MPLS LSR ID to the IP address of LoopBack0.
mpls // Globally enable MPLS.
#
mpls ldp // Globally enable MPLS LDP
#
traffic classifier vpn-nrt operator or // Configure a traffic classifier vpn-nrt that matches packets with EXP value 3.
if-match mpls-exp 3
traffic classifier lan-rt operator or // Configure a traffic classifier lan-rt that matches all packets.
if-match any
traffic classifier vpn-rt operator or // Configure a traffic classifier vpn-rt that matches packets with EXP value 4.
if-match mpls-exp 4
traffic classifier lan-nrt operator or // Configure a traffic classifier lan-nrt that matches all packets.
if-match any
#
traffic behavior vpn-nrt // Create a traffic behavior vpn-nrt and configure it to perform assured forwarding for packets matching the associated classifier. Set the minimum assured bandwidth for these packets to 30% of the interface bandwidth.
queue af bandwidth pct 30
traffic behavior lan-rt // Create a traffic behavior lan-rt and configure it to set EXP values of packets matching the associated classifier to 4.
remark mpls-exp 4
traffic behavior vpn-rt // Create a traffic behavior vpn-rt and configure it to perform LLQ for packets matching the associated classifier. Set the maximum bandwidth for these packets to 60% of the interface bandwidth.
queue llq bandwidth pct 60
traffic behavior lan-nrt // Create a traffic behavior lan-nrt and configure it to set EXP values of packets matching the associated classifier to 3.
remark mpls-exp 3
#
traffic policy lan-rt // Create a traffic policy lan-rt.
classifier lan-rt behavior lan-rt // Bind the traffic classifier lan-rt to the traffic behavior lan-rt so that the system sets the EXP value of all packets passing through the interface to 3.
traffic policy vpn // Create a traffic policy vpn.
classifier vpn-nrt behavior vpn-nrt // Bind the traffic classifier vpn-nrt to the traffic behavior vpn-nrt so that the system performs assured forwarding for packets with EXP value 3 and provides a minimum of 30% of
#
ipv4-family vpnv4 // Enable the VPNv4 routing capability for BGP.
policy vpn-target // Configure the local device to filter received VPNv4
routes by VPN target.
peer 2.2.2.2 enable // Enable the local device to exchange VPNv4 routing
information with peer 2.2.2.2.
#
ipv4-family vpn-instance vpn-nrt
network 10.1.1.0 255.255.255.0 // Advertise local network segment 10.1.1.0/24 in the VPN instance vpn-nrt.
import-route direct // Import direct routes.
#
ipv4-family vpn-instance vpn-rt
network 10.1.2.0 255.255.255.0 // Advertise local network segment 10.1.2.0/24 in the VPN instance vpn-rt.
import-route direct // Import direct routes.
#
ospf 100 // Configure OSPF so that RouterA and RouterB can communicate with each other.
import-route direct
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
traffic policy lan-rt
classifier lan-rt behavior lan-rt
traffic policy vpn
classifier vpn-nrt behavior vpn-nrt
classifier vpn-rt behavior vpn-rt
traffic policy lan-nrt
classifier lan-nrt behavior lan-nrt
#
controller E1 3/0/0
using e1
#
controller E1 3/0/1
using e1
#
interface Vlanif20
ip binding vpn-instance vpn-nrt
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance vpn-rt
ip address 10.1.4.1 255.255.255.0
#
interface Mp-group0/0/0
ip address 10.1.2.1 255.255.255.0
qos gts cir 400 cbs 100000
traffic-policy vpn outbound
mpls
mpls ldp
#
interface Serial3/0/0:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Serial3/0/1:0
link-protocol ppp
ppp mp Mp-group 0/0/0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy lan-nrt inbound
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy lan-rt inbound
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100 // Set the AS number of IPv4 peer 1.1.1.1 to 100.
peer 1.1.1.1 connect-interface LoopBack0 // Specify the source interface and
source IP address of BGP packets.
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn-nrt
network 10.1.3.0 255.255.255.0 // Advertise local network segment 10.1.3.0/24
in VPN instance vpn-nrt.
import-route direct // Import direct route.
#
----End
Configuration Notes
l It is recommended that you set the router ID and MPLS LSR ID to the IP address of the
same loopback interface.
l MPLS and MPLS LDP must be enabled in both the system view and interface view.
l When configuring BGP, use the routers' loopback0 interfaces to establish BGP peers.
l Configure the switch interfaces connected to the routers as trunk interfaces and add the
interfaces to service VLANs.
l LLQ queues are a special type of EF queue and have a shorter delay than EF queues.
l CBQ classifies packets based on the IP precedence or DSCP priority, inbound interface,
or 5-tuple (protocol type, source IP address and mask, destination IP address and mask,
source port range, and destination port range). Then CBQ sends packets matching traffic
classification rules to EF and AF queues. The packets that do not match any configured
classifier are added to the default class and enter BE queues based on session
information of flows.
18.1 Example for Configuring the SNMP Function to Implement Communication Between
the Device and the NMS
18.2 Example for Configuring the Netstream Function to Account User Traffic
18.3 Example for Configuring a UDP Jitter Test
18.4 Example for Configuring a TCP Test
18.5 Example for Configuring RMON to Remotely Monitor and Manage the Device
18.6 Example for Configuring the NTP Unicast Server/Client Mode with NTP Authentication
Enabled to Implement Clock Synchronization
18.7 Example for Configuring the NTP Broadcast Mode with NTP Authentication Enabled to
Implement Clock Synchronization
18.8 Example for Configuring the NTP Multicast Mode to Implement Clock Synchronization
18.9 Example for Configuring Local Port Mirroring to Monitor User Behaviors
Networking Requirements
Router A connects to the NMS through GE1/0/0. SNMP needs to be deployed to ensure that
the NMS and managed network devices communicate properly.
Procedure
Step 1 Configure Router A.
In V200R003C00 and earlier versions:
#
interface GigabitEthernet1/0/0
ip address 10.1.2.1 255.255.255.0
#
snmp-agent local-engineid 000007DB7FFFFFFF00001AA7
snmp-agent sys-info version v1 //Set the SNMP version to V1.
snmp-agent community read admin@123 //Set the community name to admin@123 and permit read-only access.
snmp-agent target-host trap-hostname nms address 10.1.1.2 udp-port 162 trap-paramsname trapnms2 //Set the destination address of trap messages to 10.1.1.2, the target host name to nms, and the name of the list containing parameters for sending trap messages to trapnms2.
snmp-agent target-host trap-paramsname trapnms2 v1 securityname admin@123 //Set the name of the list containing parameters for sending trap messages to trapnms2, the SNMP version to V1, and the community name to admin@123.
snmp-agent trap enable //Enable RouterA to send trap messages to the NMS.
snmp-agent //Enable the SNMP agent.
#
----End
Configuration Notes
l Ensure that the NMS and RouterA use the same SNMP version and community name.
l SNMPv1 and SNMPv2c carry the community name in cleartext in every packet, and the community name is the only access check. Use a community name that is hard to guess, restrict SNMP access to the management network, and prefer SNMPv3 with authentication and encryption where the NMS supports it.
Networking Requirements
As shown in Figure 18-2, HostA connects to GE1/0/0 of RouterA. The NetStream function is
enabled on RouterA. NSC&NDA collects statistics about incoming and outgoing traffic on
GE1/0/0 of RouterA. The statistics serve as a basis for accounting.
Procedure
Step 1 Configure Router A.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.2 255.255.255.0
ip netstream inbound //Configure the statistics function for incoming traffic.
ip netstream outbound //Configure the statistics function for outgoing traffic.
#
interface GigabitEthernet2/0/0
ip address 10.2.1.1 255.255.255.0
#
----End
Configuration Notes
l Ensure that Router A and the NSC&NDA use the same destination port number of
NetStream packets.
Networking Requirements
As shown in Figure 18-3, RouterA functions as an NQA client and RouterC functions as an
NQA server. A UDP Jitter test needs to be configured to measure the jitter time of packets
transmitted between RouterA and RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterA.
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route from
RouterA to the specified network segment.
#
nqa test-instance admin jitter //Create an NQA test instance and enter the NQA
test instance view.
test-type jitter //Set the test instance type to Jitter.
destination-address ipv4 10.2.1.2 //Configure a destination address.
----End
Networking Requirements
As shown in Figure 18-4, RouterA functions as an NQA client and RouterC functions as an
NQA server. An NQA TCP test needs to be configured to measure the TCP connection setup
time between RouterA and RouterC.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA //Configure the device name.
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Assign an IP address to GE1/0/0 of RouterA.
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2 //Configure a static route from
RouterA to the specified network segment.
#
nqa test-instance admin tcp //Create an NQA test instance and enter the NQA test
instance view.
test-type tcp //Set the test instance type to TCP.
destination-address ipv4 10.2.1.2 //Configure a destination address.
destination-port 9000 //Configure a destination port number.
#
return
----End
Networking Requirements
As shown in Figure 18-5, a subnet connects to the network through GE2/0/0 of the router.
The network management system (NMS) needs to monitor the subnet, including:
l Collecting real-time and history statistics on traffic and each type of packets
l Recording logs when the traffic rate exceeds the threshold
l Monitoring broadcast and multicast traffic rate on the subnet and sending traps to the
NMS when the traffic rate exceeds the threshold
Procedure
Step 1 Configure the router.
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.2.2.1 255.255.255.0 //Configure an IP address for GE1/0/0.
#
interface GigabitEthernet2/0/0
ip address 10.3.3.1 255.255.255.0 //Configure an IP address for GE2/0/0.
rmon-statistics enable //Enable RMON statistics collection on GE2/0/0.
rmon statistics 1 owner Test300 //Configure a statistical table with table index
1 and creator Test300.
rmon history 1 buckets 10 interval 30 owner Test300 //Configure a historical
control table. Configure RMON to sample traffic on subnets at an interval of 30s.
Save the latest 10 records.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.2.2.0 0.0.0.255 //Configure the network segment where OSPF is run.
network 10.3.3.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
snmp-agent target-host trap-hostname hwnm address 10.1.1.1 udp-port 162 trap-paramsname hw //Configure the device to send traps to the specified NMS.
snmp-agent target-host trap-paramsname hw v1 securityname %@%@_=XqAFC_94uCS,3'<gYC*ZU6%@%@ //Use SNMPv1 for traps; the community name is stored in cipher text.
snmp-agent trap enable //Enable SNMP trap sending.
#
rmon event 1 description null log owner Test300 //Set the handling method of RMON event 1 to recording logs.
rmon event 2 description forUseofPrialarm trap public owner Test300 //Set the handling method of RMON event 2 to sending traps to the NMS (community name public).
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1 falling-threshold 100 1 owner Test300 //Configure alarm 1: sample the absolute value of OID 1.3.6.1.2.1.16.1.1.1.6.1 (etherStatsBroadcastPkts of statistics entry 1) every 30 seconds, and trigger event 1 (log) when the value reaches or exceeds 500 or falls to 100 or below.
rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1 sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype forever owner Test300 //Configure extended alarm 1: every 30 seconds sample the sum of the broadcast (.6.1) and multicast (.7.1) packet counters of statistics entry 1 and take the delta against the previous sample. When the delta reaches or exceeds 1000 or falls to 0, event 2 is triggered and a trap is sent to the NMS.
#
return
# Run the display rmon statistics gigabitethernet 2/0/0 command to view traffic statistics on
the subnet.
# Run the display rmon history gigabitethernet 2/0/0 command to view historical statistics.
# Run the display rmon event command to view RMON event configurations.
# Run the display rmon alarm 1 command to view configurations of the RMON alarm
function.
# Run the display rmon prialarm 1 command to view RMON extended alarm configuration.
# Run the display rmon eventlog command to view details about the RMON event logs.
----End
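The Python below is an added example, not part of the Huawei document: it replays the rising/falling threshold logic behind the rmon alarm and rmon prialarm entries above (RFC 2819 alarmTable semantics, which the router is assumed to follow) over constructed counter samples, using the thresholds and event numbers from the configuration. Sample values are invented for the example.

```python
"""Added example, not from the Huawei document: the rising/falling threshold
logic behind `rmon alarm` and `rmon prialarm` (RFC 2819 alarmTable semantics,
assumed here to match the router's implementation), replayed over constructed
counter samples. Thresholds and event numbers are the ones configured above."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    rising: int
    falling: int
    sample_type: str = "absolute"        # "absolute" or "delta"
    rising_event: int = 1
    falling_event: int = 2
    last_raw: Optional[int] = field(default=None, init=False)
    last_fired: Optional[str] = field(default=None, init=False)

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one sampled value (the monitored OID, or for prialarm the
        evaluated expression). Returns ("rising"|"falling", event) or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:        # a delta needs two samples
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        # RFC 2819: after a rising event no further rising event is generated
        # until the value reaches the falling threshold, and vice versa.
        if value >= self.rising and self.last_fired != "rising":
            self.last_fired = "rising"
            return "rising", self.rising_event
        if value <= self.falling and self.last_fired != "falling":
            self.last_fired = "falling"
            return "falling", self.falling_event
        return None


def replay(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str, int]]:
    """Run samples through the alarm; return (sample index, direction, event)."""
    fired = []
    for i, raw in enumerate(samples):
        hit = alarm.sample(raw)
        if hit:
            fired.append((i, hit[0], hit[1]))
    return fired


# rmon alarm 1 ... 30 absolute rising-threshold 500 1 falling-threshold 100 1
def broadcast_pkts_absolute():
    alarm = RmonAlarm(rising=500, falling=100, sample_type="absolute",
                      rising_event=1, falling_event=1)
    return replay(alarm, [200, 600, 700, 300, 80, 650])   # constructed samples


# rmon prialarm 1 ... sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2
def broadcast_plus_multicast_delta(sums: List[int]):
    alarm = RmonAlarm(rising=1000, falling=0, sample_type="delta",
                      rising_event=2, falling_event=2)
    return replay(alarm, sums)


if __name__ == "__main__":
    print(broadcast_pkts_absolute())
    print(broadcast_plus_multicast_delta([1000, 1300, 2800, 2900, 2900, 4100]))
    print(broadcast_plus_multicast_delta([0, 1500, 3000, 4500]))   # one trap, then silence
```

The third replay is the practical caveat: with falling-threshold 0 on a delta alarm, the alarm re-arms only in a 30-second interval with zero broadcast and multicast packets, so on a busy LAN the NMS receives one trap for a storm and nothing afterwards. Setting the falling threshold to a value the normal rate drops below lets the alarm fire again for the next storm.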
Networking Requirements
As shown in Figure 18-6, RouterB, RouterC, and RouterD are on a local area network
(LAN), and are connected to RouterA through a network. To ensure normal service, all
routers on the LAN must synchronize their system clocks to a standard clock. The
requirements are as follows:
l RouterA functions as the master clock server and the stratum is 2.
l RouterA and RouterB use the NTP unicast server/client mode to synchronize clocks.
RouterA functions as a server and RouterB functions as a client.
l RouterB uses the NTP unicast server/client mode to synchronize clock with RouterC and
RouterD. RouterB functions as a server, and RouterC and RouterD function as clients.
Figure 18-6 Networking diagram for configuring the NTP unicast server/client mode
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.2.2.2 255.255.255.0 //Configure an IP address for GE1/0/0.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.2.2.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 42 authentication-mode hmac-sha256 cipher %@%@,1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication key 42 (HMAC-SHA256); the key is stored in cipher text.
ntp-service reliable authentication-keyid 42 //Declare key 42 as a trusted key. A client synchronizes only with a server that authenticates with a trusted key.
ntp-service refclock-master 2 //Configure RouterA as the NTP master clock and set the stratum to 2.
#
return
# Run the display ntp-service status command on RouterB to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterB has synchronized clock with RouterA.
# Run the display ntp-service status command on RouterC to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 4, which is one stratum lower than RouterB,
RouterC has synchronized clock with RouterB.
# Run the display ntp-service status command on RouterD to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 4, which is one stratum lower than RouterB,
RouterD has synchronized clock with RouterB.
----End
Configuration Notes
l When configuring NTP authentication in the unicast server/client mode, enable the NTP
authentication on the client, and then specify the NTP server address and the
authentication cipher to be sent to the server. If these operations are not performed, the
NTP server and client directly synchronize their clocks without NTP authentication.
l The server and the client must be configured with the same authentication cipher.
l To ensure successful authentication, configure the same key ID, authentication mode, and key on the NTP client and server, and declare the key ID as trusted on both.
Networking Requirements
As shown in Figure 18-7, RouterB, RouterC, and RouterD are located on the same LAN.
RouterA is directly connected to RouterB. RouterC directly synchronizes its clock to a
standard clock by radio. All routers except routerA on the LAN must synchronize their clocks
to the standard clock. The requirements are as follows:
l RouterC functions as the master clock server and uses its local clock as the NTP master
clock, and its clock stratum is 3.
l RouterC functions as the NTP broadcast server that sends broadcast packets from interface GE1/0/0.
l RouterA, RouterD and RouterB function as NTP broadcast clients. RouterA uses
GE1/0/0 to listen to the broadcast packets. RouterD uses GE1/0/0 to listen to the
broadcast packets. RouterB uses GE2/0/0 to listen to the broadcast packets.
l NTP authentication function is required to strengthen network security.
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.11 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service broadcast-client //Configure RouterA as the NTP broadcast client.
#
ospf 1 //Create and run an OSPF process.
area 0.0.0.0 //Create and enter the OSPF area view.
network 10.1.1.0 0.0.0.255 //Configure the network segment where OSPF is run.
#
ntp-service authentication enable //Enable NTP authentication.
ntp-service authentication-keyid 16 authentication-mode hmac-sha256 cipher %@%@,1_MBtq@`IsY6$XkI|J<"6P(%@%@ //Configure NTP authentication key 16 (HMAC-SHA256); the key is stored in cipher text.
ntp-service reliable authentication-keyid 16 //Declare key 16 as a trusted key.
#
return
# Run the display ntp-service status command on RouterA to view NTP status. When the
value of clock status is displayed as unsynchronized, RouterA does not synchronize clock
with RouterC. RouterA and RouterC are on different network segments, so RouterA cannot
receive broadcast packets from RouterC.
# Run the display ntp-service status command on RouterD to view NTP status. When the value of clock status is displayed as synchronized, clock synchronization is complete. When the value of clock stratum is displayed as 4, which is one stratum lower than RouterC, RouterD has synchronized its clock with RouterC. RouterD and RouterC are on the same network segment, so RouterD can receive broadcast packets from RouterC.
----End
Networking Requirements
As shown in Figure 18-8, RouterA, RouterB, and RouterC are located on the same LAN.
RouterA directly synchronizes its clock to a standard clock by radio. The clocks of all routers
on the network need to be synchronized to the standard clock. The requirements are as
follows:
l RouterA functions as the master clock server and uses its local clock as the NTP master
clock, and its clock stratum is 2.
l RouterA functions as the NTP multicast server that sends multicast packets from
interface GE1/0/0.
l RouterB and RouterC function as NTP multicast clients. RouterB uses GE1/0/0 to listen
to the multicast packets. RouterC uses GE1/0/0 to listen to the multicast packets.
Figure 18-8 Networking diagram for configuring the NTP multicast mode
Procedure
Step 1 Configure RouterA.
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0 //Configure an IP address for GE1/0/0.
ntp-service multicast-server //Configure RouterA as an NTP multicast server. No NTP authentication is configured in this example, so clients on the segment accept multicast NTP packets from any host; enable NTP authentication as in the preceding examples if the LAN is not trusted.
#
ntp-service refclock-master 2 //Configure RouterA as the NTP master clock and
set stratum to 2.
#
return
# Run the display ntp-service status command on RouterB to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterB has synchronized clock with RouterA.
# Run the display ntp-service status command on RouterC to view NTP status. When the
value of clock status is displayed as synchronized, clock synchronization is complete. When
the value of clock stratum is displayed as 3, which is one stratum lower than RouterA,
RouterC has synchronized clock with RouterA.
----End
Networking Requirements
As shown in Figure 18-9, the router functions as the egress gateway of an enterprise. The
R&D department and marketing department of the enterprise connect to Ethernet2/0/0 and
Ethernet2/0/1 on the router. The server (a data monitoring device) that has the monitoring
software installed connects to Ethernet2/0/2 on the router to analyze the captured packets. To
ensure enterprise information security, configure local port mirroring on the router to help the
server monitor all the packets sent by the R&D department and marketing department.
Procedure
Step 1 Configure the router.
#
observe-port interface Ethernet2/0/2 //Configure the local observing port.
#
interface Ethernet2/0/0
mirror to observe-port inbound //Configure Ethernet2/0/0 as the local mirrored port and mirror only incoming packets on the port.
#
interface Ethernet2/0/1
mirror to observe-port inbound //Configure Ethernet2/0/1 as the local mirrored port and mirror only incoming packets on the port.
#
----End
Configuration Notes
l A router can have only one observing port, which must be a LAN-side Ethernet port.
l On the router, the packets on multiple ports can be mirrored to one observing port.
l When you configure the observing port and mirrored port, correctly allocate bandwidth
to the ports. If a GE interface is used as the mirrored port and an Ethernet interface is
used as the observing port, the observing port bandwidth is insufficient. This may result
in the loss of mirrored packets.
l After an interface is configured as the observing port, do not perform other
configurations on the interface. Otherwise, the local port mirroring function may be
affected. For example, if the observing port transmits both mirrored packets and other
service traffic, the observing port cannot identify the source of the packets. When the
observing port becomes congested, mirrored packets may be discarded because these
packets have lower priority than service traffic.
19 Comprehensive Cases
19.1 Example for Configuring DHCP and NAT to Enable Users to Dynamically Obtain IP
Addresses and Access the Internet
19.2 Associating IPSec with NQA to Implement Rapid Switching Between Active and
Standby Peers and Links
19.3 Example for Configuring SPR to Implement Smart Routing on Voice Services
Networking Requirements
The router functions as the egress gateway of an enterprise. The enterprise has departments A
and B, and plans two address network segments (10.10.1.0/25 and 10.10.1.128/25) and
gateway addresses (10.10.1.1/25 and 10.10.1.129/25) for terminals in the two departments
respectively. In department A, PCs are used as office terminals, with the address lease of 30
days, domain name huawei.com, and DNS server address 10.10.1.2. In department B,
portable computers of employees on business trips are mostly used, with the address lease of
2 days, domain name huawei.com, and DNS server address 10.10.1.2. The internal addresses
of the enterprise are planned as private network addresses and the terminals need to access the Internet. Therefore, NAT needs to be configured to translate private network addresses to public network addresses. The outbound interface GE0/0/3 of the router connects to a peer whose IP address is 2.1.1.1/24.
Figure 19-1 Networking diagram of configuring DHCP and NAT to enable users to
dynamically obtain IP addresses and access the Internet
Procedure
Step 1 Configure the router.
#
sysname Router //Modify the device name.
#
dhcp enable //Enable the DHCP function.
#
acl number 2000 //Configure the internal network address segment 10.10.1.0/24 on which NAT is allowed.
rule 5 permit source 10.10.1.0 0.0.0.255
#
ip pool ip-pool1
gateway-list 10.10.1.1 //Configure the gateway address.
network 10.10.1.0 mask 255.255.255.128 //Configure the range of IP addresses that can be dynamically allocated from the global address pool.
excluded-ip-address 10.10.1.2 //Exclude 10.10.1.2 (the DNS server) from automatic allocation.
dns-list 10.10.1.2 //Configure the IP address of the DNS server used by the DHCP client.
lease day 30 hour 0 minute 0 //Set the IP address lease to 30 days.
domain-name huawei.com //Configure the domain name huawei.com.
#
ip pool ip-pool2
gateway-list 10.10.1.129 //Configure the gateway address.
network 10.10.1.128 mask 255.255.255.128 //Configure the range of IP addresses that can be dynamically allocated from the global address pool.
dns-list 10.10.1.2 //Configure the IP address of the DNS server used by the DHCP client.
lease day 2 hour 0 minute 0 //Set the IP address lease to 2 days.
domain-name huawei.com //Configure the domain name huawei.com.
#
interface GigabitEthernet0/0/1
ip address 10.10.1.1 255.255.255.128
----End
Configuration Notes
Configure an ACL to determine for which network segment NAT needs to be performed.
As shown in Figure 19-3, to ensure the reliability of devices in the headquarters, the
headquarters uses two or more devices to establish VRRP groups and establishes an IPSec
tunnel with the branch. The branch gateway needs to establish an IPSec tunnel with the
headquarters by configuring two addresses or domain names for one peer. The branch
gateway uses the first address or domain name to establish an IPSec tunnel with the
headquarters gateway. If the IPSec tunnel fails to be set up or dead peer detection (DPD) fails,
the second address or domain name is used. However, the switching process requires a long
time. In addition, after the fault is rectified, the traffic cannot be switched back to the original
peer.
You can associate IPSec with NQA to check whether the peer address is invalid based on the
NQA test. If the peer address is invalid, the traffic is rapidly switched to the other peer. This
ensures that traffic is rapidly switched to another headquarters gateway when one
headquarters gateway fails. In addition, you can configure revertive switching to ensure that
traffic can be switched back after the original headquarters gateway recovers.
To increase the reliability of branch links, the branch gateway connects to the Internet using
two interfaces. The branch gateway uses the active link to establish an IPSec tunnel with the
headquarters gateway. If the active link fails, the branch gateway uses the standby link to
establish an IPSec tunnel. The switching process requires a long time. After the failure is
rectified, traffic cannot be switched back to the active link. Therefore, you can also associate
IPSec with NQA to check whether the active link works properly according to the NQA test.
If the active link fails, traffic is rapidly switched to the standby link. In addition, after the
active link recovers, traffic can be switched back.
Configuration Notes
1. Devices in the VRRP group must be configured with the same virtual router ID (VRID).
2. The authentication and encryption algorithms of the branch and headquarters gateways
must be the same.
3. The ACLs on the branch and headquarters gateways must mirror each other. If ACL
rules between peers do not mirror each other, an SA can be established successfully only
when the range defined by the ACL rule of the initiator is a subset of the range defined
by the ACL rule of the responder.
4. When both IPSec and NAT are configured on a device, check whether the data flows to be encapsulated by IPSec need to be translated using NAT.
– If NAT is required, the security ACL needs to match the NAT-translated address.
– If NAT is not required, the security ACL needs to match the address that is not
translated using NAT. In addition, define the deny action in the ACL for the data
flows that need to be transmitted using the IPSec tunnel.
5. When configuring IPSec, ensure that the public network route is reachable.
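The Python below is an added example, not from the Huawei document: it checks whether the IPsec security ACLs of two peers mirror each other and, if they do not, whether the initiator's flows are at least a subset of the responder's, which is the condition in configuration note 3. It parses the single-line `rule N permit ip source A W destination B W` form used on this page. AR1's rule is the one given later in this example; the three headquarters rules are constructed to show the mirror, wider and narrower cases.

```python
"""Added example, not from the Huawei document: check whether the IPsec
security ACLs of two peers mirror each other and, failing that, whether the
initiator's flows are a subset of the responder's (configuration note 3).
Parses the `rule N permit ip source A W destination B W` form used on this
page. AR1's rule is the one on the page; the HQ rules are constructed."""
import ipaddress
import re
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


RULE_RE = re.compile(r"rule\s+\d+\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Huawei ACL wildcard masks: 0 bits must match; a bare '0' means one host."""
    wild = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):                        # must be of the form 2**k - 1
        raise ValueError(f"wildcard {wildcard} is not contiguous; cannot express as a prefix")
    prefix = 33 - (wild + 1).bit_length()
    return ipaddress.ip_network((addr, prefix), strict=False)


def permit_flows(acl_text: str) -> List[Flow]:
    flows = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(1) == "permit":         # deny rules select no traffic for IPsec
            flows.append(Flow(wildcard_to_network(m.group(2), m.group(3)),
                              wildcard_to_network(m.group(4), m.group(5))))
    return flows


def mirrors(initiator: List[Flow], responder: List[Flow]) -> bool:
    """Every initiator (src, dst) appears on the responder as (dst, src)."""
    return all(Flow(f.dst, f.src) in responder for f in initiator)


def covered(initiator: List[Flow], responder: List[Flow]) -> bool:
    """Every initiator flow lies inside some reversed responder flow."""
    return all(any(f.src.subnet_of(r.dst) and f.dst.subnet_of(r.src) for r in responder)
               for f in initiator)


def check_peers(initiator_acl: str, responder_acl: str) -> str:
    ini, rsp = permit_flows(initiator_acl), permit_flows(responder_acl)
    if mirrors(ini, rsp):
        return "mirror"        # the SA can be negotiated from either side
    if covered(ini, rsp):
        return "subset"        # the SA is negotiated only when this side initiates
    return "mismatch"          # the responder rejects the proposal


AR1_ACL = "rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.0.255"
# The three headquarters ACLs below are constructed for the example.
HQ_MIRROR = "rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
HQ_WIDER = "rule 0 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255"
HQ_NARROWER = "rule 0 permit ip source 10.1.0.0 0.0.0.255 destination 10.1.1.0 0.0.0.127"

if __name__ == "__main__":
    for name, hq in [("mirror", HQ_MIRROR), ("wider", HQ_WIDER), ("narrower", HQ_NARROWER)]:
        print(name, "AR1 initiates:", check_peers(AR1_ACL, hq),
              "HQ initiates:", check_peers(hq, AR1_ACL))
```

The asymmetric cases are the ones that cause intermittent tunnels: with the wider headquarters ACL, the tunnel comes up when AR1 initiates but not when the headquarters does, so a tunnel that works after a branch reboot can fail after a headquarters failover.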
Networking Requirements
As shown in Figure 19-4, HQ1 and HQ2 are headquarters gateways, and AR1 is the branch
gateway. The DNS server parses domain names, and the DDNS server updates IP addresses
mapping domain names.
To improve the reliability of the enterprise headquarters gateway, HQ1 and HQ2 establish a VRRP group, and HQ1 is the master. To enhance the reliability of the branch link and service security, AR1 establishes an IPSec VPN with the headquarters using two links. The 3G dial-up link is the standby link. The requirements are as follows:
l When the link between HQ1 and AR1 fails, the VRRP group can detect it and perform an active/standby switchover. HQ2 then takes over services to reduce the impact of a link fault on service forwarding.
l When HQ1 fails, AR1 can rapidly establish an IPSec tunnel with HQ2 through negotiation to reduce traffic loss. In addition, when HQ1 recovers, traffic can be switched back.
l When the active link of AR1 fails, services on the IPSec tunnel can be rapidly switched to the standby link to reduce traffic loss. When the active link recovers, traffic can be rapidly switched back.
Configuration Roadmap
The configuration roadmap is as follows:
1. To implement gateway backup, configure a VRRP group on HQ1 and HQ2. Set the
priority of HQ1 to 120 and preemption delay to 20 seconds, and configure HQ1 as the
master; set the priority of HQ2 to 90 and configure it as backup.
2. To ensure a rapid VRRP active/standby switchover and reduce the traffic loss, associate
VRRP with NQA to monitor the connectivity of the active link of the headquarters.
When NQA detection fails, data flows can be switched from HQ1 to HQ2.
3. To implement secure communication between the branch and headquarters, configure
IPSec on HQ1, HQ2, and AR1.
4. To implement rapid switching between the branch and HQ1/HQ2 and reduce service loss, associate IPSec with NQA on AR1 to check whether the peer address is valid and ensure that traffic can be rapidly switched to another headquarters gateway when one headquarters gateway fails. In addition, configure revertive switching of peers to ensure that traffic can be switched back when the original headquarters gateway recovers.
5. To implement rapid switching of active and standby branch links and reduce service loss, associate IPSec with NQA on AR1 to monitor the connectivity of the IPSec tunnel in real time and ensure that traffic can be rapidly switched to the standby link when the active branch link fails. After the active link recovers, traffic can be switched back.
Data Plan
Configuration Files
l Configure HQ1.
#
sysname HQ1
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway
address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
ddns policy ddnspolicy1 //Configure a DDNS policy to update the IP address
mapping the domain name.
url oray://username1:password1@phddnsdev.oray.net //Configure a URL of the
DDNS server.
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-
cbc-128 parameter is changed to aes-128
authentication-algorithm sha2-256
#
ike peer branch v2 //The commands used to configure IKE peers and the IKE
protocol differ depending on the software version. In earlier versions of
V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and
later versions, the command is ike peer peer-name and version { 1 | 2 }. By
default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2
to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to
respond. To initiate a negotiation request using IKEv1, run the undo version
2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key "huawei1234" in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei1234, and the password is displayed in plain text. The key must be identical on HQ1, HQ2, and AR1; in production use a long random key rather than a short dictionary word such as the one shown here.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is
enabled on the device by default, and this command is not supported. In
versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD
packets to 10 seconds.
#
ipsec policy-template use1 10 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy branch 1 isakmp template use1 //Reference the IPSec policy
template in the IPSec policy.
#
interface Dialer0 //Configure parameters of the dialer interface.
link-protocol ppp
ppp pap local-user user@huawei.com password cipher %@%@ZX}=YK.{rUa.K#7W\==O)+[c%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1 //Specify a dialer bundle for the RS-DCC dialer interface.
dialer-group 1 //Specify a dialer group for the dialer interface.
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface, so
that the dialer interface can forward dynamic update to the DDNS server when
the interface IP address changes.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 //Bind the dialer interface and establish
a PPPoE session.
#
interface GigabitEthernet2/0/0
ip address 10.1.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.0.10 //Set the virtual address of VRRP group 1
to 10.1.0.10.
vrrp vrid 1 priority 120 //Configure the priority of the device in the VRRP
group.
vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay for the
device in the VRRP group.
vrrp vrid 1 track nqa user test reduced 40 //Associate VRRP with NQA to monitor the connectivity of the active link of the headquarters. When the NQA test fails, the priority of HQ1 drops from 120 to 80, which is lower than the priority 90 of HQ2, so HQ2 becomes the master.
#
dialer-rule //Configure a dialer rule that permits all IPv4 packets.
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0 //Configure a static route.
#
nqa test-instance user test //Configure an NQA test instance.
test-type icmp //Configure the test type of the NQA test instance as
ICMP.
destination-address ipv4 5.1.1.2
frequency 20 //Configure the interval of automatic NQA test.
probe-count 5 //Set the number of probes for one test.
source-interface Dialer0 //Configure the source interface that forwards
NQA packets.
l Configure HQ2.
#
sysname HQ2
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
ddns policy ddnspolicy1 //Configure a DDNS policy to update the IP address mapping the domain name.
url oray://username1:password1@phddnsdev.oray.net //Configure a URL of the
DDNS server.
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer branch v2 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the pre-shared key for authentication as "huawei1234" in cipher text. In V2R3C00 and earlier versions, this command is pre-shared-key huawei1234, and the password is displayed in plain text.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD packets to 10 seconds.
#
ipsec policy-template use1 10 //Configure an IPSec policy template.
ike-peer branch
proposal def
#
ipsec policy branch 1 isakmp template use1 //Reference the IPSec policy template in the IPSec policy.
#
interface Dialer0 //Configure parameters of the dialer interface.
link-protocol ppp
ppp pap local-user user@huawei.com password cipher %@%@ZX}=YK.{rUa.K#7W\==O)+[c%@%@
ip address ppp-negotiate
dialer user huawei
dialer bundle 1 //Specify a dialer bundle for the RS-DCC dialer interface.
dialer-group 1 //Specify a dialer group for the dialer interface.
ddns policy ddnspolicy1 //Apply the DDNS policy to the dialer interface, so that the dialer interface can send dynamic updates to the DDNS server when the interface IP address changes.
ipsec policy branch //Bind the IPSec policy.
#
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1 //Bind the dialer interface and establish a PPPoE session.
#
interface GigabitEthernet2/0/0
• Configure AR1.
#
sysname AR1
#
dns resolve //Enable DNS resolution to resolve the headquarters gateway address.
dns server 5.1.1.2 //Configure the IP address of the DNS server.
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
#
ipsec proposal def //Configure an IPSec proposal.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128
authentication-algorithm sha2-256
#
ike peer center v2 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In versions earlier than V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the commands are ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
pre-shared-key cipher %^%#IRFGEiFPJ1$&a'Qy,L*XQL_+*Grq-=yMb}ULZdS6%^%# //Configure the pre-shared key for authentication as "huawei1234" in cipher text. In V2R3C00 and earlier versions, this command is pre-shared-key huawei1234, and the password is displayed in plain text.
ike-proposal 1
nat traversal //Enable NAT traversal. In V200R008, NAT traversal is enabled on the device by default, and this command is not supported. In versions later than V200R008, this command is supported.
dpd type periodic //Specify the DPD mode as periodic.
dpd retransmit-interval 10 //Set the interval for retransmitting DPD packets to 10 seconds.
remote-address store1.huawei.com track nqa user test1 up //When the status of the NQA test instance is Up, this domain name can be used as the remote address for negotiation.
remote-address store2.huawei.com track nqa user test1 down //When the status of the NQA test instance is Down, this domain name can be used as the remote address for negotiation.
switch-back enable
#
ipsec policy center1 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
connect track nqa user test up //When the status of the NQA test instance is Up, establish an IPSec tunnel using the IPSec policy.
disconnect track nqa user test down //When the status of the NQA test instance is Down, terminate the IPSec tunnel established using the IPSec policy.
#
ipsec policy center2 1 isakmp //Configure an IPSec policy.
security acl 3000
ike-peer center
proposal def
connect track nqa user test down //When the status of the NQA test instance is Down, establish an IPSec tunnel using the IPSec policy.
disconnect track nqa user test up //When the status of the NQA test instance is Up, terminate the IPSec tunnel established using the IPSec policy.
#
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.0
ipsec policy center1 //Bind the IPSec policy.
#
interface GigabitEthernet2/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Cellular0/0/0
dialer enable-circular
dialer-group 1
dialer timer idle 180
dialer timer autodial 10
dialer number *99#
ipsec policy center2
ip address negotiate
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 200 //Configure the static route as the standby route.
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1 track nqa user test //Configure the static route as the active route and associate it with the NQA test instance.
ip route-static 5.1.1.2 255.255.255.0 10.2.1.1 //Configure the static route to ensure connectivity with the address 5.1.1.2.
#
dialer-rule //Configure a dialer rule that permits all IPv4 packets.
dialer-rule 1 ip permit
#
nqa test-instance user test //Configure an NQA test instance.
test-type icmp //Configure the test type of the NQA test instance as ICMP.
destination-address ipv4 5.1.1.2 //Specify a stable public-network IP address for checking connectivity.
frequency 20 //Configure the interval of automatic NQA tests.
probe-count 5 //Set the number of probes for one test.
source-interface GigabitEthernet1/0/0 //Configure a source interface that forwards test packets.
nqa test-instance user test1
test-type icmp
destination-address ipv4 3.1.1.1 // Specify the HQ1 public network address.
frequency 20
probe-count 5
#
return
SPR addresses this problem. It actively detects the link quality and matches service
requirements to select an optimal link to forward service data. SPR prevents network
blackholes and route flapping.
Generally, SPR selects an optimal link for different service data flows (such as data, voice,
and video services) based on link quality. As shown in Figure 19-5, an enterprise branch
connects to the enterprise data center over two Internet service provider (ISP) networks (ISP1
and ISP2), and a 3G outbound interface is configured on RouterA to provide a best-effort link.
RouterA connects to ISP1 through the link group named group1 and connects to ISP2 through
the link group named group2. ISP1 provides advanced network service at a high cost, while
ISP2 provides common network service at a low cost. The enterprise branch exchanges voice,
video, FTP and HTTP services with the data center. Voice and video services require high link
quality. Therefore, group1 and group2 function as the primary and backup link groups,
respectively, for voice and video services. FTP and HTTP services do not require high link
quality. Therefore, group2 and group1 function as the primary and backup link groups,
respectively, for FTP and HTTP services. When no suitable link in group1 and group2 is
available to voice, video, FTP, and HTTP services, the 3G best-effort link can be used.
The functions that associate interface backup with network quality analysis (NQA),
bidirectional forwarding detection (BFD), or routes select links based on link connectivity and
are unaware of link quality and service requirements. As long as routes are reachable, these
functions select a link to transmit services even though the link quality is poor. Unlike these
functions, SPR selects links based on different service requirements on the latency, jitter, and
packet loss ratio. It can actively detect the link quality and match service requirements based
on the link quality to select an optimal link to forward service data.
Configuration Notes
1. This example applies to all AR routers running V200R005C00 and later versions. This
example uses AR169G-L series routers.
2. Only ADSL interfaces, VDSL interfaces in ATM mode, and G.SHDSL interfaces in
ATM mode support the ATM feature. These interfaces can function as ATM interfaces to
have services such as IPoA, IPoEoA, PPPoA, or PPPoEoA services configured.
– 1ADSL-A/M and 1ADSL-B/J cards can provide ADSL interfaces; 4G.SHDSL and
1GBIS4W cards can provide G.SHDSL interfaces; VDSL2 cards, 1V35B-AM can
provide VDSL interfaces.
– Among AR150&AR160&AR200 series routers, only AR156, AR156W, AR157
series, AR206, and AR207 series routers support the configuration of ADSL
interfaces.
– Among AR150&AR160&AR200 series routers, only AR129, AR169, AR169F, AR169BF, AR169FVW, AR169FGW-L, AR169FGVW-L, AR169G-L, and AR169-P-M9 support the configuration of VDSL interfaces.
– Among AR150&AR160&AR200 series routers, only AR158E, AR158EVW,
AR168F, and AR208E support the configuration of G.SHDSL interfaces.
Networking Requirements
As shown in Figure 19-6, the Router functions as the enterprise egress gateway, connects to
PCs and IP phones through downlink interfaces, and connects to the data/IP multimedia
subsystem (IMS) network through an uplink ATM interface and an uplink 3G interface.
Figure 19-6 SPR for wired and wireless convergence
To meet service development requirements, the enterprise wants the Router to transmit both
data and voice services. Because the leased ATM link is unstable, to ensure voice and data
service transmission quality, the enterprise also has the following requirements:
1. The Router can assign IP addresses to PCs and IP phones in the enterprise internal
network.
2. Data traffic and voice traffic have their own backup links to ensure traffic transmission
reliability.
3. Transmission links can be dynamically switched for voice traffic based on the link
latency, jitter, and packet loss ratio to ensure high link quality.
4. Transmission links can be dynamically switched for data traffic based on the link status
to improve transmission reliability.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server function on the Router to assign IP addresses to PCs and IP
phones in the enterprise internal network.
2. To reduce costs, configure two ATM sub-interfaces as the primary links to transmit data
packets and voice packets respectively.
3. Configure SPR for voice services and configure the delay, jitter, packet loss ratio, and
composite measure indicator (CMI) thresholds as link quality indicators in the SPR
service profile to ensure high reliability for voice services. When the delay, jitter, packet
loss ratio, or CMI of an ATM voice sub-interface does not meet link quality indicators,
traffic is automatically switched to a 3G voice channel interface. When the delay, jitter,
packet loss ratio, and CMI become normal, the Router shuts down the 3G voice channel
interface so that voice services can be switched back to the ATM voice sub-interface.
4. Considering that data services are delay-insensitive, configure association between
interface backup and NQA on the 3G data channel interface to detect the connectivity of
primary links in real time. When the link detection in an NQA test instance fails, data
traffic is switched from an ATM data sub-interface to the 3G data channel interface.
When the link detection succeeds, the 3G data channel interface is set to the standby
state, and then data services are switched back to the ATM data sub-interface.
Data Plan
Service: NQA
Parameter:
• NQA test instance data wan_connected_check: test type ICMP, destination address 8.8.8.8, probe failure percentage 33%, interval (4 seconds) between packets, probe timeout time 2 seconds, 15 probes, and interval (35 seconds) of automatic NQA tests
• NQA test instance degrad voice_linkcheck: test type UDP jitter, destination address 9.9.9.9, destination port number 10000, using the hardware forwarding engine to transmit packets and add timestamps to packets, code type g729a for the simulated voice test, probe packet size 64 bytes, source port VE0/0/1, and interval (900 seconds) of automatic NQA tests
• NQA test instance degrad voice_linkcheck_3G: test type UDP jitter, destination address 9.9.9.9, destination port number 10000, using the hardware forwarding engine to transmit packets and add timestamps to packets, code type g729a for the simulated voice test, probe packet size 64 bytes, source port Cellular0/0/0:1, and interval (900 seconds) of automatic NQA tests
Description: Use the NQA test instance data wan_connected_check for association between the 3G data channel interface Cellular0/0/0:2 and NQA, and configure Cellular0/0/0:2 as the backup interface of ATM0/0/0.2. Associate the voice wired detection link ATM0/0/0.1 with the NQA test instance degrad voice_linkcheck, and associate the voice wireless detection link Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G.

Service: SPR
Parameter: SPR switchover period 1200 seconds, flapping suppression period 2400 seconds, delay (600 seconds) after which an interface is automatically shut down when SPR does not select the link of the interface, delay threshold 100, packet loss ratio threshold 30, and jitter threshold 30
Description: Add VE0/0/1 to the primary link group, and associate VE0/0/1 with the NQA test instance degrad voice_linkcheck. Add Cellular0/0/0:1 to the backup link group, and associate Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G. Configure the thresholds of the delay, jitter, packet loss ratio, and CMI in the SPR service profile as link quality indicators to define link quality.
Configuration File
#
#
sysname Router
#
dhcp enable // Enable the DHCP function.
#
vlan 20 //Create a VLAN for IP phones.
vlan 30 //Create a VLAN for user PCs.
#
acl 3000 //Configure an ACL to match voice packets, indicating that UDP packets from network segment 10.1.2.0/24 and with destination port number ranging from 10000 to 32766 are voice packets.
rule 0 permit udp source 10.1.2.0 0.0.0.255 destination-port range 10000 32766
acl 3001 //Configure an ACL to be referenced by outbound NAT. The ACL defines the rules for NAT translation.
rule 0 permit ip
#
traffic classifier 3G_voice operator or //Configure a traffic classifier for 3G voice services.
if-match acl 3000
traffic classifier voice operator or //Configure a traffic classifier for ATM voice services.
if-match acl 3000
#
traffic behavior voice_behavior //Configure a traffic behavior for ATM voice services.
remark dscp ef //Configure the device to re-mark the DSCP priorities of IP packets with EF.
statistic enable
queue ef bandwidth 120 cbs 3000 //Set the maximum allowed bandwidth of ATM voice traffic to 120 kbit/s.
traffic behavior 3G_voice_behavior //Configure a traffic behavior for 3G voice services.
remark dscp ef //Configure the device to re-mark the DSCP priorities of IP packets with EF.
statistic enable
queue ef bandwidth 128 cbs 3200 //Set the maximum allowed bandwidth of 3G voice traffic to 128 kbit/s.
traffic behavior default_behavior //Configure a traffic behavior for data services.
remark dscp af31 //Configure the device to re-mark the DSCP priorities of IP packets with AF31.
statistic enable
#
traffic policy traffic_policy //Configure a traffic policy for ATM services.
classifier voice behavior voice_behavior //Bind the voice traffic classifier to the traffic behavior.
classifier default-class behavior default_behavior //Bind the data traffic classifier to the traffic behavior. The data traffic classifier is the system default traffic classifier default-class.
traffic policy 3G_policy //Configure a traffic policy for 3G services.
classifier 3G_voice behavior 3G_voice_behavior //Bind the voice traffic classifier to the traffic behavior.
classifier default-class behavior default_behavior //Bind the data traffic classifier to the traffic behavior. The data traffic classifier is the system default traffic classifier default-class.
#
ip pool pool_voice //Configure an IP address pool to assign IP addresses to IP phones.
gateway-list 10.1.2.1
network 10.1.2.0 mask 255.255.255.0 //Set the IP address pool range to 10.1.2.0/24.
lease day 0 hour 0 minute 30 //Set the IP address lease to 30 minutes.
dns-list 4.4.4.4 //Configure the DNS server address 4.4.4.4.
domain-name ims.it //Configure a domain name suffix.
#
ip pool pool_data //Configure an IP address pool to assign IP addresses to user PCs.
gateway-list 10.1.3.1
network 10.1.3.0 mask 255.255.255.0 //Set the IP address pool range to 10.1.3.0/24.
lease day 5 hour 0 minute 0 //Set the IP address lease to 5 days.
dns-list 5.5.5.5 //Configure the DNS server address 5.5.5.5.
#
interface Vlanif20 //Create VLANIF 20.
description *** VLAN VOICE***
ip address 10.1.2.1 255.255.255.0
dhcp select global //Enable the DHCP server function to assign IP addresses to clients from the global address pool.
#
interface Vlanif30 //Create VLANIF 30.
description *** VLAN DATA ***
ip address 10.1.3.1 255.255.255.0
dhcp select global //Enable the DHCP server function to assign IP addresses to clients from the global address pool.
#
interface Cellular0/0/0 //Enter the 3G interface.
link-protocol ppp
traffic-policy 3G_policy outbound //Apply the 3G traffic policy in the outbound direction of the 3G interface.
multi-apn enable //Enable the multi-APN function.
#
interface Cellular0/0/0:1 //Enter the 3G channel interface numbered 1.
description *** 3G VOICE ***
link-protocol ppp
ip address ppp-negotiate //Obtain IP addresses dynamically through PPP negotiation.
dialer enable-circular //Enable the circular DCC function.
dialer-group 1 //Associate the dialer ACL numbered 1 with the 3G channel interface.
dialer timer idle 20
dialer timer autodial 10 //Set the interval for automatic dialup.
dialer number *99***1# //Configure a dialer number.
qos pre-nat //Enable the NAT pre-classification function.
apn-profile imsbackup //Bind the APN profile to the 3G channel interface.
nat outbound 3001 //Configure the outbound NAT function.
#
interface Cellular0/0/0:2
description *** 3G DATA***
ip address negotiate //Obtain IP addresses dynamically through WWAN negotiation.
dialer enable-circular //Enable the circular DCC function.
dialer-group 1 //Associate the dialer ACL numbered 1 with the 3G channel interface.
dialer timer idle 20
dialer timer autodial 10
dialer number *99***1# //Configure a dialer number.
qos pre-nat //Enable the NAT pre-classification function.
standby track nqa data wan_connected_check //Configure association between interface backup and NQA to monitor the primary link in real time.
apn-profile webdsl //Bind the APN profile to the 3G channel interface.
nat outbound 3001 //Configure the outbound NAT function.
#
interface Atm0/0/0 //Enter the ATM interface.
traffic-policy traffic_policy outbound //Apply the traffic policy in the outbound direction of the ATM interface.
#
interface Atm0/0/0.1 p2p //Enter an ATM sub-interface. The sub-interface transmits voice traffic.
description *** PVC ADSL VOICE ***
pvc 10/35 //Create a PVC with VPI/VCI 10/35.
map bridge Virtual-Ethernet0/0/1 //Reference the IPoEoA mapping created on VE0/0/1 in the PVC view.
#
interface Atm0/0/0.2 p2p //Enter the other ATM sub-interface. The sub-interface transmits data traffic.
description *** PVC ADSL DATA***
start now
#
smart-policy-route //Create a smart-policy-route and enter the smart-policy-route view.
period 1200
wtr period hours 2 //Set the SPR switchover period.
route flapping suppression 2400
prober Virtual-Ethernet0/0/1 nqa degrad voice_linkcheck //Configure a detection link in SPR and associate VE0/0/1 with the NQA test instance degrad voice_linkcheck.
prober Cellular0/0/0:1 nqa degrad voice_linkcheck_3G //Configure a detection link in SPR and associate Cellular0/0/0:1 with the NQA test instance degrad voice_linkcheck_3G.
standby-interface Cellular0/0/0:1 //Configure the function that automatically shuts down Cellular0/0/0:1 when SPR does not select the link of Cellular0/0/0:1.
standby-limit-time 600
link-group group1 //Create a link group named group1.
link-member Virtual-Ethernet0/0/1 //Add the detection link interface VE0/0/1 to the link group group1.
link-group group2 //Create a link group named group2.
link-member Cellular0/0/0:1 //Add the detection link interface Cellular0/0/0:1 to the link group group2.
service-map voice //Create an SPR service profile and enter the SPR service profile view.
cmi-method d+l+j //Configure the CMI calculation formula. The CMI depends on the link delay, jitter, and packet loss ratio. In the formula, d indicates the delay, j indicates the jitter, and l indicates the packet loss ratio.
match acl 3000 //Bind ACL 3000 to the SPR service profile to differentiate voice service traffic.
set delay threshold 100 //Set the delay threshold for services in SPR. When the link delay is larger than the threshold, the link quality is unsatisfactory.
set loss threshold 30 //Set the packet loss ratio threshold for services in SPR. When the link packet loss ratio is larger than the threshold, the link quality is unsatisfactory.
set jitter threshold 30 //Set the jitter threshold for services in SPR. When the link jitter is larger than the threshold, the link quality is unsatisfactory.
set cmi threshold 8840 //Set the CMI threshold. When the CMI is smaller than the threshold, the link CMI is unsatisfactory.
set link-group group1 //Configure group1 as the primary link group.
set link-group group2 backup //Configure group2 as the backup link group.
#
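The link selection that the SPR description and the service-map voice profile above define, modelled in Python as an added example (not Huawei code and not the device's own implementation): each link's NQA delay, jitter and packet loss are checked against the profile thresholds, a qualifying link is taken from group1 before group2, and the standby-limit-time shutdown of the backup interface is tracked. It assumes that cmi-method d+l+j yields CMI = 9000 - d - l - j, which is consistent with the configured threshold 8840 = 9000 - (100 + 30 + 30); the probe values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CMI_BASE = 9000  # assumption: cmi-method d+l+j gives CMI = 9000 - d - l - j


@dataclass
class Probe:
    """One NQA UDP-jitter result for a link (constructed sample values below)."""
    delay: float   # ms
    loss: float    # packet loss ratio, percent
    jitter: float  # ms


@dataclass
class ServiceMap:
    """Mirror of the 'service-map voice' thresholds and link groups."""
    delay_threshold: float
    loss_threshold: float
    jitter_threshold: float
    cmi_threshold: float
    primary: List[str]   # set link-group group1
    backup: List[str]    # set link-group group2 backup
    best_effort: Optional[str] = None


def cmi(p: Probe) -> float:
    return CMI_BASE - p.delay - p.loss - p.jitter


def link_ok(p: Probe, sm: ServiceMap) -> bool:
    """Every per-indicator threshold and the CMI threshold must be satisfied."""
    return (p.delay <= sm.delay_threshold and p.loss <= sm.loss_threshold
            and p.jitter <= sm.jitter_threshold and cmi(p) >= sm.cmi_threshold)


def select_link(sm: ServiceMap, probes: Dict[str, Probe]) -> Optional[str]:
    """Prefer a qualifying primary link, then a backup link, else best-effort.

    Within a group the link with the highest CMI wins; a link without a
    probe result is treated as down and skipped."""
    for group in (sm.primary, sm.backup):
        ok = [l for l in group if l in probes and link_ok(probes[l], sm)]
        if ok:
            return max(ok, key=lambda l: cmi(probes[l]))
    return sm.best_effort


def standby_shutdown_due(standby: str, selected: Optional[str],
                         idle_since: Dict[str, float], now: float,
                         limit: float = 600) -> bool:
    """Model of 'standby-interface ... standby-limit-time 600': report whether
    the standby interface has gone unselected for at least the limit."""
    if selected == standby:
        idle_since.pop(standby, None)   # in use again: reset the idle timer
        return False
    idle_since.setdefault(standby, now)
    return now - idle_since[standby] >= limit


VOICE = ServiceMap(delay_threshold=100, loss_threshold=30, jitter_threshold=30,
                   cmi_threshold=8840,
                   primary=["Virtual-Ethernet0/0/1"], backup=["Cellular0/0/0:1"])

# Constructed probe results: the ATM/VE link exceeds the delay threshold,
# so voice traffic moves to the 3G voice channel interface.
SAMPLE = {"Virtual-Ethernet0/0/1": Probe(delay=120, loss=0, jitter=10),
          "Cellular0/0/0:1": Probe(delay=80, loss=5, jitter=20)}

if __name__ == "__main__":
    print(select_link(VOICE, SAMPLE))  # Cellular0/0/0:1
```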