operating huawei v3[1]
1
Huawei Introduction
Basis of VRP CLI
July 2006
2
Contents
• Introduction to the platform and SO
• IP address configuration
• Static routing
• Dynamic routing (distance vector algorithms)
• Dynamic routing (link state algorithms)
• Summarization and classless routing
• Redistribution
• Link protocols (HDLC & PPP, frame relay)
• Link protocols (frame relay)
• Access lists
• NAT
• LAN switching
• VLAN switching
3
VRP Introduction
Versatile Routing Platform (VRP):
• Core: TCP/IP stack
• Integrated technologies: routing, QoS, VPN, security, and VoIP
• Data forwarding: IP TurboEngine technology
4
VRP Functionality
Attribute: Network interconnectivity
  LAN protocols: Ethernet_II, Ethernet_SNAP, VLAN, Bridge
  Link layer protocols: PPP, MP, SLIP, ISDN, PPPoE, IPoA, PPPoA, PPPoEoA, HDLC, Frame Relay, LAPB, X.25, ATM
  VPN: L2TP VPN, GRE VPN, IPSec VPN, MPLS VPN (L2/L3), DVPN
5
VRP Functionality (Continued)
Attribute: Network protocols
  IP services: ARP, static domain name resolution, IP unnumbered, DHCP relay, DHCP server, DHCP client
  Non-IP services: DLSw, IPX
  IP routing: static routing management; dynamic routing protocols (RIP-1/RIP-2, OSPF, BGP, IS-IS); routing policy; policy routing; multicast routing protocols (IGMP, PIM-DM, PIM-SM, MBGP, MSDP)
6
VRP Functionality (Continued)
Attribute: Network security
  Authentication, Authorization, Accounting (AAA) services: RADIUS, CHAP authentication, PAP authentication
  Firewalls: packet filter (interface-based ACL, period-based ACL); firewall (packet filtering firewall, ASPF (stateful firewall))
  Data security: terminal access security; IPSec & IKE
  NAT: allow LAN users to access external networks using the IP addresses in an address pool; associate an ACL with an address pool; associate an ACL with an interface; allow hosts on external networks to access an internal server; configure the time period during which address translation is valid; support multiple ALGs
7
VRP Functionality (Continued)
Attribute: MPLS
  Basic MPLS functions, MPLS VPN, MPLS QoS, MPLS TE
Attribute: Network reliability
  Backup center, VRRP, hot-swappable interface cards, fans and power modules
Attribute: QoS
  Traffic policing
  Congestion management: FIFO, PQ, CQ, WFQ, CBWFQ/LLQ, RTP
  Congestion avoidance: WRED
  Traffic shaping (TS)
  Interface rate limit (LR)
  FR QoS
  MPLS QoS
Attribute: Dialup network
  DCC configuration, modem management configuration
8
VRP Functionality (Continued)
Attribute: Configuration management
  Command Line Interface (CLI):
  • Local configuration via the Console port
  • Remote configuration via the AUX port
  • Local or remote configuration via Telnet or SSH
  • Hierarchical command protection to safeguard the router against intrusion by unauthorized users
  • Detailed debugging information to help with network troubleshooting
  • Network testing tools such as the tracert and ping commands, to quickly diagnose whether the network is running correctly
  • Direct login to other routers with the telnet command, to manage them
  • FTP server/client model, so that configuration files and applications can be downloaded and uploaded with FTP
  • File uploading and downloading with TFTP
  • Log function
  • File system management
  • User-interface configuration, with multiple approaches to authentication and authorization of login users
  • Standard SNMPv3, compatible with SNMPv2c and SNMPv1
  • Network Time Protocol (NTP)
9
Setup via Console
(Diagram: the PC's RS-232 serial port is connected by a console cable to the router's Console port.)
10
Setup via Telnet
(Diagram: a workstation, a server and a laptop PC reach the router over 100BASE-TX Ethernet.)
11
Command Views
Command lines are associated with command views:
• User view, prompt <Quidway>
• System view, prompt [Quidway]
• Routing protocol views: OSPF, RIP, BGP, IS-IS ...
• Interface views: FE, GE, synchronous serial, cE1, E3, cT1, T3, ATM, POS, CPOS, virtual-template, virtual Ethernet, loopback, null, tunnel
• User interface view
• L2TP group view
• Route mapping view
12
Command Line On-line Help
Enter "?" in any view to list all the commands available in that view, each with a brief description.
<Quidway> ?
User view commands:
  cd       Change current directory
  clock    Specify the system clock
  ......
[Quidway] ?
System view commands:
  configure  Enter configuration mode
  delete     Erase the configuration file in flash or nvram
  reboot     Reboot the router
  save       Write running configuration to flash or nvram
  ......
13
Command Line On-line Help
Enter a command followed by a space and "?". If "?" stands for a keyword, all the keywords and their brief descriptions are listed.
<Quidway> display ?
  aaa   AAA status and configuration information
  acl   Acl status and configuration information
  ......
14
Command Line On-line Help
Enter a command followed by a space and "?". If "?" stands for a parameter, descriptions of the possible parameters are given.
[Quidway] interface ethernet ?
  <3-3>  Slot number
[Quidway] interface ethernet 3?
  /
[Quidway] interface ethernet 3/?
  <0-0>
[Quidway] interface ethernet 3/0?
  /
[Quidway] interface ethernet 3/0/?
  <0-0>
[Quidway] interface ethernet 3/0/0 ?
  <cr>
15
Command Line On-line Help
Enter a character string followed by "?". All the commands starting with this string are displayed.
<Quidway> d?
debugging  delete  dir  display
Press <Tab> after entering the first few letters of a keyword to display the complete keyword, provided those letters identify the keyword uniquely within the command.
16
Error Information
Error message           Cause
Unrecognized command    No such command
                        No such parameter
                        Parameter type wrong
                        Invalid parameter value
Incomplete command      Command incomplete
Too many parameters     Too many parameters
Ambiguous command       The string you entered does not identify a command uniquely
17
History Command
Operation                          Key                          Result
Display the history commands       display history-command      Display the history commands that the user has entered
Access the last history command    Up-arrow key or <Ctrl+P>     Display the earlier history command, if there is any. Otherwise, the system rings the alarm.
Access the next history command    Down-arrow key or <Ctrl+N>   Display the next history command, if there is any. Otherwise, the system clears the command line and rings the alarm.
18
Entering/Exiting System View
Enter the system view from the user view:      system-view
Return to the user view from the system view:  quit
Return to the user view from any other view:   return
19
Command Levels
The system commands are divided into four levels:
• Visit: network diagnosis tools such as ping, and commands for visiting external devices, such as the Telnet client.
• Monitor: commands used for system maintenance and service fault diagnosis, including display and debugging commands.
• Config: service configuration commands, including routing commands and commands at the network layer.
• Manage: commands essential to system operation and the system support modules. They provide support to services that concern the file system, FTP, TFTP, XModem download, configuration file switching, power control, standby board control, user management, level setting, and parameter setting within the system (the last case covers commands not provisioned by a protocol or RFC).
20
Visit Level
The commands in visit level:
Visit: includes the commands of network diagnosis tools such as ping and tracert, and the commands for visit to external devices, such as Telnet client, SSH client, and RLOGIN.
21
Monitor Level
The commands in monitor level:
Commands used for system maintenance and service fault diagnosis, including display and debugging commands.
22
Config Level
The commands in config level:
Config: service configuration commands, including routing commands and commands at the network layer.
23
Manage Level
The commands in manage level:
Manage: commands essential to system operation and the system support modules. They provide support to services that concern the file system, FTP, TFTP, XModem download, configuration file switching, power control, standby board control, user management, level setting, and parameter setting within the system (the last case covers commands not provisioned by a protocol or RFC).
24
Huawei Introduction
Configuration Basics
25
Basic Configuration Commands
Name the device:                          [Quidway] sysname NE16-A
Erase the configuration saved in flash:   <Quidway> reset saved-configuration
Reset the router:                         <Quidway> reboot
Write the description of an interface:    [Quidway-Ethernet1/0/0] description NE ethernet interface
Configure the IP address of an interface: [Quidway-Atm1/0/0] ip address 129.102.0.1 255.255.255.0
26
Configuring System Clock
Set standard time:          clock datetime HH:MM:SS YYYY/MM/DD
Set time zone:              clock timezone time-zone-name { add | minus } offset
Remove time zone setting:   undo clock timezone
Import summer-time scheme:  clock summer-time summer-time-zone-name { one-off | repeating } start-time end-time add-time
Cancel summer-time scheme:  undo clock summer-time
27
Popular Display Command
Operation                                 Command
Display system version                    display version [ slot-id ]
Display system clock                      display clock
Display terminal users                    display users [ all ]
Display original (saved) configuration    display saved-configuration
Display current configuration             display current-configuration
Display the state of debugging switches   display debugging [ interface { interface-type interface-number | interface-name } ] [ module-name ]
......
28
Display filters
Many display commands are available for showing system status information. You can append "|" to a display command to filter its output. Three options are available:
• begin text: display the output starting from the first line that contains "text"
• exclude text: display only the lines that do not contain "text"
• include text: display only the lines that contain "text"
For example, display current-configuration | include ip displays only the configuration lines that contain "ip".
29
Console – first steps
<Quidway> display users
  UI      Delay    Type  Ipaddress  Username  Userlevel
+ 0 CON 0 00:00:00                                3
<Quidway> display clock
03:13:49 UTC Fri 09/30/2005
<Quidway> display cpu-usage
===== Current CPU usage info =====
CPU Usage Stat. Cycle: 28 (Second)
CPU Usage       : 8%
CPU Usage Stat. Time : 2005-09-30 03:16:03
CPU Usage Stat. Tick : 0x4(CPU Tick High) 0x5336e964(CPU Tick Low)
Actual Stat. Cycle : 0x0(CPU Tick High) 0x29ca1bc3(CPU Tick Low)
TaskName  CPU   Runtime(CPU Tick High/CPU Tick Low)
VIDL      92%   0/26989bc6
INFO       0%   0/    3398
ROUT       0%   0/   cc1bf
SOCK       0%   0/   e7926
VTYD       0%   0/   9d294
IPSP       0%   0/    4162
IKE        0%   0/    38d8
TAC        0%   0/   c2a29
SC         0%   0/   a0ba1
...
30
Display version
<Quidway> display version
Copyright Notice:
All rights reserved (Dec 10 2004).
Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed.
Huawei-3Com Versatile Routing Platform Software
VRP(R) software, Version 3.40, Release 0006
Copyright (c) 2003-2004 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights reserved.
Copyright (c) 2000-2003 Huawei Tech. Co.,Ltd. All rights reserved.
Quidway AR28-09 uptime is 0 week, 0 day, 0 hour, 5 minutes
CPU type: PowerPC 8241 200MHz
128M bytes SDRAM Memory
32M bytes Flash Memory
Pcb Version:1.0
Logic Version:1.0
BootROM Version:9.07
[SLOT 0] AUX (Hardware)1.0, (Driver)1.0, (Cpld)1.0
[SLOT 0] 1FE (Hardware)2.0, (Driver)2.0, (Cpld)0.0
[SLOT 0] WAN (Hardware)1.0, (Driver)1.0, (Cpld)1.0
<Quidway>
31
Configuring a Banner
A banner shows information displayed at login, login authentication, or configuration.
Operation Command
Configure the banner to be displayed at login.
header incoming incoming-text
Configure the banner to be displayed at login authentication.
header login login-text
Configure the banner to be displayed when a user enters user view.
header shell shell-text
Cancel the banner setting.
undo header { incoming | login | shell }
32
Configuring Password for User Level Switching
You may set user level switching passwords. After that, a user that logs onto the router with a lower user level is required to provide the password before operating on higher level commands.
Operation Command
Configure a user level switching password.
super password [ level user-level ] { simple | cipher } password
Delete the configured password
undo super password [ level user-level ]
To switch the user level, use: super [ level ]
33
Configuring Command Levels
All the commands are administratively assigned to different views and categorized into four levels: visit, monitor, system, and manage, identified respectively by 0 through 3.
Operation Command
Assign a level to the commands in the specified view.
command-privilege level level view view command-key
Restore the default. undo command-privilege view view command-key
34
User Interface - console
Configure access to the console with a password:
<Quidway> system-view
[Quidway] user-interface console 0
[Quidway-ui-con0] authentication-mode password
[Quidway-ui-con0] set authentication password simple impsat
[Quidway-ui-con0] user privilege level 1
[Quidway-ui-con0] return
<Quidway> quit
User interface Con 0 is available.
Press ENTER to get started.
password:
%Sep 30 03:07:48:621 2005 Quidway SHELL/5/LOGIN: Console login from con0
User privilege changes to 1 level, just equal or less this level's commands can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Quidway>
35
Privilege level passwords
Configure the privilege level passwords:
[Quidway] super password level 1 simple pass1
[Quidway] super password level 2 simple pass2
[Quidway] super password level 3 simple pass3
So when a user wishes to change level:
<Quidway> super 1
Password:
User privilege changes to 1 level, just equal or less this level's commands can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE
<Quidway>
36
Contents and format of the configuration file
The configuration file is a text file with the following properties:
• It is saved as a list of commands. Only non-default parameters are saved, to economize on space.
• The command view is the basic frame for organizing these commands. All commands of the same view are grouped into one section, and blank lines or comment lines (beginning with "#") separate the sections. A separator can be a single line or several lines.
• In general, the sections are arranged in this sequence: global configuration, physical interface configuration, logical interface configuration, routing protocol configuration.
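As an added example, not part of the slides and not VRP code, the following Python parses a constructed configuration listing in the format just described, emulates the begin/include/exclude filters of the Display filters slide, and uses the section structure to audit the user-interface sections: no password authentication, a password stored with simple rather than cipher, or a login that lands directly at level 3. The listing, the host name and the placeholder <cipher-text> are constructed for the example; the command names in it are the ones shown on the slides.

```python
"""Parse a VRP-style configuration listing, emulate the display filters and
audit the user-interface sections.

Added example for the slides, not Huawei code. SAMPLE_CONFIG is a constructed
listing in the format the slides describe (one section per command view, '#'
comment lines between sections, non-default parameters only). The commands in
it are the ones shown on the slides; '<cipher-text>' is a placeholder for an
encrypted password string."""
from typing import Dict, List

SAMPLE_CONFIG = """\
#
 sysname NE16-A
#
interface Ethernet1/0/0
 description NE ethernet interface
 ip address 129.102.0.1 255.255.255.0
#
interface Serial0/0
 link-protocol ppp
#
user-interface con 0
 authentication-mode password
 set authentication password cipher <cipher-text>
 user privilege level 1
#
user-interface vty 0 4
 authentication-mode password
 set authentication password simple huawei
 user privilege level 3
#
return
"""


def split_sections(config: str) -> List[List[str]]:
    """Group the listing into sections. Blank lines and '#' comment lines only
    separate sections, so they are dropped; everything between two separators
    belongs to one command view."""
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                sections.append(current)
                current = []
            continue
        current.append(line)
    if current:
        sections.append(current)
    return sections


def apply_filter(text: str, mode: str, pattern: str) -> List[str]:
    """Emulate 'display ... | { begin | include | exclude } text'.
    begin: output from the first line containing the pattern to the end;
    include: only lines containing the pattern; exclude: only lines without it.
    Plain substring matching is used here; a real device may treat the text
    as a regular expression, so check the release documentation."""
    lines = text.splitlines()
    if mode == "include":
        return [ln for ln in lines if pattern in ln]
    if mode == "exclude":
        return [ln for ln in lines if pattern not in ln]
    if mode == "begin":
        for i, ln in enumerate(lines):
            if pattern in ln:
                return lines[i:]
        return []
    raise ValueError("unknown filter mode: " + mode)


def audit_user_interfaces(config: str) -> Dict[str, List[str]]:
    """Per user-interface section, list the points a reviewer would raise:
    no password authentication, a password saved with the plain-text 'simple'
    keyword instead of 'cipher', or a login that lands directly at level 3."""
    findings: Dict[str, List[str]] = {}
    for section in split_sections(config):
        head = section[0]
        if not head.startswith("user-interface "):
            continue
        body = [ln.strip() for ln in section[1:]]
        issues: List[str] = []
        if not any(ln.startswith("authentication-mode password") for ln in body):
            issues.append("no password authentication configured")
        if any(ln.startswith("set authentication password simple") for ln in body):
            issues.append("password saved in plain text (simple)")
        if any(ln.startswith("user privilege level 3") for ln in body):
            issues.append("login lands at manage level (3)")
        findings[head] = issues
    return findings


if __name__ == "__main__":
    for head, issues in audit_user_interfaces(SAMPLE_CONFIG).items():
        print(head, "->", issues or ["ok"])
    print("\n".join(apply_filter(SAMPLE_CONFIG, "begin", "user-interface vty")))
```

The audit works on the saved listing only, so it is something that can be run against a display current-configuration capture without touching the device; the vty section in the sample trips two of the three checks.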
37
Displaying the router configuration
Operation Command
Display the initial configurations of the router
display saved-configuration
Display the configuration files saved in the system for boot.
display startup
Display the configurations in the current view.
display this
Display the current configurations of the router.
display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ isp | post-system | radius-template | system | user-interface ] ] [ | { begin | include | exclude } string ]
38
Saving the current configuration
The user can modify the current configuration of the router through the command line interface. In order to make the current configuration as the startup configuration of the router at the next power-on, the save command is required to save the current configuration into the default storage device.
Operation Command
Save the current configuration save [ file-name ] [ safely ]
Without the safely keyword the save is fast, but the file does not survive a reboot or power-off during the save; with the safely keyword the save is slower, but the file survives a reboot or power-off during the save. By default, fast saving applies.
39
Erasing the configuration file
Using the reset saved-configuration command, you can erase the configuration file in the current storage device of the router. After the configuration file is erased, default configuration parameters will be used for the initialization at the next power-on of the router.
Operation Command
Erase the configuration file in the storage devices
reset saved-configuration
40
Setting the configuration file
Using the startup saved-configuration command, you can set the configuration file to be used at the next boot.
Operation Command
Set the configuration file to be used at the next boot.
startup saved-configuration filename
41
Huawei Introduction
User Interface Configuration
42
User Interface
The user interface (con, vty) view is a feature provided by the system. Just as the interface view manages interfaces, the purpose of this view is the management of asynchronous interfaces working in flow mode. It lets the user configure the login parameters of various users in a uniform way, since these different kinds of interfaces are usually used for system configuration management.
43
User Interfaces
There are four types of user interfaces commensurate with these configuration modes. They are:
• Console port (CON): the Console port is a kind of line device port. On a router, a Console port of EIA/TIA-232 DCE type is provided for users to make configuration.
• AUX port (AUX): the AUX port is also a kind of line device port. On a router, an AUX port of EIA/TIA-232 DTE type is provided for dialup access via modem.
• Asynchronous serial port (TTY): the TTY user interface is used when a user logs in to the router via an asynchronous serial port or a synchronous/asynchronous serial port working in asynchronous mode.
• Virtual line (VTY): a virtual port is a logical terminal line used for Telnet access to the router, generally known as VTY (Virtual Type line).
44
User Interface
Perform the following tasks to configure a user interface:
• Enter user interface view
• Configure the protocol supported by the current user interface
• Configure the attributes of the asynchronous interface
• Configure terminal attributes
• Configure user management
• Set modem attributes
• Set the redirection function
• Configure incoming and outgoing call restriction on the VTY user interface
45
Example: VTY access
How to disable Telnet access. Note that no access lists are required to close the interface:
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] undo shell
A Telnet terminal that then tries to connect sees:
% connection refused by remote host!
Finer filtering can be done through an ACL:
[Quidway-ui-vty0-4] acl acl-number { inbound | outbound }
46
Displaying…
Displaying the information of users on all user interfaces, and the physical attributes and some configuration of a user interface:
Operation                                                              Command
Display the user information on all the user interfaces                display users [ all ]
Display the physical attributes and some configuration of a user interface   display user-interface [ type-name number ] [ number ]
47
User Priority
Similar to command levels, user priority is divided into Visit, Monitor, System and Manage, with priority identifiers 0 to 3.
Priority  Name     Commands
0         Visit    ping, tracert, telnet
1         Monitor  ping, tracert, telnet, display, debugging
2         System   all configuration commands (except Manage commands) and the commands of priority levels 0 and 1
3         Manage   all commands (including file system, FTP and TFTP commands)
48
Configuring User Authentication Mode
How to enable the use of passwords (in user interface view):
[Quidway-ui-vty0] authentication-mode password
How to set the password:
[Quidway-ui-vty0] set authentication password { cipher | simple } password
49
Performing Password Authentication
A user logging on to the system through VTY 0 must enter the password huawei (password authentication) and is given user priority 3. The configuration commands are:
<Quidway> system-view
[Quidway] user-interface vty 0
[Quidway-ui-vty0] authentication-mode password
[Quidway-ui-vty0] set authentication password simple huawei
[Quidway-ui-vty0] user privilege level 3
50
Huawei Introduction
Interface Configuration
51
Configuring an interface
[Quidway] interface serial 0
[Quidway-Serial0] ?
  Bandwidth      bandwidth information parameter
  Baudrate       Set transmit and receive baudrate
  Link-protocol  Set encapsulation for interface
  Ip             Interface Internet Protocol configure command
  Shutdown       Shutdown the selected interface
  Undo           Negate a command or set its default
  Dialer         Dial-On-Demand routing (DDR) command
  Loopback       Configure internal loopback on an interface
  Mtu            Maximum transmission unit
  ...
52
display interface
<Quidway> dis int s1/0/0
Serial1/0/0 current state : DOWN
Line protocol current state : DOWN
Description : HUAWEI, Quidway Series, Serial1/0/0 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Link layer protocol is PPP
LCP initial
Internet Address is 1.2.1.1/24
Interface is no cable
code nrzi not set, idle-mark not set, loopback not set
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 5 minutes input rate 0 bytes/sec, 0 packets/sec
Last 5 minutes output rate 0 bytes/sec, 0 packets/sec
Input: 0 packets, 0 bytes
Output: 0 packets, 0 bytes
DCD=DOWN DTR=DOWN DSR=DOWN RTS=DOWN CTS=DOWN
Slide callouts: "current state" is the physical layer state information; "Line protocol current state" is the data-link layer state information; "Description" is the interface description; "Maximum Transmit Unit ... Hold timer" gives the MTU and timer of the interface; "Link layer protocol" is the data-link encapsulation; "Interface is no cable" shows DTE, DCE or no cable; the rate and packet counters show data transmitted; the DCD/DTR/DSR/RTS/CTS line shows the physical layer signals.
53
Interface configuration
Features of the synchronous serial interface:
• It can work in two modes, DTE and DCE. Usually the synchronous serial interface serves as DTE and receives the clock provided by the DCE.
• It can be connected to several kinds of external cable, such as V.24 and V.35. The VRP automatically recognizes the type of cable connected and selects the electrical characteristics, so normally no manual configuration is needed.
• The link layer protocols supported on the synchronous serial interface include PPP, FR, LAPB and X.25.
• It supports the network layer protocol IP. The type of external cable and the operating mode (DTE/DCE) of the synchronous serial interface can be viewed with the display interface serial command.
54
Interface configuration
When two synchronous serial interfaces are connected, the line baud rate is determined at the DCE side. Therefore, when the synchronous serial interface acts as DCE, the baud rate must be set. The default baud rate of a synchronous serial interface is 64000 bit/s.
[Quidway-Serial0/0] baudrate ?
  300      only for async mode
  600      only for async mode
  1200     for syn & asyn mode
  2400     for syn & asyn mode
  4800     for syn & asyn mode
  9600     for syn & asyn mode
  ......
  115200   for syn & asyn mode
  128000   only for syn mode
  384000   only for syn mode
  2048000  only for syn mode
Note: The baud rate must not exceed 64 kbit/s when using a V.24 cable!
55
Huawei Introduction
Routing Configuration
56
Displaying the routing table
[Quidway] display ip routing
Routing Tables:
Destination/Mask   proto    pref  Metric  Nexthop     Interface
0.0.0.0/0          Static   60    0       120.0.0.2   Serial0
8.0.0.0/8          RIP      100   3       120.0.0.2   Serial0
9.0.0.0/8          OSPF     10    50      20.0.0.2    Ethernet0
9.1.0.0/16         RIP      100   4       120.0.0.2   Serial0
11.0.0.0/8         Static   60    0       120.0.0.2   Serial0
20.0.0.0/8         Direct   0     0       20.0.0.1    Ethernet0
20.0.0.1/32        Direct   0     0       127.0.0.1   LoopBack0
......
A route is the path information that guides the forwarding of IP packets.
57
Route Preference
The route obtained by the protocol of the highest preference is preferred and added in the routing table.
Routing Protocol Preference
DIRECT 0
OSPF 10
STATIC 60
RIP 100
IBGP 130
OSPF ASE 150
EBGP 170
UNKNOWN 255
58
Route Metric
The route metric identifies the cost for arriving at the destination of the route. Generally, the route metric value will be influenced by the line delay, bandwidth, line seizure ratio, degree of line reliability, hop count, MTU, etc.
Different dynamic routing protocols will select one or several factor(s) to calculate the metric value.
The metric value of the static route is 0.
59
Static Route Configuration
[Quidway] ip route-static <ip_address> [ <mask> | <masklen> ] <interface_name> | <gateway_address> [ preference <preference_value> ] [ reject | blackhole ]
Examples:
[Quidway] ip route-static 129.1.0.0 16 10.0.0.2
[Quidway] ip route-static 129.1.0.0 255.255.0.0 10.0.0.2
[Quidway] ip route-static 129.1.0.0 16 Serial 2
[Quidway] ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
• Destination unreachable route: when the static route towards a destination carries the "reject" parameter, all IP packets to that destination are rejected, and the source host is notified by an ICMP message that the destination is unreachable.
• Destination blackhole route: when the static route towards a destination carries the "blackhole" parameter, all IP packets to that destination are discarded, and no message is sent to the source host.
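The selection rules of the Route Preference and Route Metric slides (lowest preference wins for a given destination/mask, ties broken by metric) together with longest-prefix lookup and the reject/blackhole flags described above, as an added Python example that is not VRP code: the preference values are those from the Route Preference slide, and the candidate routes are constructed from the display ip routing sample, with a second 9.0.0.0/8 route from RIP and two flagged static routes (10.99.0.0/16, 10.98.0.0/16) added for illustration.

```python
"""Route installation and lookup as the routing slides describe them.

Added example, not VRP code. PREFERENCE holds the values from the Route
Preference slide. LEARNED is constructed from the 'display ip routing' sample;
9.0.0.0/8 is offered by both OSPF and RIP to show preference selection, and two
constructed static routes carry the reject and blackhole flags."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Protocol preference from the slide; a lower value is preferred.
PREFERENCE = {"Direct": 0, "OSPF": 10, "Static": 60, "RIP": 100,
              "IBGP": 130, "OSPF ASE": 150, "EBGP": 170, "Unknown": 255}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    proto: str
    metric: int
    nexthop: str
    interface: str
    flag: Optional[str] = None           # None, "reject" or "blackhole"
    pref_override: Optional[int] = None  # 'ip route-static ... preference N'

    @property
    def preference(self) -> int:
        if self.pref_override is not None:
            return self.pref_override
        return PREFERENCE.get(self.proto, PREFERENCE["Unknown"])


def R(prefix: str, proto: str, metric: int, nexthop: str, iface: str,
      flag: Optional[str] = None, pref: Optional[int] = None) -> Route:
    return Route(IPv4Network(prefix), proto, metric, nexthop, iface, flag, pref)


# Constructed candidates: destination/mask, protocol, metric, nexthop, interface.
LEARNED: List[Route] = [
    R("0.0.0.0/0", "Static", 0, "120.0.0.2", "Serial0"),
    R("8.0.0.0/8", "RIP", 3, "120.0.0.2", "Serial0"),
    R("9.0.0.0/8", "OSPF", 50, "20.0.0.2", "Ethernet0"),
    R("9.0.0.0/8", "RIP", 3, "120.0.0.2", "Serial0"),   # same prefix, worse preference
    R("9.1.0.0/16", "RIP", 4, "120.0.0.2", "Serial0"),
    R("11.0.0.0/8", "Static", 0, "120.0.0.2", "Serial0"),
    R("20.0.0.0/8", "Direct", 0, "20.0.0.1", "Ethernet0"),
    R("20.0.0.1/32", "Direct", 0, "127.0.0.1", "LoopBack0"),
    R("10.99.0.0/16", "Static", 0, "-", "-", flag="reject"),     # constructed
    R("10.98.0.0/16", "Static", 0, "-", "-", flag="blackhole"),  # constructed
]


def install(learned: List[Route]) -> Dict[IPv4Network, Route]:
    """Keep one route per destination/mask: the lowest preference wins and a
    tie goes to the lowest metric (metrics only compete within one protocol)."""
    table: Dict[IPv4Network, Route] = {}
    for r in learned:
        cur = table.get(r.prefix)
        if cur is None or (r.preference, r.metric) < (cur.preference, cur.metric):
            table[r.prefix] = r
    return table


def installed_proto(table: Dict[IPv4Network, Route], prefix: str) -> str:
    """Protocol that won the slot for a destination/mask ('' if absent)."""
    r = table.get(IPv4Network(prefix))
    return r.proto if r else ""


def lookup(table: Dict[IPv4Network, Route], dst: str) -> Tuple[str, str]:
    """Forwarding decision for one destination: longest prefix match first,
    then honour a reject or blackhole flag on the chosen route."""
    addr = IPv4Address(dst)
    matches = [r for r in table.values() if addr in r.prefix]
    if not matches:
        return ("no route", "")
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    if best.flag == "reject":
        return ("reject", "packet dropped, ICMP destination unreachable sent to source")
    if best.flag == "blackhole":
        return ("blackhole", "packet dropped silently")
    return ("forward", best.nexthop + " via " + best.interface)


TABLE = install(LEARNED)

if __name__ == "__main__":
    for dst in ("9.1.2.3", "9.5.0.1", "20.0.0.1", "10.99.1.1", "10.98.1.1", "200.1.1.1"):
        print(dst, lookup(TABLE, dst))
```

Two points the code makes explicit: preference only decides between routes to the same destination/mask, so a packet to 9.1.2.3 still follows the RIP /16 rather than the better-preferred OSPF /8, and a flagged static route is a forwarding decision in its own right, not just a missing entry.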
60
Dynamic routing
What is the purpose of dynamic routing protocols?
Route calculation: the dynamic routing protocols calculate the routes from a router to the other network segments in the network.
How is this done? All routers send their known route-related information to their neighbouring routers, so that each router eventually receives all routing information in the network. Then, based on an algorithm, the final route is calculated (in fact, the next hop and metric of the route are calculated).
61
Overview of RIP
RIP is the abbreviation of Routing Information Protocol.
RIP is a special implementation of the distance-vector routing protocol.
RIP (in two versions: RIP-1 and RIP-2) is applied to small and medium-sized networks.
RIP-2 uses the multicast (224.0.0.9) for transmission, and supports authentication and VLSM.
RIP supports split horizon, poison reverse, and triggered updates.
62
Configuration Commands of RIP
Start RIP and enter the RIP view:              [Quidway] rip
Enable RIP on the specified network:           [Quidway-rip] network network-number
Specify the interface version (interface view):
  rip version 1
  rip version 2 [ broadcast | multicast ]
Specify the working state of an interface (interface view):
  rip work
  rip input
  rip output
Configure RIP-2 route aggregation:             summary
Set the interval for RIP route updates:        timers updates time
Set the RIP route timeout:                     timers timeout time
63
Display the RIP Configuration Information
[Quidway] display rip
  RIP is running
  public net VPN-Instance
  Checkzero is on     Default cost : 1
  Summary is on       Preference : 100
  Period update timer : 30
  Timeout timer : 180
  Garbage-collection timer : 120
  No peer router
  Network : 192.168.2.0
64
Debugging Information of the RIP
<Quidway> terminal debugging
% Current terminal debugging is on
<Quidway> debugging rip packet
Rip packet debugging is on
RIP : receive Response from 120.0.0.2
packet : vers 1, cmd Response, length 24
  dest 110.0.0.0, Metric 1
RIP : send 20.0.0.1 to 255.255.255.255
packet : vers 1, cmd Response, length 44
  dest 110.0.0.0, Metric 2
  dest 120.0.0.0, Metric 1
65
Overview of OSPF
• Adaptable to large-scale networks
• Fast route change and convergence
• No routing self-loops
• Supports variable length subnet masks (VLSM)
• Supports area division
• Supports equal-cost routes
• Provides level-by-level route management
• Supports authentication
• Supports transmission of protocol messages to multicast addresses
66
Configuration Commands for OSPF
Operation Command
Configure the Router ID of the router (System view)
router id A.B.C.D
Start the OSPF Protocol (System view)
ospf [ process-id ]
Entering OSPF Area View (OSPF view)
area area-id
Specifying the Network Segment (area view)
network ip-address wildcard-mask
Set the priority of an interface in DR election: (Interface View)
ospf dr-priority value
67
Advanced Configuration Commands for OSPF
Operation Command
Create and configure an OSPF virtual link: (OSPF area View)
vlink-peer router-id [ hello seconds] [ retransmit seconds ] [ trans-delay seconds ] [ dead seconds] [ simple password | md5 keyid key ]
Configuring the Route Aggregation of OSPF Area: (OSPF area view)
abr-summary ip-address mask [ advertise | not-advertise ]
Configuring Aggregation of Imported Routes by OSPF (OSPF view)
asbr-summary ip-address mask [ not-advertise | tag value ]
68
Testing Tools
<Quidway> ping ?
  -a            Select source IP address
  -c            Specify the number of echo requests to send
  -d            Specify the SO_DEBUG option on the socket being used
  -h            Specify TTL value for echo requests to be sent
  -i            Select the interface sending packets
  -n            Numeric output only. No attempt will be made to lookup host addresses for symbolic names
  -p            No more than 8 "pad" hexadecimal characters to fill out the sent packet. For example, -p f2 will fill the sent packet with f and 2 repeatedly
  -q            Quiet output. Nothing is displayed except the summary lines at startup time and when finished
  -r            Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route
  -s            Specifies the number of data bytes to be sent
  -t            Timeout in milliseconds to wait for each reply
  -tos          Specify TOS value for echo requests to be sent
  -v            Verbose output.
  STRING<1-20>  IP address or hostname of a remote system
  ip            IP Protocol
69
More testing tools
<Quidway> tracert ?
  -a            Select source ip address
  -f            First time to live
  -m            Maximum time to live
  -p            UDP port number
  -q            Number of probe packet
  -w            Timeout in milliseconds to wait for each reply
  STRING<1-20>  IP address or hostname of a remote system
70
And more...
<Quidway> terminal ?
  debugging  Enable/disable debug information to terminal
  logging    Enable/disable log information to terminal
  monitor    Enable/disable information output to current terminal
  trapping   Enable/disable trap information to terminal
71
Huawei Introduction
Access Lists
72
IP packet filtering
For any packet a router needs to forward, it first obtains the packet header information and then compares it with the configured rules. Whether the packet is forwarded or discarded depends on the result of the comparison. The key technology for implementing packet filtering is the access control list.
(Diagram: router R sits between the Internet and the company headquarters' internal network; a branch office and an unauthorized user both reach it from the Internet.)
73
Access Lists
According to application purpose, ACLs fall into three groups: basic ACL, advanced ACL, and interface-based ACL.
acl number acl-number [ match-order { config | auto } ]
Kind of list          Number range
Basic ACL             2000-2999
Advanced ACL          3000-3999
Interface-based ACL   1000-1999
74
Configuration of Basic ACL
The command format for configuring a Basic ACL is as follows:
acl { number acl-number} [ match-order { config | auto } ]
rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]
75
Advanced Access Lists
In addition to the source address of a packet, advanced lists can also use the destination address and the protocol number (TCP, UDP, etc.).
For packets carried over TCP and UDP, the destination port number can also be used to differentiate the packets.
rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-mask | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]
76
Configuration Steps of ACL for Firewall
The following applications can be extended as required:
• Set the default filtering mode of the firewall
• Enable/disable filtering based on time range
• Set special time ranges
• Designate a log host
(Diagram: the company headquarters behind a router facing the Internet; the steps are to enable the firewall, define the ACL rules, and apply the ACL to the interface.)
77
Commands for Configuring Firewall Attributes
Enable/disable the firewall:                     firewall { enable | disable }
Set the default filtering mode of the firewall:  firewall default { permit | deny }
Display the firewall status information:         display firewall
78
Apply Access Control List on the Interface
Apply the access control list on the interface and designate whether it filters in the inbound or outbound direction:
firewall packet-filter acl-number { inbound | outbound }
Figure: ACL 101 applied to interface Ethernet0, effective in the outbound direction; ACL 3 applied to interface Serial0, effective in the inbound direction. (The numbers in the figure are illustrative; VRP ACL numbers follow the ranges on the Access Lists slide.)
79
Basic Access List
Figure: E0 connects 172.16.3.0/24, E1 connects 172.16.4.0/24 (host 172.16.4.13), S0 connects to the Internet.
Task: permit only the 172.16.3.0/24 network out to the Internet.
[Quidway] firewall enable
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule 0 permit source 172.16.3.0 0.0.0.255
[Quidway-acl-basic-2000] quit
[Quidway] interface Serial 0/0
[Quidway-Serial0/0] firewall packet-filter 2000 outbound
Because the firewall default filtering mode is permit, a packet from 172.16.4.0/24 matches no rule and is still forwarded. For "only" to hold, add rule 1 deny after the permit rule, or configure firewall default deny.
80
Advanced Access List
Figure: E0 connects 172.16.3.0/24, E1 connects 172.16.4.0/24 (host 172.16.4.13), S0 connects to the Internet (addresses outside 172.16.0.0).
Task: deny FTP from 172.16.4.0/24 to the network on E0, permit the rest of its traffic.
[Quidway] firewall enable
[Quidway] acl number 3000
[Quidway-acl-adv-3000] rule 0 deny tcp source 172.16.4.0 0.0.0.255 destination 172.16.3.0 0.0.0.255 destination-port eq 21
[Quidway-acl-adv-3000] rule 1 deny tcp source 172.16.4.0 0.0.0.255 destination 172.16.3.0 0.0.0.255 destination-port eq 20
[Quidway-acl-adv-3000] rule 2 permit ip source 172.16.4.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
[Quidway-acl-adv-3000] quit
[Quidway] interface Ethernet 0/0
[Quidway-Ethernet0/0] firewall packet-filter 3000 outbound
Rules are compared in order and the first match decides, so the deny rules must precede the permit rule. Port 20 is only the data connection of active-mode FTP; passive-mode transfers use negotiated high ports, so it is the deny on port 21 (the control connection) that actually stops FTP sessions.
81
Packet Filtering based on time range
"Special rules for special time range"
Figure: ACL rules applied between the internal network and the Internet.
During working hours (8:00 a.m. - 5:00 p.m.) only specified sites can be accessed; other sites can be accessed the rest of the time.
82
Configuring Time Range
Time range command: time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]
Display time range command: display time-range { all | time-name }
A rule that references a time range is only in effect while the range is active, as judged by the router's own clock, so keep the clock correct.
83
Huawei Introduction
Network Address Translation
84
Background of Address Translation
IP address resources are increasingly insufficient.
Address translation lets multiple hosts in a LAN access the Internet through one public IP address.
Address translation hides the addressing of the internal LAN from outside hosts (a side effect of translation, not a replacement for packet filtering).
At the same time, address translation can expose services of the internal network, such as FTP, WWW and Telnet, to the external network as required.
85
Configuration of Address Translation
1. Define an ACL to specify which hosts may access the Internet.
2. Choose EASY IP (the interface address) or an address pool to provide the public address(es).
3. Enable address translation in the selected mode (address pool or EASY IP) on the interface connected to the Internet.
86
Configuration of Static NAT
Create the map: nat static inside-address outside-address
Associate it with the corresponding interface: nat outbound static
87
Configuration of Dynamic NAT
EASY IP (associate the ACL with the interface): nat outbound acl-number
Configure a NAT address pool: nat address-group group-number start-addr end-addr
Use the address pool for NAT (associate the ACL with an address pool): nat outbound acl-number address-group group-number [ no-pat ]
With no-pat each inside host is mapped one-to-one to a pool address and TCP/UDP ports are left unchanged; without it many inside hosts share a pool address and are told apart by port (PAT).
88
Monitoring and Maintenance of NAT
Display the address translation configuration: display nat { address-group | aging-time | all | outbound | server | statistics | session [ vpn-instance vpn-instance-name ] [ slot slot-number ] [ destination ip-addr ] [ source global global-addr | source inside inside-addr ] }
Enable NAT debugging: debugging nat { event | packet [ interface { interface-type interface-number | interface-name } ] | alg }
Clear address translation connections: reset nat { log-entry | session }
89
Dynamic NAT (1)
Enable the hosts of the 10.110.10.0/24 network segment to perform address translation, selecting the translated addresses from 202.110.10.10 to 202.110.10.12. Suppose that interface Serial0/0/0 connects to the ISP.
[Quidway] acl number 2001
[Quidway-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-basic-2001] rule deny
Packets from any other source match the final deny rule and are not translated.
90
Dynamic NAT (2)
Configure the address pool:
[Quidway] nat address-group 1 202.110.10.10 202.110.10.12
Allow address translation using the addresses of address pool 1; during translation the TCP/UDP port information is used (PAT):
[Quidway-Serial0/0/0] nat outbound 2001 address-group 1
91
Dynamic NAT (3)
Delete the previous configuration:
[Quidway-Serial0/0/0] undo nat outbound 2001 address-group 1
Configure simple address translation (not using the TCP/UDP port information, so each inside host occupies one pool address):
[Quidway-Serial0/0/0] nat outbound 2001 address-group 1 no-pat
92
Dynamic NAT (4)
Delete the previous configuration:
[Quidway-Serial0/0/0] undo nat outbound 2001 address-group 1
Configure simple address translation using EASY IP, that is, the interface address is used to perform the address translation:
[Quidway-Serial0/0/0] nat outbound 2001
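The three variants on the Dynamic NAT slides, as an added example written for this edition (it is not Huawei code): a pool with PAT, the same pool with no-pat, and EASY IP, all gated by ACL 2001. Pool 1 and ACL 2001 are the slide's; the sequential PAT port allocation, the inside hosts, the destination 203.0.113.7 and the interface address 202.110.10.1 are assumptions made for the demonstration.

```python
"""Model of VRP dynamic NAT on the ISP-facing interface (added example, not Huawei's code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatOutbound:
    """Models 'nat outbound acl-number [address-group n [no-pat]]' on one interface."""

    def __init__(self, permitted: ipaddress.IPv4Network, pool: List[str], no_pat: bool = False):
        self.permitted = permitted          # ACL 2001: rule permit source 10.110.10.0 0.0.0.255 / rule deny
        self.pool = list(pool)
        self.no_pat = no_pat
        self.next_port = 1024               # assumption: PAT ports handed out sequentially from 1024
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}   # (proto, inside, port) -> (global, port)
        self.reverse: Dict[Tuple[str, str, int], Tuple[str, int]] = {}    # (proto, global, port) -> (inside, port)
        self.bindings: Dict[str, str] = {}  # no-pat: inside address -> reserved pool address
        self.free = list(pool)

    @classmethod
    def easy_ip(cls, permitted: ipaddress.IPv4Network, interface_addr: str) -> "NatOutbound":
        """'nat outbound 2001' without an address group: the interface address is the only global address."""
        return cls(permitted, [interface_addr], no_pat=False)

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Returns the flow as it leaves the interface, or None if the pool is exhausted."""
        if ipaddress.IPv4Address(flow.src) not in self.permitted:
            return flow                     # ACL does not permit: forwarded unchanged, not translated
        key = (flow.proto, flow.src, flow.sport)
        if key not in self.sessions:
            if self.no_pat:
                gaddr = self.bindings.get(flow.src)
                if gaddr is None:
                    if not self.free:
                        return None         # every pool address is already bound to another host
                    gaddr = self.free.pop(0)
                    self.bindings[flow.src] = gaddr
                gport = flow.sport          # no-pat: ports are left alone
            else:
                gaddr, gport = self.pool[0], self.next_port
                self.next_port += 1
            self.sessions[key] = (gaddr, gport)
            self.reverse[(flow.proto, gaddr, gport)] = (flow.src, flow.sport)
        gaddr, gport = self.sessions[key]
        return replace(flow, src=gaddr, sport=gport)

    def untranslate(self, reply: Flow) -> Optional[Flow]:
        """Inbound reply: map the global destination back to the inside host if a session exists."""
        inside = self.reverse.get((reply.proto, reply.dst, reply.dport))
        if inside is None:
            return None                     # unsolicited inbound traffic: no session, dropped
        return replace(reply, dst=inside[0], dport=inside[1])


ACL_2001 = ipaddress.ip_network("10.110.10.0/24")
POOL_1 = ["202.110.10.10", "202.110.10.11", "202.110.10.12"]   # nat address-group 1


def demo() -> dict:
    """Runs constructed flows through the three configurations of the slides."""
    results = {}
    pat = NatOutbound(ACL_2001, POOL_1)                       # nat outbound 2001 address-group 1
    out = [pat.translate(Flow("tcp", f"10.110.10.{i}", 40000, "203.0.113.7", 80)) for i in range(1, 6)]
    results["pat_shared_addr"] = {f.src for f in out}          # one global address for all five hosts
    results["pat_distinct_ports"] = len({f.sport for f in out})
    results["pat_reply_dst"] = pat.untranslate(Flow("tcp", "203.0.113.7", 80, out[0].src, out[0].sport)).dst

    nopat = NatOutbound(ACL_2001, POOL_1, no_pat=True)         # ... address-group 1 no-pat
    out = [nopat.translate(Flow("tcp", f"10.110.10.{i}", 40000, "203.0.113.7", 80)) for i in range(1, 5)]
    results["nopat_addrs"] = [f.src if f else None for f in out]   # fourth host gets nothing

    easy = NatOutbound.easy_ip(ACL_2001, "202.110.10.1")       # nat outbound 2001 (EASY IP)
    results["easy_ip_src"] = easy.translate(Flow("udp", "10.110.10.9", 5353, "203.0.113.7", 53)).src
    results["acl_denied_src"] = easy.translate(Flow("udp", "10.110.99.9", 5353, "203.0.113.7", 53)).src
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the slides leave implicit show up in the results: with no-pat a three-address pool serves exactly three inside hosts before new hosts fail, and an inbound packet with no matching session cannot be mapped to an inside host, which is the "hiding" effect the NAT background slide mentions.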
93
Huawei Introduction
WAN Services
94
PPP
The link-protocol PPP command is the interface configuration command. It specifies the encapsulation type of a WAN interface as PPP. By default, the encapsulated Link Layer protocol is the PPP in Quidway routers.
Operation Command
Encapsulate PPP link-protocol ppp
Configure authentication methodppp authentication-mode {pap | chap}
Configure user name and password
local-user username {simple |cipher} password
95
Typical PPP Configuration
Figure: Quidway #1 (authenticated party) S0/0 -- S0/0 Quidway #2 (authenticating party), PAP authentication.
Authenticating party (Quidway #2):
[Quidway] local-user quidway2 password simple quidway
[Quidway] interface serial 0/0
[Quidway-Serial0/0] ppp authentication-mode pap
Authenticated party (Quidway #1):
[Quidway] interface serial 0/0
[Quidway-Serial0/0] ppp pap local-user quidway2 password simple quidway
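What the two authentication modes of the PPP slides actually put on the serial link, as an added example written for this edition (not Huawei code): the PAP Authenticate-Request of RFC 1334 and the CHAP Challenge/Response of RFC 1994, with both the authenticating party (Quidway #2, holding local-user quidway2) and the authenticated party (Quidway #1). The user name and password are the slide's; the challenge value, the authenticator name and the packet identifiers are constructed.

```python
"""PAP and CHAP exchanges for the slide's local-user (added example, not Huawei's code)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Packet codes (RFC 1334 for PAP, RFC 1994 for CHAP)
PAP_AUTH_REQ, PAP_ACK, PAP_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# The authenticator's user database: [Quidway] local-user quidway2 password simple quidway
LOCAL_USERS = {b"quidway2": b"quidway"}


# ---- PAP: the peer sends its name and password in clear text ----
def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    body = struct.pack("!B", len(peer_id)) + peer_id + struct.pack("!B", len(password)) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def pap_verify(packet: bytes) -> int:
    """Authenticator side: returns the PAP reply code."""
    _code, _ident, _length = struct.unpack("!BBH", packet[:4])
    pos = 4
    id_len = packet[pos]
    peer_id = packet[pos + 1:pos + 1 + id_len]
    pos += 1 + id_len
    pw_len = packet[pos]
    password = packet[pos + 1:pos + 1 + pw_len]
    expected = LOCAL_USERS.get(peer_id)
    if expected is not None and hmac.compare_digest(expected, password):
        return PAP_ACK
    return PAP_NAK


# ---- CHAP: the secret never crosses the link, only MD5(identifier | secret | challenge) ----
def chap_challenge(ident: int, authenticator_name: bytes, value: Optional[bytes] = None) -> bytes:
    value = value if value is not None else os.urandom(16)
    body = struct.pack("!B", len(value)) + value + authenticator_name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_parse(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    vsize = packet[4]
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:length]


def chap_response(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """Authenticated party: hash the identifier, its secret and the challenge value."""
    _, ident, value, _ = chap_parse(challenge_pkt)
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    body = struct.pack("!B", len(digest)) + digest + my_name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(challenge_pkt: bytes, response_pkt: bytes) -> int:
    """Authenticator: recompute the digest from the stored secret and compare in constant time."""
    _, c_ident, value, _ = chap_parse(challenge_pkt)
    _, r_ident, digest, name = chap_parse(response_pkt)
    secret = LOCAL_USERS.get(name)
    if secret is None or r_ident != c_ident:
        return CHAP_FAILURE
    expected = hashlib.md5(bytes([c_ident]) + secret + value).digest()
    return CHAP_SUCCESS if hmac.compare_digest(expected, digest) else CHAP_FAILURE


def run_exchanges(challenge_value: bytes = bytes(range(16))) -> dict:
    """Drives both protocols between Quidway #1 (peer) and Quidway #2 (authenticator)."""
    pap_req = pap_authenticate_request(1, b"quidway2", b"quidway")
    chal = chap_challenge(7, b"quidway2-router", challenge_value)   # authenticator name: assumption
    good = chap_response(chal, b"quidway2", b"quidway")
    bad = chap_response(chal, b"quidway2", b"wrong")
    return {
        "pap_result": pap_verify(pap_req),
        "pap_password_field": pap_req[-7:],          # the literal password, readable on the wire
        "chap_good": chap_verify(chal, good),
        "chap_bad": chap_verify(chal, bad),
        "chap_value_field": chap_parse(good)[2],     # a 16-byte digest, not the secret
    }


if __name__ == "__main__":
    print(run_exchanges())
```

A captured CHAP response is also useless against a later challenge, since the digest is bound to the challenge value; a captured PAP request can be replayed as-is.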
96
HDLC
VRP supports HDLC encapsulation and is compatible with the mainstream equipment of other vendors: link-protocol hdlc
The keepalive interval of the HDLC protocol sets how often keepalive packets are sent to detect the link status: timer hold [ seconds ]
97
Introduction to Frame Relay
Figure: two LANs joined across a frame relay network; the DTE routers attach to DCE switches, the Local Management Interface (LMI) runs between DTE and DCE, and each permanent virtual circuit (PVC) is identified by a data link connection identifier (DLCI).
Permanent virtual circuits (PVCs) use data link connection identifiers (DLCIs).
Frame relay is a fast packet switching technology developed from X.25 packet switching; it is a simplified, improved form of the X.25 protocol.
Frame relay is based on virtual circuits.
98
Frame Relay Configuration Commands
Encapsulate the frame relay protocolEncapsulate the frame relay protocollink-protocol fr [ ietf | nonstandard ]
Configure the terminal type of the frame relay interfacefr interface-type { dce | dte | nni }
Select the LMI typefr lmi type { ansi | nonstandard | q933a
}
99
Configure Frame Relay Address Mapping
Configure frame relay static address mapping: fr map ip { protocol-address [ ip-mask ] | default } dlci [ broadcast ] [ nonstandard | ietf ]
Configure frame relay dynamic inverse ARP: fr inarp [ ip ] [ dlci ]
The frame relay address mapping sets up the mapping between a remote protocol address and the local DLCI. This address mapping can be static or dynamic.
100
Configure Local Virtual Circuits of Frame Relay
Allocate a virtual circuit number to the frame relay interface: fr dlci dlci-number
When the frame relay interface type is DCE or NNI, the interface (main interface or sub-interface) must be configured with its virtual circuits manually. When the interface type is DTE, the main interface learns its virtual circuits automatically from the remote equipment; sub-interfaces must still be configured with virtual circuits manually.
101
Configure Frame Relay Subinterface
Create frame relay subinterface and enter Create frame relay subinterface and enter the subinterface configuration modethe subinterface configuration mode
interface type number.subinterface-number [p2mp | p2p]
Configure the virtual circuit number for Configure the virtual circuit number for the frame relay subinterfacesthe frame relay subinterfaces
Configure Sub-Interface PVC and Configure Sub-Interface PVC and Establish Address MappingEstablish Address Mapping
The command for creating the address mapping is the same as that of the physical interface, you may either use the static or dynamic address mapping. The static address mapping is only needed in point-to-multipoint condition..
102
Configure Frame Relay PVC Switching
Enable frame relay switching: fr switching
Assign a PVC number to the frame relay interface (DCE or NNI): fr dlci dlci-number
Configure the route for frame relay PVC switching: fr dlci-switch in-dlci interface type number dlci out-dlci
Note: if frame relay switching is used, the interface type must be DCE or NNI.
103
Typical Frame Relay Configuration Example I
Figure: Router A (DCE, 202.38.163.251) -- DLCI 100 -- Router B (DTE, 202.38.163.252), both encapsulated as frame relay.
Router A:
fr switching
interface serial 1
ip address 202.38.163.251 255.255.255.0
link-protocol fr
fr interface-type dce
fr dlci 100
fr inarp
(or, with a static map instead of inverse ARP: fr map ip 202.38.163.252 100)
Router B:
interface serial 1
ip address 202.38.163.252 255.255.255.0
link-protocol fr
fr interface-type dte
fr inarp
(or, with a static map instead of inverse ARP: fr map ip 202.38.163.251 100)
104
Typical Frame Relay Configuration Example II
LAN interconnection through a frame relay network.
Figure: Router D acts as the frame relay switch. Router A (IP 202.38.11.251) connects to Router D Serial0/0 with DLCI 50 and DLCI 60; Router B (IP 202.38.11.252) connects to Serial1/0 with DLCI 70; Router C connects to Serial2/0 with DLCI 80.
105
Typical Frame Relay Configuration Example II (Continued)
Configure Router D (FR switching):
# Enable frame relay PVC switching
[RouterD] fr switching
# Encapsulate FR on the interface and set the interface type. Serial0/0 is shown; the other interfaces are configured in the same way.
[RouterD-Serial0/0] link-protocol fr
[RouterD-Serial0/0] fr interface-type dce
# Configure the PVC switching routes (each PVC needs a route in both directions)
[RouterD-Serial0/0] fr dlci-switch 50 interface serial 1/0 dlci 70
[RouterD-Serial0/0] fr dlci-switch 60 interface serial 2/0 dlci 80
[RouterD-Serial1/0] fr dlci-switch 70 interface serial 0/0 dlci 50
[RouterD-Serial2/0] fr dlci-switch 80 interface serial 0/0 dlci 60
Configure Router A:
# Configure the interface IP address
[Quidway-Serial0/1] ip address 202.38.11.251 255.255.255.0
# Set the link layer protocol of the interface to frame relay
[Quidway-Serial0/1] link-protocol fr
[Quidway-Serial0/1] fr interface-type dte
# Configure static address mapping
[Quidway-Serial0/1] fr map ip 202.38.11.252 50
[Quidway-Serial0/1] fr map ip 202.38.11.253 60
106
Frame Relay Monitor and Maintenance
Enable frame relay debugging: debugging fr { all | compress | congestion | de | event | fragment | inarp | lmi | mfr | packet | transmit-rate } [ interface type number ]
View the frame relay status on each interface: display fr interface interface-type interface-num
View the frame relay address mapping table: display fr map-info [ interface interface-type interface-num ]
107
Frame Relay Troubleshooting
The physical layer is DOWN: check the physical lines; check the remote equipment.
The physical layer is UP but the link layer is DOWN: check the protocol encapsulation; check that the DTE/DCE types correspond at both ends; monitor the transmit/receive status of LMI messages.
The link layer protocol is UP but the remote equipment cannot be pinged: check that the link layer protocol is UP on the equipment at both ends; check that the address mapping is correct; check the routing table for a route to the remote equipment.
108
Frame Relay Summary
The local DLCI is used as the frame relay PVC identifier to the destination end.
Quidway supports three LMI types: ANSI (Annex D), CCITT (Annex A) and nonstandard.
Configure static frame relay maps.
Configure subinterfaces to avoid the split horizon problem with routing updates.
By default, Inverse ARP finds the remote protocol address for the local DLCI automatically.
Use the display and debugging commands to monitor frame relay.
109
Huawei Introduction
VLAN Switching
110
LAN Switching
System configuration is similar to the router's.
User interfaces are defined in the same way.
111
Select port duplex
[Quidway-Ethernet0/1] duplex ?
  auto  Enable port's duplex negotiation automatically
  full  Full-duplex
  half  Half-duplex
112
Select port speed
[Quidway-Ethernet0/1] speed ?
  10    Specify speed of current port 10Mb/s
  100   Specify speed of current port 100Mb/s
  auto  Enable port's speed negotiation automatically
113
Configure a VLAN IP Address
In VLAN interface view:
[Quidway] interface Vlan-interface 1
[Quidway-Vlan-interface1] ip address 192.168.1.1 255.255.255.0
Add static routes in system view:
[Quidway] ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
114
Format of 802.1Q Frame
Standard Ethernet frame: DA | SA | Type | Data | CRC
Ethernet frame with IEEE 802.1Q tag: DA | SA | tag | Type | Data | CRC
The 4-byte tag is the TPID (0x8100) followed by the TCI: Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits).
115
Link Type
Access link
Trunk link or hybrid link
116
Frame Changes in Network Communication
Figure: two switches joined by a trunk, each with hosts in VLAN 1 and VLAN 2. Frames are untagged on the access links to the hosts and carry an 802.1Q tag on the trunk between the switches.
117
Trunk and VLAN
Figure: two switches connected by a trunk link carrying VLANs 2, 3, 4 and 5; a directed broadcast in one VLAN crosses the trunk only to the ports of that VLAN on the far switch.
118
VLAN Basic Configuration
Enter the VLAN view, creating the VLAN if it does not exist: vlan vlan_id
Delete a VLAN: undo vlan vlan_id
Add/delete Ethernet interfaces for the VLAN (in VLAN view): [undo] port interface-list
interface-list example: Ethernet 2/0/1 to Ethernet 2/0/24
119
Access Link Configuration
Set the Ethernet interface's link type: port link-type access (undo port link-type restores the default)
Set the PVID of the access interface (interface view): port access vlan vlan-id
Reset the PVID to the default value: undo port access vlan (default: VLAN 1)
120
Trunk Link Configuration
Set the Ethernet interface's link type: port link-type trunk (undo port link-type restores the default)
Set the trunk interface's PVID: port trunk pvid vlan vlan_id (undo port trunk pvid restores the default VLAN ID 1)
Set/cancel the VLANs that may pass through the trunk interface: [undo] port trunk permit vlan { vlan_id_list | all }
Frames of the PVID VLAN cross the trunk untagged. Leaving the PVID at VLAN 1 and permitting all VLANs means the default management VLAN rides every trunk; restrict the permitted list to the VLANs the link actually needs.
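The 802.1Q frame format and the access/trunk port rules of the preceding VLAN slides, modelled as an added example written for this edition (it is not Huawei code and does not describe the switch ASIC). It builds and parses tagged frames (TPID 0x8100, 3-bit priority, CFI, 12-bit VID) and walks one constructed frame from a host in VLAN 2 through an access port, across a trunk and out of access ports in VLAN 2 and VLAN 3. The MAC addresses, the drop of a mismatched tag on an access port and the trunk permit list are assumptions made for the demonstration.

```python
"""802.1Q tagging and access/trunk port behaviour (added example, not Huawei's code)."""
import struct
from typing import Dict, Optional, Tuple

TPID = 0x8100
ETH_HDR = struct.Struct("!6s6sH")       # DA, SA, Type (or TPID when tagged)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, priority: int = 0, cfi: int = 0) -> bytes:
    """Untagged frame, or tagged when vid is given (CRC omitted: the MAC hardware appends it)."""
    if vid is None:
        return ETH_HDR.pack(dst, src, ethertype) + payload
    if not 1 <= vid <= 4094 or not 0 <= priority <= 7:
        raise ValueError("VID must be 1..4094 and priority 0..7")
    tci = (priority << 13) | (cfi << 12) | vid
    return ETH_HDR.pack(dst, src, TPID) + struct.pack("!HH", tci, ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype == TPID:
        tci, etype = struct.unpack_from("!HH", frame, ETH_HDR.size)
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "priority": tci >> 13,
                "cfi": (tci >> 12) & 1, "type": etype, "payload": frame[ETH_HDR.size + 4:]}
    return {"dst": dst, "src": src, "vid": None, "priority": None, "cfi": None,
            "type": etype, "payload": frame[ETH_HDR.size:]}


def strip_tag(frame: bytes) -> bytes:
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["type"], f["payload"])


class SwitchPort:
    """port link-type access (PVID = port access vlan) or trunk (PVID + port trunk permit vlan)."""

    def __init__(self, link_type: str, pvid: int = 1, permit=None):
        self.link_type = link_type
        self.pvid = pvid                                  # default VLAN 1 on both port types
        self.permit = set(permit) if permit is not None else {pvid}

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame into a VLAN; None means the port drops it."""
        f = parse_frame(frame)
        if f["vid"] is None:                              # untagged: belongs to the PVID
            return self.pvid, frame
        if self.link_type == "access":                    # assumption: access ports drop foreign tags
            return (f["vid"], strip_tag(frame)) if f["vid"] == self.pvid else None
        return (f["vid"], strip_tag(frame)) if f["vid"] in self.permit else None

    def egress(self, vid: int, untagged: bytes) -> Optional[bytes]:
        """Send a frame of VLAN vid out of this port, tagging it when the link needs the tag."""
        if self.link_type == "access":
            return untagged if vid == self.pvid else None
        if vid not in self.permit:
            return None
        if vid == self.pvid:                              # PVID frames cross a trunk untagged
            return untagged
        f = parse_frame(untagged)
        return build_frame(f["dst"], f["src"], f["type"], f["payload"], vid=vid)


def walk_topology() -> Dict[str, object]:
    """Host in VLAN 2 -> access port -> trunk -> trunk -> access ports in VLAN 2 / VLAN 3."""
    host_a, host_b = mac("00-e0-fc-00-00-0a"), mac("00-e0-fc-00-00-0b")   # constructed MACs
    original = build_frame(host_b, host_a, 0x0800, b"ping")                # untagged from the host
    access_in = SwitchPort("access", pvid=2)
    trunk = SwitchPort("trunk", pvid=1, permit={1, 2, 3})                  # port trunk permit vlan 1 to 3
    access_v2, access_v3 = SwitchPort("access", pvid=2), SwitchPort("access", pvid=3)

    vid, untagged = access_in.ingress(original)
    on_trunk = trunk.egress(vid, untagged)
    vid2, untagged2 = trunk.ingress(on_trunk)
    return {
        "vid_on_trunk": parse_frame(on_trunk)["vid"],
        "trunk_tagged": parse_frame(on_trunk)["vid"] is not None,
        "to_vlan2_host": access_v2.egress(vid2, untagged2),
        "to_vlan3_host": access_v3.egress(vid2, untagged2),
        "vlan3_tag_on_access_port": access_in.ingress(build_frame(host_b, host_a, 0x0800, b"x", vid=3)),
        "original": original,
    }


if __name__ == "__main__":
    for k, v in walk_topology().items():
        print(k, v)
```

The VLAN 3 access port returns None for the VLAN 2 frame, which is the isolation the Trunk and VLAN slide draws; the last entry shows an access port refusing a frame that arrives already tagged with a VLAN other than its PVID.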
121
Review of Spanning Tree
What happens in a network with loops?
How to avoid the loops?
STP resolves this problem and provides link redundancy.
122
Applications of Transparent Bridge
Expands the LAN scale; learns station address information dynamically without configuration.
Problem: frames or packets might be forwarded around a loop continuously, resulting in network congestion.
123
Why we need spanning tree protocol?
To remove path loops that might exist in the bridged network by blocking redundant links.
To activate redundant backup links to restore network connectivity when the current active path fails.
Figure: a root bridge connecting LAN A, LAN B, LAN C, LAN D and LAN E through redundant bridges.
124
Basic Principle of Spanning Tree Protocol
Bridges exchange BPDUs among themselves and do the following:
Select one of all the bridges in the network as the root;
Each bridge calculates the shortest path from itself to the root;
For each LAN, select the bridge nearest to the root as the designated bridge, which handles the data forwarded on that LAN;
Each bridge selects a root port; the path through this port is the optimal path from this bridge to the root;
Select the other ports that belong to the spanning tree (designated ports) besides the root port.
127
Statuses of interface
Port status | Port ability
Disabled | Does not receive or send any message
Blocking | Does not receive/forward data; receives but does not transmit BPDUs; does not learn addresses
Listening | Does not receive/forward data; receives and transmits BPDUs; does not learn addresses
Learning | Does not receive/forward data; receives and transmits BPDUs; starts to learn addresses
Forwarding | Receives and forwards data; receives and transmits BPDUs; learns addresses
128
Configure Spanning Tree
Enable/disable STP in system view:
[Quidway] stp { enable | disable }
Enable/disable STP on the interface:
[Quidway-Ethernet0/1] stp { enable | disable }
129
Configurable Parameters of Spanning Trees
Configurable parameters of a spanning tree include:
Bridge priority
Port priority
Path cost of the link corresponding to the port (PortPathCost)
Three important timer parameters (Hello Time / Max Age / Forward Delay)
Bridge diameter of the whole switched network (BridgeDiameter)
130
Determine the Root by Configuration
Bridge ID consists of two parts: BridgePriority + BridgeMacAddress. The bridge with the lowest bridge ID becomes the root, so give the intended root the lowest priority explicitly; otherwise any newly attached switch with a lower MAC address takes over the root role and reshapes the topology.
Configure the bridge priority: [Quidway] stp priority bridge-priority
131
Interface Cost
Configure the cost of the interface: [Quidway-Ethernet0/1] stp cost cost
Default value determined by bandwidth:
Interface bandwidth | Default value | Recommended value range | Value range
10Mb/s   | 2,000 | 200 - 20,000 | 1 - 200,000
100Mb/s  | 200   | 20 - 2,000   | 1 - 200,000
1Gb/s    | 20    | 2 - 200      | 1 - 200,000
10Gb/s   | 2     | 2 - 20       | 1 - 200,000
132
Interface Priority
Port ID consists of two parts: PortPriority + Port number.
Configure the interface priority: [Quidway-Ethernet0/1] stp port priority port-priority
Figure: parallel links, i.e. multiple ports of one bridge connected to the same LAN segment; the port priority decides which of them is chosen.
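The election the STP slides describe, worked through on a constructed three-switch triangle as an added example written for this edition (not Huawei code): bridge ID = (priority, MAC), port ID = (port priority, port number), path costs from the default-by-bandwidth table on the Interface Cost slide. S1 is made root with a priority of 4096; the MAC addresses, the 802.1D defaults of 32768 for bridge priority and 128 for port priority, and the all-100 Mb/s links are assumptions.

```python
"""Root, root port and designated port computation (added example, not Huawei's code)."""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_COST = {10: 2000, 100: 200, 1000: 20, 10000: 2}   # Mb/s -> default port path cost (slide table)
DEFAULT_PORT_PRIORITY = 128                                 # assumption: 802.1D default


@dataclass
class Bridge:
    name: str
    mac: str
    priority: int = 32768                                   # assumption: 802.1D default
    ports: Dict[int, int] = field(default_factory=dict)     # port number -> path cost
    port_priority: Dict[int, int] = field(default_factory=dict)

    def bridge_id(self) -> Tuple[int, int]:                 # lower wins: BridgePriority + BridgeMacAddress
        return (self.priority, int(self.mac.replace("-", ""), 16))

    def port_id(self, port: int) -> Tuple[int, int]:        # lower wins: PortPriority + port number
        return (self.port_priority.get(port, DEFAULT_PORT_PRIORITY), port)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int


def run_stp(bridges: Dict[str, Bridge], links: List[Link]):
    """Returns (root name, root path cost per bridge, port role per bridge and port)."""
    root = min(bridges.values(), key=lambda b: b.bridge_id())
    adj = {n: [] for n in bridges}
    for l in links:
        adj[l.a].append((l.a_port, l.b, l.b_port))
        adj[l.b].append((l.b_port, l.a, l.a_port))

    # Root path cost: a BPDU received on a port adds that port's own cost. Ties break the
    # 802.1D way: (cost, sender bridge ID, sender port ID, own port ID), lowest wins.
    best = {}                                              # name -> (key, root port)
    heap = [((0, root.bridge_id(), (0, 0), (0, 0)), root.name, None)]
    while heap:
        key, name, via_port = heapq.heappop(heap)
        if name in best:
            continue
        best[name] = (key, via_port)
        for own_port, nbr, nbr_port in adj[name]:
            if nbr in best:
                continue
            cand = (key[0] + bridges[nbr].ports[nbr_port], bridges[name].bridge_id(),
                    bridges[name].port_id(own_port), bridges[nbr].port_id(nbr_port))
            heapq.heappush(heap, (cand, nbr, nbr_port))

    roles = {n: {p: "blocked" for p in b.ports} for n, b in bridges.items()}
    for name, (key, root_port) in best.items():
        if root_port is not None:
            roles[name][root_port] = "root"
    # Designated port per segment: the side offering the lowest (root path cost, bridge ID, port ID).
    for l in links:
        a_key = (best[l.a][0][0], bridges[l.a].bridge_id(), bridges[l.a].port_id(l.a_port))
        b_key = (best[l.b][0][0], bridges[l.b].bridge_id(), bridges[l.b].port_id(l.b_port))
        win, port = (l.a, l.a_port) if a_key < b_key else (l.b, l.b_port)
        if roles[win][port] != "root":
            roles[win][port] = "designated"
    costs = {n: k[0] for n, (k, _) in best.items()}
    return root.name, costs, roles


def triangle():
    """Constructed topology: S1 is made root by 'stp priority 4096'; every link is 100 Mb/s."""
    c = DEFAULT_COST[100]
    bridges = {
        "S1": Bridge("S1", "00-e0-fc-00-00-01", priority=4096, ports={1: c, 2: c}),
        "S2": Bridge("S2", "00-e0-fc-00-00-02", ports={1: c, 2: c}),
        "S3": Bridge("S3", "00-e0-fc-00-00-03", ports={1: c, 2: c}),
    }
    links = [Link("S1", 1, "S2", 1), Link("S1", 2, "S3", 1), Link("S2", 2, "S3", 2)]
    return run_stp(bridges, links)


if __name__ == "__main__":
    root, costs, roles = triangle()
    print("root:", root)
    for name in roles:
        print(name, "cost", costs[name], roles[name])
```

On the S2-S3 segment both bridges sit 200 from the root, so the bridge ID decides: S2's lower MAC makes its port 2 designated and S3's port 2 is the one link that ends up blocked. Drop S1's priority back to 32768 and the lowest MAC (S1 again, here) wins by accident rather than by design, which is the point of the root-by-configuration slide.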
133
Timer of STP
Set the forward-delay timer: [Quidway] stp timer forward-delay centiseconds (default value: 15 seconds, i.e. 1500)
Set the hello timer: [Quidway] stp timer hello centiseconds (default value: 2 seconds, i.e. 200)
Set the max-age timer: [Quidway] stp timer max-age centiseconds (default value: 20 seconds, i.e. 2000)
134
Maintenance
Display STP status information: display stp [ interface interface_list ]
Clear STP information: reset stp [ interface interface_list ]
135
Huawei Introduction
End. Thank you!