CloudEngine S5700, S6700 Switches Configuration Examples (V600)


CloudEngine S3700, S5700, and S6700 Series Switches
Typical Configuration Examples (V600)

Issue 05
Date 2023-11-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2024. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. i


CloudEngine S3700, S5700, and S6700 Series Switches
Typical Configuration Examples (V600)

Contents

1 About This Document.............................................................................................................1


2 Campus Configuration Examples.........................................................................................5
2.1 Quick Configuration Guide.................................................................................................................................................. 5
2.1.1 Before You Start................................................................................................................................................................... 5
2.1.2 Small Campus Networks................................................................................................................................................... 5
2.1.2.1 Networking Diagram.......................................................................................................................................................6
2.1.2.2 Data Plan............................................................................................................................................................................. 7
2.1.2.3 Quickly Configuring Small Campus Networks....................................................................................................... 8
2.1.2.3.1 Logging In to the Device (Using a Switch as an Example)............................................................................ 9
2.1.2.3.2 Configuring the Management IP Address and Telnet...................................................................................... 9
2.1.2.3.3 Configuring Interfaces and VLANs....................................................................................................................... 10
2.1.2.3.4 Configuring DHCP...................................................................................................................................................... 13
2.1.2.3.5 Configuring Routing.................................................................................................................................................. 14
2.1.2.3.6 Configuring the Egress Router............................................................................................................................... 15
2.1.2.3.7 Configuring DHCP Snooping and IPSG............................................................................................................... 15
2.1.2.3.8 Verifying Services........................................................................................................................................................ 16
2.1.2.3.9 Saving the Configuration......................................................................................................................................... 17
2.1.3 Small and Midsize Campus Networks........................................................................................................................17
2.1.3.1 Networking Diagram.................................................................................................................................................... 17
2.1.3.2 Data Plan.......................................................................................................................................................................... 18
2.1.3.3 Quickly Configuring Small and Midsize Campus Networks............................................................................21
2.1.3.3.1 Logging In to the Device (Using a Switch as an Example)..........................................................................21
2.1.3.3.2 Configuring the Management IP Address and Telnet....................................................................................22
2.1.3.3.3 Configuring Network Connectivity....................................................................................................................... 23
2.1.3.3.4 Configuring DHCP...................................................................................................................................................... 27
2.1.3.3.5 Configuring OSPF....................................................................................................................................................... 29
2.1.3.3.6 Configuring Reliability and Load Balancing...................................................................................................... 30
2.1.3.3.7 Configuring Link Aggregation................................................................................................................................ 31
2.1.3.3.8 Configuring Rate Limiting....................................................................................................................................... 32
2.1.3.3.9 Configuring the NAT Server and Multiple Egress Interfaces....................................................................... 33
2.1.3.3.10 Verifying Services and Saving the Configuration.......................................................................................... 37
2.2 Campus Network Typical Configuration Examples................................................................................................... 37
2.2.1 Example for Campus Network Connectivity Deployment................................................................................... 37


2.2.1.1 Key Points of Network Connectivity Deployment.............................................................................................. 37


2.2.1.2 Deployment Differences Between Two-Layer and Three-Layer Network Architectures....................... 39
2.2.1.3 Typical CSS and Stack Deployment......................................................................................................................... 42
2.2.1.4 Standalone AC Solution: Core Switches Function as Gateways for Wired and Wireless Users.......... 53
2.2.1.5 Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users.......... 75
2.2.1.6 Standalone AC Solution: Core Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively.......... 99
2.2.1.7 Standalone AC Solution: Aggregation Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively.......... 122
2.2.2 Example for Wired and Wireless User Access Authentication Deployment............................................... 145
2.2.2.1 Key Points of User Access Authentication Deployment ................................................................................ 145
2.2.2.2 Standalone AC + NAC Solution: Core Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively.......... 147
2.2.2.3 Standalone AC + NAC Solution: Aggregation Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively.......... 179
2.2.2.4 Example for Configuring Authentication on Access Devices Functioning as Authentication Points.......... 217
2.2.3 Example for Deploying an Intelligent Simplified Campus Network..............................................................232
2.2.4 Example for Configuring a VRRP Gateway on a Ring Network......................................................................240
2.2.5 Example for Configuring VXLAN in Centralized Gateway Deployment Mode.......................................... 267
2.3 Typical Configuration for Interoperation Between Switches and Firewalls....................................................282
2.3.1 Example for Configuring a Layer 2 Switch to Work with a Firewall for Internet Access....................... 282
2.3.2 Example for Configuring a Layer 3 Switch to Work with a Firewall for Internet Access....................... 288
2.4 Typical Configuration for Interoperation Between Switches and Routers...................................................... 293
2.4.1 Example for Configuring a Layer 2 Switch to Work with a Router for Internet Access......................... 293
2.4.2 Example for Configuring a Layer 3 Switch to Work with a Router for Internet Access......................... 298

3 Switch Feature Configuration Examples....................................................................... 303


3.1 Feature-Specific Configuration Examples.................................................................................................................. 303
3.1.1 Overview of Feature-Specific Configuration Examples......................................................................................303
3.1.2 Basic Configuration........................................................................................................................................................ 303
3.1.2.1 First Login to a Device............................................................................................................................................... 303
3.1.2.1.1 Example for Configuring First Login Through a Console Port..................................................................303
3.1.2.2 CLI-based Device Login............................................................................................................................................. 306
3.1.2.2.1 Example for Configuring Telnet Login.............................................................................................................. 306
3.1.2.2.2 Example for Configuring STelnet Login............................................................................................................ 308
3.1.2.2.3 Example for Configuring Login Through a Console Port........................................................................... 312
3.1.2.2.4 Example for Configuring Telnet Login Based on ACL Rules and RADIUS Authentication.............. 315
3.1.2.2.5 Example for Configuring STelnet Login Based on RADIUS Authentication......................................... 319
3.1.2.3 Web UI-based Login................................................................................................................................................... 323
3.1.2.3.1 Example for Configuring Web UI-based Login Through HTTPS (Default Certificate)..................... 323
3.1.2.4 File System Management......................................................................................................................................... 325
3.1.2.4.1 Example for Managing Files Locally.................................................................................................................. 325
3.1.2.4.2 Example for Configuring a Device as an FTP Server....................................................................................326


3.1.2.4.3 Example for Configuring a Device as an SFTP Server................................................................................. 329


3.1.2.4.4 Example for Configuring a Device as a TFTP Client.....................................................................................332
3.1.2.4.5 Example for Configuring a Device as an FTP Client.....................................................................................333
3.1.2.4.6 Example for Configuring a Device as an SFTP Client.................................................................................. 335
3.1.2.4.7 Example for Configuring a Device as an SCP Client.................................................................................... 341
3.1.3 Interface Management................................................................................................................................................. 343
3.1.3.1 Ethernet Interface........................................................................................................................................................ 343
3.1.3.1.1 Example for Configuring the Rates and Duplex Modes of Ethernet Interfaces................................. 344
3.1.3.1.2 Example for Configuring Layer 2-to-Layer 3 Mode Switching on Ethernet Interfaces....................345
3.1.3.2 Port Isolation................................................................................................................................................................. 347
3.1.3.2.1 Example for Enabling Layer 2 Port Isolation.................................................................................................. 348
3.1.4 System Management..................................................................................................................................................... 349
3.1.4.1 SNMP............................................................................................................................................................................... 349
3.1.4.1.1 Example for Configuring a Device to Communicate with an NMS Through SNMPv1.................... 350
3.1.4.1.2 Example for Configuring a Device to Communicate with NMSs Through SNMPv2c.......................352
3.1.4.1.3 Example for Configuring a Device to Communicate with NMSs Using SNMPv3 USM Users ......356
3.1.4.2 Upgrade Maintenance............................................................................................................................................... 359
3.1.4.2.1 Example for Upgrading a New Device.............................................................................................................. 360
3.1.5 Virtualization.................................................................................................................................................................... 362
3.1.5.1 Stack................................................................................................................................................................................. 363
3.1.5.1.1 Example for Setting Up a Stack.......................................................................................................................... 363
3.1.6 Ethernet Switching......................................................................................................................................................... 367
3.1.6.1 MAC.................................................................................................................................................................................. 367
3.1.6.1.1 Example for Configuring Static MAC Address Entries................................................................................. 367
3.1.6.1.2 Example for Configuring a Blackhole MAC Address Entry........................................................................ 369
3.1.6.1.3 Example for Configuring MAC Address Learning Limit on an Interface............................................... 370
3.1.6.1.4 Example for Configuring MAC Address Learning Limit in a VLAN......................................................... 372
3.1.6.2 Eth-Trunk........................................................................................................................................................................ 374
3.1.6.2.1 Example for Configuring an Eth-Trunk Interface to Work in Manual Mode....................................... 374
3.1.6.2.2 Example for Configuring an Eth-Trunk Interface to Work in Static LACP Mode................................376
3.1.6.2.3 Example for Configuring Local Preferential Forwarding of Traffic on an Eth-Trunk Interface in a CSS or Stack.......... 379
3.1.6.3 VLAN................................................................................................................................................................ 383
3.1.6.3.1 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication Through a Single Device.......... 383
3.1.6.3.2 Example for Configuring Interface-based VLAN Assignment to Implement Intra-VLAN Communication (Through Multiple Devices).......... 384
3.1.6.3.3 Example for Configuring Interface-based VLAN Assignment to Implement Inter-VLAN Communication (Access Devices Functioning as Gateways).......... 388
3.1.6.3.4 Example for Configuring Interface-based VLAN Assignment to Implement Inter-VLAN Communication (Aggregation Device Functioning as the Gateway).......... 393
3.1.6.3.5 Example for Configuring MAC Address-based VLAN Assignment.......................................................... 396
3.1.6.3.6 Example for Configuring Subnet-based VLAN Assignment.......................................................................398
3.1.6.3.7 Example for Configuring VLAN Aggregation..................................................................................................400


3.1.6.3.8 Example for Configuring MUX VLAN (on Cascaded Devices).................................................................. 404
3.1.6.3.9 Example for Configuring Basic QinQ.................................................................................................................408
3.1.6.3.10 Example for Configuring VLAN ID-based Selective QinQ....................................................................... 411
3.1.6.3.11 Example for Configuring MQC-based Selective QinQ.............................................................................. 413
3.1.6.4 STP/RSTP/MSTP............................................................................................................................................................416
3.1.6.4.1 Example for Configuring STP............................................................................................................................... 416
3.1.6.4.2 Example for Configuring RSTP............................................................................................................................ 419
3.1.6.4.3 Example for Configuring MSTP........................................................................................................................... 423
3.1.6.4.4 Example for Configuring MSTP+VRRP Networking......................................................................................429
3.1.6.5 VBST................................................................................................................................................................................. 440
3.1.6.5.1 Example for Configuring Basic VBST Functions.............................................................................................440
3.1.7 IP Addresses and Services............................................................................................................................................ 447
3.1.7.1 ARP Security.................................................................................................................................................................. 447
3.1.7.1.1 Example for Configuring ARP Security............................................................................................................. 447
3.1.7.1.2 Example for Configuring Defense Against ARP MITM Attacks................................................................ 451
3.1.7.2 DHCPv4........................................................................................................................................................................... 454
3.1.7.2.1 Example for Configuring a DHCPv4 Server Based on an Interface Address Pool..............................454
3.1.7.2.2 Example for Configuring a DHCPv4 Server Based on a Global Address Pool (Using a Layer 3 Ethernet Interface).......... 457
3.1.7.2.3 Example for Configuring a DHCPv4 Client...................................................................................................... 461
3.1.7.2.4 Example for Configuring DHCPv4 Relay.......................................................................................................... 463
3.1.7.2.5 Example for Configuring a DHCPv4 Server in VRRP Networking........................................................... 466
3.1.7.3 DHCP Snooping............................................................................................................................................................ 473
3.1.7.3.1 Example for Configuring DHCP Snooping Attack Defense........................................................................ 473
3.1.8 IP Routing.......................................................................................................................................................................... 477
3.1.8.1 IPv4 Static Route.......................................................................................................................................................... 477
3.1.8.1.1 Example for Configuring Static Routes for Interworking Between Different Network Segments.......... 477
3.1.8.1.2 Example for Configuring IPv4 Static Routes to Implement Load Balancing....................................... 481
3.1.9 VPN...................................................................................................................................................................................... 485
3.1.9.1 IPv4 L3VPN.................................................................................................................................................................... 485
3.1.9.1.1 Example for Configuring Mutual Access Between Local IPv4 L3VPNs.................................................. 485
3.1.9.1.2 Example for Configuring Basic IPv4 L3VPN over MPLS.............................................................................. 490
3.1.9.1.3 Example for Configuring Hub-Spoke (Double Links Between the Hub-PE and Hub-CE).............. 503
3.1.9.1.4 Example for Configuring L3VPN+VRRP............................................................................................................ 512
3.1.9.1.5 Example for Configuring a Route-Policy to Control Mutual Access Between L3VPN Users..........526
3.1.9.2 IPv6 L3VPN.................................................................................................................................................................... 534
3.1.9.2.1 Example for Configuring Basic IPv6 L3VPN over MPLS.............................................................................. 534
3.1.9.2.2 Example for Configuring IPv6 L3VPN over MPLS Hub-Spoke.................................................................. 546
3.1.10 Network Slicing............................................................................................................................................................. 556
3.1.10.1 Example for Configuring Network Slicing in an EVPN L3VPNv4 over SRv6 BE Scenario (Static Configuration).......... 556
3.1.10.2 Example for Configuring VLAN Slicing.............................................................................................................. 569


3.1.11 High Availability............................................................................................................................................................ 575


3.1.11.1 VRRP.............................................................................................................................................................................. 575
3.1.11.1.1 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission............................575
3.1.11.2 M-LAG........................................................................................................................................................................... 589
3.1.11.2.1 Example for Configuring Dual-Homing of a Device to a Layer 2 Network Through an M-LAG in Root Bridge Mode.......... 589
3.1.11.2.2 Example for Configuring Dual-Homing of a Device to a Layer 3 Network Through an M-LAG in V-STP Mode.......... 596
3.1.11.2.3 Example for Configuring a Dynamic Routing Protocol for Communication with an M-LAG in V-STP Mode.......... 604
3.1.11.2.4 Example for Configuring Multi-Level M-LAG (V-STP Mode)................................................................. 611
3.1.11.2.5 Example for Configuring M-LAG Devices to Function as DHCPv4 Relay Agents (with Option 82's Suboptions Inserted).......... 624
3.1.11.2.6 Example for Configuring M-LAG Devices to Function as DHCPv4 Relay Agents (Option 82 Carries the Return Address).......... 629
3.1.12 User Access and Authentication.............................................................................................................................. 633
3.1.12.1 AAA................................................................................................................................................................................ 633
3.1.12.1.1 Example for Configuring AAA Local Authentication and Authorization............................................ 634
3.1.12.1.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting................ 636
3.1.12.1.3 Example for Configuring RADIUS Authentication, Authorization, and Accounting........................639
3.1.12.2 NAC................................................................................................................................................................................ 643
3.1.12.2.1 Example for Configuring 802.1X Authentication (AAA Using RADIUS Authentication)............... 643
3.1.12.2.2 Example for Configuring 802.1X Authentication (AAA Using Local Authentication).................... 646
3.1.13 Security............................................................................................................................................................................. 649
3.1.13.1 IPSG................................................................................................................................................................................ 649
3.1.13.1.1 Example for Configuring IPSG Based on a Static Binding Table on an Interface............................649
3.1.13.1.2 Example for Configuring IPSG Based on a Static Binding Table in a VLAN...................................... 650
3.1.13.1.3 Example for Configuring IPSG to Prevent Hosts with DHCP-assigned IP Addresses from Changing Their Own IP Addresses.......... 653
3.1.13.1.4 Example for Configuring IPSG Based on a Dynamic Binding Table in a VLAN................................656
3.1.13.2 Port Security................................................................................................................................................................ 658
3.1.13.2.1 Example for Configuring Port Security........................................................................................................... 658
3.1.14 QoS.................................................................................................................................................................................... 659
3.1.14.1 Packet Filtering.......................................................................................................................................................... 659
3.1.14.1.1 Example for Configuring Access Control Based on Source MAC Addresses......................................660
3.1.14.1.2 Example for Configuring MQC-based Packet Filtering............................................................................. 663
3.1.14.2 Traffic Statistics Collection.....................................................................................................................................665
3.1.14.2.1 Example for Configuring MQC-based Traffic Statistics Collection....................................................... 665
3.1.14.3 Redirection................................................................................................................................................................... 667
3.1.14.3.1 Example for Configuring Redirection to an Interface............................................................................... 667
3.1.14.3.2 Example for Configuring Redirection to a Next-Hop Address............................................................... 671
3.1.14.3.3 Example for Configuring Association Between Redirection to a Next-Hop Address and NQA..675
3.1.14.3.4 Example for Configuring Redirection to Implement Route Selection..................................................680
3.1.14.4 Re-marking.................................................................................................................................................................. 684


3.1.14.4.1 Example for Configuring MQC-based Re-marking.................................................................................... 684


3.1.14.5 Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting......................................................688
3.1.14.5.1 Example for Configuring Traffic Shaping to Limit the Rate of Different Services.......................... 688
3.1.14.5.2 Example for Configuring Traffic Shaping Based on Priority Mapping in a DiffServ Domain......692
3.1.14.5.3 Example for Configuring Traffic Shaping Based on Trusted 802.1p Priorities..................................694
3.1.14.5.4 Example for Configuring Traffic Policing to Limit the Rate of Each IP Address on a Network
Segment........................................................................................................................................................................................ 697
3.1.14.5.5 Example for Configuring Traffic Policing to Limit the Rate on an Interface.................................... 700
3.1.14.5.6 Example for Configuring MQC-based Traffic Policing (Level-1 CAR)................................................. 702
3.1.14.6 Congestion Avoidance............................................................................................................................................. 707
3.1.14.6.1 Example for Configuring WRED........................................................................................................................707
3.1.14.7 Congestion Management....................................................................................................................................... 710
3.1.14.7.1 Example for Configuring Congestion Management.................................................................................. 710
3.1.14.7.2 Example for Configuring Congestion Avoidance and Congestion Management (PQ+WDRR
Scheduling and WRED Profile)............................................................................................................................................. 714
3.1.14.8 MPLS QoS.................................................................................................................................................................... 718
3.1.14.8.1 Example for Configuring MPLS QoS............................................................................................................... 718
3.1.15 System Monitoring....................................................................................................................................................... 727
3.1.15.1 Mirroring...................................................................................................................................................................... 727
3.1.15.1.1 Example for Configuring Local N:1 Port Mirroring.................................................................................... 727
3.1.15.1.2 Example for Configuring Local 1:1 Port Mirroring..................................................................................... 729
3.1.15.1.3 Example for Configuring Local 1:N Port Mirroring (Using an Observing Port)............................... 731
3.1.15.1.4 Example for Configuring Local 1:N Port Mirroring (Using an Observing Port Group)................. 733
3.1.15.1.5 Example for Configuring Local M:N Port Mirroring...................................................................................734
3.1.15.1.6 Example for Configuring MQC-based Local Flow Mirroring (1:1)........................................................736
3.1.15.1.7 Example for Configuring Local VLAN Mirroring......................................................................................... 738
3.1.15.2 NetStream.................................................................................................................................................................... 740
3.1.15.2.1 Example for Configuring Original Flow Statistics Export.........................................................................740
3.1.15.2.2 Example for Configuring Flexible Flow Statistics Export..........................................................................743
3.1.15.3 IFIT.................................................................................................................................................................................. 746
3.1.15.3.1 Example for Configuring IFIT Measurement Based on Whitelist Rules.............................................. 746


1 About This Document

Intended Audience
This document is intended for network engineers responsible for switch
management and maintenance. You should be familiar with basic Ethernet
knowledge and have extensive network management experience. In addition, you
should understand your network well, including the network topology and
deployed network services.

Symbol Conventions
The symbols used in this document are described in the following table.

Symbol                   Description

(symbol not reproduced)  Indicates a hazard with a high level of risk which, if not
                         avoided, will result in death or serious injury.

(symbol not reproduced)  Indicates a hazard with a medium level of risk which, if not
                         avoided, could result in death or serious injury.

(symbol not reproduced)  Indicates a hazard with a low level of risk which, if not
                         avoided, could result in minor or moderate injury.

NOTICE                   Indicates a potentially hazardous situation which, if not
                         avoided, could result in equipment damage, data loss,
                         performance deterioration, or unanticipated results.
                         NOTICE is used to address practices not related to
                         personal injury.

NOTE                     Supplements the important information in the main text.
                         NOTE is used to address information not related to
                         personal injury, equipment damage, and environment
                         deterioration.

Command Conventions
Convention          Description

Boldface            The keywords of a command line are in boldface.

Italic              Command arguments are in italic.

[ ]                 Items (keywords or arguments) in square brackets are optional.

{ x | y | ... }     Alternative items are grouped in braces and separated by
                    vertical bars. One is selected.

[ x | y | ... ]     Optional alternative items are grouped in square brackets and
                    separated by vertical bars. One or none is selected.

{ x | y | ... } *   Alternative items are grouped in braces and separated by
                    vertical bars. A minimum of one or a maximum of all can be
                    selected.

[ x | y | ... ] *   Optional alternative items are grouped in square brackets and
                    separated by vertical bars. Many or none can be selected.

&<1-n>              The parameter before the & sign can be repeated 1 to n times.

#                   The parameter before the # sign can be repeated 1 to n times.

Interface Numbering Conventions


Interface numbers used in this document are examples and must be replaced
according to configuration requirements.

Security Conventions
● Password setting
– Configuring a ciphertext password is recommended. For security
purposes, do not disable password complexity check, and change the
password periodically.
– When configuring a cleartext password, do not start and end the
password with %+%# or %@%# because this will allow the password to
be considered as a valid ciphertext that can be decrypted by the device
and make it visible in the configuration file.
– Ciphertext passwords set for various features must be different. For
example, the ciphertext password set for the AAA feature cannot be used
for other features.
● Encryption algorithm
Currently, the device supports the following encryption algorithms: DES, 3DES,
AES, DSA, RSA, DH, ECDH, HMAC, SHA1, SHA2, and MD5. Select an
encryption algorithm according to the application scenario. Use the
recommended encryption algorithm; otherwise, security protection
requirements may not be met.
– Recommended symmetric encryption algorithm: AES (with a 128-bit or
longer key).
– Recommended asymmetric encryption algorithm: RSA (with a 3072-bit or
longer key). Use different key pairs for encryption and signature.
– Recommended encryption algorithm for the digital signature: RSA (with a
3072-bit or longer key).
– Recommended encryption algorithm for key negotiation: DH (with a
3072-bit or longer key) or ECDH (with a 256-bit or longer key).
– Recommended hash algorithm: SHA2 (256-bit or higher).
– Recommended hash-based message authentication code (HMAC)
algorithm: HMAC-SHA2.
– SHA1, SHA2, and MD5 are hash algorithms and are irreversible; DES,
3DES, RSA, and AES are encryption algorithms and are reversible.
– In SSH2.0, when the symmetric encryption algorithm in CBC mode is
used, data may be subject to a plaintext-recovery attack, causing
disclosure of encrypted data. Therefore, you are not advised to use the
CBC mode for data encryption in SSH2.0.
– SSL provides a handshake mechanism that allows a client and a server to
establish a session, authenticate each other's identity, and negotiate the
key and cipher suite. It is recommended that a cipher suite of TLS 1.2 or a
later version be used during communication. In TLS versions, when the
symmetric encryption algorithm in CBC mode is used, data may be
subject to a plaintext-recovery attack, causing disclosure of encrypted
data. Therefore, you are not advised to use the CBC mode for data
encryption in TLS versions.
● Personal data
Some personal data (such as MAC or IP addresses of terminals) may be
obtained or used during operation or fault locating of your purchased
products, services, or features, so you have an obligation to make privacy
policies and take proper measures according to applicable laws of the country
to fully protect personal data.
● The terms mirrored port, port mirroring, flow mirroring, and mirroring in this
document are mentioned only to describe the purpose of detecting faults and
errors in communication transmission. They do not involve collection or
processing of any personal information or communication data of users.


● Reliability design
Reliability must be factored in during network planning and site design to
ensure device- and solution-level protection. Device-level protection refers to
adding redundancy, for example, duplicating networks, planes, devices, and
inter-board links, to prevent single points of failure. Solution-level protection
refers to fast convergence protection, such as FRR and VRRP. If solution-level
protection is used, ensure that the primary and backup paths do not share
links or transmission devices. Otherwise, solution-level protection may fail to
take effect.

Reference Standards and Protocols


To obtain reference standards and protocols, log in to Huawei official website,
search for "standard and protocol compliance list", and download the Huawei S-
Series Switch Standard and Protocol Compliance List.


2 Campus Configuration Examples

2.1 Quick Configuration Guide
2.2 Campus Network Typical Configuration Examples
2.3 Typical Configuration for Interoperation Between Switches and Firewalls
2.4 Typical Configuration for Interoperation Between Switches and Routers

2.1 Quick Configuration Guide

2.1.1 Before You Start


This document will help you log in to and quickly configure Huawei S series
switches. For more service configurations, see the Switch Configuration Guide.

NOTE

This document applies to switches of V600R022C10 and later versions. To check the device
version, run the display version command in the user view.

Before configuring any data, complete the following tasks:


1. Install and power on the switch.
2. Place the following contact details around your workplace:
Telephone number of the agent responsible for your network construction
and service.
3. Visit the Huawei Enterprise Service Technical Support website (http://
support.huawei.com/enterprise) to register an account. With an account,
you can browse or download more product documents, cases, and bulletins.
You can also enjoy our subscription and message push services.

2.1.2 Small Campus Networks


2.1.2.1 Networking Diagram


NOTE

In this example, S5735-L-V2 switches running V600R022C10 function as the access switches
(ACC1 and ACC2), an S8700-4 switch running V600R022C10 functions as the core switch
(CORE), and an AR651 router running V300R022C10 functions as the egress router.

Figure 2-1 Typical small campus network

● On a small campus network, the S5735-L-V2 is usually deployed at the access
layer, the S8700-4 is usually deployed at the core layer, and an AR series
router is used as the egress router.
● The access switches and core switch are connected through Eth-Trunk to
ensure network reliability.
● Each department has a different VLAN allocated for separating services.
VLANIF interfaces are configured on the core switch to implement Layer 3
communication between different departments.
● The core switch functions as a DHCP server to allocate IP addresses to user
devices on the campus network.
● The DHCP snooping function is configured on access switches to prevent
intranet users from connecting to unauthorized routers to obtain IP addresses.
The IP Source Guard (IPSG) function is also configured on access switches to
prevent intranet users from changing their IP addresses.

2.1.2.2 Data Plan


Before configuring the switches and router, prepare the following data for use in
the next section.

Operation / Item: Data / Description

Configure the management IP address and Telnet
  Management IP address: 10.10.1.1/24
    The management IP address is used to log in to the switch.
  Management VLAN: 5
    The management interface of a switch is MEth0/0/0. For switches without
    management interfaces, you are advised to use VLANIF interfaces for
    inband management.

Configure interfaces and VLANs
  Eth-Trunk type: Static LACP
    The Eth-Trunk works in load balancing or static LACP mode.
  Port type: The Trunk port connects to a switch, and the Access port
  connects to a PC.
    This configuration is for Trunk and Access port setup. If a Hybrid port
    setup is available on a switch, this port can connect to either a host
    or another switch.
  VLAN ID: ACC1: VLAN 10; ACC2: VLAN 20; CORE: VLANs 100, 10, and 20
    VLAN 1 is the default VLAN on the switch. To isolate departments A and B
    at Layer 2, add department A to VLAN 10 and department B to VLAN 20.
    CORE connects to the egress router through VLANIF 100.

Configure DHCP
  DHCP server: CORE
    Configure the DHCP server function on CORE.
  Address pool: VLAN 10: IP address pool 10; VLAN 20: IP address pool 20
    Terminals in department A obtain IP addresses from IP address pool 10.
    Terminals in department B obtain IP addresses from IP address pool 20.
  Address allocation: Based on a global address pool
    N/A

Configure routing of CORE
  IP address: CORE: VLANIF100 10.10.100.1/24, VLANIF10 10.10.10.1/24,
  VLANIF20 10.10.20.1/24
    The IP address of VLANIF 100 is used for CORE to connect to the egress
    router and for intranet users to communicate with the Internet. A
    default route with the next hop pointing to the egress router needs to
    be configured on CORE. After the IP addresses of VLANIF 10 and VLANIF 20
    are configured on CORE, departments A and B can then communicate
    through CORE.

Configure the egress router
  Public interface and IP address: GE0/0/1: 1.1.1.2/30
    GE0/0/1 is the public interface that connects the egress router to the
    Internet.
  Public gateway: 1.1.1.1/30
    The public gateway address is the IP address of the carrier device that
    connects to the egress router. Configure a default route to this IP
    address on the egress router to forward intranet traffic to the
    Internet.
  DNS server address: 8.8.8.8
    The DNS server resolves domain names into IP addresses.
  Intranet interface and IP address: GE1/0/0: 10.10.100.2/24
    GE1/0/0 connects the egress router to the intranet.

Configure DHCP snooping and IPSG
  Trusted interface: Eth-Trunk1
    N/A

2.1.2.3 Quickly Configuring Small Campus Networks


Follow the procedure shown below to configure the switches and router. Once
configurations are complete, user devices within the campus can communicate
with each other, and intranet users can access the Internet.


2.1.2.3.1 Logging In to the Device (Using a Switch as an Example)


1. Connect your PC to the switch through the console cable provided with the
switch. Connect the DB9 connector of the prepared console cable to the PC's
serial port (COM), and the RJ45 connector to the device's console port. If the
PC has no console port, use a USB-to-serial cable.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.
Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 2-1 lists the communication parameters on the switch.

Table 2-1 Default settings of the console port on the switch


Parameter Default Setting

Transmission rate 9600 bit/s

Flow control No flow control

Parity No parity check

Stop bit 1

Data bit 8

3. Press Connect until the following information is displayed. Set the login
password as prompted.
Login authentication
Username:admin1
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
The current login time is 2023-02-26 20:10:05+08:00.

You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.

2.1.2.3.2 Configuring the Management IP Address and Telnet


After configuring the management IP address of a switch, you can log in to the
switch using this address. CORE is used in the example below to show the
procedure of configuring the management IP address and Telnet.
1. Configure the management IP address.
<HUAWEI> system-view
[HUAWEI] vlan 5 //Create management VLAN 5.
[HUAWEI-VLAN5] management-vlan
[HUAWEI-VLAN5] quit

[HUAWEI] interface vlanif 5
[HUAWEI-vlanif5] ip address 10.10.1.1 24
[HUAWEI-vlanif5] quit
2. Add the management interface to the management VLAN.
[HUAWEI] interface 10GE 1/0/8 //Assume that the interface for connecting to the NMS is 10GE 1/0/8.
[HUAWEI-10GE1/0/8] port link-type trunk
[HUAWEI-10GE1/0/8] port trunk allow-pass vlan 5
[HUAWEI-10GE1/0/8] quit
3. Configure Telnet.
[HUAWEI] telnet server enable //By default, the Telnet function is disabled.
[HUAWEI] telnet server-source -i vlanif 5
Warning: Telnet server source configuration will take effect in the next login. Continue? [Y/N]: Y
[HUAWEI] user-interface vty 0 4 //An administrator generally logs in to the switch through Telnet. AAA authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //By default, all protocol types are supported, including SSH and Telnet.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1 password irreversible-cipher Helloworld@6789 //Configure the username and password for Telnet login. The username is case-insensitive, whereas the password is case-sensitive.
[HUAWEI-aaa] local-user admin1 privilege level 3 //Set the administrator account level to 3 (highest).
[HUAWEI-aaa] local-user admin1 service-type telnet

NOTE

STelnet is recommended for logging in to the switch because Telnet may pose security
risks. For detailed configuration procedure, see "Basic Configuration" in the
Configuration Guide based on the version of the device.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and press Enter.

Login authentication
Username:admin1 //Enter the username and password.
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2023-02-06 18:33:18+00:00.
<HUAWEI> //User view prompt
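The points raised in "Security Conventions" (a cleartext password must not be wrapped in the %+%# or %@%# ciphertext markers; STelnet is preferred over Telnet) and the VTY settings configured in step 3 (AAA authentication, restricted inbound protocol, idle timeout) can be checked mechanically before a configuration is pushed to a switch. The following Python script is an added example, not part of this document or of the switch software: it lints a VRP-style configuration snippet for exactly those points. Both configuration texts are constructed for illustration; the hardened variant assumes the stelnet server enable, protocol inbound ssh and service-type ssh commands, which are described in the Basic Configuration guide rather than on this page.

```python
"""Lint a VRP-style management-plane snippet against the Security
Conventions of this document.  Added example: the configuration text below
is constructed, not taken from a device."""
import re

# Markers the device uses to wrap ciphertext; a cleartext password must not
# start and end with one of them (Security Conventions, "Password setting").
CIPHERTEXT_MARKERS = ("%+%#", "%@%#")

# Constructed sample: the Telnet configuration of this section with two
# deviations introduced on purpose: no idle-timeout on the VTY lines and a
# password wrapped in %+%# markers.
SAMPLE_CONFIG = """\
telnet server enable
telnet server-source -i vlanif 5
user-interface vty 0 4
 protocol inbound telnet
 authentication-mode aaa
 quit
aaa
 local-user admin1 password irreversible-cipher %+%#Helloworld@6789%+%#
 local-user admin1 privilege level 3
 local-user admin1 service-type telnet
"""

# Constructed hardened variant: STelnet only, AAA, idle timeout, ordinary
# cleartext password (assumes the stelnet server enable / protocol inbound
# ssh / service-type ssh commands from the Basic Configuration guide).
HARDENED_CONFIG = """\
stelnet server enable
user-interface vty 0 4
 protocol inbound ssh
 authentication-mode aaa
 idle-timeout 15
 quit
aaa
 local-user admin1 password irreversible-cipher Helloworld@6789
 local-user admin1 privilege level 3
 local-user admin1 service-type ssh
"""

PASSWORD_RE = re.compile(
    r"local-user\s+(\S+)\s+password\s+(?:irreversible-cipher|cipher)\s+(\S+)")


def looks_like_ciphertext(password: str) -> bool:
    """True if a password typed in cleartext starts and ends with a
    ciphertext marker, which the device may then treat as ciphertext."""
    return any(password.startswith(m) and password.endswith(m)
               for m in CIPHERTEXT_MARKERS)


def audit_config(config: str) -> list:
    """Return a list of findings (empty when the snippet meets the checks)."""
    findings = []
    vty_lines = []          # indented lines under user-interface vty
    in_vty = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("user-interface vty"):
            in_vty = True
            continue
        if in_vty:
            if line == "quit" or not raw.startswith(" "):
                in_vty = False          # VTY block ended; fall through
            else:
                vty_lines.append(line)
                continue
        if line == "telnet server enable":
            findings.append("telnet: Telnet server enabled; the document "
                            "recommends STelnet for device login")
        m = PASSWORD_RE.match(line)
        if m and looks_like_ciphertext(m.group(2)):
            findings.append(f"aaa: password for {m.group(1)} starts and "
                            "ends with a ciphertext marker")
    if vty_lines:
        if not any(l.startswith("authentication-mode aaa") for l in vty_lines):
            findings.append("vty: authentication-mode is not aaa")
        if not any(l.startswith("idle-timeout") for l in vty_lines):
            findings.append("vty: no idle-timeout configured")
        if not any(l.startswith("protocol inbound") and "all" not in l
                   for l in vty_lines):
            findings.append("vty: inbound protocol not restricted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run against the sample, the script reports the enabled Telnet server, the marker-wrapped password and the missing idle timeout; the hardened variant produces no findings. The checks are deliberately string-based so they can be run on a saved configuration file without access to the device.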

2.1.2.3.3 Configuring Interfaces and VLANs

Configuring the Access Switch


1. Starting with access switch ACC1 as an example, create service VLAN 10 on
ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Set the switch name to ACC1.
[ACC1] vlan batch 10 //Create VLANs in a batch.
2. Configure Eth-Trunk 1, through which ACC1 connects to the CORE, to allow
the packets from the VLAN of department A to pass through.
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] port link-type trunk //Set the link type of Eth-Trunk 1 to trunk.
[ACC1-Eth-Trunk1] port trunk allow-pass vlan 10 //Configure Eth-Trunk 1 to transparently transmit packets from the service VLAN on ACC1.
[ACC1-Eth-Trunk1] mode lacp-static //Configure Eth-Trunk 1 to work in LACP mode.
[ACC1-Eth-Trunk1] quit
[ACC1] interface GE 1/0/1 //Add member interfaces to Eth-Trunk 1.
[ACC1-GE1/0/1] eth-Trunk 1
[ACC1-GE1/0/1] quit
[ACC1] interface GE 1/0/2
[ACC1-GE1/0/2] eth-Trunk 1
[ACC1-GE1/0/2] quit

3. Configure the interfaces on ACC1 that connect user devices so that user
devices can be added to the VLAN. Configure the interfaces as edge ports.
[ACC1] interface GE 1/0/5 //Configure the interface connecting to PC1.
[ACC1-GE1/0/5] port link-type access
[ACC1-GE1/0/5] port default vlan 10
[ACC1-GE1/0/5] stp edged-port enable
[ACC1-GE1/0/5] quit
[ACC1] interface GE 1/0/6 //Configure the interface connecting to PC2.
[ACC1-GE1/0/6] port link-type access
[ACC1-GE1/0/6] port default vlan 10
[ACC1-GE1/0/6] stp edged-port enable
[ACC1-GE1/0/6] quit
[ACC1] interface GE 1/0/7 //Configure the interface connecting to printers.
[ACC1-GE1/0/7] port link-type access
[ACC1-GE1/0/7] port default vlan 10
[ACC1-GE1/0/7] stp edged-port enable
[ACC1-GE1/0/7] quit

NOTE

To add all users connected to ACC1 to VLAN 10, you can add Eth-Trunk 1 on CORE to
VLAN 10 as an Access interface without adding interfaces on ACC1 to VLAN 10. This
simplifies the configuration and ensures that all users connected to Eth-Trunk 1 belong
to VLAN 10.
4. Configure the BPDU protection function to improve network stability.
[ACC1] stp bpdu-protection

Configuring the Core Switch


1. Create the VLANs for CORE to communicate with ACC1, ACC2, and the egress
router.
<HUAWEI> system-view
[HUAWEI] sysname CORE //Set the switch name to CORE.
[CORE] vlan batch 10 20 100 //Create VLANs in a batch.

2. Configure downstream interfaces and VLANIF interfaces. The VLANIF
interfaces are used for communication between departments A and B. The
following shows an example of configuring Eth-Trunk1 that connects CORE
and ACC1.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] port link-type trunk //Set the link type to trunk.
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10 //Configure Eth-Trunk 1 to transparently transmit packets from the service VLAN on ACC1.
[CORE-Eth-Trunk1] mode lacp-static //Configure Eth-Trunk 1 to work in LACP mode.
[CORE-Eth-Trunk1] quit
[CORE] interface 10GE 1/0/1 //Add member interfaces to Eth-Trunk 1.
[CORE-10GE1/0/1] eth-Trunk 1
[CORE-10GE1/0/1] quit
[CORE] interface 10GE 1/0/2
[CORE-10GE1/0/2] eth-Trunk 1
[CORE-10GE1/0/2] quit
[CORE] interface Vlanif 10 //Configure a VLANIF interface to allow department A to communicate with department B through Layer 3.
[CORE-Vlanif10] ip address 10.10.10.1 24
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20 //Configure a VLANIF interface to allow department B to communicate with department A through Layer 3.
[CORE-Vlanif20] ip address 10.10.20.1 24
[CORE-Vlanif20] quit

3. Configure upstream interfaces and VLANIF interfaces to allow the campus
network to communicate with the Internet.
[CORE] interface 10GE 1/0/20
[CORE-10GE1/0/20] port link-type access //Set the link type to access.
[CORE-10GE1/0/20] port default vlan 100
[CORE-10GE1/0/20] quit
[CORE] interface Vlanif 100 //Configure a VLANIF interface to allow CORE to communicate with the router at Layer 3.
[CORE-Vlanif100] ip address 10.10.100.1 24
[CORE-Vlanif100] quit
4. After configuring the interfaces and VLANs, run the following commands to
verify the configuration results. For details about the command output, see
the Command Reference based on the version of the device.
Run the display eth-trunk command to view the configurations of Eth-Trunk
on ACC1. The command output shows that GE1/0/1 and GE1/0/2 on ACC1
have been added to Eth-Trunk 1.
[ACC1] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: lacp-static
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fc12-6704
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GE1/0/1 Selected 1000M 32768 2 289 10111100 1
GE1/0/2 Selected 1000M 32768 3 289 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GE1/0/1 32768 00e0-fc12-2212 32768 2 289 10111100
GE1/0/2 32768 00e0-fc12-2212 32768 3 289 10111100
Run the display vlan command to check the VLAN configuration on ACC1.
The command output shows that, on ACC1, GE1/0/5 to GE1/0/7 are added to
VLAN 10 in untagged mode and Eth-Trunk 1 is added to VLAN 10 in tagged
mode.
[ACC1] display vlan
The total number of VLANs is : 1
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common UT:GE1/0/5(U) GE1/0/6(U) GE1/0/7(U)
TG:Eth-Trunk1(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
Run the display eth-trunk command to check the Eth-Trunk interface
configuration on CORE. The command output shows that 10GE1/0/1 and
10GE1/0/2 on CORE have been added to Eth-Trunk 1.
[CORE] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: lacp-static
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fc12-6703
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------

ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
10GE1/0/1 Selected 1000M 32768 2 289 10111100 1
10GE1/0/2 Selected 1000M 32768 3 289 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
10GE1/0/1 32768 00e0-fc12-2211 32768 2 289 10111100
10GE1/0/2 32768 00e0-fc12-2211 32768 3 289 10111100

Run the display vlan command to check the VLAN configuration on CORE.
The command output shows that, on CORE, Eth-Trunk 1 and Eth-Trunk 2 are
added to VLAN 10 and VLAN 20 respectively in tagged mode and 10GE1/0/20
is added to VLAN 100 in tagged mode.
[CORE] display vlan
The total number of VLANs is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
-------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common TG:Eth-Trunk1(U)
20 common TG:Eth-Trunk2(U)
100 common TG:10GE1/0/20(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
100 enable default enable disable VLAN 0100

2.1.2.3.4 Configuring DHCP


Configure the DHCP server on CORE to allocate IP addresses to user devices in
department A (VLAN 10) and department B (VLAN 20).
Department A is used in the example below.

NOTE

In this section, the DHCP server is configured based on a global address pool. You can also
configure the DHCP server based on the interface address pool. For details, see "IP
Addresses and Services Configuration" in the Configuration Guide based on the version of
the device.

1. Create a global address pool, configure the egress gateway and lease (the
default lease of one day is used, and no configuration is required), and
allocate fixed IP address 10.10.10.254 to the printer with MAC address a-b-c.
<CORE> system-view
[CORE] dhcp enable
[CORE] ip pool 10
[CORE-ip-pool-10] network 10.10.10.0 mask 24 //Specify the address pool range that is used to
allocate IP addresses to users in department A.
[CORE-ip-pool-10] gateway-list 10.10.10.1 //Configure the gateway address for users in
department A.
[CORE-ip-pool-10] static-bind ip-address 10.10.10.254 mac-address a-b-c //Allocate a fixed IP
address to the printer.
[CORE-ip-pool-10] quit

2. Configure the global address pool to allocate IP addresses to user devices in
department A.
[CORE] interface vlanif 10
[CORE-Vlanif10] dhcp select global //Configure the global address pool to allocate IP addresses
to users in department A.
[CORE-Vlanif10] quit

3. Run the display ip pool command to view configuration and usage
information. The example below shows the configuration of global address
pool 10.
[CORE] display ip pool name 10
Pool-name : 10
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.1
Network : 10.10.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.10.10.1 10.10.10.254 253 4 249(0) 0 0
-----------------------------------------------------------------------------

NOTE

● After completing the DHCP server configuration, configure network adapters on
PCs to automatically obtain IP addresses. The PCs then can obtain IP addresses
from the DHCP server and access the Internet.
● After dynamic IP address allocation is configured, a PC may take a long time to
obtain an IP address after it starts. The reason is that, on an STP-enabled switch, a
user-facing interface that is not an edge port must pass through the STP listening
and learning states (up to 30 seconds with the default forward delay) before it
forwards traffic, so the PC's first DHCP requests are discarded. To solve this
problem, configure the switch interface that connects to user devices as an edge
port, or disable STP on that interface. The edge port is preferred: an interface with
STP disabled no longer takes part in loop detection at all, whereas an edge port
still reverts to a normal STP port if it receives a BPDU. Combine edge ports with
BPDU protection (stp bpdu-protection) so that such a port is shut down instead.
ACC1 is used in the example below.
# Disable STP.
[ACC1] interface GE 1/0/5
[ACC1-GE1/0/5] stp disable //Alternatively, run the undo stp enable command to disable STP.

# Configure the switch interface that connects to user devices as an edge
port.
[ACC1] interface GE 1/0/5
[ACC1-GE1/0/5] stp edged-port enable
[ACC1-GE1/0/5] quit

After either of the preceding operations is performed, PCs can rapidly obtain
IP addresses after they start.

2.1.2.3.5 Configuring Routing


1. Configure a default static route to the campus egress gateway on CORE so
that CORE forwards intranet traffic to the egress router.
[CORE] ip route-static 0.0.0.0 0 10.10.100.2

2. Run the display ip routing-table command on CORE to view the IP routing
table. A default static route whose next hop address is 10.10.100.2 exists,
indicating that the static route is successfully configured. The direct routes
(one network route and one host route for each VLANIF interface) are generated
automatically when the interfaces go up.
[CORE] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.10.100.2     Vlanif100
     10.10.10.0/24  Direct  0    0           D   10.10.10.1      Vlanif10
     10.10.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
     10.10.20.0/24  Direct  0    0           D   10.10.20.1      Vlanif20
     10.10.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
    10.10.100.0/24  Direct  0    0           D   10.10.100.1     Vlanif100
    10.10.100.1/32  Direct  0    0           D   127.0.0.1       Vlanif100

2.1.2.3.6 Configuring the Egress Router


NOTE

Before configuring the egress router, prepare the following data:


● Public IP address: 1.1.1.2/30
● Public gateway address: 1.1.1.1
● DNS server address: 8.8.8.8
The carrier provides these IP addresses after approving bandwidth service applications.
When configuring a network, use the actual IP addresses provided by the carrier.

1. Configure IP addresses for egress router interfaces connecting to the intranet
and Internet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 1.1.1.2 30
[Router] interface GigabitEthernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.10.100.2 24

2. Configure an ACL that selects the intranet segments whose traffic is translated
when it goes to the Internet. Note that this ACL only chooses which sources NAT
applies to; it does not filter traffic, so packets from a source that matches no
rule are still forwarded to the carrier, untranslated.
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 10.10.10.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 10.10.20.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 10.10.100.0 0.0.0.255

3. Configure NAT on the interface connecting to the Internet so that intranet
users can access the Internet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat outbound 2000

4. Configure specific routes to the intranet segments and a default static route
to the Internet.
[Router] ip route-static 10.10.10.0 255.255.255.0 10.10.100.1
[Router] ip route-static 10.10.20.0 255.255.255.0 10.10.100.1
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

5. Configure DNS resolution. The carrier provides the DNS server address.
[Router] dns resolve
[Router] dns server 8.8.8.8

2.1.2.3.7 Configuring DHCP Snooping and IPSG


User devices can automatically obtain IP addresses after DHCP is configured. If a
user connects a small router (bogus DHCP server) to the intranet and enables the
DHCP server function on the router, authorized intranet users may obtain IP
addresses allocated by the small router and cannot access the Internet. To prevent
this problem, configure DHCP snooping: the switch then discards DHCP server
replies (Offer, ACK, and NAK) received on untrusted interfaces and accepts them
only on the trusted interface that leads to the authorized DHCP server.
Department A is used in the example below.

1. Enable DHCP snooping on ACC1.
<ACC1> system-view
[ACC1] dhcp enable //Enable DHCP.
[ACC1] dhcp snooping enable //Enable DHCP snooping.

2. Enable DHCP snooping on Eth-Trunk 1 that connects to the DHCP server and
configure it as a trusted interface.
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] dhcp snooping enable //Enable DHCP snooping.
[ACC1-Eth-Trunk1] dhcp snooping trusted //Configure Eth-Trunk 1 as a trusted interface.
[ACC1-Eth-Trunk1] quit

3. Enable DHCP snooping on interfaces that connect to user devices. Leave these
interfaces untrusted (the default) so that DHCP server replies arriving on them
are discarded.
[ACC1] interface GE 1/0/5 //Configure the interface connecting to PC1.
[ACC1-GE1/0/5] dhcp snooping enable
[ACC1-GE1/0/5] quit
[ACC1] interface GE 1/0/6 //Configure the interface connecting to PC2.
[ACC1-GE1/0/6] dhcp snooping enable
[ACC1-GE1/0/6] quit
[ACC1] interface GE 1/0/7 //Configure the interface connecting to printers.
[ACC1-GE1/0/7] dhcp snooping enable
[ACC1-GE1/0/7] quit

After the preceding configuration is complete, user devices in department A
can obtain IP addresses from only the authorized DHCP server, and will not
use IP addresses allocated by the small router.
To prevent users from changing IP addresses and attacking the intranet,
enable IPSG after enabling DHCP snooping on the access switch. ACC1 is used
in the example below.
4. On ACC1, enable IPSG in VLAN 10.
[ACC1] vlan 10
[ACC1-vlan10] ipv4 source check user-bind enable//Enable IPSG.
[ACC1-vlan10] quit

ACC1 matches packets received from VLAN 10 against the dynamic binding entries
(IP address, MAC address, VLAN, and interface) in the DHCP snooping binding
table. If a packet matches an entry, ACC1 forwards the packet; otherwise, ACC1
discards it. This is what stops a user from manually changing to another IP
address, or from reusing a lease on a different interface. A host in VLAN 10 that
does not obtain its address through DHCP has no dynamic entry and will be
dropped, so create a static binding entry for each such host before enabling
IPSG. To check packets received from a specified user device instead of all user
devices in the VLAN, enable IPSG on the interface connecting to the device.
For details about how to configure the switch to prevent users from
connecting a small router to the intranet and changing IP addresses, see
"DHCP Snooping Configuration" in "IP Addresses and Services Configuration"
and "IPSG Configuration" in "Security Configuration" in the Configuration
Guide based on the version of the device.
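The following is an added example, not Huawei code and not the switch's implementation. It models, in Python, the behaviour this section configures on ACC1: server-side DHCP messages are accepted only on the trusted port, an acknowledged lease creates a binding entry, and IPSG in VLAN 10 forwards only packets whose source IP, MAC, VLAN and ingress port match an entry. Port names, MAC addresses and the packets in demo() are constructed for the example; the rogue server on GE1/0/6 and the manually addressed printer are assumed scenarios.

```python
"""Behavioural model of DHCP snooping and IPSG on an access switch (added example)."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}             # sent by a DHCP server
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}  # sent by a DHCP client


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted_ports: set = field(default_factory=set)   # 'dhcp snooping trusted'
    ipsg_vlans: set = field(default_factory=set)      # 'ipv4 source check user-bind enable'
    bindings: set = field(default_factory=set)        # DHCP snooping binding table
    client_ports: dict = field(default_factory=dict)  # MAC -> port, learnt from client messages

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message entering on `port`."""
        if msg in SERVER_MSGS and port not in self.trusted_ports:
            return "drop"  # a "small router" answering on a user port is discarded
        if msg in CLIENT_MSGS:
            self.client_ports[client_mac] = port
            if msg == "RELEASE":
                self.bindings = {b for b in self.bindings if b.mac != client_mac}
        elif msg == "ACK" and yiaddr and client_mac in self.client_ports:
            # Lease confirmed by the real server: record where that client lives.
            self.bindings.add(Binding(yiaddr, client_mac, vlan, self.client_ports[client_mac]))
        return "forward"

    def add_static_binding(self, ip, mac, vlan, port):
        """Equivalent of a static binding entry for a host that does not use DHCP."""
        self.bindings.add(Binding(ip, mac, vlan, port))

    def ip_packet(self, port, vlan, src_ip, src_mac):
        """IPSG check: 'forward' or 'drop' for an IP packet entering on `port`."""
        if vlan not in self.ipsg_vlans:
            return "forward"  # IPSG not enabled in this VLAN: no check at all
        if Binding(src_ip, src_mac, vlan, port) in self.bindings:
            return "forward"
        return "drop"  # no matching entry: changed address or moved port


def demo():
    """Walk PC1 and a printer through the scenarios in the text; return the verdicts."""
    sw = AccessSwitch(trusted_ports={"Eth-Trunk1"}, ipsg_vlans={10})
    pc1, printer = "00e0-fc00-0001", "00e0-fc00-00ab"   # constructed MAC addresses
    out = {}
    sw.dhcp("GE1/0/5", 10, "DISCOVER", pc1)
    # A rogue server on GE1/0/6 answers first; the real one answers via the uplink.
    out["rogue_offer"] = sw.dhcp("GE1/0/6", 10, "OFFER", pc1, "192.0.2.1")
    out["real_offer"] = sw.dhcp("Eth-Trunk1", 10, "OFFER", pc1, "10.10.10.100")
    sw.dhcp("GE1/0/5", 10, "REQUEST", pc1)
    sw.dhcp("Eth-Trunk1", 10, "ACK", pc1, "10.10.10.100")
    out["pc1_ok"] = sw.ip_packet("GE1/0/5", 10, "10.10.10.100", pc1)
    out["pc1_changed_ip"] = sw.ip_packet("GE1/0/5", 10, "10.10.10.200", pc1)
    out["pc1_moved_port"] = sw.ip_packet("GE1/0/6", 10, "10.10.10.100", pc1)
    # A printer with a manually set address is dropped until a static binding exists.
    out["printer_before"] = sw.ip_packet("GE1/0/7", 10, "10.10.10.254", printer)
    sw.add_static_binding("10.10.10.254", printer, 10, "GE1/0/7")
    out["printer_after"] = sw.ip_packet("GE1/0/7", 10, "10.10.10.254", printer)
    out["bindings"] = len(sw.bindings)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The model deliberately keys the binding on the ingress port as well as the address: that is what makes a lease useless when the cable is moved to another port, and it is also why a host with a static address silently loses connectivity the moment IPSG is enabled unless it has a static entry.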

2.1.2.3.8 Verifying Services


1. Select two PCs within a department to perform ping tests and verify whether
Layer 2 interworking within the department is normal.
The following example uses two PCs (PC1 and PC2) in department A. The two
PCs communicate at Layer 2 through ACC1. If they can ping each other
successfully, Layer 2 interworking is normal.
<PC1> ping 10.10.10.100 //Assume that PC2 automatically obtains an IP address 10.10.10.100
through DHCP.
PING 10.10.10.100 data bytes, press CTRL_C to break
Reply from 10.10.10.100 : bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 10.10.10.100 : bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 10.10.10.100 : bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 10.10.10.100 : bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 10.10.10.100 : bytes=56 Sequence=5 ttl=253 time=63 ms

--- 10.10.10.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received //PC1 can ping PC2 successfully, indicating that Layer 2 interworking between
PC1 and PC2 is normal.

2. Select one PC from each department to perform ping tests and verify whether
the two departments can communicate at Layer 3 through VLANIF interfaces.
Users in department A and department B communicate at Layer 3 through
VLANIF interfaces on CORE. If PC1 and PC3 can ping each other successfully,
users in the two departments can normally communicate at Layer 3 through
VLANIF interfaces. The ping command is similar to that in step 1.
3. Select one PC from each department to ping a public network address and
verify whether intranet users of the company can access the Internet
normally.
The following example uses department A. Generally, you can ping a public
network gateway address from PC1 to verify whether PC1 can access the
Internet. The public network gateway address is the IP address of the carrier
device to which the egress router connects. If the ping test succeeds, intranet
users can access the Internet normally. The ping command is similar to that in
step 1.

2.1.2.3.9 Saving the Configuration


You must save your data to the configuration file before restarting the switch.
Unsaved data configured on the CLI will be lost after the switch restarts.
1. Save the data to the configuration file. The example below shows the
procedure of saving CORE's configuration file.
<CORE> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0..
Save the configuration successfully.

2.1.3 Small and Midsize Campus Networks

2.1.3.1 Networking Diagram


NOTE

In this example, S5735-L-V2 switches running V600R022C10 function as access switches
(ACC1, ACC2, ACC3, and ACC4), S8700-4 switches running V600R022C10 function as the
core/aggregation switches (CORE1 and CORE2), and an AR651 router running
V300R022C10 functions as the egress router.

Figure 2-2 Typical small/midsize campus network

● On a small or midsize campus network, the S5735-L-V2 is usually deployed at
the access layer, the S8700-4 is usually deployed at the core layer, and an AR
series router is used as the egress router.
● The core switches run Virtual Router Redundancy Protocol (VRRP) to ensure
network reliability and load balance traffic to maximize resource utilization.
● Each department has a different VLAN allocated for separating services.
VLANIF interfaces are configured on the core switch to implement Layer 3
communication between different departments.
● The core switches function as DHCP servers to allocate IP addresses to user
devices on the campus network.
● The DHCP snooping function is configured on access switches to prevent
intranet users from connecting to unauthorized routers to obtain IP addresses.
The IP Source Guard (IPSG) function is configured to prevent intranet users
from changing their IP addresses.

2.1.3.2 Data Plan


Before configuring the switches and router, prepare the following data for use in
the next section.

Operation: Configure the management IP address and Telnet
  Item: Management IP address
  Data: 10.10.1.1/24
  Description: The management IP address is used to log in to the switch.

  Item: Management VLAN
  Data: VLAN 5
  Description: The management interface of a switch (modular or fixed) is
  MEth0/0/0. For switches without management interfaces, you are advised to
  use VLANIF interfaces for inband management.

Operation: Configure interfaces and VLANs
  Item: Port type
  Data: The Trunk port connects to a switch, and the Access port connects to a PC.
  Description: This configuration is for Trunk and Access port setup. If a Hybrid
  port setup is available on a switch, this port can connect to either a host or
  another switch.

  Item: VLAN ID
  Data: ACC1: VLANs 10 and 20
        CORE1: VLANs 10, 20, 30, 40, 50, 100, and 300
  Description: VLAN 1 is the default VLAN on the switch. To isolate departments A
  and B at Layer 2, add department A to VLAN 10 and department B to VLAN 20.
  CORE1 connects to the egress router through VLANIF 100.

Operation: Configure DHCP
  Item: DHCP server
  Data: CORE1 and CORE2
  Description: Configure the DHCP server on CORE1 and CORE2.

  Item: Address pool
  Data: VLAN 10: IP address pool 10
        VLAN 20: IP address pool 20
  Description: Terminals in department A obtain IP addresses from IP address
  pool 10. Terminals in department B obtain IP addresses from IP address pool 20.

  Item: Address allocation
  Data: Based on a global address pool
  Description: N/A

Operation: Configure core switches
  Item: IP address
  Data: CORE1: VLANIF100 172.16.1.1/24
               VLANIF300 172.16.3.1/24
               VLANIF10 192.168.10.1/24
               VLANIF20 192.168.20.1/24
  Description: CORE1 connects to the campus egress router through VLANIF 100
  and connects to CORE2 through VLANIF 300. On CORE1, configure a primary
  route with the next hop pointing to the egress router and a backup route with
  the next hop pointing to CORE2. After the IP addresses of VLANIF 10 and
  VLANIF 20 are configured on CORE1, departments A and B can then communicate
  through CORE1.

  Item: Link aggregation
  Data: -
  Description: The link aggregation mode can be load balancing or static LACP.

Operation: Configure the egress router
  Item: Public interface and IP address
  Data: GE0/0/0: 1.1.1.2/30
  Description: GE0/0/0 is the public interface that connects the egress router
  to the Internet.

  Item: Public gateway
  Data: 1.1.1.1/30
  Description: The public gateway address is the IP address of the carrier
  device that connects to the egress router. Configure a default route to this
  IP address on the egress router to forward intranet traffic to the Internet.

  Item: DNS server address
  Data: 8.8.8.8
  Description: The DNS server resolves domain names into IP addresses.

  Item: Intranet interfaces and IP addresses
  Data: GE0/0/1: 172.16.1.2/24
        GE0/0/2: 172.16.2.2/24
  Description: GE0/0/1 and GE0/0/2 connect the egress router to the intranet.
  They connect to CORE1 and CORE2, respectively.

Operation: Configure DHCP snooping and IPSG
  Item: Trusted interfaces
  Data: GE1/0/3, GE1/0/4
  Description: After trusted interfaces are configured, user devices only receive
  DHCP packets from the trusted interfaces, preventing users from connecting a
  small router to the intranet to allocate IP addresses.

Operation: Configure intranet servers
  Item: FTP server, Web server
  Data: FTP server: 192.168.50.10
        Web server: 192.168.50.20
  Description: 1. The egress router uses NAT to translate between the public and
  private IP addresses of intranet servers. 2. External users can access the
  intranet servers using public IP addresses.

2.1.3.3 Quickly Configuring Small and Midsize Campus Networks


Follow the procedure shown below to configure the switches and router. Once
configurations are complete, user devices within the campus can communicate
with each other, and intranet users can access the Internet.

2.1.3.3.1 Logging In to the Device (Using a Switch as an Example)


1. Connect your PC to the switch through the console cable provided with the
switch.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.
Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 2-2 lists the communication parameters on the switch.

Table 2-2 Default settings of the console port on the switch

Parameter Default Setting

Transmission rate 9600 bit/s

Flow control No flow control

Parity No parity check

Stop bit 1

Data bit 8

3. Press Connect until the following information is displayed. Set the login
password as prompted.

Login authentication
Username:admin1
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
The current login time is 2023-02-26 10:10:05+08:00.

You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.

2.1.3.3.2 Configuring the Management IP Address and Telnet


After configuring the management IP address of a switch, you can log in to the
switch using this address. CORE1 is used in the example below to show the
procedure of configuring the management IP address and Telnet.

1. Configure the management IP address.


<HUAWEI> system-view
[HUAWEI] vlan 5 //Create management VLAN 5.
[HUAWEI-VLAN5] management-vlan
[HUAWEI-VLAN5] quit
[HUAWEI] interface vlanif 5 //Create the VLANIF interface of the management VLAN.
[HUAWEI-vlanif5] ip address 10.10.1.1 24 //Configure an IP address for the VLANIF interface.
[HUAWEI-vlanif5] quit

2. Add the management interface to the management VLAN.


[HUAWEI] interface 10GE 1/0/8 //Assume that the interface for connecting to the NMS through
an intermediate Layer 2 device is 10GE 1/0/8.
[HUAWEI-10GE1/0/8] port link-type trunk
[HUAWEI-10GE1/0/8] port trunk allow-pass vlan 5
[HUAWEI-10GE1/0/8] quit

3. Configure Telnet.
[HUAWEI] telnet server enable //By default, Telnet is disabled. You need to enable Telnet.
[HUAWEI] telnet server-source -i vlanif 5
Warning: Telnet server source configuration will take effect in the next login. Continue? [Y/N]: Y
[HUAWEI] user-interface vty 0 4 //Telnet is typically used for administrator login. AAA
authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //By default, all protocol types are supported,
including SSH and Telnet.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1 password irreversible-cipher Helloworld@6789 //Configure the
username and password for Telnet login. The username is case-insensitive, whereas the password is
case-sensitive.
[HUAWEI-aaa] local-user admin1 privilege level 3 //Set the privilege level of the administrator
account to 3 (highest).
[HUAWEI-aaa] local-user admin1 service-type telnet
[HUAWEI-aaa] quit

NOTE

STelnet (SSH) is recommended for logging in to the switch because Telnet transmits the
username, the password and every subsequent command in cleartext; anyone able to
capture traffic on the management VLAN can read them. If Telnet has to be used
temporarily, restrict the VTY lines to the management network and disable the Telnet
server once SSH login works. For the detailed configuration procedure, see "Basic
Configuration" in the Configuration Guide specific to the device version.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and
press Enter.

Login authentication
Username:admin1 //Enter the username and password.
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2023-05-06 18:33:18+00:00.
<HUAWEI> //User view prompt

2.1.3.3.3 Configuring Network Connectivity

Configuring the Access Switch


1. Starting with access switch ACC1 as an example, create service VLANs 10 and
20 on ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Set the switch name to ACC1.
[ACC1] vlan batch 10 20 //Create VLANs in a batch.

2. Configure GE1/0/3 and GE1/0/4, through which ACC1 connects to CORE1 and
CORE2 respectively, to allow the packets from the VLANs of departments A
and B to pass through.
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] port link-type trunk //Set the link type of GE1/0/3 to trunk.
[ACC1-GE1/0/3] port trunk allow-pass vlan 10 20 //Configure GE1/0/3 to transparently transmit
packets from the service VLANs on ACC1.
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] port link-type trunk //Set the link type of GE1/0/4 to trunk.
[ACC1-GE1/0/4] port trunk allow-pass vlan 10 20 //Configure GE1/0/4 to transparently transmit
packets from the service VLANs on ACC1.
[ACC1-GE1/0/4] quit

3. Configure the interfaces on ACC1 that connect user devices so that user
devices in different departments can be added to VLANs.
[ACC1] interface GE 1/0/1 //Configure the interface connecting to department A.
[ACC1-GE1/0/1] port link-type access
[ACC1-GE1/0/1] port default vlan 10
[ACC1-GE1/0/1] quit
[ACC1] interface GE 1/0/2 //Configure the interface connecting to department B.
[ACC1-GE1/0/2] port link-type access
[ACC1-GE1/0/2] port default vlan 20
[ACC1-GE1/0/2] quit

4. Configure BPDU protection to improve network stability. With BPDU protection,
an edge port that receives a BPDU (for example, because a user has plugged a
switch into a user port) is shut down instead of joining the spanning tree. It
takes effect only on interfaces configured as edge ports (stp edged-port
enable), so configure the user-facing interfaces as edge ports as well.
[ACC1] stp bpdu-protection

NOTE

To add all users connected to ACC1 to VLAN 10, you can add interfaces on CORE1 and
CORE2 that directly connect to ACC1 as Access interfaces, without adding interfaces
on ACC1 to VLAN 10. This simplifies the configuration and ensures that all users
connected to Eth-Trunk1 belong to VLAN 10.

Configuring the Aggregation/Core Switch


1. Create the VLANs for the aggregation/core switch (CORE1) to communicate
with the access switches, CORE2, and egress router.
<HUAWEI> system-view
[HUAWEI] sysname CORE1 //Set the switch name to CORE1.
[CORE1] vlan batch 10 20 30 40 50 100 300 //Create VLANs in a batch.

2. Configure user-side interfaces and VLANIF interfaces. VLANIF interfaces are
used for communication between departments. For example, CORE1 connects
to ACC1 through 10GE1/0/1. The configurations on other interfaces are not
mentioned here.
[CORE1] interface 10GE 1/0/1
[CORE1-10GE1/0/1] port link-type trunk //Set the link type of 10GE1/0/1 to trunk.
[CORE1-10GE1/0/1] port trunk allow-pass vlan 10 20 //Configure 10GE1/0/1 to transparently
transmit packets from the service VLAN on ACC1.
[CORE1-10GE1/0/1] quit
[CORE1] interface Vlanif 10 //Configure VLANIF 10 to allow department A to
communicate with department B through Layer 3.
[CORE1-Vlanif10] ip address 192.168.10.1 24
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20 //Configure VLANIF 20 to allow department B to
communicate with department A through Layer 3.
[CORE1-Vlanif20] ip address 192.168.20.1 24
[CORE1-Vlanif20] quit

3. Configure interfaces connecting to the egress router and VLANIF interfaces.
[CORE1] interface 10GE 1/0/7
[CORE1-10GE1/0/7] port link-type access //Set the link type to access.
[CORE1-10GE1/0/7] port default vlan 100
[CORE1-10GE1/0/7] quit
[CORE1] interface Vlanif 100 //Configure a VLANIF interface to allow CORE1 to
communicate with the router at Layer 3.
[CORE1-Vlanif100] ip address 172.16.1.1 24
[CORE1-Vlanif100] quit

4. Configure the interface for connecting to the other core switch and configure
a VLANIF interface.
[CORE1] interface 10GE 1/0/5
[CORE1-10GE1/0/5] port link-type access //Set the link type to access.
[CORE1-10GE1/0/5] port default vlan 300
[CORE1-10GE1/0/5] quit
[CORE1] interface Vlanif 300
[CORE1-Vlanif300] ip address 172.16.3.1 24
[CORE1-Vlanif300] quit

Verifying the Configuration


1. After configuring the interfaces and VLANs, run the following commands to
verify the configuration results. For details about the command output, see
the Command Reference based on the version of the device.
Run the display vlan command to view VLAN configurations on ACC1.
[ACC1] display vlan
The total number of VLANs is : 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common UT: GE1/0/1(U) TG:GE1/0/3(U) GE1/0/4(U)
20 common UT: GE1/0/2(U) TG:GE1/0/3(U) GE1/0/4(U) //ACC1's upstream and
downstream interfaces have been added to corresponding VLANs, and the upstream interfaces
transparently transmit packets from all service VLANs.
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020

Run the display vlan command to check VLAN configurations on CORE1.
[CORE1] display vlan
The total number of VLANs is : 7
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
10 common TG:10GE1/0/1(U)
20 common TG:10GE1/0/1(U)
30 common TG:10GE1/0/2(U)
40 common TG:10GE1/0/3(U)
50 common TG:10GE1/0/4(U)
100 common TG:10GE1/0/7(U)
300 common UT:10GE1/0/5(U) //On CORE1, interfaces connecting to access switches
have been added to corresponding service VLANs.
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
30 enable default enable disable VLAN 0030
40 enable default enable disable VLAN 0040
50 enable default enable disable VLAN 0050
100 enable default enable disable VLAN 0100
300 enable default enable disable VLAN 0300

Configuring IP Addresses for Egress Router Interfaces


1. Configure an IP address for the interface connecting to the intranet.
<HUAWEI> system-view
[HUAWEI] sysname Router //Set the device name to Router.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 172.16.1.2 24 //Configure an IP address for the interface
connecting to CORE1.
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 172.16.2.2 24 //Configure an IP address for the interface
connecting to CORE2.
[Router-GigabitEthernet0/0/2] quit

2. Configure an IP address for the interface connecting to the Internet.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] ip address 1.1.1.2 30 //Configure an IP address for the interface
connecting to the Internet.
[Router-GigabitEthernet0/0/0] quit

(Optional) Configuring Static Routes


If a dynamic routing protocol is configured, skip this step.

1. Configure a default static route to the egress router and a backup static route
on CORE1 and CORE2, respectively.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.1.2 //Configure a default static route to the egress
router on CORE1.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.3.2 preference 70 //Configure a backup static route
to CORE2 on CORE1.
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.3.1 preference 70

2. On the egress router, configure a default static route to the carrier device.
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

3. On the egress router, configure primary and backup routes. The next hop of
the primary route is CORE1 and that of the backup route is CORE2.
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to the network segment of VLAN 10, with the next hop pointing to CORE2.
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to the network segment of VLAN 20, with the next hop pointing to CORE2.
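The following is an added example, not Huawei code and not a description of the VRP implementation. It models the two rules that make the primary and backup static routes above work: the longest prefix wins, and among routes to the same prefix the lowest preference wins (60 is the default for a static route), while a static route is active only while its next hop is reachable. The mapping from an interface going down to its next hop becoming unreachable is an assumption of the model, as is the idea that the router's routes are evaluated against a reachable set supplied by the caller.

```python
"""Static route preference and failover, as configured on the egress router (added example)."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next_hop, preference), in configuration order

    def ip_route_static(self, prefix, next_hop, preference=60):
        """Mirror of 'ip route-static <prefix> <next-hop> [preference N]'; default is 60."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, preference))

    def active_routes(self, reachable):
        """Routes whose next hop is currently reachable, i.e. what would be in the FIB."""
        return [r for r in self.routes if r[1] in reachable]

    def lookup(self, dst, reachable):
        """Next hop used for dst, or None if no active route covers it."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.active_routes(reachable) if dst in r[0]]
        if not candidates:
            return None
        # Longest prefix first, then lowest preference.
        _net, next_hop, _pref = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
        return next_hop


def build_router():
    """The static routes from steps 2 and 3 above, on the egress router."""
    rt = RoutingTable()
    rt.ip_route_static("0.0.0.0/0", "1.1.1.1")                          # to the carrier
    rt.ip_route_static("192.168.10.0/24", "172.16.1.1")                 # VLAN 10 via CORE1
    rt.ip_route_static("192.168.10.0/24", "172.16.2.1", preference=70)  # backup via CORE2
    rt.ip_route_static("192.168.20.0/24", "172.16.1.1")                 # VLAN 20 via CORE1
    rt.ip_route_static("192.168.20.0/24", "172.16.2.1", preference=70)  # backup via CORE2
    return rt


def demo():
    """Return the next hop chosen in a few situations; addresses are from the data plan."""
    rt = build_router()
    all_up = {"1.1.1.1", "172.16.1.1", "172.16.2.1"}
    core1_down = all_up - {"172.16.1.1"}  # GE0/0/1 towards CORE1 goes down
    return {
        "vlan10_normal": rt.lookup("192.168.10.25", all_up),
        "vlan10_core1_down": rt.lookup("192.168.10.25", core1_down),
        "internet": rt.lookup("8.8.8.8", all_up),
        # No specific route to the server segment 192.168.50.0/24 is configured in step 3,
        # so a reply to a server there follows the default route towards the carrier.
        "server_vlan50": rt.lookup("192.168.50.10", all_up),
        "active_with_core1_down": len(rt.active_routes(core1_down)),
    }


if __name__ == "__main__":
    for name, next_hop in demo().items():
        print(f"{name:24} {next_hop}")
```

Two practical points follow from the model. First, a backup route with preference 70 only takes over when the primary is withdrawn, which for a plain static route means its outgoing interface went down; if the link stays up but the path beyond it is broken, the primary is kept. Huawei static routes can be tied to BFD or NQA tracking to cover that case. Second, any intranet segment without a specific route on the router (here the server VLAN from the data plan) is matched by the default route and sent towards the carrier, so add a route for every internal segment the router must reach.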

Configuring VRRP for Virtual Gateway Redundancy


After VRRP is configured, the access switches forward traffic to CORE1. If CORE1
fails, a VRRP switchover occurs and CORE2 becomes the master. The access
switches then forward traffic to CORE2.

1. Create VRRP groups 1 and 2 on CORE1 and CORE2. Set the priority of CORE1
to 120 and set the preemption delay to 20s so that CORE1 functions as the
master in VLANs 10 and 20.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3 //Configure a virtual IP address for VRRP
group 1.
[CORE1-Vlanif10] vrrp vrid 1 priority 120 //Set the priority of CORE1 to 120.
[CORE1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3 //Configure a virtual IP address for VRRP
group 2.
[CORE1-Vlanif20] vrrp vrid 2 priority 120
[CORE1-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20
[CORE1-Vlanif20] quit

2. CORE2 uses the default priority and functions as the backup in VLANs 10 and
20.
[CORE2] interface Vlanif 10
[CORE2-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3
[CORE2-Vlanif10] quit
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3
[CORE2-Vlanif20] quit

NOTE

CORE1, CORE2, and ACC1 form a physical ring, but VLANs 10 and 20 are not actually looped over it: in this example the CORE1-CORE2 interconnection link carries only the Layer 3 interconnection segment (172.16.3.0/24), not the user VLANs. STP is enabled on switches by default, and if it blocked one of ACC1's uplinks, the VRRP advertisements that CORE1 and CORE2 exchange through ACC1 could be cut off, disturbing the master and backup status on CORE1 and CORE2. To prevent this, disable STP on the upstream interfaces of the access switches. STP then no longer guards these links, so make sure that no other Layer 2 path carries VLANs 10 and 20 between CORE1 and CORE2. The example below shows the configuration on ACC1.
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] stp disable //Disable STP on the upstream interface of ACC1.
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] stp disable
[ACC1-GE1/0/4] quit

If no loop exists on the network, you can also run the stp disable command
to disable STP on the access switch.
[ACC1] stp disable
Warning:The global STP state will be changed. Continue? [Y/N] y

Configuring the Egress Router to Allow Intranet Users to Access the Internet
1. Configure an ACL that matches the traffic to be translated. The example below allows users in VLANs 10 and 20 to access the Internet; the two 172.16 rules additionally cover traffic sourced from the interconnection addresses of the core switches themselves.
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255 //Allow users in VLAN 10 to access the Internet.
[Router-acl-basic-2000] rule permit source 192.168.20.0 0.0.0.255 //Allow users in VLAN 20 to access the Internet.
[Router-acl-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-basic-2000] quit

2. Configure NAT on the interface connecting to the Internet so that intranet users can access the Internet.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] nat outbound 2000
[Router-GigabitEthernet0/0/0] quit

3. Configure DNS resolution. The DNS server address is provided by the carrier; 8.8.8.8 is used in this example and should be replaced with the address your carrier supplies.
[Router] dns resolve
[Router] dns server 8.8.8.8


4. After completing the preceding configuration, configure static IP addresses for intranet users in VLAN 10 and set the gateway address to 192.168.10.3. Intranet users can then access the Internet.

2.1.3.3.4 Configuring DHCP

Configuring the DHCP Server


The administrator configures fixed IP addresses for user devices so that users can
access the Internet. As the network expands, it is difficult for the administrator to
manually configure a large number of IP addresses and manage them. Therefore,
the administrator decides to configure fixed IP addresses for several user devices,
and configure the other user devices to automatically obtain IP addresses from the
DHCP server.
Configure the DHCP server on CORE1 and CORE2 to dynamically allocate IP
addresses to user devices in all departments. CORE1 functions as the active DHCP
server. Department A is used in the example below.

NOTE

● In this section, a global address pool is configured. You can also configure the DHCP
server with an interface address pool. For details, see "IP Addresses and Services
Configuration" in the Configuration Guide specific to the device version.
● CORE1 and CORE2 both answer DHCP requests in VLAN 10 and do not synchronize lease information with each other. To prevent IP address conflicts after an active/standby switchover in VRRP networking, configure the active DHCP server to allocate the first half of all IP addresses in the address pool and the standby DHCP server to allocate the second half, so that the two allocatable ranges are disjoint.
1. Configure CORE1 as the active DHCP server to allocate the first half of all IP
addresses in the address pool.
<CORE1> system-view
[CORE1] dhcp enable
[CORE1] ip pool 10
[CORE1-ip-pool-10] gateway-list 192.168.10.3 //Configure the gateway address.
[CORE1-ip-pool-10] network 192.168.10.0 mask 24 //Configure the range of allocable IP addresses.
[CORE1-ip-pool-10] excluded-ip-address 192.168.10.128 192.168.10.254 //Exclude IP addresses ranging from 192.168.10.128 to 192.168.10.254.
[CORE1-ip-pool-10] lease day 0 hour 20 minute 0 //Configure the IP address lease.
[CORE1-ip-pool-10] dns-list 8.8.8.8 //Configure the DNS server address.
[CORE1-ip-pool-10] quit
2. Configure CORE2 as the standby DHCP server to allocate the second half of
all IP addresses in the address pool.
<CORE2> system-view
[CORE2] dhcp enable
[CORE2] ip pool 10
[CORE2-ip-pool-10] gateway-list 192.168.10.3
[CORE2-ip-pool-10] network 192.168.10.0 mask 24
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.1 192.168.10.2
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.4 192.168.10.127
[CORE2-ip-pool-10] lease day 0 hour 20 minute 0
[CORE2-ip-pool-10] dns-list 8.8.8.8
[CORE2-ip-pool-10] quit
The procedure of configuring dynamic IP address allocation in VLAN 20 is
similar to the preceding configuration procedure.
3. Configure users in department A to obtain IP addresses from the global
address pool.
[CORE1] interface vlanif 10
[CORE1-Vlanif10] dhcp select global //Configure users in department A to obtain IP addresses from the global address pool.


[CORE1-Vlanif10] quit
[CORE2] interface vlanif 10
[CORE2-Vlanif10] dhcp select global
[CORE2-Vlanif10] quit

4. Run the display ip pool command to view the configuration and IP address
allocation in the global address pool 10.
[CORE1] display ip pool name 10
Pool-name : 10
Pool-No :0
Lease : 0 Days 20 Hours 0 Minutes
Domain-name : -
DNS-server0 : 8.8.8.8
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.10.3
Network : 192.168.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.10.1 192.168.10.254 253 1 125(0) 0 127
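As an added check (this script is not part of the original example and is not Huawei code), the following Python parses the two ip pool blocks above and verifies that the halves CORE1 and CORE2 hand out are disjoint and together cover the subnet. The counts it reports match the display ip pool output: CORE1 can lease 126 addresses (Used 1 + Idle 125) and CORE2 the 127 addresses that CORE1 shows as Disable. A second, deliberately mis-split configuration (constructed here) shows the overlap the check is meant to catch.

```python
import ipaddress

# Constructed excerpt of the ip pool configuration from this section:
# CORE1 hands out the first half of 192.168.10.0/24, CORE2 the second half.
POOLS_OK = {
    "CORE1": """
ip pool 10
 gateway-list 192.168.10.3
 network 192.168.10.0 mask 24
 excluded-ip-address 192.168.10.128 192.168.10.254
""",
    "CORE2": """
ip pool 10
 gateway-list 192.168.10.3
 network 192.168.10.0 mask 24
 excluded-ip-address 192.168.10.1 192.168.10.2
 excluded-ip-address 192.168.10.4 192.168.10.127
""",
}

# Constructed misconfiguration: CORE2's exclusion stops at .120, so both servers
# can lease .121-.127 and a VRRP switchover may produce duplicate addresses.
POOLS_OVERLAP = dict(POOLS_OK)
POOLS_OVERLAP["CORE2"] = POOLS_OK["CORE2"].replace("192.168.10.127", "192.168.10.120")


def parse_pool(config):
    """Parse the network, gateway-list and excluded-ip-address lines of one pool."""
    pool = {"network": None, "gateways": set(), "excluded": []}
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "network":
            # "mask 24" and "mask 255.255.255.0" are both accepted by IPv4Network
            pool["network"] = ipaddress.IPv4Network(f"{words[1]}/{words[3]}", strict=False)
        elif words[0] == "gateway-list":
            pool["gateways"].update(ipaddress.IPv4Address(w) for w in words[1:])
        elif words[0] == "excluded-ip-address":
            start = ipaddress.IPv4Address(words[1])
            end = ipaddress.IPv4Address(words[2]) if len(words) > 2 else start
            pool["excluded"].append((start, end))
    return pool


def allocatable(pool):
    """Addresses the server may lease: all hosts minus gateways minus excluded ranges."""
    addrs = set(pool["network"].hosts()) - pool["gateways"]
    for start, end in pool["excluded"]:
        addrs -= {ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)}
    return addrs


def split_report(configs):
    """Compare the pools of all servers: per-server counts, overlapping and unassigned addresses."""
    pools = {name: parse_pool(cfg) for name, cfg in configs.items()}
    alloc = {name: allocatable(p) for name, p in pools.items()}
    names = list(alloc)
    overlap = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap |= alloc[a] & alloc[b]
    any_pool = next(iter(pools.values()))
    all_hosts = set(any_pool["network"].hosts()) - any_pool["gateways"]
    unassigned = all_hosts - set().union(*alloc.values())
    return {
        "counts": {name: len(a) for name, a in alloc.items()},
        "overlap": sorted(overlap),
        "unassigned": sorted(unassigned),
    }


if __name__ == "__main__":
    for label, cfgs in (("as configured", POOLS_OK), ("overlapping", POOLS_OVERLAP)):
        r = split_report(cfgs)
        print(label, r["counts"], "overlap:", [str(a) for a in r["overlap"]])
```

Run the script against the exported configuration of both core switches before enabling DHCP on the second one; an empty overlap list and an empty unassigned list are what the note above asks for.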

NOTE

● After completing the DHCP server configuration, configure the network adapters on the PCs to obtain IP addresses automatically. The PCs can then obtain IP addresses from the DHCP server and access the Internet.
● After dynamic IP address allocation is configured, a newly started PC may take a long time to obtain an IP address. The reason is that an STP-enabled switch interface does not forward traffic as soon as it comes up: it first passes through the Listening and Learning states (twice the forward delay, 30 seconds by default), and the DHCP Discover messages the PC sends during that time are discarded. To solve this problem, disable STP on the switch interfaces that connect to user devices or, preferably, configure these interfaces as edge ports.
ACC1 is used in the example below.
# Disable STP on the interface. Note that STP then performs no loop detection on this interface, so a loop introduced behind it will not be blocked.
[ACC1] interface GE 1/0/1
[ACC1-GE1/0/1] stp disable //Alternatively, run the undo stp enable command.
[ACC1-GE1/0/1] quit

# Configure the switch interface that connects to user devices as an edge port. An edge port enters the Forwarding state immediately but still takes part in STP: if it receives a BPDU, it reverts to a normal STP port, so a loop behind it is still detected.
[ACC1] interface GE 1/0/1
[ACC1-GE1/0/1] stp edged-port enable
[ACC1-GE1/0/1] quit

After either of the preceding operations is performed, a newly started user device can rapidly obtain an IP address.

Configuring DHCP Snooping and IPSG


User devices can automatically obtain IP addresses after DHCP is configured. If a
user connects an unauthorized router (bogus DHCP server) to the intranet and
enables the DHCP server function on the router, authorized intranet users may
obtain IP addresses allocated by this unauthorized router and may therefore be
denied access to the Internet. To prevent this problem, configure DHCP snooping.
Department A is used in the example below.
1. Enable DHCP snooping on ACC1.
<ACC1> system-view
[ACC1] dhcp enable //Enable DHCP.
[ACC1] dhcp snooping enable //Enable DHCP snooping.


2. Enable DHCP snooping on the interfaces that connect to user devices.
[ACC1] interface GE 1/0/1 //Configure the interface connecting to user devices in department A.
[ACC1-GE1/0/1] dhcp snooping enable
[ACC1-GE1/0/1] quit
[ACC1] interface GE 1/0/2 //Configure the interface connecting to user devices in department B.
[ACC1-GE1/0/2] dhcp snooping enable
[ACC1-GE1/0/2] quit

3. Enable DHCP snooping on the interfaces connecting to the DHCP servers and configure them as trusted interfaces.
[ACC1] interface GE 1/0/3 //Configure the interface connecting to CORE1.
[ACC1-GE1/0/3] dhcp snooping enable //Enable DHCP snooping.
[ACC1-GE1/0/3] dhcp snooping trusted //Configure the interface as a trusted interface.
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4 //Configure the interface connecting to CORE2.
[ACC1-GE1/0/4] dhcp snooping enable
[ACC1-GE1/0/4] dhcp snooping trusted
[ACC1-GE1/0/4] quit

After the preceding configuration is complete, user devices in department A can obtain IP addresses only from the authorized DHCP servers and will not use IP addresses allocated by an unauthorized router.
To prevent users from changing their IP addresses and attacking the intranet, enable IPSG after enabling DHCP snooping on the access switch. ACC1 is used in the example below.
4. On ACC1, enable IPSG in VLAN 10.
[ACC1] vlan 10
[ACC1-vlan10] ipv4 source check user-bind enable //Enable IPSG.
[ACC1-vlan10] quit

ACC1 matches packets received from VLAN 10 against the dynamic binding entries in the DHCP snooping binding table. If a packet matches an entry, ACC1 forwards the packet; otherwise, ACC1 discards the packet. To check packets received from a specified user terminal instead of all user terminals in the VLAN, enable IPSG on the interface connecting to the user terminal.
For details about how to configure the switch to prevent users from
connecting an unauthorized router to the intranet and changing IP addresses,
see "DHCP Snooping Configuration" in "IP Addresses and Services
Configuration" and "IPSG Configuration" in "Security Configuration" in the
Configuration Guide specific to the device version.
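To make the forwarding rules concrete, here is an added Python model (not part of the original example and not Huawei code) of an access switch enforcing the two mechanisms just configured. Port names, MAC addresses and the DHCP exchange are constructed for this example: an OFFER from a bogus server on untrusted GE1/0/2 is dropped, the lease granted by CORE1 through trusted GE1/0/3 becomes a binding entry, and IPSG then drops a packet whose address was changed by the user and a packet spoofing the leased address from another port.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One DHCP snooping binding entry: the tuple IPSG checks packets against."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Model of an access switch with DHCP snooping and IPSG enabled.

    Ports in `trusted` are the uplinks to the real DHCP servers (CORE1/CORE2);
    every other port is untrusted. Server messages (OFFER/ACK/NAK) are accepted
    only from trusted ports, the binding table is built only from ACKs that
    pass that check, and IPSG drops IP packets from untrusted ports that do not
    match a binding. `chaddr` in a DHCP message is the client hardware address.
    """

    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted, ipsg_vlans):
        self.trusted = set(trusted)
        self.ipsg_vlans = set(ipsg_vlans)
        self.bindings = {}   # (chaddr, vlan) -> Binding
        self.pending = {}    # (chaddr, vlan) -> port where the client last sent DISCOVER/REQUEST
        self.log = []

    def handle_dhcp(self, msg):
        """Return 'forward' or 'drop' for one DHCP message."""
        key = (msg["chaddr"], msg["vlan"])
        if msg["type"] in self.SERVER_MSGS:
            if msg["port"] not in self.trusted:
                self.log.append(f"drop {msg['type']} on untrusted {msg['port']}: bogus DHCP server")
                return "drop"
            if msg["type"] == "ACK" and key in self.pending:
                b = Binding(msg["chaddr"], msg["yiaddr"], msg["vlan"], self.pending.pop(key))
                self.bindings[key] = b
                self.log.append(f"bind {b.mac} {b.ip} vlan {b.vlan} {b.port}")
            return "forward"
        if msg["type"] == "RELEASE":
            self.bindings.pop(key, None)
        else:
            # DISCOVER/REQUEST: remember the client's port so the ACK can be bound to it.
            self.pending[key] = msg["port"]
        return "forward"

    def check_ip(self, pkt):
        """IPSG: permit an IP packet from an untrusted port only if (MAC, IP, VLAN, port) is bound."""
        if pkt["port"] in self.trusted or pkt["vlan"] not in self.ipsg_vlans:
            return True
        b = self.bindings.get((pkt["src_mac"], pkt["vlan"]))
        ok = b is not None and b.ip == pkt["src_ip"] and b.port == pkt["port"]
        if not ok:
            self.log.append(f"IPSG drop {pkt['src_ip']} {pkt['src_mac']} on {pkt['port']}")
        return ok


def run_demo():
    """Constructed traffic on ACC1: one real lease from CORE1, a bogus server on GE1/0/2, two spoofs."""
    sw = SnoopingSwitch(trusted={"GE1/0/3", "GE1/0/4"}, ipsg_vlans={10})
    pc = "00e0-fc00-0001"
    dhcp = [
        {"type": "DISCOVER", "chaddr": pc, "vlan": 10, "port": "GE1/0/1"},
        {"type": "OFFER", "chaddr": pc, "vlan": 10, "port": "GE1/0/2", "yiaddr": "192.168.10.200"},  # rogue router
        {"type": "OFFER", "chaddr": pc, "vlan": 10, "port": "GE1/0/3", "yiaddr": "192.168.10.50"},   # CORE1
        {"type": "REQUEST", "chaddr": pc, "vlan": 10, "port": "GE1/0/1"},
        {"type": "ACK", "chaddr": pc, "vlan": 10, "port": "GE1/0/3", "yiaddr": "192.168.10.50"},
    ]
    dhcp_decisions = [sw.handle_dhcp(m) for m in dhcp]
    ip = [
        {"src_ip": "192.168.10.50", "src_mac": pc, "vlan": 10, "port": "GE1/0/1"},                # leased address
        {"src_ip": "192.168.10.99", "src_mac": pc, "vlan": 10, "port": "GE1/0/1"},                # user changed the IP
        {"src_ip": "192.168.10.50", "src_mac": "00e0-fc00-0002", "vlan": 10, "port": "GE1/0/2"},  # neighbour spoofing it
    ]
    return dhcp_decisions, [sw.check_ip(p) for p in ip], sw


if __name__ == "__main__":
    decisions, permitted, sw = run_demo()
    print(decisions, permitted)
    print("\n".join(sw.log))
```

The model deliberately binds the lease to the port where the client's own REQUEST was seen, not to the port the ACK arrived on; that is what lets IPSG reject the same address when it is used from a different port.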

2.1.3.3.5 Configuring OSPF

NOTE

Devices on the intranet use static routes. If a link fails, the administrator needs to manually
configure a new static route, interrupting network services for a long time. Configuring a
dynamic routing protocol prevents this problem. If a link fails, the dynamic routing protocol
switches traffic forwarded through the faulty link to a normal link based on an algorithm.
After the faulty link recovers, the routing protocol switches traffic back to the link. OSPF
configuration is used in the example below.

1. Delete all static routes on CORE1 and CORE2.
[CORE1] undo ip route-static all
[CORE2] undo ip route-static all

2. On the egress router, delete the static routes to the intranet network segments and retain the default static route to the Internet.
[Router] undo ip route-static 192.168.10.0 24
[Router] undo ip route-static 192.168.20.0 24


3. Configure OSPF on CORE1.
[CORE1] ospf 100 router-id 2.2.2.2
[CORE1-ospf-100] area 0
[CORE1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] quit
[CORE1-ospf-100] quit

4. Configure OSPF on CORE2.
[CORE2] ospf 100 router-id 3.3.3.3
[CORE2-ospf-100] area 0
[CORE2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] quit
[CORE2-ospf-100] quit

5. Configure OSPF on the egress router. The default-route-advertise always command injects a default route into the OSPF area so that CORE1 and CORE2 learn their route to the Internet dynamically. The default static route to the carrier device (next hop 1.1.1.1) was retained in step 2; it is repeated below for completeness.
[Router] ospf 100 router-id 1.1.1.1
[Router-ospf-100] default-route-advertise always
[Router-ospf-100] area 0
[Router-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Router-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Router-ospf-100-area-0.0.0.0] quit
[Router-ospf-100] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

Two points to check before using this configuration in production:
● With the always keyword, the router advertises the default route even when it has no default route of its own, so if the carrier link fails, CORE1 and CORE2 keep sending Internet traffic to the egress router, which discards it. Omit always if the default route should be advertised only while the router actually has one.
● OSPF as configured above does not authenticate its neighbors: any device on an advertised segment that sends OSPF packets can form an adjacency and inject routes, including a more attractive default route. CORE1 and CORE2 also run OSPF on VLANIF 10 and VLANIF 20, where only user devices attach. Enable OSPF authentication on the area or interfaces and suppress OSPF on the user VLANIF interfaces (silent interfaces).
For details on OSPF configuration and commands, see "OSPF Configuration" in "IP Routing Configuration" in the Configuration Guide for the corresponding device version.

2.1.3.3.6 Configuring Reliability and Load Balancing

Configuring Association Between VRRP and the Interface Status to Monitor Links
NOTE

If the link from CORE1 to the egress router fails, traffic is forwarded over the
interconnection link between CORE1 and CORE2 to CORE2, increasing traffic load and
imposing high stability and bandwidth requirements on the link. You can configure
association between VRRP and the interface status to implement fast active/standby
switchover upon an uplink failure. If you configure this function on the upstream interface
of the master in the VRRP group, the master lowers its priority to implement an active/
standby switchover when it detects that the upstream interface goes Down.

# Configure association between VRRP and the status of the upstream interface
on CORE1 to monitor the uplink.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 track interface 10GE 1/0/7 reduced 100 //Configure association between VRRP and the upstream interface status.
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 track interface 10GE 1/0/7 reduced 100
[CORE1-Vlanif20] quit


Configuring Load Balancing


NOTE

As service traffic increases, the link between CORE1 and the egress router has high
bandwidth utilization, whereas the link between CORE2 and the egress router is idle,
wasting resources and lowering reliability. To effectively use the two links, you can
configure load balancing on CORE1 and CORE2 so that CORE1 functions as the master in
some VLANs while CORE2 functions as the master in the other VLANs. The two links then
load balance traffic from all VLANs, effectively using network resources. Configure CORE1
to still function as the master in VLAN 10, and change the priority of CORE2 so that CORE2
functions as the master in VLAN 20.

1. Delete the VRRP priority and preemption delay configuration on VLANIF 20 of CORE1.
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] undo vrrp vrid 2 preempt-mode timer delay
[CORE1-Vlanif20] undo vrrp vrid 2 priority
[CORE1-Vlanif20] quit

2. Configure CORE2 as the master in VLAN 20 and set the preemption delay to
20s.
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 priority 120
[CORE2-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20

3. Configure association between VRRP and the status of the upstream interface
on CORE2 to monitor the uplink.
[CORE2-Vlanif20] vrrp vrid 2 track interface 10GE 1/0/8 reduced 100
[CORE2-Vlanif20] quit
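The following added Python (not from the original example and not Huawei code) models the VRRP election for the two groups as they stand after the load-balancing step, applies the track ... reduced settings for a given set of Down interfaces, and includes the check an engineer wants before deploying: that each reduced value is large enough to actually hand the master role to the backup. The VLANIF addresses 192.168.10.1/.2 and 192.168.20.1/.2 are assumed; the page gives only the virtual addresses.

```python
import ipaddress

# Constructed model of the two VRRP groups after the load-balancing step.
# The per-router VLANIF addresses (.1/.2) are assumed; the page gives only
# the virtual addresses (.3), the priorities and the tracked uplinks.
GROUPS = {
    1: {  # VLAN 10: CORE1 is master and tracks its uplink to the egress router
        "CORE1": {"priority": 120, "ip": "192.168.10.1", "tracks": [("10GE1/0/7", 100)]},
        "CORE2": {"priority": 100, "ip": "192.168.10.2", "tracks": []},
    },
    2: {  # VLAN 20: CORE2 is master and tracks its own uplink
        "CORE1": {"priority": 100, "ip": "192.168.20.1", "tracks": []},
        "CORE2": {"priority": 120, "ip": "192.168.20.2", "tracks": [("10GE1/0/8", 100)]},
    },
}


def effective_priority(member, down_interfaces):
    """Apply every `vrrp vrid N track interface X reduced R` whose interface is Down.

    The result is clamped at 1: priority 0 is reserved for a master that is
    giving up the role, so a reduction never produces it (assumed behaviour).
    """
    prio = member["priority"]
    for iface, reduced in member["tracks"]:
        if iface in down_interfaces:
            prio -= reduced
    return max(prio, 1)


def elect_master(group, down_interfaces=frozenset()):
    """Highest effective priority wins; a tie goes to the higher interface address (RFC 3768)."""
    def rank(item):
        _, member = item
        return (effective_priority(member, down_interfaces),
                int(ipaddress.IPv4Address(member["ip"])))
    return max(group.items(), key=rank)[0]


def masters(groups, down_interfaces=frozenset()):
    """Master of every VRRP group for a given set of Down interfaces."""
    return {vrid: elect_master(group, down_interfaces) for vrid, group in groups.items()}


def check_tracking(groups):
    """Flag tracks whose `reduced` value is too small to hand the role to the backup.

    A switchover only happens if the master's reduced priority drops below the
    highest priority among the other members; otherwise the track is cosmetic
    and traffic keeps going to a router whose uplink is Down.
    """
    warnings = []
    for vrid, group in groups.items():
        for name, member in group.items():
            others = max(m["priority"] for n, m in group.items() if n != name)
            for iface, reduced in member["tracks"]:
                if member["priority"] - reduced >= others:
                    warnings.append(
                        f"vrid {vrid}: {name} tracking {iface} reduced {reduced} leaves priority "
                        f"{member['priority'] - reduced} >= {others}, no switchover")
    return warnings


if __name__ == "__main__":
    print("all links up:      ", masters(GROUPS))
    print("CORE1 uplink down: ", masters(GROUPS, {"10GE1/0/7"}))
    print("both uplinks down: ", masters(GROUPS, {"10GE1/0/7", "10GE1/0/8"}))
    # A too-small reduction (constructed, as in a miscopied config) is caught before deployment.
    weak = {1: {"CORE1": dict(GROUPS[1]["CORE1"], tracks=[("10GE1/0/7", 10)]),
                "CORE2": GROUPS[1]["CORE2"]}}
    print(check_tracking(weak))
```

With both uplinks Down the model elects CORE2 for VLAN 10 and CORE1 for VLAN 20: each router still prefers the peer whose uplink is equally dead, which is why the interconnection link between CORE1 and CORE2 must remain able to carry that traffic.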

2.1.3.3.7 Configuring Link Aggregation


If the uplink of CORE1 or CORE2 fails, traffic passes through the link between
CORE1 and CORE2. However, the bandwidth of the link may be insufficient,
causing packet loss. You can bind multiple physical links into a logical link to
increase the bandwidth and improve the link reliability. CORE1 is used in the
example below.

1. Restore the default configuration on an interface. Skip this step if the interface uses the default configuration. The example below shows the procedure of restoring the default configuration on an interface.
[CORE1] interface 10GE 1/0/5
[CORE1-10GE1/0/5] display this
#
interface 10GE1/0/5
port link-type access
port default vlan 300
#
return
[CORE1-10GE1/0/5] undo port default vlan
[CORE1-10GE1/0/5] undo port link-type

2. Alternatively, run the clear configuration this command to restore the default configuration of the interface in one step. The interface is shut down afterwards; to enable it again, run the undo shutdown command.
[CORE1-10GE1/0/5] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will be shutdown.
Continue? [Y/N] :y
Info: Total 2 command(s) executed, 2 successful, 0 failed.
[CORE1-10GE1/0/5] undo shutdown
[CORE1-10GE1/0/5] quit

3. Configure link aggregation.

Method 1: Configure link aggregation in manual load balancing mode. No LACP negotiation takes place in this mode, so the Eth-Trunk on CORE2 must be configured to match.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] trunkport 10GE 1/0/5 to 1/0/6
[CORE1-Eth-Trunk1] port link-type access
[CORE1-Eth-Trunk1] port default vlan 300
[CORE1-Eth-Trunk1] quit

Method 2: Configure link aggregation in LACP mode.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] mode lacp-static
[CORE1-Eth-Trunk1] trunkport 10GE 1/0/5 to 1/0/6
[CORE1-Eth-Trunk1] port link-type access
[CORE1-Eth-Trunk1] port default vlan 300
[CORE1-Eth-Trunk1] quit

# Set the LACP system priority of CORE1 to 100 so that CORE1 becomes the Actor. A smaller value indicates a higher priority; CORE2 keeps the default value of 32768.
[CORE1] lacp priority 100

# On CORE1, set the maximum number of active interfaces to 2.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] max bandwidth-affected-linknumber 2
[CORE1-Eth-Trunk1] quit

# On CORE1, set interface priorities to determine the active links. (Configure 10GE1/0/5 and 10GE1/0/6 as active interfaces.)
[CORE1] interface 10GE 1/0/5
[CORE1-10GE1/0/5] lacp priority 100
[CORE1-10GE1/0/5] quit
[CORE1] interface 10GE 1/0/6
[CORE1-10GE1/0/6] lacp priority 100
[CORE1-10GE1/0/6] quit

The configuration of CORE2 is similar to that of CORE1. The difference is that CORE2 uses the default system priority.
For details on link aggregation configuration and commands, see "Ethernet Switching Configuration" in the Configuration Guide based on the version of the device.

2.1.3.3.8 Configuring Rate Limiting

Configuring Rate Limiting Based on the IP Address


Configuring IP address-based rate limiting on the switch is complicated and consumes a lot of hardware ACL resources. Instead, you can configure IP address-based rate limiting on the egress router's physical interfaces connecting to the core switches.
To properly transmit service traffic with limited bandwidth resources, the upload
and download rate of each intranet IP address cannot exceed 512 kbit/s.
1. On GigabitEthernet0/0/1, configure IP address-based rate limiting for network
segments 192.168.10.0 and 192.168.20.0 and limit the rate to 512 kbit/s. Note
that IP address-based rate limiting is configured on LAN-side interfaces. This
is because NAT-enabled WAN-side interfaces cannot identify intranet IP
addresses. When configuring IP address-based rate limiting on LAN-side
interfaces, specify the source IP address in the inbound direction to limit the
upload rate, and specify the destination IP address in the outbound direction
to limit the download rate.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] qos car inbound source-ip-address range 192.168.10.1 to 192.168.10.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car outbound destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car inbound source-ip-address range 192.168.20.1 to 192.168.20.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car outbound destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address cir 512
[Router-GigabitEthernet0/0/1] quit

The procedure of configuring IP address-based rate limiting for other network segments and for GigabitEthernet0/0/2 is similar.

Configuring Rate Limiting Based on All Traffic on a Network Segment


To reserve sufficient bandwidth resources for department A as services grow, configure rate limiting for department B. The upload (Internet access) rate of department B cannot exceed 2 Mbit/s and the download rate cannot exceed 4 Mbit/s.
1. Configure ACLs on the egress router that match department B's traffic. In the inbound direction of a LAN-side interface, department B's packets carry 192.168.20.0/24 as the source address, so a basic ACL (which matches the source address only) is sufficient. In the outbound direction, department B's download packets carry 192.168.20.0/24 as the destination address, so an advanced ACL matching the destination is required (ACL number 3222 is chosen for this example).
[Router] acl 2222
[Router-acl-basic-2222] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2222] quit
[Router] acl 3222
[Router-acl-adv-3222] rule permit ip destination 192.168.20.0 0.0.0.255
[Router-acl-adv-3222] quit

2. Configure rate limiting on the LAN-side interfaces of the egress router: ACL 2222 in the inbound direction limits the upload rate, and ACL 3222 in the outbound direction limits the download rate.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] qos car inbound acl 2222 cir 2048
[Router-GigabitEthernet0/0/1] qos car outbound acl 3222 cir 4096
[Router-GigabitEthernet0/0/1] quit

The configuration procedure for other network segments and for GigabitEthernet0/0/2 is similar.
For details on rate limiting configuration and commands, see "Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting Configuration" in "QoS Configuration" in the Configuration Guide based on the version of the device.

2.1.3.3.9 Configuring the NAT Server and Multiple Egress Interfaces

Configuring the NAT Server


As services grow, the web server and FTP server on the intranet need to provide
services to both internal and external users who access the servers using public IP
addresses.


1. Configure the intranet servers so that external users can access them using public IP addresses. Each nat server entry exposes the inside host on the given port to every address on the Internet, so publish only the services that must be reachable from outside; note that FTP transmits credentials in cleartext.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] nat server protocol tcp global current-interface www inside 192.168.50.20 www
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[Router-GigabitEthernet0/0/0] nat server protocol tcp global current-interface ftp inside 192.168.50.10 ftp
[Router-GigabitEthernet0/0/0] quit

2. Enable NAT ALG for FTP on the egress router.
[Router] nat alg ftp enable

3. Configure an ACL to allow intranet users to access the intranet servers using public IP addresses. In this example 203.0.113.0 stands for the public IP address of GigabitEthernet0/0/0, that is, the global address the nat server entries above are mapped to.
[Router] acl 3333
[Router-acl-adv-3333] rule permit ip source 192.168.10.0 0.0.0.255 destination 203.0.113.0 0.0.0.0
[Router-acl-adv-3333] rule permit ip source 192.168.20.0 0.0.0.255 destination 203.0.113.0 0.0.0.0
[Router-acl-adv-3333] quit

4. Configure NAT on the egress router interfaces connecting to the intranet, so that the source address of these hairpinned requests is translated and the servers' replies return through the router.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat outbound 3333
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 3333
[Router-GigabitEthernet0/0/2] quit

5. Configure a mapping table of internal servers on the egress router interfaces connecting to the intranet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat server protocol tcp global interface GigabitEthernet 0/0/0 www inside 192.168.50.20 www
[Router-GigabitEthernet0/0/1] nat server protocol tcp global interface GigabitEthernet 0/0/0 ftp inside 192.168.50.10 ftp
[Router-GigabitEthernet0/0/1] quit

The configuration procedure on GigabitEthernet0/0/2 is similar.
For details on NAT configuration and commands for AR routers, see "NAT Configuration" in the Configuration Guide specific to the device version.

Configuring Multiple Egress Interfaces to the Internet


An enterprise applied for only one link from the carrier. As services grow, the link
cannot provide sufficient bandwidth for the enterprise. The enterprise applies for
another link. The original single egress interface changes to two egress interfaces.
In this case, you need to configure the router to forward traffic from different
network segments on the intranet to the Internet through specified links.


Configure GigabitEthernet0/0/10 to provide Internet access using PPPoE dial-up.
Configure policy-based routing (PBR) to allow users on different network segments to access the Internet through different carriers.

1. Configure an ACL for NAT.
[Router] acl 2015
[Router-acl-basic-2015] rule permit source 192.168.10.0 0.0.0.255
[Router-acl-basic-2015] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2015] quit

2. Configure the dialup ACL.
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit

3. Configure the dialup interface. Replace the user name Router and the password Router@123 below with the PPPoE account credentials issued by the carrier.
[Router] interface Dialer 0
[Router-Dialer0] ip address ppp-negotiate
[Router-Dialer0] ppp chap user Router
[Router-Dialer0] ppp chap password cipher Router@123
[Router-Dialer0] dialer user user
[Router-Dialer0] dialer bundle 1
[Router-Dialer0] dialer-group 1
[Router-Dialer0] ppp ipcp dns request
[Router-Dialer0] ppp ipcp dns admit-any
[Router-Dialer0] quit

4. Configure NAT.
[Router] interface Dialer 0
[Router-Dialer0] nat outbound 2015
[Router-Dialer0] quit

5. Set the maximum segment size (MSS) of TCP packets to 1200 bytes. PPPoE adds 8 bytes of overhead, so the usable MTU on the link is 1492 bytes. With the default MSS of 1460 bytes, full-size TCP segments become 1500-byte IP packets that must be fragmented, or are dropped when the DF bit is set, so Internet access may be slow or some connections may stall.
[Router] interface Dialer 0
[Router-Dialer0] tcp adjust-mss 1200
[Router-Dialer0] quit

6. Enable PPPoE on the physical interface GigabitEthernet0/0/10 connecting to the carrier device.
[Router] interface GigabitEthernet 0/0/10
[Router-GigabitEthernet0/0/10] pppoe-client dial-bundle-number 1
[Router-GigabitEthernet0/0/10] quit

7. Configure a default static route to the Internet with Dialer 0 as the outbound
interface.
[Router] ip route-static 0.0.0.0 0 Dialer 0


8. Configure ACLs to match data flows. Traffic exchanged between intranet users is not redirected.
[Router] acl 3000
[Router-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-adv-3000] quit
[Router] acl 3001
[Router-acl-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255
[Router-acl-adv-3001] quit
[Router] acl 3002
[Router-acl-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3002] quit

9. Configure traffic classifiers c0, c1, and c2, and configure matching rules based
on ACL 3000, ACL 3001, and ACL 3002 in the traffic classifiers, respectively.
[Router] traffic classifier c0
[Router-classifier-c0] if-match acl 3000
[Router-classifier-c0] quit
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl 3001
[Router-classifier-c1] quit
[Router] traffic classifier c2
[Router-classifier-c2] if-match acl 3002
[Router-classifier-c2] quit

10. Configure traffic behaviors to redirect traffic from the internal network
segment 192.168.10.0 to the next hop address 1.1.1.1 and to redirect traffic
from the internal network segment 192.168.20.0 to the outbound interface
Dialer 0, without redirecting traffic exchanged between intranet users.
[Router] traffic behavior b0
[Router-behavior-b0] permit
[Router-behavior-b0] quit
[Router] traffic behavior b1
[Router-behavior-b1] redirect ip-nexthop 1.1.1.1
[Router-behavior-b1] quit
[Router] traffic behavior b2
[Router-behavior-b2] redirect interface Dialer 0
[Router-behavior-b2] quit

11. Configure a traffic policy and bind traffic classifiers to traffic behaviors in the
traffic policy.
[Router] traffic policy test
[Router-trafficpolicy-test] classifier c0 behavior b0
[Router-trafficpolicy-test] classifier c1 behavior b1
[Router-trafficpolicy-test] classifier c2 behavior b2
[Router-trafficpolicy-test] quit

12. Apply the traffic policy to egress router interfaces connecting to the intranet
switches.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] traffic-policy test inbound
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] traffic-policy test inbound
[Router-GigabitEthernet0/0/2] quit

After PBR is configured, intranet users on the network segment 192.168.10.0 access the Internet through GigabitEthernet0/0/0 over the original carrier link (next hop 1.1.1.1), and intranet users on the network segment 192.168.20.0 access the Internet through Dialer 0 on GigabitEthernet0/0/10 using PPPoE dial-up. Traffic between the two segments matches classifier c0 and is forwarded normally. Because a packet is handled by the first classifier it matches, c0 must be bound before c1 and c2 in the traffic policy; otherwise intranet traffic would be redirected to the Internet.
For details on PBR configuration and commands, see "Routing Policy Configuration" in the Configuration Guide specific to the device version.
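As an added illustration (not part of the original example and not Huawei code), the Python below reproduces the classification that the traffic policy performs, including the ACL wildcard matching, and shows why classifier c0 must be bound first. The assumed semantics is that a packet is handled by the first classifier, in binding order, whose ACL permits it; the sample flows are constructed.

```python
import ipaddress


def wildcard_match(ip, base, wildcard):
    """ACL wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    ip_i, base_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


# Constructed copies of ACL 3000, 3001 and 3002 from the steps above.
# Each rule is (source, source wildcard, destination, destination wildcard); None means any.
ACLS = {
    3000: [("192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
           ("192.168.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")],
    3001: [("192.168.10.0", "0.0.0.255", None, None)],
    3002: [("192.168.20.0", "0.0.0.255", None, None)],
}

CLASSIFIERS = {"c0": 3000, "c1": 3001, "c2": 3002}
BEHAVIORS = {
    "b0": ("permit", None),                      # forward by the routing table
    "b1": ("redirect ip-nexthop", "1.1.1.1"),    # original carrier link via GE0/0/0
    "b2": ("redirect interface", "Dialer 0"),    # PPPoE link via GE0/0/10
}

# The policy as bound in step 11 (c0 first) and a constructed wrong ordering.
POLICY_TEST = [("c0", "b0"), ("c1", "b1"), ("c2", "b2")]
POLICY_WRONG_ORDER = [("c1", "b1"), ("c2", "b2"), ("c0", "b0")]


def acl_permits(acl_id, src, dst):
    """True if any rule of the ACL matches the packet (rules are evaluated in order)."""
    for s, sw, d, dw in ACLS[acl_id]:
        if s is not None and not wildcard_match(src, s, sw):
            continue
        if d is not None and not wildcard_match(dst, d, dw):
            continue
        return True
    return False


def apply_policy(policy, src, dst):
    """Return the behaviour applied to a packet entering a LAN-side interface.

    Assumed semantics: the packet is handled by the first classifier, in
    binding order, whose ACL permits it; a packet matching no classifier is
    simply routed.
    """
    for classifier, behavior in policy:
        if acl_permits(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return ("routed", None)


if __name__ == "__main__":
    flows = [("192.168.10.50", "203.0.113.9"), ("192.168.20.7", "198.51.100.1"),
             ("192.168.10.50", "192.168.20.7"), ("172.16.1.1", "8.8.8.8")]
    for src, dst in flows:
        print(src, "->", dst, apply_policy(POLICY_TEST, src, dst),
              "| wrong order:", apply_policy(POLICY_WRONG_ORDER, src, dst))
```

With the wrong ordering, a packet from 192.168.10.50 to 192.168.20.7 is caught by c1 and redirected to 1.1.1.1, which is exactly the leak of intranet traffic the permit behavior in b0 is there to prevent.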


2.1.3.3.10 Verifying Services and Saving the Configuration

Verifying Services
1. Select two PCs from two departments to perform ping tests and verify that
the two departments can communicate at Layer 3 through VLANIF interfaces.
The following example uses two PCs (PC1 and PC2) in departments A and B.
The two PCs communicate at Layer 3 through CORE1 (or CORE2). If they can
ping each other successfully, Layer 3 interworking is normal.
<PC1> ping 192.168.20.254 //Assume that PC2 automatically obtains the IP address 192.168.20.254 through DHCP.
PING 192.168.20.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.20.254 : bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 192.168.20.254 : bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 192.168.20.254 : bytes=56 Sequence=5 ttl=253 time=63 ms

--- 192.168.20.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received //PC1 can ping PC2 successfully, indicating that Layer 3 interworking between PC1 and PC2 is normal.
2. Select two PCs within a department to perform ping tests and verify whether
Layer 2 interworking within the department is normal. Users in department A
communicate at Layer 2 through ACC1. If the two PCs can ping each other
successfully, users in department A can normally communicate at Layer 2. The
ping command is similar to that in step 1.
3. Select two PCs from two departments to ping a public IP address and verify
whether intranet users of the company can access the Internet normally. The
following example uses department A. You can ping a public network
gateway address from PC1 to verify whether PC1 can access the Internet. The
public network gateway address is the IP address of the carrier device to
which the egress router connects. If the ping test succeeds, intranet users can
access the Internet normally. The ping command is similar to that in step 1.

Saving the Configuration


You must save your data to the configuration file before restarting the switch.
Unsaved data configured on the CLI will be lost after the switch restarts.
The example below shows the procedure of saving CORE1's configuration file.
<CORE1> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0..
Save the configuration successfully.

2.2 Campus Network Typical Configuration Examples


2.2.1 Example for Campus Network Connectivity Deployment

2.2.1.1 Key Points of Network Connectivity Deployment


Network connectivity deployment aims to enable Layer 2 and Layer 3 communication between devices at the core, aggregation, and access layers of a campus network, so that wired and wireless users can access the campus network and communicate with each other. Network connectivity deployment is the basis of campus network construction.
The table below lists the key points of network connectivity deployment, based on
the services and scale of the campus network.

Table 2-3 Network connectivity deployment

● Key point: Determine whether to use a two-layer or three-layer network architecture.
  Description: A two-layer network architecture consists of a core layer and an access layer. A three-layer network architecture consists of a core layer, an aggregation layer, and an access layer. For details, see 2.2.1.2 Deployment Differences Between Two-Layer and Three-Layer Network Architectures.
  Recommended scenario: For a small-scale network, use a two-layer network architecture, which features simple networking, a small number of NEs, and fewer potential failure points. For a large-scale network, use a three-layer network architecture, which is typically more complex and involves a larger number of NEs and more potential failure points. In actual applications, a two-layer network architecture is also used when the transmission distance is short and the core layer has enough interfaces to connect directly to the access layer. This reduces the total cost and maintenance workload, and facilitates network status monitoring.

● Key point: Determine whether devices on the network need to set up a Cluster Switch System (CSS) or stack.
  Description: It is recommended that a CSS or stack be deployed according to 2.2.1.3 Typical CSS and Stack Deployment, as this improves network reliability.
  Recommended scenario: To improve network reliability, deploy a CSS at the core layer and a stack at the aggregation layer. If a large number of users need to access the network, deploy a stack at the access layer to increase the number of interfaces.

● Key point: Determine the locations of gateways on the network (that is, the boundary between Layer 2 and Layer 3).
  Description: In most cases, Layer 2 switching services are deployed on the downstream devices connected to gateways, and Layer 3 routing services are deployed on the upstream devices connected to gateways.
  Recommended scenario: Determine the locations of gateways based on the network scale. That is, use core switches as gateways on a small-scale network, and use aggregation switches as gateways on a large-scale network.

● Key point: Determine whether to deploy standalone access controllers (ACs) in off-path or in-path mode.
  Description: ACs can connect to core or aggregation switches in off-path mode to manage APs. ACs can also connect directly to APs or access switches in in-path mode; the ACs then also function as aggregation switches that forward and process the APs' data and management traffic.
  Recommended scenario: Deploy ACs in off-path mode on a live network that needs only small-scale reconstruction. For small and midsize new networks, deploy ACs in in-path mode to simplify the network architecture.

● Key point: Determine whether standalone ACs forward wireless data in direct or tunnel mode.
  Description: In direct forwarding mode, the service packets of APs are forwarded to the upper-layer network without CAPWAP encapsulation and do not pass through the AC. In tunnel forwarding mode, the service packets are CAPWAP-encapsulated and forwarded through the AC.
  Recommended scenario: Tunnel forwarding applies to scenarios where service data needs to be centrally managed. Direct forwarding applies to scenarios where high packet forwarding efficiency is required.
  – When a switch functions as the wireless gateway, direct forwarding is recommended for wireless data if free mobility is not deployed, and tunnel forwarding is recommended if free mobility is deployed.
  – When a standalone AC functions as the wireless gateway, tunnel forwarding is recommended for wireless data.

Deployment Description
● Compared with the three-layer architecture, the two-layer architecture does
not have the aggregation layer. This chapter uses the three-layer architecture
as an example. For differences between the two architectures, see 2.2.1.2
Deployment Differences Between Two-Layer and Three-Layer Network
Architectures.
● Multiple switches configured with the CSS or stacking function are virtualized
into one logical switch, simplifying the configuration and networking. For a
deployment example, see 2.2.1.3 Typical CSS and Stack Deployment.

2.2.1.2 Deployment Differences Between Two-Layer and Three-Layer


Network Architectures
The tree topology is recommended as the physical architecture of a campus
network. This topology facilitates network deployment and management, and
features good scalability. Typically, a campus network using the tree topology has
a hierarchical architecture that consists of the terminal layer, access layer,
aggregation layer, and core layer. In actual deployments, you can flexibly select a
two-layer or three-layer network architecture based on the network scale and
service requirements.

Two-Layer Network Architecture


Figure 2-3 shows a two-layer network architecture, which consists of a core layer
and an access layer.

Figure 2-3 Two-layer network architecture

To ensure device-level and link-level reliability on the network, it is recommended


that CSS be configured at the core layer, stacking be configured at the access
layer, and core and access devices be connected through Eth-Trunk interfaces. If
standalone access devices can provide sufficient access capacity for downstream
terminals, you do not need to configure stacking at the access layer.
The networking where CSS, stacking, and Eth-Trunk are used is loop-free. The
configuration is simple because complex ring network protocols (such as RSTP,
MSTP, and RRPP) and reliability protocols do not need to be configured. The
networking ensures device-level and link-level reliability, simplifies the network
topology, and reduces the deployment and maintenance workload.

Three-Layer Network Architecture


Figure 2-4 shows a three-layer network architecture, which consists of a core
layer, an aggregation layer, and an access layer.


Figure 2-4 Three-layer network architecture

To ensure device-level and link-level reliability on the network, it is recommended


that CSS be configured at the core layer, stacking be configured at the
aggregation and access layers, and core, aggregation, and access devices be
connected through Eth-Trunk interfaces. If standalone access devices can provide
sufficient access capacity for downstream terminals, you do not need to configure
stacking at the access layer.

Deployment Differences
The difference between the two network architectures is that the three-layer
network architecture has the aggregation layer, whereas the two-layer network
architecture does not. The aggregation layer is between the core and access layers
and connects to both layers. Aggregation switches aggregate traffic from access
switches, process the traffic, and provide uplinks to the core layer.

The selection of the two network architectures depends on the following factors:
1. Network scale: The number of NEs is proportional to the investment required.
2. Network complexity: The network maintenance cost and fault locating
complexity vary depending on the network complexity. A more complex
network results in more failure points, making fault locating more difficult
and hence increasing the maintenance cost.
3. Transmission distance: A network using the three-layer architecture can span a
longer distance than one using the two-layer architecture, if the differences
between transmission media are not considered.

In general, the two-layer network architecture suits small-scale campuses because of
its simplicity, small number of NEs, and fewer failure points. The three-layer network
architecture suits large-scale campuses, at the price of greater complexity, a larger
number of NEs, and more failure points.

The two-layer network architecture is also common in actual deployments: if the
transmission distance is short and the core devices provide enough interfaces for
the access devices to connect to them directly, the aggregation layer can be
omitted. This reduces the total cost and maintenance workload, and facilitates
network status monitoring.


2.2.1.3 Typical CSS and Stack Deployment

Networking Requirements
At the core layer, two modular switches set up a CSS. At the aggregation layer,
every two fixed switches set up a stack. The CSS at the core layer is connected to
stacks at the aggregation layer through Eth-Trunk interfaces.

Figure 2-5 Campus network

Device Requirements and Versions

● Core layer
  Device requirement: Modular switches that support the CSS function
  Device used in this example: S12700E-8
  Version used in this example: V200R022C10
● Aggregation layer
  Device requirement: Fixed switches that support the stacking function
  Device used in this example: S6730-H-V2
  Version used in this example: V600R022C10
● Access layer
  Device requirement: -
  Device used in this example: S5735-L-V2
  Version used in this example: V600R022C10


NOTE

The stack connection mode, CSS connection mode, and support for the stack and CSS
functions vary according to device models. You can use the Stack Assistant or query the
"Stack Support" or "CSS Support" section in the related product documentation to obtain
detailed information about each device model.

Deployment Roadmap

● Step 1: Configure CSS and multi-active detection (MAD) on core switches. Devices involved: core switches.
● Step 2: Configure stacking and dual-active detection (DAD) on aggregation switches. Devices involved: aggregation switches.
● Step 3: Configure uplink and downlink Eth-Trunk interfaces on switches. Devices involved: core, aggregation, and access switches.

Data Plan

Table 2-4 Software and hardware configuration plan for the CSS
● CSS connection mode: Service port connection
● Number of member switches: 2
● Hardware configuration of each switch: Main control board: two MPUEs. LPU: two LST7X24BX6E0 cards. To ensure reliability, you are advised to configure two cards on each switch; if each switch is configured with one card, two such switches can also set up a CSS. CSS cable: four 3 m SFP+ AOC cables.
● CSS master: The switch with CSS ID 1 is the CSS master.
● CSS priority: The CSS priority of the switch with CSS ID 1 is 150. The switch with CSS ID 2 uses the default CSS priority 1.
● MAD: The two member switches in the CSS are directly connected using an independent cable for MAD. The cable connects XGE 1/1/0/10 and XGE 2/1/0/10.

Table 2-5 Software and hardware configuration plan for a stack
● Stack connection mode: Service port connection
● Number of member switches: 2
● Hardware configuration of each switch: Stack ports: 10GE service ports 10GE 1/0/2 and 10GE 1/0/4. Stack topology: ring topology. Stack cable: two 3 m SFP+ AOC cables.
● Stack master: The stack IDs of the two member switches are changed to 1 and 2 respectively. The switch with stack ID 1 is the master switch.
● Stack priority: The stack priority of the switch with stack ID 1 is 150. The stack priority of the switch with stack ID 2 is 100.
● DAD: The two member switches in the stack are directly connected using an independent cable for DAD. The cable connects 10GE 1/0/10 and 10GE 2/0/10.

Table 2-6 Plan for the connections between CSS and stack ports
● CSS's downlink interfaces connected to stacks: Eth-Trunk 10 connected to stack AGG1, containing physical member ports XGE 1/1/0/1 and XGE 2/1/0/2; Eth-Trunk 20 connected to stack AGG2, containing physical member ports XGE 1/1/0/2 and XGE 2/1/0/1
● Stack AGG1's uplink interface connected to the CSS: Eth-Trunk 10 containing physical member ports 10GE 1/0/1 and 10GE 2/0/1
● Stack AGG2's uplink interface connected to the CSS: Eth-Trunk 20 containing physical member ports 10GE 1/0/1 and 10GE 2/0/1
● Stack AGG1's downlink interface connected to ACC1: Eth-Trunk 30 containing physical member ports 10GE 1/0/3 and 10GE 2/0/3
● Stack AGG2's downlink interface connected to ACC2: Eth-Trunk 40 containing physical member ports 10GE 1/0/3 and 10GE 2/0/3
● ACC1's uplink interface connected to AGG1: Eth-Trunk 30 containing physical member ports 10GE 1/0/1 and 10GE 1/0/2
● ACC2's uplink interface connected to AGG2: Eth-Trunk 40 containing physical member ports 10GE 1/0/1 and 10GE 1/0/2

Note that every Eth-Trunk on the CSS and on the stacks takes one member port from each chassis or stack member (for example XGE 1/1/0/1 and XGE 2/1/0/2 on the CSS, 10GE 1/0/1 and 10GE 2/0/1 on AGG1). This is what gives the design device-level redundancy: the failure of one member switch, or of one cable, leaves the Eth-Trunk up on the remaining member.

Procedure
Step 1 Set up a CSS.
1. Power off the switches, install CSS LPUs, and connect CSS cables and the
MAD cable according to the following figure.

Figure 2-6 Connecting cables to set up a CSS


NOTE
To ensure reliability, you are advised to adopt the following suggestions:
– Add at least two physical member ports on an LPU to a CSS port.
– Configure uplink ports and MAD-enabled ports on LPUs that are not used to set up a CSS.
2. Power on the two switches and configure them according to the data plan.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] set css id 1
[Switch1] set css priority 150 //Set the CSS priority of Switch1 to 150.
[Switch1] interface css-port 1
[Switch1-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch1-css-port1] quit
[Switch1] interface css-port 2
[Switch1-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch1-css-port2] quit
[Switch1] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off LPU 150 Off

[Switch1] css enable //After confirming that the CSS configuration is correct, enable the CSS
function and restart the switch. To ensure that Switch1 becomes the master switch, restart it first.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] set css id 2 //Set the CSS ID to 2. Retain the default CSS priority of Switch2.
[Switch2] interface css-port 1
[Switch2-css-port1] port interface xgigabitethernet 4/0/1 to xgigabitethernet 4/0/2 enable
[Switch2-css-port1] quit
[Switch2] interface css-port 2
[Switch2-css-port2] port interface xgigabitethernet 5/0/1 to xgigabitethernet 5/0/2 enable
[Switch2-css-port2] quit
[Switch2] display css status saved //Check whether the CSS configuration is correct.
CSS port media-type: SFP+
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off LPU 1 Off
[Switch2] css enable //After confirming that the CSS configuration is correct, enable the CSS
function and restart the switch.
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
3. After the switches are restarted, check whether the CSS is set up successfully.
# Check the CSS status by observing CSS indicators on main control boards of
the switches.
The ACT indicator on a main control board of Switch1 is steady green,
indicating that this main control board is the CSS master main control board
and Switch1 is the master switch.
The ACT indicator on a main control board of Switch2 is blinking green,
indicating that this main control board is the CSS standby main control board
and Switch2 is the standby switch.
# Log in to the CSS through the console interface on any main control board
and run commands to check whether the CSS is set up successfully.
Switch1 with a higher CSS priority becomes the master switch of the CSS.
When you run the display device command to check the CSS status, the CSS
name is Switch1.
<Switch1> display device
Chassis 1 (Master Switch)


S12700E-8's Device status:


Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - LST7X24BX6E0 Present PowerOn Registered Normal NA
2 - LST7X24BX6E0 Present PowerOn Registered Normal NA
3 - - Present PowerOn Unregistered - NA
9 - LST7MPUE0000 Present PowerOn Registered Normal Master
10 - LST7MPUE0000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12700E-8's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - LST7X24BX6E0 Present PowerOn Registered Normal NA
2 - LST7X24BX6E0 Present PowerOn Registered Normal NA
3 - - Present PowerOn Unregistered - NA
9 - LST7MPUE0000 Present PowerOn Registered Normal Master
10 - LST7MPUE0000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present - Unregistered - NA
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
<Switch1> display css status
CSS Enable switch On
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master LPU 150 Off
2 On Standby LPU 1 Off
<Switch1> display css channel all //Check whether the CSS topology is consistent with hardware
connections.
CSS link-down-delay: 500ms

Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/4/0/1 XGigabitEthernet2/4/0/1 2/1
2 1/1 XGigabitEthernet1/4/0/2 XGigabitEthernet2/4/0/2 2/1
3 1/2 XGigabitEthernet1/5/0/1 XGigabitEthernet2/5/0/1 2/2
4 1/2 XGigabitEthernet1/5/0/2 XGigabitEthernet2/5/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/4/0/1 XGigabitEthernet1/4/0/1 1/1
2 2/1 XGigabitEthernet2/4/0/2 XGigabitEthernet1/4/0/2 1/1
3 2/2 XGigabitEthernet2/5/0/1 XGigabitEthernet1/5/0/1 1/2
4 2/2 XGigabitEthernet2/5/0/2 XGigabitEthernet1/5/0/2 1/2
<Switch1> system-view
[Switch1] sysname CORE //Change the CSS name to make it easy to remember.

4. Configure MAD after the CSS is set up.
If the CSS splits, both member switches act as the master and run the same
configuration, so the same IP and MAC addresses appear twice on the network and
services are affected. To avoid this problem, use a cable to directly connect the
two member switches for MAD after the CSS is set up. To be specific, the cable
connects XGE 1/1/0/10 and XGE 2/1/0/10, as shown in Figure 2-6. When MAD
detects a split, the chassis that loses the MAD competition enters the Recovery
state and shuts down its service ports (except excluded ports), so that only one
chassis keeps forwarding.
[CORE] interface xgigabitethernet 1/1/0/10
[CORE-XGigabitEthernet1/1/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CORE-XGigabitEthernet1/1/0/10] quit
[CORE] interface xgigabitethernet 2/1/0/10
[CORE-XGigabitEthernet2/1/0/10] mad detect mode direct
Warning: This command will block the port, and no other configuration running on this port is recommended. Continue?[Y/N]:y
[CORE-XGigabitEthernet2/1/0/10] return
<CORE> display mad verbose //Check the MAD configuration.
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
    XGigabitEthernet1/1/0/10
    XGigabitEthernet2/1/0/10
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):

Step 2 Set up a stack.


The following uses AGG1 as an example to describe how to set up a stack. The
stack setup and configuration procedure of AGG2 is the same as that of AGG1.
1. Configure the two fixed switches according to the data plan.
NOTE
If dedicated stack cables are used, skip this step.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] stack
[Switch1-stack] stack member 1 priority 150
[Switch1-stack] quit
[Switch1] interface Stack-Port 1/1
[Switch1-Stack-Port1/1] port member-group interface 10GE 1/0/2 10GE 1/0/4
[Switch1-Stack-Port1/1] quit
[Switch1] return
<Switch1> save //The stack configuration itself is written to the flash memory automatically and does not need to be saved manually. Run the save command anyway so that the other configurations are not lost.
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.......
Save the configuration successfully.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] stack
[Switch2-stack] stack member 1 priority 100
[Switch2-stack] stack member 1 renumber 2
[Switch2-stack] quit
[Switch2] interface Stack-Port 1/1
[Switch2-Stack-Port1/1] port member-group interface 10GE 1/0/2 10GE 1/0/4
[Switch2-Stack-Port1/1] quit
[Switch2] return
<Switch2> save //The stack configuration itself is written to the flash memory automatically and does not need to be saved manually. Run the save command anyway so that the other configurations are not lost.
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0.......
Save the configuration successfully.

2. Power off the switches, and connect stack cables and the DAD cable
according to Figure 2-7. As shown in Figure 2-7, two S6730-H28X6CZ-V2 switches
set up a stack, and the stack ports are the same as the ports configured in the
preceding step.

Figure 2-7 Connecting cables to set up a stack

3. Power on the switches. After they start, check whether the stack is set up successfully.
<Switch1> display stack configuration //The command output shows that the stack is set up successfully, and Switch1 is the master switch.
Oper : Operation
Conf : Configuration
* : Offline configuration
# : Media mismatch or absence

Attribute Configuration:
--------------------------------------------------------------------------
MemberID     Domain       Priority     DelayTime
Oper(Conf)   Oper(Conf)   Oper(Conf)   Oper(Conf)
--------------------------------------------------------------------------
1(1)         10(10)       150(150)     0(0)
2(2)         10(10)       100(100)     0(0)
--------------------------------------------------------------------------

Stack-Port Configuration:
--------------------------------------------------------------------------------
Stack-Port Member Ports
--------------------------------------------------------------------------------
Stack-Port1/1 10GE1/1/0/2 10GE1/1/0/4
Stack-Port2/1 10GE2/1/0/2 10GE2/1/0/4
--------------------------------------------------------------------------------

Stack-Global Configuration:
--------------------------------------------------------------------------------
AuthMode Password
--------------------------------------------------------------------------------
hmac-sha256 ******
--------------------------------------------------------------------------------
<Switch1> system-view
[Switch1] sysname AGG1 //Change the stack name to make it easy to remember.
4. Configure DAD after the stack is set up.
If the stack splits, both member switches act as the master and run the same
configuration, so the same IP and MAC addresses appear twice on the network and
services are affected. To avoid this problem, use a cable to directly connect the
two member switches for DAD after the stack is set up. To be specific, the cable
connects 10GE 1/0/10 and 10GE 2/0/10, as shown in Figure 2-7.
[AGG1] interface 10ge 1/0/10
[AGG1-10GE1/0/10] dual-active detect mode direct
Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
[AGG1-10GE1/0/10] quit
[AGG1] interface 10ge 2/0/10
[AGG1-10GE2/0/10] dual-active detect mode direct
Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
[AGG1-10GE2/0/10] return
<AGG1> display dual-active //Check the DAD configuration.
Stack domainID: 10
Dual-active status: Normal
Dual-active detect mode: Direct
Dual-active direct detect interfaces configured:
    10GE1/0/10   up (Physical)   up (Protocol)   10 (PeerDomain)
    10GE2/0/10   up (Physical)   up (Protocol)   10 (PeerDomain)
Dual-active relay detect interfaces configured:
    --
Excluded ports(configurable):
    --

Step 3 Configure Eth-Trunk interfaces between the CSS and stacks and between the
stacks and access switches.
1. Configure Eth-Trunk interfaces in the CSS.
<CORE> system-view
[CORE] interface eth-trunk 10 //Create an Eth-Trunk interface for connecting to AGG1.
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitEthernet1/1/0/1] eth-trunk 10
[CORE-XGigabitEthernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitEthernet2/1/0/2] eth-trunk 10
[CORE-XGigabitEthernet2/1/0/2] quit
[CORE] interface eth-trunk 20 //Create an Eth-Trunk interface for connecting to AGG2.
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 1/1/0/2
[CORE-XGigabitEthernet1/1/0/2] eth-trunk 20
[CORE-XGigabitEthernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1
[CORE-XGigabitEthernet2/1/0/1] eth-trunk 20
[CORE-XGigabitEthernet2/1/0/1] quit

2. Configure Eth-Trunk interfaces on stack AGG1.


<AGG1> system-view
[AGG1] interface eth-trunk 10 //Create an Eth-Trunk interface for connecting to the CSS.
[AGG1-Eth-Trunk10] mode lacp-static
[AGG1-Eth-Trunk10] quit
[AGG1] interface 10ge 1/0/1
[AGG1-10GE1/0/1] eth-trunk 10
[AGG1-10GE1/0/1] quit
[AGG1] interface 10ge 2/0/1
[AGG1-10GE2/0/1] eth-trunk 10
[AGG1-10GE2/0/1] quit
[AGG1] interface eth-trunk 30 //Create an Eth-Trunk interface for connecting to access switch ACC1.
[AGG1-Eth-Trunk30] mode lacp-static
[AGG1-Eth-Trunk30] quit
[AGG1] interface 10ge 1/0/3
[AGG1-10GE1/0/3] eth-trunk 30
[AGG1-10GE1/0/3] quit
[AGG1] interface 10ge 2/0/3
[AGG1-10GE2/0/3] eth-trunk 30
[AGG1-10GE2/0/3] quit

3. Configure Eth-Trunk interfaces on stack AGG2.


<AGG2> system-view
[AGG2] interface eth-trunk 20 //Create an Eth-Trunk interface for connecting to the CSS.
[AGG2-Eth-Trunk20] mode lacp-static
[AGG2-Eth-Trunk20] quit
[AGG2] interface 10ge 1/0/1
[AGG2-10GE1/0/1] eth-trunk 20
[AGG2-10GE1/0/1] quit
[AGG2] interface 10ge 2/0/1
[AGG2-10GE2/0/1] eth-trunk 20
[AGG2-10GE2/0/1] quit
[AGG2] interface eth-trunk 40 //Create an Eth-Trunk interface for connecting to access switch ACC2.
[AGG2-Eth-Trunk40] mode lacp-static
[AGG2-Eth-Trunk40] quit
[AGG2] interface 10ge 1/0/3
[AGG2-10GE1/0/3] eth-trunk 40


[AGG2-10GE1/0/3] quit
[AGG2] interface 10ge 2/0/3
[AGG2-10GE2/0/3] eth-trunk 40
[AGG2-10GE2/0/3] quit
4. Configure an Eth-Trunk interface on access switch ACC1.
<ACC1> system-view
[ACC1] interface eth-trunk 30 //Create an Eth-Trunk interface for connecting to stack AGG1.
[ACC1-Eth-Trunk30] mode lacp-static
[ACC1-Eth-Trunk30] quit
[ACC1] interface 10ge 1/0/1
[ACC1-10GE1/0/1] eth-trunk 30
[ACC1-10GE1/0/1] quit
[ACC1] interface 10ge 1/0/2
[ACC1-10GE1/0/2] eth-trunk 30
[ACC1-10GE1/0/2] quit
5. Configure an Eth-Trunk interface on access switch ACC2.
<ACC2> system-view
[ACC2] interface eth-trunk 40 //Create an Eth-Trunk interface for connecting to stack AGG2.
[ACC2-Eth-Trunk40] mode lacp-static
[ACC2-Eth-Trunk40] quit
[ACC2] interface 10ge 1/0/1
[ACC2-10GE1/0/1] eth-trunk 40
[ACC2-10GE1/0/1] quit
[ACC2] interface 10ge 1/0/2
[ACC2-10GE1/0/2] eth-trunk 40
[ACC2-10GE1/0/2] quit

----End

Configuration Scripts
NOTE

The CSS and stack configurations are not recorded in the configuration file, but are instead
directly written into the flash memory. Therefore, the configuration file does not contain
the CSS and stack configurations, and contains only the DAD/MAD and Eth-Trunk interface
configurations.
● CSS
#
sysname CORE
#
interface Eth-Trunk10
mode lacp
#
interface Eth-Trunk20
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return


● AGG1
#
sysname AGG1
#
interface Eth-Trunk10
 mode lacp-static
#
interface Eth-Trunk30
 mode lacp-static
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/10
 dual-active detect mode direct
#
interface 10GE2/0/1
 eth-trunk 10
#
interface 10GE2/0/3
 eth-trunk 30
#
interface 10GE2/0/10
 dual-active detect mode direct
#
return

● AGG2
#
sysname AGG2
#
interface Eth-Trunk20
 mode lacp-static
#
interface Eth-Trunk40
 mode lacp-static
#
interface 10GE1/0/1
 eth-trunk 20
#
interface 10GE1/0/3
 eth-trunk 40
#
interface 10GE1/0/10
 dual-active detect mode direct
#
interface 10GE2/0/1
 eth-trunk 20
#
interface 10GE2/0/3
 eth-trunk 40
#
interface 10GE2/0/10
 dual-active detect mode direct
#
return

● ACC1
#
sysname ACC1
#
interface Eth-Trunk30
 mode lacp-static
#
interface 10GE1/0/1
 eth-trunk 30
#
interface 10GE1/0/2
 eth-trunk 30
#
return

● ACC2
#
sysname ACC2
#
interface Eth-Trunk40
 mode lacp-static
#
interface 10GE1/0/1
 eth-trunk 40
#
interface 10GE1/0/2
 eth-trunk 40
#
return
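The configuration scripts above are short enough to check by eye, but on a real campus the same two properties need to hold on every stack and on the CSS: each Eth-Trunk takes one member port from each chassis or stack member, and the MAD/DAD detect port carries nothing else. The following script is an added example, not part of the Huawei document: it parses the configuration-file format shown above ('#'-separated blocks, an 'interface ...' header followed by indented commands) and reports Eth-Trunks with fewer than two member ports, Eth-Trunks whose members all sit on one member switch, and detect ports that also carry other configuration. AGG1_CFG is an excerpt of the AGG1 script above; BAD_CFG is a constructed counter-example.

```python
"""Audit Eth-Trunk membership and MAD/DAD detect ports in a saved configuration.

Added example, not part of the Huawei document. AGG1_CFG is an excerpt of the
AGG1 configuration script above; BAD_CFG is a constructed counter-example in
which Eth-Trunk 30 lives entirely on stack member 1 and the DAD port has
also been added to the trunk.
"""
import re

AGG1_CFG = """\
#
sysname AGG1
#
interface Eth-Trunk10
 mode lacp-static
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/10
 dual-active detect mode direct
#
interface 10GE2/0/1
 eth-trunk 10
#
interface 10GE2/0/10
 dual-active detect mode direct
#
return
"""

BAD_CFG = """\
#
interface Eth-Trunk30
 mode lacp-static
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/4
 eth-trunk 30
#
interface 10GE1/0/10
 dual-active detect mode direct
 eth-trunk 30
#
return
"""


def parse_interfaces(cfg):
    """Return {interface name: [commands]} for every 'interface' block."""
    blocks, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            blocks[name] = []
        elif line.startswith("#") or not line.startswith(" "):
            name = None  # '#', 'return', 'sysname' and blank lines end a block
        elif name is not None:
            blocks[name].append(line.strip())
    return blocks


def member_id(iface):
    """Chassis or stack member ID: the first number followed by '/' in the name."""
    return int(re.search(r"(\d+)/", iface).group(1))


def audit(cfg, multi_member=True):
    """Return findings; pass multi_member=False for a standalone (non-stacked) switch."""
    findings, trunks = [], {}
    for iface, cmds in parse_interfaces(cfg).items():
        if iface.startswith("Eth-Trunk"):
            trunks.setdefault(int(iface[9:]), [])
            continue
        # A 'mad detect' / 'dual-active detect' port must carry no other config.
        if any("detect mode" in c for c in cmds) and len(cmds) > 1:
            findings.append("detect port %s also carries %s"
                            % (iface, [c for c in cmds if "detect mode" not in c]))
        for c in cmds:
            if c.startswith("eth-trunk "):
                trunks.setdefault(int(c.split()[1]), []).append(iface)
    for num, ports in sorted(trunks.items()):
        if len(ports) < 2:
            findings.append("Eth-Trunk %d has %d member port(s)" % (num, len(ports)))
        elif multi_member and len({member_id(p) for p in ports}) < 2:
            findings.append("Eth-Trunk %d members %s are all on one member switch"
                            % (num, ports))
    return findings


if __name__ == "__main__":
    for label, cfg in (("AGG1", AGG1_CFG), ("BAD", BAD_CFG)):
        print(label, audit(cfg) or "OK")
```

Feed it the output of display current-configuration from each device; use multi_member=False for standalone access switches such as ACC1 and ACC2, where both member ports necessarily sit on the same switch and only the two-port minimum applies.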

2.2.1.4 Standalone AC Solution: Core Switches Function as Gateways for Wired and Wireless Users

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Standalone ACs are deployed in off-path mode. They function as gateways to
assign IP addresses to APs and centrally manage network-wide APs.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth.
In this example, core switches set up a CSS that functions as the gateway for
wired and wireless users on the entire network and is responsible for routing and
forwarding of user services.


Figure 2-8 Core switches functioning as gateways + standalone ACs

Device Requirements and Versions

Location           Device Requirement   Device Used in This Example   Version Used in This Example
Core layer         -                    S12700E                       V200R022C10
Aggregation layer  -                    S6730-H-V2                    V600R022C10
Access layer       -                    S5735-L-V2                    V600R022C10
AC                 -                    AC6805                        V200R022C10
AP                 -                    AirEngine 8760-X1-PRO         V200R022C10

Deployment Roadmap

Step  Deployment Roadmap                                                              Devices Involved
1     Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk interfaces     Core and aggregation switches
      on switches.
2     Configure interfaces and VLANs on the switches and ACs, and configure IP        Core, aggregation, and access
      addresses and routes for Layer 3 interfaces to ensure network connectivity.      switches and ACs
3     Configure core switches as DHCP servers to assign IP addresses to wired and     Core switches and ACs
      wireless users, and ACs as DHCP servers to assign IP addresses to APs.
4     Configure VRRP HSB on ACs.                                                      ACs
5     Configure wireless services on ACs so that APs and STAs can go online.          ACs
6     Configure wireless configuration synchronization in the scenario where VRRP     ACs
      HSB is configured.

Data Plan

Table 2-7 Service data plan for core switches

Item                                        VLAN ID    Network Segment
Service VLANs for wireless users (AP1)      VLAN 30    172.16.30.0/24
                                            VLAN 40    172.16.40.0/24
Service VLAN for wired users (PC1)          VLAN 50    172.16.50.0/24
Service VLAN for wired users (PC2)          VLAN 60    172.16.60.0/24
VLAN for communication with CORE-ACs        VLAN 20    192.168.20.20/24
VLAN for communication with servers         VLAN 1000  192.168.11.254/24

Table 2-8 Service data plan for CORE-ACs

Item                                                      VLAN ID    Network Segment
Management VLAN for APs                                   VLAN 20    192.168.20.0/24
VLAN for communication between CORE-AC1 and CORE-AC2      VLAN 100   172.16.100.0/24
VLAN for wireless configuration synchronization between   VLAN 200   172.16.200.0/24 (not used in the
CORE-AC1 and CORE-AC2 in an HSB group                                procedure below, which runs the
                                                                     synchronization over the VLAN 100
                                                                     addresses 172.16.100.1/2)

Table 2-9 Wireless service data plan for CORE-ACs

Item                                          Data
AP group                                      ap-group1
Regulatory domain profile                     domain1
SSID profiles                                 ssid1 (SSID test01) and ssid2 (SSID test02)
VAP profiles                                  vap1 and vap2 (direct forwarding is used in both VAP profiles)
CAPWAP source interface and IP address        VLANIF 20: 192.168.20.1/24
(CORE-AC1)
CAPWAP source interface and IP address        VLANIF 20: 192.168.20.2/24
(CORE-AC2)

Deployment Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Interfaces need to
transparently transmit packets from specific VLANs, instead of all VLANs,
based on actual service requirements.
● In direct forwarding mode, use different VLANs as the management VLAN and the
service VLAN; otherwise services may be interrupted. For example, if one VLAN is
both the management VLAN and the service VLAN, and the switch interface
connected to the AP uses that VLAN ID as its PVID, downstream service packets
leave the switch with their VLAN tag stripped (the VLAN is terminated on the
interface), so the AP no longer recognizes them as service-VLAN packets and
services are interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Because of this, service packets and management packets can be transmitted
properly only if the network between APs and the upper-layer network is
added to the service VLAN and the network between ACs and APs is added to
the management VLAN.


● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on which
interface to enable the DHCP server function. Only the master AC
allocates IP addresses, and IP address allocation information will be
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.

For details, see 2.2.1.3 Typical CSS and Stack Deployment.

Step 2 Configure interfaces and VLANs on CORE.

# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Configure an Eth-Trunk interface for connecting to AGG1. The configuration of
the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description con to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] port trunk allow-pass vlan 20 30 40 50
[CORE-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to CORE-AC1 and add interfaces to it. The
configuration of the Eth-Trunk interface for connecting to CORE-AC2 is similar.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] description con to CORE-AC1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk1] port trunk allow-pass vlan 20
[CORE-Eth-Trunk1] quit
[CORE] interface xgigabitethernet 1/1/0/3
[CORE-XGigabitEthernet1/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet1/1/0/3] quit
[CORE] interface xgigabitethernet 2/1/0/3


[CORE-XGigabitEthernet2/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet2/1/0/3] quit

# Add the interface connected to the server zone to VLAN 1000.


[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.

# Create VLANs.
[AGG1] vlan batch 20 30 40 50

# Configure an Eth-Trunk interface for connecting to CORE.


[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp-static
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 20 30 40 50
[AGG1-Eth-Trunk10] quit
[AGG1] interface 10ge 1/0/1
[AGG1-10GE1/0/1] eth-trunk 10
[AGG1-10GE1/0/1] quit
[AGG1] interface 10ge 2/0/1
[AGG1-10GE2/0/1] eth-trunk 10
[AGG1-10GE2/0/1] quit

# Configure downlink interfaces for connecting to ACC1.


[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp-static
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 30 40 50
[AGG1-Eth-Trunk30] port-isolate enable group 1
[AGG1-Eth-Trunk30] quit
[AGG1] interface 10ge 1/0/3
[AGG1-10GE1/0/3] eth-trunk 30
[AGG1-10GE1/0/3] quit
[AGG1] interface 10ge 2/0/3
[AGG1-10GE2/0/3] eth-trunk 30
[AGG1-10GE2/0/3] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.

# Create VLANs.
[ACC1] vlan batch 20 30 40 50

# Configure uplink interfaces for connecting to AGG1.


[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp-static
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 30 40 50
[ACC1-Eth-Trunk30] quit
[ACC1] interface 10ge 1/0/1
[ACC1-10GE1/0/1] eth-trunk 30
[ACC1-10GE1/0/1] quit
[ACC1] interface 10ge 1/0/2
[ACC1-10GE1/0/2] eth-trunk 30
[ACC1-10GE1/0/2] quit


# Configure downlink interfaces connected to a user PC and AP1, and configure
the interfaces as edge ports. The AP-facing port is a trunk whose PVID is the
management VLAN, so that the AP's untagged CAPWAP traffic lands in VLAN 20;
VLAN 1 is removed from it as required by the Deployment Precautions.
[ACC1] interface GE1/0/3
[ACC1-GE1/0/3] port link-type access
[ACC1-GE1/0/3] port default vlan 50
[ACC1-GE1/0/3] port-isolate enable group 1
[ACC1-GE1/0/3] stp edged-port enable
[ACC1-GE1/0/3] quit
[ACC1] interface GE1/0/4
[ACC1-GE1/0/4] port link-type trunk
[ACC1-GE1/0/4] port trunk pvid vlan 20
[ACC1-GE1/0/4] undo port trunk allow-pass vlan 1
[ACC1-GE1/0/4] port trunk allow-pass vlan 20 30 40
[ACC1-GE1/0/4] port-isolate enable group 1
[ACC1-GE1/0/4] stp edged-port enable
[ACC1-GE1/0/4] quit

Step 5 Configure interfaces and VLANs on CORE-AC1. The configuration on CORE-AC2 is
similar.
# Configure downlink interfaces for connecting to CORE.
<AC6805> system-view
[AC6805] sysname CORE-AC1
[CORE-AC1] vlan batch 20 100
[CORE-AC1] interface eth-trunk 1
[CORE-AC1-Eth-Trunk1] mode lacp
[CORE-AC1-Eth-Trunk1] port link-type trunk
[CORE-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[CORE-AC1-Eth-Trunk1] quit
[CORE-AC1] interface xgigabitethernet0/0/21
[CORE-AC1-XGigabitEthernet0/0/21] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/21] quit
[CORE-AC1] interface xgigabitethernet0/0/22
[CORE-AC1-XGigabitEthernet0/0/22] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/22] quit
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-AC1-Vlanif20] quit

# Configure an interface for connecting CORE-AC1 to CORE-AC2.


[CORE-AC1] interface gigabitethernet 0/0/2
[CORE-AC1-GigabitEthernet0/0/2] port link-type trunk
[CORE-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[CORE-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[CORE-AC1-GigabitEthernet0/0/2] quit
[CORE-AC1] interface vlanif 100
[CORE-AC1-Vlanif100] ip address 172.16.100.1 255.255.255.0
[CORE-AC1-Vlanif100] quit

Step 6 Configure DHCP on CORE so that CORE functions as a DHCP server to assign IP
addresses to wired and wireless users.
# Enable DHCP globally and configure DHCP snooping for the service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 30
[CORE-vlan30] dhcp snooping enable
[CORE-vlan30] quit
[CORE] vlan 40
[CORE-vlan40] dhcp snooping enable
[CORE-vlan40] quit
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60


[CORE-vlan60] dhcp snooping enable


[CORE-vlan60] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services, and
configure CORE to assign IP addresses to STAs from the interface address pools.
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-Vlanif30] dhcp select interface
[CORE-Vlanif30] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wireless service VLAN. STAs are isolated at Layer 2 by the VAP traffic profiles (user-isolate l2, Step 11), so without this command wireless users in the same VLAN cannot communicate with each other through the gateway. Configure it only if STA-to-STA communication is required.
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-Vlanif40] dhcp select interface
[CORE-Vlanif40] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wireless service VLAN, as for VLANIF 30. Configure it only if STA-to-STA communication is required.
[CORE-Vlanif40] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services, and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN. Wired users on isolated access ports (port-isolate, Step 4) cannot reach each other at Layer 2, so without this command they cannot communicate with each other at all. Configure it only if user-to-user communication is required.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.11.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in the wired service VLAN, as for VLANIF 50. Configure it only if user-to-user communication is required.
[CORE-Vlanif60] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.


[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.20 255.255.255.0
[CORE-Vlanif20] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.


[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit
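
The Deployment Precautions (VLAN 1 removed from every interface, management VLAN distinct from the service VLAN in direct forwarding mode, AP-facing port PVID equal to the management VLAN) and the per-VLAN DHCP snooping configured in Step 6 can all be verified offline from a saved configuration before the switches go into service. The following Python script is an added example, not part of the Huawei document or of any Huawei tool. It parses the saved-configuration layout shown on this page (one-space indented sub-commands under interface, vlan and wlan views, `#` separators) and reports each violation as a (rule, object) pair. SAMPLE_CONFIG, the rule names, and the heuristic that an edge trunk carrying the management VLAN is an AP-facing port are constructed for the example.

```python
import re

# Constructed sample in the saved-configuration layout the page shows; it mixes
# compliant and non-compliant blocks so that each rule below fires at least once.
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 30
 dhcp snooping enable
#
vlan 60
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 40 50
#
interface GE1/0/5
 port link-type trunk
 port trunk allow-pass vlan 20 30 40
 stp edged-port enable
#
wlan
 vap-profile name vap1
  service-vlan vlan-id 30
 vap-profile name vap-bad
  service-vlan vlan-id 20
#
return
"""


def parse_blocks(text):
    """Split a VRP saved configuration into (header, [indented lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            continue
        if raw[0] != " ":            # non-indented: interface/vlan/wlan view or global command
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.rstrip())
    return blocks


def parse_vlan_list(spec):
    """Expand a VRP VLAN list such as '20 30 to 32 40' into a set of ints."""
    vlans, tok = set(), spec.split()
    for i, t in enumerate(tok):
        if t == "to":
            vlans.update(range(int(tok[i - 1]), int(tok[i + 1]) + 1))
        elif t.isdigit():
            vlans.add(int(t))
    return vlans


def vap_profiles(wlan_lines):
    """Return [(name, [commands])] for each vap-profile view inside the wlan view."""
    profiles = []
    for line in wlan_lines:
        if m := re.match(r" vap-profile name (\S+)$", line):
            profiles.append((m.group(1), []))
        elif profiles and line.startswith("  "):
            profiles[-1][1].append(line.strip())
    return profiles


def audit(text, service_vlans, mgmt_vlan):
    """Return [(rule, object)] findings for the deployment precautions on this page."""
    blocks = parse_blocks(text)
    findings = []
    if "dhcp snooping enable" not in {h for h, _ in blocks}:
        findings.append(("dhcp-snooping-global", "system"))
    snooped = {int(m.group(1)) for h, lines in blocks
               if (m := re.match(r"vlan (\d+)$", h)) and " dhcp snooping enable" in lines}
    findings += [("dhcp-snooping-vlan", f"vlan {v}") for v in sorted(set(service_vlans) - snooped)]
    for header, lines in blocks:
        cmds = [l.strip() for l in lines]
        if header.startswith("interface ") and "port link-type trunk" in cmds:
            name = header.split(None, 1)[1]
            if "undo port trunk allow-pass vlan 1" not in cmds:   # VLAN 1 is allowed by default
                findings.append(("trunk-allows-vlan1", name))
            allowed, pvid = set(), 1
            for c in cmds:
                if m := re.match(r"port trunk allow-pass vlan (.+)", c):
                    allowed |= parse_vlan_list(m.group(1))
                if m := re.match(r"port trunk pvid vlan (\d+)", c):
                    pvid = int(m.group(1))
            # AP-facing edge trunk: the AP's untagged CAPWAP traffic must land in the mgmt VLAN.
            if "stp edged-port enable" in cmds and mgmt_vlan in allowed and pvid != mgmt_vlan:
                findings.append(("ap-port-pvid", name))
        if header == "wlan":
            for name, cmds in vap_profiles(lines):
                svc = [int(c.split()[-1]) for c in cmds if c.startswith("service-vlan vlan-id ")]
                # forward-mode defaults to direct-forward, so only explicit tunnel mode is exempt.
                if "forward-mode tunnel" not in cmds and mgmt_vlan in svc:
                    findings.append(("vap-mgmt-equals-service", name))
    return findings
```

Run `audit(SAMPLE_CONFIG, {30, 60}, 20)` against the sample: Eth-Trunk30 passes, GE1/0/5 is reported twice (VLAN 1 still allowed, PVID 1 on an AP-facing port), VLAN 60 lacks DHCP snooping, and vap-bad puts the service VLAN on the management VLAN. On a real device, feed it the output of `display current-configuration` and the service VLAN set from the data plan.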

Step 7 Configure DHCP on CORE-AC1 so that CORE-AC1 functions as a DHCP server to
assign IP addresses to APs. The configuration on CORE-AC2 is similar. The peer
AC's address, the VRRP virtual IP address (configured in Step 9), and CORE's
VLANIF 20 address are excluded so that the pool never offers them to an AP.
[CORE-AC1] dhcp enable
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] dhcp select interface
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.3 //VRRP virtual IP address of the AC pair (Step 9).
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[CORE-AC1-Vlanif20] quit

Step 8 Configure routes from CORE-AC1 to the network segments of wired users and the
server zone. The configuration on CORE-AC2 is similar.


[CORE-AC1] ip route-static 172.16.50.0 255.255.255.0 192.168.20.20


[CORE-AC1] ip route-static 172.16.60.0 255.255.255.0 192.168.20.20
[CORE-AC1] ip route-static 192.168.11.0 255.255.255.0 192.168.20.20

Step 9 Configure VRRP HSB on CORE-AC1. The configuration on CORE-AC2 is similar.


# Set the recovery delay of the VRRP group to 60 seconds.
[CORE-AC1] vrrp recover-delay 60

# Create a management VRRP group on CORE-AC1. Set the priority of CORE-AC1
in the VRRP group to 120 and set the preemption delay to 1200 seconds.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[CORE-AC1-Vlanif20] vrrp vrid 1 priority 120
[CORE-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[CORE-AC1-Vlanif20] admin-vrrp vrid 1
[CORE-AC1-Vlanif20] quit

# Create HSB service 0 on CORE-AC1 and configure IP addresses and port
numbers for the HSB channel.
[CORE-AC1] hsb-service 0
[CORE-AC1-hsb-service-0] service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port
10241 peer-data-port 10241
[CORE-AC1-hsb-service-0] quit

# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit

# Bind the CORE-AC1 service to HSB group 0.


[CORE-AC1] hsb-service-type access-user hsb-group 0
[CORE-AC1] hsb-service-type ap hsb-group 0
[CORE-AC1] hsb-service-type dhcp hsb-group 0
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] hsb enable
[CORE-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on both
CORE-AC1 and CORE-AC2. In the command output of both devices, the State field
value of CORE-AC1 is Master and that of CORE-AC2 is Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31


[CORE-AC2] display vrrp


Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23

# Check the HSB service status on CORE-AC1 and CORE-AC2. In the command
output of both devices, the value Connected of Service State indicates that the
HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on CORE-AC1 and CORE-AC2 to check
the service status of HSB group 0.
[CORE-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP


DHCP
----------------------------------------------------------
[CORE-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
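
The checks an operator performs by eye on the outputs above can be automated over the captured text of `display vrrp` and `display hsb-group 0` from both ACs. The following Python script is an added example, not part of the Huawei document: it verifies that exactly one AC is Master, that both advertise the same virtual IP, that Group Status is Active on the Master and Inactive on the Backup, that the three service types bound with hsb-service-type in Step 9 (Access-user, AP, DHCP) appear in Group Backup Modules, and that the peer software versions reported by the two sides match (the precaution above requires identical versions). It also flags Auth type : NONE, which the outputs above show: the VRRP group runs unauthenticated on VLAN 20, the AP management VLAN that the access switches extend to the AP ports. VRRP_OUT and HSB_OUT are constructed excerpts in the page's output layout; CORE-AC2's hsb-group excerpt deliberately omits the DHCP module so that one finding is produced.

```python
# Constructed excerpts in the layout of this page's display vrrp and display hsb-group
# output. CORE-AC2's hsb-group excerpt deliberately lacks the DHCP backup module.
VRRP_OUT = {
    "CORE-AC1": """\
Vlanif20 | Virtual Router 1
  State : Master
  Virtual IP : 192.168.20.3
  Master IP : 192.168.20.1
  Auth type : NONE
  Config type : admin-vrrp
""",
    "CORE-AC2": """\
Vlanif20 | Virtual Router 1
  State : Backup
  Virtual IP : 192.168.20.3
  Master IP : 192.168.20.1
  Auth type : NONE
  Config type : admin-vrrp
""",
}
HSB_OUT = {
    "CORE-AC1": """\
Hot Standby Group Information:
----------------------------------------------------------
  Group Vrrp Status : Master
  Group Status : Active
  Peer Group Device Name : AC6805
  Peer Group Software Version : V200R022C10
  Group Backup Modules : Access-user
                         AP
                         DHCP
----------------------------------------------------------
""",
    "CORE-AC2": """\
Hot Standby Group Information:
----------------------------------------------------------
  Group Vrrp Status : Backup
  Group Status : Inactive
  Peer Group Device Name : AC6805
  Peer Group Software Version : V200R022C10
  Group Backup Modules : Access-user
                         AP
----------------------------------------------------------
""",
}
REQUIRED_MODULES = {"Access-user", "AP", "DHCP"}  # hsb-service-type bindings made in Step 9


def parse_display(text):
    """Parse 'Key : Value' lines into a dict; lines without ':' continue the previous key."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= {"-"}:      # skip blanks and dashed rulers
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
        elif last:                              # e.g. the extra 'Group Backup Modules' rows
            fields[last] += " " + line
    return fields


def check_hsb_pair(vrrp_out, hsb_out):
    """Cross-check both ACs' outputs; returns [(rule, object)], empty when the pair is healthy."""
    vrrp = {d: parse_display(t) for d, t in vrrp_out.items()}
    hsb = {d: parse_display(t) for d, t in hsb_out.items()}
    problems = []
    masters = [d for d, f in vrrp.items() if f.get("State") == "Master"]
    if len(masters) != 1:                        # split brain (two masters) or no master at all
        problems.append(("vrrp-master-count", ",".join(masters) or "none"))
    if len({f.get("Virtual IP") for f in vrrp.values()}) != 1:
        problems.append(("vrrp-virtual-ip-mismatch", "pair"))
    for dev, f in vrrp.items():
        if f.get("Auth type", "NONE") == "NONE":  # unauthenticated VRRP on the AP management VLAN
            problems.append(("vrrp-no-auth", dev))
        expected = "Active" if f.get("State") == "Master" else "Inactive"
        if hsb[dev].get("Group Status") != expected:
            problems.append(("hsb-status-mismatch", dev))
        missing = REQUIRED_MODULES - set(hsb[dev].get("Group Backup Modules", "").split())
        if missing:
            problems.append(("hsb-missing-module", f"{dev}:{','.join(sorted(missing))}"))
    if len({f.get("Peer Group Software Version") for f in hsb.values()}) != 1:
        problems.append(("hsb-version-mismatch", "pair"))  # master and backup must run the same version
    return problems
```

`check_hsb_pair(VRRP_OUT, HSB_OUT)` returns the two vrrp-no-auth findings plus `hsb-missing-module` for CORE-AC2, which is exactly the state that results when `hsb-service-type dhcp hsb-group 0` has been left out on one AC: the channel is Connected, but DHCP bindings are not replicated and APs lose their leases on a switchover.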

Step 10 Configure APs to go online on CORE-AC1.


# Configure the AC's source interface.
[CORE-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the
profile, and bind the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code en
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac 00e0-fc12-6660
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac 00e0-fc12-6670
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. In the command output, the State field value is nor,
indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:


nor : normal [2]


ExtraInfo : Extra information
P : insufficient power supply
------------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------------------------------
1 00e0-fc12-6660 area_1 ap-group1 192.168.20.41 AirEngine 8760-X1-PRO nor 0 5M:26S -
2 00e0-fc12-6670 area_2 ap-group1 192.168.20.164 AirEngine 8760-X1-PRO nor 0 2M:52S -
------------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on CORE-AC1.


# Configure WLAN service parameters. Both security profiles use security open, so
the example SSIDs are unauthenticated and unencrypted; use an authenticated
security policy in a production deployment.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] security open
[CORE-AC1-wlan-sec-prof-sec1] quit
[CORE-AC1-wlan-view] ssid-profile name ssid1
[CORE-AC1-wlan-ssid-prof-ssid1] ssid test01
[CORE-AC1-wlan-ssid-prof-ssid1] quit
[CORE-AC1-wlan-view] traffic-profile name traff1
[CORE-AC1-wlan-traffic-prof-traff1] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff1] quit
[CORE-AC1-wlan-view] security-profile name sec2
[CORE-AC1-wlan-sec-prof-sec2] security open
[CORE-AC1-wlan-sec-prof-sec2] quit
[CORE-AC1-wlan-view] ssid-profile name ssid2
[CORE-AC1-wlan-ssid-prof-ssid2] ssid test02
[CORE-AC1-wlan-ssid-prof-ssid2] quit
[CORE-AC1-wlan-view] traffic-profile name traff2
[CORE-AC1-wlan-traffic-prof-traff2] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit


NOTE

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
Before running the learn-client-address dhcp-strict command:
● Run the undo dhcp trust port command in the VAP profile view to disable the DHCP
trusted interface on an AP.
● Run the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile
view to enable STA IP address learning.

# Bind VAP profiles to the AP group.


[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] quit
[CORE-AC1-wlan-view] quit

Step 12 Configure wireless configuration synchronization in the scenario where VRRP HSB
is configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.
# Configure the source interface of CORE-AC2.
[CORE-AC2] capwap source interface vlanif 20

# Configure wireless configuration synchronization on CORE-AC1.


[CORE-AC1] wlan
[CORE-AC1-wlan-view] master controller
[CORE-AC1-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address
172.16.100.1 psk YsHsjx_202206
[CORE-AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC1-master-controller] quit
[CORE-AC1-wlan-view] quit

# Configure wireless configuration synchronization on CORE-AC2.


[CORE-AC2] wlan
[CORE-AC2-wlan-view] master controller
[CORE-AC2-master-controller] master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address
172.16.100.2 psk YsHsjx_202206
[CORE-AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC2-master-controller] quit
[CORE-AC2-wlan-view] quit

# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. In the command output, the
Status field value is cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC automatically restarts.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AC6805 V200R022C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------
Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]:y

NOTE

After wireless configuration synchronization is manually triggered, the backup AC
automatically restarts. After the backup AC restarts, run the display sync-configuration
status command to check whether the wireless configuration synchronization function is
normal.

# Check whether the wireless configuration synchronization function is normal. If
the Status field displays up, the wireless configuration synchronization function is
normal.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
172.16.100.2 Backup AC6805 V200R022C10 up 2019-11-05/19:09:14
----------------------------------------------------------------------------------------------------
Total: 1

----End

Verifying the Configuration


Expected Results

Wired and wireless users can access the campus network.

Verification Method

● Run the following command on CORE-AC1. The command output shows that
APs have obtained IP addresses successfully.
[CORE-AC1] display ip pool interface vlanif20 used
Pool-name : vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :233 Expired :0
Conflict :0 Disabled :19

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id


-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 00e0-fc12-6660 DHCP 72528 Used
163 192.168.20.164 00e0-fc12-6670 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 00e0-fc12-3344 DHCP 48538 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 00e0-fc12-3377 DHCP 48050 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.

# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-3388 2 area_2 1/1 5G 11ac 173/144 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the user connected to AP1.
C:\Users>ping 172.16.30.168

Pinging 172.16.30.168 with 32 bytes of data:
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128
Reply from 172.16.30.168: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.168:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

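The checks above read the display ip pool output by eye. As an added example (not part of the Huawei document), the following Python parser extracts the counters and lease rows from that output format and audits an AP management pool: it verifies that Total equals the sum of the other counters, flags conflicts and out-of-segment leases, and reports any lease held by a MAC address that is not one of the APs registered on the AC. The sample output and the extra rogue lease row are constructed from the outputs shown above; the registered MACs are the ap-mac values from the configuration scripts below.

```python
import ipaddress
import re

# Constructed sample: an abridged copy of the "display ip pool interface vlanif20 used"
# output shown above, keeping the same counters and lease rows.
SAMPLE_POOL_OUTPUT = """\
Pool-name : vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Network : 192.168.20.0
Mask : 255.255.255.0
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :233 Expired :0
Conflict :0 Disabled :19
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 00e0-fc12-6660 DHCP 72528 Used
163 192.168.20.164 00e0-fc12-6670 DHCP 72813 Used
-------------------------------------------------------------------------------------
"""

# Constructed extra lease row: a client on the AP management VLAN that is not a registered AP.
ROGUE_LEASE = "77 192.168.20.78 0011-2233-4455 DHCP 86000 Used\n"

# MAC addresses of the APs registered on the AC (the ap-mac values in the scripts below).
KNOWN_AP_MACS = {"00e0-fc12-6660", "00e0-fc12-6670"}

FIELD_RE = re.compile(r"^(Pool-name|Network|Mask)\s*:\s*(\S+)")
COUNTER_RE = re.compile(r"\b(Total|Used|Idle|Expired|Conflict|Disabled)\s*:\s*(\d+)")
LEASE_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<client_id>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<left>\d+)\s+(?P<status>\S+)\s*$"
)


def parse_ip_pool(text):
    """Return pool name, network, mask, address counters and lease rows."""
    pool = {"name": None, "network": None, "mask": None, "counters": {}, "leases": []}
    for raw in text.splitlines():
        line = raw.strip()
        field = FIELD_RE.match(line)
        if field:
            key = {"Pool-name": "name", "Network": "network", "Mask": "mask"}[field.group(1)]
            pool[key] = field.group(2)
        for key, value in COUNTER_RE.findall(line):
            pool["counters"][key] = int(value)
        lease = LEASE_RE.match(line)
        if lease:
            row = lease.groupdict()
            row["index"], row["left"] = int(row["index"]), int(row["left"])
            pool["leases"].append(row)
    return pool


def audit_pool(pool, known_macs):
    """Findings for an AP management pool: counter sanity, address scope, unknown clients."""
    findings = []
    c = pool["counters"]
    parts = sum(c.get(k, 0) for k in ("Used", "Idle", "Expired", "Conflict", "Disabled"))
    if c.get("Total") != parts:
        findings.append(f"counter mismatch: Total={c.get('Total')} but the other counters sum to {parts}")
    if c.get("Conflict", 0):
        findings.append(f"{c['Conflict']} conflicting address(es): check for another DHCP server or static hosts")
    net = ipaddress.ip_network(f"{pool['network']}/{pool['mask']}", strict=False)
    for row in pool["leases"]:
        if ipaddress.ip_address(row["ip"]) not in net:
            findings.append(f"lease {row['ip']} lies outside {net}")
        if row["status"] == "Used" and row["client_id"] not in known_macs:
            findings.append(f"lease {row['ip']} held by unregistered client {row['client_id']}")
    return findings


if __name__ == "__main__":
    pool = parse_ip_pool(SAMPLE_POOL_OUTPUT)
    print(pool["name"], pool["network"], pool["counters"])
    for finding in audit_pool(parse_ip_pool(SAMPLE_POOL_OUTPUT + ROGUE_LEASE), KNOWN_AP_MACS):
        print("WARNING:", finding)
```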
Configuration Scripts
# CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.11.2
#
interface Vlanif1000
ip address 192.168.11.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return

# AGG1
#
vlan batch 20 30 40 50
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp-static
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp-static
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 30
#
interface 10GE2/0/3
eth-trunk 30
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE2/0/1
eth-trunk 10
#
return

# AGG2
#
vlan batch 20 30 40 60
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp-static
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp-static
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 40
#
interface 10GE2/0/3
eth-trunk 40
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE2/0/1
eth-trunk 20
#
return

# ACC1
#
vlan batch 20 30 40 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 50
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 30
#
interface 10GE1/0/2
eth-trunk 30
#
interface GE1/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 30 40
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2
#
vlan batch 20 30 40 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40 60
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 40
#
interface 10GE1/0/2
eth-trunk 40
#
interface GE1/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 30 40
stp edged-port enable
port-isolate enable group 1
#
return

# CORE-AC1
#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 100
#
dhcp enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 172.16.50.0 255.255.255.0 192.168.20.20
ip route-static 172.16.60.0 255.255.255.0 192.168.20.20
ip route-static 192.168.11.0 255.255.255.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security open
security-profile name sec2
security open
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
return

# CORE-AC2
#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 100
#
dhcp enable
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 172.16.50.0 255.255.255.0 192.168.20.20
ip route-static 172.16.60.0 255.255.255.0 192.168.20.20
ip route-static 192.168.11.0 255.255.255.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
return

2.2.1.5 Standalone AC Solution: Aggregation Switches Function as Gateways for Wired and Wireless Users

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth. Standalone ACs are deployed in off-
path mode. They centrally manage APs on the entire network.
In this example, aggregation switches set up stacks that function as gateways for
wired and wireless users on the entire network and are responsible for routing and
forwarding of user services.

Figure 2-9 Aggregation switches functioning as gateways + standalone ACs

Device Requirements and Versions


Location           Device Requirement   Device Used in This Example   Version Used in This Example
Core layer         -                    S12700E                       V200R022C10
Aggregation layer  -                    S6730-H-V2                    V600R022C10
Access layer       -                    S5735-L-V2                    V600R022C10
AC                 -                    AC6805                        V200R022C10
AP                 -                    AirEngine 8760-X1-PRO         V200R022C10

Deployment Roadmap
Step  Deployment Roadmap                                              Devices Involved
1     Configure CSS, stacking, and uplink and downlink Eth-Trunk      Core and aggregation
      interfaces on switches.                                         switches
2     Configure interfaces and VLANs on the switches and ACs, and     Core, aggregation, and
      configure IP addresses and routes for Layer 3 interfaces to     access switches
      ensure network connectivity.
3     Configure DHCP on the aggregation switches and ACs so that      Aggregation switches
      the switches and ACs function as DHCP servers to assign IP      and ACs
      addresses to wired and wireless users and APs.
4     Configure VRRP HSB on ACs.                                      ACs
5     Configure wireless services on ACs so that APs and STAs can     ACs
      go online.
6     Configure wireless configuration synchronization in the         ACs
      scenario where VRRP HSB is configured.

Data Plan

Table 2-10 Service data plan for core switches


Item                                             VLAN ID     Network Segment
Network segment for communication with AGG1      VLAN 70     172.16.70.0/24
Network segment for communication with AGG2      VLAN 80     172.16.80.0/24
Network segment for communication with servers   VLAN 1000   192.168.11.254/24

Table 2-11 Service data plan for aggregation switches


Device   Item                                              VLAN ID   Network Segment
AGG1     Service VLANs for wireless users                  VLAN 30   172.16.30.0/24
                                                           VLAN 31   172.16.31.0/24
         Service VLAN for wired users                      VLAN 50   172.16.50.0/24
         Network segment for communication with CORE       VLAN 70   172.16.70.0/24
         Network segment for communication with AGG-ACs    VLAN 20   172.16.20.0/24
AGG2     Service VLANs for wireless users                  VLAN 40   172.16.40.0/24
                                                           VLAN 41   172.16.41.0/24
         Service VLAN for wired users                      VLAN 60   172.16.60.0/24
         Network segment for communication with CORE       VLAN 80   172.16.80.0/24
         Network segment for communication with AGG-ACs    VLAN 20   172.16.20.0/24

Table 2-12 Service data plan for AGG-ACs


Device                Item                                               VLAN ID    Network Segment
AGG-AC1 and AGG-AC2   Management VLAN for APs                            VLAN 20    192.168.20.0/24
                      Network segment for communication with CORE        VLAN 70    172.16.70.0/24
                      VLAN for wireless configuration synchronization    VLAN 200   172.16.200.0/24
                      between AGG-AC1 and AGG-AC2 in an HSB group
AGG-AC3 and AGG-AC4   Management VLAN for APs                            VLAN 21    192.168.21.0/24
                      Network segment for communication with CORE        VLAN 80    172.16.80.0/24
                      VLAN for wireless configuration synchronization    VLAN 200   172.16.200.0/24
                      between AGG-AC3 and AGG-AC4 in an HSB group

Table 2-13 Wireless service data plan for AGG-ACs

Item                        Data
AP groups                   ap-group1 and ap-group2
Regulatory domain profile   domain1
SSID profiles               ssid1 and ssid2
VAP profiles                vap1 and vap2 (Direct forwarding is used in the VAP profiles.)

Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Interfaces need to
transparently transmit packets from specific VLANs, instead of all VLANs,
based on actual service requirements.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. If you do not follow this
recommendation, services may be interrupted, which can be illustrated with
the following example: If a VLAN is configured as both the management
VLAN and service VLAN, and the interface connecting a switch to an AP has
the management VLAN ID as the PVID, downstream packets in the service
VLAN are terminated when going out from the switch. In this case, services
are interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Because of this, service packets and management packets can be transmitted
properly only if the network between APs and the upper-layer network is
added to the service VLAN and the network between ACs and APs is added to
the management VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on which
interface to enable the DHCP server function. Only the master AC
allocates IP addresses, and IP address allocation information will be
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.
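As an added example (not code from the Huawei document), the following Python check covers the two precautions above that are easiest to get wrong in practice: the WLAN profiles must match on the master and backup ACs, and an AC that serves DHCP must bind the DHCP service to its HSB group. The configuration snippets are constructed, abridged copies of the CORE-AC1/CORE-AC2 scripts from the previous example and of Steps 8 and 9 below, with the one-space nesting that the switch prints; PSK_PLACEHOLDER stands in for the page's encrypted key.

```python
# Constructed, abridged copy of the CORE-AC1 script above, with the one-space nesting
# that the switch prints (the extraction flattened it). The PSK is a placeholder.
MASTER_AC = """\
#
sysname CORE-AC1
#
dhcp enable
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 security-profile name sec1
  security open
 vap-profile name vap1
  service-vlan vlan-id 30
  security-profile sec1
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 master controller
  master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk PSK_PLACEHOLDER
#
return
"""

# The backup AC as the CORE-AC2 script shows it: its own name and addresses, and no
# "security open" line under security-profile sec1.
BACKUP_AC = (
    MASTER_AC.replace("CORE-AC1", "CORE-AC2")
    .replace("192.168.20.1 ", "192.168.20.2 ")
    .replace("  security open\n", "")
    .replace("peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1",
             "peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2")
)

# Constructed from Steps 8 and 9 of the procedure below: AGG-AC1 serves DHCP to the APs
# but binds only the access-user and ap services to HSB group 0.
AGG_AC1 = """\
dhcp enable
#
interface Vlanif20
 dhcp select interface
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
"""

# Settings that legitimately differ between the two ACs of an HSB pair.
PER_DEVICE_PREFIXES = ("sysname", "ip address", "master-redundancy", "service-ip-port",
                       "vrrp vrid 1 priority", "vrrp vrid 1 preempt-mode")


def config_paths(text):
    """Flatten an indented VRP-style config into a set of (ancestor..., line) tuples."""
    paths, stack = set(), []          # stack holds (indent, stripped line)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            stack = []                # "#" closes the current top-level block
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, stripped))
        paths.add(tuple(item for _, item in stack))
    return paths


def compare_acs(master_cfg, backup_cfg):
    """Return (only-on-master, only-on-backup) after dropping per-device settings."""
    master = {p for p in config_paths(master_cfg) if not p[-1].startswith(PER_DEVICE_PREFIXES)}
    backup = {p for p in config_paths(backup_cfg) if not p[-1].startswith(PER_DEVICE_PREFIXES)}
    return sorted(master - backup), sorted(backup - master)


def dhcp_service_backed_up(cfg):
    """True unless the AC serves DHCP without binding the DHCP service to an HSB group."""
    lines = {p[-1] for p in config_paths(cfg)}
    serves_dhcp = "dhcp select interface" in lines
    bound = any(line.startswith("hsb-service-type dhcp hsb-group") for line in lines)
    return bound or not serves_dhcp


if __name__ == "__main__":
    only_master, only_backup = compare_acs(MASTER_AC, BACKUP_AC)
    print("missing on backup:", only_master, "extra on backup:", only_backup)
    print("DHCP leases backed up on AGG-AC1:", dhcp_service_backed_up(AGG_AC1))
```

Run against the full scripts from the previous example, the comparison also reports the missing security open line under sec2 on CORE-AC2.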

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 2.2.1.3 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000

# Configure an Eth-Trunk interface for connecting to AGG1. The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description connect to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.11.254 255.255.255.0
[CORE-Vlanif1000] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp-static
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit
[AGG1] interface 10ge 1/0/1
[AGG1-10GE1/0/1] eth-trunk 10
[AGG1-10GE1/0/1] quit
[AGG1] interface 10ge 2/0/1
[AGG1-10GE2/0/1] eth-trunk 10
[AGG1-10GE2/0/1] quit

# Create Eth-Trunk 1 for connecting to AGG-AC1 and add interfaces to it.
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] description con to AC
[AGG1-Eth-Trunk1] mode lacp-static
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk1] quit
[AGG1] interface 10ge 1/0/4
[AGG1-10GE1/0/4] eth-trunk 1
[AGG1-10GE1/0/4] quit
[AGG1] interface 10ge 1/0/5
[AGG1-10GE1/0/5] eth-trunk 1
[AGG1-10GE1/0/5] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface Vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.20 255.255.255.0
[AGG1-Vlanif20] quit

# Configure downlink interfaces for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit
[AGG1] interface 10ge 1/0/3
[AGG1-10GE1/0/3] eth-trunk 30
[AGG1-10GE1/0/3] quit
[AGG1] interface 10ge 2/0/3
[AGG1-10GE2/0/3] eth-trunk 30
[AGG1-10GE2/0/3] quit

Step 4 Configure interfaces and VLANs on AGG-AC1. The configurations on AGG-AC2, AGG-AC3, and AGG-AC4 are similar.
# Create VLANs.
<AC6805> system-view
[AC6805] sysname AGG-AC1
[AGG-AC1] vlan batch 20 200

# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add interfaces to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface 10ge 1/0/1
[AGG-AC1-10GE1/0/1] eth-trunk 1
[AGG-AC1-10GE1/0/1] quit

# On AGG-AC1, configure the interface connected to AGG-AC2.
[AGG-AC1] interface 10ge 1/0/2
[AGG-AC1-10GE1/0/2] port link-type trunk
[AGG-AC1-10GE1/0/2] port trunk allow-pass vlan 200
[AGG-AC1-10GE1/0/2] undo port trunk allow-pass vlan 1
[AGG-AC1-10GE1/0/2] quit
[AGG-AC1] interface vlanif 200
[AGG-AC1-Vlanif200] ip address 172.16.200.1 255.255.255.0
[AGG-AC1-Vlanif200] quit

Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 20 30 31 50

# Configure uplink interfaces for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp-static
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 30 31 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit
[ACC1] interface 10ge 1/0/1
[ACC1-10GE1/0/1] eth-trunk 30
[ACC1-10GE1/0/1] quit
[ACC1] interface 10ge 1/0/2
[ACC1-10GE1/0/2] eth-trunk 30
[ACC1-10GE1/0/2] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] port link-type access
[ACC1-GE1/0/3] port default vlan 50
[ACC1-GE1/0/3] port-isolate enable group 1
[ACC1-GE1/0/3] stp edged-port enable
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] port link-type trunk
[ACC1-GE1/0/4] port trunk pvid vlan 20
[ACC1-GE1/0/4] port trunk allow-pass vlan 20 30 31
[ACC1-GE1/0/4] port-isolate enable group 1
[ACC1-GE1/0/4] stp edged-port enable
[ACC1-GE1/0/4] quit

Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.

# Enable DHCP globally and configure DHCP snooping for the service VLANs.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 30
[AGG1-vlan30] dhcp snooping enable
[AGG1-vlan30] quit
[AGG1] vlan 31
[AGG1-vlan31] dhcp snooping enable
[AGG1-vlan31] quit
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 30
[AGG1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG1-Vlanif30] dhcp select interface
[AGG1-Vlanif30] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif30] arp proxy intra-vlan enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif30] quit

# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG1 to
assign IP addresses to STAs from the interface address pool.
[AGG1] interface Vlanif 31
[AGG1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG1-Vlanif31] dhcp select interface
[AGG1-Vlanif31] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif31] arp proxy intra-vlan enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif31] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.11.1 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp proxy intra-vlan enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit

Step 7 Configure routing on core and aggregation switches to implement Layer 3 communication.

# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.31.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure OSPF on AGG-AC1. The configuration on AGG-AC3 is similar (router ID
4.4.4.4, area 2).
[AGG-AC1] ospf 1 router-id 3.3.3.3
[AGG-AC1-ospf-1] area 1
[AGG-AC1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] quit
[AGG-AC1-ospf-1] quit

Step 8 Configure DHCP on AGG-AC1 so that AGG-AC1 can function as a DHCP server to
assign IP addresses to APs. The configuration on AGG-AC3 is similar. The addresses
that AGG-AC2 and AGG1 use on VLAN 20 are excluded from the pool so that they are
never leased to an AP.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2 //Address of AGG-AC2 on VLANIF 20
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20 //Address of AGG1 on VLANIF 20
[AGG-AC1-Vlanif20] quit

Step 9 Configure VRRP HSB on AGG-AC1. The configuration on AGG-AC2 is similar.

# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60

# Create a management VRRP group on AGG-AC1. Set the priority of AGG-AC1 in
the VRRP group to 120 and set the preemption delay to 1200 seconds.
[AGG-AC1] interface vlanif 20
[AGG-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[AGG-AC1-Vlanif20] vrrp vrid 1 priority 120
[AGG-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[AGG-AC1-Vlanif20] quit

# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.
[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit

# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit

# Bind the access-user and AP services of AGG-AC1 to HSB group 0, then enable HSB.
[AGG-AC1] hsb-service-type access-user hsb-group 0
[AGG-AC1] hsb-service-type ap hsb-group 0
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] hsb enable
[AGG-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. In the command output, the State field value is Master on AGG-AC1
and Backup on AGG-AC2. Auth type is NONE because no VRRP authentication is
configured in this example.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17

[AGG-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 1200 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 07:15:11
Last change time : 2019-11-30 14:23:17

# Check the HSB service status on AGG-AC1 and AGG-AC2. In the command
output of both devices, the value Connected of Service State indicates that the
HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1

Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AGG-AC1 and AGG-AC2 to check
the service status of HSB group 0.
[AGG-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------
[AGG-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------

Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.

# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the
profile, and bind the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code en
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac 00e0-fc12-3300
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than
V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG-AC1 to check
the AP running status. In the command output, the State field value is nor,
indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
-----------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-----------------------------------------------------------------------------------------------
1 00e0-fc12-3300 area_1 ap-group1 192.168.20.254 AirEngine 8760-X1-PRO nor 0 2M:44S
-----------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on AGG-AC1.


# Configure WLAN service parameters, and create security profiles, SSID profiles,
and traffic profiles. No security policy is set in sec1 and sec2, so they keep the
default policy (open system authentication without encryption); set a WPA2 or
WPA3 policy in the security profiles before deploying this in production.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1
[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable IPSG, dynamic
ARP inspection, and strict STA IP address learning through DHCP.

[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-vap1] security-profile sec1
[AGG-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-vap1] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-vap1] ip source check user-bind enable //IPSG: drop IP packets that match no binding entry
[AGG-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable //Dynamic ARP inspection against binding entries
[AGG-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict //Learn STA IP addresses from DHCP only
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] forward-mode direct-forward
[AGG-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-vap2] security-profile sec2
[AGG-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-vap2] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-vap2] quit

NOTE

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
Before running the learn-client-address dhcp-strict command:
● Run the undo dhcp trust port command in the VAP profile view to disable the DHCP
trusted interface on an AP.
● Run the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile
view to enable STA IP address learning.

# Bind VAP profiles to the AP group.
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] quit
[AGG-AC1-wlan-view] quit

----End

Verifying the Configuration


Expected Results
Wired and wireless users can access the campus network.
Verification Method
The following uses AGG1 and AGG-AC1 as an example. The verification methods
on AGG2 and AGG-AC3 are similar.
● Run the following command on AGG-AC1. The command output shows that
an AP has obtained an IP address successfully.
[AGG-AC1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :2
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 1 251(0) 0 2
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
147 192.168.20.148 00e0-fc12-4400 DHCP 80426 Used
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command output shows that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.11.1
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0
-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.

# AP1 can ping a device in the server zone.
<area_1> ping 192.168.11.1
PING 192.168.11.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.11.1: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.11.1: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.11.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-5555 1 area_1 0/1 2.4G 11n 24/1 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# PC1 can ping the wireless user connected to AP1.


C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:


Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Scripts
# CORE
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.11.254 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return

# AGG-AC1
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 200
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface vlanif 200
ip address 172.16.200.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface 10GE 1/0/1
eth-trunk 1
#
interface 10GE 1/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC2
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 200
#
interface vlanif 20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 200
ip address 172.16.200.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface 10GE 1/0/1
eth-trunk 1
#
interface 10GE 1/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG-AC3
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 201
#
dhcp enable
#
dhcp snooping enable
#
interface vlanif 21
ip address 192.168.21.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface vlanif 201
ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface 10GE 1/0/1
eth-trunk 1
#
interface 10GE 1/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 4.4.4.4
area 0.0.0.2
network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid3
ssid test03
ssid-profile name ssid4
ssid test04
vap-profile name vap1
forward-mode direct-forward
service-vlan vlan-id 40
ssid-profile ssid3
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode direct-forward
service-vlan vlan-id 41
ssid-profile ssid4
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC4
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 201
#
interface vlanif 21
ip address 192.168.21.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif 201
ip address 172.16.201.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface 10GE 1/0/1
eth-trunk 1
#
interface 10GE 1/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG1
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp-static
#
interface Eth-Trunk10
description con to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp-static
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31 50
mode lacp-static
port-isolate enable group 1
#
interface 10GE 1/0/3
eth-trunk 30
#
interface 10GE 1/0/4
eth-trunk 1
#
interface 10GE 1/0/5
eth-trunk 1
#
interface 10GE 2/0/3
eth-trunk 30
#
interface 10GE 1/0/1
eth-trunk 10
#
interface 10GE 2/0/1
eth-trunk 10
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
area 0.0.0.1
network 192.168.20.0 0.0.0.255
#
return

# AGG2
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp-static
#
interface Eth-Trunk20
description con to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp-static
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41 60
mode lacp-static
port-isolate enable group 1
#
interface 10GE 1/0/3
eth-trunk 40
#
interface 10GE 1/0/4
eth-trunk 2
#
interface 10GE 1/0/5
eth-trunk 2
#
interface 10GE 2/0/3
eth-trunk 40
#
interface 10GE 1/0/1
eth-trunk 20
#
interface 10GE 2/0/1
eth-trunk 20
#
return

# ACC1
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 30
#
interface 10GE1/0/2
eth-trunk 30
#
interface GE1/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 40
#
interface 10GE1/0/2
eth-trunk 40
#
interface GE1/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return
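
Two steps above call for the same mechanical check before a change window: Step 9 (the VRRP HSB pair, whose display vrrp and display hsb-service outputs are only meaningful if the two ACs mirror each other's addresses, ports and VRRP group) and Step 11 (IPSG, dynamic ARP inspection and dhcp-strict learning on every VAP profile, with the NOTE that the binding entries IPSG relies on come from DHCP snooping in the service VLAN). The script below is an added example written for this page, not Huawei code. It audits configuration scripts in the format printed in this section ('#'-separated blocks, one indentation level per sub-view) and only knows the command spellings shown here. The embedded excerpts are constructed cuts of the scripts above with deliberate defects so that every check fires once: vap2 lacks DAI and dhcp-strict, AGG1 snoops DHCP on VLAN 30 but not on VLAN 31, its downlink trunk still forwards VLAN 1 (every trunk above removes it with undo port trunk allow-pass vlan 1), and AGG-AC2 keeps 172.16.200.1 on VLANIF 200 although its HSB local-ip is 172.16.200.2. The VRRP check looks for an authentication-mode line under the VRRP group; that command name is an assumption, and the display vrrp output above reports Auth type NONE because no such line is configured.

```python
"""Baseline audit of Huawei VRP configuration scripts: an added example, not Huawei's own code.
Checks: no VLAN 1 on trunks, authenticated VRRP, IPSG/DAI/dhcp-strict on every VAP profile,
DHCP snooping in each IPSG service VLAN on the gateway switch, and a mirrored VRRP/HSB pair."""
import re

# Constructed excerpts of the scripts above with deliberate defects: vap2 lacks DAI and dhcp-strict,
# AGG1 snoops VLAN 30 but not 31 and its downlink trunk still carries VLAN 1, and AGG-AC2 keeps
# 172.16.200.1 on VLANIF 200 although its HSB local-ip is 172.16.200.2.
AGG_AC1 = """#
interface vlanif 20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.20.3
#
interface vlanif 200
 ip address 172.16.200.1 255.255.255.0
#
hsb-service 0
 service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
wlan
 vap-profile name vap1
  service-vlan vlan-id 30
  ip source check user-bind enable
  arp anti-attack check user-bind enable
  learn-client-address dhcp-strict
 vap-profile name vap2
  service-vlan vlan-id 31
  ip source check user-bind enable
#
"""
AGG_AC2 = AGG_AC1.split("wlan")[0].replace("192.168.20.1 ", "192.168.20.2 ").replace(
    "local-ip 172.16.200.1 peer-ip 172.16.200.2", "local-ip 172.16.200.2 peer-ip 172.16.200.1")
AGG1 = """#
vlan 30
 dhcp snooping enable
#
interface Eth-Trunk30
 port link-type trunk
 port trunk allow-pass vlan 20 30 to 31 50
#
"""
REQUIRED_VAP = ("ip source check user-bind enable", "arp anti-attack check user-bind enable",
                "learn-client-address dhcp-strict")

def blocks(cfg):
    """'#'-delimited blocks as lists of stripped lines; blank lines, 'return' and empty blocks dropped."""
    parts = [[l.strip() for l in p.splitlines() if l.strip() not in ("", "return")]
             for p in re.split(r"^[ \t]*#[ \t]*$", cfg, flags=re.M)]
    return [p for p in parts if p]

def vap_profiles(cfg):
    """vap-profile name -> its lines; a profile ends at the next '<view> name <x>' or 'ap-id' line."""
    profiles, cur = {}, None
    for line in (l for b in blocks(cfg) if b[0] == "wlan" for l in b[1:]):
        if m := re.fullmatch(r"vap-profile name (\S+)", line):
            cur = profiles.setdefault(m[1], [])
        elif re.fullmatch(r"[\w-]+ name \S+", line) or line.startswith("ap-id "):
            cur = None
        elif cur is not None:
            cur.append(line)
    return profiles

def audit_device(name, cfg):
    """Per-device findings: VLAN 1 on trunks, unauthenticated VRRP, incomplete VAP hardening."""
    f = []
    for head, *body in blocks(cfg):
        if "port link-type trunk" in body and "undo port trunk allow-pass vlan 1" not in body:
            f.append(f"{name}: {head} is a trunk that still forwards VLAN 1")
        if any(l.startswith("vrrp vrid ") for l in body) and not any("authentication-mode" in l for l in body):
            f.append(f"{name}: {head} runs VRRP without authentication-mode")
    for pname, lines in vap_profiles(cfg).items():
        f += [f"{name}: vap-profile {pname} lacks '{r}'" for r in REQUIRED_VAP if r not in lines]
    return f

def audit_service_vlans(ac_name, ac_cfg, sw_name, sw_cfg):
    """IPSG on a VAP only gets binding entries if its service VLAN snoops DHCP on the gateway switch."""
    snooped = set(re.findall(r"^[ \t]*vlan (\d+)[ \t]*\n[ \t]*dhcp snooping enable", sw_cfg, flags=re.M))
    return [f"{ac_name}: {p} enables IPSG on VLAN {v} but {sw_name} does not snoop DHCP there"
            for p, ls in vap_profiles(ac_cfg).items() if REQUIRED_VAP[0] in ls
            for v in (l.split()[-1] for l in ls if l.startswith("service-vlan vlan-id ")) if v not in snooped]

def audit_hsb_pair(a_name, a_cfg, b_name, b_cfg):
    """The two ACs must mirror each other's HSB endpoints and advertise the same VRRP group."""
    def params(cfg):  # (local ip, port), (peer ip, port), interface addresses, {(vrid, virtual-ip)}
        text = "\n".join(l for b in blocks(cfg) for l in b)
        m = re.search(r"local-ip (\S+) peer-ip (\S+) local-data-port (\d+) peer-data-port (\d+)", text)
        return ((m[1], m[3]), (m[2], m[4]), set(re.findall(r"ip address (\S+) ", text)),
                set(re.findall(r"vrrp vrid (\d+) virtual-ip (\S+)", text)))
    (al, ap, aips, avr), (bl, bp, bips, bvr), f = params(a_cfg), params(b_cfg), []
    if al != bp or bl != ap:
        f.append(f"{a_name}/{b_name}: HSB local and peer endpoints do not cross-match")
    f += [f"{n}: HSB local-ip {l[0]} is not configured on any interface"
          for n, l, ips in ((a_name, al, aips), (b_name, bl, bips)) if l[0] not in ips]
    if avr != bvr:
        f.append(f"{a_name}/{b_name}: VRRP vrid/virtual-ip do not match")
    return f

if __name__ == "__main__":
    for line in (audit_device("AGG-AC1", AGG_AC1) + audit_device("AGG1", AGG1) + audit_service_vlans(
            "AGG-AC1", AGG_AC1, "AGG1", AGG1) + audit_hsb_pair("AGG-AC1", AGG_AC1, "AGG-AC2", AGG_AC2)):
        print(line)
```

Paste real display current-configuration output into the three constants to run it against a live pair. The pairing check reports AGG-AC2's VLANIF 200 address: with the local-ip absent from every interface the HSB channel cannot come up, so Service State in display hsb-service would never reach Connected and the backup AC would hold no AP or user state when VRRP fails over.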

2.2.1.6 Standalone AC Solution: Core Switches and ACs Function as the
Gateways for Wired and Wireless Users Respectively

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Standalone ACs are deployed in off-path mode. They function as gateways to
assign IP addresses to APs and wireless users, and centrally manage APs and
wireless users on the entire network.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth.
In this example, core switches and standalone ACs function as the gateways for
wired and wireless users on the entire network, respectively.

Figure 2-10 Core switches and standalone ACs functioning as the gateways for
wired and wireless users respectively

Device Requirements and Versions

Location           Device Requirement   Device Used in This Example   Version Used in This Example
Core layer         -                    S12700E                       V200R022C10
Aggregation layer  -                    S6730-H-V2                    V600R022C10
Access layer       -                    S5735-L-V2                    V600R022C10
AC                 -                    AC6805                        V200R022C10
AP                 -                    AirEngine 8760-X1-PRO         V200R022C10

Deployment Roadmap

Step  Deployment Roadmap                                                  Devices Involved
1     Configure CSS, stacking, MAD, and uplink and downlink Eth-Trunk     Core and aggregation switches
      interfaces on switches.
2     Configure interfaces and VLANs on the switches and ACs, and         Core, aggregation, and access
      configure IP addresses and routes for Layer 3 interfaces to         switches and ACs
      ensure network connectivity.
3     Configure DHCP on CORE and ACs so that CORE and ACs function as     Core switches and ACs
      DHCP servers to assign IP addresses to wired and wireless users
      and APs.
4     Configure VRRP HSB on ACs.                                          ACs
5     Configure wireless services on ACs so that APs and STAs can go      ACs
      online.
6     Configure wireless configuration synchronization in the scenario    ACs
      where VRRP HSB is configured.

Data Plan

Table 2-14 Service data plan for core switches

Item | VLAN ID | Network Segment
Service VLANs for wireless users (AP1) | VLAN 30 | 172.16.30.0/24
Service VLANs for wireless users (AP1) | VLAN 40 | 172.16.40.0/24
Service VLAN for wired users (PC1) | VLAN 50 | 172.16.50.0/24
Service VLAN for wired users (PC2) | VLAN 60 | 172.16.60.0/24
VLAN for communication with CORE-ACs | VLAN 20 | 192.168.20.0/24 (CORE: 192.168.20.20)
VLAN for communication with servers | VLAN 1000 | 192.168.100.0/24 (CORE: 192.168.100.1)

Table 2-15 Service data plan for CORE-ACs

Item | VLAN ID | Network Segment
Management VLAN for APs | VLAN 20 | 192.168.20.0/24
VLAN for communication between CORE-AC1 and CORE-AC2 | VLAN 100 | 172.16.100.0/24
VLAN for wireless configuration synchronization between CORE-AC1 and CORE-AC2 in an HSB group | VLAN 100 | 172.16.100.0/24 (the synchronization peers use the VLAN 100 addresses; no separate VLAN is configured for it in this example)

Table 2-16 Wireless service data plan for CORE-ACs

Item | Data
AP group | ap-group1
Regulatory domain profile | domain1
SSID profiles | Employee and Guest
VAP profiles | vap1 and vap2 (tunnel forwarding is used in the VAP profiles)
CAPWAP source interface and IP address (CORE-AC1) | VLANIF 20: 192.168.20.1/24
CAPWAP source interface and IP address (CORE-AC2) | VLANIF 20: 192.168.20.2/24

Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Interfaces need to transparently transmit packets
from specific VLANs, instead of all VLANs, based on actual service
requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on the
interface on which the DHCP server function is enabled. Only the master AC
allocates IP addresses, and the IP address allocation information is
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.
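Every precaution above can be checked from the running configuration before the ACs go live. The following Python script is an added example written for this page, not Huawei code or a Huawei tool. It parses two constructed configuration excerpts in the same CLI syntax the steps below use (modelling CORE-AC1 and CORE-AC2, with one deliberate VLAN 1 leftover on a trunk and one deliberate DHCP pool mismatch) and reports trunks that still carry VLAN 1, a management VLAN that is also a service VLAN, and interface pools that differ between the master and backup AC. The excerpt format, the `lint` function and its message texts are assumptions of this example; it only understands the handful of commands shown on this page.

```python
"""Lint VRP-style AC configuration excerpts against the deployment precautions.

Added example for this page, not Huawei code. Both excerpts below are constructed
in the page's CLI syntax; they were not captured from a device.
"""
import ipaddress
import re

# CORE-AC1: GigabitEthernet0/0/2 deliberately omits 'undo port trunk allow-pass vlan 1'.
AC1_CONFIG = """\
capwap source interface vlanif 20
interface eth-trunk 1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30 40
 quit
interface gigabitethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
 quit
interface vlanif 20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.2
 dhcp server excluded-ip-address 192.168.20.20
 quit
interface vlanif 30
 ip address 172.16.30.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
 dhcp server dns-list 192.168.100.2
 quit
vap-profile name vap1
 service-vlan vlan-id 30
 quit
"""
# CORE-AC2: mirrors AC1 (each AC excludes the other's interface address) but
# deliberately drops the DNS server from the VLANIF 30 pool.
AC2_CONFIG = (AC1_CONFIG
              .replace("192.168.20.1 255", "192.168.20.2 255")
              .replace("excluded-ip-address 192.168.20.2\n", "excluded-ip-address 192.168.20.1\n")
              .replace("172.16.30.1 255", "172.16.30.2 255")
              .replace("excluded-ip-address 172.16.30.2 172.16.30.3", "excluded-ip-address 172.16.30.1 172.16.30.3")
              .replace(" dhcp server dns-list 192.168.100.2\n", ""))


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '20 30 to 40 100' into a set of ints."""
    tokens, out, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse_config(text):
    """Collect per-interface VLAN sets, the CAPWAP management VLAN, the VAP
    service VLANs and the interface DHCP pools (an 'ip address' line must
    precede the pool's excluded/dns lines, as in the page's steps)."""
    cfg = {"interfaces": {}, "mgmt_vlan": None, "service_vlans": set(), "pools": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+) (\S+)$", line):
            cur = (m.group(1) + m.group(2)).lower()
            # A VRP trunk carries VLAN 1 until 'undo port trunk allow-pass vlan 1'.
            cfg["interfaces"][cur] = {"type": None, "vlans": {1}}
        elif line == "quit":
            cur = None
        elif m := re.match(r"capwap source interface vlanif (\d+)", line):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.match(r"service-vlan vlan-id (\d+)", line):
            cfg["service_vlans"].add(int(m.group(1)))
        elif cur is None:
            continue
        elif m := re.match(r"port link-type (trunk|access)", line):
            cfg["interfaces"][cur]["type"] = m.group(1)
        elif m := re.match(r"undo port trunk allow-pass vlan (.+)", line):
            cfg["interfaces"][cur]["vlans"] -= expand_vlans(m.group(1))
        elif m := re.match(r"port trunk allow-pass vlan (.+)", line):
            cfg["interfaces"][cur]["vlans"] |= expand_vlans(m.group(1))
        elif m := re.match(r"port default vlan (\d+)", line):
            cfg["interfaces"][cur]["vlans"] = {int(m.group(1))}
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            pool = cfg["pools"].setdefault(cur, {"network": None, "unallocatable": set(), "dns": set()})
            pool["network"] = str(addr.network)
            pool["unallocatable"].add(str(addr.ip))  # the interface address is never leased
        elif m := re.match(r"dhcp server excluded-ip-address (.+)", line):
            cfg["pools"][cur]["unallocatable"].update(m.group(1).split())
        elif m := re.match(r"dhcp server dns-list (.+)", line):
            cfg["pools"][cur]["dns"].update(m.group(1).split())
    return cfg


def trunks_carrying_vlan1(cfg):
    """Precaution: no trunk should still transmit VLAN 1."""
    return sorted(n for n, i in cfg["interfaces"].items() if i["type"] == "trunk" and 1 in i["vlans"])


def mgmt_vlan_is_a_service_vlan(cfg):
    """Precaution: in tunnel forwarding the management VLAN must differ from every service VLAN."""
    return cfg["mgmt_vlan"] in cfg["service_vlans"]


def pool_mismatches(master, backup):
    """Precaution: interface pools must be identical on master and backup AC.
    The interface IP and the excluded addresses are compared as one
    non-allocatable set, because each AC excludes the other's address."""
    names = set(master["pools"]) | set(backup["pools"])
    return sorted(n for n in names if master["pools"].get(n) != backup["pools"].get(n))


def lint(master_text, backup_text):
    """Run all checks; an empty list means the excerpts pass."""
    m, b = parse_config(master_text), parse_config(backup_text)
    findings = [f"{n}: VLAN 1 still allowed on trunk" for n in trunks_carrying_vlan1(m)]
    if mgmt_vlan_is_a_service_vlan(m):
        findings.append(f"management VLAN {m['mgmt_vlan']} is also a service VLAN")
    findings += [f"{n}: DHCP pool differs between master and backup AC" for n in pool_mismatches(m, b)]
    return findings


if __name__ == "__main__":
    for finding in lint(AC1_CONFIG, AC2_CONFIG):
        print(finding)
```

Run it against the two excerpts and it reports the VLAN 1 leftover on GigabitEthernet0/0/2 and the VLANIF 30 pool mismatch; feeding it `display current-configuration` output from both ACs works the same way as long as the commands above are the ones in use.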

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 2.2.1.3 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 20 30 40 50 60 1000

# Configure Eth-Trunk 10 for connecting to AGG1, which is a stack of aggregation
switches. The configuration of the Eth-Trunk interface for connecting to AGG2 is
similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] description con to AGG1
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] port trunk allow-pass vlan 20 50
[CORE-Eth-Trunk10] quit

# Create Eth-Trunk 1 for connecting to CORE-AC1 and add interfaces to it. The
configuration of the Eth-Trunk interface for connecting to CORE-AC2 is similar.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] description con to CORE-AC1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk1] port trunk allow-pass vlan 20 30 40
[CORE-Eth-Trunk1] quit
[CORE] interface xgigabitethernet 1/1/0/3
[CORE-XGigabitEthernet1/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet1/1/0/3] quit
[CORE] interface xgigabitethernet 2/1/0/3
[CORE-XGigabitEthernet2/1/0/3] eth-trunk 1
[CORE-XGigabitEthernet2/1/0/3] quit

# Add the interface connected to iMaster NCE-Campus to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.
# Create VLANs.
[AGG1] vlan batch 20 50

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp-static
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk10] quit
[AGG1] interface 10ge 1/0/1
[AGG1-10GE1/0/1] eth-trunk 10
[AGG1-10GE1/0/1] quit
[AGG1] interface 10ge 2/0/1
[AGG1-10GE2/0/1] eth-trunk 10
[AGG1-10GE2/0/1] quit

# Configure downlink interfaces for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp-static
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] port-isolate enable group 1
[AGG1-Eth-Trunk30] quit
[AGG1] interface 10ge 1/0/3
[AGG1-10GE1/0/3] eth-trunk 30
[AGG1-10GE1/0/3] quit
[AGG1] interface 10ge 2/0/3
[AGG1-10GE2/0/3] eth-trunk 30
[AGG1-10GE2/0/3] quit

Step 4 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.
# Create VLANs.
[ACC1] vlan batch 20 50

# Configure uplink interfaces for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp-static
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] quit
[ACC1] interface 10ge 1/0/1
[ACC1-10GE1/0/1] eth-trunk 30
[ACC1-10GE1/0/1] quit
[ACC1] interface 10ge 1/0/2
[ACC1-10GE1/0/2] eth-trunk 30
[ACC1-10GE1/0/2] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface ge 1/0/3
[ACC1-GE1/0/3] port link-type access
[ACC1-GE1/0/3] port default vlan 50
[ACC1-GE1/0/3] port-isolate enable group 1
[ACC1-GE1/0/3] stp edged-port enable
[ACC1-GE1/0/3] quit
[ACC1] interface ge 1/0/4
[ACC1-GE1/0/4] port link-type access
[ACC1-GE1/0/4] port default vlan 20
[ACC1-GE1/0/4] port-isolate enable group 1
[ACC1-GE1/0/4] stp edged-port enable
[ACC1-GE1/0/4] quit

Step 5 Configure interfaces and VLANs on CORE-AC1. The configuration on CORE-AC2 is
similar.
# Configure interfaces for connecting to CORE.
<AC6805> system-view
[AC6805] sysname CORE-AC1
[CORE-AC1] vlan batch 20 30 40 100
[CORE-AC1] interface eth-trunk 1
[CORE-AC1-Eth-Trunk1] mode lacp
[CORE-AC1-Eth-Trunk1] port link-type trunk
[CORE-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[CORE-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 40
[CORE-AC1-Eth-Trunk1] quit
[CORE-AC1] interface xgigabitethernet 0/0/21
[CORE-AC1-XGigabitEthernet0/0/21] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/21] quit
[CORE-AC1] interface xgigabitethernet 0/0/22
[CORE-AC1-XGigabitEthernet0/0/22] eth-trunk 1
[CORE-AC1-XGigabitEthernet0/0/22] quit

# Configure an interface for connecting CORE-AC1 to CORE-AC2.
[CORE-AC1] interface gigabitethernet 0/0/2
[CORE-AC1-GigabitEthernet0/0/2] port link-type trunk
[CORE-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[CORE-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[CORE-AC1-GigabitEthernet0/0/2] quit
[CORE-AC1] interface vlanif 100
[CORE-AC1-Vlanif100] ip address 172.16.100.1 255.255.255.0
[CORE-AC1-Vlanif100] quit

Step 6 Configure DHCP on CORE so that CORE functions as the DHCP server to assign IP
addresses to wired users.
# Enable DHCP globally and configure DHCP snooping for the service VLANs.
[CORE] dhcp enable
[CORE] dhcp snooping enable
[CORE] vlan 50
[CORE-vlan50] dhcp snooping enable
[CORE-vlan50] quit
[CORE] vlan 60
[CORE-vlan60] dhcp snooping enable
[CORE-vlan60] quit

# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for wired services and
configure CORE to assign IP addresses to wired terminals from the interface
address pools.
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 255.255.255.0
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif50] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] ip address 172.16.60.1 255.255.255.0
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-Vlanif60] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service VLAN
for wired users. Otherwise, wired users cannot communicate with each other. Determine whether to
configure this command based on actual requirements.
[CORE-Vlanif60] quit

# Create Layer 3 interfaces for connecting to the ACs.
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 192.168.20.20 255.255.255.0
[CORE-Vlanif20] quit
[CORE] interface vlanif 30
[CORE-Vlanif30] ip address 172.16.30.3 255.255.255.0
[CORE-Vlanif30] quit
[CORE] interface vlanif 40
[CORE-Vlanif40] ip address 172.16.40.3 255.255.255.0
[CORE-Vlanif40] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit

Step 7 Configure DHCP on CORE-AC1 so that CORE-AC1 functions as a DHCP server to
assign IP addresses to APs and wireless users. The configuration on CORE-AC2 is
similar.
# Enable DHCP globally and configure DHCP snooping for the service VLANs.
[CORE-AC1] dhcp enable
[CORE-AC1] dhcp snooping enable
[CORE-AC1] vlan 30
[CORE-AC1-vlan30] dhcp snooping enable
[CORE-AC1-vlan30] quit
[CORE-AC1] vlan 40
[CORE-AC1-vlan40] dhcp snooping enable
[CORE-AC1-vlan40] quit

# Create VLANIF 20 for wireless management and configure CORE-AC1 to assign
IP addresses to APs from the interface address pool.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] dhcp select interface
[CORE-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[CORE-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[CORE-AC1-Vlanif20] quit

# Create Layer 3 interfaces VLANIF 30 and VLANIF 40 for wireless services and
configure CORE-AC1 to assign IP addresses to wireless terminals from the
interface address pools.
[CORE-AC1] interface vlanif 30
[CORE-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-AC1-Vlanif30] dhcp select interface
[CORE-AC1-Vlanif30] dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
[CORE-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif30] quit
[CORE-AC1] interface vlanif 40
[CORE-AC1-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-AC1-Vlanif40] dhcp select interface
[CORE-AC1-Vlanif40] dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
[CORE-AC1-Vlanif40] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[CORE-AC1-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP in a service
VLAN for wireless users. Otherwise, wireless users cannot communicate with each other through the AC.
Determine whether to configure this command based on actual requirements.
[CORE-AC1-Vlanif40] quit

Step 8 Configure a default route on CORE-AC1. The configuration on CORE-AC2 is similar.
[CORE-AC1] ip route-static 0.0.0.0 0.0.0.0 192.168.20.20

Step 9 Configure VRRP HSB on CORE-AC1. The configuration on CORE-AC2 is similar.
# Set the recovery delay of the VRRP group to 60 seconds.
[CORE-AC1] vrrp recover-delay 60

# Create a management VRRP group on CORE-AC1. Set the priority of CORE-AC1
in the VRRP group to 120 and set the preemption delay to 1200 seconds.
[CORE-AC1] interface vlanif 20
[CORE-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[CORE-AC1-Vlanif20] vrrp vrid 1 priority 120
[CORE-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[CORE-AC1-Vlanif20] admin-vrrp vrid 1
[CORE-AC1-Vlanif20] quit

# Create HSB service 0 on CORE-AC1 and configure IP addresses and port
numbers for the HSB channel.
[CORE-AC1] hsb-service 0
[CORE-AC1-hsb-service-0] service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port
10241 peer-data-port 10241
[CORE-AC1-hsb-service-0] quit

# Create HSB group 0 on CORE-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] bind-service 0
[CORE-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[CORE-AC1-hsb-group-0] quit

# Bind the CORE-AC1 service to HSB group 0.
[CORE-AC1] hsb-service-type access-user hsb-group 0
[CORE-AC1] hsb-service-type ap hsb-group 0
[CORE-AC1] hsb-service-type dhcp hsb-group 0
[CORE-AC1] hsb-group 0
[CORE-AC1-hsb-group-0] hsb enable
[CORE-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on both
CORE-AC1 and CORE-AC2. In the command output of both devices, the State field
value of CORE-AC1 is Master and that of CORE-AC2 is Backup.
[CORE-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 15:30:25
Last change time : 2019-11-05 15:30:31
[CORE-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-05 11:12:13
Last change time : 2019-11-05 11:13:23

# Check the HSB service status on CORE-AC1 and CORE-AC2. In the command
output of both devices, the value Connected of Service State indicates that the
HSB channel has been established.
[CORE-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[CORE-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.100.2
Peer IP Address : 172.16.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on CORE-AC1 and CORE-AC2 to check
the service status of HSB group 0.
[CORE-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[CORE-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
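Reading these three outputs by eye on both ACs after every change is error-prone, so here is an added Python example, written for this page and not Huawei code, that parses the display vrrp, display hsb-service and display hsb-group output of both ACs and reports any deviation from the expected picture: one Master and one Backup that agree on the virtual and master addresses, a Connected HSB channel whose local and peer addresses mirror each other, an Active master group and an Inactive backup group, and the same Access-user, AP and DHCP module set on both sides (the page prints the modules in a different order on each AC, so they are compared as sets). The sample outputs are constructed to mirror the fields shown above and the dual-master sample models the loss of the VLAN 100 interconnect; its Disconnected service state is an assumed value, not a string taken from a device.

```python
"""Health check for a VRRP HSB AC pair from 'display' output.

Added example for this page, not Huawei code. The outputs below are constructed
to mirror the fields shown on the page; they were not captured from a device.
"""

MASTER = {
    "vrrp": """Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.1
PriorityRun : 120
Config type : admin-vrrp""",
    "service": """Hot Standby Service Information:
Local IP Address : 172.16.100.1
Peer IP Address : 172.16.100.2
Service State : Connected""",
    "group": """Hot Standby Group Information:
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Group Vrrp Status : Master
Group Status : Active
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
DHCP""",
}
BACKUP = {
    "vrrp": MASTER["vrrp"].replace("State : Master", "State : Backup").replace("PriorityRun : 120", "PriorityRun : 100"),
    # local and peer addresses are swapped on the other AC
    "service": MASTER["service"].replace("172.16.100.1", "X").replace("172.16.100.2", "172.16.100.1").replace("X", "172.16.100.2"),
    "group": (MASTER["group"].replace("Group Vrrp Status : Master", "Group Vrrp Status : Backup")
              .replace("Group Status : Active", "Group Status : Inactive")
              .replace("AP\nDHCP", "DHCP\nAP")),  # module order differs per AC, as on the page
}
# Constructed failure: the inter-AC path is down, both ACs claim Master and the
# backup's HSB channel is no longer Connected ('Disconnected' is an assumed value).
DUAL_MASTER = {
    "vrrp": BACKUP["vrrp"].replace("State : Backup", "State : Master").replace("Master IP : 192.168.20.1", "Master IP : 192.168.20.2"),
    "service": BACKUP["service"].replace("Connected", "Disconnected"),
    "group": (BACKUP["group"].replace("Group Vrrp Status : Backup", "Group Vrrp Status : Master")
              .replace("Group Status : Inactive", "Group Status : Active")),
}


def parse_kv(text):
    """Turn 'Key : Value' lines into a dict. Lines without a colon (the extra
    module names under 'Group Backup Modules') are folded into the previous
    key's value; dash rules and the banner line are ignored."""
    out, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            out[last] = value.strip()
        elif last is not None:
            out[last] += " " + line
    return out


def check_hsb_pair(master, backup):
    """Return a list of findings; an empty list means the pair looks healthy."""
    mv, bv = parse_kv(master["vrrp"]), parse_kv(backup["vrrp"])
    ms, bs = parse_kv(master["service"]), parse_kv(backup["service"])
    mg, bg = parse_kv(master["group"]), parse_kv(backup["group"])
    findings = []
    roles = (mv.get("State"), bv.get("State"))
    if roles != ("Master", "Backup"):
        findings.append(f"VRRP roles are {roles[0]}/{roles[1]}, expected Master/Backup")
    if mv.get("Virtual IP") != bv.get("Virtual IP"):
        findings.append("VRRP virtual IP differs between the ACs")
    if mv.get("Master IP") != bv.get("Master IP"):
        findings.append("ACs disagree on the master's address (possible dual-master)")
    for side, out in (("master", ms), ("backup", bs)):
        if out.get("Service State") != "Connected":
            findings.append(f"HSB channel on {side} AC is {out.get('Service State')}, not Connected")
    if (ms.get("Local IP Address"), ms.get("Peer IP Address")) != (bs.get("Peer IP Address"), bs.get("Local IP Address")):
        findings.append("HSB service local/peer addresses are not mirrored")
    status = (mg.get("Group Status"), bg.get("Group Status"))
    if status != ("Active", "Inactive"):
        findings.append(f"HSB group status is {status[0]}/{status[1]}, expected Active/Inactive")
    mods_m = set(mg.get("Group Backup Modules", "").split())
    mods_b = set(bg.get("Group Backup Modules", "").split())
    if mods_m != mods_b:
        findings.append("backed-up module sets differ between the ACs")
    for required in ("Access-user", "AP", "DHCP"):  # one per hsb-service-type binding
        if required not in mods_m:
            findings.append(f"{required} service is not bound to the HSB group")
    if mg.get("Peer Group Software Version") != bg.get("Peer Group Software Version"):
        findings.append("ACs report different peer software versions")
    return findings


if __name__ == "__main__":
    print("healthy pair:", check_hsb_pair(MASTER, BACKUP))
    print("dual master:", *check_hsb_pair(MASTER, DUAL_MASTER), sep="\n  ")
```

A missing DHCP entry in the module list is the symptom of forgetting hsb-service-type dhcp, and a Master/Master role pair with disagreeing master addresses is what a broken VLAN 100 path looks like before any user notices.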

Step 10 Configure APs to go online on CORE-AC1.
# Configure the AC's source interface.
[CORE-AC1] capwap source interface vlanif 20 //VLAN 20 is the management VLAN for wireless APs.

# Create an AP group to add APs with the same configurations to the AP group.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the
profile, and bind the profile to the AP group.
[CORE-AC1-wlan-view] regulatory-domain-profile name domain1
[CORE-AC1-wlan-regulate-domain-domain1] country-code en
[CORE-AC1-wlan-regulate-domain-domain1] quit
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the
radio and reset the AP. Continue?[Y/N]:y
[CORE-AC1-wlan-ap-group-ap-group1] quit

# Add target APs to the AP group and configure names for the APs based on their
deployment locations.
[CORE-AC1-wlan-view] ap auth-mode mac-auth
[CORE-AC1-wlan-view] ap-id 1 ap-mac 00e0-fc12-6660
[CORE-AC1-wlan-ap-1] ap-name area_1
[CORE-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-1] quit
[CORE-AC1-wlan-view] ap-id 2 ap-mac 00e0-fc12-6670
[CORE-AC1-wlan-ap-2] ap-name area_2
[CORE-AC1-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[CORE-AC1-wlan-ap-2] quit
[CORE-AC1-wlan-view] quit

# After powering on the APs, run the display ap all command on CORE-AC1 to
check the AP running status. In the command output, the State field value is nor,
indicating that the APs are in normal state.
[CORE-AC1] display ap all
Total AP information:
nor : normal [2]
ExtraInfo : Extra information
P : insufficient power supply
---------------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
---------------------------------------------------------------------------------------------------------
1 00e0-fc12-6660 area_1 ap-group1 192.168.20.41 AirEngine 8760-X1-PRO nor 0 5M:26S -
2 00e0-fc12-6670 area_2 ap-group1 192.168.20.164 AirEngine 8760-X1-PRO nor 0 2M:52S -
---------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on CORE-AC1.
# Configure WLAN service parameters. Both security profiles use open
authentication (security open) only to keep the example short: an open SSID
lets any client associate and carries user traffic unencrypted over the air.
On a production network, configure a WPA2/WPA3 security policy (PSK or
802.1X) in the security profiles instead.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] security open
[CORE-AC1-wlan-sec-prof-sec1] quit
[CORE-AC1-wlan-view] ssid-profile name ssid1
[CORE-AC1-wlan-ssid-prof-ssid1] ssid Employee
[CORE-AC1-wlan-ssid-prof-ssid1] quit
[CORE-AC1-wlan-view] traffic-profile name traff
[CORE-AC1-wlan-traffic-prof-traff] user-isolate l2
[CORE-AC1-wlan-traffic-prof-traff] quit
[CORE-AC1-wlan-view] security-profile name sec2
[CORE-AC1-wlan-sec-prof-sec2] security open
[CORE-AC1-wlan-sec-prof-sec2] quit
[CORE-AC1-wlan-view] ssid-profile name ssid2
[CORE-AC1-wlan-ssid-prof-ssid2] ssid Guest
[CORE-AC1-wlan-ssid-prof-ssid2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable strict STA IP
address learning through DHCP, IPSG, and dynamic ARP inspection.
[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap1] service-vlan vlan-id 30
[CORE-AC1-wlan-vap-prof-vap1] security-profile sec1
[CORE-AC1-wlan-vap-prof-vap1] ssid-profile ssid1
[CORE-AC1-wlan-vap-prof-vap1] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap1] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap1] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] forward-mode tunnel
[CORE-AC1-wlan-vap-prof-vap2] service-vlan vlan-id 40
[CORE-AC1-wlan-vap-prof-vap2] security-profile sec2
[CORE-AC1-wlan-vap-prof-vap2] ssid-profile ssid2
[CORE-AC1-wlan-vap-prof-vap2] traffic-profile traff
[CORE-AC1-wlan-vap-prof-vap2] ip source check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] arp anti-attack check user-bind enable
[CORE-AC1-wlan-vap-prof-vap2] learn-client-address dhcp-strict
[CORE-AC1-wlan-vap-prof-vap2] quit

NOTE

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
Before running the learn-client-address dhcp-strict command:
● Run the undo dhcp trust port command in the VAP profile view to disable the DHCP
trusted interface on an AP.
● Run the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile
view to enable STA IP address learning.

# Bind VAP profiles to the AP group.
[CORE-AC1-wlan-view] ap-group name ap-group1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 0
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap1 wlan 1 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] vap-profile vap2 wlan 2 radio 1
[CORE-AC1-wlan-ap-group-ap-group1] quit
[CORE-AC1-wlan-view] quit

Step 12 Configure wireless configuration synchronization in the scenario where VRRP HSB
is configured to synchronize wireless service configuration information from
CORE-AC1 to CORE-AC2.
# Configure the source interface of CORE-AC2.
[CORE-AC2] capwap source interface vlanif 20

# Configure wireless configuration synchronization on CORE-AC1.
[CORE-AC1] wlan
[CORE-AC1-wlan-view] master controller
[CORE-AC1-master-controller] master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address
172.16.100.1 psk YsHsjx_202206
[CORE-AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC1-master-controller] quit
[CORE-AC1-wlan-view] quit

# Configure wireless configuration synchronization on CORE-AC2.
[CORE-AC2] wlan
[CORE-AC2-wlan-view] master controller
[CORE-AC2-master-controller] master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address
172.16.100.2 psk YsHsjx_202206
[CORE-AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 20
[CORE-AC2-master-controller] quit
[CORE-AC2-wlan-view] quit

# Run the display sync-configuration status command to check the status of the
wireless configuration synchronization function. In the command output, the
Status field value is cfg-mismatch. In this case, you need to manually trigger
wireless configuration synchronization from the master AC to the backup AC. Wait
until the backup AC automatically restarts.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
-----------------------------------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
-----------------------------------------------------------------------------------------------------------------------------
172.16.100.2 Backup AC6805 V200R022C10 cfg-mismatch(config check fail) -
-----------------------------------------------------------------------------------------------------------------------------

Total: 1
[CORE-AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its
configurations. Whether to continue? [Y/N]:y

NOTE

After wireless configuration synchronization is manually triggered, the backup AC
automatically restarts. After the backup AC restarts, run the display sync-configuration
status command to check whether the wireless configuration synchronization function is
normal.

# Check whether the wireless configuration synchronization function is normal. If
the Status field displays up, the wireless configuration synchronization function is
normal.
[CORE-AC1] display sync-configuration status
Controller role:Master/Backup/Local
----------------------------------------------------------------------------------------------------
Controller IP Role Device Type Version Status Last synced
----------------------------------------------------------------------------------------------------
172.16.100.2 Backup AC6805 V200R022C10 up 2019-11-05/19:09:14
----------------------------------------------------------------------------------------------------
Total: 1

----End

Verifying the Configuration

Expected Results

Wired and wireless users can access the campus network.

Verification Method

● Run the following command on CORE-AC1. The command output shows that
APs have obtained IP addresses successfully.
[CORE-AC1] display ip pool interface vlanif20 used
Pool-name : vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :233 Expired :0
Conflict :0 Disabled :19

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
192.168.20.1 192.168.20.254 254 2 233(0) 0 19
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id

-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
40 192.168.20.41 00e0-fc12-6660 DHCP 72528 Used
163 192.168.20.164 00e0-fc12-6670 DHCP 72813 Used
-------------------------------------------------------------------------------------
● Run the following commands on CORE. The command output shows that
wired users have obtained IP addresses successfully.
[CORE] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.50.1 172.16.50.254 254 1 253(0) 0 0
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
109 172.16.50.110 00e0-fc12-3344 DHCP 84875 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
[CORE] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :3
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 1 253(0) 0 0

-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------------
236 172.16.60.237 00e0-fc12-3377 DHCP 84434 Used
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.
# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
PING 192.168.100.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=63 time=1 ms
--- 192.168.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on CORE-AC1.
[CORE-AC1] display station ssid Employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-3388 1 area_1 1/1 5G 11ac 173/115 -38 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the wireless user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Configuration Scripts
# CORE
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
return

# AGG1
#
sysname AGG1
#
vlan batch 20 50
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 50
mode lacp-static
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp-static
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 30
#
interface 10GE2/0/3
eth-trunk 30
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE2/0/1
eth-trunk 10
#
return

# AGG2
#
sysname AGG2
#
vlan batch 20 60
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
port trunk allow-pass vlan 20 60
mode lacp-static
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp-static
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 40
#
interface 10GE2/0/3
eth-trunk 40
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE2/0/1
eth-trunk 20
#
return

# ACC1
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 30
#
interface 10GE1/0/2
eth-trunk 30
#
interface GE1/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2
#
sysname ACC2
#
vlan batch 20 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 40
#
interface 10GE1/0/2
eth-trunk 40
#
interface GE1/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# CORE-AC1
#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security open
security-profile name sec2
security open
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
return

# CORE-AC2
#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
return


2.2.1.7 Standalone AC Solution: Aggregation Switches and ACs Function as the Gateways for Wired and Wireless Users Respectively
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth.
Standalone ACs are deployed in off-path mode. They function as DHCP servers to
assign IP addresses to APs and centrally manage APs on the entire network.
In this example, aggregation switches and ACs function as the gateways for wired
and wireless users on the entire network respectively and are responsible for
routing and forwarding of user services.

Figure 2-11 Aggregation switches and standalone ACs functioning as the gateways for wired and wireless users respectively

Device Requirements and Versions

Location          | Device Requirement | Device Used in This Example | Version Used in This Example
Core layer        | -                  | S12700E                     | V200R022C10
Aggregation layer | -                  | S6730-H-V2                  | V600R022C10
Access layer      | -                  | S5735-L-V2                  | V600R022C10
AC                | -                  | AC6805                      | V200R022C10
AP                | -                  | AirEngine 8760-X1-PRO       | V200R022C10

Deployment Roadmap

Step | Deployment Roadmap | Devices Involved
1 | Configure CSS, stacking, and uplink and downlink Eth-Trunk interfaces on switches. | Core and aggregation switches
2 | Configure interfaces and VLANs on the switches and ACs, and configure IP addresses and routes for Layer 3 interfaces to ensure network connectivity. | Core, aggregation, and access switches
3 | Configure DHCP on the aggregation switches and ACs so that the switches and ACs function as DHCP servers to assign IP addresses to wired and wireless users and APs. | Aggregation switches and ACs
4 | Configure VRRP HSB on ACs. | ACs
5 | Configure wireless services on ACs so that APs and STAs can go online. | ACs
6 | Configure wireless configuration synchronization in the scenario where VRRP HSB is configured. | ACs

Data Plan

Table 2-17 Service data plan for core switches

Item | VLAN ID | Network Segment
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24

Table 2-18 Service data plan for aggregation switches

Device | Item | VLAN ID | Network Segment
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG1 | Network segment for communication with AGG-ACs | VLAN 20 | 172.16.20.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24
AGG2 | Network segment for communication with AGG-ACs | VLAN 21 | 172.16.21.0/24

Table 2-19 Service data plan for ACs

Device | Item | VLAN ID | Network Segment
AGG-AC1 and AGG-AC2 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
AGG-AC1 and AGG-AC2 | Service VLANs for wireless users | VLAN 30 | 172.16.30.0/24
AGG-AC1 and AGG-AC2 | Service VLANs for wireless users | VLAN 31 | 172.16.31.0/24
AGG-AC1 and AGG-AC2 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG-AC1 and AGG-AC2 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG-AC1 and AGG-AC2 | VLAN for wireless configuration synchronization between AGG-AC1 and AGG-AC2 in an HSB group | VLAN 200 | 172.16.200.0/24
AGG-AC3 and AGG-AC4 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
AGG-AC3 and AGG-AC4 | Service VLANs for wireless users | VLAN 40 | 172.16.40.0/24
AGG-AC3 and AGG-AC4 | Service VLANs for wireless users | VLAN 41 | 172.16.41.0/24
AGG-AC3 and AGG-AC4 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG-AC3 and AGG-AC4 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24
AGG-AC3 and AGG-AC4 | VLAN for wireless configuration synchronization between AGG-AC3 and AGG-AC4 in an HSB group | VLAN 200 | 172.16.200.0/24

Table 2-20 Wireless service data plan for AGG-ACs

Item | Data
AP groups | ap-group1 and ap-group2
Regulatory domain profile | domain1
SSID profiles | ssid1 and ssid2
VAP profiles | vap1 and vap2 (Tunnel forwarding is used in the VAP profiles.)


Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Interfaces need to transparently transmit packets
from specific VLANs, instead of all VLANs, based on actual service
requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on which
interface to enable the DHCP server function. Only the master AC
allocates IP addresses, and IP address allocation information will be
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.
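The master/backup consistency rules above lend themselves to an automated check against the two ACs' configuration scripts. The following Python checker is an added example, not part of the Huawei document: it parses scripts in the format of the Configuration Scripts section (the embedded samples are constructed by trimming this page's CORE-AC1 and CORE-AC2 scripts, with the PSK replaced by a placeholder) and reports WLAN lines that differ between the ACs, interface pools whose segment differs, excluded addresses outside the interface's own segment, and whether DHCP is bound to the HSB group.

```python
# Added example (not from the Huawei document): consistency checks for a VRRP HSB
# AC pair, run over Huawei-style configuration scripts as shown on this page.
import ipaddress
import re
from collections import Counter

# Constructed sample: the page's CORE-AC1 script trimmed to the relevant sections,
# with the PSK replaced by a placeholder.
AC1 = """sysname CORE-AC1
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
hsb-service-type dhcp hsb-group 0
#
wlan
security-profile name sec1
security open
ssid-profile name ssid1
ssid Employee
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk PSK_PLACEHOLDER
#
return
"""
# The backup AC mirrors the master except that, as in the page's CORE-AC2 script,
# its security profile lacks the "security open" line.
AC2 = (AC1.replace("CORE-AC1", "CORE-AC2")
       .replace("ip address 192.168.20.1 ", "ip address 192.168.20.2 ")
       .replace("excluded-ip-address 192.168.20.2\n", "excluded-ip-address 192.168.20.1\n")
       .replace("security open\n", "")
       .replace("peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1",
                "peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2"))
# Constructed variant: VLANIF 20 addressed on a segment its exclusions do not belong to.
AC1_WRONG_SEGMENT = AC1.replace("ip address 192.168.20.1 ", "ip address 172.16.20.1 ")
PEER_SPECIFIC = ("master-redundancy peer-ip",)  # legitimately differs per AC


def parse_sections(script):
    """Split on '#' separator lines; a section's first line ('interface Vlanif20',
    'wlan', ...) is its key and the remaining lines are its body."""
    sections, current = {}, []
    for line in (l.strip() for l in script.splitlines() + ["#"]):
        if line == "#":
            if current:
                sections[current[0]] = current[1:]
            current = []
        elif line:
            current.append(line)
    return sections


def wlan_differences(a, b):
    """'wlan' lines present on one AC but not the other (multiset difference)."""
    ca, cb = (Counter(l for l in s.get("wlan", []) if not l.startswith(PEER_SPECIFIC))
              for s in (a, b))
    return {"only_in_first": list((ca - cb).elements()),
            "only_in_second": list((cb - ca).elements())}


def dhcp_pools(sections):
    """Per-VLANIF interface address pool: subnet and excluded addresses."""
    pools = {}
    for key, body in sections.items():
        if not key.startswith("interface Vlanif") or "dhcp select interface" not in body:
            continue
        pool = {"network": None, "excluded": []}
        for line in body:
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                pool["network"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
            elif line.startswith("dhcp server excluded-ip-address "):
                pool["excluded"] += line.split()[3:]
        pools[key] = pool
    return pools


def excluded_outside_subnet(pools):
    """Exclusions outside the interface's own segment: a pool cannot exclude them,
    so either the interface address or the exclusion was pasted from elsewhere."""
    return [f"{key}: {addr} not in {p['network']}"
            for key, p in pools.items() if p["network"] is not None
            for addr in p["excluded"] if ipaddress.IPv4Address(addr) not in p["network"]]


def pool_mismatches(pa, pb):
    """Pools whose segment differs; interface and excluded peer addresses legitimately differ."""
    out = []
    for key in sorted(set(pa) | set(pb)):
        if key not in pa or key not in pb:
            out.append(f"{key}: pool defined on only one AC")
        elif pa[key]["network"] != pb[key]["network"]:
            out.append(f"{key}: network {pa[key]['network']} vs {pb[key]['network']}")
    return out


def check_pair(script_a, script_b):
    """Run every check over a master/backup script pair."""
    a, b = parse_sections(script_a), parse_sections(script_b)
    pa, pb = dhcp_pools(a), dhcp_pools(b)
    bound = re.compile(r"hsb-service-type dhcp hsb-group \d+")
    return {"wlan": wlan_differences(a, b),
            "pools": pool_mismatches(pa, pb),
            "excluded_outside_subnet": excluded_outside_subnet(pa) + excluded_outside_subnet(pb),
            "dhcp_bound_to_hsb": tuple(any(bound.fullmatch(k) for k in s) for s in (a, b))}
```

`check_pair(AC1, AC2)` flags the `security open` line that the backup's script lacks, the kind of WLAN mismatch the fourth precaution warns about, while `check_pair(AC1_WRONG_SEGMENT, AC2)` additionally reports the exclusions that fall outside the interface segment.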

Procedure
Step 1 Configure CSS on core switches and stacking on aggregation switches, and
configure MAD and uplink and downlink Eth-Trunk interfaces on the switches.
For details, see 2.2.1.3 Typical CSS and Stack Deployment.
Step 2 Configure interfaces and VLANs on CORE.
# Create VLANs.
[CORE] vlan batch 70 80 1000

# Configure Eth-Trunk 10 for connecting to AGG1, which is a stack of aggregation switches. The configuration of the Eth-Trunk interface for connecting to AGG2 is similar.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 70
[CORE-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk10] quit

# Add the interface connected to a server to VLAN 1000.
[CORE] interface xgigabitethernet 1/2/0/1
[CORE-XGigabitEthernet1/2/0/1] port link-type access
[CORE-XGigabitEthernet1/2/0/1] port default vlan 1000
[CORE-XGigabitEthernet1/2/0/1] quit

# Create Layer 3 interface VLANIF 70 for connecting to AGG1.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

# Create Layer 3 interface VLANIF 80 for connecting to AGG2.
[CORE] interface vlanif 80
[CORE-Vlanif80] ip address 172.16.80.1 255.255.255.0
[CORE-Vlanif80] quit

# Create Layer 3 interface VLANIF 1000 for connecting to a server.
[CORE] interface vlanif 1000
[CORE-Vlanif1000] ip address 192.168.100.1 255.255.255.0
[CORE-Vlanif1000] quit

Step 3 Configure interfaces and VLANs on AGG1. The configuration on AGG2 is similar.

# Create VLANs.
<AGG1> system-view
[AGG1] vlan batch 20 30 31 50 70

# Configure an Eth-Trunk interface for connecting to CORE.
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp-static
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 70
[AGG1-Eth-Trunk10] quit
[AGG1] interface 10GE 1/0/1
[AGG1-10GE1/0/1] eth-trunk 10
[AGG1-10GE1/0/1] quit
[AGG1] interface 10GE 2/0/1
[AGG1-10GE2/0/1] eth-trunk 10
[AGG1-10GE2/0/1] quit

# Create Eth-Trunk 1 for connecting to AGG-AC1 and add interfaces to it.
[AGG1] interface eth-trunk 1
[AGG1-Eth-Trunk1] description connect to AC
[AGG1-Eth-Trunk1] mode lacp-static
[AGG1-Eth-Trunk1] port link-type trunk
[AGG1-Eth-Trunk1] port trunk allow-pass vlan 20 30 31
[AGG1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk1] quit
[AGG1] interface 10GE 1/0/4
[AGG1-10GE1/0/4] eth-trunk 1
[AGG1-10GE1/0/4] quit
[AGG1] interface 10GE 1/0/5
[AGG1-10GE1/0/5] eth-trunk 1
[AGG1-10GE1/0/5] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG1] interface Vlanif 70
[AGG1-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG1-Vlanif70] quit

# Create Layer 3 interface VLANIF 20 for connecting to the ACs.
[AGG1] interface vlanif 20
[AGG1-Vlanif20] ip address 192.168.20.20 255.255.255.0
[AGG1-Vlanif20] quit

# Configure downlink interfaces for connecting to ACC1.
[AGG1] interface eth-trunk 30
[AGG1-Eth-Trunk30] mode lacp-static
[AGG1-Eth-Trunk30] port link-type trunk
[AGG1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[AGG1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk30] quit
[AGG1] interface 10GE 1/0/3
[AGG1-10GE1/0/3] eth-trunk 30
[AGG1-10GE1/0/3] quit
[AGG1] interface 10GE 2/0/3
[AGG1-10GE2/0/3] eth-trunk 30
[AGG1-10GE2/0/3] quit

Step 4 Configure interfaces and VLANs on AGG-AC1. The configurations on AGG-AC2, AGG-AC3, and AGG-AC4 are similar.

# Create VLANs.
<AC6805> system-view
[AC6805] sysname AGG-AC1
[AGG-AC1] vlan batch 20 30 31 200

# On AGG-AC1, create an Eth-Trunk interface for connecting to AGG1 and add interfaces to the Eth-Trunk.
[AGG-AC1] interface eth-trunk 1
[AGG-AC1-Eth-Trunk1] description connect to AGG1
[AGG-AC1-Eth-Trunk1] mode lacp-static
[AGG-AC1-Eth-Trunk1] port link-type trunk
[AGG-AC1-Eth-Trunk1] port trunk allow-pass vlan 20 30 31
[AGG-AC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AGG-AC1-Eth-Trunk1] quit
[AGG-AC1] interface gigabitethernet 0/0/1
[AGG-AC1-GigabitEthernet0/0/1] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/1] quit
[AGG-AC1] interface gigabitethernet 0/0/2
[AGG-AC1-GigabitEthernet0/0/2] eth-trunk 1
[AGG-AC1-GigabitEthernet0/0/2] quit

# On AGG-AC1, configure the interface connected to AGG-AC2.
[AGG-AC1] interface gigabitethernet 0/0/2
[AGG-AC1-GigabitEthernet0/0/2] port link-type trunk
[AGG-AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AGG-AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AGG-AC1-GigabitEthernet0/0/2] quit
[AGG-AC1] interface vlanif 200
[AGG-AC1-Vlanif200] ip address 172.16.200.1 255.255.255.0
[AGG-AC1-Vlanif200] quit

Step 5 Configure interfaces and VLANs on ACC1. The configuration on ACC2 is similar.

# Create VLANs.
<ACC1> system-view
[ACC1] vlan batch 20 50

# Configure uplink interfaces for connecting to AGG1.
[ACC1] interface eth-trunk 30
[ACC1-Eth-Trunk30] mode lacp-static
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 20 50
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit
[ACC1] interface 10GE 1/0/1
[ACC1-10GE1/0/1] eth-trunk 30
[ACC1-10GE1/0/1] quit
[ACC1] interface 10GE 1/0/2
[ACC1-10GE1/0/2] eth-trunk 30
[ACC1-10GE1/0/2] quit

# Configure downlink interfaces connected to PC1 and AP1, and configure the
interfaces as edge ports.
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] port link-type access
[ACC1-GE1/0/3] port default vlan 50
[ACC1-GE1/0/3] port-isolate enable group 1
[ACC1-GE1/0/3] stp edged-port enable
[ACC1-GE1/0/3] quit
[ACC1] interface GE 1/0/4
[ACC1-GE1/0/4] port link-type trunk
[ACC1-GE1/0/4] port trunk pvid vlan 20
[ACC1-GE1/0/4] port trunk allow-pass vlan 20
[ACC1-GE1/0/4] port-isolate enable group 1
[ACC1-GE1/0/4] stp edged-port enable
[ACC1-GE1/0/4] quit

Step 6 Configure DHCP on AGG1 so that AGG1 functions as a DHCP server to assign IP
addresses to wired and wireless users. The configuration on AGG2 is similar.
# Enable DHCP globally and configure DHCP snooping for the service VLAN.
[AGG1] dhcp enable
[AGG1] dhcp snooping enable
[AGG1] vlan 50
[AGG1-vlan50] dhcp snooping enable
[AGG1-vlan50] quit

# Create Layer 3 interface VLANIF 50 for wired services and configure AGG1 to
assign IP addresses to wired terminals from the interface address pool.
[AGG1] interface Vlanif 50
[AGG1-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG1-Vlanif50] dhcp select interface
[AGG1-Vlanif50] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG1-Vlanif50] arp proxy intra-vlan enable //Enable intra-VLAN proxy ARP.
[AGG1-Vlanif50] quit

Step 7 Configure routing on core and aggregation switches to implement Layer 3 communication.
# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.80.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit

# Configure OSPF on AGG1. The configuration on AGG2 is similar.
[AGG1] ospf 1 router-id 2.2.2.2
[AGG1-ospf-1] area 0
[AGG1-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.0] quit
[AGG1-ospf-1] area 1
[AGG1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure OSPF on AGG-AC1.
[AGG-AC1] ospf 1 router-id 3.3.3.3
[AGG-AC1-ospf-1] area 1
[AGG-AC1-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] network 172.16.30.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] network 172.16.31.0 0.0.0.255
[AGG-AC1-ospf-1-area-0.0.0.1] quit
[AGG-AC1-ospf-1] quit

Step 8 Configure DHCP on AGG-AC1. The configuration on AGG-AC3 is similar.

# Create Layer 3 interface VLANIF 20 for wireless services and configure AGG-AC1
to assign IP addresses to APs from the interface address pool.
[AGG-AC1] dhcp enable
[AGG-AC1] interface Vlanif 20
[AGG-AC1-Vlanif20] ip address 192.168.20.1 255.255.255.0 //The AP management segment is 192.168.20.0/24 (Table 2-19); the excluded addresses and the VRRP virtual IP configured later must belong to this interface's segment.
[AGG-AC1-Vlanif20] dhcp select interface
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.2
[AGG-AC1-Vlanif20] dhcp server excluded-ip-address 192.168.20.20
[AGG-AC1-Vlanif20] quit

# Create Layer 3 interface VLANIF 30 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 30
[AGG-AC1-Vlanif30] ip address 172.16.30.1 255.255.255.0
[AGG-AC1-Vlanif30] dhcp select interface
[AGG-AC1-Vlanif30] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif30] quit

# Create Layer 3 interface VLANIF 31 for wireless services and configure AGG-AC1
to assign IP addresses to STAs from the interface address pool.
[AGG-AC1] interface Vlanif 31
[AGG-AC1-Vlanif31] ip address 172.16.31.1 255.255.255.0
[AGG-AC1-Vlanif31] dhcp select interface
[AGG-AC1-Vlanif31] dhcp server dns-list 192.168.100.2 //Configure the DNS server for terminals.
[AGG-AC1-Vlanif31] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN proxy ARP.
[AGG-AC1-Vlanif31] quit

Step 9 Configure VRRP HSB on AGG-AC1. The configuration on AGG-AC2 is similar.


# Set the recovery delay of the VRRP group to 60 seconds.
[AGG-AC1] vrrp recover-delay 60

# Create a management VRRP group on AGG-AC1. Set the priority of AGG-AC1 in
the VRRP group to 120 and set the preemption delay to 1200 seconds.
[AGG-AC1] interface vlanif 20
[AGG-AC1-Vlanif20] vrrp vrid 1 virtual-ip 192.168.20.3
[AGG-AC1-Vlanif20] vrrp vrid 1 priority 120
[AGG-AC1-Vlanif20] vrrp vrid 1 preempt-mode timer delay 1200
[AGG-AC1-Vlanif20] admin-vrrp vrid 1
[AGG-AC1-Vlanif20] quit

# Create HSB service 0 on AGG-AC1 and configure IP addresses and port numbers
for the HSB channel.

[AGG-AC1] hsb-service 0
[AGG-AC1-hsb-service-0] service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
[AGG-AC1-hsb-service-0] quit

# Create HSB group 0 on AGG-AC1, and bind HSB service 0 and the management
VRRP group to HSB group 0.
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] bind-service 0
[AGG-AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 20
[AGG-AC1-hsb-group-0] quit

# Bind the AGG-AC1 service to HSB group 0.
[AGG-AC1] hsb-service-type access-user hsb-group 0
[AGG-AC1] hsb-service-type ap hsb-group 0
[AGG-AC1] hsb-service-type dhcp hsb-group 0
[AGG-AC1] hsb-group 0
[AGG-AC1-hsb-group-0] hsb enable
[AGG-AC1-hsb-group-0] quit

# After the configuration is complete, run the display vrrp command on AGG-AC1
and AGG-AC2. In the command output of both devices, the State field value of
AGG-AC1 is Master and that of AGG-AC2 is Backup.
[AGG-AC1] display vrrp
Vlanif20 | Virtual Router 1
State : Master
Virtual IP : 192.168.20.3
Master IP : 192.168.20.3
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 14:23:11
Last change time : 2019-11-30 14:23:17

[AGG-AC2] display vrrp
Vlanif20 | Virtual Router 1
State : Backup
Virtual IP : 192.168.20.3
Master IP : 192.168.20.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 1200s
TimerRun : 2s
TimerConfig : 2s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Track SysHealth Priority reduced : 254
SysHealth state : UP
Create time : 2019-11-30 07:15:11
Last change time : 2019-11-30 14:23:17

# Check the HSB service status on AGG-AC1 and AGG-AC2. In the command
output of both devices, the value Connected of Service State indicates that the
HSB channel has been established.
[AGG-AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.1
Peer IP Address : 172.16.200.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------
[AGG-AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 172.16.200.2
Peer IP Address : 172.16.200.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules :
Shared-key :-
----------------------------------------------------------

# Run the display hsb-group 0 command on AGG-AC1 and AGG-AC2 to check
the service status of HSB group 0.
[AGG-AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------
[AGG-AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif20
Service Index :0
Group Vrrp Status : Backup
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6805
Peer Group Software Version : V200R022C10
Group Backup Modules : Access-user
AP
----------------------------------------------------------

Step 10 Configure wireless services on AGG-AC1 so that AP1 can go online. The
configuration on AGG-AC2 is similar.
# Configure the AC's source interface.
[AGG-AC1] capwap source interface vlanif 20

# Create an AP group to add APs with the same configurations to the AP group.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the
profile, and bind the profile to the AP group.
[AGG-AC1-wlan-view] regulatory-domain-profile name domain1
[AGG-AC1-wlan-regulate-domain-domain1] country-code en
[AGG-AC1-wlan-regulate-domain-domain1] quit
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AGG-AC1-wlan-ap-group-ap-group1] quit

# Add AP1 to the AP group ap-group1 and configure a name for the AP based on
its deployment location.
[AGG-AC1-wlan-view] ap auth-mode mac-auth
[AGG-AC1-wlan-view] ap-id 1 ap-mac 00e0-fc12-3300
[AGG-AC1-wlan-ap-1] ap-name area_1
Warning: The AP name of more than 31 characters does not take effect for APs in versions earlier than V200R009C00.
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AGG-AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AGG-AC1-wlan-ap-1] quit
[AGG-AC1-wlan-view] quit

# After powering on AP1, run the display ap all command on AGG-AC1 to check
the AP running status. In the command output, the State field value is nor,
indicating that AP1 is in normal state.
[AGG-AC1] display ap all
Total AP information:
nor : normal [1]
ExtraInfo : Extra information
P : insufficient power supply
----------------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP              Type                   State  STA  Uptime      ExtraInfo
----------------------------------------------------------------------------------------------------------
1   00e0-fc12-4400  area_1  ap-group1  192.168.20.148  AirEngine 8760-X1-PRO  nor    0    1H:19M:18S  -
----------------------------------------------------------------------------------------------------------

Step 11 Configure STAs to go online on AGG-AC1.


# Configure WLAN service parameters, and create security profiles, SSID profiles,
and traffic profiles.
[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security open
[AGG-AC1-wlan-sec-prof-sec1] quit
[AGG-AC1-wlan-view] ssid-profile name ssid1
[AGG-AC1-wlan-ssid-prof-ssid1] ssid test01
[AGG-AC1-wlan-ssid-prof-ssid1] quit
[AGG-AC1-wlan-view] traffic-profile name traff1

[AGG-AC1-wlan-traffic-prof-traff1] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff1] quit
[AGG-AC1-wlan-view] security-profile name sec2
[AGG-AC1-wlan-sec-prof-sec2] security open
[AGG-AC1-wlan-sec-prof-sec2] quit
[AGG-AC1-wlan-view] ssid-profile name ssid2
[AGG-AC1-wlan-ssid-prof-ssid2] ssid test02
[AGG-AC1-wlan-ssid-prof-ssid2] quit
[AGG-AC1-wlan-view] traffic-profile name traff2
[AGG-AC1-wlan-traffic-prof-traff2] user-isolate l2
[AGG-AC1-wlan-traffic-prof-traff2] quit

# Create WLAN VAP profiles, configure the service data forwarding mode and
service VLANs, apply security profiles and SSID profiles, and enable IPSG, dynamic
ARP inspection, and strict STA IP address learning through DHCP.
[AGG-AC1-wlan-view] vap-profile name test01
[AGG-AC1-wlan-vap-prof-test01] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test01] service-vlan vlan-id 30
[AGG-AC1-wlan-vap-prof-test01] security-profile sec1
[AGG-AC1-wlan-vap-prof-test01] ssid-profile ssid1
[AGG-AC1-wlan-vap-prof-test01] traffic-profile traff1
[AGG-AC1-wlan-vap-prof-test01] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test01] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test01] quit
[AGG-AC1-wlan-view] vap-profile name test02
[AGG-AC1-wlan-vap-prof-test02] forward-mode tunnel
[AGG-AC1-wlan-vap-prof-test02] service-vlan vlan-id 31
[AGG-AC1-wlan-vap-prof-test02] security-profile sec2
[AGG-AC1-wlan-vap-prof-test02] ssid-profile ssid2
[AGG-AC1-wlan-vap-prof-test02] traffic-profile traff2
[AGG-AC1-wlan-vap-prof-test02] ip source check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] arp anti-attack check user-bind enable
[AGG-AC1-wlan-vap-prof-test02] learn-client-address dhcp-strict
[AGG-AC1-wlan-vap-prof-test02] quit

NOTE

IP packet check enabled using the ip source check user-bind enable command is based on
binding entries. Therefore:
● For DHCP users, enable DHCP snooping on the device to automatically generate
dynamic binding entries.
● For users using static IP addresses, manually configure static binding entries.
Before running the learn-client-address dhcp-strict command:
● Run the undo dhcp trust port command in the VAP profile view to disable the DHCP
trusted interface on an AP.
● Run the undo learn-client-address { ipv4 | ipv6 } disable command in the VAP profile
view to enable STA IP address learning.

# Bind the VAP profiles test01 and test02 (created above) to the AP group.
[AGG-AC1-wlan-view] ap-group name ap-group1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test01 wlan 1 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test02 wlan 2 radio 0
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test01 wlan 1 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] vap-profile test02 wlan 2 radio 1
[AGG-AC1-wlan-ap-group-ap-group1] quit
[AGG-AC1-wlan-view] quit

----End
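The NOTE in Step 11 says that the IPSG and DAI checks enabled in the VAP profiles decide on binding entries, which exist only for DHCP users (created by DHCP snooping) or for static-IP users whose entries an administrator configures. The following Python model, added here and not part of the Huawei document, plays that decision out over constructed traffic on service VLAN 30; the class and function names, the second STA's MAC address and the 172.16.30.50 address are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One binding entry; source is "dhcp" (snooping) or "static" (configured)."""
    mac: str
    ip: str
    vlan: int
    source: str


class BindingTable:
    """Binding table as the NOTE describes it: DHCP snooping or manual entries only."""

    def __init__(self):
        self._entries = {}  # (mac, vlan) -> Binding

    def learn_from_dhcp(self, mac, ip, vlan):
        # DHCP snooping creates a dynamic entry when the server's ACK is seen
        self._entries[(mac, vlan)] = Binding(mac, ip, vlan, "dhcp")

    def add_static(self, mac, ip, vlan):
        # a static-IP terminal never gets an ACK, so its entry must be configured
        self._entries[(mac, vlan)] = Binding(mac, ip, vlan, "static")

    def matches(self, mac, ip, vlan):
        entry = self._entries.get((mac, vlan))
        return entry is not None and entry.ip == ip


def ipsg_check(table, src_mac, src_ip, vlan):
    """ip source check user-bind: an IP packet passes only if source MAC/IP/VLAN bind."""
    return "permit" if table.matches(src_mac, src_ip, vlan) else "drop"


def dai_check(table, sender_mac, sender_ip, vlan):
    """arp anti-attack check user-bind: the ARP sender MAC/IP/VLAN must bind the same way."""
    return "permit" if table.matches(sender_mac, sender_ip, vlan) else "drop"


def run_scenario():
    """Constructed traffic on service VLAN 30; addresses follow this page's plan."""
    table = BindingTable()
    sta = "00e0-fc12-3388"         # the STA shown in 'display station ssid test01'
    static_sta = "00e0-fc12-3399"  # constructed terminal with a manually set address
    results = {}

    # 1. STA obtains 172.16.30.180 by DHCP: snooping records it, IP and ARP pass.
    table.learn_from_dhcp(sta, "172.16.30.180", 30)
    results["dhcp_sta_ip"] = ipsg_check(table, sta, "172.16.30.180", 30)
    results["dhcp_sta_arp"] = dai_check(table, sta, "172.16.30.180", 30)

    # 2. The same STA later announces the gateway address (172.16.30.1) in ARP:
    #    no binding says so, so DAI drops it.
    results["dhcp_sta_claims_gateway"] = dai_check(table, sta, "172.16.30.1", 30)

    # 3. Entries are per VLAN: the same MAC/IP seen on VLAN 31 matches nothing.
    results["dhcp_sta_wrong_vlan"] = ipsg_check(table, sta, "172.16.30.180", 31)

    # 4. A static-IP terminal is dropped until an administrator adds its entry.
    results["static_sta_before"] = ipsg_check(table, static_sta, "172.16.30.50", 30)
    table.add_static(static_sta, "172.16.30.50", 30)
    results["static_sta_after"] = ipsg_check(table, static_sta, "172.16.30.50", 30)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:28s} {verdict}")
```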

Verifying the Configuration


Expected Results

Wired and wireless users can access the campus network.


Verification Method
The following uses AGG1 and AGG-AC1 as an example. The verification methods
on AGG2 and AGG-AC2 are similar.
● Run the following command on AGG-AC1. The command output shows that
an AP has obtained an IP address successfully.
[AGG-AC1] display ip pool interface vlanif20 used
Pool-name : Vlanif20
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 192.168.20.0
Mask : 255.255.255.0
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :2

-------------------------------------------------------------------------------------
Network section
  Start          End              Total  Used  Idle(Expired)  Conflict  Disabled
-------------------------------------------------------------------------------------
  192.168.20.1   192.168.20.254   254    1     251(0)         0         2
-------------------------------------------------------------------------------------
Client-ID format as follows:
DHCP  : mac-address                PPPoE   : mac-address
IPSec : user-id/portnumber/vrf     PPP     : interface index
L2TP  : cpu-slot/session-id        SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------------
  Index  IP               Client-ID        Type  Left   Status
-------------------------------------------------------------------------------------
  147    192.168.20.148   00e0-fc12-4400   DHCP  80426  Used
-------------------------------------------------------------------------------------
● Run the following command on AGG1. The command output shows that a
wired user has obtained an IP address successfully.
[AGG1] display ip pool interface vlanif50 used
Pool-name : Vlanif50
Pool-No :2
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.100.2
NBNS-server0 :-

Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.50.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :1
Idle :254 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
  Start          End              Total  Used  Idle(Expired)  Conflict  Disabled
-------------------------------------------------------------------------------------
  172.16.50.1    172.16.50.216    254    0     254(0)         0         0
-------------------------------------------------------------------------------------

● Wired and wireless users can communicate with each other.


# AP1 can ping a device in the server zone.
<area_1> ping 192.168.100.2
PING 192.168.100.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.2: bytes=56 Sequence=1 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=2 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=3 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=4 ttl=63 time=1 ms
Reply from 192.168.100.2: bytes=56 Sequence=5 ttl=63 time=1 ms

--- 192.168.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

# After a wireless user connects to AP1, you can view information about the
wireless user on AGG-AC1.
[AGG-AC1] display station ssid test01
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------------
00e0-fc12-3388 2 area_2 1/1 5G 11ac 117/115 -71 30 172.16.30.180
-----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# PC1 can ping the user connected to AP1.
C:\Users>ping 172.16.30.180

Pinging 172.16.30.180 with 32 bytes of data:
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128
Reply from 172.16.30.180: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.30.180:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


Configuration Scripts
# CORE
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG-AC1
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.1
network 192.168.20.0 0.0.0.255
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security open
security-profile name sec2
security open
ssid-profile name ssid1
ssid test01
ssid-profile name ssid2
ssid test02
vap-profile name test01
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name test02
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile test01 wlan 1
vap-profile test02 wlan 2
radio 1
vap-profile test01 wlan 1
vap-profile test02 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC2
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 200
#
interface vlanif20
ip address 192.168.20.2 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.20.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif200
ip address 172.16.200.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 200
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG-AC3
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
interface vlanif21
ip address 192.168.21.1 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface vlanif201
ip address 172.16.201.1 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
ospf 1 router-id 4.4.4.4
area 0.0.0.2
network 192.168.21.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff1
user-isolate l2
traffic-profile name traff2
user-isolate l2
security-profile name sec1
security-profile name sec2
ssid-profile name ssid3
ssid test03
ssid-profile name ssid4
ssid test04
vap-profile name test01
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid3
security-profile sec1
traffic-profile traff1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name test02
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid4
security-profile sec2
traffic-profile traff2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile test01 wlan 1
vap-profile test02 wlan 2
radio 1
vap-profile test01 wlan 1
vap-profile test02 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
#

# AGG-AC4
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 201
#
interface vlanif21
ip address 192.168.21.2 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.21.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
#
interface vlanif201
ip address 172.16.201.2 255.255.255.0
#
interface eth-trunk 1
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp
#
interface gigabitethernet 0/0/1
eth-trunk 1
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 201
undo port trunk allow-pass vlan 1
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#

# AGG1
#
sysname AGG1
#
vlan batch 20 50 70
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
mode lacp-static
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp-static
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31 50
mode lacp-static
#
interface 10GE1/0/3
eth-trunk 30
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE2/0/3
eth-trunk 30
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE2/0/1
eth-trunk 10
#
return

# AGG2
#
sysname AGG2
#
vlan batch 21 60 80
#
dhcp enable
#
dhcp snooping enable
#
vlan 60
dhcp snooping enable
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp proxy intra-vlan enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21
mode lacp-static
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp-static
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41 60
mode lacp-static
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 40
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE2/0/3
eth-trunk 40
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE2/0/1
eth-trunk 10
#
return

# ACC1
#
sysname ACC1
#
vlan batch 20 50
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 30
#
interface 10GE1/0/2
eth-trunk 30
#
interface GE1/0/3
port link-type access
port default vlan 50
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
port-isolate enable group 1
#
return

# ACC2
#
sysname ACC2
#
vlan batch 21 60
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 40
#
interface 10GE1/0/2
eth-trunk 40
#
interface GE1/0/3
port link-type access
port default vlan 60
stp edged-port enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 21
stp edged-port enable
port-isolate enable group 1
#
return
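Step 9 and the AGG-AC1/AGG-AC2 scripts above show what makes a VRRP HSB pair consistent: each AC's hsb-service local-ip and peer-ip and data ports must mirror its partner's, the local-ip must be an address the AC itself holds on a VLANIF, and the HSB group must track the management (admin-vrrp) group that both ACs share. The following Python check, added here and not part of the Huawei document, parses that subset of the configuration and reports inconsistencies; the parser, the finding texts, the sample_ac builder and the two check functions are this example's own, and only the commands shown in Step 9 are understood.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AcConfig:
    """The part of one AC's configuration that VRRP HSB depends on."""
    name: str = ""
    vlanif_ips: dict = field(default_factory=dict)   # "vlanif200" -> "172.16.200.1"
    vrrp: dict = field(default_factory=dict)         # ("vlanif20", 1) -> {"virtual_ip", "admin"}
    hsb_service: dict = field(default_factory=dict)  # local_ip, peer_ip, local_port, peer_port
    hsb_track: tuple = None                          # VRRP group named by "track vrrp vrid ..."


def parse_ac(text):
    """Pick the Step 9 commands out of VRP-style configuration text ('#' ends a section)."""
    cfg, section = AcConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            section = None
        elif m := re.match(r"sysname (\S+)$", line):
            cfg.name = m.group(1)
        elif m := re.match(r"interface (vlanif\s*\d+)$", line, re.I):
            section = m.group(1).replace(" ", "").lower()
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and section:
            cfg.vlanif_ips[section] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)$", line):
            cfg.vrrp.setdefault((section, int(m.group(1))), {"admin": False})["virtual_ip"] = m.group(2)
        elif m := re.match(r"admin-vrrp vrid (\d+)$", line):
            cfg.vrrp.setdefault((section, int(m.group(1))), {})["admin"] = True
        elif m := re.match(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                           r"local-data-port (\d+) peer-data-port (\d+)$", line):
            cfg.hsb_service = dict(local_ip=m.group(1), peer_ip=m.group(2),
                                   local_port=int(m.group(3)), peer_port=int(m.group(4)))
        elif m := re.match(r"track vrrp vrid (\d+) interface (vlanif\d+)$", line, re.I):
            cfg.hsb_track = (m.group(2).lower(), int(m.group(1)))
    return cfg


def check_pair(a, b):
    """Return findings for an AC pair; an empty list means the pair is consistent."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        svc, psvc = local.hsb_service, peer.hsb_service
        if not svc:
            findings.append(f"{local.name}: no hsb-service channel configured")
            continue
        # the HSB local-ip must be an address this AC actually owns
        if svc["local_ip"] not in local.vlanif_ips.values():
            findings.append(f"{local.name}: HSB local-ip {svc['local_ip']} is not configured on any VLANIF")
        # addresses and data ports must mirror each other across the pair
        if psvc and svc["peer_ip"] != psvc["local_ip"]:
            findings.append(f"{local.name}: HSB peer-ip {svc['peer_ip']} != {peer.name} local-ip {psvc['local_ip']}")
        if psvc and svc["peer_port"] != psvc["local_port"]:
            findings.append(f"{local.name}: HSB peer-data-port {svc['peer_port']} != {peer.name} local-data-port {psvc['local_port']}")
        # the HSB group must track an existing management (admin-vrrp) group
        if local.hsb_track is None:
            findings.append(f"{local.name}: hsb-group does not track a VRRP group")
        elif local.hsb_track not in local.vrrp:
            findings.append(f"{local.name}: hsb-group tracks VRRP {local.hsb_track}, which is not configured")
        elif not local.vrrp[local.hsb_track].get("admin"):
            findings.append(f"{local.name}: tracked VRRP group {local.hsb_track} is not an admin-vrrp")
    # both ACs must track the same group with the same virtual IP
    if a.hsb_track and b.hsb_track:
        if a.hsb_track != b.hsb_track:
            findings.append(f"tracked VRRP groups differ: {a.hsb_track} vs {b.hsb_track}")
        else:
            vips = [x.vrrp.get(x.hsb_track, {}).get("virtual_ip") for x in (a, b)]
            if vips[0] != vips[1]:
                findings.append(f"virtual IP differs: {a.name} {vips[0]} vs {b.name} {vips[1]}")
    return findings


def sample_ac(name, mgmt_ip, hsb_ip, hsb_peer):
    """Constructed mini-config in the shape of the AGG-AC1/AGG-AC2 scripts on this page."""
    return f"""sysname {name}
#
interface Vlanif20
ip address {mgmt_ip} 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 virtual-ip 192.168.20.3
#
interface Vlanif200
ip address {hsb_ip} 255.255.255.0
#
hsb-service 0
service-ip-port local-ip {hsb_ip} peer-ip {hsb_peer} local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
"""


def check_page_pair():
    """The pair as configured in Step 9: expected to produce no findings."""
    ac1 = parse_ac(sample_ac("AGG-AC1", "192.168.20.1", "172.16.200.1", "172.16.200.2"))
    ac2 = parse_ac(sample_ac("AGG-AC2", "192.168.20.2", "172.16.200.2", "172.16.200.1"))
    return check_pair(ac1, ac2)


def check_mistyped_pair():
    """Constructed slip: VLANIF 200 on the standby AC is given the active AC's address,
    so the standby's HSB local-ip is no longer an address it owns."""
    ac1 = parse_ac(sample_ac("AGG-AC1", "192.168.20.1", "172.16.200.1", "172.16.200.2"))
    bad = sample_ac("AGG-AC2", "192.168.20.2", "172.16.200.2", "172.16.200.1")
    ac2 = parse_ac(bad.replace("ip address 172.16.200.2", "ip address 172.16.200.1"))
    return check_pair(ac1, ac2)
```

Paste the real `display current-configuration` output of each AC into parse_ac to run the same checks against a live pair.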

2.2.2 Example for Wired and Wireless User Access Authentication Deployment
2.2.2.1 Key Points of User Access Authentication Deployment


User access authentication aims to implement user authentication and policy-
based control, which involves the following key nodes:
● Authentication point: a device or node responsible for user access
authentication.
● Access point: a device or node that determines whether a terminal is allowed
to access the network.
● Group policy enforcement point: a device or node that executes group policies
used in free mobility.
The conventional access control solution uses NAC authentication and ACLs, and
defines an authentication control point on a campus network to perform access
authentication and policy control on user terminals. Huawei's access control
solution combines the conventional NAC solution with policy association and free
mobility to provide a more refined division of device roles in campus network
access control.
● Authentication control point: authenticates users and interacts with an
authentication server to implement authentication, authorization, and
accounting. In the policy association solution, a CAPWAP tunnel is established
between the authentication control point and authentication enforcement
point to exchange user authentication requests and synchronize user entries.
● Authentication enforcement point: controls user access in the policy
association solution by allowing only successfully authenticated users to
access the network, and transparently transmits user authentication packets
to the authentication control point. User authorization policies can be
manually configured on the authentication control point, which will be
delivered to the authentication enforcement point.
● Policy enforcement point: enforces control policies. Typically, the
authentication control point also acts as the policy enforcement point. For
example, in the conventional NAC authentication + ACL solution, an
authentication server authorizes ACL information to authenticated users, and
the authentication control point performs policy control on users based on the
authorized ACL information.
This section describes typical examples for deploying user access authentication.
Standalone ACs can be deployed based on authentication point locations and
policy control solutions.

Table 2-21 Key points of user access authentication deployment

Deployment key point: AC deployment
  Description: The standalone AC deployment solution is used.
  Recommended scenario: When the standalone AC solution is used, the gateways for
  wired and wireless users can be combined (only on a switch) or separated (on a
  switch for wired users and a standalone AC for wireless users). In the examples
  where the standalone AC solution is used, a standalone AC is deployed as both the
  gateway and authentication point for wireless users.

Deployment key point: Wired and wireless authentication points
  Description: The devices functioning as user gateways are typically configured
  as authentication points.
  Recommended scenario: In the standalone AC solution, it is recommended that a
  switch be deployed as the gateway for wired users and a standalone AC as the
  gateway for wireless users.

Deployment key point: Policy-based control
  Description: Policy-based control solutions include NAC, free mobility, and
  policy association.
  Recommended scenario: NAC applies to all scenarios that require authentication.
  Free mobility applies to campus access scenarios to control access rights based
  on accounts, terminal types, and access modes, ensuring consistent access rights
  regardless of users' locations. Policy association applies to large-scale campus
  networks with a large number of widely distributed access devices. If NAC
  authentication and user access policies are deployed on each access device, the
  configuration workload is heavy and policies cannot be flexibly adjusted. Policy
  association (aggregation or core switches function as authentication control
  points, and access switches function as authentication enforcement points) can
  be deployed to prevent users from communicating with each other through the
  access layer before they are authenticated. It can also obtain online user
  information such as the interfaces on which users go online and the VLANs to
  which users belong, facilitating maintenance and management.

2.2.2.2 Standalone AC + NAC Solution: Core Switches and ACs Function as the Authentication Points for Wired and Wireless Users Respectively

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Standalone ACs are deployed in off-path mode. They function as gateways to
assign IP addresses to APs and wireless users, and centrally manage APs and
wireless users on the entire network.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth.
In this example, core switches function as the gateway and authentication point
for wired users, and standalone ACs function as the gateway and authentication
point for wireless users. The wired and wireless users can access the network only
after being authenticated. The specific requirements are as follows:


● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● iMaster NCE-Campus functions as both the authentication server and user
service data source server.
● iMaster NCE-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access and aggregation switches to
control Layer 2 traffic of users.

Figure 2-12 Core switches and standalone ACs functioning as the authentication points for wired and wireless users respectively

Device Requirements and Versions

Location | Device Requirement | Device Used in This Example | Version Used in This Example
Authentication server | - | iMaster NCE-Campus | V300R022C10SPC100
Core layer | - | S12700E | V200R022C10
Aggregation layer | - | S6730-H-V2 | V600R022C10
Access layer | - | S5735-L-V2 | V600R022C10
AC | - | AC6805 | V200R022C10
AP | - | AirEngine 8760-X1-PRO | V200R022C10

Deployment Roadmap

Step: Enable campus network connectivity.
1. For details, see 2.2.1.6 Standalone AC Solution: Core Switches and ACs
Function as the Gateways for Wired and Wireless Users Respectively.

Step: Configure core switches and ACs.
2. Configure AAA, including configuring a RADIUS server template, AAA schemes,
and authentication domains, as well as configuring parameters for
interconnection between switches and the RADIUS server and between ACs and
the RADIUS server.
3. Configure resources accessible to users before they are authenticated
(referred to as authentication-free resources), and network access rights to be
granted to successfully authenticated employees and guests.
4. Configure 802.1X authentication for employees.
5. (Required only on ACs) Configure MAC address-prioritized Portal
authentication for guests.

Step: Configure aggregation and access switches.
6. Configure Layer 2 Protocol Tunneling for 802.1X authentication packets.

Step: Configure iMaster NCE-Campus.
7. Add devices that need to communicate with iMaster NCE-Campus, and configure
RADIUS and Portal authentication parameters.
8. Add user groups and user accounts.
9. Enable MAC address-prioritized Portal authentication.
10. Configure network access rights for successfully authenticated employees and
guests.


Data Plan

Table 2-22 Data plan for campus network connectivity

Item | VLAN ID | Network Segment
VLANs for communication between core switches and ACs | VLAN 20 (management VLAN for APs) | 192.168.20.0/24
VLANs for communication between core switches and ACs | VLAN 30 (service VLAN for wireless access of employees) | 172.16.30.0/24
VLANs for communication between core switches and ACs | VLAN 40 (service VLAN for guests) | 172.16.40.0/24
Service VLAN for wired users (on AGG1) | VLAN 50 | 172.16.50.0/24
Service VLAN for wired users (on AGG2) | VLAN 60 | 172.16.60.0/24
VLAN for communication between CORE-AC1 and CORE-AC2 | VLAN 100 | 172.16.100.0/24
VLAN for communication between core switches and servers | VLAN 1000 | 192.168.100.0/24

Table 2-23 Wireless service data plan for ACs

Item | Employee | Guest
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. (shared by employees and guests)
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 (SSID: Employee) | ssid2 (SSID: Guest)
AP group | ap-group1 (shared)
Regulatory domain profile | domain1 (shared)
Service data forwarding mode | Tunnel forwarding (shared)
Service VLANs | VLAN 30 | VLAN 40
VAP profiles | vap1 | vap2


Table 2-24 Authentication service data plan for core switches and ACs

AAA schemes
● Authentication scheme for RADIUS authentication: auth
● Accounting scheme for RADIUS accounting: acco

RADIUS server
● RADIUS server template name: tem_rad
● IP addresses of the authentication, accounting, and authorization servers:
192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Accounting interval: 15 minutes

Portal server
● Portal server template name: tem_portal
● IP address of the Portal server: 192.168.100.10
● Port number: 50200
● Shared key of the Portal server: YsHsjx_202206
● Portal server detection: enabled

802.1X access profile
● Name: d1
● Authentication mode: EAP

Portal access profile: Name: web1

MAC access profile: Name: mac1

Authentication-free resources: DNS server: 192.168.100.2

Network access rights for successfully authenticated users
● Employees: Internet, DNS server, service server, and network segments of
employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device
are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.


Table 2-25 iMaster NCE-Campus service data plan

User accounts (user name/password)
● Employees: user1/YsHsjx_202206, user2/YsHsjx_202206
● Guest: guest4/YsHsjx_202206

Device IP addresses
● Core switch: 192.168.100.1
● AC: 192.168.20.1 (IP address of the backup AC: 192.168.20.2)

RADIUS authentication parameter
● Device series: Huawei Engine
● Authentication and accounting keys: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Real-time accounting interval: 15 minutes

Portal authentication parameter
● Portal key: YsHsjx_202206
● Terminal IP addresses: 172.16.30.0/24, 172.16.40.0/24

Deployment Precautions
● It is not recommended that VLAN 1 be used as a service VLAN. Remove all
interfaces from VLAN 1. Interfaces need to transparently transmit packets
from specific VLANs, instead of all VLANs, based on actual service
requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN must
be different. Otherwise, MAC address flapping will occur, leading to a packet
forwarding error. The network between the AC and APs needs to permit only
packets tagged with the management VLAN ID and deny packets tagged with
the service VLAN ID.
● In tunnel forwarding mode, service packets from APs are encapsulated in
CAPWAP data tunnels and transmitted to the AC. The AC then forwards the
packets to the upper-layer network. Therefore, service packets and
management packets can be transmitted properly when the interfaces that
connect the AC to APs are added to the management VLAN and the interface
that connects the AC to the upper-layer network is added to a service VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on which
interface to enable the DHCP server function. Only the master AC
allocates IP addresses, and IP address allocation information will be
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.
● The RADIUS authentication, accounting, and authorization keys, as well as the
Portal key configured on iMaster NCE-Campus must be the same as those
configured on switches.
● By default, the switch allows the packets sent to RADIUS and Portal servers to
pass through. You do not need to configure authentication-free rules for the
two servers on the switch.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 Protocol Tunneling must be enabled
for 802.1X authentication packets on the Layer 2 switch; otherwise, users
cannot be successfully authenticated.

Procedure
Step 1 Enable campus network connectivity. For details, see 2.2.1.6 Standalone AC
Solution: Core Switches and ACs Function as the Gateways for Wired and
Wireless Users Respectively.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit

Step 2 Configure the authentication service on CORE.


1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between CORE and the RADIUS server,
including the IP addresses, port numbers, authentication key, and accounting
key of the RADIUS authentication and accounting servers.
[CORE] radius-server template tem_rad
[CORE-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[CORE-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.


[CORE] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206

# Configure an AAA authentication scheme and an AAA accounting scheme,


set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[CORE] aaa
[CORE-aaa] authentication-scheme auth


[CORE-aaa-authen-auth] authentication-mode radius


[CORE-aaa-authen-auth] quit
[CORE-aaa] accounting-scheme acco
[CORE-aaa-accounting-acco] accounting-mode radius
[CORE-aaa-accounting-acco] accounting realtime 15
[CORE-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes


and the RADIUS server template to this domain.
[CORE-aaa] domain huawei.com
[CORE-aaa-domain-huawei.com] authentication-scheme auth
[CORE-aaa-domain-huawei.com] accounting-scheme acco
[CORE-aaa-domain-huawei.com] radius-server tem_rad
[CORE-aaa-domain-huawei.com] quit
[CORE-aaa] quit

2. Configure authentication-free resources and network access rights for


successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the
DNS server and packets from the AP management VLAN to pass through.
[CORE] free-rule-template name default_free_rule
[CORE-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[CORE-free-rule-default_free_rule] free-rule 2 source vlan 20
[CORE-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to


allow them to access the Internet, DNS server, and service server and to
communicate with each other.
[CORE] acl 3001
[CORE-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[CORE-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[CORE-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[CORE-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[CORE-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[CORE-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[CORE-acl-adv-3001] rule 7 deny ip destination any
[CORE-acl-adv-3001] quit

3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[CORE] dot1x-access-profile name d1
[CORE-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[CORE] authentication-profile name p1
[CORE-authen-profile-p1] dot1x-access-profile d1
[CORE-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[CORE-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink


interfaces.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] authentication-profile p1
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] authentication-profile p1
[CORE-Eth-Trunk20] quit


Step 3 Configure the authentication service on ACs. The following uses CORE-AC1 as an
example. The configuration of CORE-AC2 is similar to that of CORE-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<CORE-AC1> system-view
[CORE-AC1] radius-server template tem_rad
[CORE-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[CORE-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[CORE-AC1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[CORE-AC1-radius-tem_rad] quit
# Configure a RADIUS authorization server and an authorization key.
[CORE-AC1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206
# Configure an AAA authentication scheme and an AAA accounting scheme,
set the authentication and accounting modes to RADIUS, and set the
accounting interval to 15 minutes.
[CORE-AC1] aaa
[CORE-AC1-aaa] authentication-scheme auth
[CORE-AC1-aaa-authen-auth] authentication-mode radius
[CORE-AC1-aaa-authen-auth] quit
[CORE-AC1-aaa] accounting-scheme acco
[CORE-AC1-aaa-accounting-acco] accounting-mode radius
[CORE-AC1-aaa-accounting-acco] accounting realtime 15
[CORE-AC1-aaa-accounting-acco] quit
2. Configure authentication-free resources and network access rights for
successfully authenticated users.
# Configure authentication-free resources to allow packets destined for the
DNS server to pass through.
[CORE-AC1] free-rule-template name default_free_rule
[CORE-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[CORE-AC1-free-rule-default_free_rule] quit
# Configure network access rights for successfully authenticated employees to
allow them to access the Internet, DNS server, and service server and to
communicate with each other.
NOTE

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[CORE-AC1] acl 3001
[CORE-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[CORE-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.50.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.60.0 0.0.0.255
[CORE-AC1-acl-adv-3001] rule 7 deny ip destination any
[CORE-AC1-acl-adv-3001] quit
# Configure network access rights for successfully authenticated guests to
allow them to access the Internet and DNS server and to communicate with
each other.
[CORE-AC1] acl 3002
[CORE-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[CORE-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[CORE-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.40.0 0.0.0.255 //Allow guests to communicate with each other.
[CORE-AC1-acl-adv-3002] rule 4 deny ip destination any
[CORE-AC1-acl-adv-3002] quit

3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[CORE-AC1] dot1x-access-profile name d1
[CORE-AC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[CORE-AC1] authentication-profile name p1
[CORE-AC1-authen-profile-p1] dot1x-access-profile d1
[CORE-AC1-authen-profile-p1] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p1] authentication-scheme auth
[CORE-AC1-authen-profile-p1] accounting-scheme acco
[CORE-AC1-authen-profile-p1] radius-server tem_rad
[CORE-AC1-authen-profile-p1] quit

# Configure a security policy for wireless access of employees.


[CORE-AC1] wlan
[CORE-AC1-wlan-view] security-profile name sec1
[CORE-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees.


[CORE-AC1-wlan-view] vap-profile name vap1
[CORE-AC1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-vap-prof-vap1] quit
[CORE-AC1-wlan-view] quit

4. Configure MAC address-prioritized Portal authentication for guests.


# Configure a Portal server template. Configure parameters for
interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.
[CORE-AC1] web-auth-server tem_portal
[CORE-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[CORE-AC1-web-auth-server-tem_portal] port 50200
[CORE-AC1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
[CORE-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[CORE-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[CORE-AC1-web-auth-server-tem_portal] quit

# Configure a Portal access profile.


[CORE-AC1] portal-access-profile name web1
[CORE-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[CORE-AC1-portal-acces-profile-web1] quit

# Configure a MAC access profile.


[CORE-AC1] mac-access-profile name mac1
[CORE-AC1-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.


[CORE-AC1] authentication-profile name p2
[CORE-AC1-authen-profile-p2] portal-access-profile web1
[CORE-AC1-authen-profile-p2] mac-access-profile mac1
[CORE-AC1-authen-profile-p2] free-rule-template default_free_rule
[CORE-AC1-authen-profile-p2] authentication-scheme auth
[CORE-AC1-authen-profile-p2] accounting-scheme acco
[CORE-AC1-authen-profile-p2] radius-server tem_rad
[CORE-AC1-authen-profile-p2] quit


# Configure MAC address-prioritized Portal authentication for guests.


[CORE-AC1] wlan
[CORE-AC1-wlan-view] vap-profile name vap2
[CORE-AC1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-AC1-wlan-vap-prof-vap2] quit
[CORE-AC1-wlan-view] quit

Step 4 Configure Layer 2 Protocol Tunneling for 802.1X authentication packets on access
and aggregation switches. The following uses ACC1 as an example. The
configurations of other switches are similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication
packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface ge 1/0/3
[ACC1-GE1/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GE1/0/3] quit
[ACC1] interface ge 1/0/4
[ACC1-GE1/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GE1/0/4] quit
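As an added illustration (not part of the Huawei example and not the switch's own implementation), the following Python model shows why the Layer 2 Protocol Tunneling step is needed: an EAPOL frame is addressed to the reserved PAE group MAC 0180-c200-0003, which an IEEE 802.1D/802.1Q bridge terminates instead of relaying, so an L2PT-enabled port rewrites the destination to the configured group MAC 0100-0000-0002 and the last L2PT-enabled hop restores it before the frame reaches the authentication point. The EAPOL-Start frame, the source MAC and the reserved-range check are constructed for the example; the two MAC addresses and the EtherType are the ones the configuration uses.

```python
"""Constructed model of the EAPOL destination-MAC rewrite performed by
Layer 2 Protocol Tunneling. Not the switch's code; it only demonstrates the
mechanism behind the l2protocol-tunnel user-defined-protocol 802.1x command."""
import struct

# Values taken from the l2protocol-tunnel command in the configuration.
EAPOL_PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # protocol-mac 0180-c200-0003
L2PT_GROUP_MAC = bytes.fromhex("010000000002")        # group-mac 0100-0000-0002
ETHERTYPE_EAPOL = 0x888E

# IEEE 802.1D/802.1Q reserved group addresses 01-80-C2-00-00-00 .. -0F.
# A bridge terminates frames sent to these instead of relaying them.
RESERVED_PREFIX = bytes.fromhex("0180c20000")


def build_eapol_start(src_mac: bytes) -> bytes:
    """Constructed EAPOL-Start frame: PAE group MAC as destination, EtherType
    0x888E, EAPOL version 1, packet type 1 (Start), body length 0."""
    return EAPOL_PAE_GROUP_MAC + src_mac + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, 1, 0)


def is_eapol(frame: bytes) -> bool:
    """True if the frame carries the EAPOL EtherType (minimum 18 bytes here)."""
    return len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL


def plain_bridge_relays(frame: bytes) -> bool:
    """Model of a switch without L2PT: a frame whose destination is a reserved
    group address is consumed locally, so the user's EAPOL never reaches CORE."""
    dst = frame[:6]
    return not (dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F)


def l2pt_ingress(frame: bytes) -> bytes:
    """L2PT-enabled user port on ACC1: replace the reserved PAE group MAC with the
    configured group MAC so the frame becomes an ordinary multicast frame."""
    if is_eapol(frame) and frame[:6] == EAPOL_PAE_GROUP_MAC:
        return L2PT_GROUP_MAC + frame[6:]
    return frame


def l2pt_egress(frame: bytes) -> bytes:
    """Last L2PT-enabled hop towards the authentication point: restore the
    original destination so CORE receives a standard EAPOL frame."""
    if is_eapol(frame) and frame[:6] == L2PT_GROUP_MAC:
        return EAPOL_PAE_GROUP_MAC + frame[6:]
    return frame


def tunnel_round_trip(frame: bytes) -> bytes:
    """ACC1 ingress -> bridged through AGG -> restored at the authentication point.
    The rewritten frame must be relayable by a plain bridge in between."""
    tunneled = l2pt_ingress(frame)
    if not plain_bridge_relays(tunneled):
        raise RuntimeError("rewritten frame would still be terminated by a bridge")
    return l2pt_egress(tunneled)


if __name__ == "__main__":
    # Source MAC constructed from the user1 entry shown later in display access-user.
    frame = build_eapol_start(bytes.fromhex("00e0fc123344"))
    print("plain bridge relays original EAPOL:", plain_bridge_relays(frame))
    print("plain bridge relays tunneled EAPOL:", plain_bridge_relays(l2pt_ingress(frame)))
    print("frame restored at authentication point:", tunnel_round_trip(frame) == frame)
```

The model also makes the precaution in the text concrete: if any switch on the path between the user and the 802.1X-enabled device lacks the rewrite (the `plain_bridge_relays` check on the original frame), the EAPOL exchange never starts and authentication cannot succeed.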

Step 5 Log in to iMaster NCE-Campus, add devices that need to communicate with
iMaster NCE-Campus, and configure RADIUS and Portal authentication
parameters.
Choose Admission > Admission Resources > Admission Device, click Create, and
add devices.
Figure 2-13 shows the procedure for adding an AC. The procedure for adding a
core switch is similar. Table 2-26 lists the parameters for communication between
iMaster NCE-Campus and the core switch and the AC.


Figure 2-13 Adding an AC


Table 2-26 Parameter settings for adding core switches and ACs on iMaster NCE-Campus

Parameter on iMaster NCE-Campus | Setting for Core Switches | Setting for ACs
Device name | CORE | AC
IP address | 192.168.100.1 | 192.168.20.1
RADIUS authentication parameter | On | On
Backup IP address | - | 192.168.20.2
Device series | Huawei Engine | Huawei Engine
Accounting key | YsHsjx_202206 | YsHsjx_202206
Authorization key | YsHsjx_202206 | YsHsjx_202206
Accounting interval (min) | 15 | 15
Portal authentication parameter | - | On
Portal protocol | - | Huawei Portal (Portal2.0)
Portal key | - | YsHsjx_202206
Terminal IP address list | - | 172.16.30.0/24, 172.16.40.0/24
Portal heartbeat verification | - | On
Portal authentication port | - | 2000

Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.
Choose Admission > Admission Resources > User Management.
Create a user group named employee and add users user1 and user2 to the user
group. Create a user group named guest and add the user guest4 to the user
group. Figure 2-14 shows the parameter settings for the user user1. The methods
for creating user2 and guest4 are similar.

Figure 2-14 Creating a user

Step 7 Enable MAC address-prioritized Portal authentication.


1. Choose Admission > Admission Policy > Online User Control. Configure a
Portal authentication-free policy, enable Portal authentication-free, and set
Portal Authentication-Free Period to 1 hour.
2. Assign the Portal authentication-free policy to the user group guest.


Figure 2-15 Configuring a Portal authentication-free policy

Step 8 Configure network access rights for successfully authenticated employees and
guests.
1. Choose Admission > Admission Policy > Authentication and Authorization.
Click the Authorization Result tab, click Create, and configure authorized
ACLs for employees and guests, respectively.
The ACL numbers must be the same as those configured on the
authentication control device.


Figure 2-16 Adding authorization ACLs for employees and guests

Table 2-27 Authorization results for employees and guests

Name | Authorization Parameter: ACL Number/AAA User Group
ACL3001 | 3001
ACL3002 | 3002

2. Choose Admission > Admission Policy > Authentication and Authorization.


Click the Authorization Rule tab and bind the authorization result to specify
resources accessible to employees and guests after successful authentication.
Figure 2-17 shows the authorization rules for wired employees. The
configuration methods of authorization rules for wireless employees and
guests are similar. Table 2-28 lists the authorization rules for employees and
guests.

Figure 2-17 Authorization rule for wired access of employees

Table 2-28 Authorization rules for employees and guests

Name | Authorization Condition: User Group | Authorization Result
Employee authorization rule-wired | employee | ACL3001
Employee authorization rule-wireless | employee | ACL3001
Guest authorization rule | guest | ACL3002

----End

Expected Results
1. The employees and guest can access only the authentication-free resources,
but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication.
2. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
3. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
4. Employees can communicate with each other, but cannot communicate with
the guest.

NOTE

When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
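The authorization ACLs 3001 and 3002 configured in Step 2 and Step 3, evaluated against one representative destination per segment of the data plan, as an added example that is not part of the Huawei configuration: it models Huawei wildcard-mask matching and first-match rule order and checks that the expected results above (employees reach the Internet, DNS server, service server and employee segments; guests reach only the Internet, DNS server and guest segment; the two groups cannot reach each other) actually follow from the rules. The rule text is copied from the configuration; the host addresses other than those on the page (172.16.3.1, 192.168.100.2, 192.168.100.3, 192.168.100.100, 172.16.50.110) are constructed, and the assumption that rules match in ascending rule-ID order holds here because that is also the configuration order Huawei uses by default.

```python
"""Added example: evaluate the authorization ACLs from the configuration against
representative destinations and confirm the expected results hold."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rule text copied from ACL 3001 / ACL 3002 on CORE and CORE-AC1 (comments stripped).
ACL_3001_EMPLOYEE = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 192.168.100.3 0.0.0.0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip destination any
"""
ACL_3002_GUEST = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip destination any
"""

# Constructed representative destinations, one per segment of the data plan.
# 172.16.3.1, 192.168.100.2/3/100 and 172.16.50.110 appear on the page; the rest are made up.
HOSTS: Dict[str, str] = {
    "internet (campus egress)": "172.16.3.1",
    "dns server": "192.168.100.2",
    "service server": "192.168.100.3",
    "special server": "192.168.100.100",
    "employee wireless (VLAN 30)": "172.16.30.5",
    "employee wired AGG1 (VLAN 50)": "172.16.50.110",
    "employee wired AGG2 (VLAN 60)": "172.16.60.7",
    "guest wireless (VLAN 40)": "172.16.40.9",
}


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str          # "permit" or "deny"
    dst: Optional[int]   # destination as a 32-bit int, None for "any"
    wildcard: int        # Huawei wildcard: 0 bits must match, 1 bits are don't-care


def parse_acl(text: str) -> List[AclRule]:
    """Parse 'rule N permit|deny ip destination <addr> <wildcard>' or '... destination any'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "rule" or tok[3:5] != ["ip", "destination"]:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule_id, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {line!r}")
        if tok[5] == "any":
            rules.append(AclRule(rule_id, action, None, 0xFFFFFFFF))
        else:
            if len(tok) < 7:
                raise ValueError(f"missing wildcard: {line!r}")
            dst = int(ipaddress.IPv4Address(tok[5]))
            wild = int(ipaddress.IPv4Address(tok[6]))
            rules.append(AclRule(rule_id, action, dst, wild))
    # Assumption: rules are matched in ascending rule-ID order, which here equals
    # the configuration order that Huawei uses by default (match-order config).
    return sorted(rules, key=lambda r: r.rule_id)


def rule_matches(rule: AclRule, dst_ip: str) -> bool:
    """Wildcard match: every bit that is 0 in the wildcard must equal the rule's address."""
    if rule.dst is None:
        return True
    care = 0xFFFFFFFF ^ rule.wildcard
    return (int(ipaddress.IPv4Address(dst_ip)) & care) == (rule.dst & care)


def evaluate(rules: List[AclRule], dst_ip: str) -> str:
    """Return the action of the first matching rule. Both ACLs on the page end in an
    explicit 'deny ip destination any', so the fallback (assumed deny) is never reached."""
    for rule in rules:
        if rule_matches(rule, dst_ip):
            return rule.action
    return "deny"


def access_matrix(rules: List[AclRule], hosts: Dict[str, str] = HOSTS) -> Dict[str, str]:
    """Decision per representative destination, for a quick policy review."""
    return {name: evaluate(rules, ip) for name, ip in hosts.items()}


def groups_isolated(emp_rules: List[AclRule], guest_rules: List[AclRule]) -> bool:
    """Expected result 4: neither ACL permits traffic into the other group's segments.
    The ACLs filter on destination only, so this is the complete check."""
    emp_segments = [k for k in HOSTS if k.startswith("employee")]
    return (evaluate(emp_rules, HOSTS["guest wireless (VLAN 40)"]) == "deny"
            and all(evaluate(guest_rules, HOSTS[k]) == "deny" for k in emp_segments))


if __name__ == "__main__":
    emp, guest = parse_acl(ACL_3001_EMPLOYEE), parse_acl(ACL_3002_GUEST)
    for name, decision in access_matrix(emp).items():
        print(f"employee -> {name:32s} {decision}")
    for name, decision in access_matrix(guest).items():
        print(f"guest    -> {name:32s} {decision}")
    print("employee/guest isolation holds:", groups_isolated(emp, guest))
```

The matrix also shows what the page's data plan implies but does not state outright: the special server 192.168.100.100 is reachable by neither group, because the last rule of each ACL denies everything that earlier rules did not permit.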

Verifying the Configuration


1. Verify that the employees and guest can access only the authentication-free
resources, but not resources in post-authentication domains, before they are
authenticated or when they fail the authentication. The following uses wired
access of an employee as an example.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on CORE to view information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[CORE] display access-user
------------------------------------------------------------------------------------------------------
UserID    Username    IP address        MAC               Status
------------------------------------------------------------------------------------------------------
114337    user1       172.16.50.110     00e0-fc12-3344    Pre-authen
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1

# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253
Reply from 192.168.100.2: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.100.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation fails.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

2. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on CORE and CORE-AC1 to view information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
[CORE] display access-user
------------------------------------------------------------------------------------------------------
UserID    Username    IP address        MAC               Status
------------------------------------------------------------------------------------------------------
115318    user1       172.16.50.110     00e0-fc12-3344    Success
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
[CORE-AC1] display access-user
------------------------------------------------------------------------------------------------------
UserID    Username    IP address        MAC               Status
------------------------------------------------------------------------------------------------------
16401     guest4      172.16.40.210     00e0-fc12-3355    Success
32788     user2       172.16.30.165     00e0-fc12-3366    Success
------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

# Run the display access-user username user1 detail command on CORE to
view detailed authentication and authorization information of user1.
[CORE] display access-user username user1 detail

Basic:
  User ID                        : 115318
  User name                      : user1
  Domain-name                    : huawei.com
  User MAC                       : 00e0-fc12-3344
  User IP address                : 172.16.50.110
  User vpn-instance              : -
  User IPv6 address              : FE80::E9AA:9FE9:95F9:C499
  User IPv6 link local address   : FE80::E9AA:9FE9:95F9:C499
  User access Interface          : Eth-Trunk10
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/50
  User vlan source               : user request
  User access time               : 2019/11/26 11:08:16
  User accounting session ID     : CORE002100000000506e****0304276
  User access type               : 802.1x
  Terminal Device Type           : Data Terminal
  Dynamic ACL ID(Effective)      : 3001

AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1

# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on CORE-AC1 to view detailed
authentication and authorization information of user2 and guest4.
[CORE-AC1] display access-user username user2 detail

Basic:
  User ID                        : 32788
  User name                      : user2
  User MAC                       : 00e0-fc12-3366
  User IP address                : 172.16.30.165
  User vpn-instance              : -
  User IPv6 address              : -
  User access Interface          : Wlan-Dbss17496
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/30
  User vlan source               : user request
  User access time               : 2019/11/26 21:22:53
  User accounting session ID     : CORE-AC00000000000030f0****0200014
  User accounting mult session ID: AC853DA6A42038CADA5E441A5DDD9****690329A
  User access type               : 802.1x
  AP name                        : area_1
  Radio ID                       : 0
  AP MAC                         : 00e0-fc12-6660
  SSID                           : Employee
  Online time                    : 494(s)
  Dynamic ACL ID(Effective)      : 3001
  User Group Priority            : 0

AAA:
  User authentication type       : 802.1x authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
[CORE-AC1] display access-user username guest4 detail

Basic:
  User ID                        : 16401
  User name                      : guest4
  User MAC                       : 00e0-fc12-3355
  User IP address                : 172.16.40.210
  User vpn-instance              : -
  User IPv6 address              : -
  User access Interface          : Wlan-Dbss17497
  User vlan event                : Success
  QinQVlan/UserVlan              : 0/40
  User vlan source               : user request
  User access time               : 2019/11/26 21:25:05
  User accounting session ID     : CORE-AC000000000000401c****0100011
  User accounting mult session ID: AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
  User access type               : WEB
  AP name                        : area_1
  Radio ID                       : 0
  AP MAC                         : 00e0-fc12-6660
  SSID                           : Guest
  Online time                    : 421(s)
  Web-server IP address          : 192.168.100.10
  Dynamic ACL ID(Effective)      : 3002
  User Group Priority            : 0

AAA:
  User authentication type       : WEB authentication
  Current authentication method  : RADIUS
  Current authorization method   : -
  Current accounting method      : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
3. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253
Reply from 192.168.100.2: bytes=32 time=1ms TTL=253

Ping statistics for 192.168.100.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3

Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253
Reply from 192.168.100.3: bytes=32 time=1ms TTL=253

Ping statistics for 192.168.100.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254
Reply from 172.16.3.1: bytes=32 time<1ms TTL=254

Ping statistics for 172.16.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>
# On PC1, ping a resource denied in the post-authentication domain, for
example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
4. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.165

Pinging 172.16.30.165 with 32 bytes of data:
Reply from 172.16.30.165: bytes=32 time=175ms TTL=62
Reply from 172.16.30.165: bytes=32 time=60ms TTL=62
Reply from 172.16.30.165: bytes=32 time=81ms TTL=62
Reply from 172.16.30.165: bytes=32 time=102ms TTL=62

Ping statistics for 172.16.30.165:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 175ms, Average = 104ms

C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.40.210

Pinging 172.16.40.210 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.40.210:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
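The reachability results in steps 1, 3 and 4 follow from free-rule-template default_free_rule and the dynamic ACLs (3001 for employees, 3002 for guests) listed in the Configuration Scripts below. The following Python model is an added example, not Huawei's code: it parses those rules as they appear in the scripts and reproduces each ping result; the wildcard-mask reading and the default-deny fall-through are the model's assumptions.

```python
# Added example, not Huawei code: a model of the access decisions checked in
# the verification steps.  ACL 3001, ACL 3002 and free-rule-template
# default_free_rule are copied from the Configuration Scripts; the matching
# semantics are this model's assumptions about how the switch applies them.
import ipaddress
from typing import List, NamedTuple, Optional

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

class AclRule(NamedTuple):
    action: str           # "permit" or "deny"
    dest: Optional[str]   # destination address; None matches any destination
    wildcard: int         # Huawei wildcard mask: a 1 bit means "don't care"

    def matches(self, dst: str) -> bool:
        if self.dest is None:
            return True
        care = ~self.wildcard & 0xFFFFFFFF
        return (_ip(dst) & care) == (_ip(self.dest) & care)

def parse_acl(text: str) -> List[AclRule]:
    """Parse 'rule N permit|deny ip [destination ADDR WILDCARD]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "rule" or tok[3] != "ip":
            raise ValueError(f"unsupported rule: {line}")
        if "destination" in tok:
            i = tok.index("destination")
            # The scripts write a host match as a bare "0" wildcard; expand it
            # to 0.0.0.0 so that every address bit must match.
            wc = tok[i + 2]
            rules.append(AclRule(tok[2], tok[i + 1], 0 if wc == "0" else _ip(wc)))
        else:
            rules.append(AclRule(tok[2], None, 0xFFFFFFFF))
    return rules

class FreeRule(NamedTuple):
    dest: Optional[str]       # "destination ip ADDR mask MASK" form
    mask: int                 # subnet mask: 1 bits must match (not a wildcard)
    src_vlan: Optional[int]   # "source vlan N" form

    def matches(self, src_vlan: int, dst: str) -> bool:
        if self.src_vlan is not None:
            return src_vlan == self.src_vlan
        return (_ip(dst) & self.mask) == (_ip(self.dest) & self.mask)

def parse_free_rules(text: str) -> List[FreeRule]:
    """Parse the two free-rule forms used in default_free_rule."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2:4] == ["destination", "ip"]:
            rules.append(FreeRule(tok[4], _ip(tok[6]), None))
        elif tok[2:4] == ["source", "vlan"]:
            rules.append(FreeRule(None, 0, int(tok[4])))
        else:
            raise ValueError(f"unsupported free rule: {line}")
    return rules

ACL_3001 = parse_acl("""
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
""")
ACL_3002 = parse_acl("""
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
""")
FREE_RULES = parse_free_rules("""
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
""")

def access_allowed(status: str, src_vlan: int, dst: str,
                   dynamic_acl: List[AclRule]) -> bool:
    """Decide whether a user's packet to dst is forwarded.

    status is the Status column of 'display access-user' ("Pre-authen" or
    "Success"); dynamic_acl is the ACL shown as 'Dynamic ACL ID(Effective)'
    for that user (3001 for employees, 3002 for guests).
    """
    # Authentication-free resources stay reachable before and after login.
    if any(fr.matches(src_vlan, dst) for fr in FREE_RULES):
        return True
    if status != "Success":
        return False           # nothing else is reachable before authentication
    for rule in dynamic_acl:   # the first matching rule decides
        if rule.matches(dst):
            return rule.action == "permit"
    return False               # assumed default; both ACLs end in "deny ip" anyway
```

For the wired employee PC1 (VLAN 50, ACL 3001), access_allowed("Pre-authen", 50, "172.16.3.1", ACL_3001) is False while the same call with "Success" is True, and 192.168.100.100 and the guest address 172.16.40.210 stay False after login, matching the ping results above.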

Configuration Scripts
● CORE
#
sysname CORE
#
vlan batch 20 30 40 50 60 1000
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#P&%q-,!CC~Ng<^1w;LT:NQj&B.*@a~V.Zi+<pA0H%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#x`c[=x{ot~7c@T@8fMb'+lGz74$gT6:Kc/DZ1K5Z%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
description con to CORE-AC1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk2
description con to CORE-AC2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface Eth-Trunk10
description con to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface Eth-Trunk20
description con to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
authentication-profile p1
mode lacp
#
interface Eth-Trunk30
description con to Internet
undo portswitch
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/3
eth-trunk 1
#
interface XGigabitEthernet1/1/0/4
eth-trunk 2
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/3
eth-trunk 1
#
interface XGigabitEthernet2/1/0/4
eth-trunk 2
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
dot1x-access-profile name d1
#
return

● CORE-AC1
#
sysname CORE-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 1
#
interface XGigabitEthernet0/0/22
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.1 peer-ip 172.16.100.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.2 local-ip ip-address 172.16.100.1 psk %^%#5Vh&+;LCyDdLEV1gGJuP}9l(9W&u!+uHt";5T#yM%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● CORE-AC2
#
sysname CORE-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 40 100
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 40
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#!XJ(Vgk2'$xrU{5H..g"f)`<ELF*e${j(A>B~f<%%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#Kc8XWx+M%F{rpFQ:w[v>Ay]0A*xcqV{@CP0}M3<*%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.50.0 0.0.0.255
rule 6 permit ip destination 172.16.60.0 0.0.0.255
rule 7 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.40.0 0.0.0.255
rule 4 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#pn3AB{kK:VEVrlUe=YR2a3^q@I<~,7&Pxc&hP|^;%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif100
ip address 172.16.100.2 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 40
mode lacp
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface XGigabitEthernet0/0/21
eth-trunk 2
#
interface XGigabitEthernet0/0/22
eth-trunk 2
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.20
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.100.2 peer-ip 172.16.100.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif20
master-redundancy peer-ip ip-address 172.16.100.1 local-ip ip-address 172.16.100.2 psk %^%#QKK0'nRL%0U`y32S6bOSB40e=FJE^Lbs7.A]x)QQ%^%#
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

● AGG1
#
sysname AGG1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 30
#
interface 10GE2/0/3
eth-trunk 30
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE2/0/1
eth-trunk 10
#
return

● AGG2
#
sysname AGG2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk20
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
port-isolate enable group 1
#
interface 10GE1/0/3
eth-trunk 40
#
interface 10GE2/0/3
eth-trunk 40
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE2/0/1
eth-trunk 20
#
return

● ACC1
#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface 10GE1/0/1
eth-trunk 30
#
interface 10GE1/0/2
eth-trunk 30
#
interface GE1/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

● ACC2
#
sysname ACC2
#
vlan batch 20 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface 10GE1/0/1
eth-trunk 40
#
interface 10GE1/0/2
eth-trunk 40
#
interface GE1/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GE1/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

2.2.2.3 Standalone AC + NAC Solution: Aggregation Switches and ACs
Function as the Authentication Points for Wired and Wireless Users
Respectively

Networking Requirements
Core switches set up a CSS that functions as the core of the entire campus
network to enhance network reliability and maximize forwarding performance.
Aggregation switches set up stacks to implement device-level backup and increase
the port density and forwarding bandwidth. Standalone ACs are deployed in off-
path mode. They centrally manage APs on the entire network.

In this example, aggregation switches function as the gateways and
authentication points for wired users. Standalone ACs function as the gateways
and authentication points for wireless users. The wired and wireless users can
access the network only after being authenticated. The specific requirements are
as follows:

● Users include employees (wired and wireless) who use 802.1X authentication
and guests (wireless only) who use MAC address-prioritized Portal
authentication.
● iMaster NCE-Campus functions as both the authentication server and user
service data source server.
● iMaster NCE-Campus delivers ACLs for authorization of successfully
authenticated users to control network access rights of these users of
different roles.
● Port isolation needs to be configured on access switches to control Layer 2
traffic of users.

Figure 2-18 Aggregation switches and standalone ACs functioning as the
authentication points for wired and wireless users respectively

Device Requirements and Versions

Location                Device Requirement   Device Used in This Example   Version Used in This Example
Authentication server   -                    iMaster NCE-Campus            V300R022C10SPC100
Core layer              -                    S12700E                       V200R022C10
Aggregation layer       -                    S6730-H-V2                    V600R022C10
Access layer            -                    S5735-L-V2
AC                      -                    AC9700-M1                     V200R022C10
AP                      -                    AirEngine 8760-X1-PRO

Deployment Roadmap

Step                                      Deployment Roadmap

Enable campus network connectivity.       1. For details, see 2.2.1.7 Standalone AC Solution:
                                          Aggregation Switches and ACs Function as the Gateways for
                                          Wired and Wireless Users Respectively.

Configure aggregation switches and ACs.   2. Configure AAA, including configuring a RADIUS server
                                          template, AAA schemes, and authentication domains, as
                                          well as configuring parameters for interconnection between
                                          switches and the RADIUS server.
                                          3. Configure resources accessible to users before they are
                                          authenticated (referred to as authentication-free
                                          resources), and network access rights to be granted to
                                          successfully authenticated employees and guests.
                                          4. Configure 802.1X authentication for employees.
                                          5. (Required only on ACs) Configure MAC address-
                                          prioritized Portal authentication for guests.

Configure access switches.                6. Configure Layer 2 Protocol Tunneling for 802.1X
                                          authentication packets.

Configure iMaster NCE-Campus.             7. Add devices that need to communicate with iMaster
                                          NCE-Campus, and configure RADIUS and Portal
                                          authentication parameters.
                                          8. Add user groups and user accounts.
                                          9. Enable MAC address-prioritized Portal authentication.
                                          10. Configure network access rights for successfully
                                          authenticated employees and guests.

Data Plan

Table 2-29 Service data plan for core switches

Item | VLAN ID | Network Segment
Network segment for connecting to the Internet | - | 172.16.3.0/24
Network segment for communication with AGG1 | VLAN 70 | 172.16.70.0/24
Network segment for communication with AGG2 | VLAN 80 | 172.16.80.0/24
Network segment for communication with servers | VLAN 1000 | 192.168.100.0/24

Table 2-30 Service data plan for aggregation switches

Device | Item | VLAN ID | Network Segment
AGG1 | Management VLAN for APs | VLAN 20 | 192.168.20.0/24
AGG1 | Service VLANs for wireless users | VLAN 30 (employee) | 172.16.30.0/24
AGG1 | Service VLANs for wireless users | VLAN 31 (guest) | 172.16.31.0/24
AGG1 | Service VLAN for wired users | VLAN 50 | 172.16.50.0/24
AGG1 | Network segment for communication with CORE | VLAN 70 | 172.16.70.0/24
AGG2 | Management VLAN for APs | VLAN 21 | 192.168.21.0/24
AGG2 | Service VLANs for wireless users | VLAN 40 (employee) | 172.16.40.0/24
AGG2 | Service VLANs for wireless users | VLAN 41 (guest) | 172.16.41.0/24
AGG2 | Service VLAN for wired users | VLAN 60 | 172.16.60.0/24
AGG2 | Network segment for communication with CORE | VLAN 80 | 172.16.80.0/24

Table 2-31 Wireless service data plan for ACs

Item | Employee | Guest
Traffic profile | traff: The user isolation mode is Layer 2 isolation and Layer 3 communication. (applies to both)
Security profiles | sec1: WPA/WPA2-802.1X authentication | sec2: open system authentication (default security policy)
SSID profiles | ssid1 (SSID: Employee) | ssid2 (SSID: Guest)
AP groups | ap-group1 and ap-group2 (applies to both)
Regulatory domain profile | domain1 (applies to both)
Service data forwarding mode | Tunnel forwarding (applies to both)
VAP profiles | vap1 | vap2

Table 2-32 Authentication service data plan for aggregation switches and ACs

AAA schemes
● Authentication scheme for RADIUS authentication: auth
● Accounting scheme for RADIUS accounting: acco

RADIUS server
● RADIUS server template name: tem_rad
● IP addresses of the authentication, accounting, and authorization servers: 192.168.100.10
● Port number of the authentication server: 1812
● Port number of the accounting server: 1813
● Authentication and accounting keys: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Accounting interval: 15 minutes

Portal server
● Portal server template name: tem_portal
● IP address of the Portal server: 192.168.100.10
● Port number: 50200
● Shared key of the Portal server: YsHsjx_202206
● Portal server detection: enabled

802.1X access profile
● Name: d1
● Authentication mode: EAP

Portal access profile
● Name: web1

MAC access profile
● Name: mac1

Authentication-free resources
● DNS server: 192.168.100.2

Network access rights for successfully authenticated users
● Employees: Internet, DNS server, service server, and network segments of employees
● Guests: Internet, DNS server, and network segments of guests
The IP addresses of the service server, special server, and campus egress device are 192.168.100.3, 192.168.100.100, and 172.16.3.1, respectively.

Table 2-33 iMaster NCE-Campus service data plan

User accounts (user name/password)
● Employees: user1/YsHsjx_202206, user2/YsHsjx_202206
● Guest: guest4/YsHsjx_202206

Device IP addresses
● AGG1: 172.16.70.2
● AGG2: 172.16.80.2
● AGG-AC1: 192.168.20.1 (IP address of the backup AC: 192.168.20.2)
● AGG-AC3: 192.168.21.1 (IP address of the backup AC: 192.168.21.2)

RADIUS authentication parameter
● Device series: Huawei Engine
● Authentication and accounting keys: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Real-time accounting interval: 15 minutes

Portal authentication parameter
● Portal key: YsHsjx_202206
● IP address list of access terminals (AGG-AC1): 172.16.30.0/24, 172.16.31.0/24
● IP address list of access terminals (AGG-AC3): 172.16.40.0/24, 172.16.41.0/24

Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Interfaces need to
transparently transmit packets from specific VLANs, instead of all VLANs,
based on actual service requirements.
● In direct forwarding mode, it is recommended that different VLANs be used as
the management VLAN and service VLAN. If you do not follow this
recommendation, services may be interrupted, which can be illustrated with
the following example: If a VLAN is configured as both the management
VLAN and service VLAN, and the interface connecting a switch to an AP has
the management VLAN ID as the PVID, downstream packets in the service
VLAN are terminated when going out from the switch. In this case, services
are interrupted.
● In direct forwarding mode, service packets from APs are not encapsulated in
CAPWAP tunnels, but are directly forwarded to the upper-layer network.
Because of this, service packets and management packets can be transmitted
properly only if the network between APs and the upper-layer network is
added to the service VLAN and the network between ACs and APs is added to
the management VLAN.
● WLAN service configurations (for example, WMM profile, radio profile, radio,
traffic profile, security profile, security policy, and WLAN ID) of the AP
associated with the master and backup ACs must be consistent on the two
ACs; otherwise, user services may be affected after a master/backup
switchover between the ACs.
● The models and software versions of the master and backup ACs must be the
same.
● When deploying the DHCP server in the scenario where VRRP HSB is
configured, be aware of the following guidelines:
– In V200R019C00 and later versions, there is no restriction on which
interface to enable the DHCP server function. Only the master AC
allocates IP addresses, and IP address allocation information will be
synchronized to the backup AC.
– The IP address pools configured on the master and backup ACs must be
the same. If they are different, data backup between the master and
backup ACs will fail.
– Run the hsb-service-type dhcp hsb-group group-index command to
bind the DHCP service to the HSB group. If you do not perform this
operation, IP address allocation information cannot be backed up from
the master AC to the backup AC.

Procedure
Step 1 Enable campus network connectivity. For details, see 2.2.1.7 Standalone AC
Solution: Aggregation Switches and ACs Function as the Gateways for Wired
and Wireless Users Respectively.
# Configure the network segment for CORE to connect to the Internet.
<CORE> system-view
[CORE] interface Eth-Trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] description con to Internet
[CORE-Eth-Trunk30] trunkport xgigabitethernet 1/1/0/5
[CORE-Eth-Trunk30] trunkport xgigabitethernet 2/1/0/5
[CORE-Eth-Trunk30] undo portswitch
[CORE-Eth-Trunk30] ip address 172.16.3.1 24
[CORE-Eth-Trunk30] quit
[CORE] ospf
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

Step 2 Configure the authentication service on aggregation switches. The following uses
AGG1 as an example. The configuration of AGG2 is similar to that of AGG1.


1. Configure AAA parameters.


# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between an aggregation switch and the
RADIUS server, including the IP addresses, port numbers, authentication key,
and accounting key of the RADIUS authentication and accounting servers.
<AGG1> system-view
[AGG1] radius-server template tem_rad
[AGG1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[AGG1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.


[AGG1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206

# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[AGG1] aaa
[AGG1-aaa] authentication-scheme auth
[AGG1-aaa-authen-auth] authentication-mode radius
[AGG1-aaa-authen-auth] quit
[AGG1-aaa] accounting-scheme acco
[AGG1-aaa-accounting-acco] accounting-mode radius
[AGG1-aaa-accounting-acco] accounting realtime 15
[AGG1-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes and the RADIUS server template to this domain.
[AGG1-aaa] domain huawei.com
[AGG1-aaa-domain-huawei.com] authentication-scheme auth
[AGG1-aaa-domain-huawei.com] accounting-scheme acco
[AGG1-aaa-domain-huawei.com] radius-server tem_rad
[AGG1-aaa-domain-huawei.com] quit
[AGG1-aaa] quit

2. Configure authentication-free resources and network access rights for successfully authenticated employees.
# Configure authentication-free resources to allow packets destined for the
DNS server and packets from the AP management VLAN to pass through.
[AGG1] free-rule-template name default_free_rule
[AGG1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG1-free-rule-default_free_rule] free-rule 2 source vlan 20
[AGG1-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other.
[AGG1] acl 3001
[AGG1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow employees to access the Internet after being authenticated.
[AGG1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow employees to access the DNS server after being authenticated.
[AGG1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0 //Allow employees to access the service server after being authenticated.
[AGG1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255 //Allow employees to communicate with each other.
[AGG1-acl-adv-3001] rule 8 deny ip destination any
[AGG1-acl-adv-3001] quit


3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[AGG1] dot1x-access-profile name d1
[AGG1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[AGG1] authentication-profile name p1
[AGG1-authen-profile-p1] dot1x-access-profile d1
[AGG1-authen-profile-p1] access-domain huawei.com force //Configure the domain huawei.com as a forcible domain.
[AGG1-authen-profile-p1] quit

# Configure 802.1X authentication for wired access of employees on downlink interfaces.
[AGG1] interface Eth-Trunk 30
[AGG1-Eth-Trunk30] authentication-profile p1
[AGG1-Eth-Trunk30] quit

Step 3 Configure the authentication service on ACs. The following uses AGG-AC1 as an
example. The configurations of other ACs are similar to that of AGG-AC1.
1. Configure AAA parameters.
# Configure the RADIUS server template tem_rad, and configure the
parameters for interconnection between ACs and the RADIUS server, including
the IP addresses, port numbers, authentication key, and accounting key of the
RADIUS authentication and accounting servers.
<AGG-AC1> system-view
[AGG-AC1] radius-server template tem_rad
[AGG-AC1-radius-tem_rad] radius-server authentication 192.168.100.10 1812
[AGG-AC1-radius-tem_rad] radius-server accounting 192.168.100.10 1813
[AGG-AC1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[AGG-AC1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.


[AGG-AC1] radius-server authorization 192.168.100.10 shared-key cipher YsHsjx_202206

# Configure an AAA authentication scheme and an AAA accounting scheme, set the authentication and accounting modes to RADIUS, and set the accounting interval to 15 minutes.
[AGG-AC1] aaa
[AGG-AC1-aaa] authentication-scheme auth
[AGG-AC1-aaa-authen-auth] authentication-mode radius
[AGG-AC1-aaa-authen-auth] quit
[AGG-AC1-aaa] accounting-scheme acco
[AGG-AC1-aaa-accounting-acco] accounting-mode radius
[AGG-AC1-aaa-accounting-acco] accounting realtime 15
[AGG-AC1-aaa-accounting-acco] quit

2. Configure authentication-free resources and network access rights for successfully authenticated users.
# Configure authentication-free resources to allow packets destined for the
DNS server to pass through.
[AGG-AC1] free-rule-template name default_free_rule
[AGG-AC1-free-rule-default_free_rule] free-rule 1 destination ip 192.168.100.2 mask 32
[AGG-AC1-free-rule-default_free_rule] quit

# Configure network access rights for successfully authenticated employees to allow them to access the Internet, DNS server, and service server and to communicate with each other.

NOTE

ACL rules for wireless users are delivered to APs. Therefore, the APs must permit
network segments of wireless users and all the network segments that wireless users
can access. Otherwise, all packets of wireless users are discarded on APs even if the
users are successfully authenticated.
[AGG-AC1] acl 3001
[AGG-AC1-acl-adv-3001] rule 1 permit ip destination 172.16.3.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 2 permit ip destination 192.168.100.2 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 3 permit ip destination 192.168.100.3 0.0.0.0
[AGG-AC1-acl-adv-3001] rule 4 permit ip destination 172.16.30.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 5 permit ip destination 172.16.40.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 6 permit ip destination 172.16.50.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 7 permit ip destination 172.16.60.0 0.0.0.255
[AGG-AC1-acl-adv-3001] rule 8 deny ip destination any
[AGG-AC1-acl-adv-3001] quit

# Configure network access rights for successfully authenticated guests to allow them to access the Internet and DNS server and to communicate with each other.
[AGG-AC1] acl 3002
[AGG-AC1-acl-adv-3002] rule 1 permit ip destination 172.16.3.0 0.0.0.255 //Allow guests to access the Internet after being authenticated.
[AGG-AC1-acl-adv-3002] rule 2 permit ip destination 192.168.100.2 0.0.0.0 //Allow guests to access the DNS server after being authenticated.
[AGG-AC1-acl-adv-3002] rule 3 permit ip destination 172.16.31.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 4 permit ip destination 172.16.41.0 0.0.0.255 //Allow guests to communicate with each other.
[AGG-AC1-acl-adv-3002] rule 5 deny ip destination any
[AGG-AC1-acl-adv-3002] quit

3. Configure 802.1X authentication for employees.


# Configure an 802.1X access profile. By default, an 802.1X access profile uses
EAP authentication. Ensure that the RADIUS server supports EAP; otherwise,
the RADIUS server cannot process 802.1X authentication requests.
[AGG-AC1] dot1x-access-profile name d1
[AGG-AC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for employees.


[AGG-AC1] authentication-profile name p1
[AGG-AC1-authen-profile-p1] dot1x-access-profile d1
[AGG-AC1-authen-profile-p1] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p1] authentication-scheme auth
[AGG-AC1-authen-profile-p1] accounting-scheme acco
[AGG-AC1-authen-profile-p1] radius-server tem_rad
[AGG-AC1-authen-profile-p1] quit

# Configure a security policy for wireless access of employees.


[AGG-AC1] wlan
[AGG-AC1-wlan-view] security-profile name sec1
[AGG-AC1-wlan-sec-prof-sec1] security wpa2 dot1x aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-sec-prof-sec1] quit

# Configure 802.1X authentication for wireless access of employees.


[AGG-AC1-wlan-view] vap-profile name vap1
[AGG-AC1-wlan-vap-prof-vap1] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap1] quit
[AGG-AC1-wlan-view] quit

4. Configure MAC address-prioritized Portal authentication for guests.


# Configure a Portal server template. Configure parameters for
interconnection between the AC and Portal server, including the IP address
and port number of the Portal server, Portal key, and URL of the Portal page.

[AGG-AC1] web-auth-server tem_portal
[AGG-AC1-web-auth-server-tem_portal] server-ip 192.168.100.10
[AGG-AC1-web-auth-server-tem_portal] port 50200
[AGG-AC1-web-auth-server-tem_portal] shared-key cipher YsHsjx_202206
[AGG-AC1-web-auth-server-tem_portal] url http://192.168.100.10:8080/portal
[AGG-AC1-web-auth-server-tem_portal] server-detect interval 100 max-times 5 critical-num 0 action log //Enable the Portal server detection function so that you can learn the Portal server status in real time and users can still access the network even if the Portal server is faulty. Note that the value of interval must be greater than or equal to 15, in seconds; the recommended value is 100.
[AGG-AC1-web-auth-server-tem_portal] quit

# Configure a Portal access profile.


[AGG-AC1] portal-access-profile name web1
[AGG-AC1-portal-acces-profile-web1] web-auth-server tem_portal direct
[AGG-AC1-portal-acces-profile-web1] quit

# Configure a MAC access profile.


[AGG-AC1] mac-access-profile name mac1
[AGG-AC1-mac-access-profile-mac1] quit

# Configure an authentication profile for guests.


[AGG-AC1] authentication-profile name p2
[AGG-AC1-authen-profile-p2] portal-access-profile web1
[AGG-AC1-authen-profile-p2] mac-access-profile mac1
[AGG-AC1-authen-profile-p2] free-rule-template default_free_rule
[AGG-AC1-authen-profile-p2] authentication-scheme auth
[AGG-AC1-authen-profile-p2] accounting-scheme acco
[AGG-AC1-authen-profile-p2] radius-server tem_rad
[AGG-AC1-authen-profile-p2] quit

# Configure MAC address-prioritized Portal authentication for guests.


[AGG-AC1] wlan
[AGG-AC1-wlan-view] vap-profile name vap2
[AGG-AC1-wlan-vap-prof-vap2] authentication-profile p2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AGG-AC1-wlan-vap-prof-vap2] quit
[AGG-AC1-wlan-view] quit

Step 4 Configure Layer 2 Protocol Tunneling for 802.1X authentication packets on the
access switch. The following uses ACC1 as an example. The configuration of ACC2
is similar to that of ACC1.
# Enable this function on all interfaces through which 802.1X authentication
packets pass. If a switch does not support the bpdu enable command, you only
need to run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on its interface.
<ACC1> system-view
[ACC1] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 00e0-fc02-0003 group-mac 00e0-fc00-0002
[ACC1] interface Eth-Trunk 30
[ACC1-Eth-Trunk30] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 1/0/3
[ACC1-GigabitEthernet1/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet1/0/3] quit
[ACC1] interface gigabitethernet 1/0/4
[ACC1-GigabitEthernet1/0/4] l2protocol-tunnel user-defined-protocol 802.1x enable
[ACC1-GigabitEthernet1/0/4] quit

Step 5 Log in to iMaster NCE-Campus, add devices that need to communicate with
iMaster NCE-Campus, and configure RADIUS and Portal authentication
parameters.
Choose Admission > Admission Resources > Admission Device, click Create, and
add devices.


Figure 2-19 shows the procedure for adding an AC. The procedure for adding an
aggregation switch is similar. Table 2-34 lists the parameters for communication
between iMaster NCE-Campus and aggregation switches as well as ACs.

Figure 2-19 Adding an AC


Table 2-34 Parameter settings for adding aggregation switches and ACs on iMaster NCE-Campus

Device name and IP address
● Aggregation switches: AGG1: 172.16.70.2; AGG2: 172.16.80.2
● ACs: AGG-AC1: 192.168.20.1 (IP address of the backup AC: 192.168.20.2); AGG-AC3: 192.168.21.1 (IP address of the backup AC: 192.168.21.2)

RADIUS authentication parameter: On
Device series: Huawei Engine
Accounting key: YsHsjx_202206
Authorization key: YsHsjx_202206
Real-time accounting interval (minute): 15

Portal authentication parameter: - (aggregation switches); On (ACs)
Portal protocol: Huawei Portal (Portal2.0)
Portal key: YsHsjx_202206
Terminal IP address list
● AGG-AC1: 172.16.30.0/24;172.16.31.0/24
● AGG-AC3: 172.16.40.0/24;172.16.41.0/24
Portal heartbeat verification: On
Portal authentication port: 2000

Step 6 Add user groups and user accounts. The following describes how to create an
employee group and an employee account. The procedure for creating a guest
group and a guest account is similar.

Choose Admission > Admission Resources > User Management.

Create a user group named employee and add users user1 and user2 to the user
group. Create a user group named guest and add the user guest4 to the user
group. Figure 2-20 shows the parameter settings for the user user1. The methods
for creating user2 and guest4 are similar.

Figure 2-20 Creating a user


Step 7 Enable MAC address-prioritized Portal authentication.


1. Choose Admission > Admission Policy > Online User Control. Configure a
Portal authentication-free policy, enable Portal authentication-free, and set
Portal Authentication-Free Period to 1 hour.
2. Assign the Portal authentication-free policy to the user group guest.

Figure 2-21 Configuring a Portal authentication-free policy

Step 8 Configure network access rights for successfully authenticated employees and
guests.
1. Choose Admission > Admission Policy > Authentication and Authorization.
Click the Authorization Result tab, click Create, and configure authorized
ACLs for employees and guests, respectively.
The ACL numbers must be the same as those configured on the
authentication control device.


Figure 2-22 Adding authorization ACLs for employees and guests


Table 2-35 Authorization results for employees and guests

Name | Authorization Parameter: ACL Number/AAA User Group
Post-authentication domain for employees | 3001
Post-authentication domain for guests | 3002

2. Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Rule tab and bind the authorization result to specify resources accessible to employees and guests after successful authentication. Figure 2-23 shows the authorization rules for wired employees. The configuration methods of authorization rules for wireless employees and guests are similar. Table 2-36 lists the authorization rules for employees and guests.

Figure 2-23 Authorization rules for wired access of employees


Table 2-36 Authorization rules for employees and guests

Name | Authorization Condition: User Group | Authorization Result
Employee authorization rule-wired | employee | ACL3001
Employee authorization rule-wireless | employee | ACL3001
Guest authorization rule | guest | ACL3002

----End

Expected Results
1. The employees and guest can be successfully authenticated and access the
network after selecting the correct access mode and entering the correct user
names and passwords.
2. After being authenticated, the employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains.
3. Employees can communicate with each other, but cannot communicate with
the guest.

NOTE

When a guest accesses the network for the first time, the guest can associate with the
WLAN Guest through a mobile terminal, and enter http://192.168.100.10:8080/portal in
the address box of a browser for Portal authentication. On the redirection page that is
displayed, the guest can enter the user name and password, and then is successfully
authenticated. If the guest disconnects from the WLAN and reconnects to the WLAN Guest
within 1 hour, MAC address-prioritized Portal authentication is triggered. The guest can
directly connect to the WLAN without entering the user name and password again.
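As an added check that is not part of the Huawei example, the following hypothetical Python helper replays ACL 3001 and ACL 3002 from the procedure above with the first-match semantics of an advanced ACL and confirms the isolation stated in the expected results before the ACLs are pushed; the sample host addresses are constructed.

```python
"""Offline check of the post-authentication ACL plan shown in this example.

Hypothetical helper, not Huawei or iMaster NCE-Campus code: it parses the
advanced ACL rule lines from the procedure (ACL 3001 for employees, ACL 3002
for guests), applies them in rule-number order with first-match semantics,
and confirms the segment isolation stated under Expected Results.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Rule lines copied from the ACL 3001 and ACL 3002 configuration above.
ACL_3001 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 192.168.100.3 0.0.0.0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip destination any
"""
ACL_3002 = """
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0.0.0.0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip destination any
"""

# Only the "rule N permit|deny ip destination ..." shape used on this page.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+destination\s+"
    r"(?:(any)|(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+))$"
)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    dest: ipaddress.IPv4Network  # "any" is stored as 0.0.0.0/0


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Invert a Huawei wildcard mask (0 bit = must match) into a netmask.

    Handing the wildcard straight to ipaddress would read 0.0.0.0 as a /0
    netmask; inverting it yields the intended single-host /32.
    """
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str) -> list[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule line: {line!r}")
        number, action, any_kw, addr, wildcard = m.groups()
        dest = ipaddress.IPv4Network("0.0.0.0/0") if any_kw else wildcard_to_network(addr, wildcard)
        rules.append(Rule(int(number), action, dest))
    return sorted(rules, key=lambda r: r.number)  # the device matches in rule-number order


def is_permitted(rules: list[Rule], dst: str) -> Optional[bool]:
    """First matching rule wins; None means no rule matched, i.e. a gap in the plan."""
    ip = ipaddress.IPv4Address(dst)
    for rule in rules:
        if ip in rule.dest:
            return rule.action == "permit"
    return None


def check_isolation() -> dict[str, bool]:
    """Encode the Expected Results as named checks; every value should be True."""
    employees, guests = parse_acl(ACL_3001), parse_acl(ACL_3002)
    # Constructed sample hosts, one per employee and per guest service segment.
    employee_hosts = ["172.16.30.97", "172.16.40.20", "172.16.50.216", "172.16.60.20"]
    guest_hosts = ["172.16.31.165", "172.16.41.20"]
    shared = ["172.16.3.1", "192.168.100.2"]  # campus egress device and DNS server
    both = (employees, guests)
    return {
        "employees reach employee segments": all(is_permitted(employees, h) for h in employee_hosts),
        "employees cannot reach guest segments": all(is_permitted(employees, h) is False for h in guest_hosts),
        "guests reach guest segments": all(is_permitted(guests, h) for h in guest_hosts),
        "guests cannot reach employee segments": all(is_permitted(guests, h) is False for h in employee_hosts),
        "both reach egress and DNS": all(is_permitted(r, h) for r in both for h in shared),
        "only employees reach the service server": is_permitted(employees, "192.168.100.3") is True
        and is_permitted(guests, "192.168.100.3") is False,
        "special server denied to both": all(is_permitted(r, "192.168.100.100") is False for r in both),
        "every ACL closes with an explicit rule": all(is_permitted(r, "203.0.113.9") is not None for r in both),
    }
```

A check that comes back False means the rule set on the device would not deliver the isolation the expected results describe, which is cheaper to find here than from a guest reaching an employee segment in production.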

Verifying the Configuration


1. Verify that the employees and guest can be successfully authenticated and
access the network after selecting the correct access mode and entering the
correct user names and passwords.
# Enter the correct user name and password on PC1, connect to the WLANs
Employee and Guest in wireless mode, and then run the display access-user
command on AGG1 and AGG-AC1 to check information about online users.
The command output shows that user1, user2, and guest4 are all in Success
state.
[AGG1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC              Status
------------------------------------------------------------------------------------------------------
32792    user1      172.16.50.216    00e0-fc12-3344   Success
------------------------------------------------------------------------------------------------------
Total: 1, printed: 1
[AGG-AC1] display access-user
------------------------------------------------------------------------------------------------------
UserID   Username   IP address       MAC              Status
------------------------------------------------------------------------------------------------------
16434    user2      172.16.30.97     00e0-fc12-3366   Success
32809    guest4     172.16.31.165    00e0-fc12-3355   Success
------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

# Run the display access-user username user1 detail command on AGG1 to


view detailed authentication and authorization information of user1.
[AGG1] display access-user username user1 detail

Basic:
User ID : 32792
User name : user1
Domain-name : huawei.com
User MAC : 00e0-fc12-3344
User IP address : 172.16.50.216
User vpn-instance : -
User IPv6 address : FE80::E9AA:9FE9:95F9:C499
User IPv6 link local address : FE80::E9AA:9FE9:95F9:C499
User access Interface : Eth-Trunk10
User vlan event : Success
QinQVlan/UserVlan : 0/50
User vlan source : user request
User access time : 2019/12/30 10:01:33
User accounting session ID : AGG00018000000050ef****0200018
User access type : 802.1x
Terminal Device Type : Data Terminal
Dynamic ACL ID(Effective) : 3001

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1

# Run the display access-user username user2 detail and display access-
user username guest4 detail commands on AGG-AC1 to view detailed
authentication and authorization information of user2 and guest4.

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 197


CloudEngine S3700, S5700, and S6700 Series
Switches
Typical Configuration Examples(V600) 2 Campus Configuration Examples

[AGG-AC1] display access-user username user2 detail

Basic:
User ID : 16434
User name : user2
User MAC : 00e0-fc12-3366
User IP address : 172.16.30.97
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17498
User vlan event : Success
QinQVlan/UserVlan : 0/30
User vlan source : user request
User access time : 2019/12/30 10:02:55
User accounting session ID : AC2000000000000308d****0100032
User accounting mult session ID : AC853DA6A42038CADA5E441A5E09C****B2526E4
User access type : 802.1x
AP name : area_1
Radio ID : 1
AP MAC : 00e0-fc12-4400
SSID : Employee
Online time : 115(s)
Dynamic ACL ID(Effective) : 3001
User Group Priority : 0

AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
[AGG-AC1] display access-user username guest4 detail

Basic:
User ID : 32809
User name : guest4
User MAC : 00e0-fc12-3355
User IP address : 172.16.31.165
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss17497
User vlan event : Success
QinQVlan/UserVlan : 0/31
User vlan source : user request
User access time : 2019/12/30 09:52:57
User accounting session ID : AC200000000000031dd****0200029
User accounting mult session ID : AC853DA6A42064B0A6A3F913FFFFF****FFFFFFF
User access type : WEB
AP name : area_1
Radio ID : 0
AP MAC : 00e0-fc12-4400
SSID : Guest
Online time : 764(s)
Web-server IP address : 192.168.100.10
Dynamic ACL ID(Effective) : 3002
User Group Priority : 0

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

------------------------------------------------------------------------------

Total: 1, printed: 1
2. Verify that the successfully authenticated employees and guest can access
authentication-free resources and resources in post-authentication domains,
but cannot access resources that are denied in the post-authentication
domains. The following uses wired access of an employee as an example.
# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 192.168.100.2. The ping operation succeeds.
C:\Users\*******>ping 192.168.100.2

Pinging 192.168.100.2 with 32 bytes of data:
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252
Reply from 192.168.100.2: bytes=32 time=1ms TTL=252

Ping statistics for 192.168.100.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>
# On PC1, ping the service server with IP address 192.168.100.3. The ping
operation succeeds.
C:\Users\*******>ping 192.168.100.3

Pinging 192.168.100.3 with 32 bytes of data:
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252
Reply from 192.168.100.3: bytes=32 time=1ms TTL=252

Ping statistics for 192.168.100.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\*******>
# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.3.1. The ping operation
succeeds.
C:\Users\*******>ping 172.16.3.1

Pinging 172.16.3.1 with 32 bytes of data:
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253
Reply from 172.16.3.1: bytes=32 time<1ms TTL=253

Ping statistics for 172.16.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\*******>
# On PC1, ping a resource denied in the post-authentication domain, for
example, the special server with IP address 192.168.100.100. The ping
operation fails.
C:\Users\*******>ping 192.168.100.100

Pinging 192.168.100.100 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 192.168.100.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>

3. Verify that employees can communicate with each other, but cannot
communicate with the guest.
# On PC1, ping the IP address of the terminal used by the wireless employee
account user2. The ping operation succeeds.
C:\Users\*******>ping 172.16.30.97

Pinging 172.16.30.97 with 32 bytes of data:
Reply from 172.16.30.97: bytes=32 time=131ms TTL=62
Reply from 172.16.30.97: bytes=32 time=39ms TTL=62
Reply from 172.16.30.97: bytes=32 time=169ms TTL=62
Reply from 172.16.30.97: bytes=32 time=93ms TTL=62

Ping statistics for 172.16.30.97:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 169ms, Average = 108ms

C:\Users\*******>
# On PC1, ping the IP address of the wireless terminal used by guest4. The
ping operation fails.
C:\Users\*******>ping 172.16.31.165

Pinging 172.16.31.165 with 32 bytes of data:
Request time out.
Request time out.
Request time out.
Request time out.

Ping statistics for 172.16.31.165:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\*******>
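
The following Python script is an added example written for this page; it is not part of the Huawei document and uses no Huawei tool. It parses the `display access-user ... detail` output quoted in step 1 and the `acl number 3001` / `acl number 3002` blocks from the AGG-AC1 script below, then evaluates the ping destinations from steps 2 and 3 with first-match, wildcard-mask ACL semantics, so the expected permit or deny outcome of each test can be checked before running it on the switch. The function names (`parse_access_users`, `parse_acls`, `evaluate`, `check_ping`, `check_user_vlan`) and the trimmed sample input are mine. One assumption: PC1, the wired employee, is judged by ACL 3001, which is the only ACL the AGG1 script defines and the same ACL user2 shows in its display output. The script also covers the reverse direction (guest to employee, and guest to the service server), which the page does not test.

```python
"""Added example: replay the verification steps above offline, using the ACL
blocks and display output quoted on this page (not Huawei's own tooling)."""
import ipaddress
import re

# Constructed from the display access-user output above (only the fields used).
ACCESS_USER_OUTPUT = """\
User name : user2
QinQVlan/UserVlan : 0/30
SSID : Employee
Dynamic ACL ID(Effective) : 3001
User name : guest4
QinQVlan/UserVlan : 0/31
SSID : Guest
Dynamic ACL ID(Effective) : 3002
"""

# ACL blocks copied from the AGG-AC1 configuration script on this page.
ACL_CONFIG = """\
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
"""

EXPECTED_VLAN = {"Employee": 30, "Guest": 31}  # service-vlan of each vap-profile
RULE_RE = re.compile(r"^rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")


def parse_access_users(text):
    """One dict per user; a new record starts at every 'User name' line."""
    users = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "User name":
            users.append({})
        if users:
            users[-1][key] = value
    return users


def parse_acls(text):
    """{acl_number: [(rule_id, action, network_int, wildcard_int), ...]}; a rule
    with no destination ('rule 8 deny ip') gets an all-ones wildcard."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("acl number "):
            current = int(line.split()[-1])
            acls[current] = []
            continue
        m = RULE_RE.match(line)
        if not m or current is None:
            continue
        rule_id, action, net, wild = m.groups()
        if net is None:  # catch-all rule: every destination matches
            acls[current].append((int(rule_id), action, 0, 0xFFFFFFFF))
        else:  # Huawei writes an exact-host wildcard as the bare digit 0
            wild_int = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
            acls[current].append((int(rule_id), action, int(ipaddress.IPv4Address(net)), wild_int))
    return acls


def evaluate(rules, dst):
    """First match wins; a 0 bit in the wildcard must match, a 1 bit is ignored.
    Returns (action, rule_id); 'no-match' needs an ACL with no catch-all rule."""
    dst_int = int(ipaddress.IPv4Address(dst))
    for rule_id, action, net, wild in rules:
        care = 0xFFFFFFFF ^ wild  # bits the rule actually compares
        if dst_int & care == net & care:
            return action, rule_id
    return "no-match", None


def check_ping(acls, users, username, dst):
    """Verdict for traffic from `username` to `dst` under the user's dynamic ACL."""
    user = next(u for u in users if u["User name"] == username)
    return evaluate(acls[int(user["Dynamic ACL ID(Effective)"])], dst)


def check_user_vlan(users):
    """True when every user landed in the service VLAN of the SSID it joined."""
    return all(int(u["QinQVlan/UserVlan"].split("/")[1]) == EXPECTED_VLAN[u["SSID"]] for u in users)


if __name__ == "__main__":
    users, acls = parse_access_users(ACCESS_USER_OUTPUT), parse_acls(ACL_CONFIG)
    print("user2 -> special server:", check_ping(acls, users, "user2", "192.168.100.100"))
    print("guest4 -> user2:", check_ping(acls, users, "guest4", "172.16.30.97"))
    print("VLANs match SSIDs:", check_user_vlan(users))
```

Run as a script it prints the verdict and the rule number that produced it, which is the detail a ping cannot give: the employee-to-guest failure in step 3 comes from `rule 8 deny ip` of ACL 3001, and the guest-to-employee direction is cut by `rule 5 deny ip` of ACL 3002. The DNS server 192.168.100.2 is the one destination reachable in every state, before authentication through `free-rule 1` and after it through rule 2 of both ACLs, which is why the first ping in step 2 is expected to succeed regardless of which account is logged in.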

Configuration Scripts
# CORE
#
sysname CORE
#
vlan batch 70 80 1000
#
interface Vlanif70
ip address 172.16.70.1 255.255.255.0
#
interface Vlanif80
ip address 172.16.80.1 255.255.255.0
#
interface Vlanif1000
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk10
description connect to AGG1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk20
description connect to AGG2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk30
undo portswitch
description connect to Internet
ip address 172.16.3.1 255.255.255.0
mode lacp
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
eth-trunk 30
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface XGigabitEthernet1/2/0/1
port link-type access
port default vlan 1000
#
interface XGigabitEthernet2/1/0/1
eth-trunk 20
#
interface XGigabitEthernet2/1/0/2
eth-trunk 10
#
interface XGigabitEthernet2/1/0/5
eth-trunk 30
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.70.0 0.0.0.255
network 172.16.80.0 0.0.0.255
network 192.168.100.0 0.0.0.255
#
return

# AGG1
#
sysname AGG1
#
vlan batch 20 30 to 31 50 70
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 20
#
vlan 50
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif20
ip address 192.168.20.20 255.255.255.0
#
interface Vlanif30
ip address 172.16.30.3 255.255.255.0
#
interface Vlanif31
ip address 172.16.31.3 255.255.255.0
#
interface Vlanif50
ip address 172.16.50.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif70
ip address 172.16.70.2 255.255.255.0
#
interface Eth-Trunk1
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 70
mode lacp
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
authentication-profile p1
mode lacp
#
interface 10GigabitEthernet1/0/3
eth-trunk 30
#
interface 10GigabitEthernet1/0/4
eth-trunk 1
#
interface 10GigabitEthernet1/0/10
mad detect mode direct
#
interface 10GigabitEthernet1/0/5
eth-trunk 1
#
interface 10GigabitEthernet2/0/3
eth-trunk 30
#
interface 10GigabitEthernet1/0/1
eth-trunk 10
#
interface 10GigabitEthernet2/0/1
eth-trunk 10
#
interface 10GigabitEthernet2/0/10
mad detect mode direct
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.70.0 0.0.0.255
#
dot1x-access-profile name d1
#
return

# AGG2
#
sysname AGG2
#
vlan batch 21 40 to 41 60 80
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
access-domain huawei.com force
#
dhcp enable
#
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#~jZ}F$6t6/!K%~9Ow$"Vb,+LFnrEl>q<\'1!^JD7%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#GH(%~#au`G.f/lA~"P%I]^Z4L*yVj"[/w"2uWP\'%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
free-rule 2 source vlan 21
#
vlan 60
dhcp snooping enable
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
interface Vlanif21
ip address 192.168.21.20 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.3 255.255.255.0
#
interface Vlanif41
ip address 172.16.41.3 255.255.255.0
#
interface Vlanif60
ip address 172.16.60.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 192.168.100.2
#
interface Vlanif80
ip address 172.16.80.2 255.255.255.0
#
interface Eth-Trunk2
description con to AC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface Eth-Trunk10
description connect to CORE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 80
mode lacp
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
authentication-profile p1
mode lacp
#
interface 10GigabitEthernet1/0/3
eth-trunk 40
#
interface 10GigabitEthernet1/0/4
eth-trunk 2
#
interface 10GigabitEthernet1/0/5
eth-trunk 2
#
interface 10GigabitEthernet1/0/10
mad detect mode direct
#
interface 10GigabitEthernet2/0/3
eth-trunk 40
#
interface 10GigabitEthernet2/0/10
mad detect mode direct
#
interface 10GigabitEthernet1/0/1
eth-trunk 20
#
interface 10GigabitEthernet2/0/1
eth-trunk 20
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
network 172.16.60.0 0.0.0.255
network 172.16.80.0 0.0.0.255
#
dot1x-access-profile name d1
#
return

# AGG-AC1
#
sysname AGG-AC1
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.20.2
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.2 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.31.2 172.16.31.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.1 peer-ip 172.16.200.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG-AC2
#
sysname AGG-AC2
#
vrrp recover-delay 60
#
vlan batch 20 30 to 31 200
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 30
dhcp snooping enable
vlan 31
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.20.1
dhcp server excluded-ip-address 192.168.20.20
#
interface Vlanif30
ip address 172.16.30.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.30.1
dhcp server excluded-ip-address 172.16.30.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif31
ip address 172.16.31.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.31.1
dhcp server excluded-ip-address 172.16.31.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif200
ip address 172.16.200.2 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30 to 31
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.30.0 0.0.0.255
network 172.16.31.0 0.0.0.255
#
capwap source interface vlanif20
#
hsb-service 0
service-ip-port local-ip 172.16.200.2 peer-ip 172.16.200.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif20
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 31
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 1 type-id 30 ap-mac 00e0-fc12-6660 ap-sn 2102355547W0E3000316
ap-name area_1
ap-group ap-group1
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG-AC3
#
sysname AGG-AC3
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif21
ip address 192.168.21.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1200
dhcp select interface
dhcp server excluded-ip-address 192.168.21.2
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.2 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.41.2 172.16.41.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif201
ip address 172.16.201.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.1 peer-ip 172.16.201.2 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# AGG-AC4
#
sysname AGG-AC4
#
vrrp recover-delay 60
#
vlan batch 21 40 to 41 201
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
authentication-profile name p2
mac-access-profile mac1
portal-access-profile web1
free-rule-template default_free_rule
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
dhcp enable
#
dhcp snooping enable
#
vlan 40
dhcp snooping enable
vlan 41
dhcp snooping enable
#
radius-server template tem_rad
radius-server shared-key cipher %^%#}q]hRf*~x5o]fjF<R#EEFXy0MI=L4)Tw]%+Nk)ET%^%#
radius-server authentication 192.168.100.10 1812 weight 80
radius-server accounting 192.168.100.10 1813 weight 80
radius-server authorization 192.168.100.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
acl number 3001
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 192.168.100.3 0
rule 4 permit ip destination 172.16.30.0 0.0.0.255
rule 5 permit ip destination 172.16.40.0 0.0.0.255
rule 6 permit ip destination 172.16.50.0 0.0.0.255
rule 7 permit ip destination 172.16.60.0 0.0.0.255
rule 8 deny ip
acl number 3002
rule 1 permit ip destination 172.16.3.0 0.0.0.255
rule 2 permit ip destination 192.168.100.2 0
rule 3 permit ip destination 172.16.31.0 0.0.0.255
rule 4 permit ip destination 172.16.41.0 0.0.0.255
rule 5 deny ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.100.2 mask 255.255.255.255
#
web-auth-server tem_portal
server-ip 192.168.100.10
port 50200
shared-key cipher %^%#@Un19tIB1FQ\p%US,S54+gEh'8@qzSQ&BGXJ$niV%^%#
url http://192.168.100.10:8080/portal
server-detect interval 100 max-times 5 action log
#
portal-access-profile name web1
web-auth-server tem_portal direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
#
interface Vlanif21
ip address 192.168.21.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.21.3
admin-vrrp vrid 1
dhcp select interface
dhcp server excluded-ip-address 192.168.21.1
dhcp server excluded-ip-address 192.168.21.20
#
interface Vlanif40
ip address 172.16.40.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.40.1
dhcp server excluded-ip-address 172.16.40.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif41
ip address 172.16.41.2 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server excluded-ip-address 172.16.41.1
dhcp server excluded-ip-address 172.16.41.3
dhcp server dns-list 192.168.100.2
#
interface Vlanif201
ip address 172.16.201.2 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 40 to 41
mode lacp
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 172.16.40.0 0.0.0.255
network 172.16.41.0 0.0.0.255
#
capwap source interface vlanif21
#
hsb-service 0
service-ip-port local-ip 172.16.201.2 peer-ip 172.16.201.1 local-data-port 10241 peer-data-port 10241
#
hsb-group 0
track vrrp vrid 1 interface Vlanif21
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name traff
user-isolate l2
security-profile name sec1
security wpa2 dot1x aes
security-profile name sec2
ssid-profile name ssid1
ssid Employee
ssid-profile name ssid2
ssid Guest
vap-profile name vap1
forward-mode tunnel
service-vlan vlan-id 40
ssid-profile ssid1
security-profile sec1
traffic-profile traff
authentication-profile p1
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
vap-profile name vap2
forward-mode tunnel
service-vlan vlan-id 41
ssid-profile ssid2
security-profile sec2
traffic-profile traff
authentication-profile p2
ip source check user-bind enable
arp anti-attack check user-bind enable
learn-client-address dhcp-strict
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
radio 1
vap-profile vap1 wlan 1
vap-profile vap2 wlan 2
ap-id 2 type-id 56 ap-mac 00e0-fc12-6670 ap-sn 21500829352SGA900583
ap-name area_2
ap-group ap-group2
provision-ap
#
dot1x-access-profile name d1
#
mac-access-profile name mac1
#
return

# ACC1
#
sysname ACC1
#
vlan batch 20 50
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 00e0-fc02-0003 group-mac 00e0-fc00-0002
#
interface Eth-Trunk30
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 50
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface 10GigabitEthernet1/0/1
eth-trunk 30
#
interface 10GigabitEthernet1/0/2
eth-trunk 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 50
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 20
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

# ACC2
#
sysname ACC2
#
vlan batch 21 60
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 00e0-fc02-0003 group-mac 00e0-fc00-0002
#
interface Eth-Trunk40
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 21 60
l2protocol-tunnel user-defined-protocol 802.1x enable
mode lacp
#
interface 10GigabitEthernet1/0/1
eth-trunk 40
#
interface 10GigabitEthernet1/0/2
eth-trunk 40
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 60
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 21
stp edged-port enable
l2protocol-tunnel user-defined-protocol 802.1x enable
port-isolate enable group 1
#
return

2.2.2.4 Example for Configuring Authentication on Access Devices Functioning as Authentication Points

Overview
This scenario aims to enable Layer 2 and Layer 3 communication between core,
aggregation, and access devices on a small-sized campus network and configure
802.1X authentication on access devices. Users can access the campus network
and communicate with each other only after being authenticated successfully.

Networking Requirements
In Figure 2-24, the campus network consists of the core layer, aggregation layer,
and access layer.
● The aggregation switch functions as a user gateway to route and forward user
services.
● Access switches function as user authentication points. Users can access the
network only after passing 802.1X authentication.
● Network devices are connected through Eth-Trunks to improve network
reliability.

Figure 2-24 Configuring authentication on access devices functioning as authentication points

Data Plan

Table 2-37 VLAN plan

Device | Planned Type | Planned Value | Description
Core switch (CORE) | - | VLAN 70 | VLAN used to connect to AGG.
Aggregation switch (AGG) | - | VLAN 60 | Service VLAN of ACC1
Aggregation switch (AGG) | - | VLAN 50 | Service VLAN of ACC2

Table 2-38 IP address plan

Device | Planned Type (Optional) | Planned Value | Description
Core switch (CORE) | XGE0/0/1, XGE0/0/2 | VLANIF 70: 172.16.70.1/24 | Interfaces connected to AGG
Core switch (CORE) | XGE0/0/3, XGE0/0/4 | 172.16.10.0/24 | Network segment for connecting to the Internet
Aggregation switch (AGG) | 10GE1/0/1, 10GE1/0/2 | VLANIF 60: 172.16.60.0/24 | Network segment for connecting to ACC1
Aggregation switch (AGG) | 10GE1/0/3, 10GE1/0/4 | VLANIF 50: 172.16.50.0/24 | Network segment for connecting to ACC2
Aggregation switch (AGG) | 10GE1/0/5, 10GE1/0/6 | VLANIF 70: 172.16.70.2/24 | Interface connected to CORE

Configuration Precautions
● It is not recommended that VLAN 1 be used as the management VLAN or a
service VLAN. Remove all interfaces from VLAN 1. Interfaces need to
transparently transmit packets from specific VLANs, instead of all VLANs,
based on actual service requirements.
● The RADIUS authentication, accounting, and authorization keys configured on
the switches must be the same as those configured on the RADIUS server.
This example describes only the configurations on the switches. For details
about the configurations on the RADIUS server, see the specific server guide.
● By default, switches allow the packets sent to the RADIUS server to pass
through, removing the need to configure an authentication-free rule for these
packets.
● In the 802.1X authentication scenario, if there is a Layer 2 switch between the
802.1X-enabled switch and users, Layer 2 transparent transmission must be
enabled for 802.1X authentication packets on the Layer 2 switch; otherwise,
users cannot be successfully authenticated.
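The first precaution (no VLAN 1 on trunk interfaces), together with the DHCP snooping-trusted interface and the per-port authentication profile configured in Steps 5 and 8 of the procedure below, can be checked mechanically against a saved configuration script. The following Python script is an added example written for this page; it is not Huawei code and is not part of this document. It assumes a script in the layout used under Configuration Scripts (blocks separated by lines containing only "#", with the same interface allowed to appear in more than one block), and the script it audits, SAMPLE_CONFIG, is constructed for the example with two deliberate gaps.

```python
import re
from typing import Dict, List

# Constructed sample script (not copied from the document): an access switch
# in the layout of the ACC1/ACC2 scripts, with two deliberate gaps so the
# audit has something to report: VLAN 1 is still allowed on the uplink
# trunk, and GE0/0/4 never receives an authentication-profile.
SAMPLE_CONFIG = """\
#
sysname ACC-SAMPLE
#
vlan batch 60
#
interface eth-Trunk 30
 description connect to AGG
 mode lacp
 port link-type trunk
 port trunk allow-pass vlan 60
#
interface gigabitethernet 0/0/3
 port link-type access
 port default vlan 60
 stp edged-port enable
#
interface gigabitethernet 0/0/4
 port link-type access
 port default vlan 60
 stp edged-port enable
#
dhcp enable
#
dhcp snooping enable
#
vlan 60
 dhcp snooping enable
 dhcp snooping trusted interface Eth-Trunk 30
#
interface gigabitethernet 0/0/3
 authentication-profile p1
#
return
"""


def _norm(s: str) -> str:
    """Case-fold and drop whitespace so 'eth-Trunk 30' equals 'Eth-Trunk30'."""
    return re.sub(r"\s+", "", s.lower())


def parse_vrp(text: str) -> Dict[str, List[str]]:
    """Group a VRP script into {normalised header: [lower-cased commands]}.

    Blocks are separated by lines containing only '#'. The same interface
    can appear in more than one block (the document's scripts apply the
    authentication-profile in a second block), so equal headers are merged.
    """
    blocks: Dict[str, List[str]] = {}
    current: List[str] = []
    for raw in text.splitlines() + ["#"]:
        line = raw.strip()
        if line == "#":
            if current:
                blocks.setdefault(_norm(current[0]), []).extend(
                    " ".join(c.lower().split()) for c in current[1:]
                )
            current = []
        elif line:
            current.append(line)
    return blocks


def audit(text: str) -> List[str]:
    """Return one finding per check the script fails (empty list = clean)."""
    blocks = parse_vrp(text)
    findings: List[str] = []
    for key, cmds in blocks.items():
        if not key.startswith("interface"):
            continue
        name = key[len("interface"):]
        # Precaution: trunks must not transparently carry VLAN 1.
        if "port link-type trunk" in cmds and "undo port trunk allow-pass vlan 1" not in cmds:
            findings.append(f"{name}: trunk still allows VLAN 1")
        # Step 8: every user-facing access port must enforce 802.1X via a profile.
        if "port link-type access" in cmds and not any(
            c.startswith("authentication-profile ") for c in cmds
        ):
            findings.append(f"{name}: access port has no authentication-profile")
    for key, cmds in blocks.items():
        # Step 5: a snooping-enabled VLAN needs a trusted uplink, and that
        # uplink must actually be configured on the device.
        if re.fullmatch(r"vlan\d+", key) and "dhcp snooping enable" in cmds:
            trusted = [
                _norm(c[len("dhcp snooping trusted interface "):])
                for c in cmds
                if c.startswith("dhcp snooping trusted interface ")
            ]
            if not trusted:
                findings.append(f"{key}: DHCP snooping enabled without a trusted interface")
            for ref in trusted:
                if "interface" + ref not in blocks:
                    findings.append(f"{key}: trusted interface {ref} is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real script saved with display current-configuration, the audit reports an uplink trunk that still allows VLAN 1, an access port that lacks an authentication profile, and a DHCP-snooping VLAN whose trusted interface is missing or refers to an interface that does not exist; a clean script produces no findings.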

Applicable Products and Versions

Table 2-39 Applicable products and versions

Product/Sub-series | Device Host Name | Version
S12700 | CORE | V200R019C00 and later versions
S8700 | AGG, ACC2 | V600R021C10 and later versions
S5731-S | ACC1 | V200R019C10 and later versions

Configuration Roadmap

Table 2-40 Eth-Trunks in Layer 2 access authentication

Step | Configuration Roadmap | Involved Product
1 | Configure interfaces and VLANs on switches to implement Layer 2 communication. | Core switch (CORE), aggregation switch (AGG), and access switches (ACC1 and ACC2)
2 | Configure VLANIF interfaces on switches and assign IP addresses to the VLANIF interfaces. | Core switch (CORE) and aggregation switch (AGG)
3 | Configure the DHCP relay function on the switch so that the switch functions as a DHCP relay agent to forward DHCP packets between DHCP clients and the DHCP server. | Aggregation switch (AGG)
4 | Configure routing on switches to implement Layer 3 communication. | Core switch (CORE) and aggregation switch (AGG)
5 | Configure authentication, authorization, and accounting (AAA), including configuring a RADIUS server template, AAA schemes, and authentication domains to enable user authentication, authorization, and accounting through RADIUS, as well as configuring parameters for interconnection between switches and the RADIUS server. | Access switches (ACC1 and ACC2)
6 | Configure resources accessible to users before they are authenticated successfully (referred to as authentication-free resources) and post-authentication domains, so that users have corresponding network access rights in different authentication phases. | Access switches (ACC1 and ACC2)
7 | Configure 802.1X authentication for users. | Access switches (ACC1 and ACC2)

Procedure
Step 1 Configure interfaces and VLANs on switches.
1. Configure interfaces and a VLAN on CORE.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] vlan batch 70
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] description connect to AGG
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] port link-type trunk
[CORE-Eth-Trunk20] port trunk allow-pass vlan 70
[CORE-Eth-Trunk20] undo port trunk allow-pass vlan 1
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 0/0/1
[CORE-XGigabitEthernet0/0/1] eth-trunk 20
[CORE-XGigabitEthernet0/0/1] quit
[CORE] interface xgigabitethernet 0/0/2
[CORE-XGigabitEthernet0/0/2] eth-trunk 20
[CORE-XGigabitEthernet0/0/2] quit
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] undo portswitch
[CORE-Eth-Trunk10] description connect to Internet
[CORE-Eth-Trunk10] trunkport xgigabitethernet 0/0/3
[CORE-Eth-Trunk10] trunkport xgigabitethernet 0/0/4
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] ip address 172.16.10.3 24
[CORE-Eth-Trunk10] quit
2. Configure interfaces and VLANs on AGG.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 50 60 70
[AGG] interface eth-trunk 20
[AGG-Eth-Trunk20] description connect to CORE
[AGG-Eth-Trunk20] mode lacp-static
[AGG-Eth-Trunk20] port link-type trunk
[AGG-Eth-Trunk20] port trunk allow-pass vlan 70
[AGG-Eth-Trunk20] undo port trunk allow-pass vlan 1
[AGG-Eth-Trunk20] quit
[AGG] interface 10GE 1/0/5
[AGG-10GE1/0/5] eth-trunk 20
[AGG-10GE1/0/5] quit
[AGG] interface 10GE 1/0/6
[AGG-10GE1/0/6] eth-trunk 20
[AGG-10GE1/0/6] quit
[AGG] interface eth-trunk 30
[AGG-Eth-Trunk30] description connect to ACC1
[AGG-Eth-Trunk30] mode lacp-static
[AGG-Eth-Trunk30] port link-type trunk
[AGG-Eth-Trunk30] port trunk allow-pass vlan 60
[AGG-Eth-Trunk30] undo port trunk allow-pass vlan 1
[AGG-Eth-Trunk30] quit
[AGG] interface 10GE 1/0/1
[AGG-10GE1/0/1] eth-trunk 30
[AGG-10GE1/0/1] quit
[AGG] interface 10GE 1/0/2
[AGG-10GE1/0/2] eth-trunk 30
[AGG-10GE1/0/2] quit
[AGG] interface eth-trunk 40
[AGG-Eth-Trunk40] description connect to ACC2
[AGG-Eth-Trunk40] mode lacp-static
[AGG-Eth-Trunk40] port link-type trunk
[AGG-Eth-Trunk40] port trunk allow-pass vlan 50
[AGG-Eth-Trunk40] undo port trunk allow-pass vlan 1
[AGG-Eth-Trunk40] quit
[AGG] interface 10GE 1/0/3
[AGG-10GE1/0/3] eth-trunk 40
[AGG-10GE1/0/3] quit
[AGG] interface 10GE 1/0/4
[AGG-10GE1/0/4] eth-trunk 40
[AGG-10GE1/0/4] quit
3. Configure interfaces and a VLAN on ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 60
[ACC1] interface eth-Trunk 30
[ACC1-Eth-Trunk30] description connect to AGG
[ACC1-Eth-Trunk30] mode lacp
[ACC1-Eth-Trunk30] port link-type trunk
[ACC1-Eth-Trunk30] port trunk allow-pass vlan 60
[ACC1-Eth-Trunk30] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk30] quit
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] eth-trunk 30
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] eth-trunk 30
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 60
[ACC1-GigabitEthernet0/0/3] stp edged-port enable
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type access
[ACC1-GigabitEthernet0/0/4] port default vlan 60
[ACC1-GigabitEthernet0/0/4] stp edged-port enable
[ACC1-GigabitEthernet0/0/4] quit

4. Configure interfaces and a VLAN on ACC2.
<HUAWEI> system-view
[HUAWEI] sysname ACC2
[ACC2] vlan batch 50
[ACC2] interface eth-Trunk 40
[ACC2-Eth-Trunk40] description connect to AGG
[ACC2-Eth-Trunk40] mode lacp-static
[ACC2-Eth-Trunk40] port link-type trunk
[ACC2-Eth-Trunk40] port trunk allow-pass vlan 50
[ACC2-Eth-Trunk40] undo port trunk allow-pass vlan 1
[ACC2-Eth-Trunk40] quit
[ACC2] interface 10GE 1/0/1
[ACC2-10GE1/0/1] eth-trunk 40
[ACC2-10GE1/0/1] quit
[ACC2] interface 10GE 1/0/2
[ACC2-10GE1/0/2] eth-trunk 40
[ACC2-10GE1/0/2] quit
[ACC2] interface 10GE 1/0/3
[ACC2-10GE1/0/3] port link-type access
[ACC2-10GE1/0/3] port default vlan 50
[ACC2-10GE1/0/3] stp edged-port enable
[ACC2-10GE1/0/3] quit
[ACC2] interface 10GE 1/0/4
[ACC2-10GE1/0/4] port link-type access
[ACC2-10GE1/0/4] port default vlan 50
[ACC2-10GE1/0/4] stp edged-port enable
[ACC2-10GE1/0/4] quit

Step 2 Configure VLANIF interfaces on switches and assign IP addresses to the VLANIF
interfaces.
1. Configure a VLANIF interface on CORE and assign an IP address to the
VLANIF interface.
# Create Layer 3 interface VLANIF 70 for connecting to AGG.
[CORE] interface vlanif 70
[CORE-Vlanif70] ip address 172.16.70.1 255.255.255.0
[CORE-Vlanif70] quit

2. Configure VLANIF interfaces on AGG and assign IP addresses to the VLANIF
interfaces.
# Create Layer 3 interfaces VLANIF 50 and VLANIF 60 for connecting to
access switches.
[AGG] interface vlanif 60
[AGG-Vlanif60] ip address 172.16.60.1 255.255.255.0
[AGG-Vlanif60] quit
[AGG] interface vlanif 50
[AGG-Vlanif50] ip address 172.16.50.1 255.255.255.0
[AGG-Vlanif50] quit

# Create Layer 3 interface VLANIF 70 for connecting to CORE.
[AGG] interface vlanif 70
[AGG-Vlanif70] ip address 172.16.70.2 255.255.255.0
[AGG-Vlanif70] quit

Step 3 Configure the DHCP relay function on AGG so that AGG functions as a DHCP relay
agent to forward DHCP packets between DHCP clients and the DHCP server.

# Enable the DHCP relay function and configure the DHCP server IP address on
VLANIF 50 and VLANIF 60 of AGG.
[AGG] dhcp enable
[AGG] interface vlanif 50
[AGG-Vlanif50] dhcp select relay
[AGG-Vlanif50] dhcp relay server-ip 172.16.10.4
[AGG-Vlanif50] quit
[AGG] interface vlanif 60
[AGG-Vlanif60] dhcp select relay
[AGG-Vlanif60] dhcp relay server-ip 172.16.10.4
[AGG-Vlanif60] quit

Step 4 Configure routing on switches to implement Layer 3 communication. You can
configure a routing protocol based on actual requirements. In this example, OSPF
is used.

# Configure OSPF on CORE.
[CORE] ospf 1 router-id 1.1.1.1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit

# Configure OSPF on AGG.
[AGG] ospf 1 router-id 2.2.2.2
[AGG-ospf-1] area 0
[AGG-ospf-1-area-0.0.0.0] network 172.16.70.0 0.0.0.255
[AGG-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255
[AGG-ospf-1-area-0.0.0.0] network 172.16.60.0 0.0.0.255
[AGG-ospf-1-area-0.0.0.0] quit
[AGG-ospf-1] quit

Step 5 Configure DHCP snooping-trusted interfaces on access switches to enable users to
obtain IP addresses from authorized DHCP servers.

# Configure a DHCP snooping-trusted interface on ACC1. The configuration of
ACC2 is similar to that of ACC1.
[ACC1] dhcp enable
[ACC1] dhcp snooping enable
[ACC1] vlan 60
[ACC1-vlan60] dhcp snooping enable
[ACC1-vlan60] dhcp snooping trusted interface Eth-Trunk 30
[ACC1-vlan60] quit

Step 6 Configure AAA parameters on ACC1. The configuration of ACC2 is similar to that
of ACC1.

# Configure the RADIUS server template tem_rad, and configure the parameters
for interconnection between ACC1 and the RADIUS server, including the IP
addresses, port numbers, authentication key, and accounting key of the RADIUS
authentication and accounting servers.
[ACC1] radius-server template tem_rad
[ACC1-radius-tem_rad] radius-server authentication 172.16.10.2 1812
[ACC1-radius-tem_rad] radius-server accounting 172.16.10.2 1813
[ACC1-radius-tem_rad] radius-server shared-key cipher YsHsjx_202206
[ACC1-radius-tem_rad] quit

# Configure a RADIUS authorization server and an authorization key.
[ACC1] radius-server authorization 172.16.10.2 shared-key cipher YsHsjx_202206

# Configure an AAA authentication scheme and an AAA accounting scheme, set
the authentication and accounting modes to RADIUS, and set the accounting
interval to 15 minutes.
[ACC1] aaa
[ACC1-aaa] authentication-scheme auth
[ACC1-aaa-authen-auth] authentication-mode radius
[ACC1-aaa-authen-auth] quit
[ACC1-aaa] accounting-scheme acco
[ACC1-aaa-accounting-acco] accounting-mode radius
[ACC1-aaa-accounting-acco] accounting realtime 15
[ACC1-aaa-accounting-acco] quit

# Configure the authentication domain huawei.com and bind AAA schemes and
the RADIUS server template to this domain.
[ACC1-aaa] domain huawei.com
[ACC1-aaa-domain-huawei.com] authentication-scheme auth
[ACC1-aaa-domain-huawei.com] accounting-scheme acco
[ACC1-aaa-domain-huawei.com] radius-server tem_rad
[ACC1-aaa-domain-huawei.com] quit
[ACC1-aaa] quit

Step 7 Configure authentication-free resources and a post-authentication domain on
ACC1. The configuration of ACC2 is similar to that of ACC1.
# Configure authentication-free resources to allow packets destined for the DNS
server to pass through.
[ACC1] free-rule-template name default_free_rule
[ACC1-free-rule-default_free_rule] free-rule 1 destination ip 172.16.10.1 mask 32
[ACC1-free-rule-default_free_rule] quit

# Configure a post-authentication domain and configure ACL 3001 to control the
network access rights of authenticated users.
[ACC1] acl 3001
[ACC1-acl4-advance-3001] rule 1 permit ip destination 172.16.10.0 0.0.0.255
[ACC1-acl4-advance-3001] rule 2 permit ip destination 172.16.50.0 0.0.0.255
[ACC1-acl4-advance-3001] rule 3 permit ip destination 172.16.60.0 0.0.0.255
[ACC1-acl4-advance-3001] rule 4 deny ip destination any
[ACC1-acl4-advance-3001] quit

Step 8 Configure 802.1X authentication on ACC1. The configuration of ACC2 is similar to
that of ACC1.
# Configure an 802.1X access profile. By default, an 802.1X access profile uses EAP
authentication. Ensure that the RADIUS server supports EAP; otherwise, the
RADIUS server cannot process 802.1X authentication requests.
[ACC1] dot1x-access-profile name d1
[ACC1-dot1x-access-profile-d1] quit

# Configure an authentication profile for users.
[ACC1] authentication-profile name p1
[ACC1-authen-profile-p1] dot1x-access-profile d1
[ACC1-authen-profile-p1] access-domain huawei.com force
[ACC1-authen-profile-p1] authentication event authen-server-up action re-authen
[ACC1-authen-profile-p1] quit

# Configure 802.1X authentication for access users on downlink interfaces.
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] authentication-profile p1
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface gigabitethernet 0/0/4
[ACC1-GigabitEthernet0/0/4] authentication-profile p1
[ACC1-GigabitEthernet0/0/4] quit

----End

Verifying the Configuration
1. Verify that users can access only the authentication-free resources, but not
resources in post-authentication domains, before they are successfully
authenticated or when they fail the authentication.
# Enter an incorrect user name or password on PC1, and then run the display
access-user command on ACC1 to check information about online users. The
command output shows that user1 is online but is in Pre-authen state; that
is, authentication has not been performed or user authentication fails.
[ACC1] display access-user
process 0:
-----------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------------------------------------
16457 user1 172.16.60.43 00e0-fc12-3344 Pre-authen
-----------------------------------------------------------------------------------------------
Total: 1, printed: 1

# On PC1, ping an authentication-free resource, for example, the DNS server
with IP address 172.16.10.1. The ping operation succeeds.
C:\Users>ping 172.16.10.1

Pinging 172.16.10.1 with 32 bytes of data:


Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

# On PC1, ping a resource in the post-authentication domain, for example,
the campus egress device with IP address 172.16.10.3. The ping operation
fails.
C:\Users>ping 172.16.10.3

Pinging 172.16.10.3 with 32 bytes of data:


Request time out.
Request time out.
Request time out.
Request time out.
Ping statistics for 172.16.10.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

2. Users can access resources in the post-authentication domain after being
successfully authenticated.
# Run the display ip pool interface vlanif60 used command on AGG. The
command output shows that users have obtained IP addresses.
[AGG] display ip pool interface vlanif60 used
Pool-name : Vlanif60
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 172.16.10.1
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 :-
Network : 172.16.60.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :254 Used :2
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
172.16.60.1 172.16.60.254 254 2 252(0) 0 0
-------------------------------------------------------------------------------
Client-ID format as follows:
DHCP : mac-address PPPoE : mac-address
IPSec : user-id/portnumber/vrf PPP : interface index
L2TP : cpu-slot/session-id SSL-VPN : user-id/session-id
-------------------------------------------------------------------------------
Index IP Client-ID Type Left Status
-------------------------------------------------------------------------------
42 172.16.60.43 00e0-fc12-3344 DHCP 86380 Used
173 172.16.60.174 00e0-fc12-4400 DHCP 85890 Used
-------------------------------------------------------------------------------
# Run the ping 172.16.60.174 command on PC1 to check whether PC1 is
connected to PC3.
C:\Users>ping 172.16.60.174

Pinging 172.16.60.174 with 32 bytes of data:


Reply from 172.16.60.174: bytes=32 time<1ms TTL=128
Reply from 172.16.60.174: bytes=32 time<1ms TTL=128
Reply from 172.16.60.174: bytes=32 time<1ms TTL=128
Reply from 172.16.60.174: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.60.174:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
# Run the display access-user command on ACC1 to check information
about online users.
[ACC1] display access-user
Total: 2
------------------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------------------------------
16457 user1 172.16.60.43 00e0-fc12-3344 Success
16463 user2 172.16.60.174 00e0-fc12-4400 Success
------------------------------------------------------------------------------------------------------
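The two outcomes shown in this verification (a Pre-authen user reaching only 172.16.10.1, a Success user reaching hosts in 172.16.60.0/24) follow from the free-rule template and ACL 3001 configured in Step 7. The following Python model is an added example, not Huawei code and not part of this document. It uses the rule values from Step 7, converts the ACL's address/wildcard pairs into prefixes (the conversion is general, not only for the /24 wildcards on the page), and evaluates constructed user records in the shape of the display access-user output; the decisions are computed by the model, not read from a switch.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn a VRP 'address wildcard' pair into a network.

    In a wildcard a 1 bit means "don't care", so 0.0.0.255 covers the whole
    last octet (a /24) and 0.0.0.0 matches a single host (a /32). Only
    contiguous wildcards, the kind used in ACL 3001, are accepted.
    """
    wc = int(IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return IPv4Network((addr, 32 - host_bits), strict=False)


# free-rule-template default_free_rule: free-rule 1 destination ip 172.16.10.1 mask 32
FREE_RULES: List[IPv4Network] = [IPv4Network("172.16.10.1/32")]

# acl 3001 as configured on ACC1 in Step 7: (rule id, action, destination)
ACL_3001: List[Tuple[int, str, IPv4Network]] = [
    (1, "permit", wildcard_to_network("172.16.10.0", "0.0.0.255")),
    (2, "permit", wildcard_to_network("172.16.50.0", "0.0.0.255")),
    (3, "permit", wildcard_to_network("172.16.60.0", "0.0.0.255")),
    (4, "deny", IPv4Network("0.0.0.0/0")),  # rule 4 deny ip destination any
]


def decide(status: str, dst: str) -> Tuple[str, str]:
    """Decide whether a user in the given access-user Status may reach dst.

    'Success' users are governed by the post-authentication ACL; any other
    status (the page shows 'Pre-authen') gets only the authentication-free
    rules. Rules are evaluated in order and the first match wins.
    """
    ip = IPv4Address(dst)
    if status != "Success":
        for net in FREE_RULES:
            if ip in net:
                return "permit", f"free-rule {net}"
        return "deny", "not an authentication-free resource"
    for rule_id, action, net in ACL_3001:
        if ip in net:
            return action, f"acl 3001 rule {rule_id}"
    # Not reachable with this ACL: rule 4 matches every destination.
    return "deny", "no rule matched"


# Constructed access-user records (not the page's output) in the shape of
# 'display access-user': (Username, IP address, Status).
USERS: List[Tuple[str, str, str]] = [
    ("user1", "172.16.60.43", "Pre-authen"),
    ("user2", "172.16.60.174", "Success"),
]


def reachable(dst: str) -> List[Tuple[str, str, str]]:
    """(username, action, reason) for every user record against one destination."""
    return [(name, *decide(status, dst)) for name, _ip, status in USERS]


if __name__ == "__main__":
    for target in ("172.16.10.1", "172.16.10.3", "172.16.60.174", "203.0.113.9"):
        print(target, reachable(target))
```

The model makes the ordering visible: a user who is still Pre-authen is denied 172.16.10.3 even though ACL 3001 would permit it, because the ACL is consulted only after authentication succeeds, and an authenticated user sending to a destination outside the three campus prefixes falls through to rule 4.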

Configuration Scripts
CORE
#
sysname CORE
#
vlan batch 70
#
interface eth-trunk 20
description connect to AGG
mode lacp
port link-type trunk
port trunk allow-pass vlan 70
undo port trunk allow-pass vlan 1
#
interface xgigabitethernet 0/0/1
eth-trunk 20
#
interface xgigabitethernet 0/0/2
eth-trunk 20
#
interface eth-trunk 10
undo portswitch
description connect to Internet
trunkport xgigabitethernet 0/0/3
trunkport xgigabitethernet 0/0/4
mode lacp
ip address 172.16.10.3 24
#
interface vlanif 70
ip address 172.16.70.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
area 0
network 172.16.70.0 0.0.0.255
network 172.16.10.0 0.0.0.255
#
return

AGG
#
sysname AGG
#
vlan batch 50 60 70
#
interface eth-trunk 20
description connect to CORE
mode lacp-static
port link-type trunk
port trunk allow-pass vlan 70
undo port trunk allow-pass vlan 1
#
interface 10GE 1/0/5
eth-trunk 20
#
interface 10GE 1/0/6
eth-trunk 20
#
interface eth-trunk 30
description connect to ACC1
mode lacp-static
port link-type trunk
port trunk allow-pass vlan 60
undo port trunk allow-pass vlan 1
#
interface 10GE 1/0/1
eth-trunk 30
#
interface 10GE 1/0/2
eth-trunk 30
#
interface eth-trunk 40
description connect to ACC2
mode lacp-static
port link-type trunk
port trunk allow-pass vlan 50
undo port trunk allow-pass vlan 1
#
interface 10GE 1/0/3
eth-trunk 40
#
interface 10GE 1/0/4
eth-trunk 40
#
interface vlanif 60
ip address 172.16.60.1 255.255.255.0
#
interface vlanif 50
ip address 172.16.50.1 255.255.255.0
#
interface vlanif 70
ip address 172.16.70.2 255.255.255.0
#
dhcp enable
#
interface vlanif 50
dhcp select relay
dhcp relay server-ip 172.16.10.4
#
interface vlanif 60
dhcp select relay
dhcp relay server-ip 172.16.10.4
#
ospf 1 router-id 2.2.2.2
area 0
network 172.16.70.0 0.0.0.255
network 172.16.50.0 0.0.0.255
network 172.16.60.0 0.0.0.255
#
return

ACC1
#
sysname ACC1
#
vlan batch 60
#
interface eth-Trunk 30
description connect to AGG
mode lacp
port link-type trunk
port trunk allow-pass vlan 60
undo port trunk allow-pass vlan 1
#
interface gigabitethernet 0/0/1
eth-trunk 30
#
interface gigabitethernet 0/0/2
eth-trunk 30
#
interface gigabitethernet 0/0/3
port link-type access
port default vlan 60
stp edged-port enable
#
interface gigabitethernet 0/0/4
port link-type access
port default vlan 60
stp edged-port enable
#
dhcp enable
#
dhcp snooping enable
#
vlan 60
dhcp snooping enable
dhcp snooping trusted interface Eth-Trunk 30
#
radius-server template tem_rad
radius-server authentication 172.16.10.2 1812
radius-server accounting 172.16.10.2 1813
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!$!!!!*!!!!ZonC2XJ]_A]N&P!y16vPj_Uy9)u)C(uV/Z*!!!!!2jp5!!!!!!
>!!!!`)6iHP{C#&HAcVY08({:4]*A%,$y+NJ>E9=@UDl<%+%#
#
radius-server authorization 172.16.10.2 shared-key cipher %+%##!!!!!!!!!"!!!!$!!!!*!!!!ZonC2XJ]_A!^$C:
%n#~KaX8E66].pBb\^nM!!!!!2jp5!!!!!!>!!!!GI3OQ[gk[I#n({0dZ"V(Cvgj)QG[+'oB,D"YP`'A%+%#
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.10.1 mask 32
#
acl 3001
rule 1 permit ip destination 172.16.10.0 0.0.0.255
rule 2 permit ip destination 172.16.50.0 0.0.0.255
rule 3 permit ip destination 172.16.60.0 0.0.0.255
rule 4 deny ip destination any
#
dot1x-access-profile name d1
#
authentication-profile name p1
dot1x-access-profile d1
access-domain huawei.com force
authentication event authen-server-up action re-authen
#
interface gigabitethernet 0/0/3
authentication-profile p1
#
interface gigabitethernet 0/0/4
authentication-profile p1
#
return

ACC2
#
sysname ACC2
#
vlan batch 50
#
interface eth-Trunk 40
description connect to AGG
mode lacp-static
port link-type trunk
port trunk allow-pass vlan 50
undo port trunk allow-pass vlan 1
#
interface 10GE 1/0/1
eth-trunk 40
#
interface 10GE 1/0/2
eth-trunk 40
#
interface 10GE 1/0/3
port link-type access
port default vlan 50
stp edged-port enable
#
interface 10GE 1/0/4
port link-type access
port default vlan 50
stp edged-port enable
#
dhcp enable
#
dhcp snooping enable
#
vlan 50
dhcp snooping enable
dhcp snooping trusted interface Eth-Trunk 40
#
radius-server template tem_rad
radius-server authentication 172.16.10.2 1812
radius-server accounting 172.16.10.2 1813
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!$!!!!*!!!!ZonC2XJ]_A]N&P!y16vPj_Uy9)u)C(uV/Z*!!!!!2jp5!!!!!!
>!!!!`)6iHP{C#&HAcVY08({:4]*A%,$y+NJ>E9=@UDl<%+%#
#
radius-server authorization 172.16.10.2 shared-key cipher %+%##!!!!!!!!!"!!!!$!!!!*!!!!ZonC2XJ]_A!^$C:
%n#~KaX8E66].pBb\^nM!!!!!2jp5!!!!!!>!!!!GI3OQ[gk[I#n({0dZ"V(Cvgj)QG[+'oB,D"YP`'A%+%#
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain huawei.com
authentication-scheme auth
accounting-scheme acco
radius-server tem_rad
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.10.1 mask 32
#
acl 3001
rule 1 permit ip destination 172.16.10.0 0.0.0.255
rule 2 permit ip destination 172.16.50.0 0.0.0.255
rule 3 permit ip destination 172.16.60.0 0.0.0.255
rule 4 deny ip destination any
#
dot1x-access-profile name d1
#
authentication-profile name p1
dot1x-access-profile d1
access-domain huawei.com force
authentication event authen-server-up action re-authen
#
interface 10GE 1/0/3
authentication-profile p1
#
interface 10GE 1/0/4
authentication-profile p1
#
return

2.2.3 Example for Deploying an Intelligent Simplified Campus Network
Overview
Traditional campus network architectures face the following challenges:
● High costs: The development of the Internet and Internet of Things (IoT)
brings more and more new types of terminals. The network needs to be
expanded to support more terminals. In the current network deployment
mode, switches are deployed in extra-low voltage (ELV) rooms of each floor,
and Ethernet cables connecting to APs are usually buried in walls. If more
terminals need to be connected, reconstruction and re-cabling are required,
resulting in high costs.
● Low bandwidth: The rapid development of services such as remote office and
online teaching requires more network bandwidth. Twisted pairs cannot
support ongoing bandwidth evolution.
● Difficult management: Multi-network convergence is trending, making
networks and their management more complex.
To meet these challenges, Huawei has launched the intelligent simplified campus
network solution. As shown in Figure 2-25, it consists of central switches and
remote units (RUs) distributed in offices, agile workspaces, and classrooms,
making network deployment and operations more efficient.

Figure 2-25 Intelligent simplified campus network

RUs are plug-and-play, facilitating networking. To connect the central switch and
RUs, you can select the cable type that best suits your needs, choosing from
Ethernet cables, optical fibers, and optical-electrical hybrid cables. Optical-
electrical hybrid cables will enable the central switch to remotely supply power to
RUs, ensuring network continuity in case of power failures.
The uplink interfaces of RUs can be connected to the central switch through a
single link or dual links. If there is only one link, the network is successfully
deployed after the central switch and RUs are powered on. In the case of dual
links, as shown in Figure 2-26, the two links are connected to the same central
switch and RU. Two uplink interfaces on the RU automatically form a link
aggregation group, whereas the two interfaces on the central switch need to be
manually configured to form a link aggregation group.

Figure 2-26 Intelligent simplified campus network with dual links

As shown in Figure 2-27, in dual-link scenarios, the central switch may not set up
a link aggregation group or the two links may connect to different central
switches. In these cases, the central switch will automatically detect the fault,
triggering an alarm and Error-Down event.

Figure 2-27 Abnormal dual-link scenario

Networking Requirements
An enterprise builds an office building with several offices. Several cameras,
laptops, PCs, and printers are deployed in each office. A laptop may move
between several offices. Laptops from a department can only access their
department's server, regardless of their locations. For example, laptop 1 can only
access server 1 and laptop 2 can only access server 2. The networking is shown in
Figure 2-28.
Switch deployment solution: Deploy a central switch (DeviceA in the figure) in the
ELV room of the office building. Deploy an RU (RUn in the figure, where n
indicates the room number) in the ELV box of each office. The central switch
connects to RUs through hybrid cables and supplies power to RUs through PoE.

The RU in each office is connected to cameras, laptops, PCs, and printers through
Ethernet cables. The 8-port RU in this example uses four downlink ports, and
other downlink ports are reserved.

Figure 2-28 Networking for RU deployment in the office building

Data Plan

Table 2-41 Terminal data plan

Terminal     Power Supply Mode     VLAN    MAC Address
Camera 1     PoE                   1100    00e0-fc76-1230
Laptop 1     Local power supply    1200    00e0-fc76-1240
PC 1         Local power supply    1300    00e0-fc76-1250
Printer 1    Local power supply    1400    00e0-fc76-1260
Camera 2     PoE                   1100    00e0-fc76-2230
Laptop 2     Local power supply    1500    00e0-fc76-2240
PC 2         Local power supply    1300    00e0-fc76-2250
Printer 2    Local power supply    1400    00e0-fc76-2260

Applicable Products and Versions

Table 2-42 Applicable products and versions of switches

Series           Product                                                                  Version
S12700E          S12700E-4, S12700E-8, and S12700E-12                                     V200R021C10 and later versions
S12700           S12704, S12708, and S12712                                               V200R021C10 and later versions
S8700            S8700-4, S8700-6, and S8700-10                                           V600R022C10 and later versions
S7700            S7706 and S7712                                                          V200R021C10 and later versions
S6700            S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S, S6720-EI, and S6720S-EI   V200R021C10 and later versions
                 S6730-H-V2                                                               V600R022C10 and later versions
S5700            S5732-H                                                                  V200R021C10 and later versions
                 S5731-H                                                                  V200R021C10 and later versions
                 S5731S-H, S5731-S, S5731S-S, S5736-S, S5735S-H, S5735-S, S5735S-S,       V200R021C10 and later versions
                 S5735-S-I, S5720I-SI, S5735-L, S5735S-L, S5735-L1, S5735S-L1,
                 S5735-L-I, S5720-LI, and S5720S-LI
                 S5732-H-V2                                                               V600R022C10 and later versions
                 S5735-L-V2, S5735-S-V2, S5735I-L-V2, S5735I-S-V2, and S3710-H            V600R022C10 and later versions
                 S5755-H                                                                  V600R023C00 and later versions
S5500            S5535-L-V2 and S5535-S-V2                                                V600R023C00 and later versions
S500 and S300    S500 and S300                                                            V200R021C10 and later versions

Table 2-43 Applicable products and versions of RUs

RU Model               Version
S5731-L4P2HW-RUA       V200R021C10 and later versions
S5731S-L4P2HW-RUA      V200R021C10 and later versions
S5731-L4P2HT-RUA       V200R021C10 and later versions
S5731S-L4P2HT-RUA      V200R021C10 and later versions
S5731-L8P2HT-RUA       V200R021C10 and later versions
S5731S-L8P2HT-RUA      V200R021C10 and later versions
S5731-L4P2ST-RUA       V200R021C10 and later versions
S5731S-L4P2ST-RUA      V200R021C10 and later versions
S5731-L8P2ST-RUA       V200R021C10 and later versions
S5731S-L8P2ST-RUA      V200R021C10 and later versions
S5731-L4T2S-RUA        V200R021C10 and later versions
S5731S-L4T2S-RUA       V200R021C10 and later versions
S5731-L4T2ST-RUA       V200R021C10 and later versions
S5731S-L4T2ST-RUA      V200R021C10 and later versions
S5731-L8T2ST-RUA       V200R021C10 and later versions
S5731S-L8T2ST-RUA      V200R021C10 and later versions

Configuration Roadmap

Table 2-44 Configuration roadmap for the intelligent simplified campus network solution

Step    Configuration Roadmap
1       Connect the RU to the central switch, and onboard the RU in plug-and-play mode.
2       Bind an interconnection interface for each RU on DeviceA and configure interface isolation for the RU.
3       Associate the MAC addresses of terminals with VLANs on the central switch (DeviceA).
4       On the central switch (DeviceA), configure the interfaces for connecting to the RU and add the interfaces to VLAN 1100, VLAN 1200, VLAN 1300, VLAN 1400, and VLAN 1500.

Procedure
Step 1 Connect the uplink interface of each RU to the central switch and check whether
the RUs go online successfully.
# Check the RU status. Normal indicates that the RU is running properly.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] display remote-unit
------------------------------------------------------------------------------------------------------------------------
ESN ID Type ConnectInterface Status VersionMatch Name
------------------------------------------------------------------------------------------------------------------------
219801176801XXXXXXXX - S5731-L8P2HT-RUA 10GE10/0/1 Normal NO -
219801176802XXXXXXXX - S5731-L8P2HT-RUA 10GE10/0/2 Normal NO -
------------------------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

Step 2 Configure the interconnection interfaces and interface isolation for the RUs.
# Bind the interconnection interface.
[DeviceA] remote-unit 0
[DeviceA-remote-unit-0] name RU101
[DeviceA-remote-unit-0] description RU101_10GE10/0/1
[DeviceA-remote-unit-0] bind interface 10GE 10/0/1
[DeviceA-remote-unit-0] quit
[DeviceA] remote-unit 1
[DeviceA-remote-unit-1] name RU201
[DeviceA-remote-unit-1] description RU201_10GE10/0/2
[DeviceA-remote-unit-1] bind interface 10GE 10/0/2
[DeviceA-remote-unit-1] quit

# Configure interface isolation in the global RU view and deliver the configuration
to the RUs.
[DeviceA] remote-unit
[DeviceA-remote-unit] isolate enable
[DeviceA-remote-unit] commit all
[DeviceA-remote-unit] quit

Step 3 Create VLANs and configure the allowed VLAN for the interfaces. Add the
interconnection interfaces 10GE10/0/1 and 10GE10/0/2 to VLAN 1100, VLAN 1200,
VLAN 1300, VLAN 1400, and VLAN 1500.
[DeviceA] vlan batch 1100 1200 1300 1400 1500
[DeviceA] interface 10GE 10/0/1
[DeviceA-10GE10/0/1] description to_RU101
[DeviceA-10GE10/0/1] port link-type hybrid
[DeviceA-10GE10/0/1] port hybrid pvid vlan 1300
[DeviceA-10GE10/0/1] port hybrid untagged vlan 1100 1200 1300 1400 1500
[DeviceA-10GE10/0/1] quit
[DeviceA] interface 10GE 10/0/2
[DeviceA-10GE10/0/2] description to_RU201
[DeviceA-10GE10/0/2] port link-type hybrid
[DeviceA-10GE10/0/2] port hybrid pvid vlan 1300
[DeviceA-10GE10/0/2] port hybrid untagged vlan 1100 1200 1300 1400 1500
[DeviceA-10GE10/0/2] quit

# Associate the MAC addresses of terminals with VLANs.
[DeviceA] vlan 1100
[DeviceA-vlan1100] mac-vlan mac-address 00e0-fc76-1230
[DeviceA-vlan1100] mac-vlan mac-address 00e0-fc76-2230
[DeviceA-vlan1100] quit
[DeviceA] vlan 1200
[DeviceA-vlan1200] mac-vlan mac-address 00e0-fc76-1240
[DeviceA-vlan1200] quit
[DeviceA] vlan 1500
[DeviceA-vlan1500] mac-vlan mac-address 00e0-fc76-2240
[DeviceA-vlan1500] quit
[DeviceA] vlan 1400
[DeviceA-vlan1400] mac-vlan mac-address 00e0-fc76-1260
[DeviceA-vlan1400] mac-vlan mac-address 00e0-fc76-2260
[DeviceA-vlan1400] quit
[DeviceA] interface 10GE 10/0/1
[DeviceA-10GE10/0/1] mac-vlan enable
[DeviceA-10GE10/0/1] quit
[DeviceA] interface 10GE 10/0/2
[DeviceA-10GE10/0/2] mac-vlan enable
[DeviceA-10GE10/0/2] quit

Step 4 Configure allowed VLANs for the uplink interface of the central switch.
[DeviceA] interface 10GE 0/0/1
[DeviceA-10GE0/0/1] port link-type trunk
[DeviceA-10GE0/0/1] port trunk allow-pass vlan 1100 1200 1300 1400 1500
[DeviceA-10GE0/0/1] quit

----End

Verifying the Configuration
# Check the RU status. The configured RU IDs (0 and 1) and names (RU101 and RU201) are now displayed.
[DeviceA] display remote-unit
------------------------------------------------------------------------------------------------------------------------
ESN ID Type ConnectInterface Status VersionMatch Name
------------------------------------------------------------------------------------------------------------------------
219801176801XXXXXXXX 0 S5731-L8P2HT-RUA 10GE10/0/1 Normal NO RU101
219801176802XXXXXXXX 1 S5731-L8P2HT-RUA 10GE10/0/2 Normal NO RU201
------------------------------------------------------------------------------------------------------------------------
Total: 2, printed: 2

# Run the display mac-vlan mac-address all command in any view to check the
configuration of MAC address-based VLAN assignment.
[DeviceA] display mac-vlan mac-address all
---------------------------------------------------
MAC Address MASK VLAN Priority
---------------------------------------------------
00e0-fc76-1230 ffff-ffff-ffff 1100 0
00e0-fc76-2230 ffff-ffff-ffff 1100 0
00e0-fc76-1240 ffff-ffff-ffff 1200 0
00e0-fc76-1260 ffff-ffff-ffff 1400 0
00e0-fc76-2260 ffff-ffff-ffff 1400 0
00e0-fc76-2240 ffff-ffff-ffff 1500 0

Total MAC VLAN address count: 6

# After the terminals access the network, check the MAC address table.
[DeviceA] display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
00e0-fc76-1230 1100/-/- 10GE10/0/1 dynamic
00e0-fc76-1240 1200/-/- 10GE10/0/1 dynamic
00e0-fc76-1250 1300/-/- 10GE10/0/1 dynamic
00e0-fc76-1260 1400/-/- 10GE10/0/1 dynamic
00e0-fc76-2230 1100/-/- 10GE10/0/2 dynamic
00e0-fc76-2240 1500/-/- 10GE10/0/2 dynamic
00e0-fc76-2250 1300/-/- 10GE10/0/2 dynamic
00e0-fc76-2260 1400/-/- 10GE10/0/2 dynamic
-------------------------------------------------------------------------------
Total items displayed = 8
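The VLAN a terminal lands in here is decided by its source MAC (mac-vlan) and otherwise by the uplink's PVID, so membership in the camera, laptop or printer VLAN rests on an identifier any host can clone, and any unplanned device plugged into an RU port gets VLAN 1300 by default. The following Python script, added here as an example and not part of the Huawei document, audits the table shown above against the data plan in Table 2-41: it parses the rows of display mac-address and the mac-vlan lines of the DeviceA script, then reports a MAC learned in an unplanned VLAN, an unplanned MAC, a fixed device (camera, PC, printer) learned behind a different RU uplink than the one it was installed on, and a planned terminal that has no mac-vlan entry. The home uplink per terminal and the two sample tables are constructed for the example; the second table injects a cloned Camera 1 MAC behind RU201 and an unplanned host.

```python
import re

# Constructed from Table 2-41 above: MAC -> (terminal, planned VLAN, roams, home RU uplink).
# Laptops move between offices, so their uplink is not checked.
PLAN = {
    "00e0-fc76-1230": ("Camera 1", 1100, False, "10GE10/0/1"),
    "00e0-fc76-1240": ("Laptop 1", 1200, True, None),
    "00e0-fc76-1250": ("PC 1", 1300, False, "10GE10/0/1"),
    "00e0-fc76-1260": ("Printer 1", 1400, False, "10GE10/0/1"),
    "00e0-fc76-2230": ("Camera 2", 1100, False, "10GE10/0/2"),
    "00e0-fc76-2240": ("Laptop 2", 1500, True, None),
    "00e0-fc76-2250": ("PC 2", 1300, False, "10GE10/0/2"),
    "00e0-fc76-2260": ("Printer 2", 1400, False, "10GE10/0/2"),
}
PVID = 1300  # `port hybrid pvid vlan 1300` on both RU uplinks: hosts with no mac-vlan entry land here

# One data row of `display mac-address`: MAC, VLAN/VSI/BD, Learned-From, Type.
MAC_ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)/\S+\s+(\S+)\s+(\S+)$")


def parse_mac_table(text):
    """Return {mac: (vlan, interface, type)} from `display mac-address` output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            table[m.group(1)] = (int(m.group(2)), m.group(3), m.group(4))
    return table


def parse_mac_vlan_config(script):
    """Return {mac: vlan} from the `vlan N` / `mac-vlan mac-address` lines of a configuration script."""
    mapping, vlan = {}, None
    for line in script.splitlines():
        line = line.strip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.match(r"^mac-vlan mac-address (\S+)$", line)
        if m and vlan is not None:
            mapping[m.group(1)] = vlan
    return mapping


def audit(mac_table, mac_vlan_cfg, plan=PLAN, pvid=PVID):
    """Return a list of findings; an empty list means the learned table matches the plan."""
    findings = []
    for mac, (vlan, intf, _) in sorted(mac_table.items()):
        if mac not in plan:
            # An unplanned host on an RU port is untagged, so it gets PVID (PC VLAN) access by default.
            findings.append(f"UNPLANNED {mac} learned in VLAN {vlan} on {intf}")
            continue
        name, want_vlan, roams, home = plan[mac]
        if vlan != want_vlan:
            findings.append(f"WRONG-VLAN {name} {mac}: planned {want_vlan}, learned {vlan} on {intf}")
        if not roams and intf != home:
            # A fixed device appearing behind another RU is either a physical move or a cloned MAC.
            findings.append(f"MOVED {name} {mac}: expected on {home}, learned on {intf}")
    for mac, (name, want_vlan, _, _) in sorted(plan.items()):
        # A planned terminal outside the PVID with no mac-vlan entry silently falls into the PVID.
        if want_vlan != pvid and mac_vlan_cfg.get(mac) != want_vlan:
            findings.append(f"NO-MAC-VLAN {name} {mac}: no mac-vlan entry for VLAN {want_vlan}")
    return findings


# Constructed sample: the healthy table shown above, in the same column order.
MAC_TABLE_OK = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD    Learned-From    Type
-------------------------------------------------------------------------------
00e0-fc76-1230 1100/-/- 10GE10/0/1 dynamic
00e0-fc76-1240 1200/-/- 10GE10/0/1 dynamic
00e0-fc76-1250 1300/-/- 10GE10/0/1 dynamic
00e0-fc76-1260 1400/-/- 10GE10/0/1 dynamic
00e0-fc76-2230 1100/-/- 10GE10/0/2 dynamic
00e0-fc76-2240 1500/-/- 10GE10/0/2 dynamic
00e0-fc76-2250 1300/-/- 10GE10/0/2 dynamic
00e0-fc76-2260 1400/-/- 10GE10/0/2 dynamic
-------------------------------------------------------------------------------
Total items displayed = 8
"""
# Constructed anomaly: Camera 1's MAC now learned behind RU201 (cloned MAC or moved camera) plus an unplanned host.
MAC_TABLE_BAD = MAC_TABLE_OK.replace(
    "00e0-fc76-1230 1100/-/- 10GE10/0/1", "00e0-fc76-1230 1100/-/- 10GE10/0/2"
).replace("Total items", "00e0-fc76-9999 1300/-/- 10GE10/0/2 dynamic\nTotal items")

# The mac-vlan part of the DeviceA configuration script from this section.
DEVICEA_SCRIPT = """\
vlan batch 1100 1200 1300 1400 1500
vlan 1100
 mac-vlan mac-address 00e0-fc76-1230
 mac-vlan mac-address 00e0-fc76-2230
vlan 1200
 mac-vlan mac-address 00e0-fc76-1240
vlan 1400
 mac-vlan mac-address 00e0-fc76-1260
 mac-vlan mac-address 00e0-fc76-2260
vlan 1500
 mac-vlan mac-address 00e0-fc76-2240
"""


def audit_samples():
    """Audit both constructed tables against the plan; returns (findings_ok, findings_bad)."""
    cfg = parse_mac_vlan_config(DEVICEA_SCRIPT)
    return audit(parse_mac_table(MAC_TABLE_OK), cfg), audit(parse_mac_table(MAC_TABLE_BAD), cfg)
```

Calling audit_samples() returns an empty list for the healthy table and a MOVED plus an UNPLANNED finding for the tampered one. The script is a consistency check, not authentication: a terminal that must not be impersonated should be covered by 802.1X or MAC authentication (as in the preceding example) rather than by mac-vlan alone.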

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 1100 1200 1300 1400 1500
#
vlan 1100
mac-vlan mac-address 00e0-fc76-1230
mac-vlan mac-address 00e0-fc76-2230
vlan 1200
mac-vlan mac-address 00e0-fc76-1240
vlan 1400
mac-vlan mac-address 00e0-fc76-1260
mac-vlan mac-address 00e0-fc76-2260
vlan 1500
mac-vlan mac-address 00e0-fc76-2240
#
interface 10GE 10/0/1
description to_RU101
port link-type hybrid
port hybrid pvid vlan 1300
port hybrid untagged vlan 1100 1200 1300 1400 1500
mac-vlan enable
#
interface 10GE 10/0/2
description to_RU201
port link-type hybrid
port hybrid pvid vlan 1300
port hybrid untagged vlan 1100 1200 1300 1400 1500
mac-vlan enable
#
interface 10GE 0/0/1
port link-type trunk
port trunk allow-pass vlan 1100 1200 1300 1400 1500
#
remote-unit
isolate enable
commit all
#
remote-unit 0
description RU101_10GE10/0/1
name RU101
bind interface 10GE10/0/1
remote-unit 1
description RU201_10GE10/0/2
name RU201
bind interface 10GE10/0/2
#

2.2.4 Example for Configuring a VRRP Gateway on a Ring Network

Overview
If a loop occurs on a Layer 2 network, packets are continuously duplicated and
transmitted, causing a broadcast storm. When a broadcast storm occurs, a large
amount of available bandwidth is consumed, making the network unavailable.
Layer 2 ring network technologies can be used to block redundant links to
eliminate logical loops on a ring network. As networks rapidly develop and
applications diversify, various value-added services such as Internet Protocol
television (IPTV) and video conferencing are being widely deployed. Network
infrastructure reliability is required to ensure uninterrupted service transmission
for users. Virtual Router Redundancy Protocol (VRRP) solves this problem. VRRP
groups multiple devices into a virtual device without changing the networking,
and the IP address of the virtual device is configured as the default gateway
address, implementing default gateway backup. If a gateway fails, VRRP selects a
different gateway to forward traffic, thereby ensuring reliable communication.
Figure 2-29 shows the basic IPTV networking in a region. To ensure the quality of
live TV streams, the live TV streams sent by the multicast source server need to be
forwarded to the transcoding server for transcoding and then forwarded by the
transcoding server to users. The transcoding server is connected to the IPTV
network through two devices that work in dual-node backup mode on the ring
network, improving network reliability.
● Normal forwarding path for multicast streams sent by the multicast source
server: Core -> PE1 -> Device1 -> CDN -> transcoding server
● Normal forwarding path for multicast streams transcoded by the transcoding
server: transcoding server -> CDN -> Device1 -> PE1 -> AGG -> ACC1 and
ACC2
● Normal forwarding path for unicast streams sent from the recording server to
users: recording server -> CDN -> Device1 -> PE1 -> AGG -> ACC1 and ACC2

Figure 2-29 Video traffic forwarding paths in a scenario where a VRRP gateway is
configured on a ring network

Networking Requirements
Figure 2-30 shows the IPTV networking in a region. Users can watch live TV
programs and catch-up TV programs. The requirements are as follows:

● Multicast live streams sent by the multicast source server are first forwarded
to the CDN server for transcoding and recording and then forwarded to users.
● Users can also watch catch-up TV programs in unicast mode.
● Layer 2 and Layer 3 multicast and IGMP snooping are configured to
implement multicast traffic forwarding.
● OSPF is used to implement Layer 3 traffic forwarding. Device1 and Device2
establish neighbor relationships with PE1 and PE2 respectively in area 1 of
OSPF process 1. Core establishes neighbor relationships with PE1 and PE2 in
area 0 of OSPF process 1.
● MSTP is deployed on CDN, Device1, and Device2, and a VRRP group is
configured on Device1 and Device2. Device1 is configured with a higher
priority and a preemption delay of 20s so that it functions as the master
device to forward traffic, and Device2 is configured with a lower priority so
that it functions as the backup device, implementing gateway redundancy and
improving network reliability.
● To ensure access security, traffic policies are configured on Device1 and
Device2 to restrict the access of the multicast source server.
In this example, an S12700 switch functions as Core, S8700-6 switches function as
PE1, PE2, AGG, CDN, Device1, and Device2, and S5735-L switches function as
ACC1 and ACC2.

Figure 2-30 Basic IPTV networking in a scenario where a VRRP gateway is configured on a ring network

Data Plan

Table 2-45 VLAN plan

Plan Type    Planned Value    Description
VLAN         33               VLAN to which users connected to ACC1 belong.
             34               VLAN to which users connected to ACC2 belong.
             88               VLAN used by users to watch catch-up TV programs.
             301              VLAN used by Device1 and Device2.
             400              VLAN used after multicast live streams are transcoded.
             530              VLAN used before multicast live streams are transcoded.

Table 2-46 IP address plan

Device     Plan Type     Planned Value                                                                   Description
Core       XGE1/0/1      10.6.1.3/24                                                                     Layer 3 interface connected to the multicast source server.
           XGE1/0/2      10.7.1.3/24                                                                     Layer 3 interface connected to PE2.
           XGE1/0/3      10.8.1.2/24                                                                     Layer 3 interface connected to PE1.
           LoopBack0     10.0.0.3/32                                                                     -
PE1        10GE1/0/2     10.12.1.1/24                                                                    Layer 3 interface connected to Core.
           10GE1/0/3     10.60.1.1/24                                                                    Layer 3 interface connected to PE2.
           VLANIF 10     10.1.1.1/24, corresponding to physical interface 10GE1/0/1                      Interface connected to Device1.
           VLANIF 11     10.11.1.1/24, corresponding to physical interface 10GE1/0/4                     Interface connected to the external network.
           LoopBack0     10.0.0.1/32                                                                     -
PE2        10GE1/0/2     10.20.1.2/24                                                                    Layer 3 interface connected to Core.
           10GE1/0/3     10.60.1.2/24                                                                    Layer 3 interface connected to PE1.
           VLANIF 10     10.1.2.1/24, corresponding to physical interface 10GE1/0/1                      Interface connected to Device2.
           VLANIF 22     10.22.1.2/24, corresponding to physical interface 10GE1/0/4                     Interface connected to the external network.
           LoopBack0     10.0.0.2/32                                                                     -
AGG        VLANIF 11     10.11.1.8/24, corresponding to physical interface 10GE1/0/4                     Interface connected to the video network egress (PE1).
           VLANIF 33     10.33.1.8/24, corresponding to physical interface 10GE1/0/1                     Interface connected to ACC1.
           VLANIF 34     10.34.1.8/24, corresponding to physical interface 10GE1/0/2                     Interface connected to ACC2.
           LoopBack0     10.0.0.4/32                                                                     -
Device1    VLANIF 10     10.1.1.2/24, corresponding to physical interface 10GE1/0/1                      Interface connected to PE1.
           VLANIF 88     10.88.1.7/24, corresponding to physical interface 10GE1/0/2                     Used for communication with the recording server.
           VLANIF 301    10.31.1.1/24, corresponding to physical interfaces 10GE1/0/3 and 10GE1/0/4      Interface connected to Device2. 10GE1/0/3 and 10GE1/0/4 are bundled into Eth-Trunk 1.
           VLANIF 400    10.4.1.2/24, corresponding to physical interface 10GE1/0/2                      Used for communication with the server after transcoding.
           VLANIF 530    10.5.1.2/24, corresponding to physical interface 10GE1/0/2                      Used for communication with the server before transcoding.
Device2    VLANIF 10     10.1.2.2/24, corresponding to physical interface 10GE1/0/1                      Interface connected to PE2.
           VLANIF 88     10.88.1.5/24, corresponding to physical interface 10GE1/0/2                     Used for communication with the recording server.
           VLANIF 301    10.31.1.2/24, corresponding to physical interfaces 10GE1/0/3 and 10GE1/0/4      Interface connected to Device1. 10GE1/0/3 and 10GE1/0/4 are bundled into Eth-Trunk 1.
           VLANIF 400    10.4.1.3/24, corresponding to physical interface 10GE1/0/2                      Used for communication with the server after transcoding.
           VLANIF 530    10.5.1.3/24, corresponding to physical interface 10GE1/0/2                      Used for communication with the server before transcoding.

The loopback addresses are /32 host routes, matching the 255.255.255.255 masks used in the procedure. AGG's uplink VLANIF is VLANIF 11, the VLAN that is created on AGG and allowed on 10GE1/0/4 toward PE1.

Applicable Products and Versions

Table 2-47 Applicable products and versions

Product/Sub-series    Version
S5735-L               Supported from V200R019C00
S12700                Supported from V200R019C00
S8700                 Supported from V600R021C10

Configuration Roadmap

Table 2-48 Configuration roadmap for configuring a VRRP gateway on a ring network

Step    Configuration Roadmap
1       Create VLANs on ACC, AGG, PE, Device, and CDN nodes and add interfaces to the VLANs.
2       Configure MSTP on Device1, Device2, and CDN to prevent Layer 2 loops.
3       Configure an IP address for each VLANIF interface on Core, PE, AGG, and Device nodes.
4       Configure VRRP on Device1 and Device2 to implement gateway backup.
5       Configure OSPF on Core, PE, and Device nodes to implement Layer 3 communication.
6       Configure Layer 3 multicast on Core, PE, AGG, and Device nodes.
7       Configure IGMP snooping to enable Layer 2 multicast on ACC and Device nodes.
8       Configure traffic policies on Device1 and Device2 to control the access of the multicast source.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create a VLAN on ACC1 and add interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 33
[ACC1] interface GE 1/0/1
[ACC1-GE1/0/1] description ACC1***to***AGG
[ACC1-GE1/0/1] port link-type trunk
[ACC1-GE1/0/1] port trunk allow-pass vlan 33
[ACC1-GE1/0/1] quit
[ACC1] interface GE 1/0/2
[ACC1-GE1/0/2] port link-type access
[ACC1-GE1/0/2] port default vlan 33
[ACC1-GE1/0/2] quit
[ACC1] interface GE 1/0/3
[ACC1-GE1/0/3] port link-type access
[ACC1-GE1/0/3] port default vlan 33
[ACC1-GE1/0/3] quit

# Create a VLAN on ACC2 and add interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname ACC2
[ACC2] vlan batch 34
[ACC2] interface GE 1/0/1
[ACC2-GE1/0/1] description ACC2***to***AGG
[ACC2-GE1/0/1] port link-type trunk
[ACC2-GE1/0/1] port trunk allow-pass vlan 34
[ACC2-GE1/0/1] quit
[ACC2] interface GE 1/0/2
[ACC2-GE1/0/2] port link-type access
[ACC2-GE1/0/2] port default vlan 34
[ACC2-GE1/0/2] quit
[ACC2] interface GE 1/0/3
[ACC2-GE1/0/3] port link-type access
[ACC2-GE1/0/3] port default vlan 34
[ACC2-GE1/0/3] quit

# Create VLANs on AGG and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 11 22 33 to 34
[AGG] interface 10GE 1/0/1
[AGG-10GE1/0/1] description AGG***to***ACC1
[AGG-10GE1/0/1] port link-type trunk
[AGG-10GE1/0/1] port trunk allow-pass vlan 33
[AGG-10GE1/0/1] quit
[AGG] interface 10GE 1/0/2
[AGG-10GE1/0/2] description AGG***to***ACC2
[AGG-10GE1/0/2] port link-type trunk
[AGG-10GE1/0/2] port trunk allow-pass vlan 34
[AGG-10GE1/0/2] quit
[AGG] interface 10GE 1/0/4
[AGG-10GE1/0/4] description AGG***to***PE1
[AGG-10GE1/0/4] port link-type trunk
[AGG-10GE1/0/4] port trunk allow-pass vlan 11
[AGG-10GE1/0/4] quit
[AGG] interface 10GE 1/0/5
[AGG-10GE1/0/5] description AGG***to***PE2
[AGG-10GE1/0/5] port link-type trunk
[AGG-10GE1/0/5] port trunk allow-pass vlan 22
[AGG-10GE1/0/5] quit

# Create VLANs on PE1 and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 to 11
[PE1] interface 10GE 1/0/1
[PE1-10GE1/0/1] description PE1***to***Device1
[PE1-10GE1/0/1] port link-type access
[PE1-10GE1/0/1] port default vlan 10
[PE1-10GE1/0/1] quit
[PE1] interface 10GE 1/0/4
[PE1-10GE1/0/4] description PE1***to***AGG
[PE1-10GE1/0/4] port link-type trunk
[PE1-10GE1/0/4] port trunk allow-pass vlan 11
[PE1-10GE1/0/4] quit

# Create VLANs on PE2 and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 10 22
[PE2] interface 10GE 1/0/1
[PE2-10GE1/0/1] description PE2***to***Device2
[PE2-10GE1/0/1] port link-type access
[PE2-10GE1/0/1] port default vlan 10
[PE2-10GE1/0/1] quit
[PE2] interface 10GE 1/0/4
[PE2-10GE1/0/4] description PE2***to***AGG
[PE2-10GE1/0/4] port link-type trunk
[PE2-10GE1/0/4] port trunk allow-pass vlan 22
[PE2-10GE1/0/4] quit

# Create VLANs on Device1 and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Device1
[Device1] vlan batch 10 88 301 400 530
[Device1] interface eth-trunk1
[Device1-Eth-Trunk1] description Device1***to***Device2
[Device1-Eth-Trunk1] port link-type trunk
[Device1-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[Device1-Eth-Trunk1] quit
[Device1] interface 10GE 1/0/3
[Device1-10GE1/0/3] eth-trunk 1
[Device1-10GE1/0/3] quit
[Device1] interface 10GE 1/0/4
[Device1-10GE1/0/4] eth-trunk 1
[Device1-10GE1/0/4] quit
[Device1] interface 10GE 1/0/1
[Device1-10GE1/0/1] description Device1***to***PE1
[Device1-10GE1/0/1] port link-type access
[Device1-10GE1/0/1] port default vlan 10
[Device1-10GE1/0/1] quit
[Device1] interface 10GE 1/0/2
[Device1-10GE1/0/2] description Device1***to***CDN
[Device1-10GE1/0/2] port link-type trunk
[Device1-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[Device1-10GE1/0/2] quit

# Create VLANs on Device2 and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Device2
[Device2] vlan batch 10 88 301 400 530
[Device2] interface eth-trunk1
[Device2-Eth-Trunk1] description Device2***to***Device1
[Device2-Eth-Trunk1] port link-type trunk
[Device2-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[Device2-Eth-Trunk1] quit
[Device2] interface 10GE 1/0/3
[Device2-10GE1/0/3] eth-trunk 1
[Device2-10GE1/0/3] quit
[Device2] interface 10GE 1/0/4
[Device2-10GE1/0/4] eth-trunk 1
[Device2-10GE1/0/4] quit
[Device2] interface 10GE 1/0/1
[Device2-10GE1/0/1] description Device2***to***PE2
[Device2-10GE1/0/1] port link-type access
[Device2-10GE1/0/1] port default vlan 10
[Device2-10GE1/0/1] quit
[Device2] interface 10GE 1/0/2
[Device2-10GE1/0/2] description Device2***to***CDN
[Device2-10GE1/0/2] port link-type trunk
[Device2-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[Device2-10GE1/0/2] quit

# Create VLANs on CDN and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CDN
[CDN] vlan batch 88 301 400 530
[CDN] interface 10GE 1/0/1
[CDN-10GE1/0/1] description CDN***to***Device2
[CDN-10GE1/0/1] port link-type trunk
[CDN-10GE1/0/1] port trunk allow-pass vlan 88 301 400 530
[CDN-10GE1/0/1] quit
[CDN] interface 10GE 1/0/2
[CDN-10GE1/0/2] description CDN***to***Device1
[CDN-10GE1/0/2] port link-type trunk
[CDN-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[CDN-10GE1/0/2] quit
[CDN] interface 10GE 1/0/3
[CDN-10GE1/0/3] description CDN***to***HMS-Server
[CDN-10GE1/0/3] port link-type access
[CDN-10GE1/0/3] port default vlan 88
[CDN-10GE1/0/3] quit
[CDN] interface 10GE 1/0/4
[CDN-10GE1/0/4] description CDN***to***MRF-IN
[CDN-10GE1/0/4] port link-type access
[CDN-10GE1/0/4] port default vlan 400
[CDN-10GE1/0/4] quit
[CDN] interface 10GE 1/0/5
[CDN-10GE1/0/5] description CDN***to***MRF-OUT
[CDN-10GE1/0/5] port link-type access
[CDN-10GE1/0/5] port default vlan 530
[CDN-10GE1/0/5] quit
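Step 1 configures the allowed-VLAN list independently on both ends of every Layer 2 link, and the interface descriptions encode the peer as Local***to***Peer. The following Python check, added here as an example and not part of the Huawei document, parses a CLI transcript in the prompt format shown above, pairs each Layer 2 port with the port on the named peer that points back, and reports any link whose two ends disagree on link type or allowed VLANs. An asymmetric trunk either black-holes a VLAN on one path (here, the pre-transcoding VLAN 530 on the CDN-to-Device2 backup link, which would only surface when VRRP fails over) or carries a VLAN one side never meant to expose. It assumes device names contain no hyphen, so that the prompt [Device-Interface] splits unambiguously, ignores ports with undo portswitch, and runs on a transcript constructed from this section with one mismatch injected on CDN 10GE1/0/1.

```python
import re

# One transcript line in the prompt format used above: [Device] or [Device-Interface], then the command.
# Assumes device names contain no hyphen, so the first hyphen separates device from interface.
PROMPT = re.compile(r"^\[([A-Za-z0-9]+)(?:-([^\]]+))?\]\s*(.*)$")


def expand_vlans(spec):
    """Turn '88 301 400 530' or '33 to 34' into a set of VLAN IDs."""
    toks, out, i = spec.split(), set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            out.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            out.add(int(toks[i]))
            i += 1
    return out


def parse_transcript(text):
    """Return {(device, interface): port} with link type, allowed VLANs, peer name and L3 flag."""
    ports = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group(2):
            continue  # device view, or not a prompt line at all
        dev, intf, cmd = m.groups()
        p = ports.setdefault((dev, intf), {"type": None, "vlans": set(), "peer": None, "l3": False})
        if cmd.startswith("description ") and "***to***" in cmd:
            p["peer"] = cmd.split("***to***", 1)[1].strip()
        elif cmd.startswith("port link-type "):
            p["type"] = cmd.split()[-1]
        elif cmd.startswith("port trunk allow-pass vlan "):
            p["vlans"] |= expand_vlans(cmd[len("port trunk allow-pass vlan "):])
        elif cmd.startswith("port default vlan "):
            p["vlans"] = {int(cmd.split()[-1])}
        elif cmd == "undo portswitch":
            p["l3"] = True
    return ports


def check_links(ports):
    """Compare both ends of every L2 link between two configured devices; return findings."""
    devices = {dev for dev, _ in ports}
    by_peer = {}
    for (dev, intf), p in ports.items():
        # Only L2 ports whose peer is itself a device in the transcript can be checked end to end.
        if p["peer"] in devices and p["type"] and not p["l3"]:
            by_peer.setdefault((dev, p["peer"]), []).append((intf, p))
    findings, seen = [], set()
    for (dev, peer), sides in sorted(by_peer.items()):
        if (peer, dev) in seen:
            continue  # already compared from the other end
        seen.add((dev, peer))
        back = by_peer.get((peer, dev))
        if not back:
            findings.append(f"UNMATCHED {dev}->{peer}: no L2 port on {peer} is described as to {dev}")
            continue
        for intf, p in sides:
            for bintf, q in back:
                if p["type"] != q["type"]:
                    findings.append(f"TYPE-MISMATCH {dev} {intf} ({p['type']}) vs {peer} {bintf} ({q['type']})")
                if p["vlans"] != q["vlans"]:
                    findings.append(
                        f"VLAN-MISMATCH {dev} {intf} vs {peer} {bintf}: only on {dev} "
                        f"{sorted(p['vlans'] - q['vlans'])}, only on {peer} {sorted(q['vlans'] - p['vlans'])}"
                    )
    return findings


# Constructed transcript: a subset of Step 1 above, with VLAN 530 dropped from CDN 10GE1/0/1.
SAMPLE_TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface 10GE 1/0/1
[PE1-10GE1/0/1] description PE1***to***Device1
[PE1-10GE1/0/1] port link-type access
[PE1-10GE1/0/1] port default vlan 10
[PE1-10GE1/0/2] undo portswitch
[PE1-10GE1/0/2] description PE1***to***Core
[Device1-Eth-Trunk1] description Device1***to***Device2
[Device1-Eth-Trunk1] port link-type trunk
[Device1-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[Device1-10GE1/0/1] description Device1***to***PE1
[Device1-10GE1/0/1] port link-type access
[Device1-10GE1/0/1] port default vlan 10
[Device1-10GE1/0/2] description Device1***to***CDN
[Device1-10GE1/0/2] port link-type trunk
[Device1-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[Device2-Eth-Trunk1] description Device2***to***Device1
[Device2-Eth-Trunk1] port link-type trunk
[Device2-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[Device2-10GE1/0/2] description Device2***to***CDN
[Device2-10GE1/0/2] port link-type trunk
[Device2-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[CDN-10GE1/0/1] description CDN***to***Device2
[CDN-10GE1/0/1] port link-type trunk
[CDN-10GE1/0/1] port trunk allow-pass vlan 88 301 400
[CDN-10GE1/0/2] description CDN***to***Device1
[CDN-10GE1/0/2] port link-type trunk
[CDN-10GE1/0/2] port trunk allow-pass vlan 88 301 400 530
[CDN-10GE1/0/3] description CDN***to***HMS-Server
[CDN-10GE1/0/3] port link-type access
[CDN-10GE1/0/3] port default vlan 88
"""


def check_sample():
    """Run the link check on the constructed transcript; returns the list of findings."""
    return check_links(parse_transcript(SAMPLE_TRANSCRIPT))
```

check_sample() returns a single VLAN-MISMATCH finding for the CDN to Device2 link; the server-facing port on CDN is left alone because its peer is not a device in the transcript. The same parser can be pointed at the full Step 1 transcript, or at one pasted from a live session, before the ring is brought up.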

Step 2 Configure STP. Device1, Device2, and CDN form a Layer 2 loop. MSTP is used to
break the loop.
# Configure an MSTP region and enable STP on Device1.
[Device1] stp region-configuration
[Device1-mst-region] region-name IPTV
[Device1-mst-region] instance 1 vlan 530
[Device1-mst-region] instance 2 vlan 88 301 400
[Device1-mst-region] quit
[Device1] stp instance 1 root primary
[Device1] stp instance 2 root secondary
[Device1] stp enable //By default, STP is enabled globally and on interfaces of the device. You only need to
disable STP on the interface that does not need to participate in STP calculation.
[Device1] interface 10GE 1/0/1
[Device1-10GE1/0/1] stp disable
[Device1-10GE1/0/1] quit

# Configure an MSTP region and enable STP on Device2.
[Device2] stp region-configuration
[Device2-mst-region] region-name IPTV
[Device2-mst-region] instance 1 vlan 530
[Device2-mst-region] instance 2 vlan 88 301 400
[Device2-mst-region] quit
[Device2] stp instance 1 root secondary
[Device2] stp instance 2 root primary
[Device2] stp enable //By default, STP is enabled globally and on interfaces of the device. You only need to
disable STP on the interface that does not need to participate in STP calculation.
[Device2] interface 10GE 1/0/1
[Device2-10GE1/0/1] stp disable
[Device2-10GE1/0/1] quit

# Configure an MSTP region and enable STP on CDN.
[CDN] stp region-configuration
[CDN-mst-region] region-name IPTV
[CDN-mst-region] instance 1 vlan 530
[CDN-mst-region] instance 2 vlan 88 301 400
[CDN-mst-region] quit
[CDN] stp enable //By default, STP is enabled globally and on interfaces of the device. You only need to
disable STP on the interfaces that do not need to participate in STP calculation.
[CDN] interface 10GE 1/0/3
[CDN-10GE1/0/3] stp disable
[CDN-10GE1/0/3] quit
[CDN] interface 10GE 1/0/4
[CDN-10GE1/0/4] stp disable
[CDN-10GE1/0/4] quit
[CDN] interface 10GE 1/0/5
[CDN-10GE1/0/5] stp disable
[CDN-10GE1/0/5] quit

Step 3 Configure IP addresses for interfaces.
# Configure IP addresses for interfaces on Core.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] interface XGE 1/0/1
[Core-XGE1/0/1] undo portswitch
[Core-XGE1/0/1] description Core***to***Server
[Core-XGE1/0/1] ip address 10.6.1.3 255.255.255.0
[Core-XGE1/0/1] quit
[Core] interface XGE 1/0/2
[Core-XGE1/0/2] undo portswitch
[Core-XGE1/0/2] description Core***to***PE2
[Core-XGE1/0/2] ip address 10.7.1.3 255.255.255.0
[Core-XGE1/0/2] quit
[Core] interface XGE 1/0/3
[Core-XGE1/0/3] undo portswitch
[Core-XGE1/0/3] description Core***to***PE1
[Core-XGE1/0/3] ip address 10.8.1.2 255.255.255.0
[Core-XGE1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ip address 10.0.0.3 255.255.255.255
[Core-LoopBack0] quit

# Configure IP addresses for interfaces on PE1.
[PE1] interface vlanif 10
[PE1-Vlanif10] description to***Device1
[PE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] description to***Internet
[PE1-Vlanif11] ip address 10.11.1.1 255.255.255.0
[PE1-Vlanif11] quit
[PE1] interface 10GE 1/0/2
[PE1-10GE1/0/2] undo portswitch
[PE1-10GE1/0/2] description PE1***to***Core
[PE1-10GE1/0/2] ip address 10.12.1.1 255.255.255.0
[PE1-10GE1/0/2] quit
[PE1] interface 10GE 1/0/3
[PE1-10GE1/0/3] undo portswitch
[PE1-10GE1/0/3] description PE1***to***PE2
[PE1-10GE1/0/3] ip address 10.60.1.1 255.255.255.0
[PE1-10GE1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ip address 10.0.0.1 255.255.255.255
[PE1-LoopBack0] quit

# Configure IP addresses for interfaces on PE2.
[PE2] interface vlanif 10
[PE2-Vlanif10] description to***Device2
[PE2-Vlanif10] ip address 10.1.2.1 255.255.255.0
[PE2-Vlanif10] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] description to***Internet
[PE2-Vlanif22] ip address 10.22.1.2 255.255.255.0
[PE2-Vlanif22] quit
[PE2] interface 10GE 1/0/2
[PE2-10GE1/0/2] undo portswitch
[PE2-10GE1/0/2] description PE2***to***Core
[PE2-10GE1/0/2] ip address 10.20.1.2 255.255.255.0
[PE2-10GE1/0/2] quit
[PE2] interface 10GE 1/0/3
[PE2-10GE1/0/3] undo portswitch
[PE2-10GE1/0/3] description PE2***to***PE1
[PE2-10GE1/0/3] ip address 10.60.1.2 255.255.255.0
[PE2-10GE1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ip address 10.0.0.2 255.255.255.255
[PE2-LoopBack0] quit

# Configure IP addresses for interfaces on AGG.


[AGG] interface vlanif 11
[AGG-Vlanif11] description to***Internet
[AGG-Vlanif11] ip address 10.11.1.8 255.255.255.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22 //Added here: the page omits Vlanif22 toward PE2; its address 10.22.1.8 is taken from the display pim neighbor output
[AGG-Vlanif22] description to***Internet
[AGG-Vlanif22] ip address 10.22.1.8 255.255.255.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] description to***ACC1
[AGG-Vlanif33] ip address 10.33.1.8 255.255.255.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] description to***ACC2
[AGG-Vlanif34] ip address 10.34.1.8 255.255.255.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ip address 10.0.0.4 255.255.255.255
[AGG-LoopBack0] quit

# Configure IP addresses for interfaces on Device1.


[Device1] interface vlanif 10
[Device1-Vlanif10] description to***PE1
[Device1-Vlanif10] ip address 10.1.1.2 255.255.255.0
[Device1-Vlanif10] quit
[Device1] interface vlanif 88
[Device1-Vlanif88] description to***HMS
[Device1-Vlanif88] ip address 10.88.1.7 255.255.255.0
[Device1-Vlanif88] quit
[Device1] interface vlanif 301
[Device1-Vlanif301] description to***Device2
[Device1-Vlanif301] ip address 10.31.1.1 255.255.255.0
[Device1-Vlanif301] quit
[Device1] interface vlanif 400
[Device1-Vlanif400] description to***MRF IN
[Device1-Vlanif400] ip address 10.4.1.2 255.255.255.0
[Device1-Vlanif400] quit
[Device1] interface vlanif 530
[Device1-Vlanif530] description to***MRF OUT
[Device1-Vlanif530] ip address 10.5.1.2 255.255.255.0
[Device1-Vlanif530] quit

# Configure IP addresses for interfaces on Device2.


[Device2] interface vlanif 10
[Device2-Vlanif10] description to***PE2
[Device2-Vlanif10] ip address 10.1.2.2 255.255.255.0
[Device2-Vlanif10] quit
[Device2] interface vlanif 88
[Device2-Vlanif88] description to***HMS
[Device2-Vlanif88] ip address 10.88.1.5 255.255.255.0
[Device2-Vlanif88] quit
[Device2] interface vlanif 301
[Device2-Vlanif301] description to***Device1
[Device2-Vlanif301] ip address 10.31.1.2 255.255.255.0
[Device2-Vlanif301] quit
[Device2] interface vlanif 400
[Device2-Vlanif400] description to***MRF IN
[Device2-Vlanif400] ip address 10.4.1.3 255.255.255.0
[Device2-Vlanif400] quit
[Device2] interface vlanif 530
[Device2-Vlanif530] description to***MRF OUT
[Device2-Vlanif530] ip address 10.5.1.3 255.255.255.0
[Device2-Vlanif530] quit

Step 4 Configure VRRP.

# Configure VRRP on Device1.


[Device1] interface vlanif 88
[Device1-Vlanif88] vrrp vrid 2 virtual-ip 10.88.1.100
[Device1-Vlanif88] vrrp vrid 2 priority 120
[Device1-Vlanif88] vrrp vrid 2 preempt-mode timer delay 20
[Device1-Vlanif88] vrrp vrid 2 track interface 10GE1/0/1 reduced 100
[Device1-Vlanif88] quit
[Device1] interface vlanif 400
[Device1-Vlanif400] vrrp vrid 40 virtual-ip 10.4.1.10
[Device1-Vlanif400] vrrp vrid 40 priority 120
[Device1-Vlanif400] quit
[Device1] interface vlanif 530
[Device1-Vlanif530] vrrp vrid 53 virtual-ip 10.5.1.10
[Device1-Vlanif530] vrrp vrid 53 priority 120
[Device1-Vlanif530] quit

# Configure VRRP on Device2.

[Device2] interface vlanif 88
[Device2-Vlanif88] vrrp vrid 2 virtual-ip 10.88.1.100
[Device2-Vlanif88] quit
[Device2] interface vlanif 400
[Device2-Vlanif400] vrrp vrid 40 virtual-ip 10.4.1.10
[Device2-Vlanif400] quit
[Device2] interface vlanif 530
[Device2-Vlanif530] vrrp vrid 53 virtual-ip 10.5.1.10
[Device2-Vlanif530] quit
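The election behaviour that the Step 4 settings rely on (Device1 at priority 120 drops to 20 when 10GE1/0/1 goes down, Device2 takes over, Device1 preempts 20 seconds after the uplink recovers) can be replayed with the following Python model. It is an added example, not Huawei code or configuration; it assumes Device2 keeps the Huawei defaults the page does not override (priority 100, preemption enabled without delay), and the link events and timestamps are constructed.

```python
"""VRRP election for the Vlanif88 group (VRID 2) configured in Step 4.

Added example, not Huawei code: it models the standard VRRP election
(highest priority wins, the higher interface address breaks a tie), the
'track interface ... reduced' adjustment, and the preempt delay timer on
Device1. Device2 is assumed to keep the Huawei defaults the page does not
override (priority 100, preemption enabled with no delay). Link events and
timestamps are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    address: str                 # interface address, used as the tie-breaker
    priority: int = 100          # configured priority; Huawei default is 100
    preempt_delay: int = 0       # 'vrrp vrid N preempt-mode timer delay', seconds
    tracked: dict = field(default_factory=dict)   # interface -> 'reduced' value
    link_up: dict = field(default_factory=dict)   # interface -> current state

    def effective_priority(self) -> int:
        """Configured priority minus the reduction of every tracked interface that is down."""
        prio = self.priority
        for ifname, reduced in self.tracked.items():
            if not self.link_up.get(ifname, True):
                prio -= reduced
        return max(prio, 1)      # 0 is reserved for a master giving up the role


def elect_master(routers):
    """Return the name of the router that wins the election right now."""
    def rank(r):
        return (r.effective_priority(), int(ipaddress.IPv4Address(r.address)))
    return max(routers, key=rank).name


def master_timeline(routers, events):
    """Replay link events and return the [(time, master)] transitions.

    events: iterable of (time, router_name, interface, is_up).
    A router that becomes the election winner takes over at the event
    time plus its own preempt delay; the current master keeps the role
    until then.
    """
    by_name = {r.name: r for r in routers}
    master = elect_master(routers)
    timeline = [(0, master)]
    for t, name, ifname, is_up in sorted(events):
        by_name[name].link_up[ifname] = is_up
        winner = elect_master(routers)
        if winner != master:
            master = winner
            timeline.append((t + by_name[winner].preempt_delay, master))
    return timeline


def vlanif88_group():
    """The two routers of VRID 2 as configured on the page."""
    device1 = VrrpRouter("Device1", "10.88.1.7", priority=120, preempt_delay=20,
                         tracked={"10GE1/0/1": 100})
    device2 = VrrpRouter("Device2", "10.88.1.5")   # defaults assumed, see above
    return [device1, device2]


if __name__ == "__main__":
    # Constructed scenario: Device1's uplink to PE1 fails at t=100 and recovers at t=300.
    print(master_timeline(vlanif88_group(), [(100, "Device1", "10GE1/0/1", False),
                                             (300, "Device1", "10GE1/0/1", True)]))
```

Without the explicit priority 120 both routers would sit at 100 and the higher interface address would decide, so the configured priority is what makes Device1 the intended master rather than an accident of addressing; the preempt delay keeps Device1 from flapping back the moment its uplink returns.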

Step 5 Configure OSPF.


# Configure OSPF on Core.
[Core] ospf 1
[Core-ospf-1] area 0
[Core-ospf-1-area-0.0.0.0] quit
[Core-ospf-1] quit
[Core] interface XGE 1/0/1
[Core-XGE1/0/1] ospf enable 1 area 0.0.0.0
[Core-XGE1/0/1] quit
[Core] interface XGE 1/0/2
[Core-XGE1/0/2] ospf enable 1 area 0.0.0.0
[Core-XGE1/0/2] quit
[Core] interface XGE 1/0/3
[Core-XGE1/0/3] ospf enable 1 area 0.0.0.0
[Core-XGE1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ospf enable 1 area 0.0.0.0
[Core-LoopBack0] quit

# Configure OSPF on PE1. Ensure that there are reachable routes between PE1
and AGG through the Internet.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] area 1
[PE1-ospf-1-area-0.0.0.1] nssa
[PE1-ospf-1-area-0.0.0.1] quit
[PE1-ospf-1] quit
[PE1] interface vlanif10
[PE1-Vlanif10] ospf enable 1 area 0.0.0.1
[PE1-Vlanif10] quit
[PE1] interface 10GE 1/0/2
[PE1-10GE1/0/2] ospf enable 1 area 0.0.0.0
[PE1-10GE1/0/2] quit
[PE1] interface 10GE 1/0/3
[PE1-10GE1/0/3] ospf enable 1 area 0.0.0.0
[PE1-10GE1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ospf enable 1 area 0.0.0.0
[PE1-LoopBack0] quit

# Configure OSPF on PE2. Ensure that there are reachable routes between PE2
and AGG through the Internet.
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] area 1
[PE2-ospf-1-area-0.0.0.1] nssa
[PE2-ospf-1-area-0.0.0.1] quit
[PE2-ospf-1] quit
[PE2] interface vlanif10
[PE2-Vlanif10] ospf enable 1 area 0.0.0.1
[PE2-Vlanif10] quit
[PE2] interface 10GE 1/0/2
[PE2-10GE1/0/2] ospf enable 1 area 0.0.0.0
[PE2-10GE1/0/2] quit
[PE2] interface 10GE 1/0/3
[PE2-10GE1/0/3] ospf enable 1 area 0.0.0.0
[PE2-10GE1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ospf enable 1 area 0.0.0.0
[PE2-LoopBack0] quit

# Configure OSPF on Device1.


[Device1] interface vlanif10
[Device1-Vlanif10] ospf enable 1 area 0.0.0.1
[Device1-Vlanif10] quit
[Device1] interface vlanif301
[Device1-Vlanif301] ospf network-type p2p
[Device1-Vlanif301] ospf timer hello 1
[Device1-Vlanif301] quit
[Device1] ospf 1 router-id 192.168.1.1
[Device1-ospf-1] default-route-advertise
[Device1-ospf-1] silent-interface Vlanif88
[Device1-ospf-1] silent-interface Vlanif530
[Device1-ospf-1] silent-interface Vlanif400
[Device1-ospf-1] area 1
[Device1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255
[Device1-ospf-1-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[Device1-ospf-1-area-0.0.0.1] network 10.31.1.0 0.0.0.255
[Device1-ospf-1-area-0.0.0.1] network 10.88.1.0 0.0.0.255
[Device1-ospf-1-area-0.0.0.1] nssa
[Device1-ospf-1-area-0.0.0.1] quit
[Device1-ospf-1] quit

# Configure OSPF on Device2.


[Device2] interface vlanif10
[Device2-Vlanif10] ospf enable 1 area 0.0.0.1
[Device2-Vlanif10] quit
[Device2] interface vlanif301
[Device2-Vlanif301] ospf network-type p2p
[Device2-Vlanif301] ospf timer hello 1
[Device2-Vlanif301] quit
[Device2] ospf 1 router-id 192.168.1.2
[Device2-ospf-1] default-route-advertise
[Device2-ospf-1] silent-interface Vlanif88
[Device2-ospf-1] silent-interface Vlanif530
[Device2-ospf-1] silent-interface Vlanif400
[Device2-ospf-1] area 1
[Device2-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255
[Device2-ospf-1-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[Device2-ospf-1-area-0.0.0.1] network 10.31.1.0 0.0.0.255
[Device2-ospf-1-area-0.0.0.1] network 10.88.1.0 0.0.0.255
[Device2-ospf-1-area-0.0.0.1] nssa
[Device2-ospf-1-area-0.0.0.1] quit
[Device2-ospf-1] quit

Step 6 Configure Layer 3 multicast.

# Configure Layer 3 multicast on Core.


[Core] multicast routing-enable
[Core] pim
[Core-pim] static-rp 10.0.0.2
[Core-pim] quit
[Core] interface XGE 1/0/1
[Core-XGE1/0/1] pim sm
[Core-XGE1/0/1] quit
[Core] interface XGE 1/0/2
[Core-XGE1/0/2] pim sm
[Core-XGE1/0/2] quit
[Core] interface XGE 1/0/3
[Core-XGE1/0/3] pim sm
[Core-XGE1/0/3] quit

# Configure Layer 3 multicast on PE1.


[PE1] multicast routing-enable
[PE1] pim
[PE1-pim] c-bsr LoopBack0
[PE1-pim] c-rp LoopBack0
[PE1-pim] static-rp 10.0.0.2
[PE1-pim] quit
[PE1] interface vlanif10
[PE1-Vlanif10] pim sm
[PE1-Vlanif10] quit
[PE1] interface vlanif11
[PE1-Vlanif11] pim sm
[PE1-Vlanif11] quit
[PE1] interface 10GE 1/0/2
[PE1-10GE1/0/2] pim sm
[PE1-10GE1/0/2] quit
[PE1] interface 10GE 1/0/3
[PE1-10GE1/0/3] pim sm
[PE1-10GE1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] pim sm
[PE1-LoopBack0] quit

# Configure Layer 3 multicast on PE2.


[PE2] multicast routing-enable
[PE2] pim
[PE2-pim] static-rp 10.0.0.2
[PE2-pim] quit
[PE2] interface vlanif10
[PE2-Vlanif10] pim sm
[PE2-Vlanif10] quit
[PE2] interface vlanif22
[PE2-Vlanif22] pim sm
[PE2-Vlanif22] quit
[PE2] interface 10GE 1/0/2
[PE2-10GE1/0/2] pim sm
[PE2-10GE1/0/2] quit
[PE2] interface 10GE 1/0/3
[PE2-10GE1/0/3] pim sm
[PE2-10GE1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] pim sm
[PE2-LoopBack0] quit

# Configure Layer 3 multicast on AGG.


[AGG] multicast routing-enable
[AGG] pim
[AGG-pim] static-rp 10.0.0.2
[AGG-pim] quit
[AGG] interface vlanif11
[AGG-Vlanif11] pim sm
[AGG-Vlanif11] quit
[AGG] interface vlanif22 //Added here: the page omits Vlanif22 toward PE2, which the display pim neighbor output shows running PIM
[AGG-Vlanif22] pim sm
[AGG-Vlanif22] quit
[AGG] interface vlanif33
[AGG-Vlanif33] pim sm
[AGG-Vlanif33] igmp enable //Enable IGMP on the interface because it is connected to users.
[AGG-Vlanif33] quit
[AGG] interface vlanif34
[AGG-Vlanif34] pim sm
[AGG-Vlanif34] igmp enable
[AGG-Vlanif34] quit

# Configure Layer 3 multicast on Device1.


[Device1] multicast routing-enable
[Device1] pim
[Device1-pim] static-rp 10.0.0.1
[Device1-pim] quit
[Device1] interface vlanif10
[Device1-Vlanif10] pim sm
[Device1-Vlanif10] quit
[Device1] interface vlanif301
[Device1-Vlanif301] pim sm
[Device1-Vlanif301] quit
[Device1] interface vlanif400
[Device1-Vlanif400] pim hello-option dr-priority 100 //Adjust the priority to ensure that multicast traffic is preferentially forwarded by Device1.
[Device1-Vlanif400] pim sm
[Device1-Vlanif400] igmp enable
[Device1-Vlanif400] quit
[Device1] interface vlanif530
[Device1-Vlanif530] pim sm
[Device1-Vlanif530] pim hello-option dr-priority 100
[Device1-Vlanif530] igmp enable //Enable IGMP on the interface because it is connected to the decoding server.
[Device1-Vlanif530] quit

# Configure Layer 3 multicast on Device2.


[Device2] multicast routing-enable
[Device2] pim
[Device2-pim] static-rp 10.0.0.1
[Device2-pim] quit
[Device2] interface vlanif10
[Device2-Vlanif10] pim sm
[Device2-Vlanif10] quit
[Device2] interface vlanif301
[Device2-Vlanif301] pim sm
[Device2-Vlanif301] quit
[Device2] interface vlanif400
[Device2-Vlanif400] pim sm
[Device2-Vlanif400] igmp enable
[Device2-Vlanif400] quit
[Device2] interface vlanif530
[Device2-Vlanif530] pim sm
[Device2-Vlanif530] igmp enable
[Device2-Vlanif530] quit

Step 7 Configure IGMP snooping to enable Layer 2 multicast.


# Enable IGMP snooping on ACC1.
[ACC1] igmp-snooping enable
[ACC1] vlan 33
[ACC1-vlan33] igmp-snooping enable
[ACC1-vlan33] multicast drop-unknown
[ACC1-vlan33] quit

# Enable IGMP snooping on ACC2.


[ACC2] igmp-snooping enable
[ACC2] vlan 34
[ACC2-vlan34] igmp-snooping enable
[ACC2-vlan34] multicast drop-unknown
[ACC2-vlan34] quit

# Enable IGMP snooping on Device1.


[Device1] igmp-snooping enable
[Device1] vlan 301
[Device1-vlan301] igmp-snooping enable
[Device1-vlan301] quit
[Device1] vlan 530
[Device1-vlan530] igmp-snooping enable
[Device1-vlan530] quit

# Enable IGMP snooping on Device2.


[Device2] igmp-snooping enable
[Device2] vlan 301
[Device2-vlan301] igmp-snooping enable
[Device2-vlan301] quit
[Device2] vlan 530
[Device2-vlan530] igmp-snooping enable
[Device2-vlan530] quit

Step 8 Configure traffic policies to restrict the access of the multicast source.
# Configure traffic policies on Device1.

[Device1] acl number 3000
[Device1-acl-adv-3000] description ***ACL FOR IPTV_Service_IN***
[Device1-acl-adv-3000] rule 1 permit ip source 10.66.1.1 0.0.0.255 destination 10.4.1.1 0.0.0.127
[Device1-acl-adv-3000] quit
[Device1] acl number 3998
[Device1-acl-adv-3998] description ***ACL FOR Multicast Remark***
[Device1-acl-adv-3998] rule 5 permit ip source 10.5.1.80 0.0.0.15
[Device1-acl-adv-3998] quit
[Device1] traffic classifier IPTV_Service_IN
[Device1-classifier-IPTV_Service_IN] if-match acl 3000
[Device1-classifier-IPTV_Service_IN] quit
[Device1] traffic classifier IPTV_Multicast_Remark
[Device1-classifier-IPTV_Multicast_Remark] if-match acl 3998
[Device1-classifier-IPTV_Multicast_Remark] quit
[Device1] traffic behavior IPTV_Service_IN
[Device1-behavior-IPTV_Service_IN] permit
[Device1-behavior-IPTV_Service_IN] quit
[Device1] traffic behavior IPTV_Multicast_Remark
[Device1-behavior-IPTV_Multicast_Remark] permit
[Device1-behavior-IPTV_Multicast_Remark] remark dscp af41
[Device1-behavior-IPTV_Multicast_Remark] quit
[Device1] traffic policy IPTV_Service_IN
[Device1-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[Device1-trafficpolicy-IPTV_Service_IN] quit
[Device1] traffic policy IPTV_Multicast_Remark
[Device1-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[Device1-trafficpolicy-IPTV_Multicast_Remark] quit
[Device1] interface 10GE 1/0/1
[Device1-10GE1/0/1] traffic-policy IPTV_Service_IN inbound
[Device1-10GE1/0/1] quit
[Device1] interface 10GE 1/0/2
[Device1-10GE1/0/2] traffic-policy IPTV_Multicast_Remark inbound
[Device1-10GE1/0/2] quit

# Configure traffic policies on Device2.


[Device2] acl number 3000
[Device2-acl-adv-3000] description ***ACL FOR IPTV_Service_IN***
[Device2-acl-adv-3000] rule 1 permit ip source 10.66.1.1 0.0.0.255 destination 10.4.1.1 0.0.0.127
[Device2-acl-adv-3000] quit
[Device2] acl number 3998
[Device2-acl-adv-3998] description ***ACL FOR Multicast Remark***
[Device2-acl-adv-3998] rule 5 permit ip source 10.5.1.80 0.0.0.15
[Device2-acl-adv-3998] quit
[Device2] traffic classifier IPTV_Service_IN
[Device2-classifier-IPTV_Service_IN] if-match acl 3000
[Device2-classifier-IPTV_Service_IN] quit
[Device2] traffic classifier IPTV_Multicast_Remark
[Device2-classifier-IPTV_Multicast_Remark] if-match acl 3998
[Device2-classifier-IPTV_Multicast_Remark] quit
[Device2] traffic behavior IPTV_Service_IN
[Device2-behavior-IPTV_Service_IN] permit
[Device2-behavior-IPTV_Service_IN] quit
[Device2] traffic behavior IPTV_Multicast_Remark
[Device2-behavior-IPTV_Multicast_Remark] permit
[Device2-behavior-IPTV_Multicast_Remark] remark dscp af41
[Device2-behavior-IPTV_Multicast_Remark] quit
[Device2] traffic policy IPTV_Service_IN
[Device2-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[Device2-trafficpolicy-IPTV_Service_IN] quit
[Device2] traffic policy IPTV_Multicast_Remark
[Device2-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[Device2-trafficpolicy-IPTV_Multicast_Remark] quit
[Device2] interface 10GE 1/0/1
[Device2-10GE1/0/1] traffic-policy IPTV_Service_IN inbound
[Device2-10GE1/0/1] quit
[Device2] interface 10GE 1/0/2
[Device2-10GE1/0/2] traffic-policy IPTV_Multicast_Remark inbound
[Device2-10GE1/0/2] quit
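The wildcard-mask matching behind the two ACLs above, and the classifier-to-behavior mapping of the two traffic policies, can be checked offline with the following Python model. It is an added example, not Huawei code; the packet addresses are constructed, and the function names (wildcard_match, apply_policy) are this example's own.

```python
"""Advanced ACL matching and traffic-policy actions from Step 8.

Added example, not Huawei code. Huawei ACL rules give each address with a
wildcard mask: a 0 bit in the mask must match exactly, a 1 bit is ignored.
The functions below evaluate IPv4 packets against the two ACLs of the page
(3000 and 3998), then apply the classifier -> behavior mapping of the two
traffic policies. Packet addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

AddrSpec = Tuple[str, str]   # (address, wildcard mask), e.g. ("10.5.1.80", "0.0.0.15")


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """True when addr equals the rule address on every bit that is 0 in the wildcard."""
    base, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def wildcard_size(wildcard: str) -> int:
    """Number of addresses a wildcard mask lets through (2 ** number of 1 bits)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass
class Rule:
    rule_id: int
    action: str                           # "permit" or "deny"
    source: Optional[AddrSpec] = None     # None means any
    destination: Optional[AddrSpec] = None

    def matches(self, src: str, dst: str) -> bool:
        if self.source is not None and not wildcard_match(src, self.source):
            return False
        if self.destination is not None and not wildcard_match(dst, self.destination):
            return False
        return True


@dataclass
class Acl:
    number: int
    rules: list

    def lookup(self, src: str, dst: str) -> Optional[str]:
        """Action of the first matching rule in rule-id order, or None if nothing matches."""
        for rule in sorted(self.rules, key=lambda r: r.rule_id):
            if rule.matches(src, dst):
                return rule.action
        return None


# The two ACLs as written on the page.
ACL_3000 = Acl(3000, [Rule(1, "permit", ("10.66.1.1", "0.0.0.255"), ("10.4.1.1", "0.0.0.127"))])
ACL_3998 = Acl(3998, [Rule(5, "permit", ("10.5.1.80", "0.0.0.15"))])

# traffic policy name -> (ACL bound by its classifier, behavior)
TRAFFIC_POLICIES = {
    "IPTV_Service_IN": (ACL_3000, {"remark_dscp": None}),
    "IPTV_Multicast_Remark": (ACL_3998, {"remark_dscp": "af41"}),
}


def apply_policy(policy: str, src: str, dst: str, dscp: str = "default") -> dict:
    """Evaluate one inbound packet against a traffic policy.

    Returns the classifier result and the DSCP the packet leaves with.
    A packet matched by no classifier is untouched by the policy; whether
    the device forwards it is then decided by its default handling, not here.
    """
    acl, behavior = TRAFFIC_POLICIES[policy]
    action = acl.lookup(src, dst)
    if action is None:
        return {"matched": False, "action": None, "dscp": dscp}
    new_dscp = behavior["remark_dscp"] if action == "permit" and behavior["remark_dscp"] else dscp
    return {"matched": True, "action": action, "dscp": new_dscp}
```

Two things worth reading off the model: rule 1 of ACL 3000 admits 256 sources (wildcard 0.0.0.255) to the lower 128 addresses of 10.4.1.0/24 (wildcard 0.0.0.127), and a packet that matches neither rule is reported as unmatched rather than denied. The policies on the page carry only permit behaviors, so a packet outside ACL 3000 is simply not acted on by IPTV_Service_IN; when the intent is to admit only the listed source, verify separately that the remaining traffic is denied rather than left to default forwarding.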

----End

Verifying the Configuration


1. Run the display pim neighbor command to verify that Core, PE1, PE2, and
AGG can generate PIM neighbor information.
[Core] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
10.12.1.1 XGE1/0/3 01:09:01 00:01:43 1 N
10.20.1.2 XGE1/0/2 01:06:30 00:01:39 1 N
[PE1] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
10.8.1.2 10GE1/0/2 01:10:48 00:01:27 1 N
10.60.1.2 10GE1/0/3 01:08:06 00:01:40 1 N
10.1.1.2 Vlanif10 00:39:38 00:01:21 1 N
10.11.1.8 Vlanif11 01:05:16 00:01:30 1 N
[PE2] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
10.7.1.3 10GE1/0/2 01:11:32 00:01:42 1 N
10.60.1.1 10GE1/0/3 01:11:18 00:01:27 1 N
10.1.2.2 Vlanif10 00:41:06 00:01:39 1 N
10.22.1.8 Vlanif22 01:08:28 00:01:42 1 N
[AGG] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
10.11.1.1 Vlanif11 01:09:30 00:01:20 1 N
10.22.1.2 Vlanif22 01:08:34 00:01:18 1 N
2. Run the display igmp-snooping port-info command to verify that ACC1 and
ACC2 can generate information about multicast group member interfaces
after users send IGMP Report messages.
[ACC1] display igmp-snooping port-info
-------------------------------------------------------------------------------
Flag: S:Static D:Dynamic M:Ssm-mapping
A:Active P:Protocol T:Trill
(Source, Group) Port Flag
--------------------------------------------------------------------------------
VLAN 33, 1 Entry(s)
(*, 225.1.1.1) GE1/0/2 -D-
GE1/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
[ACC2] display igmp-snooping port-info
-------------------------------------------------------------------------------
Flag: S:Static D:Dynamic M:Ssm-mapping
A:Active P:Protocol T:Trill
(Source, Group) Port Flag
--------------------------------------------------------------------------------
VLAN 34, 1 Entry(s)
(*, 225.1.1.1) GE1/0/2 -D-
GE1/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------

3. Run the display pim routing-table command to verify that Device1 and PE1
can generate multicast routing entries after the multicast source sends
multicast packets and the decoding server sends Join messages.
[Device1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 10.0.0.1
Protocol: pim-sm, Flag: WC
UpTime: 00:06:50
Upstream interface: Vlanif10
Upstream neighbor: 10.1.1.1
RPF prime neighbor: 10.1.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif530
Protocol: igmp, UpTime: 00:01:42, Expires: -
[PE1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 10.0.0.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:12:46
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif10
Protocol: pim-sm, UpTime: 00:08:59, Expires: 00:02:31
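The neighbor check in item 1 can be automated. The following Python helper parses display pim neighbor output and compares it with the interfaces on which a neighbor is planned; it is an added example, not Huawei code. The embedded sample is the Core output from item 1, reproduced as constructed input so the check runs offline, and the CORE_EXPECTED table is this example's own reading of the scenario's interface plan. A neighbor on an interface where none is planned is reported as a problem, since PIM adjacencies should only appear on links to the other multicast routers.

```python
"""Parse 'display pim neighbor' output and check it against planned adjacencies.

Added example, not Huawei code. CORE_OUTPUT is the Core output from the
verification section, embedded as constructed input; CORE_EXPECTED is this
example's own table of the interfaces on which Core should see a neighbor.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

CORE_OUTPUT = """\
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
10.12.1.1 XGE1/0/3 01:09:01 00:01:43 1 N
10.20.1.2 XGE1/0/2 01:06:30 00:01:39 1 N
"""

NEIGHBOR_LINE = re.compile(
    r"^(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<interface>\S+)\s+"
    r"(?P<uptime>\d+:\d\d:\d\d)\s+(?P<expires>\d+:\d\d:\d\d)\s+"
    r"(?P<dr_priority>\d+)\s+(?P<bfd>[YN])\s*$"
)


@dataclass
class PimNeighbor:
    address: str
    interface: str
    uptime: str
    expires: str
    dr_priority: int
    bfd_session: bool


def parse_pim_neighbors(output: str) -> List[PimNeighbor]:
    """Return the neighbor rows; raise if the declared total disagrees with the rows found."""
    neighbors = []
    declared = None
    for line in output.splitlines():
        total = re.search(r"Total Number of Neighbors = (\d+)", line)
        if total:
            declared = int(total.group(1))
            continue
        m = NEIGHBOR_LINE.match(line.strip())
        if m:
            neighbors.append(PimNeighbor(m["address"], m["interface"], m["uptime"],
                                         m["expires"], int(m["dr_priority"]), m["bfd"] == "Y"))
    if declared is not None and declared != len(neighbors):
        raise ValueError(f"declared {declared} neighbors but parsed {len(neighbors)}")
    return neighbors


def check_neighbors(output: str, expected: Dict[str, str]) -> List[str]:
    """Compare parsed neighbors with {interface: neighbor address}; an empty list means all good."""
    problems = []
    seen = {n.interface: n for n in parse_pim_neighbors(output)}
    for ifname, address in expected.items():
        n = seen.get(ifname)
        if n is None:
            problems.append(f"{ifname}: no PIM neighbor")
        elif n.address != address:
            problems.append(f"{ifname}: neighbor is {n.address}, expected {address}")
    for ifname in sorted(seen.keys() - expected.keys()):
        problems.append(f"{ifname}: unexpected PIM neighbor {seen[ifname].address}")
    return problems


# Planned adjacencies of Core in this scenario (this example's own table).
CORE_EXPECTED = {"XGE1/0/3": "10.12.1.1", "XGE1/0/2": "10.20.1.2"}


if __name__ == "__main__":
    print(check_neighbors(CORE_OUTPUT, CORE_EXPECTED) or "all planned PIM neighbors present")
```

The same function applies to the PE1, PE2 and AGG outputs with their own expected tables; the user-facing Vlanif33 and Vlanif34 of AGG, which run IGMP but should never carry a PIM neighbor, are exactly the interfaces the unexpected-neighbor branch is meant to catch.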

Configuration Scripts
● Core
#
sysname Core
#
multicast routing-enable
#
interface XGE1/0/1
undo portswitch
description Core***to***Sever
ip address 10.6.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface XGE1/0/2
undo portswitch
description Core***to***PE2
ip address 10.7.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface XGE1/0/3
undo portswitch
description Core***to***PE1
ip address 10.8.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 10.0.0.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 10.0.0.2
#
return
● PE1
#
sysname PE1
#
vlan batch 10 to 11
#
multicast routing-enable
#
interface Vlanif10
description to***Device1
ip address 10.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif11
description to***Internet
ip address 10.11.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/1
description PE1***to***Device1
port link-type access
port default vlan 10
#
interface 10GE1/0/2
undo portswitch
description PE1***to***Core
ip address 10.12.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/3
undo portswitch
description PE1***to***PE2
ip address 10.60.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/4
description PE1***to***AGG
port link-type trunk
port trunk allow-pass vlan 11
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
pim sm
ospf enable 1 area 0.0.0.0
#
pim
c-bsr LoopBack0
c-rp LoopBack0
static-rp 10.0.0.2
#
return
● PE2
#
sysname PE2
#
vlan batch 10 22
#
multicast routing-enable
#
interface Vlanif10
description to***Device2
ip address 10.1.2.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif22
description to***Internet
ip address 10.22.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/1
description PE2***to***Device2
port link-type access
port default vlan 10
#
interface 10GE1/0/2
undo portswitch
description PE2***to***Core
ip address 10.20.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/3
undo portswitch
description PE2***to***PE1
ip address 10.60.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface 10GE1/0/4
description PE2***to***AGG
port link-type trunk
port trunk allow-pass vlan 22
#
interface LoopBack0
ip address 10.0.0.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
pim
static-rp 10.0.0.2
#
return
● Device1
#
sysname Device1
#
vlan batch 10 88 301 400 530
#
stp instance 1 root primary
stp instance 2 root secondary
#
multicast routing-enable
#
igmp-snooping enable
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
#
acl number 3000
description ***ACL FOR IPTV_Service_IN***
rule 1 permit ip source 10.66.1.1 0.0.0.255 destination 10.4.1.1 0.0.0.127
acl number 3998
description ***ACL FOR Multicast Remark***
rule 5 permit ip source 10.5.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
if-match acl 3998
traffic classifier IPTV_Service_IN operator or
if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
permit
remark dscp af41
traffic behavior IPTV_Service_IN
permit
#
traffic policy IPTV_Multicast_Remark match-order config
classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
classifier IPTV_Service_IN behavior IPTV_Service_IN
#
vlan 10
description to***PE1
vlan 301
description to***Device2
igmp-snooping enable
vlan 400
description ***MRF IN***
multicast drop-unknown
igmp-snooping enable
vlan 530
description ***MRF OUT***
multicast drop-unknown
igmp-snooping enable
#
interface Vlanif10
description to***PE1
ip address 10.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif88
description to***HMS
ip address 10.88.1.7 255.255.255.0
vrrp vrid 2 virtual-ip 10.88.1.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface 10GE1/0/1 reduced 100
#
interface Vlanif301
description Device1***to***Device2
ip address 10.31.1.1 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 10.4.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 10.4.1.10
vrrp vrid 40 priority 120
pim hello-option dr-priority 100
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 10.5.1.2 255.255.255.0
vrrp vrid 53 virtual-ip 10.5.1.10
vrrp vrid 53 priority 120
pim hello-option dr-priority 100
pim sm
igmp enable
#
interface Eth-Trunk1
description Device1***to***Device2
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface 10GE1/0/1
description Device1***to***PE1
port link-type access
port default vlan 10
stp disable
traffic-policy IPTV_Service_IN inbound
#
interface 10GE1/0/2
description Device1***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
ospf 1 router-id 192.168.1.1
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 10.31.1.0 0.0.0.255
network 10.88.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
nssa
#
pim
static-rp 10.0.0.1
#
return
● Device2
#
sysname Device2
#
vlan batch 10 88 301 400 530
#
stp instance 1 root secondary
stp instance 2 root primary
#
multicast routing-enable
#
igmp-snooping enable
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
#
acl number 3000
description ***ACL FOR IPTV_Service_IN***
rule 1 permit ip source 10.66.1.1 0.0.0.255 destination 10.4.1.1 0.0.0.127
acl number 3998
description ***ACL FOR Multicast Remark***
rule 5 permit ip source 10.5.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
if-match acl 3998
traffic classifier IPTV_Service_IN operator or
if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
permit
remark dscp af41
traffic behavior IPTV_Service_IN
permit
#
traffic policy IPTV_Multicast_Remark match-order config
classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
classifier IPTV_Service_IN behavior IPTV_Service_IN
#
vlan 10
description to***PE2
vlan 301
description to***Device1
igmp-snooping enable
vlan 400
description ***MRF IN***
multicast drop-unknown
igmp-snooping enable
vlan 530
description ***MRF OUT***
multicast drop-unknown
igmp-snooping enable
#
interface Vlanif10
description to***PE2
ip address 10.1.2.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif88
description to***HMS
ip address 10.88.1.5 255.255.255.0
vrrp vrid 2 virtual-ip 10.88.1.100
#
interface Vlanif301
description Device2***to***Device1
ip address 10.31.1.2 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 10.4.1.3 255.255.255.0
vrrp vrid 40 virtual-ip 10.4.1.10
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 10.5.1.3 255.255.255.0
vrrp vrid 53 virtual-ip 10.5.1.10
pim sm
igmp enable
#
interface Eth-Trunk1
description Device2***to***Device1
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface 10GE1/0/1
description Device2***to***PE2
port link-type access
port default vlan 10
stp disable
traffic-policy IPTV_Service_IN inbound
#
interface 10GE1/0/2
description Device2***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
ospf 1 router-id 192.168.1.2
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
network 10.31.1.0 0.0.0.255
network 10.88.1.0 0.0.0.255
nssa
#
pim
static-rp 10.0.0.1
#
return
● CDN
#
sysname CDN
#
vlan batch 88 301 400 530
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
#
interface 10GE1/0/1
description CDN***to***Device2
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface 10GE1/0/2
description CDN***to***Device1
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface 10GE1/0/3
description CDN***to***HMS-Server
port link-type access
port default vlan 88
stp disable
#
interface 10GE1/0/4
description CDN***to***MRF-IN
port link-type access
port default vlan 400
stp disable
#
interface 10GE1/0/5
description CDN***to***MRF-OUT
port link-type access
port default vlan 530
stp disable
#
return
● AGG
#
sysname AGG
#
vlan batch 11 22 33 to 34
#
multicast routing-enable
#
interface Vlanif11
description to***Internet
ip address 10.11.1.8 255.255.255.0
pim sm
#
interface Vlanif22 //Added here: the page omits this interface; address 10.22.1.8 taken from the display pim neighbor output
description to***Internet
ip address 10.22.1.8 255.255.255.0
pim sm
#
interface Vlanif33
description to***ACC1
ip address 10.33.1.8 255.255.255.0
pim sm
igmp enable
#
interface Vlanif34
description to***ACC2
ip address 10.34.1.8 255.255.255.0
pim sm
igmp enable
#
interface 10GE1/0/1
description AGG***to***ACC1
port link-type trunk
port trunk allow-pass vlan 33
#
interface 10GE1/0/2
description AGG***to***ACC2
port link-type trunk
port trunk allow-pass vlan 34
#
interface 10GE1/0/4
description AGG***to***PE1
port link-type trunk
port trunk allow-pass vlan 11
#
interface 10GE1/0/5
description AGG***to***PE2
port link-type trunk
port trunk allow-pass vlan 22
#
return
● ACC1
#
sysname ACC1
#
vlan batch 33
#
igmp-snooping enable
#
vlan 33
multicast drop-unknown
igmp-snooping enable
#
interface GE1/0/1
description ACC1***to***AGG
port link-type trunk
port trunk allow-pass vlan 33
#
interface GE1/0/2
port link-type access
port default vlan 33
#
interface GE1/0/3
port link-type access
port default vlan 33
#
return

● ACC2
#
sysname ACC2
#
vlan batch 34
#
igmp-snooping enable
#
vlan 34
multicast drop-unknown
igmp-snooping enable
#
interface GE1/0/1
description ACC2***to***AGG
port link-type trunk
port trunk allow-pass vlan 34
#
interface GE1/0/2
port link-type access
port default vlan 34
#
interface GE1/0/3
port link-type access
port default vlan 34
#
return

2.2.5 Example for Configuring VXLAN in Centralized Gateway


Deployment Mode

Overview
VXLAN is an NVO3 network virtualization technology. It encapsulates a data
packet received from a source VM into a UDP packet, encapsulates the IP and
MAC addresses used on the physical network in the packet outer header, and then
sends the packet over an IP network. The VXLAN tunnel endpoint (VTEP) then
decapsulates the packet and sends it to the destination VM. VXLAN enables a
virtual network to provide access services for numerous tenants, and allows
tenants to plan their own virtual networks, not limited by the physical network IP
addresses or BDs. As a result, network management is greatly simplified.

On a VXLAN network, users in different BDs need to communicate through a Layer 3 VXLAN gateway. In centralized gateway deployment mode, the Layer 3 gateway is deployed on one device. All inter-subnet traffic is forwarded through the Layer 3 gateway, implementing centralized traffic management.

This example describes how to configure VXLAN in static mode to build a virtual network in centralized gateway deployment mode.
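The encapsulation the overview describes, modelled in Python as an added example (this is not code from the page or from Huawei). It builds the outer Ethernet/IPv4/UDP/VXLAN headers around an inner frame and strips them again on the receiving VTEP; the receiving side refuses packets whose VNI is not bound to a bridge domain, which is the check that keeps tenants' segments apart. The MAC addresses, the inner frame and the VNI-to-BD table are constructed, the latter mirroring the 10/20/30 plan in Table 2-49.

```python
"""Added example: VXLAN (RFC 7348) encapsulation and decapsulation, modelled
for the overview above. Not Huawei code; addresses and the VNI table below
are constructed from the example's data plan."""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid

# Assumption: VNI -> bridge domain as planned in Table 2-49 (10/20/30).
VNI_TO_BD = {10: 10, 20: 20, 30: 30}


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def vxlan_encapsulate(inner_frame, vni, src_ip, dst_ip, src_mac, dst_mac):
    """Wrap an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    vx = vxlan_header(vni)
    # UDP source port is derived from the inner frame so ECMP can spread flows;
    # the UDP checksum is zero, which IPv4 permits and VTEPs commonly use.
    sport = 49152 + (zlib.crc32(inner_frame[:14]) % 16384)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, udp_len, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                               ipaddress.IPv4Address(src_ip).packed,
                               ipaddress.IPv4Address(dst_ip).packed))
    ip[10:12] = struct.pack("!H", _ipv4_checksum(bytes(ip)))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")
    return eth + bytes(ip) + udp + vx + inner_frame


def vxlan_decapsulate(packet, allowed_vnis=VNI_TO_BD):
    """Strip the outer headers; refuse anything malformed or not for a configured VNI."""
    if len(packet) < 50:
        raise ValueError("packet too short for Ethernet/IPv4/UDP/VXLAN headers")
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:34]
    if ip[0] != 0x45:
        raise ValueError("only IPv4 without options is modelled")
    if _ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if ip[9] != 17:
        raise ValueError("outer protocol is not UDP")
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[34:42])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN UDP port")
    flags = packet[42]
    vni = struct.unpack("!I", packet[46:50])[0] >> 8
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    if vni not in allowed_vnis:
        # A VTEP must drop traffic for VNIs it is not configured for; otherwise a
        # stray or malformed packet could deliver frames into the wrong segment.
        raise ValueError(f"VNI {vni} is not bound to a bridge domain on this VTEP")
    return {
        "vni": vni,
        "bd": allowed_vnis[vni],
        "outer_src": str(ipaddress.IPv4Address(ip[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "inner_frame": packet[50:34 + udp_len],
    }
```

The outer IP addresses are the VTEP loopbacks from the data plan; a real VTEP additionally learns which inner MAC sits behind which remote VTEP, which this model leaves out.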

Networking Requirements
An enterprise has built a mature campus network but does not have a dedicated
data center network. All the servers of the enterprise are scattered in different
departments. The enterprise wants to build a virtual network on the existing
campus network. The requirements are as follows:
● Servers scattered in different departments form a virtual network to
implement resource integration and flexible service deployment.
● A large number of VMs are deployed on each server, and servers running
different services need to communicate with each other at Layer 3.
● Servers can access the network only after passing MAC address
authentication.
On the network shown in Figure 2-31, an enterprise has VMs deployed in
different locations. Server1 belongs to VLAN 10, Server2 belongs to VLAN 20, and
Server3 belongs to VLAN 30. VXLAN tunnels need to be established to implement
Layer 3 communication between servers running different services.

Figure 2-31 Network diagram of configuring VXLAN in centralized gateway deployment mode


Data Plan

Table 2-49 Data for VXLAN tunnel deployment

Device  VXLAN Tunnel    BD  VNI  Source IP      Peer IP
------  --------------  --  ---  -------------  -------------
VTEP1   VTEP1 -> VTEP2  10  10   10.200.200.1   10.200.200.10
                        20  20
        VTEP1 -> VTEP3  30  30   10.200.200.1   10.200.200.20
VTEP2   VTEP2 -> VTEP1  10  10   10.200.200.10  10.200.200.1
                        20  20
VTEP3   VTEP3 -> VTEP1  30  30   10.200.200.20  10.200.200.1

Applicable Products and Versions

Table 2-50 Applicable products and versions

Product/Sub-series  Device Host Name  Version
------------------  ----------------  ------------------------------
S8700-6             VTEP1 and VTEP2   V600R021C10 and later versions
S6730-H-V2          VTEP3             V200R020C00 and later versions
S5735-S-V2          ACC1 and ACC3     V200R019C00 and later versions
S5735-L-V2          ACC2              V200R019C00 and later versions

Configuration Roadmap

Table 2-51 Configuration roadmap for a virtual network in centralized VXLAN gateway deployment mode

Step  Configuration Roadmap                     Involved Product
----  ----------------------------------------  ------------------------------------------------
1     Establish a CSS.                          Two S8700-6 switches establish a CSS that is
                                                named VTEP2. Two S8700-6 switches establish a
                                                CSS that is named VTEP1.
2     Configure routes between core and         Core switch (VTEP1) and aggregation switches
      aggregation switches.                     (VTEP2 and VTEP3)
3     Configure VLAN access and VXLAN service   Access switches (ACC1 to ACC3) and aggregation
      access points.                            switches (VTEP2 and VTEP3)
4     Configure MAC address authentication.     Aggregation switches (VTEP2 and VTEP3)
      Set the AAA authentication mode to
      RADIUS authentication.
5     Configure VXLAN tunnels.                  Core switch (VTEP1) and aggregation switches
                                                (VTEP2 and VTEP3)
6     Configure a Layer 3 VXLAN gateway.        Core switch (VTEP1)

Procedure
Step 1 Establish a CSS.

The following uses VTEP2 as an example to describe how to establish a CSS. The
process of establishing a CSS named VTEP1 is similar to that of establishing a CSS
named VTEP2.

1. Connect CSS cables.

Configure two S8700-6 switches to establish a CSS named VTEP2. Name the
two devices DeviceA and DeviceB, respectively. Connect DeviceA and DeviceB
using CSS cables, as shown in Figure 2-32.

Figure 2-32 CSS connections

2. Set CSS parameters.


# Set the CSS member ID of DeviceA to 1, CSS priority to 150, and CSS
domain ID to 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] css
[DeviceA-css] css member 1
[DeviceA-css] css priority 150
[DeviceA-css] css domain 10
[DeviceA-css] quit

# Set the CSS member ID of DeviceB to 2, CSS priority to 100, and CSS
domain ID to 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] css
[DeviceB-css] css member 2
[DeviceB-css] css priority 100
[DeviceB-css] css domain 10
[DeviceB-css] quit
3. Configure Stack-Ports.
# You are advised to manually back up the current configuration file before
configuring a Stack-Port.
# Before configuring a Stack-Port, run the shutdown command to disable the
member ports to be added to the Stack-Port to prevent them from entering
the error-down state due to CRC error packets. The configuration procedure is
not provided here.
# On DeviceA, create a Stack-Port and add member ports to it.
[DeviceA] interface stack-port 1
[DeviceA-Stack-Port1] port member-group interface 10ge 5/0/1 10ge 6/0/1
[DeviceA-Stack-Port1] quit
[DeviceA] quit

# On DeviceB, create a Stack-Port and add member ports to it.


[DeviceB] interface stack-port 1
[DeviceB-Stack-Port1] port member-group interface 10ge 5/0/1 10ge 6/0/1
[DeviceB-Stack-Port1] quit
[DeviceB] quit

# Run the undo shutdown command to enable the member ports that have
been shut down. The configuration procedure is not provided here.
4. Save the configurations and enable the CSS function.
# Save the configuration of DeviceA and enable the CSS function. Enable the
CSS function on DeviceA that is planned as the master device first. This
ensures that DeviceA restarts first and becomes the master device as planned.
To make the following configurations easier to understand, change the name
of the master device DeviceA to VTEP2.
<DeviceA> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
<DeviceA> system-view
[DeviceA] sysname VTEP2
[VTEP2] css
[VTEP2-css] css enable
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the CSS or stack mode. Switches working in different forward modes cannot set up a CSS or stack.
Current configuration will be converted to the next startup saved-configuration file of CSS or stack mode.
System will reboot. Continue? [Y/N]: y //The device automatically restarts after the CSS function is enabled.

# Save the configuration of DeviceB and enable the CSS function.


<DeviceB> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
<DeviceB> system-view
[DeviceB] css
[DeviceB-css] css enable
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the CSS or stack mode. Switches working in different forward modes cannot set up a CSS or stack.
Current configuration will be converted to the next startup saved-configuration file of CSS or stack mode.
System will reboot. Continue? [Y/N]: y //The device automatically restarts after the CSS function is enabled.

Step 2 Configure routes between core and aggregation switches.

1. Configure the core switch.
# Configure IP addresses for interfaces. When configuring OSPF, configure the
devices to advertise the IP addresses of loopback interfaces.
<VTEP1> system-view
[VTEP1] interface loopback 0
[VTEP1-LoopBack0] ip address 10.200.200.1 255.255.255.255
[VTEP1-LoopBack0] quit
[VTEP1] vlan batch 10 11 20 30 100 200
[VTEP1] interface vlanif 11
[VTEP1-Vlanif11] ip address 10.11.1.2 255.255.255.0
[VTEP1-Vlanif11] quit
[VTEP1] interface vlanif 100
[VTEP1-Vlanif100] ip address 10.1.100.1 255.255.255.252
[VTEP1-Vlanif100] quit
[VTEP1] interface vlanif 200
[VTEP1-Vlanif200] ip address 10.1.200.1 255.255.255.252
[VTEP1-Vlanif200] quit
[VTEP1] interface eth-trunk 11
[VTEP1-Eth-Trunk11] description TO-VTEP2
[VTEP1-Eth-Trunk11] port link-type trunk
[VTEP1-Eth-Trunk11] undo port trunk allow-pass vlan 1
[VTEP1-Eth-Trunk11] port trunk allow-pass vlan 100
[VTEP1-Eth-Trunk11] quit
[VTEP1] interface eth-trunk 12
[VTEP1-Eth-Trunk12] description TO-VTEP3
[VTEP1-Eth-Trunk12] port link-type trunk
[VTEP1-Eth-Trunk12] undo port trunk allow-pass vlan 1
[VTEP1-Eth-Trunk12] port trunk allow-pass vlan 200
[VTEP1-Eth-Trunk12] quit
[VTEP1] interface 10GE 1/3/0/0
[VTEP1-10GE1/3/0/0] eth-trunk 11
[VTEP1-10GE1/3/0/0] quit
[VTEP1] interface 10GE 1/3/0/1
[VTEP1-10GE1/3/0/1] port link-type access
[VTEP1-10GE1/3/0/1] port default vlan 11
[VTEP1-10GE1/3/0/1] quit
[VTEP1] interface 10GE 1/3/0/13
[VTEP1-10GE1/3/0/13] eth-trunk 11
[VTEP1-10GE1/3/0/13] quit
[VTEP1] interface 10GE 2/3/0/2
[VTEP1-10GE2/3/0/2] eth-trunk 12
[VTEP1-10GE2/3/0/2] quit
[VTEP1] interface 10GE 2/3/0/14
[VTEP1-10GE2/3/0/14] eth-trunk 12
[VTEP1-10GE2/3/0/14] quit
[VTEP1] ospf router-id 10.200.200.1
[VTEP1-ospf-1] area 0
[VTEP1-ospf-1-area-0.0.0.0] network 10.200.200.1 0.0.0.0
[VTEP1-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.3
[VTEP1-ospf-1-area-0.0.0.0] network 10.1.200.0 0.0.0.3
[VTEP1-ospf-1-area-0.0.0.0] quit
[VTEP1-ospf-1] quit

2. Configure aggregation switches.

# Configure aggregation switch VTEP2.
<VTEP2> system-view
[VTEP2] interface loopback 0
[VTEP2-LoopBack0] ip address 10.200.200.10 255.255.255.255
[VTEP2-LoopBack0] quit
[VTEP2] vlan batch 10 20 100
[VTEP2] interface vlanif 100
[VTEP2-Vlanif100] ip address 10.1.100.2 255.255.255.252
[VTEP2-Vlanif100] quit
[VTEP2] interface eth-trunk 1
[VTEP2-Eth-Trunk1] port link-type trunk
[VTEP2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[VTEP2-Eth-Trunk1] port trunk allow-pass vlan 100
[VTEP2-Eth-Trunk1] quit
[VTEP2] interface 10GE 1/2/0/2
[VTEP2-10GE1/2/0/2] eth-trunk 1
[VTEP2-10GE1/2/0/2] quit
[VTEP2] interface 10GE 1/2/0/3
[VTEP2-10GE1/2/0/3] eth-trunk 1
[VTEP2-10GE1/2/0/3] quit
[VTEP2] ospf router-id 10.200.200.10
[VTEP2-ospf-1] area 0
[VTEP2-ospf-1-area-0.0.0.0] network 10.200.200.10 0.0.0.0
[VTEP2-ospf-1-area-0.0.0.0] network 10.1.100.0 0.0.0.3
[VTEP2-ospf-1-area-0.0.0.0] quit
[VTEP2-ospf-1] quit

# Configure aggregation switch VTEP3.
<HUAWEI> system-view
[HUAWEI] sysname VTEP3
[VTEP3] interface loopback 0
[VTEP3-LoopBack0] ip address 10.200.200.20 255.255.255.255
[VTEP3-LoopBack0] quit
[VTEP3] vlan batch 30 200
[VTEP3] interface vlanif 200
[VTEP3-Vlanif200] ip address 10.1.200.2 255.255.255.252
[VTEP3-Vlanif200] quit
[VTEP3] interface eth-trunk 1
[VTEP3-Eth-Trunk1] port link-type trunk
[VTEP3-Eth-Trunk1] undo port trunk allow-pass vlan 1
[VTEP3-Eth-Trunk1] port trunk allow-pass vlan 200
[VTEP3-Eth-Trunk1] quit
[VTEP3] interface xgigabitethernet 0/0/1
[VTEP3-XGigabitEthernet0/0/1] eth-trunk 1
[VTEP3-XGigabitEthernet0/0/1] quit
[VTEP3] interface xgigabitethernet 0/0/2
[VTEP3-XGigabitEthernet0/0/2] eth-trunk 1
[VTEP3-XGigabitEthernet0/0/2] quit
[VTEP3] ospf router-id 10.200.200.20
[VTEP3-ospf-1] area 0
[VTEP3-ospf-1-area-0.0.0.0] network 10.200.200.20 0.0.0.0
[VTEP3-ospf-1-area-0.0.0.0] network 10.1.200.0 0.0.0.3
[VTEP3-ospf-1-area-0.0.0.0] quit
[VTEP3-ospf-1] quit

Step 3 Configure VLAN access on access switches ACC1 to ACC3, and configure VXLAN
service access points on aggregation switches VTEP2 and VTEP3.

# Configure ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 10

[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] port link-type trunk
[ACC1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[ACC1-Eth-Trunk1] port trunk allow-pass vlan 10
[ACC1-Eth-Trunk1] quit
[ACC1] interface xgigabitethernet 0/0/1
[ACC1-XGigabitEthernet0/0/1] eth-trunk 1
[ACC1-XGigabitEthernet0/0/1] quit
[ACC1] interface xgigabitethernet 0/0/2
[ACC1-XGigabitEthernet0/0/2] eth-trunk 1
[ACC1-XGigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] port link-type access
[ACC1-GigabitEthernet0/0/1] port default vlan 10
[ACC1-GigabitEthernet0/0/1] quit

# Configure ACC2.
<HUAWEI> system-view
[HUAWEI] sysname ACC2
[ACC2] vlan batch 20
[ACC2] interface eth-trunk 1
[ACC2-Eth-Trunk1] port link-type trunk
[ACC2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[ACC2-Eth-Trunk1] port trunk allow-pass vlan 20
[ACC2-Eth-Trunk1] quit
[ACC2] interface xgigabitethernet 0/0/1
[ACC2-XGigabitEthernet0/0/1] eth-trunk 1
[ACC2-XGigabitEthernet0/0/1] quit
[ACC2] interface xgigabitethernet 0/0/2
[ACC2-XGigabitEthernet0/0/2] eth-trunk 1
[ACC2-XGigabitEthernet0/0/2] quit
[ACC2] interface gigabitethernet 0/0/1
[ACC2-GigabitEthernet0/0/1] port link-type access
[ACC2-GigabitEthernet0/0/1] port default vlan 20
[ACC2-GigabitEthernet0/0/1] quit

# Configure ACC3.
<HUAWEI> system-view
[HUAWEI] sysname ACC3
[ACC3] vlan batch 30
[ACC3] interface eth-trunk 1
[ACC3-Eth-Trunk1] port link-type trunk
[ACC3-Eth-Trunk1] undo port trunk allow-pass vlan 1
[ACC3-Eth-Trunk1] port trunk allow-pass vlan 30
[ACC3-Eth-Trunk1] quit
[ACC3] interface xgigabitethernet 0/0/1
[ACC3-XGigabitEthernet0/0/1] eth-trunk 1
[ACC3-XGigabitEthernet0/0/1] quit
[ACC3] interface xgigabitethernet 0/0/2
[ACC3-XGigabitEthernet0/0/2] eth-trunk 1
[ACC3-XGigabitEthernet0/0/2] quit
[ACC3] interface gigabitethernet 0/0/1
[ACC3-GigabitEthernet0/0/1] port link-type access
[ACC3-GigabitEthernet0/0/1] port default vlan 30
[ACC3-GigabitEthernet0/0/1] quit

# Configure VTEP2.
[VTEP2] interface eth-trunk 11
[VTEP2-Eth-Trunk11] port link-type trunk
[VTEP2-Eth-Trunk11] undo port trunk allow-pass vlan 1
[VTEP2-Eth-Trunk11] port trunk allow-pass vlan 10
[VTEP2-Eth-Trunk11] quit
[VTEP2] interface 10GE 2/4/0/40
[VTEP2-10GE2/4/0/40] eth-trunk 11
[VTEP2-10GE2/4/0/40] quit
[VTEP2] interface 10GE 2/4/0/44
[VTEP2-10GE2/4/0/44] eth-trunk 11
[VTEP2-10GE2/4/0/44] quit
[VTEP2] interface eth-trunk 12
[VTEP2-Eth-Trunk12] port link-type trunk

[VTEP2-Eth-Trunk12] undo port trunk allow-pass vlan 1
[VTEP2-Eth-Trunk12] port trunk allow-pass vlan 20
[VTEP2-Eth-Trunk12] quit
[VTEP2] interface 10GE 2/4/0/41
[VTEP2-10GE2/4/0/41] eth-trunk 12
[VTEP2-10GE2/4/0/41] quit
[VTEP2] interface 10GE 2/4/0/45
[VTEP2-10GE2/4/0/45] eth-trunk 12
[VTEP2-10GE2/4/0/45] quit

# Configure VTEP3.
[VTEP3] interface eth-trunk 11
[VTEP3-Eth-Trunk11] port link-type trunk
[VTEP3-Eth-Trunk11] undo port trunk allow-pass vlan 1
[VTEP3-Eth-Trunk11] port trunk allow-pass vlan 30
[VTEP3-Eth-Trunk11] quit
[VTEP3] interface xgigabitethernet 0/0/3
[VTEP3-XGigabitEthernet0/0/3] eth-trunk 11
[VTEP3-XGigabitEthernet0/0/3] quit
[VTEP3] interface xgigabitethernet 0/0/4
[VTEP3-XGigabitEthernet0/0/4] eth-trunk 11
[VTEP3-XGigabitEthernet0/0/4] quit

Step 4 Configure AAA.

The following uses VTEP2 as an example to describe how to configure AAA. The procedure for configuring AAA on VTEP3 is similar to that on VTEP2.
# Create and configure the RADIUS server template rd1.
[VTEP2] radius-server template rd1
[VTEP2-radius-rd1] radius-server authentication 10.11.1.1 1812
[VTEP2-radius-rd1] radius-server shared-key cipher YsHsjx_202206789
[VTEP2-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS authentication.
[VTEP2] aaa
[VTEP2-aaa] authentication-scheme abc
[VTEP2-aaa-authen-abc] authentication-mode radius
[VTEP2-aaa-authen-abc] quit

# Create the authentication domain example.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.
[VTEP2-aaa] domain example.com
[VTEP2-aaa-domain-example.com] authentication-scheme abc
[VTEP2-aaa-domain-example.com] radius-server rd1
[VTEP2-aaa-domain-example.com] quit
[VTEP2-aaa] quit

# Check whether a user can pass RADIUS authentication. (The following assumes
that the test user test1 and password YsHsjx_202206 have been configured on
the RADIUS server.)
[VTEP2] test-aaa test1 YsHsjx_202206 radius-template rd1
Info: Account test succeeded.
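What the test-aaa check above exercises on the wire, written out in Python as an added example (not Huawei code and not the switch's implementation): the User-Password attribute is hidden with MD5 over the shared key and the Request Authenticator, the request carries a Message-Authenticator (HMAC-MD5 keyed with the shared key), and the NAS accepts a reply only if its Response Authenticator, which also depends on the shared key, verifies. The shared key, server address, port, user and password are the values used in this example; the NAS address (VTEP2's Vlanif100) and the Request Authenticator used in the checks are constructed assumptions.

```python
"""Added example: the RADIUS (RFC 2865/2869) pieces behind the test-aaa check:
User-Password hiding with the shared key, Message-Authenticator on the request,
and verification of the server's Response Authenticator. Not Huawei code.
Key, user and server values are the ones on the page; the NAS address and the
Request Authenticator used in the checks are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct

SHARED_KEY = b"YsHsjx_202206789"        # radius-server shared-key on the page
SERVER = ("10.11.1.1", 1812)             # radius-server authentication on the page
NAS_IP = "10.1.100.2"                    # assumption: VTEP2 sources requests from Vlanif100

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MSG, ATTR_MSG_AUTH = 1, 2, 4, 18, 80
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value


def iter_attributes(pkt: bytes):
    """Walk the attribute list after the 20-byte header, refusing bad lengths."""
    pos = 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute")
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        yield attr_type, pos, pkt[pos + 2:pos + length]
        pos += length


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret=SHARED_KEY,
                         request_auth=None, nas_ip=NAS_IP):
    """Access-Request with User-Name, hidden User-Password, NAS-IP-Address and Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
             + attr(ATTR_MSG_AUTH, b"\x00" * 16))
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed;
    # it is the last attribute, so its value is the final 16 bytes.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    for attr_type, pos, value in iter_attributes(pkt):
        if attr_type == ATTR_MSG_AUTH:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(code, ident, request_auth, attrs, secret=SHARED_KEY):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_auth: bytes, secret=SHARED_KEY) -> bool:
    """NAS side: a reply whose authenticator does not check out must be dropped,
    even if its Code says Access-Accept."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The practical consequence for this example is that the shared key configured in template rd1 must match the one on 10.11.1.1 exactly: with a mismatch the server cannot recover the password and the switch cannot verify the reply, so test-aaa fails before any user is authenticated.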

Step 5 Configure MAC address authentication.

The following uses VTEP2 as an example to describe how to configure MAC address authentication. The procedure for configuring MAC address authentication on VTEP3 is similar to that on VTEP2.
# Configure the MAC access profile m1.
[VTEP2] mac-access-profile name m1
[VTEP2-mac-access-profile-m1] quit

# Configure the authentication profile p1, bind the MAC access profile m1 to the authentication profile, specify the domain example.com as the forcible authentication domain in the authentication profile, set the user access mode to multi-authen, and set the maximum number of access users to 100.
[VTEP2] authentication-profile name p1
[VTEP2-authen-profile-p1] mac-access-profile m1
[VTEP2-authen-profile-p1] access-domain example.com
[VTEP2-authen-profile-p1] authentication mode multi-authen max-user 100
[VTEP2-authen-profile-p1] quit

# Bind the authentication profile p1 to Eth-Trunk 11 and Eth-Trunk 12 to enable MAC address authentication on them.
[VTEP2] interface eth-trunk 11
[VTEP2-Eth-Trunk11] authentication-profile p1
[VTEP2-Eth-Trunk11] quit
[VTEP2] interface eth-trunk 12
[VTEP2-Eth-Trunk12] authentication-profile p1
[VTEP2-Eth-Trunk12] quit

Step 6 Configure VXLAN tunnels.

# Configure VTEP1.
[VTEP1] bridge-domain 10
[VTEP1-bd10] vxlan vni 10
[VTEP1-bd10] l2 binding vlan 10
[VTEP1-bd10] quit
[VTEP1] bridge-domain 20
[VTEP1-bd20] vxlan vni 20
[VTEP1-bd20] l2 binding vlan 20
[VTEP1-bd20] quit
[VTEP1] bridge-domain 30
[VTEP1-bd30] vxlan vni 30
[VTEP1-bd30] l2 binding vlan 30
[VTEP1-bd30] quit
[VTEP1] interface nve 1
[VTEP1-Nve1] source 10.200.200.1
[VTEP1-Nve1] vni 10 head-end peer-list 10.200.200.10
[VTEP1-Nve1] vni 10 head-end peer-list 10.200.200.20
[VTEP1-Nve1] vni 20 head-end peer-list 10.200.200.10
[VTEP1-Nve1] vni 20 head-end peer-list 10.200.200.20
[VTEP1-Nve1] vni 30 head-end peer-list 10.200.200.10
[VTEP1-Nve1] vni 30 head-end peer-list 10.200.200.20
[VTEP1-Nve1] quit

# Configure VTEP2.
[VTEP2] bridge-domain 10
[VTEP2-bd10] vxlan vni 10
[VTEP2-bd10] l2 binding vlan 10
[VTEP2-bd10] quit
[VTEP2] bridge-domain 20
[VTEP2-bd20] vxlan vni 20
[VTEP2-bd20] l2 binding vlan 20
[VTEP2-bd20] quit
[VTEP2] bridge-domain 30
[VTEP2-bd30] vxlan vni 30
[VTEP2-bd30] l2 binding vlan 30
[VTEP2-bd30] quit
[VTEP2] interface nve 1
[VTEP2-Nve1] source 10.200.200.10
[VTEP2-Nve1] vni 10 head-end peer-list 10.200.200.1
[VTEP2-Nve1] vni 20 head-end peer-list 10.200.200.1
[VTEP2-Nve1] vni 30 head-end peer-list 10.200.200.1
[VTEP2-Nve1] quit

# Configure VTEP3.
[VTEP3] bridge-domain 10
[VTEP3-bd10] vxlan vni 10
[VTEP3-bd10] l2 binding vlan 10
[VTEP3-bd10] quit

[VTEP3] bridge-domain 20
[VTEP3-bd20] vxlan vni 20
[VTEP3-bd20] l2 binding vlan 20
[VTEP3-bd20] quit
[VTEP3] bridge-domain 30
[VTEP3-bd30] vxlan vni 30
[VTEP3-bd30] l2 binding vlan 30
[VTEP3-bd30] quit
[VTEP3] interface nve 1
[VTEP3-Nve1] source 10.200.200.20
[VTEP3-Nve1] vni 10 head-end peer-list 10.200.200.1
[VTEP3-Nve1] vni 20 head-end peer-list 10.200.200.1
[VTEP3-Nve1] vni 30 head-end peer-list 10.200.200.1
[VTEP3-Nve1] quit

Step 7 Configure a Layer 3 VXLAN gateway.

# Configure VTEP1.
[VTEP1] interface vbdif 10
[VTEP1-Vbdif10] ip address 10.118.0.10 255.255.255.0
[VTEP1-Vbdif10] quit
[VTEP1] interface vbdif 20
[VTEP1-Vbdif20] ip address 10.128.0.10 255.255.255.0
[VTEP1-Vbdif20] quit
[VTEP1] interface vbdif 30
[VTEP1-Vbdif30] ip address 10.138.0.10 255.255.255.0
[VTEP1-Vbdif30] quit

----End

Verifying the Configuration

# After the preceding configurations are complete, run the display vxlan tunnel
and display vxlan vni commands on VTEP1, VTEP2, and VTEP3. The command
outputs show that VXLAN tunnels are established and the VNI status is up. The
following example uses the command outputs on VTEP1.
[VTEP1] display vxlan tunnel
Number of vxlan tunnel : 2
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.200.200.1 10.200.200.10 up static 0035h21m
4026531842 10.200.200.1 10.200.200.20 up static 0036h21m
[VTEP1] display vxlan vni
Number of vxlan vni : 3
VNI BD-ID State
---------------------------------------
10 10 up
20 20 up
30 30 up

# After the configurations are complete, servers (Server1 to Server3) in different areas can communicate with each other through the VXLAN gateway.
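Static VXLAN has no control plane, so a tunnel that is configured on one VTEP but not on its peer shows up only as one-way traffic loss. The following Python, added here as an example (not Huawei code), covers the data plan in Table 2-49 and the head-end peer-list configuration of Step 6: it parses the Nve and bridge-domain sections in the layout of the Configuration Scripts below and reports any peer list that is not mirrored on the other end, and any VNI that has peers but no bridge domain. The sample scripts are generated from the page's VTEP1, VTEP2 and VTEP3 values by a constructed helper; the deliberately broken VTEP3 variant is constructed too.

```python
"""Added example: parse the Nve/bridge-domain sections of VRP configuration
scripts and check that every static VXLAN tunnel is configured on both ends.
Not Huawei code; the sample scripts are generated from the page's values."""
import re
from collections import defaultdict

PEER_RE = re.compile(r"vni (\d+) head-end peer-list (\S+)")


def parse_vxlan_config(script: str) -> dict:
    """Extract sysname, Nve source, per-VNI peer lists and the VNI->BD binding."""
    host = source = None
    peers = defaultdict(set)
    bd_by_vni = {}
    current_bd = None
    in_nve = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            host = line.split()[1]
        elif line.startswith("bridge-domain "):
            current_bd, in_nve = int(line.split()[1]), False
        elif line.startswith("vxlan vni ") and current_bd is not None:
            bd_by_vni[int(line.split()[2])] = current_bd
        elif line.startswith("interface Nve"):
            current_bd, in_nve = None, True
        elif line == "#" or line.startswith("interface "):
            current_bd, in_nve = None, False
        elif in_nve and line.startswith("source "):
            source = line.split()[1]
        elif in_nve and (m := PEER_RE.match(line)):
            peers[int(m.group(1))].add(m.group(2))
    return {"host": host, "source": source, "peers": dict(peers), "bd_by_vni": bd_by_vni}


def check_static_tunnels(configs):
    """Report one-way peer lists and VNIs that have peers but no bridge domain."""
    by_source = {c["source"]: c for c in configs}
    findings = []
    for c in configs:
        for vni, peer_set in sorted(c["peers"].items()):
            if vni not in c["bd_by_vni"]:
                findings.append(f"{c['host']}: VNI {vni} has peers but no bridge-domain binds it")
            for peer in sorted(peer_set):
                remote = by_source.get(peer)
                if remote is None:
                    findings.append(f"{c['host']}: VNI {vni} peer {peer} is not the source of any known VTEP")
                elif c["source"] not in remote["peers"].get(vni, set()):
                    findings.append(f"{c['host']} -> {remote['host']}: VNI {vni} is one-way; "
                                    f"{remote['host']} does not list {c['source']} for VNI {vni}")
    return findings


def vrp_script(host, source, vnis, peers):
    """Constructed helper: emit the relevant lines in the Configuration Scripts layout."""
    lines = [f"sysname {host}", "#"]
    for vni in vnis:
        lines += [f"bridge-domain {vni}", f" l2 binding vlan {vni}", f" vxlan vni {vni}", "#"]
    lines += ["interface Nve1", f" source {source}"]
    lines += [f" vni {v} head-end peer-list {p}" for v, p in peers]
    lines += ["#", "return"]
    return "\n".join(lines)


# Sample input built from Table 2-49 and the Configuration Scripts section.
CORE = vrp_script("VTEP1", "10.200.200.1", [10, 20, 30],
                  [(v, p) for v in (10, 20, 30) for p in ("10.200.200.10", "10.200.200.20")])
LEAF2 = vrp_script("VTEP2", "10.200.200.10", [10, 20, 30], [(v, "10.200.200.1") for v in (10, 20, 30)])
LEAF3 = vrp_script("VTEP3", "10.200.200.20", [10, 20, 30], [(v, "10.200.200.1") for v in (10, 20, 30)])


def audit(scripts):
    """Parse every script and return the list of findings (empty when consistent)."""
    return check_static_tunnels([parse_vxlan_config(s) for s in scripts])


if __name__ == "__main__":
    print(audit([CORE, LEAF2, LEAF3]) or "all static VXLAN tunnels are symmetric")
    # Constructed misconfiguration: VTEP3 is missing its VNI 30 peer entry.
    broken = vrp_script("VTEP3", "10.200.200.20", [10, 20, 30], [(v, "10.200.200.1") for v in (10, 20)])
    print(audit([CORE, LEAF2, broken]))
```

Run against the scripts as printed on this page the audit returns no findings; the display vxlan tunnel output above would look identical on VTEP1 even if VTEP3 had dropped its VNI 30 entry, which is why a configuration-side check is worth keeping next to the live verification.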

Configuration Scripts
VTEP1
#
sysname VTEP1
#
vlan batch 10 11 20 30 100 200
#
bridge-domain 10
l2 binding vlan 10
vxlan vni 10
#

bridge-domain 20
l2 binding vlan 20
vxlan vni 20
#
bridge-domain 30
l2 binding vlan 30
vxlan vni 30
#
interface Vbdif10
ip address 10.118.0.10 255.255.255.0
#
interface Vbdif20
ip address 10.128.0.10 255.255.255.0
#
interface Vbdif30
ip address 10.138.0.10 255.255.255.0
#
interface Vlanif11
ip address 10.11.1.2 255.255.255.0
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.252
#
interface Vlanif200
ip address 10.1.200.1 255.255.255.252
#
interface Eth-Trunk11
description TO-leaf1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface Eth-Trunk12
description TO-leaf2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface 10GE1/3/0/0
eth-trunk 11
#
interface 10GE1/3/0/1
port default vlan 11
#
interface 10GE1/3/0/16
eth-trunk 11
#
interface 10GE2/3/0/2
eth-trunk 12
#
interface 10GE2/3/0/14
eth-trunk 12
#
interface LoopBack0
ip address 10.200.200.1 255.255.255.255
#
interface Nve1
source 10.200.200.1
vni 10 head-end peer-list 10.200.200.10
vni 10 head-end peer-list 10.200.200.20
vni 20 head-end peer-list 10.200.200.10
vni 20 head-end peer-list 10.200.200.20
vni 30 head-end peer-list 10.200.200.10
vni 30 head-end peer-list 10.200.200.20
#
ospf 1 router-id 10.200.200.1
area 0.0.0.0
network 10.1.100.0 0.0.0.3
network 10.1.200.0 0.0.0.3

network 10.200.200.1 0.0.0.0
#
return

VTEP2
#
sysname VTEP2
#
authentication-profile name p1
mac-access-profile m1
access-domain example.com
authentication mode multi-authen max-user 100
#
vlan batch 10 20 100
#
aaa
authentication-scheme abc
authentication-mode radius
domain example.com
authentication-scheme abc
radius-server rd1
#
bridge-domain 10
l2 binding vlan 10
vxlan vni 10
#
bridge-domain 20
l2 binding vlan 20
vxlan vni 20
#
bridge-domain 30
l2 binding vlan 30
vxlan vni 30
#
radius-server rd1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 10.11.1.1 1812 weight 80
#
mac-access-profile name m1
#
interface Vlanif100
ip address 10.1.100.2 255.255.255.252
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface Eth-Trunk11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
authentication-profile p1
#
interface Eth-Trunk12
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
authentication-profile p1
#
interface 10GE1/2/0/2
eth-trunk 1
#
interface 10GE1/2/0/3
eth-trunk 1
#
interface 10GE2/4/0/40
eth-trunk 11

device transceiver 1000BASE-X
#
interface 10GE2/4/0/41
eth-trunk 12
device transceiver 1000BASE-X
#
interface 10GE2/4/0/42
eth-trunk 1
device transceiver 10GBASE-FIBER
#
interface 10GE2/4/0/44
eth-trunk 11
#
interface 10GE2/4/0/45
eth-trunk 12
#
interface LoopBack0
ip address 10.200.200.10 255.255.255.255
#
interface Nve1
source 10.200.200.10
vni 10 head-end peer-list 10.200.200.1
vni 20 head-end peer-list 10.200.200.1
vni 30 head-end peer-list 10.200.200.1
#
ospf 1 router-id 10.200.200.10
area 0.0.0.0
network 10.1.100.0 0.0.0.3
network 10.200.200.10 0.0.0.0
#
return

VTEP3
#
sysname VTEP3
#
authentication-profile name p1
mac-access-profile m1
access-domain example.com
authentication mode multi-authen max-user 100
#
vlan batch 30 200
#
aaa
authentication-scheme abc
authentication-mode radius
domain example.com
authentication-scheme abc
radius-server rd1
#
bridge-domain 10
l2 binding vlan 10
vxlan vni 10
#
bridge-domain 20
l2 binding vlan 20
vxlan vni 20
#
bridge-domain 30
l2 binding vlan 30
vxlan vni 30
#
radius-server rd1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 10.11.1.1 1812 weight 80
#
mac-access-profile name m1
#
interface Vlanif200

ip address 10.1.200.2 255.255.255.252
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface Eth-Trunk11
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 30
authentication-profile p1
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
interface XGigabitEthernet0/0/3
eth-trunk 11
#
interface XGigabitEthernet0/0/4
eth-trunk 11
#
interface LoopBack0
ip address 10.200.200.20 255.255.255.255
#
interface Nve1
source 10.200.200.20
vni 10 head-end peer-list 10.200.200.1
vni 20 head-end peer-list 10.200.200.1
vni 30 head-end peer-list 10.200.200.1
#
ospf 1 router-id 10.200.200.20
area 0.0.0.0
network 10.1.200.0 0.0.0.3
network 10.200.200.20 0.0.0.0
#
return

ACC1
#
sysname ACC1
#
vlan batch 10
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
return

ACC2
#
sysname ACC2
#
vlan batch 20
#

interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
return

ACC3
#
sysname ACC3
#
vlan batch 30
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
return

2.3 Typical Configuration for Interoperation Between Switches and Firewalls

2.3.1 Example for Configuring a Layer 2 Switch to Work with a Firewall for Internet Access
Layer 2 Switch
Layer 2 switches perform only Layer 2 forwarding instead of Layer 3 forwarding.
That is, Layer 2 switches support only Layer 2 features instead of Layer 3 features
such as routing.
Layer 2 switches are typically deployed at the access layer and cannot function as
gateways of users.

Precautions
Switch configurations used in this example apply to S series switches running
V600.

This example uses firewall configurations of USG6655E V600R007C00. For other firewall configurations, see "Basic Configuration" in the Configuration Guide based on the version of the device.

Networking Requirements
In Figure 2-33, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 2 switch and firewall and
that the firewall function as the gateway of users.

Figure 2-33 Configuring a Layer 2 switch to work with a firewall for Internet
access

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment on the switch for Layer 2
forwarding.
2. Configure the firewall as the gateway of users to implement Layer 3
forwarding across network segments through sub-interfaces or VLANIF
interfaces.
3. Configure the firewall as the DHCP server to assign IP addresses to users.
4. Configure an interzone security policy for the firewall so that packets can be
forwarded among different zones.
5. Configure the port address translation (PAT) function on the firewall to
enable intranet users to access the Internet.


Procedure
Step 1 Configure the switch.
# Configure the interfaces connecting to user devices.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface GE 1/0/2
[Switch-GE1/0/2] port default vlan 2
[Switch-GE1/0/2] quit
[Switch] interface GE 1/0/3
[Switch-GE1/0/3] port default vlan 3
[Switch-GE1/0/3] quit

# Configure the interface connecting to the firewall.
[Switch] interface GE 1/0/1
[Switch-GE1/0/1] port link-type trunk
[Switch-GE1/0/1] port trunk allow-pass vlan 2 3
[Switch-GE1/0/1] quit

Step 2 Configure the firewall.

Two methods are available to configure a firewall: one is to configure sub-interfaces and the other is to configure VLANIF interfaces.
● Configure the firewall to terminate VLAN tags through sub-interfaces to
implement Layer 3 forwarding across network segments.
# Configure sub-interfaces for VLAN tag termination.
<USG6600E> system-view
[USG6600E] interface Gigabitethernet 0/0/1.1
[USG6600E-GigabitEthernet0/0/1.1] vlan-type dot1q 2
[USG6600E-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[USG6600E-GigabitEthernet0/0/1.1] quit
[USG6600E] interface Gigabitethernet 0/0/1.2
[USG6600E-GigabitEthernet0/0/1.2] vlan-type dot1q 3
[USG6600E-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[USG6600E-GigabitEthernet0/0/1.2] quit

# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.
[USG6600E] dhcp enable
[USG6600E] interface Gigabitethernet 0/0/1.1
[USG6600E-GigabitEthernet0/0/1.1] dhcp select interface
[USG6600E-GigabitEthernet0/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600E-GigabitEthernet0/0/1.1] quit
[USG6600E] interface Gigabitethernet 0/0/1.2
[USG6600E-GigabitEthernet0/0/1.2] dhcp select interface
[USG6600E-GigabitEthernet0/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600E-GigabitEthernet0/0/1.2] quit

# Configure the public network interface IP address and a static default route.
[USG6600E] interface Gigabitethernet 0/0/2
[USG6600E-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0
[USG6600E-GigabitEthernet0/0/2] quit
[USG6600E] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1

# Configure security zones.
[USG6600E] firewall zone trust
[USG6600E-zone-trust] add interface Gigabitethernet 0/0/1
[USG6600E-zone-trust] add interface Gigabitethernet 0/0/1.1
[USG6600E-zone-trust] add interface Gigabitethernet 0/0/1.2
[USG6600E-zone-trust] quit
[USG6600E] firewall zone untrust


[USG6600E-zone-untrust] add interface Gigabitethernet 0/0/2
[USG6600E-zone-untrust] quit

# Configure a security policy to allow inter-zone access.
[USG6600E] security-policy
[USG6600E-policy-security] rule name policy1
[USG6600E-policy-security-rule-policy1] source-zone trust
[USG6600E-policy-security-rule-policy1] destination-zone untrust
[USG6600E-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600E-policy-security-rule-policy1] action permit
[USG6600E-policy-security-rule-policy1] quit
[USG6600E-policy-security] quit

# Configure a PAT address pool that uses the public interface address 203.0.113.2 as the translated address.
[USG6600E] nat address-group addressgroup1
[USG6600E-address-group-addressgroup1] mode pat
[USG6600E-address-group-addressgroup1] route enable
[USG6600E-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2
[USG6600E-address-group-addressgroup1] quit

# Configure a PAT policy so that source IP addresses are automatically translated when devices on a specified network segment of an internal network access the Internet.
[USG6600E] nat-policy
[USG6600E-policy-nat] rule name policy_nat1
[USG6600E-policy-nat-rule-policy_nat1] source-zone trust
[USG6600E-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600E-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600E-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[USG6600E-policy-nat-rule-policy_nat1] quit
[USG6600E-policy-nat] quit
[USG6600E] quit

● Configure VLANIF interfaces on the firewall to implement Layer 3 forwarding across network segments.
# Configure VLANIF interfaces.
<USG6600E> system-view
[USG6600E] vlan batch 2 3
[USG6600E] interface Gigabitethernet 0/0/1
[USG6600E-GigabitEthernet0/0/1] portswitch
[USG6600E-GigabitEthernet0/0/1] port link-type hybrid
[USG6600E-GigabitEthernet0/0/1] port hybrid tagged vlan 2 to 3
[USG6600E-GigabitEthernet0/0/1] quit
[USG6600E] interface vlanif 2
[USG6600E-Vlanif2] ip address 192.168.1.1 24
[USG6600E-Vlanif2] quit
[USG6600E] interface vlanif 3
[USG6600E-Vlanif3] ip address 192.168.2.1 24
[USG6600E-Vlanif3] quit

# Configure the DHCP function.
[USG6600E] dhcp enable
[USG6600E] interface vlanif 2
[USG6600E-Vlanif2] dhcp select interface
[USG6600E-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600E-Vlanif2] quit
[USG6600E] interface vlanif 3
[USG6600E-Vlanif3] dhcp select interface
[USG6600E-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600E-Vlanif3] quit

# Configure the public network interface IP address and a static default route.
[USG6600E] interface Gigabitethernet 0/0/2
[USG6600E-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0
[USG6600E-GigabitEthernet0/0/2] quit
[USG6600E] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1

# Configure security zones.
[USG6600E] firewall zone trust
[USG6600E-zone-trust] add interface gigabitethernet 0/0/1
[USG6600E-zone-trust] add interface vlanif 2
[USG6600E-zone-trust] add interface vlanif 3
[USG6600E-zone-trust] quit
[USG6600E] firewall zone untrust
[USG6600E-zone-untrust] add interface gigabitethernet 0/0/2
[USG6600E-zone-untrust] quit

# Configure a security policy to allow inter-zone access.
[USG6600E] security-policy
[USG6600E-policy-security] rule name policy1
[USG6600E-policy-security-rule-policy1] source-zone trust
[USG6600E-policy-security-rule-policy1] destination-zone untrust
[USG6600E-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600E-policy-security-rule-policy1] action permit
[USG6600E-policy-security-rule-policy1] quit
[USG6600E-policy-security] quit

# Configure a PAT address pool that uses the public interface address 203.0.113.2 as the translated address.
[USG6600E] nat address-group addressgroup1
[USG6600E-address-group-addressgroup1] mode pat
[USG6600E-address-group-addressgroup1] route enable
[USG6600E-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2
[USG6600E-address-group-addressgroup1] quit

# Configure a PAT policy so that source IP addresses are automatically translated when devices on a specified network segment of an internal network access the Internet.
[USG6600E] nat-policy
[USG6600E-policy-nat] rule name policy_nat1
[USG6600E-policy-nat-rule-policy_nat1] source-zone trust
[USG6600E-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600E-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600E-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[USG6600E-policy-nat-rule-policy_nat1] quit
[USG6600E-policy-nat] quit
[USG6600E] quit

Step 3 Verify the configuration.
Configure the IP address 192.168.1.2/24 and the gateway address 192.168.1.1 on PC1, and the IP address 192.168.2.2/24 and the gateway address 192.168.2.1 on PC2.
On the host that represents the external network, configure the IP address 203.0.113.1/24 and the gateway address 203.0.113.2.
After the configurations are complete, PC1 and PC2 can ping the external network address 203.0.113.1 and access the Internet. On the firewall, display firewall session table shows the sessions of PC1 and PC2 with their source addresses translated to 203.0.113.2. Because policy1 is the only permit rule and it matches trust-to-untrust traffic only, connections initiated from the Internet toward 192.168.0.0/16 are dropped by the default deny action.

----End

Configuration Scripts
● Switch
#
sysname Switch
#
vlan batch 2 to 3
#
interface GE 1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GE 1/0/2
port default vlan 2


#
interface GE 1/0/3
port default vlan 3
#
return
● USG (used when the firewall performs Layer 3 forwarding through sub-interfaces)
#
dhcp enable
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
vlan-type dot1q 2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1.2
vlan-type dot1q 3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/1.1
add interface GigabitEthernet0/0/1.2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 203.0.113.2 203.0.113.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action source-nat address-group addressgroup1
#
return
● USG (used when the firewall performs Layer 3 forwarding through VLANIF interfaces)
#
vlan batch 2 to 3
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1
portswitch
port hybrid tagged vlan 2 to 3
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface Vlanif2
add interface Vlanif3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 203.0.113.2 203.0.113.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action source-nat address-group addressgroup1
#
return

Related Content
Videos
Connecting an S Series Switch Acting as a Layer 2 Switch to a Firewall

2.3.2 Example for Configuring a Layer 3 Switch to Work with a Firewall for Internet Access
Layer 3 Switch
Layer 3 switches provide routing, a network-layer (Layer 3) function in the OSI model.
Layer 3 switches can work at Layer 2 and Layer 3 and can be deployed at the access layer or aggregation layer as user gateways.

Precautions
Switch configurations used in this example apply to S series switches running
V600.


This example uses firewall configurations of USG6655E V600R007C00. For other firewall configurations, see "Basic Configuration" in the Configuration Guide based on the version of the device.

Networking Requirements
In Figure 2-34, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 3 switch and firewall and
that the Layer 3 switch function as the gateway of users.

Figure 2-34 Configuring a Layer 3 switch to work with a firewall for Internet access

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the switch as the gateway of users to allow users to communicate across network segments through VLANIF interfaces.
2. Configure the switch as the DHCP server to assign IP addresses to users.
3. Configure an interzone security policy for the firewall so that packets of
different zones can be forwarded.
4. Configure the PAT function on the firewall to enable intranet users to access
the Internet.


Procedure
Step 1 Configure the switch.
# Configure the interfaces connecting to users and corresponding VLANIF
interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface GE 1/0/2
[Switch-GE1/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GE1/0/2] quit
[Switch] interface GE 1/0/3
[Switch-GE1/0/3] port default vlan 3
[Switch-GE1/0/3] quit
[Switch] interface Vlanif 2
[Switch-Vlanif2] ip address 192.168.1.1 24
[Switch-Vlanif2] quit
[Switch] interface Vlanif 3
[Switch-Vlanif3] ip address 192.168.2.1 24
[Switch-Vlanif3] quit

# Configure the interface connecting to the firewall and the corresponding VLANIF interface.
[Switch] vlan batch 100
[Switch] interface GE 1/0/1
[Switch-GE1/0/1] port default vlan 100
[Switch-GE1/0/1] quit
[Switch] interface Vlanif 100
[Switch-Vlanif100] ip address 192.168.100.2 24
[Switch-Vlanif100] quit

# Configure the default route.
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //The next hop of the default route is the IP address 192.168.100.1 of the firewall interface.

# Configure the DHCP server.
[Switch] dhcp enable
[Switch] interface Vlanif 2
[Switch-Vlanif2] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses that do not depend on the carrier. In practice, configure the DNS server addresses assigned by the carrier.
[Switch-Vlanif2] quit
[Switch] interface Vlanif 3
[Switch-Vlanif3] dhcp select interface
[Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif3] quit

Step 2 Configure the firewall.
# Configure an IP address for the interface connecting to the switch.
<USG6600E> system-view
[USG6600E] interface Gigabitethernet 0/0/1
[USG6600E-GigabitEthernet0/0/1] ip address 192.168.100.1 255.255.255.0
[USG6600E-GigabitEthernet0/0/1] quit

# Configure an IP address for the interface connecting to the Internet.
[USG6600E] interface Gigabitethernet 0/0/2
[USG6600E-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0 //The IP address of the interface connecting to the Internet is on the same network segment as the public IP address.
[USG6600E-GigabitEthernet0/0/2] quit


# Configure a default route and a return route.
[USG6600E] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //Configure a static default route with the next hop pointing to the public IP address 203.0.113.1.
[USG6600E] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //Configure a return route with the next hop pointing to the IP address 192.168.100.2 of the switch's upstream interface.

# Configure security zones.
[USG6600E] firewall zone trust //Configure the trust zone.
[USG6600E-zone-trust] add interface Gigabitethernet 0/0/1
[USG6600E-zone-trust] quit
[USG6600E] firewall zone untrust //Configure the untrust zone.
[USG6600E-zone-untrust] add interface Gigabitethernet 0/0/2
[USG6600E-zone-untrust] quit

# Configure a security policy to allow inter-zone access.
[USG6600E] security-policy
[USG6600E-policy-security] rule name policy1
[USG6600E-policy-security-rule-policy1] source-zone trust
[USG6600E-policy-security-rule-policy1] destination-zone untrust
[USG6600E-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600E-policy-security-rule-policy1] action permit
[USG6600E-policy-security-rule-policy1] quit
[USG6600E-policy-security] quit

# Configure a PAT address pool that uses the public interface address 203.0.113.2 as the translated address.
[USG6600E] nat address-group addressgroup1
[USG6600E-address-group-addressgroup1] mode pat
[USG6600E-address-group-addressgroup1] route enable
[USG6600E-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2 //Translated public IP address
[USG6600E-address-group-addressgroup1] quit

# Configure a PAT policy so that source IP addresses are automatically translated when devices on a specified network segment of an internal network access the Internet.
[USG6600E] nat-policy
[USG6600E-policy-nat] rule name policy_nat1
[USG6600E-policy-nat-rule-policy_nat1] source-zone trust
[USG6600E-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600E-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //Source IP addresses that are translated using PAT
[USG6600E-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[USG6600E-policy-nat-rule-policy_nat1] quit
[USG6600E-policy-nat] quit
[USG6600E] quit

Step 3 Verify the configuration.
Configure the IP address 192.168.1.2/24 and the gateway address 192.168.1.1 on PC1, and the IP address 192.168.2.2/24 and the gateway address 192.168.2.1 on PC2.
On the host that represents the external network, configure the IP address 203.0.113.1/24 and the gateway address 203.0.113.2.
After the configurations are complete, PC1 and PC2 can ping the external network address 203.0.113.1 and access the Internet. On the firewall, display firewall session table shows the sessions of PC1 and PC2 with their source addresses translated to 203.0.113.2. Because policy1 is the only permit rule and it matches trust-to-untrust traffic only, connections initiated from the Internet toward 192.168.0.0/16 are dropped by the default deny action.

----End

Configuration Scripts
● Switch
#
sysname Switch
#
vlan batch 2 to 3 100
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface GE 1/0/1
port default vlan 100
#
interface GE 1/0/2
port default vlan 2
#
interface GE 1/0/3
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
return

● USG
#
interface GigabitEthernet0/0/1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 203.0.113.2 203.0.113.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action source-nat address-group addressgroup1
#
return
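The two firewall examples above (2.3.1 and 2.3.2) use the same interzone shape: one trust-to-untrust permit rule scoped to 192.168.0.0/16, a PAT pool holding the untrust interface address and, when the switch is the gateway, a return route toward it. The following Python script is an added example and is not part of this document or of Huawei's software. It reads the #-delimited script format printed under "Configuration Scripts" in the indented form the device displays (the copies in this document lost their indentation in conversion) and flags the deviations that most often turn such a gateway into an open door: a permit rule with no source-address, any untrust-to-trust permit, a PAT pool address outside the untrust subnet, and a permitted source that no trust-side route covers. The sample configuration is constructed from the USG script of 2.3.2; the weak variant and the rule name mgmt_in are invented for the demonstration, and the parser understands only the commands that appear in these scripts.

```python
"""Audit the interzone part of a USG6000E-style configuration script (added example)."""
import ipaddress

# Constructed sample: the USG script of the Layer 3 switch + firewall example above,
# cut down to the blocks the audit reads.
GOOD_CFG = """\
#
interface GigabitEthernet0/0/1
 ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 203.0.113.2 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
nat address-group addressgroup1 0
 mode pat
 section 0 203.0.113.2 203.0.113.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
#
return
"""
# Constructed weak variant: policy1 loses its source-address and an invented rule
# "mgmt_in" permits untrust -> trust.
WEAK_CFG = GOOD_CFG.replace("  source-address 192.168.0.0 mask 255.255.0.0\n  action permit\n",
    "  action permit\n rule name mgmt_in\n  source-zone untrust\n  destination-zone trust\n  action permit\n")


def parse(cfg):
    """Collect interfaces, zones, static routes, NAT pools and security-policy rules."""
    st = {"ifaces": {}, "zones": {}, "routes": [], "pools": {}, "rules": []}
    ctx = rule = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = rule = None
            continue
        tok = line.split()
        if not raw[0].isspace():            # unindented = top-level command, opens a context
            ctx, rule = tok, None
            if tok[:2] == ["firewall", "zone"]:
                st["zones"].setdefault(tok[2], [])
            elif tok[:2] == ["ip", "route-static"]:
                st["routes"].append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), ipaddress.ip_address(tok[4])))
            elif tok[:2] == ["nat", "address-group"]:
                st["pools"][tok[2]] = []
        elif ctx is None:
            continue
        elif ctx[0] == "interface" and tok[:2] == ["ip", "address"]:
            st["ifaces"][ctx[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif ctx[0] == "firewall" and tok[:2] == ["add", "interface"]:
            st["zones"][ctx[2]].append(tok[2])
        elif ctx[0] == "nat" and tok[0] == "section":
            st["pools"][ctx[2]].append((ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3])))
        elif ctx[0] == "security-policy" and tok[:2] == ["rule", "name"]:
            rule = {"name": tok[2], "src": None}
            st["rules"].append(rule)
        elif rule is not None and tok[0] == "source-address":
            rule["src"] = ipaddress.ip_network(f"{tok[1]}/{tok[3]}")
        elif rule is not None:
            rule[tok[0]] = tok[1]           # source-zone, destination-zone, action
    return st


def audit(cfg):
    """Return a list of findings; an empty list means the script passed."""
    st = parse(cfg)

    def zone_nets(zone):
        return [st["ifaces"][i].network for i in st["zones"].get(zone, []) if i in st["ifaces"]]

    trust_nets, untrust_nets = zone_nets("trust"), zone_nets("untrust")
    # Networks whose replies are routed back toward the trust side: connected trust
    # subnets plus static routes whose next hop sits inside one of them.
    trust_routed = trust_nets + [net for net, nh in st["routes"] if any(nh in n for n in trust_nets)]
    findings = []
    for r in st["rules"]:
        if r.get("action") != "permit":
            continue
        if r.get("source-zone") == "untrust" and r.get("destination-zone") == "trust":
            findings.append(f"{r['name']}: permits untrust -> trust (inbound from the Internet)")
        if r["src"] is None:
            findings.append(f"{r['name']}: permit with no source-address matches any source")
        elif not any(r["src"].subnet_of(n) for n in trust_routed):
            findings.append(f"{r['name']}: source {r['src']} is wider than the networks routed "
                            "toward trust; narrow it or add a return route")
    for name, sections in st["pools"].items():
        for lo, hi in sections:
            if not any(lo in n and hi in n for n in untrust_nets):
                findings.append(f"{name}: PAT pool {lo}-{hi} lies outside the untrust interface subnet")
    return findings
```

audit(GOOD_CFG) returns an empty list; audit(WEAK_CFG) reports the missing source-address and the inbound permit. Run against the 2.3.1 scripts, where the firewall itself is the gateway, it reports that 192.168.0.0/16 is wider than the two directly connected /24 segments: not a fault in the example, but the least-privilege version of policy1 would carry one source-address per user segment.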

2.4 Typical Configuration for Interoperation Between Switches and Routers

2.4.1 Example for Configuring a Layer 2 Switch to Work with a Router for Internet Access
Layer 2 Switch
Layer 2 switches perform Layer 2 forwarding only; they do not support Layer 3 features such as routing.
Layer 2 switches are typically deployed at the access layer and cannot function as user gateways.

Precautions
Switch configurations used in this example apply to S series switches running
V600.
This example uses router configurations of AR651 V300R022C10. For other router
configurations, see the corresponding documentation.

Networking Requirements
In Figure 2-35, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 2 switch and router and
that the router function as the gateway of users.


Figure 2-35 Configuring a Layer 2 switch to work with a router for Internet access

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface-based VLAN assignment on the switch for Layer 2 forwarding.
2. Configure the router as the gateway of users to implement Layer 3
forwarding across network segments through sub-interfaces or VLANIF
interfaces.
3. Configure the router as the DHCP server to assign IP addresses to users.
4. Configure the NAT function on the router to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.
# Configure the interfaces connecting to user devices.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface GE 1/0/2
[Switch-GE1/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GE1/0/2] quit
[Switch] interface GE 1/0/3
[Switch-GE1/0/3] port default vlan 3
[Switch-GE1/0/3] quit


# Configure the interface connecting to the router.
[Switch] interface GE 1/0/1
[Switch-GE1/0/1] port link-type trunk
[Switch-GE1/0/1] port trunk allow-pass vlan 2 3 //Configure the link type of the interface to trunk so that packets from VLAN 2 and VLAN 3 can be transparently transmitted.
[Switch-GE1/0/1] quit

Step 2 Configure the router.
Two methods are available to configure a router: one is to configure sub-interfaces and the other is to configure VLANIF interfaces.
● Configure the router to terminate VLAN tags through sub-interfaces to implement Layer 3 forwarding across network segments.
# Configure sub-interfaces for VLAN tag termination.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] vlan batch 2 3
[Router] interface GigabitEthernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dot1q termination vid 2
[Router-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[Router-GigabitEthernet0/0/1.1] arp broadcast enable
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface GigabitEthernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dot1q termination vid 3
[Router-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[Router-GigabitEthernet0/0/1.2] arp broadcast enable
[Router-GigabitEthernet0/0/1.2] quit

# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.
[Router] dhcp enable
[Router] interface GigabitEthernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Router-GigabitEthernet0/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses that do not depend on the carrier. In practice, configure the DNS server addresses assigned by the carrier.
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface GigabitEthernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dhcp select interface
[Router-GigabitEthernet0/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-GigabitEthernet0/0/1.2] quit

# Configure the public network interface IP address and a static default route.
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0 //Configure an IP address 203.0.113.2 for GE0/0/2 connected to the public network.
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //Configure a static default route with the next hop pointing to the public IP address 203.0.113.1.

# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for source IP addresses on the network segment 192.168.0.0/16 and translates only source IP addresses of outgoing packets on GE0/0/2.
[Router-acl-basic-2001] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001 //No address group is specified, so the IP address of GE0/0/2 (203.0.113.2) is used as the translated address (Easy IP).
[Router-GigabitEthernet0/0/2] quit

● Configure VLANIF interfaces on the router to implement Layer 3 forwarding across network segments.
# Configure VLANIF interfaces.
[Router] vlan batch 2 3
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] portswitch //Configure an Ethernet interface to switch from Layer 3 mode to Layer 2 mode. If the interface already works in Layer 2 mode, skip this step.
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[Router-GigabitEthernet0/0/1] quit
[Router] interface vlanif 2
[Router-Vlanif2] ip address 192.168.1.1 24 //Configure the IP address of VLANIF 2 as the gateway address of PC1.
[Router-Vlanif2] quit
[Router] interface vlanif 3
[Router-Vlanif3] ip address 192.168.2.1 24 //Configure the IP address of VLANIF 3 as the gateway address of PC2.
[Router-Vlanif3] quit
# Configure the DHCP function to assign IP addresses to intranet users and
specify the DNS server address.
[Router] dhcp enable
[Router] interface vlanif 2
[Router-Vlanif2] dhcp select interface
[Router-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses that do not depend on the carrier. In practice, configure the DNS server addresses assigned by the carrier.
[Router-Vlanif2] quit
[Router] interface vlanif 3
[Router-Vlanif3] dhcp select interface
[Router-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-Vlanif3] quit
# Configure the public network interface IP address and a static default route.
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //Configure a static default route with the next hop pointing to the public IP address 203.0.113.1.
# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for source IP addresses on the network segment 192.168.0.0/16 and translates only source IP addresses of outgoing packets on GE0/0/2.
[Router-acl-basic-2001] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.
1. Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for PC1.
2. Configure an IP address 192.168.2.2/24 and a gateway address 192.168.2.1 for PC2.
3. On the host that represents the external network, configure the IP address 203.0.113.1/24 and the gateway address 203.0.113.2.
4. After the configurations are complete, PC1 and PC2 can ping the external network address 203.0.113.1 and access the Internet. On the router, display nat session all shows the sessions of PC1 and PC2 with their source addresses translated to 203.0.113.2. Note that ACL 2001 selects what is translated but does not filter: a packet that matches no permit rule is still forwarded, with its private source address unchanged.
----End

Configuration Scripts
● Switch
#
sysname Switch


#
vlan batch 2 to 3
#
interface GE 1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GE 1/0/2
port default vlan 2
#
interface GE 1/0/3
port default vlan 3
#
return

● Router (used when the router performs Layer 3 forwarding through sub-interfaces)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 2
ip address 192.168.1.1 255.255.255.0
arp broadcast enable
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 3
ip address 192.168.2.1 255.255.255.0
arp broadcast enable
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
#
return

● Router (used when the router performs Layer 3 forwarding through VLANIF interfaces)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
#
return
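On the AR router, nat outbound 2001 ties address translation to ACL 2001, and the ACL is evaluated with VRP wildcard masks: a 1 bit in the mask means "don't care", so 192.168.0.0 0.0.255.255 is the whole 192.168.0.0/16. The following Python script is an added example and is not part of this document or of Huawei's software. It reads the router scripts of 2.4.1 (and the router half of 2.4.2) in the indented form the device displays, evaluates the ACL as the first-match wildcard comparison the router performs, and reports a rule that permits any source, a nat outbound binding to a missing ACL, and any inside interface subnet that the ACL does not translate. The sample configuration is constructed from the sub-interface variant above; the weak variant is invented for the demonstration.

```python
"""Check the ACL-driven 'nat outbound' of an AR-style router script (added example)."""
import ipaddress

# Constructed sample: the AR651 sub-interface script above, cut to the lines the check reads.
GOOD_CFG = """\
#
acl number 2001
 rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 2
 ip address 192.168.1.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 3
 ip address 192.168.2.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2
 ip address 203.0.113.2 255.255.255.0
 nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
#
return
"""
# Constructed weak variant: the ACL matches any source instead of the intranet /16.
WEAK_CFG = GOOD_CFG.replace("permit source 192.168.0.0 0.0.255.255", "permit source any")
ANY = (0, 0xFFFFFFFF)       # address/wildcard pair that matches every IPv4 source


def parse(cfg):
    """Return ACL rules, addressed interfaces and the 'nat outbound' bindings."""
    acls, ifaces, nat_out, ctx = {}, {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = None
            continue
        tok = line.split()
        if not raw[0].isspace():            # unindented = top-level command
            ctx = tok
            if tok[:2] == ["acl", "number"]:
                acls[tok[2]] = []
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and tok[0] == "rule":
            if len(tok) >= 6 and tok[3] == "source":
                addr = int(ipaddress.IPv4Address(tok[4]))
                # VRP wildcard: a 1 bit means "don't care"; a bare 0 means exact host.
                wc = int(ipaddress.IPv4Address(tok[5])) if "." in tok[5] else int(tok[5])
            else:                           # "source any" or no source clause
                addr, wc = ANY
            acls[ctx[2]].append((int(tok[1]), tok[2], addr, wc))
        elif ctx[0] == "interface" and tok[:2] == ["ip", "address"]:
            ifaces[ctx[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif ctx[0] == "interface" and tok[:2] == ["nat", "outbound"]:
            nat_out[ctx[1]] = tok[2]
    return acls, ifaces, nat_out


def nat_decision(acls, acl_num, ip):
    """First-match evaluation in rule-number order, as the router applies the ACL to
    'nat outbound': 'permit' = source is translated; 'deny' or None = sent as is."""
    for _, action, addr, wc in sorted(acls.get(acl_num, [])):
        if ((int(ip) ^ addr) & ~wc & 0xFFFFFF_FF) == 0:
            return action
    return None


def decision_for(cfg, src):
    """Map each NAT interface to what it does with a packet from `src`."""
    acls, _, nat_out = parse(cfg)
    return {itf: nat_decision(acls, acl, ipaddress.ip_address(src)) for itf, acl in nat_out.items()}


def audit(cfg):
    """Return findings for every interface that binds an ACL to 'nat outbound'."""
    acls, ifaces, nat_out = parse(cfg)
    findings = []
    for out_if, acl_num in nat_out.items():
        rules = acls.get(acl_num)
        if rules is None:
            findings.append(f"{out_if}: nat outbound {acl_num} references a missing ACL")
            continue
        if any(a == "permit" and (addr, wc) == ANY for _, a, addr, wc in rules):
            findings.append(f"ACL {acl_num}: 'permit source any' translates every source, "
                            "not just the intranet segments")
        # Probe one host per inside subnet: anything the ACL does not permit leaves
        # the router with its private source address untouched.
        for name, itf in ifaces.items():
            if name != out_if and nat_decision(acls, acl_num, itf.network[1]) != "permit":
                findings.append(f"{name}: {itf.network} leaves {out_if} untranslated")
    return findings
```

decision_for() answers the question to settle before going live: a packet whose source matches no permit rule is not dropped by the NAT configuration, it is forwarded with its private address, so filtering has to be done by the firewall or by a separate packet-filter ACL, never by the NAT ACL. Adding a third user segment on the switch without extending rule 5 is exactly the case the audit catches.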

Related Content
Videos
Connecting an S Series Switch Acting as a Layer 2 Switch to a Router

2.4.2 Example for Configuring a Layer 3 Switch to Work with a Router for Internet Access
Layer 3 Switch
Layer 3 switches provide routing, a network-layer (Layer 3) function in the OSI model.
Layer 3 switches can work at Layer 2 and Layer 3 and can be deployed at the access layer or aggregation layer as user gateways.

Precautions
● Switch configurations used in this example apply to S series switches running
V600.
● This example uses router configurations of AR651 V300R022C10. For other
router configurations, see the corresponding documentation.

Networking Requirements
In Figure 2-36, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 3 switch and router and
that the Layer 3 switch function as the gateway of users.


Figure 2-36 Configuring a Layer 3 switch to work with a router for Internet access

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switch as the gateway of users to allow users to communicate
across network segments through VLANIF interfaces.
2. Configure the switch as the DHCP server to assign IP addresses to users.
3. Configure the NAT function on the router to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.
# Configure the interfaces connecting to users and corresponding VLANIF
interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface GE 1/0/2
[Switch-GE1/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GE1/0/2] quit
[Switch] interface GE 1/0/3
[Switch-GE1/0/3] port default vlan 3
[Switch-GE1/0/3] quit
[Switch] interface Vlanif 2
[Switch-Vlanif2] ip address 192.168.1.1 24
[Switch-Vlanif2] quit
[Switch] interface Vlanif 3

[Switch-Vlanif3] ip address 192.168.2.1 24
[Switch-Vlanif3] quit

# Configure the interface connecting to the router and the corresponding VLANIF interface.
[Switch] vlan batch 100
[Switch] interface GE 1/0/1
[Switch-GE1/0/1] port default vlan 100
[Switch-GE1/0/1] quit
[Switch] interface Vlanif 100
[Switch-Vlanif100] ip address 192.168.100.2 24
[Switch-Vlanif100] quit

# Configure the default route.
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //The next hop of the default route is the IP address 192.168.100.1 of the router interface.

# Configure the DHCP server.
[Switch] dhcp enable
[Switch] interface Vlanif 2
[Switch-Vlanif2] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses that do not depend on the carrier. In practice, configure the DNS server addresses assigned by the carrier.
[Switch-Vlanif2] quit
[Switch] interface Vlanif 3
[Switch-Vlanif3] dhcp select interface
[Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif3] quit

Step 2 Configure the router.

# Configure an IP address for the interface connecting to the switch.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 192.168.100.1 255.255.255.0 //Configure the IP address 192.168.100.1 as the next-hop IP address of the switch's default route.
[Router-GigabitEthernet0/0/1] quit

# Configure an IP address for the interface connecting to the Internet.
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 203.0.113.2 255.255.255.0 //The IP address of the interface connecting to the Internet is on the same network segment as the public IP address.
[Router-GigabitEthernet0/0/2] quit

# Configure a default route and a return route.
[Router] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //Configure a static default route with the next hop pointing to the public IP address 203.0.113.1.
[Router] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //Configure a return route with the next hop pointing to the IP address 192.168.100.2 of the switch's upstream interface.

# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for source IP addresses on the network segment 192.168.0.0/16 and translates only source IP addresses of outgoing packets on GE0/0/2.
[Router-acl-basic-2001] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit


Step 3 Verify the configuration.
1. Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for
PC1.
2. Configure an IP address 192.168.2.2/24 and a gateway address 192.168.2.1 for
PC2.
3. Configure an IP address 203.0.113.1/24 and a gateway address 203.0.113.2 for
the external network.
4. After the configurations are complete, PC1 and PC2 can ping the external
network IP address 203.0.113.1/24 and access the Internet.

----End

Configuration Scripts
● Switch
#
sysname Switch
#
vlan batch 2 to 3 100
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface GE 1/0/1
port default vlan 100
#
interface GE 1/0/2
port default vlan 2
#
interface GE 1/0/3
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
return

● Router
#
sysname Router
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 203.0.113.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
return


3 Switch Feature Configuration Examples

3.1 Feature-Specific Configuration Examples

3.1.1 Overview of Feature-Specific Configuration Examples

This document describes feature-specific configuration examples for specific device
models and versions. It uses V600R023C00 as an example and applies to switch
products that can be configured using commands. The command formats and
configuration methods are subject to the device models and software versions in
use. For details, see the corresponding product documentation.

3.1.2 Basic Configuration

3.1.2.1 First Login to a Device

3.1.2.1.1 Example for Configuring First Login Through a Console Port

Networking Requirements
When a device is powered on for the first time, you can use the console port to
log in to the device to configure and manage the device. In Figure 3-1, the
console port of the device is connected to PC1.

Figure 3-1 Network diagram of configuring first login through the console port


Configuration Roadmap
1. Log in to the device through the console port.
2. Perform basic configurations on the device.

Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port.
Step 2 Start a terminal emulation program on the PC. Create a connection and set the
port and communication parameters. (This section uses the third-party software
PuTTY as an example.)
1. Click Session to create a connection, as shown in Figure 3-2.

Figure 3-2 Creating a connection

2. Click Serial, select the port to be connected, and set the communication
parameters, as shown in Figure 3-3.
a. Select the port based on actual situations. For example, on Windows, you
can open Device Manager to view port information and select the port
to be connected.
b. Set the communication parameters. Ensure that the communication
parameter settings in the terminal emulation software are consistent with
the default parameter settings (9600 bit/s transmission rate, 8 data bits,
1 stop bit, no parity check, and no flow control) of the device's console
port.


c. Click Open.

NOTE

A PC may have multiple ports that can be connected to the device. In this step, you
need to select the port to be connected to a console cable. In most cases, COM1 is
used.
If the device's console port communication parameters are modified, you need to
modify those on the PC accordingly and re-establish the connection.

Figure 3-3 Setting the port and communication parameters

Step 3 Press Enter until information similar to the following is displayed. Enter a
password and confirm the password as prompted. (The following information is
for reference only.)
User interface con0 is available

Please Press ENTER.

Please configure the login password (8-16)
Enter Password:
Confirm Password: //Enter the password for logging in to the device through the console port.
Info: Save the password now. Please wait for a moment.
Info: The max number of VTY users is 21, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2020-06-30 18:15:10+08:00
<HUAWEI>


NOTE

● You must set a login password upon first login to the device through the console port.
By default, you can use the console port to perform administrator operations after
successfully logging in to the device.
● The password is a string of 8 to 16 case-sensitive characters. It must contain at least
two of the following character types: uppercase letters, lowercase letters, digits, and
special characters. Special characters do not include question marks (?) or spaces.
● The password entered in interactive mode will not be displayed on the terminal screen.
● For security purposes, change the password periodically.

----End

Verifying the Configuration

After the preceding configurations are complete, you can enter commands to
configure the device. Enter a question mark (?) whenever you need help.

3.1.2.2 CLI-based Device Login

3.1.2.2.1 Example for Configuring Telnet Login

Networking Requirements
Users want to easily configure and manage the device shown in Figure 3-4. AAA
authentication needs to be configured for Telnet users on the server, and an ACL
policy needs to be configured to ensure that only the users matching the ACL can
log in to the device.

Figure 3-4 Network diagram of Telnet login

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure Telnet login to remotely maintain the device.
2. Configure an ACL to ensure that only users matching the ACL can log in to
the device.
3. Configure the user name and password for the administrator, and configure
an AAA authentication policy to ensure that only users passing the
authentication can log in to the device.


Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, and protocol. For
details about secure configuration examples, see 3.1.2.2.2 Example for
Configuring STelnet Login.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Set the IP address of the management interface for the Telnet server.
<HUAWEI> system-view
[HUAWEI] sysname Telnet Server
[Telnet Server] interface meth 0/0/0
[Telnet Server-MEth0/0/0] ip address 10.137.217.177 255.255.255.0
[Telnet Server-MEth0/0/0] quit

Step 3 Set the server port number and enable the server function.
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
[Telnet Server] telnet server-source all-interface

Step 4 Set parameters for the VTY user interface.

# Set the maximum number of VTY user interfaces.
[Telnet Server] user-interface maximum-vty 8

# Specify the IP address of the host allowed to access the device.
[Telnet Server] acl 2001
[Telnet Server-acl4-basic-2001] rule permit source 10.137.217.10 0
[Telnet Server-acl4-basic-2001] rule deny source 10.137.217.20 0
[Telnet Server-acl4-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound

# Configure terminal attributes for the VTY user interface.
[Telnet Server-ui-vty0-7] shell
[Telnet Server-ui-vty0-7] idle-timeout 20
[Telnet Server-ui-vty0-7] screen-length 30
[Telnet Server-ui-vty0-7] history-command max-size 20
[Telnet Server-ui-vty0-7] protocol inbound telnet

# Configure the authentication mode for the VTY user interface.
[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit

Step 5 Configure login user information.

# Configure the authentication mode for the login user.
[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit

----End

Verifying the Configuration

# Run the following command on the CLI of PC1 to telnet to the device:
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

# Press Enter, and enter the user name and password configured for AAA authentication in the login window. If the authentication is successful, the command line prompt for the user view is displayed, indicating that you have successfully logged in to the device.
Username:admin1234
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
<Telnet Server>

Configuration Scripts
#
sysname Telnet Server
#
telnet server enable
telnet server-source all-interface
telnet server port 1025
#
acl number 2001
rule 5 permit source 10.137.217.10 0
rule 10 deny source 10.137.217.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type telnet
local-user admin1234 privilege level 3
#
interface MEth0/0/0
ip address 10.137.217.177 255.255.255.0
#
user-interface maximum-vty 8
#
user-interface vty 0 7
acl 2001 inbound
authentication-mode aaa
history-command max-size 20
idle-timeout 20 0
screen-length 30
#
return
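The router's NAT ACL 2001 in the campus example above and the Telnet server's VTY ACL 2001 here both rely on the same basic-ACL wildcard semantics. The following Python example is added here and is not part of the Huawei document; it parses rules in the syntax shown in this chapter and evaluates source addresses against them, assuming VRP's default rule-ID step of 5 for unnumbered rules, that a bare 0 after the address means a single host, and that a bare prefix length is accepted in place of a dotted wildcard (the STelnet example later in this chapter enters `source 10.248.103.0 24` and stores it as `0.0.0.255`).

```python
"""Evaluate Huawei basic ACL rules in the syntax this chapter uses
('rule [N] permit|deny source ADDRESS WILDCARD') against source addresses.
Added example code, not Huawei's implementation. Assumptions: wildcard bits set
to 1 are 'don't care' and 0 bits must match; a bare 0 after the address means a
single host; any other bare number is a prefix length (the STelnet example later
in this chapter enters 'source 10.248.103.0 24' and stores it as 0.0.0.255);
unnumbered rules get the next multiple of 5; the first matching rule wins."""
import ipaddress
import re

# search() rather than match(), so CLI transcript lines with a prompt also parse
RULE_RE = re.compile(r"rule(?:\s+(\d+))?\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")
ALL_ONES = 0xFFFFFFFF


def wildcard_to_int(token):
    """Dotted wildcard as given; bare '0' is a host; another bare number is a prefix length."""
    if "." in token:
        return int(ipaddress.IPv4Address(token))
    if token == "0":
        return 0
    return ALL_ONES >> int(token)


def parse_acl(lines):
    """Return [(rule_id, action, address, wildcard)] sorted by rule id."""
    rules, last_id = [], 0
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            continue  # 'acl number' headers, prompts and other non-rule lines
        rule_id = int(m.group(1)) if m.group(1) else last_id + 5
        last_id = rule_id
        rules.append((rule_id, m.group(2), int(ipaddress.IPv4Address(m.group(3))),
                      wildcard_to_int(m.group(4))))
    return sorted(rules)


def match(rules, source):
    """First matching action ('permit' or 'deny'), or None when no rule matches."""
    src = int(ipaddress.IPv4Address(source))
    for _, action, addr, wildcard in rules:
        care = ~wildcard & ALL_ONES  # the bits the rule insists on
        if (src & care) == (addr & care):
            return action
    return None


# Rules copied from this chapter: the router's NAT ACL 2001 and the Telnet
# server's VTY ACL 2001.
NAT_ACL = parse_acl(["rule 5 permit source 192.168.0.0 0.0.255.255"])
VTY_ACL = parse_acl(["rule permit source 10.137.217.10 0",
                     "rule deny source 10.137.217.20 0"])
```

What the platform does with a source that matches no rule depends on where the ACL is applied, so `match` returns `None` for that case rather than guessing.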

3.1.2.2.2 Example for Configuring STelnet Login

Networking Requirements
In Figure 3-5, after the STelnet server function is enabled on the device
functioning as the SSH server, the PC functioning as the SSH client can connect to
the SSH server in different authentication modes. This section uses the RSA
authentication mode as an example to describe how to log in to the SSH server
using STelnet.


To improve system security and prevent unauthorized users from logging in to the
SSH server, you can configure an ACL rule on the SSH server.

Figure 3-5 Network diagram of STelnet login

Configuration Roadmap
The configuration roadmap is as follows:

1. Set the IP address of the management interface for the SSH server.
2. Configure the SSH server to generate a local key pair.
3. Configure a VTY user interface on the SSH server.
4. Create a local user and configure the service type for the user.
5. Create an SSH user and configure the authentication mode for the user.
6. On the SSH client, create a key pair based on the configured SSH user
authentication mode and copy the public key to the SSH server.
7. On the SSH server, edit the public key and assign it to the user.
8. Enable STelnet on the SSH server and set the service type of the SSH user to
STelnet.
9. On the SSH server, configure an ACL to allow access of the STelnet client.
10. Set parameters for STelnet login to the server.

Data Preparation
To complete the configuration, ensure that the following configurations have been
completed:

NOTE

To ensure high security, you are advised to use the RSA key pair whose length is 3072 bits
or longer.
● OpenSSH has been installed on the SSH client.
● The IP address of the management interface for the SSH server is
10.248.103.194/24.
● The local user's authentication mode is set to password authentication, and
the user name and password are admin123 and YsHsjx_202206, respectively.
● The SSH user's authentication mode is RSA.
● ACL 2000 is configured to allow the clients on the network segment
10.248.103.0/24 to access the SSH server.


Procedure
Step 1 Set the IP address of the management interface for the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface meth 0/0/0
[SSH Server-MEth0/0/0] ip address 10.248.103.194 255.255.255.0
[SSH Server-MEth0/0/0] quit

Step 2 Configure the SSH server to generate a local key pair.
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

Step 3 Configure a VTY user interface on the SSH server.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

NOTE

If SSH is configured as the login protocol, the device automatically disables the Telnet
function.

Step 4 On the server, create a local user and configure the service type for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user admin123 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user admin123 service-type ssh
[SSH Server-aaa] local-user admin123 privilege level 3
[SSH Server-aaa] quit

Step 5 Create an SSH user on the server and configure the authentication mode for the
user.
[SSH Server] ssh user admin123
[SSH Server] ssh user admin123 authentication-type rsa

Step 6 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 7 Use OpenSSH to create an RSA key pair on the SSH client and copy the public key
to the SSH server.
Access the Windows CLI, create an RSA key pair, and save it to the local
id_rsa.pub file. (The following information is for reference only.)
C:\Users\User1>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\User1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\User1/.ssh/id_rsa.
Your public key has been saved in C:\Users\User1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:c43yubJjCUjY3JqH0aVZwJFM3gWJcH4YI5+4HUDAIqo
The key's randomart image is:
+---[RSA 3072]----+
| ..o==B=.o. |
|o . O=*+. |
|o. +.oB=o |
|. . =o=o o |
|. ..*. S o . |
|E = o = . |
| . . .o |
| = . |
| ..+. |
+----[SHA256]-----+

Step 8 On the SSH server, edit the public key generated using OpenSSH on the SSH client
and assign it to the user.
[SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCg5Ag490i6ilB7QuCVb35B8RJEh1DIYB88h2p1qjdh7qdMQv8rp
JaVAgQWxwzKZO0XdFuz4ReGQzTCSf7Det7Ajicddw3qi+6P8hRqZj6MPdLg/o3RN4aPCfr/
LFWCwqJ3gWGHlOC7qqjRk+6pySVoiWcSk5/elBkU7WVk/
cSWrt4qFXJV373OCesKcEVeDvAa1Tvx6L3LQroBqUO0EXzDgOthPCmOqiqvS5h3JipzqVsesdSKjeInooCQzS
Ov5eePpBcFcIvU6wFiLIZ5vnf6YtypgTVzHuje/sh4xM7Iuuon7AYXKHT8NpO9jd9zA/lKaRPXyDtei1O1Bt/
5lxnn
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-key-code] peer-public-key end
[SSH Server] ssh user admin123 assign rsa-key rsa01

Step 9 Enable the STelnet function and set the user service type to STelnet.
[SSH Server] stelnet server enable
[SSH Server] ssh server-source all-interface
[SSH Server] ssh user admin123 service-type stelnet

Step 10 Configure an ACL rule.
[SSH Server] acl 2000
[SSH Server-acl4-basic-2000] rule permit source 10.248.103.0 24
[SSH Server-acl4-basic-2000] quit
[SSH Server] ssh server acl 2000

----End

Verifying the Configuration

Use the OpenSSH software to log in to the SSH server from the client. Access the
Windows CLI and run the OpenSSH commands to access the device using STelnet.
C:\Users\User1>ssh admin123@10.248.103.194
Enter passphrase for key 'C:\Users\User/.ssh/id_rsa':
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2020-12-15 15:58:03.
<SSH Server>

Configuration Scripts
#
sysname SSH Server
#
acl number 2000
rule 5 permit source 10.248.103.0 0.0.0.255
#
rsa peer-public-key rsa01 encoding-type openssh
public-key-code begin
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCg5Ag490i6ilB7QuCVb35B8RJEh1DIYB88h2p1qjdh7qdMQv8rpJaVA
gQWxwzKZO0XdFuz4ReGQzTCSf7Det7Ajicddw3qi+6P8hRqZj6MPdLg/o3RN4aPCfr/
LFWCwqJ3gWGHlOC7qqjRk+6pySVoiWcSk5/elBkU7WVk/
cSWrt4qFXJV373OCesKcEVeDvAa1Tvx6L3LQroBqUO0EXzDgOthPCmOqiqvS5h3JipzqVsesdSKjeInooCQzSOv5e
ePpBcFcIvU6wFiLIZ5vnf6YtypgTVzHuje/sh4xM7Iuuon7AYXKHT8NpO9jd9zA/lKaRPXyDtei1O1Bt/5lxnn rsa-key
public-key-code end
peer-public-key end
#
aaa
local-user admin123 password irreversible-cipher $1d$+,JS+))\\2$KVNj(.3`_5x0FCKGv}H&.kUTI`Ff&H*eBqO.ua>)$
local-user admin123 service-type terminal ssh
local-user admin123 privilege level 3
#
interface MEth0/0/0
ip address 10.248.103.194 255.255.255.0
#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type rsa
ssh user admin123 assign rsa-key rsa01
ssh user admin123 service-type stelnet
ssh server-source all-interface
ssh server acl 2000
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

3.1.2.2.3 Example for Configuring Login Through a Console Port

Networking Requirements
If users cannot remotely log in to a device, they can locally log in to the device
through the console port on the device. Password authentication is used for login
through the console port. To prevent unauthorized users from accessing a device,
you can change the authentication mode of the console user interface (used for
login through the console port) to AAA authentication.

Figure 3-6 Network diagram of login through the console port

Configuration Roadmap
The configuration roadmap is as follows:
1. Use the terminal emulation software to log in to the device through the
console port.
2. Configure the authentication mode for the console user interface.


NOTE

If the system does not provide terminal emulation software, obtain it from a third party. For
details about how to use the software, see the software user guide or online help.

Procedure
Step 1 Connect the DB9 connector of the prepared console cable to the PC's serial port
(COM), and the RJ45 connector to the device's console port. If there is no DB9
serial port on your terminal (PC), use a DB9-to-USB cable to connect the USB port
to the terminal.

Step 2 Start PuTTY on the PC (PuTTY is an example terminal emulator). Create a
connection, select the connection port, and set communication parameters.
1. Click Session to create a connection, as shown in Figure 3-7.

Figure 3-7 Creating a connection

2. Click Serial and set the port to be connected and the communication
parameters, as shown in Figure 3-8.
a. Select the port according to your requirements. For example, in a
Windows operating system, you can open Device Manager to view port
information and select the port to be connected.
b. Ensure that the communication parameters you set in the terminal
emulation software are consistent with the default parameter settings of
the device's console port.


c. Click Open.

NOTE

A PC may have multiple ports that can be connected to the device. In this step, the
port to be connected to a console cable must be selected. In most cases, COM1 is
used.
If the device's communication parameters are modified, those on the PC must be
modified accordingly and the connection must be re-established.

Figure 3-8 Setting the connection port and communication parameters

Step 3 Press Enter until the system prompts you to enter the password. (During AAA
authentication, the system asks you to enter the user name and password. The
following information is for reference only.)
Login authentication

Password:

You can run commands to configure the device. Enter a question mark (?) if you
need help.

Step 4 Configure the authentication mode for the console user interface.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] user privilege level 3
[HUAWEI-ui-console0] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[HUAWEI-aaa] local-user admin1234 privilege level 3
[HUAWEI-aaa] local-user admin1234 service-type terminal

----End

Verifying the Configuration

After the preceding operations, you must enter the user name admin1234 and
password YsHsjx_202206 when logging in to the device.
Username:admin1234
Password:
<HUAWEI>

Configuration Scripts
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 service-type terminal
local-user admin1234 privilege level 3
#
user-interface con 0
authentication-mode aaa
#
return

3.1.2.2.4 Example for Configuring Telnet Login Based on ACL Rules and RADIUS
Authentication

Networking Requirements
The network administrator requires remote management and maintenance on a
device and high network security for protecting the network against unauthorized
access. To meet the requirements, you can configure Telnet login based on ACL
rules and RADIUS authentication.

In Figure 3-9, DeviceA is the Telnet server, and there are reachable routes between
the network administrator's PC and DeviceA and between DeviceA and the
RADIUS server. The IP address and port number of the RADIUS server are
10.1.6.6/24 and 1812, respectively.

Figure 3-9 Network diagram for configuring Telnet login based on ACL rules and
RADIUS authentication


NOTE

In this example, interface1 and interface2 represent 10GE1/0/1 and 10GE1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set device interface parameters.
2. Configure Telnet to enable users to log in to the device through Telnet.
3. Configure an ACL rule to ensure that only users matching the ACL rule can
log in to the device.
4. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, users must use the user name and password
configured on the RADIUS server to log in to the device through Telnet,
ensuring login security.
5. Configure the RADIUS server.

Configuration Precautions
● In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, and protocol. For
details about the configuration example of secure authentication, see
3.1.2.2.5 Example for Configuring STelnet Login Based on RADIUS
Authentication.
● Ensure that there are reachable routes between devices before the
configuration.
● Ensure that the IP address, port number, and shared key of the RADIUS server
are configured correctly on the device and are the same as those on the
RADIUS server.
● After a domain is configured as the global default administrative domain, the
AAA configuration in this domain is used, regardless of whether the user
name of the administrator contains the domain name.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user admin123@huawei.com (user name@domain name) and password
YsHsjx_202206 have been configured on the RADIUS server.
● If the RADIUS server does not support the user names containing domain
names, run the undo radius-server user-name domain-included command
to configure the device not to encapsulate the domain name in the user name
when sending packets to the RADIUS server.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Set interface parameters.
# Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.2 255.255.255.0
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.6.2 255.255.255.0
[DeviceA-Vlanif20] quit

Step 3 Configure Telnet login.

# Set the server port number and enable the Telnet server function.
[DeviceA] telnet server enable
[DeviceA] telnet server port 1025
[DeviceA] telnet server-source all-interface

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to 4 to AAA and Telnet, respectively.
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] authentication-mode aaa
[DeviceA-ui-vty0-4] protocol inbound telnet
[DeviceA-ui-vty0-4] user privilege level 3
[DeviceA-ui-vty0-4] quit

Step 4 Configure an ACL rule to allow the administrator to log in.
[DeviceA] acl 2000
[DeviceA-acl4-basic-2000] rule permit source 10.137.217.10 0
[DeviceA-acl4-basic-2000] quit
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] acl 2000 inbound
[DeviceA-ui-vty0-4] quit

Step 5 Configure RADIUS authentication.

# Configure a RADIUS server template for communication between DeviceA and the RADIUS server.
[DeviceA] radius-server template 1
[DeviceA-radius-1] radius-server authentication 10.1.6.6 1812 weight 80
[DeviceA-radius-1] radius-server shared-key cipher YsHsjx_202206
[DeviceA-radius-1] quit

# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme auth1
[DeviceA-aaa-authen-auth1] authentication-mode radius
[DeviceA-aaa-authen-auth1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server
template to the domain.
[DeviceA-aaa] domain huawei.com
[DeviceA-aaa-domain-huawei.com] authentication-scheme auth1
[DeviceA-aaa-domain-huawei.com] radius-server 1
[DeviceA-aaa-domain-huawei.com] quit
[DeviceA-aaa] quit

# Configure the domain huawei.com as the global default administrative domain
so that the administrator does not need to enter the domain name when logging
in to the device.
[DeviceA] domain huawei.com admin

Step 6 Configure the RADIUS server.
The configuration includes the following steps: add a device, add a user, and set
the user privilege level to 3.

----End

Verifying the Configuration
# Run the following command on the CLI of the administrator's PC to telnet to the
device:
C:\Documents and Settings\Administrator> telnet 10.1.1.2 1025

# In the login window, enter the user name admin123 and password
YsHsjx_202206 configured on the RADIUS server as prompted, and press Enter. If
the authentication succeeds, you can successfully log in to DeviceA through Telnet.
(The following information is for reference only.)
Username:admin123
Password:
Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
<DeviceA>

Configuration Scripts
#
sysname DeviceA
#
acl number 2000
rule 5 permit source 10.137.217.10 0
#
radius-server template 1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acc1
accounting-mode radius
domain huawei.com
authentication-scheme auth1
accounting-scheme acc1
radius-server 1
#
domain huawei.com admin
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
telnet server enable
telnet server-source all-interface
telnet server port 1025
#
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user privilege level 3
protocol inbound telnet
#
return

3.1.2.2.5 Example for Configuring STelnet Login Based on RADIUS Authentication

Networking Requirements
The network administrator requires secure remote login to a device and high
network security for protecting the network against unauthorized access. To meet
the requirements, you can configure STelnet login based on RADIUS
authentication.
In Figure 3-10, DeviceA functions as an SSH server and there are reachable routes
between it and the RADIUS server. The IP address and port number of the RADIUS
server are 10.1.6.6/24 and 1812, respectively.

Figure 3-10 Network diagram for configuring STelnet login based on RADIUS
authentication

NOTE

In this example, interface1 and interface2 represent 10GE1/0/1 and 10GE1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set device interface parameters.
2. Configure the SSH server to generate a local key pair to implement secure
data exchange between the server and client.
3. Configure STelnet to enable users to log in to the device through STelnet.
4. Configure an ACL rule to ensure that only users matching the ACL rule can
log in to the device.
5. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, users must use the user name and password
configured on the RADIUS server to log in to the device through STelnet,
ensuring login security.
6. Configure the RADIUS server.

Configuration Precautions
● Ensure that SSH client software for logging in to the SSH server has been
installed on the user terminal before configuring STelnet login.
● Ensure that there are reachable routes between the user terminal and the
device and between the device and RADIUS server.
● After a domain is configured as the global default administrative domain, the
AAA configuration in this domain is used, regardless of whether the user
name of the administrator contains the domain name.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user [email protected] (user name@domain name) and password
YsHsjx_202206 have been configured on the RADIUS server.
● If the RADIUS server does not support the user names containing domain
names, run the undo radius-server user-name domain-included command
to configure the device not to encapsulate the domain name in the user name
when sending packets to the RADIUS server.

Procedure
Step 1 Set interface parameters.
# Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.2 255.255.255.0
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.6.2 255.255.255.0
[DeviceA-Vlanif20] quit

Step 2 Configure STelnet login.
# Configure DeviceA to generate a local key pair.
[DeviceA] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

# Configure a VTY user interface on the SSH server.
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] authentication-mode aaa
[DeviceA-ui-vty0-4] protocol inbound ssh
[DeviceA-ui-vty0-4] user privilege level 3
[DeviceA-ui-vty0-4] quit

# Configure the public key algorithm, encryption algorithm, key exchange
algorithm list, HMAC authentication algorithm, and minimum key length on the
SSH server.
[DeviceA] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[DeviceA] ssh server hmac sha2_256 sha2_512
[DeviceA] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[DeviceA] ssh server publickey rsa_sha2_256 rsa_sha2_512

# Create an SSH user on the server and set the authentication mode to password
authentication.
[DeviceA] ssh user admin123
[DeviceA] ssh user admin123 authentication-type password

NOTE

To configure password authentication for multiple SSH users, run the ssh authentication-
type default password command to specify password authentication as the default
authentication mode of SSH users. After this configuration is complete, you do not need to
repeatedly configure the authentication mode and service type for each SSH user,
simplifying configuration and improving efficiency.

# Enable STelnet and set the user service type to STelnet.
[DeviceA] stelnet server enable
[DeviceA] ssh server-source all-interface
[DeviceA] ssh user admin123 service-type stelnet

Step 3 Configure an ACL rule to allow the administrator to log in.
[DeviceA] acl 2000
[DeviceA-acl4-basic-2000] rule permit source 10.137.217.10 0
[DeviceA-acl4-basic-2000] quit
[DeviceA] ssh server acl 2000

NOTE

The ACL configuration is optional.

Step 4 Configure RADIUS authentication.
# Configure a RADIUS server template for communication between DeviceA and
the RADIUS server.
[DeviceA] radius-server template 1
[DeviceA-radius-1] radius-server authentication 10.1.6.6 1812 weight 80
[DeviceA-radius-1] radius-server shared-key cipher YsHsjx_202206
[DeviceA-radius-1] quit

# Configure an AAA authentication scheme and set the authentication mode to
RADIUS.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme auth1
[DeviceA-aaa-authen-auth1] authentication-mode radius
[DeviceA-aaa-authen-auth1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server
template to the domain.
[DeviceA-aaa] domain huawei.com
[DeviceA-aaa-domain-huawei.com] authentication-scheme auth1
[DeviceA-aaa-domain-huawei.com] radius-server 1
[DeviceA-aaa-domain-huawei.com] quit
[DeviceA-aaa] quit

# Configure the domain huawei.com as the global default administrative domain
so that the administrator does not need to enter the domain name when logging
in to the device.
[DeviceA] domain huawei.com admin

Step 5 Configure the RADIUS server.
The configuration includes the following steps: add a device, add a user, and set
the user privilege level to 3.

----End
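The Telnet and STelnet examples above both hand the login decision to the RADIUS server at 10.1.6.6:1812 using the key set with radius-server shared-key. The following Python script is an added illustration, not code from this guide or from the device, of what passes between the switch (the NAS) and the server in that exchange as defined in RFC 2865: the User-Password attribute is hidden with the shared key and the Request Authenticator, and the Access-Accept or Access-Reject carries a Response Authenticator that the switch must check before trusting it. The user table, identifier values and the fixed authenticator used in the checks are constructed sample values; a real NAS picks a fresh random authenticator for every request.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values taken from the examples: the key set with
# "radius-server shared-key" on DeviceA and the user created on the RADIUS server.
SHARED_SECRET = b"YsHsjx_202206"
USER_DB = {"admin123": "YsHsjx_202206"}  # constructed server-side user table

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request
    Authenticator, so the same password looks different in every request."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it: chain on the received blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then type-length-value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > length:  # a zero length would loop forever
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[i + 2:i + ln]))
        i += ln
    return code, ident, pkt[4:20], attrs


def client_access_request(username: str, password: str, ident: int = 1,
                          authenticator: bytes = None) -> bytes:
    """What the NAS (DeviceA) sends to 10.1.6.6:1812 after the login prompt."""
    authenticator = authenticator or os.urandom(16)  # fresh and unpredictable per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, authenticator))]
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)


def server_handle(request: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """RADIUS server side: recover the password, check the user table, sign the reply."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if USER_DB.get(user) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify_reply(request: bytes, reply: bytes, secret: bytes = SHARED_SECRET):
    """Return the reply code only if the reply is bound to this request and keyed
    with our shared key; otherwise None, which the NAS must treat as no answer."""
    _, req_ident, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(expected, resp_auth):
        return None
    return code
```

Two points the example makes concrete: the shared key is the only thing that binds a reply to its request, so a reply produced with a different key fails verification and is treated as no answer rather than as an Accept; and the password hiding is reversible by anyone holding the key, which is why the key is stored as a cipher value in the configuration script and why the path from VLANIF 20 to 10.1.6.6 should be a trusted management segment.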

Verifying the Configuration
Use the OpenSSH software to log in to the SSH server from the client. Access the
Windows CLI and run the OpenSSH commands to access the device using STelnet.
On the login page, enter the user name admin123 and password YsHsjx_202206
configured on the RADIUS server as prompted, and press Enter. If the
authentication succeeds, you can successfully log in to DeviceA through STelnet.
(The following information is for reference only.)
C:\Documents and Settings\Administrator>ssh [email protected]
Enter passphrase for key 'C:\Users\User/.ssh/id_rsa':
Enter password:

Warning: Negotiated key exchange algorithm and identity key for server authentication are not safe. It is recommended that you disable the insecure algorithm or upgrade the client.

Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 21, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2022-09-28 12:07:34.
The last login time is 2022-09-28 06:44:35 from 172.16.0.1 through SSH.
The last login failure time is 2022-09-28 11:59:21 from 172.16.0.1 through SSH. Consecutive login failures since the last successful login: 3.
<DeviceA>

Configuration Scripts
#
sysname DeviceA
#
acl number 2000
rule 5 permit source 10.137.217.10 0
#
radius-server template 1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acc1
accounting-mode radius
domain huawei.com
authentication-scheme auth1
accounting-scheme acc1
radius-server 1
#
domain huawei.com admin
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
stelnet server enable
ssh user admin123
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
ssh server-source all-interface
ssh server acl 2000
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return

3.1.2.3 Web UI-based Login

3.1.2.3.1 Example for Configuring Web UI-based Login Through HTTPS (Default Certificate)

Networking Requirements
In Figure 3-11, the local account admin123 is configured for DeviceA, which can
be used to log in to the web UI of DeviceA through HTTPS.

Figure 3-11 Network diagram for logging in to the web UI through HTTPS
(default certificate)
NOTE

In this example, interface 1 represents Vlanif10.

Data Planning
Item                  Data
User name             admin123
Password              YsHsjx_202206
Service type          HTTPS
User privilege level  3

Configuration Roadmap
1. Configure all interfaces to be used to access the web UI.
2. Configure a login interface for the device.
3. Create a local user account for logging in to the web UI of the device.
4. Enable the web service function on the device.
5. Use the local user account to log in to the web UI of the device.

Procedure
Step 1 Configure all interfaces to be used to access the web UI.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] web-manager server-source all-interface

Step 2 Configure a login interface for the device.
1. Configure an IP address for the interface.
[DeviceA] interface vlanif10
[DeviceA-Vlanif10] ip address 10.3.0.1 255.255.255.0
[DeviceA-Vlanif10] quit

Step 3 Create a web user account.
[DeviceA] aaa
[DeviceA-aaa] local-user admin123 password irreversible-cipher YsHsjx_202206
[DeviceA-aaa] local-user admin123 service-type http
[DeviceA-aaa] local-user admin123 privilege level 3
[DeviceA-aaa] quit

Step 4 Enable the web service function.
1. Enable the HTTPS service.
[DeviceA] web-manager enable port 8443

2. Enable forcible redirection from HTTP to HTTPS.
[DeviceA] web-manager http forward enable

When this function is enabled, HTTPS is used even if you use HTTP to access
the web UI.

Step 5 Log in to the web UI.
1. Set the IP address of the PC used for web UI login to 10.3.0.10/24.
2. Open a browser and enter https://10.3.0.1:8443.

3. Enter the created web user account (user name: admin123; password:
YsHsjx_202206) and click Login.

----End

Verifying the Configuration
Use a browser to access the web UI of the device, enter the user name and
password, and check whether the login is successful.

Configuration Scripts
#
sysname DeviceA
#
web-manager server-source all-interface
web-manager enable port 8443
web-manager http forward enable
#
interface Vlanif10
ip address 10.3.0.1 255.255.255.0
#
aaa
local-user admin123 password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!ab48y=Ic*xEUR4pVhR2"9-~,$
local-user admin123 service-type http
local-user admin123 privilege level 3
#
return

3.1.2.4 File System Management

3.1.2.4.1 Example for Managing Files Locally

Networking Requirements
A user logs in to a device using the console port, Telnet, or STelnet, and needs to
perform the following operations on the files on the device:
● View files and subdirectories in the current directory.
● Create a directory named test. Copy the vrpcfg.zip file to the directory test
and rename the file backup.zip.
● View files in the test directory.

Procedure
Step 1 View files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] quit
<Device> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 889 Mar 01 2019 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2019 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2019 17:20:10 vrpcfg.zip
3 -rw- 812 Nov 12 2019 15:43:10 hostkey
4 drw- - Mar 01 2019 14:41:46 compatible
5 -rw- 540 Nov 12 2019 15:43:12 serverkey
...
670,092 KB total (569,904 KB free)

Step 2 Create a directory named test. Copy the vrpcfg.zip file to the directory test and
rename the file backup.zip.
# Create the test directory.
<Device> mkdir test
Info: Create directory flash:/test/......Done.

# Copy the vrpcfg.zip file to the test directory and rename the file backup.zip.
<Device> copy vrpcfg.zip flash:/test/backup.zip
Info: Are you sure to copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.

NOTE

If the destination file name is not specified, the source file name is used as the destination
file name by default. That is, the destination file has the same name as the source file.

----End

Verifying the Configuration
# Access the test directory.
<Device> cd test

# View the current directory.
<Device> pwd
flash:/test/

# View files in the test directory.
<Device> dir
Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip

670,092 KB total (569,900 KB free)

Configuration Scripts
#
sysname Device
#
return

3.1.2.4.2 Example for Configuring a Device as an FTP Server

Networking Requirements
In Figure 3-12, PC1 connects to the device at 10.136.23.5. The device needs to be
upgraded. To be specific, the device needs to function as the FTP server so that the
system software can be uploaded from PC1 to the device and the configuration
file of the device can be saved to PC1 for backup. In addition, an ACL policy needs
to be configured so that only PC1 can access the FTP server.

Figure 3-12 Network diagram for configuring a device as an FTP server
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FTP server function for the device and configure information
about an FTP user, including the source address, user name, password, user
privilege level, service type, and authorized directory.
2. Configure access permissions on the FTP server.
3. Save the current configuration file on the device.
4. Log in to the FTP server from PC1.
5. Upload the system software to the device and back up the configuration file
of the device to PC1.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 3.1.2.4.3 Example for Configuring a
Device as an SFTP Server.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Configure an IP address for the FTP server.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] interface 10ge 1/0/1
[FTP_Server-10GE1/0/1] undo portswitch
[FTP_Server-10GE1/0/1] ip address 10.136.23.5 255.255.255.0
[FTP_Server-10GE1/0/1] quit

Step 3 Configure the FTP server function for the device and configure information about
an FTP user.
[FTP_Server] ftp server enable
[FTP_Server] ftp server-source all-interface
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[FTP_Server-aaa] local-user admin1234 privilege level 3
[FTP_Server-aaa] local-user admin1234 service-type ftp
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/
[FTP_Server-aaa] quit

Step 4 Configure access permissions on the FTP server.
[FTP_Server] acl number 2001
[FTP_Server-acl4-basic-2001] rule permit source 10.136.23.10 0
[FTP_Server-acl4-basic-2001] rule deny source 10.136.23.20 0
[FTP_Server-acl4-basic-2001] quit
[FTP_Server] ftp server acl 2001
[FTP_Server] quit
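The ACLs in these examples (2000 in the Telnet and STelnet examples, 2001 here) are basic ACLs that match only the source address against a Huawei wildcard mask and are evaluated in ascending rule number. The Python below is an added example, not code from this guide or from the device, that reproduces that matching so a reviewer can check which hosts a login ACL actually admits. The rule set is constructed and modelled on ACL 2001; its rule 15 with the 0.0.0.255 wildcard is an added, constructed rule that shows ordering. The action for a source that matches no rule depends on the service the ACL is bound to, so it is passed in explicitly (an assumption of this example, not a statement about the device default).

```python
import ipaddress
import re

# Basic ACL rule form used in the examples, e.g. "rule 5 permit source 10.136.23.10 0".
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)\s*$")


def _wildcard_int(wildcard: str) -> int:
    # The CLI accepts the shorthand "0" for 0.0.0.0 (exact host match).
    return int(wildcard) if "." not in wildcard else int(ipaddress.IPv4Address(wildcard))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means "don't care".
    0.0.0.0 matches one host, 0.0.0.255 matches the whole /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = _wildcard_int(wildcard)
    return (a | w) == (b | w)


def parse_basic_acl(config_text: str):
    """Collect (number, action, base, wildcard) tuples, ordered as the device evaluates them."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, src_ip: str, default_action: str = "deny"):
    """First match in ascending rule number wins. The action for a source that matches
    no rule is passed in explicitly because it depends on the service the ACL is
    bound to (an assumption of this example, not a statement about the device)."""
    for number, action, base, wildcard in rules:
        if wildcard_match(src_ip, base, wildcard):
            return action, number
    return default_action, None


# Constructed sample modelled on ACL 2001 of the FTP server example; rule 15 is an
# added, constructed rule showing that the earlier host deny still wins inside the /24.
SAMPLE_ACL = """\
acl number 2001
 rule 5 permit source 10.136.23.10 0
 rule 10 deny source 10.136.23.20 0
 rule 15 permit source 10.136.23.0 0.0.0.255
"""
SAMPLE_RULES = parse_basic_acl(SAMPLE_ACL)


def who_can_connect(sources, rules=SAMPLE_RULES, default_action="deny"):
    """Map each source address to the (action, rule number) it hits; useful when reviewing a login ACL."""
    return {src: evaluate(rules, src, default_action) for src in sources}
```

Running who_can_connect over the management subnet before binding the ACL with ftp server acl or ssh server acl is a cheap way to confirm that a broad permit placed after a host deny does not quietly reopen the denied host.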

Step 5 Save the current configuration file on the device.
<FTP_Server> save

Step 6 Log in to the FTP server from PC1 using the user name admin1234 and password
YsHsjx_202206. Set the file transfer mode to binary.
Assume that PC1 runs the Windows operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>

Step 7 Upload the system software to the device and back up the configuration file of
the device to PC1.
# Upload the system software to the device.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for /devicesoft.cc
226 Transfer complete.
ftp: 107973953 bytes sent in 151.05Seconds 560.79Kbytes/sec.

# Back up the configuration file.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for /vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE

When uploading or downloading files, you need to specify the FTP working directory of the
client. For example, the default FTP working directory of the Windows operating system is
C:\Windows\System32. Save the system software to be uploaded to this directory in
advance, and the backup configuration file is also saved to this directory.

----End

Verifying the Configuration
# Run the dir command on the FTP server to check whether the system software
is uploaded to the FTP server.
<FTP_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName

0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)

# Access the FTP user's working directory on PC1 and check for the vrpcfg.zip file.

Configuration Scripts
#
sysname FTP_Server
#
ftp server enable
ftp server-source all-interface
ftp server acl 2001
#
acl number 2001
rule 5 permit source 10.136.23.10 0
rule 10 deny source 10.136.23.20 0
#
aaa
local-user admin1234 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O
$UF-.fQ,Q}>^)OBzgoU$
local-user admin1234 privilege level 3
local-user admin1234 ftp-directory flash:
local-user admin1234 service-type ftp
#
interface 10GE1/0/1
undo portswitch
ip address 10.136.23.5 255.255.255.0
#
return

3.1.2.4.3 Example for Configuring a Device as an SFTP Server

Networking Requirements
In Figure 3-13, PC1 connects to the device at 10.1.1.5. Files need to be securely
transferred between PC1 and the device. To ensure secure file transfer, the device
needs to be configured as an SSH server to provide the SFTP service, so that the
SSH server can authenticate the client (PC1) and bidirectional data is encrypted. In
addition, an ACL policy needs to be configured so that only PC1 can access the
SSH server.

Figure 3-13 Network diagram for performing file operations using SFTP
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair and enable the SFTP server function on the SSH
server so that the server and client can securely exchange data.
2. Configure SSH user information including the authentication mode, service
type, authorized directory, user name, and password.
3. Configure access permissions on the SSH server to control access from SSH
users.
4. Connect to the SSH server from the PC using the third-party software
OpenSSH.

Procedure
Step 1 Configure an IP address for the SSH server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] interface 10ge 1/0/1
[SSH Server-10GE1/0/1] undo portswitch
[SSH Server-10GE1/0/1] ip address 10.1.1.5 255.255.255.0
[SSH Server-10GE1/0/1] quit

Step 2 On the SSH server, generate a local key pair and enable the SFTP server function.
[SSH Server] rsa local-key-pair create
The key name will be:Host_Server
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface

Step 3 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 4 Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.
[SSH Server] ssh user client001 authentication-type password
Info: Succeeded in adding a new SSH user.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit

Step 5 Configure access permissions on the SSH server.
[SSH Server] acl 2001
[SSH Server-acl4-basic-2001] rule permit source 10.1.1.1 0
[SSH Server-acl4-basic-2001] rule deny source 10.1.1.2 0
[SSH Server-acl4-basic-2001] quit
[SSH Server] ssh server acl 2001

----End

Verifying the Configuration
Connect to the SSH server from the PC using the third-party software OpenSSH.
The Windows CLI can identify OpenSSH commands only when OpenSSH is
installed on the terminal.
C:/Documents and Settings/Administrator> sftp [email protected]
Connecting to 10.1.1.5...
The authenticity of host "10.1.1.5 (10.1.1.5)" can't be established.
DSA key fingerprint is 0d:48:82:fd:2f:52:1c:f0:c4:22:70:80:8f:7b:fd:78.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added "10.1.1.5" (DSA) to the list of known hosts.
[email protected]'s password:
sftp>

After you connect to the SSH server using the third-party software, the SFTP view
is displayed. You can then perform file operations in the SFTP view.

Configuration Scripts
#
sysname SSH Server
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny source 10.1.1.2 0
#
aaa
local-user client001 password irreversible-cipher $1d$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
interface 10GE1/0/1
undo portswitch
ip address 10.1.1.5 255.255.255.0
#
sftp server enable
ssh server-source all-interface
ssh server acl 2001
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
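The FTP and TFTP examples require the WEAKEA package and point to the SFTP and SCP examples as the secure alternatives, and the STelnet and SFTP examples pin the SSH algorithm lists and the minimum DH modulus length. The following Python script is an added example, not a Huawei tool, that reads a script in the format shown under Configuration Scripts and reports where it departs from those examples: algorithms outside the pinned lists, a missing min-len, a plaintext management service enabled, and a service enabled without its ACL. Both sample scripts are constructed: the hardened one is trimmed from the SFTP example above, and the lax one keeps Telnet on without an ACL and adds aes128_cbc to the cipher list as a constructed deviation.

```python
import re

# Algorithm lists exactly as pinned in the STelnet and SFTP examples above.
EXPECTED = {
    "cipher": {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"},
    "hmac": {"sha2_256", "sha2_512"},
    "key-exchange": {"dh_group_exchange_sha256", "dh_group16_sha512"},
    "publickey": {"rsa_sha2_256", "rsa_sha2_512"},
}
MIN_DH_LEN = 3072  # value used with "ssh server dh-exchange min-len" in the examples

ALG_RE = re.compile(r"^ssh server (cipher|hmac|key-exchange|publickey)\s+(.+)$")
MINLEN_RE = re.compile(r"^ssh server dh-exchange min-len\s+(\d+)$")


def audit_config(config_text: str) -> list:
    """Return one finding per deviation from the guide's hardened examples (empty list = clean)."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings, pinned = [], set()
    for ln in lines:
        m = ALG_RE.match(ln)
        if m:
            kind, algs = m.group(1), set(m.group(2).split())
            pinned.add(kind)
            extra = sorted(algs - EXPECTED[kind])
            if extra:
                findings.append(f"ssh server {kind}: {', '.join(extra)} not in the example's list")
            continue
        m = MINLEN_RE.match(ln)
        if m:
            pinned.add("min-len")
            if int(m.group(1)) < MIN_DH_LEN:
                findings.append(f"ssh server dh-exchange min-len {m.group(1)} is below {MIN_DH_LEN}")
    ssh_on = "stelnet server enable" in lines or "sftp server enable" in lines
    if ssh_on:
        for kind in EXPECTED:
            if kind not in pinned:
                findings.append(f"ssh server {kind} not configured: algorithm list is not pinned")
        if "min-len" not in pinned:
            findings.append("ssh server dh-exchange min-len not configured")
        if not any(ln.startswith("ssh server acl ") for ln in lines):
            findings.append("SSH service enabled without 'ssh server acl'")
    if "telnet server enable" in lines:
        findings.append("Telnet enabled: plaintext management; the guide's secure alternative is STelnet")
        if not any(re.match(r"^acl \d+ inbound$", ln) for ln in lines):
            findings.append("Telnet enabled without 'acl <n> inbound' on the VTY user interface")
    if "ftp server enable" in lines:
        findings.append("FTP enabled: plaintext transfer (requires WEAKEA); the guide recommends SFTP")
        if not any(ln.startswith("ftp server acl ") for ln in lines):
            findings.append("FTP enabled without 'ftp server acl'")
    return findings


# Constructed sample 1: management lines trimmed from the SFTP server script above.
HARDENED = """\
#
sftp server enable
ssh server-source all-interface
ssh server acl 2001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
"""

# Constructed sample 2: Telnet left on without an ACL, aes128_cbc added to the cipher
# list as a constructed deviation, no min-len and no SSH ACL.
LAX = """\
#
telnet server enable
stelnet server enable
ssh server-source all-interface
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
#
ssh server cipher aes128_ctr aes128_cbc
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
return
"""
```

Feed it the text of display current-configuration saved from the device; a clean result means the script matches the posture of these examples, while each finding names the line to add or change.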

3.1.2.4.4 Example for Configuring a Device as a TFTP Client

Networking Requirements
In Figure 3-14, the remote device with IP address 10.1.1.1/24 functions as the
TFTP server. The device with IP address 10.2.1.1/24 functions as the TFTP client
and has reachable routes to the TFTP server.
The TFTP client needs to be upgraded. To be specific, you need to download the
system software from the TFTP server to the TFTP client and back up the current
configuration file of the TFTP client to the TFTP server.

Figure 3-14 Network diagram for accessing files on another device using TFTP
NOTE

SFTP V2 or SCP is more secure than TFTP, and is therefore recommended.

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload files from and download files to the TFTP client using TFTP
commands.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 3.1.2.4.7 Example for Configuring a
Device as an SCP Client.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Run the TFTP software on the TFTP server and set the TFTP working directory. For
details, see the help document of the third-party software.

Step 3 Upload files from and download files to the TFTP client using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Please wait for a while...
/ 107973953 bytes transferred
Info: Downloaded the file successfully.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Please wait for a while...
/ 100% [***********]
Info: Uploaded the file successfully.

----End

Verifying the Configuration
# Run the dir command on the TFTP client to check whether the system software
is successfully downloaded.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)

# Access the working directory on the TFTP server and check whether the
vrpcfg.zip file has been uploaded successfully.

Configuration Scripts
None

3.1.2.4.5 Example for Configuring a Device as an FTP Client

Networking Requirements
In Figure 3-15, the remote device with IP address 10.1.1.1/24 functions as the FTP
server. The device with IP address 10.2.1.1/24 functions as the FTP client and has
reachable routes to the FTP server.

The FTP client needs to be upgraded. To be specific, you need to download the
system software from the FTP server to the FTP client and back up the current
configuration file of the FTP client to the FTP server.


Figure 3-15 Network diagram for accessing files on another device using FTP
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the FTP software on the FTP server and configure an FTP user.
2. Establish a connection between the FTP client and FTP server.
3. Download files from and upload files to the FTP server using FTP commands.

Configuration Precautions
In insecure network environments, you are advised to use a secure password
authentication mode, encryption authentication algorithm, or protocol. For details
about secure configuration examples, see 3.1.2.4.6 Example for Configuring a
Device as an SFTP Client.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA).
Step 2 Run the FTP software on the FTP server and configure an FTP user. For details, see
the help document of the third-party software.
Step 3 Establish a connection between the FTP client and FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]

Step 4 Download files from and upload files to the FTP server using FTP commands.
[ftp] binary
200 Type is Image (Binary)
[ftp] get devicesoft.cc
500 Unidentified command SIZE devicesoft.cc
200 PORT command okay
150 "D:\FTP\devicesoft.cc" file ready to send (107973953 bytes) in IMAGE / Binary mode
..
226 Transfer finished successfully.
FTP: 107973953 byte(s) received in 151.05 second(s) 560.79Kbyte(s)/sec.
[ftp] put vrpcfg.zip
200 PORT command okay
150 "D:\FTP\vrpcfg.zip" file ready to receive in IMAGE / Binary mode


/ 100% [***********]
226 Transfer finished successfully.
FTP: 1257 byte(s) send in 0.03 second(s) 40.55Kbyte(s)/sec.
[ftp] quit

----End

Verifying the Configuration


# Run the dir command on the FTP client to check whether the system software is
successfully downloaded.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 devicesoft.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)

# Access the working directory on the FTP server and check for the vrpcfg.zip file.

Configuration Scripts
None

3.1.2.4.6 Example for Configuring a Device as an SFTP Client

Networking Requirements
The SSH protocol uses encryption to secure the connection between a client and a
server. All user authentication, commands, output, and file transfers are encrypted
to protect against attacks in the network. A client can securely connect to the SSH
server and transfer files using SFTP.
In Figure 3-16, routes between the SSH server and clients client001 and client002
are reachable. In this example, a Huawei device functions as the SSH server.
The two clients are required to connect to the SSH server in password and RSA
authentication modes respectively to ensure secure access to files on the SSH
server.

Figure 3-16 Network diagram for accessing files on another device using SFTP
NOTE

In this example, interface1 represents 10GE1/0/1.


Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair and enable the SFTP server function on the server so
that the server and client can securely exchange data.
2. On the SSH server, configure client001 and client002 to access the SSH
server in password and RSA authentication modes, respectively.
3. Generate a local key pair on client002 and configure the RSA public key of
client002 on the SSH server so that the server can authenticate the client
when the client attempts to access the server.
4. Configure client001 and client002 to connect to the SSH server using SFTP
for file access.

Procedure
Step 1 On the server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host_Server
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface

Step 2 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 3 Create SSH users on the server.


# Create an SSH user named client001 and configure the password
authentication mode for the user.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit

# Create an SSH user named client002 and configure the RSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh authorization-type default root
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:/

Step 4 Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client001] ssh client hmac sha2_256 sha2_512
[client001] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client001] ssh client publickey rsa_sha2_256 rsa_sha2_512

Step 5 Generate a local key pair on client002 and configure the RSA public key of
client002 on the SSH server.
# Generate a local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
The key name will be:Host_Server
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

# Configure the encryption algorithm, HMAC authentication algorithm, key
exchange algorithm list, and public key algorithm on client002.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512

# Check the RSA public key on the client.


[client002] display rsa local-key-pair public
========================================================
Time of key pair created : 2019-11-05 12:10:40
Key name : Host_RSA
Key modulus : 3072
Key type : RSA encryption key
========================================================
Key code:
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
32693DE5 4B103442 8E0F4DAD 2598BE5E 19
0203
010001

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR
9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa
GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu
wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J
I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF
lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR9mIThFCB
DGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFaGFjQ3kn3853Xp3eV8rnJVi6L
WYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOuwKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpM
GFapNWiUmY37+oj/FwjDpn4JI2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QX
OAzQsAvFlJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z== rsa-key

# Configure the RSA public key of the client on the server. (The hex key code in
the display command output, from 3082010A through 010001, is the RSA public key
of the client. Copy it to the server.)
[SSH Server] rsa peer-public-key rsakey001 encoding-type der
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] 3082010A
[SSH Server-rsa-public-key-rsa-key-code] 02820101
[SSH Server-rsa-public-key-rsa-key-code] 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
[SSH Server-rsa-public-key-rsa-key-code] D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
[SSH Server-rsa-public-key-rsa-key-code] D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
[SSH Server-rsa-public-key-rsa-key-code] E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
[SSH Server-rsa-public-key-rsa-key-code] F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
[SSH Server-rsa-public-key-rsa-key-code] B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
[SSH Server-rsa-public-key-rsa-key-code] 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
[SSH Server-rsa-public-key-rsa-key-code] AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
[SSH Server-rsa-public-key-rsa-key-code] FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
[SSH Server-rsa-public-key-rsa-key-code] 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
[SSH Server-rsa-public-key-rsa-key-code] 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
[SSH Server-rsa-public-key-rsa-key-code] 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
[SSH Server-rsa-public-key-rsa-key-code] 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
[SSH Server-rsa-public-key-rsa-key-code] 0203
[SSH Server-rsa-public-key-rsa-key-code] 010001
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end

# Bind the client002 user to the RSA public key of client002.


[SSH Server] ssh user client002 assign rsa-key rsakey001

Step 6 Connect SFTP clients to the SSH server.

# Enable the first login function for the SSH clients. With first login enabled, a
client accepts and saves the public key of a server it has not connected to before;
confirm the server's key out of band before answering Y at the prompt.

Enable first login for client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first login for client002.
[client002] ssh client first-time enable


# Log in to the SSH server from client001 in password authentication mode.


[client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n

Please input the username: client001


Enter password:
sftp-client>

# Log in to the SSH server from client002 in RSA authentication mode.


[client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n

Please input the username: client002


sftp-client>

----End
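Two checks follow from Step 5 and Step 6 above: that the hex key code pasted into rsa peer-public-key is the same key as the ssh-rsa line the client prints for OpenSSH, and that the server key a client is about to trust at first login is the one the administrator actually generated. The Python script below is an added example and is not part of Huawei's documentation or CLI. It decodes the PKCS#1 DER key code copied from the display rsa local-key-pair public output above, re-encodes it as an OpenSSH authorized_keys line, and computes the SHA256: fingerprint that OpenSSH shows for that key, so the value can be compared out of band with what an OpenSSH client displays on its first connection to the switch. The function names are chosen here; the only input is the key code printed on this page, which decodes to a 2048-bit modulus (its INTEGER is 257 bytes long), so the script also reports the real modulus size.

```python
import base64
import hashlib
import re
import struct

# Key code exactly as printed by "display rsa local-key-pair public" on client002
# in this example: a PKCS#1 RSAPublicKey, SEQUENCE { INTEGER n, INTEGER e } in DER.
CLIENT002_KEY_CODE = """
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
32693DE5 4B103442 8E0F4DAD 2598BE5E 19
0203
010001
"""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_key_code(text):
    """Decode the CLI hex dump into the RSA modulus n and public exponent e."""
    der = bytes.fromhex(re.sub(r"\s+", "", text))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                      # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def ssh_rsa_blob(n, e):
    """RFC 4253 public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_authorized_keys_line(n, e, comment="rsa-key"):
    """The "ssh-rsa AAAA... comment" form the switch prints for OpenSSH."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode("ascii") + " " + comment


def from_authorized_keys_line(line):
    """Inverse of to_authorized_keys_line; returns (n, e)."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def sha256_fingerprint(n, e):
    """OpenSSH-style fingerprint of the key blob (what ssh prints on first connection)."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


if __name__ == "__main__":
    n, e = parse_key_code(CLIENT002_KEY_CODE)
    print("modulus bits:", n.bit_length(), "exponent:", e)
    print(to_authorized_keys_line(n, e))
    print(sha256_fingerprint(n, e))
```

Run the same decoding on the SSH server's own display rsa local-key-pair public output to obtain the fingerprint an OpenSSH client should see before answering Y to "The server is not authenticated. Continue to access it?"; a mismatch at that prompt means the connection is not terminating at the switch whose key you decoded.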

Verifying the Configuration


Run the display ssh server status command on the SSH server. The command
output indicates that the SFTP server function has been enabled. Run the display
ssh user-information command to check information about SSH users on the
server.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) :3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
ACL name : --
ACL number : --
ACL6 name : --
ACL6 number : --
SSH server ip-block : Enable

# Check information about SSH users.


[SSH Server] display ssh user-information
--------------------------------------------------------------------------------


User Name : client001


Authentication type : password
User public key name : --
User public key type : --
Sftp directory : flash:
Service type : sftp

User Name : client002


Authentication type : rsa
User public key name : rsakey001
User public key type : rsa
Sftp directory : flash:
Service type : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed

Configuration Scripts
● SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001 encoding-type der
public-key-code begin
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785 5AD1F662 13845081
0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F E211F4B3
1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9 C9562E8B 598CB50F
6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B 03AEC0A0 8A7E99F6
6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5 16A15C5C D6D0018E
4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493 646CBE96
BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442 8E0F4DAD 2598BE5E
19
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
local-user client001 service-type terminal ssh
local-user client001 privilege level 3
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
● client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

● client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

3.1.2.4.7 Example for Configuring a Device as an SCP Client

Networking Requirements
Compared with SFTP, SCP simplifies file transfer operations by combining user
identity authentication and file transfer to improve configuration efficiency.
In Figure 3-17, the routes between the SCP client and SSH server are reachable.
The SCP client needs to download files from the SSH server.

Figure 3-17 Network diagram for configuring a device to access files on another
device as an SCP client
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP server function on the SSH server.
4. Download files from the SSH server to the SCP client.

Procedure
Step 1 Generate a local key pair on the server.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:

Step 2 Create an SSH user on the server.


# Configure a VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

# Create an SSH user named Client, set the authentication mode to password,
and set the service type to all.
[SSH Server] ssh user Client
[SSH Server] ssh user Client authentication-type password
[SSH Server] ssh user Client service-type all

# Set a password for the Client user.


[SSH Server] aaa
[SSH Server-aaa] local-user Client password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters,
uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user Client service-type ssh
[SSH Server-aaa] local-user Client privilege level 3
[SSH Server-aaa] quit

Step 3 Enable the SCP server function on the SSH server.


[SSH Server] scp server enable
[SSH Server] ssh server-source all-interface

Step 4 Configure the public key algorithm, encryption algorithm, key exchange algorithm
list, HMAC authentication algorithm, and minimum key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072

Step 5 Configure the encryption algorithm, HMAC authentication algorithm, key


exchange algorithm list, and public key algorithm on the client.
<HUAWEI> system-view
[HUAWEI] sysname SCP Client
[SCP Client] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SCP Client] ssh client hmac sha2_256 sha2_512
[SCP Client] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SCP Client] ssh client publickey rsa_sha2_256 rsa_sha2_512
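The ssh server cipher, hmac, key-exchange and publickey commands in Step 4 (and the identical Step 2 of the SFTP example) restrict what the server offers during key exchange. The Python script below, added here and not part of Huawei's documentation, verifies that from the network side: it reads the server's SSH_MSG_KEXINIT and lists every advertised algorithm outside that policy. Only the cleartext part of the handshake is used, so no credentials are needed. The mapping from Huawei CLI names to SSH wire names, including [email protected] for the GCM ciphers, is an assumption; the two sample offers are constructed, and audit_server is the only part that touches the network.

```python
import socket
import struct

# Huawei CLI algorithm names from this page mapped to the names a server advertises
# in SSH_MSG_KEXINIT. The GCM wire names follow OpenSSH ([email protected]);
# that mapping is an assumption, not something the page states.
POLICY = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512"],
    "hostkey": ["rsa-sha2-256", "rsa-sha2-512"],
    "cipher": ["aes128-ctr", "aes256-ctr", "aes192-ctr",
               "[email protected]", "[email protected]"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Which name-lists each policy section governs.
SECTIONS = {"kex": ["kex"], "hostkey": ["hostkey"],
            "cipher": ["cipher_c2s", "cipher_s2c"], "mac": ["mac_c2s", "mac_s2c"]}

# Constructed sample offers: one matching the page's configuration, one from a
# server that still advertises legacy algorithms.
COMPLIANT_OFFER = {"kex": POLICY["kex"], "hostkey": POLICY["hostkey"],
                   "cipher_c2s": POLICY["cipher"], "cipher_s2c": POLICY["cipher"],
                   "mac_c2s": POLICY["mac"], "mac_s2c": POLICY["mac"],
                   "comp_c2s": ["none"], "comp_s2c": ["none"]}
LEGACY_OFFER = {"kex": POLICY["kex"] + ["diffie-hellman-group1-sha1"],
                "hostkey": ["ssh-rsa"] + POLICY["hostkey"],
                "cipher_c2s": POLICY["cipher"] + ["aes128-cbc", "3des-cbc"],
                "cipher_s2c": POLICY["cipher"] + ["aes128-cbc", "3des-cbc"],
                "mac_c2s": POLICY["mac"] + ["hmac-sha1", "hmac-md5"],
                "mac_s2c": POLICY["mac"] + ["hmac-sha1", "hmac-md5"],
                "comp_c2s": ["none"], "comp_s2c": ["none"]}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload: message byte, cookie, ten name-lists, flag, reserved."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        names = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {name_list: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}                     # skip message byte and 16-byte cookie
    for name in NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        offer[name] = raw.split(",") if raw else []
        pos += 4 + length
    return offer


def frame_packet(payload, block=8):
    """Wrap a payload in the unencrypted binary packet format (RFC 4253, section 6)."""
    padlen = block - ((len(payload) + 5) % block)
    if padlen < 4:
        padlen += block
    return struct.pack(">IB", len(payload) + padlen + 1, padlen) + payload + b"\x00" * padlen


def unframe_packet(packet):
    """Strip binary packet framing and padding; returns the payload."""
    length, padlen = struct.unpack(">IB", packet[:5])
    return packet[5:5 + length - 1 - padlen]


def check_policy(offer, policy=POLICY):
    """List (name_list, algorithm) pairs the server offers outside the policy."""
    return [(lst, alg) for section, lists in SECTIONS.items()
            for lst in lists for alg in offer.get(lst, []) if alg not in policy[section]]


def audit_server(host, port=22, timeout=5.0):
    """Exchange version strings and KEXINIT with a server; return (banner, findings).

    No key exchange is completed, so nothing beyond the cleartext offer is observed.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        sock.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        banner = rfile.readline()
        while banner and not banner.startswith(b"SSH-"):   # servers may send pre-banner lines
            banner = rfile.readline()
        sock.sendall(frame_packet(build_kexinit(COMPLIANT_OFFER)))
        header = rfile.read(5)
        length, _ = struct.unpack(">IB", header)
        packet = header + rfile.read(length - 1)
        offer = parse_kexinit(unframe_packet(packet))
        return banner.decode("ascii", "replace").strip(), check_policy(offer)
```

Call audit_server("10.1.1.1") from a host with a route to the server; an empty findings list means nothing outside the policy is advertised. The KEXINIT does not reveal the group-exchange floor set with ssh server dh-exchange min-len, which is only enforced once a group exchange is actually negotiated, so that setting still needs to be confirmed on the device.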

----End

Verifying the Configuration


Download files from the SSH server to the SCP client.
# Enable the first login function for the SSH client.

<HUAWEI> system-view
[HUAWEI] sysname SCP Client
[SCP Client] ssh client first-time enable

# Download the backup.cfg file from the SSH server at 10.1.1.1 to the local
directory using the aes256_ctr encryption algorithm.
[SCP Client] scp -cipher aes256_ctr [email protected]:backup.cfg backup.cfg
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Enter password:
backup.cfg 100% 19174Bytes 7Kb/s

Configuration Scripts
● SSH server
#
sysname SSH Server
#
aaa
local-user Client password irreversible-cipher $#z$!9S<a#>H7{7dI>%0S{AcKGC=t:zjv14LlQqHO\\P.*=<x1]u;y*P`'GR3[m}$
local-user Client service-type terminal ssh
local-user Client privilege level 3
#
scp server enable
ssh user Client
ssh user Client authentication-type password
ssh user Client service-type all
ssh server-source all-interface
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
● SCP client
#
sysname SCP Client
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return

3.1.3 Interface Management

3.1.3.1 Ethernet Interface


3.1.3.1.1 Example for Configuring the Rates and Duplex Modes of Ethernet
Interfaces

Networking Requirements
As shown in Figure 3-18, DeviceA, DeviceB, and DeviceC are connected to
10GE1/0/1, 10GE1/0/2, and 10GE1/0/3, respectively, on DeviceD, which is
connected to the Internet through 10GE1/0/4.

Due to special limitations of DeviceD, 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 can
only work in half-duplex mode through auto-negotiation. As a result, packet loss
occurs when the service traffic volume is high. In addition, the rates of 10GE1/0/1,
10GE1/0/2, and 10GE1/0/3 reach the maximum rate 1000 Mbit/s through auto-
negotiation. If DeviceA, DeviceB, and DeviceC concurrently send data at 1000
Mbit/s, the outbound interface 10GE1/0/4 will be congested. Users want to resolve
data packet loss and congestion problems.

Figure 3-18 Network diagram of configuring the rate and duplex mode in non-
auto-negotiation mode
NOTE

In this example, interface1, interface2, interface3, and interface4 represent 10GE1/0/1,
10GE1/0/2, 10GE1/0/3, and 10GE1/0/4, respectively.

Configuration Roadmap
● Configure interfaces to work in non-auto-negotiation mode to prevent their
rates from being affected.
● Forcibly set the duplex mode to full-duplex for the interfaces working in non-
auto-negotiation mode to prevent packet loss.
● Forcibly set the working rate to 100 Mbit/s for the interfaces working in non-
auto-negotiation mode to prevent data congestion.


Procedure
Step 1 Create an interface group and add interface1, interface2, and interface3 to it.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] port-group portgroup1 //Create a permanent interface group portgroup1 and enter its view.
[DeviceD-port-group-portgroup1] group-member 10GE1/0/1 to 10GE1/0/3 //Add 10GE1/0/1, 10GE1/0/2,
and 10GE1/0/3 to portgroup1.

Step 2 Configure interface1, interface2, and interface3 to work in non-auto-negotiation
mode, and set the duplex mode and working rate to full-duplex and 100 Mbit/s,
respectively, for them in batches.
[DeviceD-port-group-portgroup1] negotiation disable //Configure the interfaces to work in non-auto-
negotiation mode in batches.
[DeviceD-port-group-portgroup1] duplex full //Configure the interfaces to work in full-duplex mode in
batches.
[DeviceD-port-group-portgroup1] speed 100 //Configure the interfaces to work at 100 Mbit/s in batches.
[DeviceD-port-group-portgroup1] quit

----End

Verifying the Configuration


Run the display interface 10ge1/0/1 command in any view to check the current
working rate and duplex mode of the interface.
[DeviceD] display interface 10ge1/0/1
...
Port Mode: AUTO, Port Split/Aggregate: -
Speed: 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Input Flow-control: DISABLE, Output Flow-control: DISABLE
Mdi: -, Fec:
...

The command output shows that the interface works in non-negotiation mode,
the working rate is 100 Mbit/s, and the duplex mode is full-duplex.
Similarly, you can run the display interface 10ge1/0/2 and display interface
10ge1/0/3 commands to check information about 10GE1/0/2 and 10GE1/0/3,
respectively.

Configuration Scripts
#
sysname DeviceD
#
port-group portgroup1
group-member 10GE1/0/1 to 10GE1/0/3
negotiation disable
duplex full
speed 100
#
return

3.1.3.1.2 Example for Configuring Layer 2-to-Layer 3 Mode Switching on Ethernet
Interfaces

Networking Requirements
As shown in Figure 3-19, PC1, PC2, PC3, and PC4 each are on a different network
segment, and DeviceB, DeviceC, DeviceD, and DeviceE are access devices for the
four network segments, respectively. It is required that four physical Ethernet
interfaces on DeviceA be configured as gateway interfaces for the four network
segments.

Figure 3-19 Network diagram of configuring Layer 2/Layer 3 mode switching


NOTE

In this example, interface1, interface2, interface3, and interface4 represent 10GE1/0/1,
10GE1/0/2, 10GE1/0/3, and 10GE1/0/4, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
● Switch the interface working mode to Layer 3.
● Configure the IP addresses of Layer 3 Ethernet interfaces as gateway
addresses.

Procedure
Step 1 Switch the interface working mode to Layer 3.
# Switch a single interface to Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] undo portswitch
[DeviceA-10GE1/0/1] quit

# Switch Ethernet interfaces to Layer 3 mode in batches.
[DeviceA] undo portswitch batch 10ge 1/0/2 to 1/0/4

Step 2 Configure the IP addresses of Layer 3 Ethernet interfaces as gateway addresses.

# Configure the IP address of 10GE1/0/1 as a gateway address. The configurations
of 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 are similar to the configuration of
10GE1/0/1. For details, see Configuration Scripts.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] ip address 10.10.1.1 24
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration


Run the display interface 10GE 1/0/1 command in any view to check whether the
interface currently works in Layer 2 or Layer 3 mode.
[DeviceA] display interface 10ge 1/0/1
...
Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24
...

If Switch Port is displayed, the interface works in Layer 2 mode. If Route Port is
displayed, the interface works in Layer 3 mode. The preceding command output
shows that the interface works in Layer 3 mode.

Configuration Scripts
#
sysname DeviceA
#
interface 10ge1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
interface 10ge1/0/2
undo portswitch
ip address 10.10.2.1 255.255.255.0
#
interface 10ge1/0/3
undo portswitch
ip address 10.10.3.1 255.255.255.0
#
interface 10ge1/0/4
undo portswitch
ip address 10.10.4.1 255.255.255.0
#
return

3.1.3.2 Port Isolation


3.1.3.2.1 Example for Enabling Layer 2 Port Isolation

Networking Requirements
In Figure 3-20, PC1, PC2, and PC3 all belong to VLAN 10. PC1 and PC2 are
allowed to communicate with PC3, but are not allowed to communicate with each
other.

Figure 3-20 Network diagram for enabling Layer 2 port isolation


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interfaces to the specified VLAN.
2. Enable port isolation.

Precautions
Switching an interface from Layer 3 to Layer 2 is required only when the interface
works at Layer 3.

Procedure
Step 1 Create VLAN 10 and add interfaces to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 10
[DeviceA-10GE1/0/3] quit

Step 2 Enable Layer 2 port isolation.

# Enable Layer 2 port isolation for 10GE 1/0/1.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-isolate enable group 1
[DeviceA-10GE1/0/1] quit

# Enable Layer 2 port isolation for 10GE 1/0/2.


[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port-isolate enable group 1
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


● PC1 cannot communicate with PC2.
● PC1 and PC3 can communicate with each other.
● PC2 and PC3 can communicate with each other.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
port-isolate enable group 1
#
interface 10GE1/0/2
port default vlan 10
port-isolate enable group 1
#
interface 10GE1/0/3
port default vlan 10
#
return
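The following checker is an added example and is not code from the Huawei guide. It reads a switch configuration in the Configuration Scripts format shown above and answers, for any two ports, whether the port-isolation rules this example relies on allow Layer 2 forwarding between them: the ports must be in the same VLAN, and two members of the same isolation group cannot forward frames to each other. The sample script is constructed (it adds a fourth interface in VLAN 20 to show the VLAN check). Only Layer 2 isolation is modelled; whether isolated ports can still reach each other through a Layer 3 gateway depends on the port-isolate mode, which this example does not read.

```python
"""Layer 2 reachability under port isolation, read from a configuration script.

Added example, not code from the Huawei guide. It parses the "Configuration
Scripts" format shown above and decides whether two ports can exchange Layer 2
frames: ports must share a VLAN, and two members of the same isolation group
cannot forward frames to each other. The sample script is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAMPLE_CONFIG = """\
#
sysname DeviceA
#
vlan batch 10 20
#
interface 10GE1/0/1
 port default vlan 10
 port-isolate enable group 1
#
interface 10GE1/0/2
 port default vlan 10
 port-isolate enable group 1
#
interface 10GE1/0/3
 port default vlan 10
#
interface 10GE1/0/4
 port default vlan 20
 port-isolate enable group 1
#
return
"""


@dataclass
class Port:
    name: str
    vlan: int = 1                       # an access port sits in VLAN 1 until "port default vlan"
    isolate_group: Optional[int] = None


def parse_ports(config: str) -> Dict[str, Port]:
    """Collect VLAN membership and isolation group per interface."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            current = ports.setdefault(m.group(1), Port(m.group(1)))
        elif line == "#":
            current = None              # "#" ends the interface view in a script
        elif current is None:
            continue
        elif m := re.match(r"port default vlan (\d+)$", line):
            current.vlan = int(m.group(1))
        elif m := re.match(r"port-isolate enable group (\d+)$", line):
            current.isolate_group = int(m.group(1))
    return ports


def can_reach_l2(ports: Dict[str, Port], src: str, dst: str) -> bool:
    """True when a frame entering src may be forwarded out of dst."""
    a, b = ports[src], ports[dst]
    if a.vlan != b.vlan:
        return False                    # different broadcast domains
    if a.isolate_group is not None and a.isolate_group == b.isolate_group:
        return False                    # both in the same isolation group
    return True


def isolation_matrix(config: str) -> Dict[Tuple[str, str], bool]:
    """Reachability verdict for every ordered pair of interfaces in the script."""
    ports = parse_ports(config)
    names = sorted(ports)
    return {(s, d): can_reach_l2(ports, s, d) for s in names for d in names if s != d}


if __name__ == "__main__":
    for (s, d), ok in isolation_matrix(SAMPLE_CONFIG).items():
        print(f"{s} -> {d}: {'allowed' if ok else 'blocked'}")
```

Run against the script in the Configuration Scripts section, the matrix reproduces the three verification statements above (PC1 and PC2 blocked in both directions, each of them allowed to PC3), which is a quick way to confirm a change request before it is pushed to the switch.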

3.1.4 System Management

3.1.4.1 SNMP


3.1.4.1.1 Example for Configuring a Device to Communicate with an NMS Through SNMPv1

Networking Requirements
As shown in Figure 3-21, the NMS is used to manage the device on the network.
Because the network is small and secure, SNMPv1 is configured for the device to
communicate with the NMS. It is expected that, after a new device is added to the
network, existing network resources be utilized to manage the new device and to
quickly locate and rectify network faults.

Figure 3-21 Network diagram of configuring a device to communicate with an NMS using SNMPv1
NOTE

In this example, interface1 represents 10GE1/0/1.

Precautions
SNMPv1 carries the community name in cleartext and neither authenticates nor
encrypts packets, so the ACL configured in this example limits only the source
IP address of requests. If the network environment is insecure, you are advised
to use SNMPv3 for communication with the NMS.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the device to run SNMPv1 so that the NMS running SNMPv1 can
manage the device.
2. Configure access control so that only the NMS with the specified IP address
can perform read/write operations on the specified MIB objects of the device.
3. Configure a community name based on which the device permits access of
the NMS.
4. Configure a trap host and enable the device to proactively send traps.
5. Add the device to the NMS. The community name configured on the device
must be the same as that used by the NMS; otherwise, the NMS cannot
manage the device.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm or protocol feature package (WEAKEA). SNMPv1 is one
of the weak protocols contained in this package, which is why this step is not
needed in the SNMPv3 example.

Step 2 Configure available routes between the device and the NMSs. Detailed
configurations are not provided.


Step 3 Enable the SNMP agent.


<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] snmp-agent

Step 4 Configure the device to run SNMPv1 so that the NMS running SNMPv1 can
manage the device.
[Device] snmp-agent sys-info version v1 //By default, only SNMPv3 is supported.

Step 5 Configure an interface for receiving and responding to NMS requests.


[Device] snmp-agent protocol source-interface Loopback0

Step 6 Configure access control so that only the NMS with the specified IP address can
perform read/write operations on the specified MIB objects of the device.
# Configure an ACL to permit only the NMS with IP address 10.1.1.1 to access the
device.
[Device] acl 2001
[Device-acl4-basic-2001] rule permit source 10.1.1.1 0
[Device-acl4-basic-2001] rule deny
[Device-acl4-basic-2001] quit

# Configure MIB views to specify the MIB objects that can be accessed by the
NMS.
[Device] snmp-agent mib-view included isoview01 system //Configure the system subtree to be
accessible in the MIB view isoview01.
[Device] snmp-agent mib-view included isoview02 interfaces //Configure the interfaces subtree to be
accessible in the MIB view isoview02.

Step 7 Configure a community name. When a device is added to the NMS, the
community name is used for authentication and the ACL is applied for access
control.
[Device] snmp-agent community read adminnms01 mib-view isoview01 acl 2001 //Configure
adminnms01 to have the read-only permission on the system subtree.
[Device] snmp-agent community write adminnms02 mib-view isoview02 acl 2001 //Configure
adminnms02 to have the read and write permissions on the interfaces subtree.

Step 8 Configure a trap host and enable the device to proactively send traps.
[Device] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable the device to
send all traps. By default, the device is enabled to send only some traps. You can run the display snmp-
agent trap all command to check the status of traps.
[Device] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname adminnms01 v1

Step 9 Configure the NMS.


For details about NMS configuration, see the corresponding NMS configuration
guide.

NOTE

The parameter settings on the NMS must be the same as those on the device. Otherwise,
the device cannot be added to the NMS.

----End

Configuration Scripts
#
sysname Device


#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community read cipher %#%#Pqp'RXi))/y\KgEtwP9A3x2z5_FgxG1v'D/8>=G,D9<yMC^RAM_YB:F0BZlF="bHXg%lH*L"Jq'lea`S%#%# mib-view isoview01 acl 2001
snmp-agent community write cipher %#%#.T|&Whvyf$<Gd"I,wXi5SP_6~Nakk6<<+3H:N-h@aJ6d,l0md%HCeAY8~>X=>xV\JKNAL=124r839v<*%#%# mib-view isoview02 acl 2001
snmp-agent sys-info version v1
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname cipher %#%#uq/!YZfvW4*vf[~C|.:Cl}UqS(vXd#wwqR~5M(rU%%#%#
snmp-agent mib-view included isoview01 system
snmp-agent mib-view included isoview02 interfaces
snmp-agent trap enable
snmp-agent protocol source-interface LoopBack0
#
return

3.1.4.1.2 Example for Configuring a Device to Communicate with NMSs Through SNMPv2c

Networking Requirements
As shown in Figure 3-22, two NMSs (NMS1 and NMS2) connect to the device
over a public network. According to the network planning, NMS2 can manage
every MIB object on the device, whereas NMS1 does not manage the device.

On the device, only the modules that are enabled by default are allowed to send
alarms to NMS2. This prevents an excess of unwanted alarms from being sent to
NMS2, which would otherwise make fault locating difficult. Inform messages need
to be used to ensure that alarms are received by NMS2, because alarms sent by
the device have to travel across the public network to reach NMS2.

The contact information of the device administrator needs to be configured on the
device, in order to help the NMS administrator contact the device administrator if
a fault occurs.

Figure 3-22 Network diagram of configuring a device to communicate with an NMS using SNMPv2c
NOTE

In this example, interface1 represents 10GE1/0/1.


Precautions
SNMPv2c, like SNMPv1, carries the community name in cleartext and neither
authenticates nor encrypts packets; the ACL limits only the source IP address
of requests. If the network environment is insecure, you are advised to use
SNMPv3 for communication with the NMS.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the SNMP agent.


2. Configure the device to run SNMPv2c.
3. Configure an ACL to allow NMS2 to manage MIB objects on the device.
4. Configure a source interface for SNMP to receive and respond to NMS request
packets.
5. Configure the device to send Inform messages to NMS2.
6. Configure the contact information of the device administrator.
7. Configure NMS2.

Procedure
Step 1 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm or protocol feature package (WEAKEA). SNMPv2c is one
of the weak protocols contained in this package.

Step 2 Configure available routes between the device and the NMSs. Detailed
configurations are not provided.

Step 3 Enable the SNMP agent.


<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] snmp-agent password min-length 9
[DeviceA] snmp-agent

Step 4 Configure the device to run SNMPv2c.


[DeviceA] snmp-agent sys-info version v2c

Step 5 Configure a source interface for SNMP to receive and respond to NMS request
packets.
[DeviceA] snmp-agent protocol source-interface Loopback0

Step 6 Configure the NMS access permission.

# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the
device.
[DeviceA] acl 2001
[DeviceA-acl4-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[DeviceA-acl4-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[DeviceA-acl4-basic-2001] quit

# Configure a MIB view.


[DeviceA] snmp-agent mib-view excluded allexthgmp 1.3.6.1.4.1.2011.6.7

# Configure a community to reference an ACL to allow NMS2 to manage the objects
in the MIB view.
[DeviceA] snmp-agent community write adminnms2 mib-view allexthgmp acl 2001


Step 7 Configure the alarm function.
[DeviceA] snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname Huawei-1234 v2c
[DeviceA] snmp-agent inform timeout 5 resend-times 6 pending 7
[DeviceA] snmp-agent trap enable //Opens all trap switches (see the SNMPv1 example). Leave this command out if only the modules enabled by default are to send alarms, and check the result with display snmp-agent trap all.
[DeviceA] snmp-agent notification-log enable
[DeviceA] snmp-agent notification-log global-ageout 36

Step 8 Configure the contact information of the device administrator.


[DeviceA] snmp-agent sys-info contact call Operator at 010-12345678

Step 9 Configure NMS2.


For details about NMS configuration, see the corresponding NMS configuration
guide.

----End

Verifying the Configuration


# Check the configured SNMP version.
<DeviceA> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv2c SNMPv3

# Check information about the SNMP community name.


<DeviceA> display snmp-agent community
Community name: %@%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%-3Bw@/>NzBr/k=X0[ALT.K~:,!!!!!2jp5!!!!!!U!!!!%{+lTl_[/Jh<3.<4RvQ/.Z'33]YwPJkB^`J9g":TFqD-'B$kmL6;vyHwQ74KEFp22!!!!!!!!!!!!!!!%@%#
Group name: %@%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%-3Bw@/>NzBr/k=X0[ALT.K~:,!!!!!2jp5!!!!!!U!!!!%{+lTl_[/Jh<3.<4RvQ/.Z'33]YwPJkB^`J9g":TFqD-'B$kmL6;vyHwQ74KEFp22!!!!!!!!!!!!!!!%@%#
Acl: 2001
Alias name:
__CommunityAliasName_01_8357
Storage-type: nonVolatile

# Check the configured ACL.


<DeviceA> display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 permit source 1.1.1.2 0 (0 times matched)
rule 6 deny source 1.1.1.1 0 (0 times matched)

# Check the MIB view.


<DeviceA> display snmp-agent mib-view viewname allexthgmp
View name: allexthgmp
MIB Subtree: huaweiUtility.7
Subtree mask: FF80(Hex)
Storage-type: nonVolatile
View Type: excluded
View status: active

# Check the target host.


<DeviceA> display snmp-agent target-host
Target-host NO. 1
---------------------------------------------------------------------------
Host-name : __targetHost_1_41354
IP-address : 1.1.1.2
Source interface :-
VPN instance :-
Security name : %+%##!!!!!!!!!"!!!!$!!!!*!!!!%&K/U}|G\2KYm@@k}uDDU#gLLO<J"0Q'/kH!!!!!2jp5!!!!!!<!!!!rv4VL.ucqLA!PK/olg}.vn0tBf0m4'5^XcK!!!!!%+%#
Port : 162
Type : inform
Version : v2c
Level : No authentication and privacy
NMS type : NMS
With ext vb : No
Notification filter profile name : -
Heart beat required : No
---------------------------------------------------------------------------

# Check the contact information of the device administrator.


<DeviceA> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
acl number 2001
rule 5 permit source 1.1.1.2 0
rule 6 deny source 1.1.1.1 0
#
vlan 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address 1.1.2.1 255.255.255.0

#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB0300FDFDFD2211
snmp-agent community write cipher %@%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%-3Bw@/>NzBr/k=X0[ALT.K~:,!!!!!2jp5!!!!!!U!!!!%{+lTl_[/Jh<3.<4RvQ/.Z'33]YwPJkB^`J9g":TFqD-'B$kmL6;vyHwQ74KEFp22!!!!!!!!!!!!!!!%@%# mib-view allexthgmp acl 2001 alias __CommunityAliasName_01_8357
#
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v2c
snmp-agent password min-length 9
snmp-agent target-host host-name __targetHost_1_11752 inform address udp-domain 1.1.1.2 params securityname cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%<OoF8~{B=#QW("E3cky"H*I%E!!!!!2jp5!!!!!!<!!!!%m9qN;K61!+'7q>-bKZ&qJzJ3nQ\g)WWHkL!!!!!%+%# v2c
#
snmp-agent mib-view excluded allexthgmp huaweiUtility.7
#
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 36
snmp-agent inform timeout 5
snmp-agent inform resend-times 6
snmp-agent inform pending 7
#
snmp-agent protocol source-interface LoopBack0


#
snmp-agent trap enable
#
return

3.1.4.1.3 Example for Configuring a Device to Communicate with NMSs Using SNMPv3 USM Users

Networking Requirements
As shown in Figure 3-23, two NMSs (NMS1 and NMS2) connect to the device
over a public network. According to the network planning, NMS2 can manage
every MIB object on the device, whereas NMS1 does not manage the device.

On the device, only the modules that are enabled by default are allowed to send
alarms to NMS2. This prevents an excess of unwanted alarms from being sent to
NMS2, which would otherwise make fault locating difficult.

The data transmitted between NMS2 and the device needs to be encrypted and
the NMS administrator needs to be authenticated because the data has to travel
across the public network. The contact information of the device administrator
needs to be configured on the device, in order to help the NMS administrator
contact the device administrator if a fault occurs.

Figure 3-23 Network diagram of configuring a device to communicate with an NMS using SNMPv3
NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the SNMP agent.


2. Configure the device to run SNMPv3.
3. Configure a source interface for SNMP to receive and respond to NMS request
packets.
4. Configure an ACL to allow NMS2 to manage MIB objects on the device. Set
the authentication and encryption algorithms for data to sha2-256 and
aes128 respectively.
5. Configure the device to send trap messages to NMS2.


6. Configure the contact information of the device administrator.
7. Configure NMS2.

Procedure
Step 1 Configure available routes between the device and the NMSs. Detailed
configurations are not provided.

Step 2 Enable the SNMP agent.


<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] snmp-agent password min-length 10
[DeviceA] snmp-agent

Step 3 Configure the device to run SNMPv3.


[DeviceA] snmp-agent sys-info version v3

Step 4 Configure a source interface for SNMP to receive and respond to NMS request
packets.
[DeviceA] snmp-agent protocol source-interface Loopback0

Step 5 Configure the NMS access permission.

# Configure an ACL to allow NMS2 to manage and disallow NMS1 from managing the
device.
[DeviceA] acl 2001
[DeviceA-acl4-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[DeviceA-acl4-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
[DeviceA-acl4-basic-2001] quit

# Configure a MIB view.


[DeviceA] snmp-agent mib-view included iso iso

# Configure a user group and a user. Configure authentication and encryption for
data of the user.
[DeviceA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
[DeviceA] snmp-agent usm-user v3 nms2-admin group admin acl 2001
[DeviceA] snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
[DeviceA] snmp-agent usm-user v3 nms2-admin privacy-mode aes128
Please configure the privacy password (8-255)
Enter Password:
Confirm Password:

Step 6 Configure the alarm function.
[DeviceA] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname nms2-admin v3 privacy
[DeviceA] snmp-agent trap enable //Opens all trap switches (see the SNMPv1 example). Leave this command out if only the modules enabled by default are to send alarms, and check the result with display snmp-agent trap all.

Step 7 Configure the contact information of the device administrator.


[DeviceA] snmp-agent sys-info contact call Operator at 010-12345678

Step 8 Configure the NMS.


For details about NMS configuration, see the corresponding NMS configuration
guide.

----End
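The passwords entered in Step 5 are not what the agent stores. Under the USM key derivation of RFC 3414 (extended to SHA-2 by RFC 7860) each password is first hashed into a 1 MiB-derived key and then localized with the agent's own engine ID, the value set by snmp-agent local-engineid and shown in the display snmp-agent usm-user output below. The following Python is an added example, not code from the Huawei guide: it carries out that derivation for a user configured like nms2-admin (authentication sha2-256, privacy aes128). The engine ID is the one printed on this page; the passwords are invented. Two practical consequences it makes visible: the same password yields a different key on every device, and changing the engine ID after the user exists invalidates the stored keys, so the user has to be reconfigured.

```python
"""SNMPv3 USM key localization (RFC 3414 A.2; SHA-2 variants per RFC 7860).

Added example, not code from the Huawei guide. The agent does not store the
passwords entered in Step 5: it stores keys localized to its own engine ID
(snmp-agent local-engineid), so the same password gives a different key on
every device, and changing the engine ID after the user exists invalidates the
stored keys. The engine ID used below is the one shown by display snmp-agent
usm-user on this page; the passwords are invented.
"""
import hashlib
from typing import Dict

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: str, hash_name: str) -> bytes:
    """Ku: digest of the password repeated and truncated to exactly 1,048,576 bytes."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(password: str, engine_id: bytes, hash_name: str = "sha256") -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-engine key the agent keeps."""
    ku = password_to_ku(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id_hex: str) -> Dict[str, str]:
    """Localized keys for a user like nms2-admin (authentication sha2-256, privacy aes128).

    The privacy key is localized with the authentication hash; AES-128 uses its
    first 16 bytes (RFC 3826)."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth = localize_key(auth_password, engine_id, "sha256")
    priv = localize_key(priv_password, engine_id, "sha256")
    return {"auth_key": auth.hex(), "aes128_key": priv[:16].hex()}


if __name__ == "__main__":
    here = usm_keys("nms2-auth-secret", "nms2-priv-secret", "800007DB03D0C65B951201")
    other = usm_keys("nms2-auth-secret", "nms2-priv-secret", "800007DB0300FDFDFD2211")
    print(here)
    print("same passwords, other engine ID, identical keys:", here == other)   # False
```

The implementation can be checked against the RFC 3414 appendix A test vectors (password maplesyrup, engine ID 000000000000000000000002) by calling localize_key with hash_name "md5" or "sha1"; those two are the weak algorithms the WEAKEA package exists for and are used here only to validate the code, not as a configuration recommendation.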

Verifying the Configuration


# Check the configured SNMP version.
<DeviceA> display snmp-agent sys-info version
SNMP version running in the system:
SNMPv3

# Check the user group information.


<DeviceA> display snmp-agent group admin
Group name: admin
Security model: USM AuthPriv
Readview: iso
Writeview: iso
Notifyview: iso
Storage-type: nonVolatile

# Check the user information.


<DeviceA> display snmp-agent usm-user
User name: nms2-admin
Engine ID: 800007DB03D0C65B951201 active
Authentication Protocol: sha2-256
Privacy Protocol: aes128
Group name: admin
Acl: 2001
State: Active

# Check the configured ACL.


<DeviceA> display acl 2001
Basic ACL 2001, 2 rules
ACL's step is 5
rule 5 permit source 1.1.1.2 0 (4 times matched)
rule 6 deny source 1.1.1.1 0 (0 times matched)

# Check the MIB view.


<DeviceA> display snmp-agent mib-view viewname iso
View name: iso
MIB Subtree: iso
Subtree mask: 80(Hex)
Storage-type: nonVolatile
View Type: included
View status: active

# Check the target host.


<DeviceA> display snmp-agent target-host
Target-host NO. 1
---------------------------------------------------------------------------
Host name : __targetHost_1_27466
IP address : 1.1.1.2
Source interface :-
VPN instance :-
Security name : nms2-admin
Port : 162
Type : trap
Version : v3
Level : Privacy
NMS type : NMS
With ext vb : No
Notification filter profile name : -
Heart beat required : No
---------------------------------------------------------------------------

# Check the contact information of the device administrator.


<DeviceA> display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
acl number 2001
rule 5 permit source 1.1.1.2 0.0.0.0
rule 6 deny source 1.1.1.1 0.0.0.0
#
vlan 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Vlanif10
ip address 1.1.2.1 255.255.255.0

#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
network 1.1.3.1 0.0.0.0
#
snmp-agent
snmp-agent local-engineid 800007DB03D0C65B951201
#
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v3
snmp-agent password min-length 10
snmp-agent group v3 admin privacy read-view iso write-view iso notify-view iso
snmp-agent target-host host-name __targetHost_1_27466 trap address udp-domain 1.1.1.2 params
securityname nms2-admin v3 privacy
#
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 nms2-admin
snmp-agent usm-user v3 nms2-admin group admin
snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256 cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%{Ku|VKwEyE-uN:Pp9K`O+oLF,!!!!!2jp5!!!!!!<!!!!6r!o;)ju=D<fXX.r3a`QWe'gPol7aEif^M'!!!!!%+%#
snmp-agent usm-user v3 nms2-admin privacy-mode aes128 cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!PR=uJ|5'u%B.79IwRIE3(xTzFsYNQ5iH4;X!!!!!2jp5!!!!!!<!!!!A"X3:)AC815G!a6]bVc8-wj'EK9!&V<M0HP!!!!!%+%#
snmp-agent usm-user v3 nms2-admin acl 2001
#
snmp-agent protocol source-interface LoopBack0
#
snmp-agent trap enable
#
return
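The three SNMP examples above (SNMPv1, SNMPv2c and SNMPv3 USM users) differ mainly in how much the NMS access control relies on the ACL alone. The following script is an added example, not code from the Huawei guide: it audits the snmp-agent lines of a saved configuration in the Configuration Scripts format, cross-references communities and USM users with the ACLs they cite, and reports the settings that weaken access control (cleartext versions, communities without an ACL, ACLs without a catch-all deny as in the SNMPv2c example, USM users with weak or absent authentication or privacy, notification targets that use v1 or v2c). The severity labels and the catch-all-deny rule are this script's own policy, not Huawei guidance. The sample configuration is constructed and its cipher blobs are dummies.

```python
"""Audit snmp-agent settings in a CloudEngine-style configuration script.

Added example, not code from the Huawei guide. Severity labels and the
catch-all-deny rule for SNMP ACLs are this script's policy. The sample
configuration is constructed; cipher blobs are dummies.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
#
acl number 2001
 rule 5 permit source 1.1.1.2 0
 rule 6 deny source 1.1.1.1 0
#
acl number 2002
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB0300FDFDFD2211
snmp-agent community write cipher %@%#DUMMY%@%# mib-view allexthgmp acl 2001
snmp-agent community read cipher %@%#DUMMY%@%#
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname cipher %+%#DUMMY%+%# v2c
snmp-agent group v3 admin privacy read-view iso write-view iso notify-view iso
snmp-agent usm-user v3 nms2-admin
snmp-agent usm-user v3 nms2-admin group admin
snmp-agent usm-user v3 nms2-admin authentication-mode sha2-256 cipher %+%#DUMMY%+%#
snmp-agent usm-user v3 nms2-admin privacy-mode aes128 cipher %+%#DUMMY%+%#
snmp-agent usm-user v3 nms2-admin acl 2002
snmp-agent usm-user v3 legacy-ro
snmp-agent usm-user v3 legacy-ro group admin
snmp-agent usm-user v3 legacy-ro authentication-mode md5 cipher %+%#DUMMY%+%#
snmp-agent protocol source-interface LoopBack0
#
return
"""

WEAK_AUTH = {"md5", "sha"}          # HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414)
WEAK_PRIV = {"des56", "3des168"}
Finding = Tuple[str, str]           # (severity, message)


def parse_acls(config: str) -> Dict[int, List[str]]:
    """ACL number -> rule bodies in order, e.g. ["permit source 1.1.1.2 0", "deny"]."""
    acls: Dict[int, List[str]] = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"acl number (\d+)$", line):
            current = acls.setdefault(int(m.group(1)), [])
        elif line == "#":
            current = None
        elif current is not None and (m := re.match(r"rule \d+ (.+)$", line)):
            current.append(m.group(1).strip())
    return acls


def acl_has_catch_all_deny(rules: List[str]) -> bool:
    return any(r == "deny" for r in rules)


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    acls = parse_acls(config)
    users: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"snmp-agent sys-info version (.+)$", line):
            for v in m.group(1).split():
                if v in ("v1", "v2c"):
                    findings.append(("HIGH", f"{v} enabled: community names travel in cleartext"))
        elif m := re.match(r"snmp-agent community (read|write) .*?(?: acl (\d+))?$", line):
            perm, acl = m.group(1), m.group(2)
            if acl is None:
                findings.append(("HIGH", f"{perm} community without acl: any source may query"))
            elif not acl_has_catch_all_deny(acls.get(int(acl), [])):
                findings.append(("MEDIUM", f"{perm} community acl {acl} has no catch-all deny rule"))
        elif m := re.match(r"snmp-agent target-host .* (v1|v2c)$", line):
            findings.append(("MEDIUM", f"notification target uses {m.group(1)}: unauthenticated and cleartext"))
        elif m := re.match(r"snmp-agent usm-user v3 (\S+)(?: (.+))?$", line):
            user = users.setdefault(m.group(1), {})
            if a := re.match(r"(authentication-mode|privacy-mode) (\S+)", m.group(2) or ""):
                user[a.group(1).split("-")[0]] = a.group(2)    # "authentication" / "privacy"
            elif a := re.match(r"acl (\d+)$", m.group(2) or ""):
                user["acl"] = a.group(1)
    for name, u in users.items():
        if u.get("authentication") in WEAK_AUTH:
            findings.append(("MEDIUM", f"usm-user {name}: weak authentication {u['authentication']}"))
        if "privacy" not in u:
            findings.append(("HIGH", f"usm-user {name}: no privacy-mode, requests are not encrypted"))
        elif u["privacy"] in WEAK_PRIV:
            findings.append(("MEDIUM", f"usm-user {name}: weak privacy {u['privacy']}"))
        if "acl" not in u:
            findings.append(("LOW", f"usm-user {name}: no acl, any source may attempt authentication"))
    if "snmp-agent protocol source-interface" not in config:
        findings.append(("LOW", "no source-interface: agent answers on every interface address"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run over the sample, the user nms2-admin configured as in the SNMPv3 example produces no finding, while the v2c community, the read community without an ACL, and the legacy user without a privacy mode each do; feeding it the output of display current-configuration from a real device works the same way because the script format is identical.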

3.1.4.2 Upgrade Maintenance


3.1.4.2.1 Example for Upgrading a New Device

Networking Requirements
Use a console cable (serial cable) and a network cable to set up a network
between your PC and the device. Specifically, connect the console cable from your
PC to the console port of the device, and connect the network cable from your PC
to any Ethernet interface on the device, as shown in Figure 3-24.

Figure 3-24 Networking diagram for upgrading a new device

NOTE

In this example, interface1 represents 10GE1/0/1.

Configuration Roadmap
1. Log in to the device through the console port.
2. Run any FTP software on the PC and configure an FTP user.
3. Configure the management IP address of the device so that the device and
the PC reside on the same network segment.
4. Configure the device as the FTP client to obtain the system software package
from the PC and check whether the system software package is successfully
loaded.
5. Specify the system software and patch for next startup.
6. Restart the device.

Configuration Precautions
● Prepare the upgrade tools, including the PC, network cable, and serial cable.
● Obtain the target system software.
– Visit Huawei enterprise technical support website and select the
corresponding product in the software download area.
– Select software of the required version.
– Click Download next to the product_version.cc file of the required
version.
● Obtain the target patch file.
– Visit Huawei enterprise technical support website and select the
corresponding product in the software download area.
– Select the desired patch file.
– Click Download next to the product_version.PAT file of the required
version.


Procedure
Step 1 Log in to the device from the PC through the console port. For details, see
Example for Configuring First Login Through a Console Port.
Step 2 Run the install feature-software WEAKEA command in the user view to install
the weak security algorithm/protocol feature package (WEAKEA). FTP sends the
login password and the transferred files in cleartext and is therefore one of
the weak protocols contained in this package.
Step 3 Run any FTP software on the PC.
Step 4 Configure a management IP address for the device to ensure that the device and
PC reside in the same network segment and can ping each other.
# Configure a management IP address for the device. The interface must work in
Layer 3 mode before an IP address can be assigned to it.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] undo portswitch
[DeviceA-10GE1/0/1] ip address 10.10.1.1 24
[DeviceA-10GE1/0/1] quit
[DeviceA] quit

Step 5 Establish an FTP connection between the device and the PC.
<DeviceA> ftp 10.10.1.2
Trying 10.10.1.2 ...
Press CTRL + K to abort
Connected to 10.10.1.2.
220 FTP service ready.
User(10.10.1.2:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]

Step 6 Download the system software and the patch file from the PC to the device
using FTP commands.
[ftp] binary
200 Type is Image (Binary)
[ftp] get product_version.cc //Load the system software to the device. product_version.cc is the file
name of the system software.
200 PORT command okay
150 "product_version.cc" file ready to send in IMAGE / Binary mode
..
226 Transfer finished successfully.
FTP: 107973953 byte(s) received in 151.05 second(s) 560.79Kbyte(s)/sec.
[ftp] get product_version.PAT //Load the patch file to the device. product_version.PAT is the file name
of the system patch.
200 PORT command okay
150 "product_version.PAT" file ready to send in IMAGE / Binary mode
/ 100% [***********]
226 Transfer finished successfully.
FTP: 1257 byte(s) received in 0.03 second(s) 40.55Kbyte(s)/sec.
[ftp] quit

Step 7 Check whether the system software and patch are successfully loaded.
<DeviceA> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2019 14:13:38 back_time_a
1 drw- - Mar 11 2019 00:58:54 logfile
2 -rw- 4 Nov 17 2019 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2019 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2019 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2019 14:13:38 back_time_b
6 -rw- 107,973,953 Mar 13 2019 14:24:24 product_version.cc
7 drw- - Oct 31 2019 10:20:28 sysdrv
8 drw- - Feb 21 2019 17:16:36 compatible
9 drw- - Feb 09 2019 14:20:10 selftest
10 -rw- 19,174 Feb 20 2019 18:55:32 backup.cfg
11 -rw- 23,496 Oct 15 2019 20:59:36 20191015.zip
12 -rw- 588 Nov 04 2019 13:54:04 servercert.der
13 -rw- 320 Nov 04 2019 13:54:26 serverkey.der
14 drw- - Nov 04 2019 13:58:36 security
...
670,092 KB total (569,904 KB free)

Step 8 Specify the system software and patch for next startup.
# For devices with a single main control board:
<DeviceA> startup system-software product_version.cc //Specify the system software for next startup.
<DeviceA> startup patch product_version.PAT all //Specify the patch for next startup. If the current
version does not have a corresponding patch, you do not need to run this command.

# For stacking scenarios


<DeviceA> copy product_version.cc all#flash:
<DeviceA> startup system-software product_version.cc all //Specify the system software for next startup.
<DeviceA> startup patch product_version.PAT all //Specify the patch for next startup. If the current
version does not have a corresponding patch, you do not need to run this command.

Step 9 Check the boot items for next startup. (The actual command output varies
depending on the device. The following command output is only an example.)
<DeviceA> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/product_version.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup patch package: NULL
Next startup patch package: NULL

Step 10 Save the configuration and restart the device. Run the save command first
if the management IP address configured in Step 4 is to be retained after the
restart; an unsaved configuration is lost when the device reboots.
<DeviceA> save
<DeviceA> reboot fast

----End

Verifying the Configuration


# Wait several minutes until the device restart is complete. Then run the display
version command to check the current system version. If the current system
software is new, the upgrade has succeeded.

Configuration Scripts
#
sysname DeviceA
#
interface 10GE1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
return
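The FTP transfer in Step 6 authenticates nothing and encrypts nothing, so before the package is made the next-startup image it should be compared with a digest obtained out of band. The following Python is an added example, not code from the Huawei guide: run on the PC that serves the files, it verifies each package against a sha256sum-style manifest (the manifest format and the way the expected digests are obtained are assumptions; the package contents and digests used here are constructed). After the transfer, the byte count in the FTP output and in the dir listing on the device confirms that the verified file arrived intact.

```python
"""Verify a downloaded system software package before making it the startup image.

Added example, not from the Huawei guide. Step 6 pulls the .cc and .PAT files
over FTP, which authenticates nothing and encrypts nothing, so compare each file
with a SHA-256 digest obtained out of band before running startup system-software.
The sha256sum-style manifest format and the file names are assumptions; the
package contents and digests below are constructed for the demonstration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 20   # hash 1 MiB at a time; a real .cc image is about 100 MB


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest from "<64 hex chars>  <name>" lines."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_package(path: Path, manifest: str) -> bool:
    """True only if the file is listed in the manifest and its digest matches."""
    want = parse_manifest(manifest).get(path.name)
    if want is None:
        return False                                   # unlisted file: refuse
    return hmac.compare_digest(sha256_file(path), want)  # constant-time compare


def demo() -> Dict[str, bool]:
    """Constructed scenario: intact image and patch, a modified image, an unlisted file."""
    image = b"CC-IMAGE-" + bytes(range(256)) * 64
    patch = image[:1257]
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "product_version.cc").write_bytes(image)
        (d / "product_version.PAT").write_bytes(patch)
        (d / "tampered.cc").write_bytes(image[:-1] + b"\x00")   # one byte changed
        (d / "unlisted.cc").write_bytes(image)
        manifest = (
            f"{hashlib.sha256(image).hexdigest()}  product_version.cc\n"
            f"{hashlib.sha256(patch).hexdigest()}  product_version.PAT\n"
            f"{hashlib.sha256(image).hexdigest()}  tampered.cc\n"   # manifest expects the intact image
        )
        return {name: verify_package(d / name, manifest)
                for name in ("product_version.cc", "product_version.PAT", "tampered.cc", "unlisted.cc")}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'}")
```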

3.1.5 Virtualization


3.1.5.1 Stack

3.1.5.1.1 Example for Setting Up a Stack

Networking Requirements
On a new enterprise network, access devices are required to provide ample ports,
and the network structure must be simple for easy configuration and
management.
In Figure 3-25, DeviceA, DeviceB, and DeviceC set up a stack in a ring topology.

Figure 3-25 Network diagram for setting up a stack

Configuration Roadmap
The configuration roadmap is as follows:
1. Plan stack setup.
2. Perform stack configurations on member devices based on the stack plan,
including the stack ID, stack priority, and Stack-Port. Then save the
configurations and power off the devices.
3. Use stack cables to connect the devices and power them on.


NOTE

● Stack-Port n/1 on the local device must be connected to Stack-Port n/2 on the
remote device.
● Multiple physical member ports can be bound to a Stack-Port to improve
stack reliability and bandwidth. The stack will not split as long as one physical
link is available between the member devices, but the stack bandwidth
decreases.
● If the Stack-Ports on the two devices contain multiple physical member ports,
the physical member ports can be connected in any sequence.
● When more than two devices set up a stack, the ring topology is recommended for
improved system reliability. In this case, the stack bandwidth is the minimum
bandwidth among all Stack-Ports.
● When two devices set up a stack, it is recommended that only one Stack-Port be
created on each member device and that multiple physical member ports be added
to each Stack-Port.
4. Check whether the stack is set up successfully.

Procedure
Step 1 Plan stack setup as follows:
● Stack ID: 1 for DeviceA, 2 for DeviceB, and 3 for DeviceC
● Stack priority: 150 for DeviceA (so that it can be elected as the master
device), 100 for DeviceB, and 50 for DeviceC
● Stack topology: ring topology, as shown in Figure 3-26

Figure 3-26 Connections between stack member ports

Step 2 Set stack parameters.


# Set the stack ID of DeviceA to 1 and stack priority to 150. By default, the stack
ID of a device is 1. In this example, the default stack ID is used for DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stack
[DeviceA-stack] stack member 1 priority 150
[DeviceA-stack] quit

# Set the stack ID of DeviceB to 2 and stack priority to 100.


<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stack
[DeviceB-stack] stack member 1 priority 100
[DeviceB-stack] stack member 1 renumber 2
[DeviceB-stack] quit

# Set the stack ID of DeviceC to 3 and stack priority to 50.


<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stack
[DeviceC-stack] stack member 1 priority 50
[DeviceC-stack] stack member 1 renumber 3
[DeviceC-stack] quit

Step 3 Configure Stack-Ports.


# Before configuring a Stack-Port, you are advised to manually back up the
current configuration file.
# On DeviceA, create a Stack-Port and add member ports to it.
[DeviceA] interface Stack-Port 1/1
[DeviceA-Stack-Port1/1] port member-group interface 10GE 1/0/1 10GE 1/0/2
[DeviceA-Stack-Port1/1] quit
[DeviceA] interface Stack-Port 1/2
[DeviceA-Stack-Port1/2] port member-group interface 10GE 1/0/3 10GE 1/0/4
[DeviceA-Stack-Port1/2] quit

# On DeviceB, create a Stack-Port and add member ports to it.


[DeviceB] interface Stack-Port 1/1
[DeviceB-Stack-Port1/1] port member-group interface 10GE 1/0/1 10GE 1/0/2
[DeviceB-Stack-Port1/1] quit
[DeviceB] interface Stack-Port 1/2
[DeviceB-Stack-Port1/2] port member-group interface 10GE 1/0/3 10GE 1/0/4
[DeviceB-Stack-Port1/2] quit

# On DeviceC, create a Stack-Port and add member ports to it.


[DeviceC] interface Stack-Port 1/1
[DeviceC-Stack-Port1/1] port member-group interface 10GE 1/0/1 10GE 1/0/2
[DeviceC-Stack-Port1/1] quit
[DeviceC] interface Stack-Port 1/2
[DeviceC-Stack-Port1/2] port member-group interface 10GE 1/0/3 10GE 1/0/4
[DeviceC-Stack-Port1/2] quit

Step 4 Check the stack configuration.


# After the preceding configuration is complete, run the display stack
configuration command to check whether the configuration is consistent with the
stack plan. If not, modify the configuration. The following uses DeviceA as an
example.
[DeviceA] display stack configuration
Oper : Operation
Conf : Configuration
* : Offline configuration
# : Media mismatch or absence
^ : Unsaved configuration

Attribute Configuration:


-------------------------------------------------------------
MemberID      Domain        Priority      DelayTime
Oper(Conf)    Oper(Conf)    Oper(Conf)    Oper(Conf)
-------------------------------------------------------------
1(1)          --(10)        100(150)      0(0)
-------------------------------------------------------------

Stack-Port Configuration:
--------------------------------------------------------------------------------
Stack-Port          Member Ports
--------------------------------------------------------------------------------
Stack-Port1/1       10GE1/0/1   10GE1/0/2
Stack-Port1/2       10GE1/0/3   10GE1/0/4
--------------------------------------------------------------------------------

Stack-Global Configuration:
--------------------------------------------------------------------------------
AuthMode Password
--------------------------------------------------------------------------------
- -
--------------------------------------------------------------------------------

Step 5 Save the configurations.


# To save device configurations, perform this step. DeviceA is used as an example.
[DeviceA] quit
<DeviceA> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y

NOTE

If a device needs to be deployed with factory settings using ZTP, you are not advised to run
the save command to save the configurations.

Step 6 Power off DeviceA, DeviceB, and DeviceC. Then connect them using cables and
power them on by referring to "Connecting Stack Cables and Powering On All
Member Devices" in "Stack Configuration" in CLI Configuration Guide >
Virtualization Configuration.
To ensure that DeviceA becomes the master device, power on DeviceA first. After
DeviceA starts, power on DeviceB and DeviceC.
Step 7 Check whether the stack is set up successfully.
# Log in to the stack through the console port or management port of any
member device and run the display stack command to check whether the stack is
set up successfully. When logging in to the stack through the management port,
use the IP address of the master device.
<HUAWEI> display stack
--------------------------------------------------------------------------------
MemberID   Role      MAC              Priority   DeviceType         Description
--------------------------------------------------------------------------------
1          Master    00e0-fc12-1111   255        S6730-H24X6C-V2
2          Standby   00e0-fc12-2222   100        S6730-H24X6C-V2
3          Slave     00e0-fc12-3333   100        S6730-H24X6C-V2
--------------------------------------------------------------------------------

The preceding command output displays information about three devices,


indicating that a stack has been set up among them successfully. According to the
command output, the master device is the one with the stack ID 1, namely,
DeviceA.
# Check whether the stack topology information is consistent with the stack cable
connections.


<DeviceA> display stack topology


Stack Topology Type: Ring
----------------------------------------------
              Stack-Port 1           Stack-Port 2
MemberID      Status   Neighbor      Status   Neighbor
----------------------------------------------
1             up       2             up       3
2             up       3             up       1
3             up       1             up       2
----------------------------------------------

Stack Link:
----------------------------------------------------------------------------
Stack-Port      Port            Status    PeerPort        PeerStatus
----------------------------------------------------------------------------
Stack-Port1/1   10GE1/0/1       up        10GE2/0/3       up
Stack-Port1/1   10GE1/0/2       up        10GE2/0/4       up
Stack-Port1/2   10GE1/0/3       up        10GE3/0/1       up
Stack-Port1/2   10GE1/0/4       up        10GE3/0/2       up
Stack-Port2/1   10GE2/0/1       up        10GE3/0/3       up
Stack-Port2/1   10GE2/0/2       up        10GE3/0/4       up
Stack-Port2/2   10GE2/0/3       up        10GE1/0/1       up
Stack-Port2/2   10GE2/0/4       up        10GE1/0/2       up
Stack-Port3/1   10GE3/0/1       up        10GE1/0/3       up
Stack-Port3/1   10GE3/0/2       up        10GE1/0/4       up
Stack-Port3/2   10GE3/0/3       up        10GE2/0/1       up
Stack-Port3/2   10GE3/0/4       up        10GE2/0/2       up
----------------------------------------------------------------------------

The command output shows that the topology information is consistent with the
stack cable connections, indicating that all stack links are set up successfully and
no abnormal link exists.
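The comparison of the Stack Link table against the cabling rules listed at the start of this example can be scripted. The following Python script is an added example for this guide (it is not Huawei code and is not part of the original example): it parses the Stack Link table of the display stack topology output and checks that every physical link is up, that each Stack-Port n/1 is cabled to a Stack-Port n/2 on a remote member and vice versa, that both ends report the same link, and that with more than two members every member has two distinct neighbours (ring topology). The table content is the sample output above, embedded as a constructed string.

```python
"""Consistency check for the Stack Link table of 'display stack topology'.

Added example for this guide, not Huawei code. It parses the table and checks
the cabling rules stated earlier in this example: every physical stack link
is up, a Stack-Port n/1 is cabled to a Stack-Port m/2 on another member (and
vice versa), each link is reported symmetrically by both ends, and with more
than two members every member has two distinct neighbours (ring topology).
The sample table is the output shown above, embedded as a constructed string.
"""
import re
from collections import defaultdict

SAMPLE_STACK_LINK = """\
Stack-Port      Port            Status    PeerPort        PeerStatus
----------------------------------------------------------------------------
Stack-Port1/1   10GE1/0/1       up        10GE2/0/3       up
Stack-Port1/1   10GE1/0/2       up        10GE2/0/4       up
Stack-Port1/2   10GE1/0/3       up        10GE3/0/1       up
Stack-Port1/2   10GE1/0/4       up        10GE3/0/2       up
Stack-Port2/1   10GE2/0/1       up        10GE3/0/3       up
Stack-Port2/1   10GE2/0/2       up        10GE3/0/4       up
Stack-Port2/2   10GE2/0/3       up        10GE1/0/1       up
Stack-Port2/2   10GE2/0/4       up        10GE1/0/2       up
Stack-Port3/1   10GE3/0/1       up        10GE1/0/3       up
Stack-Port3/1   10GE3/0/2       up        10GE1/0/4       up
Stack-Port3/2   10GE3/0/3       up        10GE2/0/1       up
Stack-Port3/2   10GE3/0/4       up        10GE2/0/2       up
----------------------------------------------------------------------------
"""

LINK_RE = re.compile(
    r"^Stack-Port(?P<member>\d+)/(?P<sp>[12])\s+(?P<port>\S+)\s+(?P<status>\S+)"
    r"\s+(?P<peer>\S+)\s+(?P<peer_status>\S+)$")


def parse_stack_links(text):
    """Return one dict per physical stack link row (header and rule lines are skipped)."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["member"], row["sp"] = int(row["member"]), int(row["sp"])
            links.append(row)
    return links


def neighbours(links):
    """Map member ID -> set of member IDs it is directly cabled to."""
    owner = {row["port"]: row["member"] for row in links}
    adj = defaultdict(set)
    for row in links:
        if row["peer"] in owner:
            adj[row["member"]].add(owner[row["peer"]])
    return adj


def stack_topology_type(links):
    """'Ring' when every member has an up link on both of its Stack-Ports, else 'Link'."""
    up_sps = defaultdict(set)
    for row in links:
        if row["status"] == "up" and row["peer_status"] == "up":
            up_sps[row["member"]].add(row["sp"])
    return "Ring" if up_sps and all(sps == {1, 2} for sps in up_sps.values()) else "Link"


def check_stack_links(links):
    """Return a list of problem descriptions; an empty list means the cabling is consistent."""
    problems = []
    # Which member and Stack-Port each physical port belongs to, derived from the table itself.
    owner = {row["port"]: (row["member"], row["sp"]) for row in links}
    peer_of = {row["port"]: row["peer"] for row in links}
    for row in links:
        port, peer = row["port"], row["peer"]
        if row["status"] != "up" or row["peer_status"] != "up":
            problems.append(f"{port}: link not up ({row['status']}/{row['peer_status']})")
        if peer not in owner:
            problems.append(f"{port}: peer {peer} is not a member port of any Stack-Port")
            continue
        peer_member, peer_sp = owner[peer]
        if peer_member == row["member"]:
            problems.append(f"{port}: cabled to its own member {peer_member}")
        elif peer_sp == row["sp"]:
            problems.append(f"{port}: Stack-Port {row['member']}/{row['sp']} must connect to a "
                            f"remote Stack-Port n/{3 - row['sp']}, but {peer} belongs to "
                            f"Stack-Port {peer_member}/{peer_sp}")
        if peer_of.get(peer) != port:
            problems.append(f"{port}: peer {peer} does not report {port} as its peer")
    adj = neighbours(links)
    if len(adj) > 2:
        for member, nbrs in sorted(adj.items()):
            if len(nbrs) != 2:
                problems.append(f"member {member}: {len(nbrs)} neighbour(s), a ring needs 2")
    return problems


if __name__ == "__main__":
    rows = parse_stack_links(SAMPLE_STACK_LINK)
    print(stack_topology_type(rows), check_stack_links(rows) or "no problems found")
```

Paste the Stack Link section of the real display stack topology output in place of the sample string to run the same checks against a live stack; a non-empty problem list points at the miscabled or down physical port.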

----End

Configuration Scripts
The stack configuration is saved in the device memory and is not written into the
configuration file.
#
sysname DeviceA
#

3.1.6 Ethernet Switching

3.1.6.1 MAC

3.1.6.1.1 Example for Configuring Static MAC Address Entries

Networking Requirements
In Figure 3-27, a server is connected to 10GE 1/0/2 of a device. To prevent the
device from broadcasting the packets destined for the server, it is required that a
static MAC address entry of the server be configured on the device so that the
device always unicasts the packets destined for the server through 10GE 1/0/2. In
addition, it is required that the MAC address of the PC be statically bound to 10GE
1/0/1 to ensure secure communication between the PC and the server.


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Figure 3-27 Network diagram for configuring static MAC address entries

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure the static MAC address entry of the server on an interface.

Procedure
Step 1 Create VLAN 2 and add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 2
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 2
[DeviceA-10GE1/0/2] quit

Step 2 Configure a static MAC address entry of the PC on 10GE 1/0/1.


[DeviceA] mac-address static 00e0-fc12-3456 10ge 1/0/1 vlan 2

Step 3 Configure a static MAC address entry of the server on 10GE 1/0/2.
[DeviceA] mac-address static 00e0-fc12-3457 10ge 1/0/2 vlan 2

----End


Verifying the Configuration


# Run the display mac-address static vlan vlan-id [ verbose ] command in any
view to check static MAC address entries configured based on a specified VLAN.
[DeviceA] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address       VLAN/VSI/BD      Learned-From      Type      Age
-------------------------------------------------------------------------------
00e0-fc12-3456    2/-/-            10GE1/0/1         static    -
00e0-fc12-3457    2/-/-            10GE1/0/2         static    -

-------------------------------------------------------------------------------
Total items displayed = 2

Configuration Scripts
#
sysname DeviceA
#
vlan batch 2
#
interface 10GE1/0/1
port link-type access
port default vlan 2
#
interface 10GE1/0/2
port link-type access
port default vlan 2
#
mac-address static 00e0-fc12-3456 10GE1/0/1 vlan 2
mac-address static 00e0-fc12-3457 10GE1/0/2 vlan 2
#
return

3.1.6.1.2 Example for Configuring a Blackhole MAC Address Entry

Networking Requirements
In Figure 3-28, a device receives an access request from an unauthorized user. The
MAC address of the unauthorized user is 00e0-fc12-3456 and the unauthorized
user belongs to VLAN 3. The MAC address needs to be configured as a blackhole
MAC address so that the device filters out packets from the unauthorized user.

Figure 3-28 Network diagram for configuring a blackhole MAC address entry


Configuration Roadmap
The configuration roadmap is as follows:

1. Create a VLAN to implement Layer 2 forwarding.


2. Configure a blackhole MAC address entry to prevent attack packets from the
MAC address of the unauthorized user.

Procedure
Step 1 Configure a blackhole MAC address entry.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 3
[DeviceA-vlan 3] quit
[DeviceA] mac-address blackhole 00e0-fc12-3456 vlan 3

----End

Verifying the Configuration


# Run the display mac-address blackhole command in any view to check
blackhole MAC address entries.
[DeviceA] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address       VLAN/VSI/BD      Learned-From      Type         Age
-------------------------------------------------------------------------------
00e0-fc12-3456    3/-/-            -                 blackhole    -

-------------------------------------------------------------------------------
Total items displayed = 1

Configuration Scripts
#
sysname DeviceA
#
vlan batch 3
#
mac-address blackhole 00e0-fc12-3456 vlan 3
#
return

3.1.6.1.3 Example for Configuring MAC Address Learning Limit on an Interface

Networking Requirements
In Figure 3-29, user networks 1 and 2 belong to VLAN 10 and VLAN 20,
respectively. The two user networks are connected to DeviceA through DeviceB,
and DeviceA is connected to DeviceB through 10GE 1/0/1. To control the number
of access users on DeviceA, configure MAC address learning limit on 10GE 1/0/1.

Figure 3-29 Networking of MAC address learning limit on an interface


NOTE

Interface 1 in this example represents 10GE 1/0/1.


Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add 10GE 1/0/1 to them to implement Layer 2 forwarding.
2. Configure MAC address learning limit on 10GE 1/0/1 to control the number of
access users.

Procedure
Step 1 Create VLANs and add 10GE 1/0/1 to them.
# Add 10GE 1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10 20
[DeviceA-10GE1/0/1] quit

Step 2 Configure MAC address learning limit on 10GE 1/0/1.


# Set the maximum number of MAC addresses that can be dynamically learned
on 10GE 1/0/1 to 100, and configure DeviceA to generate an alarm when the
number of learned MAC addresses exceeds the limit.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] mac-address limit maximum 100 alarm enable
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration


# Run the display mac-address limit command in any view to check whether the
maximum number of MAC address entries that can be dynamically learned and
the action for the device to take when the configured maximum number is
reached are configured successfully.


[DeviceA] display mac-address limit


MAC Address Limit is enabled
Total MAC Address limit rule count : 1

Port          VLAN/VSI/SI/BD    Slot    Maximum    Action     Alarm
----------------------------------------------------------------------------
10GE1/0/1     --                --      100        discard    enable

Configuration Scripts
#
sysname DeviceA
#
vlan batch 10 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
mac-address limit maximum 100 alarm enable
#
return

3.1.6.1.4 Example for Configuring MAC Address Learning Limit in a VLAN

Networking Requirements
In Figure 3-30, user network 1 is connected to DeviceA through DeviceB, and
DeviceA uses 10GE 1/0/1. Likewise, user network 2 is connected to DeviceA
through DeviceC, and DeviceA uses 10GE 1/0/2. 10GE 1/0/1 and 10GE 1/0/2 both
belong to VLAN 2. To control the number of access users, configure MAC address
learning limit in VLAN 2.

Figure 3-30 Networking of MAC address learning limit in a VLAN


NOTE

Interfaces 1 and 2 in this example represent 10GE 1/0/1 and 10GE 1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add 10GE 1/0/1 and 10GE 1/0/2 to it to implement Layer
2 forwarding.
2. Configure MAC address learning limit on 10GE 1/0/1 and 10GE 1/0/2 to
control the number of access users.


Procedure
Step 1 Create a VLAN and add 10GE 1/0/1 and 10GE 1/0/2 to it.
# Add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 2
[DeviceA-vlan2] quit
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 2
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 2
[DeviceA-10GE1/0/2] quit

Step 2 Configure MAC address learning limit in VLAN 2.


# Set the maximum number of MAC address entries that can be dynamically
learned in VLAN 2 to 100, and set the action to forward when the limit is
reached: frames from new source MAC addresses are still forwarded, but the
addresses are not added to the MAC address table.
[DeviceA] vlan 2
[DeviceA-vlan2] mac-address limit maximum 100 action forward
[DeviceA-vlan2] quit

----End

Verifying the Configuration


# Run the display mac-address limit command in any view to check whether the
maximum number of MAC address entries that can be dynamically learned and
the action for the device to take when the configured maximum number is
reached are configured successfully.
[DeviceA] display mac-address limit
MAC Address Limit is enabled
Total MAC Address limit rule count : 1

Port          VLAN/VSI/SI/BD    Slot    Maximum    Action     Alarm
-------------------------------------------------------------------
--            2                 --      100        forward    enable

Configuration Scripts
#
sysname DeviceA
#
vlan batch 2
#
vlan 2
mac-address limit maximum 100 action forward
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk


port trunk allow-pass vlan 2


#
return
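The four MAC address examples in this section (static entries, a blackhole entry, and learning limits on an interface and in a VLAN with the discard or forward action) all change how a switch treats the source and destination address of a frame. The following Python model is an added example for this guide, not Huawei code and not a description of the device's implementation: it keeps a small MAC address table, applies the configured entries and limits to constructed frames, and tallies what happens when an attacker floods an interface with forged source addresses. The class and method names (MacTable, ingress, simulate_flood) and the rule that a frame whose source MAC is statically bound to another interface is discarded are assumptions of the model.

```python
"""Model of the MAC address table behaviours configured in 3.1.6.1.1 to 3.1.6.1.4:
static entries, blackhole entries, and MAC address learning limits on an interface
or in a VLAN with the discard or forward action.

Added example for this guide. It is a simplified model written to show the
forwarding decisions, not Huawei's implementation; the class and method names
(MacTable, ingress) are assumptions, and all frames are constructed inline as
(ingress interface, VLAN, source MAC, destination MAC).
"""
from collections import Counter

FLOOD = "flood"   # destination unknown: the frame is flooded in the VLAN


class MacTable:
    def __init__(self):
        self.entries = {}      # (mac, vlan) -> {"port": ifname or None, "type": static|blackhole|dynamic}
        self.port_limit = {}   # ifname -> (maximum, action)
        self.vlan_limit = {}   # vlan -> (maximum, action)

    def add_static(self, mac, port, vlan):
        self.entries[(mac, vlan)] = {"port": port, "type": "static"}

    def add_blackhole(self, mac, vlan):
        self.entries[(mac, vlan)] = {"port": None, "type": "blackhole"}

    def set_port_limit(self, port, maximum, action="discard"):
        self.port_limit[port] = (maximum, action)

    def set_vlan_limit(self, vlan, maximum, action="discard"):
        self.vlan_limit[vlan] = (maximum, action)

    def dynamic_count(self, port=None, vlan=None):
        """Number of dynamically learned entries, optionally restricted to one interface or VLAN."""
        return sum(1 for (_, v), e in self.entries.items()
                   if e["type"] == "dynamic"
                   and (port is None or e["port"] == port)
                   and (vlan is None or v == vlan))

    def _exhausted_limit_action(self, port, vlan):
        """Action of the first learning limit that is already full, or None if learning is allowed."""
        for limit, count in ((self.port_limit.get(port), self.dynamic_count(port=port)),
                             (self.vlan_limit.get(vlan), self.dynamic_count(vlan=vlan))):
            if limit is not None and count >= limit[0]:
                return limit[1]
        return None

    def ingress(self, port, vlan, src, dst):
        """Process one frame; return (source-address outcome, forwarding decision)."""
        src_entry = self.entries.get((src, vlan))
        dst_entry = self.entries.get((dst, vlan))
        # A blackhole entry discards frames whose source or destination matches it.
        if (src_entry and src_entry["type"] == "blackhole") or \
           (dst_entry and dst_entry["type"] == "blackhole"):
            return "blackhole", "drop"
        if src_entry is None:
            action = self._exhausted_limit_action(port, vlan)
            if action == "discard":
                return "limit-discard", "drop"
            if action == "forward":
                outcome = "limit-forward-unlearned"   # forwarded, but the address is not learned
            else:
                self.entries[(src, vlan)] = {"port": port, "type": "dynamic"}
                outcome = "learned"
        elif src_entry["type"] == "static" and src_entry["port"] != port:
            # The address is bound to another interface: treat the frame as spoofed (modelled behaviour).
            return "static-mismatch", "drop"
        else:
            outcome = "known-" + src_entry["type"]
        forward = dst_entry["port"] if dst_entry else FLOOD
        return outcome, forward


def simulate_flood(table, port, vlan, frames):
    """Send frames with distinct forged source MACs (a MAC flooding attack) and tally the outcomes."""
    tally = Counter()
    for i in range(frames):
        src = f"0000-0000-{i:04x}"     # constructed attacker addresses
        tally[table.ingress(port, vlan, src, "ffff-ffff-ffff")[0]] += 1
    return tally


if __name__ == "__main__":
    t = MacTable()
    t.add_static("00e0-fc12-3456", "10GE1/0/1", 2)
    t.add_static("00e0-fc12-3457", "10GE1/0/2", 2)
    t.add_blackhole("00e0-fc12-3456", 3)
    t.set_port_limit("10GE1/0/1", 100)
    print(t.ingress("10GE1/0/1", 2, "00e0-fc12-3456", "00e0-fc12-3457"))
    print(t.ingress("10GE1/0/1", 3, "00e0-fc12-3456", "ffff-ffff-ffff"))
    print(simulate_flood(t, "10GE1/0/1", 10, 1000))
```

The flood tally makes the difference between the two limit actions visible: with discard, frames beyond the limit are dropped; with forward, they are still flooded in the VLAN but the table stays at the configured size, so legitimate entries are not evicted either way.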

3.1.6.2 Eth-Trunk

3.1.6.2.1 Example for Configuring an Eth-Trunk Interface to Work in Manual Mode

Networking Requirements
In Figure 3-31, DeviceA and DeviceB are connected through multiple links that
require high bandwidth and traffic load balancing. These links are bundled into
an Eth-Trunk to provide the bandwidth and to improve link reliability.

Figure 3-31 Networking diagram of an Eth-Trunk in manual mode


NOTE

In this example, Interface 1, Interface 2, and Interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create Eth-Trunk 1 on DeviceA and DeviceB and configure Eth-Trunk 1 to work in
manual mode.
# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] portswitch
[DeviceA-Eth-Trunk1] mode manual load-balance

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] portswitch
[DeviceB-Eth-Trunk1] mode manual load-balance

Step 2 Add member interfaces to the Eth-Trunk interface on DeviceA and DeviceB.
# Configure DeviceA.
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/3
[DeviceA-Eth-Trunk1] quit

# Configure DeviceB.
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/1 to 1/0/3
[DeviceB-Eth-Trunk1] quit

----End


Verifying the Configuration


Run the display eth-trunk 1 command in any view to check whether the Eth-
Trunk interface is created and whether member interfaces are added to the Eth-
Trunk interface.
[DeviceA] display eth-trunk 1
Eth-Trunk1's state information is:
Working Mode: Normal Hash Arithmetic: profile default
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 128
Operating Status: up Number of Up Ports in Trunk: 3
--------------------------------------------------------------------------------
PortName        Status    Weight
10GE1/0/1       Up        1
10GE1/0/2       Up        1
10GE1/0/3       Up        1

The command output shows that Eth-Trunk 1 has three member interfaces: 10GE
1/0/1, 10GE 1/0/2, and 10GE 1/0/3 and that these member interfaces are in up
state. The Operating Status of Eth-Trunk 1 is up.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
interface Eth-Trunk1
portswitch
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
return

● DeviceB
#
sysname DeviceB
#
interface Eth-Trunk1
portswitch
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
return


3.1.6.2.2 Example for Configuring an Eth-Trunk Interface to Work in Static LACP Mode

Networking Requirements
In Figure 3-32, DeviceA and DeviceB are connected through multiple links. A LAG
in static LACP mode is configured on the two devices to improve bandwidth and
reliability between them. The requirements are as follows:
● Traffic can be load balanced over two active links.
● One link between DeviceA and DeviceB functions as a backup link. If a fault
occurs on an active link, the backup link replaces the faulty link to ensure
reliable data transmission.

Figure 3-32 Networking diagram of an Eth-Trunk in static LACP mode


NOTE

In this example, Interface 1, Interface 2, and Interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create Eth-Trunk 1 on DeviceA and DeviceB and configure Eth-Trunk 1 to work in
static LACP mode.
# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] mode lacp-static
[DeviceA-Eth-Trunk1] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] mode lacp-static
[DeviceB-Eth-Trunk1] quit

Step 2 Add member interfaces to the Eth-Trunk interface on DeviceA and DeviceB.
# Configure DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] eth-trunk 1
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] eth-trunk 1
[DeviceA-10GE1/0/2] quit


[DeviceA] interface 10ge 1/0/3


[DeviceA-10GE1/0/3] eth-trunk 1
[DeviceA-10GE1/0/3] quit

# Configure DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] eth-trunk 1
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] eth-trunk 1
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] eth-trunk 1
[DeviceB-10GE1/0/3] quit

Step 3 Set the LACP system priority on DeviceA to 100 and retain the default LACP
system priority on DeviceB so that DeviceA acts as the Actor.
[DeviceA] lacp priority 100

Step 4 On DeviceA, set the upper threshold for the number of active interfaces to 2. The
remaining link is used as a backup link.
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] lacp max active-linknumber 2
[DeviceA-Eth-Trunk1] quit

Step 5 Set LACP interface priorities and determine active interfaces on DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] lacp priority 100
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] lacp priority 100
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


# Check Eth-Trunk information on DeviceA and DeviceB and check whether LACP
negotiation is successful.
[DeviceA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static
Preempt Delay: Disabled Hash Arithmetic: profile default
System Priority: 100 System ID: xxxx-xxxx-xxxx
Least Active-linknumber: 1 Max Active-linknumber: 2
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName   Status     PortType   PortPri   PortNo   PortKey   PortState   Weight
10GE1/0/1       Selected   10GE       100       1        20289     10111100    1
10GE1/0/2       Selected   10GE       100       2        20289     10111100    1
10GE1/0/3       Unselect   10GE       32768     3        20289     10100000    1

Partner:
--------------------------------------------------------------------------------
ActorPortName   SysPri   SystemID         PortPri   PortNo   PortKey   PortState
10GE1/0/1       32768    xxxx-xxxx-xxxx   32768     4        20289     10111100
10GE1/0/2       32768    xxxx-xxxx-xxxx   32768     5        20289     10111100
10GE1/0/3       32768    xxxx-xxxx-xxxx   32768     6        20289     10100000
[DeviceB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 Working Mode: Static


Preempt Delay: Disabled Hash Arithmetic: profile default


System Priority: 32768 System ID: xxxx-xxxx-xxxx
Least Active-linknumber: 1 Max Active-linknumber: 128
Operating Status: up Number Of Up Ports In Trunk: 2
Timeout Period: Slow
--------------------------------------------------------------------------------
ActorPortName   Status     PortType   PortPri   PortNo   PortKey   PortState   Weight
10GE1/0/1       Selected   10GE       32768     4        20289     10111100    1
10GE1/0/2       Selected   10GE       32768     5        20289     10111100    1
10GE1/0/3       Unselect   10GE       32768     6        20289     10100000    1

Partner:
--------------------------------------------------------------------------------
ActorPortName   SysPri   SystemID         PortPri   PortNo   PortKey   PortState
10GE1/0/1       100      xxxx-xxxx-xxxx   100       1        20289     10111100
10GE1/0/2       100      xxxx-xxxx-xxxx   100       2        20289     10111100
10GE1/0/3       100      xxxx-xxxx-xxxx   32768     3        20289     10100000

The command output shows that the LACP system priority of DeviceA is 100, a
smaller value and therefore a higher priority than the default value 32768 on
DeviceB, so DeviceA is the Actor and decides which links are active. Member
interfaces 10GE 1/0/1 and 10GE 1/0/2 are active interfaces and are in Selected
state, and interface 10GE 1/0/3 is in Unselect state. Load balancing and link
backup are implemented.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
lacp max active-linknumber 2
#
interface 10GE1/0/1
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/2
eth-trunk 1
lacp priority 100
#
interface 10GE1/0/3
eth-trunk 1
#
return

● DeviceB
#
sysname DeviceB
#
interface Eth-Trunk1
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
return
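The selection shown in the display eth-trunk 1 output above follows from three rules: the system with the smaller LACP system priority value (ties broken by the smaller system ID) is the Actor; the Actor ranks its member interfaces by port priority and then by port number; and only the first lacp max active-linknumber up interfaces become Selected, so a backup interface takes over when an active one goes down. The following Python script is an added example for this guide, not Huawei code: it applies these rules to the values from this example (the system IDs 00e0-fc00-000a and 00e0-fc00-000b stand in for the xxxx-xxxx-xxxx shown in the output and are constructed) and also shows the state after 10GE 1/0/1 fails.

```python
"""Static LACP link selection as shown in the 'display eth-trunk 1' output above.

Added example for this guide, not Huawei code: the Actor is the system whose LACP
system priority value is smaller (ties broken by the smaller system ID), and the
Actor selects active links by port priority (smaller value first), then by port
number, up to its 'lacp max active-linknumber'. Links that are down are never
selected, so a backup link takes over when an active one fails. The system IDs
and port numbers below are constructed from this example; the MAC values stand in
for the xxxx-xxxx-xxxx shown in the output.
"""
import copy

DEVICE_A = {
    "sys": (100, "00e0-fc00-000a"),          # lacp priority 100
    "max_active": 2,                          # lacp max active-linknumber 2
    "ports": [
        {"name": "10GE1/0/1", "port_pri": 100,   "port_no": 1, "up": True},
        {"name": "10GE1/0/2", "port_pri": 100,   "port_no": 2, "up": True},
        {"name": "10GE1/0/3", "port_pri": 32768, "port_no": 3, "up": True},
    ],
}
DEVICE_B = {
    "sys": (32768, "00e0-fc00-000b"),        # default system priority
    "max_active": 128,                        # default
    "ports": [
        {"name": "10GE1/0/1", "port_pri": 32768, "port_no": 4, "up": True},
        {"name": "10GE1/0/2", "port_pri": 32768, "port_no": 5, "up": True},
        {"name": "10GE1/0/3", "port_pri": 32768, "port_no": 6, "up": True},
    ],
}


def actor_is_local(local, partner):
    """True if the local system wins the Actor election (smaller priority value, then smaller ID)."""
    return local["sys"] <= partner["sys"]


def selected_indexes(actor):
    """Indexes of the Actor's ports that become Selected, ranked the way LACP ranks them."""
    candidates = [i for i, p in enumerate(actor["ports"]) if p["up"]]
    candidates.sort(key=lambda i: (actor["ports"][i]["port_pri"], actor["ports"][i]["port_no"]))
    return set(candidates[:actor["max_active"]])


def lacp_state(local, partner):
    """Selected/Unselect state of each local port; local port i faces partner port i."""
    actor = local if actor_is_local(local, partner) else partner
    chosen = selected_indexes(actor)
    return {p["name"]: ("Selected" if i in chosen else "Unselect")
            for i, p in enumerate(local["ports"])}


def with_port_down(side, name):
    """Copy of a side with one member port marked down (models a link failure)."""
    side = copy.deepcopy(side)
    for p in side["ports"]:
        if p["name"] == name:
            p["up"] = False
    return side


if __name__ == "__main__":
    print("DeviceA:", lacp_state(DEVICE_A, DEVICE_B))
    print("DeviceB:", lacp_state(DEVICE_B, DEVICE_A))
    print("DeviceA, 10GE1/0/1 down:", lacp_state(with_port_down(DEVICE_A, "10GE1/0/1"), DEVICE_B))
```

Because DeviceB is not the Actor, its own port priorities (all 32768) and its default max active-linknumber of 128 play no part in the result, which is why only DeviceA needs the lacp priority and lacp max active-linknumber configuration in this example.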


3.1.6.2.3 Example for Configuring Local Preferential Forwarding of Traffic on an Eth-Trunk Interface in a CSS or Stack

Networking Requirements
On the network shown in Figure 3-33, DeviceA and DeviceB are connected
through dedicated CSS cables to establish a CSS that functions as a logical switch
to increase the total device capacity. To implement backup between devices and
improve reliability, physical interfaces on the two devices are added to the same
Eth-Trunk interface. When no fault occurs on the network, the member interface
information on the PE shows that traffic from VLAN 2 and traffic from VLAN 3
are both load balanced over member interfaces 10GE1/0/1 and 10GE1/0/2. This
increases the bandwidth between the devices, but a frame that enters one CSS
member and is hashed to the Eth-Trunk member interface on the other CSS member
has to cross the CSS link, which consumes CSS link bandwidth and reduces
forwarding efficiency.
To ensure that data traffic from VLAN 2 is forwarded through 10GE1/0/1 and data
traffic from VLAN 3 is forwarded through 10GE1/0/2, configure local preferential
forwarding of traffic on the Eth-Trunk interface in the CSS or stack.

NOTE

In this example, interface 1 and interface 2 represent 10GE1/0/1 and 10GE1/0/2,
respectively.


Figure 3-33 Network diagram of local preferential forwarding of traffic

Procedure
Step 1 Create an Eth-Trunk interface and configure the allowed VLANs.

# Configure the CSS or stack.


<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] portswitch
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan all
[CSS-Eth-Trunk10] quit

# Configure the aggregation device PE.


<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] interface eth-trunk 10
[PE-Eth-Trunk10] portswitch
[PE-Eth-Trunk10] port link-type trunk


[PE-Eth-Trunk10] port trunk allow-pass vlan all
[PE-Eth-Trunk10] quit

Step 2 Add member interfaces to the Eth-Trunk interface.

# Configure the CSS or stack.


[CSS] interface 10ge 1/1/0/1
[CSS-10GE1/1/0/1] portswitch
[CSS-10GE1/1/0/1] eth-trunk 10
[CSS-10GE1/1/0/1] quit
[CSS] interface 10ge 2/1/0/1
[CSS-10GE2/1/0/1] portswitch
[CSS-10GE2/1/0/1] eth-trunk 10
[CSS-10GE2/1/0/1] quit

# Configure the aggregation device PE.


[PE] interface eth-trunk 10
[PE-Eth-Trunk10] trunkport 10ge 1/0/1 to 1/0/2
[PE-Eth-Trunk10] quit

Step 3 Configure local preferential forwarding of traffic on the Eth-Trunk interface in the
CSS or stack.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] undo local-preference disable
[CSS-Eth-Trunk10] quit

By default, local preferential forwarding of traffic is enabled on an Eth-Trunk
interface, so this step is only needed if the function has been disabled with the
local-preference disable command.

Step 4 Configure the Layer 2 forwarding function.

# Configure the CSS or stack.


[CSS] vlan batch 2 3
[CSS] interface 10ge 1/1/0/2
[CSS-10GE1/1/0/2] portswitch
[CSS-10GE1/1/0/2] port link-type trunk
[CSS-10GE1/1/0/2] port trunk allow-pass vlan 2
[CSS-10GE1/1/0/2] quit
[CSS] interface 10ge 2/1/0/2
[CSS-10GE2/1/0/2] portswitch
[CSS-10GE2/1/0/2] port link-type trunk
[CSS-10GE2/1/0/2] port trunk allow-pass vlan 3
[CSS-10GE2/1/0/2] quit

# Configure the access device DeviceC. The configuration of DeviceD is similar to
that of DeviceC, except that DeviceD uses VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan 2
[DeviceC-vlan2] quit
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 2
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 2
[DeviceC-10GE1/0/2] quit

----End


Verifying the Configuration


# After the configuration is complete, run the display eth-trunk membership
command in any view to check information about Eth-Trunk member interfaces.
The following uses the command output on the CSS or stack as an example.
<CSS> display eth-trunk membership 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface 10GE1/1/0/1, valid, operate up, weight=1
Interface 10GE2/1/0/1, valid, operate up, weight=1

Configuration Scripts
● CSS
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface 10GE1/1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE2/1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
interface 10GE1/1/0/1
eth-trunk 10
#
interface 10GE2/1/0/1
eth-trunk 10
#
return

● PE
#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE1/0/2
eth-trunk 10
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 2


#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return
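The effect of local preferential forwarding is easiest to see by modelling the egress choice on the CSS: with the function enabled, a frame entering CSS member 1 (for example from DeviceC on 10GE1/1/0/2) is hashed only over the up Eth-Trunk member interfaces on member 1, so it leaves through 10GE1/1/0/1 and never crosses the CSS link; only when no local member interface is up does the traffic fall back to 10GE2/1/0/1. The following Python script is an added example for this guide, not Huawei code and not the device's actual hash algorithm; the interface names follow the chassis/slot/subcard/port form used in this example, SHA-256 stands in for the load-balancing hash, and all flows are constructed.

```python
"""Egress member selection on a cross-member Eth-Trunk, with and without local
preferential forwarding, as an added example for this guide (a model, not
Huawei's load-balancing hash). Member interfaces are named in the stack or CSS
form chassis/slot/subcard/port, e.g. 10GE1/1/0/1, so the leading number is the
member that hosts the port. Flow hashing is modelled with SHA-256 over the
frame's MAC addresses and VLAN; all flows below are constructed.
"""
import hashlib


def member_of(ifname):
    """Stack/CSS member ID of an interface such as '10GE2/1/0/1' -> 2."""
    return int(ifname.split("GE", 1)[1].split("/")[0])


def flow_hash(src_mac, dst_mac, vlan):
    """Deterministic stand-in for the device's load-balancing hash."""
    return int(hashlib.sha256(f"{src_mac}|{dst_mac}|{vlan}".encode()).hexdigest(), 16)


def egress_member(members, ingress_if, src_mac, dst_mac, vlan, local_preference=True):
    """Pick the Eth-Trunk member interface a frame leaves through.

    members: {ifname: "up"|"down"}. With local preference, only up members on the
    frame's ingress member are hashed over; remote members are used only when no
    local member is up, so traffic crosses the stack/CSS link only on failure.
    """
    up = sorted(m for m, state in members.items() if state == "up")
    if not up:
        return None
    if local_preference:
        local = [m for m in up if member_of(m) == member_of(ingress_if)]
        if local:
            up = local
    return up[flow_hash(src_mac, dst_mac, vlan) % len(up)]


def crossing_ratio(members, ingress_if, vlan, flows, local_preference=True):
    """Fraction of constructed flows that leave through a member on another chassis."""
    crossed = 0
    for i in range(flows):
        src, dst = f"0000-0000-{i:04x}", f"0000-0001-{i:04x}"
        out = egress_member(members, ingress_if, src, dst, vlan, local_preference)
        crossed += out is not None and member_of(out) != member_of(ingress_if)
    return crossed / flows


if __name__ == "__main__":
    trunk = {"10GE1/1/0/1": "up", "10GE2/1/0/1": "up"}   # Eth-Trunk 10 in the CSS
    print(crossing_ratio(trunk, "10GE1/1/0/2", 2, 1000))
    print(crossing_ratio(trunk, "10GE1/1/0/2", 2, 1000, local_preference=False))
    trunk["10GE1/1/0/1"] = "down"
    print(crossing_ratio(trunk, "10GE1/1/0/2", 2, 1000))
```

The three printed ratios are the point of the example: 0.0 with local preference (no VLAN 2 traffic crosses the CSS link), roughly half without it, and 1.0 after 10GE1/1/0/1 fails, when the remaining member interface on the other chassis keeps the traffic flowing.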

3.1.6.3 VLAN

3.1.6.3.1 Example for Configuring VLANIF Interfaces to Implement Inter-VLAN Communication Through a Single Device

Networking Requirements
In Figure 3-34, the two hosts connected to DeviceA are located on different
network segments. One belongs to VLAN 2, and the other belongs to VLAN 3.
Both hosts need to communicate with each other.

Figure 3-34 Networking diagram for configuring VLANIF interfaces to implement
inter-VLAN communication through a single device
NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2 3
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 2
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 3
[DeviceA-10GE1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.
[DeviceA] interface vlanif 2
[DeviceA-Vlanif2] ip address 10.10.10.2 24
[DeviceA-Vlanif2] quit
[DeviceA] interface vlanif 3
[DeviceA-Vlanif3] ip address 10.10.20.2 24
[DeviceA-Vlanif3] quit

----End

Verifying the Configuration
Set the IP address of the host in VLAN 2 to 10.10.10.1/24 and default gateway
address to 10.10.10.2/24 (IP address of VLANIF 2), and set the IP address of the
host in VLAN 3 to 10.10.20.1/24 and default gateway address to 10.10.20.2/24 (IP
address of VLANIF 3). After the configuration is complete, hosts in VLAN 2 and
VLAN 3 can ping each other.

Configuration Scripts
#
sysname DeviceA
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif3
ip address 10.10.20.2 255.255.255.0
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 3
#
return

3.1.6.3.2 Example for Configuring Interface-based VLAN Assignment to Implement Intra-VLAN Communication (Through Multiple Devices)

Networking Requirements
In Figure 3-35, Host1, Host2, Host5, and Host6 belong to VLAN 2, and Host3,
Host4, Host7, and Host8 belong to VLAN 3. The interfaces on the link between
DeviceA and DeviceC and those on the link between DeviceC and DeviceB allow
packets sourced from VLAN 2 and VLAN 3 to pass through. This ensures that hosts
in the same VLAN on DeviceA and DeviceB can directly communicate with each
other at Layer 2, but hosts in different VLANs cannot.

Figure 3-35 Networking diagram of configuring interface-based VLAN assignment for intra-VLAN communication through multiple devices
NOTE

In this example, interfaces 1 through 5 represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE
1/0/4, and 10GE 1/0/5, respectively.

Procedure
Step 1 On DeviceA and DeviceB, configure the interfaces connecting to hosts as access
interfaces, add Host1, Host2, Host5, and Host6 to VLAN 2, and add Host3, Host4,
Host7, and Host8 to VLAN 3.
# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2 3
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 2
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 2
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 3
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10ge 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type access
[DeviceA-10GE1/0/4] port default vlan 3
[DeviceA-10GE1/0/4] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 3
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type access
[DeviceB-10GE1/0/1] port default vlan 2
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type access
[DeviceB-10GE1/0/2] port default vlan 2
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type access
[DeviceB-10GE1/0/3] port default vlan 3
[DeviceB-10GE1/0/3] quit
[DeviceB] interface 10ge 1/0/4
[DeviceB-10GE1/0/4] portswitch
[DeviceB-10GE1/0/4] port link-type access
[DeviceB-10GE1/0/4] port default vlan 3
[DeviceB-10GE1/0/4] quit

Step 2 Configure the link between DeviceA and DeviceC and that between DeviceB and
DeviceC as trunk links.
# Configure DeviceA.
[DeviceA] interface 10ge 1/0/5
[DeviceA-10GE1/0/5] portswitch
[DeviceA-10GE1/0/5] port link-type trunk
[DeviceA-10GE1/0/5] port trunk allow-pass vlan 2 3
[DeviceA-10GE1/0/5] quit

# Configure DeviceB.
[DeviceB] interface 10ge 1/0/5
[DeviceB-10GE1/0/5] portswitch
[DeviceB-10GE1/0/5] port link-type trunk
[DeviceB-10GE1/0/5] port trunk allow-pass vlan 2 3
[DeviceB-10GE1/0/5] quit

# Configure DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 2 3
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 2 3
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 2 3
[DeviceC-10GE1/0/2] quit

----End

Verifying the Configuration
# Run the display vlan command to check the VLAN status. The following
example shows the command output on DeviceA.
[DeviceA] display vlan 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------

VID Ports
--------------------------------------------------------------------------------
2 UT:10GE1/0/1(U) 10GE1/0/2(U)
TG:10GE1/0/5(U)

VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
2 common enable default enable disable FWD FWD FWD VLAN 0002

# Run the display port vlan command to check information about allowed VLANs
on involved interfaces. The following example shows the command output on
10GE 1/0/5 of DeviceA.
[DeviceA] display port vlan 10ge 1/0/5
Port Link Type PVID Trunk VLAN List Port Description
---------------------------------------------------------------------------------------------------------------
10GE1/0/5 trunk 1 1-3

# Hosts in VLAN 2 can ping one another, as can those in VLAN 3. However, hosts
in VLAN 2 cannot ping hosts in VLAN 3.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 2
#
interface 10GE1/0/3
port default vlan 3
#
interface 10GE1/0/4
port default vlan 3
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port default vlan 2
#
interface 10GE1/0/2
port default vlan 2
#
interface 10GE1/0/3
port default vlan 3
#
interface 10GE1/0/4
port default vlan 3
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

3.1.6.3.3 Example for Configuring Interface-based VLAN Assignment to Implement Inter-VLAN Communication (Access Devices Functioning as Gateways)

Networking Requirements
In Figure 3-36, PC1 and PC2 belong to VLAN 2 and VLAN 3 respectively and are
connected to DeviceA at the aggregation layer through DeviceB at the access
layer. PC3 belongs to VLAN 4 and is connected to DeviceA through DeviceC at the
access layer. DeviceB functions as the gateway of PC1 and PC2, and DeviceC
functions as the gateway of PC3. Static routes are configured on the devices to
allow PCs to communicate with each other and access the upper-layer device.

Figure 3-36 Network diagram for configuring access devices as gateways
NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure DeviceB at the access layer.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 3

# Add interfaces to corresponding VLANs.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type access
[DeviceB-10GE1/0/2] port default vlan 2
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type access
[DeviceB-10GE1/0/3] port default vlan 3
[DeviceB-10GE1/0/3] quit

# Configure VLANIF interfaces as gateways of PCs.
[DeviceB] interface vlanif 2
[DeviceB-Vlanif2] ip address 192.168.2.1 24
[DeviceB-Vlanif2] quit
[DeviceB] interface vlanif 3
[DeviceB-Vlanif3] ip address 192.168.3.1 24
[DeviceB-Vlanif3] quit

# Configure DeviceB for communication with DeviceA.
[DeviceB] vlan batch 5
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type access
[DeviceB-10GE1/0/1] port default vlan 5
[DeviceB-10GE1/0/1] quit
[DeviceB] interface Vlanif 5
[DeviceB-Vlanif5] ip address 192.168.5.2 24
[DeviceB-Vlanif5] quit
[DeviceB] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1

Step 2 Configure DeviceC at the access layer.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 4

# Add an interface to the VLAN.
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type access
[DeviceC-10GE1/0/2] port default vlan 4
[DeviceC-10GE1/0/2] quit

# Configure a VLANIF interface as the gateway of a PC.
[DeviceC] interface vlanif 4
[DeviceC-Vlanif4] ip address 192.168.4.1 24
[DeviceC-Vlanif4] quit

# Configure DeviceC for communication with DeviceA.
[DeviceC] vlan batch 5
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type access
[DeviceC-10GE1/0/1] port default vlan 5
[DeviceC-10GE1/0/1] quit
[DeviceC] interface Vlanif 5
[DeviceC-Vlanif5] ip address 192.168.5.3 24
[DeviceC-Vlanif5] quit
[DeviceC] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1

Step 3 Configure DeviceA at the aggregation layer.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 5

# Add interfaces to the VLAN.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 5
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 5
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 5
[DeviceA-10GE1/0/3] quit

# Configure a VLANIF interface for communication with the upper-layer device.
[DeviceA] interface vlanif 5
[DeviceA-Vlanif5] ip address 192.168.5.1 24
[DeviceA-Vlanif5] quit

# Configure specific return routes to implement mutual access between internal network segments.
[DeviceA] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
[DeviceA] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
[DeviceA] ip route-static 192.168.4.0 255.255.255.0 192.168.5.3

# Configure a default route to allow devices on internal network segments to access the upper-layer device.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4

----End

Verifying the Configuration
# Run the display vlan command to check the VLAN status. The following
example uses the command output on DeviceB.
[DeviceB] display vlan 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------

VID Ports
--------------------------------------------------------------------------------
2 UT:10GE1/0/2(U) 10GE1/0/3(U)
TG:10GE1/0/1(U)

VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
2 common enable default enable disable FWD FWD FWD VLAN 0002

# Run the display port vlan command to check information about allowed VLANs
on an interface. The following example uses the command output about 10GE
1/0/1 on DeviceB.
[DeviceB] display port vlan 10ge 1/0/1
Port Link Type PVID Trunk VLAN List Port Description
---------------------------------------------------------------------------------------------------------------
10GE1/0/1 trunk 1 2-3

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 5
#
interface 10GE1/0/2
port link-type access
port default vlan 5
#
interface 10GE1/0/3
port link-type access
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 3 5
#
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.2 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 5
#
interface 10GE1/0/2
port link-type access
port default vlan 2
#
interface 10GE1/0/3
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 4 to 5
#
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.3 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 5
#
interface 10GE1/0/2
port link-type access
port default vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return
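The three configuration scripts above, like the trunk and access-port scripts in 3.1.6.3.2, are small enough to check by eye, but the mistakes that break reachability in a larger deployment are the same ones: a port placed in a VLAN that was never created, the same VLANIF address configured on two access switches, or a static route whose next hop sits on no directly attached subnet. The Python script below is an added example, not Huawei code and not part of this document: it reads VRP-style configuration scripts with a minimal parser and runs those three checks. The embedded scripts are copied from the DeviceA, DeviceB and DeviceC scripts above, trimmed to the lines the checks read; the next hop 192.168.5.4 belongs to the upper-layer device, which the page does not show, so the checker reports it as external.

```python
"""Consistency checks over VRP-style configuration scripts (added example)."""
import ipaddress
import re

# Scripts copied from the page (3.1.6.3.3), trimmed to the lines the checks read.
DEVICE_A = """\
sysname DeviceA
vlan batch 5
interface Vlanif5
 ip address 192.168.5.1 255.255.255.0
interface 10GE1/0/1
 port default vlan 5
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
"""
DEVICE_B = """\
sysname DeviceB
vlan batch 2 to 3 5
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
interface Vlanif5
 ip address 192.168.5.2 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
"""
DEVICE_C = """\
sysname DeviceC
vlan batch 4 to 5
interface Vlanif4
 ip address 192.168.4.1 255.255.255.0
interface Vlanif5
 ip address 192.168.5.3 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
"""

def expand_vlans(tokens):
    """'2 to 3 5' -> {2, 3, 5}; VRP writes ranges as 'a to b'."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_script(text):
    """Read sysname, created VLANs, VLANIF addresses, port VLANs and static routes."""
    dev = {"name": None, "vlans": set(), "vlanif": {}, "ports": {}, "routes": []}
    cur = None  # interface whose sub-commands we are inside, if any
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("#", "return"):
            cur = None
        elif w[0] == "sysname":
            dev["name"] = w[1]
        elif w[:2] == ["vlan", "batch"]:
            dev["vlans"] |= expand_vlans(w[2:])
        elif w[0] == "interface":
            cur = w[1]
        elif w[:2] == ["ip", "address"] and cur and cur.lower().startswith("vlanif"):
            dev["vlanif"][int(re.sub(r"\D", "", cur))] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["port", "default", "vlan"] and cur:
            dev["ports"][cur] = {int(w[3])}
        elif w[:4] == ["port", "trunk", "allow-pass", "vlan"] and cur:
            dev["ports"][cur] = expand_vlans(w[4:])
        elif w[:2] == ["ip", "route-static"]:
            dev["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
    return dev

def find_unknown_vlans(dev):
    """Ports placed in, or allowing, VLANs that the script never creates."""
    return {p: sorted(v - dev["vlans"]) for p, v in dev["ports"].items() if v - dev["vlans"]}

def find_duplicate_addresses(devices):
    """The same VLANIF address on two devices: static routes then reach the wrong box."""
    seen, dups = {}, []
    for dev in devices:
        for itf in dev["vlanif"].values():
            if itf.ip in seen:
                dups.append((str(itf.ip), seen[itf.ip], dev["name"]))
            else:
                seen[itf.ip] = dev["name"]
    return dups

def resolve_next_hops(dev, devices):
    """Map each static route of `dev` to the device owning its next hop; 'external' if the
    hop is on an attached subnet but no parsed device owns it, 'unreachable' if on none."""
    owners = {itf.ip: d["name"] for d in devices for itf in d["vlanif"].values()}
    attached = [itf.network for itf in dev["vlanif"].values()]
    result = {}
    for dst, nh in dev["routes"]:
        on_link = any(nh in net for net in attached)
        result[str(dst)] = owners.get(nh, "external") if on_link else "unreachable"
    return result
```

Parsing the three scripts and calling `find_duplicate_addresses` returns an empty list, and `resolve_next_hops` on DeviceA resolves 192.168.2.0/24 and 192.168.3.0/24 to DeviceB, 192.168.4.0/24 to DeviceC and the default route to external. Feeding it a copy of the DeviceC script with 192.168.5.3 replaced by 192.168.5.2 reports the collision with DeviceB, which is exactly the kind of slip that silently sends VLAN 4 traffic to the wrong switch.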

3.1.6.3.4 Example for Configuring Interface-based VLAN Assignment to Implement Inter-VLAN Communication (Aggregation Device Functioning as the Gateway)

Networking Requirements
In Figure 3-37, PC1 and PC2 belong to VLAN 2 and VLAN 3 respectively and are
connected to DeviceA at the aggregation layer through DeviceB at the access
layer. PC3 belongs to VLAN 4 and is connected to DeviceA through DeviceC at the
access layer. No configuration is performed on DeviceC, and DeviceC functions as
a hub and supports plug-and-play. DeviceA functions as the gateway of PC1, PC2,
and PC3 to allow PCs to communicate with each other and access the upper-layer
device.

Figure 3-37 Network diagram for configuring the aggregation device as the gateway
NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure DeviceB at the access layer.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 3

# Add interfaces to corresponding VLANs.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type access
[DeviceB-10GE1/0/2] port default vlan 2
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type access
[DeviceB-10GE1/0/3] port default vlan 3
[DeviceB-10GE1/0/3] quit
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2 3
[DeviceB-10GE1/0/1] quit

Step 2 Configure DeviceA at the aggregation layer.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2 to 5

# Add interfaces connected to DeviceB and DeviceC to corresponding VLANs.
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 2 3
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 4
[DeviceA-10GE1/0/3] quit

# Configure VLANIF interfaces as gateways of PCs.
[DeviceA] interface vlanif 2
[DeviceA-Vlanif2] ip address 192.168.2.1 24
[DeviceA-Vlanif2] quit
[DeviceA] interface vlanif 3
[DeviceA-Vlanif3] ip address 192.168.3.1 24
[DeviceA-Vlanif3] quit
[DeviceA] interface vlanif 4
[DeviceA-Vlanif4] ip address 192.168.4.1 24
[DeviceA-Vlanif4] quit

# Add the interface connected to the upper-layer device to the corresponding VLAN.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 5
[DeviceA-10GE1/0/1] quit

# Configure a VLANIF interface to allow devices on internal network segments to access the upper-layer device.
[DeviceA] interface vlanif 5
[DeviceA-Vlanif5] ip address 192.168.5.1 24
[DeviceA-Vlanif5] quit

----End

Verifying the Configuration
# Run the display vlan command to check the VLAN status. The following
example uses the command output on DeviceB.
[DeviceB] display vlan 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------

VID Ports
--------------------------------------------------------------------------------
2 UT:10GE1/0/2(U) 10GE1/0/3(U)
TG:10GE1/0/1(U)

VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
2 common enable default enable disable FWD FWD FWD VLAN 0002

# Run the display port vlan command to check information about allowed VLANs
on an interface. The following example uses the command output about 10GE
1/0/1 on DeviceB.
[DeviceB] display port vlan 10ge 1/0/1
Port Link Type PVID Trunk VLAN List Port Description
---------------------------------------------------------------------------------------------------------------
10GE1/0/1 trunk 1 2-3

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 5
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/3
port link-type access
port default vlan 4
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/2
port link-type access
port default vlan 2
#
interface 10GE1/0/3
port link-type access
port default vlan 3
#
return

3.1.6.3.5 Example for Configuring MAC Address-based VLAN Assignment

Networking Requirements
In Figure 3-38, Host1, Host2, and Host3 are added to VLAN 10 based on their
MAC addresses. They can communicate with each other and also access the
Internet. Hosts with MAC addresses not associated with VLAN 10 cannot access
the Internet or communicate with authorized hosts in VLAN 10.

Figure 3-38 Networking diagram of configuring MAC address-based VLAN assignment
NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent 10GE 1/0/1,
10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4, respectively.

Procedure
Step 1 Create VLAN 10 and associate host MAC addresses with the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] mac-vlan mac-address 00e0-fc00-1111
[DeviceA-vlan10] mac-vlan mac-address 00e0-fc00-2222
[DeviceA-vlan10] mac-vlan mac-address 00e0-fc00-3333
[DeviceA-vlan10] quit

Step 2 On DeviceA, add all four interfaces to VLAN 10 and enable MAC address-based
VLAN assignment on 10GE 1/0/2 to 10GE 1/0/4.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type hybrid
[DeviceA-10GE1/0/1] port hybrid tagged vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type hybrid
[DeviceA-10GE1/0/2] port hybrid untagged vlan 10
[DeviceA-10GE1/0/2] mac-vlan enable
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type hybrid
[DeviceA-10GE1/0/3] port hybrid untagged vlan 10
[DeviceA-10GE1/0/3] mac-vlan enable
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10ge 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type hybrid
[DeviceA-10GE1/0/4] port hybrid untagged vlan 10
[DeviceA-10GE1/0/4] mac-vlan enable
[DeviceA-10GE1/0/4] quit

----End

Verifying the Configuration
# Run the display mac-vlan vlan 10 command to view MAC addresses associated
with VLAN 10.
[DeviceA] display mac-vlan vlan 10
Total MAC VLAN address count: 3
---------------------------------------------------
MAC Address Mask VLAN Priority
---------------------------------------------------
00e0-fc00-1111 ffff-ffff-ffff 10 0
00e0-fc00-2222 ffff-ffff-ffff 10 0
00e0-fc00-3333 ffff-ffff-ffff 10 0

# Authorized hosts Host1, Host2, and Host3 on the network can communicate
with each other and access the Internet. Hosts with MAC addresses not associated
with VLAN 10 cannot access the Internet or communicate with the authorized
hosts.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 00e0-fc00-1111
mac-vlan mac-address 00e0-fc00-2222
mac-vlan mac-address 00e0-fc00-3333
#
interface 10GE1/0/1
port link-type hybrid
port hybrid tagged vlan 10
#
interface 10GE1/0/2
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface 10GE1/0/3
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
interface 10GE1/0/4
port link-type hybrid
port hybrid untagged vlan 10
mac-vlan enable
#
return

3.1.6.3.6 Example for Configuring Subnet-based VLAN Assignment

Networking Requirements
In Figure 3-39, PC1, PC2, and PC3 are located on different network segments. It is
necessary for PCs on different network segments to be added to different VLANs.
In this example, PC1, PC2, and PC3 need to be added to VLAN 100, VLAN 200, and
VLAN 300, respectively.

Figure 3-39 Networking diagram of configuring subnet-based VLAN assignment
NOTE

In this example, interface 1 represents 10GE 1/0/1.

Procedure
Step 1 Create VLANs and associate subnets with the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 100 200 300
[DeviceA] vlan 100
[DeviceA-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3
[DeviceA-vlan200] quit
[DeviceA] vlan 300
[DeviceA-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4
[DeviceA-vlan300] quit

Step 2 Set 10GE 1/0/1 to a hybrid interface, configure the interface to allow packets from
VLAN 100, VLAN 200, and VLAN 300 to pass through, and enable subnet-based
VLAN assignment on the interface.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type hybrid
[DeviceA-10GE1/0/1] port hybrid untagged vlan 100
[DeviceA-10GE1/0/1] port hybrid untagged vlan 200
[DeviceA-10GE1/0/1] port hybrid untagged vlan 300
[DeviceA-10GE1/0/1] ip-subnet-vlan enable
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration
# Run the display ip-subnet-vlan vlan all command on DeviceA to check
information about subnets associated with VLANs.
[DeviceA] display ip-subnet-vlan vlan all
IP-subnet-VLAN count: 3 total count: 3
----------------------------------------------------------------
VLAN Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
#
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
#
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface 10GE1/0/1
port link-type hybrid
port hybrid untagged vlan 100
port hybrid untagged vlan 200
port hybrid untagged vlan 300
ip-subnet-vlan enable
#
return
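MAC address-based assignment (3.1.6.3.5) and subnet-based assignment (3.1.6.3.6) both pick the VLAN of an untagged frame from fields the sending host supplies. The Python model below is an added example, not Huawei code and not part of this document: it holds the three mac-vlan entries and the three ip-subnet-vlan entries configured on DeviceA in those two examples and classifies a frame the way a hybrid interface with the respective feature enabled would. Three things are assumptions rather than page content: the precedence MAC-based, then subnet-based, then the port PVID when both methods are enabled on one interface; a PVID of 1; and the extension of the MAC mask to values other than ffff-ffff-ffff, where a shorter mask matches a range of addresses (one OUI, for instance) instead of one host, which goes beyond the page's exact-match entries.

```python
"""VLAN assignment of untagged frames by MAC address or source subnet (added example)."""
import ipaddress
from dataclasses import dataclass

# Tables as configured on DeviceA in the two examples above. The MAC entries carry
# the ffff-ffff-ffff mask that `display mac-vlan` shows; the subnet entries keep
# the page's host-style addresses, which ip_network(strict=False) reduces to the subnet.
MAC_VLAN_TABLE = [  # (mac, mask, vlan, 802.1p priority)
    ("00e0-fc00-1111", "ffff-ffff-ffff", 10, 0),
    ("00e0-fc00-2222", "ffff-ffff-ffff", 10, 0),
    ("00e0-fc00-3333", "ffff-ffff-ffff", 10, 0),
]
IP_SUBNET_VLAN_TABLE = [  # (vlan, index, ip/prefix, 802.1p priority)
    (100, 1, "192.168.1.2/24", 2),
    (200, 1, "192.168.2.2/24", 3),
    (300, 1, "192.168.3.2/24", 4),
]


@dataclass
class HybridPort:
    name: str
    pvid: int = 1                 # assumed default PVID
    mac_vlan: bool = False        # `mac-vlan enable` on the interface
    ip_subnet_vlan: bool = False  # `ip-subnet-vlan enable` on the interface


def mac_int(mac):
    """VRP notation '00e0-fc00-1111' -> integer (case-insensitive)."""
    return int(mac.replace("-", ""), 16)


def classify(port, src_mac, src_ip=None):
    """Return (vlan, priority, reason) for an untagged frame entering `port`.

    Precedence (assumed): MAC-based, then IP-subnet-based, then the port PVID.
    A MAC mask other than ffff-ffff-ffff matches a whole range (e.g. one OUI);
    that generalises the page's exact-match entries.
    """
    if port.mac_vlan:
        for mac, mask, vlan, prio in MAC_VLAN_TABLE:
            m = mac_int(mask)
            if mac_int(src_mac) & m == mac_int(mac) & m:
                return vlan, prio, f"mac-vlan {mac}/{mask}"
    if port.ip_subnet_vlan and src_ip is not None:
        ip = ipaddress.ip_address(src_ip)
        for vlan, index, subnet, prio in IP_SUBNET_VLAN_TABLE:
            if ip in ipaddress.ip_network(subnet, strict=False):
                return vlan, prio, f"ip-subnet-vlan vlan {vlan} index {index}"
    return port.pvid, None, "pvid"


if __name__ == "__main__":
    host_port = HybridPort("10GE1/0/2", mac_vlan=True)          # as in 3.1.6.3.5
    subnet_port = HybridPort("10GE1/0/1", ip_subnet_vlan=True)  # as in 3.1.6.3.6
    for mac in ("00e0-fc00-1111", "00e0-fc00-9999"):            # second MAC is constructed
        print(host_port.name, mac, "->", classify(host_port, mac))
    for ip in ("192.168.2.77", "10.0.0.5"):                     # constructed source addresses
        print(subnet_port.name, ip, "->", classify(subnet_port, "0011-2233-4455", ip))
```

Because the match keys are the source MAC and source IP address, these methods place hosts; they do not authenticate them. Any station that presents one of the listed MAC addresses lands in VLAN 10 exactly as the intended host does, so where VLAN membership is meant to gate access, combine it with port-level authentication and watch for the same MAC address appearing on several interfaces.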

3.1.6.3.7 Example for Configuring VLAN Aggregation

Networking Requirements
On the network shown in Figure 3-40, VLAN 2 and VLAN 3 are two sub-VLANs
connected to VLAN 4, which is a super-VLAN. PCs in VLAN 2 and VLAN 3 need to
communicate with each other.

Figure 3-40 Network diagram of configuring inter-VLAN communication through VLAN aggregation

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on CEs and determine the VLANs to which users belong.
2. Configure VLAN aggregation on the PE.
a. Configure the Layer 2 forwarding function.
b. Create a super-VLAN and add sub-VLANs to it.
c. Create a VLANIF interface for the super-VLAN and configure an IP
address for the VLANIF interface as the gateway address.

Data Plan
To complete the configuration, you need the following data:
● IDs of VLANs to which users belong.
● IP addresses of users.
● Numbers of interfaces connecting CEs to users.
● Sub-VLAN IDs and super-VLAN ID.
● Number and IP address of the VLANIF interface of the super-VLAN.

Procedure
Step 1 Create VLANs on CEs and add Layer 2 interfaces to the VLANs.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 2
[CE1] interface 10ge 1/0/1
[CE1-10GE1/0/1] portswitch
[CE1-10GE1/0/1] port link-type access
[CE1-10GE1/0/1] port default vlan 2
[CE1-10GE1/0/1] quit
[CE1] interface 10ge 1/0/2
[CE1-10GE1/0/2] portswitch
[CE1-10GE1/0/2] port link-type access
[CE1-10GE1/0/2] port default vlan 2
[CE1-10GE1/0/2] quit
[CE1] interface 10ge 1/0/3
[CE1-10GE1/0/3] portswitch
[CE1-10GE1/0/3] port link-type trunk
[CE1-10GE1/0/3] port trunk allow-pass vlan 2
[CE1-10GE1/0/3] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 3
[CE2] interface 10ge 1/0/1
[CE2-10GE1/0/1] portswitch
[CE2-10GE1/0/1] port link-type access
[CE2-10GE1/0/1] port default vlan 3
[CE2-10GE1/0/1] quit
[CE2] interface 10ge 1/0/2
[CE2-10GE1/0/2] portswitch
[CE2-10GE1/0/2] port link-type access
[CE2-10GE1/0/2] port default vlan 3
[CE2-10GE1/0/2] quit
[CE2] interface 10ge 1/0/3
[CE2-10GE1/0/3] portswitch
[CE2-10GE1/0/3] port link-type trunk
[CE2-10GE1/0/3] port trunk allow-pass vlan 3
[CE2-10GE1/0/3] quit

Step 2 Configure VLAN aggregation on the PE.
# Configure the Layer 2 forwarding function.
<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] vlan batch 2 to 4
[PE] interface 10ge 1/0/1
[PE-10GE1/0/1] portswitch
[PE-10GE1/0/1] port link-type trunk
[PE-10GE1/0/1] port trunk allow-pass vlan 2
[PE-10GE1/0/1] quit
[PE] interface 10ge 1/0/2
[PE-10GE1/0/2] portswitch
[PE-10GE1/0/2] port link-type trunk
[PE-10GE1/0/2] port trunk allow-pass vlan 3
[PE-10GE1/0/2] quit

# Create a super-VLAN and add sub-VLANs to it.
[PE] vlan 4
[PE-vlan4] aggregate-vlan
[PE-vlan4] access-vlan 2 to 3
[PE-vlan4] quit

# Create a VLANIF interface for the super-VLAN and configure an IP address for
the VLANIF interface.
[PE] interface vlanif 4
[PE-Vlanif4] ip address 10.1.1.12 24

After the preceding configurations are complete, configure an IP address for each
PC. The IP addresses of PCs and the IP address of the VLANIF interface must be on
the same network segment. If the configuration is successful, the PCs used by
employees in each VLAN can communicate with the corresponding switch, but PCs
in VLAN 2 and VLAN 3 cannot communicate with each other.

Step 3 Enable inter-VLAN proxy ARP.
[PE-Vlanif4] arp proxy inter-vlan enable
[PE-Vlanif4] quit

Step 4 Verify the configuration.


After the preceding configurations are complete, PCs in VLAN 2 and VLAN 3
cannot communicate with each other.
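
As an added illustration (not part of the Huawei document), the following Python model shows what the arp proxy inter-vlan enable command of Step 3 changes: the PE answers ARP requests for a host in the other sub-VLAN with its own MAC and then forwards between the sub-VLANs at Layer 3. The PE MAC and the PC entries are constructed; the VLAN numbers and the VLANIF address are the page's.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface

# Values from the page: super-VLAN 4 aggregates sub-VLANs 2 and 3, and VLANIF 4
# carries 10.1.1.12/24. The PE MAC and host entries below are constructed.
SUPER_VLAN = 4
SUB_VLANS = frozenset({2, 3})
VLANIF_IP = IPv4Interface("10.1.1.12/24")
PE_MAC = "00:e0:fc:00:00:01"  # constructed MAC of VLANIF 4


@dataclass
class ProxyArpPE:
    """Minimal model of the PE's ARP handling for one super-VLAN."""
    inter_vlan_proxy: bool = False               # [PE-Vlanif4] arp proxy inter-vlan enable
    hosts: dict = field(default_factory=dict)    # ip -> (mac, sub-VLAN)

    def learn(self, ip: str, mac: str, vlan: int) -> None:
        if vlan not in SUB_VLANS:
            raise ValueError(f"VLAN {vlan} is not a sub-VLAN of super-VLAN {SUPER_VLAN}")
        self.hosts[IPv4Address(ip)] = (mac, vlan)

    def arp_request(self, sender_vlan: int, target_ip: str):
        """MAC returned to a host in sender_vlan that asks for target_ip, or None."""
        target = IPv4Address(target_ip)
        if sender_vlan not in SUB_VLANS:
            return None
        # The super-VLAN's VLANIF answers for its own address in every sub-VLAN,
        # which is why PCs in VLAN 2 and VLAN 3 can both reach the switch.
        if target == VLANIF_IP.ip:
            return PE_MAC
        entry = self.hosts.get(target)
        if entry is None:
            return None
        target_mac, target_vlan = entry
        # Same sub-VLAN: the broadcast reaches the target, which answers itself.
        if target_vlan == sender_vlan:
            return target_mac
        # Different sub-VLAN: the broadcast domain ends at the sub-VLAN, so the
        # target never sees the request. Only inter-VLAN proxy ARP makes the PE
        # answer with its own MAC and forward the traffic at Layer 3.
        if self.inter_vlan_proxy and target in VLANIF_IP.network:
            return PE_MAC
        return None


def demo():
    """Resolve 10.1.1.3 (VLAN 3) from VLAN 2 before and after Step 3."""
    pe = ProxyArpPE()
    pe.learn("10.1.1.2", "00:11:22:33:44:02", 2)   # constructed PC in VLAN 2
    pe.learn("10.1.1.3", "00:11:22:33:44:03", 3)   # constructed PC in VLAN 3
    before = pe.arp_request(2, "10.1.1.3")
    pe.inter_vlan_proxy = True
    after = pe.arp_request(2, "10.1.1.3")
    return before, after
```

Because every inter-sub-VLAN flow passes through the VLANIF once proxy ARP is on, that interface is also where an ACL belongs if the two departments must stay separated.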

----End

Configuration Scripts
● CE1
#
sysname CE1
#
vlan batch 2
#
interface 10GE1/0/1
port link-type access
port default vlan 2
#
interface 10GE1/0/2
port link-type access
port default vlan 2
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
return
● CE2
#
sysname CE2
#
vlan batch 3
#
interface 10GE1/0/1
port link-type access
port default vlan 3
#
interface 10GE1/0/2
port link-type access
port default vlan 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
return

● PE
#
sysname PE
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.12 255.255.255.0
arp proxy inter-vlan enable
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

3.1.6.3.8 Example for Configuring MUX VLAN (on Cascaded Devices)

Networking Requirements
On the network shown in Figure 3-41, it is required that all hosts can access the
Internet, hosts in VLAN 3 can communicate with each other, and hosts in VLAN 4
cannot communicate with each other.

Figure 3-41 Network diagram of configuring MUX VLAN


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE1/0/1, 10GE1/0/2,
and 10GE1/0/3, respectively.

Procedure
Step 1 Configure MUX VLAN.
# Create VLAN 2 to VLAN 4 on DeviceB. Configure VLAN 2 as a principal VLAN,
VLAN 3 as a group VLAN, and VLAN 4 as a separate VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 3 4
[DeviceB] vlan 2
[DeviceB-vlan2] mux-vlan
[DeviceB-vlan2] subordinate group 3
[DeviceB-vlan2] subordinate separate 4
[DeviceB-vlan2] quit

# Create VLAN 2 to VLAN 4 on DeviceC. Configure VLAN 2 as a principal VLAN,
VLAN 3 as a group VLAN, and VLAN 4 as a separate VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 2 3 4
[DeviceC] vlan 2
[DeviceC-vlan2] mux-vlan
[DeviceC-vlan2] subordinate group 3
[DeviceC-vlan2] subordinate separate 4
[DeviceC-vlan2] quit

# Create VLAN 2 to VLAN 4 on DeviceD. Configure VLAN 2 as a principal VLAN,
VLAN 3 as a group VLAN, and VLAN 4 as a separate VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] vlan batch 2 3 4
[DeviceD] vlan 2
[DeviceD-vlan2] mux-vlan
[DeviceD-vlan2] subordinate group 3
[DeviceD-vlan2] subordinate separate 4
[DeviceD-vlan2] quit

Step 2 Add uplink interface 1 of DeviceB to VLAN 2, enable the MUX VLAN function on
interface 1, and configure downlink interface 2 and interface 3 to allow packets
from VLAN 2 to VLAN 4 to pass through.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2
[DeviceB-10GE1/0/1] port mux-vlan enable vlan 2
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 2 to 4
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type trunk
[DeviceB-10GE1/0/3] port trunk allow-pass vlan 2 to 4
[DeviceB-10GE1/0/3] quit

Step 3 Configure uplink interface 1 of DeviceC to allow packets from VLAN 2 to VLAN 4
to pass through, add downlink interface 2 and interface 3 to VLAN 3, and enable
the MUX VLAN function on interface 2 and interface 3.
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 2 to 4
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type access
[DeviceC-10GE1/0/2] port default vlan 3
[DeviceC-10GE1/0/2] port mux-vlan enable vlan 3
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10ge 1/0/3
[DeviceC-10GE1/0/3] portswitch
[DeviceC-10GE1/0/3] port link-type access
[DeviceC-10GE1/0/3] port default vlan 3
[DeviceC-10GE1/0/3] port mux-vlan enable vlan 3
[DeviceC-10GE1/0/3] quit

Step 4 Configure uplink interface 1 of DeviceD to allow packets from VLAN 2 to VLAN 4
to pass through, add downlink interface 2 and interface 3 to VLAN 4, and enable
the MUX VLAN function on interface 2 and interface 3.
[DeviceD] interface 10ge 1/0/1
[DeviceD-10GE1/0/1] portswitch
[DeviceD-10GE1/0/1] port link-type trunk
[DeviceD-10GE1/0/1] port trunk allow-pass vlan 2 to 4
[DeviceD-10GE1/0/1] quit
[DeviceD] interface 10ge 1/0/2
[DeviceD-10GE1/0/2] portswitch
[DeviceD-10GE1/0/2] port link-type access
[DeviceD-10GE1/0/2] port default vlan 4
[DeviceD-10GE1/0/2] port mux-vlan enable vlan 4
[DeviceD-10GE1/0/2] quit
[DeviceD] interface 10ge 1/0/3
[DeviceD-10GE1/0/3] portswitch
[DeviceD-10GE1/0/3] port link-type access
[DeviceD-10GE1/0/3] port default vlan 4
[DeviceD-10GE1/0/3] port mux-vlan enable vlan 4
[DeviceD-10GE1/0/3] quit


Step 5 Create VLANIF 2 on DeviceA, configure the IP address 10.1.1.1 24 for VLANIF 2,
and add interface 1 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 2
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 2
[DeviceA-Vlanif2] ip address 10.1.1.1 24
[DeviceA-Vlanif2] quit

NOTE

If the MUX VLAN contains multiple group VLANs and they need to communicate with each
other, run the arp proxy intra-vlan enable command on the VLANIF interface of DeviceA
to configure intra-VLAN proxy ARP.

Step 6 Configure IP addresses for hosts on the network and ensure that the IP addresses
are on the same network segment as the IP address of VLANIF 2 on DeviceA.

----End

Verifying the Configuration


● Host1, Host2, Host3, and Host4 can access the Internet.
● Host1 and Host2 can ping each other.
● Host3 and Host4 cannot ping each other.
● Host1 and Host2 in VLAN 3 and Host3 and Host4 in VLAN 4 cannot ping each
other.
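
To check the isolation rules that the four verification items rely on, here is an added Python model (not from the Huawei document) of MUX VLAN reachability using the page's VLAN numbers. The host placement is constructed from the networking requirements, and the misconfigured variant in the test (VLAN 4 defined as a group VLAN instead of a separate VLAN) is there to show what the check catches.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class MuxVlan:
    principal: int
    group: FrozenSet[int]     # hosts in one group VLAN can talk to each other
    separate: FrozenSet[int]  # hosts in a separate VLAN reach only the principal VLAN

    def can_communicate(self, vlan_a: int, vlan_b: int) -> bool:
        """Layer 2 reachability between a host in vlan_a and a host in vlan_b."""
        subordinate = self.group | self.separate
        for v in (vlan_a, vlan_b):
            if v != self.principal and v not in subordinate:
                raise ValueError(f"VLAN {v} is not part of this MUX VLAN")
        # The principal VLAN (the uplink towards the Internet) reaches every subordinate VLAN.
        if self.principal in (vlan_a, vlan_b):
            return True
        # Within one VLAN only group VLANs allow host-to-host traffic.
        if vlan_a == vlan_b:
            return vlan_a in self.group
        # Two different subordinate VLANs are always isolated from each other.
        return False


# Page values: principal VLAN 2, group VLAN 3, separate VLAN 4.
PAGE_MUX = MuxVlan(principal=2, group=frozenset({3}), separate=frozenset({4}))

# Constructed host placement following the networking requirements; "Internet"
# stands for whatever sits behind DeviceA's VLANIF 2 in the principal VLAN.
HOSTS: Dict[str, int] = {"Host1": 3, "Host2": 3, "Host3": 4, "Host4": 4, "Internet": 2}


def reachability(mux: MuxVlan = PAGE_MUX,
                 hosts: Dict[str, int] = HOSTS) -> Dict[Tuple[str, str], bool]:
    """Reachability verdict for every unordered pair of hosts."""
    return {(a, b): mux.can_communicate(hosts[a], hosts[b])
            for a, b in combinations(sorted(hosts), 2)}


def separation_check(mux: MuxVlan, hosts: Dict[str, int],
                     must_be_isolated: FrozenSet[int]) -> List[Tuple[str, str]]:
    """Host pairs sharing one of the VLANs in must_be_isolated that can still reach
    each other; empty when those VLANs are really configured as separate VLANs."""
    return [pair for pair, ok in reachability(mux, hosts).items()
            if ok and hosts[pair[0]] == hosts[pair[1]] and hosts[pair[0]] in must_be_isolated]
```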

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2
#
interface Vlanif2
ip address 10.10.10.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
return
● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/2
port default vlan 3
port mux-vlan enable vlan 3
#
interface 10GE1/0/3
port default vlan 3
port mux-vlan enable vlan 3
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4
#
interface 10GE1/0/2
port default vlan 4
port mux-vlan enable vlan 4
#
interface 10GE1/0/3
port default vlan 4
port mux-vlan enable vlan 4
#
return

3.1.6.3.9 Example for Configuring Basic QinQ

Networking Requirements
In Figure 3-42, DeviceA and DeviceB located in different areas are connected to
user networks A and B, and connected to each other through the public network.


On the public network, VLAN 100 and VLAN 200 are assigned for user networks A
and B to transmit traffic, respectively. Basic QinQ needs to be configured on
DeviceA and DeviceB so that VLANs can be divided in user networks A and B
separately without affecting each other, users in user network A connected to
DeviceA can communicate with users in the same network connected to DeviceB,
and users in different user networks are isolated from each other.

Figure 3-42 Networking diagram for configuring basic QinQ


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create VLANs.
# Create VLAN 100 and VLAN 200 on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 100 200

# Create VLAN 100 and VLAN 200 on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 100 200

Step 2 On DeviceA, configure 10GE 1/0/1 and 10GE 1/0/2 as QinQ interfaces, configure
10GE 1/0/1 to add an outer tag with VLAN ID 100 to packets, and configure 10GE
1/0/2 to add an outer tag with VLAN ID 200 to packets. The configuration of
DeviceB is similar to that of DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type dot1q-tunnel
[DeviceA-10GE1/0/1] port default vlan 100
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type dot1q-tunnel
[DeviceA-10GE1/0/2] port default vlan 200
[DeviceA-10GE1/0/2] quit

Step 3 Add 10GE 1/0/3 on DeviceA to VLAN 100 and VLAN 200. The configuration of
DeviceB is similar to that of DeviceA.

[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 100 200
[DeviceA-10GE1/0/3] quit

----End

Verifying the Configuration


● Any host on user network A connected to DeviceA can successfully ping a
host in the same VLAN on user network A connected to DeviceB.
● Any host on user network B connected to DeviceA can successfully ping a host
in the same VLAN on user network B connected to DeviceB.
● Any host on user network A connected to DeviceA cannot ping a host in the
same VLAN on user network B connected to DeviceB.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 100 200
#
interface 10GE1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface 10GE1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
return


3.1.6.3.10 Example for Configuring VLAN ID-based Selective QinQ

Networking Requirements
In Figure 3-43, service A and service B are user services in location X and location
Y. Service A at both locations belongs to one VLAN range, and service B at both
locations belongs to another VLAN range. To ensure security between services and
conserve VLAN IDs on the core/backbone network, traffic between the two
locations must be transparently transmitted through the core/backbone network.
In addition, the same services at both locations must be able to communicate with
each other, but different services must be isolated from each other.

Figure 3-43 Network diagram of configuring VLAN ID-based selective QinQ


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Create VLANs.
# Create VLAN 2 and VLAN 3 (outer VLAN IDs to be added) on 10GE 1/0/1 of
DeviceA. The configuration of DeviceB is similar to the configuration of DeviceA.
For detailed configurations, see Configuration Scripts.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 2 3

Step 2 Create VLANs and add interfaces to the VLANs.


# Configure selective QinQ on 10GE 1/0/1 of DeviceA. The configuration of
DeviceB is similar to the configuration of DeviceA. For detailed configurations, see
Configuration Scripts.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type hybrid
[DeviceA-10GE1/0/1] port hybrid untagged vlan 2 3
[DeviceA-10GE1/0/1] port vlan-stacking vlan 200 to 299 stack-vlan 2
[DeviceA-10GE1/0/1] port vlan-stacking vlan 300 to 399 stack-vlan 3
[DeviceA-10GE1/0/1] quit

Step 3 Add the outbound interfaces to the outer VLANs.

# Configure 10GE 1/0/2 on DeviceA to allow packets from VLAN 2 and VLAN 3 to
pass through. The configuration of DeviceB is similar to the configuration of
DeviceA. For detailed configurations, see Configuration Scripts.
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 2 3
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


● From the server running service A in VLAN 200 to VLAN 299 in location X,
ping the server running the same service in the same VLANs in location Y. If
the ping succeeds, the servers running service A in the same VLANs in both
locations can communicate with each other.
● From the server running service B in VLAN 300 to VLAN 399 in location X,
ping the server running the same service in the same VLANs in location Y. If
the ping succeeds, the servers running service B in the same VLANs in both
locations can communicate with each other.
● From the server running service A in VLAN 200 to VLAN 299 in location X,
ping the server running service B in VLAN 300 to VLAN 399 in location Y. If
the ping fails, different services are isolated from each other.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2 3
#
interface 10GE1/0/1
port link-type hybrid
port hybrid untagged vlan 2 3
port vlan-stacking vlan 200 to 299 stack-vlan 2
port vlan-stacking vlan 300 to 399 stack-vlan 3
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 3
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 2 3
#
interface 10GE1/0/1
port link-type hybrid
port hybrid untagged vlan 2 3
port vlan-stacking vlan 200 to 299 stack-vlan 2
port vlan-stacking vlan 300 to 399 stack-vlan 3
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 3
#
return

3.1.6.3.11 Example for Configuring MQC-based Selective QinQ

Networking Requirements
In Figure 3-44, PC1 and PC2 connected to DeviceA belong to VLAN 200 and VLAN
300, respectively, and PC3 and PC4 connected to DeviceD belong to VLAN 200
and VLAN 300, respectively. PC1 and PC3 are on the same network segment, and
PC2 and PC4 are on the same network segment. On the network between DeviceB
and DeviceC, VLAN 2 is used for communication between PC1 and PC3, and VLAN
3 is used for communication between PC2 and PC4. MQC-based selective QinQ
needs to be configured on DeviceB so that PC1 can unidirectionally access PC3
and PC2 can unidirectionally access PC4.

Figure 3-44 Network diagram of configuring MQC-based selective QinQ


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN 200 and VLAN 300 on DeviceA, add 10GE 1/0/2 to VLAN 200 and
10GE 1/0/3 to VLAN 300, and configure 10GE 1/0/1 to allow packets from VLAN
200 and VLAN 300 to pass through. The configuration of DeviceD is similar to that
of DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 200 300
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 200 300
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 200
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 300
[DeviceA-10GE1/0/3] quit

# Create VLAN 2 and VLAN 3 on DeviceB so that DeviceB can add an outer VLAN
2 or VLAN 3 tag to packets. Configure 10GE 1/0/1 and 10GE 1/0/2 to allow
packets from the two VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 3
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2 3
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 2 3
[DeviceB-10GE1/0/2] quit

# Create VLAN 2 and VLAN 3 on DeviceC, and configure 10GE 1/0/1 and 10GE
1/0/2 to allow packets from VLAN 2 and VLAN 3 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 2 3
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type hybrid
[DeviceC-10GE1/0/1] port hybrid untagged vlan 2 3
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type hybrid
[DeviceC-10GE1/0/2] port hybrid untagged vlan 2 3
[DeviceC-10GE1/0/2] quit

Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies.

# Configure traffic classifiers, traffic behaviors, and a traffic policy on DeviceB to
add an outer VLAN 2 tag to the packets sent from VLAN 200 and an outer VLAN 3
tag to the packets sent from VLAN 300.
[DeviceB] traffic classifier name1
[DeviceB-classifier-name1] if-match vlan 200
[DeviceB-classifier-name1] quit
[DeviceB] traffic behavior name1
[DeviceB-behavior-name1] vlan-stacking vlan 2
[DeviceB-behavior-name1] quit
[DeviceB] traffic classifier name2
[DeviceB-classifier-name2] if-match vlan 300
[DeviceB-classifier-name2] quit
[DeviceB] traffic behavior name2
[DeviceB-behavior-name2] vlan-stacking vlan 3
[DeviceB-behavior-name2] quit
[DeviceB] traffic policy name1
[DeviceB-trafficpolicy-name1] classifier name1 behavior name1
[DeviceB-trafficpolicy-name1] classifier name2 behavior name2
[DeviceB-trafficpolicy-name1] quit

Step 3 Apply the traffic policy to a specified interface.

# Apply the traffic policy to 10GE 1/0/1 of DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] traffic-policy name1 inbound
[DeviceB-10GE1/0/1] quit

----End

Verifying the Configuration


After the configuration is complete, PC1 can access PC3, and PC2 can access PC4.
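
The three QinQ procedures above (3.1.6.3.9 basic QinQ, 3.1.6.3.10 VLAN ID-based selective QinQ, and this MQC-based variant) differ only in how the customer VLAN selects the outer tag. The following Python model, added here and not part of the Huawei document, builds constructed 802.1Q frames and pushes or pops the outer tag under each of the three mappings; TPID 0x8100 for the outer tag and the frame contents are assumptions.

```python
import struct
from typing import List, Optional, Tuple

TPID_DOT1Q = 0x8100  # outer-tag TPID assumed for these examples

Rule = Tuple[int, int, int]  # (lowest C-VLAN, highest C-VLAN, S-VLAN to push)

# Rules taken from the three procedures; untagged frames are matched as C-VLAN 0.
BASIC_RULES: List[Rule] = [(0, 4094, 100)]                    # dot1q-tunnel + port default vlan 100
SELECTIVE_RULES: List[Rule] = [(200, 299, 2), (300, 399, 3)]  # port vlan-stacking ... stack-vlan
MQC_RULES: List[Rule] = [(200, 200, 2), (300, 300, 3)]        # if-match vlan N -> vlan-stacking vlan S


def build_frame(cvlan: Optional[int]) -> bytes:
    """Constructed IPv4 frame with a dummy payload, tagged with cvlan or untagged."""
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x66"
    body = struct.pack("!H", 0x0800) + b"\x00" * 46
    if cvlan is None:
        return dst + src + body
    return dst + src + struct.pack("!HH", TPID_DOT1Q, cvlan) + body


def vlan_stack(frame: bytes) -> List[int]:
    """VLAN IDs carried by the frame, outermost first ([] for an untagged frame)."""
    vids, off = [], 12
    while off + 4 <= len(frame) and struct.unpack_from("!H", frame, off)[0] == TPID_DOT1Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_outer_tag(frame: bytes, svlan: int, pcp: int = 0) -> bytes:
    """Insert an outer 802.1Q tag in front of whatever tags the frame already has."""
    if not 1 <= svlan <= 4094:
        raise ValueError("S-VLAN out of range")
    tci = ((pcp & 0x7) << 13) | svlan
    return frame[:12] + struct.pack("!HH", TPID_DOT1Q, tci) + frame[12:]


def pop_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as 'port hybrid untagged vlan 2 3' does on egress."""
    if not vlan_stack(frame):
        return frame
    return frame[:12] + frame[16:]


def ingress_qinq(frame: bytes, rules: List[Rule]) -> Optional[bytes]:
    """Apply the first matching rule to an ingress frame. None means no rule
    matched and the frame is not carried into the provider network."""
    stack = vlan_stack(frame)
    cvlan = stack[0] if stack else 0
    for low, high, svlan in rules:
        if low <= cvlan <= high:
            return push_outer_tag(frame, svlan)
    return None


def service_isolated(frame_a: bytes, frame_b: bytes, rules: List[Rule]) -> bool:
    """True when two customer frames land in different provider VLANs (or one is dropped),
    i.e. the two services cannot meet on the core network."""
    out_a, out_b = ingress_qinq(frame_a, rules), ingress_qinq(frame_b, rules)
    if out_a is None or out_b is None:
        return True
    return vlan_stack(out_a)[0] != vlan_stack(out_b)[0]
```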

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return
● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 3
#
traffic classifier name1 type or
if-match vlan 200
#
traffic classifier name2 type or
if-match vlan 300
#
traffic behavior name1
vlan-stacking vlan 2
#
traffic behavior name2
vlan-stacking vlan 3
#
traffic policy name1
classifier name1 behavior name1 precedence 5
classifier name2 behavior name2 precedence 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
traffic-policy name1 inbound
#

interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 2 to 3
#
interface 10GE1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
#
interface 10GE1/0/2
port link-type hybrid
port hybrid untagged vlan 2 to 3
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return

3.1.6.4 STP/RSTP/MSTP

3.1.6.4.1 Example for Configuring STP

Networking Requirements
In Figure 3-45, there is a loop between DeviceA, DeviceB, DeviceC, and DeviceD.
In this case, STP can be deployed on the network to break the loop and thereby
avoid broadcast storms and MAC address flapping.

Figure 3-45 Network diagram of STP


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.


Procedure
Step 1 Configure each device to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp mode stp
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp mode stp
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stp mode stp
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] stp mode stp

Step 2 Specify the root bridge and a secondary root bridge. It is best practice to specify
network devices with high performance and higher network layers as the root
bridge and a secondary root bridge.
# Configure DeviceA as the root bridge.
[DeviceA] stp root primary

# Configure DeviceB as a secondary root bridge.
[DeviceB] stp root secondary

Step 3 Configure all devices on the network to use the same path cost calculation
method. Set a path cost value for 10GE 1/0/1 on DeviceC to block this port.
# Configure DeviceA to use the Huawei legacy standard to calculate the path cost.
[DeviceA] stp pathcost-standard legacy

# Configure DeviceB to use the Huawei legacy standard to calculate the path cost.
[DeviceB] stp pathcost-standard legacy

# Configure DeviceC to use the Huawei legacy standard to calculate the path cost.
Set the path cost value for 10GE 1/0/1 on DeviceC to 20000, which is greater than
that for any other interface, so that 10GE 1/0/1 is blocked.
[DeviceC] stp pathcost-standard legacy
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] stp cost 20000
[DeviceC-10GE1/0/1] quit

# Configure DeviceD to use the Huawei legacy standard to calculate the path cost.
[DeviceD] stp pathcost-standard legacy

Step 4 Disable STP on DeviceB's and DeviceC's ports that are connected to PCs.

# Disable STP on DeviceB's 10GE 1/0/2.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] stp disable
[DeviceB-10GE1/0/2] quit

# Disable STP on DeviceC's 10GE 1/0/2.
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] stp disable
[DeviceC-10GE1/0/2] quit

Step 5 Enable STP on each device.

By default, STP, RSTP, or MSTP is enabled on a device. You can run the stp enable
command in the system view to enable this function if it is disabled.

----End

Verifying the Configuration


After the spanning tree calculation is stable, verify the configuration as follows:

# Run the display stp brief command on DeviceA to check the port role and
status. The command output shows that 10GE 1/0/1 and 10GE 1/0/2 have been
elected as designated ports during spanning tree calculation and are in
Forwarding state.
[DeviceA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable

# Run the display stp interface brief command on DeviceB to check the role and
status of 10GE 1/0/1. The command output shows that 10GE 1/0/1 has been
elected as a designated port and is in Forwarding state.
[DeviceB] display stp interface 10ge 1/0/1 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable

# Run the display stp brief command on DeviceC to check the port role and
status. The command output shows that 10GE 1/0/1 has been elected as an
alternate port and is in Discarding state and that 10GE 1/0/3 has been elected as
a root port and is in Forwarding state.
[DeviceC] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ALTE discarding none 20000 disable
0 10GE1/0/3 ROOT forwarding none 2 disable
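
To show why raising the path cost on DeviceC's 10GE 1/0/1 is what makes it the blocked port, here is an added Python model (not from the Huawei document) of the STP root, root-port and designated-port election. The ring topology is inferred from the display output above; the port names on DeviceB's uplink and on DeviceD, and the bridge MACs, are assumptions. The per-port cost of 2 is the value the display output shows for 10GE ports under the legacy standard.

```python
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Link = Tuple[Tuple[str, str], Tuple[str, str]]  # ((bridge, port), (bridge, port))


@dataclass
class Bridge:
    name: str
    priority: int
    mac: str                                              # constructed
    ports: Dict[str, int] = field(default_factory=dict)   # port -> path cost

    @property
    def bridge_id(self) -> Tuple[int, str]:
        return (self.priority, self.mac)


def spanning_tree(bridges: Dict[str, Bridge], links: List[Link]):
    """Return (root bridge, root path cost per bridge, role per (bridge, port))."""
    root = min(bridges.values(), key=lambda b: b.bridge_id).name
    nbrs: Dict[str, list] = {n: [] for n in bridges}
    for (b1, p1), (b2, p2) in links:
        nbrs[b1].append((p1, b2, p2))
        nbrs[b2].append((p2, b1, p1))
    # Root path cost (RPC) is charged on the receiving port, as in 802.1D; the best
    # offer is the lowest (RPC, sender bridge ID, sender port, receiving port).
    rpc, root_port, best = {root: 0}, {}, {}
    heap = [(0, bridges[root].bridge_id, root)]
    while heap:
        cost, _, b = heapq.heappop(heap)
        if cost > rpc[b]:
            continue
        for own_port, peer, peer_port in nbrs[b]:
            if peer == root:
                continue
            offer = (cost + bridges[peer].ports[peer_port], bridges[b].bridge_id, own_port, peer_port)
            if peer not in best or offer < best[peer]:
                best[peer], rpc[peer], root_port[peer] = offer, offer[0], peer_port
                heapq.heappush(heap, (offer[0], bridges[peer].bridge_id, peer))
    roles: Dict[Tuple[str, str], str] = {}
    for (b1, p1), (b2, p2) in links:
        # The designated bridge on a segment is the one with the lower (RPC, bridge ID).
        if (rpc[b1], bridges[b1].bridge_id) <= (rpc[b2], bridges[b2].bridge_id):
            desi, other = (b1, p1), (b2, p2)
        else:
            desi, other = (b2, p2), (b1, p1)
        roles[desi] = "DESI"
        roles[other] = "ROOT" if root_port.get(other[0]) == other[1] else "ALTE"
    return root, rpc, roles


def page_topology(device_c_port1_cost: int = 20000):
    """Ring reconstructed from the display output of the example. Priorities 0 and
    4096 are what 'stp root primary' and 'stp root secondary' set; the link ends on
    DeviceB's uplink and on DeviceD, and all MACs, are assumptions."""
    cost = 2  # legacy path cost of a 10GE port, as shown in the display output
    bridges = {
        "DeviceA": Bridge("DeviceA", 0, "00:e0:fc:00:00:0a", {"10GE1/0/1": cost, "10GE1/0/2": cost}),
        "DeviceB": Bridge("DeviceB", 4096, "00:e0:fc:00:00:0b", {"10GE1/0/1": cost, "10GE1/0/3": cost}),
        "DeviceC": Bridge("DeviceC", 32768, "00:e0:fc:00:00:0c",
                          {"10GE1/0/1": device_c_port1_cost, "10GE1/0/3": cost}),
        "DeviceD": Bridge("DeviceD", 32768, "00:e0:fc:00:00:0d", {"10GE1/0/1": cost, "10GE1/0/2": cost}),
    }
    links = [
        (("DeviceA", "10GE1/0/1"), ("DeviceB", "10GE1/0/3")),
        (("DeviceA", "10GE1/0/2"), ("DeviceD", "10GE1/0/1")),
        (("DeviceB", "10GE1/0/1"), ("DeviceC", "10GE1/0/1")),
        (("DeviceC", "10GE1/0/3"), ("DeviceD", "10GE1/0/2")),
    ]
    return spanning_tree(bridges, links)
```

Calling page_topology(2) shows the alternative: with the default cost, DeviceC's tie between its two paths is broken by DeviceB's lower bridge ID, so 10GE 1/0/3 would be blocked instead.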


Configuration Scripts
● DeviceA
#
sysname DeviceA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return

● DeviceB
#
sysname DeviceB
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp disable
#
return

● DeviceC
#
sysname DeviceC
#
stp mode stp
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp disable
#
return

● DeviceD
#
sysname DeviceD
#
stp mode stp
stp pathcost-standard legacy
#
return

3.1.6.4.2 Example for Configuring RSTP

Networking Requirements
In Figure 3-46, there is a loop between DeviceA, DeviceB, DeviceC, and DeviceD.
In this case, RSTP can be deployed on this network to break the loop and thereby
avoid broadcast storms and MAC address flapping.

Figure 3-46 Network diagram of RSTP


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.


Procedure
Step 1 Configure each device to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp mode rstp
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp mode rstp
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stp mode rstp
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] stp mode rstp

Step 2 Specify the root bridge and a secondary root bridge. It is best practice to specify
network devices with high performance and higher network layers as the root
bridge and a secondary root bridge.
# Configure DeviceA as the root bridge.
[DeviceA] stp root primary

# Configure DeviceB as a secondary root bridge.
[DeviceB] stp root secondary

Step 3 Configure all devices on the network to use the same path cost calculation
method. Set a path cost value for 10GE 1/0/1 on DeviceC to block this port.
# Configure DeviceA to use the Huawei legacy standard to calculate the path cost.
[DeviceA] stp pathcost-standard legacy

# Configure DeviceB to use the Huawei legacy standard to calculate the path cost.
[DeviceB] stp pathcost-standard legacy

# Configure DeviceC to use the Huawei legacy standard to calculate the path cost.
Set the path cost value for 10GE 1/0/1 on DeviceC to 20000, which is greater than
that for any other interface, so that 10GE 1/0/1 is blocked.
[DeviceC] stp pathcost-standard legacy
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] stp cost 20000
[DeviceC-10GE1/0/1] quit

# Configure DeviceD to use the Huawei legacy standard to calculate the path cost.
[DeviceD] stp pathcost-standard legacy

Step 4 Configure DeviceB's and DeviceC's ports that are connected to PCs as edge ports.

# Configure 10GE 1/0/2 on DeviceB as an edge port and enable BPDU protection.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] stp edged-port enable
[DeviceB-10GE1/0/2] quit
[DeviceB] stp bpdu-protection

# Configure 10GE 1/0/2 on DeviceC as an edge port and enable BPDU protection.
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] stp edged-port enable
[DeviceC-10GE1/0/2] quit
[DeviceC] stp bpdu-protection

Step 5 Enable RSTP on each device.

By default, STP, RSTP, or MSTP is enabled on a device. You can run the stp enable
command in the system view to enable this function if it is disabled.

Step 6 Enable root protection for the designated ports 10GE 1/0/1 and 10GE 1/0/2 on the
root bridge DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] stp root-protection
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] stp root-protection
[DeviceA-10GE1/0/2] quit
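
Steps 4 and 6 protect the topology against BPDUs arriving where none should: BPDU protection on the edge ports facing PCs, and root protection on the root bridge's designated ports. The Python model below, added here and not part of the Huawei document, parses a constructed RST BPDU and applies those two rules to the ports from this example; the bridge MACs, the rogue BPDU and the port-state names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

LLC_STP = b"\x42\x42\x03"   # DSAP/SSAP/control that precedes every 802.1D BPDU
BPDU_TCN = 0x80

BridgeId = Tuple[int, str]  # (priority, mac)


@dataclass(frozen=True)
class Bpdu:
    version: int          # 0 = STP, 2 = RSTP
    bpdu_type: int        # 0x00 config, 0x02 RST, 0x80 TCN
    root_id: BridgeId     # root the sender believes in
    root_path_cost: int
    bridge_id: BridgeId   # sender


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse a config/RST/TCN BPDU (LLC header included)."""
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP frame")
    body = payload[3:]
    proto, version, btype = struct.unpack_from("!HBB", body, 0)
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    if btype == BPDU_TCN:                    # a TCN carries no root information
        return Bpdu(version, btype, (0, ""), 0, (0, ""))
    rp, rmac, rpc, bp, bmac = struct.unpack_from("!H6sIH6s", body, 5)  # after the flags byte
    return Bpdu(version, btype, (rp, rmac.hex(":")), rpc, (bp, bmac.hex(":")))


def build_bpdu(root_id: BridgeId, root_path_cost: int, bridge_id: BridgeId) -> bytes:
    """Constructed RST BPDU with the 802.1D default timers (units of 1/256 s)."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    body = struct.pack("!HBBB", 0, 2, 0x02, 0)            # proto, version 2, RST BPDU, flags
    body += struct.pack("!H6sIH6sH", root_id[0], mac(root_id[1]), root_path_cost,
                        bridge_id[0], mac(bridge_id[1]), 0x8001)
    body += struct.pack("!HHHHB", 0, 20 * 256, 2 * 256, 15 * 256, 0)  # timers, version 1 length
    return LLC_STP + body


@dataclass
class Port:
    name: str
    role: str = "DESI"
    edged: bool = False             # stp edged-port enable
    root_protection: bool = False   # stp root-protection
    state: str = "forwarding"


@dataclass
class Bridge:
    name: str
    root_id: BridgeId               # root this bridge currently agrees on
    bpdu_protection: bool = False   # stp bpdu-protection (system view)


def on_bpdu(bridge: Bridge, port: Port, raw: bytes) -> str:
    """What the receiving port does with a BPDU under the settings Steps 4 and 6 configure."""
    bpdu = parse_bpdu(raw)
    if port.edged:
        if bridge.bpdu_protection:
            port.state = "error-down"   # edge port is shut down and stays down until recovered
            return "ERROR_DOWN"
        port.edged = False              # without protection it silently becomes a normal port
        return "EDGE_LOST"
    superior = bpdu.bpdu_type != BPDU_TCN and bpdu.root_id < bridge.root_id
    if port.root_protection and port.role == "DESI" and superior:
        port.state = "discarding"       # the root cannot move; the port unblocks once BPDUs stop
        return "DISCARDING"
    return "ACCEPT"


def page_scenarios():
    """Constructed rogue BPDU hitting the protected ports of the RSTP example."""
    device_a = (0, "00:e0:fc:00:00:0a")   # DeviceA after 'stp root primary'; MAC constructed
    rogue = build_bpdu((0, "00:00:00:00:00:01"), 0, (0, "00:00:00:00:00:01"))
    normal = build_bpdu(device_a, 2, (32768, "00:e0:fc:00:00:0d"))   # e.g. from DeviceD
    out = {}
    p = Port("10GE1/0/2", edged=True)                 # DeviceB, Step 4
    out["edge+protection"] = (on_bpdu(Bridge("DeviceB", device_a, True), p, rogue), p.state)
    p = Port("10GE1/0/2", edged=True)                 # same port without 'stp bpdu-protection'
    out["edge-only"] = (on_bpdu(Bridge("DeviceB", device_a), p, rogue), p.edged)
    p = Port("10GE1/0/1", root_protection=True)       # DeviceA, Step 6
    out["root-protection"] = (on_bpdu(Bridge("DeviceA", device_a), p, rogue), p.state)
    p = Port("10GE1/0/1", root_protection=True)
    out["root-protection-normal"] = (on_bpdu(Bridge("DeviceA", device_a), p, normal), p.state)
    return out
```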

----End

Verifying the Configuration


After the spanning tree calculation is stable, verify the configuration as follows:

# Run the display stp brief command on DeviceA to check the port status and
enabled protection function. The command output shows that 10GE 1/0/1 and
10GE 1/0/2 have been elected as designated ports through spanning tree
calculation and that root protection has been enabled for the designated ports.
[DeviceA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding root 2 disable

# Run the display stp interface brief command on DeviceB to check the role and
status of 10GE 1/0/1. The command output shows that 10GE 1/0/1 has been
elected as a designated port and is in Forwarding state.

[DeviceB] display stp interface 10ge 1/0/1 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding none 2 disable

# Run the display stp brief command on DeviceC to check the port role and
status. The command output shows that 10GE 1/0/1 has been elected as an
alternate port and is in Discarding state. Furthermore, 10GE 1/0/3 has been
elected as a root port and is in Forwarding state.
[DeviceC] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ALTE discarding none 20000 disable
0 10GE1/0/3 ROOT forwarding none 2 disable

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp root-protection
#
interface 10GE1/0/2
stp root-protection
#
return

● DeviceB
#
sysname DeviceB
#
stp mode rstp
stp bpdu-protection
stp instance 0 root secondary
stp pathcost-standard legacy
#
interface 10GE1/0/2
stp edged-port enable
#
return

● DeviceC
#
sysname DeviceC
#
stp mode rstp
stp bpdu-protection
stp pathcost-standard legacy
#
interface 10GE1/0/1
stp instance 0 cost 20000
#
interface 10GE1/0/2
stp edged-port enable
#
return

● DeviceD
#
sysname DeviceD
#
stp mode rstp
stp pathcost-standard legacy
#
return

3.1.6.4.3 Example for Configuring MSTP

Networking Requirements
In Figure 3-47, there is a loop between DeviceA, DeviceB, DeviceC, and DeviceD.
In this case, MSTP can be deployed on the network to break the loop, avoid
broadcast storms and MAC address flapping, and implement load balancing for
traffic of VLANs 2 to 10 and VLANs 11 to 20.

Figure 3-47 Network diagram of MSTP


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure the same MST region RG1 on DeviceA, DeviceB, DeviceC, and DeviceD
and create MSTI 1 and MSTI 2.
NOTE

Two devices belong to the same MST region when they have the same MST region name,
VLAN-to-MSTI mappings, and revision level of the MST region.
A VLAN can be mapped to only one MSTI. If you map a VLAN to multiple MSTIs, only the
latest one will take effect.

# Configure an MST region on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name RG1
[DeviceA-mst-region] instance 1 vlan 2 to 10
[DeviceA-mst-region] instance 2 vlan 11 to 20
[DeviceA-mst-region] quit

# Configure an MST region on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name RG1
[DeviceB-mst-region] instance 1 vlan 2 to 10
[DeviceB-mst-region] instance 2 vlan 11 to 20
[DeviceB-mst-region] quit

# Configure an MST region on DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name RG1
[DeviceC-mst-region] instance 1 vlan 2 to 10
[DeviceC-mst-region] instance 2 vlan 11 to 20
[DeviceC-mst-region] quit

# Configure an MST region on DeviceD.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name RG1
[DeviceD-mst-region] instance 1 vlan 2 to 10
[DeviceD-mst-region] instance 2 vlan 11 to 20
[DeviceD-mst-region] quit
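The two conditions in the NOTE above (identical region name, VLAN-to-MSTI mapping and revision level on every device; a VLAN mapped twice keeps only its latest mapping) can be checked before the change is pushed. The following Python script is an added example and not part of this Huawei document: it reads the stp region-configuration block from each device's configuration script (the constructed samples reuse the RG1 block configured in Step 1, plus one deliberately inconsistent device) and reports any device that would end up in a separate MST region. The revision-level keyword and its default of 0 are assumptions about the CLI, and all function names are this example's own.

```python
"""MST region consistency audit over Huawei VRP configuration scripts.

Added example, not part of the Huawei document. It parses the
'stp region-configuration' block of each device's script and checks the
three attributes that must match for devices to share one MST region
(region name, VLAN-to-MSTI mapping, revision level), and flags a VLAN
mapped to more than one MSTI, where only the latest mapping takes effect.
Assumption: a 'revision-level N' line may appear in the block and the
revision level defaults to 0 when the line is absent.
"""
import re
from typing import Dict, List, Tuple

VLAN_RANGE = re.compile(r"(\d+)(?:\s+to\s+(\d+))?")


def expand_vlans(spec: str) -> List[int]:
    """Expand a VLAN list such as '2 to 10 15 20 to 22' into sorted IDs."""
    vlans = []
    for lo, hi in VLAN_RANGE.findall(spec):
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)


def parse_region(script: str) -> Dict:
    """Extract the MST region attributes from one device's script."""
    region = {"name": None, "revision": 0, "vlan_to_msti": {}, "remapped": []}
    in_region = False
    for raw in script.splitlines():
        line = raw.strip()
        if line == "stp region-configuration":
            in_region = True
            continue
        if in_region and line == "#":      # '#' closes a block in VRP scripts
            in_region = False
        if not in_region:
            continue
        if line.startswith("region-name "):
            region["name"] = line.split(None, 1)[1]
        elif line.startswith("revision-level "):
            region["revision"] = int(line.split()[1])
        elif line.startswith("instance "):
            # 'instance 1 vlan 2 to 10'; a later mapping of the same VLAN overrides
            head, vlan_spec = line.split(" vlan ", 1)
            msti = int(head.split()[1])
            for vlan in expand_vlans(vlan_spec):
                prev = region["vlan_to_msti"].get(vlan)
                if prev is not None and prev != msti:
                    region["remapped"].append((vlan, prev, msti))
                region["vlan_to_msti"][vlan] = msti
    return region


def region_digest(region: Dict) -> Tuple:
    """Everything that must be identical on every device of one MST region."""
    return (region["name"], region["revision"],
            tuple(sorted(region["vlan_to_msti"].items())))


def audit_regions(scripts: Dict[str, str]) -> List[str]:
    """Return findings across devices; an empty list means one consistent region."""
    regions = {dev: parse_region(s) for dev, s in scripts.items()}
    digests = {dev: region_digest(r) for dev, r in regions.items()}
    # the digest shared by most devices is the reference the others must match
    reference = max(set(digests.values()), key=list(digests.values()).count)
    findings = []
    for dev, region in regions.items():
        for vlan, old, new in region["remapped"]:
            findings.append(f"{dev}: VLAN {vlan} mapped to MSTI {old} and then MSTI {new}; "
                            f"only the MSTI {new} mapping takes effect")
        if digests[dev] != reference:
            findings.append(f"{dev}: region name/mapping/revision differ from the other "
                            f"devices, so it forms a separate MST region")
    return findings


# Sample scripts, constructed after the RG1 region block configured in Step 1.
REGION_RG1 = """\
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
#
return
"""
# Constructed misconfiguration: VLAN 10 is mapped once in each instance.
REGION_BAD = """\
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 10 to 20
#
return
"""
PAGE_SCRIPTS = {dev: REGION_RG1 for dev in ("DeviceA", "DeviceB", "DeviceC", "DeviceD")}

if __name__ == "__main__":
    for finding in audit_regions({**PAGE_SCRIPTS, "DeviceX": REGION_BAD}):
        print(finding)
```

With the four scripts of this example the audit returns no findings; adding the constructed DeviceX yields two: VLAN 10 silently moves to MSTI 2 on that device, and because its mapping now differs, DeviceX would form a region of its own and the CIST, not MSTI 1 and MSTI 2, would carry its traffic.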

Step 2 In the MST region RG1, configure the root bridge and a secondary root bridge in
MSTI 1 and MSTI 2.
# Configure DeviceA as the root bridge in MSTI 1.
[DeviceA] stp instance 1 root primary

# Configure DeviceB as a secondary root bridge in MSTI 1.
[DeviceB] stp instance 1 root secondary

# Configure DeviceB as the root bridge in MSTI 2.
[DeviceB] stp instance 2 root primary

# Configure DeviceA as a secondary root bridge in MSTI 2.
[DeviceA] stp instance 2 root secondary

Step 3 Configure the same path cost calculation method for all devices on the network.
For the ports to be blocked in MSTI 1 and MSTI 2, set the path costs to be greater
than the default value.
# Configure DeviceA to use the Huawei legacy standard to calculate the path cost.
[DeviceA] stp pathcost-standard legacy

# Configure DeviceB to use the Huawei legacy standard to calculate the path cost.
[DeviceB] stp pathcost-standard legacy

# Configure DeviceC to use the Huawei legacy standard to calculate the path cost,
and set the path cost of 10GE 1/0/2 in MSTI 2 to 20000.
[DeviceC] stp pathcost-standard legacy
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] stp instance 2 cost 20000
[DeviceC-10GE1/0/2] quit

# Configure DeviceD to use the Huawei legacy standard to calculate the path cost,
and set the path cost of 10GE 1/0/2 in MSTI 1 to 20000.
[DeviceD] stp pathcost-standard legacy
[DeviceD] interface 10ge 1/0/2
[DeviceD-10GE1/0/2] portswitch
[DeviceD-10GE1/0/2] stp instance 1 cost 20000
[DeviceD-10GE1/0/2] quit

Step 4 Enable MSTP globally.

By default, STP, RSTP, or MSTP is enabled on a device. You can run the stp enable
command in the system view to enable this function if it is disabled.

Step 5 Disable MSTP on the interfaces connected to terminals.
# Disable MSTP on 10GE 1/0/1 of DeviceC.
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] stp disable
[DeviceC-10GE1/0/1] quit

# Disable MSTP on 10GE 1/0/1 of DeviceD.
[DeviceD] interface 10ge 1/0/1
[DeviceD-10GE1/0/1] portswitch
[DeviceD-10GE1/0/1] stp disable
[DeviceD-10GE1/0/1] quit

Step 6 Configure protection functions. For example, configure root protection for the
designated ports of the root bridge in each MSTI.
# Enable root protection on 10GE 1/0/1 of DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] stp root-protection
[DeviceA-10GE1/0/1] quit

# Enable root protection on 10GE 1/0/1 of DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] stp root-protection
[DeviceB-10GE1/0/1] quit

Step 7 Create VLANs and add interfaces to the VLANs.

# Create VLANs 2 to 20 on DeviceA and add 10GE 1/0/1 and 10GE 1/0/2 on
DeviceA to the VLANs.
[DeviceA] vlan batch 2 to 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[DeviceA-10GE1/0/2] quit

# Create VLANs 2 to 20 on DeviceB and add 10GE 1/0/1 and 10GE 1/0/2 on
DeviceB to the VLANs.
[DeviceB] vlan batch 2 to 20
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2 to 20
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[DeviceB-10GE1/0/2] quit

# Create VLANs 2 to 20 on DeviceC and add 10GE 1/0/1, 10GE 1/0/2, and 10GE
1/0/3 on DeviceC to the VLANs.
[DeviceC] vlan batch 2 to 20
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type access
[DeviceC-10GE1/0/1] port default vlan 2
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10ge 1/0/3
[DeviceC-10GE1/0/3] portswitch
[DeviceC-10GE1/0/3] port link-type trunk
[DeviceC-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[DeviceC-10GE1/0/3] quit

# Create VLANs 2 to 20 on DeviceD and add 10GE 1/0/1, 10GE 1/0/2, and 10GE
1/0/3 on DeviceD to the VLANs.
[DeviceD] vlan batch 2 to 20
[DeviceD] interface 10ge 1/0/1
[DeviceD-10GE1/0/1] portswitch
[DeviceD-10GE1/0/1] port link-type access
[DeviceD-10GE1/0/1] port default vlan 11
[DeviceD-10GE1/0/1] quit
[DeviceD] interface 10ge 1/0/2
[DeviceD-10GE1/0/2] portswitch
[DeviceD-10GE1/0/2] port link-type trunk
[DeviceD-10GE1/0/2] port trunk allow-pass vlan 2 to 20
[DeviceD-10GE1/0/2] quit
[DeviceD] interface 10ge 1/0/3
[DeviceD-10GE1/0/3] portswitch
[DeviceD-10GE1/0/3] port link-type trunk
[DeviceD-10GE1/0/3] port trunk allow-pass vlan 2 to 20
[DeviceD-10GE1/0/3] quit

----End

Verifying the Configuration

After these configurations have been completed and the network topology
becomes stable, perform the following operations to verify the configuration. MSTI
1 and MSTI 2 are used as examples. You do not need to check the interface status
in MSTI 0.

# Run the display stp brief command on DeviceA to check the port role and
status. In MSTI 1, 10GE 1/0/2 and 10GE 1/0/1 on DeviceA are designated ports
because DeviceA is the root bridge. In MSTI 2, 10GE 1/0/1 on DeviceA is the
designated port and 10GE 1/0/2 on DeviceA is the root port.
[DeviceA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/1 DESI forwarding root 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/1 DESI forwarding root 2 disable
2 10GE1/0/2 ROOT forwarding none 2 disable

# Run the display stp brief command on DeviceB to check the port role and
status. In MSTI 2, 10GE 1/0/1 and 10GE 1/0/2 on DeviceB are designated ports
because DeviceB is the root bridge. In MSTI 1, 10GE 1/0/1 on DeviceB is the
designated port and 10GE 1/0/2 on DeviceB is the root port.
[DeviceB] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 ROOT forwarding none 2 disable
1 10GE1/0/1 DESI forwarding root 2 disable
1 10GE1/0/2 ROOT forwarding none 2 disable
2 10GE1/0/1 DESI forwarding root 2 disable
2 10GE1/0/2 DESI forwarding none 2 disable

# Run the display stp interface brief command on DeviceC to check the port role
and status. 10GE 1/0/3 on DeviceC is the root port in MSTI 1 and MSTI 2. 10GE
1/0/2 on DeviceC is the blocked port in MSTI 2 and is the designated port in MSTI
1.
[DeviceC] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ROOT forwarding none 2 disable
1 10GE1/0/3 ROOT forwarding none 2 disable
2 10GE1/0/3 ROOT forwarding none 2 disable
[DeviceC] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/2 ALTE discarding none 20000 disable

# Run the display stp interface brief command on DeviceD to check the port role
and status. 10GE 1/0/3 on DeviceD is the root port in MSTI 1 and MSTI 2. 10GE
1/0/2 on DeviceD is the blocked port in MSTI 1 and is the designated port in
MSTI 2.
[DeviceD] display stp interface 10ge 1/0/3 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ALTE discarding none 2 disable
1 10GE1/0/3 ROOT forwarding none 2 disable
2 10GE1/0/3 ROOT forwarding none 2 disable
[DeviceD] display stp interface 10ge 1/0/2 brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/2 ROOT forwarding none 2 disable
1 10GE1/0/2 ALTE discarding none 20000 disable
2 10GE1/0/2 DESI forwarding none 2 disable
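Added example, not from this Huawei document: a Python parser for the display stp brief and display stp interface brief tables used in the verification steps of this example, of the RSTP example before it and of the MSTP+VRRP example that follows (the five-column form without the Cost and Edged columns is handled as well), with an audit that applies per MSTI the checks the text performs by eye: the root bridge has no root port and its designated ports carry root protection, every other device has exactly one root port, ROOT and DESI ports forward, ALTE and BACK ports discard. The sample outputs are constructed from the DeviceA and DeviceC tables above; function and field names are this example's own.

```python
"""Audit of 'display stp brief' / 'display stp interface brief' output.

Added example, not part of the Huawei document. Parses the port table
(seven columns with Cost and Edged, or five columns without them) and
checks per MSTI what the verification text checks by eye. Helper names
and the sample outputs are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PortEntry:
    msti: int
    port: str
    role: str         # DESI, ROOT, ALTE, BACK, MAST
    state: str        # forwarding, learning, discarding
    protection: str   # root, loop, bpdu, none
    cost: Optional[int] = None
    edged: Optional[bool] = None


# MSTID Port Role State Protection [Cost Edged]; prompt and header lines never match
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+)\s+(\S+))?\s*$")


def parse_stp_brief(output: str) -> List[PortEntry]:
    """Turn the command output into one entry per (MSTI, port) row."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        msti, port, role, state, prot, cost, edged = m.groups()
        entries.append(PortEntry(int(msti), port, role.upper(), state.lower(),
                                 prot.lower(), int(cost) if cost else None,
                                 edged.lower() == "enable" if edged else None))
    return entries


def audit_stp(entries: List[PortEntry], root_bridge_mstis: Set[int]) -> List[str]:
    """Findings for one device; root_bridge_mstis lists the MSTIs in which
    this device is configured as the root bridge."""
    by_msti: Dict[int, List[PortEntry]] = {}
    for e in entries:
        by_msti.setdefault(e.msti, []).append(e)
    findings = []
    for msti, ports in sorted(by_msti.items()):
        root_ports = [p.port for p in ports if p.role == "ROOT"]
        if msti in root_bridge_mstis:
            if root_ports:   # another bridge won the election in this MSTI
                findings.append(f"MSTI {msti}: expected root bridge, but {root_ports[0]} is a root port")
            for p in ports:
                if p.role == "DESI" and p.protection != "root":
                    findings.append(f"MSTI {msti}: designated port {p.port} on the root bridge lacks root protection")
        elif len(root_ports) != 1:
            findings.append(f"MSTI {msti}: expected exactly one root port, found {root_ports}")
        for p in ports:
            if p.role in ("ROOT", "DESI") and p.state != "forwarding":
                findings.append(f"MSTI {msti}: {p.role} port {p.port} is {p.state}")
            if p.role in ("ALTE", "BACK") and p.state != "discarding":
                findings.append(f"MSTI {msti}: {p.role} port {p.port} is {p.state}, the loop is not broken")
    return findings


def blocked_ports(entries: List[PortEntry]) -> Dict[int, List[str]]:
    """Ports that break the loop in each MSTI (alternate or backup, discarding)."""
    blocked: Dict[int, List[str]] = {}
    for e in entries:
        if e.role in ("ALTE", "BACK") and e.state == "discarding":
            blocked.setdefault(e.msti, []).append(e.port)
    return blocked


# Sample outputs constructed from the DeviceA and DeviceC tables of this example.
DEVICE_A_OUTPUT = """\
[DeviceA] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 DESI forwarding root 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/1 DESI forwarding root 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/1 DESI forwarding root 2 disable
2 10GE1/0/2 ROOT forwarding none 2 disable
"""
DEVICE_C_OUTPUT = """\
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/3 ROOT forwarding none 2 disable
1 10GE1/0/3 ROOT forwarding none 2 disable
2 10GE1/0/3 ROOT forwarding none 2 disable
0 10GE1/0/2 DESI forwarding none 2 disable
1 10GE1/0/2 DESI forwarding none 2 disable
2 10GE1/0/2 ALTE discarding none 20000 disable
"""

if __name__ == "__main__":
    print(audit_stp(parse_stp_brief(DEVICE_A_OUTPUT), {0, 1}))
    print(audit_stp(parse_stp_brief(DEVICE_C_OUTPUT), set()))
    print(blocked_ports(parse_stp_brief(DEVICE_C_OUTPUT)))
```

Run against the DeviceA table with {0, 1} as the MSTIs in which DeviceA is the root bridge (it is the configured root of MSTI 1 and, as the table shows, the CIST root), the audit reports 10GE1/0/2 in MSTI 0 and MSTI 1: it is a designated port of the root bridge, but Step 6 enabled root protection only on 10GE 1/0/1. That is exactly the gap that "root protection for the designated ports of the root bridge in each MSTI" is meant to close. The DeviceC table passes, and blocked_ports() confirms 10GE1/0/2 is the port that breaks the loop in MSTI 2.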

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
● DeviceB
#
sysname DeviceB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type access
port default vlan 2
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 2 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 2 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
#
interface 10GE1/0/1
port link-type access
port default vlan 11
stp disable
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 1 cost 20000
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

3.1.6.4.4 Example for Configuring MSTP+VRRP Networking

Networking Requirements
On the network shown in Figure 3-48, hosts access the Internet through DeviceC,
which is uplinked to DeviceA and DeviceB through redundant links. However, these
links cause a loop that may lead to broadcast storms and damage MAC address
entries. It is therefore required that the loop be prevented while redundant links
are available. In this way, if one uplink is disconnected, traffic can be switched to
the other uplink for forwarding, and network bandwidth can be efficiently used.

MSTP can be deployed to prevent the loop. It blocks redundant links on the Layer
2 network and prunes the network into a tree topology. In addition, VRRP can be
configured on DeviceA and DeviceB. HostA then uses DeviceA as the default
gateway to access the Internet, and DeviceB functions as the backup gateway.
Conversely, HostB uses DeviceB as the default gateway to access the Internet, and
DeviceA functions as the backup gateway. This provides high reliability while
ensuring traffic load balancing.

Figure 3-48 Network diagram of MSTP+VRRP


NOTE

In this example, interface1 through interface4 represent 10GE1/0/1, 10GE1/0/2, 10GE1/0/3,
and 10GE1/0/4, respectively.

Device   Interface                  VLANIF Interface  IP Address
DeviceA  interface1 and interface2  VLANIF2           10.1.2.102/24
         interface1 and interface2  VLANIF3           10.1.3.102/24
         interface3                 VLANIF4           10.1.4.102/24
DeviceB  interface1 and interface2  VLANIF2           10.1.2.103/24
         interface1 and interface2  VLANIF3           10.1.3.103/24
         interface3                 VLANIF5           10.1.5.103/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on the devices on the ring network, including:
a. Configure an MST region and create multiple MSTIs. Map VLAN 2 to
MSTI 1 and map VLAN 3 to MSTI 2 to balance traffic.
b. Configure the root bridge and secondary root bridge for each MSTI in the
MST region.
c. Configure an appropriate path cost for an interface in each MSTI so that
the interface can be blocked.
d. Enable MSTP to prevent loops, including:

▪ Enable MSTP globally on the devices.

▪ Enable MSTP on all interfaces except those connected to terminals.


NOTE

Interfaces connected to terminals do not participate in MSTP calculation. You are
advised to configure them as edge ports.
2. Configure protection functions to protect devices or links. For example,
configure root protection for the designated ports of the root bridge in each
MSTI.
3. Configure the Layer 2 forwarding function on the devices.
4. Assign interface IP addresses and configure a routing protocol on each device
to ensure network connectivity.
5. Create VRRP groups 1 and 2 on DeviceA and DeviceB. In VRRP group 1,
configure DeviceA as the master device and DeviceB as the backup device. In
VRRP group 2, configure DeviceB as the master device and DeviceA as the
backup device. This implements load balancing.

Procedure
Step 1 Configure basic MSTP functions.
1. On DeviceA, DeviceB, and DeviceC, configure an MST region named RG1 and
create MSTI 1 and MSTI 2.
# Configure an MST region on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name RG1
[DeviceA-mst-region] instance 1 vlan 2
[DeviceA-mst-region] instance 2 vlan 3
[DeviceA-mst-region] quit
# Configure an MST region on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name RG1
[DeviceB-mst-region] instance 1 vlan 2
[DeviceB-mst-region] instance 2 vlan 3
[DeviceB-mst-region] quit
# Configure an MST region on DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name RG1
[DeviceC-mst-region] instance 1 vlan 2
[DeviceC-mst-region] instance 2 vlan 3
[DeviceC-mst-region] quit
2. In RG1, configure root bridges and secondary root bridges for MSTI 1 and
MSTI 2.
– Configure the root bridge and secondary root bridge for MSTI 1.
# Configure DeviceA as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Configure DeviceB as a secondary root bridge of MSTI 1.
[DeviceB] stp instance 1 root secondary
– Configure the root bridge and secondary root bridge for MSTI 2.
# Configure DeviceB as the root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Configure DeviceA as the secondary root bridge of MSTI 2.
[DeviceA] stp instance 2 root secondary
3. Set the path costs of the interfaces to be blocked in MSTI 1 and MSTI 2 to be
greater than the default value.
NOTE

– The path cost range varies depending on which standard is used to calculate the
path cost. This example uses the Huawei legacy standard and requires a path cost
of 20000 for the interfaces to be blocked in MSTI 1 and MSTI 2.
– Devices on the same network must use the same standard to calculate the path
costs of their interfaces.
# Configure DeviceA to use the Huawei legacy standard to calculate the path
costs of the desired interfaces.
[DeviceA] stp pathcost-standard legacy
# Configure DeviceB to use the Huawei legacy standard to calculate the path
costs of the desired interfaces.
[DeviceB] stp pathcost-standard legacy
# Configure DeviceC to use the Huawei legacy standard to calculate the path
costs of the desired interfaces, and set the path cost of 10GE1/0/1 in MSTI 2
and 10GE1/0/4 in MSTI 1 to 20000.
[DeviceC] stp pathcost-standard legacy
[DeviceC] interface 10ge1/0/1
[DeviceC-10GE1/0/1] stp instance 2 cost 20000
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge1/0/4
[DeviceC-10GE1/0/4] stp instance 1 cost 20000
[DeviceC-10GE1/0/4] quit

4. Enable MSTP to eliminate the loop.
– Enable MSTP globally on the devices.
# Enable MSTP on DeviceA.
[DeviceA] stp enable

# Enable MSTP on DeviceB.
[DeviceB] stp enable

# Enable MSTP on DeviceC.
[DeviceC] stp enable

– Configure the interfaces connected to the hosts as edge ports.
# Configure 10GE1/0/2 and 10GE1/0/3 on DeviceC as edge ports.
[DeviceC] interface 10ge1/0/2
[DeviceC-10GE1/0/2] stp edged-port enable
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10ge1/0/3
[DeviceC-10GE1/0/3] stp edged-port enable
[DeviceC-10GE1/0/3] quit

(Optional) Configure BPDU protection on DeviceC.
[DeviceC] stp bpdu-protection

– Configure the interfaces connected to the network as edge ports.
# Configure 10GE1/0/3 on DeviceA as an edge port.
[DeviceA] interface 10ge1/0/3
[DeviceA-10GE1/0/3] stp edged-port enable
[DeviceA-10GE1/0/3] quit

(Optional) Configure BPDU protection on DeviceA.
[DeviceA] stp bpdu-protection

# Configure 10GE1/0/3 on DeviceB as an edge port.
[DeviceB] interface 10ge1/0/3
[DeviceB-10GE1/0/3] stp edged-port enable
[DeviceB-10GE1/0/3] quit

(Optional) Configure BPDU protection on DeviceB.
[DeviceB] stp bpdu-protection

NOTE

If an STP-enabled network device is connected to an edge port and BPDU
protection is enabled, the edge port is shut down when it receives a BPDU, but its
edge port attribute remains unchanged.

Step 2 Configure protection functions. For example, configure root protection for the
designated ports of the root bridge in each MSTI.

# Enable root protection on 10GE1/0/1 of DeviceA.
[DeviceA] interface 10ge1/0/1
[DeviceA-10GE1/0/1] stp root-protection
[DeviceA-10GE1/0/1] quit

# Enable root protection on 10GE1/0/1 of DeviceB.
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] stp root-protection
[DeviceB-10GE1/0/1] quit

Step 3 Configure Layer 2 forwarding on the devices on the ring network.

● Create VLANs 2 to 3 on DeviceA, DeviceB, and DeviceC.
# Create VLANs 2 to 3 on DeviceA.
[DeviceA] vlan batch 2 to 3

# Create VLANs 2 to 3 on DeviceB.
[DeviceB] vlan batch 2 to 3

# Create VLANs 2 to 3 on DeviceC.
[DeviceC] vlan batch 2 to 3

● Add desired interfaces on the devices to the VLANs.
# Add 10GE1/0/1 on DeviceA to VLANs.
[DeviceA] interface 10ge1/0/1
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 2 to 3
[DeviceA-10GE1/0/1] quit

# Add 10GE1/0/2 on DeviceA to VLANs.
[DeviceA] interface 10ge1/0/2
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 2 to 3
[DeviceA-10GE1/0/2] quit

# Add 10GE1/0/1 on DeviceB to VLANs.
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2 to 3
[DeviceB-10GE1/0/1] quit

# Add 10GE1/0/2 on DeviceB to VLANs.
[DeviceB] interface 10ge1/0/2
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 2 to 3
[DeviceB-10GE1/0/2] quit

# Add 10GE1/0/1 on DeviceC to VLANs.
[DeviceC] interface 10ge1/0/1
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 2 to 3
[DeviceC-10GE1/0/1] quit

# Add 10GE1/0/2 on DeviceC to VLANs.
[DeviceC] interface 10ge1/0/2
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 2 to 3
[DeviceC-10GE1/0/2] quit

# Add 10GE1/0/3 on DeviceC to VLANs.
[DeviceC] interface 10ge1/0/3
[DeviceC-10GE1/0/3] port link-type trunk
[DeviceC-10GE1/0/3] port trunk allow-pass vlan 2 to 3
[DeviceC-10GE1/0/3] quit

# Add 10GE1/0/4 on DeviceC to VLANs.
[DeviceC] interface 10ge1/0/4
[DeviceC-10GE1/0/4] port link-type trunk
[DeviceC-10GE1/0/4] port trunk allow-pass vlan 2 to 3
[DeviceC-10GE1/0/4] quit

Step 4 Verify the configuration.

After the preceding configurations are complete and the network becomes stable,
perform the following operations to verify the configuration.

NOTE

This example uses MSTI 1 and MSTI 2. As such, you do not need to check the interface
status in MSTI 0.

# Run the display stp brief command on DeviceA to check the interface status
and protection type. The displayed information is as follows:
[DeviceA] display stp brief
MSTID Port Role STP State Protection
0 10GE1/0/1 DESI FORWARDING ROOT
0 10GE1/0/2 DESI FORWARDING NONE
1 10GE1/0/1 DESI FORWARDING ROOT
1 10GE1/0/2 DESI FORWARDING NONE
2 10GE1/0/1 DESI FORWARDING ROOT
2 10GE1/0/2 ROOT FORWARDING NONE

In MSTI 1, DeviceA is the root bridge; therefore, 10GE1/0/1 and 10GE1/0/2 on
DeviceA become the designated ports. In MSTI 2, 10GE1/0/1 on DeviceA becomes
the designated port and 10GE1/0/2 the root port.
# Run the display stp brief command on DeviceB. The displayed information is as
follows:
[DeviceB] display stp brief
MSTID Port Role STP State Protection
0 10GE1/0/1 DESI FORWARDING ROOT
0 10GE1/0/2 ROOT FORWARDING NONE
1 10GE1/0/1 DESI FORWARDING ROOT
1 10GE1/0/2 ROOT FORWARDING NONE
2 10GE1/0/1 DESI FORWARDING ROOT
2 10GE1/0/2 DESI FORWARDING NONE

In MSTI 2, DeviceB is the root bridge; therefore, 10GE1/0/1 and 10GE1/0/2 become
the designated ports. In MSTI 1, 10GE1/0/1 on DeviceB becomes the designated
port and 10GE1/0/2 the root port.
# Run the display stp interface brief command on DeviceC. The displayed
information is as follows:
[DeviceC] display stp interface 10ge1/0/1 brief
MSTID Port Role STP State Protection
0 10GE1/0/1 ROOT FORWARDING NONE
1 10GE1/0/1 ROOT FORWARDING NONE
2 10GE1/0/1 ALTE DISCARDING NONE
[DeviceC] display stp interface 10ge1/0/4 brief
MSTID Port Role STP State Protection
0 10GE1/0/4 ALTE DISCARDING NONE
1 10GE1/0/4 ALTE DISCARDING NONE
2 10GE1/0/4 ROOT FORWARDING NONE

10GE1/0/1 on DeviceC is the root port in MSTI 1 and is blocked in MSTI 2.
10GE1/0/4 on DeviceC is blocked in MSTI 1 and is the root port in MSTI 2.

Step 5 Enable network connectivity between devices.
# Configure interface IP addresses. The following uses DeviceA as an example. The
configuration of DeviceB is similar to the configuration of DeviceA. For details, see
Configuration Scripts.
[DeviceA] vlan batch 4
[DeviceA] interface 10ge1/0/3
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 4
[DeviceA-10GE1/0/3] quit
[DeviceA] interface vlanif 2
[DeviceA-Vlanif2] ip address 10.1.2.102 24
[DeviceA-Vlanif2] quit
[DeviceA] interface vlanif 3
[DeviceA-Vlanif3] ip address 10.1.3.102 24
[DeviceA-Vlanif3] quit
[DeviceA] interface vlanif 4
[DeviceA-Vlanif4] ip address 10.1.4.102 24
[DeviceA-Vlanif4] quit

# Configure OSPF on DeviceA and DeviceB. The following uses DeviceA as an
example. The configuration of DeviceB is similar to the configuration of DeviceA.
For details, see Configuration Scripts.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit

Step 6 Configure a VRRP group.

# Create VRRP group 1 on DeviceA and DeviceB, and set the VRRP priority to 120
and preemption delay to 20s on DeviceA, which then becomes the master device.
[DeviceA] interface vlanif 2
[DeviceA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[DeviceA-Vlanif2] vrrp vrid 1 priority 120
[DeviceA-Vlanif2] vrrp vrid 1 preempt timer delay 20
[DeviceA-Vlanif2] quit

# Use the default VRRP priority for DeviceB, which functions as the backup device.
[DeviceB] interface vlanif 2
[DeviceB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[DeviceB-Vlanif2] quit

# Create VRRP group 2 on DeviceA and DeviceB, and set the VRRP priority to 120
and preemption delay to 20s on DeviceB, which then becomes the master device.
[DeviceB] interface vlanif 3
[DeviceB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[DeviceB-Vlanif3] vrrp vrid 2 priority 120
[DeviceB-Vlanif3] vrrp vrid 2 preempt timer delay 20
[DeviceB-Vlanif3] quit

# Use the default VRRP priority for DeviceA, which functions as the backup device.
[DeviceA] interface vlanif 3
[DeviceA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[DeviceA-Vlanif3] quit

# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of
HostA and the virtual IP address 10.1.3.100 of VRRP group 2 as the default
gateway of HostB.

Step 7 Verify the configuration.

# After completing the preceding configurations, run the display vrrp command
on DeviceA. The command output shows that DeviceA functions as the master
device in VRRP group 1 and backup device in VRRP group 2.
[DeviceA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 00e0-fc12-3456
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2021-05-11 11:39:18
Last change time : 2021-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 00e0-fc12-3457
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2021-05-11 11:40:18
Last change time : 2021-05-26 11:48:58

# Run the display vrrp command on DeviceB. The command output shows that
DeviceB functions as the backup device in VRRP group 1 and master device in
VRRP group 2.
[DeviceB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 00e0-fc12-3456
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2021-05-11 11:39:18
Last change time : 2021-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 00e0-fc12-3457
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2021-05-11 11:40:18
Last change time : 2021-05-26 11:48:58
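Added example, not part of this Huawei document: a Python audit over the display vrrp output of both routers that checks the result Step 6 is meant to produce, namely one Master per VRID, the Master holding the highest running priority, all members agreeing on the virtual IP and on the master's priority, and the two groups mastered by different devices so that the load balancing described in the networking requirements actually holds. elect_master() encodes the election rule on its own (highest priority wins, a tie goes to the higher primary IP address, per RFC 3768). The sample strings reproduce the two outputs above with only the fields the audit needs; all function names are this example's own.

```python
"""Cross-device audit of 'display vrrp' output.

Added example, not part of the Huawei document. Parses the per-group
blocks of each router and checks that each VRID has one Master with the
highest running priority, that members agree on the virtual IP and the
master priority, and that the groups are not all mastered by one device.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

BLOCK_HDR = re.compile(r"^\s*(\S+)\s*\|\s*Virtual Router\s+(\d+)\s*$")
PREEMPT = re.compile(r"Preempt\s*:\s*(\S+)\s+Delay Time\s*:\s*(\d+)\s*s")
KV = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_display_vrrp(output: str) -> Dict[int, Dict[str, str]]:
    """Map VRID -> field values from one device's 'display vrrp' output."""
    groups: Dict[int, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        hdr = BLOCK_HDR.match(line)
        if hdr:
            current = {"Interface": hdr.group(1)}
            groups[int(hdr.group(2))] = current
            continue
        if current is None or not line.strip():
            continue
        pm = PREEMPT.search(line)     # two fields share this line
        if pm:
            current["Preempt"], current["Delay Time"] = pm.group(1), pm.group(2)
            continue
        kv = KV.match(line)
        if kv:
            current[kv.group(1)] = kv.group(2)
    return groups


def elect_master(candidates: Dict[str, Tuple[int, str]]) -> str:
    """Election rule: highest priority wins; on a tie the higher primary IP
    address wins (RFC 3768). candidates: device -> (priority, primary IP)."""
    return max(candidates, key=lambda d: (candidates[d][0], ip_address(candidates[d][1])))


def audit_vrrp(outputs: Dict[str, str]) -> List[str]:
    """Findings across routers; an empty list means the groups look healthy."""
    parsed = {dev: parse_display_vrrp(out) for dev, out in outputs.items()}
    findings: List[str] = []
    masters: Dict[int, str] = {}
    for vrid in sorted({v for g in parsed.values() for v in g}):
        members = {dev: g[vrid] for dev, g in parsed.items() if vrid in g}
        vips = {m["Virtual IP"] for m in members.values()}
        if len(vips) != 1:
            findings.append(f"VRID {vrid}: members disagree on the virtual IP {sorted(vips)}")
        master_devs = [d for d, m in members.items() if m["State"] == "Master"]
        if len(master_devs) != 1:   # zero or two Masters: outage or split brain
            findings.append(f"VRID {vrid}: expected exactly one Master, found {master_devs}")
            continue
        master = master_devs[0]
        masters[vrid] = master
        master_prio = int(members[master]["PriorityRun"])
        for dev, m in members.items():
            if dev != master and int(m["PriorityRun"]) >= master_prio:
                findings.append(f"VRID {vrid}: backup {dev} runs priority {m['PriorityRun']}, "
                                f"not below the Master's {master_prio}")
            if int(m["MasterPriority"]) != master_prio:
                findings.append(f"VRID {vrid}: {dev} reports master priority "
                                f"{m['MasterPriority']}, expected {master_prio}")
    if len(masters) > 1 and len(set(masters.values())) == 1:
        findings.append("all groups are mastered by one device; no load balancing")
    return findings


# Constructed from the two outputs above, reduced to the fields the audit reads.
DEVICE_A_VRRP = """\
[DeviceA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
PriorityRun : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s

Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
PriorityRun : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
"""
DEVICE_B_VRRP = """\
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
PriorityRun : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s

Vlanif3 | Virtual Router 2
State : Master
Virtual IP : 10.1.3.100
PriorityRun : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
"""

if __name__ == "__main__":
    print(audit_vrrp({"DeviceA": DEVICE_A_VRRP, "DeviceB": DEVICE_B_VRRP}))
```

The two outputs of this example pass with no findings. The same audit is worth rerunning after a failover or a maintenance window: a second Master for a VRID (both routers claiming 10.1.2.100) or one device mastering both groups is reported immediately, which is what a plain "is the gateway reachable" check would miss.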

----End

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return

● DeviceB
#
sysname DeviceB
#

vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 5
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 2 to 3
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 2 cost 20000
#
interface 10GE1/0/2
port link-type access
port default vlan 2
stp edged-port enable

#
interface 10GE1/0/3
port link-type access
port default vlan 3
stp edged-port enable
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 1 cost 20000
#
return

3.1.6.5 VBST

3.1.6.5.1 Example for Configuring Basic VBST Functions

Networking Requirements
In Figure 3-49, DeviceC and DeviceD are dual-homed to DeviceA and DeviceB,
respectively, forming a ring network. DeviceC transmits traffic from VLAN 10 and
VLAN 20, and DeviceD transmits traffic from VLAN 20 and VLAN 30. The customer
wants to deploy VBST on such a network to fulfill the following requirements:
Service traffic in each VLAN is correctly forwarded and service traffic from
different VLANs is load balanced to improve link efficiency.

Figure 3-49 VBST networking


NOTE

In this example, interfaces 1, 2, 3, 4, and 5 represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3,
10GE 1/0/4, and 10GE 1/0/5 respectively.

Procedure
Step 1 Create required VLANs on devices.

# Create VLAN 10, VLAN 20, and VLAN 30 on DeviceA.


<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30

# Create VLAN 10, VLAN 20, and VLAN 30 on DeviceB.


<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10 20 30

# Create VLAN 10 and VLAN 20 on DeviceC.


<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10 20

# Create VLAN 20 and VLAN 30 on DeviceD.


<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] vlan batch 20 30

Step 2 Add interfaces to VLANs.


# On DeviceA, add 10GE 1/0/1 to VLAN 10, VLAN 20, and VLAN 30; 10GE 1/0/2 to
VLAN 20 and VLAN 30; and 10GE 1/0/3 to VLAN 10 and VLAN 20.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[DeviceA-10GE1/0/1] undo port trunk allow-pass vlan 1
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20 30
[DeviceA-10GE1/0/2] undo port trunk allow-pass vlan 1
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 10 20
[DeviceA-10GE1/0/3] undo port trunk allow-pass vlan 1
[DeviceA-10GE1/0/3] quit

# On DeviceB, add 10GE 1/0/1 to VLAN 10, VLAN 20, and VLAN 30; 10GE 1/0/2 to
VLAN 10 and VLAN 20; and 10GE 1/0/3 to VLAN 20 and VLAN 30.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[DeviceB-10GE1/0/1] undo port trunk allow-pass vlan 1
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 10 20
[DeviceB-10GE1/0/2] undo port trunk allow-pass vlan 1
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type trunk
[DeviceB-10GE1/0/3] port trunk allow-pass vlan 20 30
[DeviceB-10GE1/0/3] undo port trunk allow-pass vlan 1
[DeviceB-10GE1/0/3] quit

# On DeviceC, add 10GE 1/0/2 to VLAN 10 and VLAN 20; 10GE 1/0/3 to VLAN 10
and VLAN 20; 10GE 1/0/4 to VLAN 10; and 10GE 1/0/5 to VLAN 20.
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 10 20
[DeviceC-10GE1/0/2] undo port trunk allow-pass vlan 1
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10ge 1/0/3
[DeviceC-10GE1/0/3] portswitch
[DeviceC-10GE1/0/3] port link-type trunk
[DeviceC-10GE1/0/3] port trunk allow-pass vlan 10 20
[DeviceC-10GE1/0/3] undo port trunk allow-pass vlan 1
[DeviceC-10GE1/0/3] quit
[DeviceC] interface 10ge 1/0/4
[DeviceC-10GE1/0/4] portswitch
[DeviceC-10GE1/0/4] port link-type access
[DeviceC-10GE1/0/4] port default vlan 10
[DeviceC-10GE1/0/4] quit
[DeviceC] interface 10ge 1/0/5
[DeviceC-10GE1/0/5] portswitch
[DeviceC-10GE1/0/5] port link-type access

[DeviceC-10GE1/0/5] port default vlan 20
[DeviceC-10GE1/0/5] quit

# On DeviceD, add 10GE 1/0/2 to VLAN 20 and VLAN 30; 10GE 1/0/3 to VLAN 20
and VLAN 30; 10GE 1/0/4 to VLAN 20; and 10GE 1/0/5 to VLAN 30.
[DeviceD] interface 10ge 1/0/2
[DeviceD-10GE1/0/2] portswitch
[DeviceD-10GE1/0/2] port link-type trunk
[DeviceD-10GE1/0/2] port trunk allow-pass vlan 20 30
[DeviceD-10GE1/0/2] undo port trunk allow-pass vlan 1
[DeviceD-10GE1/0/2] quit
[DeviceD] interface 10ge 1/0/3
[DeviceD-10GE1/0/3] portswitch
[DeviceD-10GE1/0/3] port link-type trunk
[DeviceD-10GE1/0/3] port trunk allow-pass vlan 20 30
[DeviceD-10GE1/0/3] undo port trunk allow-pass vlan 1
[DeviceD-10GE1/0/3] quit
[DeviceD] interface 10ge 1/0/4
[DeviceD-10GE1/0/4] portswitch
[DeviceD-10GE1/0/4] port link-type access
[DeviceD-10GE1/0/4] port default vlan 20
[DeviceD-10GE1/0/4] quit
[DeviceD] interface 10ge 1/0/5
[DeviceD-10GE1/0/5] portswitch
[DeviceD-10GE1/0/5] port link-type access
[DeviceD-10GE1/0/5] port default vlan 30
[DeviceD-10GE1/0/5] quit

Step 3 Configure devices to work in VBST mode.


# Configure DeviceA to work in VBST mode.
[DeviceA] stp mode vbst

# Configure DeviceB to work in VBST mode.


[DeviceB] stp mode vbst

# Configure DeviceC to work in VBST mode.


[DeviceC] stp mode vbst

# Configure DeviceD to work in VBST mode.


[DeviceD] stp mode vbst

Step 4 Configure the root bridges and secondary root bridges in VLANs.
# Configure DeviceA as the root bridge in VLAN 10.
[DeviceA] stp vlan 10 root primary

# Configure DeviceB as a secondary root bridge in VLAN 10.


[DeviceB] stp vlan 10 root secondary

# Configure DeviceA as the root bridge in VLAN 20.


[DeviceA] stp vlan 20 root primary

# Configure DeviceB as a secondary root bridge in VLAN 20.


[DeviceB] stp vlan 20 root secondary

# Configure DeviceB as the root bridge in VLAN 30.


[DeviceB] stp vlan 30 root primary

# Configure DeviceA as a secondary root bridge in VLAN 30.

[DeviceA] stp vlan 30 root secondary

Step 5 Configure a high path cost on one port in each VLAN so that this port is
blocked in that VLAN.
NOTE

● The path cost range varies depending on the path cost calculation method. In this
example, setting the path cost to 2000000 for blocking interfaces complies with the
default IEEE 802.1t calculation method.
● All devices on a network must use the same path cost calculation method.

# Set the path cost of 10GE 1/0/2 on DeviceC to 2000000 in VLAN 10 and VLAN
20.
[DeviceC] interface 10ge 1/0/2
[DeviceC-10GE1/0/2] stp vlan 10 cost 2000000
[DeviceC-10GE1/0/2] stp vlan 20 cost 2000000
[DeviceC-10GE1/0/2] quit

# Set the path cost of 10GE 1/0/2 on DeviceD to 2000000 in VLAN 20 and VLAN
30.
[DeviceD] interface 10ge 1/0/2
[DeviceD-10GE1/0/2] stp vlan 20 cost 2000000
[DeviceD-10GE1/0/2] stp vlan 30 cost 2000000
[DeviceD-10GE1/0/2] quit

Step 6 Enable VBST to eliminate loops.


Enable VBST globally.
By default, VBST is enabled globally. You can run the display stp vlan
information command to check the global VBST status. If VBST is disabled
globally, run the undo stp vlan disable command in the system view to enable
VBST globally.
Enable VBST in a VLAN.
By default, VBST is enabled in a VLAN. You can run the display stp vlan vlan-id
information command to check the VBST status in a VLAN. If VBST is disabled in
the VLAN, run the undo stp vlan vlan-id disable command in the system view to
enable VBST in the VLAN.

----End

Verifying the Configuration


After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp vlan bridge local command on DeviceA to check the
spanning tree working mode. In the command output, the Protocol field shows
that the device works in VBST mode.
[DeviceA] display stp vlan bridge local
------------------------------------------------------------------
VLANID BridgeID HelloTime MaxAge ForwardDelay Protocol
------------------------------------------------------------------
10 10.ac94-8400-df01 2 20 15 VBST
20 20.ac94-8400-df01 2 20 15 VBST
30 4126.ac94-8400-df01 2 20 15 VBST
------------------------------------------------------------------

# Run the display stp vlan information brief command on DeviceA, DeviceB,
DeviceC, and DeviceD to check the port status. The command output on DeviceA
is used as an example. DeviceA participates in spanning tree calculation in VLAN
10, VLAN 20, and VLAN 30. DeviceA is the root bridge in both VLAN 10 and VLAN
20, so 10GE 1/0/1 and 10GE 1/0/3 are elected as the designated ports in VLAN 10
whereas 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3 are elected as the designated
ports in VLAN 20. DeviceA is the secondary root bridge in VLAN 30, so 10GE 1/0/1
and 10GE 1/0/2 are elected as the root port and designated port, respectively, in
VLAN 30.
[DeviceA] display stp vlan information brief
--------------------------------------------------------------------------------
VLANID Interface Role STPState Protection Cost Edged
--------------------------------------------------------------------------------
10 10GE1/0/1 DESI forwarding none 200 disable
10 10GE1/0/3 DESI forwarding none 200 disable
20 10GE1/0/1 DESI forwarding none 200 disable
20 10GE1/0/2 DESI forwarding none 200 disable
20 10GE1/0/3 DESI forwarding none 200 disable
30 10GE1/0/1 ROOT forwarding none 200 disable
30 10GE1/0/2 DESI forwarding none 200 disable
--------------------------------------------------------------------------------
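The BridgeID values and the port roles in the two outputs above follow from the per-VLAN bridge priority and the path costs, and the following Python model, added here as an illustration and not Huawei code, reproduces them: the priority field of a VBST bridge ID is the configured priority (0 for root primary, 4096 for root secondary, 32768 otherwise) plus the VLAN ID, the root bridge of each VLAN is the lowest bridge ID, and port roles follow from the root path cost with the 2000000 overrides from Step 5. The figure is not reproduced here, so the link layout and the MAC addresses of DeviceB, DeviceC, and DeviceD are assumptions; the layout is chosen to be consistent with the trunk VLAN lists in the configuration scripts, and the per-port cost of 200 is the value shown in the output.

```python
"""Per-VLAN spanning tree (VBST) model: bridge IDs, root election, port roles.

Added example, not Huawei code. The link layout and the MACs of DeviceB/C/D are
assumptions; DeviceA's MAC, the per-port cost of 200 and the 2000000 overrides
come from the example's own output and configuration.
"""
import heapq

ROLE_PRIORITY = {"primary": 0, "secondary": 4096, None: 32768}
DEFAULT_COST = 200  # per-port cost shown in "display stp vlan information brief"


def bridge_id(vlan, role, mac):
    """802.1t bridge ID: priority (multiple of 4096) plus the VLAN ID as the
    12-bit system ID extension, paired with the bridge MAC."""
    return (ROLE_PRIORITY[role] + vlan, mac)


def fmt_bridge_id(bid):
    """Render like the BridgeID column of 'display stp vlan bridge local'."""
    return f"{bid[0]}.{bid[1]}"


def compute_vlan(vlan, macs, roles, links, cost_overrides):
    """Return (root, {(device, port): 'ROOT'|'DESI'|'ALTE'}) for one VLAN.

    macs: {device: mac}; roles: {(device, vlan): 'primary'|'secondary'}
    links: [(devA, portA, devB, portB, vlans)]; cost_overrides: {(dev, port, vlan): cost}
    """
    vlinks = [l for l in links if vlan in l[4]]
    members = {d for a, _, b, _, _ in vlinks for d in (a, b)}
    bid = {d: bridge_id(vlan, roles.get((d, vlan)), macs[d]) for d in members}
    root = min(members, key=bid.get)

    def cost(dev, port):
        return cost_overrides.get((dev, port, vlan), DEFAULT_COST)

    adj = {d: [] for d in members}
    for a, pa, b, pb, _ in vlinks:
        adj[a].append((pa, b, pb))
        adj[b].append((pb, a, pa))
    # Root path cost accumulates on the receiving port; ties break on the
    # sender's bridge ID, then the sender's and receiver's port IDs.
    best, rpc, root_port = {}, {root: 0}, {}
    heap = [(0, bid[root], root)]
    while heap:
        d_cost, _, dev = heapq.heappop(heap)
        if d_cost > rpc[dev]:
            continue  # stale heap entry
        for port, nb, nb_port in adj[dev]:
            if nb == root:
                continue
            key = (d_cost + cost(nb, nb_port), bid[dev], port, nb_port)
            if nb not in best or key < best[nb]:
                best[nb] = key
                rpc[nb], root_port[nb] = key[0], nb_port
                heapq.heappush(heap, (key[0], bid[nb], nb))
    out = {}
    for a, pa, b, pb, _ in vlinks:
        # The designated end of a link is the one with the lower (root path cost, bridge ID).
        des = a if (rpc[a], bid[a]) <= (rpc[b], bid[b]) else b
        for dev, port in ((a, pa), (b, pb)):
            if dev == des:
                out[(dev, port)] = "DESI"
            elif root_port.get(dev) == port:
                out[(dev, port)] = "ROOT"
            else:
                out[(dev, port)] = "ALTE"  # blocked alternate port
    return root, out


MACS = {"DeviceA": "ac94-8400-df01",                     # from the display output
        "DeviceB": "ac94-8400-df02", "DeviceC": "ac94-8400-df03",
        "DeviceD": "ac94-8400-df04"}                     # assumed
ROLES = {("DeviceA", 10): "primary", ("DeviceA", 20): "primary", ("DeviceA", 30): "secondary",
         ("DeviceB", 10): "secondary", ("DeviceB", 20): "secondary", ("DeviceB", 30): "primary"}
LINKS = [  # assumed layout, consistent with the trunk VLAN lists in the scripts
    ("DeviceA", "10GE1/0/1", "DeviceB", "10GE1/0/1", {10, 20, 30}),
    ("DeviceA", "10GE1/0/3", "DeviceC", "10GE1/0/2", {10, 20}),
    ("DeviceA", "10GE1/0/2", "DeviceD", "10GE1/0/2", {20, 30}),
    ("DeviceB", "10GE1/0/2", "DeviceC", "10GE1/0/3", {10, 20}),
    ("DeviceB", "10GE1/0/3", "DeviceD", "10GE1/0/3", {20, 30}),
]
COSTS = {("DeviceC", "10GE1/0/2", 10): 2000000, ("DeviceC", "10GE1/0/2", 20): 2000000,
         ("DeviceD", "10GE1/0/2", 20): 2000000, ("DeviceD", "10GE1/0/2", 30): 2000000}


def example_roles(vlan):
    """Root bridge and port roles for one VLAN of the example topology."""
    return compute_vlan(vlan, MACS, ROLES, LINKS, COSTS)


if __name__ == "__main__":
    for vlan in (10, 20, 30):
        root, roles = example_roles(vlan)
        a_bid = fmt_bridge_id(bridge_id(vlan, ROLES.get(("DeviceA", vlan)), MACS["DeviceA"]))
        print(f"VLAN {vlan}: DeviceA BridgeID {a_bid}, root {root}")
        for (dev, port), role in sorted(roles.items()):
            print(f"  {dev} {port} {role}")
```

Running it reproduces the DeviceA rows of the output above (VLAN 10 and 20 designated on every port, VLAN 30 root on 10GE1/0/1) and shows 10GE1/0/2 of DeviceC blocked in VLAN 10 and 20 and 10GE1/0/2 of DeviceD blocked in VLAN 20 and 30, which is where the high path cost from Step 5 lands.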

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
stp vlan 10 20 root primary
stp vlan 30 root secondary
#
vlan batch 10 20 30
#
stp mode vbst
#
interface 10GE1/0/1
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface 10GE1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface 10GE1/0/3
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
● DeviceB
#
sysname DeviceB
#
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
vlan batch 10 20 30
#
stp mode vbst
#

interface 10GE1/0/1
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface 10GE1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface 10GE1/0/3
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 10 20
#
stp mode vbst
#
interface 10GE1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface 10GE1/0/3
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface 10GE1/0/4
portswitch
port default vlan 10
#
interface 10GE1/0/5
portswitch
port default vlan 20
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 20 30
#
stp mode vbst
#
interface 10GE1/0/2
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface 10GE1/0/3
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1

port trunk allow-pass vlan 20 30
#
interface 10GE1/0/4
portswitch
port default vlan 20
#
interface 10GE1/0/5
port default vlan 30
#
return

3.1.7 IP Addresses and Services

3.1.7.1 ARP Security

3.1.7.1.1 Example for Configuring ARP Security

Networking Requirements
As shown in Figure 3-50, Device is connected to the server through 10GE 1/0/3, to
HostA and HostB in VLAN 10 through 10GE 1/0/1, and to HostC and HostD in
VLAN 20 through 10GE 1/0/2. In this scenario, the following ARP attacks may
occur:
● If the server is attacked, it may send a large number of packets with
unreachable destination IP addresses.
● If HostA is attacked, it may send a large number of bogus ARP messages with
different source IP addresses.
● If HostC is attacked, it may send a large number of ARP messages with fixed
source IP addresses.
● If HostD is attacked, it may send a large number of ARP messages with
unreachable destination IP addresses.
To prevent these attacks, configure ARP security on Device.

Figure 3-50 Network diagram of configuring ARP security


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP learning globally so that the device learns only address
information carried in the ARP reply messages in response to the ARP request
messages that the device itself sends.
2. Configure ARP entry limiting on an interface to enable the device to limit the
number of ARP entries that the interface can learn, preventing an ARP entry
overflow.
3. Configure fixed ARP to prevent attackers from sending bogus ARP messages
to modify ARP entries.
4. Configure rate limiting on ARP messages to limit the number of ARP
messages processed per second, reducing system overheads.
5. Configure rate limiting on ARP Miss messages to limit the number of ARP
Miss messages processed per second, reducing system overheads. In addition,
ensure that the device can process a large number of ARP Miss messages
from the server.

Data Preparation
To complete the configuration, you need the following data:
● Limit on the number of ARP entries that an interface can learn: 20
● Mode of fixed ARP: fixed-mac
● Rate limit for ARP messages: 15
● Rate limit for ARP Miss messages: 30 for HostD; 20 for other hosts; 50 for the
server

Procedure
Step 1 Configure IP addresses and routing protocols for the interfaces. For detailed
configurations, see Configuration Scripts.
Step 2 Configure strict ARP learning.
<HUAWEI> system-view
[HUAWEI] sysname Device
[Device] arp learning strict

Step 3 Configure an ARP entry limit for an interface.


# Set an ARP entry limit to 20 for VLAN 10 on 10GE1/0/1.
[Device] interface 10ge1/0/1
[Device-10GE1/0/1] portswitch
[Device-10GE1/0/1] arp limit vlan 10 20
[Device-10GE1/0/1] quit

# Configure an ARP entry limit for 10GE 1/0/2 and 10GE 1/0/3. For configuration
details, see the configuration of 10GE 1/0/1.
Step 4 Configure fixed ARP.
[Device] arp anti-attack entry-check fixed-mac enable

Step 5 Configure rate limiting on ARP messages.


[Device] arp anti-attack rate-limit source-ip maximum 15

Step 6 Configure rate limiting on ARP Miss messages.


[Device] arp miss anti-attack rate-limit source-ip 10.10.10.10 maximum 30
[Device] arp miss anti-attack rate-limit source-ip maximum 20
[Device] arp miss anti-attack rate-limit source-ip 10.20.20.20 maximum 50

----End
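The five controls configured in Steps 2 to 6 act on each packet in turn, and the following Python model, added here as an illustration and not Huawei code, applies them in order (per-source ARP rate limit, fixed-mac check, strict learning, per-interface ARP entry limit, per-source ARP Miss rate limit) to constructed traffic from the four hosts and returns counters shaped like the display arp packet statistics output. The limits are the values from Data Preparation; the host MAC addresses, the attack traffic, and the whole-second rate windows are assumptions for the demonstration (the switch uses its own timers), and the fixed-mac and strict-learning drops are counted together as "other".

```python
"""Model of the ARP security controls in this example (added example, not
Huawei code). Rate windows are whole seconds; hosts and traffic are constructed.
"""
from collections import Counter, defaultdict


class ArpGuard:
    def __init__(self, entry_limit, arp_rate, miss_rate_default, miss_rate_by_ip):
        self.entry_limit = entry_limit          # (iface, vlan) -> max entries ("arp limit vlan")
        self.arp_rate = arp_rate                # ARP packets/s per source IP (rate-limit source-ip)
        self.miss_default = miss_rate_default   # ARP Miss/s per source IP, the "Other" row
        self.miss_by_ip = miss_rate_by_ip       # per-source overrides (HostD, the server)
        self.pending = set()                    # IPs this device has itself requested (strict learning)
        self.entries = defaultdict(dict)        # (iface, vlan) -> {ip: mac}
        self.arp_seen = Counter()               # (second, src_ip) -> ARP packets in that second
        self.miss_seen = Counter()              # (second, src_ip) -> ARP Miss events in that second
        self.stats = Counter()

    def send_request(self, ip):
        """The device resolves ip itself; only the matching reply may be learnt."""
        self.pending.add(ip)

    def handle_reply(self, ts, iface, vlan, src_ip, src_mac):
        """Process an ARP reply received on an access port and return the verdict."""
        self.stats["arp_total"] += 1
        key = (int(ts), src_ip)
        self.arp_seen[key] += 1
        if self.arp_seen[key] > self.arp_rate:
            self.stats["arp_discard_speed"] += 1
            return "drop:speed-limit"
        table = self.entries[(iface, vlan)]
        if src_ip in table:
            if table[src_ip] != src_mac:           # fixed-mac: the learnt MAC is never overwritten
                self.stats["arp_discard_other"] += 1
                return "drop:fixed-mac"
            return "refresh"
        if src_ip not in self.pending:             # strict learning: unsolicited reply, not learnt
            self.stats["arp_discard_other"] += 1
            return "drop:strict-learning"
        if len(table) >= self.entry_limit.get((iface, vlan), float("inf")):
            self.stats["arp_discard_entry_limit"] += 1
            return "drop:entry-limit"
        table[src_ip] = src_mac
        self.stats["arp_learnt"] += 1
        return "learn"

    def handle_miss(self, ts, src_ip):
        """ARP Miss raised by an IP packet whose next hop has no ARP entry yet."""
        self.stats["miss_total"] += 1
        key = (int(ts), src_ip)
        self.miss_seen[key] += 1
        if self.miss_seen[key] > self.miss_by_ip.get(src_ip, self.miss_default):
            self.stats["miss_discard_speed"] += 1
            return "drop:speed-limit"
        return "resolve"


def run_demo():
    """Constructed traffic matching the four attack patterns; returns the counters."""
    g = ArpGuard(
        entry_limit={("10GE1/0/1", 10): 20, ("10GE1/0/2", 20): 20, ("10GE1/0/3", 30): 20},
        arp_rate=15, miss_rate_default=20,
        miss_rate_by_ip={"10.10.10.10": 30, "10.20.20.20": 50},
    )
    # HostA pattern: replies from 25 different source IPs on one port and VLAN
    for i in range(25):
        ip = f"10.9.9.{11 + i}"
        g.send_request(ip)
        g.handle_reply(10 + i * 0.5, "10GE1/0/1", 10, ip, "00e0-fc00-000a")
    # HostC pattern: 40 replies within one second from a single source IP
    g.send_request("10.10.10.20")
    for i in range(40):
        g.handle_reply(20 + i * 0.01, "10GE1/0/2", 20, "10.10.10.20", "00e0-fc00-000c")
    # A spoofed reply for HostC's IP with another MAC, then an unsolicited reply
    g.handle_reply(25, "10GE1/0/2", 20, "10.10.10.20", "00e0-fc00-bad0")
    g.handle_reply(26, "10GE1/0/2", 20, "10.10.10.77", "00e0-fc00-0077")
    # ARP Miss load: HostD (limit 30), the server (limit 50), another host (limit 20)
    for src, n in (("10.10.10.10", 50), ("10.20.20.20", 50), ("10.10.10.30", 30)):
        for i in range(n):
            g.handle_miss(30 + i * 0.01, src)
    return dict(g.stats)


if __name__ == "__main__":
    for name, value in sorted(run_demo().items()):
        print(f"{name}: {value}")
```

In the constructed run, 5 of HostA's 25 addresses hit the entry limit of 20, 25 of HostC's 40 replies exceed the rate limit of 15, HostD loses 20 of 50 ARP Miss events against its limit of 30 while the server's 50 pass against its limit of 50, and the host without a specific entry loses 10 of 30 against the "Other" limit of 20.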

Verifying the Configuration


# Run the display arp learning strict command to check the configuration of
strict ARP learning.
<Device> display arp learning strict
The global arp learning strict state:enable
------------------------------------------------------------
Interface LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0 Force-enable:0 Force-disable:0

# Run the display arp limit interface command to check the ARP entry limit
configured on 10GE 1/0/1.
<Device> display arp limit interface 10ge1/0/1
Interface VLAN Limit Learnt
---------------------------------------------------------------------------
10GE1/0/1 10 20 0
---------------------------------------------------------------------------
Total:1

# Run the display arp miss anti-attack rate-limit command to check the rate
limits configured for ARP Miss messages.
<Device> display arp miss anti-attack rate-limit
Global ARP miss rate-limit : 500 (0 means no limit)

VLAN ID Suppress Rate(pps)(0 means no limit)
-------------------------------------------------------------------------------
All 0
-------------------------------------------------------------------------------
Total: 0, spec of rate-limit configuration for VLAN is 1024.

Source IP Suppress Rate(pps)(0 means no limit)
-------------------------------------------------------------------------------
10.10.10.10/32 30
10.20.20.20/32 50
Other 20
-------------------------------------------------------------------------------
Total: 2, spec of rate-limit configuration for Source IP is 1024.

# Run the display arp packet statistics command to check ARP message
statistics.
<Device> display arp packet statistics
ARP Packets Received
Total: 154333
Learnt Count: 8
Discard For Entry Limit: 5
Discard For Speed Limit: 0
Discard For Proxy Suppress: 0
Discard For Other: 151597
ARP Packets Sent
Total: 0
Request: 0
Reply: 0
Gratuitous ARP: 0
ARP-Miss Message Received:
Total: 0
Discard For Speed Limit: 0
Discard For Other: 3

Configuration Scripts
Device
#
sysname Device
#
vlan batch 10 20 30
#
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack rate-limit source-ip maximum 15
arp miss anti-attack rate-limit source-ip 10.10.10.10 maximum 30
arp miss anti-attack rate-limit source-ip maximum 20
arp miss anti-attack rate-limit source-ip 10.20.20.20 maximum 50
#
interface Vlanif10
ip address 10.9.9.1 255.255.255.0
#
interface Vlanif20
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif30
ip address 10.20.20.1 255.255.255.0
#
interface 10GE1/0/1
arp limit vlan 10 20
#
interface 10GE1/0/2
arp limit vlan 20 20
#
interface 10GE1/0/3
arp limit vlan 30 20

#
return

3.1.7.1.2 Example for Configuring Defense Against ARP MITM Attacks

Networking Requirements
As shown in Figure 3-51, DeviceA connects to the DHCP server through
10GE1/0/4, connects to DHCP clients UserA and UserB through 10GE1/0/1 and
10GE1/0/2 respectively, and connects to UserC with a static IP address through
10GE1/0/3. 10GE1/0/1, 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 of DeviceA all
belong to VLAN 10. An administrator wants to defend against ARP MITM attacks
and theft of authorized users' data, and wants to learn the frequency and scope of
these attacks.

Figure 3-51 Network diagram of defending against ARP MITM attacks


NOTE

In this example, interface1, interface2, interface3, and interface4 represent 10GE1/0/1,
10GE1/0/2, 10GE1/0/3, and 10GE1/0/4, respectively.

Configuration Roadmap
1. Enable DAI on DeviceA so that it compares the source IP address, source MAC
address, VLAN, and interface information in a received ARP message with
DHCP snooping binding entries. This defends against ARP MITM attacks.
2. Enable the alarm function for the ARP messages discarded by DAI on DeviceA.
After the function is enabled, DeviceA counts the number of ARP messages

discarded because they do not match DHCP snooping binding entries, and
generates an alarm when the number of discarded ARP messages exceeds the
alarm threshold. The administrator can then learn the frequency and scope of
the current ARP MITM attacks based on the alarm and the number of
discarded ARP messages.
3. Enable DHCP snooping and configure a static binding entry on DeviceA for
DAI to take effect.

Procedure
Step 1 Create a VLAN and add interfaces to it.

# Create VLAN 10, and add 10GE1/0/1, 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4 to
it.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/3
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 10
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/4] quit

Step 2 Enable DAI and the alarm function for ARP messages discarded by DAI.

# Enable DAI and the alarm function for ARP messages discarded by DAI on
10GE1/0/1, 10GE1/0/2, and 10GE1/0/3.
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] arp anti-attack check user-bind enable
[DeviceA-10GE1/0/1] arp anti-attack check user-bind alarm enable
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] arp anti-attack check user-bind enable
[DeviceA-10GE1/0/2] arp anti-attack check user-bind alarm enable
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/3
[DeviceA-10GE1/0/3] arp anti-attack check user-bind enable
[DeviceA-10GE1/0/3] arp anti-attack check user-bind alarm enable
[DeviceA-10GE1/0/3] quit

Step 3 Configure DHCP snooping.

# Enable DHCP snooping and configure 10GE1/0/4 connected to the DHCP server
as a trusted interface.
[DeviceA] dhcp enable
[DeviceA] dhcp snooping enable
[DeviceA] vlan 10
[DeviceA-vlan10] dhcp snooping enable
[DeviceA-vlan10] quit
[DeviceA] interface 10GE 1/0/4

[DeviceA-10GE1/0/4] dhcp snooping trusted
[DeviceA-10GE1/0/4] quit

# Configure a static binding entry.


[DeviceA] user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface 10GE1/0/3 vlan 10

----End
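The check that DAI performs is easy to misread, so the following Python model, added here as an illustration and not Huawei code, spells it out as the roadmap describes it: bindings come only from DHCP ACKs seen on the trusted port or from user-bind static entries, a DAI-enabled port permits an ARP message only when its source IP, source MAC, VLAN, and interface all match a binding, and a per-interface drop counter raises one alarm once it passes a threshold. The user MAC addresses, the 10.0.0.x addresses other than 10.0.0.2, and the alarm threshold of 100 (the example leaves the default in place) are assumptions for the demonstration.

```python
"""Model of DAI with DHCP snooping bindings (added example, not Huawei code).
User MACs, addresses other than 10.0.0.2 and the alarm threshold are assumed.
"""
from collections import Counter


class DynamicArpInspection:
    """ARP messages on DAI-enabled ports must match a binding on IP, MAC, VLAN and interface."""

    def __init__(self, alarm_threshold=100):  # threshold assumed, not set in the example
        self.bindings = set()      # (ip, mac, vlan, iface) from DHCP snooping or user-bind static
        self.dai_ports = set()     # "arp anti-attack check user-bind enable"
        self.trusted = set()       # "dhcp snooping trusted" (toward the DHCP server)
        self.alarm_threshold = alarm_threshold
        self.dropped = Counter()   # per-interface drop counter, as in the statistics display
        self.alarms = []           # interfaces that have raised the DAI drop alarm

    def snoop_dhcp_ack(self, ip, mac, vlan, client_iface, from_port):
        """Learn a dynamic binding from a DHCP ACK, but only if the ACK arrived on a
        trusted port; an ACK from a rogue server on an untrusted port creates no binding."""
        if from_port not in self.trusted:
            return False
        self.bindings.add((ip, mac, vlan, client_iface))
        return True

    def add_static_binding(self, ip, mac, vlan, iface):
        """Equivalent of 'user-bind static ip-address ... mac-address ... interface ... vlan ...'."""
        self.bindings.add((ip, mac, vlan, iface))

    def check_arp(self, iface, vlan, sender_ip, sender_mac):
        """Return the verdict for an ARP message received on iface."""
        if iface not in self.dai_ports:
            return "permit:dai-off"
        if (sender_ip, sender_mac, vlan, iface) in self.bindings:
            return "permit"
        self.dropped[iface] += 1
        if self.dropped[iface] > self.alarm_threshold and iface not in self.alarms:
            self.alarms.append(iface)  # one alarm per interface once the threshold is exceeded
        return "drop"


def run_demo():
    """Bindings and ARP messages constructed for the UserA/UserB/UserC topology."""
    dai = DynamicArpInspection(alarm_threshold=100)
    dai.trusted.add("10GE1/0/4")
    dai.dai_ports.update({"10GE1/0/1", "10GE1/0/2", "10GE1/0/3"})
    # Dynamic bindings learnt from ACKs that came in through the trusted uplink
    dai.snoop_dhcp_ack("10.0.0.10", "00e0-fc00-00aa", 10, "10GE1/0/1", from_port="10GE1/0/4")
    dai.snoop_dhcp_ack("10.0.0.11", "00e0-fc00-00bb", 10, "10GE1/0/2", from_port="10GE1/0/4")
    # A rogue DHCP server on UserB's untrusted port cannot plant a binding for UserA's IP
    rogue = dai.snoop_dhcp_ack("10.0.0.10", "00e0-fc00-bad0", 10, "10GE1/0/1", from_port="10GE1/0/2")
    # Static binding for UserC, as in the example
    dai.add_static_binding("10.0.0.2", "00e0-fc12-3456", 10, "10GE1/0/3")

    verdicts = {
        "usera_ok": dai.check_arp("10GE1/0/1", 10, "10.0.0.10", "00e0-fc00-00aa"),
        "userb_spoofs_usera": dai.check_arp("10GE1/0/2", 10, "10.0.0.10", "00e0-fc00-00bb"),
        "userb_spoofs_gateway": dai.check_arp("10GE1/0/2", 10, "10.0.0.1", "00e0-fc00-00bb"),
        "userc_ok": dai.check_arp("10GE1/0/3", 10, "10.0.0.2", "00e0-fc12-3456"),
        "userc_wrong_mac": dai.check_arp("10GE1/0/3", 10, "10.0.0.2", "00e0-fc00-bad0"),
        "uplink_no_dai": dai.check_arp("10GE1/0/4", 10, "10.0.0.1", "00e0-fc00-0001"),
    }
    # Sustained MITM spoofing from UserB's port pushes its drop count past the threshold
    for _ in range(120):
        dai.check_arp("10GE1/0/2", 10, "10.0.0.10", "00e0-fc00-00bb")
    return {"rogue_binding_accepted": rogue, "verdicts": verdicts,
            "dropped": dict(dai.dropped), "alarms": list(dai.alarms)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the run makes visible: the uplink 10GE1/0/4 is left without DAI on purpose, since DHCP replies and the server's own ARP never have client bindings, and a static entry is what lets UserC (no DHCP lease) pass the same check as the DHCP clients.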

Verifying the Configuration


# Run the display arp anti-attack configuration check user-bind command to
check the DAI configuration on each interface. 10GE1/0/1 is used as an example.
[DeviceA] display arp anti-attack configuration check user-bind interface 10GE 1/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
arp anti-attack check user-bind check-item ip-address

# Run the display arp anti-attack statistics check user-bind interface command
to check the number of ARP messages discarded by DAI. 10GE1/0/1 is used as an
example.
[DeviceA] display arp anti-attack statistics check user-bind interface 10GE 1/0/1
--------------------------------------------------------------------------------
Type View Total Dropped Last Dropped
--------------------------------------------------------------------------------
Interface 10GE1/0/1 966 605
--------------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface 10GE1/0/3 vlan 10
#
vlan 10
dhcp snooping enable
#
interface 10GE1/0/1
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface 10GE1/0/2
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface 10GE1/0/3
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface 10GE1/0/4
port link-type trunk

port trunk allow-pass vlan 10
dhcp snooping trusted
#
return

3.1.7.2 DHCPv4

3.1.7.2.1 Example for Configuring a DHCPv4 Server Based on an Interface Address Pool

Networking Requirements
As shown in Figure 3-52, DeviceA functions as a DHCPv4 server; the PCs on
network segment 10.1.1.0/24 are fixed terminals; network segment 10.1.2.0/24 is
used for the terminals' temporary access. To facilitate unified management, the
administrator requires the terminals to automatically obtain IPv4 addresses and
the IPv4 address of the DNS server (if users need to access the network using
domain names, a DNS server must be configured). A PC named Client_1 requires a
fixed IPv4 address of 10.1.1.100/24 to meet service requirements.

Figure 3-52 Network diagram of configuring a DHCPv4 server based on an interface address pool
NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Set an IPv4 address lease to 30 days for the PCs (Client_1 to Client_n) on
network segment 10.1.1.0/24, and allocate a fixed IPv4 address of
10.1.1.100/24 to Client_1 statically.
2. Set an IPv4 address lease to two days for the PCs (Client_s to Client_t) on
network segment 10.1.2.0/24 for temporary access.

Procedure
Step 1 Enable DHCPv4.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] dhcp enable

Step 2 Add interfaces to VLANs.


# Add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 10 and VLAN 11, respectively.
[DeviceA] vlan batch 10 11
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 11
[DeviceA-10GE1/0/2] quit

Step 3 Configure IPv4 addresses for VLANIF interfaces.


# Configure an IPv4 address for VLANIF 10.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.1 24
[DeviceA-Vlanif10] quit

# Configure an IPv4 address for VLANIF 11.


[DeviceA] interface vlanif 11
[DeviceA-Vlanif11] ip address 10.1.2.1 24
[DeviceA-Vlanif11] quit

Step 4 Configure interface address pools.


# Configure the clients connected to VLANIF 10 to obtain IPv4 addresses and
other network parameters from the address pool on VLANIF 10.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] dhcp select interface
[DeviceA-Vlanif10] dhcp server gateway-list 10.1.1.1
[DeviceA-Vlanif10] dhcp server lease day 30
[DeviceA-Vlanif10] dhcp server domain-name huawei.com
[DeviceA-Vlanif10] dhcp server dns-list 10.1.3.1
[DeviceA-Vlanif10] dhcp server static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
[DeviceA-Vlanif10] quit

# Configure the clients connected to VLANIF 11 to obtain IPv4 addresses and
other network parameters from the address pool on VLANIF 11.
[DeviceA] interface vlanif 11
[DeviceA-Vlanif11] dhcp select interface
[DeviceA-Vlanif11] dhcp server gateway-list 10.1.2.1
[DeviceA-Vlanif11] dhcp server lease day 2
[DeviceA-Vlanif11] dhcp server domain-name huawei.com

[DeviceA-Vlanif11] dhcp server dns-list 10.1.3.1
[DeviceA-Vlanif11] quit

----End

Verifying the Configuration


# On DeviceA, run the display ip pool command to check IPv4 address
configuration and allocation in address pools. The Used field displays the number
of used IPv4 addresses in each address pool.
[DeviceA] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No :0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.3.1
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :100
Idle :153 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-------------------------------------------------------------------------------
[DeviceA] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No :1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.3.1
NBNS-server0 :-
Netbios-type :-
Position : Interface
Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :3
Idle :250 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-------------------------------------------------------------------------------

# Check IPv4 address information on Client_1. You can check that Client_1 has
obtained the IPv4 address 10.1.1.100/24.
# Check IPv4 address information on other DHCPv4 clients. You can check that the
clients have obtained IPv4 addresses.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.1.1.1
dhcp server static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.3.1
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.1.2.1
dhcp server lease day 2 hour 0 minute 0
dhcp server dns-list 10.1.3.1
dhcp server domain-name huawei.com
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 11
#
return

3.1.7.2.2 Example for Configuring a DHCPv4 Server Based on a Global Address Pool (Using a Layer 3 Ethernet Interface)

Networking Requirements
As shown in Figure 3-53, DeviceA functions as a DHCPv4 server; the PCs on
network segment 10.1.1.0/24 are fixed terminals; network segment 10.1.2.0/24 is
used for the terminals' temporary access. To facilitate unified management, the
administrator requires the terminals to automatically obtain IPv4 addresses and
the IPv4 address of the DNS server (if users need to access the network using
domain names, a DNS server must be configured). A PC named Client_1 requires a
fixed IPv4 address of 10.1.1.100/24 to meet service requirements.

Figure 3-53 Network diagram of configuring a DHCPv4 server based on a global
address pool (using a Layer 3 Ethernet interface)
NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Set an IPv4 address lease to 30 days for the PCs (Client_1 to Client_n) on
network segment 10.1.1.0/24, and allocate a fixed IPv4 address of
10.1.1.100/24 to Client_1 statically.
2. Set an IPv4 address lease to two days for the PCs (Client_s to Client_t) on
network segment 10.1.2.0/24 for temporary access.

Procedure
Step 1 Enable DHCPv4.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] dhcp enable

Step 2 Configure IPv4 addresses for interfaces.
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] undo portswitch
[DeviceA-10GE1/0/1] ip address 10.1.1.1 24
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] undo portswitch
[DeviceA-10GE1/0/2] ip address 10.1.2.1 24
[DeviceA-10GE1/0/2] quit

Step 3 Configure global address pools.
# Configure attributes for the address pool pool1.
[DeviceA] ip pool pool1
[DeviceA-ip-pool-pool1] network 10.1.1.0 mask 24
[DeviceA-ip-pool-pool1] gateway-list 10.1.1.1
[DeviceA-ip-pool-pool1] lease day 30
[DeviceA-ip-pool-pool1] domain-name huawei.com
[DeviceA-ip-pool-pool1] dns-list 10.1.3.1
[DeviceA-ip-pool-pool1] static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
[DeviceA-ip-pool-pool1] quit

# Configure attributes for the address pool pool2.
[DeviceA] ip pool pool2
[DeviceA-ip-pool-pool2] network 10.1.2.0 mask 24
[DeviceA-ip-pool-pool2] gateway-list 10.1.2.1
[DeviceA-ip-pool-pool2] lease day 2
[DeviceA-ip-pool-pool2] domain-name huawei.com
[DeviceA-ip-pool-pool2] dns-list 10.1.3.1
[DeviceA-ip-pool-pool2] quit

Step 4 Enable the DHCPv4 server function based on global address pools on Layer 3
Ethernet interfaces.
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] dhcp select global
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] dhcp select global
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration
# On DeviceA, run the display ip pool command to check IPv4 address
configuration and allocation in address pools. The Used field displays the number
of used IPv4 addresses in each address pool.
[DeviceA] display ip pool name pool1

Pool-name : pool1
Pool-No :7
Lease : 30 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.3.1
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 252(0) 0 0
-------------------------------------------------------------------------------------
[DeviceA] display ip pool name pool2

Pool-name : pool2
Pool-No :8
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.3.1
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :0
Idle :253 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 0 253(0) 0 0
-------------------------------------------------------------------------------------

# Check IPv4 address information on Client_1. You can check that Client_1 has
obtained the IPv4 address 10.1.1.100/24.
# Check IPv4 address information on other DHCPv4 clients. You can check that the
clients have obtained IPv4 addresses.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
lease day 30 hour 0 minute 0
dns-list 10.1.3.1
domain-name huawei.com
#
ip pool pool2
gateway-list 10.1.2.1
network 10.1.2.0 mask 255.255.255.0
lease day 2 hour 0 minute 0
dns-list 10.1.3.1
domain-name huawei.com
#
interface 10GE1/0/1
undo portswitch
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface 10GE1/0/2
undo portswitch
ip address 10.1.2.1 255.255.255.0
dhcp select global
#
return

3.1.7.2.3 Example for Configuring a DHCPv4 Client

Networking Requirements
As shown in Figure 3-54, DeviceA functions as a DHCPv4 client and needs to
obtain information such as an IPv4 address, DNS server address, and gateway
address from DeviceB functioning as a DHCPv4 server.

Figure 3-54 Network diagram of configuring a DHCPv4 client

NOTE

In this example, interface 1 represents 10GE 1/0/1.

Procedure
Step 1 Configure the DHCPv4 client function on DeviceA.
# Create VLAN 10 and add 10GE 1/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit

# Enable the DHCPv4 client function on VLANIF 10.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address dhcp-alloc
[DeviceA-Vlanif10] quit

Step 2 Create a global address pool on DeviceB and configure network parameters.
1. Enable DHCPv4.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] dhcp enable

2. Create VLAN 10 and add 10GE 1/0/1 to VLAN 10.
[DeviceB] vlan batch 10
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/1] quit

3. Create an address pool and configure attributes for the pool.
[DeviceB] ip pool pool1
[DeviceB-ip-pool-pool1] network 192.168.1.0 mask 24
[DeviceB-ip-pool-pool1] gateway-list 192.168.1.126
[DeviceB-ip-pool-pool1] dns-list 192.168.1.2
[DeviceB-ip-pool-pool1] excluded-ip-address 192.168.1.1
[DeviceB-ip-pool-pool1] excluded-ip-address 192.168.1.2
[DeviceB-ip-pool-pool1] quit

4. Enable the DHCPv4 server function based on the global address pool on
VLANIF 10.
[DeviceB] interface vlanif 10
[DeviceB-Vlanif10] ip address 192.168.1.1 24
[DeviceB-Vlanif10] dhcp select global
[DeviceB-Vlanif10] quit

----End

Verifying the Configuration
# After VLANIF 10 obtains an IPv4 address, run the display dhcp client command
on DeviceA to check the status of the DHCPv4 client.
[DeviceA] display dhcp client
DHCP client lease information on interface Vlanif10 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : 00e0-fc12-3456
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
Lease obtained at : 2021-09-26 20:30:39
Lease expires at : 2021-09-27 20:30:39
Lease renews at : 2021-09-27 08:30:39
Lease rebinds at : 2021-09-27 17:30:39
Request option list : 1 3 6 15 28 33 44 121 184
Class identifier : huawei xxxx
Client identifier : 00e0-fc12-1111
DNS : 192.168.1.2
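
The renew and rebind times above follow the RFC 2131 defaults of T1 = 50% and T2 = 87.5% of the lease, which is why a one-day lease obtained at 20:30:39 renews at 08:30:39 and rebinds at 17:30:39 the next day. The Python script below is an added example, not Huawei code: it parses a `display dhcp client` block (the sample is constructed from the output above) and reports any timer field that disagrees with those defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the `display dhcp client` output above.
SAMPLE_OUTPUT = """\
DHCP client lease information on interface Vlanif10 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : 00e0-fc12-3456
IP address : 192.168.1.254
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
Lease obtained at : 2021-09-26 20:30:39
Lease expires at : 2021-09-27 20:30:39
Lease renews at : 2021-09-27 08:30:39
Lease rebinds at : 2021-09-27 17:30:39
DNS : 192.168.1.2
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
# RFC 2131 section 4.4.5 defaults: T1 = 0.5 * lease, T2 = 0.875 * lease.
T1_FRACTION = 0.5
T2_FRACTION = 0.875


def parse_dhcp_client(text):
    """Turn the 'Field : value' lines of the output into a dict.
    The header line has no value after its colon and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def lease_bounds(fields):
    """Return (obtained, expires) as datetimes, rejecting an inverted lease."""
    obtained = datetime.strptime(fields["Lease obtained at"], TIME_FMT)
    expires = datetime.strptime(fields["Lease expires at"], TIME_FMT)
    if expires <= obtained:
        raise ValueError("lease expires before it was obtained")
    return obtained, expires


def expected_timers(obtained, expires):
    """Compute the renew (T1) and rebind (T2) instants from the lease bounds."""
    lease_seconds = (expires - obtained).total_seconds()
    renews = obtained + timedelta(seconds=lease_seconds * T1_FRACTION)
    rebinds = obtained + timedelta(seconds=lease_seconds * T2_FRACTION)
    return renews, rebinds


def check_lease_timers(text):
    """Return the names of the timer fields whose value does not match the
    RFC 2131 default derived from the obtained/expires pair; [] means consistent."""
    fields = parse_dhcp_client(text)
    renews, rebinds = expected_timers(*lease_bounds(fields))
    mismatches = []
    for name, want in (("Lease renews at", renews), ("Lease rebinds at", rebinds)):
        if datetime.strptime(fields[name], TIME_FMT) != want:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    print("timer mismatches:", check_lease_timers(SAMPLE_OUTPUT) or "none")
```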

# Run the display ip pool name pool1 command on DeviceB to check IPv4
address allocation in the global address pool. The Used field value indicates the
number of allocated IPv4 addresses.
[DeviceB] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.1.2
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 192.168.1.126
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :1

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 251(0) 0 1
-------------------------------------------------------------------------------

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 10
#
interface Vlanif10
ip address dhcp-alloc
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 10
#
dhcp enable
#
ip pool pool1
gateway-list 192.168.1.126
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.1 192.168.1.2
dns-list 192.168.1.2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.1.7.2.4 Example for Configuring DHCPv4 Relay

Context
As shown in Figure 3-55, the DHCPv4 server and clients are on different network
segments. A DHCPv4 relay agent must be configured to enable the DHCPv4 clients
to dynamically obtain IPv4 addresses.

Figure 3-55 Network diagram of configuring a DHCPv4 relay agent

NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Configure connectivity between devices.

# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 100 200
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type hybrid
[DeviceA-10GE1/0/1] port hybrid pvid vlan 200
[DeviceA-10GE1/0/1] port hybrid untagged vlan 200
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type hybrid
[DeviceA-10GE1/0/2] port hybrid pvid vlan 100
[DeviceA-10GE1/0/2] port hybrid untagged vlan 100
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 200
[DeviceA-Vlanif200] ip address 10.10.20.1 24
[DeviceA-Vlanif200] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 200
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type hybrid
[DeviceB-10GE1/0/1] port hybrid pvid vlan 200
[DeviceB-10GE1/0/1] port hybrid untagged vlan 200
[DeviceB-10GE1/0/1] quit
[DeviceB] interface vlanif 200
[DeviceB-Vlanif200] ip address 10.10.20.2 24
[DeviceB-Vlanif200] quit

Step 2 Configure DHCPv4 relay.
# Enable DHCPv4 relay on DeviceA's VLANIF 100 and configure an IPv4 address
for the DHCPv4 server.
[DeviceA] dhcp enable
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 10.20.20.1 24
[DeviceA-Vlanif100] dhcp select relay
[DeviceA-Vlanif100] dhcp relay server-ip 10.10.20.2
[DeviceA-Vlanif100] quit

Step 3 Configure the DHCPv4 server.
# Configure the DHCPv4 server function based on the global address pool on
DeviceB.
[DeviceB] dhcp enable
[DeviceB] interface vlanif 200
[DeviceB-Vlanif200] dhcp select global
[DeviceB-Vlanif200] quit
[DeviceB] ip pool pool1
[DeviceB-ip-pool-pool1] network 10.20.20.0 mask 24
[DeviceB-ip-pool-pool1] gateway-list 10.20.20.1
[DeviceB-ip-pool-pool1] option121 ip-address 10.10.20.0 24 10.20.20.1
[DeviceB-ip-pool-pool1] quit

Step 4 Configure routes.
# Configure a default route on DeviceA.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 10.10.20.2

# Configure a static route on DeviceB.
[DeviceB] ip route-static 10.20.20.0 255.255.255.0 10.10.20.1

----End
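
The `option121 ip-address 10.10.20.0 24 10.20.20.1` line in pool1 gives each client a classless static route (DHCP option 121, RFC 3442) to the server segment through DeviceA. The Python encoder and decoder below are an added example, not Huawei code; they show the exact bytes the server sends for that route and the length checks a client-side parser needs before it installs anything from the option.

```python
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442


def encode_option121(routes):
    """Build the option 121 TLV (code, length, payload) from a list of
    (destination CIDR, next hop) pairs. Each route descriptor carries the
    prefix length, only the significant octets of the destination, and the
    4-byte router address, so 10.10.20.0/24 via 10.20.20.1 costs 8 bytes."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        nsig = (net.prefixlen + 7) // 8      # 0 octets for 0.0.0.0/0, up to 4
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:nsig]
        payload += ipaddress.IPv4Address(router).packed
    if len(payload) > 255:
        raise ValueError("option 121 payload does not fit one TLV (255 bytes)")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(payload)]) + bytes(payload)


def decode_option121(tlv):
    """Parse an option 121 TLV back into (destination CIDR, next hop) pairs.
    Raises ValueError for the malformed shapes a client must refuse to install:
    wrong code, length beyond the data, prefix > 32, or a truncated descriptor."""
    if len(tlv) < 2 or tlv[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not an option 121 TLV")
    length = tlv[1]
    body = bytes(tlv[2:2 + length])
    if len(body) != length:
        raise ValueError("declared length exceeds the bytes present")
    routes = []
    i = 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        nsig = (plen + 7) // 8
        if i + nsig + 4 > len(body):
            raise ValueError("truncated route descriptor")
        # Pad the significant octets back out to a full 4-byte address.
        dest_octets = body[i:i + nsig] + bytes(4 - nsig)
        i += nsig
        router = ipaddress.IPv4Address(body[i:i + 4])
        i += 4
        # IPv4Network is strict by default: host bits set beyond the prefix are rejected.
        dest = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest_octets)}/{plen}")
        routes.append((str(dest), str(router)))
    return routes


def is_well_formed_option121(tlv):
    """True when the TLV decodes cleanly; False for any of the malformed cases."""
    try:
        decode_option121(tlv)
        return True
    except ValueError:
        return False


# Route pushed by pool1 on DeviceB: option121 ip-address 10.10.20.0 24 10.20.20.1
POOL1_ROUTES = [("10.10.20.0/24", "10.20.20.1")]

if __name__ == "__main__":
    tlv = encode_option121(POOL1_ROUTES)
    print(tlv.hex())          # 7908180a0a140a141401
    print(decode_option121(tlv))
```

RFC 3442 also requires a client that receives option 121 to ignore the Router option (3), so a pool that relies on option 121 should list a default route in it as well when clients need one.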

Verifying the Configuration
# Run the display dhcp relay interface vlanif 100 command on DeviceA to check
the configuration of the DHCPv4 relay agent.
[DeviceA] display dhcp relay interface vlanif 100
Server IP address [00] : 10.10.20.2
Gateway address in use : 10.20.20.1
Gateway switch : Disable

# Check IPv4 address information on DHCPv4 clients to confirm that they have
obtained IPv4 addresses.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.10.20.2
#
interface Vlanif200
ip address 10.10.20.1 255.255.255.0
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface 10GE1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.10.20.2
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 200
#
dhcp enable
#
ip pool pool1
gateway-list 10.20.20.1
network 10.20.20.0 mask 255.255.255.0
option121 ip-address 10.10.20.0 24 10.20.20.1
#
interface Vlanif200
ip address 10.10.20.2 255.255.255.0
dhcp select global
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
ip route-static 10.20.20.0 255.255.255.0 10.10.20.1
#
return

3.1.7.2.5 Example for Configuring a DHCPv4 Server in VRRP Networking

Networking Requirements
As shown in Figure 3-56, a host (DHCPv4 client) in an enterprise is dual-homed
to DeviceA and DeviceB through DeviceC. DeviceA is the master device and
functions as a DHCPv4 server to allocate IPv4 addresses to clients. If DeviceA fails,
the client needs to obtain an IPv4 address through DeviceB (backup device).

Figure 3-56 Network diagram of configuring a DHCPv4 server in VRRP networking

NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent 10GE 1/0/1,
10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IPv4 addresses for interfaces on DeviceA and DeviceB, and
configure Layer 2 transparent transmission on DeviceC to ensure network-
layer connectivity.
2. Configure a VRRP group on DeviceA and DeviceB. Configure a high priority for
DeviceA so that it functions as the master device to allocate IPv4 addresses to
clients. Configure a low priority for DeviceB so that it functions as the backup
device.
3. Create global address pools on DeviceA and DeviceB and configure attributes
for the address pools.
4. Configure a loop avoidance protocol (STP is used in this example) on DeviceA,
DeviceB, and DeviceC.

Procedure
Step 1 Configure connectivity between devices.
# Configure IPv4 addresses for interfaces on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 100
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 100
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 100
[DeviceA-10GE1/0/4] quit
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 10.1.1.1 24
[DeviceA-Vlanif100] quit

# Configure IPv4 addresses for interfaces on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 100
[DeviceB] interface 10GE 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 100
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10GE 1/0/4
[DeviceB-10GE1/0/4] portswitch
[DeviceB-10GE1/0/4] port link-type trunk
[DeviceB-10GE1/0/4] port trunk allow-pass vlan 100
[DeviceB-10GE1/0/4] quit
[DeviceB] interface vlanif 100
[DeviceB-Vlanif100] ip address 10.1.1.129 24
[DeviceB-Vlanif100] quit

# Configure Layer 2 transparent transmission on DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 100
[DeviceC] interface 10GE 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 100
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10GE 1/0/2
[DeviceC-10GE1/0/2] portswitch
[DeviceC-10GE1/0/2] port link-type trunk
[DeviceC-10GE1/0/2] port trunk allow-pass vlan 100
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10GE 1/0/3
[DeviceC-10GE1/0/3] portswitch
[DeviceC-10GE1/0/3] port link-type access
[DeviceC-10GE1/0/3] port default vlan 100
[DeviceC-10GE1/0/3] quit

Step 2 Configure address pools.
# Configure an address pool on DeviceA. Enable DHCPv4. Create an address pool,
and configure an address pool range of 10.1.1.2 to 10.1.1.128 so that the address
pool range on DeviceA does not overlap with that on DeviceB.

NOTE

Information about the address pool on the master device cannot be backed up to the
backup device in real time. To prevent IPv4 address conflicts after a master/backup device
switchover, the address pool ranges on the master and backup devices must not overlap.
[DeviceA] dhcp enable
[DeviceA] ip pool pool1
[DeviceA-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[DeviceA-ip-pool-pool1] gateway-list 10.1.1.111
[DeviceA-ip-pool-pool1] excluded-ip-address 10.1.1.1
[DeviceA-ip-pool-pool1] excluded-ip-address 10.1.1.129 10.1.1.254
[DeviceA-ip-pool-pool1] lease day 10
[DeviceA-ip-pool-pool1] quit

# Configure an address pool on DeviceB. Enable DHCPv4. Create an address pool,
and configure an address pool range of 10.1.1.130 to 10.1.1.254 so that the
address pool range on DeviceB does not overlap with that on DeviceA.
[DeviceB] dhcp enable
[DeviceB] ip pool pool1
[DeviceB-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[DeviceB-ip-pool-pool1] gateway-list 10.1.1.111
[DeviceB-ip-pool-pool1] excluded-ip-address 10.1.1.1 10.1.1.110
[DeviceB-ip-pool-pool1] excluded-ip-address 10.1.1.112 10.1.1.129
[DeviceB-ip-pool-pool1] lease day 10
[DeviceB-ip-pool-pool1] quit

Step 3 Configure a VRRP group.
# Create VRRP group 1 on DeviceA, set the priority of DeviceA in the VRRP group
to 120, and configure clients to obtain IPv4 addresses from the global address
pool.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[DeviceA-Vlanif100] vrrp vrid 1 priority 120
[DeviceA-Vlanif100] vrrp vrid 1 authentication-mode md5 YsH_2022
[DeviceA-Vlanif100] dhcp select global
[DeviceA-Vlanif100] quit

# Create VRRP group 1 on DeviceB, set the priority of DeviceB in the VRRP group
to 100, and configure clients to obtain IPv4 addresses from the global address
pool.
[DeviceB] interface vlanif 100
[DeviceB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[DeviceB-Vlanif100] vrrp vrid 1 authentication-mode md5 YsH_2022
[DeviceB-Vlanif100] dhcp select global
[DeviceB-Vlanif100] quit

Step 4 Configure STP.
# Enable STP globally on DeviceA to break loops.
[DeviceA] stp enable

# Enable STP globally on DeviceB to break loops.
[DeviceB] stp enable

# Enable STP globally on DeviceC to break loops.
[DeviceC] stp enable

# Disable STP on DeviceC's 10GE 1/0/3 and set the path cost of 10GE 1/0/1 to
20000.
[DeviceC] interface 10GE 1/0/3
[DeviceC-10GE1/0/3] stp disable
[DeviceC-10GE1/0/3] quit
[DeviceC] interface 10GE 1/0/1
[DeviceC-10GE1/0/1] stp cost 20000
[DeviceC-10GE1/0/1] quit

----End
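
The address pool planning in Step 2, and the Total, Used, Idle and Disabled counters that `display ip pool` prints throughout this chapter, follow one model: Total is the host count of the network minus the gateway addresses, Disabled is the number of `excluded-ip-address` entries, and the rest is allocatable. The Python model below is an added example, not Huawei code; it reproduces those counters for pool1 on DeviceA and DeviceB and checks that the two allocatable ranges are disjoint, as the NOTE in Step 2 requires.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpPool:
    """Model of a Huawei global address pool as configured in this example:
    network/mask, gateway-list and excluded-ip-address ranges."""
    name: str
    network: str            # e.g. "10.1.1.0"
    mask: str               # e.g. "255.255.255.0"
    gateways: list
    excluded: list = field(default_factory=list)   # [(start, end), ...]

    def _hosts(self):
        net = ipaddress.IPv4Network(f"{self.network}/{self.mask}")
        return set(net.hosts())

    def _gateways(self):
        return {ipaddress.IPv4Address(g) for g in self.gateways}

    def _excluded(self):
        out = set()
        for start, end in self.excluded:
            lo = int(ipaddress.IPv4Address(start))
            hi = int(ipaddress.IPv4Address(end))
            if hi < lo:
                raise ValueError(f"{self.name}: excluded range {start}-{end} is reversed")
            out.update(ipaddress.IPv4Address(i) for i in range(lo, hi + 1))
        return out & self._hosts()

    def allocatable(self):
        """Addresses the pool may lease: hosts minus gateways minus exclusions."""
        return self._hosts() - self._gateways() - self._excluded()

    def statistics(self, used=0):
        """Counters in the layout of `display ip pool`: Total leaves out the
        gateway addresses, Disabled counts the excluded ones."""
        total = self._hosts() - self._gateways()
        disabled = self._excluded() - self._gateways()
        return {
            "Total": len(total),
            "Used": used,
            "Idle": len(total) - len(disabled) - used,
            "Disabled": len(disabled),
        }


def pool_overlap(pool_a, pool_b):
    """Addresses both pools could hand out. Must be empty for the VRRP
    master/backup pair, because leases are not synchronised between them."""
    return sorted(pool_a.allocatable() & pool_b.allocatable())


# Pools exactly as configured on DeviceA and DeviceB in Step 2.
DEVICE_A_POOL = IpPool("DeviceA pool1", "10.1.1.0", "255.255.255.0", ["10.1.1.111"],
                       [("10.1.1.1", "10.1.1.1"), ("10.1.1.129", "10.1.1.254")])
DEVICE_B_POOL = IpPool("DeviceB pool1", "10.1.1.0", "255.255.255.0", ["10.1.1.111"],
                       [("10.1.1.1", "10.1.1.110"), ("10.1.1.112", "10.1.1.129")])

if __name__ == "__main__":
    print("DeviceA:", DEVICE_A_POOL.statistics(used=1))   # Total 253, Idle 125, Disabled 127
    print("DeviceB:", DEVICE_B_POOL.statistics())         # Total 253, Idle 125, Disabled 128
    print("overlap:", pool_overlap(DEVICE_A_POOL, DEVICE_B_POOL) or "none")
```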

Verifying the Configuration
# Run the display vrrp command on DeviceA and DeviceB. The command outputs
show that DeviceA and DeviceB are Master and Backup in the VRRP group,
respectively.
[DeviceA] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0s Remain : --
Hold Multiplier: 3
TimerRun : 1s
TimerConfig : 1s
Auth Type : MD5 Auth Key : ******
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : Normal
Create Time : 2020-05-12 16:22:11
Last Change Time : 2020-05-12 16:22:11
[DeviceB] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0s Remain : --
Hold Multiplier: 3
TimerRun : 1s
TimerConfig : 1s
Auth Type : MD5 Auth Key : ******
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : Normal
Create Time : 2020-05-12 16:22:11
Last Change Time : 2020-05-12 16:22:11

# Run the display ip pool command on DeviceA and DeviceB to check IPv4
address allocation in the address pools. The command outputs show that DeviceA
has allocated an IPv4 address to the DHCPv4 client but DeviceB has not.
[DeviceA] display ip pool
-------------------------------------------------------------------------------
Pool-name : pool1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :125 Expired :0
Conflict :0 Disabled :127

IP address Statistic
Total :253
Used :1 Idle :125
Expired :0 Conflict :0 Disabled :127
[DeviceB] display ip pool
-------------------------------------------------------------------------------
Pool-name : pool1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :0
Idle :125 Expired :0
Conflict :0 Disabled :128

IP address Statistic
Total :253
Used :0 Idle :125
Expired :0 Conflict :0 Disabled :128

# Run the shutdown command on DeviceA's 10GE 1/0/2 and 10GE 1/0/4 to
simulate a fault on DeviceA. Then, run the display vrrp command on DeviceB to
check the VRRP status. The command output shows that the VRRP status of
DeviceB is Master.
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] shutdown
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] shutdown
[DeviceA-10GE1/0/4] quit
[DeviceB] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.129
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0s Remain : --
Hold Multiplier: 3
TimerRun : 1s
TimerConfig : 1s
Auth Type : MD5 Auth Key : ******
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : Normal
Create Time : 2020-05-12 16:27:11
Last Change Time : 2020-05-12 16:27:11

# Run the display ip pool command on DeviceB to check the configuration of the
global address pool.
[DeviceB] display ip pool
-------------------------------------------------------------------------------
Pool-name : pool1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Address Statistic: Total :253 Used :1
Idle :124 Expired :0
Conflict :0 Disabled :128

IP address Statistic
Total :253
Used :1 Idle :124
Expired :0 Conflict :0 Disabled :128

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 100
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1
excluded-ip-address 10.1.1.129 10.1.1.254
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 authentication-mode md5 %+%##!!!!!!!!!"!!!!"!!!!*!!!!%M)\5[{0vYb}[6P0eY{3bKEQAGvMD,>,NTS!!!!!2jp5!!!!!!9!!!!h*0u$6>G#Qrhz@F'+1JTXy!#3i=0.F!!!!!!!!!!%+%#
dhcp select global
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 100
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1 10.1.1.110
excluded-ip-address 10.1.1.112 10.1.1.129
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.129 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 authentication-mode md5 %+%##!!!!!!!!!"!!!!"!!!!*!!!!%M)\5[{0vYb}[6P0eY{3bKEQAGvMD,>,NTS!!!!!2jp5!!!!!!9!!!!h*0u$6>G#Qrhz@F'+1JTXy!#3i=0.F!!!!!!!!!!%+%#
dhcp select global
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp instance 0 cost 20000
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/3
port link-type access
port default vlan 100
stp disable
#
return

3.1.7.3 DHCP Snooping

3.1.7.3.1 Example for Configuring DHCP Snooping Attack Defense

Networking Requirements
As shown in Figure 3-57, DeviceA and DeviceB are Layer 2 switches, and DeviceC
is the user gateway that functions as the DHCP relay agent to forward DHCP
messages to the DHCP server, so that DHCP clients can obtain IP addresses and
related configurations from the DHCP server.

The network may encounter the following DHCP attacks:

● Bogus DHCP server attack: An attacker deploys a DHCP server on the network
to allocate IP addresses and other network parameters to clients. If the DHCP
server allocates incorrect IP addresses and other network parameters to
clients, the network will be greatly affected.
● DHCP flood attack: If an attacker sends a large number of DHCP messages to
a device in a short period, device performance is impacted, and the device
may stop working.
● Bogus DHCP message attack: If an attacker pretends to be an authorized user
and continuously sends DHCPREQUEST messages to the DHCP server to
renew the IP address lease, the expired IP addresses cannot be reclaimed. As a
result, authorized users can no longer obtain IP addresses. If an attacker
pretends to be an authorized user and sends a DHCPRELEASE message to the
DHCP server, the authorized user will be disconnected unexpectedly.
● DHCP server DoS attack: If a large number of attackers apply for IP addresses
or an attacker continuously changes the CHADDR field to apply for IP
addresses from the DHCP server, IP addresses on the DHCP server are quickly
exhausted and authorized users can no longer obtain IP addresses.

To defend against DHCP attacks and provide a high-quality service for DHCP
users, configure the DHCP snooping function.


Figure 3-57 Network diagram of configuring DHCP snooping attack defense


NOTE

In this example, interfaces 1, 2, and 3 represent 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3,
respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP relay so that DeviceC forwards DHCP messages from
different network segments to the DHCP server.
2. Configure the basic DHCP snooping functions to prevent bogus DHCP server
attacks. Enable association between ARP and DHCP snooping to ensure that
the binding table is updated in real time when DHCP users are disconnected
unexpectedly. Configure the device to discard DHCP messages in which the
GIADDR field value is not 0 to prevent attacks initiated by unauthorized users.
3. Set the maximum rate of DHCP messages sent to the DHCP message
processing unit to prevent DHCP flood attacks. Enable the packet discarding
alarm function so that an alarm is generated when the number of discarded
DHCP messages reaches the alarm threshold.
4. Enable the device to check DHCP messages against the binding table to
prevent bogus DHCP message attacks. Configure the device to generate an
alarm when the number of DHCP messages discarded because they do not
match the binding table reaches the threshold.
5. Configure the maximum number of access users and enable the device to
check whether the CHADDR field value is the same as the source MAC
address in the header of a DHCPREQUEST message to prevent DHCP server
DoS attacks.
In this example, only the configuration on DeviceC is provided. The example does
not include detailed configurations for the DHCP server.
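As an added example (not part of this document or the switch software), the following Python model applies the checks configured in this roadmap to constructed DHCP messages: server messages on an untrusted port, the GIADDR check, the CHADDR check, the binding-table check and the per-interface user limit. The MAC addresses, lease entries and message fields are constructed, and the checks are simplified relative to the device's actual processing.

```python
"""Model of the DHCP snooping checks configured in this example, run over
constructed DHCP messages. Simplified model, not the switch's implementation."""
import struct
from dataclasses import dataclass, field

# DHCP message types (option 53)
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
CLIENT_MSGS = {DISCOVER, REQUEST, RELEASE}   # client -> server direction
SERVER_MSGS = {OFFER, ACK}                   # server -> client direction
MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie


def _ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_dhcp(msg_type, chaddr, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Construct a minimal RFC 2131 DHCP payload (constructed test input)."""
    op = 1 if msg_type in CLIENT_MSGS else 2          # BOOTREQUEST / BOOTREPLY
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += _ip4(ciaddr) + _ip4("0.0.0.0") + _ip4("0.0.0.0") + _ip4(giaddr)
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")   # chaddr
    hdr += b"\0" * 192 + MAGIC                         # sname + file + cookie
    return hdr + bytes([53, 1, msg_type, 255])         # option 53, then END


def parse_dhcp(payload):
    """Return (msg_type, chaddr, ciaddr, giaddr) from a raw DHCP payload."""
    ciaddr = ".".join(str(b) for b in payload[12:16])
    giaddr = ".".join(str(b) for b in payload[24:28])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:34])
    opts, i, msg_type = payload[240:], 0, None
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                               # PAD option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return msg_type, chaddr, ciaddr, giaddr


@dataclass
class SnoopingPort:
    """State of one DHCP snooping interface (user side unless trusted)."""
    trusted: bool = False
    max_users: int = 20                                # dhcp snooping user-bind max-number
    bindings: dict = field(default_factory=dict)       # mac -> leased IP (binding table)


def snooping_check(port, src_mac, payload):
    """Apply the checks to one frame; return 'forward' or 'drop: <reason>'."""
    msg_type, chaddr, ciaddr, giaddr = parse_dhcp(payload)
    if msg_type in SERVER_MSGS and not port.trusted:
        return "drop: server message on untrusted port (bogus DHCP server)"
    if msg_type in CLIENT_MSGS:
        if giaddr != "0.0.0.0":
            return "drop: GIADDR is not 0 (dhcp-giaddr check)"
        if chaddr != src_mac.lower():
            return "drop: CHADDR differs from source MAC (dhcp-chaddr check)"
        # Renewals (REQUEST with ciaddr set) and RELEASEs must match a binding
        if msg_type == RELEASE or (msg_type == REQUEST and ciaddr != "0.0.0.0"):
            if port.bindings.get(chaddr) != ciaddr:
                return "drop: no matching binding-table entry (dhcp-request check)"
        if chaddr not in port.bindings and len(port.bindings) >= port.max_users:
            return "drop: user-bind max-number reached"
    return "forward"


def run_scenarios():
    """Constructed traffic on an untrusted user-side port; returns the verdicts."""
    port = SnoopingPort(max_users=2)
    legit, other, spoofer = "00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"
    port.bindings[legit] = "10.0.0.10"                 # leases already learned (constructed)
    port.bindings[other] = "10.0.0.11"
    return {
        "renew_ok": snooping_check(port, legit, build_dhcp(REQUEST, legit, ciaddr="10.0.0.10")),
        "bogus_offer": snooping_check(port, spoofer, build_dhcp(OFFER, legit)),
        "giaddr_set": snooping_check(port, legit, build_dhcp(DISCOVER, legit, giaddr="10.0.0.1")),
        "chaddr_mismatch": snooping_check(port, spoofer, build_dhcp(REQUEST, legit, ciaddr="10.0.0.10")),
        "release_for_other_ip": snooping_check(port, spoofer, build_dhcp(RELEASE, spoofer, ciaddr="10.0.0.10")),
        "over_limit": snooping_check(port, spoofer, build_dhcp(DISCOVER, spoofer)),
    }
```

Only the renewal from the bound client is forwarded; each of the other constructed messages is dropped by exactly one of the configured checks.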

Procedure
1. Configure DHCP relay.
# Configure DHCP relay.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC


[DeviceC] vlan batch 10 20
[DeviceC] interface 10GE 1/0/1
[DeviceC-10GE1/0/1] port link-type access
[DeviceC-10GE1/0/1] port default vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10GE 1/0/2
[DeviceC-10GE1/0/2] port link-type access
[DeviceC-10GE1/0/2] port default vlan 10
[DeviceC-10GE1/0/2] quit
[DeviceC] interface 10GE 1/0/3
[DeviceC-10GE1/0/3] port link-type access
[DeviceC-10GE1/0/3] port default vlan 20
[DeviceC-10GE1/0/3] quit
[DeviceC] dhcp enable
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.0.0.1 255.255.255.0
[DeviceC-Vlanif10] dhcp select relay
[DeviceC-Vlanif10] quit
[DeviceC] interface vlanif 20
[DeviceC-Vlanif20] ip address 10.1.1.1 255.255.255.0
[DeviceC-Vlanif20] dhcp select relay
[DeviceC-Vlanif20] quit
[DeviceC] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
Set the IP address of the DHCP server to 10.2.1.2/24, configure the address
pool with the network segment 10.0.1.0/24, and set the gateway address of
the address pool to 10.0.0.1.
2. Enable basic DHCP snooping functions.
# Enable DHCP snooping globally.
[DeviceC] dhcp snooping enable
# Enable DHCP snooping on the user-side interface. The following uses 10GE
1/0/1 as an example. The configuration of 10GE 1/0/2 is the same as that of
10GE 1/0/1.
[DeviceC] interface 10GE 1/0/1
[DeviceC-10GE1/0/1] dhcp snooping enable
# Enable association between ARP and DHCP snooping.
[DeviceC-10GE1/0/1] dhcp snooping user-bind arp-detect enable
# Enable the device to check the GIADDR field of DHCPREQUEST messages and
discard messages whose GIADDR value is not 0.
[DeviceC-10GE1/0/1] dhcp snooping check dhcp-giaddr enable
3. Enable the device to check DHCP messages against the binding table.
# Configure the user-side interface.
[DeviceC-10GE1/0/1] dhcp snooping check dhcp-request enable
4. Configure the maximum number of access users allowed on the interface and
enable the device to check the CHADDR field.
# Configure the user-side interface.
[DeviceC-10GE1/0/1] dhcp snooping user-bind max-number 20
[DeviceC-10GE1/0/1] dhcp snooping check dhcp-chaddr enable
[DeviceC-10GE1/0/1] quit
5. Verify the configuration.
# Check the DHCP snooping configuration.
[DeviceC] display dhcp snooping configuration
#
dhcp snooping enable
#
interface 10GE1/0/1
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable


dhcp snooping check dhcp-request enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping user-bind max-number 20
#
interface 10GE1/0/2
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping user-bind max-number 20
#
# Check DHCP snooping running information on an interface. The command
output shows that the values of Check dhcp-giaddr, Check dhcp-chaddr,
and Check dhcp-request fields are all Enable. The following uses the
command output on 10GE 1/0/1 as an example:
[DeviceC] display dhcp snooping interface 10GE 1/0/1
DHCP snooping running information for interface 10GE1/0/1 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 20
Current dhcp and nd user number :0
Check dhcp-giaddr : Enable
Check dhcp-chaddr : Enable
Check dhcp-request : Enable

Configuration Scripts
● DeviceC
#
sysname DeviceC
#
vlan batch 10 20
#
dhcp enable
#
dhcp snooping enable
#
interface Vlanif 10
ip address 10.0.0.1 255.255.255.0
dhcp select relay
#
interface Vlanif 20
ip address 10.1.1.1 255.255.255.0
dhcp select relay
interface 10GE 1/0/1
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping user-bind max-number 20
#
interface 10GE 1/0/2
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping user-bind max-number 20
#
interface 10GE 1/0/3
port default vlan 20
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return


3.1.8 IP Routing

3.1.8.1 IPv4 Static Route

3.1.8.1.1 Example for Configuring Static Routes for Interworking Between Different
Network Segments

Overview of Static Routes


Static routes are manually configured by administrators. Compared with dynamic
routes, static routes use less bandwidth, and the device does not consume CPU
resources calculating and analyzing route updates. However, if a network fault
occurs or the topology changes, static routes cannot be updated automatically
and must be manually reconfigured. Static routes have five major parameters:
destination IP address, mask, outbound interface, next hop, and preference.
Static routes are easy to configure and control and meet the requirements of a
simple network. On a complex network, static routes can also be configured to
improve network performance and ensure bandwidth for important applications.

Precautions
● Communication between two devices is bidirectional. Therefore, reachable
routes must be available in both directions. To enable two devices to
communicate through static routes, configure a static route on the local
device and then configure a return route on the peer device.
● On an enterprise network with two egresses, two equal-cost static routes can
be configured for load balancing so that traffic can be evenly balanced
between two different links. Alternatively, two unequal-cost static routes can
be configured to work in primary/backup mode; if the primary link fails,
traffic is switched to the backup link.

Networking Requirements
On the network shown in Figure 3-58, hosts on different network segments are
connected through several Switches. It is required that any two hosts on different
network segments can communicate with each other when no dynamic routing
protocols are configured.

NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.


Figure 3-58 Network diagram of configuring static routes for interworking between different network segments

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and configure IP addresses for
VLANIF interfaces, so that neighboring devices can communicate with each
other.
2. Configure an IP default gateway on each PC, and configure IPv4 static routes
or default static routes on the Devices so that any two PCs on different
network segments can communicate with each other.

Procedure
Step 1 Configure VLANs that interfaces belong to.
# Configure DeviceA. The configurations of DeviceB and DeviceC are similar to the
configuration of DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 30
[DeviceA] interface 10GE1/0/1
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE1/0/2
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 30
[DeviceA-10GE1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure DeviceA. The configurations of DeviceB and DeviceC are similar to the
configuration of DeviceA.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.4.1 30
[DeviceA-Vlanif10] quit


[DeviceA] interface vlanif 30
[DeviceA-Vlanif30] ip address 10.1.1.1 24
[DeviceA-Vlanif30] quit

Step 3 Configure hosts.

Set the default gateway addresses of PC1, PC2, and PC3 to 10.1.1.1, 10.1.2.1, and
10.1.3.1 respectively.

Step 4 Configure static routes.

# Configure an IP default route on DeviceA.


[DeviceA] ip route-static 0.0.0.0 0.0.0.0 10.1.4.2

# Configure two IP static routes on DeviceB.


[DeviceB] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
[DeviceB] ip route-static 10.1.3.0 255.255.255.0 10.1.4.6

# Configure an IP default route on DeviceC.


[DeviceC] ip route-static 0.0.0.0 0.0.0.0 10.1.4.5

Step 5 Verify the configuration.

# Check the IP routing table of DeviceA.


[DeviceA] display ip routing-table

------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.1.4.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif30
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.1.4.0/30 Direct 0 0 D 10.1.4.1 Vlanif10
10.1.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the ping command to verify the connectivity.


[DeviceA] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=253 time=62 ms

--- 10.1.3.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

# Run the tracert command to verify the connectivity.


[DeviceA] tracert 10.1.3.1
traceroute to 10.1.3.1(10.1.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.1.4.2 31 ms 32 ms 31 ms
2 10.1.3.1 62 ms 63 ms 62 ms

----End


Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 10
#
interface 10GE1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.2
#
return
● DeviceB
#
sysname DeviceB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 10.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 10.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 10.1.2.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 10
#
interface 10GE1/0/2
port link-type access
port default vlan 20
#
interface 10GE1/0/3
port link-type access
port default vlan 40
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 20 50
#
interface Vlanif20
ip address 10.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 10.1.3.1 255.255.255.0


#
interface 10GE1/0/1
port link-type access
port default vlan 20
#
interface 10GE1/0/2
port link-type access
port default vlan 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
#
return

3.1.8.1.2 Example for Configuring IPv4 Static Routes to Implement Load Balancing

Networking Requirements
On the network shown in Figure 3-59, PC1 and PC2 are connected through four
Devices. As shown in the topology, data traffic can be transmitted from PC1 to
PC2 through two links: PC1 -> DeviceA -> DeviceB -> DeviceC -> PC2 and PC1 ->
DeviceA -> DeviceD -> DeviceC -> PC2. To fully use the links, it is required that the
data traffic from PC1 to PC2 be evenly distributed to the two links. If one link fails,
the data traffic is automatically switched to the other link.

NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Figure 3-59 Network diagram of configuring static routes to implement load balancing

Precautions
● Communication between two devices is bidirectional. Therefore, reachable
routes must be available in both directions. To enable two devices to
communicate through static routes, configure a static route on the local
device and then configure a return route on the peer device.


● On an enterprise network with two egresses, two equal-cost static routes can
be configured for load balancing so that traffic can be evenly balanced
between two different links. Alternatively, two unequal-cost static routes can
be configured to work in primary/backup mode; if the primary link fails,
traffic is switched to the backup link.

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure round-trip static routes for data traffic forwarding.
3. Configure an IP address and default gateway on each host.

Procedure
Step 1 Configure VLANs that interfaces belong to.
# Configure DeviceA. The configurations of DeviceB, DeviceC, and DeviceD are
similar to the configuration of DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 100 400
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 100
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 400
[DeviceA-10GE1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure DeviceA. The configurations of DeviceB, DeviceC, and DeviceD are
similar to the configuration of DeviceA.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.1 24
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 192.168.12.1 24
[DeviceA-Vlanif100] quit
[DeviceA] interface vlanif 400
[DeviceA-Vlanif400] ip address 192.168.14.1 24
[DeviceA-Vlanif400] quit

Step 3 Configure static routes for traffic forwarding from PC1 to PC2.
# On DeviceA, configure two equal-cost static routes — one with the next hop
being DeviceB and the other with the next hop being DeviceD — to implement
load balancing.
[DeviceA] ip route-static 10.1.2.0 24 192.168.12.2
[DeviceA] ip route-static 10.1.2.0 24 192.168.14.2

# Configure DeviceB.


[DeviceB] ip route-static 10.1.2.0 24 192.168.23.2

# Configure DeviceD.
[DeviceD] ip route-static 10.1.2.0 24 192.168.34.1

Step 4 Configure static routes for traffic forwarding from PC2 to PC1.
# On DeviceC, configure two equal-cost static routes — one with the next hop
being DeviceB and the other with the next hop being DeviceD — to implement
load balancing.
[DeviceC] ip route-static 10.1.1.0 24 192.168.23.1
[DeviceC] ip route-static 10.1.1.0 24 192.168.34.2

# Configure DeviceB.
[DeviceB] ip route-static 10.1.1.0 24 192.168.12.1

# Configure DeviceD.
[DeviceD] ip route-static 10.1.1.0 24 192.168.14.1

Step 5 Configure hosts.


Assign IP address 10.1.1.2/24 and default gateway IP address 10.1.1.1 to PC1;
assign IP address 10.1.2.2/24 and default gateway IP address 10.1.2.1 to PC2.
Step 6 Verify the configuration.
# Check the IP routing table of DeviceA.
[DeviceA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Static 60 0 RD 192.168.12.2 Vlanif100
Static 60 0 RD 192.168.14.2 Vlanif400
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.12.0/24 Direct 0 0 D 192.168.12.1 Vlanif100
192.168.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.14.0/24 Direct 0 0 D 192.168.14.1 Vlanif400
192.168.14.1/32 Direct 0 0 D 127.0.0.1 Vlanif400

The IP routing table of DeviceA shows that there are two equal-cost routes to
network segment 10.1.2.0/24. In this case, data traffic is evenly distributed to the
two links, implementing load balancing.
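As an added example, not from this document or the switch software, the following Python model shows how the two equal-cost routes above spread flows over both links and how forwarding changes when one route disappears. It uses DeviceA's routes from this example, a constructed set of PC1-to-PC2 flows, and a SHA-256 hash of the 5-tuple that stands in for the switch's load-balancing hash (an assumption; the device's actual hash algorithm is not described here).

```python
"""Longest-prefix-match lookup over DeviceA's routes in this example, with
per-flow hashing across equal-cost next hops and failover when one route is
withdrawn. Model of the forwarding behaviour, not the switch's code."""
import hashlib
from ipaddress import ip_address, ip_network

# DeviceA's routes from the example: (destination, next hop, outbound interface)
DEVICEA_ROUTES = [
    ("10.1.1.0/24", "10.1.1.1", "Vlanif10"),           # Direct
    ("10.1.2.0/24", "192.168.12.2", "Vlanif100"),      # Static, via DeviceB
    ("10.1.2.0/24", "192.168.14.2", "Vlanif400"),      # Static, via DeviceD
    ("192.168.12.0/24", "192.168.12.1", "Vlanif100"),  # Direct
    ("192.168.14.0/24", "192.168.14.1", "Vlanif400"),  # Direct
]


def lookup(routes, dst):
    """Return every (next hop, interface) sharing the longest matching prefix."""
    addr = ip_address(dst)
    best, best_len = [], -1
    for prefix, next_hop, iface in routes:
        net = ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [(next_hop, iface)], net.prefixlen
        elif net.prefixlen == best_len:
            best.append((next_hop, iface))             # equal-cost path
    return best


def select_path(paths, src, dst, proto, sport, dport):
    """Hash the 5-tuple so one flow always takes the same link (assumed hash)."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(paths)
    return paths[idx]


def distribute(routes, flows):
    """Count flows per next hop; flows with no route are counted as unreachable."""
    counts = {}
    for flow in flows:
        paths = lookup(routes, flow[1])
        label = select_path(paths, *flow)[0] if paths else "unreachable"
        counts[label] = counts.get(label, 0) + 1
    return counts


def pc1_to_pc2_flows(n):
    """Constructed TCP flows from PC1 (10.1.1.2) to PC2 (10.1.2.2), varying the source port."""
    return [("10.1.1.2", "10.1.2.2", "tcp", 40000 + i, 443) for i in range(n)]


def failover_demo(n=100):
    """Flow distribution with both links up and after the route via DeviceD is lost."""
    flows = pc1_to_pc2_flows(n)
    both_up = distribute(DEVICEA_ROUTES, flows)
    link_down = [r for r in DEVICEA_ROUTES if r[1] != "192.168.14.2"]  # route withdrawn
    return both_up, distribute(link_down, flows)
```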

----End

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 10 100 400
#
interface Vlanif10


ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2
#
return
● DeviceB
#
sysname DeviceB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 20
#
interface 10GE1/0/2


port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 300 400
#
interface Vlanif300
ip address 192.168.34.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.14.1
ip route-static 10.1.2.0 255.255.255.0 192.168.34.1
#
return

3.1.9 VPN

3.1.9.1 IPv4 L3VPN

3.1.9.1.1 Example for Configuring Mutual Access Between Local IPv4 L3VPNs

Networking Requirements
As shown in Figure 3-60, CE1 and CE2 are connected to PE1. CE1 belongs to vpna,
and CE2 belongs to vpnb. It is required that Site 1 and Site 2 communicate with
each other. To meet this requirement, configure mutual access between local
VPNs.

Figure 3-60 Mutual access between local IPv4 VPNs


NOTE

In this example, interface 1 and interface 2 represent VLANIF 100 and VLANIF 200, respectively.


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure VPN instances on PE1 and different VPN targets for the instances to
isolate VPNs.
2. On PE1, bind the interfaces connected to CEs to the VPN instances to provide
access for VPN users.
3. Import direct routes destined for local CEs into the VPN routing tables on PE1.
On each CE connected to PE1, configure a static route to the other local CE so
that both CEs can communicate with each other.

Procedure
Step 1 Configure VPN instances on PE1 and bind PE1 interfaces connected to CEs to the
corresponding VPN instances.

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 111:1 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] vlan batch 100 200
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] port link-type trunk
[PE1-10GE1/0/1] port trunk allow-pass vlan 100
[PE1-10GE1/0/1] quit
[PE1] interface Vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.2 24
[PE1-Vlanif100] quit


[PE1] interface 10GE1/0/2
[PE1-10GE1/0/2] port link-type trunk
[PE1-10GE1/0/2] port trunk allow-pass vlan 200
[PE1-10GE1/0/2] quit
[PE1] interface Vlanif 200
[PE1-Vlanif200] ip binding vpn-instance vpnb
[PE1-Vlanif200] ip address 10.2.1.2 24
[PE1-Vlanif200] quit

# Configure an IP address for a related interface on CE1.


<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 100
[CE1] interface 10ge 1/0/1
[CE1-10GE1/0/1] port link-type trunk
[CE1-10GE1/0/1] port trunk allow-pass vlan 100
[CE1-10GE1/0/1] quit
[CE1] interface Vlanif 100
[CE1-Vlanif100] ip address 10.1.1.1 24
[CE1-Vlanif100] quit

# Configure an IP address for the related interface on CE2.


<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 100
[CE2] interface 10ge 1/0/1
[CE2-10GE1/0/1] port link-type trunk
[CE2-10GE1/0/1] port trunk allow-pass vlan 100
[CE2-10GE1/0/1] quit
[CE2] interface Vlanif 100
[CE2-Vlanif100] ip address 10.2.1.1 24
[CE2-Vlanif100] quit

The PE can ping its connected CE. The following uses the ping between PE1 and
CE1 as an example.
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 10.1.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

Step 2 Configure BGP and import the local direct routes destined for CEs to the VPN
routing table on PE1.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

Step 3 Configure a static route on each CE.


# Configure CE1.


[CE1] ip route-static 10.2.1.0 24 10.1.1.2

# Configure CE2.
[CE2] ip route-static 10.1.1.0 24 10.2.1.2

----End

Verifying the Configuration


After the configuration is complete, run the display ip routing-table vpn-
instance command on PE1. The VPNs have imported routes of each other. The
following uses vpna as an example.
[PE1] display ip routing-table vpn-instance vpna
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.255/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.2.1.0/24 BGP 255 0 RD 10.2.1.2 Vlanif200
10.2.1.2/32 BGP 255 0 RD 127.0.0.1 Vlanif200
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

CE1 and CE2 can ping each other.


[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=254 time=8 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=254 time=2 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=254 time=2 ms

--- 10.2.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/8 ms

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 100 200
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
vpn-target 222:2 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity


vpn-target 111:1 import-extcommunity
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
bgp 100
#
ipv4-family unicast
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
return

● CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

● CE2
#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ip address 10.2.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.2
#
return


3.1.9.1.2 Example for Configuring Basic IPv4 L3VPN over MPLS

Networking Requirements
On the network shown in Figure 3-61:
● CE1 and CE3 belong to vpna.
● CE2 and CE4 belong to vpnb.
● The VPN targets of vpna are 111:1, and those of vpnb are 222:2.

Users in the same VPN can communicate with each other, but users in different
VPNs cannot.

Figure 3-61 IPv4 L3VPN networking


NOTE

In this example, interface 1, interface 2, and interface 3 represent VLANIF 100, VLANIF 200, and
VLANIF 300, respectively.

Precautions
Note the following during the configuration:

● On the same VPN, the export VPN target list of a site shares VPN targets with
the import VPN target lists of the other sites. Conversely, the import VPN
target list of a site shares VPN targets with the export VPN target lists of the
other sites.


● After a PE interface connected to a CE is bound to a VPN instance, Layer 3
configurations on this interface are automatically deleted. Such configurations
include IP address and routing protocol configurations, and must be added
again if needed.
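As an added example (not from this document or the switch software), the following Python model applies the VPN-target rule stated above to both the mutual-access configuration of 3.1.9.1.1 and the isolation configuration of this example, so the intended reachability between vpna and vpnb can be checked before deployment. It uses the route distinguishers, VPN targets and CE prefixes given in those examples and models only VPN-target matching, not BGP itself.

```python
"""Model of VPN-target (route target) matching on a PE: a VPN instance imports
another instance's route only when that route's export targets intersect its
own import targets. Model only, not the switch's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    name: str
    rd: str                   # route distinguisher: keeps prefixes distinct, no role in import
    export_rt: frozenset      # vpn-target ... export-extcommunity
    import_rt: frozenset      # vpn-target ... import-extcommunity


def vpn_routing_tables(instances, routes):
    """routes: (origin_vpn, prefix). Return {vpn_name: set of prefixes it holds}."""
    by_name = {v.name: v for v in instances}
    tables = {v.name: set() for v in instances}
    for origin, prefix in routes:
        carried_rts = by_name[origin].export_rt          # RTs attached when exported
        for inst in instances:
            if inst.name == origin or carried_rts & inst.import_rt:
                tables[inst.name].add(prefix)
    return tables


def cross_vpn_imports(instances):
    """Return sorted (from_vpn, into_vpn) pairs whose RTs allow routes to cross."""
    pairs = []
    for src in instances:
        for dst in instances:
            if src.name != dst.name and src.export_rt & dst.import_rt:
                pairs.append((src.name, dst.name))
    return sorted(pairs)


def isolation_violations(instances, allowed_pairs=()):
    """Cross-VPN imports not on the allow list; empty means the VPNs are isolated as intended."""
    allowed = set(allowed_pairs)
    return [p for p in cross_vpn_imports(instances) if p not in allowed]


# 3.1.9.1.1: vpna and vpnb each import the other's target (mutual access)
MUTUAL_ACCESS = [
    VpnInstance("vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1", "222:2"})),
    VpnInstance("vpnb", "100:2", frozenset({"222:2"}), frozenset({"222:2", "111:1"})),
]

# 3.1.9.1.2: each VPN uses only its own target (isolation)
ISOLATED = [
    VpnInstance("vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1"})),
    VpnInstance("vpnb", "100:2", frozenset({"222:2"}), frozenset({"222:2"})),
]

# Direct routes imported into BGP on PE1 in 3.1.9.1.1
PE1_ROUTES = [("vpna", "10.1.1.0/24"), ("vpnb", "10.2.1.0/24")]
```

With MUTUAL_ACCESS both instances end up holding both prefixes, matching the vpna routing table shown in 3.1.9.1.1; with ISOLATED each instance holds only its own prefix and isolation_violations() returns an empty list.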

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on the backbone network to ensure that PEs can communicate.
2. Configure basic MPLS capabilities and MPLS LDP to establish LDP LSPs on the
backbone network.
3. Configure a VPN instance on each PE, enable the IPv4 address family for the
instance, and bind the interface that connects each PE to a CE to the VPN
instance on that PE.
4. Enable MP-IBGP on PEs to exchange VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure IGP to achieve connectivity between devices, including PEs and the P, on
the MPLS backbone network. OSPF is used as IGP in this example.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 100 200 300
[PE1] interface 10GE1/0/3
[PE1-10GE1/0/3] port link-type trunk
[PE1-10GE1/0/3] port trunk allow-pass vlan 300
[PE1-10GE1/0/3] quit
[PE1] interface Vlanif 300
[PE1-Vlanif300] ip address 11.11.11.1 24
[PE1-Vlanif300] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 11.11.11.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 100 200
[P] interface 10ge 1/0/1
[P-10GE1/0/1] port link-type trunk
[P-10GE1/0/1] port trunk allow-pass vlan 100
[P-10GE1/0/1] quit
[P] interface Vlanif 100
[P-Vlanif100] ip address 11.11.11.2 24
[P-Vlanif100] quit
[P] interface 10GE1/0/2
[P-10GE1/0/2] port link-type trunk


[P-10GE1/0/2] port trunk allow-pass vlan 200
[P-10GE1/0/2] quit
[P] interface Vlanif 200
[P-Vlanif200] ip address 12.12.12.1 24
[P-Vlanif200] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 11.11.11.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 12.12.12.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 100 200 300
[PE2] interface 10GE1/0/3
[PE2-10GE1/0/3] port link-type trunk
[PE2-10GE1/0/3] port trunk allow-pass vlan 300
[PE2-10GE1/0/3] quit
[PE2] interface Vlanif 300
[PE2-Vlanif300] ip address 12.12.12.2 24
[PE2-Vlanif300] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 12.12.12.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be
established between PE1, the P, and PE2. Run the display ospf peer command.
The command output shows that the neighbor status is Full. Run the display ip
routing-table command. The command output shows that the PEs have learned
the routes to each other's Loopback 1.
The following example uses the command output on PE1.
[PE1] display ip routing-table
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: _public_
Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost Flags NextHop Interface


1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 2 D 11.11.11.2 Vlanif300
3.3.3.9/32 OSPF 10 3 D 11.11.11.2 Vlanif300
11.11.11.0/24 Direct 0 0 D 11.11.11.1 Vlanif300
11.11.11.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
11.11.11.255/32 Direct 0 0 D 127.0.0.1 Vlanif300
12.12.12.0/24 OSPF 10 2 D 11.11.11.2 Vlanif300
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[PE1] display ospf peer


(M) Indicates MADJ neighbor
OSPF Process 1 with Router ID 1.1.1.9

Area 0.0.0.0 interface 11.11.11.1(Vlanif300)'s neighbors


Router ID: 2.2.2.9 Address: 11.11.11.2
State: Full Mode:Nbr is Slave Priority: 1
DR: 1.1.1.9 BDR: 2.2.2.9 MTU: 1500
Dead timer due (in seconds) : 38
Retrans timer interval :0
Neighbor up time : 00h00m29s
Neighbor up time stamp : 2018-06-08 01:41:57
Authentication Sequence :0

Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface Vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface Vlanif 100
[P-Vlanif100] mpls
[P-Vlanif100] mpls ldp
[P-Vlanif100] quit
[P] interface Vlanif 200
[P-Vlanif200] mpls
[P-Vlanif200] mpls ldp
[P-Vlanif200] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface Vlanif 300
[PE2-Vlanif300] mpls
[PE2-Vlanif300] mpls ldp
[PE2-Vlanif300] quit

After the configuration is complete, LDP sessions are established between PE1 and
the P and between PE2 and the P. Run the display mpls ldp session command.
The command output shows that the session status is Operational. Then, run the
display mpls ldp lsp command. The command output shows that LDP LSPs have
been established.
The following example uses the command output on PE1.
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
An asterisk (*) before a session means the session is being deleted.
-------------------------------------------------------------------------
Peer-ID Status LAM SsnRole SsnAge KA-Sent/Rcv
-------------------------------------------------------------------------


2.2.2.9:0 Operational DU Passive 0006:20:55 39551/39552
-------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp


LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - RLFA Iterated LSP, (I*) - Normal and RLFA Iterated LSP
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 11.11.11.2 Vlanif300
2.2.2.9/32 1024/3 2.2.2.9 11.11.11.2 Vlanif300
3.3.3.9/32 NULL/1025 - 11.11.11.2 Vlanif300
3.3.3.9/32 1025/1025 2.2.2.9 11.11.11.2 Vlanif300
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
An asterisk (*) before an LSP means the LSP is not established
An asterisk (*) before a Label means the USCB or DSCB is stale
An asterisk (*) before an UpstreamPeer means the session is stale
An asterisk (*) before a DS means the session is stale
An asterisk (*) before a NextHop means the LSP is FRR LSP

Step 3 On PEs, create VPN instances, enable the IPv4 address family for these instances,
and bind the interfaces connected to CEs to the VPN instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] port link-type trunk
[PE1-10GE1/0/1] port trunk allow-pass vlan 100
[PE1-10GE1/0/1] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.2 24
[PE1-Vlanif100] quit
[PE1] interface 10GE1/0/2
[PE1-10GE1/0/2] port link-type trunk
[PE1-10GE1/0/2] port trunk allow-pass vlan 200
[PE1-10GE1/0/2] quit
[PE1] interface vlanif 200
[PE1-Vlanif200] ip binding vpn-instance vpnb
[PE1-Vlanif200] ip address 10.2.1.2 24
[PE1-Vlanif200] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb


[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface 10ge 1/0/1
[PE2-10GE1/0/1] port link-type trunk
[PE2-10GE1/0/1] port trunk allow-pass vlan 100
[PE2-10GE1/0/1] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.3.1.2 24
[PE2-Vlanif100] quit
[PE2] interface 10GE1/0/2
[PE2-10GE1/0/2] port link-type trunk
[PE2-10GE1/0/2] port trunk allow-pass vlan 200
[PE2-10GE1/0/2] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip binding vpn-instance vpnb
[PE2-Vlanif200] ip address 10.4.1.2 24
[PE2-Vlanif200] quit

# Configure IP addresses for interfaces on CEs, as shown in Figure 3-61. For
detailed configurations, see Configuration Scripts.
After completing the configuration, run the display ip vpn-instance verbose
command on each PE to check the VPN instance configurations. Each PE can then
ping its connected CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, use the -a source-ip-address
parameter to specify a source IP address when running the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the remote PE. If the source IP address is not specified, the ping operation
may fail.

The following example uses the command output on PE1.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : Vlanif100
Address family ipv4
Create date : 2009/01/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Vrf Status : UP
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

VPN-Instance Name and ID : vpnb, 2
Interfaces : Vlanif200
Address family ipv4
Create date : 2009/01/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Vrf Status : UP
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2


Label policy: label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms

Step 4 Establish an EBGP peer relationship between each PE and its connected CE.
# Configure CE1.
[CE1] interface loopback 1
[CE1-LoopBack1] ip address 11.11.11.11 32
[CE1-LoopBack1] quit
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] network 11.11.11.11 32
[CE1-bgp] quit

NOTE

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1. For
detailed configurations, see Configuration Scripts.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

NOTE

The configuration of PE2 is similar to the configuration of PE1. For detailed configurations,
see Configuration Scripts.

After completing the configuration, run the display bgp vpnv4 vpn-instance peer
command on each PE to check the BGP peer relationships between each PE and
its connected CE. The command output shows that the BGP peer relationship is in
the Established state.
The following example uses the peer relationship between PE1 and CE1.
[PE1] display bgp vpnv4 vpn-instance vpna peer
Status codes: * - Dynamic
BGP local router ID : 1.1.1.9
Local AS number : 100

VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1
Peers in established state : 1


Total number of dynamic peers : 0

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:06:37 Established 1

Step 5 Establish MP-IBGP peer relationships between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command outputs show that the BGP
peer relationship between the PEs has been established and is in the
Established state.
[PE1] display bgp peer
Status codes: * - Dynamic
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1
Peers in established state : 1
Total number of dynamic peers : 0

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 2 6 0 00:00:12 Established 0
[PE1] display bgp vpnv4 all peer
Status codes: * - Dynamic
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3
Peers in established state : 3
Total number of dynamic peers : 0

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0
Peer of vpn instance:
VPN-Instance vpna, router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1

----End

Verifying the Configuration

Run the display ip routing-table vpn-instance command on PEs to check the
routes to CEs' loopback interfaces.

The following example uses the command output on PE1.


[PE1] display ip routing-table vpn-instance vpna


Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: vpna
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.255/32 Direct 0 0 D 127.0.0.1 Vlanif100
11.11.11.11/32 EBGP 255 0 RD 10.1.1.1 Vlanif100
33.33.33.33/32 IBGP 255 0 RD 3.3.3.9 Vlanif300
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

[PE1] display ip routing-table vpn-instance vpnb


Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: vpnb
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif200
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif200
10.2.1.255/32 Direct 0 0 D 127.0.0.1 Vlanif200
22.22.22.22/32 EBGP 255 0 RD 10.2.1.1 Vlanif200
44.44.44.44/32 IBGP 255 0 RD 3.3.3.9 Vlanif300
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

CEs on the same VPN can ping each other, but CEs on different VPNs cannot.
For example, CE1 can ping CE3 at 10.3.1.1, but cannot ping CE4 at 10.4.1.1.
[CE1] ping -a 11.11.11.11 33.33.33.33
PING 33.33.33.33: 56 data bytes, press CTRL_C to break
Reply from 33.33.33.33: bytes=56 Sequence=1 ttl=251 time=72 ms
Reply from 33.33.33.33: bytes=56 Sequence=2 ttl=251 time=34 ms
Reply from 33.33.33.33: bytes=56 Sequence=3 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=4 ttl=251 time=50 ms
Reply from 33.33.33.33: bytes=56 Sequence=5 ttl=251 time=34 ms
--- 33.33.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping -a 11.11.11.11 44.44.44.44
PING 44.44.44.44: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 44.44.44.44 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 100 200 300
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1


vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif300
ip address 11.11.11.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 11.11.11.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return

● P


#
sysname P
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip address 11.11.11.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 12.12.12.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 11.11.11.0 0.0.0.255
network 12.12.12.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
● PE2
#
sysname PE2
#
vlan batch 100 200 300
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb


ip address 10.4.1.2 255.255.255.0
#
interface Vlanif300
ip address 12.12.12.2 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 12.12.12.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

● CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
network 11.11.11.11 255.255.255.255
peer 10.1.1.2 enable


#
return
● CE2
#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ip address 10.2.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
network 22.22.22.22 255.255.255.255
peer 10.2.1.2 enable
#
return
● CE3
#
sysname CE3
#
vlan batch 100
#
interface Vlanif100
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
network 33.33.33.33 255.255.255.255
peer 10.3.1.2 enable
#
return
● CE4
#
sysname CE4
#
vlan batch 100
#
interface Vlanif100
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 44.44.44.44 255.255.255.255
#
bgp 65440
peer 10.4.1.2 as-number 100


#
ipv4-family unicast
network 44.44.44.44 255.255.255.255
peer 10.4.1.2 enable
#
return

3.1.9.1.3 Example for Configuring Hub-Spoke (Double Links Between the Hub-PE
and Hub-CE)

Networking Requirements
On the network shown in Figure 3-62, communication between the Spoke-CEs is
controlled by the Hub-CE at the central site. In other words, traffic between
Spoke-CEs is forwarded through the Hub-CE as well, not only through the
Hub-PE. The Hub-CE accesses the Hub-PE over double links.

Figure 3-62 Hub-spoke networking


NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent VLANIF 100,
VLANIF 200, VLANIF 300, and VLANIF 400, respectively.


Precautions
Note the following during the configuration:

● The import and export VPN targets configured on a Spoke-PE are different.
● Two VPN instances (vpn_in and vpn_out) are created on the Hub-PE. The
VPN targets received by vpn_in are the VPN targets advertised by the two
Spoke-PEs; the VPN targets advertised by vpn_out are the VPN targets
received by the two Spoke-PEs and are different from the VPN targets
received by vpn_in.
● The Hub-PE is configured to accept the routes with AS numbers repeated
once in the AS_Path attribute.
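The following Python model is an added example, not Huawei code or part of this guide. It simulates how VPN targets decide which VPN instance accepts a VPNv4 route, both for the basic IPv4 L3VPN example above (vpna and vpnb with targets 111:1 and 222:2) and for this hub-spoke example (Spoke-PE export 100:1 / import 200:1, Hub-PE vpn_in importing 100:1 and vpn_out exporting 200:1), and it models the AS_Path loop check that makes allow-as-loop 1 necessary on the Hub-PE. The instance names, RDs, VPN targets, AS numbers and loopback prefixes are those of the two examples; the data structures and function names are this example's own.

```python
"""Model of VPN-target (route-target) import/export for the two L3VPN examples.

Added example, not Huawei code. A VPNv4 route leaves its source VPN instance
tagged with that instance's export VPN targets and is accepted by a remote
instance only if one of them is in the remote import list. The AS_Path check
models why the Hub-PE needs 'peer ... allow-as-loop 1' on its vpn_out session.
"""
from dataclasses import dataclass, field


@dataclass
class VpnInstance:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)  # prefix -> AS_Path tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: frozenset  # VPN targets carried as extended communities in MP-BGP
    as_path: tuple


def export_routes(inst):
    """MP-BGP export: every route of the instance leaves tagged with its export VPN targets."""
    return [VpnRoute(inst.rd, p, frozenset(inst.export_rt), path)
            for p, path in inst.routes.items()]


def import_route(inst, route):
    """Accept a VPNv4 route only if one of its VPN targets is in the import list.
    A prefix the instance already holds (for example learned from its own CE) is kept."""
    if not (inst.import_rt & route.rts):
        return False
    inst.routes.setdefault(route.prefix, route.as_path)
    return True


def ebgp_accept(local_as, as_path, allow_as_loop=0):
    """AS_Path loop check on EBGP-learned routes: a path that already contains the
    local AS is dropped unless allow-as-loop permits that many repetitions."""
    return as_path.count(local_as) <= allow_as_loop


def basic_l3vpn_scenario():
    """Section 3.1.9.1.2: vpna and vpnb on PE1 and PE2 use 'both' targets 111:1 and 222:2."""
    pe1 = {"vpna": VpnInstance("vpna", "100:1", {"111:1"}, {"111:1"}, {"11.11.11.11/32": (65410,)}),
           "vpnb": VpnInstance("vpnb", "100:2", {"222:2"}, {"222:2"}, {"22.22.22.22/32": (65420,)})}
    pe2 = {"vpna": VpnInstance("vpna", "200:1", {"111:1"}, {"111:1"}, {"33.33.33.33/32": (65430,)}),
           "vpnb": VpnInstance("vpnb", "200:2", {"222:2"}, {"222:2"}, {"44.44.44.44/32": (65440,)})}
    # One MP-IBGP session carries every exported route to the remote PE, which
    # offers it to each local instance; the VPN targets decide which one takes it.
    for src, dst in ((pe1, pe2), (pe2, pe1)):
        for inst in src.values():
            for route in export_routes(inst):
                for target in dst.values():
                    import_route(target, route)
    return {f"{pe_name}/{name}": sorted(inst.routes)
            for pe_name, pe in (("PE1", pe1), ("PE2", pe2)) for name, inst in pe.items()}


def hub_spoke_scenario(allow_as_loop):
    """Section 3.1.9.1.3: Spoke routes enter the Hub-PE through vpn_in, cross the
    Hub-CE over EBGP and come back through vpn_out before reaching the other Spoke."""
    hub_as, hub_ce_as = 100, 65430
    spoke1 = VpnInstance("vpna", "100:1", {"100:1"}, {"200:1"}, {"11.11.11.11/32": (65410,)})
    spoke2 = VpnInstance("vpna", "100:3", {"100:1"}, {"200:1"}, {"22.22.22.22/32": (65420,)})
    vpn_in = VpnInstance("vpn_in", "100:21", set(), {"100:1"})
    vpn_out = VpnInstance("vpn_out", "100:22", {"200:1"}, set())
    # 1. Spoke-PEs export with RT 100:1. Only vpn_in imports it; the other Spoke-PE
    #    and vpn_out ignore it, so there is no direct Spoke-to-Spoke path.
    for src, others in ((spoke1, (spoke2, vpn_in, vpn_out)), (spoke2, (spoke1, vpn_in, vpn_out))):
        for route in export_routes(src):
            for inst in others:
                import_route(inst, route)
    # 2. The Hub-PE advertises vpn_in routes to the Hub-CE, prepending AS 100; the
    #    Hub-CE prepends 65430 and sends them back on the vpn_out link. The returned
    #    AS_Path therefore contains the Hub-PE's own AS and fails the default loop check.
    for prefix, path in vpn_in.routes.items():
        returned = (hub_ce_as, hub_as) + path
        if ebgp_accept(hub_as, returned, allow_as_loop):
            vpn_out.routes[prefix] = returned
    # 3. vpn_out exports with RT 200:1, which both Spoke-PEs import (routes learned
    #    from IBGP peers are not subjected to the AS_Path loop check).
    for route in export_routes(vpn_out):
        for spoke in (spoke1, spoke2):
            import_route(spoke, route)
    return {"vpn_in": dict(vpn_in.routes), "vpn_out": dict(vpn_out.routes),
            "Spoke-PE1": dict(spoke1.routes), "Spoke-PE2": dict(spoke2.routes)}


if __name__ == "__main__":
    for name, prefixes in basic_l3vpn_scenario().items():
        print(f"{name}: {prefixes}")
    for loops in (0, 1):
        print(f"allow-as-loop {loops}: {hub_spoke_scenario(loops)}")
```

Running it with allow-as-loop 0 leaves vpn_out empty and each Spoke-PE holding only its own CE's prefix; with allow-as-loop 1 each Spoke-PE learns the other Spoke's prefix with the Hub-CE's AS in the path, matching the forwarding through the Hub-CE that the tracert check in this example verifies.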

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable OSPF on the backbone network to ensure that PEs can communicate.
2. Configure basic MPLS capabilities and MPLS LDP to establish LDP LSPs on the
backbone network.
3. Configure a VPN instance on each PE, enable the IPv4 address family for the
instance, and bind the interface that connects each PE to a CE to the VPN
instance on that PE.
4. Enable MP-IBGP on PEs to exchange VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure IGP on the backbone network for the Hub-PE and Spoke-PEs to
communicate.

OSPF is used as IGP in this example. For detailed configurations, see Configuration
Scripts.

After the configuration is complete, OSPF neighbor relationships are established
between the Hub-PE and Spoke-PEs. Run the display ospf peer command. The
command output shows that the neighbor status is Full. Run the display ip
routing-table command. The command output shows that the Hub-PE and
Spoke-PEs have learned the routes to each other's loopback interface.

Step 2 Configure basic MPLS capabilities and MPLS LDP to establish LDP LSPs on the
backbone network.

For detailed configurations, see Configuration Scripts.

After the configuration is complete, LDP peer relationships are established
between the Hub-PE and Spoke-PEs. Run the display mpls ldp session command
on each device. The command output shows that Session State is Operational.

Step 3 Configure a VPN instance on each PE, enable the IPv4 address family for the
instance, and bind the interface that connects each PE to a CE to the VPN instance
on that PE.


NOTE

The import VPN target list of a VPN instance on the Hub-PE must contain the export VPN
targets of all Spoke-PEs.
The export VPN target list of the other VPN instance on the Hub-PE must contain the
import VPN targets of all Spoke-PEs.

# Configure Spoke-PE1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv4-family
[Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface Vlanif 100
[Spoke-PE1-Vlanif100] ip binding vpn-instance vpna
[Spoke-PE1-Vlanif100] ip address 10.1.1.2 24
[Spoke-PE1-Vlanif100] quit

# Configure Spoke-PE2.
<Spoke-PE2> system-view
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] ipv4-family
[Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2] interface Vlanif 100
[Spoke-PE2-Vlanif100] ip binding vpn-instance vpna
[Spoke-PE2-Vlanif100] ip address 10.4.1.2 24
[Spoke-PE2-Vlanif100] quit

# Configure the Hub-PE.
<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv4-family
[Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv4-family
[Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface Vlanif 300
[Hub-PE-Vlanif300] ip binding vpn-instance vpn_in
[Hub-PE-Vlanif300] ip address 10.2.1.2 24
[Hub-PE-Vlanif300] quit
[Hub-PE] interface Vlanif 400
[Hub-PE-Vlanif400] ip binding vpn-instance vpn_out
[Hub-PE-Vlanif400] ip address 10.3.1.2 24
[Hub-PE-Vlanif400] quit

# Configure IP addresses for interfaces on CEs, as shown in Figure 3-62. For
detailed configurations, see Configuration Scripts.
After completing the configuration, run the display ip vpn-instance verbose
command on each PE to check the VPN instance configuration. Each PE can ping
its connected CEs using the ping -vpn-instance vpn-name ip-address command.


NOTE

If a PE has multiple interfaces bound to the same VPN instance, use the -a source-ip-address
parameter to specify a source IP address when running the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the remote PE. If the source IP address is not specified, the ping operation
may fail.

Step 4 Establish EBGP peer relationships between PEs and CEs to import VPN routes.
NOTE

Configure the Hub-PE to allow AS numbers to be repeated once in the AS_Path attribute, so
that it can receive the routes advertised by the Hub-CE.
You do not need to configure the Spoke-PEs to allow AS numbers to be repeated once,
because the device does not check the AS_Path attributes in routes received from IBGP
peers.

# Configure Spoke-CE1.
[Spoke-CE1] interface loopback 1
[Spoke-CE1-Loopback1] ip address 11.11.11.11 32
[Spoke-CE1-Loopback1] quit
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 10.1.1.2 as-number 100
[Spoke-CE1-bgp] network 11.11.11.11 32
[Spoke-CE1-bgp] quit

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[Spoke-CE2] interface loopback 1
[Spoke-CE2-Loopback1] ip address 22.22.22.22 32
[Spoke-CE2-Loopback1] quit
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] peer 10.4.1.2 as-number 100
[Spoke-CE2-bgp] network 22.22.22.22 32
[Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 10.4.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit

# Configure the Hub-CE.
[Hub-CE] interface loopback 1
[Hub-CE-Loopback1] ip address 33.33.33.33 32
[Hub-CE-Loopback1] quit
[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 10.2.1.2 as-number 100
[Hub-CE-bgp] peer 10.3.1.2 as-number 100
[Hub-CE-bgp] network 33.33.33.33 32
[Hub-CE-bgp] quit

# Configure the Hub-PE.


[Hub-PE] bgp 100


[Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[Hub-PE-bgp-vpn_in] peer 10.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 10.3.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 10.3.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit

After completing the configuration, run the display bgp vpnv4 all peer command
on each PE. The command output shows that BGP peer relationships have been
established between the PEs and CEs and are in Established state.
Step 5 Establish MP-IBGP peer relationships between the PEs.
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit

# Configure the Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv4] quit

After completing the configuration, run the display bgp peer or display bgp
vpnv4 all peer command on PEs. The command output shows that BGP peer
relationships have been established between PEs and are in the Established state.

----End

Verifying the Configuration


After the configuration is complete, the Spoke-CEs can ping each other. Run the
tracert command. The command output shows that the traffic between the
Spoke-CEs is forwarded through the Hub-CE. You can also deduce the number of
forwarding devices between the Spoke-CEs based on the TTL displayed in the
command output.
The following example uses the command output on Spoke-CE1.
<Spoke-CE1> ping -a 11.11.11.11 22.22.22.22
PING 22.22.22.22: 56 data bytes, press CTRL_C to break
Reply from 22.22.22.22: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 22.22.22.22: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 22.22.22.22: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 22.22.22.22: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 22.22.22.22: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 22.22.22.22 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
<Spoke-CE1> tracert -a 11.11.11.11 22.22.22.22
traceroute to 22.22.22.22(22.22.22.22), max hops: 64, packet length: 40, press CTRL_C to break
1 10.1.1.2 31 ms 12 ms 6 ms
2 10.3.1.2 9 ms 11 ms 24 ms
3 10.3.1.1 46 ms 27 ms 9 ms
4 10.2.1.2 23 ms 22 ms 28 ms
5 10.4.1.2 12 ms 34 ms 23 ms
6 22.22.22.22 46 ms 1 ms 9 ms

Run the display bgp routing-table command on each Spoke-CE. The command
output shows that there are repetitive AS numbers in the AS_Path attributes of the
BGP routes to the peer Spoke-CE.
The following example uses the command output on Spoke-CE1.
<Spoke-CE1> display bgp routing-table

BGP Local router ID is 11.11.11.11


Status codes: * - valid, > - best, d - damped, x - best external, a - add path,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 3


Network NextHop MED LocPrf PrefVal Path/Ogn
*> 11.11.11.11/32 0.0.0.0 0 0 i
*> 22.22.22.22/32 10.1.1.2 0 100 65430 100 65420i
*> 33.33.33.33/32 10.1.1.2 0 100 65430i
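The following Python script is an added worked example, not part of this Huawei document or of the switch software. It models the AS_Path handling that the NOTE in Step 4 relies on (an EBGP speaker prepends its own AS, a receiver rejects a route whose AS_Path already contains its own AS more than allow-as-loop times, and IBGP hops neither prepend nor check, as the NOTE states), and then checks constructed copies of the Spoke-CE1 routing table and tracert output shown above. The hop list, the re-aligned table columns and the assumed initial TTL of 255 on the remote CE are assumptions made for the example.

```python
"""Hub-and-spoke L3VPN route checks (added example, not Huawei code)."""
import re


def ebgp_send(as_path, sender_as):
    """An EBGP speaker prepends its own AS before advertising (RFC 4271)."""
    return [sender_as] + as_path


def accept(as_path, local_as, allow_as_loop=0):
    """BGP loop check: reject if local_as occurs more than allow_as_loop times.
    allow_as_loop=0 is the default; `peer ... allow-as-loop 1` raises it to 1."""
    return as_path.count(local_as) <= allow_as_loop


# Path of 22.22.22.22/32 from Spoke-CE2 to Spoke-CE1 through the Hub-CE, as
# (sender, sender AS, receiver, receiver AS). Equal ASes mean an IBGP hop.
HOPS = [
    ("Spoke-CE2", 65420, "Spoke-PE2", 100),
    ("Spoke-PE2", 100,   "Hub-PE",    100),    # MP-IBGP
    ("Hub-PE",    100,   "Hub-CE",    65430),  # EBGP over vpn_in
    ("Hub-CE",    65430, "Hub-PE",    100),    # EBGP over vpn_out
    ("Hub-PE",    100,   "Spoke-PE1", 100),    # MP-IBGP
    ("Spoke-PE1", 100,   "Spoke-CE1", 65410),
]


def propagate(hops, allow_as_loop=None):
    """Walk the hops. allow_as_loop maps receiver name -> permitted repeats.
    Returns (final AS_PATH, None) or (None, rejection message)."""
    allow_as_loop = allow_as_loop or {}
    path = []
    for sender, sender_as, receiver, receiver_as in hops:
        if sender_as == receiver_as:
            continue  # IBGP: AS_PATH unchanged and, per the page, not loop-checked
        path = ebgp_send(path, sender_as)
        if not accept(path, receiver_as, allow_as_loop.get(receiver, 0)):
            return None, f"{receiver} (AS {receiver_as}) rejected AS_PATH {path}"
    return path, None


def _row(status, network, nexthop, med, locprf, prefval, path):
    # Fixed-width columns; the PDF extraction collapsed the original spacing.
    return f" {status:<3}{network:<19}{nexthop:<15}{med:<11}{locprf:<10}{prefval:<8}{path}"


# Constructed copy of the Spoke-CE1 `display bgp routing-table` rows above.
BGP_TABLE = "\n".join([
    _row("",   "Network",        "NextHop",  "MED", "LocPrf", "PrefVal", "Path/Ogn"),
    _row("*>", "11.11.11.11/32", "0.0.0.0",  "0",   "",       "0",       "i"),
    _row("*>", "22.22.22.22/32", "10.1.1.2", "",    "",       "0",       "100 65430 100 65420i"),
    _row("*>", "33.33.33.33/32", "10.1.1.2", "",    "",       "0",       "100 65430i"),
])


def parse_bgp_table(text):
    """{prefix: (next hop, [AS, ...], origin)}. The AS path is cut at the
    Path/Ogn column position because MED and LocPrf may be blank."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(l for l in lines if "Path/Ogn" in l)
    col = header.index("Path/Ogn")
    routes = {}
    for line in lines:
        if not line.lstrip().startswith("*"):
            continue
        _, prefix, nexthop = line.split()[:3]
        field = line[col:].strip()          # e.g. "100 65430 100 65420i"
        routes[prefix] = (nexthop, [int(a) for a in field[:-1].split()], field[-1])
    return routes


# Constructed copy of the Spoke-CE1 tracert output above.
TRACERT = """\
traceroute to 22.22.22.22(22.22.22.22), max hops: 64, packet length: 40, press CTRL_C to break
 1 10.1.1.2 31 ms 12 ms 6 ms
 2 10.3.1.2 9 ms 11 ms 24 ms
 3 10.3.1.1 46 ms 27 ms 9 ms
 4 10.2.1.2 23 ms 22 ms 28 ms
 5 10.4.1.2 12 ms 34 ms 23 ms
 6 22.22.22.22 46 ms 1 ms 9 ms
"""


def tracert_hops(text):
    """Hop addresses in order; the Hub-CE (10.3.1.1) must be among them."""
    return re.findall(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)", text, re.M)


def forwarding_devices(reply_ttl, initial_ttl=255):
    """Devices between the CEs, derived from the ping reply TTL (assumes the
    remote CE sends replies with an initial TTL of 255)."""
    return initial_ttl - reply_ttl
```

Running propagate(HOPS) without any allow-as-loop shows the Hub-PE rejecting the route on vpn_out; propagate(HOPS, {"Hub-PE": 1}) yields the AS_Path 100 65430 100 65420 that the routing table on Spoke-CE1 displays, and the hop count from tracert agrees with the TTL of 250 in the ping output.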

Configuration Scripts
● Spoke-CE1
#
sysname Spoke-CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Loopback 1
ip address 11.11.11.11 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
network 11.11.11.11 255.255.255.255
peer 10.1.1.2 enable
#
return
● Spoke-PE1
#
sysname Spoke-PE1
#
vlan batch 100 200

#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
● Spoke-PE2
#
sysname Spoke-PE2
#
vlan batch 100 200
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#

mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif200
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.4.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return

● Spoke-CE2
#
sysname Spoke-CE2
#
vlan batch 100
#
interface Vlanif100
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface Loopback 1
ip address 22.22.22.22 255.255.255.255
#
bgp 65420
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
network 22.22.22.22 255.255.255.255
peer 10.4.1.2 enable
#
return

● Hub-CE

#
sysname Hub-CE
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.2.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface Loopback 1
ip address 33.33.33.33 255.255.255.255
#
bgp 65430
peer 10.2.1.2 as-number 100
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
peer 10.3.1.2 enable
network 33.33.33.33 255.255.255.255
peer 10.2.1.2 enable
#
return

● Hub-PE
#
sysname Hub-PE
#
vlan batch 100 200 300 400
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip binding vpn-instance vpn_in
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif400

ip binding vpn-instance vpn_out
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 400
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 10.2.1.1 as-number 65430
#
ipv4-family vpn-instance vpn_out
peer 10.3.1.1 as-number 65430
peer 10.3.1.1 allow-as-loop
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return

3.1.9.1.4 Example for Configuring L3VPN+VRRP

Networking Requirements
As shown in Figure 3-63, CE1 and CE2 belong to vpna, and CE1 is dual-homed to
PE1 and PE2 through PE4. The user requirements are as follows:
● In most cases, CE1 communicates with CE2 through PE1 (the default
gateway). If PE1 fails, PE2 functions as the gateway to implement gateway
redundancy.
● After PE1 recovers, it preempts to be the master to transmit data after a
preemption delay of 20s.

Figure 3-63 Configuring L3VPN+VRRP


NOTE

In this example, interface 1, interface 2, interface 3, and interface 5 represent 10GE 1/0/1, 10GE
1/0/2, 10GE 1/0/3, and 10GE 1/0/5, respectively.

Device   Interface   VLANIF Interface   IP Address
PE1      10GE1/0/1   VLANIF 300         192.168.1.1/24
         10GE1/0/2   VLANIF 100         10.1.1.1/24
         10GE1/0/5   VLANIF 100         10.1.1.1/24
PE2      10GE1/0/1   VLANIF 200         192.168.2.1/24
         10GE1/0/2   VLANIF 100         10.1.1.2/24
         10GE1/0/5   VLANIF 100         10.1.1.2/24
PE3      10GE1/0/1   VLANIF 300         192.168.1.2/24
         10GE1/0/2   VLANIF 200         192.168.2.2/24
         10GE1/0/3   VLANIF 400         172.16.1.100/24
CE1      10GE1/0/3   VLANIF 100         10.1.1.100/24
CE2      10GE1/0/3   VLANIF 400         172.16.1.200/24

Precautions
Note the following during the configuration:

● On the same VPN, the export VPN target list of a site shares VPN targets with
the import VPN target lists of the other sites. Conversely, the import VPN
target list of a site shares VPN targets with the export VPN target lists of the
other sites.

● After a PE interface connected to a CE is bound to a VPN instance, Layer 3
configurations on this interface are automatically deleted. Such configurations
include IP address and routing protocol configurations, and must be added
again if needed.

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on the backbone network to ensure that PEs can communicate.
2. Configure basic MPLS capabilities and MPLS LDP on the backbone network to
establish LDP LSPs.
3. Configure a VPN instance on each PE, enable the IPv4 address family for the
instance, and bind the interface that connects each PE to a CE to the VPN
instance on that PE.
4. Enable MP-IBGP on PEs to exchange VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure IGP on the MPLS backbone network to achieve connectivity between
PEs on the backbone network.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface 10GE1/0/1
[PE1-10GE1/0/1] port link-type hybrid
[PE1-10GE1/0/1] port hybrid pvid vlan 300
[PE1-10GE1/0/1] port hybrid untagged vlan 300
[PE1-10GE1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface 10GE1/0/1
[PE2-10GE1/0/1] port link-type hybrid
[PE2-10GE1/0/1] port hybrid pvid vlan 200
[PE2-10GE1/0/1] port hybrid untagged vlan 200
[PE2-10GE1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200

[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface 10GE1/0/1
[PE3-10GE1/0/1] port link-type hybrid
[PE3-10GE1/0/1] port hybrid pvid vlan 300
[PE3-10GE1/0/1] port hybrid untagged vlan 300
[PE3-10GE1/0/1] quit
[PE3] interface 10GE1/0/2
[PE3-10GE1/0/2] port link-type hybrid
[PE3-10GE1/0/2] port hybrid pvid vlan 200
[PE3-10GE1/0/2] port hybrid untagged vlan 200
[PE3-10GE1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit

Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to establish LDP LSPs.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit

# Configure PE3.

[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit

Step 3 Configure VPN instances on the PEs and bind the instances to the CE interfaces.
# Configure PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface 10GE1/0/1
[PE4-10GE1/0/1] port link-type hybrid
[PE4-10GE1/0/1] port hybrid pvid vlan 100
[PE4-10GE1/0/1] port hybrid untagged vlan 100
[PE4-10GE1/0/1] quit
[PE4] interface 10GE1/0/2
[PE4-10GE1/0/2] port link-type hybrid
[PE4-10GE1/0/2] port hybrid pvid vlan 100
[PE4-10GE1/0/2] port hybrid untagged vlan 100
[PE4-10GE1/0/2] quit
[PE4] interface 10GE1/0/3
[PE4-10GE1/0/3] port link-type hybrid
[PE4-10GE1/0/3] port hybrid pvid vlan 100
[PE4-10GE1/0/3] port hybrid untagged vlan 100
[PE4-10GE1/0/3] quit

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface 10GE1/0/2
[PE1-10GE1/0/2] port link-type hybrid
[PE1-10GE1/0/2] port hybrid pvid vlan 100
[PE1-10GE1/0/2] port hybrid untagged vlan 100
[PE1-10GE1/0/2] quit
[PE1] interface 10GE1/0/5
[PE1-10GE1/0/5] port link-type hybrid
[PE1-10GE1/0/5] port hybrid pvid vlan 100
[PE1-10GE1/0/5] port hybrid untagged vlan 100
[PE1-10GE1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100

[PE2-vlan100] quit
[PE2] interface 10GE1/0/2
[PE2-10GE1/0/2] port link-type hybrid
[PE2-10GE1/0/2] port hybrid pvid vlan 100
[PE2-10GE1/0/2] port hybrid untagged vlan 100
[PE2-10GE1/0/2] quit
[PE2] interface 10GE1/0/5
[PE2-10GE1/0/5] port link-type hybrid
[PE2-10GE1/0/5] port hybrid pvid vlan 100
[PE2-10GE1/0/5] port hybrid untagged vlan 100
[PE2-10GE1/0/5] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.1.1.2 24
[PE2-Vlanif100] quit

# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface 10GE1/0/3
[PE3-10GE1/0/3] port link-type hybrid
[PE3-10GE1/0/3] port hybrid pvid vlan 400
[PE3-10GE1/0/3] port hybrid untagged vlan 400
[PE3-10GE1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface 10GE1/0/3
[CE1-10GE1/0/3] port link-type hybrid
[CE1-10GE1/0/3] port hybrid pvid vlan 100
[CE1-10GE1/0/3] port hybrid untagged vlan 100
[CE1-10GE1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface 10GE1/0/3
[CE2-10GE1/0/3] port link-type hybrid
[CE2-10GE1/0/3] port hybrid pvid vlan 400
[CE2-10GE1/0/3] port hybrid untagged vlan 400
[CE2-10GE1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit

Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100

[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit

Step 5 Establish MP-IBGP peer relationships between PEs.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable

[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit

Step 6 Configure MSTP to block the link between PE2 and PE4 for loop protection.
# Configure the MSTP mode on PE1. The MSTP mode is enabled by default.
[PE1] stp mode mstp

# Configure the MSTP mode on PE2. The MSTP mode is enabled by default.
[PE2] stp mode mstp

# Configure the MSTP mode on PE4. The MSTP mode is enabled by default.
[PE4] stp mode mstp

# Configure PE1 as the root bridge.
[PE1] stp root primary

# Configure PE2 as the secondary root bridge.
[PE2] stp root secondary

# Set the path cost of the interfaces connecting PE2 and PE4 to 400000 so that
the link between PE2 and PE4 can be blocked.
[PE2] interface 10GE1/0/2
[PE2-10GE1/0/2] stp cost 400000
[PE2-10GE1/0/2] quit
[PE4] interface 10GE1/0/2
[PE4-10GE1/0/2] stp cost 400000
[PE4-10GE1/0/2] quit

# Disable STP on the interface connecting PE4 to CE1.
[PE4] interface 10GE1/0/3
[PE4-10GE1/0/3] stp disable
[PE4-10GE1/0/3] quit

# Enable STP globally on PE1. STP is enabled by default.
[PE1] stp enable

# Enable STP globally on PE2. STP is enabled by default.
[PE2] stp enable

# Enable STP globally on PE4. STP is enabled by default.
[PE4] stp enable

# After the configuration is complete, run the display stp brief command on PE4
to view the interface status. The command output shows that 10GE 1/0/2
becomes an alternate interface and is in DISCARDING state.
[PE4] display stp brief
MSTID Port Role STP State Protection Cost Edged
0 10GE1/0/1 ROOT FORWARDING NONE 2000 enable
0 10GE1/0/2 ALTE DISCARDING NONE 400000 enable
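The following Python script is an added example, not taken from this document or from the switch software. It computes the MSTP instance 0 root path costs and port roles for the PE1, PE2 and PE4 triangle with the path costs used above, so the port that will be blocked can be checked on paper before the change is applied. The bridge priorities (0 for stp root primary, 4096 for stp root secondary, 32768 by default), the MAC suffixes and the link list are assumptions made for the example; 2000 is the 10GE cost shown in the display stp brief output.

```python
"""MSTP instance 0 port roles for the PE1/PE2/PE4 triangle (added example).

Rules applied (IEEE 802.1D/802.1Q): the bridge with the lowest bridge ID is
the root; every other bridge's root path cost is the minimum over its ports of
(neighbour's root path cost + port path cost), ties broken by the neighbour's
bridge ID; on each link the end with the better (root path cost, bridge ID) is
designated, and the other end is the root port if it carries that bridge's best
path, otherwise an alternate (blocked) port."""

# Bridge ID = (priority, MAC suffix). Assumed: stp root primary -> 0,
# stp root secondary -> 4096, default 32768. MAC suffixes are constructed.
BRIDGES = {"PE1": (0, "0001"), "PE2": (4096, "0002"), "PE4": (32768, "0004")}

# Links as ((bridge, port, path cost), (bridge, port, path cost)).
LINKS = [
    (("PE1", "10GE1/0/2", 2000),   ("PE4", "10GE1/0/1", 2000)),
    (("PE2", "10GE1/0/2", 400000), ("PE4", "10GE1/0/2", 400000)),  # stp cost 400000
    (("PE1", "10GE1/0/5", 2000),   ("PE2", "10GE1/0/5", 2000)),
]


def root_bridge(bridges):
    """Lowest (priority, MAC) wins the root election."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges, links):
    """Relax (cost, sender bridge ID) per bridge until stable (Bellman-Ford).
    Returns ({bridge: root path cost}, {bridge: root port})."""
    root = root_bridge(bridges)
    inf = float("inf")
    best = {b: (0, bridges[b]) if b == root else (inf, (99999, "")) for b in bridges}
    root_port = {b: None for b in bridges}
    changed = True
    while changed:
        changed = False
        for a, b in links:
            for (me, port, cost), (nb, _, _) in ((a, b), (b, a)):
                if me == root or best[nb][0] == inf:
                    continue  # the root never has a root port; unreached neighbours offer nothing
                cand = (best[nb][0] + cost, bridges[nb])
                if cand < best[me]:
                    best[me], root_port[me], changed = cand, port, True
    return {b: best[b][0] for b in bridges}, root_port


def port_roles(bridges, links):
    """{(bridge, port): "DESI" | "ROOT" | "ALTE"} for every link end."""
    cost, root_port = root_path_costs(bridges, links)
    roles = {}
    for (a, pa, _), (b, pb, _) in links:
        designated = min((a, b), key=lambda x: (cost[x], bridges[x]))
        for br, port in ((a, pa), (b, pb)):
            if br == designated:
                roles[(br, port)] = "DESI"
            elif root_port[br] == port:
                roles[(br, port)] = "ROOT"
            else:
                roles[(br, port)] = "ALTE"   # blocked, as in the display stp brief output
    return roles


if __name__ == "__main__":
    for (bridge, port), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} {port} {role}")
```

port_roles(BRIDGES, LINKS) reports PE4 10GE1/0/1 as ROOT and PE4 10GE1/0/2 as ALTE, matching the display stp brief output; editing LINKS or BRIDGES lets you check a different cost or root placement before touching the switches.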

Step 7 Configure a VRRP group.
# Configure VRRP group 1 on PE1, and set the VRRP priority of PE1 to 120 and the
preemption delay to 20s.
[PE1] interface vlanif 100
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111

[PE1-Vlanif100] vrrp vrid 1 priority 120
[PE1-Vlanif100] vrrp vrid 1 preempt timer delay 20
[PE1-Vlanif100] quit

# Create VRRP group 1 on PE2. PE2 keeps the default VRRP priority of 100, so no priority command is needed and PE1 (priority 120) wins the election.
[PE2] interface vlanif 100
[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[PE2-Vlanif100] quit

----End

Verifying the Configuration

# After the configuration is complete, run the display vrrp verbose command on
PE1 and PE2. The command outputs show that PE1 is the VRRP master and PE2 is
the VRRP backup. Note that Auth type is NONE: VRRP advertisements on VLAN 100
are not authenticated, so any device that can send frames into VLAN 100 and
advertises a higher priority is elected master and takes over the virtual IP
address 10.1.1.111. Restrict Layer 2 access to VLAN 100 accordingly.
[PE1] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s Remain : --
Hold Multiplier: 3
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[PE2] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s Remain : --
Hold Multiplier: 3
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the shutdown command on 10GE 1/0/2 and 10GE 1/0/5 of PE1 to simulate
a fault on PE1.
[PE1] interface 10GE1/0/2
[PE1-10GE1/0/2] shutdown
[PE1-10GE1/0/2] quit
[PE1] interface 10GE1/0/5
[PE1-10GE1/0/5] shutdown
[PE1-10GE1/0/5] quit

# Run the display vrrp verbose command on PE2 to view the VRRP status. The
command output shows that PE2 becomes the VRRP master.
[PE2] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s Remain : --
Hold Multiplier: 3
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40

# Run the undo shutdown command on 10GE 1/0/2 and 10GE 1/0/5 of PE1. After
20 seconds, run the display vrrp verbose command on PE1 to view the VRRP
status. The command output shows that PE1 is the VRRP master.
[PE1] interface 10GE1/0/2
[PE1-10GE1/0/2] undo shutdown
[PE1-10GE1/0/2] quit
[PE1] interface 10GE1/0/5
[PE1-10GE1/0/5] undo shutdown
[PE1-10GE1/0/5] quit
[PE1] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s Remain : --
Hold Multiplier: 3
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
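The following Python script is an added example, not taken from this document or from the switch software. It simulates the VRRP election and failover timing of the group above using the values shown in the display vrrp verbose output (advertisement interval 1 s, hold multiplier 3, priorities 120 and 100, preempt delay 20 s on PE1), and adds a constructed scenario showing what Auth type NONE permits. The event times, the rogue device and its priority are assumptions made for the example; the timings are computed from the RFC 3768 formulas, not measured on hardware.

```python
"""VRRP master election and failover timing for the PE1/PE2 group (added example).

Rules applied (RFC 3768): the highest priority wins, ties go to the higher
primary IP address; a backup declares the master down after
Master_Down_Interval = Hold Multiplier * Advertisement_Interval + Skew_Time,
with Skew_Time = (256 - Priority) / 256; a recovered higher-priority router
preempts after its configured delay."""
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0  # "TimerRun : 1 s" in the page output
HOLD_MULTIPLIER = 3    # "Hold Multiplier: 3"


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100          # VRRP default, as on PE2
    preempt_delay: float = 0.0   # seconds; PE1 uses 20
    up: bool = True


def skew_time(priority):
    return (256 - priority) / 256


def master_down_interval(priority, advert=ADVERT_INTERVAL, hold=HOLD_MULTIPLIER):
    """How long a backup with this priority waits for advertisements before it
    takes over; lower priority waits longer, so the best backup wins."""
    return hold * advert + skew_time(priority)


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def elect(routers):
    """Name of the router that wins the election among those that are up."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority, _ip_key(r.ip))).name


def simulate(routers, events):
    """events: (time, router name, "down" | "up"). Returns [(time, master)],
    each time being when the new master actually starts forwarding."""
    by_name = {r.name: r for r in routers}
    master = elect(routers)
    timeline = [(0.0, master)]
    for t, name, action in sorted(events):
        by_name[name].up = (action == "up")
        winner = elect(routers)
        if winner == master:
            continue  # a backup flapped, or a lower-priority router came back
        if action == "down":
            # The backup only learns of the failure when advertisements stop.
            delay = master_down_interval(by_name[winner].priority)
        else:
            # A higher-priority router returned: it preempts after its delay.
            delay = by_name[winner].preempt_delay
        master = winner
        timeline.append((t + delay, master))
    return timeline


def page_scenario():
    """PE1 fails at t=100 s and recovers at t=200 s, as in the shutdown /
    undo shutdown test above."""
    pe1 = Router("PE1", "10.1.1.1", priority=120, preempt_delay=20)
    pe2 = Router("PE2", "10.1.1.2")
    return simulate([pe1, pe2], [(100, "PE1", "down"), (200, "PE1", "up")])


def rogue_scenario():
    """Constructed, not from the page: with Auth type NONE, a device on VLAN 100
    that advertises a higher priority is elected master and owns 10.1.1.111."""
    pe1 = Router("PE1", "10.1.1.1", priority=120, preempt_delay=20)
    pe2 = Router("PE2", "10.1.1.2")
    rogue = Router("rogue", "10.1.1.200", priority=254, up=False)
    return simulate([pe1, pe2, rogue], [(300, "rogue", "up")])


if __name__ == "__main__":
    print(page_scenario())
    print(rogue_scenario())
```

page_scenario() returns PE1 as master at t=0, PE2 taking over about 3.6 s after the fault (3 x 1 s plus a skew time of 156/256 s for priority 100), and PE1 regaining mastership exactly 20 s after it recovers, which is the Delay Time the verification output shows.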

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
stp enable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity

vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface 10GE1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface 10GE1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
● PE2
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
stp enable
#
ip vpn-instance vpna

ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface 10GE1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface 10GE1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return

● PE3
#
sysname PE3
#
vlan batch 200 300 400
#
ip vpn-instance vpna

ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif400
ip binding vpn-instance vpna
ip address 172.16.1.100 255.255.255.0
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface 10GE1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface 10GE1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 172.16.1.200 as-number 65430
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

● PE4
#
sysname PE4
#
vlan batch 100
#
stp enable
#
interface 10GE1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface 10GE1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface 10GE1/0/3
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp disable
#
return

● CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.100 255.255.255.0
#
interface 10GE1/0/3
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bgp 65410
peer 10.1.1.111 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.111 enable
#
return

● CE2
#
sysname CE2
#
vlan batch 400
#
interface Vlanif400
ip address 172.16.1.200 255.255.255.0
#
interface 10GE1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
bgp 65430
peer 172.16.1.100 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 172.16.1.100 enable
#
return

3.1.9.1.5 Example for Configuring a Route-Policy to Control Mutual Access Between L3VPN Users

Networking Requirements
On the network shown in Figure 3-64, CE1 is connected to the enterprise branch
Site 1, and CE2 is connected to the enterprise branch Site 2. Site 1 and Site 2
communicate across the ISP backbone network. To meet service requirements, the
enterprise requires that users on some network segments between Site 1 and Site
2 can securely communicate with each other.

Figure 3-64 Configuring a route-policy to control mutual access between L3VPN users

NOTE
In this example, interface 1 and interface 2 represent VLANIF 10 and VLANIF 100 respectively.

Precautions
Note the following during the configuration:
● For sites in the same VPN, the export VPN target list of each site must share VPN
targets with the import VPN target lists of the other sites. Conversely, the import
VPN target list of each site must share VPN targets with the export VPN target lists
of the other sites.
● After a PE interface connected to a CE is bound to a VPN instance, Layer 3
configurations on this interface are automatically deleted. Such configurations
include IP address and routing protocol configurations, and must be added
again if needed.


Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF on PEs to ensure IP connectivity on the backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on PEs to establish MPLS
LSPs for VPN data transmission.
3. Configure VPN instances on PEs to provide access services for VPN users, and
specify different VPN targets to isolate users in branches.
4. Configure a route-policy on PEs to change the VPN targets of the routes that
match the route-policy so that users on specific network segments can
communicate with each other.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Enable MP-IBGP on PEs to exchange VPN routing information.

Procedure
Step 1 Configure IGP on the MPLS backbone network to achieve connectivity between
PEs on the backbone network.

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 100
[PE1] interface 10GE 1/0/1
[PE1-10GE1/0/1] port link-type trunk
[PE1-10GE1/0/1] port trunk allow-pass vlan 10
[PE1-10GE1/0/1] quit
[PE1] interface 10GE 1/0/7
[PE1-10GE1/0/7] port link-type trunk
[PE1-10GE1/0/7] port trunk allow-pass vlan 100
[PE1-10GE1/0/7] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 172.10.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface 10GE 1/0/1
[PE2-10GE1/0/1] port link-type trunk
[PE2-10GE1/0/1] port trunk allow-pass vlan 10
[PE2-10GE1/0/1] quit
[PE2] interface 10GE 1/0/7
[PE2-10GE1/0/7] port link-type trunk
[PE2-10GE1/0/7] port trunk allow-pass vlan 100
[PE2-10GE1/0/7] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be
established between PE1 and PE2. Run the display ospf peer command. The
command output shows that the neighbor status is Full. Run the display ip
routing-table command. The command output shows that the PEs have learned
the routes to each other's Loopback 1.
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit

After the configuration is complete, run the display mpls ldp session command.
The command output shows that an LDP session has been established between
PE1 and PE2 and its state is Operational.
Step 3 Configure VPN instances on the PEs and bind the instances to the CE interfaces.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit

# Configure IP addresses for interfaces on CEs, as shown in Figure 3-64.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface 10GE 1/0/1
[CE1-10GE1/0/1] port link-type trunk
[CE1-10GE1/0/1] port trunk allow-pass vlan 10
[CE1-10GE1/0/1] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 192.168.1.2 24
[CE1-Vlanif10] quit
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface 10GE 1/0/1
[CE2-10GE1/0/1] port link-type trunk
[CE2-10GE1/0/1] port trunk allow-pass vlan 10
[CE2-10GE1/0/1] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 192.168.2.2 24
[CE2-Vlanif10] quit

After completing the configuration, run the display ip vpn-instance verbose
command on each PE to check the VPN instance configurations. The command
output shows that each PE can ping its connected CE.

NOTE
If a PE has multiple interfaces bound to the same VPN instance, use the -a source-ip-address
parameter to specify a source IP address when running the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command to ping the CE
connected to the remote PE. If the source IP address is not specified, the ping operation
may fail.

Step 4 Configure route-policies.

# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit

# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit

Step 5 Establish EBGP peer relationships between PEs and CEs and import VPN routes.


# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not
shown here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not
shown here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpna peer command on the PEs. The command output shows that BGP peer
relationships have been established between the PEs and CEs and are in the
Established state.
Step 6 Establish MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that the BGP
peer relationship has been established between the PEs and is in the Established
state.

----End

Verifying the Configuration

# Run the ping -vpn-instance command on the PEs. The command output shows
that the ping to the site that is attached to the remote PE is successful.
The following example uses the command output on PE1.
[PE1] ping -vpn-instance vpna 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=7 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=5 ms

--- 192.168.2.2 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/5/7 ms

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
export route-policy vpnroute
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/7
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
#
return
● PE2
#
sysname PE2
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
export route-policy vpnroute
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/7
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
#
return

● CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.1.1 enable
#
return

● CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.2.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65420
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.2.1 enable
#
return

3.1.9.2 IPv6 L3VPN

3.1.9.2.1 Example for Configuring Basic IPv6 L3VPN over MPLS

Networking Requirements
IPv6 L3VPN applies to scenarios where different user sites communicate through
the public network without letting the public network detect their internal routing
information. IPv6 L3VPN can isolate VPN services from each other by allowing
intra-VPN access and prohibiting inter-VPN access.

On the network shown in Figure 3-65, CE1 and CE3 belong to VPNA, and CE2 and
CE4 belong to VPNB. It is required that IPv6 L3VPN be configured to allow the
sites in VPNA and those in VPNB to communicate with each other through an
MPLS backbone network instead of directly communicating with each other. It is
also required that different methods be used to exchange routes between PEs and
CEs:
● BGP4+ between PE1 and CE1, and between PE2 and CE4
● IPv6 static route between PE1 and CE2
● OSPFv3 between PE2 and CE3

Figure 3-65 Configuring basic IPv6 L3VPN

NOTE
In this example, interface 1, interface 2, and interface 3 represent VLANIF 100, VLANIF 200,
and VLANIF 300, respectively.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IGP on the IPv4 backbone network for PEs to communicate.
2. Configure MPLS and MPLS LDP on each PE and the P to establish LDP LSPs
between PEs.
3. Configure MP-IBGP on PE1 and PE2 to enable PEs to exchange IPv6 VPN
routing information through BGP.
4. Configure an IPv6-address-family-enabled VPN instance on both PE1 and PE2,
and bind the interfaces connected to CEs to the corresponding VPN instances.
5. Configure IPv6 routing protocols between PEs and CEs for them to exchange
IPv6 routing information.


Data Plan
To complete the configuration, you need the following data:
● AS numbers of PEs and CEs
● VPN instance names
● Attributes of the VPN instance IPv6 address family, such as the RD and VPN
targets

Procedure
Step 1 Configure IPv4 or IPv6 addresses for device interfaces.
# Configure an IPv6 address for the interface on CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 100
[CE1] interface 10GE 1/0/1
[CE1-10GE1/0/1] port link-type trunk
[CE1-10GE1/0/1] port trunk allow-pass vlan 100
[CE1-10GE1/0/1] quit
[CE1] interface Vlanif 100
[CE1-Vlanif100] ipv6 enable
[CE1-Vlanif100] ipv6 address 2001:db8:1::1 64
[CE1-Vlanif100] quit

The configurations of CE2, CE3, CE4, PE1, PE2, and the P are similar to the
configuration of CE1. For detailed configurations, see Configuration Scripts.
Step 2 Configure IGP on the IPv4 backbone network for PEs to communicate. IS-IS is used
as IGP in this example.
# Configure PE1.
[PE1] isis 1
[PE1-isis-1] network-entity 10.1111.1111.1111.00
[PE1-isis-1] quit
[PE1] interface Vlanif 300
[PE1-Vlanif300] isis enable 1
[PE1-Vlanif300] quit
[PE1] interface loopback 1
[PE1-LoopBack1] isis enable 1
[PE1-LoopBack1] quit

The configurations of the P and PE2 are similar to the configuration of PE1. For
detailed configurations, see Configuration Scripts.
After the configuration is complete, PE1, PE2, and the P can learn routes, including
the routes to loopback interfaces, from one another. You can run the display ip
routing-table command to check route information. The following example uses
the command output on PE1.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table: _public_
Destinations : 11 Routes : 11

Destination/Mask    Proto     Pre  Cost   Flags  NextHop      Interface

1.1.1.9/32          Direct    0    0      D      127.0.0.1    InLoopBack0
2.2.2.9/32          ISIS-L2   15   10     D      10.11.11.2   Vlanif300
3.3.3.9/32          ISIS-L2   15   20     D      10.11.11.2   Vlanif300
127.0.0.0/8         Direct    0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct    0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32  Direct    0    0      D      127.0.0.1    InLoopBack0
10.11.11.0/24       Direct    0    0      D      10.11.11.1   Vlanif300
10.11.11.1/32       Direct    0    0      D      127.0.0.1    Vlanif300
10.11.11.255/32     Direct    0    0      D      127.0.0.1    Vlanif300
10.12.12.0/24       ISIS-L2   15   20     D      10.11.11.2   Vlanif300
255.255.255.255/32  Direct    0    0      D      127.0.0.1    InLoopBack0

Step 3 Enable MPLS and MPLS LDP both globally and per interface on each device of the
IPv4 backbone network to establish an LDP LSP between PE1 and PE2.

# Enable MPLS and MPLS LDP on PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface Vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit

The configurations of the P and PE2 are similar to the configuration of PE1. For
detailed configurations, see Configuration Scripts.

After the configuration is complete, an LDP LSP should exist between PE1 and
PE2. Run the display mpls ldp lsp command. The command output shows that an
LDP LSP has been established. The following example uses the command output
on PE1.
[PE1] display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - RLFA Iterated LSP, (I*) - Normal and RLFA Iterated LSP
-------------------------------------------------------------------------------
DestAddress/Mask   In/OutLabel    UpstreamPeer   NextHop        OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32         3/NULL         2.2.2.9        127.0.0.1      InLoop0
*1.1.1.9/32        Liberal/1024   DS/2.2.2.9
2.2.2.9/32         NULL/3         -              10.11.11.2     Vlanif300
2.2.2.9/32         1024/3         2.2.2.9        10.11.11.2     Vlanif300
3.3.3.9/32         NULL/1025      -              10.11.11.2     Vlanif300
3.3.3.9/32         1025/1025      2.2.2.9        10.11.11.2     Vlanif300
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
An asterisk (*) before an LSP means the LSP is not established
An asterisk (*) before a Label means the USCB or DSCB is stale
An asterisk (*) before an UpstreamPeer means the session is stale
An asterisk (*) before a DS means the session is stale
An asterisk (*) before a NextHop means the LSP is FRR LSP

Step 4 Configure an IPv6-address-family-enabled VPN instance on PEs and bind the
interfaces connecting PEs to CEs to the corresponding VPN instances.

# On PE1, configure an IPv6-address-family-enabled VPN instance named vpna.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv6-family
[PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv6] vpn-target 22:22 export-extcommunity
[PE1-vpn-instance-vpna-af-ipv6] vpn-target 33:33 import-extcommunity
[PE1-vpn-instance-vpna-af-ipv6] quit
[PE1-vpn-instance-vpna] quit

# Bind the interface that directly connects PE1 to CE1 to the VPN instance named
vpna.
[PE1] interface Vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ipv6 enable
[PE1-Vlanif100] ipv6 address 2001:db8:1::2 64
[PE1-Vlanif100] quit

# On PE1, configure an IPv6-address-family-enabled VPN instance named vpnb.
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv6-family
[PE1-vpn-instance-vpnb-af-ipv6] route-distinguisher 100:3
[PE1-vpn-instance-vpnb-af-ipv6] vpn-target 44:44 export-extcommunity
[PE1-vpn-instance-vpnb-af-ipv6] vpn-target 55:55 import-extcommunity
[PE1-vpn-instance-vpnb-af-ipv6] quit
[PE1-vpn-instance-vpnb] quit

# Bind the interface that directly connects PE1 to CE2 to the VPN instance named
vpnb.
[PE1] interface Vlanif 200
[PE1-Vlanif200] ip binding vpn-instance vpnb
[PE1-Vlanif200] ipv6 enable
[PE1-Vlanif200] ipv6 address 2001:db8:3::2 64
[PE1-Vlanif200] quit

The configuration of PE2 is similar to the configuration of PE1. For detailed
configurations, see Configuration Scripts.

After completing the configuration, run the display ip vpn-instance verbose
command on each PE to check VPN instance configuration. The command output
shows that each PE can ping its connected CE. The following example uses the
command output on PE1.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 0
Total IPv6 VPN-Instances configured : 2

VPN-Instance Name and ID : vpna, 1
Interfaces : Vlanif100
Address family ipv6
Create date : 2010/07/20 12:31:47
Up time : 0 days, 04 hours, 37 minutes and 05 seconds
Vrf Status : UP
Route Distinguisher : 100:1
Export VPN Targets : 22:22
Import VPN Targets : 33:33
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe

VPN-Instance Name and ID : vpnb, 2
Interfaces : Vlanif200
Address family ipv6
Create date : 2010/07/20 14:41:46
Up time : 0 days, 02 hours, 27 minutes and 06 seconds
Vrf Status : UP
Route Distinguisher : 100:3
Export VPN Targets : 44:44
Import VPN Targets : 55:55
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
[PE1] ping ipv6 vpn-instance vpna 2001:db8:1::1
PING 2001:db8:1::1 : 56 data bytes, press CTRL_C to break
Reply from 2001:db8:1::1
bytes=56 Sequence=1 hop limit=64 time = 20 ms
Reply from 2001:db8:1::1
bytes=56 Sequence=2 hop limit=64 time = 30 ms
Reply from 2001:db8:1::1
bytes=56 Sequence=3 hop limit=64 time = 30 ms
Reply from 2001:db8:1::1
bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from 2001:db8:1::1
bytes=56 Sequence=5 hop limit=64 time = 1 ms

--- 2001:db8:1::1 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/16/30 ms
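Two VPN target mechanisms appear in these examples: in section 3.1.9.1.5, PE1's export route-policy vpnroute stamps RT 222:1 on routes matching ipPrefix1 so that PE2's vpna (import RT 222:1) accepts only those segments, and in Step 4 here, vpna (export 22:22, import 33:33) and vpnb (export 44:44, import 55:55) on PE1 keep the two VPNs apart even when they carry the same prefix. The following Python program is an added example, not Huawei code and not the switch's route-selection implementation; it models a PE's export and import as plain set logic on RDs and RTs. Its assumptions: a route matched by the export route-policy has its RT replaced by the policy's RT (rather than added to it); PE2's vpnb is assumed to mirror vpna with RD 100:4 and export RT 55:55 (the page shows only PE2's vpna); and the prefixes 192.168.1.64/28, 10.9.0.0/16 and the two 2001:db8:9::/64 advertisements are constructed input. All class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnRoute:
    """A VPNv4/VPNv6 route as carried by MP-BGP: RD, prefix and route targets (RTs)."""
    rd: str
    prefix: str
    rts: FrozenSet[str]


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip ip-prefix ... permit <net> <len> greater-equal <ge> less-equal <le>' node."""
    network: str
    ge: int
    le: int

    def matches(self, prefix: str) -> bool:
        base = ipaddress.ip_network(self.network, strict=False)
        cand = ipaddress.ip_network(prefix, strict=False)
        return (cand.version == base.version
                and cand.subnet_of(base)
                and self.ge <= cand.prefixlen <= self.le)


@dataclass
class VpnInstance:
    """A VPN instance (VRF) on one PE, with its RD and export/import VPN targets."""
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    # Optional export route-policy: (prefix-list node, RT to apply).
    # Assumption of this model: the applied RT replaces the default export RTs.
    export_policy: Optional[Tuple[PrefixListEntry, str]] = None

    def export(self, local_prefixes: List[str]) -> List[VpnRoute]:
        """Attach RD and RTs to local VPN routes as they are advertised into MP-BGP."""
        advertised = []
        for prefix in local_prefixes:
            rts = self.export_rts
            if self.export_policy is not None and self.export_policy[0].matches(prefix):
                rts = frozenset({self.export_policy[1]})
            advertised.append(VpnRoute(self.rd, prefix, rts))
        return advertised

    def import_from(self, advertised: List[VpnRoute]) -> Set[Tuple[str, str]]:
        """Accept a route only if it carries at least one of this instance's import RTs."""
        return {(r.rd, r.prefix) for r in advertised if r.rts & self.import_rts}


def route_policy_example() -> Set[Tuple[str, str]]:
    """Section 3.1.9.1.5: PE1 vpna (RT 111:1) exports through route-policy vpnroute,
    which stamps RT 222:1 on 192.168.1.0/24 and its subnets; PE2 vpna imports 222:1."""
    ip_prefix1 = PrefixListEntry("192.168.1.0/24", ge=24, le=32)
    pe1_vpna = VpnInstance("vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1"}),
                           export_policy=(ip_prefix1, "222:1"))
    pe2_vpna = VpnInstance("vpna", "200:1", frozenset({"222:1"}), frozenset({"222:1"}))
    # 192.168.1.0/24 is the page's CE1 segment; the other two prefixes are constructed.
    advertised = pe1_vpna.export(["192.168.1.0/24", "192.168.1.64/28", "10.9.0.0/16"])
    return pe2_vpna.import_from(advertised)


def ipv6_isolation_example() -> Dict[str, Set[Tuple[str, str]]]:
    """Section 3.1.9.2.1 Step 4: PE1's vpna and vpnb import only their own VPN's target,
    so the same prefix advertised from two VPNs on PE2 lands in two separate tables."""
    pe1_vpna = VpnInstance("vpna", "100:1", frozenset({"22:22"}), frozenset({"33:33"}))
    pe1_vpnb = VpnInstance("vpnb", "100:3", frozenset({"44:44"}), frozenset({"55:55"}))
    # PE2 vpna (RD 100:2, export 33:33) follows the page's script; PE2 vpnb is assumed.
    pe2_vpna = VpnInstance("vpna", "100:2", frozenset({"33:33"}), frozenset({"22:22"}))
    pe2_vpnb = VpnInstance("vpnb", "100:4", frozenset({"55:55"}), frozenset({"44:44"}))
    # Constructed input: CE3 (vpna) and CE4 (vpnb) both use 2001:db8:9::/64, as the
    # verification text notes.
    advertised = pe2_vpna.export(["2001:db8:9::/64"]) + pe2_vpnb.export(["2001:db8:9::/64"])
    return {
        "vpna": pe1_vpna.import_from(advertised),
        "vpnb": pe1_vpnb.import_from(advertised),
    }


if __name__ == "__main__":
    print("PE2 vpna accepts:", sorted(route_policy_example()))
    for vrf, routes in ipv6_isolation_example().items():
        print(f"PE1 {vrf} accepts:", sorted(routes))
```

Whether the real route-policy replaces or adds the RT does not change the outcome here: PE2's vpna imports only what carries 222:1, so the constructed 10.9.0.0/16 (which keeps 111:1) is rejected, while 192.168.1.0/24 and its /28 subnet pass the greater-equal 24 less-equal 32 window. In the IPv6 case the two identical prefixes are told apart by their RDs and filtered by RT, which is the import/export sharing rule stated in the precautions of section 3.1.9.1.5.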

Step 5 Establish a VPNv6 peer relationship between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv6-family vpnv6
[PE1-bgp-af-vpnv6] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv6] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv6-family vpnv6
[PE2-bgp-af-vpnv6] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv6] quit
[PE2-bgp] quit

After completing the configuration, run the display bgp vpnv6 all peer command
on each PE to check the VPNv6 peer relationship status. The following example
uses the command output on PE1.
[PE1] display bgp vpnv6 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer       V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

3.3.3.9    4  100  4        3        0     00:01:50  Established  0

The command output shows that State is Established, indicating that the VPNv6
peer relationship between PE1 and PE2 has been established.
Step 6 Configure BGP4+ on PE1 and CE1.
# Configure EBGP on PE1.
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn-instance vpna
[PE1-bgp6-vpna] peer 2001:db8:1::1 as-number 65410
[PE1-bgp6-vpna] quit
[PE1-bgp] quit

# Configure EBGP on CE1.
[CE1] bgp 65410
[CE1-bgp] router-id 10.10.10.10
[CE1-bgp] peer 2001:db8:1::2 as-number 100
[CE1-bgp] ipv6-family unicast
[CE1-bgp-af-ipv6] network 2001:db8:8:: 64
[CE1-bgp-af-ipv6] peer 2001:db8:1::2 enable
[CE1-bgp-af-ipv6] import-route direct
[CE1-bgp-af-ipv6] quit
[CE1-bgp] quit

The configurations between PE2 and CE4 are similar to the configurations
between PE1 and CE1. For detailed configurations, see Configuration Scripts.
After completing the configuration, run the display bgp vpnv6 vpn-instance vpn-
instance-name peer command on each PE to check whether the peer relationship
is established. The following example uses the command output on PE1.
[PE1] display bgp vpnv6 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer           V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

2001:DB8:1::1  4  65410  3        3        0     00:00:37  Established  1

Step 7 Configure static routes between PE1 and CE2.
# Configure an IPv6 static route for the VPN instance named vpnb on PE1, and
import the route into the routing table of the BGP VPN instance IPv6 address
family.
[PE1] ipv6 route-static vpn-instance vpnb 2001:db8:8:: 64 2001:db8:3::1
[PE1] bgp 100
[PE1-bgp] ipv6-family vpn-instance vpnb
[PE1-bgp6-vpnb] import-route static
[PE1-bgp6-vpnb] quit
[PE1-bgp] quit

# Configure an IPv6 default route on CE2.
[CE2] ipv6 route-static :: 0 2001:db8:3::2

Step 8 Configure OSPFv3 between PE2 and CE3.
# Configure OSPFv3 on PE2.
[PE2] ospfv3 1 vpn-instance vpna
[PE2-ospfv3-1] router-id 10.10.11.11
[PE2-ospfv3-1] area 0.0.0.0
[PE2-ospfv3-1-area 0.0.0.0] quit
[PE2-ospfv3-1] import-route bgp
[PE2-ospfv3-1] quit
[PE2] interface Vlanif 200
[PE2-Vlanif200] ospfv3 1 area 0
[PE2-Vlanif200] quit

# Import OSPFv3 routes into BGP on PE2.
[PE2] bgp 100
[PE2-bgp] ipv6-family vpn-instance vpna
[PE2-bgp6-vpna] import-route ospfv3 1
[PE2-bgp6-vpna] quit
[PE2-bgp] quit

# Configure OSPFv3 on CE3.
[CE3] ospfv3 1
[CE3-ospfv3-1] router-id 22.22.22.22
[CE3-ospfv3-1] area 0.0.0.0
[CE3-ospfv3-1-area 0.0.0.0] quit
[CE3-ospfv3-1] quit
[CE3] interface Vlanif100
[CE3-Vlanif100] ospfv3 1 area 0
[CE3-Vlanif100] quit
[CE3] interface LoopBack 1
[CE3-LoopBack1] ospfv3 1 area 0
[CE3-LoopBack1] quit

----End

Verifying the Configuration

After the configuration is complete, the ping operations (with the source address
specified in the ping command) between CE1 and CE3 and between CE2 and CE4
can succeed. The following example uses the command output on CE1.
[CE1] ping ipv6 -a 2001:db8:8::1 2001:db8:9::1
PING 2001:db8:9::1 : 56 data bytes, press CTRL_C to break
Reply from 2001:db8:9::1
bytes=56 Sequence=1 hop limit=62 time = 170 ms
Reply from 2001:db8:9::1
bytes=56 Sequence=2 hop limit=62 time = 140 ms
Reply from 2001:db8:9::1
bytes=56 Sequence=3 hop limit=62 time = 150 ms
Reply from 2001:db8:9::1
bytes=56 Sequence=4 hop limit=62 time = 140 ms
Reply from 2001:db8:9::1
bytes=56 Sequence=5 hop limit=62 time = 170 ms

--- 2001:db8:9::1 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/154/170 ms

The address 2001:db8:9::1/64 also exists on CE4. To determine whether traffic
takes the desired forwarding path, run the display ipv6 statistics interface
command on PE2 and check whether the number of ICMPv6 packets sent and
received on each interface changes.

Run the ping ipv6 -a 2001:db8:8::1 -c 100 2001:db8:9::1 command on CE1 to
send 100 IPv6 packets with the source address specified in the command. Then
repeatedly run the display ipv6 statistics interface Vlanif100 or display ipv6
statistics interface Vlanif200 command on PE2 to check the number of ICMPv6
packets received and sent on each interface. The counters on VLANIF 200 keep
changing, which means that the IPv6 data is forwarded to CE3, which is in the
same VPN as CE1, and that the two VPNs are isolated from each other.

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 100 200 300
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 22:22 export-extcommunity
vpn-target 33:33 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:3
vpn-target 44:44 export-extcommunity
vpn-target 55:55 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 10.1111.1111.1111.00
#
interface Vlanif100
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
interface Vlanif200
ip binding vpn-instance vpnb
ipv6 enable
ipv6 address 2001:db8:3::2/64
#
interface Vlanif300
ip address 10.11.11.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpna
peer 2001:db8:1::1 as-number 65410
#
ipv6-family vpn-instance vpnb
import-route static
#
ipv6 route-static vpn-instance vpnb 2001:db8:8:: 64 2001:db8:3::1
#
return
● P
#
sysname P
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 20.2222.2222.2222.00
#
interface Vlanif100
ip address 10.11.11.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif200
ip address 10.12.12.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return
● PE2
#
sysname PE2
#
vlan batch 100 200 300
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:2
vpn-target 33:33 export-extcommunity
vpn-target 22:22 import-extcommunity
#
ip vpn-instance vpnb
ipv6-family
route-distinguisher 100:4
vpn-target 55:55 export-extcommunity
vpn-target 44:44 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
isis 1
network-entity 30.3333.3333.3333.00
#
ospfv3 1 vpn-instance vpna
router-id 10.10.11.11
import-route bgp
area 0.0.0.0
#
interface Vlanif100
ip binding vpn-instance vpnb
ipv6 enable
ipv6 address 2001:db8:5::2/64
#
interface Vlanif200
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:4::2/64
ospfv3 1 area 0.0.0.0
#
interface Vlanif300
ip address 10.12.12.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
#
ipv6-family vpn-instance vpna
import-route ospfv3 1
#
ipv6-family vpn-instance vpnb
peer 2001:db8:5::1 as-number 65420
#
return

● CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:8::1/64
#
bgp 65410
router-id 10.10.10.10
peer 2001:db8:1::2 as-number 100
#
ipv4-family unicast
#
ipv6-family unicast
network 2001:db8:8:: 64
import-route direct
peer 2001:db8:1::2 enable
#
return
● CE2
#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:3::1/64
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:8::1/64
#
ipv6 route-static :: 0 2001:db8:3::2
#
return
● CE3
#
sysname CE3
#
vlan batch 100
#
ospfv3 1
router-id 22.22.22.22
area 0.0.0.0
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:4::1/64
ospfv3 1 area 0.0.0.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:9::1/64
ospfv3 1 area 0.0.0.0
#
return
● CE4
#
sysname CE4
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:5::1/64
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:9::1/64
#
bgp 65420
router-id 33.33.33.33
peer 2001:db8:5::2 as-number 100
#
ipv4-family unicast
#
ipv6-family unicast
import-route direct
peer 2001:db8:5::2 enable
#
return

3.1.9.2.2 Example for Configuring IPv6 L3VPN over MPLS Hub-Spoke

Networking Requirements
On the network shown in Figure 3-66, the communication between the Spoke-CEs is controlled by the Hub-CE at the central site. In other words, traffic between Spoke-CEs is forwarded through the Hub-CE as well, not only through the Hub-PE.

Figure 3-66 Hub-spoke networking


NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent VLANIF 100,
VLANIF 200, VLANIF 300, and VLANIF 400, respectively.

Precautions
During the configuration, note the following:
● The import and export VPN targets configured on a Spoke-PE are different.
● Two VPN instances (vpn_in and vpn_out) are created on the Hub-PE. vpn_in imports the VPN targets that the two Spoke-PEs export; vpn_out exports the VPN targets that the two Spoke-PEs import, and these are different from the VPN targets that vpn_in imports.
● The Hub-PE is configured to accept routes with AS numbers repeated once in the AS_Path attribute.

Configuration Roadmap
The configuration roadmap is as follows:
1. Establish MP-IBGP peer relationships between the Hub-PE and Spoke-PEs.
There is no need to establish an MP-IBGP peer relationship or exchange VPN
routing information between the two Spoke-PEs.
2. Create VPN instances and VPN targets on PEs.
3. Configure EBGP connections between CEs and PEs.

Procedure
Step 1 Configure IGP on the backbone network for the Hub-PE and Spoke-PEs to
communicate.

OSPF is used as IGP in this example. For detailed configurations, see Configuration
Scripts.

After the configuration is complete, OSPF neighbor relationships are established between the Hub-PE and Spoke-PEs. Run the display ospf peer command. The command output shows that the neighbor status is Full. Run the display ip routing-table command. The command output shows that the Hub-PE and Spoke-PEs have learned the routes to each other's loopback interface.

Step 2 Configure basic MPLS capabilities and MPLS LDP to establish LDP LSPs on the
backbone network.

For detailed configurations, see Configuration Scripts.

After the configuration is complete, LDP peer relationships are established between the Hub-PE and Spoke-PEs. Run the display mpls ldp session command on each device. The command output shows that the Session State field displays Operational.

Step 3 Configure an IPv6-address-family-enabled VPN instance on each PE and bind the interface connecting a PE to a CE to the VPN instance on that PE.
NOTE

The import VPN target list of a VPN instance on the Hub-PE must contain the export VPN
targets of all Spoke-PEs.
The export VPN target list of the other VPN instance on the Hub-PE must contain the
import VPN targets of all Spoke-PEs.

# Configure Spoke-PE1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv6-family
[Spoke-PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv6] quit
[Spoke-PE1] interface Vlanif100
[Spoke-PE1-Vlanif100] ip binding vpn-instance vpna
[Spoke-PE1-Vlanif100] ipv6 enable
[Spoke-PE1-Vlanif100] ipv6 address 2001:db8:1::2 64
[Spoke-PE1-Vlanif100] quit

# Configure Spoke-PE2.
<Spoke-PE2> system-view
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] ipv6-family
[Spoke-PE2-vpn-instance-vpna-af-ipv6] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv6] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv6] quit
[Spoke-PE2] interface Vlanif100
[Spoke-PE2-Vlanif100] ip binding vpn-instance vpna
[Spoke-PE2-Vlanif100] ipv6 enable
[Spoke-PE2-Vlanif100] ipv6 address 2001:db8:2::2 64
[Spoke-PE2-Vlanif100] quit

# Configure the Hub-PE.
<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv6-family
[Hub-PE-vpn-instance-vpn_in-af-ipv6] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv6] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv6] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv6-family
[Hub-PE-vpn-instance-vpn_out-af-ipv6] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv6] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv6] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface Vlanif300
[Hub-PE-Vlanif300] ip binding vpn-instance vpn_in
[Hub-PE-Vlanif300] ipv6 enable
[Hub-PE-Vlanif300] ipv6 address 2001:db8:3::2 64
[Hub-PE-Vlanif300] quit
[Hub-PE] interface Vlanif400
[Hub-PE-Vlanif400] ip binding vpn-instance vpn_out
[Hub-PE-Vlanif400] ipv6 enable
[Hub-PE-Vlanif400] ipv6 address 2001:db8:4::2 64
[Hub-PE-Vlanif400] quit

# Configure IP addresses for interfaces on CEs, as shown in Figure 3-66. For detailed configurations, see Configuration Scripts.

After completing the configuration, run the display ip vpn-instance verbose command on PEs to check the VPN instance configuration. Each PE can ping its connected CEs through the ping ipv6 vpn-instance vpn-name ipv6-address command.

Step 4 Establish EBGP peer relationships between PEs and CEs to import VPN routes.
NOTE

Configure the Hub-PE to allow AS numbers to be repeated once in the AS_Path attribute, so
that it can receive the routes advertised by the Hub-CE.
You do not need to configure the Spoke-PEs to allow AS numbers to be repeated once,
because the device does not check the AS_Path attributes in routes received from IBGP
peers.

# Configure Spoke-CE1.
[Spoke-CE1] interface loopback 1
[Spoke-CE1-Loopback1] ipv6 enable
[Spoke-CE1-Loopback1] ipv6 address 2001:db8:11::1 128
[Spoke-CE1-Loopback1] quit
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] ipv6-family unicast
[Spoke-CE1-bgp-af-ipv6] peer 2001:db8:1::2 as-number 100
[Spoke-CE1-bgp-af-ipv6] network 2001:db8:11::1 128
[Spoke-CE1-bgp-af-ipv6] quit
[Spoke-CE1-bgp] quit

# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv6-family vpn-instance vpna
[Spoke-PE1-bgp-6-vpna] peer 2001:db8:1::1 as-number 65410
[Spoke-PE1-bgp-6-vpna] quit
[Spoke-PE1-bgp] quit

# Configure Spoke-CE2.
[Spoke-CE2] interface loopback 1
[Spoke-CE2-Loopback1] ipv6 enable
[Spoke-CE2-Loopback1] ipv6 address 2001:db8:12::2 128
[Spoke-CE2-Loopback1] quit
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] ipv6-family unicast
[Spoke-CE2-bgp-af-ipv6] peer 2001:db8:2::2 as-number 100
[Spoke-CE2-bgp-af-ipv6] network 2001:db8:12::2 128
[Spoke-CE2-bgp-af-ipv6] quit
[Spoke-CE2-bgp] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv6-family vpn-instance vpna
[Spoke-PE2-bgp-6-vpna] peer 2001:db8:2::1 as-number 65420
[Spoke-PE2-bgp-6-vpna] quit
[Spoke-PE2-bgp] quit

# Configure the Hub-CE.
[Hub-CE] interface loopback 1
[Hub-CE-Loopback1] ipv6 enable
[Hub-CE-Loopback1] ipv6 address 2001:db8:13::3 128
[Hub-CE-Loopback1] quit
[Hub-CE] bgp 65430
[Hub-CE-bgp] ipv6-family unicast
[Hub-CE-bgp-af-ipv6] peer 2001:db8:3::2 as-number 100
[Hub-CE-bgp-af-ipv6] peer 2001:db8:4::2 as-number 100
[Hub-CE-bgp-af-ipv6] network 2001:db8:13::3 128
[Hub-CE-bgp-af-ipv6] quit
[Hub-CE-bgp] quit

# Configure the Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] ipv6-family vpn-instance vpn_in
[Hub-PE-bgp-6-vpn_in] peer 2001:db8:3::1 as-number 65430
[Hub-PE-bgp-6-vpn_in] quit
[Hub-PE-bgp] ipv6-family vpn-instance vpn_out
[Hub-PE-bgp-6-vpn_out] peer 2001:db8:4::1 as-number 65430
[Hub-PE-bgp-6-vpn_out] peer 2001:db8:4::1 allow-as-loop 1
[Hub-PE-bgp-6-vpn_out] quit
[Hub-PE-bgp] quit

After completing the configuration, run the display bgp vpnv6 all peer command
on each PE. The command output shows that BGP peer relationships have been
established between the PEs and CEs and are in Established state.
Step 5 Establish MP-IBGP peer relationships between the PEs.
# Configure Spoke-PE1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv6-family vpnv6
[Spoke-PE1-bgp-af-vpnv6] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv6] quit

# Configure Spoke-PE2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv6-family vpnv6
[Spoke-PE2-bgp-af-vpnv6] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv6] quit

# Configure the Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv6-family vpnv6
[Hub-PE-bgp-af-vpnv6] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv6] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv6] quit

After completing the configuration, run the display bgp peer or display bgp
vpnv6 all peer command on PEs. The command output shows that BGP peer
relationships have been established between PEs and are in Established state.

----End

Verifying the Configuration

After completing the configuration, run the ping command between the Spoke-CEs. The command output shows that the Spoke-CEs can ping each other.
The following example uses the command output on Spoke-CE1.
<Spoke-CE1> ping ipv6 -a 2001:db8:11::1 2001:db8:12::2
PING 2001:db8:12::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:db8:12::2
bytes=56 Sequence=1 hop limit=59 time=7 ms
Reply from 2001:db8:12::2
bytes=56 Sequence=2 hop limit=59 time=3 ms
Reply from 2001:db8:12::2
bytes=56 Sequence=3 hop limit=59 time=3 ms
Reply from 2001:db8:12::2
bytes=56 Sequence=4 hop limit=59 time=3 ms
Reply from 2001:db8:12::2
bytes=56 Sequence=5 hop limit=59 time=3 ms

---2001:db8:12::2 ping statistics---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max=3/3/7 ms

Run the display bgp ipv6 routing-table command on the Spoke-CEs. The command output shows that the AS_Path attributes of the BGP routes to the peer Spoke-CE contain repeated AS numbers.
The following example uses the command output on Spoke-CE1.
<Spoke-CE1> display bgp ipv6 routing-table
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, x - best external,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 3

*> Network : 2001:db8:11::1 PrefixLen : 128
NextHop : :: LocPrf :
MED :0 PrefVal : 0
Label :
Path/Ogn : i
*> Network : 2001:db8:12::2 PrefixLen : 128
NextHop : 2001:db8:1::2 LocPrf :
MED : PrefVal : 0
Label :
Path/Ogn : 100 65430 100 65420i
*> Network : 2001:db8:13::3 PrefixLen : 128
NextHop : 2001:db8:1::2 LocPrf :
MED : PrefVal : 0
Label :
Path/Ogn : 100 65430i
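Both examples in this section rely on the same two mechanisms: a PE imports a VPNv6 route into a VPN instance only if the route carries a VPN target from that instance's import list, and a PE drops a route received from a CE whose AS_Path already contains the PE's own AS unless allow-as-loop permits it. The following Python model, added here as an illustration and not part of the Huawei document, replays both the vpna/vpnb isolation check of 3.1.9.2.1 (the same prefix 2001:db8:9::/64 behind CE3 and CE4) and the hub-spoke route flow of 3.1.9.2.2, using the AS numbers, RDs and VPN targets from the configuration scripts. The class and function names and the route representation are this example's own; it also goes one step beyond the document by showing what happens to the Spoke-CE2 route when allow-as-loop is left at its default on the Hub-PE.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One IPv6-address-family VPN instance on a PE (example model).
    'routes' maps a prefix to (AS_PATH, device the route was learned from)."""
    pe: str
    name: str
    export_rt: frozenset
    import_rt: frozenset
    routes: dict = field(default_factory=dict)


def ebgp_send(sender_as: int, as_path: tuple) -> tuple:
    """A BGP speaker prepends its own AS when advertising to an EBGP peer."""
    return (sender_as,) + as_path


def ebgp_accept(local_as: int, as_path: tuple, allow_as_loop: int = 0) -> bool:
    """Loop check on a route received from an EBGP peer: the local AS may
    appear in AS_PATH at most 'allow_as_loop' times (0 unless 'peer ...
    allow-as-loop N' is configured for that peer)."""
    return as_path.count(local_as) <= allow_as_loop


def vpnv6_distribute(vrfs: list) -> None:
    """MP-IBGP between PEs: each VRF exports its routes tagged with its
    export VPN targets; a VRF on another PE imports a route only if one of
    those targets is in its own import list. IBGP leaves AS_PATH unchanged."""
    exported = [(v.pe, v.export_rt, dict(v.routes)) for v in vrfs]
    for v in vrfs:
        for pe, rts, routes in exported:
            if pe != v.pe and rts & v.import_rt:
                for prefix, entry in routes.items():
                    v.routes.setdefault(prefix, entry)


def full_mesh_isolation() -> dict:
    """3.1.9.2.1: 2001:db8:9::/64 exists in both vpna (behind CE3) and vpnb
    (behind CE4). Returns which CE each PE1 VRF ends up routing it towards."""
    pe1_vpna = Vrf("PE1", "vpna", frozenset({"22:22"}), frozenset({"33:33"}))
    pe1_vpnb = Vrf("PE1", "vpnb", frozenset({"44:44"}), frozenset({"55:55"}))
    pe2_vpna = Vrf("PE2", "vpna", frozenset({"33:33"}), frozenset({"22:22"}))
    pe2_vpnb = Vrf("PE2", "vpnb", frozenset({"55:55"}), frozenset({"44:44"}))
    prefix = "2001:db8:9::/64"
    pe2_vpna.routes[prefix] = ((), "CE3")        # imported from OSPFv3, empty AS_PATH
    pe2_vpnb.routes[prefix] = ((65420,), "CE4")  # EBGP from CE4 (AS 65420)
    vpnv6_distribute([pe1_vpna, pe1_vpnb, pe2_vpna, pe2_vpnb])
    return {"vpna": pe1_vpna.routes[prefix][1], "vpnb": pe1_vpnb.routes[prefix][1]}


def hub_spoke(allow_as_loop: int = 1) -> dict:
    """3.1.9.2.2: trace Spoke-CE2's loopback 2001:db8:12::2/128 to Spoke-CE1.
    allow_as_loop models 'peer 2001:db8:4::1 allow-as-loop 1' on the Hub-PE."""
    spoke_pe1 = Vrf("Spoke-PE1", "vpna", frozenset({"100:1"}), frozenset({"200:1"}))
    spoke_pe2 = Vrf("Spoke-PE2", "vpna", frozenset({"100:1"}), frozenset({"200:1"}))
    hub_in = Vrf("Hub-PE", "vpn_in", frozenset(), frozenset({"100:1"}))
    hub_out = Vrf("Hub-PE", "vpn_out", frozenset({"200:1"}), frozenset())
    mesh = [spoke_pe1, spoke_pe2, hub_in, hub_out]
    prefix = "2001:db8:12::2/128"

    # Spoke-CE2 (AS 65420) -> Spoke-PE2 (AS 100) over EBGP.
    path = ebgp_send(65420, ())
    assert ebgp_accept(100, path)
    spoke_pe2.routes[prefix] = (path, "Spoke-CE2")
    vpnv6_distribute(mesh)
    # Spoke-PE1 imports only 200:1 while Spoke-PE2 exports 100:1, so the
    # spokes never exchange routes directly; only the Hub-PE's vpn_in gets it.
    learned_directly = prefix in spoke_pe1.routes
    hub_in_has_route = prefix in hub_in.routes

    # Hub-PE vpn_in -> Hub-CE (AS 65430) -> Hub-PE vpn_out. AS 100 is now in
    # AS_PATH once, which the default loop check treats as a routing loop.
    path = ebgp_send(65430, ebgp_send(100, hub_in.routes[prefix][0]))
    accepted_default = ebgp_accept(100, path)
    ce1_path = None
    if ebgp_accept(100, path, allow_as_loop):
        hub_out.routes[prefix] = (path, "Hub-CE")
        vpnv6_distribute(mesh)  # vpn_out exports 200:1, which Spoke-PE1 imports
        # Spoke-PE1 (AS 100) -> Spoke-CE1: AS 100 is prepended a second time.
        ce1_path = ebgp_send(100, spoke_pe1.routes[prefix][0])
    return {
        "spoke_pe1_learned_directly": learned_directly,
        "hub_vpn_in_has_route": hub_in_has_route,
        "accepted_without_allow_as_loop": accepted_default,
        "spoke_ce1_as_path": ce1_path,
    }


if __name__ == "__main__":
    print(full_mesh_isolation())
    print(hub_spoke())
```

The hub-spoke result reproduces the Path/Ogn value 100 65430 100 65420 shown above for 2001:db8:12::2 on Spoke-CE1, and hub_spoke(allow_as_loop=0) shows that without allow-as-loop the Hub-PE's vpn_out drops the route and the spokes cannot reach each other. Two points are worth keeping in mind when reviewing such a deployment: allow-as-loop deliberately weakens BGP's own loop protection, so it belongs only on the vpn_out peer that needs it (as in the scripts) rather than on every CE peer; and spoke isolation depends entirely on the VPN target asymmetry (spokes export 100:1 and import 200:1), so a stray import VPN target on a Spoke-PE that matches another spoke's export would bypass the Hub-CE without any change on the hub.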

Configuration Scripts
● Spoke-CE1
#
sysname Spoke-CE1
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:1::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:11::1/128
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
bgp 65410
router-id 1.1.1.1
peer 2001:db8:1::2 as-number 100
#
ipv6-family unicast
network 2001:db8:11::1 128
peer 2001:db8:1::2 enable
#
return
● Spoke-PE1
#
sysname Spoke-PE1
#
vlan batch 100 200
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:1::2/64
#
interface Vlanif200
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpna
peer 2001:db8:1::1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
● Spoke-PE2
#
sysname Spoke-PE2
#
vlan batch 100 200
#
ip vpn-instance vpna
ipv6-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ipv6 enable
ipv6 address 2001:db8:2::2/64
#
interface Vlanif200
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 2.2.2.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 2.2.2.9 enable
#
ipv6-family vpn-instance vpna
peer 2001:db8:2::1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

● Spoke-CE2
#
sysname Spoke-CE2
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:2::1/64
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:12::2/128
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
bgp 65420
router-id 3.3.3.3
peer 2001:db8:2::2 as-number 100
#
ipv6-family unicast
network 2001:db8:12::2 128
peer 2001:db8:2::2 enable
#
return

● Hub-CE
#
sysname Hub-CE
#
vlan batch 100 200
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:db8:3::1/64
#
interface Vlanif200
ipv6 enable
ipv6 address 2001:db8:4::1/64
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:db8:13::3/128
#
bgp 65430
router-id 2.2.2.2
peer 2001:db8:3::2 as-number 100
peer 2001:db8:4::2 as-number 100
#
ipv6-family unicast
network 2001:db8:13::3 128
peer 2001:db8:3::2 enable
peer 2001:db8:4::2 enable
#
return

● Hub-PE
#
sysname Hub-PE
#
vlan batch 100 200 300 400
#
ip vpn-instance vpn_in
ipv6-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv6-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip binding vpn-instance vpn_in
ipv6 enable
ipv6 address 2001:db8:3::2/64
#
interface Vlanif400
ip binding vpn-instance vpn_out
ipv6 enable
ipv6 address 2001:db8:4::2/64
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 400
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpnv6
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv6-family vpn-instance vpn_in
peer 2001:db8:3::1 as-number 65430
#
ipv6-family vpn-instance vpn_out
peer 2001:db8:4::1 as-number 65430
peer 2001:db8:4::1 allow-as-loop
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

3.1.10 Network Slicing

3.1.10.1 Example for Configuring Network Slicing in an EVPN L3VPNv4 over SRv6 BE Scenario (Static Configuration)
This section describes how to configure network slicing in an EVPN L3VPNv4 over
SRv6 BE scenario.

Networking Requirements
NOTE

This configuration is supported only by the S5755-H, S6730-H-V2 and S5732-H-V2 series.

As shown in Figure 3-67, PE1, P, and PE2 belong to the same AS. A bidirectional SRv6 BE path needs to be deployed between PE1 and PE2 to carry EVPN L3VPNv4 services. In addition, to guarantee the service SLAs of the VPN instance vpn1 between CE1 and CE2, a network slice (slice ID: 10) needs to be created on the public network and used to carry vpn1's services. Similarly, to guarantee the service SLAs of the VPN instance vpn2 between CE3 and CE4, another network slice (slice ID: 20) needs to be created on the public network and used to carry vpn2's services.

Figure 3-67 Network diagram for configuring network slicing in an EVPN L3VPNv4 over SRv6 BE scenario
NOTE

In this example, interface 1, interface 2, and interface 3 represent VLANIF 100, VLANIF 200, and
VLANIF 300, respectively.

Precautions
1. If you want to use the route color to steer SRv6 BE traffic to a network slice,
you first need to configure the route color (extended community attribute) in
the import or export route-policy.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable IPv6 forwarding and configure an IPv6 address for interfaces on PE1,
the P, and PE2.
2. Enable OSPFv3 on PE1, the P, and PE2.
3. Configure EVPN L3VPN instances on each PE and bind the instances to the
corresponding access-side interfaces.
4. Establish an EBGP peer relationship between each PE and its connected CE.
5. Establish a BGP EVPN peer relationship between the PEs.
6. Configure SRv6 BE and enable OSPFv3 SRv6 on the PEs.
7. Create network slice instances and configure a base interface on PE1, the P,
and PE2.
8. Configure traffic policies on PE1 and PE2 to divert traffic to slices.

Procedure
Step 1 Enable IPv6 forwarding and configure an IPv6 address for each interface. The
following example uses the configuration of PE1. The configurations of other
devices are similar to the configuration of PE1. For detailed configurations, see
Configuration Scripts.
[PE1] vlan batch 100 200 300
[PE1] interface vlanif 100
[PE1-Vlanif100] ipv6 enable
[PE1-Vlanif100] ipv6 address 2001:DB8:10::1 64
[PE1-Vlanif100] quit
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] port link-type access
[PE1-10GE1/0/1] port default vlan 100
[PE1-10GE1/0/1] quit
[PE1] interface LoopBack 1
[PE1-LoopBack1] ipv6 enable
[PE1-LoopBack1] ipv6 address 2001:DB8:1::1 128
[PE1-LoopBack1] quit

Step 2 Configure OSPFv3.

# Configure PE1.
[PE1] ospfv3 1
[PE1-ospfv3-1] router-id 1.1.1.1
[PE1-ospfv3-1] area 0
[PE1-ospfv3-1-area-0.0.0.0] quit
[PE1-ospfv3-1] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ospfv3 1 area 0.0.0.0
[PE1-Vlanif100] quit
[PE1] interface loopback1
[PE1-LoopBack1] ospfv3 1 area 0.0.0.0
[PE1-LoopBack1] quit

# Configure the P.
[P] ospfv3 1
[P-ospfv3-1] router-id 2.2.2.2
[P-ospfv3-1] area 0
[P-ospfv3-1-area-0.0.0.0] quit
[P-ospfv3-1] quit
[P] interface vlanif 100
[P-Vlanif100] ospfv3 1 area 0.0.0.0
[P-Vlanif100] quit
[P] interface vlanif 200
[P-Vlanif200] ospfv3 1 area 0.0.0.0
[P-Vlanif200] quit
[P] interface loopback1
[P-LoopBack1] ospfv3 1 area 0.0.0.0
[P-LoopBack1] quit

# Configure PE2.
[PE2] ospfv3 1
[PE2-ospfv3-1] router-id 3.3.3.3
[PE2-ospfv3-1] area 0
[PE2-ospfv3-1-area-0.0.0.0] quit
[PE2-ospfv3-1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ospfv3 1 area 0.0.0.0
[PE2-Vlanif200] quit
[PE2] interface loopback1
[PE2-LoopBack1] ospfv3 1 area 0.0.0.0
[PE2-LoopBack1] quit

After the configuration is complete, perform the following operations to check whether OSPFv3 is successfully configured.
# Display OSPFv3 neighbor information. The following example uses the
command output on PE1.
[PE1] display ospfv3 peer

OSPFv3 Process (1)
Total number of peer(s): 1
Peer(s) in full state: 1
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 Full/Backup 00:00:37 Vlanif100 0

Step 3 Configure EVPN L3VPN instances on each PE and bind the instances to the
corresponding access-side interfaces.
# Configure PE1.
[PE1] evpn-overlay enable
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 evpn both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] ipv4-family
[PE1-vpn-instance-vpn2-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpn2-af-ipv4] vpn-target 2:2 evpn both
[PE1-vpn-instance-vpn2-af-ipv4] quit
[PE1-vpn-instance-vpn2] quit
[PE1] vlan batch 200 300
[PE1] interface Vlanif 200
[PE1-Vlanif200] ip binding vpn-instance vpn1
[PE1-Vlanif200] ip address 10.1.1.1 24
[PE1-Vlanif200] quit
[PE1] interface Vlanif 300
[PE1-Vlanif300] ip binding vpn-instance vpn2
[PE1-Vlanif300] ip address 10.3.1.1 24
[PE1-Vlanif300] quit
[PE1] interface 10ge 1/0/2
[PE1-10GE1/0/2] port link-type access
[PE1-10GE1/0/2] port default vlan 200
[PE1-10GE1/0/2] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] port link-type access
[PE1-10GE1/0/3] port default vlan 300
[PE1-10GE1/0/3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] advertise l2vpn evpn
[PE1-bgp-vpn1] quit
[PE1-bgp] ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2] import-route direct
[PE1-bgp-vpn2] advertise l2vpn evpn
[PE1-bgp-vpn2] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] evpn-overlay enable
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 evpn both
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] ip vpn-instance vpn2
[PE2-vpn-instance-vpn2] ipv4-family
[PE2-vpn-instance-vpn2-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpn2-af-ipv4] vpn-target 2:2 evpn both
[PE2-vpn-instance-vpn2-af-ipv4] quit
[PE2-vpn-instance-vpn2] quit
[PE2] interface Vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpn1
[PE2-Vlanif100] ip address 10.2.1.1 24
[PE2-Vlanif100] quit
[PE2] interface Vlanif 300
[PE2-Vlanif300] ip binding vpn-instance vpn2
[PE2-Vlanif300] ip address 10.4.1.1 24
[PE2-Vlanif300] quit
[PE2] interface 10ge 1/0/1
[PE2-10GE1/0/1] port link-type access
[PE2-10GE1/0/1] port default vlan 100
[PE2-10GE1/0/1] quit
[PE2] interface 10ge 1/0/3
[PE2-10GE1/0/3] port link-type access
[PE2-10GE1/0/3] port default vlan 300
[PE2-10GE1/0/3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] advertise l2vpn evpn
[PE2-bgp-vpn1] quit
[PE2-bgp] ipv4-family vpn-instance vpn2
[PE2-bgp-vpn2] import-route direct
[PE2-bgp-vpn2] advertise l2vpn evpn
[PE2-bgp-vpn2] quit
[PE2-bgp] quit

Step 4 Establish an EBGP peer relationship between each PE and its connected CE.
# Configure CE1.
[CE1] interface loopback 1
[CE1-LoopBack1] ip address 192.168.11.1 32
[CE1-LoopBack1] quit
[CE1] bgp 65410
[CE1-bgp] router-id 192.168.11.1
[CE1-bgp] peer 10.1.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE3.
[CE3] interface loopback 1
[CE3-LoopBack1] ip address 192.168.33.1 32
[CE3-LoopBack1] quit
[CE3] bgp 65430
[CE3-bgp] router-id 192.168.33.1
[CE3-bgp] peer 10.3.1.1 as-number 100
[CE3-bgp] import-route direct
[CE3-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] router-id 1.1.1.1
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.2 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2] peer 10.3.1.2 as-number 65430
[PE1-bgp-vpn2] import-route direct
[PE1-bgp-vpn2] quit
[PE1-bgp] quit

# Configure CE2.
[CE2] interface loopback 1
[CE2-LoopBack1] ip address 192.168.22.1 32
[CE2-LoopBack1] quit
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.1 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure CE4.
[CE4] interface loopback 1
[CE4-LoopBack1] ip address 192.168.44.1 32
[CE4-LoopBack1] quit
[CE4] bgp 65440
[CE4-bgp] peer 10.4.1.1 as-number 100
[CE4-bgp] import-route direct
[CE4-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] router-id 3.3.3.3
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.2 as-number 65420
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
[PE2-bgp] ipv4-family vpn-instance vpn2
[PE2-bgp-vpn2] peer 10.4.1.2 as-number 65440
[PE2-bgp-vpn2] import-route direct
[PE2-bgp-vpn2] quit
[PE2-bgp] quit

After completing the configuration, run the display bgp vpnv4 vpn-instance peer
command on the PEs to check whether BGP peer relationships have been
established between the PEs and CEs. If the Established state is displayed in the
command output, the BGP peer relationships have been established successfully.
The following uses PE1 as an example to show that a peer relationship has been
established between PE1 and CE1.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer

 BGP local router ID : 1.1.1.1
 Local AS number : 100

 VPN-Instance vpn1, Router ID 1.1.1.1:
 Total number of peers : 1                 Peers in established state : 1

  Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.1.1.2        4       65410       43       47     0 00:35:32 Established       1

Step 5 Establish a BGP EVPN peer relationship between the PEs.


# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2001:DB8:3::3 as-number 100
[PE1-bgp] peer 2001:DB8:3::3 connect-interface loopback 1
[PE1-bgp] l2vpn-family evpn
[PE1-bgp-af-evpn] peer 2001:DB8:3::3 enable
[PE1-bgp-af-evpn] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 2001:DB8:1::1 as-number 100
[PE2-bgp] peer 2001:DB8:1::1 connect-interface loopback 1
[PE2-bgp] l2vpn-family evpn
[PE2-bgp-af-evpn] peer 2001:DB8:1::1 enable
[PE2-bgp-af-evpn] quit
[PE2-bgp] quit

After completing the configuration, run the display bgp evpn peer command on
the PEs to check whether a BGP EVPN peer relationship has been established
between the PEs. If the Established state is displayed in the command output, the
BGP EVPN peer relationship has been established successfully.
Step 6 Configure SRv6 BE on the PEs.
# Configure PE1.
[PE1] segment-routing ipv6
[PE1-segment-routing-ipv6] encapsulation source-address 2001:DB8:1::1
[PE1-segment-routing-ipv6] locator PE1 ipv6-prefix 2001:DB8:100:: 64 static 32
[PE1-segment-routing-ipv6-locator] opcode ::100 end-dt4 vpn-instance vpn1 evpn
[PE1-segment-routing-ipv6-locator] quit
[PE1-segment-routing-ipv6] quit
[PE1] ospfv3 1
[PE1-ospfv3-1] segment-routing ipv6 locator PE1 auto-sid-disable
[PE1-ospfv3-1] quit
[PE1] bgp 100
[PE1-bgp] l2vpn-family evpn
[PE1-bgp-af-evpn] peer 2001:DB8:3::3 advertise encap-type srv6
[PE1-bgp-af-evpn] quit
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] segment-routing ipv6 locator PE1 evpn
[PE1-bgp-vpn1] segment-routing ipv6 best-effort evpn
[PE1-bgp-vpn1] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] segment-routing ipv6
[PE2-segment-routing-ipv6] encapsulation source-address 2001:DB8:3::3
[PE2-segment-routing-ipv6] locator PE2 ipv6-prefix 2001:DB8:130:: 64 static 32
[PE2-segment-routing-ipv6-locator] opcode ::200 end-dt4 vpn-instance vpn1 evpn
[PE2-segment-routing-ipv6-locator] quit
[PE2-segment-routing-ipv6] quit
[PE2] ospfv3 1
[PE2-ospfv3-1] segment-routing ipv6 locator PE2 auto-sid-disable
[PE2-ospfv3-1] quit
[PE2] bgp 100
[PE2-bgp] l2vpn-family evpn
[PE2-bgp-af-evpn] peer 2001:DB8:1::1 advertise encap-type srv6
[PE2-bgp-af-evpn] quit
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] segment-routing ipv6 locator PE2 evpn
[PE2-bgp-vpn1] segment-routing ipv6 best-effort evpn
[PE2-bgp-vpn1] quit
[PE2-bgp] quit

Step 7 Create network slice instances and configure slice interfaces.


# The following uses PE1 as an example. The configuration of PE2 is similar to the
configuration of PE1.
[PE1] network-slice enable
[PE1] network-slice protocol-number 160
[PE1] network-slice instance 10
[PE1] network-slice instance 20

[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] network-slice 10 flex-channel 1000
[PE1-10GE1/0/1] network-slice 20 flex-channel 1000
[PE1-10GE1/0/1] quit

# Configure network slicing on the P.


[P] network-slice enable
[P] network-slice protocol-number 160
[P] network-slice instance 10
[P] network-slice instance 20
[P] interface 10ge 1/0/1
[P-10GE1/0/1] network-slice 10 flex-channel 1000
[P-10GE1/0/1] network-slice 20 flex-channel 1000
[P-10GE1/0/1] quit
[P] interface 10ge 1/0/2
[P-10GE1/0/2] network-slice 10 flex-channel 1000
[P-10GE1/0/2] network-slice 20 flex-channel 1000
[P-10GE1/0/2] quit

Step 8 Configure traffic policies to divert traffic to slices.


# Configure PE1. The configuration of PE2 is similar to the configuration of PE1.
[PE1] traffic classifier c1
[PE1-classifier-c1] if-match any
[PE1-classifier-c1] quit
[PE1] traffic behavior b1
[PE1-behavior-b1] network-slice-instance 10
[PE1-behavior-b1] quit
[PE1] traffic policy p1
[PE1-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[PE1-trafficpolicy-p1] quit
[PE1] traffic classifier c2
[PE1-classifier-c2] if-match any
[PE1-classifier-c2] quit
[PE1] traffic behavior b2
[PE1-behavior-b2] network-slice-instance 20
[PE1-behavior-b2] quit
[PE1] traffic policy p2
[PE1-trafficpolicy-p2] classifier c2 behavior b2 precedence 5
[PE1-trafficpolicy-p2] quit

Step 9 Apply the traffic policies.


The following uses PE1 as an example. The configuration of PE2 is similar to the
configuration of PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] traffic-policy p1 inbound
[PE1-vpn-instance-vpn1] quit
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] traffic-policy p2 inbound
[PE1-vpn-instance-vpn2] quit

----End

Configuration Scripts
● PE1
#
sysname PE1
#
evpn-overlay enable
#
vlan batch 100 200 300
#
ip vpn-instance vpn1

traffic-policy p1 inbound
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity evpn
vpn-target 1:1 import-extcommunity evpn
#
ip vpn-instance vpn2
traffic-policy p2 inbound
ipv4-family
route-distinguisher 100:2
vpn-target 2:2 export-extcommunity evpn
vpn-target 2:2 import-extcommunity evpn
#
traffic classifier c1 type or
if-match any
#
traffic classifier c2 type or
if-match any
#
traffic behavior b1
network-slice-instance 10
#
traffic behavior b2
network-slice-instance 20
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
traffic policy p2
classifier c2 behavior b2 precedence 5
#
network-slice instance 10
network-slice instance 20
#
segment-routing ipv6
encapsulation source-address 2001:DB8:1::1
locator PE1 ipv6-prefix 2001:DB8:100:: 64 static 32
opcode ::100 end-dt4 vpn-instance vpn1 evpn
#
ospfv3 1
router-id 1.1.1.1
segment-routing ipv6 locator PE1 auto-sid-disable
area 0.0.0.0
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:DB8:10::1/64
ospfv3 1 area 0.0.0.0
#
interface Vlanif200
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ip binding vpn-instance vpn2
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 100
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#
interface 10GE1/0/2
port link-type access
port default vlan 200
#
interface 10GE1/0/3
port link-type access

port default vlan 300
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:DB8:1::1/128
ospfv3 1 area 0.0.0.0
#
bgp 100
router-id 1.1.1.1
peer 2001:DB8:3::3 as-number 100
peer 2001:DB8:3::3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
segment-routing ipv6 locator PE1 evpn
segment-routing ipv6 best-effort evpn
peer 10.1.1.2 as-number 65410
#
ipv4-family vpn-instance vpn2
import-route direct
advertise l2vpn evpn
segment-routing ipv6 locator PE1 evpn
segment-routing ipv6 best-effort evpn
peer 10.3.1.2 as-number 65430
#
l2vpn-family evpn
undo policy vpn-target
peer 2001:DB8:3::3 enable
peer 2001:DB8:3::3 advertise encap-type srv6
#
network-slice protocol-number 160
#
return
● P
#
sysname P
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
area 0.0.0.0
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:DB8:10::2/64
ospfv3 1 area 0.0.0.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2001:DB8:20::1/64
ospfv3 1 area 0.0.0.0
#
interface 10GE1/0/1
port link-type access
port default vlan 100
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#
interface 10GE1/0/2
port link-type access
port default vlan 200
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#

interface LoopBack1
ipv6 enable
ipv6 address 2001:DB8:2::2/128
ospfv3 1 area 0.0.0.0
#
return
● PE2
#
sysname PE2
#
evpn-overlay enable
#
vlan batch 100 200 300
#
ip vpn-instance vpn1
traffic-policy p1 inbound
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity evpn
vpn-target 1:1 import-extcommunity evpn
#
ip vpn-instance vpn2
traffic-policy p2 inbound
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity evpn
vpn-target 2:2 import-extcommunity evpn
#
traffic classifier c1 type or
if-match any
#
traffic classifier c2 type or
if-match any
#
traffic behavior b1
network-slice-instance 10
#
traffic behavior b2
network-slice-instance 20
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
traffic policy p2
classifier c2 behavior b2 precedence 5
#
network-slice instance 10
network-slice instance 20
#
segment-routing ipv6
encapsulation source-address 2001:DB8:3::3
locator PE2 ipv6-prefix 2001:DB8:130:: 64 static 32
opcode ::200 end-dt4 vpn-instance vpn1 evpn
#
ospfv3 1
router-id 3.3.3.3
segment-routing ipv6 locator PE2 auto-sid-disable
area 0.0.0.0
#
interface Vlanif100
ip binding vpn-instance vpn1
ip address 10.2.1.1 255.255.255.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2001:DB8:20::2/64

ospfv3 1 area 0.0.0.0
#
interface Vlanif300
ip binding vpn-instance vpn2
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 100
#
interface 10GE1/0/2
port link-type access
port default vlan 200
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#
interface 10GE1/0/3
port link-type access
port default vlan 300
#
interface LoopBack1
ipv6 enable
ipv6 address 2001:DB8:3::3/128
ospfv3 1 area 0.0.0.0
#
bgp 100
router-id 3.3.3.3
peer 2001:DB8:1::1 as-number 100
peer 2001:DB8:1::1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
segment-routing ipv6 locator PE2 evpn
segment-routing ipv6 best-effort evpn
peer 10.2.1.2 as-number 65420
#
ipv4-family vpn-instance vpn2
import-route direct
advertise l2vpn evpn
segment-routing ipv6 locator PE2 evpn
segment-routing ipv6 best-effort evpn
peer 10.4.1.2 as-number 65440
#
l2vpn-family evpn
undo policy vpn-target
peer 2001:DB8:1::1 enable
peer 2001:DB8:1::1 advertise encap-type srv6
#
network-slice protocol-number 160
#
return
● CE1
#
sysname CE1
#
vlan batch 200
#
interface Vlanif200
ip address 10.1.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 200
#
interface LoopBack1

ip address 192.168.11.1 255.255.255.255
#
bgp 65410
peer 10.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.1 enable
#
return
● CE2
#
sysname CE2
#
vlan batch 100
#
interface Vlanif100
ip address 10.2.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 100
#
interface LoopBack1
ip address 192.168.22.1 255.255.255.255
#
bgp 65420
peer 10.2.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.1 enable
#
return
● CE3
#
sysname CE3
#
vlan batch 300
#
interface Vlanif300
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 300
#
interface LoopBack1
ip address 192.168.33.1 255.255.255.255
#
bgp 65430
peer 10.3.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.1 enable
#
return
● CE4
#
sysname CE4
#
vlan batch 300
#

interface Vlanif300
ip address 10.4.1.2 255.255.255.0
#
interface 10GE1/0/1
port link-type access
port default vlan 300
#
interface LoopBack1
ip address 192.168.44.1 255.255.255.255
#
bgp 65440
peer 10.4.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.1 enable
#
return

3.1.10.2 Example for Configuring VLAN Slicing


This section describes how to configure VLAN slicing.

Networking Requirements
As shown in Figure 3-68, PE1 and PE2 communicate through VLANs. To guarantee
the service SLAs of VLAN 10 between CE1 and CE2, a network slice (slice ID: 10)
needs to be created on the public network to carry VLAN 10's services. Likewise,
to guarantee the service SLAs of VLAN 20 between CE3 and CE4, another network
slice (slice ID: 20) needs to be created on the public network to carry VLAN 20's
services.

Figure 3-68 Network diagram for configuring VLAN slicing


NOTE

In this example, Interface1, Interface2, and Interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Precautions
To prevent VLAN slicing information from flowing into other networks and
therefore affecting traffic forwarding, configure a termination mode for VLAN
slicing at the egresses of the slices, for example, Interface2 and Interface3 of
the PEs.

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs on the devices.
2. On each PE, add Interface1 to VLAN 10 and VLAN 20, Interface2 to VLAN 10,
and Interface3 to VLAN 20.
3. On each CE, add interfaces to VLANs. Specifically, add Interface2 to VLAN 10,
and add Interface3 to VLAN 20.
4. Create network slice instances and configure a base interface on PE1 and PE2.
5. Configure traffic policies on PE1 and PE2 to divert traffic to slices.
NOTE

In this example, a traffic policy is configured on an interface. It can also be configured
globally by running the traffic-policy policy-name global inbound command.
Only the S6730-H-V2, S5755-H, and S5732-H-V2 series support the configuration of a
global traffic policy.

Procedure
Step 1 Create VLANs on the devices.

# Configure PE1. The configuration of PE2 is similar to the configuration of PE1.


<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 20

# Configure CE1. The configuration of CE2 is similar to the configuration of CE1.


<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10

# Configure CE3. The configuration of CE4 is similar to the configuration of CE3.


<HUAWEI> system-view
[HUAWEI] sysname CE3
[CE3] vlan batch 20

Step 2 Add PE interfaces to VLANs.

# Configure PE1. The configuration of PE2 is similar to the configuration of PE1.


[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] port link-type trunk
[PE1-10GE1/0/1] port trunk allow-pass vlan 10 20
[PE1-10GE1/0/1] quit
[PE1] interface 10ge 1/0/2
[PE1-10GE1/0/2] port link-type trunk
[PE1-10GE1/0/2] port trunk allow-pass vlan 10
[PE1-10GE1/0/2] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] port link-type trunk
[PE1-10GE1/0/3] port trunk allow-pass vlan 20
[PE1-10GE1/0/3] quit

After the configuration is complete, you can check information about interfaces in
the VLANs.
[PE1] display vlan 10
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------
VID Ports
--------------------------------------------------------------------------------
10 TG:10GE1/0/1(U) 10GE1/0/2(U)
VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
10 common enable default enable disable FWD FWD FWD VLAN 0010

Step 3 Add CE interfaces to VLANs.


# Configure CE1.
[CE1] interface 10ge 1/0/1
[CE1-10GE1/0/1] port link-type trunk
[CE1-10GE1/0/1] port trunk allow-pass vlan 10
[CE1-10GE1/0/1] quit

# Configure CE2.
[CE2] interface 10ge 1/0/1
[CE2-10GE1/0/1] port link-type trunk
[CE2-10GE1/0/1] port trunk allow-pass vlan 10
[CE2-10GE1/0/1] quit

# Configure CE3.
[CE3] interface 10ge 1/0/1
[CE3-10GE1/0/1] port link-type trunk
[CE3-10GE1/0/1] port trunk allow-pass vlan 20
[CE3-10GE1/0/1] quit

# Configure CE4.
[CE4] interface 10ge 1/0/1
[CE4-10GE1/0/1] port link-type trunk
[CE4-10GE1/0/1] port trunk allow-pass vlan 20
[CE4-10GE1/0/1] quit

Step 4 Create network slice instances and configure slice interfaces.


# The following uses PE1 as an example. The configuration of PE2 is similar to the
configuration of PE1.
[PE1] network-slice enable
[PE1] network-slice vlan-encapsulate enable
[PE1] network-slice instance 10
[PE1-network-slice-instance-10] quit
[PE1] network-slice instance 20
[PE1-network-slice-instance-20] quit
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] network-slice 10 flex-channel 1000
[PE1-10GE1/0/1] network-slice 20 flex-channel 1000
[PE1-10GE1/0/1] quit
[PE1] interface 10ge 1/0/2
[PE1-10GE1/0/2] network-slice 10 flex-channel 100 end-mode
[PE1-10GE1/0/2] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] network-slice 20 flex-channel 100 end-mode
[PE1-10GE1/0/3] quit

Step 5 Configure traffic policies to divert traffic to slices.


# Configure PE1. The configuration of PE2 is similar to the configuration of PE1.
[PE1] traffic classifier c1
[PE1-classifier-c1] if-match vlan 10
[PE1-classifier-c1] quit
[PE1] traffic behavior b1
[PE1-behavior-b1] network-slice-instance 10
[PE1-behavior-b1] quit
[PE1] traffic classifier c2
[PE1-classifier-c2] if-match vlan 20
[PE1-classifier-c2] quit
[PE1] traffic behavior b2
[PE1-behavior-b2] network-slice-instance 20
[PE1-behavior-b2] quit
[PE1] traffic policy p1
[PE1-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[PE1-trafficpolicy-p1] classifier c2 behavior b2 precedence 5
[PE1-trafficpolicy-p1] quit

Check the traffic policy configuration.


[PE1] display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
network-slice-instance 10
Classifier: c2
Type: OR
Behavior: b2
network-slice-instance 20

Step 6 Apply the traffic policies.


# Configure PE1.
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] traffic-policy p1 inbound
[PE1-10GE1/0/1] quit
[PE1] interface 10ge 1/0/2
[PE1-10GE1/0/2] traffic-policy p1 inbound
[PE1-10GE1/0/2] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] traffic-policy p1 inbound
[PE1-10GE1/0/3] quit

# Configure PE2.
[PE2] interface 10ge 1/0/1
[PE2-10GE1/0/1] traffic-policy p1 inbound
[PE2-10GE1/0/1] quit
[PE2] interface 10ge 1/0/2
[PE2-10GE1/0/2] traffic-policy p1 inbound
[PE2-10GE1/0/2] quit
[PE2] interface 10ge 1/0/3
[PE2-10GE1/0/3] traffic-policy p1 inbound
[PE2-10GE1/0/3] quit

Check the traffic policy configuration. The following example uses the command
output on PE1.
[PE1] display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name    Apply Parameter              Slot    State
--------------------------------------------------------------------------------
p1                  10GE1/0/1(IN)                1       success
                    10GE1/0/2(IN)                1       success
                    10GE1/0/3(IN)                1       success
--------------------------------------------------------------------------------

----End

Configuration Scripts
● PE1
#
sysname PE1
#
vlan batch 10 20
#
traffic classifier c1 type or
if-match vlan 10
#
traffic classifier c2 type or
if-match vlan 20
#
traffic behavior b1
network-slice-instance 10
#
traffic behavior b2
network-slice-instance 20
#
traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 5
#
network-slice instance 10
network-slice instance 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#
interface 10GE1/0/2
port link-type trunk
traffic-policy p1 inbound
port trunk allow-pass vlan 10
network-slice 10 flex-channel 100 end-mode
#
interface 10GE1/0/3
port link-type trunk
traffic-policy p1 inbound
port trunk allow-pass vlan 20
network-slice 20 flex-channel 100 end-mode
#
network-slice enable
#
network-slice vlan-encapsulate enable
#
return

● PE2
#
sysname PE2
#
vlan batch 10 20
#
traffic-policy p1 global inbound
#
traffic classifier c1 type or

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 573


CloudEngine S3700, S5700, and S6700 Series
Switches
Typical Configuration Examples(V600) 3 Switch Feature Configuration Examples

if-match vlan 10
#
traffic classifier c2 type or
if-match vlan 20
#
traffic behavior b1
network-slice-instance 10
#
traffic behavior b2
network-slice-instance 20
#
traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 5
#
network-slice instance 10
network-slice instance 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
network-slice 10 flex-channel 1000
network-slice 20 flex-channel 1000
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
network-slice 10 flex-channel 100 end-mode
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy p1 inbound
network-slice 20 flex-channel 100 end-mode
#
network-slice enable
#
network-slice vlan-encapsulate enable
#
return
● CE1
#
sysname CE1
#
vlan batch 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
● CE2
#
sysname CE2
#
vlan batch 10
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
● CE3
#
sysname CE3

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 574


CloudEngine S3700, S5700, and S6700 Series
Switches
Typical Configuration Examples(V600) 3 Switch Feature Configuration Examples

#
vlan batch 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return

● CE4
#
sysname CE4
#
vlan batch 20
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return
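The Precautions for this example require a termination mode at the slice egresses. As an added example, not taken from this document, the following Python audit reads a PE script in the format shown above and flags a slice bound on a non-transit interface without end-mode, a slice instance referenced by a behavior but never declared, a missing network-slice vlan-encapsulate enable, and a slice bound on a trunk that does not allow the VLAN its classifier matches. The set of transit (inter-PE) interfaces is an assumption the caller supplies, and the sample script is constructed from PE1's configuration above with end-mode deliberately dropped on 10GE1/0/3.

```python
import re

# Constructed sample: PE1's script from the VLAN slicing example, trimmed to the
# lines the audit reads, with end-mode deliberately dropped on 10GE1/0/3.
PE1_SCRIPT = """\
#
traffic classifier c1 type or
 if-match vlan 10
#
traffic classifier c2 type or
 if-match vlan 20
#
traffic behavior b1
 network-slice-instance 10
#
traffic behavior b2
 network-slice-instance 20
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
 classifier c2 behavior b2 precedence 5
#
network-slice instance 10
network-slice instance 20
#
interface 10GE1/0/1
 port trunk allow-pass vlan 10 20
 network-slice 10 flex-channel 1000
 network-slice 20 flex-channel 1000
#
interface 10GE1/0/2
 port trunk allow-pass vlan 10
 network-slice 10 flex-channel 100 end-mode
#
interface 10GE1/0/3
 port trunk allow-pass vlan 20
 network-slice 20 flex-channel 100
#
network-slice vlan-encapsulate enable
#
"""


def parse_blocks(script):
    # Split a CloudEngine script into its '#'-delimited blocks of stripped lines.
    blocks, cur = [], []
    for line in script.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.strip())
    return blocks + ([cur] if cur else [])


def audit_vlan_slicing(script, transit_ifaces):
    # transit_ifaces (assumption supplied by the caller): the inter-PE interfaces on
    # which slices pass through and must not be terminated; any other interface that
    # binds a slice is a slice egress and needs end-mode (VLAN lists only, no 'to' ranges).
    findings = []
    declared = set(re.findall(r"^network-slice instance (\d+)", script, re.M))
    if "network-slice vlan-encapsulate enable" not in script:
        findings.append("network-slice vlan-encapsulate enable is missing")
    cls_vlan, beh_slice, slice_vlan, ifaces = {}, {}, {}, {}
    for blk in parse_blocks(script):
        head, body = blk[0].split(), "\n".join(blk[1:])
        if head[:2] == ["traffic", "classifier"]:
            cls_vlan[head[2]] = set(re.findall(r"if-match vlan (\d+)", body))
        elif head[:2] == ["traffic", "behavior"]:
            beh_slice[head[2]] = re.findall(r"network-slice-instance (\d+)", body)
        elif head[:2] == ["traffic", "policy"]:
            for cls, beh in re.findall(r"classifier (\S+) behavior (\S+)", body):
                for sid in beh_slice.get(beh, []):
                    slice_vlan.setdefault(sid, set()).update(cls_vlan.get(cls, set()))
        elif head[0] == "interface":
            allowed = set(" ".join(re.findall(r"allow-pass vlan ([\d ]+)", body)).split())
            slices = dict(re.findall(r"network-slice (\d+) flex-channel \d+( end-mode)?", body))
            ifaces[head[1]] = (allowed, slices)
    for beh, sids in beh_slice.items():
        for sid in sids:
            if sid not in declared:
                findings.append(f"behavior {beh} diverts to undeclared slice {sid}")
    for name, (allowed, slices) in ifaces.items():
        for sid, end_mode in slices.items():
            for vlan in sorted(slice_vlan.get(sid, ())):
                if vlan not in allowed:
                    findings.append(f"{name}: slice {sid} carries VLAN {vlan}, which the trunk does not allow")
            if name in transit_ifaces and end_mode:
                findings.append(f"{name}: slice {sid} is terminated on a transit interface")
            if name not in transit_ifaces and not end_mode:
                findings.append(f"{name}: slice {sid} egress has no end-mode, slicing information can leak downstream")
    return findings
```

Running audit_vlan_slicing(PE1_SCRIPT, {"10GE1/0/1"}) reports only the missing end-mode on 10GE1/0/3; passing an empty transit set shows how every slice binding on 10GE1/0/1 is then treated as an unterminated egress.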

3.1.11 High Availability

3.1.11.1 VRRP

3.1.11.1.1 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission

Networking Requirements
Figure 3-69 shows a campus network on which DeviceA and DeviceB serve as egress
gateways, and DeviceC and DeviceD serve as core devices. The multicast source
connects to the campus network through routers. On this network, key nodes work
in redundancy mode to improve network reliability, and the egress gateways and
core devices are fully meshed to implement link redundancy. Configuring VRRP
enables the multicast data to be securely and reliably transmitted to
downstream networks.

Figure 3-69 Networking diagram of configuring VRRP to ensure reliable multicast
data transmission

NOTE

In this example, interface 1, interface 2, interface 3, interface 4, interface 5, and interface 6
represent 10GE1/0/1, 10GE1/0/2, 10GE1/0/3, 10GE1/0/4, 10GE1/0/5, and 10GE1/0/6,
respectively.

Device | Interface | VLAN | VLANIF Interface IP Address
DeviceA | 10GE1/0/1 | VLAN100 | 10.1.1.1/24
DeviceA | Eth-Trunk 1 (member interfaces: 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4) | VLAN 100 and VLAN 200 | VLANIF 200 is not created.
DeviceA | 10GE1/0/5 | VLAN301 | 10.1.2.1/24
DeviceA | 10GE1/0/6 | VLAN302 | 10.1.3.1/24
DeviceB | 10GE1/0/1 | VLAN100 | 10.1.1.2/24
DeviceB | Eth-Trunk 1 (member interfaces: 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4) | VLAN 100 and VLAN 200 | VLANIF 200 is not created.
DeviceB | 10GE1/0/5 | VLAN303 | 10.1.4.1/24
DeviceB | 10GE1/0/6 | VLAN304 | 10.1.5.1/24
DeviceC | 10GE1/0/1 | VLAN400 | 10.1.6.1/24
DeviceC | Eth-Trunk 1 (member interfaces: 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4) | VLAN 400 and VLAN 500 | VLANIF 500 is not created.
DeviceC | 10GE1/0/5 | VLAN301 | 10.1.2.2/24
DeviceC | 10GE1/0/6 | VLAN304 | 10.1.5.2/24
DeviceD | 10GE1/0/1 | VLAN400 | 10.1.6.2/24
DeviceD | Eth-Trunk 1 (member interfaces: 10GE1/0/2, 10GE1/0/3, and 10GE1/0/4) | VLAN 400 and VLAN 500 | VLANIF 500 is not created.
DeviceD | 10GE1/0/5 | VLAN303 | 10.1.4.2/24
DeviceD | 10GE1/0/6 | VLAN302 | 10.1.3.2/24

Precautions
1. VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
2. Devices in a VRRP group must be configured with the same VRID.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure link aggregation. Configure link aggregation between DeviceA and
DeviceB, and between DeviceC and DeviceD to ensure that VRRP packets can
be exchanged and VRRP can run properly.
2. Configure VLANs. Create VLANs on the devices and add their interfaces to
respective VLANs. Configure IP addresses for the corresponding VLANIF
interfaces to make local network segments reachable.
NOTE

The Spanning Tree Protocol (STP) is enabled on Layer 2 interfaces of a device by
default. On a Layer 2 ring network, STP blocks an interface to prevent loops. In this
example, DeviceC, DeviceD, and the downstream Layer 2 switch form a Layer 2 ring
network. To enable load balancing among OSPF routes, you are advised to disable STP
on DeviceC's and DeviceD's Layer 2 interfaces connected to the Layer 2 switch.
Additionally, you can configure Smart Link on the Layer 2 switch to implement load
balancing between links while preventing broadcast storms on the Layer 2 ring
network.
3. Configure OSPF. Configure OSPF on the devices to ensure reachable routes
between them.
4. Configure VRRP groups. Configure a VRRP group between DeviceA and
DeviceB and another one between DeviceC and DeviceD to ensure reliable
multicast data forwarding. The VRRP groups implement load balancing for
unicast traffic to reduce loads of links that transmit multicast and unicast
data simultaneously.
5. Configure a multicast protocol. Configure a multicast protocol on the devices
to ensure normal multicast data forwarding.
6. Configure BFD for OSPF and BFD for PIM to ensure that the devices can
quickly detect link faults and implement fast route convergence.

Procedure
1. Configure link aggregation. On DeviceA, create an Eth-Trunk interface and
add a member interface to it. The configurations of DeviceB, DeviceC, and
DeviceD are similar to the configuration of DeviceA. For detailed
configurations, see Configuration Scripts.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/2 to 1/0/4
[DeviceA-Eth-Trunk1] quit

2. Configure VLANs.
a. On DeviceA, create VLANs and add interfaces to them. The configurations
of DeviceB, DeviceC, and DeviceD are similar to the configuration of
DeviceA. For detailed configurations, see Configuration Scripts.
[DeviceA] vlan batch 100 200 301 302
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 100
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/5
[DeviceA-10GE1/0/5] port link-type trunk
[DeviceA-10GE1/0/5] port trunk allow-pass vlan 301

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 578


CloudEngine S3700, S5700, and S6700 Series
Switches
Typical Configuration Examples(V600) 3 Switch Feature Configuration Examples

[DeviceA-10GE1/0/5] quit
[DeviceA] interface 10ge 1/0/6
[DeviceA-10GE1/0/6] port link-type trunk
[DeviceA-10GE1/0/6] port trunk allow-pass vlan 302
[DeviceA-10GE1/0/6] quit
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] port link-type trunk
[DeviceA-Eth-Trunk1] port trunk allow-pass vlan 100 200
[DeviceA-Eth-Trunk1] quit

b. On DeviceA, configure IP addresses for Layer 3 interfaces. The
configurations of DeviceB, DeviceC, and DeviceD are similar to the
configuration of DeviceA. For detailed configurations, see Configuration
Scripts.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 10.1.1.1 24
[DeviceA-Vlanif100] quit
[DeviceA] interface vlanif 301
[DeviceA-Vlanif301] ip address 10.1.2.1 24
[DeviceA-Vlanif301] quit
[DeviceA] interface vlanif 302
[DeviceA-Vlanif302] ip address 10.1.3.1 24
[DeviceA-Vlanif302] quit
[DeviceA] interface loopback 1
[DeviceA-LoopBack1] ip address 10.10.1.1 32
[DeviceA-LoopBack1] quit

3. Configure OSPF. Enable OSPF on DeviceA, add the device to area 0, and
advertise local network segments in area 0. The configurations of DeviceB,
DeviceC, and DeviceD are similar to the configuration of DeviceA. For detailed
configurations, see Configuration Scripts.
[DeviceA] ospf
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit

4. Configure VRRP groups.
a. Configure VRRP group 1 on DeviceA and DeviceB. Configure DeviceA as
the master and DeviceB as the backup.
# Configure DeviceA.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253
[DeviceA-Vlanif100] vrrp vrid 1 priority 120
[DeviceA-Vlanif100] vrrp vrid 1 preempt timer delay 20
[DeviceA-Vlanif100] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface vlanif 100
[DeviceB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253
[DeviceB-Vlanif100] quit

b. Configure VRRP group 2 on DeviceA and DeviceB. Configure DeviceB as
the master and DeviceA as the backup.
# Configure DeviceA.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254
[DeviceA-Vlanif100] quit

# Configure DeviceB.
[DeviceB] interface vlanif 100
[DeviceB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254
[DeviceB-Vlanif100] vrrp vrid 2 priority 120
[DeviceB-Vlanif100] vrrp vrid 2 preempt timer delay 20
[DeviceB-Vlanif100] quit

The configurations of DeviceC and DeviceD are similar to the configurations
of DeviceA and DeviceB. For detailed configurations, see Configuration Scripts.
5. Configure a multicast protocol.
# Enable multicast routing on DeviceA. The configuration of DeviceB is similar
to the configuration of DeviceA. For detailed configurations, see Configuration
Scripts.
[DeviceA] multicast routing-enable
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] pim sm
[DeviceA-Vlanif100] quit
[DeviceA] interface vlanif 301
[DeviceA-Vlanif301] pim sm
[DeviceA-Vlanif301] quit
[DeviceA] interface vlanif 302
[DeviceA-Vlanif302] pim sm
[DeviceA-Vlanif302] quit
[DeviceA] interface loopback 1
[DeviceA-LoopBack1] pim sm
[DeviceA-LoopBack1] quit

# Enable multicast routing, IGMP, and dynamic RP on DeviceC. The
configuration of DeviceD is similar to the configuration of DeviceC. For
detailed configurations, see Configuration Scripts.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] multicast routing-enable
[DeviceC] interface vlanif 400
[DeviceC-Vlanif400] pim sm
[DeviceC-Vlanif400] igmp enable
[DeviceC-Vlanif400] quit
[DeviceC] interface vlanif 301
[DeviceC-Vlanif301] pim sm
[DeviceC-Vlanif301] quit
[DeviceC] interface vlanif 304
[DeviceC-Vlanif304] pim sm
[DeviceC-Vlanif304] quit
[DeviceC] interface loopback 1
[DeviceC-LoopBack1] pim sm
[DeviceC-LoopBack1] quit
[DeviceC] pim
[DeviceC-pim] c-bsr loopback 1
[DeviceC-pim] c-rp loopback 1
[DeviceC-pim] quit

6. Configure BFD.
a. Enable BFD globally on DeviceA. The configurations of DeviceB, DeviceC,
and DeviceD are similar to the configuration of DeviceA. For detailed
configurations, see Configuration Scripts.
[DeviceA] bfd
[DeviceA-bfd] quit

b. Configure BFD for OSPF on DeviceA. The configurations of DeviceB,
DeviceC, and DeviceD are similar to the configuration of DeviceA. For
detailed configurations, see Configuration Scripts.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ospf bfd enable
[DeviceA-Vlanif100] quit
[DeviceA] interface vlanif 301
[DeviceA-Vlanif301] ospf bfd enable
[DeviceA-Vlanif301] quit
[DeviceA] interface vlanif 302
[DeviceA-Vlanif302] ospf bfd enable
[DeviceA-Vlanif302] quit

c. Configure BFD for PIM on DeviceA. The configurations of DeviceB,
DeviceC, and DeviceD are similar to the configuration of DeviceA. For
detailed configurations, see Configuration Scripts.
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] pim bfd enable
[DeviceA-Vlanif100] quit
[DeviceA] interface vlanif 301
[DeviceA-Vlanif301] pim bfd enable
[DeviceA-Vlanif301] quit
[DeviceA] interface vlanif 302
[DeviceA-Vlanif302] pim bfd enable
[DeviceA-Vlanif302] quit

Verifying the Configuration


1. Verify the configuration of link aggregation.
# Run the display eth-trunk 1 command on DeviceA. The command output
shows that Eth-Trunk 1 has three member interfaces: 10GE1/0/2, 10GE1/0/3,
and 10GE1/0/4. All the member interfaces are in the Up state. The process to
verify the configuration on DeviceB, DeviceC, and DeviceD is similar to that on
DeviceA.
[DeviceA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
10GE1/0/2 Up 1
10GE1/0/3 Up 1
10GE1/0/4 Up 1

2. Verify the VRRP configuration.
# Run the display vrrp verbose command on DeviceA. The command output
shows that DeviceA is the master device in VRRP group 1 and the backup
device in VRRP group 2.
[DeviceA] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Backup
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
# Run the display vrrp verbose command on DeviceB. The command output
shows that DeviceB is the backup device in VRRP group 1 and the master
device in VRRP group 2.
[DeviceB] display vrrp verbose
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Master
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
The process to verify the configuration on DeviceC and DeviceD is similar to
that on DeviceA and DeviceB.
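The two display vrrp verbose outputs above can be checked mechanically rather than by eye. The following Python is an added example and is not part of this Huawei document: it parses the output format shown, re-derives the expected Master/Backup role from the priorities (120 on the intended master, the default 100 on the other device, higher primary IP address as the tie-break), and reports any group whose Auth type field is NONE, which is what both outputs above show. The sample input is DeviceA's output copied from above; the names parse_vrrp_verbose, expected_state and audit_vrrp are chosen for this example.

```python
import re
from ipaddress import ip_address

# The display vrrp verbose output from DeviceA shown above, embedded as sample input.
DEVICEA_VRRP_OUTPUT = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Backup
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
"""

HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)$")
PREEMPT = re.compile(r"^Preempt : (\w+) Delay Time : (\d+) s$")


def parse_vrrp_verbose(text):
    """Return {vrid: {field: value}} for every virtual router block in the output."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {"Interface": m.group(1)}
            groups[int(m.group(2))] = current
            continue
        if current is None:
            continue
        m = PREEMPT.match(line)
        if m:  # two fields share this line in the output
            current["Preempt"] = m.group(1)
            current["Delay Time"] = int(m.group(2))
            continue
        key, sep, value = line.partition(" : ")
        if sep:
            value = value.strip()
            current[key.strip()] = int(value) if value.isdigit() else value
    return groups


def expected_state(local_priority, local_ip, peer_priority, peer_ip):
    """VRRP election rule: the higher priority becomes Master; on equal
    priorities the router with the higher primary IP address wins."""
    if local_priority != peer_priority:
        return "Master" if local_priority > peer_priority else "Backup"
    return "Master" if ip_address(local_ip) > ip_address(peer_ip) else "Backup"


def audit_vrrp(text, expected_roles):
    """Compare the parsed State of each VRID with the intended role and flag
    groups running without authentication (Auth type NONE)."""
    groups = parse_vrrp_verbose(text)
    findings = []
    for vrid, role in expected_roles.items():
        g = groups.get(vrid)
        if g is None:
            findings.append(f"VRID {vrid}: missing from output")
            continue
        if g.get("State") != role:
            findings.append(f"VRID {vrid}: state {g.get('State')}, expected {role}")
        if g.get("Auth type") == "NONE":
            findings.append(f"VRID {vrid}: no VRRP authentication configured")
    return findings
```

Running audit_vrrp on DeviceA's output with the roles intended in step 4 ({1: "Master", 2: "Backup"}) yields no role mismatch and two authentication findings; a regression such as DeviceB having pre-empted group 1 would show up as a state mismatch for VRID 1.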
3. Verify the OSPF configuration.
# Run the display ip routing-table command on DeviceA. The command
output shows that there are two IP routes to 10.1.6.0/24, implementing load
balancing of unicast traffic.
[DeviceA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 18

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.253/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.254/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif301
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif301
10.1.3.0/24 Direct 0 0 D 10.1.3.1 Vlanif302
10.1.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif302
10.1.4.0/24 OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.5.0/24 OSPF 10 2 D 10.1.2.2 Vlanif301
10.1.6.0/24 OSPF 10 2 D 10.1.2.2 Vlanif301
OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.6.253/32 OSPF 10 2 D 10.1.2.2 Vlanif301
OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.6.254/32 OSPF 10 2 D 10.1.3.2 Vlanif302
OSPF 10 2 D 10.1.2.2 Vlanif301
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

The process to verify the configuration on DeviceB, DeviceC, and DeviceD is
similar to that on DeviceA.
4. Verify the multicast protocol configuration.
# Run the display pim routing-table command on DeviceB and DeviceD. The
command output shows that PIM routing entries have been created for group
225.0.0.10.
NOTE

● According to the dynamic RP election rules, if C-RP interfaces have the same IP
address mask, priority, and hash calculation result, the interface with a larger IP
address is selected as the RP interface. Therefore, Loopback1 of DeviceD becomes
the RP interface.
● According to the reverse path check (RPF) rules, if two equal-cost optimal routes
are available in the IP routing table, the route with a larger next hop address is
selected as the RPF route. Therefore, DeviceD selects the route with the next hop
address 10.1.4.1 and destination network segment 10.1.1.0/24 as the RPF route to
the destination network segment 10.1.1.0/24.
[DeviceB] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif100
Upstream neighbor: 10.1.1.3
RPF prime neighbor: 10.1.1.3
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif303
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
[DeviceD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif303
Upstream neighbor: 10.1.4.1
RPF prime neighbor: 10.1.4.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif400
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
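The NOTE above states two selection rules that explain the outputs: the RPF route is chosen among equal-cost routes by the larger next hop address, and the RP is chosen among otherwise equal C-RPs by the larger address. The following Python is an added example, not code from this Huawei document, that applies both rules to this example's addresses. DeviceD's routing table is not shown above, so DEVICED_ROUTES is constructed from the addresses in the Configuration Scripts (two equal-cost OSPF routes to 10.1.1.0/24, via DeviceA at 10.1.3.1 and via DeviceB at 10.1.4.1); the C-RP group range 224.0.0.0/4 and priority 0 are assumed defaults, since the scripts configure neither. The hash step of RP election depends on the group and each C-RP address and is computed by the routers; the hash_value parameter lets a caller supply it, and the default treats all candidates as tied, which is the situation the NOTE describes.

```python
from ipaddress import ip_address, ip_network

# Constructed model of DeviceD's routing table (not shown in the document), in the
# column order of display ip routing-table:
# (Destination/Mask, Proto, Pre, Cost, NextHop, Interface)
DEVICED_ROUTES = [
    ("10.1.1.0/24", "OSPF", 10, 2, "10.1.3.1", "Vlanif302"),  # via DeviceA
    ("10.1.1.0/24", "OSPF", 10, 2, "10.1.4.1", "Vlanif303"),  # via DeviceB
    ("10.1.3.0/24", "Direct", 0, 0, "10.1.3.2", "Vlanif302"),
    ("10.1.4.0/24", "Direct", 0, 0, "10.1.4.2", "Vlanif303"),
    ("10.1.6.0/24", "Direct", 0, 0, "10.1.6.2", "Vlanif400"),
]


def select_rpf_route(routes, address):
    """Unicast lookup used for RPF: longest prefix, then lowest preference,
    then lowest cost. Among the remaining equal-cost routes the one with the
    larger next hop address wins, the tie-break the NOTE above describes."""
    target = ip_address(address)
    candidates = [r for r in routes if target in ip_network(r[0])]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ip_network(r[0]).prefixlen, -r[2], -r[3], int(ip_address(r[4]))),
    )


def rpf_check(routes, source, arrival_interface):
    """A multicast packet passes the RPF check only if it arrived on the
    interface the RPF route points out of; anything else is dropped, which is
    what prevents the same source being accepted over both equal-cost paths."""
    route = select_rpf_route(routes, source)
    return route is not None and route[5] == arrival_interface


# Constructed C-RP set from the Configuration Scripts: DeviceC and DeviceD each
# advertise LoopBack1 as a C-RP. Group range and priority are assumed defaults.
C_RPS = [
    # (C-RP address, advertised group range, priority; a lower value is preferred)
    ("10.3.3.3", "224.0.0.0/4", 0),
    ("10.4.4.4", "224.0.0.0/4", 0),
]


def elect_rp(c_rps, group, hash_value=lambda rp_addr: 0):
    """RP election for one group in the order the NOTE gives: longest
    group-range mask, then better (lower) priority, then larger hash result,
    then larger C-RP address. hash_value is supplied by the caller; the
    default treats every candidate as tied on the hash."""
    g = ip_address(group)
    eligible = [c for c in c_rps if g in ip_network(c[1])]
    if not eligible:
        return None
    winner = max(
        eligible,
        key=lambda c: (ip_network(c[1]).prefixlen, -c[2], hash_value(c[0]), int(ip_address(c[0]))),
    )
    return winner[0]
```

For the source-side segment 10.1.1.0/24 the model picks next hop 10.1.4.1 out of Vlanif303, matching the upstream interface and neighbor in DeviceD's display pim routing-table output, and elects 10.4.4.4 as RP, matching the RP field in both outputs.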

5. Verify the BFD configuration.
a. Run the display ospf bfd session all command on DeviceA. The
command output shows that OSPF BFD sessions have been successfully
set up.
[DeviceA] display ospf bfd session all
OSPF Process 1 with Router ID 10.10.1.1

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:10.2.2.2 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8196 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:5.5.5.5 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:4 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.3 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.2.1(Vlanif301)'s BFD Sessions

NeighborId:10.3.3.3 AreaId:0.0.0.0 Interface: Vlanif301
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.2.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.3.1(Vlanif302)'s BFD Sessions

NeighborId:10.4.4.4 AreaId:0.0.0.0 Interface: Vlanif302
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.3.2 Diagnostic Info:No diagnostic information

The process to verify the configuration on DeviceB, DeviceC, and DeviceD
is similar to that on DeviceA.
b. Run the display pim bfd session command on DeviceA. The command
output shows that PIM BFD sessions have been successfully set up.
[DeviceA] display pim bfd session
VPN-Instance: public net
Total 4 BFD session Created

Vlanif100 (10.1.1.1): Total 2 BFD session Created

Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.1.2 1000 1000 3 8192/8192 Up
10.1.1.3 1000 1000 3 8191/8191 Up

Vlanif301 (10.1.2.1): Total 1 BFD session Created

Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.2.2 1000 1000 3 8193/8193 Up

Vlanif302 (10.1.3.1): Total 1 BFD session Created

Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.3.2 1000 1000 3 8194/8194 Up

The process to verify the configuration on DeviceB, DeviceC, and DeviceD
is similar to that on DeviceA.

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 100 200 301 302
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt timer delay 20
vrrp vrid 2 virtual-ip 10.1.1.254
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif301
ip address 10.1.2.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif302
ip address 10.1.3.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
trunkport 10GE1/0/2 to 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 301
#
interface 10GE1/0/6
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 100 200 303 304
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 2 virtual-ip 10.1.1.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt timer delay 20
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
trunkport 10GE1/0/2 to 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 303
#
interface 10GE1/0/6
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.2.2.2 0.0.0.0
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 301 304 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif301
ip address 10.1.2.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt timer delay 20
vrrp vrid 2 virtual-ip 10.1.6.254
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
trunkport 10GE1/0/2 to 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 301
#
interface 10GE1/0/6
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.3.3.3 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
● DeviceD
#
sysname DeviceD
#
vlan batch 302 303 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif302
ip address 10.1.3.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 2 virtual-ip 10.1.6.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt timer delay 20
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
trunkport 10GE1/0/2 to 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface 10GE1/0/2
eth-trunk 1
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
port link-type trunk
port trunk allow-pass vlan 303
#
interface 10GE1/0/6
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.4.4.4 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return

3.1.11.2 M-LAG

3.1.11.2.1 Example for Configuring Dual-Homing of a Device to a Layer 2 Network Through an M-LAG in Root Bridge Mode

Networking Requirements
In Figure 3-70, a server is dual-homed to a Layer 2 network through an M-LAG.
As link aggregation between hosts and access devices only achieves link-level
reliability, a fault on an access device may cause service interruption. As such, this
cannot fulfill service reliability requirements. To address this problem, an M-LAG
can be configured. When both M-LAG master and backup devices work properly,
traffic is load balanced to them. In addition, services will not be affected if any of
the two devices fails. As such, high service reliability is ensured. On an Ethernet
network, a blocked interface cannot transmit DAD packets between M-LAG
master and backup devices; therefore, a DFS group is configured and bound to the
IP address of the Ethernet management interface on each of the two devices to
ensure normal forwarding of DAD packets.

Figure 3-70 Configuring dual-homing of a device to a Layer 2 network using an M-LAG
NOTE

In this example, interface 1, interface 2, interface 3, interface 4, interface 5, interface 6, and
interface 7 on DeviceA represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, 10GE
1/0/5, 10GE 1/0/7, and MEth 0/0/0, respectively.
In this example, interface 1, interface 2, interface 3, interface 4, interface 5, interface 6, and
interface 7 on DeviceB represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, 10GE
1/0/5, 10GE 1/0/7, and MEth 0/0/0, respectively.
In this example, interface 1 and interface 2 on DeviceC represent 10GE 1/0/1 and 10GE
1/0/2, respectively.
In this example, interface 1 and interface 2 on DeviceD represent 10GE 1/0/1 and 10GE
1/0/2, respectively.

Configuration Roadmap
1. Configure DeviceA and DeviceB as root bridges with the same bridge MAC
address to ensure that both devices function as the root bridge on the Layer 2
network.
2. Configure IP addresses for the Ethernet management interface on DeviceA
and DeviceB to ensure their Layer 3 connectivity so that DAD packets can be
forwarded between them.
3. Configure M-LAG on DeviceA and DeviceB so that the server can be dual-
homed to the M-LAG set up by DeviceA and DeviceB.

Procedure
Step 1 Configure DeviceA and DeviceB as root bridges with the same bridge MAC
address.
NOTE

If the downstream device dual-homed to the M-LAG member devices is a network device, root
protection must be configured.

# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp root primary
[DeviceA] stp bridge-address 00e0-fc12-3458 //Configure the bridge MAC address of the root bridge (MAC address of the M-LAG master device).
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/2
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/5
[DeviceA-Eth-Trunk1] stp edged-port enable
[DeviceA-Eth-Trunk1] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp root primary
[DeviceB] stp bridge-address 00e0-fc12-3458 //Configure the bridge MAC address of the root bridge.
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/2
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/5
[DeviceB-Eth-Trunk1] stp edged-port enable
[DeviceB-Eth-Trunk1] quit

Step 2 Configure an IP address for the Ethernet management interface on DeviceA and
DeviceB, respectively.
Ensure that DeviceA and DeviceB can communicate at Layer 3 through their
Ethernet management interfaces.
# Configure DeviceA.
[DeviceA] interface meth 0/0/0
[DeviceA-MEth0/0/0] ip address 10.1.1.1 24
[DeviceA-MEth0/0/0] quit

# Configure DeviceB.
[DeviceB] interface meth 0/0/0
[DeviceB-MEth0/0/0] ip address 10.1.1.2 24
[DeviceB-MEth0/0/0] quit

Step 3 Create a DFS group on DeviceA and DeviceB and bind the IP address of the
Ethernet management interface on each of the two devices to the DFS group.
# Configure DeviceA.
[DeviceA] dfs-group 1
[DeviceA-dfs-group-1] dual-active detection source ip 10.1.1.1 peer 10.1.1.2
[DeviceA-dfs-group-1] priority 150
[DeviceA-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceA-dfs-group-1] quit

# Configure DeviceB.
[DeviceB] dfs-group 1
[DeviceB-dfs-group-1] dual-active detection source ip 10.1.1.2 peer 10.1.1.1
[DeviceB-dfs-group-1] priority 120
[DeviceB-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceB-dfs-group-1] quit

Step 4 Configure a peer-link between DeviceA and DeviceB.
# Configure DeviceA.
[DeviceA] interface eth-trunk 0
[DeviceA-Eth-Trunk0] mode lacp-static
[DeviceA-Eth-Trunk0] trunkport 10ge 1/0/3
[DeviceA-Eth-Trunk0] trunkport 10ge 1/0/4
[DeviceA-Eth-Trunk0] undo stp enable
[DeviceA-Eth-Trunk0] peer-link 1
[DeviceA-Eth-Trunk0] quit

# Configure DeviceB.
[DeviceB] interface eth-trunk 0
[DeviceB-Eth-Trunk0] mode lacp-static
[DeviceB-Eth-Trunk0] trunkport 10ge 1/0/3
[DeviceB-Eth-Trunk0] trunkport 10ge 1/0/4
[DeviceB-Eth-Trunk0] undo stp enable
[DeviceB-Eth-Trunk0] peer-link 1
[DeviceB-Eth-Trunk0] quit

Step 5 Add the Eth-Trunk interfaces connecting DeviceA to the server and DeviceB to the
server to VLAN 11 and bind the interfaces to the DFS group.

The uplink interfaces that connect the server to DeviceA and DeviceB must be
added to an Eth-Trunk interface, and the working mode of the Eth-Trunk interface
must be the same as that of the Eth-Trunk interfaces on both devices. In this
example, the Eth-Trunk interfaces on both devices are configured to work in static
LACP mode.
# Configure DeviceA.
[DeviceA] vlan batch 11
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] mode lacp-static
[DeviceA-Eth-Trunk1] port link-type access
[DeviceA-Eth-Trunk1] port default vlan 11
[DeviceA-Eth-Trunk1] dfs-group 1 m-lag 1
[DeviceA-Eth-Trunk1] quit

# Configure DeviceB.
[DeviceB] vlan batch 11
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] mode lacp-static
[DeviceB-Eth-Trunk1] port link-type access
[DeviceB-Eth-Trunk1] port default vlan 11
[DeviceB-Eth-Trunk1] dfs-group 1 m-lag 1
[DeviceB-Eth-Trunk1] quit

Step 6 Configure the link between DeviceA and DeviceC and the link between DeviceB
and DeviceD, and configure the interface type and allowed VLAN.
# Configure DeviceA.
[DeviceA] interface eth-trunk 2
[DeviceA-Eth-Trunk2] mode lacp-static
[DeviceA-Eth-Trunk2] port link-type trunk
[DeviceA-Eth-Trunk2] port trunk allow-pass vlan 11
[DeviceA-Eth-Trunk2] trunkport 10ge 1/0/1
[DeviceA-Eth-Trunk2] trunkport 10ge 1/0/7
[DeviceA-Eth-Trunk2] quit

# Configure DeviceB.
[DeviceB] interface eth-trunk 2
[DeviceB-Eth-Trunk2] mode lacp-static
[DeviceB-Eth-Trunk2] port link-type trunk
[DeviceB-Eth-Trunk2] port trunk allow-pass vlan 11
[DeviceB-Eth-Trunk2] trunkport 10ge 1/0/1
[DeviceB-Eth-Trunk2] trunkport 10ge 1/0/7
[DeviceB-Eth-Trunk2] quit

# Configure DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 11
[DeviceC] interface eth-trunk 2
[DeviceC-Eth-Trunk2] mode lacp-static
[DeviceC-Eth-Trunk2] port link-type trunk
[DeviceC-Eth-Trunk2] port trunk allow-pass vlan 11
[DeviceC-Eth-Trunk2] trunkport 10ge 1/0/1
[DeviceC-Eth-Trunk2] trunkport 10ge 1/0/2
[DeviceC-Eth-Trunk2] quit

# Configure DeviceD.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] vlan batch 11
[DeviceD] interface eth-trunk 2
[DeviceD-Eth-Trunk2] mode lacp-static
[DeviceD-Eth-Trunk2] port link-type trunk
[DeviceD-Eth-Trunk2] port trunk allow-pass vlan 11
[DeviceD-Eth-Trunk2] trunkport 10ge 1/0/1
[DeviceD-Eth-Trunk2] trunkport 10ge 1/0/2
[DeviceD-Eth-Trunk2] quit

----End
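Step 3 enables authentication-mode hmac-sha256 on the DFS group, so the DAD packets the two devices exchange over their management interfaces carry a keyed tag derived from the shared password; a peer that does not hold the password cannot produce a tag that verifies, and any alteration of the fields in transit invalidates it. The following Python is an added illustration of that mechanism and is not Huawei's implementation or DAD packet format: the JSON field layout, the use of the password bytes directly as the HMAC key, and the sequence-number replay check are assumptions of this example. The key value is the password from Step 3 above.

```python
import hashlib
import hmac
import json

# Shared secret from Step 3 above. Using it directly as the HMAC key is an
# assumption of this illustration, not how the device derives its key.
SHARED_KEY = b"YsHsjx_202206"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_dad_message(dfs_group, source_ip, peer_ip, priority, seq, key=SHARED_KEY):
    """Serialise the heartbeat fields (assumed layout) and append HMAC-SHA256(key, body)."""
    body = json.dumps(
        {"dfs_group": dfs_group, "src": source_ip, "peer": peer_ip,
         "priority": priority, "seq": seq},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_dad_message(packet, key=SHARED_KEY, last_seq=None):
    """Return the decoded fields if the tag verifies (and, when last_seq is
    given, the sequence number moves forward); return None for any failure so
    a forged, altered or replayed heartbeat is never acted on."""
    if len(packet) <= TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        fields = json.loads(body)
    except ValueError:
        return None
    if last_seq is not None and fields.get("seq", -1) <= last_seq:
        return None
    return fields
```

The verifier rejects a message whose key differs (a peer configured with a different password, as would happen if only one side of the DFS group were updated), a message with any flipped byte, and a repeated sequence number; only a fresh, correctly tagged heartbeat is returned as parsed fields.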

Verifying the Configuration

# Display information about the M-LAG with DFS group ID 1.
[DeviceA] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID :1
Priority : 150
Dual-active Address : 10.1.1.1
VPN-Instance : public net
State : Master
Causation :-
System ID : 00e0-fc12-3456
SysName : DeviceA
Version : V600R023C00
Device Type : S6730-H-V2
Node 2
Dfs-Group ID :1
Priority : 120
Dual-active Address : 10.1.1.2
VPN-Instance : public net
State : Backup
Causation :-
System ID : 00e0-fc12-3457
SysName : DeviceB
Version : V600R023C00
Device Type : S6730-H-V2

In the preceding command output, the Heart beat state field displays OK,
indicating that the heartbeat status is normal. DeviceA is node 1 with a priority of
150 and serves as the M-LAG master device (the State field displays Master),
whereas DeviceB is node 2 with a priority of 120 and serves as the M-LAG backup
device (the State field displays Backup). In addition, the Causation field displays
-, indicating that the M-LAG is set up successfully.
# Display M-LAG information on DeviceA.
[DeviceA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 1 Up active(*)-active --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

# Display M-LAG information on DeviceB.
[DeviceB] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 1 Up active-active(*) --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

In the preceding command outputs, the Port State fields of node 1 and node 2
display Up, and the M-LAG status of node 1 and node 2 is active, indicating that
the M-LAG configuration is correct.
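The Consistency-check column above shows -- because the ten attributes listed under Failed reason match on both members. The following Python is an added example, not Huawei's consistency-check code: it models each member's M-LAG interface as a set of attributes, compares them pairwise, and returns the failure codes from the list above for any that differ. The values come from Eth-Trunk1 in the Configuration Scripts below; the mapping from each code to an attribute name, and the placeholder values for settings the scripts leave at their defaults (STP port priority, LACP system-id and priority, M-LAG mode), are constructed for this example.

```python
# The ten consistency-check failure codes listed in the command output above.
FAILED_REASONS = {
    1: "Relationship between vlan and port is inconsistent",
    2: "STP configuration under the port is inconsistent",
    3: "STP port priority configuration is inconsistent",
    4: "LACP mode of M-LAG is inconsistent",
    5: "M-LAG configuration is inconsistent",
    6: "The number of M-LAG members is inconsistent",
    7: "LACP system-id of M-LAG is inconsistent",
    8: "LACP priority of M-LAG is inconsistent",
    9: "STP port edged configuration is inconsistent",
    10: "M-LAG mode configuration is inconsistent",
}

# Assumed mapping from each code to the interface attribute it compares.
CODE_TO_FIELD = {
    1: "vlans", 2: "stp_enabled", 3: "stp_port_priority", 4: "lacp_mode",
    5: "mlag_binding", 6: "member_count", 7: "lacp_system_id",
    8: "lacp_priority", 9: "stp_edged_port", 10: "mlag_mode",
}

# Eth-Trunk1 on each member as configured in the Configuration Scripts.
# Attributes the scripts do not set carry constructed placeholder values.
DEVICEA_ETH_TRUNK1 = {
    "vlans": frozenset({11}),           # port default vlan 11
    "stp_enabled": True,                # STP left enabled on the member interface
    "stp_port_priority": 128,           # placeholder default
    "lacp_mode": "lacp-static",         # mode lacp-static
    "mlag_binding": (1, 1),             # dfs-group 1 m-lag 1
    "member_count": 2,                  # 10GE1/0/2 and 10GE1/0/5
    "lacp_system_id": "placeholder-sysid",
    "lacp_priority": 32768,             # placeholder default
    "stp_edged_port": True,             # stp edged-port enable
    "mlag_mode": "placeholder-mode",
}
DEVICEB_ETH_TRUNK1 = dict(DEVICEA_ETH_TRUNK1)  # DeviceB's script configures Eth-Trunk1 identically


def consistency_check(local, peer):
    """Return the sorted failure codes for every attribute that differs between
    the two members' M-LAG interfaces; an empty list corresponds to "--"."""
    return sorted(
        code for code, field in CODE_TO_FIELD.items()
        if local.get(field) != peer.get(field)
    )


def format_status(codes):
    """Render "--" for a clean check, otherwise each code with its reason text."""
    if not codes:
        return "--"
    return "; ".join(f"{c} -- {FAILED_REASONS[c]}" for c in codes)
```

Changing a single attribute on one member, for instance removing stp edged-port enable from DeviceB's Eth-Trunk1, produces code 9 from consistency_check, which is the condition the output above would report instead of --.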

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.1.1.1 peer 10.1.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp bridge-address 00e0-fc12-3458
stp root primary
#
interface MEth0/0/0
ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk0
mode lacp-static
stp disable
peer-link 1
#
interface Eth-Trunk1
port default vlan 11
stp edged-port enable
mode lacp-static
dfs-group 1 m-lag 1
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/7
eth-trunk 2
#
interface 10GE1/0/3
eth-trunk 0
#
interface 10GE1/0/4
eth-trunk 0
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
return
● DeviceB
#
sysname DeviceB
#
dfs-group 1
priority 120
dual-active detection source ip 10.1.1.2 peer 10.1.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!=I9f8>C{!P_bhB31@7r-=jrS8c|_"(Bn~#[email protected](wAt/IQXl6>[g{6YlOi9$!!!!!!!!!!%+%#
#
vlan batch 11
#
stp bridge-address 00e0-fc12-3458
stp root primary
#
interface MEth0/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk0
mode lacp-static
stp disable
peer-link 1
#
interface Eth-Trunk1
port default vlan 11
stp edged-port enable
mode lacp-static
dfs-group 1 m-lag 1
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/7
eth-trunk 2
#
interface 10GE1/0/3
eth-trunk 0
#
interface 10GE1/0/4
eth-trunk 0
#
interface 10GE1/0/5
eth-trunk 1
#
interface 10GE1/0/2
eth-trunk 1
#
return
● DeviceC
#
sysname DeviceC
#
vlan batch 11
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 11
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 2
#
interface 10GE1/0/2
eth-trunk 2
#
return

3.1.11.2.2 Example for Configuring Dual-Homing of a Device to a Layer 3 Network Through an M-LAG in V-STP Mode

Networking Requirements
In Figure 3-71, a device is dual-homed to a Layer 3 network through an M-LAG,
with the following requirements:
● High reliability: If one access link fails, traffic needs to be quickly switched to
the other link.
● High bandwidth utilization: Both access links are in active state and can load
balance traffic.

Figure 3-71 Network diagram for dual-homing a device to a Layer 3 network through an M-LAG
NOTE
In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceA
represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and MEth 0/0/0, respectively.
In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceB
represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and MEth 0/0/0, respectively.
In this example, interface 1 and interface 2 on DeviceC represent 10GE 1/0/1 and 10GE
1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. On DeviceD, bind uplink interfaces to an Eth-Trunk interface.
2. On DeviceA and DeviceB, configure V-STP, create a DFS group, bind IP
addresses of management interfaces to the DFS group, and configure peer-
link interfaces and M-LAG member interfaces.
3. On DeviceA and DeviceB, configure IP and MAC addresses for VLANIF
interfaces so that DeviceA and DeviceB function as dual-active gateways for
access devices.
4. On DeviceA, DeviceB, and DeviceC, configure OSPF to ensure Layer 3
connectivity.
NOTE
To prevent an interface from being blocked by a spanning tree protocol in a V-STP
scenario, you can configure main interfaces to implement Layer 3 connectivity or
disable the spanning tree protocol on the device on the IP network side.
5. On DeviceA and DeviceB, add uplink and downlink interfaces to a Monitor
Link group to prevent user-side traffic forwarding failures and traffic loss due
to possible uplink faults.

Procedure
Step 1 On DeviceD, bind uplink interfaces to an Eth-Trunk interface.
# Configure DeviceD.

<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] vlan batch 11
[DeviceD] interface eth-trunk 20
[DeviceD-Eth-Trunk20] mode lacp-static
[DeviceD-Eth-Trunk20] port link-type trunk
[DeviceD-Eth-Trunk20] port trunk allow-pass vlan 11
[DeviceD-Eth-Trunk20] trunkport 10ge 1/0/1 to 1/0/4
[DeviceD-Eth-Trunk20] quit

Step 2 On DeviceA and DeviceB, configure V-STP, create a DFS group, bind IP addresses of
management interfaces to the DFS group, and configure peer-link interfaces and
M-LAG member interfaces.

# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp mode rstp
[DeviceA] stp v-stp enable
[DeviceA] interface meth 0/0/0
[DeviceA-MEth0/0/0] ip address 10.200.1.1 24
[DeviceA-MEth0/0/0] quit
[DeviceA] dfs-group 1
[DeviceA-dfs-group-1] dual-active detection source ip 10.200.1.1 peer 10.200.1.2
[DeviceA-dfs-group-1] priority 150
[DeviceA-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceA-dfs-group-1] quit
[DeviceA] interface eth-trunk 1
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/4
[DeviceA-Eth-Trunk1] trunkport 10ge 1/0/5
[DeviceA-Eth-Trunk1] mode lacp-static
[DeviceA-Eth-Trunk1] peer-link 1
[DeviceA-Eth-Trunk1] port vlan exclude 1
[DeviceA-Eth-Trunk1] quit
[DeviceA] vlan batch 11
[DeviceA] interface eth-trunk 10
[DeviceA-Eth-Trunk10] mode lacp-static
[DeviceA-Eth-Trunk10] port link-type trunk
[DeviceA-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceA-Eth-Trunk10] trunkport 10ge 1/0/2
[DeviceA-Eth-Trunk10] trunkport 10ge 1/0/3
[DeviceA-Eth-Trunk10] dfs-group 1 m-lag 1
[DeviceA-Eth-Trunk10] quit

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] stp mode rstp
[DeviceB] stp v-stp enable
[DeviceB] interface meth 0/0/0
[DeviceB-MEth0/0/0] ip address 10.200.1.2 24
[DeviceB-MEth0/0/0] quit
[DeviceB] dfs-group 1
[DeviceB-dfs-group-1] dual-active detection source ip 10.200.1.2 peer 10.200.1.1
[DeviceB-dfs-group-1] priority 120
[DeviceB-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceB-dfs-group-1] quit
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/4
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/5
[DeviceB-Eth-Trunk1] mode lacp-static
[DeviceB-Eth-Trunk1] peer-link 1
[DeviceB-Eth-Trunk1] port vlan exclude 1
[DeviceB-Eth-Trunk1] quit
[DeviceB] vlan batch 11
[DeviceB] interface eth-trunk 10
[DeviceB-Eth-Trunk10] mode lacp-static

[DeviceB-Eth-Trunk10] port link-type trunk
[DeviceB-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceB-Eth-Trunk10] trunkport 10ge 1/0/2
[DeviceB-Eth-Trunk10] trunkport 10ge 1/0/3
[DeviceB-Eth-Trunk10] dfs-group 1 m-lag 1
[DeviceB-Eth-Trunk10] quit

Step 3 On DeviceA and DeviceB, configure IP and MAC addresses for VLANIF interfaces so
that DeviceA and DeviceB function as dual-active gateways for access devices.

DeviceA and DeviceB must be configured with the same virtual IP address and
virtual MAC address.

# Configure DeviceA.
[DeviceA] interface vlanif 11
[DeviceA-Vlanif11] ip address 10.2.1.1 24
[DeviceA-Vlanif11] mac-address 0000-5e00-0101
[DeviceA-Vlanif11] quit

# Configure DeviceB.
[DeviceB] interface vlanif 11
[DeviceB-Vlanif11] ip address 10.2.1.1 24
[DeviceB-Vlanif11] mac-address 0000-5e00-0101
[DeviceB-Vlanif11] quit

Step 4 On DeviceA, DeviceB, and DeviceC, configure OSPF to ensure Layer 3 connectivity.
The ID of the OSPF area to which DeviceA, DeviceB, and DeviceC belong must be
different from the ID of the OSPF area to which DeviceA, DeviceB, and DeviceD
belong.

# Configure DeviceA.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] undo portswitch
[DeviceA-10GE1/0/1] ip address 10.3.1.1 24
[DeviceA-10GE1/0/1] quit
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] area 1
[DeviceA-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.1] quit
[DeviceA-ospf-1] quit

# Configure DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] undo portswitch
[DeviceB-10GE1/0/1] ip address 10.4.1.1 24
[DeviceB-10GE1/0/1] quit
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] area 1
[DeviceB-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.1] quit
[DeviceB-ospf-1] quit

# Configure DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] undo portswitch
[DeviceC-10GE1/0/1] ip address 10.3.1.2 24
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10ge 1/0/2

[DeviceC-10GE1/0/2] undo portswitch
[DeviceC-10GE1/0/2] ip address 10.4.1.2 24
[DeviceC-10GE1/0/2] quit
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit

Step 5 On DeviceA and DeviceB, add uplink and downlink interfaces to a Monitor Link
group.
# Configure DeviceA.
[DeviceA] monitor-link group 1
[DeviceA-mtlk-group1] port 10ge 1/0/1 uplink
[DeviceA-mtlk-group1] port eth-trunk 10 downlink 1
[DeviceA-mtlk-group1] quit

# Configure DeviceB.
[DeviceB] monitor-link group 1
[DeviceB-mtlk-group1] port 10ge 1/0/1 uplink
[DeviceB-mtlk-group1] port eth-trunk 10 downlink 1
[DeviceB-mtlk-group1] quit

----End

Verifying the Configuration
# Display information about the M-LAG with DFS group ID 1.
[DeviceA] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID :1
Priority : 150
Dual-active Address : 10.200.1.1
VPN-Instance : public net
State : Master
Causation :-
System ID : 00e0-fc12-3457
SysName : DeviceA
Version : V600R023C00
Device Type : S6730-H-V2
Node 2
Dfs-Group ID :1
Priority : 120
Dual-active Address : 10.200.1.2
VPN-Instance : public net
State : Backup
Causation :-
System ID : 00e0-fc12-3458
SysName : DeviceB
Version : V600R023C00
Device Type : S6730-H-V2

In the preceding command output, the Heart beat state field displays OK,
indicating that the heartbeat status is normal. DeviceA is node 1 with a priority of
150 and serves as the M-LAG master device (the State field displays Master),
whereas DeviceB is node 2 with a priority of 120 and serves as the M-LAG backup
device (the State field displays Backup). In addition, the Causation field displays
-, indicating that the M-LAG is set up successfully.
# Display M-LAG information on DeviceA.
[DeviceA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 10 Up active(*)-active --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

# Display M-LAG information on DeviceB.
[DeviceB] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 10 Up active-active(*) --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

In the preceding command outputs, the Port State fields of node 1 and node 2
display Up, and the M-LAG status of node 1 and node 2 is active, indicating that
the M-LAG configuration is correct.
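The rules this procedure depends on (mirrored DAD addresses, V-STP enabled on both peers, identical peer-link, M-LAG member and gateway VLANIF settings, and the gateway subnet in a different OSPF area from the routed uplinks) can be audited offline before the scripts are pushed, which catches the mismatches the device's consistency check would otherwise report only after the fact. The following Python checker is an added example and not part of the Huawei document: parse_script, audit_pair and the other names are assumptions of this example, and its input is a constructed copy of the DeviceA script from the Configuration Scripts that follow, with the cipher-text password replaced by a placeholder.

```python
import ipaddress
# Constructed input: the DeviceA script from this example, password replaced by a placeholder, MEth omitted.
DEVICE_A = """\
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.200.1.1 peer 10.200.1.2
authentication-mode hmac-sha256 password <cipher-text>
#
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
area 0.0.0.1
network 10.2.1.0 0.0.0.255
#
return
"""
# DeviceB (constructed) differs only in name, DFS priority, mirrored DAD addresses and uplink subnet.
DEVICE_B = (DEVICE_A.replace("sysname DeviceA", "sysname DeviceB").replace("priority 150", "priority 120")
            .replace("source ip 10.200.1.1 peer 10.200.1.2", "source ip 10.200.1.2 peer 10.200.1.1")
            .replace("10.3.1.", "10.4.1."))


def parse_script(text):
    """Map each '#'-delimited section to its command list, keyed by the section's first line."""
    sections, block = {}, []
    for line in text.splitlines() + ["#"]:
        line = line.strip()
        if line == "#":
            if block:
                sections[block[0]] = block[1:]
            block = []
        elif line and line != "return":
            block.append(line)
    return sections


def ospf_areas(sections):
    # Map each network advertised under 'ospf 1' to the area it was advertised in.
    areas, area = {}, None
    for cmd in sections.get("ospf 1", []):
        words = cmd.split()
        if words[0] == "area":
            area = words[1]
        elif words[0] == "network":
            areas[words[1]] = area
    return areas


def gateway_area_is_separate(sections):
    """The VLANIF (M-LAG gateway) subnet must not share an OSPF area with a routed uplink."""
    areas, gw_areas, uplink_areas = ospf_areas(sections), set(), set()
    for key, body in sections.items():
        for cmd in body if key.startswith("interface ") else []:
            if cmd.startswith("ip address "):
                ip, mask = cmd.split()[2:4]
                net = str(ipaddress.ip_interface(f"{ip}/{mask}").network.network_address)
                if net in areas:
                    (gw_areas if "Vlanif" in key else uplink_areas).add(areas[net])
    return bool(gw_areas) and not (gw_areas & uplink_areas)


def audit_pair(text_a, text_b):
    """Return findings for two peer scripts; an empty list means they are consistent."""
    a, b, findings = parse_script(text_a), parse_script(text_b), []
    # The DAD source address of one peer must be the DAD peer address of the other.
    dad_a, dad_b = [next(c.split() for c in s["dfs-group 1"] if c.startswith("dual-active"))
                    for s in (a, b)]
    if (dad_a[4], dad_a[6]) != (dad_b[6], dad_b[4]):
        findings.append("DAD source/peer addresses are not mirrored between the peers")
    for s in (a, b):
        name = next(key.split()[1] for key in s if key.startswith("sysname "))
        if not any("stp v-stp enable" in [key] + body for key, body in s.items()):
            findings.append(f"{name}: V-STP is not enabled")
        if not gateway_area_is_separate(s):
            findings.append(f"{name}: gateway subnet shares an OSPF area with an uplink")
    # Peer-link, M-LAG member and gateway VLANIF sections must match command for command
    # (this covers the VLAN, LACP-mode and STP mismatches the device's consistency check lists).
    for key, body in a.items():
        shared = "Vlanif" in key or "peer-link 1" in body or "dfs-group 1 m-lag 1" in body
        if key.startswith("interface ") and shared and key in b and sorted(body) != sorted(b[key]):
            findings.append(f"{key}: configuration differs between the peers")
    return findings
```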

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.200.1.1 peer 10.200.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
port vlan exclude 1
#

interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface MEth0/0/0
ip address 10.200.1.1 255.255.255.0
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
area 0.0.0.1
network 10.2.1.0 0.0.0.255
#
return
● DeviceB
#
sysname DeviceB
#
dfs-group 1
priority 120
dual-active detection source ip 10.200.1.2 peer 10.200.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!=I9f8>C{!P_bhB31@7r-=jrS8c|
_"(Bn~#[email protected](wAt/IQXl6>[g{6YlOi9$!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
port vlan exclude 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface MEth0/0/0
ip address 10.200.1.2 255.255.255.0
#

interface 10GE1/0/1
undo portswitch
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 10.4.1.0 0.0.0.255
area 0.0.0.1
network 10.2.1.0 0.0.0.255
#
return

● DeviceC
#
sysname DeviceC
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 11
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE1/0/2
eth-trunk 20
#
interface 10GE1/0/3
eth-trunk 20
#
interface 10GE1/0/4
eth-trunk 20

#
return

3.1.11.2.3 Example for Configuring a Dynamic Routing Protocol for Communication with an M-LAG in V-STP Mode

Networking Requirements
On the network shown in Figure 3-72, DeviceA, DeviceB, and DeviceC constitute
an M-LAG. The M-LAG member interfaces on DeviceB and DeviceC support
dynamic routing protocols. A dynamic routing protocol is configured on servers so
that they can communicate with the M-LAG through Layer 3 routes.

Figure 3-72 Network diagram for configuring a dynamic routing protocol for
communication with an M-LAG
NOTE
In this example, interface 1 and interface 2 on DeviceA represent 10GE 1/0/1 and 10GE
1/0/2, respectively.
In this example, interface 1, interface 2, interface 4, and interface 5 on DeviceB represent
10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1, interface 2, interface 4, and interface 5 on DeviceC represent
10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1 and interface 2 on DeviceD represent 10GE 1/0/1 and 10GE
1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on DeviceB, DeviceC, and DeviceD to implement
Layer 3 connectivity.
2. Create Eth-Trunk interfaces.
3. Configure V-STP.
4. Configure an M-LAG.
– Configure a DFS group on DeviceB and DeviceC respectively, and bind IP
addresses of management interfaces to the DFS group.
– Configure the link between DeviceB and DeviceC as the peer-link.
– Bind the user-side Eth-Trunk interface to the DFS group on DeviceB and
DeviceC, respectively.
5. Configure an IP address for OSPF over M-LAG.
6. Configure M-LAG member devices to use the specified IP address to establish
OSPF neighbor relationships with DeviceA.

Procedure
Step 1 Configure a routing protocol.
# Configure DeviceB. The configurations of DeviceC and DeviceD are similar to the
configuration of DeviceB. When configuring OSPF, configure the devices to
advertise the 32-bit IP addresses of loopback interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface loopback 2
[DeviceB-LoopBack2] ip address 10.3.3.3 32
[DeviceB-LoopBack2] quit
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] undo portswitch
[DeviceB-10GE1/0/1] ip address 192.168.1.1 24
[DeviceB-10GE1/0/1] quit
[DeviceB] ospf 1 router-id 10.11.1.1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 10.3.3.3 0.0.0.0
[DeviceB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit

After OSPF is configured successfully, DeviceB, DeviceC, and DeviceD can learn the
IP addresses of each other's loopback interface through OSPF and successfully
ping each other.
Step 2 Create Eth-Trunk interfaces and add physical Ethernet interfaces to them.
The uplink interfaces that connect the server to DeviceB and DeviceC must be
added to an Eth-Trunk interface, and the working mode of the Eth-Trunk interface
must be the same as that of the Eth-Trunk interfaces on both devices.
# Create Eth-Trunk interfaces in LACP mode on DeviceB and add member
interfaces to the Eth-Trunk interfaces. The configuration of DeviceC is similar to
that of DeviceB.
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] mode lacp-static

[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/4
[DeviceB-Eth-Trunk1] trunkport 10ge 1/0/5
[DeviceB-Eth-Trunk1] quit
[DeviceB] interface eth-trunk 10
[DeviceB-Eth-Trunk10] mode lacp-static
[DeviceB-Eth-Trunk10] lacp mixed-rate link enable
[DeviceB-Eth-Trunk10] trunkport 10ge 1/0/2
[DeviceB-Eth-Trunk10] quit

Step 3 Configure V-STP.
# Configure DeviceB.
[DeviceB] stp mode rstp
[DeviceB] stp v-stp enable

# Configure DeviceC.
[DeviceC] stp mode rstp
[DeviceC] stp v-stp enable

Step 4 Configure a DFS group on DeviceB and DeviceC respectively, and bind IP addresses
of management interfaces to the DFS group.
Ensure that DeviceB and DeviceC can communicate at Layer 3 through their
management interfaces.
# Configure DeviceB. The configuration of DeviceC is similar to that of DeviceB.
[DeviceB] interface meth 0/0/0
[DeviceB-MEth0/0/0] ip address 10.200.1.1 24
[DeviceB-MEth0/0/0] quit
[DeviceB] dfs-group 1
[DeviceB-dfs-group-1] dual-active detection source ip 10.200.1.1 peer 10.200.2.1
[DeviceB-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceB-dfs-group-1] quit

Step 5 Configure the link between DeviceB and DeviceC as the peer-link.
# Configure DeviceB. The configuration of DeviceC is similar to that of DeviceB.
[DeviceB] interface eth-trunk 1
[DeviceB-Eth-Trunk1] peer-link 1
[DeviceB-Eth-Trunk1] quit

Step 6 Bind the user-side Eth-Trunk interface to the DFS group on DeviceB and DeviceC,
respectively.
# Configure DeviceB. The configuration of DeviceC is similar to that of DeviceB.
[DeviceB] interface eth-trunk 10
[DeviceB-Eth-Trunk10] dfs-group 1 m-lag 1
[DeviceB-Eth-Trunk10] quit

Step 7 Configure an IP address for OSPF over M-LAG on DeviceB and DeviceC,
respectively.
# Configure DeviceB. The configuration of DeviceC is similar to that of DeviceB.
[DeviceB] vlan 100
[DeviceB-vlan100] quit
[DeviceB] interface vlanif 100
[DeviceB-Vlanif100] ip address 10.100.0.1 255.255.255.0
[DeviceB-Vlanif100] ospf source sub-address 10.100.0.3
[DeviceB-Vlanif100] m-lag ip address 10.100.0.3 255.255.255.0
[DeviceB-Vlanif100] mac-address 0000-5e00-0101
[DeviceB-Vlanif100] arp proxy enable
[DeviceB-Vlanif100] quit

Issue 05 (2023-11-15) Copyright © Huawei Technologies Co., Ltd. 606


CloudEngine S3700, S5700, and S6700 Series
Switches
Typical Configuration Examples(V600) 3 Switch Feature Configuration Examples

Step 8 Configure M-LAG member devices to use the specified IP address to establish
OSPF neighbor relationships with DeviceA. The ID of the OSPF area to which
DeviceA, DeviceB, and DeviceC belong must be different from the ID of the OSPF
area to which DeviceB, DeviceC, and DeviceD belong.
# Configure DeviceB. The configuration of DeviceC is similar to that of DeviceB.
[DeviceB] ospf
[DeviceB-ospf-1] area 1
[DeviceB-ospf-1-area-0.0.0.1] network 10.100.0.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.1] quit
[DeviceB-ospf-1] quit

# Configure DeviceA.
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 10.100.0.2 255.255.255.0
[DeviceA-Vlanif100] quit
[DeviceA] ospf 1 router-id 10.11.4.4
[DeviceA-ospf-1] area 1
[DeviceA-ospf-1-area-0.0.0.1] network 10.100.0.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.1] quit
[DeviceA-ospf-1] quit

----End

Verifying the Configuration
# Run the display dfs-group 1 m-lag command to check M-LAG information.
[DeviceB] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID :1
Priority : 100
Dual-active Address : 10.200.1.1
VPN-Instance : public net
State : Master
Causation :-
System ID : 00e0-fc12-3457
SysName : DeviceB
Version : V600R023C00
Device Type : S6730-H-V2
Node 2
Dfs-Group ID :1
Priority : 100
Dual-active Address : 10.200.2.1
VPN-Instance : public net
State : Backup
Causation :-
System ID : 00e0-fc12-3458
SysName : DeviceC
Version : V600R023C00
Device Type : S6730-H-V2

# Check M-LAG information on DeviceB.
[DeviceB] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 10 Up active(*)-active --

Failed reason:
1 -- Relationship between vlan and port is inconsistent

2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

# Check M-LAG information on DeviceC.
[DeviceC] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 10 Up active(*)-active --

Failed reason:
1 -- Relationship between vlan and port is inconsistent
2 -- STP configuration under the port is inconsistent
3 -- STP port priority configuration is inconsistent
4 -- LACP mode of M-LAG is inconsistent
5 -- M-LAG configuration is inconsistent
6 -- The number of M-LAG members is inconsistent
7 -- LACP system-id of M-LAG is inconsistent
8 -- LACP priority of M-LAG is inconsistent
9 -- STP port edged configuration is inconsistent
10 -- M-LAG mode configuration is inconsistent

Run the display ospf peer brief command on DeviceB, DeviceC, and DeviceA to
check OSPF neighbor information.
# Check OSPF neighbor information on DeviceB.
[DeviceB] display ospf peer brief
(M) Indicates MADJ interface
OSPF Process 1 with Router ID 10.11.1.1
Peer Statistic Information
Total number of peer(s): 3
Peer(s) in full state: 3
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 10GE1/0/1 10.11.3.3 Full
0.0.0.0 Vlanif100 10.11.2.2 Full
0.0.0.1 Vlanif100 10.11.4.4 Full

# Check OSPF neighbor information on DeviceC.
[DeviceC] display ospf peer brief
(M) Indicates MADJ interface
OSPF Process 1 with Router ID 10.11.2.2
Peer Statistic Information
Total number of peer(s): 3
Peer(s) in full state: 3
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 10GE1/0/1 10.11.3.3 Full
0.0.0.0 Vlanif100 10.11.1.1 Full
0.0.0.1 Vlanif100 10.11.4.4 Full

# Check OSPF neighbor information on DeviceA.
[DeviceA] display ospf peer brief
(M) Indicates MADJ interface
OSPF Process 1 with Router ID 10.11.4.4
Peer Statistic Information
Total number of peer(s): 2
Peer(s) in full state: 2
----------------------------------------------------------------------------

Area Id Interface Neighbor id State
0.0.0.1 Vlanif100 10.11.1.1 Full
0.0.0.1 Vlanif100 10.11.2.2 Full
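Reading the three screens by eye works once; for a change window or a recurring health check the same verification can be scripted. The following Python checker is an added example and not part of the Huawei document: peer_brief builds constructed copies of the screens above in the same layout, and parse_peer_brief, check_adjacencies and check_symmetry are assumptions of this example. It verifies that each device holds exactly its expected Full adjacencies, and additionally that every adjacency between two supplied devices is reported by both ends in the same area (DeviceD's screen is not shown above, so adjacencies to it are only checked one-sided).

```python
import re

# One neighbour row: area ID, interface, neighbour router ID, state.
PEER_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)")


def peer_brief(router_id, rows):
    """Render a constructed 'display ospf peer brief' screen in the layout shown above."""
    full = sum(1 for *_, state in rows if state == "Full")
    head = ["(M) Indicates MADJ interface",
            f"OSPF Process 1 with Router ID {router_id}",
            "Peer Statistic Information",
            f"Total number of peer(s): {len(rows)}",
            f"Peer(s) in full state: {full}",
            "-" * 76,
            f"{'Area Id':<17}{'Interface':<33}{'Neighbor id':<17}State"]
    return "\n".join(head + [f"{a:<17}{i:<33}{n:<17}{s}" for a, i, n, s in rows]) + "\n"


# Constructed copies of the three screens above (router IDs and neighbours as on the page).
DEVICE_B_OUTPUT = peer_brief("10.11.1.1", [
    ("0.0.0.0", "10GE1/0/1", "10.11.3.3", "Full"),  # DeviceD over the routed uplink
    ("0.0.0.0", "Vlanif100", "10.11.2.2", "Full"),  # DeviceC, the M-LAG peer
    ("0.0.0.1", "Vlanif100", "10.11.4.4", "Full"),  # DeviceA, attached through the M-LAG
])
DEVICE_C_OUTPUT = peer_brief("10.11.2.2", [
    ("0.0.0.0", "10GE1/0/1", "10.11.3.3", "Full"),
    ("0.0.0.0", "Vlanif100", "10.11.1.1", "Full"),
    ("0.0.0.1", "Vlanif100", "10.11.4.4", "Full"),
])
DEVICE_A_OUTPUT = peer_brief("10.11.4.4", [
    ("0.0.0.1", "Vlanif100", "10.11.1.1", "Full"),
    ("0.0.0.1", "Vlanif100", "10.11.2.2", "Full"),
])
# Adjacencies DeviceB must hold in this example: (area, interface, neighbour router ID).
EXPECTED_B = {("0.0.0.0", "10GE1/0/1", "10.11.3.3"),
              ("0.0.0.0", "Vlanif100", "10.11.2.2"),
              ("0.0.0.1", "Vlanif100", "10.11.4.4")}


def parse_peer_brief(text):
    """Return (router_id, total, full, peers); peers are (area, interface, neighbour, state)."""
    router_id = re.search(r"Router ID (\S+)", text).group(1)
    total = int(re.search(r"Total number of peer\(s\):\s*(\d+)", text).group(1))
    full = int(re.search(r"Peer\(s\) in full state:\s*(\d+)", text).group(1))
    peers = [m.groups() for m in map(PEER_RE.match, text.splitlines()) if m]
    return router_id, total, full, peers


def check_adjacencies(text, expected):
    """Compare one device's screen with the set of Full adjacencies it is expected to hold."""
    router_id, total, full, peers = parse_peer_brief(text)
    findings = []
    if full != total:
        findings.append(f"{router_id}: {total - full} neighbour(s) not in Full state")
    seen = {(a, i, n) for a, i, n, s in peers if s == "Full"}
    findings += [f"{router_id}: missing Full adjacency {m}" for m in sorted(expected - seen)]
    findings += [f"{router_id}: unexpected adjacency {x}" for x in sorted(seen - expected)]
    return findings


def check_symmetry(outputs):
    """Every Full adjacency between two supplied devices must be reported by both ends in
    the same area; neighbours whose screen is not supplied (DeviceD here) are skipped."""
    seen = {}
    for text in outputs:
        router_id, _, _, peers = parse_peer_brief(text)
        seen[router_id] = {(n, a) for a, _, n, s in peers if s == "Full"}
    return [f"{rid} sees {nbr} in area {area} but {nbr} does not report {rid} there"
            for rid, adj in seen.items() for nbr, area in adj
            if nbr in seen and (rid, area) not in seen[nbr]]
```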

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
dfs-group 1
dual-active detection source ip 10.200.1.1 peer 10.200.2.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 100
#
stp mode rstp
stp v-stp enable
#
interface Vlanif100
ip address 10.100.0.1 255.255.255.0
ospf source sub-address 10.100.0.3
mac-address 0000-5e00-0101
m-lag ip address 10.100.0.3 255.255.255.0
arp proxy enable
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
mode lacp-static
lacp mixed-rate link enable
dfs-group 1 m-lag 1
#
interface MEth0/0/0
ip address 10.200.1.1 255.255.255.0
#
interface 10GE1/0/1
undo portswitch
ip address 192.168.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack2
ip address 10.3.3.3 255.255.255.255
#
ospf 1 router-id 10.11.1.1
area 0.0.0.0
network 10.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
area 0.0.0.1
network 10.100.0.0 0.0.0.255
#
return

● DeviceC

#
sysname DeviceC
#
dfs-group 1
dual-active detection source ip 10.200.2.1 peer 10.200.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!=I9f8>C{!P_bhB31@7r-=jrS8c|
_"(Bn~#[email protected](wAt/IQXl6>[g{6YlOi9$!!!!!!!!!!%+%#
#
vlan batch 100
#
stp mode rstp
stp v-stp enable
#
interface Vlanif100
ip address 10.100.0.1 255.255.255.0
ospf source sub-address 10.100.0.4
mac-address 0000-5e00-0101
m-lag ip address 10.100.0.4 255.255.255.0
arp proxy enable
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
mode lacp-static
lacp mixed-rate link enable
dfs-group 1 m-lag 1
#
interface MEth0/0/0
ip address 10.200.2.1 255.255.255.0
#
interface 10GE1/0/1
undo portswitch
ip address 192.168.2.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack2
ip address 10.4.4.4 255.255.255.255
#
ospf 1 router-id 10.11.2.2
area 0.0.0.0
network 10.4.4.4 0.0.0.0
network 192.168.2.0 0.0.0.255
area 0.0.0.1
network 10.100.0.0 0.0.0.255
#
return
● DeviceD
#
sysname DeviceD
#
interface 10GE1/0/1
undo portswitch
ip address 192.168.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch

ip address 192.168.2.2 255.255.255.0
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.255
#
ospf 1 router-id 10.11.3.3
area 0.0.0.0
network 10.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

● DeviceA
#
sysname DeviceA
#
vlan batch 100
#
interface Vlanif100
ip address 10.100.0.2 255.255.255.0
#
interface Eth-Trunk10
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
mode lacp-static
lacp mixed-rate link enable
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE1/0/2
eth-trunk 10
#
ospf 1 router-id 10.11.4.4
area 0.0.0.1
network 10.100.0.0 0.0.0.255
#
return

3.1.11.2.4 Example for Configuring Multi-Level M-LAG (V-STP Mode)

Networking Requirements
In Figure 3-73, multi-level M-LAG ensures reliability, improves link utilization, and
expands the network scale in dual-homing mode, meeting customer requirements.
In addition, aggregation devices function as dual-active gateways, and core and
aggregation devices are cross-connected to ensure device-level reliability. A server
is connected to access devices in load balancing or active/standby mode. If load
balancing mode is used for server access, you are advised to configure the M-LAG
to work in dual-active mode. If active/standby mode is used for server access, you
are advised to configure the M-LAG to work in active/standby mode. In this
example, the server is connected to access devices in load balancing mode. M-LAG
devices at the access and aggregation layers use independent links as DAD links to
improve reliability.

Figure 3-73 Network diagram for configuring multi-level M-LAG
NOTE
In this example, interface 1, interface 2, interface 3, interface 4, interface 5, interface 6, and
interface 7 represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, 10GE 1/0/5, 10GE
1/0/6, and 10GE 1/0/7, respectively.

Table 3-1 Data plan

Device Name   Interface    IP Address       Virtual MAC Address
DeviceA       10GE1/0/4    10.1.1.1/24      -
DeviceB       10GE1/0/4    10.1.1.2/24      -
DeviceC       10GE1/0/1    10.4.1.1/24      -
              10GE1/0/2    10.5.1.1/24      -
              VLANIF 11    10.3.1.1/24      0000-5e00-0110
              VLANIF 100   10.10.10.1/30    -
              10GE1/0/5    10.2.1.1/24      -
DeviceD       10GE1/0/1    10.6.1.1/24      -
              10GE1/0/2    10.7.1.1/24      -
              VLANIF 11    10.3.1.1/24      0000-5e00-0110
              VLANIF 100   10.10.10.2/30    -
              10GE1/0/5    10.2.1.2/24      -
DeviceE       10GE1/0/1    10.4.1.2/24      -
              10GE1/0/2    10.7.1.2/24      -
DeviceF       10GE1/0/1    10.6.1.2/24      -
              10GE1/0/2    10.5.1.2/24      -

Configuration Roadmap
The configuration roadmap is as follows:
1. On DeviceA and DeviceB at the access layer, configure M-LAG, links between
the access and aggregation layers, and server access.
2. On DeviceC and DeviceD at the aggregation layer, configure M-LAG, links
between the aggregation and access layers, Layer 3 gateways, and the egress
network.
3. On DeviceE and DeviceF at the core layer, configure interface IP addresses and
enable OSPF to implement Layer 3 communication with the aggregation
layer.

Procedure
Step 1 Configure DeviceA and DeviceB at the access layer.
1. Configure M-LAG.
# Configure M-LAG in V-STP mode.
Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] stp mode rstp
[DeviceA] stp v-stp enable

Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB

[DeviceB] stp mode rstp


[DeviceB] stp v-stp enable

# Deploy an independent direct physical link for M-LAG heartbeat detection.
Configure DeviceA.
[DeviceA] interface 10GE1/0/4
[DeviceA-10GE1/0/4] undo portswitch
[DeviceA-10GE1/0/4] ip address 10.1.1.1 24
[DeviceA-10GE1/0/4] m-lag unpaired-port reserved
[DeviceA-10GE1/0/4] quit

Configure DeviceB.
[DeviceB] interface 10GE1/0/4
[DeviceB-10GE1/0/4] undo portswitch
[DeviceB-10GE1/0/4] ip address 10.1.1.2 24
[DeviceB-10GE1/0/4] m-lag unpaired-port reserved
[DeviceB-10GE1/0/4] quit

# Configure a DFS group and bind IP addresses to the DFS group.
Configure DeviceA.
[DeviceA] dfs-group 1
[DeviceA-dfs-group-1] priority 150
[DeviceA-dfs-group-1] dual-active detection source ip 10.1.1.1 peer 10.1.1.2
[DeviceA-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceA-dfs-group-1] quit

Configure DeviceB.
[DeviceB] dfs-group 1
[DeviceB-dfs-group-1] priority 120
[DeviceB-dfs-group-1] dual-active detection source ip 10.1.1.2 peer 10.1.1.1
[DeviceB-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceB-dfs-group-1] quit

# Configure peer-link interfaces in the M-LAG.
Configure DeviceA.
[DeviceA] interface Eth-Trunk0
[DeviceA-Eth-Trunk0] trunkport 10GE1/0/5
[DeviceA-Eth-Trunk0] trunkport 10GE1/0/6
[DeviceA-Eth-Trunk0] mode lacp-static
[DeviceA-Eth-Trunk0] peer-link 1
[DeviceA-Eth-Trunk0] port vlan exclude 1
[DeviceA-Eth-Trunk0] quit

Configure DeviceB.
[DeviceB] interface Eth-Trunk0
[DeviceB-Eth-Trunk0] trunkport 10GE1/0/5
[DeviceB-Eth-Trunk0] trunkport 10GE1/0/6
[DeviceB-Eth-Trunk0] mode lacp-static
[DeviceB-Eth-Trunk0] peer-link 1
[DeviceB-Eth-Trunk0] port vlan exclude 1
[DeviceB-Eth-Trunk0] quit

2. Configure links between the access and aggregation layers.
# Configure DeviceA.
[DeviceA] vlan batch 11
[DeviceA] interface Eth-Trunk10
[DeviceA-Eth-Trunk10] trunkport 10GE1/0/1
[DeviceA-Eth-Trunk10] trunkport 10GE1/0/2
[DeviceA-Eth-Trunk10] mode lacp-static
[DeviceA-Eth-Trunk10] port link-type trunk
[DeviceA-Eth-Trunk10] undo port trunk allow-pass vlan 1
[DeviceA-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceA-Eth-Trunk10] dfs-group 1 m-lag 10
[DeviceA-Eth-Trunk10] quit

# Configure DeviceB.
[DeviceB] vlan batch 11
[DeviceB] interface Eth-Trunk10
[DeviceB-Eth-Trunk10] trunkport 10GE1/0/1
[DeviceB-Eth-Trunk10] trunkport 10GE1/0/2
[DeviceB-Eth-Trunk10] mode lacp-static
[DeviceB-Eth-Trunk10] port link-type trunk
[DeviceB-Eth-Trunk10] undo port trunk allow-pass vlan 1
[DeviceB-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceB-Eth-Trunk10] dfs-group 1 m-lag 10
[DeviceB-Eth-Trunk10] quit

3. Configure server access.
# Configure DeviceA.
[DeviceA] interface Eth-Trunk1
[DeviceA-Eth-Trunk1] trunkport 10GE1/0/3
[DeviceA-Eth-Trunk1] mode lacp-static
[DeviceA-Eth-Trunk1] port link-type trunk
[DeviceA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[DeviceA-Eth-Trunk1] port trunk allow-pass vlan 11
[DeviceA-Eth-Trunk1] dfs-group 1 m-lag 1
[DeviceA-Eth-Trunk1] quit

# Configure DeviceB.
[DeviceB] interface Eth-Trunk1
[DeviceB-Eth-Trunk1] trunkport 10GE1/0/3
[DeviceB-Eth-Trunk1] mode lacp-static
[DeviceB-Eth-Trunk1] port link-type trunk
[DeviceB-Eth-Trunk1] undo port trunk allow-pass vlan 1
[DeviceB-Eth-Trunk1] port trunk allow-pass vlan 11
[DeviceB-Eth-Trunk1] dfs-group 1 m-lag 1
[DeviceB-Eth-Trunk1] quit

Step 2 Configure DeviceC and DeviceD at the aggregation layer.
1. Configure M-LAG.
# Configure M-LAG in V-STP mode.
Configure DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] stp mode rstp
[DeviceC] stp v-stp enable

Configure DeviceD.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] stp mode rstp
[DeviceD] stp v-stp enable

# Deploy an independent direct physical link for M-LAG heartbeat detection.
Configure DeviceC.
[DeviceC] interface 10GE1/0/5
[DeviceC-10GE1/0/5] undo portswitch
[DeviceC-10GE1/0/5] ip address 10.2.1.1 24
[DeviceC-10GE1/0/5] m-lag unpaired-port reserved
[DeviceC-10GE1/0/5] quit

Configure DeviceD.
[DeviceD] interface 10GE1/0/5
[DeviceD-10GE1/0/5] undo portswitch
[DeviceD-10GE1/0/5] ip address 10.2.1.2 24
[DeviceD-10GE1/0/5] m-lag unpaired-port reserved
[DeviceD-10GE1/0/5] quit

# Configure a DFS group and bind IP addresses to the DFS group.
Configure DeviceC.
[DeviceC] dfs-group 1
[DeviceC-dfs-group-1] priority 150
[DeviceC-dfs-group-1] dual-active detection source ip 10.2.1.1 peer 10.2.1.2
[DeviceC-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceC-dfs-group-1] quit

Configure DeviceD.
[DeviceD] dfs-group 1
[DeviceD-dfs-group-1] priority 120
[DeviceD-dfs-group-1] dual-active detection source ip 10.2.1.2 peer 10.2.1.1
[DeviceD-dfs-group-1] authentication-mode hmac-sha256 password YsHsjx_202206
[DeviceD-dfs-group-1] quit

# Configure peer-link interfaces in the M-LAG.
Configure DeviceC.
[DeviceC] interface Eth-Trunk0
[DeviceC-Eth-Trunk0] trunkport 10GE1/0/6
[DeviceC-Eth-Trunk0] trunkport 10GE1/0/7
[DeviceC-Eth-Trunk0] mode lacp-static
[DeviceC-Eth-Trunk0] peer-link 1
[DeviceC-Eth-Trunk0] port vlan exclude 1
[DeviceC-Eth-Trunk0] quit

Configure DeviceD.
[DeviceD] interface Eth-Trunk0
[DeviceD-Eth-Trunk0] trunkport 10GE1/0/6
[DeviceD-Eth-Trunk0] trunkport 10GE1/0/7
[DeviceD-Eth-Trunk0] mode lacp-static
[DeviceD-Eth-Trunk0] peer-link 1
[DeviceD-Eth-Trunk0] port vlan exclude 1
[DeviceD-Eth-Trunk0] quit

2. Configure links between the aggregation and access layers.
# Configure DeviceC.
[DeviceC] vlan batch 11
[DeviceC] interface Eth-Trunk10
[DeviceC-Eth-Trunk10] trunkport 10GE1/0/3
[DeviceC-Eth-Trunk10] trunkport 10GE1/0/4
[DeviceC-Eth-Trunk10] mode lacp-static
[DeviceC-Eth-Trunk10] port link-type trunk
[DeviceC-Eth-Trunk10] undo port trunk allow-pass vlan 1
[DeviceC-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceC-Eth-Trunk10] dfs-group 1 m-lag 10
[DeviceC-Eth-Trunk10] quit

# Configure DeviceD.
[DeviceD] vlan batch 11
[DeviceD] interface Eth-Trunk10
[DeviceD-Eth-Trunk10] trunkport 10GE1/0/3
[DeviceD-Eth-Trunk10] trunkport 10GE1/0/4
[DeviceD-Eth-Trunk10] mode lacp-static
[DeviceD-Eth-Trunk10] port link-type trunk
[DeviceD-Eth-Trunk10] undo port trunk allow-pass vlan 1
[DeviceD-Eth-Trunk10] port trunk allow-pass vlan 11
[DeviceD-Eth-Trunk10] dfs-group 1 m-lag 10
[DeviceD-Eth-Trunk10] quit

3. Configure Layer 3 gateways. On DeviceC and DeviceD, configure the same IP
addresses and MAC addresses for VLANIF interfaces so that the devices
function as dual-active gateways for the access layer.
# Configure DeviceC.
[DeviceC] interface vlanif 11
[DeviceC-Vlanif11] ip address 10.3.1.1 24
[DeviceC-Vlanif11] mac-address 0000-5e00-0110
[DeviceC-Vlanif11] quit

# Configure DeviceD.
[DeviceD] interface vlanif 11
[DeviceD-Vlanif11] ip address 10.3.1.1 24
[DeviceD-Vlanif11] mac-address 0000-5e00-0110
[DeviceD-Vlanif11] quit

4. Configure the egress network. Configure physical links of the peer-link as
egress bypass links between DeviceC and DeviceD, and configure dedicated
VLANIF interfaces for the peer-link for Layer 3 interconnection.
# Configure DeviceC.
[DeviceC] interface 10GE1/0/1
[DeviceC-10GE1/0/1] undo portswitch
[DeviceC-10GE1/0/1] ip address 10.4.1.1 24
[DeviceC-10GE1/0/1] quit
[DeviceC] interface 10GE1/0/2
[DeviceC-10GE1/0/2] undo portswitch
[DeviceC-10GE1/0/2] ip address 10.5.1.1 24
[DeviceC-10GE1/0/2] quit
[DeviceC] vlan batch 100
[DeviceC] interface vlanif 100
[DeviceC-Vlanif100] ip address 10.10.10.1 30
[DeviceC-Vlanif100] ospf cost 10000
[DeviceC-Vlanif100] quit
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.3
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit

# Configure DeviceD.
[DeviceD] interface 10GE1/0/1
[DeviceD-10GE1/0/1] undo portswitch
[DeviceD-10GE1/0/1] ip address 10.6.1.1 24
[DeviceD-10GE1/0/1] quit
[DeviceD] interface 10GE1/0/2
[DeviceD-10GE1/0/2] undo portswitch
[DeviceD-10GE1/0/2] ip address 10.7.1.1 24
[DeviceD-10GE1/0/2] quit
[DeviceD] vlan batch 100
[DeviceD] interface vlanif 100
[DeviceD-Vlanif100] ip address 10.10.10.2 30
[DeviceD-Vlanif100] ospf cost 10000
[DeviceD-Vlanif100] quit
[DeviceD] ospf 1
[DeviceD-ospf-1] area 0
[DeviceD-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[DeviceD-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[DeviceD-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
[DeviceD-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.3
[DeviceD-ospf-1-area-0.0.0.0] quit
[DeviceD-ospf-1] quit

Step 3 Configure DeviceE and DeviceF at the core layer.
# Configure DeviceE.
<HUAWEI> system-view
[HUAWEI] sysname DeviceE
[DeviceE] interface 10GE1/0/1
[DeviceE-10GE1/0/1] undo portswitch
[DeviceE-10GE1/0/1] ip address 10.4.1.2 24
[DeviceE-10GE1/0/1] quit
[DeviceE] interface 10GE1/0/2
[DeviceE-10GE1/0/2] undo portswitch
[DeviceE-10GE1/0/2] ip address 10.7.1.2 24
[DeviceE-10GE1/0/2] quit
[DeviceE] ospf 1
[DeviceE-ospf-1] area 0
[DeviceE-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[DeviceE-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
[DeviceE-ospf-1-area-0.0.0.0] quit
[DeviceE-ospf-1] quit

# Configure DeviceF.
<HUAWEI> system-view
[HUAWEI] sysname DeviceF
[DeviceF] interface 10GE1/0/1
[DeviceF-10GE1/0/1] undo portswitch
[DeviceF-10GE1/0/1] ip address 10.6.1.2 24
[DeviceF-10GE1/0/1] quit
[DeviceF] interface 10GE1/0/2
[DeviceF-10GE1/0/2] undo portswitch
[DeviceF-10GE1/0/2] ip address 10.5.1.2 24
[DeviceF-10GE1/0/2] quit
[DeviceF] ospf 1
[DeviceF-ospf-1] area 0
[DeviceF-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[DeviceF-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[DeviceF-ospf-1-area-0.0.0.0] quit
[DeviceF-ospf-1] quit

----End
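Before trusting the display output, a practitioner will want to cross-check the two members' scripts against each other: DAD source/peer addresses that are not mirrored, a member with no hmac-sha256 authentication on its DFS group, an M-LAG ID bound to different Eth-Trunks, or a gateway VLANIF whose address or virtual MAC differs will either leave dual-active detection blind or make the two gateways disagree. The Python checker below is an added example, not Huawei tooling; it runs over condensed copies of the DeviceC and DeviceD scripts from this example (the cipher-text password replaced by a placeholder) and over a constructed faulty variant.

```python
"""Cross-check both members of an M-LAG pair before trusting 'display dfs-group'.
Added example, not Huawei tooling.  Parses VRP-style scripts ('#'-separated sections)
and flags what leaves a pair half-configured: DAD addresses not mirrored, missing DAD
authentication, equal priorities, an M-LAG ID on different Eth-Trunks, or a dual-active
gateway VLANIF whose address or virtual MAC differs.  Sample scripts are condensed."""
import re

def parse_vrp(text):
    """Split a script into (header, [sub-commands]) sections on '#' and 'return' lines."""
    sections, current = [], []
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if line in ("#", "return"):
            if current:
                sections.append((current[0], current[1:]))
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append((current[0], current[1:]))
    return sections

def dfs_group_settings(sections):
    """Priority, DAD source/peer addresses, and whether DAD packets are authenticated."""
    info = {"auth": False}
    for header, body in sections:
        if not header.startswith("dfs-group "):
            continue
        for cmd in body:
            if m := re.match(r"priority (\d+)$", cmd):
                info["priority"] = int(m.group(1))
            if m := re.match(r"dual-active detection source ip (\S+) peer (\S+)$", cmd):
                info["source"], info["peer"] = m.groups()
            if cmd.startswith("authentication-mode hmac-sha256 "):
                info["auth"] = True
    return info

def mlag_bindings(sections):
    """Map M-LAG ID -> Eth-Trunk section header; both members must agree on this."""
    bindings = {}
    for header, body in sections:
        if header.startswith("interface Eth-Trunk"):
            for cmd in body:
                if m := re.match(r"dfs-group \d+ m-lag (\d+)$", cmd):
                    bindings[int(m.group(1))] = header
    return bindings

def gateway_vlanifs(sections):
    """VLANIFs carrying a virtual MAC (dual-active gateways) -> (ip lines, mac lines)."""
    gateways = {}
    for header, body in sections:
        if header.startswith("interface Vlanif"):
            ip = [c for c in body if c.startswith("ip address ")]
            mac = [c for c in body if c.startswith("mac-address ")]
            if mac:
                gateways[header] = (ip, mac)
    return gateways

def check_mlag_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two scripts agree."""
    a, b = parse_vrp(cfg_a), parse_vrp(cfg_b)
    da, db = dfs_group_settings(a), dfs_group_settings(b)
    findings = []
    if da.get("source") != db.get("peer") or da.get("peer") != db.get("source"):
        findings.append("DAD source/peer addresses are not mirrored between the members")
    if da.get("priority") == db.get("priority"):
        findings.append("both members use the same DFS group priority")
    if not (da["auth"] and db["auth"]):
        findings.append("DAD authentication (hmac-sha256) is not configured on both members")
    if mlag_bindings(a) != mlag_bindings(b):
        findings.append(f"M-LAG ID to Eth-Trunk binding differs: {mlag_bindings(a)} vs {mlag_bindings(b)}")
    if gateway_vlanifs(a) != gateway_vlanifs(b):
        findings.append("dual-active gateway VLANIF address or virtual MAC differs")
    return findings

# Condensed from the DeviceC script of this example (physical interfaces and OSPF omitted);
# the cipher-text password is replaced by a placeholder.
DEVICE_C_CFG = """
#
dfs-group 1
priority 150
dual-active detection source ip 10.2.1.1 peer 10.2.1.2
authentication-mode hmac-sha256 password <cipher-text-omitted>
#
interface Vlanif11
ip address 10.3.1.1 255.255.255.0
mac-address 0000-5e00-0110
#
interface Eth-Trunk10
dfs-group 1 m-lag 10
#
return
"""
# DeviceD differs from DeviceC only in priority and the mirrored DAD addresses.
DEVICE_D_CFG = (DEVICE_C_CFG.replace("priority 150", "priority 120")
                .replace("source ip 10.2.1.1 peer 10.2.1.2", "source ip 10.2.1.2 peer 10.2.1.1"))
# Constructed faulty variant: DAD aimed at the wrong peer, and a mistyped virtual MAC.
DEVICE_D_FAULTY = (DEVICE_D_CFG.replace("peer 10.2.1.1", "peer 10.2.1.3")
                   .replace("0000-5e00-0110", "0000-5e00-0111"))
```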

Verifying the Configuration

● Run the display dfs-group 1 m-lag command to check the M-LAG status.
Under normal circumstances, the states of two member devices are displayed.
One device is in Master state, and the other device is in Backup state.
# Check the M-LAG status at the access layer.
[DeviceA] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID :1
Priority : 150
Dual-active Address : 10.1.1.1
VPN-Instance : public net
State : Master
Causation :-
System ID : 00e0-fc12-3457
SysName : DeviceA
Version : V600R023C00
Device Type : S6730-H-V2
Node 2
Dfs-Group ID :1
Priority : 120
Dual-active Address : 10.1.1.2
VPN-Instance : public net
State : Backup
Causation :-
System ID : 00e0-fc12-3458
SysName : DeviceB
Version : V600R023C00
Device Type : S6730-H-V2
# Check the M-LAG status at the aggregation layer.
[DeviceC] display dfs-group 1 m-lag
* : Local node
Heart beat state : OK
Node 1 *
Dfs-Group ID :1
Priority : 150
Dual-active Address : 10.2.1.1
VPN-Instance : public net
State : Master
Causation :-
System ID : 00e0-fc12-3459
SysName : DeviceC
Version : V600R023C00
Device Type : S6730-H-V2
Node 2
Dfs-Group ID :1
Priority : 120
Dual-active Address : 10.2.1.2
VPN-Instance : public net
State : Backup
Causation :-
System ID : 00e0-fc12-3460
SysName : DeviceD
Version : V600R023C00
Device Type : S6730-H-V2
● Run the display dfs-group 1 node 1 m-lag [ brief ] command to check the
M-LAG Eth-Trunk status.
# Check the M-LAG Eth-Trunk status on DeviceA.
[DeviceA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
1 Eth-Trunk 1 Up active(*)-active success
10 Eth-Trunk 10 Up active(*)-active success
......
# Check the M-LAG Eth-Trunk status on DeviceC.
[DeviceC] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID Interface Port State Status Consistency-check
10 Eth-Trunk 10 Up active(*)-active success
......

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.1.1.1 peer 10.1.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Eth-Trunk0
mode lacp-static
peer-link 1
port vlan exclude 1
#
interface Eth-Trunk1
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 1
#
interface Eth-Trunk10
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 10
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
undo portswitch
ip address 10.1.1.1 255.255.255.0
m-lag unpaired-port reserved
#
interface 10GE1/0/5
eth-trunk 0
#
interface 10GE1/0/6
eth-trunk 0
#
return

● DeviceB
#
sysname DeviceB
#
dfs-group 1
priority 120
dual-active detection source ip 10.1.1.2 peer 10.1.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Eth-Trunk0
mode lacp-static
peer-link 1
port vlan exclude 1
#
interface Eth-Trunk1
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 1
#
interface Eth-Trunk10
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 10
#
interface 10GE1/0/1
eth-trunk 10
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 1
#
interface 10GE1/0/4
undo portswitch
ip address 10.1.1.2 255.255.255.0
m-lag unpaired-port reserved
#
interface 10GE1/0/5
eth-trunk 0
#
interface 10GE1/0/6
eth-trunk 0
#
return

● DeviceC
#
sysname DeviceC
#
dfs-group 1
priority 150
dual-active detection source ip 10.2.1.1 peer 10.2.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11 100
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.3.1.1 255.255.255.0
mac-address 0000-5e00-0110
#
interface Vlanif100
ip address 10.10.10.1 255.255.255.252
ospf cost 10000
#
interface Eth-Trunk0
mode lacp-static
peer-link 1
port vlan exclude 1
#
interface Eth-Trunk10
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 10
#
interface 10GE1/0/1
undo portswitch
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.5.1.1 255.255.255.0
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 10
#
interface 10GE1/0/5
undo portswitch
ip address 10.2.1.1 255.255.255.0
m-lag unpaired-port reserved
#
interface 10GE1/0/6
eth-trunk 0
#
interface 10GE1/0/7
eth-trunk 0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
network 10.10.10.0 0.0.0.3
#
return

● DeviceD
#
sysname DeviceD
#
dfs-group 1
priority 120
dual-active detection source ip 10.2.1.2 peer 10.2.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11 100
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.3.1.1 255.255.255.0
mac-address 0000-5e00-0110
#
interface Vlanif100
ip address 10.10.10.2 255.255.255.252
ospf cost 10000
#
interface Eth-Trunk0
mode lacp-static
peer-link 1
port vlan exclude 1
#
interface Eth-Trunk10
mode lacp-static
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
dfs-group 1 m-lag 10
#
interface 10GE1/0/1
undo portswitch
ip address 10.6.1.1 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.7.1.1 255.255.255.0
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 10
#
interface 10GE1/0/5
undo portswitch
ip address 10.2.1.2 255.255.255.0
m-lag unpaired-port reserved
#
interface 10GE1/0/6
eth-trunk 0
#
interface 10GE1/0/7
eth-trunk 0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
network 10.10.10.0 0.0.0.3
#
return

● DeviceE
#
sysname DeviceE
#
interface 10GE1/0/1
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.7.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.4.1.0 0.0.0.255
network 10.7.1.0 0.0.0.255
#
return

● DeviceF
#
sysname DeviceF
#
interface 10GE1/0/1
undo portswitch
ip address 10.6.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.5.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.5.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
#
return

3.1.11.2.5 Example for Configuring M-LAG Devices to Function as DHCPv4 Relay Agents (with Option 82's Suboptions Inserted)

Networking Requirements
In Figure 3-74, DeviceA and DeviceB form an M-LAG, through which DeviceD
connects to the Layer 3 network. DHCPv4 relay needs to be deployed on DeviceA
and DeviceB so that the DHCPv4 server can assign an IPv4 address to DeviceD.

Figure 3-74 Configuring M-LAG devices as DHCPv4 relay agents


NOTE

In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceA represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceB represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1 and interface 2 on DeviceC represent 10GE 1/0/1 and 10GE 1/0/2, respectively.

Configuration Roadmap
1. Configure M-LAG active-active gateways. For configuration details, see
3.1.11.2.2 Example for Configuring Dual-Homing of a Device to a Layer 3
Network Through an M-LAG in V-STP Mode.
2. Configure DHCPv4 relay on the M-LAG active-active gateways DeviceA and
DeviceB. Specifically:
a. Enable DHCPv4 relay.
b. Configure Option 82's suboption 5 to implement accurate route selection.
c. Configure DeviceA and DeviceB to advertise routes destined for the local
loopback addresses.
3. Configure the route to the DHCPv4 server on DeviceC.

Procedure
Step 1 Configure DHCPv4 relay on DeviceA and DeviceB.
# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface loopback 0
[DeviceA-LoopBack0] ip address 5.5.5.5 32
[DeviceA-LoopBack0] quit
[DeviceA] interface vlanif 11
[DeviceA-Vlanif11] dhcp select relay
[DeviceA-Vlanif11] dhcp relay server-ip 192.168.1.1
[DeviceA-Vlanif11] dhcp relay information enable
[DeviceA-Vlanif11] dhcp relay giaddr source-interface loopback0
[DeviceA-Vlanif11] dhcp option82 link-selection insert enable

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface loopback 0
[DeviceB-LoopBack0] ip address 6.6.6.6 32
[DeviceB-LoopBack0] quit
[DeviceB] interface vlanif 11
[DeviceB-Vlanif11] dhcp select relay
[DeviceB-Vlanif11] dhcp relay server-ip 192.168.1.1
[DeviceB-Vlanif11] dhcp relay information enable
[DeviceB-Vlanif11] dhcp relay giaddr source-interface loopback0
[DeviceB-Vlanif11] dhcp option82 link-selection insert enable

Step 2 Configure DeviceA and DeviceB to advertise routes destined for the local loopback
addresses.
# Configure DeviceA.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit

# Configure DeviceB.
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit

Step 3 On DeviceC, configure the route to the DHCPv4 server (whose IP address is
192.168.1.1).
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit

----End

Verifying the Configuration

# Check the DHCPv4 relay configuration on DeviceA. The configuration on
DeviceB is similar to that on DeviceA.
[DeviceA] display dhcp relay configuration
DHCP relay global running information :
DHCP relay address cycle : Disable (default)
DHCP relay trust option82 : Enable (default)
DHCP relay request server-match : Enable (default)
DHCP relay reply forward all : Disable (default)
DHCP relay agent running information of interface Vlanif11 :
Relay select : Enable
Server IP address [00] : 192.168.1.1
GIADDR source interface : LoopBack0
Link-selection insert : Enable
Server-id-override insert : Disable
Vss-control insert : Disable
Giaddr outgoing-interface-address : Disable

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.200.1.1 peer 10.200.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
dhcp select relay
dhcp relay information enable
dhcp relay server-ip 192.168.1.1
dhcp relay giaddr source-interface loopback 0
dhcp option82 link-selection insert enable
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return
● DeviceB
#
sysname DeviceB
#
dfs-group 1
priority 120
dual-active detection source ip 10.200.1.2 peer 10.200.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!=I9f8>C{!P_bhB31@7r-=jrS8c|
_"(Bn~#[email protected](wAt/IQXl6>[g{6YlOi9$!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
dhcp select relay
dhcp relay information enable
dhcp relay server-ip 192.168.1.1
dhcp relay giaddr source-interface loopback 0
dhcp option82 link-selection insert enable
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

● DeviceC
#
sysname DeviceC
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 11
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE1/0/2
eth-trunk 20
#
interface 10GE1/0/3
eth-trunk 20
#
interface 10GE1/0/4
eth-trunk 20
#
return

3.1.11.2.6 Example for Configuring M-LAG Devices to Function as DHCPv4 Relay Agents (Option 82 Carries the Return Address)

Networking Requirements
In Figure 3-75, DeviceA and DeviceB form an M-LAG, through which DeviceD
connects to the Layer 3 network. DHCPv4 relay needs to be deployed on DeviceA
and DeviceB so that the DHCPv4 server can assign an IPv4 address to DeviceD.

Figure 3-75 Configuring M-LAG devices as DHCPv4 relay agents


NOTE

In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceA represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1, interface 2, interface 3, interface 4, and interface 5 on DeviceB represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, 10GE 1/0/4, and 10GE 1/0/5, respectively.
In this example, interface 1 and interface 2 on DeviceC represent 10GE 1/0/1 and 10GE 1/0/2, respectively.

Configuration Roadmap
1. Configure M-LAG active-active gateways. For configuration details, see
3.1.11.2.2 Example for Configuring Dual-Homing of a Device to a Layer 3
Network Through an M-LAG in V-STP Mode.
2. Configure DHCPv4 relay on the M-LAG active-active gateways DeviceA and
DeviceB. Specifically:
a. Enable DHCPv4 relay.
b. Configure Option 82 to carry the return address.
c. Configure DeviceA and DeviceB to advertise routes destined for the local
loopback addresses.
3. Configure the route to the DHCPv4 server on DeviceC.

Procedure
Step 1 Configure DHCPv4 relay on DeviceA and DeviceB.

# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface loopback 0
[DeviceA-LoopBack0] ip address 5.5.5.5 32
[DeviceA-LoopBack0] quit
[DeviceA] interface vlanif 11
[DeviceA-Vlanif11] dhcp select relay
[DeviceA-Vlanif11] dhcp relay server-ip 192.168.1.1
[DeviceA-Vlanif11] dhcp relay information enable
[DeviceA-Vlanif11] dhcp option82 vendor-specific format vendor-sub-option 2 source-ip-address 5.5.5.5

# Configure DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] interface loopback 0
[DeviceB-LoopBack0] ip address 6.6.6.6 32
[DeviceB-LoopBack0] quit
[DeviceB] interface vlanif 11
[DeviceB-Vlanif11] dhcp select relay
[DeviceB-Vlanif11] dhcp relay server-ip 192.168.1.1
[DeviceB-Vlanif11] dhcp relay information enable
[DeviceB-Vlanif11] dhcp option82 vendor-specific format vendor-sub-option 2 source-ip-address 6.6.6.6

Step 2 Configure DeviceA and DeviceB to advertise routes destined for the local loopback
addresses.

# Configure DeviceA.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit

# Configure DeviceB.
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit

Step 3 On DeviceC, configure the route to the DHCPv4 server (whose IP address is
192.168.1.1).
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit

----End
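The two relay examples (3.1.11.2.5 with link selection, 3.1.11.2.6 with the return address) differ only in what the relay places in giaddr and Option 82, and the difference matters because both M-LAG members share the Vlanif11 address and virtual MAC, so a reply unicast to that shared address can land on either member. The Python block below is an added example, not Huawei code: it builds a constructed DHCPDISCOVER as each relay would forward it, parses giaddr and the Option 82 sub-options, and shows which pool a server selects and where it sends the reply. The RFC 3046/3527/4243 layouts are standard; the layout of Huawei's vendor sub-option 2 (a 4-byte IPv4 address under enterprise number 2011) and the Vlanif11 value carried in link selection are assumptions.

```python
"""Server-side parsing of what the M-LAG relay agents in 3.1.11.2.5 / 3.1.11.2.6 insert.
Added example, not Huawei code.  Packets are constructed inline, not captured.  The
encoding of Huawei's vendor sub-option 2 (RFC 4243 container, 4-byte IPv4 address,
enterprise number 2011) is an assumption, not taken from the page."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 Relay Agent Information
SUB_LINK_SELECTION = 5        # RFC 3527: subnet the client is really attached to
SUB_VENDOR_SPECIFIC = 9       # RFC 4243: enterprise number + vendor sub-options
VENDOR_SUB_RETURN_ADDR = 2    # assumed: "vendor-sub-option 2 source-ip-address"
HUAWEI_ENTERPRISE = 2011      # assumed Huawei IANA enterprise number


def parse_tlvs(payload):
    """Parse a DHCP option or sub-option list into {code: raw_value} (PAD=0, END=255)."""
    out, i = {}, 0
    while i + 1 < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        out[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_relayed(packet):
    """Return (giaddr, Option 82 sub-options) of a DHCPv4 packet; raise if malformed."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 packet")
    giaddr = ipaddress.IPv4Address(packet[24:28])     # bytes 24..27 of the BOOTP header
    options = parse_tlvs(packet[240:])
    return giaddr, parse_tlvs(options.get(OPT_RELAY_AGENT, b""))


def select_pool(packet, pools):
    """Pool the server allocates from: link-selection if present (RFC 3527), else giaddr."""
    giaddr, subs = parse_relayed(packet)
    key = giaddr
    if len(subs.get(SUB_LINK_SELECTION, b"")) == 4:
        key = ipaddress.IPv4Address(subs[SUB_LINK_SELECTION])
    return next((pool for pool in pools if key in pool), None)


def reply_destination(packet):
    """Address the server unicasts OFFER/ACK to.  giaddr is the default; a return address
    in the vendor sub-option overrides it, which matters when giaddr is the Vlanif11
    address shared by both M-LAG members and only one of them relayed the request."""
    giaddr, subs = parse_relayed(packet)
    data = subs.get(SUB_VENDOR_SPECIFIC, b"")
    if len(data) >= 5:
        enterprise, vlen = struct.unpack("!IB", data[:5])
        addr = parse_tlvs(data[5:5 + vlen]).get(VENDOR_SUB_RETURN_ADDR, b"")
        if enterprise == HUAWEI_ENTERPRISE and len(addr) == 4:
            return ipaddress.IPv4Address(addr)
    return giaddr


def build_relayed_discover(giaddr, link_selection=None, return_address=None):
    """Constructed DHCPDISCOVER as a relay would forward it (sample data, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                        # BOOTREQUEST, Ethernet, hlen 6, hops 1
        0x3903F326, 0, 0x8000,             # xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex("0242ac110002") + b"\0" * 10,   # constructed client MAC
        b"\0" * 64, b"\0" * 128)
    subs = b""
    if link_selection:
        subs += bytes([SUB_LINK_SELECTION, 4]) + ipaddress.IPv4Address(link_selection).packed
    if return_address:
        vendor = bytes([VENDOR_SUB_RETURN_ADDR, 4]) + ipaddress.IPv4Address(return_address).packed
        subs += (bytes([SUB_VENDOR_SPECIFIC, 5 + len(vendor)])
                 + struct.pack("!IB", HUAWEI_ENTERPRISE, len(vendor)) + vendor)
    options = bytes([OPT_MESSAGE_TYPE, 1, 1])           # DHCPDISCOVER
    if subs:
        options += bytes([OPT_RELAY_AGENT, len(subs)]) + subs
    return header + MAGIC_COOKIE + options + b"\xff"


POOLS = [ipaddress.ip_network("10.2.1.0/24"), ipaddress.ip_network("192.168.1.0/24")]
# 3.1.11.2.5: giaddr = DeviceA's loopback, link selection = Vlanif11 address (assumed value).
LINK_SELECT_PKT = build_relayed_discover("5.5.5.5", link_selection="10.2.1.1")
# 3.1.11.2.6: giaddr = shared Vlanif11 address, vendor sub-option 2 = DeviceB's loopback.
RETURN_ADDR_PKT = build_relayed_discover("10.2.1.1", return_address="6.6.6.6")

if __name__ == "__main__":
    for name, pkt in (("link-selection", LINK_SELECT_PKT), ("return-address", RETURN_ADDR_PKT)):
        print(f"{name}: pool={select_pool(pkt, POOLS)} reply-to={reply_destination(pkt)}")
```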

Verifying the Configuration

# Check the DHCPv4 relay configuration on DeviceA. The configuration on
DeviceB is similar to that on DeviceA.
[DeviceA] display dhcp relay configuration
DHCP relay global running information :
DHCP relay address cycle : Disable (default)
DHCP relay trust option82 : Enable (default)
DHCP relay request server-match : Enable (default)
DHCP relay reply forward all : Disable (default)
DHCP relay agent running information of interface Vlanif11 :
Relay select : Enable
Server IP address [00] : 192.168.1.1
Link-selection insert : Disable
Server-id-override insert : Disable
Vss-control insert : Disable
Giaddr outgoing-interface-address : Disable

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
dfs-group 1
priority 150
dual-active detection source ip 10.200.1.1 peer 10.200.1.2
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!C+tR0CW9x*eB&pWp`t),Azgw-h
\o8#4LZPD!!!!!!!!!!!!!!!9!!!!>fwJ)I0E{=:%,*,XRhbH&t0MCy_8=7!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
dhcp select relay
dhcp relay information enable
dhcp relay server-ip 192.168.1.1
dhcp option82 vendor-specific format vendor-sub-option 2 source-ip-address 5.5.5.5
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return
● DeviceB
#
sysname DeviceB
#
dfs-group 1
priority 120
dual-active detection source ip 10.200.1.2 peer 10.200.1.1
authentication-mode hmac-sha256 password %+%##!!!!!!!!!"!!!!"!!!!*!!!!=I9f8>C{!P_bhB31@7r-=jrS8c|
_"(Bn~#[email protected](wAt/IQXl6>[g{6YlOi9$!!!!!!!!!!%+%#
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
#
interface Vlanif11
ip address 10.2.1.1 255.255.255.0
mac-address 0000-5e00-0101
dhcp select relay
dhcp relay information enable
dhcp relay server-ip 192.168.1.1
dhcp option82 vendor-specific format vendor-sub-option 2 source-ip-address 6.6.6.6
#
interface Eth-Trunk1
mode lacp-static
peer-link 1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
dfs-group 1 m-lag 1
#
interface 10GE1/0/1
undo portswitch
ip address 10.4.1.1 255.255.255.0
#
interface 10GE1/0/2
eth-trunk 10
#
interface 10GE1/0/3
eth-trunk 10
#
interface 10GE1/0/4
eth-trunk 1
#
interface 10GE1/0/5
eth-trunk 1
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
monitor-link group 1
port 10GE1/0/1 uplink
port Eth-Trunk10 downlink 1
#
ospf 1
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

● DeviceC
#
sysname DeviceC
#
interface 10GE1/0/1
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface 10GE1/0/2
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 11
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 11
mode lacp-static
#
interface 10GE1/0/1
eth-trunk 20
#
interface 10GE1/0/2
eth-trunk 20
#
interface 10GE1/0/3
eth-trunk 20
#
interface 10GE1/0/4
eth-trunk 20
#
return

3.1.12 User Access and Authentication

3.1.12.1 AAA


3.1.12.1.1 Example for Configuring AAA Local Authentication and Authorization

Networking Requirements
In Figure 3-76, the enterprise requires that the administrator use AAA local
authentication to log in to the device through STelnet. The specific requirements
are as follows:
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 3 is authorized to the administrator.

Figure 3-76 Configuring AAA local authentication and authorization


NOTE

In this example, interface 1 represents 10GE 1/0/1.

Configuration Roadmap
1. Configure STelnet login on DeviceA: Set the authentication mode for
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure AAA local authentication: Configure a user name and password, set
the user access type, and set the user privilege level.

Precautions
Ensure that there are reachable routes between the user terminal and DeviceA
before the configuration.

Procedure
Step 1 Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 192.168.10.1 24
[DeviceA-Vlanif10] quit

Step 2 Configure STelnet login.


# Generate a local key pair on DeviceA.
[DeviceA] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
4 to AAA and SSH, respectively.
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] authentication-mode aaa
[DeviceA-ui-vty0-4] protocol inbound ssh
[DeviceA-ui-vty0-4] quit

# Enable the SSH server function on DeviceA.
[DeviceA] stelnet server enable
[DeviceA] ssh server-source -i vlanif 10

# Set the authentication mode of all SSH users to password authentication and
the service type to STelnet.
[DeviceA] ssh authentication-type default password

Step 3 Configure AAA local authentication.


[DeviceA] aaa
[DeviceA-aaa] local-user user1-huawei password irreversible-cipher
YsHsjx_202206
[DeviceA-aaa] local-user user1-huawei service-type ssh
[DeviceA-aaa] local-user user1-huawei privilege level 3
[DeviceA-aaa] quit

----End

Verifying the Configuration


The administrator can log in to DeviceA through the STelnet client after entering
the correct user name and password.

Configuration Scripts
#
sysname DeviceA
#
aaa
local-user user1-huawei password irreversible-cipher $1d$OwseVRh@LH}ZeTBm$1nH4$ab>d(N{-%0!
ab48y=Ic*xEUR4pVhR2"9-~,$
local-user user1-huawei privilege level 3
local-user user1-huawei service-type ssh
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.10.1 24
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
stelnet server enable
ssh server-source -i Vlanif 10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

3.1.12.1.2 Example for Configuring HWTACACS Authentication, Authorization, and Accounting

Networking Requirements
In Figure 3-77, an HWTACACS server is deployed on an enterprise network. The
enterprise requires that the administrator use HWTACACS authentication to log in
to DeviceA through STelnet.
1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 3 is authorized to the administrator, the commands that the
administrator can execute are limited, and the commands that the
administrator has executed are recorded.

Figure 3-77 Configuring HWTACACS authentication, authorization, and accounting
NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Configuration Roadmap
1. Configure STelnet login on DeviceA: Set the authentication mode for
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure HWTACACS authentication on DeviceA: Create an HWTACACS
server template, configure AAA schemes and recording scheme, and enable
command authorization.
3. Configure an HWTACACS server.

Precautions
Ensure that there are reachable routes between the user terminal and DeviceA
before the configuration.

Procedure
Step 1 Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.2 255.255.255.0
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.6.2 255.255.255.0
[DeviceA-Vlanif20] quit

Step 2 Configure STelnet login.

# Generate a local key pair on DeviceA.
[DeviceA] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
4 to AAA and SSH, respectively.
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] authentication-mode aaa
[DeviceA-ui-vty0-4] protocol inbound ssh
[DeviceA-ui-vty0-4] quit

# Enable the SSH server function on DeviceA.
[DeviceA] stelnet server enable
[DeviceA] ssh server-source -i vlanif 10

# Set the authentication mode and service type of all SSH users to password
authentication and STelnet, respectively.
[DeviceA] ssh authentication-type default password

Step 3 Configure HWTACACS authentication, authorization, and accounting.

# Create an HWTACACS server template named template1 for communication
between DeviceA and the HWTACACS server.
[DeviceA] hwtacacs-server template template1
[DeviceA-hwtacacs-template1] hwtacacs-server authentication 10.1.6.6 49
[DeviceA-hwtacacs-template1] hwtacacs-server authorization 10.1.6.6 49
[DeviceA-hwtacacs-template1] hwtacacs-server accounting 10.1.6.6 49
[DeviceA-hwtacacs-template1] hwtacacs-server shared-key cipher YsHsjx_202206139
[DeviceA-hwtacacs-template1] quit

# Create an authentication scheme named sch1 and set the authentication mode
to HWTACACS authentication.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme sch1
[DeviceA-aaa-authen-sch1] authentication-mode hwtacacs
[DeviceA-aaa-authen-sch1] quit

# Create an authorization scheme named sch2, set the authorization mode to
HWTACACS authorization, and enable command authorization for the
administrator with the privilege level 3.
[DeviceA-aaa] authorization-scheme sch2
[DeviceA-aaa-author-sch2] authorization-mode hwtacacs
[DeviceA-aaa-author-sch2] authorization-cmd 3 hwtacacs
[DeviceA-aaa-author-sch2] quit

# Create a recording scheme named sch0 to record the commands that the
administrator has executed.
[DeviceA-aaa] recording-scheme sch0
[DeviceA-aaa-recording-sch0] recording-mode hwtacacs template1
[DeviceA-aaa-recording-sch0] quit
[DeviceA-aaa] cmd recording-scheme sch0

# Create an accounting scheme named sch3 and set the accounting mode to
HWTACACS accounting.
[DeviceA-aaa] accounting-scheme sch3
[DeviceA-aaa-accounting-sch3] accounting-mode hwtacacs
[DeviceA-aaa-accounting-sch3] quit

# Apply the HWTACACS server template and AAA schemes to the domain
huawei.com.
[DeviceA-aaa] domain huawei.com
[DeviceA-aaa-domain-huawei.com] hwtacacs-server template1
[DeviceA-aaa-domain-huawei.com] authentication-scheme sch1
[DeviceA-aaa-domain-huawei.com] authorization-scheme sch2
[DeviceA-aaa-domain-huawei.com] accounting-scheme sch3
[DeviceA-aaa-domain-huawei.com] quit
[DeviceA-aaa] quit

# Specify the domain huawei.com as the global default administrative domain.
[DeviceA] domain huawei.com admin

Step 4 Configure an HWTACACS server. Here, the Secure ACS is used as an example.
The configuration includes the following steps: add a device, add an administrator
account, set the administrator privilege level to 3, and configure command
authorization so that the reset hwtacacs-server statistics all command is not
permitted for the administrator.
You can check logs recording command execution successes and failures of all
users, including non-HWTACACS-authenticated users, under Reports and Activity
> TACACS+ Administration.

----End

Verifying the Configuration


● The administrator can log in to DeviceA through the STelnet client after
entering the correct user name and password.
● After the administrator logs in to DeviceA, run the reset hwtacacs-server
statistics all command. The system displays the message "Error: Failed to
pass the authorization.", indicating that command authorization is successful.
[DeviceA] quit
<DeviceA> reset hwtacacs-server statistics all
Error: Failed to pass the authorization.
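Step 4 and the verification above rely on two separate server-side decisions: command authorization (a deny rule for one command, everything else permitted at level 3) and command recording (every attempt logged, whether it succeeds or fails). The following Python code is an added example, not part of the Huawei document or of Secure ACS; it models those two decisions with a constructed, invented policy format so the ordering (deny rules before the default action, recording regardless of outcome) can be seen and tested.

```python
"""Added example, not from the Huawei document: a constructed model of the
command-authorization and command-recording decisions a TACACS+ server makes
for a privilege-level-3 administrator.  The policy format is invented for
illustration; Secure ACS defines command sets in its own GUI."""
import re
from dataclasses import dataclass


@dataclass
class CommandPolicy:
    """Constructed policy: commands permitted up to max_level, except deny patterns."""
    max_level: int
    deny: list                    # regular expressions matched against the whole command
    permit_unmatched: bool = True  # default action when no deny rule matches


def normalize(command: str) -> str:
    """Collapse repeated whitespace and case so 'reset  Hwtacacs-server' cannot slip past a rule."""
    return " ".join(command.split()).lower()


def authorize_command(policy: CommandPolicy, level: int, command: str):
    """Return (permitted, reason); deny rules are evaluated before the default action."""
    cmd = normalize(command)
    if level > policy.max_level:
        return False, "privilege level exceeds policy"
    for pattern in policy.deny:
        if re.fullmatch(pattern, cmd):
            return False, f"denied by rule {pattern!r}"
    return policy.permit_unmatched, "default action"


def run_command(policy: CommandPolicy, user: str, level: int, command: str, records: list) -> str:
    """Authorize the command, append a recording entry either way, return the CLI result."""
    permitted, reason = authorize_command(policy, level, command)
    records.append({"user": user, "level": level, "cmd": normalize(command),
                    "result": "success" if permitted else "failure", "reason": reason})
    # The device-side message quoted in the document's verification step
    return "OK" if permitted else "Error: Failed to pass the authorization."


# Constructed policy for the document's scenario: a level-3 administrator, one denied command.
ADMIN_POLICY = CommandPolicy(max_level=3, deny=[r"reset hwtacacs-server statistics.*"])


def demo():
    """Run one permitted and one denied command; return both results and the recording log."""
    records = []
    permitted = run_command(ADMIN_POLICY, "admin1", 3, "display current-configuration", records)
    denied = run_command(ADMIN_POLICY, "admin1", 3, "reset  hwtacacs-server statistics all", records)
    return permitted, denied, records


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

Both attempts appear in the recording log, which is the point of pairing a recording scheme with command authorization: a denied command is evidence worth keeping, not just an error on the administrator's screen.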

Configuration Scripts
DeviceA
#
sysname DeviceA
#
hwtacacs-server template template1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server authorization 10.1.6.6
hwtacacs-server accounting 10.1.6.6
hwtacacs-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs."u,S-6a-X1'[X=L"cpF!5Oz`1!!!!!2jp5!!!!!!
A!!!!Ix>cM8i{y6!);(8Dr9:dK`&BHfE(H2=.:SH{@pT%+%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs
authorization-scheme sch2
authorization-mode hwtacacs
authorization-cmd 3 hwtacacs
accounting-scheme sch3
accounting-mode hwtacacs
recording-scheme sch0
recording-mode hwtacacs template1
cmd recording-scheme sch0
domain huawei.com
authentication-scheme sch1
accounting-scheme sch3
authorization-scheme sch2
hwtacacs-server template1
#
domain huawei.com admin
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
stelnet server enable
ssh server-source -i Vlanif10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

3.1.12.1.3 Example for Configuring RADIUS Authentication, Authorization, and Accounting

Networking Requirements
In Figure 3-78, a RADIUS server is deployed on an enterprise network. The
enterprise requires that the administrator use RADIUS authentication to log in to
DeviceA through STelnet. The specific requirements are as follows:

1. The administrator can log in to the device through STelnet only after entering
a correct user name and password.
2. After the administrator logs in to the device through STelnet, the privilege
level 3 is authorized to the administrator.


Figure 3-78 Configuring RADIUS authentication, authorization, and accounting


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Configuration Roadmap
1. Configure STelnet login on DeviceA: Set the authentication mode for
accessing VTY user interfaces to AAA, enable the STelnet service, and
configure the authentication mode and service type for SSH users.
2. Configure RADIUS authentication on DeviceA: Create a RADIUS server
template and AAA schemes, and apply the server template and AAA schemes
to a domain.
3. Configure a RADIUS server.

Precautions
● Ensure that there are reachable routes between the user terminal and
DeviceA before the configuration.
● Ensure that the shared key in the RADIUS server template is the same as that
configured on the RADIUS server.
● After a domain is set as the global default administrative domain, an
administrator whose user name contains that domain name, or contains no
domain name at all, uses the AAA configuration of the global default
administrative domain.
● If the RADIUS server does not support the user name containing a domain
name, run the undo radius-server user-name domain-included command in
the RADIUS server template view to configure the device to send packets that
do not contain a domain name to the RADIUS server.
● After the undo radius-server user-name domain-included command is run,
the device changes only the user name format in the sent packet, without
affecting the domain to which the user belongs. For example, after this
command is run, the user with the user name [email protected] still
uses AAA configuration in the domain named huawei.com.
● When the extended RADIUS attribute HW-Exec-Privilege (26-29) is used to
authorize the privilege level of an administrator, the value ranges from 0 to 3.
A value greater than or equal to 4 is invalid.
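Three of the precautions above describe checks the device performs on what it sends to and receives from the RADIUS server: the shared key must match (a mismatch shows up as a Response Authenticator that does not verify), turning off radius-server user-name domain-included changes only the User-Name in the packet and not the user's domain, and HW-Exec-Privilege is only honoured for values 0 to 3. The following Python code is an added example, not from the Huawei document or its products; it assumes Huawei's IANA vendor ID is 2011 and that HW-Exec-Privilege is vendor sub-type 29 of attribute 26 (the page's "26-29"), and it uses constructed packet identifiers, authenticator bytes and user names.

```python
"""Added example, not from the Huawei document: NAS-side checks on a RADIUS
Access-Accept.  Constructed values: request authenticator, packet identifier,
user names.  Assumptions: Huawei IANA vendor ID 2011; HW-Exec-Privilege is
vendor sub-type 29 of attribute 26 (RFC 2865 Vendor-Specific)."""
import hashlib
import hmac
import struct

HUAWEI_VENDOR_ID = 2011    # assumption: Huawei private enterprise number
HW_EXEC_PRIVILEGE = 29     # vendor sub-type, from "HW-Exec-Privilege (26-29)"
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2


def radius_user_name(user: str, default_domain: str, domain_included: bool):
    """Return (AAA domain the user belongs to, User-Name sent to the server).
    Disabling domain-included changes only what is sent, not the user's domain."""
    if "@" in user:
        name, domain = user.rsplit("@", 1)
    else:
        name, domain = user, default_domain
    return domain, (f"{name}@{domain}" if domain_included else name)


def encode_exec_privilege(level: int) -> bytes:
    """Build a Vendor-Specific attribute carrying HW-Exec-Privilege as a 4-byte integer."""
    value = struct.pack("!I", level)
    vendor_part = struct.pack("!BB", HW_EXEC_PRIVILEGE, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_part),
                       HUAWEI_VENDOR_ID) + vendor_part


def iter_attributes(body: bytes):
    """Yield (type, value) pairs, rejecting lengths that would run off the packet."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute length")
        yield attr_type, body[i + 2:i + attr_len]
        i += attr_len


def exec_privilege(body: bytes):
    """Return the authorized level, or None when absent or outside the valid 0..3 range."""
    for attr_type, value in iter_attributes(body):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub_type, sub_len = value[4], value[5]
        if vendor_id == HUAWEI_VENDOR_ID and sub_type == HW_EXEC_PRIVILEGE and sub_len == 6:
            level = struct.unpack("!I", value[6:10])[0]
            return level if level <= 3 else None   # a value >= 4 is invalid
    return None


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a shared-key mismatch fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    req_auth = bytes(range(16))                      # constructed request authenticator
    secret = b"YsHsjx_202206139"                     # shared key used in the document
    pkt = build_access_accept(7, req_auth, secret, encode_exec_privilege(3))
    print("key matches:", verify_response(pkt, req_auth, secret))
    print("wrong key:  ", verify_response(pkt, req_auth, b"wrong-key"))
    print("level:      ", exec_privilege(pkt[20:]))
```

A response that fails verify_response is dropped by the NAS, so a shared-key mismatch looks to the administrator like an authentication timeout rather than a rejection; checking the key on both sides is the first thing to do when logins hang.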

Procedure
Step 1 Configure IP addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.2 255.255.255.0
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.6.2 255.255.255.0
[DeviceA-Vlanif20] quit

Step 2 Configure STelnet login.


# Generate a local key pair on DeviceA.
[DeviceA] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 3072).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072

# Set the authentication mode and protocol for accessing VTY user interfaces 0 to
4 to AAA and SSH, respectively.
[DeviceA] user-interface vty 0 4
[DeviceA-ui-vty0-4] authentication-mode aaa
[DeviceA-ui-vty0-4] protocol inbound ssh
[DeviceA-ui-vty0-4] quit

# Enable the SSH server function on DeviceA.
[DeviceA] stelnet server enable
[DeviceA] ssh server-source -i vlanif 10

# Set the authentication mode and service type of all SSH users to password
authentication and STelnet, respectively.
[DeviceA] ssh authentication-type default password

Step 3 Configure RADIUS authentication, authorization, and accounting.


# Configure a RADIUS server template for communication between DeviceA and
RADIUS server.
[DeviceA] radius-server template 1
[DeviceA-radius-1] radius-server authentication 10.1.6.6 1812
[DeviceA-radius-1] radius-server accounting 10.1.6.6 1813
[DeviceA-radius-1] radius-server shared-key cipher YsHsjx_202206139
[DeviceA-radius-1] quit

# Configure an AAA authentication scheme named auth1 and set the authentication
mode to RADIUS.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme auth1
[DeviceA-aaa-authen-auth1] authentication-mode radius
[DeviceA-aaa-authen-auth1] quit

# Configure an AAA accounting scheme named acc1 and set the accounting mode
to RADIUS accounting.
[DeviceA-aaa] accounting-scheme acc1
[DeviceA-aaa-accounting-acc1] accounting-mode radius
[DeviceA-aaa-accounting-acc1] quit


# Apply the AAA schemes and RADIUS server template to a domain.
[DeviceA-aaa] domain huawei.com
[DeviceA-aaa-domain-huawei.com] authentication-scheme auth1
[DeviceA-aaa-domain-huawei.com] accounting-scheme acc1
[DeviceA-aaa-domain-huawei.com] radius-server 1
[DeviceA-aaa-domain-huawei.com] quit
[DeviceA-aaa] quit

Step 4 Configure the domain to which the administrator belongs as the global default
administrative domain so that the administrator does not need to enter the
domain name during an STelnet login to DeviceA.
[DeviceA] domain huawei.com admin

Step 5 Configure a RADIUS server.


The configuration includes the following steps: add a device, add an administrator
account, and set the administrator privilege level to 3.

----End

Verifying the Configuration


The administrator can log in to DeviceA through the STelnet client after entering
the correct user name and password.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
radius-server template 1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!
A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 10.1.6.6 1812 weight 80
radius-server accounting 10.1.6.6 1813 weight 80
#
aaa
authentication-scheme auth1
authentication-mode radius
accounting-scheme acc1
accounting-mode radius
domain huawei.com
authentication-scheme auth1
accounting-scheme acc1
radius-server 1
#
domain huawei.com admin
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
stelnet server enable
ssh server-source -i Vlanif10
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

3.1.12.2 NAC

3.1.12.2.1 Example for Configuring 802.1X Authentication (AAA Using RADIUS Authentication)

Networking Requirements
In Figure 3-79, terminals in a company's office area are connected to the
company's intranet through DeviceA. The downlink interfaces (for example, 10GE
1/0/2) of DeviceA are directly connected to terminals in the office area, and the
uplink interface 10GE 1/0/1 of DeviceA is connected to the RADIUS server through
the intranet.

To meet the company's high security requirements, 802.1X authentication needs to
be configured to authenticate terminals in the office area through the RADIUS
server. Additionally, authentication points need to be deployed on DeviceA's
interfaces (for example, 10GE 1/0/2) that are directly connected to the terminals.

Figure 3-79 Network diagram for 802.1X authentication


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Configure network connectivity.

# Create VLANs, configure the allowed VLANs on interfaces, and configure IP
addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 192.168.1.10 24
[DeviceA-Vlanif10] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 192.168.2.10 24
[DeviceA-Vlanif20] quit

Step 2 Configure AAA.

# Create and configure the RADIUS server template rd1.
[DeviceA] radius-server template rd1
[DeviceA-radius-rd1] radius-server authentication 192.168.1.30 1812
[DeviceA-radius-rd1] radius-server shared-key cipher Huawei@123456789
[DeviceA-radius-rd1] quit

# Create the authentication scheme abc and set the authentication mode to
RADIUS authentication.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme abc
[DeviceA-aaa-authen-abc] authentication-mode radius
[DeviceA-aaa-authen-abc] quit

# Create the authentication domain example.com, and bind the authentication
scheme abc and RADIUS server template rd1 to the domain.
[DeviceA-aaa] domain example.com
[DeviceA-aaa-domain-example.com] authentication-scheme abc
[DeviceA-aaa-domain-example.com] radius-server rd1
[DeviceA-aaa-domain-example.com] quit
[DeviceA-aaa] quit

# Check whether a user can pass RADIUS authentication. (The test user test and
password Example2012 have been configured on the RADIUS server.)
[DeviceA] test-aaa test Example2012 radius-template rd1
Info: Account test succeeded.

Step 3 Configure 802.1X authentication.

# Configure the 802.1X access profile d1.
[DeviceA] dot1x-access-profile name d1
[DeviceA-dot1x-access-profile-d1] dot1x authentication-method eap
[DeviceA-dot1x-access-profile-d1] dot1x timer client-timeout 30
[DeviceA-dot1x-access-profile-d1] quit

NOTE

By default, an 802.1X access profile uses EAP authentication. Ensure that the RADIUS server
supports the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X
authentication requests.

# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, and configure the forcible authentication domain
example.com for users using the authentication profile.
[DeviceA] authentication-profile name p1
[DeviceA-authen-profile-p1] dot1x-access-profile d1
[DeviceA-authen-profile-p1] access-domain example.com force
[DeviceA-authen-profile-p1] quit

# Bind the authentication profile p1 to a downlink interface and enable 802.1X
authentication on the interface. The following uses 10GE 1/0/2 as an example.
Other interfaces have similar configurations.
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] authentication-profile p1
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


1. A user starts the 802.1X client on a terminal, and enters the user name and
password for authentication.
2. If the user name and password are correct, an authentication success
message is displayed on the client page. The user can access the network.
3. After the user goes online, you can run the display access-user access-type
dot1x command on the device to check online 802.1X user information.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
authentication-profile name p1
dot1x-access-profile d1
access-domain example.com force
#
vlan batch 10 to 20
#
aaa
authentication-scheme abc
authentication-mode radius
domain example.com
authentication-scheme abc
radius-server rd1
#
radius-server template rd1
radius-server shared-key cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.3t@/5k|BENhEu>W(3\~XG!!D;!!!!!2jp5!!!!!!
A!!!!3"pK8qv!}9M#(4$jGWvQF/R[CNe/+:W^jk8HUe&W%+%#
radius-server authentication 192.168.1.30 1812 weight 80
#
dot1x-access-profile name d1
dot1x timer client-timeout 30
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port default vlan 20
authentication-profile p1
#
return

3.1.12.2.2 Example for Configuring 802.1X Authentication (AAA Using Local Authentication)

Networking Requirements
In Figure 3-80, terminals in a company's office area are connected to the
company's intranet through DeviceA. The downlink interface (for example, 10GE
1/0/2) of DeviceA is directly connected to terminals in the office area.
To meet the company's high security requirements, 802.1X authentication and
local authentication need to be configured to authenticate terminals in the office
area. Additionally, authentication points need to be deployed on DeviceA's
interfaces (for example, 10GE 1/0/2) that are directly connected to the terminals.

Figure 3-80 Network diagram for configuring 802.1X authentication


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Configure network connectivity.
# Create VLANs, configure the allowed VLANs on interfaces, and configure IP
addresses for interfaces.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 192.168.1.10 24
[DeviceA-Vlanif10] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 192.168.2.10 24
[DeviceA-Vlanif20] quit

Step 2 Configure AAA local authentication.

# Configure the authentication scheme a1 and set the authentication mode to
local authentication.
[DeviceA] aaa
[DeviceA-aaa] authentication-scheme a1
[DeviceA-aaa-authen-a1] authentication-mode local
[DeviceA-aaa-authen-a1] quit

# Configure the authorization scheme b1 and set the authorization mode to local
authorization.
[DeviceA-aaa] authorization-scheme b1
[DeviceA-aaa-author-b1] authorization-mode local
[DeviceA-aaa-author-b1] quit

# Configure the user name, password, and access type of a local user.

NOTE

Configure a terminal's MAC address as the local user name, set the password to Example@123,
and set the access type to MAC address authentication (dot1x). The following assumes that the
MAC address of printer 1 is 00e0-fcd4-8828.
[DeviceA-aaa] local-access-user 00e0-fcd4-8828
[DeviceA-aaa-access-user-00e0-fcd4-8828] password cipher Example@123
[DeviceA-aaa-access-user-00e0-fcd4-8828] service-type dot1x
[DeviceA-aaa-access-user-00e0-fcd4-8828] quit

# Configure the service scheme s1. In the service scheme s1, set the maximum
number of users who are allowed to access the network using the same user
name to 15.
[DeviceA-aaa] service-scheme s1
[DeviceA-aaa-service-s1] access-limit user-name max-num 15
[DeviceA-aaa-service-s1] quit

# Configure the domain example.com, and apply the authentication scheme a1,
authorization scheme b1, and service scheme s1 to the domain.
[DeviceA-aaa] domain example.com
[DeviceA-aaa-domain-example.com] authentication-scheme a1
[DeviceA-aaa-domain-example.com] authorization-scheme b1
[DeviceA-aaa-domain-example.com] service-scheme s1
[DeviceA-aaa-domain-example.com] quit
[DeviceA-aaa] quit

Step 3 Configure 802.1X authentication.
# Configure the 802.1X access profile d1.
[DeviceA] dot1x-access-profile name d1
[DeviceA-dot1x-access-profile-d1] dot1x authentication-method eap
[DeviceA-dot1x-access-profile-d1] dot1x timer client-timeout 30
[DeviceA-dot1x-access-profile-d1] quit

# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, and configure the forcible authentication domain
example.com for users using the authentication profile.
[DeviceA] authentication-profile name p1
[DeviceA-authen-profile-p1] dot1x-access-profile d1
[DeviceA-authen-profile-p1] access-domain example.com force
[DeviceA-authen-profile-p1] quit

# Bind the authentication profile p1 to a downlink interface and enable 802.1X
authentication on the interface. The following uses 10GE 1/0/2 as an example.
Other interfaces have similar configurations.
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] authentication-profile p1
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


1. After a user starts a terminal, the device automatically obtains the terminal's
MAC address as the user name and password for authentication.
2. The user can access the network after being successfully authenticated.
3. After the user goes online, you can run the display access-user access-type
dot1x command on the device to check online 802.1X user information.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
authentication-profile name p1
dot1x-access-profile d1
access-domain example.com force
#
vlan batch 10 to 20
#
aaa
authentication-scheme a1
authentication-mode local
authorization-scheme b1
authorization-mode local
service-scheme s1
access-limit user-name max-num 15
domain example.com
authentication-scheme a1
authorization-scheme b1
service-scheme s1
local-access-user 00e0-fcd4-8828
password cipher %+%##!!!!!!!!!"!!!!"!!!!*!!!!SKvr${[Fs.<FvBB,.w;M75IN5Z>'!L8G:n-!!!!!2jp5!!!!!!<!!!!k9&fPO<BSRW}jPT(,ewKyfIL"zVtM1~=>e.!!!!!%+%#
service-type dot1x
#


dot1x-access-profile name d1
dot1x timer client-timeout 30
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
authentication-profile p1
#
interface 10GE1/0/2
port default vlan 20
#
return

3.1.13 Security

3.1.13.1 IPSG

3.1.13.1.1 Example for Configuring IPSG Based on a Static Binding Table on an Interface

Networking Requirements
In Figure 3-81, PC1 and PC2 access the network through DeviceA, and both use
static IP addresses. The administrator wants each PC to access the Internet
only with its fixed IP address, bound to the PC's MAC address.

Figure 3-81 Network diagram of configuring IPSG based on a static binding table on an interface

NOTE

In this example, interface1 and interface2 represent 10GE1/0/1 and 10GE1/0/2, respectively.


Procedure
Step 1 Create static binding entries on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] user-bind static ip-address 10.0.0.1 mac-address 00e0-fc12-3456
[DeviceA] user-bind static ip-address 10.0.0.11 mac-address 00e0-fc12-3478

Step 2 Enable IPSG.

# Enable IPSG on 10GE1/0/1 and 10GE1/0/2 of DeviceA.
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] ipv4 source check user-bind enable
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] ipv4 source check user-bind enable
[DeviceA-10GE1/0/2] quit

----End

Verifying the Configuration


# Display static binding entries.
[DeviceA] display ip source check user-bind status
DHCP Bind-table on slot 1:
--------------------------------------------------------------------------------
IP Address       MAC Address      Vlan(O/I)  Interface    Type     Status
--------------------------------------------------------------------------------
10.0.0.1         00e0-fc12-3456   -/-        -            Static   IPv4/-
10.0.0.11        00e0-fc12-3478   -/-        -            Static   IPv4/-
--------------------------------------------------------------------------------
Total count: 2

The Vlan and Interface columns show "-" because the entries were created without
an interface or VLAN: each PC is bound to its IP/MAC pair only, on any IPSG-enabled
interface. To pin a PC to a port as well, add the interface keyword to the
user-bind static command, as in the next example.

Configuration Files
DeviceA
#
sysname DeviceA
#
user-bind static ip-address 10.0.0.1 mac-address 00e0-fc12-3456
user-bind static ip-address 10.0.0.11 mac-address 00e0-fc12-3478
#
interface 10GE1/0/1
ipv4 source check user-bind enable
#
interface 10GE1/0/2
ipv4 source check user-bind enable
#
return

3.1.13.1.2 Example for Configuring IPSG Based on a Static Binding Table in a VLAN

Networking Requirements
In Figure 3-82, PC1 and PC2 access the network through DeviceA, and they both
use static IP addresses. The Gateway functions as the enterprise egress gateway.


The administrator wants the PCs to use fixed IP addresses to access the Internet
through fixed interfaces. For security purposes, the administrator does not allow
external hosts to access the intranet without permission.

Figure 3-82 Network diagram of configuring IPSG based on a static binding table in a VLAN

NOTE

In this example, interface1, interface2, interface3, and interface4 represent 10GE1/0/1,
10GE1/0/2, 10GE1/0/3, and 10GE1/0/4, respectively.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/3
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 10
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/4] quit


Step 2 Configure static binding entries on 10GE1/0/1 and 10GE1/0/2 of DeviceA.


[DeviceA] user-bind static ip-address 10.0.0.1 mac-address 00e0-fc12-3456 interface 10GE 1/0/1
[DeviceA] user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3478 interface 10GE 1/0/2

Step 3 Configure the upstream interface 10GE1/0/4 as a trusted interface.


[DeviceA] dhcp enable
[DeviceA] dhcp snooping enable
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] dhcp snooping trusted
[DeviceA-10GE1/0/4] quit

Step 4 Enable IPSG in VLAN 10.


[DeviceA] vlan 10
[DeviceA-vlan10] ipv4 source check user-bind enable
[DeviceA-vlan10] quit

----End

Verifying the Configuration


# Display static binding entries.
[DeviceA] display ip source check user-bind status
DHCP Bind-table on slot 1:
--------------------------------------------------------------------------------
IP Address       MAC Address      Vlan(O/I)  Interface    Type     Status
--------------------------------------------------------------------------------
10.0.0.1         00e0-fc12-3456   -/-        10GE1/0/1    Static   IPv4/-
10.0.0.2         00e0-fc12-3478   -/-        10GE1/0/2    Static   IPv4/-
--------------------------------------------------------------------------------
Total count: 2

Configuration Scripts
DeviceA
#
sysname DeviceA
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 00e0-fc12-3456 interface 10GE1/0/1
user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3478 interface 10GE1/0/2
#
vlan batch 10
#
vlan 10
ipv4 source check user-bind enable
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 10
#
interface 10GE1/0/3
port default vlan 10
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted


#
return

3.1.13.1.3 Example for Configuring IPSG to Prevent Hosts with DHCP-assigned IP Addresses from Changing Their Own IP Addresses

Networking Requirements
In Figure 3-83, PC1, PC2, and PC3 connect to the network through DeviceA,
DeviceB functions as a DHCP server to dynamically assign IP addresses to PC1 and
PC2, PC3 uses a static IP address, and Gateway is the enterprise egress gateway.
The administrator requires that PC1 and PC2 cannot access the network if they
replace their DHCP-assigned addresses with manually configured static IP
addresses, while PC3 keeps using its authorized static IP address.

NOTE

In this example, interface1, interface2, interface3, and interface4 represent 10GE1/0/1,
10GE1/0/2, 10GE1/0/3, and 10GE1/0/4, respectively.

Figure 3-83 Network diagram of configuring IPSG to prevent hosts with DHCP-assigned IP addresses from changing their own IP addresses

Procedure
Step 1 Configure the DHCP server function on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB


[DeviceB] vlan batch 10
[DeviceB] interface 10GE 1/0/1
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/1] quit
[DeviceB] dhcp enable
[DeviceB] ip pool 10
[DeviceB-ip-pool-10] network 10.1.1.0 mask 24
[DeviceB-ip-pool-10] gateway-list 10.1.1.1
[DeviceB-ip-pool-10] quit
[DeviceB] interface vlanif 10
[DeviceB-Vlanif10] ip address 10.1.1.1 255.255.255.0
[DeviceB-Vlanif10] dhcp select global
[DeviceB-Vlanif10] quit

Step 2 Configure DHCP snooping on DeviceA.


# Create a VLAN and add interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/3
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 10
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10GE 1/0/4
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/4] quit

# Enable DHCP snooping and configure 10GE1/0/4 for connecting to the DHCP
server as a trusted interface.
[DeviceA] dhcp enable
[DeviceA] dhcp snooping enable
[DeviceA] vlan 10
[DeviceA-vlan10] dhcp snooping enable
[DeviceA-vlan10] dhcp snooping trusted interface 10GE 1/0/4
[DeviceA-vlan10] quit

Step 3 Create a static binding entry for PC3.


[DeviceA] user-bind static ip-address 10.1.1.2 mac-address 00e0-fc12-3489 interface 10GE 1/0/3 vlan 10

Step 4 Enable IPSG in VLAN 10.


[DeviceA] vlan 10
[DeviceA-vlan10] ipv4 source check user-bind enable
[DeviceA-vlan10] quit

----End

Verifying the Configuration


# Display dynamic binding entries corresponding to PC1 and PC2.
[DeviceA] display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping


IP Address       MAC Address      VSI/VLAN(O/I/P)  Interface    Lease
--------------------------------------------------------------------------------
10.1.1.254       00e0-fc12-3456   10 /-- /--       10GE1/0/1    2014.08.17-07:31
10.1.1.253       00e0-fc12-3478   10 /-- /--       10GE1/0/2    2014.08.17-07:34
--------------------------------------------------------------------------------
Print count: 2   Total count: 2

# Display the static binding entry corresponding to PC3.


[DeviceA] display user-bind static all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan
IP Address       MAC Address      VLAN(O/I)  Interface
--------------------------------------------------------------------------------
10.1.1.2         00e0-fc12-3489   10/--      10GE1/0/3
--------------------------------------------------------------------------------
Print count: 1   Total count: 1

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.1.1.2 mac-address 00e0-fc12-3489 interface 10GE 1/0/3 vlan 10
#
vlan 10
dhcp snooping enable
dhcp snooping trusted interface 10GE 1/0/4
ipv4 source check user-bind enable
#
interface 10GE 1/0/1
port link-type access
port default vlan 10
#
interface 10GE 1/0/2
port link-type access
port default vlan 10
#
interface 10GE 1/0/3
port link-type access
port default vlan 10
#
interface 10GE 1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
return

DeviceB
#
sysname DeviceB
#
vlan batch 10
#
dhcp enable
#
ip pool 10
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10


ip address 10.1.1.1 255.255.255.0


dhcp select global
#
interface 10GE 1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.1.13.1.4 Example for Configuring IPSG Based on a Dynamic Binding Table in a VLAN

Networking Requirements
In Figure 3-84, PC1 and PC2 access the network through DeviceA. The
administrator wants the PCs to use dynamically allocated IP addresses to access
the Internet and deny the access to the Internet if statically configured IP
addresses are used.

Figure 3-84 Network diagram of configuring IPSG based on a dynamic binding table in a VLAN
NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10GE 1/0/2


[DeviceA-10GE1/0/2] port link-type access


[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10GE 1/0/3
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/3] quit

Step 2 Enable DHCP snooping and configure 10GE1/0/3 for connecting to the DHCP
server as a trusted interface.
[DeviceA] dhcp enable
[DeviceA] dhcp snooping enable
[DeviceA] vlan 10
[DeviceA-vlan10] dhcp snooping enable
[DeviceA-vlan10] dhcp snooping trusted interface 10GE 1/0/3

Step 3 Enable IPSG in VLAN 10 of DeviceA.


[DeviceA-vlan10] ipv4 source check user-bind enable
[DeviceA-vlan10] quit

----End

Verifying the Configuration


# Display dynamic binding entries.
[DeviceA] display ip source check user-bind status
DHCP Bind-table on slot 1:
--------------------------------------------------------------------------------
IP Address       MAC Address      Vlan(O/I)  Interface    Type      Status
--------------------------------------------------------------------------------
10.1.1.254       00e0-fc12-3456   10 /-      10GE1/0/1    Dynamic   IPv4/-
10.1.1.253       00e0-fc12-3478   10 /-      10GE1/0/2    Dynamic   IPv4/-
--------------------------------------------------------------------------------
Total count: 2

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
#
vlan 10
dhcp snooping enable
dhcp snooping trusted interface 10GE1/0/3
ipv4 source check user-bind enable
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 10
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 10


#
return
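The following is an added example and not code from the Huawei document: a small model of the IPSG check that `ipv4 source check user-bind enable` turns on in the four examples above (3.1.13.1.1 to 3.1.13.1.4). Bindings come from `user-bind static` entries or, in the DHCP snooping examples, from the dynamic table learned from DHCP replies; a packet on a checked interface is forwarded only if its source IP, source MAC, VLAN and ingress interface match an entry, and fields an entry does not specify are wildcards. One assumption is made and marked in the code: packets entering on a DHCP snooping trusted interface are not checked. Addresses, MACs and interface names are the ones used in the examples; the packets are constructed.

```python
"""Added example (not part of the Huawei document): model of the IPSG binding
check. Bindings: user-bind static entries or DHCP snooping dynamic entries.
Assumption: traffic on DHCP snooping trusted interfaces bypasses the check."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int] = None        # None: entry is valid in any VLAN
    interface: Optional[str] = None   # None: entry is valid on any interface
    kind: str = "Static"              # "Static" (user-bind) or "Dynamic" (DHCP snooping)

    def matches(self, ip: str, mac: str, vlan: int, interface: str) -> bool:
        return (self.ip == ip and self.mac == mac
                and self.vlan in (None, vlan)
                and self.interface in (None, interface))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    interface: str          # ingress interface


class Ipsg:
    def __init__(self) -> None:
        self.bindings: List[Binding] = []
        self.ipsg_interfaces: Set[str] = set()   # ipv4 source check ... in interface view
        self.ipsg_vlans: Set[int] = set()        # ipv4 source check ... in VLAN view
        self.trusted: Set[str] = set()           # dhcp snooping trusted interfaces

    def verdict(self, pkt: Packet) -> str:
        """Return 'forward', 'drop' or 'unchecked'."""
        checked = pkt.interface in self.ipsg_interfaces or pkt.vlan in self.ipsg_vlans
        # Assumption of this model: a trusted uplink (Step 3 of 3.1.13.1.2) is not checked.
        if not checked or pkt.interface in self.trusted:
            return "unchecked"
        if any(b.matches(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.interface) for b in self.bindings):
            return "forward"
        return "drop"   # no binding: the host uses an IP/MAC/port it was not bound to


def interface_example() -> Dict[str, str]:
    """3.1.13.1.1: entries without interface, IPSG enabled per interface."""
    dev = Ipsg()
    dev.bindings += [Binding("10.0.0.1", "00e0-fc12-3456"), Binding("10.0.0.11", "00e0-fc12-3478")]
    dev.ipsg_interfaces |= {"10GE1/0/1", "10GE1/0/2"}
    return {
        "pc1_ok":         dev.verdict(Packet("10.0.0.1", "00e0-fc12-3456", 1, "10GE1/0/1")),
        "pc1_new_ip":     dev.verdict(Packet("10.0.0.9", "00e0-fc12-3456", 1, "10GE1/0/1")),
        "pc1_other_port": dev.verdict(Packet("10.0.0.1", "00e0-fc12-3456", 1, "10GE1/0/2")),
    }


def vlan_example() -> Dict[str, str]:
    """3.1.13.1.2: entries tied to an interface, IPSG enabled in VLAN 10."""
    dev = Ipsg()
    dev.bindings += [Binding("10.0.0.1", "00e0-fc12-3456", interface="10GE1/0/1"),
                     Binding("10.0.0.2", "00e0-fc12-3478", interface="10GE1/0/2")]
    dev.ipsg_vlans.add(10)
    dev.trusted.add("10GE1/0/4")
    return {
        "pc1_ok":          dev.verdict(Packet("10.0.0.1", "00e0-fc12-3456", 10, "10GE1/0/1")),
        "pc2_on_pc1_port": dev.verdict(Packet("10.0.0.2", "00e0-fc12-3478", 10, "10GE1/0/1")),
        "pc1_cloned_on_3": dev.verdict(Packet("10.0.0.1", "00e0-fc12-3456", 10, "10GE1/0/3")),
        "unbound_on_3":    dev.verdict(Packet("10.0.0.50", "00e0-fc12-9999", 10, "10GE1/0/3")),
        "uplink":          dev.verdict(Packet("192.0.2.7", "00e0-fc12-aaaa", 10, "10GE1/0/4")),
    }


def dhcp_example() -> Dict[str, str]:
    """3.1.13.1.3: dynamic entries from DHCP snooping plus a static entry for PC3."""
    dev = Ipsg()
    dev.bindings += [Binding("10.1.1.254", "00e0-fc12-3456", 10, "10GE1/0/1", "Dynamic"),
                     Binding("10.1.1.253", "00e0-fc12-3478", 10, "10GE1/0/2", "Dynamic"),
                     Binding("10.1.1.2", "00e0-fc12-3489", 10, "10GE1/0/3")]
    dev.ipsg_vlans.add(10)
    dev.trusted.add("10GE1/0/4")
    return {
        "pc1_dhcp_ip":   dev.verdict(Packet("10.1.1.254", "00e0-fc12-3456", 10, "10GE1/0/1")),
        "pc1_static_ip": dev.verdict(Packet("10.1.1.100", "00e0-fc12-3456", 10, "10GE1/0/1")),
        "pc3_static":    dev.verdict(Packet("10.1.1.2", "00e0-fc12-3489", 10, "10GE1/0/3")),
        "pc3_moved":     dev.verdict(Packet("10.1.1.2", "00e0-fc12-3489", 10, "10GE1/0/2")),
    }


if __name__ == "__main__":
    for example in (interface_example, vlan_example, dhcp_example):
        print(example.__name__, example())
```

Two results are worth noting before enabling IPSG in production. `pc1_other_port` is forwarded because an entry created without the interface keyword binds only the IP/MAC pair, not the port; and `unbound_on_3` is dropped because every host on an IPSG-enabled interface or VLAN needs a binding, so a port with no entry passes no IP traffic at all. Create the bindings first, verify them with `display ip source check user-bind status`, and only then enable the check.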

3.1.13.2 Port Security

3.1.13.2.1 Example for Configuring Port Security

Networking Requirements
As shown in Figure 3-85, PC1, PC2, and PC3 can communicate with each other in
VLAN 10, and connect to the company network through DeviceA. For security
purposes, only PC1, PC2, and PC3 can access the company network, and external
users cannot access the company network.

Figure 3-85 Network diagram of port security


NOTE

In this example, interface1, interface2, and interface3 represent 10GE1/0/1, 10GE1/0/2, and
10GE1/0/3, respectively.

Configuration Roadmap
1. Configure a VLAN to enable employee PCs to communicate with each other.
2. Enable port security and limit the number of MAC addresses learned on an
interface, so that external users cannot access the company network.

Procedure
Step 1 Configure a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access


[DeviceA-10GE1/0/1] port default vlan 10


[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type access
[DeviceA-10GE1/0/3] port default vlan 10
[DeviceA-10GE1/0/3] quit

Step 2 Configure port security.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-security enable maximum 1
[DeviceA-10GE1/0/1] port-security mac-address sticky
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port-security enable maximum 1
[DeviceA-10GE1/0/2] port-security mac-address sticky
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] port-security enable maximum 1
[DeviceA-10GE1/0/3] port-security mac-address sticky
[DeviceA-10GE1/0/3] quit

----End

Verifying the Configuration


After each PC sends its first frame, its MAC address is learned as a sticky secure
MAC address on its interface. Because the limit on each interface is 1, frames from
any other MAC address on that interface are discarded, so only PC1, PC2, and PC3
connected to the three interfaces on DeviceA can access the company network. If a
PC is replaced, the sticky entry on its interface must be removed before the new
device can be learned.

Configuration Scripts
#
sysname DeviceA
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
port-security enable maximum 1
port-security mac-address sticky
#
interface 10GE1/0/2
port default vlan 10
port-security enable maximum 1
port-security mac-address sticky
#
interface 10GE1/0/3
port default vlan 10
port-security enable maximum 1
port-security mac-address sticky
#
return
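The following is an added example, not code from the Huawei document: a model of an access interface configured as in Step 2 above with `port-security enable maximum 1` and `port-security mac-address sticky`. The first source MAC address seen on the interface is learned as a sticky secure MAC and written to the configuration, so it survives a reboot; once the limit is reached, frames from any other source MAC are a violation. The violation handling is an assumption of this model: the example configures no protect action, so the device default applies; here the offending frame is discarded and counted and the interface stays up. The format of the saved sticky line is illustrative, and the MAC addresses are constructed.

```python
"""Added example (not part of the Huawei document): model of a port-security
access interface with a sticky MAC limit. Assumption: a violating frame is
discarded and counted, the interface stays up."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                  # port-security enable maximum N
    sticky: bool = True               # port-security mac-address sticky
    secure_macs: List[str] = field(default_factory=list)
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward' or 'violation'."""
        if src_mac in self.secure_macs:
            return "forward"                     # known secure MAC
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)     # learned as a secure (sticky) MAC
            return "forward"
        self.violations += 1                     # limit reached: frame discarded (assumed action)
        return "violation"

    def running_config(self) -> List[str]:
        """Interface configuration after sticky learning (illustrative line format)."""
        lines = [f"interface {self.name}",
                 f" port default vlan {self.vlan}",
                 f" port-security enable maximum {self.maximum}"]
        if self.sticky:
            lines.append(" port-security mac-address sticky")
            lines += [f" port-security mac-address sticky {m} vlan {self.vlan}"
                      for m in self.secure_macs]
        return lines


def scenario(maximum: int = 1) -> Dict[str, object]:
    """PC1 sends first on 10GE1/0/1; then an unauthorised device appears on the same
    port (through an unmanaged hub, or after unplugging PC1); then it spoofs PC1's MAC."""
    port = SecurePort("10GE1/0/1", vlan=10, maximum=maximum)
    pc1, rogue = "00e0-fc12-3456", "00e0-fc12-dead"   # constructed MAC addresses
    results: Dict[str, object] = {
        "pc1_first_frame":    port.receive(pc1),
        "pc1_again":          port.receive(pc1),
        "rogue_device":       port.receive(rogue),
        "rogue_with_pc1_mac": port.receive(pc1),   # indistinguishable from PC1: forwarded
    }
    results["violations"] = port.violations
    results["sticky_entries"] = list(port.secure_macs)
    return results


if __name__ == "__main__":
    print(scenario())
    print("\n".join(SecurePort("10GE1/0/2", vlan=10).running_config()))
```

The `rogue_with_pc1_mac` result shows the limit of this control: port security binds a MAC address to a port, not a user to a port, so a device that copies PC1's MAC address is forwarded. Combine it with IPSG (3.1.13.1) or 802.1X when that matters. Running `scenario(maximum=2)` shows the other common mistake: with the limit set higher than the number of authorised hosts, the rogue device is simply learned as a second sticky entry.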

3.1.14 QoS

3.1.14.1 Packet Filtering


3.1.14.1.1 Example for Configuring Access Control Based on Source MAC Addresses

Networking Requirements
In Figure 3-86, users of an enterprise access the Internet through DeviceA. The
enterprise does not allow some hosts on the LAN to access the Internet. However,
users can still access the Internet from these hosts by changing host IP addresses,
and an IP-address-based firewall rule cannot prevent such unauthorized access.
Access control based on source MAC addresses solves this problem. In this example,
the hosts are prevented from accessing the Internet but can still access DeviceA.

Figure 3-86 Network diagram


NOTE

In this example, interface 1 represents 10GE 1/0/1.

Procedure
Step 1 Create a VLAN and configure interfaces.
# On DeviceA, create VLAN 10, configure VLANIF 10, and add 10GE 1/0/1 to the
VLAN.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.1 255.255.255.0

Step 2 Configure an ACL rule.


# On DeviceA, create ACL 3001 to match traffic destined for 10.1.1.0/24, the
network segment of VLANIF 10, so that the blocked hosts can still reach DeviceA.
[DeviceA] acl 3001
[DeviceA-acl4-advance-3001] rule 1 permit ip destination 10.1.1.0 0.0.0.255
[DeviceA-acl4-advance-3001] quit

Step 3 Configure traffic classifiers.


# On DeviceA, create a traffic classifier c1 and reference ACL 3001 in the traffic
classifier.


[DeviceA] traffic classifier c1 type and


[DeviceA-classifier-c1] if-match acl 3001
[DeviceA-classifier-c1] quit

# On DeviceA, create traffic classifiers c2 to c4 to match MAC addresses of user
hosts.
[DeviceA] traffic classifier c2 type and
[DeviceA-classifier-c2] if-match source-mac 00e0-fc0d-0001
[DeviceA-classifier-c2] quit
[DeviceA] traffic classifier c3 type and
[DeviceA-classifier-c3] if-match source-mac 00e0-fc0d-0002
[DeviceA-classifier-c3] quit
[DeviceA] traffic classifier c4 type and
[DeviceA-classifier-c4] if-match source-mac 00e0-fc0d-0003
[DeviceA-classifier-c4] quit

Step 4 Configure traffic behaviors.


# On DeviceA, create a traffic behavior b1 and configure the permit action in the
traffic behavior.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] permit
[DeviceA-behavior-b1] quit

# On DeviceA, create a traffic behavior b2 and configure the deny action in the
traffic behavior.
[DeviceA] traffic behavior b2
[DeviceA-behavior-b2] deny
[DeviceA-behavior-b2] quit

Step 5 Configure a traffic policy and apply it to the inbound direction of an interface.
# On DeviceA, create a traffic policy p1 and bind traffic classifiers to traffic
behaviors in the traffic policy. A smaller precedence value is matched first, so
c1 (precedence 5) permits traffic to DeviceA's segment before the source-MAC
classifiers c2 to c4 deny the remaining traffic from the blocked hosts.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[DeviceA-trafficpolicy-p1] classifier c2 behavior b2 precedence 10
[DeviceA-trafficpolicy-p1] classifier c3 behavior b2 precedence 15
[DeviceA-trafficpolicy-p1] classifier c4 behavior b2 precedence 20
[DeviceA-trafficpolicy-p1] quit

# Apply the traffic policy p1 to the inbound direction of an interface.


[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] traffic-policy p1 inbound
[DeviceA-Vlanif10] quit
[DeviceA] quit

----End

Verifying the Configuration


# Check the ACL rule configuration.
<DeviceA> display acl 3001
Advanced ACL 3001, 1 rule
ACL's step is 5
rule 1 permit ip destination 10.1.1.0 0.0.0.255
(0 times matched)

# Check the traffic classifier configuration.


<DeviceA> display traffic classifier c1
Traffic Classifier Information:


Classifier: c1
Type: AND
Rule(s):
if-match acl 3001
<DeviceA> display traffic classifier c2
Traffic Classifier Information:
Classifier: c2
Type: AND
Rule(s):
if-match source-mac 00e0-fc0d-0001

# Check the traffic policy configuration.


<DeviceA> display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: AND
Behavior: b1
Classifier: c2
Type: AND
Behavior: b2
Deny
Classifier: c3
Type: AND
Behavior: b2
Deny
Classifier: c4
Type: AND
Behavior: b2
Deny

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan 10
#
interface 10ge 1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface vlanif 10
ip address 10.1.1.1 255.255.255.0
#
acl 3001
rule 1 permit ip destination 10.1.1.0 0.0.0.255
#
traffic classifier c1 type and
if-match acl 3001
#
traffic classifier c2 type and
if-match source-mac 00e0-fc0d-0001
#
traffic classifier c3 type and
if-match source-mac 00e0-fc0d-0002
#
traffic classifier c4 type and
if-match source-mac 00e0-fc0d-0003
#
traffic behavior b1
permit
#
traffic behavior b2
deny
#


traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 10
classifier c3 behavior b2 precedence 15
classifier c4 behavior b2 precedence 20
#
interface vlanif 10
traffic-policy p1 inbound
#
return

3.1.14.1.2 Example for Configuring MQC-based Packet Filtering

Networking Requirements
In Figure 3-87, Host1, Host2, and Host3 communicate with each other through
DeviceA. For specific reasons, Host1 is allowed to receive traffic from Host2
through DeviceA but is not allowed to receive traffic from Host3.

Figure 3-87 Network diagram of packet filtering


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure an ACL rule.
# On DeviceA, create ACL 3001 to match traffic from Host3 to Host1. The rule is
written with 24-bit masks, so it matches the whole 192.168.3.0/24 to 192.168.1.0/24
flow, as the verification output below shows.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] acl 3001
[DeviceA-acl4-advance-3001] rule permit ip destination 192.168.1.1 24 source 192.168.3.1 24
[DeviceA-acl4-advance-3001] quit

Step 2 Configure a traffic classifier.


# On DeviceA, create traffic classifier c1 and reference ACL 3001 in the traffic
classifier.
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 3001
[DeviceA-classifier-c1] quit

Step 3 Configure a traffic behavior.


# On DeviceA, create traffic behavior b1 and define the deny action in the traffic
behavior.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] deny
[DeviceA-behavior-b1] quit

Step 4 Configure a traffic policy and apply it to the outbound direction of 10GE 1/0/1.
# On DeviceA, create traffic policy p1, in which traffic classifier c1 is associated
with traffic behavior b1.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] quit

# Apply traffic policy p1 to the outbound direction of 10GE 1/0/1.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] traffic-policy p1 outbound
[DeviceA-10GE1/0/1] quit
[DeviceA] quit

----End

Verifying the Configuration


# Check the ACL configuration.
<DeviceA> display acl 3001
Advanced ACL 3001, 1 rule
ACL's step is 5
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
(0 times matched)

# Check the traffic classifier configuration.


<DeviceA> display traffic classifier c1
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 3001

# Check the traffic policy configuration.


<DeviceA> display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Deny

Configuration Scripts
DeviceA


#
sysname DeviceA
#
acl number 3001
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3001
#
traffic behavior b1
deny
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
interface 10GE1/0/1
traffic-policy p1 outbound
#
return

3.1.14.2 Traffic Statistics Collection

3.1.14.2.1 Example for Configuring MQC-based Traffic Statistics Collection

Networking Requirements
In Figure 3-88, Host1 sends packets with the 802.1p value of 6 to DeviceA.
Statistics on service packets need to be collected to properly allocate bandwidth
resources.

Figure 3-88 Network diagram of traffic statistics collection


NOTE

In this example, interface 1 represents 10GE 1/0/1.

Procedure
Step 1 Configure an ACL rule.
# On DeviceA, create Layer 2 ACL 4000 to match packets with the 802.1p value of
6.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] acl 4000
[DeviceA-acl-L2-4000] rule permit 8021p 6
[DeviceA-acl-L2-4000] quit

Step 2 Configure a traffic classifier.


# On DeviceA, create traffic classifier c1 and match ACL 4000.
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 4000
[DeviceA-classifier-c1] quit


Step 3 Configure a traffic behavior.


# On DeviceA, create traffic behavior b1 and define the traffic statistics collection
action in the traffic behavior.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] statistics enable
[DeviceA-behavior-b1] quit

Step 4 Configure a traffic policy and apply it to the interface.


# On DeviceA, create traffic policy p1, in which traffic classifier c1 is associated
with traffic behavior b1.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] quit

# Apply traffic policy p1 to the inbound direction of 10GE 1/0/1.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] traffic-policy p1 inbound
[DeviceA-10GE1/0/1] quit
[DeviceA] quit

----End

Verifying the Configuration


# Check the ACL configuration.
<DeviceA> display acl 4000
L2 ACL 4000, 1 rule
ACL's step is 5
rule 5 permit 8021p 6 (0 times matched)

# Check the traffic classifier configuration.


<DeviceA> display traffic classifier c1
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 4000

# Check the traffic policy configuration.


<DeviceA> display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Statistics: enable

# Check traffic statistics.


<DeviceA> display traffic-policy statistics interface 10ge 1/0/1 inbound
Traffic policy: p1, inbound
--------------------------------------------------------------------------------
Slot: 1
Item          Packets          Bytes          pps          bps
--------------------------------------------------------------------------------
Matched        212185       22067448         1600      1379215
Passed         212185       22067448         1600      1379215
Dropped             0              0            0            0
Filter              0              0            0            0
CAR                 0              0            0            0
--------------------------------------------------------------------------------

The Matched and Passed counters show the packets with the 802.1p value of 6
received on 10GE 1/0/1. Dropped, Filter, and CAR stay at 0 because behavior b1
only collects statistics and neither filters nor polices the traffic.

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 100
#
acl number 4000
rule 5 permit 8021p 6
#
traffic classifier c1 type or
if-match acl 4000
#
traffic behavior b1
statistics enable
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
interface 10GE1/0/1
traffic-policy p1 inbound
#
return
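The following is an added example, not code from the Huawei document: a model of the MQC packet-filtering and statistics examples in 3.1.14.1.1, 3.1.14.1.2 and 3.1.14.2.1. ACL rules feed traffic classifiers, classifiers are bound to traffic behaviors in a traffic policy, and the policy is evaluated in precedence order. Two assumptions of this model, on which the 5/10/15/20 ordering of the source-MAC example relies, are marked in the code: the first classifier a packet matches decides the behavior, and a packet that matches no classifier is forwarded. Addresses and MACs are those of the examples; the packets are constructed.

```python
"""Added example (not part of the Huawei document): model of MQC traffic
policies. Assumptions: first matching classifier (by precedence) decides,
unmatched packets are forwarded."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    pcp: int = 0            # 802.1p priority


Match = Callable[[Packet], bool]


def acl_ip(source: Optional[str] = None, destination: Optional[str] = None) -> Match:
    """Advanced ACL 'rule permit ip [source NET] [destination NET]', nets in CIDR form."""
    src = ipaddress.ip_network(source) if source else None
    dst = ipaddress.ip_network(destination) if destination else None
    return lambda p: ((src is None or ipaddress.ip_address(p.src_ip) in src)
                      and (dst is None or ipaddress.ip_address(p.dst_ip) in dst))


def acl_8021p(value: int) -> Match:
    """Layer 2 ACL 'rule permit 8021p VALUE'."""
    return lambda p: p.pcp == value


def source_mac(mac: str) -> Match:
    """'if-match source-mac MAC'."""
    return lambda p: p.src_mac == mac


@dataclass
class Classifier:
    name: str
    rules: List[Match]
    match_type: str = "or"            # 'traffic classifier NAME type and|or'

    def matches(self, p: Packet) -> bool:
        hits = [rule(p) for rule in self.rules]
        return all(hits) if self.match_type == "and" else any(hits)


@dataclass
class Behavior:
    name: str
    action: str = "permit"            # 'permit' or 'deny'
    statistics: bool = False          # 'statistics enable'
    counters: Dict[str, int] = field(
        default_factory=lambda: {"Matched": 0, "Passed": 0, "Dropped": 0})


@dataclass
class TrafficPolicy:
    name: str
    bindings: List[Tuple[int, Classifier, Behavior]] = field(default_factory=list)

    def bind(self, c: Classifier, b: Behavior, precedence: int) -> None:
        """'classifier C behavior B precedence N'; a smaller value is evaluated first."""
        self.bindings.append((precedence, c, b))
        self.bindings.sort(key=lambda entry: entry[0])

    def apply(self, p: Packet) -> str:
        """Return the action taken on the packet ('permit' or 'deny')."""
        for _, c, b in self.bindings:
            if c.matches(p):                      # assumption: first match decides
                if b.statistics:
                    b.counters["Matched"] += 1
                    b.counters["Passed" if b.action == "permit" else "Dropped"] += 1
                return b.action
        return "permit"                           # assumption: unmatched traffic is forwarded


def mac_filter_policy(permit_first: bool = True) -> TrafficPolicy:
    """3.1.14.1.1: permit traffic to DeviceA's segment before denying by source MAC.
    permit_first=False puts c1 behind the deny classifiers to show why the order matters."""
    c1 = Classifier("c1", [acl_ip(destination="10.1.1.0/24")], "and")
    b1, b2 = Behavior("b1", "permit"), Behavior("b2", "deny")
    p1 = TrafficPolicy("p1")
    p1.bind(c1, b1, 5 if permit_first else 25)
    blocked = ["00e0-fc0d-0001", "00e0-fc0d-0002", "00e0-fc0d-0003"]
    for n, (prec, mac) in enumerate(zip((10, 15, 20), blocked), start=2):
        p1.bind(Classifier(f"c{n}", [source_mac(mac)], "and"), b2, prec)
    return p1


def host_filter_policy() -> TrafficPolicy:
    """3.1.14.1.2: drop Host3 -> Host1 traffic, applied outbound on 10GE 1/0/1."""
    p1 = TrafficPolicy("p1")
    p1.bind(Classifier("c1", [acl_ip("192.168.3.0/24", "192.168.1.0/24")]),
            Behavior("b1", "deny"), 5)
    return p1


def statistics_policy() -> TrafficPolicy:
    """3.1.14.2.1: count packets with 802.1p value 6 without changing forwarding."""
    p1 = TrafficPolicy("p1")
    p1.bind(Classifier("c1", [acl_8021p(6)]), Behavior("b1", "permit", statistics=True), 5)
    return p1


if __name__ == "__main__":
    to_device = Packet("00e0-fc0d-0001", "10.1.1.20", "10.1.1.1")
    to_internet = Packet("00e0-fc0d-0001", "10.1.1.20", "198.51.100.1")
    print(mac_filter_policy().apply(to_device), mac_filter_policy().apply(to_internet))
    print(mac_filter_policy(permit_first=False).apply(to_device))
```

`mac_filter_policy(permit_first=False)` is the configuration to avoid: with the permit classifier given a larger precedence value than the deny classifiers, a blocked host loses access to DeviceA as well, because its source-MAC classifier is matched first. When adding a deny rule to an existing policy, check the precedence values already in use with `display traffic policy` before choosing one.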

3.1.14.3 Redirection

3.1.14.3.1 Example for Configuring Redirection to an Interface

Networking Requirements
In Figure 3-89, the server connects to the Internet through DeviceA, DeviceB, and
DeviceD. All traffic from the Internet needs to be redirected to DeviceC for filtering
to ensure the security of traffic to the server.

Figure 3-89 Network diagram of redirecting packets to an interface


NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent 10GE 1/0/1, 10GE 1/0/2, 10GE
1/0/3, and 10GE 1/0/4, respectively.


Procedure
Step 1 Create VLANs and configure interfaces to ensure Layer 2 connectivity.

# Create VLAN 200 and VLAN 300 on DeviceB.


<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 200 300

# Configure 10GE 1/0/1 on DeviceB as a trunk interface and add it to VLAN 200
and VLAN 300. Configure 10GE 1/0/2 and 10GE 1/0/3 on DeviceB as access
interfaces, and add 10GE 1/0/2 to VLAN 200 and 10GE 1/0/3 to VLAN 300.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 200 300
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type access
[DeviceB-10GE1/0/2] port default vlan 200
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type access
[DeviceB-10GE1/0/3] port default vlan 300
[DeviceB-10GE1/0/3] quit

# Create VLAN 200 and VLAN 300 on DeviceA.

<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 200 300

# Configure 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4 on DeviceA as
trunk interfaces and add them to VLAN 200 and VLAN 300. To prevent loops, add
10GE 1/0/3 and 10GE 1/0/4 to the same port isolation group and disable MAC
address learning on 10GE 1/0/4 to prevent MAC address flapping.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 200 300
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 200 300
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 200 300
[DeviceA-10GE1/0/3] port-isolate enable group 1
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10ge 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 200 300
[DeviceA-10GE1/0/4] port-isolate enable group 1
[DeviceA-10GE1/0/4] mac-address learning disable
[DeviceA-10GE1/0/4] quit

Step 2 Configure redirection to an interface on DeviceA.


# Configure a traffic classifier. Configure a matching rule based on all data
packets in the traffic classifier c1.
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match any
[DeviceA-classifier-c1] quit

# Configure a traffic behavior. Define redirection to a specified interface in the
traffic behavior b1.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] redirect interface 10ge 1/0/3
[DeviceA-behavior-b1] quit

# Create a traffic policy p1, and bind the traffic classifier c1 and traffic behavior
b1 to the traffic policy.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] quit

# Apply the traffic policy to the inbound direction of 10GE 1/0/1.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] traffic-policy p1 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration


# Check the traffic classifier configuration.

<DeviceA> display traffic classifier


Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match any

Total classifier number is 1

# Check the traffic behavior configuration.


<DeviceA> display traffic behavior
Traffic Behavior Information:
Behavior: b1
Redirect:
Redirect interface 10GE1/0/3

Total behavior number is 1

# Check the traffic policy configuration.


<DeviceA> display traffic policy
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Redirect:
Redirect interface 10GE1/0/3

Total policy number is 1

# Check the traffic policy application records.


<DeviceA> display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name Apply Parameter Slot State
--------------------------------------------------------------------------------
p1 10GE1/0/1(IN) 1 success
--------------------------------------------------------------------------------

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 200 300
#
traffic classifier c1 type or
if-match any
#
traffic behavior b1
redirect interface 10GE 1/0/3
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
traffic-policy p1 inbound
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 200 300
port-isolate enable group 1
#
interface 10GE1/0/4
port link-type trunk
port trunk allow-pass vlan 200 300
port-isolate enable group 1
mac-address learning disable
#
return

● DeviceB
#
sysname DeviceB
#
vlan batch 200 300
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 200 300
#
interface 10GE1/0/2
port default vlan 200
#
interface 10GE1/0/3
port default vlan 300
#
return

3.1.14.3.2 Example for Configuring Redirection to a Next-Hop Address

Networking Requirements
In Figure 3-90, DeviceA functioning as a Layer 3 forwarding device is routable to
NetworkA and is connected to the Internet through two links. One uplink is a
high-speed link with the gateway at 10.1.20.1/24, and the other is a low-speed
link with the gateway at 10.1.30.1/24. The user requires that DeviceA forward
packets from network segments 192.168.100.0/24 and 192.168.101.0/24 to the
Internet through the high-speed link and low-speed link, respectively.

Figure 3-90 Network diagram of redirection to a next-hop address


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLAN 10, VLAN 20, and VLAN 30 on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30

# Configure 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3 on DeviceA as trunk
interfaces and add them to corresponding VLANs.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 30
[DeviceA-10GE1/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30 and configure IP addresses for
them.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.10.2 24
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.20.2 24
[DeviceA-Vlanif20] quit
[DeviceA] interface vlanif 30
[DeviceA-Vlanif30] ip address 10.1.30.2 24
[DeviceA-Vlanif30] quit

Step 2 Configure ACL rules.


# Create advanced ACLs 3001 and 3002 on DeviceA to allow packets on network
segments 192.168.100.0/24 and 192.168.101.0/24 to pass through.
[DeviceA] acl 3001
[DeviceA-acl4-advance-3001] rule permit ip source 192.168.100.0 0.0.0.255
[DeviceA-acl4-advance-3001] quit
[DeviceA] acl 3002
[DeviceA-acl4-advance-3002] rule permit ip source 192.168.101.0 0.0.0.255
[DeviceA-acl4-advance-3002] quit

Step 3 Configure traffic classifiers.


# Create traffic classifiers c1 and c2 on DeviceA, and bind c1 to ACL 3001 and c2
to ACL 3002.
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 3001
[DeviceA-classifier-c1] quit
[DeviceA] traffic classifier c2
[DeviceA-classifier-c2] if-match acl 3002
[DeviceA-classifier-c2] quit

Step 4 Configure traffic behaviors.


# Create traffic behaviors b1 and b2 on DeviceA and configure actions that
redirect packets to IP addresses 10.1.20.1 and 10.1.30.1.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] redirect nexthop 10.1.20.1
[DeviceA-behavior-b1] quit
[DeviceA] traffic behavior b2
[DeviceA-behavior-b2] redirect nexthop 10.1.30.1
[DeviceA-behavior-b2] quit

Step 5 Configure a traffic policy and apply it to an interface.


# Create a traffic policy p1 on DeviceA, and bind the traffic classifier c1 to the
traffic behavior b1 and the traffic classifier c2 to the traffic behavior b2.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] classifier c2 behavior b2
[DeviceA-trafficpolicy-p1] quit

# Apply traffic policy p1 to the inbound direction of 10GE 1/0/1.


[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] traffic-policy p1 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration


# Check the traffic classifier configuration.
<DeviceA> display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 3001

Classifier: c2
Type: OR
Rule(s):
if-match acl 3002

Total classifier number is 2

# Check the traffic policy configuration.


<DeviceA> display traffic policy
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Redirect:
Redirect nexthop
10.1.20.1

Classifier: c2
Type: OR
Behavior: b2
Redirect:
Redirect nexthop
10.1.30.1

Total policy number is 2

# Check the traffic policy application records.


<DeviceA> display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name Apply Parameter Slot State
--------------------------------------------------------------------------------
p1 10GE1/0/1(IN) 1 success
--------------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10 20 30
#
acl number 3001
rule 5 permit ip source 192.168.100.0 0.0.0.255
#
acl number 3002
rule 5 permit ip source 192.168.101.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3001
#
traffic classifier c2 type or
if-match acl 3002
#
traffic behavior b1
redirect nexthop 10.1.20.1
#
traffic behavior b2
redirect nexthop 10.1.30.1
#
traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 10
#
interface Vlanif10
ip address 10.1.10.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.30.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return

3.1.14.3.3 Example for Configuring Association Between Redirection to a Next-Hop Address and NQA

Networking Requirements
In Figure 3-91, DeviceA is the upper-layer device of DeviceB, and DeviceB is the
user gateway. There are reachable routes between DeviceA and DeviceB. DeviceA
is connected to the Internet through two links: a high-speed link with the gateway
at 10.1.20.1/24 and a low-speed link with the gateway at 10.1.30.1/24. A default
route has been configured on DeviceA to ensure that traffic is transmitted through
the high-speed link by default. The customer requirements are as follows:
● Packets from the network segment 192.168.101.0/24 are redirected to the
low-speed link for transmission, alleviating the bandwidth pressure on the
high-speed link.
● If the low-speed link fails, packets from the network segment
192.168.101.0/24 can be rapidly switched back to the high-speed link to
minimize the communication interruption caused by the link fault.

Figure 3-91 Network diagram of association between redirection to a next-hop address and NQA

NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 30
[DeviceA-10GE1/0/3] quit
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.20.2 24
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.30.2 24
[DeviceA-Vlanif20] quit
[DeviceA] interface vlanif 30
[DeviceA-Vlanif30] ip address 10.1.10.2 24
[DeviceA-Vlanif30] quit

# Configure DeviceC.
<HUAWEI> system-view
[HUAWEI] sysname DeviceC
[DeviceC] vlan batch 10
[DeviceC] interface 10ge 1/0/1
[DeviceC-10GE1/0/1] portswitch
[DeviceC-10GE1/0/1] port link-type trunk
[DeviceC-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceC-10GE1/0/1] quit
[DeviceC] interface vlanif 10
[DeviceC-Vlanif10] ip address 10.1.20.1 24
[DeviceC-Vlanif10] quit

# Configure DeviceD.
<HUAWEI> system-view
[HUAWEI] sysname DeviceD
[DeviceD] vlan batch 20
[DeviceD] interface 10ge 1/0/1
[DeviceD-10GE1/0/1] portswitch
[DeviceD-10GE1/0/1] port link-type trunk
[DeviceD-10GE1/0/1] port trunk allow-pass vlan 20
[DeviceD-10GE1/0/1] quit
[DeviceD] interface vlanif 20
[DeviceD-Vlanif20] ip address 10.1.30.1 24
[DeviceD-Vlanif20] quit

Step 2 On DeviceA, configure an NQA test instance.


[DeviceA] nqa test-instance user test
[DeviceA-nqa-user-test] test-type icmp
[DeviceA-nqa-user-test] destination-address ipv4 10.1.30.1
[DeviceA-nqa-user-test] frequency 11
[DeviceA-nqa-user-test] probe-count 2
[DeviceA-nqa-user-test] interval seconds 5
[DeviceA-nqa-user-test] timeout 4
[DeviceA-nqa-user-test] start now
[DeviceA-nqa-user-test] quit

Step 3 Configure an ACL rule.

# Create advanced ACL 3001 on DeviceA to allow packets from the network
segment 192.168.101.0/24 to pass through.
[DeviceA] acl 3001
[DeviceA-acl4-advance-3001] rule permit ip source 192.168.101.0 0.0.0.255
[DeviceA-acl4-advance-3001] quit

Step 4 Configure a traffic classifier.

# Create a traffic classifier c1 on DeviceA and reference ACL 3001.


[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 3001
[DeviceA-classifier-c1] quit

Step 5 Configure a traffic behavior.

# Create a traffic behavior b1 on DeviceA to redirect packets to the IP address
10.1.30.1, and associate NQA with redirection to a next-hop address.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] redirect nexthop 10.1.30.1 track nqa user test
[DeviceA-behavior-b1] quit

Step 6 Configure a traffic policy and apply it to an interface.

# Create a traffic policy p1 on DeviceA, and bind the traffic classifier c1 and traffic
behavior b1 to the traffic policy.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] quit

# Apply traffic policy p1 to the inbound direction of 10GE 1/0/3.
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] traffic-policy p1 inbound
[DeviceA-10GE1/0/3] quit
[DeviceA] quit

----End

Verifying the Configuration


# Check the ACL configuration.
<DeviceA> display acl 3001
Advanced ACL 3001, 1 rule
ACL's step is 5
rule 5 permit ip source 192.168.101.0 0.0.0.255 (0 times matched)

# Check the traffic classifier configuration.


<DeviceA> display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 3001

Total classifier number is 1

# Check the traffic policy configuration.


<DeviceA> display traffic policy
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Redirect:
Redirect nexthop
10.1.30.1 track nqa user test

Total policy number is 1

# Check the traffic policy application records.


<DeviceA> display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name Apply Parameter Slot State
--------------------------------------------------------------------------------
p1 10GE1/0/3(IN) 1 success
--------------------------------------------------------------------------------

# Check the NQA test result. If "Completion:success" and "Lost packet ratio: 0 %"
are displayed, the NQA test succeeds and the link is normal.
<DeviceA> display nqa results test-instance user test

NQA entry(user, test) :test flag is active ,test type is ICMP


1 . Test 1 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD over thresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination IP address:10.1.30.1
Min/Max/Average completion time: 3/4/3
Sum/Square-Sum completion time: 7/25
Last response packet receiving tim: 2020-04-09 09:55:38.2
Lost packet ratio: 0 %
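An operator who wants to poll this state rather than read it by eye can parse the two displays. The following Python is an added example, not part of the manual or of the switch software: it extracts the Completion and Lost packet ratio fields from display nqa results and the State column from display traffic-policy applied-record, and reports whether the tracked redirect is actually in effect. The sample outputs in the block are constructed copies modelled on the ones shown above; the second policy p2 and its non-success state are invented for the example.

```python
# Added check (not from the manual): decide from the two 'display' outputs
# whether an NQA-tracked 'redirect nexthop' is healthy. Sample outputs are
# constructed, modelled on the manual's verification section.
import re
from typing import Dict, List, Tuple

NQA_RESULT = """\
NQA entry(user, test) :test flag is active ,test type is ICMP
  1 . Test 1 result   The test is finished
    Send operation times: 2           Receive response times: 2
    Completion:success                RTD over thresholds number: 0
    Destination IP address:10.1.30.1
    Min/Max/Average completion time: 3/4/3
    Lost packet ratio: 0 %
"""

# Constructed: p2 with state 'fail' is invented to show a non-success row.
APPLIED_RECORD = """\
Total records : 2
--------------------------------------------------------------------------------
Policy Type/Name    Apply Parameter    Slot    State
--------------------------------------------------------------------------------
p1                  10GE1/0/3(IN)      1       success
--------------------------------------------------------------------------------
p2                  10GE1/0/1(IN)      1       fail
--------------------------------------------------------------------------------
"""


def nqa_test_succeeded(output: str) -> bool:
    """True when the last ICMP probe completed and lost no packets."""
    completion = re.search(r"Completion:\s*(\S+)", output)
    lost = re.search(r"Lost packet ratio:\s*(\d+)\s*%", output)
    if completion is None or lost is None:
        return False  # fields missing: treat as unhealthy rather than guessing
    return completion.group(1) == "success" and int(lost.group(1)) == 0


def policy_states(output: str) -> Dict[Tuple[str, str], str]:
    """Map (policy, apply parameter) -> State from 'display traffic-policy applied-record'.
    Header, separator and 'Total records' lines do not match the row pattern."""
    states: Dict[Tuple[str, str], str] = {}
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$", line.strip())
        if m:
            states[(m.group(1), m.group(2))] = m.group(4)
    return states


def redirect_healthy(nqa_output: str, record_output: str,
                     policy: str = "p1", where: str = "10GE1/0/3(IN)") -> Tuple[bool, List[str]]:
    """Combine both checks; returns (healthy, list of problems)."""
    problems: List[str] = []
    if not nqa_test_succeeded(nqa_output):
        problems.append("NQA probe to the tracked next hop is failing; "
                        "matching traffic is following the routing table instead")
    state = policy_states(record_output).get((policy, where))
    if state != "success":
        problems.append(f"policy {policy} on {where}: state {state!r}")
    return (not problems, problems)


if __name__ == "__main__":
    print(redirect_healthy(NQA_RESULT, APPLIED_RECORD))
```

The two checks are deliberately combined: an applied-record of success only says the policy is installed, and an NQA success only says the probe reaches 10.1.30.1; the redirect is in effect only when both hold.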

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 10 20 30
#
acl number 3001
rule 5 permit ip source 192.168.101.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3001
#
traffic behavior b1
redirect nexthop 10.1.30.1 track nqa user test
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
interface Vlanif10
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif20
ip address 10.1.30.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.10.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy p1 inbound
#
nqa test-instance user test
test-type icmp
destination-address ipv4 10.1.30.1
interval seconds 5
timeout 4
probe-count 2
frequency 11
start now
#
return

● DeviceC
#
sysname DeviceC
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.20.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

● DeviceD
#
sysname DeviceD
#
vlan batch 20
#
interface Vlanif20
ip address 10.1.30.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
return

3.1.14.3.4 Example for Configuring Redirection to Implement Route Selection

Networking Requirements
In Figure 3-92, the PC needs to access the server through link A, link B, and link C
in descending order of priority (link C is used by default).

Figure 3-92 Network diagram for configuring redirection to implement route selection

NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dynamic routing protocol to generate a route or configure a static
route destined for the server and specify 10.1.1.2/24 as the next-hop address
so that packets pass through link A.
2. Redirect the packets that match the network segment where the server
resides to the next-hop address 10.1.2.2/24 so that they pass through link B.
Specify low-precedence for the redirection to a next-hop address, and
configure a high priority for the traffic classifier when binding the traffic
classifier and the traffic behavior to the traffic policy. In this way, packets
preferentially pass through link A.
3. Redirect the packets matching all network segments to the next-hop
address 10.1.3.2/24 instead of sending them through the default route, so
that they pass through link C. Specify low-precedence for the redirection to a
next-hop address, and configure a low priority for the traffic classifier when
binding the traffic classifier and the traffic behavior to the traffic policy. In
this way, packets preferentially pass through links A and B.
After the configuration is complete, DeviceA handles packets in one of the
following ways (listed in descending order of priority): forwards packets according
to the route generated by a routing protocol or static route > redirects packets
matching the network segment where the server resides to a next-hop address >
redirects packets matching the entire network segment to a next-hop address.
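The priority order just described can be checked against a small model. The following Python is an added illustration, not Huawei code or switch output: it models DeviceA's next-hop choice for one packet given a routing table, a traffic policy whose classifiers are tried in ascending precedence, the low-precedence keyword and an NQA track state, so it also covers the NQA-tracked failover of 3.1.14.3.3. The evaluation rules it encodes (only the first matching classifier of a policy applies; low-precedence defers to a matching non-default route; a tracked redirect is skipped while the NQA test is not successful) are assumptions about platform behaviour, and the PC and Internet addresses are constructed.

```python
# Added illustration (not Huawei code): how 'redirect nexthop', 'low-precedence',
# 'track nqa' and the routing table combine when DeviceA picks a next hop.
# Assumptions: classifiers are tried in ascending precedence and only the first
# match applies; 'low-precedence' yields to any matching non-default route; a
# redirect tracked by an NQA instance that is not successful is ignored.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    nexthop: IPv4Address


@dataclass(frozen=True)
class Classifier:
    """ACL-based classifier ('rule permit ip source ...' / '... destination ...').
    No constraint at all corresponds to 'if-match any'."""
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


@dataclass(frozen=True)
class Behavior:
    """'redirect nexthop <ip> [low-precedence] [track nqa <admin> <test>]'."""
    nexthop: IPv4Address
    low_precedence: bool = False
    track_nqa: Optional[str] = None


# Policy entry: (precedence, classifier, behavior); lower precedence is tried first.
Policy = List[Tuple[int, Classifier, Behavior]]


def lookup_route(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def select_nexthop(table: List[Route], policy: Policy, nqa_up: Dict[str, bool],
                   src: str, dst: str) -> Optional[IPv4Address]:
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    route = lookup_route(table, dst_ip)
    for _, cls, beh in sorted(policy, key=lambda e: e[0]):
        if not cls.matches(src_ip, dst_ip):
            continue
        if beh.track_nqa is not None and not nqa_up.get(beh.track_nqa, False):
            break  # tracked link is down: fall back to the routing table
        if beh.low_precedence and route is not None and route.prefix.prefixlen > 0:
            break  # a specific (non-default) route beats a low-precedence redirect
        return beh.nexthop  # redirect applies
    return route.nexthop if route is not None else None


def route_selection_demo() -> Dict[str, Optional[IPv4Address]]:
    """Section 3.1.14.3.4: link A via 10.1.1.2, link B via 10.1.2.2, link C via 10.1.3.2.
    PC address 192.168.1.10 and Internet host 203.0.113.7 are constructed."""
    server = IPv4Network("10.1.4.0/24")
    policy: Policy = [
        (5, Classifier(dst=server), Behavior(IPv4Address("10.1.2.2"), low_precedence=True)),
        (10, Classifier(dst=IPv4Network("0.0.0.0/0")), Behavior(IPv4Address("10.1.3.2"), low_precedence=True)),
    ]
    static = [Route(server, IPv4Address("10.1.1.2"))]  # 'ip route-static 10.1.4.0 24 10.1.1.2'
    pc = "192.168.1.10"
    return {
        "server, route present": select_nexthop(static, policy, {}, pc, "10.1.4.5"),
        "server, route withdrawn": select_nexthop([], policy, {}, pc, "10.1.4.5"),
        "other destination": select_nexthop(static, policy, {}, pc, "203.0.113.7"),
    }


def nqa_failover_demo() -> Dict[str, Optional[IPv4Address]]:
    """Section 3.1.14.3.3: default route via 10.1.20.1; 192.168.101.0/24 is redirected
    to 10.1.30.1 only while NQA instance 'user test' succeeds."""
    table = [Route(IPv4Network("0.0.0.0/0"), IPv4Address("10.1.20.1"))]
    policy: Policy = [(5, Classifier(src=IPv4Network("192.168.101.0/24")),
                       Behavior(IPv4Address("10.1.30.1"), track_nqa="user test"))]
    return {
        "101 net, nqa up": select_nexthop(table, policy, {"user test": True}, "192.168.101.9", "203.0.113.7"),
        "101 net, nqa down": select_nexthop(table, policy, {"user test": False}, "192.168.101.9", "203.0.113.7"),
        "100 net": select_nexthop(table, policy, {"user test": True}, "192.168.100.9", "203.0.113.7"),
    }


if __name__ == "__main__":
    print(route_selection_demo())
    print(nqa_failover_demo())
```

The model shows why the classifier precedence and the low-precedence keyword are both needed: without low-precedence, classifier c2 (destination 0.0.0.0/0) would pull even server-bound traffic away from the static route, and without the ordering c1 before c2 the catch-all classifier would shadow the server-specific one.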

Procedure
Step 1 Create VLANs and configure interfaces.
# Create VLANs 10, 20, and 30 on DeviceA.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30

# Configure 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3 on DeviceA as trunk
interfaces and add them to VLAN 10, VLAN 20, and VLAN 30, respectively.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port link-type trunk
[DeviceA-10GE1/0/3] port trunk allow-pass vlan 30
[DeviceA-10GE1/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30 and configure IP addresses for
them.
[DeviceA] interface vlanif 10
[DeviceA-Vlanif10] ip address 10.1.1.1 24
[DeviceA-Vlanif10] quit
[DeviceA] interface vlanif 20
[DeviceA-Vlanif20] ip address 10.1.2.1 24
[DeviceA-Vlanif20] quit
[DeviceA] interface vlanif 30
[DeviceA-Vlanif30] ip address 10.1.3.1 24
[DeviceA-Vlanif30] quit

Step 2 Configure a static route to the server.


# Configure a static route to the server and specify 10.1.1.2 as the next-hop
address.
[DeviceA] ip route-static 10.1.4.0 24 10.1.1.2

Step 3 Configure traffic classifiers.


# On DeviceA, create ACLs 3001 and 3002 to allow packets with destination IP
addresses 10.1.4.0/24 and 0.0.0.0/0 to pass through, respectively.
[DeviceA] acl 3001
[DeviceA-acl4-advance-3001] rule permit ip destination 10.1.4.0 0.0.0.255
[DeviceA-acl4-advance-3001] quit
[DeviceA] acl 3002
[DeviceA-acl4-advance-3002] rule permit ip destination 0.0.0.0 255.255.255.255
[DeviceA-acl4-advance-3002] quit

# On DeviceA, create traffic classifiers c1 and c2 that match ACLs 3001 and 3002
respectively, and specify a higher priority for c1 than that for c2.
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 3001
[DeviceA-classifier-c1] quit
[DeviceA] traffic classifier c2
[DeviceA-classifier-c2] if-match acl 3002
[DeviceA-classifier-c2] quit

Step 4 Configure traffic behaviors.


# Create traffic behaviors b1 and b2 on DeviceA, set the next-hop addresses to which
packets are redirected to 10.1.2.2 in b1 and 10.1.3.2 in b2, and specify
low-precedence so that redirection to a next-hop address has a lower priority than
a route generated by a dynamic routing protocol or a static route.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] redirect nexthop 10.1.2.2 low-precedence
[DeviceA-behavior-b1] quit
[DeviceA] traffic behavior b2
[DeviceA-behavior-b2] redirect nexthop 10.1.3.2 low-precedence
[DeviceA-behavior-b2] quit

Step 5 Configure a traffic policy.


# Create a traffic policy p1 on DeviceA, and bind the traffic classifiers and traffic
behaviors to the traffic policy.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[DeviceA-trafficpolicy-p1] classifier c2 behavior b2 precedence 10
[DeviceA-trafficpolicy-p1] quit

# Apply the traffic policy p1 to the system. After the configuration is complete, all
packets received by DeviceA match the traffic policy p1.
[DeviceA] traffic-policy p1 global inbound
[DeviceA] quit

----End

Verifying the Configuration


# Check the ACL configuration.
<DeviceA> display acl 3001
Advanced ACL 3001, 1 rule
ACL's step is 5
rule 5 permit ip destination 10.1.4.0 0.0.0.255 (0 times matched)
<DeviceA> display acl 3002
Advanced ACL 3002, 1 rule
ACL's step is 5
rule 5 permit ip (0 times matched)

# Check the traffic classifier configuration.


<DeviceA> display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 3001

Classifier: c2
Type: OR
Rule(s):
if-match acl 3002

Total classifier number is 2

# Check the traffic policy configuration.


<DeviceA> display traffic policy
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Redirect:
Redirect nexthop
10.1.2.2

Classifier: c2
Type: OR
Behavior: b2
Redirect:
Redirect nexthop
10.1.3.2

Total policy number is 2

# Check the traffic policy application records.


<DeviceA> display traffic-policy applied-record
Total records : 1
--------------------------------------------------------------------------------
Policy Type/Name Apply Parameter Slot State
--------------------------------------------------------------------------------
p1 Global(IN) 1 success
--------------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10 20 30
#
traffic-policy p1 global inbound
#
acl number 3001
rule 5 permit ip destination 10.1.4.0 0.0.0.255
#
acl number 3002
rule 5 permit ip
#
traffic classifier c1 type or
if-match acl 3001
#
traffic classifier c2 type or
if-match acl 3002
#
traffic behavior b1
redirect nexthop 10.1.2.2 low-precedence
#
traffic behavior b2
redirect nexthop 10.1.3.2 low-precedence
#
traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ip route-static 10.1.4.0 255.255.255.0 10.1.1.2
#
return

3.1.14.4 Re-marking

3.1.14.4.1 Example for Configuring MQC-based Re-marking

Networking Requirements
On the network shown in Figure 3-93, packets sent from Host1 and Host2 to
DeviceB are identified by different VLAN IDs (10 and 20, respectively). DeviceB re-
marks the VLAN packets received from Host1 and Host2 so that the internal
priority of the packets sent by Host1 is higher than that of the packets sent by
Host2 on DeviceA. This ensures the experience of services on Host1.

Figure 3-93 Network diagram of re-marking


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Create VLANs and configure interfaces so that DeviceB can communicate with
Host1, Host2, and DeviceA.
# Create VLAN 10, VLAN 20, and VLAN 30 on DeviceB.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10 20 30

# Configure 10GE 1/0/1 as a trunk interface and add it to VLAN 30. Configure
10GE 1/0/2 and 10GE 1/0/3 as access interfaces and add them to VLAN 10 and
VLAN 20, respectively.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 30
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type access
[DeviceB-10GE1/0/2] port default vlan 10
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type access
[DeviceB-10GE1/0/3] port default vlan 20
[DeviceB-10GE1/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30, and configure IP addresses for
them.
[DeviceB] interface vlanif 10
[DeviceB-Vlanif10] ip address 192.168.10.1 24
[DeviceB-Vlanif10] quit
[DeviceB] interface vlanif 20
[DeviceB-Vlanif20] ip address 192.168.20.1 24
[DeviceB-Vlanif20] quit
[DeviceB] interface vlanif 30
[DeviceB-Vlanif30] ip address 192.168.100.1 24
[DeviceB-Vlanif30] quit

Step 2 Configure traffic classifiers.


# Create and configure traffic classifiers c1 and c2 on DeviceB to classify packets
based on VLAN IDs.
[DeviceB] traffic classifier c1
[DeviceB-classifier-c1] if-match vlan 10
[DeviceB-classifier-c1] quit
[DeviceB] traffic classifier c2
[DeviceB-classifier-c2] if-match vlan 20
[DeviceB-classifier-c2] quit

Step 3 Configure traffic behaviors.


# Create and configure traffic behaviors b1 and b2 on DeviceB to re-mark the
802.1p value of VLAN packets sent from Host1 into 4 and the 802.1p value of
VLAN packets sent from Host2 into 2. In this manner, the priority of packets from
Host1 is higher than that of packets from Host2.
[DeviceB] traffic behavior b1
[DeviceB-behavior-b1] remark 8021p 4
[DeviceB-behavior-b1] quit
[DeviceB] traffic behavior b2
[DeviceB-behavior-b2] remark 8021p 2
[DeviceB-behavior-b2] quit

Step 4 Configure traffic policies and apply them to interfaces.


# Create traffic policies p1 and p2 on DeviceB, bind the traffic classifiers and
traffic behaviors to the traffic policies, and apply the traffic policy p1 to 10GE
1/0/2 in the inbound direction and the traffic policy p2 to 10GE 1/0/3 in the
inbound direction to re-mark packet priorities.
[DeviceB] traffic policy p1
[DeviceB-trafficpolicy-p1] classifier c1 behavior b1
[DeviceB-trafficpolicy-p1] quit
[DeviceB] traffic policy p2
[DeviceB-trafficpolicy-p2] classifier c2 behavior b2
[DeviceB-trafficpolicy-p2] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] traffic-policy p1 inbound
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] traffic-policy p2 inbound
[DeviceB-10GE1/0/3] quit
[DeviceB] quit

----End

Verifying the Configuration


# Check the traffic classifier configuration.
<DeviceB> display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match vlan 10

Classifier: c2
Type: OR
Rule(s):
if-match vlan 20

Total classifier number is 2

# Check the traffic policy configuration.


<DeviceB> display traffic policy
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Remark:
Remark 8021p 4

Policy: p2
Classifier: c2
Type: OR
Behavior: b2
Remark:
Remark 8021p 2

Total policy number is 2

# Check the traffic policy application records.


<DeviceB> display traffic-policy applied-record
Total records : 2
--------------------------------------------------------------------------------
Policy Type/Name Apply Parameter Slot State
--------------------------------------------------------------------------------
p1 10GE1/0/2(IN) 1 success
--------------------------------------------------------------------------------
p2 10GE1/0/3(IN) 1 success
--------------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 10 20 30
#
traffic classifier c1 type or
if-match vlan 10
#
traffic classifier c2 type or
if-match vlan 20
#
traffic behavior b1
remark 8021p 4
#
traffic behavior b2
remark 8021p 2
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
traffic policy p2
classifier c2 behavior b2 precedence 5
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.100.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface 10GE1/0/2
port default vlan 10
traffic-policy p1 inbound
#
interface 10GE1/0/3
port default vlan 20
traffic-policy p2 inbound
#
return

3.1.14.5 Traffic Policing, Traffic Shaping, and Interface-based Rate Limiting

3.1.14.5.1 Example for Configuring Traffic Shaping to Limit the Rate of Different Services

Networking Requirements
In Figure 3-94, three servers are deployed to provide voice, video, and data
services, and service packets traverse DeviceA, DeviceB, and DeviceC to reach the
external network. The interface connected to the voice service host joins VLAN 10;
the interface connected to the video service host joins VLAN 20; the interface
connected to the data service host joins VLAN 30.

Figure 3-94 Network diagram for configuring traffic shaping


NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent 10GE 1/0/1,
10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4, respectively.

Packets of voice, video, and data services are identified by 802.1p priorities 5, 3,
and 2 respectively. However, jitter may occur when packets from interface 2 on
DeviceB reach DeviceC. Table 3-2 lists the bandwidth requirements to limit jitter
and ensure services.

Table 3-2 Bandwidth for each service on DeviceB

Service Type    CIR (kbit/s)    PIR (kbit/s)
Voice           3000            5000
Video           5000            8000
Data            2000            3000

Procedure
Step 1 On DeviceB, create VLANs and add interfaces to these VLANs so that users can
access the network through DeviceB.
# Create VLANs 10, 20, and 30.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10 20 30

# Set the access mode of interfaces 10GE 1/0/1 and 10GE 1/0/2 to trunk, and add
them to VLANs 10, 20, and 30.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 10 20 30
[DeviceB-10GE1/0/2] quit

Step 2 Set priorities for DeviceA's interfaces connected to the hosts to differentiate
packets of different services.
# On DeviceA, set the priorities of 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3 to 5, 3,
and 2, respectively, and add 10GE 1/0/4 to VLANs 10, 20, and 30.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] port priority 5
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port default vlan 20
[DeviceA-10GE1/0/2] port priority 3
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port default vlan 30
[DeviceA-10GE1/0/3] port priority 2
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10ge 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 10 20 30
[DeviceA-10GE1/0/4] quit

Step 3 Configure queue-based traffic shaping to limit the bandwidth of voice, video, and
data services.
# Configure queue-based traffic shaping on DeviceB. Set the CIR values of voice,
video, and data services to 3000 kbit/s, 5000 kbit/s, and 2000 kbit/s, respectively.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] qos queue 5 shaping cir 3000 kbps pir 5000 kbps
[DeviceB-10GE1/0/2] qos queue 3 shaping cir 5000 kbps pir 8000 kbps
[DeviceB-10GE1/0/2] qos queue 2 shaping cir 2000 kbps pir 3000 kbps
[DeviceB-10GE1/0/2] quit

----End

Verifying the Configuration


# Display statistics about queues in the outbound direction on 10GE 1/0/2.
[DeviceB] display qos queue statistics interface 10ge 1/0/2
Queue CIR/PIR Passed Pass Rate Dropped Drop Rate Drop Time
(% or kbps) (Packets/Bytes) (pps/bps) (Packets/Bytes) (pps/
bps)
----------------------------------------------------------------------------------------------
0 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
1 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
2 2000 54584 0 0 0 -
3000 5676736 0 0 0
----------------------------------------------------------------------------------------------
3 5000 49648 0 0 0 -
8000 5163392 0 0 0
----------------------------------------------------------------------------------------------
4 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
5 3000 49998 0 0 0 -
5000 5199792 0 0 0
----------------------------------------------------------------------------------------------
6 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
7 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 10 20 30
#
interface 10GE1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
interface 10GE1/0/2
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos queue 2 shaping cir 2000 kbps pir 3000 kbps
qos queue 3 shaping cir 5000 kbps pir 8000 kbps
qos queue 5 shaping cir 3000 kbps pir 5000 kbps
#
return

● DeviceA
#
sysname DeviceA
#
vlan batch 10 20 30
#
interface 10GE1/0/1
portswitch
port default vlan 10
port priority 5
#
interface 10GE1/0/2
portswitch
port default vlan 20
port priority 3
#
interface 10GE1/0/3
portswitch
port default vlan 30
port priority 2
#
interface 10GE1/0/4
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
return

3.1.14.5.2 Example for Configuring Traffic Shaping Based on Priority Mapping in a DiffServ Domain

Networking Requirements
In Figure 3-95, packets of voice, video, and data services from the user side
traverse DeviceA, DeviceB, and DeviceC to reach the external network.

Figure 3-95 Network diagram for configuring traffic shaping


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Packets of voice, video, and data services are identified by 802.1p priorities 6, 5,
and 2, respectively. The interface bandwidth is limited to 10000 kbit/s. However,
jitter may occur when packets from interface 2 on DeviceB reach DeviceC. To
reduce jitter and ensure the bandwidth for various services, the following
bandwidth requirements must be met:

Table 3-3 Bandwidth provided for each service on DeviceB

Service Type    CIR (kbit/s)    PIR (kbit/s)
Voice           3000            5000
Video           5000            8000
Data            2000            3000

Procedure
Step 1 On DeviceB, create a VLAN and configure interfaces so that users can access the
network through DeviceB.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10

# Add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 10 as trunk interfaces.


[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/2] quit

Step 2 Configure priority mapping.


# Create DiffServ domain ds1 and map 802.1p priorities 6, 5, and 2 to PHBs CS7,
EF, and AF2, respectively.
[DeviceB] diffserv domain ds1
[DeviceB-dsdomain-ds1] 8021p-inbound 6 phb cs7 //Map 802.1p priorities of different service packets to different PHBs to ensure that the service packets enter different queues.
[DeviceB-dsdomain-ds1] 8021p-inbound 5 phb ef
[DeviceB-dsdomain-ds1] 8021p-inbound 2 phb af2
[DeviceB-dsdomain-ds1] quit
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] trust upstream ds1
[DeviceB-10GE1/0/1] quit

Step 3 Configure traffic shaping on an interface.


# Configure traffic shaping on an interface of DeviceB to limit the rate of the
interface to 10000 kbit/s.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] qos lr cir 10000 outbound //Configure interface-based rate limiting in the outbound direction of the interface to limit the total bandwidth.

Step 4 Configure queue-based traffic shaping on an interface.


# Configure queue-based traffic shaping on an interface of DeviceB. Set the CIR
values of voice, video, and data service packets to 3000 kbit/s, 5000 kbit/s, and
2000 kbit/s, respectively, and their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000
kbit/s, respectively.
[DeviceB-10GE1/0/2] qos queue 7 shaping cir 3000 pir 5000 //Set the CIR value of voice packets entering queue 7 to 3000 kbit/s according to the default mappings between PHBs and local priorities.
[DeviceB-10GE1/0/2] qos queue 5 shaping cir 5000 pir 8000
[DeviceB-10GE1/0/2] qos queue 2 shaping cir 2000 pir 3000
[DeviceB-10GE1/0/2] quit

----End

Verifying the Configuration


# Check queue-based traffic statistics in the outbound direction of 10GE 1/0/2.
[DeviceB] display qos queue statistics interface 10ge 1/0/2
Queue CIR/PIR Passed Pass Rate Dropped Drop Rate Drop Time
(% or kbps) (Packets/Bytes) (pps/bps) (Packets/Bytes) (pps/
bps)
----------------------------------------------------------------------------------------------
0 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
1 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
2 2000 54584 0 0 0 -
3000 5676736 0 0 0
----------------------------------------------------------------------------------------------
3 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
4 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
5 5000 49648 0 0 0 -
8000 5163392 0 0 0
----------------------------------------------------------------------------------------------
6 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
7 3000 49998 0 0 0 -
5000 5199792 0 0 0
----------------------------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 10
#
diffserv domain ds1
8021p-inbound 6 phb cs7
8021p-inbound 5 phb ef
8021p-inbound 2 phb af2
#
interface 10GE1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 outbound
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 7 shaping cir 3000 pir 5000
#
return

3.1.14.5.3 Example for Configuring Traffic Shaping Based on Trusted 802.1p Priorities

Networking Requirements
In Figure 3-95, packets of voice, video, and data services from the user side
traverse DeviceA, DeviceB, and DeviceC to reach the external network.

Figure 3-96 Network diagram for configuring traffic shaping


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Packets of voice, video, and data services are identified by 802.1p priorities 6, 5,
and 2, respectively. The interface bandwidth is limited to 10000 kbit/s. However,
jitter may occur when packets from interface 2 on DeviceB reach DeviceC. To
reduce jitter and ensure the bandwidth for various services, the following
bandwidth requirements must be met:

Table 3-4 Bandwidth provided for each service on DeviceB

Service Type    CIR (kbit/s)    PIR (kbit/s)
Voice           3000            5000
Video           5000            8000
Data            2000            3000

Procedure
Step 1 On DeviceB, create a VLAN and configure interfaces so that users can access the
network through DeviceB.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10

# Add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 10 as trunk interfaces.


[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 10
[DeviceB-10GE1/0/2] quit

Step 2 Configure the packet priority trusted by an interface.


# Configure an interface to trust 802.1p priorities of packets.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] trust 8021p outer //Configure the interface to trust 802.1p priorities so that packets enter different queues based on the default mappings between 802.1p priorities, local priorities, and queues.
[DeviceB-10GE1/0/1] quit

Step 3 Configure traffic shaping on an interface.


# Configure traffic shaping on an interface of DeviceB to limit the rate of the
interface to 10000 kbit/s.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] qos lr cir 10000 outbound //Configure interface-based rate limiting in the outbound direction of the interface to limit the total bandwidth.

Step 4 Configure queue-based traffic shaping on an interface.


# Configure queue-based traffic shaping on an interface of DeviceB. Set the CIR
values of voice, video, and data service packets to 3000 kbit/s, 5000 kbit/s, and
2000 kbit/s, respectively, and their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000
kbit/s, respectively.
[DeviceB-10GE1/0/2] qos queue 6 shaping cir 3000 pir 5000 //Set the CIR value of voice packets entering queue 6 to 3000 kbit/s according to the default mappings between PHBs and local priorities.
[DeviceB-10GE1/0/2] qos queue 5 shaping cir 5000 pir 8000
[DeviceB-10GE1/0/2] qos queue 2 shaping cir 2000 pir 3000
[DeviceB-10GE1/0/2] quit

----End

Verifying the Configuration


# Check queue-based traffic statistics in the outbound direction of 10GE 1/0/2.
[DeviceB] display qos queue statistics interface 10ge 1/0/2
Queue CIR/PIR Passed Pass Rate Dropped Drop Rate Drop Time
(% or kbps) (Packets/Bytes) (pps/bps) (Packets/Bytes) (pps/
bps)
----------------------------------------------------------------------------------------------
0 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
1 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
2 2000 54584 0 0 0 -
3000 5676736 0 0 0
----------------------------------------------------------------------------------------------
3 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
4 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------
5 5000 49648 0 0 0 -
8000 5163392 0 0 0
----------------------------------------------------------------------------------------------
6 3000 49998 0 0 0 -
5000 5199792 0 0 0
----------------------------------------------------------------------------------------------
7 0 0 0 0 0 -
10000000 0 0 0 0
----------------------------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 10
#
interface 10GE1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10
trust 8021p outer
#
interface 10GE1/0/2
portswitch
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 outbound
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 6 shaping cir 3000 pir 5000
#
return
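Sections 3.1.14.5.2 and 3.1.14.5.3 above arrive at the same per-queue shaping on 10GE 1/0/2 through two different classification paths: DiffServ domain ds1 maps 802.1p 6, 5 and 2 to CS7, EF and AF2, which land in queues 7, 5 and 2, while trust 8021p outer sends the same values straight to queues 6, 5 and 2. A shaper placed on the wrong queue leaves a service unprotected without any error, so the following added Python audit (example code for this page, not Huawei's) parses the DeviceB configuration scripts shown above, embedded here as constructed strings, works out which egress queue each service's 802.1p value reaches, and checks that queue's CIR/PIR against Table 3-3/3-4 and the sum of queue CIRs against the qos lr limit. Beyond the three mappings the page confirms (CS7 to queue 7, EF to 5, AF2 to 2), the full PHB-to-queue and default 802.1p-to-PHB tables are assumed to be the standard defaults.

```python
"""Audit per-queue shaping against the ingress priority mapping (added example,
not Huawei's code).  Parses the subset of the DeviceB scripts on this page:
diffserv domain / 8021p-inbound, trust upstream, trust 8021p outer,
qos lr, and qos queue ... shaping."""
import re

# PHB -> local priority (queue index).  The page confirms cs7->7, ef->5 and
# af2->2; the remaining entries are the standard defaults (assumption).
PHB_TO_QUEUE = {"be": 0, "af1": 1, "af2": 2, "af3": 3, "af4": 4,
                "ef": 5, "cs6": 6, "cs7": 7}
# Default 802.1p -> PHB map of a DiffServ domain before any explicit
# 8021p-inbound override (standard default, assumption of this example).
DEFAULT_8021P_TO_PHB = {0: "be", 1: "af1", 2: "af2", 3: "af3",
                        4: "af4", 5: "ef", 6: "cs6", 7: "cs7"}

# Constructed copy of the DeviceB script from 3.1.14.5.2.
DS1_SCRIPT = """\
diffserv domain ds1
 8021p-inbound 6 phb cs7
 8021p-inbound 5 phb ef
 8021p-inbound 2 phb af2
#
interface 10GE1/0/1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10
 trust upstream ds1
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
 qos lr cir 10000 outbound
 qos queue 2 shaping cir 2000 pir 3000
 qos queue 5 shaping cir 5000 pir 8000
 qos queue 7 shaping cir 3000 pir 5000
#
return
"""
# The 3.1.14.5.3 variant: trust the outer 802.1p value and shape queue 6 instead
# of 7 (the unused ds1 domain is harmless, an interface trusting 8021p ignores it).
TRUST_8021P_SCRIPT = (DS1_SCRIPT.replace(" trust upstream ds1", " trust 8021p outer")
                      .replace("qos queue 7 shaping", "qos queue 6 shaping"))

# Table 3-3 / 3-4: service -> (802.1p value, CIR kbit/s, PIR kbit/s)
SERVICES = {"voice": (6, 3000, 5000), "video": (5, 5000, 8000), "data": (2, 2000, 3000)}


def parse_script(text: str) -> dict:
    """Return {'domains': {name: {pcp: phb}}, 'interfaces': {name: {trust, lr, queues}}}."""
    cfg = {"domains": {}, "interfaces": {}}
    ctx = None  # the domain or interface dict the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"diffserv domain (\S+)", line):
            ctx = cfg["domains"].setdefault(m[1], {})
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = cfg["interfaces"].setdefault(m[1], {"trust": None, "lr": None, "queues": {}})
        elif m := re.fullmatch(r"8021p-inbound (\d) phb (\S+)", line):
            ctx[int(m[1])] = m[2]
        elif m := re.fullmatch(r"trust upstream (\S+)", line):
            ctx["trust"] = ("domain", m[1])
        elif line == "trust 8021p outer":
            ctx["trust"] = ("8021p", None)
        elif m := re.fullmatch(r"qos lr cir (\d+) outbound", line):
            ctx["lr"] = int(m[1])
        elif m := re.fullmatch(r"qos queue (\d) shaping cir (\d+) pir (\d+)", line):
            ctx["queues"][int(m[1])] = (int(m[2]), int(m[3]))
        # other lines (sysname, vlan batch, port ..., '#', return) do not affect the audit
    return cfg


def queue_for_8021p(cfg: dict, ingress_if: str, pcp: int) -> int:
    """Egress queue that a frame with 802.1p `pcp` received on `ingress_if` is scheduled into."""
    mode, name = cfg["interfaces"][ingress_if]["trust"]
    if mode == "8021p":  # trust 8021p outer: 802.1p n -> local priority n -> queue n
        return pcp
    phb = {**DEFAULT_8021P_TO_PHB, **cfg["domains"][name]}[pcp]
    return PHB_TO_QUEUE[phb]


def audit_shaping(cfg: dict, ingress_if: str, egress_if: str, services: dict) -> list:
    """Return findings as strings; an empty list means shaping matches the bandwidth plan."""
    egress = cfg["interfaces"][egress_if]
    findings = []
    for svc, (pcp, cir, pir) in services.items():
        q = queue_for_8021p(cfg, ingress_if, pcp)
        shaped = egress["queues"].get(q)
        if shaped is None:
            findings.append(f"{svc}: 802.1p {pcp} lands in queue {q}, which has no shaper")
        elif shaped != (cir, pir):
            findings.append(f"{svc}: queue {q} shaped to cir/pir {shaped}, expected {(cir, pir)}")
    if egress["lr"] is not None:  # guaranteed rates must fit under the interface limit
        total_cir = sum(cir for cir, _ in egress["queues"].values())
        if total_cir > egress["lr"]:
            findings.append(f"sum of queue CIRs {total_cir} exceeds qos lr cir {egress['lr']}")
    return findings


if __name__ == "__main__":
    for label, script in (("ds1", DS1_SCRIPT), ("trust 8021p", TRUST_8021P_SCRIPT)):
        cfg = parse_script(script)
        print(label, audit_shaping(cfg, "10GE1/0/1", "10GE1/0/2", SERVICES) or "OK")
```

Both page scripts pass cleanly. Mixing the two, for instance keeping the ds1 mapping but shaping queue 6 as in 3.1.14.5.3, makes the audit report that voice traffic reaches queue 7 with no shaper; lowering qos lr below the 10000 kbit/s sum of CIRs makes it report the oversubscription. The PIR sum (16000 kbit/s) is allowed to exceed the interface limit, since PIR is only an upper bound on what a queue may borrow.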

3.1.14.5.4 Example for Configuring Traffic Policing to Limit the Rate of Each IP Address on a Network Segment

Networking Requirements
Users on an enterprise network send packets through DeviceA and DeviceB, and
access the external network through DeviceC. Users reside on two different
network segments. It is required that the rate of traffic from each IP address on
network segment 192.168.1.0/24 be limited to 64 kbit/s and the rate of traffic
from each IP address on network segment 192.168.2.0/24 be limited to 128
kbit/s.

Figure 3-97 Network diagram for configuring traffic policing


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Create VLANs and configure interfaces so that enterprise users can access the
network through DeviceB.
# Create VLANs 10 and 20 on DeviceB and add 10GE 1/0/1 to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10 20
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10 20
[DeviceB-10GE1/0/1] quit

# Configure VLANIF interfaces on DeviceB and configure IP addresses for them.


[DeviceB] interface vlanif 10
[DeviceB-Vlanif10] ip address 192.168.1.1 24
[DeviceB-Vlanif10] quit
[DeviceB] interface vlanif 20
[DeviceB-Vlanif20] ip address 192.168.2.1 24
[DeviceB-Vlanif20] quit

Step 2 Configure traffic classifiers.


# On DeviceB, create ACL rules to match packets from enterprise users, and create
traffic classifiers c1 and c2 to classify service flows from different enterprise users
based on their IP addresses.
[DeviceB] acl 2001
[DeviceB-acl4-basic-2001] rule permit source 192.168.1.0 0.0.0.255
[DeviceB-acl4-basic-2001] quit
[DeviceB] acl 2002
[DeviceB-acl4-basic-2002] rule permit source 192.168.2.0 0.0.0.255
[DeviceB-acl4-basic-2002] quit
[DeviceB] traffic classifier c1
[DeviceB-classifier-c1] if-match acl 2001
[DeviceB-classifier-c1] quit
[DeviceB] traffic classifier c2
[DeviceB-classifier-c2] if-match acl 2002
[DeviceB-classifier-c2] quit

Step 3 Configure traffic behaviors and define traffic policing.


# On DeviceB, create traffic behaviors b1 and b2 to perform traffic policing for
packets from different enterprise users.
[DeviceB] traffic behavior b1
[DeviceB-behavior-b1] car cir 64
[DeviceB-behavior-b1] quit
[DeviceB] traffic behavior b2
[DeviceB-behavior-b2] car cir 128
[DeviceB-behavior-b2] quit

Step 4 Configure a traffic policy and apply it to an inbound interface.

# On DeviceB, create traffic policy p1, bind traffic classifiers to traffic behaviors in
the traffic policy, and apply the traffic policy to the inbound direction of 10GE
1/0/1 to perform traffic policing for packets from two different network segments.
[DeviceB] traffic policy p1
[DeviceB-trafficpolicy-p1] classifier c1 behavior b1
[DeviceB-trafficpolicy-p1] classifier c2 behavior b2
[DeviceB-trafficpolicy-p1] quit
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] traffic-policy p1 inbound
[DeviceB-10GE1/0/1] quit

----End

Verifying the Configuration


After the preceding configurations are complete, check the traffic policing
configuration on DeviceB.

# Check the traffic classifier configuration.


[DeviceB] display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 2001

Classifier: c2
Type: OR
Rule(s):
if-match acl 2002

Total classifier number is 2

# Check the traffic policy configuration.


[DeviceB] display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Committed Access Rate:
CIR 64 (Kbps), PIR 64 (Kbps), CBS 10000 (Bytes), PBS 10000 (Bytes)
Color Mode: color blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard

Classifier: c2
Type: OR
Behavior: b2
Committed Access Rate:
CIR 128 (Kbps), PIR 128 (Kbps), CBS 10000 (Bytes), PBS 10000 (Bytes)
Color Mode: color blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 10 20
#
acl 2001
rule permit source 192.168.1.0 0.0.0.255
#
acl 2002
rule permit source 192.168.2.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 2001
#
traffic classifier c2 type or
if-match acl 2002
#
traffic behavior b1
car cir 64
#
traffic behavior b2
car cir 128
#
traffic policy p1
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface 10GE1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
return

3.1.14.5.5 Example for Configuring Traffic Policing to Limit the Rate on an Interface

Networking Requirements
In Figure 3-98, the host sends packets through DeviceA. It is required that the
bandwidth of the packets sent by the host should not exceed 100 Mbit/s.

Figure 3-98 Networking of interface-based rate limiting


NOTE

In this example, interface 1 represents 10GE 1/0/1.

Procedure
Step 1 Configure a CAR profile.
# On DeviceA, create a CAR profile named car1 to police traffic from the host.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] qos car car1 cir 100000

Step 2 Apply the CAR profile.


# On DeviceA, apply CAR profile car1 to the inbound direction of 10GE 1/0/1 to
police the traffic from the host.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] qos car inbound car1
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration


# Check the CAR profile configuration.
[DeviceA] display qos car car1
----------------------------------------------------------------
CAR Name : car1
CAR Index : 0
car cir 100000 kbps cbs 800000 bytes
Applied number on behavior : 0
Applied number on interface inbound : 1
10GE1/0/1
Applied number on Eth-Trunk inbound : 0
Applied number on interface outbound : 0
Applied number on Eth-Trunk outbound : 0

# Send packets to 10GE 1/0/1 at the rates of 60000 kbit/s and 110000 kbit/s,
respectively, and then run the display qos car statistics command to check the
traffic statistics. If the configuration is successful, all packets are successfully
forwarded when they are sent to 10GE 1/0/1 at 60000 kbit/s; however, some
packets are discarded when packets are sent to 10GE 1/0/1 at 110000 kbit/s.
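The verification step above expects every packet to pass at 60000 kbit/s and some to be discarded at 110000 kbit/s. The following added token-bucket model (example code written for this page, not Huawei's implementation) shows why, using the values the page reports for car1: CIR 100000 kbps and a CBS of 800000 bytes, with the colour-blind, discard-on-exceed behaviour shown in the traffic policy output in 3.1.14.5.4. The 1000-byte packet size and the one-second constant-rate streams are constructed inputs, and the model ignores the switch's internal metering granularity.

```python
"""Token-bucket model of a single-rate CAR profile (added example, not Huawei code).

A bucket holding at most CBS bytes is refilled at the CIR; a packet is
forwarded if enough tokens are present and discarded otherwise.  Exact
rational arithmetic keeps the packet counts deterministic.
"""
from fractions import Fraction


class SingleRateCar:
    """Single-bucket, colour-blind policer: pass if tokens >= size, else drop."""

    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.refill_bytes_per_s = Fraction(cir_kbps * 1000, 8)
        self.cbs = Fraction(cbs_bytes)
        self.tokens = Fraction(cbs_bytes)  # the bucket starts full
        self.last = Fraction(0)

    def offer(self, now: Fraction, size_bytes: int) -> bool:
        """Return True if the packet arriving at `now` (seconds) conforms to the CIR."""
        elapsed = now - self.last
        self.tokens = min(self.cbs, self.tokens + elapsed * self.refill_bytes_per_s)
        self.last = now
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def police_constant_stream(cir_kbps: int, cbs_bytes: int, offered_kbps: int,
                           seconds: int, pkt_bytes: int = 1000) -> dict:
    """Offer a constant-rate stream of fixed-size packets and count pass/drop."""
    car = SingleRateCar(cir_kbps, cbs_bytes)
    interval = Fraction(pkt_bytes * 8, offered_kbps * 1000)  # seconds between packets
    total = int(Fraction(seconds) / interval)
    passed = 0
    for i in range(total):
        if car.offer(i * interval, pkt_bytes):
            passed += 1
    return {"offered": total, "passed": passed, "dropped": total - passed}


# Values the page reports for car1 in 'display qos car car1'.
CIR_KBPS, CBS_BYTES = 100_000, 800_000


def page_verification() -> dict:
    """Replay the verification step: 60000 kbit/s, then 110000 kbit/s, for one second each."""
    return {rate: police_constant_stream(CIR_KBPS, CBS_BYTES, rate, seconds=1)
            for rate in (60_000, 110_000)}


if __name__ == "__main__":
    for rate, result in page_verification().items():
        print(f"offered {rate} kbit/s -> {result}")
```

At 60000 kbit/s the bucket refills faster than packets consume it, so the count of dropped packets stays at zero. At 110000 kbit/s the 800000-byte burst allowance absorbs the first 8790 packets, after which the policer settles into passing ten packets and discarding one, which is exactly the 100000/110000 ratio; the drop counters in display qos car statistics are what to watch for on the switch.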

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
qos car car1 cir 100000 kbps
#
interface 10GE1/0/1
qos car inbound car1
#
return

3.1.14.5.6 Example for Configuring MQC-based Traffic Policing (Level-1 CAR)

Networking Requirements
In Figure 3-99, packets sent by Host1, Host2, and Host3 traverse DeviceA,
DeviceB, and DeviceC to reach the external network. Interface 1 (connected to
Host1), interface 2 (connected to Host2), and interface 3 (connected to Host3)
join VLAN 10, VLAN 20, and VLAN 30, respectively.

Figure 3-99 Networking for configuring MQC to implement traffic policing


NOTE

In this example, interface 1, interface 2, interface 3, and interface 4 represent 10GE 1/0/1,
10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4, respectively.

The rates of traffic from tenants must be limited within proper ranges on DeviceB.
Table 3-5 lists the required CIR values for uplink traffic from tenants.

Table 3-5 CIR values for uplink traffic from tenants on DeviceB

Host     CIR (kbit/s)
Host1    2000
Host2    4000
Host3    8000

Procedure
Step 1 Create VLANs and configure interfaces so that hosts can access the network
through DeviceB.

# Create VLANs 10, 20, and 30 on DeviceA and add interfaces to the
corresponding VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10 20 30
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port default vlan 20
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] portswitch
[DeviceA-10GE1/0/3] port default vlan 30
[DeviceA-10GE1/0/3] quit
[DeviceA] interface 10ge 1/0/4
[DeviceA-10GE1/0/4] portswitch
[DeviceA-10GE1/0/4] port link-type trunk
[DeviceA-10GE1/0/4] port trunk allow-pass vlan 10 20 30
[DeviceA-10GE1/0/4] quit

# Create VLANs 10, 20, and 30 on DeviceB and add 10GE 1/0/1 to the VLANs.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 10 20 30
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 10 20 30
[DeviceB-10GE1/0/1] quit

# Configure VLANIF interfaces on DeviceB and configure IP addresses for them.


[DeviceB] interface vlanif 10
[DeviceB-Vlanif10] ip address 192.168.1.1 24
[DeviceB-Vlanif10] quit
[DeviceB] interface vlanif 20
[DeviceB-Vlanif20] ip address 192.168.2.1 24
[DeviceB-Vlanif20] quit
[DeviceB] interface vlanif 30
[DeviceB-Vlanif30] ip address 192.168.3.1 24
[DeviceB-Vlanif30] quit

Step 2 Configure traffic classifiers.

# On DeviceB, configure traffic classifiers c1, c2, and c3 to match service flows
from different hosts based on VLAN IDs.
[DeviceB] traffic classifier c1
[DeviceB-classifier-c1] if-match vlan 10
[DeviceB-classifier-c1] quit
[DeviceB] traffic classifier c2
[DeviceB-classifier-c2] if-match vlan 20
[DeviceB-classifier-c2] quit
[DeviceB] traffic classifier c3
[DeviceB-classifier-c3] if-match vlan 30
[DeviceB-classifier-c3] quit

Step 3 Configure traffic behaviors and define traffic policing.


# On DeviceB, create traffic behaviors b1, b2, and b3 to police packets from
different hosts.
[DeviceB] traffic behavior b1
[DeviceB-behavior-b1] car cir 2000
[DeviceB-behavior-b1] statistics enable
[DeviceB-behavior-b1] quit
[DeviceB] traffic behavior b2
[DeviceB-behavior-b2] car cir 4000
[DeviceB-behavior-b2] statistics enable
[DeviceB-behavior-b2] quit
[DeviceB] traffic behavior b3
[DeviceB-behavior-b3] car cir 8000
[DeviceB-behavior-b3] statistics enable
[DeviceB-behavior-b3] quit

Step 4 Configure a traffic policy and apply it to an inbound interface.


# On DeviceB, create traffic policy p1, bind configured traffic behaviors and traffic
classifiers to this traffic policy, and apply the traffic policy to the inbound direction
of 10GE 1/0/1 to police packets from hosts.
[DeviceB] traffic policy p1
[DeviceB-trafficpolicy-p1] classifier c1 behavior b1
[DeviceB-trafficpolicy-p1] classifier c2 behavior b2
[DeviceB-trafficpolicy-p1] classifier c3 behavior b3
[DeviceB-trafficpolicy-p1] quit
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] traffic-policy p1 inbound
[DeviceB-10GE1/0/1] quit

----End
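The car commands in Step 3 configure single-rate, color-blind policers: the verification output for policy p1 reports CIR equal to PIR, a CBS of 16000, 32000 and 64000 bytes for the three behaviors, and the exceed action discard. The following Python model is an added example, not code from the Huawei document; it reproduces that token-bucket behaviour per VLAN (classifier c1/c2/c3 to behavior b1/b2/b3) on a constructed packet trace and returns counters shaped like the display traffic-policy statistics output. It assumes the bucket starts full and that packet timestamps are in milliseconds; the function and constant names are this example's own.

```python
# Added example (not from the Huawei document): a colour-blind single-rate
# token-bucket policer that mirrors traffic behaviors b1/b2/b3 above.
# CIR values come from the configuration; the CBS values are the ones the
# "display traffic policy p1" output reports for those CIRs.

# Traffic policy p1: VLAN ID -> (CIR in kbps, CBS in bytes), as on the page.
POLICY_P1 = {
    10: (2000, 16000),   # classifier c1 / behavior b1
    20: (4000, 32000),   # classifier c2 / behavior b2
    30: (8000, 64000),   # classifier c3 / behavior b3
}


class TokenBucket:
    """Single token bucket: refilled at CIR, capped at CBS (bytes)."""

    def __init__(self, cir_kbps, cbs_bytes):
        # kbps -> bytes per millisecond: (cir * 1000 / 8) / 1000 = cir / 8
        self.rate_bytes_per_ms = cir_kbps / 8
        self.cbs = cbs_bytes
        self.tokens = cbs_bytes   # assumption: the bucket starts full
        self.last_ms = 0

    def conform(self, now_ms, size):
        """True (pass) if `size` bytes fit in the bucket, else False (discard)."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.cbs, self.tokens + elapsed * self.rate_bytes_per_ms)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False              # exceed action: discard (colour blind, PIR == CIR)


def police(packets, policy=POLICY_P1):
    """Apply the policy to (time_ms, vlan, size_bytes) packets.

    Returns per-VLAN counters shaped like the 'display traffic-policy statistics'
    output: matched / passed / dropped packets plus passed and dropped bytes.
    """
    buckets = {vlan: TokenBucket(*params) for vlan, params in policy.items()}
    stats = {vlan: {"matched": 0, "passed": 0, "dropped": 0,
                    "passed_bytes": 0, "dropped_bytes": 0} for vlan in policy}
    for t_ms, vlan, size in sorted(packets):
        if vlan not in buckets:
            continue              # no classifier matches: the policy does not count it
        s = stats[vlan]
        s["matched"] += 1
        if buckets[vlan].conform(t_ms, size):
            s["passed"] += 1
            s["passed_bytes"] += size
        else:
            s["dropped"] += 1
            s["dropped_bytes"] += size
    return stats


def sample_trace():
    """Constructed trace (not measured data) exercising burst and refill."""
    trace = [(0, 10, 1000)] * 20       # VLAN 10: 20 KB burst at t=0 against a 16 KB CBS
    trace += [(20, 10, 1000)] * 10     # 20 ms later: 20 ms * 250 B/ms = 5 KB refilled
    trace += [(200, 10, 500)] * 3      # 180 ms later: bucket is full again (capped at CBS)
    trace += [(0, 20, 1000)] * 40      # VLAN 20: 40 KB burst against a 32 KB CBS
    trace += [(0, 99, 1500)] * 5       # VLAN 99: matches no classifier
    return trace


if __name__ == "__main__":
    for vlan, s in police(sample_trace()).items():
        print(vlan, s)
```

On the constructed trace VLAN 10 passes 24 of 33 packets (16 from the initial burst, 5 after the 20 ms refill, 3 once the bucket is full again) and VLAN 20 passes 32 of 40; the Dropped counter on the switch is what grows when a host sends faster than its CIR.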

Verifying the Configuration

After the configuration is complete, check the traffic policing configuration on
DeviceB.
# Check the traffic classifier configuration.
[DeviceB] display traffic classifier
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match vlan 10

Classifier: c2
Type: OR
Rule(s):
if-match vlan 20

Classifier: c3
Type: OR
Rule(s):
if-match vlan 30

Total classifier number is 3

# Check the traffic policy configuration.
[DeviceB] display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Committed Access Rate:
CIR 2000 (Kbps), PIR 2000 (Kbps), CBS 16000 (Bytes), PBS16000 (Bytes)
Color Mode: color blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Statistics: enable

Classifier: c2
Type: OR
Behavior: b2
Committed Access Rate:
CIR 4000 (Kbps), PIR 4000 (Kbps), CBS 32000 (Bytes), PBS 32000 (Bytes)
Color Mode: color blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Statistics: enable

Classifier: c3
Type: OR
Behavior: b3
Committed Access Rate:
CIR 8000 (Kbps), PIR 8000 (Kbps), CBS 64000 (Bytes), PBS 64000 (Bytes)
Color Mode: color blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Statistics: enable

# Display statistics about the traffic policy applied to 10GE 1/0/1.
[DeviceB] display traffic-policy statistics interface 10ge 1/0/1 inbound
Traffic policy: p1, inbound
--------------------------------------------------------------------------------
Slot: 1
Item           Packets           Bytes           pps            bps
-------------------------------------------------------------------------------
Matched      363949175     46585494400       8460795     8663854896
Passed       363949175     46585494400       8460795     8663854896
Dropped              0               0             0              0
Filter               0               0             0              0
CAR                  0               0             0              0
-------------------------------------------------------------------------------

The preceding command output shows that the traffic policy p1 is applied to 10GE
1/0/1.

Configuration Scripts
● DeviceB
#
sysname DeviceB

#
vlan batch 10 20 30
#
traffic classifier c1 type or
if-match vlan 10
#
traffic classifier c2 type or
if-match vlan 20
#
traffic classifier c3 type or
if-match vlan 30
#
traffic behavior b1
statistics enable
car cir 2000 kbps
#
traffic behavior b2
statistics enable
car cir 4000 kbps
#
traffic behavior b3
statistics enable
car cir 8000 kbps
#
traffic policy p1
classifier c1 behavior b1 precedence 5
classifier c2 behavior b2 precedence 10
classifier c3 behavior b3 precedence 15
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface 10GE1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 30
traffic-policy p1 inbound
#
return
● DeviceA
#
sysname DeviceA
#
vlan batch 10 20 30
#
interface 10GE1/0/1
portswitch
port default vlan 10
#
interface 10GE1/0/2
portswitch
port default vlan 20
#
interface 10GE1/0/3
portswitch
port default vlan 30
#
interface 10GE1/0/4
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
return

3.1.14.6 Congestion Avoidance

3.1.14.6.1 Example for Configuring WRED

Networking Requirements
Host1 and Host2 provide voice, video, and data services, for which traffic is
transmitted through DeviceB and then DeviceA. To reduce the impact of network
congestion and guarantee high-priority, latency-sensitive services, set congestion
avoidance parameters according to Table 3-6.

Table 3-6 Congestion avoidance parameters

Service Type   Color    Lower Drop Threshold (%)   Upper Drop Threshold (%)   Drop Probability (%)   CoS
Voice          Green    80                         100                        10                     EF
Video          Yellow   60                         80                         20                     AF3
Data           Red      40                         60                         40                     AF1

Figure 3-100 Network diagram of congestion avoidance


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure VLANs for interfaces so that devices can communicate with each other
at the link layer.

# Configure 10GE 1/0/3 on DeviceB as a trunk interface. Add 10GE 1/0/1 to VLAN
100, 10GE 1/0/2 to VLAN 200, and 10GE 1/0/3 to VLAN 100 and VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 100 200
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] port default vlan 100
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] port default vlan 200
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] port link-type trunk
[DeviceB-10GE1/0/3] port trunk allow-pass vlan 100 200
[DeviceB-10GE1/0/3] quit

Step 2 Configure priority mapping to map 802.1p values in voice, data, and video packets
to different CoS values and colors.
# Create the DiffServ domain ds1, map 802.1p values 6, 5, and 2 to CoS values EF,
AF3, and AF1, respectively, and color packets green, yellow, and red.
[DeviceB] diffserv domain ds1
[DeviceB-dsdomain-ds1] 8021p-inbound 6 phb ef green
[DeviceB-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[DeviceB-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[DeviceB-dsdomain-ds1] quit

# Bind the DiffServ domain to the inbound interfaces 10GE 1/0/1 and 10GE 1/0/2
on DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] trust upstream ds1
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] trust upstream ds1
[DeviceB-10GE1/0/2] quit

Step 3 Configure a WRED drop profile to mitigate or eliminate congestion.

# Create WRED drop profile wred1 on DeviceB and set WRED parameters for
green, yellow, and red packets in this drop profile.
[DeviceB] drop-profile wred1
[DeviceB-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10
[DeviceB-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20
[DeviceB-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[DeviceB-drop-wred1] quit

# Apply the WRED drop profile wred1 to queues on the outbound interface of
DeviceB.
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] qos queue 5 wred wred1
[DeviceB-10GE1/0/3] qos queue 3 wred wred1
[DeviceB-10GE1/0/3] qos queue 1 wred wred1
[DeviceB-10GE1/0/3] quit

----End
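The drop profile in Step 3 gives each colour a lower threshold, an upper threshold and a maximum drop probability (Table 3-6). As an added example that is not part of the Huawei document, the following Python evaluates that profile: no drops below the lower threshold, a ramp up to the configured discard-percentage between the thresholds, and tail drop at the upper threshold. The linear ramp and the per-packet random decision are this model's assumptions; the switch's smoothing of the measured queue length is not modelled, and the names are this example's own.

```python
# Added example (not from the Huawei document): the drop curve described by
# drop-profile wred1, evaluated for a colour and a queue fill level, plus a
# seeded per-packet simulation of the resulting loss rate.
import random

# drop-profile wred1 as configured on DeviceB: colour -> (low %, high %, discard %)
WRED1 = {
    "green":  (80, 100, 10),
    "yellow": (60, 80, 20),
    "red":    (40, 60, 40),
}


def drop_probability(profile, color, fill_percent):
    """Probability (0..100) that a packet of `color` is dropped at `fill_percent`."""
    low, high, max_drop = profile[color]
    if fill_percent < low:
        return 0.0                          # below the lower threshold: never drop
    if fill_percent >= high:
        return 100.0                        # at or above the upper threshold: tail drop
    # assumption: linear ramp from 0 at `low` to max_drop at `high`
    return max_drop * (fill_percent - low) / (high - low)


def drop_table(profile, fills=(0, 40, 50, 60, 70, 80, 90, 100)):
    """Tabulate drop probabilities per colour over a set of fill levels."""
    return {color: [drop_probability(profile, color, f) for f in fills]
            for color in profile}


def drop_decision(profile, color, fill_percent, rng):
    """Per-packet WRED decision: True means the arriving packet is discarded."""
    return rng.random() * 100 < drop_probability(profile, color, fill_percent)


def simulate(profile, color, fill_percent, n=10000, seed=1):
    """Fraction of n constructed arrivals dropped at a fixed fill level (seeded)."""
    rng = random.Random(seed)
    return sum(drop_decision(profile, color, fill_percent, rng) for _ in range(n)) / n


if __name__ == "__main__":
    for color, row in drop_table(WRED1).items():
        print(f"{color:7s}", row)
```

The table makes the ordering visible: at a 50 % fill only red (data) packets are being dropped, at 70 % yellow (video) joins them, and green (voice) is untouched until the queue is 80 % full, which is how the profile protects the latency-sensitive service.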

Verifying the Configuration

# Check the configuration of the DiffServ domain ds1. You can see that 802.1p
values 6, 5, and 2 are mapped to CoS values EF, AF3, and AF1 and to colors green,
yellow, and red, respectively.

<DeviceB> display diffserv domain ds1
Diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af1 red
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
8021p-outbound be yellow map 0
8021p-outbound be red map 0
...

# Check the configuration of the WRED drop profile wred1. You can see WRED
parameter settings of green, yellow, and red packets in this profile.
<DeviceB> display drop-profile wred1
Drop-profile[1]: wred1
Color     Mode         Low-limit   High-limit   Unit   Discard(%)
-----------------------------------------------------------------
Green     Percentage   80          100          %      10
Yellow    Percentage   60          80           %      20
Red       Percentage   40          60           %      40
-----------------------------------------------------------------

# Check the configuration of 10GE 1/0/3. You can see the scheduling parameters
of queues with different CoS values.
<DeviceB> display qos configuration interface 10GE 1/0/3
interface 10GE1/0/3
--------------------------------------------------------------------------
trust flag : outer 8021p
diffserv domain : default
dei enable : disable
port priority :0
phb marking 8021p : enable
phb marking dscp : disable
phb marking exp : -
port wred :-
port lr : cir = -, cbs = -
port car inbound : -
port car outbound : -
schedule profile : -
--------------------------------------------------------------------------
queue   shaping                       schedule   wred
        cir           pir
        cbs           pbs
--------------------------------------------------------------------------
0       -             -               pq         -
        -             -

1       -             -               pq         wred1
        -             -

2       -             -               pq         -
        -             -

3       -             -               pq         wred1
        -             -

4       -             -               pq         -
        -             -

5       -             -               pq         wred1
        -             -

6       -             -               pq         -
        -             -

7       -             -               pq         -
        -             -

--------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
vlan batch 100 200
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
interface 10GE1/0/1
port default vlan 100
trust upstream ds1
#
interface 10GE1/0/2
port default vlan 200
trust upstream ds1
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
return

3.1.14.7 Congestion Management

3.1.14.7.1 Example for Configuring Congestion Management

Networking Requirements
Host1 and Host2 provide voice, video, and data services. Traffic from these
services is transmitted through DeviceB and then DeviceA. To reduce the impact of
network congestion and guarantee high-priority services that require low latency,
set congestion management parameters according to Table 3-7.

Table 3-7 Congestion management parameters

Service Type   Color    CoS   Scheduling Mode   Scheduling Weight
Voice          Green    EF    PQ                -
Video          Yellow   AF3   WDRR              100
Data           Red      AF1   WDRR              50

Figure 3-101 Network diagram of congestion management


NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure VLANs for each interface so that devices can communicate with each
other at the link layer.

# Configure 10GE1/0/3 on DeviceB as a trunk interface. Add 10GE 1/0/1 to VLAN
100, 10GE 1/0/2 to VLAN 200, and 10GE 1/0/3 to VLAN 100 and VLAN 200. The
portswitch command is supported only on the S6730-H-V2, S5755-H and S5732-
H-V2.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 100 200
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port default vlan 100
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port default vlan 200
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type trunk
[DeviceB-10GE1/0/3] port trunk allow-pass vlan 100 200
[DeviceB-10GE1/0/3] quit

Step 2 Configure priority mapping to map 802.1p values in voice, video, and data packets
to different CoS values and colors.
# Create DiffServ domain ds1, map 802.1p values 6, 5, and 2 to CoS values EF,
AF3, and AF1, respectively, and color the packets green, yellow, and red,
respectively.
[DeviceB] diffserv domain ds1
[DeviceB-dsdomain-ds1] 8021p-inbound 6 phb ef green
[DeviceB-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[DeviceB-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[DeviceB-dsdomain-ds1] quit

# Bind the DiffServ domain to the inbound interfaces 10GE 1/0/1 and 10GE 1/0/2
on DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] trust 8021p outer
[DeviceB-10GE1/0/1] trust upstream ds1
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] trust 8021p outer
[DeviceB-10GE1/0/2] trust upstream ds1
[DeviceB-10GE1/0/2] quit

Step 3 Configure congestion management. Set scheduling parameters such as the
scheduling mode and weight to implement differentiated scheduling for queues
with different priorities.
# Configure scheduling parameters for queues with different CoS values on the
outbound interface 10GE 1/0/3 of DeviceB.
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] qos pq 5 to 7 drr 0 to 4
[DeviceB-10GE1/0/3] qos queue 3 drr weight 100
[DeviceB-10GE1/0/3] qos queue 1 drr weight 50
[DeviceB-10GE1/0/3] quit
[DeviceB] quit

----End
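Step 3 puts queues 5 to 7 under strict priority scheduling and queues 0 to 4 under WDRR, with queue 3 weighted 100 and queue 1 weighted 50 (Table 3-7). The following Python is an added example, not code from the Huawei document: a small deficit-round-robin model of that scheduler on a constructed load, showing that a voice packet in queue 5 is always sent ahead of the WDRR queues and that video (queue 3) and data (queue 1) share the remaining bandwidth 2:1. The credit granted per weight unit and round is this model's assumption, not a switch parameter, and the class and function names are this example's own.

```python
# Added example (not from the Huawei document): a model of the scheduler that
# "qos pq 5 to 7 drr 0 to 4" plus the two "qos queue ... drr weight" commands
# configure on 10GE 1/0/3. Queues 5-7 are strict priority (highest queue
# first); queues 0-4 share what is left by deficit round robin with the
# configured weights.
from collections import deque

BYTES_PER_WEIGHT_UNIT = 10   # assumption: weight 100 -> 1000 bytes of credit per round


class PqWdrrScheduler:
    def __init__(self, pq_queues=(5, 6, 7), drr_queues=(0, 1, 2, 3, 4), weights=None):
        self.pq_queues = sorted(pq_queues, reverse=True)    # queue 7 beats 6 beats 5
        self.drr_queues = list(drr_queues)
        # unconfigured WDRR queues keep weight 1, as the display output shows
        self.weights = {q: 1 for q in drr_queues}
        self.weights.update(weights or {})
        self.queues = {q: deque() for q in (*pq_queues, *drr_queues)}
        self.deficit = {q: 0 for q in drr_queues}
        self._pos = 0            # index into drr_queues of the queue whose turn it is
        self._in_turn = False    # whether that queue has already received its credit

    def enqueue(self, queue, size_bytes):
        self.queues[queue].append(size_bytes)

    def _advance(self):
        self._pos = (self._pos + 1) % len(self.drr_queues)
        self._in_turn = False

    def dequeue(self):
        """Return (queue, size) of the next packet to transmit, or None if idle."""
        # 1. strict priority: a waiting packet in any PQ queue always goes first
        for q in self.pq_queues:
            if self.queues[q]:
                return q, self.queues[q].popleft()
        # 2. deficit round robin over the WDRR queues
        if not any(self.queues[q] for q in self.drr_queues):
            return None
        while True:
            q = self.drr_queues[self._pos]
            if not self.queues[q]:
                self.deficit[q] = 0          # an empty queue carries no credit forward
                self._advance()
                continue
            if not self._in_turn:
                self.deficit[q] += self.weights[q] * BYTES_PER_WEIGHT_UNIT
                self._in_turn = True
            head = self.queues[q][0]
            if head > self.deficit[q]:
                self._advance()              # not enough credit this round
                continue
            self.deficit[q] -= head
            self.queues[q].popleft()
            if not self.queues[q]:
                self.deficit[q] = 0
                self._advance()
            return q, head


def drain(sched):
    """Dequeue until idle; return the transmit order as a list of (queue, size)."""
    out = []
    while (pkt := sched.dequeue()) is not None:
        out.append(pkt)
    return out


def demo():
    """Constructed load: 3 voice packets (queue 5), 30 video (queue 3), 15 data (queue 1)."""
    s = PqWdrrScheduler(weights={3: 100, 1: 50})
    for _ in range(3):
        s.enqueue(5, 100)
    for _ in range(30):
        s.enqueue(3, 100)
    for _ in range(15):
        s.enqueue(1, 100)
    return drain(s)


def demo_preempt():
    """Show PQ preempting WDRR: a queue-5 packet arriving mid-round is sent next."""
    s = PqWdrrScheduler(weights={3: 100, 1: 50})
    for _ in range(4):
        s.enqueue(3, 100)
    first = s.dequeue()          # (3, 100): WDRR is in progress
    s.enqueue(5, 64)             # a voice packet arrives
    second = s.dequeue()         # (5, 64): strict priority wins
    return first, second


if __name__ == "__main__":
    print(demo())
    print(demo_preempt())
```

In demo() the three queue-5 packets leave first; every WDRR round then sends 5 data packets and 10 video packets, the 1:2 ratio the weights 50 and 100 define. The flip side, which the PQ configuration accepts on purpose, is that a saturated queue 5 starves queues 0 to 4 entirely, so the policing or shaping of what enters the EF queue matters.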

Verifying the Configuration

# Check the configuration of DiffServ domain ds1.
<DeviceB> display diffserv domain ds1
Diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af1 red
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
8021p-outbound be yellow map 0
8021p-outbound be red map 0
...

In the DiffServ domain, 802.1p values 6, 5, and 2 are mapped to CoS values EF,
AF3, and AF1, respectively, and packets are colored green, yellow, and red,
respectively.
# Check the configuration of 10GE 1/0/3. You can see the scheduling parameters
of queues with different CoS values.

<DeviceB> display qos configuration interface 10ge 1/0/3
interface 10GE1/0/3
--------------------------------------------------------------------------
trust flag :-
diffserv domain : default
dei enable :-
port priority :0
phb marking 8021p : disable
phb marking dscp : disable
phb marking exp : -
port wred :-
port lr : cir = -, cbs = -
port car inbound : -
port car outbound : -
schedule profile : -
--------------------------------------------------------------------------
queue   shaping                       schedule       wred
        cir           pir
        cbs           pbs
--------------------------------------------------------------------------
0       -             -               drr            -
        -             -               weight = 1

1       -             -               drr            -
        -             -               weight = 50

2       -             -               drr            -
        -             -               weight = 1

3       -             -               drr            -
        -             -               weight = 100

4       -             -               drr            -
        -             -               weight = 1

5       -             -               pq             -
        -             -

6       -             -               pq             -
        -             -

7       -             -               pq             -
        -             -

--------------------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 100 200
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
interface 10GE1/0/1
port default vlan 100
trust upstream ds1
#
interface 10GE1/0/2
port default vlan 200
trust upstream ds1
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
qos pq 5 to 7
qos queue 1 drr weight 50
qos queue 3 drr weight 100
#
return

3.1.14.7.2 Example for Configuring Congestion Avoidance and Congestion Management (PQ+WDRR Scheduling and WRED Profile)

Networking Requirements
DeviceB is connected to DeviceA through interface 1. The 802.1p priorities of
voice, video, and data service packets from the Internet are 6, 5, and 2,
respectively. Packets of these services can reach users through DeviceA and
DeviceB, as shown in Figure 3-102. Because the rate of the inbound interface
interface 1 on DeviceB is higher than the rates of outbound interfaces interface 2
and interface 3, congestion may occur on the two outbound interfaces.

To reduce the impact of network congestion and guarantee high-priority and
latency-sensitive services, set congestion avoidance and congestion management
parameters according to Table 3-8 and Table 3-9.

Table 3-8 Congestion avoidance parameter settings

Service Type   Color    Lower Threshold (%)   Upper Threshold (%)   Drop Probability
Voice          Green    80                    100                   10
Video          Yellow   60                    80                    20
Data           Red      40                    60                    40

Table 3-9 Congestion management parameter settings

Service Type   CoS Value   WDRR
Voice          EF          0
Video          AF3         100
Data           AF1         50

Figure 3-102 Network diagram for configuring congestion avoidance and
congestion management

NOTE

In this example, interface 1, interface 2, and interface 3 represent 10GE 1/0/1, 10GE 1/0/2,
and 10GE 1/0/3, respectively.

Procedure
Step 1 Configure VLANs for each interface so that devices can communicate with each
other at the link layer.

The portswitch command is supported only on the S6730-H-V2, S5755-H and
S5732-H-V2.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan batch 2 5 6
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] portswitch
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 2 5 6
[DeviceB-10GE1/0/1] quit
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] portswitch
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 2 5 6
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] portswitch
[DeviceB-10GE1/0/3] port link-type trunk
[DeviceB-10GE1/0/3] port trunk allow-pass vlan 2 5 6
[DeviceB-10GE1/0/3] quit

Step 2 Configure priority mapping to map 802.1p values in voice, video, and data packets
to different CoS values and colors.

# Create DiffServ domain ds1, map 802.1p values 6, 5, and 2 to CoS values EF,
AF3, and AF1, respectively, and color the packets green, yellow, and red,
respectively.
[DeviceB] diffserv domain ds1
[DeviceB-dsdomain-ds1] 8021p-inbound 6 phb ef green
[DeviceB-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[DeviceB-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[DeviceB-dsdomain-ds1] quit

# Bind the DiffServ domain to the inbound interface 10GE 1/0/1 of DeviceB.
[DeviceB] interface 10ge 1/0/1
[DeviceB-10GE1/0/1] trust 8021p inner
[DeviceB-10GE1/0/1] trust upstream ds1
[DeviceB-10GE1/0/1] quit

Step 3 Configure congestion avoidance.

# On DeviceB, create WRED drop profile wred1 and set parameters for green,
yellow, and red packets in the WRED drop profile.
[DeviceB] drop-profile wred1
[DeviceB-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10 //Configure the
WRED drop profile and set the upper and lower drop thresholds and maximum drop probability for green
packets.
[DeviceB-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20 //Configure the
device to discard packets with the maximum drop probability of 20% when the percentage of the yellow
packet length to the queue length reaches 60%. Configure the device to discard all newly arrived packets
when the percentage of the yellow packet length to the queue length reaches 80%.
[DeviceB-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[DeviceB-drop-wred1] quit

# Apply WRED drop profile wred1 to outbound interfaces 10GE 1/0/2 and 10GE
1/0/3 on DeviceB.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] qos queue 5 wred wred1
[DeviceB-10GE1/0/2] qos queue 3 wred wred1
[DeviceB-10GE1/0/2] qos queue 1 wred wred1
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] qos queue 5 wred wred1
[DeviceB-10GE1/0/3] qos queue 3 wred wred1
[DeviceB-10GE1/0/3] qos queue 1 wred wred1
[DeviceB-10GE1/0/3] quit

Step 4 Configure congestion management. Set scheduling parameters such as the
scheduling mode and weight to implement differentiated scheduling for queues
with different priorities.

# Set scheduling parameters for queues with different CoS values on outbound
interfaces 10GE 1/0/2 and 10GE 1/0/3 on DeviceB.
[DeviceB] interface 10ge 1/0/2
[DeviceB-10GE1/0/2] qos pq 5 to 7 drr 0 to 4 //Configure PQ scheduling for queues 5 to 7 and WDRR
scheduling for queues 0 to 4.
[DeviceB-10GE1/0/2] qos queue 3 drr weight 100 //Set the WDRR scheduling weight of queue 3 to 100.
[DeviceB-10GE1/0/2] qos queue 1 drr weight 50 //Set the WDRR scheduling weight of queue 1 to 50.
According to the preceding configurations, packets in queue 1 and queue 3 are scheduled based on the
ratio of 1:2.
[DeviceB-10GE1/0/2] quit
[DeviceB] interface 10ge 1/0/3
[DeviceB-10GE1/0/3] qos pq 5 to 7 drr 0 to 4 //Configure PQ scheduling for queues 5 to 7 and WDRR
scheduling for queues 0 to 4.
[DeviceB-10GE1/0/3] qos queue 3 drr weight 100
[DeviceB-10GE1/0/3] qos queue 1 drr weight 50
[DeviceB-10GE1/0/3] quit
[DeviceB] quit

----End

Verifying the Configuration

# Check the configuration of DiffServ domain ds1.
<DeviceB> display diffserv domain ds1
Diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af1 red
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
8021p-outbound be yellow map 0
8021p-outbound be red map 0
...

In the DiffServ domain, 802.1p values 6, 5, and 2 are mapped to CoS values EF,
AF3, and AF1, respectively, and packets are colored green, yellow, and red,
respectively.

# Check the WRED drop profile configuration.
[DeviceB] display drop-profile wred1
Drop-profile[7]: wred1
Color     Mode         Low-limit   High-limit   Unit   Discard(%)
-----------------------------------------------------------------
Green     Percentage   80          100          %      10
Yellow    Percentage   60          80           %      20
Red       Percentage   40          60           %      40
-----------------------------------------------------------------

Configuration Scripts
● DeviceB
#
sysname DeviceB
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface 10GE1/0/3
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
trust upstream ds1
trust 8021p inner
#
return

3.1.14.8 MPLS QoS

3.1.14.8.1 Example for Configuring MPLS QoS

Networking Requirements
Enterprises A and B use BGP/MPLS IP VPN to connect their headquarters and
branches. In Figure 3-103, CE1 and CE3 connect to the headquarters and branch
of enterprise A, and CE2 and CE4 connect to the headquarters and branch of
enterprise B. Enterprise A uses VPN vpna, and enterprise B uses VPN vpnb.
Enterprise A has a high service level and requires better QoS guarantee.

Figure 3-103 Network diagram of MPLS QoS


NOTE

In this example, interface1, interface2, and interface3 represent 1/0/1, 1/0/2, and 1/0/3,
respectively.

Configuration Roadmap
Configure MPLS QoS on PE1 and PE2, enable the pipe mode for VPNs vpna and
vpnb, and set the MPLS EXP values of VPNs vpna and vpnb to 4 and 3,
respectively, to provide better QoS guarantee for services of enterprise A.

Procedure
Step 1 Configure OSPF on the MPLS backbone network so that the PEs and P on the
backbone network can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] ip address 172.16.1.1 24
[PE1-10GE1/0/3] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] interface 10ge 1/0/1
[P-10GE1/0/1] ip address 172.16.1.2 24
[P-10GE1/0/1] quit
[P] interface 10ge 1/0/2
[P-10GE1/0/2] ip address 172.17.1.1 24
[P-10GE1/0/2] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] interface 10ge 1/0/3
[PE2-10GE1/0/3] ip address 172.17.1.2 24
[PE2-10GE1/0/3] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be
established between PE1, P, and PE2. Run the display ip routing-table command.
The command output shows that the PEs have learned the routes to each other's
Loopback1.
Step 2 Configure basic MPLS functions and MPLS LDP on the MPLS backbone network to
establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface 10ge 1/0/3
[PE1-10GE1/0/3] mpls
[PE1-10GE1/0/3] mpls ldp
[PE1-10GE1/0/3] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface 10ge 1/0/1
[P-10GE1/0/1] mpls
[P-10GE1/0/1] mpls ldp
[P-10GE1/0/1] quit
[P] interface 10ge 1/0/2
[P-10GE1/0/2] mpls
[P-10GE1/0/2] mpls ldp
[P-10GE1/0/2] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface 10ge 1/0/3
[PE2-10GE1/0/3] mpls
[PE2-10GE1/0/3] mpls ldp
[PE2-10GE1/0/3] quit

After the configuration is complete, LDP sessions can be established between PE1
and P and between P and PE2. Run the display mpls ldp session command. The
command output shows that the Status field displays Operational.
The following example uses the command output on PE1.
[PE1] display mpls ldp session
LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 3 Configure VPN instances on PEs and connect CEs to PEs.

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface 10ge 1/0/1
[PE1-10GE1/0/1] ip binding vpn-instance vpna
[PE1-10GE1/0/1] ip address 10.1.1.2 24
[PE1-10GE1/0/1] quit
[PE1] interface 10ge 1/0/2
[PE1-10GE1/0/2] ip binding vpn-instance vpnb
[PE1-10GE1/0/2] ip address 10.2.1.2 24
[PE1-10GE1/0/2] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface 10ge 1/0/1
[PE2-10GE1/0/1] ip binding vpn-instance vpna
[PE2-10GE1/0/1] ip address 10.3.1.2 24
[PE2-10GE1/0/1] quit
[PE2] interface 10ge 1/0/2
[PE2-10GE1/0/2] ip binding vpn-instance vpnb
[PE2-10GE1/0/2] ip address 10.4.1.2 24
[PE2-10GE1/0/2] quit

# Configure IP addresses for interfaces on CEs according to Figure 3-103. The
configuration procedure is not mentioned here.
After the configuration is complete, each PE can ping the connected CE
successfully.

NOTE

If multiple interfaces on a PE are bound to the same VPN, you need to specify the source IP
address when running the ping -vpn-instance command to ping the CE connected to the
remote PE. That is, you need to specify the -a source-ip-address parameter when running
the ping -vpn-instance vpn-instance-name -a source-ip-address command. Otherwise, the
ping may fail.

The following example uses the command output on PE1 to show that PE1 can
ping CE1.
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 4 Establish an MP-IBGP peer relationship between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer command on PEs.
The command output shows that a BGP peer relationship has been established
between PEs and is in Established state.
[PE1] display bgp peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 6 0 00:02:21 Established 0

Step 5 Establish EBGP peer relationships between PEs and CEs and import VPN routes.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1,
and are not mentioned here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

The configuration of PE2 is similar to that of PE1, and is not mentioned here.
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on PEs. The command output shows that BGP peer relationships have
been established between PEs and CEs and are in Established state.
The following example uses the command output on PE1 to show that a peer
relationship has been established between PE1 and CE1.
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65410 11 9 0 00:07:25 Established 1

Step 6 Configure a DiffServ mode.
# Configure PE1.
[PE1] mpls-qos ingress use vpn-label-exp
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] diffserv-mode pipe mpls-exp 4
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] diffserv-mode pipe mpls-exp 3
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit

# Configure PE2.
[PE2] mpls-qos ingress use vpn-label-exp
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] diffserv-mode pipe mpls-exp 4
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] diffserv-mode pipe mpls-exp 3
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit

----End

Configuration Scripts
● PE1
#
sysname PE1
#
mpls-qos ingress use vpn-label-exp
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
diffserv-mode pipe mpls-exp 4
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
diffserv-mode pipe mpls-exp 3
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface 10ge 1/0/1
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface 10ge 1/0/2
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface 10ge 1/0/3
ip address 172.16.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
#
return
● P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface 10ge 1/0/1
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface 10ge 1/0/2
ip address 172.17.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
● PE2
#
sysname PE2
#
mpls-qos ingress use vpn-label-exp
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
diffserv-mode pipe mpls-exp 4
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
diffserv-mode pipe mpls-exp 3
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface 10ge 1/0/1
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface 10ge 1/0/2
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface 10ge 1/0/3
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.17.1.0 0.0.0.255
#
return
● CE1 at the headquarters egress of enterprise A
#
sysname CE1
#
interface 10ge 1/0/1
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● CE2 at the headquarters egress of enterprise B
#
sysname CE2
#
interface 10ge 1/0/1
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

● CE3 at the branch egress of enterprise A
#
sysname CE3
#
interface 10ge 1/0/1
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

● CE4 at the branch egress of enterprise B
#
sysname CE4
#
vlan batch 50
#
interface 10ge 1/0/1
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
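
The route targets on the PEs decide which VRF a route can land in: if vpnb ever imported 111:1, enterprise B's VRF would receive enterprise A's prefixes. The following Python script is an added example, not Huawei code, that parses the PE configuration scripts above and checks route-target isolation between the VPN instances, RD uniqueness per PE, and agreement of route targets and DiffServ EXP between PE1 and PE2. The embedded scripts are constructed copies of the PE1 and PE2 VPN-instance blocks, and the leaking script is a constructed misconfiguration used to show the check firing.

```python
"""Audit PE VPN-instance configuration for route-target isolation.

Added example, not Huawei code: parses 'ip vpn-instance' blocks from the PE
scripts above and checks that vpna and vpnb cannot exchange routes through
overlapping route targets, that RDs are unique per PE, and that both PEs
agree on route targets and the DiffServ EXP value of each instance.
"""
from dataclasses import dataclass, field

# Constructed copies of the VPN-instance blocks of the PE1 and PE2 scripts.
PE1_SCRIPT = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
  diffserv-mode pipe mpls-exp 4
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
  diffserv-mode pipe mpls-exp 3
#
"""
PE2_SCRIPT = PE1_SCRIPT.replace("100:1", "200:1").replace("100:2", "200:2")
# Constructed misconfiguration: vpnb additionally imports vpna's route target.
LEAKY_SCRIPT = PE1_SCRIPT.replace("vpn-target 222:2 import-extcommunity",
                                  "vpn-target 222:2 111:1 import-extcommunity")

KIND_WORDS = ("both", "import-extcommunity", "export-extcommunity")


@dataclass
class VpnInstance:
    name: str
    rd: str = ""
    import_rt: set = field(default_factory=set)
    export_rt: set = field(default_factory=set)
    mpls_exp: int = -1          # -1 means no diffserv-mode line was seen


def parse_vpn_instances(script: str) -> dict:
    """Return {name: VpnInstance} for every 'ip vpn-instance' block in a script."""
    instances, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            current = VpnInstance(name=line.split()[2])
            instances[current.name] = current
        elif line == "#":
            current = None                    # '#' closes a block in VRP scripts
        elif current is None:
            continue
        elif line.startswith("route-distinguisher "):
            current.rd = line.split()[1]
        elif line.startswith("vpn-target "):
            # 'vpn-target <rt...> [both|import-extcommunity|export-extcommunity]';
            # without the keyword the CLI applies the targets in both directions.
            tokens = line.split()[1:]
            kind = tokens.pop() if tokens[-1] in KIND_WORDS else "both"
            if kind != "import-extcommunity":
                current.export_rt.update(tokens)
            if kind != "export-extcommunity":
                current.import_rt.update(tokens)
        elif line.startswith("diffserv-mode pipe mpls-exp "):
            current.mpls_exp = int(line.split()[-1])
    return instances


def audit_pe(instances: dict) -> list:
    """Findings for one PE: reused RDs and route targets shared between instances."""
    findings, seen_rd = [], {}
    for inst in instances.values():
        if inst.rd in seen_rd:
            findings.append(f"RD {inst.rd} reused by {seen_rd[inst.rd]} and {inst.name}")
        seen_rd[inst.rd] = inst.name
    names = sorted(instances)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for src, dst in ((a, b), (b, a)):
                shared = instances[src].export_rt & instances[dst].import_rt
                if shared:
                    findings.append(f"leak: {dst} imports RT {sorted(shared)} exported by {src}")
    return findings


def audit_pair(pe_a: dict, pe_b: dict) -> list:
    """Findings across two PEs: each instance needs matching RTs and the same EXP."""
    findings = []
    for name in sorted(set(pe_a) | set(pe_b)):
        if name not in pe_a or name not in pe_b:
            findings.append(f"{name} is configured on only one PE")
            continue
        a, b = pe_a[name], pe_b[name]
        if not (a.export_rt & b.import_rt and b.export_rt & a.import_rt):
            findings.append(f"{name}: no matching route target between PEs")
        if a.mpls_exp != b.mpls_exp:
            findings.append(f"{name}: mpls-exp differs ({a.mpls_exp} vs {b.mpls_exp})")
    return findings


if __name__ == "__main__":
    pe1, pe2 = parse_vpn_instances(PE1_SCRIPT), parse_vpn_instances(PE2_SCRIPT)
    print("PE1:", audit_pe(pe1) or "ok")
    print("PE1/PE2:", audit_pair(pe1, pe2) or "ok")
    print("leaky PE:", audit_pe(parse_vpn_instances(LEAKY_SCRIPT)))
```

Run against the real scripts, the audit reports nothing for PE1 and PE2; for the constructed leaky script it reports that vpnb imports the route target vpna exports, which is exactly the condition that would merge the two enterprises' routing tables.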

3.1.15 System Monitoring

3.1.15.1 Mirroring

3.1.15.1.1 Example for Configuring Local N:1 Port Mirroring

Networking Requirements
On the network shown in Figure 3-104, the marketing department, R&D
department, and administration department of an enterprise access the Internet
through DeviceA, and the Server acting as a monitoring device is directly
connected to DeviceA. Internet access traffic of the three departments needs to be
monitored through the Server.

Figure 3-104 Networking diagram of local port mirroring


NOTE

In this example, interfaces 1, 2, 3, 4, and 5 represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3,
10GE 1/0/4, and 10GE 1/0/5 respectively.

Procedure
Step 1 Configure 10GE1/0/4 on DeviceA as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port 1 interface 10ge 1/0/4

Step 2 On DeviceA, configure 10GE1/0/1, 10GE1/0/2, and 10GE1/0/3 as mirrored ports to
copy the received packets to the local observing port.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-mirroring observe-port 1 inbound
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port-mirroring observe-port 1 inbound
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] port-mirroring observe-port 1 inbound
[DeviceA-10GE1/0/3] quit

----End

Verifying the Configuration
# Check the mirroring configuration.
[DeviceA] display port-mirroring
Observe port mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObservePort : Interface
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1 : 10GE1/0/4
10GE1/0/2 Inbound 1 : 10GE1/0/4
10GE1/0/3 Inbound 1 : 10GE1/0/4
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port 1 interface 10GE1/0/4
#
interface 10GE1/0/1
port-mirroring observe-port 1 inbound
#
interface 10GE1/0/2
port-mirroring observe-port 1 inbound
#
interface 10GE1/0/3
port-mirroring observe-port 1 inbound
#
return

3.1.15.1.2 Example for Configuring Local 1:1 Port Mirroring

Networking Requirements
On the network shown in Figure 3-105, the administration department of an
enterprise accesses the Internet through DeviceA, and the Server acting as a
monitoring device is directly connected to DeviceA. Internet access traffic of the
administration department needs to be monitored through the Server.

Figure 3-105 Networking diagram of local port mirroring


NOTE

In this example, interfaces 1, 2, and 3 represent 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3,
respectively.

Procedure
Step 1 Configure 10GE1/0/2 on DeviceA as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port 1 interface 10ge 1/0/2

Step 2 On DeviceA, configure 10GE1/0/1 as a mirrored port to monitor the packets sent
by the administration department.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-mirroring observe-port 1 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration
# Check the mirroring configuration.
[DeviceA] display port-mirroring
Observe port mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObservePort : Interface
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1 : 10GE1/0/2
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port 1 interface 10GE1/0/2
#
interface 10GE1/0/1
port-mirroring observe-port 1 inbound
#
return

3.1.15.1.3 Example for Configuring Local 1:N Port Mirroring (Using an Observing Port)

Networking Requirements
On the network shown in Figure 3-106, hosts access the Internet through
DeviceA, which is directly connected to three monitoring devices: ServerA, ServerB,
and ServerC. Internet access traffic of the hosts needs to be mirrored to different
servers for monitoring and analysis purposes.

Figure 3-106 Networking diagram of local port mirroring


NOTE

In this example, interfaces 1, 2, 3, and 4 indicate 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, and
10GE 1/0/4, respectively.

Procedure
Step 1 Configure 10GE 1/0/2, 10GE 1/0/3, and 10GE 1/0/4 on DeviceA as observing ports.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port 1 interface 10ge 1/0/2
[DeviceA] observe-port 2 interface 10ge 1/0/3
[DeviceA] observe-port 3 interface 10ge 1/0/4

Step 2 Configure 10GE 1/0/1 on DeviceA as a mirrored port to copy incoming traffic to
observing ports 1, 2, and 3.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-mirroring observe-port 1 inbound
[DeviceA-10GE1/0/1] port-mirroring observe-port 2 inbound
[DeviceA-10GE1/0/1] port-mirroring observe-port 3 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration
# Check the observing port configuration.
[DeviceA] display observe-port
-----------------------------------------------------------------------------
Index : 1
Interface: 10GE1/0/2
-----------------------------------------------------------------------------
Index : 2
Interface: 10GE1/0/3
-----------------------------------------------------------------------------
Index : 3
Interface: 10GE1/0/4
-----------------------------------------------------------------------------

# Check the mirroring configuration.
[DeviceA] display port-mirroring
Observe port mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObservePort : Interface
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1 : 10GE1/0/2
Inbound 2 : 10GE1/0/3
Inbound 3 : 10GE1/0/4
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port 1 interface 10GE1/0/2
observe-port 2 interface 10GE1/0/3
observe-port 3 interface 10GE1/0/4
#
interface 10GE1/0/1
port-mirroring observe-port 1 inbound
port-mirroring observe-port 2 inbound
port-mirroring observe-port 3 inbound
#
return

3.1.15.1.4 Example for Configuring Local 1:N Port Mirroring (Using an Observing Port Group)

Networking Requirements
On the network shown in Figure 3-107, hosts access the Internet through
DeviceA, which is directly connected to three monitoring devices: ServerA, ServerB,
and ServerC. Internet access traffic of the hosts needs to be mirrored to different
servers for monitoring and analysis purposes.

Figure 3-107 Networking diagram of local port mirroring


NOTE

In this example, interfaces 1, 2, 3, and 4 indicate 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3, and
10GE 1/0/4, respectively.

Procedure
Step 1 Configure an observing port group on DeviceA and add 10GE 1/0/2, 10GE 1/0/3,
and 10GE 1/0/4 to the observing port group.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port group 1
[DeviceA-observe-port-group-1] group-member 10ge 1/0/2 to 10ge 1/0/4
[DeviceA-observe-port-group-1] quit

Step 2 Configure 10GE 1/0/1 on DeviceA as a mirrored port to copy incoming traffic to
observing port group 1.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-mirroring observe-port group 1 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration
# Check the configuration of the observing port group.
[DeviceA] display observe-port
GroupId MemberPorts
-----------------------------------------------------------------------------
1 10GE1/0/2 10GE1/0/3 10GE1/0/4
-----------------------------------------------------------------------------

# Check the mirroring configuration.
[DeviceA] display port-mirroring
Observe port group mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObserveGroup
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port group 1
group-member 10GE1/0/2
group-member 10GE1/0/3
group-member 10GE1/0/4
#
interface 10GE1/0/1
port-mirroring observe-port group 1 inbound
#
return

3.1.15.1.5 Example for Configuring Local M:N Port Mirroring

Networking Requirements
On the network shown in Figure 3-108, hosts access the Internet through
DeviceA, which is directly connected to monitoring devices ServerA and ServerB.
Internet access traffic of the hosts needs to be mirrored to ServerA and ServerB for
monitoring and analysis purposes.

Figure 3-108 Networking diagram of local port mirroring


NOTE

In this example, interfaces 1, 2, 3, 4, and 5 represent 10GE 1/0/1, 10GE 1/0/2, 10GE 1/0/3,
10GE 1/0/4, and 10GE 1/0/5 respectively.

Procedure
Step 1 Configure an observing port group on DeviceA, and add 10GE 1/0/4 and 10GE
1/0/5 to the observing port group.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port group 1
[DeviceA-observe-port-group-1] group-member 10ge 1/0/4 to 10ge 1/0/5
[DeviceA-observe-port-group-1] quit

Step 2 Configure 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3 on DeviceA as mirrored ports
to copy incoming traffic to observing port group 1.
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] port-mirroring observe-port group 1 inbound
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] port-mirroring observe-port group 1 inbound
[DeviceA-10GE1/0/2] quit
[DeviceA] interface 10ge 1/0/3
[DeviceA-10GE1/0/3] port-mirroring observe-port group 1 inbound
[DeviceA-10GE1/0/3] quit

----End

Verifying the Configuration
# Check the configuration of the observing port group.
[DeviceA] display observe-port
-----------------------------------------------------------------------------
Index : 1
Interface: 10GE1/0/1
-----------------------------------------------------------------------------
Index : 2
Interface: 10GE1/0/2
-----------------------------------------------------------------------------
GroupId MemberPorts
-----------------------------------------------------------------------------
1 10GE1/0/4 10GE1/0/5
-----------------------------------------------------------------------------

# Check the mirroring configuration.
[DeviceA] display port-mirroring
Observe port group mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObserveGroup
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1
10GE1/0/2 Inbound 1
10GE1/0/3 Inbound 1
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port group 1
group-member 10GE1/0/4
group-member 10GE1/0/5
#
interface 10GE1/0/1
port-mirroring observe-port group 1 inbound
#
interface 10GE1/0/2
port-mirroring observe-port group 1 inbound
#
interface 10GE1/0/3
port-mirroring observe-port group 1 inbound
#
return
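
A mirroring session copies traffic to whichever interface the observing port or observing port group points at, so after deploying the configurations in 3.1.15.1.1 to 3.1.15.1.5 it is worth checking periodically that every session still targets an approved monitoring port and that no additional port has been mirrored. The following Python script is an added example, not Huawei code: it parses the display observe-port and display port-mirroring outputs in the two table layouts shown above (ObservePort and ObserveGroup) and compares them with an allowlist. The sample outputs, the interface 10GE1/0/6 and the allowlists are constructed for the example.

```python
"""Audit a switch's port-mirroring sessions against the monitoring design.

Added example, not Huawei code. Parses 'display observe-port' and
'display port-mirroring' output (ObservePort and ObserveGroup layouts) and
flags sessions whose copies leave through an interface that is not an
approved monitoring port, or whose mirrored port is not expected.
"""
from collections import namedtuple

Session = namedtuple("Session", "mirrored_port direction kind target iface")

# Constructed: 10GE1/0/3 mirrors to two observing ports; 10GE1/0/1 and
# 10GE1/0/2 mirror to observing port group 1.
DISPLAY_PORT_MIRRORING = """\
Observe port mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObservePort : Interface
-----------------------------------------------------------------------------
10GE1/0/3 Inbound 1 : 10GE1/0/4
Inbound 2 : 10GE1/0/6
-----------------------------------------------------------------------------
Observe port group mirroring:
-----------------------------------------------------------------------------
MirroringPort Direction ObserveGroup
-----------------------------------------------------------------------------
10GE1/0/1 Inbound 1
10GE1/0/2 Inbound 1
-----------------------------------------------------------------------------
"""
DISPLAY_OBSERVE_PORT = """\
-----------------------------------------------------------------------------
Index : 1
Interface: 10GE1/0/4
-----------------------------------------------------------------------------
Index : 2
Interface: 10GE1/0/6
-----------------------------------------------------------------------------
GroupId MemberPorts
-----------------------------------------------------------------------------
1 10GE1/0/4 10GE1/0/5
-----------------------------------------------------------------------------
"""
# Constructed design intent: only the server-facing ports may receive copies.
ALLOWED_MONITORING_PORTS = {"10GE1/0/4", "10GE1/0/5"}
EXPECTED_MIRRORED_PORTS = {"10GE1/0/1", "10GE1/0/2", "10GE1/0/3"}


def parse_observe_ports(text):
    """Return ({index: interface}, {group id: [member interfaces]})."""
    ports, groups, index, in_groups = {}, {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Index"):
            index = int(line.split(":")[1])
        elif line.startswith("Interface") and index is not None:
            ports[index] = line.split(":")[1].strip()
            index = None
        elif line.startswith("GroupId"):
            in_groups = True
        elif in_groups and line and not line.startswith("-"):
            gid, *members = line.split()
            groups[int(gid)] = members
    return ports, groups


def parse_port_mirroring(text):
    """One Session per (mirrored port, target) row. A 1:N port prints one row per
    target; continuation rows omit MirroringPort, so the last port carries over."""
    sessions, section, current = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        tokens = line.split()
        if line == "Observe port mirroring:":
            section, current = "port", None
        elif line == "Observe port group mirroring:":
            section, current = "group", None
        elif line.endswith(":"):
            section = None          # VLAN and traffic mirroring sections are not handled here
        elif not tokens or tokens[0].startswith(("-", "MirroringPort")):
            continue
        elif section == "port" and len(tokens) in (4, 5):
            if len(tokens) == 5:
                current = tokens.pop(0)
            direction, index, _, iface = tokens
            sessions.append(Session(current, direction, "port", int(index), iface))
        elif section == "group" and len(tokens) in (2, 3):
            if len(tokens) == 3:
                current = tokens.pop(0)
            direction, gid = tokens
            sessions.append(Session(current, direction, "group", int(gid), None))
    return sessions


def resolve_destinations(sessions, ports, groups):
    """Expand each session to the interfaces that actually receive the copies."""
    return [(s.mirrored_port, s.direction,
             [ports.get(s.target, s.iface)] if s.kind == "port" else list(groups.get(s.target, [])))
            for s in sessions]


def audit_mirroring(resolved, allowed_destinations, expected_sources):
    """Flag copies leaving through unapproved ports and unexpected mirrored ports."""
    findings = []
    for port, direction, dests in resolved:
        if port not in expected_sources:
            findings.append(f"unexpected mirrored port {port} ({direction})")
        for dest in dests:
            if dest not in allowed_destinations:
                findings.append(f"{port} is copied to {dest}, which is not an approved monitoring port")
    return findings


if __name__ == "__main__":
    ports, groups = parse_observe_ports(DISPLAY_OBSERVE_PORT)
    resolved = resolve_destinations(parse_port_mirroring(DISPLAY_PORT_MIRRORING), ports, groups)
    print(audit_mirroring(resolved, ALLOWED_MONITORING_PORTS, EXPECTED_MIRRORED_PORTS))
```

The group layout is resolved through the display observe-port member list, so a session that points at an observing port group is checked member by member; in the constructed output the only finding is the second session of 10GE1/0/3, which copies traffic to 10GE1/0/6 rather than to a server-facing port.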

3.1.15.1.6 Example for Configuring MQC-based Local Flow Mirroring (1:1)

Networking Requirements
On the network shown in Figure 3-109, the R&D and marketing departments of
an enterprise use the 192.168.1.0/24 and 192.168.2.0/24 network segments
respectively to communicate with each other through DeviceA. The Server acting
as a monitoring device is directly connected to DeviceA. The traffic sent from the
R&D department to the marketing department needs to be monitored by the
Server.

Figure 3-109 Example for configuring MQC-based local flow mirroring


NOTE

In this example, interfaces 1, 2, and 3 represent 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3,
respectively.

Procedure
Step 1 Configure 10GE1/0/2 on DeviceA as an observing port.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] observe-port 1 interface 10ge 1/0/2

Step 2 On DeviceA, create traffic classifier c1 and configure a rule to match packets with
the source address 192.168.1.0/24 and destination address 192.168.2.0/24.
[DeviceA] acl number 3000
[DeviceA-acl4-advance-3000] rule permit ip source 192.168.1.0 24 destination 192.168.2.0 24
[DeviceA-acl4-advance-3000] quit
[DeviceA] traffic classifier c1
[DeviceA-classifier-c1] if-match acl 3000
[DeviceA-classifier-c1] quit

Step 3 On DeviceA, create traffic behavior b1 and configure the flow mirroring action.
[DeviceA] traffic behavior b1
[DeviceA-behavior-b1] mirroring observe-port 1
[DeviceA-behavior-b1] quit

Step 4 On DeviceA, create traffic policy p1 and bind the traffic classifier and traffic
behavior to the traffic policy. Apply the traffic policy to the inbound direction of
10GE1/0/1 to monitor the packets sent from the R&D department to the
marketing department.
[DeviceA] traffic policy p1
[DeviceA-trafficpolicy-p1] classifier c1 behavior b1
[DeviceA-trafficpolicy-p1] quit
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] traffic-policy p1 inbound
[DeviceA-10GE1/0/1] quit

----End

Verifying the Configuration
# Check the traffic classifier configuration.
[DeviceA] display traffic classifier c1
Traffic Classifier Information:
Classifier: c1
Type: OR
Rule(s):
if-match acl 3000

# Check the traffic policy configuration.
[DeviceA] display traffic policy p1
Traffic Policy Information:
Policy: p1
Classifier: c1
Type: OR
Behavior: b1
Mirroring observe-port 1

# Check the mirroring configuration.
[DeviceA] display port-mirroring
Traffic mirroring:
-----------------------------------------------------------------------------
TrafficBehavior ObservePort : Interface
-----------------------------------------------------------------------------
b1 1 : 10GE1/0/2
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
observe-port 1 interface 10GE1/0/2
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3000
#
traffic behavior b1
mirroring observe-port 1
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
interface 10GE1/0/1
traffic-policy p1 inbound
#
return
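
The traffic classifier hands a packet to behavior b1 only when ACL 3000 permits it, and the saved script stores the rule with wildcard masks (0.0.0.255) rather than the prefix lengths typed in Step 2. The following Python code is an added example, not Huawei code, that reproduces that matching so you can check which flows actually reach the Server: it handles both the typed and the saved rule forms, applies the wildcard semantics (a 1 bit in the wildcard means the bit is ignored, which also covers non-contiguous masks), and honours the fact that p1 is bound inbound on 10GE1/0/1 only. The sample flows and the first-match evaluation order are constructed assumptions for the example.

```python
"""Decide which flows the MQC flow-mirroring policy above would copy.

Added example, not Huawei code. Implements the matching of
'rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255'
from the script above, where the second value of each pair is a wildcard mask.
"""
import ipaddress
from dataclasses import dataclass

ANY = (0, 0xFFFFFFFF)      # address 0.0.0.0 with an all-ones wildcard matches everything
POLICY_PORT = "10GE1/0/1"  # traffic-policy p1 is applied inbound on this port only


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_int(token: str) -> int:
    """Accept a dotted wildcard mask (0.0.0.255), the CLI host form '0',
    or a prefix length 1-32 (24 becomes 0.0.0.255)."""
    if token.isdigit():
        n = int(token)
        return 0 if n == 0 else (1 << (32 - n)) - 1
    return ip_int(token)


def addr_hit(addr: int, base: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str        # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (addr_hit(ip_int(src_ip), self.src, self.src_wild)
                and addr_hit(ip_int(dst_ip), self.dst, self.dst_wild))


def parse_rule(line: str) -> AclRule:
    """Parse an IP rule in the typed form (no rule number) or the saved-script form."""
    t = line.split()
    if t[1].isdigit():
        rule_id, action, rest = int(t[1]), t[2], t[3:]
    else:
        rule_id, action, rest = 0, t[1], t[2:]
    if t[0] != "rule" or rest[:1] != ["ip"]:
        raise ValueError(f"unsupported rule: {line}")

    def pair(keyword):
        if keyword not in rest:
            return ANY                     # an omitted source/destination means any
        i = rest.index(keyword)
        if rest[i + 1] == "any":
            return ANY
        return ip_int(rest[i + 1]), wildcard_int(rest[i + 2])

    return AclRule(rule_id, action, *pair("source"), *pair("destination"))


# ACL 3000 as it appears in the configuration script above.
ACL_3000 = [parse_rule(
    "rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255")]


def would_mirror(ingress_port: str, src_ip: str, dst_ip: str, rules=ACL_3000) -> bool:
    """True if behavior b1 (mirroring to observe-port 1) applies to the packet.

    Assumption for this example: rules are tried in ascending rule-id order and
    the first matching rule decides; a matching deny rule excludes the packet.
    """
    if ingress_port != POLICY_PORT:
        return False
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(src_ip, dst_ip):
            return rule.action == "permit"
    return False


if __name__ == "__main__":
    # Constructed sample flows: (ingress port, source, destination)
    samples = [
        ("10GE1/0/1", "192.168.1.10", "192.168.2.20"),  # R&D -> marketing: mirrored
        ("10GE1/0/3", "192.168.2.20", "192.168.1.10"),  # reply traffic: not mirrored
        ("10GE1/0/1", "192.168.1.10", "203.0.113.5"),   # R&D -> Internet: not mirrored
    ]
    for port, src, dst in samples:
        print(port, src, "->", dst, "mirrored" if would_mirror(port, src, dst) else "not mirrored")
```

Note that the reply traffic from the marketing department is never copied: it arrives on a different port and does not match the source/destination pair in the rule, so monitoring both directions would need a second rule and a second policy binding.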

3.1.15.1.7 Example for Configuring Local VLAN Mirroring

Networking Requirements
On the network shown in Figure 3-110, HostA and HostB belong to VLAN 10 and
access the Internet through DeviceA, which is directly connected to the monitoring
device Server. Internet access traffic of hosts in VLAN 10 needs to be monitored on
the Server.

Figure 3-110 Networking diagram of local VLAN mirroring


NOTE

In this example, interfaces 1, 2, and 3 represent 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3,
respectively.

Procedure
Step 1 Create VLAN 10 on DeviceA, and add 10GE 1/0/1 and 10GE 1/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 10
[DeviceA] interface 10ge 1/0/1
[DeviceA-10GE1/0/1] portswitch
[DeviceA-10GE1/0/1] port link-type access
[DeviceA-10GE1/0/1] port default vlan 10
[DeviceA-10GE1/0/1] quit
[DeviceA] interface 10ge 1/0/2
[DeviceA-10GE1/0/2] portswitch
[DeviceA-10GE1/0/2] port link-type access
[DeviceA-10GE1/0/2] port default vlan 10
[DeviceA-10GE1/0/2] quit

Step 2 Configure 10GE 1/0/3 on DeviceA as an observing port.
[DeviceA] observe-port 1 interface 10ge 1/0/3

Step 3 Configure VLAN mirroring on DeviceA to copy packets received by interfaces in
VLAN 10 to the observing port.
[DeviceA] vlan 10
[DeviceA-vlan10] mirroring observe-port 1 inbound
[DeviceA-vlan10] quit

----End

Verifying the Configuration
# Check the mirroring configuration.
[DeviceA] display port-mirroring
VLAN mirroring:
-----------------------------------------------------------------------------
VLAN Direction ObservePort : Interface
-----------------------------------------------------------------------------
VLAN 10 Inbound 1 : 10GE1/0/3
-----------------------------------------------------------------------------

Configuration Scripts
DeviceA
#
sysname DeviceA
#
vlan batch 10
#
observe-port 1 interface 10GE1/0/3
#
vlan 10
mirroring observe-port 1 inbound
#
interface 10GE1/0/1
port default vlan 10
#
interface 10GE1/0/2
port default vlan 10
#
return

3.1.15.2 NetStream

3.1.15.2.1 Example for Configuring Original Flow Statistics Export

Networking Requirements
On the network shown in Figure 3-111, Host1 and Host2 communicate with
DeviceA through DeviceB. To support network planning, the network administrator
wants the NetStream server to collect statistics about the traffic transmitted
between the hosts and DeviceA.

Figure 3-111 NetStream networking diagram


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Configure IP addresses for interfaces on DeviceB according to Figure 3-111.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan 110
[DeviceB-vlan110] quit
[DeviceB] interface vlanif 110
[DeviceB-Vlanif110] ip address 10.1.1.1 24
[DeviceB-Vlanif110] quit
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk pvid vlan 110
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 110
[DeviceB-10GE1/0/1] quit
[DeviceB] vlan 120
[DeviceB-vlan120] quit
[DeviceB] interface vlanif 120
[DeviceB-Vlanif120] ip address 10.1.2.1 24
[DeviceB-Vlanif120] quit
[DeviceB] interface 10ge1/0/2
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk pvid vlan 120
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 120
[DeviceB-10GE1/0/2] quit

Step 2 Configure NetStream sampling.

# Configure NetStream sampling for the incoming and outgoing traffic on 10GE
1/0/1 and set the sampling rate to 8192.
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] netstream sampler ip random-packets 8192 inbound
[DeviceB-10GE1/0/1] netstream sampler ip random-packets 8192 outbound
[DeviceB-10GE1/0/1] quit

Step 3 Configure NetStream flow aging.

# Set the inactive flow aging time to 100 seconds, and enable FIN- and RST-based
aging.
[DeviceB] netstream timeout ip inactive 100
[DeviceB] netstream timeout ip tcp-session

Step 4 Configure NetStream original flow statistics export.

# Set the source IP address of the exported packets carrying original flow statistics
to 10.1.2.1, destination IP address to 10.1.2.2, destination port number to 6000,
and DSCP value to 0.
[DeviceB] netstream export ip source 10.1.2.1
[DeviceB] netstream export ip host 10.1.2.2 6000 dscp 0

Step 5 Configure the version of exported packets.

By default, the version of exported packets is V9.

Step 6 Enable original flow statistics collection on an interface.
# Enable original flow statistics collection for incoming and outgoing packets on
10GE 1/0/1.
[DeviceB] assign forward enp netstream enable
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] netstream outbound ip
[DeviceB-10GE1/0/1] netstream inbound ip
[DeviceB-10GE1/0/1] quit

Step 7 Verify the configuration.

# View flow statistics.
[DeviceB] display netstream statistics ip slot 1
Last time when statistics were cleared: -
-------------------------------------------------------------------------------
Packet Length : Number
-------------------------------------------------------------------------------
1 ~ 64 : 0
65 ~ 128 : 14
129 ~ 256 : 1
257 ~ 512 : 0
513 ~ 1024 : 0
1025 ~ 1500 : 0
longer than 1500 : 0
-------------------------------------------------------------------------------
StreamType
Current Aged Created Exported Exported
(streams) (streams) (streams) (streams) (Packets)
-------------------------------------------------------------------------------
origin
0 0 0 0 0
-------------------------------------------------------------------------------

----End

Configuration Scripts
DeviceB
#
sysname DeviceB
#
vlan batch 110 120
#
netstream timeout ip inactive 100
netstream timeout ip tcp-session
netstream export ip source 10.1.2.1
netstream export ip host 10.1.2.2 6000 dscp 0
assign forward enp netstream enable
#
interface Vlanif110
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif120
ip address 10.1.2.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 110
port trunk allow-pass vlan 110
netstream inbound ip
netstream outbound ip
netstream sampler ip random-packets 8192 inbound
netstream sampler ip random-packets 8192 outbound
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 120
port trunk allow-pass vlan 120
#
return

3.1.15.2.2 Example for Configuring Flexible Flow Statistics Export

Networking Requirements
On the network shown in Figure 3-112, Host1 and Host2 communicate with
DeviceA through DeviceB. To support network planning, the network administrator
wants the NetStream server to collect statistics about the traffic transmitted
between the hosts and DeviceA.

Figure 3-112 NetStream networking diagram


NOTE

In this example, interface 1 and interface 2 represent 10GE 1/0/1 and 10GE 1/0/2,
respectively.

Procedure
Step 1 Configure IP addresses for interfaces on DeviceB according to Figure 3-112.
<HUAWEI> system-view
[HUAWEI] sysname DeviceB
[DeviceB] vlan 110
[DeviceB-vlan110] quit
[DeviceB] interface vlanif 110
[DeviceB-Vlanif110] ip address 10.1.1.1 24
[DeviceB-Vlanif110] quit
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] port link-type trunk
[DeviceB-10GE1/0/1] port trunk pvid vlan 110
[DeviceB-10GE1/0/1] port trunk allow-pass vlan 110
[DeviceB-10GE1/0/1] quit
[DeviceB] vlan 120
[DeviceB-vlan120] quit
[DeviceB] interface vlanif 120
[DeviceB-Vlanif120] ip address 10.1.2.1 24
[DeviceB-Vlanif120] quit
[DeviceB] interface 10ge1/0/2
[DeviceB-10GE1/0/2] port link-type trunk
[DeviceB-10GE1/0/2] port trunk pvid vlan 120
[DeviceB-10GE1/0/2] port trunk allow-pass vlan 120
[DeviceB-10GE1/0/2] quit

Step 2 Configure a flexible flow statistics template.


# Create a flexible flow statistics template named record1 to aggregate flows
based on source and destination addresses, and configure the exported packets to
include the number of bytes and packets.
[DeviceB] netstream record record1 ip
[DeviceB-netstream-record-ipv4-record1] match ip destination-address
[DeviceB-netstream-record-ipv4-record1] match ip source-address
[DeviceB-netstream-record-ipv4-record1] collect counter bytes
[DeviceB-netstream-record-ipv4-record1] collect counter packets
[DeviceB-netstream-record-ipv4-record1] quit

Step 3 Configure NetStream sampling.


# Configure NetStream sampling for the incoming and outgoing traffic on 10GE
1/0/1 and set the sampling rate to 1024.
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] netstream sampler ip random-packets 1024 inbound
[DeviceB-10GE1/0/1] netstream sampler ip random-packets 1024 outbound
[DeviceB-10GE1/0/1] quit

Step 4 Configure NetStream flexible flow statistics export.


# Set the source IP address of the exported packets carrying flexible flow statistics
to 10.1.2.1, destination IP address to 10.1.2.2, destination port number to 6000,
and DSCP value to 0.
[DeviceB] netstream export ip source 10.1.2.1
[DeviceB] netstream export ip host 10.1.2.2 6000 dscp 0

Step 5 Enable flexible flow statistics collection on an interface.


# Enable flexible flow statistics collection for incoming and outgoing packets on
10GE 1/0/1, and apply the flexible flow statistics template to the interface.
[DeviceB] assign forward enp netstream enable
[DeviceB] interface 10ge1/0/1
[DeviceB-10GE1/0/1] netstream record record1 ip inbound
[DeviceB-10GE1/0/1] netstream record record1 ip outbound
[DeviceB-10GE1/0/1] netstream inbound ip
[DeviceB-10GE1/0/1] netstream outbound ip
[DeviceB-10GE1/0/1] quit

Step 6 Verify the configuration.


# View flow statistics.
[DeviceB] display netstream statistics ip slot 1
Last time when statistics were cleared: -
-------------------------------------------------------------------------------
Packet Length : Number
-------------------------------------------------------------------------------
1 ~ 64 : 15
65 ~ 128 : 14
129 ~ 256 : 1
257 ~ 512 : 0
513 ~ 1024 : 0
1025 ~ 1500 : 0
longer than 1500 : 0
-------------------------------------------------------------------------------
StreamType
Current Aged Created Exported Exported
(streams) (streams) (streams) (streams) (Packets)
-------------------------------------------------------------------------------
origin
0 0 0 0 0
-------------------------------------------------------------------------------
record1
2 2 4 2 2
-------------------------------------------------------------------------------

----End
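The collector side of Step 4, as an added example that is not from this document or from Huawei: a small Python decoder for an export packet carrying record1 (source address, destination address, byte and packet counters). It assumes DeviceB exports in the NetFlow V9 template/data layout (RFC 3954), since the page does not state the export version; the packet bytes below are constructed here.

```python
import struct
from ipaddress import IPv4Address
# NetFlow v9 field type IDs (RFC 3954) for the fields record1 matches and collects
FIELD_NAMES = {1: "bytes", 2: "packets", 8: "src", 12: "dst"}
SAMPLING_RATE = 1024  # 'netstream sampler ip random-packets 1024' on the page

def parse_v9(data):
    """Decode one export packet (20-byte header, then template/data FlowSets) into flow dicts."""
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9: raise ValueError("expected NetFlow v9, got version %d" % version)
    templates, records, off = {}, [], 20
    while off + 4 <= len(data):
        set_id, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4: break                  # malformed set length: stop rather than loop forever
        body = data[off + 4:off + length]
        if set_id == 0:                       # template FlowSet: learn record layouts
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif set_id >= 256:                   # data FlowSet: only decodable once its template is known
            fields = templates.get(set_id)
            if fields is None: raise ValueError("data FlowSet %d arrived before its template" % set_id)
            rec_len, p = sum(flen for _, flen in fields), 0
            while p + rec_len <= len(body):   # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, "field%d" % ftype)
                    rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                # sampled 1:1024, so each exported count stands for roughly 1024 real packets/bytes
                rec["est_packets"] = rec["packets"] * SAMPLING_RATE
                rec["est_bytes"] = rec["bytes"] * SAMPLING_RATE
                records.append(rec)
        off += length
    return records

def sample_export():
    """Constructed packet as DeviceB (10.1.2.1) would send to 10.1.2.2:6000: template 256 = record1, 2 records."""
    header = struct.pack("!HHIIII", 9, 3, 5000, 1700000000, 1, 0)
    tmpl = struct.pack("!HH", 256, 4) + struct.pack("!8H", 8, 4, 12, 4, 1, 4, 2, 4)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = (IPv4Address("10.1.1.10").packed + IPv4Address("10.1.2.20").packed + struct.pack("!II", 1500, 14)
            + IPv4Address("10.1.2.20").packed + IPv4Address("10.1.1.10").packed + struct.pack("!II", 640, 1))
    return header + tmpl_set + struct.pack("!HH", 256, 4 + len(recs)) + recs
```

Because the interface samples 1:1024, the exported counters are estimates and the decoder scales them back; a real collector must also cache templates per exporter and expect a data FlowSet to arrive before its template when UDP export packets are lost.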

Configuration Scripts
DeviceB
#
sysname DeviceB
#
vlan batch 110 120
#
netstream export ip source 10.1.2.1
netstream export ip host 10.1.2.2 6000 dscp 0
assign forward enp netstream enable
#
netstream record record1 ip
collect counter bytes
collect counter packets
match ip destination-address
match ip source-address
#
interface Vlanif110
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif120
ip address 10.1.2.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk pvid vlan 110
port trunk allow-pass vlan 110
netstream inbound ip
netstream outbound ip
netstream sampler ip random-packets 1024 inbound
netstream sampler ip random-packets 1024 outbound
netstream record record1 ip inbound
netstream record record1 ip outbound
#
interface 10GE1/0/2
port link-type trunk
port trunk pvid vlan 120
port trunk allow-pass vlan 120
#
return

3.1.15.3 IFIT

3.1.15.3.1 Example for Configuring IFIT Measurement Based on Whitelist Rules

Networking Requirements
On the network shown in Figure 3-113, users want to use the NMS to monitor
network traffic in real time to quickly detect abnormal traffic and locate faults.
You can configure IFIT measurement on devices so that the devices can
periodically send packet loss and delay measurement information to the NMS for
summary, analysis, and display.

Figure 3-113 Network diagram of IFIT measurement


NOTE

In this example, interface1 and interface2 represent 10GE1/0/1 and 10GE1/0/2, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure packet loss and delay measurement on the link between DeviceA
and DeviceC to periodically collect packet loss and delay measurement data.
– Enable IFIT measurement on DeviceA, define a measurement flow based
on the 5-tuple, bind a whitelist rule to the inbound interface of DeviceA,
and configure the color bit and measurement interval.
– Bind a whitelist rule to the outbound interface on DeviceA and interfaces
on DeviceB and DeviceC, and ensure that the color bit and measurement
interval configured on DeviceB and DeviceC are the same as those
configured on the inbound interface of DeviceA.
2. Configure the function of periodically reporting traffic measurement
information to iMaster NCE-CampusInsight through telemetry.

NOTE

Before performing IFIT measurement, ensure that:


● Static routes or dynamic routing protocols have been configured on the devices to
ensure network connectivity between the devices.
● NTP has been configured on the devices to implement clock synchronization between
the devices. For details, see NTP Configuration.
● The devices have been connected to the NMS.
Only IFIT-related configurations are listed here.

Procedure
1. Configure packet loss and delay measurement on the link between DeviceA
and DeviceC to periodically collect packet loss and delay measurement data.
# Configure IFIT measurement on devices. The following example describes
the configuration of DeviceA. The configurations of DeviceB and DeviceC are
similar to the configuration of DeviceA, excluding the measurement point
types and directions configured for native IP flow learning bound to different
device interfaces. For details, see Configuration Scripts.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] vlan batch 100 200
[DeviceA] interface 10GE 1/0/1
[DeviceA-10GE1/0/1] port link-type trunk
[DeviceA-10GE1/0/1] port trunk allow-pass vlan 100
[DeviceA-10GE1/0/1] quit
[DeviceA] interface vlanif 100
[DeviceA-Vlanif100] ip address 10.1.1.1 24
[DeviceA-Vlanif100] quit
[DeviceA] interface 10GE 1/0/2
[DeviceA-10GE1/0/2] port link-type trunk
[DeviceA-10GE1/0/2] port trunk allow-pass vlan 200
[DeviceA-10GE1/0/2] quit
[DeviceA] interface vlanif 200
[DeviceA-Vlanif200] ip address 10.1.2.1 24
[DeviceA-Vlanif200] quit
[DeviceA] ifit
[DeviceA-ifit] whitelist-group ntvifit mode native-ip
[DeviceA-ifit-whitelist-group-ntvifit] rule 1to100 ipv4 source 192.168.1.0 32 destination 192.168.100.0 32 protocol tcp source-port 2000 to 6000
[DeviceA-ifit-whitelist-group-ntvifit] quit
[DeviceA-ifit] flow-learning native-ip
[DeviceA-ifit-native-ip] color-flag tos-bit bit3
[DeviceA-ifit-native-ip] interval 10
[DeviceA-ifit-native-ip] flow-learning interface 10GE 1/0/1 rule 1to100 ingress bidirectional
[DeviceA-ifit-native-ip] flow-learning interface 10GE 1/0/2 rule 1to100 transit-output bidirectional
[DeviceA-ifit-native-ip] quit
[DeviceA-ifit] quit
2. Configure devices to periodically report traffic measurement information to
iMaster NCE-CampusInsight. The following example describes the
configuration of DeviceA. The configurations of DeviceB and DeviceC are
similar to the configuration of DeviceA.
[DeviceA] telemetry
[DeviceA-telemetry] destination-group ifit
[DeviceA-telemetry-destination-group-ifit] ipv4-address 10.10.10.10 port 10001 protocol grpc
[DeviceA-telemetry-destination-group-ifit] quit
[DeviceA-telemetry] sensor-group ifit
[DeviceA-telemetry-sensor-group-ifit] sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
[DeviceA-telemetry-sensor-group-ifit-path] quit
[DeviceA-telemetry-sensor-group-ifit] quit
[DeviceA-telemetry] subscription ifit
[DeviceA-telemetry-subscription-ifit] sensor-group ifit
[DeviceA-telemetry-subscription-ifit] destination-group ifit

NOTE

You are advised to configure devices to send data using the secure TLS encryption
mode. For details, see Telemetry Configuration.
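How the NMS turns the per-block counters reported by the three measurement points (ingress on DeviceA, transit on DeviceB, egress on DeviceC) into packet loss and delay figures, as an added Python model that is neither the devices' code nor iMaster NCE-CampusInsight's. It follows the alternate-marking principle IFIT builds on: the ingress flips a colour bit every measurement interval, and every point counts the whitelisted packets of each colour block. The rule fields, interval and point roles come from the page; the packets, timestamps and point names are constructed, and the colour bit's position in the ToS byte is not modelled.

```python
from collections import defaultdict
INTERVAL = 10   # seconds: 'interval 10' on the page; each interval is one colour block
# Whitelist rule 1to100 from the page: /32 source and destination, TCP, source port 2000..6000
RULE = {"src": "192.168.1.0", "dst": "192.168.100.0", "proto": "tcp", "sport": (2000, 6000)}
POINTS = ["DeviceA-ingress", "DeviceB-transit", "DeviceC-egress"]   # measurement points, path order
def matches_rule(pkt):
    """True when a (constructed) packet header belongs to the whitelisted flow."""
    lo, hi = RULE["sport"]
    return (pkt["src"] == RULE["src"] and pkt["dst"] == RULE["dst"]
            and pkt["proto"] == RULE["proto"] and lo <= pkt["sport"] <= hi)
def block_of(ts):
    """Block number: the ingress flips the colour bit each INTERVAL, so colour == block_of(ts) % 2."""
    return int(ts // INTERVAL)

def count_point(point, packets):
    """What one measurement point reports per block: packet count and first-seen timestamp."""
    counts, first = defaultdict(int), {}
    for pkt in packets:
        if not matches_rule(pkt):
            continue                       # traffic outside the whitelist is never counted
        b = block_of(pkt["ts"])
        counts[b] += 1
        first.setdefault(b, pkt["ts"])
    return {b: (point, counts[b], first[b]) for b in counts}

def loss_and_delay(reports):
    """NMS side: per block, hop-by-hop loss along POINTS and end-to-end one-way delay from
    first-packet timestamps (meaningful only because NTP keeps the device clocks aligned)."""
    by_block = defaultdict(dict)
    for rep in reports:
        for b, (point, n, ts) in rep.items():
            by_block[b][point] = (n, ts)
    result = {}
    for b, pts in by_block.items():
        if any(p not in pts for p in POINTS):
            continue                       # some point has not reported this block yet: hold it back
        loss = {a + "->" + c: pts[a][0] - pts[c][0] for a, c in zip(POINTS, POINTS[1:])}
        result[b] = {"loss": loss, "delay": round(pts[POINTS[-1]][1] - pts[POINTS[0]][1], 6)}
    return result

def sample_reports():
    """Constructed traffic: five flow packets plus one off-whitelist packet enter DeviceA in
    block 100; DeviceB sees all five 2 ms later, DeviceC only four of them 4 ms later."""
    flow = [{"src": "192.168.1.0", "dst": "192.168.100.0", "proto": "tcp", "sport": 2000 + i,
             "ts": 1000.0 + i} for i in range(5)]
    noise = [dict(flow[0], sport=7000)]    # source port outside 2000..6000: must be ignored
    shift = lambda pkts, d: [dict(p, ts=p["ts"] + d) for p in pkts]
    return [count_point(POINTS[0], flow + noise), count_point(POINTS[1], shift(flow, 0.002)),
            count_point(POINTS[2], shift(flow[:-1], 0.004))]
```

The model also shows why the roadmap requires identical interval and colour settings on all three devices and NTP on each: with a different interval the block numbers would not line up across points, and the delay is a plain difference of clock readings.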

Configuration Scripts
● DeviceA
#
sysname DeviceA
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ifit
whitelist-group ntvifit mode native-ip
rule 1to100 ipv4 source 192.168.1.0 32 destination 192.168.100.0 32 protocol tcp source-port 2000 to 6000
flow-learning native-ip
color-flag tos-bit bit3
interval 10
flow-learning interface 10GE1/0/1 rule 1to100 ingress bidirectional
flow-learning interface 10GE1/0/2 rule 1to100 transit-output bidirectional
#
telemetry
#
sensor-group ifit
sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
#
destination-group ifit
ipv4-address 10.10.10.10 port 10001 protocol grpc
#
subscription ifit
sensor-group ifit
destination-group ifit
#

● DeviceB
#
sysname DeviceB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.3.2 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ifit
whitelist-group ntvifit mode native-ip
rule 1to100 ipv4 source 192.168.1.0 32 destination 192.168.100.0 32 protocol tcp source-port 2000 to 6000
flow-learning native-ip
color-flag tos-bit bit3
interval 10
flow-learning interface 10GE1/0/2 rule 1to100 transit-input bidirectional
flow-learning interface 10GE1/0/1 rule 1to100 transit-output bidirectional
#
telemetry
#
sensor-group ifit
sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
#
destination-group ifit
ipv4-address 10.10.10.10 port 10001 protocol grpc
#
subscription ifit
sensor-group ifit
destination-group ifit
#
return

● DeviceC
#
sysname DeviceC
#
interface Vlanif100
ip address 10.1.3.3 255.255.255.0
#
interface Vlanif200
ip address 10.1.4.3 255.255.255.0
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ifit
whitelist-group ntvifit mode native-ip
rule 1to100 ipv4 source 192.168.1.0 32 destination 192.168.100.0 32 protocol tcp source-port 2000 to 6000
flow-learning native-ip
color-flag tos-bit bit3
interval 10
flow-learning interface 10GE1/0/1 rule 1to100 transit-input bidirectional
flow-learning interface 10GE1/0/2 rule 1to100 egress bidirectional
#
telemetry
#
sensor-group ifit
sensor-path huawei-ifit:ifit/huawei-ifit-statistics:flow-native-ip-statistics/flow-native-ip-statistic
#
destination-group ifit
ipv4-address 10.10.10.10 port 10001 protocol grpc
#
subscription ifit
sensor-group ifit
destination-group ifit
#
return
