Operating Huawei v3[1]

1

Huawei Introduction

Basis of VRP CLIBasis of VRP CLIJuly 2006

2

Contents

Introduction to the platform and SO IP address configuration Static routing Dynamic routing (Distance vector algorithms) Dynamic routing (Link state algorithms) Summarization and classless routing Redistribution Link protocols (hdlc & ppp frame-relay) Link protocols (frame-relay) Access lists NAT LAN switching VLAN switching

3

VRP Introduction

Versatile Routing Platform (VRP): Core: TCP/IP stack Integrated Technologies: Routing,

QoS, VPN, security, and VoIP Data Forwarding: IP TurboEngine

technology

4

VRP Functionality

Attribute Description

Network interconnectiv

ity

LAN protocolsEthernet_IIEthernet_SNAPVLANBridge

Link layer protocols

PPP, MPSLIPISDNPPPoEIPoAPPPoAPPPoEoAHDLCFrame RelayLAPBX.25ATM

VPN

L2TP VPNGRE VPNIPSec VPNMPLS VPN (L2/L3)DVPN

5

VRP Functionality (Continued)


Networkprotocols

IP services

ARPStatic domain name resolutionIP UNNUMBEREDDHCP RelayDHCP ServerDHCP Client

Non-IP servicesDLSwIPX

IP Routing

Static routing managementDynamic routing protocols• RIP-1/RIP-2• OSPF• BGP• IS-ISRouting policyPolicy routingMulticast routing protocols• IGMP• PIM-DM• PIM-SM• MBGP• MSDP

6



Networksecurity

Authentication,Authorization,

Accounting (AAA) services

RADIUSCHAP authenticationPAP authentication

Firewalls

Packet filter• Interface-based ACL• Period-based ACLFirewall• Packet filtering firewallASPF (status firewall)

Data securitySupport terminal access securityIPSec & IKE

NAT

Allow the LAN users to access external networks by using the IP addresses in the address poolSupport the operation of associating an ACL with an address poolSupport the operation of associating an ACL with an interfaceAllow the hosts on external networks to access the internal serverAllow configuring the valid time period that the address translation is supportedSupport multiple ALGs

7



MPLS

Basic MPLS functionsMPLS VPNMPLS QoSMPLS TE

Networkreliability

Backup centerVRRPInterface card/fan/power module hot swappable

QoS

Traffic policing Traffic Policing

Congestion management

FIFO, PQ, CQ, WFQ, CBW/LLQ, RTP

Congestion avoidance

WRED

Traffic shaping TS

Interface rate limit LR

FR QoS

MPLS QoS

Dialupnetwork

DCC configurationModem management configuration

8



Configurationmanagement

Command Line Interface

(CLI)

Make local configuration via ConsoleMake remote configuration via the AUX portMake local or remote configuration via Telnet or SSHConfigure hierarchical command protection to safeguard the router against the intrusion of unauthorized usersProvide detailed debugging information to help you make network troubleshootingProvide the network testing tools like tracert and ping commands to help you quickly diagnose whether the network is correctly runningDirectly log in by using the telnet command to manage other routersAdopt the FTP Server/Client model, which makes it possible to download and upload the configuration files and applications by making use of FTPSupport file uploading and downloading with TFTPSupport log functionProvide file system managementSupport user-interface configuration and provide multiple approaches in authentication and authorization of the login users

Support the standard SNMPV3, and be compatible with SNMP V2C, SNMP V1Support Network Time Protocol (NTP)

9

Setup via Console

Router

PC

Console Port

Console Cable

RS-232 Serial Port

10

Setup via Telnet

Ethernet

100BASE-TX

WorkstationRouter

Server Laptop PC

11

Command Views

Command lines are associated with command views: User view like in <Quidway> System view like in [Quidway]

Routing protocol views: OSPF, RIP, BGP, IS-IS…

Interface views: FE, GE, synchronous serial, cE1, E3, cT1, T3, ATM, POS, CPOS, virtual-template, virtual Ethernet, loopback, null, tunnel

User interface view L2TP group view Route mapping view

12

Command Line On-line Help

Enter “?” in any views and you will obtain all the commands in this view and their simple descriptions as well.

<Quidway> ?User view commands: cd Change current directory clock Specify the system clock……

[Quidway] ?System view commands: configure Enter configuration mode delete Erase the configuration file in flash or nvram reboot Reboot the router save Write running configuration to flash or nvram……

13


Enter a command and a “?” separated by a space. If "?" stands for a key word, all the keywords and their simple descriptions will be given.

<Quidway> display ? aaa AAA status and configuration information acl Acl status and configuration information……

14


Enter a command and a “?” separated by a space. If "?" stands for a parameter, descriptions of these parameters will be given.

[Quidway] interface ethernet ?<3-3> Slot number[Quidway] interface ethernet 3?/[Quidway] interface ethernet 3/?<0-0>[Quidway] interface ethernet 3/0?/[Quidway] interface ethernet 3/0/?<0-0>[Quidway] interface ethernet 3/0/0 ?<cr>

15


Enter a character string followed by a “?”. All the commands starting with this string will be displayed.<Quidway> d?

debugging delete dir display

Press <tab> after entering the first several letters of a keyword to display the complete keyword, given that these letters can uniquely identify the keyword in this command.

16

Error Information

Wrong Informantion Cause

Unrecognized command

No such command

No such parameter

Parameter type wrong

Invalid parameter value

Incomplete command Command incomplete

Too many parameters Too many parameters

Ambiguous commandThe string you input can’t indicate a

command uniquely

17

History Command

OperationOperation KeyKey ResultResult

Display the history commands

display history-command

Display the history commands that the user has entered

Access the last history command

Up-arrow key or <Ctrl+P>

Display the earlier history command, if there is any. Otherwise, the system will ring the alarm.

Access the next history command

Down-arrow key or <Ctrl+N>

Display the next history command, if there is any. Otherwise, the system will clear the commands and ring the alarm.

18

Entering/Exiting System View

Enter the system view from the user view system-view

Return to the user view from the system view quit

Return to the user view from any other view return

19

Command Levels

The system commands are divided into four levels: Visit: includes the commands of network diagnosis tools

such as ping, and the commands for visit to external devices, such as Telnet client

Monitor: Commands used for system maintenance and service fault diagnosis, including display and debugging commands

Config: Service configuration commands including routing commands and the commands at the network layer.

Manage: Commands essential to the system operations and the system support modules. They provide support to services that concerns file system, FTP, TFTP, XModem download, configuration file switch, power control, standby board control, user management, level setting, as well as the parameter setting within a system (the last case involves those non-protocol or non-RFC provisioned commands).

20

Visit Level

The commands in visit level:

Visit: includes the commands of network diagnosis tools such as ping and tracert, and the commands for visit to external devices, such as Telnet client, SSH client, and RLOGIN.

21

Monitor Level

The commands in monitor level:

Commands used for system maintenance and service fault diagnosis, including display and debugging commands.

22

Config Level The commands in config level:

Config: Service configuration commands including routing commands and the commands at the network layer.

23

Manage Level

The commands in manage level:

Manage: Commands essential to the system operations and the system support modules. They provide support to services that concerns file system, FTP, TFTP, XModem download, configuration file switch, power control, standby board control, user management, level setting, as well as the parameter setting within a system (the last case involves those non-protocol or non-RFC provisioned commands).

24

Huawei Introduction

Configuration BasicsConfiguration Basics

25

Basic Configuration Commands

Name devices[Quidway] sysname NE16-A

Erase the configuration saved in flash<Quidway> reset saved-configuration

Reset router <Quidway> reboot

Write the description of a interface[Quidway-Ethernet1/0/0] description NE ethernet

interface Configure the IP address of a interface

[Quidway-Atm1/0/0] ip address 129.102.0.1 255.255.255.0

26

Configuring System Clock Set standard time

clock datetime HH:MM:SS YYYY/MM/DD

Set time zoneclock timezone time-zone-name { add | minus }

offset

Remove time zone settingundo clock timezone

Import summer-time schemeclock summer-time summer-time-zone-name { one-

off | repeating } start-time end-time add-time

Cancel summer-time schemeundo clock summer-time

27

Popular Display Command

Operation CommandDisplay system

versiondisplay version [ slot-id ]

Display system clock

display clock

Display terminal user

display users [ all ]

Display original configuration

display saved-configuration

Display current configuration

display current-configuration

Display the state of debugging switch

display debugging [ interface { interface-type interface-number | interface-name } ] [ module-name ]

…… ……

28

Display filters

A lot of display commands are available for showing system status information. When outputting information, you can add "|" in the command to filter information. Three options are available: begin text: to display information starting

from the line with "text" exclude text: to display information of the

lines with no "text" include text: to display information of the

lines with "text"For example, if you enter the

display current-configuration | include ip command,

the configuration information of the line with "ip" are displayed.

29

Console – first steps<Quidway>display users UI Delay Type Ipaddress Username Userlevel+ 0 CON 0 00:00:00 3<Quidway>display clock03:13:49 UTC Fri 09/30/2005<Quidway>display cpu-usage info-===== Current CPU usage info =====center configuratione CreaCPU Usage Stat. Cycle: 28 (Second) CPU Usage : 8% CPU Usage Stat. Time : 2005-09-30 03:16:03 Enter interface command modesplay CPU Usage Stat. Tick : 0x4(CPU Tick High) 0x5336e964(CPU Tick Low)

Actual Stat. Cycle : 0x0(CPU Tick High) 0x29ca1bc3(CPU Tick Low)

dlsw

TaskName CPU Runtime(CPU Tick High/CPU Tick Low) ipsec Specify IPSec configure informationd

VIDL 92% 0/26989bc6 INFO 0% 0/ 3398ROUT 0% 0/ cc1bfSOCK 0% 0/ e7926VTYD 0% 0/ 9d294IPSP 0% 0/ 4162 IKE 0% 0/ 38d8 TAC 0% 0/ c2a29 SC 0% 0/ a0ba1…

30

Display version<Quidway>display version Copyright Notice: All rights reserved (Dec 10 2004). Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed. Huawei-3Com Versatile Routing Platform Software VRP(R) software, Version 3.40, Release 0006 Copyright (c) 2003-2004 Hangzhou Huawei-3Com Tech. Co.,Ltd. All rights

reserved. Copyright (c) 2000-2003 Huawei Tech. Co.,Ltd. All rights reserved. Quidway AR28-09 uptime is 0 week, 0 day, 0 hour, 5 minutes

CPU type: PowerPC 8241 200MHz 128M bytes SDRAM Memory 32M bytes Flash Memory Pcb Version:1.0 Logic Version:1.0 BootROM Version:9.07 [SLOT 0] AUX (Hardware)1.0, (Driver)1.0, (Cpld)1.0 [SLOT 0] 1FE (Hardware)2.0, (Driver)2.0, (Cpld)0.0 [SLOT 0] WAN (Hardware)1.0, (Driver)1.0, (Cpld)1.0<Quidway>

31

Configuring a Banner

A banner shows information displayed at login, login authentication, or configuration.

Operation Command

Configure the banner to be displayed at login.

header incoming incoming-text

Configure the banner to be displayed at login authentication.

header login login-text

Configure the banner to be displayed when a user enters user view.

header shell shell-text

Cancel the banner setting.undo header { incoming | login | shell }

32

Configuring Password for

User Level Switching

You may set user level switching passwords. After that, a user that logs onto the router with a lower user level is required to provide the password before operating on higher level commands.

Operation Command

Configure a user level switching password.

super password [ level user-level ] { simple | cipher } password

Delete the configured password

undo super password [ level user-level ]

To switch the user level use: super [level ]

33

Configuring Command Levels

All the commands are administratively assigned to different views and categorized into four levels: visit, monitor, system, and manage, identified respectively by 0 through 3.

Operation Command

Assign a level to the commands in the specified view.

command-privilege level level view view command-key

Restore the default. undo command-privilege view view command-key

34

User Interface - console Configure the access to the console with a

password:<Quidway>system-view[Quidway] user-interface console 0[Quidway-ui-con0] authentication-mode password[Quidway-ui-con0] set authentication password simple

impsat[Quidway-ui-con0] user priviledge level 1[Quidway-ui-con0] return<Quidway> quitUser interface Con 0 is available.

Press ENTER to get started.password:%Sep 30 03:07:48:621 2005 Quidway SHELL/5/LOGIN:

Console login from con0User privilege changes to 1 level, just equal or less this

level's commands can be used.Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE<Quidway>

35

Privilege level passwords

Configure the priviledge level passwords :[Quidway] super password level 1 simple pass1[Quidway] super password level 2 simple pass2[Quidway] super password level 3 simple pass3

So when a user wishes to change level:<Quidway> super 1Password:User privilege changes to 1 level, just equal or less

this level's commands can be used.Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-

MANAGE<Quidway>

36

Contents and format of the configuration file

The configuration file is a text file in the following format:

Saved in a format of commands. Only non-default parameters are saved for space

economy. Command mode is the basic frame for organizing

these commands. All commands of the same command mode are grouped into a section and blank lines or comment lines (which begin with “#”), are used to separate these sections. Blank lines or comment lines can be one line or multiple lines.

In general, these sections are arranged in the sequence of global configuration, physical interface configuration, logical interface configuration, and routing protocol configuration.

37

Displaying the router configuration

Operation Command

Display the initial configurations of the router

display saved-configuration

Display the configuration files saved in the system for boot.

display startup

Display the configurations in the current view.

display this

Display the current configurations of the router.

display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ isp | post-system | radius-template | system | user-interface| ] ] [ | [ begin | include | exclude ] string ]

38

Saving the current configuration

The user can modify the current configuration of the router through the command line interface. In order to make the current configuration as the startup configuration of the router at the next power-on, the save command is required to save the current configuration into the default storage device.

Operation Command

Save the current configuration save [ file-name ] [ safely ]

Executing this command without the safely keyword can make the speed of saving configuration files fast, but these files cannot survive a reboot or power-off during the saving process; executing this command with the safely keyword, however, makes the saving speed slower, but these files can survive a reboot or power-off during the saving process. By default, fast saving applies.

39

Erasing the configuration file

Using the reset saved-configuration command, you can erase the configuration file in the current storage device of the router. After the configuration file is erased, default configuration parameters will be used for the initialization at the next power-on of the router.

Operation Command

Erase the configuration file in the storage devices

reset saved-configuration

40

Setting the configuration file

Using the startup saved-configuration command, you can set the file to be used at the next boot

Operation Command

Set the configuration file to be used at the next boot.

startup saved-configuration filename

41

Huawei Introduction

User Interface ConfigurationUser Interface Configuration

42

User Interface

User interface (con, vty) view is a new feature provided by the system. Like interface view managing interfaces, the main purpose of this kind of view is the management of asynchronous interfaces working in the flow mode. The emergence of this kind of view allows the user to configure the login parameters of various users in a similar way, for these different kinds of interfaces are usually used for system configuration management.

43

User Interfaces

There are four types of user interfaces commensurate with these configuration modes. They are:

Console port (CON)Console port is a kind of line device port. On a router, a Console port of EIA/TIA-232 DCE type is provided for users to make configuration.

AUX port (AUX)AUX port is also a kind of line device port. On a router, an AUX port of EIA/TIA-232 DTE type is provided for the dialup access via modem.

Asynchronous serial port (TTY)TTY user interface is used if a user logs in the router via an asynchronous serial port or synchronous/asynchronous serial port (working in asynchronous mode)

Virtual line (VTY)Virtual port is a logical terminal line that is used for Telnet access to the router and is generally known as VTY (Virtual Type line).

44

User Interface

Perform the following tasks to configure a user interface: Enter user interface view Configure the protocol supported by the

current user interface Configure the attributes of asynchronous

interface Configure terminal attributes Configure user management Set modem attributes Set the redirection function Configure incoming and outgoing call

restriction on VTY user interface

45

Example: VTY access

How to disable telnet access. Note that no access-lists are required to close the interface:

[Quidway] user-interface vty 0 4[Quidway-ui-vty0-4] undo shell

Following will be displayed after the access of a Telnet terminal.

% connection refused by remote host!

Particular filtering can be done through acl: [Quidway-ui-vty0-4] acl acl-number { inbound |

outbound }

46

Displaying…

Displaying the information of users on all user interfaces

Displaying the physical attributes and some configurations on a user interface

Operation Command

Display the use information on all the user interfaces

display users [ all ]

Operation Command

Display the physical attributes and some configurations on a user interface

display user-interface [ type-name number ] [ number ]

47

User Priority

Similar to the priority of commands, the user priority is divided into Visit, Monitor, System and Manage, with the priority identifier from 0 to 3.

User Priority

Name Command

0 Visit Ping, tracert, telnet

1 Monitor ping, tracert, telnet, display, debugging

2 SystemAll configuration commands (except the Manage command) and the commands with the priority level 0 and 1.

3 ManageAll commands (includes file system, FTP and TFTP commands)

48

Configuring User Authentication Mode

How to enable the use of passwords:

[Quidway] authentication-mode password

How to set the password:[Quidway] set authentication password

{ cipher | simple } password

49

Performing Password Authentication

The user need enter the password huawei when logging on the system from the VTY 0 by password authentication. The user priority is 3. The operation commands are shown as follows:<Quidway> system-view[Quidway] user-interface vty 0[Quidway-ui-vty0] authentication-mode password[Quidway-ui-vty0] set authentication password

simple huawei[Quidway-ui-vty0] user privilege level 3

50

Huawei Introduction

Interface ConfigurationInterface Configuration

51

Configuring an interface

[Quidway] interface serial 0[Quidway-Serial0] ?

Bandwidth bandwidth information parameterBaudrate Set transmite and receive baudrateLink-protocol Set encapsulation for interfaceIp Interface Internet Protocol configure commandShutdown Shutdown the selected interfaceUndo Negate a command or set its defaultDialer Dial-On-Demand routing (DDR) commandLoopback Configure internal loopback on an interfaceMtu Maximum transmission unit…

52

display interface<Quidway>dis int s1/0/0Serial1/0/0 current state : DOWNLine protocol current state : DOWNDescription : HUAWEI, Quidway Series, Serial1/0/0 InterfaceThe Maximum Transmit Unit is 1500, Hold timer is 10(sec)Link layer protocol is PPPLCP initialInternet Address is 1.2.1.1/24Interface is no cablecode nrzi not set, idle-mark not set, loopback not setOutput queue : (Urgent queue : Size/Length/Discards) 0/50/0Output queue : (Protocol queue : Size/Length/Discards)

0/500/0Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0 Last 5 minutes input rate 0 bytes/sec, 0 packets/sec Last 5 minutes output rate 0 bytes/sec, 0 packets/secInput: 0 packets, 0 bytesOutput:0 packets, 0 bytesDCD=DOWN DTR=DOWN DSR=DOWN RTS=DOWN

CTS=DOWN

Physical layer state information

Data-link layer state information

Interface description

MTU and timer of interface

Data-link encapsulation

DTE, DCE or no cable

Physical Layer

Data transmit

53

Interface configurationFeatures of the synchronous serial interface are as

follows. It can work in two modes: DTE and DCE. Usually,

the synchronous serial interface serves as DTE and receives the clock provided by DCE.

The synchronous serial interface can connect multiple cables externally, such as V.24, and V.35. The VRP can automatically distinguish types of cables connected externally and select electrical characters. Generally, you do not need to perform configuration manually.

The link layer protocols supported by synchronous serial interface include PPP, FR, LAPB and X.25, etc.

It supports network layer protocol IP. Type of external cable and the operating mode (DTE/DCE) of the synchronous serial interface can be viewed with display interface serial command.

54

Interface configurationWhen two synchronous serial interfaces are connected, the baud rate on line is determined at DCE-side. Therefore, when the synchronous serial interfaces act as DCE, the baud rate is to be set. The default baud rate of synchronous serial interface is 64000bit/s.

[Quidway-Serial0/0]baudrate ? 300 only for async mode 600 only for async mode 1200 for syn & asyn mode 2400 for syn & asyn mode 4800 for syn & asyn mode 9600 for syn & asyn mode ...... 115200 for syn & asyn mode 128000 only for syn mode 384000 only for syn mode 2048000 only for syn mode Note: The baudrate must not exceed 64Kbps when using a V.24 cable!

55

Huawei Introduction

Routing ConfigurationRouting Configuration

56

Displaying the routing table

[Quidway]display ip routingRouting Tables:Destination/Mask proto pref Metric Nexthop

Interface 0.0.0.0/0 Static 60 0 120.0.0.2

Serial0 8.0.0.0/8 RIP 100 3 120.0.0.2

Serial0 9.0.0.0/8 OSPF 10 50 20.0.0.2

Ethernet0 9.1.0.0/16 RIP 100 4 120.0.0.2

Serial0 11.0.0.0/8 Static 60 0 120.0.0.2

Serial0 20.0.0.0/8 Direct 0 0 20.0.0.1

Ethernet0 20.0.0.1/32 Direct 0 0 127.0.0.1

LoopBack0 ......

A route is the path information to guide IP packets to be transferred.

57

Route Preference

The route obtained by the protocol of the highest preference is preferred and added in the routing table.

Routing Protocol Preference

DIRECT 0

OSPF 10

STATIC 60

RIP 100

IBGP 130

OSPF ASE 150

EBGP 170

UNKNOWN 255

58

Route Metric

The route metric identifies the cost for arriving at the destination of the route. Generally, the route metric value will be influenced by the line delay, bandwidth, line seizure ratio, degree of line reliability, hop count, MTU, etc.

Different dynamic routing protocols will select one or several factor(s) to calculate the metric value.

The metric value of the static route is 0.

59

Static Route Configuration

[Quidway]ip route-static <ip_address> [ <mask> | <masklen> ] <interface_name> | <gateway_address> [ preference <preference_value> ] [ reject | blackhole ]

Examples:[Quidway] ip route-static 129.1.0.0 16 10.0.0.2[Quidway] ip route-static 129.1.0.0 255.255.0.0 10.0.0.2[Quidway] ip route-static 129.1.0.0 16 Serial 2[Quidway] ip route-static 0.0.0.0 0.0.0.0 10.0.0.2

•Destination unreachable route: when the static route towards a destination is of the "reject" parameter, all IP packets to the destination will be rejected. Besides, with the ICMP message, the source host will be notified of the unreachable destination.•Destination blackhole route: when the static route towards a destination is of the "blackhole" parameter, all IP packets to the destination will be discarded. However, no message is sent to the source host

60

Dynamic routing

What is purpose of the dynamic routing protocols?

Route calculation. The dynamic routing protocols calculate the route from a router to other network segments in a network.

How to do this? All routers send their known route-related information

to the neighboring router, so that each router will receive all routing information in the network.

Then based on an algorithm, the final route is calculated out (in fact, the next hop and metric of the route are calculated out).

61

Overview of RIP

RIP is the abbreviation of Routing Information Protocol.

RIP is a special implementation of the distance-vector routing protocol.

RIP (in two versions: RIP-1 and RIP-2) is applied to small and medium-sized networks.

RIP-2 uses the multicast (224.0.0.9) for transmission, and supports authentication and VLSM.

RIP support split horizon, route poison reverse, and triggered updated.

62

Configuration Commands of RIP

Start the RIP and enter the RIP view [Quidway] rip

Enable RIP in the speciafied network [Quidway-rip] network network-number

Specify the interface version (in interface view)

rip version 1

rip version 2 [broadcast | multicast]

Specify the working state of an interface (under interface view)

rip work

rip input

rip output

Configure the RIP-2 route aggregation summary

Set the interval to update the RIP route timers updates time

Set an RIP route timeout time timers timeout time

63

Display the RIP Configuration Information

[Quidway]display rip RIP is running public net VPN-Instance Checkzero is on Default cost : 1 Summary is on Preference : 100 Period update timer : 30 Timeout timer : 180 Garbage-collection timer : 120 No peer router Network : 192.168.2.0

64

Debugging Information of the RIP

<Quidway> terminal debugging% Current terminal debugging is on

<Quidway> debugging rip packetRip packet debugging is on

RIP : receive Response from 120.0.0.2packet : vers 1,cmd Response,length 24 dest 110.0.0.0, Metric 1RIP : send 20.0.0.1 to 255.255.255.255packet : vers 1,cmd Response,length 44 dest 110.0.0.0, Metric 2 dest 120.0.0.0, Metric 1

65

Overview of OSPF Adaptable to large-scale networks High speed of route change and

convergence No route self-loop Supporting variable length subnetwork

mask VLSM Supporting area division Supporting equivalent value route Providing level-by-level route management Supporting verification Supporting transmission of protocol

messages by multicast addresses

66

Configuration Commands for OSPF

Operation Command

Configure the Router ID of the router (System view)

router id A.B.C.D

Start the OSPF Protocol (System view)

ospf [ process-id ]

Entering OSPF Area View (OSPF view)

area area-id

Specifying the Network Segment (area view)

network ip-address wildcard-mask

Set the priority of an interface in DR election: (Interface View)

ospf dr-priority value

67

Advanced Configuration Commands for OSPF

Operation Command

Create and configure an OSPF virtual link: (OSPF area View)

vlink-peer router-id [ hello seconds] [ retransmit seconds ] [ trans-delay seconds ] [ dead seconds] [ simple password | md5 keyid key ]

Configuring the Route Aggregation of OSPF Area: (OSPF area view)

abr-summary ip-address mask [ advertise | not-advertise ]

Configuring Aggregation of Imported Routes by OSPF (OSPF view)

asbr-summary ip-address mask [ not-advertise | tag value ]

68

Testing Tools<Quidway>ping ? -a Select source IP address -c Specify the number of echo requests to send -d Specify the SO_DEBUG option on the socket being used -h Specify TTL value for echo requests to be sent -i Select the interface sending packets -n Numeric output only. No attempt will be made to lookup host addresses for symbolic names -p No more than 8 "pad" hexadecimal characters to fill out the sent packet. For example, -p f2 will fill the sent packet with f and 2 repeatedly -q Quiet output. Nothing is displayed except the summary lines

at startup time and when finished -r Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route -s Specifies the number of data bytes to be sent -t Timeout in milliseconds to wait for each reply -tos Specify TOS value for echo requests to be sent -v Verbose output. STRING<1-20> IP address or hostname of a remote system ip IP Protocol

69

More testing tools

<Quidway>tracert ? -a Select source ip address -f First time to live -m Maximum time to live -p UDP port number -q Number of probe packet -w Timeout in milliseconds to wait

for each reply STRING<1-20> IP address or hostname

of a remote system

70

And more...

<Quidway>terminal ? debugging Enable/disable debug

information to terminal logging Enable/disable log

information to terminal monitor Enable/disable information

output to current terminal trapping Enable/disable trap

information to terminal

71

Huawei Introduction

Access Lists

72

IP packet filtering For any packet a router needs to transfer, first

obtain its packet header information and then compare it with the set rules. Whether to transfer or to discard a packet depends on the comparison results. The key technology to implement packet filtering is access control list.

R

Internet

Headquarters of a company

Internal Network

Unauthorized user

Branch Office

73

Access Lists

According to application purpose, ACL falls into three groups: Basic ACL Advanced ACL Interface-based ACL

acl number acl-number [ match-order { config | auto } ]

Kinds of list Range for a number to identify

Basic ACL 2000-2999

Advanced ACL 3000 － 3999

Interface-based ACL Interface-based ACL

74

Configuration of Basic ACL

The command format for configuring a Basic ACL is as follows:

acl { number acl-number} [ match-order { config | auto } ]

rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]

75

Advanced Access Lists

In addition to source address of a packet, advanced lists can also use destination address and protocol number (TCP, UDP, etc.).

For the packets transmitted through TCP and UDP, the destination port number can also be used to differentiate the packets. rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-mask | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]

76

Configuration Steps of ACL for Firewall

The following applications can be extended as required: Set the default filtering mode of firewall Enable/disable the filtering based on time

range Set special time range Designate log host

Internet

Headquarters of a company

Enable Firewall

Rules of ACL

Apply the ACL to interface

77

Commands for Configuring Firewall Attributes

Enable/disable firewallfirewall { enable | disable }

Set the default filtering mode of firewallfirewall default { permit|deny }

Display the status information of firewalldisplay firewall

78

Apply Access Control List on the Interface

Apply the access control list on the interface. Designate whether it is in the OUT or IN

direction on the interface.

Ethernet0

The access control list 101 applies to the interface Ethernet0 and is effective in out direction

Serial0

The access control list 3 applies to the interface Serial0 and is effective in in direction

firewall packet-filter { acl-number } { inbound | outbound }

79

Basic Access List

172.16.3.0172.16.4.0

E0 E1

S0

172.16.4.13

Internet

Permit 172.16.3.0/24 network only

[Quidway] firewall enable[Quidway] acl number 2000 [Quidway-acl-basic-2000] rule 0 permit source 172.16.3.0

0.0.0.255[Quidway-acl-basic-2000] quit

[Quidway] interface Serial 0/0[Quidway-Serial0/0] firewall packet-filter 2000 outbound

80

Advanced Access List

172.16.3.0172.16.4.0Internet

non 172.16.0.0

E0 E1

S0

172.16.4.13

Deny FTP for E0 from 172.16.4.0/24

[Quidway] firewall enable[Quidway] acl number 3000[Quidway-acl-adv-3000] rule 0 deny tcp source 172.16.4.0 0.0.0.255

destination 172.16.3.0 0.0.0.255 destination-port eq 21[Quidway-acl-adv-3000] rule 1 deny tcp source 172.16.4.0 0.0.0.255

destination 172.16.3.0 0.0.0.255 destination-port eq 20[Quidway-acl-adv-3000] rule 2 permit ip source 172.16.4.0 0.0.0.255

destination 172.16.3.0 0.0.0.255[Quidway-Ethernet0/0] interface Ethernet 0/0[Quidway-Ethernet0/0] firewall packet-filter 3000 outbound

81

Packet Filtering based on time range

"Special rules for special time range"

Internet

Rules of ACL

During working hour (8: 00 a.m.- 5: 00 p.m.), only special sites can be accessed. Other

sites can be accessed in teh rest time.

82

Configuring Time Range

Time range commandtime-range time-name [ start-time

to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

Display timerange commanddisplay time-range { all | time-

name }

83

Huawei Introduction

Network Address Translation

84

Background of Address Translation

Because of increasingly insufficient IP address resources.

Multiple hosts in a LAN to access Internet by a public IP address, address translation can be used.

Network security protection: Address translation technology can effectively hide the hosts of the internal LAN.

Meanwhile, address translation can provide such services as FTP, WWW and Telnet of the internal network to external network according to the requirements of users.

85

Configuration of Address Translation

Define an ACL to specify what kind of host can access Internet.

Adopt EASY IP or address pool to provide public address.

According to the selected mode (address pool or easy IP), address translation is permitted on the interface connected to Internet.

86

Configuration of Static NAT

Create the mapnat static {inside-address}

{outside-address}

Associate it to the corresponding interface nat outbound static

87

Configuration of Dynamic NAT

EASY IP for NAT (associate the ACL with an interface).nat outbound acl-number

Configure a NAT address pool.nat address-group group-number start-addr end-

addr

Use address pool to achieve NAT (associate the ACL with an address pool).nat outbound acl-number address-group group-

number [ no-pat ]

88

Monitoring and Maintenance of NAT

Display the configuration of address translationdisplay nat { address-group | aging-time |

all | outbound | server | statistics | session [ vpn-instance vpn-instance-name ] [ slot slot-number ] [ destination ip-addr ] [source global global-addr | source inside inside-addr ] }

Enable the debugging of NATdebugging nat { event | packet [ interface

{ interface-type interface-number | interface-name } ]| alg }

Clear the connection of address translationreset nat {log-entry | session}

89

Dynamic NAT (1)

Enable the hosts of the 10.110.10.0/24 network segment to perform address translation by selecting the addresses from 202.110.10.10 to 202.110.10.12 as the translated address. Suppose that the interface Serial0/0/0 connects to ISP.

[Quidway] acl number 2001[Quidway-acl-basic-2001] rule permit source

10.110.10.0 0.0.0.255[Quidway-acl-basic-2001] rule deny

90

Dynamic NAT (2)

Configure the address pool.[Quidway] nat address-group 1

202.110.10.10 202.110.10.12Allow address translation and use the

addresses of address pool 1 for addresstranslation. During translation, the

information of TCP/UDP port is used.[Quidway-Serial0/0/0] nat outbound

2001 address-group 1

91

Delete the previous configuration.[Quidway-Serial0/0/0] undo nat

outbound 2001 address-group 1 Configure simple address

translation (not using the TCP/UDP port information to perform the address translation)[Quidway-Serial1/0/0] nat outbound

2001 address-group 1 no-pat

Dynamic NAT (3)

92

Delete the previous configuration.[Quidway-Serial0/0/0] undo nat

outbound 2001 address-group 1 Configure simple address

translation (using EASY IP, that is the interface address to perform the address translation)[Quidway-Serial1/0/0] nat outbound

2001

Dynamic NAT (4)

93

Huawei Introduction

WAN Services

94

PPP

The link-protocol PPP command is the interface configuration command. It specifies the encapsulation type of a WAN interface as PPP. By default, the encapsulated Link Layer protocol is the PPP in Quidway routers.

Operation Command

Encapsulate PPP link-protocol ppp

Configure authentication methodppp authentication-mode {pap | chap}

Configure user name and password

local-user username {simple |cipher} password

95

Typical PPP Configuration

Authenticated PartyAuthenticating Party

Quidway #1 Quidway #2

PAP authenticationS0/0 S0/0

[Quidway]local-user quidway2 password simple quidway[Quidway]interface serial 0/0[Quidway-Serial0/0]ppp authentication-mode pap

[Quidway]interface serial 0 [Quidway-Serial0/0]ppp pap local-user quidway2 password simple quidway

96

HDLC

The VRP supports the HDLC protocol encapsulation, and is compatible with mainstream equipments of other companies. link-protocol hdlc

The keepalive time delay of the HDLC protocol is used to set the scope of the keepalive packet to detect the link status.timer hold [ seconds ]

97

Introduction to Frame Relay

LAN LANFRDLCI

DLCI

DCE

DCE

DTEDTE

Local Management

Interface (LMI)

Permanent Virtual Circuit (PVC) use

data link connection identifiers (DLCI)

The frame relay protocol is a kind of fast packet switching technology developed from the X.25 packet switching technology, it is a kind of improved X.25 protocol.

The frame relay is based upon virtual circuits.

98

Frame Relay Configuration Commands

Encapsulate the frame relay protocolEncapsulate the frame relay protocollink-protocol fr [ ietf | nonstandard ]

Configure the terminal type of the frame relay interfacefr interface-type ｛ dce | dte | nni ｝

Select the LMI typefr lmi type { ansi | nonstandard | q933a

}

99

Configure Frame Relay Address Mapping

Configure Frame Relay static address Configure Frame Relay static address mapping:mapping:fr map ip { protocol-address [ ip-mask ] |

default } dlci [ broadcast ] [ nonstandard | ietf ]

Configure Frame Relay dynamic inverse dynamic inverse arparpfr inarp [ ip ] [ dlci ]

The frame relay address mapping sets up the mapping relationship between the remote protocol address and the local DLCI. This address mapping can be static or dynamic.

100

Configure Local Virtual Circuits of Frame Relay

Allocate a virtual circuit number to the Frame Relay interfaceAllocate a virtual circuit number to the Frame Relay interfacefr dlci dlci-number

When the Frame Relay interface type is DCE or NNI, the interface (either main interface or sub-interface) should be configured manually with virtual circuits.When the Frame Relay interface type is DTE, for the main interface, the system will determine the virtual circuit automatically according to the opposite equipment; the sub-interface must be configured with virtual circuits manually.

101

Configure Frame Relay Subinterface

Create frame relay subinterface and enter Create frame relay subinterface and enter the subinterface configuration modethe subinterface configuration mode

interface type number.subinterface-number [p2mp | p2p]

Configure the virtual circuit number for Configure the virtual circuit number for the frame relay subinterfacesthe frame relay subinterfaces

Configure Sub-Interface PVC and Configure Sub-Interface PVC and Establish Address MappingEstablish Address Mapping

The command for creating the address mapping is the same as that of the physical interface, you may either use the static or dynamic address mapping. The static address mapping is only needed in point-to-multipoint condition..

102

Configure Frame Relay PVC Switching

Enable the Frame Relay switchingEnable the Frame Relay switchingfr switching

Configure Frame Relay switched route Assign a PVC number for Frame Relay

interface (DCE or NNI)fr dlci dlci-number

Configure the route for Frame Relay PVC switching

fr dlci-switch in-dlci interface type number dlci out-dlci

Note: If the frame relay switching is used, interface type must be DCE or NNI

103

Typical Frame Relay Configuration Example I

DLCI 100

Router A Router BEncapsulated as frame relay

DCE DTE

fr switchinginterface serial 1ip address 202.38.163.251 255.255.255.0link-protocol frfr interface-type dcefr dlci 100fr inarpor fr map ip 202.38.163.252 dlci 100

interface serial 1 ip address 202.38.163.252 255.255.255.0link-protocol frfr interface-type dtefr inarpor fr map ip 202.38.163.251dlci 100

202.38.163.251 202.38.160.252

104

IP 202.38.11.251DLCI 50 DLCI 70

IP:202.38.11.252

Router B

Router A

Router C

DLCI 60DLCI 80

Frame Relay

Router D (FR Switch)

Serial0/0 Serial1/0

Serial2/0

LANs interconnection through frame relay network

Typical Frame Relay Configuration Example II

105

Typical Frame Relay Configuration Example II (Continued)

Configure Router D (FR Switching):Configure Router D (FR Switching):# Enable the Frame Relay to carry out PVC switching[RouterD] fr switching# Encapsulate FR on interface and set interface type. Here, take serial0 as an example, and other interfaces are configured similarly.[RouterD-Serial0/0] link-protocol fr[RouterD-Serial0/0] fr interface-type dce# Enable the Frame Relay to carry out PVC switching[RouterD-Serial0/0] fr dlci-switch 50 interface serial 1/0 dlci 70[RouterD-Serial0/0] fr dlci-switch 60 interface serial 2/0 dlci 80[RouterD-Serial1/0] fr dlci-switch 70 interface serial 0/0 dlci 50[RouterD-Serial2/0] fr dlci-switch 80 interface serial 1/0 dlci 60Configure Router A:Configure Router A:# Configure interface IP address[Quidway-Serial0/1]ip address 202.38.11.251 255.255.255.0# Configure the link layer protocol of the interface to Frame Relay[Quidway-Serial0/1]link-protocol fr[Quidway-Serial0/1]fr interface-type dte# Configure static address mapping[Quidway-Serial0/1]fr map ip 202.38.11.252 50[Quidway-Serial0/1]fr map ip 202.38.11.253 60

106

Frame Relay Monitor and Maintenance

Enable the information-debugging of Enable the information-debugging of Frame RelayFrame Relaydebugging fr {all / compress / congestion / de

/ event / fragment / inarp / lmi / mfr / packet / transmit-rate} [ interface type number ]

View the Frame Relay status on each View the Frame Relay status on each interface.interface.display fr interface interface-type interface-

num View the Frame Relay address mapping View the Frame Relay address mapping

table.table.display fr map-info [ interface interface-

type interface-num ]

107

Frame Relay Troubleshooting

The Physical Layer is DOWN check the physical lines check the remote equipment

The Physical Layer is UP, but the Link Layer is DOWN Protocol encapsulation Whether does DTE/DCE corresponds to each other Monitor the transmitting/receiving status of the LMI

message The Link Layer protocol is UP, but it cannot ping through the remote equipment

Whether the Link Layer protocols of the equipment at both ends are in Up status

Whether the address mapping is correct check the routing table to see whether there is route to the

remote equipment

108

Frame Relay Summary Use the local DLCI as the frame relay PVC

identifier to the destination end The QUIDWAY supports three LMI types:

ANSI （ Annex D） CCITT （ Annex A） nonstandard

Configure static frame relay MAP Configure subinterface to avoid the problem of

split horizon concerning routing update By default, the Inverse ARP can find remote

protocol address for the local DLCI automatically Use the commands display and debug to

monitor the frame relay

109

Huawei Introduction

VLAN Switching

110

LAN Switching

System configuration is similar to router´s.

User-interfaces are equally defined

111

Select port duplex

[Quidway-Ethernet0/1]duplex ? auto Enable port's duplex negotiation

automatically full Full-duplex half Half-duplex

112

Select port speed

[Quidway-Ethernet0/1]speed ? 10 Specify speed of current port

10Mb/s 100 Specify speed of current port

100Mb/s auto Enable port's speed negotiation

automatically

113

Configure a vlan IP Address

In vlan-interface view:[Quidway]interface Vlan-interface 1

[Quidway-Vlan-interface1]ip address

192.168.1.1 255.255.255.0

Add static routes in system view:[Quidway]ip route-static 0.0.0.0

0.0.0.0 192.168.1.254

114

Format of 802.1q Frame

DA SA Type Data CRC

Standard Ethernet Frame

DA SA Type Data CRCtag

TPID Priority CFI VLAN ID

TCI

Ethernet Frame with IEEE802.Iq Flag

115

Link Type

Access LinkAccess Link

Trunk Link or Hybrid LinkTrunk Link or Hybrid Link

116

Frame Changes in Network Communication

vlan 2 vlan 1

vlan 1 vlan 2

Ethernet frame with tag

Ethernet frame with tag

Ethernet frame without tag

117

Trunk and VLAN

VLAN 4VLAN 4

VLAN 2VLAN 2 VLAN 4VLAN 4 VLAN 3VLAN 3 VLAN 2VLAN 2 VLAN 4VLAN 4 VLAN 5VLAN 5 VLAN 5VLAN 5 VLAN 2VLAN 2

VLAN 5VLAN 5

Directed Broadcast Directed Broadcast

Trunk LinkTrunk Link

118

VLAN Basic Configuration

Enter into the VLAN view, If the specific VLAN is not created, then create it:vlan vlan_id

Delete a VLAN undo vlan vlan_id

Add/delete Ethernet interface for a specific VLAN[undo] port interface-list

Interface-list: Ethernet 2/0/1 to Ethernet 2/0/24

119

Access Link Configuration

Setting the Ethernet interface’s link-typeport link-type access undo port link-type

Set the PVID for access interface (interface view)port access vlan vlan-id

Reset the PVID to default valueundo port access vlan Default : VLAN 1

120

Trunk Link Configuration

Setting the Ethernet interface’s link-typeport link-type trunk undo port link-type

Setting Trunk interface’s PVIDport trunk pvid vlan vlan_idundo port trunk pvid Default VLAN ID: 1

set/cancel VLANs that can pass through trunk interface [undo] port trunk permit vlan

{ vlan_id_list | all }

121

What happens in a network What happens in a network with loops? with loops?

How to avoid the loops?How to avoid the loops?

STP resolves this problem STP resolves this problem and provides link and provides link redundancy.redundancy.

Review of Spanning TreeReview of Spanning Tree

122

Applications of Transparent Bridge

Expand LAN scaleFree dynamic learning of site address information

Problem: frames or packets might be forwarded circularly and continuously, resulting in network congestion

123

Why we need spanning tree protocol?

To remove path loops that might exist in the bridging network by blocking redundant links

To activate redundant backup links to restore network connection when the current active path fails

ROOTROOTLAN ALAN A LAN BLAN B

LAN CLAN C

LAN DLAN D

LAN ELAN E

124

Basic Principle of Spanning Tree Protocol

Transmits BPDUs among network bridges and do the following jobs:

Select one from all bridges in the network as the root;Calculate the shortest path from itself to the root;For each LAN ， first select a bridge nearest to the root as a designated bridge, to handle the data forwarded on its LAN;The bridge selects a root port, and the path given from this port will be the optimal path from this bridge to the root; Select ports (designated ports) contained on the spanning tree except the root port.

127

Statuses of interface

Port AbilityPort Ability

Not receive/send any messageNot receive/send any messageDisabledDisabled

BlockingBlocking

ListeningListening

LearningLearning

Port StatuesPort Statues

ForwardingForwarding

Not receive/forward data, receive but not Not receive/forward data, receive but not transfer BPDUs, and not learn addressestransfer BPDUs, and not learn addresses

Not receive/forward data, receive and transfer Not receive/forward data, receive and transfer BPDUs, but not learn addressesBPDUs, but not learn addresses

Not receive/forward data, receive and Not receive/forward data, receive and transfer BPDUs, and start to learn addressestransfer BPDUs, and start to learn addresses

Receive and forward data, receive and Receive and forward data, receive and transfer BPDUs, and learn addressestransfer BPDUs, and learn addresses

128

Configure Spanning Tree

Enable/disable the STP in system-Enable/disable the STP in system-viewview

[Quidway] stp enable/disable[Quidway] stp enable/disable

Enable/disable the STP on the Enable/disable the STP on the interfaceinterface

[Quidway-Ethernet0/1] stp [Quidway-Ethernet0/1] stp enable/disableenable/disable

129

Configurable Parameters of Spanning Trees

Configurable parameters of a spanninConfigurable parameters of a spanning tree include:g tree include:

Bridge PriorityBridge PriorityPort PriorityPort PriorityPath cost of a link corresponding to Path cost of a link corresponding to the portthe port （（ PortPathCostPortPathCost ））Three important timer parameters:Three important timer parameters:（（ Hello Time/Max Age/ForwardDelaHello Time/Max Age/ForwardDelayy ））Bridge Diameter of whole switched Bridge Diameter of whole switched networknetwork （（ BridgeDiameterBridgeDiameter ））

130

Determine the Root by Configuration

BBridge ID consists of two parts:ridge ID consists of two parts:BridgePriority+BridgeMacAddressBridgePriority+BridgeMacAddress

Configure the Bridge Priority Configure the Bridge Priority [Quidway] stp priority [Quidway] stp priority bridge-bridge-prioritypriority

131

Interface Cost

Configure the cost of interfaceConfigure the cost of interface[Quidway-Ethernet0/1] stp cost [Quidway-Ethernet0/1] stp cost costcost

Default Value determined by Default Value determined by bandwidthbandwidth

InterfaceInterface bandwidthbandwidth Value rangeValue range

10Mb/s10Mb/s

100Mb/s100Mb/s

1Gb/s1Gb/s

10Gb/s10Gb/s

2,0002,000

200200

2020

22

200200 －－ 20,00020,000

2020 －－ 2,0002,000

22 －－ 200200

22 －－ 2020

11 －－ 200,000200,000

11 －－ 200,000200,000

11 －－ 200,000200,000

11 －－ 200,000200,000

Default ValueDefault ValueRecommended Recommended

value rangevalue range

132

Interface Priority

Port ID consists of two parts:Port ID consists of two parts: PortPriority+PortPortPriority+Port number number

Configure the interface PriorityConfigure the interface Priority

[Quidway-Ethernet0/1] [Quidway-Ethernet0/1] stp port prioritystp port priority port-port-prioritypriority

LANLAN

Parallel LinkParallel LinkMultiple ports connected to one network segmentMultiple ports connected to one network segment

133

Timer of STP

Set the value of forward-delay timer[Quidway] stp timer forward-delay centiseconds Default value: 15 seconds

Set the value of Hello timer[Quidway] stp timer hello centiseconds Default value: 2 seconds

Set the value of Max-age timer[Quidway] stp timer max-age centiseconds Default value: 20 seconds

134

Maintenance

Display the information of STP sDisplay the information of STP stattatuuss

display stp [ interface display stp [ interface interface_listinterface_list ]]

Clear the information of STPClear the information of STPreset stp [ interface reset stp [ interface interface_list interface_list ]]

135

Huawei Introduction

EndThank you!!!

Operating Huawei v3[1]

Documents

Transcript of Operating Huawei v3[1]