Huawei Certification HCDA Lab Guide v1.6

HCDA-HNTD
Huawei Certification
HCDA-HNTD
Huawei Networking Technology and Device
Lab Guide
Huawei Technologies Co.,Ltd
HUAWEI TECHNOLOGIES
HCDA-HNTD
Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any

form or by any means without prior written consent of Huawei
Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei

Technologies Co., Ltd. All other trademarks and trade names mentioned
in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice.

Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of
any kind, express or implied.
Huawei Certification
HCDA-HNTD Huawei Networking Technology and Device
Lab Guide
Edition v1.6
HUAWEI TECHNOLOGIES
HCDA-HNTD
Huawei Certification System

Relaying on its strong technical and professional training system,
according to different customers at different levels of ICT technology,
Huawei certification is committed to provide customs with authentic,
professional certification.
Based on characteristics of ICT technologies and customersneeds at
different levels, Huawei certification provides customers with
certification system of four levels.
HCDA (Huawei Certification Datacom Associate) is primary for IP
network maintenance engineers, and any others who want to learn the IP
network knowledge. HCDA certification covers the TCP/IP basics, routing,
switching and other common foundational knowledge of IP networks,
together with Huawei communications products, versatile routing
platform VRP characteristics and basic maintenance.
HCDP (Huawei Certification Datacom Professional-Enterprise) is aimed at
enterprise-class network maintenance engineers, network design
engineers, and any others who want to in depth grasp routing, switching,
network adjustment and optimization technologies. HCDP-Enterprise is
consist of IESN (Implement Enterprise Switch Network), IERN (Implement
Enterprise Routing Network), and IENP (Improving Enterprise Network
performance), which includes advanced IPv4 routing and switching
technology principle, IP technology of network security, high availability
and Qos, as well as the implementation in Huawei products.
HCIE (Huawei Certified Internetwork Expert) is designed to endue
engineers with a variety of IP network technology and proficiency in
maintenance, diagnostics and troubleshooting of Huawei products,
which equips the engineers with competence in planning, design and
optimization of large-scale IP network.
HUAWEI TECHNOLOGIES
HCDA-HNTD
Referenced icon
Router
L3 Switch
L2 Switch
Firewall
Serial line
Ethernet line
HUAWEI TECHNOLOGIES
Net cloud
HCDA-HNTD
Lab environment specification

The Lab environment is suggested below:
Identifier
Device
OS version
R1
AR 2220
Version 5.90 ( V200R001C01SPC300)
R2
AR 2220
Version 5.90 ( V200R001C01SPC300)
R3
AR 2220
Version 5.90 ( V200R001C01SPC300)
S1
S5700-28C-EI-24S
Version 5.70 (V100R006C00SPC800)
S2
S5700-28C-EI-24S
S3
S3700-28TP-EI-AC
S4
S3700-28TP-EI-AC
FW
Eudemon 200E-X2
HUAWEI TECHNOLOGIES
HCDA-HNTD
CONTENTS
Chapter 1 Basic Operations on the VRP Platform ............................................................................................... 1
Lab 1-1 Basic Operations on the VRP Platform ............................................................................................... 1
Chapter 2 Configuring Static Routes and Default Routes .................................................................................. 23
Lab 2-1 Configuring Static Routes and Default Routes .................................................................................. 23
Chapter 3 RIP Configuration ............................................................................................................................. 42
Lab 3-1 Configuring RIPv1 and RIPv2 ............................................................................................................ 42
Lab 3-2 RIPv2 Route Aggregation and Authentication .................................................................................. 59
Chapter 4 OSPF Configuration .......................................................................................................................... 75
Lab 4-1 OSPF Single-area Configuration ....................................................................................................... 75
Lab 4-2 OSPF Multi-area and Authentication Configuration ......................................................................... 90
Chapter 5 RIP and OSPF Route Import ............................................................................................................ 104
Lab 5-1 RIP and OSPF Route Import ........................................................................................................... 104
Chapter 6 Ethernet and STP ........................................................................................................................... 115
Lab 6-1 Ethernet Interface and Link Configuration ..................................................................................... 115
Lab 6-2 STP Configuration .......................................................................................................................... 122
Lab 6-3 VLAN Configuration ....................................................................................................................... 135
Chapter 7 Layer3 Configuration and VRRP ...................................................................................................... 146
Lab 7-1 Configuring Layer 3 Switching ........................................................................................................ 146
Lab 7-2 Configuring the VRRP .................................................................................................................... 160
Chapter 8 WAN Configuration ........................................................................................................................ 176
Lab 8-1 HDLC and PPP Configuration.......................................................................................................... 176
Lab 8-2 FR Configuration (Back to Back) ..................................................................................................... 192
HUAWEI TECHNOLOGIES
HCDA-HNTD
Lab 8-3 FR Configuration (Using FR Switch) ................................................................................................ 213

Chapter 9 Firewall Configuration .................................................................................................................... 230
Lab 9-1 Eudemon Firewall Configuration ................................................................................................... 230
Lab 9-2 Packet Filtering Configuration ....................................................................................................... 245
Lab 9-3 Eudemon Firewall Zone Configuration ........................................................................................... 260
Lab 9-4 NAT Configuration on the Eudemon Firewall ................................................................................. 277
Chapter 10 Comprehensive Exercise .............................................................................................................. 290
Lab 10-1 Comprehensive Exercise .............................................................................................................. 290
HUAWEI TECHNOLOGIES
HCDA-HNTD
Chapter 1 Basic Operations on the VRP Platform

Lab 1-1 Basic Operations on the VRP Platform
Learning Objectives
The objectives of this lab are to learn and understand how to perform
the following operations:
Configure the connection from a personal computer (PC) to a

router using the Windows built-in terminal software.
Configure a device name, time, and time zone.
Configure the value for Console port idle timeout.
Configure the login information.
Configure the login password and super password.
Save and delete a configuration file.
Configure IP addresses for router interfaces.
Test the connectivity between two routers that are connected

directly.
Control a router after using Telnet to another router.
Copy configuration files from one router to another using File

Transfer Protocol (FTP).
Restart a router.
HC Series
HUAWEI TECHNOLOGIES
HCDA-HNTD
Topology
Figure 1.1 Lab topology of the basic operations on the VRP platform
Scenario
A company purchases two AR G3 routers. You need to commission
the two AR G3 routers before using them. Items to be commissioned
include configuration modes, device names, time, passwords, file
management, and restart operations.
Tasks
Step 1 Connect devices.
This step describes how to connect to a router using the Windows XP
built-in HyperTerminal.
Connect a PC to a router using a console cable. Run a terminal
emulation program such as Windows XP HyperTerminal on the PC to
create a connection, as shown in Figure 3.1. The name and icon provided
in the figure are only examples.Creating a connection.
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Select a COM port.Selecting a COM port.
If the PC has multiple COM ports, select a proper one. The serial port
of a PC is usually COM1.Setting port communication parameters.
HC Series
HUAWEI TECHNOLOGIES
HCDA-HNTD
In the COM1 Properties dialog box, click Restore Defaults to retain

the default settings. Click OK.
Turn on the power switch to start the router. If the preceding
parameters are set properly, the terminal window displays the startup
information until the startup process is complete, and the system asks
you to press Enter. If the command prompt, such as <Huawei>, is
displayed on the user interface, you have successfully entered the user
view configuration environment.
Step 2 View the system information.

Run the display version command to view the software version and
hardware information for the system.
<Huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.90 (AR2200 V200R001C01SPC300)
Copyright (C) 2011 HUAWEI TECH CO., LTD
Huawei AR2220 Router uptime is 0 week, 0 day, 0 hour, 2 minutes
BKP 0 version information:
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
......output omit......
The command output includes the VRP operating system version,

device model, and startup time.
Step 3 Change the system time parameter.

The system automatically saves the time. If the time is incorrect, run
the clock datetime command in the user view to change the system
time.
<Huawei>clock datetime 12:00:00 2011-09-15
Run the display clock command to check that the new system time
has taken effect.
<Huawei>display clock
2011-09-15 12:00:21
Thursday
Time Zone(Default Zone Name) : UTC+00:00
Step 4 Use the question mark (?) or press Tab to enter

commands.
The question mark (?) is a wildcard, and the Tab is used as a shortcut
to enter commands.
<Huawei>display ?
aaa
AAA
access-user
accounting-scheme
acl
User access
Accounting scheme
<Group> acl command group
adp-ipv4
Ipv4 information
adp-mpls
Adp-mpls module
anti-attack
arp
Specify anti-attack configurations

<Group> arp command group
arp-limit
atm
Display the number of limitation

ATM status and configuration information
authentication-scheme
Authentication scheme
authorization-scheme
Display AAA authorization scheme
If you want to display all the commands that start with a specific letter
HC Series
HUAWEI TECHNOLOGIES
HCDA-HNTD
or string of letters, enter the desired letters and the question mark (?).
The system displays all the commands that start with the letters you
enter. For example, if you enter dis?, the system displays all the
commands that start with dis.
Make sure that there is a space between the string and the question
mark (?). The system identifies the command corresponding to the string
and displays the parameters of the command. For example, if you enter
dis ? and only the display command starts with dis, the system displays
the parameters of the display command. If multiple commands start
with dis, the system displays an error.
You can also press Tab to complete a command. For example, if you
enter dis and press Tab, the system completes the display command. If
multiple commands start with dis, you can select the appropriate one.
If there are no other commands start with the same letters, you can
type dis or disp to indicate display, and int or inter to indicate interface.
Step 5 Access the system view.

Run the system-view command to access the system view where you
configure interfaces and protocols.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]
Step 6 Change device names.

To more easily identify devices, set device names during the device
configuration. Change device names based on the lab topology, as
shown below:
Change the name of the R1 router to R1.
[Huawei]sysname R1
[R1]
Change the name of the R2 router to R2.

[Huawei]sysname R2
[R2]
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 7 Configure the login information.

Configure the login information to indicate the login result.
[R1]header shell information "Welcome to Huawei certification lab"
Run the preceding command to configure the login information. To

check whether the login information has been changed, quit out of the
router command line interface, and log back in to view the login
information.
[R1]quit
<R1>quit
Configuration console exit, please press any key to log on
Welcome to Huawei certification lab
<R1>
Note: Login information usually provides warnings of illegal logins.

Do not use words that are welcoming.
Step 8 Configure
the
login
authentication
mode
and
timeout interval of the console port.

The console port by default does not have a login password.
Therefore, users can log in to the device without passwords.
This presents a serious risk to the device. You need to change the
login mode of the console port to the password authentication mode.
The password in the password authentication mode is huawei in plain
text.
If there is no activity on the console port for the period of time
specified by the timeout interval, the system automatically exits. When
this occurs, you need to log in to the system again using the password.
The default timeout interval is 10 minutes. If 10 minutes are not a
reasonable amount of time for the timeout interval, change the timeout
interval to 20 minutes.
[R1]user-interface console 0
[R1-ui-console0]authentication-mode password
[R1-ui-console0]set authentication password simple huawei
HC Series
HUAWEI TECHNOLOGIES
HCDA-HNTD
[R1-ui-console0]idle-timeout 20 0
Run the display this command to check the configuration results.

[R1-ui-console0]display this
[V200R001C01SPC300]
#
user-interface con 0
authentication-mode password
set authentication password simple huawei
idle-timeout 20 0
Log out of the system and log back in to verify that you need to enter
the password.
[R1-ui-console0]return
<R1>quit
Configuration console exit, please press any key to log on
<R1>
Step 9 Configure IP addresses and descriptions for the

interfaces.
Configure an IP address for the S1/0/0 interface of R1. The IP address
can use the subnet mask length or use a complete subnet mask, such as
24 or 255.255.255.0.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]description This interface connects to R2-S1/0/0

[R1-Serial1/0/0]display this
[V200R001C01SPC300]
#
interface Serial1/0/0
link-protocol ppp
description This interface connect to R2-S1/0/0
ip address 10.0.12.1 255.255.255.0
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
Return
Run the display interface command to view the interface description.

[R1-Serial1/0/0]display interface Serial2/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-09-15 17:38:48
Description:This interface connect to R2-S1/0/0
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP stopped
Last physical up time
: 2011-09-16 17:38:45
Last physical down time : 2011-09-16 17:38:34

Current system time: 2011-09-16 17:42:58
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V35, Clock mode is DCECLK
Last 300 seconds input rate 2 bytes/sec 16 bits/sec 0 packets/sec
Last 300 seconds output rate 2 bytes/sec 16 bits/sec 0 packets/sec
Input: 212 packets, 2944 bytes
broadcasts:
errors:
CRC:
dribbles:
frame errors:
0, multicasts:
0, runts:
0, align errors:
0, aborts:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:
Output: 216 packets, 2700 bytes

errors:
0, underruns:
deferred:
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

Input bandwidth utilization : 0.13%
Output bandwidth utilization : 0.13%
[R1-Serial1/0/0]
The command output shows that the physical status and protocol
status of the interface are UP, and the corresponding physical layer and
data link layer are functional.
The interface link cables are V.35 DCE.
Once you have verified the status, configure the IP address and
description for the interface of R2.
HC Series
HUAWEI TECHNOLOGIES
HCDA-HNTD

[R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0
[R2-Serial1/0/0]description This interface connect to R1-S2/0/0
[R2-Serial1/0/0]
After completing the configuration, run the ping command to test

the connection between R1 and R2.
[R1]ping 10.0.12.2
PING 10.0.12.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=35 ms
--- 10.0.12.2 ping statistics --5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/32/35 ms
Step 10
Configure the telnet login mode.
Set the telnet login mode of R1 to password authentication mode,

password to huawei, and user privilege level to 3.
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password
[R1-ui-vty0-4]set authentication password simple huawei
[R1-ui-vty0-4]user privilege level 3

[R1-ui-vty0-4]display this
[V200R001C01SPC300]
#
idle-timeout 20 0
user-interface vty 0 4
user privilege level 3
10
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
Return
Set the telnet login mode of R2 to user name and password

authentication mode.
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]quit
Note: You can run the quit command to return to the previous view
or the return command to return to the user view.
[R2]aaa
[R2-aaa]local-user huawei password simple huawei
[R2-aaa]local-user huawei privilege level 15
[R2-aaa]local-user huawei service-type telnet

[R2-aaa]display this
[V200R001C01SPC300]
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password simple huawei
local-user huawei privilege level 15
local-user huawei service-type telnet
#
Return
Telnet to R2 from R1.

<R1>telnet 10.0.12.2
Press CTRL_] to quit telnet mode
Trying 10.0.12.2 ...
Connected to 10.0.12.2 ...
HC Series
HUAWEI TECHNOLOGIES
11
HCDA-HNTD
Login authentication
Username:huawei
Password:
---------------------------------------------------------------------------User last login information:
---------------------------------------------------------------------------Access Type: Telnet
IP-Address : 10.0.12.1
Time
: 2011-09-14 13:19:59+00:00
---------------------------------------------------------------------------<R2>
Based on the output above, the login is successful.

Telnet to R1 from R2.
<R2>telnet 10.0.12.1
Trying 10.0.12.1 ...
Password:
<R1>
Based on the output above, the login is successful.
Step 11
Configure a super password for the device.
When there are low user rights, for example, the value of user
privilege level is 0 or 1 for the telnet login, you can use the super
command to increase the user rights. To minimize risks caused by illegal
right elevations, set super passwords.
Set a super password for R1. The super password is stored in simple
(plain text) mode.
12
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R1]super password simple Huawei
Run the display current-configuration command to check the

configuration results.
[R1]display current-configuration
#
super password level 3 simple huawei
As shown in the command output, the super password is stored in

plain text, which is relatively unsecure and unsafe.
Set a super password for R2. The super password is stored in cipher
(cipher text) mode.
[R2]super password cipher huawei
#
super password level 3 cipher Q;L]@C0S3[%;LEEP8+INFQ!!
As shown in the command output, the super password is stored in

cipher text, which is more secure and safe.
Step 12
View the file list stored on the current device.
Run the dir command in the user view to display the list of files in the
current directory.
<R1>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 14 2011 11:50:24
1 -rw-
68,288,896 Jul 12 2011 14:17:58
HC Series
web.zip
ar2220_V200R001C01SPC300.cc
HUAWEI TECHNOLOGIES
13
HCDA-HNTD
1,927,476 KB total (1,856,548 KB free)

<R2>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 14 2011 11:50:58
1 -rw-
68,288,896 Jul 12 2011 14:19:02
web.zip
ar2220_V200R001C01SPC300.cc
1,927,476 KB total (1,855,076 KB free)
Step 13
Upload and download files between R1 and R2
using FTP.
Routers are considered as FTP clients by default. In this lab, R1 is
considered as an FTP client, and R2 is considered as an FTP server.
Enable the FTP server function on R2.
[R2]ftp server enable
Info: Succeeded in starting the FTP server
[R2]set default ftp-directory sd1:/
Create a local account ftpuser as the FTP login account on R2.

[R2]aaa
[R2-aaa]local-user ftpuser password cipher huawei
[R2-aaa]local-user ftpuser service-type ftp
[R2-aaa]local-user ftpuser privilege level 15
Log in to R2 from R1 using FTP.

<R1>ftp 10.0.12.2
Trying 10.0.12.2 ...
Press CTRL+K to abort
Connected to 10.0.12.2.
220 FTP service ready.
User(10.0.12.2:(none)):ftpuser
331 Password required for ftpuser.
Enter password:
230 User logged in.
[R1-ftp]
14
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
If the [R1-ftp] prompt is displayed, you have successfully logged in to

the R2 FTP server.
Transfer a file from R1 to the R2 FTP server using FTP.
[R1-ftp]put hq-r.cfg file-from-R1.bak
200 Port command okay.
150 Opening ASCII mode data connection for file-from-R1.bak.
226 Transfer complete.
FTP: 0 byte(s) sent in 0.627 second(s) 0.00byte(s)/sec.
[R1-ftp]
Note: The source file names on the lab device may be different. You
need to use the actual file name. Run the dir command in the R1 user
view to check the file names in the file list.
Run the dir command to view the result of the transfer.
[R1-ftp]dir
150 Opening ASCII mode data connection for *.
-rwxrwxrwx
1 noone
nogroup
1738816 Sep 14 11:50 web.zip
-rwxrwxrwx
1 noone
nogroup 68288896 Jul 12 14:19
ar2220_V200R001C01SPC300.cc
-rwxrwxrwx
1 noone
nogroup
0 Sep 14 14:10 file-from-r1.bak

FTP: 551 byte(s) received in 0.619 second(s) 890.14byte(s)/sec.
The command output lists files on the R2 FTP server.

Download the file-from-r1.bak file from the R2 FTP server to R1 and
change the file name to file-from-r2.bak.
[R1-ftp]get file-from-r1.bak file-from-r2.bak
150 Opening ASCII mode data connection for file-from-r1.bak.
FTP: 0 byte(s) received in 0.591 second(s) 0.00byte(s)/sec.
Exit from the R2 FTP server and check the file list on R1. Make sure
that the file-from-r2.bak file has been downloaded successfully.
[R1-ftp]quit
221 Server closing.
HC Series
HUAWEI TECHNOLOGIES
15
HCDA-HNTD
<R1>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 16 2011 18:44:54
1 -rw-
68,288,896 Jul 12 2011 14:17:58
2 -rw-
0 Sep 16 2011 19:13:00
web.zip
ar2220_V200R001C01SPC300.cc
file-from-r2.bak
1,927,476 KB total (1,856,548 KB free)

<R1>
Delete the files on the devices.

Warning: Delete only the two lab files file-from-r1.bak and
file-from-r2.bak. Do not delete other files; otherwise, the devices
may fail to boot.
Delete the file-from-r1.bak file from R2.
<R2>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 14 2011 11:50:58
1 -rw-
68,288,896 Jul 12 2011 14:19:02
2 -rw-
0 Sep 14 2011 14:10:08
web.zip
ar2220_V200R001C01SPC300.cc
file-from-r1.bak
1,927,476 KB total (1,855,076 KB free)

<R2>delete /unreserved file-from-r1.bak
Warning: The contents of file sd1:/file-from-r1.bak cannot be recycled. Continue?
(y/n)[n]:y
Info: Deleting file sd1:/file-from-r1.bak...succeed.
The /unreserved parameter indicates that the file is to be deleted

permanently and cannot be restored. Use this parameter with caution.
<R2>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 14 2011 11:50:58
1 -rw-
68,288,896 Jul 12 2011 14:19:02
web.zip
ar2220_V200R001C01SPC300.cc
1,927,476 KB total (1,855,076 KB free)
16
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Compare the file list with the preceding file list and make sure that
the file-from-r1.bak file has been deleted.
Delete the file-from-r2.bak file from R1.
<R1>delete /unreserved file-from-r2.bak
Warning: The contents of file sd1:/file-from-r2.bak cannot be recycled. Continue?
(y/n)[n]:y
Info: Deleting file sd1:/file-from-r2.bak...succeed.
<R1>dir
Directory of sd1:/
Idx Attr
Size(Byte) Date
Time(LMT) FileName
0 -rw-
1,738,816 Sep 16 2011 18:44:54
1 -rw-
68,288,896 Jul 12 2011 14:17:58
web.zip
ar2220_V200R001C01SPC300.cc
1,927,476 KB total (1,856,548 KB free)

<R1>
Step 14
Manage configuration files of a device.
Save the current configuration file.

<R1>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait............
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
Run the following command to view the saved configuration

information:
<R1>display saved-configuration
[V200R001C01SPC300]
#
sysname R1
header shell information "Welcome to Huawei certification lab"
#
board add 0/1 1SA
board add 0/2 1SA
output omit
HC Series
HUAWEI TECHNOLOGIES
17
HCDA-HNTD
Run the following command to view the current configuration

information:
<R1>display current-configuration
[V200R001C01SPC300]
#
sysname R1
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
output omit
A router can store multiple configuration files. You can select the
configuration file to be used after the next startup of the router as
required.
<R1>startup saved-configuration iascfg.zip
This operation will take several minutes, please wait.........
Info: Succeeded in setting the file for booting system
<R1>
Run the following command to select the configuration file to be

used after the next startup:
<R1>display startup
MainBoard:
Startup system software:
sd1:/ar2220_V200R001C01SPC300.cc
Next startup system software:
sd1:/ar2220_V200R001C01SPC300.cc
Backup system software for next startup:

Startup saved-configuration file:
Next startup saved-configuration file:
Startup license file:
Next startup license file:
Startup patch package:
Next startup patch package:
Startup voice-files:
Next startup voice-files:
null
null
sd1:/iascfg.zip
null
null
null
null
null
null
Delete configuration files from the flash memory.

<R1>reset saved-configuration
18
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
This will delete the configuration in the flash memory.

The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
<R1>
Step 15
Restart a router.
Run the reboot command to restart a router.

<R1>reboot
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...
The system asks whether you want to save the current configuration.
Determine whether to save the current configuration based on the
requirements for the lab. If you are unsure whether you should save the
current confirmation, do not save it.
Additional Exercises: Analyzing and Verifying

1. You can use USB cables to connect to the USB ports of AR G3
routers to perform configuration management. For more information,
see the related product guide.
2. Currently, most laptops do not have COM ports. How do we
configure routers without laptop COM ports? List all the methods you
have in mind.
Final Configurations
[V200R001C01SPC300]
#
sysname R1
tftp client-source -i Serial2/0/0
#
voice
HC Series
HUAWEI TECHNOLOGIES
19
HCDA-HNTD
#
http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
aaa
domain default
#
interface Ethernet3/0/0
#
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
#
#
interface Cellular0/0/0
link-protocol ppp
#
link-protocol ppp
#
interface NULL0
#
super password level 3 simple huawei
20
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
idle-timeout 10 0
user privilege level 3
#
return
[V200R001C01SPC300]
#
sysname R2
ftp server enable
set default ftp-directory sd1:/
#
board add 0/1 1SA
board add 0/2 1SA
board add 0/3 2FE
#
voice
#
http server enable
#
#
l2tp aging 0
#
dhcp enable
#
aaa
domain default
local-user ftpuser password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user ftpuser privilege level 15
local-user ftpuser service-type ftp
HC Series
HUAWEI TECHNOLOGIES
21
HCDA-HNTD
local-user huawei password simple huawei

local-user huawei privilege level 15
local-user huawei service-type telnet ftp
#
#
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
#
#
#
#
link-protocol ppp
#
link-protocol ppp
#
interface NULL0
#
super password level 3 cipher Q;L]@C0S3[%;LEEP8+INFQ!!
authentication-mode aaa
#
return
22
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Chapter 2 Configuring Static Routes and Default Routes
Chapter 2 Configuring Static Routes and Default

Routes
Lab 2-1 Configuring Static Routes and Default Routes
Learning Objectives
The objectives of this lab are to learn and understand:
Advantages of static routes and default routes over dynamic

routes
Routing functions and operation processes
Procedure for configuring a static route with the next hop as an

interface
Procedure for configuring a static route with the next hop as an IP

address
Method of testing connectivity of a static route
Method of implementing interconnection between the distal

network and external network by configuring a default route
Procedure for testing a default route
Procedure for configuring a backup static route on a router with

redundant links
Method of testing a backup static route
HC Series
HUAWEI TECHNOLOGIES
23
HCDA-HNTD
Topology
Figure 2.1 Lab topology of static routes and default routes
Scenario
Assume that you are a network administrator of a company with a
headquarters (HQ) and two branches. R1 is the router in the HQ, and the
HQ has a network segment. R2 and R3 are the routers in the two
branches. R1 is connected to R2 and R3 through the Ethernet and serial
cables. R2 and R3 are connected through serial cables.
Because the network scale is small, static routes and default routes
are used to implement interworking. For the IP addressing information,
see Figure 2.1.
24
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Tasks
Step 16
Perform basic configurations and configure IP
addresses.
Configure the device names and IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1
[R1-Serial1/0/0]description this port connect to R2-S1/0/0
[R1-Serial1/0/0]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/0]description this port connect to R3-G0/0/0
[R1-GigabitEthernet0/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

configurations.
[R1-LoopBack0]display current-configuration
#
interface GigabitEthernet 0/0/0
description this port connect to R3-G0/0/0
ip address 10.0.13.1 255.255.255.0
#
#
link-protocol ppp
description this port connect to R2-S1/0/0
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
HC Series
HUAWEI TECHNOLOGIES
25
HCDA-HNTD
<Huawei>system-view
[Huawei]sysname R2
[R2]interface serial 1/0/0
[R2-Serial1/0/0]interface serial 2/0/0
[R2-Serial2/0/0]interface loopback0
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
<Huawei>system-view
[Huawei]sysname R3
[R3-GigabitEthernet0/0/0]description this port connect to R1-G0/0/0
26
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
Run the ping command to test network connectivity.

<R1>ping 10.0.12.2
0.00% packet loss
<R1>ping 10.0.13.3
HC Series
HUAWEI TECHNOLOGIES
27
HCDA-HNTD
0.00% packet loss
<R2>ping 10.0.23.3
0.00% packet loss
Step 17
Test connectivity from R2 to 10.0.13.0/24 and
10.0.3.0/24.
[R2]ping 10.0.13.3
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
[R2]ping 10.0.3.3
Request time out
Request time out
Request time out
Request time out
28
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Request time out

100.00% packet loss
Note: If R2 needs to communicate with the network segment 10.0.3.0,

the routes destined for this network segment must be configured on R2,
and the routes destined for the R2 interface must be configured on R3.
The preceding test result shows that R2 cannot communicate with
10.0.3.3 and 10.0.13.3.
Run the display ip routing-table command to view the routing table
of R2. The routing table does not contain the routes of the two networks.
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
---------------------------------------------------------------------------Routing Tables: Public
Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.0/8
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
29
HCDA-HNTD
Step 18
Configure static routes on R2.
Configure a static route for destination networks 10.0.13.0/24 and

10.0.3.0/24, with the next hop as R3 interface's IP address 10.0.23.3 ,
preference of 60 is the default and not needed to be set. Also in the
example the preference is not set.
<R2>system-view
[R2]ip route-static 10.0.13.0 24 10.0.23.3
[R2]ip route-static 10.0.3.0 24 10.0.23.3
Note: In the ip route-static command, 24 indicates the subnet mask

length, which can also be expressed in 255.255.255.0.
Step 19
Configure backup static routes.
The data exchanged between R2 and 10.0.13.3 and 10.0.3.3 is

transmitted through the link between R2 and R3. R2 fails to
communicate with 10.0.13.3 and 10.0.3.3 if the link between R2 and R3 is
faulty.
According to the topology, R2 can communicate with R3 through R1
after the link between R2 and R3 is faulty. You can configure a backup
static route to solve the preceding problem. Backup static routes do not
take effect in normal cases. If the link between R2 and R3 is faulty,
backup static routes are used to transfer data.
You must configure preferences for backup static routes to ensure
that the backup static routes are used only when the primary link is faulty.
In this example, the preference of the backup static route is set to 80.
[R1]ip route-static 10.0.3.0 24 10.0.13.3
[R2]ip route-static 10.0.13.0 255.255.255.0 Serial 1/0/0 preference 80
[R2]ip route-static 10.0.3.0 24 Serial 1/0/0 preference 80
[R3]ip route-static 10.0.12.0 24 10.0.13.1
30
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 20
Test the static routes.
View the routing table of R2.

Destinations : 17
Destination/Mask
Proto
Routes : 17
Pre Cost
Flags NextHop
Interface
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
Static 60
RD
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Static 60
RD
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.3.0/24
127.0.0.0/8
10.0.23.3
10.0.23.3
Serial2/0/0
Serial2/0/0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
The routing table contains two static routes that are configured in
step 3. The value of the Proto field is Static, indicating a static route. The
value of the Pre field is 60, indicating the default preference of a route.
Test network connectivity when the link between R2 and R3 works
properly.
[R2]ping 10.0.13.3
HC Series
HUAWEI TECHNOLOGIES
31
HCDA-HNTD

0.00% packet loss
<R2>ping 10.0.3.3
0.00% packet loss
The command output shows that communication is normal.

You can also run the tracert command to view the routers through
which data is transferred.
<R2>tracert 10.0.13.3
traceroute to
10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,
press CTRL_C to break

1 10.0.23.3 40 ms
31 ms 30 ms
<R2>tracert 10.0.3.3
traceroute to
10.0.3.3(10.0.3.3), max hops: 30 ,packet length: 40,
press CTRL_C to break

1 10.0.23.3 40 ms
30 ms 30 ms
The command output shows that R2 directly sends data to R3.
Step 21
Test the backup static routes.
Disable Serial2/0/0 on R2 and observe the changes in the routing

tables.
32
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Compare the routing tables with the previous routing tables before
Serial2/0/0 was disabled.
[R2]int Serial 2/0/0
[R2-Serial2/0/0]shutdown
Destinations : 13
Destination/Mask
Proto
Routes : 13
Pre Cost
Flags NextHop
Interface
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
Static 80
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.3.0/24
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Static 80
10.0.12.2
Serial1/0/0
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
The next hops and preferences of the two routes in the preceding
information are changed.
Test connectivity between R2 and the destination addresses 10.0.13.3
and 10.0.3.3 on R2.
<R2>ping 10.0.3.3
HC Series
HUAWEI TECHNOLOGIES
33
HCDA-HNTD
0.00% packet loss
<R2>ping 10.0.13.3
0.00% packet loss
The network is not disconnected when the link between R2 and R3 is

shut down.
You can also run the tracert command to view the routers through
which data is transferred.
<R2>tracert 10.0.13.3
traceroute to
10.0.13.3(10.0.13.3), max hops: 30 ,packet length: 40,press CTRL_C
to break
1 10.0.12.1 40 ms
21 ms 21 ms
2 10.0.13.3 30 ms
21 ms 21 ms
<R2>tracert 10.0.3.3
traceroute to
to break
1 10.0.12.1 40 ms
21 ms 21 ms
2 10.0.13.3 30 ms
21 ms 21 ms
The command output shows that the data sent by R2 reaches R3

through R1.
34
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 22
Configure a default route on R1 to implement
network connectivity.
Enable the interface that was disabled in step 6 on R2.
[R2-Serial2/0/0]undo shutdown
Test connectivity between R1 and R3.

[R1]ping 10.0.23.3
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
R3 cannot be pinged because the route destined for 10.0.23.3 is not

configured on R1.
You can configure a default route on R1 to implement network
connectivity.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.13.3
After the configuration is complete, test connectivity between R1 and

10.0.23.3.
[R1]ping 10.0.23.3
--- 10.0.23.3 ping statistics ---
HC Series
HUAWEI TECHNOLOGIES
35
HCDA-HNTD
5 packet(s) transmitted
0.00% packet loss
Step 23
Configure a backup default route.
If the link between R1 and R3 is faulty, R1 can communicate with

10.0.23.3 and 10.0.3.3 through R2.
However, R1 does not learn about this route by default. You can also
configure a backup default route in this step.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80
[R3]ip route-static 10.0.12.0 24 10.0.23.2 preference 80
Step 24
Test the backup default route.
View the routes of R1 when the link between R1 and R3 works

properly.
<R1>display ip routing-table
Destinations : 16
Destination/Mask
Proto
Routes : 16
Pre Cost
Flags NextHop
0.0.0.0/0
Static 60
RD
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
Static 60
RD
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Direct 0
10.0.13.1
GigabitEthernet0/0/0
10.0.13.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.3.0/24
36
10.0.13.3
Interface
10.0.13.3
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Disable GigabitEthernet0/0/0 on R1 and disable GigabitEthernet0/0/0

on R3, and then view the routes of R1. Compare the current routes with
the routes before GigabitEthernet0/0/0 was disabled.
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]shutdown
[R1-GigabitEthernet0/0/0]quit
Destinations : 12
Destination/Mask
Proto
Routes : 12
Pre Cost
Flags NextHop
0.0.0.0/0
Static 80
RD
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
10.0.12.2
Interface
Serial1/0/0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
According to the preceding routing table, the value of 80 in the Pre

column indicates that backup default route 0.0.0.0 is valid.
Test network connectivity on R1.
[R1]ping 10.0.23.3
HC Series
HUAWEI TECHNOLOGIES
37
HCDA-HNTD

0.00% packet loss
[R1]tracert 10.0.23.3
traceroute to
to break
1 10.0.12.2 30 ms
26 ms 26 ms
2 10.0.23.3 60 ms
53 ms 56 ms
The data packets reach R3 through R2.

You can run the ping command to control other information about
forwarded data packets, such as the source address, data packet size,
and data packet quantity. Consider the following questions:
1. What is the source address of the ping data packets sent from a
router by default?
2. In this lab, is connectivity implemented for all the network
segments?
3. What is the simplest static route configuration for this lab topology
if only static route are configured to implement connectivity?
4. You can specify the next hop address or an interface when
configuring a static route. Consider the differences between the two
configurations. How do non-Huawei vendors configure static routes?
38
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Appendix A: Default Preference of Each Routing Protocol

of Huawei Routers
Routing Protocol and Routing Type
Preference
Direct
OSPF
10
IS-IS
15
Static
60
RIP
100
OSPF ASE
150
BGP
255
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.13.3
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 preference 80
ip route-static 10.0.3.0 255.255.255.0 10.0.13.3
HC Series
HUAWEI TECHNOLOGIES
39
HCDA-HNTD
#
return
[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 10.0.3.0 255.255.255.0 10.0.23.3
ip route-static 10.0.3.0 255.255.255.0 Serial1/0/0 preference 80
ip route-static 10.0.13.0 255.255.255.0 10.0.23.3
ip route-static 10.0.13.0 255.255.255.0 Serial1/0/0 preference 80
#
return
[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
40
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
ip address 10.0.3.3 255.255.255.0

#
ip route-static 10.0.12.0 255.255.255.0 10.0.13.1
ip route-static 10.0.12.0 255.255.255.0 10.0.23.2 preference 80
#
return
HC Series
HUAWEI TECHNOLOGIES
41
HCDA-HNTD
Chapter 3 RIP Configuration

Lab 3-1 Configuring RIPv1 and RIPv2
Learning Objectives
Loop prevention mechanism of the Routing Information Protocol

(RIP).
Method of using RIP to exchange routing information between

two routers.
Method of configuring RIPv1.
Method of enabling RIP on a specified network and interface.
Method of using the display and debug commands to test RIP.
Procedure for testing connectivity of the RIP network.
Formats of the network prefixes sent to or received by RIP.
Method of configuring RIPv2.
Differences between RIPv1 and RIPv2.
Method of importing a static route to RIP.
42
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Topology
Figure 3.1 Lab topology of RIPv1 and RIPv2
Scenario
Assume that you are a network administrator of a company that has a
small intranet with three routers and five networks. You want to use RIP
to transfer routing information. Considering compatibility, you want to
use RIPv1 at first, but you realize that RIPv2 also has many advantages.
After certain tests, you finally select RIPv2.
HC Series
HUAWEI TECHNOLOGIES
43
HCDA-HNTD
Tasks
Step 1 Perform basic configurations and IP addressing.
Configure basic device information and set IP addresses based on the
topology.
<Huawei>system-view
[Huawei]sysname R1
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]quit

configuration results.
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
<Huawei>system-view
[Huawei]sysname R2
44
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
<Huawei>system-view
[Huawei]sysname R3
[R3-Serial2/0/0]interface loop0
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
HC Series
HUAWEI TECHNOLOGIES
45
HCDA-HNTD
R1 and R2 can communicate with each other.

<R1>ping 10.0.12.2
0.00% packet loss
R2 can successfully ping the IP address 10.0.23.3 of R3.

<R2>ping 10.0.23.3
PING 10.0.23.2: 56
data bytes, press CTRL_C to break

0.00% packet loss
Step 2 Configure RIPv1.

Enable RIP on R1, and then advertise the 10.0.0.0 network segment to
RIP.
[R1]rip 1
[R1-rip-1]network 10.0.0.0
RIP.
46
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R2]rip 1
RIP.
[R3]rip 1
[R3-rip-1]net 10.0.0.0
Step 3 Verify RIPv1 routes.

View the routing tables of R1, R2, and R3. Make sure that these
routers have learned the RIP routes that are highlighted in gray in the
following command output.
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 17
HC Series
Routes : 17
HUAWEI TECHNOLOGIES
47
HCDA-HNTD
Destination/Mask
Proto
Pre Cost
10.0.1.0/24
RIP
10.0.2.0/24
Direct 0
10.0.2.2/32
10.0.2.255/32
10.0.3.0/24
Interface
10.0.12.1
Serial1/0/0
10.0.2.2
LoopBack0
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
RIP
100 1
Flags NextHop
100 1
10.0.23.3
Serial2/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 2
10.0.23.2
Serial2/0/0
10.0.2.0/24
RIP
100 1
10.0.23.2
Serial2/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.23.2
Serial2/0/0
10.0.12.0/24 RIP
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
48
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Test connectivity from R1 to IP address 10.0.23.3. R1 and R3 can

communicate with each other.
[R1]ping 10.0.23.3
0.00% packet loss
You can run the debug command to view RIP periodic updates.
Run the debug command to enable the RIP debugging function. The
debug command can be used only in the user view. Then run the
terminal debugging and terminal monitor commands to display the
debugging information.
The information about RIP interactions between routers is displayed.
<R1>debug rip 1
<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>terminal monitor
Info: Current terminal monitor is on.
Sep 19 2011 19:15:22.630.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1
response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:22.630.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response
from 10.0.12.2 on Serial1/0/0
Sep 19 2011 19:15:22.630.3+00:00 R1 RM/6/RMDEBUG: 6: 11709: Packet: Version 1,
Cmd response, Length 44
Sep 19 2011 19:15:22.630.4+00:00 R1 RM/6/RMDEBUG: 6: 11758: Dest 10.0.3.0, Cost
2
1
Sep 19 2011 19:15:52.650.1+00:00 R1 RM/6/RMDEBUG: 6: 11647: RIP 1: Receiving v1
response on Serial1/0/0 from 10.0.12.2 with 2 RTEs
Sep 19 2011 19:15:52.650.2+00:00 R1 RM/6/RMDEBUG: 6: 11698: RIP 1: Receive response
HC Series
HUAWEI TECHNOLOGIES
49
HCDA-HNTD
from 10.0.12.2 on Serial1/0/0

1
You can run the undo debug rip or undo debug all command to
disable debugging functions.
<R1>undo debug rip 1
In addition, you can run the commands that have more parameters to
view the debugging information of a certain type. For example, run the
debug rip 1 event command to view the periodical update events sent
or received by routers. You can add the question mark (?) to the
command to query other parameters.
<R1>debug rip 1 event
Sep 19 2011 19:23:44.200.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer
expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update
queue
Sep 19 2011 19:23:44.210.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface
Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug all
Info: All possible debugging has been turned off
Warning: If too many debugging functions are enabled, a large

number of router resources are used. This may lead to break down.
Therefore, use the commands (such as debug all) for enabling
debugging functions in batches with caution.

After the preceding configuration, you need to configure only
version 2 in the RIP sub view.
[R1]rip 1
[R1-rip-1]version 2
[R2]rip 1
[R2-rip-1]version 2
50
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R3]rip 1
[R3-rip-1]version 2
Step 5 Verify RIPv2 routes.

View the routing tables of R1, R2, and R3.
Run the display ip routing-table command to view the routing
tables of R1, R2, and R3. Compare the routes that are highlighted in gray
with RIPv1 routes.
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 17
Destination/Mask
10.0.1.0/24
HC Series
Proto
RIP
Routes : 17
Pre Cost
100 1
Flags NextHop
D
10.0.12.1
HUAWEI TECHNOLOGIES
Interface
Serial1/0/0
51
HCDA-HNTD
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 2
10.0.23.2
Serial2/0/0
10.0.2.0/24
RIP
100 1
10.0.23.2
Serial2/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.23.2
Serial2/0/0
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 RIP
127.0.0.0/8
100
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Note: The route learning of RIPv1 is the same of the route learning of
RIPv2. Why is this true?
52
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Test connectivity from R1 to 10.0.23.3.

[R1]ping 10.0.23.3
0.00% packet loss
You can run the debug command to view the RIPv2 periodic updates.
<R1>terminal monitor
Info: Current terminal monitor is on.
<R1>debug rip 1 event
Sep 19 2011 19:55:46.600.1+00:00 R1 RM/6/RMDEBUG: 25: 3873: RIP 1: Periodic timer
expired for interface Serial1/0/0 (10.0.12.1) and its added to periodic update
queue
Sep 19 2011 19:55:46.610.1+00:00 R1 RM/6/RMDEBUG: 25: 4201: RIP 1: Interface
Serial1/0/0 (10.0.12.1) is deleted from the periodic update queue
<R1>undo debug rip 1
<R1>debug rip 1 packet
Sep 19 2011 20:31:34.230.1+00:00 R1 RM/6/RMDEBUG: 6: 11689: RIP 1: Sending response
on interface Serial1/0/0 from 10.0.12.1 to 224.0.0.9
Sep 19 2011 20:31:34.230.3+00:00 R1 RM/6/RMDEBUG: 6: 11777: Dest 10.0.1.0/24,
Nexthop 0.0.0.0, Cost 1, Tag 0
<R1>undo debug all
Info: All possible debugging has been turned off
Step 6 Import a static route to RIPv2.

Add a loopback interface on R3, and then set the IP address to
172.16.3.3/24. Configure a static route to the network segment on R2.
HC Series
HUAWEI TECHNOLOGIES
53
HCDA-HNTD
Import the static route to the RIP routing information so that R1 can
communicate with 172.16.3.3.
Configure the loopback interface on R3.
[R3]interface LoopBack 1

[R1]ping 172.16.3.3
PING 172.16.3.3: 56
Request time out

Request time out
Request time out
Request time out
Request time out
100.00% packet loss
R1 does not have a route to 172.16.3.3. Therefore, the address cannot

be pinged successfully.
Configure the static route on R2.
<R2>system-view
[R2]ip route-static 172.16.3.0 24 10.0.23.3
Import the static route to RIPv2.

[R2]rip 1
[R2-rip-1]import-route static
Step 7 Verify that the static routes are imported to RIPv2

successfully.
View the routing tables of R1, R2, and R3. The route to 172.16.3.0/24
exists in the routing table of R1; the static route to 172.16.3.0/24 exists in
the routing table of R2; no change occurs in the routing table of R3.
54
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
Direct 0
10.0.1.255/32
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
172.16.3.0/24
RIP
100 1
255.255.255.255/32 Direct 0
D
D
127.0.0.1
10.0.12.2
127.0.0.1
InLoopBack0
Serial1/0/0
InLoopBack0
Destinations : 18
Destination/Mask
Proto
Routes : 18
Pre Cost
10.0.1.0/24
RIP
10.0.2.0/24
Direct 0
10.0.2.2/32
10.0.2.255/32
10.0.3.0/24
Interface
10.0.12.1
Serial1/0/0
10.0.2.2
LoopBack0
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
RIP
100 1
Flags NextHop
100 1
10.0.23.3
Serial2/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
HC Series
HUAWEI TECHNOLOGIES
55
HCDA-HNTD
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.3.0/24
Static 60
0
0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
RD
10.0.23.3
Serial2/0/0
127.0.0.1
InLoopBack0
Destinations : 17
Destination/Mask
Proto
Routes : 17
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 2
10.0.23.2
Serial2/0/0
10.0.2.0/24
RIP
100 1
10.0.23.2
Serial2/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.23.2
Serial2/0/0
10.0.12.0/24 RIP
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
172.16.3.0/24
Direct 0
172.16.3.3
LoopBack1
172.16.3.3/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.255/32
Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

R1 can communicate with 172.16.3.3.
[R1]ping 172.16.3.3
PING 172.16.3.3: 56

56
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
0.00% packet loss

When you use RIPv1, a router sends network IDs and other route
update information to its neighbor routers without sending subnet
masks. How do neighbor routers process the route update information
and generate the corresponding subnet masks?
How are RIPv1 and RIPv2 compatible with each other?
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
[V200R001C01SPC300]
#
sysname R2
#
HC Series
HUAWEI TECHNOLOGIES
57
HCDA-HNTD
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
import-route static
#
ip route-static 172.16.3.0 255.255.255.0 10.0.23.3
#
return
[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
description this port connects to R2-S2/0/0
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 172.16.3.3 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
58
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Lab 3-2 RIPv2 Route Aggregation and Authentication

Learning Objectives
Route aggregation advantages
Method used to configure RIPv2 route aggregation
RIP authentication method
Method used to troubleshoot an RIP authentication failure
Topology
Figure 3.2 RIPv2 topology
HC Series
HUAWEI TECHNOLOGIES
59
HCDA-HNTD
Scenario
Assume that you are a network engineer of a company. The company
is small; therefore, RIPv2 is used. There are too many routes; therefore,
route aggregation is required to control and advertise routes.
Malicious attackers may forge a valid router to receive and modify
valid routes, so RIPv2 authentication is used to protect the network.
Tasks
Step 1 Configure IP addresses for interfaces.
Configure device names and IP addresses for R1, R2, and R3.
<Huawei>system
<Huawei>system-view
[Huawei]sysname R1
[R1- Serial1/0/0]interface loopback 0
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
[R3- Serial2/0/0]interface loopback0
60
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R3-LoopBack0]interface loopback 2
After you have configured the IP addresses for the interfaces, test
<R1>ping 10.0.12.2
0.00% packet loss
<R2>ping 10.0.23.3
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
61
HCDA-HNTD

Configure RIPv2 on R1, R2, and R3.
[R1]rip 1
[R1-rip-1]version 2
[R2]rip 1
[R2-rip-1]version 2
[R3]rip 1
[R3-rip-1]network 172.16.0.0
[R3-rip-1]version 2

Destinations : 18
Destination/Mask
Proto
Routes : 18
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
172.16.0.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
172.16.1.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
172.16.2.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
62
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
172.16.3.0/24
RIP
100 2
255.255.255.255/32 Direct 0
10.0.12.2
Serial1/0/0
127.0.0.1
InLoopBack0
The information in grey shows that R1 has learned specific routes but
not aggregated routes.
Test network connectivity.
<R1>ping 172.16.0.1
PING 172.16.0.1: 56

0.00% packet loss
Step 3 Configure RIP manual route aggregation on R2.

Run the rip summary-address command on S1/0/0 of R2 to
configure RIP route aggregation. The four routes (172.16.0.0/24,
172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24) are aggregated into one
route (172.16.0.0/16).
[R2]interface serial1/0/0
[R2-Serial1/0/0]rip summary-address 172.16.0.0 255.255.0.0
View the routing table and the aggregated route.

Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
63
HCDA-HNTD
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
10.0.12.2
Serial1/0/0
127.0.0.1
InLoopBack0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1/32 Direct 0
127.255.255.255/32 Direct 0
172.16.0.0/16
RIP
100 2
255.255.255.255/32 Direct 0
The information in grey shows an aggregated route. No specific route

is listed in the routing table.
<R1>ping 172.16.0.1
PING 172.16.0.1: 56

0.00% packet loss
The preceding information shows that route aggregation does not

affect network connectivity.
Step 4 Configure RIP authentication.

Configure plain text authentication between R1 and R2 and MD5
authentication between R2 and R3. Set the authentication password to
huawei.
[R1-Serial1/0/0]rip authentication-mode simple huawei
64
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[R2-Serial2/0/0]rip authentication-mode md5 usual huawei
After the configurations are complete, test network connectivity.

Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.1.0/24 Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
10.0.12.2
Serial1/0/0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
172.16.0.0/16
RIP
100 2
255.255.255.255/32 Direct 0
Destinations : 21
Destination/Mask
HC Series
Proto
Routes : 21
Pre Cost
Flags NextHop
HUAWEI TECHNOLOGIES
Interface
65
HCDA-HNTD
10.0.1.0/24
RIP
10.0.2.0/24
Direct 0
10.0.2.2/32
10.0.2.255/32
10.0.3.0/24
10.0.12.1
Serial1/0/0
10.0.2.2
LoopBack0
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
10.0.23.3
Serial2/0/0
RIP
100 1
100 1
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.0.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.1.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.2.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.3.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
Destinations : 26
Destination/Mask
Proto
Routes : 26
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 2
10.0.23.2
Serial2/0/0
10.0.2.0/24
RIP
100 1
10.0.23.2
Serial2/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.23.2
Serial2/0/0
10.0.12.0/24 RIP
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
66
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
172.16.0.0/24
Direct 0
172.16.0.1
LoopBack2
172.16.0.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.0.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.0/24
Direct 0
172.16.1.1
LoopBack3
172.16.1.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.0/24
Direct 0
172.16.2.1
LoopBack4
172.16.2.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.0/24
Direct 0
172.16.3.1
LoopBack5
172.16.3.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.255/32
Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Step 5 Rectify the RIPv2 fault.

Change the authentication password on S1/0/0 of R2 to huawei2.
[R2-Serial1/0/0]rip authentication-mode simple huawei2
Run the following command to delete the routes learned by R1 from

R2 before the authentication password on R2 is changed.
<R1>reset ip routing-table statistics protocol rip

Destinations : 11
Destination/Mask
Proto
Routes : 11
Pre
Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
67
HCDA-HNTD
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Because R1 and R2 use different RIP authentication passwords, R1

cannot receive any RIP route from R2.
Restore the authentication password on S1/0/0 of R2 to huawei.
Change the authentication mode on S2/0/0 of R2 to plain text

authentication.
Run the following command to delete the routes learned by R3 from

R2 before you change the authentication password.
<R3>reset ip routing-table statistics protocol rip

Destinations : 23
Destination/Mask
Proto
Routes : 23
Pre
Cost
Flags NextHop
Interface
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
68
127.0.0.1
HUAWEI TECHNOLOGIES
InLoopBack0
HC Series
HCDA-HNTD
172.16.0.0/24
Direct 0
172.16.0.1
LoopBack2
172.16.0.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.0.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.0/24
Direct 0
172.16.1.1
LoopBack3
172.16.1.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.0/24
Direct 0
172.16.2.1
LoopBack4
172.16.2.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.0/24
Direct 0
172.16.3.1
LoopBack5
172.16.3.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.255/32
Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Because R2 and R3 use different RIP authentication modes, R3 cannot

receive any RIP route from R2.
Restore the authentication mode on S2/0/0 of R2 to MD5.
Verify that routes in routing tables of R1, R2, and R3 are correct.
Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
Direct 0
10.0.1.255/32
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.3.0/24
RIP
100 2
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.12.2
Serial1/0/0
10.0.23.0/24 RIP
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
69
HCDA-HNTD
127.255.255.255/32 Direct 0
172.16.0.0/16
RIP
100
0
2
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2
Serial1/0/0
127.0.0.1
InLoopBack0
Destinations : 21
Destination/Mask
Proto
Routes : 21
Pre Cost
10.0.1.0/24
RIP
10.0.2.0/24
Direct 0
10.0.2.2/32
10.0.2.255/32
10.0.3.0/24
Interface
10.0.12.1
Serial1/0/0
10.0.2.2
LoopBack0
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
10.0.23.3
Serial2/0/0
RIP
100 1
Flags NextHop
100 1
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.0.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.1.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.2.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
172.16.3.0/24
RIP
100 1
10.0.23.3
Serial2/0/0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
Destinations : 26
Destination/Mask
70
Proto
Routes : 26
Pre Cost
Flags NextHop
HUAWEI TECHNOLOGIES
Interface
HC Series
HCDA-HNTD
10.0.1.0/24
RIP
100 2
10.0.23.2
Serial2/0/0
10.0.2.0/24
RIP
100 1
10.0.23.2
Serial2/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.23.2
Serial2/0/0
10.0.12.0/24 RIP
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.0.0/24
Direct 0
172.16.0.1
LoopBack2
172.16.0.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.0.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.0/24
Direct 0
172.16.1.1
LoopBack3
172.16.1.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.1.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.0/24
Direct 0
172.16.2.1
LoopBack4
172.16.2.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.2.255/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.0/24
Direct 0
172.16.3.1
LoopBack5
172.16.3.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.3.255/32
Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

You can use debug commands to troubleshoot faults. In step 5, the
authentication passwords or authentication modes on two routers are
different. Use debug commands to view relevant information.
Appendix A:
RIP Debugging Commands on Huawei
Routers
<Huawei>debugging rip 1 ?
brief
Brief information about RIP events
error
Information about RIP Errors
event
Information about RIP events
HC Series
HUAWEI TECHNOLOGIES
71
HCDA-HNTD
packet
All RIP packets
receive
Received RIP packet information
route-processing
Information about RIP Route-Processing
send
Sent RIP packet information
timer
Information about RIP timers
<cr>
Please press ENTER to execute command
The preceding lists some debugging commands, which can be used

for reference.
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
rip authentication-mode simple huawei
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
Return
[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
rip authentication-mode simple huawei
rip summary-address 172.16.0.0 255.255.0.0
#
72
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
[V200R001C01SPC300]
#
sysname R3
#
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
rip authentication-mode md5 usual gg^dP=F.[>=H)H2[EInB~.2#
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.3.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
HC Series
HUAWEI TECHNOLOGIES
73
HCDA-HNTD
network 172.16.0.0
#
Return
74
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Chapter 4 OSPF Configuration

Lab 4-1 OSPF Single-area Configuration
Learning Objectives
Router ID usage.
Method used to enable OSPF on a specified interface or network.
Method used to view OSPF operations using display commands.
Method to use OSPF to advertise default routes.
Method used to change the OSPF hello interval and dead interval.
Method used to change the OSPF route priority.
DR or BDR election on the Ethernet.
HC Series
HUAWEI TECHNOLOGIES
75
HCDA-HNTD
Topology
Figure 4.1 OSPF single area topology
Scenario
Assume that you are a network administrator of a company. The
company will use OSPF to exchange routes. All the routers belong to
OSPF area 0. OSPF is required to advertise default routes and the DR or
BDR will be elected.
Tasks
<Huawei>system-view
[Huawei]sysname R1
76
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[R1-Serial1/0/0]interface GigabitEthernet 0/0/0
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
Step 2 Configure OSPF.

Use Loopback0's IP address 10.0.1.1 as the router ID, use OSPF
process 1 (default OSPF process), and specify network segments
10.0.12.0/24, 10.0.13.0/24, and 10.0.1.0/24 in OSPF area 0.
[R1]ospf 1 router-id 10.0.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
A router can run multiple OSPF processes and different routers in a

routing domain can use identical or different OSPF process IDs. You must
specify the wildcard mask in the network command.
process 10, and specify network segments 10.0.12.0/24 and 10.0.2.0/24
in OSPF area 0.
HC Series
HUAWEI TECHNOLOGIES
77
HCDA-HNTD

[R2-ospf-10]area 0

process 100, and specify network segments 10.0.13.0/24 and 10.0.3.0/24
in OSPF area 0.
[R3-ospf-100]area 0
Step 3 Verify the OSPF configuration.

After OSPF route convergence is complete, view routing tables of R1,
R2, and R3.
Destinations : 16
Destination/Mask
Proto
Routes : 16
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.2/32
OSPF
10
1562 D
10.0.12.2
Serial1/0/0
10.0.3.3/32
OSPF
10
10.0.13.3
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Direct 0
10.0.13.1
10.0.13.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
78
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Interface
10.0.1.1/32
OSPF
1562
10.0.12.1
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
OSPF
1563
10.0.12.1
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
1563
10.0.12.1
Serial1/0/0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.3.3/32
10.0.13.0/24 OSPF
127.0.0.0/8
10
Flags NextHop
10
10
Serial1/0/0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 16
Destination/Mask
Proto
Routes : 16
Pre Cost
Flags NextHop
Interface
10.0.1.1/32
OSPF
10
10.0.13.1
10.0.2.2/32
OSPF
10
1563 D
10.0.13.1
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
1563 D
10.0.13.1
10.0.13.0/24 Direct 0
10.0.13.3
10.0.13.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
10.0.12.0/24 OSPF
127.0.0.0/8
10
79
HCDA-HNTD
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
172.16.0.0/24
Direct 0
172.16.0.1
LoopBack2
172.16.0.1/32
Direct 0
127.0.0.1
InLoopBack0
172.16.0.255/32
Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Test network connectivity between R2 and R1 at 10.0.1.1 and

between R2 and R3 at 10.0.3.3.
[R2]ping 10.0.1.1
0.00% packet loss
[R2]ping 10.0.3.3
0.00% packet loss
Run the display ip routing-table protocol ospf command to view

the learned routes. Use the display on R1 as an example. The
configurations on R2 and R3 are similar.
[R1]display ip routing-table protocol ospf
80
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
---------------------------------------------------------------------------Public routing table : OSPF

Destinations : 2
Routes : 2
OSPF routing table status : <Active>

Destinations : 2
Destination/Mask
Proto
Routes : 2
Pre Cost
Flags NextHop
Interface
10.0.2.2/32
OSPF
10
1562 D
10.0.12.2
Serial1/0/0
10.0.3.3/32
OSPF
10
10.0.13.3
OSPF routing table status : <Inactive>

Destinations : 0
Routes : 0
Run the display ospf peer command to view the OSPF neighbor
status.
[R1]display ospf peer
OSPF Process 1 with Router ID 10.0.1.1
Neighbors
Area 0.0.0.0 interface 10.0.12.1(Serial1/0/0)'s neighbors
Router ID: 10.0.2.2
State: Full
DR: None
Address: 10.0.12.2
Mode:Nbr is Master Priority: 1
BDR: None
MTU: 0
Dead timer due in 30 sec

Retrans timer interval: 5
Neighbor is up for 00:09:19
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.0 interface 10.0.13.1(GigabitEthernet0/0/0)'s neighbors
Router ID: 10.0.3.3
State: Full
Address: 10.0.13.3
DR: 10.0.13.1
BDR: 10.0.13.3 MTU: 0

The display ospf peer command displays detailed information about

neighbors. The preceding information shows that R1 has two neighbors:
HC Series
HUAWEI TECHNOLOGIES
81
HCDA-HNTD
R2 (Router ID: 10.0.2.2) and R3 (Router ID:10.0.3.3). The neighbors are in

full state. You can also run the display ospf peer brief command to view
brief information about neighbors.
[R1]display ospf peer brief
Peer Statistic Information
---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
0.0.0.0
10.0.3.3
Full
---------------------------------------------------------------------------[R2]display ospf peer brief

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.1.1
Full

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
0.0.0.0
10.0.1.1
State
Full
----------------------------------------------------------------------------
Step 4 Change the OSPF hello interval and dead interval.

Run the display ospf interface GigabitEthernet 0/0/0 command on
R1 to view the default OSPF hello interval and dead interval.
[R1]display ospf interface GigabitEthernet 0/0/0
Interfaces
Interface: 10.0.13.1 (GigabitEthernet0/0/0)
82
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Cost: 1
State: DR
Type: Broadcast
MTU: 1500
Priority: 1
Designated Router: 10.0.13.1
Backup Designated Router: 10.0.13.3
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
Run the ospf timer command to change the OSPF hello interval and
dead interval on GE0/0/0 of R1 to 15s and 60s respectively.
[R1-GigabitEthernet0/0/0]ospf timer hello 15
[R1-GigabitEthernet0/0/0]ospf timer dead 60
[R1-GigabitEthernet0/0/0]display ospf interface GigabitEthernet 0/0/0
Interfaces

Cost: 1
State: DR
Type: Broadcast
MTU: 1500
Priority: 1
Check the OSPF neighbor status on R1.

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
----------------------------------------------------------------------------
The preceding information shows that R1 has only one neighbor, R2.
Because OSPF hello intervals and dead intervals on R1 and R3 are
different, R1 and R3 cannot establish an OSPF neighbor relationship.
Run the ospf timer command to change the OSPF hello interval and
dead interval on GE0/0/0 of R3 to 15s and 60s respectively.
[R3-GigabitEthernet0/0/0]ospf timer hello 15
HC Series
HUAWEI TECHNOLOGIES
83
HCDA-HNTD
[R3-GigabitEthernet0/0/0]ospf timer dead 60

[R3-GigabitEthernet0/0/0]display ospf interface GigabitEthernet 0/0/0
Interfaces

Cost: 1
State: DR
Type: Broadcast
MTU: 1500
Priority: 1
Check the OSPF neighbor status on R1 again.

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
0.0.0.0
10.0.3.3
Full
----------------------------------------------------------------------------
Step 5 Configure OSPF to advertise default routes and verify

the configuration.
Configure OSPF to advertise default routes on R3.
[R3]ip route-static 0.0.0.0 0 LoopBack 2
[R3]ospf 100
[R3-ospf-100]default-route-advertise
View routing tables of R1 and R2. You can see that R1 and R2 have
learned the default routes advertised by R3.
84
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Destinations : 17
Destination/Mask
0.0.0.0/0
Proto
O_ASE
Routes : 17
Pre Cost
150
Flags NextHop
Interface
10.0.13.3
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.2/32
OSPF
10
1562 D
10.0.12.2
Serial1/0/0
10.0.3.3/32
OSPF
10
10.0.13.3
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Direct 0
10.0.13.1
10.0.13.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
0.0.0.0/0
O_ASE
150
10.0.1.1/32
OSPF
10
1562
10.0.2.0/24
Direct 0
10.0.2.2/32
10.0.2.255/32
Flags NextHop
10.0.12.1
Serial1/0/0
10.0.12.1
Serial1/0/0
10.0.2.2
LoopBack0
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
OSPF
1563
10.0.12.1
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.3.3/32
10
10.0.12.255/32 Direct 0
Interface
127.0.0.1
InLoopBack0
1563
10.0.12.1
Serial1/0/0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
10.0.13.0/24 OSPF
127.0.0.0/8
10
85
HCDA-HNTD
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Run the ping command to test connectivity between R2 and

Loopback2 at 172.16.0.1.
<R2>ping 172.16.0.1
PING 172.16.0.1: 56

0.00% packet loss
Step 6 Control OSPF DR or BDR election.

Run the display ospf peer command to view the DR and BDR of R1
and R3.
[R1]display ospf peer 10.0.3.3
Neighbors
Router ID: 10.0.3.3
State: Full
Address: 10.0.13.3
DR: 10.0.13.3
BDR: 10.0.13.1 MTU: 0

The preceding information shows that R3 is the DR and R1 is the BDR.

This is because R3's router ID 10.0.3.3 is greater than R1's router ID
10.0.1.1. R1 and R3 use the default priority of 1, so their router IDs are
86
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
used for DR or BDR election.

Run the ospf dr-priority command to change DR priorities of R1 and
R3.
[R1-GigabitEthernet 0/0/0]ospf dr-priority 200
[R3-GigabitEthernet0/0/0]ospf dr-priority 100
By default, a DR or BDR is elected in non-preemption mode. After

router priorities are changed, a DR is not re-elected, so you must reset
the OSPF neighbor relationship between R1 and R3.
Shut down and re-enable GE0/0/0 interfaces on R1 or R3 to reset the
OSPF neighbor relationship between R1 and R3.
[R1-GigabitEthernet0/0/0]shutdown
[R1-GigabitEthernet0/0/0]undo shutdown
Run the display ospf peer command to view the DR and BDR of R1
and R3.
[R1-GigabitEthernet 0/0/0]display ospf peer 10.0.3.3
Neighbors
Router ID: 10.0.3.3
State: Full
Address: 10.0.13.3
DR: 10.0.13.1
BDR: 10.0.13.3 MTU: 0

According to the preceding information, R1's priority is higher than

R3's priority, so R1 becomes DR and R3 becomes the BDR.
HC Series
HUAWEI TECHNOLOGIES
87
HCDA-HNTD

Why are OSPF hello interval and dead interval changed?
Must OSPF hello intervals and dead intervals of all the routers in an
OSPF area be the same? Must the OSPF hello interval and dead interval
of a router be the same? Why?
In which network is DR or BDR elected?
R1, R2, and R3 are configured with loopback interfaces and use
24-bit mask. Why does the mask have 32 bits after other routers learn
networks connected to loopback interfaces?
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
ip address 10.0.13.1 255.255.255.0
ospf dr-priority 200
ospf timer hello 15
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.13.0 0.0.0.255
network 10.0.12.0 0.0.0.255
#
return
[V200R001C01SPC300]
88
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.0.12.0 0.0.0.255
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
ospf dr-priority 100
ospf timer hello 15
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
default-route-advertise
area 0.0.0.0
network 10.0.13.0 0.0.0.255
network 10.0.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 LoopBack2
#
return
HC Series
HUAWEI TECHNOLOGIES
89
HCDA-HNTD
Lab 4-2 OSPF Multi-area and Authentication Configuration

Learning Objectives
OSPF multi-area advantages.
Route exchange in multiple OSPF areas.
OSPF multi-area configuration commands.
OSPF authentication configuration.
Troubleshooting method used when the setup of an OSPF

neighbor relationship fails.
Topology
90
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Figure 4.2 OSPF multi area topology
Scenario
company will use OSPF to advertise routes. As the network scale
increases, OSPF multi-area is used to plan the company network. OSPF
authentication is required to ensure security. During this configuration,
you will learn about OSPF LSA types and functions.
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
HC Series
HUAWEI TECHNOLOGIES
91
HCDA-HNTD
Step 2 Configure multiple OSPF areas.

R1 functions as the ABR. Specify network segment 10.0.12.0/24 in
area 0 and network segments 10.0.13.0/24 and 10.0.1.0/24 in area 1.
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]area 1
Add R2 to the backbone area, area 0.

[R2-ospf-1]area 0
R3 functions as the ASBR. Specify network segments 10.0.13.0/24

and 10.0.3.0/24 in area 1. The network segment 172.16.0.0/24 does not
belong to any OSPF area.
[R3-ospf-1]area 1
Step 3 Verify OSPF routes.

View routing tables of R1, R2, and R3. Verify that each router has
learned the following routes marked in grey.
Destinations : 2
92
Routes : 2
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Destinations : 2
Destination/Mask
Routes : 2
Proto
Pre Cost
Flags NextHop
Interface
10.0.2.2/32 OSPF
10
1562
10.0.12.2
Serial1/0/0
10.0.3.3/32 OSPF
10
10.0.13.3

Destinations : 0
Routes : 0

Destinations : 3
Routes : 3

Destinations : 3
Destination/Mask
Routes : 3
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.1/32
OSPF
10
1562
10.0.12.1
Serial1/0/0
10.0.3.3/32
OSPF
10
1563
10.0.12.1
Serial1/0/0
10.0.13.0/24 OSPF
10
1563
10.0.12.1
Serial1/0/0

Destinations : 0
Routes : 0

Destinations : 3
Routes : 3

Destinations : 3
Destination/Mask
Routes : 3
Proto
Pre Cost
10.0.1.1/32 OSPF
10
10.0.2.2/32 OSPF
10
1563
10.0.12.0/24 OSPF
10
1563
Flags NextHop
D
D
D
Interface
10.0.13.1
10.0.13.1
10.0.13.1

Destinations : 0
HC Series
Routes : 0
HUAWEI TECHNOLOGIES
93
HCDA-HNTD
Test network connectivity between R3 and R1 , R3 and R2.

[R3]ping 10.0.1.1
0.00% packet loss
[R3]ping 10.0.2.2
0.00% packet loss
Check the OSPF neighbor status.

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
0.0.0.1
10.0.3.3
Full
94
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.1.1
Full

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
0.0.0.1
10.0.1.1
State
Full
----------------------------------------------------------------------------
Verify that the OSPF process ID and router ID of each router is correct
and the neighbor relationships are in full state.
Step 4 Import external routes and verify the configuration.

Run the import-route command on R3 to import direct routes.
[R3]ospf 1
[R3-ospf-1]import-route direct
View routing tables of R1 and R2. R1 and R2 have learned the route
10.0.3.0/24 and 172.16.0.0/24.
Destinations : 4
Routes : 4

Destinations : 4
Destination/Mask
10.0.2.2/32 OSPF
HC Series
Proto
10
Routes : 4
Pre Cost
1562
Flags NextHop
10.0.12.2
HUAWEI TECHNOLOGIES
Interface
Serial1/0/0
95
HCDA-HNTD
10.0.3.0/24 O_ASE
150 1
10.0.13.3
10.0.3.3/32 OSPF
10
10.0.13.3
172.16.0.0/24 O_ASE
1
150 1
10.0.13.3

Destinations : 0
Routes : 0

Destinations : 5
Routes : 5

Destinations : 5
Destination/Mask
Routes : 5
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.1/32
OSPF
10
1562
10.0.12.1
Serial1/0/0
10.0.3.0/24
O_ASE
150
10.0.12.1
Serial1/0/0
10.0.3.3/32
OSPF
10
1563
10.0.12.1
Serial1/0/0
10.0.13.0/24 OSPF
10
1563
10.0.12.1
Serial1/0/0
10.0.12.1
Serial1/0/0
172.16.0.0/24
O_ASE
150

Destinations : 0
Routes : 0
The routes in grey are imported routes. The value of Proto is O_ASE,
indicating an external route.
Run the ping command with the source address specified to test
[R2]ping -a 10.0.2.2 10.0.3.3
0.00% packet loss
96
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[R2]ping -a 10.0.2.2 172.16.0.1
PING 172.16.0.1: 56

0.00% packet loss
Run the display ospf lsdb command to view the LSDB of R1.
[R1]display ospf lsdb
Link State Database
Area: 0.0.0.0
Type
LinkState ID
AdvRouter
Age Len
Sequence
Metric
Router
10.0.2.2
10.0.2.2
908 60
80000003
1562
Router
10.0.1.1
10.0.1.1
918 48
80000003
1562
Sum-Net
10.0.13.0
10.0.1.1
1022 28
80000001
Sum-Net
10.0.3.3
10.0.1.1
720 28
80000001
Sum-Net
10.0.1.1
10.0.1.1
1016 28
80000001
Sum-Asbr
10.0.3.3
10.0.1.1
393 28
80000001
Age Len
Sequence
Metric
Area: 0.0.0.1
Type
LinkState ID
AdvRouter
Router
10.0.3.3
10.0.3.3
394 48
80000005
Router
10.0.1.1
10.0.1.1
719 48
80000006
Network
10.0.13.1
10.0.1.1
719 32
80000002
Sum-Net
10.0.12.0
10.0.1.1
1022 28
80000001
1562
Sum-Net
10.0.2.2
10.0.1.1
908 28
80000001
1562
AS External Database
Type
AdvRouter
Age Len
Sequence
External
LinkState ID
10.0.3.0
10.0.3.3
395 36
80000001
External
10.0.13.0
10.0.3.3
395 36
80000001
HC Series
HUAWEI TECHNOLOGIES
Metric
97
HCDA-HNTD
External

172.16.0.0
10.0.3.3
395 36
80000001
The preceding information is the brief information about the LSDB.

The LSDB contains one ASBR-summary-LSA (Type4 LSA) and three
AS-external-LSAs (Type5 LSAs).
You can also run the following commands to view detailed
information about LSAs. The following three commands display the
Type3 LSA, Type4 LSA, and Type5 LSA respectively.
[R1]display ospf lsdb summary 10.0.3.3
Area: 0.0.0.0
Link State Database
Type
: Sum-Net
Ls id
: 10.0.3.3
Adv rtr
: 10.0.1.1
Ls age
: 869
Len
: 28
Options
seq#
: 80000001
chksum
: 0x4cf3
Net mask : 255.255.255.255

Tos 0 metric: 1
Priority : Low
Area: 0.0.0.1
Link State Database
[R1]display ospf lsdb asbr

Area: 0.0.0.0
Link State Database
Type
: Sum-Asbr
Ls id
: 10.0.3.3
Adv rtr
: 10.0.1.1
Ls age
: 591
Len
: 28
Options
98
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
seq#
: 80000001
chksum
: 0x3e01
Tos 0 metric: 1
Area: 0.0.0.1
Link State Database
[R1]display ospf lsdb ase 172.16.0.0
Link State Database
Type
: External
Ls id
: 172.16.0.0
Adv rtr
: 10.0.3.3
Ls age
: 607
Len
: 36
Options
seq#
: 80000001
chksum
: 0xf70c
Net mask : 255.255.255.0

TOS 0 Metric: 1
E type
: 2
Forwarding Address : 0.0.0.0

Tag
: 1
Priority : Low
Step 5 Configure OSPF authentication and verify

the configuration.
Configure S1/0/0 on R1 in interface authentication mode, use the
plain text, and set the password to Huawei.
[R1-Serial1/0/0]ospf authentication-mode simple plain huawei
On R1, check the neighbor status.

----------------------------------------------------------------------------
HC Series
HUAWEI TECHNOLOGIES
99
HCDA-HNTD
Area Id
Interface
Neighbor id
0.0.0.1
10.0.3.3
State
Full
----------------------------------------------------------------------------
R1 and R2 cannot establish an OSPF neighbor relationship because

they use different OSPF authentication modes.
Configure S1/0/0 on R2 in interface authentication mode, use the
plain text, and set the password to Huawei.
[R2-Serial1/0/0]ospf authentication-mode simple plain huawei

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
0.0.0.1
10.0.3.3
Full
----------------------------------------------------------------------------
R1 and R2 can reestablish an OSPF neighbor relationship because

they use the same authentication modes and passwords.
Configure area authentication, MD5 encryption, and password
Huawei in cipher text in area 1 on R1.
[R1]ospf 1
[R1-ospf-1]area 1
[R1-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
----------------------------------------------------------------------------
100
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
R1 and R3 cannot establish an OSPF neighbor relationship because

they use different OSPF authentication modes.
Configure area authentication, MD5 encryption, and password
Huawei in cipher text in area 1 on R3.
[R3]ospf 1
[R3-ospf-1]area 1
[R3-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher huawei

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.2.2
Full
0.0.0.1
10.0.3.3
Full
----------------------------------------------------------------------------
R1 and R3 can reestablish an OSPF neighbor relationship because

they use the same authentication modes and passwords.

Information in step 4:
10.0.3.0/24
O_ASE
150
10.0.12.1
Serial1/0/0
10.0.3.3/32
OSPF
10
1563
10.0.12.1
Serial1/0/0
The preceding routes have the same source interface, Loopback0 on

R3. Other routers learn two routes. Does this lead to any problem and
how to solve this problem?
Analyze Type4 LSA generation, transfer, and conversion.
[V200R001C01SPC300]
#
sysname R1
#
HC Series
HUAWEI TECHNOLOGIES
101
HCDA-HNTD
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
ospf authentication-mode simple plain huawei
#
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
area 0.0.0.1
authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
network 10.0.13.0 0.0.0.255
network 10.0.1.0 0.0.0.255
#
return
[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
ospf authentication-mode simple plain huawei
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
network 10.0.2.0 0.0.0.255
#
return
[V200R001C01SPC300]
102
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
import-route direct
area 0.0.0.1
authentication-mode md5 1 cipher gg^dP=F.[>=H)H2[EInB~.2#
network 10.0.3.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
return
HC Series
HUAWEI TECHNOLOGIES
103
HCDA-HNTD
Chapter 5 RIP and OSPF Route Import

Lab 5-1 RIP and OSPF Route Import
Learning Objectives
Route import advantages
Method used to import OSPF routes to RIP
Method used to import RIP routes to OSPF
Topology
104
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Figure 5.1 Topology for OSPF and RIP route import
Scenario
Assume that you are a network administrator of a company, and the
company network uses RIPv2 and OSPF. RIP needs to import OSPF
routes and OSPF needs to import RIP routes to enable communication
between RIP-enabled devices and OSPF-enabled devices. The metrics of
different routing protocols are different.
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
HC Series
HUAWEI TECHNOLOGIES
105
HCDA-HNTD

[R3-LoopBack2]interface LoopBack 3
Step 2 Configure OSPF and verify the OSPF configuration.

Enable OSPF on R1 and R2 and add them to area 0.
[R1-ospf-1]area 0
[R2-ospf-1]area 0
View routing tables of R1 and R2. The following information shows

that R1 has learned a route to another network segment using OSPF.
Destinations : 1
Routes : 1

Destinations : 1
Destination/Mask
10.0.2.2/32
Proto
OSPF
Routes : 1
Pre Cost
10
1562
Flags NextHop
D
10.0.12.2
Interface
Serial1/0/0

Destinations : 0
Routes : 0

[R2]
106
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
R2 is directly connected to network segments in the OSPF area;

therefore, R2 does not learn other routes using OSPF.
Step 3 Configure RIPv2 and verify the RIPv2 configuration.

Enable RIPv2 process 1 on R1, and specify the network segment
10.0.0.0 in RIP process 1.
[R1]rip 1
[R1-rip-1]version 2
Enable RIPv2 process 1 on R3, and specify network segments

172.16.0.0 and 10.0.0.0 in RIP process 1.
[R3]rip 1
[R3-rip-1]version 2
[R3-rip-1]network 172.16.0.0
View routing tables of R1 and R3. The following information shows

that R1 has learned the corresponding routes using RIP.
[R1]display ip routing-table protocol rip
---------------------------------------------------------------------------Public routing table : RIP
Destinations : 5
Routes : 5
RIP routing table status : <Active>

Destinations : 5
Destination/Mask
10.0.3.0/24 RIP
Proto
Routes : 5
Pre Cost
100 1
Flags NextHop
10.0.13.3
Interface
172.16.0.0/24 RIP
100 1
10.0.13.3
172.16.1.0/24 RIP
100 1
10.0.13.3
172.16.2.0/24 RIP
100 1
10.0.13.3
172.16.3.0/24 RIP
100 1
10.0.13.3
RIP routing table status : <Inactive>

Destinations : 0
Routes : 0
HC Series
HUAWEI TECHNOLOGIES
107
HCDA-HNTD

Destinations : 2
Routes : 2

Destinations : 2
Destination/Mask
10.0.1.0/24 RIP
10.0.12.0/24 RIP
Proto
Routes : 2
Pre Cost
100 1
Flags NextHop
100 1
10.0.13.1
D
Interface
10.0.13.1

Destinations : 0
Routes : 0
Step 4 Import RIPv2 and OSPF routes and verify the

configuration.
R2 and R3 do not learn routes from each other because they belong
to different routing areas. On R1, import RIP routes into the OSPF
routing table.
[R1]ospf 1
[R1-ospf-1]import-route rip 1 cost 100
On R1, import OSPF routes into the RIP routing domain.

[R1]rip 1
[R1-rip-1]import-route ospf 1 cost 1
View the routing tables of R1, R2, and R3.

Destinations : 20
Destination/Mask
Proto
Routes : 20
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
108
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
10.0.2.2/32
OSPF
10
1562 D
10.0.3.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.13.3
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
10.0.13.1
10.0.13.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
10.0.13.0/24
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.0.0/24
RIP
100 1
10.0.13.3
172.16.1.0/24
RIP
100 1
10.0.13.3
172.16.2.0/24
RIP
100 1
10.0.13.3
172.16.3.0/24
RIP
100 1
10.0.13.3
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
The R1 routing table remains unchanged after route import. This is

because R1 is located in both OSPF and RIP routing domains. Before
routes are imported, R1 has learned all the routes.
R2 and R3 have learned the following routes.
Destinations : 7
Routes : 7

Destinations : 7
Destination/Mask
Proto
Routes : 7
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
10.0.3.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
10.0.13.0/24 O_ASE
150
100
10.0.12.1
Serial1/0/0
172.16.0.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
172.16.1.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
172.16.2.0/24
O_ASE
150 100
10.0.12.1
Serial1/0/0
172.16.3.0/24
O_ASE
150
10.0.12.1
Serial1/0/0
100

Destinations : 0
HC Series
Routes : 0
HUAWEI TECHNOLOGIES
109
HCDA-HNTD

Destinations : 3
Routes : 3

Destinations : 3
Destination/Mask
Routes : 3
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 1
10.0.13.1
10.0.2.2/32
RIP
100 2
10.0.13.1
10.0.12.0/24 RIP
100 1
10.0.13.1

Destinations : 0
Routes : 0
Test network connectivity. On R2, run the ping command specifying

the source address.
[R2]ping -a 10.0.2.2 10.0.3.3
0.00% packet loss
[R2]ping -a 10.0.2.2 172.16.0.1
110
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

0.00% packet loss
Configure RIP route aggregation on G0/0/0 of R3.

[R3-GigabitEthernet0/0/0]rip summary-address 172.16.0.0 255.255.252.0
View routing tables of R1 and R2 and compare routing tables in this

step with the routing tables in step 3.
Destinations : 17
Destination/Mask
Routes : 17
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
OSPF
1562
10.0.12.2
Serial1/0/0
10.0.2.2/32
10.0.3.0/24 RIP
10
100 1
10.0.13.3
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.13.0/24 Direct 0
10.0.13.1/32 Direct 0
10.0.13.255/32 Direct 0
D
0
10.0.13.1
D
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
172.16.0.0/22 RIP
100 1
255.255.255.255/32 Direct 0
D
D
127.0.0.1
10.0.13.3
D
127.0.0.1
InLoopBack0
InLoopBack0

HC Series
HUAWEI TECHNOLOGIES
111
HCDA-HNTD
Destinations : 4
Routes : 4

Destinations : 4
Destination/Mask
Routes : 4
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
10.0.3.0/24
O_ASE
150
100
10.0.12.1
Serial1/0/0
10.0.13.0/24 O_ASE
150
100
10.0.12.1
Serial1/0/0
150
100
10.0.12.1
Serial1/0/0
172.16.0.0/22
O_ASE

Destinations : 0
Routes : 0
R1 and R2 learn the aggregated route 172.16.0.0/22 but not the

specific route 172.16.0.0/24.

An external route refers to a route imported from another routing
protocol. How do OSPF and RIP identify external routes? What is the
difference between external routes and routes learned by a protocol?
Which types of routes are more reliable?
Can route aggregation be performed on R1?
The default configurations are used for route import. Which
parameters are optional when RIP routes are imported into OSPF? What
are the functions of these parameters?
[V200R001C01SPC300]
#
sysname R1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
#
112
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
ip address 10.0.13.1 255.255.255.0

#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
import-route rip 1 cost 100
area 0.0.0.0
network 10.0.12.0 0.0.0.255
#
rip 1
version 2
network 10.0.0.0
import-route ospf 1 cost 1
#
return
[V200R001C01SPC300]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.12.0 0.0.0.255
network 10.0.2.0 0.0.0.255
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
HC Series
HUAWEI TECHNOLOGIES
113
HCDA-HNTD
rip summary-address 172.16.0.0 255.255.252.0

#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack2
ip address 172.16.0.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.3.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
#
114
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Chapter 6 Ethernet and STP

Lab 6-1 Ethernet Interface and Link Configuration
Learning Objectives
Statistics on an Ethernet interface.
Interface rate and duplex mode.
Method used to configure the Ethernet interface rate and duplex

mode.
Method used to configure manual link aggregation.
Topology
Figure 6.1 Switch topology
Scenario
Assume that you are a network administrator of a company that has
two Huawei S5700 switches. You need to commission the switches. The
Ethernet interface rate and duplex mode will be tested.
HC Series
HUAWEI TECHNOLOGIES
115
HCDA-HNTD
Tasks
Step 1 Perform basic configurations on Ethernet switches.
Auto-negotiation is enabled on Huawei switch interfaces by default.
In this example, the rate and duplex mode of G0/0/9 and G0/0/10 on S1
and S2 are set manually.
Change the system name and view detailed information about
G0/0/9 and G0/0/10 on S1.
<Quidway>system-view
[Quidway]sysname S1
[S1]display interface GigabitEthernet 0/0/9
GigabitEthernet0/0/9 current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID :
1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6

Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi
: AUTO
Last 300 seconds input rate 752 bits/sec, 0 packets/sec

Last 300 seconds output rate 720 bits/sec, 0 packets/sec
Input peak rate 1057259144 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267232 bits/sec,Record time: 2008-10-01 00:08:58
Unicast
Broadcast
CRC
70,Multicast
6643714,Jumbo
0,Giants
5011357
:
:
0
0
Jabbers
0,Throttles
Runts
0,DropEvents
Alignments
0,Symbols
Ignoreds
0,Frames
Discard
69,Total Error

Unicast
Broadcast
Collisions
345,Multicast
6642808,Jumbo
0,Deferreds
:
:
Late Collisions:
0,ExcessiveCollisions:
Buffers Purged :
116
5009016
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Discard
5,Total Error
Input bandwidth utilization threshold : 100.00%

Output bandwidth utilization threshold: 100.00%
Switch Port,PVID :

Duplex: FULL, Negotiation: ENABLE
Mdi
: AUTO
Last 300 seconds input rate 1312 bits/sec, 0 packets/sec

Last 300 seconds output rate 72 bits/sec, 0 packets/sec
Input peak rate 1057256792 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267296 bits/sec,Record time: 2008-10-01 00:08:58
Unicast
Broadcast
CRC
115,Multicast
6642648,Jumbo
3,Giants
5009062
:
:
0
0
Jabbers
0,Throttles
Runts
0,DropEvents
Alignments
0,Symbols
Ignoreds
0,Frames
Discard
218,Total Error

Unicast
Broadcast
Collisions
245,Multicast
6643751,Jumbo
0,Deferreds
:
:
Late Collisions:
0,ExcessiveCollisions:
Buffers Purged :
Discard
107,Total Error
5011284
Input bandwidth utilization threshold : 100.00%

Output bandwidth utilization threshold: 100.00%
Set the rate of G0/0/9 and G0/0/10 on S1 to 100 Mbit/s and

configure them to work in full duplex mode.
HC Series
HUAWEI TECHNOLOGIES
117
HCDA-HNTD
[S1]interface GigabitEthernet 0/0/9

[S1-GigabitEthernet0/0/9]undo negotiation auto
[S1-GigabitEthernet0/0/9]speed 100
[S1-GigabitEthernet0/0/9]duplex full
[S1-GigabitEthernet0/0/9]quit
Before changing the interface rate and duplex mode, disable

auto-negotiation.
Set the rate of G0/0/9 and G0/0/10 on S2 to 100 Mbit/s and
configure them to work in full duplex mode.
[Quidway]sysname S2
[S2-GigabitEthernet0/0/9]quit
Verify the rate and duplex mode of G0/0/9 and G0/0/10 on S1.
Switch Port,PVID :

Duplex: FULL, Negotiation: DISABLE
Mdi
: AUTO
output omit
118
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Switch Port,PVID :

Duplex: FULL, Negotiation: DISABLE
Mdi
: AUTO
output omit
Step 2 Configure manual link aggregation.

Create Eth-Trunk 1 on S1 and S2. Delete the default configurations
from G0/0/9 and G0/0/10 on S1 and S2, and then add G0/0/9 and
G0/0/10 to Eth-Trunk 1.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]quit
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]int GigabitEthernet 0/0/10
[S2-Eth-Trunk1]quit
[S2-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
Verify the Eth-Trunk configuration.

[S1]display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to MAC
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8

Operate status: up
Number Of Up Port In Trunk: 2
---------------------------------------------------------------------------PortName
Status
Weight
Up
Up
HC Series
HUAWEI TECHNOLOGIES
119
HCDA-HNTD
[S2]display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
Hash arithmetic: According to MAC
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8

Operate status: up
Number Of Up Port In Trunk: 2
---------------------------------------------------------------------------PortName
Status
Weight
Up
Up
The greyed lines in the preceding information indicate that the

Eth-Trunk works properly.

When auto-negotiation is enabled on switches, which protocol is
used? What is the working principle?
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
interface Eth-Trunk1
#
eth-trunk 1
undo negotiation auto
speed 100
#
eth-trunk 1
speed 100
#
return
#
120
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
sysname S2
#
#
eth-trunk 1
speed 100
#
eth-trunk 1
speed 100
#
return
HC Series
HUAWEI TECHNOLOGIES
121
HCDA-HNTD
Lab 6-2 STP Configuration

Learning Objectives
Method used to enable and disable STP.
Difference between STP modes.
Method used to change the bridge priority to control root bridge

election.
Method used to change the port priority to control election of the

root port and designated port.
Method used to configure an edge port.
Topology
Figure 6.2 STP topology
122
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Scenario
company network consists of two layers: core layer and access layer. The
network uses a redundancy design. STP will be used to prevent loops.
STP has different modes. You can set the bridge priority to control STP
root bridge election, and configure features to speed up STP route
convergence at the edge network.
Tasks
Step 1 Configure STP and verify the STP configuration.
Irrelevant interfaces must be disabled to ensure test result accuracy.
Shut down E0/0/1 on S3 before starting STP configuration. Ensure
that the devices start without any configuration files. If STP is disabled,
run the stp enable command to enable STP.
In the lab, traditional STP is used.
[Quidway]sysname S1
[S1]stp mode stp
[S1]stp root secondary
[Quidway]sysname S2
[S2]stp mode stp
[S2]stp root primary
[Quidway]sysname S3
[S3]stp mode stp
[Quidway]sysname S4
[S4]stp mode stp
HC Series
HUAWEI TECHNOLOGIES
123
HCDA-HNTD
Run the display stp brief command to view brief information about
STP.
[S1]display stp brief
MSTID
Port
Role STP State
Protection
ROOT FORWARDING
NONE
ALTE DISCARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE

MSTID
Port
Role STP State
Protection
DESI FORWARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE

MSTID
Port
Role STP State
Protection
Ethernet0/0/13
ALTE
DISCARDING
NONE
Ethernet0/0/23
ROOT FORWARDING
NONE

MSTID
Port
Role STP State
Protection
Ethernet0/0/14
ALTE DISCARDING
NONE
Ethernet0/0/24
ROOT FORWARDING
NONE
Run the display stp interface command to view the STP status of a
port.
[S1]display stp interface GigabitEthernet 0/0/10
----[CIST][Port10(GigabitEthernet0/0/10)][DISCARDING]---Port Protocol
Port Role
Port Priority
:enabled
:Alternate Port
:128
Port Cost(Dot1T )
:Config=auto / Active=20000
Desg. Bridge/Port
:0.0018-82e1-aea6 / 128.10
Port Edged
:Config=default / Active=disabled
Point-to-point
:Config=auto / Active=true
Transit Limit
:147 packets/hello-time
Protection Type
:None
124
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Port Stp Mode
:STP
Port Protocol Type

PortTimes
TC or TCN send
:Config=auto / Active=dot1s
:Hello 2s MaxAge 20s FwDly 15s RemHop 0
:2
TC or TCN received
BPDU Sent
:64
:24
TCN: 0, Config: 0, RST: 24, MST: 0

BPDU Received
:350601
Step 2 Control root bridge election.

Run the display stp command to view information about the root
bridge.
[S2]display stp
-------[CIST Global Info][Mode STP]------CIST Bridge
:0
.0018-82e1-aea6
Bridge Times
:Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC
:0
.0018-82e1-aea6 / 0
CIST RegRoot/IRPC
:0
.0018-82e1-aea6 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled
CIST Root Type
:PRIMARY root
TC or TCN received :41

TC count per hello :0
STP Converge Mode
:Nomal
Time since last TC :0 days 0h:1m:6s

output omit
Configure S2 as the root bridge and S1 as the backup root bridge.

The device with the same value of CIST Bridge and CIST Root/ERPC is
the root bridge.
A smaller bridge priority value indicates a higher bridge priority.
Change the priorities of S1 and S2 to 4096 and 8192 respectively so that
S1 becomes the root bridge.
[S1]undo stp root
[S1]stp priority 4096
[S2]undo stp root
[S2]stp priority 8192
HC Series
HUAWEI TECHNOLOGIES
125
HCDA-HNTD
Run the display stp command to view information about the new
root bridge.
[S1]display stp
:4096 .0018-82e1-aea6
Bridge Times
CIST Root/ERPC
:4096 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC
:4096 .0018-82e1-aea6 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled

STP Converge Mode
:Nomal

output omit
[S2]display stp
:8192 .0018-82e1-ae82
Bridge Times
CIST Root/ERPC
:4096 .0018-82e1-aea6 / 20000
CIST RegRoot/IRPC
:8192 .0018-82e1-ae82 / 0
CIST RootPortId
:128.9
BPDU-Protection
:disabled

STP Converge Mode
:Nomal

output omit
The greyed lines in the preceding information indicate that S1 has

become the new root bridge.
Shut down G0/0/9, G0/0/10, G0/0/13, and G0/0/14 on S1 to isolate
S1.
[S1-GigabitEthernet0/0/9]shutdown
126
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[S2]display stp
:8192 .0018-82e1-ae82
Bridge Times
CIST Root/ERPC
:8192 .0018-82e1-ae82 / 0
CIST RegRoot/IRPC
:8192 .0018-82e1-ae82 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled

STP Converge Mode
:Nomal

output omit
The greyed lines in the preceding information indicate that S2

becomes the root bridge when S1 is faulty.
Start the shutdown interfaces on S1.
[S1-GigabitEthernet0/0/9]undo shutdown
[S1]display stp
:4096 .0018-82e1-aea6
Bridge Times
CIST Root/ERPC
:4096 .0018-82e1-aea6 / 0
CIST RegRoot/IRPC
:4096 .0018-82e1-aea6 / 0
CIST RootPortId
:0.0
BPDU-Protection
:disabled

HC Series
HUAWEI TECHNOLOGIES
127
HCDA-HNTD
STP Converge Mode
:Nomal

output omit
[S2]display stp
:8192 .0018-82e1-ae82
Bridge Times
CIST Root/ERPC
:4096 .0018-82e1-aea6 / 20000
CIST RegRoot/IRPC
:8192 .0018-82e1-ae82 / 0
CIST RootPortId
:128.9
BPDU-Protection
:disabled

STP Converge Mode
:Nomal

output omit
The greyed lines in the preceding information indicate that S1 has

restored and became the root bridge.
Step 3 Control root port election.

Run the display stp brief command on S2 to view the roles of
interfaces.
MSTID
Port
Role STP State
Protection
ROOT FORWARDING
NONE
ALTE DISCARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE
The preceding information shows that G0/0/9 is the root port and
G0/0/10 is the alternate port. You can change port priorities so that
G0/0/10 becomes the root port and G0/0/9 becomes the alternate port.
Change priorities of G0/0/9 and G0/0/10 on S1.
The default port priority is 128. A larger port priority value indicates a
lower priority. The priorities of G0/0/9 and G0/0/10 on S1 are set to 32
128
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
and 16; therefore, G0/0/10 on S2 becomes the root port.

[S1-GigabitEthernet0/0/9]stp port priority 32
[S1-GigabitEthernet0/0/10]stp port priority 16
Note that the port priorities are changed on S1, not S2.
----[CIST][Port9(GigabitEthernet0/0/9)][FORWARDING]---Port Protocol
:enabled
Port Role
:Designated Port
Port Priority
:32
Port Cost(Dot1T )
Desg. Bridge/Port
:4096.0018-82e1-aea6 / 32.9
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:STP
Port Protocol Type

PortTimes
TC or TCN send
:0
TC or TCN received
BPDU Sent
:0
:229

BPDU Received
:3

----[CIST][Port10(GigabitEthernet0/0/10)][FORWARDING]---Port Protocol
Port Role
Port Priority
:enabled
:Designated Port
:16
Port Cost(Dot1T )
Desg. Bridge/Port
:4096.0018-82e1-aea6 / 16.10
Port Edged
Point-to-point
Transit Limit
Protection Type
:None
Port Stp Mode
:STP
Port Protocol Type

PortTimes
HC Series
HUAWEI TECHNOLOGIES
129
HCDA-HNTD
TC or TCN send
:0
TC or TCN received
BPDU Sent
:0
:210

BPDU Received
:3
Run the display stp brief command on S2 to view the role of

interfaces..
MSTID
Port
Role STP State
Protection
ALTE DISCARDING
NONE
ROOT FORWARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE
The greyed lines in the preceding information indicate that G0/0/10

on S2 has become the root port and G0/0/9 has become the alternate
port.
Shut down G0/0/10 on S2 and view the port roles.
<S2>display stp brief
MSTID
Port
Role STP State
Protection
ROOT FORWARDING
NONE
DESI FORWARDING
NONE
DESI FORWARDING
NONE
The greyed line in the preceding information indicates that G0/0/9

has become the root port.
Step 4 Configure an edge port.

Configure ports connected to the user terminals as edge ports. An
edge port can transition to the forwarding state without participating in
the STP calculation. In this example, E0/0/3 and E0/0/4 on S3 are
configured as edge ports.
[S3]interface Ethernet0/0/3
130
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[S3-Ethernet0/0/3]stp edged-port enable

[S3-Ethernet0/0/3]interface Ethernet0/0/4
[S3-Ethernet0/0/4]stp edged-port enable
After the configurations are complete, connect the network cable of

a computer to E0/0/3 on S3 and run the display stp brief command to
view the port status. You can see that E0/0/2 enters the forwarding
state immediately.
When the network cable of the computer is connected to a non-edge
port such as E0/0/5, the port enters the forwarding state about 30s
after the link becomes Up.

Why does root bridge election need to be controlled? How is root
bridge election controlled?
What is the transition process when a port changes from the
blocking state to the forwarding state? How much time does the
transition process take?
Which method can be used to accelerate STP route convergence?
#
sysname S1
#
vlan batch 1
#
stp mode stp
stp instance 0 priority 4096
stp enable
#
stp instance 0 port priority 32
ntdp enable
ndp enable
bpdu enable
HC Series
HUAWEI TECHNOLOGIES
131
HCDA-HNTD
#
stp instance 0 port priority 16
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
return
#
sysname S2
#
vlan batch 1
#
stp mode stp
stp instance 0 priority 8192
stp enable
#
ntdp enable
ndp enable
bpdu enable
#
shutdown
ntdp enable
ndp enable
bpdu enable
#
132
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
return
#
sysname S3
#
stp mode stp
stp enable
#
shutdown
bpdu enable
#
stp edged-port enable

bpdu enable
#
stp edged-port enable
bpdu enable
#
bpdu enable
#
bpdu enable
#
return
#
sysname S4
#
HC Series
HUAWEI TECHNOLOGIES
133
HCDA-HNTD
stp mode stp

stp enable
#
bpdu enable
#
bpdu enable
#
bpdu enable
#
return
134
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Lab 6-3 VLAN Configuration

Learning Objectives
VLAN functions.
VLAN security.
VLAN configurations.
Access port and trunk port configuration.
Method used to add a port to a VLAN.
Hybrid port configuration.
Topology
Figure 6.3 VLAN topology
Scenario
Assume that you are a network administrator of a company and need
to configure VLANs on the network. Your company has two switches.
You need to configure VLANs and relevant features.
HC Series
HUAWEI TECHNOLOGIES
135
HCDA-HNTD
Tasks
Step 1 Configure an Eth-Trunk.
In this lab, Ethernet0/0/1 and Ethernet0/0/23 on S3 and
Ethernet0/0/14 on S4 need to be shut down.
Two links exist between S1 and S2. If STP is enabled, one link will be
disabled, which wastes bandwidth. If STP is not used, loops may occur. In
this situation, you can configure an Eth-Trunk.
Before configuring an Eth-Trunk, delete the original configurations
on the member interfaces.
You can add physical interfaces to an Eth-Trunk in the interface view
or in the Eth-Trunk view.
On S1, add interfaces to an Eth-Trunk in the interface view.
[Quidway]sysname S1
[S1] interface eth-trunk 1
[S1-Eth-Trunk1]quit
[S1]interface gigabitethernet0/0/9
[S1-gigabitethernet0/0/9]eth-trunk 1
[S1-gigabitethernet0/0/9]interface gigabitethernet0/0/10
[S1-gigabitethernet0/0/10]eth-trunk 1
On S2, add interfaces to an Eth-Trunk in the Eth-Trunk view.

[Quidway]sysname S2
[S2]interface eth-trunk 1
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/9
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10
By default, the link type of a interface is hybrid. You can change the
link type to trunk.
By default, a interface of trunk type rejects data from any VLANs.
136
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[S1-Eth-Trunk1]port link-type trunk

[S1-Eth-Trunk1]port trunk allow-pass vlan all
[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan all
Step 2 Configure VLANs.

Use S3, R1, R3, and S4 as hosts to perform the VLAN configuration.
S3 belongs to VLAN 3, R1 and R3 belong to VLAN 4, and S4 belongs to
VLAN 5.
There are two methods to configure VLANs with consecutive IDs.
There are two methods to define mapping between VLANs and
interfaces.
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1]vlan 3
[S1-vlan3]port GigabitEthernet0/0/13
[S1-vlan3]vlan 4
[S1-vlan4]port GigabitEthernet0/0/1
[S1-vlan4]vlan 5
[S2]vlan batch 3 to 5
[S2-GigabitEthernet0/0/3]port default vlan 4
Step 3 Plan IP addresses.

Use S3, R1, R3, and S4 as clients to perform the VLAN configuration.
Configure IP addresses for interfaces. Physical interfaces on switches
cannot be configured with IP addresses, so VLANIF 1 is assigned an IP
address.
HC Series
HUAWEI TECHNOLOGIES
137
HCDA-HNTD
[Quidway]sysname S3
[S3]interface vlanif 1
[S3-vlanif1]ip address 10.0.3.3 24
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R3
[Quidway]sysname S4
[S4]interface vlanif 1
[S4-vlanif1]ip address 10.0.5.4 24
Step 4 Perform a test.

Run the ping command. R1 and R3 in VLAN 4 can communicate with
each other, and devices in different VLANs cannot communicate.
[R3]ping 10.0.4.1
0.00% packet loss
Test communication between R1 and S3, and between R3 and S4.

Configure a management address for each VLAN on S1. By doing this,
138
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
S1 connects to three clients that belong to VLAN 3, VLAN 4, and VLAN 5

respectively.
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 10.0.3.11 24
[S1-Vlanif3]interface Vlanif 4
After the configurations are complete, test communication between

clients in VLANs on S1.
[S1]ping 10.0.3.3
0.00% packet loss
[S1]ping 10.0.4.1
0.00% packet loss
[S1]ping 10.0.4.3
HC Series
HUAWEI TECHNOLOGIES
139
HCDA-HNTD

0.00% packet loss
[S1]ping 10.0.5.4
0.00% packet loss
Step 5 Configure a hybrid interface.

A hybrid interface is similar to a trunk interface, but it allows users in
different VLANs to communicate if these users are on the same network
segment.
Change IP addresses of S3 and R3.
Set the link type of G0/0/13 on S1 to hybrid and configure VLAN 3 as

its default VLAN. Add G0/0/13 to VLAN 3 and VLAN 4 in untagged mode.
Before changing the interface type, delete any existing configuration on
140
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
the interface.
[S1] interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]undo port default vlan
[S1-GigabitEthernet0/0/13]port link-type hybrid
[S1-GigabitEthernet0/0/13]port hybrid pvid vlan 3
[S1-GigabitEthernet0/0/13]port hybrid untagged vlan 3 to 4
Set the link type of G0/0/3 on S2 to hybrid and configure VLAN 4 as

its default VLAN. Add G0/03 to VLAN 3 and VLAN 4 in untagged mode.
[S2]interface GigabitEthernet0/0/3
[S2-GigabitEthernet0/0/3]undo port default vlan
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid pvid vlan 4
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 3 to 4
S3 and R3 can communicate even though they are located in

different network segments.
[S3]ping 10.0.6.4
0.00% packet loss

In which scenario is a hybrid interface used?
#
HC Series
HUAWEI TECHNOLOGIES
141
HCDA-HNTD

sysname S1
#
vlan batch 1 3 to 5
#
interface Vlanif1
#
interface Vlanif3
ip address 10.0.3.11 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.11 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.11 255.255.255.0
#
interface MEth0/0/1
#
port link-type trunk
port trunk allow-pass vlan 2 to 4094
bpdu enable
#
port link-type access
port default vlan 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port hybrid pvid vlan 3
port hybrid untagged vlan 3 to 4
142
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
ntdp enable
ndp enable
bpdu enable
#
interface NULL0
#
return
#
sysname S2
#
vlan batch 1 3 to 5
#
interface Vlanif1
#
interface MEth0/0/1
#
bpdu enable
#
port hybrid pvid vlan 4
port hybrid untagged vlan 3 to 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
HC Series
HUAWEI TECHNOLOGIES
143
HCDA-HNTD
port default vlan 5

ntdp enable
ndp enable
bpdu enable
#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.6.3 255.255.255.0
#
bpdu enable
#
return
#
sysname S4
#
interface Vlanif1
ip address 10.0.5.4 255.255.255.0
#
bpdu enable
#
return
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.4.1 255.255.255.0
#
return
144
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.6.4 255.255.255.0
#
return
HC Series
HUAWEI TECHNOLOGIES
145
HCDA-HNTD
Chapter 7 Layer3 Configuration and VRRP

Lab 7-1 Configuring Layer 3 Switching
Learning Objectives
Layer 3 switching advantages.
Similarities and differences between Layer 3 switching and Layer 3

routing.
Method of configuring VLANIF interfaces.
Method of configuring communication between VLANs.
Method of configuring Open Shortest Path First (OSPF) between

VLANIF interfaces.
Topology
Figure 7.1 Lab topology of Layer 3 switching
146
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Scenario
Assume that you are a network administrator of a company and the
current network of your company has four users: S3, R1, R3, and S4. The
users belong to different virtual local area networks (VLANs). S3 belongs
to VLAN 3, R1 belongs to VLAN 4, R3 belongs to VLAN 6, and S4 belongs
to VLAN 7. Users in these VLANs can communicate with each other. S1
and S2 communicate with each other through a Layer 3 link, so routing
protocols are used.
Tasks
Step 1 Configure the links between S1 and S2 as Eth-Trunk
links.
In this example, Ethernet0/0/1 and Ethernet0/0/23 of S3 and
Ethernet0/0/14 of S4 must be disabled.
[Quidway]sysname S1
[S1-Eth-Trunk1]quit
[Quidway]sysname S2
[S2-Eth-Trunk1]quit
HC Series
HUAWEI TECHNOLOGIES
147
HCDA-HNTD
Step 2 Configure VLAN 3 to VLAN 7 in batches for S1 and

S2.
Check the creation of VLANs.

[S1]display vlan
The total number of vlans is : 6
---------------------------------------------------------------------------U: Up;
D: Down;
TG: Tagged;
MP: Vlan-mapping;
UT: Untagged;
ST: Vlan-stacking;
#: ProtocolTransparent-vlan;
*: Management-vlan;
---------------------------------------------------------------------------VID Type
Ports
--------------------------------------------------------------------------1
common UT:GE0/0/1(U)
common
common
common
common
common
GE0/0/2(U)
GE0/0/3(U)
GE0/0/4(D)
GE0/0/5(D)
GE0/0/6(D)
GE0/0/7(D)
GE0/0/8(D)
GE0/0/9(U)
GE0/0/10(U)
GE0/0/11(D)
GE0/0/12(D)
GE0/0/13(U)
GE0/0/14(U)
GE0/0/15(D)
GE0/0/16(D)
GE0/0/17(D)
GE0/0/18(D)
GE0/0/19(D)
GE0/0/20(D)
GE0/0/21(U)
GE0/0/22(U)
GE0/0/23(U)
GE0/0/24(D)
VID Status Property
MAC-LRN Statistics Description
--------------------------------------------------------------------------1
enable default
enable disable
VLAN 0001
enable default
enable disable
VLAN 0003
enable default
enable disable
VLAN 0004
enable default
enable disable
VLAN 0005
enable default
enable disable
VLAN 0006
enable default
enable disable
VLAN 0007
148
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[S2]display vlan
The total number of vlans is : 6
---------------------------------------------------------------------------U: Up;
D: Down;
TG: Tagged;
MP: Vlan-mapping;
UT: Untagged;
ST: Vlan-stacking;
#: ProtocolTransparent-vlan;
*: Management-vlan;
---------------------------------------------------------------------------VID Type
Ports
---------------------------------------------------------------------------1
common UT:GE0/0/1(U)
common
common
common
common
common
GE0/0/2(U)
GE0/0/3(U)
GE0/0/4(D)
GE0/0/5(D)
GE0/0/6(D)
GE0/0/7(D)
GE0/0/8(D)
GE0/0/9(U)
GE0/0/10(U)
GE0/0/11(D)
GE0/0/12(D)
GE0/0/13(D)
GE0/0/14(D)
GE0/0/15(D)
GE0/0/16(D)
GE0/0/17(D)
GE0/0/18(D)
GE0/0/19(D)
GE0/0/20(D)
GE0/0/21(D)
GE0/0/22(D)
GE0/0/23(U)
GE0/0/24(U)
VID Status Property
MAC-LRN Statistics Description
---------------------------------------------------------------------------1
enable default
enable disable
VLAN 0001
enable default
enable disable
VLAN 0003
enable default
enable disable
VLAN 0004
enable default
enable disable
VLAN 0005
enable default
enable disable
VLAN 0006
enable default
enable disable
VLAN 0007
Step 3 Set the types of Eth-Trunk links between S1 and S2 to

access. The links belong to VLAN 5.
Add G0/0/1 and G0/0/13 of S1 to VLAN 4 and VLAN 3 respectively,
and add G0/0/3 and G0/0/24 of S2 to VLAN 6 and VLAN 7 respectively.
[S1-Eth-Trunk1]port link-type access
[S1-Eth-Trunk1]port default vlan 5
[S1-Eth-Trunk1]interface GigabitEthernet 0/0/1
HC Series
HUAWEI TECHNOLOGIES
149
HCDA-HNTD

[S2-Eth-Trunk1]port link-type access
[S2-Eth-Trunk1]port default vlan 5
[S2-Eth-Trunk1]interface GigabitEthernet 0/0/3
Step 4 Configure gateway IP addresses for the VLANs of S1

and S2.
S1 provides gateway services for VLAN 3 to VLAN 5, while S2
provides gateway services for VLAN 5 to VLAN 7. Therefore, configure IP
addresses for VLANIF 3, VLANIF 4, and VLANIF 5 on S1, and configure IP
addresses for VLANIF 5, VLANIF 6, and VLANIF 7 on S2.
150
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 5 Configure IP addresses and default routes for S3, R1,

R3, and S4.
[Quidway]sysname S3
[S3-Vlanif1]quit
[S3]ip route-static 0.0.0.0 0 10.0.3.1
Note: Physical interfaces on switches cannot be configured with IP

addresses, so IP addresses are configured for VLANIF interfaces. S3
belongs to VLAN 3 on S1; however, E0/0/13 on S3 belongs to VLAN 1. In
this case, configure an IP address for VLANIF 1 on S3 so that S3 belongs
to VLAN 3. The configuration of S4 is similar.
<Huawei>system-view
[Huawei]sysname R1
[R1]ip route-static 0.0.0.0 0 10.0.4.1
<Huawei>system-view
[Huawei]sysname R3
[R3]ip route-static 0.0.0.0 0 10.0.6.1
[Quidway]sysname S4
[S4-Vlanif1]quit
[S4]ip route-static 0.0.0.0 0 10.0.7.1
Step 6 Test connectivity between VLAN 3 and VLAN 4.

Test connectivity between S3 and R1.
HC Series
HUAWEI TECHNOLOGIES
151
HCDA-HNTD
[R1]ping 10.0.3.33
0.00% packet loss

[R1]ping 10.0.6.33
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
R1 and R3 fail to communicate with each other. Run the tracert

command to troubleshoot the fault:
[R1]tracert 10.0.6.33
traceroute to
to break
1 10.0.4.1 62 ms
2
4 ms 4 ms
According to the command output, R1 has sent the data packet to

the destination address 10.0.6.33, but the gateway at 10.0.4.1 responds
that the network is unreachable.
Then check whether the network is unreachable on the gateway (S1).
152
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[S1]display ip routing-table
Destinations : 8
Destination/Mask
Routes : 8
Proto Pre Cost
Flags NextHop
Interface
10.0.3.0/24
Direct 0
10.0.3.1
10.0.3.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.4.0/24
Direct 0
10.0.4.1
Vlanif4
10.0.4.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.5.0/24
Direct 0
10.0.5.1
Vlanif5
10.0.5.1/32
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Vlanif3
According to the command output, S1 does not have a route to the

network segment 10.0.6.0 because the network segment is not directly
connected to S1. In addition, no static route or dynamic routing protocol
is configured.
Step 7 Enable OSPF on S1 and S2.

[S1]ospf 1
[SW2-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
[S2]ospf 1
[SW2-ospf-1]area 0
After the configuration, wait until S1 and S2 exchange OSPF routes.

View the routing table of S1.
[S1]display ip routing-table
Destinations : 10
HC Series
Routes : 10
HUAWEI TECHNOLOGIES
153
HCDA-HNTD
Destination/Mask
Proto Pre Cost
Flags NextHop
Interface
10.0.3.0/24
Direct 0
10.0.3.1
Vlanif3
10.0.3.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.4.0/24
Direct 0
10.0.4.1
Vlanif4
10.0.4.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.5.0/24
Direct 0
10.0.5.1
Vlanif5
10.0.5.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.6.0/24
OSPF
10
10.0.5.2
Vlanif5
OSPF
10.0.7.0/24
10
10.0.5.2
Vlanif5
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
S1 has learned two routes using OSPF.

[R1]ping 10.0.6.33
0.00% packet loss
[R1]ping 10.0.7.44
0.00% packet loss
154
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

If the links between S1 and S2 are trunk links, can users in VLANs
communicate with each other without using any routing protocols?
#
sysname S1
#
vlan batch 1 3 to 7
#
interface Vlanif1
#
interface Vlanif3
ip address 10.0.3.1 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.1 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.1 255.255.255.0
#
HC Series
HUAWEI TECHNOLOGIES
155
HCDA-HNTD
interface MEth0/0/1
#
port default vlan 5
#
port default vlan 4
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port default vlan 3
ntdp enable
ndp enable
bpdu enable
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return
#
sysname S2
#
vlan batch 1 3 to 7
#
156
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
interface Vlanif1
#
interface Vlanif5
ip address 10.0.5.2 255.255.255.0
#
interface Vlanif6
ip address 10.0.6.1 255.255.255.0
#
interface Vlanif7
ip address 10.0.7.1 255.255.255.0
#
interface MEth0/0/1
#
port default vlan 5
#
port default vlan 6
ntdp enable
ndp enable
bpdu enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
eth-trunk 1
undo ntdp enable
undo ndp enable
#
port default vlan 7
ntdp enable
ndp enable
bpdu enable
#
ospf 1
area 0.0.0.0
HC Series
HUAWEI TECHNOLOGIES
157
HCDA-HNTD
network 10.0.0.0 0.255.255.255

#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.3.33 255.255.255.0
#
bpdu enable
#
ip route-static 0.0.0.0 0.0.0.0 10.0.3.1
#
return
#
sysname S4
#
interface Vlanif1
ip address 10.0.7.44 255.255.255.0
#
bpdu enable
#
ip route-static 0.0.0.0 0.0.0.0 10.0.7.1
#
return
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.4.11 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
158
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.6.33 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.1
#
return
HC Series
HUAWEI TECHNOLOGIES
159
HCDA-HNTD
Lab 7-2 Configuring the VRRP

Learning Objectives
Functions of load balancing.
Working principles of the Virtual Router Redundancy Protocol

(VRRP).
Method of configuring one VRRP group on a Layer 3 switching

network.
Method of configuring VRRP authentication.
Method of configuring VRRP to trace the interface status.
Method of using VRRP to implement load balancing.
160
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Topology
Figure 7.2 Lab topology of the VRRP configuration
Scenario
Assume that you are a network administrator of a company and the
current network of your company has two users: R2 and R3. A loopback
interface of R1 simulates an Internet server. The network has two
gateways, and you use VRRP to implement gateway redundancy.
Tasks
Step 1 Perform basic configurations and IP addressing.
In this lab, GigabitEthernet0/0/9, GigabitEthernet0/0/13 and
GigabitEthernet0/0/14 on S1 need to be shut down.
The user network uses VLAN 1; S1 connects to R1 using VLAN 2; S2
connects to R1 using VLAN 3; a loopback interface has been configured
on R1; IP addresses and default gateways have been configured on R2
HC Series
HUAWEI TECHNOLOGIES
161
HCDA-HNTD
and R3.
The router R1 simulates a wide area network (WAN), while its
loopback interface simulates a server on the WAN.
[Huawei]sysname R1
[R1]interface LoopBack 0
[R1-LoopBack0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
The router R2 simulates one PC on a local area network (LAN), using

the network segment 10.0.123.0/24 and the gateway 10.0.123.1.
The router R3 simulates another PC on the LAN, using the network
segment 10.0.123.0/24 and the gateway 10.0.123.1.
<Huawei>system-view
[Huawei]sysname R2
[R2]ip route-static 0.0.0.0 0 10.0.123.1
<Huawei>system-view
[Huawei]sysname R3
[R3]ip route-static 0.0.0.0 0 10.0.123.1
Create VLAN 1 to VLAN 3 on the switch S1. The default link type of
interfaces is hybrid. Configure G0/0/10 as a Trunk interface and
configure it to allow all VLANs. Configure G0/0/1 as an access interface
and add it to VLAN 2. Configure G0/0/2 as an access interface and add it
to VLAN 1. Create VLANIF 1 to provide gateway for VLAN 1 and assign IP
address 10.0.123.2/24 to VLANIF 1. Create VLANIF 2 as a Layer 3 link
connecting to R1 and assign IP address 10.0.11.1/24 to VLANIF 2.
<Huawei>system-view
[Huawei]sysname S1
162
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[S1-GigabitEthernet0/0/10]port link-type trunk
[S1-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2]interface Vlanif 1
[S1-Vlanif1]interface vlanif 2
Create VLAN 1 to VLAN 3 for the switch S2. The interfaces by default
adopt the hybrid mode. Define G0/0/10 as a Trunk interface to allow the
access of all VLANs. Define G0/0/1 as an access interface belonging to
VLAN 3. Define G0/0/3 as an access interface belonging to VLAN 1. Set
the IP address of VLANIF 1 to 10.0.123.3/24 and use VLANIF 1 to provide
gateway services for VLAN 1. Set the IP address of VLANIF 2 to
10.0.12.1/24 and use VLANIF 2 as a Layer 3 link for connecting to R1.
<Huawei>system-view
[Huawei]sysname S2
[S2-GigabitEthernet0/0/10]port link-type trunk
[S2-GigabitEthernet0/0/10]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/3]interface Vlanif 1
After completing the configuration, test connectivity of direct links.

Use the ping command to test the connections to S1, R1, R2, and R3 on
S2. Use -c 1 in the ping command to configure the system to send only
HC Series
HUAWEI TECHNOLOGIES
163
HCDA-HNTD
one ping packet. If you do not use this parameter, the system sends five
packets by default.
[S2]ping -c 1 10.0.12.2
0.00% packet loss
[S2]ping -c 1 10.0.123.2
PING 10.0.123.2: 56

0.00% packet loss
[S2]ping -c 1 10.0.123.4
PING 10.0.123.4: 56

0.00% packet loss
[S2]ping -c 1 10.0.123.5
PING 10.0.123.5: 56

0.00% packet loss
164
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 2 Configure the OSPF routing protocol to implement

the route connectivity between S1, S2, and R1.
[S1]ospf 1
[S1-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]quit
[S1-ospf-1]silent-interface Vlanif 1
[S2]ospf 1
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]quit
[S2-ospf-1]silent-interface Vlanif 1
[R1]ospf 1
[R1-ospf-1]area 0
After completing the configuration, wait until the network

convergence is complete. Then test the network connectivity.
[S2]ping -c 1 10.0.11.1
0.00% packet loss
[S2]ping -c 1 10.0.1.1
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
165
HCDA-HNTD
[S2]ping -c 1 10.0.12.2
0.00% packet loss
Step 3 Configure VRRP to implement gateway redundancy.

Configure VRRP on S1. Create VRRP group 1 and set its priority to
105. By default, the priority is 100.
[S1-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1
[S1-Vlanif1]vrrp vrid 1 priority 105
[S2-Vlanif1]vrrp vrid 1 virtual-ip 10.0.123.1
After the configuration, run the ping command on R2 and R3 to test

whether they can communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1
0.00% packet loss
[R3]ping -c 1 10.0.1.1
0.00% packet loss
166
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Check the VRRP state on S1.

[S1]display vrrp
Vlanif1 | Virtual Router 1
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.2
PriorityRun : 105
PriorityConfig : 105
MasterPriority : 105
Preempt : YES
Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
Currently, R2 and R3 send data packets to the Internet server through

S1. Shut down VLANIF 1 on S1, and then test whether the traffic can be
switched to S2.
[S1-Vlanif1]shutdown
Run the ping command on R2 and R3 to test whether they can

communicate with the simulated Internet server.
[R2]ping -c 1 10.0.1.1
0.00% packet loss
[R3]ping -c 1 10.0.1.1
HC Series
HUAWEI TECHNOLOGIES
167
HCDA-HNTD

0.00% packet loss
S1 stops running at present. Check the VRRP state on S1 and S2.

[S1]display vrrp
State : Initialize
Virtual IP : 10.0.123.1
Master IP : 0.0.0.0
PriorityRun : 105
MasterPriority : 0
Preempt : YES
Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
[S2]display vrrp
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.3
PriorityRun : 100
Preempt : YES
Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
168
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 4 Configure interface tracking.

Enable the VLANIF 1 interface on S1. Specify G0/0/1 for S1 and S2 to
track.
[S1-Vlanif1]undo shutdown

[S1]display vrrp
State : Master
Virtual IP : 10.0.123.1
Master IP : 10.0.123.2
PriorityRun : 105
Preempt : YES
Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Currently, R2 and R3 send data to the Internet server through S1. If

G0/0/1 of S1 or G0/0/1 of R1 is disabled, traffic cannot be switched to S2.
Disable G0/0/1 of S1.

[S1]display vrrp brief
VRID State
Interface
Type
Virtual IP
-------------------------------------------------------1
Master
Vlanif1
Normal 10.0.123.1
Note: You can use the brief parameter to display only the brief
information.
HC Series
HUAWEI TECHNOLOGIES
169
HCDA-HNTD
Test connectivity between R2 and the Internet server.

[R2]ping -c 1 10.0.1.1
Request time out
100.00% packet loss
The command output shows that R2 cannot communicate with the

Internet server.
Enable G0/0/1 of S1.
Configure VRRP to track G0/0/1 on S1 and S2. If G0/0/1 of S1 is

disabled, the VRRP priority of S1 is reduced by 10. In this case, S2
replaces S1 as the VRRP master device.
[S1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10
[S2-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 10
Test the network connectivity.

R2 can communicate with the Internet server.
[R2]ping -c 1 10.0.1.1
0.00% packet loss
Disable G0/0/1 of S1.

170
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Test connectivity between R2 and the Internet server.

[R2]ping -c 1 10.0.1.1
0.00% packet loss
R2 can communicate with the Internet server. Check the VRRP state
on S1.
[S1]display vrrp
State : Backup
Virtual IP : 10.0.123.1
Master IP : 10.0.123.3
PriorityRun : 95
Preempt : YES
Delay time : 0
TimerRun : 1
TimerConfig : 1
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track IF : GigabitEthernet0/0/1
Priority reduced : 10
IF state : DOWN

The configuration in this lab implements the redundancy of two
Layer 3 switches, which can effectively prevent single-point failures.
However, only one Layer 3 switch processes services, resulting in
HC Series
HUAWEI TECHNOLOGIES
171
HCDA-HNTD
resource waste.
Design a scheme based on the current topology to implement
redundancy and load balancing.
#
sysname S1
#
vlan batch 1 to 3
#
interface Vlanif1
ip address 10.0.123.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.123.1
vrrp vrid 1 priority 105
vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif2
ip address 10.0.11.1 255.255.255.0
#
shutdown
port default vlan 2
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
172
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
bpdu enable
#
interface NULL0
#
ospf 1
silent-interface Vlanif1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return
#
sysname S2
#
vlan batch 1 to 3
#
interface Vlanif1
ip address 10.0.123.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.123.1
vrrp vrid 1 track interface GigabitEthernet0/0/1
#
interface Vlanif3
ip address 10.0.12.1 255.255.255.0
#
port default vlan 3
ntdp enable
ndp enable
bpdu enable
#
ntdp enable
ndp enable
bpdu enable
#
ospf 1
HC Series
HUAWEI TECHNOLOGIES
173
HCDA-HNTD
silent-interface Vlanif1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.11.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
#
return
[V200R001C01SPC300]
#
sysname R2
#
ip address 10.0.123.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
174
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.123.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.123.1
#
#
return
HC Series
HUAWEI TECHNOLOGIES
175
HCDA-HNTD
Chapter 8 WAN Configuration

Lab 8-1 HDLC and PPP Configuration
Learning Objectives
WAN technologies.
PPP implementation.
Method used to configure HDLC on a serial link.
Method used to change the clock frequency on a serial link.
Method used to configure PPP on a serial link.
Method used to configure PAP authentication on the PPP link.
Method used to configure CHAP authentication on the PPP link.
Negotiation on the PPP link.
Topology
Figure 8.1 HDLC and PPP configuration
176
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Scenario
You are a network administrator of a company. R1, R2, R3 in 0 are
routers. R1 is located in the headquarters, and R2 and R3 are located in
two branches. The headquarters and branches need to be
interconnected. Use HDLC and PPP on WAN links and use different
authentication modes to ensure security.
Tasks
Step 1 Configure IP addresses.
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
Step 2 Enable HDLC on serial interfaces.

[R1-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R1-Serial1/0/0]
HC Series
HUAWEI TECHNOLOGIES
177
HCDA-HNTD

[R2-Serial2/0/0]
[R3-Serial2/0/0]
After HDLC is enabled the on serial interfaces, view the serial

interface status. Use the display on R1 as an example.
[R1]display interface Serial1/0/0
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Link layer protocol is nonstandard HDLC
: 2011-10-09 14:39:44

broadcasts:
0, multicasts:
errors:
0, runts:
0, giants:
CRC:
0, align errors:
dribbles:
0, aborts:
frame errors:
0, overruns:
0
0
0, no buffers:

errors:
0, underruns:
deferred:
0, collisions:
178
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Test connectivity of the directly connected link after verifying that the
physical status and protocol status of the interface are Up.
[R2]ping 10.0.12.1
0.00% packet loss
[R2]ping 10.0.23.3
0.00% packet loss

[R1]rip
[R1-rip-1]version 2
[R2]rip
[R2-rip-1]version 2
HC Series
HUAWEI TECHNOLOGIES
179
HCDA-HNTD
[R3]rip
[R3-rip-1]version 2
After the configurations are complete, check whether all the routes
are learned. Verify that corresponding routes are learned by RIP.
Destinations : 8
Destination/Mask
Routes : 8
Proto
Pre Cost
Flags NextHop
Interface
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct
10.0.23.0/24 RIP
100 1
127.0.0.0/8
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
Direct
10.0.12.2
Serial1/0/0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
On R1, run the ping command to test connectivity between R1 and

R3.
[R1]ping 10.0.23.3
0.00% packet loss
180
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 4 View the type of the cable connected to the serial

interface, interface status, and clock frequency, and
change the clock frequency.
Link layer protocol is nonstandard HDLC
: 2011-10-09 16:25:55

Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is TC
broadcasts:
0, multicasts:
errors:
CRC:
0, runts:
0, align errors:
dribbles:
0, aborts:
frame errors:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:

The preceding information shows that S1/0/0 on R2 connects to a

DCE cable and the clock frequency is 64000 bit/s.
The DCE controls the clock frequency and bandwidth.
Change the clock frequency on the link between R1 and R2 to
128000 bit/s. This operation must be performed on the DCE, R1.
HC Series
HUAWEI TECHNOLOGIES
181
HCDA-HNTD
[R1-Serial1/0/0]baudrate 128000
After the configurations are complete, view the serial interface status.
LCP opened, IPCP opened
: 2011-10-10 11:56:38

broadcasts:
errors:
CRC:
0, multicasts:
0, runts:
0, align errors:
dribbles:
frame errors:
0, aborts:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:

Step 5 Configure PPP on serial interfaces between R1 and

R2 and between R2 and R3.
Configure PPP. Both ends of the link must use the same
encapsulation mode. If both ends of the link use different encapsulation
modes, interfaces may become Down.
182
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R1-Serial1/0/0]link-protocol ppp
[R1-Serial1/0/0]

[R2-Serial2/0/0]

[R3-Serial2/0/0]
After the configurations are complete, test link connectivity.

[R2]ping 10.0.12.1
0.00% packet loss
[R2]ping 10.0.23.3
HC Series
HUAWEI TECHNOLOGIES
183
HCDA-HNTD

0.00% packet loss
If the ping operation fails, check the interface status and check
whether the link layer protocol type is correct.
: 2011-10-10 16:26:25

broadcasts:
errors:
CRC:
0, multicasts:
0, runts:
0, align errors:
dribbles:
frame errors:
0, aborts:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:

184
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Step 6 Check routing entry changes.

After PPP configurations are complete, routers establish connections
at the data link layer. The local device sends a route to the peer device.
The route contains the interface IP address and a 32-bit mask.
The following information uses R2 as an example. You can see the
routes to R1 and R3.
Destinations : 12
Destination/Mask
Proto
Routes : 12
Pre Cost
Flags NextHop
Interface
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Think about the origin and functions of the two routes. Check the
following items:
If HDLC is used, do the two routes exist?
Can R1 and R2 communicate using HDLC or PPP when the IP
addresses of S1/0/0 interfaces on R1 and R2 are located on different
network segments?
HC Series
HUAWEI TECHNOLOGIES
185
HCDA-HNTD
Step 7 Enable PAP authentication on the PPP link between

R1 and R2.
Configure R1 as the authentication server. After R2 sends an
authentication request to R1, R1 sends a response message to R2,
requesting R2 to use PAP authentication and send its password to R1.
Configure PAP authentication on R1.
[R1-Serial1/0/0]ppp authentication-mode pap
[R1]aaa
[R1-aaa]local-user huawei password simple hello
info: A new user added
[R1-aaa]local-user huawei service-type ppp
Configure PAP authentication on R2.

[R2-Serial1/0/0]ppp pap local-user huawei password simple hello
After the configurations are complete, test connectivity between R1 and

R2.
Step 8 Enable CHAP authentication on the PPP link between

R2 and R3.
Configure R3 as the authentication server. After R2 sends an
authentication request to R3, R3 sends a response message to R2,
requesting R2 to use CHAP authentication and send its user name and
password to R3.
[R3-Serial2/0/0]ppp authentication-mode chap
186
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R3]aaa
[R3-aaa]local-user user1 password cipher huawei
info: A new user added
[R3-aaa]local-user user1 service-type ppp
[R3-aaa]quit
On R3, the following information is displayed.

Oct 10 2011 16:46:03+00:00 R3 %%01PPP/4/PEERNOCHAP(l)[9]:On the interface
Serial2/0/0, authentication failed and PPP link was closed because CHAP was
disabled on the peer.
Oct 10 2011 16:46:03+00:00 R3 %%01PPP/4/RESULTERR(l)[10]:On the interface
Serial2/0/0, LCP negotiation failDCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
The greyed line indicates that authentication failed.

Configure R2 as the CHAP client.
[R2-Serial2/0/0]ppp chap user user1
[R2-Serial2/0/0]ppp chap password cipher huawei
After the configurations are complete, the interface becomes Up. The
ping command output is as follows:
[R2]ping 10.0.23.3
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
187
HCDA-HNTD
Step 9 Run the debug command to view negotiation of the

PPP connection between R2 and R3. The PPP connection
is established by CHAP.
Use R2 as an example. View the PPP negotiation process between R2
and R3. Disable S2/0/0 on R2, run the debug command, and enable
S2/0/0 on R2.
First shut down S2/0/0 on R2.
Run the debugging ppp chap all command. By default, the

debugging information is displayed. Run the terminal debugging
command to display the debugging information on the console port.
[R2-Serial2/0/0]return
<R2>debugging ppp chap all
Enable S2/0/0 on R2.

<R2>system-view
The following debugging information is displayed on the console

port:
PPP State Change:
Serial2/0/0 CHAP : Initial --> ListenChallenge
Oct 10 2011 17:54:48.830.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 25
State ListenChallenge, code Challenge(01), id 1, len 21
Value_Size: 16 Value: 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87 94 3 f0 1
Name:
Oct 10 2011 17:54:48.830.2+00:00 R2 PPP/7/debug2:
PPP Event:
188
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Serial2/0/0 CHAP Receive Challenge Event

state ListenChallenge
Oct 10 2011 17:54:48.830.3+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Output CHAP(c223) Pkt, Len 37
State ListenChallenge, code Response(02), id 1, len 33
Value_Size: 16 Value: 4b 6 73 d1 48 c2 55 8d da a6 c7 3e 21 e9 44 48
Name: user1@system
Oct 10 2011 17:54:48.830.4+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : ListenChallenge --> SendResponse
Oct 10 2011 17:54:48.850.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 20
State SendResponse, code SUCCESS(03), id 1, len 16
Message: Welcome to .
Oct 10 2011 17:54:48.850.2+00:00 R2 PPP/7/debug2:
PPP Event:
Serial2/0/0 CHAP Receive Success Event
state SendResponse
Oct 10 2011 17:54:48.850.3+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : SendResponse --> ClientSuccess
The greyed line shows the interface status change.

Run the debugging ppp pap all command to view PPP negotiation
when PAP authentication is used between R1 and R2. Compare the
debugging ppp pap all command output with the debugging ppp
chap all command output to learn about difference between PAP
authentication and CHAP authentication.

Why CHAP is more secure than PAP?
[V200R001C01SPC300]
#
sysname R1
HC Series
HUAWEI TECHNOLOGIES
189
HCDA-HNTD
#
aaa
domain default
local-user huawei password simple hello
local-user huawei service-type ppp
#
link-protocol ppp
ppp authentication-mode pap
ip address 10.0.12.1 255.255.255.0
baudrate 128000
#
rip 1
version 2
network 10.0.0.0
#
return
[V200R001C01SPC300]
#
sysname R2
#
aaa
domain default
#
link-protocol ppp
ppp pap local-user huawei password simple hello
190
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
ip address 10.0.12.2 255.255.255.0

#
link-protocol ppp
ppp chap user user1
ppp chap password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
ip address 10.0.23.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
[V200R001C01SPC300]
#
sysname R3
#
aaa
authentication-scheme system
domain default
domain system
local-user user1 password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user user1 service-type ppp
#
link-protocol ppp
ppp authentication-mode chap
ip address 10.0.23.3 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
return
HC Series
HUAWEI TECHNOLOGIES
191
HCDA-HNTD
Lab 8-2 FR Configuration (Back to Back)

Learning Objectives
PVC functions.
Frame Relay (FR) implementation.
Method used to configure FR on a serial link.
Method used to configure mapping between IP addresses and

DLCIs on the FR network.
Method used to configure RIP on the FR network.
Method used to configure OSPF on the FR network.
Topology
Figure 8.2 FR topology
Scenario
You are a network administrator of a company. R1, R2, R3 in 0 are
routers. R1 is located in the headquarters, and R2 and R3 are located in
two branches. The headquarters and branches need to be
interconnected. You need to configure FR on WAN links and mapping
between DLCIs and IP addresses.
192
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
[R2-LoopBack0]interface Serial 2/0/0
<Huawei>system-view
[Huawei]sysname R3
After the IP addresses are configured, test network connectivity.

[R2]ping 10.0.12.1
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
193
HCDA-HNTD
[R2]ping 10.0.23.3
0.00% packet loss
Step 2 Configure FR in back-to-back mode between R1 and

R2 and use static address mapping.
The router configurations vary depending on whether it is connected
to DCE or DTE port. Check whether R1 or R2 connects to the DCE port of
the serial interface cable.
: 2011-10-11 14:40:34

broadcasts:
errors:
194
0, multicasts:
0, runts:
0
0, giants:
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
CRC:
dribbles:
frame errors:
0, align errors:
0, aborts:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:

The preceding information shows that S1/0/0 on R1 connects to the

DCE port of the serial interface cable.
[R1-Serial1/0/0]link-protocol fr
[R1-Serial1/0/0]fr interface-type dce
[R1-Serial1/0/0]undo fr inarp
[R1-Serial1/0/0]fr dlci 102
[R1-fr-dlci-Serial1/0/0-102]quit
[R1-Serial1/0/0]fr map ip 10.0.12.2 102 broadcast
S1/0/0 on R2 connects to the DTE port of the serial interface cable.

[R2-Serial1/0/0]fr interface-type dte
[R1-Serial1/0/0]undo fr inarp [R2-Serial1/0/0]fr map ip 10.0.12.1 102 broadcast
After the configurations are complete, test link connectivity between

R1 and R2.
[R2]ping 10.0.12.1
HC Series
HUAWEI TECHNOLOGIES
195
HCDA-HNTD
0.00% packet loss
If communication between R1 and R2 is abnormal before step 1 is

performed, the FR configuration is incorrect. Perform the following
operations to troubleshoot the fault.
Compare the display fr map-info command output on R1 with that
on R2. Use R1 as an example.
[R1]display fr map-info
Map Statistics for interface Serial1/0/0 (DCE)
DLCI = 102, IP 10.0.12.2, Serial1/0/0
create time = 2011/10/11 14:44:45, status = ACTIVE
encapsulation = ietf, vlink = 6, broadcast
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 21, LMI status sent 21
LMI status enquiry timeout 9, LMI message discarded 2
: 2011-10-11 14:44:25

broadcasts:
errors:
CRC:
0, multicasts:
0, runts:
0, align errors:
dribbles:
frame errors:
0, aborts:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:
196
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

[R1]display fr lmi-info interface Serial 1/0/0
Frame relay LMI statistics for interface Serial1/0/0 (DCE, Q933)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 31, out status = 31
status enquiry timeout = 9, discarded messages = 2
Step 3 Configure FR in back-to-back mode between R2 and

R3 and use dynamic address mapping.
The router configurations vary depending on whether it is connected
to DCE or DTE port. Check whether R2 or R3 connects to the DCE port of
the serial port cable.
: 2011-10-11 09:43:20

broadcasts:
errors:
CRC:
dribbles:
frame errors:
0, multicasts:
0, runts:
0, align errors:
0, aborts:
0
0, giants:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:
HC Series
HUAWEI TECHNOLOGIES
197
HCDA-HNTD

The greyed line indicates that S2/0/0 on R3 connects to the DCE port.
[R2-Serial2/0/0]fr interface-type dte
[R2-Serial2/0/0]fr inarp
S2/0/0 on R3 connects to the DCE port of the serial port cable.

[R3-Serial2/0/0]fr interface-type dce

[R3-Serial2/0/0]fr dlci 203
[R3-fr-dlci-Serial2/0/0-203]quit
[R3-Serial2/0/0]fr inarp
After the configurations are complete, test connectivity between R2

and R3.
[R3]ping 10.0.23.2
0.00% packet loss
If R2 fails to communicate with R3, locate the fault using the

following command output.
198
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE
LMI status enquiry received 28, LMI status sent 28
LMI status enquiry timeout 0, LMI message discarded 8
: 2011-10-11 15:01:31

broadcasts:
errors:
CRC:
dribbles:
frame errors:
0, multicasts:
0, runts:
0
0, giants:
0, align errors:
0, aborts:
0, overruns:
0, no buffers:
0, collisions:

errors:
0, underruns:
deferred:

[R3]display fr lmi-info
Frame relay LMI statistics for interface Serial2/0/0 (DCE, Q933)
T392DCE = 15, N392DCE = 3, N393DCE = 4
in status enquiry = 31, out status = 31
status enquiry timeout = 0, discarded messages = 8
[R3]display fr map-info
DLCI = 203, IP INARP 10.0.23.2, Serial2/0/0
Pay attention to the greyed lines. Compare the information on R1

HC Series
HUAWEI TECHNOLOGIES
199
HCDA-HNTD
with that on R2.
Step 4 Configure RIPv2 between R1 and R2 and configure a

neighbor relationship.
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]undo summary
[R2]rip
[R2-rip-1]version 2
View the R1 routing table.

Destinations : 13
Destination/Mask
Proto
Routes : 13
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.12.2
Serial1/0/0
10.0.12.0/24 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.2/32 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
100 1
10.0.23.0/24 RIP
10.0.12.2
Serial1/0/0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
The preceding information shows that R1 has learned routes. Test

200
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
network connectivity on R1.

[R1]ping 10.0.23.2
0.00% packet loss
The preceding information shows that communication between R1

and R2 is normal.
R1 fails to communicate with R3 because R3 is not running any
routing protocol.
R1 and R2 run RIPv2. They can learn routes from each other because
the network supports broadcast.
Run the display fr map-info interface Serial 1/0/0 command on R2
to check whether R2 supports broadcast. Use R2 as an example.
[R2]display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
DLCI = 102, IP 10.0.12.1, Serial1/0/0
Modify configurations of R1 and R2 and disable broadcast.

[R1-Serial1/0/0]undo fr map ip 10.0.12.2 102
[R1-Serial1/0/0]fr map ip 10.0.12.2 102
[R2-Serial1/0/0]fr map ip 10.0.12.1 102
To enable R1 and R2 to update routes, run shutdown and undo

shutdown on an interface of R1 or R2. Use R2 as an example.
HC Series
HUAWEI TECHNOLOGIES
201
HCDA-HNTD
After the configurations are complete, check the routes. Use R2 as an

example.
Destinations : 15
Destination/Mask
Proto
Routes : 15
Pre Cost
Flags NextHop
Interface
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
R1 and R2 cannot exchange routes because broadcast is disabled.

Run the ping command on R2.
[R2]ping 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out
202
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
100.00% packet loss
Run the display fr map-info interface Serial 1/0/0 command on R2

to check whether R2 supports broadcast.
DLCI = 102, IP 10.0.12.1, Serial1/0/0
encapsulation = ietf, vlink = 13
There is no broadcast field, indicating that R2 does not support

broadcast.
Configure a RIP neighbor relationship between R1 and R2 and
configure them to exchange routes in unicast mode.
[R1]rip
[R1-rip-1]peer 10.0.12.2
[R2]rip
[R2-rip-1]peer 10.0.12.1
After the configurations are complete, check the routes on R2.

Destinations : 16
Destination/Mask
Proto
10.0.1.0/24 RIP
Routes : 16
Pre Cost
100 1
Flags NextHop
Interface
10.0.12.1
Serial1/0/0
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 Direct 0
10.0.12.2
Serial1/0/0
10.0.12.1/32 Direct 0
10.0.12.1
Serial1/0/0
10.0.12.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.255/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.2/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.3/32 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
HC Series
HUAWEI TECHNOLOGIES
203
HCDA-HNTD
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Run the ping command to test network connectivity.

[R2]ping 10.0.1.1
0.00% packet loss
By default, route aggregation is enabled in RIPv2; therefore, there is

only one RIP route on R1.
Step 5 Configure OSPF between R2 and R3 and configure an

OSPF neighbor relationship between them.
[R2]router id 10.0.2.2
[R2]ospf 1
[R2-ospf-1]area 0
[R3]router id 10.0.3.3
[R3]ospf 1
[R3-ospf-1]area 0
After the configurations are complete, check the routes on R3.

----------------------------------------------------------------------------
204
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Routing Tables: Public

Destinations : 11
Destination/Mask
Proto
Routes : 11
Pre Cost
Flags NextHop
Interface
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
The preceding information shows that R3 does not learn the routes
sent by R2.
By default, OSPF considers that the network mode on the FR-enabled
port is NBMA and devices do not detect neighbors.
[R3]display ospf interface Serial 2/0/0
Interfaces
Interface: 10.0.23.3 (Serial2/0/0)

Cost: 1562
State: Waiting
Type: NBMA
MTU: 1500
Priority: 1
Check the OSPF neighbor. Use R3 as an example.

R3 does not discover a neighbor. You must manually configure an

OSPF neighbor relationship.
HC Series
HUAWEI TECHNOLOGIES
205
HCDA-HNTD
[R2]ospf 1
[R2-ospf-1]peer 10.0.23.3
[R3]ospf 1
[R3-ospf-1]peer 10.0.23.2
After the configurations are complete, check the OSPF neighbor

relationship on R3.
Neighbors
Router ID: 10.0.2.2
State: Full
Address: 10.0.23.2
Mode:Nbr is Slave Priority: 1
DR: 10.0.23.2
BDR: None
MTU: 0

The preceding information shows that the OSPF neighbor

relationship has been set up.
Check the routing tables. Use R3 as an example.
Destinations : 13
Destination/Mask
Proto
10.0.2.2/32
OSPF
10.0.3.0/24
Routes : 13
Pre Cost
Interface
1562
10.0.23.2
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
3124
10.0.23.2
Serial2/0/0
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 OSPF
206
10
Flags NextHop
10
HUAWEI TECHNOLOGIES
Serial2/0/0
HC Series
HCDA-HNTD
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Test network connectivity between R3 and R2.

[R3]ping 10.0.2.2
0.00% packet loss
Step 6 Configure OSPF between R2 and R3 and change the

network type to broadcast.
Run OSPF on the FR network. You can manually configure a neighbor
relationship or configure OSPF on a broadcast network to discover
neighbors.
Delete the configured neighbors on R2 and R3 shown in step 5.
[R2]ospf 1
[R2-ospf-1]undo peer 10.0.23.3
[R3]ospf 1
[R3-ospf-1]undo peer 10.0.23.2
Check whether the FR-enabled interface supports broadcast.

DLCI = 203, IP INARP 10.0.23.2, Serial2/0/0
HC Series
HUAWEI TECHNOLOGIES
207
HCDA-HNTD
Determine the OSPF network type on the port.

Interfaces

Cost: 1562
State: DR
Type: NBMA
MTU: 1500
Priority: 1
Change the network type to broadcast.

[R2-Serial2/0/0]ospf network-type broadcast
[R3-Serial2/0/0]ospf network-type broadcast
Run the shutdown and undo shutdown commands on S2/0/0 of R3

to update neighbors.
After the OSPF neighbor relationship is established, check the OSPF

neighbor relationship.
Neighbors
Router ID: 10.0.2.2
State: Full
Address: 10.0.23.2
Mode:Nbr is Slave Priority: 1
DR: 10.0.23.3 BDR: 10.0.23.2 MTU: 0

208
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Check the routing table of R3 and test connectivity between R3 and

R2. Use R3 as an example.
Destinations : 13
Destination/Mask
Proto
10.0.2.2/32
OSPF
10.0.3.0/24
Routes : 13
Pre
Flags NextHop
Interface
1562
10.0.23.2
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
3124
10.0.23.2
Serial2/0/0
10.0.23.0/24 Direct 0
10.0.23.3
Serial2/0/0
10.0.23.2/32 Direct 0
10.0.23.2
Serial2/0/0
10.0.23.3/32 Direct 0
127.0.0.1
InLoopBack0
10.0.23.255/32 Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
10.0.12.0/24 OSPF
127.0.0.0/8
10
Cost
10
Serial2/0/0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

Interfaces

Cost: 1562
State: DR
Type: Broadcast
MTU: 1500
Priority: 1
[R3]ping 10.0.2.2
HC Series
HUAWEI TECHNOLOGIES
209
HCDA-HNTD

0.00% packet loss

How is the broadcast function on an FR-enabled interface used? If
possible, verify this configuration.
[V200R001C01SPC300]
#
sysname R1
#
link-protocol fr
fr interface-type dce
undo fr inarp
fr dlci 102
fr map ip 10.0.12.2 102
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
rip 1
undo summary
version 2
peer 10.0.12.2
network 10.0.0.0
210
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
return
[V200R001C01SPC300]
#
sysname R2
#
router id 10.0.2.2
#
link-protocol fr
fr dlci 102
undo fr inarp
fr map ip 10.0.12.1 102
ip address 10.0.12.2 255.255.255.0
#
link-protocol fr
ip address 10.0.23.2 255.255.255.0
ospf network-type broadcast
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
rip 1
undo summary
version 2
peer 10.0.12.1
network 10.0.0.0
#
return
[V200R001C01SPC300]
#
sysname R3
#
router id 10.0.3.3
HC Series
HUAWEI TECHNOLOGIES
211
HCDA-HNTD
#
link-protocol fr
fr interface-type dce
fr dlci 203
ip address 10.0.23.3 255.255.255.0
ospf network-type broadcast
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
Return
212
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Lab 8-3 FR Configuration (Using FR Switch)

Learning Objectives
How to configure frame relay (FR) router interfaces when an FR

switch is used on the network.
How to configure RIP in hub-spoke mode.
How to configure OSPF in hub-spoke mode.
How to configure FR interfaces when the OSPF network type is set

to point-to-multipoint.
Topology
Figure 8.3 Lab topology for FR configuration
HC Series
HUAWEI TECHNOLOGIES
213
HCDA-HNTD
Scenario
Assume that you are a network administrator of a company. R1, R2,
R3 in Figure 8.3 are routers. R1 is located at the company headquarters,
and R2 and R3 are located in two branches. To interconnect the
headquarters and branches, you need to configure FR on WAN links in
hub-spoke mode.
Tasks
Set basic parameters, such as IP addresses. When configuring FR
encapsulation, you must disable the Inarp function and manually define
mapping between the PVC DLCI numbers and IP addresses.
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
214
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
<Huawei>system-view
[Huawei]sysname R3
After the IP addresses are configured, test network connectivity.

[R1]ping 10.0.123.2
PING 10.0.123.2: 56

0.00% packet loss
[R1]ping 10.0.123.3
PING 10.0.123.3: 56

0.00% packet loss
Run the following commands to view the FR encapsulation
HC Series
HUAWEI TECHNOLOGIES
215
HCDA-HNTD
information for the R1 interfaces.

[R1]display fr interface Serial 2/0/0
Serial2/0/0, DTE, physical up, protocol up
DLCI = 102, IP 10.0.123.2, Serial2/0/0
DLCI = 103, IP 10.0.123.3, Serial2/0/0
Step 2 Configure RIPv2 among R1, R2, and R3.

Configure RIPv2 and ensure that all network segments are in the RIP
area. By default, static neighbors are not configured. The automatic
summary function must be disabled. In addition, the RIP split horizon
function for FR interfaces is disabled by default because an FR network
has its own unique features. You do not need to modify the split horizon
configurations for this exercise.
[R1]rip 1
[R1-rip-1]version 2
[R2]rip 1
[R2-rip-1]version 2
[R3]rip 1
[R3-rip-1]version 2
View the routing tables on R1, R2, and R3 to check the learned
routes.
----------------------------------------------------------------------------
216
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Public routing table : RIP

Destinations : 2
Routes : 2

Destinations : 2
Destination/Mask
Routes : 2
Proto
Pre Cost
Flags NextHop
Interface
10.0.2.0/24
RIP
100 1
10.0.123.2
Serial2/0/0
10.0.3.0/24
RIP
100 1
10.0.123.3
Serial2/0/0

Destinations : 0
Routes : 0

Destinations : 2
Routes : 2

Destinations : 2
Destination/Mask
Routes : 2
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 1
10.0.123.1
Serial3/0/0
10.0.3.0/24
RIP
100 2
10.0.123.1
Serial3/0/0

Destinations : 0
Routes : 0

Destinations : 2
Routes : 2

Destinations : 2
Destination/Mask
10.0.1.0/24
HC Series
Proto
RIP
Routes : 2
Pre Cost
100 1
Flags NextHop
D
10.0.123.1
HUAWEI TECHNOLOGIES
Interface
Serial1/0/0
217
HCDA-HNTD
10.0.2.0/24
RIP
100 2
10.0.123.1
Serial1/0/0

Destinations : 0
Routes : 0
Perform a test on R3 to detect network connectivity.

[R3]ping 10.0.1.1
0.00% packet loss
[R3]ping 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
The preceding test results indicate that R3 and R2 are disconnected.

Check the routes to find out why R3 and R2 are disconnected.
The procedure for diagnosing this fault is as follows:
View the R3 routing table and check whether any route is destined
for the IP address 10.0.2.2.
If there is such a route, find out the next hop IP address of this route.
Then check whether R3 can reach the next hop and whether there is
mapping between Layer-3 IP addresses and Layer-2 PVCs.
218
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
If R3 can reach the next hop and there is mapping between Layer-3 IP
addresses and Layer-2 PVCs, check the devices on the route to
determine whether there is any route that can reach IP address 10.0.2.2,
whether the next hop of this route is reachable, and whether there is
mapping between Layer-3 IP addresses and Layer-2 PVCs.
If there is a route that can reach IP address 10.0.2.2 and there is
mapping between Layer-3 IP addresses and Layer-2 PVCs, check R2 to
determine whether there is any route that reaches the destination IP
address of response packets and whether the next hop of this route is
reachable.
If the next hop of this route is unreachable and the destination IP
address of the response packets is 10.0.123.3, R2 has the route that
reaches this address but there is no mapping between Layer-3 IP
addresses and Layer-2 PVCs.
The following is the output of the commands used in the preceding
fault diagnosis procedure.
Destinations : 13
Destination/Mask
Proto
Routes : 13
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
RIP
100 1
10.0.123.1
Serial1/0/0
10.0.2.0/24
RIP
100 2
10.0.123.1
Serial1/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.0/24
Direct 0
10.0.123.3
Serial1/0/0
10.0.123.1/32
Direct 0
10.0.123.1
Serial1/0/0
10.0.123.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.255/32
Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

DLCI = 301, IP 10.0.123.1, Serial1/0/0
HC Series
HUAWEI TECHNOLOGIES
219
HCDA-HNTD

Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.0/24
RIP
100 1
10.0.123.2
Serial2/0/0
10.0.3.0/24
RIP
100 1
10.0.123.3
Serial2/0/0
10.0.123.0/24
Direct 0
10.0.123.1
Serial2/0/0
10.0.123.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.2/32
Direct 0
10.0.123.2
Serial2/0/0
10.0.123.3/32
Direct 0
10.0.123.3
Serial2/0/0
10.0.123.255/32
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

DLCI = 102, IP 10.0.123.2, Serial2/0/0
DLCI = 103, IP 10.0.123.3, Serial2/0/0
Destinations : 13
Destination/Mask
10.0.1.0/24
220
Proto
RIP
Routes : 13
Pre Cost
100 1
Flags NextHop
D
10.0.123.1
HUAWEI TECHNOLOGIES
Interface
Serial3/0/0
HC Series
HCDA-HNTD
10.0.2.0/24
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.1
Serial3/0/0
10.0.3.0/24
RIP
100 2
10.0.123.0/24
Direct 0
10.0.123.2
Serial3/0/0
10.0.123.1/32
Direct 0
10.0.123.1
Serial3/0/0
10.0.123.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.255/32
Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
127.0.0.1/32 Direct 0
D
D
127.0.0.1
InLoopBack0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

DLCI = 201, IP 10.0.123.1, Serial3/0/0
The conclusion is that R2 has no PVC reaching IP address 10.0.123.3.
Step 3 Modify network parameters to enable the

connection between R2 and R3.
The fault diagnosis results in step 2 indicate that there is no virtual
circuit between the FR interfaces on R2 and R3. In this case, configure the
mapping between IP addresses and PVCs to enable communications
between FR interfaces on R2 and R3 through R1.
After you configure the mapping between IP addresses and PVCs,

check the IP address-PVC mapping tables on R2 and R3 and detect
HC Series
HUAWEI TECHNOLOGIES
221
HCDA-HNTD
DLCI = 301, IP 10.0.123.1, Serial1/0/0

DLCI = 301, IP 10.0.123.2, Serial1/0/0
[R3]ping 10.0.2.2
0.00% packet loss
Step 4 Configure OSPF between R1 and R2.

Delete the RIP configurations added in step 2 and the IP address-PVC
mapping of R2 and R3 that is established in step 3.
[R1]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R1]
[R2]undo rip 1
[R2]
[R3]undo rip 1
222
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R3]
Configure single-area OSPF on R1, R2, and R3.

[R1-ospf-1]area 0
[R2-ospf-1]area 0
[R3-ospf-1]area 0
After basic parameters are set, OSPF cannot establish neighbor

relationships. By default, OSPF determines that the FR network can
identify the NBMA network. As a result, OSPF does not support
broadcast and cannot automatically discover neighbors.
[R3]display ospf interface Serial 1/0/0 verbose
Interfaces

Cost: 1562
State: DR
Type: NBMA
MTU: 1500
Priority: 1
IO Statistics
Type
Hello
Input
Output
DB Description
Link-State Req
Link-State Update
Link-State Ack
OpaqueId: 0
PrevState: Waiting
There are various methods for running OSPF on an FR network. This

exercise demonstrates how to run OSPF on the FR network by setting the
HC Series
HUAWEI TECHNOLOGIES
223
HCDA-HNTD
OSPF network type of the interface to point-to-multipoint.
Step 5 Set the OSPF network type of the interface to

point-to-multipoint.
[R1-Serial2/0/0]ospf network-type p2mp
After you set the OSPF network type, wait until the neighbor
relationship is established. Then check the neighbor relationship and
route information.
---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial2/0/0
10.0.2.2
Full
0.0.0.0
Serial2/0/0
10.0.3.3
Full
---------------------------------------------------------------------------[R1]display ip routing-table
Destinations : 14
Destination/Mask
Proto
Routes : 14
Pre Cost
Flags NextHop
Interface
10.0.1.0/24
Direct 0
10.0.1.1
LoopBack0
10.0.1.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.1.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.2/32
OSPF
10
1562
10.0.123.2
Serial2/0/0
10.0.3.3/32
OSPF
10
1562
10.0.123.3
Serial2/0/0
10.0.123.1
Serial2/0/0
10.0.123.0/24
224
Direct 0
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
10.0.123.1/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.2/32
Direct 0
10.0.123.2
Serial2/0/0
10.0.123.3/32
Direct 0
10.0.123.3
Serial2/0/0
10.0.123.255/32
Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial3/0/0
10.0.1.1
Full
Destinations : 14
Destination/Mask
Proto
10.0.1.1/32
OSPF
10.0.2.0/24
Routes : 14
Pre Cost
Interface
1562
10.0.123.1
Direct 0
10.0.2.2
LoopBack0
10.0.2.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.2.255/32
Direct 0
127.0.0.1
InLoopBack0
OSPF
10.0.3.3/32
10
Flags NextHop
3124
10.0.123.1
Serial3/0/0
10.0.123.0/24
Direct 0
10.0.123.2
Serial3/0/0
10.0.123.1/32
Direct 0
10.0.123.1
Serial3/0/0
10.0.123.2/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.3/32
OSPF
3124
10.0.123.1
Serial3/0/0
127.0.0.1
InLoopBack0
10.0.123.255/32
127.0.0.0/8
10
Serial3/0/0
10
Direct 0
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0

HC Series
HUAWEI TECHNOLOGIES
225
HCDA-HNTD

---------------------------------------------------------------------------Area Id
Interface
Neighbor id
State
0.0.0.0
Serial1/0/0
10.0.1.1
Full
Destinations : 14
Destination/Mask
Routes : 14
Proto
Pre Cost
Flags NextHop
Interface
10.0.1.1/32
OSPF
10
1562
10.0.123.1
Serial1/0/0
10.0.2.2/32
OSPF
10
3124
10.0.123.1
Serial1/0/0
10.0.3.0/24
Direct 0
10.0.3.3
LoopBack0
10.0.3.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.3.255/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.0/24
Direct 0
10.0.123.3
Serial1/0/0
10.0.123.1/32
Direct 0
10.0.123.1
Serial1/0/0
10.0.123.2/32
OSPF
3124
10.0.123.1
Serial1/0/0
10.0.123.3/32
Direct 0
127.0.0.1
InLoopBack0
10.0.123.255/32
Direct 0
127.0.0.1
InLoopBack0
127.0.0.0/8
10
Direct 0
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0
127.0.0.1
InLoopBack0
127.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
255.255.255.255/32 Direct 0
127.0.0.1
InLoopBack0
Perform a network connectivity test on R3.

[R3]ping 10.0.1.1
0.00% packet loss
226
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[R3]ping 10.0.2.2
0.00% packet loss
[R3]ping 10.0.123.2
PING 10.0.123.2: 56

0.00% packet loss

As mentioned in step 4, there are various methods for running OSPF
on the FR network that are achieved by changing the network type of the
interface.
By default, OSPF determines that the FR network does not support
broadcast and cannot automatically discover neighbors. Is it possible to
achieve the connectivity of an OSPF network by manually defining the
neighbor relationship? How?
In step 5, the R2-R3 communications are successful even when the IP
address-PVC mapping between them is not manually configured. Why?
HC Series
HUAWEI TECHNOLOGIES
227
HCDA-HNTD
[V200R001C01SPC300]
#
sysname R1
#
link-protocol fr
undo fr inarp
fr map ip 10.0.123.2 102 broadcast
ip address 10.0.123.1 255.255.255.0
ospf network-type p2mp
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return
[V200R001C01SPC300]
#
sysname R2
#
link-protocol fr
undo fr inarp
ip address 10.0.123.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
228
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
return
[V200R001C01SPC300]
#
sysname R3
#
link-protocol fr
undo fr inarp
ip address 10.0.123.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return
HC Series
HUAWEI TECHNOLOGIES
229
HCDA-HNTD
Chapter 9 Firewall Configuration

Lab 9-1 Eudemon Firewall Configuration
Learning Objectives
How to log in to the Eudemon firewall.
How to change the firewall device name.
How to change the system time and time zone.
How to modify the login banner.
How to change the login password.
How to view, save, and delete firewall configurations.
How to configure the VLAN/interface IP address and detect

How to restart the firewall.
Topology
Figure 9.1 Lab topology for Eudemon firewall configuration
230
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Scenario
company bought a Eudemon 200E firewall and intends to connect it to
S1, the core switch, to filter packets transmitted across different VLANs.
You need to familiarize yourself with various operations of the firewall.
Tasks
Step 1 Log in to the firewall and change its name.
Like a router, a firewall provides a console interface, which can
connect to the COM interface on a computer. The computer can connect
to the firewall using the super terminal software that comes with the
Windows operating system. For details, see "Lab 1-1 Basic Operations on
the VRP Platform."
The firewall provides default configurations and the default user
name and password are admin and Admin@123. Enter the
case-sensitive user name and password when logging in to the firewall.
***********************************************************
*
*
All rights reserved 2008-2011

Without the owner's prior written consent,
*
*
* no decompiling or reverse-engineering shall be allowed. *

* Notice:
This is a private communication system.

Unauthorized access or use may lead to prosecution.
***********************************************************
User interface con0 is available
Please Press ENTER.
HC Series
HUAWEI TECHNOLOGIES
231
HCDA-HNTD
Username:admin
Password:
NOTICE:This is a private communication system.
<Eudemon 200E>
The method for changing the firewall name is the same as that for
changing the router name.
Because both the firewall and router use the VRP operating system,
the command level and help operations for them are the same.
<Eudemon 200E>system-view
[Eudemon 200E]sysname FW
[FW]
Step 2 Change the time and time zone for the firewall.
By default, the time zone is not defined on the firewall. Therefore, the
firewall system time may be inconsistent with the actual time. You should
change the time and time zone information based on the actual
information for your location. During the exercise, the time zone GMT+8
is used and the standard time is defined.
<FW>clock timezone 1 add 08:00:00
<FW>display clock
2011-11-17 18:39:48
Thursday
Time Zone : 1 add 08:00:00
<FW>clock datetime 10:36:00 2011/11/17
<FW>display clock
2011-11-17 10:36:09
Thursday
Time Zone : 1 add 08:00:00
Step 3 Change the login banner information.

Change the login banner information. The following login banner
information is displayed by default after you successfully log in to the fire
wall.
<FW>quit
232
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Please Press ENTER.
Username:admin
Password:
<FW>
The firewall device warns about unauthorized access using the

banner information.
The administrator can change the login banner information as
needed. Different banner information is displayed before and after you
log in to the firewall.
[FW]header login information ^
Info: The banner text supports 220 characters max, including the start and the
end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to Eudemon 200E ^
[FW]header shell information ^
Info: The banner text supports 220 characters max, including the start and the
end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to Eudemon 200E
You are logining in system Please donot delete system config files
^
[FW]
Log out of the firewall system and then log in to the system again to
check whether the change takes effect.
Please Press ENTER.
Username:admin
HC Series
HUAWEI TECHNOLOGIES
233
HCDA-HNTD
Password:
<FW>
If the preceding information is displayed, the banner information is

successfully changed. Note that the default notice information cannot be
deleted or replaced.
Step 4 Change the login user name and password.

The default user name and password are admin and Admin@123.
You can change them as needed. For this exercise, create a level-3 user.
The user name and password are user1 and huawei@123. By default,
only the user admin is allowed to log in to the firewall system using the
console interface. Therefore, a newly created user is allowed to log in to
the system using the console interface only after the authentication
mode is set to aaa. In addition, specify the applicable scope of the newly
created user. In this exercise, the applicable scope is set to terminal,
indicating that this user is allowed to log in to the system using the
console interface.
[FW]aaa
[FW-aaa]local-user user1 password simple huawei@123
[FW-aaa]local-user user1 service-type terminal
[FW-aaa]local-user user1 level 3
[FW-aaa]quit
[FW]user-interface console 0
[FW-ui-console0]authentication-mode aaa
After you set the authentication mode to aaa, log out of the system
and check whether the newly created user name and password take
effect.
[FW-ui-console0]return
<FW>quit
*************************************************************************
*
Copyright(C) 2008-2011 Huawei Technologies Co., Ltd.
234
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
*
All rights reserved
*
*

*
Without the owner's prior written consent,
no decompiling or reverse-engineering shall be allowed.
*************************************************************************
User interface con0 is available
Please Press ENTER.

Username:user1
Password:
<FW>
To save time during the exercise, you can set the authentication
mode that does not require a user name and password.
[FW]user-interface console 0
[FW-ui-console0]authentication-mode none
After setting this authentication mode, you can log in to the system
directly.
<FW>quit
Please Press ENTER.
<FW>
HC Series
HUAWEI TECHNOLOGIES
235
HCDA-HNTD
Step 5 View, save, and delete firewall configurations.

On a firewall, run the display current-configuration command to view the
configurations that are running and run the display saved-configuration
command to view the configurations that have been saved.
<FW>display current-configuration
#
sysname FW
#
undo firewall ipv6 session link-state check
#
vlan batch 1
#
undo firewall session link-state check
#
#
runmode firewall
#
update schedule ips daily 7:40
update schedule av daily 7:40
security server domain sec.huawei.com
#
web-manager enable
#
l2fwdfast enable
---- More ----<FW>display saved-configuration
Error:No startup config.
<FW>
As shown in the preceding example, if no configurations are saved,

the related information is unavailable.
If the configurations have been saved, information similar to the
following is displayed.
<FW>save
15:05:50 2011/11/17
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
236
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Info:Please input the file name(*.cfg,*.zip)[vrpcfg.zip]:

Now saving the current configuration to the device.................
Info:The current configuration was saved to the device successfully..
<FW>display saved-configuration
# Last configuration was changed at 2011/11/17 15:05:59 from console0
#*****BEGIN****public****#
#
sysname FW
#
#
vlan batch 1
#
#
#
runmode firewall
#
#
output omit
Run the delete flash:/vrpcfg.zip command to delete the

configurations that have been saved.
<FW>delete flash:/vrpcfg.zip
Be Careful! Deleting the next startup config file will lose your configuration.
Delete flash:/vrpcfg.zip?[Y/N]:y
%Deleting file flash:/vrpcfg.zip...
Step 6 Configure the VLAN and interface IP address.

On the firewall, E0/0/0 is a Layer-3 interface and E1/0/0 to E1/0/7 are
Layer-2 interfaces. Layer-2 interface IP addresses cannot be configured
directly but must be configured on the related VLANIF interfaces. By
default, VLAN1 is available on the firewall device and the VLANIF1 IP
address has been assigned. Create VLAN2 and VLANIF2 and configure
their IP addresses as 10.0.2.1/24. In addition, delete VLANIF1.
[FW]undo interface Vlanif 1
HC Series
HUAWEI TECHNOLOGIES
237
HCDA-HNTD
[FW]vlan 2
[FW-vlan-2]interface vlanif 2
[FW-Vlanif2]ip address 10.0.2.1 24
Configure E1/0/0 to access VLAN2.

[FW]interface Ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 2
Configure the IP address for E0/0/0 as 10.0.1.1/24 and the IP address

for E2/0/0 as 10.0.3.1/24.
[FW-Ethernet0/0/0]ip address 10.0.1.1 24
[FW-Ethernet0/0/0]interface Ethernet 2/0/0
On S1, configure G0/0/21, G0/0/22, and G0/0/23 to access VLAN1,

VLAN2, and VLAN3, respectively. Configure the IP addresses of VLANIF1,
VLANIF2 and VLANIF3 as 10.0.2.2/24, 10.0.2.2/24, and 10.0.3.2/24.
[Quidway]sysname S1
[S1]vlan batch 2 3
[S1-GigabitEthernet0/0/23]interface vlanif 1
Detect network connectivity.

[S1]ping 10.0.1.1
238
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

0.00% packet loss
[S1]ping 10.0.2.1
0.00% packet loss
[S1]ping 10.0.3.1
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
239
HCDA-HNTD
Step 7 Restart the firewall.

After all configurations are complete and the test is successful, delete
the configuration files and restart the firewall to clear the configurations.
After you restart the firewall, a message is displayed, asking you whether
to save the current configuration. Delete the current configuration.
<FW>reboot
Info:Reading saved configuration failed.
System will reboot, could you want to save current configuration [Y/N]?n
System will reboot, continue?[Y/N]:y

The login banner contains mainly warning information. Is there any
other information that can be included in the login banner?
[FW]display current-configuration
#
sysname FW
#
#
vlan batch 1 to 2
#
#
runmode firewall
#
#
web-manager enable
#
l2fwdfast enable
#
interface Vlanif2
ip address 10.0.2.1 255.255.255.0
240
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
link-protocol ppp
#
ip address 10.0.1.1 255.255.255.0
#
portswitch
port access vlan 2
#
portswitch
#
portswitch
#
portswitch
#
portswitch
#
portswitch
#
portswitch
#
portswitch
#
ip address 10.0.3.1 255.255.255.0
#
HC Series
HUAWEI TECHNOLOGIES
241
HCDA-HNTD
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin service-type web terminal
local-user admin level 3
local-user user1 password simple huawei@123
local-user user1 service-type terminal
local-user user1 level 3
#
#
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1
#
header shell information "Welcome to Eudemon 200E
"
header login information "Welcome to Eudemon 200E "
banner enable
#
authentication-mode none
user-interface tty 2
242
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
modem both
#
slb
#
cwmp
#
right-manager server-group
#
return
#
sysname S1
#
dns resolve
#
vlan batch 2 to 3
#
stp enable
#
interface Vlanif1
ip address 10.0.1.2 255.255.255.0
#
interface Vlanif2
ip address 10.0.2.2 255.255.255.0
#
interface Vlanif3
ip address 10.0.3.2 255.255.255.0
#
ntdp enable
ndp enable
bpdu enable
#
port default vlan 2
ntdp enable
ndp enable
HC Series
HUAWEI TECHNOLOGIES
243
HCDA-HNTD
bpdu enable
#
port default vlan 3
ntdp enable
ndp enable
bpdu enable
#
interface NULL0
#
return
244
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Lab 9-2 Packet Filtering Configuration

Learning Objectives
How to configure packet filtering on the firewall interface
Topology
Figure 9.2 Lab topology for packet filtering configuration on the

Eudemon firewall
Scenario
company's network at the headquarters is divided into three zones. You
HC Series
HUAWEI TECHNOLOGIES
245
HCDA-HNTD
intend to control inter-zone traffic using the firewall. On S1, you need to
configure three network segments: G0/0/1 and G0/0/21 for accessing
VLAN11, G0/0/2 to G0/0/22 for accessing VLAN12, and G0/0/3 to
G0/0/23 for accessing VLAN13.
You need to achieve the following configurations to meet work
requirements:
The Telnet and ICMP ping services at the IP address 10.0.3.3 are
available for all other network segments.
The 10.0.2.0/24 network segment can access the 10.0.1.0/24

network segment.
Other access modes are not allowed.
Tasks
Configure names and IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
246
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Note that E1/0/0 is an interface on the Layer-2 switch and you cannot
directly set an IP address for it. In this exercise, configure the VLAN12
and VLANIF12 on the firewall. In addition, configure the IP address
10.0.20.254/24 for the gateway in the 10.0.20.0/24 network segment. By
default, the firewall automatically assigns an IP address for its VLANIF1.
Delete this configuration to prevent any interference during the exercise.
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]quit
[FW-Ethernet0/0/0]interface ethernet 2/0/0
On S1, configure the VLAN and map the VLAN and associated
interface.
[Quidway]sysname S1
HC Series
HUAWEI TECHNOLOGIES
247
HCDA-HNTD

After the configurations are complete, perform a test on the firewall

to detect the network connectivity in the same zone.
[FW]ping 10.0.10.1
Request time out
20.00% packet loss
[FW]ping 10.0.20.2
Request time out
20.00% packet loss
[FW]ping 10.0.30.3
Request time out
248
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

20.00% packet loss
Step 2 Configure static routes
to
implement
network
connectivity.
Configure default routes on R1, R2, and R3 and specific static routes
on the firewall to implement the connectivity between the three network
segments that are connected by three Loopback0 interfaces.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
After the configurations are complete, perform a connectivity test on

R1 to find out whether the network segments that connect to R1 using
Loopback0 interfaces can communicate with other network segments.
[R1]ping -a 10.0.1.1 10.0.2.2
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
249
HCDA-HNTD

[R1]ping -a 10.0.1.1 10.0.3.3
0.00% packet loss
Step 3 Configure the access control.

Before you configure the access control, you should analyze the
traffic direction in advance based on the following requirements:
The 10.0.20.0/24 and 10.0.2.0/24 network segments can access all

applications in the 10.0.10.0/24 and 10.0.1.0/24 network
segments.
The Telnet and ping functions on the host (IP address: 10.0.3.3/24)
are available for the 10.0.20.0/24 and 10.0.2.0/24 network
segments.
The Telnet and ping functions for the host (IP address: 10.0.3.3/24)
are available for 10.0.10.0/24 and 10.0.1.0/24 network segments.
Other access modes are not allowed.
Use the following methods to meet the requirements:

Use an ACL to disable the 10.0.30.0/24 and 10.0.3.0/24 network
segments from accessing other network segments.
Use an ACL to disable other network segments from accessing
the 10.0.20.0/24 and 10.0.2.0/24 network segments.
Use an ACL to enable other network segments to access the
Telnet and ping functions at IP address 10.0.3.3.
250
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Note that the session link-state check function on the firewall must
be enabled and the ACL must be deployed.
Configure three ACLs: ACL3000, ACL3001, and ACL3002.
[FW]firewall session link-state check
[FW]acl number 3000
[FW-acl-adv-3000]rule 5 permit tcp destination 10.0.3.3 0 destination-port eq
telnet
[FW-acl-adv-3000]rule 10 permit icmp destination 10.0.3.3 0
[FW-acl-adv-3000]rule 15 deny ip
[FW-acl-adv-3000]quit
[FW]acl number 3001
[FW-acl-adv-3001]quit
[FW]acl number 3002
To enable other network segments to access the Telnet and ping

functions at IP address 10.0.3.3, deploy ACL3000 on the E2/0/0 egress.
To disable other network segments from accessing the 10.0.20.0/24
and 10.0.2.0/24 network segments, deploy ACL3001 on the VLANIF12
egress.
To disable the 10.0.30.0/24 and 10.0.3.0/24 network segments from
accessing other network segments, deploy ACL3002 on the E/2/0/0
ingress.
[FW-Vlanif12]firewall packet-filter 3001 outbound
[FW-Vlanif12]quit
[FW-Ethernet2/0/0]firewall packet-filter 3000 outbound
[FW-Ethernet2/0/0]firewall packet-filter 3002 inbound
After the configurations are complete, test network connectivity.

Enable the Telnet function on R3 for the test.
[R3-ui-vty0-4]authentication-mode none
Information similar to the following indicates that the Telnet and

ping access between R1 and the IP address 10.0.3.3 is available but other
access modes are unavailable.
HC Series
HUAWEI TECHNOLOGIES
251
HCDA-HNTD
[R1]ping -a 10.0.1.1 10.0.3.3

0.00% packet loss
[R1]ping -a 10.0.1.1 10.0.30.3
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
[R1]ping -a 10.0.1.1 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
[R1]ping -a 10.0.1.1 10.0.20.2
252
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
[R1]quit
<R1>telnet 10.0.3.3
Trying 10.0.3.3 ...
<R3>quit
Configuration console exit, please retry to log on
The connection was closed by the remote host
<R1>
Information similar to the following indicates that the Telnet and

ping access between R2 and the IP address 10.0.3.3 is available. R2 can
access the 10.0.1.0/24 and 10.0.10.0/24 network segments. Other access
modes are unavailable.
<R2>ping 10.0.1.1
0.00% packet loss
<R2>ping 10.0.10.1
HC Series
HUAWEI TECHNOLOGIES
253
HCDA-HNTD

0.00% packet loss
<R2>ping 10.0.3.3
0.00% packet loss
<R2>ping 10.0.30.3
PING 10.0.30.3: 56
Request time out

Request time out
Request time out
Request time out
Request time out
100.00% packet loss
<R2>telnet 10.0.3.3
Trying 10.0.3.3 ...
254
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

<R3>quit
<R2>
Information similar to the following indicates that R3 cannot access

other network segments.
[R3]ping -c 1 10.0.1.1
Request time out
100.00% packet loss
[R3]ping -c 1 10.0.10.1
Request time out
100.00% packet loss
[R3]ping -c 1 10.0.20.2
Request time out
100.00% packet loss
[R3]ping -c 1 10.0.2.2
Request time out
HC Series
HUAWEI TECHNOLOGIES
255
HCDA-HNTD
100.00% packet loss
[R3]ping -c 1 10.0.30.254
PING 10.0.30.254: 56
Request time out

100.00% packet loss

During this exercise, R3 cannot send packets to the IP address
10.0.2.2. When R2 uses 10.0.2.2 as the source address to send packets to
R3, the response packets can pass through the firewall. Why? How does
the firewall enable this function?
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return
[V200R001C01SPC300]
#
sysname R2
256
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
#
return
#
sysname FW
#
vlan batch 1 12
#
firewall session link-state check
#
#
runmode firewall
#
acl number 3000
rule 5 permit tcp destination 10.0.3.3 0 destination-port eq telnet
rule 10 permit icmp destination 10.0.3.3 0
HC Series
HUAWEI TECHNOLOGIES
257
HCDA-HNTD
rule 15 deny ip
#
acl number 3001
rule 5 deny ip
#
acl number 3002
rule 5 deny ip
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
firewall packet-filter 3001 outbound
#
ip address 10.0.10.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
firewall packet-filter 3002 inbound
firewall packet-filter 3000 outbound
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
return
#
sysname S1
#
dns resolve
#
vlan batch 11 to 13
#
stp enable
#
258
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
port default vlan 11
#
#
#
#
#
#
return
HC Series
HUAWEI TECHNOLOGIES
259
HCDA-HNTD
Lab 9-3 Eudemon Firewall Zone Configuration

Learning Objectives
How to configure firewall security zones
Parameter settings for security zones
How to filter packets transmitted between different zones
Topology
Figure 9.3 Lab topology for Eudemon firewall zone configuration
260
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Scenario
company's network at headquarters is divided into three zones: trust,
untrust, and DMZ. You intend to control inter-zone traffic using the
firewall. On S1, configure three network segments: G0/0/1 to G0/0/21 for
accessing VLAN11, G0/0/2 to G0/0/22 for accessing VLAN12, and G0/0/3
to G0/0/23 for accessing VLAN13.
You need to achieve the following configurations to meet work
requirements:
Users in the trust zone can access users in the untrust zone.
Users in the trust and untrust zones can access users in the DMZ
zone.
Users in the untrust zone cannot directly access users in the trust
zone.
Users in the DMZ zone cannot directly access users in the trust
and untrust zones.
Tasks
Set IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
HC Series
HUAWEI TECHNOLOGIES
261
HCDA-HNTD

<Huawei>system-view
[Huawei]sysname R3
directly set an IP address for it. In this exercise, configure the VLAN12,
the VLANIF12 interface, and the IP address 10.0.20.254/24 for the
gateway in the inside zone. By default, the firewall automatically assigns
an IP address for its VLANIF1. Delete this configuration to prevent any
interference during the exercise.
[FW]vlan 12
[FW-vlan-12]quit
Configure the VLAN on S1 based on requirements.

[Quidway]sysname S1
262
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

After the configurations are complete, perform a test on the firewall

to detect the network connectivity in the same zone.
[FW]ping 10.0.10.1
Request time out
20.00% packet loss
[FW]ping 10.0.20.2
Request time out
20.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
263
HCDA-HNTD
[FW]ping 10.0.30.3
Request time out
20.00% packet loss
to
implement
network
connectivity.
Configure default routes on R1, R2, and R3 and specific static routes
on the firewall to implement the connectivity between the three network
segments that are connected by three Loopback0 interfaces.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
After the configurations are complete, test the connectivity between

the network segments that connect to each other using Loopback0
interfaces.
[R1]ping -a 10.0.1.1 10.0.2.2
264
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

0.00% packet loss
[R1]ping -a 10.0.1.1 10.0.3.3
0.00% packet loss
Step 3 Configure interfaces to access security zones.

By default, the firewall isolates the network into four zones: local,
trust, untrust, and DMZ.
In this exercise, only trust, untrust, and DMZ zones are involved.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
By default, devices in all zones can communicate with each other.

Information similar to the following indicates that the
communication from the untrust zone to the trust zone is normal.
<R1>ping -a 10.0.1.1 10.0.2.2
HC Series
HUAWEI TECHNOLOGIES
265
HCDA-HNTD

0.00% packet loss
Information similar to the following indicates that communication

from the untrust zone to the DMZ zone is normal.
[R1]ping -a 10.0.1.1 10.0.3.3
0.00% packet loss

from the trust zone to the untrust zone is normal.
[R2]ping -a 10.0.2.2 10.0.1.1
0.00% packet loss
266
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

from the trust zone to the DMZ zone is normal.
[R2]ping -a 10.0.2.2 10.0.3.3
0.00% packet loss

from the DMZ zone to the untrust zone is normal.
[R3]ping -a 10.0.3.3 10.0.1.1
0.00% packet loss

from the DMZ zone to the trust zone is normal.
[R3]ping -a 10.0.3.3 10.0.2.2
HC Series
HUAWEI TECHNOLOGIES
267
HCDA-HNTD

0.00% packet loss
Configure the inter-zone policies to allow users in the trust zone to

access other zones but not allow other zones to access each other.
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction
outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
After the configurations are complete, test the inter-zone

connectivity.
from the untrust zone to the trust zone is normal.
[R1]ping -a 10.0.1.1 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss

from the untrust zone to the DMZ zone is normal.
[R1]ping -a 10.0.1.1 10.0.3.3
Request time out
Request time out
Request time out
268
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Request time out

Request time out
100.00% packet loss

from the trust zone to the untrust zone is normal.
[R2]ping -a 10.0.2.2 10.0.1.1
0.00% packet loss

from the trust zone to the DMZ zone is normal.
[R2]ping -a 10.0.2.2 10.0.3.3
0.00% packet loss

from the DMZ zone to the untrust zone is normal.
HC Series
HUAWEI TECHNOLOGIES
269
HCDA-HNTD
[R3]ping -a 10.0.3.3 10.0.1.1

Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss

from the DMZ zone to the trust zone is normal.
[R3]ping -a 10.0.3.3 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
Step 4 Configure the specific server used to allow the

untrust zone to access the DMZ zone.
In the DMZ zone, configure the server with IP address 10.0.3.3 to
enable two functions: the Telnet service available for the untrust zone
and ICMP ping for the network connectivity test.
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound]policy 1
[FW-policy-interzone-dmz-untrust-inbound-1]policy service service-set icmp
[FW-policy-interzone-dmz-untrust-inbound-1]policy destination 10.0.3.3 0
[FW-policy-interzone-dmz-untrust-inbound-1]action permit
[FW-policy-interzone-dmz-untrust-inbound-1]quit
270
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
[FW-policy-interzone-dmz-untrust-inbound-2]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-3]action deny
You must enable the Telnet function on R3 before performing the

Telnet test.

[R1]ping 10.0.3.3
0.00% packet loss
[R1]ping -a 10.0.1.1 10.0.3.3
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
271
HCDA-HNTD
[R1]ping 10.0.30.3
Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
<R1>telnet 10.0.3.3
Trying 10.0.3.3 ...
<R3>quit
<R1>telnet 10.0.30.3
Trying 10.0.30.3 ...
The preceding test results indicate how the data transmitted

between zones is filtered. Except for the permitted data, all other data is
filtered out.

In this exercise, you can replace the switch with the firewall to make
configuration easier. However, most of the time, the scenario in this
exercise is used in actual applications. What is the advantage of this
application scenario?
[V200R001C01SPC300]
272
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return
[V200R001C01SPC300]
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
HC Series
HUAWEI TECHNOLOGIES
273
HCDA-HNTD
#
return
#
sysname FW
#
firewall packet-filter default deny interzone local trust direction inbound
firewall packet-filter default deny interzone local trust direction outbound
firewall packet-filter default deny interzone local untrust direction inbound
firewall packet-filter default deny interzone local untrust direction outbound
firewall packet-filter default deny interzone local dmz direction inbound
firewall packet-filter default deny interzone local dmz direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
firewall packet-filter default deny interzone trust dmz direction inbound
firewall packet-filter default deny interzone dmz untrust direction inbound
firewall packet-filter default deny interzone dmz untrust direction outbound
#
vlan batch 1 12
#
#
#
runmode firewall
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 10.0.10.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
274
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
set priority 85
add interface Vlanif12
#
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set icmp
policy destination 10.0.3.3 0
policy 2
action permit
policy service service-set telnet
policy 3
action deny
#
return
#
sysname S1
#
dns resolve
#
vlan batch 11 to 13
#
stp enable
#
HC Series
HUAWEI TECHNOLOGIES
275
HCDA-HNTD
#
#
#
#
#
#
#
Return
276
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Lab 9-4 NAT Configuration on the Eudemon Firewall

Learning Objectives
How to configure a network address translation (NAT) server on

the Eudemon firewall.
How to configure the Easy IP feature on the Eudemon firewall.
Topology
Figure 9.4 Lab topology for NAT configuration on the Eudemon firewall
HC Series
HUAWEI TECHNOLOGIES
277
HCDA-HNTD
Scenario
company network is isolated into three zones by the Eudemon firewall:
untrust zone, trust zone, and demilitarized zone (DMZ). You need to
release the Telnet service that is provided by a server with IP address
10.0.3.3 in the DMZ zone. The external IP address of the server is
10.0.10.20/24. Users in the trust zone can access the untrust zone by
means of Easy IP. Other access methods are not allowed.
On S1, you need to configure three network segments: G0/0/1 to
G0/0/21 for accessing VLAN11, G0/0/2 to G0/0/22 for accessing VLAN12,
and G0/0/3 to G0/0/23 for accessing VLAN13.
Tasks
Configure IP addresses for R1, R2, and R3.
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
278
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
directly set an IP address for it. In this exercise, you need to configure
VLAN12, the VLANIF12 interface, and the IP address 10.0.20.254/24 for
the gateway in the trust zone. By default, the firewall automatically
assigns an IP address for its VLANIF1. You need to delete this
configuration to prevent any interference during the experiment.
[FW]vlan 12
[FW-vlan-12]quit
Configure VLANs on S1 as required.

[Quidway]sysname S1
HC Series
HUAWEI TECHNOLOGIES
279
HCDA-HNTD

After the configurations are complete, test link connectivity in the

same zone on the firewall.
[FW]ping 10.0.10.1
Request time out
20.00% packet loss
[FW]ping 10.0.20.2
Request time out
20.00% packet loss
[FW]ping 10.0.30.3
Request time out
280
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD

20.00% packet loss
to
implement
network
connectivity.
Configure default routes on R2 and R3 and specific static routes on
the firewall to implement the connectivity between the three network
segments that are connected by three Loopback0 interfaces. R1, an
Internet device, does not require you to define default routes because R1
does not need to know any private network information about the trust
and DMZ zones.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
Test the link connectivity of the three network segments on the

firewall: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24.
[FW]ping 10.0.1.1
0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
281
HCDA-HNTD
[FW]ping 10.0.2.2
0.00% packet loss
[FW]ping 10.0.3.3
0.00% packet loss
Step 3 Configure interfaces for accessing security zones.

By default, the firewall has four zones: local, trust, untrust, and DMZ
zones.
In this experiment, only trust, untrust, and DMZ zones are involved.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
282
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
By default, devices in all zones can communicate with each other.

However, currently devices in the untrust zone cannot communicate with
devices in the trust and DMZ zones because NAT is not defined.
Step 4 Configure interzone packet filtering.

Packets can be sent from 10.0.2.0 in the trust zone to the untrust
zone. Telnet requests can be sent from the untrust zone to the target
server with IP address 10.0.3.3 in the DMZ zone.
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-0]action permit
[FW-policy-interzone-trust-untrust-outbound-0]quit
[FW-policy-interzone-trust-untrust-outbound]quit
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
Step 5 Configure the Easy IP feature to enable the trust and

untrust zones to access each other.
Configure the Easy IP feature, perform NAT translation, and bind the
NAT to E0/0/0.
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0
After the configurations are complete, check whether the trust and
untrust zones can access each other.
[R2]ping 10.0.1.1
HC Series
HUAWEI TECHNOLOGIES
283
HCDA-HNTD

Request time out
Request time out
Request time out
Request time out
Request time out
100.00% packet loss
[R2]ping -a 10.0.2.2 10.0.1.1
0.00% packet loss
The preceding information shows that the connectivity between R2

and 10.0.1.1 is not working. After you perform the expanded ping and
specify the source IP address of packets as 10.0.2.2, the connectivity is
implemented. The cause of this problem is that packets are directly sent
to 10.0.1.1 and the source IP address of packets is 10.0.20.2, which is not
within the client IP address range of NAT translation.
Step 6 Release the Telnet service that is provided by the

internal server with IP address 10.0.3.3.
Configure the Telnet service on R3 with IP address 10.0.3.3 and map
it to 10.0.10.20.
[FW]nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
284
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Enable the Telnet function on R3 and test it on R1. Note that the
external IP address of R3 is 10.0.10.20. When R1 needs to access 10.0.3.3,
the destination address must be 10.0.10.20.
<R1>telnet 10.0.10.20
Trying 10.0.10.20 ...
<R3>

In this exercise, the simple Telnet service is selected for release. If the
FTP application service needs to be released, what are the differences
between releasing the two services in terms of principles and
configurations?
Analyze how the firewall processes FTP data from the aspect of two
modes (proactive testing and passive monitoring) of the FTP application
service.
[V200R001C01SPC300]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
return
[V200R001C01SPC300]
HC Series
HUAWEI TECHNOLOGIES
285
HCDA-HNTD
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C01SPC300]
#
sysname R3
#
ip address 10.0.30.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
#
return
#
sysname FW
#
nat server 0 protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
#
vlan batch 1 12
#
#
#
runmode firewall
286
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 10.0.10.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif12
#
set priority 5
#
firewall zone dmz
set priority 50
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.30.3
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.0.2.0 0.0.0.255
#
policy interzone dmz untrust inbound
policy 0
action permit
policy service service-set telnet
HC Series
HUAWEI TECHNOLOGIES
287
HCDA-HNTD

#
nat-policy interzone trust untrust outbound
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255
easy-ip Ethernet0/0/0
#
return
#
sysname S1
#
dns resolve
#
vlan batch 11 to 13
#
stp enable
#
#
#
#
#
#
#
288
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
#
return
HC Series
HUAWEI TECHNOLOGIES
289
HCDA-HNTD
Chapter 10 Comprehensive Exercise

Lab 10-1 Comprehensive Exercise
Learning Objectives
The objective of this lab is to test whether you have understood how
to configure the following items:
Frame Relay (FR).
Virtual Local Area Network (VLAN).
Layer 3 switching.
Open Shortest Path First (OSPF).
OSPF operating mode on a Non-Broadcast Multi-Access (NBMA)

network.
Dynamic Host Configuration Protocol (DHCP) function.
DHCP relay.
Firewall.
Network Address Translation (NAT).
290
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
Topology
Figure 10.1 Topology for the comprehensive exercise
Scenario
Assume that you are a network administrator of a company.
The company network is divided into three areas: headquarters
network area, company branch network area, and branch office network
area. The three network areas communicate with each other using the FR
network connected to routers: R1, R2 and R3. Private lines are leased to
provide line backups for network services.
Router R1 resides in the headquarters network area, router R2 resides
in the company branch network area and router R3 resides in the branch
office network.
The firewall located in HQ area divides it into three zones:
Demilitarized Zone (DMZ), internal network zone and external network
zone.
For details about interface and IP address configurations, see the
preceding figure.
HC Series
HUAWEI TECHNOLOGIES
291
HCDA-HNTD
Tasks
The purpose of this comprehensive exercise is to test whether you
have understood the configuration methods described in the previous
19 labs. Therefore, only a brief description of the configuration
procedures and verification methods, not specific commands, is
provided.
Step 1 Perform basic configuration and set IP addresses.

Set IP addresses and configure VLANs based on the topology, and
configure the FR function to achieve communication between different
network areas. Test the network connectivity.
Layer 3 switching needs to be configured only for S1. The IP

addresses of VLANIFs on S1 must be the same as those displayed in the
preceding topology.
R3 uses physical interface G0/0/2 to provide services for VLAN21,
VLAN22, and VLAN23.
Inverse Address Resolution Protocol (InARP) must be disabled on FR
interfaces. The mapping between Data Link Connection Identifiers (DLCIs)
of permanent virtual circuits (PVCs) on the FR interfaces and the peer IP
addresses for the PVCs must be defined on R1, R2, and R3. No virtual
circuit exists between R2 and R3.
E1/0/0 on the firewall must be connected to the DMZ, but no IP
address can be configured for this interface. This comprehensive exercise
requires that an IP address be configured for VLANIF100 and the default
interface VLANIF1 be deleted from the firewall.
Step 2 Configure OSPF.

Configure OSPF on R1, R2, R3, S1, and the firewall. Ensure that all the
network segments belong to area 0. On FR interfaces, configure OSPF to
operate in NBMA mode, the default mode.
Configure all of the interfaces that do not need to send OSPF
messages as silent interfaces. Enable MD5 authentication on the
10.0.123.0/24 network segment and set the authentication password to
292
HUAWEI TECHNOLOGIES
HC Series
HCDA-HNTD
huawei.
On the firewall, configure a default route with the next hop of
10.0.200.2. Set the route type to Type 1 and cost value to 20, and import
this route to the OSPF area in permanent advertisement mode.
Step 3 Configure the DHCP service.

Configure the DHCP service on R1 to serve the devices on network
segments including 10.0.11.0/24, 10.0.12.0/24, 10.0.13.0/24, 10.0.21.0/24,
10.0.22.0/24, and 10.0.23.0/24. Set the IP address of the Domain Name
Server (DNS) to 10.0.200.200 and the IP address validity to three hours.
Configure the DHCP relay function on R3 and ensure that the users in
VLAN21, VLAN22, and VLAN23 can automatically obtain IP addresses.
Configure VLANIF23 on S4 and test the DHCP service on the
10.0.23.0/24 segment.
Configure VLANIF13 on S3 and test the DHCP service on the
10.0.13.0/24 segment.
Step 4 Configure the firewall.

Configure firewall functions and ensure that users on the internal
network can access the external network, but users on the external
network cannot access the internal network or the DMZ and users in the
DMZ cannot access any network. By default, users on the internal
network cannot access the DMZ.
A server with IP address 10.0.100.11/24 resides in the DMZ to provide
Telnet, File Transfer Protocol (FTP), and Hypertext Transfer Protocol
(HTTP) services. The HTTP service is available to all areas, the FTP service
is available to all addresses on the internal network, and the Telnet
service is available only to 10.0.13.100/24.
Step 5 Configure NAT on the firewall.

Configure NAT on the firewall and enable the Easy-IP function so that
users in the headquarters network area, company branch network area,
and branch office network area can access the external network by
means of NAT.
HC Series
HUAWEI TECHNOLOGIES
293
HCDA-HNTD

What are the advantages and disadvantages of this topology used
for the comprehensive exercise?
294
HUAWEI TECHNOLOGIES
HC Series

Huawei Certification HCDA Lab Guide v1.6

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei Certification HCDA Lab Guide v1.6

Uploaded by

Copyright:

Available Formats

HCDA-HNTD

Huawei Technologies Co.,Ltd

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any

and other Huawei trademarks are trademarks of Huawei

The information in this document is subject to change without notice.

Huawei Certification System

Lab environment specification

Version 5.90 ( V200R001C01SPC300)

Version 5.90 ( V200R001C01SPC300)

Version 5.90 ( V200R001C01SPC300)

Version 5.70 (V100R006C00SPC800)

Version 5.70 (V100R006C00SPC800)

Version 5.70 (V100R006C00SPC800)

Version 5.70 (V100R006C00SPC800)

Version 5.30 (V100R005C00SPC100)

Lab 8-3 FR Configuration (Using FR Switch) ................................................................................................ 213

Chapter 1 Basic Operations on the VRP Platform

Chapter 1 Basic Operations on the VRP Platform

Configure the connection from a personal computer (PC) to a

Configure a device name, time, and time zone.

Configure the value for Console port idle timeout.

Configure the login information.

Configure the login password and super password.

Save and delete a configuration file.

Configure IP addresses for router interfaces.

Test the connectivity between two routers that are connected

Control a router after using Telnet to another router.

Copy configuration files from one router to another using File

Chapter 1 Basic Operations on the VRP Platform

Chapter 1 Basic Operations on the VRP Platform

Select a COM port.Selecting a COM port.

Chapter 1 Basic Operations on the VRP Platform

In the COM1 Properties dialog box, click Restore Defaults to retain

Step 2 View the system information.

Chapter 1 Basic Operations on the VRP Platform

The command output includes the VRP operating system version,

Step 3 Change the system time parameter.

Step 4 Use the question mark (?) or press Tab to enter

Specify anti-attack configurations

Display the number of limitation

Display AAA authorization scheme

Chapter 1 Basic Operations on the VRP Platform

Step 5 Access the system view.

Step 6 Change device names.

Change the name of the R2 router to R2.

Chapter 1 Basic Operations on the VRP Platform

Step 7 Configure the login information.

Run the preceding command to configure the login information. To

Note: Login information usually provides warnings of illegal logins.

timeout interval of the console port.

Chapter 1 Basic Operations on the VRP Platform

Run the display this command to check the configuration results.

Step 9 Configure IP addresses and descriptions for the

Run the display this command to check the configuration results.

Chapter 1 Basic Operations on the VRP Platform

Run the display interface command to view the interface description.

Last physical down time : 2011-09-16 17:38:34

Output: 216 packets, 2700 bytes

DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP

Chapter 1 Basic Operations on the VRP Platform

[R2]interface Serial 1/0/0

After completing the configuration, run the ping command to test

Configure the telnet login mode.