Huawei Small and Medium Enterprise Routers: Advanced Service Configurations and Maintenance
Network Div | 02 April 2012 | P001
Table of contents
Product Overview
Introduction to Huawei Commands
AR Basic Configuration
VPN Concepts and Types
CPE Based VPNs (GRE, DSVPN and IPsec)
BGP Configuration and Troubleshooting
OSPF Configuration
BFD Principle and Configuration
NAT, ACL and DHCP Configurations
1. Product Overview
HUAWEI AR1220/2220 SPECIFICATIONS - 1

Item                          AR1220                        AR2220
WAN forwarding performance    400 Mbps                      600 Kpps (packets per second)
Chassis switching capacity    8 Gbps                        32 Gbps
Fixed WAN ports               2GE                           3GE (1 combo)
Fixed LAN ports               8FE
SIC slot quantity             2                             4
WSIC slot quantity                                          2
Memory                        512 MB                        2 GB
Flash                         256 MB                        2 GB (default)
USB                           2 USB ports                   2 USB ports
Dimensions (W x D x H)        390 mm x 220 mm x 44.5 mm     442 mm x 420 mm x 44.5 mm

Recommended access connection cards: 4G LTE card, 3G HSPA+7 card, VDSL card, ADSL card, GPON/EPON card.
All series support card hot swapping and LTE/3G data cards.
SIC: Smart Interface Card. WSIC: double-width SIC.
HUAWEI AR1220/2220 SPECIFICATIONS - 2

Item                                    AR1220    AR2220
Max MAC addresses (dynamic learning)    2048      4096
Max ARP entries                         2000      4000
Max VLANs                               128       4094
Max IPv4 routes                         30k       80k
Max IPv6 routes                         10k       30k
Max VRFs                                64        128
Max VPN routes                          10k       30k
Max tunnel interfaces                   256       1024
Max L2VPN VCs                           64        128
Max IPSec tunnels                       256       512
Max L2TP tunnels                        128       512
Max ACLs                                4K        8K
Max GRE tunnels                         256       512
Static white/black name list entries    32        128
Max NAT address pools                   8         16
Max IP addresses per NAT address pool   255       255
HUAWEI AR3260 SPECIFICATIONS - HQ GATEWAY

Item                          AR3260 (Supporting Four Types of SRUs)
SRU models                    SRU40, SRU80, SRU100E, SRU200E, SRU200, SRU400
WAN speed with services       1 Gbps (SRU40), 2 Gbps (SRU80), 2.5 Gbps (SRU100E), 3 Gbps (SRU200E), 4.5 Gbps (SRU200), 5.5 Gbps (SRU400)
Switching capacity            160 Gbit/s
SIC slot quantity             4
WSIC slot quantity            2
XSIC slot quantity            4
Attached routing interfaces   SRU40/80: 3GE (2 combo); SRU100E: 4*GE combo + 2*GE SFP; SRU200E/200/400: 4*GE combo + 2*10GE SFP+
Memory                        2 GB/8 GB
SD Flash (default/maximum)    2 GB/4 GB
USB 2.0                       2
Dimensions (W x D x H)        442 mm x 470 mm x 130.5 mm
Notes                         Hot swapping of the SRU and cards; up to 147 Ethernet interfaces

XSIC: double-height WSIC. SRU: Switch and Route Processing Unit.
VRP---Versatile Routing Platform
Hardware Descriptions (AR 1220)
The existing AR1220 does not have a power switch.
Hardware Descriptions (AR 2220)
Indicator Descriptions (AR 2220)
2. Introduction to Huawei Commands
Display Commands
Some of the display commands and descriptions in common use:

Command                                            Description
display current-configuration                      Displays the parameters that currently take effect on the AR.
display device                                     Displays information about the AR.
display device [ slot slot-id ]                    Displays component information (for a single slot if slot-id is given).
display version                                    Displays the version and board information of the AR.
display this                                       Displays the valid configuration in the current view.
display this interface                             Displays the current status of the interface.
display diagnostic-information                     Collects information about the AR1200-S when a fault cannot be located or fixed; send the output to Huawei technical personnel for fault analysis. NOTE: this command is not recommended for routine troubleshooting.
display power                                      Displays information about the power status.
display power system                               Displays the power status, the power used by the system (watts), and the power used by boards (watts).
display temperature { all | slot slot-id }         Displays board temperature, including the current temperature and the upper and lower temperature thresholds.
display fan                                        Displays the fan status, including the running status, registration status, fan speed, and working mode.
display cpu-usage [ slot slot-id ]                 Displays CPU usage statistics.
display cpu-usage configuration [ slot slot-id ]   Displays the CPU usage configuration.
display memory-usage [ slot slot-id ]              Displays memory usage statistics.
display elabel [ slot-id ] [ brief ]               Displays electronic label information of the device or of a board.
3. AR Basic Configurations

Configuring First Login Through the Console Port
When the router is powered on for the first time, log in to the router through the console port to configure or manage the router:
1. Connect the console port of Router A to the COM port of Host A using a console cable.
2. Run the terminal emulation program.
3. Select the connected port.
4. Set the communication parameters of the port.
5. Press Enter in the subsequent dialog boxes until the command line prompt of the user view is displayed. On first login the router asks for a login password of 8 to 128 characters and makes you confirm it:
#Please configure the login password (<8-128>)
Enter password:
Confirm password:
Configuring console password authentication:
#
user-interface con 0
authentication-mode password                           // Set the authentication mode.
set authentication password cipher (Cipher text password)
#

Configuring Telnet access (cont'd):
#
telnet server enable                                   // Enable the Telnet server.
telnet server port 10181                               // Configure the port number for the Telnet server.
#
aaa
local-user admin password cipher (Cipher text password)
local-user admin privilege level 15
local-user admin service-type telnet
#
user-interface vty 0 4
authentication-mode aaa
#

Or simply permit Telnet with a shared line password (no per-user accounts):
#
user-interface vty 0 4
user privilege level 15
authentication-mode password
set authentication password cipher ethio@123
#
Note that Telnet carries the password in clear text and the shared VTY password grants privilege level 15 to anyone who knows it, so the AAA variant with individual accounts is the one to keep on a production router.

Restoring the router to the factory configuration:
factory-configuration reset                            // Confirm with Yes, then restart the router manually.
Interface Type
Interfaces of a device are used to exchange data and interact with other network devices.
Interfaces are classified into:
1. Physical interfaces
2. Logical interfaces

Physical interfaces
• A device provides physical interfaces.
• Physical interfaces are categorized as management interfaces and service interfaces.
  o Management interfaces
    • Management interfaces are used to log in to devices. Users can use management interfaces to configure and manage devices.
    • Management interfaces do not transmit service data.
    NOTE: At any time, only one of the console interface and the mini USB interface of a router can be used as the serial interface. By default, the console interface is used as the serial interface of the router.
  o Service interfaces
    • Service interfaces transmit services and are classified into the following types:
      1. LAN-side interface: used by routers to exchange data with network devices on LANs.
      2. WAN-side interface: used by routers to exchange data with devices on external networks.

Logical interfaces
• Logical interfaces are manually configured and do not physically exist.
• They can be used to exchange data and transmit service data.
Configuring Basic Interface Parameters
LAN interfaces configuration example:
#
interface Ethernet0/0/0
port link-type access
port default vlan 1000
#
interface Vlanif1000
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 5.5.5.1 255.255.255.0
#
interface GigabitEthernet0/0/1.24
#
interface GigabitEthernet0/0/1.3882
dot1q termination vid 3882
ip address 10.133.220.18 255.255.255.252
#
Configuring Basic Interface Parameters (cont'd)
WAN interfaces configuration examples:

ADSL service
#
interface Virtual-Ethernet0/0/0
#
interface Atm1/0/0
pvc 8/81
map bridge Virtual-Ethernet0/0/0
#
interface Virtual-Ethernet0/0/0
ip address X.X.X.X SubnetMask
#

VDSL service
#
interface Ethernet2/0/0
ip address X.X.X.X SubnetMask
#

xPON service
#
interface Pon2/0/0
port mode epon                // or: port mode gpon, depending on the access network
epon compatibility dba        // for the EPON case; save and restart afterwards
#
interface Pon2/0/0.1210
dot1q termination vid 1210
ip address X.X.X.X SubnetMask
#
To get the MAC address: display epon-info interface Pon2/0/0

Direct fiber service
#
interface GigabitEthernet0/0/0
combo port mode auto
ip address X.X.X.X SubnetMask
#

AiroNet service
#
interface GigabitEthernet0/0/1.3882
dot1q termination vid 3882
ip address X.X.X.X SubnetMask
#
Configuring Basic Interface Parameters (cont'd)
WAN interfaces configuration examples (cont'd)

Cellular service
#
interface Cellular2/0/0       // the slot number depends on where the service card is inserted
link-protocol ppp
ip address negotiate
dialer enable-circular
dialer timer autodial 10
dialer number *99# autodial
dialer-group 1
nat outbound 3000
apn-profile et                // takes effect after a slot reset
                              // or:
apn-profile ettest            // takes effect after a restart
#

For VPN and Internet (the ACL, dialer rule and APN profiles referenced above)
#
acl number 3000
rule 1 permit ip source (IP/any)
#
dialer-rule
dialer-rule 1 ip permit
#
apn profile ettest
apn ettest
#
apn profile et
apn et.com
#

Verification:
display cellular 2/0/0 network
reset slot (slot number)
display cellular 2/0/0 all
#
4. VPN Concepts and Types
A Virtual Private Network (VPN) is a private network that uses a public telecommunication infrastructure, such as the Internet, instead of leased lines to communicate.

VPN Classification
With the development of network technologies, VPN technology is widely applied and many new VPN technologies have emerged. VPNs can be classified into different types:

VPN Implementation Layers
Abbreviations used in the figure:
AAL5: ATM Adaptation Layer 5
FR: Frame Relay
DLCI: Data Link Connection Identifier
PPP: Point-to-Point Protocol
HDLC: High-Level Data Link Control
AToM: Any Transport over MPLS

VPN Operation Modes
5. CPE Based VPNs (GRE, DSVPN and IPsec)

GRE
Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called the passenger protocol, and the protocol used to carry the passenger protocol is called the transport protocol.
Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols.
The tunnels behave as virtual point-to-point links with two endpoints, identified by the tunnel source and tunnel destination addresses configured at each endpoint.
The transmission of packets in a GRE tunnel involves two processes: encapsulation and decapsulation.
GRE can serve as a Layer 3 tunneling protocol for VPNs.
GRE also has two further uses: extending the operating scope of a network running a hop-limited protocol, and working in conjunction with the IP Security Protocol (IPSec) to compensate for IPSec's inability to protect multicast data.
Figure: Networking diagram of enlarged network operation scope
GRE cont’d
Figure: Networking diagram of GRE-IPSec tunnel application
GRE cont'd
The above diagram shows the encapsulation of a GRE packet as it traverses the router and enters the tunnel interface.

Figure: Structure of a GRE encapsulated packet (the GRE header, which can be 32 to 160 bits long, followed by the original packet)
Standard GRE header has the form:
Tunneling
Encapsulation with delivery header: the addresses in the delivery header are the addresses of the head-end and the tail-end of the tunnel.
Figure: private network site 10.1.0.0/16 (10.1.1.1) and private network site 10.2.0.0/16 (10.2.1.1) joined by a GRE tunnel across the public network; the delivery header carries the tunnel endpoints 20.1.1.1/30.1.1.1, followed by the GRE header and the original packet addressed 10.1.1.1/10.2.1.1.
GRE provides a stateless, private connection, but it is not considered a secure protocol because it does not use encryption like the IP Security (IPsec) Encapsulating Security Payload (ESP).
GRE Packet Flow
GRE Keepalive
Before you configure a tunnel policy and set the VPN tunnel type to GRE, enable the Keepalive function. After Keepalive is enabled, the VPN cannot choose a tunnel with an unreachable remote end, preventing data loss.
When Keepalive is disabled on a local end, the tunnel interface status of the local end might be Up even if the remote end is unreachable. After Keepalive is enabled on the local end, the tunnel interface status of the local end changes to Down if the remote end is unreachable. Therefore, when the remote end is unreachable, the VPN cannot choose the GRE tunnel, preventing data loss.
The Keepalive function takes effect uni-directionally. To enable the Keepalive function on both ends of a tunnel, run the keepalive command on each end. The Keepalive configuration takes effect on one end even if the function is disabled on the other end. However, it is recommended that you enable the Keepalive function on both ends.
After the Keepalive function is enabled on a GRE tunnel, the tunnel periodically sends Keepalive packets.
Prerequisite: the keepalive command can be used only when the encapsulation mode has been set to GRE on the interface.
[AR-Tunnel0/0/0] keepalive period 12 retry-times 4   // 12-second keepalive period; after 4 unanswered keepalives the interface goes Down
GRE Checksum
Configure an end-to-end check between both ends of a GRE tunnel to improve GRE tunnel security. This mechanism prevents the device from incorrectly identifying and accepting invalid packets.
If the checksum function is enabled on the local end and disabled on the remote end, the local end does not verify the checksum of received packets but adds a checksum to locally transmitted packets. If the checksum function is disabled on the local end and enabled on the remote end, the local end verifies the checksum of received packets but does not add a checksum to locally transmitted packets.
[AR-Tunnel0/0/0] gre checksum

GRE Key
Configure the same key number on both ends of a GRE tunnel to improve GRE tunnel security. This mechanism ensures that a device accepts only packets sent from the valid tunnel interface and discards invalid packets. The key travels in clear text in the GRE header, so it identifies the tunnel but does not authenticate or encrypt traffic; where confidentiality or strong authentication is required, combine GRE with IPSec as described earlier.
[AR-Tunnel0/0/0] gre key plain 1234
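As an added illustration (not code from this deck or from VRP), the following Python builds and parses GRE headers with the Checksum and Key fields of RFC 2784/2890 and shows what a receiving end drops: a packet corrupted in transit when the sender set a checksum, and any packet whose key does not match the local gre key; a packet without a checksum is accepted unverified, which is the one-sided behaviour described above. The passenger packet bytes and the key 1234 are constructed sample values.

```python
from typing import Optional
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum and Reserved1 fields present (RFC 2784)
GRE_FLAG_KEY = 0x2000        # K bit: Key field present (RFC 2890)
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800      # passenger protocol used in this example


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by IP and GRE checksums."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def gre_encapsulate(payload: bytes, checksum: bool = False, key: Optional[int] = None) -> bytes:
    """Prepend a GRE header; mirrors 'gre checksum' / 'gre key' on the sending end."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    header = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if checksum:
        header += struct.pack("!HH", 0, 0)   # Checksum (filled in below) + Reserved1
    if key is not None:
        header += struct.pack("!I", key & 0xFFFFFFFF)
    packet = header + payload
    if checksum:
        # The checksum covers the whole GRE header and the payload, with the field zeroed.
        csum = (~ones_complement_sum(packet)) & 0xFFFF
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, expected_key: Optional[int] = None) -> bytes:
    """Strip the GRE header and return the passenger packet.

    Raises ValueError where a router would drop the packet: bad version, failed
    checksum, or a Key that does not match the locally configured key. The checksum
    is verified only when the sender set the C bit, which is the asymmetry noted above.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < offset + 4:
            raise ValueError("truncated checksum field")
        # Summing the packet with its checksum in place must give all ones.
        if ones_complement_sum(packet) != 0xFFFF:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    received_key = None
    if flags & GRE_FLAG_KEY:
        if len(packet) < offset + 4:
            raise ValueError("truncated key field")
        received_key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    # Both ends must agree on the key: a missing or different key is rejected.
    if received_key != expected_key:
        raise ValueError(f"GRE key mismatch: got {received_key}, expected {expected_key}")
    return packet[offset:]


# Constructed sample passenger packet (IPv4-like header bytes, not a real capture).
SAMPLE_PAYLOAD = bytes.fromhex("45000014000000004001") + b"\x0a\x01\x01\x01\x0a\x02\x01\x01"


def _dropped(packet: bytes, expected_key: Optional[int]) -> bool:
    try:
        gre_decapsulate(packet, expected_key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the combinations a tunnel administrator runs into; returns outcomes by name."""
    results = {}
    good = gre_encapsulate(SAMPLE_PAYLOAD, checksum=True, key=1234)
    results["valid"] = gre_decapsulate(good, expected_key=1234) == SAMPLE_PAYLOAD
    corrupted = bytearray(good)
    corrupted[-1] ^= 0x01                    # flip one payload bit in transit
    results["corrupted"] = _dropped(bytes(corrupted), 1234)
    results["wrong_key"] = _dropped(gre_encapsulate(SAMPLE_PAYLOAD, key=9999), 1234)
    results["no_key"] = _dropped(gre_encapsulate(SAMPLE_PAYLOAD), 1234)
    # Remote end has no checksum configured: the local end accepts without verifying.
    results["no_checksum"] = gre_decapsulate(gre_encapsulate(SAMPLE_PAYLOAD, key=1234), 1234) == SAMPLE_PAYLOAD
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```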
Configuring GRE
Pre-configuration tasks
Before configuring an ordinary GRE tunnel, complete the following task:
Configure reachable routes between the source and destination interfaces.
Data preparation
Number of the tunnel interface
Source address and destination address of the tunnel
IP address of the tunnel interface
Key of the tunnel interface
After creating a tunnel interface, specify GRE as the encapsulation type; then, optionally:
gre checksum
gre key key-number
Configuring the Keepalive function: with this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, so data loss is avoided.
The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel status.
Figure: Networking diagram of configuring a static route for GRE
Configuration file of Router A
#
sysname RouterA
#
vlan batch 11
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 11
#
interface Ethernet0/0/8
ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return
Configuration file of Router B
#
sysname RouterB
#
interface Ethernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
Configuration file of Router C
#
sysname RouterC
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 11
#
interface Ethernet0/0/8
ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
Configuring a Dynamic Routing Protocol for GRE
Figure: Networking diagram of configuring a dynamic routing protocol for GRE
Configuration Roadmap for GRE with Dynamic Routing Protocol
1. Configure an IGP on each router in the backbone network so that these devices can interwork. Here OSPF process 1 is used.
2. Create the GRE tunnel between the routers that are connected to the PCs; the routers can then communicate through the GRE tunnel.
3. Configure the dynamic routing protocol on the network segments through which the PCs access the backbone network. Here OSPF process 2 is used.
Data preparation
To complete the configuration, you need the following data:
Source address and destination address of the GRE tunnel
IP addresses of the interfaces on both ends of the GRE tunnel
GRE with Dynamic—cont’d
Procedure
Step 1 Assign an IP address to each interface
Step 2 Configure IGP for the VPN backbone network
Step 3 Configuring the tunnel interfaces
Step 4 Configure OSPF on the tunnel interfaces
GRE with Dynamic—cont'd
Step 5 Verify the configuration
[RouterA] display ip routing-table

Configuration Files
Configuration file of Router A
#
sysname RouterA
#
vlan batch 11
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 11
#
interface Ethernet0/0/8
ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
keepalive period 20 retry-times 3
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return

Configuration file of Router B
#
sysname RouterB
#
interface Ethernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

Configuration file of Router C
#
sysname RouterC
#
vlan batch 11
#
interface Vlanif11
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet0/0/1
port link-type access
port default vlan 11
#
interface Ethernet0/0/8
ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
keepalive period 20 retry-times 3
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
DSVPN Overview
Dynamic Smart Virtual Private Network (DSVPN) is a technology
that allows virtual private networks (VPNs) to be established
dynamically between enterprise branches and between
branches and central offices in the Hub-Spoke model.
DSVPN technology allows enterprises to connect their central
offices (Hubs) and branches (Spokes) in different areas through
the public network.
Branches can dynamically establish VPNs with the central office
and with each other.
Hub-Spoke networking without DSVPN
Hub-Spoke tunnels are established between the central office and branches,
and all the data flows transmitted between two branches pass through the
central office.
The network deployment has the following problems:
When a new branch is added to the network, the Hub needs to add and
maintain the VPN configuration for this branch. When a large number of
branches exist on the network, configuration on the Hub is complicated.
Additionally, the configuration on the Hub must be modified each time the
network topology changes.
If traffic between two branches passes through the central office, forwarding
the traffic consumes resources of the central office and causes an extra delay
transmission.
If traffic between two branches does not pass through the central office and
outbound interfaces in the branches use dynamic addresses, they cannot
obtain the address of each other. Therefore, the two branches cannot
establish a direct tunnel.
Figure: Hub-Spoke networking without DSVPN
Hub-Spoke networking with DSVPN
DSVPN uses the Next Hop Resolution Protocol (NHRP) to collect and maintain
dynamic public network addresses. This allows a device to obtain the public
network address of its peer in advance.
Branches use dynamic addresses to access the public network and establish
Spoke-Spoke tunnels dynamically with each other for direct communication
between them.
DSVPN uses the mGRE technology to simplify subnet traffic management and
configuration of GRE and IPSec.
Simplify configuration on the Hub and Spokes.
The Hub and Spokes use an mGRE tunnel interface but not multiple GRE
tunnel interfaces to establish tunnels. When a new Spoke is added to the
network, the network administrator does not need to change configurations
on the Hub or any existing Spokes. The administrator only needs to configure
the new Spoke, and then the Spoke dynamically registers with the Hub.
Reduce the forwarding delay between branch offices.
Branches can dynamically establish tunnels to directly exchange service data, reducing the forwarding delay and improving forwarding performance and efficiency.
Figure: Hub-Spoke networking with DSVPN
Basic Concepts DSVPN
An enterprise connects its central office (the Hub) and multiple sparsely distributed branches (the Spokes) through the public network.
Basic Concepts DSVPN Cont.…
DSVPN Node
A DSVPN node is a device on which DSVPN is deployed. A DSVPN node can be a
Spoke or Hub.
Spoke: A Spoke is the network gateway of a branch office. Generally, a Spoke uses a dynamic public network address.
Hub: A Hub is a device in the central office and also an important device of the DSVPN network. The Hub receives registration packets from Spokes. On the DSVPN network, the Hub can use a fixed public network address or a domain name.
mGRE and mGRE Tunnel Interface
mGRE is a point-to-multipoint GRE technology developed from GRE. An mGRE tunnel interface is a logical interface.
The mGRE tunnel interface has the following attributes:
Source tunnel address
Destination tunnel address: the destination IP address of an mGRE tunnel is resolved by the NHRP protocol.
Tunnel interface IP address: a tunnel interface IP address contains routing information used for communication between devices.
Basic Concepts DSVPN Cont.…
NHRP
NHRP enables a source Spoke on an NBMA network to obtain a dynamic public
network address from a destination Spoke.
When a Spoke connects to an NBMA network, it sends NHRP Registration Request
packets to the Hub by using the public network address of the outbound interface
as the source address.
The Hub creates or updates NHRP mapping entries based on the packets received.
Two Spokes send NHRP Resolution Request and Reply packets to each other to
create or update their NHRP mapping entries.
Basic Concepts DSVPN Cont.…
Hub-Spoke Tunnel
On a DSVPN network, Spoke information is not configured on the Hub, but the
public network address or domain name of the Hub is statically configured on
Spokes.
When a Spoke connects to the NBMA network, it sends NHRP Registration Request
packets to the Hub to report the public network address of its outbound interface.
The Hub creates or updates NHRP mapping entries based on the packets received.
Spoke-Spoke Tunnel
When one Spoke transmits data to another Spoke, the source Spoke checks the
routing table to obtain the private address of the next hop.
If the Spoke fails to obtain the public network address corresponding to the private
address in the local NHRP mapping entries, it sends NHRP Resolution Request
packets to obtain the public network address of the destination Spoke.
After obtaining the NHRP Resolution Reply packets, the Spokes use the mGRE
interface to dynamically establish a VPN tunnel for data transmission between
them.
The tunnel is automatically removed if no packet is forwarded through it within a
period.
Basic Principles DSVPN
The DSVPN technology can be used in two scenarios:
Non-Shortcut Scenario of DSVPN
• Branches learn routes from each other.
• A small- or medium-sized network has a few branches, and the branches can learn routes from each other by deploying the Non-Shortcut Scenario of DSVPN.
• In this scenario, the next hop to a destination subnet is the tunnel address of the
destination branch.
• This deployment has a low requirement on the performance of the Hub and Spokes
because the devices only have to learn a small number of routes.
Shortcut Scenario of DSVPN
• Branches have only summarized routes to the central office.
• On a large-sized network with many branch subnets, Spokes need to learn many routes
from other branches.
• If the shortcut function is not configured, the Spokes have to save routing information
on the entire network.
• This requires Spokes to maintain a large routing table and provide high performance, because many CPU and memory resources are consumed by dynamic routing protocol computation. To reduce the number of routes saved on Spokes, the Shortcut Scenario of DSVPN can be deployed. In this scenario, the next hop to a destination subnet is the tunnel address of the Hub.
Basic Principles DSVPN Cont.…
Non-Shortcut Scenario of DSVPN Working Principle
Basic Principles DSVPN Cont.…
Non-Shortcut Scenario working process is as follows:
1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping
entries, and sends NHRP Registration Reply packets to the Spokes.
3. Spokes obtain routes to destination subnets using static routing or a dynamic routing
protocol. For a branch, the next hop address of the route to the destination branch is
the tunnel address of peer Spoke.
4. To forward a packet, a source Spoke needs to obtain the public network address mapped to the tunnel address of the destination Spoke.
5. If the local NHRP mapping table does not contain the public network address mapped to the tunnel address of the destination Spoke, the source Spoke needs to obtain the public network address through the Hub.
6. The source Spoke sends an NHRP Resolution Request packet to request the public
network address mapping the tunnel address of the destination Spoke.
7. The Hub receives the NHRP Resolution Request packet and forwards the packet to the
destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke in
response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.
Basic Principles DSVPN Cont.…
Shortcut Scenario of DSVPN Working Principle
Basic Principles DSVPN Cont.…
Shortcut Scenario working process is as follows:
1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the
Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping
entries and sends NHRP Registration Reply packets to the Spokes.
3. Branch Spokes obtain the summarized routes to the central office according to
static configurations or using a routing protocol.
4. The source Spoke finds the public network address of the next hop, encapsulates a
data packet, and forwards the packet to the Hub.
5. After receiving the packet, the Hub sends the packet to the destination Spoke and
sends an NHRP Redirect packet to the source Spoke.
6. The source Spoke receives the NHRP Redirect packet and sends an NHRP Resolution Request packet towards the destination Spoke.
7. After receiving the NHRP Resolution Request packet, the Hub forwards it to the destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source
Spoke in response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.
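Added simulation (constructed here, not Huawei code) of the NHRP message flow in both working processes above, using assumed sample addresses: in the non-shortcut scenario a Spoke resolves the peer's public address through the Hub before it can send, while in the shortcut scenario the first packet follows the summarized route via the Hub, whose NHRP Redirect triggers the resolution, and later packets use the direct Spoke-Spoke tunnel.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    name: str
    tunnel_addr: str                          # mGRE tunnel interface address (private)
    public_addr: str                          # NBMA (public) address of the outbound interface
    nhrp: Dict[str, str] = field(default_factory=dict)       # tunnel addr -> public addr
    direct_tunnels: Set[str] = field(default_factory=set)    # peers reachable Spoke-to-Spoke


class DSVPN:
    """One Hub plus registered Spokes; 'shortcut' selects which working process applies."""

    def __init__(self, hub: Node, shortcut: bool):
        self.hub = hub
        self.shortcut = shortcut              # True when 'nhrp redirect' is enabled on the Hub
        self.spokes: Dict[str, Node] = {}     # keyed by tunnel address
        self.log: List[str] = []

    def register(self, spoke: Node) -> None:
        """Steps 1-2: the Spoke knows the Hub statically and registers its public address."""
        spoke.nhrp[self.hub.tunnel_addr] = self.hub.public_addr
        self.log.append(f"{spoke.name} -> Hub: NHRP Registration Request "
                        f"({spoke.tunnel_addr} at {spoke.public_addr})")
        self.hub.nhrp[spoke.tunnel_addr] = spoke.public_addr   # Hub creates/updates mapping
        self.log.append(f"Hub -> {spoke.name}: NHRP Registration Reply")
        self.spokes[spoke.tunnel_addr] = spoke

    def resolve(self, src: Node, dst_tunnel: str) -> Optional[str]:
        """Steps 6-8: Resolution Request relayed by the Hub, Reply sent by the destination Spoke."""
        self.log.append(f"{src.name} -> Hub: NHRP Resolution Request for {dst_tunnel}")
        dst = self.spokes.get(dst_tunnel)
        if dst is None or self.hub.nhrp.get(dst_tunnel) != dst.public_addr:
            self.log.append("Hub: no NHRP mapping entry, request not forwarded")
            return None
        self.log.append(f"Hub -> {dst.name}: NHRP Resolution Request forwarded")
        dst.nhrp[src.tunnel_addr] = src.public_addr             # request carries src's addresses
        self.log.append(f"{dst.name} -> {src.name}: NHRP Resolution Reply "
                        f"({dst_tunnel} at {dst.public_addr})")
        src.nhrp[dst_tunnel] = dst.public_addr
        src.direct_tunnels.add(dst.name)
        dst.direct_tunnels.add(src.name)
        return dst.public_addr

    def forward(self, src: Node, dst_tunnel: str) -> List[str]:
        """Return the node names one data packet traverses from src to the Spoke owning dst_tunnel."""
        dst = self.spokes.get(dst_tunnel)
        if dst is None:
            return [src.name]                                   # unknown destination: dropped
        if dst_tunnel in src.nhrp:
            return [src.name, dst.name]                         # step 9: direct Spoke-Spoke tunnel
        if not self.shortcut:
            # Next hop is the peer Spoke's tunnel address (step 3), so its public address
            # must be resolved before the packet can be encapsulated (steps 4-8).
            if self.resolve(src, dst_tunnel) is None:
                return [src.name]
            return [src.name, dst.name]
        # Shortcut: next hop is the Hub (step 3). The first packet goes via the Hub, which
        # forwards it and sends an NHRP Redirect (steps 4-5); src then resolves (steps 6-8).
        self.log.append(f"{src.name} -> Hub -> {dst.name}: data packet via summarized route")
        self.log.append(f"Hub -> {src.name}: NHRP Redirect")
        self.resolve(src, dst_tunnel)
        return [src.name, self.hub.name, dst.name]


def build_demo(shortcut: bool) -> Tuple["DSVPN", Node, Node]:
    """Constructed topology: a Hub with a fixed public address and two Spokes (assumed addresses)."""
    hub = Node("Hub", "172.16.0.1", "203.0.113.1")
    net = DSVPN(hub, shortcut=shortcut)
    spoke1 = Node("Spoke1", "172.16.0.2", "198.51.100.7")
    spoke2 = Node("Spoke2", "172.16.0.3", "198.51.100.42")
    net.register(spoke1)
    net.register(spoke2)
    return net, spoke1, spoke2


if __name__ == "__main__":
    for mode in (False, True):
        net, s1, s2 = build_demo(shortcut=mode)
        first = net.forward(s1, s2.tunnel_addr)
        second = net.forward(s1, s2.tunnel_addr)
        print(f"shortcut={mode}: first packet {first}, next packet {second}")
        print("\n".join("  " + line for line in net.log))
```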
Configuration DSVPN
This section provides the default DSVPN configuration.
Perform the following operations on the Hub and Spokes to configure DSVPN:
Configuring mGRE
Configuring Routes
Configuring NHRP
(Optional) Configuring an IPSec Profile
Checking the Configuration
Configuration DSVPN Cont.…
Configuring mGRE
To implement DSVPN, create a tunnel interface and set the interface type to Multipoint
GRE (mGRE).
You only need to configure the source address or source interface but not the
destination address on the mGRE interface.
An mGRE tunnel interface has multiple remote ends and allows multiple GRE tunnels to
be established on the interface. This simplifies GRE configuration on devices.
Perform the following operations on the Hub and Spokes.
Step 1: Create a tunnel interface and enter the tunnel interface view.
interface tunnel interface-number
Step 2: Configure the IP address of the tunnel interface.
ip address ip-address { mask | mask-length }
Step 3: Set the tunnel encapsulation mode to mGRE.
tunnel-protocol gre p2mp
Step 4: Configure the source address or source interface for the tunnel interface.
source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }
Configuration DSVPN Cont.…
Configuring Routes
The routes forwarded by a tunnel must be available on branches and the central office
so that packets encapsulated with mGRE can be forwarded correctly.
These routes can be static routes or dynamic routes.
DSVPN provides two route deployments to meet the requirements in different
scenarios.
• Non-Shortcut Scenario of DSVPN: Branches learn routes from each other.
• Shortcut Scenario of DSVPN: Branches have only summarized routes to the central
office.
Configuring a static route
o Non-Shortcut Scenario of DSVPN
• Configure static routes on both the Hub and the Spokes.
• Set the next hop to the tunnel interface address of the peer device.
o Shortcut Scenario of DSVPN
• Configure static routes on both the Hub and the Spokes.
• On the Hub, set the next hop to the tunnel interface address of the destination Spoke.
• On a Spoke, set the next hop to the tunnel interface address of the Hub.
Configuration DSVPN Cont.…
Configuring NHRP
Configure the Hub
Step 1: Enter the tunnel interface view.
interface tunnel interface-number
Step 2 (Optional): Configure a DSVPN domain for the tunnel interface. By default, a tunnel
interface belongs to DSVPN domain 0.
nhrp network-id number
Step 3: Add dynamically registered branches to the NHRP multicast member table. By default,
no dynamically registered Spoke is added to the NHRP multicast member table.
nhrp entry multicast dynamic
Step 4 (Optional): Configure the NHRP authentication string. By default, no NHRP
authentication string is configured.
nhrp authentication { simple string | cipher cipher-string }
Step 5 (Optional): Configure the aging time of NHRP mapping entries. By default, the aging
time of NHRP mapping entries is 7200 seconds.
nhrp entry holdtime seconds seconds
Step 6: Enable the NHRP redirect function. Perform this operation only in the shortcut
scenario. By default, the NHRP redirect function is disabled.
nhrp redirect
Configuration DSVPN Cont.…
Configuring NHRP
Configure the Spoke
Step 1: Enter the tunnel interface view.
interface tunnel interface-number
Step 2 (Optional): Configure a DSVPN domain for the tunnel interface. By default, a tunnel
interface belongs to DSVPN domain 0.
nhrp network-id number
Step 3: Configure an NHRP mapping entry.
nhrp entry protocol-address { dns-name | nbma-address } [ register ]
Step 4 (Optional): Allow new NHRP mapping entries to override conflicting NHRP mapping
entries during NHRP registration.
nhrp registration no-unique
Step 5 (Optional): Configure the NHRP authentication string. By default, no NHRP
authentication string is configured.
nhrp authentication { simple string | cipher cipher-string }
Step 6 (Optional): Configure the NHRP registration interval. By default, a Spoke registers
with the Hub at an interval of 1800 seconds.
nhrp registration interval seconds
Step 7 (Optional): Configure the aging time of NHRP mapping entries. By default, the aging
time of NHRP mapping entries is 7200 seconds.
nhrp entry holdtime seconds seconds
Step 8: Enable the NHRP shortcut function. Perform this operation on the Spoke only in the
shortcut scenario.
nhrp shortcut
Sample DSVPN Configuration
Example for Configuring Non-Shortcut Scenario of DSVPN (Static Route)
The Spokes use dynamic addresses to connect to the public network.
The enterprise wants to establish a VPN between the Spokes.
Sample DSVPN Configuration Cont.…
1. Assign an IP address to each interface.
Configure IP addresses for the interfaces of each Router.
Configure IP addresses for interfaces of Hub.
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2.
Sample DSVPN Configuration Cont.…
2. Configure routes between the Routers.
Configure OSPF on each Router to provide reachable routes to the public network.
Configure OSPF on Hub.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
Configure OSPF on Spoke1.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
Configure OSPF on Spoke2.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
Sample DSVPN Configuration Cont.…
3. Configure static routes.
Configure Hub.
[Hub] ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
[Hub] ip route-static 192.168.2.0 255.255.255.0 172.16.1.3
Configure Spoke1.
[Spoke1] ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
[Spoke1] ip route-static 192.168.2.0 255.255.255.0 172.16.1.3
Configure Spoke2.
[Spoke2] ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
[Spoke2] ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
Sample DSVPN Configuration Cont.…
4. Configure tunnel interfaces.
Configure tunnel interfaces on the Hub and the Spokes, and configure a static NHRP peer entry
for the Hub on Spoke1 and Spoke2.
Configure a tunnel interface on Hub.
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
Configure a tunnel interface and a static NHRP peer entry of Hub on Spoke1.
[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.
[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
Sample DSVPN Troubleshooting
5. Verify the configuration.
Check the NHRP mapping entries of Spoke1 and Spoke2.
Run the display nhrp peer all command on Spoke1. The command output is as follows:
Run the display nhrp peer all command on Spoke2. The command output is as follows:
Sample DSVPN Troubleshooting Cont.…
Verify the configuration.
Check the NHRP mapping entries of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
Sample DSVPN Troubleshooting Cont.…
6. Check the static routes.
Check the static routes on Hub.
Run the display ip routing-table protocol static command on Hub. The
command output is as follows:
Sample DSVPN Troubleshooting Cont.…
Check the static routes on Spokes.
Sample DSVPN Troubleshooting Cont.…
Ping 192.168.2.1 on Spoke1:
ping -a 192.168.1.1 192.168.2.1
You can see that Spoke1 and Spoke2 have learned dynamic NHRP mapping
entries from each other.
Sample DSVPN Configuration
Example for Configuring Shortcut Scenario of DSVPN (OSPF)
Sample DSVPN Configuration
1. Assign an IP address to each interface.
Configure IP addresses for the interfaces of each Router.
Configure IP addresses for interfaces of Hub.
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2.
Sample DSVPN Configuration
2. Configure routes between the Routers.
Configure OSPF on each Router to provide reachable routes to the public network.
Configure OSPF on Hub.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
Configure OSPF on Spoke1.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
Configure OSPF on Spoke2.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
Sample DSVPN Configuration
3. Configure the basic OSPF functions.
Configure Hub.
[Hub] ospf 1 router-id 172.16.1.1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
Configure Spoke1.
[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
Configure Spoke2.
[Spoke2] ospf 1 router-id 172.16.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
Sample DSVPN Configuration
4. Configure tunnel interfaces.
Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hub and Spokes.
Enable the NHRP redirect function on Hub.
Configure NHRP mapping entries of Hub and enable the NHRP shortcut function on
Spoke1 and Spoke2.
On Hub, configure a tunnel interface, configure OSPF, and enable the NHRP redirect
function.
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] ospf network-type p2mp
[Hub-Tunnel0/0/0] ospf dr-priority 100
[Hub-Tunnel0/0/0] nhrp redirect
[Hub-Tunnel0/0/0] quit
Sample DSVPN Configuration
4. Configure tunnel interfaces (continued).
On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hub,
and enable the NHRP shortcut function.
[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] ospf dr-priority 0
[Spoke1-Tunnel0/0/0] nhrp shortcut
On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] ospf dr-priority 0
[Spoke2-Tunnel0/0/0] nhrp shortcut
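The two DSVPN deployments above (non-shortcut with static routes, shortcut with nhrp redirect/shortcut) follow a small set of rules about which address goes where; this added script (not Huawei code) generates the Tunnel0/0/0 and static-route commands for any hub/spoke set from those rules and sanity-checks the addresses first. The Hub addresses are those of the sample; the spoke NBMA addresses 202.1.2.10 and 202.1.3.10 are assumed, as the slides only give the spokes' public subnets.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Site:
    name: str        # sysname used in the prompt, e.g. "Hub", "Spoke1"
    nbma: str        # public (NBMA) address on GigabitEthernet1/0/0
    tunnel_ip: str   # address on Tunnel0/0/0 (all sites share 172.16.1.0/24 here)
    lan: str         # private prefix behind the site, e.g. "192.168.1.0"
    mask: str = "255.255.255.0"


def tunnel_block(site: Site, hub: Site, shortcut: bool) -> List[str]:
    """mGRE + NHRP commands for one site's Tunnel0/0/0, as in the sample.

    Hub: source interface only, spokes are learned by registration and added
    to the multicast member table.  Spoke: one static NHRP entry mapping the
    Hub's tunnel address to the Hub's NBMA address, with 'register'.
    Shortcut deployment adds the OSPF P2MP settings and nhrp redirect/shortcut.
    """
    body = ["tunnel-protocol gre p2mp", "source gigabitethernet 1/0/0"]
    if site == hub:
        body.append("nhrp entry multicast dynamic")
        if shortcut:
            body += ["ospf network-type p2mp", "ospf dr-priority 100", "nhrp redirect"]
    else:
        body.append(f"nhrp entry {hub.tunnel_ip} {hub.nbma} register")
        if shortcut:
            body += ["ospf network-type p2mp", "ospf dr-priority 0", "nhrp shortcut"]
    prompt = f"[{site.name}-Tunnel0/0/0] "
    return [f"[{site.name}] interface tunnel 0/0/0"] + [prompt + cmd for cmd in body]


def static_routes(site: Site, sites: List[Site], shortcut: bool) -> List[str]:
    """Static routes to every other site's LAN; sites[0] must be the Hub.

    Non-shortcut: next hop is the tunnel address of the site that owns the
    prefix (spokes reach each other directly).  Shortcut: the Hub still points
    at the owning spoke, but a spoke points every prefix at the Hub.
    """
    hub = sites[0]
    out = []
    for other in sites:
        if other == site:
            continue
        nh = hub.tunnel_ip if (shortcut and site != hub) else other.tunnel_ip
        out.append(f"[{site.name}] ip route-static {other.lan} {other.mask} {nh}")
    return out


def check_sites(sites: List[Site]) -> List[str]:
    """Checks to run before pasting: unique NBMA and tunnel addresses, and all
    tunnel addresses in one /24 (the sample's tunnel subnet is a /24)."""
    problems = []
    seen = set()
    for s in sites:
        for addr in (s.nbma, s.tunnel_ip):
            if addr in seen:
                problems.append(f"duplicate address {addr} on {s.name}")
            seen.add(addr)
    if len({s.tunnel_ip.rsplit(".", 1)[0] for s in sites}) != 1:
        problems.append("tunnel addresses are not in one subnet")
    return problems


# Sample addresses; the spoke NBMA addresses are assumed (not on the slides).
HUB = Site("Hub", "202.1.1.10", "172.16.1.1", "192.168.0.0")
SPOKE1 = Site("Spoke1", "202.1.2.10", "172.16.1.2", "192.168.1.0")
SPOKE2 = Site("Spoke2", "202.1.3.10", "172.16.1.3", "192.168.2.0")
SITES = [HUB, SPOKE1, SPOKE2]

if __name__ == "__main__":
    for scenario in (False, True):
        print(f"--- shortcut={scenario}, problems={check_sites(SITES)}")
        for s in SITES:
            print("\n".join(tunnel_block(s, HUB, scenario)))
            print("\n".join(static_routes(s, SITES, scenario)))
```
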
Sample DSVPN Troubleshooting
5. Verify the configuration.
Check the NHRP mapping entries of Spoke1 and Spoke2.
Run the display nhrp peer all command on Spoke1. The command output is as follows:
Run the display nhrp peer all command on Spoke2. The command output is as follows:
Sample DSVPN Troubleshooting Cont.…
5. Verify the configuration (continued).
Check the NHRP mapping entries of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
Sample DSVPN Troubleshooting Cont.…
6. Check OSPF routing information.
Check the OSPF routing information on Hub.
Run the display ospf 1 routing command on Hub.
The command output is as follows:
Sample DSVPN Troubleshooting Cont.…
Configuration Files
IPSec
IPSec is a protocol suite for securing IP networks by authenticating and encrypting IP packets.
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high quality, interoperable,
cryptography-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and to prevent
replay of data packets.
IPSec uses two security protocols, Authentication Header (AH) and Encapsulating Security
Payload (ESP), to provide the security services, and IKE to provide key exchange.
IPSec authenticates and encrypts data within IP packets by using Encapsulating Security
Payload (ESP), thus providing confidentiality and integrity for tunneled traffic.
Key exchange and SA establishment in IPSec is implemented by the Internet Key Exchange
(IKE) protocol, which simplifies use and management of IPSec.
A Security Association (SA) is a one-way connection that provides security services between
IPSec peers; the SA determines the security protocols and the keys.
Two devices that use IPSec to protect a path between them are called peers. An endpoint can be
either a gateway router or a host.
IPSec peers can establish SAs only if they have the same parameter settings configured manually
or negotiated through IKE.
IPSec Cont’d
At least two SAs need to be set up on one IPSec tunnel to protect data flows in a bidirectional
exchange.
Data packets are sent from peer A to peer B. Peer A encrypts data packets and transmits
them over the IPSec tunnel. After the data packets reach peer B, peer B decrypts them to
obtain the original data. When packets are sent from peer B to peer A, the process is the
same except that a different SA is used.
Figure: SA and IPSec tunnel
IPSec Cont’d
An SA is uniquely identified by a combination of the following parameters:
A random number called the Security Parameter Index (SPI)
Destination IP address
Security protocol header, either AH or ESP
An SA can be set up in either of the following modes:
Manual mode: All required information must be configured manually.
IKE negotiation mode: IPSec peers use IKE to negotiate keys and to dynamically create and
maintain SAs.
Both the AH header and the ESP header contain a 32-bit SPI and a 32-bit sequence number.
The manual mode applies to small-scale networks or scenarios where only a few IPSec peers
exist. The IKE negotiation mode applies to medium- and large-scale networks.
IPSec Cont’d
IPSec provides the following security services for traffic at the IP layer:
Data origin authentication—Identifying who sent the data.
Confidentiality (encryption)—Ensuring that the data has not been read en route.
Connectionless integrity (authentication)—Ensuring that the data has not been changed en route.
Anti-replay protection—Detecting packets received more than once, to help protect against
denial of service attacks.
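How the SA identifier and the anti-replay service fit together, as an added example that is not from the slides: SAs are looked up by the triple (SPI, destination address, AH or ESP), and each inbound SA tracks the 32-bit sequence number with a sliding window so that a duplicated or stale sequence number is rejected. The window width of 64 is an assumption; the slides give no value.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAKey = Tuple[int, str, str]   # (SPI, destination IP, "AH" or "ESP")
SEQ_MAX = 0xFFFFFFFF           # the sequence number field is 32 bits


@dataclass
class InboundSA:
    spi: int
    dst: str
    proto: str
    window_size: int = 64   # assumed width, in sequence numbers
    highest: int = 0        # highest sequence number accepted so far
    bitmap: int = 0         # bit k set == (highest - k) already received

    def check_and_update(self, seq: int) -> str:
        """Classify seq as 'accept', 'replay', 'stale' or 'invalid' and
        record it when accepted; `highest` is the window's right-hand edge."""
        if seq == 0 or seq > SEQ_MAX:
            return "invalid"            # 0 is never sent; field is 32 bits
        if seq > self.highest:
            shift = seq - self.highest  # slide the window; old bits fall off
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window_size:
            return "stale"              # left of the window: cannot be checked
        if self.bitmap & (1 << offset):
            return "replay"             # already seen: duplicate packet
        self.bitmap |= 1 << offset
        return "accept"


class SADatabase:
    """SAs are unidirectional: a bidirectional IPSec tunnel holds one inbound
    and one outbound SA on each peer; only inbound SAs need replay state."""

    def __init__(self) -> None:
        self._sas: Dict[SAKey, InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def receive(self, spi: int, dst: str, proto: str, seq: int) -> str:
        """Look up the SA for an inbound AH/ESP header and run the replay check."""
        sa = self._sas.get((spi, dst, proto))
        if sa is None:
            return "no-sa"              # unknown triple: drop, nothing to verify
        return sa.check_and_update(seq)


def replay_report(db: SADatabase, headers: List[Tuple[int, str, str, int]]) -> Dict[str, int]:
    """Count the verdicts for a batch of (spi, dst, proto, seq) headers."""
    counts: Dict[str, int] = {}
    for spi, dst, proto, seq in headers:
        verdict = db.receive(spi, dst, proto, seq)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    db = SADatabase()
    # Constructed inbound SA towards RouterB's public address from the example.
    db.add(InboundSA(spi=0x1000, dst="202.138.162.1", proto="ESP"))
    sample = [(0x1000, "202.138.162.1", "ESP", s) for s in (1, 2, 3, 3, 2, 70, 5, 69)]
    print(replay_report(db, sample))
```
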
IPSec Cont’d
ISAKMP (Internet Security Association and Key Management Protocol), also called IKE
(Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to
build an IPsec security association.
ISAKMP negotiation consists of two phases: Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages.
Phase 2 creates the tunnel that protects data. IPSec then comes into play to encrypt
the data using the encryption algorithms and to provide authentication, encryption and
anti-replay services.
IPSec Cont’d
Table : Default ISAKMP profiles
IPSec Cont’d
The entries in the Default ISAKMP profiles table are explained as below:
IPSec Cont’d
Table : Default IPSec profiles
Cipher Block Chaining (CBC)
Hashed Message Authentication Codes (HMAC)
cryptographically secure Message Digest 5 (MD5)
Perfect Forward Secrecy (PFS) – Key Agreement Protocol
IPSec Cont’d
The entries in the Default IPSec profiles table are explained as below:
IPSec Cont’d
Data Encapsulation mode:
IPSec encapsulates IP packets by adding an AH or ESP header and ESP tail to original IP
packets for authentication and encryption. The following two IPSec encapsulation
modes are available:
Transport mode: AH or ESP is inserted after the IP header but before all transport layer
protocols. The transport mode protects the original data packet payloads.
Figure : Packet format in transport mode
IPSec Cont’d
Encapsulation cont’d:
Tunnel mode: An AH or ESP header is inserted before the original IP header, and the new IP
header (IPSec peer IP address) is then inserted before the AH or ESP header. The tunnel mode
shields internal host IP addresses and protects security of original data packets on an end-to-end
connection.
The tunnel mode is more secure than the transport mode. In tunnel mode, the entire IP
packet is encrypted and authenticated, and a peer IP address can be used to hide a client IP
address.
The tunnel mode adds an additional IP header to each packet and therefore consumes more
bandwidth.
Figure : Packet format in tunnel mode
IPSec Cont’d
Modes for Defining Data Flows to Be Protected
IPSec supports the following modes to define data flows to be protected:
Using ACLs
On an IPSec tunnel established in manual mode or IKE negotiation mode, an ACL is used to
define data flows to be protected. The packets that match the permit clauses in the ACL are
protected, and the packets that match the deny clauses are not protected. The ACL can define
packet attributes such as the IP address, port number, and protocol type, which provide
flexibility in defining IPSec policies.
Using a tunnel interface
An IPSec tunnel interface is a Layer 3 logical interface. All the packets that are routed to the
IPSec tunnel interface are protected by IPSec. This mode has the following advantages:
Simplifies configuration
We only need to route the data flows to be protected by IPSec to the IPSec tunnel interface. We
do not need to use ACLs to define the characteristics of traffic to be encrypted and decrypted.
Supports more types of traffic
An IPSec tunnel interface protects traffic of dynamic routing protocols and multicast traffic.
Using an Efficient VPN policy, which is a client/server model
IPSec Cont’d
Configuration Task Summary
Two IPSec peers establish inbound and outbound security associations (SAs) to form a
secure IPSec tunnel through which data packets can be transmitted securely on the
Internet.
Table: IPSec configuration task summary
IPSec Configuration Cont’d
For our test scenarios, we use a tunnel interface to establish the IPSec tunnel.
A tunnel interface is a Layer 3 logical interface; when its encapsulation protocol is GRE,
mGRE, or IPSec, the device can provide the IPSec service on it. All the packets routed to the
IPSec tunnel interface are protected by IPSec. The tunnel interface simplifies the IPSec parameters.
Pre-configuration Tasks
Before using an IPSec tunnel interface to establish an IPSec tunnel, complete the following tasks:
Configuring a reachable route between source and destination interfaces
Determining data flows to be protected by IPSec and importing data flows to the IPSec
tunnel interface
Determining parameters in an IPSec proposal
IPSec Configuration Cont’d
Configuration roadmap:
1. Assign IP addresses to interfaces.
2. Configure static/dynamic routes to peers.
3. Configure IKE proposals // IKE proposals are sets of parameters for Phase 1 IPSec negotiations.
4. Specify the local IDs and IKE peers required in IKE negotiation.
5. Configure IPSec proposals // an IPSec proposal lists the protocols and algorithms to be negotiated with the IPSec peer.
6. Configure IPSec profiles and bind the IPSec proposals and IKE peers to the IPSec profiles.
7. Apply the IPSec profiles to the IPSec tunnel interfaces.
Note:
The ike identity command creates an identity filter set and enters the identity filter set view.
#
ike identity identity-name // control user access
ip address 10.134.198.100 255.255.255.252 // remote IP address allowed to establish an IPSec tunnel
#
The remote peer parameters defined in an identity filter set include the name and IP
address of the peer. Only initiators that match the identity filter set can establish an IPSec
tunnel with the device, improving access security.
Configure an allowed peer in the identity filter set view and reference this identity filter set
with the match ike-identity command in the policy template view or IPSec profile view.
#
ipsec profile profilename
IPSec Cont’d
Default Configuration
Table: Default IPSec configuration
Example for Establishing an IPSec Tunnel Using an IPSec Tunnel Interface
An IPSec tunnel can be established using an IPSec tunnel interface. This method
simplifies the IPSec configuration, reduces costs between devices on the IPSec
network, and makes service application flexible.
Figure:Networking diagram for establishing an IPSec tunnel using the IPSec tunnel interface
Configuration Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
# Assign an IP address to the interface of RouterB.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 2 Configure static routes to the peers on RouterA and RouterB.
# Configure a static route to the remote peer on RouterA. This example assumes that the next
hop address in the route to RouterB is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
# Configure a static route to the remote peer on RouterB. This example assumes that the next
hop address in the route to RouterA is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Step 3 Create IKE proposals on RouterA and RouterB.
# Create an IKE proposal on RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] dh group5 // Diffie-Hellman group 5 uses the 1536-bit group
[Huawei-ike-proposal-1] authentication-algorithm aes_xcbc_mac_96
[Huawei-ike-proposal-1] prf aes_xcbc_128
[Huawei-ike-proposal-1] quit
# Create an IKE proposal on RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] dh group5
[Huawei-ike-proposal-1] authentication-algorithm aes_xcbc_mac_96
[Huawei-ike-proposal-1] prf aes_xcbc_128
[Huawei-ike-proposal-1] quit
Configuration Procedure Cont’d
Step 4 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike peer spub v2
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] quit
# Configure the local ID and IKE peer on RouterB.
[Huawei] ike peer spua v2
[Huawei-ike-peer-spua] ike-proposal 1
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] quit
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
Step 5 Create IPSec proposals on RouterA and RouterB.
# Create an IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] transform ah-esp
[Huawei-ipsec-proposal-tran1] ah authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-tran1] quit
# Create an IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] transform ah-esp
[Huawei-ipsec-proposal-tran1] ah authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Configuration Procedure Cont’d
Step 6 Create IPSec profiles on RouterA and RouterB.
# Create an IPSec profile on RouterA.
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] proposal tran1
[Huawei-ipsec-profile-profile1] ike-peer spub
[Huawei-ipsec-profile-profile1] quit
# Create an IPSec profile on RouterB.
[Huawei] ipsec profile profile2
[Huawei-ipsec-profile-profile2] proposal tran1
[Huawei-ipsec-profile-profile2] ike-peer spua
[Huawei-ipsec-profile-profile2] quit
Step 7 Apply the IPSec profiles to the interfaces of RouterA and RouterB.
# Apply the IPSec profile to the interface of RouterA.
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 192.168.1.1 24
[Huawei-Tunnel0/0/0] tunnel-protocol gre
[Huawei-Tunnel0/0/0] source 202.138.163.1
[Huawei-Tunnel0/0/0] destination 202.138.162.1
[Huawei-Tunnel0/0/0] ipsec profile profile1
[Huawei-Tunnel0/0/0] quit
# Apply the IPSec profile to the interface of RouterB.
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 192.168.1.2 24
[Huawei-Tunnel0/0/0] tunnel-protocol gre
[Huawei-Tunnel0/0/0] source 202.138.162.1
[Huawei-Tunnel0/0/0] destination 202.138.163.1
[Huawei-Tunnel0/0/0] ipsec profile profile2
Step 8 Verify the configuration.
Run the display ipsec profile command on RouterA and RouterB to view the configurations of
the IPSec profiles. Take the display on RouterA as an example.
[Huawei] display ipsec profile
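Before applying a configuration like the one in Steps 3 to 7, it is worth checking that every reference resolves and that the algorithms are still ones you want. This added script (not Huawei code) reads a pasted VRP session in the prompt-plus-command form shown above, groups commands by the object they belong to, and reports dangling references, a tunnel without an IPSec profile, and legacy algorithms; the sample session is RouterA's configuration assembled from the steps, and the 16-character pre-shared-key threshold is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

PROMPT = re.compile(r"^(\[[^\]]*\]|<[^>]*>)\s*")
OBJECT = re.compile(r"^(ike proposal|ike peer|ipsec proposal|ipsec profile|interface tunnel) (\S+)")
LEGACY_CIPHERS = {"des", "3des"}
LEGACY_HASHES = {"md5", "sha1"}
MIN_PSK_LEN = 16          # assumed policy threshold
Objects = Dict[str, Dict[str, List[str]]]


def parse_session(text: str) -> Objects:
    """objs['ipsec profile']['profile1'] == ['proposal tran1', 'ike-peer spub'].
    A prompt without '-' is the system view (assumes a sysname without '-')."""
    objs: Objects = defaultdict(dict)
    ctx = None
    for raw in text.splitlines():
        m = PROMPT.match(raw)
        prompt = m.group(1) if m else ""
        cmd = raw[m.end():].strip() if m else raw.strip()
        if not cmd or cmd == "system-view":
            continue
        if cmd == "quit":
            ctx = None
            continue
        obj = OBJECT.match(cmd)
        if obj and prompt.startswith("[") and "-" not in prompt:
            ctx = (obj.group(1), obj.group(2))        # new object at system view
            objs[ctx[0]].setdefault(ctx[1], [])
        elif ctx is not None:
            objs[ctx[0]][ctx[1]].append(cmd)         # e.g. 'ipsec profile p' inside a tunnel
    return objs


def audit(text: str) -> List[str]:
    objs = parse_session(text)
    findings: List[str] = []
    for name, cmds in objs.get("ike peer", {}).items():
        for parts in (c.split() for c in cmds):
            if parts[0] == "ike-proposal" and parts[1] not in objs.get("ike proposal", {}):
                findings.append(f"ike peer {name}: ike-proposal {parts[1]} is not defined")
            if parts[0] == "pre-shared-key" and len(parts[1]) < MIN_PSK_LEN:
                findings.append(f"ike peer {name}: pre-shared-key is only {len(parts[1])} characters")
    for name, cmds in objs.get("ipsec proposal", {}).items():
        for parts in (c.split() for c in cmds):
            if parts[:2] == ["esp", "encryption-algorithm"] and parts[2] in LEGACY_CIPHERS:
                findings.append(f"ipsec proposal {name}: legacy cipher {parts[2]}")
            elif parts[1:2] == ["authentication-algorithm"] and parts[2] in LEGACY_HASHES:
                findings.append(f"ipsec proposal {name}: legacy hash {parts[2]} for {parts[0]}")
    for name, cmds in objs.get("ipsec profile", {}).items():
        refs = {c.split()[0]: c.split()[1] for c in cmds if c.split()[0] in ("proposal", "ike-peer")}
        if refs.get("proposal") not in objs.get("ipsec proposal", {}):
            findings.append(f"ipsec profile {name}: proposal {refs.get('proposal')} is not defined")
        if refs.get("ike-peer") not in objs.get("ike peer", {}):
            findings.append(f"ipsec profile {name}: ike-peer {refs.get('ike-peer')} is not defined")
    for name, cmds in objs.get("interface tunnel", {}).items():
        keywords = {c.split()[0] for c in cmds}
        profile = next((c.split()[2] for c in cmds if c.startswith("ipsec profile ")), None)
        if profile is None:
            findings.append(f"Tunnel{name}: no ipsec profile applied, traffic is unprotected")
        elif profile not in objs.get("ipsec profile", {}):
            findings.append(f"Tunnel{name}: ipsec profile {profile} is not defined")
        if "tunnel-protocol gre" in cmds and "destination" not in keywords:
            findings.append(f"Tunnel{name}: point-to-point GRE needs a destination")
    return findings


# Constructed sample: RouterA's session from Steps 3 to 7 above.
ROUTER_A = """\
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] dh group5
[Huawei-ike-proposal-1] authentication-algorithm aes_xcbc_mac_96
[Huawei-ike-proposal-1] prf aes_xcbc_128
[Huawei-ike-proposal-1] quit
[Huawei] ike peer spub v2
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] quit
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] transform ah-esp
[Huawei-ipsec-proposal-tran1] ah authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm 3des
[Huawei-ipsec-proposal-tran1] quit
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] proposal tran1
[Huawei-ipsec-profile-profile1] ike-peer spub
[Huawei-ipsec-profile-profile1] quit
[Huawei] interface tunnel 0/0/0
[Huawei-Tunnel0/0/0] ip address 192.168.1.1 24
[Huawei-Tunnel0/0/0] tunnel-protocol gre
[Huawei-Tunnel0/0/0] source 202.138.163.1
[Huawei-Tunnel0/0/0] destination 202.138.162.1
[Huawei-Tunnel0/0/0] ipsec profile profile1
[Huawei-Tunnel0/0/0] quit
"""

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_A)))
```
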
6. BGP (Border Gateway Protocol)
BGP is a kind of EGP (Exterior Gateway Protocol).
BGP is a commonly used standard protocol.
Version used now: BGPv4.
BGP uses AS numbers to avoid routing loops.
Interior routing protocols: RIP/IGRP/OSPF/EIGRP/IS-IS.
Autonomous Systems
An AS (autonomous system) is a large network under one technical administration.
IGPs work within the same AS (autonomous system).
EGPs connect different ASs (autonomous systems).
AS ( Autonomous Systems )
Every AS has its own AS number.
Routing policy in each AS is independent.
AS number: 1 ~ 65535
X-GW-Routers#show running-config bgp
router bgp 24757
BGP is used among ASs
BGP is used among ASs to ensure that there is no loop in the network
When to use BGP?
BGP is suitable in the following situations:
• One AS allows data streams to pass through it to reach another AS (such as an ISP)
• One AS has several exits to other ASs
• One AS wants to control the data streams within itself
Of course, you need to be familiar with the operation and function of BGP to make
good use of it.
When do we not use BGP?
BGP is not effective in all situations. In the following situations we do not use BGP:
• There is only one exit to the Internet or to another AS
• Within your AS, you do not care about route policy and route selection
• The router is not powerful enough to handle many route changes and updates
• Understanding of route filtering and route selection is limited
• Bandwidth between ASs is limited
In these situations static routes can be used instead.
BGP Facts
BGP is a kind of enhanced distance vector routing protocol.
Transport protocol: TCP, port number 179.
Supports CIDR (classless inter-domain routing).
Route updates send only added routes.
Rich route filtering and route policy configuration.
Peers = Neighbors
Two routers establish a TCP connection between each other and exchange BGP routing
information after the TCP connection is established.
The relationship between them is called peer or neighbor.
BGP peers/neighbors are divided into two types: IBGP and EBGP.
• Internal BGP
• Neighbors/Peers are in the same AS
• Neighbors/Peers do not need to be directly connected
• External BGP
• Neighbors/Peers are in different ASs (autonomous systems)
• Neighbors/Peers are usually directly connected
Internal BGP
There can be several non-BGP routers between peers
BGP information can be passed through non-BGP topology
BGP message types
BGP has four kinds of messages:
• OPEN – used to establish BGP connection
• KEEPALIVE – used to keep BGP connection
• UPDATE – used to update or withdraw BGP route
• NOTIFICATION – BGP error notification
OPEN Messages
OPEN message is used to establish a BGP connection.
It includes the following contents:
• Version number
• AS number
• Hold time
• BGP identifier
• Optional parameters
BGP KEEPALIVE Message
By default, keepalive messages are sent every 60 seconds between peers.
Hold time interval is 180 seconds.
A keepalive message resets the Hold timer to 0. If the Hold timer expires, the peer is
regarded as dead.
A keepalive message is 19 bytes long.
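The message types above on the wire, as an added example that is not from the slides (RFC 4271 layout): a KEEPALIVE is nothing but the 19-byte header, an OPEN carries the version, AS number, hold time, BGP identifier and optional parameters, and a receiver that finds a malformed header or OPEN is the case the text describes as answered with a NOTIFICATION. The AS number and identifier used in the demo are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

MARKER = b"\xff" * 16                  # 16-byte all-ones marker
HEADER_LEN = 19                        # marker(16) + length(2) + type(1)
MAX_LEN = 4096
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4


@dataclass
class OpenMsg:
    version: int
    my_as: int
    hold_time: int
    bgp_id: str
    opt_params: bytes


def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_header(mtype: int, body: bytes = b"") -> bytes:
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body


def build_keepalive() -> bytes:
    """A KEEPALIVE has no body, hence the 19 bytes mentioned above."""
    return build_header(KEEPALIVE)


def build_open(my_as: int, hold_time: int, bgp_id: str, opt_params: bytes = b"") -> bytes:
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, _ipv4(bgp_id), len(opt_params))
    return build_header(OPEN, body + opt_params)


def parse_header(msg: bytes) -> Tuple[int, bytes]:
    """Return (type, body); any ValueError here is a header error that a
    peer would report with a NOTIFICATION before closing the session."""
    if len(msg) < HEADER_LEN or msg[:16] != MARKER:
        raise ValueError("connection not synchronised: bad marker")
    length, mtype = struct.unpack("!HB", msg[16:HEADER_LEN])
    if length != len(msg) or length > MAX_LEN:
        raise ValueError("bad message length")
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise ValueError("bad message type")
    return mtype, msg[HEADER_LEN:]


def parse_open(body: bytes) -> OpenMsg:
    if len(body) < 10:
        raise ValueError("OPEN body too short")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise ValueError("unsupported version number")
    if hold_time in (1, 2):            # must be 0 (no keepalives) or at least 3
        raise ValueError("unacceptable hold time")
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length mismatch")
    return OpenMsg(version, my_as, hold_time, ".".join(str(b) for b in bgp_id), body[10:])


def negotiate_timers(local_hold: int, peer_hold: int) -> Tuple[int, int]:
    """Hold time is the smaller of the two offers and keepalives go out every
    third of it, which is how the 180 s / 60 s defaults above relate."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


if __name__ == "__main__":
    msg = build_open(65108, 180, "10.1.1.1")          # constructed values
    mtype, body = parse_header(msg)
    print(mtype, parse_open(body), len(build_keepalive()))
```
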
BGP UPDATE Messages
Routes with the same attributes can be sent out in one update message.
Update messages are also used to withdraw unreachable routes.
If the routes are stable, no update messages are sent.
An update can be aimed only at the attributes of the routes.
Update packets, like keepalive packets, reset the hold timer.
BGP NOTIFICATION Messages
When an error is detected, a Notification message is sent out.
The Notification message closes the BGP session.
Possible error information: authentication failure, route loop, etc.
BGP connection status
Idle: the first state when BGP starts
Connect: BGP is waiting for the TCP connection to succeed
Active: BGP is retrying to establish the TCP connection
OpenSent: after the TCP connection succeeds, BGP sends an OPEN message and
waits for the OPEN message from the peer
OpenConfirm: after receiving the OPEN message from the neighbor, BGP waits for a Keepalive
message or a Notification message
Established: the final, stable state after the neighbors have finished negotiating; BGP
begins to exchange Update packets
BGP route announcing method
1—network command
In network mode, BGP imports the routes in the IP routing table one by one to BGP
routing tables.
The network mode is more accurate than the import mode.
2—import-route command
In import mode, IGP routes, including RIP, OSPF, and IS-IS routes, are imported into BGP
routing tables based on protocol type.
BGP can also import static routes and direct routes in import mode.
3—aggregate command
Aggregates routes into one summary route and advertises it to other BGP neighbors,
which can significantly reduce the size of the IP routing table.
BGP configuration steps
Enable the BGP routing process; <as-number> is the AS number of the router, 1~65535.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp]
The peer enable command enables a BGP device to exchange routes with a specified peer.
Enable a BGP device to exchange IPv4 routes with a specified peer.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp] peer 10.1.1.2 as-number 65108
[Huawei-bgp] ipv4-family unicast
[Huawei-bgp-af-ipv4] peer 10.1.1.2 enable
Enable a BGP device to exchange BGP-VPNv4 routes with a specified peer.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp] peer 10.1.1.2 as-number 65108
[Huawei-bgp] ipv4-family vpnv4
[Huawei-bgp-af-vpnv4] peer 10.1.1.2 enable
BGP configuration steps…
Example: Import routes from RIP process 1.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp] ipv4-family unicast
[Huawei-bgp-af-ipv4] import-route rip 1
Example: Configure BGP to import the local route 10.0.0.0/16 using the network
command.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp] ipv4-family unicast
[Huawei-bgp-af-ipv4] network 10.0.0.0 255.255.0.0
Example: Create an aggregated route.
The path used to advertise this route is an AS-SET consisting of all aggregated paths.
<Huawei> system-view
[Huawei] bgp 65108
[Huawei-bgp] ipv4-family unicast
[Huawei-bgp-af-ipv4] aggregate 172.16.0.0 255.255.0.0 as-set
BGP Troubleshooting Commands
display current-configuration configuration bgp
display bgp peer
display bgp peer verbose
display bgp routing-table peer IP_ADDR<X.X.X.X> advertised-routes
display bgp routing-table peer IP_ADDR<X.X.X.X> received-routes
display bgp vpnv4 all peer
display bgp vpnv4 all peer verbose
display bgp vpnv4 all routing-table
display bgp vpnv4 all routing-table peer IP_ADDR<X.X.X.X> advertised-routes
display bgp vpnv4 all routing-table peer IP_ADDR<X.X.X.X> received-routes
7.OSPF Configuration
OSPF (Open Shortest Path First)
OSPF is a link-state IGP. At present, OSPFv2 is intended for IPv4.
Defined by the Internet Engineering Task Force (IETF), the Open Shortest Path First (OSPF) protocol is an Interior Gateway Protocol (IGP) implemented on the basis of link state.
NOTE
In this document, OSPF refers to OSPFv2 unless otherwise specified.
OSPF Features
OSPF has the following features:
Wide applicability: OSPF is applicable to networks of various sizes, including networks consisting of hundreds of routers.
Fast convergence: once the network topology changes, Update packets are transmitted to synchronize the link state databases (LSDBs) of all routers within the Autonomous System (AS).
Loop-free: based on the collected link state, OSPF calculates routes with the shortest path tree algorithm, which guarantees loop-free routes.
Area division: an AS can be divided into areas to facilitate AS management. After area partitioning, an LSDB stores the routing information of the local area only. The reduction in LSDB size dramatically reduces memory and CPU usage, and less bandwidth is consumed because less routing information is transmitted within the AS.
Equal-cost routes: OSPF supports multiple equal-cost routes to the same destination.
Routing hierarchy: four types of routes are available, listed in descending order of priority: intra-area routes, inter-area routes, Type 1 external routes, and Type 2 external routes.
Authentication: area-based and interface-based packet authentication guarantees the security of packet exchange.
Multicast: multicast packets are transmitted only on certain types of links to reduce interference with other devices.
Process of OSPF Route Calculation
The process of calculating OSPF routes is as follows:
1. Based on the surrounding network topology, each OSPF device originates a Link State Advertisement (LSA) and transmits Update packets containing the LSAs to other OSPF devices.
2. Each OSPF device collects the LSAs from other devices; together these LSAs compose the LSDB. An LSA describes the network topology around a router, whereas the LSDB describes the network topology of the whole AS.
3. OSPF devices transform the LSDB into a weighted directed graph that reflects the topology of the entire network. All routers in the same area have the same graph.
4. From the directed graph, each router uses the Shortest Path First (SPF) algorithm to calculate the shortest path tree with itself as the root. The tree gives the routes to each node in the AS.
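Steps 3 and 4 above, carried out in code: an added Python example that is not from the slides or from Huawei. The LSDB and its link costs are constructed sample data, and the rule for reading a next hop off the tree (the tree node directly below the root on the destination's branch) is an assumption stated in the code.

```python
import heapq

# Constructed sample LSDB (not from the slides): each router's LSA lists its
# links as (neighbor, cost). The graph is directed, so a link may have a
# different cost in each direction, as OSPF interface costs can.
LSDB = {
    "R1": [("R2", 10), ("R3", 5)],
    "R2": [("R1", 10), ("R3", 3), ("R4", 1)],
    "R3": [("R1", 5), ("R2", 3), ("R4", 20)],
    "R4": [("R2", 1), ("R3", 20)],
}


def spf(lsdb, root):
    """Dijkstra's shortest path first over the LSDB graph, with `root`
    (the calculating router) as the tree root. Returns (cost, parent):
    cost[n] is the total path cost from root to n and parent[n] is the
    upstream node on the shortest path tree (None for the root itself)."""
    cost = {root: 0}
    parent = {root: None}
    done = set()
    candidates = [(0, root)]
    while candidates:
        d, node = heapq.heappop(candidates)
        if node in done:
            continue          # stale candidate entry, node already settled
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            nd = d + link_cost
            if nd < cost.get(nbr, float("inf")):
                cost[nbr] = nd
                parent[nbr] = node
                heapq.heappush(candidates, (nd, nbr))
    return cost, parent


def routing_table(lsdb, root):
    """Read routes off the tree: for each destination the next hop is the
    tree node directly below the root on that branch (assumption about how
    the slides' 'routes to each node' are derived from the tree)."""
    cost, parent = spf(lsdb, root)
    table = {}
    for dest in cost:
        if dest == root:
            continue
        hop = dest
        while parent[hop] != root:
            hop = parent[hop]
        table[dest] = (hop, cost[dest])
    return table


if __name__ == "__main__":
    for dest, (hop, c) in sorted(routing_table(LSDB, "R1").items()):
        print("R1 -> %s via %s, cost %d" % (dest, hop, c))
```

Running it from R1 shows that the direct R1-R2 link (cost 10) is not on the tree: R2 is reached via R3 at cost 8, and every router computing from its own root gets the same graph but a different tree.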
OSPF Area Division
Area Division
As the network expands, the number of routers increases, which leads to a large LSDB on each router and a heavy load on every router. OSPF solves this problem by dividing an AS into areas. An area is a logical group of devices, identified by an area ID. The border of an area lies on a router rather than on a link, and a network segment (or link) belongs to only one area. That is, the area to which each OSPF interface belongs must be specified.
After area division, route aggregation can be performed on area border routers to reduce the number of LSAs advertised to other areas. Route aggregation also minimizes the influence of topology changes.
Figure: OSPF area division
Router Types
OSPF routers are classified into the following types according to their locations in the AS:
• Internal routers
All interfaces of the routers of this type belong to the same OSPF area.
• Area border routers (ABRs)
The routers of this type can belong to more than two areas, but one of the areas must be a
backbone area. An ABR is used to connect the backbone area to the non-backbone areas.
An ABR can be physically or logically connected to the backbone area.
• Backbone routers
A minimum of one interface on the router of this type belongs to the backbone area.
Therefore, all ABRs and the internal nodes in Area 0 are backbone routers.
• AS boundary routers (ASBRs)
The router that exchanges routing information with other ASs is called an ASBR. The ASBR may
not be located on the boundary of an AS. It can be an internal router or an ABR. When an OSPF
device imports the external routing information, the device becomes an ASBR.
Figure: Types of OSPF routers
OSPF Network Types
OSPF classifies networks into four types according to the link layer protocol:
Broadcast: if the link layer protocol is Ethernet or FDDI, OSPF defaults the network type to broadcast. In this type of network:
– Hello packets and packets from the Designated Router (DR) are sent in multicast mode to 224.0.0.5 (the reserved IP multicast address for all OSPF routers).
– Link State Update (LSU) packets are sent to the DR in multicast mode to 224.0.0.6 (the reserved IP multicast address for the OSPF DR), and the DR forwards the LSU packets to 224.0.0.5.
– Database Description (DD) packets, Link State Request (LSR) packets, and all retransmitted packets are sent in unicast mode.
– Link State Acknowledgement (LSAck) packets are usually sent in multicast mode (224.0.0.5). When a router receives duplicate LSAs, or LSAs are deleted because their maximum lifetime has expired, LSAck packets are sent in unicast mode.
Non-Broadcast Multi-Access (NBMA): if the link layer protocol is Frame Relay, ATM, or X.25, OSPF defaults the network type to NBMA. In this type of network, protocol packets such as Hello, DD, LSR, LSU, and LSAck packets are transmitted in unicast mode.
OSPF Network Types cont’d
Point-to-Multipoint (P2MP): a P2MP network must be manually changed from another network type. In this type of network, Hello packets are transmitted in multicast mode (224.0.0.5); DD, LSR, LSU, and LSAck packets are transmitted in unicast mode.
Point-to-Point (P2P): if the link layer protocol is PPP, HDLC, or LAPB, OSPF defaults the network type to P2P. In this type of network, protocol packets such as Hello, DD, LSR, LSU, and LSAck packets are transmitted in multicast mode (224.0.0.5).
OSPF Network Types Summary
Configuring Basic OSPF Functions
Before configuring basic OSPF functions, you enable OSPF, specify the OSPF process and area, and establish OSPF neighbor relationships. Complete the following tasks first:
Configure a link layer protocol.
Configure IP addresses for interfaces to ensure that neighboring routers are reachable at the network layer.
• process-id specifies the process ID; the default value is 1.
• Each router ID in an OSPF process must be unique. Otherwise, the OSPF neighbor relationship cannot be established and the routing information is incorrect.
• If a VPN instance is specified, the OSPF process belongs to that VPN instance; if no VPN instance is specified, the OSPF process belongs to the public network instance.
• OSPF areas are classified into the backbone area, with area ID 0, and non-backbone areas.
Configuring cont’d
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
Step 3 Run:
area area-id
Step 4 Run:
network ip-address wildcard-mask [ description text ]
and other optional configurations (OSPF virtual link, route selection rules, OSPF priority, restricting the flooding of LSA Update packets, setting the interval at which an LSA packet is retransmitted).
Checking the Configuration
BFD Principle and Configuration
BFD
Bidirectional Forwarding Detection (BFD) is a unified detection mechanism used to rapidly detect link faults and monitor IP connectivity.
A network device must detect a communication fault between adjacent devices quickly so that the upper layer protocol can rectify the fault and prevent a service interruption. Once a fault is detected, a standby channel can be created immediately to restore communication and ensure network reliability.
BFD provides fast fault detection independent of media and routing protocols. It has the following advantages:
Rapidly detects link faults between neighboring network devices. The detected faults may occur on interfaces, data links, or forwarding engines.
Provides uniform detection for all media and protocol layers in real time.
BFD Cont’d
Reference standards and protocols
BFD Packet
BFD packets include BFD control packets and BFD echo packets.
BFD packet format
Vers: indicates the BFD version number. The current version number is 1.
Diag: indicates the cause of the last session status change on the local BFD system.
Meanings of the Diag field
Meanings of the sta field
Sta: indicates the local BFD status.
The following table describes the values and meanings of the Sta field.
BFD Detection Mechanism
Two systems set up a BFD session and periodically send BFD control packets along the path between them. If one system does not receive BFD control packets within a specified period, it considers that a fault has occurred on the path. BFD control packets are encapsulated in UDP packets with destination port 3784.
BFD echo packets provide a fault detection mechanism that does not rely on BFD control packets. One end sends a BFD echo packet to the peer end, which returns the received packet without processing it. The BFD protocol therefore does not define the format of BFD echo packets; the only requirement is that the transmitting end can distinguish between sessions based on the packet contents. BFD echo packets are encapsulated in UDP packets with destination port 3785.
BFD provides the following detection modes:
Asynchronous mode: two systems periodically send BFD control packets to each other. If one system receives no packets for a number of consecutive intervals, it considers the BFD session Down.
Demand mode: if many BFD sessions exist on a system, the cost of periodically sending BFD control packets affects system operation. Demand mode solves this problem: after BFD sessions are set up, the system does not periodically send BFD control packets but detects connectivity through other mechanisms, such as the Hello mechanism of a routing protocol or hardware detection, to reduce the cost of BFD sessions.
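An added Python example, not from the slides or from Huawei, that decodes the BFD control packet header described above (Vers, Diag, Sta, flags, discriminators and intervals, with the field layout and code points taken from RFC 5880 since the slides' tables did not survive), computes the asynchronous-mode detection time, and demultiplexes a packet onto a statically configured session such as the local 1 / remote 2 pair used in the single-hop configuration later in the slides. The sample packet bytes are constructed.

```python
import struct

BFD_CONTROL_PORT = 3784  # UDP destination port of BFD control packets
BFD_ECHO_PORT = 3785     # UDP destination port of BFD echo packets

# Diag and Sta code points as defined in RFC 5880 (the slides' tables were lost).
DIAG = {0: "No Diagnostic", 1: "Control Detection Time Expired",
        2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
        4: "Forwarding Plane Reset", 5: "Path Down",
        6: "Concatenated Path Down", 7: "Administratively Down",
        8: "Reverse Concatenated Path Down"}
STA = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
HEADER = "!BBBBIIIII"  # mandatory 24-byte control packet header


def parse_bfd_control(data):
    """Decode the mandatory BFD control packet header (RFC 5880, section 4.1).
    Vers is the top 3 bits of byte 0 and Diag the low 5 bits; Sta is the top
    2 bits of byte 1, followed by the P, F, C, A, D and M flag bits."""
    if len(data) < struct.calcsize(HEADER):
        raise ValueError("BFD control packet shorter than the 24-byte header")
    (b0, b1, mult, length, my_disc, your_disc,
     tx, rx, echo_rx) = struct.unpack(HEADER, data[:24])
    if length < 24 or length > len(data):
        raise ValueError("Length field %d inconsistent with packet" % length)
    if mult == 0 or my_disc == 0:
        # RFC 5880 requires the packet to be discarded in either case.
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    return {
        "vers": b0 >> 5, "diag": DIAG.get(b0 & 0x1F, "Reserved"),
        "sta": STA[b1 >> 6],
        "poll": bool(b1 & 0x20), "final": bool(b1 & 0x10),
        "cpi": bool(b1 & 0x08), "auth": bool(b1 & 0x04),
        "demand": bool(b1 & 0x02), "multipoint": bool(b1 & 0x01),
        "detect_mult": mult, "length": length,
        "my_disc": my_disc, "your_disc": your_disc,
        "desired_min_tx_us": tx, "required_min_rx_us": rx,
        "required_min_echo_rx_us": echo_rx,
    }


def matches_session(pkt, local_disc, remote_disc):
    """Demultiplex a received packet onto a statically configured session:
    Your Discriminator must name our local discriminator, and because the
    remote discriminator is configured rather than learned (as on the slides),
    My Discriminator must equal it as well."""
    return pkt["your_disc"] == local_disc and pkt["my_disc"] == remote_disc


def detection_time_us(local_required_min_rx_us, pkt):
    """Asynchronous-mode detection time (RFC 5880, section 6.8.4): the remote
    Detect Mult times the agreed transmit interval, i.e. the larger of our
    Required Min RX Interval and the peer's Desired Min TX Interval."""
    return pkt["detect_mult"] * max(local_required_min_rx_us,
                                    pkt["desired_min_tx_us"])


# Constructed sample: a control packet Router B would send to Router A for the
# session configured on the slides (A: local 1 / remote 2, B: local 2 / remote 1).
# Vers 1, Diag 0, Sta Up (3), no flags, Detect Mult 3, 1 s TX/RX intervals.
SAMPLE_FROM_B = struct.pack(HEADER, 0x20, 0xC0, 3, 24, 2, 1,
                            1_000_000, 1_000_000, 0)

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE_FROM_B)
    print(pkt["sta"], pkt["diag"], matches_session(pkt, 1, 2))
    print("detection time (us):", detection_time_us(1_000_000, pkt))
```

The discriminator check is why the local and remote values on the two routers must be mirror images: a packet whose Your Discriminator does not name a local session is dropped rather than bringing an unrelated session Up.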
BFD Session Establishment Modes
BFD sessions can be set up statically and dynamically.
Static and dynamic BFD sessions differ in that local and remote discriminators are
configured in different modes.
BFD uses local and remote discriminators in control packets to differentiate BFD
sessions.
BFD Session Establishment Modes
Static BFD sessions with manually specified discriminators
Static BFD sessions with automatically negotiated discriminators
Dynamic BFD sessions triggered by a protocol
Single-hop BFD
Common BFD sessions can be established on the following types of interfaces:
Physical interfaces: Layer 3 Ethernet interfaces, serial interfaces (including synchronous SA interfaces, E1 interfaces, CE1/CT1/PRI interfaces, and CPOS interfaces), and ATM interfaces (including ADSL interfaces and G.SHDSL interfaces).
Logical interfaces: Ethernet sub-interfaces (including Dot1q sub-interfaces and QinQ sub-interfaces), dialer interfaces, VLANIF interfaces, Layer 3 Eth-Trunk interfaces, virtual Ethernet interfaces, virtual template interfaces, MP-Group interfaces, MFR interfaces, serial sub-interfaces, channelized serial sub-interfaces, MFR sub-interfaces, ATM sub-interfaces, and Eth-Trunk sub-interfaces (Dot1q sub-interfaces).
The BFD echo function is only applicable to single-hop BFD sessions.
Fig. Networking diagram for the BFD echo function
BFD can be used for:
VRRP
Routing protocols (static routes, RIP, BGP, OSPF, IS-IS)
PIM (Protocol Independent Multicast)
Configuring Single-hop BFD
The BFD echo function is only applicable to single-hop BFD sessions.
Pre-configuration Tasks
Before configuring single-hop BFD, complete the following tasks:
Connect each interface correctly.
Configure IP addresses for the Layer 3 interfaces.
To configure single-hop BFD, you need the following data:
Figure: Networking diagram of single-hop BFD on a Layer 3 link
Configuring Single-hop BFD
Procedure
Step 1 Configure IP addresses for directly-connected interfaces on Router A and Router B.
//Configure the IP address of the interface on Router A.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
//Configure the IP address of the interface on Router B.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
Step 2 Configure single-hop BFD.
# Enable BFD on Router A, create a BFD session between Router A and Router B, and bind
Router A's interface to the BFD session.
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bfd atob bind peer-ip 10.1.1.2 interface gigabitethernet 1/0/0
[RouterA-bfd-session-atob] discriminator local 1
[RouterA-bfd-session-atob] discriminator remote 2
[RouterA-bfd-session-atob] commit
[RouterA-bfd-session-atob] quit
# Enable BFD on Router B, set up the BFD session between Router B and Router A, and bind
Router B's interface to the BFD session.
[RouterB] bfd
[RouterB-bfd] quit
[RouterB] bfd btoa bind peer-ip 10.1.1.1 interface gigabitethernet 1/0/0
[RouterB-bfd-session-btoa] discriminator local 2
[RouterB-bfd-session-btoa] discriminator remote 1
[RouterB-bfd-session-btoa] commit
[RouterB-bfd-session-btoa] quit
Step 3 Verify the configuration.
# display bfd session all verbose
Configuring Single-hop BFD for VLANIF
A single-hop BFD session is configured on VLANIF interfaces to rapidly check direct links between the VLANIF interfaces.
The configuration roadmap is as follows:
1. Configure a VLAN based on the interface.
2. Configure a single-hop BFD session between VLANIF interfaces.
Procedure
Step 1 Configure VLAN 10.
# Configure VLAN 10 on Router A.
<RouterA> system-view
[RouterA] interface ethernet 0/0/1
[RouterA-Ethernet0/0/1] port link-type access
[RouterA-Ethernet0/0/1] quit
[RouterA] vlan 10
[RouterA-vlan10] port ethernet 0/0/1
[RouterA-vlan10] quit
[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 110.1.1.1 24
[RouterA-Vlanif10] quit
# Configure VLAN 10 on Router B.
<RouterB> system-view
[RouterB] interface ethernet 0/0/1
[RouterB-Ethernet0/0/1] port link-type access
[RouterB-Ethernet0/0/1] quit
[RouterB] vlan 10
[RouterB-vlan10] port ethernet 0/0/1
[RouterB-vlan10] quit
[RouterB] interface vlanif 10
[RouterB-Vlanif10] ip address 110.1.1.2 24
[RouterB-Vlanif10] quit
# Check the VLANIF interface and connectivity between the two routers.
[RouterA] display interface vlanif 10
[RouterA] ping -a 110.1.1.1 110.1.1.2
Step 3 Verify the configuration.
<RouterA> display bfd session all
Configuring Multi-hop BFD
A BFD session is created on both ends of a multi-hop path to quickly detect faults along the multi-hop path.
Figure: Networking diagram of multi-hop BFD
Procedure
Step 1 Configure reachable routes between Router A, Router B, and Router C.
In this example, static routes are used. The detailed configurations are not provided.
Step 2 Configure multi-hop BFD between Router A and Router C.
# Configure a BFD session between Router A and Router C.
The interface is not bound to the BFD session.
<RouterA> system-view
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bfd atoc bind peer-ip 10.2.1.2
[RouterA-bfd-session-atoc] discriminator local 10
[RouterA-bfd-session-atoc] discriminator remote 20
[RouterA-bfd-session-atoc] commit
[RouterA-bfd-session-atoc] quit
# Configure a BFD session between Router C and Router A.
The interface is not bound to the BFD session.
<RouterC> system-view
[RouterC] bfd
[RouterC-bfd] quit
[RouterC] bfd ctoa bind peer-ip 10.1.1.1
[RouterC-bfd-session-ctoa] discriminator local 20
[RouterC-bfd-session-ctoa] discriminator remote 10
[RouterC-bfd-session-ctoa] commit
[RouterC-bfd-session-ctoa] quit
BFD one-arm-echo
Usage Scenario
Of two directly connected devices, one supports BFD and the other does not. To rapidly detect forwarding failures between the two devices, configure a BFD session supporting the BFD echo function on the BFD-capable device. That device sends an Echo Request packet to the remote device, which sends the packet back along the same path, so that the connectivity of the forwarding link is detected.
When you configure a BFD session supporting the BFD echo function:
• If source-ip is specified, a URPF (Unicast Reverse Path Forwarding)-enabled device does not incorrectly discard the BFD packets. Ensure that the source IP address is correct: the system only checks whether the address is valid (for example, it cannot be a multicast or broadcast address), not whether it is correct.
• If a VPN instance is specified, BFD detects the one-hop link in that VPN instance.
A BFD session supporting the BFD echo function differs from a common BFD session as follows:
When configuring a BFD session supporting the BFD echo function, you can specify only local discr-value in the discriminator command.
You can run only the min-echo-rx-interval command to change the interval for receiving BFD packets.
BFD one-arm-echo
NOTE:
• If the IP address of an outbound interface is changed after a BFD session is configured, the
source IP address of BFD packets is not updated.
• The BFD echo function is only applicable to single-hop BFD sessions.
• After the bfd one-arm-echo command is executed, run the commit command to commit the
configuration to make the configuration take effect.
Example
# Configure a BFD session test supporting the BFD echo function.
<Huawei> system-view
[Huawei] bfd
[Huawei-bfd] quit
[Huawei] bfd test bind peer-ip 10.10.10.1 interface gigabitethernet 1/0/0 one-arm-echo
[Huawei-bfd-session-test] discriminator local 100
[Huawei-bfd-session-test] min-echo-rx-interval 100
[Huawei-bfd-session-test] commit
Apply the same configuration to the second link, and configure default routes bound to the BFD sessions above with different preference values (primary and secondary), for example:
# ip route-static 0.0.0.0 0.0.0.0 10.134.198.101 preference 20 track bfd-session test
NAT and DHCP configurations
NAT
Network Address Translation (NAT) translates the IP address in an IP datagram header to another IP address.
Why NAT:
1. NAT translates a host's private IP address to a public IP address, enabling access to the Internet.
2. It alleviates the IPv4 address shortage.
3. It protects private networks against external attacks, greatly improving network security.
NAT and DHCP configurations
NAT implementation: dynamic NAT
Configuring Outbound NAT
The address pool used by outbound NAT holds the set of public IP addresses used by dynamic NAT. When dynamic NAT is performed, an address is selected from the address pool for the translation.
To access external networks through dynamic NAT, intranet users can choose one of the following modes based on their public IP address plan:
1. After the IP addresses of the outbound interfaces and other applications on the NAT device have been configured, some public IP addresses remain available. Users can choose outbound NAT with an address pool.
2. After the IP addresses of the outbound interfaces and other applications on the NAT device have been configured, no public IP addresses remain available. Users can choose Easy IP, which uses the IP address of the outbound interface on the NAT device to implement dynamic NAT.
1. Configuring ACL Rules
NAT verification
1. Configured dynamic NAT
2. NAT translation
DHCP
The Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses to users
and manages user configurations in a centralized manner.
DHCP uses the client/server model. A DHCP client sends a packet to a DHCP server to
request configuration parameters such as the IP address, subnet mask, and default
gateway address. The DHCP server responds with a packet carrying the requested
configurations based on a policy.
DHCP configuration
1. Enable DHCP
2. Define the DHCP pool
3. Enable clients on the LAN to obtain DHCP parameters from the global pool
DHCP verification
Q&A
THANK YOU!