Network Deployment for a Tobacco Company (Aggregation Switches Functioning as Gateways and Routers Functioning as Egresses)
Application Scenario and Service Requirements
Application Scenario
This example describes the network deployment of a tobacco company in China. In this scenario, aggregation switches function as gateways and core switches are used to ensure network communication and reliability.
Service Requirements
- Communication requirements
The tobacco company can communicate with banks, the State Tobacco Monopoly Administration (STMA for short), the provincial company, and branches.
Internet users can access the internal server, which does not need to access the Internet.
NAT is configured on egress routers to enable communication between the intranet and extranets.
- Reliability requirements
Ensure network reliability by configuring RSTP, VRRP, BFD for OSPF, and CSS.
Ensure link reliability through route backup.
- Security requirements
Ensure intranet security by configuring security policies on egress routers to restrict access from extranet users.
Solution Design
Networking Diagram
Service Design
- Communication design
- Aggregation switches function as gateways to connect the access layer with the core layer.
- Core switches are connected to multiple routers, including the router of bank branches and egress routers of the STMA, provincial company, branch office A, and other branches.
- NAT is configured on egress routers to enable communication between the intranet and extranets.
- Reliability design
- Access switches are dual-homed to aggregation switches, and RSTP is configured to prevent loops between the access switches and aggregation switches.
- Eth-Trunks are configured between aggregation switches and core switches to enhance link reliability.
- VRRP is deployed on aggregation switches to improve gateway reliability.
- BFD for OSPF is configured to ensure route reliability.
- Core switches set up a CSS to improve network reliability.
- Two egress routers are deployed and OSPF is configured to improve the reliability of egress routes.
- Security design
- Traffic policies are configured on egress routers to restrict access from extranet users, ensuring intranet security.
Device Requirements and Versions
Table 2-139 lists the products and their software versions used in this example.
Deployment Roadmap and Data Plan
Deployment Roadmap
Step | Procedure | Devices Involved | Remarks |
---|---|---|---|
1 | Deploy a CSS and configure MAD for the CSS to reduce the impact of a CSS split on the network. | Core switches | Use MAD in direct mode. |
2 | Configure VLANs and add interfaces to VLANs to implement Layer 2 connectivity. | Access switches, aggregation switches, and core switches | VLANs are configured on core switches so that VLANIF interfaces can be configured. |
3 | Configure STP to prevent loops between access switches and aggregation switches. | Access switches and aggregation switches | Use the RSTP mode. By default, STP is enabled on switches and all interfaces. The interfaces on access switches connected to servers and on aggregation switches connected to core switches do not participate in STP calculation. |
4 | Configure IP addresses for interfaces. | Aggregation switches, core switches, and egress routers | - |
5 | Configure VRRP to implement gateway backup and improve gateway stability. | Aggregation switches | - |
6 | Configure OSPF, static routes, and routing policies to ensure Layer 3 network connectivity. | Aggregation switches, core switches, and egress routers | - |
7 | Configure BFD for OSPF to implement fast link fault detection, improving routing protocol reliability. | Aggregation switches, core switches, and egress routers | - |
8 | Configure NAT on egress routers to implement mutual access between the intranet and extranets. | Egress routers | - |
9 | Configure security policies on egress routers to restrict access rights of extranet users, improving network security. | Egress routers | - |
Data Plan
Product Name | Parameter | Description |
---|---|---|
S5735-L-01 | VLANs 100, 101, 102, 103, and 1001 | VLANs to which servers belong |
S5735-L-02 | VLANs 100, 101, 102, 103, and 1001 | VLANs to which servers belong |
S5731-H-01 | VLANIF 100: 10.1.1.3/27; VLANIF 101: 10.1.1.33/27; VLANIF 102: 10.1.1.97/27; VLANIF 103: 10.1.1.129/27; VLANIF 1001: 10.1.1.193/27 | VLANIF interfaces for connecting to servers |
S5731-H-01 | VLANIF 1202: 172.16.6.18/29 | VLANIF interface for connecting to the core switches |
S5731-H-01 | Loopback 0: 172.16.0.4/32 | Router ID |
S5731-H-02 | VLANIF 100: 10.1.1.4/27; VLANIF 101: 10.1.1.34/27; VLANIF 102: 10.1.1.98/27; VLANIF 103: 10.1.1.130/27; VLANIF 1001: 10.1.1.194/27 | VLANIF interfaces for connecting to servers |
S5731-H-02 | VLANIF 1203: 172.16.6.26/29 | VLANIF interface for connecting to the core switches |
S5731-H-02 | Loopback 0: 172.16.0.5/32 | Router ID |
S12700E-8 | VLANIF 1200: 172.16.10.1/29 | VLANIF interface for connecting to Router-02 |
S12700E-8 | VLANIF 1201: 172.16.11.1/29 | VLANIF interface for connecting to Router-01 |
S12700E-8 | VLANIF 1202: 172.16.6.17/29 | VLANIF interface for connecting to S5731-H-01. IP address of S5731-H-01: 172.16.6.18/29 |
S12700E-8 | VLANIF 1203: 172.16.6.25/29 | VLANIF interface for connecting to S5731-H-02. IP address of S5731-H-02: 172.16.6.26/29 |
S12700E-8 | VLANIF 1005: 172.16.1.1/30 | VLANIF interface for connecting to banks |
S12700E-8 | VLANIF 1004: 172.16.2.1/30 | VLANIF interface for connecting to banks (as a backup) |
S12700E-8 | Loopback 0: 172.16.0.2/32 | Router ID |
Router-01 | Loopback 0: 172.16.0.1/32 | Router ID |
Router-01 | Serial1/0/0: 2.2.2.2/29 | Interface for connecting to the provincial company |
Router-01 | GigabitEthernet0/0/0: 192.0.2.2/29 | Interface for connecting to the Internet |
Router-01 | GigabitEthernet0/0/1: 172.16.1.161/28 | Interface for connecting to the branch |
Router-01 | GigabitEthernet0/0/2: 172.16.11.2/29 | Interface for connecting to the CSS set up by the core switches. IP address of the CSS set up by the core switches: 172.16.11.1/29 |
Router-01 | GigabitEthernet0/0/3: 172.16.6.1/29 | Interface for connecting to Router-02 |
Router-01 | GigabitEthernet2/0/0: 3.3.3.2/29 | Interface for connecting to the router 1 at the STMA |
Router-01 | GigabitEthernet2/0/1: 4.4.4.2/29 | Interface for connecting to the router 2 at the STMA |
Router-01 | GigabitEthernet2/0/3: 6.6.6.2/29 | Interface for connecting to branch office A |
Router-02 | Loopback 0: 172.16.0.3/32 | Router ID |
Router-02 | GigabitEthernet0/0/2: 172.16.10.2/29 | Interface for connecting to the CSS set up by the core switches. IP address of the CSS set up by the core switches: 172.16.10.1/29 |
Router-02 | GigabitEthernet0/0/3: 172.16.6.2/29 | Interface for connecting to Router-01 |
Procedure
Deploying a Cluster
- Deploy a cluster.
Configure the two core switches (S12700E-8) to set up a CSS. For details, see Typical CSS and Stack Deployment.
- Configure MAD for the CSS.
<HUAWEI> system-view
[HUAWEI] sysname S12700E-8
[S12700E-8] interface gigabitethernet1/1/0/45
[S12700E-8-GigabitEthernet1/1/0/45] description TO GE2/1/0/45
[S12700E-8-GigabitEthernet1/1/0/45] mad detect mode direct
[S12700E-8-GigabitEthernet1/1/0/45] quit
[S12700E-8] interface gigabitethernet2/1/0/45
[S12700E-8-GigabitEthernet2/1/0/45] description TO GE1/1/0/45
[S12700E-8-GigabitEthernet2/1/0/45] mad detect mode direct
[S12700E-8-GigabitEthernet2/1/0/45] quit
Configuring VLANs
- Configure VLANs on the access switch S5735-L-01 and add interfaces to the VLANs to implement Layer 2 connectivity.
# Create VLANs 100 to 103 and 1001 to which downstream servers belong.
<HUAWEI> system-view
[HUAWEI] sysname S5735-L-01
[S5735-L-01] vlan batch 100 to 103 1001
# Add downlink interfaces to the corresponding VLANs to which the servers belong.
[S5735-L-01] interface GigabitEthernet 0/0/5
[S5735-L-01-GigabitEthernet0/0/5] port link-type access
[S5735-L-01-GigabitEthernet0/0/5] port default vlan 100
[S5735-L-01-GigabitEthernet0/0/5] quit
[S5735-L-01] interface GigabitEthernet 0/0/6
[S5735-L-01-GigabitEthernet0/0/6] port link-type access
[S5735-L-01-GigabitEthernet0/0/6] port default vlan 101
[S5735-L-01-GigabitEthernet0/0/6] quit
[S5735-L-01] interface GigabitEthernet 0/0/7
[S5735-L-01-GigabitEthernet0/0/7] port link-type access
[S5735-L-01-GigabitEthernet0/0/7] port default vlan 102
[S5735-L-01-GigabitEthernet0/0/7] quit
[S5735-L-01] interface GigabitEthernet 0/0/8
[S5735-L-01-GigabitEthernet0/0/8] port link-type access
[S5735-L-01-GigabitEthernet0/0/8] port default vlan 103
[S5735-L-01-GigabitEthernet0/0/8] quit
[S5735-L-01] interface GigabitEthernet 0/0/9
[S5735-L-01-GigabitEthernet0/0/9] port link-type access
[S5735-L-01-GigabitEthernet0/0/9] port default vlan 1001
[S5735-L-01-GigabitEthernet0/0/9] quit
# Configure uplink interfaces to transparently transmit packets from the VLANs to which the servers belong.
[S5735-L-01] interface GigabitEthernet 0/0/1
[S5735-L-01-GigabitEthernet0/0/1] port link-type trunk
[S5735-L-01-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 103 1001
[S5735-L-01-GigabitEthernet0/0/1] quit
[S5735-L-01] interface GigabitEthernet 0/0/2
[S5735-L-01-GigabitEthernet0/0/2] port link-type trunk
[S5735-L-01-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 103 1001
[S5735-L-01-GigabitEthernet0/0/2] quit
- Configure VLANs on the access switch S5735-L-02 and add interfaces to the VLANs to implement Layer 2 connectivity.
# Create VLANs 100 to 103 and 1001 to which downstream servers belong.
<HUAWEI> system-view
[HUAWEI] sysname S5735-L-02
[S5735-L-02] vlan batch 100 to 103 1001
# Add downlink interfaces to the corresponding VLANs to which the servers belong.
[S5735-L-02] interface GigabitEthernet 0/0/5
[S5735-L-02-GigabitEthernet0/0/5] port link-type access
[S5735-L-02-GigabitEthernet0/0/5] port default vlan 100
[S5735-L-02-GigabitEthernet0/0/5] quit
[S5735-L-02] interface GigabitEthernet 0/0/6
[S5735-L-02-GigabitEthernet0/0/6] port link-type access
[S5735-L-02-GigabitEthernet0/0/6] port default vlan 101
[S5735-L-02-GigabitEthernet0/0/6] quit
[S5735-L-02] interface GigabitEthernet 0/0/7
[S5735-L-02-GigabitEthernet0/0/7] port link-type access
[S5735-L-02-GigabitEthernet0/0/7] port default vlan 102
[S5735-L-02-GigabitEthernet0/0/7] quit
[S5735-L-02] interface GigabitEthernet 0/0/8
[S5735-L-02-GigabitEthernet0/0/8] port link-type access
[S5735-L-02-GigabitEthernet0/0/8] port default vlan 103
[S5735-L-02-GigabitEthernet0/0/8] quit
[S5735-L-02] interface GigabitEthernet 0/0/9
[S5735-L-02-GigabitEthernet0/0/9] port link-type access
[S5735-L-02-GigabitEthernet0/0/9] port default vlan 1001
[S5735-L-02-GigabitEthernet0/0/9] quit
# Configure uplink interfaces to transparently transmit packets from the VLANs to which the servers belong.
[S5735-L-02] interface GigabitEthernet 0/0/1
[S5735-L-02-GigabitEthernet0/0/1] port link-type trunk
[S5735-L-02-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 103 1001
[S5735-L-02-GigabitEthernet0/0/1] quit
[S5735-L-02] interface GigabitEthernet 0/0/2
[S5735-L-02-GigabitEthernet0/0/2] port link-type trunk
[S5735-L-02-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 103 1001
[S5735-L-02-GigabitEthernet0/0/2] quit
- Configure VLANs on the aggregation switch S5731-H-01 and add interfaces to the VLANs.
# Create VLANs 100 to 103 and 1001 to which the servers belong, and VLAN 1202 to which the interface connected to the core switches belongs.
<HUAWEI> system-view
[HUAWEI] sysname S5731-H-01
[S5731-H-01] vlan batch 100 to 103 1001 1202
# Add the downlink interfaces connected to access switches to VLANs 100 to 103 and 1001.
[S5731-H-01] interface GigabitEthernet 0/0/3
[S5731-H-01-GigabitEthernet0/0/3] port link-type trunk
[S5731-H-01-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-01-GigabitEthernet0/0/3] quit
[S5731-H-01] interface GigabitEthernet 0/0/4
[S5731-H-01-GigabitEthernet0/0/4] port link-type trunk
[S5731-H-01-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-01-GigabitEthernet0/0/4] quit
# Add the interface connected to the aggregation switch S5731-H-02 to VLANs 100 to 103 and 1001.
[S5731-H-01] interface GigabitEthernet 0/0/13
[S5731-H-01-GigabitEthernet0/0/13] port link-type trunk
[S5731-H-01-GigabitEthernet0/0/13] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-01-GigabitEthernet0/0/13] quit
# Create Eth-Trunk 1 for communicating with the core switches, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.
[S5731-H-01] interface Eth-Trunk1
[S5731-H-01-Eth-Trunk1] port link-type access
[S5731-H-01-Eth-Trunk1] trunkport xgigabitethernet 0/0/1
[S5731-H-01-Eth-Trunk1] trunkport xgigabitethernet 0/0/2
# Add Eth-Trunk 1 to VLAN 1202.
[S5731-H-01-Eth-Trunk1] port link-type access
[S5731-H-01-Eth-Trunk1] port default vlan 1202
[S5731-H-01-Eth-Trunk1] quit
- Configure VLANs on the aggregation switch S5731-H-02 and add interfaces to the VLANs.
# Create VLANs 100 to 103 and 1001 to which servers belong, and VLAN 1203 to which the interface connected to the core switches belongs.
<HUAWEI> system-view
[HUAWEI] sysname S5731-H-02
[S5731-H-02] vlan batch 100 to 103 1001 1203
# Add the downlink interfaces connected to access switches to VLANs 100 to 103 and 1001.
[S5731-H-02] interface GigabitEthernet 0/0/3
[S5731-H-02-GigabitEthernet0/0/3] port link-type trunk
[S5731-H-02-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-02-GigabitEthernet0/0/3] quit
[S5731-H-02] interface GigabitEthernet 0/0/4
[S5731-H-02-GigabitEthernet0/0/4] port link-type trunk
[S5731-H-02-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-02-GigabitEthernet0/0/4] quit
# Add the interface connected to the aggregation switch S5731-H-01 to VLANs 100 to 103 and 1001.
[S5731-H-02] interface GigabitEthernet 0/0/13
[S5731-H-02-GigabitEthernet0/0/13] port link-type trunk
[S5731-H-02-GigabitEthernet0/0/13] port trunk allow-pass vlan 100 to 103 1001
[S5731-H-02-GigabitEthernet0/0/13] quit
# Create Eth-Trunk 2 for communicating with the core switches, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 2.
[S5731-H-02] interface Eth-Trunk2
[S5731-H-02-Eth-Trunk2] port link-type access
[S5731-H-02-Eth-Trunk2] trunkport xgigabitethernet 0/0/1
[S5731-H-02-Eth-Trunk2] trunkport xgigabitethernet 0/0/2
# Add Eth-Trunk 2 to VLAN 1203.
[S5731-H-02-Eth-Trunk2] port link-type access
[S5731-H-02-Eth-Trunk2] port default vlan 1203
[S5731-H-02-Eth-Trunk2] quit
- Configure VLANs on the core switches S12700E-8 and add interfaces to the VLANs.
# Create VLANs.
[S12700E-8] vlan batch 1004 to 1005 1200 to 1203
# Add downlink interfaces to corresponding VLANs.
[S12700E-8] interface Eth-Trunk1
[S12700E-8-Eth-Trunk1] trunkport gigabitethernet 1/1/0/46
[S12700E-8-Eth-Trunk1] trunkport gigabitethernet 2/1/0/46
[S12700E-8-Eth-Trunk1] port link-type access
[S12700E-8-Eth-Trunk1] port default vlan 1202
[S12700E-8-Eth-Trunk1] quit
[S12700E-8] interface Eth-Trunk2
[S12700E-8-Eth-Trunk2] trunkport gigabitethernet 1/1/0/47
[S12700E-8-Eth-Trunk2] trunkport gigabitethernet 2/1/0/47
[S12700E-8-Eth-Trunk2] port link-type access
[S12700E-8-Eth-Trunk2] port default vlan 1203
[S12700E-8-Eth-Trunk2] quit
# Add uplink interfaces to corresponding VLANs.
[S12700E-8] interface gigabitethernet1/1/0/1
[S12700E-8-GigabitEthernet1/1/0/1] description YinHang
[S12700E-8-GigabitEthernet1/1/0/1] port link-type access
[S12700E-8-GigabitEthernet1/1/0/1] port default vlan 1005
[S12700E-8-GigabitEthernet1/1/0/1] quit
[S12700E-8] interface gigabitethernet2/1/0/1
[S12700E-8-GigabitEthernet2/1/0/1] description YinHang-bei
[S12700E-8-GigabitEthernet2/1/0/1] port link-type access
[S12700E-8-GigabitEthernet2/1/0/1] port default vlan 1004
[S12700E-8-GigabitEthernet2/1/0/1] quit
[S12700E-8] interface gigabitethernet1/1/0/44
[S12700E-8-GigabitEthernet1/1/0/44] description TO-Router-01 GE0/0/2
[S12700E-8-GigabitEthernet1/1/0/44] port link-type access
[S12700E-8-GigabitEthernet1/1/0/44] port default vlan 1201
[S12700E-8-GigabitEthernet1/1/0/44] quit
[S12700E-8] interface gigabitethernet2/1/0/44
[S12700E-8-GigabitEthernet2/1/0/44] description TO-Router-02 GE0/0/2
[S12700E-8-GigabitEthernet2/1/0/44] port link-type access
[S12700E-8-GigabitEthernet2/1/0/44] port default vlan 1200
[S12700E-8-GigabitEthernet2/1/0/44] quit
Configuring STP
- Configure STP on the access switch S5735-L-01.
# Enable STP and set the STP mode to RSTP.
[S5735-L-01] stp enable
[S5735-L-01] stp mode rstp
# Disable STP on the downlink interfaces connected to the servers.
[S5735-L-01] interface GigabitEthernet 0/0/5
[S5735-L-01-GigabitEthernet0/0/5] stp disable
[S5735-L-01-GigabitEthernet0/0/5] quit
[S5735-L-01] interface GigabitEthernet 0/0/6
[S5735-L-01-GigabitEthernet0/0/6] stp disable
[S5735-L-01-GigabitEthernet0/0/6] quit
[S5735-L-01] interface GigabitEthernet 0/0/7
[S5735-L-01-GigabitEthernet0/0/7] stp disable
[S5735-L-01-GigabitEthernet0/0/7] quit
[S5735-L-01] interface GigabitEthernet 0/0/8
[S5735-L-01-GigabitEthernet0/0/8] stp disable
[S5735-L-01-GigabitEthernet0/0/8] quit
[S5735-L-01] interface GigabitEthernet 0/0/9
[S5735-L-01-GigabitEthernet0/0/9] stp disable
[S5735-L-01-GigabitEthernet0/0/9] quit
- Configure STP on the access switch S5735-L-02.
# Enable STP and set the STP mode to RSTP.
[S5735-L-02] stp enable
[S5735-L-02] stp mode rstp
# Disable STP on the downlink interfaces connected to the servers.
[S5735-L-02] interface GigabitEthernet 0/0/5
[S5735-L-02-GigabitEthernet0/0/5] stp disable
[S5735-L-02-GigabitEthernet0/0/5] quit
[S5735-L-02] interface GigabitEthernet 0/0/6
[S5735-L-02-GigabitEthernet0/0/6] stp disable
[S5735-L-02-GigabitEthernet0/0/6] quit
[S5735-L-02] interface GigabitEthernet 0/0/7
[S5735-L-02-GigabitEthernet0/0/7] stp disable
[S5735-L-02-GigabitEthernet0/0/7] quit
[S5735-L-02] interface GigabitEthernet 0/0/8
[S5735-L-02-GigabitEthernet0/0/8] stp disable
[S5735-L-02-GigabitEthernet0/0/8] quit
[S5735-L-02] interface GigabitEthernet 0/0/9
[S5735-L-02-GigabitEthernet0/0/9] stp disable
[S5735-L-02-GigabitEthernet0/0/9] quit
- Configure STP on the aggregation switch S5731-H-01.
# Enable STP, set the STP mode to RSTP, and configure the switch as the root bridge.
[S5731-H-01] stp enable
[S5731-H-01] stp mode rstp
[S5731-H-01] stp instance 0 root primary
# Disable STP on Eth-Trunk 1 so that Eth-Trunk 1 does not participate in spanning tree calculation.
[S5731-H-01] interface Eth-Trunk1
[S5731-H-01-Eth-Trunk1] stp disable
[S5731-H-01-Eth-Trunk1] quit
- Configure STP on the aggregation switch S5731-H-02.
# Enable STP, set the STP mode to RSTP, and configure the switch as the secondary root bridge.
[S5731-H-02] stp enable
[S5731-H-02] stp mode rstp
[S5731-H-02] stp instance 0 root secondary
# Disable STP on Eth-Trunk 2 so that Eth-Trunk 2 does not participate in spanning tree calculation.
[S5731-H-02] interface Eth-Trunk2
[S5731-H-02-Eth-Trunk2] stp disable
[S5731-H-02-Eth-Trunk2] quit
Configuring IP Addresses for Interfaces
- Configure IP addresses for interfaces on the aggregation switch S5731-H-01.
# Create a loopback interface and configure its IP address.
[S5731-H-01] interface LoopBack0
[S5731-H-01-LoopBack0] ip address 172.16.0.4 255.255.255.255
[S5731-H-01-LoopBack0] quit
# Create VLANIF interfaces and configure their IP addresses.
[S5731-H-01] interface vlanif 100
[S5731-H-01-Vlanif100] ip address 10.1.1.3 255.255.255.224
[S5731-H-01-Vlanif100] quit
[S5731-H-01] interface vlanif 101
[S5731-H-01-Vlanif101] ip address 10.1.1.33 255.255.255.224
[S5731-H-01-Vlanif101] quit
[S5731-H-01] interface vlanif 102
[S5731-H-01-Vlanif102] ip address 10.1.1.97 255.255.255.224
[S5731-H-01-Vlanif102] quit
[S5731-H-01] interface vlanif 103
[S5731-H-01-Vlanif103] ip address 10.1.1.129 255.255.255.224
[S5731-H-01-Vlanif103] quit
[S5731-H-01] interface vlanif 1001
[S5731-H-01-Vlanif1001] ip address 10.1.1.193 255.255.255.224
[S5731-H-01-Vlanif1001] quit
[S5731-H-01] interface vlanif 1202
[S5731-H-01-Vlanif1202] ip address 172.16.6.18 255.255.255.248
[S5731-H-01-Vlanif1202] ospf cost 5
[S5731-H-01-Vlanif1202] quit
- Configure IP addresses for interfaces on the aggregation switch S5731-H-02.
# Create a loopback interface and configure its IP address.
[S5731-H-02] interface LoopBack0
[S5731-H-02-LoopBack0] ip address 172.16.0.5 255.255.255.255
[S5731-H-02-LoopBack0] quit
# Create VLANIF interfaces and configure their IP addresses.
[S5731-H-02] interface vlanif 100
[S5731-H-02-Vlanif100] ip address 10.1.1.4 255.255.255.224
[S5731-H-02-Vlanif100] quit
[S5731-H-02] interface vlanif 101
[S5731-H-02-Vlanif101] ip address 10.1.1.34 255.255.255.224
[S5731-H-02-Vlanif101] quit
[S5731-H-02] interface vlanif 102
[S5731-H-02-Vlanif102] ip address 10.1.1.98 255.255.255.224
[S5731-H-02-Vlanif102] quit
[S5731-H-02] interface vlanif 103
[S5731-H-02-Vlanif103] ip address 10.1.1.130 255.255.255.224
[S5731-H-02-Vlanif103] quit
[S5731-H-02] interface vlanif 1001
[S5731-H-02-Vlanif1001] ip address 10.1.1.194 255.255.255.224
[S5731-H-02-Vlanif1001] quit
[S5731-H-02] interface vlanif 1203
[S5731-H-02-Vlanif1203] ip address 172.16.6.26 255.255.255.248
[S5731-H-02-Vlanif1203] ospf cost 5
[S5731-H-02-Vlanif1203] quit
- Configure IP addresses for interfaces on the core switches S12700E-8.
# Create a loopback interface and configure its IP address.
[S12700E-8] interface LoopBack0
[S12700E-8-LoopBack0] ip address 172.16.0.2 255.255.255.255
[S12700E-8-LoopBack0] quit
# Create VLANIF interfaces and configure their IP addresses.
[S12700E-8] interface vlanif 1004
[S12700E-8-Vlanif1004] ip address 172.16.2.1 255.255.255.252
[S12700E-8-Vlanif1004] quit
[S12700E-8] interface vlanif 1005
[S12700E-8-Vlanif1005] ip address 172.16.1.1 255.255.255.252
[S12700E-8-Vlanif1005] quit
[S12700E-8] interface vlanif 1200
[S12700E-8-Vlanif1200] ip address 172.16.10.1 255.255.255.248
[S12700E-8-Vlanif1200] quit
[S12700E-8] interface vlanif 1201
[S12700E-8-Vlanif1201] ip address 172.16.11.1 255.255.255.248
[S12700E-8-Vlanif1201] quit
[S12700E-8] interface vlanif 1202
[S12700E-8-Vlanif1202] ip address 172.16.6.17 255.255.255.248
[S12700E-8-Vlanif1202] quit
[S12700E-8] interface vlanif 1203
[S12700E-8-Vlanif1203] ip address 172.16.6.25 255.255.255.248
[S12700E-8-Vlanif1203] ospf cost 7
[S12700E-8-Vlanif1203] quit
- Configure IP addresses for interfaces on Router-01.
# Create a loopback interface and configure its IP address.
<HUAWEI> system-view
[HUAWEI] sysname Router-01
[Router-01] interface LoopBack0
[Router-01-LoopBack0] ip address 172.16.0.1 32
[Router-01-LoopBack0] quit
# Configure IP addresses for interfaces.
[Router-01] interface serial 1/0/0
[Router-01-Serial1/0/0] description link_to_Shenggongsi
[Router-01-Serial1/0/0] ip address 2.2.2.2 255.255.255.248
[Router-01-Serial1/0/0] quit
[Router-01] interface gigabitethernet 0/0/0
[Router-01-GigabitEthernet0/0/0] description link_to_Internet
[Router-01-GigabitEthernet0/0/0] ip address 192.0.2.2 255.255.255.248
[Router-01-GigabitEthernet0/0/0] quit
[Router-01] interface gigabitethernet 0/0/1
[Router-01-GigabitEthernet0/0/1] description link_to_FenGongsi
[Router-01-GigabitEthernet0/0/1] ip address 172.16.1.161 255.255.255.240
[Router-01-GigabitEthernet0/0/1] quit
[Router-01] interface gigabitethernet 0/0/2
[Router-01-GigabitEthernet0/0/2] description link_to_S12700E
[Router-01-GigabitEthernet0/0/2] ip address 172.16.11.2 255.255.255.248
[Router-01-GigabitEthernet0/0/2] quit
[Router-01] interface gigabitethernet 0/0/3
[Router-01-GigabitEthernet0/0/3] description link_to_Router-02
[Router-01-GigabitEthernet0/0/3] ip address 172.16.6.1 255.255.255.248
[Router-01-GigabitEthernet0/0/3] quit
[Router-01] interface gigabitethernet 2/0/0
[Router-01-GigabitEthernet2/0/0] description link_to_Guojiaju1
[Router-01-GigabitEthernet2/0/0] ip address 3.3.3.2 255.255.255.248
[Router-01-GigabitEthernet2/0/0] quit
[Router-01] interface gigabitethernet 2/0/1
[Router-01-GigabitEthernet2/0/1] description link_to_Guojiaju2
[Router-01-GigabitEthernet2/0/1] ip address 4.4.4.2 255.255.255.248
[Router-01-GigabitEthernet2/0/1] quit
[Router-01] interface gigabitethernet 2/0/3
[Router-01-GigabitEthernet2/0/3] description link_to_AFenJu
[Router-01-GigabitEthernet2/0/3] ip address 6.6.6.2 255.255.255.248
[Router-01-GigabitEthernet2/0/3] quit
- Configure IP addresses for interfaces on Router-02.
# Create a loopback interface and configure its IP address.
<HUAWEI> system-view
[HUAWEI] sysname Router-02
[Router-02] interface LoopBack0
[Router-02-LoopBack0] ip address 172.16.0.3 32
[Router-02-LoopBack0] quit
# Configure IP addresses for interfaces.
[Router-02] interface gigabitethernet 0/0/2
[Router-02-GigabitEthernet0/0/2] description link_to_S12700E
[Router-02-GigabitEthernet0/0/2] ip address 172.16.10.2 255.255.255.248
[Router-02-GigabitEthernet0/0/2] quit
[Router-02] interface gigabitethernet 0/0/3
[Router-02-GigabitEthernet0/0/3] description link_to_Router-01
[Router-02-GigabitEthernet0/0/3] ip address 172.16.6.2 255.255.255.248
[Router-02-GigabitEthernet0/0/3] quit
Configuring VRRP
- Configure VRRP on the aggregation switch S5731-H-01 to implement gateway backup.
[S5731-H-01] interface vlanif 100
[S5731-H-01-Vlanif100] vrrp vrid 100 virtual-ip 10.1.1.10
[S5731-H-01-Vlanif100] vrrp vrid 100 priority 120
[S5731-H-01-Vlanif100] vrrp vrid 100 track interface GigabitEthernet0/0/1 reduced 30
[S5731-H-01-Vlanif100] vrrp vrid 100 track interface GigabitEthernet0/0/2 reduced 30
[S5731-H-01-Vlanif100] quit
[S5731-H-01] interface vlanif 101
[S5731-H-01-Vlanif101] vrrp vrid 101 virtual-ip 10.1.1.40
[S5731-H-01-Vlanif101] vrrp vrid 101 priority 120
[S5731-H-01-Vlanif101] vrrp vrid 101 track interface GigabitEthernet0/0/1 reduced 30
[S5731-H-01-Vlanif101] vrrp vrid 101 track interface GigabitEthernet0/0/2 reduced 30
[S5731-H-01-Vlanif101] quit
[S5731-H-01] interface vlanif 102
[S5731-H-01-Vlanif102] vrrp vrid 102 virtual-ip 10.1.1.99
[S5731-H-01-Vlanif102] vrrp vrid 102 priority 120
[S5731-H-01-Vlanif102] vrrp vrid 102 track interface GigabitEthernet0/0/1 reduced 30
[S5731-H-01-Vlanif102] vrrp vrid 102 track interface GigabitEthernet0/0/2 reduced 30
[S5731-H-01-Vlanif102] quit
[S5731-H-01] interface vlanif 103
[S5731-H-01-Vlanif103] vrrp vrid 103 virtual-ip 10.1.1.131
[S5731-H-01-Vlanif103] vrrp vrid 103 priority 120
[S5731-H-01-Vlanif103] vrrp vrid 103 track interface GigabitEthernet0/0/1 reduced 30
[S5731-H-01-Vlanif103] vrrp vrid 103 track interface GigabitEthernet0/0/2 reduced 30
[S5731-H-01-Vlanif103] quit
[S5731-H-01] interface vlanif 1001
[S5731-H-01-Vlanif1001] vrrp vrid 161 virtual-ip 10.1.1.195
[S5731-H-01-Vlanif1001] vrrp vrid 161 priority 120
[S5731-H-01-Vlanif1001] vrrp vrid 161 track interface GigabitEthernet0/0/1 reduced 30
[S5731-H-01-Vlanif1001] vrrp vrid 161 track interface GigabitEthernet0/0/2 reduced 30
[S5731-H-01-Vlanif1001] quit
- Configure VRRP on the aggregation switch S5731-H-02.
[S5731-H-02] interface vlanif 100
[S5731-H-02-Vlanif100] vrrp vrid 100 virtual-ip 10.1.1.10
[S5731-H-02-Vlanif100] quit
[S5731-H-02] interface vlanif 101
[S5731-H-02-Vlanif101] vrrp vrid 101 virtual-ip 10.1.1.40
[S5731-H-02-Vlanif101] quit
[S5731-H-02] interface vlanif 102
[S5731-H-02-Vlanif102] vrrp vrid 102 virtual-ip 10.1.1.99
[S5731-H-02-Vlanif102] quit
[S5731-H-02] interface vlanif 103
[S5731-H-02-Vlanif103] vrrp vrid 103 virtual-ip 10.1.1.131
[S5731-H-02-Vlanif103] quit
[S5731-H-02] interface vlanif 1001
[S5731-H-02-Vlanif1001] vrrp vrid 161 virtual-ip 10.1.1.195
[S5731-H-02-Vlanif1001] quit
Configuring Routes
- Configure OSPF on the aggregation switch S5731-H-01.
[S5731-H-01] router id 172.16.0.4
[S5731-H-01] ospf 1 router-id 172.16.0.4
[S5731-H-01-ospf-1] import-route direct
[S5731-H-01-ospf-1] import-route static
[S5731-H-01-ospf-1] area 0.0.0.0
[S5731-H-01-ospf-1-area-0.0.0.0] network 172.16.0.4 0.0.0.0
[S5731-H-01-ospf-1-area-0.0.0.0] network 172.16.6.16 0.0.0.7
[S5731-H-01-ospf-1-area-0.0.0.0] quit
[S5731-H-01-ospf-1] quit
- Configure OSPF on the aggregation switch S5731-H-02.
[S5731-H-02] router id 172.16.0.5
[S5731-H-02] ospf 1 router-id 172.16.0.5
[S5731-H-02-ospf-1] import-route direct
[S5731-H-02-ospf-1] import-route static
[S5731-H-02-ospf-1] area 0.0.0.0
[S5731-H-02-ospf-1-area-0.0.0.0] network 172.16.0.5 0.0.0.0
[S5731-H-02-ospf-1-area-0.0.0.0] network 172.16.6.24 0.0.0.7
[S5731-H-02-ospf-1-area-0.0.0.0] quit
[S5731-H-02-ospf-1] quit
- Configure OSPF on the core switches S12700E-8.
# Disable STP to prevent STP from blocking interfaces.
[S12700E-8] stp disable
# Configure OSPF.
[S12700E-8] router id 172.16.0.2
[S12700E-8] ospf 1 router-id 172.16.0.2
[S12700E-8-ospf-1] import-route direct
[S12700E-8-ospf-1] import-route static
[S12700E-8-ospf-1] area 0.0.0.0
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.0.2 0.0.0.0
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.1.1 0.0.0.3
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.2.1 0.0.0.3
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.5.1 0.0.0.3
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.10.1 0.0.0.7
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.11.1 0.0.0.7
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.6.16 0.0.0.7
[S12700E-8-ospf-1-area-0.0.0.0] network 172.16.6.24 0.0.0.7
[S12700E-8-ospf-1-area-0.0.0.0] quit
[S12700E-8-ospf-1] quit
- Configure OSPF on Router-01.
# Configure basic OSPF functions.
[Router-01] router id 172.16.0.1
[Router-01] ospf 1 router-id 172.16.0.1
[Router-01-ospf-1] import-route direct
[Router-01-ospf-1] import-route static
[Router-01-ospf-1] area 0.0.0.0
[Router-01-ospf-1-area-0.0.0.0] network 172.16.0.1 0.0.0.0
[Router-01-ospf-1-area-0.0.0.0] network 172.16.1.160 0.0.0.15
[Router-01-ospf-1-area-0.0.0.0] network 172.16.11.0 0.0.0.7
[Router-01-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.7
[Router-01-ospf-1-area-0.0.0.0] quit
[Router-01-ospf-1] quit
[Router-01] interface gigabitethernet 0/0/1
[Router-01-GigabitEthernet0/0/1] ospf cost 5
[Router-01-GigabitEthernet0/0/1] quit
[Router-01] interface gigabitethernet0/0/2
[Router-01-GigabitEthernet0/0/2] ospf cost 5
[Router-01-GigabitEthernet0/0/2] quit
[Router-01] interface gigabitethernet 0/0/3
[Router-01-GigabitEthernet0/0/3] ospf cost 10
[Router-01-GigabitEthernet0/0/3] quit
- Configure static routes on Router-01.
[Router-01] ip route-static 0.0.0.0 0.0.0.0 192.0.2.1 //Internet
[Router-01] ip route-static 10.0.0.0 255.0.0.0 3.3.3.1 //Router 1 at the STMA
[Router-01] ip route-static 10.0.0.0 255.0.0.0 4.4.4.1 preference 70 //Router 2 at the STMA
[Router-01] ip route-static 10.2.0.0 255.255.255.0 6.6.6.1 //Branch office A
[Router-01] ip route-static 10.3.0.0 255.255.255.0 2.2.2.1 //Provincial company
- Configure routing policies on Router-01.
[Router-01] route-policy test permit node 1
[Router-01-route-policy] if-match interface GigabitEthernet0/0/0
[Router-01-route-policy] apply cost-type type-2
[Router-01-route-policy] quit
[Router-01] ospf 1
[Router-01-ospf-1] default-route-advertise route-policy test //Advertise default routes.
[Router-01-ospf-1] quit
- Configure OSPF on Router-02.
[Router-02] router id 172.16.0.3
[Router-02] ospf 1 router-id 172.16.0.3
[Router-02-ospf-1] import-route direct
[Router-02-ospf-1] import-route static
[Router-02-ospf-1] area 0.0.0.0
[Router-02-ospf-1-area-0.0.0.0] network 172.16.0.3 0.0.0.0
[Router-02-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.7
[Router-02-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.7
[Router-02-ospf-1-area-0.0.0.0] quit
[Router-02-ospf-1] quit
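The `network` statements above decide which interfaces run OSPF, while `import-route direct` advertises the remaining connected prefixes as external routes. The following Python check is an added example, not part of the original procedure: it maps each statement onto the data-plan addresses and lists the interfaces left out of OSPF and the statements that match no planned interface. The `PLAN` layout and the function names are assumptions made for this example.

```python
"""Added example: map OSPF `network` statements onto the planned interface addresses."""
import ipaddress

# Addresses come from the page's data plan, statements from its OSPF configuration.
# The dictionary layout itself is an assumption made for this example.
PLAN = {
    "S5731-H-01": {
        "interfaces": {
            "LoopBack0": "172.16.0.4", "Vlanif100": "10.1.1.3", "Vlanif101": "10.1.1.33",
            "Vlanif102": "10.1.1.97", "Vlanif103": "10.1.1.129", "Vlanif1001": "10.1.1.193",
            "Vlanif1202": "172.16.6.18",
        },
        "networks": [("172.16.0.4", "0.0.0.0"), ("172.16.6.16", "0.0.0.7")],
    },
    "S12700E-8": {
        "interfaces": {
            "LoopBack0": "172.16.0.2", "Vlanif1004": "172.16.2.1", "Vlanif1005": "172.16.1.1",
            "Vlanif1200": "172.16.10.1", "Vlanif1201": "172.16.11.1",
            "Vlanif1202": "172.16.6.17", "Vlanif1203": "172.16.6.25",
        },
        "networks": [
            ("172.16.0.2", "0.0.0.0"), ("172.16.1.1", "0.0.0.3"), ("172.16.2.1", "0.0.0.3"),
            ("172.16.5.1", "0.0.0.3"), ("172.16.10.1", "0.0.0.7"), ("172.16.11.1", "0.0.0.7"),
            ("172.16.6.16", "0.0.0.7"), ("172.16.6.24", "0.0.0.7"),
        ],
    },
    "Router-01": {
        "interfaces": {
            "LoopBack0": "172.16.0.1", "Serial1/0/0": "2.2.2.2",
            "GigabitEthernet0/0/0": "192.0.2.2", "GigabitEthernet0/0/1": "172.16.1.161",
            "GigabitEthernet0/0/2": "172.16.11.2", "GigabitEthernet0/0/3": "172.16.6.1",
            "GigabitEthernet2/0/0": "3.3.3.2", "GigabitEthernet2/0/1": "4.4.4.2",
            "GigabitEthernet2/0/3": "6.6.6.2",
        },
        "networks": [("172.16.0.1", "0.0.0.0"), ("172.16.1.160", "0.0.0.15"),
                     ("172.16.11.0", "0.0.0.7"), ("172.16.6.0", "0.0.0.7")],
    },
}


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard mask has a 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ospf_enabled(device):
    """Return {interface: statement} for interfaces that a network statement covers."""
    cfg = PLAN[device]
    enabled = {}
    for ifname, addr in cfg["interfaces"].items():
        for base, wildcard in cfg["networks"]:
            if wildcard_match(addr, base, wildcard):
                enabled[ifname] = (base, wildcard)
                break
    return enabled


def silent_interfaces(device):
    """Interfaces that no network statement covers, so OSPF does not run on them."""
    return sorted(set(PLAN[device]["interfaces"]) - set(ospf_enabled(device)))


def unused_statements(device):
    """Network statements that match none of the device's planned addresses."""
    cfg = PLAN[device]
    return [(base, wildcard) for base, wildcard in cfg["networks"]
            if not any(wildcard_match(addr, base, wildcard)
                       for addr in cfg["interfaces"].values())]


if __name__ == "__main__":
    for dev in PLAN:
        print(dev)
        print("  OSPF runs on :", ", ".join(sorted(ospf_enabled(dev))))
        print("  not in OSPF  :", ", ".join(silent_interfaces(dev)) or "-")
        for base, wildcard in unused_statements(dev):
            print(f"  statement matching no planned interface: network {base} {wildcard}")
```

On the page's data, `network 172.16.5.1 0.0.0.3` on S12700E-8 matches no address in the data plan, and none of Router-01's interfaces toward the Internet, the provincial company, the STMA or branch office A is enabled for OSPF.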
Configuring BFD
- Configure BFD for OSPF on the aggregation switch S5731-H-01.
[S5731-H-01] bfd
[S5731-H-01-bfd] quit
[S5731-H-01] ospf 1
[S5731-H-01-ospf-1] bfd all-interfaces enable
[S5731-H-01-ospf-1] quit
- Configure BFD for OSPF on the aggregation switch S5731-H-02.
[S5731-H-02] bfd
[S5731-H-02-bfd] quit
[S5731-H-02] ospf 1
[S5731-H-02-ospf-1] bfd all-interfaces enable
[S5731-H-02-ospf-1] quit
- Configure BFD for OSPF on the core switches S12700E-8.
[S12700E-8] bfd
[S12700E-8-bfd] quit
[S12700E-8] ospf 1
[S12700E-8-ospf-1] bfd all-interfaces enable
[S12700E-8-ospf-1] quit
- Configure BFD for OSPF on Router-01.
[Router-01] bfd
[Router-01-bfd] quit
[Router-01] ospf 1
[Router-01-ospf-1] bfd all-interfaces enable
[Router-01-ospf-1] quit
- Configure BFD for OSPF on Router-02.
[Router-02] bfd
[Router-02-bfd] quit
[Router-02] ospf 1
[Router-02-ospf-1] bfd all-interfaces enable
[Router-02-ospf-1] quit
Configuring NAT
- Configure NAT on Router-01 so that intranet users can access external networks.
# Configure NAT so that intranet users can access the Internet.
[Router-01] acl number 2000
[Router-01-acl-basic-2000] description ith
[Router-01-acl-basic-2000] rule 5 permit source 10.1.1.0 0.0.0.255
[Router-01-acl-basic-2000] quit
[Router-01] interface gigabitethernet 0/0/0
[Router-01-GigabitEthernet0/0/0] nat outbound 2000
[Router-01-GigabitEthernet0/0/0] quit
# Configure NAT so that intranet users can access the provincial company.
[Router-01] acl number 2002
[Router-01-acl-basic-2002] description nat to shenggongsi
[Router-01-acl-basic-2002] rule 1 deny source 10.1.187.0 0.0.0.255
[Router-01-acl-basic-2002] rule 6 permit source 10.0.0.0 0.255.255.255
[Router-01-acl-basic-2002] quit
[Router-01] interface serial 1/0/0
[Router-01-Serial1/0/0] nat outbound 2002
[Router-01-Serial1/0/0] quit
# Configure NAT so that intranet users can access the branch.
[Router-01] acl number 3000
[Router-01-acl-adv-3000] rule 1 permit ip source 10.0.0.0 0.255.255.255 destination 10.1.187.9 0
[Router-01-acl-adv-3000] rule 10 permit ip source 192.168.0.0 0.0.255.255 destination 10.1.185.18 0
[Router-01-acl-adv-3000] rule 25 permit ip destination 192.0.2.25 0
[Router-01-acl-adv-3000] rule 30 permit ip destination 192.0.2.26 0
[Router-01-acl-adv-3000] rule 35 permit ip destination 192.0.2.27 0
[Router-01-acl-adv-3000] rule 40 permit ip destination 192.0.2.28 0
[Router-01-acl-adv-3000] rule 45 permit ip destination 192.0.2.30 0
[Router-01-acl-adv-3000] quit
[Router-01] interface gigabitethernet 0/0/1
[Router-01-GigabitEthernet0/0/1] nat outbound 3000
[Router-01-GigabitEthernet0/0/1] quit
# Configure NAT so that intranet users can access the STMA.
[Router-01] acl number 2001
[Router-01-acl-basic-2001] description nat to guojiaju
[Router-01-acl-basic-2001] rule 1 deny source 10.1.1.64 0.0.0.31
[Router-01-acl-basic-2001] rule 2 deny source 10.1.185.0 0.0.0.31
[Router-01-acl-basic-2001] rule 3 permit source 10.0.0.0 0.255.255.255
[Router-01-acl-basic-2001] rule 4 permit source 192.168.13.0 0.0.0.255
[Router-01-acl-basic-2001] quit
[Router-01] interface gigabitethernet 2/0/0
[Router-01-GigabitEthernet2/0/0] nat outbound 2001
[Router-01-GigabitEthernet2/0/0] quit
[Router-01] interface gigabitethernet 2/0/1
[Router-01-GigabitEthernet2/0/1] nat outbound 2001
[Router-01-GigabitEthernet2/0/1] quit
# Configure NAT so that external network users can access the intranet.
[Router-01] interface gigabitethernet 0/0/2
[Router-01-GigabitEthernet0/0/2] nat outbound 3000
[Router-01-GigabitEthernet0/0/2] quit
- Configure NAT server mapping on Router-01 so that both intranet and external network users can access internal servers using public IP addresses.
[Router-01] interface gigabitethernet 0/0/0
[Router-01-GigabitEthernet0/0/0] nat server protocol tcp global current-interface 47538 inside 10.10.185.108 443
[Router-01-GigabitEthernet0/0/0] nat server protocol tcp global current-interface 48538 inside 10.10.185.108 1723
[Router-01-GigabitEthernet0/0/0] nat server protocol tcp global 218.7.68.166 www inside 10.10.185.19 www
[Router-01-GigabitEthernet0/0/0] quit
[Router-01] interface gigabitethernet 0/0/2
[Router-01-GigabitEthernet0/0/2] nat static protocol tcp global 218.7.68.164 22 inside 10.10.185.21 22 netmask 255.255.255.255
[Router-01-GigabitEthernet0/0/2] nat static protocol tcp global 218.7.68.164 9010 inside 10.10.187.5 9010 netmask 255.255.255.255
[Router-01-GigabitEthernet0/0/2] nat static protocol tcp global 218.7.68.166 www inside 10.10.185.19 www netmask 255.255.255.255
[Router-01-GigabitEthernet0/0/2] quit
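How ACL 2001 from the NAT steps above decides which intranet sources are translated toward the STMA, as an added example that is not part of the original configuration guide. It evaluates the rules with wildcard masks in ascending rule-ID order, which assumes the ACL's default config match order, and reports any rule that an earlier, broader rule makes unreachable; the function names and the reordered ACL are constructed for illustration.

```python
import ipaddress

# ACL 2001 ("nat to guojiaju") as configured on Router-01 in the steps above.
ACL_2001 = """\
rule 1 deny source 10.1.1.64 0.0.0.31
rule 2 deny source 10.1.185.0 0.0.0.31
rule 3 permit source 10.0.0.0 0.255.255.255
rule 4 permit source 192.168.13.0 0.0.0.255
"""

# Constructed counter-example: the broad permit is numbered ahead of the deny.
ACL_REORDERED = """\
rule 1 permit source 10.0.0.0 0.255.255.255
rule 2 deny source 10.1.1.64 0.0.0.31
"""

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_basic_acl(text):
    """Parse 'rule <id> <permit|deny> source <addr> <wildcard>' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 6 and tok[0] == "rule" and tok[3] == "source":
            rules.append((int(tok[1]), tok[2], to_int(tok[4]), to_int(tok[5])))
    # Assumption: default "config" match order, i.e. ascending rule ID.
    return sorted(rules)


def evaluate(rules, src):
    """Return (rule_id, action) of the first matching rule, else (None, 'no-match')."""
    ip = to_int(src)
    for rule_id, action, addr, wildcard in rules:
        care = ~wildcard & MASK32  # a 0 bit in the wildcard means "must match"
        if (ip & care) == (addr & care):
            return rule_id, action
    return None, "no-match"


def is_translated(rules, src):
    """nat outbound translates only the sources that the ACL permits."""
    return evaluate(rules, src)[1] == "permit"


def shadowed_rules(rules):
    """List (rule_id, covering_rule_id) for rules that an earlier rule fully covers."""
    found = []
    for j, (jid, _, jaddr, jwild) in enumerate(rules):
        for iid, _, iaddr, iwild in rules[:j]:
            care = ~iwild & MASK32
            if (iwild | jwild) == iwild and (iaddr & care) == (jaddr & care):
                found.append((jid, iid))
                break
    return found


if __name__ == "__main__":
    acl = parse_basic_acl(ACL_2001)
    for src in ("10.1.1.70", "10.1.185.5", "10.1.185.40", "192.168.13.9", "172.16.0.1"):
        state = "translated" if is_translated(acl, src) else "not translated"
        print(src, evaluate(acl, src), state)
    print("shadowed in reordered ACL:", shadowed_rules(parse_basic_acl(ACL_REORDERED)))
```

The deny rules take effect only because their rule IDs are lower than the 10.0.0.0/8 permit; renumbering them above it leaves them unreachable.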
Configuring Security Policies
[Router-01] acl number 3500
[Router-01-acl-adv-3500] description ith
[Router-01-acl-adv-3500] rule 0 deny tcp source-port eq 3127
[Router-01-acl-adv-3500] rule 1 deny tcp source-port eq 1025
[Router-01-acl-adv-3500] rule 2 deny tcp source-port eq 5554
[Router-01-acl-adv-3500] rule 3 deny tcp source-port eq 9996
[Router-01-acl-adv-3500] rule 4 deny tcp source-port eq 1068
[Router-01-acl-adv-3500] rule 5 deny tcp source-port eq 135
[Router-01-acl-adv-3500] rule 6 deny udp source-port eq 135
[Router-01-acl-adv-3500] rule 7 deny tcp source-port eq 137
[Router-01-acl-adv-3500] rule 8 deny udp source-port eq netbios-ns
[Router-01-acl-adv-3500] rule 9 deny tcp source-port eq 138
[Router-01-acl-adv-3500] rule 10 deny udp source-port eq netbios-dgm
[Router-01-acl-adv-3500] quit
[Router-01] traffic classifier c1 operator or
[Router-01-classifier-c1] if-match acl 3500
[Router-01-classifier-c1] quit
[Router-01] traffic behavior b1
[Router-01-behavior-b1] quit
[Router-01] traffic policy p1
[Router-01-trafficpolicy-p1] classifier c1 behavior b1
[Router-01-trafficpolicy-p1] quit
[Router-01] interface gigabitethernet 0/0/0
[Router-01-GigabitEthernet0/0/0] traffic-policy p1 inbound
[Router-01-GigabitEthernet0/0/0] quit
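Which packets ACL 3500 classifies, as an added example that is not from the original guide: every rule keys on protocol and source port only, so the sketch evaluates sample packets on those two fields and summarises which ports are covered for only one protocol. The function names and sample packets are constructed; netbios-ns and netbios-dgm are resolved to their well-known ports 137 and 138.

```python
import re

# ACL 3500 as configured on Router-01 in the steps above.
ACL_3500 = """\
rule 0 deny tcp source-port eq 3127
rule 1 deny tcp source-port eq 1025
rule 2 deny tcp source-port eq 5554
rule 3 deny tcp source-port eq 9996
rule 4 deny tcp source-port eq 1068
rule 5 deny tcp source-port eq 135
rule 6 deny udp source-port eq 135
rule 7 deny tcp source-port eq 137
rule 8 deny udp source-port eq netbios-ns
rule 9 deny tcp source-port eq 138
rule 10 deny udp source-port eq netbios-dgm
"""

NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138}
RULE_RE = re.compile(r"rule (\d+) (permit|deny) (tcp|udp) source-port eq (\S+)")


def parse_rules(text):
    """Return (rule_id, action, protocol, source_port) tuples in rule-ID order."""
    rules = []
    for m in RULE_RE.finditer(text):
        token = m.group(4)
        port = NAMED_PORTS[token] if token in NAMED_PORTS else int(token)
        rules.append((int(m.group(1)), m.group(2), m.group(3), port))
    return sorted(rules)


def first_match(rules, proto, src_port, dst_port):
    """Rule ID that classifies the packet, or None.

    dst_port is accepted only to make explicit that no rule in this ACL
    examines the destination port.
    """
    for rule_id, _action, rule_proto, rule_port in rules:
        if proto == rule_proto and src_port == rule_port:
            return rule_id
    return None


def coverage(rules):
    """Map each listed source port to the set of protocols that have a rule."""
    table = {}
    for _rule_id, _action, proto, port in rules:
        table.setdefault(port, set()).add(proto)
    return table


def single_protocol_ports(rules):
    """Ports that are listed for TCP or UDP but not for both."""
    return sorted(p for p, protos in coverage(rules).items() if protos != {"tcp", "udp"})


if __name__ == "__main__":
    rules = parse_rules(ACL_3500)
    # Constructed sample packets: (protocol, source port, destination port).
    for pkt in (("tcp", 135, 49152), ("tcp", 49152, 135), ("udp", 137, 137)):
        print(pkt, "-> rule", first_match(rules, *pkt))
    print("listed for one protocol only:", single_protocol_ports(rules))
```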
Verifying the Configuration
- Check the STP status on the access switch S5735-L-01 to verify that the interface status is correct.
[S5735-L-01] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE
- Check the STP status on the access switch S5735-L-02 to verify that the interface status is correct.
[S5735-L-02] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE
- Check the OSPF route status and VRRP status on the aggregation switch S5731-H-01.
[S5731-H-01] display ospf peer brief
 OSPF Process 1 with Router ID 172.16.0.4
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Vlanif1202                       172.16.0.2       Full
 ----------------------------------------------------------------------------
[S5731-H-01] display vrrp brief
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------
100   Master       Vlanif100                Normal   10.1.1.10
101   Master       Vlanif101                Normal   10.1.1.40
102   Master       Vlanif102                Normal   10.1.1.99
103   Master       Vlanif103                Normal   10.1.1.131
161   Master       Vlanif1001               Normal   10.1.1.195
----------------------------------------------------------------
Total:5     Master:5     Backup:0     Non-active:0
- Check the OSPF route status and VRRP status on the aggregation switch S5731-H-02.
[S5731-H-02] display ospf peer brief
 OSPF Process 1 with Router ID 172.16.0.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Vlanif1203                       172.16.0.2       Full
 ----------------------------------------------------------------------------
[S5731-H-02] display vrrp brief
VRID  State        Interface                Type     Virtual IP
----------------------------------------------------------------
100   Backup       Vlanif100                Normal   10.1.1.10
101   Backup       Vlanif101                Normal   10.1.1.40
102   Backup       Vlanif102                Normal   10.1.1.99
103   Backup       Vlanif103                Normal   10.1.1.131
161   Backup       Vlanif1001               Normal   10.1.1.195
----------------------------------------------------------------
Total:5     Master:0     Backup:5     Non-active:0
- Check the OSPF route status and BFD status on core switches S12700E-8.
[S12700E-8] display ospf peer brief
 OSPF Process 1 with Router ID 172.16.0.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          Vlanif1004                       172.16.2.2       Full
 0.0.0.0          Vlanif1005                       172.16.1.2       Full
 0.0.0.0          Vlanif1201                       172.16.0.1       Full
 0.0.0.0          Vlanif1203                       172.16.0.5       Full
 0.0.0.0          Vlanif1202                       172.16.0.4       Full
 0.0.0.0          Vlanif1200                       172.16.0.3       Full
 ----------------------------------------------------------------------------
 OSPF Process 1 with Router ID 172.16.0.2
[S12700E-8] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr       State  Type       InterfaceName
--------------------------------------------------------------------------------
8194   8194    172.16.6.18      Up     D_IP_IF    Vlanif1202
8195   8193    172.16.6.26      Up     D_IP_IF    Vlanif1203
8196   8192    172.16.1.2       Up     D_IP_IF    Vlanif1005
8197   8192    172.16.2.2       Up     D_IP_IF    Vlanif1004
8199   8192    172.16.11.2      Up     D_IP_IF    Vlanif1201
8200   8193    172.16.10.2      Up     D_IP_IF    Vlanif1200
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 7/0
- Check the OSPF route status on Router-01.
[Router-01] display ospf peer brief
 OSPF Process 1 with Router ID 172.16.0.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/1             172.16.1.162     Full
 0.0.0.0          GigabitEthernet0/0/3             172.16.0.3       Full
 0.0.0.0          GigabitEthernet0/0/2             172.16.0.2       Full
 ----------------------------------------------------------------------------
- Check the OSPF route status on Router-02.
[Router-02] display ospf peer brief
 OSPF Process 1 with Router ID 172.16.0.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/3             172.16.0.1       Full
 0.0.0.0          GigabitEthernet0/0/2             172.16.0.2       Full
 ----------------------------------------------------------------------------
Configuration Files
Configuration Files of Access Switches
- S5735-L-01
#
sysname S5735-L-01
#
vlan batch 100 to 103 1001
#
stp mode rstp
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 100
 stp disable
#
interface GigabitEthernet0/0/6
 port link-type access
 port default vlan 101
 stp disable
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 102
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type access
 port default vlan 103
 stp disable
#
interface GigabitEthernet0/0/9
 port link-type access
 port default vlan 1001
 stp disable
#
return
- S5735-L-02
#
sysname S5735-L-02
#
vlan batch 100 to 103 1001
#
stp mode rstp
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 100
 stp disable
#
interface GigabitEthernet0/0/6
 port link-type access
 port default vlan 101
 stp disable
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 102
 stp disable
#
interface GigabitEthernet0/0/8
 port link-type access
 port default vlan 103
 stp disable
#
interface GigabitEthernet0/0/9
 port link-type access
 port default vlan 1001
 stp disable
#
return
Configuration Files of Aggregation Switches
- S5731-H-01
#
sysname S5731-H-01
#
router id 172.16.0.4
#
vlan batch 100 to 103 1001 1202
#
stp mode rstp
stp instance 0 root primary
#
bfd
#
interface Vlanif100
 ip address 10.1.1.3 255.255.255.224
 vrrp vrid 100 virtual-ip 10.1.1.10
 vrrp vrid 100 priority 120
 vrrp vrid 100 track interface GigabitEthernet0/0/1 reduced 30
 vrrp vrid 100 track interface GigabitEthernet0/0/2 reduced 30
#
interface Vlanif101
 ip address 10.1.1.33 255.255.255.224
 vrrp vrid 101 virtual-ip 10.1.1.40
 vrrp vrid 101 priority 120
 vrrp vrid 101 track interface GigabitEthernet0/0/1 reduced 30
 vrrp vrid 101 track interface GigabitEthernet0/0/2 reduced 30
#
interface Vlanif102
 ip address 10.1.1.97 255.255.255.224
 vrrp vrid 102 virtual-ip 10.1.1.99
 vrrp vrid 102 priority 120
 vrrp vrid 102 track interface GigabitEthernet0/0/1 reduced 30
 vrrp vrid 102 track interface GigabitEthernet0/0/2 reduced 30
#
interface Vlanif103
 ip address 10.1.1.129 255.255.255.224
 vrrp vrid 103 virtual-ip 10.1.1.131
 vrrp vrid 103 priority 120
 vrrp vrid 103 track interface GigabitEthernet0/0/1 reduced 30
 vrrp vrid 103 track interface GigabitEthernet0/0/2 reduced 30
#
interface Vlanif1001
 ip address 10.1.1.193 255.255.255.224
 vrrp vrid 161 virtual-ip 10.1.1.195
 vrrp vrid 161 priority 120
 vrrp vrid 161 track interface GigabitEthernet0/0/1 reduced 30
 vrrp vrid 161 track interface GigabitEthernet0/0/2 reduced 30
#
interface Vlanif1202
 ip address 172.16.6.18 255.255.255.248
 ospf cost 5
#
interface Eth-Trunk1
 port link-type access
 port default vlan 1202
 stp disable
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface LoopBack0
 ip address 172.16.0.4 255.255.255.255
#
ospf 1 router-id 172.16.0.4
 bfd all-interfaces enable
 import-route direct
 import-route static
 area 0.0.0.0
  network 172.16.0.4 0.0.0.0
  network 172.16.6.16 0.0.0.7
#
return
- S5731-H-02
#
sysname S5731-H-02
#
router id 172.16.0.5
#
vlan batch 100 to 103 1001 1203
#
stp mode rstp
stp instance 0 root secondary
#
bfd
#
interface Vlanif100
 ip address 10.1.1.4 255.255.255.224
 vrrp vrid 100 virtual-ip 10.1.1.10
#
interface Vlanif101
 ip address 10.1.1.34 255.255.255.224
 vrrp vrid 101 virtual-ip 10.1.1.40
#
interface Vlanif102
 ip address 10.1.1.98 255.255.255.224
 vrrp vrid 102 virtual-ip 10.1.1.99
#
interface Vlanif103
 ip address 10.1.1.130 255.255.255.224
 vrrp vrid 103 virtual-ip 10.1.1.131
#
interface Vlanif1001
 ip address 10.1.1.194 255.255.255.224
 vrrp vrid 161 virtual-ip 10.1.1.195
#
interface Vlanif1203
 ip address 172.16.6.26 255.255.255.248
 ospf cost 5
#
interface MEth0/0/1
#
interface Eth-Trunk2
 port link-type access
 port default vlan 1203
 stp disable
#
interface GigabitEthernet0/0/1
 eth-trunk 2
#
interface GigabitEthernet0/0/2
 eth-trunk 2
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 100 to 103 1001
#
interface LoopBack0
 ip address 172.16.0.5 255.255.255.255
#
ospf 1 router-id 172.16.0.5
 bfd all-interfaces enable
 import-route direct
 import-route static
 area 0.0.0.0
  network 172.16.0.5 0.0.0.0
  network 172.16.6.24 0.0.0.7
#
return
Configuration File of Core Switches
- S12700E-8
#
sysname S12700E-8
#
router id 172.16.0.2
#
vlan batch 1004 to 1005 1200 to 1203
#
stp disable
#
bfd
#
interface Vlanif1004
 ip address 172.16.2.1 255.255.255.252
#
interface Vlanif1005
 ip address 172.16.1.1 255.255.255.252
#
interface Vlanif1200
 ip address 172.16.10.1 255.255.255.248
#
interface Vlanif1201
 ip address 172.16.11.1 255.255.255.248
#
interface Vlanif1202
 ip address 172.16.6.17 255.255.255.248
#
interface Vlanif1203
 ip address 172.16.6.25 255.255.255.248
 ospf cost 7
#
interface Eth-Trunk1
 port link-type access
 port default vlan 1202
#
interface Eth-Trunk2
 port link-type access
 port default vlan 1203
#
interface GigabitEthernet1/1/0/1
 description YinHang
 port link-type access
 port default vlan 1005
#
interface GigabitEthernet1/1/0/44
 description TO-Router-01 GE0/0/2
 port link-type access
 port default vlan 1200
#
interface GigabitEthernet1/1/0/45
 description TO GE2/1/0/45
 mad detect mode direct
#
interface GigabitEthernet1/1/0/46
 eth-trunk 1
#
interface GigabitEthernet1/1/0/47
 eth-trunk 2
#
interface GigabitEthernet2/1/0/1
 description YinHang-bei
 port link-type access
 port default vlan 1004
#
interface GigabitEthernet2/1/0/44
 description TO-Router-02 GE0/0/2
 port link-type access
 port default vlan 1201
#
interface GigabitEthernet2/1/0/45
 description TO GE1/1/0/45
 mad detect mode direct
#
interface GigabitEthernet2/1/0/46
 eth-trunk 1
#
interface GigabitEthernet2/1/0/47
 eth-trunk 2
#
interface LoopBack0
 ip address 172.16.0.2 255.255.255.255
#
ospf 1 router-id 172.16.0.2
 bfd all-interfaces enable
 import-route direct
 import-route static
 area 0.0.0.0
  network 172.16.0.2 0.0.0.0
  network 172.16.6.16 0.0.0.7
  network 172.16.6.24 0.0.0.7
  network 172.16.1.0 0.0.0.3
  network 172.16.2.0 0.0.0.3
  network 172.16.5.0 0.0.0.3
  network 172.16.10.0 0.0.0.7
  network 172.16.11.0 0.0.0.7
#
return
Configuration Files of Egress Routers
- Router-01
#
sysname Router-01
#
router id 172.16.0.1
#
bfd
#
acl number 2000
 description ith
 rule 5 permit source 10.1.1.0 0.0.0.255
#
acl number 2001
 description nat to guojiaju
 rule 1 deny source 10.1.1.64 0.0.0.31
 rule 2 deny source 10.1.185.0 0.0.0.31
 rule 3 permit source 10.0.0.0 0.255.255.255
 rule 4 permit source 192.168.13.0 0.0.0.255
#
acl number 2002
 description nat to shenggongsi
 rule 1 deny source 10.1.187.0 0.0.0.255
 rule 6 permit source 10.0.0.0 0.255.255.255
#
acl number 3000
 rule 1 permit ip source 10.0.0.0 0.255.255.255 destination 10.1.187.9 0
 rule 10 permit ip source 192.168.0.0 0.0.255.255 destination 10.1.185.18 0
 rule 25 permit ip destination 192.0.2.25 0
 rule 30 permit ip destination 192.0.2.26 0
 rule 35 permit ip destination 192.0.2.27 0
 rule 40 permit ip destination 192.0.2.28 0
 rule 45 permit ip destination 192.0.2.30 0
#
acl number 3500
 description ith
 rule 0 deny tcp source-port eq 3127
 rule 1 deny tcp source-port eq 1025
 rule 2 deny tcp source-port eq 5554
 rule 3 deny tcp source-port eq 9996
 rule 4 deny tcp source-port eq 1068
 rule 5 deny tcp source-port eq 135
 rule 6 deny udp source-port eq 135
 rule 7 deny tcp source-port eq 137
 rule 8 deny udp source-port eq netbios-ns
 rule 9 deny tcp source-port eq 138
 rule 10 deny udp source-port eq netbios-dgm
#
traffic classifier c1 operator or
 if-match acl 3500
#
traffic behavior b1
#
traffic policy p1
 classifier c1 behavior b1
#
interface Serial1/0/0
 link-protocol ppp
 description link_to_Shenggongsi
 ip address 2.2.2.2 255.255.255.252
 nat outbound 2002
#
interface GigabitEthernet0/0/0
 description link_to_Internet
 ip address 192.0.2.30 255.255.255.248
 traffic-policy p1 inbound
 nat server protocol tcp global current-interface 47538 inside 10.10.185.108 443
 nat server protocol tcp global current-interface 48538 inside 10.10.185.108 1723
 nat server protocol tcp global 218.7.68.166 www inside 10.10.185.19 www
 nat outbound 2000
#
interface GigabitEthernet0/0/1
 description link_to_FenGongsi
 ip address 172.16.11.2 255.255.255.248
 ospf cost 5
 nat outbound 3000
#
interface GigabitEthernet0/0/2
 description link_to_S12700E
 ip address 172.16.1.145 255.255.255.240
 ospf cost 5
 nat static protocol tcp global 218.7.68.164 22 inside 10.10.185.21 22 netmask 255.255.255.255
 nat static protocol tcp global 218.7.68.164 9010 inside 10.10.187.5 9010 netmask 255.255.255.255
 nat static protocol tcp global 218.7.68.166 www inside 10.10.185.19 www netmask 255.255.255.255
 nat outbound 3000
#
interface GigabitEthernet0/0/3
 description link_to_Router-8-02
 ip address 172.16.6.1 255.255.255.248
 ospf cost 10
#
interface GigabitEthernet2/0/0
 description link_to_Guojiaju1
 ip address 3.3.3.3 255.255.255.248
 nat outbound 2001
#
interface GigabitEthernet2/0/1
 description link_to_Guojiaju2
 ip address 4.4.4.4 255.255.255.248
 nat outbound 2001
#
interface GigabitEthernet2/0/3
 description link_to_AFenJu
 ip address 6.6.6.6 255.255.255.248
#
interface LoopBack0
 ip address 172.16.0.1 255.255.255.255
#
ospf 1 router-id 172.16.0.1
 default-route-advertise route-policy test
 bfd all-interfaces enable
 import-route direct
 import-route static
 area 0.0.0.0
  network 172.16.0.1 0.0.0.0
  network 172.16.1.160 0.0.0.15
  network 172.16.11.0 0.0.0.7
  network 172.16.6.0 0.0.0.7
#
route-policy test permit node 1
 if-match interface GigabitEthernet0/0/0
 apply cost-type type-2
#
ip route-static 0.0.0.0 0.0.0.0 30.30.30.1
ip route-static 10.0.0.0 255.0.0.0 3.3.3.1
ip route-static 10.0.0.0 255.0.0.0 4.4.4.1 preference 70
ip route-static 10.2.0.0 255.255.255.0 6.6.6.1
ip route-static 10.3.0.0 255.255.255.0 2.2.2.1
#
return
- Router-02
#
sysname Router-02
#
router id 172.16.0.3
#
bfd
#
interface GigabitEthernet0/0/2
 description link_to_S12700E
 ip address 172.16.10.2 255.255.255.248
#
interface GigabitEthernet0/0/3
 ip address 172.16.6.2 255.255.255.248
#
interface LoopBack0
 ip address 172.16.0.3 255.255.255.255
#
ospf 1 router-id 172.16.0.3
 bfd all-interfaces enable
 area 0.0.0.0
  network 172.16.0.3 0.0.0.0
  network 172.16.6.0 0.0.0.7
  network 172.16.10.0 0.0.0.7
#
return
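The nat server and nat static entries in the Router-01 configuration file above determine which inside services are published through a global address. The following added example (not part of the original configuration files) parses those entries per interface into an exposure inventory for change review; the function names and the list of remote-access ports to highlight are assumptions of this example.

```python
import re

# Excerpt of the Router-01 configuration file above (NAT publishing lines only).
ROUTER_01 = """\
interface GigabitEthernet0/0/0
 description link_to_Internet
 nat server protocol tcp global current-interface 47538 inside 10.10.185.108 443
 nat server protocol tcp global current-interface 48538 inside 10.10.185.108 1723
 nat server protocol tcp global 218.7.68.166 www inside 10.10.185.19 www
interface GigabitEthernet0/0/2
 description link_to_S12700E
 nat static protocol tcp global 218.7.68.164 22 inside 10.10.185.21 22 netmask 255.255.255.255
 nat static protocol tcp global 218.7.68.164 9010 inside 10.10.187.5 9010 netmask 255.255.255.255
 nat static protocol tcp global 218.7.68.166 www inside 10.10.185.19 www netmask 255.255.255.255
"""

PORT_NAMES = {"www": 80}
# Assumption of this example: remote-access services a reviewer wants called out.
REVIEW_PORTS = {22: "SSH", 1723: "PPTP"}
NAT_RE = re.compile(
    r"nat (server|static) protocol (\w+) global (\S+) (\S+) inside (\S+) (\S+)")


def to_port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_mappings(config):
    """Return one dict per nat server / nat static line, tagged with its interface."""
    mappings, iface, desc = [], None, ""
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            iface, desc = line.split()[1], ""
        elif stripped.startswith("description "):
            desc = stripped.split(None, 1)[1]
        else:
            m = NAT_RE.search(stripped)
            if m and iface:
                mappings.append({
                    "interface": iface, "description": desc, "kind": m.group(1),
                    "protocol": m.group(2), "global_ip": m.group(3),
                    "global_port": to_port(m.group(4)),
                    "inside_ip": m.group(5), "inside_port": to_port(m.group(6)),
                })
    return mappings


def published_hosts(mappings):
    """Map each inside host to the sorted inside ports published for it."""
    hosts = {}
    for m in mappings:
        hosts.setdefault(m["inside_ip"], set()).add(m["inside_port"])
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def review(mappings):
    """Return (interface, inside_ip, inside_port, note) items worth a second look."""
    findings = []
    for m in mappings:
        key = (m["interface"], m["inside_ip"], m["inside_port"])
        if m["inside_port"] in REVIEW_PORTS:
            findings.append(key + (REVIEW_PORTS[m["inside_port"]] + " published",))
        if m["global_port"] != m["inside_port"]:
            findings.append(key + ("remapped from global port %d" % m["global_port"],))
    return findings


if __name__ == "__main__":
    maps = parse_mappings(ROUTER_01)
    print(published_hosts(maps))
    for item in review(maps):
        print(item)
```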