Configuration Examples for NE and ME60 Routers in Typical Enterprise Scenarios 2.0

This document provides typical configuration examples for NE series routers.

Example for Configuring Egress Gateways on a Campus Network

This section provides an example for configuring OSPF on a large campus network to allow users to access a wireless network.

Applicable Products and Versions

This configuration example applies to NE40E series products running V800R008C00 or later.

Networking Requirements

In Figure 1-28, at the egress of a large campus network, routers and firewalls are directly connected. Routers are connected to the Internet and data center through firewalls. To ensure network security, the firewalls must filter the service traffic entering and leaving the campus network. The specific network requirements are as follows:
  • Users on the campus network use private IP addresses, which are managed and allocated by a DHCP server. The routers function as DHCP relay agents.
  • The users are classified as VIP or non-VIP (common) users. Each VIP user can access two or three terminals, each with the bandwidth of 1 Mbit/s. Each common user can access only one terminal, with the bandwidth of 256 kbit/s. This requirement can be met by configuring QoS on the routers.
  • In addition to firewall deployment, user authentication is configured on the routers to ensure that only registered users can log in to the internal network.
  • BFD is deployed on each device to ensure network reliability. Virtual Router Redundancy Protocol (VRRP) backup groups are configured on the two routers and are associated with BFD. This allows the gateways to automatically negotiate their master/backup status and ensure uninterrupted routing.
Figure 1-28  Networking for configuring egress gateways on an OSPF campus network
NOTE: In this example, interface 1, interface 2, and interface 3 correspond to 10GE 1/0/1, 10GE 1/0/2, and 10GE 1/0/3, respectively.

Table 1-33  IP addresses of interfaces

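| Device Name | Interface Name | Interface IP Address |
|---|---|---|
| Router A | Loopback 0 | 1.1.1.1/32 |
| Router A | 10GE 1/0/1 | 10.1.1.1/24 |
| Router A | 10GE 1/0/2 | 10.1.2.1/24 |
| Router A | 10GE 1/0/3 | 192.168.1.5/24 |
| Router B | Loopback 0 | 2.2.2.2/32 |
| Router B | 10GE 1/0/1 | 10.1.1.2/24 |
| Router B | 10GE 1/0/2 | 10.2.1.1/24 |
| Router B | 10GE 1/0/3 | 192.168.1.6/24 |
| FW1 | 10GE 1/0/1 | 10.1.2.2/24 |
| FW2 | 10GE 1/0/1 | 10.2.1.2/24 |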

Configuration Roadmap

The configuration roadmap is as follows:
Table 1-34  Egress gateway configuration roadmap

| Step | Configuration Roadmap | Involved Devices and Interfaces |
|---|---|---|
| 1 | Configure an IP address for each interface. | Upstream and downstream interfaces of routers, firewalls, and switches |
| 2 | Configure OSPF. | Routers, firewalls, and switches |
| 3 | Configure BFD for OSPF to ensure network reliability. | Routers, firewalls, and switches |
| 4 | Associate a VRRP backup group with a BFD session to increase device reliability. | Routers |
| 5 | Configure QoS and deploy traffic policies. | Routers |
| 6 | Configure DHCP relay so that the DHCP server can allocate and manage IP addresses. | Routers |

Configuring Device Names and Interface IP Addresses

For easier device identification, you can configure a name for each device, for example, Router A.

#
sysname RouterA
#

Configure an IP address for the management network interface of each device so that the IP address can be used for Layer 3 interworking or remote login. For example, you can set the IP address of 10GE 1/0/0 to 10.1.1.1/24.

#
interface 10GE1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0     // Configure an IP address for the interface.
#

Other IP addresses are configured in the same way.

Configuring an IGP

Overall planning

Routes are categorized into the following types:

  • Network routes: These are required for network connectivity. They are generated based on IP addresses, such as a device's interworking interface addresses and loopback interface addresses used by protocols (such as IGP, BGP, or MPLS).

  • Service routes: These are required for service connectivity, and include terminal and service system routes.

Network routes are usually carried by an IGP, which can be OSPF or IS-IS. In this example, OSPF is used as an IGP.

Basic OSPF configurations

Figure 1-29 and Table 1-35 list the data preparation for basic OSPF configurations.
Figure 1-29  Networking for configuring OSPF
Table 1-35  Planning of basic OSPF parameters

| Parameter | Planned Value |
|---|---|
| Process ID | 1. |
| Router ID | Loopback interface address. |
| Area ID | Area 0. |
| Interface type | P2P. The default interface type of Ethernet interfaces is broadcast. Because only two devices in the same network segment of the backbone area run OSPF, you can change the network type of the involved interfaces to P2P. |
| Route cost | During IGP deployment, plan route costs to balance over different planes the traffic of different services on the backbone network. This improves bandwidth utilization, service quality, and service reliability. It is recommended that the OSPF route cost be calculated based on the formula: Interface cost = Bandwidth reference value/Interface bandwidth. |

The configuration of Router A (similar to that of Router B) is as follows:

#
router id 1.1.1.1
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255     // OSPF must be enabled on the network segments where the interfaces of all devices connected to the router reside.
  network 10.1.2.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 172.16.0.0 0.0.0.255
#
interface 10GE1/0/1
 ospf cost 10                  // Set the cost of the OSPF route between the two routers to 10.
 ospf network-type p2p
#
interface 10GE1/0/2
 ospf cost 2000                // Set the cost of the OSPF route between the router and the Internet firewall to 2000.
 ospf network-type p2p
#
interface 10GE1/0/3
 ospf cost 2000                // Set the cost of the OSPF route between the router and the DC firewall to 2000.
 ospf network-type p2p
#
interface 10GE1/0/4.1          // If there are multiple sub-interfaces, refer to this configuration.
 ospf cost 2000
#
interface 10GE1/0/4.2
 ospf cost 2000
#
interface 10GE1/0/4.100
 ospf cost 2000
#

Interworking between firewalls and routers through the IGP

To implement communication between firewalls and routers, OSPF also needs to be deployed on the firewalls.

Use FW1 as an example:

#
ospf 1
 default-route-advertise always     // Advertise the default routes to the OSPF area.
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255        // Enable OSPF on the network segment where the interface connecting the firewall to the router is located.
#

Checking the configurations

Run the display ospf [ process-id ] routing router-id [ router-id ] [ age { min-value min-age-value | max-value max-age-value } * ] command to check OSPF route information.

Configuring BFD

In this example, routers communicate with each other using OSPF. OSPF periodically sends Hello packets to neighbors to implement neighbor monitoring. Without BFD, it takes more than one second to detect a fault. This slow fault detection degrades user experience in voice and video services, which are sensitive to packet loss and delay. To speed up fault detection, configure BFD for OSPF. Using BFD, if one router fails, traffic is automatically switched to another router.

Table 1-36  BFD parameter planning

| Parameter | Planned Value |
|---|---|
| Minimum interval at which BFD packets are received | 100 ms |
| Minimum interval at which BFD packets are sent | 100 ms |
| Local BFD detection multiplier | Default value (3) |

BFD must be enabled on all OSPF interfaces. The following example shows the configuration on Router A:

#
bfd                                                  // Enable BFD globally.
#
interface 10GE1/0/1
 ospf bfd enable                                     // Enable BFD on the interface.
 ospf bfd min-tx-interval 100 min-rx-interval 100    // Set the minimum interval for sending and receiving BFD packets to 100 ms.
#
interface 10GE1/0/2
 ospf bfd enable
 ospf bfd min-tx-interval 100 min-rx-interval 100
#
interface 10GE1/0/3
 ospf bfd enable
 ospf bfd min-tx-interval 100 min-rx-interval 100
#

Repeat this step for other devices.

Checking the configurations

Run the display bfd session all command to view information about all BFD sessions.

Configuring a VRRP Backup Group

VRRP groups multiple physical routers into one virtual router. In a VRRP backup group, if the physical router through which the primary route passes fails, the virtual router switches traffic to another physical router within the group, ensuring continuous and reliable communication. If multiple VRRP backup groups exist, you can reduce the bandwidth and CPU consumed by protocol packets by configuring one of them as the management VRRP (mVRRP) backup group and the others as service VRRP groups. The mVRRP group sends protocol packets to negotiate the master/backup status, and the service VRRP groups do not send protocol packets.

As shown in Figure 1-30, multiple VRRP backup groups exist between the two routers, among which the mVRRP backup group negotiates the master/backup status of each router.
Figure 1-30  mVRRP backup group among VRRP backup groups
Table 1-37 lists the data preparation for basic VRRP backup group configurations.
Table 1-37  VRRP parameter planning

| Parameter | Planned Value |
|---|---|
| VRRP backup groups | 1, 2, 3 (for example). You can configure VRRP backup groups based on the number of sub-interfaces. |
| Virtual IP addresses of the VRRP backup groups | Set the IP addresses as required. This example uses the following IP addresses: Service VRRP backup group: 172.16.0.10; Service VRRP backup group: 172.17.0.10; mVRRP group: 172.100.0.10 |

# Configure Router A. The following example shows the configurations of three sub-interfaces.

#
interface GigabitEthernet1/0/4.1
 vrrp vrid 1 virtual-ip 172.16.0.10                 // Configure the VRRP backup group corresponding to the sub-interface to use the virtual IP address 172.16.0.10.
 vrrp vrid 1 track admin-vrrp interface GigabitEthernet1/0/4.100 vrid 100 unflowdown   // Bind the VRRP backup group to the mVRRP group and make it a service VRRP group. unflowdown sets the status of the service VRRP group to be the same as that of the mVRRP group.
#
interface GigabitEthernet1/0/4.2
 vrrp vrid 2 virtual-ip 172.17.0.10                 // Configure the VRRP backup group corresponding to the sub-interface to use the virtual IP address 172.17.0.10.
 vrrp vrid 2 track admin-vrrp interface GigabitEthernet1/0/4.100 vrid 100 unflowdown
#
interface GigabitEthernet1/0/4.100
 vrrp vrid 100 virtual-ip 172.100.0.10              // Configure the VRRP backup group corresponding to the sub-interface as the mVRRP group.
 admin-vrrp vrid 100
#

# Configure Router B.

#
interface GigabitEthernet1/0/4.1
 vrrp vrid 1 virtual-ip 172.16.0.10                 // Configure the VRRP backup group corresponding to the remote sub-interface to use the virtual IP address 172.16.0.10.
 vrrp vrid 1 track admin-vrrp interface GigabitEthernet1/0/4.100 vrid 100 unflowdown
#
interface GigabitEthernet1/0/4.2
 vrrp vrid 2 virtual-ip 172.17.0.10                 // Configure the VRRP backup group corresponding to the sub-interface to use the virtual IP address 172.17.0.10.
 vrrp vrid 2 track admin-vrrp interface GigabitEthernet1/0/4.100 vrid 100 unflowdown
#
interface GigabitEthernet1/0/4.100
 vrrp vrid 100 virtual-ip 172.100.0.10              // Configure an mVRRP group on this sub-interface.
 admin-vrrp vrid 100                                // Set the number of the mVRRP group to 100.
#

VRRP association with BFD

If the link between devices in a VRRP backup group fails, a backup device attempts to preempt the Master state after waiting three times the interval at which VRRP Advertisement packets are broadcast. During this period, user traffic is still forwarded to the master device, resulting in traffic loss. If the VRRP backup group is associated with BFD, the master/backup switchover takes less than 1 s.

# Configure Router A.

#
bfd atob bind peer-ip 172.100.0.2 interface GigabitEthernet1/0/4.100   // Configure a static BFD session and specify the local interface and the IP address of the peer interface.
 discriminator local 1                                                 // Set the local discriminator of the static BFD session to 1.
 discriminator remote 2                                                // Set the remote discriminator of the static BFD session to 2.
#

# Configure Router B.

#
bfd btoa bind peer-ip 172.100.0.1 interface GigabitEthernet1/0/4.100   // Configure a static BFD session and specify the local interface and the IP address of the peer interface.
 discriminator local 2                                                 // Set the local discriminator of the static BFD session to 2.
 discriminator remote 1                                                // Set the remote discriminator of the static BFD session to 1.
#

Checking the configurations

Run the display vrrp command to view the state and configuration parameters of each VRRP backup group.
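
The static BFD sessions above come up only when each router's local discriminator equals the other router's remote discriminator, and both routers of a VRRP backup group must be configured with the same virtual IP address. The following Python check is an added example, not part of the Huawei document; its input is constructed from the Router A and Router B lines above, and the function names are hypothetical.

```python
import re

# Constructed input: the VRRP and static BFD lines shown above for the two
# routers, with the inline comments removed.
TEMPLATE = """\
interface GigabitEthernet1/0/4.1
 vrrp vrid 1 virtual-ip 172.16.0.10
interface GigabitEthernet1/0/4.2
 vrrp vrid 2 virtual-ip 172.17.0.10
interface GigabitEthernet1/0/4.100
 vrrp vrid 100 virtual-ip 172.100.0.10
bfd {name} bind peer-ip {peer} interface GigabitEthernet1/0/4.100
 discriminator local {local}
 discriminator remote {remote}
"""
ROUTER_A = TEMPLATE.format(name="atob", peer="172.100.0.2", local=1, remote=2)
ROUTER_B = TEMPLATE.format(name="btoa", peer="172.100.0.1", local=2, remote=1)

BFD = re.compile(r"bfd \S+ bind peer-ip (\S+) interface \S+\s+"
                 r"discriminator local (\d+)\s+discriminator remote (\d+)")


def parse(text):
    """Return ({vrid: virtual_ip}, (peer_ip, local_disc, remote_disc))."""
    text = re.sub(r"[ \t]*//.*", "", text)      # tolerate the guide's comments
    vrrp = {int(v): ip for v, ip in
            re.findall(r"vrrp vrid (\d+) virtual-ip (\S+)", text)}
    match = BFD.search(text)
    if match is None:
        raise ValueError("no static BFD session found")
    return vrrp, match.groups()


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    (vrrp_a, bfd_a), (vrrp_b, bfd_b) = parse(cfg_a), parse(cfg_b)
    findings = []
    for vrid in sorted(set(vrrp_a) | set(vrrp_b)):
        if vrrp_a.get(vrid) != vrrp_b.get(vrid):
            findings.append(
                f"vrid {vrid}: virtual-ip {vrrp_a.get(vrid)} vs {vrrp_b.get(vrid)}")
    peer_a, local_a, remote_a = bfd_a
    peer_b, local_b, remote_b = bfd_b
    if (local_a, remote_a) != (remote_b, local_b):
        findings.append("bfd: discriminators are not mirrored")
    if peer_a == peer_b:
        findings.append("bfd: both sessions use the same peer-ip")
    return findings
```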

Configuring QoS

Configure QoS and filtering rules to set different bandwidth values for users of different levels.

QoS provides end-to-end service quality assurance for different services. In this example, QoS meets the bandwidth and terminal access requirements of VIP and non-VIP users. Using traffic classifiers, traffic policing is implemented for different service flows with different priorities and quality of service.

In this example, you need to define traffic policies, traffic classifiers, and traffic behaviors on the two routers, and apply the specified policy to the incoming traffic on the corresponding interface to differentiate VIP from non-VIP users.

Table 1-38  QoS parameter planning

| Parameter | Planned Value |
|---|---|
| ACL number | 2001, 2002 |
| Traffic classifier name | VIP, SIP |
| Traffic behavior | Unique traffic behavior (such as interface rate limiting) for each traffic classifier |

# Configure ACLs.

#
acl number 2001
 rule 0 permit source 10.8.0.0 0.0.255.255     // IP address of a VIP user
 rule 1 permit source 10.80.0.0 0.1.255.255
#
acl number 2002
 rule 0 permit source 172.24.0.0 0.0.255.255   // IP address of a non-VIP user
 rule 1 permit source 172.25.0.0 0.0.255.255
#

# Configure traffic classifiers and traffic behaviors.

#
traffic classifier VIP operator or             // Define a traffic classifier named VIP.
 if-match acl 2001                             // Define ACL 2001 for traffic classifier VIP.
traffic classifier SIP operator or             // Define a traffic classifier named SIP.
 if-match acl 2002                             // Define ACL 2002 for traffic classifier SIP.
#
traffic behavior VIP
 remark ip-precedence 5                        // Set the priority of the IP packets matching traffic classifier VIP to 5.
traffic behavior SIP
 remark ip-precedence 4                        // Set the priority of the IP packets matching traffic classifier SIP to 4.
#
traffic policy VIP
 share-mode                                    // Set the shared attribute for the traffic policy.
 classifier VIP behavior VIP                   // Specify the traffic behavior VIP for the traffic classifier VIP.
traffic policy SIP
 share-mode
 classifier SIP behavior SIP                   // Specify the traffic behavior SIP for the traffic classifier SIP.
#

# Apply a traffic policy to the corresponding sub-interfaces that carry service traffic.

#
interface GigabitEthernet1/0/4.1
 traffic-policy SIP inbound                   // Apply the traffic policy SIP to the incoming traffic on the sub-interface. If a packet matches ACL 2002, its priority is set to 4.
#
interface GigabitEthernet1/0/4.2
 traffic-policy VIP inbound                   // Apply the traffic policy VIP to the incoming traffic on the sub-interface. If a packet matches ACL 2001, its priority is set to 5.
#
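
Because ACL 2001 and ACL 2002 decide which users are marked as VIP, it is worth verifying the wildcard masks and rule IDs before the policies are applied. The following Python check is an added example, not part of the Huawei document; its sample input is constructed from the address plan above with rule ID 0 deliberately reused in ACL 2002, the function names are hypothetical, and it assumes that a repeated rule ID keeps only its last definition.

```python
import ipaddress
import re

# Constructed sample: the ACL address plan from this section. ACL 2002
# deliberately reuses rule ID 0 to show what the duplicate check reports.
CONFIG = """\
acl number 2001
 rule 0 permit source 10.8.0.0 0.0.255.255
 rule 1 permit source 10.80.0.0 0.1.255.255
acl number 2002
 rule 0 permit source 172.24.0.0 0.0.255.255
 rule 0 permit source 172.25.0.0 0.0.255.255
"""

RULE = re.compile(r"rule (\d+) (permit|deny) source (\S+) (\S+)")

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, base, wildcard), ...]} in file order."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.split("//")[0].strip()      # drop the guide's inline comments
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.fullmatch(line)):
            rid, action, base, wild = m.groups()
            current.append((int(rid), action,
                            int(ipaddress.IPv4Address(base)),
                            int(ipaddress.IPv4Address(wild))))
    return acls

def duplicate_rule_ids(acls):
    """Rule IDs defined more than once inside the same ACL."""
    dups = {}
    for number, rules in acls.items():
        ids = [r[0] for r in rules]
        repeated = sorted({i for i in ids if ids.count(i) > 1})
        if repeated:
            dups[number] = repeated
    return dups

def acl_action(acls, number, src):
    """First-match action for src in ACL number, or None if no rule matches."""
    # Assumption: a repeated rule ID keeps only its last definition.
    effective = {rid: rest for rid, *rest in acls[number]}
    addr = int(ipaddress.IPv4Address(src))
    for rid in sorted(effective):
        action, base, wild = effective[rid]
        # Wildcard bits set to 1 are "don't care"; all other bits must equal base.
        if ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return None
```

With the sample input, the check reports rule ID 0 as duplicated in ACL 2002, and 172.24.0.0/16 no longer matches because only the last definition of that rule is kept.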

Configuring User Access

Configure dynamic allocation and management of user IP addresses.

DHCP can dynamically assign IP addresses to hosts and centrally manage host configurations. It uses the client/server communication model. After the client sends a configuration request to the server, the server returns the configuration information such as the IP address allocated to the client. In this example, the server and clients are not in the same network segment. Therefore, you need to configure the routers as DHCP relay agents. A DHCP relay agent transparently transmits DHCP packets between a DHCP client and the DHCP server on different network segments.

# Configure Router A (repeat this step for Router B).

#
dhcp enable
#
interface GigabitEthernet1/0/4.1     // Configure all service sub-interfaces as DHCP relay agents.
 dhcp select relay                   // Enable DHCP relay.
 ip relay address 192.168.1.2        // Configure the IP address of the DHCP server corresponding to the DHCP relay agent.
#
interface GigabitEthernet1/0/4.2    // Configure all service sub-interfaces as DHCP relay agents.
 dhcp select relay                  // Enable DHCP relay.
 ip relay address 192.168.1.2       // Configure the IP address of the DHCP server corresponding to the DHCP relay agent.
#
Updated: 2019-05-16

Document ID: EDOC1000120969
