How to Configure an AR Router


Introduction

This document describes common configuration tasks and FAQs.

Configuration Tasks

Configuring Device Login Through the Web System

Networking Requirements

As shown in Figure 1-1, there is a reachable route between the device and the PC. The device is to be managed and maintained through the web system.

Figure 1-1 Networking diagram for configuring device login through the web system

Configuration Roadmap

The configuration roadmap is as follows:

  1. Log in to the device through the console port.

  2. Configure a management IP address for the device.

  3. Create a web system account.

  4. Enable the web system function.

  5. Log in to the web system.

Procedure

  1. Log in to the device through the console port.

  2. Configure a management IP address for the device.

    <Huawei> system-view 
    [Huawei] interface gigabitethernet 0/0/0 
    [Huawei-GigabitEthernet0/0/0] ip address 10.1.1.1 24 
    [Huawei-GigabitEthernet0/0/0] quit
  3. Configure a web user.

    [Huawei] aaa 
    [Huawei-aaa] local-user admin password irreversible-cipher Helloworld@6789 
    [Huawei-aaa] local-user admin privilege level 15 
    [Huawei-aaa] local-user admin service-type http 
    [Huawei-aaa] quit
    NOTE:

    Before configuring a web user, run the display this command in the AAA view to list the existing local users, and make sure the new web user name does not collide with one of them; otherwise the commands modify that existing account (privilege level and service type included) instead of creating a new one.

  4. Configure the web system.

    # Enable the web system function.

    [Huawei] http server enable 
      This operation will take several minutes, please wait.........................................................
     Info: Succeeded in starting the HTTP server 
    [Huawei] quit
  5. Log in to the web system.

    Open a web browser on the PC, enter https://10.1.1.1 in the address bar, and press Enter. The web system login page is displayed, as shown in Figure 1-2.

    Figure 1-2 Web system login page

    Enter the web user name and password, and click Login or press Enter. The web system home page is displayed.

  6. Verify the configuration.

# After the configuration is complete, you can log in to the device through the web system.

# Run the display http server command on the device to check the HTTP and HTTPS server status and the SSL policy name. Note that the output below shows the plaintext HTTP listener on port 80 enabled alongside HTTPS on port 443: credentials submitted over HTTP cross the network in cleartext, so always use the https:// URL and keep the management address reachable only from trusted administration hosts.

<Huawei> display http server   
   HTTP server status    : Enabled        (default: disable)   
   HTTP server port      : 80             (default: 80)  
   HTTP timeout interval : 10             (default: 10 minutes)  
   Current online users  : 0               
   Maximum users allowed : 5          
   HTTPS server status   : Enabled        (default: disable) 
   HTTPS server port     : 443            (default: 443)  
   HTTPS server manager port: 
   HTTPS SSL Policy      : 

Configuration Files

Configuration file of the device

# 
aaa  
 local-user admin password irreversible-cipher %^%#R!d3>ji-.u1+N2gSK>3&2P1AM6jfU:"x/3g[5U,lvqP+sf=70+%^E7,,SF7+%^%# 
 local-user admin privilege level 15 
 local-user admin service-type http 
# 
interface GigabitEthernet0/0/0 
 ip address 10.1.1.1 255.255.255.0 
#  
 http server enable 
# 
return


How Do I Configure VLAN Assignment

Specifications

This example applies to all versions of AR routers.

Networking Requirements

As shown in Figure1, the device of a company connects to two departments. User_1 and User_2 belong to department 1 and connect to the company network through different devices, and User_3 and User_4 belong to department 2 and connect to the company network through different devices.

To ensure communication security and prevent broadcast packets from being flooded, the company requires that hosts in a department should be allowed to communicate and hosts in different departments should be isolated.

You can configure interface-based VLAN assignment on the device so that the device adds interfaces connected to users in the same department to the same VLAN. Users in the same VLAN can directly communicate with each other, and users in different VLANs cannot communicate at Layer 2.

Figure 1-3 Networking of VLAN assignment

Procedure

  1. Configure Router_1.

    #  
     sysname Router_1 
    # 
    vlan batch 2 to 3          //Create VLAN 2 and VLAN 3. 
    # 
    interface Ethernet2/0/1    //Configure the interface connected to User_1 as an access interface. The default VLAN is VLAN 2.  
     port link-type access  
     port default vlan 2 
    # 
    interface Ethernet2/0/2    //Configure the interface connected to User_3 as an access interface. The default VLAN is VLAN 3.  
     port link-type access  
     port default vlan 3 
    # 
    interface Ethernet2/0/3    //Configure the interface connecting Router_1 to Router_2 as a trunk interface that allows VLAN 2 and VLAN 3.  
     port link-type trunk 
     port trunk allow-pass vlan 2 to 3 
    # 
    return 
  2. Configure Router_2.
    #  
     sysname Router_2 
    # 
    vlan batch 2 to 3          //Create VLAN 2 and VLAN 3. 
    # 
    interface Ethernet2/0/1    //Configure the interface connected to User_2 as an access interface. The default VLAN is VLAN 2.  
     port link-type access  
     port default vlan 2 
    # 
    interface Ethernet2/0/2    //Configure the interface connected to User_4 as an access interface. The default VLAN is VLAN 3.  
     port link-type access  
     port default vlan 3 
    # 
    interface Ethernet2/0/3    //Configure the interface connecting Router_2 to Router_1 as a trunk interface that allows VLAN 2 and VLAN 3.  
     port link-type trunk  
     port trunk allow-pass vlan 2 to 3 
    # 
    return 
  3. Verify the configuration.
    • Configure User_1 and User_2 on the same network segment, for example, 10.1.100.0/24; configure User_3 and User_4 on the same network segment, for example, 10.1.200.0/24.
    • User_1 and User_2 can ping each other, but cannot ping User_3 or User_4. User_3 and User_4 can ping each other, but cannot ping User_1 or User_2.

Configuration Notes

  • To ensure that packets from VLAN 2 and VLAN 3 are correctly transmitted, create VLAN 2 and VLAN 3 on the device and configure the interface to allow VLAN 2 and VLAN 3.

  • The interfaces connected to users do not need to distinguish VLANs. The interfaces only receive and send untagged frames and add the default VLAN tag to untagged frames, so the interfaces need to be configured as access interfaces.

  • The interconnected interfaces between devices need to allow packets from VLAN 2 and VLAN 3, so the interfaces need to be configured as trunk interfaces.
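The three notes above can be checked mechanically. The following Python script is an added example and not part of the Huawei document: it parses the two VRP configurations from this section (reproduced as constructed strings), then reports access VLANs that were never created, trunk VLANs that do not exist, and user VLANs missing from a trunk's allow-pass list, which is the misconfiguration that silently cuts a department off across the inter-router link. The VRP defaults it assumes (untagged frames mapped to VLAN 1, a trunk carrying only VLAN 1 until allow-pass is configured) and the deliberately broken Router_2 variant are assumptions made for the demonstration.

```python
"""Audit VRP-style VLAN configuration across the two routers in the example above."""
import re

# Router_1 exactly as on the page (comments stripped); Router_2 differs only in sysname.
ROUTER_1 = """\
#
 sysname Router_1
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 2
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 3
#
interface Ethernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
return
"""
ROUTER_2 = ROUTER_1.replace("Router_1", "Router_2")
# Constructed misconfiguration: Router_2's trunk forgets VLAN 3, so department 2 is split in two.
ROUTER_2_BROKEN = ROUTER_2.replace("allow-pass vlan 2 to 3", "allow-pass vlan 2")


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['2', 'to', '3', '10'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_vrp(config):
    """Return (created VLAN IDs, {interface name: settings}) from a VRP configuration text."""
    created, ifaces, cur = set(), {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the inline // comments used on this page
        if not line or line == "#":
            continue
        if m := re.match(r"vlan (?:batch )?(.+)", line):
            created |= expand_vlans(m.group(1).split())
        elif m := re.match(r"interface (\S+)", line):
            # Assumed VRP defaults: untagged frames go to VLAN 1; a trunk carries VLAN 1 only.
            cur = ifaces.setdefault(m.group(1), {"link_type": None, "default_vlan": 1, "allowed": {1}})
        elif cur is None:
            continue
        elif m := re.match(r"port link-type (access|trunk)", line):
            cur["link_type"] = m.group(1)
        elif m := re.match(r"port default vlan (\d+)", line):
            cur["default_vlan"] = int(m.group(1))
        elif m := re.match(r"port trunk allow-pass vlan (.+)", line):
            cur["allowed"] |= expand_vlans(m.group(1).split())
    return created, ifaces


def audit_vlans(configs):
    """configs: {device name: config text}. Returns a list of human-readable findings (empty = OK)."""
    findings, user_vlans = [], set()
    parsed = {name: parse_vrp(text) for name, text in configs.items()}
    for name, (created, ifaces) in parsed.items():
        for ifname, i in ifaces.items():
            if i["link_type"] == "access":
                user_vlans.add(i["default_vlan"])
                if i["default_vlan"] not in created:
                    findings.append(f"{name} {ifname}: access VLAN {i['default_vlan']} is not created")
            elif i["link_type"] == "trunk":
                for v in sorted(i["allowed"] - created - {1}):
                    findings.append(f"{name} {ifname}: trunk allows VLAN {v}, which is not created")
    # Every VLAN used by an access port must be allowed on every trunk, or the users of that
    # VLAN on the other device cannot reach each other at Layer 2.
    for name, (created, ifaces) in parsed.items():
        for ifname, i in ifaces.items():
            if i["link_type"] == "trunk":
                for v in sorted(user_vlans - i["allowed"]):
                    findings.append(f"{name} {ifname}: trunk does not allow user VLAN {v}")
    return findings


if __name__ == "__main__":
    print("page config:", audit_vlans({"Router_1": ROUTER_1, "Router_2": ROUTER_2}) or "OK")
    print("broken trunk:", audit_vlans({"Router_1": ROUTER_1, "Router_2": ROUTER_2_BROKEN}))
```

Run it against a saved display current-configuration from each router; a non-empty result means a department's hosts will fail the ping check in step 3 even though each router's configuration looks complete in isolation.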


How Do I Configure Port Mapping

Procedure
  • NAT server mode

    # Configure NAT server on the public network interface GE0/0/1 to map private IP address 192.168.20.2 and TCP port 8080 to the interface's IP address and port 8080.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 0/0/1
    [Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 8080 inside 192.168.20.2 8080
  • NAT static mode

    Interface view:

    # Map public address 202.10.10.1 and port 2000 in TCP packets to private address 10.10.10.1 and port 3000.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 1/0/0
    [Huawei-GigabitEthernet1/0/0] nat static protocol tcp global 202.10.10.1 2000 inside 10.10.10.1 3000

    System view:

    # Map public IP address 10.100.10.1 and port 443 in TCP packets to private address 192.168.2.55.

    <Huawei> system-view
    [Huawei] nat static protocol tcp global 10.100.10.1 443 inside 192.168.2.55 netmask 255.255.255.255
    [Huawei] interface gigabitethernet 1/0/0
    [Huawei-GigabitEthernet1/0/0] nat static enable

If a device on the private network needs to provide a specific service to public-network hosts on one or more ports, configure a mapping between its private IP address and port and a public IP address and port. Public-network hosts then reach the service through the specified public IP address and port. The mapping can be configured in NAT server mode or NAT static mode. The difference lies in how traffic initiated from the private network toward the public network is handled: NAT server mode translates only the IP address and leaves the port unchanged, whereas NAT static mode translates both the IP address and the port.


How Do I Configure Static Domain Name Resolution

Procedure

# Configure a static DNS entry to map domain name www.huawei.com to IP address 1.1.1.4.

<Huawei> system-view
[Huawei] ip host www.huawei.com 1.1.1.4

More information

When an AR router acts as a DNS client, DNS proxy, or DNS relay agent, you can configure mappings between domain names and IP addresses to implement static domain name resolution. The DNS client then looks the name up in the static DNS resolution table and obtains the mapped IP address directly, which is faster than querying a DNS server. Static domain name resolution is suited to commonly used domain names.


How Do I Configure DHCP Static Binding

Procedure

  • Configure DHCP static binding on interfaces.

    <Huawei> system-view
    [Huawei] dhcp enable
    [Huawei] interface gigabitethernet 1/0/0
    [Huawei-GigabitEthernet1/0/0] ip address 10.10.10.1 24    //Interface address; it is also the gateway of the interface address pool.
    [Huawei-GigabitEthernet1/0/0] dhcp select interface
    [Huawei-GigabitEthernet1/0/0] dhcp server static-bind ip-address 10.10.10.10 mac-address 2020-e2f3-2a3b    //The bound address must be a host address in the pool other than the interface address.
  • Configure DHCP static binding globally.

    <Huawei> system-view
    [Huawei] ip pool global1
    [Huawei-ip-pool-global1] network 192.168.1.0 mask 24    //The network command takes the network address, not a host address.
    [Huawei-ip-pool-global1] static-bind ip-address 192.168.1.10 mac-address dcd2-fc96-e4c0

More Information

Assigning fixed IP addresses to clients by a DHCP server, IP source guard (IPSG), and static ARP all involve a binding between an IP address and a MAC address, but the three functions have different application scenarios and implementations, as shown in Table 1.

Table 1-1 Differences between assigning fixed IP addresses to clients by a DHCP server, IPSG, and static ARP

Function: Assigning fixed IP addresses to clients by a DHCP server

  Usage scenario: Some clients (such as servers and PCs) require fixed IP addresses from a DHCP server.

  Implementation: The MAC addresses of these clients are bound to fixed IP addresses. When such a client requests an IP address, the DHCP server looks up the binding entry for the client's MAC address and allocates the matching IP address.

  Configuration method: See Enterprise Routers CLI-based Configuration-IP Service Configuration Guide-DHCP Configuration-Configuring a DHCP Server-Configuring a DHCP Server to Allocate IP Addresses to Clients-(Optional) Configuring a DHCP Server to Allocate Fixed IP Addresses to Specified Clients.

Function: IPSG

  Usage scenario: IP address spoofing and ARP spoofing need to be prevented:
  • IP address spoofing: An attacker uses a forged IP address together with its own MAC address to obtain the rights of the attacked device and intercept packets destined for it.
  • ARP spoofing: An attacker sends ARP packets with a forged MAC address to intercept packets destined for the attacked device, or with the MAC address of the gateway to intercept all packets destined for the gateway.

  Implementation: The mapping between IP addresses and MAC addresses is set up on the device. When the device receives a packet such as an ARP Request, it looks up the MAC address bound to the packet's source IP address and compares it with the source MAC address in the frame header. If the two differ, the packet is considered invalid and discarded.

  Configuration method: See Enterprise Routers CLI-based Configuration-Security Configuration Guide-IPSG Configuration-Configuring IPSG-Configuring IPSG Based on a Static Binding Table.

Function: Static ARP

  Usage scenario: The mapping between IP addresses and MAC addresses is configured manually in the following cases:
  • Packets whose destination IP addresses are not on the local network segment must be forwarded by a gateway on the local segment.
  • Destination IP addresses of invalid packets are bound to a nonexistent MAC address so that the packets are filtered out.
  • Critical devices must forward packets securely and be protected against attacks such as ARP flooding. Static ARP entries bind their MAC addresses to specific IP addresses, so an attacker cannot modify the IP-to-MAC mapping and communication between the two devices is preserved.

  Implementation: The mapping between IP addresses and MAC addresses is set up on the device. When receiving an ARP Request, the device looks up the MAC address mapped to the requested IP address and responds with an ARP Reply. Static ARP entries are configured and maintained manually; they are neither aged out nor overwritten by dynamic ARP entries, which improves communication security.

  Configuration method: See Enterprise Routers CLI-based Configuration-IP Service Configuration Guide-ARP Configuration-Configuring ARP-Configuring Static ARP.
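The IPSG check described in the table can be modelled directly. The Python below is an added example and not Huawei code: it keeps a static binding table (reusing the two IP/MAC pairs from the DHCP static-bind commands above plus an assumed attacker host with its own legitimate binding), runs constructed ARP requests through the source-IP-to-MAC comparison the table describes, and reports which are dropped. Two behaviours are assumptions made for the demonstration: a source IP with no binding at all is dropped, and interfaces without IPSG are not checked; verify both against the IPSG configuration guide referenced above.

```python
"""Model the IPSG source check from the table above over constructed ARP requests."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    iface: str         # ingress interface
    sender_ip: str     # source IP address carried in the packet
    sender_mac: str    # source MAC address in the frame header


def vrp_mac(mac):
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb-ccdd-eeff to VRP's aabb-ccdd-eeff form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


# Constructed static binding table (IP -> MAC). The first two entries reuse the page's DHCP
# static-bind values; the third is an assumed attacker host that holds a legitimate binding.
BINDINGS = {
    "10.10.10.10": "2020-e2f3-2a3b",
    "192.168.1.10": "dcd2-fc96-e4c0",
    "10.10.10.50": "0011-2233-4455",
}
IPSG_INTERFACES = {"GE1/0/0"}  # assumption: IPSG is enabled on this interface only


def ipsg_check(req, bindings=BINDINGS, ipsg_ifaces=IPSG_INTERFACES):
    """Return (verdict, reason) for one packet, verdict being 'forward' or 'drop'."""
    if req.iface not in ipsg_ifaces:
        return "forward", "IPSG not enabled on ingress interface"
    bound_mac = bindings.get(req.sender_ip)
    if bound_mac is None:
        # Assumption: a source IP without any binding entry is unauthorised and dropped.
        return "drop", f"no binding for source IP {req.sender_ip}"
    if vrp_mac(bound_mac) != vrp_mac(req.sender_mac):
        return "drop", f"source MAC {vrp_mac(req.sender_mac)} != bound MAC {bound_mac} for {req.sender_ip}"
    return "forward", "binding matches"


def process(requests, bindings=BINDINGS, ipsg_ifaces=IPSG_INTERFACES):
    """Apply ipsg_check to a batch; returns a list of (request, verdict, reason)."""
    return [(r, *ipsg_check(r, bindings, ipsg_ifaces)) for r in requests]


def dropped_by_mac(results):
    """Count drops per offending source MAC, the view that exposes a single spoofing host."""
    counts = {}
    for req, verdict, _ in results:
        if verdict == "drop":
            mac = vrp_mac(req.sender_mac)
            counts[mac] = counts.get(mac, 0) + 1
    return counts


# Constructed traffic: a legitimate host, the two spoofing cases from the table, and two edge cases.
SAMPLE = [
    ArpRequest("GE1/0/0", "10.10.10.10", "20:20:e2:f3:2a:3b"),  # legitimate host, matches its binding
    ArpRequest("GE1/0/0", "10.10.10.10", "00:11:22:33:44:55"),  # IP spoofing: victim's IP, attacker's own MAC
    ArpRequest("GE1/0/0", "10.10.10.50", "20:20:e2:f3:2a:3b"),  # ARP spoofing: attacker's IP, forged MAC
    ArpRequest("GE1/0/0", "10.10.10.77", "00:11:22:33:44:55"),  # source IP with no binding at all
    ArpRequest("GE1/0/1", "10.10.10.10", "00:11:22:33:44:55"),  # interface without IPSG: not checked
]

if __name__ == "__main__":
    results = process(SAMPLE)
    for req, verdict, reason in results:
        print(f"{req.iface} {req.sender_ip} {req.sender_mac}: {verdict} ({reason})")
    print("drops per source MAC:", dropped_by_mac(results))
```

The last sample request is the important caveat: a binding table only protects the interfaces on which IPSG is enabled, so an attacker on an unprotected port is never compared against it.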


How to Configure Static Routes

Procedure

  • Configure an IPv4 static route to destination network 192.168.1.0/24 with next-hop IP address 192.168.4.1 and preference 60.

    <Huawei> system-view 
    [Huawei] ip route-static 192.168.1.0 255.255.255.0 192.168.4.1 preference 60
  • Configure an IPv6 static route with the destination address 1::, next-hop IPv6 address 10::1, and preference 80.

    <Huawei> system-view 
    [Huawei] ipv6 route-static 1:: 64 gigabitethernet0/0/1 10::1 preference 80

More Information

  • If no preference is set for a static route, the static route uses the default preference 60.

  • If the destination IP address and mask of a static route are set to all 0s, a default route is configured. If a packet does not match any route in an IP routing table, this packet is forwarded using a default route.

  • If you specify the same preference for multiple static routes with the same destination address, you can implement load balancing among these routes. If you specify different preferences for these routes, you can implement route backup among the routes.

  • When configuring an IPv4 static route, specify an outbound interface or a next-hop address as the interface type requires: on a point-to-point interface, specify only the outbound interface; on an NBMA interface, specify only the next-hop address; on a broadcast interface, specify the next-hop address.

  • When configuring an IPv6 static route, specify an outbound interface or a next-hop address as the interface type requires: on a point-to-point interface, specify only the outbound interface; on an NBMA interface, specify only the next-hop address; on a broadcast interface, specify either only the outbound interface or both the outbound interface and a next-hop address, which may be a non-link-local address.


How to Configure OSPF Route Filtering

Procedure

  1. Before configuring OSPF route filtering, configure a filtering rule. For example, configure a basic ACL that matches routes to the network 10.20.0.0/24 (when a basic ACL is used for route filtering, its source field is matched against the route's destination network).
    <Huawei> system-view 
    [Huawei] acl 2000 
    [Huawei-acl-basic-2000] rule permit source 10.20.0.0 0.0.0.255  
    [Huawei-acl-basic-2000] quit
  2. Configure OSPF to filter the imported RIP routes according to the filtering policy.

    <Huawei> system-view 
    [Huawei] ospf 100 
    [Huawei-ospf-100] import-route rip 
    [Huawei-ospf-100] filter-policy 2000 export
  3. Configure OSPF to filter received routes.

    <Huawei> system-view 
    [Huawei] ospf 100 
    [Huawei-ospf-100] filter-policy 2000 import
  4. Configure OSPF to filter outgoing Type 3 LSAs.

    <Huawei> system-view 
    [Huawei] ospf 100 
    [Huawei-ospf-100] area 1 
    [Huawei-ospf-100-area-0.0.0.1] filter 2000 export
  5. Configure OSPF to filter incoming Type 3 LSAs.

    <Huawei> system-view 
    [Huawei] ospf 100 
    [Huawei-ospf-100] area 1 
    [Huawei-ospf-100-area-0.0.0.1] filter 2000 import

More Information

OSPF route filtering involves routes calculated by OSPF and intra-area Type 3 LSAs.

  • Filtering routes calculated by OSPF includes filtering imported routes to be advertised and filtering received routes.
    NOTE:

    Filtering imported routes to be advertised can be configured only on ASBRs.

  • Filtering intra-area Type 3 LSAs includes filtering intra-area outgoing and incoming Type 3 LSAs.
    NOTE:

    Filtering intra-area Type 3 LSAs can be configured only on ABRs.


How to Configure a Route Preference

Procedure

  • Set the preference of a static route to 10.

    <Huawei> system-view 
    [Huawei] ip route-static 192.168.2.0 255.255.255.0 192.168.1.1 preference 10
  • Set the preference of routes in OSPF process 100 to 150.

    <Huawei> system-view 
    [Huawei] ospf 100 
    [Huawei-ospf-100] preference 150

More Information

  • External and internal preferences are defined on routers. External preferences of routing protocols can be configured manually. Table 1 lists the default external preferences of routing protocols.

    Table 1-2 Default external preferences of routing protocols (routing protocol type: external preference)

    Direct: 0
    OSPF: 10
    IS-IS: 15
    Static: 60
    RIP: 100
    OSPF ASE: 150
    OSPF NSSA: 150
    IBGP: 255
    EBGP: 255

    NOTE:

    The value 0 indicates direct routes, and the value 255 indicates routes learned from unreliable sources. A smaller value indicates a higher preference.

    External preferences of all routing protocols except direct routes can be manually configured.

  • Internal preferences of routing protocols cannot be configured manually. Table 2 lists the internal preferences of routing protocols.

    Table 1-3 Internal preferences of routing protocols (routing protocol type: internal preference)

    Direct: 0
    OSPF: 10
    IS-IS Level-1: 15
    IS-IS Level-2: 18
    Static: 60
    RIP: 100
    OSPF ASE: 150
    OSPF NSSA: 150
    IBGP: 200
    EBGP: 20

NOTE:

When selecting the optimal route, the system first compares the external preferences of the routes, and then the internal preferences if the external preferences are equal.
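To make the two-stage comparison concrete, here is an added Python example (not Huawei code) that selects among candidate routes using the external preferences of Table 1, any value set with the preference command, and the internal preferences of Table 2 as the tie-breaker, and then performs a longest-prefix lookup that falls back to a 0.0.0.0/0 default route as described under static routes. The Route structure, the candidate routes and their next hops are constructed for the example.

```python
"""Route selection by external then internal preference, using the two tables above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default external preferences (Table 1); "IS-IS" covers both levels.
EXTERNAL = {"Direct": 0, "OSPF": 10, "IS-IS": 15, "Static": 60, "RIP": 100,
            "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 255, "EBGP": 255}
# Internal preferences (Table 2); these cannot be configured.
INTERNAL = {"Direct": 0, "OSPF": 10, "IS-IS Level-1": 15, "IS-IS Level-2": 18, "Static": 60,
            "RIP": 100, "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 200, "EBGP": 20}


@dataclass(frozen=True)
class Route:
    prefix: str                       # e.g. "192.168.1.0/24"; "0.0.0.0/0" is the default route
    protocol: str                     # a key of INTERNAL, e.g. "IS-IS Level-2"
    next_hop: str
    preference: Optional[int] = None  # value set with the preference command, if any


def external_pref(route):
    """A configured preference wins; otherwise the protocol default (both IS-IS levels share one)."""
    if route.preference is not None:
        return route.preference
    key = "IS-IS" if route.protocol.startswith("IS-IS") else route.protocol
    return EXTERNAL[key]


def select_routes(candidates):
    """Return {prefix: winning Route}: lowest external preference, ties broken by internal preference."""
    best = {}
    for r in candidates:
        key = (external_pref(r), INTERNAL[r.protocol])
        if r.prefix not in best or key < best[r.prefix][0]:
            best[r.prefix] = (key, r)
    return {prefix: route for prefix, (_, route) in best.items()}


def lookup(dest, active):
    """Longest-prefix match over the active routes; a 0.0.0.0/0 entry catches everything else."""
    d = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), r) for p, r in active.items() if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Constructed candidate routes (next hops are illustrative).
CANDIDATES = [
    Route("192.168.1.0/24", "Static", "192.168.4.1"),                 # static 60 beats OSPF ASE 150
    Route("192.168.1.0/24", "OSPF ASE", "10.0.0.2"),
    Route("10.0.0.0/8", "IBGP", "10.0.0.3"),                          # both BGP routes have external 255;
    Route("10.0.0.0/8", "EBGP", "203.0.113.1"),                        # EBGP wins on internal 20 vs 200
    Route("192.168.2.0/24", "Static", "192.168.1.1", preference=10),  # as in the procedure: static set to 10,
    Route("192.168.2.0/24", "OSPF", "10.0.0.2", preference=150),      # OSPF process 100 set to 150
    Route("0.0.0.0/0", "Static", "203.0.113.1"),                       # default route
]

if __name__ == "__main__":
    active = select_routes(CANDIDATES)
    for prefix, route in active.items():
        print(f"{prefix:16} via {route.next_hop:14} {route.protocol} "
              f"(ext {external_pref(route)}, int {INTERNAL[route.protocol]})")
    for dest in ("192.168.1.5", "10.20.30.40", "8.8.8.8"):
        r = lookup(dest, active)
        print(f"{dest} -> {r.prefix} via {r.next_hop}")
```

The 192.168.2.0/24 pair shows why the preference command matters for security as well as reachability: once an OSPF process is set to 150, a static route of preference 10 towards the same destination can no longer be displaced by a route that a rogue OSPF speaker injects.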


How Do I Configure IPSec-Protected Data Flows

IPSec can protect one or more data flows. These IPSec-protected data flows are specified using ACLs if an IPSec tunnel is established based on ACLs. In real-world applications, you need to configure an ACL to define data flows to be protected and then reference the ACL in an IPSec policy to protect these data flows. An IPSec policy can reference only one ACL. Therefore:

  • If different data flows have different security requirements, create different ACLs and IPSec policies to protect the data flows.

  • If different data flows have the same security requirements, configure multiple rules in an ACL to protect the data flows.

Configuration Guidelines

  • The protocol types defined in the ACL rules on both ends of an IPSec tunnel must be consistent. For example, if one end uses the IP protocol, the other end must also use the IP protocol.
  • If the ACL rules on both ends mirror each other, an SA can be established whichever side initiates negotiation. If they do not mirror each other, an SA can be established only when the address range in the initiator's ACL rule is contained in that of the responder. Mirrored rules are therefore recommended: the source and destination addresses of a rule on one end are the destination and source addresses of the rule on the other end. Specifically:

    If both ends use IPSec policies in ISAKMP mode, the ACL rules on both ends must mirror each other. If one end uses an ISAKMP-mode IPSec policy and the other uses a policy created from an IPSec policy template, the ACL rule range on the ISAKMP side may be smaller than that on the template side, and the intersection of the two ranges becomes the negotiated result.

  • The IP address ranges in the ACL rules should not overlap; otherwise a data flow may match the wrong rule.

  • The rules for the ACLs in the same IPSec policy group must be unique.

  • The ACL rules referenced by the IPSec policies in one IPSec policy group must not overlap. In the following example, ACL 3001 and ACL 3002 overlap, because the 0.0.255.255 wildcards in ACL 3002 cover all of 10.1.0.0/16 on both the source and the destination side, which contains the /24 networks in ACL 3001:

    acl number 3001 
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
    acl number 3002 
     rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.1.0 0.0.255.255
  • If the responder uses an IPSec policy configured using an IPSec policy template:

    Protected data flows need not be defined on the responder; the responder then accepts the data flow range defined on the initiator. If you do define protected data flows on the responder, their range must mirror or contain that of the initiator.

  • If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect because the device performs NAT first. In this case, you need to ensure:

    • The destination IP address denied in the ACL rule referenced by NAT is the destination IP address in the ACL rule referenced by IPSec. This prevents the device from performing NAT on the IPSec-protected data flows.

    • The ACL rule referenced by IPSec matches the post-NAT IP address.
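The mirroring, overlap and NAT-exemption conditions above are easy to get wrong by hand. The Python below is an added example, not Huawei code: it parses the rule permit/deny ip source ... destination ... lines used throughout this page, converts each address/wildcard pair into a network (non-contiguous wildcards are rejected), and checks whether two ends mirror each other, whether an initiator's flows are contained in a template-mode responder's, whether two ACLs in one policy group overlap, and whether every IPSec flow is denied in the ACL referenced by NAT. The ACL texts are this page's own examples reproduced as strings, with the second overlapping ACL numbered 3002 as the guideline describes it.

```python
"""Checks for IPSec ACL pairs: mirroring, template-mode coverage, policy-group overlap, NAT exemption."""
import ipaddress
import re

RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)")


def wildcard_net(addr, wildcard):
    """Turn a VRP 'address wildcard' pair into a network; the shorthand '0' means an exact host."""
    wc = "0.0.0.0" if wildcard == "0" else wildcard
    netmask = ".".join(str(255 - int(octet)) for octet in wc.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)  # ValueError on non-contiguous wildcards


def parse_acl(text, action="permit"):
    """Return [(src_net, dst_net)] for every rule with the given action in a VRP ACL text."""
    return [(wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5]))
            for m in RULE_RE.finditer(text) if m[1] == action]


def mirrors(local, peer):
    """True when the local flows are exactly the peer's flows with source and destination swapped."""
    return set(local) == {(dst, src) for src, dst in peer}


def covered_by(initiator, responder):
    """Template-mode rule: every initiator flow must sit inside some responder flow, seen from the responder."""
    return all(any(s.subnet_of(r_dst) and d.subnet_of(r_src) for r_src, r_dst in responder)
               for s, d in initiator)


def overlapping_flows(acls):
    """Flows from different ACLs of one policy group that overlap in both source and destination."""
    names = sorted(acls)
    return [(a, b, fa, fb)
            for i, a in enumerate(names) for b in names[i + 1:]
            for fa in acls[a] for fb in acls[b]
            if fa[0].overlaps(fb[0]) and fa[1].overlaps(fb[1])]


def nat_exempts_ipsec(ipsec_flows, nat_acl_text):
    """True when every IPSec-protected flow lies inside a deny rule of the ACL that NAT references."""
    denies = parse_acl(nat_acl_text, action="deny")
    return all(any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies) for s, d in ipsec_flows)


# The page's ACLs reproduced as strings: gateway-to-gateway, headquarters, branch A, NAT deny ACL.
GW_A = "acl 3001\n rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255\n"
GW_B = "acl 3001\n rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255\n"
HQ = """acl number 3001
 rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
BRANCH_A = """acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255
"""
NAT_ACL = "acl 3005\n rule deny ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255\n"
# The overlapping pair from the guidelines, with the second ACL numbered 3002 as the text describes.
POLICY_GROUP = {
    "3001": parse_acl("rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"),
    "3002": parse_acl("rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.1.1.0 0.0.255.255"),
}

if __name__ == "__main__":
    print("gateway A/B mirror:", mirrors(parse_acl(GW_A), parse_acl(GW_B)))
    print("branch A covered by HQ (template mode):", covered_by(parse_acl(BRANCH_A), parse_acl(HQ)))
    for a, b, fa, fb in overlapping_flows(POLICY_GROUP):
        print(f"ACL {a} {fa[0]}->{fa[1]} overlaps ACL {b} {fb[0]}->{fb[1]}")
    print("NAT ACL exempts the IPSec flows:", nat_exempts_ipsec(parse_acl(GW_A), NAT_ACL))
```

The headquarters and branch A ACLs do not mirror each other (the headquarters also carries the branch-to-branch flows), but every branch A flow is contained in a headquarters rule, which is exactly the relaxed condition the template-mode guideline allows.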

Configuration Tips

ACL rules are configured using different methods in different scenarios. The following examples show how to configure ACL rules:

Gateway-to-gateway IPSec VPN

Establish a point-to-point IPSec tunnel between two gateways. Assume that the network segments to be protected by gateway A and gateway B are 10.1.1.0/24 and 192.168.196.0/24 respectively.

Configure gateway A.

<Huawei> system-view 
[Huawei] acl 3001        
[Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255

Configure gateway B.

<Huawei> system-view 
[Huawei] acl 3001        
[Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

The wildcard masks (and therefore the prefix lengths) of the protected network segments must match on both ends of the IPSec tunnel; otherwise the two rules do not mirror each other.

Headquarters-to-branch IPSec VPN

Establish a point-to-multipoint tunnel between the headquarters gateway and multiple branch gateways. Assume that the intranet network segments of the headquarters, branch A, and branch B are 192.168.196.0/24, 10.1.1.0/24, and 10.1.2.0/24 respectively.

  • If the branches need to communicate with the headquarters but not with each other, configure the branch ACLs as in the gateway-to-gateway scenario. In the headquarters ACL, the source address remains the headquarters segment and the destination addresses must cover the intranet segments of all branches.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit
  • If the branches need to communicate with the headquarters and with each other (the branches communicate with each other through the headquarters), the source address of the headquarters should include all network segments of the headquarters and branches, and the destination addresses need to be the intranet network segments of all branches. The source addresses of the branches remain unchanged, and the destination addresses need to include the intranet network segments of the headquarters and the other branch.

    Configure the ACL of the headquarters.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit

    Configure the ACL of branch A.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit

    Configure the ACL of branch B.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 192.168.196.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit

IPSec gateway functioning as a NAT gateway

  • If the data flow on which NAT is performed is directly transmitted from gateway A to the network without entering an IPSec VPN, deny the IPSec data flow when configuring a NAT policy.

    Assume that the IPSec-protected intranet network segments of gateway A and gateway B are 10.1.1.0/24 and 192.168.196.0/24 respectively. Configure the ACL and NAT policy of gateway A.

    # Define the IPSec-protected data flow.

    <Huawei> system-view 
    [Huawei] acl 3001        
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255           
    [Huawei-acl-adv-3001] quit

    # Deny the IPSec-protected address segment in the ACL referenced by NAT.

    [Huawei] acl 3005        
    [Huawei-acl-adv-3005] rule deny ip source 10.1.1.0 0.0.0.255 destination 192.168.196.0 0.0.0.255 
    [Huawei-acl-adv-3005] quit

    Configure gateway B.

    <Huawei> system-view 
    [Huawei] acl 3001  
    [Huawei-acl-adv-3001] rule permit ip source 192.168.196.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
  • If private IP addresses of gateway A and gateway B overlap, NAT needs to be performed on the data flow of gateway A, and then the data flow enters the IPSec VPN.

    Assume that the IPSec-protected intranet segments of gateway A and gateway B are both 10.1.1.0/24. Traffic entering the IPSec VPN from gateway A must first have its private source addresses translated to other private addresses; assume the post-NAT addresses fall in 10.1.2.0/24 (for example, 10.1.2.1). Configure the ACLs on both ends against the post-NAT addresses.

    Configure gateway A.

    <Huawei> system-view 
    [Huawei] acl 3001        
    [Huawei-acl-adv-3001] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit

    Configure gateway B.

    <Huawei> system-view 
    [Huawei] acl 3001        
    [Huawei-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 
    [Huawei-acl-adv-3001] quit

L2TP over IPSec

In an L2TP over IPSec scenario, IPSec-protected data flows are L2TP-encapsulated data flows, that is, data flows between the LAC and the LNS.
  • If the LAC address is fixed, the source and destination in its ACL are the public-interface addresses on both ends (the LAC outbound interface and the LNS inbound interface). Assume the LAC outbound interface is 1.1.1.1/24 and the LNS inbound interface is 1.2.1.1/24.

    Configure the LAC.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0   
    [Huawei-acl-adv-3001] quit

    Configure the LNS.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0 
    [Huawei-acl-adv-3001] quit
  • If the LAC address is not fixed, match the L2TP over IPSec data flow on UDP port 1701 instead: on the LAC, match UDP destination port 1701 (traffic towards the LNS); on the LNS, match UDP source port 1701 (traffic returning to the LAC).

    Configure the LAC.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit udp destination-port eq 1701  
    [Huawei-acl-adv-3001] quit

    Configure the LNS.

    <Huawei> system-view 
    [Huawei] acl number 3001 
    [Huawei-acl-adv-3001] rule permit udp source-port eq 1701  
    [Huawei-acl-adv-3001] quit

GRE over IPSec

When a GRE over IPSec tunnel is established based on ACLs, IPSec-protected data flows are GRE-encapsulated data flows. The source and destination network segments in an ACL are the source and destination addresses of the GRE tunnel, that is, IP addresses of interfaces in gateways on both ends of the tunnel.

Assume that the public IP addresses of gateway A and gateway B are 1.1.1.1/24 and 1.2.1.1/24 respectively.

Configure gateway A.

<Huawei> system-view 
[Huawei] acl number 3001 
[Huawei-acl-adv-3001] rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0 
[Huawei-acl-adv-3001] quit

Configure gateway B.

<Huawei> system-view 
[Huawei] acl number 3001 
[Huawei-acl-adv-3001] rule permit ip source 1.2.1.1 0 destination 1.1.1.1 0 
[Huawei-acl-adv-3001] quit


How Do I Configure Access Control

Procedure

  • Run the traffic-filter command in the interface view.
    NOTE:

    The device supports ACL-based packet filtering on WAN interfaces and logical interfaces with Layer 3 features.

    <Huawei> system-view 
    [Huawei] acl 3000 
    [Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0 // Allow packets with the source IP address 192.168.0.2/32 to pass through. 
    [Huawei-acl-adv-3000] quit 
    [Huawei] interface gigabitethernet 0/0/2 
    [Huawei-GigabitEthernet0/0/2] traffic-filter inbound acl 3000 // Apply the ACL-based simplified traffic policy to an interface.
  • Run the traffic-policy command in the interface view.

    <Huawei> system-view 
    [Huawei] acl 3000 
    [Huawei-acl-adv-3000] rule 5 permit ip source 192.168.0.2 0 // Allow packets with the source IP address 192.168.0.2/32 to pass through. 
    [Huawei-acl-adv-3000] quit 
    [Huawei] traffic classifier c1 // Create a traffic classifier that matches the ACL. 
    [Huawei-classifier-c1] if-match acl 3000 
    [Huawei-classifier-c1] quit 
    [Huawei] traffic behavior b1 // Create a traffic behavior and configure the permit or deny action for packets. 
    [Huawei-behavior-b1] permit 
    [Huawei-behavior-b1] quit 
    [Huawei] traffic policy p1 // Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
    [Huawei-trafficpolicy-p1] classifier c1 behavior b1 
    [Huawei-trafficpolicy-p1] quit 
    [Huawei] interface gigabitethernet 0/0/2 
    [Huawei-GigabitEthernet0/0/2] traffic-policy p1 inbound // Apply the traffic policy to an interface.
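Before binding an ACL to an IPSec policy or a traffic filter it is worth checking which flows it actually selects. The following is an added Python example, not Huawei code: it evaluates the advanced-ACL rule lines used in the L2TP/GRE over IPSec examples and in the traffic-filter example above, modelling Huawei wildcard masks and first-match evaluation; the addresses and flows are constructed.

```python
"""Evaluator for the advanced-ACL rules shown above: which flows does an ACL select?
Added example, not Huawei code. Models wildcard masks (a 1 bit means "don't care";
the shorthand 0 means 0.0.0.0, an exact host match), automatic rule IDs in steps
of 5, and first-match evaluation in rule-ID order."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str          # "udp", "tcp", "gre", "icmp", ...
    src: str
    dst: str
    sport: int = 0      # 0 = not applicable (non-TCP/UDP)
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Optional[tuple[int, int]]   # (address, wildcard); None = any
    dst: Optional[tuple[int, int]]
    sport: Optional[int]             # only the "eq port" form is modelled
    dport: Optional[int]

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _wildcard(text: str) -> int:
    return _addr(text) if "." in text else int(text)   # "0" is shorthand for 0.0.0.0

def parse_rule(text: str, auto_id: int) -> Rule:
    toks = text.split()
    if toks[0] != "rule":
        raise ValueError(f"not a rule: {text}")
    i, rule_id = 1, auto_id
    if toks[i].isdigit():               # explicit rule ID, e.g. "rule 5 permit ..."
        rule_id, i = int(toks[i]), i + 1
    action, proto, i = toks[i], toks[i + 1], i + 2
    src = dst = sport = dport = None
    while i < len(toks):
        key = toks[i]
        if key in ("source", "destination"):
            if toks[i + 1] == "any":
                val, i = None, i + 2
            else:
                val, i = (_addr(toks[i + 1]), _wildcard(toks[i + 2])), i + 3
            src, dst = (val, dst) if key == "source" else (src, val)
        elif key in ("source-port", "destination-port"):
            if toks[i + 1] != "eq":
                raise ValueError("only 'eq port' is modelled")
            port, i = int(toks[i + 2]), i + 3
            sport, dport = (port, dport) if key == "source-port" else (sport, port)
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    return Rule(rule_id, action, proto, src, dst, sport, dport)

def _addr_match(spec: Optional[tuple[int, int]], ip: str) -> bool:
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF            # bits that must match exactly
    return (_addr(ip) & care) == (addr & care)

def _matches(r: Rule, f: Flow) -> bool:
    return (
        (r.proto == "ip" or r.proto == f.proto)
        and _addr_match(r.src, f.src) and _addr_match(r.dst, f.dst)
        and (r.sport is None or r.sport == f.sport)
        and (r.dport is None or r.dport == f.dport)
    )

class Acl:
    def __init__(self, number: int, lines: list[str]):
        self.number, self.rules = number, []
        for line in lines:   # next free multiple of 5 when no ID is typed
            next_id = (max((r.rule_id for r in self.rules), default=0) // 5 + 1) * 5
            self.rules.append(parse_rule(line, next_id))
        self.rules.sort(key=lambda r: r.rule_id)

    def lookup(self, flow: Flow) -> Optional[Rule]:
        """First rule that matches the flow, or None when no rule matches."""
        return next((r for r in self.rules if _matches(r, flow)), None)

    def permits(self, flow: Flow) -> bool:
        r = self.lookup(flow)
        return r is not None and r.action == "permit"

# ACLs with the rule text from the examples above, plus one constructed /24 wildcard rule
LAC_ACL = Acl(3001, ["rule permit udp destination-port eq 1701"])
GRE_A_ACL = Acl(3001, ["rule permit ip source 1.1.1.1 0 destination 1.2.1.1 0"])
FILTER_ACL = Acl(3000, ["rule 5 permit ip source 192.168.0.2 0"])
SUBNET_ACL = Acl(3002, ["rule deny ip source 192.168.0.0 0.0.0.255"])

# Constructed sample flows (addresses are illustrative)
L2TP_FROM_ROAMING_LAC = Flow("udp", "203.0.113.10", "198.51.100.1", sport=51000, dport=1701)
GRE_TUNNEL = Flow("gre", "1.1.1.1", "1.2.1.1")
GRE_FROM_OTHER_HOST = Flow("gre", "1.1.1.2", "1.2.1.1")
```

A flow that no rule matches (for example the IKE negotiation itself on UDP 500) returns None, which is what you want: the IPSec policy must not select the traffic that sets up the IPSec tunnel.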

How Do I Configure or Delete the Read-Write Community Name of SNMPv1 or SNMPv2c

In the system view, you can run the snmp-agent community command to configure the read-write community name of SNMPv1 or SNMPv2c and run the undo snmp-agent community command to delete the community name. When running the snmp-agent community command, you can select parameters based on the networking requirements.

  • To grant only the read right to the NMS in the specified view (for example, for an administrator with a low level), use the read parameter.

  • To grant the read and write rights to the NMS in the specified view (for example, for an administrator with a high level), use the write parameter.

  • To allow some NMSs using a community name to access the MIB view default, do not specify the mib-view view-name parameter.

  • To allow all NMSs using a community name to manage certain objects, do not specify the acl acl-number parameter.

  • To allow some NMSs using a community name to manage certain objects, specify both mib-view and acl parameters.

NOTE:

If both a community name and an ACL are configured, the device checks the community name first and then the ACL before allowing the NMS to access it. If the community name does not exist, the packets are discarded, the system logs a community name error, and the ACL is not checked. That is, the ACL is checked only when the community name exists.

To view the current community name, you can run the display snmp-agent community command.
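The following added Python example (not Huawei code) models the check order and the parameter combinations described above: community name first, then the ACL, then the MIB view, then the read/write right. The community names, ACL number, view names and NMS addresses are constructed; the model assumes that an NMS matching no rule of a configured ACL is refused.

```python
"""Model of the SNMPv1/v2c community access check in the order the text describes.
Added example, not Huawei code: community names, ACL numbers, view names and
NMS addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Community:
    name: str
    write: bool = False            # 'write' parameter given; otherwise read-only ('read')
    mib_view: str = "ViewDefault"  # 'mib-view view-name'; ViewDefault when omitted
    acl: Optional[int] = None      # 'acl acl-number'; None lets every NMS use this name

@dataclass
class Agent:
    communities: dict[str, Community]
    # basic ACL number -> ordered (action, source network) rules, first match wins
    acls: dict[int, list[tuple[str, str]]]
    # MIB view name -> OID subtrees it includes
    views: dict[str, list[str]] = field(default_factory=lambda: {"ViewDefault": ["1.3.6.1"]})
    log: list[str] = field(default_factory=list)

    def _acl_permits(self, acl_number: int, nms_ip: str) -> bool:
        ip = ipaddress.ip_address(nms_ip)
        for action, net in self.acls.get(acl_number, []):
            if ip in ipaddress.ip_network(net):
                return action == "permit"
        return False  # assumption: no matching rule means the NMS is refused

    def _in_view(self, view: str, oid: str) -> bool:
        subtrees = self.views.get(view, [])
        return any(oid == s or oid.startswith(s + ".") for s in subtrees)

    def check(self, community: str, nms_ip: str, oid: str, op: str) -> str:
        """Return 'ok' or the first reason the request is refused: community, ACL, view, write."""
        c = self.communities.get(community)
        if c is None:
            # community name is checked first; the ACL is not consulted for an unknown name
            self.log.append(f"community name error from {nms_ip}")
            return "community-error"
        if c.acl is not None and not self._acl_permits(c.acl, nms_ip):
            return "acl-denied"
        if not self._in_view(c.mib_view, oid):
            return "outside-view"
        if op == "set" and not c.write:
            return "read-only"
        return "ok"

# Constructed agent: a read-only name on the default view usable from any NMS, and a
# read-write name restricted to the system group and to one management subnet
AGENT = Agent(
    communities={
        "ro-monitor": Community("ro-monitor"),
        "rw-ops": Community("rw-ops", write=True, mib_view="sys-view", acl=2001),
    },
    acls={2001: [("permit", "192.168.10.0/24"), ("deny", "0.0.0.0/0")]},
    views={"ViewDefault": ["1.3.6.1"], "sys-view": ["1.3.6.1.2.1.1"]},
)
SYS_NAME, IF_IN_OCTETS = "1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.10.1"
```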

FAQs

A Device Fails to Be Logged In Through the Web System

Fault Description

Login to the device through the web system fails.

Possible Causes

  • No physical cables are routed between the PC and router.

  • The IP address is incorrectly configured.

  • The HTTPS service is disabled.

  • The web user account is not configured or the web user configurations are incorrect.

  • The access type of the web user is incorrect.

  • The number of online web users reaches the upper limit.

  • Access control is configured for web users on the device.

Troubleshooting Procedure

  1. Check whether the device and client can ping each other.

    Access the Windows Command Prompt and run the ping command to check whether the PC and device are reachable to each other. If the system displays "Request time out", the target device is unreachable.

    Check whether the physical interface that receives ping packets is blocked. If the physical interface is not blocked, check whether the correct gateway address is configured on the device, and whether the device and PC are on the same network segment. If they are on different network segments, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device in the target network segment.

  2. Check whether the login address is correct.

    Check the IP address (and port, if one is specified) in the https://IP address URL entered in the address bar of the browser. If the IP address is incorrect, enter the correct one to log in to the web system.

  3. Check whether the HTTPS service is enabled.

    Run the display this command in the system view to check whether the http secure-server enable configuration exists. If not, the HTTPS service is disabled. Run the http secure-server enable command in the system view to enable the HTTPS service.

  4. Check whether the number of online web users reaches the upper limit.

    Run the display http server command in any view to check the maximum number of access users allowed by the web system. Run the display http user command in any view to check the number of online web users. If the number of online web users reaches the maximum number of access users allowed by the web system, you can log in to the device only after other users go offline.

  5. Check whether the IP address is correctly configured.

    Run the display this command in the interface view to check whether the configured IP address is correct. If not, run the ip address ip-address { mask | mask-length } command in the interface view to reconfigure the management IP address of the device.

  6. Check whether the web user is correctly configured.

    Run the display this command in the AAA view to check whether the web user is correctly configured.
    • If the local-user user-name password irreversible-cipher password configuration exists, an AAA user named user-name is configured.

    • If the local-user user-name privilege level level configuration exists, the level of the user user-name is level.

    • If the local-user user-name service-type http configuration exists, the service type of the user user-name is HTTP.

    If any of the preceding configurations does not exist, run the following commands in the AAA view:
    • Run the local-user user-name password irreversible-cipher password command to configure the web user name and password.

    • Run the local-user user-name privilege level level command to set the web user level.

    • Run the local-user user-name service-type http command to set the web user's service type to HTTP.

  7. Check whether access control on web users is configured on the device.

    Run the display this command in the system view to check whether the http acl acl-number configuration exists. If so, record the value of acl-number.

    Run the display acl acl-number command in any view to check whether the web user's client IP address is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule, and run the corresponding command to modify the ACL so that the web user's client IP address is allowed.

  8. If the fault persists, collect error information and contact technical support personnel.

What Is the Default Login Password?

  • Logging in through the console port or Telnet

    Table 1-4 Default passwords for console port or Telnet login in different versions

    | Version                    | Product Model | Default User Name | Default Password      | Default Level |
    |----------------------------|---------------|-------------------|-----------------------|---------------|
    | V200R003                   | ALL           | admin             | admin                 | 15            |
    | V200R005C00-V200R005C20    | ALL           | admin             | Admin@huawei or admin | 15            |
    | V200R005C30-V300R003C10    | ALL           | admin             | Admin@huawei          | 15            |
    | V300R019C00-latest version | ALL           | admin             | admin@huawei.com      | 15            |

  • Web login

    Table 1-5 Default passwords for web login in different versions

    | Version                    | Product Model | Default User Name | Default Password      | Default Level |
    |----------------------------|---------------|-------------------|-----------------------|---------------|
    | V200R003                   | ALL           | admin             | admin                 | 15            |
    | V200R005C00-V200R005C20    | ALL           | admin             | Admin@huawei or admin | 15            |
    | V200R005C30-V300R003C10    | ALL           | admin             | Admin@huawei          | 15            |
    | V300R019C00-latest version | ALL           | admin             | admin@huawei.com      | 15            |

  • BootROM menu login

    Table 1-6 Default passwords for BootROM menu login in different versions

    | Version                    | Product Model | Default User Name | Default Password | Default Level |
    |----------------------------|---------------|-------------------|------------------|---------------|
    | V200R003                   | ALL           | None              | huawei           | None          |
    | V200R005C00-latest version | ALL           | None              | Admin@huawei     | None          |

What If I Forget the Password?

What Should I Do If I Forget the Web System Login Password?

If you forget or want to change the web system login password, log in to the device through the console port, Telnet, or STelnet and set a new password after login.

NOTE:

Telnet has security vulnerabilities. You are advised to log in to the device using STelnet V2.

# Set the password to Huawei@123 for the user admin123. The configuration is as follows:

<Huawei> system-view 
[Huawei] aaa 
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123 
[Huawei-aaa] local-user admin123 service-type http 
[Huawei-aaa] local-user admin123 privilege level 15 
[Huawei-aaa] return 
<Huawei> save

What If I Forget the Password for Console Port Login?

When you forget the password for logging in through the console port, use either of the following two methods to set a new password.

  • Logging In to the Device Through STelnet/Telnet to Set a New Password
    NOTE:

    It is recommended that you use STelnet V2 to log in to the device.

    Ensure that you have an STelnet/Telnet account and administrator rights. The following uses the command lines and outputs of logging in to the device using STelnet as an example. After logging in to the device through STelnet, perform the following operations.

    # Take password authentication as an example. Set the password to Huawei@123.

    <Huawei> system-view 
    [Huawei] user-interface console 0 
    [Huawei-ui-console0] authentication-mode password 
    [Huawei-ui-console0] set authentication password cipher 
    Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode. Enter Password(<8-128>): 
    Confirm password:  
    [Huawei-ui-console0] return 
    <Huawei> save

    # Take AAA authentication as an example. Set the user name and password to admin123 and Huawei@123, respectively.

    <Huawei> system-view 
    [Huawei] user-interface console 0 
    [Huawei-ui-console0] authentication-mode aaa 
    [Huawei-ui-console0] quit 
    [Huawei] aaa 
    [Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123 
    [Huawei-aaa] local-user admin123 privilege level 15 
    [Huawei-aaa] local-user admin123 service-type terminal 
    [Huawei-aaa] return 
    <Huawei> save
  • Clearing the Lost Password Using the BootROM Menu

You can use the BootROM menu of the device to clear the lost password for console port login. After starting the device, set a new password and save your configuration. Perform the following steps.

  1. Connect the terminal to the console port of the device and restart the device. When the following message is displayed, press Ctrl+B and enter the BootROM password to enter the BootROM menu.

    Press Ctrl+B to break auto startup ...  1   
    Enter Password:       //Enter the BootROM password.
  2. In the BootROM menu, select Password Manager and then Clear the console login password.

  3. Then select the Return and Default Startup options in turn to restart the device.

  4. After the system starts, you can log in through the console port without password authentication. After logging in to the system, set an authentication mode and password for the console user interface as required.

What If I Forget the Password for Telnet Login?

If you forget the Telnet login password, log in to the device through the console port and set a new password for Telnet login.

# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.

<Huawei> system-view 
[Huawei] user-interface vty 0 
[Huawei-ui-vty0] authentication-mode password 
[Huawei-ui-vty0] set authentication password cipher 
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode. Enter Password(<8-128>): 
Confirm password:  
[Huawei-ui-vty0] user privilege level 15 
[Huawei-ui-vty0] return 
<Huawei> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view 
[Huawei] user-interface vty 0 
[Huawei-ui-vty0] protocol inbound telnet 
[Huawei-ui-vty0] authentication-mode aaa 
[Huawei-ui-vty0] quit 
[Huawei] aaa 
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123 
[Huawei-aaa] local-user admin123 service-type telnet 
[Huawei-aaa] local-user admin123 privilege level 15 
[Huawei-aaa] return
<Huawei> save

What If I Forget the Password for STelnet Login?

Procedure

If you forget the STelnet login password, log in to the device through the console port and set a new password for STelnet login.

# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.

<Huawei> system-view 
[Huawei] user-interface vty 0 
[Huawei-ui-vty0] authentication-mode password 
[Huawei-ui-vty0] set authentication password cipher 
Warning: The "password" authentication mode is not secure, and it is strongly recommended to use "aaa" authentication mode. Enter Password(<8-128>): 
Confirm password:  
[Huawei-ui-vty0] user privilege level 15 
[Huawei-ui-vty0] return 
<Huawei> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view 
[Huawei] user-interface vty 0 
[Huawei-ui-vty0] protocol inbound ssh // Accept STelnet (SSH) rather than Telnet on this VTY. 
[Huawei-ui-vty0] authentication-mode aaa 
[Huawei-ui-vty0] quit 
[Huawei] aaa 
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123 
[Huawei-aaa] local-user admin123 service-type ssh // The service type for STelnet login is ssh. 
[Huawei-aaa] local-user admin123 privilege level 15 
[Huawei-aaa] quit 
[Huawei] ssh user admin123 authentication-type password // Bind the SSH user to password authentication. 
[Huawei] ssh user admin123 service-type stelnet 
[Huawei] return 
<Huawei> save

How Do I Change the Working Mode of an Interface from Layer 2 Mode to Layer 3 Mode?

Procedure

<Huawei> system-view 
[Huawei] interface GigabitEthernet 0/0/0 
[Huawei-GigabitEthernet0/0/0] undo portswitch

More Information

  • By default, Layer 2 interfaces on a router work in Layer 2 mode. After switching the working mode of an interface from Layer 2 mode to Layer 3 mode, you can run the portswitch command to switch the working mode of the interface back to Layer 2 mode.

  • When the working mode of an interface is switched between Layer 2 and Layer 3 modes repeatedly, the interval between two switches cannot be less than 30s.

  • In versions earlier than V200R009, interfaces on Layer 2 cards cannot be switched to Layer 3 interfaces. The working modes of all interfaces on the 24GE Ethernet LAN cards of V200R009 and later versions can be switched from Layer 2 mode to Layer 3 mode. After the reserved VLAN ID of the 9ES2 Ethernet LAN card (excluding the 9ES2 Ethernet LAN cards installed on the AR1200 series and AR2204E routers and AR1200-S series routers) is delivered using the set reserved-vlan command, the working modes of all interfaces on the card can be switched from Layer 2 mode to Layer 3 mode.

  • In versions earlier than V200R009, the working mode of Layer 3 interfaces cannot be switched to Layer 2 mode.

    For the AR2220E running V200R009C00SPC302, AR2240 series, and AR3200 series routers (excluding the AR2240C), the working modes of all Layer 3 Ethernet interfaces on the SRU, 4GECS WAN card, and 2 x 10GL WAN interface card can be switched from Layer 3 mode to Layer 2 mode using the portswitch command. After the working modes of the Layer 3 Ethernet interfaces are switched from Layer 3 mode to Layer 2 mode, the interfaces support only VXLAN services.

  • FE and GE interfaces can be Layer 2 interfaces. You can configure an IP address for a Layer 2 interface only after the working mode of the interface is switched to Layer 3 mode.

    Table 1-7 Routers and interfaces supporting switching from Layer 2 mode to Layer 3 mode

    | Device Model                                                                         | Interface             |
    |--------------------------------------------------------------------------------------|-----------------------|
    | AR120 series (excluding the AR129CGVW-L) and AR150 series                            | Eth0/0/0 to Eth0/0/3  |
    | AR120-S series running versions earlier than R7, AR151-S, AR151W-P-S, and AR151G-U-S | Eth0/0/0 to Eth0/0/3  |
    | AR100 series, AR160 series, and AR129CGVW-L                                          | GE0/0/0 to GE0/0/3    |
    | AR151-S2, AR100-S series, AR110-S series, AR120-S series, and AR160-S series         | GE0/0/0 to GE0/0/3    |
    | AR200 series, AR1220, AR1220V, AR1220W, AR1220VW, and AR1220F                        | Eth0/0/0 to Eth0/0/7  |
    | AR200-S series, AR1220-S, AR1220W-S, and AR1220F-S series                            | Eth0/0/0 to Eth0/0/7  |
    | AR1220C, AR1220E, AR1220EV, and AR1220EVW                                            | GE0/0/0 to GE0/0/7    |
    | AR1220E-S                                                                            | GE0/0/0 to GE0/0/7    |
    | AR2201-48FE and AR2202-48FE                                                          | Eth0/0/0 to Eth0/0/47 |
    | AR2201-48FE-S                                                                        | Eth0/0/0 to Eth0/0/47 |
    | AR2204-51GE-P, AR2204-51GE-R, and AR2204-51GE                                        | GE0/0/3 to GE0/0/50   |
    | AR2204-27GE-P and AR2204-27GE                                                        | GE0/0/3 to GE0/0/26   |
    | AR2204-27GE-S                                                                        | GE0/0/3 to GE0/0/26   |

    Table 1-8 Routers and interfaces supporting switching from Layer 2 mode to Layer 3 mode

    | Device Model                                                                                           | Interface                                                   |
    |--------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
    | AR550C-4GE, AR503EW, AR503EDGW-Lc, AR509CG-Lt, AR509CG-Lc, AR509G-Lc, AR515GW-LM9-D, and AR509G-L-D-H | GE0/0/0 to GE0/0/3                                          |
    | AR502EG-L, AR502CG-L, and AR502EGW-L                                                                   | GE0/0/0 and GE0/0/1                                         |
    | AR531-2C-H and AR531-F2C-H                                                                             | Eth0/0/0, Eth0/0/6, Eth0/0/7, GE0/0/0, and GE0/0/1 (see note) |
    | AR531GPe-U-H and AR531G-U-D-H                                                                          | Eth0/0/0, GE0/0/0, and GE0/0/1                              |
    | AR550C-2C6GE                                                                                           | GE0/0/0 to GE0/0/5                                          |

    NOTE:

    For the AR531-2C-H and AR531-F2C-H, the routing service value-added package for the AR530 series must be loaded.

Why Does an IP address in an Address Pool Fail to Be Statically Bound

When configuring static binding, verify the status of the IP address to be statically bound.

You can run the display ip pool name ip-pool-name ip-address command to check the IP address status in a global address pool, and run the display ip pool interface interface-name ip-address command to check the IP address status in an interface address pool.

When the interface address pool is queried, no space can exist between the interface type and interface ID, for example, vlanif10 (with no space between vlanif and 10).

When configuring static binding for IP addresses in different statuses, note the following points:

  1. An IP address in idle or expired status can be statically bound.

  2. To statically bind an IP address in conflict status, run the reset ip pool command in the user view to reclaim the IP address first.

  3. For an IP address in used status:

    • In versions earlier than V200R010C00, run the reset ip pool command in the user view to reclaim the IP address before static binding.

    • In V200R010C00 and later versions, static binding can be directly configured for IP addresses in used status. However, during static binding configuration, you must ensure that the MAC address to be bound is the same as that of the user who actually uses the IP address.

  4. Before configuring static binding for IP addresses in Disable status, namely, IP addresses that have been excluded using the excluded-ip-address command in the global address pool or the dhcp server excluded-ip-address command in the interface view, you need to cancel IP address exclusion using the undo excluded-ip-address command in the global address pool or the undo dhcp server excluded-ip-address command in the interface view.

  5. If a statically bound user is online when static binding is canceled, namely, the IP address is in Static-bind used status:

    • In versions earlier than V200R010C00, run the reset ip pool command in the user view to reclaim the IP address before canceling the static binding. After this command is run, the IP address is in idle status.

    • In V200R010C00 and later versions, you can directly cancel the static binding, after which the IP address enters the used status.

If the client cannot detect that the reset ip pool command has been run on the DHCP server, the client continues using the IP address.

What Are the Causes for L2TP VPN Establishment Failure?

Possible Causes

  • There is no reachable route between the two ends. For example, this may occur when multiple default routes are configured.
  • The tunnel authentication mode is incorrect.
  • The gateway address is not configured in the IP address pool. As a result, the gateway address is allocated to a client.
  • The SA statistics function is enabled on the LNS interface connecting to L2TP users, preventing the interface from forwarding packets.

Troubleshooting Procedure

  1. Run the ping or tracert command to check whether routes are reachable.

  2. Run the display current-configuration command to check whether the configurations of the L2TP group and VT interface are correct.

    <LAC> display current-configuration | begin l2tp-group 
    l2tp-group 1  
     start l2tp ip 202.1.1.1 fullusername huawei    
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#   //The tunnel password must be the same as that configured on the LNS. 
     tunnel name LAC
    <LNS> display current-configuration | begin l2tp-group 
    l2tp-group 1  
     allow l2tp virtual-template 1 remote LAC   //The LAC specifies the remote tunnel name whose connection request is accepted by the local end. It must be the same as the tunnel name on the LAC. 
     tunnel password cipher %^%#B^5:IPR>B$z[&KF_EKB(>:T">;z`ZJY+X.&_5jlH%^%#   //The tunnel password must be the same as that configured on the LAC. 
     tunnel name LNS
    <LAC> display current-configuration interface virtual-template 
    interface Virtual-Template1   //Specifies information displayed on the VT interface that dials up upon receiving a call request. 
     ppp authentication-mode chap   //The authentication mode must be the same as that configured on the LNS. 
    #  
    interface Virtual-Template2   //Specifies information displayed on the VT interface that automatically dials up to initiate a connection request. 
     ppp chap user huawei   //The virtual PPP user name must be the same as the PPP user name configured on the LNS. 
     ppp chap password cipher %^%#1HIL-jW9hLZlF'8@8+*"-UwS04'e`'+9\0*=#3Z-%^%#   //The password of the virtual PPP user must be the same as the PPP password configured on the LNS. 
     ip address ppp-negotiate  
     l2tp-auto-client enable
    <LNS> display current-configuration interface virtual-template 
    interface Virtual-Template1   //Specifies information displayed on the VT interface that dials up upon receiving a call request and the VT interface that automatically dials up to initiate a connection request. 
     ppp authentication-mode chap   //The authentication mode must be the same as that configured on the LAC. 
     remote address pool lns  
     ip address 12.1.1.1 255.255.255.0

    In the Client-LNS scenario, use l2tp-group 1, so the remote tunnel name does not need to be specified. Clients running Windows 7 do not support tunnel authentication. Configure undo tunnel authentication on the LNS to disable tunnel authentication.

    In the Client-LAC-LNS scenario, ensure that the remote tunnel name, tunnel authentication mode, and PPP authentication parameters on the LAC are the same as those configured on the LNS.

  3. Run the display ip pool command to view information about the configured address pool and IP addresses in it, including the address pool name, lease, lock status, and status of IP addresses.

    If the gateway address has been allocated to a client because it is not configured in the IP address pool, run the gateway-list command to configure the gateway address, and allocate it to the remote user.

  4. Run the undo sa application-statistic enable command to disable the SA statistics function on the interface.

    After the SA statistics function is enabled on an interface, you can view the statistics on packets of different SA application protocols. However, the SA statistics function affects packet forwarding; therefore, you need to disable the SA statistics function.

Additional Information

Packet fragmentation consumes considerable CPU resources, resulting in degraded quality of services. To ensure high quality of services, consider the following when configuring L2TP:

  • MTU

    MTU (maximum transmission unit) determines the maximum number of bytes that can be transmitted on a link at a time. The MTU value varies according to the interface type. For example, the default MTU for Ethernet interfaces is 1500 bytes. The MTU of a link depends on the interface with the smaller MTU. If the size of packets to be sent by an interface exceeds the MTU of the interface, the device fragments encrypted packets before transmitting them. After receiving all the fragments of an IP packet, the interface reassembles the fragments before decrypting the packet. Fragmentation and reassembly consume CPU resources.

  • TCP MSS

    TCP MSS specifies the maximum segment size of TCP packets. If the total packet length (TCP MSS plus all the header lengths) is greater than the link MTU, data packets are fragmented for transmission. Fragmentation and encryption/decryption of packets consume CPU resources of devices on the transmission link. High CPU resource consumption may cause packet loss.

    Some upper-layer applications, such as HTTP at the application layer, set the Don't Fragment (DF) field in the IP packet header to 1, so that their TCP packets cannot be fragmented. If the DF field is set to 1 and the interface MTU is less than the MSS, the device discards the TCP packets because it cannot fragment them.

What Are the Reasons for L2TP VPN Service Interruptions?

Possible Causes

  • The route is unreachable.
  • The MTU is incorrectly set on the virtual interface.
  • The TCP MSS is incorrectly set on the virtual interface. Ensure that the total packet length (TCP MSS plus all the header lengths) is no greater than the MTU value. Otherwise, packets may not be transmitted correctly.

Troubleshooting Procedure

  1. Run the ping or tracert command to check whether the route is reachable.
  2. Run the ping -s packetsize -a source-ip-address host command to check whether packets are fragmented.

    Run the ping command with packets of different sizes and determine whether packet loss occurs or the ping fails. Find the threshold: if the packet size exceeds it, packets may be lost or the ping may fail.

    Run the mtu mtu command in the interface view to set the MTU to a value less than the threshold.

    If the access speed of some TCP services remains low or if some TCP services are interrupted intermittently after a new MTU value is configured, run the tcp adjust-mss value command in the interface view to change the MSS value of TCP packets.

Additional Information

Packet fragmentation consumes considerable CPU resources, resulting in degraded quality of services. To ensure high quality of services, consider the following when configuring L2TP:

  • MTU

    Maximum transmission unit (MTU) determines the maximum number of bytes that can be transmitted on a link at a time. The MTU value varies according to the interface type. For example, the default MTU for Ethernet interfaces is 1500 bytes. The MTU of a link depends on the interface with the smallest MTU. If the size of packets to be sent by an interface exceeds the MTU of the interface, the device fragments encrypted packets before transmitting them. After an interface receives all the fragments of an IP packet, the interface reassembles the fragments before decrypting the packet. Fragmentation and reassembly consume CPU resources.

  • TCP MSS

    TCP MSS specifies the maximum segment size of TCP packets. If the total packet length (TCP MSS plus all the header lengths) is greater than the link MTU, data packets are fragmented for transmission. Both fragmentation and encryption/decryption of packets consume CPU resources of devices on the transmission link. High CPU resource consumption may cause packet loss.

    Some upper-layer applications, such as HTTP at the application layer, set the Don't Fragment (DF) field in the IP packet header to 1, so that their TCP packets cannot be fragmented. If the DF field is set to 1 and the interface MTU is less than the MSS, the device discards the TCP packets because it cannot fragment them.
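The size arithmetic behind the two L2TP troubleshooting sections above (the MTU/TCP MSS notes and the ping-based threshold search) as an added Python example, not Huawei code. The header sizes are assumptions: IPv4 20, TCP 20, UDP 8, L2TPv2 data header 8, PPP 4 bytes, and ESP in transport mode with a 16-byte IV, 16-byte cipher block and 16-byte ICV; the ping stand-in and its 1400-byte path MTU are constructed.

```python
"""Size arithmetic for L2TP (over IPsec) traffic: does a TCP segment fit the link MTU?
Added example, not Huawei code. Header sizes are assumptions; adjust the constants
for the encapsulation and IPsec algorithms actually in use."""
from typing import Callable

IPV4_HDR, TCP_HDR, UDP_HDR, L2TP_HDR, PPP_HDR = 20, 20, 8, 8, 4
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_TRAILER, ESP_ICV = 8, 16, 16, 2, 16
ICMP_PING_OVERHEAD = IPV4_HDR + 8   # IP header + ICMP echo header around the ping payload

def l2tp_wire_size(mss: int, ipsec: bool = True) -> int:
    """Bytes on the wire for one full-size TCP segment carried in an L2TP tunnel."""
    inner = IPV4_HDR + TCP_HDR + mss                        # the user's IP packet
    l2tp_payload = UDP_HDR + L2TP_HDR + PPP_HDR + inner     # everything after the outer IP header
    if not ipsec:
        return IPV4_HDR + l2tp_payload
    # ESP transport mode encrypts the L2TP payload; pad so payload + trailer fills whole blocks
    pad = (-(l2tp_payload + ESP_TRAILER)) % ESP_BLOCK
    return IPV4_HDR + ESP_HDR + ESP_IV + l2tp_payload + pad + ESP_TRAILER + ESP_ICV

def classify(mss: int, link_mtu: int, df: bool, ipsec: bool = True) -> str:
    """'forward' if the packet fits; otherwise 'fragment', or 'drop' when DF=1 forbids fragmenting."""
    if l2tp_wire_size(mss, ipsec) <= link_mtu:
        return "forward"
    return "drop" if df else "fragment"

def max_mss(link_mtu: int, ipsec: bool = True) -> int:
    """Largest MSS whose tunnelled packet still fits link_mtu: a candidate for tcp adjust-mss."""
    for mss in range(link_mtu, 0, -1):   # padding makes the size non-linear, so just scan
        if l2tp_wire_size(mss, ipsec) <= link_mtu:
            return mss
    raise ValueError("link MTU too small for any payload")

def find_threshold(probe: Callable[[int], bool], lo: int = 0, hi: int = 65500) -> int:
    """Largest ping payload size that probe() still accepts (the text's 'threshold').
    Binary search, assuming that once a size fails every larger size fails too, as it
    does for a fixed path MTU. Returns lo-1 if nothing passes."""
    best = lo - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def simulated_ping(size: int, path_mtu: int = 1400) -> bool:
    """Constructed stand-in for 'ping -s size': succeeds while the IP packet fits the path MTU."""
    return size + ICMP_PING_OVERHEAD <= path_mtu

if __name__ == "__main__":
    print(classify(1460, 1500, df=True, ipsec=False))    # 1540 bytes with DF set: drop
    print(classify(1460, 1500, df=False, ipsec=False))   # fragment
    print(max_mss(1500, ipsec=False), max_mss(1500, ipsec=True))   # 1420 1378
    t = find_threshold(simulated_ping)
    # largest passing payload and the IP packet size it implies (the path MTU to stay below)
    print(t, t + ICMP_PING_OVERHEAD)                      # 1372 1400
```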

How Many APs Can an AR Router Manage

An AR router serving as an AC can connect to Fit APs to provide WLAN access for users. The number of APs connected to an AR router depends on the AR router model and whether an AC license is loaded. The following describes the number of APs supported by an AR router in two aspects:

  • Table 1 lists the number of APs supported when no AC license is loaded on the AR router.

    Table 1-9 Number of APs supported by an AR router

    | AR Model Version                                       | Number of APs |
    |--------------------------------------------------------|---------------|
    | V200R005C32 and earlier versions                       | 0             |
    | V200R005C32 to versions earlier than V200R007C00SPC900 | 2             |
    | V200R007C00SPC900 and later versions                   | 4             |

    NOTE (V200R005C32 and earlier versions):

    By default, the WLAN AC function is unavailable on an AR router, so APs cannot be connected to the AR router. To use the WLAN AC function, apply for and purchase a license from the agent based on the AR model.

    NOTE:

    When serving as an AC, the AR120 and AR500 series allow for access of a maximum of sixteen APs without licenses.

    The AR530 series do not support WLAN AC function.

    The following lists the maximum number of access APs supported on the AR110-S&AR120-S series, AR150-S&AR160-S&AR200-S series, AR1200-S series, AR101-S, AR111EC-S, AR101W-S and AR101GW-Lc-S serving as an AC:
    • AR110-S&AR120-S series, AR101-S, AR111EC-S, AR101W-S and AR101GW-Lc-S: 4

    • AR150-S&AR160-S&AR200-S series: 8

    • AR1200-S series: 12

  • Table 2 lists the number of APs supported when an AC license is loaded on the AR router.

    Table 1-10 Number of APs supported by an AR router

    | AR Series                                                                                                                                | Number of APs                      |
    |------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
    | AR150&AR160&AR200 series                                                                                                                 | 8 (recommended) and 16 (maximum)   |
    | AR1220, AR1220-D, AR1220V, AR1220L, AR1220W, and AR1220VW                                                                                | 12 (recommended) and 12 (maximum)  |
    | AR1220E series, AR1220F, AR1220F-S, AR1220C, AR1220-8GE, AR2200 series (excluding AR2204XE, AR2220 series, and AR2240), AR2204-S, AR2201-48FE-S, AR1220C-S | 12 (recommended) and 32 (maximum)  |
    | AR2220 series, AR2220E-S, AR2220-S                                                                                                       | 16 (recommended) and 64 (maximum)  |
    | AR2240C, AR2240 (SRU40, SRU60), AR3260 (SRU40, SRU60), AR2240C-S, AR2240-S (SRU40), AR3260-S (SRU40)                                     | 16 (recommended) and 128 (maximum) |
    | AR2204XE, AR2240 (SRU80, SRU100, SRU100E), AR3260 (SRU80, SRU100, SRU100E), AR3260E-S (SRU100E)                                          | 32 (recommended) and 256 (maximum) |
    | AR2240 (SRU200, SRU200E), AR3260 (SRU200, SRU200E)                                                                                       | 64 (recommended) and 256 (maximum) |
    | AR2240 (SRU400), AR3260 (SRU400)                                                                                                         | 128 (recommended) and 512 (maximum) |

Updated: 2019-08-08

Document ID: EDOC1100082076
