No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
CloudCampus Solution V100R019C10 Deployment Guide for Large- and Medium-Sized Campus Networks (Virtualization Scenario)
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Virtual Network Management

Virtual Network Management

Configuring IPsec VPN

Context

An IPsec tunnel can be established between a firewall or router and its peer device to encrypt and transmit key data, preventing malicious data interception and theft during data transmission.

To improve data transmission security, multiple IPsec tunnels can be established based on ACLs between a firewall and its peer device to direct data flows to be protected to these tunnels. A security protocol is used to encrypt and verify network packets in the IPsec tunnels to ensure secure transmission of key service data over the Internet, reducing the risks of information leakage.

  • Hub-spoke: point-to-multipoint mode, applicable when an enterprise has a headquarters and multiple branches. In this mode, the site where the central access control device resides is called the hub site and other user sites are called spoke sites.
  • Mesh: point-to-point mode, applicable to interconnection between two branches.

AR devices running versions earlier than V300R003C10 do not support IPsec VPN configuration through iMaster NCE-Campus.

In the hub-spoke scenario, a firewall running V500R005C00 or a later version supports IPsec intelligent traffic steering. After this function is enabled, the firewall uses the first configured link to establish an IPsec tunnel and continuously sends ICMP packets to detect the communication delay and packet loss rate in the IPsec tunnel. If one or both of the two indicators are higher than the specified thresholds, the firewall switches traffic to another link to establish an IPsec tunnel and detects the communication delay and packet loss rate in the IPsec tunnel until the indicator values fall below the thresholds or the number of switchovers reaches the upper limit (3 by default). After intelligent traffic steering is enabled, selection of hub and spoke devices must comply with the following rules.

Device Role

Constraint

Hub
  1. Currently, only a firewall can function as a hub device.
  2. A device that has been used as a spoke device cannot be used as a hub device.
  3. When intelligent traffic steering is disabled, only one hub device is supported. The hub device in a VPN cannot function as the hub device of other VPNs.
  4. When intelligent traffic steering is enabled, a maximum of 10 hub devices are supported.
  5. The number of subnets must be in the range of 1 to 16.

Spoke
  1. A device that has been used as a hub device cannot be used as a spoke device.
  2. A spoke device must be deployed at most three VPNs.
  3. If mutual access between devices is allowed, one VPN supports a maximum of 32 devices; otherwise, one VPN supports up to 5,000 devices.
  4. Spoke subnets cannot overlap.
  5. The last spoke node in a VPN cannot be deleted.
  6. The number of subnets must be in the range of 1 to 16.

Prerequisites

The following information has been configured on all devices involved in IPsec communication, including hub and spoke devices or mesh devices.

Device Type

Prerequisite

Cloud firewall

Subnet information has been configured. For details, see section Configuring a Network.

Cloud router

Subnet information has been configured. For details, see section Configuring a Network.

Third-party device

The following IPsec VPN information has been configured (see third-party device documentation for the detailed configuration methods):

  • Subnet information: Data packets for communication between the current device and other devices enter and leave the IPsec tunnels via the subnets specified here.
  • Security proposal: Both ends of an IPsec tunnel use the same security protocol, same authentication encryption algorithm, and same data encapsulation mode, and together determine the IPsec protection method.
  • IPsec policy: An IPsec policy specifies the protection method for certain data flows.

Procedure

  1. Choose Provision > Virtual Network > Inter-site VPN.
  2. Click Create, select the topology mode, and set VPN parameters.

    When IPSec intelligent traffic steering is enabled and the outbound interface of the firewall uses a static IP address, the gateway address must be configured on the outbound interface of the firewall.

  3. Configure security policies between all devices involved in IPsec communication and other devices, specifying the data flows that need to be encrypted for transmission between the devices.

    • In hub-spoke mode, configure security policies between hub and spoke devices to specify the data flows to be permitted.
    • In mesh mode, configure security policies between every two devices to specify the data flows to be permitted.

    For example, under Control condition, add the subnets of the hub and spoke devices to Source address and Destination address respectively; under Security policy, set Action to Permit. For details, see Configuring a Traffic Policy.

    If the configuration fails, find a troubleshooting method according to the maintenance guide of related devices.

Parameter Description

Table 5-378 Key parameters in hub-spoke topology mode

Parameter

Description

IPSec intelligent path selection

Whether to enable intelligent traffic steering. By default, this function is disabled. After you enable this function, iMaster NCE-Campus measures the link quality and switches traffic over links based on the link quality. Only the firewall supports this function.

NOTE:

After intelligent traffic steering is enabled, you can add hub nodes only based on IP addresses. In this case, you also need to configure IPsec VPN and related services on the hub nodes through other methods, such as running commands.

Route Injection

Whether to enable route injection. After this function is enabled, spoke or mesh nodes automatically generate routes based on interworking subnets. In V300R003C10 and later versions, this function is supported for routers.

Interval for sending probe packets (s)

Interval for sending probe packets. This parameter is valid only when IPSec intelligent path selection is enabled.

Packets sent in a probe interval

Total number of probe packets sent within a probe period. This parameter is valid only when IPSec intelligent path selection is enabled.

If the number of probe packets to be sent is set to 20, a firewall calculates the packet loss rate and delay and compares the values with the thresholds each time after it sends 20 probe packets. If the packet loss rate or delay exceeds the threshold, a link switchover is triggered.

Packet loss threshold (%)

Latency threshold (ms)

Customize detection address

Whether to customize a detection address. After this function is enabled, you can customize a detection address on a hub node. This parameter is valid only when IPSec intelligent path selection is enabled.

Link switching mode

Mode of intelligent traffic steering. This parameter is valid only when IPSec intelligent path selection is enabled. The options are as follows:

  • High priority. Traffic is preferentially switched to the link with the highest priority. In this case, you need to set Handover delay time. When a link is switched back, the highest priority is used by default.
  • Cycle by priority. Traffic is switched over links cyclically based on link priorities. In this case, you need to set a maximum number of cycles. After the number of cyclic link switchovers reaches the upper threshold, link detection and cyclic link switchover are stopped for 10 minutes.

Hub

Hub node

Type of the device functioning as a hub node. If the IPsec VPN initiator (at headquarters) is a firewall, set this parameter to Cloud managed device. Otherwise, select Third-party device.

IP

IP address of the interface on the hub node for communication with spoke nodes when Hub node is set to Third-party device.

Device

Device functioning as a hub node. Click to select a cloud firewall as the hub node when Hub node is set to Cloud managed device.

Subnet

Subnet via which data packets for communication between the hub node and other nodes enter and leave IPsec tunnels. Set this parameter to the subnet used for communication between the hub device and IPsec gateway.

NOTE:

When you add a node on this page, set Subnet to the internal subnet to be encrypted by the IPsec tunnel of the node.

Detection address

Destination address of probe packets when a spoke node performs intelligent traffic steering probe.

Spoke

Select devices

Remote end of the IPsec VPN tunnel in a branch.

Click Add to select cloud firewalls or routers as spoke devices. Currently, routers can function as spoke devices only.

NOTE:
  • Multiple outbound interfaces can be configured on a spoke device, whereas only one outbound interface can be configured on a mesh and hub device.
  • You can set Spoke Mutual Access for spoke devices only.

Third-party device to connect

Remote end of an IPsec VPN tunnel in a branch.

When you add a third-party device as a spoke node by clicking Create, you need to set the local IP address used for communication between the current device and the hub device, and specify the subnets via which data packets enter and leave IPsec tunnels.

Security

IPSec policy template

Template of an IPsec policy. To create an IPsec policy template, click +, set IKE Parameters and IPSec Parameters (including the IKE version, IKE encryption and authentication algorithms, and IPsec encryption and authentication algorithms), and click Save. Configure both ends of an IPsec tunnel with the same security parameters.

Key

Key used to establish an IPsec VPN tunnel.
Table 5-379 Key parameters in mesh topology mode

Parameter

Description

Mesh

Select devices

Devices that set up a VPN mesh network. Click Add to specify devices.

Third-party device to connect

Device functioning as a mesh node. When you configure a device as a mesh node by clicking Create, you need to set IP addresses of uplink interfaces on the device, and specify the subnets via which data packets enter and leave IPsec tunnels.

Security

IPSec policy template

Template of an IPsec policy. To create an IPsec policy template, click +, set IKE Parameters and IPSec Parameters (including the IKE version, IKE encryption and authentication algorithms, and IPsec encryption and authentication algorithms), and click Save.

Key

Key used to establish an IPsec VPN tunnel.

Authentication type

Factor used for identity authentication. The options are IP address, ESN or FQDN of the device. Currently, only the firewall supports ESN-based authentication.

When the FQDN mode is used for identity authentication, you need to configure Verification mode and ID.

  • Verification mode
    • Spoke verification by hub: The hub node verifies the identity authentication information of spoke nodes.
    • Hub verification by spoke: A spoke nodes verifies the identity authentication information of the hub node.
    • Bidirectional verification: Two-way authentication verification between nodes. In mesh scenarios, this check mode is supported.
  • ID

    ID used for identity authentication.

Configuring VNs in LAN-WAN Interconnection Scenario

Creating VNs in LAN-WAN Interconnection Scenario

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Procedure

  1. Choose Provision > Virtual Network > Virtual Network from the main menu.
  2. Set the VN name and select the sites to be added to the VN.

  3. Click OK.

Parameters

Table 5-380 VN parameters

Parameter

Description

Name

Name of a VN.

IPsec Encryption

Whether to enable IPsec encryption. After this function is enabled, data packets sent from VNs are encrypted using IPsec. Check IPSec Encryption Parameters on Design > Basic Network Design > Network Settings > Global Configuration

Inter-site VPN

Whether to enable inter-site VPNs. After this function is enabled, you can perform configurations on the WAN side.

NOTE:

This parameter is configurable only when ARs are deployed at sites.

Configuring WAN Services

You can configure the following features only when the tunnel mode is set to EVPN on the Design > Basic Network Design > Network Settings > Tunnel Mode page.

Configuring an Overlay Topology

An inter-site interconnection topology model needs to be configured based on service communication requirements.

Context

Currently, there are four typical topology models for interconnection between sites. In EVPN tunnel mode, all four models are supported.

  • Hub-spoke: applies when mutual access traffic between all branch sites of an enterprise must pass through the headquarters site for centralized security monitoring.
  • Full-mesh: applies when all sites of an enterprise need to directly access each other. This model eliminates the delay of traffic transmission through the headquarters site.
  • Hierarchical topology: applies to large-scale multi-area enterprise networks, on which enterprise sites are connected to each other through a hub area and sites in different areas access each other through this hub area.
  • Partial-mesh: applies when most sites of an enterprise need to directly access each other, while some other sites need to communicate with each other through a third site.

Only edge sites are included in topology planning. An RR is a route reflector and is not included in overlay topology planning.

Prerequisites

The edge site has been associated with an RR. For details, see "Associating an Edge Site with an RR Site" in Network Design.

Procedure
  1. Choose Provision > Virtual Network > Virtual Network from the main menu, and click the name of the created VN.

  2. Click 1 WAN Service, as shown in the following figure.

  3. Click the Inter-Site VPN tab.
  4. Click Predefine Topology.
  5. Set Mode.

    • Simple mode: In this mode, the hub-spoke, full-mesh and partial-mesh topology models can be configured.
      1. Set Topology mode.
        • In the Hub-Spoke topology model, you need to configure a hub site and a branch site.

        • In the Full-Mesh topology model, a branch site must be configured, and you can choose whether to configure a redirect site. You can configure the partial-mesh mode by configuring a redirect site in full-mesh mode.

      2. Click Apply.
    • Advanced mode: In this mode, the hierarchical topology can be configured.
      1. Configure an area topology.
        1. Click Create on the Area Topology tab page.

          • If Mode is set to Simple Mode in initial configuration, the system automatically creates a default area in advanced mode. The topology model and sites in the default area are those configured in simple mode. After the department topology is switched from Simple Mode to Advanced Mode, you can create an area, and configure interconnection between this area and the default area.
          • If Mode is set to Advanced Mode in initial configuration, the topology mode cannot be switched to Simple Mode.
        2. Enter an area name, set the topology model, and configure hub sites, branch sites and redirect sites as required. The operations are similar to those performed in Simple Mode.

        3. (Optional) Enable the area interconnection function and configure the relationship between edge sites and other sites.

      2. Configure Area interconnection, that is, the interconnection mode of edge sites in each area.

        1. Click the Area Interconnection tab.
        2. Set Topology mode.
          • In the hub-spoke topology model, configure a hub site.
          • In the full-mesh topology model, you can choose to whether configure a redirect site.

Parameters
Table 5-381 Parameters on the Topology tab page

Parameter

Description

Predefine Topology

Simple Mode

Simple Mode

Simple mode. This mode applies to small- and medium-sized enterprises that use a single-layer network model.

Topology mode

Topology mode

Topology model. The options are Hub-Spoke and Full-Mesh.

Hub-Spoke: This model is applicable to scenarios where mutual access traffic between all branch sites of an enterprise must pass through the headquarters site for centralized security monitoring.

Full-Mesh: This model is applicable to scenarios where all sites of an enterprise need to directly access each other. It eliminates the delay of traffic transmission through the headquarters site.

Hub Sites

Hub Site

Hub site, which is usually the enterprise headquarters or the data center. This parameter is configurable only when Topology mode is set to Hub-Spoke.

NOTE:

Hub sites, redirect sites, and branch sites can only be selected from edge sites or RR sites.

Active/standby

Active or standby hub site.

  • If only one hub site is deployed, this site needs to be configured as the active site.
  • If two hub sites are deployed, they work in active/standby mode, that is, one is the active site and the other is the standby site.

Redirect sites

Redirect sites

Redirect site that forwards traffic between branch sites when branch sites cannot directly communicate with each other. This parameter is available only when Topology mode is set to Full-Mesh. You need to configure one or two sites to redirect sites in each VPN (department).

Active/standby

Active or standby redirect site.

  • If only one redirect site is deployed, this site needs to be deployed as the active site.
  • If two redirect sites are deployed, they work in active/standby mode, that is, one is the active site and the other is the standby site.

Branch sites

Spoke site, which is required in the hub-spoke and full-mesh topology models. You need to deploy branch sites based on departments.

Advanced Mode

Advanced Mode

Advanced mode. This mode is applicable to large-scale multi-area enterprises that use a hierarchical topology model. In the hierarchical topology model, enterprise sites are deployed in multiple areas and are connected to each other through a hub area. In this case, the sites in different areas access each other through the hub area.

Area Topology

Area Name

Area name.

Topology Mode

Topology model of an area. The hub-spoke and full-mesh topology models are supported.

Hub Sites

Hub site in an area.

Redirect Sites

Redirect site in an area.

Branch Sites

Branch site in an area.

Area Interconnection enable

Whether to enable area interconnection. After area interconnection is enabled, the configured border site will be added to the hub area.

Border Sites

Border Site

Border site, which is an edge site through which sites in an area communicate with sites in other areas. Border sites vary according to the topology model.

  • In the hub-spoke topology model, hub sites are border sites by default.
  • In the full-mesh topology model:
    • A site can be configured to function as an active or a standby border site.
    • A redirect site can function as a border site, or a redirect site and a border site can be independently deployed.

Active/standby

Active or standby border site.

  • If only one border site is deployed, this site needs to be configured as the active site.
  • If two border sites are deployed, they work in active/standby mode or active-active mode. In active/standby mode, one hub site functions as the active site and the other works as the standby site. In active-active mode, both the two hub sites work as active sites.

Sites relationship

This parameter is configurable only when Topology Mode is set to Full Mesh. For each border site, the active or standby role can be switched.

Area Interconnection

Topology mode

Topology model of a hub area. The hub-spoke and full-mesh topology models are supported. The full-mesh topology model is used by default. Sites in a hub area are border sites for all other areas.

Hub Sites

Hub site in the hub area.

Redirect Sites

Redirect site in the hub area.

Configuring a Topology Policy

You can customize topology policies for sites and adjust routing policies between local networks or sites based on actual requirements. A topology policy can be bound to a maximum of 100 sites.

Context
  • A topology policy is used to filter routes and set route attributes for the routes that match the topology policy. A site may be bound to multiple policies with different priorities. One policy can contain multiple rules.
  • Customized topology policies can be configured only in EVPN tunnel mode. If a site is not added to any area and only customized topology policies are configured, the site does not support centralized Internet access and centralized mutual access. In this situation, no predefined topology is configured for the site. For details, see Configuring an Overlay Topology.
Procedure
  1. Choose Provision > Virtual Network > Virtual Network from the main menu, and click the name of the created VN.

  2. Click 1 WAN Service, as shown in the following figure.

  3. Click the Inter-Site VPN tab.
  4. Click Custom Topology Policy.
  5. Click Create to create a topology policy.

    1. Set Policy name to specify the topology policy name.
    2. Set Priority to specify the priority of the topology policy.
    3. Click Create next to Rule to create a rule for the topology policy.
      1. Select the sites to match and click Next.
      2. Set an IP address prefix range and click Next.

      3. Set the action to perform when the topology policy matches, and set Next-hop site list and Modification mode.

    4. Click OK.

Follow-up Procedure
Table 5-382 Follow-up procedure for creating a topology policy

Function

Scenario and Constraint

Procedure

Viewing a topology policy

You can view detailed information about a site.
  1. Choose Provision > Virtual Network > Virtual Network from the main menu.
  2. In the VN area, select the department for which the topology model needs to be configured.
  3. Click Custom Topology Policy. View information about a customized topology policy, such as the policy name and priority.
  4. Click next to a policy to view details about the policy, such as the bound sites and matching rules.

Binding a topology policy to a site

After creating a topology policy, you can bind the policy to a site.
  1. Select a topology policy on the Custom Topology Policy tab page. Click in the Operation column. On the Attach site page that is displayed, select a desired site.
  2. Click OK.

Modifying a topology policy

You can modify a topology policy.
  1. Select a topology policy on the Custom Topology Policy tab page. Click in the Operation column to modify the selected policy.
  2. Click OK.

Deleting a topology policy

You can delete unnecessary topology policies.

Select a topology policy on the Custom Topology Policy tab page. Click in the Operation column to delete the selected policy.
Description
Table 5-383 Parameters on the Custom Topology Policy tab page in EVPN tunnel mode

Parameter

Description

Custom Topology Policy

Policy name

Name of a topology policy.

Priority

Priority of a topology policy. A smaller value indicates a higher priority.

Rule

Rule

Filtering rule of a topology policy.

Match

Match

Matching conditions of a filtering rule in a topology policy.

  • When both IP prefix and Match sites are specified, the relationship between the two conditions is AND. That is, the filtering rule is matched only when the two conditions are met.
  • When only IP prefix or Match sites is specified, if multiple entries are set in a filtering rule, the relationship among the entries is OR. That is, the filtering rule is matched as long as one entry is matched.

IP prefix

IP Address/Mask

IP address or mask used for filtering. A maximum of 100 IP prefixes can be specified.

Greater than or equal to

Minimum length of the IP address prefix or mask specified for filtering.

Less than or equal to

Maximum length of the IP address prefix or mask specified for filtering.

Match sites

Sites specified for filtering. A maximum of 16 sites can be set.

Apply

Apply

Defines the application conditions of a topology policy filtering rule.

Action

The default action is Permit.

Next-hop site list

You can configure multiple next hop sites and access the next hop based on the priorities.

Modification mode

There are two modification modes: Overwrite and Additive.

Overwrite: Indicates that the access path of the user-defined topology policy overwrites the access path in the predefined topology. The access path is subject to the user-defined topology policy.

Additive: Indicates that a new access path is added to the original predefined topology policy. The priority of the user-defined topology policy is higher than that of the predefined topology.

Configuring WAN-side Routes

Context

After the overlay network is configured, iMaster NCE-Campus automatically deploys the BGP control protocol between sites to advertise routes on the overlay network.

Procedure
  1. Choose Provision > Virtual Network > Virtual Network from the main menu, and click the name of the created VN.

  2. Click 1 WAN Service, as shown in the following figure.

  3. Click the WAN Route tab.
  4. On the Routing Policy page, set exported and imported route policies for the overlay routes.

  5. Click OK.
  6. Click Apply.
Parameters
Table 5-384 Parameters on the BGP page under the WAN Route tab page

Parameter

Description

Export

Export

Filter Exported Routes: Filter the LAN-side routes to be advertised by the current WAN site to the WAN-side overlay network.

Match

Type

Type. Routes can be filtered only by IP address prefix.

IP prefix list
Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: minimum mask to specify a smaller network segment
  • Less-equal: maximum mask to specify a smaller network segment

Apply

Filtering type

Filtering type:

  • Blacklist: The site is allowed to export/import only BGP routes not in the network segment specified in IP prefix list.
  • Whitelist: The site is allowed to export/import only BGP routes in the network segment specified in IP prefix list.

MED

MED value of a BGP route in the network segment specified in IP prefix list. Similar to the metric of an IGP, the MED value is used to determine the optimal route for the traffic to enter an AS. When a BGP-enabled device obtains multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

AS Path

AS path of a BGP route in the network segment specified in IP prefix list. The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.

Import

Import

Filter Imported Routes: Filter the routes to be learned by the current WAN site from other sites on the WAN-side overlay network.

Match

Type

Type. Routes can be filtered only by IP address prefix.

IP prefix list
Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: minimum mask to specify a smaller network segment
  • Less-equal: maximum mask to specify a smaller network segment

Apply

Filtering type

Filtering type:

  • Blacklist: The site is allowed to export/import only BGP routes not in the network segment specified in IP prefix list.
  • Whitelist: The site is allowed to export/import only BGP routes in the network segment specified in IP prefix list.

Configuring LAN Services

Configuring Network Devices

Context

When configuring LAN services, you need to configure network devices and features according to the actual networking. For example, APs need to be configured with region information, SSIDs, and secure authentication, while gateway devices need to be configured with uplinks, NAT, and DNS. Administrators can quickly configure network devices based on the actual networking and complete network deployment.

Procedure
  1. Choose Provision > Virtual Network > Virtual Network from the main menu, and click the name of the created VN.

  2. Click LAN Service and select the site to configure.

  3. Click the desired device. The device configuration page is displayed.
  4. Configure required features based on the device type and role. For details, see Table 5-385.

    Table 5-385 Relationships between device type, device role, and quick configuration features

    Device Type

    Role

    Feature

    Reference

    AP

    AP

    Region, SSID, WLAN security

    LAN Network Site Configuration > Configuring AP Services:

    Configuring an SSID

    Configuring Radio Parameters

    Configuring AP Security Services

    Firewall

    Gateway

    Uplink, NAT, DNS, traffic policy, interface

    LAN Network Site Configuration > Configuring Firewall Services:

    Configuring Network

    Configuring Physical Interfaces

    Configuring a Traffic Policy

    Gateway+core

    Uplink, NAT, DNS, subnet, traffic policy, interface

    Core

    DNS, subnet, traffic policy, interface

    Switch

    Core

    Subnet, interface

    LAN Network Site Configuration > Configuring Switch Services:

    Configuring Subnet Information

    Configuring Physical Interfaces

    Aggregation

    Interface

    LAN Network Site Configuration > Configuring Switch Services:

    Configuring Physical Interfaces

    Access

    Interface

Configuring LAN-WAN Interconnection

Context

To connect LAN-side sites to WAN-side sites, configure VLAN IDs, IP addresses, interconnection interfaces, and interworking routes for LAN-side border devices and WAN-side gateways.

Procedure

  1. Choose Provision > Virtual Network > Virtual Network from the main menu, and click the name of the created VN.

  2. Click LAN-WAN Interconnect and select the site to configure.

  3. Configure parameters for the interconnection port between a border device and gateway. After the configuration is complete, click Apply.

    • In the simple mode, only Layer 3 sub-interfaces can be configured on the gateway.
    • In the advanced mode, Layer 2 interfaces, Layer 3 physical interfaces, and Layer 3 sub-interfaces can be configured on the gateway.

  4. (Optional) Click Gateway WLAN to set required parameters. After the configuration is complete, click Apply.
  5. Click to add a routing protocol.
  6. Click Create and set network parameters for the routing protocol.

Parameters

Table 5-386 Parameters on the Interconnection Interface Configuration tab page under Simple Mode

Parameter

Description

Border

--

Border device on the LAN side. You also need to configure the number of an interface, such as 0/0/0, on the border device. This interface is used for LAN-WAN interconnection.

VLAN ID

VLAN used for Layer 2 communication between the LAN-side border device and WAN-side gateway.

IP address

IP address for the VLANIF interface on the LAN-side border device.

Gateway

--

Gateway on the WAN side. You also need to configure an interface number for the gateway, such as 0/0/0.

IP address

IP address for the VLANIF interface on the WAN-side gateway.
Table 5-387 Parameters on the Interconnection Interface Configuration tab page under Advanced Mode

Parameter

Description

Border

Gateway interface

Type of the interface used for LAN-WAN interconnection. Currently, only L2 is available.

VLAN ID

VLAN used for Layer 2 communication between the LAN-side border device and WAN-side gateway.

Physical interfaces

Number of the physical interface for LAN-WAN interconnection, such as 0/0/0.

IP address

IP address for the VLANIF interface on the LAN-side border device.

Gateway

Gateway interface

L2

VLAN ID

VLAN ID. This VLAN is used for Layer 2 communication between LAN and WAN. It cannot overlap with the VLAN ID of a WLAN, or the VLAN ID of an internal link between dual gateways.

The system creates VLANIF interfaces based on VLAN IDs. For a dual-gateway site, if the CPEs are directly connected downstream to the Layer 2 switch, the two CPEs must use VLANIF interfaces created based on the same VLAN ID to communicate with the LAN-side network, implementing the VRRP function on the LAN-side network.

Physical interfaces

Physical interface on the gateway for LAN-WAN interconnection. For details, see Table 6.

L3

Interface

Type of the interface to be configured as an LAN-WAN interconnection interface and the interface number, such as 0/0/0.

Sub-interface

Whether to create a sub-interface.

VLAN ID

Number range of Layer 3 sub-interfaces: 1-4094. The value of Dot1q Vlan is the number of a Layer 3 sub-interface.

IP address

IP address for the VLANIF interface on the WAN-side gateway.

Trust mode

Whether the LAN of an interface is in a trusted or untrusted zone.

Advanced Settings

For details about the parameters, see Table 7.
Table 5-388 Physical interface parameters on the Interconnection Interface Configuration tab page under Advanced Mode

Parameter

Description

Interface

Type and port number of the port to be configured. The port number can be set in the format 0/0/0.

Mode

Whether an interconnection interface is a tagged or untagged member of a VLAN. The options are Tag and Untag. If PCs are deployed on the LAN, set this parameter to Untagged. Set this parameter based on the actual networking. This parameter is configurable only on the Advanced mode tab page.

NOTE:

If the interconnection interface on the border device (LSW) is assigned to VLAN as a Layer 2 tagged interface, the interconnection interface on the WAN-side gateway must be assigned to the same VLAN as a Layer 2 tagged interface or a Layer 3 sub-interface.
Table 5-389 Parameters on the Interconnection Interface Configuration tab page under Advanced Mode > Advanced Settings

Parameter

Description

Secondary IP address

Secondary IP addresses of a Layer 3 interface. Generally, an interface needs only a primary IP address. In some scenarios, you need to configure secondary IP addresses for an interface. For example, a CPE connects to a physical network through an interface, and hosts on this network belong to two network segments. To enable the CPE to communicate with all hosts on the physical network, you need to configure a primary IP address and a secondary IP address for this interface.

Each Layer 3 interface can be configured with one primary IP address and a maximum of 31 secondary IP addresses.

DHCP

DHCP type. After DHCP is enabled, you need to set the DHCP type of the CPE. The following DHCP types are supported:

  • Server: A device as a DHCP server and allocates network parameters to DHCP clients.
  • Relay: A device as a DHCP relay agent to exchange DHCP messages between a DHCP server and DHCP clients and help the DHCP server to dynamically allocate network parameters to DHCP clients. A DHCP relay agent is required in scenarios where multiple network segments need to be planned for an enterprise network and terminals need to automatically obtain network parameters (such as IP addresses) through DHCP. In this way, terminals in different network segments can share the DHCP server, saving server resources and facilitating unified management.

For details about DHCP parameters, see Table 8.

VRRP

Whether to enable VRRP. VRRP can be configured only for dual-gateway sites. After VRRP is enabled, the two gateways are virtualized into one device. After a VRRP group is configured, traffic is forwarded through the master device in normal circumstances. If the master device fails, traffic is switched quickly to the backup device, implementing gateway redundancy.

For details, see Table 9.

ARP proxy

Whether to enable ARP proxy. If this parameter is enabled, routed ARP proxy is used by default.

If the LANs of two sites belong to the same network segment and neither of them are configured with default gateways, the two LANs cannot communicate with each other. To allow the two LANs to communicate with each other, enable routed ARP proxy on the LAN interfaces of the two sites.

MTU

Maximum transmission unit of an interface. This parameter cannot be configured for a physical interface of the xDSL type.

The size of data packets is limited at the network layer. When a network layer device receives an IP packet, it determines the destination interface and obtains the MTU configured on the interface. The device then compares the MTU with the IP packet length. If the IP packet length is longer than the MTU, the device fragments the IP packet. Each fragment has a length less than or equal to the MTU

  • If the MTU is too small whereas the packet size is large, the packet is probably split into many fragments. Therefore, the packet may be discarded due to the insufficient QoS queue length.
  • If the MTU is too large, the packet is transmitted slowly or even lost.

MSS

Maximum segment size of TCP packets on an interface. The MSS is an option defined in the TCP protocol and refers to the maximum segment size of TCP packets that can be received by a peer device. When setting up a TCP connection, the local and peer devices negotiate an MSS value. If the length of a TCP packet exceeds the negotiated MSS value, the packet is fragmented.

NOTICE:

To prevent TCP packets from being fragmented, you must configure a proper MSS based on the MTU. The MTU is an option used to determine whether IP packets will be fragmented. If the size of an IP packet sent by a peer device exceeds the MTU, the IP packet will be fragmented. To ensure that a complete packet is transmitted properly, the MSS plus all the header lengths (TCP header and IP header) cannot exceed the MTU. For example, the default MTU of an Ethernet interface is 1500 bytes. To ensure that packets are not fragmented, the maximum MSS value is 1460 bytes [1500 - 20 (minimum length of the TCP header) - 20 (minimum length of the IP header)]. You are advised to set the MSS to 1200 bytes.
Table 5-390 DHCP parameters on the Interconnection Interface Configuration tab page under Advanced Mode > Advanced Settings

Parameter

Description

Relay

Server IP

IP address of the DHCP server that the DHCP relay agent serves. A maximum of eight DHCP server IP addresses can be configured on each interface enabled with the DHCP relay function.

Server

Address assignment mode
  • Primary: The DHCP server assigns IP addresses from the interface address pool to DHCP clients.
  • Primary/Secondary: The DHCP server assigns IP addresses from the global address pool to DHCP clients.

Exclude IP addresses

Range of IP addresses that will not be automatically assigned to clients from the DHCP address pool. A DHCP address pool is a set of address segments specified in IP addresses and secondary IP address. In the address pool, some IP addresses need to be reserved for other services, and some are statically assigned to hosts such as the web server, which cannot be automatically assigned to clients. You can specify the IP addresses or range of IP addresses in Exclude IP for the DHCP server.

Domain name

Domain name that the DHCP server assigns to a client. When allocating an IP address to a client, the DHCP server also sends the domain name to the client.

Lease time

Lease of IP addresses in the interface address pool on a DHCP server.

DNS-server

DSN server. You can specify the DNS server IP address to be assigned to a DHCP client by selecting a DNS group (which is configured in DNS server IP under Global Parameters). The DNS server address is contained in the DHCP response sent to the client.

Option
Option type.
  • Custom : User defined.
  • [44] Wins/Netbios server: indicates a WINS server address allocated to a DHCP client.
  • [46] Wins/Netbios node type: is applicable to the DHCP server. When a DHCP client uses a protocol for communication, its host name needs to be mapped to an IP address, and the node type needs to be specified for it.
  • [148]Cloud platform address: When requesting IP addresses through DHCP, devices can obtain the address and port of the iMaster NCE-Campus server through this option.
  • [150]TFTP server indicates the TFTP server IP address assigned by a DHCP client.
  • [184]Voice option: is applicable to the DHCP server. It is the content of the Option184 field sent by the DHCP server to a DHCP client.
If Option is set to Custom, the Code is an integer in the range from 1 to 254, but cannot be one of the following values: 1, 3 , 6, 15, 44, 46, 50, 51, 52, 53, 54, 55, 57, 58, 59, 61, 82, 120, 121, 148, 150, and 184. You can select two options from Type.
  • IP: You need to set this parameter to the server IP address.
  • Text: You need to type the text.

If Option is set to [44] Wins/Netbios server and [150]TFTP server, you need to set this parameter to the server IP address.

If Option is set to [46] Wins/Netbios node type, you can select any of the following for this parameter:
  • 1. B-Node: node in broadcast mode. A B-Node obtains the mapping between host names and IP addresses in broadcast mode.
  • 2. P-Node: node in peer-to-peer mode.
  • 3. M-Node: node in mixed mode. An M-Node is a P-Node with some broadcast features.
  • 4. H-Node: node in hybrid mode. An H-Node is a B-Node enabled with the peer-to-peer communication mechanism.

If Option is set to [148]Cloud platform address, the value of the text type should be set to agilemode=xxx;agilemanage-mode=xxx;agilemanage-domain=xxxx.xxx;agilemanage-port=xxx. For example, agilemode=agile-cloud;agilemanage-mode=domain;agilemanage-domain=device-naas.huawei.com;agilemanage-port=10020. When requesting IP addresses through DHCP, Intranet cloud devices can obtain the address and port of the iMaster NCE-Campus server through this option.

  • agilemode: The value is agile-cloud (default mode), tradition (mode can be switched by an external DHCP server through Option 148) or tradition-fit (indicates a special Fit mode of APs. This parameter is used to switch the AP Fit mode in WAC scenarios).
  • agilemanage-mode: The value is ip or domain, which mean the value of agilemanage-domain is an IP address or domain name.
  • agilemanage-domain: IP address or domain name of iMaster NCE-Campus.
  • agile-port: Number type which means the port of iMaster NCE-Campus.

If Option is set to[184]Voice option, you can select any of the following for this parameter:

  • as-ip: IP address of the backup network call processor (NCP).
  • fail-over: IP address in the failover route.
  • ncp-ip: IP address of the NCP.
  • voice-vlan: ID of a voice VLAN.

Static
  • IP: indicates a static IP address allocated to a DHCP client.
  • MAC: indicates the client MAC address statically bound to an IP address.
Table 5-391 VRRP parameters on the Advanced Settings tab page

Parameter

Description

VRRP ID

ID of a VRRP group. The two gateways need to be configured with the same VRRP group ID.

Virtual IP

IP address of a virtual device. The two gateways need to be configured with the same virtual IP address.

Default role

Device role, which is master or backup.

After a VRRP group is configured, traffic is forwarded through the master device in normal circumstances. If the master device fails, traffic is switched quickly to the backup device, implementing gateway redundancy.

Preempt delay (s)

Preemption delay of the master or backup device.

You are advised to set the preemption delay of the backup device in a VRRP group to 0, and set the preemption delay of the master device to a value longer than 60 seconds. These settings ensure that there is enough time for the uplinks and downlinks on the master and backup devices in a VRRP group to synchronize their statuses on an unstable network. If the preceding settings are not used, user devices may learn an incorrect master address due to frequent preemption, interrupting traffic.

In some abnormal scenarios, for example, the master device restarts, it takes a long time to restore services. You are advised to set the preemption delay to a larger value, for example, 180 seconds or more.

Track

Track

Whether to enable association between VRRP and BFD to implement fast switchover between the master and backup gateways in a VRRP group.

Peer IP

IP address of the peer device.

Source IP

IP address of the local device.

Local Discriminator

Local BFD discriminator. The value is in the range from 1 to 8191.

Remote Discriminator

Remote BFD discriminator. The value is in the range from 1 to 8191.

Interval

Link fault detection interval, in seconds. The value is in the range from 10 to 2000.

Priority Mode

Whether to increase or decrease the device priority. You can set this parameter to Increased or Reduced to switch the device to the master or backup device.

Priority Value

Priority value to be increased or decreased to. Ensure that the priority of the master device is lower than that of the backup device so that a master/backup switchover can be triggered.
Table 5-392 Parameters on the Create WLAN page under the Gateway WLAN tab page

Parameter

Description

Device

Currently, WLAN can be created only on the WAN-side gateway.

SSID

WLAN identifier, namely, the network service set identifier (SSID).

Effective radio

Frequency band over which radio signals of a WLAN are transmitted. The frequency band can be 2.4 GHz or 5 GHz.

VLAN ID

Service VLAN ID of a WLAN. It cannot overlap with the VLAN ID of a Layer 2 interface, or the VLAN ID of an internal link between dual gateways.

Interface IP address

VLANIF interface for the service VLAN of the WLAN.

DHCP

DHCP type

DHCP type. After DHCP is enabled, you need to set the DHCP type of the CPE. The following DHCP types are supported:

  • Server: A device as a DHCP server and allocates network parameters to DHCP clients.
  • Relay: A device as a DHCP relay agent to exchange DHCP messages between a DHCP server and DHCP clients and help the DHCP server to dynamically allocate network parameters to DHCP clients. A DHCP relay agent is required in scenarios where multiple network segments need to be planned for an enterprise network and terminals need to automatically obtain network parameters (such as IP addresses) through DHCP. In this way, terminals in different network segments can share the DHCP server, saving server resources and facilitating unified management.

Relay

Server IP

IP address of the DHCP server that the DHCP relay agent serves. A maximum of eight DHCP server IP addresses can be configured on each interface enabled with the DHCP relay function.

Server

Excluded IP addresses

Range of IP addresses that will not be automatically assigned to clients from the DHCP address pool. A DHCP address pool is a set of address segments specified in IP addresses and secondary IP address. In the address pool, some IP addresses need to be reserved for other services, and some are statically assigned to hosts such as the web server, which cannot be automatically assigned to clients. You can specify the IP addresses or range of IP addresses in Exclude IP for the DHCP server.

Domain name

Domain name that the DHCP server assigns to a client. When allocating an IP address to a client, the DHCP server also sends the domain name to the client.

Lease time

Lease of IP addresses in the interface address pool on a DHCP server.

DNS server

DSN server. You can specify the DNS server IP address to be assigned to a DHCP client by selecting a DNS group (which is configured in DNS server IP under Global Parameters). The DNS server address is contained in the DHCP response sent to the client.

Option
Option type.
  • [44] Wins/Netbios server: indicates a WINS server address allocated to a DHCP client.
  • [46] Wins/Netbios node type: is applicable to the DHCP server. When a DHCP client uses a protocol for communication, its host name needs to be mapped to an IP address, and the node type needs to be specified for it.
  • [150]TFTP server indicates the TFTP server IP address assigned by a DHCP client.
  • [184]Voice option: is applicable to the DHCP server. It is the content of the Option184 field sent by the DHCP server to a DHCP client.

If Option is set to [44] Wins/Netbios server and [150]TFTP server, you need to set this parameter to the server IP address.

If Option is set to [46] Wins/Netbios node type, you can select any of the following for this parameter:
  • 1. B-Node: node in broadcast mode. A B-Node obtains the mapping between host names and IP addresses in broadcast mode.
  • 2. P-Node: node in peer-to-peer mode.
  • 3. M-Node: node in mixed mode. An M-Node is a P-Node with some broadcast features.
  • 4. H-Node: node in hybrid mode. An H-Node is a B-Node enabled with the peer-to-peer communication mechanism.

If Option is set to[184]Voice option, you can select any of the following for this parameter:

  • as-ip: IP address of the backup network call processor (NCP).
  • fail-over: IP address in the failover route.
  • ncp-ip: IP address of the NCP.
  • voice-vlan: ID of a voice VLAN.

Static
  • IP: indicates a static IP address allocated to a DHCP client.
  • MAC: indicates the client MAC address statically bound to an IP address.

Security Authentication

Encryption mode
  • WPA1: WPA1 authentication is used.
  • WPA2: WPA2 authentication is used.

PSK

Shared key for PSK authentication.

Advanced Settings

Hide SSID

Whether to hide an SSID. If this parameter is enabled for an SSID, new users cannot detect the SSID. Only wireless users who know the SSID name can connect to the WLAN.

Max number of access users

Maximum number of access users permitted on a WLAN. The value ranges from 1 to 128.

Downlink traffic

Uplink traffic of a WLAN. The value ranges from 64 to 4294967295.

Uplink traffic

Downlink traffic of a WLAN. The value ranges from 64 to 4294967295.

Transmit Power Level

Power level for a radio. This parameter is configurable only when Effective radio is set to 2.4GHZ. A larger value indicates a higher power level and a lower transmit power of a radio. The default value is 0, indicating full power.

Channel

Working channel for a radio. Select the channel based on the country code and radio mode. This parameter is configurable only when Effective radio is set to 2.4GHZ. The default working bandwidth is 20 MHz.
Table 5-393 Parameters on the BGP > Advanced Settings page

Parameter

Description

Default route redistribution

Whether to redistribute the default routes in the local IP routing table to the BGP routing table.

Route redistribution

Protocol of the routes to be redistributed. Static and direct routes can be redistributed to BGP.

External priority

Priority of EBGP routes. This parameter is configurable for ARs only. You can set different priorities for different devices. For a dual-gateway site, you can specify a separate EBGP route priority for each gateway.

Summary route

Route obtained by summarizing specific routes in the local BGP routing table. This parameter is configurable for ARs only. The system advertises only the summary route, and suppresses the advertisement of all specific routes within the summary route. You can specify IP addresses and masks of multiple summary routes.
Table 5-394 Parameters on the Create BGP page under Interconnection Interface Configuration > Interconnection Route Configuration

Parameter

Description

Device

CPE on which a BGP route needs to be configured.

Peer IP

IP address of the peer device. In most cases, a BGP peer relationship is established between a WAN-side site and a legacy site.

Peer AS

AS number of the peer device.

Local AS

Fake AS number of the local device. Typically, a device supports only one BGP process, that is, a device supports only one AS number. However, in some cases, for example, when AS numbers need to be changed during a network migration, you can set a fake AS number for a specified peer to ensure successful network migration.

If this parameter is left empty, the AS number in the global configuration is used by default.

Keepalive time (s)

Interval for sending Keepalive messages to the peer. After establishing a BGP connection, two peers periodically send Keepalive messages to each other to detect the status of the BGP connection. If a device receives no Keepalive message or any other type of message from its peer within the hold time, the device declares a BGP peer dead.

Hold time (s)

Interval after which a device, having not received a Keepalive message, declares a BGP peer dead. The hold time should be at least three times the Keepalive time.

MD5 encrypt

Whether to use MD5 authentication between BGP peers. If MD5 authentication is enabled, you need to enter the password in cipher text.

Routing Policy

NOTE:

Only the AR supports this parameter.

Export

Export

Whether to filter BGP routes. When a WAN site communicates with a legacy site, BGP can be used to control access paths.

If a BGP peer relationship has been established between a WAN site and a legacy site, you can enable this function to control the advertisement of the underlay BGP routing information. That is, after this function is enabled, a site advertises only the routes to be advertised or the routes required by its peer. This restricts the access of the legacy site to the LAN side of the WAN site.

Match

Type

Filter criteria. Routes can be filtered only by IP address prefix.

IP Prefix
Range of the routes to be filtered. You can specify a route range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: lower limit of the range for subnet mask length matching
  • Less-equal: upper limit of the range for subnet mask length matching

Apply

Filtering type

Mode for filtering BGP routes. BGP routes are filtered so that the current site does not advertise BGP routes in a specified subnet to the underlay network. The options are as follows:

  • Blacklist: The site is allowed to advertise only BGP routes not in the subnets specified by IP prefix list.
  • Whitelist: The site is allowed to advertise only BGP routes in the subnet specified by IP prefix list.

MED

MED value of a BGP route in the subnet specified in IP prefix list. Similar to the metric of an IGP, the MED value is used to determine the optimal route for the traffic to enter an AS. When a BGP-enabled device obtains multiple routes to the same destination address but with different next hops from EBGP peers, it selects the route with the smallest MED value as the optimal route.

This parameter is configurable only when Filtering type is set to Whitelist.

Community

Community attribute to be added to a BGP route in the subnet specified in IP prefix list. The community attribute is a private BGP route attribute. It is transmitted between BGP peers and is not restricted to an AS. The community attribute allows a group of BGP-enabled devices in multiple ASs to share the same routing policies. This allows routing policies to be flexibly used and makes it simple to maintain and manage routing policies.

This parameter is configurable only when Filtering type is set to Whitelist.

AS Path

AS path of a BGP route in the subnet specified in IP prefix list. The AS_Path attribute records the numbers of all ASs that a route passes through, from the source to the destination, in the vector order. You can configure the AS_Path attribute to implement flexible route selection.

This parameter is configurable only when Filtering type is set to Whitelist.

Import

Import

Whether to filter BGP routes. When a WAN site communicates with a legacy site, BGP can be used to control access paths.

If a BGP peer relationship has been established between a WAN site and a legacy site, you can enable this function to control the reception of the underlay BGP routing information. After this function is enabled, the site receives only the routes that it wants to receive. This restricts the access of the WAN site to the LAN side of the legacy site.

Match

Type

Filter criteria. Routes can be filtered only by IP address prefix.

IP Prefix
Range of the routes to be filtered. You can specify a route range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: lower limit of the range for subnet mask length matching
  • Less-equal: upper limit of the range for subnet mask length matching

Apply

Filtering type

Mode for filtering BGP routes. BGP routes are filtered so that the current site does not receive BGP routes in a specified subnet to the underlay network. The options are as follows:

  • Blacklist: The site is allowed to receive only BGP routes not in the subnets specified by IP prefix list.
  • Whitelist: The site is allowed to receive only BGP routes in the subnets specified by IP prefix list.
Table 5-395 Parameters on the Create Static Routes page under Interconnection Interface Configuration > Interconnection Route Configuration

Parameter

Description

Device

CPE on which a static route needs to be configured.

Priority

Priority of a static route. The value is an integer in the range from 1 to 255. A smaller value indicates a higher priority. If you specify the same priority for static routes with the same destination, load balancing can be implemented among these routes. If you specify different priorities for multiple static routes with the same destination, backup can be implemented among these routes.

Destination address/mask

Destination IP address and mask of a static route.

Next-Hop

Next-hop type

Type of the next hop in a static route.

  • IP address
  • The value black_hole indicates that the packets destined to the destination subnet specified in a static route will be discarded. For example, it can be used to block packets destined for a particular website. The switch does not support this parameter.

IP address

Next-hop IP address of a static route. This parameter is configurable only when Next-hop type is set to IP address.

Track

Whether to associate a static route with a network quality analysis (NQA) instance.

This parameter is configurable only when Next-hop type is set to IP address.

Target

Destination address in an NQA instance. If a static route is associated with an NQA instance, only Internet Control Message Protocol (ICMP) instances can be used to check whether there are reachable routes between the source and destination.
Table 5-396 Parameters on the Create OSPF page under Interconnection Interface Configuration > Interconnection Route Configuration

Parameter

Description

Device

CPE on which an OSPF route needs to be configured. You need to configure BGP routes on the border device and gateway specified on the Interconnection Interface Configuration page.

Process ID

OSPF process ID. OSPF processes can be classified by service type.

Default route advertisement

Whether to advertise default routes to a common OSPF area.

Default route cost

Cost of the default route. The value is an integer in the range from 0 to 16777214. The default value is 1.

Internal preference

Priority of an OSPF route. The value is an integer in the range from 1 to 255.

ASE preference

Priority of an AS external route. The value is an integer in the range from 1 to 255.

Interface Parameter

Area ID

OSPF area ID.

Interface Name

Name of the interface that runs OSPF.

Authentication Mode

Authentication mode used in the OSPF area. The options are None, Simple, and Cryptographic.

Key

Authentication key ID of the interface's cipher authentication. Both ends must have the same Key ID. The value is an integer in the range from 1 to 255.

Password
Password in clear text or in cipher text. The value is a string of case-sensitive characters without spaces, and contains digits and letters.
  • In Simple mode, a password is a string of 1 to 8 characters.
  • In Security mode, a password is a string of 1 to 255 characters.

Hello Timer

Interval for sending Hello packets on an interface. The value is an integer in the range from 1 to 65535, in seconds.

DR Priority

Priority for an interface that participates in the DR election. The value is an integer in the range from 0 to 255.

Cost

Cost of running OSPF on an interface. The value is an integer in the range from 1 to 65535. The default value is 1.

Route Redistribute

Protocol

Routing protocol of the routes to be redistributed. Only static routes and direct routes can be redistributed.

Process ID

Process ID of the routing protocol.

Cost

Cost of redistributed routes. The value is an integer in the range from 0 to 16777214. The default value is 1.

Router Filter

NOTE:

Only the AR supports this parameter.

Export filter

Mode

Mode for filtering OSPF routes to be advertised to the LAN:

  • Blacklist: The site is allowed to advertise only OSPF routes not in the network segment specified by Filter IP address.
  • Whitelist: The site is allowed to advertise only OSPF routes in the network segment specified by Filter IP address.

Filter IP address
Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: minimum mask to specify a smaller network segment
  • Less-equal: maximum mask to specify a smaller network segment

Import filter

Mode

Mode for filtering OSPF routes to be received from the LAN:

  • Blacklist: The site is allowed to receive only OSPF routes not in the network segment specified by Filter IP address.
  • Whitelist: The site is allowed to receive only OSPF routes in the network segment specified by Filter IP address.

Filter IP address
Routing range. You can specify a routing range by setting the following parameters. The parameter values must meet the following conditions: MaskGreater-equalLess-equal.
  • IP Address/Mask: IP address and mask
  • Greater-equal: minimum mask to specify a smaller network segment
  • Less-equal: maximum mask to specify a smaller network segment
Translation
简体中文
Download
Updated: 2021-04-29

Document ID: EDOC1100141248

Views: 137196

Downloads: 573

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :