HCIP-Datacom-Core Technology V1.0 Lab Guide

Huawei Certification Training
HCIP-Datacom-Core Technology
Data Communication Senior Engineer
Lab Guide
Issue: 1.0
Huawei Technologies Co., Ltd.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent
of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer.
All or part of the products, services and features described in this document may not be within the purchase scope or
the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this
document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base

Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com/
HCIP-Datacom-Core Technology Lab Guide Page 1
Huawei Certification System

Huawei Certification follows the "platform + ecosystem" development strategy, which is a
new collaborative architecture of ICT infrastructure based on "Cloud-Pipe-Terminal". Huawei has
set up a complete certification system consisting of three categories: ICT infrastructure
certification, platform and service certification, and ICT vertical certification. It is the only
certification system that covers all ICT technical fields in the industry. Huawei offers three levels
of certification: Huawei Certified ICT Associate (HCIA), Huawei Certified ICT Professional (HCIP),
and Huawei Certified ICT Expert (HCIE). Huawei Certification covers all ICT fields and adapts to
the industry trend of ICT convergence. With its leading talent development system and
certification standards, it is committed to fostering new ICT talent in the digital era, and building
a sound ICT talent ecosystem.
Huawei Certified ICT Professional-Datacom-Core Technology (HCIP-Datacom-Core
Technology) is designed for Huawei's frontline engineers and anyone who want to understand
Huawei's datacom products and technologies. HCIP-Datacom-Core Technology certification
covers advanced routing, advanced Ethernet switching, large-scale WLAN networking, multicast
technology, IPv6 technology, network security, network reliability, network service and
management, and enterprise network solutions.
The Huawei certification system introduces the industry, fosters innovation, and imparts
cutting-edge datacom knowledge.
About This Document
Overview
This document is an HCIP-Datacom-Core Technology certification training course. It is intended for
trainees who are going to take the HCIP-Datacom-Core Technology exams or readers who want to
learn advanced technologies, such as routing, Ethernet switching, large-scale WLAN networking,
multicast, IPv6, network security, network reliability, and network service and management.
Background Knowledge Required

This course is for Huawei's advanced certification. To better understand this course, familiarize
yourself with the following requirements:
1. Have basic computer skills.
2. Have participated in HCIA-Datacom training.
3. Have passed the HCIA-Datacom exams.
4. Be familiar with the principles of the TCP/IP protocol stack.
5. Be familiar with the basic working principles of Ethernet switches and routers.
Symbol Conventions
Lab Environment
Networking
This lab environment is intended for datacom network engineers who are preparing for the HCIP-
Datacom-Core Technology exam. Each lab environment includes three switches (not supporting
PoE), two PoE switches, two APs, five routers, and one firewall.
Device Introduction
To meet exercise requirements, the recommended configurations of the environment are as
follows:
The following table describes the mapping among devices, models, and versions.
Device Name Device Model Software version
CloudEngine S5731-
Switch V200R019C00 or later
H24T4XC
CloudEngine S5731-
PoE switch V200R019C00 or later
H24P4XC
AP AirEngine 5760-10 V200R019C00 or later
Router NetEngine AR6120 V300R019 or later
Firewall USG6307E V500R001C50 or later
The port, output, and configuration information of devices in this document is provided
based on the recommended topology. The actual information may vary according to the lab
environment.
Contents
Overview .....................................................................................................................................................................3
Background Knowledge Required ................................................................................................................................3
Symbol Conventions ....................................................................................................................................................3
Lab Environment ........................................................................................................................................................ 4
1 Basic OSPF Configurations ............................................................................................. 8
1.1 Lab 1: Single-Area OSPF ........................................................................................................................................ 8
1.1.1 Introduction ........................................................................................................................................................ 8
1.1.2 Lab Configuration ............................................................................................................................................... 9
1.1.3 Quiz ................................................................................................................................................................... 22
1.1.4 Configuration Reference .................................................................................................................................... 22
1.2 Lab 2: Multi-Area OSPF ........................................................................................................................................ 23
1.2.1 Introduction....................................................................................................................................................... 23
1.2.2 Lab Configuration ............................................................................................................................................. 24
1.2.3 Quiz ................................................................................................................................................................... 36
1.3 Lab 3: OSPF Adjacencies and LSAs ....................................................................................................................... 39
1.3.1 Introduction ....................................................................................................................................................... 39
1.3.3 Quiz ...................................................................................................................................................................56
1.3.4 Configuration Reference ....................................................................................................................................56
1.4 Lab 4: OSPF Stub Area and NSSA .........................................................................................................................58
1.4.1 Introduction .......................................................................................................................................................58
1.4.2 Lab Configuration ..............................................................................................................................................59
1.4.3 Quiz ................................................................................................................................................................... 71
2 IS-IS Basics Experiment ................................................................................................. 74
2.1 IS-IS Configuration Experiment ............................................................................................................................ 74
2.1.1 Introduction....................................................................................................................................................... 74
2.1.2 Lab Configuration .............................................................................................................................................. 75
2.1.3 Quiz .................................................................................................................................................................. 84
2.1.4 Configuration Reference ................................................................................................................................... 84
3 BGP Configurations ...................................................................................................... 88
3.1 Lab 1: Basic BGP Configurations .......................................................................................................................... 88
3.1.1 Introduction ...................................................................................................................................................... 88
3.1.3 Quiz ................................................................................................................................................................... 97
3.2 Lab 2: BGP Route Summarization ....................................................................................................................... 100

3.2.1 Introduction..................................................................................................................................................... 100
3.2.2 Lab Configuration ............................................................................................................................................ 101
3.2.3 Quiz ................................................................................................................................................................. 108
3.2.4 Configuration Reference .................................................................................................................................. 108
3.3 Lab 3: BGP RR ..................................................................................................................................................... 110
3.3.1 Introduction ..................................................................................................................................................... 110
3.3.3 Quiz ................................................................................................................................................................. 123
3.4 Lab 4: BGP Route Selection ................................................................................................................................ 126
3.4.1 Introduction..................................................................................................................................................... 126
3.4.3 Quiz ................................................................................................................................................................. 145
3.4.4 Configuration Reference.................................................................................................................................. 145
4 Routing Policy and Routing Control .............................................................................. 151
4.1 Route Import and Control ................................................................................................................................... 151
4.1.1 Introduction ..................................................................................................................................................... 151
4.1.3 Quiz ................................................................................................................................................................. 160
5 RSTP and MSTP .......................................................................................................... 163
5.1 Basic RSTP and MSTP Configurations ................................................................................................................. 163
5.1.1 Introduction ..................................................................................................................................................... 163
5.1.3 Quiz ................................................................................................................................................................. 171
6 Multicast .................................................................................................................... 174
6.1 IGMP, IGMP Snooping, and PIM-DM ................................................................................................................... 174
6.1.1 Introduction..................................................................................................................................................... 174
6.1.2 Lab Configuration............................................................................................................................................ 175
6.1.3 Quiz ................................................................................................................................................................. 185
6.2 PIM-SM, BSR, and PIM-SSM .............................................................................................................................. 188
6.2.1 Introduction .................................................................................................................................................... 188
6.2.2 Lab Configuration ........................................................................................................................................... 189
6.2.3 Quiz ................................................................................................................................................................ 198
6.2.4 Configuration Reference ................................................................................................................................. 198
7 Firewall Technology .................................................................................................... 202
7.1 Firewall Security Policy ....................................................................................................................................... 202
7.1.1 Introduction ..................................................................................................................................................... 202

7.1.3 Quiz .................................................................................................................................................................209
7.1.4 Configuration Reference ..................................................................................................................................209
8 VRRP ......................................................................................................................... 212
8.1 Basic VRRP Configurations ................................................................................................................................. 212
8.1.1 Introduction..................................................................................................................................................... 212
8.1.3 Quiz ................................................................................................................................................................. 219
9 DHCP ......................................................................................................................... 223
9.1 DHCP Relay Configuration.................................................................................................................................. 223
9.1.1 Introduction..................................................................................................................................................... 223
9.1.2 Lab Configuration............................................................................................................................................ 224
9.1.3 Quiz ................................................................................................................................................................. 231
10 WLAN ...................................................................................................................... 234
10.1 Inter-AC Roaming on a Large-Scale WLAN ....................................................................................................... 234
10.1.1 Introduction ................................................................................................................................................... 234
10.1.2 Lab Configuration .......................................................................................................................................... 235
10.1.3 Quiz .............................................................................................................................................................. 244
10.1.4 Configuration Reference ............................................................................................................................... 244
10.2 VRRP HSB Configuration ................................................................................................................................. 248
10.2.1 Introduction .................................................................................................................................................. 248
10.2.2 Lab Configuration .......................................................................................................................................... 250
10.2.3 Quiz ............................................................................................................................................................... 261
10.2.4 Configuration Reference ................................................................................................................................ 261
10.3 Dual-Link Cold Backup Configuration ............................................................................................................... 265
10.3.1 Introduction ................................................................................................................................................... 265
10.3.2 Lab Configuration ......................................................................................................................................... 266
10.3.3 Quiz ............................................................................................................................................................... 274
10.3.4 Configuration Reference ................................................................................................................................ 274
Reference Answers ........................................................................................................ 278
1 Basic OSPF Configurations
1.1 Lab 1: Single-Area OSPF

1.1.1 Introduction
1.1.1.1 Objectives
Upon completion of this task, you will be able to:
 Configure OSPF in a single area.
 Configure OSPF area authentication.
 Describe the process of establishing OSPF neighbor relationships on a multi-access network.
 Change the cost of an OSPF interface.
 Illustrate how to configure silent interfaces in OSPF.
 Run the display commands to check various OSPF states.
1.1.1.2 Networking Topology
Figure 1-1 Single-area OSPF
R1, R2, and R3 are connected through S1, and their interfaces and IP addresses are shown in the
figure. Loopback0 is created on each of R1, R2, and R3, and its IP address is in the format of
10.0.x.x/24, where x indicates the device number.
All interfaces of R1, R2, and R3 belong to area 0, and OSPF is activated on the interconnection and
Loopback0 interfaces.
1.1.1.3 Background
You are a network administrator of a company. Currently, there are three AR routers on the
company's network, which communicate with each other through an Ethernet. On broadcast multi-
access networks such as Ethernet, there may be security risks. To prevent malicious routing attacks,
you choose to use OSPF area authentication.
1.1.2 Lab Configuration

1.1.2.1 Configuration Roadmap
1. Configure IP addresses for the devices.
2. Configure OSPF on R1, R2, and R3, manually specify router IDs, and activate OSPF on the
interconnection and Loopback0 interfaces.
3. After the configuration is complete, check the OSPF neighbor relationship status and OSPF
routing table on each of R1, R2, and R3, and check the connectivity between the loopback
interfaces of R1, R2, and R3.
4. Manually shut down the interconnection interfaces of R1, R2, and R3 and enable the debugging
function to check the establishment of OSPF neighbor relationships. Then, enable the
interconnection interfaces again and observe the debugging information on the devices.
5. Manually change the network type of Loopback0 on R2 and observe the change in the mask
length of the OSPF route.
6. Manually change the costs of OSPF interfaces.
7. Configure the interconnection and Loopback0 interfaces as silent interfaces.
1.1.2.2 Configuration Procedure
Step 1 Configure IP addresses for the interconnection and loopback interfaces.
# Name the devices.
The configuration details are not provided.
# Disable the interfaces that are not used in this experiment.
# Configure IP addresses for GE0/0/3 and the loopback interface on R1.
<R1>system-view
Enter system view, return user view with Ctrl+Z.
[R1]interface GigabitEthernet 0/0/3
[R1-GigabitEthernet0/0/3] ip address 10.0.123.1 24
[R1-GigabitEthernet0/0/3] quit
[R1]interface LoopBack 0
[R1-LoopBack0] ip address 10.0.1.1 24
[R1-LoopBack0] quit
<R2>system-view

[R2-LoopBack0] quit
<R3>system-view
[R3-LoopBack0] quit
# Verify the connectivity on R1.
<R1>ping -c 1 10.0.123.2
PING 10.0.123.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.123.2: bytes=56 Sequence=1 ttl=255 time=2 ms
--- 10.0.123.2 ping statistics ---

1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
<R1>ping -c 1 10.0.123.3

0.00% packet loss
Step 2 Configure OSPF in a single area.

# Configure the Loopback0 IP addresses of R1, R2, and R3 as their OSPF router IDs, and set the
OSPF process ID to 1.
[R1]ospf 1 router-id 10.0.1.1
# Activate OSPF on the interconnection and Loopback0 interfaces of R1, R2, and R3.
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0] network 10.0.123.1 0.0.0.0
[R2]ospf 1
[R2-ospf-1]area 0

[R3]ospf 1
[R3-ospf-1]area 0
# To ensure security, configure OSPF area authentication, use the cleartext mode, and set the
password to huawei.
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0] authentication-mode simple plain huawei
[R2]ospf 1
[R2-ospf-1]area 0
[R3]ospf 1
[R3-ospf-1]area 0
Step 3 Verify the OSPF configuration.

# Check the OSPF neighbor information on R1, R2, and R3.
<R1>display ospf peer
OSPF Process 1 with Router ID 10.0.1.1

Neighbors
Area 0.0.0.0 interface 10.0.123.1(GigabitEthernet0/0/3)'s neighbors

Router ID : 10.0.2.2 Address: 10.0.123.2
State: Full Mode :Nbr is Master Priority: 1
DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:24:56
Authentication Sequence: [ 0 ]
Router ID: 10.0.3.3 Address: 10.0.123.3

State: Full Mode:Nbr is Slave Priority: 1
DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0
The command output shows that R1 has established OSPF neighbor relationships with R2 and R3.

Neighbors

DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0

DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0

Neighbors

State: Full Mode:Nbr is Master Priority: 1
DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0

DR: 10.0.123.1 BDR: 10.0.123.2 MTU: 0
# Check the OSPF routing tables of R1, R2, and R3.
[R1]display ospf routing

Routing Tables
Routing for Network

Destination Cost Type NextHop AdvRouter Area
10.0.1.1/32 0 Stub 10.0.1.1 10.0.1.1 0.0.0.0
10.0.123.0/24 1 Transit 10.0.123.1 10.0.1.1 0.0.0.0
10.0.2.2/32 1 Stub 10.0.123.2 10.0.2.2 0.0.0.0
10.0.3.3/32 1 Stub 10.0.123.3 10.0.3.3 0.0.0.0
Total Nets: 4
Intra Area: 4 Inter Area: 0 ASE: 0 NSSA: 0
The command output shows that R1 has learned the Loopback0 routes from R2 and R3.

Routing Tables
Routing for Network

10.0.2.2/32 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.123.0/24 1 Transit 10.0.123.2 10.0.2.2 0.0.0.0
10.0.1.1/32 1 Stub 10.0.123.1 10.0.1.1 0.0.0.0
10.0.3.3/32 1 Stub 10.0.123.3 10.0.3.3 0.0.0.0
Total Nets: 4

Routing Tables
Routing for Network

10.0.3.3/32 0 Stub 10.0.3.3 10.0.3.3 0.0.0.0
10.0.123.0/24 1 Transit 10.0.123.3 10.0.3.3 0.0.0.0
10.0.1.1/32 1 Stub 10.0.123.1 10.0.1.1 0.0.0.0
10.0.2.2/32 1 Stub 10.0.123.2 10.0.2.2 0.0.0.0
Total Nets: 4
# Check the connectivity between the loopback interfaces.
<R1>ping -c 1 -a 10.0.1.1 10.0.2.2


0.00% packet loss
<R1>ping -c 1 -a 10.0.1.1 10.0.3.3


0.00% packet loss
On R1, use the IP address of Loopback0 as the source address to ping the Loopback0 interfaces of
R2 and R3.
# Check the OSPF LSDB on R1.
<R1>display ospf lsdb
OSPF Process 1 with RouterID 10.0.1.1

Link StateDatabase
Area:0.0.0.0
Type LinkState ID AdvRouter AgeLen Sequence Metric
Router 10.0.3.3 10.0.3.3 468 48 80000005 0
Router 10.0.2.2 10.0.2.2 472 48 8000000B 0
Router 10.0.1.1 10.0.1.1 467 48 8000000D 0
Network 10.0.123.1 10.0.1.1 467 36 80000008 0
The command output shows four LSAs, among which the first three are Type 1 LSAs generated by
R1, R2, and R3 separately. The AdvRouter field for each LSA indicates the router that generates the
LSA. The fourth LSA is a Type 2 LSA, which is generated by the DR on a network segment. In this
scenario, R1 is the DR on the network segment 10.0.123.0/24. Therefore, the AdvRouter field value
of the Type 2 LSA is 10.0.1.1.
# Check the Type 1 LSA generated by R1.
[R1]display ospf lsdb router self-originate

Area: 0.0.0.0
Link State Database
Type : Router
Ls id : 10.0.1.1
Adv rtr : 10.0.1.1
Ls age : 430
Len : 48
Options :E
seq# : 80000009
chksum : 0x8188
Link count : 2
*Link ID : 10.0.1.1
Data : 255.255.255.255
Link Type: StubNet
Metric : 0
Priority : Medium
*Link ID : 10.0.123.1
Data : 10.0.123.1
Link Type: TransNet
Metric : 1
The command output shows that this LSA describes two Links. The first Link indicates the network
segment where the loopback interface resides. The value of Link Type is StubNet, and the values of
Link ID and Data are the IP address and mask of the stub network segment, respectively. The
second Link describes the network segment on which the three routers are interconnected. The
value of Link Type is TransNet. The value of Link ID is the DR's interface address 10.0.123.1, and the
value of Data is the IP address of the local interface on the network segment, 10.0.123.1.
# Check the Type 2 LSA generated by R1.
[R1]display ospf lsdb network self-originate

Area: 0.0.0.0
Link State Database
Type : Network
Ls id : 10.0.123.1
Adv rtr : 10.0.1.1
Ls age : 1662
Len : 36
Options : E
seq# : 80000005
chksum : 0x3d58
Net mask : 255.255.255.0
Priority : Low
Attached Router 10.0.1.1
The Attached Router field in the Type 2 LSA describes the neighbor information of the network
segment where the DR resides.
Step 4 Check the process of establishing OSPF neighbor relationships.
Based on the preceding OSPF neighbor information, the interface IP address of the DR is 10.0.123.1,
which is different from the expected result obtained based on DR election rules. In OSPF, the non-
preemption mode is used for DR election. When a DR or BDR exists on a network, a newly deployed
router on the network cannot preempt the role of the DR or BDR. However, if OSPF is configured at
different time on the network devices, the elected DR may be the device that starts first.
To prevent this issue, you can shut down the interconnection interfaces of R1, R2, and R3, and run
the debugging ospf 1 event command to observe the process of establishing the OSPF neighbor
relationships. Then, try to re-enable the interfaces of R1, R2, and R3 at the same time, and check the
DR and BDR election process based on the debugging information.
# Shut down the interconnection interfaces of R1, R2, and R3.
[R1] interface GigabitEthernet0/0/3

[R1-GigabitEthernet0/0/3] shutdown


# Enable the debugging function on R1, R2, and R3, and enable OSPF event debugging.
<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>terminal monitor
<R1>debugging ospf 1 event
The operations on R2 and R3 are the same as that on R1, and are not provided here.
# Re-enable the interconnection interfaces of R1, R2, and R3.

[R1-GigabitEthernet0/0/3] undo shutdown


# Observe the debugging information on R3.
May 22 2020 14:32:25-08:00 R3 %%01PHY/1/PHY(l)[20]: GigabitEthernet0/0/4: change status to up

May 22 2020 14:32:25-08:00 R3 %%01IFNET/4/LINK_STATE(l)[21]:The line protocol IP on the interface GigabitEthernet0/0/4 has
entered the UP state.
May 22 2020 14:32:25.650.5-08:00 R3 RM/6/RMDEBUG:
FileID: 0x7017802c Line: 1281 Level: 0x20
OSPF 1: Intf 10.0.123.3 Rcv InterfaceUp State Down -> Waiting.
May 22 2020 14:32:25.650.6-08:00 R3 RM/6/RMDEBUG:
OSPF 1 Send Hello Interface Up on 10.0.123.3
May 22 2020 14:32:29-08:00 R3 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been
changed. The current change number is 20, the change loop count is 0, and the maximum number of records is 4095.
May 22 2020 14:33:06-08:00 R3 %%01OSPF/4/NBR_CHANGE_E(l)[22]:Neighbor changes event: neighbor status changed.
(ProcessId=1, NeighborAddress=10.0.123.2, NeighborEvent=HelloReceived, NeighborPreviousState=Down,
NeighborCurrentState=Init)
May 22 2020 14:33:06.320.2-08:00 R3 RM/6/RMDEBUG:
FileID: 0x7017802d Line: 1119 Level: 0x20
OSPF 1: Nbr 10.0.123.2 Rcv HelloReceived State Down -> Init.
May 22 2020 14:33:08.390.1-08:00 R3 RM/6/RMDEBUG:
OSPF 1 Send Hello Interface State Changed on 10.0.123.3
May 22 2020 14:33:08.390.2-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Intf 10.0.123.3 Rcv WaitTimer State Waiting -> DR.
(ProcessId=1, NeighborAddress=10.0.123.2, NeighborEvent=2WayReceived, NeighborPreviousState=Init,
NeighborCurrentState=ExStart)
(ProcessId=1, NeighborAddress=10.0.123.2, NeighborEvent=NegotiationDone, NeighborPreviousState=ExStart,
NeighborCurrentState=Exchange)
May 22 2020 14:33:08.480.1-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.2 Rcv 2WayReceived State Init -> ExStart.
May 22 2020 14:33:08.530.1-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.2 Rcv NegotiationDone State ExStart -> Exchange.

(ProcessId=1, NeighborAddress=10.0.123.2, NeighborEvent=ExchangeDone, NeighborPreviousState=Exchange,
NeighborCurrentState=Loading)
(ProcessId=1, NeighborAddress=10.0.123.2, NeighborEvent=LoadingDone, NeighborPreviousState=Loading,
NeighborCurrentState=Full)
May 22 2020 14:33:08.590.3-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.2 Rcv ExchangeDone State Exchange -> Loading.
May 22 2020 14:33:08.590.4-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.2 Rcv LoadingDone State Loading -> Full.
May 22 2020 14:33:10.340.1-08:00 R3 RM/6/RMDEBUG:
May 22 2020 14:33:10.340.2-08:00 R3 RM/6/RMDEBUG:
May 22 2020 14:33:10.420.1-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.1 Rcv NegotiationDone State ExStart -> Exchange.
(ProcessId=1, NeighborAddress=10.0.123.1, NeighborEvent=ExchangeDone, NeighborPreviousState=Exchange,
NeighborCurrentState=Loading)
(ProcessId=1, NeighborAddress=10.0.123.1, NeighborEvent=LoadingDone, NeighborPreviousState=Loading,
NeighborCurrentState=Full)
May 22 2020 14:33:10.460.3-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.1 Rcv ExchangeDone State Exchange -> Loading.
May 22 2020 14:33:10.460.4-08:00 R3 RM/6/RMDEBUG:
OSPF 1: Nbr 10.0.123.1 Rcv LoadingDone State Loading -> Full.
When OSPF is enabled almost at the same time, the debugging information shows that R3 has
become the DR.
May 22 2020 14:32:29-08:00 R2 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been

changed. The current change number is 15, the change loop count is 0, and the maximum number of records is 4095.
May 22 2020 14:32:29-08:00 R2 %%01PHY/1/PHY(l)[18]: GigabitEthernet0/0/4: change status to up
May 22 2020 14:32:29-08:00 R2 %%01IFNET/4/LINK_STATE(l)[19]:The line protocol IP on the interface GigabitEthernet0/0/4 has
entered the UP state.
May 22 2020 14:32:29.760.5-08:00 R2 RM/6/RMDEBUG:
OSPF 1: Intf 10.0.123.2 Rcv InterfaceUp State Down -> Waiting.
May 22 2020 14:32:29.760.6-08:00 R2 RM/6/RMDEBUG:

OSPF 1 Send Hello Interface Up on 10.0.123.2
May 22 2020 14:33:06.310.1-08:00 R2 RM/6/RMDEBUG:
OSPF 1 Send Hello Interface State Changed on 10.0.123.2
May 22 2020 14:33:06.310.2-08:00 R2 RM/6/RMDEBUG:
OSPF 1: Intf 10.0.123.2 Rcv WaitTimer State Waiting -> DR.
May 22 2020 14:33:08.420.1-08:00 R2 RM/6/RMDEBUG:
May 22 2020 14:33:08.420.2-08:00 R2 RM/6/RMDEBUG:
May 22 2020 14:33:08.420.3-08:00 R2 RM/6/RMDEBUG:
OSPF 1: Intf 10.0.123.2 Rcv NeighborChange State DR -> BackupDR.
The debugging information shows that R2 has become the BDR.

Step 5 Configure the network type of an OSPF interface.
# In the OSPF routing table on R1, check the Loopback0 routes learned from R2 and R3.
<R1>display ospf routing 10.0.2.2
Destination : 10.0.2.2/32
AdverRouter : 10.0.2.2 Area : 0.0.0.0
Cost :1 Type : Stub
NextHop : 10.0.123.2 Interface : GigabitEthernet0/0/3
Priority : Medium Age : 00h09m02s
Cost :1 Type : Stub
The command output shows that the masks of the Loopback0 routes are both 32 bits, not 24 bits.
# Take R2 as an example, and check the Type 1 LSA on R2.
<R2>display ospf lsdb router 10.0.2.2

Area: 0.0.0.0
Link State Database
Type : Router
Ls id : 10.0.2.2
Adv rtr : 10.0.2.2
Ls age : 1528
Len : 48
Options :E
seq# : 80000020
chksum : 0x9653
Link count :2
*Link ID : 10.0.2.2
Data : 255.255.255.255
Link Type : StubNet
Metric : 0
Priority : Medium
*Link ID : 10.0.123.3
Data : 10.0.123.2
Link Type : TransNet
Metric : 1
The command output shows that the mask of the LSA describing Loopback0 on R2 has been set to
32 bits. OSPF considers a loopback interface as a stub network, which is connected to only one
node. Therefore, no matter how many bits are actually set for the network mask of the loopback
interface, OSPF uses a 32-bit network mask (host mask) when advertising the Type 1 LSA to
describe this interface.
For details about OSPF loopback interfaces, see section 9.1 in RFC 2328.
# Change the network type of Loopback0 on R2.
[R2-LoopBack0] ospf network-type broadcast
After the network type of the loopback interface is changed to broadcast, OSPF uses the actual
mask of the interface to advertise its network information. In this example, OSPF uses Loopback0's
actual mask length of 24 bits.
# In the OSPF routing table on R1, check the Loopback0 route learned from R2 again.
Cost :1 Type : Stub
Priority : Low Age : 00h04m10s
The command output shows that the mask length of the route has changed to 24 bits.
Step 6 Change the costs of OSPF interfaces.
# In the OSPF routing table on R1, check the Loopback0 route learned from R3.
Cost :1 Type : Stub
The command output shows that the route cost is 1.

# Change the OSPF cost of GE0/0/3 on R1 to 20 and that of GE0/0/4 on R3 to 10.
[R1]interface GigabitEthernet0/0/3
[R1-GigabitEthernet0/0/3] ospf cost 20
# In the OSPF routing table on R1, check the Loopback0 route learned from R2 again.

Cost : 20 Type : Stub
The command output shows that the cost is 20.

# In the OSPF routing table on R3, check the Loopback0 route learned from R1.
Cost : 10 Type : Stub
The command output shows that the cost is 10.

Step 7 Configure an OSPF silent interface.
# Configure GE0/0/3 of R1 as a silent interface.
[R1]ospf 1
[R1-ospf-1] silent-interface GigabitEthernet 0/0/3
# Check the OSPF neighbor information on R1.
After the configuration is completed, the interconnection interface no longer sends or receives
Hello packets. The neighbor relationship that has been established using this interface disappears.
# Check information about the OSPF interface GE0/0/3 on R1.
<R1>display ospf interface GigabitEthernet 0/0/3

Interfaces
Interface: 10.0.123.1 (GigabitEthernet0/0/3)

Cost: 20 State: DR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 10.0.123.1
Backup Designated Router: 0.0.0.0
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
Silent interface, No hellos
The command output shows that the interface is configured as a silent interface and no Hello
packet exists on the interface.
# Delete the silent interface configuration on R1.
# Configure the Loopback0 interfaces on R2 and R3 as silent interfaces.
[R2]ospf 1
[R2-ospf-1] silent-interface LoopBack 0
[R3]ospf 1
[R3-ospf-1] silent-interface LoopBack 0
# Check the OSPF routing table on R1.
<R1>display ospf routing

Routing Tables
Routing for Network

10.0.1.1/32 0 Stub 10.0.1.1 10.0.1.1 0.0.0.0
10.0.123.0/24 20 Transit 10.0.123.1 10.0.1.1 0.0.0.0
10.0.2.0/24 20 Stub 10.0.123.2 10.0.2.2 0.0.0.0
10.0.3.3/32 20 Stub 10.0.123.3 10.0.3.3 0.0.0.0
Total Nets: 4
The command output shows that routes the Loopback0 routes learned from R2 and R3 still exist.
----End
1.1.3 Quiz
Analyze which interfaces can be configured as silent interfaces in actual networking scenarios.
1.1.4 Configuration Reference

Configuration on R1
#
sysname R1
#
interface GigabitEthernet0/0/3
ip address 10.0.123.1 255.255.255.0
ospf cost 20
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
authentication-mode simple plain huawei
network 10.0.123.1 0.0.0.0
network 10.0.1.1 0.0.0.0
#
return
Configuration on R2
#
sysname R2
#
ip address 10.0.123.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
ospf network-type broadcast
#
silent-interface LoopBack0
area 0.0.0.0
network 10.0.123.2 0.0.0.0
network 10.0.2.2 0.0.0.0
#
return
Configuration on R3
#
sysname R3
#
ip address 10.0.123.3 255.255.255.0
ospf cost 10
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
silent-interface LoopBack0
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.123.3 0.0.0.0
user-interface vty 16 20
#
Return
1.2 Lab 2: Multi-Area OSPF

1.2.1 Introduction
1.2.1.1 Objectives
 Manually specify OSPF router IDs.
 Configure OSPF in multiple areas.
 Illustrate how to configure route summarization between OSPF areas.
 Illustrate how to configure an OSPF bandwidth reference value.
 Illustrate how to configure OSPF to import external routes.
 Illustrate how to perform route summarization when OSPF imports external routes.
 Illustrate how to import default routes to the OSPF routing table.
 Illustrate how to change the preferences of different types of OSPF routes.
Figure 1-2 OSPF multi-area
The preceding figure shows the interconnection interfaces and their IP addresses. Loopback0 is
created on each device, and its IP address is in the format of 10.0.x.x/24, where x indicates the
device number.
All interfaces of R1 and R3 and GE0/0/4 of R2 belong to OSPF area 2. The Loopback0 and
interconnection interfaces between R2 and R4 belong to OSPF area 0. The interconnection
interfaces between R4 and R5 and the loopback interfaces 0, 1, and 2 of R5 belong to OSPF area 1.
Loopback1 and Loopback2 are created on R2 to simulate external network segments.
1.2.1.3 Background
You are a network administrator of a company. The company's network now has five AR routers,
among which R2 and R4 reside in the headquarters, and R1, R3, and R5 reside in branches. To
control LSA flooding on the large-scale network, multi-area OSPF is designed.
To specify the router ID of each device, the devices are configured to use fixed IP addresses as their
router IDs.
To improve the efficiency of forwarding routes on the devices, automatic route summarization is
configured on the ABR.
R1 is connected to the Internet. You need to configure a default route and import it to the OSPF
areas so that all routers in the OSPF areas know how to access the Internet.
In addition, the OSPF routing information is classifies as internal routes or external routes. The
preferences of these routes are changed to prevent potential risks.
In OSPF, the cost of a specific route is the sum of the costs of all the links that the route passes
through before reaching the destination network. The cost of a link is obtained by dividing the
bandwidth reference value by the interface bandwidth. The default bandwidth reference value is
100 Mbit/s. The actual interface bandwidth may be 1000 Mbit/s, and cost values are integers. As a
result, the OSPF costs of an FE interface and a GE interface are both 1. To differentiate these links,
you can set the bandwidth reference value to 10 Gbit/s.

2. Configure OSPF areas as planned.
3. Verify the OSPF configuration by checking the OSPF neighbor relationship status and the
OSPF LSDBs on the ABR.
4. Configure route summarization on ABRs and ASBRs to reduce the number of inter-area and AS
external routes.
5. Change the bandwidth reference value of OSPF.
6. Import a default route to the OSPF routing table.
7. Change the default preferences of intra-area, inter-area, and AS external OSPF routes.
Step 1 Configure IP addresses for interconnection interfaces and loopback interfaces.
# Name the devices.

# Configure IP addresses for GE0/0/3 and Loopback0 of R1.
[R1-LoopBack0] quit
# Configure IP addresses for GE0/0/4 and GE0/0/2 as well as the loopback interfaces on R2.
[R2-LoopBack0] quit
[R2]interface LoopBack1
[R2-LoopBack1] ip address 10.2.0.1 255.255.255.0
[R2-LoopBack1] quit
[R2-LoopBack2] quit
# Configure IP addresses for GE0/0/4 and the loopback interfaces on R3.
[R3-LoopBack0] quit
[R3-LoopBack1] quit
[R3-LoopBack2] quit
# Configure IP addresses for GE0/0/3, GE0/0/2, and Loopback0 of R4.
[R4-LoopBack0] quit
# Configure IP addresses for GE0/0/3 and the loopback interfaces on R5.
[R5-LoopBack0] quit
[R5-LoopBack1] quit
[R5]int LoopBack 2
[R5-LoopBack2] quit
# On R2, ping the IP addresses of R1, R3, and R4 to test the connectivity.
<R2>ping -c 1 10.0.123.1

0.00% packet loss
<R2>ping -c 1 10.0.123.3

0.00% packet loss
<R2>ping -c 1 10.0.24.4

0.00% packet loss
# On R4, ping the IP address of R5 to test the connectivity.
<R4>ping -c 1 10.0.45.5

0.00% packet loss
Step 2 Configure multi-area OSPF.

# Configure OSPF on R1, activate OSPF on GE0/0/3 and Loopback0, and change the network type of
Loopback0 to broadcast.

[R1-ospf-1]area 2
[R1-ospf-1-area-0.0.0.2] quit
[R1-ospf-1]quit
[R1-LoopBack0] quit
# Configure OSPF on R2, activate OSPF on GE0/0/2, GE0/0/4, and Loopback0, and change the
network type of Loopback0 to broadcast.

[R2-ospf-1]area 0
[R2-ospf-1]area 2
[R2-ospf-1]quit
[R2-LoopBack0] quit
# Configure OSPF on R3, activate OSPF on GE0/0/4, Loopback0, Loopback1, and Loopback2, and
change the network types of Loopback0, Loopback1, and Loopback2 to broadcast.

[R3-ospf-1]area 2
[R3-ospf-1]quit
[R3-LoopBack0] quit
[R3-LoopBack1] quit
[R3-LoopBack2] quit
# Configure OSPF on R4, activate OSPF on GE0/0/2, GE0/0/3, and Loopback0, and change the
network type of Loopback0 to broadcast.

[R4-ospf-1]area 0
[R4-ospf-1]area 1
[R4-ospf-1]quit
[R4-LoopBack0] quit
# Configure OSPF on R5, activate OSPF on GE0/0/3, Loopback0, Loopback1, and Loopback2, and
change the network types of Loopback0, Loopback1, and Loopback2 to broadcast.

[R5-ospf-1]area 1
[R5-ospf-1]quit
[R5-LoopBack0] quit
[R5-LoopBack1] quit
[R5-LoopBack2] quit

# Check the brief information about OSPF neighbor relationships on R2.
<R2>display ospf peer brief

Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/2 10.0.4.4 Full
----------------------------------------------------------------------------
# Check the brief information about neighbor relationships and the OSPF routing table on R5.


----------------------------------------------------------------------------
----------------------------------------------------------------------------

Routing Tables
Routing for Network

10.0.5.0/24 0 Stub 10.0.5.5 10.0.5.5 0.0.0.1
10.0.45.0/24 1 Transit 10.0.45.5 10.0.5.5 0.0.0.1
10.5.0.0/24 0 Stub 10.5.0.1 10.0.5.5 0.0.0.1
10.5.1.0/24 0 Stub 10.5.1.1 10.0.5.5 0.0.0.1
10.0.1.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.2.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.3.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.4.0/24 1 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.24.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.123.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.3.0.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.3.1.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
Total Nets: 12
# Check the OSPF LSDBs on R2.

Link StateDatabase
Area:0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.0.4.4 10.0.4.4 54 48 8000000B 0
Router 10.0.2.2 10.0.2.2 54 48 80000008 0
Network 10.0.24.4 10.0.4.4 54 32 80000003 0
Sum-Net 10.3.1.0 10.0.2.2 1332 28 80000001 1
Sum-Net 10.3.0.0 10.0.2.2 1332 28 80000001 1
Sum-Net 10.5.1.0 10.0.4.4 259 28 80000002 1
Sum-Net 10.0.3.0 10.0.2.2 1332 28 80000001 1
Sum-Net 10.5.0.0 10.0.4.4 268 28 80000002 1
Sum-Net 10.0.1.0 10.0.2.2 244 28 80000001 1
Sum-Net 10.0.5.0 10.0.4.4 278 28 80000002 1
Sum-Net 10.0.45.0 10.0.4.4 500 28 80000002 1
Sum-Net 10.0.123.0 10.0.2.2 45 28 80000002 1
Area:0.0.0.2
Router 10.0.3.3 10.0.3.3 247 72 80000017 0
Router 10.0.2.2 10.0.2.2 247 36 80000008 1

Router 10.0.1.1 10.0.1.1 246 48 80000008 1
Network 10.0.123.3 10.0.3.3 247 36 80000006 0
Sum-Net 10.0.24.0 10.0.2.2 45 28 80000002 1
Sum-Net 10.5.1.0 10.0.2.2 45 28 80000002 2
Sum-Net 10.5.0.0 10.0.2.2 45 28 80000002 2
Sum-Net 10.0.2.0 10.0.2.2 45 28 80000002 0
Sum-Net 10.0.5.0 10.0.2.2 45 28 80000002 2
Sum-Net 10.0.4.0 10.0.2.2 45 28 80000002 1
Sum-Net 10.0.45.0 10.0.2.2 45 28 80000002 2
R2 functions as an ABR to maintain the LSDBs of area 0 and area 2. The LSAs in the LSDBs are used
to describe routes in these two areas.
Step 4 Configure route summarization for OSPF inter-area routes and AS external routes.
# Check the OSPF routing tables on R2 and R4.

Routing Tables
Routing for Network

10.0.2.0/24 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.123.0/24 1 Transit 10.0.123.2 10.0.2.2 0.0.0.2
10.0.1.0/24 1 Stub 10.0.123.1 10.0.1.1 0.0.0.2
10.0.3.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.0.4.0/24 1 Stub 10.0.24.4 10.0.4.4 0.0.0.0
10.0.5.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.3.0.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.3.1.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.5.0.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.5.1.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
Total Nets: 12

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.2.0/24 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.5.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.0.123.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.3.0.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.3.1.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0

10.5.0.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.5.1.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
Total Nets: 12
The OSPF inter-area routes of Loopback1 and Loopback2 on R5 in the OSPF routing table of R2 as
well as those of Loopback1 and Loopback2 on R3 in the OSPF routing table of R4 can be
summarized before being advertised to other areas. This reduces the number of routing entries in
other areas and the possibility of route flapping.
# On R4, summarize the Loopback1 and Loopback2 routes learned from R5.
[R4]ospf 1
[R4-ospf-1]area 1
[R4-ospf-1-area-0.0.0.1] abr-summary 10.5.0.0 255.255.254.0

Routing Tables
Routing for Network

10.0.2.0/24 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.123.0/24 1 Transit 10.0.123.2 10.0.2.2 0.0.0.2
10.0.1.0/24 1 Stub 10.0.123.1 10.0.1.1 0.0.0.2
10.0.3.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.0.4.0/24 1 Stub 10.0.24.4 10.0.4.4 0.0.0.0
10.0.5.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.3.0.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.3.1.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.5.0.0/23 2 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
Total Nets: 11
The command output shows that the Loopback1 and Loopback2 routes of R5 are summarized into
an inter-area summary route.
# On R2, summarize the Loopback1 and Loopback2 routes learned from R3.
[R2]ospf 1
[R2-ospf-1]area 2
[R2-ospf-1-area-0.0.0.2] abr-summary 10.3.0.0 255.255.254.0


Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.2.0/24 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.5.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.0.123.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.3.0.0/23 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.5.0.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.5.1.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
Total Nets: 11
an inter-area summary route.
# Import the Loopback1 and Loopback2 routes to the OSPF routing table on R2.
[R2]ospf 1
[R2-ospf-1] import-route direct

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.2.0/24 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.5.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.0.123.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.3.0.0/23 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.5.0.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.5.1.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
Routing for ASEs

Destination Cost Type Tag NextHop AdvRouter
10.2.0.0/24 1 Type2 1 10.0.24.2 10.0.2.2
10.2.1.0/24 1 Type2 1 10.0.24.2 10.0.2.2
Total Nets: 13
Intra Area:7 Inter Area:4 ASE: 2 NSSA: 0
The OSPF routing table of R4 contains the Loopback1 and Loopback2 routes of R2.
# Configure AS external route summarization on R2.
[R2]ospf 1
[R2-ospf-1] asbr-summary 10.2.0.0 255.255.254.0
# Check the OSPF routing table on R4 again.

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.2.0/24 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.0.5.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.0.123.0/24 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.3.0.0/23 2 Inter-area 10.0.24.2 10.0.2.2 0.0.0.0
10.5.0.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
10.5.1.0/24 1 Stub 10.0.45.5 10.0.5.5 0.0.0.1
Routing for ASEs

10.2.0.0/23 2 Type2 1 10.0.24.2 10.0.2.2
Total Nets: 12
an AS external summary route.
Step 5 Change the bandwidth reference value of OSPF.
Gigabit or even 10-Gigabit Ethernet may be used in actual networking scenarios. The default
bandwidth reference value of OSPF is 100 Mbit/s, and an interface cost is an integer. As a result,
OSPF cannot distinguish an FE interface from a GE interface in terms of bandwidth.
Multiple OSPF areas must use the same bandwidth reference value. Otherwise, OSPF cannot work
properly.
# Change the OSPF bandwidth reference value of each router to 10 Gbit/s.
[R1]ospf 1
[R1-ospf-1] bandwidth-reference 10000
[R1-ospf-1] quit
[R2]ospf 1
[R2-ospf-1] quit
[R3]ospf 1
[R3-ospf-1] quit
[R4]ospf 1
[R4-ospf-1] quit
[R5]ospf 1
[R5-ospf-1] quit
# Take R2 as an example to check its OSPF routing table.

Routing Tables
Routing for Network

10.0.2.0/24 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.24.0/24 10 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.123.0/24 10 Transit 10.0.123.2 10.0.2.2 0.0.0.2
10.0.1.0/24 10 Stub 10.0.123.1 10.0.1.1 0.0.0.2
10.0.3.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.0.4.0/24 10 Stub 10.0.24.4 10.0.4.4 0.0.0.0
10.0.5.0/24 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.3.0.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.3.1.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.5.0.0/23 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
Total Nets: 11
The command output shows that the costs of the routes have changed.
Step 6 Configure OSPF to import a default route.
# Use Loopback0 of R1 to simulate an interface accessing the Internet, and configure a default
route on R1, with Loopback0 specified as the outbound interface.
[R1]ip route-static 0.0.0.0 0.0.0.0 LoopBack 0
# Import the default route to the OSPF routing table and set the type of the AS external route to
Type 1.
[R1]ospf 1
[R1-ospf-1] default-route-advertise always type 1
[R1-ospf-1] quit


Routing Tables
Routing for Network

10.0.2.0/24 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.24.0/24 10 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.123.0/24 10 Transit 10.0.123.2 10.0.2.2 0.0.0.2
10.0.1.0/24 10 Stub 10.0.123.1 10.0.1.1 0.0.0.2
10.0.3.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.0.4.0/24 10 Stub 10.0.24.4 10.0.4.4 0.0.0.0
10.0.5.0/24 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.0.45.0/24 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
10.3.0.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.3.1.0/24 10 Stub 10.0.123.3 10.0.3.3 0.0.0.2
10.5.0.0/23 20 Inter-area 10.0.24.4 10.0.4.4 0.0.0.0
Routing for ASEs

0.0.0.0/0 11 Type1 1 10.0.123.1 10.0.1.1
Total Nets: 12
The command output shows that R2 has learned the default route with R1 as the next hop through a
Type 5 LSA.
Step 7 Change the preferences of the two types of OSPF routes.
By default, the preference of intra-area and inter-area OSPF routes is 10; the preference of AS
external routes is 150.
# On R1 and R3, change the preference of intra-area and inter-area routes to 20, and change the
preference of AS external routes to 50.
[R1]ospf 1
[R1-ospf-1] preference 20
[R1-ospf-1] preference ase 50
[R1-ospf-1] quit
[R3]ospf 1
[R3-ospf-1] preference 20
[R3-ospf-1] preference ase 50
[R3-ospf-1] quit
The operation in this step only shows how to change the preferences of internal and external routes,
and does not have actual meaning in this experiment.
# Check the OSPF routes in the IP routing table on R3.
<R3>display ip routing-table protocol ospf

Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 9 Routes : 9
OSPF routing table status : <Active>

Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 50 11 D 10.0.123.1 GigabitEthernet0/0/3

10.0.1.0/24 OSPF 20 10 D 10.0.123.1 GigabitEthernet0/0/3
OSPF routing table status : <Inactive>

The command output shows that the preferences of the OSPF routes have changed.
----End
1.2.3 Quiz
OSPF can import two types of AS external routes: Type 1 and Type 2. What are their differences?

Configuration on R1
#
sysname R1
#
ip address 10.0.123.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
default-route-advertise always type 1
preference 20
preference ase 50
bandwidth-reference 10000
area 0.0.0.2
network 10.0.1.1 0.0.0.0
network 10.0.123.1 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 LoopBack0
#
Configuration on R2
#
sysname R2
#
ip address 10.0.24.2 255.255.255.0
#
ip address 10.0.123.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
interface LoopBack1
ip address 10.2.0.1 255.255.255.0
#
interface LoopBack2
ip address 10.2.1.1 255.255.255.0
#
asbr-summary 10.2.0.0 255.255.254.0
import-route direct
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.24.2 0.0.0.0
area 0.0.0.2
abr-summary 10.3.0.0 255.255.254.0
network 10.0.123.2 0.0.0.0
#
Configuration on R3
#
sysname R3
#
ip address 10.0.123.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 10.3.0.1 255.255.255.0
#
interface LoopBack2
ip address 10.3.1.1 255.255.255.0
#
preference 20
preference ase 50
area 0.0.0.2
network 10.0.123.3 0.0.0.0
network 10.0.3.3 0.0.0.0

network 10.3.0.1 0.0.0.0
network 10.3.1.1 0.0.0.0
#
Configuration on R4
#
sysname R4
#
ip address 10.0.45.4 255.255.255.0
#
ip address 10.0.24.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
area 0.0.0.0
network 10.0.24.4 0.0.0.0
network 10.0.4.4 0.0.0.0
area 0.0.0.1
abr-summary 10.5.0.0 255.255.254.0
network 10.0.45.4 0.0.0.0
#
Configuration on R5
#
sysname R5
#
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.0
#
interface LoopBack1
ip address 10.5.0.1 255.255.255.0
#
interface LoopBack2
ip address 10.5.1.1 255.255.255.0
#
area 0.0.0.0
area 0.0.0.1
network 10.0.5.5 0.0.0.0
network 10.5.0.1 0.0.0.0

network 10.5.1.1 0.0.0.0
network 10.0.45.5 0.0.0.0
#
1.3 Lab 3: OSPF Adjacencies and LSAs

1.3.1 Introduction
1.3.1.1 Objectives
 Illustrate the process of establishing neighbor relationships when multiple routers are
connected to a multi-access network.
 Control OSPF DR election.
 Describe the contents and functions of the five types of LSAs.
Figure 1-3 OSPF adjacencies and LSAs
The preceding figure shows the device interconnection mode and IP address plan. Loopback0 of R1
belongs to OSPF area 2, GE0/0/2 of R4 belongs to OSPF area 1, and the other interfaces of R1, R2,
R3, and R4 belong to OSPF area 0.
GE0/0/3 on R5 belongs to OSPF area 1, and Loopback0 on R5 does not belong to any OSPF area.
1.3.1.3 Background
You are a network administrator of a company. The company's network has five AR routers, among
which R1, R2, R3, and R4 reside in the headquarters and are connected through an Ethernet. R5
resides in a branch and is connected to R4 in the headquarters. To control LSA flooding on the large-
scale network, multi-area OSPF is designed.
router IDs.
On the network where R1, R2, R3, and R4 are interconnected, you need to intervene in the election
of the DR and BDR. In practice, R3 is defined as the DR, R2 as the BDR, and R1 and R4 as DR others.

2. Configure multiple OSPF areas as planned.
3. Verify the OSPF configuration by checking the OSPF neighbor relationship status, OSPF
routing tables, and OSPF LSDBs.
4. Manually change the DR priorities of the OSPF interfaces to affect the DR and BDR election
results.
5. Configure R5 to import the direct route to the OSPF routing table, and observe Type 5 LSAs on
R1.
6. Observe the Type 1, Type 2, Type 3, and Type 4 LSAs separately.
7. Run the debugging commands on R1 to observe the OSPF LSU, LSAck, and LSR packets.
# Name the devices.
[R1-LoopBack0] quit
[R2-LoopBack0] quit
[R3-LoopBack0] quit

[R4-LoopBack0] quit
[R5-LoopBack0] quit
# On R4, ping the IP addresses of the interconnected devices to test the connectivity.
<R4>ping -c 1 10.0.123.1

0.00% packet loss
<R4>ping -c 1 10.0.123.2

0.00% packet loss
<R4>ping -c 1 10.0.123.3

0.00% packet loss
<R4>ping -c 1 10.0.45.5

0.00% packet loss

Configure multi-area OSPF as planned and change the network type of Loopback0 to broadcast.
# Configure R1.

[R1-ospf-1]area 0
[R1-ospf-1]area 2
[R1-ospf-1]quit
[R1-LoopBack0] quit
# Configure R2.

[R2-ospf-1]area 0
[R2-ospf-1]quit
[R2-LoopBack0] quit
# Configure R3.

[R3-ospf-1]area 0
[R3-ospf-1]quit
[R3-LoopBack0] quit
# Configure R4.

[R4-ospf-1]area 0
[R4-ospf-1]area 1

[R4-ospf-1]quit
[R4-LoopBack0] quit
# Configure R5.

[R5-ospf-1]area 1
[R5-ospf-1]quit

[R4]display ospf peer brief

----------------------------------------------------------------------------
0.0.0.0 GigabitEthernet0/0/1 10.0.3.3 2-Way
----------------------------------------------------------------------------
The command output shows that R3 and R4 have established only a neighbor relationship instead of
an adjacency.

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.123.0/24 1 Transit 10.0.123.4 10.0.4.4 0.0.0.0
10.0.1.0/24 1 Inter-area 10.0.123.1 10.0.1.1 0.0.0.0
10.0.2.0/24 1 Stub 10.0.123.2 10.0.2.2 0.0.0.0
10.0.3.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.0
Total Nets: 6
[R5]display ospf lsdb


Link StateDatabase
Area:0.0.0.1
Router 10.0.5.5 10.0.5.5 470 36 80000008 1
Router 10.0.4.4 10.0.4.4 1660 36 80000005 1
Network 10.0.45.4 10.0.4.4 1660 32 80000002 0
Sum-Net 10.0.3.0 10.0.4.4 1710 28 80000001 1
Sum-Net 10.0.2.0 10.0.4.4 1710 28 80000001 1
Sum-Net 10.0.1.0 10.0.4.4 1710 28 80000001 1
Sum-Net 10.0.4.0 10.0.4.4 1700 28 80000001 0
Sum-Net 10.0.123.0 10.0.4.4 1710 28 80000001 1
As only two routers exist in area 1, only two Type 1 LSAs exist in the LSDB of R5, and the five Type-3
LSAs are inter-area routes advertised by R4 to R5.

Link StateDatabase
Area:0.0.0.0
Router 10.0.3.3 10.0.3.3 256 48 8000000B 1
Router 10.0.4.4 10.0.4.4 211 48 8000000A 1
Router 10.0.2.2 10.0.2.2 268 48 8000000C 1
Router 10.0.1.1 10.0.1.1 270 36 8000000B 1
Network 10.0.123.1 10.0.1.1 270 40 80000007 0
Sum-Net 10.0.1.0 10.0.1.1 399 28 80000002 0
Sum-Net 10.0.45.0 10.0.4.4 265 28 80000002 1
The LSDB on R2 contains not only four Type 1 LSAs, but also one Type 2 LSA. GE0/0/1 of R2
connects to a broadcast network, on which the DR generates a Type 2 LSA to describe all neighbors.
Based on the AdvRouter field, the router that generates the LSA is R1, which matches the result
that R1 is the DR on this network segment.
Step 4 Change the DR priorities of the device interfaces to affect DR election.
# Change the DR priority of GE0/0/1 on R4 to 255 to ensure that R4 becomes the DR on the network
segment 10.0.123.0/24.
[R4-GigabitEthernet0/0/1] ospf dr-priority 255
# Change the DR priority of GE0/0/1 on R3 to 254 to ensure that R3 becomes the BDR on the
network segment 10.0.123.0/24.
# Change the DR priority of GE0/0/1 on R2 to 0 to ensure that R2 does not participate in DR election.
# Shut down and then re-enable GE0/0/1 of R1, R2, R3, and R4 to trigger DR and BDR re-election.








To ensure that the election result is determined based on the configured priorities, you are advised
to enable the interfaces at the same time. Otherwise, the router whose interface is enabled first
may become the DR or BDR.
# Check the DR and BDR election results on R3.

Neighbors

DR: 10.0.123.4 BDR: 10.0.123.3 MTU: 0

DR: 10.0.123.4 BDR: 10.0.123.3 MTU: 0

DR: 10.0.123.4 BDR: 10.0.123.3 MTU: 0
The command output shows that R4 is the DR and R3 is the BDR.

# Check the neighbor relationship between R1 and R2 on R1.

----------------------------------------------------------------------------
0.0.0.0 GigabitEthernet0/0/1 10.0.2.2 2-Way
----------------------------------------------------------------------------
R1 and R2 are both DR others, and their neighbor relationship remains in the 2-way state. This
means that R1 and R2 has established only a neighbor relationship and no adjacency.
Step 5 Import direct routes to OSPF.
# Configure R5 to import the Loopback0 route to its OSPF routing table. As previously described,
R5's Loopback0 does not belong to any OSPF area.
[R5]ospf 1
# Check the imported external route on R1.

Routing Tables
Routing for Network

10.0.1.0/24 0 Stub 10.0.1.1 10.0.1.1 0.0.0.2
10.0.123.0/24 1 Transit 10.0.123.1 10.0.1.1 0.0.0.0
10.0.2.0/24 1 Stub 10.0.123.2 10.0.2.2 0.0.0.0
10.0.3.0/24 1 Stub 10.0.123.3 10.0.3.3 0.0.0.0
10.0.4.0/24 1 Stub 10.0.123.4 10.0.4.4 0.0.0.0
10.0.45.0/24 2 Inter-area 10.0.123.4 10.0.4.4 0.0.0.0
Routing for ASEs

10.0.5.0/24 1 Type2 1 10.0.123.4 10.0.5.5
Total Nets: 7
The Loopback0 route has been successfully imported to the OSPF routing table as an external
route.
# Check Type 5 LSAs on R1.
<R1>display ospf lsdb ase

Link State Database
Type : External
Ls id : 10.0.5.0
Adv rtr : 10.0.5.5
Ls age : 429
Len : 36
Options :E
seq# : 80000001
chksum : 0xa904
Net mask : 255.255.255.0
TOS 0 Metric :1
Etype :2
Forwarding Address: 0.0.0.0
Tag :1
Priority : Low
Type : External
Ls id : 10.0.45.0
Adv rtr : 10.0.5.5
Ls age : 429
Len : 36
Options :E
seq# : 80000001
chksum : 0xef95
Net mask : 255.255.255.0
TOS 0 Metric :1
Etype :2
Tag :1
Priority : Low
The command output shows two Type 5 LSAs, but there is only one external route 10.0.5.0/24 in the
OSPF routing table of R1. This is because an inter-area route to the destination 10.0.45.0/24 exists in
addition to the AS external route, and the preference of the inter-area route is higher than that of
the AS external route.
# Check Type 3 LSAs on R1. (The following command output shows Type 3 LSAs only in area 0.)
<R1>display ospf lsdb summary

Area: 0.0.0.0
Link State Database
Type : Sum-Net
Ls id : 10.0.1.0
Adv rtr : 10.0.1.1
Ls age : 1487
Len : 28
Options :E
seq# : 80000003
chksum : 0x72d1
Net mask : 255.255.255.0
Tos 0 metric: 0
Priority : Low
Type : Sum-Net
Ls id : 10.0.45.0
Adv rtr : 10.0.4.4
Ls age : 1506
Len : 28
Options :E
seq# : 80000003
chksum : 0x6fa1
Net mask : 255.255.255.0
Tos 0 metric: 1
Priority : Low
The command output shows that a Type 3 LSA also describes a route to the destination
10.0.45.0/24. If the route prefixes and masks described in a Type 3 LSA and a Type 5 LSA are the
same, OSPF preferentially selects the route calculated using the Type 3 LSA and installs the route
into its routing table.
Step 6 Observe the various types of LSAs.
# Check Type 1 LSAs 10.0.1.1 on R1.
<R1>display ospf lsdb router 10.0.1.1

Area: 0.0.0.0
Link State Database
Type : Router
Ls id : 10.0.1.1
Adv rtr : 10.0.1.1
Ls age : 202
Len : 36
Options : ABR E
seq# : 80000015
chksum : 0x31e4
Link count :1
*Link ID : 10.0.123.4
Data : 10.0.123.1
Link Type : TransNet
Metric :1
Area : 0.0.0.2
Link State Database
Type : Router
Ls id : 10.0.1.1
Adv rtr : 10.0.1.1
Ls age : 180
Len : 36
Options : ABR E
seq# : 80000005
chksum : 0x1615
Link count :1
*Link ID : 10.0.1.0
Data : 255.255.255.0
Link Type : StubNet
Metric : 0
Priority : Low
In a Type 1 LSA, the Ls id field indicates the router ID of the router that generates the LSA.
The command output shows that R1 has generated two Type 1 LSAs: one flooded in area 0, and the
other flooded in area 2.
In area 0, R1 is connected to a network segment of the transit type. The value of the Link ID field in
the LSA is the interface IP address of the DR on the network segment, and the value of the Data
field is the IP address of the local interface connected to the DR.
In area 2, R1's Loopback0 belongs to this area. The value of the Link Type field in the LSA is
StubNet, the value of the Link ID field is the IP address of the stub network segment, and the value
of the Data field is the network mask of the stub network segment.
# Check the Type 2 LSA on R2.
<R2>display ospf lsdb network

Area : 0.0.0.0
Link State Database
Type : Network
Ls id : 10.0.123.4
Adv rtr : 10.0.4.4
Ls age : 817
Len : 40
Options : E
seq# : 80000007
chksum : 0x373d
Net mask : 255.255.255.0
Priority : Low

The Type 2 LSA is generated by the DR. This can be proved by the Adv rtr field, whose value is
10.0.4.4 (that is, the DR). For a Type 2 LSA, the value of the Ls id field is the interface IP address of
the DR on the network segment, and the values of the Attached Router fields are the router IDs of
all routers on the network segment.
# Check Type 3 LSAs 10.0.45.0 on R1.
<R1>display ospf lsdb summary 10.0.45.0

Area: 0.0.0.0
Link State Database
Type : Sum-Net
Ls id : 10.0.45.0
Adv rtr : 10.0.4.4
Ls age : 1290
Len : 28
Options :E
seq# : 80000004
chksum : 0x6da2
Net mask : 255.255.255.0
Tos 0 metric: 1
Priority : Low
Area : 0.0.0.2
Link State Database
Type : Sum-Net
Ls id : 10.0.45.0
Adv rtr : 10.0.1.1
Ls age : 1250
Len : 28
Options :E
seq# : 80000004
chksum : 0x9e76
Net mask : 255.255.255.0
Tos 0 metric: 2
Priority : Low
The Ls id field in a Type 3 LSA indicates a network prefix, and the Net mask field carries the network
mask. Two Type 3 LSAs are displayed on R1. One is in the LSDB of area 0. Based on the Adv rtr field,
this LSA is generated by R4, which advertises it from area 1 to area 0. The other is in the LSDB of
area 2. Based on the Adv rtr field, this LSA is generated by R1 itself. R1 functions as the ABR
connecting area 0 and area 2, and generates the Type 3 LSA to advertise it to area 2.
# Check the Type 4 LSAs on R1.
<R1>display ospf lsdb asbr 10.0.5.5

Area: 0.0.0.0
Link State Database
Type : Sum-Asbr
Ls id : 10.0.5.5
Adv rtr : 10.0.4.4
Ls age : 1257
Len : 28
Options :E
seq# : 80000002
chksum : 0xea49
Tos 0 metric : 1
Area:0.0.0.2
Link State Database
Type : Sum-Asbr
Ls id : 10.0.5.5
Adv rtr : 10.0.1.1
Ls age : 1256
Len : 28
Options :E
seq# : 80000002
chksum : 0x1c1d
Tos 0 metric: 2
Type 4 LSAs are used to describe routes to ASBRs. The command output shows that R1 has two
Type 4 LSAs. One is in the LSDB of area 0, and is generated by R4 based on the Adv rtr field. The
other is generated by R1 itself as the value of the Adv rtr field is R1's own router ID. R1 functions as
the ABR connecting area 0 and area 2.
Step 7 Observe the LSR, LSU, and LSAck packets.
By default, an OSPF router sends LSU packets at the interval of 30 minutes when the network runs
stably. To trigger OSPF to send LSR and LSU packets, cancel the OSPF activation on Loopback0 of
R4. Then, observe the OSPF packets on R1.
# Run the debugging ospf packet update and debugging ospf packet ack commands on R1.
Info: Current terminal monitor is on.
<R1>debugging ospf packet update
<R1>debugging ospf packet ack
# Cancel the OSPF activation on Loopback0 of R4.
[R4]ospf 1
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0] undo network 10.0.4.4 0.0.0.0
May 25 2020 20:27:47.210.1-08:00 R1 RM/6/RMDEBUG:

FileID: 0x70178024 Line: 2218 Level: 0x20
OSPF 1: RECV Packet. Interface: GigabitEthernet0/0/1

May 25 2020 20:27:47.210.2-08:00 R1 RM/6/RMDEBUG: Source Address: 10.0.123.4
May 25 2020 20:27:47.210.3-08:00 R1 RM/6/RMDEBUG: Destination Address: 224.0.0.5
May 25 2020 20:27:47.210.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 4 (Link-State Update)
May 25 2020 20:27:47.210.5-08:00 R1 RM/6/RMDEBUG: Length: 64, Router: 10.0.4.4
May 25 2020 20:27:47.210.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: 5451
May 25 2020 20:27:47.210.7-08:00 R1 RM/6/RMDEBUG: AuType: 00
May 25 2020 20:27:47.210.8-08:00 R1 RM/6/RMDEBUG: Key(ascii): 0 0 0 0 0 0 0 0
May 25 2020 20:27:47.210.9-08:00 R1 RM/6/RMDEBUG: # LSAS: 1
May 25 2020 20:27:47.210.10-08:00 R1 RM/6/RMDEBUG: LSA Type 1
May 25 2020 20:27:47.210.11-08:00 R1 RM/6/RMDEBUG: LS ID: 10.0.4.4
May 25 2020 20:27:47.210.12-08:00 R1 RM/6/RMDEBUG: Adv Rtr: 10.0.4.4
May 25 2020 20:27:47.210.13-08:00 R1 RM/6/RMDEBUG: LSA Age: 1
May 25 2020 20:27:47.210.14-08:00 R1 RM/6/RMDEBUG: Options: ExRouting:ON
May 25 2020 20:27:47.210.15-08:00 R1 RM/6/RMDEBUG: Length: 36, Seq# 80000017
May 25 2020 20:27:47.210.16-08:00 R1 RM/6/RMDEBUG: CheckSum: f014
May 25 2020 20:27:47.210.17-08:00 R1 RM/6/RMDEBUG: NtBit: 0 VBit: 0 EBit: 0 BBit: 1
May 25 2020 20:27:47.210.18-08:00 R1 RM/6/RMDEBUG: # Links: 1
May 25 2020 20:27:47.210.19-08:00 R1 RM/6/RMDEBUG: LinkID: 10.0.123.4
May 25 2020 20:27:47.210.20-08:00 R1 RM/6/RMDEBUG: LinkData: 10.0.123.4
May 25 2020 20:27:47.210.21-08:00 R1 RM/6/RMDEBUG: LinkType: 2
May 25 2020 20:27:47.210.22-08:00 R1 RM/6/RMDEBUG: TOS# 0 Metric 1
May 25 2020 20:27:47.210.23-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:27:47.570.1-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:27:47.570.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 5 (Link-State Ack)
May 25 2020 20:27:47.570.9-08:00 R1 RM/6/RMDEBUG: # LSA Headers: 1
May 25 2020 20:27:47.570.17-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:27:47.990.1-08:00 R1 RM/6/RMDEBUG:
OSPF 1: SEND Packet. Interface: GigabitEthernet0/0/1

The debugging information shows three packets. The first is an LSU packet, which is sent by R4 (the
DR). The destination address of the packet is 224.0.0.5, and the packet contains only one network
segment. Therefore, the value of the Links field is 1.
The second is an LSAck packet, which is sent by R3 (the BDR). The destination address of the packet
is 224.0.0.5. The third is also an LSAck packet, which is sent by R1 to the DR and BDR. The
destination address of the packet is 224.0.0.6.
# Re-activate OSPF on the Loopback0 interface.
[R4]ospf 1
[R4-ospf-1]area 0
May 25 2020 20:39:26.150.1-08:00 R1 RM/6/RMDEBUG:

May 25 2020 20:39:26.150.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 4 (Link-State Update)
May 25 2020 20:39:26.150.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: c8cf
May 25 2020 20:39:26.150.9-08:00 R1 RM/6/RMDEBUG: # LSAS: 1
May 25 2020 20:39:26.150.15-08:00 R1 RM/6/RMDEBUG: Length: 48, Seq# 8000001b
May 25 2020 20:39:26.150.16-08:00 R1 RM/6/RMDEBUG: CheckSum: 6b77
May 25 2020 20:39:26.150.17-08:00 R1 RM/6/RMDEBUG: NtBit: 0 VBit: 0 EBit: 0 BBit: 1
May 25 2020 20:39:26.150.18-08:00 R1 RM/6/RMDEBUG: # Links: 2
May 25 2020 20:39:26.150.27-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:39:26.580.1-08:00 R1 RM/6/RMDEBUG:

May 25 2020 20:39:26.580.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: e6fd
May 25 2020 20:39:26.580.17-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:39:26.910.1-08:00 R1 RM/6/RMDEBUG:
May 25 2020 20:39:26.910.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: e8fe
May 25 2020 20:39:26.910.17-08:00 R1 RM/6/RMDEBUG:
The first remains an LSU packet, which is generated by R4 (the DR). The value of the Links field is 2,
indicating that a Loopback0 route is added. The second and third packets remain the same as
before: the LSAck packet replied by the BDR and that replied by R1 itself.
# Run the debugging ospf packet request command on R1, and then reset the OSPF process.
<R1>debugging ospf packet request

<R1>reset ospf process 1

May 25 2020 21:18:01.400.3-08:00 R1 RM/6/RMDEBUG: Destination Address: 10.0.123
.3
May 25 2020 21:18:01.400.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 3 (Link-State Req)
May 25 2020 21:18:01.400.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: e85a
May 25 2020 21:18:01.400.9-08:00 R1 RM/6/RMDEBUG: # Requesting LSAs: 7

May 25 2020 21:18:01.400.31-08:00 R1 RM/6/RMDEBUG:
May 25 2020 21:18:01.430.1-08:00 R1 RM/6/RMDEBUG:
May 25 2020 21:18:01.430.3-08:00 R1 RM/6/RMDEBUG:
May 25 2020 21:18:01.430.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 3 (Link-State R
eq)
May 25 2020 21:18:01.430.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: e85a
May 25 2020 21:18:01.430.9-08:00 R1 RM/6/RMDEBUG: # Requesting LSAs: 7
The debugging information shows that R1 has sent LSR packets to R3 (the BDR) and R4 (the DR).
----End
1.3.3 Quiz
When does a Type 4 LSA exist, and what is its function?

Configuration on R1
#
sysname R1
#
ip address 10.0.123.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.0
network 10.0.123.1 0.0.0.0
area 0.0.0.2
network 10.0.1.1 0.0.0.0
#
Configuration on R2
#
sysname R2
#
ip address 10.0.123.2 255.255.255.0
ospf dr-priority 0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.123.2 0.0.0.0
network 10.0.2.2 0.0.0.0
#
Configuration on R3
#
sysname R3
#
ip address 10.0.123.3 255.255.255.0
ospf dr-priority 254

#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
area 0.0.0.0
network 10.0.123.3 0.0.0.0
network 10.0.3.3 0.0.0.0
#
Configuration on R4
#
sysname R4
#
ip address 10.0.123.4 255.255.255.0
ospf dr-priority 255
#
ip address 10.0.45.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
area 0.0.0.0
network 10.0.123.4 0.0.0.0
network 10.0.4.4 0.0.0.0
area 0.0.0.1
network 10.0.45.4 0.0.0.0
#
Configuration on R5
#
sysname R5
#
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.0
#
import-route direct
area 0.0.0.1
network 10.0.45.5 0.0.0.0
#
1.4 Lab 4: OSPF Stub Area and NSSA

1.4.1 Introduction
1.4.1.1 Objectives
 Configure an OSPF stub area.
 Configure an OSPF NSSA.
 Describe the content in a Type 7 LSA.
 Describe the process of translating Type 7 LSAs into Type 5 LSAs.
Figure 1-4 OSPF stub area and NSSA
The preceding figure shows the device interconnection mode and IP address plan. The OSPF areas
are planned as follows:
1. The interconnection interfaces between R1 and R3 and R1's Loopback0 belong to OSPF area 2.
2. The interconnection interfaces between R3 and R4 and their Loopback0 interfaces belong to
OSPF area 0.
3. The interconnection interfaces between R4 and R5 belong to OSPF area 1, and R5's Loopback0
does not belong to any area.
4. The interconnection interfaces between R2 and R3 belong to OSPF area 3, and R2's Loopback0
does not belong to any area.
1.4.1.3 Background
You are a network administrator of a company. The company's network has five AR routers, among
which R2, R3, and R4 reside in the headquarters. R5 and R1 reside in different branches of the
company.
To reduce the pressure on the devices in branches, area 1 is configured as an NSSA and area 2 as a
stub area.
router IDs.

2. Configure OSPF areas as planned.
3. Verify the OSPF configuration by checking the OSPF neighbor relationship status and OSPF
routing tables.
4. Configure R2 and R5 to import AS external routes to their OSPF routing tables.
5. Configure area 2 as a stub area, and observe the changes of the OSPF routing table and LSDB
in area 2.
6. Configure area 1 as an NSSA, and observe the changes of the OSPF routing table and LSDB in
area 1.
7. Check the OSPF role of R4, and observe the translation from Type 7 LSAs into Type 5 LSAs on
R4.
# Name the devices.
[R1-LoopBack0] quit
[R1-GigabitEthernet0/0/1] ip address 10.0.13.1 255.255.255.0
[R2-LoopBack0] quit
# Configure IP addresses for GE0/0/1, GE0/0/2, GE0/0/3, and Loopback0 of R3.
[R3-LoopBack0] quit
[R4-LoopBack0] quit
[R5-LoopBack0] quit
# On R3 and R5, ping the IP addresses of the interconnected devices to test the connectivity.
<R3>ping -c 1 10.0.13.1

0.00% packet loss
<R3>ping -c 1 10.0.23.2

0.00% packet loss
<R3>ping -c 1 10.0.34.4

0.00% packet loss

<R5>ping -c 1 10.0.45.4

0.00% packet loss

Configure OSPF as planned. Manually specify the IP address of Loopback0 as the OSPF router ID on
each device, and change the network type of Loopback0 to broadcast.
# Configure R1.
[R1] ospf 1 router-id 10.0.1.1

[R1-ospf-1] area 0.0.0.2
[R1-ospf-1] quit
[R1] interface LoopBack0
# Configure R2.

[R2-ospf-1] area 0.0.0.3
[R2-ospf-1] quit
# Configure R3.

[R3-ospf-1] area 0.0.0.0
[R3-ospf-1-area-0.0.0.0] area 0.0.0.2
[R3-ospf-1-area-0.0.0.2] area 0.0.0.3
[R3-ospf-1] quit
# Configure R4.

[R4-ospf-1] area 0.0.0.0
[R4-ospf-1-area-0.0.0.0] area 0.0.0.1
[R4-ospf-1] quit
# Configure R5.

[R5-ospf-1] area 1
[R5-ospf-1] quit
Step 3 Verify the multi-area OSPF configuration.


----------------------------------------------------------------------------
----------------------------------------------------------------------------

----------------------------------------------------------------------------
----------------------------------------------------------------------------
The command outputs show that the OSPF neighbor relationships between all devices are normal.

Routing Tables
Routing for Network

10.0.3.0/24 0 Stub 10.0.3.3 10.0.3.3 0.0.0.0
10.0.13.0/24 1 Transit 10.0.13.3 10.0.3.3 0.0.0.2
10.0.23.0/24 1 Transit 10.0.23.3 10.0.3.3 0.0.0.3
10.0.34.0/24 1 Transit 10.0.34.3 10.0.3.3 0.0.0.0
10.0.1.0/24 1 Stub 10.0.13.1 10.0.1.1 0.0.0.2
10.0.4.0/24 1 Stub 10.0.34.4 10.0.4.4 0.0.0.0
10.0.45.0/24 2 Inter-area 10.0.34.4 10.0.4.4 0.0.0.0
Total Nets: 7
R3 has learned the routes to all interfaces except R2's Loopback0 and R5's Loopback0 because the
two Loopback0 interfaces do not have OSPF activated.
Step 4 Import AS external routes into the OSPF routing tables.
# Configure R5 to import the Loopback0 route to its OSPF routing table.
[R5] ospf 1
# Configure a default route on R2, with Loopback0 specified as the outbound interface. Configure
R2 to import the default route to its OSPF routing table, with the type of the external route being
set to type 1, cost being set to 20, and the always parameter not specified.
[R2] ip route-static 0.0.0.0 0.0.0.0 LoopBack 0

[R2] ospf 1
[R2-ospf-1] default-route-advertise type 1 cost 20
# Check the imported external routes on R3 and test their connectivity.
AdverRouter : 10.0.2.2 Tag :1
Cost : 21 Type : Type1
AdverRouter : 10.0.5.5 Tag :1
Cost :1 Type : Type2
<R3>ping -c 1 10.0.5.5

0.00% packet loss
<R3>ping -c 1 10.0.2.2

0.00% packet loss
Step 5 Configure area 2 as a stub area.


Routing Tables
Routing for Network

10.0.1.0/24 0 Stub 10.0.1.1 10.0.1.1 0.0.0.2
10.0.13.0/24 1 Transit 10.0.13.1 10.0.1.1 0.0.0.2
10.0.3.0/24 1 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.4.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.23.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.34.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.45.0/24 3 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
Routing for ASEs

0.0.0.0/0 22 Type1 1 10.0.13.3 10.0.2.2
10.0.5.0/24 1 Type2 1 10.0.13.3 10.0.5.5
Total Nets: 9
The command output shows that the default route is an OSPF external route.
# Configure area 2 as a stub area on R1 and R3.
[R1] ospf 1
[R1-ospf-1] area 0.0.0.2
[R1-ospf-1-area-0.0.0.2] stub
[R3] ospf 1
[R3-ospf-1] area 0.0.0.2
[R3-ospf-1-area-0.0.0.2] stub

Routing Tables
Routing for Network

10.0.1.0/24 0 Stub 10.0.1.1 10.0.1.1 0.0.0.2
10.0.13.0/24 1 Transit 10.0.13.1 10.0.1.1 0.0.0.2
0.0.0.0/0 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.3.0/24 1 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.4.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.23.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.34.0/24 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
10.0.45.0/24 3 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
Total Nets: 8
In this case, R1 does not have any OSPF external route. The original OSPF external routes 0.0.0.0/0
and 10.0.5.0/24 have been replaced by a default OSPF inter-area route.

Link StateDatabase
Area:0.0.0.2
Router 10.0.3.3 10.0.3.3 628 36 80000004 1
Router 10.0.1.1 10.0.1.1 619 48 80000007 0
Network 10.0.13.1 10.0.1.1 619 32 80000002 0
Sum-Net 0.0.0.0 10.0.3.3 631 28 80000001 1
Sum-Net 10.0.34.0 10.0.3.3 631 28 80000001 1
Sum-Net 10.0.3.0 10.0.3.3 631 28 80000001 0
Sum-Net 10.0.4.0 10.0.3.3 631 28 80000001 1
Sum-Net 10.0.45.0 10.0.3.3 631 28 80000001 2
Sum-Net 10.0.23.0 10.0.3.3 631 28 80000001 1
R1 does not have Type 4 or Type 5 LSAs. The default route carried in the Type 3 LSA generated by
the ABR is used to reach a destination outside the OSPF domain. In addition, Type 3 LSAs destined
for other areas still exist.
This proves that an ABR blocks the transmission of Type 4 and Type 5 LSAs to the area that has been
configured as a stub area and instead floods a default route destined for the ABR itself in this area
through a Type 3 LSA.
# Configure area 2 as a totally stubby area on R3.
[R3] ospf 1
[R3-ospf-1] area 0.0.0.2
[R3-ospf-1-area-0.0.0.2] stub no-summary
# Check the OSPF routing table and LSDB on R1 again.

Routing Tables
Routing for Network

10.0.1.0/24 0 Stub 10.0.1.1 10.0.1.1 0.0.0.2
10.0.13.0/24 1 Transit 10.0.13.1 10.0.1.1 0.0.0.2
0.0.0.0/0 2 Inter-area 10.0.13.3 10.0.3.3 0.0.0.2
Total Nets: 3

Link StateDatabase
Area:0.0.0.2
Router 10.0.3.3 10.0.3.3 125 36 80000005 1
Router 10.0.1.1 10.0.1.1 121 48 8000000C 0
Network 10.0.13.1 10.0.1.1 121 32 80000002 0
Sum-Net 0.0.0.0 10.0.3.3 961 28 80000001 1
The originally multiple OSPF inter-area routes have been replaced with only one default route
0.0.0.0/0, and the LSDB contains only one Type 3 LSA 0.0.0.0.
This proves that the ABR in a totally stubby area blocks Type 3, Type 4, and Type 5 LSAs and instead
generates a Type 3 LSA to advertise a default route destined for the ABR itself.
Step 6 Configure area 1 as an NSSA.

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
10.0.3.0/24 1 Stub 10.0.34.3 10.0.3.3 0.0.0.0
10.0.13.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
10.0.23.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
Routing for ASEs

0.0.0.0/0 22 Type1 1 10.0.34.3 10.0.2.2
10.0.5.0/24 1 Type2 1 10.0.45.5 10.0.5.5
Total Nets: 9
The command output shows that R5 has an external route 10.0.5.0/24 described by a Type 5 LSA.

Routing Tables
Routing for Network

10.0.45.0/24 1 Transit 10.0.45.5 10.0.5.5 0.0.0.1
10.0.1.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.3.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.4.0/24 1 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.13.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.23.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.34.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
Routing for ASEs

0.0.0.0/0 23 Type1 1 10.0.45.4 10.0.2.2
Total Nets: 8
The default route in the OSPF routing table of R5 is described by a Type 5 LSA, which is generated
by R2.
# Configure area 1 as an NSSA on R4 and R5.
[R4]ospf 1
[R4-ospf-1] area 0.0.0.1
[R4-ospf-1-area-0.0.0.1] nssa
[R5]ospf 1
[R5-ospf-1] area 0.0.0.1
[R5-ospf-1-area-0.0.0.1] nssa

Routing Tables
Routing for Network

10.0.45.0/24 1 Transit 10.0.45.5 10.0.5.5 0.0.0.1
10.0.1.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.3.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.4.0/24 1 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1

10.0.13.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.23.0/24 3 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
10.0.34.0/24 2 Inter-area 10.0.45.4 10.0.4.4 0.0.0.1
Routing for NSSAs

0.0.0.0/0 1 Type2 1 10.0.45.4 10.0.4.4
Total Nets: 8
The command output shows that there is no default route advertised by R2. Instead, there is an
OSPF default route described by a Type 7 LSA, which is advertised by R4.
# Check the LSDB on R5.

Link StateDatabase
Area:0.0.0.1
Router 10.0.5.5 10.0.5.5 100 36 80000005 1
Router 10.0.4.4 10.0.4.4 105 36 80000005 1
Network 10.0.45.5 10.0.5.5 100 32 80000002 0
Sum-Net 10.0.34.0 10.0.4.4 151 28 80000001 1
Sum-Net 10.0.13.0 10.0.4.4 151 28 80000001 2
Sum-Net 10.0.3.0 10.0.4.4 151 28 80000001 1
Sum-Net 10.0.1.0 10.0.4.4 151 28 80000001 2
Sum-Net 10.0.4.0 10.0.4.4 151 28 80000001 0
Sum-Net 10.0.23.0 10.0.4.4 151 28 80000001 2
NSSA 10.0.5.0 10.0.5.5 143 36 80000001 1
NSSA 10.0.45.0 10.0.5.5 143 36 80000002 1
NSSA 0.0.0.0 10.0.4.4 151 36 80000001 1
The command output shows no Type 4 or Type 5 LSAs. Instead, external routes exist in the form of
Type 7 LSAs (NSSA-LSAs).

Routing Tables
Routing for Network

10.0.4.0/24 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.4 10.0.4.4 0.0.0.0
10.0.45.0/24 1 Transit 10.0.45.4 10.0.4.4 0.0.0.1
10.0.1.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
10.0.3.0/24 1 Stub 10.0.34.3 10.0.3.3 0.0.0.0
10.0.13.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
10.0.23.0/24 2 Inter-area 10.0.34.3 10.0.3.3 0.0.0.0
Routing for ASEs

0.0.0.0/0 22 Type1 1 10.0.34.3 10.0.2.2
Routing for NSSAs

10.0.5.0/24 1 Type2 1 10.0.45.5 10.0.5.5
Total Nets: 9
The external route 10.0.5.0/24 imported by R5 is described in a Type 7 LSA.

This proves that the ABR in the NSSA blocks external Type 4 and Type 5 LSAs from being
transmitted to this area and the ABR delivers a default route described by a Type 7 LSA to the NSSA.
The ASBR delivers Type 7 LSAs to the NSSA to describe the AS external routes imported to this
area.
Step 7 Observe the impact of the NSSA on OSPF.
# Check the brief OSPF information on R4.
<R4>display ospf brief

OSPF Protocol Information
RouterID: 10.0.4.4 Border Router: AREA AS NSSA

Multi-VPN-Instance is not enabled
Global DS-TE Mode : Non-Standard IETF Mode
Spf-schedule-interval : max 10000ms, start 500ms, hold 1000ms
Default ASE parameters : Metric: 1 Tag: 1 Type: 2
Route Preference : 10
ASE Route Preference : 150
SPF Computation Count : 22
RFC1583 Compatible
Retransmission limitation is disabled
Area Count: 2 Nssa Area Count : 1
ExChange/Loading Neighbors : 0
Area: 0.0.0.0 (MPLS TE not enabled)

Authtype: None Area flag : Normal
SPF scheduled Count : 22
RouterID conflict state : Normal
Interface: 10.0.4.4 (LoopBack0)

Cost: 0 State: DR Type: Broadcast MTU: 1500
Priority :1
Designated Router : 10.0.4.4
Backup Designated Router : 0.0.0.0

Cost: 1 State: BDR Type : Broadcast MTU: 1500
Priority :1
Area: 0.0.0.1 (MPLS TE not enabled)

Authtype: None Area flag : NSSA
SPF scheduled Count :6
NSSA Translator State : Elected
Router ID conflict state : Normal

Cost: 1 State: BDR Type: Broadcast MTU: 1500
Priority: 1
Timers: Hello 10 , Dead 40, Poll 120 , Retransmit 5 , Transmit Delay 1
The Border Router field is displayed as AREA AS NSSA, indicating that R4 is both an ABR and
an ASBR and has one or more interfaces belonging to the NSSA.
# On R4, observe the process of translating Type 7 LSAs into Type 5 LSAs. The following uses the
LSA 10.0.5.0/24 as an example to describe how routing information is transmitted.
<R4>display ospf lsdb nssa 10.0.5.0

Area:0.0.0.0
Link StateDatabase
Area:0.0.0.1
Link StateDatabase
Type : NSSA
Ls id : 10.0.5.0
Adv rtr : 10.0.5.5
Ls age : 587
Len : 36
Options : NP
seq# : 80000001
chksum : 0x3336
Net mask : 255.255.255.0
TOS 0 Metric: 1
Etype :2
Tag :1
Priority : Low
In the Type 7 LSA that describes the route 10.0.5.0/24, the value of the Options field is NP,
indicating that the LSA can be translated into a Type 5 LSA by the ABR.
# Check the Type 5 LSA generated on R4 to describe the route 10.0.5.0/24.
<R4>display ospf lsdb ase 10.0.5.0


Link State Database
Type : External
Ls id : 10.0.5.0
Adv rtr : 10.0.4.4
Ls age : 753
Len : 36
Options :E
seq# : 80000001
chksum : 0xb6bc
Net mask : 255.255.255.0
TOS 0 Metric: 1
Etype :2
Tag :1
Priority : Low
The Type 5 LSA carries the same Ls id, Net mask, and Forwarding Address fields as those in the
Type 7 LSA. However, the value of the Adv rtr field is changed from 10.0.5.5 to 10.0.4.4, indicating
that the Type 5 LSA is generated by R4.
----End
1.4.3 Quiz
In which scenarios is an NSSA applicable?

Configuration on R1
#
sysname R1
#
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
area 0.0.0.2
network 10.0.1.1 0.0.0.0
network 10.0.13.1 0.0.0.0
stub
#
Configuration on R2
#
sysname R2
#
ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
default-route-advertise cost 20 type 1
area 0.0.0.3
network 10.0.23.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 LoopBack0
#
Configuration on R3
#
sysname R3
#
ip address 10.0.13.3 255.255.255.0
#
ip address 10.0.34.3 255.255.255.0
#
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.34.3 0.0.0.0
area 0.0.0.2
network 10.0.13.3 0.0.0.0
stub no-summary
area 0.0.0.3
network 10.0.23.3 0.0.0.0
#
Configuration on R4
#
sysname R4
#
ip address 10.0.45.4 255.255.255.0
#
ip address 10.0.34.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
area 0.0.0.0
network 10.0.4.4 0.0.0.0
network 10.0.34.4 0.0.0.0
area 0.0.0.1
network 10.0.45.4 0.0.0.0
nssa
#
Configuration on R5
#
sysname R5
#
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.0
#
import-route direct
area 0.0.0.1
network 10.0.45.5 0.0.0.0
nssa
#
2 IS-IS Basics Experiment
2.1 IS-IS Configuration Experiment

2.1.1 Introduction
2.1.1.1 Objectives
 Perform basic IS-IS configurations.
 Change the IS-IS DIS priority.
 Change the IS-IS network type.
 Import external routes to IS-IS.
 Change the IS-IS interface cost.
 Configure IS-IS route leaking.
Figure 2-1 IS-IS topology
The preceding figure shows the IP addresses, IS-IS areas, and IS-IS router levels. R1, R2, and R3
belong to area 49.0001, and R4 and R5 belong to area 49.0002. Loopback0 interfaces are created on
all routers, and their IP addresses are in the format of 10.0.x.x/32, where x indicates the device ID.
2.1.1.3 Background
A customer's network uses IS-IS as an IGP. R4 and R5 are Level-2 routers and run in area 49.0002.
R1, R2, and R3 belong to area 49.0001. R1 is a Level-1 router, whereas R2 and R3 are Level-1-2
routers. R5 imports an external route 192.168.1.0/24.
Requirements: R1 can access the destination of the external route imported by R5. GE0/0/1 of R1
functions as the DIS. Bidirectional traffic between R1 and R5 is forwarded along the path between
R3 and R4. You can control the route selection result by changing the cost or configuring route
leaking as required.

2. Configure IS-IS as planned.
3. Check IS-IS configurations and IS-IS neighbor information on R1 and R4.
4. Manually change the DIS priority of R1's GE0/0/1 so that R1 becomes the DIS.
5. Create Loopback1 on R5 and import Loopback1's route as an external route to IS-IS. Check the
IS-IS routing tables on R4 and R1, and test the connectivity between R1 and the destination
address of the external route.
6. Manually change the IS-IS cost of GE0/0/3 on R4 so that R4 preferentially selects the route with
R2 as the next hop to R1.
7. Configure IS-IS route leaking on R3 so that R1 learns specific routes in the Level-2 area from R3.
Based on the longest match rule, R1 preferentially selects the specific route with the next hop
being R3 to the Level-2 area.
Step 1 Configure IP addresses for the interconnection and loopback interfaces.
# Name the devices.
[R1-LoopBack0] quit
[R2-LoopBack0] quit

[R3-LoopBack0] quit
[R4-LoopBack0] quit
[R5-LoopBack0] quit
<R1>ping -c 1 10.0.123.2

0.00% packet loss
<R1>ping -c 1 10.0.123.3

0.00% packet loss
<R4>ping -c 1 10.0.24.2

0.00% packet loss
<R4>ping -c 1 10.0.34.3

0.00% packet loss
<R4>ping -c 1 10.0.45.5

0.00% packet loss
Step 2 Configure IS-IS.

Configure IS-IS process 1 on each router, and use the device ID of each device when setting NETs.
For example, set the NET of R1 to 49.0001.0000.0000.0001.00.
# Configure R1.
[R1]isis 1
[R1-isis-1] is-level level-1
[R1-isis-1] network-entity 49.0001.0000.0000.0001.00
[R1-isis-1] quit
[R1-LoopBack0] isis enable 1
[R1-LoopBack0] quit
[R1-GigabitEthernet0/0/1] isis enable 1
# Configure R2.
[R2]isis 1
[R2-isis-1] quit
[R2-LoopBack0] quit
# Configure R3.
[R3]isis
[R3-isis-1] quit
[R3-LoopBack0] quit
# Configure R4.
[R4]isis 1
[R4-isis-1] quit
[R4-LoopBack0] quit
# Configure R5.
[R5]isis 1
[R5-isis-1] quit
[R5-LoopBack0] quit
# To ensure security, configure IS-IS interface authentication, with the authentication mode being
MD5, and the password being huawei.
[R1-GigabitEthernet0/0/1] isis authentication-mode md5 huawei
Step 3 Check IS-IS configurations.

# Check the IS-IS neighbor relationships on R1 and R4.
<R1>display isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI

-------------------------------------------------------------------------------
0000.0000.0002 GE0/0/1 0000.0000.0002.01 Up 8s L1 64
0000.0000.0003 GE0/0/1 0000.0000.0002.01 Up 29s L1 64
Total Peer(s): 2
According to the preceding command output, R1 has established Level-1 IS-IS neighbor
relationships with R2 and R3.


-------------------------------------------------------------------------------
0000.0000.0005 GE0/0/2 0000.0000.0004.01 Up 24s L2 64
0000.0000.0003 GE0/0/3 0000.0000.0004.02 Up 27s L2 64
0000.0000.0002 GE0/0/5 0000.0000.0004.03 Up 23s L2 64
Total Peer(s): 3
According to the preceding command output, R4 has established Level-2 IS-IS neighbor
relationships with R2, R3, and R5.
# Check the IS-IS routing table on R4.
<R4>display isis route
Route information for ISIS(1)

-----------------------------
ISIS(1) Level-2 Forwarding Table

--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags

-------------------------------------------------------------------------------
10.0.24.0/24 10 NULL GE0/0/5 Direct D/-/L/-
10.0.3.3/32 10 NULL GE0/0/3 10.0.34.3 A/-/-/-
10.0.2.2/32 10 NULL GE0/0/5 10.0.24.2 A/-/-/-
10.0.5.5/32 10 NULL GE0/0/2 10.0.45.5 A/-/-/-
10.0.123.0/24 20 NULL GE0/0/3 10.0.34.3 A/-/-/-
GE0/0/5 10.0.24.2
10.0.45.0/24 10 NULL GE0/0/2 Direct D/-/L/-
10.0.1.1/32 20 NULL GE0/0/3 10.0.34.3 A/-/-/-
GE0/0/5 10.0.24.2
10.0.4.4/32 0 NULL Loop0 Direct D/-/L/-
10.0.34.0/24 10 NULL GE0/0/3 Direct D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,U-Up/Down Bit Set
According to the preceding command output, R4 has learned the routes on the entire network, the
routes to 10.0.123.0/24 and 10.0.1.1/32 are in the load balancing state.
Step 4 Change the DIS priority of GE0/0/1 on R1.
Change the DIS priority of GE0/0/1 on R1 so that R1 is elected as the DIS among R1, R2, and R3 that
are on the same broadcast network.
# Check the IS-IS interface status on R1.
<R1>display isis interface
Interface information for ISIS(1)

---------------------------------
Interface Id IPV4.State IPV6.State MTU Type DIS
Loop0 001 Up Down 1500 L1/L2 --
GE0/0/1 001 Up Down 1497 L1/L2 No/No
According to the preceding command output, GE0/0/1 on R1 is not the DIS.

# Change the DIS priority of GE0/0/1 on R1.
[R1-GigabitEthernet0/0/1] isis dis-priority 127
# Check the IS-IS interface status on R1.
<R1>display isis interface
Interface information for ISIS(1)

---------------------------------
Interface Id IPV4.State IPV6.State MTU Type DIS
Loop0 001 Up Down 1500 L1/L2 --
GE0/0/1 001 Up Down 1497 L1/L2 Yes/No
According to the preceding command output, GE0/0/1 on R1 becomes the DIS.

Step 5 Import the external route.
# Create Loopback1 on R5, set the IP address to 192.168.1.1, and import the route 192.168.1.1 as an
external route to IS-IS.
[R5-LoopBack1] quit
[R5]isis 1
[R5-isis-1] import-route direct
[R5-isis-1] quit

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.0.24.0/24 20 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.3.3/32 20 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.2.2/32 20 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.123.0/24 30 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.45.0/24 10 NULL GE0/0/3 Direct D/-/L/-
10.0.1.1/32 30 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.4.4/32 10 NULL GE0/0/3 10.0.45.4 A/-/-/-
10.0.34.0/24 20 NULL GE0/0/3 10.0.45.4 A/-/-/-
ISIS(1) Level-2 Redistribute Table

----------------------------------
Type IPV4 Destination IntCost ExtCost Tag

-------------------------------------------------------------------------------
D 192.168.1.1/32 0 0
Type: D-Direct, I-ISIS, S-Static, O-OSPF, B-BGP, R-RIP, U-UNR
According to the preceding command output, the imported external route is displayed in the
routing table.
# Check the IS-IS route 192.168.1.1 on R4.
<R4>display isis route192.168.1.1

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
192.168.1.1/32 10 0 GE0/0/2 10.0.45.5 A/-/-/-
According to the preceding command output, R4 has learned the IS-IS route 192.168.1.1/32.

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
0.0.0.0/0 10 NULL GE0/0/1 10.0.123.3 A/-/-/-
GE0/0/1 10.0.123.2
10.0.24.0/24 20 NULL GE0/0/1 10.0.123.2 A/-/-/-
10.0.3.3/32 10 NULL GE0/0/1 10.0.123.3 A/-/-/-
10.0.2.2/32 10 NULL GE0/0/1 10.0.123.2 A/-/-/-
10.0.123.0/24 10 NULL GE0/0/1 Direct D/-/L/-
10.0.34.0/24 20 NULL GE0/0/1 10.0.123.3 A/-/-/-
According to the preceding command output, the IS-IS routing table on R1 does not contain the
route 192.168.1.1/32 because Level-1-2 routers do not leak Level-2 routes to Level-1 routers by
default. Therefore, R1 does not have the imported external route to 192.168.1.1/32. However, R1 has
two default routes to the backbone area, and the two routes are in the load balancing state.
# On R1, ping R5's Loopback1.
<R1>ping -c 1 192.168.1.1

0.00% packet loss
According to the preceding command output, R1 can communicate with Loopback1 of R5.
Step 6 Change the cost of an IS-IS interface.
The traffic from R4 to R1 is balanced by R2 and R3 (the conclusion can be drawn according to the
routing table). To enable the traffic from R4 to R1 to pass through R2, change the interface cost on
R4.
# Check the IS-IS route 10.0.1.1/32 on R4.
<R4>display isis route10.0.1.1

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.0.1.1/32 20 NULL GE0/0/5 10.0.24.2 A/-/-/-
GE0/0/3 10.0.34.3
The routes from R4 to Loopback0 of R1 work in load balancing mode, and the next hops are
10.0.24.2 and 10.0.34.3.
# Change the IS-IS cost of GE0/0/3 on R4.
[R4-GigabitEthernet0/0/3] isis cost 15
# Check the IS-IS route 10.0.1.1/32 on R4 again.
<R4>display isis route 10.0.1.1 32

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.0.1.1/32 20 NULL GE0/0/5 10.0.24.2 A/-/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
According to the preceding command output, there is only one next hop (10.0.24.2) from R4 to
Loopback0 of R1.
Step 7 Configure IS-IS route leaking.

By default, R1 does not have specific routes to the Level-2 area and forwards packets to the Level-2
area only through the default routes advertised by Level-1-2 routers. In this example, R1 uses R2
and R3 as equal-cost next hops to reach the Level-2 area. To divert the traffic sent from R1 to R5 to
R3, you can configure route leaking on R3 so that R3 can leak the routes destined for the Level-2
area to the Level-1 area. In this way, R1 can learn desired routes through IS-IS.
# Check the route to Loopback0 on R5 in the IP routing table of R1.
<R1>display ip routing-table 10.0.5.5

------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2
0.0.0.0/0 ISIS-L1 15 10 D 10.0.123.3 GigabitEthernet0/0/1

ISIS-L1 15 10 D 10.0.123.2 GigabitEthernet0/0/1
According to the preceding command output, traffic from R1 to 10.0.5.5 is balanced between R2
and R3.
# Configure IS-IS route leaking on R3.
[R3]isis 1
[R3-isis-1] import-route isis level-2 into level-1
[R3-isis-1] quit
# Check the route to Loopback0 on R5 in the IP routing table of R1 again.

------------------------------------------------------------------------------
Summary Count : 1
10.0.5.5/32 ISIS-L1 15 30 D 10.0.123.3 GigabitEthernet0/0/1
According to the preceding command output, the next hop of the route from R1 to 10.0.5.5 is
10.0.123.3, that is, R3. In addition, this route is a specific route rather than a default route.
----End
2.1.3 Quiz
What are the conditions for establishing an IS-IS neighbor relationship between Ethernet
interfaces?

Configuration on R1
#
sysname R1
#
isis 1
is-level level-1
network-entity 49.0001.0000.0000.0001.00
#
ip address 10.0.123.1 255.255.255.0
isis enable 1
isis authentication-mode md5 huawei
isis dis-priority 127
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
isis enable 1
#
return
Configuration on R2
sysname R2
#
isis 1
network-entity 49.0001.0000.0000.0002.00
#
ip address 10.0.123.2 255.255.255.0
isis enable 1
#
ip address 10.0.24.2 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
isis enable 1
#
Configuration on R3
#
sysname R3
#
isis 1
network-entity 49.0001.0000.0000.0003.00
import-route isis level-2 into level-1
#
ip address 10.0.123.3 255.255.255.0
isis enable 1
#
ip address 10.0.34.3 255.255.255.0
isis enable 1

#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
isis enable 1
#
Configuration on R4
#
sysname R4
#
isis 1
is-level level-2
network-entity 49.0002.0000.0000.0004.00
#
ip address 10.0.45.4 255.255.255.0
isis enable 1
#
ip address 10.0.34.4 255.255.255.0
isis enable 1
isis cost 15
#
ip address 10.0.24.4 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
isis enable 1
#
Configuration on R5
#
sysname R5
#
isis 1
is-level level-2
network-entity 49.0002.0000.0000.0005.00
import-route direct
#
ip address 10.0.45.5 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.255
isis enable 1

#
interface LoopBack1
ip address 192.168.1.1 255.255.255.255
#
3 BGP Configurations
3.1 Lab 1: Basic BGP Configurations

3.1.1 Introduction
 Configure IBGP.
 Configure EBGP.
 Observe the BGP peer table.
 Specify the source interface for sending BGP messages.
 Configure EBGP multi-hop.
 Observe the changes in the next hops of IBGP and EBGP routes.
Figure 3-1 Basic BGP configurations
The preceding figure shows the device interconnection mode, IP address plan, and BGP AS
numbers. Loopback0 is created on each device, and its IP address is in the format of 10.0.x.x/32,
where x indicates the device number. The IP address of Loopback0 on each device is used as the
BGP router ID of the device. Loopback1 is configured on R1 and R5 to simulate a user network
segment.
OSPF runs on R2, R3, and R4, and is activated on the interconnection and Loopback0 interfaces of
R2, R3, and R4.
3.1.1.2 Background
You are a network administrator of a company. The company's network uses BGP as the routing
protocol. The network consists of multiple ASs, with different branches using different AS numbers.
Now, you need to complete the establishment of the company's network. OSPF is used as the IGP in
the headquarters, and private BGP AS numbers are used in different branches. After the network is
set up, you need to observe the transmission of BGP routing information.

2. Configure OSPF in AS 64512.
3. Configure full-mesh IBGP peer relationships in AS 64512.
4. Establish EBGP peer relationships between AS 64512, AS 64513, and AS 64514.
5. Configure R1 and R5 to advertise their Loopback1 routes to their BGP routing tables. Configure
R2 and R4 to change the next-hop addresses of BGP routes to the IP addresses of their source
interfaces when advertising the routes to specified peers.
# Name the devices.
# Configure IP addresses for GE0/0/2, Loopback0, and Loopback1 of R1.
[R1-LoopBack0] quit
[R1-LoopBack1] quit
[R2-LoopBack0] quit

[R3-LoopBack0] quit
[R4-LoopBack0] quit
[R5-LoopBack0] quit
[R5-LoopBack1] quit
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
<R4>ping -c 1 10.0.34.3

0.00% packet loss
<R4>ping -c 1 10.0.45.5

0.00% packet loss
Step 2 Configure OSPF in AS 64512.

Configure the IP address of Loopback0 as the router ID on each of R2, R3, and R4.
# Configure R2, and activate OSPF on Loopback0 and GE0/0/2.

[R2-ospf-1] area 0.0.0.0
[R2-ospf-1] quit
# Configure R3, and activate OSPF on Loopback0, GE0/0/2, and GE0/0/3.

[R3-ospf-1] area 0.0.0.0
[R3-ospf-1] quit

[R4-ospf-1] area 0.0.0.0
[R4-ospf-1]quit


----------------------------------------------------------------------------
----------------------------------------------------------------------------

Routing Tables
Routing for Network

10.0.3.3/32 0 Stub 10.0.3.3 10.0.3.3 0.0.0.0
10.0.23.0/24 1 Transit 10.0.23.3 10.0.3.3 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.3 10.0.3.3 0.0.0.0
10.0.2.2/32 1 Stub 10.0.23.2 10.0.2.2 0.0.0.0
10.0.4.4/32 1 Stub 10.0.34.4 10.0.4.4 0.0.0.0
Total Nets: 5
Step 3 Configure IBGP peers.
Establish full-mesh IBGP peer relationships between Loopback0 interfaces of R2, R3, and R4.
# Configure BGP on R2.
[R2]bgp 64512
[R2-bgp] router-id 10.0.2.2
[R2-bgp] peer 10.0.3.3 as-number 64512
[R2-bgp] peer 10.0.3.3 connect-interface LoopBack0
[R3]bgp 64512
[R4]bgp 64512

# Check the status of BGP peer relationships on R2, R3, and R4.
<R2>display bgp peer
BGP local router ID : 10.0.2.2

Local AS number : 64512
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.3.3 4 64512 3 3 0 00:01:57 Established 0

10.0.4.4 4 64512 3 4 0 00:01:56 Established 0

10.0.2.2 4 64512 3 3 0 00:02:23 Established 0

10.0.4.4 4 64512 3 4 0 00:02:25 Established 0

10.0.2.2 4 64512 3 3 0 00:06:33 Established 0

10.0.3.3 4 64512 3 4 0 00:06:38 Established 0
The command outputs show that R2, R3, and R4 have established full-mesh IBGP peer relationships
with each other.
Step 4 Configure EBGP peers.
Establish EBGP peer relationships between Loopback0 interfaces of R1 and R2 and between
Loopback0 interfaces of R4 and R5. To ensure proper establishment, configure static routes on R1
and R2 to ensure routing reachability between Loopback0 interfaces. Perform the same operation
on R4 and R5.
# Configure static routes on R1 and R2.
[R1]ip route-static 10.0.2.2 32 10.0.12.2
[R2]ip route-static 10.0.1.1 32 10.0.12.1
# Configure static routes on R4 and R5.

[R4]ip route-static 10.0.5.5 32 10.0.45.5
[R5]ip route-static 10.0.4.4 32 10.0.45.4
# Test the connectivity between the loopback interfaces.
<R1>ping -c 1 -a 10.0.1.1 10.0.2.2


0.00% packet loss
<R5>ping -c 1 -a 10.0.5.5 10.0.4.4


0.00% packet loss
# Configure an EBGP peer relationship between R1 and R2.
[R1]bgp 64513
[R1-bgp] peer 10.0.2.2 ebgp-max-hop 2
[R2]bgp 64512
By default, the maximum number of hops allowed for an EBGP connection is 1. In this case, EBGP
peers can establish a peer relationship only through a direct link. To use a loopback interface as the
source interface to send BGP messages, you need to manually change the maximum number of
hops allowed for an EBGP connection.
# Configure an EBGP peer relationship between R4 and R5.
[R4]bgp 64512
[R5]bgp 64514
# Check the EBGP peer relationship status on R1 and R5.

10.0.2.2 4 64512 7 10 0 00:05:47 Established 0

10.0.4.4 4 64512 7 10 0 00:03:25 Established 0
The preceding command outputs show that R1 and R2 as well as R4 and R5 have successfully
established EBGP peer relationships.
Step 5 Configure devices to advertise routes to their BGP routing tables.
Configure R1 and R5 to advertise their Loopback1 routes to their BGP routing tables.
# Run the network command on R1 and R5 to advertise the routes.
[R1]bgp 64513
[R1-bgp] network 10.1.1.1 24
[R5]bgp 64514
[R5-bgp] network 10.1.5.5 24
# Check the BGP routing table on R3.
<R3>display bgp routing-table
BGP Local router ID is 10.0.3.3

Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 2

Network NextHop MED LocPrf PrefVal Path/Ogn
i 10.1.1.0/24 10.0.1.1 0 100 0 64513i

i 10.1.5.0/24 10.0.5.5 0 100 0 64514i
The command output shows that R3 has learned the BGP routes advertised by R1 and R5, but the
routes are invalid because their next hops are unreachable to R3. To resolve this issue, run the peer
next-hop-local command on R2 and R4 to configure the devices to change the next-hop addresses
of BGP routes to the IP addresses of their source interfaces when advertising these routes.
# Configure R2 and R4 to change the next-hop addresses of BGP routes to their own IP addresses
when advertising these routes.
[R2]bgp 64512
[R2-bgp] peer 10.0.3.3 next-hop-local
[R4]bgp 64512
# Check the BGP routing table on R3 again.


*>i 10.1.1.0/24 10.0.2.2 0 100 0 64513i

*>i 10.1.5.0/24 10.0.4.4 0 100 0 64514i
The command output shows that the two BGP routes have become valid and the optimal.
# Check the BGP routing tables on R1 and R5.


*> 10.1.1.0/24 0.0.0.0 0 0 i

*> 10.1.5.0/24 10.0.2.2 0 64512 64514i


*> 10.1.1.0/24 10.0.4.4 0 64512 64513i

*> 10.1.5.0/24 0.0.0.0 0 0 i
The command outputs show that R1 and R5 have learned the Loopback1 routes from each other.
# Test the connectivity between Loopback 1 interfaces on R1 and R5.
<R1>ping -c 1 -a 10.1.1.1 10.1.5.5


0.00% packet loss
----End
3.1.3 Quiz
What are the advantages of using loopback interface addresses to establish EBGP peer
relationships compared with using physical interface addresses?

Configuration on R1
#
sysname R1
#
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.1.1.1 255.255.255.0
#
bgp 64513
router-id 10.0.1.1
peer 10.0.2.2 as-number 64512
peer 10.0.2.2 ebgp-max-hop 2
peer 10.0.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
network 10.0.1.0 255.255.255.0
network 10.1.1.0 255.255.255.0
peer 10.0.2.2 enable

#
ip route-static 10.0.2.2 255.255.255.255 10.0.12.2
#
Configuration on R2
#
sysname R2
#
ip address 10.0.23.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
bgp 64512
router-id 10.0.2.2
#
ipv4-family unicast
peer 10.0.3.3 next-hop-local
#
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.23.2 0.0.0.0
#
ip route-static 10.0.1.1 255.255.255.255 10.0.12.1
#
return
Configuration on R3
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip address 10.0.23.3 255.255.255.0

#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
bgp 64512
router-id 10.0.3.3
#
ipv4-family unicast
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.0.34.3 0.0.0.0
#
return
Configuration on R4
#
sysname R4
#
ip address 10.0.45.4 255.255.255.0
#
ip address 10.0.34.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
bgp 64512
router-id 10.0.4.4
#
ipv4-family unicast

#
area 0.0.0.0
network 10.0.4.4 0.0.0.0
network 10.0.34.4 0.0.0.0
#
ip route-static 10.0.5.5 255.255.255.255 10.0.45.5
#
return
Configuration on R5
#
sysname R5
#
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.255
#
interface LoopBack1
ip address 10.1.5.5 255.255.255.0
#
bgp 64514
router-id 10.0.5.5
#
ipv4-family unicast
network 10.1.5.0 255.255.255.0
#
ip route-static 10.0.4.4 255.255.255.255 10.0.45.4
#
Return
3.2 Lab 2: BGP Route Summarization

3.2.1 Introduction
3.2.1.1 Objectives
 Implement automatic summarization for routes imported using the import-route command.
 Implement manual route summarization using the aggregate command.
 Use the as-set parameter for manual route summarization to prevent routing loops.

Figure 3-2 BGP route summarization
The preceding figure shows the BGP AS numbers and IP addresses of interconnection interfaces.
Loopback0 is created on each device, and its IP address is in the format of 10.0.x.x/32, where x
indicates the device number.
R1, R2, and R3 use the IP addresses of Loopback0 as their BGP router IDs and establish EBGP peer
relationships through directly connected interfaces.
Loopback1 and Loopback2 are created on each of R1 and R3 to simulate user network segments.
3.2.1.3 Background
You are a network administrator of a company. The company's network uses BGP as the routing
protocol. The network consists of multiple ASs, with different branches using different AS numbers.
As the network scale expands, more and more routing entries are stored in the routing tables on the
routers, making it urgent to summarize BGP routes. After testing several methods of route
summarization, you have finally selected a proper method to implement route summarization.

2. Configure EBGP peer relationships between R1, R2, and R3 as planned.
3. Configure R1 to advertise its Loopback1 and Loopback2 routes to the BGP routing table and
implement automatic route summarization. Check detailed information about the summary
route on R2.
4. Configure R3 to advertise its Loopback1 and Loopback2 routes to the BGP routing table, and
manually summarize the routes on R2. Check detailed information about the summary route
on R2 and R3. Perform manual summarization on R2 again, and this time configure the as-set
parameter. Then, check detailed information about the summary route on R2.
# Name the devices.
# Configure IP addresses for GE0/0/2, Loopback0, Loopback1, and Loopback2 of R1.
[R1-LoopBack0] quit
[R1-LoopBack1] quit
[R1-LoopBack1] quit
[R2-LoopBack0] quit
[R2-GigaitEthernet0/0/3] quit
# Configure IP addresses for GE0/0/3, Loopback0, Loopback1, and Loopback2 of R3.
[R3-LoopBack0] quit
[R3-LoopBack1] quit
[R3-LoopBack1] quit
# On R2, ping the IP addresses of the interconnected devices to test the connectivity.
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
Step 2 Configure EBGP peer relationships.

Configure EBGP peer relationships between R1 and R2, and between R2 and R3 through directly
connected interfaces.
# Configure R1.
[R1]bgp 64511
# Configure R2.
[R2]bgp 64512
# Configure R3.
[R3]bgp 64513
# Check the BGP peer relationship status on R2.

10.0.12.1 4 64511 3 3 0 00:02:41 Established 0

10.0.23.3 4 64513 3 4 0 00:01:20 Established 0
The command output shows that EBGP peer relationships have been successfully established
between R1 and R2, and between R2 and R3.
Step 3 Configure automatic BGP route summarization.
Enable automatic BGP route summarization on R1, and configure R1 to advertise its Loopback1 and
Loopback2 routes to the BGP routing table so that R1 automatically summarizes these routes.
# Create IP prefix list 1 to match the Loopback1 and Loopback2 routes.
[R1]ip ip-prefix 1 permit 172.16.0.0 16 greater-equal 24 less-equal 24
# Create a route-policy named hcip, create node 10, and configure an if-match clause with IP prefix
list 1 specified.
[R1]route-policy hcip permit node 10

[R1-route-policy] if-match ip-prefix 1

[R1-route-policy] quit
# Configure R1 to advertise the Loopback1 and Loopback2 routes to the BGP routing table, and
enable automatic BGP route summarization on R1.
[R1]bgp 64511
[R1-bgp] import-route direct route-policy hcip
[R1-bgp] summary automatic
Info: Automatic summarization is valid only for the routes imported through the import-route command.
Automatic summarization takes effect only on the routes imported using the import-route
command.
BGP Localrouter ID is 10.0.1.1

Status codes: *- valid,> - best, d - damped,
h - history, i - internal, s - suppressed, S- Stale
Total Number of Routes : 3

*> 172.16.0.0 127.0.0.1 0 ?

s> 172.16.1.0/24 0.0.0.0 0 0 ?
s> 172.16.2.0/24 0.0.0.0 0 0 ?
The Loopback1 and Loopback2 routes have been advertised to the BGP routing table. As automatic
BGP route summarization is enabled on R1, R1 summarizes these routes into the summary route
172.16.0.0/16 and suppresses all the specific routes. In the routing table, the s flag displayed before
each specific route indicates that the route is suppressed. As a result, R1 advertises only the
summary route 172.16.0.0/16.


*> 172.16.0.0 10.0.12.1 0 64511?
The command output shows only the summary route 172.16.0.0/16 on R2.
# Check detailed information about the BGP summary route 172.16.0.0 on R2.
<R2>display bgp routing-table 172.16.0.0


Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 172.16.0.0/16:
From: 10.0.12.1 (10.0.1.1)
Route Duration: 01h09m27s
Direct Out-interface: GigabitEthernet0/0/3
Original nexthop: 10.0.12.1
Qos information : 0x0
AS-path 64511, origin incomplete, pref-val 0, valid, external, best, select, active, pre 255
Aggregator: AS 64511, Aggregator ID 10.0.1.1
Advertised to such 2 peers:
10.0.12.1
10.0.23.3
The path attributes of this route include the Aggregator attribute, which carries the AS number and
router ID of the device that generates the summary route.
Step 4 Configure manual BGP route summarization.
Configure R3 to advertise its Loopback1 and Loopback2 routes to the BGP routing table. Run the
aggregate command on R2 to manually summarize these routes and suppress the advertisement of
the specific routes.
# Create IP prefix list 1 to match the Loopback1 and Loopback2 routes.
# Create a route-policy named hcip, create node 10, and configure an if-match clause with IP prefix
list 1 specified.

# Configure R3 to advertise its Loopback1 and Loopback2 routes to the BGP routing table.
[R3]bgp 64513
[R3-bgp] import-route direct route-policy hcip


*> 172.16.0.0 10.0.12.1 0 64511?

*> 172.17.1.0/24 10.0.23.3 0 0 64513?
*> 172.17.2.0/24 10.0.23.3 0 0 64513?
The BGP routing table of R2 contains the BGP routes 172.17.1.0/24 and 172.17.2.0/24 advertised by
R3.
# On R2, manually summarize the routes 172.17.1.0/24 and 172.17.2.0/24 into the summary route
172.17.0.0/22, and suppress the advertisement of the specific routes.
[R2]bgp 64512
[R2-bgp] aggregate 172.17.0.0 22 detail-suppressed


*> 172.16.0.0 10.0.12.1 0 64511?

*> 172.17.0.0/22 127.0.0.1 0 ?
s> 172.17.1.0/24 10.0.23.3 0 0 64513?
s> 172.17.2.0/24 10.0.23.3 0 0 64513?
The summary route is displayed in the BGP routing table of R2.

# Check detailed information about the BGP summary route 172.16.0.0/22 on R2.
<R2>display bgp routing-table 172.17.0.0 22

Aggregated route.
Direct Out-interface: NULL0
AS-path Nil, origin incomplete, pref-val 0, valid, local, best, select, active, pre 255
Aggregator: AS 64512, Aggregator ID 10.0.2.2, Atomic-aggregate
10.0.12.1
10.0.23.3
The command output shows that the AS-path field value is Nil, indicating that the AS_Path
attribute is empty. This means that the AS_Path attribute values of the specific routes are lost. BGP
depends on the AS_Path attribute to prevent routing loops. Therefore, the loss of the AS_Path
attribute value may cause a routing loop. The command output also shows the BGP peers to which
the summary route is advertised, and these peers include the peer 10.0.23.3 (R3).

Total Number of Routes : 4

*> 172.16.0.0 10.0.23.2 0 64512 64511?

*> 172.17.0.0/22 10.0.23.2 0 64512?
*> 172.17.1.0/24 0.0.0.0 0 0 ?
*> 172.17.2.0/24 0.0.0.0 0 0 ?
The BGP routing table of R3 contains the summary route 172.17.0.0/22.

# To prevent routing loops, specify the as-set parameter when performing manual route
summarization on R2.
[R2]bgp 64512
[R2-bgp] aggregate 172.17.0.0 255.255.252.0 detail-suppressed as-set
# Check detailed information about the BGP summary route 172.17.0.0/22 on R2 again.
[R2]display bgp routing-table 172.17.0.0 22

Aggregated route.
Direct Out-interface: NULL0
AS-path 64513, origin incomplete, pref-val 0, valid, local, best, select, active, pre 255
Aggregator: AS 64512, Aggregator ID 10.0.2.2, Atomic-aggregate
10.0.12.1
10.0.23.3
The command output shows that the value of the AS_Path attribute in the summary route is 64513,
and the route is still advertised to the peer 10.0.23.3 (R3).


*> 172.16.0.0 10.0.23.2 0 64512 64511?

*> 172.17.1.0/24 0.0.0.0 0 0 ?
*> 172.17.2.0/24 0.0.0.0 0 0 ?
After R3 receives the summary route 172.17.0.0/22, it finds its own AS number (64153) in the
AS_Path attribute of the route and ignores this route. In this case, the summary route 172.17.0.0/22
does not exist in the BGP routing table of R3. Therefore, using the as-set parameter for manual
route summarization effectively prevents a routing loop.
----End
3.2.3 Quiz
What are the differences between the path attributes carried in a summary route generated using
the aggregate command and that generated using the summary automatic command?

Configuration on R1
#
sysname R1
#
ip address 10.0.12.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
interface LoopBack1
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack2
ip address 172.16.2.1 255.255.255.0
#
bgp 64511
router-id 10.0.1.1
#
ipv4-family unicast
summary automatic
import-route direct route-policy hcip
#
route-policy hcip permit node 10
if-match ip-prefix 1
#
ip ip-prefix 1 index 10 permit 172.16.0.0 16 greater-equal 24 less-equal 24
#
return
Configuration on R2
#
sysname R2
#
ip address 10.0.23.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
bgp 64512
router-id 10.0.2.2
#
ipv4-family unicast
aggregate 172.17.0.0 255.255.252.0 as-set detail-suppressed
#
return
Configuration on R3
#
sysname R3
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
interface LoopBack1
ip address 172.17.1.1 255.255.255.0
#
interface LoopBack2
ip address 172.17.2.1 255.255.255.0
#
bgp 64513
router-id 10.0.3.3
#
ipv4-family unicast
#
#

#
return
3.3 Lab 3: BGP RR

3.3.1 Introduction
3.3.1.1 Objectives
 Deploy RRs in an AS.
 Analyze how the BGP path attribute Originator_ID implements routing loop prevention in an
RR environment.
 Analyze how the BGP path attribute Cluster_List implements routing loop prevention in an RR
environment.
Figure 3-3 BGP RR
R1, R2, R3, and R4 belong to AS 64511. The preceding figure shows the device interconnection mode
and IP addresses of interconnection interfaces. Loopback0 is created on each device, and its IP
address is in the format of 10.0.x.x/32, where x indicates the device number. The Loopback1
addresses of R1 and R2 are 10.1.1.1/24 and 10.2.2.2/24, respectively. The loopback interfaces are
used to simulate user network segments.
All devices use the IP addresses of Loopback0 as their BGP router IDs. IBGP peer relationships are
established between R1 and R2, R2 and R3, R3 and R4, and R4 and R2 through directly connected
interfaces. R1 is the RR client of R2, R2 is the RR client of R3, and R3 is the RR client of R4.
3.3.1.3 Background
The headquarters network of a company uses BGP as the routing protocol. The four routers in the
headquarters establish IBGP peer relationships (not fully meshed). To enable the four routers to
learn complete BGP routes, BGP RRs need to be deployed on the network.

2. Configure OSPF in the AS, and activate OSPF on the interconnection and Loopback0
interfaces.
3. Establish IBGP peer relationships through directly connected interfaces in the AS.
4. Configure RRs, and specify R1 as the RR client of R2, R2 as the RR client of R3, and R3 as the RR
client of R4.
5. Configure R2 to advertise its Loopback1 route to the BGP routing table, and observe how the
Originator_ID attribute is used to prevent a routing loop.
6. Configure R1 to advertise its Loopback1 route to the BGP routing table, and observe how the
Cluster_List attribute is used to prevent a routing loop.
# Name the devices.
[R1-LoopBack0] quit
[R1-LoopBack1] quit
[R2-LoopBack0] quit

[R3-LoopBack0] quit
[R4-LoopBack0] quit
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
<R2>ping -c 1 10.0.24.4

0.00% packet loss
<R3>ping -c 1 10.0.34.4


0.00% packet loss

Configure R1, R2, R3, and R4 to use the IP addresses of Loopback0 as their router IDs, and activate
OSPF on the interconnection and Loopback0 interfaces.
# Configure R1.

[R1-ospf-1] area 0.0.0.0
# Configure R2.

[R2-ospf-1]area 0
# Configure R3.

[R3-ospf-1]area 0
# Configure R4.

[R4-ospf-1]area 0
# Check the brief information about OSPF neighbor relationships on R2 and R3.

----------------------------------------------------------------------------

----------------------------------------------------------------------------

----------------------------------------------------------------------------
----------------------------------------------------------------------------
The command outputs show that all the OSPF neighbor relationships have been established
properly.

Routing Tables
Routing for Network

10.0.4.4/32 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.4 10.0.4.4 0.0.0.0
10.0.1.1/32 2 Stub 10.0.24.2 10.0.1.1 0.0.0.0
10.0.2.2/32 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.3/32 1 Stub 10.0.34.3 10.0.3.3 0.0.0.0
10.0.12.0/24 2 Transit 10.0.24.2 10.0.1.1 0.0.0.0
10.0.23.0/24 2 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.23.0/24 2 Transit 10.0.34.3 10.0.2.2 0.0.0.0
Total Nets: 9
The command output shows that R4 has learned the routes on the entire network.
Step 3 Configure IBGP peer relationships.
Establish IBGP peer relationships between Loopback0 interfaces in the AS.
# Configure R1.
[R1]bgp 64511
# Configure R2.

# Configure R3.
[R3]bgp 64511
# Configure R4.
[R4]bgp 64511
# Check the IBGP peer relationship status on R2 and R3.

10.0.12.1 4 64511 3 3 0 00:05:39 Established 0

10.0.23.3 4 64511 3 4 0 00:05:23 Established 0
10.0.24.4 4 64511 3 4 0 00:05:16 Established 0

10.0.23.2 4 64511 7 8 0 00:04:33 Established 0

10.0.34.4 4 64511 8 9 0 00:04:32 Established 0
The command outputs show that the IBGP peer relationships have been successfully established in
the AS.
Step 4 Configure RRs.
# Configure R1 as an RR client on R2.
[R2]bgp 64511
[R2-bgp] peer 10.0.12.1 reflect-client
[R3]bgp 64511

[R4]bgp 64511
Step 5 Verify that the Originator_ID attribute can prevent routing loops.
In this step, configure R2 to advertise the BGP route 10.2.2.0/24. Observe whether the route is
advertised back to R2 after being reflected by R3 and R4 in sequence. If so, a routing loop may
occur.
By default, after R2 advertises a BGP route, the route is directly advertised by R2 to R4. In addition,
the route is reflected by R3 to R4. In this case, R4 preferentially selects the route directly advertised
by R2 and does not reflect the route reflected by R3 back to R2. For the purpose of this experiment,
a route-policy needs to be configured on R2 to prevent R2 from directly advertising the route
10.2.2.0/24 to R4.
# Configure a route-policy.
[R2]acl number 2000

[R2-acl-basic-2000] rule 5 permit
[R2-acl-basic-2000] quit
[R2]route-policy bgp deny node 10

[R2-route-policy] if-match acl 2000
# Apply the route-policy to filter routes to be advertised to the specified BGP peer.
[R2]bgp 64511
[R2-bgp] peer 10.0.24.4 route-policy bgp export
# Configure R2 to advertise the route 10.2.2.0/24.
[R2]bgp 64511
[R2-bgp] network 10.2.2.0 24
# Check detailed information about the route 10.2.2.0/24 on R2.

Paths : 1 available, 1 best, 1 select
Network route.
From : 0.0.0.0 (0.0.0.0)
Route Duration : 00h00m36s
Direct Out-interface : LoopBack1
Original nexthop : 10.2.2.2
AS-path Nil, origin igp, MED 0, pref-val 0, valid, local, best, select, pre 0
10.0.23.3 #R3
10.0.12.1 #R1
The command output shows that R2 has advertised this route to R3 and R1, but not to R4.
# Check detailed information about the BGP route 10.2.2.0/24 on R3.

RR-client route.
From : 10.0.23.2 (10.0.2.2)
Relay IP Nexthop : 0.0.0.0
Relay IP Out-Interface: GigabitEthernet0/0/3
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255
10.0.34.4
R3 has reflected the BGP route 10.2.2.0/24 from its RR client to the peer 10.0.34.4 (R4). In addition,
the next-hop address of the BGP route is 10.0.23.2.
# Check detailed information about the BGP route 10.2.2.0/24 on R4.

LocalAS number : 64511
Paths : 1 available,1 best, 1 select
RR-client route.
From : 10.0.34.3 (10.0.3.3)
Relay IP Out-Interface : GigabitEthernet0/0/1
Qosinformation : 0x0
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid,internal, best, select, active, pre 255, IGP cost 2
Originator : 10.0.2.2
Cluster list : 10.0.3.3
10.0.24.2
The route is received from the RR client R3. When R3 reflects the original route, the next-hop
address of the route remains unchanged, and R3 adds the Originator_ID attribute with the value of
10.0.2.2 to the route. After receiving this route from R3, R4 reflects it to R2.
# Check detailed information about the BGP route 10.2.2.0/24 on R2 again.

Network route.
From: 0.0.0.0 (0.0.0.0)

10.0.23.3
10.0.12.1
Only the locally advertised BGP route exists in the routing table, and the BGP route advertised by
R4 does not exist.
# Check detailed information about the BGP peer 10.0.24.4 on R2.
<R2>display bgp peer 10.0.24.4 verbose
BGP Peer is 10.0.24.4, remote AS 64511

Type: IBGP link
BGP version 4, Remote router ID 10.0.4.4
Update-group ID :2
BGP current state : Established, Up for 00h27m44s
BGP current event : RecvKeepalive
BGP last state : OpenConfirm
BGP Peer Up count :2
Received total routes :0
Received active routes total: 0
Advertised total routes :0
Port: Local - 179 Remote - 64495
Configured: Connect-retry Time : 32 sec
Configured: Active Hold Time : 180 sec Keepalive Time:60 sec
Received : Active Hold Time : 180 sec
Negotiated: Active Hold Time : 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 30 messages
Update messages 1
Open messages 1
KeepAlive messages 28
Notification messages 0
Refresh messages 0
Sent: Total 30 messages
Update messages 0
Open messages 2
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2020-06-02 14:12:02-08:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No import update filter list

No export update filter list
No import prefix list
No export prefix list
No import route policy
Export route policy is: bgp
No import distribute policy
No export distribute policy
The command output shows that R2 receives an Update message from R4 and does not send an
Update message to R4 (due to routing filtering by the route-policy). However, the BGP route
10.2.2.0/24 advertised by R4 does not exist in R2's BGP routing table.
# Trigger an import soft reset on R2 to allow R4 to re-send Update messages.
<R2>refresh bgp 10.0.24.4 import
# Check the number of Update messages sent and received on R2 again.
<R2>display bgp peer 10.0.24.4 verbose | in Update

Update-group ID : 2
BGP current event : RecvUpdate
Update messages 2
Update messages 0
The number of received Update messages increases. R2 receives the BGP route 10.2.2.0/24 from
R4.
# Check detailed information about the BGP route 10.2.2.0/24 on R2 again.

Network route.
From : 0.0.0.0 (0.0.0.0)
10.0.23.3
10.0.12.1
Still only the locally advertised BGP route exists in the routing table. The value of the Originator_ID
attribute of the BGP route advertised by R4 is the same as the local router ID. As a result, R2 ignores
the route advertised by R4.
Step 6 Verify that the Cluster_List attribute can prevent routing loops.
To facilitate observation, cancel BGP route advertisement on R2. Configure R1 to advertise its
Loopback1 route to the BGP routing table. Observe how the Cluster_List attribute prevents routing
loops.
# Delete the BGP route advertised by R2.
[R2]bgp 64511
[R2-bgp] undo network 10.2.2.0 255.255.255.0
# Configure R1 to advertise its Loopback1 route to the BGP routing table.
[R1]bgp 64511
[R1-bgp] network 10.1.1.0 24
# Check detailed information about the BGP route 10.1.1.0 /24 on R1, R2, R3, and R4 in sequence.
[R1]display bgp routing-table 10.1.1.0 24

Network route.
From : 0.0.0.0 (0.0.0.0)
10.0.12.2
R1 is the originator of the BGP route 10.1.1.0/24 and advertises it to R2 (10.0.12.2).

RR-client route.
From : 10.0.12.1 (10.0.1.1)
10.0.23.3
R2 receives the BGP route 10.1.1.0/24 from its RR client R1 and reflects it to R3 (10.0.23.3).

RR-client route.
From : 10.0.23.2 (10.0.2.2)
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 2
Cluster list : 10.0.2.2
10.0.34.4
R3 receives the BGP route 10.1.1.0/24 from its RR client R2, which added the Cluster_List attribute
with the value of 10.0.2.2 to the route when reflecting it. R3 then reflects the received route to R4
(10.0.34.4).

RR-client route.
From : 10.0.34.3 (10.0.3.3)
Cluster list : 10.0.3.3, 10.0.2.2
10.0.24.2
R4 receives the BGP route 10.1.1.0/24 from its RR client R3, which added the Cluster_List attribute
with the values of 10.0.3.3 and 10.0.2.2 to the route when reflecting it. R4 then reflects the received
route to R2 (10.0.24.2).


*>i 10.1.1.0/24 10.0.12.1 0 100 0 i

The BGP routing table of R2 still contains only the BGP route 10.1.1.0/24 received from the peer
10.0.12.1.
# Check detailed information about the BGP peer 10.0.24.4 on R2.
<R2>display bgp peer 10.0.24.4 verbose
BGP Peer is 10.0.24.4, remote AS 64511

Type: IBGP link
BGP version 4, Remote router ID 10.0.4.4
Update-group ID :2
BGP current state : Established, Up for 00h29m13s
BGP current event : RecvKeepalive
BGP last state : OpenConfirm
BGP Peer Up count :2
Received total routes :0
Received active routes total :0
Advertisedtotal routes :0
Port: Local- 179 Remote - 64495
Configured: Connect-retry Time : 32 sec
Configured: Active Hold Time 180 sec Keepalive Time:60 sec
Received : Active Hold Time : 180 sec
Negotiated: Active Hold Time : 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 32 messages
Update messages 1
Open messages 1
Refresh messages 0
Sent: Total 32 messages
Update messages 0
Open messages 2
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2020-06-02 14:14:03-08:00
Minimum route advertisement interval is 15 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No import update filter list
No export update filter list
No import prefix list
No export prefix list
No import route policy
Export route policy is: bgp
No import distribute policy
No export distribute policy
R2 receives an Update message from R4 and does not send an Update message to R4 (due to route
filtering by the route-policy). However, the local BGP routing table does not contain the BGP route
10.1.1.0/24 advertised by R4.
# Trigger an import soft reset on R2 to allow R4 to re-send Update messages.
<R2>refresh bgp 10.0.24.4 import
# Check the number of Update messages sent and received on R2 again.
<R2>display bgp peer 10.0.24.4 verbose | in Update

Update-group ID: 2
BGP current event: RecvUpdate
Update messages 2
Update messages 0
The number of received Update messages increases. R2 receives the BGP route 10.1.1.0/24 from R4.
# Check detailed information about the BGP route 10.1.1.0 24 on R2 again.

RR-client route.
From : 10.0.12.1 (10.0.1.1)
10.0.23.3
Still only the BGP route advertised by R1 exists in the routing table. The Cluster_List attribute of the
BGP route advertised by R4 contains the cluster ID of R2. As a result, R2 ignores the route
advertised by R4.
3.3.3 Quiz
Do the routes advertised by BGP to EBGP peers carry the Originator_ID and Cluster_List attributes?

Configuration on R1
#
sysname R1
#
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255

#
interface LoopBack1
ip address 10.1.1.1 255.255.255.0
#
bgp 64511
router-id 10.0.1.1
#
ipv4-family unicast
summary automatic
network 10.1.1.0 255.255.255.0
#
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
#
#
return
Configuration on R2
<R2>display current-configuration
#
sysname R2
#
acl number 2000
rule 5 permit
#
ip address 10.0.24.2 255.255.255.0
#
ip address 10.0.23.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.0
#
bgp 64511
router-id 10.0.2.2
#
ipv4-family unicast

peer 10.0.12.1 reflect-client
peer 10.0.24.4 route-policy bgp export
#
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.0.24.2 0.0.0.0
#
route-policy bgp deny node 10
if-match acl 2000
#
return
Configuration on R3
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
bgp 64511
router-id 10.0.3.3
#
ipv4-family unicast
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.0.34.3 0.0.0.0
#
return
Configuration on R4
#
sysname R4
#
ip address 10.0.24.4 255.255.255.0
#
ip address 10.0.34.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
bgp 64511
router-id 10.0.4.4
#
ipv4-family unicast
#
area 0.0.0.0
network 10.0.4.4 0.0.0.0
network 10.0.24.4 0.0.0.0
network 10.0.34.4 0.0.0.0
#
return
3.4 Lab 4: BGP Route Selection

3.4.1 Introduction
3.4.1.1 Objectives
 Change the AS_Path attribute to affect route selection.
 Change the Local_Pref attribute to affect route selection.
 Change the MED attribute to affect route selection.
 Change the PrefVal attribute to affect route selection.

Figure 3-4 BGP route selection
The preceding figure shows the device interconnection mode and IP addresses of interconnection
interfaces. Loopback0 is created on each device, and its IP address is in the format of 10.0.x.x/32,
where x indicates the device number. All devices use the IP addresses of Loopback0 as their BGP
router IDs.
R1 resides in AS 100; R5 resides in AS 200; R2, R3, and R4 reside in AS 64512. OSPF runs in AS 64512,
and OSPF is activated on the interconnection interfaces (excluding the interfaces connected to
external ASs) and Loopback0 interfaces.
EBGP peer relationships are established through directly connected interfaces, and IBGP peer
relationships are established through Loopback0 interfaces.
R1 and R5 share the following network segments: 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, and
172.16.4.0/24. R1 and R5 are configured to advertise routes destined for these network segments to
their BGP routing tables for route selection.
3.4.1.3 Background
You are a network administrator of a company. The company's network uses BGP to access two
service providers, ISP1 and ISP2. The company uses the private AS number 64512. The AS number of
ISP1 is 100, and that of ISP2 is 200. The same network can be reached through AS 100 and AS 200.
You can adjust the route direction by changing various BGP attributes.

2. Configure OSPF in AS 64512, and activate OSPF on the interconnection interfaces (excluding
the interfaces connected to external ASs) and Loopback0 interfaces.
3. Configure BGP peer relationships as planned, and configure R1 and R5 to advertise network
segment routes to their BGP routing tables.
4. On R1, configure a route-policy to change the AS_Path attribute of the BGP route 172.16.1.0/24
so that R3 preferentially selects the BGP route 172.16.1.0/24 advertised by R5.
5. On R4, configure a route-policy to change the Local_Pref attribute of the BGP route
172.16.2.0/24 so that R3 preferentially selects the BGP route 172.16.2.0/24 advertised by R4.
6. On R2, configure a route-policy to change the MED attribute of the BGP route 172.16.3.0/24 so
that R3 preferentially selects the BGP route 172.16.3.0/24 advertised by R5.
7. On R3, configure a route-policy to change the PrefVal attribute of the BGP route 172.16.4.0/24
# Name the devices.
[R1-LoopBack0] quit
# Create multiple loopback interfaces on R1 so that R1 can advertise the loopback routes to the BGP
routing table.
[R1-LoopBack1] quit
[R1-LoopBack2] quit
[R1-LoopBack3] quit
[R1-LoopBack4] quit
[R2-LoopBack0] quit
[R3-LoopBack0] quit
[R4-LoopBack0] quit
[R5-LoopBack0] quit
# Create multiple loopback interfaces on R5 so that R5 can advertise the loopback routes to the
BGP routing table.
[R5-LoopBack1] quit
[R5-LoopBack2] quit
[R5-LoopBack3] quit
[R5-LoopBack4] quit
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
<R4>ping -c 1 10.0.34.3

0.00% packet loss
<R4>ping -c 1 10.0.45.5

0.00% packet loss

Configure R2, R3, and R4 use the IP addresses of Loopback0 as their router IDs, and activate OSPF
on the interconnection interfaces (excluding the interfaces connected to external ASs) and
Loopback0 interfaces.

[R2-ospf-1] area 0.0.0.0
[R2-ospf-1] quit
# Configure R3, and activate OSPF on Loopback0, GE0/0/2, and GE0/0/3.

[R3-ospf-1] area 0.0.0.0
[R3-ospf-1] quit

[R4-ospf-1] area 0.0.0.0
[R4-ospf-1] quit

----------------------------------------------------------------------------
----------------------------------------------------------------------------
The command output shows that R3 has established neighbor relationships with R2 and R4.

Routing Tables
Routing for Network

10.0.3.3/32 0 Stub 10.0.3.3 10.0.3.3 0.0.0.0
10.0.23.0/24 1 Transit 10.0.23.3 10.0.3.3 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.3 10.0.3.3 0.0.0.0
10.0.2.2/32 1 Stub 10.0.23.2 10.0.2.2 0.0.0.0
10.0.4.4/32 1 Stub 10.0.34.4 10.0.4.4 0.0.0.0
Total Nets: 5
Step 3 Configure BGP peer relationships.
Establish IBGP peer relationships through loopback interfaces, and establish EBGP peer
relationships through interconnection interfaces.
# Configure R1.
[R1]bgp 100
[R1-bgp] peer 10.0.12.2 as 64512
# Configure R2.
[R2]bgp 64512

As OSPF is not activated on interconnection interfaces between ASs, R2 needs to be configured to

change the next-hop address of routes to the IP address of its source interface when advertising
them to the IBGP peer R3.
# Configure R3.
[R3]bgp 64512
# Configure R4.
[R4]bgp 64512
As OSPF is not activated on interconnection interfaces between ASs, R4 needs to be configured to

change the next-hop address of routes to the IP address of its source interface when advertising
them to the IBGP peer R3.
# Configure R5.
[R5]bgp 200
[R5-bgp] peer 10.0.45.4 as 64512
# Check the BGP peer relationship status on R2 and R4.

10.0.3.3 4 64512 27 30 0 00:03:49 Established 0

10.0.12.1 4 100 11 11 0 00:03:54 Established 0

10.0.3.3 4 64512 39 33 0 00:03:39 Established 0

10.0.45.5 4 200 4 6 0 00:02:54 Established 0
All the BGP peer relationships have been successfully established.

# Configure each of R1 and R5 to advertise the Loopback1, Loopback2, Loopback3, and Loopback4
routes to the BGP routing table.
[R1]bgp 100
[R1-bgp] network 172.16.1.0 24
[R1-bgp] network 172.16.2.0 24
[R1-bgp] network 172.16.3.0 24
[R1-bgp] network 172.16.4.0 24
[R5]bgp 200
[R5-bgp] network 172.16.1.0 24
[R5-bgp] network 172.16.2.0 24
[R5-bgp] network 172.16.3.0 24
[R5-bgp] network 172.16.4.0 24
# Check the BGP routing table on R3 to check whether R3 has learned these BGP routes
successfully.


*>i 172.16.1.0/24 10.0.2.2 0 100 0 100i

*i 10.0.4.4 0 100 0 200i
*>i 172.16.2.0/24 10.0.2.2 0 100 0 100i
*i 10.0.4.4 0 100 0 200i
*>i 172.16.3.0/24 10.0.2.2 0 100 0 100i
*i 10.0.4.4 0 100 0 200i
*>i 172.16.4.0/24 10.0.2.2 0 100 0 100i
*i 10.0.4.4 0 100 0 200i
R3 has learned the routes advertised by R1 and R5, and preferentially selects the route advertised by
R2.
Step 4 Change the AS_Path attribute.
On R1, configure a route-policy to change the AS_Path attribute of the BGP route 172.16.1.0/24 so
# Create IP prefix list 1 to match the Loopback1 route.

# Create a route-policy named hcip, create node 10, configure an if-match clause with IP prefix list 1
specified, and configure an apply clause to modify the AS_Path attribute of the matched route.

[R1-route-policy] apply as-path 300 400 additive
Create an empty node in the route-policy to ensure that no operation is performed on the other
three BGP routes.
# Apply the route-policy to the BGP routes to be advertised to the BGP peer R2.
[R1]bgp 100
[R1-bgp] peer 10.0.12.2 route-policy hcip export
# Trigger an export soft reset on R1 to update the advertised BGP routes.
<R1>refresh bgp all export
# Check detailed information about the BGP routes 172.16.1.0/24 on R3.

From: 10.0.4.4 (10.0.4.4)
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 1
Not advertised to any peer yet

From: 10.0.2.2 (10.0.2.2)
AS-path 100 300 400, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for AS-Path
R3 preferentially selects the BGP route 172.16.1.0/24 advertised by R4. This is because the AS_Path
length in the route advertised by R2 is longer than that of the route advertised by R4.
Step 5 Change the Local_Pref attribute.
On R4, configure a route-policy to change the Local_Pref attribute of the BGP route 172.16.2.0/24
# Create IP prefix list 1 to match the BGP route 172.16.2.0/24.
specified, and configure an apply clause to modify the Local_Pref attribute of the matched route.

[R4-route-policy] apply local-preference 200
three BGP routes.
# Apply the route-policy to the BGP routes to be advertised to the BGP peer R3.
[R4]bgp 64512
[R4-bgp] peer 10.0.3.3 route-policy hcip export

From : 10.0.4.4 (10.0.4.4)

From: 10.0.2.2 (10.0.2.2)
AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for Local_Pref
R3 preferentially selects the BGP route 172.16.2.0/24 advertised by R4. The Local_Pref value of the
BGP route advertised by R2 is 100, which is smaller than the Local_Pref value 200 of the BGP route
advertised by R3. As a result, the BGP route advertised by R2 is not preferentially selected.
Step 6 Change the MED attribute.
On R2, configure a route-policy to change the MED attribute of the BGP route 172.16.3.0/24 so that
R3 preferentially selects the BGP route 172.16.3.0/24 advertised by R5.
specified, and configure an apply clause to modify the MED attribute of the matched route.

[R2-route-policy] apply cost 200
three BGP routes.
# Apply the route-policy to the BGP routes received from the BGP peer R1.
[R2]bgp 64512
[R2-bgp] peer 10.0.12.1 route-policy hcip import
# Trigger an import soft reset on R2 to update the received BGP routes.
<R2>refresh bgp all import
# Configure R3 to compare the MED values of the BGP routes received from peers in different ASs.
[R3]bgp 64512
[R3-bgp] compare-different-as-med
By default, BGP does not compare the MED values of routes received from peers in different ASs.

From : 10.0.4.4 (10.0.4.4)

From: 10.0.2.2 (10.0.2.2)

AS-path 100, origin igp, MED 200, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for MED
The MED value of the BGP route 172.16.3.0/24 advertised by R2 is 200, and that of the BGP route
advertised by R4 is 0. In this case, R3 preferentially selects the BGP route with a smaller MED value.
As a result, the BGP route advertised by R2 is not preferentially selected.
Step 7 Change the PrefVal attribute.
On R3, configure a route-policy to change the PrefVal attribute of the BGP route 172.16.4.0/24 so
specified, and configure an apply clause to modify the PrefVal attribute of the matched route.

[R3-route-policy] apply preferred-value 300
three BGP routes.
# Apply the route-policy to the BGP routes received from the BGP peer R4.
[R3]bgp 64512
[R3-bgp] peer 10.0.4.4 route-policy hcip import
# Trigger an import soft reset on R3 to update the received BGP routes.
<R3>refresh bgp all import

From : 10.0.4.4 (10.0.4.4)

From: 10.0.2.2 (10.0.2.2)

AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre255, IGP cost 1, not preferred for PreVal
The PrefVal value of the BGP route 172.16.3.0/24 advertised by R4 is 300, and that of the route
advertised by R2 is 0. In this case, R3 preferentially selects the BGP route with a larger PrefVal value.
As a result, R3 preferentially selects the BGP route advertised by R4.


*>i 172.16.1.0/24 10.0.4.4 0 100 0 200i

*i 10.0.2.2 0 100 0 100 300 400i
*>i 172.16.2.0/24 10.0.4.4 0 200 0 200i
*i 10.0.2.2 0 100 0 100i
*>i 172.16.3.0/24 10.0.4.4 0 100 0 200i
*i 10.0.2.2 200 100 0 100i
*>i 172.16.4.0/24 10.0.4.4 0 100 300 200i
*i 10.0.2.2 0 100 0 100i
The command output show that all the routes advertised by R4 are preferentially selected.
Step 8 (Optional) Verify that a locally originated BGP route takes precedence over a BGP route learned
from a peer.
Create Loopback1 on R2 and configure R2 to advertise the Loopback1 route to the OSPF routing
table. Then, configure R2 and R3 to advertise the Loopback1 route to their BGP routing tables. In
this case, the BGP routing table of R3 will contain two BGP routes to Loopback1 on R2.
# Create Loopback1 on R2 and set its IP address to 10.2.2.2/32.
[R2-LoopBack1] quit
# Activate OSPF on Loopback1.
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1] quit
# Check the OSPF route 10.2.2.2/32 on R3.
Cost :1 Type : Stub
R3 has learned the Loopback1 route from R2.

# Configure R2 and R3 to advertise their Loopback1 routes to their BGP routing tables.
[R2]bgp 64512
[R2-bgp] network 10.2.2.2 32
[R3]bgp 64512
[R3-bgp] network 10.2.2.2 32

Network route.
From : 0.0.0.0 (0.0.0.0)
Direct Out-interface : GigabitEthernet0/0/3
10.0.2.2
10.0.4.4
From : 10.0.2.2 (10.0.2.2)
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for route type
R3 preferentially selects the locally advertised BGP route 10.2.2.2/32. The BGP route 10.2.2.2/32
advertised by R1 is not preferentially selected because its route type is not preferred. A locally
originated route takes precedence over a route learned from a BGP peer.
Step 9 (Optional) Change the Origin attribute.
Create Loopback5 on R1 and R5, and configure the devices to advertise the Loopback5 routes to
their BGP routing tables. Verify that the BGP route whose Origin attribute is IGP takes precedence
over the BGP route whose Origin attribute is Incomplete.
# Create Loopback5 on R1 and R5 and set its IP address to 172.16.5.1/24.
[R1-LoopBack5] quit
[R5-LoopBack5] quit
# Configure R1 and R5 to advertise Loopback5 routes to their BGP routing tables using the network
command.
[R1]bgp 100
[R1-bgp] network 172.16.5.0 24
[R5]bgp 200
[R5-bgp] network 172.16.5.0 24


*> 10.2.2.2/32 0.0.0.0 1 0 i

*i 10.0.2.2 0 100 0 i
*>i 172.16.1.0/24 10.0.4.4 0 100 0 200i
*i 10.0.2.2 0 100 0 100 300 40
0i
*>i 172.16.2.0/24 10.0.4.4 0 200 0 200i
*i 10.0.2.2 0 100 0 100i
*>i 172.16.3.0/24 10.0.4.4 0 100 0 200i
*i 10.0.2.2 200 100 0 100i
*>i 172.16.4.0/24 10.0.4.4 0 100 300 200i
*i 10.0.2.2 0 100 0 100i
*>i 172.16.5.0/24 10.0.2.2 0 100 0 100i
*i 10.0.4.4 0 100 0 200i
R3 preferentially selects the BGP route 172.16.5.0/24 received from R2 (and originally advertised by
R1). In this case, the Origin attribute of the BGP routes advertised by R2 and R4 is IGP.
# Delete the Loopback5 route advertised by R1 to the BGP routing table.
[R1]bgp 100
[R1-bgp] undo network 172.16.5.0 24
# Create IP prefix list 2 to match the Loopback5 route 172.16.5.0/24 of R1.
# Create a route-policy named origin, create node 10, and configure an if-match clause with IP
prefix list 2 specified.
[R1]route-policy origin permit node 10

# Run the import-route direct command on R1 to advertise direct routes to the BGP routing table,
and specify route-policy origin to import only the Loopback5 route.
[R1]bgp 100
[R1-bgp] import-route direct route-policy origin

From : 10.0.4.4 (10.0.4.4)
AS-path 200, origin igp, MED 0, localpref 100, pref-val 0, valid,internal, bes
t, select, active, pre 255, IGP cost 1

From : 10.0.2.2 (10.0.2.2)
AS-path 100, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for Origin
R3 preferentially selects the BGP route 172.16.5.0/24 advertised by R4.

The Origin attribute of the BGP route 172.16.5.0/24 received from R2 (and originally advertised by
R1) is incomplete (advertised to the BGP routing table using the import-route command). Due to
the Origin attribute value, this route is not preferentially selected.
Step 10 (Optional) Verify that an EBGP route takes precedence over an IBGP route.
Create Loopback6 on R1 and R3, and configure the devices to advertise the Loopback6 routes to
their BGP routing tables. Observe the route selection result on R2.
# Create Loopback6 on R1 and R3.
[R1-LoopBack6] quit
[R3-LoopBack6] quit
# Configure R1 and R3 to advertise their Loopback6 routes to the BGP routing tables.
[R1]bgp 100
[R1-bgp] network 172.16.6.0 24
[R3]bgp 64512
[R3-bgp]network 172.16.6.0 24

From : 10.0.3.3 (10.0.3.3)
10.0.12.1
From : 10.0.12.1 (10.0.1.1)
AS-path 100, origin igp, MED 0, pref-val 0, valid, external, pre 255, not preferred for AS-Path
R2 preferentially selects the BGP route 172.16.6.0/24 advertised by R3 due to the AS_Path value.
# On R3, configure a route-policy to add an AS_Path value to the BGP route 172.16.6.0/24.
[R3]route-policy as_path permit node 10

[R3-route-policy] apply as-path 300 additive
[R3]route-policy as_path permit node 20
[R3]bgp 64512
[R3-bgp] peer 10.0.2.2 route-policy as_path export
# Check detailed information about the BGP routes 172.16.6.0/24 on R2 again.

From : 10.0.12.1 (10.0.1.1)
AS-path 100, origin igp, MED 0, pref-val 0, valid, external, best, select, active, pre 255
10.0.3.3
From : 10.0.3.3 (10.0.3.3)
AS-path 300, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 1, not preferred for peer type
The BGP route from R3 is not preferentially selected because BGP preferentially selects the route
from an EBGP peer when the other route attributes are the same.
Step 11 (Optional) Verify that BGP preferentially selects the route with the smallest IGP cost to the next
hop.
Establish an IBGP peer relationship between R2 and R4 through loopback interfaces. Create
Loopback7 on R2 and R3, and configure the devices to advertise the Loopback7 routes to their BGP
routing tables. Then, observe the BGP route selection result on R4.
# Establish an IBGP peer relationship between R2 and R4.
[R2]bgp 64512
[R2-bgp] peer 10.0.4.4 connect-interface LoopBack 0
[R4]bgp 64512
# Check the IBGP peer relationship status.
[R4]display bgp peer

10.0.2.2 4 64512 7 3 0 00:00:01 Established 7

10.0.3.3 4 64512 37 36 0 00:31:57 Established 2
10.0.45.5 4 200 38 36 0 00:31:58 Established 5
The command output shows that the IBGP peer relationship has been successfully established.
# Create Loopback7 on R2 and R4, and configure the devices to advertise the Loopback7 routes to
their BGP routing tables.
[R2-LoopBack7] quit
[R2]bgp 64512
[R2-bgp] network 172.16.7.0 24
[R3-LoopBack7] quit
[R3]bgp 64512
[R3-bgp] network 172.16.7.0 24
[R4]dis bgp routing-table 172.16.7.0 24

From : 10.0.3.3 (10.0.3.3)
10.0.45.5
From : 10.0.2.2 (10.0.2.2)
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, pre 255, IGP cost 2, not preferred for IGP cost
R4 preferentially selects the BGP route advertised by R3 because its IGP cost is 1, which is lower
than the IGP cost 2 of the BGP route advertised by R2.
The BGP route advertised by R2 is not preferentially selected due to the IGP cost.
----End
3.4.3 Quiz
Consider whether a routing policy can be used to delete an AS number from the AS_Path attribute.

Configuration on R1
#
sysname R1
#
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
interface LoopBack1
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack2
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.3.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.4.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.5.1 255.255.255.0
#
interface LoopBack6
ip address 172.16.6.1 255.255.255.0
#
bgp 100
router-id 10.0.1.1
#
ipv4-family unicast
network 172.16.1.0 255.255.255.0
network 172.16.2.0 255.255.255.0
network 172.16.3.0 255.255.255.0
network 172.16.4.0 255.255.255.0
network 172.16.6.0 255.255.255.0
import-route direct route-policy origin

peer 10.0.12.2 route-policy hcip export
#
apply as-path 300 400 additive
#
#
route-policy origin permit node 10
#
#
Return
Configuration on R2
#
sysname R2
#
ip address 10.0.23.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
#
interface LoopBack7
ip address 172.16.7.1 255.255.255.0
#
bgp 64512
router-id 10.0.2.2
#
ipv4-family unicast
network 10.2.2.2 255.255.255.255
network 172.16.7.0 255.255.255.0
peer 10.0.12.1 route-policy hcip import
#

area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.2.2.2 0.0.0.0
#
apply cost 200
#
#
#
ip route-static 10.0.1.1 255.255.255.255 10.0.12.1
#
return
Configuration on R3
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
interface LoopBack6
ip address 172.16.6.1 255.255.255.0
#
interface LoopBack7
ip address 172.16.7.1 255.255.255.0
#
bgp 64512
router-id 10.0.3.3
#
ipv4-family unicast
compare-different-as-med
network 10.2.2.2 255.255.255.255
network 172.16.6.0 255.255.255.0
network 172.16.7.0 255.255.255.0
peer 10.0.2.2 route-policy as_path export
peer 10.0.4.4 route-policy hcip import
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.0.34.3 0.0.0.0
#
apply preferred-value 300
#
#
route-policy as_path permit node 10
apply as-path 300 additive
#
route-policy as_path permit node 20
#
#
return
Configuration on R4
#
sysname R4
#
ip address 10.0.45.4 255.255.255.0
#
ip address 10.0.34.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
bgp 64512
router-id 10.0.4.4
#
ipv4-family unicast
peer 10.0.3.3 route-policy hcip export
#
area 0.0.0.0
network 10.0.4.4 0.0.0.0
network 10.0.34.4 0.0.0.0
#
apply local-preference 200
#
#
#
ip route-static 10.0.5.5 255.255.255.255 10.0.45.5
#
return
Configuration on R5
#
sysname R5
#
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 10.0.5.5 255.255.255.255
#
interface LoopBack1
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack2
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.3.1 255.255.255.0
#
interface LoopBack4
ip address 172.16.4.1 255.255.255.0
#
interface LoopBack5
ip address 172.16.5.1 255.255.255.0
#
bgp 200
router-id 10.0.5.5
#
ipv4-family unicast
network 172.16.1.0 255.255.255.0
network 172.16.2.0 255.255.255.0
network 172.16.3.0 255.255.255.0
network 172.16.4.0 255.255.255.0
network 172.16.5.0 255.255.255.0
#
ip route-static 10.0.4.4 255.255.255.255 10.0.45.4

#
return
4 Routing Policy and Routing Control
4.1 Route Import and Control

4.1.1 Introduction
4.1.1.1 Objectives
 Use a route-policy to filter routes to be imported.
 Use a route-policy to set route flags and filter labeled routes.
 Use a filter-policy to filter routes to be imported into the OSPF routing table.
Figure 4-1 Route import and control
The preceding figure shows the device interconnection mode and interconnection addresses.
Loopback0 is created for each device. The IP address of Loopback0 is 10.0.x.x/32, where x indicates
a device ID. OSPF is configured on interconnection interfaces and Loopback0 interfaces of R1, R2,
and R3.
R3 and R4 belong to IS-IS area 49.0001 and both are Level-1 routers. The system IDs of R3 and R4
are in the format of 0000.0000.000x, where x indicates a device ID.
On R1, there are three network segments of services A, B, and C (simulated using routes destined
for Loopback1, Loopback2, and Loopback3, respectively). On R1, direct routes are imported to the
OSPF routing table. Routers within an OSPF area, however, do not need to import the route
destined for the network segment of service C. Configure a route-policy on R1 to filter direct routes
to be imported.
R2 does not need the route destined for service A's network segment; R3 needs the routes destined
for network segments of services A and B. A filter-policy needs to be configured on R2 to filter the
routes to be accepted by OSPF.
Routers in the IS-IS domain need to access service A. Therefore, route re-distribution needs to be
performed on R3 to import OSPF routes to IS-IS. Routers in the IS-IS domain do not need to access
service B. Therefore, when direct routes are imported on R1, the routes of the network segment of
service B are marked with different route tags. When re-distribution is performed on R3, the route
destined for the network segment of service B are filtered according to the route tags.
4.1.1.3 Background
The local enterprise network has two routing areas. One area runs OSPF, and the other area runs IS-
IS. The border router in the OSPF area is connected to some service network segments of other
enterprises. To allow the local enterprise network device to access these service network segments
of other enterprises, import routes destined for the service network segments into the OSPF area.
To enable devices in the IS-IS area to access those service network segments, import OSPF external
routes to the IS-IS routing table. Different departments on the local enterprise network have
different requirements for service network segment access. Therefore, route-policies and filter-
policies need to be deployed to filter routes to be accepted and advertised.

2. Configure OSPF on each Loopback0 interface and the interfaces that connect R1, R2, R3, and
R4. Configure an IS-IS neighbor relationship between R3 and R4.
3. On R1, import direct routes to the OSPF routing table; configure a route-policy not to import
routes destined for the service C network segment; add route tags 10 and 20 to the routes
destined for network segments of services A and B, respectively.
4. Configure a filter-policy on R2 to filter OSPF routes to be accepted. Only the routes destined
for the service B network segment can be accepted.
5. Import OSPF routes to the IS-IS routing table on R3. Use a route-policy to match route flags
and import only OSPF external route destined for the service A network segment.
4.1.2.2 Procedure
# Name the devices.
# Configure IP addresses for GE0/0/2 and Loopback0 on R1.
[R1-LoopBack0] quit
# Create multiple loopback interfaces on R1 to simulate network segments of services A, B, and C.
[R1-LoopBack1] quit

[R1-LoopBack2] quit
[R1-LoopBack3] quit
# Configure IP addresses for GE0/0/2, GE0/0/3, and Loopback0 on R2.
[R2-LoopBack0] quit
# Configure IP addresses for GE0/0/2, GE0/0/3, and Loopback0 on R3.
[R3-LoopBack0] quit
# Configure IP addresses for GE0/0/3 and Loopback0 on R4.
[R4-LoopBack0] quit
# Check IP address connectivity on R2 and R4.
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
<R4>ping -c 1 10.0.34.3

0.00% packet loss
Step 2 Configure OSPF and IS-IS.

On R1, R2, and R3, use the IP address of Loopback0 as a router ID, and activate OSPF on the
interconnected interfaces and Loopback0 interfaces.
# Configure R1.

[R1-ospf-1] area 0
[R1-ospf-1] quit
# Configure R2.

[R2-ospf-1] area 0.0.0.0
[R2-ospf-1] quit
# Configure R3.
[R3-ospf-1] area 0.0.0.0
[R3-ospf-1] quit
# Check brief information about OSPF neighbors on R2.

----------------------------------------------------------------------------

----------------------------------------------------------------------------
OSPF neighbor relationships have been established between R1 and R2, and between R2 and R3.
Configure IS-IS on R3 and R4. Set the area ID to 49.0001. Set a system ID in the format of
0000.0000.000x (x indicates a device ID). Configure R3 and R4 as Level-1 routers. Activate IS-IS on
the interconnected interfaces and R4's Loopback0 interface.
# Configure R3.
[R3]isis 1
[R3-isis-1] quit
# Configure R4.
[R4]isis 1
[R4-isis-1] quit
[R4-LoopBack0] quit
# Check the IS-IS neighbor status on R3.

-------------------------------------------------------------------------------
0000.0000.0004 GE0/0/2 0000.0000.0001.01 Up 22s L1 64
Total Peer(s): 1
Step 3 Import direct routes on R1.

On R1, import direct routes to the OSPF routing table, configure a route-policy to filter out the
routes destined for the network segment of service C, and add route flags 10 and 20 to the routes to
the network segments of services A and B, respectively.
# Create IP prefix list 1 to match the route destined for Loopback1 (network segment of service A).
[R1]ip ip-prefix 1 index 10 permit 172.16.1.0 24 greater-equal 24 less-equal 24
# Create IP prefix list 2 to match the route destined for Loopback2 (network segment of service B).
[R1]ip ip-prefix 2 index 10 permit 172.16.2.0 24 greater-equal 24 less-equal 24
# Create a route-policy named hcip, create nodes 10 and 20, apply IP prefix lists 1 and 2 to the two
nodes, respectively, and add route flags.

[R1-route-policy] apply tag 10
[R1-route-policy] apply tag 20
# Import direct routes to the OSPF routing table on R1 and apply the route-policy named hcip.
[R1]ospf 1
[R1-ospf-1] import-route direct route-policy hcip

Link State Database
Area:0.0.0.0
Router 10.0.3.3 10.0.3.3 1333 48 8000000C 1
Router 10.0.4.4 10.0.4.4 1639 48 80000006 1
Router 10.0.2.2 10.0.2.2 777 60 8000000D 1
Router 10.0.12.1 10.0.12.1 1373 48 80000006 1
Router 10.0.1.1 10.0.1.1 24 48 80000008 1
Network 10.0.23.3 10.0.3.3 1643 32 80000001 0
Network 10.0.12.2 10.0.2.2 777 32 80000002 0
Network 10.0.34.4 10.0.4.4 1639 32 80000002 0
AS External Database
External 172.16.2.0 10.0.1.1 24 36 80000001 1
External 172.16.1.0 10.0.1.1 24 36 80000001 1
Routes to Loopback1 and Loopback2 have been imported to the OSPF routing table.
# Check the AS-external LSA 172.16.1.0 in the OSPF LSDB on R1.
[R1]display ospf lsdb ase 172.16.1.0

Link State Database
Type : External
Ls id : 172.16.1.0
Adv rtr : 10.0.1.1
Ls age : 165
Len : 36
Options :E
seq# : 80000001
chksum : 0xa954
Net mask : 255.255.255.0
TOS 0 Metric : 1
Etype :2
Tag : 10
Priority : Low
The external route destined for 172.16.1.0/24 has been tagged 10.
# Check AS-external LSA 172.16.2.0 in the OSPF LSDB on R1.
[R1]display ospf lsdb ase 172.16.2.0

Link State Database
Type : External
Ls id : 172.16.2.0
Adv rtr : 10.0.1.1
Ls age : 355
Len : 36
Options :E
seq# : 80000001
chksum : 0x539f
Net mask : 255.255.255.0
TOS 0 Metric: 1
Etype :2
Tag : 20
Priority : Low
The external route destined for 172.16.2.0/24 has been tagged 20.
Step 4 Configure a filter-policy on R2.
Configure a filter-policy on R2 to filter OSPF routes to be accepted so that only the route destined
for network segment of service B can be accepted.
# Check the OSPF routing table before the filter-policy is configured.

Routing Tables
Routing for Network

10.0.2.2/32 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.12.0/24 1 Transit 10.0.12.2 10.0.2.2 0.0.0.0
10.0.23.0/24 1 Transit 10.0.23.2 10.0.2.2 0.0.0.0
10.0.1.1/32 1 Stub 10.0.12.1 10.0.1.1 0.0.0.0
10.0.3.3/32 1 Stub 10.0.23.3 10.0.3.3 0.0.0.0
Routing for ASEs

172.16.1.0/24 1 Type2 10 10.0.12.1 10.0.1.1
172.16.2.0/24 1 Type2 20 10.0.12.1 10.0.1.1
# Check the OSPF routes in the IP routing table before the filter-policy is configured.

------------------------------------------------------------------------------
Destinations :4 Routes : 4


OSPF external routes destined for 172.16.1.0/24 and 172.16.2.0/24 are displayed in the OSPF routing
table and IP routing table.
# Configure a basic ACL.
[R2]acl number 2000

[R2-acl-basic-2000] rule 5 deny source 172.16.1.0 0.0.0.255
[R2-acl-basic-2000] rule 10 permit
# Configure an import filter-policy for OSPF and apply ACL 2000.
[R2]ospf 1
[R2-ospf-1] filter-policy 2000 import
# Check the OSPF routing table after the filter-policy is configured.

Routing Tables
Routing for Network

10.0.2.2/32 0 Stub 10.0.2.2 10.0.2.2 0.0.0.0
10.0.12.0/24 1 Transit 10.0.12.2 10.0.2.2 0.0.0.0
10.0.23.0/24 1 Transit 10.0.23.2 10.0.2.2 0.0.0.0
10.0.1.1/32 1 Stub 10.0.12.1 10.0.1.1 0.0.0.0
10.0.3.3/32 1 Stub 10.0.23.3 10.0.3.3 0.0.0.0
Routing for ASEs

172.16.1.0/24 1 Type2 10 10.0.12.1 10.0.1.1

172.16.2.0/24 1 Type2 20 10.0.12.1 10.0.1.1
# Check the OSPF routes in the IP routing table after the filter-policy is configured.

------------------------------------------------------------------------------
Destination :4 Routes : 4


The route destined for 172.16.2.0/24 does not exist in the IP routing table but exists in the OSPF
routing table. This proves that for OSPF, the filter-policy only restricts routes to be added to the IP
routing table, but does not affect the local LSDB and LSA transmission.
# Check the OSPF routes in the IP routing table on R3.

------------------------------------------------------------------------------


The OSPF external routes destined for 172.16.1.0/24 and 172.16.2.0/24 still exist in the IP routing
table of R3.
Step 5 Import OSPF routes to the IS-IS routing table on R3.
Import OSPF routes to the IS-IS routing table on R3. Use a route-policy to match route flags and
import only OSPF external route destined for network segment of service A.
# Create a route-policy named hcip.

[R3-route-policy] if-match tag 10
# Import OSPF routes to the IS-IS routing table and apply the route-policy named hcip to import
only OSPF external routes of the network segment of service A.
[R3]isis 1
[R3-isis-1] import-route ospf 1 level-1 route-policy hcip
# Check the IS-IS routing table of R3.

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.0.4.4/32 10 NULL GE0/0/2 10.0.34.4 A/-/-/-
10.0.34.0/24 10 NULL GE0/0/2 Direct D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
ISIS(1) Level-1 Redistribute Table

----------------------------------
Type IPV4 Destination IntCost ExtCost Tag

-------------------------------------------------------------------------------
O 172.16.1.0/24 0 0
Type: D-Direct, I-ISIS, S-Static, O-OSPF, B-BGP, R-RIP, U-UNR
The Level-1 route redistribution table contains only a route destined for 172.16.1.0/24.
----End
4.1.3 Quiz
What are the differences when the filter-policy is used in distance-vector and link-state routing
protocols?

Configuration on R1
#
sysname R1
#
ip address 10.0.12.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
interface LoopBack1
ip address 172.16.1.1 255.255.255.0
#
interface LoopBack2
ip address 172.16.2.1 255.255.255.0
#
interface LoopBack3
ip address 172.16.3.1 255.255.255.0
#
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
#
apply tag 10
#
apply tag 20
#
#
return
Configuration on R2
#
sysname R2
#
acl number 2000
rule 5 deny source 172.16.1.0 0.0.0.255
rule 10 permit
#
ip address 10.0.23.2 255.255.255.0
#
ip address 10.0.12.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
filter-policy 2000 import
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.0.12.2 0.0.0.0
#
return
Configuration on R3
#
sysname R3
#
isis 1
is-level level-1
network-entity 49.0001.0000.0000.0003.00
import-route ospf 1 level-1 route-policy hcip
#
ip address 10.0.34.3 255.255.255.0
isis enable 1
#
ip address 10.0.23.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.23.3 0.0.0.0
#
if-match tag 10
#
return
Configuration on R4
#
sysname R4
#
isis 1
is-level level-1
network-entity 49.0001.0000.0000.0004.00
#
ip address 10.0.34.4 255.255.255.0
isis enable 1
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
isis enable 1
#
return
5 RSTP and MSTP
5.1 Basic RSTP and MSTP Configurations

5.1.1 Introduction
5.1.1.1 Objectives
 Manually change a bridge priority to affect root bridge election.
 Manually change a port cost value to control root port election.
 Manually change a port priority value to control root port election.
 Configure MSTP to implement load balancing among VLANs.
Figure 5-1 Basic RSTP and MSTP configurations
The preceding figure shows connections between switches. Configure RSTP and MSTP to break
Layer 2 loops, and manually specify the primary root bridge and secondary root bridge.
5.1.1.3 Background
You are a network administrator of a company. The enterprise network uses a backup network. To
prevent loops, RSTP is deployed. All VLANs share the same STP spanning tree. To load balancing
data traffic between VLANs, MSTP needs to be deployed on the network.

1. Enable STP and change the STP mode to RSTP.
2. Manually specify S1 as the primary root bridge and S2 as the secondary root bridge.
3. Change the interface cost so that S4's GE0/0/1 becomes the root port.
4. Change the priority value of S1's GE0/0/11 so that S2's GE0/0/11 becomes the root port.
5. Change the STP mode to MSTP, create MSTI1 and MSTI2. Specify SW1 as the root bridge of
MSTI1 and secondary root bridge of MSTI2, and specify SW2 as the root bridge of MSTI2 and
secondary root bridge of MSTI1.
5.1.2.2 Procedure
Step 1 Perform basic RSTP configurations.
Enable STP on S1, S2, S3, and S4, and switch the STP mode to RSTP.
# Name the devices.
# Configure S1.
[S1]stp enable
[S1]stp mode rstp
# Configure S2.
[S2]stp enable
[S2]stp mode rstp
# Configure S3.
[S3]stp enable
[S3]stp mode rstp
# Configure S4.
[S4]stp enable
[S4]stp mode rstp
# Check the STP status and statistics.
<S1>display stp instance 0 brief

MSTID Port Role STPState Protection
0 GigabitEthernet0/0/10 DESI FORWARDING NONE
[S2]display stp brief

0 GigabitEthernet0/0/10 ROOT FORWARDING NONE
0 GigabitEthernet0/0/11 ALTE DISCARDING NONE



All ports on S1 are designated ports, and S1 is the root bridge. In practice, the actual test result may
be different from the preceding result because the MAC address of a switch is uncertain.
# Check the STP status and statistics on S1. The following information is displayed:
<S1>display stp
-------[CIST Global Info][Mode RSTP]-------
CIST Bridge :32768.4c1f-cc1d-61a8
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
ActiveTimes :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.4c1f-cc1d-61a8 / 0
CIST RegRoot/IRPC :32768.4c1f-cc1d-61a8 / 0
CIST RootPortId :0.0
BPDU-Protection :Disabled
TC or TCN received :15
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:11m:14s
Number of TC :17
Last TCoccurred :GigabitEthernet0/0/13
S1 is the root bridge.

Step 2 Control root bridge election.
Configure S1 as the primary root bridge and S2 as the secondary root bridge.
# Manually adjust the STP priority and specify S1 as the primary root bridge and S2 as the
secondary root bridge.
[S1]stp priority 4096
[S2]stp priority 8192
When the other two switches retain the default bridge priority (32768), S1 has the lowest bridge
priority, followed by S2.
# Check the STP status and statistics on S1. The following information is displayed:
[S1]display stp
CIST Bridge :4096 .4c1f-cc1d-61a8
CIST Root/ERPC :4096 .4c1f-cc1d-61a8 / 0
CIST RegRoot/IRPC :4096 .4c1f-cc1d-61a8 / 0

Number of TC :45
The bridge priority of S1 is 4096 and S1 is still the root bridge.

# Delete the configuration of manually adjusting the bridge priority on S1 and S2, and run the stp
root command to specify the primary root bridge and secondary root bridge.
[S1]undo stp priority

[S1]stp root primary
[S2]undo stp priority

[S2]stp root secondary
# Check the STP status and statistics on S1 and S2. The following information is displayed:
[S1]display stp
CIST Bridge :0 .4c1f-cc1d-61a8
CIST RegRoot/IRPC :0 .4c1f-cc1d-61a8 / 0
CIST Root Type :Primary root
Number of TC :51
[S2]display stp
CIST Bridge :4096 .4c1f-cc69-5bf7
CIST RegRoot/IRPC :4096 .4c1f-cc69-5bf7 / 0
CIST Root Type :Secondary root
Number of TC :44
The bridge priority of S1 is 0 and that of S2 is 4096. S1 is the primary root bridge and S2 is the
secondary root bridge.
Step 3 Change the interface cost to control root port election.

# Check the STP status and statistics on S4.

GE0/0/2 on S4 has a smaller root path cost (RPC) and becomes the root port.
# Check the STP status and statistics on GE0/0/2 of S4.
[S4]display stp interface GigabitEthernet 0/0/2

CIST Bridge :32768.4c1f-cc49-4c7c
CIST RegRoot/IRPC :32768.4c1f-cc49-4c7c / 0
Number of TC :47
----[Port2(GigabitEthernet0/0/2)][FORWARDING]----
Port Protocol :Enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :0.4c1f-cc1d-61a8 / 128.13
Port Edged :Config=default / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147packets/hello-time
Protection Type :None
Port STPMode :RSTP
Port Protocol Type :Config=auto / Active=dot1s
BPDU Encapsulation :Config=stp / Active=stp
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 0
TCor TCN send :26
TCor TCN received :40
BPDU Sent :1747
TCN: 0, Config: 0, RST: 1747, MST: 0
BPDU Received :1048
TCN: 0, Config: 0, RST: 1048, MST: 0
In this case, the RPC calculation method is dot1t, and the STP cost of the interface is 20000.
# Change the STP cost of GE0/0/2 on S4 to 40001.
[S4]interface GigabitEthernet 0/0/2

[S4-GigabitEthernet0/0/2] stp cost 40001
# Check the STP status and statistics on S4 again.
<S4>display stp brief

The RPC of GE0/0/1 is 40000, smaller than RPC 40001 of GE0/0/2. GE0/0/1 of S4 becomes the root
port.
Step 4 Change the interface priority to control root port election.
# Check the STP status and statistics on S2.

The BPDUs received on GE0/0/10 and GE0/0/11 of S2 have the same RPC, bridge ID, and interface
priority. Therefore, S2 compares interface numbers in the received BPDU interface IDs.
# Enable LLDP on S1 and S2 and check interface connections.
[S1]lldp enable
[S2]lldp enable
[S2]display lldp neighbor brief

Local Intf NeighborDev NeighborIntf Exptime
GE0/0/10 S1 GE0/0/10 102
GE0/0/11 S1 GE0/0/11 102
GE0/0/12 S4 GE0/0/1 108
GE0/0/13 S3 GE0/0/2 103
The peer end of S2's GE0/0/10 is S1's GE0/0/10, and the peer end of S2's GE0/0/11 is S1's GE0/0/11.
The BPDU received by GE0/0/10 on S2 has a smaller interface number, which is why GE0/0/10
becomes the root port.
# Change the STP priority of S1's GE0/0/11 so that the priority of BPDUs sent by GE0/0/11 becomes
higher than that of BPDUs sent by GE0/0/10.

[S1-GigabitEthernet0/0/11] stp port priority 64
The priority value of the STP interface is 128. The smaller the value, the higher the priority.
# Check the STP status and statistics on S2 again.

S2's GE0/0/1 becomes the root port.

Step 5 Basic MSTP Configurations
Create VLANs 10, 20, 30, 40, 50, 60, 70 and 80 on all switches. Configure an MSTP domain named
hcip. Create two instances named Instance 1 and Instance 2. Map VLANs 10, 30, 50, and 70 to
Instance 1. Map VLANs 20, 40, 60, and 80 to Instance 2. In addition, SW1 is configured as the
primary root bridge of MSTI1 and the secondary root bridge of MSTI2, and SW2 is configured as the
primary root bridge of MSTI2 and the secondary root bridge of MSTI1.
# Create VLANs.
[S1]vlan batch 10 20 30 40 50 60 70 80
[S2]vlan batch 10 20 30 40 50 60 70 80
[S3]vlan batch 10 20 30 40 50 60 70 80
[S4]vlan batch 10 20 30 40 50 60 70 80
# Configure all interconnection interfaces as trunk interfaces and allow packets from all VLANs to
pass.
# Change the STP mode to MSTP.
[S1]stp mode mstp
[S2]stp mode mstp
[S3]stp mode mstp
[S4]stp mode mstp
# Configure MSTP.
[S1]stp region-configuration
[S1-mst-region] region-name hcip
[S1-mst-region] revision-level 1
[S1-mst-region] instance 1 vlan 10 30 50 70
[S1-mst-region] active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-mst-region] quit
# Check mappings between MSTIs and VLANs on S1.
[S1]display stp region-configuration

Oper configuration
Format selector :0
Region name :hcip
Revision level :1
Instance VLANs Mapped

0 1 to 9, 11 to 19, 21 to 29, 31 to 39, 41 to 49, 51 to 59, 61 to
69, 71 to 79, 81 to 4094
1 10, 30, 50, 70
2 20, 40, 60, 80
# Configure SW1 as the root bridge of MSTI1 and the secondary root bridge of MSTI2.
[S1]stp instance 1 root primary

[S1]stp instance 2 root secondary
# Configure SW2 as the primary root bridge of MSTI2 and the secondary root bridge of MSTI1.

# Check the status and statistics of MSTI1 on S1.
[S1]display stp instance 1 brief

MSTID Port Role STP State Protection
All ports on S1 are designated ports, and S1 is the root bridge of MSTI1.


All ports on S2 are designated ports, and S2 is the root bridge of MSTI2.
----End
5.1.3 Quiz
Compared with STP, which improvements are made in RTSP?

Configuration on S1
sysname S1
#
vlan batch 10 20 30 40 50 60 70 80
#
lldp enable
#
stp instance 0 root primary
stp instance 2 root secondary
#
stp region-configuration
region-name hcip
revision-level 1
instance 1 vlan 10 30 50 70
active region-configuration
#
port link-type trunk
port trunk allow-pass vlan 10 20 30 40 50 60 70 80
#
stp instance 0 port priority 64
#
#
#
return
Configuration on S2
sysname S2
#
vlan batch 10 20 30 40 50 60 70 80
#
lldp enable
#
#
region-name hcip
revision-level 1
#
#
stp instance 0 port priority 64
#
#
#
return
Configuration on S3
#
sysname S3
#
vlan batch 10 20 30 40 50 60 70 80
#
lldp enable
#
region-name hcip
revision-level 1
#
#
#
#
return
Configuration on S4
#
sysname S4
#
vlan batch 10 20 30 40 50 60 70 80
#
lldp enable
#
region-name hcip
revision-level 1
#
#
stp instance 0 cost 40001
#
#
return
6 Multicast
6.1 IGMP, IGMP Snooping, and PIM-DM

6.1.1 Introduction
6.1.1.1 Objectives
 Know how to enable multicast routing for multicast traffic forwarding.
 Know how to enable IGMP snooping on a switch and manually configure a static router port
and member port.
 Know how to use PIM-DM to forward multicast traffic.
 Know how to control the election result of the Assert mechanism by changing the IGP cost.
Figure 6-1 Lab topology for IGMP, IGMP snooping, and PIM-DM
In the preceding figure, OSPF runs on four routers. Loopback0 is created on each router. The IP
address of Loopback0 is 10.0.x.x/32, where x is the device number.
The four routers form a multicast network. R1 is the first-hop router and is connected to multicast
source 239.0.0.12. R4 is the last-hop router and is connected to receivers of multicast group
239.0.0.12. To ensure that the traffic from the multicast source can be received by multicast group
members connected to R4, deploy PIM-DM on each router and activate IGMPv2 on GE0/0/5 of R4.
To optimize multicast traffic forwarding on S2, configure IGMP snooping on S2 and manually
specify a static router port and member port.
6.1.1.3 Background
You are a network administrator of a company. Multicast needs to be configured to forward some
services. The network size is small, so you can configure PIM-DM to implement multicast route
learning. To improve network efficiency and security, you can manually control the election result of
the PIM-DM Assert mechanism. To optimize multicast traffic forwarding on the switch connected to
multicast receivers, you can enable IGMP snooping on the switch.

R4.
3. Enable the multicast routing function on the routers, and enable PIM-DM on involved
interfaces.
4. On R1, simulate traffic of the multicast source, and then check the PIM routing table of each
router.
5. Change the OSPF cost of GE0/0/1 on R3 to control the election result of the Assert mechanism.
Then, check the PIM routing tables of R2 and R3 again.
6. Configure IGMP snooping on S2 and manually configure a static router port and member port.
# Name the devices.
# Configure R1.
[R1-LoopBack0] quit
# Configure R2.
[R2-LoopBack0] quit
# Configure R3.
[R3-LoopBack0] quit
# Configure R4.
[R4-LoopBack0] quit
# Check IP connectivity on R1 and R4.
<R1>ping -c 1 10.0.12.2

0.00% packet loss
<R1>ping -c 1 10.0.13.3

0.00% packet loss
<R4>ping -c 1 10.0.234.2

0.00% packet loss

<R4>ping -c 1 10.0.234.3

0.00% packet loss
Step 2 Configure OSPF.

Use the IP address of the Loopback0 interface as the router ID of each router and activate OSPF on
the interconnection interfaces and each Loopback0 interface.
# Configure R1.

[R1-ospf-1] area 0
[R1-ospf-1] quit
# Configure R2.

[R2-ospf-1] area 0
[R2-ospf-1] quit
# Configure R3.

[R3-ospf-1] area 0
[R3-ospf-1] quit
# Configure R4.

[R4-ospf-1]area 0
[R4-ospf-1] quit
# Check the OSPF neighbor status on R1 and R4.

----------------------------------------------------------------------------
----------------------------------------------------------------------------

----------------------------------------------------------------------------
----------------------------------------------------------------------------
OSPF neighbor relationships have been established between routers.


Routing Tables
Routing for Network

10.0.4.4/32 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.234.0/24 1 Transit 10.0.234.4 10.0.4.4 0.0.0.0
192.168.1.0/24 1 Stub 192.168.1.1 10.0.4.4 0.0.0.0
10.0.1.1/32 2 Stub 10.0.234.3 10.0.1.1 0.0.0.0
10.0.1.1/32 2 Stub 10.0.234.2 10.0.1.1 0.0.0.0
10.0.2.2/32 1 Stub 10.0.234.2 10.0.2.2 0.0.0.0
10.0.3.3/32 1 Stub 10.0.234.3 10.0.3.3 0.0.0.0
10.0.12.0/24 2 Transit 10.0.234.2 10.0.1.1 0.0.0.0
10.0.13.0/24 2 Transit 10.0.234.3 10.0.1.1 0.0.0.0
Total Nets: 9
R4 has learned OSPF routes on the entire network.

Step 3 Configure PIM-DM.
Enable multicast routing on all routers and enable PIM-DM on involved interfaces.
# Enable multicast routing.
[R1]multicast routing-enable
# Enable PIM-DM on involved interfaces of R1.
[R1-GigabitEthernet0/0/1] pim dm
# Check the PIM neighbor relationships on R1 and R4.
[R1]display pim neighbor

VPN-Instance: public net
Total Number of Neighbors = 2
Neighbor Interface Uptime Expires Dr-Priority BFD-Session

10.0.13.3 GE0/0/1 00:04:14 00:01:31 1 N
10.0.12.2 GE0/0/2 00:04:50 00:01:26 1 N
[R4]display pim neighbor


10.0.234.2 GE0/0/4 00:03:09 00:01:41 1 N
10.0.234.3 GE0/0/4 00:03:08 00:01:19 1 N
PIM neighbor relationships have been established between R1 and R2, between R1 and R3, between
R4 and R2, and between R4 and R3.
# Enable IGMP on GE0/0/5 of R4 and configure GE0/0/5 to join the multicast group in static mode.
[R4-GigabitEthernet0/0/5] igmp enable
[R4-GigabitEthernet0/0/5] igmp static-group 239.0.0.12
# Check IGMP interface information on R4.
[R4]display igmp interface GigabitEthernet 0/0/5

Interface information of VPN-Instance: public net
GigabitEthernet0/0/5(192.168.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: none
IGMP limit: -
Value of query interval for IGMP (negotiated): -
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 192.168.1.1 (this router)
The default IGMP version (IGMPv2) is used, and R4 is the IGMP querier.
Step 4 Check the PIM routing table.
On R1, use the address of Loopback0 as the source address to send ICMP packets to 239.0.0.12 to
simulate traffic of the multicast source. Then, check the PIM routing table on each router.
# Use R1 to send packets to simulate traffic of the multicast source.
ping -a 10.0.1.1 -c 10 239.0.0.12
After this command is run, R1 does not send multicast traffic, but it triggers PIM-DM State-Refresh
messages.
# Query the content of the PIM-DM State-Refresh messages.
Frame 45: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) on interface 0
Ethernet II, Src: HuaweiTe_0c:16:0a (54:89:98:0c:16:0a), Dst: IPv4mcast_0d (01:00:5e:00:00:0d)
Internet Protocol Version 4, Src: 10.0.12.1, Dst: 224.0.0.13
Protocol Independent Multicast
0010 .... = Version: 2
.... 1001 = Type: State-Refresh (9)
Reserved byte(s): 00
Checksum: 0x8295 [correct]
[Checksum Status: Good]
PIM Options
Group: 239.0.0.12/32
Source: 10.0.1.1
Originator: 10.0.12.1
0... .... = RP Tree: False
.000 0000 0000 0000 0000 0000 0000 0000 = Metric Preference: 0
Metric: 0
Masklen: 32
TTL: 255
0... .... = Prune indicator: Not set
.0.. .... = Prune now: Not set
..1. .... = Assert override: Set
Interval: 60
The State-Refresh messages carry the multicast source address (10.0.1.1) and multicast group
address (239.0.0.12). After receiving the messages, the downstream device creates an (S, G) entry
and forwards the State-Refresh messages downstream.
# Check statistics about the State-Refresh messages sent by R1.
<R1>display pim control-message counters message-type state-refresh interface GigabitEthernet 0/0/2

PIM control-message counters for interface: GigabitEthernet0/0/2
Message Type Received Sent Invalid Filtered
State-Refresh 0 8 0 0
If the value of Sent is not 0, check the (S, G) entry on the downstream device. If the value of Sent is
0, you will find no (S, G) entry on the downstream device.
PIM-SM does not have State-Refresh messages. Therefore, this method cannot be used in PIM-SM
scenarios.
# Check the PIM routing tables of the four routers.
<R1>display pim routing-table

Total 0 (*, G) entry; 1 (S, G) entry
(10.0.1.1, 239.0.0.12)
Protocol : pim-dm, Flag: LOC ACT
UpTime: 00:04:19
Upstream interface : LoopBack0
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/0/1
Protocol: pim-dm, UpTime: 00:04:19, Expires: never
On R1, the inbound interface of the (S, G) entry is Loopback0. Because the multicast source is
directly connected to R1, PRF prime neighbor is Null. The downstream interface is GE0/0/1, and R1
forwards the multicast traffic to R3.

(10.0.1.1, 239.0.0.12)
Protocol : pim-dm, Flag:
UpTime: 00:01:25
Upstream interface : GigabitEthernet0/0/3
Upstream neighbor: 10.0.12.1
RPF prime neighbor: 10.0.12.1
Downstream interface(s) information: None
On R2, the (S, G) entry does not have any downstream interface.

(10.0.1.1, 239.0.0.12)
UpTime: 00:02:55
On R3, the downstream interface of the (S, G) entry is GE0/0/4.

The downstream interfaces of R2 and R3 and the upstream interface of R4 are on the same network
segment. Therefore, the Assert mechanism is triggered. R2 and R3 send Assert messages through
their respective GE0/0/4 for election. The unicast routes from R2 and R3 to the multicast source
have the same preference and cost. However, GE0/0/4 of R3 has a higher IP address (10.0.234.3)
than that (10.0.234.2) of R2. Therefore, R3 wins the Assert election and continues to forward
multicast traffic to R4. R2 no longer forwards multicast traffic downstream through its GE0/0/4. This
is why there is no downstream interface in the (S, G) entry in the PIM routing table of R2.
[R4]display pim routing-table

(*, 239.0.0.12)
Protocol : pim-dm, Flag: WC
UpTime: 00:05:41
Upstream interface : NULL
Protocol: static, UpTime: 00:05:41, Expires: never
(10.0.1.1, 239.0.0.12)
UpTime: 00:01:52

Protocol: pim-dm, UpTime: 00:01:52, Expires: -
The upstream neighbor of R4 is R3, and R4 is the last-hop router.

Step 5 Change the IGP cost to control the Assert election result.
Change the OSPF cost of GE0/0/1 on R3 so that the unicast route from R3 to the multicast source
address has a higher cost. Consequently, R2 wins the Assert election and becomes the Assert
winner.
# On R2 and R3, check the cost of the route to the multicast source address 10.0.1.1.

------------------------------------------------------------------------------
Summary Count : 1

------------------------------------------------------------------------------
Summary Count : 1
The costs of the routes from R2 and R3 to 10.0.1.1 are both 1.

# Change the OSPF cost of GE0/0/1 on R3.
# On R3, check the cost of the route to the multicast source address 10.0.1.1.

------------------------------------------------------------------------------
Summary Count : 2

OSPF 10 2 D 10.0.234.2 GigabitEthernet0/0/4
The cost of the route from R3 to 10.0.1.1 becomes 2.

# Change the Assert timeout period on GE0/0/4 of R2 and R3 to 10s.
[R2-GigabitEthernet0/0/4] pim holdtime assert 10
[R3-GigabitEthernet0/0/4] pim holdtime assert 10
# Run the debugging pim join-prune receive command on R1 and then observe the prune process.
<R1>debugging pim join-prune receive
# Re-trigger multicast traffic on R1.
<R1>ping -a 10.0.1.1 -c 10 239.0.0.12
# Check the PIM routing tables of R2 and R3.

(10.0.1.1, 239.0.0.12)
UpTime: 00:00:01

(10.0.1.1, 239.0.0.12)
UpTime: 00:00:08
Upstream interface : GigabitEthernet0/01
Downstream interface(s) information: None
In this case, R3 does not have a downstream interface, and R2 becomes the Assert winner.
# Check the debugging information on R1.
Jul 2 2020 09:49:03.520.1-08:00 R1 PIM/7/JP:(public net): PIM ver 2 JP receiving 10.0.13.3 -> 224.0.0.13 on GigabitEthernet0/0/1
(P012998)
Jul 2 2020 09:49:03.520.2-08:00 R1 PIM/7/JP:(public net): Upstream 10.0.13.1, Groups 1, Holdtime 180 (P013002)
Jul 2 2020 09:49:03.520.3-08:00 R1 PIM/7/JP:(public net): Group: 239.0.0.12/32 --- 0 join 1 prune (P013011)
Jul 2 2020 09:49:03.520.4-08:00 R1 PIM/7/JP:(public net): Prune: 10.0.1.1/32 (P013021)
Jul 2 2020 09:49:05.790.1-08:00 R1 PIM/7/JP:(public net): PIM ver 2 JP receiving 10.0.12.2 -> 224.0.0.13 on GigabitEthernet0/0/2
(P012933)
Jul 2 2020 09:49:05.790.2-08:00 R1 PIM/7/JP:(public net): Upstream 10.0.12.1, Groups 1, Holdtime 0 (P012939)
Jul 2 2020 09:49:05.790.3-08:00 R1 PIM/7/JP:(public net): Group: 239.0.0.12/32 --- 1 join 0 prune (P012949)
Jul 2 2020 09:49:05.790.4-08:00 R1 PIM/7/JP:(public net): Join: 10.0.1.1/32 (P012959)
The debugging information shows that R1 received a Prune message from R3 with the group
address being 239.0.0.12 and the multicast source address being 10.0.1.1.
Step 6 Configure IGMP snooping.
To optimize multicast traffic forwarding on S2, enable IGMP snooping on S2 and manually configure
a static router port and member port.
# Enable IGMP snooping globally and in VLAN 1.
[S2]igmp-snooping enable
[S2]vlan 1
[S2-vlan1] igmp-snooping enable
[S2-vlan1] quit
# Manually configure GE0/0/4 as a static router port.
[S2]interface GigabitEthernet0/0/4
[S2-GigabitEthernet0/0/4] igmp-snooping static-router-port vlan 1
# Manually configure GE0/0/10 as a static member port of the multicast group 239.0.0.12.
[S2-GigabitEthernet0/0/10] l2-multicast static-group group-address 239.0.0.12 vlan 1
[S2-GigabitEthernet0/0/10] quit
# Check the L2 multicast forwarding table on S2.
[S2]display l2-multicast forwarding-table vlan 1

VLAN ID : 1, Forwarding Mode : IP
----------------------------------------------------------------------
(Source, Group) Interface Out-Vlan
----------------------------------------------------------------------
Router-port GigabitEthernet0/0/4 1
(*,239.0.0.12) GigabitEthernet0/0/4 1
GigabitEthernet0/0/10 1
----------------------------------------------------------------------
Total Group(s) : 1
GE0/0/4 is a static router port, and GE0/0/10 is a static member port. The static member port must
be connected to a device and is up.
----End
6.1.3 Quiz
What are the disadvantages of configuring PIM-DM on a large-sized network?

Configuration on R1
#
sysname R1
#
multicast routing-enable
#
ip address 10.0.13.1 255.255.255.0
pim dm
#
ip address 10.0.12.1 255.255.255.0
pim dm
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
#
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.13.1 0.0.0.0
#
return
Configuration on R2
#
sysname R2
#
#
ip address 10.0.12.2 255.255.255.0
pim dm
#
ip address 10.0.234.2 255.255.255.0
pim holdtime assert 10
pim dm
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
#
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.234.2 0.0.0.0
#
return
Configuration on R3
#
sysname R3
#
#
ip address 10.0.13.3 255.255.255.0
pim dm
ospf cost 2
#
ip address 10.0.234.3 255.255.255.0
pim holdtime assert 10
pim dm
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
network 10.0.234.3 0.0.0.0
#
return
Configuration on R4
#
sysname R4
#
#
ip address 10.0.234.4 255.255.255.0
pim dm
#
ip address 192.168.1.1 255.255.255.0
igmp enable
igmp static-group 239.0.0.12
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
area 0.0.0.0
network 10.0.234.4 0.0.0.0
network 10.0.4.4 0.0.0.0
network 192.168.1.1 0.0.0.0
#
return
Configuration on S2
#
sysname S2
#
igmp-snooping enable
#
vlan 1
igmp-snooping enable
#
igmp-snooping static-router-port vlan 1
#
l2-multicast static-group group-address 239.0.0.12 vlan 1
6.2 PIM-SM, BSR, and PIM-SSM

6.2.1 Introduction
6.2.1.1 Objectives
 Know how to use PIM-SM to forward multicast traffic.
 Know how to configure a BSR for RP election.
 Know how to configure PIM-SM SSM to forward multicast traffic.
 Know how to use the ping multicast command to send multicast traffic.
Figure 6-2 Lab topology for PIM-SM, BSR, and PIM-SSM
OSPF runs on four routers. Loopback0 is created on each router. The IP address of Loopback0 is
10.0.x.x/32, where x is the device number. Use R1 to simulate the source of multicast group
239.0.0.12, and use GE0/0/0 on R4 to simulate a receiver of multicast group 239.0.0.12.
R3 is planned as the RP of the network and is elected as the RP through the BSR mode.
6.2.1.3 Background
You are a network administrator of a company. PIM-DM has been configured on the company's
network. However, when more and more multicast users are dispersed on the network, multicast
service quality degrades. To improve multicast reliability and efficiency, you can configure PIM-SM.
In the PIM-SM mode, an RP is required and is used as the root of RPTs.

R4.
3. Enable the multicast routing function on the routers, and enable PIM-SM on involved
interfaces.
4. Configure Loopback0 on R2 as the BSR and Loopback0 on R3 as the RP.
5. Check the PIM-SM routing table on each device. Run the ping multicast command to trigger
the RPT-to-SPT switchover. Then check the PIM-SM routing table again.
6. Change the IGMP version on GE0/0/0 of R4 to version 3, configure an interface to join multicast
group 232.0.0.12 in static mode, and check the PIM-SM SSM routing table.
# Name the devices.
# Configure R1.
[R1-LoopBack0] quit
# Configure R2.
[R2-LoopBack0] quit
# Configure R3.
[R3-LoopBack0] quit
# Configure R4.
[R4-LoopBack0]quit
[R4-GigabitEthernet0/0/1]quit
[R4-GigabitEthernet0/0/3]quit
# Check the connectivity of interconnection interfaces on R2 and R3.
<R2>ping -c 1 10.0.12.1

0.00% packet loss
<R2>ping -c 1 10.0.23.3

0.00% packet loss
<R2>ping -c 1 10.0.24.4

0.00% packet loss

<R3>ping -c 1 10.0.34.4

0.00% packet loss
Step 2 Configure OSPF on R1, R2, R3, and R4.

Configure R1, R2, R3, and R4 to use their Loopback0 IP addresses as their router ID, and activate
OSPF on the interconnected interfaces and Loopback0 interfaces of each device.
# Configure R1.

[R1-ospf-1] area 0.0.0.0
# Configure R2.

[R2-ospf-1]area 0
# Configure R3.

[R3-ospf-1]area 0
# Configure R4.

[R4-ospf-1]area 0
# Check the OSPF neighbor status on R2 and R3.

----------------------------------------------------------------------------
----------------------------------------------------------------------------

----------------------------------------------------------------------------
----------------------------------------------------------------------------
The preceding command outputs show that OSPF neighbor relationships have been established.

Routing Tables
Routing for Network

10.0.4.4/32 0 Stub 10.0.4.4 10.0.4.4 0.0.0.0
10.0.24.0/24 1 Transit 10.0.24.4 10.0.4.4 0.0.0.0
10.0.34.0/24 1 Transit 10.0.34.4 10.0.4.4 0.0.0.0
10.0.1.1/32 2 Stub 10.0.24.2 10.0.1.1 0.0.0.0
10.0.2.2/32 1 Stub 10.0.24.2 10.0.2.2 0.0.0.0
10.0.3.3/32 1 Stub 10.0.34.3 10.0.3.3 0.0.0.0
10.0.12.0/24 2 Transit 10.0.24.2 10.0.1.1 0.0.0.0
10.0.23.0/24 2 Transit 10.0.24.2 10.0.2.2 0.0.0.0
10.0.23.0/24 2 Transit 10.0.34.3 10.0.2.2 0.0.0.0
Total Nets: 9
The preceding command output shows that R4 has learned the routes on the entire network.
Step 3 Configure PIM-SM.
Enable multicast routing on all routers and enable PIM-SM on involved interfaces.
# Enable multicast routing.
# Enable PIM-SM on involved interfaces of R1.
[R1-LoopBack0] pim sm
[R1-LoopBack0] quit
[R1-GigabitEthernet0/0/2] pim sm
# Check PIM neighbor relationships on R2 and R3.
<R2>display pim neighbor


10.0.24.4 GE0/0/1 00:08:19 00:01:26 1 N
10.0.23.3 GE0/0/2 00:09:09 00:01:37 1 N
10.0.12.1 GE0/0/3 00:10:07 00:01:42 1 N
<R3>display pim neighbor


10.0.34.4 GE0/0/2 00:08:35 00:01:39 1 N
10.0.23.2 GE0/0/3 00:09:25 00:01:21 1 N
PIM neighbor relationships have been established between routers.

Step 4 Deploy a BSR.
Adjust the C-BSR priority of R2 to enable R2 to become the BSR, and configure R3 as a C-RP.
# Adjust the C-BSR priority of R2 to enable Loopback0 of R2 to become the BSR.
[R2-LoopBack0] quit
[R2]pim
[R2-pim] c-bsr priority 100
[R2-pim] c-bsr LoopBack0
[R2-pim] quit
Note that PIM-SM must be enabled on Loopback0.

# Configure Loopback0 of R3 as a C-RP and set the multicast group address to 239.0.0.12.
[R3-LoopBack0] quit
[R3]acl 2000
[R3-acl-basic-2000] rule 1 permit source 239.0.0.12 0.0.0.0
[R3-acl-basic-2000] quit
[R3]pim
[R3-pim] c-rp LoopBack 0 group-policy 2000 priority 100
[R3-pim] quit
Note that PIM-SM must be enabled on Loopback0.

# Check information about the BSR and RP on R4.
<R4>display pim bsr-info

VPN-Instance : public net
Elected AdminScoped BSR Count: 0
Elected BSR Address : 10.0.2.2
Priority : 100
Hash mask length : 30
State : Accept Preferred
Scope : Not scoped
Uptime : 00:03:35
Expires : 00:02:06
C-RP Count :1
<R4>display pim rp-info

VPN-Instance : public net
PIM-SM BSR RP Number :2
Group/MaskLen : 224.0.0.0/4
RP : 10.0.3.3
Priority : 100
Uptime : 00:04:15
Expires : 00:02:15
Group/MaskLen : 239.0.0.12/32
RP : 10.0.3.3
Priority : 100
Uptime : 00:00:15
Expires : 00:02:15
There is only one C-BSR and one C-RP. Therefore, R2 and R3 function as the BSR and RP,
respectively. The IP address of the RP corresponding to the multicast group 239.0.0.12 is 10.0.3.3.
Step 5 Check the PIM routing table.
On R4, use GE0/0/0 to simulate a receiver of multicast group 239.0.0.12 and check the PIM routing
tables of R3 and R4. Change the RPT-to-SPT switchover threshold and trigger multicast traffic
forwarding again. Then, check the PIM routing table again.
# Enable IGMP on GE0/0/0 of R4 and configure GE0/0/0 to join the multicast group in static mode.
[R4-GigabitEthernet0/0/0] igmp enable
[R4-GigabitEthernet0/0/0] igmp static-group 239.0.0.12
Note that the interface must be configured with an IP address and be up.
# Check the PIM routing table of R4.

(*, 239.0.0.12)
RP : 10.0.3.3
Protocol : pim-sm, Flag: WC EXT
UpTime: 00:01:18
Protocol: static, UpTime: 00:01:29, Expires: -
The outbound interface of the route to the RP (10.0.3.3) on R4 is GE0/0/3. Therefore, R4 uses
GE0/0/3 as the upstream interface of (*, 239.0.0.12) and sends PIM Join messages through this
interface.

(*, 239.0.0.12)
RP : 10.0.3.3 (local)
Protocol : pim-sm, Flag: WC
UpTime: 00:08:05
Upstream interface : Register
Protocol: pim-sm, UpTime: 00:08:05, Expires: 00:03:25
R3 is the RP and does not need to send the Join message upstream. Currently, no multicast source
has registered with the RP. Therefore, the upstream interface is still null.
# Run the ping multicast command on R1 to simulate the multicast source of the multicast group
239.0.0.12 and send multicast data.
<R1>ping multicast -c 10 239.0.0.12
# After the network becomes stable, check the PIM routing table of R4.

(*, 239.0.0.12)
RP : 10.0.3.3
Protocol : pim-sm, Flag: WC EXT
UpTime: 00:03:38
(10.0.1.1, 239.0.0.12)
RP: 10.0.3.3
Protocol : pim-sm, Flag: SPT ACT
UpTime: 00:00:05
Protocol: pim-sm, UpTime: 00:00:03, Expires: -
On R4, the entry with the Flag being SPT ACT is an (S, G) entry, indicating that the (S, G) entry is
used to guide multicast packet forwarding. In addition, the upstream interface is GE0/0/1 that is
connected to R2, rather than GE0/0/3 that is connected to R3. In this case, the RPT-to-SPT
switchover has been performed.
# Change the RPT-to-SPT switchover threshold on R4.
[R4]pim
[R4-pim] spt-switch-threshold infinity
The command configures R4 never to initiate an RPT-to-SPT switchover.

# Run the ping multicast command on R1 to simulate the multicast source of the multicast group
239.0.0.12 and send multicast data.
<R1>ping multicast -c 10 239.0.0.12
# Check the PIM routing table on R4.

(*, 239.0.0.12)
RP : 10.0.3.3
Protocol : pim-sm, Flag: WC
UpTime: 00:13:27
(10.0.1.1, 239.0.0.12)
RP : 10.0.3.3
Protocol : pim-sm, Flag: ACT
UpTime: 00:00:12
Protocol: pim-sm, UpTime: 00:00:12, Expires: -
In this case, the upstream interface of R4 is still GE0/0/3, and the path of the (S, G) entry to the
multicast source is still by way of the RP, indicating that no RPT-to-SPT switchover is performed.
Step 6 Deploy PIM-SSM.
Change the IGMP version on R4's GE0/0/0 to version 3 and configure GE0/0/0 to join SSM group
232.0.0.12 in static mode.
# Modify the configurations of GE0/0/0.
[R4-GigabitEthernet0/0/0] igmp version 3
[R4-GigabitEthernet0/0/0] igmp static-group 232.0.0.12 source 10.0.1.1
By default, the address range of multicast groups in an SSM group policy is 232.0.0.0/8. If the
address of the multicast group that an interface joins in static mode is not in this range, PIM-SSM
entries cannot be generated.

...
...
(10.0.1.1, 232.0.0.12)
Protocol: pim-ssm, Flag: SG_RCVR
UpTime: 00:01:58
Upstream interface: GigabitEthernet0/0/1
The command output on R4 shows that no traffic is triggered, an (S, G) entry is generated, the
protocol is PIM-SSM, and the upstream device is R2.

Total 0 (*, G) entry; 2 (S, G) entries
...
...
(10.0.1.1, 232.0.0.12)
Protocol: pim-ssm, Flag:
UpTime: 00:03:30
Upstream interface: GigabitEthernet0/0/3
Protocol: pim-ssm, UpTime: 00:03:30, Expires: 00:03:00
The protocol is PIM-SSM, and the upstream device is R1.

----End
6.2.3 Quiz
What are the advantages of PIM-SM over PIM-DM?

Configuration on R1
#
sysname R1
#
#
ip address 10.0.12.1 255.255.255.0

pim sm
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.255
pim sm
#
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
#
return
Configuration on R2
#
sysname R2
#
#
ip address 10.0.24.2 255.255.255.0
pim sm
#
ip address 10.0.23.2 255.255.255.0
pim sm
#
ip address 10.0.12.2 255.255.255.0
pim sm
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.255
pim sm
#
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.23.2 0.0.0.0
network 10.0.24.2 0.0.0.0
#
pim
c-bsr priority 100
c-bsr LoopBack0
#
return
Configuration on R3
#
sysname R3
#
#
acl number 2000
rule 1 permit source 239.0.0.12 0
#
ip address 10.0.34.3 255.255.255.0
pim sm
#
ip address 10.0.23.3 255.255.255.0
pim sm
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.255
pim sm
#
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.0.34.3 0.0.0.0
#
pim
c-rp LoopBack0 group-policy 2000 priority 100
#
return
Configuration on R4
#
sysname R4
#
#
ip address 192.168.1.1 255.255.255.0
pim sm
igmp enable
igmp version 3
igmp static-group 239.0.0.12
igmp static-group 232.0.0.12 source 10.0.1.1
#
ip address 10.0.24.4 255.255.255.0
pim sm
#
ip address 10.0.34.4 255.255.255.0
pim sm
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.255
#
area 0.0.0.0
network 10.0.4.4 0.0.0.0
network 10.0.24.4 0.0.0.0
network 10.0.34.4 0.0.0.0
#
pim
spt-switch-threshold infinity
#
Return
7 Firewall Technology
7.1 Firewall Security Policy

7.1.1 Introduction
7.1.1.1 Objectives
 Understand how a security policy works
 Learn how to configure a security policy on the firewall using the CLI
 Observe server mapping entries to understand how NAT ALG works
Figure 7-1 Firewall security policy
The preceding figure shows how the devices are connected and their IP address planning. Routers
R1 and R2 communicate with the firewall FW1 at Layer 3 through switch S1. On S1, its interfaces
(GE0/0/1 and GE0/0/2) connected to R1 and R2 are assigned to VLAN 10 and VLAN 20 respectively,
and the interfaces (GE0/0/14 and GE0/0/15) connected to FW1 are assigned to VLAN 10 and VLAN 20
respectively.
R1 belongs to the Demilitarized Zone (DMZ), and R2 to the untrusted zone. Configure source NAT
on FW1 so that R1 can access the untrusted zone through GE0/0/2 of FW1. Configure NAT Server on
FW1, enabling R2 to access the FTP service enabled on R1 through GE0/0/2 of FW1.
In addition, configure security policies on FW1 to restrict the access between R1 and R2 as follows:
R1 in the DMZ can access the untrusted zone, but R2 in the untrusted zone can only access the FTP
service on R1 in the DMZ.
7.1.1.3 Background
To protect enterprise network security, you (the enterprise network administrator) decide to deploy
a firewall at the border of the enterprise network to prevent external users from proactively
accessing the internal network. In addition, as an egress device, the firewall needs to be configured
with source NAT (for internal users to access the Internet) and NAT Server (mapping intranet servers
to the public network).
The FTP service is provided for external access. FTP is a multi-channel protocol, which requires NAT
ALG in addition to security policies to ensure normal communication after NAT is performed on the
firewall.

1. Complete basic device configurations for connectivity.
2. Add interfaces to security zones and configure a security policy to allow access from the local
zone to the external zones.
3. Configure source NAT and NAT Server.
4. Configure a security policy to restrict the access between the untrusted zone and DMZ.
5. Check the session entries generated for the access traffic between the untrusted zone and
DMZ on FW1.
6. Enable the FTP service on R1. Simulate FTP service access on R1 from R2, and run the dir
command to transmit data through the FTP data channel. Then check the server mapping
entries on FW1.
Step 1 Complete basic device configurations for connectivity.
Configure IP addresses for interconnected interfaces, configure VLANs on S1, and configure default
routes on R1 and FW1.
# Name the devices.
# Perform basic configurations on S1.
[S1]vlan 10
[S1-vlan10] description DMZ
[S1-vlan10] quit
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 10
[S1]vlan 20
[S1-vlan20] description Untrust
[S1-vlan20] quit
# Configure R1.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.11.1
Configure the default route for accessing the Internet.

# Configure R2.
# Configure login data for FW1.
Login authentication
Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: Y
Please enter old password:
Please enter new password:
Please confirm new password:
By default, login authentication is enabled for the console port of the firewall. The default user
name and password are admin and Admin@123, respectively. After the first login to the firewall,
you need to change the password to ensure subsequent successful login.
# Configure interface IP addresses and the default route on FW1.
[FW1]interface GigabitEthernet0/0/1
[FW1-GigabitEthernet0/0/1] ip address 10.0.11.1 255.255.255.0
[FW1-GigabitEthernet0/0/1] quit
[FW1-GigabitEthernet0/0/2] ip address 10.0.12.1 255.255.255.0
[FW1]ip route-static 0.0.0.0 0.0.0.0 10.0.12.2
# Configure FW1 interfaces to permit ping packets.
[FW1-GigabitEthernet0/0/1] service-manage ping permit
[FW1-GigabitEthernet0/0/2] service-manage ping permit
By default, access control is enabled (using the service-manage command) on firewall interfaces,
which implements security control at the interface layer and determines whether users can manage
or access the firewall through a specific interface (for example, through ping, SSH, Telnet, or
SNMP). GE0/0/0 is the NMS interface of the device. By default, the service-manage ping permit
and service-manage ssh permit commands are configured on this interface. Therefore, users can
manage the firewall through this interface. For other interfaces, the firewall does not allow users to
manage or access the firewall through these interfaces by default, unless the service-manage
command is manually configured. For example, to allow users to ping GE1/0/1, run the service-
manage ping permit command on GE1/0/1. Similarly, to allow users to access GE1/0/1 using SSH,
run the service-manage ssh permit command.
Step 2 Configure a security policy for access from the local zone to other zones.
Add interfaces to security zones and create a security policy named local_to.
1. Do not restrict source and destination IP addresses.
2. Do not restrict the destination security zone.
3. Do not restrict services.
4. Set the source security zone to local.
5. Set the action to permit.
# Add interfaces to security zones.
[FW1]firewall zone dmz

[FW1-zone-dmz] description DMZ
[FW1-zone-dmz] add interface GigabitEthernet0/0/1
[FW1-zone-dmz] quit
[FW1]firewall zone untrust
[FW1-zone-untrust] description Untrust
[FW1-zone-untrust] add interface GigabitEthernet0/0/2
[FW1-zone-untrust] quit
# Create a security policy named local_to.
[FW1]security-policy
[FW1-policy-security] rule name local_to
[FW1-policy-security-rule-local_to] source-zone local
[FW1-policy-security-rule-local_to] action permit
Since the source IP address, destination IP address, destination security zone, and services are not
restricted, retain the default setting any for these parameters.
# Test the connectivity between FW1 and R1 interface IP addresses and between FW1 and R2
interface IP addresses.
<FW1>ping -c 1 10.0.11.11

0.00% packet loss
<FW1>ping -c 1 10.0.12.2

0.00% packet loss
Step 3 Configure source NAT and NAT Server.

Configure NAPT for intranet users (R1) to access the Internet and configure NAT Server to map the
FTP service of R1 to the public network.
# Configure a NAT address pool and enable port address translation for reuse of public addresses.
[FW1]nat address-group 1
[FW1-address-group-1] mode pat
[FW1-address-group-1] section 0 10.0.12.1 10.0.12.1
[FW1-address-group-1] quit
# Configure a source NAT policy to enable source address translation for intranet users on a
specified network segment when they access the Internet.
[FW1]nat-policy
[FW1-policy-nat] rule name 1
[FW1-policy-nat-rule-1] source-zone dmz
[FW1-policy-nat-rule-1] destination-zone untrust
[FW1-policy-nat-rule-1] source-address 10.0.11.0 24
[FW1-policy-nat-rule-1] action source-nat address-group 1
[FW1-policy-nat-rule-1] quit
# Configure NAT Server and create a static mapping to map the FTP service of R1.
[FW1]nat server policy_ftp protocol tcp global 10.0.12.1 ftp inside 10.0.11.11 ftp
# Enable NAT ALG for FTP.
[FW1]firewall zone dmz

[FW1-zone-dmz] detect ftp
[FW1-zone-dmz] quit
[FW1]firewall interzone dmz untrust
[FW1-interzone-dmz-untrust] detect ftp
[FW1-interzone-dmz-untrust] quit
Step 4 Configure security policies for the DMZ-untrusted interzone.

Configure a security policy named DMZtoUntrust, limit the source address to 10.0.11.0/24, and set
the action to permit. Configure a security policy named Untrust_DMZ to allow R2 to access only
the FTP service provided by R1.
#Create a security policy named DMZtoUntrust.
[FW1-policy-security] rule name DMZtoUntrust
[FW1-policy-security-rule-DMZtoUntrust] source-zone dmz
[FW1-policy-security-rule-DMZtoUntrust] destination-zone untrust
[FW1-policy-security-rule-DMZtoUntrust] source-address 10.0.11.0 24
[FW1-policy-security-rule-DMZtoUntrust] action permit
# Create a security policy named Untrust_DMZ.
[FW1-policy-security-rule] rule name Untrust_DMZ
[FW1-policy-security-rule-Untrust_DMZ] source-zone untrust
[FW1-policy-security-rule-Untrust_DMZ] destination-zone dmz
[FW1-policy-security-rule-Untrust_DMZ] destination-address 10.0.11.11 24
[FW1-policy-security-rule-Untrust_DMZ] service ftp
[FW1-policy-security-rule-Untrust_DMZ] action permit
Note that the destination IP address is the mapped internal address. The security policy processes a
packet after NAT Server changes the destination IP address of the packet.
Step 5 Check sessions on FW1.
Ping R2 from R1 and check detailed session information on FW1.
# Test the access from R1 to R2.
<R1>ping -c 100 10.0.12.2

R1 can access R2 through FW1. In this case, you can view detailed information about the related
session on FW1.
# Check sessions on FW1.
<FW1>display firewall session table verbose destination global 10.0.12.2

2020-07-01 10:00:22.100
Current Total Sessions : 1
icmp VPN: public --> public ID: c487f0653c0805017ce5efc5e84
Zone: dmz --> untrust TTL: 00:00:20 Left: 00:00:20
Recv Interface: GigabitEthernet0/0/1
Interface: GigabitEthernet0/0/2 NextHop: 10.0.12.2 MAC: 5489-98c8-4a33
<--packets: 80 bytes: 6,720 --> packets: 80 bytes: 6,720
10.0.11.11:52651[10.0.12.1:2048] --> 10.0.12.2:2048 PolicyName: DMZtoUntrust
View details about the session with the destination global IP address of 10.0.12.2. In the command
output, you can view the direction of the session regarding the security zone, which is from DMZ to
the untrusted zone; the aging time (TTL) of the session is 20s, the interface that receives packets is
GigabitEthernet0/0/1, and the interface that sends packets is GigabitEthernet0/0/2. There are a total
of 100 packets that match the session, and the total size of the packets is 8400 bytes. The name of
the security policy matching the session is DMZtoUntrust.
According to the session, we can learn that the source IP address of the packets is translated from
10.0.11.11 to 10.0.12.1 (IP address of GE0/0/2 on FW1).
Step 6 Observe the working process of NAT ALG.
Enable the FTP service on R1. Use R2 that serves as the FTP client to access the FTP service of R1
through the IP address mapped by FW1, and run the dir command to view the file list. Check how
ASPF of FW1 processes multi-channel protocols.
# Enable the FTP service on R1.
[R1]aaa
[R1-aaa] local-user ftp service-type ftp
[R1-aaa] local-user ftp password cipher ftp@123
[R1-aaa] local-user ftp privilege level 15
[R1-aaa] local-user ftp ftp-directory flash:
[R1-aaa] quit
# Have R2 access the FTP service enabled on R1 through the address mapped by FW1.
<R2>ftp 10.0.12.1
Trying 10.0.12.1 ...
Press CTRL+K to abort
Connected to 10.0.12.1.
220 FTP service ready.
User(10.0.12.1:(none)):ftp
331 Password required for ftp.
Enter password:
230 User logged in.
R2 can access the FTP service enabled on R1 through NAT Server mapping of FW1.
# Check the session table on FW1.
<FW1>display firewall session table verbose protocol tcp destination-port global

21
2020-07-01 10:08:32.300
ftp VPN: public --> public ID: c487f0653c081382bee5efc6046
Zone: untrust --> dmz TTL: 00:20:00 Left: 00:19:54
Recv Interface: GigabitEthernet1/0/2
Interface: GigabitEthernet1/0/1 NextHop: 10.0.11.11 MAC: 5489-98d9-4e30
<--packets: 11 bytes: 558 --> packets: 14 bytes: 598
10.0.12.2:64505 +-> 10.0.12.1:21[10.0.11.11:21] PolicyName: Untrust_DMZ
TCP State: established
The command output shows that the FTP control channel has been established.
# Run the dir command on R2.
[ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
drwxrwxrwx 1 noone nogroup 0 Aug07 2015 src
drwxrwxrwx 1 noone nogroup 0 Jun 07 16:46 pmdata
drwxrwxrwx 1 noone nogroup 0 Jun 07 16:46 dhcp
-rwxrwxrwx 1 noone nogroup 603 Jun 07 18:12 private-data.txt
drwxrwxrwx 1 noone nogroup 0 Jun 07 17:01 mplstpoam
-rwxrwxrwx 1 noone nogroup 482 Jun 07 17:51 vrpcfg.zip
226 Transfer complete.
The file list of R1 is displayed. In this case, the FTP transmission channel is used.
# Check the session table on FW1 again.
<FW1>display firewall session table

2020-07-01 10:14:10.310
ftp VPN: public --> public 10.0.12.2:64505 +-> 10.0.12.1:21[10.0.11.11:21]
Only the FTP control channel session exists, and no transmission channel session exists.
# Check the server mapping entries generated by NAT ALG.
<FW1>display firewall server-map

2020-07-01 10:15:24.830
Current Total Server-map : 2
Type: Nat Server, ANY -> 10.0.12.1:21[10.0.11.11:21], Zone:---, protocol:tcp
Vpn : public -> public
Type: Nat Server Reverse, 10.0.11.11[10.0.12.1] -> ANY, Zone:---, protocol:tcp
Vpn : public -> public, counter: 1
The server mapping entry of the FTP data channel is generated on FW1.
Note that you need to run the dir command on R2 to trigger traffic on the transmission channel
before checking the server mapping entry.
----End
7.1.3 Quiz
What is the purpose of permitting traffic from the local zone to other zones on the firewall?

Configuration on R1
#
sysname R1
#
FTP server enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user ftp password cipher iA7kS$rR@T=H)H2[EInBK@O#
local-user ftp privilege level 15
local-user ftp ftp-directory flash:
local-user ftp service-type ftp
local-user admin password cipher BJB3#A}[;JZypQCee$t3@bJ#
local-user admin service-type http
#
ip address 10.0.11.11 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.11.1
#
return
Configuration on R2
#
sysname R2
#
ip address 10.0.12.2 255.255.255.0
#
return
Configuration on S1
#
sysname S1
#
vlan batch 10 20
#
vlan 10
description DMZ
vlan 20
description Untrust
#
port link-type access
port default vlan 10
#
#
#
#
return
Configuration on FW1
#
sysname FW1
#
undo shutdown
ip address 10.0.11.1 255.255.255.0
service-manage ping permit
#
undo shutdown
ip address 10.0.12.1 255.255.255.0
service-manage ping permit
#
firewall zone local
set priority 100
#
firewall zone untrust
description Untrust
set priority 5
add interface GigabitEthernet0/0/2
#
firewall zone dmz
description DMZ
set priority 50
add interface GigabitEthernet0/0/1
detect ftp
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2
#
nat server policy_ftp protocol tcp global 10.0.12.1 ftp inside 10.0.11.11 ftp
#
nat address-group 1 0
mode pat
route enable
section 0 10.0.12.1 10.0.12.1
#
security-policy
rule name local_to
source-zone local
action permit
rule name DMZtoUntrust
source-zone dmz
destination-zone untrust
source-address 10.0.11.0 mask 255.255.255.0
action permit
rule name Untrust_DMZ
source-zone untrust
destination-zone dmz
destination-address 10.0.11.11 mask 255.255.255.255
service ftp
action permit
#
nat-policy
rule name 1
source-zone dmz
destination-zone untrust
source-address 10.0.11.0 mask 255.255.255.0
action source-nat address-group 1
#
Return
8 VRRP
8.1 Basic VRRP Configurations

8.1.1 Introduction
8.1.1.1 Objectives
 Deploy VRRP.
 Implement collaboration between VRRP and MSTP.
 Configure association between BFD and VRRP.
Figure 8-1 Basic VRRP configurations
Devices are connected as shown in the figure. VLAN 10 and VLAN 20 exist on the network, each
with a VRRP group configured. The IDs of the VLANs are used as the VRIDs for their respective VRRP
groups. S1 is configured as the master of the VRRP group in VLAN 10, and S2 as the master of the
VRRP group in VLAN 20.
In addition, MSTP is deployed on S1, S2, and S3, and instances 1 and 2 are created. VLAN 10 is
mapped to MSTI1, and VLAN 20 is mapped to MSTI2. S1 is configured as the primary root bridge of
MSTI1 and the secondary root bridge of MSTI2. S2 is configured as the secondary root bridge of
MSTI1 and the primary root bridge of MSTI2.
The IP address of each VLANIF interface is 10.0.x.y/24, where x indicates the VRID and y indicates
the device ID. The virtual IP address is set to 10.0.x.254/24.
8.1.1.3 Background
To implement gateway redundancy, you as the network administrator need to deploy VRRP on two
aggregation switches. To balance user-to-network traffic of terminal users, you need to deploy a
VRRP group in each VLAN. To prevent loops, MSTP is deployed on the switching network and works
with VRRP to implement load balancing.

1. Create VLANs and configure MSTP on all switches. Manually specify S1 as the primary root
bridge of MSTI1 and the secondary root bridge of MSTI2, and specify S2 as the secondary root
bridge of MSTI1 and the primary root bridge of MSTI2.
2. Create VLANIF 10 and VLANIF 20 and deploy VRRP groups 10 and 20 on both S1 and S2.
Manually adjust VRRP priorities so that S1 functions as the master in VRRP group 10 and S2
functions as the master in VRRP group 20.
3. Deploy single-hop BFD to detect the connectivity between VLANIF interfaces on S1 and S2.
Associate BFD with VRRP to implement fast master/backup VRRP switchovers.
Step 1 Perform basic MSTP configurations.
Create VLANs 10 and 20 on all switches. Configure an MSTP region named hcip, and create two
instances Instance 1 and Instance 2. Map VLAN 10 to Instance 1 and VLAN 20 to Instance 2. Plan
S1 as the primary root bridge of MSTI1 and secondary root bridge of MSTI2; plan S2 as the primary
root bridge of MSTI2 and the secondary root bridge of MSTI1.
# Name the devices.
# Create VLANs.
[S1]vlan batch 10 20
# Configure all interconnection interfaces as trunk interfaces and allow packets from the
corresponding VLANs to pass through.
# Change the working mode from STP to MSTP.
[S1]stp mode mstp
[S2]stp mode mstp
[S3]stp mode mstp
[S4]stp mode mstp
# Configure MSTP.
[S1-mst-region] instance 1 vlan 10
# Check the mappings between MSTI instances and VLANs on S1.
[S1]display stp region-configuration

Oper configuration
Format selector :0
Region name :hcip
Revision level :1
Instance VLANs Mapped

0 1 to 9, 11 to 19, 21 to 29, 31 to 39, 41 to 49, 51 to 59, 61 to
69, 71 to 79, 81 to 4094
1 10,
2 20
# Configure S1 as the primary root bridge of MSTI1 and the secondary root bridge of MSTI2.

# Configure S2 as the primary root bridge of MSTI2 and the secondary root bridge of MSTI1.


All interfaces on S1 are designated interfaces, and S1 is the primary root bridge of MSTI1.

All interfaces on S2 are designated interfaces, and S2 is the secondary root bridge of MSTI1.
Step 2 Perform basic VRRP configurations.
Create VLANIF 10 and VLANIF 20 on both S1 and S2, and add VLANIF 10 to VRRP group 10 and
VLANIF 20 to VRRP group 20. Configure VRRP priorities so that S1 in VLAN 10 and S2 in VLAN 20
both function as the VRRP master.
# Create VLANIF interfaces.
[S1]interface Vlanif10
[S1-Vlanif10] ip address 10.0.10.1 255.255.255.0
[S1-Vlanif10] quit
[S1-Vlanif20] quit
[S2-Vlanif10] quit
[S2-Vlanif20] quit
# Configure VRRP groups on S1.
[S1]interface Vlanif 10
[S1-Vlanif10] vrrp vrid 10 virtual-ip 10.0.10.254
[S1-Vlanif10] vrrp vrid 10 priority 120
[S1-Vlanif10] quit
[S1-Vlanif20] quit
Set the VRRP priority to 120 for S1 in VLAN 10, and use the default priority 100 for S1 in VLAN 20.
# Configure VRRP groups on S2.
[S2-Vlanif10] quit
[S2-Vlanif20] vrrp vrid 20 priority 120
[S2-Vlanif20] quit
Set the VRRP priority to 120 for S2 in VLAN 20, and use the default priority 100 for S2 in VLAN 10.
# Check the VRRP status.
<S1>display vrrp brief

VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 10.0.10.254
20 Backup Vlanif20 Normal 10.0.20.254
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0
[S2]display vrrp brief

----------------------------------------------------------------
10 Backup Vlanif10 Normal 10.0.10.254
----------------------------------------------------------------
The VRRP status is the same as expected.

Step 3 Configure association between VRRP and BFD to implement rapid master/backup VRRP
switchovers.
Configure single-hop BFD on S1 and S2 to detect the connectivity between VLANIF interfaces.
Associate VRRP with BFD so that the backup device increases its VRRP priority when the BFD
session goes down.
# Create BFD sessions on S1.
[S1]bfd
[S1-bfd] quit
[S1]bfd vlanif10 bind peer-ip 10.0.10.2 interface Vlanif10
[S1-bfd-session-vlanif10] discriminator local 1
[S1-bfd-session-vlanif10] discriminator remote 2
[S1-bfd-session-vlanif10] min-tx-interval 100
[S1-bfd-session-vlanif10] min-rx-interval 100
[S1-bfd-session-vlanif10] commit
[S1-bfd-session-vlanif10] quit
# Create BFD sessions on S2.
[S2]bfd
[S2-bfd] quit
# Check the BFD session status.
[S1]display bfd session all

--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 10.0.10.2 Up S_IP_IF Vlanif10

11 22 10.0.20.2 Up S_IP_IF Vlanif20
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
[S2]display bfd session all

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
2 1 10.0.10.1 Up S_IP_IF Vlanif10

22 11 10.0.20.1 Up S_IP_IF Vlanif20
--------------------------------------------------------------------------------
The BFD sessions on S1 and S2 are in the Up state.

# Configure association between VRRP and BFD.
[S1-Vlanif20] vrrp vrid 20 track bfd-session 11 increased 30
[S1-Vlanif20] quit
[S2-Vlanif10] vrrp vrid 10 track bfd-session 2 increased 30
[S2-Vlanif10] quit
Note that bfd-session-id specifies the local discriminator of a BFD session. You only need to
configure the backup device to track the BFD session. In this way, the backup device increases its
local VRRP priority when the BFD session goes down.
# Shut down all interfaces on S1 to simulate a link fault.
[S1-GigabitEthernet0/0/10] shutdown
# Check the BFD session status on S2.
<S2>display bfd session all

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
2 1 10.0.10.1 Down S_IP_IF Vlanif10

22 11 10.0.20.1 Down S_IP_IF Vlanif20
--------------------------------------------------------------------------------
The two BFD sessions immediately enter the Down state.

# Check the VRRP status on S2.
<S2>display vrrp brief

----------------------------------------------------------------
----------------------------------------------------------------
S2 functions as the master in both VRRP groups 10 and 20.

# Check the VRRP status and configuration parameters on S2.
[S2]display vrrp
Vlanif10 | Virtual Router 10
State : Master
Virtual IP : 10.0.10.254
Master IP : 10.0.10.2
PriorityRun : 130
PriorityConfig : 100
MasterPriority : 130
Preempt : YES Delay Time : 0 s
TimerRun : 1s
TimerConfig : 1s
Auth type : NONE
Virtual MAC : 0000-5e00-010a
Check TTL : YES
Config type : normal-vrrp
TrackBFD : 2 Priority increased : 30
BFD-session state : DOWN

Create time : 2020-06-05 11:01:54 UTC-08:00
Last change time : 2020-06-05 11:31:15 UTC-08:00

State : Master
Virtual IP : 10.0.20.254
Master IP : 10.0.20.2
PriorityRun : 120
TimerRun : 1s
TimerConfig : 1s
Auth type : NONE
Virtual MAC : 0000-5e00-0114
Check TTL : YES
Config type : normal-vrrp
Create time : 2020-06-05 11:01:54 UTC-08:00
Last change time : 2020-06-05 11:01:55UTC-08:00
The priority of VRRP group 10 is 130, and the BFD session is in the Down state. The BFD down event
triggers S2 to increase the priority of VRRP group 10 by 30.
----End
8.1.3 Quiz
In what situation does a device send VRRP packets carrying a priority of 255?

Configuration on S1
#
sysname S1
#
vlan batch 10 20
#
#
region-name hcip
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
#
bfd
#
interface Vlanif10
ip address 10.0.10.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.0.10.254
vrrp vrid 10 priority 120
#
interface Vlanif20
ip address 10.0.20.1 255.255.255.0
vrrp vrid 20 track bfd-session 11 increased 30
#
shutdown
port trunk allow-pass vlan 10 20
#
shutdown
#
shutdown
#
bfd vlanif10 bind peer-ip 10.0.10.2 interface Vlanif10
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
min-tx-interval 100
min-rx-interval 100
commit
#
return
Configuration on S2
#
sysname S2
#
vlan batch 10 20
#
#
region-name hcip
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
#
bfd
#
interface Vlanif10
ip address 10.0.10.2 255.255.255.0
vrrp vrid 10 track bfd-session 2 increased 30
#
interface Vlanif20
ip address 10.0.20.2 255.255.255.0
#
#
#
#
min-tx-interval 100
min-rx-interval 100
commit
#
min-tx-interval 100
min-rx-interval 100
commit
#
return
Configuration on S3
#
sysname S3
#
vlan batch 10 20
#
region-name hcip
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
#

#
#
return
9 DHCP
9.1 DHCP Relay Configuration

9.1.1 Introduction
9.1.1.1 Objectives
 Deploy a DHCP relay agent to enable terminals to dynamically obtain IP addresses.
 Configure DHCP static address binding.
 Analyze the debugging information of a DHCP relay agent.
Figure 9-1 DHCP relay configuration
VLANIF 10, VLANIF 20, and VLANIF 30 are created on S4 to simulate DHCP clients. S3 and S1
function as a DHCP relay agent and DHCP server, respectively. A global address pool is created on
S1 to allocate IP addresses to the three VLANIF interfaces of S4.
The interfaces between S3 and S4 are configured to work in trunk mode to allow VLANs 10, 20, and
30 to pass through; the interfaces between S1 and S3 are configured to work in access mode. The
PVID is set to 40.
9.1.1.3 Background
You are a network administrator of a company. Because there are a large number of hosts on the
network, static address allocation is difficult to manage. Therefore, a DHCP server needs to be
deployed.
The core switch S1 functions as a DHCP server, S4 as a DHCP client, and S3 as the gateway of each
network segment. DHCPDISCOVER messages are broadcast ones and cannot traverse routers.
Therefore, DHCP relay needs to be deployed on S3 to unicast the messages to S1.
In addition, DHCP is required to allocate fixed IP addresses to special clients, such as servers and
printers.

1. Create VLANs on each switch, configure interfaces to work in the corresponding mode, and
allow the corresponding VLANs to pass through.
2. Create an address pool on the DHCP server to allocate IP addresses to terminals, and configure
static address allocation.
3. Configure the IP address of the DHCP server on the DHCP relay agent's interface.
4. Enable the DHCP client to obtain an IP address through DHCP.
5. Observe the DHCP packet relay process on the DHCP relay agent through debugging.
Step 1 Perform basic configurations.
Create VLANs and VLANIF interfaces on the three switches, and configure interfaces to allow the
corresponding VLANs to pass through. The IP address of the VLANIF interface is 10.0.x.y/24, where
x and y indicate the VLAN ID and device number, respectively. IP addresses do not need to be
configured for the VLANIF interfaces on S4.
# Create VLANs.
[S1]vlan 40
[S3]vlan batch 10 20 30 40
[S4]vlan batch 10 20 30
# Configure interfaces to allow the corresponding VLANs to pass through.
[S4-GigabitEthernet0/0/3] port link-type trunk
[S4-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[S3-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
# Configure VLANIF interfaces.
[S4-Vlanif10] quit
[S4-Vlanif20] quit
[S4-Vlanif30] quit
[S3-Vlanif10] ip address 10.0.10.3 24
[S3-Vlanif10] quit
[S3-Vlanif20] quit
[S3-Vlanif30] quit
[S3-Vlanif40] quit
[S1-Vlanif40] quit
# Check the connectivity of VLANIF 40 between S1 and S3.
[S1]ping -c 1 10.0.40.3

0.00% packet loss
The DHCP server and relay agent can communicate with each other.
Step 2 Configure the DHCP server.
Enable the DHCP service, configure a global address pool, and allocate a static IP address to VLANIF
30 on S4.
# Enable the DHCP service.
[S1]dhcp enable
# Create an IP address pool named vlan10 to allocate an IP address to VLANIF 10 of S4.
[S1]ip pool vlan10

[S1-ip-pool-vlan10] gateway-list 10.0.10.3
[S1-ip-pool-vlan10] network 10.0.10.0 mask 255.255.255.0
[S1-ip-pool-vlan10] dns-list 10.0.10.3
[S1-ip-pool-vlan10] quit
[S1]ip pool vlan20


[S1]ip pool vlan30

# Check the MAC address of VLANIF 30 on S4.
[S4]display interface Vlanif 30

Vlanif30 current state : UP
Line protocol current state : DOWN
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-cc49-4c7c
Current system tim3 : 2020-06-05 16:51:20-08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
The actual MAC address is subject to the device in the lab environment.
# On S1, configure static address allocation for VLANIF 30 of S4.
[S1]ip pool vlan30

[S1-ip-pool-vlan30] static-bind ip-address 10.0.30.2 mac-address 4c1f-cc49-4c7c
Allocate the fixed IP address 10.0.30.2 to VLANIF 30 of S4.

# Enable the DHCP server function on VLANIF 40.
[S1-Vlanif40] dhcp select global
# Check the IP address pool configurations.
[S1]display ip pool name vlan10

Pool-name : vlan10
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : 10.0.10.3
NBNS-server0 : -
Netbios-type :-
Position : Local Status : Unlocked
Gateway-0 : 10.0.10.3
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.0.10.1 10.0.10.254 253 0 253(0) 0 0

-----------------------------------------------------------------------------

Pool-name : vlan20
Pool-No :1
Domain-name : -
DNS-server0 : 10.0.20.3
NBNS-server0 : -
Netbios-type :-
Gateway-0 : 10.0.20.3
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
10.0.20.1 10.0.20.254 253 0 253(0) 0 0
-----------------------------------------------------------------------------

Pool-name : vlan30
Pool-No :2
Domain-name : -
DNS-server0 : 10.0.30.3
NBNS-server0 : -
Netbios-type :-
Gateway-0 : 10.0.30.3
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
10.0.30.1 10.0.30.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
The address pool vlan30 already has a used IP address, which is a static one.
# Configure routes to user network segments.
[S1]ip route-static 10.0.10.0 24 10.0.40.3

[S1]ip route-static 10.0.20.0 24 10.0.40.3
[S1]ip route-static 10.0.30.0 24 10.0.40.3
After receiving a DHCP message from the DHCP client, the DHCP relay agent uses the interface IP
address to relay the message to the DHCP server. Therefore, the connectivity between the interface
IP address and DHCP server must be ensured.
# Check the connectivity between the DHCP server and relay interface.
<S1>ping -c 1 10.0.10.3

0.00% packet loss
<S1>ping -c 1 10.0.20.3

0.00% packet loss
<S1>ping -c 1 10.0.30.3

0.00% packet loss
Step 3 Configure the DHCP relay agent.

Configure DHCP relay on S3.
[S3]dhcp enable
# Configure DHCP relay on interfaces and specify the DHCP server.
[S3-Vlanif10] dhcp select relay
[S3-Vlanif10] dhcp relay server-ip 10.0.40.1
[S3-Vlanif10] quit
[S3-Vlanif20] quit
[S3-Vlanif30] quit
# Verify the DHCP relay configuration.
[S3]display dhcp relay all

DHCP relay agent running information of interface Vlanif10 :
Server IP address [01] : 10.0.40.1
Gateway address in use : 10.0.10.3


Step 4 Configure the DHCP client.

Configure VLANIF 10, VLANIF 20, and VLANIF 30 on S4 to obtain IP addresses through DHCP.
[S4]dhcp enable
# Enable the interfaces to obtain IP addresses through DHCP.
[S4-Vlanif10] ip address dhcp-alloc
[S4-Vlanif10] quit
[S4-Vlanif20] quit
[S4-Vlanif30] quit
# Check the IP address allocated to each interface.
<S4>display interface Vlanif 10

Line protocol current state : UP
Last line protocol up time: 2020-06-05 17:37:57 UTC-08:00
Description:
Internet Address is allocated by DHCP, 10.0.10.254/24

Description:

Description:
The interfaces have obtained IP addresses through DHCP, and the IP address of VLANIF 30 is the
static IP address 10.0.30.2.
Step 5 Observe the DHCP relay process.
Run the debugging dhcp relay info and debugging dhcp relay packet commands on S3. Disable
the DHCP client function on VLANIF 30 of S4, and then enable it again. Check the debugging
information.
# Enable debugging on S3.
<S3>debugging dhcp relay info

<S3>debugging dhcp relay packet
<S3>terminal debugging
<S3>terminal monitor
Info: Current terminal monitor is on.
# Disable the DHCP client function on VLANIF 30 of S4.
[S4-Vlanif30] undo ip address dhcp-alloc
# Check the debugging information on S3.
Jun 5 2020 18:41:41.510.1-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP RELEASE message from interface Vlanif30.
Jun 5 2020 18:41:41.510.2-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:srcip:10.0.30.2 dstip:10.0.40.1 vpnid:0
Jun 5 2020 18:41:41.510.3-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:msgtype:BOOT-REQUEST dhcp msgtype:DHCP RELEASE
bflag:uc chaddr:4c1f-cc49-4c7c ciaddr:10.0.30.2 reqip:0.0.0.0 giaddr:0.0.0.0 serverid:10.0.40.1
Jun 5 2020 18:41:41.510.4-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:Select 10.0.30.3 as giaddr.
Jun 5 2020 18:41:41.510.5-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Relay DHCP RELEASE to server 10.0.40.1.
S3 receives a DHCPRELEASE message from VLANIF 30. The source and destination IP addresses of
the message are 10.0.30.2 and 10.0.40.1, respectively, and the value of the giaddr field is 0.0.0.0. S3
sets the giaddr field in the message to 10.0.30.3 (IP address of VLANIF 30) and then sends the
message to the DHCP server.
# Enable the DHCP client function on VLANIF 30 of S4 again.
# Check the debugging information on S3.
Jun 5 2020 18:38:42.600.1-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP DISCOVER message from interface Vlanif30.
Jun 5 2020 18:38:42.600.3-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:msgtype:BOOT-REQUEST dhcp msgtype:DHCP DISCOVER
Jun 5 2020 18:38:42.600.5-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Relay DHCP DISCOVER to server 10.0.40.1.
S3 receives a DHCPDISCOVER message from the client. The source and destination IP addresses of
the message are 0.0.0.0 and 255.255.255.255, respectively. After setting the giaddr field in the
message to 10.0.30.3, S3 unicasts the message to the DHCP server at 10.0.40.1. In this case, the
source IP address of the message is 10.0.30.3.
Jun 5 2020 18:38:42.610.1-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP OFFER message from interface Vlanif40.
Jun 5 2020 18:38:42.610.3-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:msgtype:BOOT-REPLY dhcp msgtype:DHCP OFFER bflag:uc
chaddr:4c1f-cc49-4c7c ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:10.0.30.3 serverid:10.0.40.1
Jun 5 2020 18:38:42.610.4-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Unicast DHCP OFFER to client. (Chaddr=4c1f-cc49-4c7c,
Ciaddr=10.0.30.2)
S3 receives a DHCPOFFER message from the DHCP server. The source and destination IP addresses
of the message are 10.0.40.1 and 10.0.30.3, respectively, and the message carries the DHCP server
ID (DHCP Option 54). S3 then unicasts the message to the client.
Jun 5 2020 18:38:42.650.1-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP REQUEST message from interface Vlanif30.
Jun 5 2020 18:38:42.650.3-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:msgtype:BOOT-REQUEST dhcp msgtype:DHCP REQUEST
Jun 5 2020 18:38:42.650.5-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Relay DHCP REQUEST to server 10.0.40.1.
After receiving a DHCPREQUEST broadcast message from the client, S3 converts the message into
a unicast one and then sends it to the DHCP server.
Jun 5 2020 18:38:42.660.1-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP ACK message from interface Vlanif40.
Jun 5 2020 18:38:42.660.3-08:00 S3 DHCP/7/DEBUG:[dhcpr-info]:msgtype:BOOT-REPLY dhcp msgtype:DHCP ACK bflag:uc
chaddr:4c1f-cc49-4c7c ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:10.0.30.3 serverid:10.0.40.1
Jun 5 2020 18:38:42.660.4-08:00 S3 DHCP/7/DEBUG:[dhcpr-pkt]:Unicast DHCP ACK to client. (Chaddr=4c1f-cc49-4c7c,
Ciaddr=10.0.30.2)
After receiving a DHCPACK message with the source IP address 10.0.40.1 and destination IP address
10.0.30.3 from the DHCP server, S3 unicasts the message to the DHCP client.
----End
9.1.3 Quiz
How does a DHCP server select an address pool after receiving a DHCP message from a DHCP relay
agent?

Configuration on S1
#
sysname S1
#
vlan batch 40
#
dhcp enable
#
ip pool vlan10
gateway-list 10.0.10.3
network 10.0.10.0 mask 255.255.255.0
dns-list 10.0.10.3
#
ip pool vlan20
network 10.0.20.0 mask 255.255.255.0
dns-list 10.0.20.3
#
ip pool vlan30
network 10.0.30.0 mask 255.255.255.0
static-bind ip-address 10.0.30.2 mac-address 4c1f-cc49-4c7c
dns-list 10.0.30.3
#
interface Vlanif40
ip address 10.0.40.1 255.255.255.0
dhcp select global
#
#
ip route-static 10.0.10.0 255.255.255.0 10.0.40.3
ip route-static 10.0.20.0 255.255.255.0 10.0.40.3
ip route-static 10.0.30.0 255.255.255.0 10.0.40.3
#
return
Configuration on S3
#
sysname S3
#
vlan batch 10 20 30 40
#
dhcp enable
#
interface Vlanif10
ip address 10.0.10.3 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.0.40.1
#
interface Vlanif20
ip address 10.0.20.3 255.255.255.0
dhcp select relay
#
interface Vlanif30
ip address 10.0.30.3 255.255.255.0
dhcp select relay
#
interface Vlanif40
ip address 10.0.40.3 255.255.255.0
#

#
port trunk allow-pass vlan 10 20 30
#
user-interface con 0
user-interface vty 0 4
#
return
Configuration on S4
#
sysname S4
#
vlan batch 10 20 30
#
dhcp enable
#
interface Vlanif10
ip address dhcp-alloc
#
interface Vlanif20
#
interface Vlanif30
#
port trunk allow-pass vlan 10 20 30
#
Return
10 WLAN
10.1 Inter-AC Roaming on a Large-Scale WLAN

10.1.1 Introduction
10.1.1.1 Objectives
 Implement inter-AC Layer 3 roaming by configuring a mobility group.
 Describe how to configure APs to go online.
 Know the basic WLAN configuration process.
Figure 10-1 Inter-AC roaming on a large-scale WLAN
The preceding figure shows the device connection mode. AP1 is managed by AC1, and AP2 is
managed by AC2. All APs use the direct forwarding mode.
S4 transparently transmits packets from AP2 at Layer 2. S3 serves as the gateway for APs and STAs.
S3 is enabled with DHCP to allocate IP addresses to AP1, AP2, and STAs associated with them. APs
obtain ACs' addresses from Option 43 in DHCP packets.
10.1.1.3 Background
To meet the increasing STA access requirements, an enterprise needs to deploy a batch of APs. As
AC1 is managing APs of its maximum specifications, the enterprise purchases a new AC (AC2) to
manage the newly deployed APs. In addition, inter-AC roaming is required to minimize the service
interruption time when STAs move between the coverage areas of APs managed by different ACs.
10.1.1.4 Data Planning
Table 10-1 AC's data planning
Item Configuration
Management VLAN for APs VLANs 10 and 20
Service VLAN for STAs VLANs 11 and 21
DHCP server S3 functions as a DHCP server to allocate IP addresses to

APs and STAs.
IP address pool for APs 10.0.10.0/24 and 10.0.20.0/24
IP address pool for STAs 10.0.11.0/24 and 10.0.21.0/24
AC's source interface address VLANIF 100 (10.0.100.254) and VLANIF 200 (10.0.200.254)
AP group Name: ap-group1 and ap-group2
Referenced profile: VAP profile departX
Regulatory domain profile Name: default
Country code: CN
SSID profile Name: departX
SSID name: roam
Security profile Name: departX
Security policy: WPA-WPA2+PSK+AES
Password: huawei123
VAP profile Name: departX
Forwarding mode: direct forwarding
Service VLANs: VLANs 11 and 21
Referenced profiles: SSID profile departX and security

profile departX
X in departX indicates the AC number, that is, depart1 on AC1 and depart2 on AC2.

1. Shut down unnecessary ports and enable the PoE function on switches.
2. Configure wired-side functions so that S3 serves as the gateway for APs and STAs, and AC1 and
AC2 communicate with S3 at Layer 3 through VLANIF interfaces.
3. Configure WLAN services on AC1 and enable AP1 to go online.

4. Configure WLAN services on AC2 and enable AP2 to go online.
5. Configure a mobility group on AC1 and AC2 to implement inter-AC roaming.
Step 1 Complete basic device configurations.
# Name the devices.
# Shut down unnecessary ports.
# Enable the PoE function on S3 and S4 ports connected to APs.

[S3-GigabitEthernet0/0/4] poe enable

The poe enable command enables the PoE function on a port. When a port detects a powered
device (PD) connected, the port supplies power to the PD. By default, the PoE function is enabled on
a port. Therefore, this command is unnecessary and is provided for demonstration purpose only.
Step 2 Configure the wired network.
Configure the wired network of the switches and ACs as planned.
# Create VLANs on S3, S4, AC1, and AC2, and assign ports to the VLANs.
[S3]vlan batch 10 11 20 21 100 200

[S3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[S3-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 to 21
[S3-GigabitEthernet0/0/4] port trunk pvid vlan 10
The PVID of the S3 port connected to AP1 is set to VLAN 10, and packets in the service VLAN and
management VLAN from AP2 are allowed to pass on the S3 port connected to S4.

The PVID of the S4 port connected to AP2 is set to VLAN 20, and the uplink port of S4 is configured
to transparently transmit packets in VLANs 20 (management VLAN) and 21 (service VLAN).
[AC1]vlan batch 100

[AC1]interface GigabitEthernet0/0/12
[AC1-GigabitEthernet0/0/12] port link-type trunk
[AC1-GigabitEthernet0/0/12] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/12] quit
The interface is configured to allow packets in VLAN 100 to pass through because VLANIF 100
serves as the CAPWAP source interface of AC1.
[AC2]vlan batch 200

The interface is configured to allow packets in VLAN 200 to pass through because VLANIF 200
serves as the CAPWAP source interface of AC2.
# Create VLANIF interfaces on S3, AC1, and AC2.
[S3-Vlanif10] description ap1_mgnt
[S3-Vlanif10] quit
[S3-Vlanif11] description ap1_service
[S3-Vlanif11] quit
[S3-Vlanif20] description ap2_mgnt
[S3-Vlanif20] quit
[S3-Vlanif21] description ap2_service
[S3-Vlanif21] quit
[S3-Vlanif100] description to_AC1
[S3-Vlanif100] quit
[S3-Vlanif200] description to_AC2
[S3-Vlanif200] quit
On S3, VLANIF 10 and VLANIF 20 are configured as the management VLAN gateways of AP1 and
AP2, respectively; VLANIF 11 and VLANIF 21 are configured as the service VLAN gateways of STAs
connected to AP1 and AP2, respectively; and VLANIF 100 and VLANIF 200 are used for Layer 3
communication with AC1 and AC2, respectively.
[AC1]interface Vlanif100
[AC1-Vlanif100] description to_S3_CAPWAP
[AC1-Vlanif100] ip address 10.0.100.254 255.255.255.0
[AC1-Vlanif100] quit
VLANIF 100 is configured as the CAPWAP source interface of AC1.

# Configure routes to the AP management network segments on AC1 and AC2.
[AC1]ip route-static 10.0.10.0 255.255.255.0 10.0.100.1
Static routes to the AP management network segments for communication with APs.
# Configure the DHCP service on S3.
[S3]dhcp enable
The DHCP service is enabled.
[S3]ip pool ap1

[S3-ip-pool-ap1] gateway-list 10.0.10.1
[S3-ip-pool-ap1] network 10.0.10.0 mask 255.255.255.0
[S3-ip-pool-ap1] option 43 sub-option 3 ascii 10.0.100.254
[S3-ip-pool-ap1] quit
[S3]ip pool ap2
[S3-ip-pool-ap2] gateway-list 10.0.20.1
[S3-ip-pool-ap2] network 10.0.20.0 mask 255.255.255.0
[S3-ip-pool-ap2] option 43 sub-option 3 ascii 10.0.200.254
[S3-ip-pool-ap2] quit
[S3]ip pool service_a
[S3-ip-pool-service_a] gateway-list 10.0.11.1
[S3-ip-pool-service_a] network 10.0.11.0 mask 255.255.255.0
[S3-ip-pool-service_a] dns-list 10.0.11.1
[S3-ip-pool-service_a] quit
[S3]ip pool service_b
[S3-ip-pool-service_b] gateway-list 10.0.21.1
[S3-ip-pool-service_b] network 10.0.21.0 mask 255.255.255.0
[S3-ip-pool-service_b] dns-list 10.0.21.1
[S3-ip-pool-service_b] quit
The address pools ap1 and ap2 are configured to allocate IP addresses to APs and carry Option 43
specifying the AC's IP address in DHCP packets. The address pools service_a and service_b are
configured to allocate IP addresses to STAs on AP1 and AP2, respectively. The gateways for all
address pools are set to the addresses of VLANIF interfaces on S3.
[S3-Vlanif10] quit
[S3-Vlanif11] quit
[S3-Vlanif20] quit
[S3-Vlanif21] quit
The global address pool is selected on the VLANIF interfaces.

Step 3 Configure AC1.
On AC1, specify VLANIF 100 as the CAPWAP source interface, create the AP group depart1,
configure MAC address authentication for APs, name the AP ap1, add it to the AP group depart1,
associate parameter profiles with the VAP profile depart1, and bind the VAP profile to the AP group
depart1.
# Specify the CAPWAP source interface.
[AC1]capwap source interface vlanif100
# Create an AP group named depart1.
[AC1]wlan
[AC1-wlan-view] ap-group name depart1
[AC1-wlan-ap-group-depart1] quit
# Create a regulatory domain profile and configure the AC's country code in the profile.
[AC1]wlan
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
Info: The current country code is same with the input country code.
[AC1-wlan-regulate-domain-default] quit
A regulatory domain profile provides configurations of the country code, calibration channel set,
and calibration bandwidth for an AP.
By default, the system provides the regulatory domain profile default. Therefore, the default
regulatory domain profile is displayed.
A country code identifies the country where AP radios work. Different countries require different AP
radio attributes, including the transmit power and supported channels. The correct country code
configuration ensures that radio attributes of APs comply with local laws and regulations of
countries and regions to which the APs are delivered. By default, the country code CN is configured.
# Bind the regulatory domain profile to the AP group.
[AC1]wlan
[AC1-wlan-view]ap-group name depart1

[AC1-wlan-ap-group- depart1]regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP.
Continue?[Y/N]:y
[AC1-wlan-ap-group- depart1]quit
In the AP group view, the regulatory-domain-profile command binds a regulatory domain profile
to an AP or AP group. By default, the regulatory domain profile default is bound to an AP group, but
no regulatory domain profile is bound to an AP. In the regulatory domain profile default, the
country code is CN, 2.4G calibration channels include channels 1, 6, and 11, and 5G calibration
channels include channels 149, 153, 157, 161, and 165. Therefore, you can skip this step and the
previous step in actual operations.
# Add an AP.
[AC1]wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 00e0-fc6e-2890 //Set the AP's MAC address as required in the lab environment.
[AC1-wlan-ap-0] ap-name ap1
[AC1-wlan-ap-0] ap-group depart1
Three AP authentication modes are supported. By default, MAC address authentication is used. The
AP is added on the AC before it goes online, named ap1, and added to the AP group depart1.
# Configure parameter profiles.
[AC1]wlan
[AC1-wlan-view] security-profile name depart1
[AC1-wlan-sec-prof-depart1] security wpa2 psk pass-phrase huawei123 aes
[AC1-wlan-sec-prof- depart1] quit
[AC1-wlan-view] ssid-profile name depart1
[AC1-wlan-ssid-prof-depart1] ssid roam
[AC1-wlan-ssid-prof-depart1] quit
[AC1-wlan-view] vap-profile name depart1
[AC1-wlan-vap-prof-depart1] forward-mode direct-forward
[AC1-wlan-vap-prof-depart1] service-vlan vlan-id 11
[AC1-wlan-vap-prof-depart1] ssid-profile depart1
[AC1-wlan-vap-prof-depart1] security-profile depart1
[AC1-wlan-vap-prof-depart1] quit
[AC1-wlan-ap-group-depart1] vap-profile depart1 wlan 1 radio all
The security profile depart1 is configured, with the authentication mode of WPA2-PSK and the pre-
shared key of huawei123.
The SSID profile depart1 is configured, and the SSID is set to roam.
The VAP profile depart1 is configured, with the direct forwarding mode and the service VLAN 11,
and has the SSID profile depart1 and security profile depart1 bound.
The VAP profile depart1 is bound to the AP group depart1.
# Check the AP online status.
<AC1>display ap all
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]

--------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------------------
0 00e0-fc6e-2890 ap1 depart1 10.0.10.254 AirEngine5760-10 nor 0 50S
--------------------------------------------------------------------------------------------
Total: 1
Wait for a period of time and check the AP online status. If the AP status is nor, the AP goes online
successfully and works properly. The AP has obtained the IP address 10.0.10.254 and has no STA
associated.
Step 4 Configure AC2.
On AC2, specify VLANIF 200 as the CAPWAP source interface, create the AP group depart2,
configure MAC address authentication for APs, name the AP ap2, add it to the AP group depart2,
associate parameter profiles with the VAP profile depart2, and bind the VAP profile to the AP group
depart2.
# Specify the CAPWAP source interface.
[AC2]capwap source interface vlanif200
# Create an AP group named depart2.
[AC2]wlan
[AC2]wlan
[AC2]wlan
[AC2-wlan-ap-group- depart2] regulatory-domain-profile default
Continue?[Y/N]:y
[AC2-wlan-ap-group- depart2] quit
# Add an AP.
[AC2]wlan
[AC2-wlan-view] ap-id 0 ap-mac 00e0-fcde-1990 //Set the AP's MAC address as required in the lab environment.
[AC2-wlan-ap-0] ap-group depart2

[AC2]wlan
[AC2-wlan-view] security-profile name depart2
[AC2-wlan-sec-prof-depart2] security wpa2 psk pass-phrase huawei123 aes
[AC2-wlan-sec-prof- depart2] quit
[AC2-wlan-view] ssid-profile name depart2
[AC2-wlan-ssid-prof-depart2] ssid roam
[AC2-wlan-ssid-prof-depart2] quit
[AC2-wlan-view] vap-profile name depart2
[AC2-wlan-vap-prof-depart2] forward-mode direct-forward
[AC2-wlan-vap-prof-depart2] service-vlan vlan-id 21
[AC2-wlan-vap-prof-depart2] ssid-profile depart2
[AC2-wlan-vap-prof-depart2] security-profile depart2
[AC2-wlan-vap-prof-depart2] quit
[AC2-wlan-ap-group-depart2] vap-profile depart2 wlan 1 radio all
The security profile depart2 is configured, with the authentication mode of WPA2-PSK and the pre-
The SSID profile depart2 is configured, and the SSID is set to roam.
The VAP profile depart2 is configured, with the direct forwarding mode and the service VLAN 21,
and has the SSID profile depart2 and security profile depart1 bound.
The VAP profile depart2 is bound to the AP group depart2.
# Check the AP online status.
<AC2>display ap all
nor : normal [1]
--------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
0 00e0-fcde-1990 ap2 depart2 10.0.20.254 AirEngine5760-10 nor 0 1M:13S
--------------------------------------------------------------------------------------------
Total: 1
Wait for a period of time and check the AP online status. If the AP status is nor, the AP goes online
successfully and works properly. The AP has obtained the IP address 10.0.20.254 and has no STA
associated.
Step 5 Configure Layer 3 roaming.
Configure static routes between the CAPWAP source interfaces on AC1 and AC2. Create the
mobility group mobility and add AC1 and AC2 to the mobility group, without specifying a mobility
server.
#Configure static routes.
# Configure AC1.
[AC1]wlan
[AC1 -wlan-view] mobility-group name mobility
[AC1-mc-mg-mobility] member ip-address 10.0.100.254
The mobility group mobility is created on AC1, and AC1 and AC2 are added to the mobility group as
members.
# Configure AC2.
[AC2]wlan
[AC2 -wlan-view] mobility-group name mobility
The mobility group mobility is created on AC2, and AC1 and AC2 are added to the mobility group as
members.
# Check the mobility group status.
[AC1]display mobility-group name mobility

--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.0.100.254 -
normal 10.0.200.254 -
--------------------------------------------------------------------------------
Total: 2
Members AC1 and AC2 in the mobility group are both in normal state.
# Check STA information on AC1.
[AC1]display station ssid roam

Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
After detecting the WLAN with the SSID roam in the coverage area of AP1, the STA is associated
with the WLAN through the password huawei123. After the display station ssid roam command is
run on AC1 to check STA access information, the command output shows that the STA (MAC
address: 5489-986f-73) is associated with AP1.
Move the STA to the coverage area of AP2 while still associating with AP1 and then power off AP1 to
enable the STA to roam to AP2.
# Check the inter-AC roaming track.
<AC2>display station roam-track sta-mac5489-986f-73ad

Access SSID:roam
z: Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In Rx/Tx RSSI Out Rx/Tx RSSI
------------------------------------------------------------------
10.0.100.254 ap1 1
00e0-fc6e-2890 2020/06/08 07:27:06 130/130 -44 130/130 -44
L3 10.0.200.254 ap2 1
00e0-fcde-1990 2020/06/08 07:27:24 130/6 -42 -/-
------------------------------------------------------------------
Number of roam track: 1
The STA with the MAC address 5489-986f-73ad has roamed from AP1 to AP2, which is an inter-AC
roaming process.
----End
10.1.3 Quiz
What are the differences in forwarding between inter-AC Layer 2 roaming and inter-AC Layer 3
roaming?

Configuration on S3
#
sysname S3
#
vlan batch 10 to 11 20 to 21 100 200
#
dhcp enable
#
ip pool ap1
network 10.0.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.0.100.254
#
ip pool ap2
network 10.0.20.0 mask 255.255.255.0
#
ip pool service_a
network 10.0.11.0 mask 255.255.255.0
dns-list 10.0.11.1
#
ip pool service_b
network 10.0.21.0 mask 255.255.255.0
dns-list 10.0.21.1
#
interface Vlanif10
description ap1_mgnt
ip address 10.0.10.1 255.255.255.0
dhcp select global

#
interface Vlanif11
description ap1_service
ip address 10.0.11.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description ap2_mgnt
ip address 10.0.20.1 255.255.255.0
dhcp select global
#
interface Vlanif21
description ap2_service
ip address 10.0.21.1 255.255.255.0
dhcp select global
#
interface Vlanif100
description to_AC1
ip address 10.0.100.1 255.255.255.0
#
interface Vlanif200
description to_AC2
ip address 10.0.200.1 255.255.255.0
#
port trunk allow-pass vlan 100
#
#
port trunk allow-pass vlan 20 to 21
#
port trunk pvid vlan 10
#
return
Configuration on S4
#
sysname S4
#
vlan batch 20 to 21
#
#
#
return
Configuration on AC1
#
sysname AC1
#
vlan batch 100
#
interface Vlanif100
description to_S3_CAPWAP
ip address 10.0.100.254 255.255.255.0
#
#
ip route-static 10.0.10.0 255.255.255.0 10.0.100.1
ip route-static 10.0.200.0 255.255.255.0 10.0.100.1
#
capwap source interface vlanif100
#
wlan
security-profile name depart1
security wpa2 psk pass-phrase huawei123 aes
aes
ssid-profile name depart1
ssid roam
vap-profile name depart1
service-vlan vlan-id 11
ssid-profile depart1
security-profile depart1
regulatory-domain-profile name default
mobility-group name mobility
member ip-address 10.0.100.254
ap-group name depart1
radio 0
vap-profile depart1 wlan 1
radio 1
radio 2
ap-id 0 type-id 56 ap-mac 00e0-fc6e-2890 ap-sn 210235448310F30CF56D
ap-name ap1
ap-group depart1
provision-ap
#
return
#
sysname AC2
#
vlan batch 200
#
interface Vlanif200
ip address 10.0.200.254 255.255.255.0
#
#
ip route-static 10.0.20.0 255.255.255.0 10.0.200.1
ip route-static 10.0.100.0 255.255.255.0 10.0.200.1
#
#
wlan
security-profile name depart2
security wpa-wpa2 psk pass-phrase huawei123 aes
ssid-profile name default
ssid-profile name depart2
ssid roam
vap-profile name depart2
ssid-profile depart2
security-profile depart2
mobility-group name mobility
ap-group name depart2
radio 0
radio 1
radio 2
ap-id 0 type-id 56 ap-mac 00e0-fcde-1990 ap-sn 210235448310FA145341
ap-name ap2
ap-group depart2
provision-ap
#
Return
10.2 VRRP HSB Configuration

10.2.1 Introduction
10.2.1.1 Objectives
 Improve AC reliability through VRRP HSB.
 Configure VRRP HSB.
 Describe the technical implementation of VRRP HSB.
Figure 10-2 VRRP HSB configuration
As shown in the figure, AC1 and AC2 form an HSB group, and VRRP HSB is configured for AC
backup. AP1 and AP2 are managed by AC1 and AC2 in active/standby mode, and both use the direct
forwarding mode.
obtain the ACs' virtual IP address from Option 43 in DHCP packets.
10.2.1.3 Background
As the number of STAs on the enterprise intranet keeps increasing, to ensure the stability of
wireless services, you, a network engineer, decide to purchase a new AC (AC2) to form an HSB
group with the existing AC (AC1) and configure the HSB group to work with VRRP to implement AC
HSB and improve the reliability of wireless services.
Item Configuration
Management VLAN for APs VLAN 10
Service VLAN for STAs VLAN 11

APs and STAs.
IP address pool for APs 10.0.10.0/24
IP address pool for STAs 10.0.11.0/24
AC's source interface address 10.0.100.254 (VRRP virtual address)
AP group Name: depart
Referenced profile: VAP profile depart
Country code: CN
SSID profile Name: depart
SSID name: HSB
Security profile Name: depart
Password: huawei123
VAP profile Name: depart
Service VLAN: VLAN 11
Referenced profiles: SSID profile depart and security

profile depart
VRRP group VRRP group ID: 1
Virtual IP address: 10.0.100.254
HSB IP address and port number of the HSB channel for AC1:
10.0.100.1 and 10241
IP address and port number of the HSB channel for AC2:

10.0.100.2 and 10241

1. Shut down unnecessary ports and enable the PoE function on switches.
2. Configure wired-side functions so that S3 serves as the gateway for APs and STAs, and AC1 and
AC2 communicate with S3 at Layer 3 through VLANIF 100.
3. Configure WLAN services on AC1 and AC2. Note that you do not need to configure the
CAPWAP source address now. Perform this configuration after HSB and VRRP configurations
are completed.
4. Configure HSB on AC1, specify AC1 as the master device in VRRP group 1 and the active device
in HSB mode, and set the CAPWAP source address to the VRRP virtual IP address.
5. Configure HSB on AC1, specify AC1 as the standby device in HSB mode, and set the CAPWAP
source address to the VRRP virtual IP address.
6. Verify the VRRP HSB configuration. Shut down the downlink interface on AC1, and check the
states of APs and STAs on AC2.
# Name the devices.


The poe enable command enables the PoE function on a port. When a port detects a PD connected,
the port supplies power to the PD. By default, the PoE function is enabled on a port. Therefore, this
command is unnecessary and is provided for demonstration purpose only.


The PVID of the S3 port connected to AP1 is set to VLAN 10, packets in the service VLANs and
management VLANs are allowed to pass on the S3 port connected to S4, and the S3 ports
connected to ACs are configured to allow packets in VLAN 100 to pass through.
[AC1]vlan batch 100

The interface is configured to allow packets in VLAN 100 to pass through.
[AC2]vlan batch 100


[S3-Vlanif10] description ap_mgnt
[S3-Vlanif10] quit
[S3-Vlanif11] description ap_service
[S3-Vlanif11] quit
[S3-Vlanif100] description to_AC

[S3-Vlanif100] quit
On S3, VLANIF 10 is configured as the management VLAN gateway of AP1 and AP2; VLANIF 11 is
configured as the service VLAN gateway of STAs connected to AP1 and AP2; and VLANIF 100 is used
for Layer 3 communication with AC1 and AC2.
VLANIF 100 of AC1 is configured as the CAPWAP communication interface (instead of the CAPWAP
source interface).
VLANIF 100 of AC2 is configured as the CAPWAP communication interface (instead of the CAPWAP
source interface).
Static routes to the AP management network segments are configured on ACs for CAPWAP
communication with APs.
[S3]dhcp enable
[S3]ip pool ap
[S3-ip-pool-ap] gateway-list 10.0.10.1
[S3-ip-pool-ap] network 10.0.10.0 mask 255.255.255.0
[S3-ip-pool-ap] option 43 sub-option 3 ascii 10.0.100.254
[S3-ip-pool-ap] quit
[S3]ip pool service
[S3-ip-pool-service] gateway-list 10.0.11.1
[S3-ip-pool-service] network 10.0.11.0 mask 255.255.255.0
[S3-ip-pool-service] dns-list 10.0.11.1
[S3-ip-pool-service] quit
The address pool ap is configured to allocate IP addresses to APs. Option 43 is configured to specify
the AC's IP address (VRRP virtual IP address).
The address pool service is configured to allocate IP addresses to STAs connected to AP1 and AP2.
VLANIF interfaces on S3 are configured as the gateways for all address pools.

[S3-Vlanif10] quit
[S3-Vlanif11] quit

Step 3 Configure ACs.
Create the AP group depart, configure MAC address authentication for APs, name the APs ap1 and
ap2, add them to the AP group depart, and associate parameter profiles with the VAP profile
depart.
The WLAN configurations on AC1 and AC2 are the same. The following uses AC1 as an example.
# Create an AP group named depart.
[AC1]wlan
[AC1-wlan-view] ap-group name depart
[AC1-wlan-ap-group-depart] quit
[AC1]wlan
[AC1]wlan
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group- depart]regulatory-domain-profile default
Continue?[Y/N]:y
[AC1-wlan-ap-group- depart]quit
# Add APs.
[AC1]wlan
[AC1-wlan-ap-0] ap-group depart
[AC1-wlan-ap-0] quit
Three AP authentication modes are supported. By default, MAC address authentication is used. APs
are added on the AC before they go online, named ap1 and ap2, and added to the AP group depart.
[AC1]wlan
[AC1-wlan-view] security-profile name depart
[AC1-wlan-sec-prof-depart] security wpa2 psk pass-phrase huawei123 aes
[AC1-wlan-sec-prof- depart] quit
[AC1-wlan-view] ssid-profile name depart
[AC1-wlan-ssid-prof-depart] ssid HSB
[AC1-wlan-ssid-prof-depart] quit
[AC1-wlan-view] vap-profile name depart
[AC1-wlan-vap-prof-depart] forward-mode direct-forward
[AC1-wlan-vap-prof-depart] service-vlan vlan-id 11
[AC1-wlan-vap-prof-depart] ssid-profile depart
[AC1-wlan-vap-prof-depart] security-profile depart
[AC1-wlan-vap-prof-depart] quit
[AC1-wlan-ap-group-depart] vap-profile depart wlan 1 radio all
The security profile depart is configured, with the authentication mode of WPA2-PSK and the pre-
The SSID profile depart is configured, and the SSID is set to HSB.
The VAP profile depart is configured, with the direct forwarding mode and the service VLAN 11, and
has the SSID profile depart and security profile depart bound.
The VAP profile depart is bound to the AP group depart.
Step 4 Configure VRRP HSB on AC1.
Configure AC1 as the master in VRRP group 1. Configure the hot standby (HSB) function on AC1 so
that service information on AC1 is backed up to AC2 in real time or in batches, ensuring seamless
service switchover.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60
# Create a management VRRP group on AC1. Set the VRRP priority of AC1 to 120 and the
preemption delay to 1800 seconds.
[AC1] interface vlanif 100

[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.0.100.254
[AC1-Vlanif100] vrrp vrid 1 priority 120

[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
The VRRP priority of AC1 is adjusted, and AC1 is specified as the master device in VRRP group 1.
# Create HSB service 0 on AC1, and configure the IP addresses and port numbers for establishing an
HSB channel. Set the retransmission time and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.0.100.1 peer-ip 10.0.100.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind HSB service 0 and the management VRRP group to the HSB
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Bind the NAC service to the HSB group.
[AC1] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[AC1] hsb-service-type ap hsb-group 0
# Enable the HSB function.
[AC1]hsb-group 0
[AC1-hsb-group-0] hsb enable
# Configure the CAPWAP source address of AC1.
[AC1]undo capwap source ip-address

[AC1]capwap source ip-address 10.0.100.254
Note that this IP address must be set to the VRRP virtual IP address.
Step 5 Configure VRRP HSB on AC2.
Configure AC2 as the backup in VRRP group 1. Configure the HSB function on AC2 to back up service
information from AC1, ensuring seamless service switchover.
# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60
# Create a management VRRP group on AC2 and set the preemption delay to 1800 seconds.
[AC2] interface vlanif 100

[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.0.100.254

[AC2-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC2-Vlanif100] admin-vrrp vrid 1
# Create HSB service 0 on AC2, and configure the IP addresses and port numbers for establishing an
HSB channel. Set the retransmission time and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.0.100.2 peer-ip 10.0.100.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2, and bind HSB service 0 and the management VRRP group to the HSB
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
# Bind the NAC service to the HSB group.
[AC2] hsb-service-type access-user hsb-group 0
# Bind the WLAN service to the HSB group.
[AC2] hsb-service-type ap hsb-group 0
# Enable the HSB function.
[AC2]hsb-group 0
[AC2-hsb-group-0] hsb enable
# Configure the CAPWAP source address of AC2.
[AC2]undo capwap source ip-address

[AC2]capwap source ip-address 10.0.100.254
Note that this IP address must be set to the VRRP virtual IP address.
Step 6 Verify the configuration.
# Check the VRRP status on AC1 and AC2. The State field of AC1 is Master and that of AC2 is
Backup.
<AC1>display vrrp
State: Master
Virtual IP : 10.0.100.254
Master IP : 10.0.100.1
PriorityRun : 120

TimerRun : 1s
TimerConfig : 1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2020-06-12 08:26:33 UTC-05:13
<AC2>display vrrp
State : Backup
Virtual IP : 10.0.100.254
Master IP : 10.0.100.1
PriorityRun : 100
TimerRun : 1s
TimerConfig : 1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2020-06-12 08:41:15 UTC-05:13
AC1 is the owner of the virtual IP address 10.0.100.254.

# Run the display hsb-service 0 command on AC1 and AC2 to check the status of the HSB service.
<AC1>display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
LocalIP Address : 10.0.100.1
Peer IP Address : 10.0.100.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval :6
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
<AC2>display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
LocalIP Address : 10.0.100.2
Peer IP Address : 10.0.100.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times :3
Keep Alive Interval :6
Service State : Connected

Service Batch Modules :
----------------------------------------------------------
The value of the Service State field is Connected, indicating that the HSB channel has been
established.
# Run the display hsb-group 0 command on AC1 and AC2 to check the running status of the HSB
group.
[AC1] display hsb-group 0

Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Vrrp Interface : Vlanif100
Service Index :0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group DeviceName : AC2
Peer Group Software Version : V200R019C00
Group Backup Modules : Access-user
AP
----------------------------------------------------------
[AC2] display hsb-group 0

----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Service Index :0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
AP
----------------------------------------------------------
# Check the AP online status on AC1 and AC2.
<AC1>display ap all
nor : normal [2]
----------------------------------------------------------------------------------------
ID MAC Name Group IP Type StateSTA Uptime
----------------------------------------------------------------------------------------
0 00e0-fc6e-2890 ap1 depart 10.0.10.254 AirEngine5760-10 nor 1 12M:27S
1 00e0-fcde-1990 ap2 depart 10.0.10.253 AirEngine5760-10 nor 0 12M:29S
----------------------------------------------------------------------------------------
Total: 2
<AC2>dis ap all
stdby: standby [2]
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
0 00e0-fc6e-2890 ap1 depart 10.0.10.254 AirEngine5760-10 stdby 1 -
1 00e0-fcde-1990 ap2 depart 10.0.10.253 AirEngine5760-10 stdby 0 -
---------------------------------------------------------------------------------------
Total: 2
The AP status is normal on AC1 and standby on AC2. AP information on AC2 is synchronized from
the HSB group.
# Enable the STA to search for the WLAN with the SSID HSB and go online. Check STA information
on AC1 and AC2.
<AC1>display station all

Rx/Tx : link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
--------------------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254 HSB
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

-------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254 HSB
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
STA information is displayed on both AC1 and AC2.

# Shut down the interface on AC1 to simulate an AC fault.
[AC1]interface GigabitEthernet 0/0/12

[AC1-GigabitEthernet0/0/12] shutdown
# Check brief VRRP information on AC2.
<AC2>display vrrp brief

----------------------------------------------------------------
1 Master Vlanif100 Admin 10.0.100.254
VLANIF 100 of AC2 is the master in VRRP group 1.

# Check the running status of the HSB group on AC2.
<AC2>display hsb-group 0
----------------------------------------------------------
HSB-group ID :0
Vrrp Group ID :1
Service Index :0
Group Vrrp Status : Master
Group Status : Independent
Group Backup Process : Independent
AP
----------------------------------------------------------
AC2 is the master in VRRP group 1 that is in the independent running state (indicating that the
connection to AC1 is interrupted).
# Check AP online information on AC2.
<AC2>display ap all
nor : normal [2]
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Total: 2
The AP status on AC2 is normal, and the Uptime value is not null (-).

-------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254 HSB
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
STA information is still displayed on AC2.

----End
10.2.3 Quiz
How many CAPWAP control channels are established between an AP and ACs when VRRP HSB is
deployed?

Configuration on S3
#
sysname S3
#
vlan batch 10 to 11 100
#
dhcp enable
#
ip pool ap
network 10.0.10.0 mask 255.255.255.0
#
ip pool service
network 10.0.11.0 mask 255.255.255.0
dns-list 10.0.11.1
#
interface Vlanif10
description ap_mgnt
ip address 10.0.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
description ap_service
ip address 10.0.11.1 255.255.255.0
dhcp select global
#
interface Vlanif100
description to_AC
ip address 10.0.100.3 255.255.255.0
#
#
#
#
#
return
Configuration on S4
#
sysname S4
#
vlan batch 10 to 11
#
#
#
#
return
#
sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.100.1 255.255.255.0
admin-vrrp vrid 1
vrrp vrid 1 preempt-mode timer delay 1800
#
#
ip route-static 10.0.10.0 255.255.255.0 10.0.100.3
#
capwap source ip-address 10.0.100.254
#
hsb-service 0
service-ip-port local-ip 10.0.100.1 peer-ip 10.0.100.2 local-data-port 10241 pe
er-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100

bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
traffic-profile name default
security-profile name depart
ssid-profile name depart
ssid HSB
vap-profile name depart
ssid-profile depart
security-profile depart
ap-group name depart
radio 0
vap-profile depart wlan 1
radio 1
radio 2
ap-group name default
ap-group name ap-group1
ap-name ap1
ap-group depart
ap-name ap2
ap-group depart
provision-ap
#
Return
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.100.2 255.255.255.0
admin-vrrp vrid 1
#

#
ip route-static 10.0.10.0 255.255.255.0 10.0.100.3
#
capwap source ip-address 10.0.100.254
#
hsb-service 0
service-ip-port local-ip 10.0.100.2 peer-ip 10.0.100.1 local-data-port 10241 pe
er-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
ssid HSB
ssid-profile depart
radio 0
radio 1
radio 2
ap-name ap1
ap-group depart
ap-name ap2
ap-group depart
provision-ap
#
return
10.3 Dual-Link Cold Backup Configuration

10.3.1 Introduction
10.3.1.1 Objectives
 Configure dual-link cold backup.
 Improve AC reliability through dual-link cold backup.
 Explain the technical implementation of dual-link cold backup.
 Specify the IP addresses of the active and standby ACs through DHCP Option 43.
Figure 10-3 Dual-Link cold backup configuration

AC1 (S1) AC2 (S2)
VLANIF 100 VLANIF 100
Active AC Standby AC
GE0/ 0/ 12 GE0/ 0/ 13
GE0/ 0/ 1 GE0/ 0/ 2
GE0/ 0/ 3 GE0/ 0/ 3
S3 S4
GE0/ 0/ 4 GE0/ 0/ 4
GE0/ 0/ 1 GE0/ 0/ 1
AP1 AP2
As shown in the figure, AC1 is the active AC, and AC2 is the standby AC. APs establish CAPWAP links
with the active and standby ACs, and periodically exchange CAPWAP packets with the ACs to
monitor the link status. When the AP detects a failure of the link with the active AC, the AP instructs
the standby AC to perform an active/standby switchover. The standby AC becomes the active AC
and controls STA access, thereby improving WLAN reliability.
obtain the IP addresses of AC1 and AC2 from Option 43 in DHCP packets. The direct forwarding
mode is configured for all APs.
10.3.1.3 Background
As the number of STAs on the enterprise intranet keeps increasing, to ensure the stability of
wireless services, you, a network engineer, decide to purchase a new AC and deploy dual-link cold
backup so that the new AC works as a backup of the existing AC, thereby improving the reliability of
wireless services.
Item Configuration
Management VLAN for APs VLAN 10
Service VLAN for STAs VLAN 11

APs and STAs.
IP address pool for APs 10.0.10.0/24
IP address pool for STAs 10.0.11.0/24
AC's source interface address 10.0.100.1 and 10.0.100.2
AP group Name: depart
Referenced profile: VAP profile depart
Country code: CN
SSID profile Name: depart
SSID name: LB
Security profile Name: depart
Password: huawei123
VAP profile Name: depart
Service VLAN: VLAN 11
Referenced profiles: SSID profile depart and security

profile depart
Dual-link cold backup AC1 priority: 0
AC2 priority: 1

Shut down unnecessary ports and enable the PoE function on switches.
Configure wired-side functions so that S3 serves as the gateway for APs and STAs, and AC1 and AC2
communicate with S3 at Layer 3 through VLANIF 100 working as the CAPWAP source interface.
Configure WLAN services on AC1 and AC2.

Configure dual-link cold backup. Set the priority of AC1 to 0 and that of AC2 to 1 so that AC1 and
AC2 become the active and standby ACs, respectively.
Verify dual-link cold backup. Shut down the downlink interface on AC1, and check the states of APs
and STAs on AC2.
# Name the devices.


The poe enable command enables the PoE function on a port. When a port detects a PD connected,
the port supplies power to the PD. By default, the PoE function is enabled on a port. Therefore, this
command is unnecessary and is provided for demonstration purpose only.

The PVID of the S3 port connected to AP1 is set to VLAN 10, packets in the service VLANs and
management VLANs are allowed to pass on the S3 port connected to S4, and the S3 ports
connected to ACs are configured to allow packets in VLAN 100 to pass through.
[AC1]vlan batch 100

[AC2]vlan batch 100


[S3-Vlanif10] description ap_mgnt
[S3-Vlanif10] quit
[S3-Vlanif11] description ap_service
[S3-Vlanif11] quit
[S3-Vlanif100] description to_AC
[S3-Vlanif100] quit
On S3, VLANIF 10 is configured as the management VLAN gateway of AP1 and AP2; VLANIF 11 is
configured as the service VLAN gateway of STAs connected to AP1 and AP2; and VLANIF 100 is used
for Layer 3 communication with AC1 and AC2.
[AC1] capwap source interface vlanif100
[AC2] capwap source interface vlanif100

Static routes to the AP management network segments are configured on ACs for CAPWAP
communication with APs.
[S3]dhcp enable
[S3]ip pool ap
[S3-ip-pool-ap] gateway-list 10.0.10.1
[S3-ip-pool-ap] network 10.0.10.0 mask 255.255.255.0
[S3-ip-pool-ap] option 43 sub-option 2 ip-address 10.0.100.1 10.0.100.2
[S3-ip-pool-ap] quit
[S3]ip pool service
[S3-ip-pool-service] gateway-list 10.0.11.1
[S3-ip-pool-service] network 10.0.11.0 mask 255.255.255.0
[S3-ip-pool-service] dns-list 10.0.11.1
[S3-ip-pool-service] quit
The address pool ap is configured to allocate IP addresses to APs. Option 43 is configured to specify
the AC's IP address, and sub-option 2 is configured to specify the IP addresses of the active and
standby ACs.
The address pool service is configured to allocate IP addresses to STAs connected to AP1 and AP2.
VLANIF interfaces on S3 are configured as the gateways for all address pools.
[S3-Vlanif10] quit
[S3-Vlanif11] quit

Step 3 Configure ACs.
Create the AP group depart, configure MAC address authentication for APs, name the APs ap1 and
ap2, add them to the AP group depart, and associate parameter profiles with the VAP profile
depart.
The WLAN configurations on AC1 and AC2 are the same. The following uses AC1 as an example.
# Create an AP group named depart.
[AC1]wlan
[AC1]wlan
[AC1]wlan
[AC1-wlan-view]ap-group name depart
[AC1-wlan-ap-group- depart]regulatory-domain-profile default
Continue?[Y/N]:y
[AC1-wlan-ap-group- depart]quit
# Add APs.
[AC1]wlan
Three AP authentication modes are supported. By default, MAC address authentication is used. APs
are added on the AC before they go online, named ap1 and ap2, and added to the AP group depart.
[AC1]wlan
[AC1-wlan-view] security-profile name depart
[AC1-wlan-sec-prof-depart] security wpa2 psk pass-phrase huawei123 aes
[AC1-wlan-sec-prof- depart] quit
[AC1-wlan-view] ssid-profile name depart
[AC1-wlan-ssid-prof-depart] ssid LB
[AC1-wlan-ssid-prof-depart] quit
[AC1-wlan-view] vap-profile name depart
[AC1-wlan-vap-prof-depart] forward-mode direct-forward
[AC1-wlan-vap-prof-depart] service-vlan vlan-id 11
[AC1-wlan-vap-prof-depart] ssid-profile depart
[AC1-wlan-vap-prof-depart] security-profile depart
[AC1-wlan-vap-prof-depart] quit
[AC1-wlan-ap-group-depart] vap-profile depart wlan 1 radio all
The security profile depart is configured, with the authentication mode of WPA2-PSK and the pre-
The SSID profile depart is configured, and the SSID is set to LB.
The VAP profile depart is configured, with the direct forwarding mode and the service VLAN 11, and
has the SSID profile depart and security profile depart bound.
The VAP profile depart is bound to the AP group depart.
Step 4 Configure dual-link cold backup.
Specify the IP address of the peer AC for APs on the active and standby ACs. Set the priority of AC1
to 0 and that of AC2 to 1 so that AC1 and AC2 become the active and standby ACs, respectively.
# Configure AC1.
[AC1]wlan
[AC1-wlan-view]ac protect protect-ac 10.0.100.2 priority 0
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view]undo ac protect restore disable
Info: Protect restore has already enabled.
[AC1-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
By default, dual-link backup is disabled. When the ac protect enable command is executed, a
message is displayed indicating that all APs will be restarted. After the APs are restarted, the dual-
link backup function takes effect.
# Configure AC2.
[AC2]wlan
[AC2-wlan-view]ac protect protect-ac 10.0.100.1 priority 1
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view]undo ac protect restore disable
Info: Protect restore has already enabled.

[AC2-wlan-view]ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
Info: Capwap echo interval has changed to default value 25, capwap echo times to 3.
By default, dual-link backup is disabled. When the ac protect enable command is executed, a
message is displayed indicating that all APs will be restarted. After the APs are restarted, the dual-
link backup function takes effect.
Step 5 Verify the configuration.
# Run the display ac protect command on AC1 to check the dual-link information and AC priority.
<AC1>display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.0.100.2
Priority :0
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
The peer IP address is 10.0.100.2, and the local priority is 0.

# Run the display ac protect command on AC2 to check the dual-link information and AC priority.
<AC2>display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.0.100.1
Priority :1
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
The peer IP address is 10.0.100.1, and the local priority is 1.

# Check the AP online status on AC1 and AC2.
<AC1>display ap all
nor : normal [2]
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
Total: 2
<AC2>dis ap all
stdby: standby [2]
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
0 00e0-fc6e-2890 ap1 depart 10.0.10.254 AirEngine5760-10 stdby 0 -
1 00e0-fcde-1990 ap2 depart 10.0.10.253 AirEngine5760-10 stdby 0 -
---------------------------------------------------------------------------------------
Total: 2
The AP status is normal on AC1 and standby on AC2. The APs have established CAPWAP tunnels
with AC1 and AC2.
# Enable the STA to search for the WLAN with the SSID LB and go online. Check STA information
on AC1 and AC2.

--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254 LB
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
In this case, STA information is displayed only on AC1.

# Shut down the interface on AC1 to simulate an AC fault.
[AC1]interface GigabitEthernet 0/0/12

[AC1-GigabitEthernet0/0/12] shutdown
# After 75 seconds, check the AP online status on AC2.
<AC2>display ap all
nor : normal [2]
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
0 00e0-fc6e-2890 ap1 depart 10.0.10.253 AirEngine5760-10 nor 0 2S
1 00e0-fcde-1990 ap2 depart 10.0.10.254 AirEngine5760-10 nor 0 2S
---------------------------------------------------------------------------------------
Total: 2
The CAPWAP heartbeat detection time is 25s. If no response is received after three heartbeat
timeouts, the peer end is considered faulty. Therefore, the AP status change can be displayed on the
standby AC at least 75 seconds later.
The AP status on AC2 changes from standby to normal, but no STA goes online. When an
active/standby switchover is implemented between two ACs, STAs using open system
authentication remain connected to APs while STAs using other authentication modes are
disconnected and need to go online again by default.
In this case, reassociate the STA with the SSID LB.

--------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------
5489-986f-73ad 0 ap1 0/1 2.4G - -/- - 11 10.0.11.254 LB
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
STA information is displayed on AC2.

----End
10.3.3 Quiz
How many CAPWAP control channels are established between an AP and ACs when dual-link cold
backup is deployed?

Configuration on S3
#
sysname S3
#
vlan batch 10 to 11 100
#
dhcp enable
#
ip pool ap
network 10.0.10.0 mask 255.255.255.0
#
ip pool service
network 10.0.11.0 mask 255.255.255.0
dns-list 10.0.11.1
#
interface Vlanif10
description ap_mgnt
ip address 10.0.10.1 255.255.255.0
dhcp select global
#
interface Vlanif11
description ap_service
ip address 10.0.11.1 255.255.255.0

dhcp select global
#
interface Vlanif100
description to_AC
ip address 10.0.100.3 255.255.255.0
#
#
#
#
#
return
Configuration on S4
#
sysname S4
#
vlan batch 10 to 11
#
#
#
#
return
#
sysname AC1
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.100.1 255.255.255.0
#
#
ip route-static 10.0.10.0 255.255.255.0 10.0.100.3
#
#
wlan
ac protect enable protect-ac 10.0.100.2
ssid LB
ssid-profile depart
radio 0
radio 1
radio 2
ap-group name ap-group1
ap-name ap1
ap-group depart
ap-name ap2
ap-group depart
provision-ap
#
Return
#
sysname AC2
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.100.2 255.255.255.0
#
#
ip route-static 10.0.10.0 255.255.255.0 10.0.100.3

#
#
wlan
ac protect enable protect-ac 10.0.100.1 priority 1
ssid LB
ssid-profile depart
radio 0
radio 1
radio 2
ap-name ap1
ap-group depart
ap-name ap2
ap-group depart
provision-ap
#
Return
Reference Answers
Answers to the basic OSPF experiment
1. You can configure an interface a silent interface if this interface does not need to establish an
OSPF neighbor relationship, which reduces unnecessary OSPF packets sending. In addition,
the silent interface does not need to send OSPF packets.
2. The cost of a Type 2 external route remains unchanged within the OSPF area and is equal to the
cost (the default value is 1) configured when such a route is imported into the OSPF area. The
cost of a Type 1 external route within the OSPF area is the sum of the cost of the Type 1 route
and the cost of the route from the router to the ASBR in the OSPF area.
3. When external routes are imported to the OSPF routing table on an ASBR, a Type 4 LSA is
generated by an ABR in the area to which the ASBR belongs. The Type 4 LSA is used to
calculate the route destined for the ASBR.
4. A non-backbone area on the border of an AS can be configured as an NSSA if this area needs to
import external routes and has to avoid resource consumption caused by the external routes.
5. A non-backbone area must be connected to backbone area 0. In addition, due to the OSPF loop
prevention mechanism, if area 0 is not contiguous, routes between non-backbone areas may
be missing, causing communication failures.
Answers to the basic IS-IS experiments

1. The following conditions must be met: The routers to which the interfaces belong must be of
the same level; the interfaces must be of the same level; the area IDs of the devices must be
the same; the IP addresses of the interfaces must be on the same network segment.
Answers to the basic BGP experiments

1. Compared with physical interfaces, loopback interfaces are stable. Route redundancy between
peers can be used to ensure the reliability of a peer relationship. If a physical interface is faulty,
a BGP session is interrupted, even if IP connectivity between peers is normal.
2. Summary routes automatically generated using the summarization route command carry
only the Aggregator attribute, but not the Atomic-Aggregate attribute. Summary routes
manually generated using the aggregate command carry the Atomic-Aggregate attribute.
3. No, the Originator_ID and Cluster_List attributes are not carried. They are used to prevent
routing loops when RRs exist within an AS. EBGP peers use the AS_Path attribute to prevent
routing loops, which is independent of the Originator_ID and Cluster_List attributes.
4. A route-policy can be used to implement this function, which is not recommended. Deleting an
AS number from the AS_Path attribute may cause routing loops between ASs.
Answers to the routing policy and routing control experiments

1. Distance-vector routing protocols generate routes based on routing tables. Filter-policies
affect the routes to be accepted from neighbors and the routes to be advertised to neighbors.
Link-state routing protocols generate routes based on LSDBs, and routing information is
contained in link-state LSAs. The filter-policy, however, cannot filter LSAs to be advertised and
accepted. Therefore, the filter-policy affects only the local routing table, but does not affect
the LSA and LSDB integrity or the protocol routing table. In addition, only the routes that
match the filter-policy can be added to the routing table, and the routes that do not match the
filter-policy are not added to the routing table.
Answers to the RSTP and MSTP experiments

1. Improvements in RSTP, compared with STP:
a) RSTP defines more port roles to simplify the learning and deployment of STP.
b) RSTP redefines port states.
c) RSTP changes the configuration BPDU format and uses the Flags field to describe port
roles.
d) RSTP processes configuration BPDUs differently from STP.
e) RSTP uses the P/A mechanism to implement fast convergence.
f) The protection function is added.
Answers to the multicast experiments

1. PIM-DM applies only to small-scale networks where multicast receivers are densely
distributed. PIM-DM spreads multicast traffic to the entire network in a harsh way. If leaf nodes
do not need multicast traffic, they do not need to use protocol packets to prune themselves
from the SPT. Consequently, on a large-scale network where receivers are scattered, a large
amount of unnecessary multicast traffic is generated, and multicast protocol packets are
frequently exchanged, wasting link bandwidth and device resources.
2. PIM-SM uses the "push" mode. Multicast paths are established only when multicast receivers
exist. This mode consumes less device resources and link bandwidth.
Answers to the firewall technology experiments

1. The local zone defines a device itself, covering interfaces on the device. Adding an interface to
another security zone only indicates that the network connected to the interface belongs to
the zone. The traffic forwarded by the interface belongs to the security zone that the interface
joins. When the interface address of the device is used as the source address to access an
extranet, the source security zone is still the local zone.
Answer to the VRRP experiments

1. If the actual IP address of an interface is the same as the virtual IP address of a VRRP group, the
priority of the VRRP group is 255.
Answer to the DHCP experiments

1. After receiving the DHCP Discover message from the DHCP relay agent, the DHCP server
selects an address pool on the same network segment as the GIADDR field value in the
message and assigns parameters, such as an IP address, to the client.
Answers to the WLAN experiments

1. After Layer 2 roaming is performed, STA remains in the original subnet. The FAP/FAC forwards
packets of Layer 2 roaming STAs in the same way as it forwards packets of new online STAs.
That is, packets of Layer 2 roaming STAs are directly forwarded on the local network of the
FAP/FAC and do not need to be forwarded back to the HAP/HAC through the inter-AC tunnel.
After Layer 3 roaming is performed, STAs switch to different subnets. To enable the STAs to
access the original network after Layer 3 roaming is performed, ensure that user traffic is
forwarded to the original subnets over CAPWAP tunnels.
2. Only one CAPWAP tunnel exists. No CAPWAP tunnel exists between the AP and the standby
AC. Information on the standby AC is synchronized from the HSB.

HCIP-Datacom-Core Technology V1.0 Lab Guide

Uploaded by

Copyright:

Available Formats

HCIP-Datacom-Core Technology V1.0 Lab Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HCIP-Datacom-Core Technology V1.0 Lab Guide

Uploaded by

Copyright:

Available Formats

Huawei Certification Training

Data Communication Senior Engineer

Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Huawei Certification System

About This Document

Background Knowledge Required

Device Name Device Model Software version

AP AirEngine 5760-10 V200R019C00 or later

Router NetEngine AR6120 V300R019 or later

Firewall USG6307E V500R001C50 or later

3.2 Lab 2: BGP Route Summarization ....................................................................................................................... 100

7.1.2 Lab Configuration ............................................................................................................................................ 203

1 Basic OSPF Configurations

1.1 Lab 1: Single-Area OSPF

1.1.2 Lab Configuration

# Configure IP addresses for GE0/0/4 and the loopback interface on R2.

[R2-LoopBack0] ip address 10.0.2.2 24

# Configure IP addresses for GE0/0/4 and the loopback interface on R3.

# Verify the connectivity on R1.

--- 10.0.123.2 ping statistics ---

--- 10.0.123.3 ping statistics ---

Step 2 Configure OSPF in a single area.

[R1]ospf 1 router-id 10.0.1.1

[R2]ospf 1 router-id 10.0.2.2

[R3]ospf 1 router-id 10.0.3.3

[R2-ospf-1-area-0.0.0.0] network 10.0.123.2 0.0.0.0

Step 3 Verify the OSPF configuration.

<R1>display ospf peer

OSPF Process 1 with Router ID 10.0.1.1

Area 0.0.0.0 interface 10.0.123.1(GigabitEthernet0/0/3)'s neighbors

Router ID: 10.0.3.3 Address: 10.0.123.3

<R2>display ospf peer

OSPF Process 1 with Router ID 10.0.2.2

Area 0.0.0.0 interface 10.0.123.2(GigabitEthernet0/0/4)'s neighbors

Router ID: 10.0.3.3 Address: 10.0.123.3

<R3>display ospf peer

OSPF Process 1 with Router ID 10.0.3.3

Area 0.0.0.0 interface 10.0.123.3(GigabitEthernet0/0/4)'s neighbors

Router ID: 10.0.2.2 Address: 10.0.123.2

[R1]display ospf routing

OSPF Process 1 with Router ID 10.0.1.1

Routing for Network

10.0.3.3/32 1 Stub 10.0.123.3 10.0.3.3 0.0.0.0

[R2]display ospf routing

OSPF Process 1 with Router ID 10.0.2.2

Routing for Network

[R3]display ospf routing

OSPF Process 1 with Router ID 3.3.3.3

Routing for Network

<R1>ping -c 1 -a 10.0.1.1 10.0.2.2

--- 10.0.2.2 ping statistics ---

<R1>ping -c 1 -a 10.0.1.1 10.0.3.3

--- 10.0.3.3 ping statistics ---

<R1>display ospf lsdb

OSPF Process 1 with RouterID 10.0.1.1

[R1]display ospf lsdb router self-originate

OSPF Process 1 with Router ID 10.0.1.1