Summary of Huawei Configuration Test Points for Software Exam Network Engineer

Huawei switch configuration basics

1. VLAN configuration

The methods for assigning VLANs on Huawei equipment are:

  • Static assignment: based on interfaces
  • Dynamic assignment: based on MAC address, IP subnet, protocol, or policy (MAC address plus IP address).

Among these, interface-based VLAN assignment is the simplest and most common. It assigns a VLAN according to the switch interface a host is attached to; the network administrator must configure a PVID for each switch interface in advance.

2. VLAN and trunk configuration case

<HUAWEI>system-view
[HUAWEI]sysname SwitchA
[SwitchA]vlan batch 2 3                                  //create VLAN 2 and VLAN 3 in one command
[SwitchA]interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1]port link-type access      //set the link type to access
[SwitchA-GigabitEthernet1/0/1]port default vlan 2        //add GE1/0/1 to VLAN 2
[SwitchA-GigabitEthernet1/0/1]quit
[SwitchA]interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2]port link-type access
[SwitchA-GigabitEthernet1/0/2]port default vlan 3        //add GE1/0/2 to VLAN 3
[SwitchA-GigabitEthernet1/0/2]quit
[SwitchA]interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3]port link-type trunk       //set the link type to trunk
[SwitchA-GigabitEthernet1/0/3]port trunk allow-pass vlan 2 3   //let VLAN 2 and VLAN 3 pass through this interface to the upstream switch
[SwitchA-GigabitEthernet1/0/3]quit

3. Ethernet ports have three link types: Access, Hybrid and Trunk

  • Access ports belong to only one VLAN and are generally used to connect computers;
  • Trunk ports allow multiple VLANs to pass through and can receive and send frames of multiple VLANs; they are generally used on links between switches;
  • Hybrid ports are a port type specific to Huawei equipment. They also allow multiple VLANs to pass through and can receive and send frames of multiple VLANs, and can be used both between switches and to connect a user's computer.

Note:
The difference between a Hybrid port and a Trunk port:
when receiving frames, Hybrid and Trunk ports behave the same. The only difference is when sending: a Hybrid port can send frames of several VLANs without tags, whereas a Trunk port sends only frames of its default VLAN without a tag.
Default VLAN: an Access port normally belongs to a single VLAN, so its default VLAN (VLAN 1) does not need to be set. Hybrid and Trunk ports can belong to multiple VLANs, so a default VLAN ID must be set; by default it is VLAN 1 for both. The default interface type of all Huawei switches is hybrid.

4. Processing of frames sent by a Hybrid port

When a port receives a frame without a VLAN tag, it forwards the frame within the port's default VLAN (if a default VLAN ID is set on the port). When a port sends a frame carrying a VLAN tag whose VLAN ID equals the port's default VLAN ID, the system strips the VLAN tag and then sends the frame.

[Switch]interface Ethernet 0/1                               //enter interface Ethernet 0/1
[Switch-Ethernet0/1]port link-type hybrid                    //set the link type to hybrid
[Switch-Ethernet0/1]port hybrid pvid vlan 10                 //the PVID of the interface is VLAN 10
[Switch-Ethernet0/1]port hybrid vlan 10 20 untagged          //strip the VLAN tag from frames of VLAN 10 and VLAN 20

5. Switch management IP settings

Some Huawei equipment has an MEth interface, an interface reserved for out-of-band management that cannot carry service traffic. A Layer 2 access switch that must be managed remotely needs a management IP address; in-band management then uses SSH, Telnet and so on. The management VLAN is usually VLAN 1 by default, but another VLAN can be chosen.
The following takes the S5700 as an example: VLAN 5 is the management VLAN, the management IP address is 192.168.1.1/24, and users reach Vlanif5 through interface GigabitEthernet 0/0/1.

<S5700>system-view                                       //enter the system view
[S5700]vlan 5                                            //create VLAN 5
[S5700-vlan5]quit
[S5700]interface Vlanif5                                 //enter Vlanif5
[S5700-Vlanif5]ip address 192.168.1.1 24                 //set the Vlanif5 gateway address 192.168.1.1 with mask 255.255.255.0
[S5700-Vlanif5]quit                                      //exit
[S5700]interface GigabitEthernet0/0/1                    //enter physical port GE0/0/1
[S5700-GigabitEthernet0/0/1]port link-type access        //set the port to access mode
[S5700-GigabitEthernet0/0/1]port default vlan 5          //assign this port to VLAN 5
[S5700-GigabitEthernet0/0/1]quit                         //exit
[S5700]aaa                                               //enter the AAA view
[S5700-aaa]local-user admin password cipher 123456       //create user admin with password 123456, stored in cipher form
[S5700-aaa]local-user admin privilege level 15           //give admin the highest privilege level, 15
[S5700-aaa]local-user admin service-type telnet ssh      //allow user admin to log in via Telnet and SSH
[S5700-aaa]quit                                          //exit
[S5700]user-interface vty 0 4
[S5700-ui-vty0-4]authentication-mode aaa

6. MSTP load balancing example

As shown in the figure, all four switches run MSTP and are interconnected in a ring with redundant links. To share traffic load on the access-layer switches, VLAN 2 to VLAN 10 and VLAN 11 to VLAN 20 are placed in different spanning-tree instances: two MSTIs are configured, MSTI1 mapped to VLAN 2-10 and MSTI2 mapped to VLAN 11-20. The loop-free topology that MSTP computes is shown in the figure.

(1) MST region configuration of the switch.
On switch A, create the MST region (region name RG1) and two MST instances, MSTI1 and MSTI2, map VLAN 2-10 to MSTI1 and VLAN 11-20 to MSTI2, and finally activate the MST region configuration.

[SwitchA]stp region-configuration
[SwitchA-mst-region]region-name RG1
[SwitchA-mst-region]instance 1 vlan 2 to 10
[SwitchA-mst-region]instance 2 vlan 11 to 20
[SwitchA-mst-region]active region-configuration
[SwitchA-mst-region]quit

Note: because the four switches must work in the same MST region (same region name), the other three devices need the same region configuration.

(2) Configure the root bridge and backup root bridge of MSTI1 and MSTI2

[SwitchA]stp instance 1 root primary	//make SwitchA the root bridge of MSTI1
[SwitchA]stp instance 2 root secondary	//make SwitchA the backup root bridge of MSTI2
[SwitchB]stp instance 1 root secondary	//make SwitchB the backup root bridge of MSTI1
[SwitchB]stp instance 2 root primary	//make SwitchB the root bridge of MSTI2

(3) Configure the ports to be blocked in MSTI1 and MSTI2 respectively to eliminate Layer 2 loops

[SwitchA-D]stp pathcost-standard legacy	//use Huawei's legacy (private) path cost calculation; all four devices must use the same standard

[SwitchC]interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2]stp instance 2 cost 20000	//set the path cost of port GE0/0/2 in instance MSTI2 to 20000
[SwitchC-GigabitEthernet0/0/2]quit

[SwitchD]interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2]stp instance 2 cost 20000	//set the path cost of port GE0/0/2 in instance MSTI2 to 20000
[SwitchD-GigabitEthernet0/0/2]quit


(4) Enable MSTP globally on the four switches to make the above MSTP configuration take effect and eliminate Layer 2 loops.

[SwitchA]stp enable
[SwitchB]stp enable
[SwitchC]stp enable
[SwitchD]stp enable

(5) Disable MSTP on the port connected to the terminal PC

[SwitchC]interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1]stp disable
[SwitchC-GigabitEthernet0/0/1]quit

(6) Configure the root protection function on the designated ports of the root bridge devices corresponding to the two instances

[SwitchA]interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]stp root-protection
[SwitchB]interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1]stp root-protection

(7) Finally, create the 19 VLANs with IDs 2 to 20 on each switch, configure the ports of the direct links between the four switches as Trunk ports that allow these 19 VLANs to pass, and set the ports facing the PCs to Access type in the corresponding VLAN.

[SwitchA]vlan batch 2 to 20
[SwitchA]interface g0/0/1
[SwitchA-GigabitEthernet0/0/1]port link-type trunk
[SwitchA-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 20

[SwitchA]interface g0/0/2
[SwitchA-GigabitEthernet0/0/2]port link-type trunk
[SwitchA-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 20

Verify the port roles and states of each instance afterwards:

display stp brief

Huawei router configuration basics

Routing protocol or route type    Default priority (preference) of the route
DIRECT                            0
OSPF                              10
IS-IS                             15
STATIC                            60
RIP                               100

DHCP configuration

Three roles in DHCP
A DHCP network includes the following three roles:
DHCP client: a device that requests network parameters such as an IP address through DHCP, for example IP phones, PCs, mobile phones and diskless workstations.
DHCP server: the device that allocates network parameters to DHCP clients.
DHCP relay (optional): a device that forwards DHCP messages between the DHCP server and DHCP clients, helping the server allocate network parameters to clients that are not on its own subnet.

DHCP relay: `dhcp select relay` enables the DHCP relay function on an interface (disabled by default).
(1) Enable DHCP service

<Huawei>system-view
[Huawei]sysname Router
[Router]dhcp enable

(2) Configure the interface to join the VLAN

#Add interface Eth2/0/0 to VLAN 10.
[Router]vlan batch 10 to 11
[Router]interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] quit

(3) Configure VLANIF11 interface address

[Router]interface vlanif 11
[Router-Vlanif11]ip address 10.1.2.1 24
[Router-Vlanif11]quit

(4) Configure the interface address pool

Clients behind interface VLANIF10 obtain their IP address and related network parameters from the interface address pool.
[Router]interface vlanif 10
[Router-Vlanif10]dhcp select interface
[Router-Vlanif10]dhcp server lease day 30
[Router-Vlanif10]dhcp server domain-name huawei.com
[Router-Vlanif10]dhcp server dns-list 10.1.1.2
[Router-Vlanif10]dhcp server excluded-ip-address 10.1.1.2
[Router-Vlanif10]dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684

ACL

Classification          Number range    Supported filtering options
Basic ACL               2000~2999       Few matching conditions: traffic is matched only by source IP address and time range. Used where simple matching is enough.
Advanced ACL            3000~3999       Comprehensive matching conditions: source IP address, destination IP address, ToS, time range, protocol type, priority, ICMP message type and ICMP message code. Most functions can use advanced ACLs for precise traffic matching.
MAC address-based ACL   4000~4999       Because the data link layer addresses by MAC address, link-layer frames are classified by MAC address. These ACLs match on source MAC address, destination MAC address, CoS, protocol code and other fields.

ACL rules

acl number 2004
rule 0 deny 202.38.0.0 0.0.255.255
rule 10 permit 202.38.160.0 0.0.0.255


A configured ACL only takes effect once it is applied to the relevant interface.
interface GigabitEthernet 0/0/1
traffic-filter inbound acl 2004  //apply the ACL on the interface to filter packets; some device types use packet-filter 3000 instead

ACL placement rules
1. Basic (standard) access control lists: place them close to the destination network
2. Advanced access control lists: place them close to the source network

The combination of the two rules means that hosts on a large network segment (202.38.0.0) are prohibited but access to a small part of the hosts (202.38.160.0) is allowed.

A concrete example:
acl number 3001
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

Restrict the internal host 192.168.1.12/24 so that it cannot reach any web (HTTP) service on the external network:

acl number 3005		//define the ACL used for packet filtering
description deny_source_ip_www
rule 5 deny tcp source 192.168.1.12 0 destination-port eq www
rule 10 permit tcp source 192.168.1.12 0

interface g0/0/1
ip address 192.168.1.2 255.255.255.0
traffic-filter inbound acl 3005
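An added worked example (written for these notes, not VRP code) that evaluates Huawei-style wildcard-mask ACL rules against packets. It applies ACL 2004 and ACL 3005 from above in ascending rule-ID order (VRP's default `config` match order) and, optionally, in a depth-first `auto` order simplified here to "most specific source wildcard first"; treating unmatched traffic as permitted, as `traffic-filter` does, is an assumption made explicit as a parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example for these notes, not VRP code: a small evaluator for
# Huawei-style ACL rules (basic 2000-2999: source only; advanced 3000-3999:
# protocol, source, destination, destination port).

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care
    (0.0.0.0 = one host, 255.255.255.255 = any address)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care

def fixed_bits(wildcard: str) -> int:
    """Bits the wildcard forces to match; more fixed bits = more specific rule."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source: str = "0.0.0.0"
    source_wc: str = "255.255.255.255"   # default: any source
    protocol: Optional[str] = None       # None or "ip": any protocol
    dest: str = "0.0.0.0"
    dest_wc: str = "255.255.255.255"     # default: any destination
    dport: Optional[int] = None          # "destination-port eq N"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dport: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol not in (None, "ip") and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (wildcard_match(pkt.src, rule.source, rule.source_wc)
            and wildcard_match(pkt.dst, rule.dest, rule.dest_wc))

def evaluate(rules: List[Rule], pkt: Packet, match_order: str = "config",
             unmatched: str = "permit") -> str:
    """Action of the first matching rule. "config" order is ascending rule ID
    (the VRP default); "auto" is depth-first, simplified here to "most
    specific source wildcard first". Unmatched traffic defaults to permit,
    as traffic-filter behaves (assumption, hence a parameter)."""
    if match_order == "auto":
        ordered = sorted(rules, key=lambda r: (-fixed_bits(r.source_wc), r.rule_id))
    else:
        ordered = sorted(rules, key=lambda r: r.rule_id)
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action
    return unmatched

# ACL 2004 from the notes: deny 202.38.0.0/16 but permit 202.38.160.0/24.
ACL_2004 = [
    Rule(0, "deny", "202.38.0.0", "0.0.255.255"),
    Rule(10, "permit", "202.38.160.0", "0.0.0.255"),
]
# ACL 3005 from the notes: host 192.168.1.12 may not reach TCP port 80 (www).
ACL_3005 = [
    Rule(5, "deny", "192.168.1.12", "0.0.0.0", protocol="tcp", dport=80),
    Rule(10, "permit", "192.168.1.12", "0.0.0.0", protocol="tcp"),
]

if __name__ == "__main__":
    web = Packet("192.168.1.12", "203.0.113.10", "tcp", 80)   # constructed packet
    print("ACL 3005, web traffic from the host:", evaluate(ACL_3005, web))
    inner = Packet("202.38.160.5", "203.0.113.10")             # constructed packet
    # In config order rule 0 (the /16 deny) matches first; only auto order
    # lets the more specific /24 permit win.
    print("ACL 2004 config order:", evaluate(ACL_2004, inner))
    print("ACL 2004 auto order:", evaluate(ACL_2004, inner, "auto"))
```

Running it shows that the rule order, not only the rule set, decides whether the /24 exception in ACL 2004 ever takes effect.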

Example of ACL configuration application on switch
1. Define ACL first

[Switch]acl 3001   //create an advanced ACL
[Switch-acl-adv-3001]rule 5 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.2.0 0.0.0.255   //forbid the 192.168.5.0 segment from reaching the 192.168.2.0 segment
[Switch-acl-adv-3001]rule 100 permit ip		//permit access to any other segment

2. Configure ACL-based traffic classification

[Switch]traffic classifier tc1	//create a traffic classifier
[Switch-classifier-tc1]if-match acl 3001	//associate the ACL with the classifier

3. Configure traffic behavior

[Switch]traffic behavior tb1	//create a traffic behavior
[Switch-behavior-tb1]deny	//the behavior action is to drop matching packets

4. Configure traffic policy

[Switch]traffic policy tp1	//create a traffic policy
[Switch-trafficpolicy-tp1]classifier tc1 behavior tb1	//bind classifier tc1 to behavior tb1

5. Apply traffic policy under the interface

[Switch]interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1]traffic-policy tp1 inbound	//apply the traffic policy in the inbound direction of the interface

Huawei firewall configuration

Firewall

A router's security rules are defined on interfaces, whereas a firewall's security rules are defined between security zones. The default security zones are:
  • Local
  • Trust
  • DMZ
  • Untrust

Inter-zone data flow has two directions:
inbound: data moves from a lower-priority security zone to a higher-priority security zone;
outbound: data moves from a higher-priority security zone to a lower-priority security zone.

Firewall security zone rules:

  • Packets between different interfaces of the same zone are forwarded directly without filtering
  • Packets whose inbound and outbound interface are the same are discarded
  • An interface cannot forward packets until it has been added to a zone.

Configure a DMZ zone:
[Eudemon]firewall zone name dmz1
[Eudemon-zone-dmz1]set priority 70

Add interfaces to zones:
each interface is added to the zone it belongs to. For example, add interface Ethernet 1/0/0 to the firewall's DMZ zone:
[Eudemon]firewall zone dmz
[Eudemon-zone-dmz]add interface ethernet 1/0/0

Introduction to IP packet filtering
For each packet the firewall must forward, it first reads the packet header fields, compares them against the configured rules, and forwards or discards the packet according to the result. The core technology used to implement packet filtering is the access control list.
Five-tuple: source address, destination address, source port, destination port, protocol number

Applying access control lists between zones
Example: create access control list number 3001.

[Huawei]acl number 3001
#Configure ACL rules that allow specific external users to reach the internal servers.
[Huawei-acl-adv-3001]rule permit tcp source 202.39.2.3 0 destination 129.38.1.10 0
[Huawei-acl-adv-3001]rule permit tcp source 202.39.2.3 0 destination 129.38.1.20 0
[Huawei-acl-adv-3001]rule permit tcp source 202.39.2.3 0 destination 129.38.1.30 0
The following configuration references the ACLs in a packet-filter application:
[Huawei]firewall interzone trust untrust
#Apply ACL 3000 in the outbound direction between the Trust and Untrust zones.
[Huawei-interzone-trust-untrust]packet-filter 3000 outbound
#Apply ACL 3001 in the inbound direction between the Trust and Untrust zones.
[Huawei-interzone-trust-untrust]packet-filter 3001 inbound
#Enable application-protocol (ASPF) detection for FTP between the Trust and Untrust zones.
[Huawei-interzone-trust-untrust]detect ftp

NAT Server configuration

The internal server (NAT Server) function represents an internal server to the outside world by a public network address. On the firewall, a public address is configured for the internal server to stand in for its private address; to external users, that public address is the server's address.

With NAT, internal servers can be added flexibly: configuring an internal server maps the corresponding external address and port to it, so that the external network can reach the internal server.

Configure internal web and FTP servers.

[USG] nat server wwwserver protocol tcp global 202.169.10.1 80 inside 192.168.20.2 8080
[USG] nat server ftpserver protocol tcp global 202.169.10.1 ftp inside 192.168.20.3 ftp

Easy IP configuration

The concept of Easy IP is simple: when translating addresses, the public IP address of the outbound interface itself is used as the translated source address. An access control list additionally controls which internal addresses may be translated.

Application Level Gateway (ALG)

NAT ALG implementation principle
Configuration:
Run the following command in the system view to enable ALG for the corresponding protocol:
nat alg enable {ftp|h323|icmp|ras|qq|msn}

Configure ASPF detection for an application-layer protocol in the interzone view:
firewall interzone trust untrust
detect ftp
These two commands, ASPF detection and NAT ALG, are commonly used together.

Dual-machine hot standby

VGMP group management

  • State consistency management
    The VGMP management group controls the unified switchover of all VRRP backup groups.
  • Preemption management
    When the failed original master device recovers, its priority is restored and it can preempt to become the master again.

Basic concepts of HRP

  • HRP (Huawei Redundancy Protocol) synchronizes key configuration and connection-state data from the master firewall to the backup firewall.
  • First-packet session fast backup
  • Update-packet session fast backup

Three major firewall hot standby protocols

  • VRRP: master/backup election
  • VGMP: consistent state switchover
  • HRP: synchronization of configuration and session tables

The three switch port types

Characteristics of the three port types of a switch:
An Ethernet port has three link types: Access, Hybrid and Trunk.
■ Access ports belong to only one VLAN and are generally used to connect computers;
■ Trunk ports allow multiple VLANs to pass through, can receive and send frames of multiple VLANs, and are generally used on links between switches;
■ Hybrid ports allow multiple VLANs to pass through, can receive and send frames of multiple VLANs, and can be used both between switches and to connect users' computers.
■ Hybrid and Trunk ports process received frames the same way. The only difference is when sending: a Hybrid port can send frames of several VLANs without tags, whereas a Trunk port sends only frames of its default VLAN without a tag.

How a switch interface processes incoming and outgoing frames:
■ Access port receiving a frame: check whether the frame carries VLAN information; if not, add the port's PVID and switch the frame; if it does, discard it (default behaviour).
■ Access port sending a frame: strip the VLAN information and send the frame.
■ Trunk port receiving a frame: check whether the frame carries VLAN information; if so, check whether the trunk port allows that VLAN to enter: forward it if allowed, otherwise discard it; if the frame carries no VLAN information, add the port's PVID and switch the frame.
■ Trunk port sending a frame: compare the frame's VLAN with the port's PVID. If they differ, send the frame as is; if they are equal, strip the VLAN information and then send.
■ Hybrid port receiving a frame: check whether the frame carries VLAN information; if so, check whether the hybrid port allows that VLAN to enter (VLANs in either the untagged or the tagged list are allowed, which corresponds to the trunk's allow-pass list): forward it if allowed, otherwise discard it (the port's untagged configuration is irrelevant here; it only takes effect when sending); if the frame carries no VLAN information, add the port's PVID and switch the frame.
■ Hybrid port sending a frame: 1) determine the attribute of the frame's VLAN on this port (display interface shows which VLANs are untagged and which are tagged on the port); 2) if it is untagged, strip the VLAN information and then send; if it is tagged, send the frame as is.
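An added example, written for these notes rather than taken from VRP, that models the ingress and egress rules above for access, trunk and hybrid ports and runs them over the port configurations from sections 2 and 4 (access in VLAN 2, trunk allow-pass 2 3, hybrid with PVID 10 and VLANs 10 and 20 untagged). It assumes VLAN 1 stays in the trunk's allow-pass list, as it does by default, and that an access port accepts a tagged frame whose tag equals its PVID.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example for these notes (not VRP code): how access, trunk and hybrid
# ports tag, strip and filter frames on ingress and egress.

@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]          # None means the frame carries no 802.1Q tag

@dataclass(frozen=True)
class Port:
    link_type: str               # "access", "trunk" or "hybrid"
    pvid: int = 1                # default VLAN; VLAN 1 unless configured
    allowed: FrozenSet[int] = frozenset()    # trunk: port trunk allow-pass vlan ...
    tagged: FrozenSet[int] = frozenset()     # hybrid: port hybrid tagged vlan ...
    untagged: FrozenSet[int] = frozenset()   # hybrid: port hybrid untagged vlan ...

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN in which the frame is switched, or None if the port discards it."""
    if port.link_type == "access":
        # Untagged frames get the PVID; a tag equal to the PVID is accepted
        # (assumption stated in the lead-in), any other tag is dropped.
        return port.pvid if frame.vlan in (None, port.pvid) else None
    # Trunk and hybrid: the set of VLANs allowed to enter this port
    permitted = port.allowed if port.link_type == "trunk" else port.tagged | port.untagged
    vlan = port.pvid if frame.vlan is None else frame.vlan   # untagged -> PVID
    return vlan if vlan in permitted else None

def egress(port: Port, vlan: int) -> Optional[Frame]:
    """Frame as it leaves the port (tagged or untagged), or None if not sent."""
    if port.link_type == "access":
        return Frame(None) if vlan == port.pvid else None     # always stripped
    if port.link_type == "trunk":
        if vlan not in port.allowed:
            return None
        return Frame(None) if vlan == port.pvid else Frame(vlan)  # only PVID untagged
    if port.link_type == "hybrid":
        if vlan in port.untagged:
            return Frame(None)      # hybrid may strip the tag of several VLANs
        return Frame(vlan) if vlan in port.tagged else None
    raise ValueError(f"unknown link type {port.link_type}")

def forward(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    """Frame arriving on in_port and leaving on out_port, or None if dropped."""
    vlan = ingress(in_port, frame)
    return None if vlan is None else egress(out_port, vlan)

# Ports from the notes: GE1/0/1 access VLAN 2, GE1/0/3 trunk allow-pass 2 3
# (VLAN 1 allowed by default), and the hybrid port with PVID 10, VLANs 10
# and 20 untagged.
ACCESS_V2 = Port("access", pvid=2)
TRUNK_2_3 = Port("trunk", pvid=1, allowed=frozenset({1, 2, 3}))
HYBRID_10 = Port("hybrid", pvid=10, untagged=frozenset({10, 20}))

if __name__ == "__main__":
    # A PC on the access port sends an untagged frame; it leaves the trunk tagged 2.
    print("PC -> trunk:", forward(ACCESS_V2, Frame(None), TRUNK_2_3))
    # VLAN 3 arriving on the trunk never reaches the VLAN 2 access port.
    print("trunk VLAN 3 -> access VLAN 2:", forward(TRUNK_2_3, Frame(3), ACCESS_V2))
    # VLAN 20 leaves the hybrid port untagged; VLAN 30 is not allowed at all.
    print("hybrid egress 20:", egress(HYBRID_10, 20), "egress 30:", egress(HYBRID_10, 30))
```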

[Switch1]vlan 5                                 //create VLAN 5
[Switch1-vlan5]management-vlan                  //set VLAN 5 as the management VLAN
[Switch1-vlan5]quit
[Switch1]interface vlanif 5                     //create the VLANIF interface of the management VLAN
[Switch1-Vlanif5]ip address 10.10.1.1 24        //configure the IP address of the VLANIF interface
[Switch1-Vlanif5]quit


[Switch1]telnet server enable                   //Telnet is disabled by default and must be enabled
[Switch1]user-interface vty 0 4                 //enter the VTY line view
[Switch1-ui-vty0-4]protocol inbound telnet      //allow the Telnet protocol
[Switch1-ui-vty0-4]authentication-mode aaa      //configure the authentication mode
[Switch1-ui-vty0-4]quit

[Switch1]interface g0/0/10
[Switch1-GigabitEthernet0/0/10]port link-type trunk          //set the uplink interface type (trunk)
[Switch1-GigabitEthernet0/0/10]port trunk allow-pass vlan all  //allow all VLANs to pass

[SW2]interface Ethernet 0/0/2
[SW2-Ethernet0/0/2]port link-type access         //set the interface type to access
[SW2-Ethernet0/0/2]port default vlan 10          //add the interface to VLAN 10
[SW2-Ethernet0/0/2]quit

[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type hybrid           //set the interface type to hybrid
[Huawei-GigabitEthernet0/0/1]port hybrid pvid vlan 10        //configure the PVID of the interface
[Huawei-GigabitEthernet0/0/1]port hybrid untagged vlan 10 30 //configure the untagged VLANs of the interface

Ports
1. When configuring a POP3 server, the mail server opens TCP port (D) by default.
   A. 21   B. 25   C. 53   D. 110
2. An email application uses the POP3 protocol to (D).
   A. Create email   B. Encrypt email   C. Send email   D. Receive email

An FTP server uses two ports, 20 and 21, to communicate with the FTP client. In active mode, port 21 of the FTP server carries FTP control commands and port 20 carries file data.

HTTP: 80; Telnet: 23
SNMP receives all messages on UDP port 161; only Trap messages use UDP port 162. SNMP runs over the connectionless UDP protocol.
IMAP4: port 143


Linux:
inetd.conf is the configuration file of the system super-server process inetd.
lilo.conf is the configuration file of the boot loader LILO.
httpd.conf is the configuration file of the Apache web server.
resolv.conf is the configuration file for DNS resolution.

In Linux, the main files related to DHCP are:
DHCP server configuration file: /etc/dhcpd.conf (the main configuration file of the DHCP service)
Script that starts the DHCP service: /etc/rc.d/init.d/dhcpd
Program that runs the DHCP service: /usr/sbin/dhcpd
File that records client leases: /var/state/dhcpd.leases
Restart the DNS server: service named restart

Symmetric encryption algorithms: DES, 3DES, RC5, IDEA. Suitable for encrypting large amounts of data.
Public key (asymmetric) encryption algorithms: RSA, DSA, ECC. Encryption is slow and computationally intensive, so it is not suited to bulk conversational traffic.

1. OSPF's default Hello message interval is 4 seconds.
   Hello messages discover neighbors and keep neighbor relationships alive (keepalive is also the name of the TCP mechanism that detects dead connections). To establish and maintain adjacency between neighboring routers, the default Hello interval is 10 seconds and the default dead interval is 4 times the Hello interval, i.e. if no Hello is received from a given neighbor within 40 seconds, the router considers that neighbor gone.
   The Hello multicast address is 224.0.0.5.
2. During domain name resolution, when the primary domain name server cannot find the IP address, the (forwarding domain name server) is responsible for resolving the name.
3. The serial port of a router is usually a point-to-point connection.
4. OSPF divides a network into 4 types of area. Among them, the (stub area) does not accept routing information from outside the local autonomous system and uses the default route 0.0.0.0 for destinations outside the autonomous system.
5. Frame Relay, Local Management Interface type: provides connection-oriented service, an efficient data link technology that fully exploits the advantages of optical fiber communication and digital network technology.
6. Before a router running OSPF elects a DR/BDR, the DR is the router itself, the backup designated router (BDR).
7. Interior Gateway Protocol (IGP): exchanges routing information within one autonomous system. Its main purpose is to discover and compute routes within the autonomous domain.
   The routing protocols used as IGPs are: RIP, OSPF, IS-IS


Origin blog.csdn.net/ducanwang/article/details/133188391