H3C Fixed-Port Campus Switches Quick Configuration Guide-6W100

HomeSupportResource CenterH3C Fixed-Port Campus Switches Quick Configuration Guide-6W100

H3C Fixed-Port Campus Switches

Quick Configuration Guide

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Document version: 6W100-20191230

 

Copyright © 2019 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

 



Deploying a small-sized campus network

Network configuration

In a small-sized campus network, the S5130 or S5130S Ethernet switches series are deployed on the access layer. The S5560X or S6520X Ethernet switches series are deployed on the core layer, and an MSR series router is used as the egress router.

Configure the devices to meet the following requirements:

·          Configure the spanning tree feature on all the switches to prevent loops.

·          Configure link aggregation on the access switches and the core switch to provide high availability.

·          Configure VLANs to accommodate services of different departments in the campus and configure VLAN interfaces to provide Layer 3 connectivity for inter-department services.

·          Configure the core switch as the DHCP server to dynamically assign IP addresses to campus users.

·          Enable DHCP snooping on the access switches to prevent unauthorized DHCP servers from assigning IP addresses to intranet users. Additionally, enable IPSG to prevent intranet users from changing their IP addresses.

Network diagram

Figure 1 Small-sized campus network diagram

 

Analysis

Table 1 shows the procedure of deploying a small-sized campus network.

Table 1 Procedure of deploying a small-sized campus network

Step

Item

Configuration data

Remarks

1.       Log to the devices.

Console login

Communication parameters (the transmission rate, for example).

Use a PC to log in to the devices through a terminal emulation program.

2.       Configure the management IP and Telnet login.

Management VLAN

VLAN 5

VLAN 1 is the default VLAN. Do not configure VLAN 1 as the management VLAN.

This example uses VLAN 5 as the management VLAN.

IP address of the management Ethernet interface or management VLAN interface

10.10.1.1/24

For a switch that has a management Ethernet interface, use the IP address of M-GigabitEthernet 0/0/0 for device login.

For a switch that does not have a management Ethernet interface, use the IP address of the management VLAN interface for device login.

3.       Configure interfaces and VLANs.

Dynamic aggregation

·         Access switch 1: Uplink aggregate interface Bridge-Aggregation 1

·         Access switch 2: Uplink aggregate interface Bridge-Aggregation 1

·         Core switch: Downlink aggregate interface Bridge-Aggregation 1

Access switches and the core switch are connected through aggregate links.

Port link type

·         Port connected to a PC: Access port

·         Port connected to a switch: Trunk port

N/A

VLAN IDs

·         Access switch 1: VLAN 10

·         Access switch 2: VLAN 20

·         Core switch: VLAN 100, VLAN 10, and VLAN 20

To isolate Department A and Department B at Layer 2, configure VLAN 10 for Department A and VLAN 20 for Department B.

The core switch connects to the egress router through VLAN-interface 100.

4.       Configure the DHCP server on the core switch.

DHCP server

N/A

N/A

DHCP address pools

·         VLAN 10: DHCP address pool 1

·         VLAN 20: DHCP address pool 2

PCs in Department A and Department B obtain IP addresses from DHCP address pool 1 and DHCP address pool 2, respectively.

5.       Configure routes on the core switch.

IP addresses

·         VLAN-interface 10: 10.10.10.1/24

·         VLAN-interface 20: 10.10.20.1/24

·         VLAN-interface 100: 10.10.100.1/24

The core switch communicates with the egress router through VLAN-interface 100, which is used for the connectivity between the intranet and the egress router.

You must configure a default route with the next hop as the egress router.

Assign IP addresses to VLAN-interface 10 and VLAN-interface 20 to allow Department A and Department B to visit each other.

6.       Configure the egress router.

IP address of the public network interface

GigabitEthernet 0/0: 202.101.100.2/30

GigabitEthernet 0/0 on the egress router is the public network interface that connects the router to the Internet.

Public network gateway address

202.101.100.1/30

The egress router communicates with the service provider device through the public network gateway address.

To forward intranet packets to the external network, you must configure a default route with the next hop as the public network gateway address.

DNS server address

202.101.100.199

The DNS server translates domain names into IP addresses.

IP address of the internal network interface

GigabitEthernet 0/1: 10.10.100.2/24

GigabitEthernet 0/1 on the egress router is the interface connected to the internal network.

7.       Configure DHCP snooping on the access switches.

DHCP trusted port

N/A

Configure Bridge-Aggregation 1 as a DHCP trusted port.

8.       Configure IPSG on the access switches.

IPSG

N/A

Configure IPv4SG to verify source IP address and source MAC address of user packets.

 

Procedure

Configuring the access switches

The procedure of configuring access switch 1 is the same as the procedure of configuring access switch 2. This section uses access switch 1 as an example.

1.        Log in to the device:

# Shut down the PC from which you will log in to the device.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must shut down the PC.

# Use a console cable to connect the PC to the console port of the device.

# Power on the PC, launch a terminal emulation program, and create a connection that uses the console port connected to the device. Set the port properties as follows:

¡  Bits per second—9600 bps.

¡  Data bits—8.

¡  Stop bits—1.

¡  Parity—None.

¡  Flow control—None.

# Power on the device and press Enter as prompted to enter the CLI.

# (Optional.) Configure the authentication mode for console login.

By default, authentication is disabled for console login. You can log in to the device without entering a username or password. To improve security, configure the authentication mode for console login after you log in to the device for the first time. For more information about authentication modes for console login, see login management configuration in Fundamental Configuration Guide.

2.        Configure IP addresses and Telnet login:

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/10 (the port connected to the PC used for device login) to VLAN 5.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] sysname ACCSW1

[ACCSW1] vlan 5

[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10

[ACCSW1] quit

# Create VLAN-interface 5, and assign IP address 10.10.1.1/24 to it.

[ACCSW1] interface vlan-interface 5

[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24

[ACCSW1-Vlan-interface5] quit

# Enable the Telnet service.

[ACCSW1] telnet server enable

# Enable scheme authentication for Telnet login.

[ACCSW1] line vty 0 63

[ACCSW1-line-vty0-63] authentication-mode scheme

[ACCSW1-line-vty0-63] quit

# Create local user admin. Set the password to admin, the service type to Telnet, and the user role to network-admin.

[ACCSW1] local-user admin

New local user added.

[ACCSW1-luser-manage-admin] password simple admin

[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin

[ACCSW1-luser-manage-admin] service-type telnet

[ACCSW1-luser-manage-admin] quit

# Telnet to the device from the PC by using the local user account admin.

The output varies by device model and software version. This example uses an S5560X-30C-PWR-EI switch running Release 1118P07.

C:\Users\Administrator> telnet 10.10.1.1

****************************************************************************** 

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                                

login: admin                                                                   

Password:                                                                      

<ACCSW1>

The output shows that you have Telneted to the device successfully.

3.        Configure interfaces and VLANs:

# Create VLAN 10.

[ACCSW1] vlan 10

[ACCSW1-vlan10] quit

# Configure GigabitEthernet 1/0/1 (the port connected to PC 1) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] port link-type access

[ACCSW1-GigabitEthernet1/0/1] port access vlan 10

[ACCSW1-GigabitEthernet1/0/1] stp edged-port

[ACCSW1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to PC 2) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] port link-type access

[ACCSW1-GigabitEthernet1/0/2] port acess vlan 10

[ACCSW1-GigabitEthernet1/0/2] stp edged-port

[ACCSW1-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 (the port connected to the printer) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] port link-type access

[ACCSW1-GigabitEthernet1/0/3] port access vlan 10

[ACCSW1-GigabitEthernet1/0/3] stp edged-port

[ACCSW1-GigabitEthernet1/0/3] quit

4.        Configure link aggregation:

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1] link-aggregation mode dynamic

[ACCSW1-Bridge-Aggregation1] quit

# Assign Ten-GigabitEthernet 1/0/7 and Ten-GigabitEthernet 1/0/8 to aggregation group 1.

[ACCSW1] interface ten-gigabitethernet 1/0/7

[ACCSW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1

[ACCSW1-Ten-GigabitEthernet1/0/7] quit

[ACCSW1] interface ten-gigabitethernet 1/0/8

[ACCSW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1

[ACCSW1-Ten-GigabitEthernet1/0/8] quit

# Configure Bridge-Aggregation 1 as a trunk port, and assign it to VLAN 10.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1-Bridge-Aggregation1] port link-type trunk

[ACCSW1-Bridge-Aggregation1] port trunk permit vlan 10

[ACCSW1-Bridge-Aggregation1] quit

# Display detailed information about Bridge-Aggregation 1 to verify the link aggregation configuration.

<ACCSW1> display link-aggregation verbose Bridge-Aggregation 1

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Port: A -- Auto port, M -- Management port, R -- Reference port

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual

Aggregation Mode: Dynamic

Loadsharing Type: Shar

Management VLANs: None

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port                Status   Priority Index    Oper-Key               Flag

  XGE1/0/7            S        32768    61       2                      {ACDEF}

  XGE1/0/8            S        32768    62       2                      {ACDEF}

Remote:

  Actor               Priority Index    Oper-Key SystemID               Flag

  XGE1/0/7(R)         32768    111      2        0x8000, 000f-e267-57ad {ACDEF}

  XGE1/0/8            32768    112      2        0x8000, 000f-e267-57ad {ACDEF}

# Display information about VLAN 10 to verify the configuration.

[ACCSW1] display vlan 10

 VLAN ID: 10

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0010

 Name: VLAN 0010

 Tagged ports:   None

 Untagged ports:

    Bridge-Aggregation1

    GigabitEthernet1/0/1          GigabitEthernet1/0/2

    GigabitEthernet1/0/3          GigabitEthernet1/0/7

    GigabitEthernet1/0/8

5.        Enable BPDU guard globally.

[ACCSW1] stp bpdu-protection

6.        Configure DHCP snooping:

# Enable DHCP snooping.

[ACCSW1] dhcp snooping enable

# Configure Bridge-Aggregation 1 as a trusted port.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1-Bridge-Aggregation1] dhcp snooping trust interface Bridge-Aggregation 1

[ACCSW1-Bridge-Aggregation1] quit

7.        Configure IPSG:

# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/1] quit

# Enable IPv4SG on GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/2] quit

Configuring the core switch

1.        Log in to the device.

For more information about logging in to the device, see "Log in to the device:."

2.        Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3.        Configure VLANs and VLAN interfaces:

# Create VLAN 10, VLAN 20, and VLAN 100.

<Sysname> system-view

[Sysname] sysname CORESW1

[CORESW1] vlan 10 20 100

# Create VLAN-interface 10, and assign IP address 10.10.10.1/24 to it.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface2]ip address 10.10.10.1 24

# Create VLAN-interface 20, and assign IP address 10.10.20.1/24 to it.

[CORESW1] interface vlan-interface 20

[CORESW1-Vlan-interface2]ip address 10.10.20.1 24

# Create VLAN-interface 100, and assign IP address 10.10.100.1/24 to it.

[CORESW1] interface vlan-interface 100

[CORESW1-Vlan-interface2]ip address 10.10.100.1 24

4.        Configure link aggregation:

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[CORESW1] interface bridge-aggregation 1

[CORESW1] link-aggregation mode dynamic

[CORESW1-Bridge-Aggregation1] quit

# Assign Ten-GigabitEthernet 1/0/7 and Ten-GigabitEthernet 1/0/8 to aggregation group 1.

[CORESW1] interface ten-gigabitethernet 1/0/7

[CORESW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1

[CORESW1-Ten-GigabitEthernet1/0/7] quit

[CORESW1] interface ten-gigabitethernet 1/0/8

[CORESW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1

[CORESW1-Ten-GigabitEthernet1/0/8] quit

# Configure Bridge-Aggregation 1 as a trunk port, and assign it to VLAN 10.

[CORESW1] interface bridge-aggregation 1

[CORESW1-Bridge-Aggregation1] port link-type trunk

[CORESW1-Bridge-Aggregation1] port trunk permit vlan 10

[CORESW1-Bridge-Aggregation1] quit

# Display detailed information about Bridge-Aggregation 1 to verify the link aggregation configuration.

<CORESW1> display link-aggregation verbose Bridge-Aggregation 1

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Port: A -- Auto port, M -- Management port, R -- Reference port

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual

Aggregation Mode: Dynamic

Loadsharing Type: Shar

Management VLANs: None

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port                Status   Priority Index    Oper-Key               Flag

  XGE1/0/7(R)         S        32768    61       2                      {ACDEF}

  XGE1/0/8            S        32768    62       2                      {ACDEF}

Remote:

  Actor               Priority Index    Oper-Key SystemID               Flag

  XGE1/0/7            32768    111      2        0x8000, 000f-e267-57ad {ACDEF}

  XGE1/0/8            32768    112      2        0x8000, 000f-e267-57ad {ACDEF}

# Display information about VLAN 10 to verify the configuration.

[CORESW1] display vlan 10

 VLAN ID: 10

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 10.10.10.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0010

 Name: VLAN 0010

 Tagged ports:   None

 Untagged ports:

    Bridge-Aggregation1

    GigabitEthernet1/0/7          GigabitEthernet1/0/8

# Display information about VLAN 100 to verify the configuration.

[CORESW1] display vlan 100

 VLAN ID: 10

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 10.10.100.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0100

 Name: VLAN 0100

 Tagged ports:   None

 Untagged ports:   None

5.        Configure the DHCP server feature:

# Enable DHCP.

[CORESW1] dhcp enable

# Create DHCP address pool 1. In this pool, specify network segment 10.10.10.0/24, gateway address 10.10.10.1, DNS server address 202.101.100.199, set the lease duration to 30 days, and bind IP address 10.10.10.254/24 to the printer.

[CORESW1] dhcp server ip-pool 1

[CORESW1-dhcp-pool-1] network 10.10.10.0 mask 255.255.255.0

[CORESW1-dhcp-pool-1] gateway-list 10.10.10.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-1] expired day 30

[CORESW1-dhcp-pool-1] static-bind ip-address 10.10.10.254 24 client-identifier aabb-cccc-dd

[CORESW1-dhcp-pool-1] quit

# Create DHCP address pool 2. In this pool, specify network segment 10.10.20.0/24, gateway address 10.10.20.1, DNS server address 202.101.100.199, and set the lease duration to 30 days.

[CORESW1] dhcp server ip-pool 2

[CORESW1-dhcp-pool-2] network 10.10.20.0 mask 255.255.255.0

[CORESW1-dhcp-pool-2] gateway-list 10.10.20.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-2] expired day 30

[CORESW1-dhcp-pool-2] quit

# Enable the DHCP server on VLAN-interface 10, and apply DHCP address pool 1 to VLAN-interface 10.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10] dhcp select server

[CORESW1-Vlan-interface10] dhcp server apply ip-pool 1

[CORESW1-Vlan-interface10] quit

# Enable the DHCP server on VLAN-interface 20, and apply DHCP address pool 2 to VLAN-interface 20.

[CORESW1 interface vlan-interface 20

[CORESW1-Vlan-interface20] dhcp select server

[CORESW1-Vlan-interface20] dhcp server apply ip-pool 2

[CORESW1-Vlan-interface20] quit

# Display information about DHCP address pools.

[CORESW1] display dhcp server pool

Pool name: 1

  Network: 10.10.10.0 mask 255.255.255.0

  expired 30 0 0 0

  gateway-list 10.10.10.1

  static bindings:

    ip-address 10.10.10.254 mask 255.255.255.0

      client-identifier aabb-cccc-dd

Pool name: 2

  Network: 10.10.20.0 mask 255.255.255.0

  expired 30 0 0 0

  gateway-list 10.10.20.1

6.        Configure a static route and display routing table information:

# Configure a default static route with next hop 10.10.100.2 (the IP address of the router).

[CORESW1] ip route-static 0.0.0.0 0 10.10.100.2

# Display routing table information.

[CORESW1] display ip routing-table

 

Destinations : 21       Routes : 21

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.10.100.2     Vlan100

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

10.10.10.0/24      Direct  0   0           10.10.10.1      Vlan10

10.10.10.0/32      Direct  0   0           10.10.10.1      Vlan10

10.10.10.1/32      Direct  0   0           127.0.0.1       InLoop0

10.10.10.255/32    Direct  0   0           10.10.10.1      Vlan10

10.10.20.0/24      Direct  0   0           10.10.20.1      Vlan20

10.10.20.0/32      Direct  0   0           10.10.20.1      Vlan20

10.10.20.1/32      Direct  0   0           127.0.0.1       InLoop0

10.10.20.255/32    Direct  0   0           10.10.20.1      Vlan20

10.10.100.0/24     Direct  0   0           10.10.100.1     Vlan100

10.10.100.0/32     Direct  0   0           10.10.100.1     Vlan100

10.10.100.1/32     Direct  0   0           127.0.0.1       InLoop0

10.10.100.255/32   Direct  0   0           10.10.100.1     Vlan100

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

Configuring the egress router

1.        Log in to the router.

For more information about logging in to the router, see "Log in to the device:."

2.        Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3.        Assign IP addresses to the public network interface and the internal network interface:

# Assign IP address 202.101.100.2/30 to GigabitEthernet 0/0 (the public network interface).

[Router] interface GigabitEthernet0/0

[Router-GigabitEthernet0/0] ip address 202.101.100.2 30

# Assign IP address 10.10.100.2/24 to GigabitEthernet 0/1 (the internal network interface).

[Router] interface GigabitEthernet0/1

[Router-GigabitEthernet0/1] ip address 10.10.100.2 24

4.        Configure packet filtering:

# Configure ACL 2000.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 10.10.10.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 10.10.20.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 10.10.100.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Apply ACL 2000 to GigabitEthernet 0/1 to filter incoming packets.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] packet-filter 2000 inbound

[Router-GigabitEthernet0/1] quit

# Set the packet filtering default action to deny.

[Router] packet-filter default deny

# Display configuration and match statistics for ACL 2000.

[Router] display acl 2000

Basic IPv4 ACL 2000, 2 rules,

ACL's step is 5, start ID is 0

 rule 0 permit source 10.10.10.0 0.0.0.255

 rule 5 permit source 10.10.20.0 0.0.0.255

 rule 10 permit source 10.10.100.0 0.0.0.255

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/1.

[Router] display packet-filter interface gigabitethernet 0/1 inbound

Interface: GigabitEthernet0/1

 Inbound policy:

  IPv4 ACL 2000

5.        Configure static routes to the intranet and the public network:

# Configure a static route, whose destination address is 10.10.10.0/24 and next hop address is 10.10.100.1.

[Router] ip route-static 10.10.10.0 255.255.255.0 10.10.100.1

# Configure a static route, whose destination address is 10.10.20.0/24 and next hop address is 10.10.100.1.

[Router] ip route-static 10.10.20.0 255.255.255.0 10.10.100.1

# Configure a default static route, whose next hop address is 202.101.100.1.

[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1

6.        Configure DNS:

# Specify DNS server IPv4 address 202.101.100.199.

[Router] dns server 202.101.100.199

# Enable DNS proxy.

[Router] dns proxy enable

Verifying the configuration

1.        Verify that two PCs in the same department can ping each other. This example uses PC 1 and PC 2 in Department A.

# Ping PC 2 from PC 1.

<PC1> ping 10.10.10.20

Ping 10.10.10.20 (10.10.10.20): 56 data bytes, press CTRL_C to break

56 bytes from 10.10.10.20: icmp_seq=0 ttl=255 time=1.015 ms

56 bytes from 10.10.10.20: icmp_seq=1 ttl=255 time=2.338 ms

56 bytes from 10.10.10.20: icmp_seq=2 ttl=255 time=1.951 ms

56 bytes from 10.10.10.20: icmp_seq=3 ttl=255 time=1.719 ms

56 bytes from 10.10.10.20: icmp_seq=4 ttl=255 time=1.629 ms

 

--- Ping statistics for 10.10.10.20 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.015/1.730/2.338/0.434 ms

The output shows that PC 1 can ping PC 2.

2.        Verify that two PCs in different departments can ping each other. This example uses PC 1 in Department A and PC 3 in Department B.

# Ping PC 3 from PC 1.

<PC1> ping 10.10.20.10

Ping 10.10.20.10 (10.10.20.10): 56 data bytes, press CTRL_C to break

56 bytes from 10.10.20.10: icmp_seq=0 ttl=254 time=2.709 ms

56 bytes from 10.10.20.10: icmp_seq=1 ttl=254 time=0.877 ms

56 bytes from 10.10.20.10: icmp_seq=2 ttl=254 time=0.850 ms

56 bytes from 10.10.20.10: icmp_seq=3 ttl=254 time=0.805 ms

56 bytes from 10.10.20.10: icmp_seq=4 ttl=254 time=0.814 ms

 

--- Ping statistics for 10.10.20.10 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.805/1.211/2.709/0.749 ms

The output shows that PC 1 can ping PC 3.

3.        Verify that a PC in each department can ping the external network. This example uses PC 1 in Department A to ping the public network gateway address. (Details not shown.)

Saving the configuration

# Save the running configuration on the access switches. This example uses access switch 1.

[ACCSW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

# Save the running configuration on the core switch.

[CORESW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

# Save the running configuration on the egress router.

[Router] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Deploying a small to medium-sized campus network

Network configuration

In a small to medium-sized campus network, the S5130 or S5130S Ethernet switches series are deployed on the access layer. The S5560X or S6520X Ethernet switches series are deployed on the core layer, and an MSR series router is used as the egress router.

Configure the devices to meet the following requirements:

·          Configure VRRP on the core switches to provide high availability.

·          Configure VLANs to accommodate services of different departments and configure VLAN interfaces on the core switches to provide Layer 3 connectivity for inter-department services.

·          Configure the core switches as the DHCP servers to dynamically assign IP addresses to campus users.

·          Enable DHCP snooping on the access switches to prevent unauthorized DHCP servers from assigning IP addresses to intranet users. Additionally, enable IPSG to prevent intranet users from changing their IP addresses.

·          Configure per-IP address rate liming on the egress router to limit the rate of incoming and outgoing traffic.

Network diagram

Figure 2 small to medium-sized campus network diagram

 

Analysis

Table 2 shows the procedure of deploying a small to medium-sized campus network.

Table 2 Procedure of deploying a small to medium-sized campus network

Step

Item

Configuration data

Remarks

1.       Log to the devices.

Console login

Communication parameters (the transmission rate, for example).

Use a PC to log in to the devices through a terminal emulation program.

2.       Configure the management IP and Telnet login.

Management VLAN

VLAN 5

VLAN 1 is the default VLAN. Do not configure VLAN 1 as the management VLAN.

This example uses VLAN 5 as the management VLAN.

IP address of the management Ethernet interface or management VLAN interface

10.10.1.1/24

For a switch that has a management Ethernet interface, use the IP address of M-GigabitEthernet 0/0/0 for device login.

For a switch that does not have a management Ethernet interface, use the IP address of the management VLAN interface for device login.

3.       Configure interfaces and VLANs.

Port link type

·         Port connected to a PC: Access or hybrid port

·         Port connected to a switch: Trunk or hybrid port

N/A

VLAN IDs

·         Access switch 1: VLANs 10 and 20

·         Core switch: VLANs 10, 20, 30, 40, 50, 100, and 300

To isolate Department A and Department B at Layer 2, configure VLAN 10 for Department A and VLAN 20 for Department B.

The core switch connects to the egress router through VLAN-interface 100.

4.       Configure the DHCP server on the core switches.

DHCP server

Core switch 1

Core switch 2

Configure the DHCP server feature on core switch 1 and core switch 2.

DHCP address pools

·         VLAN 10: DHCP address pool 1

·         VLAN 20: DHCP address pool 2

PCs in Department A and Department B obtain IP addresses from DHCP address pool 1 and DHCP address pool 2, respectively.

5.       Configure routes on the core switches.

IP addresses

Core switch 1:

·         VLAN-interface 10: 192.168.10.1/24

·         VLAN-interface 20: 192.168.20.1/24

·         VLAN-interface 100: 172.16.1.1/24

·         VLAN-interface 300: 172.16.3.1/24

VLAN-interface100 is used for the communication between core switch 1 and the egress router.

VLAN-interface 300 is used for the communication between core switch 1 and core switch 2.

Assign IP addresses to VLAN-interface 10 and VLAN-interface 20 to allow Department A and Department B to visit each other.

6.       Configure the egress router.

IP address of the public network interface

GigabitEthernet 0/0: 202.101.100.2/30

GigabitEthernet 0/0 on the egress router is the public network interface that connects the router to the Internet.

Public network gateway address

202.101.100.1/30

The egress router communicates with the service provider device through the public network gateway address.

To forward intranet packets to the external network, you must configure a default route with the next hop as the public network gateway address.

DNS server address

202.101.100.199

The DNS server translates domain names into IP addresses.

IP addresses of the internal network interfaces

GigabitEthernet 0/1: 172.16.1.2/24

GigabitEthernet 0/2: 172.16.2.2/24

GigabitEthernet 0/1 and GigabitEthernet 0/2 on the egress router are used for connection between the egress router and the intranet.

The egress router connects to the master device and the backup device through GigabitEthernet 0/1 and GigabitEthernet 0/2, respectively.

7.       Configure DHCP snooping on the access switches.

Trusted ports

GigabitEthernet 1/0/1

GigabitEthernet 1/0/2

A trusted port can forward DHCP messages correctly to ensure that the clients get IP addresses from authorized DHCP servers.

 

Procedure

Configuring the access switches

The procedure of configuring access switch 1 is the same as the procedure of configuring access switches 2, 3, and 4. This section uses access switch 1 as an example.

1.        Log in to the device:

# Shut down the PC from which you will log in to the device.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must shut down the PC.

# Use a console cable to connect the PC to the console port of the device.

# Power on the PC, launch a terminal emulation program, and create a connection that uses the console port connected to the device. Set the port properties as follows:

¡  Bits per second—9600 bps.

¡  Data bits—8.

¡  Stop bits—1.

¡  Parity—None.

¡  Flow control—None.

# Power on the device and press Enter as prompted to enter the CLI.

# (Optional.) Configure the authentication mode for console login.

By default, authentication is disabled for console login. You can log in to the device without entering a username or password. To improve security, configure the authentication mode for console login after you log in to the device for the first time. For more information about authentication modes for console login, see login management configuration in Fundamental Configuration Guide.

2.        Configure IP addresses and Telnet login:

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/10 (the port connected to the PC used for device login) to VLAN 5.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] sysname ACCSW1

[ACCSW1] vlan 5

[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10

[ACCSW1] quit

# Create VLAN-interface 5, and assign IP address 10.10.1.1/24 to it.

[ACCSW1] interface vlan-interface 5

[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24

[ACCSW1-Vlan-interface5] quit

# Enable the Telnet service.

[ACCSW1] telnet server enable

# Enable scheme authentication for Telnet login.

[ACCSW1] line vty 0 63

[ACCSW1-line-vty0-63] authentication-mode scheme

[ACCSW1-line-vty0-63] quit

# Create local user admin. Set the password to admin, the service type to Telnet, and the user role to network-admin.

[ACCSW1] local-user admin

New local user added.

[ACCSW1-luser-manage-admin] password simple admin

[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin

[ACCSW1-luser-manage-admin] service-type telnet

[ACCSW1-luser-manage-admin] quit

# Telnet to the device from the PC by using the local user account admin.

The output varies by device model and software version. This example uses an S5560X-30C-PWR-EI switch running Release 1118P07.

C:\Users\Administrator> telnet 10.10.1.1

****************************************************************************** 

* Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                               

login: admin                                                                   

Password:                                                                       

<ACCSW1>

The output shows that you have Telneted to the device successfully.

3.        Configure interfaces and VLANs:

# Create VLAN 10 and VLAN 20.

[ACCSW1] vlan 10 20

# Configure GigabitEthernet 1/0/1 (the port connected to PC 1) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] port link-type access

[ACCSW1-GigabitEthernet1/0/1] port access vlan 10

[ACCSW1-GigabitEthernet1/0/1] stp edged-port

[ACCSW1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to PC 2) as an access port, assign it to VLAN 20, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] port link-type access

[ACCSW1-GigabitEthernet1/0/2] port access vlan 20

[ACCSW1-GigabitEthernet1/0/2] stp edged-port

[ACCSW1-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 10 and VLAN 20.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] port link-type trunk

[ACCSW1-GigabitEthernet1/0/3] port trunk permit vlan 10 20

[ACCSW1-GigabitEthernet1/0/3] quit

# Configure GigabitEthernet 1/0/4 as a trunk port, and assign it to VLAN 10 and VLAN 20.

[ACCSW1] interface gigabitethernet 1/0/4

[ACCSW1-GigabitEthernet1/0/4] port link-type trunk

[ACCSW1-GigabitEthernet1/0/4] port trunk permit vlan 10 20

[ACCSW1-GigabitEthernet1/0/4] quit

# Display information about VLAN 10.

[ACCSW1] display vlan 10

 VLAN ID: 10

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0010

 Name: VLAN 0010

 Tagged ports:

    GigabitEthernet1/0/3

    GigabitEthernet1/0/4

 Untagged ports:

    GigabitEthernet1/0/1

# Display information about VLAN 20.

[ACCSW1] display vlan 20

 VLAN ID: 20

 VLAN type: Static

 Route interface: Not configured

 Description: VLAN 0020

 Name: VLAN 0020

 Tagged ports:

    GigabitEthernet1/0/3

    GigabitEthernet1/0/4

 Untagged ports:

    GigabitEthernet1/0/2

4.        Enable BPDU guard globally.

[ACCSW1] stp bpdu-protection

5.        Configure DHCP snooping:

# Enable DHCP snooping.

[ACCSW1] dhcp snooping enable

# Configure GigabitEthernet 1/0/3 as a trusted port.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] dhcp snooping trust interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] quit

6.        Configure IPSG:

# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/1] quit

# Enable IPv4SG on GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/2] quit

Configuring the core switches

The procedure of configuring core switch 1 is similar to the procedure of configuring core switch 2. This section uses core switch 1 as an example. Unless otherwise stated, the configuration of core switch 2 is the same as that of core switch 1.

1.        Log in to the device.

For more information about logging in to the device, see "Log in to the device:."

2.        Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3.        Configure interfaces and VLANs:

# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 100, and VLAN 300.

<Sysname> system-view

[Sysname] sysname CORESW1

[CORESW1] vlan 10 20 30 40 50 100 300

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 10.

[CORESW1] interface gigabitethernet 1/0/1

[CORESW1-GigabitEthernet1/0/1] port link-type trunk

[CORESW1-GigabitEthernet1/0/1] port trunk permit vlan 10

# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLAN 20.

[CORESW1] interface gigabitethernet 1/0/2

[CORESW1-GigabitEthernet1/0/2] port link-type trunk

[CORESW1-GigabitEthernet1/0/2] port trunk permit vlan 20

# Configure GigabitEthernet 1/0/5 as a trunk port, and assign it to VLAN 300.

[CORESW1] interface gigabitethernet 1/0/5

[CORESW1-GigabitEthernet1/0/5] port link-type trunk

[CORESW1-GigabitEthernet1/0/5] port trunk permit vlan 300

4.        Configure VLAN interfaces:

# Create VLAN-interface 10, and assign IP address 192.168.10.1/24 to it.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10]ip address 192.168.10.1 24

# Create VLAN-interface 20, and assign IP address 92.168.20.1/24 to it.

[CORESW1] interface vlan-interface 20

[CORESW1-Vlan-interface20]ip address 192.168.20.1 24

# Create VLAN-interface 100, and assign IP address 172.16.1.1/24 to it.

[CORESW1] interface vlan-interface 100

[CORESW1-Vlan-interface100]ip address 172.16.1.1 24

# Create VLAN-interface 300, and assign IP address 172.16.3.1/24 to it.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300]ip address 172.16.3.1 24

# Display information about VLAN 10.

[CORESW1] display vlan 10

 VLAN ID: 10

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 192.168.10.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0010

 Name: VLAN 0010

 Tagged ports:

    GigabitEthernet1/0/1

 Untagged ports:   None

# Display information about VLAN 20.

[CORESW1] display vlan 20

 VLAN ID: 20

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 192.168.20.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0020

 Name: VLAN 0020

 Tagged ports:

    GigabitEthernet1/0/2

 Untagged ports:   None

# Display information about VLAN 100.

[CORESW1] display vlan 100

 VLAN ID: 100

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 172.16.1.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0100

 Name: VLAN 0100

 Tagged ports:   None

 Untagged ports:   None

# Display information about VLAN 300.

[CORESW1] display vlan 300

 VLAN ID: 300

 VLAN type: Static

 Route interface: Configured

 IPv4 address: 172.16.3.1

 IPv4 subnet mask: 255.255.255.0

 Description: VLAN 0300

 Name: VLAN 0300

 Tagged ports:

    GigabitEthernet1/0/5

 Untagged ports:   None

5.        Configure VRRP:

Use core switch 1 and core switch 2 to form a VRRP group. Core switch 1 operates as the master to process intranet packets. When core switch 1 fails or the upstream link of core switch 1 fails, core switch 2 takes over to process intranet packets.

# On core switch 1, create VRRP group 1 and set its virtual IP address to 172.16.3.10.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# Assign core switch 1 a higher priority than core switch 2 in VRRP group 1, so core switch 1 can become the master.

[CORESW1-Vlan-interface300] vrrp vrid 1 priority 120

# Configure core switch 1 to operate in preemptive mode, so it can become the master whenever it operates correctly. Set the preemption delay to 5000 centiseconds to avoid frequent status switchover.

[CORESW1-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000

[CORESW1-Vlan-interface300] quit

# Create track entry 1 to monitor the upstream link status of GigabitEthernet 1/0/7. When the upstream link fails, the track entry transits to Negative.

[CORESW1] track 1 interface gigabitethernet 1/0/7

[CORESW1-track-1] quit

# Configure the VFs in VRRP group 1 to monitor track entry 1, and decrease their weights by 30 when the track entry transits to Negative.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300] vrrp vrid 1 track 1 priority reduced 30

# On core switch 2, create VRRP group 1 and set its virtual IP address to 172.16.3.10.

[CORESW2-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# Set the priority of core switch 2 to 100 in VRRP group 1.

[CORESW2-Vlan-interface300] vrrp vrid 1 priority 100

# Configure core switch 2 to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.

[CORESW2-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000

# Display detailed information about VRRP group 1 on core switch 1.

[CORESW1] display vrrp verbose

IPv4 Virtual Router Information:

 Running mode : Standard

 Total number of virtual routers : 1

   Interface Vlan-interface300

     VRID             : 1                   Adver Timer  : 100

     Admin Status     : Up                  State        : Master

     Config Pri       : 120                 Running Pri  : 120

     Preempt Mode     : Yes                 Delay Time   : 5000

     Auth Type        : None

     Virtual IP       : 172.16.3.10

     Virtual MAC      : 0000-5e00-0101

     Master IP        : 172.16.3.1

   VRRP Track Information:

     Track Object   : 1                   State : Negative   Pri Reduced : 30

# Display detailed information about VRRP group 1 on core switch 2.

[CORESW2] display vrrp verbose

IPv4 Virtual Router Information:

 Running mode : Standard

 Total number of virtual routers : 1

   Interface Vlan-interface300

     VRID             : 1                   Adver Timer  : 100

     Admin Status     : Up                  State        : Backup

     Config Pri       : 100                 Running Pri  : 100

     Preempt Mode     : Yes                 Delay Time   : 5000

     Become Master    : 27810ms left

     Auth Type        : None

     Virtual IP       : 172.16.3.10

     Virtual MAC      : 0000-5e00-0101

     Master IP        : 172.16.3.1

The output shows that core switch 1 is operating as the master and core switch 2 is operating as the backup in VRRP group 1.

6.        Configure the DHCP server feature:

# Enable DHCP.

[CORESW1] dhcp enable

# Create DHCP address pool 1. In this pool, specify network segment 192.168.10.0/24, gateway address 192.168.10.1, DNS server address 202.101.100.199, set the lease duration to 30 days, and bind IP address 192.168.10.254/24 to the printer.

[CORESW1] dhcp server ip-pool 1

[CORESW1-dhcp-pool-1] network 192.168.10.0 mask 255.255.255.0

[CORESW1-dhcp-pool-1] gateway-list 192.168.10.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-1] expired day 30

[CORESW1-dhcp-pool-1] static-bind ip-address 192.168.10.254 24 client-identifier aabb-cccc-dd

[CORESW1-dhcp-pool-1] quit

# Create DHCP address pool 2. In this pool, specify network segment 192.168.20.0/24, gateway address 192.168.20.1, DNS server address 202.101.100.199, and set the lease duration to 30 days.

# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 192.168.10.0/24.

[CORESW1] dhcp server ip-pool 2

[CORESW1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0

[CORESW1-dhcp-pool-2] gateway-list 192.168.20.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-2] expired day 30

[CORESW1-dhcp-pool-2] quit

# Enable the DHCP server on VLAN-interface 10, and apply DHCP address pool 1 to VLAN-interface 10.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10] dhcp select server

[CORESW1-Vlan-interface10] dhcp server apply ip-pool 1

[CORESW1-Vlan-interface10] quit

# Enable the DHCP server on VLAN-interface 20, and apply DHCP address pool 2 to VLAN-interface 10.

[CORESW1 interface vlan-interface 20

[CORESW1-Vlan-interface20] dhcp select server

[CORESW1-Vlan-interface20] dhcp server apply ip-pool 2

[CORESW1-Vlan-interface20] quit

# Display DHCP address pool information.

[CORESW1] display dhcp server pool

Pool name: 1

  Network: 192.168.10.0 mask 255.255.255.0

  expired 30 0 0 0

  gateway-list 192.168.10.1

  static bindings:

    ip-address 192.168.10.254 mask 255.255.255.0

      client-identifier aabb-cccc-dd

Pool name: 2

  Network: 192.168.20.0 mask 255.255.255.0

  expired 30 0 0 0

  gateway-list 192.168.20.1

7.        Configure OSPF:

# Configure OSPF on core switch 1.

[CORESW1] ospf 100 router-id 2.2.2.2

[CORESW1-ospf-100] area 0

[CORESW1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] quit

[CORESW1-ospf-100] quit

# Configure OSPF on core switch 2.

[CORESW2] ospf 100 router-id 3.3.3.3

[CORESW2-ospf-100] area 0

[CORESW2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] quit

[CORESW2-ospf-100] quit

# Display OSPF neighbor information on core switch 1.

[CORESW1] display ospf peer

 

         OSPF Process 100 with Router ID 2.2.2.2

               Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 3.3.3.3         172.16.3.2      1   33         Full/DR           Vlan300

# Display OSPF neighbor information on core switch 2.

[CORESW2] display ospf peer

 

         OSPF Process 100 with Router ID 3.3.3.3

               Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 2.2.2.2         172.16.3.1      1   36         Full/BDR          Vlan300

Configuring the egress router

1.        Log in to the device.

For more information about logging in to the device, see "Log in to the device:."

2.        Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3.        Assign IP addresses to the public network interfaces and the internal network interface:

# Assign IP addresses to internet network interfaces.

[Router] interface GigabitEthernet0/1

[Router-GigabitEthernet0/1] ip address 172.16.1.2 24

[Router] interface GigabitEthernet0/2

[Router-GigabitEthernet0/2] ip address 172.16.2.2 24

# Assign an IP address to the public network interface.

[Router] interface GigabitEthernet0/0

[Router-GigabitEthernet0/0] ip address 202.101.100.2 30

4.        Configure packet filtering:

# Configure ACL 2000.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 192.168.20.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.2.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.3.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Apply ACL 2000 to GigabitEthernet 0/1 to filter incoming packets.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] packet-filter 2000 inbound

[Router-GigabitEthernet0/1] quit

# Apply ACL 2000 to GigabitEthernet 0/2 to filter incoming packets.

[Router] interface gigabitethernet 0/2

[Router-GigabitEthernet0/2] packet-filter 2000 inbound

[Router-GigabitEthernet0/2] quit

# Set the packet filtering default action to deny.

[Router] packet-filter default deny

# Display configuration and match statistics for ACL 2000.

[Router] display acl 2000

Basic IPv4 ACL 2000, 2 rules,

ACL's step is 5, start ID is 0

 rule 0 permit source 192.168.10.0 0.0.0.255

 rule 5 permit source 192.168.20.0 0.0.0.255

 rule 10 permit source 172.16.1.0 0.0.0.255

 rule 15 permit source 172.16.2.0 0.0.0.255

 rule 20 permit source 172.16.3.0 0.0.0.255

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/1.

[Router] display packet-filter interface gigabitethernet 0/1 inbound

Interface: GigabitEthernet0/1

 Inbound policy:

  IPv4 ACL 2000

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/2.

[Router] display packet-filter interface gigabitethernet 0/2 inbound

Interface: GigabitEthernet0/2

 Inbound policy:

  IPv4 ACL 2000

5.        Configure OSPF:

# Configure a default static route, whose next hop address is 202.101.100.1 (the public network gateway address).

[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1

# Configure OSPF and redistribute a default route into the OSPF routing domain.

[Router] ospf 10 router-id 1.1.1.1

[Router-ospf-10] default-route-advertise always

[Router-ospf-10] area 0

[Router-ospf-10-area-0.0.0.0] network 172.16.1.0 0.0.0.255

[Router-ospf-10-area-0.0.0.0] network 172.16.2.0 0.0.0.255

[Router-ospf-10-area-0.0.0.0] quit

[Router-ospf-10] quit

# Display OSPF neighbor information on the egress router.

[Router] display ospf peer

 

         OSPF Process 100 with Router ID 1.1.1.1

               Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 2.2.2.2         172.16.1.1      1   31         Full/DR           GE1/0/1

 3.3.3.3         172.16.2.1      1   39         Full/BDR          GE1/0/2

# Display OSPF neighbor information on core switch 1.

[CORESW1] display ospf routing

 

         OSPF Process 100 with Router ID 2.2.2.2

                  Routing Table

 

                Topology base (MTID 0)

 

 Routing for network

 Destination        Cost     Type    NextHop         AdvRouter       Area

 172.16.1.0/24      1        Transit 0.0.0.0         2.2.2.2         0.0.0.0

 172.16.2.0/24      2        Transit 172.16.3.2      1.1.1.1         0.0.0.0

 172.16.2.0/24      2        Transit 172.16.1.2      1.1.1.1         0.0.0.0

 172.16.3.0/24      1        Transit 0.0.0.0         3.3.3.3         0.0.0.0

 

 Routing for ASEs

 Destination        Cost     Type    Tag         NextHop         AdvRouter

 0.0.0.0/0          1        Type2   1           172.16.1.2      1.1.1.1

 

 Total nets: 5

 Intra area: 4  Inter area: 0  ASE: 1  NSSA: 0

# Display OSPF neighbor information on core switch 2.

[CORESW2] display ospf routing

 

         OSPF Process 100 with Router ID 3.3.3.3

                  Routing Table

 

                Topology base (MTID 0)

 

 Routing for network

 Destination        Cost     Type    NextHop         AdvRouter       Area

 172.16.1.0/24      2        Transit 172.16.3.1      2.2.2.2         0.0.0.0

 172.16.1.0/24      2        Transit 172.16.2.2      2.2.2.2         0.0.0.0

 172.16.2.0/24      1        Transit 0.0.0.0         1.1.1.1         0.0.0.0

 172.16.3.0/24      1        Transit 0.0.0.0         3.3.3.3         0.0.0.0

 

 Routing for ASEs

 Destination        Cost     Type    Tag         NextHop         AdvRouter

 0.0.0.0/0          1        Type2   1           172.16.2.2      1.1.1.1

 

 Total nets: 5

 Intra area: 4  Inter area: 0  ASE: 1  NSSA: 0

6.        Configure DNS:

# Specify DNS server IPv4 address 202.101.100.199.

[Router] dns server 202.101.100.199

# Enable DNS proxy.

[Router] dns proxy enable

7.        Configure per-IP-address rate limiting:

# Configure CAR lists.

[Router] qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

[Router] qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

[Router] qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

[Router] qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# Configure CAR-list-based traffic policing.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] qos car inbound carl 1 cir 512

[Router-GigabitEthernet0/1] qos car inbound carl 2 cir 512

[Router-GigabitEthernet0/1] qos car outbound carl 3 cir 512

[Router-GigabitEthernet0/1] qos car outbound carl 4 cir 512

[Router-GigabitEthernet0/1] quit

[Router] interface gigabitethernet 0/2

[Router-GigabitEthernet0/2] qos car inbound carl 1 cir 512

[Router-GigabitEthernet0/2] qos car inbound carl 2 cir 512

[Router-GigabitEthernet0/2] qos car outbound carl 3 cir 512

[Router-GigabitEthernet0/2] qos car outbound carl 4 cir 512

[Router-GigabitEthernet0/2] quit

# Display CAR list information.

[Router] display qos carl

List  Rules

1     source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

2     source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

3     destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

4     destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# Display CAR configuration and statistics on GigabitEthernet 0/1.

[Router] display qos car interface gigabitethernet 0/1

Interface: GigabitEthernet0/1

 Direction: inbound

  Rule: If-match carl 1

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

  Rule: If-match carl 2

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

 Direction: outbound

  Rule: If-match carl 3

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

  Rule: If-match carl 4

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

# Display CAR configuration and statistics on GigabitEthernet 0/2.

[Router] display qos car interface gigabitethernet 0/2

Interface: GigabitEthernet0/2

 Direction: inbound

  Rule: If-match carl 1

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

  Rule: If-match carl 2

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

 Direction: outbound

  Rule: If-match carl 3

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

  Rule: If-match carl 4

   CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

   Green action  : pass

   Yellow action : pass

   Red action    : discard

   Green packets : 0 (Packets), 0 (Bytes)

   Yellow packets: 0 (Packets), 0 (Bytes)

   Red packets   : 0 (Packets), 0 (Bytes)

Verifying the configuration

1.        Verify that two PCs in the same department can ping each other.

# Use PC 1 in VLAN 10 to ping another PC in this VLAN.

<PC1> ping 192.168.10.83

Ping 192.168.10.83 (192.168.10.83): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.10.83: icmp_seq=0 ttl=255 time=1.328 ms

56 bytes from 192.168.10.83: icmp_seq=1 ttl=255 time=0.808 ms

56 bytes from 192.168.10.83: icmp_seq=2 ttl=255 time=0.832 ms

56 bytes from 192.168.10.83: icmp_seq=3 ttl=255 time=0.904 ms

56 bytes from 192.168.10.83: icmp_seq=4 ttl=255 time=0.787 ms

 

--- Ping statistics for 192.168.10.83 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.787/0.932/1.328/0.202 ms

2.        Verify that two PCs in different departments can ping each other.

# Use PC 1 in VLAN 10 to ping a PC in a different VLAN.

<PC1> ping 192.168.20.5

Ping 192.168.20.5 (192.168.20.5): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.20.5: icmp_seq=0 ttl=255 time=69.146 ms

56 bytes from 192.168.20.5: icmp_seq=1 ttl=255 time=1.735 ms

56 bytes from 192.168.20.5: icmp_seq=2 ttl=255 time=1.356 ms

56 bytes from 192.168.20.5: icmp_seq=3 ttl=255 time=1.302 ms

56 bytes from 192.168.20.5: icmp_seq=4 ttl=255 time=1.379 ms

 

--- Ping statistics for 192.168.20.5 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.302/14.984/69.146/27.082 ms

3.        Verify that a PC in each department can ping the external network.

# Use PC 1 in VLAN 10 to ping the public network gateway address. (Details not shown.)

Saving the configuration

# Save the running configuration on the access switches. This example uses access switch 1.

[ACCSW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

# Save the running configuration on the core switches. This example uses core switch 1.

[CORESW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

# Save the running configuration on the egress router.

[Router] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.