Table of Contents

Related Documents

33-LAN Networks Quick Start Configuration Guide

Title	Size	Download
33-LAN Networks Quick Start Configuration Guide	267.83 KB

LAN Networks Quick Start Configuration Guide

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Deploying a small-sized campus network

Introduction

The following information uses an example to describe the basic procedure for configuring a small-sized campus network.

As shown in Figure 1, in a small-sized campus network, the S5130 or S5130S Ethernet switches series are deployed on the access layer. The S5560X or S6520X Ethernet switches series are deployed on the core layer, and an MSR series router is used as the egress router.

Configure the devices to meet the following requirements:

· Configure the spanning tree feature on all the switches to prevent loops.

· Configure link aggregation on the access switches and the core switch to provide high availability.

· Configure VLANs to accommodate services of different departments in the campus and configure VLAN interfaces to provide Layer 3 connectivity for inter-department services.

· Configure the core switch as the DHCP server to dynamically assign IP addresses to campus users.

· Enable DHCP snooping on the access switches to prevent unauthorized DHCP servers from assigning IP addresses to intranet users. Additionally, enable IPSG to prevent intranet users from changing their IP addresses.

Figure 1 Small-sized campus network diagram

Analysis and data preparation

Table 1 shows the procedure of deploying a small-sized campus network.

Table 1 Procedure of deploying a small-sized campus network

Step	Item	Configuration data	Remarks
1. Log in to the devices.	Console login	Communication parameters (the transmission rate, for example).	Use a PC to log in to the devices through a terminal emulation program.
2. Configure the management IP and Telnet login.	Management VLAN	VLAN 5	VLAN 1 is the default VLAN. Do not configure VLAN 1 as the management VLAN. This example uses VLAN 5 as the management VLAN.
2. Configure the management IP and Telnet login.	IP address of the management Ethernet interface or management VLAN interface	10.10.1.1/24	For a switch that has a management Ethernet interface, use the IP address of M-GigabitEthernet 0/0/0 for device login. For a switch that does not have a management Ethernet interface, use the IP address of the management VLAN interface for device login.
3. Configure interfaces and VLANs.	Dynamic aggregation	· Access switch 1: Uplink aggregate interface Bridge-Aggregation 1 · Access switch 2: Uplink aggregate interface Bridge-Aggregation 1 · Core switch: Downlink aggregate interface Bridge-Aggregation 1	Access switches and the core switch are connected through aggregate links.
	Port link type	· Port connected to a PC: Access port · Port connected to a switch: Trunk port	N/A
	VLAN IDs	· Access switch 1: VLAN 10 · Access switch 2: VLAN 20 · Core switch: VLAN 100, VLAN 10, and VLAN 20	To isolate Department A and Department B at Layer 2, configure VLAN 10 for Department A and VLAN 20 for Department B. The core switch connects to the egress router through VLAN-interface 100.
4. Configure the DHCP server on the core switch.	DHCP server	N/A	N/A
4. Configure the DHCP server on the core switch.	DHCP address pools	· VLAN 10: DHCP address pool 1 · VLAN 20: DHCP address pool 2	PCs in Department A and Department B obtain IP addresses from DHCP address pool 1 and DHCP address pool 2, respectively.
5. Configure routes on the core switch.	IP addresses	· VLAN-interface 10: 10.10.10.1/24 · VLAN-interface 20: 10.10.20.1/24 · VLAN-interface 100: 10.10.100.1/24	The core switch communicates with the egress router through VLAN-interface 100, which is used for the connectivity between the intranet and the egress router. You must configure a default route with the next hop as the egress router. Assign IP addresses to VLAN-interface 10 and VLAN-interface 20 to allow Department A and Department B to visit each other.
6. Configure the egress router.	IP address of the public network interface	GE0/2: 202.101.100.2/30	GE0/2 on the egress router is the public network interface that connects the router to the Internet.
	Public network gateway address	202.101.100.1/30	The egress router communicates with the service provider device through the public network gateway address. To forward intranet packets to the external network, you must configure a default route with the next hop as the public network gateway address.
	DNS server address	202.101.100.199	The DNS server translates domain names into IP addresses.
	IP address of the internal network interface	GE0/1: 10.10.100.2/24	GE0/1 on the egress router is the interface connected to the internal network.
7. Configure DHCP snooping on the access switches.	DHCP trusted port	N/A	Configure Bridge-Aggregation 1 as a DHCP trusted port.
8. Configure IPSG on the access switches.	IPSG	N/A	Configure IPv4SG to verify source IP address and source MAC address of user packets.

Procedure

Configuring the access switches

The procedure of configuring access switch 1 is the same as the procedure of configuring access switch 2. This section uses access switch 1 as an example.

1. Log in to the device through the console port (first device access):

# Shut down the PC from which you will log in to the device.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must shut down the PC.

# Use the console cable shipped with the device to connect the PC to the console port of the device. Plug the DB-9 connector of the console cable into the 9-pin serial port of the PC, and then plug the RJ-45 connector into the console port of the device.

TIP:

· Identify interfaces correctly to avoid connection errors.

· To connect the PC to the device, first plug the DB-9 connector of the console cable into the 9-pin serial port of the PC, and then plug the RJ-45 connector of the console cable into the console port of the device.

· To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.

Figure 2 Connecting a PC to the console port of the device

# Power on the PC, launch a terminal emulation program, and create a connection that uses the console port connected to the device. Set the port properties as follows:

¡ Bits per second—9600 bps.

¡ Data bits—8.

¡ Stop bits—1.

¡ Parity—None.

¡ Flow control—None.

# Power on the device and press Enter as prompted to enter the CLI.

# (Optional.) Configure the authentication mode for console login.

By default, authentication is disabled for console login. You can log in to the device without entering a username or password. To improve security, configure the authentication mode for console login after you log in to the device for the first time. For more information about authentication modes for console login, see login management configuration in Fundamental Configuration Guide.

2. Configure IP addresses and Telnet login:

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/10 (the port connected to the PC used for device login) to VLAN 5.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] sysname ACCSW1

[ACCSW1] vlan 5

[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10

[ACCSW1-vlan5] quit

# Create VLAN-interface 5, and assign IP address 10.10.1.1/24 to it.

[ACCSW1] interface vlan-interface 5

[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24

[ACCSW1-Vlan-interface5] quit

# Enable the Telnet service.

[ACCSW1] telnet server enable

# Enable scheme authentication for Telnet login.

[ACCSW1] line vty 0 63

[ACCSW1-line-vty0-63] authentication-mode scheme

[ACCSW1-line-vty0-63] quit

# Create local user admin. Set the password to admin, the service type to Telnet, and the user role to network-admin.

[ACCSW1] local-user admin

New local user added.

[ACCSW1-luser-manage-admin] password simple hello12345

[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin

[ACCSW1-luser-manage-admin] service-type telnet

[ACCSW1-luser-manage-admin] quit

# Telnet to the device from the PC by using the local user account admin.

The output varies by device model and software version. This example uses an S5560X-30C-PWR-EI switch running Release 1118P07.

C:\Users\Administrator> telnet 10.10.1.1

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

Password:

The output shows that you have Telneted to the device successfully.

3. Configure interfaces and VLANs:

# Create VLAN 10.

[ACCSW1] vlan 10

[ACCSW1-vlan10] quit

# Configure GigabitEthernet 1/0/1 (the port connected to PC 1) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] port link-type access

[ACCSW1-GigabitEthernet1/0/1] port access vlan 10

[ACCSW1-GigabitEthernet1/0/1] stp edged-port

[ACCSW1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to PC 2) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] port link-type access

[ACCSW1-GigabitEthernet1/0/2] port access vlan 10

[ACCSW1-GigabitEthernet1/0/2] stp edged-port

[ACCSW1-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 (the port connected to the printer) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] port link-type access

[ACCSW1-GigabitEthernet1/0/3] port access vlan 10

[ACCSW1-GigabitEthernet1/0/3] stp edged-port

[ACCSW1-GigabitEthernet1/0/3] quit

4. Configure link aggregation:

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1-Bridge-Aggregation1] link-aggregation mode dynamic

[ACCSW1-Bridge-Aggregation1] quit

# Assign Ten-GigabitEthernet 1/0/7 and Ten-GigabitEthernet 1/0/8 to aggregation group 1.

[ACCSW1] interface ten-gigabitethernet 1/0/7

[ACCSW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1

[ACCSW1-Ten-GigabitEthernet1/0/7] quit

[ACCSW1] interface ten-gigabitethernet 1/0/8

[ACCSW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1

[ACCSW1-Ten-GigabitEthernet1/0/8] quit

# Configure Bridge-Aggregation 1 as a trunk port, and assign it to VLAN 10.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1-Bridge-Aggregation1] port link-type trunk

[ACCSW1-Bridge-Aggregation1] port trunk permit vlan 10

[ACCSW1-Bridge-Aggregation1] quit

# Display detailed information about Bridge-Aggregation 1 to verify the link aggregation configuration.

[ACCSW1] display link-aggregation verbose Bridge-Aggregation 1

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Port: A -- Auto port, M -- Management port, R -- Reference port

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual

Aggregation Mode: Dynamic

Loadsharing Type: Shar

Management VLANs: None

System ID: 0x8000, 000f-e267-6c6a

Local:

Port Status Priority Index Oper-Key Flag

XGE1/0/7 S 32768 61 2 {ACDEF}

XGE1/0/8 S 32768 62 2 {ACDEF}

Remote:

Actor Priority Index Oper-Key SystemID Flag

XGE1/0/7(R) 32768 111 2 0x8000, 000f-e267-57ad {ACDEF}

XGE1/0/8 32768 112 2 0x8000, 000f-e267-57ad {ACDEF}

# Display information about VLAN 10 to verify the configuration.

[ACCSW1] display vlan 10

VLAN ID: 10

VLAN type: Static

Route interface: Not configured

Description: VLAN 0010

Name: VLAN 0010

Tagged ports: None

Untagged ports:

Bridge-Aggregation1

GigabitEthernet1/0/1 GigabitEthernet1/0/2

GigabitEthernet1/0/3 Ten-GigabitEthernet1/0/7

Ten-GigabitEthernet1/0/8

5. Enable BPDU guard globally.

[ACCSW1] stp bpdu-protection

6. Configure DHCP snooping:

# Enable DHCP snooping.

[ACCSW1] dhcp snooping enable

# Configure Bridge-Aggregation 1 as a trusted port.

[ACCSW1] interface bridge-aggregation 1

[ACCSW1-Bridge-Aggregation1] dhcp snooping trust

[ACCSW1-Bridge-Aggregation1] quit

7. Configure IPSG:

# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/1] quit

# Enable IPv4SG on GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/2] quit

8. Save the configuration:

# Save the running configuration on the access switches. This example uses access switch 1.

[ACCSW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Configuring the core switch

1. Log in to the device.

For more information about logging in to the device, see "Log in to the device through the console port (first device access):."

2. Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3. Configure VLANs and VLAN interfaces:

# Create VLAN 10, VLAN 20, and VLAN 100.

<Sysname> system-view

[Sysname] sysname CORESW1

[CORESW1] vlan 10 20

[CORESW1] vlan 100

[CORESW1-vlan100] port gigabitethernet 1/0/1

[CORESW1-vlan100] quit

# Create VLAN-interface 10, and assign IP address 10.10.10.1/24 to it.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10]ip address 10.10.10.1 24

[CORESW1-Vlan-interface10] quit

# Create VLAN-interface 20, and assign IP address 10.10.20.1/24 to it.

[CORESW1] interface vlan-interface 20

[CORESW1-Vlan-interface20]ip address 10.10.20.1 24

[CORESW1-Vlan-interface20] quit

# Create VLAN-interface 100, and assign IP address 10.10.100.1/24 to it.

[CORESW1] interface vlan-interface 100

[CORESW1-Vlan-interface100]ip address 10.10.100.1 24

[CORESW1-Vlan-interface100] quit

4. Configure link aggregation:

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[CORESW1] interface bridge-aggregation 1

[CORESW1-Bridge-Aggregation1] link-aggregation mode dynamic

[CORESW1-Bridge-Aggregation1] quit

# Assign Ten-GigabitEthernet 1/0/7 and Ten-GigabitEthernet 1/0/8 to aggregation group 1.

[CORESW1] interface ten-gigabitethernet 1/0/7

[CORESW1-Ten-GigabitEthernet1/0/7] port link-aggregation group 1

[CORESW1-Ten-GigabitEthernet1/0/7] quit

[CORESW1] interface ten-gigabitethernet 1/0/8

[CORESW1-Ten-GigabitEthernet1/0/8] port link-aggregation group 1

[CORESW1-Ten-GigabitEthernet1/0/8] quit

# Configure Bridge-Aggregation 1 as a trunk port, and assign it to VLAN 10.

[CORESW1] interface bridge-aggregation 1

[CORESW1-Bridge-Aggregation1] port link-type trunk

[CORESW1-Bridge-Aggregation1] port trunk permit vlan 10

[CORESW1-Bridge-Aggregation1] quit

# Display detailed information about Bridge-Aggregation 1 to verify the link aggregation configuration.

[CORESW1] display link-aggregation verbose Bridge-Aggregation 1

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Port: A -- Auto port, M -- Management port, R -- Reference port

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual

Aggregation Mode: Dynamic

Loadsharing Type: Shar

Management VLANs: None

System ID: 0x8000, 000f-e267-6c6a

Local:

Port Status Priority Index Oper-Key Flag

XGE1/0/7(R) S 32768 61 2 {ACDEF}

XGE1/0/8 S 32768 62 2 {ACDEF}

Remote:

Actor Priority Index Oper-Key SystemID Flag

XGE1/0/7 32768 111 2 0x8000, 000f-e267-57ad {ACDEF}

XGE1/0/8 32768 112 2 0x8000, 000f-e267-57ad {ACDEF}

# Display information about VLAN 10 to verify the configuration.

[CORESW1] display vlan 10

VLAN ID: 10

VLAN type: Static

Route interface: Configured

IPv4 address: 10.10.10.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0010

Name: VLAN 0010

Tagged ports: None

Untagged ports:

Bridge-Aggregation1

Ten-GigabitEthernet1/0/7 Ten-GigabitEthernet1/0/8

# Display information about VLAN 100 to verify the configuration.

[CORESW1] display vlan 100

VLAN ID: 100

VLAN type: Static

Route interface: Configured

IPv4 address: 10.10.100.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0100

Name: VLAN 0100

Tagged ports: None

Untagged ports: None

5. Configure the DHCP server feature:

# Enable DHCP.

[CORESW1] dhcp enable

# Create DHCP address pool 1. In this pool, specify network segment 10.10.10.0/24, gateway address 10.10.10.1, DNS server address 202.101.100.199, set the lease duration to 30 days, and bind IP address 10.10.10.254/24 to the printer.

[CORESW1] dhcp server ip-pool 1

[CORESW1-dhcp-pool-1] network 10.10.10.0 mask 255.255.255.0

[CORESW1-dhcp-pool-1] gateway-list 10.10.10.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-1] expired day 30

[CORESW1-dhcp-pool-1] static-bind ip-address 10.10.10.254 24 client-identifier aabb-cccc-dd

[CORESW1-dhcp-pool-1] quit

# Create DHCP address pool 2. In this pool, specify network segment 10.10.20.0/24, gateway address 10.10.20.1, DNS server address 202.101.100.199, and set the lease duration to 30 days.

[CORESW1] dhcp server ip-pool 2

[CORESW1-dhcp-pool-2] network 10.10.20.0 mask 255.255.255.0

[CORESW1-dhcp-pool-2] gateway-list 10.10.20.1

[CORESW1-dhcp-pool-2] dns-list 202.101.100.199

[CORESW1-dhcp-pool-2] expired day 30

[CORESW1-dhcp-pool-2] quit

# Enable the DHCP server on VLAN-interface 10, and apply DHCP address pool 1 to VLAN-interface 10.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10] dhcp select server

[CORESW1-Vlan-interface10] dhcp server apply ip-pool 1

[CORESW1-Vlan-interface10] quit

# Enable the DHCP server on VLAN-interface 20, and apply DHCP address pool 2 to VLAN-interface 20.

[CORESW1 interface vlan-interface 20

[CORESW1-Vlan-interface20] dhcp select server

[CORESW1-Vlan-interface20] dhcp server apply ip-pool 2

[CORESW1-Vlan-interface20] quit

# Display information about DHCP address pools.

[CORESW1] display dhcp server pool

Pool name: 1

Network: 10.10.10.0 mask 255.255.255.0

dns-list 202.101.100.199

expired 30 0 0 0

gateway-list 10.10.10.1

static bindings:

ip-address 10.10.10.254 mask 255.255.255.0

client-identifier aabb-cccc-dd

Pool name: 2

Network: 10.10.20.0 mask 255.255.255.0

dns-list 202.101.100.199

expired 30 0 0 0

gateway-list 10.10.20.1

6. Configure a static route and display routing table information:

# Configure a default static route with next hop 10.10.100.2 (the IP address of the router).

[CORESW1] ip route-static 0.0.0.0 0 10.10.100.2

# Display routing table information.

[CORESW1] display ip routing-table

Destinations : 21 Routes : 21

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/0 Static 60 0 10.10.100.2 Vlan100

0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.0/24 Direct 0 0 10.10.10.1 Vlan10

10.10.10.0/32 Direct 0 0 10.10.10.1 Vlan10

10.10.10.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.10.255/32 Direct 0 0 10.10.10.1 Vlan10

10.10.20.0/24 Direct 0 0 10.10.20.1 Vlan20

10.10.20.0/32 Direct 0 0 10.10.20.1 Vlan20

10.10.20.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.20.255/32 Direct 0 0 10.10.20.1 Vlan20

10.10.100.0/24 Direct 0 0 10.10.100.1 Vlan100

10.10.100.0/32 Direct 0 0 10.10.100.1 Vlan100

10.10.100.1/32 Direct 0 0 127.0.0.1 InLoop0

10.10.100.255/32 Direct 0 0 10.10.100.1 Vlan100

127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0

127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0

127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0

127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0

224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0

7. Save the configuration:

# Save the running configuration on the core switch.

[CORESW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Configuring the egress router

1. Log in to the router.

For more information about logging in to the router, see "Log in to the device through the console port (first device access):."

2. Configure IP addresses and Telnet login.

For more information about configuring IP addresses and Telnet login, see "Configure IP addresses and Telnet login:."

3. Assign IP addresses to the public network interface and the internal network interface:

# Assign IP address 202.101.100.2/30 to GigabitEthernet 0/2 (the public network interface).

[Router] interface GigabitEthernet 0/2

[Router-GigabitEthernet0/2] ip address 202.101.100.2 30

[Router-GigabitEthernet0/2] quit

# Assign IP address 10.10.100.2/24 to GigabitEthernet 0/1 (the internal network interface).

[Router] interface GigabitEthernet 0/1

[Router-GigabitEthernet0/1] ip address 10.10.100.2 24

[Router-GigabitEthernet0/1] quit

4. Configure packet filtering:

# Configure ACL 2000.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 10.10.10.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 10.10.20.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 10.10.100.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Apply ACL 2000 to GigabitEthernet 0/1 to filter incoming packets.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] packet-filter 2000 inbound

[Router-GigabitEthernet0/1] quit

# Set the packet filtering default action to deny.

[Router] packet-filter default deny

# Display configuration and match statistics for ACL 2000.

[Router] display acl 2000

Basic IPv4 ACL 2000, 3 rules,

ACL's step is 5, start ID is 0

rule 0 permit source 10.10.10.0 0.0.0.255

rule 5 permit source 10.10.20.0 0.0.0.255

rule 10 permit source 10.10.100.0 0.0.0.255

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/1.

[Router] display packet-filter interface gigabitethernet 0/1 inbound

Interface: GigabitEthernet 0/1

Inbound policy:

IPv4 ACL 2000

5. Configure static routes to the intranet and the public network:

[Router] ip route-static 10.10.10.0 255.255.255.0 10.10.100.1

[Router] ip route-static 10.10.20.0 255.255.255.0 10.10.100.1

[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1

6. Configure DNS:

[Router] dns server 202.101.100.199

[Router] dns proxy enable

7. Save the configuration:

# Save the running configuration on the egress router.

[Router] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Verifying the configuration

1. Verify that two PCs in the same department can ping each other. This example uses PC 1 and PC 2 in Department A.

# Ping PC 2 from PC 1.

<PC1> ping 10.10.10.20

Ping 10.10.10.20 (10.10.10.20): 56 data bytes, press CTRL+C to break

56 bytes from 10.10.10.20: icmp_seq=0 ttl=255 time=1.015 ms

56 bytes from 10.10.10.20: icmp_seq=1 ttl=255 time=2.338 ms

56 bytes from 10.10.10.20: icmp_seq=2 ttl=255 time=1.951 ms

56 bytes from 10.10.10.20: icmp_seq=3 ttl=255 time=1.719 ms

56 bytes from 10.10.10.20: icmp_seq=4 ttl=255 time=1.629 ms

--- Ping statistics for 10.10.10.20 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.015/1.730/2.338/0.434 ms

The output shows that PC 1 can ping PC 2.

2. Verify that two PCs in different departments can ping each other. This example uses PC 1 in Department A and PC 3 in Department B. Assume that PC3 obtains IP address 10.10.20.10 through DHCP.

# Ping PC 3 from PC 1.

<PC1> ping 10.10.20.10

Ping 10.10.20.10 (10.10.20.10): 56 data bytes, press CTRL+C to break

56 bytes from 10.10.20.10: icmp_seq=0 ttl=254 time=2.709 ms

56 bytes from 10.10.20.10: icmp_seq=1 ttl=254 time=0.877 ms

56 bytes from 10.10.20.10: icmp_seq=2 ttl=254 time=0.850 ms

56 bytes from 10.10.20.10: icmp_seq=3 ttl=254 time=0.805 ms

56 bytes from 10.10.20.10: icmp_seq=4 ttl=254 time=0.814 ms

--- Ping statistics for 10.10.20.10 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.805/1.211/2.709/0.749 ms

The output shows that PC 1 can ping PC 3.

3. Verify that a PC in each department can ping the external network. This example uses PC 1 in Department A to ping the public network gateway address. (Details not shown.)

Configuration files

Access switch ACCSW1

sysname ACCSW1

telnet server enable

dhcp snooping enable

vlan 5

vlan 10

stp bpdu-protection

interface Bridge-Aggregation1

port link-type trunk

port trunk permit vlan 10

link-aggregation mode dynamic

dhcp snooping trust

interface Vlan-interface5

ip address 10.10.1.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port access vlan 10

stp edged-port

ip verify source ip-address mac-address

dhcp snooping binding record

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 10

stp edged-port

ip verify source ip-address mac-address

dhcp snooping binding record

interface GigabitEthernet1/0/3

port link-mode bridge

port access vlan 10

stp edged-port

interface Ten-GigabitEthernet1/0/7

port link-mode bridge

port link-type trunk

port trunk permit vlan 10

port link-aggregation group 1

interface Ten-GigabitEthernet1/0/8

port link-mode bridge

port link-type trunk

port trunk permit vlan 10

port link-aggregation group 1

interface Ten-GigabitEthernet1/0/10

port link-mode bridge

port access vlan 5

line vty 0 63

authentication-mode scheme

local-user admin class manage

password hash $h$6$/up8ijTTulpXAAkL$s9fFDXwWVzNd0j2F8Rq/ZQEiMbA2s8uW31kkcaDoGHoNyvE/zZLV9HoLp+i0+VcV6Jpm48ufEAxbuKvi6qtWmg==

service-type telnet

authorization-attribute user-role network-admin

Access switch ACCSW2

The configuration file of ACCSW2 is the same as that of ACCSW1 except the VLAN IDs, management VLAN interface address, and aggregate interface number. (Details not shown.)

Core switch CORESW1

sysname CORESW1

vlan 10

vlan 20

vlan 100

dhcp server ip-pool 1

gateway-list 10.10.10.1

network 10.10.10.0 mask 255.255.255.0

dns-list 202.101.100.199

expired day 30

static-bind ip-address 10.10.10.254 mask 255.255.255.0 client-identifier aaaa-cccc-dd

dhcp server ip-pool 2

gateway-list 10.10.20.1

network 10.10.20.0 mask 255.255.255.0

dns-list 202.101.100.199

expired day 30

interface Bridge-Aggregation1

port link-type trunk

port trunk permit vlan 10

link-aggregation mode dynamic

interface Vlan-interface10

ip address 10.10.10.1 255.255.255.0

dhcp server apply ip-pool 1

interface Vlan-interface20

ip address 10.10.20.1 255.255.255.0

dhcp server apply ip-pool 2

interface Vlan-interface100

ip address 10.10.100.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port access vlan 100

interface Ten-GigabitEthernet1/0/7

port link-mode bridge

port link-type trunk

port trunk permit vlan 10

port link-aggregation group 1

interface Ten-GigabitEthernet1/0/8

port link-mode bridge

port link-type trunk

port trunk permit vlan 10

port link-aggregation group 1

ip route-static 0.0.0.0 0 10.10.100.2

Egress router

sysname Router

packet-filter default deny

dns proxy enable

dns server 202.101.100.199

interface GigabitEthernet0/1

port link-mode route

ip address 10.10.100.2 255.255.255.0

packet-filter 2000 inbound

interface GigabitEthernet0/2

port link-mode route

ip address 202.101.100.2 255.255.255.252

ip route-static 0.0.0.0 0 202.101.100.1

ip route-static 10.10.10.0 24 10.10.100.1

ip route-static 10.10.20.0 24 10.10.100.1

acl basic 2000

rule 0 permit source 10.10.10.0 0.0.0.255

rule 5 permit source 10.10.20.0 0.0.0.255

rule 10 permit source 10.10.100.0 0.0.0.255

Deploying a small- to medium-sized campus network

Introduction

The following information uses an example to describe the basic procedure for configuring a small- to medium-sized campus network.

Network configuration

As shown in Figure 1, in a small- to medium-sized campus network, the S5130 or S5130S Ethernet switches series are deployed on the access layer. The S5560X or S6520X Ethernet switches series are deployed on the core layer, and an MSR series router is used as the egress router.

Configure the devices to meet the following requirements:

· Configure VRRP on the core switches to provide high availability.

· Configure VLANs to accommodate services of different departments and configure VLAN interfaces on the core switches to provide Layer 3 connectivity for inter-department services.

· Configure the core switches as the DHCP servers to dynamically assign IP addresses to campus users.

· Configure per-IP address rate liming on the egress router to limit the rate of incoming and outgoing traffic.

Figure 3 Small- to medium-sized campus network diagram

Analysis and data preparation

Table 2 shows the procedure of deploying a small-l to medium-sized campus network.

Table 2 Procedure of deploying a small- to medium-sized campus network

Step	Item	Configuration data	Remarks
1. Log in to the devices.	Console login	Communication parameters (the transmission rate, for example).	Use a PC to log in to the devices through a terminal emulation program.
2. Configure the management IP and Telnet login.	Management VLAN	VLAN 5	VLAN 1 is the default VLAN. Do not configure VLAN 1 as the management VLAN. This example uses VLAN 5 as the management VLAN.
2. Configure the management IP and Telnet login.	IP address of the management Ethernet interface or management VLAN interface	10.10.1.1/24	This example uses ACCSW1. For a switch that has a management Ethernet interface, use the IP address of M-GigabitEthernet 0/0/0 for device login. For a switch that does not have a management Ethernet interface, use the IP address of the management VLAN interface for device login.
3. Configure interfaces and VLANs.	Port link type	· Port connected to a PC: Access or hybrid port · Port connected to a switch: Trunk or hybrid port	N/A
3. Configure interfaces and VLANs.	VLAN IDs	· Access switch 1: VLANs 10 and 20 · Core switch: VLANs 10, 20, 30, 40, 50, 100, and 300	To isolate Department A and Department B at Layer 2, configure VLAN 10 for Department A and VLAN 20 for Department B. The core switch connects to the egress router through VLAN-interface 100.
4. Configure the DHCP server on the core switches.	DHCP server	Core switch 1 Core switch 2	Configure the DHCP server feature on core switch 1 and core switch 2.
4. Configure the DHCP server on the core switches.	DHCP address pools	· VLAN 10: DHCP address pool 1 · VLAN 20: DHCP address pool 2	PCs in Department A and Department B obtain IP addresses from DHCP address pool 1 and DHCP address pool 2, respectively.
5. Configure routes on the core switches.	IP addresses	Core switch 1: · VLAN-interface 10: 192.168.10.1/24 · VLAN-interface 20: 192.168.20.1/24 · VLAN-interface 100: 172.16.1.1/24 · VLAN-interface 300: 172.16.3.1/24	VLAN-interface100 is used for the communication between core switch 1 and the egress router. VLAN-interface 300 is used for the communication between core switch 1 and core switch 2. Assign IP addresses to VLAN-interface 10 and VLAN-interface 20 to allow Department A and Department B to visit each other.
6. Configure the egress router.	IP address of the public network interface	GE0/0: 202.101.100.2/30	GE0/0 on the egress router is the public network interface that connects the router to the Internet.
	Public network gateway address	202.101.100.1/30	The egress router communicates with the service provider device through the public network gateway address. To forward intranet packets to the external network, you must configure a default route with the next hop as the public network gateway address.
	DNS server address	202.101.100.199	The DNS server translates domain names into IP addresses.
	IP addresses of the internal network interfaces	GE0/1: 172.16.1.2/24 GE0/2: 172.16.2.2/24	GE0/1 and GE0/2 on the egress router are used for connection between the egress router and the intranet. The egress router connects to the master device and the backup device through GE0/1 and GE0/2, respectively.
7. Configure DHCP snooping and IP source guard on the access switches.	Trusted ports	GE1/0/1 GE1/0/2	A trusted port can forward DHCP messages correctly to ensure that the clients get IP addresses from authorized DHCP servers.

Procedure

Configuring the access switches

The procedure of configuring access switch 1 is the same as the procedure of configuring access switches 2, 3, and 4. This section uses access switch 1 as an example.

1. Log in to the device through the console port (first device access):

# Shut down the PC from which you will log in to the device.

The serial ports on PCs do not support hot swapping. Before connecting a cable to or disconnecting a cable from a serial port on a PC, you must shut down the PC.

TIP:

· Identify interfaces correctly to avoid connection errors.

· To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.

Figure 4 Connecting a PC to the console port of the device

# Power on the PC, launch a terminal emulation program, and create a connection that uses the console port connected to the device. Set the port properties as follows:

¡ Bits per second—9600 bps.

¡ Data bits—8.

¡ Stop bits—1.

¡ Parity—None.

¡ Flow control—None.

# Power on the device and press Enter as prompted to enter the CLI.

# (Optional.) Configure the authentication mode for console login.

2. Configure IP addresses and Telnet login:

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/10 (the port connected to the PC used for device login) to VLAN 5.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] sysname ACCSW1

[ACCSW1] vlan 5

[ACCSW1-vlan5] port ten-gigabitethernet 1/0/10

[ACCSW1-vlan5] quit

# Create VLAN-interface 5, and assign IP address 10.10.1.1/24 to it.

[ACCSW1] interface vlan-interface 5

[ACCSW1-Vlan-interface5] ip address 10.10.1.1 24

[ACCSW1-Vlan-interface5] quit

# Enable the Telnet service.

[ACCSW1] telnet server enable

# Enable scheme authentication for Telnet login.

[ACCSW1] line vty 0 63

[ACCSW1-line-vty0-63] authentication-mode scheme

[ACCSW1-line-vty0-63] quit

# Create local user admin. Set the password to admin, the service type to Telnet, and the user role to network-admin.

[ACCSW1] local-user admin

New local user added.

[ACCSW1-luser-manage-admin] password simple hello12345

[ACCSW1-luser-manage-admin] authorization-attribute user-role network-admin

[ACCSW1-luser-manage-admin] service-type telnet

[ACCSW1-luser-manage-admin] quit

# Telnet to the device from the PC by using the local user account admin.

The output varies by device model and software version. This example uses an S5560X-30C-PWR-EI switch running Release 1118P07.

C:\Users\Administrator> telnet 10.10.1.1

******************************************************************************

* Without the owner's prior written consent, *

* no decompiling or reverse-engineering shall be allowed. *

******************************************************************************

Password:

The output shows that you have Telneted to the device successfully.

3. Configure interfaces and VLANs:

# Create VLAN 10 and VLAN 20.

[ACCSW1] vlan 10 20

# Configure GigabitEthernet 1/0/1 (the port connected to PC 1) as an access port, assign it to VLAN 10, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] port link-type access

[ACCSW1-GigabitEthernet1/0/1] port access vlan 10

[ACCSW1-GigabitEthernet1/0/1] stp edged-port

[ACCSW1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 (the port connected to PC 2) as an access port, assign it to VLAN 20, and configure it as an edge port.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] port link-type access

[ACCSW1-GigabitEthernet1/0/2] port access vlan 20

[ACCSW1-GigabitEthernet1/0/2] stp edged-port

[ACCSW1-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 10 and VLAN 20.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] port link-type trunk

[ACCSW1-GigabitEthernet1/0/3] port trunk permit vlan 10 20

[ACCSW1-GigabitEthernet1/0/3] quit

# Configure GigabitEthernet 1/0/4 as a trunk port, and assign it to VLAN 10 and VLAN 20.

[ACCSW1] interface gigabitethernet 1/0/4

[ACCSW1-GigabitEthernet1/0/4] port link-type trunk

[ACCSW1-GigabitEthernet1/0/4] port trunk permit vlan 10 20

[ACCSW1-GigabitEthernet1/0/4] quit

# Display information about VLAN 10.

[ACCSW1] display vlan 10

VLAN ID: 10

VLAN type: Static

Route interface: Not configured

Description: VLAN 0010

Name: VLAN 0010

Tagged ports:

GigabitEthernet1/0/3

GigabitEthernet1/0/4

Untagged ports:

GigabitEthernet1/0/1

# Display information about VLAN 20.

[ACCSW1] display vlan 20

VLAN ID: 20

VLAN type: Static

Route interface: Not configured

Description: VLAN 0020

Name: VLAN 0020

Tagged ports:

GigabitEthernet1/0/3

GigabitEthernet1/0/4

Untagged ports:

GigabitEthernet1/0/2

4. Enable BPDU guard globally.

[ACCSW1] stp bpdu-protection

5. Configure DHCP snooping:

# Enable DHCP snooping.

[ACCSW1] dhcp snooping enable

# Configure GigabitEthernet 1/0/3 as a trusted port.

[ACCSW1] interface gigabitethernet 1/0/3

[ACCSW1-GigabitEthernet1/0/3] dhcp snooping trust

[ACCSW1-GigabitEthernet1/0/3] quit

6. Configure IPSG:

# Enable IPv4SG on GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/1

[ACCSW1-GigabitEthernet1/0/1] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/1] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/1] quit

# Enable IPv4SG on GigabitEthernet 1/0/2 and verify the source IPv4 address and MAC address for dynamic IPSG, and enable recording of client information in DHCP snooping entries on the interface.

[ACCSW1] interface gigabitethernet 1/0/2

[ACCSW1-GigabitEthernet1/0/2] ip verify source ip-address mac-address

[ACCSW1-GigabitEthernet1/0/2] dhcp snooping binding record

[ACCSW1-GigabitEthernet1/0/2] quit

7. Save the configuration:

# Save the running configuration on the access switches. This example uses access switch 1.

[ACCSW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Configuring the core switches

The procedure of configuring core switch 1 is similar to the procedure of configuring core switch 2. This section uses core switch 1 as an example. Unless otherwise stated, the configuration of core switch 2 is the same as that of core switch 1.

1. Configure interfaces and VLANs:

# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 100, and VLAN 300.

<Sysname> system-view

[Sysname] sysname CORESW1

[CORESW1] vlan 10 20 30 40 50 100 300

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 10 and VLAN 20.

[CORESW1] interface gigabitethernet 1/0/1

[CORESW1-GigabitEthernet1/0/1] port link-type trunk

[CORESW1-GigabitEthernet1/0/1] port trunk permit vlan 10 20

[CORESW1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/5 as a trunk port, and assign it to VLAN 300.

[CORESW1] interface gigabitethernet 1/0/5

[CORESW1-GigabitEthernet1/0/5] port link-type trunk

[CORESW1-GigabitEthernet1/0/5] port trunk permit vlan 300

[CORESW1-GigabitEthernet1/0/5] quit

# Configure the link type and permit VLANs for other interfaces in a similar way. (Details not shown.)

2. Configure VLAN interfaces:

# Create VLAN-interface 10, and assign IP address 192.168.10.1/24 to it.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10]ip address 192.168.10.1 24

[CORESW1-Vlan-interface10] quit

# Create VLAN-interface 20, and assign IP address 92.168.20.1/24 to it.

[CORESW1] interface vlan-interface 20

[CORESW1-Vlan-interface20]ip address 192.168.20.1 24

[CORESW1-Vlan-interface20] quit

# Create VLAN-interface 100, and assign IP address 172.16.1.1/24 to it.

[CORESW1] interface vlan-interface 100

[CORESW1-Vlan-interface100]ip address 172.16.1.1 24

[CORESW1-Vlan-interface100] quit

# Create VLAN-interface 300, and assign IP address 172.16.3.1/24 to it.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300]ip address 172.16.3.1 24

[CORESW1-Vlan-interface300] quit

# Create other VLAN interfaces and assign IP addresses to them in a similar way. (Details not shown.)

# Display information about VLAN 10.

[CORESW1] display vlan 10

VLAN ID: 10

VLAN type: Static

Route interface: Configured

IPv4 address: 192.168.10.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0010

Name: VLAN 0010

Tagged ports:

GigabitEthernet1/0/1

Untagged ports: None

# Display information about VLAN 20.

[CORESW1] display vlan 20

VLAN ID: 20

VLAN type: Static

Route interface: Configured

IPv4 address: 192.168.20.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0020

Name: VLAN 0020

Tagged ports:

GigabitEthernet1/0/2

Untagged ports: None

# Display information about VLAN 100.

[CORESW1] display vlan 100

VLAN ID: 100

VLAN type: Static

Route interface: Configured

IPv4 address: 172.16.1.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0100

Name: VLAN 0100

Tagged ports: None

Untagged ports: None

# Display information about VLAN 300.

[CORESW1] display vlan 300

VLAN ID: 300

VLAN type: Static

Route interface: Configured

IPv4 address: 172.16.3.1

IPv4 subnet mask: 255.255.255.0

Description: VLAN 0300

Name: VLAN 0300

Tagged ports:

GigabitEthernet1/0/5

Untagged ports: None

3. Configure VRRP:

Use core switch 1 and core switch 2 to form a VRRP group. Core switch 1 operates as the master to process intranet packets. When core switch 1 fails or the upstream link of core switch 1 fails, core switch 2 takes over to process intranet packets.

# On core switch 1, create VRRP group 1 and set its virtual IP address to 172.16.3.10.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# Assign core switch 1 a higher priority than core switch 2 in VRRP group 1, so core switch 1 can become the master.

[CORESW1-Vlan-interface300] vrrp vrid 1 priority 120

# Configure core switch 1 to operate in preemptive mode, so it can become the master whenever it operates correctly. Set the preemption delay to 5000 centiseconds to avoid frequent status switchover.

[CORESW1-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000

[CORESW1-Vlan-interface300] quit

# Create track entry 1 to monitor the upstream link status of GigabitEthernet 1/0/7. When the upstream link fails, the track entry transits to Negative.

[CORESW1] track 1 interface gigabitethernet 1/0/7

[CORESW1-track-1] quit

# Configure the VFs in VRRP group 1 to monitor track entry 1, and decrease their weights by 30 when the track entry transits to Negative.

[CORESW1] interface vlan-interface 300

[CORESW1-Vlan-interface300] vrrp vrid 1 track 1 priority reduced 30

# On core switch 2, create VRRP group 1 and set its virtual IP address to 172.16.3.10.

<Sysname> system-view

[Sysname] sysname CORESW2

[CORESW2] interface vlan-interface 300

[CORESW2-Vlan-interface300] vrrp vrid 1 virtual-ip 172.16.3.10

# Set the priority of core switch 2 to 100 in VRRP group 1.

[CORESW2-Vlan-interface300] vrrp vrid 1 priority 100

# Configure core switch 2 to operate in preemptive mode, and set the preemption delay to 5000 centiseconds.

[CORESW2-Vlan-interface300] vrrp vrid 1 preempt-mode delay 5000

[CORESW2-Vlan-interface300] quit

# Display detailed information about VRRP group 1 on core switch 1.

[CORESW1] display vrrp verbose

IPv4 Virtual Router Information:

Running mode : Standard

Total number of virtual routers : 1

Interface Vlan-interface300

VRID : 1 Adver Timer : 100

Admin Status : Up State : Master

Config Pri : 120 Running Pri : 120

Preempt Mode : Yes Delay Time : 5000

Auth Type : None

Virtual IP : 172.16.3.10

Virtual MAC : 0000-5e00-0101

Master IP : 172.16.3.1

VRRP Track Information:

Track Object : 1 State : Positive Pri Reduced : 30

# Display detailed information about VRRP group 1 on core switch 2.

[CORESW2] display vrrp verbose

IPv4 Virtual Router Information:

Running mode : Standard

Total number of virtual routers : 1

Interface Vlan-interface300

VRID : 1 Adver Timer : 100

Admin Status : Up State : Backup

Config Pri : 100 Running Pri : 100

Preempt Mode : Yes Delay Time : 5000

Become Master : 27810ms left

Auth Type : None

Virtual IP : 172.16.3.10

Virtual MAC : 0000-5e00-0101

Master IP : 172.16.3.1

The output shows that core switch 1 is operating as the master and core switch 2 is operating as the backup in VRRP group 1.

4. Configure the DHCP server feature:

# Enable DHCP.

[CORESW1] dhcp enable

# Create DHCP address pool 1. In this pool, specify network segment 192.168.10.0/24, gateway address 192.168.10.1, DNS server address 202.101.100.199, set the lease duration to 30 days, and bind IP address 192.168.10.254/24 to the printer.

[CORESW1] dhcp server ip-pool 1

[CORESW1-dhcp-pool-1] network 192.168.10.0 mask 255.255.255.0

[CORESW1-dhcp-pool-1] gateway-list 192.168.10.1

[CORESW1-dhcp-pool-1] dns-list 202.101.100.199

[CORESW1-dhcp-pool-1] expired day 30

[CORESW1-dhcp-pool-1] static-bind ip-address 192.168.10.254 24 client-identifier aabb-cccc-dd

[CORESW1-dhcp-pool-1] quit

# Create DHCP address pool 2. In this pool, specify network segment 192.168.20.0/24, gateway address 192.168.20.1, DNS server address 202.101.100.199, and set the lease duration to 30 days.

# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 192.168.10.0/24.

[CORESW1] dhcp server ip-pool 2

[CORESW1-dhcp-pool-2] network 192.168.20.0 mask 255.255.255.0

[CORESW1-dhcp-pool-2] gateway-list 192.168.20.1

[CORESW1-dhcp-pool-2] dns-list 202.101.100.199

[CORESW1-dhcp-pool-2] expired day 30

[CORESW1-dhcp-pool-2] quit

# Enable the DHCP server on VLAN-interface 10, and apply DHCP address pool 1 to VLAN-interface 10.

[CORESW1] interface vlan-interface 10

[CORESW1-Vlan-interface10] dhcp select server

[CORESW1-Vlan-interface10] dhcp server apply ip-pool 1

[CORESW1-Vlan-interface10] quit

# Enable the DHCP server on VLAN-interface 20, and apply DHCP address pool 2 to VLAN-interface 10.

[CORESW1 interface vlan-interface 20

[CORESW1-Vlan-interface20] dhcp select server

[CORESW1-Vlan-interface20] dhcp server apply ip-pool 2

[CORESW1-Vlan-interface20] quit

# Display DHCP address pool information.

[CORESW1] display dhcp server pool

Pool name: 1

Network: 192.168.10.0 mask 255.255.255.0

expired 30 0 0 0

gateway-list 192.168.10.1

static bindings:

ip-address 192.168.10.254 mask 255.255.255.0

client-identifier aabb-cccc-dd

Pool name: 2

Network: 192.168.20.0 mask 255.255.255.0

expired 30 0 0 0

gateway-list 192.168.20.1

5. Configure OSPF:

# Configure OSPF on core switch 1.

[CORESW1] ospf 100 router-id 2.2.2.2

[CORESW1-ospf-100] area 0

[CORESW1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255

[CORESW1-ospf-100-area-0.0.0.0] quit

[CORESW1-ospf-100] quit

# Configure OSPF on core switch 2.

[CORESW2] ospf 100 router-id 3.3.3.3

[CORESW2-ospf-100] area 0

[CORESW2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255

[CORESW2-ospf-100-area-0.0.0.0] quit

[CORESW2-ospf-100] quit

# Display OSPF neighbor information on core switch 1.

[CORESW1] display ospf peer

OSPF Process 100 with Router ID 2.2.2.2

Neighbor Brief Information

Area: 0.0.0.0

Router ID Address Pri Dead-Time State Interface

3.3.3.3 172.16.3.2 1 33 Full/DR Vlan300

# Display OSPF neighbor information on core switch 2.

[CORESW2] display ospf peer

OSPF Process 100 with Router ID 3.3.3.3

Neighbor Brief Information

Area: 0.0.0.0

Router ID Address Pri Dead-Time State Interface

2.2.2.2 172.16.3.1 1 36 Full/BDR Vlan300

6. Save the configuration:

# Save the running configuration on the core switches. This example uses core switch CORESW1.

[CORESW1] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Configuring the egress router

1. Assign IP addresses to the public network interfaces and the internal network interface:

# Assign IP addresses to internet network interfaces.

[Router] interface GigabitEthernet 0/1

[Router-GigabitEthernet0/1] ip address 172.16.1.2 24

[Router-GigabitEthernet0/1] quit

[Router] interface GigabitEthernet 0/2

[Router-GigabitEthernet0/2] ip address 172.16.2.2 24

[Router-GigabitEthernet0/2] quit

# Assign an IP address to the public network interface.

[Router] interface GigabitEthernet 0/0

[Router-GigabitEthernet0/0] ip address 202.101.100.2 30

[Router-GigabitEthernet0/0] quit

2. Configure packet filtering:

# Configure ACL 2000.

[Router] acl basic 2000

[Router-acl-ipv4-basic-2000] rule permit source 192.168.10.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 192.168.20.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.1.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.2.0 0.0.0.255

[Router-acl-ipv4-basic-2000] rule permit source 172.16.3.0 0.0.0.255

[Router-acl-ipv4-basic-2000] quit

# Apply ACL 2000 to GigabitEthernet 0/1 and GigabitEthernet 1/0/2 to filter incoming packets.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] packet-filter 2000 inbound

[Router-GigabitEthernet0/1] quit

[Router] interface gigabitethernet 0/2

[Router-GigabitEthernet0/2] packet-filter 2000 inbound

[Router-GigabitEthernet0/2] quit

# Set the packet filtering default action to deny.

[Router] packet-filter default deny

# Display configuration and match statistics for ACL 2000.

[Router] display acl 2000

Basic IPv4 ACL 2000, 5 rules,

ACL's step is 5, start ID is 0

rule 0 permit source 192.168.10.0 0.0.0.255

rule 5 permit source 192.168.20.0 0.0.0.255

rule 10 permit source 172.16.1.0 0.0.0.255

rule 15 permit source 172.16.2.0 0.0.0.255

rule 20 permit source 172.16.3.0 0.0.0.255

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/1.

[Router] display packet-filter interface gigabitethernet 0/1 inbound

Interface: GigabitEthernet0/1

Inbound policy:

IPv4 ACL 2000

# Display ACL application information for inbound packet filtering on GigabitEthernet 0/2.

[Router] display packet-filter interface gigabitethernet 0/2 inbound

Interface: GigabitEthernet0/2

Inbound policy:

IPv4 ACL 2000

3. Configure OSPF:

# Configure a default static route, whose next hop address is 202.101.100.1 (the public network gateway address).

[Router] ip route-static 0.0.0.0 0.0.0.0 202.101.100.1

# Configure OSPF and redistribute a default route into the OSPF routing domain.

[Router] ospf 10 router-id 1.1.1.1

[Router-ospf-10] default-route-advertise always

[Router-ospf-10] area 0

[Router-ospf-10-area-0.0.0.0] network 172.16.1.0 0.0.0.255

[Router-ospf-10-area-0.0.0.0] network 172.16.2.0 0.0.0.255

[Router-ospf-10-area-0.0.0.0] quit

[Router-ospf-10] quit

# Display OSPF neighbor information on the egress router.

[Router] display ospf peer

OSPF Process 100 with Router ID 1.1.1.1

Neighbor Brief Information

Area: 0.0.0.0

Router ID Address Pri Dead-Time State Interface

2.2.2.2 172.16.1.1 1 31 Full/DR GE0/1

3.3.3.3 172.16.2.1 1 39 Full/BDR GE0/2

# Display OSPF neighbor information on core switch 1.

[CORESW1] display ospf routing

OSPF Process 100 with Router ID 2.2.2.2

Routing Table

Topology base (MTID 0)

Routing for network

Destination Cost Type NextHop AdvRouter Area

172.16.1.0/24 1 Transit 0.0.0.0 2.2.2.2 0.0.0.0

172.16.2.0/24 2 Transit 172.16.3.2 1.1.1.1 0.0.0.0

172.16.2.0/24 2 Transit 172.16.1.2 1.1.1.1 0.0.0.0

172.16.3.0/24 1 Transit 0.0.0.0 3.3.3.3 0.0.0.0

Routing for ASEs

Destination Cost Type Tag NextHop AdvRouter

0.0.0.0/0 1 Type2 1 172.16.1.2 1.1.1.1

Total nets: 5

Intra area: 4 Inter area: 0 ASE: 1 NSSA: 0

# Display OSPF neighbor information on core switch 2.

[CORESW2] display ospf routing

OSPF Process 100 with Router ID 3.3.3.3

Routing Table

Topology base (MTID 0)

Routing for network

Destination Cost Type NextHop AdvRouter Area

172.16.1.0/24 2 Transit 172.16.3.1 2.2.2.2 0.0.0.0

172.16.1.0/24 2 Transit 172.16.2.2 2.2.2.2 0.0.0.0

172.16.2.0/24 1 Transit 0.0.0.0 1.1.1.1 0.0.0.0

172.16.3.0/24 1 Transit 0.0.0.0 3.3.3.3 0.0.0.0

Routing for ASEs

Destination Cost Type Tag NextHop AdvRouter

0.0.0.0/0 1 Type2 1 172.16.2.2 1.1.1.1

Total nets: 5

Intra area: 4 Inter area: 0 ASE: 1 NSSA: 0

4. Configure DNS:

# Specify DNS server IPv4 address 202.101.100.199.

[Router] dns server 202.101.100.199

# Enable DNS proxy.

[Router] dns proxy enable

5. Configure per-IP-address rate limiting:

# Configure CAR lists.

[Router] qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

[Router] qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

[Router] qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

[Router] qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# Configure CAR-list-based traffic policing.

[Router] interface gigabitethernet 0/1

[Router-GigabitEthernet0/1] qos car inbound carl 1 cir 512

[Router-GigabitEthernet0/1] qos car inbound carl 2 cir 512

[Router-GigabitEthernet0/1] qos car outbound carl 3 cir 512

[Router-GigabitEthernet0/1] qos car outbound carl 4 cir 512

[Router-GigabitEthernet0/1] quit

[Router] interface gigabitethernet 0/2

[Router-GigabitEthernet0/2] qos car inbound carl 1 cir 512

[Router-GigabitEthernet0/2] qos car inbound carl 2 cir 512

[Router-GigabitEthernet0/2] qos car outbound carl 3 cir 512

[Router-GigabitEthernet0/2] qos car outbound carl 4 cir 512

[Router-GigabitEthernet0/2] quit

# Display CAR list information.

[Router] display qos carl

List Rules

1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

# Display CAR configuration and statistics on GigabitEthernet 0/1.

[Router] display qos car interface gigabitethernet 0/1

Interface: GigabitEthernet0/1

Direction: inbound

Rule: If-match carl 1

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Rule: If-match carl 2

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Direction: outbound

Rule: If-match carl 3

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Rule: If-match carl 4

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

# Display CAR configuration and statistics on GigabitEthernet 0/2.

[Router] display qos car interface gigabitethernet 0/2

Interface: GigabitEthernet0/2

Direction: inbound

Rule: If-match carl 1

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Rule: If-match carl 2

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Direction: outbound

Rule: If-match carl 3

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

Rule: If-match carl 4

CIR 512 (kbps), CBS 32000 (Bytes), EBS 0 (Bytes)

Green action : pass

Yellow action : pass

Red action : discard

Green packets : 0 (Packets), 0 (Bytes)

Yellow packets: 0 (Packets), 0 (Bytes)

Red packets : 0 (Packets), 0 (Bytes)

6. Save the configuration:

# Save the running configuration on the egress router.

[Router] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Verifying the configuration

1. Verify that two PCs in the same department can ping each other.

# Use PC 1 in VLAN 10 to ping another PC in this VLAN.

<PC1> ping 192.168.10.83

Ping 192.168.10.83 (192.168.10.83): 56 data bytes, press CTRL+C to break

56 bytes from 192.168.10.83: icmp_seq=0 ttl=255 time=1.328 ms

56 bytes from 192.168.10.83: icmp_seq=1 ttl=255 time=0.808 ms

56 bytes from 192.168.10.83: icmp_seq=2 ttl=255 time=0.832 ms

56 bytes from 192.168.10.83: icmp_seq=3 ttl=255 time=0.904 ms

56 bytes from 192.168.10.83: icmp_seq=4 ttl=255 time=0.787 ms

--- Ping statistics for 192.168.10.83 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.787/0.932/1.328/0.202 ms

2. Verify that two PCs in different departments can ping each other.

# Use PC 1 in VLAN 10 to ping a PC in a different VLAN.

<PC1> ping 192.168.20.5

Ping 192.168.20.5 (192.168.20.5): 56 data bytes, press CTRL+C to break

56 bytes from 192.168.20.5: icmp_seq=0 ttl=255 time=69.146 ms

56 bytes from 192.168.20.5: icmp_seq=1 ttl=255 time=1.735 ms

56 bytes from 192.168.20.5: icmp_seq=2 ttl=255 time=1.356 ms

56 bytes from 192.168.20.5: icmp_seq=3 ttl=255 time=1.302 ms

56 bytes from 192.168.20.5: icmp_seq=4 ttl=255 time=1.379 ms

--- Ping statistics for 192.168.20.5 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.302/14.984/69.146/27.082 ms

3. Verify that a PC in each department can ping the external network.

# Use PC 1 in VLAN 10 to ping the public network gateway address. (Details not shown.)

Configuration files

Access switch ACCSW1

sysname ACCSW1

telnet server enable

dhcp snooping enable

vlan 5

vlan 10

vlan 20

stp bpdu-protection

interface Vlan-interface5

ip address 10.10.1.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port access vlan 10

stp edged-port

ip verify source ip-address mac-address

dhcp snooping binding record

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 20

stp edged-port

ip verify source ip-address mac-address

dhcp snooping binding record

interface GigabitEthernet1/0/3

port link-mode bridge

port link-type trunk

port trunk permit vlan 10 20

dhcp snooping trust

interface GigabitEthernet1/0/4

port link-mode bridge

port link-type trunk

port trunk permit vlan 10 20

interface Ten-GigabitEthernet1/0/10

port link-mode bridge

port access vlan 5

line vty 0 63

authentication-mode scheme

local-user admin class manage

password hash $h$6$ZJSf20ub4uEzjy2F$cXW3O3Jt5Ci21ECze7w2MdRpLebMaE4vXBo59frUrIZs+Knxw76oNBu+HiB0zqkTfrnw1Phe0rSRa5d+OSIIbg==

service-type telnet

authorization-attribute user-role network-admin

authorization-attribute user-role network-operator

Access switches ACCSW2, ACCSW3, ACCSW4

The configuration files of access switches ACCSW2, ACCSW3, and ACCSW4 are the same as that of ACCSW1 except the VLAN IDs, management VLAN interface address, and interface numbers. (Details not shown.)

Core switch CORESW1

sysname CORESW1

track 1 interface GigabitEthernet1/0/7

ospf 100 router-id 3.3.3.3

area 0.0.0.0

network 172.16.1.0 0.0.0.255

network 172.16.3.0 0.0.0.255

network 192.168.10.0 0.0.0.255

network 192.168.20.0 0.0.0.255

dhcp enable

vlan 10

vlan 20

vlan 30

vlan 40

vlan 50

vlan 100

vlan 300

ftth

dhcp server ip-pool 1

gateway-list 192.168.10.1

network 192.168.10.0 mask 255.255.255.0

dns-list 202.101.100.199

expired day 30

static-bind ip-address 192.168.10.254 mask 255.255.255.0 client-identifier aabb-cccc-dd

dhcp server ip-pool 2

gateway-list 192.168.20.1

network 192.168.20.0 mask 255.255.255.0

dns-list 202.101.100.199

expired day 30

interface Vlan-interface10

ip address 192.168.10.1 255.255.255.0

interface Vlan-interface20

ip address 192.168.20.1 255.255.255.0

interface Vlan-interface100

ip address 172.16.1.1 255.255.255.0

interface Vlan-interface300

ip address 172.16.3.1 255.255.255.0

vrrp vrid 1 virtual-ip 172.16.3.10

vrrp vrid 1 priority 120

vrrp vrid 1 preempt-mode delay 5000

vrrp vrid 1 track 1 priority reduced 30

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 10

interface GigabitEthernet1/0/2

port link-mode bridge

port link-type trunk

port trunk permit vlan 20

interface GigabitEthernet1/0/5

port link-mode bridge

port link-type trunk

port trunk permit vlan 300

Core switch CORESW2

The configuration file of core switch CORESW2 is the same as that of CORESW1 except the VLAN IDs, interface numbers, OSPF router ID, and VRRP group 1's priority. (Details not shown.)

Egress router

sysname Router

packet-filter default deny

qos carl 1 source-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

qos carl 2 source-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

qos carl 3 destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address shared-bandwidth

qos carl 4 destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address shared-bandwidth

ospf 10 router-id 1.1.1.1

default-route-advertise always

area 0.0.0.0

network 172.16.1.0 0.0.0.255

network 172.16.2.0 0.0.0.255

dns proxy enable

dns server 202.101.100.199

interface GigabitEthernet0/1

port link-mode route

ip address 172.16.1.2 255.255.255.0

packet-filter 2000 inbound

qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

interface GigabitEthernet0/2

port link-mode route

ip address 172.16.2.2 255.255.255.0

packet-filter 2000 inbound

qos car inbound carl 1 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car inbound carl 2 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car outbound carl 3 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

qos car outbound carl 4 cir 512 cbs 32000 ebs 0 green pass red discard yellow pass

interface GigabitEthernet0/0

port link-mode route

ip address 202.101.100.2 255.255.255.252

ip route-static 0.0.0.0 0 202.101.100.1

acl basic 2000

rule 0 permit source 192.168.10.0 0.0.0.255

rule 5 permit source 192.168.20.0 0.0.0.255

rule 10 permit source 172.16.1.0 0.0.0.255

rule 15 permit source 172.16.2.0 0.0.0.255

rule 20 permit source 172.16.3.0 0.0.0.255

H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101

Deploying a small-sized campus network

Configuring the core switch

Access switch ACCSW1

Access switch ACCSW2

Core switch CORESW1

Egress router

Analysis and data preparation

Verifying the configuration

Access switch ACCSW1

Access switches ACCSW2, ACCSW3, ACCSW4

Core switch CORESW1

Core switch CORESW2

Egress router

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us