HCDA v1.6 En

Feb 10, 2018
Page 1: HCDA v1.6 En

7/22/2019 HCDA v1.6 En

http://slidepdf.com/reader/full/hcda-v16-en 1/682

HCDA-HNTD

HC Series HUAWEI TECHNOLOGIES 1

Huawei Certification

HCDA-HNTD

Huawei Networking Technology and Device

Huawei Technologies Co.,Ltd


Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The information in this document is subject to change without notice.

Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Certification

HCDA-HNTD Huawei Networking Technology and Device

Edition 1.6


Huawei Certification System

Relying on its strong technical and professional training system, and addressing customers at different levels of ICT technology, Huawei certification is committed to providing customers with authentic, professional certification.

Based on the characteristics of ICT technologies and customers' needs at different levels, Huawei certification provides customers with a certification system of four levels.

HCDA (Huawei Certification Datacom Associate) is aimed primarily at IP network maintenance engineers and anyone else who wants to learn IP networking. HCDA certification covers TCP/IP basics, routing, switching and other foundational knowledge of IP networks, together with Huawei communications products, the characteristics of the Versatile Routing Platform (VRP) and basic maintenance.

HCDP-Enterprise (Huawei Certification Datacom Professional-Enterprise) is aimed at enterprise-class network maintenance engineers, network design engineers, and anyone else who wants an in-depth grasp of routing, switching, network adjustment and optimization technologies. HCDP-Enterprise consists of IESN (Implement Enterprise Switch Network), IERN (Implement Enterprise Routing Network), and IENP (Improving Enterprise Network Performance), which cover the principles of advanced IPv4 routing and switching technology, IP network security, high availability and QoS, as well as their implementation on Huawei products.

HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is designed to give engineers command of a variety of IP network technologies and proficiency in maintenance, diagnostics and troubleshooting of Huawei products, equipping them with competence in planning, design and optimization of large-scale IP networks.


Foreword

Outline

This book is about the Huawei Certified Datacom Associate certification. It is intended for students who want to prepare for the HCDA exam, or who want to learn about TCP/IP protocol stacks, routers, switches, WANs and Ethernet, and how to configure and use them on the VRP.

Content

The guide contains a total of six modules, starting from the basic knowledge of

data communications, the guide introduces the fields of routing, switching, WAN,

firewall and other basic knowledge, as well as configuration and implementation

using the VRP platform.

Module 1 systematically introduces the IP network infrastructure, TCP/IP four-layer

model to help the reader to establish the basic framework of the data

communications network. In highlighting functions and roles of the network layer,

transport layer and application layer ,this module helps readers to master the

functions and roles of communication networks in a variety of products.

Module 2 describes the basics and operation of the Huawei Versatile Routing Platform (VRP) and then progresses to the basics of routing protocols, static

routing and dynamic routing protocols. This module helps readers understand the

principles and the basic process of data communication by highlighting RIP and

OSPF, two IGP routing protocols.

Module 3 introduces the popular Ethernet technology, how Ethernet equipment works, and the technologies most used in the LAN, such as VLAN, STP and VRRP, to help readers improve their LAN planning abilities.

Module 4 briefly describes the basic principles of WAN technologies such as HDLC, PPP and Frame Relay, and their configuration and implementation on the VRP, to help readers master WAN technologies and implement them flexibly.

Module 5 briefly describes the types of firewall technologies and their development, the performance and basic functions of the Huawei Eudemon series firewalls, and their implementation on the VRP, to help readers understand and lay out the network security policy.

Module 6 briefly describes hardware features, positioning and networking

applications of Huawei routers and switches. Through studying this part, readers

will develop a comprehensive understanding of Huawei data communications

products.


The guide enables the readers to master step by step from the basis of data

communication to routing, switching, WAN, network security technologies, and

Huawei products. Readers can also read selectively according to their own

circumstances.

Readers’ Knowledge Background

This course is a basic course of Huawei certification; the reader should have a basic networking background.


Icons Used in This Book

(Icon legend; the icon images themselves are not reproduced in this transcript.) IPv6 Router, SOHO Router, Voice Router, Low-end Router, Core Router, Hub, Convergence Switch, Core Switch, Edge Switch, Cascade Switch, AP, AP Amplifier, Wireless Bridge, Wireless Network Card, Access Server, Audio Gateway, Firewall, Internet Telephony, Socket Switch, High-end Router


Table of Contents


Module 1 Network Fundamentals ... Page 9

HC110110000 - IP Network Fundamental ... Page 11

HC110110001 - TCP/IP Basis ... Page 44

HC110110003 - Protocols of Transport Layer ... Page 80

HC110110004 - Introduction to Common Application ... Page 98

HC110110002 - IP Addressing and Routing ... Page 113

Module 2 Routing ... Page 151

HC110111000 - VRP Basis and Operation ... Page 153

HC110111001 - Routing Protocol Basis ... Page 187

HC110111002 - Static Route ... Page 212

HC110111003 - Dynamic Routing Protocol Basis ... Page 230

HC110111004 - Distance-vector Routing Protocol ... Page 241

HC110111005 - RIP Routing Protocol ... Page 260

HC110111006 - RIP Troubleshooting ... Page 283

HC110111007 - OSPF Routing Protocol Basis ... Page 310

Module 3 Switching ... Page 335

HC110112000 - Ethernet Overview ... Page 337

HC110112001 - Principle of Ethernet Device ... Page 354

HC110112002 - Ethernet Port Technology ... Page 378

HC110112003 - VLAN Technology Principle and Configuration ... Page 403

HC110112004 - VLAN Routing ... Page 423

HC110112005 - STP Principle and Configuration ... Page 442

HC110112006 - VRRP Principle and Configuration ... Page 472

Module 4 WAN ... Page 495

HC110113000 - HDLC Principle and Configuration ... Page 497

HC110113001 - PPP Principle and Configuration ... Page 511

HC110113002 - FR Principle and Configuration ... Page 540

Module 5 Network Security - Firewall Product Basis ... Page 575

HC110114000 - Firewall Product Basis ... Page 577

HC110114001 - Eudemon Basic Function and Configuration ... Page 594

Module 6 Product ... Page 627

HC110115000 - Huawei NE40E-X Series Router Introduction ... Page 629

HC110115001 - AR G3 & Sx7 Brief ... Page 660


Data refers to information in any format. The format used to encode any information must

follow agreed or standard rules before successful communication between a sender and

receiver is possible.

For example, a picture can be broken down into a number of dots referred to as pixels; each pixel can then be represented by a number, which can then be encoded ready for transmission. The format used to encode the image data by the sender must be understood by the receiver to enable it to decode and rebuild the picture.

Common types of data that can be encoded for transmission include text, numbers, pictures, audio, and video. Many standard ways of encoding the different types of data exist.

Data communication is the process of exchanging data between two devices through a

transmission medium, such as a wired or wireless network.


 A simple data communication system consists of a message, a sender, a receiver, a

(transfer) medium, and a protocol.

Message:

 A message contains information that needs to be communicated. This could be text,

numbers, a picture, sound, or video which will be encoded and transmitted as one or more

messages.

Sender:

The sender is a device or system that transmits the message; this could be a PC, a workstation, a server, or a mobile phone.

Receiver:

The receiver is a device or system that receives the message; this could be a PC, a workstation, a server, a mobile phone, or a television.

Medium:

The medium is a physical or logical connection between the sender and the receiver which

is capable of carrying the message. Typical types of medium are twisted pair cable, coaxial

cable, optical fiber and radio wave.

Protocol:

The protocol is the set of rules that controls the way in which data is exchanged. The protocol does not necessarily define what the original data is or how it is encoded, just how it should be exchanged by two communicating devices. Protocol rules define such things as the speed at which data is transferred and the size of the data unit that is sent. They also define when a communication session starts and ends. These rules can be likened to the rules which define the way we talk to each other or read and write: without such rules, even if we use the same language, we cannot communicate.


There are three different ways in which two devices can communicate in data networking:

Simplex communication:

Simplex communication is in one direction only. One device can only send messages; the other can only receive them. For example, a keyboard is a device which only sends data and a monitor is a device that can only receive data; both use simplex communication.

Half-duplex communication:

Half-duplex communication is two-way, but only one device can be sending at any time; the other must be receiving. Both devices are capable of sending and receiving, but communication can only be in one direction at a time. Two-way radios, such as those used by police and taxis, work in half-duplex mode.

Full-duplex communication:

Full-duplex communication is two-way and concurrent: both devices can send and receive messages at the same time. A motorway is full duplex, as traffic is able to travel in both directions at the same time. Telephony networks are also full duplex, although most humans can only either talk or listen, not do both at the same time.

Huawei Networking Technology and Device Module 1 Part 1 IP Network Fundamental


 A network is any group of people, things or places that are interconnected in some way.

Networks exist everywhere in our life, we have road, rail, telephone and postal networks

which we use on a daily basis.

A computer network consists of two or more computers and peripherals which are interconnected by communication lines.

The computers in a network can easily exchange and share information and resources.

Computer networks were developed to meet increasing requirements for exchanging

information and sharing resources.

In early computer networks , each computer was an independent device, there was little

or no communication between systems.

 As computer and communication technologies evolved, communication between different

systems was made possible.

Standard protocols understood by different systems made sharing resources and data possible and improved resource utilisation.


In recent years computer networks have developed rapidly. Computer communication networks and the Internet have become a basic part of society. Computer networks are applied in many fields of industry and commerce, including e-banking, e-commerce, modern enterprise management, and information services. From remote education to government routines to today's e-communities, none of them can work without network technology. The saying "the network exists everywhere in the world" is not an exaggeration.

Computer networks came into being in the 1960s. At that time a network was a host-based, low-speed serial connection providing program execution, remote printing, and data services. IBM's System Network Architecture (SNA) and the X.25 public data network are networks of this kind. In the 1960s the US Department of Defense funded a packet-switching network called ARPANET, which was the earliest precursor of the Internet.

In the 1970s the commercial computing model featuring personal computers came forth. Initially, personal computers were used as independent devices. Because of the complexity of commercial computing, many terminal devices needed to cooperate, and so the local area network (LAN) was developed. The LAN reduced expenditure on printers and disks dramatically.

In the 1980s and 1990s, to deal with the increasing demand for remote computing, the computer industry developed many wide area network protocols (including TCP/IP and IPX/SPX). The Internet then expanded fast. Nowadays TCP/IP is used extensively on the Internet.


The topology defines the organization of devices in a network. A LAN can adopt

various topologies, such as the bus topology and star topology.

In the bus topology, all devices are connected to a linear network medium, which is called the bus. When a node transmits data in a network adopting the bus topology, the data reaches all nodes. Each node checks the data: if the data is not addressed to this node, the node discards it; if the data is addressed to this node, the node accepts it and passes it to the upper-layer protocol. A typical bus topology has a simple layout of lines. Such a layout uses short network media, and thus the expense on cables is low. However, this topology makes it difficult to diagnose and isolate faults: once a fault occurs, the entire network is affected. In addition, each device in the LAN sends data to all the other devices, which consumes a large amount of bandwidth and lowers network performance. Note also that, because every frame physically reaches every node, the "discard if not addressed to me" check is made by the receiving node itself; a node that chooses not to discard can read all traffic on the bus.

In the star topology, devices are connected to a central control point. A device communicates with another device through the point-to-point connection between it and the hub or switch. The star topology is easy to design and install, because network media simply connect the hub or switch to the workstations. The star topology is easy to maintain, because the network can be easily modified and network faults can be easily located. The star topology is extensively used in LAN construction. Of course, the star topology has its weaknesses. If the central control device becomes faulty, a single point of failure occurs. In addition, each network medium (cable) can connect only one device, so a large amount of network media is needed and the LAN installation cost increases.


These topologies are logical structures and are not necessarily related to the

physical structure of devices. For example, logical bus and ring topologies usually

adopt the physical star structure. A WAN usually adopts the star, tree, full-mesh, or partial-mesh topology.


The Internet is a large network formed by networks and devices. Based on the

covered geographic scope, networks are classified into LAN, WAN, and

Metropolitan Area Network (MAN) whose size is between the LAN and WAN.

Local Area Network (LAN)

A LAN is formed by connected communication devices in a small area. A LAN covers a room, a building, or an industrial park; at most it spans several kilometers. It is a combination of computers, printers, modems, and other devices interconnected through various media within several kilometers.

Wide Area Network (WAN)

A WAN covers a larger geographic scope, such as a state or a continent. It provides data communication services over a large area and is used to connect LANs. The China Packet Network (CHINAPAC), China Digital Data Network (CHINADDN), China Education and Research Network (CERNET), CHINANET, and China Next Generation Internet (CNGI) are all WANs. A WAN connects LANs that are far from each other.


A LAN is formed by interconnected communication devices in a small area, such as a room, a building, or a campus. In general, a LAN covers at most several kilometers. A LAN is characterized by short distance, low delay, high data transmission speed, and high reliability.

Common LANs are Ethernet and Asynchronous Transfer Mode (ATM). They differ in topology, transmission speed, and data format. Ethernet is the most widely used LAN.

The following network devices are used in LAN construction:

Cables: A LAN is extended by cables. Various cables are used in LANs, for example fiber, twisted pair, and coaxial cable.

Network Interface Card (NIC): A NIC is inserted in a slot on the computer's main board. It transforms data into the format that other network devices can recognize and transmits it over the network medium.

Hub: A hub is a shared device that provides many network interfaces to connect computers in the network. The hub is called a shared device because all its interfaces share one bus. Only one interface can transmit at any one time, so the data volume and speed available to each user (interface) depend on the number of active users (interfaces). Because the bus is shared, every frame entering a hub is repeated on every other interface, so any attached host can observe all traffic passing through the hub.

Switch: also called a switching hub. A switch also provides many interfaces to connect network nodes, but its performance is much higher than that of a shared hub. It can be considered to have many buses, so that devices connected to each interface can transmit data independently without affecting other devices. For users, the interfaces are independent of each other and have fixed bandwidth. In addition, a switch has some functions that a hub lacks, such as data filtering, network segmentation, and broadcast control.
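The bus topology described earlier (every node sees every frame and discards what is not addressed to it) and the hub-versus-switch distinction above can both be made concrete with a small simulation. The following Python example is added here and is not code from the Huawei course; the host MAC addresses, port assignments and frames are constructed for illustration. It models a hub that repeats every frame on all other ports, and a learning switch that records the source MAC per port and forwards unicast only to the learned port while still flooding broadcast and unknown-unicast frames, then reports what a host on a third port would observe in each case.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str


class Hub:
    """Shared-medium device: a frame entering one port is repeated on every
    other port, exactly like a node transmitting on a bus."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Each port is its own segment. The switch learns which MAC sits behind
    which port from the source address of every frame and uses that table to
    filter unicast traffic; broadcast and unknown unicast are still flooded."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC -> port on which it was last seen

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port          # learning step
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood
        out_port = self.mac_table[frame.dst]
        return [] if out_port == in_port else [out_port]     # filter


def run_scenario(device, hosts, frames):
    """hosts maps MAC -> port. Returns {MAC: [payloads]}: everything a
    sniffer running on that host would see on its own port."""
    port_to_hosts = defaultdict(list)
    for mac, port in hosts.items():
        port_to_hosts[port].append(mac)
    seen = {mac: [] for mac in hosts}
    for frame in frames:
        for out_port in device.forward(hosts[frame.src], frame):
            for mac in port_to_hosts[out_port]:
                seen[mac].append(frame.payload)
    return seen


# Constructed sample topology (not from the course): A on port 1, B on port 2,
# and C on port 3, which only listens.
A = "aa:aa:aa:aa:aa:01"
B = "bb:bb:bb:bb:bb:02"
C = "cc:cc:cc:cc:cc:03"
HOSTS = {A: 1, B: 2, C: 3}
FRAMES = [
    Frame(A, B, "A->B hello"),          # B not yet learned: switch floods
    Frame(B, A, "B->A reply"),          # A already learned: port 1 only
    Frame(A, B, "A->B secret"),         # B learned now: port 2 only
    Frame(A, BROADCAST, "A->all arp"),  # broadcast always floods
]


def hub_view():
    return run_scenario(Hub([1, 2, 3]), HOSTS, FRAMES)


def switch_view():
    return run_scenario(LearningSwitch([1, 2, 3]), HOSTS, FRAMES)


if __name__ == "__main__":
    for name, view in (("hub", hub_view()), ("switch", switch_view())):
        print(name)
        for mac, payloads in view.items():
            print(f"  {mac} sees {payloads}")
```

Running it shows that host C sees every frame through the hub, including "A->B secret", but through the switch only the flooded frames (the first, unknown-unicast frame and the broadcast). That is the "data filtering" the text mentions; it is a forwarding optimisation driven by the learned MAC table, not an access-control boundary, so a host on a switched LAN still sees every frame that is flooded.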


Router: A router is a network device used to connect networks. A router works at the third layer (network layer) of the OSI model and is used to route, store, and forward packets between networks. Generally, a router supports two or more network protocols so that it can connect different types of networks. A router can also run dynamic routing protocols to route packets dynamically.


A WAN covers a larger geographic scope, such as a state or a continent. The China Packet Network (CHINAPAC), China Digital Data Network (CHINADDN), China Education and Research Network (CERNET), CHINANET, and China Next Generation Internet (CNGI) are all WANs.

A WAN connects LANs that are far from each other. It consists of the end systems (users at the two ends) and the communication system (the link between the two ends). The communication system is the key part of the WAN, and it falls into the following types:

Integrated Services Digital Network (ISDN): a dial-up connection mode. An ISDN BRI provides 2B+D channels. Each B channel provides 64 kbit/s, so the highest speed is 128 kbit/s. ISDN PRI has two standards: the European standard (30B+D) and the North American standard (23B+D). ISDN uses digital data transmission, which features fast connection setup and high reliability. Two devices on the ISDN can identify each other's number. The call cost of ISDN is higher than that of the ordinary telephone network, but the two-channel structure supports two independent connections. ISDN is applicable to individual subscribers or small offices.

Leased line: called DDN in China. It is a point-to-point connection that transmits data at speeds from 64 kbit/s to 2.048 Mbit/s. A leased line guarantees data transmission and provides constant bandwidth, but the cost is high and the point-to-point structure is not very flexible.

X.25: a WAN type that appeared early and is still in extensive use. It transmits data at speeds from 9600 bit/s to 2 Mbit/s. X.25 adopts a redundant mode and is fault tolerant, so it features high reliability, but the transmission speed is low and the delay is high.


Frame Relay: a comparatively newer technology developed on the basis of X.25. The transmission speed is between 64 kbit/s and 2.048 Mbit/s. Frame Relay is flexible: it implements point-to-multipoint connections. In addition, FR can transmit data at a speed that exceeds the Committed Information Rate (CIR) when a large amount of data needs to be transmitted, so it allows a certain amount of burst traffic. For these reasons, FR is a good choice for business subscribers.

Asynchronous Transfer Mode (ATM): a cell-switched network that features high speed, low delay, and guaranteed transmission quality. Most ATM networks use fiber as the connection medium. Fiber provides high speeds of over 1 Gbit/s, but the cost is also high. ATM is also a WAN protocol.


The WAN operates over a larger scope than the LAN. In the WAN, network access is implemented through various serial connections. Generally, enterprise networks are connected to the local ISP through WAN lines. The WAN provides both full-time and part-time connections. In the WAN, serial interfaces can work at different speeds.

The following devices are used in the WAN:

Router: In the WAN, messages are sent to the destination according to the address. The process of finding the transmission path is called routing. A router sends data to the destination by establishing routes between WANs and LANs according to their address information.

Modem: As the device used to transform signals between the end system and the communication system, a modem is an indispensable device in a WAN. Modems are classified into synchronous and asynchronous modems. A synchronous modem is connected to a synchronous serial interface and is used on leased lines, Frame Relay, and X.25. An asynchronous modem is connected to an asynchronous serial interface and is used on the PSTN.


ARPAnet solved the problem of network robustness: that is, if a device fault or link fault occurs, data transmission must still be possible between any two nodes that remain physically connected. Because of this high self-healing ability, ARPAnet met wartime requirements. It originated from the Defense Advanced Research Projects Agency (DARPA).

In 1985, the National Science Foundation (NSF) established NSFnet. NSF established a WAN consisting of regional networks and connected these regional networks to its supercomputer centers. In June 1990, NSFnet took the place of ARPAnet and became the backbone network of the Internet. Owing to NSFnet, the Internet became open to the public, whereas before it had been used only by computer science researchers and governments.

The second leap of the Internet is attributed to its commercialization in the early 1990s. As soon as commercial organizations entered the world of the Internet, they found its great potential in communications, information searching, and customer service. Numerous enterprises around the world then swarmed onto the Internet, which resulted in a new leap for it.

In 1995, NSFnet came to an end and was replaced by a new Internet backbone operated by multiple private companies.


Currently, the Internet is not a simple hierarchy; instead, it is formed by many WANs and LANs connected by connecting devices and switching devices. End users are connected to the Internet through the service provided by Internet service providers (ISPs). ISPs are classified into international service providers, national service providers, regional ISPs, and local ISPs.

International service provider

An international service provider connects networks of different countries.

National service provider (NSP)

A national service provider operates backbone networks that are built and maintained by professional companies. These backbone networks are connected by complex switching facilities (usually operated by a third party) so that end users can be connected to the backbone network. The switching facilities are called network access points (NAPs). NAPs transmit data at a high speed.

Regional ISP

A regional ISP is a small ISP connected to one or more NSPs. Regional ISPs transmit data at a lower speed.

Local ISP

A local ISP provides service to end users. A local ISP is connected to a regional ISP or an NSP. Most end users are connected to local ISPs.

NAP

A NAP connects backbone networks. It is usually a complex switching facility operated by a third party.


A network protocol is a set of formats and conventions stipulated and observed by the communicating parties so that devices in different computer networks can communicate. A network protocol is the standardized description of a series of rules and conventions; it defines how network devices exchange information. Network protocols are the basis of the computer network. Only devices that comply with the relevant network protocols (the laws for interconnected devices in the network) can communicate with each other. Any device that does not comply with the network protocol cannot communicate with other devices.

What is a protocol? Take the telegraph, for example. Before sending a telegram, the two parties must define its transmission format: for example, what signal indicates the start, what signal indicates the end, how to handle errors, and how to express the name and address of the sender. The predefined format and conventions are a protocol.

Network protocols include the Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange/Sequenced Packet Exchange (Novell IPX/SPX), and IBM System Network Architecture (SNA). The most widely used protocol is the TCP/IP stack, which has become the standard protocol of the Internet.

A standard is a set of rules and procedures that is either widely adopted or defined by a government body. A standard describes the stipulations of a protocol and sets the minimum set of functions required to guarantee network communication. IEEE 802.X is the dominant LAN standard.

Many international standardization organizations have made great contributions to the development of computer networking. They unify network standards so that devices from different vendors can communicate with each other. The following organizations have contributed to the development of computer networks.

International Organization for Standardization (ISO)

ISO stipulates standards for large-scale networks, including the Internet. ISO put forward the OSI model, which describes the working mechanism of a network. The OSI model is a comprehensible and clear hierarchical model of the computer network.

Institute of Electrical and Electronics Engineers (IEEE)

IEEE defines standards for network hardware so that hardware from different vendors can interoperate. The IEEE LAN standards are the dominant standards for LANs. IEEE defines the 802.X protocol suite: 802.3 is the standard for Ethernet; 802.4 is the standard for the token bus network; 802.5 is the standard for token ring; 802.11 is the standard for the wireless local area network (WLAN).

American National Standards Institute (ANSI)

ANSI is an organization formed voluntarily by companies, government bodies and other members. ANSI defines the standard for the Fiber Distributed Data Interface (FDDI).

Electronic Industries Association/Telecommunications Industry Association (EIA/TIA)

EIA/TIA define the standards for network cables and interfaces, for example RS-232, CAT5, HSSI and V.24, and the standard for structured cabling, for example EIA/TIA-568B.

International Telecommunication Union (ITU)

ITU defines the standards for telecom networks used as WANs, for example X.25 and Frame Relay.

Internet Engineering Task Force (IETF)

Founded at the end of 1985, the IETF is responsible for researching and establishing technical specifications related to the Internet. The IETF has become the most authoritative standards body in the global Internet field.

The IETF produces two types of documents: Internet Drafts and RFCs.

RFCs that are used as standards fall into the following types:

Proposed Standards, namely the recommended solutions

Internet Standards, accepted standards that are used by all users and cannot be changed

Best Current Practices, a kind of guideline

IETF standards are called RFCs, which are a series of documents published by the IETF. In the past, RFC stood for Request for Comments; now RFC is only a name without any special meaning. Currently, RFCs are formal documents. There are about 5000 RFCs. The first one, RFC 1 "Host Software", was published on April 7th, 1969.

Many Internet-related protocols, such as IP, OSPF, BGP and MPLS, are defined in RFCs.

A typical IP network is comprised of a backbone network, a metropolitan area network (MAN) and an access network. The backbone network commonly interconnects networks in different countries and cities. The MAN is located between the backbone network and the access network, and is commonly comprised of a backbone layer, a convergence layer and an access layer. The access network is used for terminal user access; it is usually a Layer 2 network below the service access point. Users access the Internet via xDSL, Ethernet and so on.

The target network structure of the IP MAN is divided into:

IP MAN: the service access point (BRAS and service router) and the upper-layer routers that compose the Layer 3 network. The IP MAN is comprised of a backbone layer, a convergence layer and an access layer.

Broadband access network: the Layer 2 access network below the service access point. It is divided into the Layer 2 convergence network and the last-mile access network.

On the service plane, the structure can be divided into a public access network plane and a major-account access network plane.

[Slide figure: group/dedicated-user service identification and differentiated services]
The metropolitan area network (MAN) is located between the backbone network and the access network, and interconnects different areas of a city.

The MAN provides the following services:

Internet access

There are two access modes: dial-up access and private-line access. In dial-up access mode, subscribers have individual service attributes. In private-line access mode, subscribers in the same group have the same service attributes. Asymmetric Digital Subscriber Line (ADSL) and Local Area Network (LAN) technologies are widely used for Internet access services; both support dial-up and private-line access modes.

Virtual private network (VPN)

In recent years, enterprises have had increasing requirements for diversified services, and VPN technology has become more and more popular. A VPN is a private network constructed over a public network infrastructure with the help of Internet service providers (ISPs) and network service providers (NSPs).

Based on the implementation layer, VPNs can be classified into Layer 2 VPN (L2VPN), Layer 3 VPN (L3VPN) and Virtual Private Dial Network (VPDN). A VPDN provides network access to mobile personnel of enterprises and to small ISPs using the dial-up function of the public network and the access network.

The common Internet access modes are ADSL, Ethernet and leased line. Home users usually choose ADSL access, users in residential communities prefer Ethernet access, and enterprise users select leased-line access. Normally, the access network uses Layer 2 devices, such as digital subscriber line access multiplexers (DSLAMs) and Ethernet switches, to provide the access service. The access network does not perform any control on users; it simply sets up Layer 2 connections and transparently carries user traffic to the upper-layer devices. The access network refers to all devices at the access layer.

The access layer uses the broadband remote access server (BRAS) to manage users.

The convergence layer generally uses aggregation routers or Layer 3 switches. The convergence layer aggregates traffic from the BRASs into the MAN devices and forwards this traffic using its routing functions.

The Internet access process is as follows:

1. A user sends an Internet access request. Layer 2 devices in the access network establish a Layer 2 connection and transparently forward the request to the BRAS.

2. The BRAS authenticates and authorizes the user and allocates an IP address to the user. Since the access network applies no control of its own, the BRAS is the first point at which the user's identity is verified.

3. The BRAS routes the user's packets to the devices at the convergence layer, which forward them using their routing functions, giving the user access to the Internet.

VPN services are classified into L3VPN, L2VPN and VPDN services. Here we discuss the most common one, L3VPN. L3VPN has multiple types, such as Internet Protocol Security VPN (IPSec VPN), Generic Routing Encapsulation VPN (GRE VPN) and Border Gateway Protocol/Multiprotocol Label Switching VPN (BGP/MPLS VPN).

The BGP/MPLS VPN model has three parts: customer edge (CE), provider edge (PE) and provider (P).

CE: an edge device on the user network. A CE provides the interfaces that are directly connected to the service provider (SP) network. It can be a router, a switch or a host.

PE: an edge router of the SP. A PE device is directly connected to the CE. On the MPLS network, all VPN operations are performed on the PEs.

P: a backbone router on the SP network. A P device is not directly connected to any CE. The P device forwards MPLS traffic and does not maintain VPN information.

As shown in the figure on this slide, the sites A, B and C of an enterprise private-line user can communicate with each other as if on one LAN by means of the BGP/MPLS VPN network.

Generally, the performance of a backbone network is evaluated using the following indicators:

High reliability

Devices on the backbone network must be stable, which is critical to the stable operation of the entire network. Network architects should therefore design the network architecture properly and develop reliable backup policies so that the network has strong self-healing capabilities.

Flexibility and scalability

To meet future network services, the network must be expandable and upgradable seamlessly, with minimal impact on the existing architecture and devices.

Flat networking

The number of network layers and hops should be minimized to facilitate network management.

Proper planning of quality of service (QoS)

In addition to Internet access, the IP network also carries voice over IP (VoIP), video and key-customer services, which have high requirements on service quality. Support for QoS is therefore one of the necessary conditions for the transition of the IP network into a telecommunications network, and QoS must be properly planned.

Operability and manageability

Centralized monitoring, rights-based management and unified allocation of bandwidth resources are supported, which make the entire network controllable.

Hierarchical plane structure

The hierarchical plane structure is commonly applied in early-stage backbone networks. Currently, most carriers in China use this structure, which is divided into three layers: core backbone layer, core convergence layer and core access layer. The core backbone layer is divided by area; areas are connected in full-mesh or partial-mesh mode to improve network robustness. The core convergence layer adopts dual-homed networking: devices at this layer are dual-uplinked to one area or two areas of the core backbone.

Hierarchical spatial plane structure

In the hierarchical spatial plane structure, the network is divided into layers and planes. Different planes carry different services. Normally, services on two different planes are independent of each other; when one plane fails, the other plane acts as its backup. When designing the network, architects usually design each plane so that it can carry all services. As a network is required to carry multiple services, the hierarchical plane network model stands out with its clear structure, large backup capacity and high security.

Since the 1960s, computer networks have undergone dramatic development. To take the leading position and win a larger share of the communications market, manufacturers competed in promoting their own network architectures and standards, which included IBM's SNA, Novell's IPX/SPX, Apple's AppleTalk, DEC's DECnet and TCP/IP, which remains the most widely used today. These companies enthusiastically pushed software and hardware that used their protocols to the market. All these efforts promoted the fast development of network technology and the prosperity of the network device market. However, networks became more and more complicated due to the lack of compatibility between the various protocols.

To improve network compatibility, the International Organization for Standardization (ISO) developed the Open Systems Interconnection Reference Model (OSI RM), which soon became the model of network communications. ISO followed these principles when designing the OSI reference model:

1. Each layer of the model has its own responsibilities, which makes it stand out as an independent layer.

2. There should be enough layers that functions do not need to overlap, but not so many that the architecture becomes unwieldy.

The OSI reference model has the following advantages:

1. It simplifies network-related operations.

2. It provides compatibility and standard interfaces for systems designed by different institutions.

3. It enables all manufacturers to produce compatible network devices, which facilitates the standardization of networks.

4. It breaks the complex concept of communications down into simpler and smaller problems, which facilitates understanding and operation.

5. It separates the whole network into areas, which guarantees that changes in one area do not affect other areas, so that the network in each area can be updated quickly and independently.

The OSI reference model has seven layers. From bottom to top, they are the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.

The bottom three layers are usually called the lower layers or media layers; they are responsible for transmitting data across the network. Networking devices typically work at the lower layers, and network interconnection is achieved by the cooperation of software and hardware.

Layers 5 to 7 form the upper layers or host layers. The upper layers guarantee that data is transmitted correctly, which is achieved in software.

The functions of each layer of the OSI reference model are as follows:

Physical layer: provides a standardized interface to the physical transmission media, including voltage levels, wire speed and the pin-out of cables.

Data link layer: combines bits into bytes and bytes into frames. Provides access to the media using MAC addresses, and error detection.

Network layer: provides logical addresses that routers use to select a path (path selection).

Transport layer: provides reliable or unreliable data transfer services and error correction through retransmission.

Session layer: establishes, manages and terminates the connections between local and remote applications. The service requests and responses of application programs on different devices form the communication at this layer. RPC, NFS and SQL belong to this layer.

Presentation layer: provides data encoding and translation, making sure that data sent by the application layer of one system can be understood by the application layer of another system.

Application layer: provides network services; it is the layer closest to the user among the seven.

Because the OSI reference model and its protocols are comparatively complicated, they were never widely deployed. TCP/IP, however, has been widely accepted for its openness and simplicity, and the TCP/IP stack has become the mainstream protocol suite of the Internet.

The TCP/IP model also takes a layered structure. The layers are independent of each other but work together closely.

The difference between the TCP/IP model and the OSI reference model is that in the former the presentation layer and the session layer have been merged into the application layer. So the TCP/IP model has only five layers. From bottom to top, they are: physical layer, data link layer, network layer, transport layer and application layer.

Each layer of the TCP/IP model corresponds to different protocols. The TCP/IP protocol stack is a set of communication protocols; the name of the suite comes from two of its most important protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The TCP/IP protocol stack ensures communication between network devices: it is the set of rules that defines how information is delivered across the network.

Each layer of the TCP/IP model uses a protocol data unit (PDU) to exchange information and enable communication between network services. During encapsulation, each successive layer encapsulates the PDU it receives from the layer above. At each stage of the process, the PDU has a different name to reflect its new form.

For example, the transport layer adds a TCP header to the PDU from the upper layer to generate the Layer 4 PDU, which is called a segment. Segments are delivered to the network layer, where they become packets once the IP header is added. The packets are passed to the data link layer, where a data link layer header (and trailer) is added to form frames. Finally, the frames are encoded into a bit stream and transmitted over the network medium. This process, in which data passes down the protocol suite from top to bottom and headers and trailers are added, is called encapsulation.

After encapsulation, the data is transmitted to the receiving device. The receiving device decodes the data to extract the original service data unit and decides how to pass the data up the protocol stack to the appropriate application program. This reverse process is called de-encapsulation. The corresponding layers, or peers, on different devices communicate through encapsulation and de-encapsulation.

As the figure above shows, Host A is communicating with Host B. Host A delivers data from an upper-layer protocol to the transport layer. The transport layer encapsulates the data in a segment and sends it to the network layer, which encapsulates the segment in an IP packet by adding another header, the IP header. Next, the IP packet is sent to the data link layer, where it is encapsulated with a frame header and trailer. The physical layer then transforms the frame into a bit stream and sends it to Host B over the physical cable.

When Host B receives the bit stream, it passes it to its data link layer. The data link layer removes the frame header and trailer and passes the packet up to the network layer. The network layer removes the IP header from the packet and passes the segment to the transport layer. In the same way, the transport layer extracts the original data and delivers it to the top layer, the application layer.

Encapsulation and de-encapsulation are performed layer by layer. Each layer of TCP/IP has to handle data from both its upper and lower layers by adding or removing headers.
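The encapsulation and de-encapsulation described above, as an added example that is not part of the course material: application data is wrapped in a TCP segment, an IPv4 packet and an Ethernet frame, then unwrapped again with the header checks each layer performs. The MAC addresses (using the Huawei 00e0fc prefix quoted later in this chapter), IP addresses and port numbers are made-up sample values, the headers carry no options, and the Ethernet FCS is omitted because the NIC normally computes it. One caveat: the IPv4 and TCP checksums only detect accidental corruption; anyone who can rewrite a packet in transit can recompute them, so they are not an integrity protection.

```python
import struct

# Added example (not from the Huawei course material): build and parse the
# TCP segment / IPv4 packet / Ethernet frame chain with checksum verification.
# Addresses and ports below are made-up sample values.

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and TCP headers.
    Run over a header that already contains its checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Layer 4: prepend a 20-byte TCP header (PSH|ACK, no options)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header borrowed from the IP layer.
    pseudo = ipv4_bytes(src_ip) + ipv4_bytes(dst_ip) + struct.pack("!BBH", 0, IP_PROTO_TCP, 20 + len(payload))
    csum = checksum16(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ipv4_packet(src_ip, dst_ip, segment: bytes) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header (no options) with its checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64,
                      IP_PROTO_TCP, 0, ipv4_bytes(src_ip), ipv4_bytes(dst_ip))
    csum = checksum16(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def ethernet_frame(src_mac, dst_mac, packet: bytes) -> bytes:
    """Layer 2: prepend destination MAC, source MAC and EtherType (FCS omitted)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Strip the headers bottom-up, checking what each layer is meant to check.
    Raises ValueError on a malformed or corrupted frame."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_TYPE_IPV4:
        raise ValueError("unexpected EtherType 0x%04x" % ethertype)
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    if checksum16(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet) or packet[9] != IP_PROTO_TCP:
        raise ValueError("truncated packet or non-TCP protocol")
    segment = packet[ihl:total_len]  # drops any Ethernet padding after the IP payload
    pseudo = packet[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    if checksum16(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "dst_mac": ":".join("%02x" % b for b in frame[:6]),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "payload": segment[data_offset:],
    }


def frame_is_valid(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def demo_frame() -> bytes:
    """Host A sends one segment of application data to Host B (sample values)."""
    data = b"GET / HTTP/1.0\r\n\r\n"
    segment = tcp_segment("10.8.2.48", "10.8.2.1", 40000, 80, 1000, data)
    packet = ipv4_packet("10.8.2.48", "10.8.2.1", segment)
    return ethernet_frame("00:e0:fc:00:00:01", "00:e0:fc:00:00:02", packet)


if __name__ == "__main__":
    frame = demo_frame()
    print(len(frame), "byte frame:", frame.hex())
    print(decapsulate(frame))
```

Run stand-alone, it prints the 72-byte frame and the fields recovered from it. Flipping any byte of the IP header or of the payload makes decapsulate() raise ValueError, which is exactly the corruption check a receiving stack performs before handing data up.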

The main functions of the physical layer are:

• It specifies the media, interface and signaling types.

• It specifies the electrical, mechanical, procedural and functional requirements for activating, maintaining and deactivating a physical link between end systems.

• It specifies characteristics such as voltage, wire speed, maximum transmission distance and pin-out.

The physical layer provides the standards for transmission media and connectors.

Common physical layer standards include IEEE 802.3 for Ethernet, IEEE 802.4 for token bus networks, IEEE 802.5 for token ring networks and the Fiber Distributed Data Interface (FDDI) specified by the X3T9.5 committee of ANSI. Common physical layer standards for WANs include EIA/TIA-232 (RS-232), V.24 and V.35 (developed by the ITU for serial interfaces), and G.703, which defines the physical and electrical characteristics of digital interfaces.

Physical layer media include coaxial cable, twisted pair, optical fiber and wireless radio.

Coaxial cable is an electrical cable with a single round conducting core. Coaxial cable is grouped into thick and thin coaxial cable according to diameter. Thick coaxial cable is more suitable for large LANs since its transmission distance is longer and it is more reliable. Thick coaxial cable does not need to be cut, but a transceiver must be installed for each station. Thin coaxial cable is easy to install and much cheaper, but the cable must be cut, BNC connectors fitted to the two ends, and the ends inserted into a T-shaped connector. So when there are many connectors, reliability suffers.

Twisted pair is the most widely used cable; it is made of pairs of insulated copper wires, about 1 mm in diameter, twisted together. Twisted pair has two types: shielded twisted pair (STP) and unshielded twisted pair (UTP). STP cabling includes metal shielding over each individual pair of copper wires, so it is very capable of keeping electromagnetic and radio-frequency interference at bay. STP is easy to install but comparatively expensive. UTP is easy to install and cheaper, but its resistance to interference is not as strong as that of STP and its transmission distance is shorter.

Optical fiber consists of a glass core and a cladding layer and is immune to electromagnetic interference. Fiber offers high transmission speed and long transmission distance, but is expensive. Optical fiber connectors carry light, so their end faces must be very smooth and free of scratches; fiber connectors are not easy to install.

Wireless radio communicates without physical links. It uses electromagnetic waves at radio frequencies propagating through space, including air and vacuum.

When choosing a physical medium, we should consider all aspects, such as distance, price, bandwidth requirements and the cable types the network devices support.

Repeaters and hubs are devices that work at the physical layer, but with the development of networks they are no longer used as much as in the past. We will not discuss them here.

The data link layer is the first logical layer above the physical layer. It encodes the physical addresses of terminals and helps network devices decide whether to pass data up the protocol stack. Some of its fields also indicate which upper-layer protocol the data should be delivered to, and at the same time it provides functions such as sequencing and flow control.

The data link layer has two sublayers: the Logical Link Control (LLC) sublayer and the Media Access Control (MAC) sublayer.

The LLC sublayer lies between the network layer and the MAC sublayer. It is responsible for identifying protocols and encapsulating data for transmission. The LLC sublayer performs most functions of the data link layer and some functions of the network layer, such as sending and receiving frames. When it sends a frame, it adds the address and CRC to the original data; when it receives a frame, it takes the frame apart and performs address identification and CRC checking. It also provides flow control, frame sequence checking and error recovery. Besides these, it can perform some network functions, including datagram service, virtual links and multiplexing.

The MAC sublayer defines how data is transmitted over physical links. It communicates with the physical layer, specifies physical addresses, network topology and line standards, and performs error notification, in-order delivery and flow control.

Data link layer protocols specify the frame encapsulation at the data link layer. A common data link layer protocol for LANs is IEEE 802.2 LLC.

Common data link layer protocols for WANs include High-level Data Link Control (HDLC), the Point-to-Point Protocol (PPP) and Frame Relay (FR).

HDLC is a bit-oriented synchronous data link layer protocol developed by ISO. HDLC specifies data encapsulation for synchronous serial links using frame characters and a CRC.

PPP is defined in RFC 1661. PPP consists of the Link Control Protocol (LCP), the Network Control Protocols (NCPs) and other PPP extension protocols. PPP is commonly used as the data link layer protocol for connections over synchronous and asynchronous circuits, and it supports multiple network layer protocols. PPP is the default data link layer encapsulation on the serial ports of VRP routers.

FR is an industry-standard protocol and an example of packet-switched technology. FR leaves error correction to the upper layers, which speeds up data transmission.

Ethernet switches are common network devices that work at the data link layer.

Just as every person is given a name for identification, each network device is labeled with a physical address, namely the MAC address. The MAC address of a network device is globally unique. A MAC address consists of 48 binary digits and is usually written as hexadecimal digits for human use. The first six hexadecimal digits (the first three bytes) are assigned to manufacturers by the IEEE, and the last six hexadecimal digits are assigned by the manufacturer itself. For example, the first six hexadecimal digits of the MAC addresses of Huawei products are 0x00e0fc.

A network interface card (NIC) has a fixed MAC address. Most NIC manufacturers burn the MAC address of their products into ROM. When a NIC is initialized, the MAC address in ROM is read into RAM. When you install a new NIC in a computer, the physical address of the computer is replaced by the physical address of the NIC. If you install two NICs in a computer, the computer has two MAC addresses; a network device may therefore have multiple MAC addresses.
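The MAC address layout described above, as an added example that is not part of the course material: the address is split into the IEEE-assigned OUI and the vendor-assigned half, and the two flag bits of the first octet are decoded. SAMPLE_OUI_TABLE is a constructed stand-in for the IEEE registry and contains only the Huawei prefix quoted in the text; the list of source addresses is constructed too. The practical point for a security engineer follows from the text itself: the address the NIC uses is the one loaded into RAM, so a host can put any value it likes in the source field, and a MAC address identifies a sender only as far as you trust that host.

```python
import re

# Added example (not from the Huawei course material): decode a MAC address into
# its OUI and NIC-specific halves plus the I/G and U/L flag bits.
# SAMPLE_OUI_TABLE is a constructed stand-in for the IEEE registry.

SAMPLE_OUI_TABLE = {"00e0fc": "Huawei Technologies"}

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_mac(mac: str) -> dict:
    """Accept 00:e0:fc:12:34:56, 00-E0-FC-12-34-56 or 00e0.fc12.3456 forms."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets = bytes.fromhex(digits)
    canonical = ":".join("%02x" % b for b in octets)
    first = octets[0]
    multicast = bool(first & 0x01)   # I/G bit: group (multicast) address
    local = bool(first & 0x02)       # U/L bit: not assigned by the vendor
    if canonical == BROADCAST:
        vendor = "broadcast"
    elif local:
        vendor = "locally administered (OUI lookup not meaningful)"
    else:
        vendor = SAMPLE_OUI_TABLE.get(digits[:6], "unknown OUI")
    return {
        "canonical": canonical,
        "oui": digits[:6],            # first 3 bytes, assigned by the IEEE
        "nic_specific": digits[6:],   # last 3 bytes, chosen by the vendor
        "multicast": multicast,
        "broadcast": canonical == BROADCAST,
        "locally_administered": local,
        "vendor": vendor,
    }


def is_valid_mac(mac: str) -> bool:
    try:
        parse_mac(mac)
        return True
    except ValueError:
        return False


def suspicious_sources(source_macs) -> list:
    """Flag source addresses that a burned-in, vendor-assigned MAC never produces:
    the group bit set (frames are never sent from a group address) or the
    locally administered bit set (the address was chosen in software)."""
    findings = []
    for mac in source_macs:
        info = parse_mac(mac)
        if info["multicast"]:
            findings.append((info["canonical"], "group bit set in a source address"))
        elif info["locally_administered"]:
            findings.append((info["canonical"], "locally administered address"))
    return findings


if __name__ == "__main__":
    # Constructed sample: source MACs seen on one switch port.
    seen = ["00-E0-FC-12-34-56", "02:00:00:aa:bb:cc", "01:00:5e:00:00:fb", "00e0.fc00.0001"]
    for mac in seen:
        print(parse_mac(mac))
    print(suspicious_sources(seen))
```

Locally administered addresses are legitimate in many places (virtual machines, bonded interfaces, clients that randomize their Wi-Fi MAC), so the second finding is a prompt to look, not proof of spoofing; a group address as a source, on the other hand, is never valid.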

The data link layer ensures that frames are forwarded between devices on the same network, while the network layer is responsible for forwarding packets from source to destination across networks. The functions of the network layer can be summarized as follows:

• Providing logical addresses for transmission across networks.

• Routing: forwarding packets from one network to another.

The router is the common network device that works at the network layer; its main function is forwarding packets between networks. In the figure above, Host A and Host B reside on different networks (links). When the router on the same network as Host A receives a frame from Host A, it analyzes the frame header to confirm that the frame is addressed to itself and then passes the packet up to the network layer. The network layer decides where the packet should go according to the destination address in the network layer header and forwards it to the next hop. The process repeats at each router until the packet is delivered to Host B.

Common network layer protocols include the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP).

IP is the most important of the network layer protocols, and its functions represent the main functions of the network layer: providing logical addresses, routing, and encapsulating and de-encapsulating packets. ICMP, ARP and RARP assist IP in achieving the network layer functions.

ICMP is a management protocol that provides control and error information for IP. ICMP messages are carried in IP packets.

ARP maps an IP address to a hardware address; it is the standard method for finding a host's hardware address when only its network layer address is known.

RARP maps a hardware address to an IP address, that is, it obtains a host's IP address from its hardware address.

The network layer address mentioned here refers to the IP address. The IP address is a logical address rather than a hardware address. A hardware address, such as the MAC address, is burned into the NIC and is used for communication between devices on the same link, whereas the IP address is used for communication between devices on different networks.

An IP address is 4 bytes long and is made up of a network part and a host part. It is usually presented in dotted decimal notation, for example 10.8.2.48.

More information about the IP address will be introduced in later chapters.
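The two network layer jobs named in the preceding pages, logical addressing (the network and host parts of an IP address) and routing (each router checking the destination address and forwarding to the next hop until the packet reaches Host B), as an added example that is not part of the course material. The two-router topology, its interface names, addresses and routes are made-up sample values; the lookup is a plain longest-prefix match, and max_hops plays the role of the IP TTL so that a pair of default routes pointing at each other terminates instead of looping forever.

```python
import ipaddress

# Added example (not from the Huawei course material): network/host split of an
# IPv4 address and longest-prefix-match forwarding across a constructed
# two-router topology. All addresses, interface names and routes are sample values.


def split_address(addr: str, prefixlen: int) -> dict:
    """Separate the network part from the host part of a dotted-decimal address."""
    iface = ipaddress.ip_interface("%s/%d" % (addr, prefixlen))
    net = iface.network
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "host": int(iface.ip) - int(net.network_address),  # host number within the network
        "broadcast": str(net.broadcast_address),
    }


class Router:
    def __init__(self, name: str, interfaces: dict):
        self.name = name
        self.addresses = set()
        self.routes = []  # (network, next_hop or None, outgoing interface)
        for iface, cidr in interfaces.items():
            ip = ipaddress.ip_interface(cidr)
            self.addresses.add(ip.ip)
            self.routes.append((ip.network, None, iface))  # directly connected

    def add_route(self, prefix: str, next_hop: str, interface: str):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop), interface))

    def lookup(self, dst: str):
        """Longest-prefix match: the most specific route containing dst wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return best


def forward_path(routers, start: Router, dst: str, max_hops: int = 16):
    """Repeat the per-router decision from the text until the packet lands on a
    directly connected network. max_hops plays the role of the IP TTL."""
    owner = {addr: r for r in routers for addr in r.addresses}
    hops, current = [start.name], start
    for _ in range(max_hops):
        route = current.lookup(dst)
        if route is None:
            return hops, "no route"
        net, next_hop, iface = route
        if next_hop is None:
            return hops, "delivered on %s %s" % (current.name, iface)
        if next_hop not in owner:
            return hops, "next hop %s unreachable" % next_hop
        current = owner[next_hop]
        hops.append(current.name)
    return hops, "TTL exceeded (routing loop)"


def build_sample_network():
    """Host A (10.8.2.0/24) behind R1, Host B (192.168.5.0/24) behind R2."""
    r1 = Router("R1", {"GE0/0/0": "10.8.2.1/24", "GE0/0/1": "10.0.12.1/30"})
    r2 = Router("R2", {"GE0/0/0": "10.0.12.2/30", "GE0/0/1": "192.168.5.1/24"})
    r1.add_route("192.168.5.0/24", "10.0.12.2", "GE0/0/1")
    r1.add_route("192.168.0.0/16", "10.0.13.2", "GE0/0/2")  # stale, less specific route
    r1.add_route("0.0.0.0/0", "10.0.12.2", "GE0/0/1")
    r2.add_route("10.8.2.0/24", "10.0.12.1", "GE0/0/0")
    r2.add_route("0.0.0.0/0", "10.0.12.1", "GE0/0/0")       # the two defaults point at each other
    return [r1, r2]


if __name__ == "__main__":
    routers = build_sample_network()
    print(split_address("10.8.2.48", 24))
    print(forward_path(routers, routers[0], "192.168.5.20"))  # Host A to Host B
    print(forward_path(routers, routers[0], "192.168.7.9"))   # falls to the stale /16
    print(forward_path(routers, routers[0], "8.8.8.8"))       # bounces between the defaults
```

The 192.168.5.20 lookup on R1 matches three routes (/24, /16 and the default) and the /24 wins, which is why the packet reaches R2; the 192.168.7.9 lookup shows what a stale, more general route does when its next hop no longer exists, and 8.8.8.8 shows why a hop limit is part of the design and not an optimization.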

The transport layer provides transparent transfer of data between hosts. It shields the upper-layer applications from the complexity of communication and is usually responsible for the end-to-end connection. The main functions of the transport layer are:

• Encapsulating data received from the application layer and de-encapsulating data received from the network layer.

• Creating end-to-end connections to transmit data streams.

• Sending data segments from one host to another, performing error recovery and flow control, and ensuring complete data transfer.

• Some transport layer protocols ensure that data is transmitted correctly, which means data is not lost or changed during transmission and packets are received in the same order in which they were sent.

Transport layer protocols mainly include the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).


Although TCP and UDP are both transport layer protocols, the services they provide to the application layer differ greatly.

TCP provides connection-oriented and reliable transmission. Connection-oriented transmission means that applications which use TCP as their transport layer protocol need to create a TCP connection before they exchange data.

TCP provides reliable transmission services to the upper layer through its mechanisms of error detection, verification and reassembly. However, creating the TCP connection and performing these mechanisms bring a lot of extra effort and increase the cost.

UDP does not guarantee reliability or ordering in the way that TCP does. It provides a simpler service without reliability guarantees, which means datagrams may arrive out of order, appear duplicated, or go missing without notice. UDP suits applications that care more about transmission efficiency, such as SNMP and RADIUS. Take SNMP as an example: it monitors networks and sends out warnings from time to time. If SNMP had to create a TCP connection every time it sent a small amount of information, transmission efficiency would undoubtedly suffer. So time-sensitive applications like SNMP and RADIUS often use UDP as their transport layer protocol. Besides this, UDP is also appropriate for applications that are equipped with their own reliability mechanisms.


The main functions of the application layer are:

•Provide user interfaces and deal with specific applications.

•Provide data encryption, decryption, compression and decompression.

•Specify the standards of data presentation.


The application layer has many protocols, and the following protocols may help you use and manage a TCP/IP network.

•File Transfer Protocol (FTP) is used to transfer data from one computer to another over the Internet or through a network. It is often used for interactive user sessions.

•Hypertext Transfer Protocol (HTTP) is a communication protocol used to transfer or convey information on the World Wide Web.

•TELNET is used to transmit data that carries Telnet control information. It provides standards for interacting with terminal devices or terminal processes. Telnet supports end-to-end connections and process-to-process distributed communications.

•Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) are for sending and receiving emails.

•DNS (Domain Name Server) translates a domain name to an IP address and allows decentralized management of domain resources.

•Trivial File Transfer Protocol (TFTP) is a very simple file transfer protocol. TFTP is designed for high-throughput file transfer for ordinary purposes.

•Routing Information Protocol (RIP) is the protocol for routers to exchange routing information through an IP network.

•Simple Network Management Protocol (SNMP) collects network management information and exchanges that information between the network management console and network devices including routers, bridges and servers.

•Remote Authentication Dial In User Service (RADIUS) performs user authorization, authentication and accounting.


To illustrate the encapsulation process, imagine a network whose transport layer uses TCP, whose network layer applies IP and whose data link layer follows Ethernet standards. The above figure shows the encapsulation of a TCP/IP packet on that network.

The original data is encapsulated and delivered to the transport layer. The transport layer then adds a TCP header to the data and passes it down to the network layer. The network layer encapsulates the IP header in front of the segment and delivers it to the data link layer. The data link layer adds the Ethernet header and trailer to the IP packet and then passes it to the physical layer. At last, the physical layer sends the data onto the physical link as a bit stream. The length of each field in the header is pointed out in the above figure.

Now, we'll take a close look at the whole process from the top to the bottom.


The above is a TCP data segment encapsulated in an IP packet. The TCP segment consists of the TCP header and the TCP data. The maximum length of a TCP header is 60 bytes. If there is no Option field, the header is normally 20 bytes long.

The structure of a TCP header is shown in the above figure. We are going to explain just some of its fields. For more details, please refer to the transport layer protocols.

•Source Port: Indicates the source port number. TCP allocates source port numbers for every application.

•Destination Port: Indicates the destination port number.

•Sequence Number: Indicates the sequence number which labels TCP data streams.

•Port number is used to distinguish applications: 80 means the HTTP application, 23 is for Telnet, 20 and 21 for FTP, and 53 for DNS.

•Ack Num: Indicates the acknowledgement sequence number. The value of this field is the sequence number that the sender of the acknowledgement expects to receive next.

•Option: Indicates the optional fields.


The network layer adds the IP header to the TCP segment which it receives from the transport layer. Usually, the IP header has a fixed length of 20 bytes, which does not include the IP options. The IP header consists of the following fields:

•Version: indicates the version of the IP protocol. At present, the version is 4. The version is 6 for the next generation IP protocol.

•IP header length: the number of 32-bit words forming the header, including options. Since it is a 4-bit field, the maximum header length is 60 bytes.

•TOS: 8 bits. It consists of a 3-bit COS (Class of Service) field, a 4-bit TOS field and a 1-bit final bit. The 4 bits of the TOS field indicate the minimum delay, the maximum throughput, the highest reliability and the minimum cost respectively.

•Total length: indicates the length of the whole IP packet including the original data. This field is 16 bits long, which means an IP packet can be 65535 bytes at most. Although an IP packet can be up to 65535 bytes long, most data link layers fragment them before transmission. Furthermore, hosts cannot receive a packet of more than 576 bytes and UDP limits packets to 512 bytes. However, nowadays many applications allow IP datagrams of more than 8192 bytes to go through the links, especially applications that support NFS.

•Identification: identifies every datagram the host sends. The value increases with the number of datagrams the host sends.

•Time to Live (TTL): indicates the number of routers a packet can travel through. The value decreases by one every time the packet passes a router. When the value turns to 0, the packet is discarded.

•Protocol: indicates the next level protocol used in the data portion of the Internet datagram. It is similar to the port number: IP uses the protocol number to mark upper layer protocols. The protocol number of TCP is 6 and the protocol number of UDP is 17.

•Header checksum: the checksum of the IP header, used to check whether the header is intact.

•The source IP address field and the destination IP address field point out the IP addresses of the source and the destination.


The physical layer has limitations on the length of the frame it sends each time. Whenever the network layer receives an IP datagram, it needs to decide which interface the datagram should take and check the MTU of that interface. IP uses a technique called fragmentation to solve the problem of heterogeneous MTUs. When a datagram is longer than the MTU of the network over which it must be sent, it is divided into smaller fragments which are sent separately.

Fragmentation can be done on the source host or on an intermediary router. Fragments of an IP datagram are not reassembled until they arrive at the final destination. The reassembly is performed by the IP layer at the destination.

A datagram can be fragmented more than once. The IP header provides enough information for fragmentation and reassembly.

•Flags: 3 bits, containing the following control bits:

bit 0: reserved, must be 0.

bit 1: (DF) 0 = can be fragmented, 1 = cannot be fragmented.

bit 2: (MF) 0 = last fragment, 1 = more fragments.

The values of DF and MF cannot both be 1 at the same time.

  0   1   2
+---+---+---+
|   | D | M |
| 0 | F | F |
+---+---+---+

•Fragment offset: indicates the position of the fragment within the original datagram. When an IP datagram is fragmented, each fragment becomes a packet with its own IP header and is routed independently of any other datagrams.
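The fragmentation and reassembly rules just described (DF, MF, the fragment offset counted in 8-byte units, reassembly only at the final destination, and a fragment of a fragment keeping MF set) as an added Python example; this is not code from the course or from Huawei. The identification value and payload are constructed, the addresses are the ones from the capture on the following slides, and the header carries no options.

```python
import socket
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when run over a header that already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(payload: bytes, src: str, dst: str, ident: int, df: bool = False,
               mf: bool = False, offset: int = 0, ttl: int = 64, proto: int = 17) -> bytes:
    """20-byte IPv4 header (no options) in front of payload; offset is in bytes and must be a multiple of 8."""
    flags_frag = (((2 if df else 0) | (1 if mf else 0)) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "ttl": ttl, "protocol": proto, "ihl": ihl,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,          # the field counts 8-byte units
            "checksum_ok": ip_checksum(packet[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_len]}

def fragment(packet: bytes, mtu: int) -> list:
    """Split a datagram (or an existing fragment) so every piece fits mtu, as a host or router would."""
    info = parse_ipv4(packet)
    if len(packet) <= mtu:
        return [packet]
    if info["df"]:
        # A router would drop the datagram and report it instead of fragmenting.
        raise ValueError("DF set: datagram may not be fragmented")
    chunk = (mtu - info["ihl"]) // 8 * 8       # payload per fragment, a multiple of 8
    payload, out = info["payload"], []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        # Every piece but the last gets MF; a fragment of a fragment inherits MF from its parent.
        more = info["mf"] or pos + chunk < len(payload)
        out.append(build_ipv4(piece, info["src"], info["dst"], info["id"], mf=more,
                              offset=info["offset"] + pos, ttl=info["ttl"], proto=info["protocol"]))
    return out

def reassemble(fragments: list) -> bytes:
    """Destination-side reassembly keyed on (src, dst, id, protocol); arrival order does not matter."""
    parts = [parse_ipv4(f) for f in fragments]
    if len({(p["src"], p["dst"], p["id"], p["protocol"]) for p in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parts.sort(key=lambda p: p["offset"])
    data, expected = b"", 0
    for p in parts:
        if p["offset"] != expected:
            raise ValueError("hole at offset %d: fragment missing" % expected)
        data += p["payload"]
        expected += len(p["payload"])
    if parts[-1]["mf"]:
        raise ValueError("last fragment (MF=0) missing")
    first = parts[0]
    return build_ipv4(data, first["src"], first["dst"], first["id"], ttl=first["ttl"], proto=first["protocol"])

# Constructed 1300-byte datagram (1280 bytes of payload); the addresses are those of the capture on the slides.
ORIGINAL = build_ipv4(bytes(range(256)) * 5, "192.168.0.123", "202.109.72.70", ident=0x1234)

if __name__ == "__main__":
    frags = fragment(ORIGINAL, mtu=576)
    for f in frags:
        p = parse_ipv4(f)
        print("offset=%4d mf=%d len=%d" % (p["offset"], p["mf"], len(f)))
    print("reassembled matches original:", reassemble(frags[::-1]) == ORIGINAL)
```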


The Ethernet header is made up of three fields:

•DMAC: indicates the MAC address of the destination.

•SMAC: indicates the MAC address of the source.

•LENGTH/TYPE: its meaning varies with its value. When the value is bigger than 1500, it indicates the frame type, that is, the upper layer protocol type. The common protocol types are:

  0X0800 IP packets

  0X0806 ARP request/response message

  0X8035 RARP request/response message

When the value is smaller than 1500, it indicates the length of the data frame.

•DATA/PAD: the original data. Ethernet standards specify that the minimum data length should be 46 bytes. If the data is less than 46 bytes, the Pad field is added to fill it.

•FCS: the frame check field.


The above is an example of a captured HTTP packet, which may facilitate your understanding of packet encapsulation. The bottom displays the actual data and the top is the information analyzed by the software.


This page illustrates data encapsulation at the data link layer. The encapsulation format used here is Ethernet, which was mentioned earlier.

The figure above shows DMAC at the top, then SMAC, and the type field is listed at the bottom.

DMAC is 00d0:f838:43cf

SMAC is 0011:5b66:6666

The type field value is 0x0800, which indicates that it is an IP packet.


This page illustrates data encapsulation at the network layer. An IP packet is made up of two parts, the IP header and the IP data. As described previously, the IP header consists of many fields. In the above example, the value of the version field is 4, which indicates the packet is an IPv4 packet. The packet header is 20 bytes long. The protocol field is 0x06, which tells us that the encapsulated packet is a TCP packet. The IP address of the source is 192.168.0.123 and the IP address of the destination is 202.109.72.70.


This page illustrates data encapsulation at the transport layer. The transport layer here uses the TCP protocol. The source port number is a random number, 3514, and the destination port number is 80, which is the number assigned to the HTTP protocol. So the datagram is from the source to visit the HTTP service of the destination host.
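The three-layer walkthrough above (Ethernet header, IPv4 header, TCP header) as an added Python decoder; this is not code from the course or from Huawei. The frame is constructed to carry the same MACs, addresses and ports as the capture on the slides; the HTTP payload, sequence numbers, TTL and identification value are made up, and the TCP checksum is left at zero because verifying it needs the pseudo-header, which this block does not cover.

```python
import socket
import struct

# Values the slides attach to these fields: EtherTypes and well-known TCP ports.
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
PORT_NAMES = {80: "HTTP", 23: "Telnet", 20: "FTP-data", 21: "FTP", 53: "DNS"}
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def ip_checksum(data: bytes) -> int:
    """One's-complement checksum; 0 when run over a header whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ethernet(frame: bytes) -> dict:
    dmac, smac, etype = struct.unpack("!6s6sH", frame[:14])
    # Above 1500 the field is a type; at or below 1500 it is the data length.
    kind = ETHERTYPES.get(etype, "unknown type") if etype > 1500 else "length"
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return {"dmac": fmt(dmac), "smac": fmt(smac), "type": etype, "kind": kind, "payload": frame[14:]}

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {"version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "frag_offset": (ff & 0x1FFF) * 8,
            "ttl": ttl, "protocol": proto, "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}

def parse_tcp(seg: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4                      # header length in 32-bit words: 20 to 60 bytes
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return {"sport": sport, "dport": dport, "service": PORT_NAMES.get(dport, "unknown"), "seq": seq,
            "ack": ack, "header_len": doff, "flags": flags, "window": window,
            "options": seg[20:doff], "payload": seg[doff:]}

def decode_frame(frame: bytes) -> tuple:
    """Peel the three headers in the order the receiver's stack does, refusing anything inconsistent."""
    eth = parse_ethernet(frame)
    if eth["kind"] != "IP":
        raise ValueError("not an IP frame: %s" % eth["kind"])
    ip = parse_ipv4(eth["payload"])
    if not ip["checksum_ok"]:
        raise ValueError("IP header checksum mismatch")
    if ip["protocol"] != 6:                           # 6 = TCP, 17 = UDP
        raise ValueError("not TCP (protocol %d)" % ip["protocol"])
    return eth, ip, parse_tcp(ip["payload"])

def build_sample_frame() -> bytes:
    """Constructed frame with the MACs, addresses and ports of the capture on the slides."""
    payload = b"GET / HTTP/1.1\r\nHost: 202.109.72.70\r\n\r\n"          # made-up request
    tcp = struct.pack("!HHIIHHHH", 3514, 80, 0x10000000, 0x20000000, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C2B, 0x4000, 128, 6, 0,
                     socket.inet_aton("192.168.0.123"), socket.inet_aton("202.109.72.70"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = bytes.fromhex("00d0f83843cf") + bytes.fromhex("00115b666666") + struct.pack("!H", 0x0800)
    return eth + ip + tcp

if __name__ == "__main__":
    for layer in decode_frame(build_sample_frame()):
        print({k: v for k, v in layer.items() if k != "payload"})
```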


1. What are the layers of the OSI reference model?

The OSI reference model consists of seven layers, namely, the physical layer, the data link layer, the network layer, the transport layer, the session layer and the application layer.

2. What are the functions of each layer in the TCP/IP protocol stack?

The TCP/IP protocol stack has five layers: the physical layer, the data link layer, the network layer, the transport layer and the application layer. The physical layer specifies the mechanical, electrical and electronic standards for transmission. The data link layer provides controls on the physical layer, detects errors and performs traffic control (optional). The network layer checks the network topology to decide the best route for data transmission. The basic function of the transport layer is to segment the data it receives from the application layer and to combine data segments before it sends the data to the application layer. It builds end-to-end connections to send data segments from one host to the other host. The application layer provides network services for application programs.

3. What is the process of packet encapsulation and de-encapsulation?

De-encapsulation is the reverse process of encapsulation. Encapsulation means to add headers to the original data layer by layer from the top of the protocol stack to the bottom, while de-encapsulation is to strip off those headers from the lower layers to the upper layers.

4. What are the differences between the MAC address and the IP address?

The MAC address is a 48-byte physical address printed on the hardware of a device. The MAC address can't be changed. The IP address is a 32-byte address that works at the network layer, and IP addresses can be changed. IP addresses are grouped into public addresses and private addresses. Public addresses are unique globally, while private addresses can be used repeatedly in different LAN segments.


TCP provides reliable, connection-oriented service for applications.

The reliability of TCP is guaranteed through the following aspects:

Connection-oriented transport: In TCP, before either end of the link begins to transfer data, the connection between the two parties of the link must be established.

MSS: In TCP, it indicates the maximum length of the data packet that could be sent to the other end of the link. After the connection is established, the two parties of the connection should advertise their own MSS, to use the bandwidth resources more efficiently.

Transmission acknowledgement mechanism: In TCP, after a segment is transmitted, a timer is started while waiting for the acknowledgement from the receiver; if the acknowledgement is not received before the timer expires, the segment is retransmitted.

Header and data checksum: TCP maintains a checksum of the header and data, which is an end-to-end check. Its purpose is to detect alteration of the data during the transmission procedure. If there is an error in the segment checksum, this segment is discarded by the TCP receiver and no acknowledgement is replied. Hence, the TCP retransmission mechanism is started.

Flow control: Both ends of the TCP connection have a buffer with fixed space. Only an amount of data less than the size of the receiver's buffer could be sent by the sender. This mechanism prevents the situation in which the buffer is overloaded because of the speed difference between two hosts.


TCP uses IP as the network layer protocol, and the TCP segment is encapsulated into the IP packet.

A TCP segment is made up of two parts, the TCP header and the TCP data. If there is no option field, the header length is 20 bytes.

The TCP header includes the fields shown in the slide. Here are some explanations of some fields:

16-bit source port number: TCP allocates a source port number for the source application.

16-bit destination port number: the port number of the destination application.

Source and destination port: every TCP segment includes the source and destination port numbers, used to find the sending and receiving applications. Using these two numbers, together with the source and destination IP addresses of the IP header, a unique TCP connection can be identified.

Sequence Number is a 32-bit number that identifies where the encapsulated data fits within the data stream from the sender.

Acknowledgment Number is a 32-bit field that identifies the sequence number the source next expects to receive from the destination. The Acknowledgement Number is the last data sequence number plus one.


4-bit header length: indicates the length of the TCP header in 32-bit words.

Window Size is a 16-bit field used for flow control. It indicates the number of bytes the receiver expects to receive. Because this field is 16 bits, the maximum window size is 65535 bytes.

Checksum is 16 bits, covering both the header and the encapsulated data, allowing error detection.


TCP is a full-duplex transmission protocol which is reliable and connection-oriented. The reliability of TCP is guaranteed by several methods. One of them is to establish the connection before sending any data.

The TCP connection is established through the three-way handshake procedure:

1. The requesting end (or client) sends a SYN segment, indicating the client's expectation to connect to the port of the server, with Initial Sequence Number (ISN) “a”.

2. The server replies with a SYN with sequence number “b”. At the same time, the acknowledgement number is set to “a+1” to acknowledge the SYN packet of the client.

3. The client sends the acknowledgement packet with acknowledgement number set to “b+1” to acknowledge the SYN packet of the server. The TCP connection is then established.


As mentioned before, TCP is a full-duplex transport layer protocol. Full-duplex means that the two ends of the connection can transmit or receive data at the same time. Thus, the two parties must terminate the connection individually.

The TCP connection is established through the three-way handshake procedure, while the TCP connection is terminated through the four-way handshake procedure:

1. The requesting end (or client) sends a FIN segment, indicating the client's expectation to terminate the connection, with initial sequence number “a”.

2. The server sets the acknowledgement number to “a+1” to acknowledge the FIN packet of the client.

3. The server then sends its own FIN segment with sequence number “b” and acknowledgement number “a+1”.

4. The client sends the acknowledgement packet with acknowledgement number set to “b+1”.

The TCP connection is then terminated.
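The three-way handshake and the four-way termination described on these two slides as an added Python state model; this is not code from the course or from Huawei. The ISNs a=1000 and b=5000 are constructed, the two endpoints talk through an in-process "wire", and retransmission timers and RST handling are left out. The FIN segments carry an ACK as well, which is how step 3 above gets its acknowledgement number a+1.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0

@dataclass
class Endpoint:
    name: str
    isn: int                      # Initial Sequence Number ("a" for the client, "b" for the server)
    state: str = "CLOSED"
    snd_nxt: int = 0              # next sequence number we will send
    rcv_nxt: int = 0              # next sequence number we expect, i.e. our acknowledgement number
    seen: list = field(default_factory=list)

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer: str) -> Segment:
        """Handshake step 1: SYN with sequence number a. The SYN itself consumes one sequence number."""
        self.snd_nxt = self.isn + 1
        self.state = "SYN_SENT"
        return Segment(self.name, peer, frozenset({"SYN"}), self.isn)

    def close(self, peer: str) -> Segment:
        """Termination step 1 (active close) or step 3 (the passive side's own FIN). FIN also consumes one number."""
        fin_seq = self.snd_nxt
        self.snd_nxt += 1
        self.state = "FIN_WAIT_1" if self.state == "ESTABLISHED" else "LAST_ACK"
        return Segment(self.name, peer, frozenset({"FIN", "ACK"}), fin_seq, self.rcv_nxt)

    def receive(self, seg: Segment):
        """Process one incoming segment and return the reply to send, or None."""
        self.seen.append((self.state, sorted(seg.flags), seg.seq, seg.ack))
        f = seg.flags
        if self.state == "LISTEN" and f == {"SYN"}:
            # Step 2: SYN with our own ISN b, acknowledging a+1.
            self.rcv_nxt, self.snd_nxt, self.state = seg.seq + 1, self.isn + 1, "SYN_RCVD"
            return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}), self.isn, self.rcv_nxt)
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:
                raise ValueError("SYN/ACK acknowledges %d, expected %d" % (seg.ack, self.snd_nxt))
            # Step 3: plain ACK of b+1; the connection is up on our side.
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return Segment(self.name, seg.src, frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt)
        if "FIN" in f and self.state in ("ESTABLISHED", "FIN_WAIT_2"):
            # Termination step 2 (we are the passive side) or step 4 (the peer's FIN after our own FIN was acked).
            self.rcv_nxt = seg.seq + 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return Segment(self.name, seg.src, frozenset({"ACK"}), self.snd_nxt, self.rcv_nxt)
        if f == {"ACK"} and seg.ack == self.snd_nxt:
            self.state = {"SYN_RCVD": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2",
                          "LAST_ACK": "CLOSED"}.get(self.state, self.state)
        return None   # anything else is ignored in this model

def run_connection(client_isn: int = 1000, server_isn: int = 5000):
    """Drive a full open and close; returns both endpoints and the segments that crossed the wire."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    server.listen()
    wire = []

    def deliver(seg):
        if seg is None:
            return None
        wire.append(seg)
        return (server if seg.dst == "server" else client).receive(seg)

    deliver(deliver(deliver(client.connect("server"))))      # SYN a, SYN b / ACK a+1, ACK b+1
    deliver(deliver(client.close("server")))                 # FIN, ACK a+1
    deliver(deliver(server.close("client")))                 # FIN b / ACK a+1, ACK b+1
    return client, server, wire

if __name__ == "__main__":
    c, s, wire = run_connection()
    for seg in wire:
        print("%s -> %s %-8s seq=%d ack=%d" % (seg.src, seg.dst, "+".join(sorted(seg.flags)), seg.seq, seg.ack))
    print("client:", c.state, "server:", s.state)
```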


Multiplexing means that the same transport layer connection is used by multiple applications to transmit data. The data is divided into different segments by the transport layer according to the different applications, and the segments are sent based on the FIFO rule. These segments could have the same or different destinations.

Suppose two servers, www.huawei.com and ftp.huawei.com, are sending data packets to a destination host at the same time. The following is the end-to-end communication procedure of the transport layer. When the www and ftp applications are called, the server allocates a port number for every application. (Note: this port number is different from the physical port of network equipment. It is a virtual interface between the application and the transport layer protocol.) The segments are then created.

In the transport layer, a session connection should be established between the server and the host. (Note: it is a virtual connection instead of a physical one.) In order to begin the data transmission, the two applications on the server and the terminal host inform their own operating systems to initialize the connection. After the virtual end-to-end connection is established, the data transmission can begin.

During the transmission procedure, the server and the host continue to communicate using their protocol software, to check whether the data has been correctly received.

After the terminal equipment receives the data flow, it sorts the data so that the transport layer can deliver the data flow to the host correctly.

After the data transmission has finished, the two parties negotiate to terminate the virtual link.


MSS (Maximum Segment Size) indicates the maximum size of segment that could be sent to the other end of the connection. When a connection is established, the two ends should advertise their own MSS. The default value of MSS is 536 bytes, so the allowable length of the IP packet is 576 bytes (536 + 20-byte IP header + 20-byte TCP header).

Through the negotiation of MSS, the network resources can be used more efficiently and the network performance can be improved.


The reliability of TCP is guaranteed by the acknowledgement mechanism, which ensures correct data transmission from the source equipment to the destination. The acknowledgement mechanism works as follows:

When the destination equipment receives the data packets sent by the source equipment, it replies with an acknowledgement to the sender; if the sender receives the acknowledgement, it continues to send data packets. However, if the sender does not receive the acknowledgement after a period of time (a timer is started by the sender when the data is sent), the sender decreases the transmission speed and retransmits the packets in question.

As the slide shows, a virtual end-to-end link is established between the source and destination equipment, and data packets are sent. The source equipment sends 3 data packets (1, 2, 3) to the destination at one time. After the destination equipment receives the data packets, it acknowledges them with the sequence number of the fourth data packet, which is 4.

When the source equipment receives the acknowledgement, it continues to send another three data packets (4, 5, 6). As the example shows, because the destination equipment has not received the fourth data packet correctly, the destination equipment still uses acknowledgement number 4 as the reply. Hence, the fourth data packet is retransmitted by the source equipment. After the destination equipment receives the fourth data packet and acknowledges it with acknowledgement number 7, the next three data packets can be sent.


TCP Sliding Window technology is able to control the data flow between two hosts by dynamically changing the window size. Every TCP/IP host supports full-duplex data transmission, so there are two sliding windows in TCP: one is used for receiving, the other for sending. What's more, TCP uses positive acknowledgement, whose acknowledgement number refers to the next expected byte.

Shown above is an example of sending in a single direction, which introduces how the sliding window achieves flow control.

The server sends the client four 1024-byte segments, and the window size of the sender is 4096 bytes. The receiver acknowledges with ACK 4097 and modifies the window size to 2048 bytes. This means the client (receiver) only has 2048 bytes of buffer space. Therefore, the sender changes its sending speed and sends a 2048-byte segment, which the receiver can afford.

The sliding window mechanism provides a reliable flow control method for data transmission between end-to-end devices. However, the sliding window mechanism only takes effect on the source and destination devices. When there is congestion on intermediate devices (like routers), the sliding window is of no use. Thus the ICMP source quench mechanism could be used in congestion management.
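The cumulative acknowledgement, timeout retransmission and sliding window behaviour of the last two slides as an added Python model; this is not code from the course or from Huawei. It counts bytes rather than packet numbers, using the slide's 1024-byte segments, so segment n begins at byte (n-1)*1024+1 and "ACK 4" on the earlier slide corresponds to ACK 3073 here; the retransmission timer and the network in between are abstracted to plain function calls, and the "2048-byte segment" of the slide becomes two 1024-byte segments.

```python
class Receiver:
    """Receiving side: tracks the next expected byte and the free buffer it advertises as its window."""

    def __init__(self, buffer_size: int):
        self.buffer_size = buffer_size
        self.rcv_nxt = 1              # next byte expected; the slides number data from 1
        self.buffered = 0             # bytes held until the application reads them
        self.waiting = {}             # seq -> length of data that arrived ahead of a gap

    def receive(self, seq: int, length: int) -> None:
        if seq == self.rcv_nxt:                       # in order: advance, then drain anything queued behind it
            self.rcv_nxt += length
            self.buffered += length
            while self.rcv_nxt in self.waiting:
                self.rcv_nxt += self.waiting.pop(self.rcv_nxt)
        elif seq > self.rcv_nxt:                      # beyond a gap: hold it, but never acknowledge past the gap
            self.waiting[seq] = length
            self.buffered += length
        # seq < rcv_nxt is a duplicate of data already delivered: nothing to do

    def application_reads(self, nbytes: int) -> None:
        self.buffered = max(0, self.buffered - nbytes)

    def advertise(self) -> tuple:
        """(ACK number, window): the positive acknowledgement names the next byte wanted."""
        return self.rcv_nxt, self.buffer_size - self.buffered

class Sender:
    """Sending side: sends full segments up to the peer's advertised window and retransmits on timeout."""

    def __init__(self, mss: int = 1024, window: int = 4096):
        self.mss, self.rwnd = mss, window
        self.snd_una = 1              # oldest unacknowledged byte
        self.snd_nxt = 1              # next byte to send
        self.unacked = {}             # seq -> length; each entry conceptually has a timer running

    def send_burst(self) -> list:
        sent = []
        while self.snd_nxt - self.snd_una + self.mss <= self.rwnd:
            sent.append((self.snd_nxt, self.mss))
            self.unacked[self.snd_nxt] = self.mss
            self.snd_nxt += self.mss
        return sent

    def on_ack(self, ack: int, window: int) -> None:
        """Cumulative ACK: everything below ack is done; the window caps what may be in flight."""
        self.rwnd = window
        self.unacked = {s: l for s, l in self.unacked.items() if s + l > ack}
        self.snd_una = max(self.snd_una, ack)

    def retransmit_oldest(self) -> tuple:
        """Timer expiry: resend the segment the repeated ACK keeps pointing at."""
        seq = min(self.unacked)
        return seq, self.unacked[seq]

def acknowledge(sender: Sender, receiver: Receiver, acks: list) -> None:
    ack, window = receiver.advertise()
    acks.append(ack)
    sender.on_ack(ack, window)

def flow_control_demo():
    """Sliding window slide: 4 x 1024 bytes sent, ACK 4097 with window 2048, so only 2048 more bytes go out."""
    s, r = Sender(mss=1024, window=4096), Receiver(buffer_size=4096)
    first = s.send_burst()
    for seq, length in first:
        r.receive(seq, length)
    r.application_reads(2048)                # the application has drained only half of the buffer
    acks = []
    acknowledge(s, r, acks)
    return first, r.advertise(), s.send_burst()

def loss_recovery_demo():
    """Acknowledgement slide: segments 1-3 acked with 4; segment 4 lost; ACK stays 4; retransmit; ACK 7."""
    s, r = Sender(mss=1024, window=3072), Receiver(buffer_size=3072)
    acks = []
    for seq, length in s.send_burst():       # segments 1, 2, 3
        r.receive(seq, length)
    r.application_reads(3072)
    acknowledge(s, r, acks)                  # ACK 3073, i.e. "4"
    burst = s.send_burst()                   # segments 4, 5, 6
    for seq, length in burst[1:]:            # segment 4 is lost in transit
        r.receive(seq, length)
    acknowledge(s, r, acks)                  # duplicate ACK 3073: the gap is still there
    resent = s.retransmit_oldest()
    r.receive(*resent)
    r.application_reads(3072)
    acknowledge(s, r, acks)                  # ACK 6145, i.e. "7"
    return acks, resent, sorted(s.unacked)

if __name__ == "__main__":
    print(flow_control_demo())
    print(loss_recovery_demo())
```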


UDP provides connectionless service for applications, so there is no need to establish a connection before communication takes place between the source and destination, as TCP does. Besides, because UDP is a connectionless transport protocol, it is not necessary to maintain connection state or sending or receiving state. So the server is capable of simultaneously sending the same message to multiple clients.

UDP is suitable for applications that require "best-effort" transmission and whose reliability is provided by the application layer. For example, the RADIUS protocol, which is commonly used in authentication and accounting, and the RIP protocol are both based on UDP.


UDP, like TCP, also uses IP as the network layer protocol. The UDP segment is encapsulated in an IP packet. Since UDP doesn't provide reliable transmission like TCP, its segment format is relatively simple.

The UDP header is made up of the following fields:

16-bit source port number: the source port number allocated to the source application.

16-bit destination port number: the port number of the destination application.

16-bit UDP length: the length of both the UDP header and the UDP data. The minimum value is 8.

16-bit UDP checksum: this field provides the same function as the TCP checksum, but it is optional.
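The four UDP header fields just listed, together with the checksum computed the way RFC 768 specifies it (over an IPv4 pseudo-header of source address, destination address, a zero byte, protocol 17 and the UDP length, followed by the UDP header and data), as an added Python example; this is not code from the course or from Huawei. The ports and payload are constructed and the addresses are those of the capture on the earlier slides; the TCP checksum is computed the same way with protocol 6 in the pseudo-header.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"                                   # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header + data, with the checksum field treated as zero.
    A computed 0 is transmitted as 0xFFFF, because a zero field means 'no checksum'."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    value = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return value or 0xFFFF

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes, with_checksum: bool = True) -> bytes:
    """8-byte header: source port, destination port, length (header + data, minimum 8), checksum."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if with_checksum:
        segment = segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]
    return segment

def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Decode the header and classify the checksum as 'absent' (field is 0), 'ok' or 'bad'."""
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes; got %d" % len(segment))
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field %d inconsistent with %d bytes" % (length, len(segment)))
    if csum == 0:
        status = "absent"                                # sender chose not to compute it (optional over IPv4)
    else:
        status = "ok" if udp_checksum(src_ip, dst_ip, segment[:length]) == csum else "bad"
    return {"sport": sport, "dport": dport, "length": length, "checksum": status, "payload": segment[8:length]}

# Constructed sample: the capture's addresses, the DNS port as destination, and a made-up payload.
SRC, DST = "192.168.0.123", "202.109.72.70"
SAMPLE = build_udp(SRC, DST, 3514, 53, b"constructed payload")

if __name__ == "__main__":
    print(parse_udp(SRC, DST, SAMPLE))
    damaged = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])   # one flipped payload bit
    print(parse_udp(SRC, DST, damaged)["checksum"])
```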


As shown above, the picture compares the TCP protocol with the UDP protocol. The comparison leads to the conclusion that TCP is suitable for high-reliability services, while UDP is suitable for speed-sensitive services.

As UDP provides a connectionless service, it requires the upper layer to provide error detection and retransmission mechanisms.


1. How does TCP establish and terminate a connection?

Connections are established in TCP by means of the three-way handshake procedure. TCP connections are full-duplex; both of the two ends which establish the connection will send their own terminate request and wait for the acknowledgement, so in all there are four steps when terminating a connection.

2. How does TCP provide reliability?

TCP provides transmission reliability by the sequence number and ACK mechanism. By using sequence numbers, the two ends will both clearly know the sending and receiving information of the data segments. The ACK mechanism is able to guarantee transmission reliability, which will ensure the data flow arrives at the destination correctly from the source.

3. What is the purpose of TCP Sliding Window technology?

TCP Sliding Window technology adjusts data transmission between two hosts by dynamically modifying the window size. The Sliding Window mechanism provides a reliable flow control method for data transmission between end-to-end devices.


The ping command is a common way to check the IP connectivity of the network and the connection to a host. The ping command uses a series of Internet Control Message Protocol (ICMP) messages to check whether the destination is reachable, the communication delay, and the packet loss ratio. Ping is a process in which the device sends a request and waits for a response. The device that runs the ping command sends an Echo message to the destination and then waits for a response. If the Echo message reaches the destination and an Echo Reply message is returned to the source within the specified period, the device can ping through to the peer. If the source does not receive the Echo Reply message, the “Request timed out” message is displayed. In this example, the following command is typed on the PC:

ping 1.1.1.1

To test the connectivity, send the Echo message to address 1.1.1.1.

Besides the basic command, the ping command provides various optional parameters, for example -a and -i. -a source-ip-address: sets the source IP address that sends the ICMP Echo Request message. -i interface-type interface-number: sets the interface that sends the ICMP Echo Request message. In this example, the command ping 1.1.1.1 -a 1.1.1.2 can also be used.


ICMP is an important part of the network layer. IP does not provide reliability, so the device cannot obtain network fault information from IP alone. By using ICMP, the device can obtain information about network faults.

ICMP can send error, control and query information. ICMP packets are encapsulated in IP packets, and the value of the protocol field is 1. Some upper layer applications use the ICMP protocol, for example ping and Tracert.


The ICMP packet uses the basic IP header, namely 20 bytes. The ICMP packet is encapsulated in the IP packet. The first 64 bits of the datagram refer to the ICMP packet. Therefore, an ICMP packet consists of an IP packet and the first 64 bits of the datagram.

The ICMP packet consists of the Type, Code, Checksum and unused fields. The formats of the messages vary with the message types. The details are omitted here.

Type: indicates the type of the ICMP message.

Code: within the same ICMP message type, the messages express different contents by using the codes.

For example, the Destination Unreachable message, whose Type value is 3, contains the following four kinds of messages:

0 = net unreachable
1 = host unreachable
2 = protocol unreachable
3 = port unreachable

Checksum: contains 16 bits. This field is not in use and the value is 0.


ICMP defines various message types. The following are commonly used:

0 Echo Reply

3 Destination Unreachable

4 Source Quench

5 Redirect

8 Echo

11 Time Exceeded

12 Parameter Problem

13 Timestamp

14 Timestamp Reply

Some messages are used in pairs. For example, the Echo Reply message is the response to the Echo message. Messages of the same type carry different information. The following describes the message types and formats.
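The Type/Code/Checksum layout and the Destination Unreachable codes described above, worked through in Python as an added example (this is not code from the Huawei course). It builds an Echo message and a type 3 error message, computes the RFC 1071 one's-complement checksum that the Checksum field carries, and parses a message back to its type and code names; the function names and the sample IP datagram are this example's own constructions.

```python
import struct

# ICMP message types listed above (RFC 792 values)
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply",
}
# Codes of the Destination Unreachable message (type 3)
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0 Echo message; the checksum is computed with its field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3 error message: 4 unused bytes (zero), then the offending datagram's
    IP header plus the first 64 bits (8 bytes) of its data."""
    ihl = (original_datagram[0] & 0x0F) * 4   # IP header length in bytes
    quoted = original_datagram[:ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = internet_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Decode Type, Code and Checksum; a valid message sums to zero under the checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code": code,
        "checksum_ok": internet_checksum(msg) == 0,
    }
    if icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    return info


# Constructed sample: a 20-byte IP header (version 4, IHL 5) followed by 16 data bytes.
SAMPLE_DATAGRAM = bytes([0x45]) + bytes(19) + bytes(range(16))

if __name__ == "__main__":
    echo = build_echo_request(0x1234, 1, b"hello")
    print(parse_icmp(echo))
    print(parse_icmp(build_unreachable(3, SAMPLE_DATAGRAM)))
```

A receiver that verifies the checksum before acting on a message (parse_icmp reports checksum_ok) discards corrupted or malformed ICMP rather than reacting to it; the unreachable message length, 8 header bytes plus the 20-byte IP header plus 8 quoted data bytes, is what the "first 64 bits of the datagram" rule above produces.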


Tracert is used to check the path from the source node to the destination node. The TTL value of a packet is decremented by 1 every time the packet traverses a router. When the TTL value becomes 0, the router reports a TTL timeout.

Tracert first sends a packet whose TTL value is 1, so the first hop returns an ICMP error message to notify that the packet cannot be forwarded because the TTL has expired. Then Tracert sends a packet whose TTL is 2, and the second hop returns the same message. Tracert keeps sending such packets until one packet reaches the destination. The packet uses an invalid port number (33434 by default), so the destination host returns an ICMP unreachable message, which tells Tracert that the operation is complete.

Tracert records the source address of each ICMP error message. Thus it can provide the IP addresses of the gateways through which the user packets pass.

Tracert can also be used to test connectivity. When a fault occurs on the network, it can be located according to the path displayed by Tracert.


Ping and Tracert are taken as an example here. The two methods can test whether RTA and interface 3.3.3.3 of RTC can communicate.

As shown in the displayed information, the ping command directly shows whether RTC is reachable, while Tracert shows the forwarding path in detail: the packet reaches 10.1.1.2, then 10.2.2.2, and finally 3.3.3.3. In addition, the tracert command can locate a fault. In this example, if the displayed information is as follows, it indicates that the packet can be sent to next hop 10.1.1.2 but cannot be forwarded by that router; therefore the fault lies between this router and the destination.

[RTA]tracert 3.3.3.3

traceroute to 3.3.3.3(3.3.3.3) 30 hops max,40 bytes packet

1 10.1.1.2 31 ms 31 ms 32 ms

2 * * *
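The TTL mechanism behind the two Tracert outputs above, as an added Python simulation that is not part of the Huawei course material. Each simulated router decrements the TTL and answers with its own address when the TTL reaches 0, the destination answers once a probe reaches its invalid port, and a router that has stopped forwarding produces the "* * *" rows shown above. The Hop, send_probe and tracert names are this example's own; the addresses are the ones in the slide's output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    """One router on the path (constructed for the simulation)."""
    address: str            # address the router answers from
    forwards: bool = True   # False: the router drops what it should forward (the fault case above)
    responds: bool = True   # False: the router never returns ICMP Time Exceeded


def send_probe(path: List[Hop], destination: str, ttl: int) -> Optional[str]:
    """Forward one UDP probe with the given TTL. Returns the source address of the
    ICMP message that comes back, or None when nothing comes back (a timeout)."""
    for hop in path:
        ttl -= 1                               # every router decrements the TTL
        if ttl == 0:
            # TTL expired here: ICMP Time Exceeded from this router, if it answers
            return hop.address if hop.responds else None
        if not hop.forwards:
            return None                        # dropped silently; the probe is lost
    # The probe reached the destination host; the invalid port (33434 by default)
    # makes it answer with ICMP Destination Unreachable (port unreachable).
    return destination


def tracert(path: List[Hop], destination: str, max_hops: int = 30,
            probes: int = 3) -> List[Tuple[int, List[Optional[str]]]]:
    """Send probes with TTL 1, 2, 3, ... until the destination answers or max_hops."""
    rows = []
    for ttl in range(1, max_hops + 1):
        replies = [send_probe(path, destination, ttl) for _ in range(probes)]
        rows.append((ttl, replies))
        if destination in replies:
            break
    return rows


def format_rows(rows) -> str:
    """Render like the router output, with '*' where no reply arrived."""
    return "\n".join(f"{ttl} " + " ".join(r or "*" for r in replies)
                     for ttl, replies in rows)


def last_responding_hop(rows) -> Optional[str]:
    """The last router that still answered: the fault lies beyond it."""
    answered = [r for _, replies in rows for r in replies if r]
    return answered[-1] if answered else None


if __name__ == "__main__":
    healthy = [Hop("10.1.1.2"), Hop("10.2.2.2")]          # RTA -> RTB -> 3.3.3.3
    print(format_rows(tracert(healthy, "3.3.3.3")))
    faulty = [Hop("10.1.1.2", forwards=False), Hop("10.2.2.2")]
    rows = tracert(faulty, "3.3.3.3", max_hops=3)
    print(format_rows(rows))
    print("fault is beyond", last_responding_hop(rows))
```

The simulation does not model round-trip times, only which address (if any) answers each probe, which is the information used to locate the fault in the slide.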


Telnet is used for remote login: the user can log in to a remote server through Telnet. Telnet uses TCP as its transport protocol, with port number 23. The telnet command is as follows:

telnet 192.168.1.22 23

192.168.1.22: IP address of the router acting as the Telnet server.

23: port number. The default value is 23, so it can be omitted. If the port number is not 23, the user must enter the port number. For the detailed operation of Telnet-based access to a device, refer to the basic configuration of VRP.


FTP is an Internet standard for file transfer. It uses two TCP connections to transfer a file: one is the control connection and the other is the data connection. FTP uses different TCP ports depending on the port mode, Port or Passive. In the past, the default client mode was Port. In recent years, Passive mode has been widely used because Port mode is not secure (easy to attack). In Port mode, FTP uses two default port numbers, 20 and 21. Port 20 is used to transfer data, and port 21 is used to transfer commands.

VRP routers can act as either an FTP client or an FTP server. In this example, the PC functions as the FTP client and logs in to the FTP server through FTP. The PC runs the FTP program (that is, the user enters the ftp 1.1.1.1 command). The system displays a login prompt requesting the user name and password, after which the user is logged in.


If the VRP router needs to download a file from a remote server, it can act as the FTP client to access files on the FTP server. Enter ftp followed by the IP address of the remote server in the VRP system view. The user is prompted to enter the user name and password. Then the prompt changes to [FTP], which indicates that the user has logged in successfully.

Get and Put are the two operations performed on files. Get downloads a file from the server, while Put uploads a file to the server. In this example, the get vrpcfg.def vrp1 command means that the client downloads the file vrpcfg.def and saves it locally as vrp1.


To upload a file to the FTP server, use the put command. In this example, the put vrpcfg.def command means that the local file vrpcfg.def is uploaded to the authorized directory of the FTP server with its file name unchanged. The configuration of FTP server software varies from product to product; the details are omitted here.


The Trivial File Transfer Protocol (TFTP) is used when the user needs to transfer files between a server and a client and no complex interaction is required. TFTP uses UDP, with port number 69. The VRP router can act only as a TFTP client, downloading files from a TFTP server.


1. What are the functions of Ping and Tracert?

Both test the connectivity of the network. Ping provides options to satisfy particular test requirements, for example specifying the source IP address and source port. Tracert obtains the forwarding path of packets. Besides, Tracert can also be used to judge the distance to a destination.

2. What is the format of the ICMP packet?

The ICMP packet uses the basic IP header (20 bytes). The packet is encapsulated in the IP packet. The ICMP packet consists of the Type, Code, Checksum, and unused fields. The formats vary with the message types.

3. What is the difference between FTP and TFTP?

FTP is based on TCP, while TFTP is based on UDP. TFTP is a simple file transfer protocol; it is applicable to read-only memory. FTP is designed for file transfer with high throughput. FTP can check the user name and password, while TFTP cannot. The router can act as both an FTP client and an FTP server, while for TFTP it supports only the client.


In the TCP/IP protocol suite, each layer has its own addressing method: the data link layer uses MAC addresses, and the network layer uses IP addresses. Building on the functions of these layers, this course mainly introduces IP addressing at the network layer, as well as packet forwarding between network layer devices, which is the basis for routing.

This chapter introduces layer 3, the network layer, of the TCP/IP protocol suite. The main function of the network layer is achieved through the IP protocol, which includes IP addressing and IP routing.


As the slide shows, this procedure is called encapsulation: data is passed down the TCP/IP protocol stack from the upper layer, and at each layer the corresponding header and trailer are added. After the encapsulated data has been transmitted over the network, the receiving equipment removes the added information and, according to the information in the headers, decides how to deliver the data up the TCP/IP protocol stack to the proper application.

Between the different layers of the TCP/IP model, information is exchanged to ensure communication between network equipment. The unit of information exchanged is the PDU (protocol data unit). The PDU is different at each layer and has a different name. For instance, at the transport layer the PDU of TCP is called a segment; after the segment is passed to the network layer and an IP header is added, the PDU is called a packet. The PDU with a layer 2 header is called a frame. Finally, the frame is processed as bits and transmitted over the network media.


The network layer receives data from the transport layer and adds the source address and destination address to the data. As learned in previous chapters, the data link layer has the physical address (MAC address), which is globally unique. When there is data to be sent, the source network equipment looks up the MAC address of the equipment at the other end and sends the data to it.

However, MAC addresses exist in a flat address space without any address hierarchy, so they are suitable only for communication within the same network segment. Besides, the MAC address is fixed in the hardware and is therefore inflexible. Hence, communication between different networks is usually based on the IP address, which is assigned in software and provides better flexibility.


An IP address is composed of 32 bits, which are divided into four octets, or four bytes.

The IP address can be represented in the following ways:

Dotted decimal format: 10.110.128.111

Binary format: 00001010.01101110.10000000.01101111

Hexadecimal format: 0a.6e.80.6f

Usually, IP addresses are represented in dotted decimal format and seldom in hexadecimal format. The hierarchical scheme for IP addresses is composed of two parts, network and host.

The hierarchical scheme of IP addresses is similar to that of telephone numbering, which is also globally unique. For example, in the telephone number 010-82882484, 010 represents the city code of Beijing, and 82882484 represents a telephone in Beijing city. It is the same for IP addresses: the leading network part of an address represents a network segment, while the trailing host part represents the device in that network segment. By using this hierarchical design for every network layer device, the network can be segmented. This mechanism enables routers to greatly decrease the number of routing table entries and increases routing flexibility.


An IP address contains a network ID, which uniquely identifies a network segment or the aggregation of multiple network segments. The devices in the same network segment use the same network ID. An IP address also contains a host ID, which uniquely identifies a device in the network segment. How are the network ID and the host ID distinguished? The Internet designers classified IP addresses into five classes according to the size of the network, namely class A, class B, class C, class D, and class E.

The network ID of a class A address is the first octet, and the first bit of the first octet is 0. Therefore, the number of valid bits for the network address in a class A address is 8 - 1 = 7. The first octet of a class A address ranges from 1 to 126 (0 and 127 are reserved). For example, 10.1.1.1 and 126.2.4.78 are class A addresses. The host ID of a class A address is the last three octets, namely the last 24 bits. Class A addresses range from 1.0.0.0 to 126.255.255.255. Each class A network can have 2^24 IP addresses.

The network ID of a class B address is the first two octets. The first bit of the first octet is 1 and the second bit is 0. Therefore, the number of valid bits of the class B network address is 16 - 2 = 14. The first octet of a class B address ranges from 128 to 191. For example, 128.1.1.1 and 168.2.4.78 are class B addresses. The host ID of a class B address is the last two octets, namely the last 16 bits. Class B addresses range from 128.0.0.0 to 191.255.255.255. Each class B network can have 2^16 IP addresses.

The network ID of a class C address is the first three octets. The first two bits of the first octet are 11, and the third bit is 0. Therefore, the number of valid bits of the class C network address is 24 - 3 = 21. The first octet of a class C address ranges from 192 to 223. For example, 192.1.1.1 and 220.2.4.78 are class C addresses. The host ID of a class C address is the last octet. Class C addresses range from 192.0.0.0 to 223.255.255.255. Each class C network can have 2^8 = 256 IP addresses.

The first three bits of the first octet of a class D address are 111, and the fourth bit is 0. Therefore, the first octet of a class D address ranges from 224 to 239. Class D addresses are used as multicast addresses. The first octet of a class E address ranges from 240 to 255; class E is reserved for research.

The IP addresses usually used are of class A, class B, and class C. IP addresses are allocated by the International Network Information Center (InterNIC) according to the scale of the organization. Basically, class A addresses are allocated to governments, class B addresses are allocated to medium-sized companies, and class C addresses are allocated to small companies. With the fast development of the Internet and the waste of IP addresses, IP addresses are becoming insufficient.


An IP address uniquely identifies a device in the network. However, some IP addresses cannot be used to identify devices because they are reserved for special purposes.

An IP address whose host ID is all 0s is called a network address. The network address identifies a network segment. For example, class A address 1.0.0.0 and private addresses 10.0.0.0 and 192.168.1.0 are network addresses.

An IP address whose host ID is all 1s is called a broadcast address. A broadcast address identifies all the hosts in a network. For example, 10.255.255.255 and 192.168.1.255 are broadcast addresses. If a router sends a packet to the broadcast address, all the nodes on that network segment receive the packet. An IP address whose network ID is 127 is a loopback address, for example 127.0.0.1, which is usually used for loopback tests. The IP address of all 0s refers to all hosts; on Huawei Quidway routers, IP address 0.0.0.0 specifies the default route. IP address 255.255.255.255 is also a broadcast address, but it stands for all hosts and is used to send packets to all nodes on the local network. Such broadcast packets cannot be forwarded by routers. So within a network segment, some IP addresses cannot be allocated to hosts.

The number of IP addresses that can be allocated can be calculated. For example, in class B network segment 172.16.0.0, an IP address has a 16-bit host ID. There are 2^16 IP addresses on the network segment, of which 172.16.0.0 is the network address and 172.16.255.255 is the broadcast address, so up to 2^16 - 2 IP addresses can be allocated to hosts.

In class C network segment 192.168.1.0, an IP address has an 8-bit host ID. There are 2^8 = 256 IP addresses on the network segment, of which 192.168.1.0 is the network address and 192.168.1.255 is the broadcast address, so up to 254 IP addresses can be allocated to hosts. In general, the number of IP addresses that can be allocated to hosts is calculated as follows: if the IP addresses in the network segment have an n-bit host ID, then the number of IP addresses that can be allocated to hosts is 2^n - 2. A network layer device (such as a router) uses the network address to represent all the hosts on the network segment. Thus the number of entries in the routing table of the router is greatly reduced.


When planning IP addresses, private IP addresses are usually used within a company. Private IP addresses, reserved by InterNIC, can be used freely by companies. Private IP addresses cannot be used to access the Internet directly, because private IP addresses have no corresponding routes on the public network and the same addresses may be in use elsewhere, so they would conflict.

When a user with a private IP address needs access to the Internet, the private IP address must be translated into a public address that the public network can identify, using the Network Address Translation (NAT) technique. InterNIC reserves the following network segments as private IP addresses:

class A: 10.0.0.0-10.255.255.255;

class B: 172.16.0.0-172.31.255.255;

class C: 192.168.0.0-192.168.255.255.

By using private IP addresses, enterprises reduce the cost of buying public addresses, and public IP addresses are conserved.
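The address notations, the class rules, the special addresses (network, broadcast, loopback, all zeros, 255.255.255.255) and the private ranges from the preceding slides, combined in one Python classifier as an added example that is not part of the Huawei course material. The function names (representations, address_class, describe) are this example's own; the class boundaries and reserved ranges are the ones stated above, and the private-range check uses the standard library ipaddress module.

```python
import ipaddress

# Private ranges reserved for intranets (the three blocks listed above)
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def octets_of(addr: str) -> list:
    """Parse dotted decimal into four integers, rejecting malformed input."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    return [int(p) for p in parts]


def int_to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def representations(addr: str) -> dict:
    """The three notations used on the slide: dotted decimal, binary, hexadecimal."""
    o = octets_of(addr)
    return {"dotted": ".".join(str(x) for x in o),
            "binary": ".".join(f"{x:08b}" for x in o),
            "hex": ".".join(f"{x:02x}" for x in o)}


def address_class(first_octet: int) -> str:
    """The class is decided by the leading bits of the first octet."""
    if first_octet < 128:   # 0xxxxxxx
        return "A"
    if first_octet < 192:   # 10xxxxxx
        return "B"
    if first_octet < 224:   # 110xxxxx
        return "C"
    if first_octet < 240:   # 1110xxxx
        return "D"
    return "E"              # 1111xxxx


def describe(addr: str) -> dict:
    """Classify an address and flag the reserved and special cases from the slides."""
    o = octets_of(addr)
    value = int.from_bytes(bytes(o), "big")
    cls = address_class(o[0])
    info = {"class": cls, "special": None, **representations(addr)}
    if value == 0:
        info["special"] = "all zeros (default route on the router)"
    elif value == 0xFFFFFFFF:
        info["special"] = "limited broadcast (not forwarded by routers)"
    elif o[0] == 127:
        info["special"] = "loopback"
    elif cls == "D":
        info["special"] = "multicast"
    elif cls == "E":
        info["special"] = "reserved"
    else:
        net_bits = CLASS_NETWORK_BITS[cls]
        host_bits = 32 - net_bits
        mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
        network = value & mask                       # host ID cleared to all 0s
        broadcast = network | (0xFFFFFFFF >> net_bits)   # host ID set to all 1s
        info.update(network_id=int_to_dotted(network),
                    broadcast=int_to_dotted(broadcast),
                    host_bits=host_bits,
                    assignable_hosts=2 ** host_bits - 2,
                    private=any(ipaddress.ip_address(addr) in b for b in PRIVATE_BLOCKS))
        if value == network:
            info["special"] = "network address (host ID all 0s)"
        elif value == broadcast:
            info["special"] = "directed broadcast (host ID all 1s)"
    return info


if __name__ == "__main__":
    for a in ("10.110.128.111", "126.2.4.78", "172.16.255.255", "192.168.1.0", "224.0.0.5"):
        print(a, describe(a))
```

An address whose "special" entry is not None should not be assigned to a host; an address whose "private" entry is True must not appear as a source on the public Internet without NAT, which is the practical use of such a check in an address plan review or a firewall rule audit.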


Subnet masks are used to distinguish the network bits from the host bits. In a subnet mask, the “1” bits represent the network part and the “0” bits represent the host part. By default, the subnet mask of a class A network in dotted decimal format is 255.0.0.0, the subnet mask of a class B network is 255.255.0.0, and the subnet mask of a class C network is 255.255.255.0.


192.168.1.100 is a standard class C address. The subnet mask is 255.255.255.0. Hence the network address of this IP address is 192.168.1.0.


An IP address is a collection of 32 binary digits, or bits. Every 8 bits corresponds to one decimal number. The decimal counting system is based on the powers of 10: 10^1, 10^2, and so on. The binary counting system is based on the powers of 2: 2^1, 2^2, and so on. In a byte, from the rightmost bit to the leftmost bit, the bit values are 2^0, 2^1, 2^2 ... 2^7. As the slide shows, for this byte, from left to right, the decimal values represented are 2^7 = 128, 2^6 = 64, 2^5 = 32, 2^4 = 16, 2^3 = 8, 2^2 = 4, 2^1 = 2, 2^0 = 1. Their sum is 255. Thus a byte (8 bits) of all “1”s represents 255 in decimal.


As this slide shows, for “11101001”, calculate the decimal value of each bit, then sum them to convert the binary number to its decimal value.


An IP address is a collection of 32 binary digits. It is represented by 4 bytes, each byte composed of 8 binary digits.


An IP network without subnets can be treated externally as a single network, without the outside needing to know what it looks like internally. For example, all routes to addresses 172.16.X.X are considered as going in the same direction, without regard to the third and fourth bytes. This reduces the number of routes in the routing table. However, in this way different subnets cannot be distinguished. Thus all hosts in the network may receive broadcasts for the whole network, which reduces network performance and is inconvenient for network management.

For example, a class B network can contain about 65000 hosts. If the user who applied for the class B address only needs 100 IP addresses, it is a huge waste, since the remaining addresses cannot be used by others. Hence a method is needed to divide this kind of network into several segments and to manage it according to the different sub-networks.


From the point of view of address allocation, a subnet is an extension of a network address. The network administrator can decide the size of the subnet according to the development needs of the organization. Using subnet masks, network devices can determine from an IP address which bits represent the network and which bits represent the host. By using subnets, network addresses are used more efficiently. Externally it is still a single network; internally, however, it is divided into several different subnets. As the slide shows, the network 172.16.0.0 is divided into two network segments:

172.16.4.0 and 172.16.8.0.

If the financial department of a company uses subnet 172.16.4.0 and the engineering department uses subnet 172.16.8.0, routing can be performed according to the destination subnet address, so that broadcast packets of one subnet do not spread to other subnets, which improves overall network performance.


After learning the conversion between binary and decimal, it is easy to understand the corresponding relationship between an IP address and its subnet mask. In this slide, the number of bits in the subnet mask is 8 + 8 + 8 + 4 = 28, which means the number of consecutive “1”s in the network mask is 28, i.e., the network address is 28 bits long. The subnet mask can be written in another way, as “/28”, indicating that the first 28 bits represent the network ID.


As shown in the slide, the IP address and subnet mask are already known. The network address is obtained by the AND operation between the IP address and the subnet mask. The AND operation is defined as 1 & 1 = 1, 1 & 0 = 0, and 0 & 0 = 0. Therefore, the calculation of the AND operation for the example in this slide is as follows:

11000000, 10101000, 00000001, 00000111 (IP address)

& 11111111, 11111111, 11111111, 11110000 (subnet mask)

= 11000000, 10101000, 00000001, 00000000

The result of the calculation is the network address.


The number of hosts is calculated from the subnet mask. First, count how many 0 bits there are in the subnet mask. As shown in the figure above, if there are n 0 bits, then the number of host addresses is 2^n. The number of IP addresses that can be allocated to hosts is 2^n - 2 (subtracting the network address, whose host bits are all 0s, and the broadcast address, whose host bits are all 1s).


This example shows the calculation of the number of hosts.

The subnet mask of a class A address is 255.0.0.0, giving a 24-bit host ID. The subnet mask of a class B address is 255.255.0.0, giving a 16-bit host ID. The subnet mask of a class C address is 255.255.255.0, giving an 8-bit host ID. This example is a class C address. The standard subnet mask leaves an 8-bit host ID, and in this case the first 4 bits of it are also used for the subnet mask. The maximum number of hosts is therefore 2^(8-4).


In this example, the network address is of class C: 201.222.5.0. Suppose 20 subnets are needed, with 5 hosts in every subnet. It is necessary to divide the last byte between subnet and host. The subnet bits determine the number of subnets. In this example, because it is a class C address, there are 8 bits available for subnet and hosts. Since 2^4 < 20 < 2^5, 5 bits are needed for subnets, and the maximum number of subnets that can be provided is 32 (2^5). The 3 bits left are for hosts, and 2^3 = 8; deducting the network address and broadcast address in each subnet gives 8 - 2 = 6 hosts. This meets the network requirements.

Each network segment is as follows:

201.222.5.0~201.222.5.7

201.222.5.8~201.222.5.15

201.222.5.16~201.222.5.23

...

201.222.5.232~201.222.5.239

201.222.5.240~201.222.5.247

201.222.5.248~201.222.5.255


For a class B network, if there are 8 bits for the subnet, then 256 subnets can be provided, and 254 hosts can be included in each subnet.

Subnet bits   Subnet mask       Subnet number   Host number in each subnet
1             255.255.128.0     2               32766
2             255.255.192.0     4               16382
3             255.255.224.0     8               8190
4             255.255.240.0     16              4094
5             255.255.248.0     32              2046
6             255.255.252.0     64              1022
7             255.255.254.0     128             510
8             255.255.255.0     256             254
9             255.255.255.128   512             126
10            255.255.255.192   1024            62
11            255.255.255.224   2048            30
12            255.255.255.240   4096            14
13            255.255.255.248   8192            6
14            255.255.255.252   16384           2


For a class C network, if there are 5 bits for the subnet, then 32 subnets can be provided, and 6 hosts can be included in each subnet.

Subnet bits   Subnet mask       Host number in each subnet   Subnet number
1             255.255.255.128   126                          2
2             255.255.255.192   62                           4
3             255.255.255.224   30                           8
4             255.255.255.240   14                           16
5             255.255.255.248   6                            32
6             255.255.255.252   2                            64
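The subnet arithmetic of the preceding slides (the AND operation, the 2^n - 2 host rule, the 20-subnet class C division and the two class B and class C tables), implemented in Python as an added example that is not part of the Huawei course material. The function names (network_info, split_network, subnet_table) are this example's own; the values it computes are the ones in the slides, and prefix_from_mask rejects a mask whose 1 bits are not contiguous, a configuration error the slides assume away.

```python
import math


def ip_to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(parts), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def mask_from_prefix(prefix: int) -> int:
    """/prefix -> 32-bit mask with `prefix` leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Dotted mask -> prefix length; rejects masks whose 1s are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != mask_from_prefix(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_info(addr: str, mask: str) -> dict:
    """Network address = IP AND mask; broadcast = network OR inverted mask."""
    prefix = prefix_from_mask(mask)
    m = mask_from_prefix(prefix)
    network = ip_to_int(addr) & m
    broadcast = network | (0xFFFFFFFF ^ m)
    host_bits = 32 - prefix
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "prefix": prefix, "host_bits": host_bits,
            "assignable_hosts": max(2 ** host_bits - 2, 0)}   # minus network and broadcast


def subnet_bits_needed(subnet_count: int) -> int:
    """Smallest s with 2**s >= subnet_count (20 subnets need 5 bits, since 2^4 < 20 <= 2^5)."""
    return max(0, math.ceil(math.log2(subnet_count))) if subnet_count > 1 else 0


def split_network(network: str, prefix: int, subnet_bits: int) -> list:
    """Divide network/prefix into 2**subnet_bits equal subnets as (first, last) addresses."""
    new_prefix = prefix + subnet_bits
    if new_prefix > 32:
        raise ValueError("not enough host bits to borrow")
    base = ip_to_int(network) & mask_from_prefix(prefix)
    size = 2 ** (32 - new_prefix)
    return [(int_to_ip(base + i * size), int_to_ip(base + (i + 1) * size - 1))
            for i in range(2 ** subnet_bits)]


def subnet_table(class_prefix: int, max_subnet_bits: int) -> list:
    """Rows of (subnet bits, mask, subnet count, hosts per subnet) for a classful block."""
    rows = []
    for bits in range(1, max_subnet_bits + 1):
        prefix = class_prefix + bits
        rows.append((bits, int_to_ip(mask_from_prefix(prefix)), 2 ** bits,
                     2 ** (32 - prefix) - 2))
    return rows


if __name__ == "__main__":
    print(network_info("192.168.1.7", "255.255.255.240"))      # the AND example above
    bits = subnet_bits_needed(20)                               # class C, 20 subnets x 5 hosts
    for first, last in split_network("201.222.5.0", 24, bits):
        print(f"{first}~{last}")
    for row in subnet_table(16, 14):                            # the class B table above
        print(*row)
```

subnet_table(16, 14) reproduces the class B table and subnet_table(24, 6) the class C table row for row, which is a quick way to check a hand-written address plan against the arithmetic.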


A network can be divided into multiple subnets, each with a unique ID. But the number of hosts in each subnet may differ. If the subnet mask length is fixed, so that the number of IP addresses in every subnet is the same, many IP addresses are wasted. In this case, the variable length subnet mask (VLSM) technique can be used. If a subnet has many nodes, its subnet mask can be shorter: an IP address with a shorter subnet mask represents fewer networks/subnets, but more IP addresses can be allocated to hosts. If a subnet has few nodes, its subnet mask can be longer: an IP address with a longer subnet mask represents more logical networks/subnets, but fewer IP addresses can be allocated to hosts. Such an addressing scheme saves many IP addresses, which can then be used in other subnets.

As shown in the figure above, a company plans its IP address subnets with the class C address 192.168.1.0. The company has bought five routers. One router, which works as the gateway of the intranet, is connected to the local ISP. The other four routers are connected to four branch offices. Each office has 20 PCs, so each office needs 20 host addresses.

As shown in the figure above, 8 subnets are required. The 4 offices each need 21 IP addresses (including the router interface). The 4 network segments connecting the office routers to the gateway each need 2 IP addresses. Because the number of IP addresses per network segment differs, VLSM can be used. The four office network segments use the subnet mask 255.255.255.224, with 3 bits for the subnet and 5 bits for hosts, which means at most 2^5 - 2 = 30 hosts can be included. The four network segments connecting the office routers and the gateway use 6 bits for the subnet and 2 bits for hosts, so at most 2 hosts can be included.


Classless Inter-Domain Routing (CIDR), defined by RFC 1817, does not adhere to the IP address classes. It can aggregate multiple routes into one, so as to minimize the size of the routing table and improve the scalability of the router. As shown in the figure above, a block of class C networks, 198.168.0.0-198.168.255.0, is allocated to the ISP. The ISP allocates the class C networks to user groups. At present, three class C networks have been allocated to user groups. If the CIDR technique is not used, the routing table of the ISP's router has three routes to the downstream network segments, and the router advertises them to the routers on the Internet. With the CIDR technique, the three routes 198.168.1.0, 198.168.2.0, and 198.168.3.0 can be aggregated into the one route 198.168.0.0/16. Thus the ISP's router advertises only the route 198.168.0.0/16 to the Internet, and the number of entries in the routing table is reduced. Note that the network addresses aggregated by CIDR must share the same leading bits. As shown in the figure above, if the ISP is also connected to network segment 172.178.1.0, the routes of these network segments cannot be aggregated.


Address Resolution Protocol (ARP) is a broadcast protocol through which a host can dynamically find the MAC address corresponding to an IP address. Every host has an ARP cache, a mapping table between the IP addresses and physical addresses currently known to the host. When host A wants to send an IP packet to host B in the same LAN, it first looks up the ARP cache to find whether the IP address of host B is in the table. If so, the corresponding physical address is found, and the data packet is sent according to that physical address.

Sometimes the entry for the IP address of host B cannot be found. This may be because host B has just joined the network, or because host A has just powered on and its ARP cache is empty. In this case, suppose host A needs to know the MAC address of host B. Host A sends an ARP Request to every host in the network segment by broadcast. The ARP Request contains the mapping of host A's own IP address to its MAC address, as well as the destination IP address that needs to be resolved. When the destination host B receives the request packet, it stores the mapping information of host A in its ARP cache and sends its own IP-to-MAC mapping back to host A. After host A receives the ARP Reply, it obtains the MAC address of host B and at the same time puts the mapping information of host B into its ARP cache.


The function of Proxy ARP is to let hosts or routers in different network segments communicate. Usually, when a router R receives an ARP Request, it checks whether the requested destination address is its own: if so, an ARP Reply is sent; if not, the request packet is discarded.

However, if router R has the Proxy ARP function enabled, then when router R receives an ARP Request and finds that the destination address is not its own, it does not discard the packet immediately. Instead, router R looks up its routing table; if there is a route to this destination, it sends its own MAC address to the requesting party. The requesting party then sends packets for this destination to router R, and router R forwards them further.


Gratuitous ARP: the host sends an ARP Request for the MAC address of its own IP address. If no other host in the network has the same IP address, no reply arrives. If a reply does arrive, another host in the network is configured with the same IP address, and an error is logged on the host indicating a duplicate IP address.

Functions of Gratuitous ARP:

1. Detecting IP address conflicts: if the requesting party receives a reply to its gratuitous ARP, a device with a duplicate IP address exists in the network.

2. Updating stale hardware address information: if the host sending the gratuitous ARP has just changed its hardware address, for example after a network card replacement, the gratuitous ARP refreshes the old mapping on the other hosts. When a receiving party gets an ARP Request for which it already holds an entry in its ARP table, it must update that entry with the address information in the new ARP Request.
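The ARP cache lookup, broadcast request and unicast reply described above, together with the gratuitous ARP probe of this section, as an added, self-contained Python model (this is editorial example code, not part of the course). It packs and parses the 28-byte Ethernet/IPv4 ARP packet, keeps one cache per host, and applies the merge rule the text states (refresh an existing entry, learn the sender when the packet is addressed to us). Host names, addresses and the segment are constructed for the example; the last assertion in the usage shows the caveat that the refresh is unauthenticated.

```python
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 layout for Ethernet/IPv4: 28 bytes


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip4(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sha: bytes   # sender hardware (MAC) address
    spa: bytes   # sender protocol (IPv4) address
    tha: bytes   # target hardware address (all zeros in a request)
    tpa: bytes   # target protocol address: the address to be resolved

    def pack(self) -> bytes:
        return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                           self.oper, self.sha, self.spa, self.tha, self.tpa)

    @classmethod
    def unpack(cls, data: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(oper, sha, spa, tha, tpa)

    @property
    def gratuitous(self) -> bool:
        return self.spa == self.tpa   # a host asking about (or announcing) its own address


@dataclass
class Host:
    name: str
    ip: bytes
    mac: bytes
    cache: dict = field(default_factory=dict)      # IPv4 -> MAC learned so far
    conflicts: list = field(default_factory=list)  # MACs seen claiming our own IP

    def request(self, target_ip: bytes) -> ArpPacket:
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, bytes(6), target_ip)

    def receive(self, pkt: ArpPacket):
        """Process one ARP packet; return the reply to send, or None."""
        if pkt.spa == self.ip and pkt.sha != self.mac:
            # Another station uses our IP address: record the duplicate and
            # answer a request so that the prober learns about the conflict too.
            self.conflicts.append(pkt.sha)
            if pkt.oper == ARP_REQUEST:
                return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sha, pkt.spa)
            return None
        # Merge rule: refresh an entry we already hold, and always learn the sender
        # when the packet is addressed to us. No authentication is involved, so any
        # station on the segment can overwrite an existing entry this way.
        if pkt.spa in self.cache or pkt.tpa == self.ip:
            self.cache[pkt.spa] = pkt.sha
        if pkt.oper == ARP_REQUEST and pkt.tpa == self.ip:
            return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sha, pkt.spa)
        return None


def broadcast(segment, sender: Host, pkt: ArpPacket) -> list:
    """Deliver a broadcast frame to every other host; unicast replies go back to the sender."""
    replies = []
    wire = pkt.pack()                       # serialise and parse again, as on a real link
    for host in segment:
        if host is sender:
            continue
        reply = host.receive(ArpPacket.unpack(wire))
        if reply is not None:
            replies.append(reply)
            sender.receive(ArpPacket.unpack(reply.pack()))
    return replies


def resolve(segment, sender: Host, target_ip: bytes):
    """Cache hit first; otherwise broadcast a request and return the MAC learned from the reply."""
    if target_ip in sender.cache:
        return sender.cache[target_ip]
    broadcast(segment, sender, sender.request(target_ip))
    return sender.cache.get(target_ip)


def probe_duplicate(segment, sender: Host) -> list:
    """Gratuitous ARP: ask for our own address; every reply is a station holding a duplicate IP."""
    return [r.sha for r in broadcast(segment, sender, sender.request(sender.ip))]


if __name__ == "__main__":
    # Constructed segment: A, B and C are distinct; D is misconfigured with B's address.
    A = Host("A", ip4("10.0.0.1"), mac("02:00:00:00:00:0a"))
    B = Host("B", ip4("10.0.0.2"), mac("02:00:00:00:00:0b"))
    C = Host("C", ip4("10.0.0.3"), mac("02:00:00:00:00:0c"))
    D = Host("D", ip4("10.0.0.2"), mac("02:00:00:00:00:0d"))
    print("A resolves B:", resolve([A, B, C], A, B.ip).hex(":"))
    print("D probes its own address, replies from:", [m.hex(":") for m in probe_duplicate([A, B, C, D], D)])
    print("A's entry for 10.0.0.2 after D's gratuitous ARP:", A.cache[B.ip].hex(":"))
```

Running the script shows the third line: A's existing entry for 10.0.0.2 now points at D, because the merge rule refreshes any entry already in the cache without checking who sent the packet.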


Reverse Address Resolution Protocol (RARP) is needed when dealing with diskless workstations. Such a device knows its own MAC address and needs to obtain an IP address. For RARP to work, at least one host in the LAN must act as the RARP server. In this example the diskless workstation needs its own IP address, so it broadcasts a RARP Request on the network; the RARP server receives the broadcast request and sends a reply, from which the diskless workstation obtains its IP address.

As with ARP Requests, RARP Requests are sent as broadcasts, while ARP Replies and RARP Replies are usually sent as unicast packets.


The main function of a router is to interconnect different networks; it must also be capable of forwarding data to the Internet.

Data forwarding: a router forwards data packets according to their destination address.

Routing: in order to forward data packets, a router must be able to establish and update a routing table and forward packets according to it.

Backup and traffic control: to guarantee network reliability, a router can usually switch to a backup link and perform traffic flow control.

Speed adaptation: different interfaces run at different speeds; the router adapts between them using its buffers and flow control protocols.

Isolating networks: a router bounds broadcast networks and so prevents broadcast storms. At the same time, it can apply flexible filtering policies to data packets to help secure the network.

Interconnecting heterogeneous networks: at least two kinds of network protocols can be implemented in a router to interconnect heterogeneous networks. For example, a router that supports both ATM and FR interfaces is a router that interconnects heterogeneous networks.


The slide shows the working process of a router:

At the physical layer, the packet is received by one of the router interfaces and passed up to the data link layer. The data link layer de-encapsulates the frame and hands the packet to the network layer according to the protocol field of the frame. The network layer first checks whether the packet is intended for the local host. If so, the network layer encapsulation is removed and the packet is passed to the upper layer. If not, the router looks up the routing table according to the destination address of the packet. If a route entry is found, the packet is passed to the data link layer of the corresponding port, encapsulated there and sent. If no route is found, the packet is discarded and an error message is sent to the source of the packet.


The ability to forward data packets comes from the routing table. Every router maintains a routing table in which each route indicates the physical port of the router through which the destination subnet or host can be reached. A routing table contains the following key items:

Destination: identifies the destination address or network of the IP packet.

Mask: together with the destination address, identifies the network segment in which the destination host or router is located. A logical AND of the destination address and the network mask yields the address of that network segment.

Interface: indicates the interface of the current router through which the IP packet is to be forwarded.

Next Hop: indicates the interface address of the next router through which the IP packet should pass.


1. What is IP address classification?

IP addresses are divided into Classes A, B, C, D and E. Class D is the multicast address range and Class E is reserved. Classes A, B and C each have their own private address space.

2. What is the function of ARP/RARP?

ARP stands for Address Resolution Protocol and is used to find the MAC address corresponding to an IP address; RARP stands for Reverse Address Resolution Protocol and is used to find the IP address corresponding to a MAC address.

3. What is the principal function of a router?

At the physical layer, the packet is received by one of the router interfaces and passed up to the data link layer. The data link encapsulation is removed and, according to the protocol field of the frame, the packet is passed to the network layer. The network layer first checks whether the packet is intended for the local host. If so, the network layer encapsulation is removed and the packet is passed to the upper layers. If not, the router looks up the routing table according to the destination address of the packet. If a route entry is found, the packet is passed to the data link layer of the corresponding interface, encapsulated and forwarded. If no route is found, the packet is discarded and an error message is sent to the packet's source.



VRP (Versatile Routing Platform) is the network operating system used by Huawei routing and switching products. VRP serves as the general software platform of all Huawei network devices and provides TCP/IP routing services. Currently version 5.7 is used for many products.


VRP adopts a componentized architecture and is made up of five planes: GCP, SCP, DFP, SMP and SSP.

For example, GCP is the General Control Plane; it supports Internet protocols such as IPv4 and IPv6. The protocols and functions that GCP supports include sockets, TCP/IP, route management, routing protocols and so on. VRP only needs to add or remove the corresponding planes to fit different switch or router functionality.


At present, Huawei routers and switches support three configuration modes, two of which are listed here:

•Local configuration through the Console port

•Local or remote configuration through Telnet


A configuration environment can only be built through the Console port in the following two cases:

(1) The router is powered on for the first time and has only the default configuration.

(2) You can connect to the device directly.

The procedure for configuring a router through the Console port is as follows:

Procedure 1: Connect the console cable

(1) Connect the RJ45 connector to the Console port of the router.

(2) Connect the 9-pin or 25-pin RS232 connector to the serial port (COM) of the computer.


Procedure 2: Create the terminal session

(1) Run a terminal emulation program on the PC, for example HyperTerminal in Windows XP.

(2) Click Start > Programs > Communications > HyperTerminal.

(3) Enter any characters as the name when New Connection appears, choose the COM connection and click OK; the page shown above then appears. Set the port settings as shown in the image, then click OK.


If this is not the first time the router has been powered on and you cannot connect directly to its Console port, it may be possible, depending on the current device configuration, to use Telnet to reach the device. There are two ways to do this: Telnet to the router directly from a PC over the local network, or use a console connection from a PC to one router (for example router1) and then Telnet from that router to another router. A device running VRP can itself serve as a Telnet client.


For a PC to reach the Telnet server, two conditions must be met:

1. The client and the server must be able to communicate.

2. The server must be configured to allow clients to establish a Telnet session.

The example shows the configuration of the router that acts as the Telnet server. The first step configures the router's Ethernet interface, so that the client and the server (router) can communicate. The second step configures the VTY interface, including selecting password mode as the authentication mode for Telnet and setting the user privilege level. Note that Telnet sends the password and the whole session in cleartext, so it should be used only on a trusted management network; where the device supports it, SSH is the preferred remote access method.


After accessing the router, the user is placed in the user view. From here the user can switch to the system view by entering the system-view command, and from the system view can enter the views of other services by running the corresponding commands. The commands that can be run in the different views are listed in the graphic.


When accessing the device, all users start in the user view, from which they can switch to the system view with the system-view command. The quit command returns from the system view to the user view. It is possible to return to the user view from any view by entering the return command or pressing <Ctrl+Z>. For example:

#Enter the system view from the user view.

<Huawei>system-view

Enter system view, return user view with Ctrl+Z

#Enter the interface view from the system view.

[Quidway]interface Serial 0/0/0

[Quidway-Serial0/0/0]

#Return to the system view from the interface view.

[Quidway-Serial0/0/0]quit

[Quidway]

#Return to the user view from the system view.

[Quidway]return

<Huawei>


In this example, entering ? displays a brief description of all the commands available at the current level. Every view supports this command to display the possible completions. The ? can also be used to complete a partial entry: if only the first letters of a command can be recalled, appending ? as shown in the example above lists all commands that begin with those letters.


VRP supports two languages and allows users to enter the language-mode command to switch between them. The procedure is as follows:

<Huawei>language-mode ?

chinese Chinese environment

english English environment

<Huawei>language-mode chinese

Change language mode, confirm? [Y/N]y

Info: Switch to the Chinese mode.

<Huawei>


The command line interface automatically stores the commands that users enter, so that users can recall and re-run them at any time. By default, the command line interface keeps a record of up to 10 commands per user.

display history-command: display the commands that a user has entered.

Up-arrow key or <Ctrl+P>: display the earlier record if there is one; otherwise the alarm sounds.

Down-arrow key or <Ctrl+N>: display the next record if there is one; otherwise the command line is cleared and the alarm sounds.

When you use the command history, note the following:

(1) VRP records commands in the form in which the user entered them. If a command was entered in abbreviated form, it is recorded in that abbreviated form.

(2) If a user runs the same command many times, VRP keeps only one record of it. If a command is run in different forms several times, each form is treated as a different command. For example, if you run display ip routing-table several times, VRP keeps only one record; if you run disp ip routing and display ip routing-table, VRP keeps two records.


To change the name of a router:

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Quidway]sysname Router1

[Router1]


Some services require the time to be synchronized with other devices, often for security reasons (for example so that logs from different devices can be correlated), so the system time should be set correctly. VRP supports setting the time zone and daylight saving time.

#Set the time.

<Huawei>clock datetime 10:19:30 2006/12/12

<Huawei>

<Huawei>display clock

10:19:36 UTC Tue 2006/12/12

<Huawei>


You can display the VRP version information by running the display version command.

<Router>display version

Huawei Versatile Routing Platform Software

VRP WVRP-CEN Software Version VRPV5R1B12D054

Copyright (c) 2003-2010 by VRP Team Beijing Institute Huawei Tech, Inc

……

The version is VRPV5R1B12D054.

You can view information about the terminal users by running the display users command.

<Router>display users

User-Intf Delay Type Network Address AuthenStatus

+ 0 CON 0 00:00:00

Username : Unspecified

You can view the configuration of the current view by running the display this command. For example, to view the configuration of an interface after entering the interface view:

[Router]interface Ethernet 0

[Router-Ethernet0]display this

#

interface Ethernet0

ip address 13.13.13.2 255.255.255.252

isis enable 1

#

return

You can obtain diagnostic information by running the display diagnostic-information command.


VRP manages software and configuration files through the file system. The file system manages the files and directories on the storage device, which includes creating the system file, renaming files and directories, creating, deleting and modifying files and directories, and displaying files. The two main functions of the file system are storage device management and file management. The storage device is the hardware that keeps the information; at present, flash memory, hard disks and CF cards can be used by routers as storage devices, and different products use different devices to store information. The file system is the mechanism for storing and managing that information. Directories organize files and are the logical containers that hold them.

Delete a file

<Huawei> delete flash:/test/test.txt

Delete flash:/test/test.txt?[Y/N]

<Huawei>

Restore a file that was deleted.

<Huawei> undelete sample.bak

Undelete flash:/test/sample.bak ?[Y/N]:y

% Undeleted file flash:/test/sample.bak

Delete the files in the recycle bin. A file removed with delete is kept in the recycle bin and can still be undeleted until the recycle bin is reset.

<Huawei> reset recycle-bin

Display a file.

<Huawei> more test.txt

AppWizard has created this test application for you. This file contains a summary of what you will find in each of the files that make up your test application.

Test.dsp

Copy a file.

<Huawei> copy hda1:/sample.txt flash:/

Copy hda1:/sample.txt to flash:/sample.txt ?[Y/N]:Y

% Copyed file hda1:/sample.txt to flash:/sample.txt


Create a directory

<Huawei> mkdir dd

Created dir dd.

Delete a directory

<Huawei> rmdir test

Rmdir test?[Y/N]:y

% Removed directory test

Display the current directory

<Huawei> pwd

flash:/test


Format a storage device

<Huawei> format flash:

All data on flash: will be lost , proceed with format ? [Y/N]:y

%Format flash: completed.

Repair a storage device whose file system is abnormal

<Huawei> fixdisk flash:

Fixdisk flash: will take long time if needed.

Fixdisk flash: completed.

Be careful with the format command: it deletes all the files on the storage device as soon as you run it.


When the router is powered on, it reads the configuration file from the default storage path to initialize itself. The configuration in that file is called the initial configuration. If there is no configuration file in the default storage path, the router initializes itself with the default parameters. The configuration in use while the router is running is called the current configuration.

Users can change the current configuration of the router through the command line interface. To make the current configuration the initial configuration the next time the router is powered on, you need to save it to the default storage path with the save command. You can view the saved configuration of the router by running the display saved-configuration command, and the current configuration by running the display current-configuration command.

You can save the current configuration by running the save command. The detailed procedure is as follows:

<Huawei>save

The current configuration will be written to the device.

Please make sure configuration recovery has been finished.

Are you sure?[Y/N]y

Now saving the current configuration to the device.....

Info:The current configuration was saved to the device successfully

You can erase the configuration file on the storage device by running the reset saved-configuration command. The detailed procedure is as follows:

<Huawei>reset saved-configuration


The action will delete the saved configuration in the device.

The configuration will be erased to reconfigure.

 Are you sure?[Y/N]y

Now clearing the configuration in the device.

Info:Clear the configuration in the device successfully

You can run the compare configuration command to compare the current configuration with the configuration in the stored configuration file. The message below indicates that the current configuration differs from the stored configuration.

<Huawei>compare configuration

Warning:The current configuration is NOT the same as the saved configuration!

====== Current configuration line 31 ======

ospf 1

……

====== Saved configuration line 31 ======

……


VRP can back up its software and configuration files through FTP, TFTP and XMODEM. Here we introduce the basic operations by which routers or switches obtain version files through these three modes, which is the general knowledge needed for version updates. For details of the update methods and procedures, please refer to the update guidelines provided for a product or a specific version of a product.

FTP, TFTP and XMODEM are all file transfer protocols for transferring files between users and devices.

File Transfer Protocol (FTP) is based on TCP and uses the client/server model. VRP can act both as an FTP server and as an FTP client. When it acts as the FTP server, users can log in to the router with an FTP client program and access files on the router. When VRP acts as the FTP client, users connect to the router through the terminal emulation program or Telnet and then run FTP commands to connect to a remote FTP server and access files on the remote host. Note that FTP sends the username and password in cleartext.

Trivial File Transfer Protocol (TFTP), unlike FTP, has no authentication mechanism at all, which suits environments with little interaction between clients and servers; for the same reason it should only be run on a trusted management network. TFTP is based on UDP and uses the client/server model. A TFTP transfer is initiated by the client. To download a file, the client sends a read request to the TFTP server, receives the data packets from the server and acknowledges them. To upload a file, the client sends a write request to the TFTP server and sends the data packets, which the server acknowledges. TFTP has two transfer modes: binary mode for program files and ASCII mode for text files.

VRP can act only as a TFTP client and can transfer files only in binary mode.

The XModem protocol transfers files over a serial port and is widely used for its simplicity and capabilities. VRP supports receiving program files through XModem, which can be used on the AUX interface.

As the figure above illustrates, the PC and Router A are connected through their serial ports, and Router A and the FTP server are connected to the LAN. Router A acts as the FTP client and obtains version files from the FTP server. Set the username and password on the FTP server to quidway and huawei respectively. Log in to Router A from the PC through the terminal emulator and perform the following operations to obtain the version files.

#Log in to the FTP server from Router A.

<Router> ftp 172.16.104.110

Trying 172.16.104.110 ...

Connected to 172.16.104.110.

……

User(172.16.104.110:(none)):quidway

331 Give me your password, please

Password:

230 Logged in successfully

……

#Obtain the version file vrp.cc from the FTP server by running the get command.

[ftp] get vrp.cc……

150 "D:\system\vrp.cc" file ready to send (5805100 bytes) in IMAGE / Binary

mode

226 Transfer finished successfully.

FTP: 5805100 byte(s) received in 19.898 second(s) 291.74Kbyte(s)/sec.


As the figure above illustrates, the PC and Router A are connected through their serial ports, and Router A and the FTP client are connected to the LAN. Router A is configured as the FTP server so that it can obtain version files from the FTP client. Run the following commands to configure Router A as the FTP server.

#Enable the FTP server on the router.

[Quidway]ftp server enable

#Enter the AAA view and configure authentication and authorization for the FTP server. Only users that pass authentication and are authorized can use the services offered by the FTP server.

[Quidway]aaa

#Create a local user named quidway.

[Quidway-aaa] local-user quidway

#Set the service type to FTP.

[Quidway-aaa] local-user quidway service-type ftp

#Configure the password huawei. The simple keyword stores the password readable in the configuration file; the cipher form stores it encrypted and should be preferred outside the lab.

[Quidway-aaa] local-user quidway password simple huawei

#Configure the authorized directory of the FTP user on the FTP server.

[Quidway-aaa] local-user quidway ftp-directory flash:/ftp/quidway


As the figure above illustrates, the PC with IP address 10.111.16.160 runs TFTP software and acts as the TFTP server, and Router A obtains the version software from the TFTP server.

Run the following command on Router A to obtain the version software.

#Run the tftp command to obtain the vrp.cc file and save it under cfcard:/.

<Huawei> tftp 10.111.16.160 get vrp.cc cfcard:/vrp.cc

Run the dir command to check that the version file has been obtained and saved in the specified directory.

<Huawei> dir 

Directory of cfcard:/

0 -rw- 86211956 Jun 08 2006 15:20:14 v300r001b02ssp02.cc

1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt

2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat

3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat

4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg

5 -rw- 14343 May 19 2006 15:00:10 paf.txt

6 -rw- 6247 May 19 2006 15:00:10 license.txt

7 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak

8 -rw- 80975644 Jun 08 2006 14:50:20 v300r001b02msp06.cc

9 -rw- 86235884 Feb 05 2001 10:23:46 vrp.cc

508752 KB total (261112 KB free)


Simple Network Management Protocol (SNMP) is a widely used network management protocol. SNMP works at the application layer and uses UDP as its transport protocol: the agent listens on UDP port 161, and traps are sent to UDP port 162 on the NMS.

SNMP consists of the NMS and the Agent. NMS stands for Network Management Station, which sends requests to the Agent. The Agent is a process or task that resides on the managed device. When it receives a request from the NMS, the Agent analyses it, obtains the information and sends a response packet back to the NMS. SNMP is the application protocol that defines how management information is delivered between NMS and Agent.

SNMP defines two basic operations, GET and SET. The GET operation obtains management information from the managed device; the SET operation writes variable values to configure the managed device. A Trap is generated by the Agent and reports an abnormality of the managed device to the NMS. Once the NMS receives the trap, it takes measures such as polling to diagnose the problem, resolves it and updates its network management data.


[Quidway]snmp-agent //Enable the SNMP Agent service

[Quidway]snmp-agent sys-info version v3 //Configure the SNMP version

[Quidway]snmp-agent community read public //Configure the name of the SNMP read community

[Quidway]snmp-agent community write private //Configure the name of the SNMP write community

Note: the Agent configuration must agree with that on the NMS. Community names are the credentials of SNMPv1/v2c and travel in cleartext; public and private are the first names anyone will try, and the write community permits configuration changes, so use unguessable names (or SNMPv3 users) outside the lab.

[Quidway]snmp-agent trap enable //Enable the router to send Traps

[Quidway]snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000 params securityname public //Configure the destination address of Traps, the UDP port number and the community
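The Telnet/VTY, FTP user and SNMP configurations on the preceding pages all carry settings that a security review would flag. Below is an added editorial example (not Huawei's code and not from the course) in Python: a small audit that reads a VRP-style configuration and reports the weak settings beside the advice for each. The command spellings it matches are those shown on this page; the constructed weak sample combines them, and the constructed hardened sample uses the replacement commands (stelnet, authentication-mode aaa, protocol inbound ssh, password cipher, SNMPv3) as I know them, which may differ between VRP versions and are assumptions here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    text: str
    advice: str


# Each rule: (name, pattern matched against the stripped configuration line, advice).
RULES = [
    ("telnet-server", re.compile(r"^telnet server enable\b"),
     "Telnet carries passwords and sessions in cleartext; enable the SSH (stelnet) server instead."),
    ("ftp-server", re.compile(r"^ftp server enable\b"),
     "FTP logins cross the network in cleartext; prefer SFTP/SCP for file transfer."),
    ("plaintext-password", re.compile(r"\bpassword simple\b"),
     "'simple' stores the password readable in the configuration; use the cipher form."),
    ("vty-shared-password", re.compile(r"^authentication-mode password\b"),
     "One shared VTY password gives no per-user accountability; use authentication-mode aaa with local users."),
    ("vty-inbound-cleartext", re.compile(r"^protocol inbound (telnet|all)\b"),
     "VTY lines accept Telnet; restrict them with protocol inbound ssh."),
    ("snmp-v1v2c", re.compile(r"^snmp-agent sys-info version\b.*\b(v1|v2c|all)\b"),
     "SNMPv1/v2c authenticate with a cleartext community string; use v3 with authentication and privacy."),
    ("snmp-default-community", re.compile(r"^snmp-agent community (read|write) (public|private)\b"),
     "'public'/'private' are the universally guessed community names; a write community is full configuration access."),
]


def audit(config: str) -> list:
    """Return one Finding per (line, rule) hit, in configuration order."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for rule, pattern, advice in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line, advice))
    return findings


# Constructed sample: the settings from this page's examples put together.
WEAK_CONFIG = """\
sysname Router1
telnet server enable
ftp server enable
aaa
 local-user quidway password simple huawei
 local-user quidway service-type ftp
 local-user quidway ftp-directory flash:/ftp/quidway
user-interface vty 0 4
 authentication-mode password
 set authentication password simple huawei
 user privilege level 3
 protocol inbound all
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read public
snmp-agent community write private
snmp-agent trap enable
snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000 params securityname public
"""

# Constructed hardened counterpart (command spellings assumed; the passphrase is a placeholder).
HARDENED_CONFIG = """\
sysname Router1
stelnet server enable
aaa
 local-user admin password cipher Example-Passphrase-Change-Me
 local-user admin privilege level 3
 local-user admin service-type ssh
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
snmp-agent
snmp-agent sys-info version v3
"""


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"line {f.line:2d} [{f.rule}] {f.text}\n    -> {f.advice}")
    print("hardened sample findings:", len(audit(HARDENED_CONFIG)))
```

The audit is line-oriented on purpose: VRP writes each setting on its own line, so a handful of anchored patterns over display current-configuration output is enough to catch the cleartext services, readable passwords and default community names before a device leaves the lab.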


1. How is a console connection established?

Connect the PC serial port to the Console port of the router with the console cable and run terminal emulation software, such as the Windows terminal emulator. Configure the parameters correctly and then log in to the router to configure it.

2. What are the VRP command levels and command views?

The VRP command levels are the visit level, the monitor level, the configuration level and the management level. The command views include the user view, the system view, the interface view, the routing protocol view and so on.

3. How do you create a Telnet user?

Enter the VTY user-interface view, configure the authentication mode and the authentication password, and configure the user privilege level.

4. Which protocols can be used to upgrade the VRP file?

FTP, TFTP and XMODEM.


Each layer of the TCP/IP layered model has its own function and role, built around the main principles of network layer addressing and routing. This section of Routing Protocol Basics focuses on the details of IP address structure, address classification and subnet planning; in addition, it illustrates how data packets are carried in the network and the principles of routers. Routing protocol basics is a basic course of great significance for understanding the different routing protocols. Building on the previous sections, this section focuses on how packets are forwarded between routers and on the structure of the routing table.


A router provides mechanisms for interconnecting networks of different structures, which makes the transfer of packets among networks possible. Routes are decisions made about the path over which packets will be forwarded for a given destination.

On the Internet, routes are decided by routers. A router chooses an appropriate route according to the destination address in the header of the packet and sends the packet to the next router. The last router on the route is responsible for delivering the packet to the destination host. The whole process is very similar to a relay race: each router focuses only on finding an optimal route and forwarding the packet to the next station along that route. In this way, packets are handed from one router to the next until they reach their destinations. However, packets do not always travel along the best route, since routing policies may interfere.

In the example above, RTA is going to send a packet to a destination in network N. By searching its routing table, RTA finds that the egress to network N is E0/0 and the next-hop router is RTB. RTA sends the packet out through E0/0 to RTB, RTB forwards it to RTC in the same way, and so on until the last router, RTC, delivers the packet to network N. The packet follows the route RTA-RTB-RTC-network N.


Here we take the previous example to explain the process of IP routing. As the figure above shows, RTA connects to network 10.3.1.0 on the left and RTC connects to network 10.4.1.0 on the right. A datagram is to be sent from network 10.3.1.0 to network 10.4.1.0. The process of IP routing is as follows:

1. The packet arrives at the E1 port of RTA, which directly connects to network 10.1.1.0. After receiving the packet, RTA looks up its routing table and finds that the next hop to the destination is 10.1.2.2 and the egress is E0. The packet is sent out from E0 to 10.1.2.2.

2. When the packet reaches the E0 port of RTB (address 10.1.2.2), RTB looks up its routing table to find the route to the destination of the packet. The routing table says that the next hop to the destination is 10.2.1.2 and the egress is E1. The packet is sent out from E1 towards its next hop, 10.2.1.2.

3. When the packet reaches the E0 port of RTC (address 10.2.1.2), RTC looks up its routing table and finds that the destination of the packet is in a segment directly connected to it: the next hop for the packet is 10.4.1.1 and the egress is E1. The packet is sent out from E1 to its destination.


The analysis of the IP routing process shows that data forwarding depends entirely on the information in the routing table. To function effectively and efficiently, a router should:

1. Check the destination of a packet: does the router have information about the destination of the packet?

2. Find the source of the information: where does the information about the route to the destination come from? Was it defined statically by the administrator, or was it obtained from other routers?

3. Search for possible routes to the destination: what are the possible routes to the destination?

4. Select the best route: which is the best route to the destination? Should the router use load balancing to send packets over multiple routes?

5. Verify and maintain routing information: is a route valid? Is it the latest? Routers have to verify and maintain routing information to ensure that it is correct.


Routers check the destination of the packets they receive, and if the destination is not an interface of the local router, they look up their routing tables to find out to which port the packets should be forwarded.

1. If the destination network is directly connected to the router, the router knows to which port the packet should be forwarded.

2. If the destination network is not directly connected to the router, the router has to find the possible routes for the packet and then select one of them to forward it.

Routes in the routing table fall into three categories according to their sources:

1. Routes found by data-link layer protocols (interface routes or direct routes).

2. Static routes manually configured by network administrators.

3. Routes found by dynamic routing protocols.


The protocol field in the routing table indicates the source of the routes. Routes come from three sources. The first source is the routes discovered by the data-link layer. When data-link layer protocols come up, routes of this sort are generated, and their protocol field in the routing table shows "direct". Routes discovered by the data-link layer need no maintenance, which reduces the workload. However, the data-link layer can only find routes to the segments directly connected to its interfaces and cannot discover routes that cross segments. Routes that cross segments can only be discovered by other methods.


The second source is the statically configured routes. Static routes are configured by

administrators manually and they can also help to build connectivity between networks.

Static routes however cannot make adjustments automatically when networks fail. They must

be managed by administrators.


The last group of routes is discovered by dynamic routing protocols. Configuring routes statically for a network with a complicated topology is a demanding task and easily results in errors. So it is better to use dynamic routing protocols to find and change routes, which needs no manual maintenance. However, dynamic routing protocols have a cost of their own: they consume router and link resources, and their configuration is more complicated. As the figure above shows, routes whose Proto field is RIP or OSPF are routes discovered by the RIP or OSPF dynamic routing protocol. Details about dynamic routing protocols will be given later.


As mentioned above, routes come from three sources. Here we compare static routes and dynamic routes.

1. Static routes must be defined by administrators. When the network topology changes, administrators have to change the configuration of the static routes manually. Static routes are more suitable for simple and small networks. If the network is complicated, administrators may struggle with the complexity and work needed to manage numerous static routes.

2. Routing protocols collect network information for dynamic routes. When the network topology changes, routers update their information automatically without the help of administrators.


A routing protocol is a language used for communication between routers. With a routing protocol, routers can share information about routes and network status. Only routers that use the same language can communicate with each other. Routers that do not speak the same language may obtain information from each other by other means (such as route import), but that is not discussed here. Routing protocols lay down a set of rules for the communication between routers, and through routing protocols routers maintain their routing tables and offer the best routes.


An AS (autonomous system) is a set of networks under unified management. According to their working area, routing protocols can be divided into:

1. Interior Gateway Protocols (IGP): protocols for exchanging routing information between gateways within an autonomous system. The protocols we introduce here, RIP and OSPF, are IGPs. Other IGPs not covered here include IS-IS, IGRP and EIGRP.

2. Exterior Gateway Protocols (EGP): protocols for exchanging routing information between autonomous systems. The Border Gateway Protocol (BGP) is an EGP.


According to the algorithms used, routing protocols can be divided into the following categories:

Distance-Vector routing protocols: RIP and BGP. BGP is also called a Path-Vector protocol.

Link-State protocols: OSPF and IS-IS.

The difference between the algorithms used by Distance-Vector routing protocols and Link-State protocols lies in the way they find and calculate routes. Distance-Vector routing protocols are concerned with the number of hops to the destination, while Link-State protocols care more about the network topology and the bandwidth of the links used to reach a given destination.


Routing protocols can be divided into unicast routing protocols and multicast routing protocols according to their applications. Unicast is one of the data transmission modes: the destination of a datagram is unique, and can be a host or a device. Multicast is another data transmission mode: the destination address is a multicast address, which means that a group of hosts or devices can receive a datagram at the same time. Here we only focus on unicast routing protocols. For details about multicast routing protocols, see the references for the multicast modules.


Routing tables play a key role in packet forwarding. Each router holds a routing table, and every entry in the routing table tells through which physical port of the router a packet should be sent to reach a subnet or a host, before the packet arrives at the next-hop router or its destination.

A routing table contains the following items:

Destination: indicates the destination host or destination network of an IP packet.

Mask: we have already learned the structure and functions of the mask in the TCP/IP course. Similarly, network masks are important information in a routing table. If we perform a logical AND between an IP address and a network mask, we obtain the network segment. In the example here, the destination address is 8.0.0.0 and the mask is 255.0.0.0. After the logical AND, we know that the segment is 8.0.0.0/8, which is a Class A address. Another function of the network mask is that when there are multiple route entries matching the same destination in a routing table, the router chooses the route with the longest mask.

Interface: indicates the interface from which an IP packet should be forwarded.

Nexthop: indicates the IP address of the next router interface that an IP packet will pass through.

Other fields in the routing table will be discussed later.


Routes to the same destination may come from different sources, so the next hops of those routes may be the same or different. In this case, how do routers choose between those routes? Route preference solves this problem.

In the figure above, there are two routes to the segment 10.0.0.0: R0 and R1. R0 is discovered by RIP and R1 by OSPF. By default, OSPF has a better (numerically lower) route preference than RIP. So the router uses the route discovered by OSPF in this case and adds it to the global routing table for packet forwarding.


The default route preferences on the VRP platform are shown in the table above. Preference 0 is for direct routes and 255 is for untrustworthy routes; a lower value means a more trusted route. Except for direct routes, the preference of every dynamic routing protocol can be configured manually according to customer requirements. Note that a preference normally applies to all routes of the protocol: for example, all routes discovered by IS-IS have the same preference, 15. Static routes are the exception, because each static route may have its own preference.

An operator can adjust preferences to control route selection. Routes learned from an IGP are considered more credible than those learned from an EGP (BGP); by default the preference of both IBGP and EBGP routes is set to 255, the maximum value. If a router receives the same route from an IBGP source and from an EBGP source, the choice between them is made by BGP's own selection rules, which prefer the EBGP route.


The route metric reflects the cost of a route to its destination. Route metrics are often decided by factors including delay, bandwidth, line occupation rate, line reliability, hop count and the maximum transmission unit. Different dynamic routing protocols choose different factors to calculate a route cost. For example, RIP uses the hop count as the route metric. Route metrics are meaningful only for routes discovered by the same routing protocol: it is meaningless to compare metrics calculated by different protocols, and there is no formula to convert metrics between routing protocols. The route metric of a static route is 0.

Router A learns routes to Router D from Router B and from Router E with the same protocol. As the figure above illustrates, the metric of the route that Router A gets from Router B is 9, while the metric of the route that Router A gets from Router E is 12. Obviously the route via Router B is better than the route via Router E, so Router A adds the first route to its routing table, with Router B as the next hop.


If there are multiple routes to the same destination with the same preference and the same metric, all of them are added to the routing table. IP packets are sent over these routes in turn, which realizes load balancing.

At present, the routing protocols that support load balancing are RIP, OSPF, BGP and IS-IS. Static routes also support load balancing.


In the routing table above, there are three routes to the network 10.1.1.1/32. The three routes have the same preference, and no other route to this destination has a better preference. So all three routes are added to the routing table to balance the load.


Data packets are forwarded according to their destination IP addresses. When a packet reaches a router, the router first reads the destination IP address of the packet and then looks up its routing table, performing a logical AND between the destination IP address and the mask of each entry. If the result of the AND equals the destination of the entry, the entry is a route to the destination of the packet; otherwise it is not. When all matching entries have been found, the router chooses the one with the longest mask among them.


Imagine that a packet whose destination IP address is 9.1.2.1 reaches the router. The router

looks up its routing table and finds three matching routes there. They are:

0.0.0.0/0 whose matching length is 0 bit.

9.0.0.0/8 whose matching length is 8 bits.

9.1.0.0/16 whose matching length is 16 bits.

The last route has the longest mask length. So the router will choose this one to forward the

packet through serial 0/0.
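The selection and lookup rules described above (longest mask, preference between route sources, metric within one protocol, equal-cost routes installed side by side, and the reject, blackhole and no-route outcomes) can be tried out in the following Python model. It is an added example, not code from the course or from VRP. The default preference values (direct 0, OSPF 10, IS-IS 15, static 60, RIP 100) are VRP's defaults as assumed here; the prefixes follow the page's figures, while the next hops and interface names are invented.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# VRP default preference values (lower value = more trusted). Assumed here as the
# values of the preference table the text refers to, which is not reproduced.
DEFAULT_PREFERENCE = {"DIRECT": 0, "OSPF": 10, "ISIS": 15, "STATIC": 60, "RIP": 100}


@dataclass(frozen=True)
class Route:
    dest: str                          # destination prefix, e.g. "9.1.0.0/16"
    proto: str                         # route source: DIRECT, STATIC, RIP, OSPF, ISIS
    metric: int                        # cost; only comparable within one protocol
    nexthop: str
    interface: str
    preference: Optional[int] = None   # a static route may carry its own value
    flag: Optional[str] = None         # "reject" or "blackhole" on a static route

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(self.dest)

    @property
    def pref(self) -> int:
        return DEFAULT_PREFERENCE[self.proto] if self.preference is None else self.preference


def build_routing_table(candidates: List[Route]) -> Dict[IPv4Network, List[Route]]:
    """Install candidate routes into the global routing table: for each prefix keep
    the routes with the lowest preference value, among those the lowest metric, and
    install every route that still ties (equal-cost multi-path)."""
    by_prefix: Dict[IPv4Network, List[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(r.network, []).append(r)
    table = {}
    for net, routes in by_prefix.items():
        best_pref = min(r.pref for r in routes)
        same_pref = [r for r in routes if r.pref == best_pref]
        best_metric = min(r.metric for r in same_pref)
        table[net] = [r for r in same_pref if r.metric == best_metric]
    return table


def lookup(table, dst: str) -> Optional[List[Route]]:
    """Longest-prefix match: an entry matches when (dst AND mask) equals the entry's
    destination, which is what `addr in net` tests; the longest mask wins. The default
    route 0.0.0.0/0 matches everything with length 0, so any other match beats it."""
    addr = IPv4Address(dst)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


def forward(table, dst: str, packet_no: int = 0) -> Tuple[str, Optional[Route]]:
    """Forwarding decision for one packet as (action, route). Equal-cost routes are
    used in turn, chosen by the packet counter; reject, blackhole and "no route at all"
    give the outcomes the text describes."""
    routes = lookup(table, dst)
    if routes is None:
        return ("icmp-unreachable", None)        # no route and no default route
    route = routes[packet_no % len(routes)]
    if route.flag == "reject":
        return ("icmp-unreachable", route)       # discarded, source is notified
    if route.flag == "blackhole":
        return ("drop", route)                   # discarded silently
    return ("forward", route)


# Constructed candidate routes following the page's figures; next hops and interface
# names are invented for the example.
CANDIDATES = [
    Route("0.0.0.0/0", "STATIC", 0, "1.1.1.2", "Serial0/1"),
    Route("9.0.0.0/8", "OSPF", 20, "1.1.1.2", "Serial0/1"),
    Route("9.1.0.0/16", "OSPF", 10, "2.2.2.2", "Serial0/0"),
    Route("10.0.0.0/8", "RIP", 3, "3.3.3.2", "Ethernet0/0"),       # R0 in the text
    Route("10.0.0.0/8", "OSPF", 40, "4.4.4.2", "Ethernet0/1"),     # R1 in the text
    Route("10.1.1.1/32", "STATIC", 0, "5.5.5.2", "Serial1/0"),     # three equal static routes
    Route("10.1.1.1/32", "STATIC", 0, "6.6.6.2", "Serial1/1"),
    Route("10.1.1.1/32", "STATIC", 0, "7.7.7.2", "Serial1/2"),
    Route("10.1.1.1/32", "STATIC", 0, "8.8.8.2", "Serial1/3", preference=100),  # backup only
    Route("172.20.0.0/16", "STATIC", 0, "1.1.1.2", "Serial0/1", flag="reject"),
    Route("192.168.99.0/24", "STATIC", 0, "1.1.1.2", "Serial0/1", flag="blackhole"),
]
TABLE = build_routing_table(CANDIDATES)
TABLE_NO_DEFAULT = build_routing_table([r for r in CANDIDATES if r.dest != "0.0.0.0/0"])

if __name__ == "__main__":
    for dst in ("9.1.2.1", "10.5.5.5", "10.1.1.1", "172.20.1.1", "192.168.99.7", "172.16.0.1"):
        print(dst, forward(TABLE, dst))
    print("172.16.0.1 with no default route:", forward(TABLE_NO_DEFAULT, "172.16.0.1"))
```

Running the script shows 9.1.2.1 leaving through Serial0/0 on the /16 entry, the OSPF route winning over RIP for 10.0.0.0/8 on preference alone (its metric of 40 is never compared with RIP's 3), three equal static routes to 10.1.1.1/32 with the preference-100 route left out, and the reject, blackhole and missing-default-route cases ending in the three different outcomes.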


A routing loop is a network problem in which packets sent by one router return to that router after travelling through the network for a while. When a routing loop occurs, packets circulate among several routers until they are discarded when their TTL reaches 0, which wastes a great deal of network resources. Steps should be taken to keep routing loops at bay.

As the figure above shows, RTA has a packet heading for network N. The packet is forwarded to RTC and its TTL is decremented by one. When RTC receives the packet, it forwards it to RTB, which brings the packet into a loop, and the TTL is decremented again. The packet returns to RTA, and RTA sends it to RTC once more. This continues until the packet is discarded once its TTL is reduced to 0. Routing loops are very harmful to the network and care should be taken to avoid them.

The possible causes of a routing loop are:

1. A temporary loop occurs while the network converges.

2. A defect in the routing algorithm.

3. Information that would prevent routing loops is lost when routes are imported into a different routing domain.

4. Configuration mistakes.


1. What are the sources of routes, and what are their characteristics?

Routes come from three sources: direct routes discovered by the data-link layer, manually configured static routes, and routes discovered by dynamic routing protocols. Routes found by the data-link layer need no maintenance and are discovered automatically when the data-link layer protocols come up; the disadvantage of this source is that it can only find routes to the directly connected segments, and routes to other segments cannot be discovered. Manually configured static routes need maintenance and are not modified automatically when the network topology changes. Dynamic routing protocols can discover and modify routes automatically without human intervention, but they consume more resources and their configuration is rather complicated.

2. What are the classifications of dynamic routing protocols?

Dynamic routing protocols can be grouped into IGP and EGP protocols according to their working area, into Distance-Vector and Link-State protocols according to their algorithm, and into unicast and multicast routing protocols according to their application.

3. What values can be found in a routing table?

The routing table includes fields such as destination, mask, protocol, preference, metric, next hop and interface.

4. What does equal-cost multi-path mean?

Equal-cost multi-path refers to two or more routes to a single destination from a single source that have the same metric under the routing protocol in use and the same preference; they are all added to the routing table and IP packets are sent over them in turn, which provides load balancing. If the protocol is RIP, the number of hops to the destination must be equal over the routes. If the protocol is OSPF, the cost between source and destination over the routes must be equal, where the cost is based on the link type (for example serial or Ethernet) and the bandwidth of the links, in accordance with OSPF cost values.


 A static route is a special route that is configured by a network administrator manually. The

disadvantage of static routes is that they cannot adapt to the change in a network automatically,

so network changes require manual reconfiguration. Static routes are fit for networks with

comparatively simple structures. It is not advisable to configure and maintain static routes for a

network with a complex structure.


The command for configuring a static route is:

[Quidway] ip route-static <ip_address> [ <mask> | <masklen> ] <interface_name> | <gateway_address> [ preference <preference_value> ] [ reject | blackhole ]

The meanings of the parameters in the command are as follows:

(1) <ip_address> [ <mask> | <masklen> ]: the IP address and mask of the destination. The IP address takes the form of dotted decimal notation; the mask can be given as a dotted decimal number or as the mask length (the number of bits set to 1 in the mask).

(2) <interface_name> | <gateway_address>: the name of the outgoing interface or the address of the next hop. When configuring static routes, you can give either an interface name or a next-hop address; which one to use depends on the actual situation. Every route entry used for forwarding must resolve to a next hop: when a packet is sent, the router looks up the routing table for a route matching the packet's destination, and only when the next hop is known can the data-link layer find the corresponding data-link address to forward the packet to. On a point-to-point link such as a serial line the outgoing interface alone identifies the next hop, which is why the interface form works in the example below; on a broadcast link the next-hop address should be given.

(3) <preference_value>: the preference value. Flexible route management can be realized by configuring the preference differently. If you configure multiple routes to the same destination with the same preference value, load balancing is achieved; otherwise route backup is achieved. You can enter the preference keyword more than once in a command, but only the last value is valid.

(4) Others: the attributes "reject" and "blackhole" mark an unreachable route and a blackhole route respectively. If a static route carries the "reject" attribute, all packets sent to the destination of the route are discarded and an ICMP message is sent to notify the source that the destination is unreachable. If a static route carries the "blackhole" attribute, any packet heading for the destination of the route is discarded and no ICMP message is sent to the source.

In the example above, the two routers are connected by serial ports and we configure on RTB a static route destined for the loopback segment of RTA. The command can take one of the three forms below:

[RTB] ip route-static 10.1.1.1 255.255.255.255 1.1.1.1

[RTB] ip route-static 10.1.1.1 32 1.1.1.1

[RTB] ip route-static 10.1.1.1 32 Serial 0

In the first form, the mask is given as a dotted decimal number. In the second form, the mask is given by its length. In the last form, the gateway address is replaced by the interface name.


You can query the routing table by running display ip routing-table command after the

static route is configured. The static route is displayed in the routing table as highlighted in

red here.


Load balancing: packets are sent over several links in turn when there are multiple paths to their destination with the same cost. Static routes support load balancing.

As shown in the figure above, three static routes are configured on RTB to the same destination, network 10.1.1.1/32. The three routes have the same preference value, the default of 60, and there is no route to this network with a better preference. In this case the three routes are equal-cost routes that share the load, and packets are sent over them in turn.


Looking up the routing table, you can see there are three routes destined to the network

10.1.1.1/32 which will share the load over each ECMP supported link.


Route backup: multiple routes heading for the same destination are configured, among which the one with the best (numerically lowest) preference value acts as the main route. The other routes, with worse preference values, become backup routes.

As the figure above shows, two static routes are configured on RTB, destined for the network 10.1.1.1/32. One of the routes has the default preference value of 60, while the other is configured with a less preferred preference value of 100.


By looking up the routing table, you may find that there is only one route heading for the

network 10.1.1.1/32 which acts as the main route. The route with the preference value of 100

has not been added to the routing table. It will be added to the routing table only after the route

with the preference value of 60 becomes invalid.


After running the display ip routing-table protocol static command, you can see that the route whose preference value is 60 is active, which means it is the main route for forwarding packets to the network 10.1.1.1/32.

The route whose preference value is 100 is inactive and acts as the backup route. It will not be added to the routing table or used for forwarding packets until the route with preference 60 is no longer available, or until its own preference is changed to a value lower than that of the currently preferred route.

Note: the routing table here is the global routing table. display ip routing-table lists only the routes that are currently active. display ip routing-table protocol static lists all the static routes, both active and inactive.


 A look up of the routing table after disabling a port for the active route with the shutdown

command will result in the backup route becoming the active route, and being added to the

routing table to forward packets in place of the lost route.
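The three forms of the ip route-static command, the preference and reject/blackhole options, and the active/inactive state reported by display ip routing-table protocol static (including the switch to the backup route when the main route's interface is shut down) can be exercised with the following Python model. It is an added example, not VRP code: the connected segments in CONNECTED, the addresses and the interface names are constructed for the example, and the rule that a next-hop address must lie on a directly connected segment for the route to be usable is a simplification of the next-hop resolution the text describes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Set, Tuple

STATIC_DEFAULT_PREFERENCE = 60

# Directly connected segments of the example router and the interface that reaches
# each one (constructed). A next-hop address is usable only if it lies in one of them.
CONNECTED: Dict[IPv4Network, str] = {
    IPv4Network("1.1.1.0/24"): "Serial 0",
    IPv4Network("2.2.2.0/24"): "Serial 1",
    IPv4Network("3.3.3.0/24"): "Serial 2",
}


@dataclass(frozen=True)
class StaticRoute:
    dest: IPv4Network
    gateway: str                 # next-hop address or interface name, as typed
    interface: Optional[str]     # interface the packet leaves by, if resolvable
    preference: int
    flag: Optional[str]          # "reject", "blackhole" or None


def parse_route_static(line: str) -> StaticRoute:
    """Parse one `ip route-static` command in the forms the text lists: mask as dotted
    decimal or prefix length; gateway as a next-hop address or an interface name (which
    may contain a space, e.g. "Serial 0"); optional preference, of which only the last
    counts when repeated; optional reject or blackhole attribute."""
    tokens = line.split()
    if tokens[:2] != ["ip", "route-static"] or len(tokens) < 5:
        raise ValueError(f"not an ip route-static command: {line!r}")
    dest = IPv4Network(f"{tokens[2]}/{tokens[3]}", strict=False)
    rest, gw_tokens = tokens[4:], []
    preference, flag = STATIC_DEFAULT_PREFERENCE, None
    i = 0
    while i < len(rest):
        if rest[i] == "preference":
            if i + 1 >= len(rest):
                raise ValueError("preference keyword without a value")
            preference = int(rest[i + 1])      # repeated keyword: the last value wins
            i += 2
        elif rest[i] in ("reject", "blackhole"):
            flag = rest[i]
            i += 1
        else:
            gw_tokens.append(rest[i])          # part of the gateway / interface name
            i += 1
    gateway = " ".join(gw_tokens)
    try:
        nexthop = IPv4Address(gateway)
    except ValueError:
        interface = gateway or None            # interface form
    else:                                      # next-hop form: must be on a connected segment
        interface = next((ifc for net, ifc in CONNECTED.items() if nexthop in net), None)
    return StaticRoute(dest, gateway, interface, preference, flag)


def active_static_routes(routes: Iterable[StaticRoute], down: Set[str]) -> List[StaticRoute]:
    """Static routes that enter the global routing table: per destination, those with the
    lowest preference value among the routes whose interface is up (all of them when they
    tie, giving load balancing). The others stay inactive and are listed only by
    `display ip routing-table protocol static`."""
    usable = [r for r in routes if r.flag or (r.interface and r.interface not in down)]
    best: Dict[IPv4Network, int] = {}
    for r in usable:
        best[r.dest] = min(best.get(r.dest, r.preference), r.preference)
    return [r for r in usable if r.preference == best[r.dest]]


def display_static(routes: List[StaticRoute], down: Set[str]) -> List[Tuple[str, int, str, str]]:
    """Rows resembling `display ip routing-table protocol static`: destination,
    preference, gateway and whether the route is Active or Inactive."""
    active = set(active_static_routes(routes, down))
    return [(str(r.dest), r.preference, r.gateway, "Active" if r in active else "Inactive")
            for r in routes]


# Constructed configuration of RTB from the route-backup example in the text.
CONFIG = [
    "ip route-static 10.1.1.1 255.255.255.255 1.1.1.1",
    "ip route-static 10.1.1.1 32 2.2.2.1 preference 100",
]
ROUTES = [parse_route_static(c) for c in CONFIG]

if __name__ == "__main__":
    for row in display_static(ROUTES, set()):
        print(row)
    print("after shutdown of Serial 0:")
    for row in display_static(ROUTES, {"Serial 0"}):
        print(row)
```

With both interfaces up, the preference-60 route is Active and the preference-100 route Inactive; passing {"Serial 0"} as the set of shut-down interfaces flips them, which is the failover the slide shows. A route whose next hop is not on any connected segment never becomes active, the same situation as a next hop the data-link layer cannot resolve.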


The default route is a special kind of route. Usually default routes are configured by administrators manually, but they can also be generated by routing protocols such as OSPF and IS-IS.

When a router receives a packet whose destination is not listed in the routing table, the router forwards the packet to the next hop defined by the default route. You can run the display ip routing-table command to see whether a default route is configured.

A packet is forwarded according to the default route if its destination matches none of the other routes in the routing table. If there is no default route either, the packet is discarded and an ICMP message is sent to notify the source that the destination host or network is unreachable.


 A default route is configured by setting the destination address and the mask to be 0s

(0.0.0.0 0.0.0.0) when you run the ip route-static command to configure a static route.


In the routing table, you may see the destination address of the default route is set to be

0.0.0.0 and the mask length is 0.


The default route supports both load balancing and route backup. If multiple default routes are configured with the same preference value, they share the load. If they have different preference values, the one with the best (lowest) preference value acts as the main route and the others are backup routes.

As the table above shows, the two static routes highlighted in red share the load after being configured with the same preference value, the default of 60.


What are the differences between load balancing and route backup for static routes?

Load balancing: packets are sent over several links in turn when there are multiple paths to their destination with the same metric and preference.

Route backup: if there are multiple routes heading for the same destination, the one with the best (lowest) preference value acts as the main route, and the others with worse preference values act as backup routes. A backup route is used only after the main route becomes invalid.

What is a default route?

The default route is a special route used for forwarding as a last resort. Usually default routes are configured by administrators manually, but they can also be generated by routing protocols such as OSPF and IS-IS. A default route is the route whose network address and mask are both all 0s in the routing table.


Routing protocols are like languages that build bridges between routers for information exchange. Information such as the network status and its reachability is shared among routers with the help of those routing protocols.

Dynamic routing protocols are not only responsible for selecting routes; they are also capable of finding another best route to the destination when the original one is no longer available. This feature is especially noteworthy when the network topology changes, and it is the main advantage of dynamic routing protocols over static routing.

The common routing protocols in use at present are RIP, OSPF, IS-IS and BGP. RIP is known for its simplicity of configuration and deployment; it is designed for exchanging routing information within a small to medium-sized network because it converges slowly. Developed by the IETF, OSPF is a complex but widely used protocol. IS-IS is a routing protocol based on a simple design with good extensibility and is extensively applied to large-scale SP (service provider) networks. BGP is used for exchanging routing information between autonomous systems (ASs).


At present, the common dynamic routing protocols are RIP, OSPF, IS-IS and BGP. RIP configuration is simple, but its convergence rate is slow, so RIP is commonly used in small and medium-sized networks. OSPF was developed by the IETF; the protocol principle of OSPF is more complex, and it is widely used. The IS-IS design idea is simple and it has good scalability, so it appears in large SP network deployments. BGP is used to exchange routing information between ASs.


A traditional definition of an autonomous system (AS) is a collection of IP networks and routers under the control of one entity that presents a common routing policy to the Internet. The definition has since developed into a collection of networks and routers that are managed by multiple entities and adhere to several routing policies.

AS numbers are assigned by the IANA and each AS is allocated a unique number to differentiate it from others. AS numbers range from 1 to 65535 and are divided into two ranges. The first range holds the public AS numbers, which may be used on the Internet and run from 1 to 64511. AS numbers in the second range, from 64512 to 65534, are known as private numbers and can only be used internally within an organization.


Routing protocols can be divided into IGPs and EGPs according to their working area.

IGP (Interior Gateway Protocol): a set of routing protocols that are used within an autonomous system, such as RIP and IS-IS. An IGP is mainly used to discover and calculate routes within an autonomous system.

EGP (Exterior Gateway Protocol): used to connect different autonomous systems. An EGP, such as BGP, controls the exchange of routing information between autonomous systems by means of routing policies and route filtering mechanisms.


Routing protocols can also be divided into distance-vector protocols and link-state protocols. RIP and BGP are examples of distance-vector protocols, and OSPF and IS-IS fall in the group of link-state protocols. BGP is also called a path-vector protocol.

Distance-vector routing protocols

They use the Bellman-Ford algorithm to calculate paths. In distance-vector routing protocols, each router sends its complete routing table to its neighboring routers at fixed intervals. What routers in a distance-vector network really care about is the metric, which means the distance between the router and the destination network, and the vector, which indicates the interface from which data is forwarded.

Advantages of distance-vector protocols: they are easy to configure and take up comparatively few memory and CPU resources.

Disadvantages of distance-vector protocols: poor extensibility; for example, the maximum hop count of RIP is limited to 16.

Link-state routing protocols

They are based on the Dijkstra algorithm, which is sometimes called the Shortest Path First (SPF) algorithm. This algorithm pays attention to the state of links or interfaces in the network, including whether they are up or down and their IP addresses and masks. Routers advertise the link states they know to the other routers in the area, and through this each router in the area builds up a complete link-state database for the area. Every router then draws its own topology map from the information it has collected, in the form of a graph showing which nodes are connected to which other nodes.

The primary advantage of link-state routing is that it reacts more quickly, and in a bounded amount of time, to connectivity changes. Routers send update information only when a link state changes, which saves the bandwidth of the links between routers. Some of the update information covers only the changes of link state instead of the whole routing table.


On some occasions, routing information should be shared among different routing protocols. For example, routes obtained from RIP may need to be imported into OSPF. The process of exchanging routing information between protocols is called route importation. This process can be one-way, as in the example of importing routes from RIP into OSPF, and it can also be two-way, with RIP and OSPF learning routes from each other.

The costs of different protocols cannot be compared and there is no formula to convert the cost of one protocol into another's. So we must set the metric again (some protocols can use the default value set by the system) when we import routes from one protocol into another. Improper importation may impose burdens on routers or lead to loops, so we must be careful with it.


What makes a good dynamic routing protocol?

(1) Correctness: the routing protocol should be able to find the optimal route correctly and without self-loops.

(2) Fast convergence: the routing protocol can respond to a new network topology quickly.

(3) Low cost: the cost (memory, CPU, network bandwidth) of the routing protocol itself is minimal.

(4) High security: the routing protocol is resistant to attack and provides high security.

(5) High adaptability: the routing protocol can be easily applied to networks of different topologies and scales.


What are the common dynamic routing protocols in use?

They are RIP, OSPF, IS-IS and BGP.

Into which domain classifications can dynamic routing protocols be divided?

Routing protocols can be grouped into two distinct classifications, either intra-AS or inter-AS, better known as Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs).

What classifications of dynamic routing protocols are there?

RIPv1/v2, OSPF and IS-IS fall in the first group and BGP belongs to the second. According to the algorithm, routing protocols can be categorized into distance-vector routing protocols and link-state routing protocols. RIPv1/RIPv2 and BGP are distance-vector protocols, and OSPF and IS-IS are link-state routing protocols.


The distance-vector (D-V) routing protocol is based on the Bellman-Ford algorithm. A router using the D-V algorithm sends its entire routing table to adjacent routers.

The adjacent routers compare the received routing table with their own routing tables. If a received route is new, it is added to the routing table directly. If a received route has the same destination as an existing route, the router compares the metrics of these routes and keeps the one whose metric is smaller in the routing table. The adjacent routers then broadcast their routing tables (with the new routes) to their own adjacent routers. The distance-vector routing protocol advertises routing information in the format (Distance, Direction): Distance indicates the metric, and Direction indicates the next hop.

Advantage of the distance-vector routing protocol: the configuration is simple, less memory is used and less CPU processing time is needed.

Disadvantage: the expandability is poor. For example, the maximum hop count in RIP cannot exceed 16.


When a router starts (at t0), it generates an entry for each directly connected network segment. The router is directly connected to the network segment, so the hop count is 0 and the next-hop router is represented as "– –" in the entry. The router then broadcasts the routing information on all links.


At t1, the routers receive and process the first update message. RTA receives the update message from RTB and finds that RTB has a route to 10.1.3.0 with 0 hops. This route is not contained in the routing table of RTA, so RTA adds it to its routing table and increases the hop count by 1. Thus RTA learns the route to 10.1.3.0 from the update message sent by RTB. Similarly, RTB learns the route to 10.1.1.0 from the update message sent by RTA and the route to 10.1.4.0 from the update message sent by RTC. RTC learns the route to 10.1.2.0 from the update message sent by RTB.


At t2, the next update period begins and new update packets are broadcast. RTA learns the route to 10.1.4.0 from RTB. RTC learns the route to 10.1.1.0 from RTB. Through the periodic update mechanism, each router obtains routes to all network segments. Finally, the network converges.


The D-V algorithm requires that each router sends its routing table to adjacent routers. When receiving a route update message, the router compares the new routing information with the original routing information in its routing table. The router then modifies the local routing table according to the comparison to keep pace with changes in the network.

The principles of updating the routing table are:

1. Adding new routes.

As shown in the figure, RTB receives the route update message from RTA. If a route entry of RTA, for example the route to 10.1.1.0, does not exist in the routing table of RTB, RTB adds this entry to its own routing table. In the routing table of RTB, the destination network of this route is 10.1.1.0; the metric (hop count) is the metric of this entry at RTA plus 1; the next-hop address is the IP address of RTA's interface connected to RTB, namely 10.1.2.1.


2. Changing the next-hop address and metric.

RTB receives the update message from RTA and finds that the metric to a network in the routing table of RTA is less than the metric in its own routing table minus 1. For example, for the same network 10.0.1.0, the route in the routing table of RTB needs 5 hops, while the route in the routing table of RTA needs 2 hops. 5-1>2, which indicates that the metric is smaller if the packet passes through RTA. Therefore, RTB changes the route entry in its routing table. The next hop is changed to the IP address of the interface on RTA, so subsequent packets are forwarded to the destination network by RTA. The route metric is the route metric of RTA plus 1.


3. Changing the metric (hop count) only.

As shown in the figure, the next hop from RTB to the network segment is RTA. The update message from RTA shows that the metric to the destination network segment has changed. At this time, the metric of this route entry in the routing table of RTB changes to the new metric of RTA plus 1. That is, the original metric 2 changes to 4+1=5.


4. Deleting unreachable routes.

In RTB's routing table, the next hop to the destination network is RTA, but the routing table of RTA no longer contains the route to this network. RTB then deletes this route entry from its routing table. Take the 10.0.3.0 entry in the figure as an example. In the routing table of RTB, the next hop is RTA. However, the update message sent by RTA does not contain this entry, which indicates that packets cannot reach 10.0.3.0 through RTA, so RTB needs to delete this entry from its routing table.


When a network fault occurs, network convergence may slow down because the routes in the routing table may be inconsistent with the routes in the actual network topology. In this case, a routing loop may be generated. This figure provides a simple network structure to show how a routing loop is generated. Before a fault occurs on network 11.4.0.0, all routers have correct and consistent routing tables and the network is converged. In this example, the route metric is represented by hop count, so the metric of each link is 1. Router C is directly connected to network 11.4.0.0, so its hop count is 0. Router B is connected to network 11.4.0.0 through Router C, so its hop count is 1. Router A is connected to network 11.4.0.0 through Router B and Router C, so its hop count is 2. When a fault occurs on network 11.4.0.0, a routing loop may be generated. The process is as follows:

1. When a fault occurs on network 11.4.0.0, Router C receives the information about the fault first. Router C then regards 11.4.0.0 as unreachable and waits until its update period begins to advertise the route change to the adjacent router. If the update period of Router B begins earlier than the update period of Router C, Router C learns a new route to 11.4.0.0 from Router B. Actually, the learned route is incorrect. Thus, the routing table of Router C records an incorrect route. (The next hop is Router B; the destination is 11.4.0.0; the hop count increases to 2.)

2. After learning the wrong route, Router C advertises it to Router B. Router B also records a wrong route to 11.4.0.0, of which the next hop is Router C and the hop count increases to 3.

3. Router B considers that network 11.4.0.0 is reachable through Router C, and Router C considers that network 11.4.0.0 is reachable through Router B. Thus, a loop is generated.


When a routing loop occurs, the count of hops to network 11.4.0.0 keeps increasing, and the network cannot converge. To avoid this problem, the RIP protocol limits the maximum hop count to 16. In the figure, when the hop count reaches 16, network 11.4.0.0 is considered unreachable. The router marks this route unreachable in the routing table and no longer updates the route to 11.4.0.0. By defining a maximum hop count, the distance-vector routing protocol prevents the route metric from increasing infinitely when a routing loop occurs, and the incorrect route information is eventually corrected. However, the routing loop still exists until the hop count reaches the maximum value. That is to say, this solution is only a remedial measure; it cannot avoid routing loops, it can only mitigate the damage they cause. Therefore, designers of routing protocols provide other solutions to reduce the probability of generating routing loops, for example split horizon and triggered update.


Split horizon is a common solution among distance-vector routing protocols to avoid routing loops. One cause of routing loops is a router learning a route from its neighbor and then advertising this route back to the same neighbor that advertised it. With split horizon, a router does not send routing information back to the neighbor from which that routing information was received.

As shown in the figure:

1. Router C advertises the route to network 11.4.0.0 to Router B. Router B then advertises this routing information to Router A. At the same time, Router B also sends this routing information to Router C. If network 11.4.0.0 works normally, Router C does not accept the route to 11.4.0.0 advertised by Router B, because Router C has a route to 11.4.0.0 with a smaller metric.

2. If the route from Router C to 11.4.0.0 becomes unreachable, Router C accepts the route to 11.4.0.0 advertised by Router B, although it is now an incorrect route. (Since the route from Router C to 11.4.0.0 is unreachable, the route learned by Router B from Router C is incorrect.) However, Router C does not know that the route is incorrect. Router B considers that 11.4.0.0 is reachable through Router C, and Router C considers that 11.4.0.0 is reachable through Router B. Thus, a routing loop is generated.

3. Split horizon solves this problem. Split horizon forbids a router to send routing information back out of the interface from which it arrived. In the figure, Router B learns the route to 11.4.0.0 from Router C. Split horizon forbids Router B to advertise this route to Router C again. This avoids routing loops to some extent.
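The count-to-infinity loop from the previous slides and the split-horizon fix, simulated as an added example that is not part of the course: the chain Router A - Router B - Router C from the figure is modelled with synchronous update rounds (a simplifying assumption about timing), and `simulate()` returns Router C's hop count to 11.4.0.0 after each round. The topology table and all function names are the editor's own.

```python
"""Count-to-infinity and split horizon on the slides' chain Router A - Router B - Router C.
Added example (not course material); routers exchange updates in synchronous rounds,
which is a simplifying assumption about timing."""

INFINITY = 16                   # RIP's unreachable hop count
NET = "11.4.0.0"                # the network attached to Router C in the figure
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # chain topology (constructed)


def converged_tables():
    """Routing tables before the fault: router -> {dest: (hop count, next hop)}."""
    return {"A": {NET: (2, "B")}, "B": {NET: (1, "C")}, "C": {NET: (0, None)}}


def advertised_hops(tables, sender, receiver, split_horizon):
    """What `sender` tells `receiver` about NET this round (None = nothing sent).
    Split horizon: never send a route back to the neighbor it was learned from."""
    hops, next_hop = tables[sender][NET]
    if split_horizon and next_hop == receiver:
        return None
    return hops


def update_router(router, tables, ads):
    """One D-V update step for `router` from this round's advertisements.
    Rule from the slides: a route re-advertised by the current next hop is always
    adopted (its metric may rise); other neighbors win only with a strictly smaller metric."""
    hops, next_hop = tables[router][NET]
    if next_hop is not None and ads.get((next_hop, router)) is not None:
        hops = min(ads[(next_hop, router)] + 1, INFINITY)
    for nbr in NEIGHBORS[router]:
        adv = ads.get((nbr, router))
        if nbr != next_hop and adv is not None and min(adv + 1, INFINITY) < hops:
            hops, next_hop = min(adv + 1, INFINITY), nbr
    return hops, next_hop


def simulate(split_horizon, max_rounds=40):
    """Fail NET at Router C, then run update rounds until the tables stop changing.
    Returns Router C's hop count to NET after each round."""
    tables = converged_tables()
    tables["C"][NET] = (INFINITY, None)       # fault: C's directly connected route is gone
    history = []
    for _ in range(max_rounds):
        ads = {(s, r): advertised_hops(tables, s, r, split_horizon)
               for s in NEIGHBORS for r in NEIGHBORS[s]}
        new_tables = {rtr: {NET: update_router(rtr, tables, ads)} for rtr in NEIGHBORS}
        history.append(new_tables["C"][NET][0])
        if new_tables == tables:
            break
        tables = new_tables
    return history


if __name__ == "__main__":
    print("no split horizon:", simulate(False))   # climbs 2, 4, 4, 6, ... until 16 caps it
    print("split horizon   :", simulate(True))    # Router C never learns the bogus route
```

Without split horizon Router C first records the bogus 2-hop route via Router B, exactly as step 1 on the previous slide describes, and the count then climbs in steps of two until the limit of 16 stops it; with split horizon Router B withholds the route from Router C and every router settles on 16 within three rounds.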


Route poisoning is a supplement to split horizon. Route poisoning can prevent routing loops to some extent and can suppress network flapping caused by interface resets. When a fault occurs in the network or an interface is reset, route poisoning suppresses the related route and starts a hold-down timer. Within the hold-down time, the router does not update the suppressed route. In this way, the routing loop is avoided and network flapping is suppressed.

As shown in the figure:

When a fault occurs on network 11.4.0.0, Router C sets the metric of the route to this network to 16 (unreachable) in its routing table, and thus this route is suppressed. Router C does not accept update messages for the route to 11.4.0.0 from the adjacent router. After Router B receives the advertisement from Router C indicating that the route metric to 11.4.0.0 is infinite, Router B sends a poison reverse update message to Router C. The update message indicates that 11.4.0.0 is unreachable. This update message violates the principle of split horizon, but it is used to confirm that all routers on this network segment know that the route is suppressed.


Route poisoning can avoid routing loops to some extent and can suppress network flapping caused by interface resets. When a fault occurs in the network or an interface is reset, route poisoning suppresses the related route and starts a hold-down timer. Within the hold-down time, the router does not update the suppressed route. In this way, the routing loop is avoided and network flapping is suppressed.

As shown in the figure:

1. When a fault occurs on network 11.4.0.0, Router C suppresses the related route entry in the routing table, that is, it sets the metric of the route to this network to 16, or unreachable. At the same time, Router C starts a hold-down timer. Within the hold-down time, if Router C receives a route reachable message from the same neighbor (or the same direction), it marks the network as reachable and stops the hold-down timer.

2. If Router C receives an update message from another neighbor advertising a route with a higher weight (a better route), Router C updates the routing table by selecting the new route. At the same time, Router C stops the hold-down timer.

3. Within the hold-down time, if Router C receives a route reachable update message but the weight of the new route is lower, Router C does not accept the new route. After the hold-down timer expires, if Router C receives this update message again, it updates the routing table.


As shown in the figure, when network 11.4.0.0 becomes unreachable, Router C obtains this information first. Generally, route update messages are sent to adjacent routers periodically. For example, RIP specifies that a router sends route update messages every 30 seconds. However, if the update message sent by Router B reaches Router C before the update period of Router C begins, Router C learns the wrong route to 11.4.0.0 and a routing loop is generated.

If Router C sends the update message immediately instead of waiting for the update period, this problem is avoided. This mechanism is called triggered update. Triggered update means that a router sends a triggered update message to adjacent routers immediately after the routing information changes. When a router detects that the network topology has changed, it immediately sends the triggered update message to its adjacent routers. All other routers also send triggered update messages immediately, and thus the triggered update messages spread through the entire network. In the figure, Router C immediately sends an update message to advertise that network 11.4.0.0 is unreachable. After Router B receives this message, it sends the network unreachable message out of interface S0. Router A then advertises this message out of interface E0.


Triggered update avoids routing loops to some extent, but it still cannot avoid the following problems:

1. The packet containing the update message may be discarded or damaged.

2. If a router receives the periodically sent update message from an adjacent router before receiving the triggered update message, the router learns the wrong routing information.

The above problems can be solved when triggered update is combined with hold-down timers. While the hold-down timer runs, the router does not update the route to the destination network that became unreachable. Therefore, combining triggered updates with hold-down timers ensures that the triggered update message has enough time to be transmitted through the network. As shown in the figure, when Router C detects that network 11.4.0.0 is disconnected, it deletes the route to this network immediately. Router C then sends a triggered update message to Router B and sets the route metric to 11.4.0.0 to infinite (16) to suppress this route. After receiving the triggered update message, Router B starts the hold-down timer and marks the network as "may be disconnected." At the same time, Router B sends a reverse update message to Router C, then sends a triggered update message to Router A to advertise that network 11.4.0.0 is unreachable. Router A then suppresses the route to 11.4.0.0 and sends a reverse update message to Router B.


What is a distance-vector routing protocol?

A distance-vector routing protocol is based on distance and vector. The distance-vector algorithm is also called the Bellman-Ford algorithm or the Ford-Fulkerson algorithm. With this protocol, a route is advertised in the format of distance (metric, hop count) and vector (direction, outgoing interface). Every router periodically sends its routing table to directly connected routers.

What are the methods used to prevent routing loops?

The methods for avoiding routing loops are: split horizon, route poisoning, hold-down timers, and triggered updates.


The Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol, but it is widely used. RIP is a routing protocol based on the distance-vector (D-V) algorithm. RIP exchanges routing information through UDP. A RIP router sends update messages every 30 seconds. If a router does not receive an update message from a peer router within 180 seconds, it marks all routes learned from that peer as unreachable. If it still does not receive an update message from the peer in the subsequent 120 seconds, it deletes these routes from the routing table.

RIP represents the distance to the destination network by hop count. In RIP, the hop count between a router and a directly connected network is 0. If the network can be reached through another router, the hop count increases by 1. The hop count increases with the number of routers between the source router and the destination network. In RIP, the metric is an integer ranging from 0 to 15. A hop count equal to or larger than 16 is defined as infinite, that is, the destination network or host is unreachable.

RIP runs on top of UDP: RIP routing information is encapsulated in UDP datagrams, and RIP uses port 520 to exchange routing information. When a router receives a route update message from a remote router, it notifies other routers of the changed route. In this way, routes are synchronized on all routers in the network.

To improve routing performance and avoid routing loops, RIP supports split horizon, poison reverse, and triggered updates. In addition, RIP can import routes learned through other routing protocols.


When RIP is enabled, the initial routing table contains only direct routes. After RIP is enabled on a router, the router broadcasts Request packets on all directly connected interfaces. When an adjacent router receives the Request packet on an interface, it broadcasts a Response packet, built from its routing table, to the network connected to that interface. When the router receives the Response packet from the adjacent router, it generates its routing table according to the Response packet. Based on the characteristics of the D-V algorithm, the devices involved in RIP are classified into active devices and passive devices. An active device actively broadcasts route update packets, and a passive device receives route update packets passively. Generally, a host is a passive device, and a router is both an active device and a passive device. That is, a router not only broadcasts route update packets, but also receives the D-V packets from other active devices and updates its routing table.

Huawei Networking Technology and Device Module 2 Part 6 RIP Routing Protocol



In RIP, a router broadcasts its routing table in Response packets every 30 seconds. After receiving a Response packet from a neighbor, the router calculates the metric of each route in the packet, compares the calculated metric with the metric of the route in its routing table, and updates the routing table. The route metric is calculated by the following formula: metric = Min (metric + cost, 16). Here, "metric" is the metric in the packet, and cost is the metric from the neighbor to the network on which the packet was received; the default value of cost is 1 (one hop). 16 means that the destination network is unreachable. When the local router receives a route update packet, it updates the routing table based on the following principles:

• For an existing route entry in the routing table, if the next hop is the adjacent router, the local router updates the entry (keeps the original metric and only resets the aging timer), regardless of whether the metric in the route update packet is larger or smaller. If the next hop is not the adjacent router, the local router updates the route entry only when the metric in the route update packet is smaller than the previous metric.

• For a route entry that does not exist in the routing table, the router adds it to the routing table if the metric is less than 16 (unreachable). Each entry in the routing table has an aging timer. If a route entry is not updated within 180 seconds, the aging timer times out and the metric of this route changes to 16 (unreachable). After the metric of a route changes to 16 and the route has been advertised in Response packets four times (120 seconds), this route is deleted from the routing table.
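The update principles above, together with the four D-V routing-table rules from the earlier slides (adding, changing next hop and metric, changing the metric only, and dropping unreachable routes), as an added example that is not course material: `RipTable` applies metric = Min(metric + cost, 16) to each advertised entry and runs the 180-second aging and 120-second deletion timers. Where this slide says the original metric is kept for a route whose next hop is the advertising neighbor, the example instead adopts the advertised metric, as D-V rule 3 on the earlier slide and RFC 2453 do; the class, its method names and the sample addresses are the editor's own.

```python
"""RIP routing-table update with the metric formula and the aging/deletion timers
described on the slides. Added example; names and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional

INFINITY = 16            # unreachable
AGING_TIMEOUT = 180      # seconds without a refresh before a route becomes unreachable
GARBAGE_TIMEOUT = 120    # seconds an unreachable route is kept before it is deleted


@dataclass
class Route:
    metric: int
    next_hop: str
    age: int = 0                     # seconds since the entry was last refreshed
    garbage: Optional[int] = None    # seconds since the metric became 16 (None while reachable)


class RipTable:
    def __init__(self):
        self.routes = {}             # destination network -> Route

    def process_response(self, neighbor_ip, entries, cost=1):
        """Apply one Response packet from `neighbor_ip`; `entries` is a list of
        (destination, advertised_metric). Returns {destination: action} for logging."""
        actions = {}
        for dest, adv_metric in entries:
            metric = min(adv_metric + cost, INFINITY)     # metric = Min(metric + cost, 16)
            route = self.routes.get(dest)
            if route is None:
                # New destination: accepted only if it is reachable
                if metric < INFINITY:
                    self.routes[dest] = Route(metric, neighbor_ip)
                    actions[dest] = "added"
                else:
                    actions[dest] = "ignored (unreachable)"
            elif route.next_hop == neighbor_ip:
                # Same next hop: follow its metric whether larger or smaller (D-V rule 3)
                # and restart the aging timer.
                actions[dest] = "refreshed" if route.metric == metric else "metric changed"
                route.metric, route.age = metric, 0
                if metric >= INFINITY and route.garbage is None:
                    route.garbage = 0          # poisoned by the next hop itself
                elif metric < INFINITY:
                    route.garbage = None
            elif metric < route.metric:
                # Different neighbor: replace only with a strictly smaller metric (D-V rule 2)
                self.routes[dest] = Route(metric, neighbor_ip)
                actions[dest] = "next hop changed"
            else:
                actions[dest] = "ignored (worse)"
        return actions

    def tick(self, seconds):
        """Advance the timers by `seconds`. Returns the destinations whose state changed:
        aged-out routes become unreachable (16); unreachable routes are deleted after 120 s."""
        changed = []
        for dest, route in list(self.routes.items()):
            if route.garbage is not None:
                route.garbage += seconds
                if route.garbage >= GARBAGE_TIMEOUT:
                    del self.routes[dest]
                    changed.append(dest)
            else:
                route.age += seconds
                if route.age >= AGING_TIMEOUT:
                    route.metric, route.garbage = INFINITY, 0
                    changed.append(dest)
        return changed


if __name__ == "__main__":
    # Constructed walk-through of the slides' RTB, learning from RTA at 10.1.2.1
    rtb = RipTable()
    print(rtb.process_response("10.1.2.1", [("10.1.1.0", 0), ("10.0.1.0", 2)]))
    print(rtb.process_response("10.1.2.1", [("10.0.1.0", 4)]))   # metric-only change
    print(rtb.tick(180), rtb.routes)                             # both routes age to 16
```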


RIP has two versions: RIPv1 and RIPv2. RIPv1 does not support Variable Length Subnet Masks (VLSM). RIPv2 supports VLSM, route aggregation, and Classless Inter-Domain Routing (CIDR). In addition, RIPv2 supports plain-text authentication and MD5 authentication. In RIPv1, packets are transmitted in broadcast mode. RIPv2 supports two transmission modes: broadcast and multicast. Multicast is adopted by RIPv2 by default; the multicast address for RIPv2 is 224.0.0.9. An advantage of multicast transmission is that networks that do not support RIP will not receive the RIP packets. Also, with multicast, network segments that run RIPv1 will not receive or process the RIPv2 routes.


This figure shows the format of the RIPv1 packet. A RIPv1 packet contains a command field, a version field, and multiple route entries (up to 25). Each route entry consists of the Address Family Identifier, the reachable IP address, and the hop count (Metric). If a router needs to send more than 25 route entries, the entries must be sent in multiple RIP packets. From the figure, you can see that the RIP packet header takes 4 bytes and each route entry takes 20 bytes. Therefore, the maximum length of a RIP packet is 4 + 25 x 20 = 504 bytes. Counting the 8-byte UDP header, the maximum length of the RIP packet (excluding the IP header) is 512 bytes.

The values and functions of the fields in the RIP packet are as follows:

Command: the value can only be 1 or 2. 1 represents the Request packet and 2 the Response packet. A router or host sends a Request packet to ask the peer router for routing information; the peer router responds with a Response packet. But in most cases, a router periodically sends Response packets without waiting for a Request packet.

Version: for RIPv1, the value is 1.

Address Family Identifier (AFI): for the IP protocol, the value is 2.

IP address: the destination address of the route. The value can be a network address or the address of a host.

Metric: the hop count. The value ranges from 1 to 16.


Compared with the RIPv1 packet, the RIPv2 packet adds the following fields to each route entry:

Route tag: 16 bits, used to mark external routes, that is, routes redistributed into RIPv2 from another protocol.

Subnet mask: 32 bits, the mask that goes with the IP address field, so the entry identifies the exact network or subnet.

Next hop: 32 bits, the next-hop IP address (0.0.0.0 means the advertising router itself).


All command lines are based on VRP 5.3.

On VRP series routers the default RIP version is RIPv1. Unless otherwise specified, RIPv2 is used in this course; how to change the RIP version is described later. The basic RIP configuration consists of the following:

Enable RIP.

[Quidway] rip

By default, RIP is not enabled.

Specify the network segment for RIP.

[Quidway-rip] network network-address

RIP runs only on interfaces whose addresses fall within a specified network segment. On an interface outside every specified segment, RIP neither sends nor receives routes, and it does not advertise that interface's network to other interfaces either. Therefore you must specify at least one network segment after enabling RIP. network-address is the address of the network on which RIP is to run; it is normally the network address of an interface and must be a natural (classful) network address. Once it is specified, RIP is enabled on all interfaces in that network segment.


The display rip command shows the running status and configuration of RIP. The most important fields of its output are described below.

RIP process: 1. The RIP process number is 1.

Public VPN-Instance. RIP is running in the public network instance, not in a VPN instance.

RIP version: RIP-2. The RIP version is 2.

Preference: 100. The preference of the RIP protocol is 100.

Maximum number of balanced paths: 6. Up to 6 equal-cost routes are kept for load balancing.

Update time: 30 sec. Routing updates are sent every 30 seconds.

Age time: 180 sec. A route is aged (set to unreachable) after 180 seconds without a refresh.

Suppress time: 0 sec. The route suppression duration is 0 seconds.

Networks: 192.168.1.0 172.16.0.0. The network segments on which RIP is enabled.


The display rip route command shows all active and inactive RIP routes together with the timer of each route. Its columns are:

Destination (Dest): destination IP address

Nexthop: next hop of the route

Cost: metric (hop count) of the route

Tag: route tag, used to distinguish internal routes from external (imported) routes

Sec: time in seconds that the route has been in its current state


All command lines are based on VRP 5.3.

The RIP version can be set in either of two places:

1. Global RIP version

version { 1 | 2 }: sets the RIP version for the whole process (RIP view). This command is supported by VRP 5.x only.

2. Interface RIP version

rip version { 1 | { 2 [ broadcast | multicast ] } }: sets the RIP version on one interface (interface view). By default the version on an interface is RIPv1.

RIPv2 supports two transmission modes, broadcast and multicast, with multicast as the default; the RIPv2 multicast address is 224.0.0.9. Using multicast means that hosts not running RIP do not have to process RIP packets, and that segments running RIPv1 neither receive nor process the RIPv2 routes. The version setting also decides what an interface accepts: a RIPv1 interface processes only RIPv1 packets and RIPv2 broadcast packets, not RIPv2 multicast packets; a RIPv2 interface in broadcast mode likewise receives RIPv1 and RIPv2 broadcast packets but not RIPv2 multicast packets; a RIPv2 interface in multicast mode receives only RIPv2 multicast packets and discards RIPv1 and RIPv2 broadcast packets. A version mismatch between neighbours is therefore one of the first things to check when routes are missing.

Note: when the global RIP version is configured, the interface version need not be configured. VRP 5.x supports this.


On Router A, the summary command enables route aggregation, so the routes 172.16.1.1/32, 172.16.1.2/32, and 172.16.1.3/32 are aggregated into one route, 172.16.0.0/16. The aggregated route uses the natural mask: 172 is a Class B address, so the mask length is 16.

RIPv2 supports route aggregation, and it is enabled by default: as soon as the RIP version is set to RIPv2, route aggregation takes effect automatically unless you disable it with undo summary. Aggregation improves the scalability and efficiency of large networks, because the advertised routing table no longer contains the specific subnet and host routes behind the summary. The table is smaller, so routers can handle more routes. With classful aggregation enabled, a router summarises subnet addresses to the natural network when it advertises them out of an interface that belongs to a different natural network. However, classful aggregation does not take effect while split horizon or poison reverse is configured on that interface, so to advertise aggregated routes across the natural network boundary you must disable both in the interface view:

[RTA-Serial0/0/0] undo rip split-horizon

[RTA-Serial0/0/0] undo rip poison-reverse // supported by VRP 5.x

Split horizon is the basic loop-prevention mechanism of RIP, so disable it only where required and watch for count-to-infinity behaviour afterwards.


Using the undo summary command, you can disable classful route aggregation to allow

routing between subnets. In this case, routing information of the subnet is

advertised. Route aggregation reduces the routing information in the routing table. By

default, route aggregation is enabled in RIPv2. In this example, three IP addresses are

configured for three loopback interfaces on Router A. RIP is enabled on these IPaddresses. Route aggregation is disabled by the undo summary command. These IP

addresses are advertised to other routers. Viewing the routing table of Router B, you can

find three host routes with these IP addresses.


The rip summary-address ip-address mask command configures a RIP router to advertise a manually aggregated route for a local address range. This command is supported by VRP 5.3.

ip-address: network address of the aggregated route

mask: subnet mask of the aggregated route

The undo rip summary-address ip-address mask command cancels the configuration. If both automatic (classful) and manual aggregation are enabled, the manually aggregated routes are absorbed into the automatically aggregated classful routes, that is, automatic aggregation wins. If the aggregated route needs a mask shorter than the natural mask, use manual aggregation on its own and disable automatic aggregation with undo summary.


Each routing protocol has a preference. When the same destination is learned through more than one protocol, the routing policy selects the route from the protocol with the best preference; the larger the preference value, the lower the preference. You can set the preference of RIP manually.

Set the preference of RIP protocol.

[Quidway-rip] preference value

Restore the preference of the RIP protocol to the default value.

[Quidway-rip] undo preference

By default, the preference of RIP protocol is 100.


RIP can import routing information learned by other routing protocols into the RIP routing table, and you can set the default cost of imported routes. The routes that can be imported are direct routes, static routes, OSPF routes, BGP routes, and IS-IS routes. To enable RIP to import routes of another protocol:

[Quidway-rip] import-route protocol [ allow-ibgp ] [ cost value ] [ route-policy route-policy-name ]

To stop importing routes of that protocol (the default):

[Quidway-rip] undo import-route protocol

By default, RIP imports no routes from other protocols. When protocol is bgp, the allow-ibgp keyword is optional: import-route bgp imports only EBGP routes, whereas import-route bgp allow-ibgp imports both EBGP and IBGP routes. Importing IBGP routes into an IGP may cause routing disorder, so use allow-ibgp with caution. If no cost is given for the imported routes, the default-cost is used; its default value is 0. In this example the cost is set to 10. The advertised metric is the route cost plus 1, so the cost of the routes received by RTB is 11.


The rip metricin value command sets the metric increment added to RIP routes received on an interface.

value: the metric increment for routes received on the interface, from 0 to 15. The default is 0.

When a route is received, the router adds the metricin value of the receiving interface to the route's metric before installing the route in the routing table, so the metric stored in the routing table changes. Increasing the metricin of an interface therefore increases the metric of every RIP route received on that interface; if the sum reaches 16 the route is treated as unreachable and is not installed.

Example: RTA receives the route 10.1.1.1/32 in a RIP update whose metric is 1. The metricin of RTA's receiving interface has been set to 5, so the cost of 10.1.1.1/32 in RTA's routing table is 1 + 5 = 6.


The rip metricout value command sets the metric increment added to RIP routes sent from an interface.

value: the metric increment for routes sent from the interface, from 1 to 15. The default is 1.

The increment is added to the route before it is advertised, so increasing the metricout of an interface increases the metric of every RIP route sent from that interface, while the metric in the local routing table is unchanged. In the example, RTB receives the routes 172.16.1.X in RIP updates with metric 4, because rip metricout 4 is configured on RTA's serial interface. The default metricin of RTB's serial interface is 0, so RTB calculates 4 + 0 = 4 and stores 172.16.1.X with cost 4 in its routing table.
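The update rules at the start of this section, the rip metricin and rip metricout increments, and the 180 s aging and 120 s garbage-collection timers can be followed in code. The following Python model is an added example written for this page, not VRP code: a neighbour's advertised metric plus the receiving interface's metricin is installed according to the same-next-hop / better-metric rules, routes whose metric reaches 16 are never installed, aged routes are poisoned and later deleted, and advertise() applies split horizon (or poison reverse) and the sending interface's metricout. The neighbour addresses and prefixes in the usage are made up.

```python
"""RIP route-table state machine: update rules, metricin/metricout, aging timers.

Added illustration for this page; it is not Huawei VRP code. Times are plain
seconds passed in by the caller so the timers can be stepped deterministically.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16          # a hop count of 16 means "unreachable"
AGE_TIMEOUT = 180      # seconds without a refresh before a route is poisoned (metric 16)
GARBAGE_TIMEOUT = 120  # seconds a poisoned route is still advertised before deletion


@dataclass
class RipRoute:
    prefix: str
    nexthop: str                         # neighbour that advertised the route, or "direct"
    metric: int
    last_update: float                   # time of the last refreshing update
    poisoned_at: Optional[float] = None  # when the metric became 16, if it did


class RipTable:
    def __init__(self) -> None:
        self.routes: Dict[str, RipRoute] = {}

    def add_direct(self, prefix: str, now: float) -> None:
        """Directly connected network: hop count 0, never aged out."""
        self.routes[prefix] = RipRoute(prefix, "direct", 0, now)

    def receive(self, neighbour: str, prefix: str, advertised: int, now: float,
                metric_in: int = 0) -> bool:
        """Process one route entry from a neighbour's Response packet.

        metric_in models 'rip metricin' on the receiving interface (default 0); the
        +1 per hop is added by the sender ('rip metricout', default 1). Returns True
        when the routing table changed (a plain timer refresh returns False).
        """
        metric = min(advertised + metric_in, INFINITY)
        cur = self.routes.get(prefix)
        if cur is None:
            if metric >= INFINITY:
                return False              # unknown and unreachable: nothing to install
            self.routes[prefix] = RipRoute(prefix, neighbour, metric, now)
            return True
        if cur.nexthop == "direct":
            return False                  # a directly connected network is never overridden
        if cur.nexthop == neighbour:
            # Same next hop: believe the neighbour even if the metric got worse,
            # and refresh the aging timer (RFC 2453 section 3.9.2).
            changed = cur.metric != metric
            cur.metric = metric
            if metric >= INFINITY:
                if cur.poisoned_at is None:
                    cur.poisoned_at = now
            else:
                cur.poisoned_at = None
                cur.last_update = now
            return changed
        if metric < cur.metric:
            # Different next hop: only a strictly better metric replaces the entry
            self.routes[prefix] = RipRoute(prefix, neighbour, metric, now)
            return True
        return False

    def tick(self, now: float) -> None:
        """Age routes: 180 s without refresh -> metric 16; 120 s later -> deleted."""
        for r in list(self.routes.values()):
            if r.nexthop == "direct":
                continue
            if r.poisoned_at is None and now - r.last_update >= AGE_TIMEOUT:
                r.metric, r.poisoned_at = INFINITY, now
            elif r.poisoned_at is not None and now - r.poisoned_at >= GARBAGE_TIMEOUT:
                del self.routes[r.prefix]

    def advertise(self, to_neighbour: str, metric_out: int = 1,
                  poison_reverse: bool = False) -> List[Tuple[str, int]]:
        """Entries for a Response sent towards one neighbour, with split horizon."""
        out: List[Tuple[str, int]] = []
        for r in self.routes.values():
            if r.nexthop == to_neighbour:
                if poison_reverse:          # tell the source its own route is unreachable
                    out.append((r.prefix, INFINITY))
                continue                    # split horizon: do not echo the route back
            out.append((r.prefix, min(r.metric + metric_out, INFINITY)))
        return out


if __name__ == "__main__":
    table = RipTable()
    table.add_direct("172.16.1.0/24", now=0)
    table.receive("10.0.0.1", "172.16.3.0/24", 1, now=0)   # learned from a neighbour, 1 hop
    table.receive("10.0.0.1", "172.16.9.0/24", 16, now=0)  # the 'rip metricout 16' case: ignored
    table.tick(now=300)                                    # never refreshed: poisoned, not yet deleted
    for route in table.routes.values():
        print(route.prefix, route.nexthop, route.metric)
```

The two troubleshooting cases later in this chapter map directly onto receive(): an advertised metric of 16 (or 15 plus a metricin of 1) is dropped before it ever reaches the table, and a route that stops being refreshed goes to metric 16 at 180 s and disappears 120 s after that.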


RIPv1 does not support packet authentication. RIPv2 provides two authentication modes: plain text (simple) authentication and MD5 authentication. The password of plain text authentication travels in clear in every update on the segment, so it only guards against accidental misconfiguration; it does not stop anyone who can capture the packets. MD5 authentication packets come in two formats, one described in RFC 2453 and the other in RFC 2082; the router supports both, and you select the format as required.

You configure the RIP authentication mode with the following command in the interface view:

rip authentication-mode { { simple password } | { md5 { rfc2082 key-string key-id | huawei key-string } } }

simple: use plain text authentication.

password: the password for plain text authentication, a character string. In plain text form the string contains 1 to 16 characters; in cipher text form it must contain 24 characters.

md5: use MD5 authentication.

rfc2082: the MD5 authentication packet uses the non-standard format (described in RFC 2082).

huawei: the MD5 authentication packet uses the standard format (described in RFC 2453).

key-string: the key for MD5 authentication. In plain text form the string contains 1 to 16 characters, for example 1234567. In cipher text form it must contain 24 characters of cipher text, for example _(TT8F]Y\5SQ=^Q`MAF4<1!!.

key-id: the ID of the key used in MD5 authentication, from 1 to 255.

The rip authentication-mode command sets the authentication mode and parameters for RIPv2; undo rip authentication-mode disables RIPv2 authentication. The mode, format and key must be identical on both ends of a link, otherwise the neighbours silently discard each other's updates.

The rip input command allows an interface to receive RIP packets and the rip output command allows it to send RIP packets. By default, an interface both receives and sends RIP update packets.
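The RIPv1/RIPv2 entry layout described earlier in this chapter and the authentication entries described on this slide can be exercised with the following Python code. It is an added example written for this page, not Huawei code or course material: it packs and parses the 4-byte header plus 20-byte slots, puts the simple password or the keyed-MD5 header into the first slot, appends the digest trailer, and checks a received packet (key ID, digest, sequence number). The keyed-MD5 layout follows RFC 2082 (authentication header in the first slot, 0xFFFF/0x0001 trailer, zero-padded 16-byte key appended in place of the digest while hashing); how VRP's rfc2082 and huawei variants differ on the wire is not stated on the page and is not modelled. The prefixes, passwords and key IDs in the usage are made up.

```python
"""RIPv2 packet encode/decode with simple and RFC 2082 keyed-MD5 authentication.
Added illustration for this page, not Huawei VRP code."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

CMD_REQUEST, CMD_RESPONSE = 1, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF          # 0xFFFF in the first slot marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3
ENTRY_LEN = 20                        # every slot after the 4-byte header is 20 bytes
MD5_DIGEST_LEN = 16
MD5_TRAILER_HDR = struct.pack("!HH", AFI_AUTH, 0x0001)


def ip2b(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def pack_entry(prefix: str, mask: str = "0.0.0.0", nexthop: str = "0.0.0.0",
               metric: int = 1, tag: int = 0) -> bytes:
    """Route entry: AFI, route tag, address, mask, next hop, metric
    (RIPv1 leaves tag, mask and next hop at zero)."""
    if not 1 <= metric <= 16:
        raise ValueError("metric must be 1..16")
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, ip2b(prefix), ip2b(mask), ip2b(nexthop), metric)


def build_plain(version: int, entries: List[bytes]) -> bytes:
    """Unauthenticated Response; 25 entries fill the 504-byte maximum."""
    if len(entries) > 25:
        raise ValueError("more than 25 entries: send several packets")
    return struct.pack("!BBH", CMD_RESPONSE, version, 0) + b"".join(entries)


def build_simple(password: str, entries: List[bytes]) -> bytes:
    """RIPv2 Response with simple-password authentication: the key is sent in clear."""
    if not 1 <= len(password) <= 16:
        raise ValueError("simple password is 1..16 characters")
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\0"))
    return struct.pack("!BBH", CMD_RESPONSE, 2, 0) + auth + b"".join(entries)


def _md5_key(key: str) -> bytes:
    # RFC 2082: the key is left-justified in a 16-byte field and zero-filled
    return key.encode()[:MD5_DIGEST_LEN].ljust(MD5_DIGEST_LEN, b"\0")


def build_md5(key: str, key_id: int, seq: int, entries: List[bytes]) -> bytes:
    """RIPv2 Response with RFC 2082 keyed MD5: auth header, routes, digest trailer."""
    body = b"".join(entries)
    rip_len = 4 + ENTRY_LEN + len(body)    # RIP-2 packet length = offset of the trailer
    auth_hdr = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_MD5, rip_len, key_id,
                           MD5_DIGEST_LEN, seq, 0, 0)
    pkt = struct.pack("!BBH", CMD_RESPONSE, 2, 0) + auth_hdr + body + MD5_TRAILER_HDR
    # while hashing, the padded key sits where the digest will go
    return pkt + hashlib.md5(pkt + _md5_key(key)).digest()


def parse(pkt: bytes, keys: Optional[Dict[int, str]] = None,
          last_seq: int = 0) -> Tuple[dict, List[dict]]:
    """Decode a RIPv1/RIPv2 packet and verify its authentication.
    keys maps key-id -> key (id 0 = simple password). A packet whose MD5 check
    fails yields no entries: their integrity is unknown."""
    if len(pkt) < 4 or (len(pkt) - 4) % ENTRY_LEN:
        raise ValueError("length is not 4 + n*20")
    keys = keys or {}
    cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    info = {"command": cmd, "version": ver, "auth": "none", "auth_ok": True, "seq": None}
    pos, end = 4, len(pkt)
    if ver == 2 and len(pkt) >= 24 and pkt[4:6] == b"\xff\xff":
        atype = struct.unpack("!H", pkt[6:8])[0]
        pos = 24
        if atype == AUTH_SIMPLE:
            pw = pkt[8:24].rstrip(b"\0").decode(errors="replace")
            info.update(auth="simple", password=pw, auth_ok=(keys.get(0) == pw))
        elif atype == AUTH_MD5:
            rip_len, key_id, dlen, seq = struct.unpack("!HBBI", pkt[8:16])
            info.update(auth="md5", key_id=key_id, seq=seq)
            ok = (dlen == MD5_DIGEST_LEN and rip_len >= 24 and (rip_len - 4) % ENTRY_LEN == 0
                  and rip_len + 4 + MD5_DIGEST_LEN == len(pkt)
                  and pkt[rip_len:rip_len + 4] == MD5_TRAILER_HDR
                  and seq >= last_seq            # non-decreasing: drops replayed old updates
                  and key_id in keys)
            if ok:
                expect = hashlib.md5(pkt[:rip_len + 4] + _md5_key(keys[key_id])).digest()
                ok = hmac.compare_digest(expect, pkt[rip_len + 4:])
            info["auth_ok"] = ok
            end = rip_len if ok else pos
        else:
            info.update(auth="unknown", auth_ok=False)
    entries = []
    for off in range(pos, end, ENTRY_LEN):
        afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + ENTRY_LEN])
        entries.append({"afi": afi, "tag": tag, "prefix": b2ip(addr), "mask": b2ip(mask),
                        "nexthop": b2ip(nh), "metric": metric})
    return info, entries
```

Feed parse() a simple-authentication packet and the password comes back verbatim in info["password"]: anyone who can capture traffic to 224.0.0.9 on the segment has the key. The keyed-MD5 trailer detects a changed metric or a wrong key and the non-decreasing sequence number rejects replayed older updates, but RFC 2082 keyed MD5 is not an HMAC and not a modern MAC; it is the strongest option this version of RIP offers, not a substitute for keeping untrusted hosts off the routing segment.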


What are the characteristics of the RIP protocol?

The Routing Information Protocol (RIP) is a distance-vector routing protocol and an interior gateway protocol (IGP), suited to small and medium-sized networks. It has two versions, RIPv1 and RIPv2. RIP exchanges routing information over UDP, using port 520. RIP supports loop-avoidance mechanisms such as split horizon, route poisoning, and triggered update.

What are the differences between RIPv1 and RIPv2?

RIPv1 is a classful routing protocol and does not support VLSM or CIDR. RIPv1 sends packets by broadcast and does not support authentication.

RIPv2 is a classless routing protocol and supports VLSM, route aggregation and CIDR. RIPv2 sends packets by broadcast or multicast (multicast address 224.0.0.9) and supports plain text and MD5 authentication.


The Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol based on the distance-vector (D-V) algorithm.

RIP exchanges routing information over UDP. A RIP router sends update messages every 30 seconds. If a router receives no update from a peer router within 180 seconds, it marks all routes learned from that peer as unreachable; if it still receives nothing in the following 120 seconds, it deletes those routes from the routing table.

RIP expresses the distance to a destination network as a hop count. A directly connected network has a hop count of 0; a network reached through one other router has a hop count of 1, and the hop count grows with the number of routers between the source router and the destination network. A RIP metric is an integer from 0 to 15; a hop count of 16 or more is defined as infinite, meaning the destination network or host is unreachable.

RIP runs on top of UDP: routing information is carried in UDP datagrams, exchanged on port 520. When a router receives a route update from a remote router, it notifies the other routers of the changed route, so that routes converge on all routers in the network.

To improve routing performance and avoid routing loops, RIP supports split horizon, poison reverse, and triggered update. In addition, RIP can import routes learned through other routing protocols.



Network description:

RTA is connected to RTB through a serial interface. RTA and RTB each have two loopback interfaces; the IP addresses of these interfaces are shown in the figure.

Fault description:

After the configuration, the routes that should be learned through RIP do not appear in the routing table.

The command lines in Part 7, RIP troubleshooting, are based on VRP 3.4.


The flowchart gives the main troubleshooting procedure. When a router fails to receive some or all routes, take the following steps to locate the fault:

1. Check whether RIP is enabled on the incoming interface.

The network command specifies the network segment on which RIP is enabled, and an interface can receive and send RIP routes only if RIP is enabled on it. Use display current-configuration configuration rip to view the RIP-enabled network segments and check that the incoming interface belongs to one of them. The specified network segment must be a natural network segment.

2. Check whether the incoming interface works normally.

Use display interface to view the status of the incoming interface. If its physical status is Down or Administratively Down, or its protocol status is Down, RIP cannot work on the interface, so first make sure the incoming interface is up.

3. Check whether the version of the RIP packets sent by the peer matches the RIP version configured on the local interface. If the received packets are of a version the incoming interface does not accept (see the version rules earlier in this chapter), the RIP routes are not accepted.

4. Check whether undo rip input is configured on the incoming interface. rip input allows an interface to receive RIP packets; undo rip input prohibits it. If undo rip input is configured on the incoming interface, RIP packets arriving there are not processed and no RIP routes are learned.


5. Check whether a routing policy filters the RIP routes.

The filter-policy import command filters received RIP routing information. If an ACL is used, run display current-configuration configuration acl-basic to check whether the routes from the neighbour are being filtered; if an IP prefix list is used, run display ip ip-prefix to check the configured policy. If the RIP routes are filtered out by the policy, correct the routing policy.

6. Check whether the additional metric set by rip metricin pushes the metric of the received route beyond 15. rip metricin sets the increment added to routes in received RIP packets. If the resulting metric exceeds 15, the router treats the route as unreachable and does not add it to the routing table.

7. Check whether the metric of the received RIP route itself exceeds 15. Likewise, a received route whose metric exceeds 15 is treated as unreachable and is not added to the routing table.

8. Check whether the routing table already contains the same route learned through another protocol.

Use display rip 1 route to check whether the local router has received the RIP route at all. It may be that the RIP route was accepted correctly but the routing table holds the same destination learned through another protocol such as OSPF or IS-IS. OSPF and IS-IS normally have a better preference than RIP, so the route management module selects their routes; display ip routing-table protocol rip verbose then shows the RIP routes as inactive.

If the fault persists after these steps, contact Huawei technical support or visit http://support.huawei.com.


Networking description:

RTA is connected to RTB through a serial interface. RTA and RTB each have two loopback interfaces; the IP addresses of these interfaces are shown in the figure.

Fault description:

After the configuration, the router does not send some or all of its routes.


The flowchart gives the main troubleshooting procedure. When a router fails to send some or all routes, take the following steps to locate the fault:

1. Check whether RIP is enabled on the outgoing interface. Use the network command to enable RIP on the network segment of the interface. An interface can receive and send RIP routes only if RIP is enabled on it. Use display current-configuration configuration rip to view the RIP-enabled network segments and check that the outgoing interface belongs to one of them. The specified network segment must be a natural network segment.

2. Check whether the outgoing interface works normally.

Use display interface to view the status of the outgoing interface. If its physical status is Down or Administratively Down, or its protocol status is Down, RIP cannot work on the interface, so first make sure the outgoing interface is up.

3. Check whether silent-interface is configured for the outgoing interface.

The silent-interface command suppresses the sending of RIP packets on an interface (received packets are still processed). Use display current-configuration configuration rip to check whether the interface is suppressed, and remove the suppression if the interface is expected to advertise routes.


4. Check whether undo rip output is configured on the outgoing interface.

rip output allows an interface to send RIP packets; undo rip output prohibits it. If undo rip output is configured on the outgoing interface, no RIP packets leave that interface.

5. Check whether rip split-horizon is in effect on the outgoing interface.

Run display current-configuration for the outgoing interface to see whether split horizon is configured; it is enabled on all interfaces by default. With split horizon, a route learned on an interface is never advertised back out of that same interface, so a route "missing" from the updates sent to the neighbour it was learned from is expected behaviour. Split horizon prevents routing loops, so be careful about disabling it.

6. Check whether a routing policy filters the RIP routes.

The filter-policy export command filters the routes RIP advertises. Only routes that pass the filter are added to the advertised routing table of RIP.

7. When the route contains the address of a local interface, check the status of that interface.

Run display interface to check the interface. If its physical status is Down or Administratively Down, or its protocol status is Down, the IP address of the interface is not added to the advertised routing table of RIP, so the route is not sent to the neighbour.

8. Check for other problems.

If the outgoing interface does not support multicast or broadcast and the packets must be sent to a multicast or broadcast address, RIP packets cannot be sent. In that case configure the peer command in the RIP view so that the routers send updates to a unicast address.

If the fault persists after these steps, contact Huawei technical support or visit http://support.huawei.com.


Fault description: RTA and RTB use different authentication keys, so they cannot receive routes from each other.

Analysis: If a router cannot receive any route from the peer, check the following:

1. Whether RIP is enabled on the interfaces connecting to the peer.

2. Whether the link between the routers is normal.

3. Whether the routing protocol is configured properly.

Using the related display commands you can see that RIP is enabled on the interfaces and the link between the routers is up, but the configuration of RTA differs from that of RTB. Comparing the configurations shows that both routers use password authentication, but with different keys. As explained in the preceding sections, RIPv2 can authenticate update packets to improve security; the authentication mode and the authentication key must be the same on both routers. If the modes or keys differ, each router ignores the other's update packets and no routing information is exchanged.


 After the authentication mode and key are configured correctly, the routers can learn

routing information of each other from the update packets.
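A matching configuration for the two routers, as an added example assembled from the commands on the preceding slides (it is not a configuration from the course): the weak minimum first, then a hardened RIPv2 setup. The host-facing Ethernet0/0/0 interface and the key string are assumed; the VRP 5.3 syntax from this chapter is used, so the md5 huawei form carries no key-id.

```text
// Before: the minimum configuration shown earlier. RIPv1, broadcast, no
// authentication: any host on the 172.16.0.0 or 192.168.1.0 segment can inject routes.
[RTA] rip
[RTA-rip] network 172.16.0.0
[RTA-rip] network 192.168.1.0

// After: RIPv2, MD5 authentication on the router-to-router link, no RIP
// exchange with the host segment (Ethernet0/0/0 and the key string are assumed).
[RTA] rip
[RTA-rip] version 2
[RTA-rip] network 172.16.0.0
[RTA-rip] network 192.168.1.0
[RTA-rip] undo summary
[RTA-rip] silent-interface Ethernet0/0/0      // no updates sent towards the hosts
[RTA-rip] quit
[RTA] interface Ethernet0/0/0
[RTA-Ethernet0/0/0] undo rip input            // and none accepted from them
[RTA-Ethernet0/0/0] quit
[RTA] interface Serial0/0/0
[RTA-Serial0/0/0] rip version 2 multicast     // RIPv1 speakers ignore 224.0.0.9
[RTA-Serial0/0/0] rip authentication-mode md5 huawei Hcda-R1p-K3y
[RTA-Serial0/0/0] quit

// RTB must use the same mode, format and key on the peer interface; with any
// difference both routers silently drop each other's updates, as in the fault above.
[RTB] interface Serial0/0/0
[RTB-Serial0/0/0] rip version 2 multicast
[RTB-Serial0/0/0] rip authentication-mode md5 huawei Hcda-R1p-K3y

// Verify on either side
[RTA] display rip
[RTA] display rip route
```

After the change, display rip on RTA should show RIP version RIP-2 and the two networks, and display rip route on each router should list the peer's loopback routes with the expected cost.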


Fault description: The metric of the route exceeds the hop-count limit of RIP, so the router does not accept the route.

Analysis: RIP limits the hop count to 15. If a path in the network needs more than 15 hops, RIP is not applicable to that network.

An additional metric is an increment (in hops) added to the original metric. rip metricin sets the increment added to a received route when it is installed in the routing table, so the metric in the routing table changes as well. rip metricout sets the increment added to a route when it is advertised, and the metric in the local routing table does not change. For example, after rip metricout 16 is configured on RTB, the route to 172.16.3.0 arrives at RTA with a hop count of 16, and RTA does not add it to its routing table.

The command lines used here are based on VRP 3.4.


Viewing the routing tables of RTA and RTB, you can find that the route to 172.16.2.0 is

added to the routing table of RTB, while route to 172.16.3.0 is not added to the routing table

of RTA.


Change the additional metric to 15, and RTA will add the route to 172.16.3.0 to its routing

table. Command lines used here are based on VRP3.4.


Fault description: The subnets are discontiguous, so the routing information cannot be added to the routing table.

Analysis: The subnets of network 162.16.0.0 are separated by another network segment. RTA and RTB run RIPv1, a classful routing protocol, so across that boundary they advertise the Class B network address 162.16.0.0 instead of the exact subnet addresses 162.16.2.0 and 162.16.3.0.


When RTA receives the update packet for the route to 162.16.0.0, it does not add the route to its routing table, because it already has a directly connected network segment, 162.16.2.0.

Page 303: HCDA v1.6 En

To solve this problem, enable RIPv2 on the routers, because RIPv2 is a classless routing protocol. Then use the undo summary command to enable the CIDR function, that is, to stop automatic summarization to the classful network.

Page 304: HCDA v1.6 En

After you modify the configuration, RTB advertises the route with the exact address 162.16.3.0, and RTA adds the route to its routing table.
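The two RIP faults walked through above (the rip metricout 16 route that RTA refuses, and the RIPv1 classful update for 162.16.0.0 that collides with RTA's connected subnet) as an added Python model of the sender and receiver rules; this is illustration code, not part of the course or of VRP, and it assumes the VRP defaults of metricout 1 and metricin 0 and a connected-route metric of 0.

```python
import ipaddress

RIP_INFINITY = 16  # in RIP a metric of 16 hops means "unreachable"


def classful_network(prefix):
    """Return the classful (Class A/B/C) network containing prefix.

    RIPv1 updates carry no subnet mask, so a sender can only announce the
    classful network; the class is taken from the first octet.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8          # Class A
    elif first_octet < 192:
        length = 16         # Class B (162.16.0.0 on the slide)
    elif first_octet < 224:
        length = 24         # Class C
    else:
        raise ValueError(f"{prefix} is not a unicast Class A/B/C address")
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def advertise(local_prefix, local_metric, version=2, metricout=1, summary=True):
    """Build the route entry a router puts into its update packet.

    rip metricout adds metricout hops to the advertised metric only; the
    local routing table keeps local_metric (the default increment of 1 is
    an assumption here).  RIPv1, and RIPv2 with summarization enabled,
    announce the classful network instead of the exact subnet.
    """
    net = ipaddress.ip_network(local_prefix, strict=False)
    if version == 1 or summary:
        net = classful_network(local_prefix)
    return {"prefix": net, "metric": local_metric + metricout}


def receive(entry, metricin=0, connected=()):
    """Return (installed, reason) for a received route entry.

    rip metricin adds metricin hops on receipt, and the increased metric is
    what goes into the routing table (default 0 is an assumption).  A
    classful summary is rejected when the receiver already has a directly
    connected subnet inside it, which is the discontiguous-subnet fault.
    """
    metric = entry["metric"] + metricin
    if metric >= RIP_INFINITY:
        return False, f"metric {metric} is unreachable (>= {RIP_INFINITY})"
    prefix = entry["prefix"]
    for c in connected:
        cnet = ipaddress.ip_network(c, strict=False)
        if cnet != prefix and cnet.subnet_of(prefix):
            return False, f"{prefix} overlaps directly connected {cnet}"
    return True, f"installed {prefix} with metric {metric}"


def metricout_case(metricout):
    """RTB advertises its connected 172.16.3.0/24 to RTA with rip metricout."""
    entry = advertise("172.16.3.0/24", 0, version=2, metricout=metricout,
                      summary=False)
    return receive(entry, metricin=0, connected=["172.16.2.0/24"])


def classful_case(version, summary):
    """RTB advertises 162.16.3.0/24 to RTA, which has 162.16.2.0/24 connected."""
    entry = advertise("162.16.3.0/24", 0, version=version, summary=summary)
    return receive(entry, connected=["162.16.2.0/24"])


if __name__ == "__main__":
    print("rip metricout 16:", metricout_case(16))
    print("rip metricout 15:", metricout_case(15))
    print("RIPv1:", classful_case(1, True))
    print("RIPv2, undo summary:", classful_case(2, False))
```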

Page 305: HCDA v1.6 En

What are the steps for troubleshooting received RIP routes?

1. Check whether RIP is enabled on the incoming interface.

2. Check whether the incoming interface works normally.

3. Check whether the version of the received RIP packet is the same as the RIP version configured on the incoming interface.

4. Check whether the undo rip input command is configured on the incoming interface.

5. Check whether a routing policy is configured to filter the received RIP routes.

6. Check whether the additional metric set by the rip metricin command makes the metric of the received route exceed 15.

7. Check whether the metric of the received route exceeds 15.

8. Check whether the routing table already contains the same route learned through another routing protocol.

What are the steps for troubleshooting sent RIP routes?

1. Check whether RIP is enabled on the outgoing interface.

2. Check whether the outgoing interface works normally.

3. Check whether the silent-interface command is configured on the outgoing interface.

4. Check whether the undo rip output command is configured on the outgoing interface.

5. Check whether split horizon is configured on the outgoing interface.

6. Check whether a routing policy is configured to filter the routes imported into RIP.

7. Check the status of the local interface if the route to be advertised contains the address of the local interface.

8. Check whether other problems exist.

Page 309: HCDA v1.6 En

Open Shortest Path First (OSPF) is an IGP based on the link state algorithm. OSPF was developed by the Internet Engineering Task Force (IETF) and has three versions. OSPFv1 is defined in RFC 1131; this version was experimental and was never released for public use. OSPFv2 is used for IPv4 and was initially defined in RFC 1247; RFC 2328 is the latest standard document for OSPFv2. OSPFv3 is used for IPv6. Unless otherwise specified, OSPF refers to OSPFv2 in this course.

OSPF is carried directly over IP and uses IP protocol number 89. An OSPF packet consists of a header and a packet body. The format of the OSPF packet is described in the HCDP course and is not explained here.

Page 310: HCDA v1.6 En

The following features of OSPF enable its extensive use:

Supports CIDR.

Early routing protocols, such as RIPv1, do not support CIDR. OSPF supports CIDR and allows the advertised routing information to carry the subnet mask, so that routing information is not limited to classful networks.

Supports area division.

OSPF allows dividing an autonomous system (AS) into areas so that the network can be managed more flexibly.

Avoids route loops.

The design of OSPF avoids route loops. OSPF allows dividing an AS into areas. Routers in an area use the SPF algorithm, which avoids route loops. Route loops between areas are avoided through the area connection rule specified by OSPF.

Converges quickly when the network topology changes.

OSPF adopts triggered updates: when the network topology changes, the new link state is flooded immediately. OSPF is sensitive to topology changes, so routes converge quickly.

Forwards protocol data through IP multicast.

An OSPF router sends and receives protocol data through multicast or unicast, which keeps protocol traffic low.

Supports equal-cost routes.

OSPF supports equal-cost routes. When multiple routes to the same destination have the same cost, traffic is shared evenly among them. Through this load balancing, link bandwidth is used more efficiently.

Supports authentication of protocol packets.

In a network that requires higher security, OSPF routers can authenticate protocol packets. Packets are accepted between OSPF routers only after they pass authentication, which improves network security.

Page 311: HCDA v1.6 En

OSPF is an open standard routing protocol and is extensively used by network carriers. OSPF can be applied to both enterprise networks and carrier-class IP networks. This slide lists the differences between OSPF, RIPv2, and RIPv1.

Page 312: HCDA v1.6 En

Compared with RIP, OSPF is a more advanced interior gateway protocol. Although both are IGPs, OSPF and RIP are totally different: OSPF is based on the link state algorithm, while RIP is based on the distance-vector algorithm. As described in the RIP course, distance-vector protocols select routes based on hop count and do not consider network resources such as link bandwidth, so a path with high bandwidth may not be selected.

OSPF selects routes according to the link state. OSPF converges quickly and does not limit the hop count. OSPF routers advertise link information instead of periodically sending route update packets. Therefore, OSPF is more applicable to large-scale networks. (A link can be regarded as an interface on a router. The link state is the description of the interface and of the relation between the local router and the adjacent router.) The calculation process of OSPF is described later.

Page 313: HCDA v1.6 En

Unlike early routing protocols that use the distance-vector algorithm, OSPF uses the link state algorithm. The route calculation process of the link state algorithm is as follows.

An OSPF router floods link state advertisements (LSAs) to notify other routers of the status of its local links, for example, available interfaces, reachable neighbors, and the adjacent network segments. Flooding is the process of sending and synchronizing link state information between routers.

Each router generates a link state database (LSDB) from the LSAs advertised by other routers and its own LSAs. The LSDB describes the detailed network topology of the routing area; all routers in the same area have the same LSDB.

Based on the LSDB, each router calculates a shortest path tree with the SPF algorithm. The local router is the root of the tree, and the other nodes in the network are leaves. The shortest path tree calculated through the SPF algorithm has no route loops.

The shortest path tree of each router yields the routing table listing the routes to the other nodes in the network. Thus, each OSPF router knows the routes to the other routers.
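The calculation just described, as an added Python illustration that is not code from the course: every router runs the SPF algorithm over the same constructed four-router LSDB, roots the tree at itself, derives next hops, verifies the tree is loop-free, and recomputes when a new LSA changes or removes a link. It also keeps equal-cost parents, which shows the equal-cost routes feature listed earlier; the router names and link costs are made up for the example.

```python
import heapq
from copy import deepcopy

# Constructed LSDB in adjacency-list form: router -> {neighbor: link cost}.
# After flooding, every router in the area holds this same database.
LSDB = {
    "RTA": {"RTB": 10, "RTC": 5},
    "RTB": {"RTA": 10, "RTC": 3, "RTD": 1},
    "RTC": {"RTA": 5, "RTB": 3, "RTD": 8},
    "RTD": {"RTB": 1, "RTC": 8},
}


def spf(lsdb, root):
    """Dijkstra's SPF: shortest path tree rooted at root.

    Returns (cost, parents): cost[node] is the total path cost and
    parents[node] lists every predecessor on an equal-cost shortest path
    (more than one parent means OSPF equal-cost load balancing applies).
    """
    cost = {root: 0}
    parents = {root: []}
    heap = [(0, root)]
    done = set()
    while heap:
        c, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = c + link_cost
            if nbr not in cost or new_cost < cost[nbr]:
                cost[nbr] = new_cost
                parents[nbr] = [node]
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == cost[nbr] and node not in parents[nbr]:
                parents[nbr].append(node)   # equal-cost alternative path
    return cost, parents


def first_hops(parents, root, dest):
    """Walk the tree back towards the root to find the next hop(s) for dest."""
    hops = set()
    for p in parents[dest]:
        hops |= {dest} if p == root else first_hops(parents, root, p)
    return hops


def routing_table(lsdb, root):
    """Derive {destination: (cost, sorted next hops)} from the SPF tree."""
    cost, parents = spf(lsdb, root)
    return {
        dest: (cost[dest], tuple(sorted(first_hops(parents, root, dest))))
        for dest in cost if dest != root
    }


def is_loop_free(parents, root):
    """Every node's parent chain must reach the root without revisiting a node."""
    for node in parents:
        seen = {node}
        cur = node
        while cur != root:
            cur = parents[cur][0]
            if cur in seen:
                return False
            seen.add(cur)
    return True


def flood_link_change(lsdb, a, b, new_cost=None):
    """Simulate a new LSA: change (or remove, if new_cost is None) link a-b."""
    updated = deepcopy(lsdb)
    for x, y in ((a, b), (b, a)):
        if new_cost is None:
            updated[x].pop(y, None)
        else:
            updated[x][y] = new_cost
    return updated


if __name__ == "__main__":
    print("RTA:", routing_table(LSDB, "RTA"))
    print("RTD:", routing_table(LSDB, "RTD"))
    print("RTA after RTB-RTD fails:",
          routing_table(flood_link_change(LSDB, "RTB", "RTD"), "RTA"))
```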

Page 314: HCDA v1.6 En

OSPF uses five types of packets, all carrying the same OSPF header. An OSPF router uses these packets to discover neighbors and maintain the neighbor relation, synchronize the LSDB, and exchange routing information:

Hello packet: A common packet used to discover neighbors and maintain the neighbor relation. The Hello packet is also used to elect the designated router (DR) and backup designated router (BDR) in broadcast and NBMA networks.

DD packet: Routers use Database Description (DD) packets to describe their LSDBs when synchronizing them. A DD packet consists of LSA headers; an LSA header uniquely identifies an LSA. The LSA header is only a small part of an LSA, so describing the database with headers reduces the protocol traffic transmitted between routers. From the LSA header, the peer router checks whether it already has the LSA.

LSR packet: After two routers exchange DD packets, each router knows which LSAs exist in the LSDB of the peer but not in its local LSDB. The router then sends a Link State Request (LSR) packet to request these LSAs. The LSR packet contains the summary of the required LSAs.

LSU packet: A Link State Update (LSU) packet is used to send the requested LSAs to the peer router. An LSU packet carries a combination of multiple LSAs.

LSAck packet: A Link State Acknowledgment (LSAck) packet is used to acknowledge received LSU packets.

Page 315: HCDA v1.6 En

To exchange link state and routing information, two OSPF routers need to establish the neighbor relation.

Neighbor

After an OSPF router starts, it sends Hello packets through its OSPF interfaces to discover neighbors. An OSPF router that receives a Hello packet checks the parameters in the packet. If the parameters are consistent on the two routers, the two routers establish the neighbor relation.

Adjacency

Not all neighboring routers establish an adjacency. Adjacency establishment depends on the network type. A real adjacency is established only if the routers exchange DD packets successfully and can exchange LSAs. To send LSAs, a router must discover the neighbor and establish an adjacency with it.

In this example, RTA is connected to three routers through Ethernet. RTA has three neighbors, but that does not mean RTA establishes three adjacencies.

Page 316: HCDA v1.6 En

Not all neighbors can establish an adjacency to exchange link state and routing information. Adjacency establishment depends on the network type, namely, the layer-2 link type of the OSPF network.

Based on the link-layer protocol, OSPF networks are classified into point-to-point networks, broadcast networks, NBMA networks, and point-to-multipoint networks.

Point-to-point network: A network that directly connects two routers. Link-layer protocols for the point-to-point network are PPP, LAPB, and HDLC. In a point-to-point network, neighboring routers establish the adjacency directly.

Broadcast network: If the link-layer protocol is Ethernet or FDDI, the network is considered a broadcast network by default. The network shown on the right of the figure is a broadcast network. Ethernet is a common link-layer protocol for broadcast networks. In broadcast, NBMA, and point-to-multipoint networks, routers establish adjacencies selectively.

Page 317: HCDA v1.6 En

A non-broadcast network can connect more than two routers, but it does not support broadcast. In non-broadcast networks, OSPF has two operation modes: non-broadcast multi-access (NBMA) and point-to-multipoint.

NBMA

In an NBMA network, routers must be fully meshed. An ATM network with full-mesh connections is an NBMA network. In an NBMA network, OSPF simulates its operation on broadcast networks, but the neighbors of each router must be configured manually. Common link-layer protocols for NBMA networks are Frame Relay and ATM.

Page 318: HCDA v1.6 En

Point-to-multipoint

A network that cannot be fully meshed adopts the point-to-multipoint mode; a Frame Relay network is such a network. In this mode, the entire non-broadcast network is regarded as a group of point-to-point networks. A router discovers its neighbors by using a lower-layer protocol, for example, inverse ARP. The point-to-multipoint network type is not a default type in OSPF.

Page 319: HCDA v1.6 En

In broadcast and NBMA networks, if every pair of routers had to establish an adjacency, route convergence would be very slow. Use of the designated router (DR) and backup designated router (BDR) solves this problem. A broadcast network or NBMA network containing at least two routers has one DR and one BDR.

Functions of the DR and BDR:

The DR and BDR reduce the number of adjacencies and thus the exchanges of link state and routing information. Use of the DR and BDR reduces bandwidth consumption and lowers the load on routers. A router that is neither the DR nor the BDR is called a DRother. A DRother establishes adjacencies and exchanges link state and routing information only with the DR and the BDR. This mode greatly reduces the number of adjacencies and raises route convergence speed in large-scale broadcast and NBMA networks.

In the figure, RTA has three neighbors, but it establishes adjacencies only with the DR and the BDR. RTA does not establish an adjacency with the other router and does not exchange routing information with it. To sum up, establishment of the adjacency depends on the network type. In a point-to-point network, the two routers establish an adjacency. A point-to-multipoint network can be regarded as a group of point-to-point networks, and an adjacency is established between each pair of directly connected routers. In a broadcast or NBMA network, a DR and a BDR are elected, and DRothers establish adjacencies only with the DR and the BDR.

Page 320: HCDA v1.6 En

Autonomous system

An autonomous system is a set of routers that use the same routing policy and are managed by the same technical administration. In the OSPF course, an autonomous system refers to a group of routers that exchange routing information by using the same routing protocol. In this course, autonomous system is abbreviated to AS. As an IGP based on the link state algorithm, OSPF takes effect only within an AS.

Area

An area is a set of routers and the networks connected to them. As shown in the figure, three routers and the networks connected to them form an area. Single area means that all routers running OSPF belong to the same area. OSPF requires that all routers in the same area have the same LSDB.

Router ID:

To run OSPF, a router must have a router ID. The LSDB records the topology of the network, including the routers in it, so each router must have a unique identifier in the LSDB. A router ID is a 32-bit integer that uniquely identifies a router in an AS. Each OSPF router has a router ID, written in the format of an IP address. The IP address of a loopback interface of the router is recommended as the router ID.

Page 321: HCDA v1.6 En

In this example, the topology for OSPF single-area configuration is as follows: RTA and RTB are located in the network. Each router uses the IP address of Loopback0 as its router ID. RTA and RTB belong to Area 0. Configuration of interfaces and IP addresses is not covered here; refer to the related basic courses.

The procedure for basic OSPF configuration is as follows:

Run the router id router-id command to specify the router ID. If the router ID is not specified, OSPF uses the largest loopback IP address as the router ID. If no loopback interface is configured, the largest IP address among the physical interfaces is used as the router ID.

Run the ospf [ process-id ] command to enable OSPF. OSPF supports multiple processes; if the process ID is not specified, process 1 is used by default. Run the area area-id command to enter the area view.

Run the network ip-address wildcard command to specify the network segment included in the area. When specifying the network, use the wildcard mask of the network segment.

Page 322: HCDA v1.6 En

After the configuration, you can use the related commands to check it. For example, you can use the display ospf routing command to display the OSPF routing table.

[RTA] display ospf routing

In this example, this command displays the OSPF routing table of RTA. The output shows that the OSPF routing table of RTA contains three route entries, all in Area 0. Each route entry shows the network segment, the next hop, the router that advertises the route, and the area the route belongs to. From the output, you can see that the OSPF configuration is correct and that RTA and RTB can exchange routing information.

Page 323: HCDA v1.6 En

As the network size increases, the number of devices in the same converged domain grows, and so do their routing tables. If all routers in a large-scale network run OSPF, an increasing amount of storage is occupied, because the LSDB becomes very large when many routers are added to the network. A huge LSDB makes the SPF calculation very complex and burdens the CPU. When the network grows, the probability of topology changes also increases, and the network often flaps. Under such conditions, a large number of OSPF packets are transmitted in the network, which lowers bandwidth utilization. To make it worse, each time the network topology changes, all routers in the network must recalculate their routes.

To avoid this problem, OSPF divides an AS into areas. Areas logically classify routers into different groups. An area is identified by an area ID.

An area is a combination of network segments. OSPF allows network segments to form an area. Dividing an AS into areas reduces the LSDB size and reduces network traffic.

The detailed topology within an area is not sent to other areas. Areas exchange only abstract routing information, not link state information. Areas maintain different LSDBs: each router maintains an independent LSDB for each area connected to it. Since link state information is not advertised to other areas, the LSDB is much smaller.

Area 0 is the backbone area. It advertises the inter-area routing information (not detailed link state information) summarized by border routers to the non-backbone areas. To avoid routing loops, non-backbone areas cannot advertise inter-area routing information. Each border router, therefore, must have at least one interface in Area 0. That is, all non-backbone areas must be connected to the backbone area.

Page 324: HCDA v1.6 En

OSPF defines the following types of router:

Internal Router (IR)

An IR is a router all of whose interfaces connect to network segments in the same area. IRs in the same area maintain the same LSDB.

Area border router (ABR)

An ABR is a router connected to multiple areas. An ABR maintains an LSDB for each area connected to it. ABRs exchange inter-area routing information.

Backbone router (BR)

A BR is a router that has at least one interface (or virtual connection) in the backbone area. All ABRs, and all routers whose interfaces are all in the backbone area, are BRs. Non-backbone areas must be directly connected to the backbone area, so BRs usually process routing information of multiple areas.

AS boundary router (ASBR)

An ASBR is a router that exchanges routing information with routers in other ASs. The ASBR advertises routing information of other ASs to all routers in its own AS; routers in an AS communicate with routers in other ASs through the ASBR. An IR or ABR can act as an ASBR. An ASBR can be in the backbone area or in a non-backbone area.

Page 325: HCDA v1.6 En

As shown in the figure, the AS is divided into Area 0, Area 1, and Area 2. OSPF requires non-backbone areas to be directly connected to the backbone, so Area 1 and Area 2 are connected to Area 0. On RTA, Area 1 must be configured. On RTB, Area 0 and Area 1 must be configured. On RTC, Area 0 and Area 2 must be configured. On RTD, Area 2 must be configured.

RTA and RTB exchange LSAs to generate their LSDBs; the LSDBs of RTA and RTB are the same. Since RTB also belongs to Area 0, RTB maintains another LSDB for Area 0, which is the same as the Area 0 LSDB on RTC. Similarly, RTD and RTC maintain the same LSDB for Area 2.

The configuration is similar to that of a single area, and the commands are omitted here. When configuring multiple areas, network segments must be specified for each area separately. For example, network segment 2.2.2.2 is specified in Area 1, so this network segment cannot be specified in Area 0. Note that a network segment cannot belong to multiple areas.

The configuration of RTA is similar to that of RTD; note the configuration of RTD shown later.

Page 326: HCDA v1.6 En

This page shows the configuration of RTC. Two areas are configured on RTC: Area 0 and Area 2. Their network segments are specified separately.

Page 327: HCDA v1.6 En

Only one area (Area 2) is configured on RTD, so network segments are specified only for Area 2.

Page 328: HCDA v1.6 En

Using the display ospf routing command, you can verify the configuration. You can also use the following command to view information about the neighbors of an OSPF router:

display ospf peer

In the output:

Area indicates the area a neighbor belongs to.

Interface indicates the interface connected to this neighbor.

Router Id indicates the router ID of the neighbor.

Address indicates the address of the neighboring interface.

RTB has two neighbors: RTA in Area 1 and RTC in Area 0.

The first line of the output, OSPF Process 1 with Router ID 2.2.2.2, indicates that the router ID of RTB is 2.2.2.2.

The following lines:

Area 0.0.0.0 interface 10.1.2.1(Ethernet0/1)'s neighbors

Router ID: 3.3.3.3 Address: 10.1.2.2

indicate that the neighbor belongs to the backbone area, Area 0; the IP address of the interface connected to the neighbor is 10.1.2.1; the router ID of the neighbor is 3.3.3.3; and the IP address of the neighboring interface is 10.1.2.2.

Information about the neighbor in Area 2 is similar to the above.
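An added Python example, not code from the course: a parser for the display ospf peer lines quoted above, plus a check of the parsed neighbors against the planned neighbor list, which turns this verification step into a routine way to notice an unplanned or misconfigured router that has formed a neighbor relation. The sample output is constructed from the lines on this slide; the second neighbor (RTA, 1.1.1.1 in Area 0.0.0.1 on Ethernet0/0 at 10.1.1.2/10.1.1.1) is assumed, and a real listing carries further fields that this parser ignores.

```python
import re

# Constructed sample modelled on the lines quoted on this slide.  A real
# display ospf peer listing has further fields (state, priority, DR/BDR),
# which this parser skips because it only matches the three line shapes below.
SAMPLE_OUTPUT = """\
OSPF Process 1 with Router ID 2.2.2.2
Area 0.0.0.0 interface 10.1.2.1(Ethernet0/1)'s neighbors
Router ID: 3.3.3.3 Address: 10.1.2.2
Area 0.0.0.1 interface 10.1.1.2(Ethernet0/0)'s neighbors
Router ID: 1.1.1.1 Address: 10.1.1.1
"""

PROCESS_RE = re.compile(r"^OSPF Process (\d+) with Router ID (\S+)")
AREA_RE = re.compile(r"^Area (\S+) interface (\S+)\((\S+)\)'s neighbors")
PEER_RE = re.compile(r"^Router ID: (\S+)\s+Address: (\S+)")


def parse_ospf_peers(text):
    """Parse display ospf peer output into (local router ID, list of peers).

    Each peer dict records the area, the local interface name and address
    from the preceding Area line, and the neighbor's router ID and address.
    """
    local_id = None
    area = iface_ip = iface_name = None
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            local_id = m.group(2)
            continue
        m = AREA_RE.match(line)
        if m:
            area, iface_ip, iface_name = m.groups()
            continue
        m = PEER_RE.match(line)
        if m:
            if area is None:
                raise ValueError(f"peer line before any Area line: {line}")
            peers.append({
                "area": area,
                "interface": iface_name,
                "interface_ip": iface_ip,
                "router_id": m.group(1),
                "address": m.group(2),
            })
    return local_id, peers


def unexpected_peers(peers, expected):
    """Return the peers whose (area, router ID) pair is not in expected.

    expected is the set of (area, router_id) pairs from the network design;
    anything else is a neighbor relation nobody planned and worth a look.
    """
    return [p for p in peers if (p["area"], p["router_id"]) not in expected]


if __name__ == "__main__":
    rid, found = parse_ospf_peers(SAMPLE_OUTPUT)
    print("local router ID:", rid)
    for p in found:
        print(p)
    print("unplanned:", unexpected_peers(found, {("0.0.0.0", "3.3.3.3")}))
```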

Page 329: HCDA v1.6 En

Besides the OSPF routing table and OSPF neighbor information, you can view the global routing table. In this example, you use the display ip routing-table command to view the global routing table. The output shows that five route entries are learned through OSPF.

Page 330: HCDA v1.6 En

What is the calculation process of the link state algorithm?

Each router in the network advertises its local link state information to other routers and collects the link state information advertised by other routers. In this way, each router generates an LSDB that describes the network topology. Based on the LSDB, routers calculate a shortest path tree by using the SPF algorithm. The shortest path tree provides routes to all nodes in the network.

What is an OSPF area?

An OSPF area is a combination of network segments.

What is the procedure for basic OSPF configuration?

Enable the OSPF process. Create OSPF areas. Specify network segments for each area.

Page 334: HCDA v1.6 En

The history of Ethernet:

1973: Ethernet was invented at Xerox in Palo Alto, California. Dr Robert Metcalfe is regarded as the father of Ethernet. The early Ethernet, the prototype of today's Ethernet, ran at a speed of 2.94 Mbps.

1980: Digital Equipment Corporation, Intel, and Xerox promoted Ethernet as a standard, the so-called Ethernet DIX80 or Ethernet version 1 standard, which standardized 10 Mbps Ethernet.

1982: A second revision of Ethernet, known as Ethernet DIX82 or Ethernet version II, was published. Ethernet II remains the Ethernet standard used in today's networks.

1995: IEEE issued the standard for Fast Ethernet, namely, the 802.3u standard.

1998: IEEE issued the standard for gigabit Ethernet.

1999: The IEEE 802.3ab or 1000BASE-T standard was published.

July 18th, 2002: IEEE published the 802.3ae or 10G Ethernet standard, which involves three physical interface standards, namely, 10GBASE-R, 10GBASE-W, and 10GBASE-LX4.

March, 2004: IEEE issued the 802.3ak standard, or 10GBASE-CX4, for 10G Ethernet over copper twin-axial cable.

Page 335: HCDA v1.6 En

In the early days, Ethernet was a shared network medium. It often ran over the following transmission media:

10Base5: thick coaxial cable, commonly known as thicknet. The 5 refers to a maximum transmission distance of 500 meters.

10Base2: thin coaxial cable, commonly known as thinnet. The 2 refers to a maximum transmission distance of close to 200 meters; the true distance is 185 meters.

Before shared Ethernet came into being, coaxial cable was connected with a device called a pigtail, which was inserted by cutting a small hole in the coaxial cable. Extreme care had to be taken when inserting a pigtail into the coaxial cable due to the potential for the central core to short out on contact with the metallic shield, which could cause the failure of an entire segment.

Page 336: HCDA v1.6 En

At the end of the 1980s, unshielded twisted pair (UTP) came into being and was soon widely used. UTP is cheap and easy to make, and with UTP data can be sent and received over different wires, which makes full duplex easy to apply.

Twisted pair cable comes in two types: shielded twisted pair (STP) and unshielded twisted pair (UTP). STP is very effective at protecting cables from external electromagnetic interference. Twisted cables are categorized by the length of a single twist for each wire pair, and they come in the following types:

Category-3 twisted-pair cable — The cable defined by ANSI and EIA/TIA 568. Its transmission frequency is 16 MHz, and it is mainly for transmitting voice or transmitting data at rates of up to 10 Mbps. It is often used for 10Base-T networks.

Category-4 twisted-pair cable — Mainly used for transmitting voice or transmitting data with a typical data rate of 16 Mbps. It is commonly used in token ring LANs and 10Base-T/100Base-T networks.

Category-5 twisted-pair cable — Mainly for transmitting voice or data at rates of up to 100 Mbps. It is often used for 100Base-T and 10Base-T networks. It is one of the most widely used Ethernet cables, but has generally been superseded by an enhanced version known as Cat5e. The Cat5e standards are much more stringent and support the use of 4 wire pairs, as opposed to the 2 wire pairs used by Cat5, allowing Cat5e to support Gigabit Ethernet transmission.

Page 337: HCDA v1.6 En

Ethernet interfaces on networking devices come in two types: Medium Dependent Interface (MDI) and Medium Dependent Interface Crossover (MDI_X). Ethernet interfaces of routers and of Network Interface Cards (NICs) are usually MDIs. The interfaces of hubs are MDI_X interfaces.

Twisted-pair cables are divided into straight-through and crossover types. Straight-through cables are used for connecting MDI and MDI_X devices; crossover cables are mainly for connecting MDI to MDI or MDI_X to MDI_X devices. Note that the pair sequence in a crossover cable results in a crossover between pins 1 & 3 and 2 & 6 at each end of the cable.

Page 339: HCDA v1.6 En

Usually 10 Mbit/s Ethernet is located only at the access layer of the network. New-generation multimedia, video, and database products may easily consume the bandwidth of 10 Mbit/s Ethernet.

Page 340: HCDA v1.6 En

Besides coaxial cable and twisted pair cable, IEEE 802.3 cabling also includes 10BASE-F fiber. 10BASE-F was used in the early days of Ethernet, and its transmission distance can reach 2 km.

Page 341: HCDA v1.6 En

The standard (10 Mbps) Ethernet transmission rate is too low to meet the demands of today's networks. To meet these higher demands, IEEE issued the IEEE 802.3u standard for fast Ethernet, supporting data transmission rates of 100 Mbps.

Page 342: HCDA v1.6 En

Full-duplex fast Ethernet is capable of sending and receiving data at 100 Mbps simultaneously. Sending and receiving are independent because separate wire pairs are used for transmitted and received data, which avoids collisions and interference and improves network efficiency.

The standards body EIA/TIA stands for Electronic Industries Alliance/Telecommunications Industry Association.

Page 343: HCDA v1.6 En

Gigabit Ethernet is an extension of the Ethernet defined by IEEE 802.3, achieving transmission speeds of 1 Gbps. Two standards have been defined for gigabit Ethernet: IEEE 802.3z (for fiber and copper) and IEEE 802.3ab (for twisted pair).

Page 344: HCDA v1.6 En

IEEE 802.3ab specifies the standard for 1000BaseT. 1000BaseT is a 10G Ethernet technology using Category-5 UTP to transmit data, and its effective transmission distance reaches 100 meters, as that of 100BASE-TX does. With this technology, users can smoothly upgrade their 100 Mbps Ethernet to 1000 Mbps Ethernet within their original fast Ethernet system.

IEEE 802.3z sets standards for three kinds of cable:

1000BaseCX is based on high-quality shielded copper twisted-pair cable. The transmission distance of this cable is 25 meters, and it is connected by 9-pin D-type connectors.

1000BaseSX uses a shortwave laser as the signal source. The wavelength of the laser is within the range of 770-860 nm (usually 800 nm). It supports only multi-mode fiber and cannot operate over single-mode fiber.

1000BaseLX is another optical gigabit Ethernet standard, using a long-wavelength laser (1270-1355 nm, usually 1300 nm). It can drive not only multi-mode fiber but also single-mode fiber.


10G Ethernet is the cutting-edge technology in the Ethernet world. Its transmission speed is 10 times that of gigabit Ethernet and its working area is much wider. 10G Ethernet can be applied not only to traditional LANs, but also to WANs and MANs, which were once closed to Ethernet due to its limited capabilities. 10G Ethernet is seamlessly compatible with DWDM, which stretches Ethernet to a global geographical scope without being limited by distance.

Two organizations, IEEE and the 10 Gigabit Ethernet Alliance (10GEA), played an important role in the standardization of 10G Ethernet. IEEE is in charge of setting standards for 10G Ethernet and had issued IEEE802.3ae as of June 2006. IEEE802.3ae specifies the standard for 10G Ethernet that runs on fiber, a standard not so suitable for enterprise LANs, which commonly transmit data through copper cabling. To meet the requirements of 10G Ethernet over copper cables, IEEE issued the 802.3ak standard in March 2004 and the IEEE 802.3an standard for 10G Ethernet over twisted-pair cabling.


The standard for 10G Ethernet over fiber is IEEE802.3ae, which consists of 10GBASE-X, 10GBASE-R and 10GBASE-W.

10GBASE-X uses a tightly packed package which involves a rather simple WDM device, four receivers and four lasers that work at a wavelength of about 1300nm at an interval of around 25nm. Each sender and receiver pair works at a speed of 3.125 Gbps with a data rate of 2.5 Gbps.

10GBASE-R is a form of serial interface based on a 64B/66B coding scheme instead of the 8B/10B scheme applied to gigabit Ethernet. Its data rate is 10.000 Gbps, which leads to a clock rate of 10.3 Gbps.

10GBASE-W refers to the WAN interface, which is compatible with SONET OC-192. The clock rate and data rate of 10GBASE-W are 9.953 Gbps and 9.585 Gbps respectively.

The 10G Ethernet standard for fiber is IEEE802.3ae. IEEE802.3ak is the standard for 10G Ethernet over coaxial cables. 10GBASE-CX4 allows 10G Ethernet to transmit over coaxial copper lines up to a distance of 15 meters.


This chapter involves the following contents:

1. How was the Ethernet standard formed?

Xerox first presented the original Ethernet technology, whose speed was only 3Mbps, in 1973. Later, Digital Equipment Corporation, Intel and Xerox jointly proposed the 10Mbps DIX standard for Ethernet. This was then developed into early forms of the IEEE802.3 standard in 1980.

2. Which media types are supported by Ethernet?

Ethernet has defined standards for support of Ethernet over coaxial, twisted-pair and fiber optic media types.

3. What are the speed rates of Ethernet?

10M, 100M, 1000M and 10G. Early category 4 cabling also supports speeds of 16Mbps for token ring.


Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a set of rules determining how network devices respond when two devices attempt to use a data channel simultaneously. The basic working theory of CSMA/CD is as follows:

(1) If the transmission medium is not occupied at that time, a station can transmit; otherwise it moves on to the next step.

(2) The station waits until the data channel is no longer occupied and then begins to send data.

(3) If the station detects a collision, recognized as a voltage level twice the usual, it stops transmitting that frame and transmits a jam signal so that all participating stations know about the collision.

(4) After a random time interval, the station that collided attempts to transmit again, which goes back to step 1, and the process cycles.
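The four rules above as a tick-by-tick simulation, added here as a worked example rather than code from the Huawei course: three stations sense the medium, collide, jam and retry after a random delay. The station names, frame time, jam time and the use of binary exponential backoff for the "random time interval" are assumptions of this example.

```python
"""Tick-by-tick simulation of the four CSMA/CD rules above.
Added example written for this page, not code from the Huawei course;
the station names, frame sizes and timing constants are constructed."""
import random

FRAME_TIME = 5          # ticks a frame occupies the medium (assumed)
JAM_TIME = 1            # ticks spent sending the jam signal (assumed)
MAX_BACKOFF_EXP = 10    # cap on the backoff window growth (assumed)


class CsmaCdMedium:
    """A shared medium whose stations sense, transmit, detect collisions,
    jam and retry after a random delay."""

    def __init__(self, stations, seed=0):
        self.rng = random.Random(seed)            # seeded so runs are repeatable
        self.queue = {s: [] for s in stations}    # frames waiting at each station
        self.ready_at = {s: 0 for s in stations}  # tick at which backoff expires
        self.attempts = {s: 0 for s in stations}  # consecutive collisions per frame
        self.delivered = []                       # (tick, station, frame)
        self.collisions = 0

    def send(self, station, frame):
        self.queue[station].append(frame)

    def run(self, max_ticks=10_000):
        tick = 0
        while any(self.queue.values()) and tick < max_ticks:
            # Step 1: stations with a frame and an expired backoff sense the idle medium.
            ready = [s for s, q in self.queue.items() if q and self.ready_at[s] <= tick]
            if not ready:
                tick += 1                          # Step 2: wait for the channel
                continue
            if len(ready) == 1:
                s = ready[0]
                self.delivered.append((tick, s, self.queue[s].pop(0)))
                self.attempts[s] = 0
                tick += FRAME_TIME                 # medium busy; everyone else waits
                continue
            # Step 3: simultaneous transmissions collide; all of them stop and jam.
            self.collisions += 1
            for s in ready:
                # Step 4: random delay, then back to step 1.  The page says only
                # "a random time interval"; this example uses binary exponential
                # backoff, so repeated collisions widen the delay window.
                self.attempts[s] += 1
                slots = self.rng.randint(0, 2 ** min(self.attempts[s], MAX_BACKOFF_EXP) - 1)
                self.ready_at[s] = tick + JAM_TIME + slots
            tick += JAM_TIME
        return self.delivered


def simulate(frames_per_station=2, stations=("A", "B", "C"), seed=0):
    """Run a small contention scenario; returns (delivered frames, collision count)."""
    medium = CsmaCdMedium(stations, seed)
    for s in stations:
        for i in range(frames_per_station):
            medium.send(s, f"{s}-frame{i}")
    delivered = medium.run()
    return delivered, medium.collisions


if __name__ == "__main__":
    delivered, collisions = simulate()
    print(f"{len(delivered)} frames delivered after {collisions} collision(s)")
    for tick, station, frame in delivered:
        print(f"t={tick:3d} {station} sent {frame}")
```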


Limited by the algorithm of CSMA/CD, the length of a frame sent over Ethernet using 10M half duplex should be at least 64 bytes.


Two network devices appeared during the period when Ethernet developed from a shared to a switched network: one is the hub, the other is the repeater. When the network is extended, signals degrade as they travel long distances, which may often lead to corrupted data. The repeater is an electronic device that helps to recover or amplify signals. The hub and repeater both work at the physical layer.


The hub is an Ethernet device which works based on the mechanism of CSMA/CD. The working principles of the hub are quite simple. The hub forwards the data frame received on one of its ports to all other ports directly, no matter whether the frame is unicast or broadcast. We may say that the hub and repeater change only the physical topology of the Ethernet; the logical topology of the Ethernet still remains a bus topology. The hub does not have a MAC address and only forwards data without filtering.


The network connected by hubs or repeaters is considered to be shared Ethernet, so it is no wonder that this kind of network has all the weaknesses of a shared Ethernet, weaknesses that include:

• Collisions

• Broadcast flooding

• No Guarantee of Security


The Ethernet switch operates at the data-link layer and has two basic functions:

Learning MAC addresses

Switching or filtering data


In the figure above, DMAC indicates the MAC address of the destination and SMAC is the MAC address of the source. The meaning of the Length/Type field varies with its value. When its (hexadecimal) value exceeds 1500, it indicates the field is a type field; when the value is less than or equal to 1500, the field is a frame length field. The value of the DATA/PAD field represents the length of the data filled to make the frame length 64 bytes or above. FCS refers to the extra checksum characters added to a frame for error detection and correction.

When the value of the Length/Type field exceeds 1500, the MAC sub-layer can submit the frame to a protocol at the upper layer immediately without going through the LLC sub-layer. This structure is the Ethernet_II structure, which is very popular and used by most protocols. In this structure, the data-link layer only involves the MAC sub-layer and does not implement the LLC layer. When the value of the Length/Type field is less than or equal to 1500, it indicates the Ethernet_SNAP structure, which is defined by the 802.3 committee but is not widely used.


An Ethernet frame whose type is 0800 is an Ethernet_II frame, as 0x0800 converted from hexadecimal to decimal is bigger than 1500, and it must be an IP datagram, since 0800 represents the IP datagram header. In a similar way, it is possible to determine that a 0806 frame is for ARP request/response and an 8035 frame is for RARP request/response. However, the question remains how we can identify the 'type' of the next header in a frame defined in 802.3, since the 802.3 frame indicates only the frame 'length' instead of the frame 'type'?


In an 802.3 frame, there is a three-byte 802.2 LLC header and a five-byte 802.2 SNAP header. The values of Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) are both set to 0xAA. The Ctrl field is set to 3 and the 3-byte org code field that comes after it is set to 0. The following 'TYPE' field functions the same as that of the Ethernet_II frame.


A MAC address is a 48-bit address and is often represented as 12 hexadecimal digits. A MAC address is globally unique and IEEE is responsible for the management and allocation of MAC addresses. A MAC address is made up of two parts: the manufacturer-assigned identifier and the sequence number. The first 24 bits identify the organization that issued the identifier and are managed and allocated by IEEE. The following 24 bits are assigned by that organization in nearly any manner it pleases, subject to the constraint of uniqueness.

Special MAC addresses:

1. If all 48 bits of a MAC address are 1s, it is a broadcast address.

2. If the eighth bit of a MAC address is 1, it is a multicast address.

The eighth bit of the destination address indicates whether the frame is sent to a single station or a group of stations.

The eighth bit of a source address must be 0 since a frame cannot be sent by a group of stations.
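A decoder for the frame structure and the MAC address rules discussed in the preceding pages (Length/Type field, Ethernet_II versus 802.3 LLC/SNAP, the 0800/0806/8035 type values, and the broadcast/multicast bit), added here as a worked example and not code from the Huawei course. The sample frames are constructed by hand, the FCS is assumed to have been stripped by the capturing hardware, and the source MACs use locally administered addresses rather than any real vendor OUI.

```python
"""Decode Ethernet_II and 802.3 LLC/SNAP headers and classify MAC addresses.
Added example written for this page, not code from the Huawei course; the
sample frames are constructed and the 4-byte FCS is assumed already stripped."""
import struct

ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
# LLC (DSAP=0xAA, SSAP=0xAA, Ctrl=3) followed by the 3-byte org code 0.
SNAP_HEADER = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])
MIN_FRAME_NO_FCS = 60  # 64-byte minimum frame minus the 4-byte FCS


def mac_str(raw: bytes) -> str:
    """48-bit address as 12 hexadecimal digits, grouped in pairs."""
    return "-".join(f"{b:02x}" for b in raw)


def mac_kind(raw: bytes) -> str:
    """Broadcast when all 48 bits are 1; multicast when the I/G bit is 1.
    The page calls it the 'eighth bit': the least significant bit of the
    first octet, which is the first bit to go on the wire."""
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_frame(frame: bytes) -> dict:
    """Return the decoded header plus two flags a monitor would want:
    smac_valid (a source may never be a group address) and undersized (runt)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dmac, smac, length_type = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dmac": mac_str(dmac), "dmac_kind": mac_kind(dmac),
        "smac": mac_str(smac), "oui": mac_str(smac[:3]),  # first 24 bits: issuing organization
        "smac_valid": mac_kind(smac) == "unicast",
        "undersized": len(frame) < MIN_FRAME_NO_FCS,
        "length_type": length_type,
    }
    if length_type > 1500:
        # Ethernet_II: the field is a type and the MAC sub-layer hands the
        # payload straight to that protocol, with no LLC sub-layer.
        info["encap"] = "Ethernet_II"
        info["type"] = length_type
        payload = frame[14:]
    else:
        # 802.3: the field is a length covering LLC (3) + SNAP (5) + data.
        if frame[14:20] != SNAP_HEADER or len(frame) < 22:
            raise ValueError("802.3 frame without an LLC/SNAP header")
        if len(frame) < 14 + length_type:
            raise ValueError("802.3 length field exceeds the captured frame")
        info["encap"] = "Ethernet_SNAP"
        info["type"] = struct.unpack("!H", frame[20:22])[0]
        payload = frame[22:14 + length_type]  # data without the trailing pad
    info["protocol"] = ETHERTYPE_NAMES.get(info["type"], "unknown")
    info["payload_len"] = len(payload)
    return info


# Constructed sample 1: Ethernet_II ARP frame, broadcast destination, padded to 60 bytes.
SAMPLE_ARP = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
              + struct.pack("!H", 0x0806) + bytes(28)).ljust(MIN_FRAME_NO_FCS, b"\x00")
# Constructed sample 2: 802.3 LLC/SNAP frame carrying 20 bytes of IP to a multicast MAC.
SAMPLE_SNAP = (bytes.fromhex("01005e000001") + bytes.fromhex("020000000002")
               + struct.pack("!H", 8 + 20) + SNAP_HEADER + struct.pack("!H", 0x0800)
               + bytes(20)).ljust(MIN_FRAME_NO_FCS, b"\x00")
# Constructed sample 3: a runt whose source MAC has the group bit set (never legitimate).
SAMPLE_BAD = (bytes.fromhex("ffffffffffff") + bytes.fromhex("010000000003")
              + struct.pack("!H", 0x0800) + bytes(10))


if __name__ == "__main__":
    for name, raw in (("ARP", SAMPLE_ARP), ("SNAP", SAMPLE_SNAP), ("BAD", SAMPLE_BAD)):
        print(name, parse_frame(raw))
```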


Source MAC Learning

The bridge forwards frames based on its MAC address table, which is built using the source MAC addresses of received frames. A common MAC address table of a layer-2 switch maps between MAC addresses and switch ports.

We should bear in mind that a switch learns the source address of the data frames it receives, meaning that every port of a switch listens independently for the source address of the data frames it receives.

Initially, the MAC address table is empty, but once a switch receives a frame via port 1, the switch will check the frame's destination and search for the MAC address in its cache; however, no entry will currently exist. As a result the switch will flood the frame out of all ports except the port on which the frame was received, and then use the source address of the frame to build its MAC address table, mapping port 1 to the MAC address of station A. Similarly, each switch will map the port on which a frame is received to the source MAC address of that frame, forming a MAC address table for each switch device.

If a port connects to a hub, then the switch port will learn multiple MAC addresses on a single interface.

Every port of a switch corresponds to a collision domain.

Note: For multicasting, address entries are not obtained by learning. They are obtained by IGMP or protocols such as CGMP.


Forwarding Frames Based on the Destination MAC

The switch forwards frames according to its MAC address table. If the destination address of the frame is not in the table, the switch will flood the frame. The switch maintains its MAC address table through an automatic learning and aging mechanism. Frame structures are not modified in most cases. (VLAN makes changes to the frame structure by putting a TAG in the frame.)


The switch receives a data frame from the local segment via one of its port interfaces.

The switch builds its MAC address table by learning the source MAC of the frames and maintains its MAC address table with the aging mechanism. The switch looks for the destination MAC in its MAC address table and, if the destination MAC is in the table, sends the frame to the corresponding port (the source port is not included); if the switch cannot find the destination MAC in its table, then it sends the frame to all the ports except the source port.
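The learning, aging, flooding and filtering behaviour described in the preceding pages as a small simulation, added here as a worked example and not code from the Huawei course. The MAC addresses, port numbers and the 300-second aging time are constructed, and the optional per-port MAC limit is an added check for ports that start learning more addresses than expected (a hub behind the port, or a host churning source addresses).

```python
"""Layer-2 switch simulation: source-MAC learning, aging, forwarding, flooding.
Added example written for this page, not Huawei code; addresses, ports and the
aging time are constructed, and the per-port MAC limit is an added safeguard."""
from dataclasses import dataclass

AGING_TIME = 300  # seconds; assumed, the course text gives no value
BROADCAST = "ff-ff-ff-ff-ff-ff"
# Constructed station addresses (locally administered, no real vendor OUI).
MAC_A, MAC_B, MAC_C = "02-00-00-00-00-0a", "02-00-00-00-00-0b", "02-00-00-00-00-0c"


def is_group(mac: str) -> bool:
    """I/G bit of the first octet set: a multicast or broadcast destination."""
    return int(mac[:2], 16) & 0x01 == 1


@dataclass
class Entry:
    port: int
    last_seen: float


class L2Switch:
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.table: dict[str, Entry] = {}
        self.max_macs_per_port = max_macs_per_port
        self.alerts = []  # (time, port, mac) for sources refused by the port limit

    def age_out(self, now):
        """Aging mechanism: drop entries not refreshed within AGING_TIME."""
        for mac in [m for m, e in self.table.items() if now - e.last_seen > AGING_TIME]:
            del self.table[mac]

    def macs_on_port(self, port):
        return sorted(m for m, e in self.table.items() if e.port == port)

    def learn(self, port, smac, now) -> bool:
        """Source-MAC learning; returns False when the entry is refused."""
        if smac in self.table and self.table[smac].port == port:
            self.table[smac].last_seen = now
            return True
        if (self.max_macs_per_port is not None
                and len(self.macs_on_port(port)) >= self.max_macs_per_port):
            self.alerts.append((now, port, smac))   # too many stations on one port
            return False
        self.table[smac] = Entry(port, now)         # new station, or one that moved
        return True

    def receive(self, in_port, smac, dmac, now):
        """Return the list of egress ports for one frame."""
        self.age_out(now)
        if not self.learn(in_port, smac, now):
            return []
        if is_group(dmac) or dmac not in self.table:
            return [p for p in self.ports if p != in_port]   # flood everywhere else
        out = self.table[dmac].port
        return [] if out == in_port else [out]               # filter, or forward to one port


if __name__ == "__main__":
    sw = L2Switch(ports=[1, 2, 3])
    for t, (port, src, dst) in enumerate([(1, MAC_A, MAC_B), (2, MAC_B, MAC_A),
                                          (1, MAC_A, MAC_B), (3, MAC_C, BROADCAST)]):
        print(f"t={t} port {port} {src} -> {dst}: out {sw.receive(port, src, dst, t)}")
    print("table:", {m: e.port for m, e in sw.table.items()})
```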


There are three switching modes: Cut-Through, Store-and-Forward and Fragment-free. Their characteristics are as follows:

Cut-Through

The switch starts forwarding a frame before the whole frame has been received, normally as soon as the destination address is processed.

Low latency

The switch forwards frames without detecting errors.

Store-and-Forward

The switch starts forwarding a frame after the whole frame has been received. High latency, and the latency is decided by the frame length. The switch checks for errors and once it finds an error, the frame is discarded immediately.

Fragment-free

The switch starts forwarding a frame after the first 64 bits (the shortest possible length) of the frame have been received. This mode inherits the advantages of the Cut-Through mode and the Store-and-Forward mode. With this mode, the switch can start forwarding without the whole frame having been received, which is the same as it does with the Cut-Through mode; and at the same time, the switch can check errors as it does with the Store-and-Forward mode, and should it find errors in the first 64 bits of the frame, it will drop the frame.


L2 switches help to avoid collisions in a shared Ethernet but broadcast flooding is still widespread. How can this problem be resolved?


L3 switches tend to take the form of a switch. Compared with routers, L3 switches are endowed with all the functions that L2 switches possess, including MAC-address based frame forwarding, STP and VLAN. However, L3 switches also have the L3 functions that L2 switches are not given, which enables them to realize L3 internetworking for VLANs.

Most lower- or middle-end L3 switches realize L3 forwarding through L3 exact match, which means searching the cache according to the destination IP address of data frames directly. Traditional routers, on the other hand, use the longest matching method, that is, searching the routing table for the destination IP address and forwarding data with the longest matching address in the table. Different manufacturers use different approaches to forward data. Exact search is more suitable for a network that has stable routes and whose topology does not change often.

High-end L3 switches are often applied to complex networks. So if they use the exact search approach to find routes, the odds of hitting the cache are not optimistic. Furthermore, most high-end switches use hardware to realize longest matching search, which may be as efficient as the exact search approach. So for high-end switches, exact search is not a mandatory choice.

Finally, L3 switches have evolved from L2 switches and they are always thought to be designed for LANs. So L3 switches do not support many interface types except the interfaces relevant to VLANs, such as the Ethernet interface and the ATM VLAN virtual interface, which avoids the problems that have bothered routers with multi-type interfaces. Since every interface of an L3 switch is an Ethernet interface, collisions are avoided and the odds of segmentation are lowered. But for the efficiency of the up-link, many L3 switches are equipped with high-speed POS interfaces.


IP Network Rules:

1. Communication within the same segment

When a host communicates with a destination host, it judges whether the destination is in the same segment using its own IP address and subnet mask. If they are in the same segment, the host searches for the MAC address of the destination through ARP and fills that MAC address in the frame header.

2. Communication across segments

If the host finds that the destination is not in the same segment as itself, then it searches for the MAC address of the gateway instead of the MAC address of the destination and fills the MAC address of the gateway in the frame header. Layer-3 switches decide whether to perform layer-2 forwarding or layer-3 forwarding according to the above rules. The layer-3 switch performs layer-3 forwarding if the frame is addressed to the MAC address of an interface defined by a VLAN; otherwise the switch performs layer-2 forwarding within the VLAN.
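The two rules above worked end to end, added here as an example rather than code from the Huawei course: the sending host decides whether to ARP for the destination or for the gateway, and the layer-3 switch decides between layer-2 and layer-3 forwarding from the destination MAC of the resulting frame. The host address, mask, gateway, ARP cache contents and VLAN interface MACs are constructed for this example.

```python
"""Same-segment test, ARP target selection and the L2/L3 forwarding decision.
Added example written for this page, not Huawei code; the addresses, the ARP
cache and the VLAN interface MACs are constructed."""
import ipaddress


def arp_target(host_ip: str, mask: str, dst_ip: str, gateway: str) -> str:
    """Rules 1 and 2: the IP address whose MAC the host resolves with ARP."""
    segment = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    if ipaddress.ip_address(dst_ip) in segment:
        return dst_ip            # same segment: the destination's own MAC
    if ipaddress.ip_address(gateway) not in segment:
        raise ValueError("gateway is not on the host's segment, nothing to ARP for")
    return gateway               # other segment: the gateway's MAC


def build_frame_header(host_ip, mask, dst_ip, gateway, arp_cache: dict) -> dict:
    """Fill the DMAC the way the host would, from a (constructed) ARP cache."""
    target = arp_target(host_ip, mask, dst_ip, gateway)
    if target not in arp_cache:
        raise LookupError(f"ARP cache has no entry for {target}")
    return {"dmac": arp_cache[target], "dst_ip": dst_ip, "resolved": target}


def l3_switch_decision(dmac: str, vlan_interface_macs: dict) -> str:
    """A frame addressed to one of the switch's VLAN interface MACs is routed
    (layer-3 forwarding); anything else is switched within the VLAN."""
    owner = vlan_interface_macs.get(dmac.lower())
    return f"layer-3 forwarding via {owner}" if owner else "layer-2 forwarding within the VLAN"


# Constructed topology: a host in VLAN 10 whose gateway is the switch's VLAN 10 interface.
HOST_IP, MASK, GATEWAY = "192.168.10.20", "255.255.255.0", "192.168.10.1"
ARP_CACHE = {
    "192.168.10.30": "02-00-00-00-10-30",  # another host in VLAN 10
    "192.168.10.1": "02-00-00-00-10-01",   # VLAN 10 interface of the layer-3 switch
}
VLAN_INTERFACE_MACS = {
    "02-00-00-00-10-01": "VLAN 10 interface",
    "02-00-00-00-20-01": "VLAN 20 interface",
}


def forward(dst_ip: str) -> tuple:
    """Return (address the host ARPed for, what the layer-3 switch does with the frame)."""
    hdr = build_frame_header(HOST_IP, MASK, dst_ip, GATEWAY, ARP_CACHE)
    return hdr["resolved"], l3_switch_decision(hdr["dmac"], VLAN_INTERFACE_MACS)


if __name__ == "__main__":
    for dst in ("192.168.10.30", "192.168.20.7"):
        print(dst, "->", forward(dst))
```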


This chapter involves the following contents:

1. How to communicate over shared Ethernet?

CSMA/CD is an effective way to realize multi-point communications over a shared medium. The station listens to the link before it sends frames, so as to avoid collisions. The frame sent by a station can be received by multiple stations. The station monitors the link while it sends frames; it stops sending as soon as it detects a collision and waits for a random time interval before trying to send the frame again.

2. What is the operating principle of an L2 switch?

The L2 switch works at the data-link layer and has two basic functions: learning based on the source MAC address and forwarding based on the destination MAC address.

3. What is the difference between an L3 switch and a router?

An L3 switch is small but powerful in some specific areas; the router, however, is large and has comprehensive abilities.


Auto-negotiation was developed to help devices supporting 10Mbps Ethernet be compatible with 100Mbps Fast Ethernet. The auto-negotiation technology takes the operational modes of the local device, receives the operational modes from the link partner and determines the highest common operational mode that can be supported. Auto-negotiation works on the revised 10Base-T standard and is achieved by the design of the physical layer chips. It does not use any specific datagram or involve any upper-layer protocol. The basic mechanism of auto-negotiation is to encapsulate negotiation information into a series of revised link conformity test pulses of the 10BASE-T link test wave (Fast Link Pulse). Each device should be able to send such a series of pulses when the device is powered on, when it receives a management request, or when a user intervenes. FLP consists of a series of clock/data pulses formed from link conformity test pulses. Once those data are extracted, we know the operational modes the link partner supports and get information concerning the negotiation hand-shake mechanism.


When both negotiating parties support more than one operational mode, there must be a precedence order to decide the final operational mode. The table above lists the precedence of operational modes from high to low as defined by IEEE 802.3. The basic principle is that the 100Mbps mode has higher precedence than 10Mbps and full duplex is better than half duplex. 100BASE-T4 is listed before 100BASE-TX because 100BASE-T4 supports more cable types. Ethernet over fiber does not support auto-negotiation. You need to configure the operation mode for the two link parties manually, which includes the rate, duplex mode and traffic control. If the two parties are configured differently, they cannot communicate with each other.

Note: 100BASE-T4 can be realized over Type3, Type4 and Type5 UTP and all four pairs are used. 100BASE-TX can only run over Type5 UTP or STP and two of the four pairs are used.


Configuration Example

To set the duplex mode to full duplex:

[Quidway-Ethernet0/1] duplex full

Restore the duplex mode to its default value:

[Quidway-Ethernet0/1] undo duplex


You can configure the speed of an Ethernet port with the following commands. If the port speed is configured to be decided by the auto-negotiation mechanism, the two parties will negotiate to decide the port speed together. You can also configure the port speed manually by running the speed command.

By default, the port speed is in the auto state (decided by auto-negotiation).

Configuration Example

Set the port speed of Ethernet to 100Mbps:

[Quidway-Ethernet0/1] speed 100

Restore the port speed of Ethernet to its default value:

[Quidway-Ethernet0/1] undo speed


Network congestion occurs when data are transmitted between two ports with different speed rates (for example, when a 100Mbps port sends data to a 10Mbps port) or when a link or node is carrying so much data that its quality of service deteriorates. Typical effects include queuing delay, packet loss or more retransmissions, which waste network resources dramatically. In real networks, especially LANs, network congestion seldom occurs. So no switch manufacturers produce switches with flow control functions. High-capability switches should support backpressure in the half duplex mode and flow control in the full duplex mode as defined by IEEE802.3x.


Bridged or half-duplex Ethernet uses a method called backpressure to manage transmission between stations with different speeds. For example, when a 100Mbps server sends data to a 10Mbps client PC through the switch, the switch will try its best to cache frames until its cache is nearly full, at which time it must ask the server to stop sending more data. To achieve this the switch can generate a collision event with the server to make the server back off, or alternatively the switch can apply a carrier test to keep the server port busy. Both approaches cause the server to stop sending data for a while, which gives the switch time to process the data in its cache.


In the full duplex environment, the link between the server and the switch is a collision-free channel and the backpressure technology cannot be applied to it. So the server continues to send packets to the switch until the frame cache of the switch overflows. To solve the problem, IEEE made a full duplex flow control standard, namely IEEE 802.3x. IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE. When congestion occurs at the port, the switch sends PAUSE to the source to tell it to stop sending information for a while.


PAUSE can control data flow for the following devices:

A simple point-to-point network, such as between two terminals

A switch and a terminal

The link between switches

PAUSE is applied to prevent frames from being dropped when an instantaneous influx of traffic causes the cache to overflow. The PAUSE frame helps the device prevent loss of frames when the traffic surpasses the cache limit. The device sends a PAUSE frame to its peer to prevent its cache overflowing by requesting that the peer device stop sending data after it receives the PAUSE frame. In this way, the device wins time to relieve the congestion/buildup in its cache.


Configuration Example

Enable the flow control of the Ethernet port:

[Quidway-Ethernet0/1] flow-control

Shut down the flow control of the Ethernet port:

[Quidway-Ethernet0/1] undo flow-control

Note: By default, the flow control of the Ethernet port is disabled.


Advantages of Port Aggregation

1. Increase bandwidth

Port aggregation can bind multiple transmission ports together to make one logical link, increasing transmission bandwidth and speed. The bandwidth after aggregation is the total sum of the bandwidth of each aggregated port. With a switch that supports this function, you can increase the network bandwidth easily when too much traffic on one port impairs network capability. For example, you can bind two to four 100Mbps ports together to make a 200-400Mbps link to increase the bandwidth and speed. Port aggregation can be applied to 10Mbps, 100Mbps and 1000Mbps Ethernet.

2. Improve reliability

Backbone networks run at a very fast speed and once a link fails, a large amount of data will be lost. The connection between a high-speed server and the backbone network should be absolutely guaranteed. With the port aggregation function, you can prevent such a disaster. For example, if a cable is pulled out by mistake, the link will not be affected. Since an aggregated port consists of multiple ports, the failure of one port will not affect the whole connection. Data will be loaded onto the other working connections automatically. You only need to change the visiting address and the whole process is completed in no time. This function keeps the network running continuously.


The parameters of the two peers of aggregated ports must be the same. Parameters here include physical parameters and logical parameters.

Physical parameters include:

Number of the aggregation ports

Speed of the aggregation ports

Duplex mode of the aggregation ports

Logical parameters include:

Spanning Tree Protocol (STP)

Quality of Service (QoS)

VLAN

Port

STP configuration includes: enabling/disabling the STP function on the port, port link type (point-to-point or not point-to-point), STP preference level, route cost, speed limit for sending packets, loop protection, root protection and edge port.

QoS configuration includes: flow speed control, preference mark, the default preference level of 802.1p, bandwidth guarantee, congestion prevention, flow redirection and flow statistics.

VLAN configuration includes: VLANs that are allowed to pass the port and the default VLAN ID.

Port configuration includes port link types such as Trunk, Hybrid and Access.


Configuration Procedure:

1. Configure the IP address of the interface

Create the layer-3 addresses 10.1.1.1/30 and 10.1.1.2/30 of VLAN1 on SW1 and SW2 respectively.

2. Configure attributes of the aggregated ports

Before configuring port aggregation, you should make sure that all the aggregated ports of Sw1 and Sw2 work in the full duplex mode and at the same speed rate instead of the auto-negotiation mode.

3. Configure port aggregation

Result Testing:

<Sw1>display link-aggregation

Master port: Ethernet0/1

Other sub-ports:

Ethernet0/2

Mode: both

The configuration commands may be different for some switches; please refer to the product operation manuals for relevant information.


Port mirroring is applied to traffic observation and fault location by making a copy of service data and sending it to the monitor device to be analyzed. Port mirroring has two types: port-based mirroring and flow-based mirroring.


Port-based mirroring makes a full copy of the data on the mirrored port to the mirroring port to observe its flow and locate faults. Ethernet switches support many-to-one mapping, which means a copy of the traffic from multiple ports can be mirrored to a single monitor port.


Flow-based mirroring is only applied to flows that meet certain defined classifications, which may include the same destination address, the same port number and so on. The classifications can be set as required.


Networking and Services:

The PC is connected to the E0/24 port and monitor software monitors the data received by the E0/1 port.

Configuration Procedure:

(1) Configure the IP address of the port

Create the layer-3 addresses 10.1.1.1/30 and 10.1.1.2/30 of VLAN1 on SW1 and SW2 respectively.

(2) Configure the ACL based on the link

(3) Configure the mirroring port

Result Checking

Enable the VLAN monitor on the PC and then send Ping messages from SW1 to SW2. You can then see the messages whose source MAC address is the address of SW1 and whose destination address is the address of SW2 appearing on the monitor.


This chapter involves the following contents:

1. What is auto-negotiation?

Auto-negotiation aims to resolve rate inconsistencies between Ethernet devices. This includes negotiation of the port speed and duplex mode.

2. What are the differences between half-duplex and full-duplex traffic control?

Half-duplex traffic control uses the backpressure method. When network congestion occurs, the switch will apply the carrier detect mechanism or emulate a collision. In the full-duplex mode, IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE. When congestion occurs at the port, the switch sends PAUSE to the source to tell it to stop sending information for a while.

3. What are the functions of port aggregation and port mirroring?

Port aggregation can increase link bandwidth, realize load balancing and improve network reliability. Port mirroring is applied to support traffic observation and fault location by making a copy of service data and sending this data to the monitor device port to be analyzed.


The traditional Ethernet switch adopts source address learning mode when it forwards data. It automatically learns the MAC address of the host connected to each port, forms the forwarding table, and then forwards Ethernet frames according to that table. The whole forwarding process is completed automatically, all the ports can communicate with each other, and maintenance personnel cannot control the forwarding between any two ports. For example, they cannot restrict host B from reaching host A. Such a network has the following disadvantages:

• Network security is poor. All the ports can communicate with each other, which increases the possibility that users will attack the network.

• Network efficiency is low. Users may receive abundant unnecessary frames, e.g. unnecessary broadcast packets, which wastes bandwidth and host CPU resources.

• Service extensibility is poor. The network cannot implement differentiated services; for example, it cannot forward an Ethernet frame used for network management with higher priority.


VLAN technology divides users into multiple logical networks (groups). Communication is allowed within a group but prohibited between groups. Layer-2 unicast, layer-2 multicast and layer-2 broadcast packets can only be forwarded within a group. It is easy to add and delete group members using VLAN technology.

VLAN technology provides a management method to control the intercommunication among terminals regardless of their physical location in the LAN. In the figure above, PCs in group 1 and group 2 cannot communicate with each other.


In order to control forwarding, the switch adds a VLAN tag to an Ethernet frame before forwarding it, then uses this tag to manage the frame, which may include discarding the frame, forwarding the frame, and adding and removing tags. Before forwarding the frame, the switch checks the VLAN tag of the packet and decides whether the tag is allowed to be forwarded from the port. In the figure above, the switch adds tag 5 to all the frames sent from A, then looks up the layer-2 forwarding table and, according to the destination MAC address, forwards them to the port connected to B. However, this port is configured to allow only VLAN 1 to pass, so the frames sent by A are discarded.

A switch supporting VLANs hence forwards Ethernet frames not only according to the destination MAC address but also according to the VLAN configuration of the port, so as to implement layer-2 forwarding control.


A 4-byte VLAN tag is added directly to the Ethernet frame header. IEEE 802.1Q describes VLAN tagging.

• TPID (Tag Protocol Identifier): 2 bytes, fixed value 0x8100, a new type defined by IEEE; it indicates that the frame carries an 802.1Q tag.

• TCI (Tag Control Information): 2 bytes, made up of the following fields.

• Priority: 3 bits, defines the priority of an Ethernet frame. It has 8 priority levels, 0 to 7, and is used to provide differentiated forwarding service.

• CFI (Canonical Format Indicator): 1 bit. Used to indicate the bit order of address information in token ring or source-routed FDDI media access, namely whether the low bit is transmitted before the high bit.

• VLAN Identifier (VLAN ID): 12 bits, from 0 to 4095. Combined with the VLAN configuration of the port, it controls the forwarding of an Ethernet frame.

An Ethernet frame has two formats: a frame without a tag is called an untagged frame; a frame with a tag is called a tagged frame.

This course will only discuss the VLAN ID of the VLAN tag.
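The tag layout described above, as an added example (not code from the course): a parser that extracts TPID, priority, CFI and VLAN ID from a raw Ethernet frame, plus the "add tag" and "remove tag" operations the switch performs. The sample frame is constructed here from the PCA/PCB MAC addresses used elsewhere in this course; it is not a capture.

```python
import struct

TPID_8021Q = 0x8100  # TPID fixed by IEEE 802.1Q, as the course states


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and, if present, its 802.1Q tag.

    Returns the MAC addresses, whether a tag was found, the three TCI fields
    (priority, CFI, VID) and the EtherType that follows the tag.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tagged": False, "priority": None, "cfi": None, "vid": None,
    }
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info["tagged"] = True
        info["priority"] = (tci >> 13) & 0x7   # 3 bits: 0..7
        info["cfi"] = (tci >> 12) & 0x1        # 1 bit
        info["vid"] = tci & 0x0FFF             # 12 bits: 0..4095
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def add_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """The switch's 'add tag' operation: insert the 4-byte tag after the source MAC."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0..4095")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame is already tagged")
    tci = ((priority & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def remove_tag(frame: bytes) -> bytes:
    """The switch's 'remove tag' operation: drop the 4 tag bytes, leaving an untagged frame."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: PCB's and PCA's MAC addresses from the course, the IPv4 EtherType
# and a dummy payload. Not a real capture.
UNTAGGED_FRAME = (bytes.fromhex("000d56bf8820") + bytes.fromhex("000d56bf8810")
                  + struct.pack("!H", 0x0800) + b"constructed-payload")
TAGGED_FRAME = add_tag(UNTAGGED_FRAME, vid=100, priority=5)

if __name__ == "__main__":
    print(parse_frame(TAGGED_FRAME))
    print(remove_tag(TAGGED_FRAME) == UNTAGGED_FRAME)
```

The parser only recognises the single 0x8100 TPID the course discusses; a frame with a different outer EtherType is reported as untagged and its payload starts at offset 14.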


All the Ethernet frames exist in the switch in the form of tagged frames. Certain ports may receive untagged frames from peer devices, but the frame from the port of the local switch must be a tagged frame. If the frame received is tagged, it will be forwarded; if it is untagged, a tag will be added to it. The device can implement a VLAN in the following ways.

• Port based: the network manager configures a PVID for every port of a switch, known as the Port VLAN ID or port default VLAN. If an untagged frame is received, the VLAN ID will be the PVID.

• MAC based: the network manager configures a mapping from each MAC address to a VLAN ID; if an untagged frame is received, the VLAN ID is added according to the mapping table.

• Protocol based: the network manager configures a mapping between the protocol field of the Ethernet frame and a VLAN ID; if an untagged frame is received, the VLAN ID is added according to the mapping table.

• Subnet based: the VLAN ID is added according to the IP address information in the packet.

• Policy based: provides strict control capability, based on MAC address and IP address, MAC address, or IP address and port. If the VLAN is implemented successfully, it can forbid users from changing the MAC address or the IP address.

If the device supports multiple methods at the same time, the general priority order from high to low is: policy based, MAC based, subnet based, protocol based, port based. Presently, port-based VLAN tagging is the most common method.
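The precedence order above, as an added example that is not code from the course: a classifier that assigns a VLAN to an untagged frame by trying the five methods in the stated order and reporting which one matched. All tables, MAC addresses, subnets and VLAN numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VlanAssignment:
    """Per-port VLAN assignment tables for untagged frames (all constructed)."""
    pvid: int                                                      # port based
    by_mac: Dict[str, int] = field(default_factory=dict)           # MAC based: MAC -> VLAN
    by_subnet: List[Tuple[ipaddress.IPv4Network, int]] = field(default_factory=list)  # subnet based
    by_protocol: Dict[int, int] = field(default_factory=dict)      # protocol based: EtherType -> VLAN
    by_policy: Dict[Tuple[str, str], int] = field(default_factory=dict)  # policy based: (MAC, IP) -> VLAN


def classify_untagged(tables: VlanAssignment, src_mac: str, ethertype: int,
                      src_ip: Optional[str]) -> Tuple[int, str]:
    """Assign a VLAN ID to an untagged frame, highest-priority method first:
    policy > MAC > subnet > protocol > port. Returns (vid, method that matched)."""
    if src_ip is not None and (src_mac, src_ip) in tables.by_policy:
        return tables.by_policy[(src_mac, src_ip)], "policy"
    if src_mac in tables.by_mac:
        return tables.by_mac[src_mac], "mac"
    if src_ip is not None:
        ip = ipaddress.ip_address(src_ip)
        for network, vid in tables.by_subnet:
            if ip in network:
                return vid, "subnet"
    if ethertype in tables.by_protocol:
        return tables.by_protocol[ethertype], "protocol"
    return tables.pvid, "port"          # nothing more specific applied: the PVID


# Constructed tables for one port. The MACs reuse the PCA/PCB addresses from this course.
PORT_TABLES = VlanAssignment(
    pvid=1,
    by_mac={"00:0d:56:bf:88:10": 10},
    by_subnet=[(ipaddress.ip_network("192.168.20.0/24"), 20)],
    by_protocol={0x86DD: 30},           # IPv6 frames go to VLAN 30
    by_policy={("00:0d:56:bf:88:20", "192.168.20.20"): 40},
)

if __name__ == "__main__":
    print(classify_untagged(PORT_TABLES, "00:0d:56:bf:88:20", 0x0800, "192.168.20.20"))
    print(classify_untagged(PORT_TABLES, "aa:bb:cc:dd:ee:ff", 0x0800, "10.0.0.1"))
```

The ordering matters for control: MAC-, subnet- and protocol-based assignment each key on a single field that the sending host itself fills in, whereas the policy method binds MAC and IP together, which is why the course notes it can prevent a user from changing either one to land in a different VLAN.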


The tag in an Ethernet frame, combined with the VLAN configuration of the port, controls packet forwarding. For an Ethernet frame received on port A, the switch checks whether the destination MAC is attached to port B. After the introduction of VLAN tagging, two key points decide whether the frame should be forwarded from port B:

• Whether the VLAN ID in the frame has been created on the switch. There are two methods to create VLANs: manual configuration, or automatic creation using GVRP.

• Whether the destination port allows frames of that VLAN to pass. VLAN lists determine whether frames are allowed to pass through a port, and can be created by the administrator or automatically by GVRP (GARP VLAN Registration Protocol).

In the forwarding process, there are two types of tag operation:

• Add tag: for untagged frames, add the PVID; this is done after receiving the frame from the peer device.

• Remove tag: delete the VLAN tagging information in the frame, then send it to the peer device in the form of an untagged frame. In normal cases the switch will not change the VLAN ID in a tagged frame, while some devices supporting special services may provide the function of changing the VLAN ID.


After introducing VLAN functionality, switch ports may be one of three types: access port, trunk port and hybrid port.

An access port is used to connect a host and has the following features:

• Only frames whose VLAN ID is the same as the PVID of the port are permitted to pass through the port.

• If the frame received from the peer device is untagged, the switch adds the PVID to the frame automatically.

• The frame sent by an access port is always an untagged frame.

• The default port type of many types of switch is access; the PVID is 1 by default; VLAN 1 is created by the system and cannot be deleted.


The following commands can be used to set ports as access ports and set the PVID of each access port after creating the VLAN:

[Switch]vlan 3

[Switch-vlan3]port ethernet 0/1

[Switch]vlan 5

[Switch-vlan5]port ethernet 0/2

The port mode should be specified as either access or trunk when making any change to the PVID.


Trunk port: used to connect switches and transmit tagged frames among switches. It can be set to permit multiple VLAN IDs, even VLAN IDs that differ from its own PVID.

A trunk port sends tagged frames to other devices using the following rules:

• If the VLAN ID of the tagged frame does not exist in the VLAN permitted list, it will be discarded;

• If it does exist and the VLAN ID of the tagged frame is the same as the PVID, the frame will be forwarded after removing the tag. The PVID of each port is unique; in this case the frame will be untagged when sent by the trunk port.

• If the VLAN ID of the tagged frame is different from the PVID, the frame will be forwarded to the peer device without modification.

VLAN forwarding generally queries the tagging information of the VLAN frame and compares it with the VLAN permit list to look for a match. If a VLAN is registered by GVRP, however, it must also be registered on the port; otherwise the VLAN ID will not exist in the VLAN permit list, and the corresponding VLAN frame cannot be forwarded from the port.


As shown in the figure above, the following commands can be used to configure the trunk port attributes:

//create VLAN

[Switch]vlan 3

//configure port type

[Switch-Ethernet0/3]port link-type trunk

//configure PVID of Trunk-Link port

[Switch-Ethernet0/3]port trunk pvid vlan 3

//configure permitted VLAN of Trunk-Link

[Switch-Ethernet0/3]port trunk allow-pass vlan 5


An access port sends a packet to another device in the form of an untagged frame; a trunk port can send out an untagged frame only when the trunk PVID is the same as the frame's VLAN ID. In other cases, it sends frames tagged. Hybrid ports can be used to control the VLAN tagging process more precisely. For example, a device connected to the switch may not support VLANs, but the ports can still be used to isolate the devices.

Hybrid ports can flexibly control the VLAN tag. In this example, if the VLAN ID of the frame is 3, it is forwarded according to the forwarding mode of a trunk port. If it is 4, tag 4 is removed and the frame is then forwarded.


If a hybrid port is only configured to allow untagged VLAN forwarding, the port takes on the same role as an access port.

If a port is configured to support only tagged VLANs, it has the same function as a trunk port.

If a switch port is configured with a PVID that is both tagged and supports untagged VLANs, for example VLAN 2 on Ethernet0/1, it is capable of communicating with other hybrid ports that support the same untagged VLANs, as opposed to ports such as 0/3, which only supports VLAN 3. The configuration above thus shows how it is possible to implement isolation between port 0/1 and port 0/3, but still allow both to communicate with the host connected to port 0/24.
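The access, trunk and hybrid rules from the preceding pages, as an added example (not code from the course): a small model of a switch's ingress classification and egress decision per port type, run over the hybrid isolation layout just described and over the trunk configuration example. The port table is constructed: VLAN 2 on Ethernet0/1, VLAN 3 on Ethernet0/3 and the shared host on Ethernet0/24 follow the text, while VLAN 100 as the shared host's own VLAN, VLAN 3 being in the trunk's allow-pass list, and the access port Ethernet0/2 in VLAN 5 are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # port default VLAN; VLAN 1 by default
    tagged: Set[int] = field(default_factory=set)     # trunk: allow-pass list; hybrid: VLANs sent tagged
    untagged: Set[int] = field(default_factory=set)   # hybrid only: VLANs sent untagged

    def permitted(self) -> Set[int]:
        """VLANs this port lets through at all."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.tagged)
        return self.tagged | self.untagged

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """Classify a received frame (vid=None means untagged). Returns the VLAN the
        frame carries inside the switch, or None if it is discarded."""
        if vid is None:
            return self.pvid                          # 'add tag': untagged frames take the PVID
        return vid if vid in self.permitted() else None

    def egress(self, vid: int) -> str:
        """How a frame in VLAN `vid` leaves this port: 'drop', 'untagged' or 'tagged'."""
        if vid not in self.permitted():
            return "drop"
        if self.link_type == "access":
            return "untagged"                         # access ports always send untagged
        if self.link_type == "trunk":
            return "untagged" if vid == self.pvid else "tagged"   # PVID stripped, others keep the tag
        return "untagged" if vid in self.untagged else "tagged"


def forward(ports: Dict[str, Port], in_port: str, out_port: str, vid: Optional[int]) -> str:
    """One frame end to end: ingress classification on in_port, then the egress decision on out_port."""
    internal_vid = ports[in_port].ingress(vid)
    if internal_vid is None:
        return "drop"
    return ports[out_port].egress(internal_vid)


# Constructed port table (see the lead-in for which values are assumptions).
SWITCH: Dict[str, Port] = {
    "Ethernet0/1":  Port("Ethernet0/1",  "hybrid", pvid=2,   untagged={2, 100}),
    "Ethernet0/3":  Port("Ethernet0/3",  "hybrid", pvid=3,   untagged={3, 100}),
    "Ethernet0/24": Port("Ethernet0/24", "hybrid", pvid=100, untagged={2, 3, 100}),
    "Ethernet0/5":  Port("Ethernet0/5",  "trunk",  pvid=3,   tagged={3, 5}),
    "Ethernet0/2":  Port("Ethernet0/2",  "access", pvid=5),
}

if __name__ == "__main__":
    for src, dst in (("Ethernet0/1", "Ethernet0/24"), ("Ethernet0/1", "Ethernet0/3"),
                     ("Ethernet0/24", "Ethernet0/3"), ("Ethernet0/2", "Ethernet0/5")):
        print(src, "->", dst, forward(SWITCH, src, dst, None))
```

The isolation works because a frame from Ethernet0/1 enters VLAN 2, which Ethernet0/3 does not list at all, while the host on Ethernet0/24 speaks its own VLAN that both edge ports list as untagged; no port ever sees a frame from a VLAN it was not explicitly configured for.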


To configure access and trunk ports on SWA and SWB, it is necessary to create VLAN 2 on SWB and allow VLAN 2 to traverse the two ports of SWB, so that PC1 and PC2 can communicate with each other. SWB does not connect to any users; it is a transitional switch. In large-scale networks there may be many transitional switches, for which configuration and management is difficult. The manager only cares about the user intercommunication control: for example, after a new user joins the network, the manager should configure the access port which connects the new user and make the port part of a certain VLAN group. If the transitional switch can automatically implement intercommunication among logical group members, it will save network maintenance cost. GVRP can implement this function. After all the switches are enabled with GVRP functionality, the VLAN configuration on the edge switches can be transmitted to the whole network through GVRP, automatically implementing the VLAN configuration on each port.


The command “gvrp” is used to enable GVRP on a switch, and the command “undo gvrp” disables it. GVRP is disabled by default. In the system view, the command “gvrp” enables or disables GVRP for all ports, whereas the same command enables or disables GVRP on a particular port when used in the interface view, as shown in the example.

Note:

• Before enabling port-based GVRP, GVRP must be enabled in the system view first. If GVRP is disabled at the system level, GVRP is also disabled on all ports, and the user will not be able to change the status of port-based GVRP.

• GVRP should be enabled and disabled on trunk ports. After GVRP is enabled on a trunk port, the switch does not allow the trunk port to be changed to any other port type.


1. How many port types does a Huawei switch support?

 Answer: A Huawei switch can support three port types, they are access, trunk and hybrid

port types.

2. Must a frame be tagged when sent from a trunk port to peer devices?

 Answer: In general, a frame is tagged, but if the VLAN ID is the same as the PVID of the

trunk, the tag will be removed and forwarded in the form of an untagged frame.


VLANs create and isolate layer-2 broadcast domains, thereby isolating the traffic of different VLANs. As a result, users associated with different VLANs are unable to communicate.


Flows between different VLANs cannot directly cross VLAN boundaries, so the ability to route traffic is needed to forward packets from one VLAN to another. Hosts of different VLANs are treated as members of different networks. When a default gateway has been configured on a host in a given VLAN, any communication destined for hosts that are not in the same VLAN is automatically forwarded to the default gateway, which in turn routes the traffic between VLANs.


One method of solving VLAN intercommunication is to assign a separate physical router interface to each VLAN. Traffic from different VLANs can then be forwarded between these physical interfaces and routed. This method enables intercommunication between VLANs; however, as the number of VLANs increases, so does the number of router interfaces needed. Such solutions result in higher costs and a poor network design. Some VLANs do not need to forward traffic to other VLANs frequently, which leads to further waste; therefore this method is generally not suited to solving the problem of VLAN intercommunication.


To resolve the physical interface limitation, a method of trunking is implemented using only a single physical interface on the router and a single port on the switch. One Ethernet interface on the router can support all VLAN gateways and carry all VLAN traffic through the creation of sub-interfaces.

As shown above, only a single physical router Ethernet interface is being used, but it supports three sub-interfaces as default gateways for each of the three VLANs. Each frame carries a VLAN tag that identifies which VLAN it belongs to. When users in VLAN 100 need to communicate with users in another VLAN, the user only needs to forward the frame to the default gateway; the default gateway modifies the VLAN tag of the data frame and then routes it to the VLAN on which the destination host resides.
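The sub-interface gateway behaviour described above, as an added example that is not code from the course: a model of a router with one dot1q sub-interface per VLAN that accepts a tagged frame, finds which connected VLAN holds the destination address, and re-tags the frame for that VLAN, together with the host-side test of whether a destination needs the default gateway at all. The gateway addresses 192.168.10.1/24, 192.168.20.1/24 and 192.168.30.1/24 and the VLAN IDs 100, 200 and 300 are assumptions of this example (the course's verification step uses hosts 192.168.10.10 in VLAN 100 and 192.168.20.20 in VLAN 200).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SubInterface:
    vid: int                          # VLAN terminated by this dot1q sub-interface
    gateway: ipaddress.IPv4Interface  # gateway address and prefix for that VLAN


class RouterOnAStick:
    """One physical interface carrying tagged frames, one sub-interface per VLAN."""

    def __init__(self, subifs: Iterable[SubInterface]):
        self.by_vid = {s.vid: s for s in subifs}

    def route(self, in_vid: int, dst_ip: str) -> Optional[int]:
        """A frame arrives tagged `in_vid` for `dst_ip`; return the tag it leaves with,
        or None if the router cannot deliver it."""
        if in_vid not in self.by_vid:
            return None          # tag not terminated by any sub-interface: discarded
        dst = ipaddress.ip_address(dst_ip)
        for sub in self.by_vid.values():
            if dst in sub.gateway.network:
                return sub.vid   # rewrite the tag to the destination host's VLAN
        return None              # not a connected VLAN; this model has no default route


def host_needs_gateway(host: ipaddress.IPv4Interface, dst_ip: str) -> bool:
    """Host-side decision: anything outside the host's own subnet is sent to the default gateway."""
    return ipaddress.ip_address(dst_ip) not in host.network


# Constructed sub-interfaces (assumed addresses, see the lead-in).
ROUTER = RouterOnAStick([
    SubInterface(100, ipaddress.ip_interface("192.168.10.1/24")),
    SubInterface(200, ipaddress.ip_interface("192.168.20.1/24")),
    SubInterface(300, ipaddress.ip_interface("192.168.30.1/24")),
])

if __name__ == "__main__":
    pc_a = ipaddress.ip_interface("192.168.10.10/24")
    print(host_needs_gateway(pc_a, "192.168.20.20"), ROUTER.route(100, "192.168.20.20"))
```

Because the router only re-tags into VLANs it terminates, a frame whose destination is not on any sub-interface's subnet is dropped here rather than forwarded; in a real deployment the router's routing table decides what happens to such traffic.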


The third option for VLAN routing is the use of a layer-3 switch. A layer-3 switch effectively integrates the functionality of a layer-2 switch and layer-3 routing, and therefore combines the advantages of both. The limitation lies mainly in the cost of such devices due to their extended functionality.


Huawei supports layer-3 switching by means of switch and route processing units, or SRUs, and may support multiple SRU boards for redundancy. All routable packets are sent by the forwarding engine to the SRU board for processing. The SRU board also broadcasts and filters packets and executes routing policies. The SRU supports VLAN switching, default VLANs and other more advanced VLAN technologies, including Q-in-Q and dynamic VLAN allocation based on MAC addressing. The example above shows how a layer-3 switch can be used to associate VLAN gateways directly with VLAN interfaces within a single device.


In this example two VLANs are present, VLAN 100 and VLAN 200. A host in VLAN 100 wishes to forward traffic to a host in VLAN 200. Each VLAN is a separate broadcast domain and therefore a different network. Each host has been assigned a network host address respective to the VLAN it belongs to, and the gateway address for the network. Forwarding the traffic requires VLAN trunking, to support multiple VLANs over a single physical link, and sub-interface configuration on the layer-3 router. How is this achieved?


//create VLAN100

[SWA]vlan 100

//configure ethernet 0/1 belonging to VLAN100

[SWA-vlan100]port ethernet 0/1

//create VLAN200

[SWA]vlan 200

//configure ethernet 0/2 belonging to VLAN200

[SWA-vlan200]port ethernet 0/2

//enter into interface view

[SWA]interface ethernet 0/24

//configure port type as Trunk

[SWA-Ethernet0/24]port link-type trunk

//permit all VLAN to pass

[SWA-Ethernet0/24]port trunk allow-pass vlan all


Using the control-vid command, you can specify the mapping between the control VLAN and the Ethernet sub-interface, to differentiate termination sub-interfaces of the same main interface. Using the undo control-vid command, you can remove the mapping between the control VLAN and Ethernet sub-interfaces. By default, no mapping between a control VLAN and an Ethernet sub-interface is specified. The dot1q-termination keyword indicates that the encapsulation mode of a sub-interface is dot1q. This mode applies to single-tagged packets (as opposed to the double-tagged packets used in a Q-in-Q configuration).

Using the arp broadcast enable command, you can enable the ARP broadcast function on a sub-interface for VLAN tag termination. Using the undo arp broadcast enable command, you can disable the ARP broadcast function on a sub-interface for VLAN tag termination. By default, the ARP broadcast function is disabled on sub-interfaces for VLAN tag termination.


Connectivity between the hosts of different VLANs can be verified by means such as the ping command. If the host 192.168.10.10 in VLAN 100 can ping host 192.168.20.20 in VLAN 200, the configuration is correct.


On the layer-3 switch (SWA), port 1 and port 2 represent a local network that has been logically segmented through the implementation of VLANs. The hosts via port 1 have been assigned to VLAN 100 and hosts via port 2 to VLAN 200. The hosts of VLAN 100 and VLAN 200 are able to support the forwarding of traffic between VLANs 100 and 200 through SWA. The example demonstrates how a single host from each VLAN would be configured to support this forwarding of traffic.


When a layer-3 switch needs to communicate with devices at the network layer, a logical interface can be created, namely a VLANIF interface. A VLANIF interface is a network layer interface and can be configured with an IP address. The layer-3 switch then uses the VLANIF interface to communicate with devices at the network layer. The IP address that is assigned to each VLANIF is recognised as the gateway address by the respective VLAN hosts. The command “interface vlanif <vlan-id>” specifies the ID of the VLAN that a VLANIF interface belongs to. The value of vlan-id is an integer that ranges from 1 to 4094.


In the same way that it was possible to verify VLAN routing using a layer-3 router, it is also possible to verify connectivity between hosts of different VLANs supported by a layer-3 switch. If host 192.168.10.10 in VLAN 100 is able to successfully ping host 192.168.20.20 in VLAN 200, the configuration is correct.


1. What is the purpose of VLAN routing?

 Answer: The main advantage of VLANs is to isolate broadcast domains, but it is often the

case that traffic must flow between these broadcast domains. VLAN routing is used to

resolve this problem by facilitating communication between broadcast domains.

2. What methods can be used to implement VLAN routing?

Answer: Ordinary layer-2 switches are only able to support communication within a single VLAN (broadcast) domain. The flow of VLAN traffic between broadcast domains is achievable through the configuration of VLAN routing on a reachable layer-3 device. It is therefore possible to achieve VLAN routing through the following methods. Communication through a router connected to the network can achieve VLAN routing, using either a single physical interface for each VLAN, or more suitably through the implementation of multiple sub-interfaces on a single physical interface. A layer-3 switch can also be used to implement VLAN routing, through the configuration of a layer-3 VLAN interface for each VLAN.


A switch forwards data frames based on the MAC address table. The MAC address table specifies the mapping between destination MAC addresses and destination ports.

1: Assume that PCA sends a data frame to PCB. The destination MAC address of this data frame is set to the MAC address of PCB, namely 00-0D-56-BF-88-20.

When SWA receives this frame, it searches the MAC address table. According to the entries in the MAC address table, SWA forwards the data frame through port E0/3.

The switch does not make any modification to the data frame before forwarding it. If the switch receives a broadcast frame, or a frame whose destination MAC address is not in the MAC address table, it forwards the frame to all other ports.

2: When SWB searches the MAC address table, it uses the information stored there to make forwarding decisions. In the example, SWB forwards the frame through port E0/6. No modification is made to the data frame.

3: When PCB receives the frame, it finds that the destination MAC address is its own MAC address. PCB then processes this data frame and sends the de-encapsulated data to the upper layer protocol.


If a switch receives a broadcast data frame from a port, the switch forwards the data frame to all other ports. In addition, it does not make any modification to the data frame before forwarding it. Therefore, if a loop exists in the network, the broadcast frames are forwarded in the network infinitely, causing a broadcast storm.


A switch forwards data frames based on the MAC address table, but the MAC address table is empty when the switch is started. Therefore, the switch needs to learn the MAC address table.

A switch learns the MAC address table based on the mapping between the source address of the received data frame and the receiving port.

1: Assume that PCA sends a data frame to PCB. The destination address of the frame is the MAC address of PCB, namely 00-0D-56-BF-88-20. The source address is the MAC address of PCA, namely 00-0D-56-BF-88-10.

When SWA receives the data frame, it checks the source address of the frame and adds the mapping between the source address and the receiving port to the MAC address table. Thus, the mapping between the destination address and destination port is recorded in the table.

2: When SWB receives this frame, it also adds the mapping between the source address and the receiving port to the MAC address table as a MAC address entry.

3: When PCB receives the frame, it processes this frame.


A switch generates a MAC address entry according to the source address and receiving port of the received data frame.

PCA sends a data frame. Assume that the destination MAC address of the data frame does not exist in any MAC address table of the switches in the network.

When SWA receives this data frame, it generates a MAC address entry in which the MAC address 00-0D-56-BF-88-10 maps to port E0/2.

Because the MAC address table of SWA does not contain any entry with this destination MAC address, SWA forwards the data frame to E0/3 and E0/4.

The MAC address table of SWB also does not contain any entry with this destination MAC address. So, after SWB receives the data frame on E0/5, it forwards the frame to SWA through E0/6.

After SWA receives this data frame on E0/4, it deletes the previous entry with this address and generates a new entry. In the new entry, MAC address 00-0D-56-BF-88-10 maps to port E0/4. In this case, the MAC address table is unstable and wrong entries are generated.
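The three behaviours described on the preceding pages (forwarding by MAC table, learning from source addresses, and the unstable table and endless flooding a loop causes), as an added simulation that is not code from the course. It models two learning switches; PCA on SWA E0/2 and the two inter-switch links E0/3-E0/5 and E0/4-E0/6 follow the slides, while placing PCB on SWB E0/7 is an assumption. With the second link present, an unknown-destination frame never dies out, and both switches keep relearning PCA's MAC on different ports.

```python
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# MAC addresses of PCA and PCB as given in the course
PCA = "00:0d:56:bf:88:10"
PCB = "00:0d:56:bf:88:20"


class LearningSwitch:
    """Transparent bridge: learn source MAC -> port, forward by destination MAC, flood otherwise."""

    def __init__(self, name: str, ports: List[str]):
        self.name = name
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}   # empty at start-up, as the course describes
        self.moves = 0                        # times a known MAC was relearned on a different port

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Learn `src` on `in_port`, then return the ports the (unmodified) frame is sent out of."""
        previous = self.mac_table.get(src)
        if previous is not None and previous != in_port:
            self.moves += 1                   # the 'MAC flap' that signals a loop
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]    # never send a frame back where it came from
        return [p for p in self.ports if p != in_port]  # unknown unicast or broadcast: flood


Links = Dict[Tuple[str, str], Tuple[str, str]]   # (switch, port) -> (peer switch, peer port)


def build_network(redundant_link: bool) -> Tuple[Dict[str, LearningSwitch], Links]:
    """SWA:E0/3 - SWB:E0/5 is always present; SWA:E0/4 - SWB:E0/6 adds the loop.
    Host ports (SWA:E0/2 for PCA, SWB:E0/7 for PCB, the latter assumed) have no peer switch."""
    switches = {
        "SWA": LearningSwitch("SWA", ["E0/2", "E0/3", "E0/4"]),
        "SWB": LearningSwitch("SWB", ["E0/5", "E0/6", "E0/7"]),
    }
    pairs = [(("SWA", "E0/3"), ("SWB", "E0/5"))]
    if redundant_link:
        pairs.append((("SWA", "E0/4"), ("SWB", "E0/6")))
    links: Links = {}
    for a, b in pairs:
        links[a] = b
        links[b] = a
    return switches, links


def inject(switches: Dict[str, LearningSwitch], links: Links, at: Tuple[str, str],
           src: str, dst: str, max_events: int = 50) -> int:
    """Deliver one frame at (switch, port) and follow every copy across switch-to-switch links.
    Returns how many switch receive events occurred before the frame died out or the cap was hit."""
    queue = [at]
    events = 0
    while queue and events < max_events:
        sw, port = queue.pop(0)
        events += 1
        for out_port in switches[sw].receive(port, src, dst):
            peer = links.get((sw, out_port))
            if peer is not None:              # a host-facing port ends the copy's journey
                queue.append(peer)
    return events


if __name__ == "__main__":
    for loop in (False, True):
        sw, ln = build_network(redundant_link=loop)
        n = inject(sw, ln, ("SWA", "E0/2"), PCA, PCB)
        print(f"loop={loop}: {n} events, SWA moves={sw['SWA'].moves}, table={sw['SWA'].mac_table}")
```

The `moves` counter is the detection hook a defender cares about: a real switch reports the same condition as MAC address flapping between ports, which is the first visible symptom of a layer-2 loop before the broadcast storm saturates the links.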


The main function of STP (Spanning Tree Protocol) is to avoid switching loops where redundant links are present in the network. As the figure on this slide shows, a ring is composed of SWA, SWB and SWC, which may cause problems such as broadcast storms.

After the spanning tree protocol is enabled, its calculations cause the network to converge, with the interfaces taking on various operational roles, including the blocking of one or more ports in order to remove the possibility of any loop occurring. In this example, it is assumed that port E0/2 of SWB is blocked to remove the loop.


 After the port E0/2 of SWB is blocked, there is no loop in the network.


Another feature of STP is link backup. If some problem occurs along the active path, the blocked interface can be made active, so as to restore the connectivity of the network through the redundant link. Thus the loop between switches is usually used for redundancy. STP removes the logical loop in the network by blocking port(s), but the physical links are not changed. In the previous example, it is mentioned that port E0/20 of SWB is blocked to remove the loop. If another port goes down (for example, port E0/20 of SWC), STP can recover the blocked port through convergence, making it possible to forward packets again.


The basic idea of STP is quite simple: if the network can be made to form a tree, loops are prevented. Thus STP defines some concepts, including Root Bridge, Root Port, Designated Port and Path Cost. The purpose is to cut out redundant loops by constructing a tree, while implementing link backup and path optimization at the same time. The algorithm used to construct the tree is the spanning tree algorithm.

In order to calculate the spanning tree, the relevant information and parameters need to be exchanged between switches. This information and these parameters are encapsulated in BPDUs (Bridge Protocol Data Units) and transmitted between switches.

The following tasks are done through the exchange of BPDUs between bridges:

1. Select a bridge as the root bridge among all bridges;

2. Calculate the shortest path from the current bridge to the root bridge;

3. For every shared network segment, select the bridge nearest to the root bridge as the designated bridge, responsible for the data forwarding of this network segment;

4. For every bridge, select a root port;

5. Select the designated ports besides the root port.


To calculate the spanning tree, switches need to exchange information and parameters. The information and parameters are encapsulated in the Configuration Bridge Protocol Data Unit (BPDU) and transmitted between switches.

In a broad sense, a BPDU refers to a data unit used to exchange information between switches. The configuration BPDU is one type of BPDU.

Calculation of the spanning tree starts from the election of the root bridge. The root bridge is elected based on the bridge identifier.

A bridge identifier consists of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is configurable. The value ranges from 0 to 65535 and the default value is 32768.

In the network, the switch with the smallest identifier becomes the root bridge. The system first compares the priority. If the switches have the same priority, the system compares their MAC addresses. The switch with the smallest MAC address is elected.

In this example, the three switches have the same priority. SWA has the smallest MAC address, so SWA is elected as the root bridge.


STP elects a root port for each non-root bridge.

Each port of a switch has a port cost parameter. The port cost refers to the cost of sending data out of this port, namely the cost of the outgoing port. STP considers that no cost is incurred for receiving data on a port. The port cost depends on the bandwidth of the port: the higher the bandwidth, the smaller the port cost. On the VRP, the cost of a 100M port with half duplex is 200, and the cost of a 100M port with full duplex is 199.

Multiple paths may exist between a non-root bridge and the root bridge. The cost of a path is the total cost of all outgoing ports on this path.

A root port is the local port on the path with the least cost from a non-root bridge to the root bridge. The cost of this path is referred to as the root path cost. If multiple candidate root ports exist, the system compares the identifiers of the upstream switches. The port whose upstream switch has the smallest identifier is elected. If the upstream switches have the same bridge identifier, the system compares the identifiers of the upstream ports. The port whose upstream port has the smallest identifier is elected.

The port identifier consists of a 1-byte port priority and a 1-byte port number. The port priority is configurable. The default value is 128.

In this example, we assume that all ports are 100M ports and their cost values are all 200.


STP elects a designated port for each network segment. The designated port forwards the data transmitted between the root bridge and this network segment. The switch on which the designated port is located is called the designated switch.

When electing the designated port and designated bridge for a network segment, STP compares the root path costs of the switches whose ports are connected to this network segment. If the switches have the same root path cost, STP compares their bridge identifiers. The port on the switch with the smallest identifier has the highest priority. If their identifiers are also the same, STP compares the identifiers of the ports connected to the network segment. The port with the smallest identifier has the highest priority.

On the root bridge, all ports are the designated ports of the connected network segments. Therefore, the designated ports of LANA and LANB are both on SWA.

LAND and LANE are each connected to a port of only one switch, and the connected ports are the designated ports for LAND and LANE respectively.

LANC is connected to the ports of two switches, and the two switches have the same root path cost. Therefore, the identifiers of the switches are compared. SWB has a smaller identifier (because its MAC address is smaller), so the designated port for LANC is on SWB.

A port that is neither the root port nor a designated port is called an alternate port. The alternate port does not forward data and is in Blocking state.
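The three elections described above (root bridge, root port, designated port) can be worked through in code on the LANA to LANE topology of this example. The following is an added example, not code from the Huawei course or the VRP: the switch MAC addresses, port numbers and the exact wiring of ports to segments are assumptions chosen to match the slide text, and every port is taken to be a 100M port with cost 200 as the slide assumes.

```python
"""Added STP election model for the SWA/SWB/SWC example (example code, not
from the Huawei course).  MAC addresses, port numbers and the wiring of
ports to LANA..LANE are constructed assumptions chosen to match the slide
text; every port is a 100M port with cost 200 as the slide assumes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    bridge: str        # switch name
    number: int        # port number (E0/<number>)
    segment: str       # LAN segment the port is attached to
    cost: int = 200    # outgoing port cost (100M half duplex on the VRP)
    priority: int = 128

    @property
    def port_id(self):
        # Port identifier: 1-byte priority followed by 1-byte port number
        return (self.priority, self.number)


def bridge_id(priority, mac):
    """Bridge identifier: 2-byte priority followed by the 6-byte MAC.
    Tuples compare the priority first, then the MAC, as STP does."""
    return (priority, int(mac.replace("-", ""), 16))


def run_stp(bridges, ports):
    """bridges: {name: bridge_id}; ports: list of Port.
    Returns (root bridge name, root path cost per bridge, role per port)."""
    root = min(bridges, key=bridges.get)          # smallest identifier wins
    on_bridge = {b: [p for p in ports if p.bridge == b] for b in bridges}
    on_segment = {}
    for p in ports:
        on_segment.setdefault(p.segment, []).append(p)

    INF = float("inf")
    rpc = {b: (0 if b == root else INF) for b in bridges}
    root_port = {}
    # Relax until stable (Bellman-Ford): each non-root bridge picks, over its
    # ports, the best (root path cost, upstream bridge id, upstream port id,
    # own port id) vector, which is exactly the slide's tie-break order.
    for _ in range(len(bridges)):
        for b in bridges:
            if b == root:
                continue
            best = None
            for p in on_bridge[b]:
                for up in on_segment[p.segment]:
                    if up.bridge == b or rpc[up.bridge] == INF:
                        continue
                    vec = (rpc[up.bridge] + p.cost, bridges[up.bridge],
                           up.port_id, p.port_id)
                    if best is None or vec < best[0]:
                        best = (vec, p)
            if best is not None:
                rpc[b], root_port[b] = best[0][0], best[1]

    roles = {}
    # Designated port per segment: lowest root path cost, then bridge id,
    # then port id, among the ports attached to the segment.
    for seg_ports in on_segment.values():
        des = min(seg_ports,
                  key=lambda p: (rpc[p.bridge], bridges[p.bridge], p.port_id))
        roles[(des.bridge, des.number)] = "designated"
    for b, p in root_port.items():
        roles[(b, p.number)] = "root"
    # Everything else is an alternate port and stays in Blocking state.
    for p in ports:
        roles.setdefault((p.bridge, p.number), "alternate")
    return root, rpc, roles


def example_topology():
    """Constructed topology: SWA-SWB share LANA, SWA-SWC share LANB,
    SWB-SWC share LANC, LAND hangs off SWB only, LANE off SWC only.
    Priorities are all the default 32768; the MACs are made up."""
    bridges = {
        "SWA": bridge_id(32768, "4c1f-cc00-0001"),
        "SWB": bridge_id(32768, "4c1f-cc00-0002"),
        "SWC": bridge_id(32768, "4c1f-cc00-0003"),
    }
    ports = [
        Port("SWA", 1, "LANA"), Port("SWA", 2, "LANB"),
        Port("SWB", 1, "LANA"), Port("SWB", 2, "LANC"), Port("SWB", 3, "LAND"),
        Port("SWC", 1, "LANB"), Port("SWC", 2, "LANC"), Port("SWC", 3, "LANE"),
    ]
    return bridges, ports


if __name__ == "__main__":
    root, rpc, roles = run_stp(*example_topology())
    print("root bridge:", root)
    for (sw, n), role in sorted(roles.items()):
        print(f"{sw} E0/{n}: {role} (root path cost {rpc[sw]})")
```

The relaxation loop mirrors what the configuration BPDU exchange computes: each non-root bridge keeps the best (root path cost, upstream bridge identifier, upstream port identifier, own port identifier) vector over its ports, which is the tie-break order the slides give. Running the script prints SWA as root with root path cost 200 on SWB and SWC, and SWC's port on LANC as the only alternate (blocked) port.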


STP defines three roles for an STP-enabled port that works normally on the physical layer and data link layer. The root port and designated port are in Forwarding state. A port that is not enabled is called a Disabled port.


After being enabled, a port switches to Listening state and begins to calculate the spanning tree. After the calculation, if the port is set as an alternate port, the port state changes to Blocking. If the port is set as the root port or a designated port, the port state switches from Listening to Learning after one forward delay period. After another forward delay period, the port state switches from Learning to Forwarding, and the port can forward data frames.



1: The port is elected as the designated port or root port.

2: The port is elected as the alternate port.

3: The port waits one forward delay period. By default, the forward delay is 15 seconds.

When a port is disabled, it switches to Disabled state. Before switching from a non-Forwarding state to Forwarding state, a port needs to wait twice as long as the forward delay. Thus the potential risk of a temporary loop is avoided.
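An added model of these transitions (example code, not from the course): the transition numbers follow the slide, the only timer value used is the 15-second default forward delay it states, and the port's clock is assumed to advance in whole seconds.

```python
"""Added model of the STP port state transitions on the slide (example code,
not from the course).  Transition numbers 1-3 follow the slide; the
15-second forward delay is the default it states."""

FORWARD_DELAY = 15  # seconds, the default on the slide


class StpPort:
    def __init__(self):
        self.state = "Disabled"
        self.role = None
        self.timer = 0  # seconds spent in the current timed state

    def enable(self):
        # An enabled port starts in Listening and takes part in the calculation
        self.state, self.timer = "Listening", 0

    def disable(self):
        self.state, self.role = "Disabled", None

    def elect(self, role):
        """Apply the result of the spanning tree calculation.
        Transition 2: an alternate port drops to Blocking at once.
        Transition 1: a port that becomes root/designated leaves Blocking
        for Listening and must then earn Forwarding through the timers."""
        self.role = role
        if role == "alternate":
            self.state = "Blocking"
        elif self.state == "Blocking":
            self.state, self.timer = "Listening", 0

    def tick(self, seconds):
        """Advance time.  Transition 3: Listening -> Learning and
        Learning -> Forwarding each wait one forward delay."""
        if self.state not in ("Listening", "Learning"):
            return self.state
        self.timer += seconds
        while self.timer >= FORWARD_DELAY and self.state != "Forwarding":
            self.timer -= FORWARD_DELAY
            self.state = "Learning" if self.state == "Listening" else "Forwarding"
        return self.state


def time_to_forward(role):
    """Seconds an enabled port with the given role needs before it forwards,
    or None if it never will (alternate port).  Shows the 2 x forward delay
    rule that protects against temporary loops."""
    port = StpPort()
    port.enable()
    port.elect(role)
    for elapsed in range(0, 4 * FORWARD_DELAY + 1):
        if port.state == "Forwarding":
            return elapsed
        port.tick(1)
    return None


if __name__ == "__main__":
    for role in ("root", "designated", "alternate"):
        print(f"{role}: forwards after {time_to_forward(role)} s")
```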


This figure shows the physical topology. The priority of SWA is 4096, the priority of SWB is 8192 and the priority of SWC is 32678. Therefore, SWA becomes the root bridge and SWB becomes the designated switch of LANC.


stp { enable | disable }

The stp command is used to enable or disable STP on a switch or on a port. By default, STP is enabled on the switch.

stp mode { stp | rstp | mstp }

The stp mode command is used to set the STP working mode on a switch. By default, the working mode of the switch is MSTP. RSTP and MSTP will be described in later courses. This course only describes STP.

stp priority priority

priority: specifies the priority of a switch. The value ranges from 0 to 61440, in steps of 4096. That is, 16 priority values are available for a switch, for example 0, 4096, 8192, and so on. The stp priority command is used to set the bridge priority. By default, the bridge priority is 32768.


In the global information, the root bridge identifier is different from the identifier of this switch. This indicates that this switch is a non-root switch.


The STP port information output indicates that:

The port state is Forwarding.

The port is the root port.

The default port priority is 128.

The identifier of the designated port of the network segment connected to this port is 0.4c1f-cc45-aacc, which identifies SWA.


When port roles and states change, temporary loops may be formed. In this example, SWA is the root bridge initially. Among all switches, only SWD has an alternate port, E0/2, and that port is in a non-Forwarding state. Assume that the priority of SWC is changed so that SWC becomes the new root switch. In this case, E0/2 of SWD will become the new root port and switch to a Forwarding state. E0/1 of SWD will become the new designated port and switch to a Forwarding state. E0/2 of SWB should become the new alternate port and switch to a non-Forwarding state. If E0/2 of SWD switches from a non-Forwarding state to a Forwarding state before E0/2 of SWB switches from a Forwarding state to a non-Forwarding state, a temporary loop is formed in the network. To avoid temporary loops, a port (for example, E0/1 of SWC) must wait long enough before switching from a non-Forwarding state to a Forwarding state. This gives the ports that need to switch to a non-Forwarding state enough time to calculate the spanning tree and switch to a non-Forwarding state.


In STP, the transition of a port from a blocking state to a forwarding state takes at least twice the Forward Delay, which is not suitable for many applications. RSTP (Rapid Spanning Tree Protocol) resolves this problem through the following mechanisms:

1. Allocating two additional port roles, an Alternate Port and a Backup Port, for the root port and designated port respectively, for fast state transition. When the root port becomes invalid, the Alternate Port becomes the new root port and switches to a forwarding state without delay; when the designated port becomes invalid, the Backup Port becomes the new designated port and switches to a forwarding state without delay.

2. On a point-to-point link connecting only two switch ports, following a one-way handshake with the downstream bridge, the designated port can change to a forwarding state without delay. If more than three bridges are connected by a shared link, the downstream bridge will not respond to the handshake request sent from the upstream designated port; only after two times the Forward Delay would it change to a forwarding state.

3. A port is defined as an Edge Port if it is connected directly to a terminal instead of to other bridges. The Edge Port can enter a forwarding state without any delay. However, it must be configured manually, since the bridge cannot identify whether the port is directly connected to a terminal or not.


In STP all VLANs in a LAN generally share the same spanning tree, so load balancing cannot be implemented between VLANs. It is also possible that packets of some VLANs cannot be forwarded at all. As this slide shows, both SWB and SWC connect to users of VLAN10 and VLAN20. The link between SWB and SWA and the link between SWA and SWC allow VLAN10 and VLAN20 to pass. Other links only allow VLAN10 to pass. If port E0/20 is blocked, the VLAN20 users of SWB can only use the link between SWB and SWC to communicate with SWC. However, this link only allows VLAN10 to pass, so communication fails.


In order to solve the second problem, MSTP (Multiple Spanning Tree Protocol) was put forward. MSTP is a newer protocol defined by IEEE under 802.1Q-2005 which introduces the concept of "Instances". Simply speaking, STP/RSTP is port based, while MSTP is instance based. An instance is a collection of multiple VLANs under a single converged spanning tree. By binding multiple VLANs into a single instance, communication cost and network resources can be saved. In MSTP, the topology calculation of every instance is independent, so load balancing can be implemented across instances. In use, multiple VLANs with the same topology can be mapped to the same instance.


How does STP converge to prevent switching loops in the network?

STP elects a root bridge, then elects a root port for each non-root switch and a designated port for each network segment. The ports that are neither the root port nor a designated port are set to Blocking state.

How does STP resolve the problem of temporary loops?

Before switching from a non-Forwarding state to a Forwarding state, a port needs to wait twice the forward delay period. This ensures that other switches have enough time to calculate the spanning tree.


In this example:

There is only one router, RTA, in the LAN, which is used as the gateway by all the PCs, so no redundancy is provided. Should RTA fail, all PCs in the network will be unable to reach external networks. In other words, there is a single point of failure within this kind of network, resulting in a high chance of isolation from external networks.


VRRP is designed to provide a virtual router on a LAN. In this case:

There are two routers (RTA and RTB) on this LAN. RTA has physical IP address 10.1.1.251/24 and RTB has physical IP address 10.1.1.252/24. RTA and RTB are configured to be associated with the same Virtual Router. This Virtual Router has the virtual IP address 10.1.1.254. All the PCs on this LAN can use the virtual IP address 10.1.1.254 as the default gateway, regardless of the physical IP addresses of the two routers. VRRP elects one router from the VRRP routers as the Master, and the Master processes all the packets sent to the virtual IP address. If the Master fails, VRRP elects a new Master from the other VRRP routers.


A Virtual Router is identified by both its Virtual Router ID and the associated Virtual IP Address. Multiple Virtual Routers can be configured on the same interface. A Virtual Router ID (VRID) is the identifier of a Virtual Router; it is a configurable item in the range 1-255 (decimal). The Virtual Router IDs configured on all the VRRP routers of the same virtual group must be the same. A Virtual Router can be associated with more than one Virtual IP Address. However, the Virtual IP Addresses configured for the VRRP routers of the same Virtual Router should be the same. VRRP routers with the same VRID but different virtual IP addresses, or conversely with the same IP address but different VRIDs, are regarded by VRRP as different Virtual Routers.


By default, ICMP Echo messages sent to the Virtual IP address are not responded to, even by the Master router. On the Master router, under system view, the following commands can be used to enable or disable the function by which ICMP Echo messages sent to the Virtual IP address are responded to:

vrrp virtual ip ping enable

undo vrrp virtual ip ping enable


Master: The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and answering ARP requests for these IP addresses.

Backup: The set of VRRP routers available to assume forwarding responsibility for a virtual router if the current Master fails.

The election of the Master is based on the value of Priority. On the same interface, different Priority values can be assigned to different associated virtual routers.


Config Priority: The configured Priority; the default value is 100.

Run Priority: The Priority used when the protocol is running; usually it is the same as the Config Priority. The Priority is in the range 0-255. The value 255 is reserved for the IP address owner, and a VRRP packet with Priority 0 is used to trigger an immediate changeover from Backup to Master.

In this case, the priority of RTA is 100, which is lower than the priority 200 of RTB, so RTB will be the Master while RTA is the Backup.


In this case:

There is a VRRP router that has the virtual router's IP address(es) as real interface address(es). Such a router is called the IP Address Owner.


No matter what the Config Priority is, the Run Priority of the IP address owner is always 255, so the IP address owner is always the Master. Although the configured priority value of RTB is higher than that of RTA, RTB is still the Backup, since its Run Priority is lower than that of RTA. Hence, when it comes to the election of the Master, the deciding factor is the value of the Run Priority instead of the Config Priority.


When the Master stops running VRRP, it immediately sends a VRRP advertisement with the value 0 in the Priority field. When a Backup receives such an advertisement, it changes from the Backup state to the Master state immediately.


In this case:

There are two routers in this LAN, RTA and RTB. A single Virtual Router is to be configured, with VRID 1 and Virtual IP Address 10.1.1.254. The Priority of RTB is to be configured as 200 and that of RTA as 100, so as to make RTB the Master.


VRRP is configured under the interface view.

vrrp vrid virtual-router-ID virtual-ip virtual-address

undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]

virtual-router-ID: the identifier of the Virtual Router, in the range 1-255.

virtual-address: the Virtual IP address.

By default, if the Priority of the virtual router is not specified, the default value is 100.


The VRID and Virtual IP Address should be the same as those configured on RTA.

vrrp vrid virtual-router-ID priority priority-value

undo vrrp vrid virtual-router-ID priority

virtual-router-ID: the identifier of the Virtual Router, in the range 1-255.

priority-value: the value of Priority, with a configurable range from 1 to 254.

When configuring the priority, the VRID must be specified. Different virtual routers can be configured with different priority values.


In this case:

There are two routers in the LAN. Two Virtual Routers are to be configured: one with VRID 1 and Virtual IP Address 10.1.1.100, the other with VRID 2 and Virtual IP Address 10.1.1.200. The Priority of Virtual Router 1 is configured as 200 on RTA and 100 on RTB, so that in Virtual Router 1, RTA is the Master. The Priority of Virtual Router 2 is configured as 200 on RTB and 100 on RTA, so that in Virtual Router 2, RTB is the Master.

Hence, RTA is the Master of Virtual Router 1 and the Backup of Virtual Router 2; RTB is the Master of Virtual Router 2 and the Backup of Virtual Router 1. In the LAN, PCs can use different Virtual IP addresses as the default gateway, so as to implement traffic sharing.


On RTA, configure two Virtual Routers as follows:

Virtual Router 1: Virtual IP address 10.1.1.100, Priority 200;

Virtual Router 2: Virtual IP address 10.1.1.200, Priority 100 (default).


On RTB, configure two Virtual Routers as follows:

Virtual Router 1: Virtual IP address 10.1.1.100, Priority 100 (default);

Virtual Router 2: Virtual IP address 10.1.1.200, Priority 200.


VRRP can track upstream interfaces. In this case:

RTB is the Master router. If interface Ethernet 1/0 (the WAN interface) of RTB goes down, we want RTA to become the new Master immediately. VRP supports this function by configuring RTB so that the Virtual Router tracks interface Ethernet 1/0. If interface Ethernet 1/0 goes down, the Priority of the Virtual Router is reduced by a configured value to a new value lower than that of RTA. Hence, RTA automatically becomes the new Master router. If interface E1/0 of RTB recovers and works properly, the priority of RTB returns to its original value, and RTB becomes the Master again.


The configuration of RTA is the same as the configuration for a single Virtual Router. By default, the Priority is 100.


By configuring the Priority as 200, RTB is the Master. Tracking of interface Ethernet 1/0 is configured on RTB. If interface Ethernet 1/0 goes down, the Priority is reduced by 150, and the new Priority is 50. Hence, RTA becomes the new Master.


This is the VRRP state when the tracked interface is down. On RTB, although the Configured Priority is 200, the Running Priority is reduced to 50. Hence, RTA becomes the Master.
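The Run Priority rules from the Priority, IP Address Owner, priority-0 advertisement and interface tracking slides, together with the two-Virtual-Router case, can be combined in one added model (example code, not Huawei VRP code). Router names, addresses, VRIDs, priorities and the reduction of 150 are taken from the slides. Two points are assumptions not stated on the slides: when Run Priorities tie, the router with the higher interface address wins (the RFC 3768 rule), and a tracking reduction is floored at 1 here because 0 is reserved for the shutdown advertisement.

```python
"""Added VRRP election model (example code, not Huawei VRP code).  Names,
addresses, VRIDs and priorities follow the RTA/RTB scenarios on the slides.
Assumptions: ties on Run Priority go to the higher interface address
(RFC 3768), and a tracking reduction never takes the priority below 1."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class VrrpRouter:
    name: str
    address: str                    # physical interface address
    config_priority: dict           # vrid -> Config Priority (default 100)
    owned_vips: set = field(default_factory=set)      # virtual IPs that are real interface addresses
    tracked_down: bool = False      # the tracked upstream interface is down
    track_reduce: dict = field(default_factory=dict)  # vrid -> reduction while tracked_down

    def run_priority(self, vrid, vip):
        """Run Priority as the slides define it: always 255 for the IP address
        owner, otherwise the Config Priority minus the tracking reduction while
        the tracked interface is down (floor of 1 is an assumption here)."""
        if vip in self.owned_vips:
            return 255
        prio = self.config_priority.get(vrid, 100)
        if self.tracked_down:
            prio = max(prio - self.track_reduce.get(vrid, 0), 1)
        return prio


def elect_master(routers, vrid, vip):
    """Highest Run Priority wins; equal priorities fall back to the higher
    interface address (RFC 3768 tie-break, assumed, not on the slides)."""
    return max(routers, key=lambda r: (r.run_priority(vrid, vip),
                                       int(ip_address(r.address)))).name


def backup_on_advertisement(advert):
    """Backup behaviour on a received advertisement: Priority 0 means the
    Master has stopped running VRRP, so the Backup becomes Master at once."""
    return "Master" if advert["priority"] == 0 else "Backup"


def dual_vrid_scenario():
    """The two-Virtual-Router case from the slides (RTA masters VRID 1, RTB
    masters VRID 2), followed by RTB's tracked WAN interface going down and
    its VRID 2 priority being reduced by 150 (200 -> 50).
    Returns (masters before, masters after, RTB's reduced Run Priority)."""
    rta = VrrpRouter("RTA", "10.1.1.251", {1: 200, 2: 100})
    rtb = VrrpRouter("RTB", "10.1.1.252", {1: 100, 2: 200}, track_reduce={2: 150})
    vips = {1: "10.1.1.100", 2: "10.1.1.200"}
    before = {vrid: elect_master([rta, rtb], vrid, vip) for vrid, vip in vips.items()}
    rtb.tracked_down = True
    after = {vrid: elect_master([rta, rtb], vrid, vip) for vrid, vip in vips.items()}
    return before, after, rtb.run_priority(2, vips[2])


if __name__ == "__main__":
    before, after, reduced = dual_vrid_scenario()
    print("masters with WAN up:  ", before)
    print("masters with WAN down:", after, "(RTB run priority", reduced, ")")
```

The model separates Config Priority from Run Priority deliberately: the election only ever looks at `run_priority()`, which is why an IP address owner with the default Config Priority of 100 still beats a peer configured with 200, exactly as the IP Address Owner slide describes.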


This chapter covers the following points:

1. Why is VRRP needed?

Because a single gateway cannot provide any redundancy, it has very poor availability.

2. What is VRRP?

The result of running VRRP is to provide a virtual router in the LAN.

3. How can a virtual router be identified?

It can be identified by the VRID and the associated Virtual IP address(es).

4. How is the Master elected?

The election of the Master is based on the Priority of the Virtual Router.

5. What are the priority values?

A Priority value of 255 indicates that the current router is the Virtual IP address owner. A Priority value of 0 indicates that the device has stopped taking part in the backup group.

6. How is a single Virtual Router configured?

By configuring a Virtual Router, a Virtual IP address and the value of Priority.

7. How are multiple Virtual Routers configured?

By configuring multiple Virtual Routers. For different Virtual Routers, different routers are made the Master through proper configuration of the Priority values.

8. How does the tracking of an up-link interface support VRRP operation?

By configuring the VRRP router so that the priority value changes along with the state of a tracked interface should it fail.


HDLC, drafted by the ISO, is a bit-based communication protocol. The basic unit transmitted by HDLC is the frame. Its most outstanding feature is that the data need not be drawn from a specified character set: any bit stream can be transmitted transparently.

In the 1970s, IBM put forward the bit-oriented Synchronous Data Link Control (SDLC). Then ANSI and ISO adopted and developed SDLC, and also put forward their own standards: the Advanced Data Communication Control Procedure (ADCCP) of ANSI and HDLC of ISO.

As a bit-based protocol, HDLC has the following features:

1. The protocol is independent of any character set.

2. Packets can be transmitted transparently. The "0-bit insertion method" for transparent transmission can be implemented in hardware.

3. Full-duplex communication can be implemented. Data can be transmitted continuously without waiting, so data transmission on the link is highly efficient.

4. All frames carry a CRC check, and frames are numbered, so no frame is lost or received twice. Transmission reliability is high.

5. Transmission control is separated from processing, which makes HDLC flexible and controllable.

All of the protocols in the standard HDLC protocol suite run on synchronous serial lines.


An HDLC frame consists of the flag field (F), the address field (A), the control field (C), the information field (I), and the sequence number field (FCS).

Flag field (F)

The flag field has the format 01111110. The two flag fields indicate the start and the end of a frame. The flag field can also be used as the filling character between frames.

Address field (A)

The address field carries the address information.

Control field (C)

The control field forms the commands and the responses used to monitor and control the link. The main node or the combination node of the sender uses the control field to request the slave node or the combination node to perform the specified operation. The slave node uses this field to respond to the commands and report the completed operations or the change of status.

Information field (I)

The information field can be any binary bit string. The length of the string is not limited in principle; the upper limit of the string length depends on the FCS field or the buffer capacity of the communication node. The commonly used length is 1000-2000 bytes. The lower limit can be 0, namely no information field. The supervisory frame, however, cannot have an information field.

Sequence number field (FCS)

The FCS field contains 16 bits. It is used to verify the entire frame between the two flag fields.


HDLC frames are classified into the information frame (I frame), the supervisory frame (S frame), and the unnumbered frame (U frame).

Information frame (I frame)

The I frame transmits the valid information or data.

Supervisory frame (S frame)

The S frame controls errors and traffic. If the first two bits of the control field in a frame are "10", it is an S frame. The S frame does not contain an information field; it contains only 6 bytes, namely 48 bits.

Unnumbered frame (U frame)

The U frame is used to establish, release, and control the link.
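An added frame builder and parser (example code, not from the course) that exercises the field layout and the three frame types above, including the 0-bit insertion mentioned earlier. It assumes the 16-bit FCS is the CRC-CCITT variant used by ISO/IEC 13239 and PPP (RFC 1662), transmitted low octet first, and that octets go on the line least significant bit first, so the slide's "first two bits 10" of an S frame are the two low-order bits of the control octet; the address 0x01 and the payloads are constructed.

```python
"""Added HDLC frame builder/parser (example code, not from the course).
Assumptions: FCS = 16-bit CRC-CCITT as in ISO/IEC 13239 / RFC 1662
(reflected polynomial 0x8408, initial 0xFFFF, final complement), sent low
octet first; octets are sent LSB first; address 0x01 and payloads are
constructed."""

FLAG = 0x7E  # 01111110, opens and closes every frame


def fcs16(data: bytes) -> int:
    """16-bit frame check sequence over the address, control and information fields."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def to_bits(data: bytes):
    # each octet goes on the line least significant bit first
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def from_bits(bits) -> bytes:
    if len(bits) % 8:
        raise ValueError("frame is not a whole number of octets")
    return bytes(sum(bit << i for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


def stuff(bits):
    """0-bit insertion: after five consecutive 1s insert a 0, so the payload
    can never contain the flag pattern (transparent transmission)."""
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            out.append(0)
            ones = 0
    return out


def unstuff(bits):
    """Inverse of stuff(); a 1 after five 1s can only be a flag or an abort."""
    out, ones, i = [], 0, 0
    while i < len(bits):
        bit = bits[i]
        out.append(bit)
        ones = ones + 1 if bit else 0
        if ones == 5:
            i += 1                      # skip the inserted 0
            if i < len(bits) and bits[i] != 0:
                raise ValueError("flag or abort sequence inside frame")
            ones = 0
        i += 1
    return out


def frame_type(control: int) -> str:
    """First transmitted bit 0 -> I frame; then '10' -> S frame, '11' -> U frame."""
    if control & 0x01 == 0:
        return "I"
    return "S" if control & 0x02 == 0 else "U"


def build_frame(address: int, control: int, info: bytes = b"") -> list:
    body = bytes([address, control]) + info
    fcs = fcs16(body)
    body += bytes([fcs & 0xFF, fcs >> 8])           # FCS, low octet first
    return to_bits(bytes([FLAG])) + stuff(to_bits(body)) + to_bits(bytes([FLAG]))


def parse_frame(bits: list) -> dict:
    flag = to_bits(bytes([FLAG]))
    if bits[:8] != flag or bits[-8:] != flag:
        raise ValueError("missing opening or closing flag")
    body = from_bits(unstuff(bits[8:-8]))
    if len(body) < 4:
        raise ValueError("frame too short for A, C and FCS")
    if fcs16(body[:-2]) != int.from_bytes(body[-2:], "little"):
        raise ValueError("FCS mismatch")
    return {"address": body[0], "control": body[1],
            "type": frame_type(body[1]), "info": body[2:-2],
            "octets": len(body) + 2}                # including both flags


def frame_ok(bits) -> bool:
    """True when the frame has valid flags, stuffing and FCS."""
    try:
        parse_frame(bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = build_frame(0x01, 0x00, b"hello")       # constructed I frame
    print(parse_frame(frame))
    print(parse_frame(build_frame(0x01, 0x01)))     # RR supervisory frame, 6 octets
```

The parser rejects a corrupted frame either at the de-stuffing stage (six 1s in a row can only be a flag or abort) or at the FCS check, which is the behaviour a receiver relies on for the "no frame is received corrupted" property described earlier.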


The HDLC configuration on a serial link is simple. The user only needs to configure HDLC in the interface view, and then configure the IP address. The link-protocol hdlc command sets the link-layer encapsulation protocol on the interface to HDLC.

NOTE: The encapsulation modes on the two interfaces of the communicating nodes must be the same. The default encapsulation protocol on the serial interface of VRP-based routers is PPP. When VRP-based routers are interconnected with devices of other vendors, make sure that the encapsulation modes are the same.


After configuration is complete, the user can use ping to check whether the configuration is correct. If the two nodes can send and receive ping packets, the configuration is deemed successful; otherwise, check whether the configuration on the corresponding interfaces is accurate.


 As is shown in the figure above, RouterA and RouterB are connected through the serial

interface. HDLC runs on the interfaces. Interface S0/0/1 on Router A borrows the IP address

of the local loopback interface. The IP address of the loopback interface adopts the 32-bit

mask. The ip address unnumbered interface LoopBack 0 command configures interface

S0/0/1 to borrow the IP address of interface loopback 0. The ip route-static 10.1.1.0 24

Serial 0/0/1 command configures the static route. The egress of the static route to network

10.1.1.0 is Serial0/0/1. For the configuration of the static route, refer to the routing module.


The display ip interface brief command displays the IP addresses of the interfaces. In this example, you can see that Serial0/0/1 and LoopBack0 use the same IP address. If an interface is configured with an address already used by another interface without borrowing it, a message is displayed to warn of the IP address conflict. In this example, however, Serial0/0/1 borrows the IP address of LoopBack0, so there is no conflict.


Ping can be used to test the connectivity between the two routers. If the test succeeds, the router configuration is correct; otherwise, check whether the configurations of the corresponding interfaces match.


1. What is HDLC?

High-level Data Link Control (HDLC) is a bit-oriented link-layer protocol. The protocols of the HDLC suite run on synchronous serial links.

2. Which fields make up the HDLC frame structure?

An HDLC frame consists of the flag field (F), address field (A), control field (C), information field (I), and frame check sequence field (FCS).


PPP is placed in the data link layer of the TCP/IP stack. It is the most popular point-to-

point link layer protocol. PPP is used to encapsulate and transmit IP packets on the serial

link, ATM link, and SDH link.


PPP consists of three components: the datagram encapsulation method, the Link Control Protocol (LCP), and the Network Control Protocols (NCPs). The datagram encapsulation method defines how multi-protocol packets are encapsulated.

To adapt to various link types, PPP defines LCP. LCP tests the link environment (for example, whether a loop exists) and negotiates link parameters (for example, the maximum packet length and the type of authentication protocol). Unlike most other link-layer protocols, PPP provides authentication: the two ends of the link negotiate the authentication protocol to be used and then authenticate, and the session is established only after authentication succeeds. This feature lets ISPs use PPP to accept access from widely dispersed subscribers.

PPP defines a group of NCPs. Each NCP matches one network-layer protocol and negotiates that protocol's parameters, such as IP addresses. For example, IPCP negotiates IP control parameters, and IPXCP negotiates IPX control parameters.


The PPP data frame encapsulation differentiates the packets of the upper-layer protocols. The PPP encapsulation format contains only three fields.

Protocol: This field contains two bytes. It identifies the type of protocol encapsulated in the PPP frame, for example, IP (0x0021), LCP (0xC021), or an NCP such as IPCP (0x8021). The common values are shown in the above figure.

Information: This field contains the data encapsulated in PPP, for example, LCP data, NCP data, and network-layer packets. The length of this field is variable.

Padding: This field is used to pad the Information field.

The total length of the Padding and Information fields is limited by the maximum receive unit (MRU) of PPP. The default MRU is 1500 bytes. If the Information field is shorter than the MRU, PPP may fill the Padding field up to the MRU to make transmission convenient, but padding is not mandatory. That is, the Padding field is optional.


PPP frames cannot be transmitted directly on the link. Additional encapsulation and control mechanisms must be used depending on the link type. PPP frames transmitted on a serial link use HDLC-like framing (RFC 1662).

Flag: marks the start and the end of the frame. The value is "01111110" (0x7E). A 0x7E byte occurring inside the frame is escaped with 0x7D so that it cannot be mistaken for a flag.

Address: the HDLC address field. Because PPP is a point-to-point protocol, it does not need an addressing mechanism, so this field is always all "1"s (0xFF), the all-stations address, which the receiver accepts.

Control: the HDLC control field. HDLC can use this field to transmit data and control frames in order. In PPP the value is always 0x03, which identifies an unnumbered information (UI) frame, that is, transmission without sequence numbers. This is a simple working mechanism.
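The framing described above, together with the I/S/U classification of the HDLC control field from the earlier HDLC pages, as an added example that is not code from the Huawei course: it builds a PPP frame in HDLC-like framing, verifies the 16-bit FCS of RFC 1662 and handles the 0x7E/0x7D byte stuffing. The LCP payload is a constructed sample (it deliberately contains 0x7E and 0x7D bytes to exercise the stuffing); the protocol-number table, the 0x8408 polynomial and the 0xF0B8 check value come from the RFCs, and the ACCM control-character escaping of RFC 1662 is omitted.

```python
import struct

FLAG, ESC, XOR_MASK = 0x7E, 0x7D, 0x20
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03          # all-ones address, UI control field
INIT_FCS16, GOOD_FCS16 = 0xFFFF, 0xF0B8        # RFC 1662 FCS constants

# Common PPP protocol numbers (RFC 1661 / RFC 1334 / RFC 1994)
PROTOCOLS = {0x0021: "IP", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def fcs16(data, fcs=INIT_FCS16):
    """RFC 1662 16-bit FCS: reflected CRC-16 with polynomial 0x8408, bit by bit."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def hdlc_frame_type(control):
    """Classify an HDLC control field. Bits go on the wire LSB first, so the
    'first' bits the course refers to are the low-order bits of the byte."""
    if control & 0x01 == 0:
        return "I"                                    # information frame: first bit 0
    return "S" if control & 0x03 == 0x01 else "U"     # "10" -> S frame, "11" -> U frame


def build_ppp_frame(protocol, info):
    """Address + control + protocol + info + complemented FCS, stuffed and flagged."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", protocol) + info
    fcs = fcs16(body) ^ 0xFFFF                        # ones-complement before sending
    body += bytes([fcs & 0xFF, fcs >> 8])             # least significant byte first
    stuffed = bytearray()
    for b in body:
        if b in (FLAG, ESC):                          # escape flag and escape bytes
            stuffed += bytes([ESC, b ^ XOR_MASK])
        else:
            stuffed.append(b)
    return bytes([FLAG]) + bytes(stuffed) + bytes([FLAG])


def parse_ppp_frame(frame):
    """Unstuff, verify the FCS over everything between the flags, split the fields."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by 0x7E flags")
    raw, i = bytearray(), 1
    while i < len(frame) - 1:
        b = frame[i]
        if b == ESC:
            i += 1
            if i >= len(frame) - 1:
                raise ValueError("truncated escape sequence")
            b = frame[i] ^ XOR_MASK
        raw.append(b)
        i += 1
    if len(raw) < 6:                                  # address + control + protocol + FCS
        raise ValueError("frame too short")
    control = raw[1]
    protocol = struct.unpack("!H", raw[2:4])[0]
    return {
        "fcs_ok": fcs16(raw) == GOOD_FCS16,           # residue check from RFC 1662
        "address": raw[0],
        "control": control,
        "frame_type": hdlc_frame_type(control),
        "protocol": protocol,
        "protocol_name": PROTOCOLS.get(protocol, "unknown"),
        "info": bytes(raw[4:-2]),
    }


# Constructed sample: an LCP Configure-Request (code 1, id 1, length 14) carrying
# MRU 1500 and a magic number that deliberately contains 0x7E and 0x7D bytes.
SAMPLE_LCP = bytes.fromhex("0101000e010405dc05067e7d1234")

if __name__ == "__main__":
    frame = build_ppp_frame(0xC021, SAMPLE_LCP)
    print(frame.hex())
    print(parse_ppp_frame(frame))
```

A frame whose FCS does not verify to 0xF0B8 is reported rather than raised, so a caller can count bad frames the way an interface counter would; the 0x03 control byte classifies as a U frame, which is exactly the "unnumbered" mode the text describes.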


The basic configuration of PPP on a serial link is simple: configure PPP encapsulation in the interface view, then configure the IP address. The link-protocol ppp command sets the link-layer protocol of the interface to PPP.


This table lists the four types of LCP packets used to negotiate link-layer parameters.

Configure-Request: The first packet in the link-layer negotiation process, indicating the beginning of link-layer parameter negotiation between the two ends.

Configure-Ack: After receiving the Configure-Request packet sent by the peer, if all the negotiated parameter values are acceptable, this packet is sent as the acknowledgement.

Configure-Nak: After receiving the Configure-Request packet sent by the peer, if some parameter values are recognized but not acceptable, this packet is sent in reply, carrying the locally acceptable values of those parameters.

Configure-Reject: After receiving the Configure-Request packet sent by the peer, if some parameters cannot be recognized at all, this packet is sent in reply, carrying the unrecognized parameters.


As shown in the figure above, RTA and RTB are connected through a serial link and run PPP. When the physical link is up, RTA and RTB negotiate the link parameters through LCP. In this example, RTA sends a Configure-Request packet to RTB. The packet contains the link-layer parameters configured on RTA. After RTB receives the Configure-Request packet, it returns a Configure-Ack packet to RTA if it recognizes the parameters in the packet and the parameter values are acceptable.

If RTA does not receive the Configure-Ack packet, it re-sends the Configure-Request packet every three seconds. If RTA still does not receive a Configure-Ack packet after it has sent 10 Configure-Request packets, RTA considers RTB failed and stops sending Configure-Request packets.

NOTE: Completion of the above process only means that RTB considers the link parameters on RTA acceptable. RTB still needs to send its own Configure-Request packet to RTA so that RTA can check whether the parameters on RTB are acceptable; negotiation is carried out independently in each direction.


After RTB receives the Configure-Request packet sent by RTA, RTB checks the parameters contained in the packet. If RTB recognizes the link-layer parameters but finds that some or all of the parameter values cannot be accepted, RTB returns a Configure-Nak packet to RTA. The Configure-Nak packet contains only the unacceptable parameters, with their values (or value ranges) changed to values that RTB can accept.

After receiving the Configure-Nak packet, RTA modifies its parameter values according to the values in the packet and then re-sends a Configure-Request packet.

If the values still cannot be accepted after five such negotiation rounds, the parameters concerned are disabled and not negotiated further.


 After RTB receives the Configure-Request packet sent by RTA, RTB checks the parameters

contained in the packet. If RTB cannot identify some or any of the

link layer parameters in the packet, RTB returns a Configure-Reject packet to RTA. The

Configure-Reject packet contains only the unidentified parameters.

 After receiving the Configure-Reject packet, RTA re-sends a Configure-Request packet to RTB.

This packet does not contain the unidentified parameters.


On the VRP platform, the MRU is taken from the MTU configured on the interface. The widely used PPP authentication protocols are PAP and CHAP (described in the following chapters). The two ends of a PPP link can authenticate each other using different authentication protocols. The authenticated party, however, must support the authentication protocol requested by the peer, and the authentication information, such as the user name and password, must be configured correctly.

LCP uses the magic number to detect abnormal cases such as loops. A magic number is generated randomly, and the random mechanism must ensure that the two ends generate different magic numbers.

After one end receives a Configure-Request packet, it compares the magic number contained in the packet with its local magic number. If the two numbers are different, no loop is present on the link, and the receiver sends a Configure-Ack packet (provided that the other parameters are also agreed), indicating that the magic number is accepted. Packets sent later that carry a magic number use the negotiated one, and LCP does not generate new magic numbers any more.

If the magic number in the Configure-Request packet is the same as the local magic number, the receiver sends a Configure-Nak packet containing a new magic number. LCP then sends a new Configure-Request packet with a new magic number, regardless of whether the received Configure-Nak packet contained the same magic number or not. If a loop exists on the link, this process repeats continuously. If there is no loop, normal packet exchange resumes.
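The Configure-Request/Ack/Nak/Reject exchange described on the previous pages and the magic-number loop check above, as an added example that is not code from the Huawei course. Options are carried in the RFC 1661 type-length-value form (MRU is type 1, Authentication-Protocol type 3, Magic-Number type 5). The responder's policy (Nak an MRU larger than it can handle, Nak a PAP request when only CHAP is allowed, Reject an option type it does not implement, Nak a magic number equal to its own), the five-Nak give-up rule from the text, and the threshold at which a repeated magic-number collision is reported as a loop are assumptions made for the demonstration. IPCP, covered later in this module, reuses the same exchange for its IP-Address option.

```python
import secrets
import struct

# LCP option types from RFC 1661 and the Configure-* codes used on these pages
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5
CONF_ACK, CONF_NAK, CONF_REJ = 2, 3, 4
AUTH_PAP, AUTH_CHAP = 0xC023, 0xC223
CODE_NAMES = {CONF_ACK: "Configure-Ack", CONF_NAK: "Configure-Nak", CONF_REJ: "Configure-Reject"}


def encode_options(opts):
    """{type: value bytes} -> RFC 1661 option list (Type, Length, Data)."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in opts.items())


def decode_options(data):
    opts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed option length")
        opts[t] = data[i + 2:i + length]
        i += length
    return opts


def option_int(opts, t):
    """Big-endian integer value of option t."""
    return int.from_bytes(opts[t], "big")


class LinkLoop(Exception):
    """Raised when the magic number keeps colliding: the link feeds our packets back."""


class LcpPeer:
    KNOWN = {OPT_MRU, OPT_AUTH, OPT_MAGIC}

    def __init__(self, mru=1500, auth=None, max_peer_mru=1500,
                 accepted_auth=(AUTH_PAP, AUTH_CHAP), new_magic=None):
        self.mru, self.auth, self.max_peer_mru = mru, auth, max_peer_mru
        self.accepted_auth = set(accepted_auth)
        self.new_magic = new_magic or (lambda: secrets.randbits(32))  # random per RFC 1661
        self.magic = self.new_magic()

    def request(self):
        """Options this end puts in its own Configure-Request."""
        opts = {OPT_MRU: struct.pack("!H", self.mru), OPT_MAGIC: struct.pack("!I", self.magic)}
        if self.auth is not None:
            opts[OPT_AUTH] = struct.pack("!H", self.auth)
        return opts

    def handle_request(self, data):
        """Answer a peer's Configure-Request with (code, encoded options)."""
        opts = decode_options(data)
        unknown = {t: v for t, v in opts.items() if t not in self.KNOWN}
        if unknown:                                  # cannot identify -> Reject those
            return CONF_REJ, encode_options(unknown)
        nak = {}
        if OPT_MRU in opts and option_int(opts, OPT_MRU) > self.max_peer_mru:
            nak[OPT_MRU] = struct.pack("!H", self.max_peer_mru)
        if OPT_AUTH in opts and option_int(opts, OPT_AUTH) not in self.accepted_auth:
            nak[OPT_AUTH] = struct.pack("!H", min(self.accepted_auth))
        if OPT_MAGIC in opts and opts[OPT_MAGIC] == struct.pack("!I", self.magic):
            nak[OPT_MAGIC] = struct.pack("!I", self.new_magic())   # same magic: maybe a loop
        if nak:                                      # identified but unacceptable -> Nak
            return CONF_NAK, encode_options(nak)
        return CONF_ACK, data                        # everything acceptable -> Ack


def negotiate(requester, responder, opts=None, max_rounds=10, max_magic_naks=5):
    """Drive one direction of LCP negotiation; returns (agreed options, transcript)."""
    opts = dict(opts if opts is not None else requester.request())
    transcript, magic_naks, nak_counts = [], 0, {}
    for _ in range(max_rounds):
        code, reply = responder.handle_request(encode_options(opts))
        reply = decode_options(reply)
        transcript.append(CODE_NAMES[code])
        if code == CONF_ACK:
            return opts, transcript
        if code == CONF_REJ:                         # drop what the peer cannot identify
            for t in reply:
                opts.pop(t, None)
            continue
        for t, value in reply.items():               # Configure-Nak: adopt the peer's values
            if t == OPT_MAGIC:
                magic_naks += 1
                if magic_naks >= max_magic_naks:
                    raise LinkLoop("magic number collided %d times" % magic_naks)
                requester.magic = requester.new_magic()   # always send a fresh one
                opts[t] = struct.pack("!I", requester.magic)
            else:
                nak_counts[t] = nak_counts.get(t, 0) + 1
                if nak_counts[t] >= 5:               # give up on a parameter after five Naks
                    opts.pop(t)
                else:
                    opts[t] = value
    raise RuntimeError("negotiation did not converge")


def link_is_looped(peer):
    """True if the peer receives its own Configure-Requests back (looped link)."""
    try:
        negotiate(peer, peer)
        return False
    except LinkLoop:
        return True
```

Run negotiate(rta, rtb) and negotiate(rtb, rta) separately: each direction is acknowledged on its own, which is the point of the NOTE on the previous page. The loop case is modelled by handing a peer its own packets; it sees its own magic number every round and Naks forever, which is what the text says happens on a looped link.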


If authentication fails or the administrator closes the connection manually, LCP terminates the connection.

LCP terminates connections by using the Terminate-Request and Terminate-Ack packets. The Terminate-Request packet is used to ask the peer to close the connection. When one end receives a Terminate-Request packet, LCP must return a Terminate-Ack packet to confirm the closure of the connection.

If the sender does not receive the Terminate-Ack packet, it re-sends the Terminate-Request packet every three seconds. If the sender still fails to receive a Terminate-Ack packet after it has sent two request packets, it considers the peer failed and closes the connection.


After the connection is established, LCP detects the status of the link by using Echo-Request and Echo-Reply packets. After receiving an Echo-Request packet, the peer returns an Echo-Reply packet to show that the link is normal. On the VRP platform, an Echo-Request packet is sent every 10 seconds.


PAP is the Password Authentication Protocol. It authenticates the peer with a user name and password, which are sent in plain text.

The configuration of PAP has two steps:

1. Enable PAP authentication on the authenticator and create a PPP user.

2. Configure the user name and password for PAP authentication on the authenticated party.

local-user huawei password simple hello

This command creates a local user whose user name is huawei and whose password is hello. The keyword simple indicates that the password is stored in plain text in the configuration file. If the keyword is cipher, the password is stored in cipher text in the configuration file; prefer cipher so that the password cannot be read from a saved or displayed configuration.

local-user huawei service-type ppp

This command configures user huawei as a PPP user.

ppp authentication-mode pap

This command enables PAP authentication on the authenticator, that is, it requests the peer to use PAP authentication.

ppp pap local-user huawei password simple hello

This command configures the user name and password for PAP authentication on the authenticated party.


The PAP authentication process is simple. After LCP negotiation, the authenticator requests the peer to use PAP authentication. The peer sends the user name and password in plain text to the authenticator in an Authenticate-Request packet. In this example, the user name is huawei and the password is hello.

After receiving the user name and password, the authenticator checks them against its local database. If they are correct, it returns an Authenticate-Ack packet; otherwise, it returns an Authenticate-Nak packet, indicating that authentication failed. Because the password crosses the link in plain text, anyone who can capture the frames on the link can read it.


CHAP is the Challenge Handshake Authentication Protocol. It is an authentication method that never sends the password itself: the peer sends an MD5 digest computed over the password and a random challenge. Compared with PAP, CHAP is more secure.

local-user huawei password cipher hello

This command creates a local user whose user name is huawei and whose password is hello. The keyword cipher indicates that the password is shown in cipher text in the configuration file. The authenticator must still be able to recover the password, because it needs the clear password to recompute the CHAP digest.

local-user huawei service-type ppp

This command configures user huawei as a PPP user.

ppp authentication-mode chap

This command enables CHAP authentication on the authenticator, that is, it requests the peer to use CHAP authentication.

ppp chap user huawei

This command configures the user name for CHAP authentication on the peer to huawei.

ppp chap password simple hello

This command configures the password for CHAP authentication on the peer to hello.


CHAP authentication consists of three exchanges. To match a request with its response, each packet carries an Identifier field, and all packets in one authentication process use the same identifier.

After LCP negotiation, the authenticator sends a Challenge packet to the peer. The packet contains the Identifier field and a randomly generated Challenge value. The same Identifier is used by the subsequent packets of this authentication process.

After the peer receives the Challenge packet, it computes a digest: MD5(Identifier + password + Challenge). That is, the string formed by concatenating the Identifier, the password, and the Challenge is hashed with MD5 to produce a 16-byte digest. The digest and the CHAP user name configured on the interface are encapsulated in a Response packet and sent back to the authenticator. In this example, the digest and user name huawei are sent to the authenticator.

After the authenticator receives the Response packet, it looks up the password stored for that user name in its local database and recomputes the digest over the Identifier, the stored password, and the Challenge it sent, using the same calculation as the peer. It then compares its digest with the one carried in the Response packet. If they match, authentication succeeds; otherwise, it fails.

As this process shows, CHAP sends a digest instead of the plain-text password, and the digest changes with every challenge, so security is greatly enhanced compared with PAP.
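The PAP exchange from the previous pages and the three-step CHAP exchange described above, as an added example that is not code from the Huawei course: both sides of each protocol are implemented, and a helper shows what a passive observer of the link can read in each case. The user database (huawei / hello) mirrors the local-user commands on this page; the packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP), the challenge length and the omission of the optional Name field in the Challenge packet are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# PAP codes (RFC 1334) and CHAP codes (RFC 1994)
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Authenticator's local user database (constructed, matching the course's example).
# CHAP needs the password in recoverable form: the authenticator recomputes the digest.
USERS = {"huawei": "hello"}


def pap_request(identifier, username, password):
    """Authenticate-Request: the name and the password travel in plain text."""
    name, pwd = username.encode(), password.encode()
    body = bytes([len(name)]) + name + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def pap_authenticate(packet):
    """Authenticator side: compare the received password with the stored one."""
    code, identifier, _length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQ:
        raise ValueError("not an Authenticate-Request")
    name_len = packet[4]
    username = packet[5:5 + name_len].decode()
    pwd_len = packet[5 + name_len]
    password = packet[6 + name_len:6 + name_len + pwd_len]
    stored = USERS.get(username, "").encode()
    ok = username in USERS and hmac.compare_digest(stored, password)
    reply = PAP_AUTH_ACK if ok else PAP_AUTH_NAK
    return struct.pack("!BBH", reply, identifier, 5) + b"\x00"   # empty Message field


def chap_digest(identifier, password, challenge):
    """MD5(Identifier + password + Challenge), the 16-byte digest the course describes."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def chap_challenge(identifier, challenge=None):
    """Authenticator -> peer: a fresh random challenge for every authentication."""
    challenge = os.urandom(16) if challenge is None else challenge
    return (struct.pack("!BBH", CHAP_CHALLENGE, identifier, 5 + len(challenge))
            + bytes([len(challenge)]) + challenge)


def chap_response(challenge_packet, username, password):
    """Peer -> authenticator: the digest and the CHAP user name, never the password."""
    _code, identifier, _length = struct.unpack("!BBH", challenge_packet[:4])
    size = challenge_packet[4]
    challenge = challenge_packet[5:5 + size]
    digest = chap_digest(identifier, password, challenge)
    name = username.encode()
    return (struct.pack("!BBH", CHAP_RESPONSE, identifier, 5 + len(digest) + len(name))
            + bytes([len(digest)]) + digest + name)


def chap_authenticate(challenge_packet, response_packet):
    """Authenticator side: recompute the digest with the stored password and compare."""
    _code, c_id, _length = struct.unpack("!BBH", challenge_packet[:4])
    challenge = challenge_packet[5:5 + challenge_packet[4]]
    r_code, r_id, _length = struct.unpack("!BBH", response_packet[:4])
    size = response_packet[4]
    digest = response_packet[5:5 + size]
    username = response_packet[5 + size:].decode()
    ok = (r_code == CHAP_RESPONSE and r_id == c_id and username in USERS
          and hmac.compare_digest(chap_digest(c_id, USERS[username], challenge), digest))
    return struct.pack("!BBH", CHAP_SUCCESS if ok else CHAP_FAILURE, c_id, 4)


def password_visible(packet, password):
    """What a passive observer of the link can read: does the password appear verbatim?"""
    return password.encode() in packet


if __name__ == "__main__":
    print("PAP leaks password:", password_visible(pap_request(1, "huawei", "hello"), "hello"))
    chal = chap_challenge(7)
    print("CHAP leaks password:", password_visible(chap_response(chal, "huawei", "hello"), "hello"))
```

The Identifier and the authenticator's own copy of the Challenge are what tie a Response to one authentication run: a captured Response replayed against a later Challenge fails, because the digest was computed over a different random value.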


PPP defines a group of NCPs. Each NCP matches one network-layer protocol and negotiates that protocol's parameters. For example, IPCP negotiates and controls IP parameters, and MPLSCP negotiates MPLS parameters. This course discusses only IPCP.


IPCP uses the same negotiation mechanism and packet types as LCP, but it is a separate protocol and does not invoke LCP. Its working procedure and packets are the same as those of LCP.

There are two IP address negotiation methods: static configuration and dynamic configuration.

As shown in the figure, the IP addresses on the two ends are 10.1.1.1/30 and 10.1.1.2/30. Both IP addresses are in network segment 10.1.1.0/30.

The negotiation process for statically configured IP addresses is as follows:

1. The two ends send Configure-Request packets, each containing the local IP address.

2. After receiving the Configure-Request packet, each end checks the IP address contained in it. If the IP address is a valid unicast IP address and is different from the one configured locally (no conflict), the peer can use this IP address and the local end returns a Configure-Ack packet.


As shown in the routing table, the IP address of the peer on the PPP link appears as a 32-bit host route. The reason is that the two ends of the PPP link learn the IP address of the peer through the information exchanged by IPCP.


As shown in the figure above, RTA asks the peer to allocate an IP address, and RTB uses static IP address 10.1.1.2/30. RTB enables the function of allocating an IP address to the peer, and allocates IP address 10.1.1.1 to RTA.

The process of dynamic IP address negotiation is as follows:

RTA sends a Configure-Request packet to RTB. The packet contains IP address 0.0.0.0, which indicates a request for an IP address to be allocated. After RTB receives the Configure-Request packet, it considers IP address 0.0.0.0 invalid and returns a Configure-Nak packet containing IP address 10.1.1.1. After RTA receives the Configure-Nak packet, it updates its local IP address and re-sends a Configure-Request packet containing IP address 10.1.1.1. When RTB receives this Configure-Request packet, it considers the IP address valid and returns a Configure-Ack packet.

At the same time, RTB sends a Configure-Request packet to RTA, indicating that RTB requests to use IP address 10.1.1.2. If RTA considers the IP address valid, it returns a Configure-Ack packet.


The VRP platform supports IP address negotiation in PPP.

ip address ppp-negotiate

This command enables the function of requesting the peer to allocate an IP address.

remote address 10.1.1.1

This command enables the function of allocating an IP address to the peer. In this example, IP address 10.1.1.1 is allocated to the peer.

Note: The IP address obtained through negotiation is a 32-bit host address. No route for the corresponding network segment is generated in the routing table.


What are the components of PPP?

PPP has three components: the datagram encapsulation method, LCP, and NCP.

Which packets are used to negotiate link parameters in LCP?

Configure-Request: The first packet in the link-layer negotiation process, indicating the beginning of link-layer parameter negotiation between the two ends.

Configure-Ack: After receiving the Configure-Request packet sent by the peer, if the negotiated parameter values are acceptable, this packet is sent in response.

Configure-Nak: After receiving the Configure-Request packet sent by the peer, if the negotiated parameter values are not acceptable, this packet is sent in response, carrying the locally acceptable values.

Configure-Reject: After receiving the Configure-Request packet sent by the peer, if the negotiated parameters cannot be identified, this packet is sent in response, carrying the unidentified parameters.

How many packet exchanges are necessary for CHAP?

Three: Challenge, Response, and Success or Failure. The password itself is not sent; the Response carries an MD5 digest computed over the Identifier, the password, and the Challenge.

What do the main IPCP parameters negotiate?

IP addresses.


Frame Relay (FR) is a fast packet switching technology that transmits and switches data units in a simplified manner compared with X.25. FR is virtual-circuit based: data is transmitted over logical links rather than physical links, and multiple logical links can be multiplexed on one physical link. Bandwidth can therefore be multiplexed and dynamically allocated, which facilitates the transmission of data for multiple users at multiple rates and makes full use of network resources. As shown in the figure above, virtual circuits are used so that network resources are fully utilized. Frame Relay offers high throughput and low delay, and is well suited to services with bursty traffic.

FR simplifies the layer-3 functions of X.25; however, it does not support retransmission when an error occurs.


Frame Relay is found at the second layer of the OSI model. It is a simplified way to transmit and switch data units at the data link layer. FR implements the functions of the physical layer and the data link layer; functions such as flow control and error recovery are left to the intelligent end systems, so the protocol between nodes is simplified. FR can carry various routing protocols; their packets are encapsulated in the FR data frame, as shown in the figure above.


FR has the following features:

FR is used to transmit data services. Data is transmitted as frames. FR is a connection-oriented fast packet switching technology. FR transmits data over logical links rather than physical links. Multiple logical links can be multiplexed on one physical link, so bandwidth can be multiplexed and dynamically allocated.

The simplified X.25 protocol implements statistical multiplexing, transparent frame transmission, and error detection at the data link layer, but does not support retransmission. The FR protocol simplifies the layer-3 functions of X.25. It simplifies processing on network nodes and improves information processing efficiency. A two-layer structure consisting of the physical layer and the data link layer is adopted, and only the core subset of the data link layer is kept: mechanisms such as frame numbering, flow control, acknowledgement, and monitoring are not required. The cost of switches is reduced, network throughput is improved, and communication delay is reduced. The access rate of FR users is between 64 Kbit/s and 2 Mbit/s.

A mechanism is provided to manage bandwidth and prevent congestion. The user can fully use the reserved bandwidth, namely the committed information rate (CIR), and the user's burst data can occupy unreserved bandwidth. Thus network resources are fully used.

Like packet switching, FR adopts connection-oriented switching. It can provide SVC and PVC services. In current FR networks, only the PVC service is used.

Switching unit: the frame is longer than the packet. The maximum frame length is at least 1600 bytes, which is enough to encapsulate LAN data.


The figure above shows the FR network model. The model consists of the DTE and the FR switching fabric.

The FR switching fabric consists of a group of DCEs. The LANs at the two ends are interconnected through the FR network, and LAN data is transmitted through a PVC.

The terms related to the FR network are as follows:

Data Terminal Equipment (DTE): the user-side device.

Data Circuit-terminating Equipment (DCE): the switching equipment in the network, such as an FR switch. The DTE and the DCE are directly connected: the DTE is connected to a port on the switch. Multiple connections are set up between the switches, and links between the DTEs are established over them, as shown in the figure above.

Data Link Connection Identifier (DLCI): identifies a link on an interface. Every link on the FR network uses a DLCI. FR is a connection-oriented technology: before communication starts, a link must be established between the devices. The link between DTEs is called a virtual circuit. FR virtual circuits are classified into PVCs and SVCs; the PVC is the one widely used in FR.


A Frame Relay (FR) network provides data communication between user devices (such as routers and hosts).

According to their functions, FR devices and interfaces are divided into the following types:

•The user device is called Data Terminal Equipment (DTE). The interfaces on the DTE are called DTE interfaces.

•The device that provides access for the DTE is called Data Circuit-terminating Equipment (DCE). The interfaces on the DCE are called DCE interfaces. The interface between a DTE and a DCE is a User-to-Network Interface (UNI).

•The interfaces between FR switches are Network-to-Network Interfaces (NNIs). In practice, a DTE interface can be connected only to a DCE interface, and an NNI can be connected only to another NNI.


FR is a connection-oriented technology. Before communication starts, a link must be established between the devices. The link between DTEs is called a virtual circuit.

FR virtual circuits are classified into PVCs and SVCs. The PVC is widely used in FR.

Permanent Virtual Circuit (PVC): a fixed virtual circuit provided for users. Once established, it remains valid until the administrator deletes it manually. The PVC is used for frequent, stable data transmission between two ends.

Switched Virtual Circuit (SVC): a virtual circuit allocated automatically by protocol. After communication completes, the virtual circuit can be deleted by the local equipment or the switch. Bursty data is often transmitted through SVCs.


FR is a statistical multiplexing protocol: one physical link can provide multiple virtual links. Each virtual link is identified by a DLCI. The address field in the FR frame identifies the virtual link that the frame belongs to.

The DLCI applies to the local interface and to the peer interface directly connected to it; it is not used globally. That is, in the FR network, the same DLCI value on different physical interfaces may identify different virtual links. The user interface on an FR network supports up to 1024 virtual circuits. The DLCI values that can be used by users range from 16 to 1007. The virtual circuit is connection-oriented, so different local DLCIs are connected to different peer devices, and the local DLCI can be considered the "FR address" of the peer device. The FR network is a public facility, usually provided by the telecom service provider, although users can also build an FR network with private switches. Whichever method is used, the provider of the FR network allocates the DLCIs to the PVCs used by the users' routers. Some DLCI numbers have special functions; for example, DLCI 0 and DLCI 1023 are used only by the LMI protocol.

Address mapping in FR associates the protocol address of the peer device with the FR address (local DLCI) of that peer, so that the upper-layer protocol can reach the peer through its protocol address. FR is mainly used to carry IP. Before the device sends an IP packet, the DLCI matching the next-hop address must be known; the device finds it by searching the mapping table. Address mapping can be configured manually or maintained dynamically by protocol.
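The two ideas in the paragraphs above, the DLCI carried in the frame's address field and the per-interface mapping from a next-hop protocol address to a local DLCI, can be exercised with the following added example. It is not Huawei or VRP code and not part of the original module: it decodes and builds the standard two-byte Q.922 address field (DLCI, C/R, FECN, BECN, DE and EA bits), flags the LMI-only DLCIs 0 and 1023 and the user range 16 to 1007 named above, and resolves a next hop through a small mapping table. Interface and address values are constructed for the example.

```python
"""Added example: decode the 2-byte Q.922 Frame Relay address field and
resolve a next-hop IP to a local DLCI through a per-interface mapping table.
Not Huawei/VRP code; names and addresses are constructed for illustration."""

# DLCIs the module names as reserved for LMI, and the user-assignable range.
LMI_DLCIS = {0, 1023}
USER_DLCI_MIN, USER_DLCI_MAX = 16, 1007


def parse_address_field(frame: bytes) -> dict:
    """Decode the standard 2-byte address field at the start of an FR frame.

    Byte 0: DLCI bits 9..4 (6 bits) | C/R | EA = 0
    Byte 1: DLCI bits 3..0 (4 bits) | FECN | BECN | DE | EA = 1
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a 2-byte address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits do not describe a 2-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return {
        "dlci": dlci,
        "cr": (b0 >> 1) & 1,
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,
        "lmi": dlci in LMI_DLCIS,
        "user_range": USER_DLCI_MIN <= dlci <= USER_DLCI_MAX,
    }


def encode_address_field(dlci: int, fecn=0, becn=0, de=0, cr=0) -> bytes:
    """Build the 2-byte address field for a DLCI (10 bits, 0..1023)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (cr << 1)            # EA = 0 in the first byte
    b1 = ((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([b0, b1])


class FrInterface:
    """One logical FR interface with its own mapping table
    (peer protocol address -> local DLCI), as the module describes."""

    def __init__(self, name: str):
        self.name = name
        self.map = {}

    def add_map(self, peer_ip: str, dlci: int) -> None:
        if not USER_DLCI_MIN <= dlci <= USER_DLCI_MAX:
            raise ValueError(f"DLCI {dlci} is outside the user range 16-1007")
        self.map[peer_ip] = dlci

    def dlci_for_next_hop(self, next_hop_ip: str):
        """Return the local DLCI for a next hop, or None when no mapping
        exists (the packet cannot be encapsulated until one is learned)."""
        return self.map.get(next_hop_ip)


def demo() -> dict:
    """Constructed walk-through: map 10.1.1.2 to DLCI 200 on Serial0, build the
    address field for a frame to that next hop with DE set, then decode it."""
    s0 = FrInterface("Serial0")
    s0.add_map("10.1.1.2", 200)
    field = encode_address_field(s0.dlci_for_next_hop("10.1.1.2"), de=1)
    return parse_address_field(field)
```

The EA check matters in practice: a frame whose first byte has EA set is using an extended (3- or 4-byte) address format that this decoder does not handle, so it refuses rather than returning a wrong DLCI.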


Local Management Interface (LMI): monitors the status of the PVC. The system supports three kinds of LMI protocol: ITU-T Q.933 Annex A, ANSI T1.617 Annex D, and the nonstandard compatible protocol. The nonstandard compatible protocol is used for interconnecting a device with devices of other vendors.

LMI works as follows: the DTE sends a Status Enquiry packet at a fixed interval to query the status of the virtual circuits. When the DCE receives the packet, it sends a Status packet to notify the DTE of the status of all the virtual circuits on the current interface.

The PVC status of DTE-side devices depends on the DCE-side devices. The PVC status of DCE-side devices depends on the network. If two network devices are directly connected, the PVC status of the DCE-side device is set by the administrator.


The FR network can connect disparate networks. The network architecture may be full-meshed, partial-meshed, or star. In terms of cost the star structure is the best, as it limits the number of PVCs required: a central node is connected to the distributed nodes by multiple PVCs on one interface. This architecture suits a company whose headquarters needs to be connected to multiple branches. Its disadvantage is that the remote nodes can communicate only through the central node.

In the full-meshed structure, all nodes are interconnected through PVCs, and any two nodes can communicate directly without passing through other nodes. The reliability of such an architecture is high: if one PVC fails, the data can be transmitted through another. Its disadvantage is that a great number of PVCs are required, and adding one node to the network means adding many new PVCs.

In the partial-meshed structure, some nodes are connected directly. The default FR network architecture is non-broadcast multi-access (NBMA): although the nodes in the FR network can communicate with each other, the FR network does not support broadcasts. If a node receives routing information, it replicates the packet and sends a separate copy carrying the routing information to each of the other nodes.


Address mapping in FR associates the protocol address of the peer device with the local DLCI, so that frame relay can identify the PVC to use in order to reach a given destination.

It should be noted that the mapping table is kept per logical interface: each logical interface has its own mapping table. The key of the mapping table is the relationship between the peer protocol address and the local DLCI.


The Inverse ARP protocol resolves the network address of a peer over a virtual circuit, with support for both IP and IPX addressing. Once the protocol address of the peer is known, Inverse ARP locally generates a mapping (MAP) between the peer network address and the DLCI, so the address mapping need not be configured manually.

The process is as follows:

When a new virtual circuit is found (and the local interface is already configured with a protocol address), Inverse ARP sends an Inverse ARP request packet to the peer. The packet contains the local protocol address. When the peer receives the request, it obtains the sender's protocol address and generates a mapping. At the same time, it sends an Inverse ARP response packet, from which the requesting side generates the mapping locally.

It should be noted that:

1) If a static mapping has been configured manually, Inverse ARP does not send a request packet to the peer, regardless of whether the peer address in the static mapping is correct.

2) After receiving an Inverse ARP request packet, the receiver does not generate a dynamic mapping if it discovers that the peer protocol address is already present as a network address in the local mapping table.

3) A multiprotocol host responds only for the protocol address that matches the protocol address in the request packet.

4) A multiprotocol host requests mappings for all the protocol addresses on each interface.
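The exchange and the first two rules above can be modelled end to end. The following is an added example, not VRP code and not part of the original module: two nodes joined by one PVC (each end with its own local DLCI) run the request/reply exchange, a static mapping suppresses the request (rule 1), and an address already present in the local table is not learned again (rule 2). Node names, addresses and DLCIs are constructed for the example.

```python
"""Added example: a small model of the Inverse ARP exchange over a PVC,
including the rules that suppress sending a request or learning a mapping.
Not Huawei/VRP code; names, addresses and DLCIs are constructed."""


class FrNode:
    def __init__(self, name: str, ip: str):
        self.name = name
        self.ip = ip
        self.static = {}    # local DLCI -> peer ip configured by hand
        self.dynamic = {}   # local DLCI -> peer ip learned by Inverse ARP
        self.log = []

    def mapping_table(self) -> dict:
        table = dict(self.dynamic)
        table.update(self.static)       # static entries take precedence
        return table

    def configure_static_map(self, dlci: int, peer_ip: str) -> None:
        self.static[dlci] = peer_ip

    def on_new_vc(self, dlci: int, pvc) -> None:
        """Rule 1: no request is sent on a DLCI that already has a static map."""
        if dlci in self.static:
            self.log.append(f"{self.name}: DLCI {dlci} has static map, no InARP request")
            return
        self.log.append(f"{self.name}: InARP request on DLCI {dlci} carrying {self.ip}")
        pvc.deliver(self, {"type": "request", "sender_ip": self.ip})

    def receive(self, dlci: int, msg: dict, pvc) -> bool:
        learned = self._learn(dlci, msg["sender_ip"])
        if msg["type"] == "request":
            # Reply with our own address so the requester can build its mapping.
            pvc.deliver(self, {"type": "reply", "sender_ip": self.ip})
        return learned

    def _learn(self, dlci: int, peer_ip: str) -> bool:
        """Rule 2: no dynamic entry if the address is already in the local table."""
        if peer_ip in self.mapping_table().values():
            self.log.append(f"{self.name}: {peer_ip} already mapped, ignore")
            return False
        self.dynamic[dlci] = peer_ip
        self.log.append(f"{self.name}: learned {peer_ip} -> DLCI {dlci}")
        return True


class Pvc:
    """One PVC between two nodes; each end identifies it by its own local DLCI."""

    def __init__(self, a: FrNode, a_dlci: int, b: FrNode, b_dlci: int):
        self.ends = {a: (b, b_dlci), b: (a, a_dlci)}

    def deliver(self, sender: FrNode, msg: dict) -> None:
        peer, peer_dlci = self.ends[sender]
        peer.receive(peer_dlci, msg, self)


def run_scenario(static_on_a: bool = False):
    """RTA (10.1.1.1, DLCI 100) and RTB (10.1.1.2, DLCI 200) bring up one PVC.
    Returns both mapping tables and the combined event log."""
    a = FrNode("RTA", "10.1.1.1")
    b = FrNode("RTB", "10.1.1.2")
    pvc = Pvc(a, 100, b, 200)
    if static_on_a:
        a.configure_static_map(100, "10.1.1.2")
    a.on_new_vc(100, pvc)
    b.on_new_vc(200, pvc)
    return a.mapping_table(), b.mapping_table(), a.log + b.log
```

Running run_scenario() shows both tables filled after the first request/reply pair, and RTB's own request then hitting rule 2 on RTA; run_scenario(static_on_a=True) shows RTA sending no request at all while RTB still learns RTA's address from the reply to its own request.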


As shown in the figure above, Router A is connected to three routers, Router B, Router C and Router D, through interface S0. If three DLCIs are mapped to the three routers over S0, route update information received on S0 is not sent out through S0, because distance vector routing protocols implement split horizon: a router cannot forward a route update out of the interface on which it was received. As shown, Router B advertises routing information to Router A, and the split horizon mechanism leaves Router A unable to forward it to Router C and Router D through interface S0.

There are two ways to resolve this problem. One is to connect the neighboring nodes through multiple physical interfaces. This requires that the router have multiple physical interfaces, which increases cost. The other is to use sub-interfaces: a single physical interface is configured with multiple logical interfaces, and each sub-interface has its own network address and operates like an independent physical interface. It is also possible to disable split horizon, but doing so increases the possibility of routing loops.


The split horizon problem can be solved by configuring sub-interfaces. One physical interface can support multiple logical sub-interfaces, and each sub-interface can be connected to a peer router through one or more DLCIs over the FR network.

The logical sub-interfaces are defined on the serial link and are connected to the peer routers through one or more DLCIs. After a DLCI is configured on a sub-interface, the mapping between the address of the destination end and the DLCI should be generated.

As shown in the figure above, on the physical serial interface S0 of Router A, the DLCI on S0.1 is mapped to Router B, the DLCI on S0.2 is mapped to Router C, and the DLCI on S0.3 is mapped to Router D.

FR sub-interfaces are classified into two types:

Point-to-point sub-interface: connects to a single remote node. Each sub-interface is configured with one PVC. The peer can be found without a static address mapping, because the peer address is determined when the sub-interface is configured on the PVC.

Point-to-multipoint sub-interface: connects multiple remote nodes. One sub-interface is configured with multiple PVCs, and each PVC is mapped to the protocol address of the remote node it connects to, so that the PVC reaches the corresponding remote end. The address mapping must be configured manually or set up through Inverse ARP.

Before creating an FR sub-interface, the user should configure the interface to use FR as the link-layer protocol. The default sub-interface type is p2mp.
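To see why the sub-interface approach works, the split horizon behaviour of the preceding two pages can be simulated. The following added example is not VRP code and not part of the original module: a minimal distance-vector router remembers the interface each route arrived on and, with split horizon enabled, never re-advertises it out of that interface. The hub Router A is modelled once with a single multipoint interface S0 and once with point-to-point sub-interfaces S0.1, S0.2 and S0.3; the advertised prefix is constructed.

```python
"""Added example: split horizon on one multipoint FR interface versus
point-to-point sub-interfaces. Not Huawei/VRP code; the prefix and interface
names are constructed for illustration."""


class DvRouter:
    """Minimal distance-vector router: remembers the interface a route was
    learned on and, with split horizon, never sends it back out that way."""

    def __init__(self, name: str, interfaces, split_horizon: bool = True):
        self.name = name
        self.interfaces = list(interfaces)   # logical interfaces
        self.split_horizon = split_horizon
        self.routes = {}                     # prefix -> interface learned on

    def receive_update(self, iface: str, prefix: str) -> None:
        self.routes.setdefault(prefix, iface)

    def advertise(self) -> dict:
        """Map each interface to the prefixes the router will send on it."""
        out = {i: [] for i in self.interfaces}
        for prefix, learned_on in self.routes.items():
            for iface in self.interfaces:
                if self.split_horizon and iface == learned_on:
                    continue   # split horizon: not back out the same interface
                out[iface].append(prefix)
        return out


def hub_reach(sub_interfaces: bool, split_horizon: bool = True) -> set:
    """Router A is the hub; B, C and D are spokes over one physical serial port.
    Returns the set of spokes that receive B's route from A."""
    if sub_interfaces:
        # one point-to-point sub-interface (and DLCI) per spoke
        spokes_on = {"S0.1": ["B"], "S0.2": ["C"], "S0.3": ["D"]}
    else:
        # all three DLCIs mapped on the single physical interface
        spokes_on = {"S0": ["B", "C", "D"]}
    rta = DvRouter("A", spokes_on, split_horizon)
    iface_from_b = next(i for i, spokes in spokes_on.items() if "B" in spokes)
    rta.receive_update(iface_from_b, "192.168.2.0/24")   # constructed prefix
    reached = set()
    for iface, prefixes in rta.advertise().items():
        if prefixes:
            reached.update(spokes_on[iface])
    return reached
```

With a single interface the route reaches nobody; with sub-interfaces it reaches C and D but is not echoed back to B; with split horizon disabled it reaches all three, B included, which is exactly the echo that can feed a routing loop.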


RTA and RTB are connected by a serial link. The IP address planning is as shown in the figure above. The link-layer protocol is FR. The FR configuration in this example is similar to that of the preceding example; the difference is that the mapping between the interface network address and the FR address is generated by Inverse ARP. The fr inarp [ ip [ dlci-number ] ] command enables dynamic address mapping. In VRP, dynamic address mapping is enabled on FR interfaces by default, so this step is optional.


The display fr interface command displays information about the FR interfaces: their operation mode, physical status and protocol status.

The display interface Serial 0 command displays information about the interface, including its physical status and protocol status, IP address, link-layer encapsulation mode, and LMI type.


RTA and RTB are connected by a serial link. The IP address planning is as shown in the figure above. The link-layer protocol is FR.

The link-protocol fr command sets the link-layer encapsulation to FR. By default, the link-layer protocol is PPP. When FR encapsulation is configured, the encapsulation format is IETF by default.

ietf: the standard IETF encapsulation, which complies with RFC 1490. It is the default encapsulation format.

nonstandard: the encapsulation format of the nonstandard compatible protocol.

The fr interface-type command sets the FR interface type.

dte, dce, and nni: the three types of FR interface.

In FR, the two parties of a communication are at the user side and the network side respectively. The user-side party is called the DTE; the network-side party is called the DCE.

In the FR network, the interfaces between FR switches are NNI interfaces, and the corresponding interfaces adopt NNI mode. If a device is used for FR switching, its interfaces should work in NNI mode or DCE mode.

The fr dlci command configures a virtual circuit on the FR interface. The ip address 10.1.1.1 30 command configures the IP address of the interface.

The fr map ip command adds a static mapping between the peer protocol address and the local DLCI (the FR address). Its parameters:

ip-address: the IP address of the peer.

ip-mask: the subnet mask, in the format X.X.X.X, where X is an integer from 0 to 255.

dlci-number: the number of the local virtual circuit, ranging from 16 to 1007.


The display fr map-info command displays the mapping between the protocol address and the FR address.

In this example, RTA displays information showing that the address mapped to DLCI 200 is 10.1.1.2, the network address of RTB; DLCI 200 is thus the FR address of RTB. The local interface S0 on RTA works in DCE mode.


Use ping to check the FR configuration and the reachability of the peer interface.


In this example, the router functions as the FR switch. The PVC is configured manually.


fr dlci-switch in-dlci interface interface-type interface-number dlci out-dlci

undo fr dlci-switch in-dlci

Configuration view: FR interface view, MFR interface view

The fr dlci-switch command configures a static route for FR PVC switching. The undo fr dlci-switch command deletes a static route for FR PVC switching.

By default, no static route for FR PVC switching is configured.

Parameters:

in-dlci: the DLCI of the interface on which the packet is received. The value ranges from 16 to 1007.

interface-type: the type of the egress interface.

interface-number: the number of the egress interface, in the format slot number/card number/interface number.

out-dlci: the DLCI on the specified interface over which the packet is forwarded. The value ranges from 16 to 1007.


The configuration of RTC is similar to that of RTB.


The configuration of RTD is similar to that of RTA: the data link protocol, the interface type and the IP address need to be configured.


Use display fr dlci-switch to show the PVC state.

Active Serial0(100) Serial2(200)

Active Serial2(200) Serial0(100)

Active means that the PVC is OK.


Use display fr dlci-switch to show the PVC state.


Using the display fr map-info command, you can view the FR address mapping table.

[RTA]dis fr map-info

Map Statistics for interface Serial0 (DTE)

DLCI = 100, IP INARP 10.1.1.2, Serial0

create time = 2007/06/04 17:34:59, status = ACTIVE

encapsulation = ietf, vlink = 20, broadcast

The ACTIVE status confirms that the PVC is operational.

<RTA>ping 10.1.1.2

PING 10.1.1.2: 56 data bytes, press CTRL_C to break

Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=31 ms


The fr switch command enables the backup function for the PVCs of the switches.

fr switch name [ interface interface-type in-interface-number dlci in-dlci interface interface-type out-interface-number dlci out-dlci ]

name: the name of the PVC for FR switching, a string of 1 to 31 characters.

interface interface-type in-interface-number dlci in-dlci: the interface type, interface number and DLCI value on the ingress of the PVC. The value of dlci-number ranges from 16 to 1007.

interface interface-type out-interface-number dlci out-dlci: the interface type, interface number and DLCI value on the egress of the active or backup PVC. The value of dlci-number ranges from 16 to 1007.

It should be noted that:

The interface used for FR switching must be set to NNI or DCE mode; otherwise, the FR switching function cannot take effect. Before or after the static PVC route is configured, the user must run the fr switching command to enable FR switching.
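The fr dlci-switch parameters described a few pages back and the two conditions just stated (switching interfaces in DCE or NNI mode, and FR switching enabled) can be put together in one model of a router acting as an FR switch. The following is an added example, not VRP code and not part of the original module: it installs a static PVC route in both directions, refuses entries on a DTE interface or outside the 16 to 1007 range, forwards only while switching is enabled, and prints a table in the spirit of the display fr dlci-switch output shown earlier. The router and interface names are constructed; the Active status here is derived only from the switching flag, a simplification of the real PVC state.

```python
"""Added example: a model of static FR PVC switching on a router used as an
FR switch. Not Huawei/VRP code; router, interface and DLCI values are
constructed for illustration."""


class FrSwitch:
    def __init__(self, name: str):
        self.name = name
        self.iface_mode = {}     # interface -> "dte" | "dce" | "nni"
        self.switching = False   # models the global 'fr switching' enable
        self.table = {}          # (in_iface, in_dlci) -> (out_iface, out_dlci)

    def set_interface_type(self, iface: str, mode: str) -> None:
        if mode not in ("dte", "dce", "nni"):
            raise ValueError("interface type must be dte, dce or nni")
        self.iface_mode[iface] = mode

    def fr_switching(self, enable: bool = True) -> None:
        self.switching = enable

    def dlci_switch(self, in_iface: str, in_dlci: int,
                    out_iface: str, out_dlci: int) -> None:
        """Counterpart of 'fr dlci-switch in-dlci interface X dlci out-dlci':
        installs the entry in both directions, since a PVC is bidirectional."""
        for dlci in (in_dlci, out_dlci):
            if not 16 <= dlci <= 1007:
                raise ValueError(f"DLCI {dlci} is outside 16-1007")
        for iface in (in_iface, out_iface):
            if self.iface_mode.get(iface) not in ("dce", "nni"):
                raise ValueError(f"{iface} must be in DCE or NNI mode for FR switching")
        self.table[(in_iface, in_dlci)] = (out_iface, out_dlci)
        self.table[(out_iface, out_dlci)] = (in_iface, in_dlci)

    def forward(self, in_iface: str, in_dlci: int):
        """Return (out_iface, out_dlci) for a frame, or None if it is dropped."""
        if not self.switching:
            return None
        return self.table.get((in_iface, in_dlci))

    def display_switch_table(self) -> list:
        """One line per direction, in the style of the display output above."""
        status = "Active" if self.switching else "Inactive"
        return [f"{status} {i_if}({i_dlci}) {o_if}({o_dlci})"
                for (i_if, i_dlci), (o_if, o_dlci) in self.table.items()]


def build_rtb() -> FrSwitch:
    """Constructed RTB: DLCI 100 on Serial0 switched to DLCI 200 on Serial2."""
    rtb = FrSwitch("RTB")
    rtb.set_interface_type("Serial0", "dce")
    rtb.set_interface_type("Serial2", "dce")
    rtb.fr_switching()
    rtb.dlci_switch("Serial0", 100, "Serial2", 200)
    return rtb
```

A frame arriving on Serial0 with DLCI 100 leaves on Serial2 with DLCI 200 and vice versa; a DLCI with no entry is dropped, as is everything while switching is disabled.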


Use display fr switch-table all to show the PVC state.

[RTB]display fr switch-table all

Total PVC switch records:1

PVC-Name Status Interface(Dlci) <---> Interface(Dlci)

1 Active Serial0(100) Serial2(200)

The PVC is OK when its status is Active.

<RTA>ping 10.1.1.2

PING 10.1.1.2: 56 data bytes, press CTRL_C to break

Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=31 ms

Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=31 ms

--- 10.1.1.2 ping statistics ---

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 31/31/31 ms


Using the display fr pvc-info command, you can view the configuration and statistics of the FR PVCs:

If no parameter is specified, the basic FR configuration and statistics of all interfaces are displayed.

If an interface number is specified but no DLCI number, the basic FR configuration and statistics of the DLCIs on that interface are displayed. If both an interface number and a DLCI number are specified, the basic FR configuration and statistics of that DLCI on that interface are displayed. The FR QoS configuration and statistics are also displayed. From the input and output packet statistics, it is easy to tell whether the PVC is OK.


1. How many modes does the FR interface have?

Three: DTE, DCE, and NNI. In FR, the user side is called the DTE and the network-side party is called the DCE. In the FR network, the interfaces between FR switches are NNI interfaces, and the corresponding interfaces adopt NNI mode. If a device is used for FR switching, its interfaces should work in NNI mode or DCE mode.

2. What is the meaning of the FR DLCI?

The DLCI identifies the data link. All virtual circuits are identified by DLCIs. The DLCI applies to the local interface and the peer interface directly connected to it; it is not used globally. That is, in the FR network, the same DLCI value on different physical interfaces may identify different virtual links.

3. How is a virtual circuit established?

In the FR network, the DTEs are interconnected through virtual circuits. A virtual circuit can be set up in PVC or SVC mode; PVC mode is commonly adopted.


In a practical sense, a firewall acts as a separator and also an analyzer: it supervises all activity between an internal and an external network and helps assure that the security of the internal network is maintained.

The firewall can take the form of a series of hardware devices or of software supported within a given device.

The firewall can be divided into several parts, some of which implement other functions besides that of a firewall.

A firewall is the accumulation of hardware, software and control policies, where the control policy can be of two kinds:

1. Strict policy: highly secure, but may disrupt many services due to unreviewed policy restrictions.

2. Loose policy: gives users much freedom, but may leave many security holes in the network if good policy management has not been applied.

Commonly, firewalls adopt the more secure policy and assess additional permissions case by case when a policy restriction needs to be relinquished. This can take some effort, because a series of security review processes is usually needed to ensure that releasing a restriction does not expose the internal network to external threats.


With the development of firewall technology, firewall functions have become more and more diverse. Seen from the technology development aspect, the variations that have formed can be classified into three kinds: packet filtering, proxy and state detection. At present, the most popular type is the state detection firewall.


Packet filtering firewall:

Packet filtering technology uses predefined rules to filter packets. The firewall obtains the source IP address, destination IP address, source TCP/UDP port, destination TCP/UDP port and protocol number of a data packet, and compares part or all of this information with the rules to decide whether the packet may pass through the firewall. Rules are defined according to the features of the IP packet; the elements listed above can be used to define the conditions under which a packet is allowed through.

The packet filtering firewall is simple but lacks flexibility. In addition, it performs policy checking on every data packet, which affects the performance of the firewall.


Proxy firewall:

A proxy firewall acts as an intermediary node of service access: for a client node it represents the server, and for the server it represents the client. A proxy firewall provides high security, but the cost is also high. It is hard to develop a corresponding proxy service for every application, so a proxy firewall cannot support an abundance of services; it can only provide proxy service for some applications, such as HTTP.


State detection firewall:

State detection technology is an advanced communication filtering technology. State detection is used to detect application-layer protocol information and to supervise the protocol state of connection-oriented application-layer sessions. By tracking the state of TCP/UDP-based connections, the firewall can dynamically determine whether a packet may pass through. The firewall maintains a session item keyed on a five-element group (source/destination IP address, source/destination port number, protocol number); for each received data packet, the firewall matches it against the session items to determine whether it is legal or illegal.

As shown in the figure above, for Telnet access, when TCP completes the three-way handshake, the firewall creates a session item based on this five-element group. When a Telnet response packet for user A passes through the firewall, only the packet that matches the session item is permitted; Telnet response packets for other users are blocked. The session item changes as the TCP protocol state changes: before the three-way handshake completes, illegal packets cannot pass through the firewall, and after the Telnet session finishes, the session item is deleted immediately, so spurious illegal Telnet packets still cannot pass.

A session identifies a "complete connection", which is composed of five elements (source address, destination address, source port, destination port, protocol number). When the TCP three-way handshake completes, the firewall creates a complete session item, which is then used to supervise the state transitions of the session.
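The packet filtering firewall described three pages back and the state detection firewall described here differ in exactly one data structure, the session table, and the following added example puts the two side by side. It is not Eudemon or VRP code and not part of the original module: a first-match rule list plays the packet filter, and a stateful wrapper keyed on the five-tuple admits inbound packets only when they belong to a session opened from the inside and carried through the three-way handshake, removing the session at teardown. The Telnet walk-through uses constructed addresses (inside host 10.0.0.5, server 203.0.113.10, a second inside host 10.0.0.6 for the spoofed response) and a simplified model of TCP close.

```python
"""Added example: a stateless packet filter beside a stateful session table
keyed on the five-tuple. Not Eudemon/VRP code; addresses and ports are
constructed for illustration, and TCP teardown is simplified."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                       # "tcp" or "udp"
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}

    def five_tuple(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_tuple(self):
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Rule:
    """Stateless packet-filter rule; a None field matches anything."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, name)
                   for name, want in (("src", self.src), ("dst", self.dst),
                                      ("dport", self.dport), ("proto", self.proto)))


class PacketFilter:
    """First-match rule list with a default action: every packet is checked
    against the rules, with no memory of earlier packets."""

    def __init__(self, rules, default: str = "deny"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFirewall:
    """Session table keyed on the five-tuple as seen from the inside host.
    Inbound (outside -> inside) packets pass only when they match a session."""

    def __init__(self, pf: PacketFilter):
        self.pf = pf
        self.sessions = {}   # five-tuple -> TCP state

    def handle(self, p: Packet, inbound: bool) -> str:
        key = p.reverse_tuple() if inbound else p.five_tuple()
        state = self.sessions.get(key)
        if state is None:
            # Only an outbound SYN that the rules permit opens a session.
            if not inbound and p.flags == {"SYN"} and self.pf.decide(p) == "permit":
                self.sessions[key] = "SYN_SENT"
                return "permit"
            return "drop"
        if state == "SYN_SENT":
            if inbound and p.flags == {"SYN", "ACK"}:
                self.sessions[key] = "SYN_RCVD"
                return "permit"
            return "drop"        # nothing else passes before the handshake completes
        if state == "SYN_RCVD":
            if not inbound and p.flags == {"ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return "permit"
            return "drop"
        # ESTABLISHED or CLOSING: data from either side passes; the session is
        # removed once both sides have sent FIN (simplified TCP teardown).
        if "FIN" in p.flags:
            if state == "CLOSING":
                del self.sessions[key]
            else:
                self.sessions[key] = "CLOSING"
        return "permit"


def telnet_scenario() -> list:
    """Constructed Telnet exchange between inside host 10.0.0.5 and server
    203.0.113.10, returning the firewall's decision for each packet."""
    pf = PacketFilter([Rule("permit", src="10.0.0.5", dport=23, proto="tcp")])
    fw = StatefulFirewall(pf)

    def a_to_srv(*flags):
        return Packet("10.0.0.5", "203.0.113.10", 40000, 23, "tcp", frozenset(flags))

    def srv_to_a(*flags):
        return Packet("203.0.113.10", "10.0.0.5", 23, 40000, "tcp", frozenset(flags))

    spoofed = Packet("203.0.113.10", "10.0.0.6", 23, 40001, "tcp", frozenset({"ACK"}))
    return [
        fw.handle(a_to_srv("SYN"), inbound=False),         # permit: session created
        fw.handle(srv_to_a("SYN", "ACK"), inbound=True),   # permit: matches session
        fw.handle(a_to_srv("ACK"), inbound=False),         # permit: handshake done
        fw.handle(srv_to_a("ACK"), inbound=True),          # permit: Telnet data to A
        fw.handle(spoofed, inbound=True),                  # drop: no session for 10.0.0.6
        fw.handle(a_to_srv("FIN", "ACK"), inbound=False),  # permit: A closes
        fw.handle(srv_to_a("FIN", "ACK"), inbound=True),   # permit: server closes
        fw.handle(srv_to_a("ACK"), inbound=True),          # drop: session is gone
    ]
```

The rule list alone would have to permit all traffic from port 23 to let the server's responses in, which is what admits the spoofed packet in a pure packet filter; the session table admits only the response that matches a connection the inside host actually opened, and closes that window again as soon as the connection ends.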


As shown in the figure above, in a security system the firewall is analogous to a door: it can prevent people from entering, but it cannot prevent malicious attacks by people who have permission to enter the network or who are located inside it. An access control system can prevent people with low privilege from doing work that exceeds their authority, but it cannot prevent people with high privilege from acting maliciously, nor people with low privilege from obtaining high privilege through illegal behavior. An intrusion detection system (IDS) is a dedicated device that determines whether the system is safe according to data and behavior patterns; it is the second security door after the firewall. There is a classical comparison: the firewall corresponds to the security guard of a community, who checks everyone passing through the gate but cannot watch the people inside the community or those with a legal identity. The IDS can supervise the inside of the community.

An IDS is analogous to the security camera of a network: it can capture and record all the data. At the same time, it is an intelligent camera that can analyze and extract doubtful and abnormal network data, with the intelligence to see through disguised data and identify the actual content. An advanced IDS can automatically strike back, terminate the connection and close the path to stop illegal behavior.

There are other technologies in a security system besides those mentioned: identity authentication; ACL packet filtering; dedicated user system access; protection of special resource servers through hardening and installed immunity systems; discovery of system holes and patching through scanning software; transmission of encrypted data or use of VPN technology to guarantee security (often end to end); supervision of system operation through a security management center; and operational event logging and threat detection using alarms and threat response processes.


A firewall strictly manages access from external networks into the internal network; access from the internal network to the external network is relatively loose in comparison.

A firewall cannot periodically update its software the way antivirus software does, so the defense it provides against newly emerging security threats is sometimes not enough.

If the deep inspection function is configured, the firewall inspects part of the content of each data packet, which increases the forwarding delay and affects forwarding performance.

A firewall cannot inspect encrypted packets or other packets transmitted in VPN tunnels that pass through it.


The Eudemon series firewall is HUAWEI's firewall product series. According to the Eudemon system structure, there are three series of models: E100; E200; and E300/500/1000.

E100 is the earliest series of firewall. It has two fixed 100M Ethernet modules and two expansion slots.

E200 and E300/500/1000 are the more popular products, and performance increases in order of the series number. The E200 has one main control board with two Ethernet interfaces that are connected directly to the system bridge, which gives these two interfaces higher performance than the other interfaces. There are also two expansion slots, numbered slot 1 and slot 2 from left to right; the bottom layer is fitted with a blank panel reserved for future expansion.

E300/500/1000 also have one main control board. The two Ethernet interfaces on that board have low service performance, so they cannot be used as service interfaces, only as management interfaces. An NP board behind the main control board performs service forwarding. The device provides four service slots, numbered 1, 2, 3 and 4 from left to right. Slot 3 is a low-speed slot that supports only low-speed service boards; slots 1, 2 and 4 are high-speed slots for high-speed service boards. A high-speed board can only be fitted in a high-speed slot; a low-speed board can be fitted in either a low-speed or a high-speed slot.


Throughput

Usually, large packets of 1K to 1.5K bytes are used to measure the packet filtering performance of a firewall. In a real network most traffic consists of packets of around 200 bytes, so the performance of forwarding small packets must also be considered. ACL rules are also configured on a firewall, so its performance when a great number of rules have been defined must be considered as well.

Connection establishment rate per second

This is the number of complete TCP connections that can be established through the firewall every second. Firewall connections are dynamic: they are created according to the state of the communicating peers. Before a session can be established to exchange data packets, a connection must be established with the firewall. If the rate at which the firewall establishes connections is low, the client experiences a large communication delay. The larger this index, the higher the forwarding speed; when the firewall is attacked, the larger the index, the stronger the defense; and the larger the index, the stronger the state backup ability.

Concurrent connection number

This is the maximum number of connections that a firewall can support at one time; one connection is one TCP/IP access.

Note:

As shown in the figure above, some high-capability service boards cannot guarantee line-speed forwarding. For example, a 2G service board provides two 1G service interfaces, but the bandwidth of the backplane slot is only 1G, so if 2G throughput is needed it is suggested to choose two 1G boards.


Shown in the figure above is the hardware system structure of the Eudemon200. The blue pane is the processing board (RPU) of the firewall. On the RPU board there are two 10/100Base-TX interfaces connected directly to the system bridge; they use MAC forwarding on the main control board, so these two interfaces have higher performance than the other interfaces. The Eudemon200 adopts a dual PCI bus structure, with each bus connected to one of the two slots. This structure reduces collisions in packet forwarding and effectively improves forwarding performance.

The Eudemon200 processing board mainly performs protocol processing, low-speed packet forwarding, interface control, fault detection and so on; it is the core part of the product. The state of system components such as the fan, power supply and system working state is indicated by LEDs on the RPU board of the firewall, which can also report alarms relating to the fan, power supply and system temperature. The RPU board also supports a hardware reset button.


As illustrated in the figure above, the hardware system structure of the Eudemon500/1000 is built around the core structure of the Eudemon200, with an additional network processor board connected to the FPGA. The NPU board forwards in hardware, with a forwarding rate reaching 4.5 Mpps. Low-speed cards are inserted into the PCI slot; at present slot 3 is the low-speed card slot, so its performance is lower than that of the high-speed slots. The FE interfaces are the same as those on the main control board. High-speed cards are supported by the high-speed slots, namely slots 1, 2 and 4.

TCP and UDP headers are processed by the NP, which guarantees a new connection rate of more than 100,000 per second and ensures network security. Hardware-based ACLs ensure that performance is not affected when a large number of rules are configured.


Q: How many variations of firewall are there, and what features do they support?

A: Firewalls come in three variations: packet filtering, proxy and state detection. A packet filtering firewall uses rules defined in advance (source/destination IP address, source/destination TCP/IP port and protocol number) to filter packets. Proxy firewalls act as a middle node of service access: for a client node it represents the server, and for the server it represents the client. State detection is used to detect protocol information of the application layer and supervise the protocol state of connection-oriented application layer protocols. By detecting the state of TCP/UDP based connections, a firewall can dynamically determine whether a packet can pass through the firewall or not.

Q: Which models make up the Eudemon firewall series?

A: It includes the E100, E200, E300, E500 and E1000.


A zone is an important firewall security concept. Firewalls are generally located at the boundary of a network, which allows the different networks to be represented as separate zones. The firewall adds interfaces into zones and enables security detection between zones (called a security policy), which can be used to filter the data flowing between different zones. The common methods used for security detection include ACL based detection and application state detection.

The Eudemon firewall has four reserved security zones:

Untrusted zone: A low-level security zone, the security priority assigned is 5.

DMZ: A mid-level security zone, the security priority assigned is 50.

Trust zone: A high-level security zone, the security priority assigned is 85.

Local zone: The highest-level security zone, the security priority assigned is 100.

If necessary, users can configure new security zones and define their security priority. With the exception of the Local zone, before any other zone can be used it must be associated with firewall interfaces, which is achieved by adding an interface of the firewall into the security zone. An interface can be added into only one zone. The interface can be a physical or a logical interface. Adding an interface to a zone means that the network connected to the interface belongs to that zone; the interface itself belongs to the Local zone.

The association of security zones and networks should obey the following rules: internal networks should belong to a zone with a higher priority; external networks should belong to zones with a lower priority; a network that provides conditional services for external users should belong to the DMZ.

The purpose of defining security priority is to distinguish the direction of data flow amongst security zones, whether inbound or outbound.


When data flow is forwarded between security zones, the firewall security detection mechanisms spring into action, in particular the security policy of the firewall implemented between zones to manage the traffic flow, for example between the untrusted zone and the trusted zone. Different security policies can be implemented between different zones, for example packet filtering policy, state filtering policy and so on.

There are two directions of data flow between zones:

Inbound: the data flow is transmitted from a zone with a low priority to a zone with a high priority.

Outbound: the data flow is transmitted from a zone with a high priority to a zone with a low priority.

No two security zones can have the same priority. The interfaces in the same zone can forward packets directly without filtering, which nullifies the zone defenses between them. An interface is unable to forward packets before it is added into a zone.


This example introduces how a security zone is created, how to configure its priority and how to add an interface to the created zone.

[Eudemon] firewall zone name userzone

// creates a security zone named userzone; the system can support up to 16 zones in total, including the 4 default zones.

[Eudemon-zone-userzone] set priority 60

// configures the priority, with a range from 1 to 100; no two zones can use the same priority, and the priority of the 4 default zones cannot be modified.

[Eudemon-zone-userzone] add interface Ethernet 0/0/1

// adds an interface to the zone; one zone can support 1024 interfaces at most.

The command “[Eudemon] display zone userzone” can be used to display related information for a given security zone.


This example introduces how to configure a security policy between zones. When data flows between security zones, the security detection mechanism is triggered. Generally, data from an untrusted zone cannot enter a trusted zone unless permitted explicitly. After applying the configuration displayed, data from the untrusted zone can be forwarded to the trusted zone.

[Eudemon] acl 3000

[Eudemon-acl-adv-3000] rule permit ip

// create an ACL rule to permit any data to pass.

[Eudemon] firewall interzone trust untrust

// enter the trust-untrust interzone view.

[Eudemon-interzone-trust-untrust] packet-filter 3000 inbound

// apply the security policy.

inbound: filters data packets forwarded from a low-level zone to a high-level zone.

outbound: filters data packets forwarded from a high-level zone to a low-level zone.

Enter the command “firewall interzone” and choose the two zones involved; the relation of inbound and outbound is determined by their priorities. For example, between a trusted zone and an untrusted zone, inbound means that data is received from the untrusted zone by the trusted zone. When implementing ACLs between zones, for every direction (inbound or outbound), the Eudemon200, Eudemon300 and Eudemon500 can apply one ACL rule.
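The zone rules of the last three pages (default priorities, the checks on new zones and interfaces, and how priorities decide inbound versus outbound), as an added Python model that is not Huawei code; the class, method and interface names are illustrative assumptions.

```python
"""Security zones, priorities and traffic direction as the course describes them.

Added example, not Huawei code. It encodes the four default zones with their
fixed priorities, the checks the course lists for 'firewall zone name',
'set priority' and 'add interface' (at most 16 zones, a unique priority in
1..100, one zone per interface, 1024 interfaces per zone), and the rule that
a flow from a lower-priority zone to a higher one is inbound and the reverse
is outbound.
"""
from dataclasses import dataclass, field

MAX_ZONES = 16            # including the 4 default zones
MAX_INTERFACES = 1024     # per zone
DEFAULT_ZONES = (("untrust", 5), ("dmz", 50), ("trust", 85), ("local", 100))


@dataclass
class Zone:
    name: str
    priority: int
    default: bool = False
    interfaces: set = field(default_factory=set)


class ZoneTable:
    def __init__(self):
        self.zones = {n: Zone(n, p, default=True) for n, p in DEFAULT_ZONES}

    def _check_priority(self, priority, zone=None):
        if not 1 <= priority <= 100:
            raise ValueError("priority must be in the range 1 to 100")
        if any(z.priority == priority for z in self.zones.values() if z is not zone):
            raise ValueError(f"priority {priority} is already used by another zone")

    def add_zone(self, name, priority):
        """'firewall zone name <name>' followed by 'set priority <priority>'."""
        if name in self.zones:
            raise ValueError(f"zone {name} already exists")
        if len(self.zones) >= MAX_ZONES:
            raise ValueError(f"at most {MAX_ZONES} zones are supported")
        self._check_priority(priority)
        self.zones[name] = Zone(name, priority)

    def set_priority(self, name, priority):
        """'set priority' on an existing zone; the 4 default zones are fixed."""
        zone = self.zones[name]
        if zone.default:
            raise ValueError("the priority of the 4 default zones cannot be modified")
        self._check_priority(priority, zone)
        zone.priority = priority

    def zone_of(self, ifname):
        """Name of the zone an interface was added to, or None if it is in no zone."""
        for z in self.zones.values():
            if ifname in z.interfaces:
                return z.name
        return None

    def add_interface(self, name, ifname):
        """'add interface <ifname>': the network behind the interface joins the
        zone; the interface itself remains in the local zone."""
        zone = self.zones[name]
        if name == "local":
            raise ValueError("interfaces are not added to the local zone")
        if self.zone_of(ifname) is not None:
            raise ValueError(f"{ifname} is already in zone {self.zone_of(ifname)}")
        if len(zone.interfaces) >= MAX_INTERFACES:
            raise ValueError(f"zone {name} already holds {MAX_INTERFACES} interfaces")
        zone.interfaces.add(ifname)

    def direction(self, src_zone, dst_zone):
        """'inbound' (low -> high priority), 'outbound' (high -> low) or
        'intrazone' (same zone: forwarded directly, no interzone filtering)."""
        a, b = self.zones[src_zone].priority, self.zones[dst_zone].priority
        if a == b:
            return "intrazone"
        return "inbound" if a < b else "outbound"

    def classify(self, in_if, out_if):
        """Direction of a packet arriving on in_if and leaving on out_if, or
        None when either interface is not yet in a zone (it cannot forward)."""
        src, dst = self.zone_of(in_if), self.zone_of(out_if)
        if src is None or dst is None:
            return None
        return self.direction(src, dst)


if __name__ == "__main__":
    # The course's example: userzone with priority 60 and Ethernet 0/0/1 added.
    table = ZoneTable()
    table.add_zone("userzone", 60)
    table.add_interface("userzone", "Ethernet0/0/1")
    table.add_interface("untrust", "Ethernet1/0/0")
    print(table.classify("Ethernet1/0/0", "Ethernet0/0/1"))   # inbound: 5 -> 60
```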


The Eudemon firewall can work in three modes: route mode, transparent mode and composite mode.

If the Eudemon firewall connects to the external network at layer 3 (meaning an IP address has been configured on the external interface), the firewall is regarded as operating in route mode. As shown in the figure above, when the Eudemon firewall is located between an internal network and an external network, the three interfaces on the firewall that connect to the internal network, the external network and the DMZ should be configured with IP addresses in different network segments. In the topology the firewall corresponds to the operation of a router. When adopting route mode, it can complete ACL packet filtering, ASPF (status based packet filtering) dynamic filtering and NAT functionality. However, when using route mode the network topology must be modified (the users on the internal network must change the gateway of their end systems, the router must change its route configuration and so on).


If the Eudemon firewall connects externally at layer 2 (no IP address is configured on the interface), the firewall is considered to be operating in transparent mode. If the Eudemon firewall adopts transparent mode, the firewall only needs to be inserted into the network as a bridge; the greatest advantage is that it is not necessary to modify any configuration. The firewall functions as a switch, and the internal network and external network must remain in the same subnet. At present the Eudemon firewall cannot support STP, so the firewall should be deployed with care so as to avoid layer 2 loops in the network. In this mode, the firewall not only forwards packets like a switch but also analyzes the packets.


If the Eudemon firewall has not only an interface working in route mode (the interface has an IP address) but also an interface working in transparent mode (the interface has no IP address), then the firewall is considered to be working in composite mode. This mode is a mix of transparent mode and route mode; at present it is only used in special applications of transparent mode to provide dual-device hot backup.

An IP address should be configured for the interface which has the VRRP (Virtual Router Redundancy Protocol) function enabled. The other interfaces do not require an IP address; furthermore, the internal network and external network must be in the same subnet.


Use the following commands to set the working mode of the Eudemon firewall.

[Eudemon] firewall mode composite

// Configure the firewall to operate in composite mode. The syntax is firewall mode { composite | route | transparent }. The firewall operates in route mode by default.

[Eudemon] quit

<Eudemon> reboot

// Restart the firewall.

The transition between operational modes may cause some operational issues. Operation is not affected when transitioning from transparent mode to composite mode: forwarding continues without packet loss, and forwarding performance is not affected in this case. For transitions to other modes the firewall needs to restart, because the transition affects forwarding performance.

[Eudemon] display firewall mode

// Used to check the firewall working mode.


A firewall must provide the ability to control the network data flow, so as to guarantee security, meet QoS requirements and constitute policy. ACLs (Access Control Lists) are one of the methods that can be used to control data flow. An ACL is a series of ordered rules composed of permit or deny statements. These rules describe data packets through parameters such as the source address, destination address, port number and protocol. An ACL can be applied in the following situations:

1. Packet filtering as part of the network security protection mechanism. Packet filtering is used between two networks with different priorities to control the data flow of a network (inbound and outbound). When a firewall forwards a data packet, it first inspects the packet header (i.e. source address/destination address, source port/destination port and upper-layer protocol), and then compares it with the configured rules. According to the result of the comparison, it determines whether to forward the packet or to discard it. To implement packet filtering, a series of filtering rules is needed. It is possible to adopt an ACL to define the filtering rules, and then apply the ACL to filter between the firewall zones, so as to implement packet filtering.

2. NAT (Network Address Translation) is the process used to translate the IP address in a data packet header to another IP address. It mainly implements this function so that the internal network (using private IP addressing) can forward traffic to the external network (using public IP addressing). In actual applications, it is often desired that some internal hosts (with private IP addresses) can access the external network or Internet while other internal hosts cannot. This is implemented through the association of an ACL with a NAT address pool, meaning only data packets that satisfy the ACL rule have their addresses translated, so as to control the range of address translation.

An ACL can also be applied to other scenarios involving IPSec, QoS and routing policies.


The firewall identifies an ACL by a numeric value. On the Eudemon 300/500/1000, ACLs are divided into three kinds: basic ACL (2000-2999), advanced ACL (3000-3999), and firewall ACL (5000-5499). Users can choose the kind of ACL according to the requirement in order to define different data flows.

The data flow defined by the three kinds of ACL is different: a basic ACL only uses the source address to define a data flow; an advanced ACL uses source address, destination address, source port number, destination port number and protocol number to define a data flow; a firewall ACL uses source address, destination address and destination port number to define a data flow.


One ACL can be composed of multiple ACL rules that include the key word permit or deny.

Use the command “acl [ number ] acl-number [ vpn-instance vpn-instance-name ]” in system view to create an ACL.

[ number ] acl-number defines one ACL. For a basic ACL, the range is 2000-2999; for an advanced ACL, the range is 3000-3999; for a firewall ACL, the range is 5000-5499.

vpn-instance refers to the creation of a firewall ACL rule.

After entering basic ACL view, the command “rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any } ] [ time-range time-name ]” can be used to create a basic ACL rule:

rule-id is the number of each ACL rule; it is an optional parameter. When defining an ACL rule, if the given rule number already exists, the newly defined rule overwrites the old one; if it does not exist, a new rule is created. If no rule-id is specified when an ACL rule is defined, the system automatically assigns a number to the ACL rule.

permit and deny mean the action applied when a match occurs. “permit” carries out NAT or security policy detection on the data packet and allows it accordingly. “deny” is the opposite: it will not implement the corresponding detection on a packet that is not in accordance with the conditions set in the ACL.

“source { source-address source-wildcard | any }” indicates the source address of an ACL rule.

“time-range time-name” indicates the time at which an ACL will take effect.

After entering advanced ACL view, the command “rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard | any } ] [ destination { dest-address dest-mask | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]” can be used to create an advanced ACL rule; the usage of the key words and parameters is the same as in basic ACL rules.

“protocol” uses a name or number to indicate the protocol type carried by IP.

An advanced ACL can filter multiple protocols, for example TCP, UDP, ICMP, IP and so on. IP packets are used to transmit TCP and UDP, so if we choose to filter the IP protocol in the protocol field, it means permitting or refusing all IP-based protocols, such as ICMP messages, TCP messages or UDP messages; if we only plan to discard packets of specific protocols and permit other packets to pass, then we must specify those specific protocols.

“destination { dest-address dest-wildcard | any }” indicates the layer three destination of an ACL rule.

“icmp-type” indicates the message type and code information of an ICMP packet; it can take effect only when the protocol parameter is ICMP. If it is not configured, any ICMP packet can match.

“source-port” is used to indicate the layer four source port; it can take effect only when the source port is defined. If it is not indicated, a packet from any source port can match.

“destination-port” is used to indicate the layer four destination port; it can take effect only when the destination port is defined. If it is not indicated, a packet for any destination port can match.

precedence: An optional parameter, by which a data packet can be filtered according to priority; the range is 0-7, as a number or name.

tos: An optional parameter, by which a data packet can be filtered according to the type of service; the range is 0-15, as a number or name.

One firewall can include multiple ACL groups. When a packet is matched against ACL rules, the following order applies: a firewall ACL has priority over an advanced ACL, and an advanced ACL has priority over a basic ACL. Among ACLs of the same type (firewall, advanced or basic), the ACL with the smaller acl-number is matched first. Within the same ACL rule group, the rule with the smaller rule-id has priority over the others. Once the data flow has matched an ACL rule successfully, the search does not continue for further matches; the firewall carries out other operations on the data flow according to the matched ACL rule.


The following introduces an example of ACL application and configuration on the firewall.

A certain company accesses the Internet through Ethernet 1/0/0 of the Eudemon firewall; this interface belongs to the ‘Untrust’ zone. The firewall connects to the internal network through Ethernet 0/0/0; this interface belongs to the ‘Trust’ zone. The company provides WWW, FTP and Telnet services for the outside; the subnet is 129.38.1.0. The internal FTP server address is 129.38.1.1, the internal Telnet server address is 129.38.1.2, and the internal WWW server address is 129.38.1.3. Through configuring the firewall, the following requirements are to be implemented:

In the external network, only the special user 202.39.2.3 can access the internal servers.

In the internal network, the three servers and the special user 129.38.1.4 can access the external server.


[Eudemon] acl number 3101

// create ACL 3101.

[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0

[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.1 0

[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.2 0

[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.3 0

// configure ACL rules to permit the special host to access the external network and permit the internal servers to access the external network.

[Eudemon-acl-adv-3101] rule deny ip

[Eudemon-acl-adv-3101] quit

// configure an ACL rule to restrict all other IP packets from passing.

[Eudemon] acl number 3102

[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0

[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0

[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0

[Eudemon-acl-adv-3102] quit

// configure ACL rules to permit the special user to access the internal servers from outside.

Use the ACLs in the packet filtering application.

[Eudemon] firewall interzone trust untrust

[Eudemon-interzone-trust-untrust] packet-filter 3101 outbound

// use ACL 3101 in the outbound direction, from Trust to Untrust.

[Eudemon-interzone-trust-untrust] packet-filter 3102 inbound

// use ACL 3102 in the inbound direction, from Untrust to Trust.
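The ACL matching order from the previous page and the 3101/3102 policy above, run over constructed sample packets in an added Python evaluator (not Huawei code). It assumes that rules given without a rule-id are numbered sequentially and that a packet matching no rule is dropped; the function and class names are illustrative.

```python
"""Packet-filter evaluation following the Eudemon ACL matching rules in the course.

Added example, not Huawei code. Three ACL kinds by number range (basic
2000-2999: source only; advanced 3000-3999: protocol, source, destination,
ports; firewall 5000-5499: source, destination, destination port); match
order firewall > advanced > basic, then smaller acl-number, then smaller
rule-id, first match ends the search. Wildcards use the CLI form
'address wildcard' (0 = exact host). Rule ids not given explicitly are
assigned sequentially (assumption; the device's numbering is not described).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

KIND_ORDER = {"firewall": 0, "advanced": 1, "basic": 2}


def acl_kind(number: int) -> str:
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    if 5000 <= number <= 5499:
        return "firewall"
    raise ValueError(f"acl-number {number} is outside the supported ranges")


def _to_int(text: str) -> int:
    # The CLI accepts a bare '0' as the all-zero wildcard 0.0.0.0.
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, spec: Optional[Tuple[str, str]]) -> bool:
    """spec is (address, wildcard) or None for 'any'; a wildcard bit of 1 means don't care."""
    if spec is None:
        return True
    base, wild = _to_int(spec[0]), _to_int(spec[1])
    return (_to_int(addr) | wild) == (base | wild)


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every IP-carried protocol
    src: Optional[Tuple[str, str]] = None
    dst: Optional[Tuple[str, str]] = None
    dst_port: Optional[int] = None   # 'destination-port eq N'

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], self.src) or not wildcard_match(pkt["dst"], self.dst):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


class ACL:
    def __init__(self, number: int):
        self.number, self.kind, self.rules = number, acl_kind(number), {}

    def rule(self, action, protocol="ip", src=None, dst=None, dst_port=None, rule_id=None):
        """Add a rule; reusing an existing rule-id overwrites that rule, as the course states."""
        if self.kind == "basic" and (protocol != "ip" or dst or dst_port is not None):
            raise ValueError("a basic ACL defines flows by source address only")
        if self.kind == "firewall" and protocol != "ip":
            raise ValueError("a firewall ACL carries no protocol field")
        if rule_id is None:
            rule_id = max(self.rules, default=-1) + 1
        self.rules[rule_id] = Rule(rule_id, action, protocol, src, dst, dst_port)
        return self


def evaluate(acls, pkt):
    """First matching (action, acl-number, rule-id) in Eudemon match order, else None."""
    for acl in sorted(acls, key=lambda a: (KIND_ORDER[a.kind], a.number)):
        for rid in sorted(acl.rules):
            if acl.rules[rid].matches(pkt):
                return acl.rules[rid].action, acl.number, rid
    return None


def packet_filter(acls, pkt) -> str:
    # No match is treated as deny: the course's default for untrust -> trust
    # traffic, assumed here for every interzone direction.
    hit = evaluate(acls, pkt)
    return "permit" if hit and hit[0] == "permit" else "deny"


def build_example_policy():
    """ACL 3101 (outbound, Trust -> Untrust) and ACL 3102 (inbound) from the course."""
    acl3101 = ACL(3101)
    for host in ("129.38.1.4", "129.38.1.1", "129.38.1.2", "129.38.1.3"):
        acl3101.rule("permit", "ip", src=(host, "0"))
    acl3101.rule("deny", "ip")
    acl3102 = ACL(3102)
    for server in ("129.38.1.1", "129.38.1.2", "129.38.1.3"):
        acl3102.rule("permit", "tcp", src=("202.39.2.3", "0"), dst=(server, "0"))
    return {"outbound": [acl3101], "inbound": [acl3102]}
```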


NAT is the process of translating individual IP addresses in IP data packet headers to alternative IP addresses. In actual applications, NAT mainly implements the function that allows end systems in a private network to forward traffic over the external network.

Public IP address space is limited, and as the world's networks continue to grow, the available public IP address ranges have been completely absorbed. It is impossible to use the IPv4 address scheme to assign individual public IP addresses to all end system devices. The solution until now has been to use private IP addresses in internal enterprise networks and public IP addressing on the external interface of an internal network. Private IP addresses cannot be used within the WAN domain, so if users with private IP addresses need to access the public network, their addresses must be translated using NAT. It is thereby possible to use a small number of public addresses to represent a large number of private addresses (internal users).

Attacks on government and enterprise networks over public networks have become increasingly frequent and complex. NAT can effectively hide private IP addresses, and implementing security precautions on the NAT egress routers reduces the difficulty of achieving effective security.

In some cases, two enterprise networks may need to combine into a single network, and overlapping private addresses commonly occur. The IP addressing schemes should be redesigned, but it is hard to implement this effectively in a short time without causing downtime for users. Here, we can configure NAT on the egress routers of the two internal networks. The egress routers act as a public interface between the two private networks. Hosts of one internal network have their private addresses translated to a public IP address in order to reach the external interface of the other network. The NAT router of the receiving network can verify the source and translate accordingly.


Internet address allocation regulates that the following three network address ranges are reserved as private address ranges:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

These three network address ranges are not distributed on the Internet, but they can be used inside an enterprise network (LAN). The enterprise chooses a proper network address range according to the foreseeable number of hosts required. Different enterprises can have the same internal network addressing. If a company does not choose one of the network address ranges above for its internal network, the routing table may suffer some confusion, so when constructing an internal LAN it is recommended that one of the network address schemes above be used for internal network addressing.

Public addresses are legal IP addresses obtained from an Internet address allocation organization; mostly this means obtaining public addresses from an ISP as part of a typical subscription package.

As referred to before, when users with private IP addresses wish to access public address domains such as the Internet, their private addresses must be translated to public addresses through NAT.


When the Trust zone establishes a connection to the Untrust zone or the DMZ on the Eudemon firewall, the firewall detects whether the corresponding data needs NAT translation. If it is needed, it is completed at the egress of the IP forwarding interface: the source address of the packet (a private address) is translated to a public address. At the ingress of the IP layer, the destination address of the reply packet (a public address) is translated back to the private address.

As shown in the figure above, the Eudemon firewall is located at the private/public network boundary. When the internal PC A (192.168.1.3) sends data packet 1 to the external server B (202.120.10.2), the data packet goes through the firewall. The NAT process checks the content of the packet header, finds that the packet is destined for an external network, and translates the private address 192.168.1.3 in the source address field of packet 1 into the public address 202.169.10.1. The packet is then sent with the translated address to the external server B, and the private-to-public address mapping is recorded in the NAT table. External server B sends a reply packet (packet 2) to internal PC A (the initial destination address is 202.169.10.1); when the packet gets to the firewall, NAT checks the packet and looks up the record in the NAT table. The destination address is replaced by the private address 192.168.1.3 of the internal PC. The NAT process referred to above is transparent to the end system devices (for example, PCs A-D and the server). The external server regards the IP address of the internal PC as 202.169.10.1; it is totally unaware of the address 192.168.1.3. In this manner, NAT is able to “hide” the private network of an enterprise.


On the Eudemon firewall, there are two modes of address translation: NO_PAT and NAPT.

NO_PAT: Individual private addresses correspond to individual public addresses; it does not need to associate ports with addresses in order to translate, and is straightforward to implement. The disadvantage is that by mapping a single private address to a single public address, it does not solve the shortage problem associated with public addressing. It does help to map internal devices such as servers directly, which simplifies the ability of external devices to reach such devices without knowing the associated internal address or having any means to bypass the firewall.

NAPT: It permits multiple private addresses to map to a single public address. NAPT maps IP addresses together with port numbers. Data packets from different internal addresses can be mapped to the same external address, but the port number in each case or session will be different so as to distinguish between the different internal hosts. As shown in the figure above, when four data packets with internal addresses reach the NAT server, packets 1 and 2 are from the same internal address, but since the destination is different for the two packets, a different port number is associated with each packet. Packets 3 and 4 are from different internal addresses but have the same port number. Through NAT translation, the four packets are translated to the same external address, but each packet has a different source port number, so the differentiation between the four packets is maintained. When a reply packet gets to the NAT server, the NAT server identifies the packet according to the destination address, and the port number of the reply packet helps to forward the packet to the right internal host. Eudemon adopts this mode by default. The Eudemon series of firewalls supports overlapping of the IP addresses of outgoing interfaces and address pools. The Eudemon100/200 supports using the IP address of the outbound interface as the translated source address (called Easy IP); the Eudemon300/500/1000 however do not support this function.


NAT hides the structure of the internal network and has the capability to “shield” internal hosts, while at the same time it makes it possible for external devices to access internal hosts, for example a WWW server or FTP server. NAT can support internal servers: for example, the address 202.168.0.11 can be used as the external address of the Web server, or the address 202.168.0.12 can be used as the external address of the internally located FTP server.

NAT provides an internal server function that the external network can access. As shown in the figure above, when a user of the external network accesses an internal server, NAT translates the public destination IP address of the packet into the private destination IP address of the internal server. For the reply packet of each internal server, NAT translates the source of the reply packet to the public address.

NAT and NAPT can only translate the header addresses of IP packets and the port information of TCP/UDP headers. For some special protocols, like ICMP and FTP, the data part of a packet may include an IP address or port information; this content cannot be translated by NAT effectively, which leads to problems. For example, an FTP server that uses an internal IP address needs to send its IP address to the peer when it establishes a session with an external host. The address information is carried in the data part of the packet, where it cannot be translated by NAT. When the external host receives the private address and uses it, the FTP server will be regarded as unreachable. The solution to this NAT problem is a special protocol ALG (Application Level Gateway) in the NAT implementation. An ALG is a translation proxy for a special application protocol; it cooperates with NAT and uses NAT state information to change the special data encapsulated in the data part of an IP packet, and also completes other necessary work to make the application protocol run across different address ranges.

The Eudemon firewall functions as a complete address translation application level gateway mechanism; it can support all kinds of special application protocols, it is unnecessary to modify the NAT platform, and it has good extensibility.

At present, it has implemented the ALG function for the following application protocols: DNS, FTP, H.323, HWCC, ICMP, ILS, MGCP (Media Gateway Control Protocol), MSN, NetBIOS, PPTP, QQ, RAS and SNP.


NAT on the Eudemon firewall combines NO-PAT mode and NAPT effectively. If the NAPT function is configured, in the process of address translation NAT first translates private IP addresses into one public IP address, and then chooses another public IP address to complete address translation. An address pool is the aggregation of the public IP addresses used for translation. Users should configure a proper address pool according to the number of legal IP addresses, the number of hosts within the internal network and the actual applications.

The Eudemon firewall utilizes ACLs to limit address translation. Only the data packets that satisfy the ACL have their addresses translated, which controls the range of address translation effectively and allows only the specified hosts access to the external network.


This example introduces how NAT is configured on the Eudemon. As shown in the figure above, the firewall divides the network into the internal Trust Zone, the external Untrust Zone and the DMZ. The hosts with private addresses in the Trust Zone need to access the external network (Internet). The hosts with public addresses in the Untrust Zone need to access the three servers in the DMZ.


[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
//configure ACL 2000 to permit any traffic to pass.

[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
//configure NAT address pool number 1; it contains the public addresses used for NAT translation.

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip source-address 192.168.0.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
//configure ACL 3000 to permit packets with a source IP in 192.168.0.0/24.

[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 2000 outbound
//bind ACL 2000 so that packets are permitted to be forwarded from the Trust Zone to the Untrust Zone.

[Eudemon-interzone-trust-untrust] nat outbound 3000 address-group 1
//associate the ACL with the address pool: the addresses matched by acl-number use address pool group-number for address translation.

In addition, the E200/E100 support Easy IP, whereas the E300/E500/E1000 do not.


[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
//the "nat server" command defines the mapping table of the internal servers. The three commands above define, respectively, that external users reach the internal server 192.168.1.100 through public address 202.168.0.10, the internal Web server 192.168.1.101:8080 through public address 202.168.0.11:80, and the internal FTP server 192.168.1.102 (FTP port) through public address 202.168.0.12:1021.

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip destination-address 192.168.1.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone DMZ untrust
[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
//permit traffic with destination 192.168.1.0/24 to be forwarded from the Untrust Zone to the DMZ.
[Eudemon-interzone-DMZ-untrust] detect ftp
//configure NAT ALG detection for FTP.
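As an added example (not part of the course material or of any Eudemon software), the following Python model ties the NAT ALG explanation to the configuration above: it applies the outbound NAPT address pool restricted by the ACL, the static nat server mappings, and an FTP ALG that rewrites the private address carried in PORT commands and 227 replies using the NAT state. The class and method names, the starting port number and the sample FTP messages are this example's own assumptions; the addresses are those used in the configuration.

```python
import ipaddress
import re

# FTP carries "h1,h2,h3,h4,p1,p2" in the data part of PORT commands and of
# "227 Entering Passive Mode" replies: the content that plain NAT does not see.
FTP_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_ftp_addr(match):
    """'192,168,1,102,4,1' -> ('192.168.1.102', 1025)."""
    h = match.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def encode_ftp_addr(ip, port):
    """('202.168.0.12', 1025) -> '202,168,0,12,4,1'."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class NatGateway:
    """Model (this example's own names, not Eudemon commands) of an ACL-restricted
    NAPT address pool, static 'nat server' mappings and an FTP ALG."""

    def __init__(self, pool_start, pool_end, acl_source, first_port=10000):
        lo = int(ipaddress.IPv4Address(pool_start))
        hi = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.acl = ipaddress.IPv4Network(acl_source)  # like acl 3000 source-address
        self.first_port = self.next_port = first_port  # assumed starting port
        self.pool_index = 0
        self.outbound = {}  # (private ip, port) -> (public ip, port)
        self.inbound = {}   # (public ip, port)  -> (private ip, port)
        self.servers = {}   # static: (global ip, port) -> (inside ip, port)

    def nat_server(self, global_ip, global_port, inside_ip, inside_port):
        """Static mapping for an internal server, like 'nat server protocol tcp'."""
        self.servers[(global_ip, global_port)] = (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port):
        """Public (ip, port) for a private socket, or None when the ACL does
        not match and the packet is therefore not translated."""
        if ipaddress.IPv4Address(src_ip) not in self.acl:
            return None
        key = (src_ip, src_port)
        if key not in self.outbound:
            # NAPT: one pool address is reused with new ports until its port
            # range is exhausted, then the next pool address is chosen.
            pub = (self.pool[self.pool_index], self.next_port)
            self.next_port += 1
            if self.next_port > 65535:
                self.pool_index = (self.pool_index + 1) % len(self.pool)
                self.next_port = self.first_port
            self.outbound[key] = pub
            self.inbound[pub] = key
        return self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Private (ip, port) for a packet arriving on a public address:
        static server mappings first, then dynamic NAPT state, else None."""
        key = (dst_ip, dst_port)
        return self.servers.get(key) or self.inbound.get(key)

    def ftp_alg(self, payload):
        """Rewrite the private address in a PORT command or 227 reply sent by an
        inside host and install the binding its data connection will need.
        Without this, the peer uses the private address and the transfer fails."""
        m = FTP_ADDR_RE.search(payload)
        if not m:
            return payload
        priv_ip, priv_port = decode_ftp_addr(m)
        global_ip = next((g for (g, _), (i, _) in self.servers.items() if i == priv_ip), None)
        if global_ip is not None:
            # A server published with 'nat server' keeps its static global
            # address; the ALG only adds a binding for the announced data port.
            pub = (global_ip, priv_port)
            self.inbound[pub] = (priv_ip, priv_port)
        else:
            pub = self.translate_outbound(priv_ip, priv_port)
            if pub is None:
                return payload  # not covered by the ACL: left untranslated
        return payload[:m.start()] + encode_ftp_addr(*pub) + payload[m.end():]


def demo():
    """Constructed walk-through with the addresses from the configuration above."""
    gw = NatGateway("202.168.0.10", "202.168.0.20", "192.168.0.0/24")
    gw.nat_server("202.168.0.12", 1021, "192.168.1.102", 21)
    pasv = gw.ftp_alg("227 Entering Passive Mode (192,168,1,102,4,1)\r\n")
    port = gw.ftp_alg("PORT 192,168,0,5,19,137\r\n")
    return pasv, port, gw.translate_inbound("202.168.0.12", 1025)
```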


The command "display nat all" can be used to display the NAT information of the firewall. The information includes three parts: the address pool, the address translation state and the internal server mapping information.


Q: Which operational modes does Eudemon support?
A: Route mode, transparent mode and composite mode.

Q: What are the default Eudemon security zones?
A: Trust Zone, Untrust Zone, DMZ and Local.

Q: What is the difference between a basic ACL and an advanced ACL?
A: A basic ACL only uses the source address to define a data flow, whereas an advanced ACL uses source/destination address, source/destination port and upper-layer protocol to define a data flow.

Q: Which forms of NAT does Eudemon support?
A: NO-PAT, NAPT.


Huawei routers have evolved through three generations. The first-generation routers use an integrated single-core design, the second-generation routers an integrated multi-core design, and the third-generation routers a distributed multi-core design.

Huawei AR G3 series routers (AR G3 routers for short) support multiple network access modes, including Ethernet, PON, and 3G.

The AR G3 routers are next-generation routing and gateway devices that provide routing, switching, wireless, voice, and security services. The AR G3 routers include the AR1200, AR2200, and AR3200 series routers.


The AR G3 routers provide the highest port density in the industry and flexible service interface card (SIC) slots, allowing enterprise customers to connect to a LAN, WAN, or wireless network. The AR G3 routers provide the most economical enterprise network solutions.

The AR G3 routers provide flexible slot combinations. Two SIC slots can be combined into one WSIC slot, two WSIC slots into one XSIC slot, and two XSIC slots into one EXSIC slot.

With an extensible hardware design, the AR G3 routers allow customers to choose SICs flexibly and to expand networks economically.


The AR G3 routers integrate various services of routers, switches, and

wireless devices, including voice, firewall, and VPN.


Depending on the telecom carriers' networks, users can access these networks by using CE1/CT1, FE/GE, ADSL, G.SHDSL, or Synchronization Agent (SA). The AR G3 routers provide dual uplinks to ensure service reliability. These routers provide the following services for access users:

Provide the security, routing, switching, VPN, and wireless services to ensure secure, fast, and reliable data packet forwarding.
Provide a variety of value-added services, including DHCP, network address translation (NAT), domain name system (DNS), and billing services.
Provide security control mechanisms, including control of access to internal networks and of user rights, to ensure access security on the enterprise intranet and isolate the departments of an enterprise.
Provide the attack defense function to protect user traffic against attacks from the external and internal networks.
Guarantee user-specific QoS and service-specific QoS and flexibly allocate bandwidth to services as needed.

The headquarters and branches use AR G3 routers to connect to each other over the Internet. The enterprise establishes a VPN and uses GRE/IPSec VPN tunnels to secure the data. Employees on a business trip use IPSec VPN tunnels to communicate with the headquarters.

The AR G3 routers, located between the enterprise intranet and the Internet, ensure information security on the entire intranet and intranet LANs. Additionally, the AR G3 routers provide network access control (NAC) to restrict the access permissions of internal users. This ensures that only authorized users can access the intranet.

An enterprise can build a voice communication system over the IP network, saving fees on internal communication. Within the voice communication system, an AR G3 router can function as an IP PBX or SIP access gateway (AG). In the downlink direction, the router connects to POTS users (analog phones or fax machines) and SIP user equipment (UE) users (IP phones or PC software terminals) through FXS or Ethernet interfaces. In the uplink direction, the router connects to the PSTN through E1 or FXS interfaces or to the IP network through Ethernet interfaces.


The AR200 series routers apply to small-scale offices. They integrate switching and routing functions. These routers provide wireline LAN access and wireless AP access to users. With them, users can access the Internet through Ethernet, 3G, or PPPoE.

The AR1200 series routers feature powerful routing functions. They provide multiple access modes, such as wireline LAN and wireless AP. Additionally, these routers provide flexible slots that allow users to install subcards to extend interfaces and enrich functions.

The AR2200 series routers feature powerful routing functions and multiple access modes. They support a variety of subcards to apply to different usage scenarios. Their slots can be combined to achieve a higher port density. Among them, the AR2240 is equipped with two main control boards and two power supplies for redundancy backup. This redundancy backup design improves the router's usability and reliability.

The AR3200 series routers have a large capacity. They provide many flexible slots that allow users to install different cards in different usage scenarios. Additionally, their slots can be combined to provide a higher port density. To improve system reliability, these routers are configured with two main control boards and two power supplies for redundancy backup.


Huawei has the most extensive enterprise switch families in the industry, ranging from low-end and medium-range to high-end.

The S1700, S2700, S3700, and S5700 switches are used at the access layer of a campus network. The S1700 and S2700 provide Layer 2 FE access. The S3700 supports Layer 3 FE access. The S5700 allows for Layer 3 GE access and has a high port density. Additionally, the S5700 supports cluster management and features high fault tolerance through the use of stacking technology.

The S5700, S7700, and S9300 are used at the convergence layer of a campus network. These switches provide powerful switching functions and have a high port density. They also support a variety of cards to apply to different usage scenarios where varying interfaces are required.

The S5700, S6700, S9300, and S12700 are high-end switches. These switches are used at the core layer of a campus network. They also apply to the access and core switching layers of a large-scale data center. With a high port density and a variety of cards, these switches provide various ports to meet different requirements.


The SX7 series switches are intended for the enterprise market. They provide Layer 2 and Layer 3 access and FE, GE, and 10GE ports. Among these series, the S7700 core switch uses a distributed architecture and provides up to 12 slots that allow users to install different cards in various usage scenarios.


S2700 series: S2700-9TP-SI, S2700-9TP-EI, S2700-18TP-SI, S2700-18TP-EI, S2700-26TP-SI, S2700-26TP-EI, S2700-52P-EI, S2700-9TP-PWR-EI, S2700-26TP-PWR-EI


Principle

The S2700/S3700/S5700/S6700 integrate an internal HTTP server, so the device can be accessed through a Layer 3 interface of the switch from a variety of web browsers.


The following requirements must be met to implement stacking:

All the member switches belong to the same series. The EI series and SI series cannot form a stack.

All the member switches are connected by using stack cables and stack modules.

The stack rear card cannot be used together with the E4GF/E4GFA or E4XY front card.


If all the member switches meet the stack setup prerequisites, the stack system is automatically created when these switches are powered on.

The master switch is selected as follows:
The device that starts first becomes the master switch.
If all the devices start at the same time, the one with the highest priority becomes the master switch.
If all the devices have the same priority and start at the same time, the one with the smallest MAC address becomes the master switch.

The slave switch is selected as follows:
The device that starts first among all the other devices, excluding the master switch, becomes the slave switch.
If all the other switches, excluding the master switch, start at the same time, the master switch preferentially selects the switch connected to its stack interface 1 as the standby switch.
If all the other switches, excluding the master switch, start at the same time and no switch is connected to stack interface 1 on the master switch, the master switch selects the switch connected to its stack interface 0 as the standby switch.
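As an added example (not from the course material), the following Python functions apply the master and standby selection rules above to constructed member records. The Member fields, the cabling dictionary (own stack interface number to neighbour name) and the sample values are this example's own; it also assumes that the interface-1/interface-0 preference breaks a tie among only some simultaneously started switches, a case the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    """One stack member (constructed record; field names are this example's own)."""
    name: str
    start_time: float   # seconds after power-on; equal values = started at the same time
    priority: int       # stack priority, higher wins
    mac: str            # e.g. "00e0-fc00-0001"
    links: Dict[int, str] = field(default_factory=dict)  # own stack interface -> neighbour name


def mac_value(mac: str) -> int:
    """Numeric value of a MAC address so that 'smallest MAC' can be compared."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def select_master(members: List[Member]) -> Member:
    """Rule from the text: the device that starts first; on a tie the highest
    priority; on a further tie the smallest MAC address."""
    return min(members, key=lambda m: (m.start_time, -m.priority, mac_value(m.mac)))


def select_standby(members: List[Member], master: Member) -> Optional[Member]:
    """Rule from the text: among the remaining devices, the one that starts first;
    if they start at the same time, the master prefers the switch cabled to its
    stack interface 1, then the one cabled to its stack interface 0."""
    others = [m for m in members if m is not master]
    if not others:
        return None
    earliest = min(m.start_time for m in others)
    candidates = [m for m in others if m.start_time == earliest]
    if len(candidates) == 1:
        return candidates[0]
    for port in (1, 0):
        neighbour = master.links.get(port)
        for m in candidates:
            if m.name == neighbour:
                return m
    return None  # the text gives no rule beyond this point


def form_stack(members: List[Member]) -> Tuple[Member, Optional[Member]]:
    """Run the election and return (master, standby)."""
    master = select_master(members)
    return master, select_standby(members, master)
```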


The S7700 is a next-generation switch from Huawei. It provides large capacity, line-speed forwarding, and high-density ports. The S7700 is an important product for establishing the MANs of the future. The S7700 can be used as an aggregation switch or a core switch for enterprise networks, campus networks, and data centers.

The S7700s are classified into the S7703, S7706, and S7712. The S7700 is a high-end network product that provides wire-speed FE, GE, and 10GE interfaces. The S7700 can function as a core switch for enterprise networks, campus networks, and data centers.


The S7700s are classified into the S7703, S7706, and S7712.

The S7700 uses a fully distributed architecture and the latest hardware forwarding engine technology. The services supported by all the interfaces can be forwarded at wire speed. These services include IPv4, MPLS, and Layer 2 forwarding services. The S7700 can also apply ACLs while forwarding packets at wire speed.

The S7700 supports wire-speed forwarding of multicast packets. The hardware implements 2-level multicast replication:
The SFU replicates multicast packets to the LPU.
Then the forwarding engine of the LPU replicates the multicast packets to the interfaces on the LPU.

The S7700 supports 2 Tbit/s switching capacity and various high-density cards to meet the requirements for large capacity and high-density interfaces on core and convergence layer devices. The S7700 can meet increasing bandwidth requirements while minimizing investment.

S7703's switching capacity:
Adopting the full mesh architecture, the S7703 provides 16 Gbit/s bandwidth in each HIG group, that is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between each slot and the backplane supports eight HIG groups; therefore, the total bandwidth for each slot is 128 Gbit/s. There is no switching network unit in the full mesh architecture. The switching capability is 720 Gbit/s, that is, 120 Gbit/s x 2 x 3 (3 LPUs).

S7706/S7712's switching capacity:
Adopting the switching network architecture, the S7706 or S7712 provides 16 Gbit/s bandwidth in each HIG group, that is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between each slot and the backplane supports four HIG groups (an active SRU and a standby SRU); therefore, the total bandwidth for each slot is 64 Gbit/s. Each 12x10GE LPU slot supports eight HIG groups; therefore, the total bandwidth is 128 Gbit/s. (Only two 12x10GE LPUs of the S7712 support wire-speed forwarding.) The maximum switching capability of the S7706 or S7712 is 2048 Gbit/s, that is, 16 Gbit/s x 16 (ports) x 1 (switching network unit) x 2 (bidirectional) x 4 SRUAs.


ISSU = In-Service Software Upgrade.


The figure on this slide shows a typical enterprise campus network. Within this network, you can

clearly see where Huawei switches, routers, firewalls, servers and other IT products are located.

Actually, Huawei can provide a full range of IT products and the most comprehensive network

solutions in the industry.


The Huawei NetEngine40E Universal Service Router (hereinafter referred to as the NE40E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone networks. The NE40E is positioned as the edge or convergence router on the IP backbone network.


This is an introduction to the NE40E product family. All LPUs can be used in the NE40E-X16, X8 or X3. The main difference between LPUs is forwarding capability.


The NE40E-X adopts the system architecture shown in the figure above. In this architecture, the data plane, the management and control plane, and the monitoring plane are separated. This design helps improve system reliability and facilitates separate upgrades of each plane.


The SFU on the NE40E-X16 switches data for the entire system at a wire speed of 640 Gbit/s (320 Gbit/s for the upstream traffic and 320 Gbit/s for the downstream traffic). This ensures a non-blocking switching network.

The NE40E-X16 has four SFUs working in 3+1 load balancing mode. The entire system provides a switching capacity at a wire speed of 2.56 Tbit/s.

The four SFUs load balance services at the same time. When one SFU is faulty or replaced, the other three SFUs automatically take over its tasks to ensure normal running of services.


The SFU on the NE40E-X8 switches data for the entire system at a wire speed of 480 Gbit/s (240 Gbit/s for the upstream traffic and 240 Gbit/s for the downstream traffic). This ensures a non-blocking switching network.

The NE40E-X8 has three SFUs working in 2+1 load balancing mode. The entire system provides a switching capacity at a wire speed of 1.44 Tbit/s.

The three SFUs load balance services at the same time. When one SFU is faulty or replaced, the other two SFUs automatically take over its tasks to ensure normal running of services.


With its full-mesh architecture, the NE40E-X3 does not need an SFU.


The control plane of the NE40E-X16 adopts the MPU.

The MPU supports the following USB interface attributes:
Supports the largest FAT32-formatted USB storage devices and the memory devices available on the market.
For security reasons, writing to the USB storage device is not allowed.
Updates automatically: insert the USB memory and no further operation is needed.


The control plane of the NE40E is separated from the data plane and the monitoring plane. The SRU is adopted on the NE40E-X8. The SRU integrates an SFU used for data switching.

The SRU supports the following USB interface attributes:
Supports the largest FAT32-formatted USB storage devices and the memory devices available on the market.
For security reasons, writing to the USB storage device is not allowed.
Updates automatically: insert the USB memory and no further operation is needed.


The MPU of the NE40E-X3 controls and manages the system and switches data. The MPUs work in 1+1 backup mode. The MPU consists of the main control unit, switching unit, system clock unit, synchronous clock unit, and system maintenance unit. The functions of the MPU are described from the following aspects.


The switching network is a key component of the NE40E and is responsible for switching data between LPUs.


As shown in the figure, the Packet Forwarding Engine (PFE) adopts a Network Processor (NP) or an Application Specific Integrated Circuit (ASIC) to implement high-speed packet routing. External memory types include Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), and Net Search Engine (NSE). The SRAM stores forwarding entries; the DRAM stores packets; the NSE performs non-linear searching.

Data forwarding processes can be divided into upstream and downstream processes based on the direction of the data flow.

Upstream process: The Physical Interface Card (PIC) encapsulates packets into frames and then sends them to the PFE. On the PFE of the inbound interface, the system decapsulates the frames and identifies the packet types. It then classifies traffic according to the QoS configuration on the inbound interface. After traffic classification, the system searches the Forwarding Information Base (FIB) for the outbound interfaces and next hops of the packets to be forwarded. To forward an IPv4 unicast packet, for instance, the system searches the FIB for the outbound interface and next hop according to the destination IP address of the packet. Finally, the system sends the packets, together with the information about outbound interfaces and next hops, to the traffic management (TM) module.

Downstream process: The information about the packet types identified in the upstream process and about the outbound interfaces is used for link-layer encapsulation, and the packets are stored in the corresponding queues for transmission. For an IPv4 packet whose outbound interface is an Ethernet interface, the system needs to obtain the MAC address of the next hop. Outgoing traffic is then classified according to the QoS configuration on the outbound interfaces. Finally, the system encapsulates the packets with new Layer 2 headers on the outbound interfaces and sends them to the PIC.


The NE40E supports complete HQoS solutions. Huawei is the only vendor that supports HQoS, DS-TE and MPLS HQoS; other vendors support only one or two of them. Thus, Huawei can provide a complete HQoS solution for all kinds of carrier-class service scenarios.


The main scenarios of the NE40E router: campus and IDC interconnection, large branch access, and key nodes of the WAN.