Huawei Hcna Tutorial (note)

Source: Internet
Author: User

Chapter I: VRP Operation Foundation
1. VRP Foundation

How to connect to a switch through the mini-USB serial (console) port.

2. eNSP Getting Started

3. Command-line Basics (1)
In eNSP, open the device's console and note the port it listens on; a third-party terminal program can then connect with: telnet 127.0.0.1 <port>

Views: user view - system view (system-view, abbreviated sys) - interface view (interface GigabitEthernet 0/0/0) - protocol view (for example a routing protocol view)

display hotkey ; show the function keys
display clock ; show the time
clock timezone CST add 08:00:00 ; set the time zone (the displayed time is recalculated for the new zone)
clock datetime <time> ; set the time

header login information #
<content>
#
Text shown before login.

header shell information # ... # ; text shown after login (same format as above). Ctrl+] exits the display of this information.

User privilege levels go up to 15; command levels go up to 3.
To configure a password for the console port:
user-interface console 0 ; enter the corresponding user interface
authentication-mode password ; authenticate with a password
set authentication password cipher Huawei ; set the password (the note says this step is not required on routers)

To set a password for the VTY (Telnet) lines:
user-interface vty 0 4
(the rest as above)
user privilege level 3 ; command level 3 (administrator); not needed on the console

display history-command ; show the command history

Configuring two IP addresses on interfaces (routers only):
system-view
[Huawei]interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 10.0.12.1 255.255.255.0
[Huawei-GigabitEthernet0/0/0]interface loopback 0 ; loopback interface (a logical interface)
[Huawei-LoopBack0]ip address 1.1.1.1 32

Management network port configuration:
Note: Huawei switches have a separate management port; it does not use one of the ports listed in the device's port table.
interface meth0/0/1 ; the separate RJ45 management port, labelled ETH on the chassis
ip address 192.168.5.250 24 ; set the IP address and mask of the management port

Management IP of an aggregation switch: the gateway VLANIF already exists on the core switch.

A newly added aggregation switch likewise gets a VLANIF on the core switch and is assigned an IP address in the same segment as the gateway.

4. Command-line Basics (2)

Cloud device configuration in eNSP: port 1 is UDP (ingress); port 2 is bound to the VMware host-only network adapter (egress).
Then add a port mapping:
1 -> 2 bidirectional, 2 -> 1 bidirectional

display version ; view basic router information
display interface gigabitethernet 0/0/0 ; view interface status information
display ip interface brief ; view a summary of all interfaces, including IP addresses
display ip routing-table ; view the routing table
display current-configuration ; view the current (in-memory) configuration
display saved-configuration ; view the saved configuration (in flash)
dir flash: ; view the files in flash
save ; save the configuration file
reboot ; restart the device

Telnet experiment (see the commands above)
AAA authentication (a different password for each user):
user-interface vty 0 4
authentication-mode aaa ; per-user passwords
user privilege level 15
aaa
local-user admin password cipher Huawei ; create the user and set its password
local-user admin privilege level 15
local-user admin service-type telnet ; service type

After logging in over Telnet, use display users to view the users currently logged in.

Telnet is cleartext: in a packet capture, "Follow TCP Stream" shows the Telnet password.

5. VRP File System Basics

cd ; change directory

more ; view file contents

copy ; copy a file, e.g. copy flash:/vrpcfg.zip vrpcfg.zip (copies the configuration file from the root of flash to the current directory)

move ; move a file

delete ; delete a file

rename ; rename a file

undelete ; recover a file from the recycle bin

pwd ; display the current path

mkdir ; create a directory

rmdir ; delete a directory

format ; format the file system

fixdisk ; repair the file system

save ; writes the configuration file (vrpcfg.zip)

display saved-configuration ; show the saved configuration

display current-configuration ; show the current configuration

reset saved-configuration ; delete the saved configuration; then reboot and answer n when asked to save = reset of the device

compare configuration ; show the differences between configuration files

Permanently deleting files:
delete /unreserved <file> ; bypasses the recycle bin (dir /all also lists the files in the recycle bin)
Recovering deleted files:
undelete <file>
Emptying the recycle bin:
reset recycle-bin

Loading a different configuration file:
display startup ; view boot information, including the path of the configuration file that will be loaded
startup saved-configuration flash:/a.zip ; change the configuration file used at the next boot

Comparing the current configuration with the next-boot configuration:
compare configuration

6. VRP System Management (1)

Router as FTP client:
ftp <ftp-server-address>
get vrp.cc ; download a file from the FTP server
put vrp.zip ; upload a file to the FTP server

TFTP:
tftp 10.0.1.184 put vrpcfg.zip (or get vrpcfg.zip)

7. VRP System Management (2)

Chapter II: Static Routing
8. IP Routing Principles, Basic Static Routing Configuration

Sources of routes:
Directly connected routes: discovered from the link layer (direct)
Added manually by the administrator: static routes
Learned by a routing protocol: dynamic routes (OSPF, RIP)

Characteristics of static routes:
Advantages: simple to implement, precise control, no resources consumed by a protocol
Disadvantages: not suited to large networks; every network change has to be made by hand

display ip routing-table ; view the routing table (the lab shows 11 directly connected entries)

ip route-static 192.168.23.0 Serial 1/0/0 192.168.12.2
destination network, outbound interface (the exit on this router), next hop (the entry on the neighbour)

9. Static Routing In Depth
Preference (pre): lower wins; direct = 0 (the best), then OSPF, then static.
Metric (cost): among routes with the same preference, the path with the lowest cost is chosen (the cost can depend on several factors).

The lower the value, the higher the priority.

Matching principle: AND the destination address with each route's mask and compare the result with the route's destination; the route with the longest mask (the most specific match) wins.

Next-hop notation:
Point-to-point links: the next hop can be omitted;
Ethernet: the outbound interface can be omitted;

display fib ; shows the routes finally installed for forwarding

Recursive lookup (R flag): the next hop is resolved through several successive lookups until a directly reachable destination is found.

Default route: 0.0.0.0 0.0.0.0 <gateway>; a route whose destination and mask are all zeros. Internet-facing routers have one.

10. Load Sharing, Route Backup
Dual-line load sharing (both links carry traffic): usually two static routes to the same destination via different paths, which the routing table uses together.

Floating route (route backup, normally only one link carries traffic): the backup static route is given a lower priority (a higher value set with the preference keyword) so it stays out of the routing table while the primary is up. There is a catch here.

display ip routing-table 192.168.4.0 verbose ; view the details of the routes to a destination
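The selection order described in sections 9 and 10 (longest mask, then lowest preference, then lowest cost, with ties giving load sharing and a higher preference value giving a floating backup) as an added Python model; this is not code from the note or from VRP. The routing table and the OSPF/static/RIP default preference values are constructed for the demo; the real values are what display ip routing-table shows on the device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default preference per route source, in the order the notes give them
# (direct = 0 beats OSPF beats static). The numeric OSPF/static/RIP values
# are constructed for this demo; check them on the real device.
DEFAULT_PREFERENCE = {"direct": 0, "ospf": 10, "static": 60, "rip": 100}


@dataclass(frozen=True)
class Route:
    dest: str                          # "192.168.23.0/24"
    proto: str                         # "direct", "static", "ospf", "rip"
    next_hop: str
    cost: int = 0
    preference: Optional[int] = None   # the "preference" keyword on a static route

    @property
    def pref(self) -> int:
        return self.preference if self.preference is not None else DEFAULT_PREFERENCE[self.proto]

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dest, strict=False)


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Return the route(s) the device would use for dst.

    1. AND the destination with each route's mask and compare with the route's
       network (ipaddress does this for us); the longest mask wins.
    2. Among equal masks the lowest preference wins, so a floating backup with
       a higher preference value never shows up while the primary is present.
    3. Among equal preference the lowest cost wins; several survivors mean
       load sharing across all of them.
    """
    addr = ipaddress.ip_address(dst)
    matching = [r for r in table if addr in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    cands = [r for r in matching if r.network.prefixlen == longest]
    best_pref = min(r.pref for r in cands)
    cands = [r for r in cands if r.pref == best_pref]
    best_cost = min(r.cost for r in cands)
    return [r for r in cands if r.cost == best_cost]


def withdraw(table: List[Route], dest: str, next_hop: str) -> List[Route]:
    """Simulate the primary link failing: return the table without that entry."""
    return [r for r in table if not (r.dest == dest and r.next_hop == next_hop)]


# Constructed routing table reusing the addresses that appear in the notes.
TABLE = [
    Route("192.168.12.0/24", "direct", "192.168.12.1"),
    Route("192.168.23.0/24", "static", "192.168.12.2"),                 # two statics to one
    Route("192.168.23.0/24", "static", "192.168.13.3"),                 # destination: load sharing
    Route("192.168.4.0/24", "static", "192.168.12.2"),                  # primary
    Route("192.168.4.0/24", "static", "192.168.13.3", preference=100),  # floating backup
    Route("192.168.4.64/26", "ospf", "192.168.13.3", cost=20),          # longer mask wins
    Route("0.0.0.0/0", "static", "61.0.0.2"),                           # default route
]

if __name__ == "__main__":
    for dst in ("192.168.4.10", "192.168.4.100", "192.168.23.5", "8.8.8.8"):
        print(dst, [(r.proto, r.next_hop, r.pref) for r in lookup(TABLE, dst)])
    failed = withdraw(TABLE, "192.168.4.0/24", "192.168.12.2")
    print("after primary failure:", [(r.next_hop, r.pref) for r in lookup(failed, "192.168.4.10")])
```

The point to notice when reviewing a device's table: a longer mask beats a better preference (the /26 OSPF route is chosen for 192.168.4.100 even though the static /24 has a lower preference value), and the backup only appears in lookup results once the primary entry is gone.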

Chapter III: RIP

11. Dynamic Routing Protocol Basics

Common dynamic routing protocols:
RIP: Routing Information Protocol.
OSPF: Open Shortest Path First.
IS-IS: Intermediate System to Intermediate System.
BGP: Border Gateway Protocol.

Classification:
Routing protocols within an autonomous system -- IGP: RIPv1/v2, OSPF, IS-IS
Routing protocols between autonomous systems -- EGP: BGP

Unicast and multicast routing protocols

Different routing protocols cannot learn from each other directly, but routes can be passed from one to another by route import (redistribution).

12. RIP Introduction and Basic Configuration

Metric: hop count; at most 15 hops.

When two routers learn from each other, the update travels in one direction and the route learned back travels in the opposite direction.

RIPv1: UDP port 520, an application-layer protocol.

RIP basic configuration
rip
network 10.0.0.0 ; only classful networks are supported: for 10.0.1.254 you must write 10.0.0.0

rip 1 ; enter the RIP process
silent-interface gigabitethernet0/0/0 ; make an interface silent (it stops sending updates)

Chapter IV: OSPF

20. OSPF Fundamentals and Basic Configuration

Open Shortest Path First (OSPF)
Link-state routing protocol
Loop-free
Fast convergence
Good scalability
Supports authentication

OSPF messages are encapsulated directly in IP with protocol number 89.

How OSPF works: LSAs are flooded -- collected into the link-state database (LSDB) -- the SPF algorithm then computes the shortest paths from the database (not from the routing table).

Hello messages establish neighbour relationships; an adjacency is a neighbour with which the database has been synchronised (Full state).

OSPF areas: the network is divided into areas to keep the database small.

Configuration:
ospf
area 0 ; enter area 0.
network 10.1.1.0 0.0.0.255 (represents the 10.1.1.0 segment) ; enables OSPF on the router's interfaces with addresses 10.1.1.x; one network statement per direction, two here

In this lab, network 10.1.0.0 0.0.255.255 is equivalent, as is network 0.0.0.0 255.255.255.255 (every interface).

display ospf peer brief ; view OSPF neighbour information

Chapter VII: Access Control Lists

35. Basic ACL Introduction
ACLs implement traffic identification.

An ACL (Access Control List) is an ordered set of rules, commonly used to:
identify traffic of interest
filter packets passing through the router

Categories:
Basic ACL, 2000-2999: matches the source IP address of packets
Advanced ACL, 3000-3999: matches layer 3 and 4 information such as source IP address, destination IP address, packet precedence, the protocol carried in IP, and other fields

Configuring an ACL essentially tells the router which packets to permit and which to deny.

ACL difficulties: wildcards, statement order, direction

Single host:
rule 10 permit source 10.1.1.1 0.0.0.0
permits IP packets from host 10.1.1.1
rule 10 deny source 10.1.1.2 0.0.0.0
denies IP packets from host 10.1.1.2

Multiple hosts:
rule 10 permit source 10.0.0.0 0.255.255.255
permits packets from any host whose IP address is 10.x.x.x (first byte 10).

Examples:

Permit IP packets from 10.0.0.0/255.255.255.0:
rule 5 permit source 10.0.0.0 0.0.0.255 ; the wildcard is the mask inverted (simple masks only use 0 and 255).
Complex case: mask 255.224.0.0 becomes wildcard 0.31.255.255 (224 gives a block size of 32, and 32-1 = 31).

Special wildcards: 0 bits are "care" bits, 255 (all ones) bits are "don't care" bits.
1. permit source any
= permit source 0.0.0.0 255.255.255.255
= permit
2. permit source 172.30.16.29 0 ; a specific host
= permit source 172.30.16.29 0.0.0.0

ACL matching order: once a rule matches, the rules after it are not checked (put the more specific rules first).
Miss (no rule matches): each module handles it differently. The forwarding module forwards the packet; the Telnet module denies it; route filtering does not accept the route.

Idea for blocking 192.168.1.1-192.168.1.100: split the range into blocks that a wildcard can express.

PS: the note corrects the last block: 96 should be 100.

Example:
acl 2000
rule ... (rules as above)
interface gigabitethernet 0/0/0 ; enter the interface
traffic-filter inbound acl 2000 ; apply the ACL to the interface

display acl 2000 ; view the ACL
display traffic-filter applied-record ; see which ACL is applied to which interface and direction
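An added Python model of the basic-ACL rules above (wildcard matching, mask-to-wildcard inversion, first-match evaluation and the module-dependent miss action); it is not code from the note or from VRP. It also carries the "block 192.168.1.1-192.168.1.100" idea through in general: range_to_wildcards splits any inclusive address range into the aligned blocks a wildcard can express, so you can see why the last block has to stop exactly at .100. Class and function names are my own.

```python
import ipaddress
from typing import List, Optional, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 0 bit must match, a 1 bit is "don't care"."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(rule_addr) & care)


def mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255, 255.224.0.0 -> 0.31.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ _to_int(mask)))


def range_to_wildcards(first: str, last: str) -> List[Tuple[str, str]]:
    """Split an inclusive address range into the (address, wildcard) pairs a
    basic ACL needs: one rule per aligned power-of-two block."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), mask_to_wildcard(str(n.netmask))) for n in blocks]


class BasicAcl:
    """A basic ACL (2000-2999): rules match the source address only and are
    checked in ascending rule-id order; the first hit ends the search."""

    def __init__(self, number: int, miss_action: str = "permit"):
        assert 2000 <= number <= 2999
        self.number = number
        self.rules: List[Tuple[int, str, str, str]] = []
        # What the calling module does when no rule matches: the forwarding
        # module forwards (permit); the Telnet module and route filtering deny.
        self.miss_action = miss_action

    def rule(self, rule_id: int, action: str, source: str = "any",
             wildcard: str = "0.0.0.0") -> "BasicAcl":
        if source == "any":                       # "permit source any" == 0.0.0.0 255.255.255.255
            source, wildcard = "0.0.0.0", "255.255.255.255"
        self.rules.append((rule_id, action, source, wildcard))
        self.rules.sort(key=lambda r: r[0])       # config order == ascending rule id
        return self

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        for rule_id, action, rule_addr, wildcard in self.rules:
            if wildcard_match(src, rule_addr, wildcard):
                return action, rule_id            # later rules are never examined
        return self.miss_action, None


def build_ban_list(first: str, last: str, number: int = 2000) -> BasicAcl:
    """Deny every host in [first, last] and permit everything else."""
    acl = BasicAcl(number, miss_action="permit")
    rule_id = 5
    for addr, wc in range_to_wildcards(first, last):
        acl.rule(rule_id, "deny", addr, wc)
        rule_id += 5
    return acl.rule(rule_id, "permit")            # explicit final permit


if __name__ == "__main__":
    acl = build_ban_list("192.168.1.1", "192.168.1.100")
    for rule_id, action, addr, wc in acl.rules:
        print(f"rule {rule_id} {action} source {addr} {wc}")
    for host in ("192.168.1.50", "192.168.1.100", "192.168.1.101"):
        print(host, acl.evaluate(host))
```

Running it prints nine deny rules (the block starting at .96 gets wildcard 0.0.0.3 so it ends at .99, and .100 gets its own host rule); a single rule "96 0.0.0.31" would have denied .96-.127, which is the mistake the note's PS is about. Construct the Telnet case with BasicAcl(2999, miss_action="deny") to see why a closing permit rule matters there.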

36. Basic ACL Application Cases

Restricting Telnet:
user-interface vty 0 4 ; enter the VTY lines
acl 2999 inbound ; apply the ACL here; this differs from applying it on a physical interface

rule permit ; a final permit rule is needed because, when no rule matches, the Telnet module denies the packet

telnet -a 10.2.2.1 192.168.12.1 ; the -a parameter specifies the source IP of the Telnet connection

Time-based control:
time-range work-time 9:00 to 18:00 working-day ; defines "work-time", Monday to Saturday
acl 2001
rule deny time-range work-time ; no Internet access during work hours
rule permit

Preventing routes from being learned:
rip 1 ; enter the RIP process
filter-policy 2000 export ; filter with the defined ACL; export filters what is advertised, import filters what is learned

Automatic rule ordering (the note describes it as loose rules first, strict rules last):
acl 2200 match-order auto

37. Advanced ACLs
acl number 3000 ; advanced ACL
rule 5 permit tcp destination 172.2.0.250 0 destination-port eq www ; permits TCP access from any host to the web service on the target host
rule 10 deny ip destination 172.2.0.250 0 ; denies all other IP traffic to it (including ICMP)

traffic-filter inbound acl 3000 ; enter the interface and apply the ACL

ACL placement

Basic ACLs: as close to the destination as possible
Advanced ACLs: as close to the source as possible

Inside can ping outside, outside cannot ping inside (ping analysis: the request is ICMP type echo, the answer is echo-reply):
acl number 3000
rule 5 deny icmp icmp-type echo
rule 10 permit ip
traffic-filter inbound acl 3000

Inside can telnet outside, outside cannot telnet inside (the TCP three-way handshake cannot complete because its first packet carries no ACK bit):
rule 8 permit tcp tcp-flag ack ; release packets with ACK set
rule 9 deny tcp ; reject TCP without ACK
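The three advanced-ACL cases in this section (web-only access to a host, blocking inbound echo while allowing echo-reply, and the tcp-flag ack trick) as an added Python model run over constructed packets; this is not code from the note or from VRP, and the packet dictionaries, rule class and helper names are my own. The evaluate method keeps the first-match rule and the forwarding module's permit-on-miss behaviour from the previous section.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Packets are plain dicts constructed for the demo with the keys
# proto, src, dst, dport, icmp_type and tcp_flags.


def _wc_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


@dataclass
class AdvRule:
    rule_id: int
    action: str                       # "permit" / "deny"
    proto: str                        # "ip" matches every protocol; "tcp", "udp", "icmp" only their own
    dst: Optional[str] = None         # destination address, None == any
    dst_wc: str = "0.0.0.0"           # "destination 172.2.0.250 0" -> wildcard 0.0.0.0
    dport: Optional[int] = None       # "destination-port eq www" -> 80
    icmp_type: Optional[str] = None   # "icmp-type echo"
    tcp_flag: Optional[str] = None    # "tcp-flag ack": that flag must be set

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and not _wc_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        if self.tcp_flag is not None and self.tcp_flag not in pkt.get("tcp_flags", set()):
            return False
        return True


@dataclass
class AdvancedAcl:
    number: int
    miss_action: str = "permit"       # traffic-filter (forwarding module) forwards on a miss
    rules: List[AdvRule] = field(default_factory=list)

    def rule(self, *args, **kwargs) -> "AdvancedAcl":
        assert 3000 <= self.number <= 3999
        self.rules.append(AdvRule(*args, **kwargs))
        self.rules.sort(key=lambda r: r.rule_id)
        return self

    def evaluate(self, pkt: Dict) -> Tuple[str, Optional[int]]:
        for r in self.rules:          # first match wins, later rules are not checked
            if r.matches(pkt):
                return r.action, r.rule_id
        return self.miss_action, None


# ACL 3000 from the notes: only TCP/80 may reach 172.2.0.250; everything else to it is denied.
WEB_ONLY = (AdvancedAcl(3000)
            .rule(5, "permit", "tcp", dst="172.2.0.250", dst_wc="0.0.0.0", dport=80)
            .rule(10, "deny", "ip", dst="172.2.0.250", dst_wc="0.0.0.0"))

# Inbound: drop echo requests coming in, let echo replies back (inside can ping outside).
NO_INBOUND_PING = (AdvancedAcl(3000)
                   .rule(5, "deny", "icmp", icmp_type="echo")
                   .rule(10, "permit", "ip"))

# Inbound: TCP only with ACK set, so a handshake started from outside (first packet
# carries SYN without ACK) is dropped while replies to inside-initiated sessions pass.
ESTABLISHED_ONLY = (AdvancedAcl(3001)
                    .rule(8, "permit", "tcp", tcp_flag="ack")
                    .rule(9, "deny", "tcp"))


def tcp(src: str, dst: str, dport: int, flags: Set[str]) -> Dict:
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "tcp_flags": flags}


def icmp(src: str, dst: str, icmp_type: str) -> Dict:
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


if __name__ == "__main__":
    print(WEB_ONLY.evaluate(tcp("10.0.0.5", "172.2.0.250", 80, {"syn"})))        # -> ('permit', 5)
    print(WEB_ONLY.evaluate(icmp("10.0.0.5", "172.2.0.250", "echo")))           # -> ('deny', 10)
    print(NO_INBOUND_PING.evaluate(icmp("8.8.8.8", "10.0.0.5", "echo-reply")))  # -> ('permit', 10)
    print(ESTABLISHED_ONLY.evaluate(tcp("8.8.8.8", "10.0.0.5", 23, {"syn"})))   # -> ('deny', 9)
```

Two things the model makes visible: the tcp-flag ack rule is stateless, so it is the flag in the packet and not the history of the connection that is checked, which is the gap a stateful inspection firewall (section 72) closes; and a miss on a traffic-filter ACL permits, so a deny list with no closing rule lets unlisted traffic through.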

Chapter VIII: Network Address Translation

38. Static NAT, Dynamic NAT

Static NAT maps inside and outside addresses one to one (n:n); it does not reduce the number of public addresses needed.

Loopback interface configuration:
interface loopback 1
ip address 192.168.1.1 <mask>

ip route-static 0.0.0.0 0 gi0/0/1 61.0.0.2 ; a default route toward the Internet must be in the routing table

Static NAT configuration
interface gigabitethernet 0/0/1 ; enter the interface facing the external network
nat static global 61.0.0.11 inside 192.168.1.1 ; the public IP (61.0.0.11) need not be the interface IP
Function: translates the source IP address of outgoing packets
display nat static ; view static NAT

Dynamic NAT configuration
interface gigabitethernet 0/0/1 ; enter the interface facing the external network
acl 2000 ; define the ACL
rule permit source 192.168.1.0 0.0.0.255 ; the intranet address range
nat address-group 1 61.0.0.11 61.0.0.20 ; the external address range
nat outbound 2000 address-group 1 no-pat ; ACL first, then the address group; no-pat means ports are not translated
Function: e.g. 100 inside hosts sharing 50 addresses; only part of the address space is saved
display nat session all ; show NAT translation state

39. PAT, NAT Server

NAPT or PAT (port address translation): dynamic port translation
Configured like dynamic NAT:
nat outbound 2000 address-group 1 ; same as dynamic NAT but without no-pat

Easy IP configuration (home use, no fixed public IP):
nat outbound 2000 ; only the source ACL is specified; the interface address is used

Port mapping:
nat server protocol tcp global 202.10.10.1 www inside 192.168.1.1 8080
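An added Python simulation of the translation modes in sections 38 and 39 (static 1:1, dynamic no-pat from an address group, PAT/Easy IP sharing one address by rewriting ports, and a NAT server mapping for inbound traffic); it is not code from the note or from VRP. The class, the session table, the port counter starting at 10240 and the sample addresses are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class NatDevice:
    """Outbound translation in the modes the notes describe, plus a NAT server
    (port mapping) for inbound traffic. A constructed simulation, not VRP code."""
    static: Dict[str, str] = field(default_factory=dict)        # inside -> global, 1:1
    pool: List[str] = field(default_factory=list)              # nat address-group
    no_pat: bool = False                                        # True: one global per host, ports untouched
    easy_ip: Optional[str] = None                               # interface address used when pool is empty
    servers: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # global:port -> inside:port
    sessions: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside endpoint -> translated
    _host_map: Dict[str, str] = field(default_factory=dict)     # no-pat allocations
    _next_port: int = 10240                                     # constructed PAT port counter

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Return the (global ip, port) a packet from src leaves with, or None if NAT fails."""
        ip, port = src
        if src in self.sessions:                                # existing session reuses its mapping
            return self.sessions[src]
        if ip in self.static:                                   # static NAT: fixed 1:1, port unchanged
            mapped = (self.static[ip], port)
        elif self.no_pat:                                       # dynamic NAT no-pat: whole address per host
            if ip not in self._host_map:
                free = [g for g in self.pool if g not in self._host_map.values()]
                if not free:
                    return None                                 # pool exhausted: packet is dropped
                self._host_map[ip] = free[0]
            mapped = (self._host_map[ip], port)
        else:                                                   # PAT / Easy IP: share one global, rewrite port
            global_ip = self.pool[0] if self.pool else self.easy_ip
            if global_ip is None:
                return None
            mapped = (global_ip, self._next_port)
            self._next_port += 1
        self.sessions[src] = mapped
        return mapped

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Inbound packet to a global endpoint: reverse a live session or hit a nat server mapping."""
        for inside, mapped in self.sessions.items():
            if mapped == dst:
                return inside
        return self.servers.get(dst)


def demo_no_pat_vs_pat(hosts: int, pool: List[str]) -> Tuple[int, int]:
    """How many of `hosts` inside hosts get out with no-pat versus PAT on the same pool."""
    no_pat = NatDevice(pool=list(pool), no_pat=True)
    pat = NatDevice(pool=list(pool), no_pat=False)
    ok_no_pat = sum(no_pat.translate_outbound((f"192.168.1.{i}", 40000)) is not None
                    for i in range(1, hosts + 1))
    ok_pat = sum(pat.translate_outbound((f"192.168.1.{i}", 40000)) is not None
                 for i in range(1, hosts + 1))
    return ok_no_pat, ok_pat


if __name__ == "__main__":
    dev = NatDevice(static={"192.168.1.1": "61.0.0.11"},
                    servers={("202.10.10.1", 80): ("192.168.1.1", 8080)})
    print(dev.translate_outbound(("192.168.1.1", 40000)))   # -> ('61.0.0.11', 40000)
    print(dev.translate_inbound(("202.10.10.1", 80)))       # -> ('192.168.1.1', 8080)
    # 100 hosts behind the ten addresses 61.0.0.11-61.0.0.20 from the notes
    print(demo_no_pat_vs_pat(100, [f"61.0.0.{n}" for n in range(11, 21)]))   # -> (10, 100)
```

The last line is the "100 to 50" remark from the notes made concrete: with no-pat the eleventh host is dropped once the ten addresses are taken, while PAT serves all hundred from one address by giving each session its own port. A nat server entry is the only thing that lets unsolicited inbound traffic through, so each such mapping deserves the same scrutiny as an ACL permit.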

Chapter XI: Switching Basics, VLAN

50. VLAN Principles and Configuration
Simple VLAN configuration
vlan 10 ; create the VLAN
display vlan
display port vlan ; interface VLAN status
interface ethernet 0/0/0
port link-type access ; interface type
port default vlan 10

When an access port receives a frame it adds a VLAN tag whose VLAN ID equals the port's PVID.
An access port removes the VLAN tag before forwarding a frame out.

When a trunk port receives a frame: if the frame carries no tag, it is tagged with the port's PVID; if it already carries a tag, the tag is left unchanged.
When a trunk port sends a frame, the frame's VLAN ID must be in the trunk's allow-pass list: if it equals the PVID (both ends of the trunk must use the same PVID, default 1) the tag is stripped before sending; if it differs from the PVID the frame is sent tagged as is.
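The access and trunk behaviour described in the four lines above as an added Python model; it is not code from the note or from a switch. The note does not say what an access port does with a frame that arrives already tagged, so the model's choice (accept it only if the tag equals the PVID, drop it otherwise) is an assumption, as is the constructed default that a trunk passes only VLAN 1 until allow-pass is configured.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    src: str
    vlan: Optional[int]          # None == untagged, otherwise the 802.1Q VLAN ID


@dataclass
class Port:
    name: str
    link_type: str               # "access" or "trunk"
    pvid: int = 1                # default PVID is 1
    allowed: Set[int] = None     # trunk allow-pass list; an access port only carries its PVID

    def __post_init__(self):
        if self.link_type == "access":
            self.allowed = {self.pvid}
        elif self.allowed is None:
            self.allowed = {1}   # constructed default: only VLAN 1 passes until allow-pass is set

    def ingress(self, frame: Frame) -> Optional[Frame]:
        """Frame received on this port -> tagged frame inside the switch, or None if dropped."""
        if frame.vlan is None:               # untagged: both port types tag it with the PVID
            return Frame(frame.src, self.pvid)
        if frame.vlan in self.allowed:       # tagged: trunk keeps the tag unchanged; access accepts
            return frame                     # only its own PVID (assumption of this model)
        return None

    def egress(self, frame: Frame) -> Optional[Frame]:
        """Tagged frame leaving the switch -> frame as sent on the wire, or None if not forwarded."""
        if frame.vlan not in self.allowed:   # not in the allow-pass list (or not the access VLAN)
            return None
        if frame.vlan == self.pvid:          # access: always strip; trunk: strip only for its PVID
            return Frame(frame.src, None)
        return frame                         # trunk, non-PVID VLAN: sent tagged


def forward(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    """What a frame entering in_port looks like when it leaves out_port (None if dropped)."""
    tagged = in_port.ingress(frame)
    return None if tagged is None else out_port.egress(tagged)


if __name__ == "__main__":
    access10 = Port("Eth0/0/1", "access", pvid=10)
    trunk = Port("GE0/0/1", "trunk", pvid=1, allowed={1, 10, 20})
    print(forward(access10, Frame("pc-a", None), trunk))   # -> Frame(src='pc-a', vlan=10)
    print(forward(trunk, Frame("pc-b", 10), access10))     # -> Frame(src='pc-b', vlan=None)
    print(forward(trunk, Frame("pc-c", 20), access10))     # -> None
```

The PVID rule on the trunk is the security-relevant detail: a frame in the PVID VLAN crosses the trunk untagged, so a mismatched PVID at the two ends silently moves traffic into another VLAN, which is why the note insists both ends use the same PVID.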

vlan batch 10 to 30 ; creates VLANs 10 through 30 in one go (10, 11, 12, ..., 30)

Configuring a trunk
interface gigabitethernet 0/0/1
port link-type trunk
port trunk allow-pass vlan all
port trunk pvid vlan 1 ; change the PVID; the default is 1

display port vlan active ; see whether the trunk interface sends a VLAN tagged (T) or untagged (U)

PS: removing a trunk
undo port trunk allow-pass vlan all
port trunk allow-pass vlan 1
port link-type access

51. Hybrid Interfaces

A hybrid port can be connected to any kind of device.

Chapter XIII: Inter-VLAN Routing, VRRP

58. Inter-VLAN routing with a router (sub-interfaces, "router on a stick")

One physical link per VLAN:
Switch and router connected by as many links as there are VLANs. PS: this is the disadvantage of the design
Switch side: each port is configured just like a "customer" access port
Router side: only an IP address (the gateway) is needed on each interface

Router on a stick (single-arm routing):

The link between the switch and the router is configured as a trunk, and one sub-interface per VLAN is created on the router to route between the VLANs.

Switch side: configure a trunk
Router side:
[RTA]interface gigabitethernet0/0/1.1 ; define the sub-interface
[RTA-GigabitEthernet0/0/1.1]dot1q termination vid 2 ; bind it to VLAN 2
[RTA-GigabitEthernet0/0/1.1]ip address 192.168.2.254 24 ; configure the gateway address
[RTA-GigabitEthernet0/0/1.1]arp broadcast enable ; enable ARP broadcast on the sub-interface

59. Inter-VLAN routing with a layer-3 switch

Layer-2 switching plus routing on a virtual VLAN interface (VLANIF) that carries the gateway address:
[SWA]interface vlanif 2 ; 2 is the number of the associated VLAN
[SWA-Vlanif2]ip address 192.168.2.254 24 ; the gateway. PS: this address must not appear in the other VLANs' segments

Complex layout: a layer-3 switch above layer-2 switches (with management).
The link between them is a trunk; the layer-3 switch must have the same VLANs as the layer-2 switches, each with an interface vlanif on the layer-3 switch.

Chapter XIV: Switch Port Technologies
63. Link Aggregation (manual mode)

[SWA]interface eth-trunk 1
[SWA-Eth-Trunk1]interface gigabitethernet0/0/1
[SWA-GigabitEthernet0/0/1]eth-trunk 1
[SWA-GigabitEthernet0/0/1]interface gigabitethernet0/0/2
[SWA-GigabitEthernet0/0/2]eth-trunk 1

display eth-trunk 1 ; view the aggregated link

PS: making an aggregated link a trunk port: configure the link aggregation first, then configure the trunk under interface eth-trunk <number>

72. Firewall Technology

By implementation, firewalls generally fall into the following categories:
Packet-filtering firewall: simple, every packet is checked; inflexible, and many policies hurt performance
Proxy firewall: secure but inconvenient; protocol-specific (e.g. an HTTP proxy), not generic
Stateful inspection firewall: based on connection state; combines the strengths of the two types above

Protects only the network and transport layers, not the application layer (e.g. a web-site vulnerability).
Protects against threats from outside, not from inside.

Firewall security zones:

local (100) ---- trust (85)
---- DMZ (50, web servers)
A high-priority zone can access a low-priority one; a low-priority zone cannot initiate access to a high-priority one.

Configuration steps
Configure security zones and interzones.
Add interfaces to the security zones.
Configure ACLs.
Configure ACL-based packet filtering between the zones.

1. Configure security zones and interzones on the AR2200
system-view
[Huawei] firewall zone trust
[Huawei-zone-trust] priority 15
[Huawei-zone-trust] quit
[Huawei] firewall zone untrust
[Huawei-zone-untrust] priority 1
[Huawei-zone-untrust] quit
[Huawei] firewall interzone trust untrust ; configure (enter) the interzone
[Huawei-interzone-trust-untrust] firewall enable ; enable the firewall between the two zones
[Huawei-interzone-trust-untrust] quit

2. Add the AR2200's interfaces to security zones
interface gigabitethernet 0/0/1
zone OUTSIDE ; add the interface to its zone (on a Huawei firewall an interface that is not in a zone passes nothing: a PC attached to it cannot even reach the port; this differs from a router)

PS: an equivalent alternative to the above
firewall zone trust ; enter the zone
add interface gigabitethernet 0/0/1 ; add the interface

PS: display firewall session all ; view all firewall sessions

3. Configure ACLs on the AR2200 (allow Telnet from the external network)
acl 3001
rule permit tcp destination 192.168.1.100 0 destination-port eq 23 ; permit Telnet
firewall interzone INSIDE OUTSIDE ; enter the interzone
packet-filter 3001 inbound ; apply the ACL
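An added Python model of the zone logic in this section (zone priorities, firewall enable on an interzone, high-to-low permitted with a session remembered, low-to-high permitted only for a reply to a known session or an inbound packet-filter hit, otherwise denied); it is not code from the note or from the AR2200. Zone names, interface names, the five-tuple flow format and the ACL 3001 rule are taken from the note; the classes, the deny-on-miss assumption for inbound traffic and the sample flows are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class Zone:
    name: str
    priority: int            # higher priority == more trusted (trust 15, untrust 1 in the lab)


@dataclass
class Rule:
    """One rule of the inbound packet-filter ACL (host destination or any, port or any)."""
    action: str
    proto: str               # "ip" == any protocol
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        proto, _src, _sport, dst, dport = flow
        return ((self.proto == "ip" or self.proto == proto)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    zones: Dict[str, Zone] = field(default_factory=dict)
    interface_zone: Dict[str, str] = field(default_factory=dict)      # interface -> zone name
    enabled: Set[Tuple[str, str]] = field(default_factory=set)        # interzones with "firewall enable"
    inbound_filters: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)  # packet-filter inbound
    sessions: Set[Flow] = field(default_factory=set)                  # what display firewall session all lists

    def zone_of(self, interface: str) -> Zone:
        return self.zones[self.interface_zone[interface]]

    @staticmethod
    def _pair(a: Zone, b: Zone) -> Tuple[str, str]:
        return tuple(sorted((a.name, b.name)))

    def check(self, in_if: str, out_if: str, flow: Flow) -> str:
        """Decide permit/deny for a packet entering in_if and leaving out_if."""
        src_zone, dst_zone = self.zone_of(in_if), self.zone_of(out_if)
        pair = self._pair(src_zone, dst_zone)
        if pair not in self.enabled:
            return "permit"                          # no firewall between these zones
        if src_zone.priority > dst_zone.priority:    # outbound, high -> low: allowed, session remembered
            self.sessions.add(flow)
            return "permit"
        proto, src, sport, dst, dport = flow
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit"                          # reply to a session opened from the inside
        for rule in self.inbound_filters.get(pair, []):
            if rule.matches(flow):                   # inbound packet-filter ACL, first match wins
                return rule.action
        return "deny"                                # assumption: inbound traffic denied on a miss


def build_lab() -> Firewall:
    """The trust/untrust lab from the note, with ACL 3001 applied inbound."""
    fw = Firewall()
    fw.zones["trust"] = Zone("trust", 15)
    fw.zones["untrust"] = Zone("untrust", 1)
    fw.interface_zone["GE0/0/0"] = "trust"
    fw.interface_zone["GE0/0/1"] = "untrust"
    fw.enabled.add(("trust", "untrust"))
    fw.inbound_filters[("trust", "untrust")] = [Rule("permit", "tcp", dst="192.168.1.100", dport=23)]
    return fw


if __name__ == "__main__":
    fw = build_lab()
    print(fw.check("GE0/0/0", "GE0/0/1", ("tcp", "192.168.1.10", 40000, "61.0.0.2", 80)))   # -> permit
    print(fw.check("GE0/0/1", "GE0/0/0", ("tcp", "61.0.0.2", 80, "192.168.1.10", 40000)))   # -> permit (reply)
    print(fw.check("GE0/0/1", "GE0/0/0", ("tcp", "61.0.0.2", 50000, "192.168.1.100", 23)))  # -> permit (ACL 3001)
    print(fw.check("GE0/0/1", "GE0/0/0", ("tcp", "61.0.0.2", 50000, "192.168.1.100", 22)))  # -> deny
```

Compared with the tcp-flag ack ACL in section 37, the reply here is matched against a session the firewall itself recorded, not against a bit the sender controls; the inbound ACL is then the only way unsolicited traffic enters the higher-priority zone, so every rule in it should be as narrow as the Telnet-to-one-host rule from the note.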

FTP active mode (the server opens the data connection) and passive mode (the client opens it)

Intranet hosts reaching an FTP server on the external network: in active mode (PORT) data cannot be transferred (a common problem when accessing an external FTP server; switch the FTP client to passive mode), whereas passive mode (PASV) works.

ASPF works at the application layer: it inspects HTTP, FTP and so on, and opens the needed return channel for these protocols.
firewall interzone INSIDE OUTSIDE ; enter the interzone
detect aspf all ; enable inspection
