HCDA v1.6 en

HCDA-HNTD
HC Series HUAWEI TECHNOLOGIES 1

Huawei Certification

HCDA-HNTD

Huawei Networking Technology and Device

Huawei Technologies Co.,Ltd

HCDA-HNTD

2 HUAWEI TECHNOLOGIES HC Series

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any
form or by any means without prior written consent of Huawei
Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei
Technologies Co., Ltd. All other trademarks and trade names mentioned
in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice.
Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of
any kind, express or implied.

Huawei Certification
HCDA-HNTD Huawei Networking Technology and Device
Edition 1.6

HCDA-HNTD


Huawei Certification System
Relaying on its strong technical and professional training system,
according to different customers at different levels of ICT technology,
Huawei certification is committed to provide customs with authentic,
professional certification.
Based on characteristics of ICT technologies and customersneeds at
different levels, Huawei certification provides customers with
certification system of four levels.
HCDA (Huawei Certification Datacom Associate) is primary for IP
network maintenance engineers, and any others who want to learn the IP
network knowledge. HCDA certification covers the TCP/IP basics, routing,
switching and other common foundational knowledge of IP networks,
together with Huawei communications products, versatile routing
platform VRP characteristics and basic maintenance.
HCDP-Enterprise (Huawei Certification Datacom Professional-Enterprise)
is aimed at enterprise-class network maintenance engineers, network
design engineers, and any others who want to in depth grasp routing,
switching, network adjustment and optimization technologies.
HCDP-Enterprise is consist of IESN (Implement Enterprise Switch
Network), IERN (Implement Enterprise Routing Network), and IENP
(Improving Enterprise Network performance), which includes advanced
IPv4 routing and switching technology principle, IP technology of
network security, high availability and Qos, as well as the implementation
in Huawei products.
HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is
designed to endue engineers with a variety of IP network technology
and proficiency in maintenance, diagnostics and troubleshooting of
Huawei products, which equips the engineers with competence in
planning, design and optimization of large-scale IP network.

HCDA-HNTD


Foreword
Outline
This book is about the Huawei certified Datacom Associate certification.The
students who want to prepare for the HCDA exam or want to learn the technology
about TCP/IP protocol stacks,router,swith,WAN,eathernet and how to configure
use on the VRP
Content
The guide contains a total of six modules, starting from the basic knowledge of
data communications, the guide introduces the fields of routing, switching, WAN,
firewall and other basic knowledge, as well as configuration and implementation
using the VRP platform.
Module 1 systematically introduces the IP network infrastructure, TCP/IP four-layer
model to help the reader to establish the basic framework of the data
communications network. In highlighting functions and roles of the network layer,
transport layer and application layer ,this module helps readers to master the
functions and roles of communication networks in a variety of products.
Module 2 describes the basics and operation of the Huawei generic routing
platform VRP and progressive approach to the basics of routing protocols, static
routing and dynamic routing protocols. This module helps readers understand the
principles and the basic process of data communication by highlighting RIP and
OSPF, two IGP routing protocols.
Module 3 introduces the popular Ethernet technology, how Ethernet equipment
works as well as technologies used mostly in the LAN like VLAN, STP, VRRP to help
readers improve abilities for planning LAN.
Module 4 briefly describes the basic principles of WAN technologies such as HDLC,
PPP, Frame Relay configuration and implementation on the VRP to help readers to
master WAN technologies and implement flexibly.
Module 5 briefly describes the types of firewall technologies and development,
performance and the basic functions of Huawei Eudemon series firewalls, and
implementations on the VRP to help readers to understand and layout the network
security policy .
Module 6 briefly describes hardware features, positioning and networking
applications of Huawei routers and switches. Through studying this part, readers
will develop a comprehensive understanding of Huawei data communications
products.
HCDA-HNTD


The guide enables the readers to master step by step from the basis of data
communication to routing, switching, WAN, network security technologies, and
Huawei products. Readers can also read selectively according to their own
circumstances.
Readers Knowledge Background
This course is a basic course of Huawei certification, the reader should have a
basic knowledge of the network background.

HCDA-HNTD


Icons Used in This Book

IPv6 Router SOHO Router Voice Router Low-end Router
Core Router Hub
Convergence Switch
Core Switch
Edge Switch Cascade Switch AP AP Amplifier
Wireless Bridge
Wireless Network Card Access Server Audio Gateway Firewall
Internet Telephony
Socket switch
High-end Router

Table of Contents

page 7
Module 1 Network Fundamentals ........................................................................................... Page 9
HC110110000 - IP Network Fundamental ................................................................... Page 11
HC110110001-TCPIP Basis ...........................................................................................Page 44
HC110110003-Protocols of Transprot Layer..................................................................Page 80
HC110110004-Introduction to Common Application ......................................................Page 98
HC110110002-IP Addressing and Routing ..................................................................Page 113
Module 2 Routing ................................................................................................................Page 151
HC110111000-VRP Basis and Operation .................................................................... Page 153
HC110111001-Routing Protocol Basis ......................................................................... Page 187
HC110111002-Static Route .......................................................................................... Page 212
HC110111003-Dynamic Routing Protocol Basis.......................................................... Page 230
HC110111004-Distance-vector Routing Protocol ........................................................Page 241
HC110111005-RIP Routing Protocol ............................................................................ Page 260
HC110111006-RIP Troubleshooting .............................................................................. Page283
HC110111007-OSPF Routing Protocol Basis .............................................................. Page 310
Module 3 Switching .............................................................................................................Page 335
HC110112000-Ethernet Overview ............................................................................... Page 337
HC110112001-Principle of Ethernet Device ................................................................ Page 354
HC110112002-Ethernet Port Technology .................................................................... Page 378
HC110112003-VLAN Technology Principle and Configuration .................................... Page 403
HC110112004-VLAN Routing ......................................................................................Page 423
HC110112005-STP Principle and Configuration.......................................................... Page 442
HC110112006-VRRP Principle and Configuration....................................................... Page 472
Module 4 WAN ....................................................................................................................Page 495
HC110113000-HDLC Principle and Configuration ....................................................... Page 497
HC110113001-PPP Principle and Configuration ......................................................... Page 511

page 8
HC110113002-FR Principle and Configuration ............................................................ Page 540
Module 5 Network Security-Firewall Product Basis ............................................................Page 575
HC110114000-Firewall Product Basis ......................................................................... Page 577
HC110114001-Eudemon Basic Function and Configuration .......................................Page 594
Module 6 product .................................................................................................................Page 627
HC110115001-AR G3 & Sx7 Brief ............................................................................... Page 660
HC110115000-Huawei NE40E-X Series Router Introduction ......................................Page 629

Page 15
page 11
Page 16
page 12
Page 17
page 13
Page 18
page 14
Data refers to information in any format. The format used to encode any information must
follow agreed or standard rules before successful communication between a sender and
receiver is possible.
For example, a picture can be broken down into a number of dots referred to as pixels,
each pixel can then be represented by a number which can then be encoded ready for
transmission. The format used to encode the image data by the sender must be understood
by the receiver to enable them to decode and rebuild the picture.
Common types of data that can be encoded for transmission include text, numbers,
pictures, audio, and video. many standard ways of encoding the different types of data exist.
Data communication is the process of exchanging data between two devices through a
transmission medium, such as a wired or wireless network.
Page 19
page 15
A simple data communication system consists of a message, a sender, a receiver, a
(transfer) medium, and a protocol.
Message:
A message contains information that needs to be communicated. This could be text,
numbers, a picture, sound, or video which will be encoded and transmitted as one or more
messages.
Sender:
The sender is a device or system that transmits the message, this could be a PC, a
workstation, a server, or a mobile phone.
Receiver:
The receiver is a device or system that receives the message, this could be a PC, a
workstation, a server, a mobile phone, or a television.
Medium:
The medium is a physical or logical connection between the sender and the receiver which
is capable of carrying the message. Typical types of medium are twisted pair cable, coaxial
cable, optical fiber and radio wave.
Protocol:
The protocol is the set of rules that controls the way in which data exchanged. The protocol
does not necessarily define what the original data is or how it is encoded, just how it should
be exchanged by two communicating devices. Protocol rules define such things as the
speed at which data is transferred and the size of the data unit that is sent. It will also define
when a communication session starts and ends. These rules can be likened to the rules
which define the way we talk to each other or read and write, without such rules even if we
use the same language we cannot communicate.
Page 20
page 16
There are three different ways in which two devices can communicate in data networking:
Simplex communication:
Simplex communication is in one direction. One device can only send
messages, the other one can only receive messages.
For example a keyboard is a device which only sends data and a monitor
a device that can only receive data both use simplex communication.
Half-duplex communication:
Half-duplex communication is two way but only one device can be sending at
any time, the other must be receiving. Both devices are capable of sending and
receiving but communication can only be in one direction at a time.
Two-way radios, such as those used by police and taxis work in half-duplex mode.
Full-duplex communication:
Full-duplex communication is two way concurrently, both devices can send and
receive messages at the same time.
A motorway is full duplex as traffic is able to travel in both directions at the same time.
Telephony networks are also full duplex, however most humans can only either talk or
listen - not do both at the same time.
Huawei Networking Technology and Device Module 1 Part 1 IP Network Fundamental
Page 21
page 17
Page 22
page 18
A network is any group of people, things or places that are interconnected in some way.
Networks exist everywhere in our life, we have road, rail, telephone and postal networks
which we use on a daily basis.
A computer network consists of two or more computers and peripheral which are
interconnected by communication lines.
The computers in a network can easily exchange and share information and resources.
Computer networks were developed to meet increasing requirements for exchanging
information and sharing resources.
In early computer networks , each computer was an independent device, there was little
or no communication between systems.
As computer and communication technologies evolved, communication between different
systems was made possible.
Standard protocols understood by different systems made sharing resources and data
possible and improved resource utilisation.
Page 23
page 19
In recent years, the computer network is developing rapidly. The computer
communications network and the Internet have become the basic part of the
society. The computer network is applied to many fields of industry and
commerce, including e-bank, e-commerce, modernized enterprise management,
and information service. From remote education to government routines, and to todays e-
community without the network technology they can not work.
The saying "network exists everywhere in the world" is not an exaggerated statement.
The computer network came into being in 1960s. At that time, the network was a
host-based low-speed serial connection providing program running, remote
printing, and data service. The System Network Architecture (SNA) of IBM and
X.25 public data network are such kind of network. In 1960s, the defense
department of US funded a packet switching network called ARPANET, which was the
earliest rudiment of the Internet.
In 1970s, the commercial computing mode, which featured personal computers,
came forth. Initially, personal computers were used as independent devices.
Because of the complexity of commercial computing, many terminal devices needed to
cooperate, and thus the local area network (LAN) was developed. The LAN reduced the
expense on printers and disks dramatically.
In 1980s and 1990s, in order to deal with the increasing demand on remote computing,
the computer industry developed many wide area network protocols (including
TCP/IP and IPX/SPX). Then the Internet was expanded fast. Nowadays TCP/IP is
extensively used on the Internet.
Page 24
page 20
The topology defines the organization of devices in a network. A LAN can adopt
various topologies, such as the bus topology and star topology.
In the bus topology, all devices are connected to a linear network media, which
is called the bus. When a node transmits data in a network adopting the bus
topology, the data reaches all nodes. Each node checks the data. If the data is
not sent to this node, the node discards the data. If the data is sent to this node,
the node accepts the data and transfers the data to the upper layer protocol. A
typical bus topology has simple layout of lines. Such layout uses short network
media, and thus, the expense on cables is low. However, this topology makes
it difficult to diagnose and isolate faults. Once a fault occurs, the entire network
will be affected. In addition, each device in the LAN sends data to all the other
devices, which consumes large amount of bandwidth. It will lower network
performance.
In the star topology, devices are connected to a central control point. A device
communicates with another device through the point-to-point connection between
it and the hub or switch. The start topology is easy to design and install, because
network media connect the hub or switch and workstations. The star topology
is easy to maintain, because the network can be easily modified and network
faults can be easily be located. The star topology is extensively used in LAN
construction. Of course the star topology has its weakness. Once the central
control device becomes faulty, the single point failure may be occur. In addition, a
Network media can connect only one device, so large amount of network
media are needed and the LAN installation cost increases.
Page 25
page 21
These topologies are logical structures and are not necessarily related to the
physical structure of devices. For example, logical bus and ring topologies usually
adopt the physical star structure. A WAN usually adopts the star, tree, fullmeshed,
or half-meshed topology.
Page 26
page 22
The Internet is a large network formed by networks and devices. Based on the
covered geographic scope, networks are classified into LAN, WAN, and
Metropolitan Area Network (MAN) whose size is between the LAN and WAN.
Local Area Network (LAN)
A LAN is formed by connected communication devices in a small area. A LAN
covers a room, a building, or an industry garden. A LAN covers several
kilometers. It is a combination of computers, printers, modems, and other devices
interconnected through various media within several kilometers.
Wide Area Network (WAN)
A WAN covers a larger geographic scope, such as a state or a continent. It
provides the data communication service in a large area and is used to connect
LANs. The China Packet Network (CHINAPAC), China Data Digital Network
(CHINADDN), China Education and Research network (CERnet), CHINANET,
and China Next Generation Internet (CNGI) are all WANs. A WAN
connects LANs that are far from each other.
Page 27
page 23
A LAN is formed by interconnected communication devices in a small area, such
as a room, a building, and a campus. In general, a LAN covers several
kilometers. The LAN is featured by short distance, low delay, high data
transmission speed, and high reliability.
Common LANs are Ethernet and Asynchronous Transfer Mode (ATM). They are
different in topology, transmission speed, and data format. Ethernet is the most
widely used LAN.
The following network devices are used in LAN construction:
Cables: A LAN is extended by cables. Various cables are used in LANs, for
example, the fiber, twisted pair, and coaxial cable.
Network Interface Card (NIC): An NIC is inserted in the main board slot of a
computer. It transforms the data to the format that other network devices can
identify and transmits the data through the network media.
Hub: A hub is a shared device that provides many network interfaces to connect
computers in the network. The hub is called a shared device because all its
interfaces share a bus. At the same time, only one user can transmit data, and so the
data amount and speed of each user (interface) depends on the number of active
users (interfaces).
Switch: also called a switched hub. A switch also provides many interfaces to
connect network nodes but its performance is much higher than that of a shared
hub. It can be considered to have many buses so that devices connected to each
interface can independently transmit data without affecting other devices. For users,
the interfaces are independent of each other and have fixed bandwidth. In
addition, a switch has some functions that a hub lacks, such as data filtering,
network segmentation, and broadcast control.
Page 28
page 24
Router: A router is a computer device used to connect networks. A router works
at the third layer (network layer) of the OSI model and is used to route, store, and
forward packets between networks. Generally, a router supports two or more
network protocols so that it can connect different type of networks A router can
also run dynamic routing protocols to dynamically route packets.
Page 29
page 25
A WAN covers a larger geographic scope, such as a state or a continent. The
China Packet Network (CHINAPAC), China Data Digital Network (CHINADDN),
China Education and Research network (CERnet), CHINANET, and abuilding
China Next Generation Internet (CNGI) are all WANs.
A WAN connects LANs that are far from each other. It consists of the end system
(users on two ends) and the communication system (the link between two ends).
The communication system is the key of the WAN and it falls into the following
types:
Integrated Service Digital Network (ISDN): a dial-up connection mode. The ISDN
BRI provides 2B+D data channels. Each B channel provides the speed of 64
kbit/s and the highest speed can be 128 kbit/s. The ISDN PRI has two standards:
the European standard (30B+D) and the North America standard (23B+D). The
ISDN uses the data transmission mode, which features fast connection and high
reliability. Two devices in the ISDN can identify the number of each other. The
call cost of the ISND is higher than that of the ordinary telephony network, but the
double-channel structure supports two independent lines. The ISND is applicable
to individual subscribers or small offices.
Leased Line: called DDN in China. It is a point-to-point connection that transmits
data at the speed of 64 kbit/s to 2.048 Mbit/s. The leased line guarantees data
transmission and provides constant bandwidth, but the cost is high and the point to-
point structure is not very flexible.
X.25: a WAN type that appeared early and is still in extensive use at present. It
transmits data at the speed of 9600 bit/s to 2 Mbit/s. X.25 adopts the redundant
mode and is fault tolerant, so it features high reliability. But the transmission
speed is low and the delay is high.
Page 30
page 26
Frame Relay: a comparatively newer technology developed on the basis of X.25. The
transmission speed is between 64 kbit/s and 2.048 Mbit/s. The Frame Relay is
flexible. It implements point-to-multipoint connection. In addition, FR can transmit
data at a speed that exceeds the Committed Information Rate (CIR) when large
amount of data needs to be transmitted, and it allows certain burst traffic. For
these reasons, FR is a good choice for business subscribers.
Asynchronous Transfer Mode (ATM): a cell exchange network that features high
speed, low delay, and guaranteed transmission quality. Most of ATM network use
fibers as the connection medium. The fiber provides a high speed of over 1
gigabit, but the cost is also high. ATM is also a WAN protocol.
Page 31
page 27
The WAN operates in a scope larger than that of the LAN. In the WAN, the network
access is
implemented through various serial connections. Generally, enterprise networks
are connected to the local ISP through the WAN lines. The WAN provides fulltime and
part-time connections. In the WAN, serial interfaces can work at different speeds.
The following devices are used in the WAN:
Router: In the WAN, messages are sent to the destination according to the
address. The process of looking for the transmission path is called routing. A router will
send data to the destination by
establishing routes between WANs and LANS according to their address information.
Modem: As the device used to transform signals between the end system and
communication system, a modem is the indispensable device in a WAN. Modems
are classified into synchronous modem and asynchronous modem. The
synchronous modem is connected to the synchronous serial interface and is
applied to the leased line, Frame Relay, and X.25. The asynchronous modem is
connected to the asynchronous serial interface and is applied to the PSTN.
Page 32
page 28
ARPAnet solves the problem of network robustness. That is, once a device fault
or link fault occurs, data transmission must be ensured between any two nodes if
the two nodes are physically connected. For the high ability of self-healing,
ARPAnet meets the requirement in wars. It comes of the Defence Advanced
Research Projects Agency (DARPA).
In 1985, the National Science Foundation (NSF) established the NSFnet. NSF
established a WAN consisting of regional networks and connected these regional
networks to the super computer center. In June 1990, the NFSnet took the place
of the ARPAnet and became the backbone network of the Internet. Owing to the
NSFnet, the Internet is open to the public, while it was only used by computer
science researchers and governments before.
The second leap of the Internet was attributed to the commercialization in early of
the 1990s. As soon as commercial organizations entered the world of Internet,
they found the great potential of Internet in communications, information
searching, and customer service. Then numerous enterprises in the world
swarmed into the Internet, which resulted in a new leap of the Internet.
In 1995, NSFnet came to an end and it was replaced by a new Internet backbone
network operated by multiple private companies.
Page 33
page 29
Currently, the Internet is not a simple hierarchy, instead, it is formed by many
WANs and LANs connected by connecting devices and exchange devices. End
users are connected to the Internet through the service provided by Internet
service providers (ISPs). ISPs are classified into international service providers,
national service providers, regional ISPs, and local ISPs.
International service provider
An international service provider connects networks of different countries.
National service provider (NSP)
A national service provider operates on backbone networks that are built and
maintained by professional companies. These backbone networks are connected
by complicated switching devices (usually operated by the third party) so that end
users can be connected to the backbone network. The switching devices are
called network access points (NAPs). NAPs transmit data at a high speed.
Regional ISP
A regional ISP is a small ISP connected to one or more NSPs. Regional ISPs
transmit data at a lower speed.
Local ISP
A local ISP provides service for end users. A local ISP is connected to a regional
ISP or an NSP. Most end users are connected to local ISPs.
NAP
An NAP connects backbone networks. It is usually a complicated switching
workstation operated by the third party.
Page 34
page 30
Page 35
page 31
A network protocol is a set of formats and conventions stipulated and observed
by communication parties so that devices in different computer networks can
communicate. A network protocol is the standardized description of a series of
rules and conventions. It defines how network devices exchange information.
Network protocols are basis of the computer network. Only the devices that
comply with related network protocols (laws for interconnected devices in the
network) can communicate with each other. Any device that does not comply with
the network protocol cannot communicate with other devices.
What is a protocol? Take the telegraph for example. Before sending a telegraph,
the two parties must define the transmission format of the telegraph, for example,
what signal indicates the start, what signal indicates the end, how to handle errors,
and how to express the name and address of the sender. The predefined format
and convention is a protocol.
Network protocols include the Transfer Control Protocol/Internet Protocol
(TCP/IP), Internetwork Packet eXchange/Sequenced Packet eXchange (Novell
IPX/SPX), and IBM System Network Architecture (SNA). The most widely used
protocol is the TCP/IP stack, which has become the standard protocol of the
Internet.
Page 36
page 32
A standard is a set of rules and processes that are widely used or defined by the
government. A standard describes stipulations in a protocol and sets the simplest
performance set for guaranteeing network communications. IEEE 802.X is the
dominant LAN standard.
Page 37
page 33
Many international standardization organizations made great contributions to
development of the computer network. They unify network standards so that
devices of different vendors can communicate with each other. Till now, the
following standardization organizations have made contributions to development of
the computer network.
International Organization for Standardization (ISO)
ISO stipulates standards for large-scale networks, including the Internet. The ISP
brings forward the OSI model that describes the working mechanism of network.
The OSI model is a comprehensible and clear hierarchical model of the computer
network.
Institute of Electrical and Electronics (IEEE)
IEEE defines standards for network hardware so that hardware devices of
different vendors can communicate with each other. The IEEE LAN standard is
the dominant standard for LANs. IEEE defines the 802.X protocol suite. 802.3 is
the standard for the Ethernet; 802.4 is the standard for the token bus network;
802.5 is the standard for token ring; 802.11 the standard fro the wireless local
area network (WLAN).
American National Standards Institute (ANSI)
ANSI is an organization formed by companies, governments, and other members
voluntarily. The ANSI defines the standard for the fiber distribution data interface.
Electronic Industries Association/Telecomm Industries Association (EIA/TIA)
Page 38
page 34
They define the standards for network cables, for example, RS232, CAT5, HSSI,
and V.24. They also define the standard for cabling, for example, EIA/TIA 568B.
International Telecomm Union (ITU)
They define the standard for the telecom network working as the WAN, for
example, X.25 and Frame Relay.
Internet Engineering Task Force (IETF)
Founded at the end of 1985, the IETF is responsible for researching and
establishing technical specifications related to the Internet. Now IETF has
become the most authoritative research institute in the global Internet field.
Page 39
page 35
IETF produces two types of files: Internet drafts and RFCs.
RFCs, which are used as standards, fall into the following types:
Proposals, namely, the recommended solutions
Accepted standards that are used by all users and cannot be changed
Optimal practices, a kind of introduction
IETF standards are called RFCs, which are a series of files published by IETF.
In the past, RFC stood for Request for Comments. Now RFC is only a name
without any special meaning. Currently, RFCs are formal files. There are about
5000 RFC files. The first one is RFC 1 Host Software, which was published on
April 7th, 1969.
Many Internet-related protocols, such as IP, OSPF, BGP, and MPLS, are defined
by RFCs.
Page 40
page 36
Page 41
page 37
A typical IP network is comprised of a backbone network, Metropolitan Area Network (MAN) and
Access Network. The backbone network commonly interconnects networks from different
countries and cities. Metropolitan Area Networks are located between the backbone network
and the access network, and it is commonly comprised of a backbone layer, convergence layer
and access layer. Access networks are used for terminal user access, it is usually in the layer2
access network, which is under the service access point. Users can access the internet via xDSL,
Ethernet and so on.
The target network structure of IP MAN is divided into:
IP MAN
Service access point (BRAS and service router) and the upper layer routers that compose the
layer3 network.
IP MAN is comprised of a backbone layer, convergence layer and access layer.
Broadband access network
The layer2 access network, which is under the service access point.
The network structure is divided into the layer2 convergence network and the last mile access
network.
On the service plane, the structure can be divided into a public access network plane and the
major account access network plane.
Page 42
page 38
Group Dedicated user
service identification
differentiated services
The Metropolitan Area Network (MAN) is located between the backbone network and the
access network, and interlinks different areas of a city.
The MAN provides the following services:
Internet access There are two access modes: dialup access mode and private line access mode.
In the dialup access mode, subscribers have different service attributes. In the private line
access mode, subscribers in the same group have the same service attributes. The Asymmetric
Digital Subscriber Line (ADSL) and Local Area Network (LAN) technologies are widely used as
Internet access services. Both technologies support dialup access and private line access modes.
Virtual private network (VPN)
In recent years, enterprises have increasing requirements for diversified services. As such, VPN
technology has become more and more popular. VPN is a private network constructed within a
public network infrastructure with the help of Internet service providers (ISPs) and network
service providers (NSPs).
Based on the implementation layer, VPN can be classified into Layer 2 VPN (L2VPN), Layer 3 VPN
(L3VPN) and the Virtual Private Dial Network (VPDN). The VPDN provides network access to
mobile personnel in enterprises and small-sized ISPs using the dialup function of the public
network and the access network.
Page 44
page 39
The common Internet access modes are ADSL, Ethernet, and leased line. Household users usually
choose the ADSL access mode, residential users prefer the Ethernet access mode, and enterprise
users select the leased line access mode. Normally, the access network uses Layer 2 devices,
such as digital subscriber line access multiplexers (DSLAM) and Ethernet switches, to provide the
access service for users. The access network does not perform any control on users and it simply
sets up Layer 2 connections to transparently transmit user information to upper-layer devices.
The access network refers to all devices at the access layer.
The access layer uses the broadband remote access server (BRAS) to manage users.
The convergence layer generally uses aggregation routers or Layer 3 switches. The convergence
layer aggregates traffic from the BRAS into the MAN devices and forwards this traffic through
routing functions.
The following shows the Internet access process:
A user sends an Internet access request. Layer 2 devices in the access network establish a Layer 2
connection and transparently transmit the request to the BRAS.
The BRAS performs user identity authentication and authorization, and allocates IP addresses to
the user.
The BRAS routes the user packets to devices at the convergence layer. The devices at the
convergence layer forward the packets through routing functions, to allow the user to have
access to the Internet.
Page 46
page 40
VPN services are classified into L3VPN services, L2VPN services and VPDN services. Here, we talk
about the most common L3VPN services. L3VPN has multiple types, such as Internet Protocol
Security VPN (IPSec VPN), Ground Radar Equipment VPN (GRE VPN) and Border Gateway
Protocol/Multiple protocol Label Switching VPN (BGP/MPLS VPN).
The BGP/MPLS VPN model has three parts: customer edge (CE), provider edge (PE) and provider
(P).
CE: It is an edge device on the user network. A CE provides interfaces that are directly connected
to the service provider (SP) network. It can be a router, switch or a host.
PE: It is an edge router provided by the SP. A PE device is directly connected to the CE. On the
MPLS network, all VPN operations are performed in the PEs.
P: It is a backbone router on the SP network. A P device is not directly connected to the CE. The P
device forwards MPLS data, and does not maintain VPN information.
As shown in the figure on this slide, enterprise private line users A, B and C can communicate
with each other on the LAN by means of the BGP/MPLS VPN network.
Page 48
page 41
Generally, the performance of the backbone network can be evaluated using the following
indicators:
High reliability
Devices on the backbone network must be stable, which is critical to the stable operation of the
entire network. Therefore, network architects should properly design the network architecture
and develop reliable network backup policies to ensure strong network self-healing capabilities.
Flexibility and scalability
To meet future network services, the network must be seamlessly expanded and upgraded while
minimally affecting the network architecture and devices.
Flat networking
The number of network layers and hops should be minimized to facilitate network management.
Proper planning of quality of service (QoS)
In, the IP network also supports voice over IP (VoIP), video and key customer services. These
services have high requirements on service in addition to carrying Internet access service quality.
Therefore, support for QoS is one of the necessary conditions for the transition of the IP network
to the telecommunications network. To achieve support for QoS, QoS should be properly
planned.
Operability and manageability
Centralized monitoring, rights-based management, and unified allocation of bandwidth
resources are supported, which make the entire network controllable.
Page 50
page 42
Hierarchical plane structure
The hierarchical plane structure is commonly applied in the early-stage backbone network.
Currently, most carriers in China use this structure, which is divided into three layers, core
backbone layer, core convergence layer and core access layer. The core backbone layer is divided
by area. Areas are connected in full-mesh or partial-mesh mode to improve network robustness.
The core convergence layer adopts dual homing networking. Devices at this layer are dual-
uplinked to an area or two areas at the core backbone.
Hierarchical spatial plane structure
In the hierarchical spatial plane structure, the network is divided in layers and planes. Different
planes carry different services. Normally, services on two different planes are independent from
each other. When one plane fails, the other plane acts as a backup plane. When designing the
network, architects usually design the plane as one that can carry all services. As a network
requires carrying multiple services, the hierarchical plane network model stands out with its
features of a clear structure, large backup capacity and high security.
Page 52
page 43
Page 55
page 44
Page 56
page 45
Page 57
page 46
Page 58
page 47
Since the 1960s, computer networks have undergone a dramatic development. To take the
leading position and have a larger share in the communication market, manufacturers
competed in advertising their own network structures and standards which included IBMs
SNA, Novells IPX/SPX., Apples Apple Talk, DECs DECnet and TCP/IP, which remains
the most widely used today. These companies pushed software and hardware that use
their protocols to the market enthusiastically. All these efforts promoted the fast
development of network technology and the prosperity of the market of network devices.
However, the network became more and more complicated due to lack of compatibility
between the various protocols.
To improve network compatibility, the International Organization for Standardization (ISO)
developed the Open System Interconnection Reference Model (OSI RM) which soon
became the model of network communications. The ISO followed the following principles
when they designed the OSI reference model:
1. Each layer of the model has its own responsibilities which should help it stand
out as an independentlayer.
2. To avoid function overlapping, there should be enough layers.
The OSI reference model has the following advantages:
1. It simplifies network related operations.
2. It provides compatibility and standard interfaces for systems designed by
different institutions.
3. It enables all manufactures to be able to produce compatible network
devices, which facilitates the standardization of networks.
4. It lays the complex concept of communications down into simpler and smaller
problems, which facilitates our understanding and operations.
5. It separates the whole network into areas, which guarantees changes in one
area will not affect other areas and networks in each area can be updated
quickly and independently.
Page 59
page 48
The OSI reference model has seven layers. From bottom to top, they are physical layer,
data link layer, network layer, transport layer, session layer, presentation
layer and application layer.
The bottom three layers are usually called lower layer or the media layer, which is
responsible for transmitting data in the network. Networking devices often work at lower
layers and network interconnection is achieved by the cooperation of software and hardware.
Layer 5 to layer 7 form the upper layer or the host layer. The upper layer guarantees data is
transmitted correctly, which is achieved by software.
Page 60
page 49
The functions of each layer of the OSI Reference Model are listed as follows:
Physical layer: providing a standardized interface to physical transmission media including
voltage, wire speed and pin-out of cables.
Data link layer: combines bits into bytes and bytes into frames. Provides access to media
using MAC address and error detection.
Network layer: providing logical addresses for routers to decide path.(path selection)
Transport layer: providing reliable or unreliable data transfer services and error correction
before retransmission.
Session layer: establishing, managing and terminating the connections between the local
and remote application. Service requests and responds of application
programs in different devices form the communication of this layer RPC,NFS and SQL
belong to this layer.
Presentation layer: providing data encoding and translation. Make sure that the data sent
by the application layer of one system can be understood by the application layer of
another system.
Application layer: providing network services as the closest layer to users among the
seven layers.
Page 61
page 50
Since the OSI reference model and protocols are comparatively complicated, they do not
spread widely. However, TCP/IP has been widely accepted for its openness
and simplicity. The TCP/IP stack has already been the main stream protocols for the
Internet.
The TCP/IP model also takes a layered structure. Each layer of the model is independent
from each other but they work together very closely.
The difference between the TCP/IP model and the OSI reference model is that the former
groups the presentation layer and the session layer have been merged into the application
layer. So the TCP/IP model has only five layers. From bottom to top, they are: physical
layer, data link layer, network layer, transport layer and application layer.
Page 62
page 51
Each layer of the TCP/IP model corresponds to different protocols. The TCP/IP protocol
stack is a set of communication protocols. Its name, the TCP/IP protocol
suite, is named after two of its most important protocols: the Transmission Control
Protocol (TCP) and the Internet Protocol (IP). The TCP/IP protocol stack ensures the
communication between network devices. It is a set of rules that define how information is
delivered in the network.
Page 63
page 52
Each layer of the TCP/IP model uses Protocol Data Unit (PDU) to exchange information
and enable communication between network services. During encapsulation, each
succeeding layer encapsulates the PDU that it receives from the layer above. At each
stage of the process, a PDU has a different name to reflect its new appearance.
For example, the transport layer adds TCP header to the PDU from the upper layer to
generate the layer 4 PDU, which is called a segment. Segments are then
delivered to the network layer. They become packets after the network layer adds the IP
header into those PDUs. The packets are transmitted to the data link
layer, where they are added data link layer headers to become frames. Finally, those
frames are encoded into bit stream to be transmitted through network medium. This
process in which data are delivered following the protocol suite from the top to the bottom
and are added with headers and tails is called
encapsulation.
After encapsulation, data is sent to the receiving device after transmission. The receiving
device will decode the data to extract the original service data unit and
decides how to pass the data to an appropriate application program along the protocol
stack. This reverse process is called de-encapsulation. The corresponding layers, or
peers, of different devices communicates through encapsulation and de-encapsulation.
As the figure above shows, Host A is communicating with Host B. Host A delivers data
transformed from an upper layer protocol to the transport layer. The transport layer
encapsulates the data within the segment and send it to the network layer, which adds a
header. Then the segment is encapsulated within an IP packet, which adds another
header, called the IP header. Next, the IP packet is sent to data link layer where it is
encapsulated within a frame header and trailer. The physical layer then transforms the
frame into bit stream and sends it to Host B through the physical cable.
Page 64
page 53
When Host B receives the bit stream, it sends it to its data link layer. The data link layer
removes the frame header and trailer, then passes the packet to the upper layer - network
layer. Then the network layer removes the IP header from the packet and passes segment
to the transport layer. In the similar way, the transport layer extracts the original data and
delivers it to the top layer, the application layer.
The process of encapsulation or decapsulation is done layer by layer. Each layer of the
TCP/IP has to deal with data both from its upper and lower layers by adding
or deleting packet headers.
Page 65
page 54
The main functions of the physical layer are:
It specifies the media, interface and signaling types.
It specify the electrical, mechanical, procedural, and functional requirements for activating,
maintaining, and deactivating a physical link between end systems.
It specify the features such as voltage, wire speed, maximum transmission distance and
pin-out.
The physical layer provides standards of the transmission media and connectors.
The common physical layer standards include IEEE 802.3 for Ethernet, IEEE 802.4 for
token bus networks, IEEE 802.5 for token ring networks and Fiber Distributed Data
Interface (FDDI) specified by the X3T9.5 committee of ANSI. The common physical layer
standard for WANs include EIA/TIA-232 (RS-232), V.24 and V.35 developed by ITU for
serial ports and G.703, which involves the physical and electrical and electronic standards
for all digital interfaces.
Page 66
page 55
Physical layer mediums include coaxial cable, twisted pair, fiber and wireless radio. Coaxial
cable is an electrical cable consisting of a round conducting wire. The
coaxial cable can be grouped into thick coaxial cable and thin coaxial cable according to their
diameters. The thick coaxial cable is more suitable for large LANs since its transmission
distance is longer and it is more reliable. The thick coaxial cable does not need to be cut but
you must install transceiver for networks using thick coaxial cable. The thin coaxial cable is
easy to install and is much cheaper, but you need to cut the thin coaxial cable and put basic
network connectors (BNC) on its two sides and then inserts the two sides into T-shape
connectors when installing the cable. So when there are many connectors, the safety is
influenced.
Twisted pair is the most widely used cable, which is twisted by a pair of insulated copper
wires whose diameters are about 1mm. Twisted pair has two types: Shielded Twisted Pair
(STP) and Unshielded Twisted Pair (UTP) . STP cabling includes metal shielding over each
individual pair of copper wires, so it is very capable of keeping electromagnetic interferences
and wireless radio interference at bay. STP is easy to install but its price is comparatively
high. UTP is easy to install and its price is cheaper, however, its capability of anti-
interference is not as powerful as that of STP and its transmission distance is not that long.
Fiber consists of fiberglass and the shielding layer and it will not be interfered by
electromagnetic signals. The transmission speed of fiber is fast and the transmission
distance is long, but fiber is very expensive. Optical fiber connectors are connectors for the
light, which are very smooth and should not have any cuts.
Fiber connectors are not installed easily.
Wireless radio makes communications without physical links. Wireless radio refers to
electromagnetic waves with frequencies within the radio frequency that are transmitted in the
space including the air and vacuum. We should put all the aspects into consideration such as
the distance, price, bandwidth requirement, cables that the network devices support etc.
when we make a choice of physical medium.
Repeaters and hubs are devices working at the physical layer, but with the development of
networks, they are not used so much as in the past. Well not discuss them here.
Page 67
page 56
Data link layer is the first logical layer of the physical layer. It encodes physical address for
terminals and help network devices decide whether to pass data to
upper layers along the protocol stack. It also points out which protocol the data should be
delivered to with some of its fields and at the same time, it provides
functions like sequencing and traffic control.
The data link layer has two sub-layers: Logical Link Control sublayer (LLC) and Media
Access Control sublayer (MAC) .
LLC lies between the network layer and the MAC sublayer. This sublayer is responsible for
identifying protocols and encapsulating data for transmission. The LLC sublayer performs
most functions of the data link layer and some functions of the network layer such as
sending and receiving frames. When it sends a frame,
it adds the address and CRC to the original data. When it receives a frame, it takes apart the
frame and performs address identification and CRC. It also provides flow control, frame
sequence check, and error recovery. Besides these, it can perform some of the network
functions including datagram, virtual links and multiplexing.
The MAC sublayer defines how data is transmitted through physical links. It communicates
with the physical layer, specifies physical addresses, network topology, and line standards
and performs error notification, sequence transmission and traffic control etc.
Page 68
page 57
Data link layer protocols specify the frame encapsulation at the data link layer. A
common data link layer protocol for LANs is IEEE 802.2LLC.
Common data link layer protocols for WANs include High-level Data Link Control
(HDLC) , Point-to-Point Protocol (PPP) and Frame Relay (FR).
HDLC is a bit-oriented synchronous data link layer protocol developed by the
ISO. HDLC specifies data encapsulation for synchronous serial links with frame
characters and CRC.
PPP is defined by Request For Comment (RFC) 1661. PPP consists of the Link
Control Protocol (LCP) , the Network Control Protocol (NCP) and other PPP
extended protocol stacks. PPP is commonly used to act as a data link layer
protocol for connection over synchronous and asynchronous circuits and it
supports multiple network layer protocols. PPP is the default data link layer
protocol for data encapsulation of the serial ports of VRP routers.
FR is a protocol conforming with the industrial standards and it is an example of
packet-switched technology. PPP uses error verification mechanism, which
speeds up data transmission.
Ethernet switches are common network devices work at the data link layer.
Page 69
page 58
As every person is given a name for identification, each network device is labeled with a
physical address, namely, the MAC address. The MAC address of a network device is
unique globally. A MAC address consists of 48 binary digits and is often printed in
hexadecimal digits for human use. The first six hexadecimal bits are assigned to
producers by IEEE and the last six bits are decided by producers themselves. For
example, the first six hexadecimal bits of the MAC address of Huaweis products is
0x00e0fc.
Network Interface Card (NIC) has a fixed MAC address. Most NIC producers burn the
MAC address of their products into the ROM. When an NIC is initialized, the MAC
address in the ROM is read into the RAM. When you insert a new NIC into a computer,
the physical address of the computer is replaced by the physical address of the NIC.
However if you insert two NICs into your computer, then your computer may have two
MAC addresses, so a network device may have multiple MAC addresses.
Page 70
page 59
The data link layer ensures that datagram are forwarded between devices on the same
network, while the network layer is responsible for forwarding packets from
source to destination across networks. The functions of the network layer can be
generalized as follows:
Provide logical addresses for transmission across networks.
Routing: to forward packets from one network to another.
The router is a common network device that works at the network layer. Routers functions
mainly for forwarding packets among networks. In the above figure,
Host A and Host B reside on different networks or links. When the router that resides on
the same network as Host A receives frames from Host A, the router
passes those frames to the network layer after it ensures that the frames should be sent to
itself by analyzing the frame header. Then the network layer checks
where those frames should go according to the destination address in the network layer
header and later it forwards those frames to the next hop. The process
repeats until the frames are sent to Host B.
Page 71
page 60
Common network layer protocols include the Internet Protocol (IP) , the Internet Control
Message Protocol (ICMP) , the Address Resolution Protocol (ARP) and the Reverse
Address Resolution Protocol (RARP) .
IP is the most important one among the network layer protocols and its functions
represent the main functions of the network layer. The functions of IP include
providing logical address, routing and encapsulating or de-encapsulating packets. ICMP,
ARP and RARP facilitate IP to achieve the network layer functions.
ICMP is a management protocol and it provides information for IP. ICMP information is
carried by IP packets.
ARP maps an IP address to a hardware address, which is the standard method for finding
a host's hardware address when only its network layer address is known.
RARP maps a hardware address to an IP address, which means to get a hosts IP
address through its hardware address.
Page 72
page 61
The network layer address we mentioned here refers to the IP address. The IP address is
a logical address instead of a hardware address. The hardware address
such as the MAC address, is burned on the NIC and it is for the communication between
devices that are on the same link. However, the IP address is used for communication
between devices on different networks.
An IP address is 4-byte long and is made up of the network address and the host address.
It is often presented in dotted decimal notation, for example, 10.8.2.48.
More information about the IP address will be introduced in later chapters.
Page 73
page 62
The transport layer provides transparent transfer of data between hosts. It shields the
complexity of communications for the upper applications and is usually responsible for
end-to-end connection. The main functions of the transport layer involve:
Encapsulate data received from the application layer and decapsulate data received
from the network layer.
Create end-to-end connections to transmit data streams.
Send data segments from one host to another, perform error recovery, flow control, and
ensure complete data transfer.
Some of the transport layer protocols ensure data are transmitted correctly which means
data are not lost or changed during transmission and the order of data
packets remains the same when they are received at the end.
Page 74
page 63
Transport layer protocols mainly include the Transmission Control Protocol (TCP) and the
User Datagram Protocol (UDP) .
Page 75
page 64
Although TCP and UDP are both protocols of the transport layer, their contributions
to the application layer differ greatly.
TCP provides connection-oriented and reliable transmission. Connection-oriented
transmission means that applications which use TCP as their transport layer
protocol need to create a TCP connection before they exchange data.
TCP provides reliable transmission services for the upper layer through its
mechanisms of error detection, verification and reassembly. However, creating the
TCP connection and performing these mechanisms may bring a lot of extra efforts
and increase the cost.
UDP does not guarantee reliability or ordering in the way that TCP does. It provides
a simpler service that does not guarantee the reliability which means datagrams
may arrive out of order, appear duplicated, or go missing without notice. UDP
focuses on applications that require more on transmission efficiency such as SNMP
and Radius. Take SNMP as an example, it monitors networks and sends out
warnings from time to time. If SNMP is demanded to create a TCP connection every
time when it sends a small amount of information, undoubtedly, the transmission
efficiency will be affected. So time-sensitive applications like SNMP and Radius
often use UDP as their transport layer protocol. Besides this, UDP is also
appropriate for applications that are equipped with some mechanisms for reliability
by themselves.
Page 76
page 65
The main functions of the application layer are:
Provide user interfaces and deal with specific applications.
Provide data encryption, de-encryption, compression and decompression.
Specify the standards of data presentation.
Page 77
page 66
The application layer has many protocols and the following protocols may help you use and
manage a TCP/IP network.
File Transfer Protocol (FTP) is used to transfer data from one computer to another over the
Internet, or through a network. It is often used for interactive user sessions.
Hypertext Transfer Protocol (HTTP) is a communication protocol used to transfer or
convey information on the World Wide Web.
TELNET is used to transmit data that carries the Telnet control information. It provides
standards for interacting with terminal devices or terminal processing. Telnet supports end-
to-end connections and process-to-process distributed communications.
Simple Message Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) are for
sending and receiving emails.
DNS (Domain Name Server) translates a domain name to an IP address and allows
decentralized management on domain resources.
Trivial File Transfer Protocol (TFTP ) is a very simple file transfer protocol. TFTP is
designed for high throughput file transfer for ordinary purposes.
Routing Information Protocol (RIP) is the protocol for routers to change routing information
through an IP network.
Simple Network Management Protocol (SNMP) collects network management information
and makes that information exchanged between the network management control console
and network devices including routers, bridges and servers.
Remote Authentication Dial In User Service (Radius) performs user authorization,
authentication and accounting.
Page 78
page 67
Page 79
page 68
To illustrate the encapsulation process, imagine there is network whose transport layer
uses TCP, the network layer applies IP and the data link layer takes Ethernet standards.
The above figure shows the encapsulation of a TCP/IP packet on that network.
The original data is encapsulated and delivered to the transport layer. And then the
transport layer adds a TCP header to the data and passes it down to the network layer. The
network layer encapsulates the IP header in front of the segment and delivers it to the data
link layer. The data link layer encapsulates Ethernet header and trailer to the IP packet and
then passes it to the physical layer. At last, the physical layer sends the data to the physical
link as bit streams. The length of each field in the header is pointed out in the above figure.
Now, well take a close look into the whole process from the top to the bottom.
Page 80
page 69
The above is a TCP data segment encapsulated in an IP packet. The TCP segment
consists of the TCP header and the TCP data. The maximum length of a TCP header is
60 bytes. If there is not the Option field, normally, the header is 20-bytes long.
The structure of a TCP header is shown as in the above figure. We are going to explain
just some of it. For more details, please refer to the transport layer protocols.
Source Port: Indicates the source port number. TCP allocates source port numbers for
every application.
Destination Port: Indicates the destination port number.
Sequence Number: Indicates the sequence number which labels TCP data streams.
Port number is used to distinguish applications,80 means HTTP application,23 for
telnet,20 and 21 for ftp,53 for DNS.
Ack Num: Indicates the acknowledgement sequence number. Ack Num includes the next
sequence number that the sender expects. The value of this field is the
sequence number that the sender of the acknowledgement expects next.
Option: Indicates the optional fields.
Page 81
page 70
The network layer adds the IP header to TCP datagram which it receives from the transport
layer. Usually, the IP header has a fixed length of 20 bytes which does
not include the IP options. The IP header consists of the following fields:
Version: indicates the version of the IP protocol. At present, the version is 4. The version is
6 for the next generation IP protocol.
IP header length is the number of 32-bit words forming the header including options. Since it
is a 4-bit field, its maximum length is 60 bytes.
TOS: 8 bits. It consists of a 3-bit COS (Class of Service) field, a 4-bit TOS field and a 1-bit
final bit. The 4 bits of the TOS field indicates the minimum delay, the
maximum throughput, the highest reliability and the minimum cost respectively.
Total length: indicates the length of the whole IP packet including the original data. This field
is 16 bit long which means an IP packet can be 65535 bytes at most. Although an IP packet
can be up to 65535 byte long, most data link layers segment them before transmission.
Furthermore, hosts cannot receive a packet more than 576 bytes and UDP limits packets
within 512 bytes. However, nowadays many applications allow IP datagram that are more
than 8192 bytes to go through the links especially for applications that support NFS.
Identification: identifies every datagram the host sends. The value increases with the
number of datagram the host sends.
Time to Live (TTL) : indicates the number of routers a packet can travel through. The value
decreases one every time the packet passes a router. When the value turns to 0, the packet
will be discarded.
Protocol: indicates the next level protocol used in the data portion of the internet datagram.
It is similar to the port number. IP protocols use protocol number to mark upper layer
protocols. The protocol number of TCP is 6 and the protocol number of UDP is 17.
Header checksum: calculates the checksum of the IP header to see if the header is
complete.
The source IP address field and the destination IP address filed point out the IP addresses
of the source and the destination.
Page 82
page 71
The physical layer has limitations on the length of frame it sends every time. Whenever the
network layer receives an IP datagram, it needs to decide which interface the
datagram should choose and check the MTU of that interface. IP uses a
technique called fragmentation to solve the problem of heterogeneous MTUs.
When a datagram is longer than the MTU of the network over which it must be sent, it is
divided into smaller fragments which are sent separately.
Fragmentation can be done on the source host or the intermediary router.
Fragments of an IP datagram are not reassembled until they arrive at the final destination.
The reassembly is performed by the IP layer at the destination.
Datagram can be fragmented for more than one time. The IP header provides enough
information for fragmentationand reassembly.
Flags: 3 bits
Multiple control bits:
0bit: reserved, must be 0.
1bit: (DF) 0 = can be fragmented, 1 = cannot be fragmented.
2bit: (MF) 0 = final fragmentation, 1 = more fragmentation.
The values of DF and MF cannot be 1 at the same time.
0 1 2
+---+---+---+
| | D | M |
| 0 | F | F |
+---+---+---+
Fragment offset: indicates the position of the fragment within the original datagram. When
an IP datagram is fragmented, each fragment becomes a packet with its own
IP header and will be routed independently of any other datagrams.
Page 83
page 72
The Ethernet header is made up of three fields:
DMAC: indicates the MAC address of the destination.
SMAC: indicates the MAC address of the source.
LENGTH/TYPE: its meanings vary with its values.
When the value is bigger than 1500, it indicates the frame type, for example the
upper layer protocol type. The common protocol types are:
0X0800 IP packets
0X0806 ARP request/response message
0X8035 RARP request/response message
When the value is smaller than 1500, it indicates the length of data frame.
DATA/PAD: the original data. Ethernet standards specify that the minimum data length
should be 46 bytes. If the data is less than 46 bytes, add the Pad field to fill it.
FCS: the frame check field.
Page 84
page 73
Page 85
page 74
The above is an example of an HTTP packet that is captured, which may facilitate your
understanding towards packet encapsulation. The bottom displays the actual
data and the top is information analyzed by the software.
Page 86
page 75
This page illustrates data encapsulation at the data link layer. The encapsulation format
used here is Ethernet, which is mentioned earlier.
The figure above shows DMAC at the top and then comes SMAC and the type field is listed
at the bottom.
DMAC is 00d0: f838: 43cf
SMAC is 0011: 5b66: 6666
Type field value is 0x0800, which indicates that it is an IP packet.
Page 87
page 76
This page illustrates data encapsulation at the network layer. An IP packet is made up of
two parts, the IP header and the IP data. As described previously, the IP header consists
of many fields. In the above example, the value of the version field is 4, which indicates
the packet is an IPv4 packet. The packet header is 20-byte long. The protocol field is 0x06,
which tells us that the packet to be encapsulated is a TCP packet. The IP address of the
source is 192.168.0.123 and the IP address of the destination is 202.109.72.70.
Page 88
page 77
This page illustrates data encapsulation at the transport layer. The transport layer here
uses TCP protocols. The source port number is a random number 3514 and
the destination port number is 80, which is the number assigned for the HTTP protocol.
So the datagram is from the source to visit the HTTP service of the destination host.
Page 89
page 78
1. What are the layers of the OSI reference model?
The OSI reference model consists of seven layers, namely, the physical layer, the data link
layer, the network layer, the transport layer, the session layer and the application layer.
2. What are the functions of each layer in the TCP/IP protocol stack?
The TCP/IP protocol stack has five layers: the physical layer, the data link layer, the
network layer, the transport layer and the application layer. The physical layer specifies the
mechanical, electrical and electronic standards for transmission. The data link layer
provides controls on the physical layer, detects errors and performs traffic control (optional).
The network layer checks the network topology to decide the best route for data
transmission. The basic function of the transport layer is to segment the data it received
from the application layer and combines data segments before it sends the data to the
application layer. It builds end-to-end connections to send data segments from one host to
the other host. The application layer provides network services for application programs.
3. What is the process of packet encapsulation and de-encapsulation?
De-encapsulation is the reverse process of encapsulation. Encapsulation means to add
headers to the original data layer by layer from the top of the protocol stack to
the bottom; while de-encapsulation is to strip off those headers from the lower layers to the
upper layers.
4. What are the differences between the MAC address and the IP address?
MAC address is a 48-byte physical address printed on the hardware of a device. The MAC
address cant be changed. The IP address is a 32-byte address works at the network layer
and IP addresses can be changed. IP addresses are grouped into public addresses and
private addresses. Public addresses are unique globally, while private addresses can be
used repetitively in different LAN segments.
Page 90
page 79
Page 92
page 80
Page 93
page 81
Page 94
page 82
Page 95
page 83
TCP provides reliable, connection-oriented service for applications.
The reliability of TCP is guaranteed through the following aspects:
Connection-oriented transport: In TCP, before any end of the link begins to transfer data,
the connection between two parties of the link must be established.
MMS: In TCP, it indicates the maximum length of the data packet could be sent to another
end of the link. After the connection is established, the two parties of the
connection should advise its own MMS, to use the bandwidth resources more efficiently.
Transmission Acknowledgement Mechanism: In TCP, after a segment is transmitted, a
timer would be started, and waiting for the acknowledgement from the receiver; if the
acknowledgement cannot be received within the timer, the segment will be retransmitted.
Header and data checksum: TCP will maintain the checksum of header and data, which is
the end-to-end check. Its purpose is to detect the variation of the data
during the transmission procedure. If there is some error in the segment checksum, this
segment will be discarded by TCP receiver and the acknowledgement will not be replied.
Hence, the TCP retransmission mechanism will be started.
Flow control: Both ends of the TCP connection have a buffer with fixed space. Only the
amount of data less than the size of receivers buffer could be sent by the
sender. This mechanism prevents such a situation happening in which the buffer is
overloaded because of the speed difference of two hosts.
Page 96
page 84
TCP uses IP as the network layer protocol, and TCP segment is encapsulated into
the IP packet.
TCP segment is made up of two parts, TCP Header and TCP Data. If there is
no option field, the length is 20 bytes.
TCP header includes the fields showed in the slide. There are some explanations
of some fields:
16-bit source port number: TCP will allocate a source port number for the source
application.
16-bit destination port number: The port number of destination application.
Source and Destination Port: Every TCP segment includes the source and
destination port number, used to find the sending and receiving application. Using
these two numbers, together with the source and destination IP address of IP
header, a unique TCP connection could be confirmed.
Sequence Number is a 32-bit number that identifies where the encapsulated data
fits within a data stream from the sender.
Acknowledgment Number is a 32-bit field that identifies the sequence number the
source next expects to receive from the destination. The Acknowledgement
Number is the last data sequence number plus one.
Page 97
page 85
4-bit header length: It indicates the header is of 32 bits.
Window Size is a 16-bit field used for flow control. It indicates the number of
bytes are expected to receive. Because this field is of 16 bits, the maximum
window size is 65535 bytes.
Checksum is 16 bits, covering both the header and the encapsulated data,
allowing error detection.
Page 98
page 86
TCP provides full-duplex transmission protocol which is reliable and connection-
oriented. The reliability of TCP is guaranteed by some methods. One of them is
to
establish the connection before sending any data.
The TCP connection is established through three-way handshakes procedure:
1. Request end (or Client) sends a SYN field, indicating the clients expectation
to connect to the port of server, with Initial Sequence Number (ISN) a.
2. The Server replied SYN with sequence number b. At the same time, the
acknowledgement number is set to be a+1 to acknowledge the SYN packet of
the client.
3. The Client will sent the acknowledgement packet with acknowledgement
number set to be b+1 to acknowledge the SYN packet of the server. The TCP
connection is then established.
Page 99
page 87
As it is mentioned before, TCP is a full-duplex transport layer protocol. Full-
duplex indicates the two ends of the connection could transmit or receive data at
the same time. Thus, the two parties should terminate the connection individually.
The TCP connection is established through three-way handshakes procedure,
while the TCP connection is terminated through four-way handshake procedure:
1. Request end (or Client) sends a FIN field, indicating the clients expectation to
terminate the connection, with initial sequence number a.
2. The Server set the acknowledgement number to be a+1 to acknowledge the
FIN packet of the Client.
3. The Server replied sends FIN field with sequence number b,
acknowledgement number a+1.
4. The client will send the acknowledgement packet with acknowledgement
number set to be b+1.
The TCP connection is then terminated.
Page 100
page 88
Multiplexing indicates that the same transport layer connection is used by multiple
applications to transmit data. The data is divided to different segments by the transport layer
according to different applications. And based on FIFO rule, the segments are to be sent.
These segments could be with the same or different destinations.
Supposing two servers www.huawei.com and ftp.huawei.com are sending data packets to
destination host at the same time. The following is the end-to-end communication procedure
of transport layer. When the www and ftp applications are called, the server will allocate a
port number for every application. (Note:
This port number is different from the physical port of network equipment. It is a virtual
interface between the application and transport layer protocol). The
segments are then created.
In the transport layer, a session connection should be established between the server and
the host. (Note: It is a virtual connection instead of a physical one.) In order to begin the data
transmission, the two applications of the server and terminal host will inform their own
operation systems, to initialize the connection. After the virtual end-to-end connection is
established, the data transmission could begin.
During the transmission procedure, the server and the host continue to communicate using
their protocol software, to check whether the data has been correctly received.
After the terminal equipment receives the data flow, it will sort the data so that the transport
layer could send the data flow to the host correctly.
After the data transmission finished, the two party negotiate to terminate the virtual link.
Page 101
page 89
MSS (Maximum Segment Size) indicates the maximum size of the segment could be sent to
the other end of the connection. When a connection is established, their two ends should
advertise its own MSS. The default value of MSS is 536 bytes, so the allowable length of IP
packet is 576 bytes(536 +20 byte IP header +20byte TCP header).
Through the negotiation of MSS, the network resources could be used more efficiently and the
network performance could be improved.
Page 102
page 90
The reliability of TCP is guaranteed by the acknowledgement mechanism to ensure the
correct data transmission from the source equipment to the destination. The working
mechanism of acknowledgement mechanism is as followings:
When the destination equipment receives the data packets sent by the source equipment,
it will reply an acknowledgement to the sender; and if the sender receives the
acknowledgement, it will continue to send data packets. However, if the sender does not
receive the acknowledgement, after a period of time, ( a timer will be started by the
sender when the data is sent) the sender will decrease the transmission speed, and
retransmit the packets in question.
As the slide shows, a virtual end-to-end link is established between the source and
destination equipment, and data packets are sent. The source equipment sends 3 data
packets (1,2,3) to the destination at one time. After the destination equipment receives
the data packets, it will acknowledge them by the sequence number of fourth data packet
which is 4.
When the source equipment receives the data packets, it will continue to send another
three data packets (4, 5, 6). As the example shows, because the destination equipment
has not received the fourth data packet correctly, the destination equipment still uses
acknowledgement number 4 as the reply. Hence, the fourth data packet will be
retransmitted by the source equipment. After the destination equipment receives the
fourth data packet, and acknowledge it by the acknowledgement number 7, the next three
data packets could be sent continuously.
Page 103
page 91
TCP Sliding Window technology is able to control the data flow between two hosts by
dynamically changing window size. Every TCP/IP host supports full-duplex data
transmission, so there are 2 Sliding Windows in TCP: one is used for receiving, the other is
used for sending. whats more, TCP uses positive acknowledgement technology whose
acknowledgement number refers to next expected bytes.
As shown above, it is an example of single direction sending, which introduces how Sliding
Window achieves flow control.
The server sends to client 4 1024-byte segments, and the window size of sender is 4096
bytes. Receiver will acknowledge by using ACK4097, and modify window size to 2048
bytes. This means client (receiver) only has 2048-byte buffer space. Therefore, sender
changes its sending speed and sends 2048-byte segment which the receiver can afford.
Sliding window mechanism provides reliable flow control method for data transmission
between end-to-end devices. However, it is only on source and destination devices that
Sliding Window mechanism will take effect. When there is congestion between interim
devices ( like routers), Sliding Window has no use. Thus ICMP source quench mechanism
could be used in congestion management.
Page 104
page 92
Page 105
page 93
UDP provides connectionless service for applications, so there is no need to establish
connection before communication take place between source and destination like TCP.
Besides, because UDP is a connectionless transport protocol, it is not necessary to
maintain connection state, sending or receiving state. So the server is capable of
simultaneously sending the same message to multiple clients.
UDP is suitable for those applications who requires "best-effort" transmission and
reliability is provided by application layer, such as Radius protocol which is commonly
used in authentication and accounting and RIP protocol are all based on UDP.
Page 106
page 94
UDP, like TCP, also uses IP as network layer protocol. UDP segment is encapsulated in a
IP packet. Since UDP doesnt provide reliable transmission like TCP, its segment format is
relatively simple.
The UDP header is made up of the following field:
16-bit source port number: applying source port number for source application.
16-bit destination number: port number of destination application.
16-bit UDP length: referring to the length of both UDP header part and UDP data part. The
min value is 8.
16-bit UDP checksum: this segment provide the same function as TCP checksum.
But this is an extra parameter.
Page 107
page 95
As shown above, the picture compare TCP protocol with UDP protocol. It is able to get a
conclusion through comparison that TCP is suitable for high-reliability service;
while UDP is suitable for speed-sensitive services.
As UDP supports a connectionless service, it requires that the upper layer of providing
error detection and retransmission mechanism.
Page 108
page 96
1.How does TCP establish and terminate a connection?
Connections are established in TCP by means of the three-way handshake procedure.
TCP connections are full-duplex, both of the two ends which establish the connection will
send their own terminate request and wait for the acknowledgement, for which in all there
are four steps when terminating a connection.
2.How does TCP provide reliability?
TCP provides transmission reliability by sequence number and ACK mechanism. By using
sequence number, the two ends will both clearly know the sending and
receiving information of data segment. ACK mechanism is able to guarantee transmission
reliability, which will ensure data flow arrives at destination correctly
from the source.
3.What is the purpose of TCP Sliding Window technology?
TCP Sliding Window technology adjusts data transmission between two hosts by
dynamically modifying window size. Sliding Window mechanism provides reliable
flow control method for data transmission between end-to-end devices.
Page 109
page 97
Page 111
page 98
Page 112
page 99
Page 113
page 100
The ping command is a common way to check the IP connectivity of the network and the
connection to the host. The ping command uses a series of Internet Control Message
Protocol (ICMP) messages to check whether the destination is reachable, the
communication delay, and the packet loss ratio. Ping is a process in which the device
sends a request and waits for response. The device that run the ping command sends an
Echo message to the destination, and then waits for a response. If the Echo message
reaches the destination and an Echo Reply message is returned to the source within the
specified period, the device can ping through the peer. If the source does not receive the
Echo Reply message, the Request timed out message is displayed. In this example, the
following command is typed on the PC:
Ping 1.1.1.1
To test the connectivity, send the Echo message to address 1.1.1.1.
Besides basic commands, the ping command provides various optional parameters, for
example a and i. -a source-ip-address: sets the source IP address that sends the ICMP
ECHOREQUEST message. -i interface-type interface-number: sets the interface that
sends the ICMP ECHOREQUEST message. In this example, the ping 1.1.1.1 a 1.1.1.2
command can also be used.
Page 114
page 101
ICMP is an important part of the network layer. IP does not provide reliability, so the device
cannot obtain the network fault information. By using ICMP, the device
can obtain the information about the network faults.
ICMP can send the information of error, control, and packet query. The ICMP packets are
encapsulated in IP packets. The value of the protocol field is 1. Some upper layer
applications may use the ICMP protocol, for example, ping and Tracert.
Page 115
page 102
The ICMP packet uses the basic IP header, namely 20 bytes. The ICMP packet is
encapsulated in the IP packet. The first 64 bits of the datagram refer to the ICMP
packet. Therefore, an ICMP packet consists of an IP packet and the first 64 bits of the
datagram.
The ICMP packet consists of the Type, Code, Checksum, and unused fields. The formats
of the messages vary with the message types. The details are omitted here.
Type: indicates the type of the ICMP message.
Code: in the same ICMP message type, the messages express different contents by using
the codes.
For example: The Destination Unreachable message of which the Type value is 3 contains
the following four types of messages:
0 = net unreachable
1 = host unreachable
2 = protocol unreachable
3 = port unreachable
Checksum: contains 16 bits. This field is not in use and the value is 0.
Page 116
page 103
ICMP provides the various message types. The following are commonly used:
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
Some messages are used together. For example, the Echo Reply message is the response
to the Echo message. The messages of the same type contain different information. The
following describes the message types and formats.
Page 117
page 104
Tracert is used to check the path from the source node to the destination node. It deducts 1
from the TTL value of the packet every time the packet traverses a router. When the TTL
value becomes 0, the router reports TTL timeout.
Tracert sends a packet of which the TTL value is 1, so the first hop returns an ICMP error
message to notify that the packet cannot be forwarded because the TTL times out. Then,
Tracert sends a packet of which the TTL is 2, and the second hop returns the same
message. Tracert continuously sends such packets until one packet can be sent to the
destination. The packet uses an invalid port number (33434 by default), so the destination
host returns an ICMP unreachable message to notify that the Tracert operation completes.
Tracert records the source address that sends the ICMP error message. Thus it can
provide the IP addresses of the gateways through which the user packets pass.
Tracert can also provide a function to test the connectivity. When a fault occurs on the
network, it can be located according to the path displayed by Tracert.
Page 118
page 105
Ping and Tracert are taken as an example here. The two methods can test whether RTA and
interface 3.3.3.3 of RTC can communicate.
As shown in the displayed information, the ping command can directly display whether the
RTC is reachable, while Tracert can display the forwarding path in details. The packet
reaches 10.1.1.2, and then to 10.2.2.2, and finally reaches 3.3.3.3. In addition, the tracert
command can locate the fault. In this example, if the displayed information is as follows, it
indicates that the packet can be sent to next hop 10.1.1.2, but cannot be forwarded by the
router, therefore the fault occurs between this router and the destination.
[RTA]tracert 3.3.3.3
traceroute to 3.3.3.3(3.3.3.3) 30 hops max,40 bytes packet
1 10.1.1.2 31 ms 31 ms 32 ms
2 * * *
Page 119
page 106
Telnet is used for the remote service. The user can log in to the remote server through Telnet.
The transport protocol used by Telnet is TCP and the port number is 23. The telnet command
is as follows:
telnet 192.168.1.22 23
192.168.1.22: IP address of the router server.
23: port number. The default value is 23. The value can be null. If the port number is not 23,
the user must enter the port number. For the detailed operation related to telnet based access
to a device, refer to the basic configuration of VRP.
Page 120
page 107
FTP is an Internet standard for file transfer. It adopts two TCP links to transfer a file. One is
control link and the other is the data link. FTP adopts different TCP ports according to the port
mode, Port or Passive. In the past, the default client mode is Port. In recent years, the Passive
mode is widely used because the Port mode is not secure (easy to be attacked.) In Port mode,
FTP adopts two default port numbers 20 and 21. Port 20 is used to transfer data, and port 21
is used to transfer commands.
The VRP routers can act as the FTP client or the FTP server. In this example, the PC
functions as the FTP client to log in to the FTP server through the FTP protocol. The PC run
the FTP program (that is, enter the ftp 1.1.1.1 command). The system displays the login
dialog box to request the user to enter user name and password, then the user can log in.
Page 121
page 108
If the VRP router needs to download a file from the remote server, it can act as the FTP
client to access files from the FTP server. Enter FTP IP address of the remote server in
the VRP system view. The user is prompted to enter the user name and password. Then,
the prompt is changed into [FTP]. It indicates that the user logs in successfully.
Get and Put are two operations performed on files. Get means downloading files from the
server, while Put means uploading files to the server. In this example, the Get vrpcfg.def
vrp1 command means that the client downloads the vrpcfg.dev file and saves the file as
vrp1.
Page 122
page 109
To upload files to the FTP server, use the put command. In this example, the Put
vrpcfg.def command means that the local file vrpcfg.def is uploaded to the authorized
directory of the FTP server and the file name is not changed. The configuration software
of the FTP server is different. The details are omitted here.
Page 123
page 110
The Trivial File Transfer Protocol (TFTP) is used when the user needs to transfer file
between server and client and complex interaction is not required. TFTP uses
UDP and the port number is 69. The VRP router can act as only the TFTP client to
download files from the TFTP server.
Page 124
page 111
1. What are the functions of Ping and Tracert?
They can test the connectivity of the network. Ping can provide the options to satisfy test
requirements, for example, specifying the source IP address and source port. Tracert can
obtain the forwarding path of packets. Besides, Tracert can also be used to judge the distance
to a destination.
2. What is the format of the ICMP packet?
The ICMP packet adopts the basic IP header (20 bytes). The packet is encapsulated in the IP
packet. The ICMP packet consists of the Type, Code, Checksum, and unused fields. The
formats vary with the message types.
3. What is the difference between FTP and TFTP?
FTP is based on TCP, while TFTP is based on UDP. TFTP is a simple file transfer protocol. It
is applicable to the read-only memory. FTP is designed for file transfer with high throughput.
FTP can control the user name and password, while TFTP cannot. The router can support FTP
Client and FTP Server, while TFTP supports only the Client.
Page 125
page 112
Page 127
page 113
In TCP/IP protocols, each layer has its own communication method, Data Link Layer use
MAC Addresses, the Network Layer use IP Addresses. After understanding the functions
of these layers, this course mainly introduces IP Addressing used at the Network Layer,
as well as packet forwarding between Network Layer devices, which is the basis for
routing.
This chapter introduces the layer 3 Network Layer in TCP/IP protocols. The main
function of the Network Layer is achieved through using the IP protocol, which includes IP
Addressing and IP Routing.
Page 128
page 114
Page 129
page 115
Page 130
page 116
As the slide shows, this procedure is called encapsulation, in which data is
transferred along the TCP/IP protocol stack, from the upper layer downward,
meanwhile, corresponding header and trailer are added. After the data
encapsulation and transmission in the network, the receiving equipment will delete
the information added, and decide how to deliver the data to proper application
along the TCP/IP protocol stack, according to the information in the header.
Among different layers of TCP/IP model, information is exchanged to ensure the
communication between network equipment. The PDU is used for exchanging
information. The PDU is different for different layers, and with different names. For
instance, in the transport layer, the PDU with TCP layer is called a segment; after
the segment is transmitted to network layer, and added with an IP header, the PDU
is called a packet. The PDU with layer 2 header is called a frame. Finally, the
frame is processed as bits, and transmitted through network media.
Page 131
page 117
The network layer receives data from the transport layer, and adds source address and
destination address into the data. As learned in previous chapters, the data link layer has
the physical address (MAC address), which is globally unique. When there is data to be
sent, the source network equipment queries the MAC address of the other end equipment,
and sends it out.
However, the MAC addresses are existent in a flat address space, without clear address
classification. Thus, it is only suitable for the communication within the same network
segment. Besides, the MAC address is fixed in the hardware, with poor flexibility. Hence,
for communication between different networks, usually it is based on IP
address based on software, to provide better flexibility.
Page 132
page 118
IP address is composed of 32 bits, which are divided into four octets, or four
bytes.
The IP address could be represented in the following methods:
Dotted decimal format:10.110.128.111
Binary format00001010.01101110.10000000.01101111
Hexadecimal format:0a.7e.80.7f
Usually, IP addresses are represented in the dotted decimal format; and seldom
in hexadecimal format. The hierarchical scheme for IP addresses is composed of
two parts, network and host.
The hierarchical scheme of IP addresses is similar to that of telephone
numbering, which is also globally unique. For example, the telephone number
010-8288248: the 010 represents the city code of Beijing, and 82882484
represents a telephone in Beijing city. It is the same for IP addresses. The
preceding network part of an address represents a network segment, while the
latter host portion represents the device in a given network segment. In using this
hierarchical design for every network layer device, the network is able to be
segmented. This mechanism enables routers to decrease the number of routing
table entries greatly, and increases routing flexibility.
Page 133
page 119
An IP address contains a network ID, which identifies a network segment
uniquely or identifies the aggregation of multiple network segments. The devices
in the same network segment use the same network ID. An IP address also
contains a host ID, which identifies a device in the network segment uniquely.
How to distinguish the network ID and the host ID? The Internet designer
classifies the IP addresses into five classes according to the size of the network,
namely, class A, class B, class C, class D, and class E.
The network ID of the IP address of class A is the first octet, and the first digit of
the first octet is 0. Therefore, the number of valid bits for network address in
class A address is 81=7. The first octet of class A address ranges from 1 to 126
(0 and 127 are reserved). For example, 10.1.1.1 and 126.2.4.78 are class A
addresses. The host
ID of the class A address is the last three octets, namely, the last 24 bits. The IP
address of class A ranges from 1.0.0.0 to 126.255.255.255. Each class A
network can have 224 IP addresses. The network ID of the class B address is
the first two octets. The first digit of the first octet is 1 and the second digit is 0.
Therefore, the number of valid digits of the class B network address is 162=14.
The first octet of class B address ranges from 128 to 191. For example, 128.1.1.1
and 168.2.4.78 are class B addresses.
The host ID of the class B address is the last two octets, namely, the last 16 bits.
The class B address ranges from 128.0.0.0 to 191.255.255.255. Each class B
network can have 216 IP addresses. The network ID of the class C address is
the first three octets. The first two digits of the first octet are 11, and the third digit
is 0. Therefore, the number of valid digits of class C network address is 243=21.
The first digit of the class C address ranges from 192 to 223. For example,
192.1.1.1 and 220.2.4.78 are class C addresses. The host ID of the class C
address is the last octet. The class C address range from 192.0.0.0 to
223.255.255.255. Each class C network can have 28=256 IP addresses. The
first three digits of the first octet of class D address is 111, and the fourth digit is
0. Therefore, the first octet of the class D address ranges from 224 to 239. The
class D address is used as the multicast address. The first octet of class E
address ranges from 240 to 255. It is reserved for research. The IP address
usually used are of class A, class B and class C. The IP addresses are allocated
by the International Network Information Center (InterNIC) according to the scale
of the company. Basically, the class A addresses are allocated to governments,
Page 134
page 120
the class B addresses are allocated to medium-sized companies, and class C addresses
are allocated to small-sized companies. With the fast development of the Internet and
also the waste of IP addresses, the IP address is becoming insufficient.
Page 135
page 121
An IP address uniquely identifies a device in the network. However, some IP
addresses cannot be used to identify devices, because they are used for some
special purposes.
The IP address with all 0s host ID is called network address. The network
address identifies a network segment. For example, class A address 1.0.0.0 and
private addresses 10.0.0.0 and 192.168.1.0 are network addresses.
The IP address with all 1s for the host ID is called a broadcast address. A
broadcast address identifies all the hosts in a network. For example,
10.255.255.255 and 192.168.1.255 are broadcast addresses. If the router sends
the packet to the broadcast address, all the nodes on the network segment can
receive the packet. The IP address with the network ID being 127 is the loopback
address, for example, 127.0.0.1, which is used for loopback test usually. The IP
address of all 0s refers to all the hosts. On the Huawei Quidway routers, IP
address 0.0.0.0 specifies the default route. IP address 255.255.255.255 is also a
broadcast address, but it stands for all hosts and is used to send packets to all
the nodes on the network. Such broadcast packets cannot be forwarded by
routers. In a network segment, some IP addresses cannot be allocated to hosts.
The number of IP addresses that could be allocated can be calculated. For
example, in class B network segment 172.16.0.0, an IP address has a 16-bit host
ID. There are 2 to the power of 16 IP addresses on the network segment, in
which 172.16.0.0 is the network address and 172.16.255.255 is the broadcast
address, so up to 2
16
- 2 IP addresses can be allocated to hosts.
In class C network segment 192.168.1.0, an IP address has an 8-bit host ID.
There are 2
8
=256 IP addresses on the network segment, in which 192.168.1.0 is
the network address and 192.168.1.255 is the broadcast address, so up to 254
IP addresses can be allocated to hosts. Therefore, the number of IP addresses
that can be allocated to hosts is calculated as follows: Suppose the IP address in
the network segment has an n-bit host ID, and then, the number of IP addresses
that can be allocated to hosts is 2n-2. A network-layer device (like router) uses
the network address to indicate the hosts on the network segment. Thus, the
number of entries in the routing table of the
router is greatly reduced.
Page 136
page 122
When planning IP addresses, usually private IP addresses are used within the
same company. Private IP addresses, reserved by InterNIC, can be freely used
by companies. The private IP addresses cannot be used to access the Internet.
The reason is that the private IP addresses cannot have corresponding routes on
the public network and the IP addresses may conflict.
When the user with private IP address needs access to the Internet, the private
IP address must be translated to the public address that can be identified by the
public network through Network Address Translation (NAT) technique. InterNIC
reserves the following network segments as the private IP addresses:
class A: 10.0.0.0-10.255.255.255;
class B: 172.16.0.0-172.31.255.255;
class C: 192.168.0.0-192.168.255.255.
By using the private IP addresses, the enterprises reduce the cost on buying
public addresses and the IP addresses are saved.
Page 137
page 123
Subnet masks are used to distinguish the network and host bits. In a subnet mask, the 1
bits represent the network, and 0 for host. The subnet mask of class A network in dotted
decimal format by default is 255.0.0.0, the subnet mask of class B network is 255.255.0.0,
and the subnet mask of class C network is 255.255.255.0.
Page 138
page 124
192.168.1.100 is a standard class C address. The subnet mask is 255.255.255.0. Hence
the network address of this IP address is 192.168.1.0.
Page 139
page 125
IP address is a collection of 32 binary digits or bits. Every 8 bits corresponds to a decimal
number. The decimal counting system is based on the power of 10: 10
1
10
2
, etc. And
binary counting system is based on the power of 2: 2
1
2
2
, etc. In a byte, from the right
to the left bit, the values corresponding as such, 2
0
2
1
2
2
2
7
. As the slide shows, for
this byte, from left to right, the decimal number represented are: 2
7
=1282
6
=642
5
=32
2
4
=162
3
=82
2
=42
1
=22
0
=1. The sum of them is 255. Thus, the byte (8 bits) with all
1 represents 255 in decimal.
Page 140
page 126
As this slide shows, for 11101001, calculate bit by bit as a decimal number, then convert
the binary to the decimal value.
Page 141
page 127
An IP address is a collection of 32 binary digits. It is represented by 4 bytes, each byte is
composed of 8 binary digits.
Page 142
page 128
IP networks without a subnet can be treated as a single network externally
without it being necessary to know what it looks like internally. For example, all
the routes to address 172.16.X.X is considered as originating from the same
direction, without consideration of third and fourth byte. This reduces the number
of routes in the routing table. However in this way, different subnets cannot be
distinguished. Thus, all the hosts in the network may receive broadcasts for the
network, which reduces the network performance, and not convenient for
network management.
For example, a class B network can contain 65000 hosts. If the user applied for
the class B address only needs 100 IP address, it is a huge waste since the
addresses left cannot be used by others. Hence, a method is needed to divide
this kind of network into several segments, and to manage it according to
different sub networks.
Page 143
page 129
From the view of address allocation, a subnet is the extension of a network
address. The network administration can decide the size of the subnet according
to the need of development of organization. Using Subnet Masks, the network
devices can determine from the IP address which bits represent the network and
which bit represent the hosts. In using subnets, the network addresses are used
more efficiently. Externally, it is still a single network, however internally, it is
divided into several different subnets. As the slide shows, the network 172.16.0.0
is divided to two network segments:
172.16.4.0 and 172.16.8.0.
If a financial department of some company uses the subnet 172.16.4.0; and the
engineering department uses subnet 172.16.8.0. Thus, the routing could be
implemented according to the destination subnet address, so as to limit the
spread of broadcast packets of one subnet to other subnets and improve general
the network performance.
Page 144
page 130
After learning the conversion between binary and decimal, it is easy to understand the
corresponding relationship for that of IP address and subnet masks. In this slide, the
number of bits of a subnet mask is 8+8+8+4=28, which indicates the number of
consecutive 1 in the network mask is 28, i.e., the network address bits is of a 28-bit
length. The subnet can be represented in another method: as /28, indicating that the first
28 bits represent the network ID.
Page 145
page 131
As shown in the slide, the IP address and subnet mask are already known. The network
address is obtained from the AND operation between the IP address and the subnet
mask. The AND operation is 1&1=1, 1&0=0, and 0&0=0. Therefore, the calculation of the
AND operation for the example in this slide is as follows:
11000000, 10101000, 00000001, 00000111
&11111111, 11111111, 11111111, 11110000
11000000, 10101000, 00000001, 00000000
The calculation result is the network address.
Page 146
page 132
The number of hosts is calculated through the subnet mask. First, it is necessary to
identify how many 0s there are in the subnet mask. As shown in the above figure, if there
are N-bit 0s, then, the number of hosts is 2n. The number of IP addresses that can be
allocated to the host is 2n -2 (minus the network address which is all 0s and the
broadcast address which is all 1s).
Page 147
page 133
This example shows the calculation of host quantity.
The subnet mask of class A address is 255.0.0.0, namely, 24-bit host ID. The
subnet mask of class B address is 255.255.0.0, namely, 16-bit host ID. The
subnet mask of class C address is 255.255.255.0, namely, 8-bit host ID.
This example is a class C address. The standard subnet mask has an 8-bit host ID, and
in this case, the first 4 bits of it are also used as the subnet mask. The maximum number
of hosts is 2
8-4
.
Page 148
page 134
In this example, the network address is of class C: 201.222.5.0. Suppose 20
subnets are needed, and 5 hosts in every subnet. it is necessary to divide the
last byte for subnet and host. The bits of the subnet decide the number of
subnets. In this example, because it is a class C address, there are 8 bits for
subnet and hosts. And since 24<20<25 , there are 5 bits for subnets, and the
maximum subnets which could be provided are 32(25). And the 3 bits left are for
host, and 2
3
=8, deducting the network address and broadcast address in this
network, which is 8-2=6. It is can meet the network requirements.
And each network segment is as follows:
201.222.5.0~201.222.5.7
201.222.5.8~201.222.5.15
201.222.5.16~201.222.5.23
201.222.5.232~201.222.5.239
201.222.5.240~201.222.5.247
201.222.5.248~201.222.5.255
Page 149
page 135
For the network of class B, if there are 8 bits for subnet, then 256 subnets could
be provided, and 254 hosts could be included in each subnet.
Subnet bits subnet mask subnet number host number in each subnet
1 255.255.128.0 2 32766
2 255.255.192.0 4 16382
3 255.255.224.0 8 8190
4 255.255.240.0 16 4094
5 255.255.248.0 32 2046
6 255.255.252.0 64 1022
7 255.255.254.0 128 510
8 255.255.255.0 256 254
9 255.255.255.128 512 126
10 255.255.255.192 1024 62
11 255.255.255.224 2048 30
12 255.255.255.240 4096 14
13 255.255.255.248 8192 6
14 255.255.255.252 16384 2
Page 150
page 136
For the network of class C, if there are 5 bits for subnet, then 32 subnets could be
provided, and 6 hosts could be included in each subnet.
Subnet bits Subnet mask Host number in each subnet Subnet number
1 255.255.255.128 126 2
2 255.255.255.192 62 4
3 255.255.255.224 30 8
4 255.255.255.240 14 16
5 255.255.255.248 6 32
6 255.255.255.252 2 64
Page 151
page 137
A network can be divided into multiple subnets, and each subnet uses a unique
ID. But the number of hosts in every subnets may be different. If the length of
subnet mask is fixed and the number of IP addresses in the subnets is the same,
lots of IP addresses are wasted. In this case, the variable length subnet mask
(VLSM) technique can be used. If the subnet has lots of nodes, the subnet mask
could be shorter. The IP address with shorter subnet mask represents less
networks/subnets, but more IP addresses can be allocated to hosts. If the subnet
has a few nodes, the subnet mask could be longer. The IP address with longer
subnet mask represents more logical networks/subnets, but less IP addresses
can be allocated to hosts. Such addressing scheme can save lots of IP
addresses, which can be used in other subnets. As shown in the above figure, a
company deploys the IP addresses subnet planning with class C address
192.168.1.0. The company has bought five routers. One router, which works as
the gateway of the intranet, is connected to the local ISP. The other four routers
are connected to four branch offices. Each office has 20 PCs, so each office
needs 20 host addresses.
As shown in the above figure, 8 subnets are required. 4 offices need 21 IP
addresses (including a router interface). The 4 network segments connected with
the gateway need 2 IP addresses. The IP address number of every network
segment is different, so the VLSM could be used. The four network segments for
the office adopt the subnet mask 255.255.255.224, 3 bits for subnet, and 5 bits
for hosts. This means at most 25-2=30 hosts could be included. The four network
segments connecting office router and gateway, are support 6 bits for subnet,
and 2 bits for hosts, therefore at most 2 hosts could be included.
Page 152
page 138
Classless Inter-Domain Routing (CIDR), defined by RFC 1817,does not adhere
to the IP address classification. It can aggregate multiple routes into one, so to
minimize the size of the routing table and improve the scalability of the router. As
shown in the above figure, some class C networks are allocated to the ISP,
198.168.0.0-198.168.255.0. The ISP allocates the class C networks to the user
groups. At present, three class C networks have been allocated to user groups. If
the CIDR technique is not used, the routing table of the ISPs router has three
routes connected to the downlink network segments, and the routes will
advertise them to the routers on the Internet. By the CIDR technique, the three
routes 198.168.1.0, 198.168.2.0, and 198.168.3.0 can be aggregated into one
route 198.168.0.0/16. Thus, the ISPs router advertises only route 198.168.0.0/16
to the Internet, and the number of entries in the routing table is reduced. It should
be noted that the number of bits of the network addresses aggregated by CIDR
must be the same. As shown in the above figure, if the ISP is connected to
network segment 172.178.1.0, then the routes of the network segments cannot
be
aggregated.
Page 153
page 139
Page 154
page 140
Address Resolution Protocol (ARP) is a broadcast protocol, through which the
host can dynamically find the corresponding MAC address of an IP address.
Every host has an ARP cache, with the mapping table between IP address and
physical address, which are currently known by the host. When host A wants to
send an IP packet to host B in the same LAN, it will first look up the ARP cache
to find whether there is IP address of host B in the table. If so, the corresponding
physical address could be found, and to send the data packet according to the
physical address.
Sometimes, the corresponding IP address of host B cannot be found. It is
possibly because host B just joined the network, or host A has just powered and
on whose ARP cache is empty. In this case, suppose host A needs to know the
MAC address of host B. host A will send ARP Request to every host in the
network segment by broadcast. In the ARP Request, the mapping information of
its own IP address to MAC address is contained, as well as the destination IP
address needs to be resolved. When the destination host B receives the request
packet, it stores the mapping information of host A into its ARP cache, and sends
its own mapping information from IP to MAC address back to host A. After host A
receives the ARP Reply, it obtains the MAC address of host B. At the same time,
host A puts the mapping information of host B into its ARP cache.
Page 155
page 141
The function of Proxy ARP is to make hosts or routers in different networks segment can
communicate. Usually, when a router R receives an ARP Request, it will check whether
the requested destination address is its own: if so, the ARP Reply will be sent; if not, the
request packet is discarded.
However, if the router R enables the Proxy ARP function, when router R receives an ARP
Request, and finds the destination address is not its own, router R will not discard the
packet immediately. Instead, router R looks up the routing table, if there is a route to this
destination, it will send its own MAC address to the request party, and the request party
will send the packet with this destination to router R, and router R will forward it further.
Page 156
page 142
Gratuitous ARP: The host sends ARP Request to find the corresponding MAC
address of its own IP address. If in the network, there is no another host with the
same IP address, the host will not receive any reply. However, if the host
receives reply, it indicates that another host in the network is configured with the
same IP address. Hence, in the terminal log of host, an error information will be
created, indicating that a duplicate IP address is configured.
Functions of Gratuitous ARP:
1. Through sending Gratuitous ARP packets, it could be confirmed whether there
is IP address conflict in the network. If the Request party receives a Gratuitous
ARP reply, it indicates that there is an equipment with a duplicate IP address.
2. Updating the old hardware address information. If the host sending Gratuitous
ARP just changes its hardware address, such as changing network card, the
Gratuitous ARP could be used to update the old hardware address information.
When the receiving party receives an ARP Request, and this ARP information
already exists in the ARP table, then the receiving party must update the old
ARP information table, using the address information in the new ARP Request.
Page 157
page 143
Sometimes, RARP ( Reverse Address Resolution Protocol) is needed when dealing with
diskless workstations. This equipment knows its own MAC address, and needs to obtain
IP address. In order to make RARP work properly, in the LAN, at least one host has to be
the RARP Server. In this example, the diskless workstation needs its own IP address. It
broadcasts the RARP Request in the network. The RARP Server receives this broadcast
request, and sends the reply. Thus, the diskless workstation will obtain the IP address.
Similarly with ARP Request, RARP Request are sent using broadcasts, ARP Reply and
RARP Reply are usually forwarded as unicast packets
Page 158
page 144
Page 159
page 145
The main function of a router is to interconnect different networks. The data must
also be capable of being forwarded to the Internet.
Data forwarding: A router should have the ability to forward data packets
according to the destination address of data packets.
Routing: In order to forward data packets, the router should have the ability to
establish, update and forward data packets based on routing table.
Backup, traffic flow control: In order to guarantee the reliability of network,
usually, the router has the ability to switch to backup link and the function of
traffic flow control.
Speed adapting: Different interfaces have different speeds, the router can
implement the adjustment according to its buffer and other flow control protocols.
Isolating network: The router can isolate broadcast network and prevent
broadcast storms. At the same time, it can apply flexible filter policy to the data
packet, to guarantee network security.
Interconnecting heterogeneous networks: Presently, at least two kinds of
network protocols could be implemented in the router to interconnect
heterogeneous networks. For example, routers that support ATM and FR
interfaces can be considered as belonging to a router that can interconnect
heterogeneous networks.
Page 160
page 146
The slide shows the working process of a router:
At the physical layer, the packet is received by one of the router interfaces, and is sent to
the upper layer which is data link layer. The Data Link Layer will de-encapsulate the
frames, and send to the Network Layer based on the protocol field of the packets. The
network layer will firstly check whether the packet is intended for the local host.
If so, the network layer encapsulation is de-encapsulated, and the packet is sent to upper
layer. If not, the router will check the routing table according to the destination address of
the packet. If a route item could be found, the packet is sent to data link layer of the
corresponding port, after the encapsulation of data link layer, the packet is sent. If no
route could be found, the packet will be discarded, and relative error information would be
sent to the source of the packet.
Page 161
page 147
The ability to forward data packets is due to the routing table. Every router
maintains a routing table, in which every route indicates the corresponding
physical port of the router through which the destination subnet or host could be
reached. In the routing table, the following key items are included:
Destination: It is used to identify the destination address or network of the IP
packet.
Mask: Together with the destination address, it is used to identify the network
segment address in which the destination host or router is located. After
implementing logical AND to the destination address and network mask, the
network segment address could be obtained in which the destination host or
router is located.
Interface: Indicates to the current router, through which interface the IP packet is
to be forwarded.
Next Hop: Indicates the interface address of the next router through which the IP
packet should pass.
Page 162
page 148
1. What is IP address classification?
IP addresses are divided into Classes A, B, C, D and E. Among them, Class D is
multicast address; Class E is reserved address. In Class A, B, and C, each has
its own private address space.
2. What is the function of ARP/RARP?
ARP stands for Address Resolution Protocol, which is used to analyze the
corresponding MAC address for an IP address; RARP stands for Reverse
Address Resolution Protocol, which is used to analyze the corresponding IP
address for a MAC address.
3. What is the principle function of a router?
At the physical layer, the packet is generally received by one of the router
interfaces, and is sent to the upper layer, namely the data link layer. The data
link encapsulation is de-encapsulated, and according to the protocol field of
packets, it is sent to network layer. For network layer, first of all, it checks
whether the packet is intended for the local host. If so, the network layer
encapsulation is decapsulated, and the packet is sent to the upper layers. If not,
the router will check the routing table according to the
destination address of the packet. If a route item could be found, the packet is
sent to data link layer and the corresponding interface, after the encapsulation of
data link
layer, the packet is forwarded. If no route could be found, the packet will be
discarded, and relative error information would be sent to the packets source.
Page 163
page 149
page 150
Page 167
page 153
Page 168
page 154
Page 169
page 155
Page 170
page 156
VRP is the network operation system used by Huawei based routing & switching products.
VRP can be used as general software platform of all Huaweis network devices to
provide TCP/IP routing services. Currently version 5.7 is used for many products.
Page 171
page 157
VRP adopts componentized architectureVRP is made up of five planes: GCP, SCP DFP
SMP and SSP.
For example, GCP is General Control Plane, it supports internet protocols such as IPv4
and IPv6. The protocols and functions that GCP supports include SOCKET, TCP/IP, route
management, routing protocols and so on VRP just needs to add or delete corresponding
planes to fit different switch or router functionality.
Page 172
page 158
Page 173
page 159
At present, Huaweis routers and switches support three configuration modes, two of which
are listed as follows:
Local configuration through the Console port
Local or remote configuration through Telnet
Page 174
page 160
You can build a configuration environment only through the Console port for the two
following occasions:
(1)The router is powered on for the first time. There is only default configuration
(2) You can directly connect the device
The procedures of configuring a router through the Console port are as follows:
Procedure 1: Connect the console cable
(1) Connect the RJ45 connector to the Console port of the router.
(2) Connect the 9-pin or 25-pin RS232 connector to the serial port (COM) of the computer.
Page 175
page 161
Procedure 2: Create the super terminal
(1)Run the terminal emulation program, for example, Super Terminal of WIN XP,
on the PC.
2Click Start > Program > Communication > Super Terminal
3Input any characters as the name after New Connection appears and choose a COM
connection and click OK, then a page as above appears. The port settings should be
configured in accordance with the image, then click OK
Page 176
page 162
If it is not the first time for the router to be powered on and you cannot directly connect to the
router console port, it may be possible depending on the current device configuration settings,
to use TELNET to enter the device. There are two methods you may use to configure the
router, either from a PC through the local network to directly Telnet to the router from a PC
using a console connection to a router (e.g. router1), and then Telnet from this router to
another router. The device running the VRP system operation can serve as a TELNET client.
Page 177
page 163
For the PC to use Telnet to reach the Telnet server requires two conditions to be met
1Client and server must be able to communicate
2The server is configured to allow clients to use the Telnet service establish a session.
In the example given, the configuration is represents the router configuration that is acting
as the Telnet server. The initial step requires configuration of the router Ethernet interface,
to make sure the client and the server (router) can communicate. The second step involves
configuration of the VTY interface including selecting the password mode as the
authentication mode of Telnet, setting user permission level.
Page 178
page 164
Page 179
page 165
After accessing the router, the user will be given the prompt in user view. It is from here
that the user can switch to the system view by entering the System-view command. It is
then possible to enter views of other services by running corresponding commands in the
system view. Commands that can be run in different views can be seen listed in the graphic.
Page 180
page 166
When accessing the device for the first time, all users will start off in the user view, from
where users can switch to the system view using the System-view command. The system
view can be switched back to the user-view after entering the quit command. It is possible
to return to the user view from any view by entering the return command or using the
composite key command <Ctrl+Z>.
For example
#Enter the system view from the user view.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z
#Enter the interface view from the system view.
[Quidway]interface Serial 0/0/0
[Quidway-Serial0/0/0]
#Return to the system view from the interface view.
[Quidway-Serial0/0/0]quit
[Quidway]
#Return to the user view from the system view.
[Quidway]return
<Huawei>
Page 181
page 167
In this example, through using the ? command, it is possible to obtain a brief of all the
commands at a given level. All levels will support the use of this command to display
possible completions. Another use of this command will allow for completion based on
matches to a partial entry. If only the first letter of a command can be recalled, the ?
command can be inserted as shown in the example above, in order to obtain all the
commands with the same matching parameters, in this case, the same first letter.
Page 182
page 168
VRP supports two languages and allows users to enter the language-mode command to
switch between the two languages. The procedure is as follows:
<Huawei>language-mode ?
chinese Chinese environment
english English environment
<Huawei>language-mode chinese
Change language mode, confirm? [Y/N]y
Info:Switchto the Chinese mode.
<Huawei>
Page 183
page 169
The command line interface automatically stores commands input by users which so that
users can recall used commands at any time and repetitively. By default,
the command line interface can keep records of up to 10 commands for a user.
display history-command:
To display the commands that a user has input.
Up-arrow key or <Ctrl+P>:
Display the earlier record if there is one; otherwise the alarm goes off.
down-arrow key or <Ctrl+N>:
Display the next record if there is one; otherwise, the command is cleared up and the alarm
goes off.
When you use the command record function, please note the following:
(1) The format of command records kept by VRP complies with the format of commands
input by users. If the format of commands input by users is not intact,
then the format of commands kept by VRP is not intact either.
(2) If a command is run by a user for many times, VRP only keeps the first running of this
command as record. If a command is run in different formats several times, it is treated as
different commands. For example, if you run the display ip routing-table command
several times, VRP will keep it as only one record. If you run disp ip routing and display
ip routing-table, VRP will keep them as two records.
Page 184
page 170
Do as following to change the name of a router:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]
[Quidway]sysname Router1
[Router1]
Page 185
page 171
Some services require that there be synchronization of time with other devices, often as a
security measure and therefore the system time should be set correctly.
VRP supports the setting of the time zone and daylight savings time features.
#Set the time.
<Huawei>clock datetime 10:19:30 2006/12/12
<Huawei>
<Huawei>display clock
10:19:36 UTC Tue 2006/12/12
<Huawei>
Page 186
page 172
You can display the VRP version information by running the display version command.
<Router>display version
Huawei Versatile Routing Platform Software
VRP WVRP-CEN Software Version VRPV5R1B12D054
Copyright (c) 2003-2010 by VRP Team Beijing Institute Huawei Tech, Inc
The version is VRPV5R1B12D054.

You can view the information about terminal users by running the display users command.
<Router>display users
User-Intf Delay Type Network Address AuthenStatus
+ 0 CON 0 00:00:00
Username : Unspecified
You can view the configurations in the current view by running the display this command. For
example, you can view the configurations of the interface after you enter the interface view:
[Router]interface Ethernet 0
[Router-Ethernet0]display this
#
interface Ethernet0
ip address 13.13.13.2 255.255.255.252
isis enable 1
#
return
You can obtain the diagnostic information by running the display diagnostic-information
command.
Page 187
page 173
VRP manages software and configuration files through the file system. The file system is
used for managing the files and directories in the storage device, which
includes creating the system file, changing names of files and directories, creating, deleting,
modifying files and directories and display files. The two main functions of the file system are
storage device management and files management. The storage device is the hardware
device that keeps information. At present, flash memory, hard disks and CF cards can be
used by routers as storage devices. Different products use different devices to store
information. File system is a mechanism for information storage and management. File
directories are mechanisms for organizing files and they are the logical vessels for keeping
files.
Delete a file
<Huawei> delete flash:/test/test.txt
Delete flash:/test/test.txt?[Y/N]
<Huawei>
Restore the file that was deleted.
<Huawei> undelete sample.bak
Undelete flash:/test/sample.bak ?[Y/N]:y
% Undeleted file flash:/test/sample.bak
Delete files in the recycle bin.
<Huawei> reset recycle-bin
Display a file.
<Huawei> more test.txt
AppWizard has created this test application for you. This file contains a summary of what
you will find in each of the files that make up your test application.
Test.dsp
Copy a file.
<Huawei> copy hda1:/sample.txt flash:/
Copy hda1:/sample.txt to flash:/sample.txt ?[Y/N]:Y
% Copyed file hda1:/sample.txt to flash:/sample.txt
Page 188
page 174
Create a directory
<Huawei> mkdir dd
Created dir dd.
Delete a directory
<Huawei> rmdir test
Rmdir test?[Y/N]:y
% Removed directory test
Display the current directory
<Huawei> pwd
flash:/test
Page 189
page 175
Format storage device
<Huawei> format flash:
All data on flash: will be lost , proceed with format ? [Y/N]:y
%Format flash: completed.
Fix storage device whose file system is abnormal
<Huawei> fixdisk flash:
Fixdisk flash: will take long time if needed.
Fixdisk flash: completed.
Be careful with the format command. It deletes all the files in the storage device once you
run it.
Page 190
page 176
When the router is powered on, it reads the configuration file from the default storage path
to initialize itself. The configuration in the configuration file is called
the initial configuration. If there are no configuration files in the default storage path, the
router will initialize itself with the default parameters. The configuration used when the
router is running is called the current configuration.
Users can change the current configurations of the router through the command line
interface. To make the current configuration to be the initial configuration for
the router when the router is powered on next time, you need to save the current
configuration in the default storage path with the save command. You can view the saved
configuration of the router by running the display saved configuration command.
You can view the current configuration of the router by running the display current-
configuration command.
You can save the current configuration by running the save command. The detailed
procedure is as follows:
<Huawei>save
The current configuration will be written to the device.
Please make sure configuration recovery has been finished.
Are you sure?[Y/N]y
Now saving the current configuration to the device.....
Info:Thecurrent configuration was saved to the device successfully
You can erase the configuration file in the storage device by running the reset saved-
configuration command. The detailed procedure is as follows:
<Huawei>reset saved-configuration
Page 191
page 177
The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure.
Are you sure?[Y/N]y
Now clearing the configuration in the device.
Info:Clear the configuration in the device successfully
You can run the compare configuration command to make comparisons between the
current configuration and the configuration in the configuration file
stored. The following shows that the message displayed indicates that the current
configuration is not the same as the stored configuration.
<Huawei>compare configuration
Warning:Thecurrent configuration is NOT the same as the saved configuration!
====== Current configuration line 31 ======
ospf 1
====== Saved configuration line 31 ======
Page 192
page 178
VRP can backup its software and configuration files through FTP, TFTP and XMODEM.
Here we will introduce the basic operations for routers or switches to obtain version files
through the three modes, which is the general knowledge about version update. For details
about version update methods and procedures, please refer to the update guidelines we
provide for a product or a specific version of a product.
FTP, TFTP and XMODEM are all file transport protocols for transporting files between
users and devices.
File Transfer Protocol (FTP) is based on TCP and takes the mode of Server/Client. VRP
can act both as the FTP server and the FTP client. When it acts as the FTP server, users
can log in to the router to visit files on the router by running the FTP client program. When
VRP acts as the FTP client, users can run FTP commands to connect with the remote FTP
server and then visit files on the remote host after they built connections with the router
through the terminal emulation program or Telnet.
Trivial File Transfer Protocol (TFTP), different from FTP, does not require any
authentication mechanisms, which is fit for an environment that does not involve much
interaction between clients and servers. TFTP is based on UDP and takes the mode of
Server/Client. TFTP transfer is initiated by the client. When there are
files to download, the client sends requests to the TFTP server for reading the files and
receives packets from the server and at last, it sends confirmation to the
server. When there are files to upload, the client sends requests to the TFTP server for
writing the files and sends packets to the server and at last, it sends confirmation to the
server. TFTP files have two modes, one is the binary mode that is used for program files
and the other is the ASCII mode that is for text files.
VRP can only act as the TFTP client and can transfer files only in the binary mode.
XModem protocol transfers files through serial ports, which is widely used for its simplicity
and capabilities. VRP supports receiving program through XModem
which can be applied to the AUX interface.
Page 193
page 179
As the above figure illustrates, the PC and Router A are connected through serial ports
and Router A and the FTP server are connected to the LAN. Router A
obtains version files from the FTP server as the FTP client. Set the username and
password to quidway and huawei respectively on the FTP server. Log in to Router A from
the PC by the super terminal and make the following operations to obtain version files.
#Log in to the FTP server from Router A.
<Router> ftp 172.16.104.110
Trying 172.16.104.110 ...
Connected to 172.16.104.110.
User(172.16.104.110:(none)):quidway
331 Give me your password, please
Password:
230 Logged in successfully
#Obtain the version file vrp.cc from the FTP server by running the get command.
[ftp] get vrp.cc
150 "D:\system\vrp.cc" file ready to send (5805100 bytes) in IMAGE / Binary

mode
226 Transfer finished successfully.
FTP: 5805100 byte(s) received in 19.898 second(s) 291.74Kbyte(s)/sec.
Page 194
page 180
As the above figure illustrates, the PC and Router A are connected through serial ports and
Router A and the FTP client are connected to LAN. Router A is configured as the FTP
server to obtain version files from the FTP client. Run the following commands to configure
Router A as the FTP server.
#Enable the FTP server on the router.
[Quidway]ftp server enable
#Enter the AAA view and configure the authentication and authorization of the FTP server.
Only users that pass the authentication and are authorized successfully can enjoy the
services offered by the FTP server.
[Quidway]aaa
#Create a local user named quidway.
[Quidway-aaa] local-user quidway
#Set the service type to FTP.
[Quidway-aaa] local-user quidway service-type ftp
#Configure the password to huawei.
[Quidway-aaa] local-user quidway password simple huawei
#Configure the authorization directory of FTP users on the FTP server.
[Quidway-aaa] local-user quidway ftp-directory flash:/ftp/quidway
Page 195
page 181
As the above figure illustrates, the PC with the IP address of 10.111.16.160 runs the TFTP
software to act as the TFTP server and Router A obtains version software from the TFTP
server.
Run the following command on Router A to obtain version software.
#Run the tftp command to obtain the vrp.cc file and save it under cfcard:/.
<Huawei> tftp 10.111.16.160 get vrp.cc cfcard:/vrp.cc
Run the dir command to check if the version file is obtained and save in the
defined directory.
<Huawei> dir
Directory of cfcard:/
0 -rw- 86211956 Jun 08 2006 15:20:14 v300r001b02ssp02.cc
1 -rw- 40 Jun 24 2006 09:30:40 private-data.txt
2 -rw- 396 May 19 2006 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2006 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2006 17:46:46 1.cfg
5 -rw- 14343 May 19 2006 15:00:10 paf.txt
6 -rw- 6247 May 19 2006 15:00:10 license.txt
7 -rw- 14343 May 16 2006 14:13:42 paf.txt.bak
8 -rw- 80975644 Jun 08 2006 14:50:20 v300r001b02msp06.cc
9 -rw- 86235884 Feb 05 2001 10:23:46 vrp.cc
508752 KB total (261112 KB free)
Page 196
page 182
Page 197
page 183
Simple Network Management Protocol (SNMP) is a widely used network management
protocol. SNMP is a protocol that works at the application layer and the transport layer
protocol is UDP. It takes up the 161 and 162 ports.
SNMP consists of NMS and Agent. NMS stands for Network Management Station which
sends requests to Agent. Agent is a process or task that resides on the
device that is managed. Agent makes analysis and obtains information after it receives
requests fromNMS and then it generates responding packets to send
back to NMS. SNMP is the application protocol that defines how to deliver management
information between NMS and Agent.
SNMP defines two operations, namely GET and SET. The GET operation is for obtaining
management information fromthe device that is under management.
The SET operation is for setting variable values to configure the management device. Trap
is generated by Agent and it reports abnormalities of the managed device to NMS. Once
NMS receives the trap, it takes measures such as polling detection to diagnose problems
and take methods to solve problems and make changes to the data of network
management.
Page 198
page 184
[Quidway]snmp-agent //Enable the SNMP Agent service
[Quidway]snmp-agent sys-info version v3 //Configure the SNMP version information.
[Quidway]snmp-agent community read public //Configure the name of the SNMP read
community.
[Quidway]snmp-agent community write private //Configure the name of the SNMP write
community.
Note: The configurations of Agent should agree with that on the NMS.
[Quidway]snmp-agent trap enable //Enable the router to send Trap.
[Quidway]snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000
params securityname public Configure the destination address of Trap, the UDP port
number and community attributes.
Page 199
page 185
1. How is a console connection established?
Connect the PC serial port with the Console port of the router by the normal line and run the
terminal emulation software such as the windows terminal emulation software. Configure
the parameters correctly and then log into the router to configure.
2. What are the VRP command levels and command views?
The VRP command levels include the visit level, the monitor level, the config level and the
manage level. The command views involve the user view, the system
view, the interface view, and the routing protocol view, and so on.
3. How to create a Telnet user?
Enter the vty user view and configure the authentication mode and the password for
authentication and configure user permissions.
4. What protocols can be used to upgrade VRP file?
FTP, TFTP & XMODEM.
Page 200
page 186
Page 202
page 187
Each layer of the TCP/IP layered model has its own function and role. Built around the
main principles of network layer addressing and routing. This section of Routing Protocol
Basics focuses on details of IP address structure, address classification and subnet
planning; In addition, how the data packet is carried in network, and router principles are
further illustrated. Routing protocol basics is a basic course with great significance for
understanding the different routing protocols. Based on previous sections, this section
focuses on how the packet is forwarded between routers and the structure of the routing
table.
Page 203
page 188
Page 204
page 189
A router provides mechanisms for interconnecting networks of different
structures which makes the transfer of packets among networks a reality. Routes
are
decisions made regarding the path over which the forwarding of packets will
occur for a given destination.
In the internet, routes are decided by routers. A router chooses an appropriate
route according to the destination address in the header of the packet and sends
the packet to the next router. The last router on the route is responsible for
delivering the packet to the destination host. The whole process is very similar to
a relay race. Each router focuses only on finding an optimal route and forward
packets to the next station along that route. In this way, packets are delivered
from one router to the next until they reach their destinations. However, packets
do not always travel along the best route if some routing policies cause
interference.
In the example above, RTA is going to send a packet to a destination in network
N. By searching the routing table, RTA finds the egress to network N is E0/0 and
the next hop router is RTB. Then RTA sends out the packet through E0/0 to RTB
and RTB forwards the packet to RTC in the same way and so on until the last
router RTC sends the packet to network N. The packet is sent following the route
RTA-RTB-RTC-network N
Page 205
page 190
Here we take the previous example to explain the process of IP routing. As the above
figure shows: RTA connects with network 10.3.1.0 on the left and RTC connects with
network 10.4.1.0 on the right. Here is a datagram to be sent from network 10.3.1.0 to
network 10.4.1.0. The process of IP routing is as follows:
1. The packet is sent to E1 port of RTA that directly connects with network 10.1.1.0.After
receiving the packet, RTA looks up the routing table and finds that
the next hop to the destination is 10.1.2.2 and the egress is E0. Then the packet is sent
out from E0 to 10.1.2.2.
2. When the packet reaches E0 port of network 10.1.2.2, RTB looks up its routing table to
find the route to the destination of the packet. The routing table tells that the next hop
to the destination is 10.2.1.2 and the egress is E1. Then the packet is sent out from
E1 to head for its next hop, network 10.2.1.2.
3. When the packet reaches E0 port of network 10.2.1.2, RTC looks up its routing table
and finds that the destination of the packet is in its own segment and
the next hop for the packet is 10.4.1.1 and the egress is E1. Then the packet is sent out
from E1 to its destination.
0
Page 206
page 191
The analysis of the process of IP routing shows us that data forwarding is totally dependent
on the information in the routing table. To function effectively and
efficiently, a router should:
1. Check the destination of a packet: Does the router have information about the destination
of the packet?
2. Find the source of the information: Where is the information about the route to the
destination from? Is it defined by the administrator statically? Or is it obtained from other
routers?
3. Search for possible routes to the destination: What are the possible routes to the
destination?
4. Select the best route: which is the best route to the destination? Should the router use
the loading balance mechanism to send the packet by multiple routes?
5. Verify and maintain routing information: Is a route valid? Is it the latest?
Routers have to verify and maintain routing information to ensure that the information is
correct.
Page 207
page 192
Routers check the destination of the packets they receive and if the destination of the
packets is not the interface of local routers, they will look up their routing tables to find out
to which port the packets should be forwarded.
1. If the destination network connects with the router directly, the router knows to which port
the packet should be forwarded.
2. If the destination network does not directly connects with the router, the router should
find out of the possible routes to send the packet and then select one of them to forward the
packet. Routes in the routing table can be sorted to three categories according to their
sources:
1. Routes found by data-link layer protocols (interface routes or direct routes)
2. Static routes manually configured by network administrators.
3. Routes found by dynamic routing protocols.
Page 208
page 193
The protocol field in the routing table indicates the source of the routes. Routes come from
three sources. The first source is those routes discovered by the data-link layer. When
data-link layer protocols are up, routes of this sort are generated and their protocol field
value in the routing table is shown as direct. Routes discovered by the data-link layer do
not need maintenance, which reduces the workload. However, data-link layer can only find
routes to segments directly connected with its interfaces and can not discover routes that
cross segments. Routes that cross segments can only be discovered by other methods.
Page 209
page 194
The second source is the statically configured routes. Static routes are configured by
administrators manually and they can also help to build connectivity between networks.
Static routes however cannot make adjustments automatically when networks fail. They must
be managed by administrators.
Page 210
page 195
The last group of routes are discovered by dynamic routing protocols. Configuring routes
statically for a network with a complicated topology is a demanding task and may result in
errors easily. So it is better to use dynamic routing protocols to find and change routes, which
does not need manual maintenance. However, the cost of dynamic routing protocols is. As
the figure above shows, routes whose Proto field values are RIP and OSPF are routes
discovered by RIP dynamic routing protocol or OSPF routing protocol. Details about dynamic
routing protocols will be given later.
Page 211
page 196
As we mentioned just now, routes come from three sources. Here, we make a comparison
between static routes and dynamic routes.
1. Static routes must be defined by administrators. When the network topology changes,
administrators have to change the configurations of static routes
manually. Static routes are more suitable for simple and small networks. If the network is
complicated, administrators may struggle to support the complexity and work needed to
manage numerous static routes.
2. Routing protocols collect network information for dynamic routes. When the network
topology changes, routers update their information automatically without the help of
administrators.
Page 212
page 197
Routing protocol is a language that works for the communication between
routers. With the routing protocol, routers can share information about routes
and network status. Only routers that use the same language can communicate
with each other. Routers that do not speak the same language may obtain
information from each other with other approaches, but it will not be discussed
here. Routing protocols set down a set of rules for the communication between
routers. And routers maintain their routing tables and offer the best routes
through routing protocols.
Page 213
page 198
An AS is a set of networks under unified management. According to their working area,
routing protocols can be divided into:
1. Interior Gateway Protocol (IGP): a protocol for exchanging routing information between
gateways within an autonomous network. The protocols we introduce here like RIP and OSPF
are IGP protocols. Other IGP protocols that are not mentioned here include ISIS, IGRP and
EIGRP.
2. Exterior Gateway Protocol (EGP): a protocol for exchanging routing information between
two autonomous systems. The Border Gateway Protocol (BGP) is a kind of EGP.
Page 214
page 199
According to the algorithms used, routing protocols can be divided into the following
categories:
Distance-Vector routing protocol: RIP and BGP. BGP is also called the Path -Vector
Protocol.
Link-State Protocol: OSPF and IS-IS.
The differences between the algorithms used by the Distance-Vector routing protocols and
the Link-State protocols lie in the way they find and calculate routes. Distance-Vector
routing protocols concern is to the number of the hops to the destination, while Link-State
protocols care more about the network topology and bandwidth resources used to reach a
given destination.
Page 215
page 200
Routing protocols can be divided into unicast routing protocols and multicast routing
protocols according to their applications. Unicast is one of the data transmission modes. In
this mode, the destination of a datagram is unique, which can be a host or a device.
Multicast is another data transmission mode. In this mode, the destination address is a
multicast address, which means a group of hosts or devices can receive a datagram at the
same time. Here, we only focus on unicast routing protocols. For details about multicast
routing protocols, see references for multicast modules.
Page 216
page 201
Routing tables play a key role in packet forwarding. Each router holds a routing table and
every entry in the routing table tells a packet should be sent through which physical port of
a router to reach a subnet or a host before the packet arrives at the next hop router or its
destination.
A routing table contains the following items:
Destination: indicates the destination or the destination network of an IP packet.
Mask: We have already learned the structure and functions of mask in our TCP/IP course.
Similarly, network masks are important information in a routing
table. If we let an IP address and a network mask go through a logical AND operation, we
can get information about the network segment. As the example
here, the destination address is 8.0.0.0 and the mask is 255.0.0.0. After they go through
the logical AND, we may know that the segment is 8.0.0.0/8 which is a Class A address.
Another function of network masks is that when there are multiple route entries to the
same destination in a routing table, the router can
choose the route with the longest mask.
Interface: indicates which interface an IP packet should be forwarded from.
Nexthop: indicates the IP address of the next interface that an IP packet will go through.
Other fields in the routing table will be discussed later.
Page 217
page 202
Routes to the same destination may come from different sources. So the next hop of those
routes may be the same or different. In this case, how routers
make their choice about those routes? Route preference is here for this problem.
In the figure above, there are two routes to the segment 10.0.0.0: R0 and R1. R0 is
discovered by RIP protocol and R1 is discovered by OSPF protocol. By
default, OSPF has a higher route preference level than that of RIP . So routers use the
route discovered by OSPF on this occasion and add it to the global
routing table for packet forwarding.
Page 218
page 203
The default route preference on VRP platform is shown in the above table. Preference 0 is
for direct routes and 255 is for untrustworthy routes. Except direct routes, the preference of
all dynamic routing protocols can be configured manually according to the requirements of
our customers. And you should note that usually a preference is for all routes of the
protocol with that preference. For example, routes discovered by IS-IS have the same
preference 15. The static route is an exception because each static route may have its own
preference.
An operator can adjust preference to control routes. If a router receives two routes, one
route from an IBGP source and one route from an EBGP source, it will select EBGP source
according BGP protocol's principle. 255 is the maximum preference value. Routes learned
from an IGP source is more credible than those from an EGP (BGP) source. By default the
preference of IBGP and EBGP is set to 255.
Page 219
page 204
The route metric reflects the cost of a route to its destination. Route metrics are often
decided by factors including the delay, bandwidth, line occupation rate, line reliability, hops
and the maximum transmission unit. Different dynamic routing protocols choose different
factors to calculate a route cost. For example, RIP uses hops to calculate the route metric.
Route metrics make sense only for routes discovered by the same routing protocol. It is
meaningless to compare route metrics calculated by different protocols and there is no
formula to make conversions between route metrics come from different routing protocols.
The
route metric of the static route is 0.
Router A learns routes to Router D from Router B and Router E with the same protocol. As
the figure above illustrates, the route metric of the route that Router A gets from Router B is
9. While the route metric of the route that Router A gets from Router E is 12. Obviously, the
route that Router A gets from Router B is better than the route Router A learns from Router
E. So Router A adds the first route to its routing table. Router B is the next hop for that route.
Page 220
page 205
If there are multiple routes to the same destination and their route metrics and route
preference are the same, all these routes will be added to the routing table. IP packets are
sent on these routes alternatively, which helps to realize the load balancing.
At present, routing protocols that support load balancing are RIP, OSPF, BGP and IS-IS.
The static route also supports load balancing.
Page 221
page 206
In the routing table above, there are three routes to the network 10.1.1.1/32. The three
routes have the same preference and the preference is the highest
preference. So all the three routes are added to the routing table to balance the load.
Page 222
page 207
Data packets are forwarded according to the IP addresses of their destinations. When a
packet reaches a router, the router first gets to know the IP address of the destination of the
packet and then looks up its routing table to make the logical AND operation for the IP
address and the mask in the table. If the result of the logical AND operation agrees with the
destination IP address of the entry in the table, it means the entry is the route to the
destination of the IP packet; Otherwise, it is not. When all the entries that meet the
requirement are found, the router will choose the one with the longest mask among them.
Page 223
page 208
Imagine that a packet whose destination IP address is 9.1.2.1 reaches the router. The router
looks up its routing table and finds three matching routes there. They are:
0.0.0.0/0 whose matching length is 0 bit.
9.0.0.0/8 whose matching length is 8 bits.
9.1.0.0/16 whose matching length is 16 bits.
The last route has the longest mask length. So the router will choose this one to forward the
packet through serial 0/0.
Page 224
page 209
Routing loop is a network problem in which packets are sent from one router and return back
to the router after travelling in the network for a while. When the routing loop problem occurs,
packets travel around several routers until they are discarded when TTL is 0, which wastes
the network resource quite a lot. Steps should taken to keep routing loops at bay.
As the figure above shows, RTA has a packet heading for network N. The packet is
forwarded to RTC and the value of TTL is decremented by one. When RTC receives the
packet, it forwards it to RTB which leads to a routing loop occurrence, at which point the TTL
value again decrements by one. RTC receives the packet and forwards it to RTA and then
RTA sends the packet again to RTC. This process continues until the packet is discarded
once the TTL value is reduced to 0. The routing loop is very harmful to the network and care
should taken to avoid its occurrence.
The possible causes for a routing loop may be:
1. A temporary loop occurs when the network converges
2. Algorithm defect
3. Information that can prevent routing loops is lost when routes are imported to different
routing domains.
4. Configuration mistakes
Page 225
page 210
1. What are the sources of routes, and what are their characteristics?
Routes come from three sources: direct routes discovered by the Data-Link layer; manually
configured static routes; routes discovered by dynamic routing protocols. Routes found by
the Data-Link layer do not need maintenance and they are discovered automatically when
protocols at Data-Link layer are up. The
disadvantage of this source is that it can only find routes to the directly connected segments
and routes to other segments cannot be discovered. Manually
configured static routes need maintenance and they cannot be modified automatically when
the network topology changes. Dynamic routing protocols can
discover and modify routes automatically without human interference but the cost of these
protocols is huge and the configuration process is rather complicated.
2. What are the classifications for dynamic routing protocols?
Dynamic routing protocols can be grouped into the IGP and EGP protocols according to their
working areas and Distance-Vector and Link-State protocols
according to their algorithms and unicast routing protocols and multicast routing protocols
according to their applications.
3. What are the values that can be found in a routing table?
The routing table includes factors like destination, mask, protocol, preference, metric,
nexthop and interface.
The equal cost multi-path refers to routes that head for the same destination with
the same metric. When these routes have the same preference, they are all
added to the routing table and IP packets are sent on them alternatively.
4. What does equal cost multi-path mean?
Equal cost multi-path refers to two or more routes to a single destination from a single
source, that are capable of supporting load balancing due to the fact that both routes support
a metric that is considered equal to the routing protocol being used. Should the protocol be
RIP, the number of hops to a given destination should be equal. Alternatively if the protocol
happened to be OSPF, the distance between the source and the destination over the two
routes must reflect an equal cost, based on the link type e.g Serial/Ethernet and supported
bandwidth of the such links in accordance with OSPF cost values.
Page 226
page 211
Page 228
page 212
Page 229
page 213
Page 230
page 214
A static route is a special route that is configured by a network administrator manually. The
disadvantage of static routes is that they cannot adapt to the change in a network automatically,
so network changes require manual reconfiguration. Static routes are fit for networks with
comparatively simple structures. It is not advisable to configure and maintain static routes for a
network with a complex structure.
Page 231
page 215
The command for configuring the static route is:
[Quidway]iproute-static <ip_address> [ <mask> | <masklen> ]
<interface_name> | <gateway_address> [ preference
<preference_value> ] [ reject | blackhole ]
The meaning of the parameters in the command are as follows:
(1)<ip_address>[<mask>|<masklen>]:the IP address and mask of the
Destination
The IP address should take the form of dotted decimal notation; the mask can be in the
form of a dotted decimal or be represented by the mask length (the number of the bits set
as 1 in the mask).
(2) <interface_name>|<gateway_address>: the name of the sending
interface or the address of the next hop
When configuring static routes, you can define an interface name or the address of the next
hop. To define the interface name or the next hop address
should be decided by the real situation. Actually, for every route entry, there must be a next
hop address. When sending the packets, the routers looks up the routing table for a route
that matches with the address of the destination of the packet. Only when the next hop
address is specified, the data-link layer can find the corresponding data-link address to
forward the packet.
(3) <preference_value>: preference value
A flexible management technique on routes can be realized by configuring the preference
value differently. If you assign multiple routes to the same destination with the same
preference value, load balancing can be achieved; otherwise, route backup is made. You
can input preference values more than once in a command but only the last one is valid.
(4) Others
The attributes reject and blackhole refer to an inaccessible route and a blackhole route
Page 232
page 216
respectively. If one static route is labeled with the reject attribute, all the packets sent to
the destination of the route will be discarded and an ICMP packet will be sent to notify the
source that the destination is unreachable. When a static route is assigned the attribute
blackhole, any packet heading for the destination of the static route will be abandoned
and in this case, no ICMP packet will be sent to notify the source.
In the example above, the two routers to the loopback segment of RTA on RTB. The
command for configuring the route can be in one of the three forms below:are connected
by serial ports and we can configure a static route destined
[RTB] ip route-static 10.1.1.1 255.255.255.255 1.1.1.1
[RTB] ip route-static 10.1.1.1 32 1.1.1.1
[RTB] ip route-static 10.1.1.1 32 Serial 0
In the first form, the mask is represented by a dotted decimal number.
In the second form, the mask is shown by its length.
In the last form, gateway address is taken place by the interface name.
Page 233
page 217
You can query the routing table by running display ip routing-table command after the
static route is configured. The static route is displayed in the routing table as highlighted in
red here.
Page 234
page 218
Load balancing: Packets are sent through several links alternately when there are multiple
paths to the destination of those packets with the same cost. Static routes support load
balancing.
As shown in the figure above, three routes are configured to the same destination,
network 10.1.1.1/32, on RTB. The three static routes have the same preference value with
the default value 60 and there are no routes heading for this network with higher
preference value than these three routes. In this case, these three routes are equal routes
which can share the load, and packets will be sent through the three routes alternately.
Page 235
page 219
Looking up the routing table, you can see there are three routes destined to the network
10.1.1.1/32 which will share the load over each ECMP supported link.
Page 236
page 220
Route backup: Multiple routes heading for the same destination are configured, amongst
which there is one with a higher preference value that acts as the main route. Other equal
cost routes with lower preference values become backup routes.
As the above figure shows, two static routes are configured, destined for the network
10.1.1.1/32 on RTB. One of the routes has the preference value of the default value 60
while the other static route is configured with a less preferred preference value of 100.
Page 237
page 221
By looking up the routing table, you may find that there is only one route heading for the
network 10.1.1.1/32 which acts as the main route. The route with the preference value of 100
has not been added to the routing table. It will be added to the routing table only after the route
with the preference value of 60 becomes invalid.
Page 238
page 222
After running the display ip routing-table protocol static command, you can see the route
whose preference value is 60 is active, which means it is the main route to forward packets
to the network 10.1.1.1/32.
The route whose preference value is 100 is inactive and acts as the backup route. It will not
be added to the routing table or used for forwarding packets until the route with a preference
of 60 is no longer available, or the preference of this route is changed to a value lower than
the currently preferred route.
Note: The routing table here is a global routing table.
display ip routing-table can only list the active routes at present.
display ip routing-table protocol static can list all the static routes, including the
active routes and the inactive routes.
Page 239
page 223
A look up of the routing table after disabling a port for the active route with the shutdown
command will result in the backup route becoming the active route, and being added to the
routing table to forward packets in place of the lost route.
Page 240
page 224
The default route is one kind of special route. Usually, default routes are configured by
administrators manually but they can also be generated by routing protocols such as OSPF
and IS-IS.
When a router receives a packet whose destination is not listed in the routing table, the
router will forward the packet to the next hop defined by the default route. You can run the
display ip routing-table command to see if a default route is configured.
A packet will be forwarded to the default route if its destination does not match any
destinations of the routes in the routing table. If there is no default route either, then the
packet will be discarded and an ICMP message notifying the source that the destination or
the network is inaccessible will be sent.
Page 241
page 225
A default route is configured by setting the destination address and the mask to be 0s
(0.0.0.0 0.0.0.0) when you run the ip route-static command to configure a static route.
Page 242
page 226
In the routing table, you may see the destination address of the default route is set to be
0.0.0.0 and the mask length is 0.
Page 243
page 227
The default route supports both the load balancing and route backup mechanisms. If multiple
default routes are configured with the same preference value, they will share the load
together. If they have different preference values, the one with the highest route acts as the
main route and others are backup routes.
As the above table shows, the two static routes highlighted in red share the load for each
other after they are configured with the same preference value of the default value of 60.
Page 244
page 228
What are the differences between load balancing and route backup for static routes?
Load balancing: Packets are sent through several links alternately when there are multiple
paths to the destination of those packets with the same metric.
Route backup: If there are multiple routes heading for the same destination, one of them
which having the highest preference value will act as the main route, and the others with
lower preference value will act as the backup routes. The backup routes will be in use only
after the main route becomes invalid.
What is a default route?
The default route is a kind of the special route used for last resort forwarding. Usually,
default routes are configured by administrators manually but they can also be generated
by routing protocols such as OSPF and IS-IS. A default route is the route whose network
address and mask are both 0s in the routing table.
Page 245
page 229
Page 247
page 230
Page 248
page 231
Page 249
page 232
Routing protocols are like languages that build bridges between routers for information
exchange. Information like the network status and its accessibility range is
shared among routers with the help of those routing protocols.
Dynamic routing protocols are not only responsible for selecting routes, they are also capable
of finding another best route to the destination when the original one
is not available. This feature of dynamic routing is especially noteworthy when a network
topology changes which makes it the advantage of dynamic routing protocol over static routing
protocol.
The common routing protocols in use at present are RIP, OSPF, ISIS and BGP. RIP is famous
for its simplicity of configuration and deployment and it is designed for exchanging routing
information within a small to medium-size network as it converges slowly.
Developed by IETF, OSPF is a complicated but widely used protocol. ISIS is a routing
protocol based on a simple design with good extendibility and is extensively applied to large
scale SP networks.
BGP is used for communicating route information between AS.
Page 250
page 233
At present, the common dynamic routing protocols include RIP, OSPF, ISIS, BGP routing
protocols. RIP routing protocol configuration is simple, but the convergence rate is slow,
and RIP is commonly used in small and medium-sized networks. OSPF protocol
developed by the IETF, the protocol principle of OSPF is more complex, and it is widely
used; the ISIS design idea is simple, and it has good scalability, presenting in large SP
network configuration.
The BGP is used to exchange routing information between AS.
Page 251
page 234
A traditional definition for autonomous system (AS) is a collection of IP networks and routers
under the control of one entity that presents a common routing policy to the Internet. Now,
the definition of AS has developed into a collection of networks and routers that are
managed by multiple entities and adhere to several routing policies.
AS numbers are assigned by the IANA and each AS is allocated with a unique number to
differentiate from another. AS number ranges from 1 to 65535 and are divided into two
ranges. The first are public AS numbers, which may be used on the Internet and range from
1 to 64511. AS number in the second range, from 64512 to 65534, are known as private
numbers, and can only be used internally within an organization.
Page 252
page 235
Routing protocols can be divided into IGP and EGP according to their working area.
IGPInterior gateway protocols
A set of routing protocols that are used within an autonomous system, such as RIP and IS-IS.
IGP is mainly used to search and calculate routes within an autonomous
system.
EGPExterior gateway protocolsis used to connect different autonomous systems. An
EGP, such as BGP, controls communication of route information between
autonomous systems with routing policies and route filtering mechanisms.
Page 253
page 236
Routing protocols can be divided into Distance-vector protocols and Link-state protocols. RIP
and BGP are examples of Distance-vector protocols and OSPF and IS-IS fall in the group of
Link-state protocols. BGP is also called Path-vector protocol.
Distance-vector Routing Protocol
They use the Bellman-Ford algorithm to calculate paths. In Distance-vector routing protocols,
each router sends complete routing tables to their neighboring routers at fixed intervals. It is
the metric which means the distance between the router and the destination network and the
vector which indicates the interface from which data is forwarded that routers in a Distance-
vector routing protocol network really care about .
Advantages of Distance-vector protocol:
They are easy to configure and take up comparatively few resources of memory and CPU.
Disadvantages of Distance-vector protocol:
Poor extendibility, for example, the maximum hops of RIP is limited to 16.
Link-state Routing Protocol
They are based on the Dijkstra algorithm which is sometimes called the Shortest Path First
(SPF) algorithm. This algorithm pays attention to the state of links or interfaces in the
network, including whether they are up or down, their IP addresses and masks. Routers
advertise information about link states they know to other routers in the area through which
each router in the area builds up a complete link state database for the area. Then every
router draws its own topology map based on the information it collected in the form of a
graph showing which nodes are connected to which other nodes.
The primary advantage of link-state routing is that it reacts more quickly, and in a bounded
amount of time, to connectivity changes. Routers send update information only when the link
state changes which saves the bandwidth of the links between routers. Some of the update
information only covers the information about the changes of link state instead of the whole
routing table.
Page 254
page 237
In some occasions, route information should be shared among different routing protocols. For
example, route information obtained from RIP may possibly needs to be imported to OSPF.
The process of exchanging route information between protocols is called route importation.
This process could be a one-way street as we see in the example of import information from
RIP to OSPF. And it could also be a two-way process as RIP and OSPF can learn route
information from each other.
The cost of each protocol can not be compared and there are no formula to convert the cost of
one protocol to another's. So we must set the Metric again ( some protocols can use the
default value set by the system) when we import route information from one protocol to another.
Improper importation may impose burdens on routers or lead to loops, so we must be careful
with it.
Page 255
page 238
What makes a good dynamic routing protocol?
(1) Correctness: The routing protocol should be able to find the optimal route
without self-loop correctly.
(2) Fast convergence: The routing protocol can respond to a new network
topology quickly.
(3) Low cost: The cost (memory, CPU, network bandwidth) of the routing
protocol itself is minimum.
(4) High security: The routing protocol is resistent to attack and provide high
security.
(5) High adaptability: The routing protocol can be easily applied to networks of
different topologies and scales.
Page 256
page 239
What are the common dynamic routing protocols used?
They are RIP, OSPF, ISIS and BGP.
Dynamic routing protocols can be divided into which domain classifications?
Routing protocols can be grouped into two distinct classifications, of either intra-AS based or
inter AS based, better known as Interior Gateway Protocol (IGP) and Exterior Gateway
Protocol (EGP).
What classifications of dynamic routing protocols are there?
RIPv1/v2, OSPF, ISIS fall in the first group and BGP belongs to the second. According to the
algorithm, routing protocols can be categorized into Distance vector routing protocols and
Link-state routing protocols. RIPv1/RIPv2 and BGP are all Distance-vector protocols and
OSPF and ISIS are Link-state routing protocols.
Page 257
page 240
Page 259
page 241
Page 260
page 242
Page 261
page 243
The distance-vector (D-V) routing protocol is based on the Bellman-ford
algorithm. A router using the D-V algorithm sends the entire routing table to
adjacent routers.
The adjacent routers compare the received routing table with their own routing
tables. If the received route is new, it will be added to the routing tables directly.
If the received route had the same destination as the existing route, the router
will compare the metric of these routes, and will add the one whose metric is
smaller to the routing table. The adjacent routers then broadcast their routing
tables (with the new routes) to their adjacent routers. The distance-vector routing
protocol advertises routing information in the format of (Distance, Direction).
Distance indicates the metric, and Direction indicates the next hop. The
advantage of the distance-vector routing protocol: The configuration is simple, so
less memory is used and shorter CPU processing time is needed.
Disadvantage: The expandability is poor. For example, the maximum hop count
in RIP cannot exceed 16.
Page 262
page 244
When a router starts (on t
0
), it generates an entry for each directly-connected network
segment. The router is directly connected to the network segment, so the hop count is 0
and the next hop router is represented as " " in the entry. The router then broadcasts
the routing information to all links.
Page 263
page 245
On t
1
, routers receive and process the first update message. RTA receives the update
message from RTB and finds that RTB has a route to 10.1.3.0 with 0 hops. This route is
not contained in the routing table of RTA, so RTA adds this route to its routing table and
increases the hop count by 1. Thus RTA learns the route to 10.1.3.0 from the update
message sent by RTB. Similarly, RTB learns the route to 10.1.1.0 from the update
message sent by RTA and learns the route to 10.1.4.0 from the update message sent by
RTC. RTC learns the route to 10.1.2.0 from the update message sent by RTB.
Page 264
page 246
On t
2
, the update period begins and new update packets are broadcasted. RTA learns the
route to 10.1.4.0 from RTB. RTC learns the route to 10.1.1.0 from RTB. Through the
periodical update mechanism, each router obtains routes to all network segments. Finally,
the network converges.
Page 265
page 247
The D-V algorithm requires that each router sends its routing table to adjacent
routers. When receiving the route update message, the router compares the new
routing information with the original routing information in its routing table. The
router then modifies the local routing table according to the comparison to keep
pace with the change of network.
The principles of updating the routing table are:
1. Adding new routes.
As shown in the figure, RTB receives the route update message from RTA. If a
route entry of RTA, for example, the route to 10.1.1.0 does not exist in the routing
table of RTB, RTB will adds this entry to its own routing table. In the routing table
of RTB, the destination network of this route is 10.1.1.0; the metric (hop count) is
the metric of this entry for RTA plus 1; the next hop address is the IP address of
RTA's interface connected to RTB, namely, 10.1.2.1.
Page 266
page 248
2. Changing the next hop address and metric.
RTB receives the update message from RTA and finds that the metric to a network in the
routing table of RTA is less than the metric in its own routing table minus 1. For example,
to the same network 10.0.1.0, the route in routing table of RTB needs 5 hops, while the
route in routing table of RTA needs 2 hop. 5-1>2, which indicates that the metric is less if
the packet passes through RTA. Therefore, RTB changes the route entry in its routing
table. The next hop is changed to the IP address of the interface on RTA. Subsequent
packets will be forwarded to the destination network by RTA. The route metric is the route
metric of RTA plus 1.
Page 267
page 249
3. Changing the metric (hop count) only .
As shown in the figure, the next hop to network segment for RTB is RTA. The update
message from RTA shows that the metric to the destination network segment has
changed. At this time, the metric of this route entry in the routing table of RTB changes to
the new metric of RTA plus 1. That is, the original metric 2 changes to 4+1=5.
Page 268
page 250
4. Deleting unreachable routes.
In RTB's routing table, the next hop to the destination network is RTA, but routing table of
RTA does not contain the route to this network any more. Then RTB deletes this route
entry from the routing table. Take the 10.0.3.0 entry in the figure as example. In the
routing table of RTB, the next hop is RTA. However, the update message sent by RTA
does not contain this entry. It indicates that packets cannot reach 10.0.3.0 through RTA,
so RTB needs to delete this entry from its routing table.
Page 269
page 251
When a network fault occurs, network convergence may slow down because the
routes in the routing table may be inconsistent with routes in the actual network
topology. In this case, routing loop may be generated. This figure provides a
simple network structure to show how a route loop is generated. Before a fault
occurs to network 11.4.0.0, all routers have correct and consistent routing tables
and the network is converged. In this example, route metric is represented by
hop count, so the metric of each link is 1. Router C is directly connected to
network 11.4.0.0, so the hop count is 0. Router B is connected to network
11.4.0.0 through Router C, so the hop count is 1. Router A is connected to
network 11.4.0.0 through Router B and Router C, so the hop count is 2. When a
fault occurs to network 11.4.0.0, route loop may be generated. The process is as
follows:
1. When a fault occurs to network 11.4.0.0, Router C receives the information
about the fault first. Router C then regards 11.4.0.0 as unreachable, and
waits till the update period begins to advertise the route change to the
adjacent router. If the update period of Router B begins earlier than the
update period of Router C, Router C will learn a new route to 11.4.0.0 from
Router B. Actually, the learnt route is incorrect. Thus, the routing table of
Router C records an incorrect route. (The next hop is Router B; the
destination is 11.4.0.0; the hop count is increases to 2.)
2. After leaning a wrong route, Router C advertises this route to Router B. Route
B also records a wrong route to 11.4.0.0, of which the next hop is Router C
and the hop count is increases to 3.
3. Router B considers that network 11.4.0.0 is reachable through Router C, and
Router C considers that network 11.4.0.0 is reachable through Router B. Thus, a
loop is generated.
Page 270
page 252
When a route loop occurs, the count of hops to network 11.4.0.0 keeps
increasing, and the network cannot converge. To avoid this problem, the RIP
protocol limits the maximum hop count to 16. In the figure, when the hop count
reaches 16, network 11.4.0.0 is considered unreachable. The router marks this
route unreachable in the routing table and does not update the route to 11.4.0.0
any more. By defining the maximum hop count, the distance-vector routing
protocol prevents the route metric from increasing infinitely when route loop
occurs. In addition, incorrect route information is corrected. However, routing
loop still exists before the hop count reaches the maximum value. That is to say,
this solution is only a remedial measure but it cannot avoid route loops. This
solution can only mitigate the damage caused by route loop. Therefore,
designers of routing protocols provide other solutions to reduce the probability
generating the route loops, for example, split horizon and triggered update.
Page 271
page 253
Split horizon is a common solution among distance-vector routing protocols to
avoid routing loops. One cause of routing loops is due to a router learning the
route from
its neighbor, and then advertising this route to the same neighbor who advertised
this route to it. With split horizon, a router does not send the routing information
to the neighbor from whom the routing information is sent.
As shown in the figure:
1.Router C advertises the route to network 11.4.0.0 to Router B. Router B then
advertises this routing information to Router A. At the same time, Router B also
sends this routing information to Router C. If network 11.4.0.0 works normally,
Router C does not accept the route to 11.4.0.0 advertised by Router B, because
Router C has a route with smaller metric to 11.4.0.0.
2. If route from Router C to 11.4.0.0 becomes unreachable, Router C accepts the
route to 11.4.0.0 advertised by Router B, although it is an incorrect route now.
(Since the route from Router C to 11.4.0.0 is unreachable, the route learned by
Router B from Router C is incorrect.) However, Router C does not know that the
route is incorrect. Router B considers that 11.4.0.0 is reachable through Router C,
and Router C considers that 11.4.0.0 is reachable through Router B. Thus, the
routing loop generates.
3. Split horizon solves this problem. Split horizon forbids a router to return the
routing information to the interface from which the routing information arrived. In
the figure, Router B learns the route to 11.4.0.0 from Router C. Split horizon
forbids Router B to advertise this route to Router C again. This avoids routing
loops
to some extent.
Page 272
page 254
Route poisoning is a supplement to split horizon. Route poisoning can prevent
routing loops to some extent and can suppress network flapping caused by
interface resetting. When a fault occurs in the network or an interface is reset,
route poisoning suppresses the related route and starts a hold-down timer.
Within the hold-down time, the router does not update the routing table. In this
way, the routing loop is avoided and network flapping is suppressed.
When a fault occurs in network 11.4.0.0, Router C sets the metric of the route to
this network to 16 (unreachable) in its routing table, and thus this route is
suppressed. Router C does not accept the update message of the route to
11.4.0.0 from the adjacent router. After Router B receives the advertisement from
Router C, indicating that the route metric to 11.4.0.0 is infinite, Router B sends a
poison reverse update message to Router C. The update message indicates that
11.4.0.0 is unreachable. The update message violates the principle of split
horizon, but it is used to confirm that all routers on this network segment know
that the route is suppressed.
Page 273
page 255
Route poisoning can avoid routing loops to some extent and can suppress
network flapping caused by interface resetting. When a fault occurs in the
network or an
interface is reset, route poisoning suppresses the related route and starts a hold-
down timer. Within the hold-down time, the router does not update the routing
table. In this way, the routing loop is avoided and network flapping is suppressed.
1. When a fault occurs in network 11.4.0.0, Router C suppresses the related
route entry in the routing table, that is, it sets the metric of the route to this
network to 16 or unreachable. At the same time, Router C starts a hold-down
timer. Within the hold-down time, if Router C receives a route reachable
message from the same neighbor (or the same direction), it marks the network
as reachable and stops the hold-down timer.
2. If Router C receives an update message from other neighbors, advertising the
route with higher weight, Router C updates the routing table by selecting the new
route. At the same time, Router C stops the hold-down timer.
3. Within the hold-down time, if Router C receives a route reachable update
message, but the weight of the new route is lower, Router C will not accept the
new route. After the hold-down timer expires, if Router C receives this update
message again, it will update the routing table.
Page 274
page 256
As shown in the figure, when network 11.4.0.0 becomes unreachable, Router C
obtains this information first. Generally, route update messages are sent to
adjacent routers periodically. For example, RIP specifies that a router sends
route update messages every 30 seconds. However, if the update message sent
by Router B reaches Router C before the update period of Router C begins,
Router C will learns the wrong route to 11.4.0.0. Thus the routing loop generates.
If Router C sends the update message immediately, instead of waiting for the
update period, this problem will be avoided. This mechanism is call triggered
update. Triggered update means that a router sends a triggered update message
to adjacent routers immediately after the routing information changes. When a
router detects that the network topology changes, it immediately sends the
triggered update message to adjacent router. All other routers also send the
triggered update messages immediately, and thus the triggered update
messages spread in the entire network. In the figure, Router C immediately
sends an update message to advertise that network 11.4.0.0 is unreachable.
After Router B receives this message, it sends the network unreachable
message from interface S0. Router A then advertises this message from
interface E0.
Page 275
page 257
Triggered update avoids the route loop to some extent, but it still cannot avoid
the following problems:
1. The packet containing the update message may be discarded or damaged.
2. If a router receives the periodically sent update message from the adjacent
router before receiving the triggered update messages, the router will learn the
wrong routing information.
The above problems can be solved when triggered update is combined with the
hold-down timers. Within the hold-down timers, the router does not update the
route
to the destination network which becomes unreachable. Therefore, combining
triggered updates with the hold-down timers ensures that the triggered update
message has enough time to be transmitted in the network. As shown in the
figure, when Route C detects that network 11.4.0.0 is disconnected, it deletes the
route to this network immediately. Then Router C sends a triggered update
message to Router B. Router C sets the route metric to 11.4.0.0 to infinite (16) to
suppress this route. After receiving the triggered update message, Router B
starts the hold-down timer and marks the network as "may be disconnected." At
the same time, Router B sends a reverse update message to Router C, then
sends a triggered update message to Router A to advertise that network 11.4.0.0
is unreachable. Router A then suppresses the route to 11.4.0.0 and sends a
reverse update message to Router B.
Page 276
page 258
What is distance-vector routing protocol?
A distance-vector routing protocol is an algorithm based on distance and vector. The
distance-vector routing protocol is also called Bellman-ford algorithm or Ford-Fulkerson
algorithm. Based on this protocol, a route is advertised in the format of distance (metric,
hop count) and vector (direction, outgoing interface). Every router periodically sends its
routing table to directly connected routers.
What are the methods used to prevent routing loop?
The methods for avoiding routing loops are: split horizon, route poisoning, hold-down
timers, and triggered updates.
Page 277
page 259
Page 279
page 260
Page 280
page 261
Page 281
page 262
The Routing Information Protocol (RIP) is a relatively simple dynamic routing
protocol, but it is widely used. RIP is a routing protocol based on the distance
vector
(D-V) algorithm. RIP exchanges routing information through UDP. Based on RIP,
a router sends update messages every 30 seconds. If a router does not receive
the update message from the peer router within 180 seconds, the router marks
all routes learned from the peer router as unreachable. If the router still does not
receive the update message from the peer router in the subsequent 120 seconds,
it deletes these routes from the routing table. RIP represents the distance to the
destination network by the hop count. In RIP, the hop count between a router
and the directly connected network is 0. If the network can be reached through
another router, the hop count increases by 1. The hop count increases with the
number of routers between the source router and the destination network. In RIP,
the metric is an integer ranging from 0 to 15. The hop count equal to or larger
than 16 is defined as infinite, that is, the destination network or host is
unreachable. RIP is on the upper layer of UDP. Routing information for RIP is
encapsulated in the datagram of UDP. RIP uses port 520 to exchange routing
information. When a router receives the route update message from the remote
router, the router notifies other routers of the changed route. In this way, routes
are synchronized on all routers in the network.
To improve the routing performance and avoid route loop, RIP supports split
horizon, poison reverse, and triggered updates. In addition, RIP can import
routes learned through other routing protocols.
Page 282
page 263
When RIP is enabled, the initial routing table contains only direct routes. After
RIP is enabled on a router, the router broadcast Request packets to all directly
connected interfaces. When the adjacent router receives the Request packet
from an interface, it broadcast Response packet to the network connected to this
interface according to its routing table. When the router receives the Response
packet from the adjacent router, it generates the routing table according to the
Response packet. Based on the characteristics of the D-V algorithm, the devices
involved in RIP are classified into active devices and passive devices. The active
device actively broadcasts route update packets, and the passive device
receives route update packets passively. Generally, a host is a passive device,
and a router is both an
active device and a passive device. That is, a router not only broadcasts route
update packets, but also receives the D-V packets from other active devices and
updates the routing table.
Huawei Networking Technology and Device Module 2 Part 6 RIP Routing
Protocol
Confidential Information of Huawei. No Spreading without Permission
Copyright 2008 Huawei Technologies Co., Ltd. All rights reserved.
Page 294
Page 283
page 264
Based on RIP, a router broadcasts its routing table through the Response
packets every 30 seconds. After receiving the Response packet from the
neighbor, the router calculates the route metric in the packet through RIP. Then
the router compares the calculated metric with the metric of the route in the
routing table and updates the routing table. The route metric is calculated by the
following formula: metric = Min (metric + cost, 16). Here, "metric" is the metric in
the packet. Cost is the metric from the neighbor to the network where the packet
is received. The default value of cost is 1 (one hop). 16 means that the
destination network is unreachable. When the local router receives a route
update packet, it updates the routing table based on the following principles:
For an existing route entry in the routing table, if the next hop is the adjacent
router, the local router updates the entry (keeps the original metric and only
resets the aging timer), regardless of whether the metric in the route up date
packet is larger or smaller. If the next hop is not the adjacent router, the local
router updates the route entry only when the metric in the router update packet is
smaller than the previous metric.
For a route entry that does not exist in the routing table, the router adds it to the
routing table if the metric is less than 16 (unreachable). Each entry in the routing
table has an aging timer. If a route entry is not updated within 180 seconds, the
aging timer times out and the metric of this route changes to 16 (unreachable).
After the metric of a route changes to 16 and the route is advertised through the
Response packet for four times (120 seconds), this route will be deleted from the
routing table.
Page 284
page 265
RIP has two versions: RIPv1 and RIPv2. RIPv1 does not support Variable Length Subnet
Masks (VLSM). RIPv2 supports VLSM, route aggregation, and Classless Inter-Domain
Routing (CIDR). In addition, RIPv2 supports plain text authentication and MD5
authentication. In RIPv1, packets are transmitted in broadcast mode. RIPv2 supports two
transmission modes: broadcast and multicast. Multicast is adopted by RIPv2 by default.
The multicast address for RIPv2 is 224.0.0.9. An advantage of multicast transmission is
that the networks that do not support RIP will not receive the RIP packets. Also with
multicast, network segments that run RIPv1 will not receive or process the RIPv2 routes.
Page 285
page 266
This figure shows the format of the RIPv1 packet. A RIPv1 packet contains a
command field, a version field, and multiple route entries (up to 25 entries). Each
route entry consists of the Address Family Identifier, reachable IP address, and
hop count (Metric). If a router needs to send more than 25 route entries, the
entries must be sent in multiple RIP packets. From this figure, you can see that
the RIP packet header takes four bytes, and each route entry takes 20 bytes.
Therefore, the length of a RIP packet is 4 + 25 x 20 = 504 bytes. Counting the 8-
byte UDP header, the maximum length of the RIP packet (excluding the IP
header) is 512 bytes.
The values and functions of the fields in the RIP packet are as follows:
Command: The value can be only 1 or 2. 1 represents the Request packet; 2
represents the Response packet. A router or host sends the Request packet to
require routing information from the peer router. The peer router responds by the
Response packet. But in most cases, a router periodically sends Response
packets without waiting for the Request packet.
Version: For RIPv1, the value is 1.
Address Family Identifier (AFI): For the IP protocol, the value is 2.
IP address: indicates the destination address of the route. The value can be a
network address or the address of a host.
Metric: indicates the hop count. The value ranges from 1 to 16.
Page 286
page 267
Compared with the RIPv1 packet, the RIPv2 packet has the following new fields:
Route tag: 16 bits, used to mark the external route or the route redistributed to RIPv2
protocol.
Subnet mask: 32-bit mask, used to identify the network address and subnet address in
the IP address.
Next hop: 32-bit next-hop IP address.
Page 287
page 268
All command lines base on VRP 5.3.
In the VRP series routers, the default RIP version is 1.0. Unless otherwise
specified, the RIP version is RIPv2.0 in this course. The method of changing the
RIP protocol version will be described later. The basic RIP configuration includes
the following:
Enable RIP.
[Quidway] RIP
By default, RIP is not enabled.
Specify the network segment for RIP.
[Quidway-rip] network network-address
RIP runs only on the interfaces in the specified network segment. For an
interface out of the specified network segment, RIP does not send or receive
routes on the interface. RIP does not forward routes on this interface to other
interfaces either. Therefore, you must specify a network segment after RIP is
enabled. The network-address specifies the address of the network where RIP is
enabled. It can be the network address of the interface. When this parameter is
specified, RIP is enabled on all interfaces in this network segment.
Page 288
page 269
The display rip command is used to display the running status and configuration
of RIP. Part of the display information is described in the following. Pay attention
to the contents marked in red.
RIP process: 1indicates that the RIP process number is 1.
Public VPN-Instance indicates the public network VPN.
RIP version: RIP-2 indicates that the RIP version is 2.
Preference: 100 indicates that the precedence of the RIP protocol is 100.
Maximum number of balanced paths: 6 indicates that the maximum number of
equal-cost routes is 6.
Update time: 30 sec indicates that the route update interval is 30 seconds.
Age time: 180 sec indicates that the aging time of the RIP route is 180
seconds.
Suppress time: 0 sec indicates that the route suppression duration is 0
seconds.
Networks: 192.168.1.0 172.16.0.0 indicates the network where RIP is enabled.
Page 289
page 270
The display rip route command is used to display all active and inactive routes, and the
timer of each route.
Destination (Dest) destination IP address
Nexthop next hop of the route
Cost weight of the route
Tag flag used to identify the internal route and external route
Sec period in which a route entry keeps in certain status
Page 290
page 271
All command lines base on VRP 5.3.
You can configure any of the following RIP versions:
1. Global RIP version
version { 1 | 2 }: configure the RIP version globally. This command is
supported by vrp5.x only.
2. Interface RIP version
rip version { 1| { 2 [ broadcast | multicast ] } }: configures the RIP version on an
interface. This command is configured in the interface view. By default, the RIP
version on an interface is RIPv1.
RIPv2 supports two packet transmission modes: broadcast and multicast.
Multicast is adopted by default. The multicast address for RIPv2 is 224.0.0.9. An
advantage of using multicast is that the networks not running RIP will not process
the RIP packets. With multicast, network segments that run RIPv1 will not
receive or process the RIPv2 routes. If the interface with the RIP version RIPv1,
the interface process only RIPv1 and RIPv2 broadcast packets and does not
process RIPv2 multicast packets. If RIPv2 broadcast mode is adopted on the
interface, the interface receives only RIPv1 and RIPv2 broadcast packets and
does not receive RIPv2 multicast
packets. If RIPv2 multicast mode is adopted on the interface, the interface
receives only RIPv2 multicast packets and does not receive RIPv1 and RIPv2
broadcast
packets.
Note: If the global RIP version is configured, you need not configure the
RIP version in the interface view vrp5.x supports this function.
Page 291
page 272
Page 292
page 273
On Router A, the summary command is used to configure route aggregation.
Thus, routes 172.16.1.1/32, 172.16.1.2/32, and 172.16.1.3/32 are aggregated to
one route: 172.16.0.0/16. The aggregated route uses the natural mask. 172
indicates that the address is a Class-B address, so the mask length of the
aggregated route is 16.
RIPv2 supports route aggregation. By default, route aggregation is enabled. That
is, when the RIP version is configured to RIPv2, route aggregation takes effect
automatically, unless you use the undo summary command to disable route
aggregation. Route aggregation in RIP-2 improves the extendibility and efficiency
of large scale networks. After route aggregation, the RIP routing table does not
contain sub route entries, namely, the route entry containing a single IP address.
In this
way, the routing table is condensed, thus the router can process more routes.
When the classful aggregation is enabled, the router aggregates the subnet
addresses to the natural network segment when it advertises routes to the
destination out of the network segment. However, when split horizon or poison
reverse is configured, classful aggregation becomes invalid. Therefore, to
configure the router to advertise aggregated routes to the destination out of the
natural network segment, you must disable the split horizon and poison reverse
functions in the corresponding view by using the following commands:
[RTA-Serial0/0/0]undo rip split-horizon
[RTA-Serial0/0/0]undo rip poison-reverse// supported by VRP5.X
Page 293
page 274
Using the undo summary command, you can disable classful route aggregation to allow
routing between subnets. In this case, routing information of the subnet is
advertised. Route aggregation reduces the routing information in the routing table. By
default, route aggregation is enabled in RIPv2. In this example, three IP addresses are
configured for three loopback interfaces on Router A. RIP is enabled on these IP
addresses. Route aggregation is disabled by the undo summary command. These IP
addresses are advertised to other routers. Viewing the routing table of Router B, you can
find three host routes with these IP addresses.
Page 294
page 275
Using the rip summary-address ip-address mask command, you can configure
a RIP router to advertise an aggregated local IP address. This command is
supported
by VRP5.3.
ip-address: network address to be aggregated
mask: subnet mask
Using the undo rip summary-address ip-address mask command you can
cancel the configuration. If both auto route aggregation and manual route
aggregation are enabled, the manually aggregated routes are integrated into the
automatically aggregated routes. Namely, auto route aggregation take effect. If
the mask length of aggregated route is smaller than natural mask length, use
manual route aggregation to perform it and do not use auto route aggregation
together.
Page 295
page 276
Each routing protocol has a preference. The preference influences the routing policy in
selecting the route learned through a certain protocol as the best route. The larger the
value, the lower is the preference. You can set the preference of the RIP protocol
manually.
Set the preference of RIP protocol.
[Quidway-rip] preference value
Restore the preference of the RIP protocol to the default value.
[Quidway-rip] undo preference
By default, the preference of RIP protocol is 100.
Page 296
page 277
RIP allows RIP to import the routing information of other routing protocol into the
RIP routing table. You can set the default cost of the imported route. Routes that
can be imported to the RIP routing table are: direct routes, static routes, OSPF
routes, BGP routes, and IS-IS routes. Enable RIP to import routes of other
routing protocols.
[Quidway-rip] import-route protocol [ allow-ibgp ] [ cost value ] [ route-
policy
route-policy-name ]
Disable RIP to import routes of other routing protocols by default.
[Quidway-rip] undo import-route protocol
By default, RIP does not import routes of other routing protocols. When protocol
is specified as BGP, the allow-ibgp keyword is optional. The import-route bgp
command configures RIP to import only EBGP routes. The import-route bgp
allow-ibgp command configures RIP to import both EBGP routes and IBGP
routes. This configuration may cause route disorder, so use this command with
caution then takes default-cost as route cost. If route cost is not set for the
imported routes. The default-cost value is 0. In this example, the route cost is set
to 10. Therefore, the cost of imported routes is calculated by route-cost plus 1,so
the cost of routes received by RTB is 11.
Page 297
page 278
Using the rip metricin value command, you can set the metric increment for the
RIP route received on an interface.
value: specifies the metric increment for the RIP route received on an interface.
The value ranges from 0 to 15. By default, the value is 0.
When receiving a route, the router adds the RIP increment of the receiving
interface to the route, and then adds the route to the routing table. Thus, the
metric in the routing table is changed. Therefore, when the RIP metric of an
interface increases, the metric value of the RIP routes received on the interface
also increases.
when RTA receiving route 10.1.1.1/32 by rip update message, it will calculate
cost 10.1.1.1/32. The metric-in value of RTA's receiving interface is changed to 5,
the
cost of 10.1.1.1/32 in rip message is 1. So the cost of 10.1.1.1/32 in RTA's the
routing-table is 6 (5+1=6).
Page 298
page 279
Using the rip metricout value command, you can set the increment of metric for the RIP
route sent from an interface.
value: specify the metric increment for the RIP route sent from an interface. The value
ranges from 1 to 15. By default, the value is 1.
Before a route is advertised, the metric increment is added to this route. Therefore, when
the RIP metric of an interface increases, the metric value of the RIP routes
sent from the interface also increases. However, the metric in the routing table is not
changed. When RTB receives routes 172.16.1.X by rip update messages, the metric of
172.16.1.X in the update is 4, which is set by "rip metricout 4" on RTA's serial interface.
The default metric in of RTB's serial interface is 0, so RTB calculates 4+0=4, 4 being the
cost of 172.16.1.X in RTB's routing table.
Page 299
page 280
RIPv1 does not support packets authentication. In RIPv2, two authentication
modes are used: plain text authentication and MD5 authentication. MD5
authentication packets have two formats. One is described in RFC 2453, and the
other is described in RFC 2082. The router supports both formats and you can
select the format as required.
You can configure the RIP authentication mode by using the following command:
rip authentication-mode { { simple password } | { md5 { rfc2082 key-string key-
id
| huawei key-string } } }.
simple: adopt simple text authentication.
password: specify the password for plain text authentication. The value is a
character string. For the plain text password, the string can contain 1 to 16
characters. For the cipher text password, the string must contain 24 characters.
md5: adopt MD5 authentication.
rfc2082: indicate that the MD5 authentication packet adopts the non-standard
format (described in RFC 2082)
huawei: indicate that the MD5 authentication packet adopts the standard format
(described in RFC 2453).
key-string: specify the password for MD5 authentication. For the plain text
password, the string can contain 1 to 16 characters, for example, 1234567. For
the cipher text password, the string must contain 24 characters, and the format
must be cipher text, for example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
key-id: specify the ID of the key used in MD5 authentication. The value ranges
from 1 to 255.
Using the rip authentication-mode command, you can configure the
authentication mode and authentication parameters for RIPv2.
Using the undo rip authentication-mode command, you can disable RIPv2
authentication.
The rip input command is used to allow an interface to receive RIP packets. The
rip output command is used to allow an interface to send RIP packets. By
default, an interface can receive and send RIP update packets at the same time.
Page 300
page 281
What are the characteristics of the RIP protocol?
The Routing Information Protocol (RIP) is a distance-vector routing protocol. It is
an IGP protocol. The RIP protocol is applicable to medium and small-sized
networks. It has two versions: RIPv1 and RIPv2. The RIP protocol exchanges
routing information through UDP, using port number 520. RIP supports the route
loop avoidance mechanisms, such as split horizon, route poisoning, and
triggered update.
What are the differences between RIPv1 and RIPv2?
RIPv1 is a classful routing protocol and does not support VLSM and CIDR.
RIPv1 sends packets in broadcast mode and does not support authentication.
RIPv2 is a classless routing protocol and supports route aggregation and CIDR.
RIPv2 sends packets in broadcast or multicast mode (using multicast address
240.0.0.9). RIPv2 supports plain text authentication and MD5 authentication.
Page 301
page 282
Page 303
page 283
Page 304
page 284
Page 305
page 285
Page 306
page 286
The Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol. RIP
is a routing protocol based on the distance-vector (D-V) algorithm.
RIP exchanges routing information through UDP. Based on RIP, a router sends update
messages every 30 seconds. If a router does not receive the update
message from the peer router within 180 seconds, the router marks all routes learned from
the peer router as unreachable. If the router still does not receive
the update message from the peer router in the subsequent 120 seconds, it deletes these
routes from the routing table.
RIP represents the distance to the destination network by the hop count. In RIP, the hop
count between a router and the directly connected network is 0. If the network is reachable
reached through another router, the hop count is 1. The hop count increases with the
number of routers between the source router and the destination network. In RIP, the
metric is an integer ranging from 0 to 15. The hop count equal to or larger than 16 is
defined as infinite, that is, the destination network or host is unreachable.
RIP is on the upper layer of UDP. Routing information for RIP is encapsulated in the
datagram of UDP. RIP uses port 520 to exchange routing information. When a router
receives the route update message from the remote router, the router notifies other routers
of the changed route. In this way, routes are synchronized on all routers in the network.
To improve the routing performance and avoid route loop, RIP supports split horizon,
poisoned reverse, and triggered update. In addition, RIP can import
routes learned through other routing protocols.
Page 307
page 287
RIP has two versions: RIPv1 and RIPv2. RIPv1 does not support Variable Length Subnet
Masks (VLSM). RIPv2 supports VLSM, route aggregation, and Classless Inter-Domain
Routing (CIDR). In addition, RIPv2 supports plain text authentication and MD5
authentication. In RIPv1, packets are transmitted in broadcast mode. RIPv2 supports two
transmission modes: broadcast and multicast. Multicast is adopted by RIPv2 by default.
The multicast address for RIPv2 is 224.0.0.9. An advantage of multicast transmission is
that the networks that do not support RIP will not receive the RIP packets. Also with
multicast, network segments that run RIPv1 will not receive or process the RIPv2 routes.
Page 308
page 288
Page 309
page 289
Network description:
RTA is connected to RTB through serial interface. RTA and RTB are configured with two
loopback interfaces each. IP addresses of these interfaces are shown in the figure.
Fault description:
After the configuration, the routes learned through RIP are not found in the routing table.
Command lines in part 7 RTP trouble shooting base on V3.4.
Page 310
page 290
The flowchart provides the main procedure for troubleshooting. When a router fails to receive
part of or all the routes, follow the following steps to locate the fault:
1. Check whether RIP is enabled on the incoming interface.
Use the network command to specify the network segment where RIP is enabled. An
interface can receive and send RIP routes only if the RIP protocol is enabled on this interface.
You can use the display current-configuration configuration rip command to view the
information about the RIP-enabled network segment and check whether the incoming
interface is included in this network segment. The specified network segment must be a
natural network segment.
2. Check whether the incoming interface works normally.
Use the display interface command to view the status of the incoming interface. If the
physical status of the interface is Down or Administratively Down, or the protocol status is
Down, RIP cannot function normally on the interface. Therefore, you must ensure that the
status of the incoming interface is normal.
3. Check whether the version of the RIP packets sent from the peer is the same
as the RIP version configured on the local interface. If the version of the received RIP
packets is different from the RIP version configured on the incoming interface, the RIP routes
may not be accepted correctly.
4. Check whether the undo rip input command is configured on incoming interface. The rip
input command is used to allow the specified interface to receive RIP packets. The undo rip
input command is used to prohibit the specified interface to receive RIP packets. If the undo
rip input is configured on the incoming interface, RIP packets received on this interface
cannot be processed, so RIP routes cannot be received.
Page 311
page 291
5. Check whether a routing policy is configured to filter RIP routes.
The filter-policy import command is used to filter the received RIP routing information. If
the ACL is used, use the display current-configuration
configuration acl-basic command to check whether the RIP routes from the neighbor
are filtered. If the IP address prefix is used, use the display ip ip-prefix command to
check the configured routing policy. If RIP routes are filtered by the routing policy, you
need to configure the correct touting policy.
6. Check whether the additional metric set by the rip metricin command makes the
metric of the received route exceed 15. The rip metricin command is used to set the
metric increment for the route in the received RIP packets. If the metric of the received
route exceeds 15, the router considers the route as unreachable and does not add this
route to the routing table.
7. Check whether the metric of the received RIP route exceeds 15. Similarly, if the metric
of the received route exceeds 15, the router considers the route as unreachable and dose
not add this route to the routing table.
8. Check whether the routing table contains the same route learned through another
protocol.
Use the display rip 1 route command to check whether the local router receives the RIP
route. It is possible that the RIP routes are accepted correctly, but the routing table
contains the same routes learned through another routing protocol, for example, OSPF or
IS-IS. Generally, the priority of OSPF or IS-IS is higher than the priority of RIP, so the
routing management module selects the routes learned through OSPF or IS-IS. Using the
display ip routing-table protocol rip verbose command, you can see that these routes
are inactive. If the fault still exists after these steps, contact technical support engineers of
Huawei or visit http://support.huawei.com.
Page 312
page 292
Page 313
page 293
Page 314
page 294
Networking description:
RTA is connected to RTB through serial interface. RTA and RTB are configured with two
loopback interface each. IP addresses of these interfaces are shown in
the figure.
Fault description:
After the configuration, the router does not send all or some of the routes.
Page 315
page 295
The flowchart provides the main procedure for troubleshooting. When a router
fails to send part of or all routes, follow the following steps to locate the fault:
1. Check whether RIP is enabled on the outgoing interface.
Use the network command to enable the network segment of the interface .
An interface can receive and send RIP routes only if the RIP protocol is enabled
on this interface. You can use the display current-configuration configuration
rip command to view the information about the RIP-enabled network segment and
check whether the outgoing interface is included in this network segment. The
specified network segment must be a natural network segment.
2. Check whether the outgoing interface works normally.
Use the display interface command to view the status of the outgoing interface. If
the physical status of the interface is Down or Administratively Down, or the
protocol status is Down, RIP cannot function normally on the interface. Therefore,
you must ensure that the status of the incoming interface is normal.
3. Check whether the silent-interface command is configured on the outgoing
interface.
The silent-interface command is used to suppress the interface from sending the
RIP packet.
The display current-configuration configuration rip command is used to check
whether the interface is suppressed from sending the RIP packet.
Enable the interface if it is disabled.
Page 316
page 296
4. Check whether the undo rip output command is configured on outgoing
interface.
The rip output command is used to allow the specified interface to send RIP
packets. The undo rip output command is used to prohibit the specified interface
to send RIP packets. If the undo rip output is configured on the outgoing
interface, RIP packets cannot be sent from this interface.
5. Checking whether the rip split-horizon command is configured on the outgoing
interface.
Run the display current-configuration command on the outgoing interface to
view whether the rip split-horizon command is configured. If the command is
configured, the split-horizon is enabled on the outgoing interface.
By default, the split-horizon is enabled on all outgoing interfaces, and it is used to
could the route loop,so please be careful if you want to cancel split-horizon .
6. Check whether a routing policy is configured to filter RIP routes.
The filter-policy export command is used to filter the RIP routes. Only the route
that passes the filtering policy can be added to the advertised routing table of RIP.
7. Check the status of the interface when the route contains the address of the
local interface.
Run the display interface command to check the status of the interface. If the
physical state of the interface is Down or Administratively Down, or the current
status of the protocol on the interface is Down, the IP address of the
interface cannot be added to the advertised routing table of RIP. Therefore, the
routing information will not be sent to the neighbor.
8. Check whether there are other problems.
If the outgoing interface does not support the multicast or broadcast mode and a
packet needs to be sent to the multicast or broadcast address, the fault occurs.
You can configure the peer command in the RIP mode to make routers send
packets with unicast address.
If the fault still exists after these steps, contact technical support engineers of
Huawei or visit http://support.huawei.com.
Page 317
page 297
Page 318
page 298
Page 319
page 299
Fault description: RTA and RTB use different authentication keys, so they cannot receive
routes from each other.
Analysis: If a router cannot receive any route from the peer, check the following:
1. Whether RIP is enabled on the interfaces connecting the peer.
2. Whether the link between the routers is normal.
3. Whether the routing protocol is configured properly.
Using related commands, you can see that RIP is enabled on the interfaces and the link
between the routers is normal, but the configuration of RTA is different from that of RTB.
Comparing their configurations, you can see that password authentication is configured for
RTA and RTB. Following the preceding sections, you already know that RIPv2 supports
the authentication of update packets to improve security. The authentication modes and
authentication keys must be the same on the two routers. If the authentication modes or
authentication keys on two routers are different, the routers cannot exchange routing
information and they ignore the update packets.
Page 320
page 300
After the authentication mode and key are configured correctly, the routers can learn
routing information of each other from the update packets.
Page 321
page 301
Fault description: The metric of the route exceeds the hop count limit in RIP, so the router
cannot accept route.
Analysis: RIP limits the hop count to 15. If the hop count in a network exceeds 15, RIP is
not applicable to this network.
Additional metric is the increment (hop count) added to the original metric. The rip metricin
command is used to set the increment added to the received route when the route is added
to the routing table. The metric of this route is also changed in the routing table. The rip
metricout command is used to set the increment added to a route to be advertised. But the
metric of this route is not changed in the local routing table. For example, after you
configure rip metricout 16 on RTB, the hop count of the route to 172.16.3.0 is 16 when the
route is received by RTA. RTA does not add the route to the routing table.
Command lines used here are based on VRP3.4.
Page 322
page 302
Viewing the routing tables of RTA and RTB, you can find that the route to 172.16.2.0 is
added to the routing table of RTB, while route to 172.16.3.0 is not added to the routing table
of RTA.
Page 323
page 303
Change the additional metric to 15, and RTA will add the route to 172.16.3.0 to its routing
table. Command lines used here are based on VRP3.4.
Page 324
page 304
Fault description: The subnets are not continuous, and thus the routing information cannot be
added to the routing table.
Analysis: Network 162.16.0.0 segment is divided by network segment. RTA and RTB uses
RIPv1, which is a classful routing protocol. Therefore, the routers send
update packets with a Class-B network segment address 162.16.0.0 but not the accurate
network addresses 162.16.2.0 and 162.16.3.0.
Page 325
page 305
When RTA receives the update packet for the route to 162.16.0.0, RTA does not add the
route to the routing table, because it has a directly connected network
segment 162.16.2.0.
Page 326
page 306
To solve this problem, you can enable RIPv2 on the routers, because RIPv2 is a classless
routing protocol. Use the undo summary command to enable the CIDR function.
Page 327
page 307
After you modify the configuration, RTB advertises the route with the accurate address
162.16.3.0, and RTA adds the route to the routing table.
Page 328
page 308
What are the steps for troubleshooting received RIP routes?
1. Check whether RIP is enabled on the incoming interface.
2. Check whether the incoming interface works normally.
3. Check whether the version of the received RIP packet is the same as the RIP version
configured on the incoming interface.
4. Check whether the undo rip input command is configured on the incoming interface.
5. Check whether the routing policy is configured to filter the received RIP routes.
6. Check whether the additional metric set by the rip metricin command makes the metric
of the received route exceed 15.
7. Check whether the metric of the received route exceeds 15.
8. Check whether the routing table contains the same route learned through another routing
protocol.
What are the steps for troubleshooting sent RIP routes?
1. Check whether RIP is enabled on the outgoing interface.
2. Check whether the outgoing interface works normally.
3. Check whether the silent-interface command is configured on the outgoing interface.
4. Check whether the undo rip output command is configured on the outgoing interface.
5. Check whether split horizon is configured on the outgoing interface.
6. Check whether the routing policy is configured to filter the routes imported to RIP.
7. Check status of the local interface if the route to be advertised contains the address of the
local interface.
8. Check whether other problems exist.
Page 329
page 309
Page 331
page 310
Page 332
page 311
Page 333
page 312
Open Shortest Path First (OSPF) is an IGP protocol based on the link state algorithm.
OSPF is brought forward by the Internet Engineering Task Force (IETF). OSPF has three
versions. OSPFv1 is defined in RFC 1131. This version was in the experimental stage and
has never been released for public use. OSPFv2 is used for IPv4 and was initially defined in
RFC 1247. RFC2328 is the latest standard document for OSPFv2. OSPFv3 is used for IPv6.
Unless otherwise specified, OSPF refers to OSPFv2 in this course.
OSPF is borne by the IP protocol and uses IP protocol number 89. An OSPF packet
consists of the header and the packet body. The format of the OSPF packet is described in
the HCDP course and is not explained here
Page 334
page 313
The following features of OSPF enable extensive use of OSPF:
Supports CIDR.
Early routing protocols, such as RIPv1, do not support CIDR. OSPF supports CIDR and
allows the advertised routing information to contain the subnet mask so that routing
information is not limited to the classful network.
Supports area division.
OSPF allows dividing an autonomous system (AS) into areas so that the users can be
managed more flexibly.
Avoids route loops.
The design of OSPF avoids route loops. OSPF allows dividing an AS into areas. Routers in
an area use the SPF algorithm to avoid route loops. Route loop between areas is avoided
through the area connection rule specified by OSPF.
The routes converge very quickly when the network topology is changed.
OSPF adopts the triggered update mode. When the network topology changes, the new link
state is flooded immediately. OSPF is sensitive to the change of network topology, so the
routes converge quickly.
Forwards protocol data through IP multicast.
An OSPF router sends and receives protocol data through multicast or unicast, which uses
low network traffic.
Supports equal-cost routes.
OSPF supports equal-cost routes. When multiple routes to the same destination have the
same cost, the traffic is shared by these routes evenly. Through load balancing, the link
bandwidth is used more efficiently.
Supports authentication of protocol packets.
In a network that requires higher security, OSPF routers can provide the authentication
function. Packets can be exchanged between OSPF routers only after they pass the
authentication. The authentication improves security of the network.
Page 335
page 314
OSPF is an open standard routing protocol and is extensively used by various network carriers.
OSPF can be applied to both the enterprise network and the carrier-class IP network. This slide
lists the differences between OSPF, RIPv2 and RIPv1.
Page 336
page 315
Compared with RIP, OSPF is a more advanced interior gateway protocol. OSPF
and RIP are totally different, although they are both IGPs. OSPF is based on the
link state algorithm, while RIP is based on the distance-vector algorithm. As
described in the course of the RIP protocol, distance-vector protocols select
routes based on the hop count and do not consider network resources such as
the link bandwidth. Under this condition, a path with high bandwidth may not be
selected.
OSPF selects routes according to the link state. OSPF enables fast convergence
of routes and do not limit the hop count. OSPF routers advertise the link
information, instead of periodically sending route update packets. Therefore,
OSPF is more applicable to large-scale networks. (A link can be regarded as an
interface on a router. The link state is the description of the interface and the
relation between the local router and the adjacent router.) The calculation
process of OSPF will be described later.
Page 337
page 316
Unlike early routing protocols that use the distance-vector algorithm, OSPF uses the link
state algorithm. The following describes the route calculation process of the link state
algorithm.
An OSPF router floods the link state advertisement (LSA) to notify other routers of the
status of the local link, for example, available interface, reachable neighbor, and the
information about the adjacent network segment. Flooding is a process of sending and
synchronizing the link state between routers.
Each router generates a link state database (LSDB) according to the LSAs advertised by
other routers and its local LSAs. The LSDB describes the detailed network topology in the
routing area. In the same area, all routers have the same LSDB.
Based on the LSDB, each router calculates a shortest path tree with the SPF algorithm. The
local router is the root of the tree, and other nodes in the network are leaves. The shortest
path tree calculated through the SPF algorithm does not have route loops.
The shortest path tree of each router provides the routing table listing the routes to other
nodes in the network. Thus, each OSPF router knows the routes to other routers.
Page 338
page 317
OSPF supports five types of packets, which contain the same OSPF header. An OSPF
router uses the following packets to discover neighbors and maintain the neighbor relation,
synchronize the LSDB, and exchange routing information:
Hello packet: It is a common packet used to discover neighbors and maintain the neighbor
relation. The Hello packet is also used to elect the designated router (DR) and backup
designated router (BDR) in the broadcast network and NBMA network.
DD packet: Routers use DD packets to describe their LSDBs when they synchronize the
LSDBs. A DD packet consists of an LSA and an LSA header. The header uniquely identifies
an LSA. The LSA header makes a small part of the packet, and thus the traffic of protocol
packets transmitted between routers can be reduced. The peer router checks whether an
LSA already exists according to the LSA header.
LSR packet: After two routers exchange the DD packets, each router knows the LSAs that
exist in the LSDB of the peer but do not exist in the local LSDB. Then the router sends an
LSR packet to request for these LSAs. The LSR packet contains the summary of the
required LSAs.
LSU packet: This packet is used to send the required LSAs to the peer router. An LSU
packet contains the combination of multiple LSAs.
LSAck packet: This packet is used to acknowledge the received LSU packet.
Page 339
page 318
To exchange the link status and routing information, two OSPF routers need to establish the
neighbor relation.
Neighbor
After an OSPF router is started, it sends Hello packets through the OSPF interface to
discover neighbors. The OSPF router that receives the Hello packet checks the parameters
in the Hello packet. If the parameters are consistent on the two routers, the two routers
establish the neighbor relation.
Adjacency
Not all neighboring routers can establish the adjacency. Adjacency establishment depends
on the network type. The real adjacency is established only if the routers exchange DD
packets successfully and can exchange LSAs. To send LSAs, a router must discover the
neighbor and establish the adjacency with the neighbor.
In this example, RTA is connected to three routers through Ethernet. RTA has three
neighbors, but you cannot say that RTA establishes three adjacencies.
Page 340
page 319
Not all neighbors can establish the adjacency to exchange link status and routing
information. Adjacency establishment depends on the network type, namely, the layer-2 link
type of the OSPF network.
Based on the link-layer protocol, OSPF networks are classified into the point-to-point
network, broadcast network, NBMA network, and point-to-multipoint network. A point-to-
point network is a network that directly connects two routers.
Link layer protocols for the point-to-point network are PPP, LAPB, and HDLC. In a point-to-
point network, neighboring routers can establish the adjacency directly. Broadcast network:
If the link-layer protocol is Ethernet or FDDI, the network is considered as a broadcast
network by default. The network shown in the right of the figure is a broadcast network.
Ethernet is a common link layer protocol for a broadcast network. In the broadcast network,
NBMA network, and point-to-multipoint network, routers establish adjacency selectively.
Page 341
page 320
A non-broadcast network can connect more than two routers, but it does not support
broadcast.
In non-broadcast networks, OSPF has two operation modes: non broadcast multi-
access (NBMA) and point-to-multipoint.
NBMA
In an NBMA network, routers must establish a full connection. An ATM network adopting full
connection is an NBMA network.
In an NBMA network, OSPF simulates the operations on broadcast networks, however
neighbors of each router must be configured manually.
Common link layer protocols for the NBMA network are Frame Relay and ATM.
Page 342
page 321
Point-to-multipoint
A network that cannot establish the full connection needs to adopt the point-to-multipoint
mode. A Frame Relay network is such a network. In this mode, the entire non-broadcast
network is regarded as a group of point-to-point networks. A router discovers its neighbors
by using a lower layer protocol, for example, inverse ARP. The point-to-multipoint network
type is not a default type in OSPF.
Page 343
page 322
In broadcast and NBMA networks, if any two routers need to establish the adjacency, route
convergence is very slow. Use of the designated router (DR) and backup designated router
(BDR) solves this problem.
A broadcast network or NBMA network containing at least two routers has one DR and a
BDR.
Functions of the DR and BDR:
The DR and BDR reduce adjacencies, thus reduce exchanges of link state information and
routing information. Use of the DR and BDR reduces bandwidth consumption and lowers the
burden of routers. A router that is neither the DR nor the BDR is called a DRother. A DRother
establishes the adjacencies and exchanges the link state information and routing information
only with the DR and BDR. This mode greatly reduces adjacencies and raises route
convergence speed in large-scale broadcast and NBMA networks.
In the figure, RTA has three neighbors, but it establishes adjacencies only with the DR and
BDR. RTA does not establish the adjacency with the other router and does not exchange
routing information with this router. To sum up, establishment of the adjacency depends on
the network type. In a point-to-point network, two routers can establish the adjacency. A
point-tomultipoint network can be regarded as a group of point-to-point networks. An
adjacency is established between each two directly connected routers. In a broadcast or
NBMA network, a DR and a BDR are selected. Drothers establishes adjacencies only with
the DR and the BDR.
Page 344
page 323
Autonomous system
An autonomous system is a combination of routers that use the same routing policy and are
managed by the same technical management organization. In the course of OSPF, an
autonomous system refers to a group of routers that exchange routing information by using
the same routing protocol. In this course, autonomous system is referred to as AS for short.
As an IGP protocol based on the link state algorithm, OSPF takes effect only within the AS.
Area
An area is a combination of routers and the networks connected to these routers. As shown
in the figure, three routers and the networks connected to the routers forms an area. Single
area means that all routers running OSPF belong to the same area. OSPF requires that all
routers in the same area have the same LSDBs.
Router ID:
To run OSPF, a router must have a router ID. The LSDB records the topology of the
network, including routers in the network. Each router must have a unique identifier to
identify itself in the LSDB. A router ID is a 32-bit integer used to uniquely identifies a router
in an AS. Each OSPF router has a router ID. Router ID uses the format of an IP address.
The IP address of Loopback interface of a router is recommended as the router ID.
Page 345
page 324
In this example, the topology for OSPF single area configuration is as follows:
RTA and RTB are located in the network. Each router uses the IP address of Loopback0 as
the router ID. RTA and RTB belong to Area 0. Here, configuration of interfaces and IP
addresses is not mentioned. For the configuration, refer to related basic courses.
The procedure for basic OSPF configuration is as follows:
Run the router id router-id command to specify the router ID. If the router ID is not specified,
OSPF uses the largest loopback IP address as the router ID. If no loopback interface is
configured, the largest IP address of physical interfaces is used as the router ID.
Run the ospf [ process-id] command to enable OSPF. OSPF supports multiple processes. If
the process ID is not specified, process 1 is used by default. Run the area area-id command
to enter the area view.
Run the network ip-address wildcard command to specify the network segment included in
the area. When specifying the network, use the wildcard mask of the network segment.
Page 346
page 325
After the configuration, you can use related commands to check the configuration. For
example, you can use the display ospf routing command to display information about the
OSPF routing table.
[RTA] display ospf routing
In this example, this command displays the OSPF routing table of RTA. The display shows
that the OSPF routing table of RTA contains three route entries and they are all in Area 0.
Each route entry shows network segment, next hop, router that advertises this route, and the
area the route belongs to. From the display information, you can see that the OSPF
configuration is correct and RTA and RTB can exchange routing information.
Page 347
page 326
As the network size keeps increasing it increases the number of devices that are part of the same
converged domain and in turn their routing tables. If all routers in a large-scale network run OSPF,
an increasing amount of storage space becomes occupied, The reason is that the LSDB becomes
very large when a large number of routers are added to the network. A huge LSDB makes
calculation of SPF algorithm very complicated and burdens the CPU. When the network size is
enlarged, the probability of topology changes also increases and the network often flaps. Under
such a condition, a large amount of OSPF packets are transmitted in the network, which lowers the
bandwidth utility. To make it worse, each time the network topology changes, all routers in the
network need to recalculate routes.
To avoid this problem, OSPF divides an AS into areas. Areas logically classify routers into different
groups. An area is identified by the area ID.
An area is a combination of network segments.
OSPF allows network segment to form an area.
Dividing an AS into areas reduces the LSDB size and reduces network
traffic.
The detailed topology within an area is not sent to other areas. Areas exchanges only abstract
routing information but not the link state information. Areas maintain different LSDBs. Each router
maintains a independent LSDB that records each area connected to it. Since the link state
information is not advertised to other areas, the size of LSDB is much more smaller.
Area 0 is the backbone area that advertises the inter-area routing information (not detailed link
state information) summarized by edge routers to non-backbone areas. To avoid routing loop, non-
backbone areas cannot advertise inter-area routing information. Each edge router, therefore, must
have at least one interface in Area 0. That is, all non-backbone networks must be connected to the
backbone area.
Page 348
page 327
OSPF defines the following types of router:
Internal Router (IR)
An IR is the whole interfaces of a router connected to network segments in the same area.
IRs in the same area maintain the same LSDBs.
Area border router (ABR)
An ABR is a router connected to multiple areas. An ABR maintains an LSBD for each area
connected to it. ABRs exchange inter-area routing information.
Backbone router (BR)
A BR is a router that has at least one interface (or virtual connection) in the backbone area.
All ABRs and routers that have all interfaces in the backbone area are BRs. Non-backbone
areas must be directly connected to the backbone area, and so BRs usually process routing
information of multiple areas.
AS boundary router (ASBR)
An ASBR is a router used to exchange routing information with routers in other AS. The
ASBR advertises routing information of other AS to all routers in the same AS. Routers in an
AS communicate with routers in other AS through the ASBR. An IR or ABR can act as the
ASBR. An ASBR can be in the backbone area or a non-backbone area.
Page 349
page 328
As shown in the figure, the area is divided into Area 0, Area 1, and Area 2. OSPF requires
non-backbone areas to be directly connected to the backbone network, and so Area 1 and
Area 2 are connected to Area 0. On RTA, Area 1 must be configured. On RTB, Area 0 and
Area 1 must be configured. On RTC, Area 0 and Area 2 must be configured. On RTD, Area 2
must be configured.
RTA and RTB exchanges LSAs to generate LSDBs. LSDBs of RTA and RTB are the same.
Since RTB also belongs to Area 0, RTB maintains another LSDB for Area 0. This LSDB is
the same as the LSDB on RTC. Similarly, RTD and RTC maintain same LSDBs for Area 2.
The configuration is similar to configuration of a single area, and the commands are omitted
here. When configuring multiple areas, network segments must be specified for area
separately. For example, network segment 2.2.2.2 is specified Area 1, and so this network
segment cannot be specified in Area 0. Note that a network segment cannot belong to
multiple areas.
The configuration of RTA is similar that of RTD. please take note of the configuration of RTD
later.
Page 350
page 329
This page shows the configuration of RTC. Two areas are configured on RTC:
Area 0 and Area 2. Their network segments are specified separately.
Page 351
page 330
Only one area (Area 2) is configured on RTD, and so network segments are
specified only for Area 2.
Page 352
page 331
Using the display ospf routing command, you can verify the configuration. You can also use
the following command to view information about neighbors of an OSPF router.
display ospf peer
In the output information:
Area indicates the area a neighbor belongs to.
Interface indicates the interface connected to this neighbor.
Router Id indicates the router ID of the neighbor.
Address indicates the address of the neighboring interface.
RTB has two neighbors: RTA in Area 1 and RTC in Area 0.
First line of the output information: OSPF Process 1 with Router ID 2.2.2.2 indicates that the
router ID of RTB is 2.2.2.2.
The following lines:
Area 0.0.0.0 interface 10.1.2.1(Ethernet0/1)'s neighbors
Router ID: 3.3.3.3 Address: 10.1.2.2
These lines indicate that the neighbor belongs to backbone area Area 0; the IP address of the
interface connected to the neighbor is 10.1.2.1; the router ID of the neighbor is 3.3.3.3; the IP
address of the neighboring interface is 10.1.2.2.
Information about the neighbor in Area 2 is similar to the above information.
Page 353
page 332
Besides the OSPF routing table and OSPF neighbor information, you can view the global
routing table. In this example, you can use the display ip routing-table command to view
the global routing table. The output information shows that five route entries are learned
through OSPF.
Page 354
page 333
What is the calculation process of the link state algorithm?
Each router in the network advertises the local link state information to other routers and
collects the link state information advertised by other routers. In this way, each router
generates an LSDB that describes the network topology. Based on the LSDB, routers
calculate a shortest path tree by using the SPF algorithm. The shortest path tree provides
routes to all nodes in the network.
What is an OSPF area?
An OSPF area is a combination of network segments.
What is the procedure for basic OSPF configuration?
Enable the OSPF process. Create OSPF areas. Specify network segments for each area.
Page 355
page 334
Page 359
page 337
Page 360
page 338
Page 361
page 339
The history of Ethernet:
1973 Ethernet was invented at Xerox in Palo Alto, California. Dr Robert Metcalfe
is regarded as the father of Ethernet. Early Ethernet standards, the prototype of todays
Ethernet ran at a speed of 2.94 Mbps.
1980 Digital Equipment Corporation, Intel and Xerox promoted Ethernet as a
standard, the so called Ethernet DIX80 or Ethernet version 1 standard which
standardized 10Mbps Ethernet.
1982 A second revision of Ethernet, known as Ethernet DIX82 or Ethernet
version II. The Ethernet II remains the Ethernet standard used in todays networks.
1995 IEEE issued the standard for Fast Ethernet, namely, the 802.3u standard.
1998 IEEE issued the standard for gigabit Ethernet.
1999 IEEE 802.3ab or 1000 BASE-T standard was published.
July 18th, 2002
IEEE published the 802.3ae or 10G Ethernet standard which involves three
physical interface standards, namely, 10GBASE-R, 10GBASE-W and 10GBASE-LX4.
March, 2004
IEEE issued the 802.3ak standard or 10GBASE-CX4 for 10G Ethernet over
copper twin-axial cable.
Page 362
page 340
In the early days, Ethernet was a shared network medium. It often ran using the following
transmission media:
10Base5: thick coaxial cable commonly known as thicknet. The 5 refers to a maximum
transmission distance of 500 meters.
10Base2: thin coaxial cable commonly known as thinnet. The 2 refers to a maximum
transmission distance of close to 200 meters, the true distance is 185 meters.
Before shared Ethernet came into being, coaxial cable was connected with a device called
a pigtail which is was inserted by cutting a small hole in the coaxial cable. Extreme care had
to be taken when inserting a pigtail into the coaxial cable due to the potential for the central
core to short out on contact with the metallic shield, which could cause the failure of an
entire segment.
Page 363
page 341
At the end of 1980s, unshielded twisted pair (UTP) came into being and was soon
widely used. UTP is cheap and easily made and with UTP data can be sent and
received over different wires, which makes full duplex easily applied.
Twisted pair cable comes in two types: shielded twisted pair (STP) and unshielded twisted
pair (UTP). STP is very effective at protecting cables from external electromagnetic
interference. Twisted cables are categorized by the length of a single twist for each wire
pair, and they come in the following types:
Category-3 twisted-pair cable The cable defined by ANSI and EIA/TIA568. Its
transmission frequency is 16MHz and is mainly for transmitting voice or transmitting data
with data rates of up to 10Mbps. It is often used for 10base-T networks.
Category-4 twisted-pair cable Mainly used for transmitting voice or transmitting data
with a typical data rate of 16Mbps. It is commonly used in token ring LANs and 10base-
T/100base-T networks.
Category-5 twisted-pair cable Mainly for transmitting voice or data at the rates of up to
100Mbps. It is often used for 100base-T and 10base-T networks. It one of the most widely
used Ethernet cables, however has generally been superseded by an enhanced version
known as Cat5e. The Cat5e standards are much more stringent and give a support the
use of 4 wire pairs as opposed to 2 wire pairs used by Cat5, allowing Cat5e to support
Gigabit Ethernet transmissions.
Page 364
page 342
Ethernet interfaces on networking devices come into two types: Medium Dependent
Interface (MDI) and Medium Dependent Interface Crossover (MDI_X). Ethernet interfaces
of routers and interfaces of Network Interface Cards (NIC) are often MDIs. The Interfaces of
hubs are considered MDI_X interfaces.
Twisted-pair cables can be divided into straight cable and crossover cable types. Straight
cables are used for connecting MDI and MDI_X type devices; crossover cables are mainly
for connecting MDI and MDI or MDI_X and MDI_X device types. It should be noted that the
pair sequence in a crossover cable results in a crossover at each end of the cable between
pins 1 & 3 and 2 & 6.
Page 365
page 343
Page 366
page 344
Usually 10 Mbit/s Ethernet is only located at the access layer of the network. The
new generation multimedia products, video and database products may easily
chew up the bandwidth of 10Mbit/s Ethernet.
Page 367
page 345
Besides coaxial cable and twisted pair cable, the IEEE802.3 cable also incudes
fiber 10BASE-F. 10BASE-F was once used at the early age of Ethernet and its
transmission distance can reach 2 Km.
Page 368
page 346
The standard (10Mbps) Ethernet transmission rate is too low to meet the demands of
todays networks. To meet these higher demands, IEEE issued the IEEE802.3u standard
for fast Ethernet, supporting data transmission rates of 100Mbps.
Page 369
page 347
Full-duplex fast Ethernet is capable of sending and receiving data at 100 Mbps/s rate
simultaneously. Data sending and receiving are independent due to the use of separate
wire pairs for transmitted and received data, which avoids collisions and interference and
improves the network efficiency.
The standards body EIA/TIA stands for Electronic Industries Alliance/Telecommunication
Industry Association.
Page 370
page 348
Gigabit Ethernet is an extension of the Ethernet defined by IEEE802.3, for which transmission
speeds of 1Gbps are achieved.
There are two standards that have been defined for gigabit Ethernet, they are IEEE802.3z (for
fiber and copper) and
IEEE802.3ab (for twisted-pair).
Page 371
page 349
IEEE802.3ab specifies the standard for 1000BaseT. 1000BaseT is a kind of 10G
Ethernet technologies using Type5 UTP to transmit data and its effective
transmission distance reaches 100 meters as that of 100BASETX does. Users can
upgrade their 100Mbps Ethernet to 1000Mbps Ethernet smoothly in their original
fast Ethernet system with this technology.
IEEE802.3z sets standards for three kinds of cables:
1000BaseCX is based on a kind of copper shielded twisted-pair cables with high
quality. The transmission distance of this cable is 25 meters and is connected by
9um D type connectors.
1000BaseSX is a kind of technology using shortwave laser as the signal source.
The wavelength of the laser is set to be within the scope of 770-860nm (usually
800nm). It supports only multi-mode fiber and cannot operate on the single mode
fiber.
1000BaseLX is another optical gigabit Ethernet standard, using a long wavelength
laser (1270-1355, usually is 1300nm),It can drive not only multi-mode fiber but
also single-mode fiber.
Page 372
page 350
10G Ethernet is the cutting-edge technology in the Ethernet world. Its transmission speed is
10 times that of a gigabit Ethernet and its working area is much wider. 10G Ethernet can be
applied not only to the traditional LANs, but also WANs and MANs which were once closed to
Ethernet due to its limited capabilities. 10G Ethernet can be compatible with DWDM
seamlessly which stretches Ethernet to a global geographical scope without being limited by
distance.
Two organizations, IEEE and 10 Gigabit Ethernet Alliance (10GEA), played an important role
in the standardization of 10G Ethernet. IEEE is in charge of setting standards for 10G
Ethernet and it has issued IEEE802.3ae as of June 2006. IEEE802.3ae specifies the
standard of 10G Ethernet that runs on fiber, a standard not so suitable for enterprise LANs
that commonly transmit data through copper cabling. To meet the requirements from the 10G
Ethernet that runs on copper cables, IEEE issued the 802.3ak standard in March 2004 and
the IEEE 802.3an standard for 10G Ethernet over twisted-pair cabling.
Page 373
page 351
The standard for 10G Ethernet over fiber is IEEE802.3ae, which consists of 10G
BASE-X, 10GBASE-R and 10GBASE-W.
10GBASE-X uses a tightly packed package which involves a rather simple WDM device, four
receivers and four lasers that work at the wavelength of about 1300nm at an interval of around
25nm. Each sender and receiver pair works at a speed of 3.125 Gbps with a data rate of 2.5
Gbps.
10GBASE-R is a form of serial interface based on a 64B/66B coding scheme instead of the
8B/10B scheme applied to the gigabit Ethernet. Its data rate is 10.000 Gbps/s which leads to a
clock rate of 10.3 Gbps.
10GBASE-W refers to the WAN interface, which is compatible with SONET OC-192. The
clock rate and data rate of 10 GBASE-W are 9.953 Gbps and 9.585 Gbps respectively.
The 10G Ethernet standard for fiber is IEEE802.3ae. IEEE802.3ak is the standard for 10G
Ethernet over coaxial cables. 10GBASE-CX4 allows 10G Ethernet to transmit over coaxial
copper lines up to a distance of 15 meters.
Page 374
page 352
This chapter involves the following contents:
1. How was the Ethernet standard formed?
Xerox first presented the original Ethernet technology whose speed was only 3Mbps in 1973.
Later, Digital Equipment Corporation, Intel and Xerox jointly proposed the 10Mbps DIX
standard for Ethernet. This was then developed into early forms of the IEEE802.3 standard in
1980.
2. Which media types are supported by Ethernet?
Ethernet has defined standards for support of Ethernet over coaxial, twisted-pair and fiber
optic media types.
3. What are the speed rates of Ethernet?
10M, 100M, 1000M and 10G. Early category 4 cabling also supports speeds of 16Mbps for
token ring.
Page 375
page 353
Page 377
page 354
Page 378
page 355
Page 379
page 356
Page 380
page 357
Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a set of rules
determining how network devices respond when two devices attempt to use a data
channel simultaneously. The basic working theories of CSMA/CD are as follows:
(1) If the transmission media is not occupied at that time, a particular station can
transmit, otherwise move on to the next step.
(2) The station waits for a while until the data channel is not occupied and then it begins
to send data.
(3) If the station detects a collision which is known as the voltage level is as twice as
usual, it stops transmitting that frame and transmits a jam signal in order let all the
participatingstations know the collision.
(4) After a random time interval, the station that collided attempts to transmit again,
which goes back to step 1 again and the process cycles.
Page 381
page 358
Limited by the algorithm of CSMA/CD, the length of a frame sent over Ethernet
using 10M half duplex should be at least 64 bytes.
Page 382
page 359
Two network devices appeared during the period when the Ethernet developed
from a shared to a switched network, one is the Hub, the other is the Repeater.
When the network is extended, signals degrade as they travel long distances,
which may often lead to corrupted data. The repeater is an electronic device
that helps to recover or amplify signals. The hub and repeater both work at the
physical layer.
Page 383
page 360
The hub is an Ethernet device which works based on the mechanism of
CSMA/CD. The working principles of the hub are quite simple. The hub forwards
the data frame received by one of its ports to all other ports directly no matter
whether the frame is unicast or broadcast. We may say that the hub and repeater
changes only the physical topology of the Ethernet, the logical topology of the
Ethernet is still remains a bus topology. The hub does not have a MAC address
and only forwards data without filtering.
Page 384
page 361
The network connected by hubs or repeaters is considered to be shared Ethernet, so it is no
wonder that this kind of network has all the weaknesses of a shared Ethernet, weaknesses
that include:
Collisions
Broadcast flooding
No Guarantee of Security
Page 385
page 362
Page 386
page 363
The Ethernet switch operates at the data-link layer and has two basic functions:
Learning MAC addresses
Switching or filtering data
Page 387
page 364
In the figure above, DMAC indicates the MAC address of the destination and
SMAC is the MAC address of the source. The meaning of the Length/Type field
various with its values. When its (hexadecimal) value exceeds 1500, it indicates
the field is a type field; when the value is less than or equal to 1500, the field
indicates it is a frame length field. The value of the DATA/PAD field represents
the length of the data filled to make the frame length to be 64 bytes or above.
FCS refers to the extra checksumcharacters added to a frame for error detection
and correction.
When the value of the Length/Type field exceeds 1500, the MAC sub-layer can
submit the frame to a protocol at the upper layer immediately without going
through the LLC sub-layer. This structure is the Ethernet_II structure which is
very popular and used by most protocols. In this structure, the data-link layer
only involves the MAC sub-layer anddoes not implement the LLC layer. When
the value of the Length/Type is less than or equals to 1500, it indicates the
Ethernet_SNAP structure which is set by the 802.3 committee but is not widely
used.
Page 388
page 365
An Ethernet frame whose type is 0800 is an Ethernet_II frame, as 0x0800 when
converted from Hexadecimal to Decimal is bigger than 1500 and must be an IP
datagram, since 0800 represents the IP datagram header. In a similar way, it is
possible to determine that a 0806 frame is for ARP request/response and a
8035 frame is for RARP request/response. However, the question remains how
we can identify the type of a the next frame header defined in 802.3 since the
802.3 frame indicates only the frame length instead of the frame type'?
Page 389
page 366
In an 802.3 frame, there is a three-byte 802.2 LLC and a five-byte 802.2 SNAP
header. The values of Destination Service Access Point (DSAP) and Source
Service Access Point (SSAP) are both set to 0xAA. The Ctrl field is set to 3 and
the 3-byte org code field that comes after it is set to 0. The following TYPE field
functions the same as that of the Ethernet_II frame.
Page 390
page 367
A MAC address is a 48 bit address and is often represented by a 12-bit
hexadecimal digit. A MAC address is globally unique and IEEE is responsible
for the management and allocation of MAC addresses. A MAC address is made
up of two parts which are the manufacturer assigned and the sequence number.
The first 24 bits identify the organization that issued the identifier and is
managed and allocated by IEEE. The following 24 bits are assigned by that
organization in nearly any manner they please, subject to the constraint of
uniqueness.
Special MAC addresses:
1. If a MAC address whose 48 bits are all 1s, it is a broadcast address.
2. If a MAC address whose eighth bit is 1, it is a multicast address.
The eighth bit of the destination address indicates whether the frame is sent to a
single station or a group of stations.
The eighth bit of a source address must be 0 since a frame cannot be sent by a
group of stations.
Page 391
page 368
Source MAC Learning
The bridge forwards frames based on its MAC address table which is built using
the source MAC addresses of received frames. A common MAC address table of
a layer-2 switch maps between MAC addresses and switch ports.
We should bear in mind that a switch learns the source address of data frames it
receives, meaning that every port of a switch listens independently for the source
address of data frames they receive.
Initially, the MAC address table is empty, but once a switch receives a frame via
port 1, the switch will check the frames destination and search for the MAC
address in its cache however no entry will currently exist. The switch as a result
will flood the frame out of all ports except the port on which the frame was
received and then use the source address of the frame to build its MAC address
table, mapping port 1 to the MAC address of station A. Similarly, each station will
map the port on which the frame is received to the source MAC address of that
frame, forming a MAC address table for each switch device.
If a port connects to a hub, then the switch port will recognize multiple MAC
addresses for a single interface.
Every port of a switch corresponds to a collision domain.
Note: For multicasting, address entries are not obtained by learning. They are
obtained by IGMP or protocols such as CGMP.
Page 392
page 369
Forwarding Frames Based on the Destination MAC
The switch forwards frames according to its MAC address table. If the destination
address of the frame is not in the table, the switch will flood the frame. The switch
maintains its MAC address table through an automatic learning and aging
mechanism. Frame structures are not modified in most cases. (VLAN makes
changes to the frame structure by putting a TAG in the frame.)
Page 393
page 370
The switch receives a data frame from the local segment via one of its port
interfaces.
The switch builds its MAC address table by learning the source MAC of the
frames and maintains its MAC address table with the aging mechanism. The
switch looks for the destination MAC in its MAC address table and if the
destination MAC is in the table, then the switch sends the frame to the
corresponding port (the source port is not included); if the switch cannot find the
destination MAC in its table, then it sends the frame to all the ports except the
source port.
Page 394
page 371
There are three switching modes: Cut-Through, Store-and-Forward and
Fragment-free. Their characteristics are as follows:
Cut-Through
The switch starts forwarding a frame before the whole frame has been received,
normally as soon as the destination address is processed.
Low latency
The switch forwards frames without detecting errors.
Store-and-Forward
The switch starts forwarding a frame after the whole frame has been received.
High latency, and the latency is decided by the frame length. The switch checks
for errors and once it finds an error, the frame is discarded immediately.
Fragment-free
The switch starts forwarding a frame after the first 64 bits (the shortest possible
length) of the frame has been received. This mode inherits the advantages of
the Cut-Through mode and the Store-and-Forward mode. With this mode, the
switch can start forwarding without the whole frame having being received
which is the same as it does with the Cut-Through mode; and at the same time,
the switch can check errors as it does with the Store-and-Forward mode and
should it find there are errors in the first 64 bits of the frame, it will drop the
frame.
Page 395
page 372
L2 switches help to avoid collisions in a shared Ethernet but broadcast flooding is still
widespread. How can this problem be resolved?
Page 396
page 373
Page 397
page 374
L3 switches tend to take the form of a switch. Compared with routers, L3 switches are
endowed with all the functions that L2 switches possess, including MAC-address based
frame forwarding, STP and VLAN. However, L3 switches also have the L3 functions that
L2 switches are not given, which enables them to realize the L3 internetworking for
VLANs.
Most of the lower or middle-end L3 switches realize L3 forwarding through L3 exact
match, which means to search the cache according to the destination IP address of data
frames directly. While, traditional routers use the longest matching method, that is to
search the routing table for the destination IP address and forward data with the longest
matching address in the table. Different manufacturers use different approaches to
forward data. Exact search is more suitable for a network that has stable routes and
whose topology does not often change.
High-end L3 switches are often applied to complex networks. So if they use the exact
search approach to find routes, the odds to hit the cache is not optimistic. Furthermore,
most high-end switches use hardware to realize longest matching search which may be
as efficient as the exact search approach. So for high-end switches, exact search is not a
must choice.
Finally, L3 switches have evolved from L2 switches and they are always thought to be
designed for LANs. So L3 switches do not support many interface types except the
interfaces relevant to VLANs such as Ethernet interface, ATM VLAN virtual interface,
which avoids problems that have bothered routers with multi-type interfaces. Since every
interface of a L3 switch is an Ethernet interface, collisions are avoided and the odds of
segmentation is lowered. But for the efficiency of up-link, many L3 switches are equipped
with high-speed POS interfaces.
Page 398
page 375
IP Network Rules:
1. Communication with the same segment.
When a host communicates with the destination host, it judges whether the
destination is in the same segment with its own IP address and subnet mask. If
they are in the same segment, the host searches for the MAC address of the
destination through ARP and fill the MAC address in the frame header.
2. Communications across segments
If the host finds that the destination is not in the same segment with itself, then it
searches for the MAC address of the gateway instead of the MAC address of the
destination and fills the MAC address of the gateway in the frame header. Layer-
3 switches make decisions on whether to make layer-2 forwarding or layer-3
forwarding according to the above rules. The layer-3 switch performs layer-3
forwarding if it is given the MAC address of an interface defined by a VLAN;
otherwise the switch performs layer-2 forwarding within the VLAN.
Page 399
page 376
1. How to communicate over shared Ethernet?
CSMA/CD is an effective way to realize multi-point communications over a shared
medium. The station listens to the link before it sends frames, so to avoid
collisions. The frame sent by a station can be received by multiple stations. The
station monitors the link while it sends frames and it stops sending frames as soon
as it detects a collision and waits for a random time interval before trying to
send the frame again.
2. What is the principle operation of a L2 switch
The L2 switch works at the data-link layer and has two basic functions: learning
based on the source MAC address and forwarding based on the destination MAC
address.
3. What is the difference between a L3 switch and a router?
L3 switch is small but is powerful in some specific areas; however, the router is
large and has comprehensive abilities.
Page 400
page 377
Page 402
page 378
Page 403
page 379
Page 404
page 380
Page 405
page 381
Auto-negotiation was developed to help devices supporting 10Mbps Ethernet be
compatible with the 100Mbps Fast Ethernet. The auto-negotiation technology takes the
operational modes of the local device, and receives the operational modes from the link
partner and determines the highest common shared operational mode that can be
supported.
Auto-negotiation works on the revised 10Base-T standard and is achieved depending on
the design of physical layer chips. It does not use any specific datagram or cost any upper
layer protocols. The basic mechanism of auto-negotiation is to encapsulate negotiation
information into a series of revised link conformity test pulses of the 10BASET linking test
wave (Fast Link Pulse). Each device should be able to send a series of pulse when the
device is powered on, or receives management demands, or is interfered with by users.
FLP involves a series of clock/digital sequence formed by linking conformity testing pulse.
Once those data are drawn out, we may know the operational mode the link partner
supports and get information concerning the negotiation hand-shake mechanisms.
Page 406
page 382
When both the negotiation parties support more than one operational mode, there should
be a precedence order to decide the final operational model. The table above lists the
precedence of operational modes from high to low defined by IEEE 802.3. The basic
principle is the 100Mbps mode has a higher precedence than the 10Mbps and full duplex
is better than half duplex. 1000BASE-T4 is listed before 100BASE-TX because 100BASE-
T4 supports more cable types. Ethernet over fiber does not support auto-negotiation. You
need to configure the operation mode for the two link parties manually, which includes the
rate, duplex mode and traffic control. If the two parties are configured differently, they
cannot communicate with each other.
Note: 100BASE-T4 can be realized through Type3, Type4 and Type5 UTP and all the four
pairs are used. 100BASE-TX can only run over Type5 UTP or STP and two pairs of the
four pairs are used.
Page 407
page 383
Configuration Example
To set the duplex mode to full duplex:
[Quidway-Ethernet0/1] duplex full
Restore the duplex mode to its default value:
[Quidway-Ethernet0/1] undo duplex
Page 408
page 384
You can configure the speed of Ethernet port with the following commands. If the port
speed is configured to be decided by the auto-configuration mechanism, the two parties
will negotiate to decide the port speed together. You can also configure the port speed
manually by running the speed command.
By default, the port speed is in the auto state (decided by auto-negotiation).
Set the port speed of Ethernet to 100Mbps:
[Quidway-Ethernet0/1] speed 100
Restore the port speed of Ethernet to its default value:
[Quidway-Ethernet0/1] undo speed
Page 409
page 385
Page 410
page 386
Network congestion occurs when data are transmitted between two ports with different
speed rates (for example, when a 100Mbps port sends data to a 10Mbps port.) or a link or
node is carrying so much data that its quality of service deteriorates. Typical effects
include queuing delay, packet loss or more retransmissions which wastes network
resources dramatically. In real networks, especially for LANs, network congestion seldom
occurs. So no switch manufacturers produce switches with flow control functions. High-
capability switches should support backpressure in the half duplex mode and flow control
in the full duplex mode defined by IEEE802.3x.
Page 411
page 387
Bridged or half-duplex Ethernet uses a method called backpressure to manage
transmission between stations with different speeds. For example, when a 100Mbps server
sends data to a 10Mbps client PC through the switch, the switch will try its best to cache
frames until its cache is nearly full, at which time it must ask the server to stop sending
more data. To achieve this the switch can generate a collision event with the server to make
the server retreat, or alternatively the switch can apply a carrier test to keep the server port
busy. The two approaches can both cause the server to stop sending data for a while which
gives time for the switch to process the data in its cache.
Page 412
page 388
In the full duplex environment, the link between the server and the switch is a collision-free
channel and the backpressure technology cannot be applied to it. So the server continues
to send packets to the switch until the frame cache of the switch overflows. To solve the
problem, IEEE made a compound full duplex flow control standard, namely, IEEE 802.3x.
IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE. When
congestion occurs at the port, the switch sends PAUSE to the source to tell
it to stop sending information for a while.
Page 413
page 389
PAUSE can control data flow for the following devices:
A simple point-to-point network, such as between two terminals
A switch and a terminal
The link between switches
PAUSE is applied to prevent frames from being dropped when an instantaneous influx of
traffic causes an overflow to the cache. The PAUSE frame can help the device prevent loss
of frames when the traffic surpasses the cache limit. The device sends a PAUSE frame to
its peer to prevent its cache overflow by requesting the peer device stop sending data after
it receives the PAUSE frame. In this way, the device wins time to relieve the
congestion/buildup in its cache.
Page 414
page 390
Enable the flow control of Ethernet port
[Quidway-Ethernet0/1] flow-control
Shut down the flow control of Ethernet port:
[Quidway-Ethernet0/1] undo flow-control
Note: By default, the flow control of Ethernet port is disabled.
Page 415
page 391
Page 416
page 392
Page 417
page 393
Advantages of Port Aggregation
1. Increase bandwidth
Port aggregation can bind multiple transmission ports together to make one logical link to
increase transmission bandwidth and speed. The bandwidth after aggregation is the total
sum of the bandwidth of each aggregated port. With a switch that supports this function,
you can increase the network bandwidth easily when too much traffic on one port impairs
network capability. For example, you can bind two to four 100Mbps ports together to make
a 200-400Mbps link to increase the bandwidth and speed. Port aggregation
can be applied to 10Mbps, 100Mbps and 1000Mbps Ethernet.
2. Improve reliability
Backbone networks run at a very fast speed and once the link fails, large amount of data
will be lost. The connection of high-speed server and backbone network should be
absolutely guaranteed. With port aggregation function, you can prevent such a disaster.
For example, if a cable is pulled out by mistake, the link will not be affected. So for an
aggregated port consists of multiple ports, the failure of one port will not affect the whole
connection. Data will be loaded on other working connections automatically. You only
need to change the visiting address and the whole process is completed in no time. This
function makes network to run continuously.
Page 418
page 394
The parameters of the two peers of aggregation ports must be the same. Parameters here
include physical parameters and logical parameters.
Physical parameters include:
Number of the aggregation ports
Speed of the aggregation ports
Duplex mode of the aggregation ports
Logical parameters include:
Spanning Tree Protocol (STP)
Quality of Service (QoS)
VLAN
Port
STP configuration includes:
enable/disable the STP function at the port, port link type (point-to-point or not point-to-
point), STP preference level, route cost, speed limit for sending packets, loop protection,
root protection and edge port.
QoS configuration includes: flow speed control, preference mark, the default preference
level of 802.1p, bandwidth guarantee, congestion prevention, flow redirection and flow
statistics.
VLAN configuration includes: VLANs that are allowed to pass the port and default VLAN ID.
Port configuration includes port link types such as Trunk, Hybrid and Access.
Page 419
page 395
Configuration Procedure:
1Configure the IP address of the interface
Create the layer-3 addresses 10.1.1.1/30 and 10.1.1.2/30 of VLAN1 on SW1 and
SW2 respectively.
2Configure attributes of the aggregated ports
Before configuring port aggregation, you should make sure that all the aggregated ports of
Sw1 and Sw2 work in the full duplex mode and at the same speed rate instead of the auto-
negotiation mode.
3Configure port aggregation
Result Testing:
<Sw1>display link-aggregation
Master port: Ethernet0/1
Other sub-ports:
Ethernet0/2
Mode: both
The configuration commands may be different for some switches, please refer to product
operation manuals for relevant information.
Page 420
page 396
Page 421
page 397
Port mirroring is applied to traffic observation and fault location by making a copy of service
data and sending them to the monitor device to be analyzed. Port mirroring has two types:
port-based mirroring and flow-based mirroring.
Page 422
page 398
Port-based mirroring makes a full copy of the data on the mirrored port to the mirroring port
to observe its flow and locate faults. Ethernet switches support many to one mapping, which
means a copy of traffic from multiple ports can be mirrored to a single monitor port.
Page 423
page 399
Flow-based mirroring is only applied to flows that meets certain defined classifications,
which may include the same destination address, the same port number and so on. The
classifications can be set as required.
Page 424
page 400
Networking and Services:
The PC is connected with the E0/24 port and monitor software monitors the data received by
the E0/1 port.
Configuration Procedure:
(1)Configure the IP address of the port
Create the layer-3 addresses 10.1.1.1/30 and 10.1.1.2/30 of VLAN1 on SW1 and SW2
respectively.
(2)Configure the ACL based on the link
(3) Configure the mirroring port
Result Checking
Enable the VLAN monitor on the PC and then send Ping messages from SW1 to SW2. Then
you can see the message whose source MAC address is the address of SW1 and the
destination address is the address of SW2 appearing on the monitor.
Page 425
page 401
1. What is auto-negotiation?
Auto-negotiation aims to resolve rate inconsistencies between Ethernet devices. This includes
negotiation of the port speed and duplex mode.
2. What are the differences between half-duplex and full-duplex traffic control?
Half-duplex traffic control uses the backpressure method. When network congestion occurs, the
switch will apply the carrier detect mechanism or emulate a collision. In the full-duplex mode,
IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE. When
congestion occurs at the port, the switch sends PAUSE to the source to tell it to stop sending
information for a while.
3. What are the functions of port aggregation and port mirroring?
Port aggregation can increase link bandwidth, realize load balancing and improve network
reliability. Port mirroring is applied to support traffic observation and fault location by
making a copy of service data and sending this data to the monitor device port to be analyzed.
Page 426
page 402
Page 428
page 403
Page 429
page 404
Page 430
page 405
Page 431
page 406
The traditional Ethernet switch adopts source address learning mode when it
forwards data. It can automatically learn the MAC address of host connecting to
each port to, form the forwarding table, and then forward Ethernet frames
according to the table. The whole forwarding process is completed automatically,
all the ports can communicate with each other, and maintenance personnel can
not control the forwarding between any two ports. For example, they can not
implement prevention to restrict host B from reaching host A. The following
disadvantages exist in this kind of network:
Network Security is bad. All the ports can communicate with each other, which
increases the possibility that users will attack the network.
Network efficiency is low. Users may receive abundant unnecessary frames,
which is a waste of bandwidth and host CPU resources, e.g. unnecessary
broadcast packets.
Service expanded capability is bad. The network cannot implement
differentiated services, for example, it can not forward an Ethernet frame used for
network management with higher priority.
Page 432
page 407
VLAN technology divides users into multiple logical networks (groups). Communication is
allowed within a group, but it is prohibited among groups. Layer-2 unicast packet, layer-2
multicast packet and layer-2 broadcast packets can only be forwarded within a group. It is
easy to add and delete group members using VLAN technology.
VLAN technology provides a management method to control the intercommunication
among terminals regardless of physical location in the LAN. In the figure above, PCs in
group 1 and group 2 can not communicate with each other.
Page 433
page 408
In order to control forwarding, the switch will add a VLAN tag to an Ethernet
frame before forwarding it, then use this tag to manage the frame, which may
include discarding the frame, forwarding the frame, and adding & removing tags.
Before forwarding the frame, the switch will check the VLAN tag of the packet
and decide whether the tag is allowed to be forwarded from the port. In the figure
above, if the switch adds tag 5 to all the frames sent from A, and then look up the
layer-2 forwarding table, and according to the destination MAC address, forward
them to the port connected to B. However this port is configured to only allow
VLAN 1 to pass, so the frames sent by A will be discarded.
The switch supporting VLAN will hence forward Ethernet frames not only
according to the destination MAC address but also the VLAN configuration of the
port, so as to implement layer-2 forwarding control.
Page 434
page 409
4-byte VLAN tag is added to the Ethernet frame header directly. Document IEEE802.1Q
describes VLAN tagging.
TPIDTag Protocol Identifier2 bytesfixed value0x8100new type defined by
IEEE, it indicates that it is a frame with 802.1Q tag.
TCITag Control Information2 bytes.
Priority3 bits, defines the priority of an Ethernet frame. It has 8 priority levels, 07, is
used to provide differentiated forwarding service.
CFICanonical Format Indicator1 bit. Used to indicate bit order of address
information in token ring or source route FDDI media access, namely, whether the low bit
is transmitted before high bit.
VLAN IdentifierVLAN ID12 bits, from 0 to 4095. Combined with VLAN configuration
of port, it can control the forwarding of an Ethernet frame.
Ethernet frame has two formats: the frame without tag is called an untagged frame; the
frame with tagging is called a tagged frame.
This course will only discuss the VLAN ID of VLAN tag.
Page 435
page 410
All the Ethernet frames exist in the switch in the form of tagged frames. Certain
ports may receive untagged frames from peer devices, but the frame from the
port of the local switch must be a tagged frame. If the frame received is tagged, it
will be forwarded; if it is untagged, a tag will be added to it. The device can
implement a VLAN in the following way.
Port based: Network manager configures a PVID for every port of a switch,
known as the Port VLAN ID or port default VLAN. If an untagged frame is
received, the VLAN ID will be the PVID.
MAC based: Network manger configures the mapping relation for each MAC
address to a VLAN ID, if an untagged frame is received, the VLAN ID will be
added according to the mapping relationship table.
Protocol based: Network manager configures a mapped relationship between
the protocol field of the Ethernet frame and a VLAN ID; if an untagged frame is
received, the VLAN ID will be added according to the mapping relationship table.
Subnet based: Adding of a VLAN ID according to the IP address information in
a packet.
Policy based: Provides strict control capability, based on MAC address and IP
address, MAC address, or IP address and port. If implementation of the VLAN is
successful, it can forbid users from changing the MAC address or the IP address.
If the device can support multiple methods at one time, the general priority order
from high to low is : Policy basedMAC basedSubnet basedProtocol
basedPort based. Presently, port based VLAN tagging is the most common
method.
Page 436
page 411
Page 437
page 412
The tag in Ethernet frames combined with VLAN configuration of the port can
control packet forwarding. A received Ethernet frame on port A will check
whether the destination MAC is attached to port B. After the introduction of VLAN
tagging, two key points will decide whether the frame should be forwarded from
port B:
Whether the VLAN ID in the frame is created by switch. There are two methods
to create VLANs: Manual configuration or automatically created using GVRP.
Whether the destination port will allow the VLAN frames to pass. VLAN lists
determine whether to allow frames to pass through a port and can be created by
the administrator or automatically created by GVRP (GARP VLAN Registration
Protocol).
In the forwarding process, there are two types of tag operation:
Add tagFor untagged frames add the PVID, it is completed after receiving the
frame from the peer device.
Remove tagdelete the VLAN tagging information in the frame then send it to
peer device in the form of an untagged frame. In normal cases, the switch will not
change the VLAN ID in a tagged frame, while some devices supporting special
services may provide the function for changing the VLAN ID.
Page 438
page 413
After introducing VLAN functionality, switch ports may be one of three types: Access port,
Trunk port and Hybrid port.
An access port is used to connect host and has features as follows:
Only permit allowed VLAN IDs to pass through the port, or the VLAN ID is the same with
PVID of the port.
If the frame received from peer device is untagged, the switch will add a PVID to the
frame automatically.
The frame sent by an access port is always an untagged frame.
The default port type of many types of switch is accessPVID is 1 by defaultVLAN 1
is created by the system and cannot be deleted.
Page 439
page 414
The following command can be used to set ports as access ports and implement the
PVID of the access port after creating the VLAN:
[Switch]vlan3
[Switch-vlan3]port ethernet 0/1
[Switch]vlan5
[Switch-vlan5]port ethernet 0/2
The port mode should be specified as either access or trunk when making any change to
the PVID.
Page 440
page 415
Trunk port: used to connect switches and transmit tagged frames among
switches. It can be set to permit multiple VLAN IDs, even those VLAN IDs that
may differ from its own.
A trunk port will send tagged frames to other devices, using the following rule
base:
If the VLAN ID of the tagged frame does not exist in the VLAN permitted list, it
will be discarded;
If it does exist and the VLAN ID of the tagged frame is the same as the PVID,
the frame will be forwarded after removing the tag. The PVID of each port is
unique, however in this case, the frame will be untagged when sent by the trunk
port.
If the VLAN ID of the tagged frame is different from PVID, the frame will be
forwarded to the peer device without modification.
VLAN forwarding will generally query the tagging information of the VLAN frame
for forwarding, and compare the frame to the VLAN permit list to look for a match.
If a VLAN which is registered by GVRP however, it must also register on the port,
otherwise the VLAN ID will not exist in the VLAN permit list, and the
corresponding VLAN frame cannot be forwarded from the port.
Page 441
page 416
As shown in the figure above, the following commands can be used to configure the trunk
port attribute:
\\create VLAN
[Switch]vlan 3
\\configure port type
[Switch-Ethernet0/3]port link-type trunk
\\configure PVID of Trunk-Link port
[Switch-Ethernet0/3]port trunk pvid vlan 3
\\configure permitted VLAN of Trunk-Link
[Switch-Ethernet0/3]port trunk allow-pass vlan 5
Page 442
page 417
As an access port, a packet is sent to another device in the form of an untagged frame,
as a trunk port it can send out untagged frame only in when the trunk VLAN ID is the
same as the frame VLANID. In other cases, it sends frames as tagged. Hybrid VLANs
can be used to effectively control the VLAN tagging process. For example, a device
connected to the switch cannot support VLANs, but the ports still can be used to isolated
the devices.
Hybrid ports can flexibly control the VLAN tag. In this example, if the VLAN ID of frame is
3, then forward it according to the forwarding mode of trunk port. If it is 4, remove tag 4
and then forward it.
Page 443
page 418
If a Hybrid port is only configured to allow untagged VLAN forwarding, the port will take
on the same role as an access port.
If a port is configured to support only tagged VLANs, it will have the same function as a
trunk port.
If a switch port is configured with a PVID that is both tagged and supports untagged
VLANS for example VLAN2 on Ethernet0/1, it is capable of communicating with other
hybrid ports that support the same untagged VLANS, as opposed to ports such as 0/3,
which only supports VLAN3. The configuration above thus shows how it is possible to
implement isolation between port 0/1 and port 0/3, but still allow both to communicate
with the host connected to port 0/24.
Page 444
page 419
To configure access and trunk ports on SWA and SWB, it is necessary to create
VLAN 2 on SWB, and allow VLAN 2 to traverse the two ports of SWB, to allow
PC1 and PC2 to communicate with each other. SWB will not connect to any
users, it is a transitional switch; in large-scale networks, there may be many
transitional switches for which the configuration and management is difficult. The
manager only cares about the user intercommunication control, for example,
after new user joins the network, the manager should configure the access port
which connects the new user and make the port as part of a certain VLAN group.
If the transition switch can automatically implement intercommunication among
logical group members, it will save cost for network maintenance. GVRP can
implement this function. After all the switches are enabled with GVRP
functionality, VLAN configuration on the edge switches can transmit to the whole
network though GVRP, and automatically implement configuration of VLANs on
each port.
Page 445
page 420
The command gvrp is used to enable GVRP on a switch. The command undo gvrp
can be used to disable it. The GVRP protocol is disabled by default. In the system view,
the command GVRP is used to enable or disable GVRP for all ports, whereas the
command GVRP will enable or disable GVRP on a particular port when used at the
interface as shown in the example.
Note:
Before enabling port based GVRP, GVRP must be enabled at the system view first. If
GVRP is in disabled status at the system level, GVRP will also disabled on all ports, and
the user will not able to change the status of the port based GVRP.
GVRP should be enabled and disabled on the trunk port. After Enabling GVRP on Trunk
port, switch is not allowed to change trunk port to any other port type.
Page 446
page 421
1. How many port types does a Huawei switch support?
Answer: A Huawei switch can support three port types, they are access, trunk and hybrid
port types.
2. Must a frame be tagged when sent from a trunk port to peer devices?
Answer: In general, a frame is tagged, but if the VLAN ID is the same as the PVID of the
trunk, the tag will be removed and forwarded in the form of an untagged frame.
Page 447
page 422
Page 449
page 423
Page 450
page 424
Page 451
page 425
Page 452
page 426
VLANs create and isolate layer-2 broadcasts domains, therefore isolating the traffic of
different VLANs. This results in users being unable to sustain communication when
associated with different VLANs.
Page 453
page 427
Flows between different VLANs cannot directly cross VLAN boundaries, and so the ability
to route traffic is needed to allow the forwarding of packets from one VLAN to another.
Hosts of different VLANS are assigned as entities of different networks. When a default
gateway been configured on a host local for a given VLAN, any communication destined
for hosts that are not associated with the same VLAN will automatically forward traffic to
the default gateway which shall in turn route traffic between VLANS.
Page 454
page 428
One of the methods to solve VLAN intercommunication is to assign a separate physical
interface for each VLAN. The traffic from different VLANs can be forwarded between these
physical interfaces and routed. This method will enable intercommunication between VLANs,
however as the number of VLANs increase, so does the number of router interfaces needed.
Such solutions would result in higher costs and a poor network design. Some VLANs do not
have a need to forward traffic to other VLANs frequently which leads to further waste,
therefore this method is not generally suited to solving the problem of VLAN
intercommunication.
Page 455
page 429
To resolve the physical interface limitation problem, a method of trunking is implemented
using only a single physical interface on the router and a single port on the switch. One single
Ethernet interface on the router can support all VLAN gateways and bear all VLAN traffic
through the creation of sub-interfaces.
As shown above, only a single physical router Ethernet interface is being used, but is
supporting three sub-interfaces as default gateways for each of the three VLANs. Each frame
will contain a VLAN tag used to identify which VLAN it belongs to. When users in VLAN100
need to communicate with users in another VLAN, the user only needs to forward the frame to
the default gateway, the default gateway will modify the VLAN tag of the data frame and then
route it to the VLAN on which the destination host .
Page 456
page 430
The third option for VLAN routing is through the use of a layer-3 switch. A layer-3 switch
effectively integrates the functionality of a layer-2
switch and a layer-3 routing, therefore combines the advantages of advantages of both. The
limitation lies mainly in the cost of such devices due to its extended functionality.
Page 457
page 431
Huawei supports layer-3 switching through the means of switch and route processing units, or
SRU, and may support multiple SRU boards for redundancy. All the routable packets are sent
by the forwarding engine to the SRU board for processing. The SRU board also broadcasts and
filters packets and executes routing policies. The SRU will support VLAN switching, default
VLANs as well as other more advanced VLAN technologies including Q-in-Q and dynamic
VLAN allocation based on MAC addressing. The example above reflects how a layer-3 switch
can be used associate VLAN gateways directly with VLAN interfaces within a single device.
Page 458
page 432
Page 459
page 433
In this example two VLANs are present, VLAN100 and VLAN200. A host in VLAN100
wishes to forward traffic to a host in VLAN200. Each VLAN is part of a separate
broadcast domain and therefore as different network. Each host has been assigned a
network host address respective to the VLAN it belongs to, and the gateway address for
the network. The forwarding of traffic requires VLAN trunking to support multiple VLANs
over a single physical link and sub interface configuration for the layer 3 router. How is
this achieved?
Page 460
page 434
//create VLAN100
[SWA]vlan 100
//configure ethernet 0/1 belonging to VLAN100
[SWA-vlan100]port ethernet 0/1
//create VLAN200
[SWA]vlan 200
//configure ethernet 0/2 belonging to VLAN200
[SWA-vlan200]port ethernet 0/2
//enter into interface view
[SWA]interface ethernet 0/24
//configure port type as Trunk
[SWA-Ethernet0/24]port link-type trunk
//permit all VLAN to pass
[SWA-Ethernet0/24]port trunk allow-pass vlan all
Page 461
page 435
Using the control-vid command, you can specify the mappings between the control VLAN
and the Ethernet sub-interface to differentiate termination sub-interfaces of the same main
interface. Using the undo control-vid command, you can remove the mappings between
the control VLAN and Ethernet sub-interfaces. By default, no mapping between a control
VLAN and an Ethernet sub-interface is specified. The dot1q-termination indicates that the
encapsulation mode of a sub-interface is dot1q. This mode applies to single-tagged packets
(as opposed to dual tagged packets used in Q-in-Q configuration).
Using the arp broadcast enable command, you can enable the ARP broadcast function on
a sub-interface for VLAN tag termination. Using the undo arp broadcast enable command,
you can disable the ARP broadcast function on a sub-interface for VLAN tag termination. By
default, the ARP broadcast function is disabled on sub-interfaces for VLAN tag termination.
Page 462
page 436
Connectivity between the hosts of different VLANs can be verified through means such as
the ping commandIf the host 192.168.10.10 in VLAN100 can ping host 192.168.20.20 in
VLAN 200, it indicates that the configuration is correct.
Page 463
page 437
On the layer-3 switch (SWA) port 1 and port 2 represent a local network that has been
logically segmented through the implementation of VLANs. The hosts via port 1 have been
assigned to VLAN 100 and hosts via port 2 to VLAN 200. The hosts of VLAN 100 and VLAN
200 are able to support the forwarding of traffic between VLANs 100 & 200 through SWA. The
example demonstrates how a single host from each VLAN would be configured to support this
forwarding of traffic.
Page 464
page 438
When a layer-3 switch needs to communicate with devices at the network layer, a logical
interface can be created, namely, a VLANIF interface. A VLANIF interface is a network layer
interface and can be configured with an IP address. The layer-3 switch then uses the VLANIF
interface to communicate with devices at the network layer. The IP address that is assigned to
each VLANIF is recognised as the gateway address by the respective VLAN hosts. The
command interface vlanif <vlan-id> specifies the ID of the VLAN that a VLANIF interface
belongs to. The value of the vlan-id is an integer that ranges from 1 to 4094.
Page 465
page 439
In the same way that is was possible to verify VLAN routing using a layer-3 router, it is also
possible to verify connectivity between hosts of different VLANs supported by a layer-3 switch.
If host 192.168.10.10 in VLAN100 is able to successfully ping host 192.168.20.20 in VLAN 200,
it indicates that the configuration is correct.
Page 466
page 440
1.What is the purpose of VLAN routing?
Answer: The main advantage of VLANs is to isolate broadcast domains, but it is often the
case that traffic must flow between these broadcast domains. VLAN routing is used to
resolve this problem by facilitating communication between broadcast domains.
2.What methods can be used to implement VLAN routing?
Answer: Ordinary layer-2 switches are only able to support communication within a single
VLAN (broadcast) domain. The flow of VLAN traffic between broadcast domains is
achievable through the configuration of VLAN routing on reachable layer-3 device. It is
therefore possible to achieve VLAN routing through the following methods. Communication
through a router connected to the network can achieve VLAN routing, using either a single
physical interface for each VLAN, or more suitably through the implementation of multiple
sub-interfaces on a single physical interface. A layer-3 switch can also be used to
implement VLAN routing, through the configuration of a layer-3 VLAN interface for each
VLAN.
Page 467
page 441
Page 469
page 442
Page 470
page 443
Page 471
page 444
Page 472
page 445
A switch forwards data frames based on the MAC address table. The MAC address table
specifies the mapping between destination MAC addresses and destination ports.
1: Assume that PCA sends a data frame to PCB. The destination MAC address of this data
frame is set to the MAC address of PCB, namely, 00-0D-56-BF-88-20.
When SWA receives this frame, it searches the MAC address table. According to the entries
in the MAC address table, SWA forwards the data frame through port E0/3.
The switch does not make any modification to the data frame before forwarding it. If the
switch receives a broadcast frame or a frame whose MAC address wasn't included in the
MAC address table, it forwards the frame to all ports.
2: When SWB searches the MAC address table, it will use the information stored to make
forwarding decisions. In the example, SWB forwards a frame through port E0/6. No
modification is made to the data frame.
3: When PCB receives the frame, it will search through the MAC address table to find that
the destination MAC address is its own MAC address. PCB will then process this data frame
and send the de-encapsulated data to the upper layer protocol .
Page 473
page 446
If a switch receives a broadcast data frame from a port, the switch forwards the
data frame to all other ports. In addition, does not make any modification to the
data frame before forwarding it. Therefore, if a loop exists in the network, the
broadcast frames are forwarded in the network infinitely, thus causing the
broadcast storm.
Page 474
page 447
A switch forwards data frames based on the MAC address table, but the MAC
address table is empty when the switch is started. Therefore, the switch needs to
learn the MAC address table.
A switch learns the MAC address table based on the mapping between the source
address of the received data frame and the receiving port.
1: Assume that PCA sends a data frame to PCB. The destination address of the
frame is the MAC address of PCB, namely, 00-0D-56-BF-88-20. The source
address is the MAC address of PCA, namely 00-0D-56-BF-88-10.
When SWA receives the data frame, it checks the source address of the frame
and adds mapping between the source address and receiving port to the MAC
address table. Thus, the mapping between the destination address and
destination port is recorded in the table.
2: When SWB receives this frame, it also adds the mapping between the source
address and receiving port to the MAC address table as a MAC address entry.
3: When PCB receives the frame, it processes this frame.
Page 475
page 448
A switch generates a MAC address entry according to the source address and
receiving port of the received data frame.
PCA sends a data frame. Assume that the destination MAC address of the data
frame does not exist in any MAC address table of the switches in the network.
When SWA receives this data frame, it generates a MAC address entry, in which
the MAC address 00-0D-56-BF-88-10 maps port E0/2.
Because the MAC address table of SWA does not contain any entry with this
destination MAC address, SWA forwards the data frame to E0/3 and E0/4.
The MAC address table of SWB also does not contain any entry with this
destination MAC address. So, after SWB receives the data frame on E0/5, it
forwards the frame to SWA through E0/6.
After SWA receives this data frame on E0/4, it deletes the previous entry with this
address and generates a new entry. In the new entry, MAC address 00-0D-56-
BF-88-10 maps port E0/4. In this case, the MAC address table is unstable and
wrong entries are generated.
Page 476
page 449
Page 477
page 450
The main function of STP (Spanning Tree Protocol) is to avoid switching loops where
redundant links are present in the network. As the figure of this slide shows, a ring is
composed of SWA, SWB and SWC, which may cause problems such as broadcast storms.
After the spanning tree protocol is enabled, calculations cause the network to converge
resulting in the interfaces performing various operational roles including the blocking of one
or more ports in order to remove the possibility of any loop occuring. In this example, it is
assumed that port E0/2 of SWB is blocked to remove the loop.
Page 478
page 451
After the port E0/2 of SWB is blocked, there is no loop in the network.
Page 479
page 452
Another feature of STP is link backup:
If some problems occur along the active path, the blocked interface could be made active,
so as to resume the connectivity of the network through the redundant link. Thus the loop
between switches is usually used for redundancy. STP remove the logical loop in the
network through blocking of port(s), but the physical links are not changed. In the previous
example, it is mentioned that the port E0/20 of SWB is blocked to remove the loop. If
another port is down ( for example, the port E0/20 of SWC), STP could recover the blocked
port through convergence, to make it possible forward packets again.
Page 480
page 453
The basic idea of STP is quite simple. If the network could develop like a tree, the loop will
be prevented. Thus, STP defines some concepts, including Root Bridge, Root Port,
Designated Port, Path Cost, etc. The purpose is to cut out redundant loop through
constructing a tree, and implementing link backup and path optimization at the same time.
The algorithm used to construct the tree is the spanning tree algorithm.
In order to calculate the spanning tree, relative information and parameters need to be
exchanged between switches. These information and parameters are encapsulated in the
BPDU (Bridge Protocol Data Unit), and transmitted between switches.
The following tasks are done through the exchange of BPDU between bridges:
1. Select a bridge as the root bridge among all bridges;
2. Calculate the shortest path from the current bridge to the root bridge;
3. For every shared network segment, select the bridge nearest to the root bridge
as the designated bridge, responsible for the data forwarding of this network
segment;
4. For every bridge, select a root port.
5. Select the designated port besides the root port.
Page 481
page 454
To calculate the spanning tree, switches need to exchange information and
parameters. The information and parameters are encapsulated in the
Configuration Bridge Protocol Data Unit (BPDU) and transmitted between
switches.
In a broad sense, a BPDU refers to a data unit used to exchange information
between switches. The configuration BPDU is one type of the BPDU.
Calculation of the spanning tree starts from election of the root bridge. The root
bridge is elected based on the bridge identifier.
A bridge identifier consists of a 2-byte bridge priority and a 6-byte MAC address.
The bridge priority is configurable. The value ranges from 0 to 65535 and the
default value is 32768.
In the network, the switch with the smallest identifier becomes the root bridge.
The system first compares the priority. If the switches have the same priority, the
system compares their MAC addresses. The switch with the smallest MAC
address is elected first.
In this example, the three switches have the same priority. SWA has the smallest
MAC address, so SWA is elected as the root bridge.
Page 482
page 455
STP elects a root port for each non-root bridge.
Each port of a switch has a port cost parameter. The port cost refers the cost for
sending the data from this port, namely the cost of the outgoing port. STP
considers that no cost is needed for receiving the data on a port.
The port cost depends on the bandwidth of the port. The higher the bandwidth is,
the smaller the port cost will be. On the VRP, the cost of a 100M port with half duplex is 200,
the cost of a 100M port with full duplex is 199.
Multiple paths may exist between a non-root bridge and a root bridge. The cost of
a path is the total cost of all outgoing ports on this path.
A root port is a local port on the path with the least cost from a non-root bridge to
the root bridge. The cost of this path is referred to as the root path cost. If multiple
root ports exist, the system compares the identifiers of the upstream switches.
The port whose upstream switch has the smallest identifier is elected. If the
upstream switches have the same bri dge identifier, the system compares the
identifier of the upstream ports. The port whose upstream port has the smallest
identifier is elected.
The port identifier consists of a 1-byte port priority and a 1-byte port number.
The port priority is configurable. The default value is 128.
In this example, we assume that all ports are 100 M ports and their cost values
are all 200.
Page 483
page 456
STP elects the designated port for each network segment. The designated port
forwards the data transmitted between the root bridge and this network segment.
The switch where the designated port is located is called the designated switch.
When electing the designated port and designated bridge for a network segment,
STP compares the root path cost of the switch on which the port is connected to
this network segment. If the switches have the same root path cost, STP
compares their bridge identifiers. The port on the switch with the smallest
identifier has the highest priority. If their identifiers are also the same, STP
compares the identifiers of the ports connected to the network segment. The port
with the smallest identifier has the highest priority.
On the root bridge, all ports are the designated ports of the connected network
segments. Therefore, the designated ports of LANA and LANB are both on SWA.
LAND and LANE are both connected to the port of only one switch, and the
connected ports are designated port for LAND and LANE respectively.
LANC is connected to the ports of two switches and the two switches have the
same root path cost. Therefore, the identifiers of the switches are compared.
SWB has a smaller identifier (because its MAC address is smaller), so the
designated port for LANC is on SWB.
The port that is neither the root port nor the designated port is called the alternate
port. The alternate port does not forward data and is in Blocking state.
Page 484
page 457
STP defines three roles for the STP-enabled port that works normally on the physical layer
and data link layer. The root port and designated port are in Forwarding state. The port
that is not enabled is called the Disabled port.
Page 485
page 458
After enabled, a port switches to Listening state and begins to calculate the spanning tree.
After the calculation, if the port is set to the alternate port, the port state changes
to Blocking. If the port is set to the root port or designated port, the port state switches from
Listening to Learning after a period of forward delay. After another period of forward delay,
the port state switches from Learning to Forwarding, and the port can forward data frames.
Page 486
page 459
After enabled, a port switches to Listening state and begins to calculate the spanning tree.
After the calculation, if the port is set to the alternate port, the port state changes
to Blocking. If the port is set to the root port or designated port, the port state switches from
Listening to Learning after a period of forward delay. After another period of forward delay,
the port state switches from Learning to Forwarding, and the port can forward data frames.
1:The port is elected as the designated port or root port.
2: The port is elected as the alternate port.
3: The port waits a period of the forward delay. By default, the forward delay is 15 seconds.
When a port is disabled, it switches to Disabled state. Before switching from non-
Forwarding state to Forwarding sate, a port needs to wait two times as along as the forward
delay . Thus, the potential risk of temporary loop is avoided.
Page 487
page 460
Page 488
page 461
This figure shows the physical topology. The priority of SWA is 4096; the priority of SWB is
8192; the priority of SWC is 32678. Therefore, SWA becomes the root bridge and SWB
becomes the designated switch of LANC.
Page 489
page 462
stp { enable | disable }
The stp command is used to enable or disable STP on a switch or on a port. By default, STP
is enabled on the switch.
stp mode { stp | rstp | mstp }
The stp mode command is used to set the STP working mode on a switch. By default, the
working mode of the switch is MSTP. RTSP and MSTP will be described in later courses.
This course only describe STP.
stp priority priority
priority: specifies the priority of a switch. The value ranges from 0 to 61440, with the step of
4096. That is, 16 priority values are available for a switch, for example, 0, 4096, 8192, and so
on. The stp priority command is used to set the bridge priority. By default, the bridge priority
is 32768.
Page 490
page 463
In the global information, the root bridge identifier is different from the identifier of this switch.
It indicates that this switch is a non-root switch.
Page 491
page 464
The STP port information output indicates that:
The port state is Forwarding.
The port is the root port.
The default port priority is 128.
The identifier of the designated port of the network segment connected to this port is 0.4c1f-
cc45-aacc, which identifies SWA.
Page 492
page 465
Page 493
page 466
When the port role and state changes, temporary loops may be formed. In this example,
SWA is the root bridge initially. Among all switches, only SWD has an alternate port E0/2
and the port is in a non-Forwarding state. Assume that the priority of SWC is changed so
that SWC becomes the new root switch. In this case, E0/2 of SWD will become the new
root port and switch to a Forwarding state. E0/1 of SWD will become the new designated
port and switch to a Forwarding state. E0/2 of SWB should become the new alternate port
and switch to a non-forwarding state. If E0/2 of SWD switches from a non-Forwarding state
to a Forwarding state before E0/2 of SWB switches from a Forwarding state to a non-
Forwarding state, a temporary loop is formed in the network. To avoid temporary loops, a
port (for example, E0/1 of SWC) must wait enough time before switching from anon-
Forwarding state to a Forwarding state. Therefore, the ports that need to switch to a non-
Forwarding state have enough time to calculate the spanning tree and switch to a non-
Forwarding state.
Page 494
page 467
In STP, for a port, the transition from a blocking state to a forwarding state will take the period
at least two times the Forward Delay, which is not suitable for many applications. RSTP
(Rapid Spanning Tree Protocol) resolves this problem through the following mechanism:
1. Allocating two port roles, an Alternate Port and a Backup Port for root port and designated
root, for fast state transition. When the root port is invalid, the Alternate Port will become the
new root port and switch to a forwarding state without delay; when the designated port is
invalid, the Backup Port will become the new designated port and switch to a forwarding state
without delay.
2. In the point to point link only connecting two switch ports, following a one way handshake to
the downstream bridge, the designated port could change to a forwarding state without time
delay. If more than three bridges are connected by the shared link, the downstream bridge will
not respond to the handshake request sent from upstream designated port; only after two
times Forward Delay would it change to a forwarding state.
3. The port is defined as an Edge Port if it is connected with a terminal directly instead of other
bridges, the Edge Port could enter a forwarding state without any time delay. However, it
should be configured manually since the bridge cannot identify whether the port is directly
connected with the terminal or not.
Page 495
page 468
In STP all VLANs in a LAN will generally share the same spanning tree, therefore load
balancing cannot be implemented between VLANs. It is possible that packets of some VLANs
cannot be forwarded. As this slide shows, both of SWB and SWC connect with users of
VLAN10 and VLAN20. The link between SWB and SWA and that between SWA and SWC
allow VLAN10 and VLAN20 to pass. Other links only allow VLAN10 to pass. If the port E0/20
is blocked, the VLAN20 users of SWB can only use the link between SWB and SWC to
communicate with SWC. However, this link only allows VLAN10 to pass, thus a failure in
communication occurs.
Page 496
page 469
In order to solve the second problem, MSTP (Multiple Spanning Tree Protocol) is put forward.
MSTP is a newer protocol defined by IEEE under 802.1Q-2005 which introduces the concept
of Instances. Simply speaking, STP/RSTP is port based, while MSTP based on instances.
An instance is a collection of multiple VLANs under a single converged spanning tree.
Through binding multiple VLANs into a single instance, the communication cost and network
resources could be saved. In MSTP, the topology calculation of every instance is
independent. Load balancing could be implemented in these instances. In use, multiple
VLANs with the same topology could be mapped to the same instance.
Page 497
page 470
How does STP converge to prevent switching loops in the network?
STP elects a root bridge, and then elects a root port for each non-root switch and elects a
designated port for each network segment. The ports that are neither the root port nor the
designated port are set to be in Blocking state.
How does STP resolve the problem of temporary loops?
Before switching from a non-Forwarding state to a Forwarding state, a port needs to wait
twice the forward delay period. This ensures that other switches have enough time to
calculate the spanning tree.
Page 498
page 471
Page 500
page 472
Page 501
page 473
Page 502
page 474
In this example:
There is only one router RTA in the LAN, which is used as the gateway by all the PCs,
therefore there is no redundancy provided. Should RTA fail, all PCs in the network will be
unable to reach external networks. In other words, there is a single point failure within this
kind of network, resulting in a high chance of isolation from external networks.
Page 503
page 475
VRRP is designed to provide a virtual router on a LAN. In this case:
There are two routers (RTA and RTB) on this LAN, RTA has physical IP address
10.1.1.251/24; RTB has physical IP address 10.1.1.252/24. RTA and RTB are configured to
be associated with the same Virtual Router. This Virtual Router has a virtual IP address
10.1.1.254. All the PCs on this LAN can use the virtual IP address 10.1.1.254 as the default
gateway, regardless of the physical IP addresses of the two routers. VRRP elects one
router from the VRRP routers as the Master, and the Master processes all the packets sent
to the virtual IP address. If the Master is fails, VRRP elects a new Master from other VRRP
routers.
Page 504
page 476
A Virtual Router is identified by both Virtual Router ID and associated Virtual IP Address.
Multiple Virtual Routers could be configured on the same interface. A Virtual Router ID (VRID)
is the identifier of a Virtual Router. Configurable item in the range 1-255 (decimal). The Virtual
Router IDs configured on all the VRRP routers of the same virtual group must be the same. A
Virtual Router can be associated with more than one Virtual IP Addresses. However, the
Virtual IP Addresses configured for the VRRP routers of the same Virtual Router should be the
same. If VRRP routers with the same VRIDs but different virtual IP addresses; or reversely,
with same IP address but different VRIDs, in VRRP, they are regarded as different Virtual
Routers.
Page 505
page 477
By default, the ICMPEcho messages that are sent to the Virtual IP address will not be
responded to, even by the Master router. In the Master router, under system view, the
following commands can be used to enable the function by which ICMPEcho messages
sent to the Virtual IP address will be responded to.
vrrp virtual-ip ping enable
undo vrrp virtual-ip ping enable
Page 506
page 478
Master: The VRRP router that is assuming the responsibility of forwarding packets sent to
the IP address(es) associated with the virtual router, and answering ARP requests for these
IP addresses.
Backup: The set of VRRP routers available to assume forwarding responsibility for a virtual
router if the current Master fails.
The election of Master is based on the value of Priority. For the same interface, different
Priority values could be assigned to different associated virtual routers.
Page 507
page 479
Config Priority: The configured Priority, the default value is 100.
Run Priority:The Priority used when the protocol is running; usually it is the same as Config
Priority. The Priority is in the range of 0-255. The value 255 is reserved for the IP address
owner, and the VRRP packet with Priority 0 is used to trigger the immediate changeover from
Backup to Master.
In this case: he priority of RTA is 100, which is lower than the priority 200 of RTB, RTB will be
the Master while RTA is the Backup.
Page 508
page 480
In this case:
There is a VRRP router that has the virtual router's IP address(es) as real interface address(es).
Such a router is called the IP Address Owner.
Page 509
page 481
No matter what the Config Priority is, the Run Priority of IP address owner is always 255. The
IP address owner is always the Master. Although the configured priority value of RTB is higher
than that of RTA, the RTB is still the Backup, since its Run Priority is lower than that of RTA.
Hence, when it comes to the election of the Master, the contributing factor is the value of Run
Priority instead of Config Priority.
Page 510
page 482
When the Master stops running VRRP, it will immediately send a VRRP advertisement with
the value of 0 in Priority field. When the Backup receives such an advertisement, it will
change from the Backup to Master state immediately.
Page 511
page 483
In this case:
There are two routers in this LAN, RTA and RTB. A single Virtual Router is to be configured,
with VRID 1 and Virtual IP Address 10.1.1.254. The Priority of RTB is to be configured as 200,
and that of RTA as 100, so as to make RTB the Master.
Page 512
page 484
The VRRP is configured under the interface view.
vrrp vrid virtual-router-ID virtual-ip virtual-address
undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]
virtual-router-IDThe identifier of Virtual Router, in the range of 1-255.
virtual-addressVirtual IP address.
By default, if the Priority of the virtual router is not designated, the default value is 100.
Page 513
page 485
The VRID and Virtual IP Address should be the same as is configured on RTA.
vrrp vrid virtual-router-ID priority priority-value
undo vrrp vrid virtual-router-ID priority
virtual-router-IDThe identifier of Virtual Router, in the range of 1-255.
priority-valueThe value of Priority, with configured range from 1 to 254.
When configuring the priority, the VRID should be specified. Different virtual routers can be
configured with different priority values.
Page 514
page 486
In this case:
There are two routers in the LAN. Two Virtual Routers are to be configured. One of them is
with VRID 1 and Virtual IP Address 10.1.1.100; the other with VRID 2 and Virtual IP Address
10.1.1.200. Configuring the Priority of Virtual Router 1 as 200 on RTA while 100 on RTB, so
that in Virtual router 1, RTA is the Master. Configuring the Priority of Virtual Router 2 as 200
on RTB while 100 on RTA, so that in Virtual router 2, RTB is the Master.
Hence, RTA is the Master of Virtual Router 1 and the Backup of Virtual Router 2; RTB is the
Master of Virtual Router 2 and the Backup of Virtual Router 1. In the LAN, PCs can use
different Virtual IP addresses as the default gateway, so as to implement traffic sharing.
Page 515
page 487
On RTA, configuring two Virtual Routers as followings:
Virtual Router 1: Virtual IP address 10.1.1.100, Priority as 200;
Virtual Router 2: Virtual IP address 10.1.1.200, Priority as 100 (default).
Page 516
page 488
On RTB, configuring two Virtual Routers as followings:
Virtual Router 1: Virtual IP address 10.1.1.100, Priority as 100 (default);
Virtual Router 2: Virtual IP address 10.1.1.200, Priority as 200.
Page 517
page 489
VRRP can track upstream interfaces. In this case:
RTB is the Master Router. If the interface Ethernet 1/0 (WAN interface) of RTB is down, we
hope RTA to be the new Master immediately. VRP supports such function by configuring
RTB to enable the Virtual Router tracking interface Ethernet 1/0. If the interface Ethernet 1/0
is down, the Priority of the Virtual Router would be reduced by a configured value to be a
new value lower than that of RTA. Hence, RTA will be the new Master Router automatically.
If the interface E1/0 of RTB recovers and works properly, the priority of RTB will come back
to the original value, and RTB will be the Master again.
Page 518
page 490
The configuration of RTA is the same as the configuration of single Virtual Router.
By default, the Priority is 100.
Page 519
page 491
By configuring the Priority as 200, RTB is the Master. Configuring tracking interface
Ethernet 1/0 on RTB. If interface Ethernet 1/0 is down, the Priority is reduced by 150, and
the new Priority is 50. Hence, RTA will be the new Master.
Page 520
page 492
This is the VRRP States if the tracked interface is down. On RTB, although the Configured
Priority is 200, the Running Priority is reduced to 50. Hence, RTA will become the Master.
Page 521
page 493
This chapter covers the following points:
1. Why is VRRP needed?
Because the single gateway cannot provide any redundancy, it is of very poor availability.
2. What is VRRP
The result of running VRRP is to provide a virtual router in the LAN.
3. How can a virtual router be identified?
It can be identified by the VRID and the Virtual IP address(es) associated.
4. How is the Master elected?
The election of Master is based on the Priority of the Virtual Router.
5. What are the priority values?
The value of Priority is 255 indicating the current router is the Virtual IP address owner.
The value of Priority is 0 indicating the device stop taking part of the backup group.
6. How is a Single Virtual Router configured?
Configuring a Virtual Router, Virtual IP address and the value of Priority.
7. How are Multiple Virtual Routers configured?
Configuring multiple Virtual Routers. For different Virtual Routers, different routers are made
as the Master through proper configuration of the value of Priority.
8. How does the tracking of an up-link interface support VRRP operation?
Through configuring the VRRP router so as to make the priority value change along with the
state of a tracked interface should it fail.
Page 522
page 494
Page 527
page 497
Page 528
page 498
Page 529
page 499
Page 530
page 500
The HDLC drafted by the ISO is a bit-based communication protocol. The basic unit
transmitted by HDLC is the frame. The most outstanding feature is that the data may not be
the specified set of character . Any bit flows can be transmitted transparently.
In the 1970s, IBM put forward the bit-oriented synchronous data link control (SDLC). Then,
ANSI and ISO adopted and developed the SDLC, and also put forward their own standards:
Advanced Data Communication Control Procedure (ADCCP) of ANSI and HDLC of ISO.
As a bit-based protocol, the HDLC protocol has the following features:
1. The protocol is independent of any set of characters .
2. Packets can be transmitted transparently. The 0-bit insert method for transparent
transmission can be implemented based on hardware.
3. The full-duplex communication can be implemented. Data can be transmitted continuously
without waiting. The data transmission on the link is highly efficient.
4. All the frames adopt CRC check. The frames are numbered. Thus no frame is lost or
received repeatedly. The transmission reliability is high.
5. The transmission control is separated from processing, which makes HDLC flexible and
controllable.
All of the protocols in the standard HDLC protocol suite run on the synchronous serial lines.
Page 531
page 501
An HDLC frame consists of the flag field (F), the address field (A), the control field (C), the
information field (I), and the sequence number field (FCS).
Flag field (F)
The flag field is in the 01111110 format. The two flag fields indicate the start and the end of a
frame. The flag field can also be used as the filling character between frames.
Address field (A)
The address field carries the address information.
Control field (C)
The control field forms the commands and the responses to monitor and control the link. The
main node or the combination node of the sender uses the control field to
request the slave node or the combination node to perform the specified operation. The slave
node uses this field to respond to the commands and report the completed operations or the
change of status.
Information field (I)
The information field can be any binary bit string. The length of the string is not
limited. The upper limit of the string length depends on the FCS field or the cache
capacity of the communication node. The commonly used length is 1000-2000 bytes.
The lower limit can be 0, namely, no information field. The supervisory frame,
however, cannot have the information field.
Sequence number field (FCS)
The FCS field contains 16 bits. It is used to verify the entire frame between the
two flag fields.
Page 532
page 502
The HDLC frame is classified into the information frame (I frame), the supervisory
frame (S frame), and the unnumbered frame (U frame).
Information frame (I frame)
The I frame transmits the valid information or data.
Supervisory (S frame)
The S frame controls errors and traffic. If the first two bits of the control field in a
frame are 10, it is an S frame. The S frame does not contain the information bit. It
contains only 6 bytes, namely, 48 bits.
Unnumbered frame (U frame)
The U frame is used to establish, delete, and control the link.
Page 533
page 503
Page 534
page 504
The HDLC configuration on the serial link is simple. The user only needs to configure HDLC
in the interface view, and then configure the IP address. The link-protocol hdlc command
configures the link-layer protocol for the encapsulation on the interface to be HDLC.
NOTE: The encapsulation modes on the two interfaces of the communication nodes must
be the same. The default encapsulation protocol on the serial interface of the
VRP based routers is PPP. When the VRP-based routers are interconnected with the
devices of other vendors, make sure that the encapsulation modes are the same.
Page 535
page 505
After configuration is complete, the user can use ping to check whether the configuration is
correct. If the two nodes can send and receive ping packets, the configuration is deemed
successful; otherwise, check whether the configuration on the corresponding interfaces is
accurate.
Page 536
page 506
As is shown in the figure above, RouterA and RouterB are connected through the serial
interface. HDLC runs on the interfaces. Interface S0/0/1 on Router A borrows the IP address
of the local loopback interface. The IP address of the loopback interface adopts the 32-bit
mask. The ip address unnumbered interface LoopBack 0 command configures interface
S0/0/1 to borrow the IP address of interface loopback 0. The ip route-static 10.1.1.0 24
Serial 0/0/1 command configures the static route. The egress of the static route to network
10.1.1.0 is Serial0/0/1. For the configuration of the static route, refer to the routing module.
Page 537
page 507
The display ip interface brief command displays the IP addresses of the interfaces. In this
example, you can see that Serail0/0/1 and Loopback0 use the same IP address. If the
interface does not borrow the IP address of another interface, a message is displayed to
remind you of the IP addresses conflict. In this example, however, Serial0/0/1 borrows the IP
address of Loopback0, so the IP addresses are not in conflict.
Page 538
page 508
We can use PING to test the connectivity between the two routers. If the test succeeds, it
verifies that the router configuration is correct, otherwise it will be necessary to check
whether the corresponding interface configuration match.
Page 539
page 509
1. What is HDLC?
High-level Data Link Control, HDLC, is a bit-based link-layer protocol. The protocols of the
HDLC protocol suite run on synchronous serial links.
2. The HDLC frame structure is comprised of which fields?
An HDLC frame consists of the flag field (F), address field (A), control field (C), information
field (I), and a sequence number field (FCS).
Page 540
page 510
Page 542
page 511
Page 543
page 512
Page 544
page 513
Page 545
page 514
PPP is placed in the data link layer of the TCP/IP stack. It is the most popular point-to-
point link layer protocol. PPP is used to encapsulate and transmit IP packets on the serial
link, ATM link, and SDH link.
Page 546
page 515
PPP consists of three components, namely, data encapsulation method, Link Control
Protocol (LCP) , and Network Control Protocol (NCP) . The datagram encapsulation method
defines how to encapsulate multi-protocol packets.
To be adapted to various link types, PPP defines LCP. LCP can test the link environment (for
example, whether a loop is generated) and negotiate link parameters (for example, the
maximum length of the packet and the type of the authentication protocol) . Compared with
other link layer protocols, PPP can
provide authentication. The two ends of the link can negotiate the authentication protocol to
be used and implement the authentication. The session can be
established only after the authentication succeeds. With this feature, PPP can be used by
ISP to receive the access of dispersive subscribers.
PPP defines a group of NCP protocols. Each protocol matches a network layer protocol. The
NCP protocol is used to negotiate the parameters like IP addresses. For example, IPCP
negotiates IP control parameters, and IPXCP negotiates IPX control parameters.
Page 547
page 516
The encapsulation method of PPP data frame is used for differentiating the packets of each
upper layer protocol. The encapsulation format of PPP contains only three fields.
Protocol: This field contains two bytes. It identifies the type of protocol encapsulated in the
PPP frame, for example, IP, LCP, and NCP. The common values are shown in the above
figure.
Information: This field contains the data encapsulated in PPP, for example, LCP data, NCP
data, and network-layer packets. The length of this field is variable.
Padding: This field is used for filling in the information field.
The total length of the Padding and Information fields is the maximum receive unit (MRU) of
PPP. The default value of MRU is 1500 bytes.
If the Information field is shorter than MRU, PPP fills in the Padding field to reach the length of
MRU to make the transmission convenient. But the padding is not mandatory. That is to say,
the Padding field is optional.
Page 548
page 517
PPP frames cannot be transmitted directly on the link. Additional encapsulation modes and
control mechanisms must be used depending on the types of the links. The PPP frames
transmitted on the serial link must comply with HDLC.
Flag: indicates the start bit or the end bit of the frame. The value is 01111110.
Address: indicates the IP address. It is all 1s. Because PPP is a point-to-point protocol, it
does not need the addressing mechanism. The address of all 1s
represents the receiver end.
Control: indicates the control field. HDLC can use this field to transmit data and control
packets orderly. In PPP, the value of this field is 0x03, which indicates that the data is
transmitted in countless mode. This is a simple working mechanism.
Page 549
page 518
The basic configuration of PPP on the serial link is simple. Configure PPP encapsulation
interface view, and then configure the IP address. The link-protocol ppp command is used
to configure the link layer protocol of the interface as PPP.
Page 550
page 519
Page 551
page 520
This table lists four types of LCP packets used to negotiate link-layer parameters.
Configure-RequestThe first packet during the link-layer negotiation process, indicating
the beginning of link-layer parameter negotiation of the two ends.
Configure-AckAfter receiving the Configure-Request packet sent by the peer, if the
values of negotiated parameters are acceptable, this packet is used for acknowledgement.
Configure-NakAfter receiving the Configure-Request packet sent by the peer, if the
values of the negotiated parameters are not acceptable, this packet is used for reply,
carrying the locally acceptable parameters.
Configure-RejectAfter receiving the Configure-Request packet sent by the peer, if the
values of the negotiated parameters cannot be identified, this packet is used for reply
carrying the parameters not identified.
Page 552
page 521
As is shown in the figure above, RTA and RTB are connected through the serial link and
they run PPP. When the physical layer link is up, RTA and RTB negotiate the link
parameters through LCP. In this example, RTA sends an LCP packet. RTA sends a
Configure-Request packet to RTB. The packet contains the link layer parameters
configured on RTA. After RTB receives the Configure-Request packet, it returns a
Configure-Ack packet to RTA if RTB can identify the parameters in the packet and the
parameter values are acceptable.
If RTA does not receive the Configure-Ack packet, it will re-sends the Configure-Request
packet every three seconds. If RTA still dose not receive the Configure -Ack packet after it
sends 10 Configure-Request packets, RTA considers RTB failed and stops sending the
Configure-Request packet.
NOTE: If the above process has finished it only indicates that RTB considers the link
parameters on RTA acceptable. RTB still needs to send the Configure-Request packet to
RTA to let RTA check whether the parameters on RTB are acceptable.
Page 553
page 522
After RTB receives the Configure-Request packet sent by RTA, RTB checks the parameters
contained in the packet. If RTB can identify the link layer parameters but finds that some or
any of the parameter values cannot be accepted, RTB returns a Configure-Nak packet to RTA.
This Configure-Nak packet contains only the unacceptable parameters. The values (or value
ranges) of these parameters are changed into the values that
can be accepted by RTB.
After receiving the Configure-Nak packet, RTA modifies the parameter values locally
according to the parameter values in the packet, and then re-sends a
Configure-Request packet.
After five negotiations, if the values still cannot be accepted, the parameters are forbidden
without further negotiation.
Page 554
page 523
After RTB receives the Configure-Request packet sent by RTA, RTB checks the parameters
contained in the packet. If RTB cannot identify some or any of the
link layer parameters in the packet, RTB returns a Configure-Reject packet to RTA. The
Configure-Reject packet contains only the unidentified parameters.
After receiving the Configure-Reject packet, RTA re-sends a Configure-Request packet to RTB.
This packet does not contain the unidentified parameters.
Page 555
page 524
On the VRP platform, MRU is represented by MTU configured on the interface. The PPP
authentication protocols widely used are PAP and CHAP (will be
described in the following chapters). The two ends of a PPP link can authenticate each other
using different authentication protocols. The authenticated party, however, must support the
authentication protocol used by the peer and the authentication information such as user
name and password should be configured correctly.
LCP uses magic number to detect abnormal cases such as loop. A magic number is
generated randomly. The random mechanism has to guarantee that the two ends generate
the magic numbers.
After one end receives the Configure-Request packet, it compares the magic number
contained in the packet with the local magic number. If the two numbers are different, it
indicates that no loop occurs on the link, and the receiver end sends a Configure-Ack packet
(other parameters are also agreed), indicating the magic number is agreed. If the packets
sent later contain the magic numbers, the magic numbers are set to the negotiated one, and
LCP does not generate new magic numbers any more.
If the magic number in the Configure-Request packet is the same as the local magic number,
the receiver end sends a Configure-Nak packet, which contains a new magic number. Then,
LCP sends a new Configure-Request packet with a mew magic number whether the
received Configure-Nak packet contains the same magic number or not . If loop occurs on
the link, this process is repeated continuously. If there is no loop, the packet interaction is
restored.
Page 556
page 525
If the authentication fails or the administrator closes the connection manually, LCP will stop
the connection.
LCP stop connections by using the Terminate-Request and Terminate-Ack packets. The
Terminate-Request packet is used for the peer to request stop the
connection. If one end receives a Terminate-Request packet, LCP must return a Terminate-
Ack packet to confirm the closure of connection.
If the sender does not receive the Terminate-Ack packet, it will re-sends the Terminate-
Request packet every three seconds. If the sender still fails to receive
the Terminate-Ack packet after it sends two request packets, it considers the peer failed and
will close the connection.
Page 557
page 526
After establishing a connection, LCP detects the status of the link by using the Echo-
Request and Echo-Reply packets. After receiving an Echo-Request packet, it returns an
Echo-Reply packet to tell that the link status is normal. On the VRP platform, an Echo-
Request packet is sent every 10 seconds.
Page 558
page 527
Page 559
page 528
PAP is the Password Authentication Protocol. It is used for passwords authentication.
The configuration of PAP contains two steps:
1. Enable PAP authentication on the authenticator; create a PPP user.
2. Configure the user name and password for PAP authentication on the
authenticated party.
local-user huawei password simple hello
This command is used for the creation of a local user, of which the user name is huawei
and the password is hello. Key word simple indicates that the password is plain text in the
configuration file. If the key word is cipher, it indicates that the password is cipher text in
the configuration file.
local-user huawei service-type ppp
This command is used for configuring user huawei as a PPP user.
ppp authentication-mode pap
This command is used for enabling PAP authentication on the authenticator. That is,
request the peer to use PAP authentication.
ppp pap local-user huawei password simple hello
This command is used for configuring the user name and password for PAP authentication
on the authenticated party.
Page 560
page 529
The working process of PAP authentication is simple. After LCP negotiation, the authenticator
requests the peer to use PAP authentication. The peer sends the user name and password in
plain text through the Authenticate-Request packet to the authenticator. In this example, the
user name is huawei and the password is hello.
After receiving the user name and password, the authenticator checks whether the information
is correct in the local database. If the information is correct, it returns an Authenticate-Ack
packet; otherwise, it returns an Authenticate-Nak packet, indicating failure of the
authentication.
Page 561
page 530
CHAP is the Challenge Handshake Authentication Protocol. It is an authentication method
that sends password information in cipher text. Compared with PAP,
CHAP is more secure.
local-user huawei password cipher hello
This command is used for creating a local user, of which the user name is huawei and the
password is hello. Key word cipher indicates that the password information is displayed in
cipher text in the configuration file.
local-user huawei service-type ppp
This command is used for configuring user huawei as a PPP user.
ppp authentication-mode chap
This command is used for enabling CHAP authentication on the authenticator. That is,
request the peer to use CHAP authentication.
ppp chap user huawei
This command is used for configuring the user name for CHAP authentication to be huawei
on the peer.
ppp chap password simple hello
This command is used for configuring the password for CHAP authentication to be hello on
the peer.
Page 562
page 531
The CHAP authentication contains three interaction phases. To match the request packet
and response packet, the packet carries the Identifier field. All the packets in one
authentication process use the same identifier.
After the LCP negotiation, the authenticator sends a Challenge packet to the peer. The
packet contains the Identifier field and the Challenge character string which is generated
randomly. This Identifier will be used by the consequent packet of the same authentication
process.
After the peer receives the Challenge packet, it encrypts the packet. The encryption formula
is MD5{ Identifier + password + Challenge }. The character string consisting of Identifier,
password, and Challenge undergoes the MD5 calculation. Then, a 16-byte digest is
generated. The digest and the CHAP user name configured on the port are encapsulated in
the Response packet and sent back to the authenticator. In this example, after the
encryption, the digest information and user name huawei are sent to the authenticator.
After the authenticator receives the Response packet sent by the peer, it searches the local
database for the challenge message matching the user name.
Then, the authenticator encrypts the password. The encryption calculation is the same as
that used by the peer. Then, the authenticator compares the digest information with that
encapsulated in the Response packet. If they are the same, the authentication succeeds;
otherwise, the authentication fails.
As this shown in the previous process, CHAP sends the password in cipher text instead of
plain text, hence the security is enhanced greatly.
Page 563
page 532
Page 564
page 533
PPP defines a group of NCP protocols. Each protocol matches a network layer protocol. The
NCP protocol negotiates the network layer parameters. For example, IPCP is used for
negotiating and controlling IP parameters, and MPLSCP is used for negotiating and MPLS
parameters. This course discusses only IPCP.
Page 565
page 534
IPCP uses the same negotiation mechanism and packet type as LCP, but IPCP does not
invoke LCP. This is the same as LCP in terms of working procedure, packet and so on.
There are two types of IP address negotiation methods: static configuration and dynamic
configuration.
As it is shown in the figure, the IP addresses on the two ends are 10.1.1.1/30 and
10.1.1.2/30. The two IP addresses are in network segment 10.1.1.0/30.
The negotiation process for the static configuration of IP addresses is as follows:
1. The two ends send the Configure-Request packets, which contain the local IP address.
2. After receiving the Configure-Request packet, the two ends check the IP address
contained in the packet. If the IP address is a valid unicast IP address and it is different
from that configured locally (no confliction), it indicates that the peer can use this IP
address and the local end returns a Configure-Ack packet.
Page 566
page 535
As it is shown in the routing table, the IP address of the peer on the PPP link is a 32-bit
host address. The reason is that by sending information through IPCP, the two ends of
the PPP link can know the IP address of the peer.
Page 567
page 536
As is shown in the figure above, RTA asks the peer to allocate an IP address, and RTB uses
static IP address 10.1.1.2/30. RTB enables the function to allocate IP address for the peer,
allocating IP address 10.1.1.1 for RTA.
The process of the dynamic negotiation of dynamic IP address is as follows:
RTA sends a Configure-Request packet to RTB. The packet contains IP address 0.0.0.0,
which indicates a request for an IP address allocating . After RTB receives the Configure-
Request packet, it considers IP address 0.0.0.0 invalid and returns a Configure-Nak packet
containing IP address 10.1.1.1; After RTA receives the Configure-Nak packet, it updates
the local IP address and re-sends a Configure-Request packet, which contains IP address
10.1.1.1; When RTB receives the Configure-Request packet, it considers the IP address
contained in the packet valid and returns a Configure-Ack packet.
At the same time, RTB sends a Configure-Request packet to RTA, which means that RTB
requests to use IP address 10.1.1.2. If RTA considers the IP address valid, it will return a
Configure-Ack packet.
Page 568
page 537
The VRP platform supports IP address negotiation in PPP.
ip address ppp-negotiate
This command is used for enabling the function of requesting the peer to allocate IP
addresses.
remote address 10.1.1.1
This command is used for enabling the function of allocating IP addresses to the peer. In this
example, IP address 10.1.1.1 is allocated to the peer.
Note: The IP address obtained through negotiation is a 32-bit host address. The route of the
corresponding network segment will not be generated in the routing table.
Page 569
page 538
What are the components in PPP?
PPP has three components, namely, data encapsulation method, LCP and NCP.
Which packets can be used for negotiating link parameters in LCP?
Configure-RequestThe first packet during the link-layer negotiation process,
indicating the beginning of link-layer parameter negotiation of the two ends.
Configure-AckAfter receiving the Configure-Request packet sent by the peer,
if the values of negotiated parameters are acceptable, this packet is used for
responsing.
Configure-NakAfter receiving the Configure-Request packet sent by the peer,
if the values of negotiated parameters are not acceptable, this packet is used for
responsing, carrying the locally acceptable parameters.
Configure-RejectAfter receiving the Configure-Request packet sent by the
peer, if the values of negotiated parameters cannot be identified, this packet is
used for responsing, carrying the parameters not identified.
How many packet exchanges are necessary for CHAP?
Three. Sending of user name and password in cipher text.
What do the main IPCP parameters negotiate?
IP address.
Page 570
page 539
Page 572
page 540
Page 573
page 541
Page 574
page 542
Page 575
page 543
The FR technology is a fast packet switching technology that transmits and switches data
units in a simplified manner when compared to X.25. The FR adopts a virtual circuit based
behavior, transmitting data through logical links, rather than physical links. Multiple logical
links can be multiplexed on one physical link. The bandwidth can therefore be multiplexed
and dynamically allocated. This facilitates the transmission of data for multiple users and
multiple rates. The network resource is fully used. As shown in the figure above, the virtual
circuit is used so that the network resource is fully utilized. Frame Relay has the features of
high throughput and low delay. It is applicable to the service that has burst traffic.
FR simplifies the layer-3 function of X.25, however does not support retransmission when an
error occurs.
Page 576
page 544
Frame Relay is found at the second layer of the OSI model. It is a simplified way to transmit
and switch data units at the data link layer. FR realizes the functions of the physical layer
and the link layer. The functions such as traffic control and error checking are realized by the
intelligent terminal. Hence the protocol between nodes is simplified. FR can transmit various
routing protocols. The packets of the routing protocols are encapsulated in the FR data
frame, as shown in the figure above.
Page 577
page 545
FR has the following features:
The FR technology is used for transmitting data service. Data is transmitted as frames. FR
is a fast packet switching technology, which is connection-oriented. FR transmits data over
the logical links, rather than physical links. Multiple logical links can be multiplexed on one
physical link. Bandwidth can be multiplexedand dynamically allocated.
The simplified X.25 protocol realizes statistics multiplexing, frame transparent transmission,
and error detection on the data link layer, but does not support retransmission. The FR
protocol simplifies the layer-3 function of X.25. It simplifies the processing on network
nodes and improves the information processing efficiency. The 2-layer structure consisting
of physical layer and data link layer is adopted. Only the core subset of the data link layer
is kept. The mechanisms like frame numbering, traffic control, response, and monitor are
not required. The cost of switches is reduced, and the network throughput is improved, and
the delay in communication is reduced. The access rate of FR users is between 64 Kbit/s
and 2 Mbit/s.
A mechanism is provided to manage bandwidth and prevent congestion. The user can fully
use the reserved bandwidth, namely, the committed information rate (CIR). The burst data
of the user can occupy the unreserved bandwidth. Thus the network resource is fully used.
Similar to packet switching, FR adopts the connection-oriented switching technology. It can
provide the SVC and PVC services. In the current FR network, only the PVC service is
used.
Switching unit-The length of the frame is longer than the length of the packet. The
maximum length of the frame is at least 1600 bytes. It is used for encapsulating the data of
LAN.
Page 578
page 546
The above figure shows the FR network model. The model consists of the DTE and the
FR switching fabric.
The FR switching fabric consists of a group of DCE. The LANs on the two ends are
interconnected through the FR network. The data of the LAN is transmitted through the
PVC.
The terms related to the FR network are as follows:
Data Terminal Equipment (DTE): refers to the user-side device.
Data Circuit-terminating Equipment (DCE): refers to the switching equipment on the
network, like FR switch. The DTE and the DCE are directly connected. The DCE is
connected to a port on the switch. Multiple connections are set up between multiple
switches. The links between the DTE are established, as shown in the figure above.
Data Link Connection Identifier (DLCI): identifies the link interface. Every link on the FR
network uses a DLCI. The FR is a connection-oriented technology. Before communication
starts, a link must be established between the devices. The link between the DTE is called
virtual circuit. The virtual circuit of the FR is classified into PVC and SVC. The PVC is
widely used in FR.
Page 579
page 547
A Frame Relay (FR) network provides data communication between user devices (such as
routers and hosts).
According to different functions, FR devices and interfaces can be divided into the following
three types:
The user device is called Data Terminal Equipment (DTE). The interfaces on the DTE are
called DTE interfaces.
The device that provides access for DTE is called Data Circuit-terminating Equipment
(DCE). The interfaces on the DCE devices are called DCE interfaces or Network-to-
Network Interfaces (NNIs) interfaces. The interfaces that connect the DTE and the DCE
are User-to-Network Interfaces (UNIs).
The interface between the FR switches are NNIs. In practice, the DTE interface can be
connected only with the DCE interface; the NNI interface can be connected only with the
NNI interface.
Page 580
page 548
The FR is a connection-oriented technology. Before communication starts, a link must be
established between the devices. The link between the DTE is called virtual circuit.
The virtual circuit of FR is classified into PVC and SVC. The PVC is widely used in FR.
Permanent Virtual Circuit (PVC): refers to the fixed virtual circuit provided for users. Once
the link is established, it will always be valid; unless the administrator deletes it manually.
The PVC transmits frequent and stable data between two ends frequently and stably.
Switched Virtual Circuit (SVC): refers to the virtual circuit automatically allocated by
protocol. After communication completes, the virtual circuit can be deleted by the local
equipment or switch. The burst data is often transmitted through the SVC.
Page 581
page 549
FR is a statistical multiplexing protocol. One physical link can provide multiple virtual links.
Each virtual link is identified by the DLCI. The address field in the FR frame can identify the
virtual link that FR frame belongs to.
The DLCI is applied to the local interface and the peer interface that is directly connected to
the local interface. It is not used globally. That is, in the FR network, a DLCI on different
physical interfaces may identify multiple virtual links. The user interface on a FR network
supports up to 1024 virtual circuits. The value of the DLCI that can be used by users ranges
from 16 to 1007. The virtual circuit is connection-oriented, so different local DLCIs are
connected to different peer devices. The local DLCI can be considered as the FR address
of the peer device. The FR network is public facility. It is often provided by the telecom
service provider. Users can also establish a FR network by using private switches. No matter
which method is used, the provider of the FR network allocates the DLCI to the PVCs that
are used by the users routers. Some DLCI numbers represent special functions. For
example, DLCI 0 and DLCI 1023 are used by only the LMI protocol.
Address mapping of FR is to associate the protocol address of the peer device with the FR
address (local DLCI) of the peer device so that the upper layer protocol can find the peer
device through the protocol address of the peer device. FR is mainly used to carry the IP
protocol. Before the device sends the IP packet, the DLCI matching the next hop address
must be known . The device can find the DLCI by searching the mapping table. Address
mapping can be configured manually or dynamically maintained by the protocol.
Page 582
page 550
Local Management Interface (LMI): monitors the status of the PVC. The system supports
three kinds of LMI protocol: Q.933 Annex A of ITU-T, T1.617 Annex D of ANSI, and the non-
standard compatible protocol. The nonstandard compatible protocol is used for
interconnecting a device with the devices of other vendors.
The working method of LMI is : DTE sends ak Status Enquiry packet at a interval to query the
status of the virtual circuit. When the DCE receives the packet, it sends a Status packet to
notify DTE of the status of all the virtual circuits on the current interface.
The PVC status of the DTE-side devices depends on the DCE-side devices. The PVC status
of the DCE-side devices depends on the network. If two network devices are directly
connected, the PVC status of the DCE-side devices is set by the administrator.
Page 583
page 551
The FR network can connect the disparate networks. The network architecture may be full-
meshed, partial-meshed, or star. In terms of cost, the star structure is the best as it limits the
number of PVCs required. A central node is connected to the distributed nodes by using
multiple PVCs on one interface. This architecture is applicable to the company where the
headquarters needs to be connected to multiple branches. The disadvantage of this
architecture is that the disparate nodes can communicate only through the central node.
In the full-meshed structure, all the nodes are interconnected through PVCs. Any two nodes
can communicate directly without passing other nodes. The reliability of such a architecture
is high. If one PVC fails, the data can be transmitted through another. The disadvantage of
such architecture is that a great number of PVCs are required. If one node is added to the
network, many new PVCs need to be added.
In the partial-meshed structure, some nodes are connected directly. The default FR network
architecture is non-broadcast multi-access (NBMA). That is to say, although the nodes in the
FR network can communicate with each other, the FR network does not support broadcasts.
If a node receives routing information, it recreates the packet and then sends the duplicated
packet carrying the routing information to other nodes.
Page 584
page 552
Address mapping of FR associates the protocol address of the peering device with the local
DLCI, so that frame relay can identify the PVC that should be used in order to reach a given
destination.
It should be noted that the mapping table is based on a logical interface. The logical
interface has its own mapping table. The key in the mapping table is the relationship
between the peer protocol address and the local DLCI.
Page 585
page 553
The inverse ARP protocol is used for resolving the network address of a peer over a virtual
circuit, with support for both IP and IPX addressing. If the protocol address of the peer is
known, the inverse ARP protocol can locally generate a mapping relationship between the
peer network address and the DLCI (MAP). The address mapping therefore need not be
configured manually.
The process is as follows:
When a new virtual circuit is found (the local interface is already configured with the protocol
address), the inverse ARP protocol sends an Inverse ARP request packet to the peer. The
packet contains the local protocol address. When the peer receives the request, it obtains the
local protocol address, and generates a mapping relationship. At the same time, the inverse
ARP protocol sends a response packet and generates the mapping locally.
It should be noted that:
1) If the static mapping relationship is configured manually, the Inverse ARP protocol does
not send the request packet to the peer, no matter whether the peer's address is in the
static mapping is correct or not.
2) After receiving the inverse ARP request packet, the dynamic mapping cannot be
generated if the receiver discovers that the peer protocol address is the same as the
network address in the local mapping table.
3) The multiprotocol host responds only to the protocol address that is the same as the
protocol address in the request packet.
4) The multiprotocol host applies addresses for all the protocol addresses on each interface.
Page 586
page 554
As is shown in the figure above, Router A is connected to three routers, Router B, Router C,
and Router D, through interface S0. If three DLCIs are mapped to three routers over S0,
then the route update information on S0 is not sent out through S0. The distance vector
routing protocol implements split horizon. The router cannot forward the route update
information out through the interface on which the information was received. As shown,
Router B advertizes the routing information to Router A. The split horizon mechanism
results in Router A being unable to forward to Router C and Router D through interface S0.
There are two ways to resolve this problem, one is to connect multiple neighboring nodes
through multiple physical interfaces. This method requires that the router have multiple
physical interfaces, which results in increased cost to support the additional physical node
interfaces. Another method is to implement sub-interfaces. In this manner, a single physical
interface is configured with multiple logical interfaces. Each sub-interface has its own
network address, and operated like an independent physical interface. It is also possible to
disable the split horizon feature, but doing so will increase the possibility of routing loops
being generated.
Page 587
page 555
The split horizon problem can be solved by configuration of sub-interfaces. One physical
interface can support multiple logical sub-interfaces. Each sub-interface can be connected to
the peer router through one or many DLCIs over a FR network.
The logical sub-interfaces are defined on the serial link. The sub-interfaces are connected to
the peer router through one or more DLCIs. After a DLCI is configured on the sub-interface,
the mapping between the addressing of the destination end and the DLCI should be
generated.
As is shown in the figure above, the physical serial interface S0 on Router A, the DLCI of S0.1
is mapped to Router B, the DLCI of S0.2 is mapped to Router C, and the DLCI of S0.3 is
mapped to Router D.
The sub-interfaces in FR are classified into two types:
Point-to-point sub-interface: connects to a single remote node. Each sub-interface is
configured with one PVC. The peer can be found without the static address mapping.
Therefore, the peer address is determined when the sub-interface is configured on the PVC.
Point-to-multipoint sub-interface: connects multiple remote nodes. One sub-interface is
configured with multiple PVCs. Each PVC is mapped to the connected remote protocol
address. Thus, the PVC can be connected to the corresponding remote end. The address
mapping must be configured manually or set up through the inverse ARP protocol.
Before creating the FR sub-interface, the user should configure the interface to use FR as the
link-layer protocol. The default sub-interface type is p2mp.
Page 588
page 556
Page 589
page 557
RTA and RTB are connected by a serial link. The IP address planning is as shown in the
above figure. The link-layer protocol is FR. The configuration of FR in this example is
similar to the configuration in the preceding example. The difference is that the mapping
between the interface network address and the FR address is generated by the inverse
ARP protocol.
The fr inarp [ ip [ dlci-number ] ] command enables the dynamic address mapping. In
VRP, the dynamic address mapping is enabled on the FR interface by default. So this step
is optional.
Page 590
page 558
The display fr interface command displays the information about the FR interfaces, the
operation mode of the FR interfaces, and the physical status and protocol status of the FR
interfaces.
The display interface Serial 0 command displays the information about the interfaces,
including the physical status and protocol status of the interfaces, the IP address, the link-
layer encapsulation mode, and the LMI type.
Page 591
page 559
RTA and RTB are connected by a serial link. The IP address planning is as shown in the
above figure. The link-layer protocol is FR.
The link-protocol fr command encapsulates the link-layer protocol into FR. By default, the
link-layer protocol is encapsulated into PPP. When the FR protocol is encapsulated, the
encapsulation format is IETF by default.
ietf: indicates the standard IETF encapsulation, which complies with the RFC 1490. It is the
default encapsulation format.
nonstandard: indicates the encapsulation format of the nonstandard compatible protocol.
The fr interface-type command sets the FR interface type.
dte, dce, and nni: indicates the three types of the FR interfaces.
In FR, the two parties of the communication are at the user side and the network side
respectively. The user-side party is called DTE. The network-side party is called DCE.
In the FR network, the interfaces between the FR switches are NNI interfaces. The
corresponding interfaces adopt the NNI mode. If the devices are used for FR switching, the
interfaces should work in NNI mode or DCE mode.
The fr dlci command configures the virtual circuit for the FR interface. The IP address
10.1.1.1 30 command configures the IP address for the interface.
The fr map ip command adds a mapping relationship between the FR address and the DLCI
static address. ip-address: indicates the IP address of the peer.
ip-mask: indicates the subnet mask. The format of the subnet mask is X.X.X.X. X is an integer
ranging from 0 to 255. dlci-number: indicates the number of the local virtual circuit. The value
ranges from 16 to 1007.
Page 592
page 560
The display fr map-info command displays the mapping between the protocol address and
the FR address.
In this example, RTA displays the information showing that the address mapped to DLCI 200
is 10.1.1.2, the network address and FR address of RTB. The local interface S0 on RTA
works in DCE mode.
Page 593
page 561
Using ping to check FR configuration and interfaces reachability.
Page 594
page 562
In this example, the router functions as the FR switch. The PVC is configured manually.
Page 595
page 563
fr dlci-switch in-dlci interface interface-type interface-number dlci outdlci
undo fr dlci-switch in-dlci
Configuration view: FR interface view, MFR interface view
Using the fr dlci-switch command, you can configure a static route for the FR PVC switching.
Using the undo fr dlci-switch command, you can delete a static route for the FR PVC
switching.
By default, no static route for the FR PVC switching is configured.
Parameter:
in-dlci: specifies the DLCI of the interface where the packet is received, the value ranges from
16 to 1007.
interface-type: specifies the type of egress.
interface-number: specifies the number of egress. The format is slot number/card
number/interface number.
out-dlci: specifies the DLCI of the specified interface forwarding a packet. The value is ranges
from 16 to 1007.
Page 596
page 564
The configuration of RTC is similar to those of RTB.
Page 597
page 565
Configuration of RTD is similar to those of RTA. It needs to Configure data link protocol,
interface type and IP address.
Page 598
page 566
Using display fr dlci-switch to show PVC state.
Active Serial0(100) Serial2(200)
Active Serial2(200) Serial0(100)
Active means that PVC is OK.
Page 599
page 567
Page 600
page 568
Using the display fr map-info command, you can view the FR address mapping table.
[RTA]dis fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 100, IP INARP 10.1.1.2, Serial0
create time = 2007/06/04 17:34:59, status = ACTIVE
encapsulation = ietf, vlink = 20, broadcast
It is possible to verify the PVC is operational from the active state.
<RTA>ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Page 601
page 569
The fr switch command enables the backup function for the PVCs of the switches.
fr switch name [ interface interface-type in-interface-number dlci indlci
interface interface-type out-interface-number dlci out-dlci
name: specifies the name of the PVC for FR switching. The value is a string of 1 to 31
characters.
interface interface-type in-interface-number dlci in-dlci: specifies the interface type, interface
number, and DLCI value on the ingress of the PVC. The value of dlci-number ranges from 16
to 1007. interface interface-type out-interface-number dlci out-dlci: specifies the interface type,
interface number, and DLCI value on the ingress of the active or
backup PVC. The value of dlci-number, ranges from 16 to 1007.
It should be noted that:
The interface for FR switching must be set to NNI or DCE mode; otherwise, the FR switching
function cannot take effect. Before or after the static route of the PVC is configured, the user
must run the fr switching command to enable the FR switching route.
Page 602
page 570
[RTB]display fr switch-table all
Total PVC switch records:1
PVC-Name Status Interface(Dlci) <---> Interface(Dlci)
1 Active Serial0(100) Serial2(200)
PVC is ok When status of PVC is Active.
<RTA>ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/31/31 ms
Page 603
page 571
Using the display fr pvc-info command, you can view the configuration and statistics of
the FR PVC:
If no parameter is specified, basic FR configuration and statistics of all interfaces are
displayed.
If interface numbers are specified but the DLCI number is not specified, basic FR
configuration and statistics of DLCI of the specified interface are displayed. If both interface
number and DLCI number are specified, basic FR configuration and statistics of specified
DLCI of specified interface are displayed. The FR QoS configuration and statistics are also
displayed. By the statistic of input packets and output packets, It is easy to know PVC is OK.
Page 604
page 572
1. How many modes does the FR interface have?
Three, DTE, DCE, and NNI. In FR, the user-side is called DTE and the network-side party
is called DCE. In the FR network, the interfaces between the FR switches are NNI
interfaces. The corresponding interfaces adopt the NNI mode. If the devices are used for
FR switching, the interfaces should work in NNI mode or DCE mode.
2. Whats the meaning of FR DLCI?
The DLCI identifies the data links. All the virtual circuits are identified by the DLCIs. The
DLCI is applied to the local interface and the peer interface that is directly connected to the
local interface. It is not used globally. That is, in the FR network, a DLCI on different
physical interfaces may identify multiple virtual links.
3. How to establish a virtual circuit?
In the FR network, the DTE are interconnected with through virtual circuits. The virtual
circuit can be set up in PVC or SVC mode. PVC mode is commonly adopted.
Page 605
page 573
page 574
Page 609
page 577
Page 610
page 578
Page 611
page 579
Page 612
page 580
In a practical sense, a firewall acts as a separator, and also an analyzer, to supervise any
activity between an internal and external network, and assist in assuring the security of
the internal network is maintained.
The firewall can be in the form of a series of hardware devices or supported software
within a given device.
The firewall can be divided into several parts, some parts implement other function
besides the function of a firewall.
Firewall is the accumulation of hardware, software and control policies, where the control
policy can be divided into two kinds:
1. Strict policyhighly secure but may disrupt many services due to non-reviewed policy
restrictions
2. Loose policyprovides much freedom to users however may leave many security
holes in the network if good policy management has not been applied.
Commonly firewalls will take on a more secure policy and assess policy for additional
permissions on a case by case basis should additional policy restrictions need to be
relinquished. However this can take some effort due to a series of security review
processes that are often necessary to ensure the permission for release of restrictions
does not threaten the integrity of the internal network to external threats.
Page 613
page 581
With the development of firewall technology, the function of firewall is more and more
diverse, seen from the technology development aspect, variations have formed and can be
classified into three kinds: packet filtering, proxy and state detection. At present, the more
popular type is the state detection firewall.
Page 614
page 582
Packet filteringfirewall:
Packet filtering technology utilizes special rules predefined to filter packets. The firewall
obtains source IP address, destination IP address, source TCP/UDP port, destination
TCP/UDP port and protocol number of data packet, compare partial or overall information
above with the rule to filter the data packet through the firewall. The defined rule application
is done according to the features of the IP packet, the elements mentioned above can be
used to define the condition that allows the packet to pass through the firewall.
The feature of packet filtering firewall is that it is simple, but lacks flexibility, additionally
packet filtering firewall will implement policy detection on every data packet, which affects
the performance of a firewall.
Page 615
page 583
Proxy firewall:
Proxy firewall regards itself as a intermediary node of service access; for a client node, it
represents a server; for a server, it represents the client. A proxy firewall provides high
security, but the cost is also high. It is hard to develop a corresponding proxy service for
every application, so a proxy firewall can not support an abundance of services, it can only
provide proxy service for some applications such as HTTP services, Proxy etc.
Page 616
page 584
Page 617
State detection firewall:
State detection technology is an advanced communication filtering technology. State
detection is used to detect protocol information of the application layer and supervise the
protocol state of connection-oriented application layer. Through detecting the state of
TCP/UDP based connection, a firewall can dynamically determine whether the packet can
pass through the firewall or not. The firewall will maintain a session item that takes five-
element group
(source/destination IP address, source/destination port number, protocol number) as Key
values; for the received data packet, the firewall can match the session item to determine
which is legal and which is illegal.
As shown in the figure above, for Telnet access, when TCP completes the three-way
handshake, the firewall will create a session item based on this five-element group. When a
telnet response packet of user A passes through firewall, only the packet that matches the
session item can be permitted to pass through the firewall, the Telnet response packet of
other users will be blocked by firewall. Session item can be changed if the TCP protocol
state changes, before completion of three-handshake, illegal packet can not pass through
the firewall. After telnet session finishing, the session item will be deleted immediately, the
spurious illegal telnet packet remains unable to pass through the firewall.
Session identifies a complete connection, a complete connection is composed of five
elements (source address, destination address, source port, destination port, protocol
number). When a three-way handshake of TCP is completed, the firewall will create a
complete session item, the session item can be used to supervise the state transition of a
session.
page 585
As shown in the figure above, in the security system, firewall is analogous to a door, it can
prevent people from entering, but it can not prevent malicious attacks from people that have
permission to enter the network or are located internally. An access control system can
prevent people with low priority from doing work which exceeds their authority, but it can not
prevent people with high priority from malicious actions. It also cannot prevent people with
low priority from obtaining high priority through illegal behavior. Intrusion detection system
(IDS) is a unique device to identify whether the system is safe or not according to the data
and behavior mode, it is the second security door following the firewall. There is a classical
comparison: firewall corresponds a security system of a community, it will audit all the people
who go through the gateway. But it cannot audit the people inside the community or with legal
identity. IDS can supervise the internal community.
IDS is analogous to a security camera of a network, it can capture and record all the data; at
the same time ,it is also an intelligent camera, it can analyze and abstract doubtful and
abnormal network data with the intelligence to
Penetrate disguised data and identify the actual content. The advanced IDS can beat back,
terminate connection and close path automatically to regulate illegal behavior.
There are other technologies in security system besides those mentioned, for example,
identity authentication technology, ACL packet filtering, special user system access,
protection to special source linked servers through
reinforced and installed immunity systems, discovery of system holes and patching through
scanning software; transmission of encrypted data or use of VPN technology to transmit, so
as to guarantee the security (often end to end). Supervisory system operation through a
security management center, and operational event logging and threat detection using
alarms and threat response processes.
Page 618
page 586
Firewall strictly manages access from external networks into the internal network. The
access from the internal network to external network is relatively loose in comparison.
Firewall can not renew operation software periodically as other virus software, so the
defense provided to new generated safety menace is sometimes not enough.
If depth detection function is configured, the firewall will detect the partial content of a data
packet, which will also increase the forwarding delay time and affect forwarding
performance.
Firewall cannot provide detection to encrypted packets or other packets transmitted in VPN
tunnels that passes through the firewall.
Page 619
page 587
Page 620
page 588
The Eudemon series firewall is the firewall product series of HUAWEI. According to the
system structure of Eudemon, the following are the three series models: E100 , E200 ,
E300 and 5001000.
E100 is foremost series of firewall, it has two fixed 100M Ethernet module and two
extended slots.
E200 and E300 , 500, 1000 are more popular products, the performance also increases
orderly according to the series number. E200 has one main control board, with two
Ethernet interfaces on the board and the interface is connected to system bridge directly.
This allows the two interfaces to have a higher performance than other interfaces. There
are also two extended slots, they are the number 1 slot and number 2 slot from left to right,
the bottom layer is equipped with a dummy panel which is used for extended usage.
E300/500/1000 also has one main control board, the two Ethernet interfaces on the board
has low service performance, it can not be chosen as service interface, but as a service
management interface. There is one NP board behind the main control board, it is used for
service forwarding. The device provides 4 service slots, from left to right, they are number
1, 2, 3 and number 4 slots. The number 3 slot is a low speed slot, it can only support a low
speed service board. Number 1, 2, 4 are high speed slots used support high speed service
boards. The high speed board can only be supported by high speed slots, low speed
boards can be supported on low speed slots and also high speed slots.
Page 621
page 589
Throughput
Usually, large packets of 1K1.5K byte are used to scale the packet filtering performance
of a firewall. In the network, most of the traffic is comprised of packets of around 200 bytes,
so it is necessary to consider the performance of forwarding small packets. ACL rule should
also be configured on a firewall, so it is also necessary to consider the performance
capability of firewall when a great number of rules have been defined.
The rate of establishing connection for every second
It indicates that number of complete TCP connections that can be established through a
firewall every second. The connection of firewall is dynamic, which is established
dynamically according to state of the communicating peer. Before the session
establishment for exchanging data packets, a connection must be established with the
firewall. If the rate of establishing a connection with the firewall is low, the reflection on
client is that a great delay exists in communication. So the larger the index, the higher the
forwarding speed. When the firewall is attacked, the larger the index, the stronger the
defense ability. The larger the index, the stronger the state backup ability.
Subsequent connection number
It indicates the maximum number of connections that a firewall can support at one time, one
connection is one TCP/IP access.
Note:
As shown in the figure above, some high capability service boards can not guarantee line
speed forwarding, for example, 2G service board provides two 1G service interfaces, but
the bandwidth of backboard slot is only 1G, if 2G
throughput is needed, it is suggested to choose two 1G boards.
Page 622
page 590
Shown in the figure above is the hardware system structure of Eudemon200. The blue pane
is the processing board (RPU) of the firewall. On the RPU board, there are two 10/100Base-
TX interfaces which are connected to the system bridge directly, it adopts MAC forwarding
on the main control board, so the two interfaces have a higher performance than other
interfaces. Eudemon200 adopts dual PCI bus structure and connects to two slots separately.
This kind of structure reduces the collision in packet forwarding, and improves the forwarding
performance effectively.
Eudemon200 processing board mainly completes protocol processing, low-speed packet
forwarding, interface control, fault detection and so on, it is the core part of the product. The
component state supervising in the system for components such as the fan, power, system
working state, is indicated by light indicators on the RPU board of the firewall. It also can
report alarm relating to the fan, power and system temperature. The RPU board also
supports a hardware reset button.
Page 623
page 591
As illustrated in the figure above, the hardware system structure of Eudemon500/1000 is
built around the core structure of the Eudemon200, with additional architecture including a
network processor board connected to the FPGA. The NPU board adopt hardware to
forward, with forwarding rate reaching 4.5Mpps. Low-speed cards insert into the PCI slot,
though at present number 3 slot provides a slot for low-speed cards, so the performance is
lower than that of high speed slots. The FE interface is the same as that on the main control
board. High-speed cards can be supported by high-speed slots, namely number 1,2 and 4
slots.
TCP, UDP header is processed by NP, which can guarantee that the newly established
connection rate is larger than 100,000 items per second and ensures the network security.
Hardware-based ACL can ensure that the performance will not be affected when a large
number of rules are configured.
Page 624
page 592
Page 625
Q: How many variations of firewall are there, and what features do they support?
A: Firewalls represent three variations: packet filtering, proxy and state detection.
Packet filtering firewall utilizes special rule defined before (source/destination IP
address, source/destination TCP/IP port and protocol number) to filter packets.
Proxy firewalls are regarded as middle node of service access; for a client node, it
represents a server and for a server, it represents the client. State detection is
used to detect protocol information of the application layer and supervise the
protocol state of connection-oriented application layer. Through detecting the state
of TCP/UDP based connection, a firewall can dynamically determine whether the
packet can pass through the firewall or not.
Q: Which models make up the Eudemon firewall series?
A: it includes: E100, E200 and E300, 500, 1000.
page 593
Page 627
page 594
Page 628
page 595
Page 629
page 596
Page 630
page 597
A zone is an important firewall security concept. Firewalls is are generally located at the
boundary of a network, and so allows different networks to be represented part of
alternative zones. The firewall adds interfaces into zones and enables security detection
between zones (called a security policy). It can be used to filter the data flowing through
different zones. The common methods used for security detection includes ACL based
detection and application state detection.
Eudemon firewall has four reserved security Zones:
Untrusted zone: A low-level security zone, the security priority assigned is 5.
DMZ: A mid-level security zone, the security priority assigned is 50.
Trust Zone: A high-level security zone, the security priority assigned is 85.
Local Zone: The highest-level security zone, the security priority assigned is 100.
If necessary, users can configure new security zones and define the security priority. With
exception to the Local zone, before using any other zones, the security zone should be
associated with the firewall interfaces, achieved by adding the interface of firewall into a
security zone. The interface can only be added into only one zone. The interface can be a
physical or logical interface. Adding an interface to a zone means that the network
connected to the interface belongs to the zone, the interface itself belongs to the local zone.
Association of security zones and networks should obey the following rules: internal
networks should belong to Zone with a higher priority; external networks should belong to
zones with a lower priority; some network that can provide
conditioned services for external users should belong to the DMZ.
The purpose of defining security priority is to distinguish the direction of data flow amongst
security zones, whether inbound or outbound.
Page 631
page 598
When the data flow is forwarded between security zones, the firewall security detection
mechanisms will spring into action, in particular the security policy of the firewall
implemented between zones to manage traffic flow for example between the untrusted zone
and trusted zone. Different security policies can be implemented between different zones for
example, packet filtering policy, state filtering policy and so on.
There are two directions of data flow between zones:
Inbound: In which the data flow is transmitted from a zone with a low priority to a zone with a
high priority.
Outbound: In which the data flow is transmitted from a zone with a high priority to a zone with
a low priority.
Any two security zones cannot operate the same priority; the interfaces in the same Zone
can forward packets directly without filtering, thus nullifying the zone defenses. An interface
is unable to forward packets before it is added into a zone.
Page 632
page 599
This example introduces how a security zone is created and how to configure the priority
and apply an interface to the created zone.
[Eudemon] firewall zone name userzone
// creates a security zone named userzone, the system can support up to 16 zones in total,
including the default 4 zones.
[Eudemon-zone-userzone] set priority 60
//configures the priority, with a range from 1 to 100, any two zones can not use the same
priority, the priority of default 4 zones cannot be modified.
[Eudemon-zone-userzone] add interface Ethernet 0/0/1
//adds an interface to a zone, one zone can support 1024 interfaces at most.
Command [Eudemon]display zone username can be used to display related information
for a given security zone.
Page 633
page 600
This example introduces how to configure security policy between zones. When data flows
between security zones, the security detection mechanism will initialize. Generally, data from
an untrusted zone can not enter a trusted zone, unless permitted explicitly. After applying the
configuration displayed, data from an untrusted zone can forward to a trusted Zone.
[Eudemon]acl 3000
[Eudemon-acl-adv-3000] rule permit ip
//create ACL rule, to permit any data to pass.
[Eudemon] firewall interzone trust untrust
//enter trust-untrust view.
[Eudemon-interzone-trust-untrust]packet-filter 3000 inbound
//distribute security policy.
inboundFilters the data packet forwarding from a low level zone to a high level zone.
outboundFilters the data packet forwarding from a high level zone to a low level zone.
Input the command firewall interzone and choose the two zones involved, the relation of
inbound and outbound is determined by the priority. For example, a trusted zone and an
untrusted zone, inbound means that data is received from the untrusted zone by the trusted
zone. When implementing ACL between Zones, for every direction (inbound or outbound),
Eudemon200, Eudemon300 and Eudemon500 can implement one ACL rule.
Page 634
page 601
Page 635
page 602
Eudemon firewall can work in three modes: route mode, transparent mode and composite
mode.
If the Eudemon firewall connects to the external network at layer 3 (meaning an IP address
has been configured on the external interface), it is regarded that the firewall is operating in
route mode. As shown in the figure above, when the Eudemon firewall is located between an
internal network and an external network, the three interfaces on the firewall that connect to
internal network, external network and the DMZ area should be configured with IP addresses
as part of different network segments. The topology would recognize the firewall as
corresponding to the operation of a router. When adopting route mode, it can complete ACL
packet filtering, ASPF (status based packet filtering) dynamic filtering and NAT functionality.
However, when using route mode the network topology should be modified (the users on the
internal network should change the gateway of the end system, the router should change the
route configuration and so on).
Page 636
page 603
If the Eudemon firewall connects externally at layer 2 (an IP address is not configured on the
interface), the firewall is considered to be operating in transparent mode. If the Eudemon
firewall adopts the transparent mode, the firewall only needs to be inserted into the network
as bridge, the greatest advantage is that it is not necessary to modify any configuration; the
firewall functions as a switch, and the internal network and external network must remain in
the same subnet. At present, the Eudemon firewall can not support STP, so the usage of
firewall should be done with care so as to avoid layer 2 loops in the network. In this mode,
the firewall will not only forward packets like a switch, but also analyze the packet.
Page 637
page 604
If Eudemon firewall has not only interface which is working in route mode (interface has IP
address ) but also supports an interface which is working in transparent mode (interface has
no IP address), then the firewall is considered to be working in composite mode. This kind of
mode is the mix of transparent mode and route mode, at
present, it is only used in special applications of transparent mode to provide dual device hot
backup.
The IP address should be configured for the interface which has VRRP (Virtual Router
Redundancy Protocol) function enabled. The other interfaces do not require an IP address,
furthermore the internal network and external network must be in the same subnet.
Page 638
page 605
Use the following command to set working mode of Eudemon firewall.
[Eudemon]firewall mode composite
//Configure firewall to operate in composite mode. firewall mode { composite |
route | transparent }
The firewall operates in route mode by default.
[Eudemon]quit
<Eudemon>reboot
//Restart the firewalls.
The transition between operational modes may cause some operational issues. Operation
will not be affected when transitioning from a transparent mode to a composite mode and
will maintain forwarding performance without packet loss. The firewall will not dispose of or
affect forwarding performance in this case. In the transition to other modes, the firewall will
need to restart, because the transition will affect forwarding performance.
[Eudemon]display firewall mode
//Used to check the firewall working mode.
Page 639
page 606
Page 640
page 607
A firewall must provide the ability to control the network data flow, so as to guarantee security,
QoS requirement and constituting policy. ACL (Access Control Lists) are one of the methods
that can be used to control data flow. An ACL is a series of ordered rules composed of permit
or deny statements. These rules describe data packet through parameters such as the source
address, destination address, port number and protocol. An ACL can be applied in the
following situations:
1, Packet filtering as part of the network security protection mechanism. Packet filtering is
used between two networks with different priorities to control the data flow of a network
(inbound and outbound). When a firewall forwards the data packet, it will first detect packet
header (i.e: source address/destination address, source port/destination port and upper-layer
protocol), and then compare with configured rules. According to the result of the comparison,
it can determine whether to forward the packet or to discard the packet. To implement packet
filtering, a series of filtering rules are needed. It is possible to adopt an ACL to define filtering
rule, and then apply the ACL to filter between the firewall zones, so as to implement packet
filtering.
2, NAT (Network Address Translation) is the process used to translate the IP address in a
data packet header to another IP address. It mainly implements this function so that the
internal network (using a private IP addressing) can forward traffic to the external network
(using public IP addressing). In the actual application, it is hoped that some internal hosts
(supporting private IP addresses) can access the external network or Internet, while other
internal hosts can not. It is implemented through association of the ACL and NAT address
pool, meaning only data packets that satisfy the ACL rule can translate addresses, so as to
control the range of address translation.
An ACL can also be applied to other scenarios involving IPSec, QoS and routing policies.
Page 641
page 608
The firewall defines an ACL based on a numeral value. On Eudemon 300/500/1000, an
ACL can be divided into three kinds: basic ACL (20002999), advanced ACL (3000
3999), and firewall ACL (50005499). Users can choose ACL according to the requirement
in order to define different data flows.
The data flow defined by the three kinds of ACL is different: basic ACL only uses source
address to define data flow; advanced ACL uses source address, destination address,
source port number, destination port number and protocol
number to define data flow. The firewall ACL uses source address, destination address and
destination port number to define data flow.
Page 642
page 609
One ACL can be composed of multiple ACL rules that include key word permit or
deny.
Use command acl [ number ] acl-number [ vpn-instance vpn-instance-name ] in
system view to create an ACL.
[ number ] acl-number can define one ACL. For basic ACL, the range is 20002999;
for advanced ACL, the range is 30003999; for a firewall ACL, the range is 5000
5499.
vpn-instance refers to the creation of a firewall ACL rule.
After enter basic ACL view, the command rule [ rule-id ] { permit | deny }
[ source { source-address source-wildcard | any } ] [ time-range time-name ] can be
used to create basic ACL rule:
rule-id is the number for each ACL rule, it is an optional parameter. When defining
the ACL rule, if the ACL defines a number that already exists, the newly defined rule
overwrite the old one. If it does not exist, it will create a new rule. If an ACL number is
not appointed, and an ACL rule is defined, the system will automatically assign a
number to the ACL rule.
Permit and deny means the applied action when a match occurs. permit will
implement NAT or security policy detection on the data packet and allow accordingly.
deny is opposite, it will not implement corresponding detection on a packet that is
Page 643
page 610
not in accordance with the conditions set in the ACL.
source { source-address source-wildcard | any } indicates source address of an ACL
rule
time-range time-name indicates the time at which an ACL will take effect.
After enter advanced ACL view, the command rule [ rule-id ] { permit |
deny } protocol [ source { source-address source-wildcard | any } ] [ destination
{ dest-address dest-mask | any } ] [ source-port operator port1 [ port2 ] ]
[ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-
message } ] [ precedence precedence ] [ tos tos ] [ time-range timename ] can be used
to create an advanced ACL rule: the usage of the key word and parameter is the same
with those in basic ACL rules.
protocol uses name or number to indicate protocol type of IP carrier.
An advanced ACL can filter multiple protocols, for example: TCP . UDPICMPIP and
so on. The IP packet is used to transmit TCP and UDP, if we choose to filter IP protocols
in protocol field, it means to permit or refuse all the IP transmission based protocol, like
ICMP message, TCP messages or UDP messages; if we only plan to discard packets of
specific protocols and permit other packets to pass, then we must appoint those specific
protocols.
destination { dest-address dest-wildcard | any } indicates the layer three destination of
an ACL rule.
icmp-type indicates message type and code information of an ICMP packet, it can take
effect only when the ICMP protocol packet type parameter is defined. If it is not
configured, it means any ICMP packet can match.
source-port is used to indicate the layer four source port, it can take effect only when
the source port is defined. If it is not indicated, it means any packet from any source port
can match.
destination-port is used to indicate the layer four destination port, it can take effect
only when the destination port it defined. If it is not indicated, it means a packet for any
destination port can match.
Precedence: An optional parameter, in which a data packet can be filtered according to
priority, the range is 07 number or name.
tos: An optional parameter, that allows a data packet to be filtered according to the
service type. The range is 015 number or name.
One firewall can include multiple ACL groups. When a packet matches an ACL rule, it
should obey the following rule: when matching an ACL rule, the firewall ACL has priority
over an advanced ACL, an advanced ACL has priority over a basic ACL. In firewall ACL,
advanced ACL and basic ACL types, the ACL with the smaller acl-number will be
matched first. In the same ACL rule group, rule with smaller rule-id has priority over
others. Once the data flow has matched an ACL successfully, it will not continue to look
for further matches. A firewall will implement other operations on data flow according to
the ACL rule.
Page 644
page 611
The following example will introduce an example of ACL application and configuration of the
firewall.
A certain company accesses the Internet through Ethernet 1/0/0 of the Eudemon firewall, the
interface belongs to Untrust Zone. The firewall connects to the internal network through
Ethernet 0/0/0, this interface belongs to the Trust Zone. The company provides WWW, FTP
and Telnet services for outside, the subnet is 129.38.1.0. The internal FTP server address is
129.38.1.1, the internal Telnet server address is 129.38.1.2, and the internal WWW server
address is 129.38.1.3. Through configuring the firewall, it is hoped the following requirements
will be implemented:
In the external network, only the special user 202.39.2.3 can access internal servers.
In the internal network, the three servers and special user 129.38.1.4 can access the external
server.
Page 645
page 612
[Eudemon] acl number 3101
//create ACL of 3101.
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
// configure ACL rules to permit the special host to access the external network, permit
the internal servers to access the external network.
[Eudemon-acl-adv-3101] rule deny ip
[Eudemon-acl-adv-3101] quit
//configure ACL rule to restrict all IP packets from passing.
[Eudemon] acl number 3102
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0
//configure ACL rules to permit the special user to access internal servers from outside.
Use ACL in packet filtering application.
[Eudemon-Interzone-trust-untrust] packet-filter 3101 outbound
// use ACL rule 3101 in the outbound direction from Trust to Untrust.
[Eudemon-Interzone-trust-untrust] packet-filter 3102 inbound
//use ACL rule 3102 in the inbound direction from Trust to Untrust.
Page 646
page 613
Page 647
page 614
NAT is the process to transitioning individual IP addresses in IP data packet headers to an
alternative IP address. In the actual application, NAT mainly implements the function to allow
end systems in a private network to forward traffic over the external network.
Public IP address space is limited, and as the worlds networks continue to grow, available
public IP address ranges have been completely absorbed. It is impossible to use the IPv4
address scheme for to apply individual public IP addresses for all end system devices. The
solution has been until now to use private IP addresses in internal enterprise networks and
use public IP addressing as an external interface to an internal network. The private IP
address cannot be used within the WAN domain, so if users with private IP addresses need
to access the public network, addresses must be translated using NAT. It is possible to use a
small number of public address to represent such a large number of private addresses
(internal users).
Attacks to government and enterprise networks over public networks has become
increasingly frequent and complex. NAT can effectively hide private IP addresses, implement
security precautions on the NAT egress routers which can reduce the difficulty associated
with effective security.
In some cases, two enterprise networks may need to combine into a single network, however
private address overlapping commonly occurs. IP addressing schemes should be redesigned,
but it is hard to implement effectively in a short time without causing downtime to users. Here,
we can configure NAT on the egress routers for the two internal networks. The egress
routers can act as a public interface between the two private networks. Hosts of one internal
network can translate private addresses a public IP address in order to reach the external
interface of the other network. The NAT router of the receiving network can verify the source
and translate accordingly.
Page 648
page 615
Internet address distribution regulates that the following three network address ranges are
reserved as private address ranges.
10.0.0.0 - 10.255.255.255
172.16.0.0 -172.31.255.255
192.168.0.0-192.168.255.255
The three network addresses will not be distributed on Internet, but they can be used as part
of an internal enterprise (LAN). The enterprise chooses proper network address range
according to foreseeable host quantity required. Different enterprises can have the same
internal network addressing. If a company does not choose the network address above as an
internal network address, the routing table may endure some confusion. So when
constructing an internal LAN, it is recommended that one of the network address schemes
above should be used for internal network addressing.
Public addressing is legal and IP addresses can be obtained from Internet address
distribution organization, most this means application of public addressing from ISP as part of
a typical subscription package.
As referred before, when private IP address users wish to access public address domains
such as the Internet, they must translate private addresses to public addresses through NAT.
Page 649
page 616
When the Trust Zone establishes a connection to the Untrust Zone and DMZ on the Eudemon
firewall, it will detect whether corresponding data needs to implement NAT translation. If it is
needed, it will be completed at the egress of IP forwarding interface, the source address of the
packet (a private address) is translated to a public address. At the
ingress of the IP layer, the reply packet destination address (public address) will be translated
to a private address.
As shown in the figure above, the Eudemon firewall is located at a private/public network
boundary. When an internal PC A (192.168.1.3) sends data packet1 to external server B
(202.120.10.2), the data packet will go through the firewall. The NAT process will check the
content of the packet header, it will find that the packet is destined for an external network,
and translate private address 192.168.1.3 in the source address field of packet 1 into public
address 202.169.10.1. The packet can then be sent with the translated address to external
server B and record the private to public address mapping in the NAT table. External server B
will send a reply packet (packet 2) to internal PC A (the initial destination address is
202.169.10.1), when the packet gets to the firewall, NAT will check the packet and lookup
record in the NAT table. The destination address will be replaced by a private address
192.168.1.3 of the internal PC. The NAT process referred above is transparent to end system
devices (for example, the PC A-D and server). For the external server, it regards IP address
of internal PC as 202.169.10.1, it is totally unaware of the address 192.168.1.3. Therefore in
this manner, NAT is able to hide the private network of an enterprise.
Page 650
page 617
On Eudemon firewall, there are two modes of address transition: NO_PAT and NAPT.
NO_PAT: Individual private addresses correspond to individual public addresses, it does not
need to associate ports with addresses in order to translate, and is straight forward to
implement. The disadvantage is that by corresponding a single private address to a single
public address, it does not solve the shortage problem associated with public addressing. It
does help to map internal devices such as servers to allow direct mapping which simplifies the
ability for external devices to reach such devices internally without knowing the associated
internal address, or having any means to bypass the firewall.
NAPT: It permits multiple private addresses to map to a single public address. NAPT will map
IP addresses and port numbers. The data packet from different internal addresses can be
mapped to the same external address, but the port number in each case or session will be
different so as to distinguish between the different internal hosts. As shown in the figure above,
when four data packets with internal addresses reach the NAT server, packet 1 and 2 are
shown to be from the same internal address but since the destination is different for the two
packets, there will be a different port number associated with each packet. Packet 3 and 4 are
from different internal addresses but have same port number. Through NAT transition, the four
packets are transited to the same external address, but each packet has different source port
number, so the differentiation between the four packets is maintained. When the reply packet
gets to the NAT server, the NAT server will also identify the packet according to the
destination address, and the port number of the reply packet helps to forward packet to the
right internal host. Eudemon adopts this mode by default. Eudemon series of firewall supports
overlapping of IP addresses for outgoing interfaces and address pools. Eudemon100/200
supports regarding IP address of outbound interface as translated source addresses (called
Easy IP), Eudemon300/500/1000 however does not support this function.
Page 651
page 618
NAT hides the structure of the internal network, and has the capability to shield internal
hosts, while at the same time it makes it capable for external devices to access internal hosts,
for example, WWW server or FTP server. NAT can support internal servers, for example,
address 202.168.0.11 which can be used as an external address for the Web server, or
address 202.168.0.12 which can be used as the external address of internally located FTP
server.
NAT provides internal server function that external network can access. As shown in the
figure above, when user of external network access internal server, NAT will translate public
destination IP addresses of packets into private destination IP addresses of internal servers.
For the reply packet of each internal server, NAT can translate the source of reply packets to
public addresses.
NAT and NAPT can only translate header addresses of IP packets and also the port
information of TCP/UDP headers. For some special protocol, like ICMP and FTP, the data
part of a packet may include an IP address or port information, this content can not be
translated by NAT effectively, which will lead to problems. For example, one FTP server that
uses an internal IP address needs to send its IP address to a peer when it establishes a
session with an external host. The address information is carried in the data part of the packet,
it can not be translated by NAT. When external network host receives the private address and
uses it, FTP server will regard it as unreachable. The solution to solve this NAT problem is
through a special protocol ALG (Application Level Gateway) in NAT implementation. ALG is a
translation proxy of a special application protocol, it alternates with NAT and uses NAT state
information to change special data that is encapsulated in data part of an IP packet, it also
completes other necessary work to make the application protocol run in different ranges.
Eudemon firewalls functions as a perfect address translation application level gateway
mechanism, it can support all kinds of special application protocol, it is unnecessary to modify
NAT platform and has good extension.
At present, it has implemented ALG function of application protocol for: DNS, FTP, H.323,
HWCC, ICMP, ILS, MGCP (Media Gateway Control Protocol), MSN , NetBIOS, PPTP , QQ,
RAS and SNP.
Page 652
page 619
NAT combines NO-PAT mode and NAPT effectively on Eudemon firewall. If NAPT function
is configured, in the process of address transition, NAT will first translate private IP
addresses into one public IP address, and then choose
another public IP address to complete address translation. Address pool is the aggregation
of public IP addresses used for transition. Users should configure a proper address pool
according to the legal IP address quantity, host quantity within internal network and actual
applications.
Eudemon firewall utilizes ACL to limit address translation. Only the data packets that satisfy
ACL can implement address translation, which can control the range of address translations
effectively and allow the special host access to the external network.
Page 653
page 620
This example introduces how NAT is configured on Eudemon. As shown in the figure above,
firewall divides network into the internal network Trust Zone, external Untrust Zone and DMZ.
The host with the private address in Trust Zone needs to access the external network
(Internet). The host with public address in Untrust Zone needs to access
the three servers of the DMZ.
Page 654
page 621
[Eudemon] acl 2000
[Eudemon-acl-basic-2000]rule permit
[Eudemon-acl-basic-2000]quit
//configure ACL 2000 to permit any data to pass.
[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
//configure NAT address pool with series number 1, it includes public address for NAT
transition.
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip source-address 192.168.0.0 0.0.0.255
//configure ACL to permit packet with source IP 192.168.0.0/24.
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 2000 outbound
//bind ACL, permit data packet is forwarded from trust Zone to untrust Zone.
[Eudemon-interzone-trust-untrust] nat outbound 3000 address-group 1
//associate ACL to address pool; the address specified by acl-number can use address pool
group-number to implement address translation.
Besides, E200/E100 can configure Easy IP, but E300/500/1000 can not configure Easy IP.
Page 655
page 622
[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
//command nat server is used to define the mapping table of the internal server. The three
commands above define separately that each user can access the internal server
192.168.1.100 through public address 202.168.0.10 is able to access the internal server,
192.168.1.101:8080 through public address 202.168.0.11:80, is able to access the internal
Web server, and 192.168.1.102 through public address 202.168.0.12:1021. is able to access
the internal FTP server.
[Eudemon] acl 3000
[Eudemon] rule permit ip destination-address 192.168.1.0 0.0.0.255
[Eudemon] firewall interzone DMZ untrust
[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
//permit data the flow of traffic with destination 192.168.1.0/24 to be forwarded from untrust
Zone to DMZ.
[Eudemon-interzone-DMZ-untrust] detect ftp
//configure NAT ALG detection for FTP.
Page 656
page 623
Command Display nat all can be used to display Nat information for the firewall. The
information includes three parts: address pool, address transition and internal server mapping
information.
Page 657
page 624
Q: Which operational modes does Eudemon support?
A: Route mode, transparent mode and composite mode.
Q: What are the default Eudemon security zones?
A: Trust Zone, Untrust Zone, DMZ and Local.
Q: What is the difference between a basic ACL and an advanced ACL?
A: A basic ACL only uses the source address to define data flow, whereas an advanced
ACL uses source/destination address, source/destination port and upper-layer protocol to
define data flow.
Q: Which forms of NAT does Eudemon support?
A: NO-PAT, NAPT.
Page 658
page 625
page 626
Page 663
page 629
Page 664
page 630
Huawei routers have evolved for three generations. The first generation
routers use integrated single-core design, the second generation routers
integrated multi-core design, and the third-generation routers distributed
multi-core design.
Huawei AR G3 series routers (AR G3 routers for short) support multiple
network access modes, including Ethernet, PON, and 3G.
The AR G3 routers are the next-generation routing and gateway devices
that provide routing, switching, wireless, voice, and security services. The
AR G3 routers include the AR1200, AR2200, and AR3200 series routers.
Page 665
page 631
The AR G3 routers provide the highest port density in the industry and
flexible service interface card (SIC) slots, allowing enterprise customers to
connect to a LAN, WAN, or wireless network. The AR G3 routers provide
the most economical enterprise network solutions.
The AR G3 routers provide flexible slot combinations. Two SIC slots can be
combined into one WSIC slot, two WSIC slots into one XSIC slot, and two
XSIC slots into one EXSIC slot.
With extensible hardware design, the AR G3 routers allow customers to
choose SICs flexibly and to expand networks economically.
Page 666
page 632
The AR G3 routers integrate various services of routers, switches, and
wireless devices, including voice, firewall, and VPN.
Page 667
page 633
Depending on telecom carriers' networks, users can access these networks by using CE1/CT1, FE/GE,
ADSL, G.SHDSL, or Synchronization Agent (SA). The AR G3 routers provide dual-uplink to ensure
service reliability. These routers provide the following services for access users:
Provide the security, routing, switching, VPN, and wireless services to ensure secure, fast,
and reliable data packet forwarding.
Provide a variety of value-added services, including DHCP, network address translation
(NAT), domain name system (DNS), and billing services.
Provide security control mechanisms, including controlling access to internal networks and
user rights, to ensure the access security on the enterprise intranet and isolate the
departments of an enterprise.
Provide the attack defense function to protect user traffic against attacks from the external
and internal networks.
Guarantee user-specific QoS and service-specific QoS and flexibly allocate bandwidth for
services as needed.
The headquarters and branches use the AR G3 routers to connect each other on the Internet. The
enterprise establishes a VPN and uses GRE/IPSec VPN tunnels to secure the data. The employees on
a business trip use IPSec VPN tunnels to communicate with the headquarters.
The AR G3 routers, located between the enterprise intranet and the Internet, ensure information
security on the entire intranet and intranet LANs. Additionally, the AR G3 routers provide network
access control (NAC) to restrict the access permissions of internal users. This ensures that only
authorized users can access the intranet.
An enterprise can build a voice communication system over the IP network, saving fees on internal
communication. Within the voice communication system, an AR G3 router can function as an IP PBX
or SIP access gateway (AG). In the downlink direction, the router connects to POTS users (analog
phones or fax machines) and SIP user equipment (UE) users (IP phones or PC software terminals)
through FXS or Ethernet interfaces. In the uplink direction, the router connects to the PSTN through
E1 or FXS interfaces or to the IP network through Ethernet interfaces.
Page 668
page 634
The AR200 series routers apply to small-scale offices. They integrate switching and routing functions.
These routers provide wireline LAN access and wireless AP access to users. With them, users can
access the Internet through Ethernet, 3G, or PPPoE.
The AR1200 series routers feature powerful routing functions. They provide multiple access modes,
such as wireline LAN and wireless AP. Additionally, these routers provide flexible slots that allow users
to install subcards to extend interfaces and enrich functions.
The AR2200 series routers feature powerful routing functions and multiple access modes. They
support a variety of subcards to apply to different usage scenarios. Their slots can be combined to
achieve a higher port density. Among them, the AR2240 is equipped with two main control boards
and two power supplies for redundancy backup. This redundancy backup design improves the router
usability and reliability.
The AR3200 series routers have a large capacity. They provide many flexible slots that allow users to
install different cards in different usage scenarios. Additionally, their slots can be combined to provide
a higher port density. To improve system reliability, these routers are configured with two main
control boards and two power supplies for redundancy backup.
Page 669
page 635
Page 670
page 636
Page 671
page 637
Page 672
page 638
Huawei has the most extensive enterprise switch families in the industry, ranging from low-end,
medium-range, to high-end.
The S1700, S2700, S3700, and S5700 switches are used at the access layer of a campus network. The
S1700 and S2700 provide Layer 2 FE access. The S3700 supports Layer 3 FE access. The S5700 allows
for Layer 3 GE access and has a high port density. Additionally, the S5700 supports cluster
management and features high fault tolerance through the use of stacking technology.
The S5700, S7700, and S9300 are used at the convergence layer of a campus network. These switches
provide powerful switching functions and have a high port density. They also support a variety of
cards to apply to different usage scenarios where varying interfaces are required.
The S5700, S6700, S9300, and S12700 are high-end switches. These switches are used at the core
layer of a campus network. They also apply to the access and core switching layers of a large-scale
data center. With a high port density and a variety of cards, these switches provide various ports to
meet different requirements.
Page 673
page 639
Page 674
page 640
The SX7 series switches are intended for the enterprise market. They provide Layer 2 and Layer 3
access and FE, GE, and 10GE ports. Among these series switches, the ST-level core switch7700 uses a
distributed architecture and provides up to 12 slots that allow users to install different cards in
various usage scenarios.
Page 675
page 641
jS2700_)||j|S2700-9TP-SI.S2700-9TP-EI.S2700-18TP-SI.S2700-18TP-EI.
S2700-26TP-SI.S2700-26TP-EI.S2700-52P-EI.S2700-9TP-PWR-EI|S2700-26TP-PWR-EI
Page 676
page 642
Page 677
page 643
Page 678
page 644
Page 679
page 645
Page 680
page 646
Page 681
page 647
Page 682
page 648
Page 683
page 649
Page 684
page 650
Principle
S2700/3700/5700/6700 is integrated with internal HTTP server, and can access the device in the
switch three-layer interface through a variety of WEB browse.
Page 685
page 651
The following requirements must be met to implement stacking:
All the member switches belong to the same series. The EI series and SI series cannot form a stack.
All the member switches are connected by using stack cables and stack modules.
The stack rear card cannot be used together with the E4GF/E4GFA or E4XY front card.
Page 686
page 652
If all the member switches meet the stack setup prerequisites, the stack system is automatically
created when these switches are powered on.
The master switch is selected as follows:
The device that starts first becomes the master switch.
If all the devices start at the same time, the one of the highest priority becomes the master switch.
If all the devices have the same priority and start at the same time, the one with the smallest MAC
address becomes the master switch.
The slave switch is selected as follows:
The device that starts first among all the other devices excluding the master switch becomes the
slave switch.
If all the other switches excluding the master switch start at the same time, the master switch
preferentially selects the switch connected to its stack interface 1 as the standby switch.
If all the other switches excluding the master switch start at the same time and no switch is
connected to stack interface 1 on the master switch, the master switch selects the switch
connected to its stack interface 0 as the standby switch.
Page 687
page 653
The S7700 is a next generation switch of Huawei. It provides large capacity, line-speed forwarding,
and high density ports. The S7700 is an important product for establishing the MANs in the future.
The S7700 can be used as an aggregation switch or a core switch for enterprise networks, campus
networks, and data centers.
The S7700s are classified into the S7703, S7706, and S7712.
The S7700 is a high-end network product that provides wire-speed FE, GE, and 10GE interfaces. The
S7700 can function as a core switch for enterprise networks, campus networks, and data centers.
Page 688
page 654
The S7700s are classified into the S7703, S7706, and S7712.
The S7700 uses a fully distributed architecture and the latest hardware forwarding engine
technology. The services supported by all the interfaces can be forwarded at wire speed.
These services include IPv4, MPLS, and Layer 2 forwarding services. The S7700 can also use
ACLs to forward packets at wire speed.
The S7700 supports wire-speed forwarding of multicast packets. The hardware implements
2-level multicast replication:
The SFU replicates multicast packets to the LPU.
Then the forwarding engine of the LPU replicates the multicast packets to the interfaces on
the LPU.
The S7700 supports 2 Tbit/s switching capacity and various high-density cards to meet the
requirements for the large capacity and high-density interfaces of core and convergence
layer devices. The S7700 can meet the increasing bandwidth requirements and maximally
reduce investments.
S7703's switching capacity:
Adopting the full mesh architecture, the S7703 provides 16 Gbit/s bandwidth in each HIG group, that
is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between each slot and the backplane supports
eight HIG groups; therefore, the total bandwidth for each slot is 128 Gbit/s.
There is no switching network unit in the full mesh architecture. The switching capability is 720 Gbit/s,
that is, 120 Gbit/s x 2 x 3 (3 LPUs).
S7706/S7712's switching capacity:
Adopting the switching network architecture, the S7706 or S7712 provides 16 Gbit/s bandwidth in
each HIG group, that is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between each slot and the
backplane supports four HIG groups (an active SRU and a standby SRU); therefore, the total
bandwidth for each slot is 64 Gbit/s. Each 12x10GE LPU slot supports eight HIG groups; therefore, the
total bandwidth is 128 Gbit/s. (Only two 12x10GE LPUs of the S7712 support wire-speed forwarding.)
The maximum switching capability of the S7706 or S7712 is 2048 Gbit/s, that is, 16 Gbit/s x 16 (ports)
x 1 (switching network unit) x 2 (bidirectional) x 4 SRUAs.
Page 689
page 655
Page 690
page 656
ISSU=In-service software upgrade.
Page 691
page 657
Page 692
page 658
The figure on this slide shows a typical enterprise campus network. Within this network, you can
clearly see where Huawei switches, routers, firewalls, servers and other IT products are located.
Actually, Huawei can provide a full range of IT products and the most comprehensive network
solutions in the industry.
Page 693
page 659
Page 695
page 660
Page 696
page 661
Page 697
page 662
Page 698
page 663
Huawei HUAWEI NetEngine40E Universal Service Router (hereinafter referred to as the
NE40E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone
networks. The NE40E is positioned as the edge or convergence router on the IP backbone
network.
Page 699
page 664
Page 700
page 665
This is the introduction of NE40E product family. All LPUs can be applied to NE40E-X16,
X8 or X3. The main differencebetween LPUs is forwarding capability.
Page 701
page 666
Page 702
page 667
The NE40E-X adopts a system architecture as shown in Figure above. In this architecture, the
data plane, management and control plane, and monitoring plane are separated. This design
helps to improve system reliability and facilitates separate upgrade of each plane.
Page 703
page 668
Page 704
page 669
Page 705
page 670
The SFU on the NE40E-X16 switches data for the entire system at wire speed of 640 Gbit/s
(320 Gbit/s for the upstream traffic and 320 Gbit/s for the downstream traffic). This ensures
a non-blocking switching network.
The NE40E-X16 has four SFUs working in 3+1 load balancing mode. The entire system
provides a switching capacity at wire speed of 2.56 Tbit/s.
The four SFUs load balance services at the same time. When one SFU is faulty or replaced,
the other three SFUs automatically take over its tasks to ensure normal running of services.
Page 706
page 671
Page 707
page 672
Page 708
page 673
The SFU on the NE40E-X8 switches data for the entire system at wire speed of 480 Gbit/s (240
Gbit/s for the upstream traffic and 240 Gbit/s for the downstream traffic). This ensures a non-
blocking switching network.
The NE40E-X8 has three SFUs working in 2+1 load balancing mode. The entire system provides
a switching capacity at wire speed of 1.44 Tbit/s.
The three SFUs load balance services at the same time. When one SFU is faulty or replaced, the
other two SFUs automatically take over its tasks to ensure normal running of services.
Page 709
page 674
Page 710
page 675
Page 711
page 676
With full-mesh architecture, NE40E-X3 does not need a SFU.
Page 712
page 677
Page 713
page 678
Page 714
page 679
The control plane of the NE40E-X16 adopts MPU.
The following USB interface attributes are supported by MPU:
Supports the biggest USB fat32 format, and supports the memory available in the market.
For security reasons not allowed to write USB storage device .
Updates automatically, insert the USB memory without any operating.
Page 715
page 680
The control plane of the NE40E is separated from the data plane and the monitoring plane.
The SRU is adopted on the NE40E-X8. The SRU integrates an SFU used for data switching.
The following USB interface attributes are supported by SRU:
Supports the biggest USB fat32 format, and supports the memory available in the
market.
For security reasons not allowed to write USB storage device .
Updates automatically, insert the USB memory without any operating.
Page 716
page 681
The MPU of the NE40E-X3 controls and manages the system and switches data. The MPUs
work in 1+1 backup mode. The MPU consists of the main control unit, switching unit, system
clock unit, synchronous clock unit, and system maintenance unit. The functions of the MPU are
described from the following aspects.
Page 717
page 682
A switching network is a key component of the NE40E and is responsible for switching data
between LPUs.
Page 718
page 683
Page 719
page 684
Page 720
page 685
As shown in the figure, the Packet Forwarding Engine (PFE) adopts a Network Processor (NP) or
an Application Specific Integrated Circuit (ASIC) to implement high-speed packet routing.
External memory types include Static Random Access Memory (SRAM), Dynamic Random
Access Memory (DRAM), and Net Search Engine (NSE). The SRAM stores forwarding entries; the
DRAM stores packets; the NSE performs non-linear searching.
Data forwarding processes can be divided into upstream and downstream processes based on
the direction of the data flow.
Upstream process: The Physical Interface Card (PIC) encapsulates packets to frames and then
sends them to the PFE. On the PFE of the inbound interface, the system decapsulates the
frames and identifies the packet types. It then classifies traffic according to the QoS
configurations on the inbound interface. After traffic classification, the system searches the
Forwarding Information Base (FIB) for the outbound interfaces and next hops of packets to be
forwarded. To forward an IPv4 unicast packet, for instance, the system searches the FIB for the
outbound interface and next hop according to the destination IP address of the packet. Finally,
the system sends the packets containing information about outbound interfaces and next hops
to the traffic management (TM) module.
Downstream process: Information about packet types that have been identified in the upstream
process and about the outbound interfaces is encapsulated through the link layer protocol and
the packets are stored in corresponding queues for transmission. If an IPv4 packet whose
outbound interface is an Ethernet interface, the system needs to obtain the MAC address of the
next hop. Outgoing traffic is then classified according to the QoS configurations on the
outbound interfaces. Finally, the system encapsulates the packets with new Layer 2 headers on
the outbound interfaces and sends them to the PIC.
Page 721
page 686
Page 722
page 687
Page 723
page 688
Page 724
page 689
Page 725
page 690
Page 726
page 691
The NE40E supports entire HQoS solutions, HUAWE is the only vendor that supports HQoS,
DS-TE and MPLS HQoS, the other vendors support one or two. Thus, HUAWEI can provide
a entire HQoS solution to meet kinds of scenarios of carrier-class services.
Page 727
page 692
Page 728
page 693
The main scenario of NE40E Router: Campus and IDC interconnection, Large branch
access, Key nodes of WAN.
Page 729
page 694
Page 730
page 695
What is the difference between the control planes of NE40E-X8 and NE40E-X16?
The control plane of the NE40E-X8 is separated from the data plane and the monitoring
plane. The SRU is adopted on the NE40E-X8. The SRU integrates an SFU used for data
switching.
The control plane of the NE40-X16 is MPU, on which doesnt integrate SFU.
What is the difference between the SFUs of NE40E-X8 and NE40E-X16?
The SFU on the NE40E-X8 switches data for the entire system at wire speed of 480
Gbit/s (240 Gbit/s for the upstream traffic and 240 Gbit/s for the downstream traffic).
This ensures a non-blocking switching network. The NE40E-X8 has three SFUs working
in 2+1 load balancing mode. The entire system provides a switching capacity at wire
speed of 1.44 Tbit/s. The three SFUs load balance services at the same time. When one
SFU is faulty or replaced, the other two SFUs automatically take over its tasks to ensure
normal running of services.
The SFU on the NE40E-X16 switches data for the entire system at wire speed of 640
Gbit/s (320 Gbit/s for the upstream traffic and 320 Gbit/s for the downstream traffic).
This ensures a non-blocking switching network. The NE40E-X16 has four SFUs working
in 3+1 load balancing mode. The entire system provides a switching capacity at wire
speed of 2.56 Tbit/s. The four SFUs load balance services at the same time. When one
SFU is faulty or replaced, the other three SFUs automatically take over its tasks to ensure
normal running of services.
Page 731
page 696

HCDA v1.6 en

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

HCDA v1.6 en

Enviado por

Direitos autorais:

Formatos disponíveis

HCDA-HNTD

HC Series HUAWEI TECHNOLOGIES 1

The version is VRPV5R1B12D054.

====== Saved configuration line 31 ======

150 "D:\system\vrp.cc" file ready to send (5805100 bytes) in IMAGE / Binary

Você também pode gostar