Table of Contents

Theoretical Training
 Entry Training
 Intermediate Training
  Advanced Enterprise Solutions (Overview)
  Link Aggregation
  VLAN (Virtual Local Area Network) Principles
  GARP and GVRP
  VLAN Routing
  Wireless LAN Overview
  Principle and Configuration of HDLC and PPP
  Frame Relay Principles
  Principle and Configuration of PPPoE (Point-to-Point over Ethernet)
  Network Address Translation (NAT)
  Establishing Enterprise Radio Access Network Solutions
  Access Control Lists (ACL)
  AAA (Authentication, Accounting, Authorisation)
  Securing Data with IPSec VPN
  Generic Routing Encapsulation (GRE)
  Simple Network Management Protocol (SNMP)
  eSight Network Management Solutions (Huawei solution)
  Introducing IPv6 Networks
  IPv6 Routing Technologies
  IPv6 Application Services: DHCPv6
Practical Training
 Entry Training
 Intermediate Training
Lessons from the mock exams
 Multiple choice section

Theoretical Training

Entry Training

Point-to-point network: wired or wireless, RJ-45 cable.

Network cables
Coaxial:
-10Base2: maximum transmission distance 185m
-10Base5: maximum 500m
Use bridges, boosters or repeaters to extend the distance; beyond that, use fibre optics.
Ethernet (all 100m):
-10Base-T
-100Base-TX
-1000Base-T: 4 pairs of category 5e twisted pair cable, supports 1 GHz transmission speed
Fibre optic:
-10Base-F: distance of 2000m, 10 Mbps
-100Base-FX: 100 Mbps
-1000Base-LX: 316-50000m, 1 Gbps, single-mode, does not work simultaneously
-1000Base-SX: multi-mode, supports simultaneous transmission
Serial:
-RS-232: 20000 bps
-RS-422 (recommended): 1200m

Broadcast domain: sending to multiple devices from one place.
Collision domain: the part of a network where packets collide.
-Carrier Sense Multiple Access with Collision Detection or Collision Avoidance (CSMA/CD, CSMA/CA): tells you when not to send a packet.
Duplex modes (with respect to point-to-point networks):
-Half duplex: you can only send or receive.
-Full duplex: you can send and receive at the same time, acting as server and client simultaneously.

Layered models: OSI
Encryption: provides protection over the network to mitigate hacking; requires a key.
Application layer (protocol data units) and presentation layer are unformatted.
Physical layer: bits on cables, 0/1.
Data link layer: frame, MAC address.
Network layer: packet, network address.
Transport layer: segments (TCP/IP).
Session layer.
The sender works top to bottom, the receiver bottom to top: application, presentation, session, transport, network, data link, physical.

Frame formats
-Type/length field >= 1536 (0x0600): Ethernet II
-Type/length field <= 1500 (0x05DC): IEEE 802.3
Frame check sequence: checks whether the frame is complete or fragmented.
A packet is 1500/1536 bytes.
Type values: 2048 (0x0800) IP; 2054 (0x0806) ARP.
MAC addresses are 48 bits (24 bits OUI and 24 bits assigned by the organisation).
Huawei addresses are (
Broadcast packet: FF:FF:FF:FF:FF:FF
Multicast: packets sent to unintended devices are dropped.
Carrier sense: carrier sense multiple access... packets can be dropped, received or resent.

Layer 2: only a switch and the end device are needed. A switch can establish a connection with MAC addresses alone.

Network layer: IP packet (0x0800), length 60 bytes, source and destination. Time to live counts 255 down to 0; the packet is dropped when it reaches 0.
IP addresses (private addresses):
-Class A: 10.0.0.0 ~ 10.255.255.255 (10 = network), multiple hosts. Check the range of the first number; /8
-Class B: /16
-Class C: 192.0.0.0 - 223.0.0.2, for smaller networks; /24
-Class D
-Class E: 240.-255.255.244.254, experimental
Private IP addresses are not linked to the internet. E.g. Class C 192.168.1.0.
Network 6: first binary switch 0110. Network range / IP addresses: VLSM or classless inter-domain routing.
IP gateway: gives us access to the.
Time to live: if the packet gets to an unintended destination.

Internet Control Message Protocol (ICMP): reporting errors; routing tests for compatibility. Broadcast messages as unicast, for unknown intended devices. Investigating unreachable devices.
ICMP types:
-Echo request: type=8, code=0, multicast
-Echo reply: type=0, code=0, unicast
Every link is counted as a hop and adds to the time required to send a message.

Address Resolution Protocol (ARP): broadcast request, unicast reply. Reverse ARP operates at layer 3. Proxy ARP takes longer because of connecting through the proxy gateway.

TCP: wired networks, congestion control, monitoring packets. Three-way handshake, security and sharing of certificates. TCP is the best for safety.
UDP: does no flow control and no three-way handshake. Companies usually use it on the wireless network.
The wireless access point is linked to the wired connection so that monitoring occurs on the main router, called traceback.
Logs are maintained according to MAC address, which is constant per device.
Data forwarding scenarios: ARP to get the MAC address.
VRP (Versatile Routing Platform). Multiple collisions.
Establishing connectivity to the switch or router: remotely (Telnet), or physically via mini USB/console.
Console access setup procedure:
-Bits per second: 9600
-Data bits: 8
-Parity: none
-Stop bits: 1
-Flow control: none
Correct usage: COM3. Not recommended to autoconfigure.
Navigating the CLI: clock settings.
CLI interfaces: allow remote access. VTY (virtual teletype terminal) 0-4, five sessions; can be changed.
CLI interface configuration: loopback? Assign IP addresses.
Viewing the file system / updating the software: cd, pwd, dir, more. To reboot, type reboot.

Spanning Tree Protocol (STP)
There is one root bridge and, following from there, non-root (downstream) bridges. Redundancy is recommended, however it can cause broadcast storms and MAC instability, so the Spanning Tree Protocol was introduced to send packets along the shortest path.
-Bridge ID (bridge priority and MAC address): a BPDU packet is sent to the switches, returning the bridge priority and MAC address. Only if the bridge IDs are the same are path costs used to determine the shortest path according to the cable speed. The smallest bridge ID is elected as the root bridge: the highest priority is the election criterion, and the MAC address is the determinant.
BPDUs (Bridge Protocol Data Units) through STP for bridges and switches:
-We are trying to control the management of data to avoid loops and broadcast storms. The bridge facilitates communication.
-BPDU: a communication from the root to downstream switches to avoid loops.
-TCN BPDU: goes from downstream bridges to the upstream root to better understand the topology of the tree. A status call; these notifications update the tree hierarchy.
Hello time: every 2 seconds. The TCN BPDU refreshes/responds every 30 seconds.
-This is done to mitigate loops and broadcast storms.
-Criteria to select the root bridge: MAC address and lowest bit. Packets exist for 20 seconds.
-Path cost standards (faster and shortest data transmission):
 • 10 Mbps: path cost 1999
 • 100 Mbps: path cost 199
 • 1 Gbps: path cost 20
 • 10 Gbps: path cost 2
Finally use the port ID if the path costs are equal.
-Root port: from a designated port to downstream.
-Designated port: touching/attached to the root bridge.
-Alternate port: not a designated or root port.
Root path cost: used to determine the shortest loop-free path. The root bridge path cost is always 0. The highest port identifier (the lowest port number) is the port assigned as the root port, with other ports defaulting to the alternate port role.
To propagate a Hello timer (2 seconds), the upstream will propagate over 1 second. The max age timer by default represents a period of 20 seconds.
Summary: root election process, port role establishment process, port state transition.
Root failure: when a switch is down it cannot send BPDUs, so the switches re-establish the root bridge through STP.
Indirect link failure: if the port is down, the port table is relabelled. The alternate port is renamed as a designated port, as it cannot be communicated with any other way in this circumstance. Full recovery of the STP topology occurs after approximately 50 seconds.
Direct root failure.
Topology change: MAC instability in a converging spanning tree network; a MAC address black hole is created.
Port transition states: disabled, blocking and listening do not send.
STP modes: to further mitigate loops, the switches are not all in the same mode and must be configured by the technician:
-mstp (multiple)
-rstp (rapid)
-stp
STP priority: integers between 0 and 61440 in increments of 4096 (16 increments), default value 32768.
If the legacy STP standard is used, the path cost ranges from 1 to 200000.
If the IEEE 802.1D standard is used, the path cost ranges from 1 to 65535.
If the IEEE 802.1t standard is used, the path cost ranges from 1 to 200000000.
All root bridges must be designated. Root protection only applies while the port is not an edge port, or when loop protection is enabled.
When a link fails: bridge ID, path cost, port ID comparison. If a link fails, update the MAC address table.

RSTP (Rapid Spanning Tree Protocol)
Improvement on STP; backup STP.
STP weaknesses: ensures a loop-free network, however topology changes are slow to converge. Convergence timers (30-50 seconds). Regular service interruptions.
RSTP employs a proposal and agreement process which allows immediate negotiation of links, effectively removing the time taken for convergence timers to expire before spanning tree convergence can occur. Proposal and agreement: immediate negotiation. Each downstream switch gradually learns of the true root bridge and the path via which the root bridge can be reached.
RSTP port roles: the backup port role is the backup path for the LAN segment in the direction leading away from the root bridge. An edge port directly connects to a terminal and nothing else, where redundant links exist.
RSTP edge ports: systems not participating in RSTP connect to the edge port. Edge ports do not receive BPDUs and instantly forward data.
Port states of RSTP, RST BPDU port role bits:
-00: unknown
-01: alternate/backup
-10: root port
-designated port
A static route would have to be reconfigured manually should the route fail. Only use a static route for small networks with few users.
The convergence of RSTP follows on from STP. There is an additional port on the LAN side, the edge port.
RST BPDU proposal: all designated ports. One is a superior BPDU. When the BPDU is sent it is not propagated downstream. The edge port is connected to the computer.
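The election described above (lowest bridge ID wins the root; each other bridge picks its root port by root path cost, then upstream bridge ID, then upstream port ID) as an added Python illustration, not course material. Bridge names, MACs and link costs are constructed sample data.

```python
"""STP root bridge / root port election, written as an added illustration of the
notes above (not course material).  Bridge ID = (priority, MAC); the lowest
wins.  Each other bridge then picks the port with the lowest
(root path cost, upstream bridge ID, upstream port ID) as its root port.
The topology, MACs and link costs below are constructed sample data."""

# Constructed bridges: name -> (priority, MAC).  Priority must be a multiple of
# 4096 in 0..61440; default 32768.  SWC has a higher MAC than SWA/SWB but a
# lower priority, so it wins the election: priority is compared first.
BRIDGES = {
    "SWA": (32768, "00:e0:fc:00:00:01"),
    "SWB": (32768, "00:e0:fc:00:00:02"),
    "SWC": (4096, "00:e0:fc:00:00:03"),
    "SWD": (32768, "00:e0:fc:00:00:04"),
}

# Constructed links: (bridge, port, bridge, port, path cost).
LINKS = [
    ("SWC", 1, "SWA", 1, 20),
    ("SWC", 2, "SWB", 1, 40),   # SWB: cost 40 direct vs 40 via SWA -> bridge ID tie-break
    ("SWA", 2, "SWB", 2, 20),
    ("SWA", 3, "SWD", 1, 20),   # two parallel links SWA-SWD: equal cost and bridge ID,
    ("SWA", 4, "SWD", 2, 20),   # so the upstream port ID decides
]


def bridge_id(priority, mac):
    """Numeric bridge ID tuple; lower sorts first, priority before MAC."""
    if not (0 <= priority <= 61440) or priority % 4096:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


def elect_root(bridges):
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_paths(bridges, links):
    """Return (root, best) where best[bridge] = (root path cost, upstream bridge ID,
    upstream port, local root port).  Repeated relaxation mirrors how STP
    converges by re-sending BPDUs until nothing better is learnt."""
    root = elect_root(bridges)
    best = {root: (0, bridge_id(*bridges[root]), 0, 0)}
    changed = True
    while changed:
        changed = False
        for a, pa, b, pb, cost in links:
            for up, up_port, down, down_port in ((a, pa, b, pb), (b, pb, a, pa)):
                if up not in best or down == root:
                    continue
                cand = (best[up][0] + cost, bridge_id(*bridges[up]), up_port, down_port)
                if down not in best or cand < best[down]:
                    best[down] = cand
                    changed = True
    return root, best


def port_roles(bridges, links):
    """Designated end of each link = lower (root path cost, bridge ID, port ID);
    the other end is the root port if it is that bridge's chosen one,
    otherwise an alternate port (blocked, keeping the topology loop-free)."""
    root, best = root_paths(bridges, links)
    roles = {}
    for a, pa, b, pb, _cost in links:
        key_a = (best[a][0], bridge_id(*bridges[a]), pa)
        key_b = (best[b][0], bridge_id(*bridges[b]), pb)
        des, des_port, other, other_port = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if best[other][3] == other_port else "alternate"
    return roles


if __name__ == "__main__":
    root, best = root_paths(BRIDGES, LINKS)
    print("root bridge:", root)
    for name in sorted(best):
        print(name, "root path cost", best[name][0], "root port", best[name][3])
    for (sw, port), role in sorted(port_roles(BRIDGES, LINKS).items()):
        print(f"{sw} port {port}: {role}")
```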
RST BPDU agreement, RSTP converged link: the downstream port is blocked and synchronisation occurs. RST BPDUs are sent back and forth.
Link/root failure: after not receiving three consecutive Hello intervals, the agreement process is reinitialised in order to discover port roles for the LAN segment. Link failure is noticed immediately and the address entries are flushed. An RST BPDU negotiates the port states as part of the proposal and agreement process; MAC addresses are dropped and updated. No waiting, part of the configuration settings.
When an STP-enabled device is added to an RSTP system it reverts to STP.
Network Management Station (NMS).
Edge ports that are shut down by the switch can be manually restarted only by the network administrator. The stp bpdu-protection command should be used to enable BPDU protection and is configured globally within the system view.

Distance Vector Routing Protocol (RIP)
Performance is slow. Hop count limit of 15. Loop prevention. RIP has 2 methods; carried over UDP.
-Authentication: RIP version 2 is recommended, default is version 1.
Metric.

OSPF
For 4 devices: request + acknowledgement x2, 10 seconds; 4 packets sent over 40 seconds is the limit.
Point-to-point: 10 second interval; 40 seconds to withdraw packets; 30 second interval.
The higher the priority the better the network: range 1-255 to select the designated and backup router. The higher the number the better the network. The higher the authorisation/priority on the router, the better the network.
OSPF metric: by default the metric is 10, which can be changed as per user preference; there can be an alternative. Cost = 10^8 / bandwidth.
OSPF tree: recommended; shortest path algorithm. OSPF areas for one domain, such as a university campus.
OSPF authentication: simply a password. OSPF silent interface: only receives updates.

DHCP
Dynamically assigns IP addresses to users.
Usually wireless. To assign an IP address:
-Manual: the administrator visits the machine and the IP address is assigned physically.
-Dynamic: assigned to specific machines.
-Dynamic: however, the address is reassigned regularly.
DHCP messages:
-DISCOVER: the client locates a DHCP server.
-OFFER: sent when an address is available.
-REQUEST: the client sends its request as a broadcast message; the reply is unicast.
Once a user/machine leaves, the IP address can be reassigned. Maximum of 24 hours usage of an IP address. A notification to renew is sent at 50% usage, down to the minute and second. Without the renewal message you can be disconnected.

FTP
Used to transfer files from the server to the client. VRP operating system. Both the client and server must use the same password, otherwise they cannot communicate with each other.
Two port numbers are used to exchange packets:
-20: data control/connections between client and server
-21: file transfer
Two transmission modes:
-ASCII mode for text
-Binary mode for pictures/images

Telnet (VTY, with a limit on login attempts)
Protocol to connect remotely to manage devices. Port 23.
Authentication modes:
-none: login without authentication
-AAA: AAA authentication
-password: password authentication
For some you can determine whether a change was made and by whom.

Basic knowledge of IP routing (routing packets)
-AS (Autonomous Systems): a clear method of sending the data. E.g. 2 LANs connected by a LAN: LAN A, LAN B, LAN C, where LAN C is the link between LAN A and LAN B.
Relying on the IP address, a router uses the routing table, compared to a switch which uses MAC addresses. Routers are responsible for routing decisions because of the routing table. All network nodes are included.
Routing protocols: RIPv1, RIPv2, ARP.
PRE: preference.
A router selects the best path based on the highest preference (smallest value):
-Direct = 0 (a direct link)
-OSPF = 10
-Static = 60
-RIP = 100
Router command: display. 10.1.1.0 = router A; the next hop is the next port, i.e. 20.1.1.2.
Routing decision by preference: select the lowest preference value; the protocol helps to decide.
Routing decision by metric/cost: within a protocol the decision maker is the metric.
Routing table forwarding requirements: inbound, the default gateway; outbound, to the internet or another network.

IP static routes (manual, stationary, fixed)
A static route is a unique, non-changing path; if it is unavailable or something changes, it is down. A static route can be assigned on serial links or on Ethernet (data link layer) links.
Configuring a static route on router B, giving the destination network (router A), the subnet mask and the next hop:
[RTB] ip route-static 192.168.1.0 255.255.255.0 10.0.12.1
Or with the outbound interface instead of the next hop:
[RTB] ip route-static 192.168.1.0 255.255.255.0 Serial 1/0/0
[RTB] ip route-static 192.168.1.0 24 Serial 1/0/0
Static route load balancing: more than one static route to a destination, which comes with additional cost (ISP).
Verifying static route load balancing:
[RTB] ip route-static 192.168.1.0 255.255.255.0 10.0.12.1
plus an equivalent second line for the second path.
[RTB] display ip routing-table
192.168.1.0/24 Static 60 0 RD 10.0.12.1 GigabitEthernet0/0/0
plus the second line.
Floating static route: check, but when a preference is assigned the route chosen might still be the one with the highest preference by default.
Default static route: a special case when the destination is unknown; works for any unassigned network:
[RTA] ip route-static 0.0.0.0 0.0.0.0 10.0.12.2
Preference of 60 by default; can reach anything. Verification:
[RTA] display ip routing-table
0.0.0.0/0 Static 60 0 RD 10.0.12.2 GigabitEthernet0/0/0

Distance vector routing with RIP, a dynamic routing protocol
Without a static route you are required to have a routing protocol populate the routing table.
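The route selection rules above (longest prefix match, then preference, then metric, with equal survivors load balanced and a floating static route taking over only when the primaries disappear) as an added Python illustration; this is not course code, and the routing table, next hops and interface names are constructed sample data.

```python
"""Route selection as described in the notes (added illustration, not course
code): longest prefix match first; among routes to the same prefix the lowest
preference wins (Direct 0, OSPF 10, Static 60, RIP 100), then the lowest
metric; equal survivors are all installed (load balancing).  The routing
table below is constructed sample data."""
import ipaddress
from dataclasses import dataclass

PREFERENCE = {"Direct": 0, "OSPF": 10, "Static": 60, "RIP": 100}


@dataclass(frozen=True)
class Route:
    dest: str                # prefix, e.g. "192.168.1.0/24"
    proto: str
    metric: int
    next_hop: str
    iface: str
    preference: int = None   # None -> protocol default

    @property
    def pref(self):
        return PREFERENCE[self.proto] if self.preference is None else self.preference


# Constructed table.  Two equal static routes to 192.168.1.0/24 load-balance;
# the third (preference 100) is a floating static route that only becomes
# active when both primaries are withdrawn.  192.168.2.0/24 is learnt from
# both OSPF and RIP: OSPF wins on preference even though RIP has a lower metric.
ROUTES = [
    Route("10.0.12.0/30", "Direct", 0, "10.0.12.2", "GigabitEthernet0/0/0"),
    Route("192.168.1.0/24", "Static", 0, "10.0.12.1", "GigabitEthernet0/0/0"),
    Route("192.168.1.0/24", "Static", 0, "10.0.13.1", "GigabitEthernet0/0/1"),
    Route("192.168.1.0/24", "Static", 0, "10.0.14.1", "GigabitEthernet0/0/2", preference=100),
    Route("192.168.2.0/24", "OSPF", 2, "10.0.12.1", "GigabitEthernet0/0/0"),
    Route("192.168.2.0/24", "RIP", 1, "10.0.13.1", "GigabitEthernet0/0/1"),
    Route("0.0.0.0/0", "Static", 0, "10.0.12.2", "GigabitEthernet0/0/0"),
]


def active_routes(routes):
    """Per prefix keep only the routes with the best (preference, metric)."""
    active = {}
    for r in routes:
        key = (r.pref, r.metric)
        best = active.setdefault(r.dest, [])
        if not best or key < (best[0].pref, best[0].metric):
            active[r.dest] = [r]
        elif key == (best[0].pref, best[0].metric):
            best.append(r)          # equal route: installed alongside (load balancing)
    return active


def lookup(routes, dst):
    """Longest prefix match over the active table; returns (next_hop, iface)
    pairs, more than one when traffic is load balanced."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, rs in active_routes(routes).items():
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rs)
    if best is None:
        return []
    return [(r.next_hop, r.iface) for r in best[1]]


def display_ip_routing_table(routes):
    """Lines in the style of the display ip routing-table output quoted above."""
    lines = []
    for dest, rs in sorted(active_routes(routes).items()):
        for r in rs:
            lines.append(f"{dest} {r.proto} {r.pref} {r.metric} RD {r.next_hop} {r.iface}")
    return lines


def withdraw(routes, next_hop):
    """Remove every route via a next hop that has gone down."""
    return [r for r in routes if r.next_hop != next_hop]


if __name__ == "__main__":
    print("\n".join(display_ip_routing_table(ROUTES)))
    print("192.168.1.10 ->", lookup(ROUTES, "192.168.1.10"))
    failed = withdraw(withdraw(ROUTES, "10.0.12.1"), "10.0.13.1")
    print("after both primaries fail ->", lookup(failed, "192.168.1.10"))
```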
Small organisations; simple to implement. RIP, based on the Bellman-Ford algorithm, operates as an interior gateway protocol.
Principle behaviour: route advertisements are sent periodically and only carry the best route information. The metric number is important: a hop limit of 15 hops prevents infinite forwarding/loops, and each hop represents a metric of 1. When a network fails the next best route might have loops; the routers learn among themselves. The metric cap can be changed.
Loop prevention – split horizon: a route learnt on an interface cannot be advertised out of the same interface, to prevent loops. Enabled by default except on NBMA.
Loop prevention – poisoned reverse: has additional overhead; the routing message size is increased because of advanced notifications as the routing table is updated. Allows erroneous routes to be timed out instantaneously. On the Huawei AR2200 series router split horizon and poisoned reverse cannot be applied at the same time; poisoned reverse is preferred and enabled.
Loop prevention – triggered update: updates of the routing table are sent periodically.
RIP extension authentication (RIPv2): additional security features. Process of security comparison; malicious packets are filtered. Plaintext is not completely secure. If the router is not configured for RIP version 2 authentication it reverts to RIP version 1 and discards authenticated RIPv2 messages.
RIP load balancing: in case of a link being down.
RIP network advertisement:
[RTA] rip
[RTA-rip-1] version 2
[RTA-rip-1] network 10.0.0.0
RIP metricin/metricout: supports manipulation of metrics. Metricin: the change takes effect. Metricout: changes do not apply.
[RTC] interface GigabitEthernet 0/0/0
[RTC-GigabitEthernet0/0/0] rip metricin 2
RIP output: outbound interface. RIP input: inbound interface.
[RTA-GigabitEthernet0/0/0] undo rip output
Restricts advertisement: update messages cease to be forwarded out of the given interface.
Usable where an enterprise does not want to share its internal routes with an external network via the interface.
[RTA-rip-1] silent-interface GigabitEthernet 0/0/1
Receives updates but sends no advertisements.

OSPF (Open Shortest Path First)
Minimal routing traffic, rapid convergence, scalable, accurate route metrics.
Configured on Ethernet; configured on serial but defaulted to point-to-point type; configured as High-level Data Link Control (HDLC), data link layer of the OSI model; IP address on the network layer.
OSPF can operate on a multi-access network that does not support broadcast. Designated Routers are used on NBMA (non-broadcast multi-access) networks and act as an access point, with backup routers (neighbour (not the BDR, backup designated router) or adjacent (linked to the neighbour)).
Link state establishment: each router transitions between neighbour and adjacent state. Each router, according to its LSAs, has its own unique LSDB.
DR election process: priority set at 1. A priority of 0 does not participate in the election. The highest priority becomes the Designated Router (sends advertisements for efficiency).
Cost metric formula: 10^8 / bandwidth. By using the bandwidth, the metric accuracy is improved.
A link state protocol uses LSAs (link state advertisements); the LSA information is saved in the LSDB (link state database) on the routing table.
The Router ID is a 32-bit value used to identify each router running OSPF. If a logical interface has been configured, the Router ID is the highest configured logical interface IP address.
OSPF areas – single area: as the network grows, Area 0 is recommended but others can be assigned.
Multi-area: allows OSPF to compartmentalise based on a link state database that is identical within an area, while granting information on destinations throughout the OSPF domain.
Default process ID 1. Selects the lowest Router ID.
[RTA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
The network to be advertised.
OSPF authentication: once advertisement is concluded, security can be incorporated:
[RTA-GigabitEthernet0/0/0] ospf authentication-mode md5 1 huawei
OSPF silent interface: prevents an interface from forming neighbour relationships with peers (sharing its routing table).
DR and BDR use the multicast address 224.0.0.6.

DHCP address acquisition: Discover (broadcast), Offer (unicast), Request (broadcast), ACK (unicast). DHCP lease renewal request (unicast).
DHCP interface pool configuration:
dhcp select interface
dhcp server dns-list 10.1.1.2
dhcp server excluded-ip-address 10.1.1.2
*** Exclude the IP address of the DNS server. Also exclude the gateway IP address, as it is used by everyone as the entry point.
DHCP global pool configuration:
dhcp enable
[Huawei-ip-pool-pool2] network 10.2.2.0 mask 24
[Huawei-ip-pool-pool2] gateway-list 10.2.2.1
[Huawei-ip-pool-pool2] lease day 1
[Huawei-ip-pool-pool2] quit
[Huawei-GigabitEthernet0/0/1] dhcp select global

FTP protocol: sending files, e.g. updating the operating system.
Telnet protocol principle: remote access for large organisations. Security: SSH. Telnet client and Telnet server. Password on vty 0 4.

Gateway vs next hop (address)
Switches have a gateway only if they are layer 3, separating full access from private access. On a router, its port is assigned an IP address. Default gateway: the IP address "door" taking you from one subnet to another. Layer 2 switches are not gateways: they use MAC addresses and are on the same LAN. VLANs isolate into sub-interfaces (data link layer). The next hop is a link from a specific device to another port.

Intermediate Training

Huawei enterprise solutions for performance, scalability, reliability, security and management.

Advanced Enterprise Solutions (Overview)
Expanding enterprise networks. Telecoms solutions for enterprise networks. Enterprise network efficiency. Enterprise network security: network and application. Enterprise network management: monitoring through eSight; remotely, such as with Wireshark.
Next generation enterprise networks: private, public and hybrid cloud.

Link Aggregation
Optimising the throughput of data, link aggregation enables the binding of multiple physical interfaces into a single logical pipe (performance, scalability, reliability). Link aggregation provides increased bandwidth, enhanced reliability and support for load balancing.
Application in the enterprise network: where demand for data transmission is highest; the point of departure to a foreign destination.
Link aggregation modes: LACP on a link aggregation. Data flow control: speed 1000.
Frames with the same source MAC address are transmitted over the same physical link. Frames with the same destination... …
L2 link aggregation configuration. L3 link aggregation configuration: transition the trunk from layer 2 to layer 3 with undo portswitch, then an IP address can be assigned to the interface.
Displaying aggregation: …

VLAN (Virtual Local Area Network) Principles
For safety, put it on a separate VLAN. Manage a large network by dividing it into subnetworks; this improves manageability.
LAN limitation. VLAN technology enables logical isolation of network traffic at the data link layer; VLANs are created on switches, the same OSI layer as switches.
VLAN frame format: the VLAN tag contains the Tag Protocol Identifier (TPID), the IEEE 802.1Q tag format, and the Tag Control Information (TCI) carrying the data. The Priority Code Point (PCP) is a traffic classification field used to differentiate forms of traffic, such as voice, video, data, etc. It is a 3-bit value (0-7), understood as general 802.1Q class of service (CoS). The Drop Eligibility Indicator (DEI) is a true/false bit that determines eligibility to discard the frame.
Link types:
-Trunk: backbone for the transmission of VLAN traffic; between switches.
-Access: between an end system and a switch device participating in VLAN tagging.
Port VLAN ID: each interface has a default VLAN, recognised as the Port VLAN ID (PVID). This determines the behaviour applied to any frames being received or transmitted.
Port types – access: access ports are associated with access links, and frames transmitted from an interface are assigned a VLAN tag equal to the PVID. If a tag and the PVID differ, the frame is not forwarded and is discarded. An untagged frame is forwarded to the switch interface and on to all other destinations.
Port types – trunk: decides what is transmitted. Trunk ports are associated with trunk links; the PVID identifies VLAN frames required to carry a VLAN tag before forwarding. If a frame matches the PVID it can travel untagged, otherwise the VLAN tag must be included.
Port types – hybrid: hybrid ports are either tagged or untagged; VLAN communication is managed port by port. A trunk port is not connected to a machine but to a switch. Hybrid ports are the default for Huawei devices. If tagged, the PVID allows it to travel; if untagged, it must be in the access area to be transmitted; on the trunk it must be tagged to travel. A tag must be added by the port which received an untagged frame from an end system. Hybrid ports: tags corresponding to a PVID.
VLAN assignment methods:
-Port based, e.g. G0/0, G0/0/7
-MAC address based, e.g. 00:01:02:03:04:AA
-IP subnet based, e.g. 10.0.0.1
-Protocol based, e.g. IP, IPX
-Policy based, e.g. 10.0.1, G0/0/7, 00:01:02:04:AA
Creating a VLAN: VLAN range 1-4094. vlan batch (each host). All ports are associated with VLAN 1 by default.
Setting the port link type: 0/0/1 the layer for trunks: tagged; 0/0/5 trunk; access: untagged. All Huawei switches are hybrid. Look at the image for the switch.
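The access, trunk and hybrid port rules above (untagged frames take the PVID; an access port drops tags that differ from its PVID; a trunk passes only allowed VLANs and strips the tag for its PVID; a hybrid port has separate untagged and tagged VLAN sets) as an added Python illustration, not course code; the switch configuration and the frames are constructed sample data.

```python
"""Access, trunk and hybrid port handling of tagged/untagged frames, as an
added Python illustration of the PVID rules in the notes above (not course
code).  The switch configuration and frames are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    link_type: str                       # "access", "trunk" or "hybrid"
    pvid: int = 1
    allow: frozenset = frozenset({1})    # trunk: VLANs allowed to pass
    untagged: frozenset = frozenset()    # hybrid: VLANs sent without a tag
    tagged: frozenset = frozenset()      # hybrid: VLANs sent with a tag


@dataclass
class Frame:
    src: str
    dst: str
    vid: int = None                      # None = untagged


def ingress(port, frame):
    """Classify a received frame into a VLAN; None means the port discards it."""
    vid = port.pvid if frame.vid is None else frame.vid   # untagged -> PVID applied
    if port.link_type == "access":
        # an access port only carries its PVID; a tag that differs is dropped
        return vid if vid == port.pvid else None
    if port.link_type == "trunk":
        return vid if vid in port.allow else None
    if port.link_type == "hybrid":
        return vid if vid in port.untagged | port.tagged else None
    raise ValueError(port.link_type)


def egress(port, vid, frame):
    """Return the frame as it leaves this port (tagged or untagged), or None."""
    if port.link_type == "access":
        return Frame(frame.src, frame.dst, None) if vid == port.pvid else None
    if port.link_type == "trunk":
        if vid not in port.allow:
            return None
        return Frame(frame.src, frame.dst, None if vid == port.pvid else vid)
    if vid in port.untagged:
        return Frame(frame.src, frame.dst, None)
    if vid in port.tagged:
        return Frame(frame.src, frame.dst, vid)
    return None


def forward(ports, in_name, frame):
    """Flood an unknown-destination frame to every other port in its VLAN;
    returns {port name: frame as transmitted}.  Ports in other VLANs never
    see it, which is the isolation the notes describe."""
    port_map = {p.name: p for p in ports}
    vid = ingress(port_map[in_name], frame)
    if vid is None:
        return {}
    out = {}
    for p in ports:
        if p.name == in_name:
            continue
        f = egress(p, vid, frame)
        if f is not None:
            out[p.name] = f
    return out


# Constructed switch: two access ports in VLANs 2 and 3, a trunk carrying
# both (its PVID 1 travels untagged) and a hybrid port untagged in 2, tagged in 3.
SWITCH = [
    Port("GE0/0/1", "access", pvid=2),
    Port("GE0/0/2", "access", pvid=3),
    Port("GE0/0/5", "trunk", pvid=1, allow=frozenset({1, 2, 3})),
    Port("GE0/0/7", "hybrid", pvid=2, untagged=frozenset({2}), tagged=frozenset({3})),
]

if __name__ == "__main__":
    for name, f in forward(SWITCH, "GE0/0/1", Frame("host-a", "broadcast")).items():
        print(name, "sends VLAN tag", f.vid)
```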
Creating VLANs:
vlan <ID>
port <location>
port link-type <access|trunk>
Forwarding over the trunk:
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 2 3     # forwarding over the trunk
Access untagged, link down (inactive), as it is unspecified. Access untagged, link up (active), specified: it was added to the trunk.
Configuring a hybrid port: [SWA-GigabitEthernet0/0/5] ...
Voice VLAN application:
voice-vlan 2 enable     (required)
voice-vlan mode auto     whether to add the port or not
voice-vlan mac-address <mac-address>
Associated with the voice VLAN based on the Organisationally Unique Identifier (OUI).

GARP and GVRP
The VLANs organise themselves as though they were routers (network layer); this is however the data link layer 2.
Generic Attribute Registration Protocol (GARP): an architecture for the registration, deregistration and propagation of attributes between switches, for implementation and removal. GARP is employed by GVRP (the shell and the virtual machine). PDUs (Protocol Data Units) are sent by GARP to the multicast MAC address 01-20-C2-00-00-21.
Events between switches:
0: LeaveAll event
1: JoinEmpty event
2: JoinIn event
3: LeaveEmpty event
4: LeaveIn event
5: Empty event
Attribute events – Join message: allows the device to join the attributes. Either JoinEmpty (unregistered) or JoinIn (declares a registered attribute).
Attribute events – Leave message: trying to deregister what has been registered. LeaveIn; LeaveEmpty.
Attribute events – LeaveAll message.
GVRP registration modes. VLAN types: static (manually registered) and dynamic (automatically registered). Registration modes:
-Fixed: only sends declarations; static registration.
-Normal: permits static and dynamic VLANs.
-Forbidden: the GVRP interface is disabled from dynamically registering and deregistering VLANs, except for VLAN 1 (default on Huawei routers).
Enabling GVRP: the gvrp command is used to enable GVRP once the interface has been configured to operate as part of a VLAN.
port trunk allow-pass vlan all
gvrp registration fixed|normal
[SWA] display gvrp status
… "GVRP is enabled"

VLAN Routing
VLAN disadvantages: forbidden access. VLAN routing: VLAN frames are routed over a trunk link for port conservation. VLAN routing features 2 IP addresses, however one IP address is virtual (a sub-interface).
VLAN routing configuration:
[SWA] vlan batch 2 3
[SWA] port link-type access
[SWA] port trunk allow-pass vlan all
[RTA] interface GigabitEthernet0/0/1.1     (creating the sub-interface)
[RTA-GigabitEthernet0/0/1.1] dot1q termination vid 2
The port receiving the VLAN packet removes the VLAN tag from the frame and forwards the packet via layer 3 routing.
[RTA-GigabitEthernet0/0/1.1] arp broadcast enable
Applied to each logical interface; if it remains disabled on the sub-interface the router will discard packets!!
*** Learn the sequence of all commands ***
L3 switch based VLAN routing: VLANIF (VLAN interfaces) are used by each VLAN as a route gateway. Benefit over a router: forwarding VLAN traffic with minimum delay, known as line-speed forwarding. VLAN gateway assigned.

Wireless LAN Overview
Development of WLAN; Wireless Local Area Network evolution from the fixed network:
-802.11a/b: 54 Mbps, 2.4 GHz
-802.11n: 600 Mbps, 2.4-5 GHz
-802.11ac: > 1 Gbps, 5 GHz
BYOD. Wireless coverage. Wireless LAN solutions. Wireless LAN security.

Principle and Configuration of HDLC and PPP
Point-to-point: data link layer 2. Frame Relay: data link layer 2. HDLC: data link layer 2.
Serial signalling: connect via Ethernet or serial link; synchronous access or asynchronous access. The HDLC (High-level Data Link Control) protocol supports both.
Basic configuration of HDLC:
[RTA] interface Serial 1/0/0
[RTA-Serial1/0/0] link-protocol hdlc
[RTA-Serial1/0/0] ip address 10.0.1.1 30
Assigning unnumbered addresses in HDLC: IP addresses can be borrowed from other interfaces in order to establish connectivity, i.e. Eduroam; ISPs provide links occasionally.
Config validation
[RTA]display ip interface brief

PPP Protocol
Application: a multiprotocol standard used, as with HDLC, to define the link layer operation over a serial medium. Encapsulates and transmits network layer packets over point-to-point (P2P), full-duplex synchronous and asynchronous links. Built on the Serial Line Internet Protocol (SLIP).
Frame relay (FR) only supports synchronous links – such as with banks that are standalone.

Components of PPP
PPP encapsulation method: ....
Link Control Protocol: ...
Network Control Protocol: ....
PPP frame: LCP packets, NCP packets...

Packet types used in LCP negotiation
Configure-Request
Configure-Acknowledgement
Configure-Nak: unaccepted configuration options
Configure-Reject

Common link parameters of LCP negotiation
Maximum Receive Unit
Authentication protocol
Magic Number

PPP Basic Configuration
[RTA]interface Serial0/0/0
[RTA-Serial0/0/0]link-protocol ppp

PPP Authentication Mode – PAP
PPP Authentication Mode – CHAP (Challenge Handshake Authentication Protocol)

Configuring PAP Authentication
Less secure than CHAP (encryption based) as it is plaintext.
[RTA]aaa
[RTA-aaa]local-user huawei password cipher huawei123
AAA: Authentication, Acknowledge

Frame Relay Principles
Frame relay networks comprise Data Terminal Equipment (DTE) and Data Circuit-terminating Equipment (DCE). DTE is at the edge of the customer network.

LMI Negotiation Process
Using the LMI protocol, one link can negotiate with the frame relay switch.

Inverse ARP Negotiation Process
Main function: to resolve the IP address of the remote device that is connected to every virtual circuit (VC). If the protocol address of the remote device connected to the VC is known, the mapping between the remote protocol address and the DLCI can be created on the local end, which avoids configuring the address mapping manually.

Frame Relay & Split Horizon
Split horizon: prevents data received on an interface from being forwarded out of the same physical interface.
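To make the PAP versus CHAP point above concrete, here is an added example (not Huawei code and not from the original notes) that runs both exchanges and shows what each one puts on the link. The user name and password mirror the local-user entry in the notes, the challenge bytes are constructed, and the packet layouts are simplified to the fields that matter for the comparison.

```python
"""Added example (not Huawei code): a PAP exchange beside a CHAP exchange, to
show what each places on the wire. 'huawei' / 'huawei123' mirrors the local-user
entry in the notes; challenge values are constructed."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed authenticator database (what 'local-user ... password cipher' stores).
LOCAL_USERS = {"huawei": b"huawei123"}

Packet = Tuple[str, bytes]   # (packet name, bytes as they travel over the link)


def pap_exchange(user: str, password: bytes) -> Tuple[List[Packet], str]:
    """PAP: Authenticate-Request carries the password in clear; reply is Ack or Nak."""
    request = user.encode() + b"\x00" + password
    ok = hmac.compare_digest(LOCAL_USERS.get(user, b""), password)
    return [("Authenticate-Request", request)], "Authenticate-Ack" if ok else "Authenticate-Nak"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_exchange(user: str, secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[List[Packet], str]:
    """CHAP: Challenge -> Response -> Success/Failure; the secret itself is never sent."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, secret, challenge)                       # peer side
    expected = chap_response(identifier, LOCAL_USERS.get(user, b""), challenge)   # authenticator side
    ok = user in LOCAL_USERS and hmac.compare_digest(response, expected)
    packets = [("Challenge", bytes([identifier]) + challenge),
               ("Response", bytes([identifier]) + response + user.encode())]
    return packets, "Success" if ok else "Failure"


def secret_on_wire(packets: List[Packet], secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any packet (the PAP weakness)."""
    return any(secret in data for _, data in packets)


if __name__ == "__main__":
    pap_packets, pap_result = pap_exchange("huawei", b"huawei123")
    chap_packets, chap_result = chap_exchange("huawei", b"huawei123")
    print("PAP:", pap_result, "secret visible:", secret_on_wire(pap_packets, b"huawei123"))
    print("CHAP:", chap_result, "secret visible:", secret_on_wire(chap_packets, b"huawei123"))
```

Because the CHAP response is bound to a fresh challenge, a captured Response is of no use for a later link; the PAP request, by contrast, is the credential itself. The secret must still exist in clear on both routers, which is why the notes require the same user name and password on both ends.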
Frame Relay Sub-interfaces
Apply a logical sub-interface to a single physical interface. Two types:
Point-to-Point: connects a single remote device. The peer address is identified.
Point-to-Multipoint: used to connect multiple remote devices; each PVC will map the protocol address of its connected remote device. Different PVCs can reach different remote devices. The address mapping must be configured manually, or dynamically set up through the Inverse Address Resolution Protocol (InARP).

Frame Relay Config – Dynamic Mapping
You need InARP (Inverse Address Resolution Protocol) and a link layer protocol type. The interface on the customer side must be DTE on the edge; this is the default on Huawei ARG3 series routers. To allow the dynamic mapping to occur the fr inarp command is applied. ***See syntax***
Using fr inarp it is possible to discover all permanent virtual circuits (PVCs) associated with the local interface.

Frame Relay Configuration – Static Mapping
The fr map ip dest-addr [mask] dlci-number command configures a static mapping by associating the protocol address. This config helps upper layer protocols locate a peer device based on the protocol address of the peer device. READ rules. Need the DLCI number. Simple methods to transmit and exchange data.

Principle and Configuration of PPPoE (Point-to-Point over Ethernet)
Fibre is possible. Digital Subscriber Lines: old tech, dial-up, BRAS (Broadband Remote Access Server).
PPPoE Application in DSL
No security, no authentication.
PPPoE Protocol Packets:
PADI: Active Discovery Initiation packet
PADO: Active Discovery Offer packet
PADR: Active Discovery Request packet
PADS: Active Discovery Session-confirmation packet
PADT: Active Discovery Terminate packet
PADI, PADO and PADR are needed to open a connection; PADT closes the connection.

PPPoE Session Establishment Protocol
PADI is sent to all to determine who needs the data. PADO is sent back; if no response is received, PADR is sent to the relevant address. PADS: the session is open. PADT: the session is over; terminate the session.

Configuring a PPP Dialer Interface
Old reliable.
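The PADI/PADO/PADR/PADS/PADT exchange above, worked through as an added example (not Huawei code and not from the original notes): it builds and parses PPPoE discovery packets in the RFC 2516 layout (6-byte header, TLV tags) and walks the five steps. The access concentrator name, AC-Cookie and Host-Uniq values are constructed; the parser also rejects the malformed packets a receiver would have to cope with on an open Ethernet segment.

```python
"""Added example (not Huawei code): build and parse PPPoE discovery packets
(RFC 2516 layout) and walk the PADI/PADO/PADR/PADS/PADT exchange from the notes.
The AC name, cookie and Host-Uniq values are constructed."""
import struct
from typing import Dict, List, Tuple

VERTYPE = 0x11                     # version 1, type 1
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
NAMES = {v: k for k, v in CODES.items()}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104

Tag = Tuple[int, bytes]


def build(code: str, session_id: int, tags: List[Tag]) -> bytes:
    """Serialise a discovery packet: 6-byte header followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VERTYPE, NAMES[code], session_id, len(payload)) + payload


def parse(pkt: bytes) -> Dict:
    """Parse a discovery packet, rejecting bad headers, truncation and overrunning tags."""
    if len(pkt) < 6:
        raise ValueError("short header")
    vertype, code, session_id, length = struct.unpack("!BBHH", pkt[:6])
    if vertype != VERTYPE or code not in CODES:
        raise ValueError("not a PPPoE discovery packet")
    if len(pkt) - 6 < length:
        raise ValueError("truncated payload")
    tags, off, end = [], 6, 6 + length
    while off + 4 <= end:
        tag_type, tag_len = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if off + tag_len > end:
            raise ValueError("tag overruns payload")
        tags.append((tag_type, pkt[off:off + tag_len]))
        off += tag_len
    return {"code": CODES[code], "session_id": session_id, "tags": dict(tags)}


def discovery(host_uniq: bytes = b"\x00\x2a") -> List[Dict]:
    """The exchange as parsed packets. Session ID stays 0 until PADS assigns one.
    Nothing here is authenticated: any station on the segment may answer the
    broadcast PADI, which is the 'no security' point in the notes."""
    cookie = b"\xc0\x0c"                                                       # constructed AC-Cookie
    padi = build("PADI", 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])   # broadcast
    pado = build("PADO", 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, b"ac-example"),
                             (TAG_AC_COOKIE, cookie), (TAG_HOST_UNIQ, host_uniq)])
    padr = build("PADR", 0, [(TAG_SERVICE_NAME, b""), (TAG_AC_COOKIE, cookie),
                             (TAG_HOST_UNIQ, host_uniq)])                     # unicast to the chosen AC
    pads = build("PADS", 0x0001, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)])  # session 1
    padt = build("PADT", 0x0001, [])                                          # either side may send it
    trace = [parse(p) for p in (padi, pado, padr, pads, padt)]
    if any(p["session_id"] != 0 for p in trace[:3]):
        raise ValueError("session id must be 0 before PADS")
    return trace


if __name__ == "__main__":
    for p in discovery():
        print(p["code"], "session", p["session_id"], sorted(p["tags"]))
```

The Host-Uniq tag is echoed back by the concentrator so the client can match offers to its own request; the AC-Cookie is returned in PADR so the concentrator can tie the request to its earlier offer without keeping state. Neither proves who the concentrator is, which is why authentication only happens later, inside the PPP session (PAP or CHAP).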
Three steps: dial-up interface.

Network Address Translation (NAT)
Private & Public Networks
NAT behaviour: uses the established boundary of the gateway router to identify network domains for translation. Separates public from private. A NAT must be able to create a mapping table within the gateway to allow the gateway to determine to which private network destination address a packet received from the public network should be sent, again requiring address translation to be performed along the return path.

Static NAT
Represents a one-to-one (1 IP address) mapping that is manually configured by the administrator.

Dynamic NAT
Works on the principle of an address pool. Internal end systems wishing to forward traffic to a public network can associate with a public address from an address pool.

Network Address Port Translation (NAPT)
Security reason: internal ports should not be available externally. Hides the IP address and the port numbers. The ISP provides public port numbers in lieu of the private individual's port number. More like dynamic NAT.

Easy IP
The WAN interface's address is used as a single public address for all internal users, with port numbers used to distinguish sessions. Create an Easy IP through a dial-up to receive a temporary public IP address on the outbound interface. Small-scale enterprises.

NAT Internal Server
E.g. accessing the UCT/Wits server externally. External sources can reach internal addresses. Mapping of both the IP address and port number is performed.

Static NAT Config
[RTA]interface GigabitEthernet0/0/1 .... inbound, default gateway
[RTA-GigabitEthernet0/0/1]ip address 192.168.1.254 24 ....
[RTA]interface Serial1/0/0
[RTA-Serial1/0/0]ip address 200.10.10.1 24
[RTA]nat static global 200.10.10.5 inside 192.168.1.1 .... invoking static NAT
[RTA]display nat static ... ... ... ... Netmask: 255.255.255.255

Dynamic NAT Config
[RTA]nat address-group 1 200.10.10.11 200.10.10.16 ....
pool of IP addresses
[RTA]acl 2000 .... Access Control List (ACL)
[RTA-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255 (subnet)
[RTA-acl-basic-2000]quit
[RTA-Serial1/0/0]nat outbound 2000 address-group 1 no-pat
We have ACL (Access Control List) 2000, rules 5, 10, 15. Outbound – we request their port numbers and IP addresses; they belong to address group 1. no-pat: no port address translation.

Easy IP Configuration
Very similar to dynamic NAT; relies on the creation of an access control list for defining the address range to translate. Perform the nat outbound command.

NAT Internal Server Configuration
[RTA]nat server protocol tcp global 200.10.10.5 www inside 192.168.1.1 8080

Establishing Enterprise Radio Access Network Solutions
Wireless WAN Overview (WWAN)
A mobile station (MS) or user equipment (UE) communicates on 3G (UMTS) and 4G (LTE).
Wireless WAN and the Enterprise Network: security, reliability.
Enterprise Wireless WAN Solution: failover solutions for 2G and 3G... if 2G is down you seamlessly transfer to 3G and vice versa.

Establishing the 3G Network
3G network parameters are defined on the cellular interface. Create the interface:
[Huawei]interface Cellular0/0/0
[Huawei-Cellular0/0/0]ip address ppp-negotiate
prof ...

Setting the Dial Control Center
The Dial Control Center is implemented. The dialer-rule command initiates the dialer-rule view where the rules are defined to enable IPv4 (32 bits) to carry over the interface. Dialer-rule number (e.g. +27 ZAR).

Configure NAT Rule & Static Route
[Huawei]acl number 3002
[Huawei-acl-adv-3002]rule <5|10|15> permit ip source 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3002]quit
[Huawei]interface Cellular0/0/0
[Huawei-Cellular0/0/0]nat outbound 3002
[Huawei-Cellular0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0 Cellular0/0/0

Access Control Lists (ACL)
IPv4 (32 bits): security but bulky. IPv6 (128 bits): due to increased security; however it is streamlined and incorporated, making it less bulky. Monitoring (performance) and security.
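The mapping table that the NAT section above keeps talking about, as an added example (not Huawei code and not from the original notes): a small gateway model that applies the page's dynamic pool with no-pat, the NAPT alternative, the nat server mapping for the internal web server, and the return-path lookup that decides which inbound packets reach a private host. Addresses are the ones used in the notes' configs; the port allocation scheme is a simplification.

```python
"""Added example (not Huawei code): the translation table of a NAT gateway,
covering dynamic NAT with no-pat, NAPT, a nat server mapping and the return-path
lookup. Addresses follow the notes' configs; port allocation is simplified."""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int]        # (protocol, address, port)


class NatGateway:
    def __init__(self, inside_acl: str, pool: Tuple[str, str], no_pat: bool):
        self.inside = ip_network(inside_acl)           # the ACL selecting inside sources
        lo, hi = int(ip_address(pool[0])), int(ip_address(pool[1]))
        self.pool = [str(ip_address(i)) for i in range(lo, hi + 1)]   # nat address-group
        self.no_pat = no_pat
        self.host_map: Dict[str, str] = {}             # no-pat: inside host -> public address
        self.servers: Dict[Flow, Tuple[str, int]] = {} # nat server: (proto, global, port) -> inside
        self.table: Dict[Flow, Flow] = {}              # inside flow -> translated flow
        self.reverse: Dict[Flow, Flow] = {}            # translated flow -> inside flow
        self.next_port = 1024                          # NAPT port counter (simplified)

    def add_server(self, proto: str, global_ip: str, global_port: int,
                   inside_ip: str, inside_port: int) -> None:
        """Equivalent of 'nat server protocol ... global ... inside ...'."""
        self.servers[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def _allocate(self, proto: str, src_ip: str, src_port: int) -> Optional[Flow]:
        if self.no_pat:                                # dynamic NAT: one public address per host
            if src_ip not in self.host_map:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return None                        # pool exhausted: new hosts get nothing
                self.host_map[src_ip] = free[0]
            return (proto, self.host_map[src_ip], src_port)
        port, self.next_port = self.next_port, self.next_port + 1   # NAPT: share one address
        return (proto, self.pool[0], port)             # Easy IP would use the WAN address here

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Flow]:
        """Translate a packet leaving the private network; None means dropped."""
        key = (proto, src_ip, src_port)
        if key in self.table:
            return self.table[key]                     # existing session
        if ip_address(src_ip) not in self.inside:
            return key                                 # ACL does not match: forwarded unchanged
        mapped = self._allocate(proto, src_ip, src_port)
        if mapped is not None:
            self.table[key], self.reverse[mapped] = mapped, key
        return mapped

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Return-path lookup for a packet from the public side; None means dropped."""
        key = (proto, dst_ip, dst_port)
        if key in self.reverse:
            return self.reverse[key]                   # reply to a session opened from inside
        if key in self.servers:                        # published internal server
            ip, port = self.servers[key]
            return (proto, ip, port)
        return None                                    # unsolicited: no mapping exists


if __name__ == "__main__":
    gw = NatGateway("192.168.1.0/24", ("200.10.10.11", "200.10.10.16"), no_pat=True)
    gw.add_server("tcp", "200.10.10.5", 80, "192.168.1.1", 8080)
    print(gw.outbound("tcp", "192.168.1.2", 40000))   # ('tcp', '200.10.10.11', 40000)
    print(gw.inbound("tcp", "200.10.10.5", 80))       # ('tcp', '192.168.1.1', 8080)
    print(gw.inbound("tcp", "200.10.10.5", 22))       # None: port not published
```

The last lookup is the "internal ports should not be available externally" point: only the port named in the nat server command is reachable; everything else returning from the public side needs a session that an inside host opened first. With no-pat and a six-address pool, the seventh inside host gets no translation at all, which is the practical argument for NAPT or Easy IP in a small enterprise.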
ACL: for better management and filtering of traffic as part of security.
Filtering restricted traffic: an ACL is a mechanism that implements access control for a system resource by listing the entities, based on parameters (rules), that are permitted to access the resource.
Filtering interesting traffic.

ACL Types
Basic: value range 2000-2999; parameter: source IP
Advanced: value range 3000-3999; parameters: source & destination IP, protocol, source & destination port
Layer 2 ACL: value range 4000-4999; parameter: MAC address
All can be applied on AR2200 series routers. Packet filtering parameters vary for each ACL type.

ACL Rule Management
Rules increment 5 -> 10 -> 15 -> 20

Basic ACL
[RTA-acl-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[RTA-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[RTA]interface GigabitEthernet 0/0/0
[RTA-GigabitEthernet0/0/0]traffic-filter outbound acl 2000

Advanced ACL
[RTA]acl 3000
[RTA-acl-adv-3000]rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0 destination-port eq 21 ... FTP ports 20 or 21
[RTA-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 172.16.10.2 0.0.0.0 .. default route, all IPv4 addresses on the local machine
[RTA-GigabitEthernet0/0/1]traffic-filter inbound acl 3000

ACL Application – NAT (Network Address Translation)
You can apply an ACL on NAT.

AAA (Authentication, Accounting, Authorisation)
Authentication: you must be authenticated to communicate.
Accounting
AAA Local Config: both must have the same user name and password.

Securing Data with IPSec VPN
The methods of securing your environment. IPSec: network layer (layer 3).
An SA (Security Association) is shared in a single direction.
Two modes:
IPSec Transport Mode:
IPSec Tunnel Mode: more secure
Steps:
-Reachability
-Identify interesting traffic
-Establish IPSec proposal
-Create IPSec policy
-Apply policy to interface
IPSec VPN Configuration ... ... ...
Required network layer communication for an IPSec VPN.
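The ACL rule handling described above (basic versus advanced number ranges, rule numbers stepping by 5, wildcard masks where 0.0.0.0 means an exact host, first match wins), worked through as an added example that is not Huawei code and not from the original notes. It loads the page's own ACL 3000 and ACL 2000 rules and evaluates sample packets. What happens to a packet that matches no rule is a parameter; the assumption made here is Huawei's traffic-filter behaviour of permitting such packets, so an ACL meant to block must end in an explicit deny where that is the intent.

```python
"""Added example (not Huawei code): evaluation of basic (2000-2999) and advanced
(3000-3999) ACL rules with wildcard masks, numbered in steps of 5 and matched
first-hit, using the rules in the notes. The default for unmatched packets is a
parameter; 'permit' is assumed to mirror traffic-filter behaviour."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

ANY, ANY_WC = "0.0.0.0", "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit is 'don't care', so wildcard 0.0.0.0 is an exact host."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    source: str = ANY
    source_wc: str = ANY_WC
    protocol: Optional[str] = None            # advanced only: "ip", "tcp", "udp", ...
    destination: str = ANY
    destination_wc: str = ANY_WC
    destination_port: Optional[int] = None    # advanced only: "destination-port eq N"

    def matches(self, pkt: dict) -> bool:
        """pkt is a dict with 'src' and optionally 'dst', 'proto', 'dport'."""
        if not wildcard_match(pkt["src"], self.source, self.source_wc):
            return False
        if self.protocol not in (None, "ip") and pkt.get("proto") != self.protocol:
            return False
        if not wildcard_match(pkt.get("dst", ANY), self.destination, self.destination_wc):
            return False
        return self.destination_port is None or pkt.get("dport") == self.destination_port


class Acl:
    def __init__(self, number: int, default_action: str = "permit"):
        if 2000 <= number <= 2999:
            self.kind = "basic"
        elif 3000 <= number <= 3999:
            self.kind = "advanced"
        else:
            raise ValueError("only basic and advanced ACL numbers are modelled here")
        self.number, self.default_action = number, default_action
        self.rules: List[Rule] = []

    def rule(self, action: str, number: Optional[int] = None, **match) -> int:
        """Add a rule; without an explicit number it gets the next multiple of 5."""
        if self.kind == "basic" and set(match) - {"source", "source_wc"}:
            raise ValueError("basic ACL rules match on source address only")
        if number is None:
            last = max((r.number for r in self.rules), default=0)
            number = (last // 5 + 1) * 5
        self.rules.append(Rule(number, action, **match))
        self.rules.sort(key=lambda r: r.number)        # lowest number is checked first
        return number

    def evaluate(self, pkt: dict) -> str:
        """First matching rule decides; otherwise the default action applies."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return self.default_action


def acl_3000_from_notes() -> Acl:
    """The advanced ACL in the notes: deny FTP control (tcp/21) from 192.168.1.0/24
    to host 172.16.10.1, deny all IP from 192.168.2.0/24 to host 172.16.10.2."""
    acl = Acl(3000)
    acl.rule("deny", source="192.168.1.0", source_wc="0.0.0.255", protocol="tcp",
             destination="172.16.10.1", destination_wc="0.0.0.0", destination_port=21)
    acl.rule("deny", source="192.168.2.0", source_wc="0.0.0.255", protocol="ip",
             destination="172.16.10.2", destination_wc="0.0.0.0")
    return acl


if __name__ == "__main__":
    acl = acl_3000_from_notes()
    print([r.number for r in acl.rules])                                          # [5, 10]
    print(acl.evaluate({"src": "192.168.1.5", "dst": "172.16.10.1", "proto": "tcp", "dport": 21}))  # deny
    print(acl.evaluate({"src": "192.168.1.5", "dst": "172.16.10.1", "proto": "tcp", "dport": 80}))  # permit
```

Two things worth checking against this model when reading a real ACL: a wildcard of 0.0.0.0 on the destination (as in the notes' rules) pins the rule to one host, not to "all addresses", and the second rule's protocol keyword ip covers tcp, udp and icmp alike, so it is far broader than the first rule.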
An advanced ACL is needed to determine the protocols, ports and IP addresses. E.g. use authentication algorithms [md5 | sha1 | sha2-256 | sha2-384 | ....]. The sha* must correlate between the devices that are to communicate.

IPSec Policy Creation
An IPSec policy defines parameters for establishing an IPSec SA: policy-name seq-number (1-15). Multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group. The IPSec policy group contains a maximum of 16 IPSec policies. The smallest IPSec sequence number has the highest priority. The group must be applied to an interface.
The tunnel local and tunnel remote addresses determine where the tunnel starts and ends.
The SPI (Source Parameter Index): the inbound SPI must be the same as the outbound SPI (the number).
Finally, the authentication key must be defined as inbound and outbound; they must be the same.

IPSec Policy Creation
[RTA]ipsec policy P1 10 manual
[RTA-ipsec-policy-manual-P1-10]security acl 3001 ... ...
Applying policies to interfaces ...
IPSec Policy Verification

Generic Routing Encapsulation (GRE)
GRE Application
Supports encapsulation of protocols over other protocols; supports multiple protocols simultaneously. Enables routing between remote and disparate networks. Can be implemented on tunnelling. Less secure. Ideal to implement a GRE tunnel and IPSec VPN together: IPSec VPN (Virtual Private Network) support for GRE (Generic Routing Encapsulation).
GRE Keepalive ...
GRE Configuration

Simple Network Management Protocol (SNMP)
A management solution widely used in TCP/IP networks. An adaptation of the SGMP protocol, it forms the basis for common network management throughout the system. SNMP is effectively a communication medium between the network elements and the network administrator/NMS. The Network Management Station (NMS) relies on SNMP to define sources for network information. SNMP relays reports in the form of trap messages to the NMS so that the station can obtain network status in near real time.
This allows the network administrator to quickly act on system discrepancies and failures.
SNMP is used to manage:
Software:
-Applications
-User accounts
-Write/read permissions (licences)
Hardware:
-Workstations
-Servers
-Network cards
-Routing devices
-Switches

SNMP Architecture
The network management station (NMS) has network management requests that it makes known to the elements: hosts, gateways, terminal servers etc. The management agent resides on the network element in order to retrieve (get) or alter (set) variables. The NMS associates with the management agent on each of the network elements; these perform NMS-designed functions composing the MIB (Management Information Base) objects. SNMP messages over IP require UDP.

MIB Objects
Specifies the variables to be maintained by each network element. These variables are queried and set by the management process. The SNMP MIB has the same tree structure as the DNS (Domain Name System), with the top objects: ISO, ITU-T (CCITT), joint organisation branch.
Version 1; Version 2: security upgrade; Version 3:

eSight Network Management Solutions (Huawei solution)
Monitors each component. Traffic.

Introducing IPv6 Networks
IPv6 Routing Technologies
IPv6 Application Services DHCPv6

Practical Training
Entry Training ..
//
Intermediate Training ..
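Returning to the IPSec policy creation section above: the notes list the pairing rules for a manual IPSec SA (the inbound SPI and key on one side must equal the outbound SPI and key on the other, the authentication algorithm must correlate between the devices, and tunnel local/remote must mirror). The following added example (not Huawei code and not from the original notes) turns those rules into a consistency check run over two constructed policy descriptions before they are applied to interfaces. The key strings are placeholders, and the "weak algorithm" list is this example's own defensive caveat, not something the notes state.

```python
"""Added example (not Huawei code): consistency check between two peers' manual
IPSec policies, applying the pairing rules from the notes. Policy dicts and key
strings are constructed placeholders."""
from typing import Dict, List

# Flagged as findings rather than errors; the notes list md5 and sha1 among the options.
WEAK_ALGORITHMS = {"md5", "sha1", "des"}


def policy(tunnel_local: str, tunnel_remote: str, spi_inbound: int, spi_outbound: int,
           key_inbound: str, key_outbound: str, auth_algorithm: str = "sha2-256",
           encryption_algorithm: str = "aes-128", mode: str = "tunnel") -> Dict:
    """One side's settings: what 'ipsec policy <name> <seq> manual' collects."""
    return {"tunnel_local": tunnel_local, "tunnel_remote": tunnel_remote,
            "spi_inbound": spi_inbound, "spi_outbound": spi_outbound,
            "key_inbound": key_inbound, "key_outbound": key_outbound,
            "proposal": {"auth_algorithm": auth_algorithm,
                         "encryption_algorithm": encryption_algorithm, "mode": mode}}


def check_manual_sa(local: Dict, remote: Dict) -> List[str]:
    """Return the list of problems; an empty list means the two SAs can pair up."""
    problems: List[str] = []
    if (local["tunnel_local"], local["tunnel_remote"]) != (remote["tunnel_remote"], remote["tunnel_local"]):
        problems.append("tunnel local/remote addresses do not mirror each other")
    # Each direction on one side is the opposite direction on the peer.
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if local[f"spi_{mine}"] != remote[f"spi_{theirs}"]:
            problems.append(f"local {mine} SPI {local[f'spi_{mine}']} != remote {theirs} "
                            f"SPI {remote[f'spi_{theirs}']}")
        if local[f"key_{mine}"] != remote[f"key_{theirs}"]:
            problems.append(f"local {mine} key does not match remote {theirs} key")
    # The proposal (algorithms and mode) must be identical on both ends.
    for param in ("auth_algorithm", "encryption_algorithm", "mode"):
        if local["proposal"][param] != remote["proposal"][param]:
            problems.append(f"proposal {param} differs: {local['proposal'][param]} "
                            f"vs {remote['proposal'][param]}")
    return problems


def weak_findings(p: Dict) -> List[str]:
    """Advisory findings about algorithm choice on one side (not pairing errors)."""
    return [f"{param} {p['proposal'][param]} is weak"
            for param in ("auth_algorithm", "encryption_algorithm")
            if p["proposal"][param] in WEAK_ALGORITHMS]


if __name__ == "__main__":
    # Constructed pair using the notes' public addresses; keys are placeholders.
    rta = policy("200.10.10.1", "200.10.10.2", 12345, 54321, "KEY-PLACEHOLDER-1", "KEY-PLACEHOLDER-2")
    rtb = policy("200.10.10.2", "200.10.10.1", 54321, 12345, "KEY-PLACEHOLDER-2", "KEY-PLACEHOLDER-1")
    print(check_manual_sa(rta, rtb))   # []
    copied = policy("200.10.10.2", "200.10.10.1", 12345, 54321, "KEY-PLACEHOLDER-2", "KEY-PLACEHOLDER-1")
    print(check_manual_sa(rta, copied))   # SPI mismatches: values copied instead of swapped
```

The "copied" case is the common mistake when the second router's policy is pasted from the first: the SPIs and keys must be swapped between inbound and outbound, not repeated, otherwise neither side finds a matching SA and the tunnel silently carries nothing.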
Lessons from the mock exams
Loopback address 127.0.0.1
VLAN: 12 bits
Huawei switch forwarding delay: 0.15 seconds
The ICMP protocol is applied to the network layer
ID of the OSPF backbone = area 0
OSI model layers:
-Application
-Presentation
-Session
-Transport
-Network
-Data link
-Physical
TCP/IP model layers:
-Application (session, presentation)
-Transport
-Network
-Data link
OSPF uses the SPF (Shortest Path First) algorithm to calculate the shortest route
Link state routing protocol = OSPF (Open Shortest Path First)
Repeaters, hubs, network interface cards, cables and connectors operate on the physical layer
Maximum hop count: RIP
DNS port number 53
Two routers will either exchange LSAs or send Hello packets to each other due to the existence of the DR in a broadcast network of OSPF
A static route can be neither configured manually by a network administrator nor generated automatically.
When a network condition changes a static route canNOT be rectified automatically without reconfiguration by the network administrator
Root bridges provide root ports and designated, alternative ports
Routing Information Protocol (RIP) is NOT available in the RIPv2, RIPv2 and RIPv3 versions
When a trunk port receives an untagged frame, the switch will NOT drop the frame
One router forwards the packets according to the routing table on itself without considering the routing table of any neighbour routers
A trunk port does not always send tagged frames to the peer equipment.
Each router only knows how to forward the packet to the next hop IP address. It doesn't know the end-to-end forwarding path. This type of forwarding is called hop-by-hop forwarding
OSPF version specific to the IPv6 technology = OSPFv3
The IP protocol is unreliable and connectionless oriented.
The subnet mask of a class A address is 255.255.240.0 has 12 bits
When a node transmits data over a network medium, the data is transmitted to all the nodes on the network.
The topology used is BUS
A router runs OSPF and its interface Serial 0 with IP address 10.0.0.1/30 belongs to the backbone area. The command used to enable OSPF on this interface is = [Quidway-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.3
Switch-A and Switch-B are configured with ports in VLANs for departments. Each VLAN contains 20 users. Only 5 subnets are required.

Multiple choice section
The functions of all seven layers of the OSI reference model:
-The email server
-Network management server
Access ports:
-Belong to only one VLAN
-Are used for connection between switches and PCs
The data link layer has two sub-layers:
-MAC sub-layer
-LLC sub-layer
RIP (Routing Information Protocol):
-A user can specify the route preference of RIP higher than that of static routes
-If the route calculated by another routing protocol which is imported by RIP does not specify the cost value, the cost value will be set as 1 by default
Routed protocols:
-IP
-OSPF (Open Shortest Path First)
VLAN interfaces:
-A virtual interface is required to be created for a VLAN if we want to assign an IP address to that VLAN
-The VLAN interface number must be the same as the VLAN ID
If two static routes are configured to the route 10.1.1.1/32, one without a value for the preference_value parameter and the other static route assigned 100 for the preference_value parameter:
-The route not assigned a preference_value parameter will function as the working route
-A static route supports route backup
Functions of a router:
-Check the destination address in a datagram
-Discover possible routes
-Verify and maintain route information
A packet filtering firewall filters packets based on a quintuplet.
Components of the quintuplet:
-IP address
-Protocol number
-Port number
Protocols used for file transfer:
-FTP
-TFTP
Standards defined by IEEE to regulate the implementation of VLANs between switches
OSPF takes precedence to select the biggest IP address of all the loopback addresses as the router ID unless you specify a router ID manually.
The frame is the PDU that resides at the data link layer
EUI-64 is used to configure IPv6
ICMP is used by the ping test, sending a series of packets
DD packets are used to describe LSDBs
STP interface states:
-Blocking
-Listening
-Learning
-Forwarding
-Disabled
Interior Gateway Protocol (IGP): the Routing Information Protocol uses the hop count to determine the cost value
An IP address consists of: network address, host address, subnet field, non-default masks, default subnet mask
CHAP (Challenge-Handshake Authentication Protocol):
-Verifies remote clients
-Challenge packet
-Response packet
-Success packet
-Failure packet
Link aggregation benefits:
-Increased bandwidth (the capacity of multiple links is combined into one logical link)
-Automatic failover
-Failback (the traffic from a failed link is automatically switched over to other working links)
eSight is supported by SNMPv1, SNMPv2c and SNMPv3
A DHCP Offer packet can carry more than one DNS server address
After a fault occurs in a network, a static route canNOT be rectified automatically and the network administrator is needed to reconfigure.
(RIP) Routing Information Protocol is not available in RIPv1, RIPv2 and RIPv3 versions
On Huawei switches you can run the vlan batch command to create multiple VLANs in batches
HDLC is an ISO standard link layer protocol and it is used to encapsulate data transmitted on asynchronous links
One of the significant features of the PPP protocol is the authentication function. With this function, the two ends of a link can negotiate with each other which authentication protocol to use and then perform authentication.
A PPP connection is established only when the authentication is successful.
When you configure Frame Relay on Quidway routers, you can configure inverse ARP instead of static address mapping because the function of inverse ARP is to provide dynamic address mapping.
The operation of deleting the configuration files saved in the storage devices will become effective after rebooting the router.
A Frame Relay point-to-multip
oint sub-port canNOT connect multiple remote nodes together through a PVC
The ICMP protocol is applied to the network layer
Protocols that can dynamically register VLAN information:
-MVRP (Multiple VLAN Registration Protocol) sends PDUs (protocol data units)
-MRP (Multiple Registration Protocol)
-GARP (Generic Attribute Registration Protocol)
ARP (Address Resolution Protocol) performs required IP routing. It finds the hardware address (MAC address) from the IP address. ARP maintains a cache table of MAC addresses mapped to IP addresses.
HDLC is NOT an ISO standard link layer protocol and it is used to encapsulate data transmitted on asynchronous links.
The standard defined by IEEE to regulate the implementation of VLANs between switches is 802.1Q
A switch supporting the 802.1Q protocol can support a maximum of 4096 VLANs
eSight is not only for Huawei
When two routers synchronise their LSDBs they use DD packets to describe their LSDBs
IGP (Internal Gateway Protocol) is the protocol which is used for asynchronous systems
OSPF takes precedence to select the IP address of all loopback port addresses as the router ID unless you specify a router ID
Hop count is the parameter used by RIP to calculate the cost value
On Huawei switches running STP, the default value of forward delay is 15 seconds
The broadcast MAC address is FF:FF:FF:FF:FF
To release the IP address assigned by the DHCP server on Windows XP, use the command ipconfig /release
IPv6 is 128 bits, processed in order
The protocols that can be used for file transfer are FTP and TFTP
CHAP packets:
-Challenge
-Response
-Success
-Failure