Huawei Commands JM


HCNA-HNTD

COMMAND_Notes Jose Murillo G.


―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
■ Vertical bars (|) separate alternative, mutually exclusive elements.
■ Square brackets ([ ]) indicate an optional element.
■ Braces ({ }) indicate a required choice.
■ Braces within brackets ([{ }]) indicate a required choice within an optional element.
■ > User view prompt (user mode)
■ ] System view prompt (admin mode)

- Several commands
display current-configuration - Similar to Cisco “show run”
display ip interface brief
display interface description

display port vlan


display port vlan active

display transceiver interface <Interface> verbose - Display fiber-optic (F.O.) parameters of a port (Rx/Tx)

display lldp neighbor brief - Check LLDP neighbor info

display logbuffer
display trapbuffer - Check whether power-on / power-off information is being displayed frequently

clear configuration interface ? - Similar to Cisco “default interface”; the interface is left in “shutdown”
interface x/x]clear configuration this - Inside an interface, resets its parameters to default (erases the config)
display configuration candidate [changes] - Similar to Cisco “show config” on XR
[changes] shows what is removed (-) and what is added (+)

- The * means there is configuration that has not been committed (“commit” not applied)

>terminal monitor - Similar to Cisco

- Hardware Information / Device status


dis device - Display device status
dis elabel brief - Display electronic labels of a device
BarCode=xxxxxxxx // Indicates the serial number
Item=xxxxx // Indicates the part number

dis sn all - Similar to “sh invent” of Cisco


dis fan - View fan
dis temperature all - View device temperature
dis version - Similar to “sh ver” of Cisco
dis startup
display power

- PoE Power
display poe-power - Check PoE power supply info
display poe information
display poe power slot 0 - Display the output power per port

- Schedule reboot
>schedule reboot ? - Similar to Cisco “reload in”
at - Specify the exact time: TIME (mm or hh:mm) & DATE (YYYY-MM-DD)
delay - Specify the time interval (mm or hh:mm), e.g. 15 minutes until reboot

display schedule reboot - Display schedule reboot information, remaining time until reboot
> undo schedule reboot - CANCEL reboot, only works in “>” mode

<Example> - Test on real equipment


<R1>schedule reboot delay 15
Info:Reboot system at 02:00:06 2019/02/26(in 0 hours and 15 minutes) confirm?[Y/N]:y
[R1]dis schedule reboot
Info:System will reboot at 02:00:06 2019/02/26 (in 0 hours and 14 minutes).
<R1>undo schedule reboot
<R1>
<R1>dis schedule reboot - Validate that there is no active scheduled reboot
<R1>

- Check SSH
display ssh server status - Display SSH server status; stelnet must be enabled, which is done with stelnet server enable
display users
display user-interface maximum-vty
display rsa local-key-pair public - Check whether the RSA public key exists; it can be created with rsa local-key-pair create

- High CPU Usage


display cpu-defend statistics - Check statistics about packets sent to the CPU
display stp topology-change - Check the alarms or logs generated by switches to determine whether the STP topology has ever changed
display stp tc-bpdu statistics - Check statistics about TC BPDUs received by interfaces
display mac-address flapping record - Check all historical records of MAC address flapping

- High Memory usage


display memory-usage - Check memory usage

- ARP
>arp -a - Display ARP table (ARP cache)
>display arp all
>display arp track

>system-view - Access System view, similar to Cisco “enable”


]sysname <NAME> - Set name

>clock timezone <TIMEZONE_NAME> [add | minus] - Set time zone


- [add] Add time zone offset, format HH:MM:SS
- [minus] Minus time zone offset, format HH:MM:SS
>clock datetime <HH:MM:SS> <YYYY-MM-DD> - Set current time
>clock daylight-saving-time ? - Set daylight saving time to keep the clock synchronized; use ? for help with the parameters

]header login information “TEXT” - Set TEXT to be displayed on a login attempt


]header shell information “TEXT” - Set TEXT to be displayed after a successful login to the CLI

]command-privilege level 3 view user save - Page 166 HCNA, indicates that only a user "level 3" can execute the command "save" in "user view"
]screen-length <0 - 512> - Console/VTY mode] Modify the number of lines displayed; default is 24, max 512
- If screen-length is set to 0, nothing is displayed = very bad
]non-authentication - Console/VTY mode] Default value on the console line; no credentials are needed to enter the device
>display interface <INTERFACE> - Display interface status

- Example commands related to: Console, VTY lines & ACL


user-interface con 0 - Enter console user interface
authentication-mode aaa - Define authentication method for console line
history-command max-size 20 - Remember up to 20 commands
idle-timeout 8 0 - Keep the connection idle for 8 minutes, then disconnect
user-interface vty 0 4 - Enter VTY user interface
acl ADMINISTRACION inbound - Apply named ACL to inbound traffic on VTY line
authentication-mode aaa
history-command max-size 20
idle-timeout 8 0

acl name ADMINISTRACION 3999 - Creation of named ACL


rule 5 permit ip source 190.241.146.0 0.0.0.255 - Allow packets from 190.241.146.0/24
rule 10 permit ip source 172.30.255.5 0 - Allow packets from 172.30.255.5/32; Huawei represents the wildcard 0.0.0.0 as 0
rule 15 deny ip - Deny any

user-interface vty 0 4 - Enter VTY user interface


user privilege level <0 - 15> - Define the privilege level required to access via the VTY line
set authentication password cipher - Set password for VTY line
Enter Password (<8-128>): muri123

- Example command related to: SVI, Loopbacks & physical interfaces


interface Vlanif400
description MNG_RACSA
ip address 172.30.255.6 255.255.255.252
#
interface loopback100
description PRUEBA_LOOPBACK
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0/1
description to_PC1
port link-type access
port default vlan 300
port-security enable
#
interface GigabitEthernet0/0/2
description TEST_L3_Interface
undo negotiation auto
duplex full
speed 100
undo switch

- File system navigation & management


_File/directory attributes (Attr): drwx
d: Directory
r: Read
w: Write
x: Execute
>cd - Change directory
>pwd - Print working directory
>dir - View content of directory
>more - View file content
>mkdir - Make directory
>rmdir - Remove directory, must be empty
>copy - Copy file/directory
>move - Move file/directory
>rename - Rename file/directory
>delete ? - Delete file
/quiet - Delete file without user confirmation
/unreserved - Delete a file permanently
STRING<1-64> [drive][path][file name]
flash: Device name
>undelete ? - Recover file
STRING<1-64> [drive][path][file name]
flash: Device name
>reset recycle-bin - Permanently clear the recycle bin

>display current-configuration - It explains itself


>display saved-configuration - It explains itself
>compare configuration - Compare configuration files: current-config vs saved-config (startup); displays the differences
INTEGER<0-65535> - The line of current-configuration at which to begin comparing
STRING<5-48> - Specify the configuration file to be compared: current-config vs xx-config
<cr> - Without arguments, compare current-config vs startup-config
>display startup - View the current startup parameters
- ar220.cc, example VRP image
>save - Save the current configuration, default file -> “vrpcfg.zip”

>startup ? - Startup options


patch STRING<5-64> - Set patch file
saved-configuration STRING<5-64> - Saved-configuration file for the system to start up with (file that contains the startup config)
system-software STRING<5-64> - Config system software (VRP, .cc file) for system to startup
- STRING<5-64> format => [drive][file-name] (Default drive is flash:/)

>reset saved-configuration - Erase saved configuration file from the device


>format - Erase a storage device
flash: Device name - Depends on the device; it can have different storage types: SDRAM, Flash, NVRAM, SD card, USB
>fixdisk - Repair a storage device
flash: Device name - Depends on the device; it can have different storage types: SDRAM, Flash, NVRAM, SD card, USB

<AR_VID_RAC_01_(P04)>dir | i cfg
Idx Attr Size(Byte) Date Time(LMT) FileName
7 -rw- 1,916 May 07 2017 12:50:52 vrpcfg.zip - Note the size of the vrpcfg.zip file

<AR_VID_RAC_01_(P04)>reset saved-configuration ?
<cr> Please press ENTER to execute command
<AR_VID_RAC_01_(P04)>reset saved-configuration
Warning: This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n):y.
Info: Clear the configuration in the device successfully.

<AR_VID_RAC_01_(P04)>dir | i cfg
Idx Attr Size(Byte) Date Time(LMT) FileName
7 -rw- 120 Oct 26 2017 23:50:17 vrpcfg.zip - Note that the vrpcfg.zip file was overwritten with the default config

<AR_VID_RAC_01_(P04)>reboot
Info: The system is comparing the configuration, please wait.
Warning: All the configuration will be saved to the next startup configuration. Continue? [y/n]:n - CAREFUL: if you answer “Y”, the FULL config that is in RAM is written back
to the file, which is the same as having done NOTHING. You must answer NO (n)
System will reboot! Continue? [y/n]:y
Info: system is rebooting, please wait...
Oct 26 2017 23:51:15-06:00 AR_VID_RAC_01_(P04) %%01DEV/4/ENTRESET(l)[0]:Board[0] is reset, The reason is: Reset by user command.
<Huawei> - Log in to the device with the default credentials.
The device is left with the DEFAULT config

- VRP Image
_Example of VRP version upgrades:
Version 5.90 (AR2200 V200R001C00)
Version 5.160 (AR2200 V200R007C00)

Vxxx: Product version


Rxxx: Major version release
Cxxx: Minor version release
SPC value: if a patch pack is applied to the VRP product version, an SPC value may be included in the VRP product version number
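Added example (not part of these notes): a Python parser for the VRP version string as printed by `display version`, using the Vxxx/Rxxx/Cxxx/SPC breakdown above to compare installed software against a baseline, which is the check an inventory or vulnerability-management script needs. The inventory hostnames and the SPC600 line are constructed; the ordering rule (compare V, then R, then C, then SPC numerically) is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches "Version 5.160 (AR2200 V200R007C00)" and the same string with an
# optional SPCxxx patch suffix. Field meaning follows the notes above:
# Vxxx product version, Rxxx major release, Cxxx minor release, SPCxxx patch.
VERSION_RE = re.compile(
    r"Version\s+(?P<vrp>\d+\.\d+)\s+\((?P<product>\S+)\s+"
    r"V(?P<v>\d+)R(?P<r>\d+)C(?P<c>\d+)(?:SPC(?P<spc>\d+))?\)"
)


@dataclass(frozen=True)
class VrpVersion:
    vrp: str       # VRP platform version, e.g. "5.160"
    product: str   # product family, e.g. "AR2200"
    v: int
    r: int
    c: int
    spc: int       # 0 when the string carries no SPC patch number

    def key(self):
        # Assumption: newer software sorts higher when V, R, C and SPC are
        # compared numerically from left to right.
        return (self.v, self.r, self.c, self.spc)


def parse_version(line: str) -> Optional[VrpVersion]:
    """Parse one 'display version' line; return None if it does not match."""
    m = VERSION_RE.search(line)
    if m is None:
        return None
    return VrpVersion(
        vrp=m["vrp"], product=m["product"],
        v=int(m["v"]), r=int(m["r"]), c=int(m["c"]),
        spc=int(m["spc"] or 0),
    )


def is_older(a: VrpVersion, b: VrpVersion) -> bool:
    """True when a is older than b (same product family assumed)."""
    return a.key() < b.key()


def below_baseline(inventory: Dict[str, str], baseline: str) -> List[str]:
    """Hostnames whose software is older than the baseline string.
    Lines that do not parse are reported too: an unknown version needs review."""
    base = parse_version(baseline)
    if base is None:
        raise ValueError("baseline does not look like a VRP version string")
    out = []
    for host, line in inventory.items():
        ver = parse_version(line)
        if ver is None or is_older(ver, base):
            out.append(host)
    return sorted(out)


# Constructed inventory: hostnames and the SPC600 line are made up for this example.
SAMPLE_INVENTORY = {
    "ar-site-a": "VRP (R) software, Version 5.90 (AR2200 V200R001C00)",
    "ar-site-b": "VRP (R) software, Version 5.160 (AR2200 V200R007C00)",
    "ar-site-c": "VRP (R) software, Version 5.160 (AR2200 V200R007C00SPC600)",
}

if __name__ == "__main__":
    for host in below_baseline(SAMPLE_INVENTORY, "Version 5.160 (AR2200 V200R007C00)"):
        print("needs upgrade:", host)
```

The baseline is passed as the same kind of string the device prints, so the list can be driven from a pasted `display version` line of a known-good device.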

- VRP upgrade Process


1. FTP Server
a. Set up connectivity between the device and the FTP server, trivial…
b. Validate available storage space with “dir”
c. Retrieve files from the FTP server
>ftp <IP_FTP_Server> - Credentials are requested by the FTP server (user/pass)
[ftp]get <FILE_NAME> - Retrieve the file from the FTP server to the device

2. TFTP Server
a. Retrieve files from a TFTP server
>tftp <IP_TFTP_Server> get <FILE_NAME>

3. VRP boot mng process


>startup system-software <FILE_NAME.cc> - Config system software (VRP, .cc file) for system to startup,
- File must be .cc
- Storage directory of a system software file must be the root directory, otherwise the file will fail to run
>display startup - Verify that the change has been performed successfully
- Next startup system software: <FILE_NAME.cc>
4. Applying the changes
>reboot - The system must be restarted before the new image takes effect

- STP
>display stp - Display STP status
]stp mode ?
mstp - Multiple Spanning Tree Protocol (MSTP) mode. On Sx7 switch model, MSTP is the default mode
rstp - Rapid Spanning Tree Protocol (RSTP) mode
stp - Spanning Tree Protocol (STP) mode

<Set ROOT priority>


]stp priority INTEGER<0-61440> - Bridge priority, in steps of 4096. Default priority 32768
- It’s best practice to manually define the priority of the root and backup root

]stp root ? - Different from Cisco; Huawei is more straightforward


primary - Primary root switch. Set priority=0 (Simulated)
secondary - Secondary root switch. Set priority=4096 (Simulated)
- If you apply "root primary" to two switches, both of them set the priority to 0, lower MAC wins (Simulated)
<RPC & PC>
]stp pathcost-standard ? - Huawei Sx7 switches support several path cost standards to provide compatibility where required
dot1d-1998 - IEEE 802.1D-1998
dot1t - IEEE 802.1T, default in Huawei Sx7 switches
legacy - Legacy
- Unlike STP, RSTP does this automatically

]stp cost INTEGER<1-200000000> - interface mode] Set local Path cost

<Root protection>
- Function:
1. A port with root protection enabled, if it receives a superior BPDU, takes the following actions:
stops forwarding packets
turns to listening state
the port retains the Designated role
2. If the port does not receive superior BPDUs for a certain period, it is restored to normal condition (FWD)

]stp root-protection - interface mode] Root protection prevents changes in the STP topology
as a result of a root bridge transition caused by receiving a superior BPDU

- RSTP
]stp mode rstp - Set RSTP mode
]stp edged-port enable - interface mode] Allows transition of an edge port to forwarding without delay (similar to PortFast)
- Interfaces on S5700 are "non-edge" ports by default

]stp edged-port default - system view] Apply to all ports

]stp edged-port disable - interface mode] Disable edge port on a non-edge port, in order to avoid loops

]stp bpdu-protection - system view] Edge ports must not receive BPDUs;
bpdu-protection shuts down any edge port that receives a BPDU,
manual intervention is required to re-enable the port

]stp loop-protection - interface mode] Similar function to loop-guard

>display stp

- STP cost manipulation

interface]stp vlan [VLAN_ID | VLAN range] port priority <0-240> - Define the priority value for N VLANs on the port; it must be a multiple of 16
- The default value for a port is 128; lower = better
- This is useful to control active/passive ports toward HA connections and to decide at will which one stays active
- Note that “stp vlan 493 cost 10” has no effect in networks with an L2 loop, e.g. (SW1 ====2_links==== Hub)
- In the previous case, setting a cost on the STP path does not affect the decision, since SW1 detects the loop and decides
based on the port priority.

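Added example (not from the notes or from Huawei): a small Python model of the root election rules in this STP section. It enforces the step-of-4096 bridge priority and step-of-16 port priority ranges the CLI accepts, applies `stp root primary` / `secondary` as priority 0 / 4096, and reproduces the case of two switches both set to primary, where the lower MAC wins and the intended root is silently lost. Switch names and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

BRIDGE_PRIORITY_MAX = 61440   # stp priority INTEGER<0-61440>, steps of 4096
PORT_PRIORITY_MAX = 240       # stp vlan ... port priority <0-240>, steps of 16
DEFAULT_BRIDGE_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128


def check_bridge_priority(value: int) -> int:
    """Reject what the CLI rejects: out of range or not a multiple of 4096."""
    if not 0 <= value <= BRIDGE_PRIORITY_MAX or value % 4096:
        raise ValueError(f"bridge priority {value} must be 0..61440 in steps of 4096")
    return value


def check_port_priority(value: int) -> int:
    """Port priority must be 0..240 in multiples of 16 (default 128)."""
    if not 0 <= value <= PORT_PRIORITY_MAX or value % 16:
        raise ValueError(f"port priority {value} must be 0..240 in steps of 16")
    return value


def is_valid_bridge_priority(value: int) -> bool:
    try:
        check_bridge_priority(value)
        return True
    except ValueError:
        return False


def is_valid_port_priority(value: int) -> bool:
    try:
        check_port_priority(value)
        return True
    except ValueError:
        return False


@dataclass
class Bridge:
    name: str
    mac: str                                   # Huawei notation, e.g. "4c1f-cc00-0001"
    priority: int = DEFAULT_BRIDGE_PRIORITY

    def bridge_id(self) -> Tuple[int, int]:
        # Bridge ID = (priority, MAC); the lowest tuple wins the election.
        return (self.priority, int(self.mac.replace("-", ""), 16))


def stp_root(bridge: Bridge, role: str) -> Bridge:
    """Model 'stp root primary' (priority 0) / 'stp root secondary' (4096)."""
    bridge.priority = {"primary": 0, "secondary": 4096}[role]
    return bridge


def elect_root(bridges: List[Bridge]) -> Bridge:
    for b in bridges:
        check_bridge_priority(b.priority)
    return min(bridges, key=Bridge.bridge_id)


def demo() -> Tuple[str, str]:
    """Constructed topology: names and MAC addresses are made up for this example."""
    sw1 = Bridge("SW1", "4c1f-cc00-0002")
    sw2 = Bridge("SW2", "4c1f-cc00-0001")
    sw3 = Bridge("SW3", "4c1f-cc00-0003")
    # Intended design: SW1 is the primary root, SW2 the backup root.
    stp_root(sw1, "primary")
    stp_root(sw2, "secondary")
    designed = elect_root([sw1, sw2, sw3]).name
    # Misconfiguration described in the notes: 'stp root primary' on two
    # switches leaves both at priority 0, so the lower MAC (SW2) becomes root.
    stp_root(sw2, "primary")
    collided = elect_root([sw1, sw2, sw3]).name
    return designed, collided


if __name__ == "__main__":
    print("designed root: %s, after duplicate 'root primary': %s" % demo())
```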
- IP Routing
<Routing decision>
1. Longest match
2. Lower Preference (Pre), similar to AD
> Routing protocols/Route type & their default external preference
Direct 0
OSPF 10
IS-IS 15
Static 60
RIP 100
OSPF ASE 150
OSPF NSSA 150
IBGP 255
EBGP 255

>> 255 indicates routes learned from unreliable sources


>> A smaller value indicates a higher preference
>> You can manually configure the external preference of all protocols except direct routes
>> During route selection, a router first compares the external preferences of routes

> Routing protocols/Route type & their Internal preference


Direct 0
OSPF 10
IS-IS Level-1 15
IS-IS Level-2 18
Static 60
RIP 100
OSPF ASE 150
OSPF NSSA 150
IBGP 200
EBGP 20

>> Internal preferences of routing protocols cannot be manually configured

>> When the same external preference is set for different routing protocols, the router selects the optimal route based on the internal preference
>> For example:
>>> Two routes with the same EXTERNAL preference:
A.A.A.A/24 Static preference 5 (external)
A.A.A.A/24 OSPF preference 5 (external)
>>> In this case, the router determines the optimal route based on the internal preference listed above
A.A.A.A/24 OSPF preference 5 (external), 10 (internal) → BEST*
A.A.A.A/24 Static preference 5 (external), 60 (internal)
*This indicates that the OSPF route has a higher preference than the static route, so the router selects the OSPF route as the optimal route.

3. Metric (Cost)
Note: Only best routes are installed from the FIB to the RT (routing table)
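Added example (not part of the notes): the routing decision above carried out in Python over a constructed routing table. It applies longest match first, then external preference (default from the table or manually configured), then internal preference from the second table, then metric, and returns every route that ties on all four so the equal-cost (load-balancing) case is visible. Prefixes and next hops are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default preferences copied from the two tables above (lower is better).
EXTERNAL_PREF = {"Direct": 0, "OSPF": 10, "IS-IS": 15, "Static": 60, "RIP": 100,
                 "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 255, "EBGP": 255}
INTERNAL_PREF = {"Direct": 0, "OSPF": 10, "IS-IS Level-1": 15, "IS-IS Level-2": 18,
                 "Static": 60, "RIP": 100, "OSPF ASE": 150, "OSPF NSSA": 150,
                 "IBGP": 200, "EBGP": 20}


@dataclass
class Route:
    prefix: str                        # e.g. "10.5.0.0/16"
    proto: str                         # a key of INTERNAL_PREF, e.g. "IS-IS Level-1"
    next_hop: str
    metric: int = 0
    preference: Optional[int] = None   # manually configured external preference

    def external_pref(self) -> int:
        if self.preference is not None:
            return self.preference
        key = "IS-IS" if self.proto.startswith("IS-IS") else self.proto
        return EXTERNAL_PREF[key]

    def internal_pref(self) -> int:
        return INTERNAL_PREF[self.proto]

    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.prefix).prefixlen

    def sort_key(self):
        # Steps 2, 3 and 4 of the decision: external, internal, metric.
        return (self.external_pref(), self.internal_pref(), self.metric)


def select_best(routes: List[Route], destination: str) -> List[Route]:
    """Return the route(s) the router would install for `destination`.
    Step 1 keeps only the longest matching prefixes; the remaining steps keep the
    lowest (external, internal, metric) key. More than one survivor means
    equal-cost routes over different next hops, i.e. load balancing."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return []
    longest = max(r.prefixlen() for r in candidates)
    candidates = [r for r in candidates if r.prefixlen() == longest]
    best_key = min(r.sort_key() for r in candidates)
    return [r for r in candidates if r.sort_key() == best_key]


# Constructed routing table: addresses and next hops are made up for this example.
SAMPLE_RIB = [
    Route("10.0.0.0/8",    "OSPF",   "192.0.2.1", metric=20),
    Route("10.5.0.0/16",   "Static", "192.0.2.2", preference=5),   # same external pref...
    Route("10.5.0.0/16",   "OSPF",   "192.0.2.3", metric=30, preference=5),  # ...as this one
    Route("10.5.7.0/24",   "RIP",    "192.0.2.4", metric=3),
    Route("172.16.0.0/16", "Static", "198.51.100.1"),
    Route("172.16.0.0/16", "Static", "198.51.100.2"),
    Route("172.16.0.0/16", "Static", "198.51.100.3", preference=65),  # floating static
]


def best_protocols(destination: str) -> List[str]:
    return [r.proto for r in select_best(SAMPLE_RIB, destination)]


def best_next_hops(destination: str) -> List[str]:
    return [r.next_hop for r in select_best(SAMPLE_RIB, destination)]


if __name__ == "__main__":
    for dst in ("10.5.7.9", "10.5.1.1", "10.9.9.9", "172.16.4.4"):
        print(dst, "->", best_next_hops(dst), best_protocols(dst))
```

For 10.5.1.1 the two /16 routes share external preference 5, so the internal table decides and OSPF (10) beats Static (60), exactly the case worked in the notes; for 172.16.4.4 the two statics at default preference 60 tie and both are returned, while the preference-65 floating static stays out.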

<Other Considerations>

1. Route Convergence
> Default convergence priorities of public routes
[Routing Protocol or Route Type] [Convergence Priority]
Direct High
Static Medium
32-bit host routes of OSPF & IS-IS Medium
OSPF routes (excluding 32-bit host routes) Low
IS-IS routes (excluding 32-bit host routes) Low
RIP Low
BGP Low

2. Autonomous System (AS) number types & ranges


[AS Number Type] [2-Bytes AS Number] [4-Bytes AS Number]
Public AS Number 1 to 64511 1 to 64511, 65536 to 4294967295
Private AS Number 64512 to 65535 64512 to 65535

>display ip routing-table - Display best routes (RT)

- Static Route
]ip route-static <Dest_IP> <Dest_Mask> - System view] Set a static route. The mask can be a subnet mask (255.255.255.0) or prefix format (24)
<Next-Hop_IP> - Define the static route with a next hop, used in Ethernet environments
<Interface_type> <Outbound_Interface_ID> - Define the static route with an outbound interface, must be configured for serial media (P2P)
{Next-Hop_IP | interface} preference INTEGER<1-255> - Preference parameter used for floating static routes, or simply to define a preference different from the default (60)
- Load Balancing is applied when there are two or more routes with same weights towards the same destination,
by different next-hops
<Static route example> -
ip route-static 11.0.0.0 255.255.255.0 10.0.0.1
ip route-static 11.0.0.0 255.255.255.0 20.0.0.1 preference 65
ip route-static 33.0.0.0 24 30.0.0.2

ip route-static 0.0.0.0 0 10.0.0.1 - Default route with next-hop, using prefix format (0), however in the config is stored as 0.0.0.0 (Simulated)
ip route-static 0.0.0.0 0.0.0.0 serial 0/0

- RIP
<All of this was validated via Simulation>
]rip INTEGER<1-65535> - Enable RIP. If no Process ID is defined, the default process 1 is used.
- It is recommended to use the same Process ID on all routers
version 2 - Set RIP version
network x.x.x.x - Match interfaces participating in the RIP process
silent-interface <Interface> - The interface will NOT participate in RIP but will still receive and process RIP routes:
it only adds info to the RT and does NOT forward RIP updates out
- Takes precedence over rip input & rip output

<Other way to apply silent-interface>


silent-interface all - Apply silent to all interfaces
undo silent-interface <Interface> - Recommended to define which interfaces are not affected by silent

]interface gigaethernet x/x/x <RIP Interface level commands>


rip metricin INTEGER<0-15> - Adds the metric value set in the command to the metric value received in the advertisement
rip metricout INTEGER<0-15> - Normally RIP increments the metric by 1 when sending an advertisement to the next hop (1 + original_metric); with metricout..
- ADD an increment of X_Value to the metric before forwarding the advertisement to the next hop
- Outbound update metric = metricout_Value + original_metric

rip split-horizon - Enables split horizon; it is enabled by default

rip poison-reverse - If both are enabled, only poison-reverse takes effect

- By default every interface matched by the RIP network command allows outbound & inbound RIP advertisements
undo rip output - Outbound RIP advertisements restricted; RIP update messages cease to be forwarded out
undo rip input - Inbound RIP advertisements restricted; any inbound RIP update messages are discarded immediately

]display rip <Process_ID> interface <Interface> verbose

>display rip 2 ?
bfd - Bidirectional Forwarding Detection
database - Database information
graceful-restart - Graceful restart information
interface - Interface information
neighbor - Neighbour information
route - Route information
statistics - Statistical information
| - Matching output
<cr>

- OSPF <All of this was validated via Simulation>


]ospf INTEGER<1-65535> router-id <x.x.x.x>
bandwidth-reference INTEGER<1-2147483648> - The reference bandwidth (Mbit/s); default cost formula = 10^8 / Bandwidth
silent-interface <interface> - Stop Hellos on the interface = no OSPF neighbor forms
area 0
network <Network> <Wildcard> description <TEXT> - Match interfaces participating in OSPF process, similar to Cisco

]interface <Interface>
ospf enable <Process _ID> area <Area_ID> - Enable OSPF per interface

ospf network-type ?
broadcast - Specify OSPF broadcast network
nbma - Specify OSPF NBMA network
p2mp - Specify OSPF point-to-multipoint network
p2p - Specify OSPF point-to-point network

ospf cost INTEGER<1-65535>


ospf authentication-mode md5 <Key_ID> <Password>

]display ospf peer


]display ospf <Process_iD> <Interface>
]terminal debugging
]debugging ospf packet

>display ospf ?
INTEGER<1-65535> Process ID
abr-asbr Information of the OSPF ABR and ASBR
asbr-summary Information of aggregate addresses for OSPF(only for ASBR)
bfd Bidirectional forwarding detection
brief Brief information of OSPF processes
cumulative Statistics information
error Error information
global-statistics OSPF global statistics
graceful-restart Display GR information
interface Interface information
ldp-sync LDP-OSPF synchronization Information
lsdb Link state database
mesh-group Detail information for Mesh-Group
nexthop Nexthop information
peer A neighbor router
request-queue Link state request list
retrans-queue Link state retransmission list
routing OSPF route table
spf-statistics Statistics of SPF calculation
statistics Statistics information
vlink Virtual link information

- BGP <All of this was validated via Simulation>


<Overview>
- BGP is a path vector protocol that allows devices between ASs to communicate & selects optimal routes
- RFCs
BGP-4 RFC 1771 (has been used since 1994); unicast IPv4 networks have been using BGP-4 as defined in RFC 4271
MP-BGP* RFC 4760
* MP-BGP is an extension of BGP-4 and applies to different networks; however, the original message exchange and routing mechanisms of BGP-4 are not changed.
MP-BGP applications on IPv6 unicast and IPv4 multicast networks are called BGP4+ and Multicast BGP (MBGP) respectively.

- EBGP vs IBGP
> EBGP runs between ASs
> IBGP runs within an AS
>> To prevent routing loops within an AS, a BGP device does not advertise the routes learned from an IBGP peer to the other IBGP peers & establishes full-mesh connections with all IBGP peers
>> To address the problem of too many IBGP connections between IBGP peers, BGP uses Route Reflector and BGP Confederation.

- Devices roles in BGP message exchange


> Speaker
>> Device that sends BGP messages
>> Receives & generates new routes
>> Advertises routes to other BGP speakers
> Peer
>> BGP speakers that exchange messages with each other are BGP peers
>> A group of BGP peers sharing the same policies can form a peer group

- BGP Router ID
> 32-bit value
> Often represented by an IPv4 address to identify a BGP device
> It is carried in the Open message sent during the establishment of a BGP session
> When 2 BGP peers need to establish a BGP session, they each require a unique router ID. Otherwise, the two peers cannot establish a BGP session

- BGP Messages
> Open
>> Used to establish BGP peer relationships.
> Update
>> Used to exchange routes between BGP peers.
> Notification
>> Used to terminate BGP connections.
> Keepalive
>> Used to maintain BGP connections.
> Route-refresh
>> Used to request the peer to retransmit routes if routing policies are changed.
>> Only the BGP devices supporting route-refresh can send and respond to Route-refresh messages.

- BGP state machine


> BGP uses a finite state machine (FSM) to determine its operations with peers
> FSM states: Three common states are involved in BGP peer establishment: Idle, Active, and Established.
>> Idle
>> Connect
>> Active
>> OpenSent
>> OpenConfirm
>> Established

- DHCP
<Interface Pool mode>
]dhcp enable - system view] Enable the service DHCP
]interface <Interface>
ip address <IP> <Mask> - Without an IP address, the following commands cannot be configured
dhcp select interface - Use the local interface pool
dhcp server dns-list <DNS_IP>
dhcp server excluded-ip-address <Excluded_IP> - The gateway (= IP address of the interface) cannot be excluded
dhcp server lease day <X> - Default 1 day

]display ip pool interface <Interface>

<Global Pool mode>


]dhcp enable
]ip pool <Pool_NAME>
network <Network> mask <Mask>
gateway-list <Gateway_IP>
lease day <X>

]interface <Interface>
dhcp select global - Associate the interface with a global DHCP pool

- FTP
]ftp server enable - Required to enable the FTP service
]set default ftp-directory <Location> - The default local directory must be set

]aaa
local-user MURI password cipher CISCO
local-user MURI service-type ftp
local-user MURI ftp-directory <Location>
local-user MURI access-limit 200
local-user MURI idle-timeout 0 0
local-user MURI privilege level 3
<Connect to FTP server>
>ftp <IP_FTP_Server> - Credentials are requested by the FTP server (user/pass)
[ftp]get <FILE_NAME> - Retrieve the file from the FTP server to the device

- Example:
local-user ftp_user1 password irreversible-cipher cisco123
local-user ftp_user1 privilege level 15
local-user ftp_user1 ftp-directory flash:
local-user ftp_user1 service-type ftp

- Telnet
]user-interface vty 0 4
authentication-mode ?
aaa - AAA authentication
none - Login without checking
password - Authentication through the password of a user terminal interface

]user-interface vty 0 4
authentication-mode password
set authentication password cipher CISCO

- Link aggregation / Eth-Trunk


_Modes
- Manual
- LACP

<Manual L2 Eth-Trunk>
interface Eth-Trunk20 - By default an Eth-Trunk is at L2 (“portswitch”)
#
interface GigabitEthernet0/0/1
eth-trunk 20
#
interface GigabitEthernet0/0/2
eth-trunk 20

<Manual L3 Eth-Trunk>
interface Eth-Trunk20
undo portswitch - Force Eth-trunk to L3 mode
ip address <IP> <Mask>
#
interface GigabitEthernet0/0/1
eth-trunk 20
#
interface GigabitEthernet0/0/2
eth-trunk 20

<L2 Eth-Trunk with LACP>


interface Eth-Trunk51
description to_XXXXXXXX
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp
#
interface GigabitEthernet0/0/27
eth-trunk 51
#
interface GigabitEthernet0/0/28
eth-trunk 51

- VLAN
<Creating VLANs>
vlan INTEGER<1-4094>
<Examples VLAN creation>
vlan 10 - One VLAN creation
vlan batch 2 to 20 - Range VLAN creation
vlan batch 2 7 22 - Random VLAN creation

display vlan
display port vlan active

<Setting the port Link Type>


]interface <Interface>
port link-type ?
access - Access port
dot1q-tunnel - QinQ port
hybrid - Hybrid port
trunk - Trunk port

<Assigning Ports to VLANs>


vlan 10
port <Interface>

interface <interface>
port link-type access
port default vlan 10

<Forwarding Over the Trunk>


interface <Interface>
port link-type trunk
port trunk pvid vlan 10 - PVID = Port VLAN ID; assigns a VLAN to the TRUNK port, traffic for VLAN 10 is sent UNTAGGED over the trunk
<Different methods allow VLANs>
port trunk allow-pass vlan 11 to 20 - Range
port trunk allow-pass vlan 2 3 7 - Random
port trunk allow-pass vlan all - ALL

<configuring Hybrid Ports>


<Access port (Host - UNTAGGED)>
interface g0/0/1
port link-type hybrid
port hybrid pvid vlan 3
port hybrid untagged vlan 3

interface g0/0/2
port link-type hybrid
port hybrid pvid vlan 4
<Ways to allow send traffic untag for different VLANs on port>
port hybrid untagged vlan 3 4 - Send untagged traffic for VLANs 3 and 4 on this port
port hybrid untagged vlan 3 to 9
port hybrid untagged vlan all

<Trunk port (switch to switch - TAGGED)>


interface <Interface>
port link-type hybrid
port hybrid pvid vlan 2 - Assign the PVID to the hybrid port; ALL VLANs are TAGGED on hybrid ports, so VLAN 2 is TAGGED
- Note that if VLAN 2 is not explicitly carried on this port, it will not pass over the port

port hybrid tagged vlan 3 4 - Define the TAGGED VLANs that are carried over this port
port hybrid tagged vlan 3 to 9 - Hybrid ports do not have an ALLOW parameter like trunk ports; the tagged parameter is sufficient
port hybrid tagged vlan all
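Added example (not from the notes): a Python model of how access, trunk and hybrid ports handle a frame, covering the PVID, allow-pass, tagged and untagged rules described in this VLAN section. The port names are constructed; the ingress rule (an untagged frame is assigned the PVID, a tagged frame keeps its VID, and either way the port must carry that VLAN) is a simplification of the switch behaviour, and the model, like the switch, also requires a trunk's PVID to be in its allow-pass list before that VLAN is sent untagged.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    link_type: str                       # "access", "trunk" or "hybrid"
    pvid: int = 1                        # port default vlan / port trunk pvid / port hybrid pvid
    allowed: Set[int] = field(default_factory=lambda: {1})   # trunk: port trunk allow-pass vlan
    tagged: Set[int] = field(default_factory=set)            # hybrid: port hybrid tagged vlan
    untagged: Set[int] = field(default_factory=set)          # hybrid: port hybrid untagged vlan


def egress(port: Port, vlan: int) -> str:
    """How a frame of VLAN `vlan` leaves the port: 'untagged', 'tagged' or 'dropped'."""
    if port.link_type == "access":
        return "untagged" if vlan == port.pvid else "dropped"
    if port.link_type == "trunk":
        if vlan not in port.allowed:
            return "dropped"            # the PVID itself must also be in allow-pass
        return "untagged" if vlan == port.pvid else "tagged"
    if port.link_type == "hybrid":
        if vlan in port.untagged:
            return "untagged"
        if vlan in port.tagged:
            return "tagged"
        return "dropped"                # no ALLOW list: a VLAN not listed is not carried
    raise ValueError(f"unknown link type {port.link_type!r}")


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN assigned to a received frame, or None when it is dropped.
    Untagged frame -> PVID; tagged frame -> its VID. Assumption of this model:
    the frame is accepted only if the port carries that VLAN at all."""
    vlan = port.pvid if tag is None else tag
    return vlan if egress(port, vlan) != "dropped" else None


def forward(in_port: Port, tag: Optional[int], out_port: Port) -> str:
    """Result of a frame entering in_port (tag = VID or None) and leaving out_port."""
    vlan = ingress(in_port, tag)
    return "dropped" if vlan is None else egress(out_port, vlan)


# Constructed ports mirroring the configurations in this section (names are examples).
HOST_PORT = Port("GigabitEthernet0/0/1", "hybrid", pvid=3, untagged={3})         # host, untagged
PHONE_PC_PORT = Port("GigabitEthernet0/0/2", "hybrid", pvid=4, untagged={3, 4})  # two VLANs untagged
UPLINK_HYBRID = Port("GigabitEthernet0/0/3", "hybrid", pvid=2, tagged={3, 4})    # PVID 2 not carried
UPLINK_TRUNK = Port("GigabitEthernet0/0/4", "trunk", pvid=10, allowed=set(range(10, 21)))
ACCESS_PORT = Port("GigabitEthernet0/0/5", "access", pvid=10)

if __name__ == "__main__":
    print("host -> hybrid uplink:", forward(HOST_PORT, None, UPLINK_HYBRID))
    print("VLAN 2 on hybrid uplink:", egress(UPLINK_HYBRID, 2))
    print("PVID 10 on trunk:", egress(UPLINK_TRUNK, 10))
```

The `UPLINK_HYBRID` case is the trap noted above: PVID 2 is set but VLAN 2 is neither tagged nor untagged on the port, so untagged frames arriving there are dropped and VLAN 2 never crosses the link.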

<Voice VLAN>
]voice 30

]interface <Interface>
voice-vlan 2 enable
voice-vlan mode auto

]voice-vlan mac-address <MAC> mask <MAC_Mask> - Example of MAC_Mask = FFFF-FF00-0000

]display voice-vlan status

<VLAN - CAUTION>
display vlan summary - Validate the “Reserved VLAN” part: check which VLANs CANNOT be used
- Reserved VLANs cannot be configured; changing the reserved VLANs requires a reboot of the device

- GARP & GVRP // Similar to VTP


_GARP (Generic Attribute Registration Protocol):
- GARP is the architecture on which the registration, deregistration & propagation of attributes between switches is enabled
_GVRP (GARP VLAN Registration Protocol or Generic VLAN Registration Protocol):
- GVRP is an application of GARP; it maintains dynamic VLAN registration info in a device & propagates the info to other devices

]gvrp - Enable GVRP globally

]interface <Interface>
port link-type trunk - Like VTP, GVRP operates only on trunk ports
port trunk allow-pass vlan all
gvrp - Enable GVRP on interface
gvrp registration ?
fixed - Registration type fixed // Deny Dynamic VLAN, allow send Static VLAN
forbidden - Registration type forbidden // Deny all, allow only VLAN1
normal - Registration type normal, default mode //Allow all (Static & Dynamic VLAN)

- VLAN Routing
1. Switch + Router (similar to Cisco router on stick)
<Switch>
- The port connected to the router must be TRUNK
- The trunk port must allow the VLANs received on the router
- VLANs must be sent TAGGED to the router
- Normal configuration must be set on the switch

<Router>
- Needs a subinterface
- Must define dot1q tagging and the VLAN ID on the subinterface. Allows sending traffic TAGGED, and reading/removing the VID tag from incoming traffic
- ARP broadcast must be enabled on the subinterface; it is disabled by default

]interface gigaethernet0/0/0.1 - The subinterface range can be from 1-4096


dot1q termination vid <VLAN_ID>
ip address <IP> <Mask>
arp broadcast enable

2. L3 Switch (Cisco SVI concept)


- An L3 switch is more efficient
- Uses a VLANIF as the L3 interface termination and gateway of the VLAN segment
- Normal configuration must be set on the switch (VLANs, trunks, access...)
- The VLANIF is UP when: the related VLAN is created, and the VLAN is allowed on at least one trunk port or associated with an access port

]interface vlanif <1 - 4094>


ip address <IP> <Mask>

- HDLC
interface serial x/x/x
link-protocol hdlc
ip address <IP> <Mask>

interface serial x/x/x


link-protocol hdlc - Serial P2P networks support assigning an unnumbered address
ip address unnumbered interface <Interface_Source_of_IP> - Borrows the IP from another interface

- PPP
interface serial x/x/x
link-protocol ppp
ip address <IP> <Mask>

<PAP Authentication>
R1 (s0/0)----------PPP----------(s0/1) R2

R1
aaa
local-user MURI password cipher CISCO - PAP/CHAP credentials can be configured under aaa or in interface mode
local-user MURI service-type ppp

interface s0/0
link-protocol ppp
ppp authentication-mode pap - User/password are sent in clear text over the link
ip address <x.x.x.1> <30>

R2
interface serial 0/1
link-protocol ppp
ppp pap local-user MURI password cipher CISCO - PAP/CHAP credentials can be configured under aaa or in interface mode
ip address <x.x.x.2> <30>

>debugging ppp pap all

<CHAP Authentication>
R1 (s0/0)----------PPP----------(s0/1) R2

R1
aaa
local-user MURI password cipher CISCO
local-user MURI service-type ppp

interface s0/0
link-protocol ppp
ppp authentication-mode chap
ip address <x.x.x.1> <30>

R2
interface serial 0/1
link-protocol ppp
ppp chap user MURI
ppp chap password cipher CISCO - The password is NOT sent over the link
ip address <x.x.x.2> <30>

>debugging ppp chap all


- Frame-Relay
DTE-1 -----------------DCE-1--------DCE-2-----------------DTE-2
10.0.0.1 DLCI:100 DLCI:200 10.0.0.2

DTE
interface <Interface>
link-protocol fr
fr interface-type dte
ip address 10.0.0.1 24
fr inarp - Dynamic mapping: InverseARP enabled
<Manual option>
undo fr inarp - Static MAP configuration: disable InARP
fr map ip 10.0.0.2 100 <broadcast> - Manual mapping. If there is a manual entry, it takes precedence over the InARP entry
- broadcast is used when broadcast traffic must be carried over the PVC, e.g. when a dynamic routing protocol runs over the link
display fr pvc-info
display fr map-info

- PPPoE
R1-G0/1---------------------------------R2
PPPoE_Client PPPoE_Server

1. Configuring a PPP DIALER INTERFACE


R1
]dialer-rule
dialer-rule 1 ip permit
quit
interface dialer 1
dialer user enterprise
dialer-group 1 - Must match dialer-rule number
dialer bundle 1
ppp chap user enterprise@huawei
ppp chap password cipher huawei
ip address ppp-negotiate

2. PPPoE SESSION BINDING


The PPPoE session is bound to the dialer bundle and associated with the PPPoE WAN interface

R1
interface g0/1
pppoe-client dial-bundle-number 1 on-demand
quit
ip route-static 0.0.0.0 0 dialer 1

display interface dialer 1


display pppoe-client session summary

- ACL
Type          Range       Matches on
Basic         2000-2999   Source IP
Advanced      3000-3999   Source & destination IP, protocol, source & destination port
Layer 2 ACL   4000-4999   MAC address

<Basic ACL>
acl 2000
rule deny source 192.168.1.0 0.0.0.255
rule permit source 192.0.2.0 0.0.0.255
interface <Interface>
traffic-filter outbound acl 2000

]display acl 2000

<Advanced ACL>
acl 3000
rule deny tcp source 192.0.0.0 0.0.0.255 destination 172.0.0.0 0.0.0.255 destination-port eq 21
rule deny ip source 192.0.2.0 0.0.0.255 destination 172.0.2.2 0.0.0.0
interface <Interface>
traffic-filter inbound acl 3000

]display acl 3000
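The two ACL blocks above read naturally once the wildcard-mask and first-match semantics are explicit. The following is an added example, not from the notes and not Huawei software: a small evaluator that parses rule lines in the syntax used above (basic and advanced ACLs, "eq" port matches), applies them in configuration order (the default match-order config) and returns the action for a constructed packet. It also makes one point the notes leave implicit: a traffic-filter permits a packet that matches no rule, the opposite of Cisco's implicit deny, so a closing "rule deny ip" is needed if the intent is allow-listing. Function and variable names are this example's own.

```python
import ipaddress

ACTIONS = ("permit", "deny")
PROTOS = ("ip", "tcp", "udp", "icmp")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored ("0" = host)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line: str) -> dict:
    """Parse one 'rule ...' line of a basic (2000-2999) or advanced (3000-3999) ACL."""
    t = line.split()
    if not t or t[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 1
    rule = {"id": None, "action": None, "proto": "ip",
            "src": None, "dst": None, "sport": None, "dport": None}
    if t[i].isdigit():                 # explicit rule ID (auto-numbered 5,10,... if omitted)
        rule["id"] = int(t[i]); i += 1
    if t[i] not in ACTIONS:
        raise ValueError(f"bad action in {line!r}")
    rule["action"] = t[i]; i += 1
    if i < len(t) and t[i] in PROTOS:  # only advanced ACLs carry a protocol
        rule["proto"] = t[i]; i += 1
    while i < len(t):
        key = t[i]
        if key in ("source", "destination"):
            field = "src" if key == "source" else "dst"
            if t[i + 1] == "any":
                rule[field] = None; i += 2
            else:
                rule[field] = (t[i + 1], t[i + 2]); i += 3
        elif key in ("source-port", "destination-port") and t[i + 1] == "eq":
            field = "sport" if key == "source-port" else "dport"
            rule[field] = int(t[i + 2]); i += 3
        else:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
    return rule


def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for field in ("src", "dst"):
        if rule[field] is not None and not wildcard_match(pkt[field], *rule[field]):
            return False
    for field in ("sport", "dport"):
        if rule[field] is not None and pkt.get(field) != rule[field]:
            return False
    return True


def traffic_filter(rules: list, pkt: dict) -> str:
    """First matching rule wins. A packet that matches no rule is PERMITTED by
    traffic-filter (no implicit deny), so allow-listing needs a closing deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "permit"


# The advanced ACL 3000 from the notes above, as written, and a closed variant.
ACL_3000 = [parse_rule(line) for line in """
rule deny tcp source 192.0.0.0 0.0.0.255 destination 172.0.0.0 0.0.0.255 destination-port eq 21
rule deny ip source 192.0.2.0 0.0.0.255 destination 172.0.2.2 0.0.0.0
""".strip().splitlines()]
ACL_3000_CLOSED = ACL_3000 + [parse_rule("rule deny ip")]

if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    for pkt in ({"proto": "tcp", "src": "192.0.0.7", "dst": "172.0.0.9", "dport": 21},
                {"proto": "tcp", "src": "192.0.0.7", "dst": "172.0.0.9", "dport": 22},
                {"proto": "tcp", "src": "192.0.2.5", "dst": "172.0.2.3", "dport": 21}):
        print(pkt, "->", traffic_filter(ACL_3000, pkt), "/ closed:", traffic_filter(ACL_3000_CLOSED, pkt))
```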

<ACL Application – NAT>


nat address-group 1 200.0.0.1 200.0.0.10
nat address-group 2 200.0.2.1 200.0.2.10
acl 2000
rule permit source 10.0.0.0 0.0.0.255
acl 2001
rule permit source 20.0.0.0 0.0.0.255

interface <interface>
nat outbound 2000 address-group 1 - More than one NAT statement can be configured on the same interface
nat outbound 2001 address-group 2 - Each statement pairs one ACL with one pool (ACL 2001 is the one defined above)
- NAT
<Static NAT>
Pool: 200.0.0.5 - .10
<------Inside global----->

RED_LAN-----------------------------------------------G0/1 R1 G0/2--------------------Internet
Internal Server:10.0.0.22/24 10.0.0.1/24 200.0.0.1/24

R1
interface gi0/1
ip address 10.0.0.1 24
interface gi0/2
ip address 200.0.0.1 24

nat static global 200.0.0.5 inside 10.0.0.22 - One-to-one mapping of public 200.0.0.5 (from the pool) to internal 10.0.0.22, in both directions

]display nat static

<Dynamic NAT>
R1
]nat address-group 1 200.0.0.1 200.0.0.10 - Pool public address

]acl 2000
rule 5 permit source 10.0.0.0 0.0.0.255 - Match the interesting traffic to translate
quit

interface gi0/2
nat outbound 2000 address-group 1 no-pat - no-pat disables port address translation: each inside host takes a whole pool address, so at most 10 hosts translate at the same time

]display nat address-group 1


]display nat outbound

<Easy IP (PAT using the outbound interface address, Cisco “overload”)>


R1
]acl 2000
rule 5 permit source 10.0.0.0 0.0.0.255 - Match the interesting traffic to translate
quit

interface gi0/2
nat outbound 2000 - No address-group: sources matching ACL 2000 are translated to the address of gi0/2, distinguished by port

]display nat outbound

<NAT Internal Server Configuration>


R1
interface gi0/1
ip address 10.0.0.1 24
interface gi0/2
ip address 200.0.0.1 24
nat server protocol tcp global 200.0.0.5 www inside 10.0.0.22 8080 - Publish internal 10.0.0.22:8080 as 200.0.0.5:80 (www = port 80)

]display nat server


]display nat session all - similar to “sh ip nat tr”
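The operational difference between "no-pat" dynamic NAT and Easy IP is pool exhaustion, which the notes only hint at. The following is an added example, not from the notes and not router code: a minimal model of the outbound translation step with the pool 200.0.0.1-200.0.0.10 and ACL 2000 from above, showing that under no-pat the eleventh inside host gets no translation (its packet is dropped) while PAT on a single interface address keeps going by multiplexing ports. Session timeouts and port exhaustion are not modelled; class and function names are this example's own.

```python
import ipaddress


def expand_pool(first: str, last: str) -> list:
    """Expand a 'nat address-group FIRST LAST' range into individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class OutboundNat:
    """Models 'nat outbound <acl> [address-group N] [no-pat]' on one interface."""

    def __init__(self, interesting: str, global_addrs: list, pat: bool):
        self.acl = ipaddress.ip_network(interesting)   # the 'rule permit source' of ACL 2000
        self.free = list(global_addrs)                 # unallocated pool addresses
        self.pat = pat
        self.bindings = {}    # no-pat: inside ip -> global ip (one address per host)
        self.sessions = {}    # (inside ip, inside port) -> (global ip, global port)
        self.next_port = {g: 1024 for g in global_addrs}

    def outbound(self, src_ip: str, src_port: int):
        """Returns the (global ip, global port) a packet leaves with, the original
        pair if the ACL does not match, or None if it is dropped."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return (src_ip, src_port)          # not interesting: forwarded untranslated
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]
        if self.pat:
            g = self.free[0]                    # Easy IP: the interface address only
            p = self.next_port[g]
            self.next_port[g] += 1
            self.sessions[key] = (g, p)
        else:
            if src_ip not in self.bindings:
                if not self.free:
                    return None                 # pool exhausted: packet dropped
                self.bindings[src_ip] = self.free.pop(0)
            self.sessions[key] = (self.bindings[src_ip], src_port)
        return self.sessions[key]


if __name__ == "__main__":
    nopat = OutboundNat("10.0.0.0/24", expand_pool("200.0.0.1", "200.0.0.10"), pat=False)
    easy = OutboundNat("10.0.0.0/24", ["200.0.0.1"], pat=True)
    for host in range(1, 12):                   # 11 inside hosts, constructed
        src = f"10.0.0.{host}"
        print(src, "no-pat ->", nopat.outbound(src, 40000), " easy-ip ->", easy.outbound(src, 40000))
```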

- 3G Network
< Configuring a 3G cellular interface >
interface cellular x/x/x
ip address ppp-negotiate
profile create 1 static 3GNET
mode wcdma wcdma-precedence
quit

< Set the Dial Control Centre >


dialer-rule
dialer-rule 1 ip permit
quit

interface cellular x/x/x


dialer enable-circular
dialer-group 1
dialer number *99#

< Conf NAT Role & Static route >


acl number 3xxx
rule 5 permit ip source <x.x.x.x> <wildcard>
quit

interface cellular x/x/x


nat outbound 3xxx
quit

ip route-static 0.0.0.0 0 cellular 0/0/0

display interface cellular x/x/x


display nat outbound
- AAA & SSH
< Local Configuration>
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
local-aaa-user password policy administrator
password expire 0
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user rc_jomurillo password irreversible-cipher <PASSWORD>
local-user rc_jomurillo privilege level 15
local-user rc_jomurillo service-type terminal ssh

stelnet server enable - Enable the STelnet (SSH) server


ssh user rc_jomurillo
ssh user rc_jomurillo authentication-type password
ssh user rc_jomurillo service-type stelnet
ssh client first-time enable - Enable first-time authentication on the SSH client.
The client skips validating the server's RSA public key the first time the STelnet or
SFTP client connects and saves whatever key it is offered. This is trust-on-first-use: an
attacker in the path of that first connection can present their own key and stays trusted
afterwards. Compare the fingerprint the client shows with the key on the server before accepting it.

rsa local-key-pair create

display ssh server status


display users
display current-configuration | include ssh
display rsa local-key-pair public
display domain name <NAME>
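The check that makes "first-time enable" safe is comparing the fingerprint the client prints against the router's own key. The following is an added example, not from the notes and not Huawei or OpenSSH code: it assembles the ssh-rsa wire encoding (RFC 4253 string/mpint) from a modulus and exponent, derives the SHA256 and MD5 fingerprints in the formats SSH clients display, and compares a pinned value against a presented key. The modulus used is a constructed toy value, far too small for a real key; in practice the numbers come from the hex shown by display rsa local-key-pair public, whose exact output format varies by VRP version. Function and variable names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set so it is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """The public-key blob an SSH server sends (and authorized_keys base64-encodes)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """What current OpenSSH prints on first connect: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Older clients show the MD5 colon-separated form."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(pinned: str, blob: bytes) -> bool:
    """Compare a pinned SHA256 fingerprint against the key a server presents."""
    return hmac.compare_digest(pinned, fingerprint_sha256(blob))


# Toy exponent/modulus (constructed, not a real key) standing in for the values
# read from 'display rsa local-key-pair public' on the router.
ROUTER_E = 0x010001
ROUTER_N = int("C0FFEE1D" * 8, 16)
ROUTER_BLOB = ssh_rsa_blob(ROUTER_E, ROUTER_N)

if __name__ == "__main__":
    print("pin this:", fingerprint_sha256(ROUTER_BLOB))
    print("legacy  :", fingerprint_md5(ROUTER_BLOB))
    print("wrong key accepted?", host_key_matches(fingerprint_sha256(ROUTER_BLOB),
                                                  ssh_rsa_blob(ROUTER_E, ROUTER_N + 2)))
```

Record the SHA256 line from the router before the first STelnet/SFTP login, compare it with what the client prints, and only then let the client save the key.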

- IPsec
LAN1---------------R1 (G0/0)----------((IP Network))----------(G0/1) R2------------LAN2
10.0.0.0/24 .1 20.0.0.0/30 .2 30.0.0.0/24

<IPsec VPN Config>


[R1]
ip route-static 30.0.0.0 24 20.0.0.2
acl number 3xxx
rule permit ip source 10.0.0.0 0.0.0.255 destination 30.0.0.0 0.0.0.255

]ipsec ?
policy - Config IPSec security policy
policy-template - Policy template
profile - Config IPSec security profile
proposal - Config IPSec security proposal

ipsec proposal <PROPOSAL_NAME>


encapsulation-mode {transport | tunnel} - Specify the packet encapsulation mode of the security protocol
Transport: Only the payload of the IP packet is protected (original IP header kept)
Tunnel: The entire IP packet is protected and a new outer IP header is added (the usual site-to-site choice)
esp authentication-algorithm {md5 | sha1 | sha2-256 | sha2-384 | sha2-512}
esp encryption-algorithm {des | 3des | aes-128 | aes-192 | aes-256}
ah authentication-algorithm {md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3} - Specify the authentication algorithm of the IPSec security protocol
- md5, sha1, des and 3des are only kept for interoperability with old peers; configure sha2-256 (or stronger) with aes-256 for new tunnels

display ipsec proposal

<IPsec Policy Creation>


[R1]
ipsec policy <POLICY_NAME> <SEQUENCE#> {isakmp | manual} - Create an IPSec security policy
isakmp Use IKE to negotiate the IPSec SA (keys derived per session and rekeyed automatically)
manual Set the SPIs and keys by hand on both peers (the same static key until someone changes it)
security acl 3xxx - Specify the packets to be protected by this policy by ACL
proposal <PROPOSAL_NAME> - Config IPSec security proposal
tunnel remote 20.0.0.2 - Specify the IP address of IPSec tunnel remote peer
tunnel local 20.0.0.1 - Specify the IP address of IPSec tunnel local peer

<Specify the parameters of security association (SA)>


sa spi outbound esp 55555 - SPI of the outbound SA using ESP
sa spi inbound esp 12121 - SPI of the inbound SA using ESP. SPIs are mirrored on the peer: R1's outbound SPI (55555) is R2's inbound SPI, and vice versa

<Specify the key of manual SA with string format>


sa string-key outbound esp {cipher | simple} PASSWORD - Key of the outbound manual SA
sa string-key inbound esp {cipher | simple} PASSWORD - Key of the inbound manual SA. Keys are mirrored on the peer in the same way as the SPIs
- simple stores the key in clear text in the configuration (visible in display current-configuration); use cipher
<Applying IPsec Policies to interfaces>
[R1]
]interface gi0/0
ipsec policy <POLICY_NAME>
quit

display ipsec policy
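Several of the settings in these notes are acceptable in a lab but weak in production: PAP on the serial link, md5/sha1/des/3des in an IPsec proposal, manual-SA keys or passwords stored with "simple", and "ssh client first-time enable" left on. The following is an added example, not from the notes and not a Huawei tool: a small lint over a display current-configuration dump that flags each of those lines with a severity and the replacement, run here over a constructed sample config assembled from fragments of the sections above plus their safe counterparts. The regexes and severities are this example's own choices and are easy to extend.

```python
import re

# (regex for one config line, severity, remediation). Constructed for this example.
CHECKS = [
    (re.compile(r"^\s*ppp authentication-mode\b.*\bpap\b"), "high",
     "PAP sends the user name and password in clear text; use chap"),
    (re.compile(r"^\s*(esp|ah) authentication-algorithm (md5|sha1)\b"), "medium",
     "MD5/SHA-1 integrity is legacy; use sha2-256 or stronger"),
    (re.compile(r"^\s*esp encryption-algorithm (des|3des)\b"), "high",
     "DES/3DES are obsolete; use aes-256"),
    (re.compile(r"^\s*sa string-key (inbound|outbound) \S+ simple\b"), "high",
     "'simple' keeps the manual SA key in clear text in the config; use cipher"),
    (re.compile(r"\bpassword simple\b"), "high",
     "'simple' keeps the password in clear text in the config; use cipher or irreversible-cipher"),
    (re.compile(r"^\s*ssh client first-time enable\b"), "medium",
     "trust-on-first-use: the first SSH connection accepts any server key; verify the "
     "fingerprint, let the client save the key, then undo this setting"),
    (re.compile(r"^\s*password expire 0\b"), "low",
     "local passwords never expire under this policy"),
]


def lint(config_text: str) -> list:
    """Scan a configuration dump line by line.
    Returns one finding per offending line: {line, severity, text, advice}."""
    findings = []
    for lineno, text in enumerate(config_text.splitlines(), start=1):
        for pattern, severity, advice in CHECKS:
            if pattern.search(text):
                findings.append({"line": lineno, "severity": severity,
                                 "text": text.strip(), "advice": advice})
                break                      # one finding per line is enough
    return findings


# Constructed sample, not a real device dump.
SAMPLE_CONFIG = """\
interface Serial0/0
 link-protocol ppp
 ppp authentication-mode pap
#
ipsec proposal WEAK
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec proposal OK
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy P1 10 manual
 sa string-key outbound esp simple PASSWORD
 sa string-key inbound esp cipher %^%#Qw7xZt%^%#
#
ssh client first-time enable
local-user admin password simple Admin123
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} [{f['severity']:<6}] {f['text']}\n    -> {f['advice']}")
```

Feed it the output of display current-configuration saved to a file; lines already using cipher, chap, aes-256 or sha2-256 produce no finding.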

- GRE
LAN1---------------R1 (G0/0)----------((IP Network))----------(G0/1) R2------------LAN2
10.0.0.0/24 .1 20.0.0.0/30 .2 30.0.0.0/24

=========== GRE Tunnel ============


.1 40.0.0.0/24 .2

<GRE Config>
[R1]
Interface tunnel 0/0
ip address 40.0.0.1 24
tunnel-protocol gre
source 20.0.0.1
destination 20.0.0.2
keepalive period <period> [retry-times <retry-times>] - Send a keepalive every <period> seconds; after <retry-times> unanswered keepalives the tunnel interface goes down and the static route through it is withdrawn
quit

ip route-static 30.0.0.0 24 tunnel 0/0

display interface tunnel 0/0


display ip routing-table

- Network Management and Monitoring


< NQA> - Network Quality Analysis (NQA)
nqa test-instance <admin-name> <test-name> - Enter NQA test instance view (both names are strings of 1-32 characters)

- Example:
<Define the NQA test>
nqa test-instance ENLACE1 ICMP - Create NQA
test-type icmp
destination-address ipv4 172.30.254.33
frequency 10
probe-count 2
start now

<Bind the NQA test to a static route>


ip route-static <Dest_IP> <Mask> <Next-Hop> preference 70 description Backup - Backup route with preference 70 (a higher value is less preferred)
ip route-static <Dest_IP> <Mask> <Next-Hop> track nqa ENLACE1 ICMP description Principal - Primary route at the default preference 60; if the NQA test fails it is withdrawn and the backup takes over
