2020 Huawei ICT Competition Network Lab Exam For The Middle East

2020- Huawei ICT Competition

Network Lab Exam for the Middle East Region
Issue: 1.0

Huawei Technologies Co., LTD.


All Rights Reserved.
2020-2021 Huawei ICT Competition
Network Lab Exam for the Middle East Region INTERNAL

1 Task Design Background

A large foreign trade company has completed the construction of the
enterprise headquarters and needs to deploy the network solution for
communication between the headquarters and its branches.
The headquarters network and the harbor networks are connected to the
same ISP. Traffic is transmitted using MPLS VPN technology. A WLAN
network needs to be deployed at the headquarters network in order to
meet wireless office requirements.

2021-07-15 Huawei confidential. No spreading without permission. Page 2 of 15


1 Exam Description

1.1 Weighting
This exam consists of four parts: Routing & Switching, Security, WLAN, and
Cloud Computing. The total score is 1000.

Domain      Weight    Score
Datacom     55%       550
Security    30%       300
WLAN        15%       150

1.2 Exam Requirements


1. Carefully read the Exam Guidelines and exam tasks before taking
the exam.
2. If multiple solutions are available, select the best one.

1.3 Exam Platform


This exam is conducted on real devices.

1.3.1.1 Device List

• Two USG6350E firewalls (FW1-FW2)
• Eight AR6120 routers (AR1-AR8)
• Four S5720-36C-PWR-EI-AC switches (SW1-SW4)
• One AC6508 (AC1)
• One AP4050DN (AP1)
• One server (Server1)
• Three computers for examinees

1.3.1.2 Exam Tools

• Three computers for examinees, on which Putty & HedExLite & HedEx
product documentation is available

1.4 Saving Tasks


Before the exam ends, you are required to save the configuration file in
the correct folder. For details, refer to the Exam Guidelines.

2 Tasks

2.1 Network Topology


Figure 2.1.1.1.1.1.1.1 IP network topology

2.2 VLAN & IP Address Planning Table


Table 2.2.1.1.1.1.1.1.1 VLAN Planning Table

Device Name   Interface     Link Type   Allowed VLAN List
SW1           Eth-Trunk 1   Trunk       VLAN 10, 20, 100, 111, 200
              GE0/0/2       Trunk       VLAN 10, 20, 100, 200
              GE0/0/3       Trunk       VLAN 10, 20, 100, 200
              GE0/0/1       Access      VLAN 21
              GE0/0/4       Trunk       VLAN 10, 20, 23
SW2           Eth-Trunk 1   Trunk       VLAN 10, 20, 100, 111, 200
              GE0/0/2       Trunk       VLAN 10, 20, 100, 200
              GE0/0/3       Trunk       VLAN 10, 20, 100, 200
              GE0/0/1       Access      VLAN 23
              GE0/0/4       Access      VLAN 25
SW3           GE0/0/1       Access      VLAN 100
              GE0/0/4       Trunk       VLAN 10 (PVID)
              GE0/0/2       Trunk       VLAN 10, 20, 100, 200
              GE0/0/3       Trunk       VLAN 10, 20, 100, 200
SW4           GE0/0/1       Access      VLAN 200
              GE0/0/2       Trunk       VLAN 10, 20, 100, 200
              GE0/0/3       Trunk       VLAN 10, 20, 100, 200
AC1           GE0/0/1       Trunk       VLAN 10, 20, 23

Table 2.2.1.1.1.1.1.1.2 IP Address Planning

Device Name   Interface    IP Address
R1            Loopback0    1.1.1.1/32
              G0/0/0       100.1.12.1/30
              G0/0/1       100.1.14.1/30
              G0/0/2       10.1.11.2/30
R2            Loopback0    2.2.2.2/32
              G0/0/0       100.1.12.2/30
              G0/0/1       100.1.23.1/30
              G0/0/2       100.1.25.1/30
R3            Loopback0    3.3.3.3/32
              G0/0/0       100.1.36.1/30
              G0/0/1       100.1.23.2/30
              S1/0/0       10.1.37.1/30
R4            Loopback0    4.4.4.4/32
              G0/0/0       100.1.45.1/30
              G0/0/1       100.1.14.2/30
              G0/0/2       10.1.24.2/30
R5            Loopback0    5.5.5.5/32
              G0/0/0       100.1.45.2/30
              G0/0/1       100.1.56.1/30
              G0/0/2       100.1.25.2/30
R6            Loopback0    6.6.6.6/32
              G0/0/0       100.1.36.2/30
              G0/0/1       100.1.56.2/30
              G0/0/2       10.1.68.1/30
R7            Loopback0    7.7.7.7/32
              Loopback1    10.1.70.1/32
              S1/0/0       10.1.37.2/30
R8            Loopback0    8.8.8.8/32
              Loopback1    10.1.80.1/32
              G0/0/2       10.1.68.2/30
SW1           Loopback0    9.9.9.9/32
              VLANIF 21    10.1.21.2/30
              VLANIF 23    10.1.23.2/30
              VLANIF 111   10.1.111.1/30
              VLANIF 100   192.168.100.253/24
              VLANIF 200   192.168.200.253/24
SW2           Loopback0    10.10.10.10/32
              VLANIF 22    10.1.22.2/30
              VLANIF 24    10.1.25.1/30
              VLANIF 111   10.1.111.2/30
              VLANIF 100   192.168.100.252/24
              VLANIF 200   192.168.200.252/24
AC1           VLANIF 10    192.168.10.254/24
              VLANIF 20    192.168.20.254/24
              VLANIF 23    10.1.23.1/30
FW1           Loopback0    11.11.11.11/32
              G1/0/0       10.1.12.1/30
              G1/0/1       10.1.21.1/30
              G1/0/2       10.1.11.1/30
FW2           Loopback0    12.12.12.12/32
              G1/0/0       10.1.12.2/30
              G1/0/1       10.1.22.1/30
              G1/0/2       10.1.24.1/30
Server1       -            10.1.25.2/30

Table 2.2.1.1.1.1.1.1.3 Device Login Information

Device   Management Address         User Name   Password
FW1      https://192.168.0.1:8443   admin       ICT@Huawei2020
FW2      https://192.168.0.2:8443   admin       ICT@Huawei2020

2.3 HQs Network Settings


2.3.1 Link Aggregation
Configure link aggregation between SW1 and SW2 (G0/0/22 to G0/0/24).

1. Use LACP mode to negotiate the link aggregation peers.
2. Set the priority of SW1 to 0 so that SW1 is the Actor.
3. Perform load balancing based on the source and destination MAC
addresses.

2.3.2 VLAN and Port Link Type
Configure VLANs.

1. Create VLANs on all switches.
2. Set the required link type for interfaces on switches, configure allowed
VLANs on the related interfaces, and change PVIDs if required.

2.3.3 IP address
Use the information in Table 3-2 to configure IP addresses.

2.3.4 MSTP, VRRP
Task 1: MSTP
1. Add SW1, SW2, SW3 and SW4 to region HUAWEI with revision level 10,
and create instances MSTI1 and MSTI2. Map VLANs 10, 100 and 111 to MSTI1,
and map VLANs 20 and 200 to MSTI2 to load balance traffic.
2. Set SW1 as the root bridge of MSTI1 and SW2 as the backup bridge of
MSTI1.
3. Set SW2 as the root bridge of MSTI2 and SW1 as the backup bridge of
MSTI2.
4. Except for the ports that interconnect switches, ensure that ports do
not participate in MSTP calculation and enter the Forwarding state directly.
Enable the protection function on each root bridge.
Task 2: VRRP
5. Create VRRP group 1 on SW1 and SW2 for VLAN 100. Set SW1 as the
master device, with priority 120, virtual IP address 192.168.100.254 and a
preemption delay of 20 seconds. Set SW2 as the backup device and retain the
default priority.
6. Create VRRP group 2 on SW1 and SW2 for VLAN 200. Set SW2 as the
master device, with priority 120, virtual IP address 192.168.200.254 and a
preemption delay of 20 seconds. Set SW1 as the backup device and retain the
default priority.
7. Associate VRRP group 1 with VLANIF 100 on SW1 and set the reduced
value (value-reduced) to 30 when VLANIF 21 goes down. Associate VRRP
group 2 with VLANIF 200 on SW2 and set the reduced value (value-reduced)
to 30 when VLANIF 22 goes down.

2.3.5 DHCP
1. The aggregation switches (SW1 and SW2) function as DHCP servers to
assign IP addresses to PC1 and PC2.
2. Configure an IP pool (name: Pool1) on SW1 and SW2 to assign IP
addresses to PC1. The default gateway address is 192.168.100.254.
3. Configure an IP pool (name: Pool2) on SW1 and SW2 to assign IP
addresses to PC2. The default gateway address is 192.168.200.254.

2.3.6 OSPF
1. At the headquarters, use the information in Table 3-4 to configure
OSPF. Configure each device's Loopback0 IP address as its router ID. Set the
OSPF process ID to 1 and use the network command to advertise routes. All 32
bits must be exactly matched.
Table 2.3.6.1.1.1.1.1.1 OSPF Planning

Device Name   Interface    Area
SW1           Loopback0    0
              VLANIF 21    0
              VLANIF 100   1
              VLANIF 111   1
              VLANIF 200   1
SW2           Loopback0    0
              VLANIF 22    0
              VLANIF 25    1
              VLANIF 100   1
              VLANIF 111   1
              VLANIF 200   1
FW1           Loopback0    0
              G1/0/1       0
FW2           Loopback0    0
              G1/0/1       0

2. SW1 and SW2 are not allowed to exchange OSPF packets with each other
in VLAN 100 and VLAN 200.
3. To ensure the security of the backbone network, configure area
authentication on the devices in the backbone area, and set the authentication
mode to MD5 plain text authentication and the password to ICT@Huawei2020.

2.4 WLAN Network Configuration


2.4.1 Deploy the WLAN
Deploy a WLAN network at the headquarters according to the WLAN Data Planning table.

1. Configure network interworking between the AC, the AP, and the other network devices.
2. Configure the AP to go online. Configure the AP MAC authentication mode
and import the AP offline to allow the AP to go online.
3. Configure WLAN service parameters for STAs to access the WLAN. Ensure
the interconnection within the headquarters so that STA1 can communicate with
PC1 and PC2.
Table 2.4.1.1.1.1.3.1.1 WLAN Data Planning

Configuration Item          Data
Management VLAN             VLAN 10 and VLAN 23
Service VLAN                VLAN 20
CAPWAP Source               VLANIF 23: 10.1.23.1/30
DHCP server                 ACs function as DHCP servers to allocate addresses
                            to APs and STAs from the global address pool.
                            AP address pool name: AP-ICT; gateway address:
                            192.168.10.254/24
                            IP address pool for employee STAs: Employee-ICT;
                            Gateway address: 192.168.20.254/24
AP group                    Name: WLAN-ICT
AP name                     AP1
Regulatory domain profile   Name: default
                            Country code: CN
SSID profile                Name: Employee-ICT
                            SSID name: Employee-X (X indicates your group
                            name.)
Security profile            Name: Employee-ICT
                            Security policy: WPA-WPA2
                            Password: ICT@Huawei2020
VAP profile                 Name: Employee-ICT
                            Forwarding mode: Tunnel
                            Service VLAN: 20
                            Binding SSID profile, Security profile,

2.5 Multicast

2.5.1 PIM
1. Server1 is the multicast source, PC1 and PC2 are the receivers, and the
Loopback0 address of SW1 is the RP address.
2. OSPF has been used on the entire network for interworking. PIM-SM
has been configured on SW1 and SW2.

2.5.2 IGMPv2 and IGMP snooping
1. SW2 is connected to the user network through the Layer 2 switches (SW3
and SW4) and runs IGMPv2.
2. The multicast source sends data to multicast groups 225.1.1.1 to
225.1.1.3. There are two receivers on the network: PC1 and PC2. They are
interested only in the data from 225.1.1.1. Enable IGMP snooping globally and in
VLAN 100 and VLAN 200 on all switches. Configure SW2 as a querier and enable
all switches to discard unknown multicast packets.

2.6 Configuring the ISP Network


2.6.1 IS-IS and OSPF
R1, R2, R3, R4, R5 and R6 belong to the ISP.
Task 1: IS-IS
1. Only R1, R2, R4 and R5 need to run IS-IS.
2. Enable IS-IS on R1 (G0/0/0, G0/0/1 and Loopback 0), R2 (G0/0/0, G0/0/2 and
Loopback 0), R4 (G0/0/0, G0/0/1 and Loopback 0), and R5 (G0/0/0, G0/0/2 and
Loopback 0). Set the IS-IS process ID to 100 and the area ID to 49.0001. Set the
system ID of each AR to 0000.0000.000X (X is a device ID). For example, the
system ID of R1 is 0000.0000.0001, and that of AR2 is 0000.0000.0002. Set the
device type of R1 and R4 to Level-1, and set the device type of R2 and R5 to
Level-1-2. Set the cost type of all IS-IS devices to wide.
3. Set all IS-IS physical interfaces to point-to-point mode and configure all IS-IS
routers to use only the three-way handshake mechanism to establish
adjacencies.
Task 2: OSPF
4. Only R2, R3, R5 and R6 need to run OSPF.
5. Enable OSPF on R2 (G0/0/1, G0/0/2), R3 (G0/0/0, G0/0/1 and Loopback 0),
R5 (G0/0/1, G0/0/2), and R6 (G0/0/0, G0/0/1). Set the OSPF process ID to 100;
all the interfaces belong to area 0.
6. Configure the cost of G0/0/1 on R2 to 100.
7. Import interface Loopback 0 on R6 into OSPF, and set external routes with
cost 5 as Type 2 AS external routes.
8. Configure route leaking so that all devices on the ISP network can learn
loopback routes. Configure routing policies on R2 and R5 to prevent suboptimal
paths to 6.6.6.6 and potential routing loops on the ISP network.

2.6.2 OSPFv3 and BGP4+


Task 1: OSPFv3
1. Enable OSPFv3 on R2, R3, R4 and R6. For the IPv6 addresses, refer to
Table 3-5.
2. Ensure that the physical interfaces on R2, R3, R4 and R6 can
communicate with each other through the IPv6 network.

Table 2.6.2.1.1.1.2.1.1 IPv6 Address Planning

Device Name   Interface    IP Address
AR2           G0/0/1       2001:23::1/64
              G0/0/2       2001:25::1/64
              Loopback 0   2001:2::2/128
AR3           G0/0/1       2001:23::2/64
              G0/0/0       2001:36::1/64
              Loopback 0   2001:3::3/128
AR5           G0/0/1       2001:56::1/64
              G0/0/2       2001:25::2/64
              Loopback 0   2001:5::5/128
AR6           G0/0/0       2001:36::2/64
              G0/0/1       2001:56::2/64
              Loopback 0   2001:6::6/128

Task 2: BGP4+
3. Use Loopback0 to establish full-mesh BGP4+ peer relationships among R2, R3, R5
and R6 in AS 100.
4. Ensure that all four routers can learn the IPv6 routes of all Loopback0s
from each other, and that the Origin attribute of the routes is incomplete.

2.7 Connect the HQs and Branches


2.7.1 Configuring the Firewalls
Task 1: Configure connectivity between FW1 & FW2 and the ISP network.

1. Assign G1/0/1 to the trust zone, G1/0/2 to the untrust zone,
and G1/0/0 to the DMZ zone.
2. Establish hot standby between FW1 and FW2 and configure the heartbeat interface.
3. Configure the security policy rule Trust to allow PC1 and PC2 in the HQs to
communicate with Branch1 and Branch2.

2.7.2 Configuring MPLS VPN
Task 1: Implement MPLS VPN in the ISP and provide the links to
connect HQs and branches.
1. Configure FW1 as CE1 and FW2 as CE2 to connect to the branches through
R1 (PE1), R4 (PE4), R3 (PE3) and R6 (PE6) in AS100. R7 is CE3 and R8 is CE4.
CE1 and CE2 are Hub-CEs of vpn1, PE1 and PE4 are Hub-PEs. CE3 and CE4 are
Spoke sites of vpn1, and PE3 and PE6 are Spoke PEs.
2. Enable MPLS and MPLS LDP on the routers, set Loopback0 as the
LSR-ID to establish an MPLS LSP public network tunnel, and transmit VPN data.
3. The RDs of R1, R3, R4 and R6 are 100:1, 100:3, 100:4 and 100:6,
respectively.
4. CE1 and CE2 are Hub-CEs of VPN1, PE1 and PE2 are Hub-CEs. CE3 and CE4
are Spoke sites of VPN1, and PE3 and PE4 are Spoke PEs.
5. Create a VPN instance on R1, R4, R3 and R6. R1 vpn1's RD is 100:1, Export
RT is 100:1, and Import RT is 200:1. The interface connected to the CE is bound to
the corresponding VPN instance to access the VPN user. Properly set the vpn1
VPN-target to ensure that the data transmitted between spoke sites passes through
the Hub-PE.
6. Configure full-mesh MP-IBGP between PE1, PE3, PE4 and PE6 to exchange
VPN routing information.
7. Run BGP AS 65001 on FW1 to establish EBGP peers with R1 vpn-instance
vpn1. Run BGP AS 65001 on FW2 to establish EBGP peers with R3 vpn-instance
vpn1. Configure bidirectional route import between OSPF and BGP on FW1 and
FW2.
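
The VPN-target requirement in item 5 can be checked on paper before any router is configured. The following is an added example, not part of the exam paper or of any Huawei tooling; it models only route-target import/export matching, not how the Hub-CE re-advertises spoke routes. R1's values (Export RT 100:1, Import RT 200:1) come from item 5; giving R4 the same values and R3 and R6 the mirrored values is an assumption.

```python
# Added example: models BGP/MPLS VPN route-target matching only.
# R1's RTs are from item 5 of the task; R4, R3 and R6 values are assumptions.
PES = {
    "R1": {"role": "hub",   "export": {"100:1"}, "import": {"200:1"}},
    "R4": {"role": "hub",   "export": {"100:1"}, "import": {"200:1"}},  # assumed
    "R3": {"role": "spoke", "export": {"200:1"}, "import": {"100:1"}},  # assumed
    "R6": {"role": "spoke", "export": {"200:1"}, "import": {"100:1"}},  # assumed
}

def importers(pes, origin):
    """PEs whose import RTs intersect the export RTs of `origin`."""
    exported = pes[origin]["export"]
    return sorted(n for n, pe in pes.items()
                  if n != origin and pe["import"] & exported)

def spoke_leaks(pes):
    """(origin, receiver) pairs where a spoke PE imports another spoke's routes directly."""
    spokes = {n for n, pe in pes.items() if pe["role"] == "spoke"}
    return [(o, r) for o in sorted(spokes)
            for r in importers(pes, o) if r in spokes]

def isolated_spokes(pes):
    """Spoke PEs that no hub PE imports from, or that import from no hub PE."""
    hubs = {n for n, pe in pes.items() if pe["role"] == "hub"}
    bad = []
    for n, pe in pes.items():
        if pe["role"] != "spoke":
            continue
        up = hubs & set(importers(pes, n))                  # hubs that learn this spoke
        down = {h for h in hubs if n in importers(pes, h)}  # hubs this spoke learns from
        if not up or not down:
            bad.append(n)
    return sorted(bad)

# Constructed counter-case: every PE imports and exports the same RT (full mesh).
FULL_MESH = {n: {"role": pe["role"], "export": {"100:1"}, "import": {"100:1"}}
             for n, pe in PES.items()}

if __name__ == "__main__":
    print("planned leaks:", spoke_leaks(PES))
    print("full-mesh leaks:", spoke_leaks(FULL_MESH))
    print("isolated spokes:", isolated_spokes(PES))
```

An empty leak list together with an empty isolated-spoke list means spoke sites can reach each other only through routes the hub side hands back, which is the property item 5 asks for.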

Task 2: Configuring the Branch Network

8. Configure PPP CHAP authentication between R3 and R7. R3 is the
primary authenticator. The user name is Huawei, and the password is
ICT@Huawei2020.
9. Run BGP AS 65002 on R7 to establish EBGP peers with R3 vpn-instance
vpn1, and import the direct routes into vpn1.
10. Run OSPF on R8 to establish OSPF peers with R6 vpn-instance vpn1,
and import the direct routes into vpn1.

2.8 Feature
2.8.1 SNMP
Create the following alarm notification rule: Huawei-ICT.
1. Configure SNMP v2c on SW1, SW2.
2. Set read community as Admin@123, write community as Huawei@123.
3. The network management server address is 10.1.24.2.
4. Security name is Huawei-ICT.
5. snmp-agent trap enable.

2.8.2 QoS
On the outbound interface (GE 0/0/2 on PE1 and PE2), from 8:00–18:00 Monday
to Friday, the committed average rate is 1 Mbit/s for traffic with UDP
destination port numbers ranging from 7888 to 7999.
