HUAWEI TECHNOLOGIES CO., LTD.

The privileges of HCNA/HCNP/HCIE:
With any Huawei Career Certification, you are entitled on http://learning.huawei.com/en to:
1. Comprehensive E-Learning Courses
Content: all Huawei Career Certification E-Learning courses
Method: submit your Huawei Account and the email address used for Huawei Account registration to Learning@huawei.com.
2. Training Material Download
Content: Huawei product training material and Huawei career certification training material
Method: log on to http://learning.huawei.com/en, enter Huawei Training/Classroom Training, and download the training material from the introduction page of the specific course.
3. Priority to participate in Huawei Online Open Classes (LVC)
Content: Huawei career certification training covering all ICT technical domains such as R&S, UC&C, Security, Storage and so on, conducted by Huawei professional instructors
Method: for the schedule and how to participate, refer to the LVC Open Courses Schedule
4. Learning Tool: eNSP
eNSP (Enterprise Network Simulation Platform) is a free graphical network simulation tool developed by Huawei. eNSP simulates enterprise routers and switches as closely to the real hardware as possible, which makes lab practice available and easy without any real device.
In addition, Huawei has built the Huawei Technical Forum, where candidates can discuss technical issues with Huawei experts, share exam experiences with others, or become acquainted with Huawei products (http://support.huawei.com/ecommunity/).
More Learning Resources: http://learning.huawei.com/en




Huawei Certification

HCDA-HNTD

Huawei Networking Technology and Device









Huawei Technologies Co.,Ltd




Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or
transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei
Technologies Co., Ltd. All other trademarks and trade names
mentioned in this document are the property of their
respective holders.
Notice
The information in this document is subject to change
without notice. Every effort has been made in the preparation
of this document to ensure accuracy of the contents, but all
statements, information, and recommendations in this
document do not constitute the warranty of any kind, express
or implied.

Huawei Certification
HCDA-HNTD Huawei Networking Technology and
Device
Edition 1.6


Huawei Certification System
Relying on its strong technical and professional training system, and according to the needs of customers at different levels of ICT technology, Huawei certification is committed to providing customers with authentic, professional certification.
Based on the characteristics of ICT technologies and customers' needs at different levels, Huawei certification provides customers with a certification system of four levels.
HCDA (Huawei Certification Datacom Associate) is primarily for IP network maintenance engineers and anyone else who wants to learn IP network knowledge. HCDA certification covers the TCP/IP basics, routing, switching and other common foundational knowledge of IP networks, together with Huawei communications products, the characteristics of the Versatile Routing Platform (VRP) and basic maintenance.
HCDP (Huawei Certification Datacom Professional-Enterprise) is aimed at enterprise-class network maintenance engineers, network design engineers, and anyone else who wants an in-depth grasp of routing, switching, network adjustment and optimization technologies. HCDP-Enterprise consists of IESN (Implementing Enterprise Switch Network), IERN (Implementing Enterprise Routing Network), and IENP (Improving Enterprise Network Performance), which cover advanced IPv4 routing and switching technology principles, IP network security technology, high availability and QoS, as well as their implementation on Huawei products.
HCIE (Huawei Certified Internetwork Expert) is designed to equip engineers with a variety of IP network technologies and with proficiency in the maintenance, diagnostics and troubleshooting of Huawei products, giving them competence in the planning, design and optimization of large-scale IP networks.




[Figure: Huawei ICT Career Certification tracks, by level]
Associate: HCNA (HCDA), HCNA-Design, HCNA-WLAN, HCNA-UC, HCNA-VC, HCNA-Cloud, HCNA-LTE, HCNA-Transmission, HCNA-Security, HCNA-CC, HCNA-Storage, HCAr
Professional: HCNP-R&S (HCDP), HCNP-Design, HCNP-Carrier (HCDP-Carrier), HCNP-WLAN, HCNP-UC, HCNP-VC, HCNP-Cloud, HCNP-LTE, HCNP-Transmission, HCNP-Security, HCNP-Storage, HCNP-CC
Expert: HCIE-R&S, HCIE-Design, HCIE-Carrier, HCIE-LTE, HCIE-WLAN, HCIE-UC&C, HCIE-UC, HCIE-VC, HCIE-Cloud, HCIE-Storage, HCIE-Transmission, HCIE-Security, HCIE-CC
Architect: top level of the system
Tracks: Routing & Switching, WLAN, Wireless, ICT Convergence, Design
Legend: necessary advanced relationship; proposed advanced relationship
Foreword
Outline
This book is about the Huawei Certified Datacom Associate certification. It is intended for students who want to prepare for the HCDA exam, or who want to learn the technology of TCP/IP protocol stacks, routers, switches, WAN and Ethernet and how to configure them on the VRP.
Content
The guide contains a total of six modules. Starting from the basic knowledge of data communications, the guide introduces the fields of routing, switching, WAN, firewalls and other basic knowledge, as well as configuration and implementation using the VRP platform.
Module 1 systematically introduces the IP network infrastructure and the TCP/IP four-layer model to help the reader establish the basic framework of the data communications network. By highlighting the functions and roles of the network layer, transport layer and application layer, this module helps readers master the functions and roles of communication networks in a variety of products.
Module 2 describes the basics and operation of the Huawei Versatile Routing Platform (VRP) and takes a progressive approach to the basics of routing protocols, static routing and dynamic routing protocols. This module helps readers understand the principles and the basic process of data communication by highlighting RIP and OSPF, two IGP routing protocols.
Module 3 introduces the popular Ethernet technology, how Ethernet equipment works, and the technologies used mostly in the LAN, such as VLAN, STP and VRRP, to help readers improve their LAN planning abilities.
Module 4 briefly describes the basic principles of WAN technologies such as HDLC, PPP and Frame Relay, and their configuration and implementation on the VRP, to help readers master WAN technologies and implement them flexibly.
Module 5 briefly describes the types and development of firewall technologies, the performance and basic functions of Huawei USG series firewalls, and
their implementation on the VRP, to help readers understand and lay out the network security policy.
Module 6 briefly describes the hardware features, positioning and networking applications of Huawei routers and switches. Through studying this part, readers will develop a comprehensive understanding of Huawei data communications products.
The guide enables readers to progress step by step from the basics of data communication to routing, switching, WAN, network security technologies, and Huawei products. Readers can also read selectively according to their own circumstances.
Readers' Knowledge Background
This course is a basic course of Huawei certification; the reader should have a basic knowledge of networking.

Icons Used in This Book
[Figure: icon legend] IPv6 Router, SOHO Router, Voice Router, Low-end Router, High-end Router, Core Router, Hub, Convergence Switch, Core Switch, Edge Switch, Cascade Switch, AP, AP Amplifier, Wireless Bridge, Wireless Network Card, Access Server, Audio Gateway, Firewall, Internet Telephony, Socket Switch
HCDA-HNTD





Table of Contents
Module 1 Network Fundamentals .................................................................................Page 1
IP Network Fundamental ...............................................................................................Page 3
TCP/IP Basis.........................................................................................................Page 43
IP Addressing and Routing ...........................................................................................Page 86
Protocols of Transport Layer.........................................................................................Page 127
Introduction to Common Application........................................................................Page 148
Module 2 Routing ................................................................................................................Page 163
VRP Basis and Operation ...............................................................................................Page 165
Routing Protocol Basis.....................................................................................................Page 202
Static Route .........................................................................................................................Page 230
Dynamic Routing Protocol Basis...................................................................................Page 248
Distance-vector Routing Protocol ...............................................................................Page 260
RIP Routing Protocol.........................................................................................................Page 283
RIP Troubleshooting..........................................................................................................Page 311
OSPF Routing Protocol Basis..........................................................................................Page 342
Module 3 Switching ..............................................................................................................Page 375
Ethernet Overview .............................................................................................................Page 377
Principle of Ethernet Device ...........................................................................................Page 395
Ethernet Port Technology ................................................................................................Page 422
VLAN Technology Principle and Configuration.........................................................Page 449
VLAN Routing .......................................................................................................................Page 470
STP Principle and Configuration.....................................................................................Page 489
VRRP Principle and Configuration..................................................................................Page 522
Module 4 WAN ........................................................................................................................Page 545
HDLC Principle and Configuration.................................................................................Page 547
PPP Principle and Configuration ....................................................................................Page 563
FR Principle and Configuration........................................................................................Page 697
Module 5 Network Security-Firewall Product Basis .....................................................Page 631
Firewall Product Basis .........................................................................................................Page 633
USG Basic Function and Configuration ........................................................................Page 655
Module 6 Product.....................................................................................................................Page 695
Huawei NE40E-X Series Router Introduction..............................................................Page 697
AR G3 & Sx7 Brief ...............................................................................................................Page 726

Module 1
Network Fundamentals
Data refers to information in any format. The format used to encode any information must follow agreed or standard rules before successful communication between a sender and a receiver is possible.
For example, a picture can be broken down into a number of dots referred to as pixels; each pixel can then be represented by a number, which can in turn be encoded ready for transmission. The format used by the sender to encode the image data must be understood by the receiver so that it can decode and rebuild the picture.
Common types of data that can be encoded for transmission include text, numbers, pictures, audio, and video. Many standard ways of encoding the different types of data exist.
Data communication is the process of exchanging data between two devices through a transmission medium, such as a wired or wireless network.
A simple data communication system consists of a message, a sender, a receiver, a (transfer) medium, and a protocol.
Message:
A message contains the information that needs to be communicated. This could be text, numbers, a picture, sound, or video, which will be encoded and transmitted as one or more messages.
Sender:
The sender is a device or system that transmits the message; this could be a PC, a workstation, a server, or a mobile phone.
Receiver:
The receiver is a device or system that receives the message; this could be a PC, a workstation, a server, a mobile phone, or a television.
Medium:
The medium is a physical or logical connection between the sender and the receiver which is capable of carrying the message. Typical types of medium are twisted pair cable, coaxial cable, optical fiber and radio waves.
Protocol:
The protocol is the set of rules that controls the way in which data is exchanged. The protocol does not necessarily define what the original data is or how it is encoded, just how it should be exchanged by two communicating devices. Protocol rules define such things as the speed at which data is transferred and the size of the data unit that is sent. They also define when a communication session starts and ends. These rules can be likened to the rules that define the way we talk to each other or read and write: without such rules, even if we use the same language, we cannot communicate.

There are three different ways in which two devices can communicate in data networking:
Simplex communication:
Simplex communication is in one direction only. One device can only send messages, the other can only receive them. For example, a keyboard is a device which only sends data and a monitor is a device that can only receive data; both use simplex communication.
Half-duplex communication:
Half-duplex communication is two-way, but only one device can be sending at any time while the other must be receiving. Both devices are capable of sending and receiving, but communication can only be in one direction at a time. Two-way radios, such as those used by police and taxis, work in half-duplex mode.
Full-duplex communication:
Full-duplex communication is two-way and concurrent: both devices can send and receive messages at the same time. A motorway is full duplex, as traffic is able to travel in both directions at the same time. Telephony networks are also full duplex; however, most humans can only either talk or listen, not do both at the same time.
A network is any group of people, things or places that are interconnected in some way. Networks exist everywhere in our lives: we use road, rail, telephone and postal networks on a daily basis.
A computer network consists of two or more computers and peripherals which are interconnected by communication lines. The computers in a network can easily exchange and share information and resources.
Computer networks were developed to meet increasing requirements for exchanging information and sharing resources. In early computer networks, each computer was an independent device, and there was little or no communication between systems. As computer and communication technologies evolved, communication between different systems was made possible. Standard protocols understood by different systems made sharing resources and data possible and improved resource utilization.
In recent years, computer networks have developed rapidly. Computer communications networks and the Internet have become a basic part of society. Computer networks are applied in many fields of industry and commerce, including e-banking, e-commerce, modernized enterprise management, and information services. From remote education to government routines and today's e-communities, none could work without network technology.
The saying "the network exists everywhere in the world" is not an exaggeration.
Computer networks came into being in the 1960s. At that time, a network was a host-based low-speed serial connection providing program execution, remote printing, and data services. IBM's System Network Architecture (SNA) and the X.25 public data network are networks of this kind. In the 1960s, the US Department of Defense funded a packet switching network called ARPANET, which was the earliest precursor of the Internet.
In the 1970s, the commercial computing mode featuring personal computers came forth. Initially, personal computers were used as independent devices. Because of the complexity of commercial computing, many terminal devices needed to cooperate, and thus the local area network (LAN) was developed. The LAN reduced the expense on printers and disks dramatically.
In the 1980s and 1990s, in order to deal with the increasing demand for remote computing, the computer industry developed many wide area network protocols (including TCP/IP and IPX/SPX). The Internet then expanded fast. Nowadays TCP/IP is used extensively on the Internet.


The topology defines the organization of devices in a network. A LAN can adopt various topologies, such as the bus topology and the star topology.
In the bus topology, all devices are connected to a linear network medium, which is called the bus. When a node transmits data in a network adopting the bus topology, the data reaches all nodes. Each node checks the data: if the data is not addressed to this node, the node discards it; if the data is addressed to this node, the node accepts it and passes it to the upper layer protocol. A typical bus topology has a simple layout of lines. Such a layout uses little network media, and thus the expense on cables is low. However, this topology makes it difficult to diagnose and isolate faults: once a fault occurs, the entire network is affected. In addition, each device in the LAN sends data to all the other devices, which consumes a large amount of bandwidth and lowers network performance. Note also that because every frame reaches every node, the decision to discard data not addressed to a node is made by that node itself; the medium does not prevent a node from reading traffic meant for others.
In the star topology, devices are connected to a central control point. A device communicates with another device through the point-to-point connection between it and the hub or switch. The star topology is easy to design and install, because network media only connect the hub or switch and the workstations. The star topology is easy to maintain, because the network can be easily
modified and network faults can easily be located. The star topology is extensively used in LAN construction. Of course, the star topology has its weaknesses. If the central control device becomes faulty, a single point of failure occurs. In addition, each network medium can connect only one device, so a large amount of network media is needed and the LAN installation cost increases.
These topologies are logical structures and are not necessarily related to the physical arrangement of devices. For example, logical bus and ring topologies usually adopt a physical star structure.
A WAN usually adopts the star, tree, full-mesh, or partial-mesh topology.


The Internet is a large network formed by networks and devices. Based on the geographic scope covered, networks are classified into LANs, WANs, and Metropolitan Area Networks (MANs), whose size is between the LAN and the WAN.
Local Area Network (LAN)
A LAN is formed by connected communication devices in a small area. A LAN covers a room, a building, or an industrial park, spanning at most several kilometers. It is a combination of computers, printers, modems, and other devices interconnected through various media within that range.
Wide Area Network (WAN)
A WAN covers a larger geographic scope, such as a state or a continent. It provides data communication service in a large area and is used to connect LANs. The China Packet Network (CHINAPAC), China Digital Data Network (CHINADDN), China Education and Research Network (CERNET), CHINANET, and China Next Generation Internet (CNGI) are all WANs. A WAN connects LANs that are far from each other.
A LAN is formed by interconnected communication devices in a small area, such as a room, a building, or a campus. In general, a LAN covers at most several kilometers. The LAN is characterized by short distance, low delay, high data transmission speed, and high reliability.
Common LAN types are Ethernet and Asynchronous Transfer Mode (ATM). They differ in topology, transmission speed, and data format. Ethernet is the most widely used LAN.
The following network devices are used in LAN construction:
Cables: A LAN is extended by cables. Various cables are used in LANs, for example optical fiber, twisted pair, and coaxial cable.
Network Interface Card (NIC): A NIC is inserted in a slot on the computer's main board. It transforms the data into a format that other network devices can identify and transmits the data over the network medium.
Hub: A hub is a shared device that provides many network interfaces to connect computers in the network. The hub is called a shared device because all its interfaces share one bus: data received on one interface reaches every other interface. At any one time only one user can transmit data, so the data volume and speed available to each user (interface) depend on the number of active users (interfaces).
Switch: also called a switching hub. A switch also provides many interfaces to connect network nodes, but its performance is much higher than that of a shared hub. It can be considered to have many buses, so that devices connected to each interface can independently transmit data without affecting other devices. For
users, the interfaces are independent of each other and have fixed bandwidth. In addition, a switch has some functions that a hub lacks, such as data filtering, network segmentation, and broadcast control.
Router: A router is a computer device used to connect networks. A router works at the third layer (network layer) of the OSI model and is used to route, store, and forward packets between networks. Generally, a router supports two or more network protocols so that it can connect different types of networks. A router can also run dynamic routing protocols to route packets dynamically.
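The difference between the shared bus described under the bus topology and the hub above on one side, and a switch's data filtering on the other, is easiest to see by replaying a few frames through a toy model of each. The following is an added example written for this edition, not code from the guide or from any Huawei product: a hub repeats every frame out of every other port, while a learning switch records the port each source address was seen on and delivers known unicast frames to that single port, flooding only broadcasts and unknown destinations. The MAC addresses, port numbers and the frame sequence are constructed for the illustration.

```python
"""Toy model of a shared hub versus a learning switch (constructed example)."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    payload: str  # only used for the printout


@dataclass
class Hub:
    """Shared-bus device: a frame entering one port is repeated out of every
    other port, so any station on the hub (a sniffer included) can read it."""
    ports: int

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    """Learning switch: remembers which port each source MAC arrived on and
    sends unicast frames for a learned MAC to that port only. Broadcasts and
    frames for unknown destinations are still flooded to all other ports."""
    ports: int
    mac_table: Dict[str, int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        self.mac_table[frame.src] = in_port          # learn the sender's port
        out = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:    # broadcast / unknown unicast
            return [p for p in range(self.ports) if p != in_port]
        if out == in_port:                            # destination is behind the
            return []                                 # same port: filter the frame
        return [out]


def run(device, traffic: List[Tuple[int, Frame]]) -> List[List[int]]:
    """Replay (ingress_port, frame) pairs; return the egress ports per frame."""
    return [sorted(device.forward(port, frame)) for port, frame in traffic]


# Constructed scenario: host A on port 0, host B on port 1, and a passive
# sniffer on port 2 that never transmits (so the switch never learns it).
A, B = "00:11:22:33:44:0a", "00:11:22:33:44:0b"
TRAFFIC = [
    (0, Frame(A, B, "A -> B, B not yet learned")),    # unknown dst: flooded
    (1, Frame(B, A, "B -> A, A already learned")),    # goes to port 0 only
    (0, Frame(A, B, "A -> B, both learned")),         # goes to port 1 only
    (0, Frame(A, BROADCAST, "ARP-style broadcast")),  # always flooded
]


def compare(ports: int = 3) -> Dict[str, List[List[int]]]:
    """Egress ports seen for each frame in TRAFFIC on a hub and on a switch."""
    return {"hub": run(Hub(ports), TRAFFIC), "switch": run(Switch(ports), TRAFFIC)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name)
        for (port, frame), seen_by in zip(TRAFFIC, result):
            print(f"  in port {port}: {frame.payload!r:32} seen by ports {seen_by}")
```

On the hub the sniffer on port 2 sees all four frames; on the switch it sees only the first (unknown destination) and the last (broadcast). This is the "data filtering" and "broadcast control" the text attributes to switches, and it is why a passive listener on a switched port observes far less than on a hub.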


A WAN covers a larger geographic scope, such as a state or a continent. The China Packet Network (CHINAPAC), China Digital Data Network (CHINADDN), China Education and Research Network (CERNET), CHINANET, and the China Next Generation Internet (CNGI), which is still being built, are all WANs.
A WAN connects LANs that are far from each other. It consists of the end systems (the users on the two ends) and the communication system (the link between the two ends).
The communication system is the key part of the WAN, and it falls into the following types:
Integrated Services Digital Network (ISDN): a dial-up connection mode. The ISDN BRI provides 2B+D channels. Each B channel provides 64 kbit/s, so the highest speed is 128 kbit/s. The ISDN PRI has two standards: the European standard (30B+D) and the North American standard (23B+D). ISDN uses a digital transmission mode, which features fast connection setup and high reliability. Two devices in the ISDN can identify each other's number. The call cost of ISDN is higher than that of the ordinary telephone network, but the double-channel structure supports two independent lines. ISDN is applicable to individual subscribers or small offices.
Leased line: called DDN in China. It is a point-to-point connection that transmits data at speeds from 64 kbit/s to 2.048 Mbit/s. The leased line guarantees data transmission and provides constant bandwidth, but the cost is high and the point-to-point structure is not very flexible.
X.25: a WAN type that appeared early and is still in extensive use at present. It transmits data at speeds from 9600 bit/s to 2 Mbit/s. X.25 adopts a redundant mode and is fault tolerant, so it features high reliability, but the transmission speed is low and the delay is high.
Frame Relay: a comparatively newer technology developed on the basis of X.25. The transmission speed is between 64 kbit/s and 2.048 Mbit/s. Frame Relay is flexible and implements point-to-multipoint connections. In addition, FR can transmit data at a speed that exceeds the Committed Information Rate (CIR) when a large amount of data needs to be transmitted, so it allows a certain amount of burst traffic. For these reasons, FR is a good choice for business subscribers.
Asynchronous Transfer Mode (ATM): a cell-switched network that features high speed, low delay, and guaranteed transmission quality. Most ATM networks use optical fiber as the connection medium. Fiber provides a high speed of over 1 Gbit/s, but the cost is also high. ATM is also a WAN protocol.



The WAN operates in a scope larger than that of the LAN. In the WAN, network access is implemented through various serial connections. Generally, enterprise networks are connected to the local ISP through WAN lines. The WAN provides full-time and part-time connections. In the WAN, serial interfaces can work at different speeds.
The following devices are used in the WAN:
Router: In the WAN, messages are sent to the destination according to their address. The process of looking for the transmission path is called routing. A router sends data to its destination by establishing routes between WANs and LANs according to their address information.
Modem: As the device used to transform signals between the end system and the communication system, a modem is an indispensable device in a WAN. Modems are classified into synchronous modems and asynchronous modems. The synchronous modem is connected to a synchronous serial interface and is used with the leased line, Frame Relay, and X.25. The asynchronous modem is connected to an asynchronous serial interface and is used with the PSTN.
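The routing decision described above (choosing a path from the destination address) comes down to a longest-prefix match in the router's table: among all routes whose prefix contains the destination, the most specific one wins, and a default route (0.0.0.0/0) catches everything else. The block below is an added example for this edition, not code from the guide or VRP output; the prefixes, next hops and interface names are constructed for illustration, and the interface naming only imitates the VRP style.

```python
"""Longest-prefix-match routing table lookup (constructed example)."""

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str       # "direct" marks a connected network
    interface: str      # egress interface (names are illustrative only)


class RoutingTable:
    def __init__(self, routes: Iterable[Route]) -> None:
        # Order by prefix length, longest first, so the first matching entry
        # is the most specific route regardless of configuration order.
        self.routes: List[Route] = sorted(
            routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[Route]:
        dst = IPv4Address(destination)
        for route in self.routes:
            if dst in route.prefix:
                return route
        return None  # no matching route and no default: the packet is dropped


# Constructed table for a small site router with one ISP link.
TABLE = RoutingTable([
    Route(IPv4Network("0.0.0.0/0"), "203.0.113.1", "Serial0/0/0"),         # default via ISP
    Route(IPv4Network("10.0.0.0/8"), "10.1.0.2", "GigabitEthernet0/0/1"),  # corporate WAN
    Route(IPv4Network("10.1.0.0/24"), "direct", "GigabitEthernet0/0/1"),   # connected link
    Route(IPv4Network("192.168.1.0/24"), "direct", "GigabitEthernet0/0/0"),# office LAN
    Route(IPv4Network("10.1.7.0/24"), "10.1.0.9", "GigabitEthernet0/0/1"), # more specific
])


def next_hop_for(destination: str) -> Optional[Tuple[str, str]]:
    """Return (next_hop, interface) chosen by TABLE, or None if unroutable."""
    route = TABLE.lookup(destination)
    return None if route is None else (route.next_hop, route.interface)


def without_default() -> RoutingTable:
    """The same table with the default route removed, to show a lookup miss."""
    return RoutingTable(r for r in TABLE.routes if r.prefix.prefixlen > 0)


if __name__ == "__main__":
    for dst in ("192.168.1.10", "10.1.7.20", "10.42.0.1", "10.1.0.5", "8.8.8.8"):
        print(f"{dst:14} -> {next_hop_for(dst)}")
    print("8.8.8.8 without a default route ->", without_default().lookup("8.8.8.8"))
```

Note that 10.1.7.20 is sent to 10.1.0.9 even though it also falls inside 10.0.0.0/8: the /24 wins because it is more specific. The same rule means any more specific prefix that gets into the table, from whatever source, takes the traffic for its range; this is the reason routes learned dynamically (Module 2) should come only from trusted neighbours.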
ARPAnet solved the problem of network robustness: once a device fault or link fault occurs, data transmission must still be possible between any two nodes as long as the two nodes remain physically connected. Because of this high self-healing ability, ARPAnet met the requirements of wartime use. It originated from the Defense Advanced Research Projects Agency (DARPA).
In 1985, the National Science Foundation (NSF) established NSFnet. NSF built a WAN consisting of regional networks and connected these regional networks to its supercomputer centers. In June 1990, NSFnet took the place of ARPAnet and became the backbone network of the Internet. Owing to NSFnet, the Internet was opened to the public, whereas before it had been used only by computer science researchers and governments.
The second leap of the Internet was attributed to commercialization in the early 1990s. As soon as commercial organizations entered the world of the Internet, they found its great potential in communications, information searching, and customer service. Numerous enterprises around the world then swarmed into the Internet, which resulted in a new leap of the Internet.
In 1995, NSFnet came to an end and was replaced by a new Internet backbone network operated by multiple private companies.
Page23
Currently, the Internet is not a simple hierarchy; instead, it is
formed by many WANs and LANs linked by connecting
devices and switching devices. End users are connected to the
Internet through the service provided by Internet service
providers (ISPs). ISPs are classified into international service
providers, national service providers, regional ISPs, and local
ISPs.
International service provider
An international service provider connects the networks of different
countries.
National service provider (NSP)
A national service provider operates on backbone networks that
are built and maintained by professional companies. These
backbone networks are connected by complex switching
devices (usually operated by a third party) so that end users
can be connected to the backbone network. The switching
devices are called network access points (NAPs). NAPs transmit
data at high speed.
Regional ISP
A regional ISP is a small ISP connected to one or more NSPs.
Regional ISPs transmit data at a lower speed.
Local ISP
A local ISP provides service for end users. A local ISP is
connected to a regional ISP or an NSP. Most end users are
connected to local ISPs.
Page24
NAP
An NAP connects backbone networks. It is usually a complex
switching workstation operated by a third party.

Page25
Page26
A network protocol is a set of formats and conventions stipulated
and observed by the communicating parties so that devices in
different computer networks can communicate. A network
protocol is the standardized description of a series of rules and
conventions. It defines how network devices exchange
information. Network protocols are the basis of the computer network.
Only devices that comply with the related network protocols (the laws
for interconnected devices in the network) can communicate with
each other. Any device that does not comply with the network
protocol cannot communicate with other devices.
What is a protocol? Take the telegraph as an example. Before
sending a telegraph, the two parties must define the transmission
format of the telegraph: for example, what signal indicates the
start, what signal indicates the end, how to handle errors, and how
to express the name and address of the sender. This predefined
format and convention is a protocol.
Network protocols include the Transmission Control Protocol/Internet
Protocol (TCP/IP), Internetwork Packet eXchange/Sequenced
Packet eXchange (Novell IPX/SPX), and IBM Systems Network
Architecture (SNA). The most widely used protocol is the TCP/IP
stack, which has become the standard protocol of the Internet.
Page27
A standard is a set of rules and processes that are widely used or
defined by the government. A standard describes the stipulations in a
protocol and sets the minimum set of behaviour required to guarantee
network communications. IEEE 802.X is the dominant LAN
standard.

Page28
Many international standardization organizations have made great
contributions to the development of the computer network. They unify
network standards so that devices from different vendors can
communicate with each other. To date, the following
standardization organizations have contributed to the
development of the computer network.
International Organization for Standardization (ISO)
ISO stipulates standards for large-scale networks, including the
Internet. ISO put forward the OSI model, which describes the
working mechanism of a network.
The OSI model is a comprehensible and clear hierarchical model
of the computer network.
Institute of Electrical and Electronics Engineers (IEEE)
IEEE defines standards for network hardware so that hardware
devices from different vendors can communicate with each other.
The IEEE LAN standard is the dominant standard for LANs. IEEE
defines the 802.X protocol suite: 802.3 is the standard for
Ethernet; 802.4 is the standard for the token bus network; 802.5 is
the standard for token ring; 802.11 is the standard for the wireless
local area network (WLAN).
Page29
American National Standards Institute (ANSI)
ANSI is an organization formed voluntarily by companies, governments, and
other members. ANSI defines the standard for the
Fiber Distributed Data Interface.
Electronic Industries Association/Telecommunications Industries
Association (EIA/TIA)
They define the standards for network
cables, for example RS232, CAT5, HSSI, and V.24. They also
define the standard for cabling, for example EIA/TIA 568B.
International Telecommunication Union (ITU)
It defines the standards for the telecom network working as the
WAN, for example X.25 and Frame Relay.
Internet Engineering Task Force (IETF)
Founded at the end of 1985, the IETF is responsible for
researching and establishing technical specifications related to
the Internet. The IETF has become the most authoritative
research institute in the global Internet field.

Page30
The IETF produces two types of documents: Internet drafts and RFCs.
IETF standards are called RFCs, which are a series of documents
published by the IETF. RFCs used as standards fall into the following types:
Proposals, namely the recommended solutions
Accepted standards, which are used by all users and cannot be changed
Optimal practices, a kind of introduction
In the past, RFC stood for Request for Comments. Now RFC is
only a name without any special meaning. Currently, RFCs are
formal documents. There are about 5000 RFCs. The first one is RFC
1, Host Software, which was published on April 7th, 1969.
Many Internet-related protocols, such as IP, OSPF, BGP
and MPLS, are defined by RFCs.

Page31
Page32
A typical IP network is comprised of a backbone network, a
Metropolitan Area Network (MAN) and an access network. The
backbone network commonly interconnects networks from
different countries and cities. The MAN is
located between the backbone network and the access network,
and is commonly comprised of a backbone layer, a convergence
layer and an access layer. Access networks are used for terminal
user access; an access network is usually a Layer 2 network
below the service access point. Users access the Internet via
xDSL, Ethernet and so on.
The target network structure of the IP MAN is divided into:
IP MAN: the service access point (BRAS and service router) and the
upper-layer routers that compose the Layer 3 network.
The IP MAN is comprised of a backbone layer, a convergence layer
and an access layer.
Broadband access network: the Layer 2 access network
below the service access point.
Its structure is divided into the Layer 2 convergence
network and the last-mile access network.

Page33
On the service plane, the structure can be divided into a public
access network plane and the major account access network
plane.

Page34
The Metropolitan Area Network (MAN) is located between the
backbone network and the access network, and interlinks
different areas of a city.
The MAN provides the following services:
Internet access
There are two access modes: dialup access
mode and private line access mode.
In the dialup access mode, subscribers have different service
attributes. In the private line access mode, subscribers in the
same group have the same service attributes. The Asymmetric
Digital Subscriber Line (ADSL) and Local Area Network (LAN)
technologies are widely used for Internet access. Both
technologies support the dialup access and private line access
modes.
Virtual private network (VPN)
In recent years, enterprises have had increasing requirements for
diversified services, so VPN technology has become more
and more popular. A VPN is a private network constructed within a
public network infrastructure with the help of Internet service
providers (ISPs) and network service providers (NSPs).
Based on the implementation layer, VPNs can be classified into
Layer 2 VPN (L2VPN), Layer 3 VPN (L3VPN) and the Virtual
Private Dial Network (VPDN). The VPDN provides network
access to mobile personnel in enterprises and to small-sized ISPs
using the dialup function of the public network and the access
network.
Page35
Page36
The common Internet access modes are ADSL, Ethernet, and
leased line. Household users usually choose the ADSL access
mode, residential users prefer the Ethernet access mode, and
enterprise users select the leased line access mode. Normally,
the access network uses Layer 2 devices, such as digital
subscriber line access multiplexers (DSLAMs) and Ethernet
switches, to provide the access service for users. The access
network does not perform any control on users; it simply sets
up Layer 2 connections to transparently transmit user information
to upper-layer devices. The access network refers to all devices
at the access layer.
The access layer uses the broadband remote access server
(BRAS) to manage users.
The convergence layer generally uses aggregation routers or
Layer 3 switches. The convergence layer aggregates traffic from
the BRAS into the MAN devices and forwards this traffic through
its routing functions.
The Internet access process is as follows:
A user sends an Internet access request. Layer 2 devices in the
access network establish a Layer 2 connection and transparently
transmit the request to the BRAS.
Page37
The BRAS performs user identity authentication and
authorization, and allocates an IP address to the user.
The BRAS routes the user packets to devices at the convergence
layer. The devices at the convergence layer forward the packets
through their routing functions, allowing the user to access the
Internet.

Page38
VPN services are classified into L3VPN services, L2VPN services
and VPDN services. Here, we discuss the most common type,
L3VPN services. L3VPN has multiple types, such as Internet
Protocol Security VPN (IPSec VPN), Generic Routing Encapsulation
VPN (GRE VPN) and Border Gateway Protocol/Multiprotocol
Label Switching VPN (BGP/MPLS VPN).
The BGP/MPLS VPN model has three parts: customer edge
(CE), provider edge (PE) and provider (P).
CE: It is an edge device on the user network. A CE provides
interfaces that are directly connected to the service provider (SP)
network. It can be a router, a switch or a host.
PE: It is an edge router provided by the SP. A PE device is
directly connected to the CE. On the MPLS network, all VPN
operations are performed on the PEs.
P: It is a backbone router on the SP network. A P device is not
directly connected to the CE. The P device forwards MPLS data
and does not maintain VPN information.
As shown in the figure on this slide, enterprise private line users
A, B and C can communicate with each other as if on one LAN by
means of the BGP/MPLS VPN network.
Page39
Generally, the performance of the backbone network can be
evaluated using the following indicators:
High reliability
Devices on the backbone network must be stable,
which is critical to the stable operation of the entire network.
Therefore, network architects should properly design the network
architecture and develop reliable network backup policies to
ensure strong network self-healing capabilities.
Flexibility and scalability
To meet future network services, the network must be seamlessly
expanded and upgraded while minimally affecting the network
architecture and devices.
Flat networking
The number of network layers and hops should
be minimized to facilitate network management.
Proper planning of quality of service (QoS)
In addition to carrying the Internet access service, the IP network also
supports voice over IP (VoIP), video and key customer services.
These services have high requirements on service quality.
Therefore, QoS support is necessary for the IP network to serve as a
telecommunications network, and QoS should be properly planned.
Operability and manageability
Centralized monitoring,
rights-based management, and unified allocation of bandwidth
resources are supported, which make the entire network
controllable. one of the necessary conditions for the transition of the IP.
Page40

Page41
Hierarchical plane structure
The hierarchical plane structure is commonly applied in early-
stage backbone networks. Currently, most carriers in China use
this structure, which is divided into three layers: the core backbone
layer, the core convergence layer and the core access layer. The core
backbone layer is divided by area. Areas are connected in full-
mesh or partial-mesh mode to improve network robustness. The
core convergence layer adopts dual-homing networking: devices
at this layer are dual-uplinked to one area or two areas of the core
backbone.
Hierarchical spatial plane structure
In the hierarchical spatial plane structure, the network is divided
into layers and planes. Different planes carry different services.
Normally, services on two different planes are independent of
each other. When one plane fails, the other plane acts as a
backup plane. When designing the network, architects usually
design each plane so that it can carry all services. As a network
is required to carry multiple services, the hierarchical plane network
model stands out with its clear structure, large
backup capacity and high security.
Page42
Page43
Page44
Page45
Page46
Since the 1960s, computer networks have undergone dramatic
development. To take the leading position and gain a larger share
of the communication market, manufacturers competed in
promoting their own network architectures and standards, which
included IBM's SNA, Novell's IPX/SPX, Apple's AppleTalk, DEC's
DECnet and TCP/IP, which remains the most widely used today.
These companies enthusiastically pushed software and hardware that use their
protocols onto the market. All these efforts promoted
the fast development of network technology and the prosperity of
the network device market. However, networks became more
and more complicated due to the lack of compatibility between the
various protocols.
To improve network compatibility, the International Organization for
Standardization (ISO) developed the Open System Interconnection
Reference Model (OSI RM), which soon became the model for
network communications. ISO followed these principles
when designing the OSI reference model:
Page47
1. Each layer of the model has its own responsibilities, which
should make it stand out as an independent layer.
2. To avoid overlapping functions, there should be just enough layers.
The OSI reference model has the following advantages:
1. It simplifies network-related operations.
2. It provides compatibility and standard interfaces for systems
designed by different institutions.
3. It enables all manufacturers to produce compatible
network devices, which facilitates the standardization of networks.
4. It breaks the complex concept of communications down into
simpler and smaller problems, which facilitates our
understanding and operations.
5. It separates the whole network into areas, which guarantees that
changes in one area will not affect other areas and that networks in
each area can be updated quickly and independently.
Page48
The OSI reference model has seven layers. From bottom to top,
they are the physical layer, data link layer, network layer, transport layer,
session layer, presentation layer and application layer.
The bottom three layers are usually called the lower layers or the media
layers, which are responsible for transmitting data in the network.
Networking devices often work at the lower layers, and network
interconnection is achieved by the cooperation of software and
hardware. Layers 5 to 7 form the upper layers or the host layers.
The upper layers guarantee that data is transmitted correctly, which is
achieved by software.

Page49
The functions of each layer of the OSI Reference Model are listed
as follows:
Physical layer: provides a standardized interface to physical
transmission media, including voltage, wire speed and the pin-out of
cables.
Data link layer: combines bits into bytes and bytes into frames.
Provides access to media using MAC addresses, and error detection.
Network layer: provides logical addresses for routers to decide the
path (path selection).
Transport layer: provides reliable or unreliable data transfer
services and error correction before retransmission.
Session layer: establishes, manages and terminates the
connections between local and remote applications. Service
requests and responses of application programs on different devices
form the communication of this layer; RPC, NFS and SQL belong to
this layer.
Presentation layer: provides data encoding and translation. It makes
sure that the data sent by the application layer of one system can
be understood by the application layer of another system.
Application layer: provides network services as the layer closest to
users among the seven layers.
Page50
Since the OSI reference model and its protocols are comparatively
complicated, they did not spread widely. However, TCP/IP has been
widely accepted for its openness and simplicity. The TCP/IP stack
has already become the mainstream protocol suite for the Internet.
The TCP/IP model also has a layered structure. The layers of the
model are independent of each other, but they work together very
closely.
The difference between the TCP/IP model and the OSI reference
model is that in the former the presentation layer and the
session layer have been merged into the application layer. So the
TCP/IP model has only five layers. From bottom to top, they are:
the physical layer, data link layer, network layer, transport layer and
application layer.

Page51
Each layer of the TCP/IP model corresponds to different protocols.
The TCP/IP protocol stack is a set of communication protocols. Its
name, the TCP/IP protocol suite, is named after two of its most
important protocols: the Transmission Control Protocol (TCP) and
the Internet Protocol (IP). The TCP/IP protocol stack ensures the
communication between network devices. It is a set of rules that
define how information is delivered in the network.

Page52
Each layer of the TCP/IP model uses a Protocol Data Unit (PDU) to
exchange information and enable communication between network
services. During encapsulation, each succeeding layer encapsulates
the PDU that it receives from the layer above. At each stage of the
process, the PDU has a different name to reflect its new form.
For example, the transport layer adds a TCP header to the PDU from
the upper layer to generate the layer 4 PDU, which is called a
segment. Segments are then delivered to the network layer. They
become packets after the network layer adds the IP header to
those PDUs. The packets are transmitted to the data link layer,
where data link layer headers are added to make them frames.
Finally, those frames are encoded into a bit stream to be transmitted
through the network medium. This process, in which data is delivered
down the protocol suite from the top to the bottom and has
headers and trailers added, is called encapsulation.
Page53
After encapsulation, the data is transmitted to the receiving device.
The receiving device decodes the data to extract
the original service data unit and decides how to pass the data to
the appropriate application program up the protocol stack. This
reverse process is called de-encapsulation. The corresponding
layers, or peers, of different devices communicate through
encapsulation and de-encapsulation.
As the figure above shows, Host A is communicating with Host B.
Host A delivers data from an upper layer protocol to
the transport layer. The transport layer encapsulates the data
within a segment by adding a transport header and sends it to the
network layer. The segment is then encapsulated within an IP packet,
which adds another header, called the IP header. Next, the IP
packet is sent to the data link layer, where it is encapsulated between a
frame header and a frame trailer. The physical layer then transforms the
frame into a bit stream and sends it to Host B through the physical
cable.
Page54
When Host B receives the bit stream, it passes it to its data link layer.
The data link layer removes the frame header and trailer, then
passes the packet to the upper layer, the network layer. The
network layer removes the IP header from the packet and passes the
segment to the transport layer. In the same way, the transport
layer extracts the original data and delivers it to the top layer, the
application layer.
The process of encapsulation or de-encapsulation is done layer by
layer. Each layer of the TCP/IP stack has to deal with data from both its
upper and lower layers by adding or removing headers.
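The encapsulation described on the preceding slides (data to segment to packet to frame) and the de-encapsulation above, as an added worked example that is not part of the original training material. It builds a minimal TCP segment, a real IPv4 header with its RFC 1071 checksum, and an Ethernet II frame with a CRC-32 frame check sequence, then peels the layers off again. The receiving side performs the integrity checks each layer provides, so a frame damaged in transit is rejected rather than passed upward. The MAC and IP addresses, ports and payload are constructed sample values (the 00e0fc prefix is the Huawei OUI quoted later on this page); TCP sequence numbers and the TCP checksum are left at zero, which is a simplification, not a property of real TCP.

```python
"""Worked example of TCP/IP encapsulation and de-encapsulation (constructed sample)."""
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: prepend a minimal 20-byte TCP header (layer 4 PDU = segment).
    Sequence/ack numbers and the TCP checksum are zero here (assumption for brevity)."""
    offset_and_flags = (5 << 12) | 0x018    # data offset 5 words, flags PSH|ACK
    header = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                         offset_and_flags, 65535, 0, 0)
    return header + payload


def build_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Network layer: prepend an IPv4 header with a real header checksum (layer 3 PDU = packet)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def build_frame(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Data link layer: Ethernet II header in front and a CRC-32 frame check sequence
    as trailer (layer 2 PDU = frame). The FCS goes on the wire least-significant byte first."""
    body = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def encapsulate(payload: bytes, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Top-down encapsulation: data -> segment -> packet -> frame."""
    segment = build_segment(src_port, dst_port, payload)
    packet = build_packet(src_ip, dst_ip, segment)
    return build_frame(src_mac, dst_mac, packet)


def decapsulate(frame: bytes) -> dict:
    """Bottom-up de-encapsulation, verifying the FCS and the IPv4 header checksum.
    Raises ValueError when a layer's check fails, so damaged data is not passed upward."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst_mac, src_mac = body[:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:      # a correct header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    (total_length,) = struct.unpack("!H", packet[2:4])
    if packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    segment = packet[ihl:total_length]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_mac": _mac_str(src_mac), "dst_mac": _mac_str(dst_mac),
        "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[data_offset:],
    }


def is_intact(frame: bytes) -> bool:
    """True when every layer's integrity check passes."""
    try:
        decapsulate(frame)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n", "00:e0:fc:00:00:01", "00:e0:fc:00:00:02",
                        "192.168.1.10", "192.168.2.20", 40000, 80)
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

Reading the result shows the nesting the slides describe: 14 bytes of Ethernet header, 20 of IPv4 header, 20 of TCP header, the application data, and the 4-byte trailer. Flipping any byte of the body changes the CRC and the frame is dropped at layer 2, which is why corruption on the cable never reaches the application layer.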

Page55
The main functions of the physical layer are:
It specifies the media, interface and signaling types.
It specifies the electrical, mechanical, procedural, and functional
requirements for activating, maintaining, and deactivating a physical
link between end systems.
It specifies features such as voltage, wire speed, maximum
transmission distance and pin-out.
The physical layer provides standards for the transmission media
and connectors.
The common physical layer standards include IEEE 802.3 for
Ethernet, IEEE 802.4 for token bus networks, IEEE 802.5 for token
ring networks and Fiber Distributed Data Interface (FDDI), specified
by the X3T9.5 committee of ANSI. The common physical layer
standards for WANs include EIA/TIA-232 (RS-232), V.24 and V.35
developed by ITU for serial ports, and G.703, which covers the
physical, electrical and electronic standards for all digital
interfaces.
Page56
Physical layer media include coaxial cable, twisted pair, fiber and
wireless radio. Coaxial cable is an electrical cable consisting of a
round conducting wire. Coaxial cables are grouped into thick
coaxial cable and thin coaxial cable according to their diameters.
Thick coaxial cable is more suitable for large LANs since its
transmission distance is longer and it is more reliable. Thick
coaxial cable does not need to be cut, but you must install a transceiver
for networks using thick coaxial cable. Thin coaxial cable is easy
to install and much cheaper, but when installing it you need to cut the
cable, put basic network connectors (BNC) on both ends and
then insert the ends into T-shaped connectors. So when there are
many connectors, reliability is affected.
Page57
Twisted pair is the most widely used cable. It is made by twisting together
a pair of insulated copper wires whose diameters are about 1 mm.
Twisted pair has two types: Shielded Twisted Pair (STP) and
Unshielded Twisted Pair (UTP). STP cabling includes metal
shielding over each individual pair of copper wires, so it is very
capable of keeping electromagnetic interference and wireless
radio interference at bay. STP is easy to install but its price is
comparatively high. UTP is easy to install and cheaper;
however, its resistance to interference is not as strong as
that of STP and its transmission distance is not as long.
Fiber consists of fiberglass and a shielding layer, and it is not
affected by electromagnetic interference. The transmission speed
of fiber is high and the transmission distance is long, but fiber is
very expensive. Optical fiber connectors are connectors for
light; they must be very smooth and must not have any scratches.
Fiber connectors are not easy to install.
Wireless radio enables communication without physical links.
Wireless radio refers to electromagnetic waves with frequencies
within the radio band that propagate through space,
including air and vacuum. When choosing a physical medium, we should
take all aspects into consideration, such as distance, price, bandwidth
requirements, and the cables that the network devices support.
Repeaters and hubs are devices working at the physical layer,
but with the development of networks they are not used as much
as in the past. We will not discuss them here.

Page58
The data link layer is the first logical layer above the physical layer. It
encodes physical addresses for terminals and helps network devices
decide whether to pass data to the upper layers of the protocol stack.
Some of its fields also indicate which protocol the data should be delivered to,
and at the same time it provides functions such as
sequencing and traffic control.
The data link layer has two sub-layers: the Logical Link Control sub-layer
(LLC) and the Media Access Control sub-layer (MAC).
LLC lies between the network layer and the MAC sub-layer. This
sub-layer is responsible for identifying protocols and encapsulating
data for transmission. The LLC sub-layer performs most functions of
the data link layer and some functions of the network layer, such as
sending and receiving frames. When it sends a frame, it adds the
address and CRC to the original data. When it receives a frame, it
takes the frame apart and performs address identification and the CRC check.
It also provides flow control, frame sequence checking, and error
recovery. Besides these, it can perform some network
functions, including datagrams, virtual links and multiplexing.
The MAC sub-layer defines how data is transmitted through physical
links. It communicates with the physical layer, specifies physical
addresses, network topology, and line standards, and performs error
notification, sequenced transmission and traffic control.
Page59
Data link layer protocols specify the frame encapsulation at the
data link layer. A common data link layer protocol for LANs is IEEE
802.2 LLC.
Common data link layer protocols for WANs include High-level
Data Link Control (HDLC), the Point-to-Point Protocol (PPP) and
Frame Relay (FR).
HDLC is a bit-oriented synchronous data link layer protocol
developed by ISO. HDLC specifies data encapsulation for
synchronous serial links with frame characters and a CRC.
PPP is defined by Request For Comments (RFC) 1661. PPP
consists of the Link Control Protocol (LCP), the Network Control
Protocol (NCP) and other PPP extension protocols. PPP is
commonly used as a data link layer protocol for connections
over synchronous and asynchronous circuits, and it supports
multiple network layer protocols. PPP is the default data link layer
encapsulation protocol on the serial ports of VRP routers.
FR is a protocol conforming to industry standards and is
an example of packet-switched technology. PPP uses an error
verification mechanism, which speeds up data transmission.
Ethernet switches are common network devices that work at the data
link layer.
Page60
Just as every person is given a name for identification, each network
device is labeled with a physical address, namely the MAC address.
The MAC address of a network device is globally unique. A MAC
address consists of 48 binary digits and is usually printed in
hexadecimal digits for human use. The first six hexadecimal digits are
assigned to producers by IEEE and the last six digits are decided by
the producers themselves. For example, the first six hexadecimal digits of
the MAC address of Huawei's products are 0x00e0fc.
A Network Interface Card (NIC) has a fixed MAC address. Most NIC
producers burn the MAC address of their products into ROM.
When a NIC is initialized, the MAC address in ROM is read into
RAM. When you insert a new NIC into a computer, the physical
address of the computer is replaced by the physical address of the
NIC.
However, if you insert two NICs into your computer, then your
computer may have two MAC addresses, so a network device may
have multiple MAC addresses.
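The MAC address structure just described, as an added example that is not part of the original training material. It parses the notations a practitioner meets in practice (colon, hyphen, dotted and bare hex), splits off the IEEE-assigned vendor prefix (OUI), and reads the two flag bits of the first octet that the slide does not mention: the individual/group bit (multicast) and the universally/locally administered bit. The vendor table is a constructed one-entry lookup holding only the Huawei prefix 0x00e0fc quoted on the slide; the inventory check at the end reports addresses whose prefix is outside an expected set or that are locally administered, which is a common way to spot devices on a segment that do not match the hardware one expects there.

```python
"""MAC address parsing and OUI checks (constructed example)."""
import re
from typing import Dict, List, Set

# Constructed vendor table; 00e0fc is the Huawei prefix the training material quotes.
OUI_TABLE: Dict[str, str] = {"00e0fc": "Huawei"}

_SEPARATED = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
_BARE = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> bytes:
    """Accept 00:e0:fc:12:34:56, 00-e0-fc-12-34-56, 00e0.fc12.3456 or 00e0fc123456.
    Returns the six raw octets; raises ValueError for anything else."""
    s = text.strip().lower()
    if _SEPARATED.match(s) or _DOTTED.match(s) or _BARE.match(s):
        return bytes.fromhex(re.sub(r"[:.\-]", "", s))
    raise ValueError("not a MAC address: %r" % text)


def is_valid_mac(text: str) -> bool:
    try:
        parse_mac(text)
    except ValueError:
        return False
    return True


def oui(mac: bytes) -> str:
    """The first three octets: the IEEE-assigned vendor prefix (six hex digits)."""
    return mac[:3].hex()


def is_multicast(mac: bytes) -> bool:
    """Least significant bit of the first octet: 0 = individual, 1 = group address."""
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    """Second least significant bit: 1 = address set locally, not burned in by the vendor."""
    return bool(mac[0] & 0x02)


def describe(text: str) -> dict:
    mac = parse_mac(text)
    prefix = oui(mac)
    return {
        "mac": ":".join("%02x" % b for b in mac),
        "oui": prefix,
        "vendor": OUI_TABLE.get(prefix, "unknown"),
        "multicast": is_multicast(mac),
        "locally_administered": is_locally_administered(mac),
    }


def flag_anomalies(macs: List[str], expected_ouis: Set[str]) -> List[str]:
    """Return the addresses (normalized) whose vendor prefix is not expected on this
    segment, or which carry the locally-administered bit, for a human to review."""
    flagged = []
    for text in macs:
        mac = parse_mac(text)
        if oui(mac) not in expected_ouis or is_locally_administered(mac):
            flagged.append(":".join("%02x" % b for b in mac))
    return flagged


if __name__ == "__main__":
    # Constructed sample of addresses seen on one switch port.
    seen = ["00:e0:fc:12:34:56", "00e0.fcaa.bbcc", "02-00-00-aa-bb-cc"]
    for m in seen:
        print(describe(m))
    print("review:", flag_anomalies(seen, {"00e0fc"}))
```

Because the OUI is vendor-assigned but the lower three octets are chosen by the vendor, two NICs can never legitimately share an address, so a duplicate on one segment is worth investigating just as much as an unexpected prefix.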
Page61
The data link layer ensures that datagrams are forwarded between
devices on the same network, while the network layer is responsible
for forwarding packets from source to destination across networks.
The functions of the network layer can be summarized as follows:
Providing logical addresses for transmission across networks.
Routing: forwarding packets from one network to another.
The router is a common network device that works at the network
layer. Routers function mainly to forward packets among
networks. In the above figure, Host A and Host B reside on different
networks or links. When the router that resides on the same network
as Host A receives frames from Host A, it passes them
to the network layer after confirming, by analyzing the frame header, that
the frames are addressed to itself. Then the network layer
checks where those packets should go according to the destination
address in the network layer header and forwards them
to the next hop. The process repeats until the packets are delivered
to Host B.
Common network layer protocols include the Internet Protocol (IP), the
Internet Control Message Protocol (ICMP), the Address Resolution Protocol
(ARP) and the Reverse Address Resolution Protocol (RARP).
IP is the most important of the network layer protocols, and its functions
represent the main functions of the network layer: providing logical
addresses, routing, and encapsulating or de-encapsulating packets. ICMP,
ARP and RARP help IP achieve the network layer functions.
ICMP is a control and management protocol that reports errors and status
information for IP. ICMP messages are carried inside IP packets.
ARP maps an IP address to a hardware address; it is the standard method
for finding a host's hardware address when only its network layer address
is known.
RARP maps a hardware address to an IP address, that is, it obtains a
host's IP address from its hardware address.
Neither ARP nor ICMP authenticates its messages, which is why ARP spoofing
on a LAN and forged ICMP redirects are possible; switches and hosts that
care about this have to validate these messages by other means.
The network layer address mentioned here is the IP address. The IP address
is a logical address rather than a hardware address. A hardware address
such as the MAC address is burned into the NIC and is used for
communication between devices on the same link, whereas the IP address is
used for communication between devices on different networks.
An IP address is 4 bytes long and is made up of a network part and a host
part. It is usually written in dotted decimal notation, for example
10.8.2.48.
More information about IP addresses is given in later chapters.
The transport layer provides transparent transfer of data between hosts.
It hides the complexity of communication from the upper-layer
applications and is usually responsible for end-to-end connections.
The main functions of the transport layer are:
Encapsulate data received from the application layer and decapsulate data
received from the network layer.
Create end-to-end connections to transmit data streams.
Send data segments from one host to another and, depending on the
protocol, perform error recovery and flow control to ensure complete data
transfer.
Some transport layer protocols ensure that data is transmitted correctly,
meaning that data is neither lost nor altered in transit and that segments
are delivered to the receiver in the order they were sent.
Transport layer protocols mainly include the Transmission Control
Protocol (TCP) and the User Datagram Protocol (UDP) .

Although TCP and UDP are both transport layer protocols, the services they
offer the application layer differ greatly.
TCP provides connection-oriented, reliable transmission.
Connection-oriented means that applications using TCP as their transport
layer protocol must establish a TCP connection (the three-way handshake)
before they exchange data.
TCP provides a reliable service to the upper layer through sequence
numbers, acknowledgements, checksums and retransmission of lost or
corrupted segments. Establishing the connection and running these
mechanisms adds overhead and delay.
UDP does not guarantee reliability or ordering in the way TCP does. It
provides a simpler service: datagrams may arrive out of order, appear
duplicated, or go missing without notice. UDP suits applications that
value transmission efficiency over reliability, such as SNMP and RADIUS.
SNMP, for example, polls network devices and sends out traps from time to
time; if it had to establish a TCP connection every time it sent a small
amount of information, transmission efficiency would obviously suffer. So
time-sensitive applications like SNMP and RADIUS usually use UDP as their
transport layer protocol. UDP is also appropriate for applications that
implement their own reliability mechanisms.
Because UDP has no connection setup, the source address of a UDP datagram
is never confirmed by a handshake. This is why UDP services such as SNMP
and DNS are the usual vehicles for spoofed-source reflection attacks, and
why they should be filtered and rate-limited at network boundaries.
The main functions of the application layer are:
Provide user interfaces and handle specific applications.
Provide data encryption and decryption, compression and decompression.
Specify the standards of data presentation.













The application layer has many protocols; the following may help you use
and manage a TCP/IP network.
File Transfer Protocol (FTP) is used to transfer files from one computer
to another over the Internet or a private network. It is often used for
interactive user sessions.
Hypertext Transfer Protocol (HTTP) is the communication protocol used to
transfer information on the World Wide Web.
Telnet provides a standard for interacting with remote terminal devices or
terminal processes; Telnet data carries the Telnet control information
in-band. Telnet supports end-to-end connections and process-to-process
distributed communication.
Simple Mail Transfer Protocol (SMTP) and Post Office Protocol version 3
(POP3) are used for sending and receiving e-mail.
The Domain Name System (DNS) translates a domain name to an IP address and
allows decentralized management of domain resources.
Trivial File Transfer Protocol (TFTP) is a very simple file transfer
protocol running over UDP, used for ordinary purposes such as loading
configuration files and software images onto network devices. It has no
authentication.
FTP, HTTP, Telnet, SMTP, POP3 and TFTP as described here carry credentials
and data in cleartext; where the content is sensitive, their encrypted
counterparts (SFTP or FTPS, HTTPS, SSH, and SMTP/POP3 over TLS) are used
instead.
Routing Information Protocol (RIP) is a protocol that routers use to
exchange routing information over an IP network.
Simple Network Management Protocol (SNMP) collects network management
information and exchanges it between the network management console and
network devices such as routers, bridges and servers.
Remote Authentication Dial In User Service (RADIUS) performs user
authentication, authorization and accounting.
To illustrate the encapsulation process, imagine a network whose transport
layer uses TCP, whose network layer uses IP and whose data link layer uses
Ethernet. The above figure shows the encapsulation of a TCP/IP packet on
that network.
The original data is handed to the transport layer, which adds a TCP
header and passes the segment down to the network layer. The network layer
prepends an IP header to the segment and delivers the packet to the data
link layer. The data link layer adds an Ethernet header and trailer to the
IP packet and passes the frame to the physical layer. Finally, the
physical layer sends the frame onto the physical link as a bit stream. The
length of each header field is indicated in the above figure. Now we'll
take a closer look at the whole process from top to bottom.
The above shows a TCP segment encapsulated in an IP packet. The TCP
segment consists of the TCP header and the TCP data. The maximum length of
a TCP header is 60 bytes; without the Option field the header is normally
20 bytes long.
The structure of a TCP header is shown in the above figure. We explain
only some of its fields here; for more details, refer to the transport
layer protocols.
Source Port: the source port number. The sending host allocates a source
port for each application connection.
Destination Port: the destination port number. Port numbers distinguish
applications: 80 is HTTP, 23 is Telnet, 20 and 21 are FTP (data and
control), and 53 is DNS.
Sequence Number: the sequence number that labels the position of this
segment's data within the TCP data stream.
Ack Num: the acknowledgement number. Its value is the sequence number that
the sender of the acknowledgement expects to receive next.
Option: optional fields.
The network layer adds the IP header to the TCP segment it receives from
the transport layer. Without IP options the IP header has a fixed length
of 20 bytes. The IP header consists of the following fields:
Version: the version of the IP protocol. At present the version is 4; the
next generation IP protocol is version 6.
IP header length (IHL): the number of 32-bit words in the header,
including options. Since it is a 4-bit field, the maximum header length is
15 x 4 = 60 bytes.
TOS: 8 bits. It consists of a 3-bit precedence field (the slide calls it
COS, Class of Service), 4 TOS bits and 1 unused bit that must be 0. The 4
TOS bits request minimum delay, maximum throughput, highest reliability
and minimum cost respectively.
Total length: the length of the whole IP packet, header plus data. This
field is 16 bits long, so an IP packet can be at most 65535 bytes.
Although an IP packet can be up to 65535 bytes, most data link layers
require larger datagrams to be fragmented before transmission.
Furthermore, a host is only required to accept datagrams of up to 576
bytes, and older UDP-based applications therefore limited their datagrams
to 512 bytes of data. However,
nowadays many applications send IP datagrams larger than 8192 bytes over
the links, especially applications that support NFS.
Identification: identifies each datagram the host sends; the sender
typically increments the value for every datagram. Together with the
flags and fragment offset, it lets the receiver match up the fragments of
one datagram.
Time to Live (TTL): the maximum number of routers (hops) the packet may
pass through. Every router that forwards the packet decreases the value by
one; when it reaches 0 the packet is discarded and an ICMP time-exceeded
message is returned to the source.
Protocol: the next-level protocol carried in the data portion of the
datagram, similar in purpose to a port number. IP uses protocol numbers to
mark upper layer protocols; the protocol number of TCP is 6 and that of
UDP is 17.
Header checksum: a checksum over the IP header only, used to check that
the header arrived intact. It detects accidental corruption, not
deliberate modification, since anyone who alters the header can simply
recompute it.
The source IP address and destination IP address fields hold the IP
addresses of the source and the destination. Neither is authenticated by
IP itself; the source address can be set to any value by the sender.


The physical layer limits the length of the frame it can send at one time.
Whenever the network layer has an IP datagram to send, it decides which
interface the datagram should leave through and checks the MTU of that
interface. IP uses a technique called fragmentation to cope with
heterogeneous MTUs.
When a datagram is longer than the MTU of the network over which it must
be sent, it is divided into smaller fragments, which are sent separately.
Fragmentation can be done by the source host or by an intermediate router.
Fragments of an IP datagram are not reassembled until they arrive at the
final destination; the reassembly is performed by the IP layer at the
destination.
A datagram can be fragmented more than once. The IP header provides enough
information for fragmentation and reassembly.
Flags: 3 bits, used as control bits:
Bit 0: reserved, must be 0.
Bit 1: DF (Don't Fragment). 0 = may be fragmented, 1 = must not be
fragmented.
Bit 2: MF (More Fragments). 0 = last fragment, 1 = more fragments follow.
DF and MF cannot both be 1 at the same time.
    0   1   2
  +---+---+---+
  |   | D | M |
  | 0 | F | F |
  +---+---+---+
Fragment offset: 13 bits, the position of the fragment's data within the
original datagram, measured in units of 8 bytes. When an IP datagram is
fragmented, each fragment becomes a packet with its own IP header and is
routed independently of the other fragments.
Reassembly at the receiver therefore has to cope with fragments that
arrive out of order, are duplicated, or overlap. Overlapping fragments are
never produced by a correct sender; they are a classic way to evade
inspection devices and to trigger reassembly bugs, so a careful receiver
discards them.
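The fragmentation and reassembly procedure described on the last two pages, as an added example (not code from the course or from Huawei). It works on (identification, DF, MF, offset, data) records rather than full IP headers so that the bookkeeping is visible: offsets are counted in 8-byte units, every fragment except the last carries a multiple of 8 bytes, DF blocks fragmentation, and the receiver rejects overlaps and holes instead of guessing. The Fragment class, the MTU values and the sample payload are this example's own assumptions; a 20-byte header without options is assumed.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: no IP options


@dataclass
class Fragment:
    ident: int    # Identification field, shared by all fragments of one datagram
    df: bool      # Don't Fragment flag
    mf: bool      # More Fragments flag
    offset: int   # Fragment offset field, in units of 8 bytes
    data: bytes   # payload carried by this fragment


def fragment(ident, payload, mtu, df=False):
    """Split payload into fragments whose header plus data fit in mtu bytes.
    If DF is set and the datagram does not fit, raise: this is the point at which
    a router would discard the packet and return ICMP 'fragmentation needed'."""
    if mtu < IP_HEADER_LEN + 8:
        raise ValueError("MTU %d too small to carry a fragment" % mtu)
    if IP_HEADER_LEN + len(payload) <= mtu:
        return [Fragment(ident, df, False, 0, payload)]
    if df:
        raise ValueError("DF set and datagram larger than MTU %d" % mtu)
    # all but the last fragment must carry a multiple of 8 bytes (offset unit)
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append(Fragment(ident, False, more, start // 8, piece))
    return frags


def reassemble(frags):
    """Reassemble the fragments of one datagram. They may arrive in any order,
    since each is routed independently. Overlapping or missing pieces are
    rejected rather than silently merged; implementations that disagree on
    which overlapping bytes win are exactly what fragment-based evasions exploit."""
    if not frags:
        raise ValueError("no fragments")
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        raise ValueError("fragments with different identification values")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    out = bytearray()
    for f in ordered:
        start = f.offset * 8
        if start < expected:
            raise ValueError("overlapping fragment at byte offset %d" % start)
        if start > expected:
            raise ValueError("hole before byte offset %d" % start)
        out += f.data
        expected += len(f.data)
    if ordered[-1].mf:
        raise ValueError("last fragment missing (MF still set)")
    if any(not f.mf for f in ordered[:-1]):
        raise ValueError("MF cleared on a non-final fragment")
    return bytes(out)


if __name__ == "__main__":
    sample = bytes(range(256)) * 10          # constructed 2560-byte payload
    pieces = fragment(0x1234, sample, mtu=576)
    for p in pieces:
        print("offset=%4d (x8 = %4d) MF=%d len=%d" % (p.offset, p.offset * 8, p.mf, len(p.data)))
    assert reassemble(list(reversed(pieces))) == sample
```

Reassembly keeps state per identification value until the last fragment arrives, which is why real stacks bound the number of incomplete datagrams and time them out: an attacker who sends only first fragments can otherwise exhaust that memory.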


The Ethernet header is made up of three fields:
DMAC: the MAC address of the destination.
SMAC: the MAC address of the source.
LENGTH/TYPE: its meaning depends on its value.
When the value is 0x0600 (1536) or greater, it indicates the frame type,
that is, the upper layer protocol type (Ethernet II framing). Common
protocol types are:
0x0800 IP packet
0x0806 ARP request/response message
0x8035 RARP request/response message
When the value is 1500 or less, it indicates the length of the data field
(IEEE 802.3 framing).
The header is followed by:
DATA/PAD: the original data. Ethernet standards specify a minimum data
length of 46 bytes; if the data is shorter, a Pad field is added to fill
it. The pad should be zeroed by the sending driver; drivers that filled it
with whatever was left in the transmit buffer have leaked kernel memory
onto the wire.
FCS: the frame check sequence, a CRC over the frame that detects
transmission errors.
The above is an example of a captured HTTP packet, which may help you
understand packet encapsulation. The bottom pane displays the raw bytes
and the top pane shows the fields decoded by the analysis software.
This page illustrates data encapsulation at the data link layer. The
encapsulation format used here is Ethernet, introduced earlier.
The figure above shows DMAC first, then SMAC, and the type field last.
DMAC is 00d0:f838:43cf.
SMAC is 0011:5b66:6666.
The type field value is 0x0800, which indicates that the frame carries an
IP packet.
This page illustrates data encapsulation at the network layer. An IP
packet is made up of two parts, the IP header and the IP data. As
described previously, the IP header consists of many fields. In the above
example, the value of the version field is 4, indicating an IPv4 packet.
The packet header is 20 bytes long. The protocol field is 0x06, which
tells us that the encapsulated data is a TCP segment. The source IP
address is 192.168.0.123 and the destination IP address is 202.109.72.70.

This page illustrates data encapsulation at the transport layer. The
transport layer here uses TCP. The source port number is an ephemeral
port chosen by the client, 3514, and the destination port number is 80,
the number assigned to HTTP. So the segment is sent from the source to
the HTTP service on the destination host.
















1. What are the layers of the OSI reference model?
The OSI reference model consists of seven layers: the physical layer, the
data link layer, the network layer, the transport layer, the session
layer, the presentation layer and the application layer.
2. What are the functions of each layer in the TCP/IP protocol stack?
The TCP/IP protocol stack has five layers: the physical layer, the data
link layer, the network layer, the transport layer and the application
layer. The physical layer specifies the mechanical, electrical and
electronic standards for transmission. The data link layer controls the
physical layer, detects errors and optionally performs flow control. The
network layer examines the network topology to decide the best route for
data transmission. The basic function of the transport layer is to segment
the data it receives from the application layer and to reassemble the
segments before handing the data to the application layer at the
receiver; it builds end-to-end connections to send data segments from one
host to the other. The application layer provides network services for
application programs.
3. What is the process of packet encapsulation and de-encapsulation?
De-encapsulation is the reverse of encapsulation. Encapsulation means
adding headers to the original data layer by layer, from the top of the
protocol stack to the bottom; de-encapsulation strips those headers off
again, from the lower layers up to the upper layers.
4. What are the differences between the MAC address and the IP address?
A MAC address is a 48-bit physical address burned into the hardware of a
device; it normally stays fixed, although most operating systems can
override it in software. An IP address is a 32-bit logical address that
works at the network layer and can be changed by configuration. IP
addresses are grouped into public addresses and private addresses. Public
addresses are globally unique, while private addresses can be reused in
different LANs.


In the TCP/IP protocol suite, each layer has its own addressing: the data
link layer uses MAC addresses and the network layer uses IP addresses.
Having covered the functions of these layers, this course now introduces
IP addressing at the network layer, as well as packet forwarding between
network layer devices, which is the basis of routing.
This chapter introduces layer 3, the network layer, of the TCP/IP protocol
suite. The main function of the network layer is achieved through the IP
protocol, which covers IP addressing and IP routing.
As the slide shows, this procedure is called encapsulation: data is passed
down the TCP/IP protocol stack from the upper layers, and at each layer
the corresponding header (and trailer) is added. After encapsulation and
transmission across the network, the receiving equipment removes the added
information layer by layer and, according to the information in each
header, decides how to deliver the data to the proper application.
Between the layers of the TCP/IP model, information is exchanged as
Protocol Data Units (PDUs), which have different names at different
layers. In the transport layer the TCP PDU is called a segment; when the
segment is passed to the network layer and an IP header is added, the PDU
is called a packet; the PDU with a layer 2 header is called a frame.
Finally, the frame is converted to bits and transmitted over the network
medium.

The network layer receives data from the transport layer and adds a source
address and a destination address to it. As learned in previous chapters,
the data link layer uses the physical (MAC) address, which is globally
unique. When there is data to send, the source device looks up the MAC
address of the destination device and sends the frame.
However, MAC addresses form a flat address space with no hierarchy, so
they are only suitable for communication within the same network segment.
Moreover, the MAC address is fixed in hardware and offers little
flexibility. Hence communication between different networks is based on
the IP address, which is assigned in software and provides more
flexibility.
An IP address consists of 32 bits, divided into four octets (four bytes).
An IP address can be written in the following ways:
Dotted decimal format: 10.110.128.111
Binary format: 00001010.01101110.10000000.01101111
Hexadecimal format: 0a.6e.80.6f
IP addresses are usually written in dotted decimal format and seldom in
hexadecimal. The hierarchical scheme of IP addresses is composed of two
parts, network and host.
The hierarchical scheme of IP addresses is similar to that of telephone
numbering, which is also globally unique. For example, in the telephone
number 010-82882484, 010 is the area code of Beijing and 82882484
identifies a telephone within Beijing. It is the same for IP addresses:
the leading network part of an address identifies a network segment, while
the trailing host part identifies the device within that network segment.
Because every network layer device uses this hierarchical design, the
network can be segmented. This mechanism greatly decreases the number of
routing table entries a router must hold and increases routing
flexibility.
An IP address contains a network ID, which uniquely identifies a network
segment or an aggregation of multiple network segments. Devices in the
same network segment share the same network ID. An IP address also
contains a host ID, which uniquely identifies a device within the network
segment. How are the network ID and host ID distinguished? The Internet
designers classified IP addresses into five classes according to the size
of the network: class A, class B, class C, class D and class E.
The network ID of a class A address is the first octet, and the first bit
of the first octet is 0. Therefore the number of bits available for the
network address in class A is 8 - 1 = 7. The first octet of a class A
address ranges from 1 to 126 (0 and 127 are reserved). For example,
10.1.1.1 and 126.2.4.78 are class A addresses. The host ID of a class A
address is the last three octets, that is, the last 24 bits. Class A
addresses range from 1.0.0.0 to 126.255.255.255, and each class A network
can have 2^24 IP addresses. The network ID of a class B address is the
first two octets. The first bit of the first octet is 1 and the second
bit is 0, so the number of bits available for the class B network address
is 16 - 2 = 14. The first octet of a class B address ranges from 128 to
191. For example, 128.1.1.1 and 168.2.4.78 are class B addresses.
The host ID of a class B address is the last two octets, that is, the last
16 bits. Class B addresses range from 128.0.0.0 to 191.255.255.255, and
each class B network can have 2^16 IP addresses. The network ID of a
class C address is the first three octets. The first two bits of the first
octet are 11 and the third bit is 0, so the number of bits available for
the class C network address is 24 - 3 = 21. The first octet of a class C
address ranges from 192 to 223. For example, 192.1.1.1 and 220.2.4.78 are
class C addresses. The host ID of a class C address is the last octet.
Class C addresses range from 192.0.0.0 to 223.255.255.255, and each
class C network can have 2^8 = 256 IP addresses. The first three bits of
the first octet of a class D address are 111 and the fourth bit is 0, so
the first octet of a class D address ranges from 224 to 239. Class D
addresses are used as multicast addresses. The first octet of a class E
address ranges from 240 to 255; class E is reserved for research. The IP
addresses in ordinary use are of class A, class B and class C. IP
addresses were allocated by the Internet Network Information Center
(InterNIC), a role now filled by IANA and the regional Internet
registries, according to the scale of the organization: broadly, class A
addresses went to governments and very large organizations, class B
addresses to medium-sized companies, and class C addresses to small
companies. With the fast growth of the Internet and the waste inherent in
classful allocation, IP addresses became scarce; allocation and routing
today are classless (CIDR), so the class boundaries matter mainly as the
default masks described below.

An IP address uniquely identifies a device in the network. However, some
IP addresses cannot be used to identify devices because they are reserved
for special purposes.
An IP address whose host ID is all 0s is called the network address; it
identifies a network segment. For example, the class A address 1.0.0.0
and the private addresses 10.0.0.0 and 192.168.1.0 are network addresses.
An IP address whose host ID is all 1s is called a broadcast address; it
identifies all the hosts in a network. For example, 10.255.255.255 and
192.168.1.255 are broadcast addresses. If a router sends a packet to a
broadcast address, all nodes on that network segment receive the packet.
An IP address whose network ID is 127 is a loopback address, for example
127.0.0.1, which is normally used for loopback tests.
The all-0s address 0.0.0.0 means "this host" or "any address". On Huawei
Quidway routers, the destination 0.0.0.0 with mask 0.0.0.0 specifies the
default route. The address 255.255.255.255 is also a broadcast address,
the limited broadcast: it stands for all hosts on the local network and
is used to send packets to every node on that network. Such broadcast
packets are never forwarded by routers. So in every network segment, some
IP addresses cannot be allocated to hosts.
The number of IP addresses that can be allocated can be calculated. For
example, in the class B network segment 172.16.0.0 an IP address has a
16-bit host ID, so there are 2^16 IP addresses on the segment. Of these,
172.16.0.0 is the network address and 172.16.255.255 is the broadcast
address, so up to 2^16 - 2 IP addresses can be allocated to hosts.
In the class C network segment 192.168.1.0 an IP address has an 8-bit
host ID, so there are 2^8 = 256 IP addresses on the segment, of which
192.168.1.0 is the network address and 192.168.1.255 is the broadcast
address; up to 254 IP addresses can be allocated to hosts. In general, if
the IP addresses in a network segment have an n-bit host ID, the number
of IP addresses that can be allocated to hosts is 2^n - 2. A network
layer device such as a router uses the network address to stand for all
the hosts on the segment, which greatly reduces the number of entries in
its routing table.

When planning IP addresses, private IP addresses are usually used within
a company. Private IP addresses, reserved by InterNIC (RFC 1918), can be
freely used by any organization. Private IP addresses cannot be used to
reach the Internet directly, because they have no corresponding routes on
the public network and the same addresses are in use in many different
organizations at once.
When a user with a private IP address needs access to the Internet, the
private IP address must be translated to a public address recognized by
the public network, using Network Address Translation (NAT). The following
network segments are reserved as private IP addresses:
class A: 10.0.0.0-10.255.255.255;
class B: 172.16.0.0-172.31.255.255;
class C: 192.168.0.0-192.168.255.255.
By using private IP addresses, enterprises reduce the cost of buying
public addresses and public IP addresses are conserved. Note that a
private address is not a security control in itself: hosts behind NAT are
still reachable through whatever the NAT device forwards, and packets
with private source addresses arriving from the Internet should be
dropped at the border, since they are almost certainly spoofed.
Subnet masks are used to distinguish the network bits from the host bits.
In a subnet mask, the 1 bits represent the network part and the 0 bits
the host part. By default, the subnet mask of a class A network in dotted
decimal format is 255.0.0.0, that of a class B network is 255.255.0.0,
and that of a class C network is 255.255.255.0.

192.168.1.100 is a standard class C address, so its default subnet mask
is 255.255.255.0. Hence the network address of this IP address is
192.168.1.0.

An IP address is a collection of 32 binary digits, or bits. Every 8 bits
corresponds to one decimal number. The decimal counting system is based
on powers of 10 (10^1, 10^2, etc.), and the binary counting system is
based on powers of 2 (2^1, 2^2, etc.). In a byte, from the rightmost bit
to the leftmost bit, the bit values are 2^0, 2^1, 2^2, ..., 2^7. As the
slide shows, from left to right the decimal values represented by the
bits of this byte are: 2^7 = 128, 2^6 = 64, 2^5 = 32, 2^4 = 16, 2^3 = 8,
2^2 = 4, 2^1 = 2, 2^0 = 1. Their sum is 255. Thus a byte (8 bits) with
all bits set to 1 represents 255 in decimal.

As this slide shows, for 11101001 the value is calculated bit by bit,
128 + 64 + 32 + 0 + 8 + 0 + 0 + 1 = 233, which converts the binary number
to its decimal value.

An IP address is a collection of 32 binary digits. It is represented
by 4 bytes, each byte is composed of 8 binary digits.
An IP network without subnets can be treated externally as a single
network, without knowing what it looks like internally. For example, all
routes to addresses 172.16.X.X are considered to lead in the same
direction, regardless of the third and fourth bytes. This reduces the
number of routes in the routing table. However, in this way different
subnets cannot be distinguished, so every host in the network may receive
broadcasts for the whole network, which reduces network performance and
makes network management inconvenient.
For example, a class B network can contain about 65,000 hosts. If the
user who applied for the class B address only needs 100 IP addresses, it
is a huge waste, since the remaining addresses cannot be used by others.
Hence a method is needed to divide such a network into several segments
and to manage it as different subnetworks.

From the point of view of address allocation, a subnet is an extension of
the network address. The network administrator can decide the size of
each subnet according to the needs of the organization's development.
Using subnet masks, network devices can determine from an IP address
which bits represent the network and which bits represent the host. With
subnets, network addresses are used more efficiently. Externally it is
still a single network, but internally it is divided into several
different subnets. As the slide shows, the network 172.16.0.0 is divided
into two network segments: 172.16.4.0 and 172.16.8.0.
If the finance department of a company uses the subnet 172.16.4.0 and the
engineering department uses the subnet 172.16.8.0, routing can be done
according to the destination subnet address, which confines the broadcast
packets of one subnet to that subnet and improves overall network
performance. Separating departments into subnets is also the first step
in enforcing access control between them, since traffic between subnets
must pass through a router where it can be filtered.

Page104
After learning the conversion between binary and decimal, it is easy to understand the corresponding relationship between an IP address and its subnet mask. In this slide, the number of bits in the subnet mask is 8+8+8+4=28, which indicates that the number of consecutive 1s in the network mask is 28, i.e., the network address bits are 28 bits long. The subnet can also be represented another way: as /28, indicating that the first 28 bits represent the network ID.

Page105
As shown in the slide, the IP address and subnet mask are already known. The network address is obtained from the AND operation between the IP address and the subnet mask. The AND operation is defined as 1&1=1, 1&0=0, and 0&0=0. Therefore, the AND calculation for the example in this slide is as follows:
11000000, 10101000, 00000001, 00000111 & 11111111, 11111111, 11111111, 11110000 = 11000000, 10101000, 00000001, 00000000
The calculation result is the network address.

Page106
The number of hosts is calculated from the subnet mask. First, it is necessary to identify how many 0s there are in the subnet mask. As shown in the above figure, if there are N zero bits, then the number of host addresses is 2^N. The number of IP addresses that can be allocated to hosts is 2^N - 2 (minus the network address, whose host bits are all 0s, and the broadcast address, whose host bits are all 1s).
Page107
This example shows the calculation of the host quantity.
The subnet mask of a class A address is 255.0.0.0, namely a 24-bit host ID. The subnet mask of a class B address is 255.255.0.0, namely a 16-bit host ID. The subnet mask of a class C address is 255.255.255.0, namely an 8-bit host ID.
This example is a class C address. The standard subnet mask leaves an 8-bit host ID, and in this case the first 4 bits of it are also used for the subnet. The maximum number of hosts is therefore 2^(8-4).

Page108
In this example, the network address is of class C: 201.222.5.0. Suppose 20 subnets are needed, with 5 hosts in every subnet. It is necessary to divide the last byte between subnet bits and host bits. The number of subnet bits decides the number of subnets. In this example, because it is a class C address, there are 8 bits available for subnets and hosts. Since 2^4 < 20 < 2^5, 5 bits are used for subnets, and the maximum number of subnets that can be provided is 32 (2^5). The 3 bits left are for hosts, and 2^3 = 8; deducting the network address and the broadcast address of each subnet leaves 8-2=6 hosts, which meets the network requirements.
Each network segment is as follows:
201.222.5.0~201.222.5.7
201.222.5.8~201.222.5.15
201.222.5.16~201.222.5.23
...
201.222.5.232~201.222.5.239
201.222.5.240~201.222.5.247
201.222.5.248~201.222.5.255
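The subnet arithmetic of the last few slides (the bitwise AND that yields the network address, the 2^N - 2 host count, and the 32 blocks of 201.222.5.0 listed above), as an added example that is not part of the course material. The 192.168.1.7 / 255.255.255.240 input is the binary AND example from the earlier slide written in decimal; everything else is plain bit operations on 32-bit integers.

```python
# Added example, not part of the Huawei course notes: subnet arithmetic with
# plain bit operations on 32-bit integers, so each step of the slides is visible.

def ip_to_int(ip):
    """'192.168.1.7' -> 32-bit integer; rejects anything that is not four octets 0..255."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """/28 -> 0xFFFFFFF0: prefix_len consecutive 1s followed by 0s."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """Count the leading 1s; a mask such as 255.0.255.0 is not contiguous and is rejected."""
    ones = bin(mask).count("1")
    if prefix_to_mask(ones) != mask:
        raise ValueError(f"non-contiguous mask {int_to_ip(mask)}")
    return ones


def network_address(ip, mask):
    """Network address = IP AND mask, bit by bit (1&1=1, 1&0=0, 0&0=0)."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip, mask):
    """The address whose host bits are all 1s: network OR (NOT mask)."""
    m = ip_to_int(mask)
    return int_to_ip((ip_to_int(ip) & m) | (~m & 0xFFFFFFFF))


def usable_hosts(mask):
    """N host bits (the 0s of the mask) give 2^N addresses, of which 2^N - 2 are usable."""
    host_bits = 32 - mask_to_prefix(ip_to_int(mask))
    return max(2 ** host_bits - 2, 0)   # a /31 or /32 has no usable hosts under this rule


def subnets(network, mask, subnet_bits):
    """Borrow subnet_bits host bits; return the (first, last) address of each resulting block."""
    base = ip_to_int(network)
    prefix = mask_to_prefix(ip_to_int(mask))
    if prefix + subnet_bits > 32:
        raise ValueError("not enough host bits to borrow")
    block = 1 << (32 - prefix - subnet_bits)          # addresses per subnet
    return [(int_to_ip(base + i * block), int_to_ip(base + i * block + block - 1))
            for i in range(1 << subnet_bits)]


if __name__ == "__main__":
    print(network_address("192.168.1.7", "255.255.255.240"))    # 192.168.1.0
    print(broadcast_address("192.168.1.7", "255.255.255.240"))  # 192.168.1.15
    print(usable_hosts("255.255.255.248"))                      # 6 hosts per /29
    for first, last in subnets("201.222.5.0", "255.255.255.0", 5)[:3]:
        print(f"{first}~{last}")
```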

Page109
For a class B network, if there are 8 bits for the subnet, then 256 subnets can be provided, and 254 hosts can be included in each subnet.
Subnet bits   Subnet mask       Subnets   Hosts per subnet
1             255.255.128.0     2         32766
2             255.255.192.0     4         16382
3             255.255.224.0     8         8190
4             255.255.240.0     16        4094
5             255.255.248.0     32        2046
6             255.255.252.0     64        1022
7             255.255.254.0     128       510
8             255.255.255.0     256       254
9             255.255.255.128   512       126
10            255.255.255.192   1024      62
11            255.255.255.224   2048      30
12            255.255.255.240   4096      14
13            255.255.255.248   8192      6
14            255.255.255.252   16384     2

Page110
For a class C network, if there are 5 bits for the subnet, then 32 subnets can be provided, and 6 hosts can be included in each subnet.
Subnet bits   Subnet mask       Hosts per subnet   Subnets
1             255.255.255.128   126                2
2             255.255.255.192   62                 4
3             255.255.255.224   30                 8
4             255.255.255.240   14                 16
5             255.255.255.248   6                  32
6             255.255.255.252   2                  64

Page111
A network can be divided into multiple subnets, and each subnet uses a unique ID. But the number of hosts in each subnet may be different. If the length of the subnet mask is fixed and the number of IP addresses in every subnet is the same, lots of IP addresses are wasted. In this case, the variable length subnet mask (VLSM) technique can be used. If a subnet has many nodes, its subnet mask can be shorter: an IP address with a shorter subnet mask represents fewer networks/subnets, but more IP addresses can be allocated to hosts. If a subnet has few nodes, its subnet mask can be longer: an IP address with a longer subnet mask represents more logical networks/subnets, but fewer IP addresses can be allocated to hosts. Such an addressing scheme can save many IP addresses, which can then be used in other subnets. As shown in the above figure, a company plans its IP subnets with the class C address 192.168.1.0. The company has bought five routers. One router, which works as the gateway of the intranet, is connected to the local ISP. The other four routers are connected to four branch offices. Each office has 20 PCs, so each office needs 20 host addresses.
Page112
As shown in the above figure, 8 subnets are required. The 4 offices each need 21 IP addresses (including a router interface). The 4 network segments connected to the gateway each need 2 IP addresses. The number of IP addresses needed in every network segment is different, so VLSM can be used. The four office network segments adopt the subnet mask 255.255.255.224, with 3 bits for the subnet and 5 bits for hosts. This means at most 2^5 - 2 = 30 hosts can be included. The four network segments connecting the office routers and the gateway use 6 bits for the subnet and 2 bits for hosts, so at most 2 hosts can be included.


Page113
Classless Inter-Domain Routing (CIDR), defined by RFC 1817, does not adhere to the IP address classification. It can aggregate multiple routes into one, so as to minimize the size of the routing table and improve the scalability of the router. As shown in the above figure, some class C networks, 198.168.0.0-198.168.255.0, are allocated to the ISP. The ISP allocates the class C networks to user groups. At present, three class C networks have been allocated to user groups. If the CIDR technique is not used, the routing table of the ISP's router has three routes to the downlink network segments, and the router will advertise them to the routers on the Internet. With the CIDR technique, the three routes 198.168.1.0, 198.168.2.0, and 198.168.3.0 can be aggregated into the one route 198.168.0.0/16. Thus, the ISP's router advertises only the route 198.168.0.0/16 to the Internet, and the number of entries in the routing table is reduced. It should be noted that the network addresses aggregated by CIDR must share the same leading bits. As shown in the above figure, if the ISP is also connected to the network segment 172.178.1.0, then the route to that network segment cannot be aggregated with the others.
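The aggregation decision on this slide as an added example, not taken from the course notes: it computes the shortest prefix shared by a set of routes, checks whether they all fall inside the ISP's 198.168.0.0/16 block, and shows why 172.178.1.0 cannot be summarized with the three /24s. The prefixes are the slide's own values; Python's standard ipaddress module does the parsing.

```python
# Added example, not part of the course notes: CIDR route aggregation checks
# using only the Python standard library.
import ipaddress


def common_prefix_len(cidrs):
    """Number of leading bits shared by every network address in the list (0..32)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    ints = [int(n.network_address) for n in nets]
    shortest = min(n.prefixlen for n in nets)          # a summary can never be longer than this
    for length in range(shortest, 0, -1):
        mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
        if len({x & mask for x in ints}) == 1:          # all equal under this mask
            return length
    return 0


def summary_route(cidrs):
    """The single route covering all the given prefixes, as an aggregating router would advertise it."""
    length = common_prefix_len(cidrs)
    first = ipaddress.ip_network(cidrs[0])
    return str(first.supernet(new_prefix=length))


def exact_aggregates(cidrs):
    """Merge only adjacent, aligned prefixes, so no address space outside the input is announced."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def all_within(cidrs, block):
    """True when every prefix lies inside 'block' (for instance the ISP's own allocation)."""
    blk = ipaddress.ip_network(block)
    return all(ipaddress.ip_network(c).subnet_of(blk) for c in cidrs)


if __name__ == "__main__":
    customers = ["198.168.1.0/24", "198.168.2.0/24", "198.168.3.0/24"]
    print(summary_route(customers))                    # 198.168.0.0/22: smallest single summary
    print(exact_aggregates(customers))                 # ['198.168.1.0/24', '198.168.2.0/23']
    print(all_within(customers, "198.168.0.0/16"))     # True: the ISP may advertise its /16
    mixed = customers + ["172.178.1.0/24"]
    print(common_prefix_len(mixed), summary_route(mixed))   # 1 128.0.0.0/1: not a usable summary
```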
Page114
Page115
Address Resolution Protocol (ARP) is a broadcast protocol through which a host can dynamically find the MAC address corresponding to an IP address. Every host has an ARP cache, a mapping table between the IP addresses and physical addresses currently known to the host. When host A wants to send an IP packet to host B in the same LAN, it first looks up the ARP cache to find whether the IP address of host B is in the table. If so, the corresponding physical address is found, and the data packet is sent according to that physical address.
Sometimes, the IP address of host B cannot be found in the cache. This is possibly because host B has just joined the network, or because host A has just powered on and its ARP cache is empty. In this case, suppose host A needs to know the MAC address of host B. Host A sends an ARP Request to every host in the network segment by broadcast. The ARP Request contains the mapping of host A's own IP address to its MAC address, as well as the destination IP address that needs to be resolved. When the destination host B receives the request packet, it stores the mapping information of host A in its ARP cache and sends its own IP-to-MAC mapping back to host A. After host A receives the ARP Reply, it obtains the MAC address of host B. At the same time, host A puts the mapping information of host B into its ARP cache.
Page116
The function of Proxy ARP is to allow hosts or routers in different network segments to communicate. Usually, when a router R receives an ARP Request, it checks whether the requested destination address is its own: if so, an ARP Reply is sent; if not, the request packet is discarded.
However, if router R has the Proxy ARP function enabled, when it receives an ARP Request and finds that the destination address is not its own, router R does not discard the packet immediately. Instead, router R looks up its routing table; if there is a route to this destination, it sends its own MAC address to the requesting party. The requesting party then sends packets for this destination to router R, and router R forwards them further.

Page117
Gratuitous ARP: The host sends an ARP Request to find the MAC address corresponding to its own IP address. If there is no other host in the network with the same IP address, the host will not receive any reply. However, if the host receives a reply, it indicates that another host in the network is configured with the same IP address. Hence, an error message is written to the host's terminal log, indicating that a duplicate IP address is configured.
Functions of Gratuitous ARP:
1. By sending Gratuitous ARP packets, it can be confirmed whether there is an IP address conflict in the network. If the requesting party receives a reply to its Gratuitous ARP, it indicates that there is a device with a duplicate IP address.
2. Updating old hardware address information. If the host sending the Gratuitous ARP has just changed its hardware address, for example by changing its network card, the Gratuitous ARP can be used to update the old hardware address information held by other hosts. When the receiving party receives an ARP Request and this IP address already exists in its ARP table, the receiving party must update the old ARP entry using the address information in the new ARP Request.
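The ARP exchange of the last three slides (request by broadcast, unicast reply, cache update on both sides, and the gratuitous ARP conflict check) simulated in memory, as an added example that is not part of the course notes. The packet layout is the RFC 826 Ethernet/IPv4 format; host names, MAC and IP addresses are constructed sample values.

```python
# Added example, not part of the course notes: the ARP request/reply exchange, the per-host
# cache, and gratuitous ARP conflict detection. Hosts, MACs and IPs are constructed values.
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"        # RFC 826 layout for Ethernet/IPv4, 28 bytes


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP payload: hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6/4-byte addresses."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(data):
    if len(data) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP operation {op}")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class Host:
    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.cache = {}      # IP address -> MAC address mapping table (the ARP cache)
        self.log = []        # what the host's terminal log would record

    def learn(self, ip, mac):
        old = self.cache.get(ip)
        if old is not None and old != mac:
            # a changed hardware address replaces the old entry; log it, because an
            # unexpected change of a known mapping is worth an operator's attention
            self.log.append(f"{self.name}: mapping for {ip} changed {old} -> {mac}")
        self.cache[ip] = mac

    def receive(self, packet):
        """Process one ARP packet; return a reply payload to send back, or None."""
        p = parse_arp(packet)
        if p["sender_ip"] == self.ip and p["sender_mac"] != self.mac:
            # another station claims our IP address: answer so that it learns of the conflict
            self.log.append(f"{self.name}: duplicate IP {self.ip} in use by {p['sender_mac']}")
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["sender_ip"] in self.cache:
            self.learn(p["sender_ip"], p["sender_mac"])       # refresh an entry we already hold
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            self.learn(p["sender_ip"], p["sender_mac"])       # store the requester's mapping, then reply
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY and p["target_mac"] == self.mac:
            self.learn(p["sender_ip"], p["sender_mac"])       # the answer we asked for
        return None


def lan_resolve(requester, lan, target_ip):
    """Cache hit, or broadcast a request and take the unicast reply."""
    if target_ip in requester.cache:
        return requester.cache[target_ip]
    request = build_arp(ARP_REQUEST, requester.mac, requester.ip, ZERO_MAC, target_ip)
    for host in lan:
        if host is not requester:
            reply = host.receive(request)
            if reply is not None:
                requester.receive(reply)
    return requester.cache.get(target_ip)


def gratuitous_probe(host, lan):
    """Ask for our own IP; the MACs of any hosts that answer are address conflicts."""
    request = build_arp(ARP_REQUEST, host.mac, host.ip, ZERO_MAC, host.ip)
    conflicts = []
    for other in lan:
        if other is not host:
            reply = other.receive(request)
            if reply is not None:
                host.receive(reply)
                conflicts.append(parse_arp(reply)["sender_mac"])
    return conflicts
```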

Page118
Sometimes, RARP (Reverse Address Resolution Protocol) is needed when dealing with diskless workstations. Such equipment knows its own MAC address and needs to obtain an IP address. In order for RARP to work properly, at least one host in the LAN has to be the RARP server. In this example, the diskless workstation needs its own IP address. It broadcasts a RARP Request in the network. The RARP server receives this broadcast request and sends the reply. Thus, the diskless workstation obtains its IP address. As with ARP Requests, RARP Requests are sent using broadcasts, while ARP Replies and RARP Replies are usually forwarded as unicast packets.
Page119
Page120
The main function of a router is to interconnect different networks. Data must also be capable of being forwarded to the Internet.
Data forwarding: A router should have the ability to forward data packets according to their destination address.
Routing: In order to forward data packets, the router should have the ability to establish and update a routing table, and to forward data packets based on it.
Backup and traffic flow control: In order to guarantee the reliability of the network, the router usually has the ability to switch to a backup link and the function of traffic flow control.
Speed adapting: Different interfaces have different speeds; the router can adjust between them using its buffers and flow control protocols.
Isolating networks: The router can isolate broadcast domains and prevent broadcast storms. At the same time, it can apply flexible filter policies to data packets to guarantee network security.
Page121
Interconnecting heterogeneous networks: Presently, at least two kinds of network protocols can be implemented in a router to interconnect heterogeneous networks. For example, routers that support both ATM and FR interfaces can be considered routers that interconnect heterogeneous networks.


Page122
The slide shows the working process of a router:
At the physical layer, the packet is received by one of the router interfaces and is sent to the upper layer, which is the data link layer. The data link layer de-encapsulates the frame and passes it to the network layer based on the protocol field of the frame. The network layer first checks whether the packet is intended for the local host.
If so, the network layer encapsulation is removed and the packet is sent to the upper layer. If not, the router checks the routing table according to the destination address of the packet. If a route entry is found, the packet is sent to the data link layer of the corresponding port and, after data link layer encapsulation, the packet is sent out. If no route is found, the packet is discarded, and the relevant error information is sent to the source of the packet.

Page123
The ability to forward data packets comes from the routing table. Every router maintains a routing table, in which every route indicates the physical port of the router through which the destination subnet or host can be reached. The routing table includes the following key items:
Destination: Identifies the destination address or network of the IP packet.
Mask: Together with the destination address, identifies the network segment in which the destination host or router is located. After a logical AND of the destination address and the network mask, the network segment address in which the destination host or router is located is obtained.
Interface: Indicates through which interface of the current router the IP packet is to be forwarded.
Next Hop: Indicates the interface address of the next router through which the IP packet should pass.
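A routing table built from the four key items above, with the forwarding decision of the previous slide (local delivery, forward via interface and next hop, or drop as unreachable), as an added example that is not part of the course notes. The interface names, networks and next-hop addresses are constructed sample values.

```python
# Added example, not part of the course notes: a routing table holding Destination, Mask,
# Interface and Next Hop, with longest-prefix lookup and the forwarding decision.
# Interface names, addresses and next hops are constructed sample values.
from dataclasses import dataclass
from typing import Optional


def ip_to_int(ip):
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class Route:
    destination: str                 # destination network
    mask: str                        # together with destination: the network segment
    interface: str                   # outgoing interface of this router
    next_hop: Optional[str] = None   # None: directly connected, deliver to the destination itself

    def __post_init__(self):
        m = ip_to_int(self.mask)
        ones = bin(m).count("1")
        if ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF) != m:
            raise ValueError(f"mask {self.mask} is not a run of 1s followed by 0s")

    @property
    def prefix_len(self):
        return bin(ip_to_int(self.mask)).count("1")

    def matches(self, dst_ip):
        """AND the destination with the mask and compare network segments."""
        m = ip_to_int(self.mask)
        return (ip_to_int(dst_ip) & m) == (ip_to_int(self.destination) & m)


class RoutingTable:
    def __init__(self, routes):
        # longest mask first, so the most specific matching entry wins
        self.routes = sorted(routes, key=lambda r: r.prefix_len, reverse=True)

    def lookup(self, dst_ip):
        for route in self.routes:
            if route.matches(dst_ip):
                return route
        return None


def forward(table, dst_ip, local_ips):
    """('local', None, None), ('forward', interface, next hop) or ('unreachable', None, None)."""
    if dst_ip in local_ips:
        return ("local", None, None)
    route = table.lookup(dst_ip)
    if route is None:
        # no route: the packet is dropped and an ICMP error goes back to the source
        return ("unreachable", None, None)
    return ("forward", route.interface, route.next_hop or dst_ip)


SAMPLE_TABLE = RoutingTable([
    Route("192.168.1.0", "255.255.255.0", "GE0/0/1"),                 # connected LAN
    Route("10.0.0.0", "255.0.0.0", "GE0/0/2", "192.168.1.254"),
    Route("10.1.0.0", "255.255.0.0", "GE0/0/3", "192.168.1.253"),     # more specific than 10/8
])

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.2.2.3", "192.168.1.77", "172.16.5.1"):
        print(dst, forward(SAMPLE_TABLE, dst, {"192.168.1.1"}))
```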

Page124
1. What is IP address classification?
IP addresses are divided into Classes A, B, C, D and E. Among them, Class D is the multicast address range and Class E is reserved. Classes A, B and C each have their own private address space.
2. What is the function of ARP/RARP?
ARP stands for Address Resolution Protocol, which is used to resolve the MAC address corresponding to an IP address; RARP stands for Reverse Address Resolution Protocol, which is used to resolve the IP address corresponding to a MAC address.
3. What is the principal function of a router?
At the physical layer, the packet is generally received by one of the router interfaces and is sent to the upper layer, namely the data link layer. The data link encapsulation is removed and, according to the protocol field of the frame, the packet is sent to the network layer. The network layer first checks whether the packet is intended for the local host. If so, the network layer encapsulation is removed and the packet is sent to the upper layers. If not, the router checks the routing table according to the destination address of the packet. If a route entry is found, the packet is sent to the data link layer of the corresponding interface and, after data link layer encapsulation, the packet is forwarded. If no route is found, the packet is discarded, and the relevant error
Page125
information would be sent to the packet's source.
Page126
Page127
Page128
Page129
Page130
TCP provides a reliable, connection-oriented service for applications. The reliability of TCP is guaranteed through the following aspects:
Connection-oriented transport: In TCP, before either end of the link begins to transfer data, the connection between the two parties must be established.
MSS: In TCP, it indicates the maximum length of data segment that can be sent to the other end of the link. After the connection is established, the two parties should each advertise their own MSS, to use the bandwidth more efficiently.
Transmission acknowledgement mechanism: In TCP, after a segment is transmitted, a timer is started while waiting for the acknowledgement from the receiver; if the acknowledgement is not received before the timer expires, the segment is retransmitted.
Header and data checksum: TCP maintains a checksum over the header and data, which is an end-to-end check. Its purpose is to detect any change in the data during transmission. If the checksum of a segment is wrong, the segment is discarded by the TCP receiver and no acknowledgement is returned. Hence, the TCP retransmission mechanism is triggered.
Page131
Flow control: Both ends of the TCP connection have a buffer of fixed size. The sender may only send an amount of data less than the size of the receiver's buffer. This mechanism prevents the situation in which the buffer is overloaded because of the speed difference between the two hosts.


Page132
TCP uses IP as its network layer protocol, and the TCP segment is encapsulated in an IP packet.
A TCP segment is made up of two parts, the TCP header and the TCP data. If there is no option field, the header length is 20 bytes.
The TCP header includes the fields shown in the slide. Some of the fields are explained below:
16-bit source port number: TCP allocates a source port number for the source application.
16-bit destination port number: The port number of the destination application.
Source and destination port: Every TCP segment includes the source and destination port numbers, used to identify the sending and receiving applications. These two numbers, together with the source and destination IP addresses in the IP header, uniquely identify a TCP connection.
Sequence number: A 32-bit number that identifies where the encapsulated data fits within the data stream from the sender.
Page133
Acknowledgment number: A 32-bit field that identifies the sequence number the source next expects to receive from the destination. The acknowledgement number is the last received data sequence number plus one.
4-bit header length: Indicates the length of the header in units of 32 bits.
Window size: A 16-bit field used for flow control. It indicates the number of bytes the receiver is prepared to receive. Because this field is 16 bits, the maximum window size is 65535 bytes.
Checksum: 16 bits, covering both the header and the encapsulated data, allowing error detection.

Page134
TCP is a full-duplex transmission protocol which is reliable and connection-oriented. The reliability of TCP is guaranteed by several methods. One of them is to establish the connection before sending any data.
The TCP connection is established through the three-way handshake procedure:
1. The requesting end (or client) sends a segment with the SYN flag, indicating the client's wish to connect to the port of the server, with initial sequence number (ISN) a.
2. The server replies with a SYN segment with sequence number b. At the same time, the acknowledgement number is set to a+1 to acknowledge the SYN segment of the client.
3. The client sends an acknowledgement segment with the acknowledgement number set to b+1 to acknowledge the SYN segment of the server. The TCP connection is then established.




Page135
As mentioned before, TCP is a full-duplex transport layer protocol. Full-duplex means that the two ends of the connection can transmit and receive data at the same time. Thus, the two parties must each terminate the connection individually. While the TCP connection is established through the three-way handshake procedure, the TCP connection is terminated through a four-way handshake procedure:
1. The requesting end (or client) sends a segment with the FIN flag, indicating the client's wish to terminate the connection, with sequence number a.
2. The server sets the acknowledgement number to a+1 to acknowledge the FIN segment of the client.
3. The server in turn sends a FIN segment with sequence number b and acknowledgement number a+1.
4. The client sends an acknowledgement segment with the acknowledgement number set to b+1.
The TCP connection is then terminated.
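The three-way handshake and the four-way termination of these two slides as a small state machine, an added example that is not part of the course notes: each side tracks its next sequence number and the acknowledgement it owes, and rejects an ACK that does not name exactly the next byte it would send. The initial sequence numbers are constructed values; the slides' "a" and "b" are whatever each side's current sequence number is at that step.

```python
# Added example, not part of the course notes: TCP connection setup and teardown as a state
# machine driven by SYN/ACK/FIN segments. ISNs are constructed values; the state names are the
# standard TCP ones (LISTEN, SYN_SENT, ..., TIME_WAIT).
SYN, ACK, FIN = 0x02, 0x10, 0x01


class TcpEndpoint:
    def __init__(self, name, isn):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn        # next sequence number this side will send
        self.rcv_nxt = None       # next sequence number expected from the peer (our ack number)

    def _send(self, flags, consume=0):
        segment = {"from": self.name, "flags": flags, "seq": self.snd_nxt, "ack": self.rcv_nxt}
        self.snd_nxt += consume   # a SYN or FIN occupies one sequence number, a pure ACK none
        return segment

    def listen(self):
        self.state = "LISTEN"

    def connect(self):
        """Handshake step 1: SYN carrying the initial sequence number a."""
        self.state = "SYN_SENT"
        return self._send(SYN, consume=1)

    def close(self):
        """Termination step 1 (active close) or step 3 (the passive side's own FIN)."""
        if self.state == "ESTABLISHED":
            self.state = "FIN_WAIT_1"
        elif self.state == "CLOSE_WAIT":
            self.state = "LAST_ACK"
        else:
            raise ValueError(f"{self.name}: cannot close from {self.state}")
        return self._send(FIN | ACK, consume=1)

    def receive(self, segment):
        """Handle one segment; return the segment to send back, or None."""
        flags = segment["flags"]
        if flags & ACK and segment["ack"] != self.snd_nxt:
            # an ACK must name exactly the next byte we would send; anything else is not for us
            raise ValueError(f"{self.name}: ack {segment['ack']} does not match snd_nxt {self.snd_nxt}")
        if flags & SYN:
            self.rcv_nxt = segment["seq"] + 1
            if self.state == "LISTEN":                          # step 2: SYN+ACK, ack = a+1
                self.state = "SYN_RCVD"
                return self._send(SYN | ACK, consume=1)
            if self.state == "SYN_SENT" and flags & ACK:        # step 3: ACK, ack = b+1
                self.state = "ESTABLISHED"
                return self._send(ACK)
            raise ValueError(f"{self.name}: unexpected SYN in {self.state}")
        if flags & FIN:
            self.rcv_nxt = segment["seq"] + 1
            if self.state == "ESTABLISHED":                     # termination step 2: ack the peer's FIN
                self.state = "CLOSE_WAIT"
            elif self.state == "FIN_WAIT_2":                    # termination step 4: ack the peer's FIN
                self.state = "TIME_WAIT"
            else:
                raise ValueError(f"{self.name}: unexpected FIN in {self.state}")
            return self._send(ACK)
        if flags & ACK:                                         # a pure acknowledgement
            transitions = {"SYN_RCVD": "ESTABLISHED", "FIN_WAIT_1": "FIN_WAIT_2", "LAST_ACK": "CLOSED"}
            self.state = transitions.get(self.state, self.state)
            return None
        raise ValueError(f"{self.name}: segment without SYN, FIN or ACK")


def exchange(first, sender, receiver):
    """Deliver a segment and keep delivering the replies until one side has nothing to send."""
    trace, segment, dst = [], first, receiver
    while segment is not None:
        trace.append(segment)
        segment = dst.receive(segment)
        dst = sender if dst is receiver else receiver
    return trace


def handshake(client, server):
    """Three segments: SYN, SYN+ACK, ACK."""
    server.listen()
    return exchange(client.connect(), client, server)


def terminate(client, server):
    """Four segments: client FIN, server ACK, server FIN, client ACK."""
    return exchange(client.close(), client, server) + exchange(server.close(), server, client)
```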
Page136
Multiplexing means that the same transport layer connection is used by multiple applications to transmit data. The data is divided into different segments by the transport layer according to the different applications, and the segments are sent based on the FIFO rule. These segments may have the same or different destinations.
Suppose two servers, www.huawei.com and ftp.huawei.com, are sending data packets to a destination host at the same time. The following is the end-to-end communication procedure at the transport layer. When the www and ftp applications are called, the server allocates a port number for every application. (Note: this port number is different from the physical port of network equipment. It is a virtual interface between the application and the transport layer protocol.) The segments are then created.
Page137
In the transport layer, a session connection should be established between the server and the host. (Note: it is a virtual connection, not a physical one.) In order to begin the data transmission, the two applications on the server and the terminal host inform their own operating systems to initialize the connection. After the virtual end-to-end connection is established, data transmission can begin.
During transmission, the server and the host continue to communicate using their protocol software, to check whether the data has been correctly received.
After the terminal equipment receives the data flow, it sorts the data so that the transport layer can deliver the data flow to the host correctly.
After the data transmission is finished, the two parties negotiate to terminate the virtual link.

Page138
MSS (Maximum Segment Size) indicates the maximum size of segment that can be sent to the other end of the connection. When a connection is established, both ends should advertise their own MSS. The default value of the MSS is 536 bytes, so the allowable length of the IP packet is 576 bytes (536 + 20-byte IP header + 20-byte TCP header).
Through the negotiation of the MSS, network resources can be used more efficiently and network performance can be improved.

Page139
The reliability of TCP is guaranteed by the acknowledgement mechanism, which ensures correct data transmission from the source equipment to the destination. The acknowledgement mechanism works as follows:
When the destination equipment receives the data packets sent by the source equipment, it replies with an acknowledgement to the sender; if the sender receives the acknowledgement, it continues to send data packets. However, if the sender does not receive the acknowledgement after a period of time (a timer is started by the sender when the data is sent), the sender decreases the transmission speed and retransmits the packets in question.
As the slide shows, a virtual end-to-end link is established between the source and destination equipment, and data packets are sent. The source equipment sends 3 data packets (1, 2, 3) to the destination at one time. After the destination equipment receives the data packets, it acknowledges them with the sequence number of the fourth data packet, which is 4.
Page140
When the source equipment receives the acknowledgement, it continues to send another three data packets (4, 5, 6). As the example shows, because the destination equipment has not received the fourth data packet correctly, the destination equipment still uses acknowledgement number 4 as the reply. Hence, the fourth data packet is retransmitted by the source equipment. After the destination equipment receives the fourth data packet and acknowledges it with acknowledgement number 7, the next three data packets can be sent.
Page141
TCP sliding window technology is able to control the data flow between two hosts by dynamically changing the window size. Every TCP/IP host supports full-duplex data transmission, so there are 2 sliding windows in TCP: one is used for receiving, the other for sending. What's more, TCP uses positive acknowledgement, in which the acknowledgement number refers to the next expected byte.
Shown above is an example of sending in a single direction, which introduces how the sliding window achieves flow control.
The server sends the client 4 segments of 1024 bytes, and the window size of the sender is 4096 bytes. The receiver acknowledges with ACK 4097 and modifies the window size to 2048 bytes. This means the client (receiver) only has 2048 bytes of buffer space. Therefore, the sender changes its sending rate and sends 2048 bytes of segments, which the receiver can accommodate.
The sliding window mechanism provides a reliable flow control method for data transmission between end devices. However, the sliding window mechanism only takes effect on the source and destination devices. When there is congestion at intermediate devices (such as routers), the sliding window is of no use. Thus the ICMP source quench mechanism could be used in congestion management.
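The acknowledgement, retransmission and window behaviour of the last three slides simulated in memory, as an added example that is not part of the course notes. Segment size, receiver buffer, the application's read rate and the lost segment are parameters, so both the numbered-packet example (packets 1 to 6, acknowledgements 4, 4 and 7) and the 1024-byte example (ACK 4097, window 2048) can be reproduced; the loss is constructed, not taken from a capture.

```python
# Added example, not part of the course notes: cumulative ACKs, timer-driven retransmission and
# the receiver-advertised window, in a sender/receiver simulation with a configurable lost segment.

class Receiver:
    def __init__(self, buffer_size, lose_once=()):
        self.rcv_nxt = 1                 # next byte expected: the positive acknowledgement
        self.buffer_size = buffer_size
        self.unread = 0                  # in-order bytes waiting for the application
        self.out_of_order = {}           # seq -> length, arrived ahead of a gap
        self.lose_once = set(lose_once)  # sequence numbers dropped the first time (simulated loss)

    def receive(self, seq, length):
        if seq in self.lose_once:
            self.lose_once.remove(seq)   # the segment never arrives; nothing to acknowledge
            return
        if seq + length <= self.rcv_nxt:
            return                       # duplicate of data already delivered
        if seq == self.rcv_nxt:
            self.rcv_nxt += length
            self.unread += length
            while self.rcv_nxt in self.out_of_order:          # a gap was filled: absorb buffered data
                filled = self.out_of_order.pop(self.rcv_nxt)
                self.rcv_nxt += filled
                self.unread += filled
        else:
            self.out_of_order[seq] = length

    def read(self, n):
        """The application consumes data, which frees buffer space and opens the window."""
        self.unread -= min(n, self.unread)

    def ack(self):
        """(acknowledgement number, advertised window): what the receiver sends back."""
        free = self.buffer_size - self.unread - sum(self.out_of_order.values())
        return self.rcv_nxt, max(free, 0)


class Sender:
    def __init__(self, total_bytes, seg, window):
        self.seg = seg
        self.snd_una = 1                 # oldest unacknowledged byte
        self.snd_nxt = 1                 # next new byte to send
        self.end = total_bytes + 1
        self.window = window             # receiver's advertised window

    def send_burst(self):
        """New segments while the unacknowledged data stays within the advertised window."""
        burst = []
        while self.snd_nxt < self.end and self.snd_nxt + self.seg - self.snd_una <= self.window:
            burst.append((self.snd_nxt, self.seg))
            self.snd_nxt += self.seg
        return burst

    def retransmit(self):
        """Timer expiry: resend the oldest unacknowledged segment."""
        if self.snd_una == self.snd_nxt:
            raise RuntimeError("zero window with nothing in flight; a real stack would probe the window")
        return (self.snd_una, self.seg)

    def on_ack(self, ack, window):
        if ack > self.snd_una:
            self.snd_una = ack           # cumulative: everything before ack is confirmed
        self.window = window


def simulate(total_segments, seg, rx_buffer, app_read, lose=()):
    """One round = a burst (or a retransmission), delivery, an application read, one ACK back.
    Returns [(sequence numbers sent, ack number, advertised window), ...]."""
    tx = Sender(total_segments * seg, seg, window=rx_buffer)
    rx = Receiver(rx_buffer, lose_once=lose)
    trace = []
    while tx.snd_una < tx.end:
        burst = tx.send_burst() or [tx.retransmit()]
        for seq, length in burst:
            rx.receive(seq, length)
        rx.read(app_read)
        ack, window = rx.ack()
        trace.append(([seq for seq, _ in burst], ack, window))
        tx.on_ack(ack, window)
    return trace


if __name__ == "__main__":
    for step in simulate(total_segments=9, seg=1, rx_buffer=3, app_read=3, lose=(4,)):
        print(step)     # ([1, 2, 3], 4, 3) ([4, 5, 6], 4, 1) ([4], 7, 3) ([7, 8, 9], 10, 3)
    for step in simulate(total_segments=6, seg=1024, rx_buffer=4096, app_read=2048):
        print(step)     # ([1, 1025, 2049, 3073], 4097, 2048) ([4097, 5121], 6145, 2048)
```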
Page142
Page143
UDP provides a connectionless service for applications, so there is no need to establish a connection before communication takes place between source and destination, as there is with TCP. Besides, because UDP is a connectionless transport protocol, it is not necessary to maintain connection state or sending/receiving state. So a server is capable of simultaneously sending the same message to multiple clients.
UDP is suitable for applications that require "best-effort" transmission and whose reliability is provided by the application layer. For example, the RADIUS protocol, which is commonly used in authentication and accounting, and the RIP protocol are both based on UDP.
Page144
UDP, like TCP, also uses IP as its network layer protocol. The UDP segment is encapsulated in an IP packet. Since UDP does not provide reliable transmission like TCP, its segment format is relatively simple.
The UDP header is made up of the following fields:
16-bit source port number: the source port number of the source application.
16-bit destination port number: the port number of the destination application.
16-bit UDP length: the length of both the UDP header and the UDP data. The minimum value is 8.
16-bit UDP checksum: this field provides the same function as the TCP checksum, but it is optional.
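Packing and parsing the TCP header described on the earlier slides and the UDP header described here, including the checksum both compute over a pseudo-header plus the segment, as an added example that is not part of the course notes. It shows the 4-bit header length counting 32-bit words, detects a corrupted payload or a mismatched source address, and handles the UDP rule that a zero checksum means "not used". Addresses, ports and payloads are constructed sample values.

```python
# Added example, not part of the course notes: build and parse TCP and UDP headers and verify
# the internet checksum (RFC 1071) over pseudo-header plus segment. Sample values are constructed.
import struct

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FMT, UDP_FMT = "!HHIIBBHHH", "!HHHH"
FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def internet_checksum(data):
    """One's complement of the one's complement sum of the 16-bit words of data."""
    if len(data) % 2:
        data += b"\x00"                          # odd length: pad with a zero byte for the sum only
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold the carries back in
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, proto, length):
    """Source IP, destination IP, zero, protocol, TCP/UDP length: binds the checksum to the addresses."""
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, proto, length)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """20-byte header (data offset 5, no options) followed by the payload, checksum filled in."""
    def header(csum):
        return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, csum, 0)
    segment = header(0) + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment)
    return header(csum) + payload


def parse_tcp(src_ip, dst_ip, segment):
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(TCP_FMT, segment[:20])
    header_len = (off_res >> 4) * 4             # the 4-bit field counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"invalid data offset {off_res >> 4}")
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_TCP, len(segment)) + segment) == 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": header_len,
            "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "window": window, "checksum_ok": ok, "payload": segment[header_len:]}


def build_udp(src_ip, dst_ip, sport, dport, payload=b""):
    length = 8 + len(payload)                   # header plus data, minimum 8
    datagram = struct.pack(UDP_FMT, sport, dport, length, 0) + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + datagram)
    if csum == 0:
        csum = 0xFFFF                           # 0 means "no checksum" in IPv4 UDP, so send all ones
    return struct.pack(UDP_FMT, sport, dport, length, csum) + payload


def parse_udp(src_ip, dst_ip, datagram):
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    sport, dport, length, csum = struct.unpack(UDP_FMT, datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"invalid UDP length {length}")
    if csum == 0:
        ok = None                               # optional field not used: nothing to verify
    else:
        ok = internet_checksum(pseudo_header(src_ip, dst_ip, PROTO_UDP, length) + datagram[:length]) == 0
    return {"sport": sport, "dport": dport, "length": length, "checksum_ok": ok,
            "payload": datagram[8:length]}


if __name__ == "__main__":
    syn = build_tcp("192.168.1.7", "198.168.1.10", 49152, 80, 1000, 0, 0x02, 65535)
    print(parse_tcp("192.168.1.7", "198.168.1.10", syn))
    print(parse_udp("10.0.0.1", "10.0.0.2", build_udp("10.0.0.1", "10.0.0.2", 1812, 1812, b"radius")))
```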
Page145
As shown above, the picture compares the TCP protocol with the UDP protocol. The conclusion from the comparison is that TCP is suitable for high-reliability services, while UDP is suitable for speed-sensitive services.
As UDP provides a connectionless service, it requires the upper layer to provide the error detection and retransmission mechanisms.
Page146
1. How does TCP establish and terminate a connection?
Connections are established in TCP by means of the three-way handshake procedure. TCP connections are full-duplex: both of the two ends which establish the connection send their own terminate request and wait for the acknowledgement, so that in all there are four steps when terminating a connection.
2. How does TCP provide reliability?
TCP provides transmission reliability by the sequence number and ACK mechanisms. By using sequence numbers, both ends clearly know the sending and receiving status of the data segments. The ACK mechanism guarantees transmission reliability, ensuring that the data flow arrives at the destination correctly from the source.
3. What is the purpose of TCP sliding window technology?
TCP sliding window technology adjusts data transmission between two hosts by dynamically modifying the window size. The sliding window mechanism provides a reliable flow control method for data transmission between end devices.
The ping command is a common way to check the IP connectivity of the network and the connection to a host. The ping command uses a series of Internet Control Message Protocol (ICMP) messages to check whether the destination is reachable, the communication delay, and the packet loss ratio. Ping is a process in which the device sends a request and waits for a response. The device that runs the ping command sends an Echo message to the destination and then waits for a response. If the Echo message reaches the destination and an Echo Reply message is returned to the source within the specified period, the device can ping through to the peer. If the source does not receive the Echo Reply message, the Request timed out message is displayed. In this example, the following command is typed on the PC:
ping 1.1.1.1
This sends the Echo message to address 1.1.1.1 to test connectivity.
Besides the basic command, ping provides various optional parameters, for example -a and -i. -a source-ip-address: sets the source IP address that sends the ICMP ECHO REQUEST message. -i interface-type interface-number: sets the interface that sends the ICMP ECHO REQUEST message. In this example, the ping -a 1.1.1.2 1.1.1.1 command can also be used.
ICMP is an important part of the network layer. IP does not provide reliability, so by itself a device cannot obtain network fault information. By using ICMP, the device can obtain information about network faults.
ICMP can carry error, control and query information. ICMP packets are encapsulated in IP packets, with the value of the protocol field set to 1. Some upper-layer applications use ICMP, for example ping and Tracert.
The ICMP packet uses the basic IP header, namely 20 bytes, and is encapsulated in the IP packet. An ICMP error message also carries the IP header of the datagram that caused it plus the first 64 bits of that datagram's data, so that the sender can match the error to the original datagram.
The ICMP packet consists of the Type, Code, Checksum, and unused fields. The formats of the messages vary with the message type; the details are omitted here.
Type: indicates the type of the ICMP message.
Code: within one ICMP message type, the code distinguishes messages with different meanings.
For example, the Destination Unreachable message, whose Type value is 3, contains the following four kinds of messages:
0 = net unreachable
1 = host unreachable
2 = protocol unreachable
3 = port unreachable
Checksum: contains 16 bits.
Unused: this field is not in use and its value is 0.
ICMP provides various message types. The following are commonly used:
0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
Some messages are used in pairs. For example, the Echo Reply message is the response to the Echo message. Messages of the same type can carry different information. The following describes the message types and formats.
Tracert is used to check the path from the source node to the destination node. Each router the packet traverses deducts 1 from the TTL value of the packet; when the TTL value becomes 0, the router reports a TTL timeout.
Tracert first sends a packet whose TTL value is 1, so the first hop returns an ICMP error message notifying that the packet cannot be forwarded because the TTL has expired. Tracert then sends a packet whose TTL is 2, and the second hop returns the same message. Tracert keeps sending such packets until one reaches the destination. The packet uses an invalid port number (33434 by default), so the destination host returns an ICMP port unreachable message, which tells Tracert that the operation is complete.
Tracert records the source address of each ICMP error message and can therefore list the IP addresses of the gateways through which the user's packets pass.
Tracert can also be used to test connectivity. When a fault occurs on the network, it can be located according to the path displayed by Tracert.
Ping and Tracert are used as an example here. Both methods can test whether RTA and interface 3.3.3.3 of RTC can communicate.
As shown in the displayed information, the ping command directly shows whether RTC is reachable, while Tracert displays the forwarding path in detail: the packet reaches 10.1.1.2, then 10.2.2.2, and finally 3.3.3.3. In addition, the tracert command can locate a fault. In this example, if the displayed information is as follows, it indicates that the packet can be sent to the next hop 10.1.1.2 but cannot be forwarded by that router, so the fault lies between this router and the destination.
[RTA]tracert 3.3.3.3
traceroute to 3.3.3.3(3.3.3.3) 30 hops max,40 bytes packet
1 10.1.1.2 31 ms 31 ms 32 ms
2 * * *
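As an added example that is not part of the Huawei course material, the following Python simulates the Tracert procedure of the preceding pages on a constructed path: it builds the ICMP Time Exceeded (type 11) and port unreachable (type 3, code 3) replies with their checksum, decodes them using the message-type table given earlier, and reproduces the "* * *" fault case when a hop stops answering. The hop addresses reuse the lab figure; the probe contents and the forward()/tracert() helpers are this example's own assumptions.

```python
# Added example (not from the course material): Tracert over a simulated path.
import struct

TRACERT_PORT = 33434  # default invalid destination port used by Tracert
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp", 14: "Timestamp Reply"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     2: "protocol unreachable", 3: "port unreachable"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used by the ICMP Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, quoted: bytes) -> bytes:
    """Type, Code, Checksum and the 32-bit unused field, followed by the quoted
    IP header + first 64 bits of the datagram that triggered the error."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header, verify the checksum and name the type/code."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", packet[:8])
    name = ICMP_TYPES.get(icmp_type, "unknown type %d" % icmp_type)
    if icmp_type == 3:
        name += " (%s)" % UNREACHABLE_CODES.get(code, "code %d" % code)
    return {"type": icmp_type, "code": code, "name": name, "quoted": packet[8:]}


def forward(path, ttl: int, probe: bytes):
    """Carry one probe along the path. path is a list of (address, answers) pairs
    whose last entry is the destination; a hop with answers=False drops the probe
    silently. Returns (replying address, ICMP bytes), or None when nothing replies."""
    destination = path[-1][0]
    for address, answers in path:
        if not answers:
            return None  # probe lost: the source only sees a timeout
        ttl -= 1  # every router deducts 1 from the TTL
        if address == destination:
            # Nothing listens on port 33434, so the host answers port unreachable.
            return address, build_icmp(3, 3, probe)
        if ttl == 0:
            return address, build_icmp(11, 0, probe)  # TTL expired at this router
    return None


def tracert(path, max_hops: int = 30):
    """Send probes with TTL 1, 2, ... and return (hop, address, reply) tuples,
    the information the CLI prints as one line per hop."""
    hops = []
    # Constructed stand-in for the quoted UDP header (source port, port 33434)
    # plus padding; a real router quotes the IP header and first 64 data bits.
    probe = struct.pack("!HH", 40000, TRACERT_PORT) + b"\x00" * 8
    for ttl in range(1, max_hops + 1):
        reply = forward(path, ttl, probe)
        if reply is None:
            hops.append((ttl, None, "* * *"))
            break  # simplification: stop at the first silent hop, as in the fault example
        address, packet = reply
        info = parse_icmp(packet)
        hops.append((ttl, address, info["name"]))
        if info["type"] == 3:  # port unreachable came from the destination: done
            break
    return hops


if __name__ == "__main__":
    # Constructed paths matching the lab figure: RTA -> 10.1.1.2 -> 10.2.2.2 -> 3.3.3.3
    healthy = [("10.1.1.2", True), ("10.2.2.2", True), ("3.3.3.3", True)]
    faulty = [("10.1.1.2", True), ("10.2.2.2", False), ("3.3.3.3", True)]
    for label, path in (("healthy", healthy), ("faulty", faulty)):
        print(label)
        for hop, address, reply in tracert(path):
            print(" %d %s %s" % (hop, address or "*", reply))
```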

Telnet is used for remote access. The user can log in to a remote server through Telnet. The transport protocol used by Telnet is TCP and the port number is 23. The telnet command is as follows:
telnet 192.168.1.22 23
192.168.1.22: IP address of the router acting as the server.
23: port number. The default value is 23 and it can be omitted. If the port number is not 23, the user must enter the port number. For the detailed operation of Telnet-based access to a device, refer to the basic configuration of VRP.
FTP is an Internet standard for file transfer. It uses two TCP connections to transfer a file: one is the control connection and the other is the data connection. FTP uses different TCP ports according to the port mode, Port or Passive. In the past, the default client mode was Port. In recent years, Passive mode has become widely used because Port mode is not secure (it is easy to attack). In Port mode, FTP uses two default port numbers, 20 and 21: port 20 is used to transfer data, and port 21 is used to transfer commands.
VRP routers can act as the FTP client or the FTP server. In this example, the PC functions as the FTP client to log in to the FTP server through FTP. The PC runs the FTP program, the system displays the login dialog box requesting the user name and password, and then the user can log in.
If the VRP router needs to download a file from a remote server, it can act as the FTP client to access files on the FTP server. Enter ftp followed by the IP address of the remote server in the VRP system view. The user is prompted to enter the user name and password. Then the prompt changes to [FTP], which indicates that the user has logged in successfully.
Get and Put are the two operations performed on files. Get downloads files from the server, while Put uploads files to the server. In this example, the Get vrp.cc vrp1 command downloads the vrp.cc file and saves it as vrp1.
The Trivial File Transfer Protocol (TFTP) is used when the user needs to transfer files between server and client and complex interaction is not required. TFTP uses UDP and the port number is 69. The VRP router can act only as the TFTP client, to download files from the TFTP server.
1. What are the functions of Ping and Tracert?
Both test the connectivity of the network. Ping provides options to satisfy test requirements, for example specifying the source IP address and source port. Tracert obtains the forwarding path of packets; it can also be used to judge the distance to a destination.
2. What is the format of the ICMP packet?
The ICMP packet adopts the basic IP header (20 bytes) and is encapsulated in the IP packet. The ICMP packet consists of the Type, Code, Checksum, and unused fields. The formats vary with the message type.
3. What is the difference between FTP and TFTP?
FTP is based on TCP, while TFTP is based on UDP. TFTP is a simple file transfer protocol and is applicable to read-only memory. FTP is designed for file transfer with high throughput. FTP can control access with a user name and password, while TFTP cannot. The router can act as both FTP client and FTP server, while for TFTP it supports only the client.
Module 2
Routing
VRP is the network operating system used by Huawei's routing and switching products. VRP serves as the general software platform of all Huawei network devices and provides TCP/IP routing services. Currently version 5.9 is used for many products.
VRP adopts a componentized architecture: VRP is made up of five planes, GCP, SCP, DFP, SMP and SSP.
For example, GCP is the General Control Plane; it supports internet protocols such as IPv4 and IPv6. The protocols and functions that GCP supports include SOCKET, TCP/IP, route management, routing protocols and so on. VRP only needs to add or delete the corresponding planes to fit different switch or router functionality.
At present, Huawei's routers and switches support three configuration modes, two of which are listed as follows:
Local configuration through the Console port.
Local or remote configuration through Telnet.
You can build a configuration environment only through the Console port in the following two situations:
(1) The router is powered on for the first time and has only the default configuration.
(2) You can directly connect to the device.
The procedure for configuring a router through the Console port is as follows:
Procedure 1: Connect the console cable.
(1) Connect the RJ45 connector to the Console port of the router.
(2) Connect the 9-pin or 25-pin RS232 connector to the serial port (COM) of the computer.
Procedure 2: Create the super terminal.
(1) Run the terminal emulation program, for example, Super Terminal of Windows XP, on the PC.
(2) Click Start > Program > Communication > Super Terminal.
(3) Input any characters as the name after New Connection appears, choose a COM connection and click OK; a page as shown above then appears. Configure the port settings in accordance with the image, then click OK.
If it is not the first time the router is powered on and you cannot directly connect to the router's console port, it may be possible, depending on the current device configuration, to use Telnet to access the device. There are two methods you may use to configure the router: either Telnet directly to the router from a PC through the local network, or use a console connection from a PC to a router (e.g. router1) and then Telnet from this router to another router. A device running the VRP operating system can serve as a Telnet client.
For the PC to reach the Telnet server using Telnet, two conditions must be met:
1. The client and the server must be able to communicate.
2. The server is configured to allow clients to establish a session with the Telnet service.
In the example given, the configuration shown is that of the router acting as the Telnet server. The initial step requires configuration of the router's Ethernet interface, to make sure the client and the server (router) can communicate. The second step involves configuration of the VTY interface, including selecting password mode as the authentication mode for Telnet and setting the user permission level.
After accessing the router, the user is given the prompt of the user view. From here the user can switch to the system view by entering the system-view command. It is then possible to enter the views of other services by running the corresponding commands in the system view. The commands that can be run in the different views are listed in the graphic.
When accessing the device for the first time, all users start in the user view, from which they can switch to the system view using the system-view command. The system view can be switched back to the user view by entering the quit command. It is possible to return to the user view from any view by entering the return command or by using the key combination <Ctrl+Z>.
For example:
#Enter the system view from the user view.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z
#Enter the interface view from the system view.
[Huawei]interface Serial 0/0/0
[Huawei-Serial0/0/0]
#Return to the system view from the interface view.
[Huawei-Serial0/0/0]quit
[Huawei]
#Return to the user view from the system view.
[Huawei]return
<Huawei>
In this example, by using the ? command it is possible to obtain a brief listing of all the commands at a given level. All levels support this command to display the possible completions. Another use of this command allows completion based on matches to a partial entry. If only the first letter of a command can be recalled, ? can be appended as shown in the example above, in order to obtain all the commands with the same matching prefix, in this case the same first letter.
The command line interface automatically stores the commands input by users, so that users can recall previously used commands at any time and as often as needed. By default, the command line interface keeps records of up to 10 commands for a user.
display history-command:
Displays the commands that a user has input.
Up-arrow key or <Ctrl+P>:
Displays the earlier record if there is one; otherwise the alarm sounds.
Down-arrow key or <Ctrl+N>:
Displays the next record if there is one; otherwise the command line is cleared and the alarm sounds.
When you use the command record function, note the following:
(1) The format of the command records kept by VRP follows the format of the commands input by users. If a command input by a user is not in complete form, the record kept by VRP is not in complete form either.
(2) If a command is run by a user many times, VRP keeps only the first run of this command as a record. If a command is run in different formats several times, the runs are treated as different commands. For example, if you run the display ip routing-table command several times, VRP keeps it as only one record. If you run disp ip routing and display ip routing-table, VRP keeps them as two records.
Do the following to change the name of a router:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sysname Router1
[Router1]
Some services require time synchronization with other devices, often as a security measure, and therefore the system time should be set correctly.
VRP supports setting the time zone and daylight saving time.
#Set the time.
<Huawei>clock datetime 10:19:30 2006/12/12
<Huawei>
<Huawei>display clock
2006-12-12 10:19:50
Tuesday
Time Zone(Default Zone Name) : UTC+00:00
<Huawei>
You can display the VRP version information by running the display version command.
<Huawei>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.90 (AR2200 V200R001C01SPC300)
Copyright (C) 2011 HUAWEI TECH CO., LTD
The version is 5.90 (AR2200 V200R001C01SPC300).
You can view the information about terminal users by running the display users command.
<Huawei>display users
User-Intf Delay Type Network Address AuthenStatus
+ 0 CON 0 00:00:00
Username : Unspecified
You can view the configuration of the current view by running the display this command. For example, you can view the configuration of an interface after entering the interface view:
[Huawei]interface Ethernet 0
[Huawei-Ethernet0]display this
#
interface Ethernet0
ip address 13.13.13.2 255.255.255.252
isis enable 1
#
return
You can obtain the diagnostic information by running the display
diagnostic-information command.

VRP manages software and configuration files through the file system. The file system manages the files and directories on the storage device, including creating the system file, renaming files and directories, creating, deleting and modifying files and directories, and displaying files. The two main functions of the file system are storage device management and file management. The storage device is the hardware device that holds information. At present, flash memory, hard disks and CF cards can be used by routers as storage devices; different products use different devices to store information. The file system is a mechanism for information storage and management. File directories are mechanisms for organizing files; they are the logical containers that hold files.
Delete a file.
<Huawei> delete flash:/test/test.txt
Delete flash:/test/test.txt?[Y/N]
<Huawei>
Restore the file that was deleted.
<Huawei> undelete sample.bak
Undelete flash:/test/sample.bak ?[Y/N]:y
% Undeleted file flash:/test/sample.bak
Delete files in the recycle bin.
<Huawei> reset recycle-bin
Display a file.
<Huawei> more test.txt
AppWizard has created this test application for you. This file
contains a summary of what you will find in each of the files that
make up your test application.
Test.dsp
Copy a file.
<Huawei> copy hda1:/sample.txt flash:/
Copy hda1:/sample.txt to flash:/sample.txt ?[Y/N]:Y
100% complete.

Create a directory.
<Huawei> mkdir dd
Info: Create directory sd1:/dd......Done
Delete a directory.
<Huawei> rmdir test
Rmdir test?[Y/N]:y
%Removing directory sd1:/test ...Done!
Display the current directory.
<Huawei> pwd
flash:/test
Format a storage device.
<Huawei> format flash:
All data(include configuration and system startup file) on flash:
will be lost , proceed with format? (y/n)[n]:Y
%Format flash: completed.
Fix a storage device whose file system is abnormal.
<Huawei> fixdisk flash:
Fixdisk flash: will take long time if needed.
Fixdisk flash: completed.
Be careful with the format command. It deletes all the files on the storage device once you run it.
When the router is powered on, it reads the configuration file from the default storage path to initialize itself. The configuration in the configuration file is called the initial configuration. If there is no configuration file in the default storage path, the router initializes itself with the default parameters. The configuration used while the router is running is called the current configuration.
Users can change the current configuration of the router through the command line interface. To make the current configuration the initial configuration the next time the router is powered on, you need to save the current configuration in the default storage path with the save command.
You can view the saved configuration of the router by running the display saved-configuration command.
You can view the current configuration of the router by running the display current-configuration command.
You can save the current configuration by running the save command. The detailed procedure is as follows:
<Huawei>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please
wait.....
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
You can erase the configuration file in the storage device by running the reset saved-configuration command. The detailed procedure is as follows:
<Huawei>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
You can run the compare configuration command to compare the current configuration with the configuration in the stored configuration file. The following message indicates that the current configuration is not the same as the saved configuration.
<Huawei>compare configuration
Warning:The current configuration is NOT the same as the saved
configuration!
====== Current configuration line 31 ======
ospf 1

====== Saved configuration line 31 ======
VRP can back up its software and configuration files through FTP or TFTP. Here we introduce the basic operations for routers or switches to obtain version files through the two modes, which is general knowledge about version updates. For details about version update methods and procedures, refer to the update guidelines we provide for a product or a specific version of a product.
FTP and TFTP are both file transfer protocols for transferring files between users and devices.
File Transfer Protocol (FTP) is based on TCP and uses the server/client model. VRP can act both as the FTP server and as the FTP client. When it acts as the FTP server, users can log in to the router to access files on the router by running an FTP client program. When VRP acts as the FTP client, users can run FTP commands to connect to a remote FTP server and then access files on the remote host, after they have connected to the router through the terminal emulation program or Telnet.
Trivial File Transfer Protocol (TFTP), unlike FTP, does not require any authentication mechanism, which makes it suitable for environments that do not involve much interaction between clients and servers.
TFTP is based on UDP and uses the server/client model. TFTP transfers are initiated by the client. To download files, the client sends a read request to the TFTP server, receives data packets from the server and finally sends confirmation to the server. To upload files, the client sends a write request to the TFTP server, sends data packets to the server and finally sends confirmation to the server. TFTP has two transfer modes: binary mode, which is used for program files, and ASCII mode, which is used for text files.
VRP can act only as the TFTP client and can transfer files only in binary mode.
As the above figure illustrates, the PC and Router A are connected through serial ports, and Router A and the FTP server are connected to the LAN. Router A, acting as the FTP client, obtains version files from the FTP server. Set the user name and password on the FTP server to huawei and huawei respectively. Log in to Router A from the PC through the super terminal and perform the following operations to obtain the version files.
#Log in to the FTP server from Router A.
<RouterA> ftp 172.16.104.110
Trying 172.16.104.110 ...
Connected to 172.16.104.110.
User(172.16.104.110:(none)):huawei
331 Give me your password, please
Password:
230 Logged in successfully
#Obtain the version file vrp.cc from the FTP server by running the get command.
[RouterA] get vrp.cc
150 "D:\system\vrp.cc" file ready to send (5805100 bytes) in
IMAGE / Binary mode
226 Transfer finished successfully.
FTP: 5805100 byte(s) received in 19.898 second(s)
291.74Kbyte(s)/sec.
As the above figure illustrates, the PC and Router A are connected through serial ports, and Router A and the FTP client are connected to the LAN. Router A is configured as the FTP server to obtain version files from the FTP client. Run the following commands to configure Router A as the FTP server.
#Enable the FTP server on the router.
[RouterA]ftp server enable
#Enter the AAA view and configure the authentication and authorization of the FTP server. Only users that pass authentication and are authorized can use the services offered by the FTP server.
[RouterA]aaa
#Create a local user named huawei.
[RouterA-aaa] local-user huawei
#Set the service type to FTP.
[RouterA-aaa] local-user huawei service-type ftp
#Configure the password as huawei.
[RouterA-aaa] local-user huawei password simple huawei
#Configure the authorization directory of FTP users on the FTP server.
[RouterA-aaa] local-user huawei ftp-directory flash:/ftp/huawei
As the above figure illustrates, the PC with the IP address 10.111.16.160 runs the TFTP software to act as the TFTP server, and Router A obtains the version software from the TFTP server. Run the following command on Router A to obtain the version software.
#Run the tftp command to obtain the vrp.cc file and save it under cfcard:/.
<RouterA> tftp 10.111.16.160 get vrp.cc cfcard:/vrp.cc
Run the dir command to check that the version file has been obtained and saved in the specified directory.
<RouterA> dir
Directory of cfcard:/
0 -rw- 86211956 Jun 08 2006 15:20:14 v300r001b02ssp02.cc
1 -rw- 2718 Jun 21 2006 17:46:46 1.cfg
2 -rw- 6247 May 19 2006 15:00:10 license.txt
3 -rw- 80975644 Jun 08 2006 14:50:20 v300r001b02msp06.cc
4 -rw- 86235884 Feb 05 2001 10:23:46 vrp.cc
508752 KB total (261112 KB free)
Simple Network Management Protocol (SNMP) is a widely used network management protocol. SNMP works at the application layer, and its transport layer protocol is UDP; it uses ports 161 and 162.
SNMP consists of the NMS and the Agent. NMS stands for Network Management Station, which sends requests to the Agent. The Agent is a process or task that resides on the managed device. After the Agent receives a request from the NMS, it analyzes the request, obtains the information and generates a response packet to send back to the NMS. SNMP is the application protocol that defines how management information is delivered between the NMS and the Agent.
SNMP defines two operations, namely GET and SET. The GET operation obtains management information from the managed device.
The SET operation sets variable values to configure the managed device. A Trap is generated by the Agent to report abnormal events on the managed device to the NMS. Once the NMS receives the trap, it takes measures such as polling to diagnose the problem, takes steps to solve it and updates the network management data.
Page199
[RouterA]snmp-agent //Enable the SNMP Agent service.
[RouterA]snmp-agent sys-info version v3 //Configure the SNMP version information.
[RouterA]snmp-agent community read public //Configure the name of the SNMP read community.
[RouterA]snmp-agent community write private //Configure the name of the SNMP write community.
Note: The configuration of the Agent must agree with that on the NMS.
[RouterA]snmp-agent trap enable //Enable the router to send Traps.
[RouterA]snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000 params securityname public //Configure the destination address of Traps, the UDP port number and the community attributes.
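The configuration above uses the community names public and private, which are the well-known defaults that every SNMP scanner tries first, and under SNMPv1/v2c the community string travels in cleartext on the wire. As an added example (not from the course material), the following Python script audits a captured snmp-agent configuration for those weak settings. The first sample configuration is the one shown above; the second is a constructed one with site-specific names, and the set of weak community names is an assumption to be extended per site policy.

```python
import re

# Constructed sample: the Agent configuration from this slide, as it would
# appear in the running configuration.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent community read public
snmp-agent community write private
snmp-agent trap enable
snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000 params securityname public
"""

# Constructed sample with site-specific community names but SNMPv2c enabled.
SITE_NAMES_CONFIG = """\
snmp-agent
snmp-agent sys-info version v2c
snmp-agent community read Rd-7kQ2x-ro
snmp-agent community write Wr-9mZ4p-rw
snmp-agent trap enable
snmp-agent target-host udp-domain 10.111.16.160 udp-port 5000 params securityname Rd-7kQ2x-ro
"""

# Community names to treat as weak (assumption: extend with any name that is
# shared across devices or documented in a vendor default list).
WEAK_COMMUNITIES = {"public", "private"}


def audit_snmp(config):
    """Return a list of (severity, finding) tuples for the snmp-agent lines."""
    findings = []
    versions = set()
    communities = []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m:
            versions.update(m.group(1).split())
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m:
            communities.append((m.group(1), m.group(2)))
        m = re.match(r"snmp-agent target-host .*securityname (\S+)", line)
        if m and m.group(1) in WEAK_COMMUNITIES:
            findings.append(("medium",
                             f"trap target-host uses default security name '{m.group(1)}'"))
    for access, name in communities:
        if name in WEAK_COMMUNITIES:
            # A default write community lets anyone who can reach UDP/161 SET values.
            severity = "high" if access == "write" else "medium"
            findings.append((severity,
                             f"{access} community is the well-known default '{name}'"))
    if versions & {"v1", "v2c"}:
        findings.append(("medium",
                         "SNMPv1/v2c enabled: community strings are sent in cleartext"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("slide config", SAMPLE_CONFIG), ("site names", SITE_NAMES_CONFIG)):
        print(name)
        for severity, finding in audit_snmp(cfg):
            print(f"  [{severity}] {finding}")
```

The script reports only on what the configuration lines state; it does not tell you which SNMP versions the Agent actually answers to, so pair it with a check from the NMS side.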
Page200
1. How is a console connection established?
Connect the serial port of the PC to the Console port of the router with a console cable, and run terminal emulation software such as the Windows terminal emulation program. Configure the parameters correctly and then log in to the router to configure it.
2. What are the VRP command levels and command views?
The VRP command levels are the visit level, the monitor level, the configuration level and the management level. The command views include the user view, the system view, the interface view, the routing protocol view, and so on.
3. How is a Telnet user created?
Enter the VTY user interface view, configure the authentication mode and the authentication password, and configure the user privilege level.
4. What protocols can be used to upgrade the VRP file?
FTP and TFTP.
Page201
Page202
Routing protocol basics is a foundational course for understanding the different routing protocols. Building on the previous sections, this section focuses on how packets are forwarded between routers and on the structure of the routing table.
Page203
Page204
A router provides mechanisms for interconnecting networks of different structures, which makes the transfer of packets among networks possible. Routes are decisions about the path over which packets will be forwarded to a given destination. In the Internet, routes are decided by routers. A router chooses an appropriate route according to the destination address in the header of the packet and sends the packet to the next router. The last router on the route is responsible for delivering the packet to the destination host. The whole process is very similar to a relay race: each router focuses only on finding an optimal route and forwarding the packet to the next station along that route. In this way, packets are handed from one router to the next until they reach their destinations. However, packets do not always travel along the best route if routing policies interfere. In the example above, RTA is going to send a packet to a destination in network N. By searching its routing table, RTA finds that the egress to network N is E0/0 and the next-hop router is RTB. RTA then sends the packet out through E0/0 to RTB; RTB forwards the packet to RTC in the same way, and so on, until the last router, RTC, sends the packet into network N. The packet follows the route RTA-RTB-RTC-network N.


Page205
Here we take the previous example to explain the process of IP routing. As the figure above shows, RTA connects to network 10.3.1.0 on the left and RTC connects to network 10.4.1.0 on the right. A datagram is to be sent from network 10.3.1.0 to network 10.4.1.0. The process of IP routing is as follows:
1. The packet is sent to the E1 port of RTA, which directly connects to network 10.1.1.0. After receiving the packet, RTA looks up its routing table and finds that the next hop to the destination is 10.1.2.2 and the egress is E0. The packet is then sent out from E0 to 10.1.2.2.
2. When the packet reaches the E0 port of RTB (10.1.2.2), RTB looks up its routing table to find the route to the packet's destination. The routing table shows that the next hop to the destination is 10.2.1.2 and the egress is E1. The packet is then sent out from E1 towards its next hop, 10.2.1.2.
3. When the packet reaches the E0 port of RTC (10.2.1.2), RTC looks up its routing table and finds that the destination of the packet is in its own directly connected segment: the next hop for the packet is 10.4.1.1 and the egress is E1. The packet is then sent out from E1 to its destination.


Page206
The analysis of the IP routing process shows that data forwarding depends entirely on the information in the routing table. To function effectively and efficiently, a router should:
1. Check the destination of a packet: does the router have information about the destination of the packet?
2. Find the source of the information: where does the information about the route to the destination come from? Is it defined statically by the administrator, or is it obtained from other routers?
3. Search for possible routes to the destination: what are the possible routes to the destination?
4. Select the best route: which is the best route to the destination? Should the router use the load balancing mechanism to send the packet over multiple routes?
5. Verify and maintain routing information: is a route valid? Is it the latest?
Routers have to verify and maintain routing information to ensure that the information is correct.

Page207
Routers check the destination of the packets they receive, and if the destination is not an interface of the local router, they look up their routing tables to find out through which port the packets should be forwarded.
1. If the destination network is directly connected to the router, the router knows through which port the packet should be forwarded.
2. If the destination network is not directly connected to the router, the router has to find the possible routes for sending the packet and then select one of them to forward the packet.
Routes in the routing table can be sorted into three categories according to their sources:
1. Routes discovered by data-link layer protocols (interface routes or direct routes).
2. Static routes manually configured by network administrators.
3. Routes discovered by dynamic routing protocols.
Page208
The Protocol field in the routing table indicates the source of a route. Routes come from three sources. The first source is the routes discovered by the data-link layer. When data-link layer protocols come up, routes of this sort are generated, and their Protocol field value in the routing table is shown as direct. Routes discovered by the data-link layer do not need maintenance, which reduces the workload. However, the data-link layer can only find routes to the segments directly connected to its interfaces and cannot discover routes that cross segments. Routes that cross segments can only be discovered by other methods.

Page209
The second source is the statically configured routes. Static
routes are configured by administrators manually and they can
also help to build connectivity between networks. Static routes
however cannot make adjustments automatically when networks
fail. They must be managed by administrators.

Page210
The last group of routes is discovered by dynamic routing protocols. Configuring routes statically for a network with a complicated topology is a demanding task and easily results in errors. So it is better to use dynamic routing protocols to find and change routes, which needs no manual maintenance. However, dynamic routing protocols have a higher cost. As the figure above shows, routes whose Proto field values are RIP and OSPF are routes discovered by the RIP and OSPF dynamic routing protocols respectively. Details about dynamic routing protocols will be given later.

Page211
As mentioned above, routes come from three sources. Here we compare static routes and dynamic routes.
1. Static routes must be defined by administrators. When the network topology changes, administrators have to change the configuration of static routes manually. Static routes are more suitable for simple and small networks. If the network is complicated, administrators may struggle with the complexity and work needed to manage numerous static routes.
2. Routing protocols collect network information for dynamic routes. When the network topology changes, routers update their information automatically without the help of administrators.

Page212
A routing protocol is a language used for communication between routers. With a routing protocol, routers can share information about routes and network status. Only routers that use the same language can communicate with each other. Routers that do not speak the same language may obtain information from each other by other approaches, but that is not discussed here. Routing protocols set down a set of rules for the communication between routers, and through routing protocols routers maintain their routing tables and offer the best routes.

Page213
An AS (Autonomous System) is a set of networks under unified management. According to their working area, routing protocols can be divided into:
1. Interior Gateway Protocol (IGP): a protocol for exchanging routing information between gateways within an autonomous system. The protocols introduced here, RIP and OSPF, are IGPs. Other IGPs not covered here include IS-IS, IGRP and EIGRP.
2. Exterior Gateway Protocol (EGP): a protocol for exchanging routing information between two autonomous systems. The Border Gateway Protocol (BGP) is a kind of EGP.
Page214
According to the algorithms used, routing protocols can be divided into the following categories:
Distance-Vector routing protocols: RIP and BGP. BGP is also called a Path-Vector protocol.
Link-State protocols: OSPF and IS-IS.
The difference between the algorithms used by Distance-Vector routing protocols and Link-State protocols lies in the way they find and calculate routes. Distance-Vector routing protocols are concerned with the number of hops to the destination, while Link-State protocols care more about the network topology and the bandwidth resources used to reach a given destination.

Page215
Routing protocols can be divided into unicast routing protocols
and multicast routing protocols according to their applications.
Unicast is one of the data transmission modes. In this mode, the
destination of a datagram is unique, which can be a host or a
device. Multicast is another data transmission mode. In this
mode, the destination address is a multicast address, which
means a group of hosts or devices can receive a datagram at the
same time. Here, we only focus on unicast routing protocols. For
details about multicast routing protocols, see references for
multicast modules.

Page216
Routing tables play a key role in packet forwarding. Each router holds a routing table, and every entry in the routing table tells through which physical port of the router a packet should be sent to reach a subnet or a host, that is, to reach the next-hop router or the destination.
A routing table contains the following items:
Destination: indicates the destination host or the destination network of an IP packet.
Mask: we have already learned the structure and functions of the mask in the TCP/IP course. Similarly, network masks are important information in a routing table. If we put an IP address and a network mask through a logical AND operation, we obtain the network segment. In the example here, the destination address is 8.0.0.0 and the mask is 255.0.0.0. After the logical AND, we know that the segment is 8.0.0.0/8, which is a Class A address.
Another function of network masks is that when there are multiple route entries matching the same destination in a routing table, the router chooses the route with the longest mask.


Page217
Interface: indicates from which interface an IP packet should be forwarded.
Nexthop: indicates the IP address of the next interface that an IP packet will go through.
Other fields in the routing table will be discussed later.
Page218
Routes to the same destination may come from different sources, so the next hops of those routes may be the same or different. In this case, how do routers choose among those routes? Route preference exists for this purpose.
In the figure above, there are two routes to the segment 10.0.0.0: R0 and R1. R0 is discovered by the RIP protocol and R1 by the OSPF protocol. By default, OSPF has a higher route preference than RIP (a smaller preference value). So on this occasion routers use the route discovered by OSPF and add it to the global routing table for packet forwarding.

Page219
The default route preferences on the VRP platform are shown in the table above. Preference 0 is for direct routes and 255 is for untrustworthy routes. Except for direct routes, the preference of every dynamic routing protocol can be configured manually according to the requirements of our customers. Note that a preference usually applies to all routes of the protocol; for example, all routes discovered by IS-IS have the same preference, 15. The static route is an exception, because each static route may have its own preference.


Page220
The route metric reflects the cost of a route to its destination. Route metrics are often decided by factors including delay, bandwidth, line occupation rate, line reliability, hop count and the maximum transmission unit. Different dynamic routing protocols choose different factors to calculate a route cost; for example, RIP uses the hop count as the route metric. Route metrics make sense only for routes discovered by the same routing protocol. It is meaningless to compare route metrics calculated by different protocols, and there is no formula for converting between route metrics that come from different routing protocols. The route metric of a static route is 0.
Router A learns routes to Router D from Router B and Router E with the same protocol. As the figure above illustrates, the metric of the route that Router A gets from Router B is 9, while the metric of the route that Router A gets from Router E is 12. Obviously, the route from Router B is better than the route from Router E, so Router A adds the first route to its routing table, with Router B as the next hop.
Page221
If there are multiple routes to the same destination with the same metric and the same preference, all of them are added to the routing table. IP packets are sent over these routes alternately, which achieves load balancing.
At present, the routing protocols that support load balancing are RIP, OSPF, BGP and IS-IS. Static routes also support load balancing.

Page222
In the routing table above, there are three routes to the network 10.1.1.1/32. The three routes have the same preference, and that preference is the highest among the routes to this destination. So all three routes are added to the routing table to balance the load.

Page223
Data packets are forwarded according to the IP addresses of their destinations. When a packet reaches a router, the router first reads the destination IP address of the packet and then looks up its routing table, performing a logical AND between that IP address and the mask of each entry. If the result of the AND equals the destination of the entry, the entry is a route to the destination of the IP packet; otherwise, it is not. When all the matching entries have been found, the router chooses the one with the longest mask among them.

Page224
Imagine that a packet whose destination IP address is 9.1.2.1 reaches the router. The router looks up its routing table and finds three matching routes there:
0.0.0.0/0, whose matching length is 0 bits.
9.0.0.0/8, whose matching length is 8 bits.
9.1.0.0/16, whose matching length is 16 bits.
The last route has the longest mask, so the router chooses it and forwards the packet through Serial 0/0.

Page225
A routing loop is a network problem in which packets sent from one router return to that router after travelling around the network for a while. When a routing loop occurs, packets travel around several routers until they are discarded when the TTL reaches 0, which wastes a great deal of network resources. Steps should be taken to keep routing loops at bay.
As the figure above shows, RTA has a packet heading for network N. The packet is forwarded to RTC and the TTL value is decremented by one. When RTC receives the packet, it forwards it to RTB, which creates a routing loop, and the TTL value is again decremented by one. RTC receives the packet and forwards it to RTA, and RTA then sends the packet again to RTC. This process continues until the packet is discarded once the TTL value is reduced to 0. Routing loops are very harmful to the network and care should be taken to avoid them.
The possible causes of a routing loop are:
1. A temporary loop occurs while the network converges.
2. Algorithm defects.


Page226
3. Information that can prevent routing loops is lost when
routes are imported to different routing domains.
4. Configuration mistakes.
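The following is an added Python example, not part of the course material. It implements the forwarding process described for the RTA-RTB-RTC example, the longest-match lookup for the packet to 9.1.2.1 (including the 0.0.0.0/0 default route and the case where no route matches at all), and the TTL-based discard that ends a routing loop. The routing tables and interface addresses are constructed from the descriptions above, since the figures are not reproduced here, and the loop topology is an invented misconfiguration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    dest: str               # destination network address
    masklen: int            # mask length (number of 1 bits in the mask)
    nexthop: Optional[str]  # next-hop address, or None for a directly connected segment
    interface: str          # egress interface


def mask_of(masklen: int) -> int:
    return (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF


def longest_match(table: List[Route], dst_ip: str) -> Optional[Route]:
    """AND the destination address with each entry's mask; the entry matches when
    the result equals the entry's destination. Among matching entries the longest
    mask wins, so 0.0.0.0/0 (a default route) matches everything but is only used
    when nothing more specific exists."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    best = None
    for route in table:
        m = mask_of(route.masklen)
        if dst & m == int(ipaddress.IPv4Address(route.dest)) & m:
            if best is None or route.masklen > best.masklen:
                best = route
    return best


def forward(tables: Dict[str, List[Route]], owner: Dict[str, str],
            first_router: str, dst_ip: str, ttl: int = 64):
    """Hand a packet from router to router until it is delivered or dropped.
    Returns (outcome, list of routers visited)."""
    path = [first_router]
    router = first_router
    while True:
        ttl -= 1                        # every router decrements TTL
        if ttl <= 0:
            return "dropped: TTL expired (routing loop)", path
        route = longest_match(tables[router], dst_ip)
        if route is None:               # no route and no default route
            return "dropped: no route (ICMP destination unreachable sent)", path
        if route.nexthop is None:       # destination segment is directly connected
            return f"delivered on {router} {route.interface}", path
        router = owner[route.nexthop]   # the next hop is a neighbouring router
        path.append(router)


# Constructed topology for the RTA-RTB-RTC example; addresses not stated in
# the text (e.g. the RTA-RTB link) are assumed.
TABLES: Dict[str, List[Route]] = {
    "RTA": [Route("10.3.1.0", 24, None, "E1"),
            Route("10.1.2.0", 24, None, "E0"),
            Route("10.4.1.0", 24, "10.1.2.2", "E0")],
    "RTB": [Route("10.1.2.0", 24, None, "E0"),
            Route("10.2.1.0", 24, None, "E1"),
            Route("10.4.1.0", 24, "10.2.1.2", "E1")],
    "RTC": [Route("10.2.1.0", 24, None, "E0"),
            Route("10.4.1.0", 24, None, "E1")],
}
OWNER = {"10.1.2.2": "RTB", "10.2.1.2": "RTC"}   # which router owns each next hop

# Constructed misconfiguration: three routers point at each other for
# 192.0.2.0/24, so the packet circulates until its TTL reaches 0.
LOOP_TABLES = {
    "RTA": [Route("192.0.2.0", 24, "10.0.0.3", "E0")],
    "RTC": [Route("192.0.2.0", 24, "10.0.0.2", "E0")],
    "RTB": [Route("192.0.2.0", 24, "10.0.0.1", "E0")],
}
LOOP_OWNER = {"10.0.0.1": "RTA", "10.0.0.2": "RTB", "10.0.0.3": "RTC"}

# The longest-match example: a packet to 9.1.2.1 matches all three entries
# (next-hop addresses assumed).
LPM_TABLE = [Route("0.0.0.0", 0, "10.0.0.9", "Serial 0/1"),
             Route("9.0.0.0", 8, "10.0.0.8", "Serial 0/2"),
             Route("9.1.0.0", 16, "10.0.0.7", "Serial 0/0")]

if __name__ == "__main__":
    print(longest_match(LPM_TABLE, "9.1.2.1"))
    print(forward(TABLES, OWNER, "RTA", "10.4.1.5"))
    print(forward(TABLES, OWNER, "RTA", "172.16.0.1"))
    print(forward(LOOP_TABLES, LOOP_OWNER, "RTA", "192.0.2.1", ttl=5))
```

The path returned for the loop case shows the same routers recurring, which is the pattern to look for when a traceroute to an unreachable destination keeps cycling through a few hops instead of ending.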

Page227
1. What are the sources of routes, and what are their characteristics?
Routes come from three sources: direct routes discovered by the data-link layer, manually configured static routes, and routes discovered by dynamic routing protocols. Routes found by the data-link layer need no maintenance and are discovered automatically when the data-link layer protocols come up; the disadvantage of this source is that it can only find routes to directly connected segments, and routes to other segments cannot be discovered. Manually configured static routes need maintenance and cannot be modified automatically when the network topology changes. Dynamic routing protocols can discover and modify routes automatically without human intervention, but the cost of these protocols is huge and the configuration process is rather complicated.
2. What are the classifications of dynamic routing protocols?
Dynamic routing protocols can be grouped into IGP and EGP protocols according to their working areas, into Distance-Vector and Link-State protocols according to their algorithms, and into unicast and multicast routing protocols according to their applications.

Page228
3. What values can be found in a routing table?
The routing table includes fields such as destination, mask, protocol, preference, metric, nexthop and interface. Equal cost multi-path refers to routes that head for the same destination with the same metric; when these routes also have the same preference, they are all added to the routing table and IP packets are sent over them alternately.
4. What does equal cost multi-path mean?
Equal cost multi-path refers to two or more routes from a single source to a single destination that are capable of supporting load balancing because both routes have a metric that the routing protocol in use considers equal. If the protocol is RIP, the number of hops to a given destination must be equal. If the protocol is OSPF, the distance between the source and the destination over the two routes must reflect an equal cost, based on the link type (e.g. serial or Ethernet) and the supported bandwidth of such links, in accordance with OSPF cost values.

Page229
Page230
Page231
Page232
A static route is a special route that is configured by a network
administrator manually. The disadvantage of static routes is that
they cannot adapt to the change in a network automatically, so
network changes require manual reconfiguration. Static routes
are fit for networks with comparatively simple structures. It is not
advisable to configure and maintain static routes for a network
with a complex structure.

Page233
The command for configuring a static route is:
[Huawei]ip route-static <ip_address> [ <mask> | <masklen> ] <interface_name> | <gateway_address> [ preference <preference_value> ] [ reject | blackhole ]
The meanings of the parameters in the command are as follows:
(1) <ip_address> [ <mask> | <masklen> ]: the IP address and mask of the destination.
The IP address takes the form of dotted decimal notation; the mask can be in dotted decimal form or be represented by the mask length (the number of bits set to 1 in the mask).
(2) <interface_name> | <gateway_address>: the name of the sending interface or the address of the next hop.
When configuring static routes, you can specify either an interface name or the address of the next hop; which one to specify depends on the actual situation. In fact, every route entry must have a next-hop address. When sending a packet, the router looks up the routing table for a route that matches the destination address of the packet, and only when the next-hop address is known can the data-link layer find the corresponding data-link address and forward the packet.

Page234

(3) <preference_value>: preference value.
Flexible route management can be achieved by configuring different preference values. If you assign multiple routes to the same destination the same preference value, load balancing is achieved; otherwise, route backup is achieved. You can enter the preference keyword more than once in a command, but only the last value is valid.
(4) Others.
The attributes reject and blackhole refer to an unreachable route and a blackhole route respectively. If a static route is labelled with the reject attribute, all packets sent to the destination of the route are discarded and an ICMP packet is sent to notify the source that the destination is unreachable. When a static route is assigned the blackhole attribute, any packet heading for the destination of the static route is discarded, and in this case no ICMP packet is sent to notify the source.
In the example above, the two routers are connected by serial ports, and we configure a static route on RTB destined to the loopback segment of RTA. The command for configuring the route can take any of the three forms below:
[RTB] ip route-static 10.1.1.1 255.255.255.255 1.1.1.1
[RTB] ip route-static 10.1.1.1 32 1.1.1.1
[RTB] ip route-static 10.1.1.1 32 Serial 0
In the first form, the mask is written in dotted decimal notation.
In the second form, the mask is given by its length.
In the last form, the gateway address is replaced by the interface name.
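As an added example (not from the course material), the following Python parser accepts the three forms of the ip route-static command shown above together with the optional preference, reject and blackhole keywords, and normalises each into one route entry. It also covers two points stated above that are easy to get wrong: a repeated preference keyword keeps only the last value, and a dotted mask must have contiguous 1 bits. The command lines fed to it are the ones above plus constructed ones; the default preference of 60 is the value the slides give for static routes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    dest: str
    masklen: int
    nexthop: Optional[str]        # gateway address, or None when an interface is given
    interface: Optional[str]      # sending interface, or None when a gateway is given
    preference: int = 60          # default static route preference stated on the slides
    flag: Optional[str] = None    # "reject", "blackhole" or None


def masklen_from_dotted(mask: str) -> int:
    """Convert a dotted-decimal mask to its length, rejecting masks whose 1 bits
    are not contiguous (e.g. 255.0.255.0)."""
    bits = int(ipaddress.IPv4Address(mask))
    length = bin(bits).count("1")
    if bits != ((0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {mask}")
    return length


def parse_route_static(command: str) -> StaticRoute:
    """Parse one ip route-static command (a leading [prompt] is tolerated)."""
    tokens = command.split()
    if tokens and tokens[0].startswith("["):
        tokens = tokens[1:]
    if tokens[:2] != ["ip", "route-static"] or len(tokens) < 5:
        raise ValueError("not a complete ip route-static command")
    dest = str(ipaddress.IPv4Address(tokens[2]))
    if "." in tokens[3]:                       # dotted-decimal mask
        masklen = masklen_from_dotted(tokens[3])
    else:                                      # mask length
        masklen = int(tokens[3])
        if not 0 <= masklen <= 32:
            raise ValueError(f"mask length {masklen} out of range")
    rest = tokens[4:]
    nexthop = interface = None
    try:
        nexthop = str(ipaddress.IPv4Address(rest[0]))
        i = 1
    except ipaddress.AddressValueError:
        # Not an address, so it is an interface name; the interface number may
        # be a separate token, as in "Serial 0" above.
        interface = rest[0]
        i = 1
        if i < len(rest) and re.fullmatch(r"\d[\d/]*", rest[i]):
            interface += " " + rest[i]
            i += 1
    route = StaticRoute(dest, masklen, nexthop, interface)
    while i < len(rest):
        if rest[i] == "preference" and i + 1 < len(rest):
            route.preference = int(rest[i + 1])   # repeated keyword: the last value wins
            if not 0 <= route.preference <= 255:
                raise ValueError("preference out of range")
            i += 2
        elif rest[i] in ("reject", "blackhole"):
            route.flag = rest[i]
            i += 1
        else:
            raise ValueError(f"unexpected token {rest[i]!r}")
    return route


def is_valid(command: str) -> bool:
    try:
        parse_route_static(command)
        return True
    except ValueError:           # AddressValueError is a ValueError too
        return False


def drop_behaviour(route: StaticRoute) -> str:
    """What happens to a packet that matches the route."""
    if route.flag == "reject":
        return "discard and send ICMP destination unreachable to the source"
    if route.flag == "blackhole":
        return "discard silently"
    return "forward"


if __name__ == "__main__":
    for line in ("[RTB] ip route-static 10.1.1.1 255.255.255.255 1.1.1.1",
                 "[RTB] ip route-static 10.1.1.1 32 1.1.1.1",
                 "[RTB] ip route-static 10.1.1.1 32 Serial 0",
                 # constructed: repeated preference and a blackhole flag
                 "ip route-static 172.16.0.0 16 1.1.1.1 preference 80 preference 90 blackhole"):
        r = parse_route_static(line)
        print(r, drop_behaviour(r))
```

Running a configuration through a parser like this before it is pushed catches the silent mistakes (a typo in a dotted mask, a preference left at the wrong value) that otherwise only show up as a missing or misordered entry in display ip routing-table.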


Page235
You can query the routing table by running display ip routing-
table command after the static route is configured. The static
route is displayed in the routing table as highlighted in red here.

Page236
Load balancing: Packets are sent through several links
alternately when there are multiple paths to the destination of
those packets with the same cost. Static routes support load
balancing.
As shown in the figure above, three routes are configured to the
same destination, network 10.1.1.1/32, on RTB. The three static
routes have the same preference value with the default value 60
and there are no routes heading for this network with higher
preference value than these three routes. In this case, these
three routes are equal routes which can share the load, and
packets will be sent through the three routes alternately.

Page237
Looking up the routing table, you can see that there are three routes destined to the network 10.1.1.1/32, which share the load over each ECMP-supported link.

Page238
Route backup: multiple routes heading for the same destination are configured, and the one with the highest preference (the smallest preference value) acts as the main route. The other equal-cost routes, with lower preference (larger preference values), become backup routes.
As the figure above shows, two static routes destined for the network 10.1.1.1/32 are configured on RTB. One of the routes has the default preference value of 60, while the other static route is configured with the less preferred preference value of 100.

Page239
By looking up the routing table, you may find that there is only
one route heading for the network 10.1.1.1/32 which acts as the
main route. The route with the preference value of 100 has not
been added to the routing table. It will be added to the routing
table only after the route with the preference value of 60
becomes invalid.
Page240
After running the display ip routing-table protocol static command, you can see that the route whose preference value is 60 is active, which means it is the main route for forwarding packets to the network 10.1.1.1/32.
The route whose preference value is 100 is inactive and acts as the backup route. It will not be added to the routing table or used for forwarding packets until the route with preference 60 is no longer available, or until the preference of this route is changed to a value lower (more preferred) than that of the currently preferred route.
Note: The routing table here is the global routing table.
display ip routing-table lists only the routes that are currently active.
display ip routing-table protocol static lists all the static routes, including both active and inactive routes.
Page241
A look up of the routing table after disabling a port for the active
route with the shutdown command will result in the backup
route becoming the active route, and being added to the routing
table to forward packets in place of the lost route.
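The following is an added Python example, not course material. It implements the selection rules described on the preceding slides for the routing table fields, route preference, metric and equal cost multi-path, and for the static route backup just shown: among routes to one destination, the smallest preference value wins; routes tied on preference are compared by metric; routes tied on both are all installed (equal cost multi-path); and a route whose interface is shut down drops out, so the backup becomes active. The OSPF and RIP default preferences and the next-hop labels are assumptions; the cases are the ones in the text.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default preferences as stated on the slides: direct 0, IS-IS 15, static 60,
# untrustworthy 255. OSPF 10 and RIP 100 are the usual VRP defaults and are an
# assumption here, since the slide's table is not reproduced.
DEFAULT_PREFERENCE = {"DIRECT": 0, "OSPF": 10, "ISIS": 15, "STATIC": 60, "RIP": 100}


@dataclass
class Candidate:
    protocol: str
    nexthop: str
    interface: str
    metric: int = 0
    preference: Optional[int] = None   # static routes may carry their own value
    up: bool = True                    # False once the egress interface is shut down

    def __post_init__(self):
        if self.preference is None:
            self.preference = DEFAULT_PREFERENCE[self.protocol]


def select_active(candidates: List[Candidate]) -> List[Candidate]:
    """Return the routes to one destination that enter the global routing table."""
    usable = [c for c in candidates if c.up]
    if not usable:
        return []
    best_pref = min(c.preference for c in usable)
    preferred = [c for c in usable if c.preference == best_pref]
    # Metrics are only comparable within one protocol; after the preference
    # filter the remaining candidates come from the same protocol.
    best_metric = min(c.metric for c in preferred)
    return [c for c in preferred if c.metric == best_metric]   # ties: ECMP


# Two routes to 10.0.0.0 learned by RIP (R0) and OSPF (R1); metrics constructed.
PREFERENCE_CASE = [Candidate("RIP", "192.0.2.1", "E0", metric=3),
                   Candidate("OSPF", "192.0.2.2", "E1", metric=20)]

# Router A learns the route to Router D from B (metric 9) and E (metric 12);
# "RouterB"/"RouterE" are labels standing in for next-hop addresses.
METRIC_CASE = [Candidate("OSPF", "RouterB", "E0", metric=9),
               Candidate("OSPF", "RouterE", "E1", metric=12)]

# Three static routes to 10.1.1.1/32, all with the default preference 60.
ECMP_CASE = [Candidate("STATIC", "1.1.1.1", "Serial 0"),
             Candidate("STATIC", "2.2.2.2", "Serial 1"),
             Candidate("STATIC", "3.3.3.3", "Serial 2")]


def backup_demo():
    """Two static routes to 10.1.1.1/32 (preference 60 and 100): only the
    preferred one is active until its interface is shut down."""
    routes = [Candidate("STATIC", "1.1.1.1", "Serial 0", preference=60),
              Candidate("STATIC", "2.2.2.2", "Serial 1", preference=100)]
    before = [c.preference for c in select_active(routes)]
    routes[0].up = False             # equivalent of `shutdown` on Serial 0
    after = [c.preference for c in select_active(routes)]
    return before, after             # ([60], [100])


if __name__ == "__main__":
    print([c.protocol for c in select_active(PREFERENCE_CASE)])
    print([c.nexthop for c in select_active(METRIC_CASE)])
    print(len(select_active(ECMP_CASE)), "equal-cost routes installed")
    print(backup_demo())
```

Because a route with a better (smaller) preference silently displaces everything else to the same destination, an unexpected entry with a low preference value is worth investigating when a destination starts being reached through an unplanned path.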
Page242
The default route is a special kind of route. Usually, default routes are configured manually by administrators, but they can also be generated by routing protocols such as OSPF and IS-IS. When a router receives a packet whose destination is not listed in the routing table, the router forwards the packet to the next hop defined by the default route. You can run the display ip routing-table command to see whether a default route is configured.
A packet is forwarded along the default route if its destination does not match the destination of any route in the routing table. If there is no default route either, the packet is discarded and an ICMP message is sent to notify the source that the destination host or network is unreachable.
Page243
A default route is configured by setting the destination address
and the mask to be 0s (0.0.0.0 0.0.0.0) when you run the ip
route-static command to configure a static route.

Page244
In the routing table, you may see the destination address of the
default route is set to be 0.0.0.0 and the mask length is 0.

Page245
The default route supports both load balancing and route backup.
If multiple default routes are configured with the same preference
value, they share the load. If they have different preference
values, the one with the highest preference acts as the main
route and the others are backup routes.
As the table above shows, the two static routes highlighted in red
share the load after being configured with the same preference
value, the default of 60.
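The lookup the three slides above describe (longest match first, the all-zeros default route as a last resort, ICMP unreachable when nothing matches, and equal-preference default routes sharing the load while a worse one waits as backup), as an added Python example. This is not code from the course or from VRP; the routing table is constructed, and it uses VRP's convention that a numerically smaller preference value is preferred, with 60 as the static-route default, so the slides' "highest preference" route is the one with the smallest value:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # "10.1.1.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    preference: int = 60   # VRP default preference for static routes (smaller wins)


# Constructed routing table: one specific route plus three default routes,
# two with the default preference (load sharing) and one worse (backup).
TABLE = [
    Route("10.1.1.0/24", "10.1.2.2"),
    Route("0.0.0.0/0", "192.168.1.1"),
    Route("0.0.0.0/0", "192.168.2.1"),
    Route("0.0.0.0/0", "192.168.3.1", preference=100),
]


def lookup(table, destination):
    """Next hops a packet to `destination` is forwarded to.

    The longest matching prefix wins, so 0.0.0.0/0 (length 0) is used only
    when nothing more specific matches. Among routes to the same prefix the
    smallest preference value is active; several active routes mean load
    balancing. An empty list means no route at all: the packet is dropped
    and ICMP destination unreachable goes back to the source.
    """
    dst = ipaddress.ip_address(destination)
    matching = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return []
    best_len = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    same = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == best_len]
    best_pref = min(r.preference for r in same)
    return sorted(r.next_hop for r in same if r.preference == best_pref)


def forward(table, destination):
    """What the router does with the packet, as a short description."""
    hops = lookup(table, destination)
    if not hops:
        return "drop, send ICMP destination unreachable to the source"
    if len(hops) > 1:
        return "load balance over " + ", ".join(hops)
    return "forward to " + hops[0]


def without_next_hop(table, dead_hop):
    """Routing table after the route via `dead_hop` is lost (its link went down)."""
    return [r for r in table if r.next_hop != dead_hop]


if __name__ == "__main__":
    for dst in ("10.1.1.7", "8.8.8.8"):
        print(dst, "->", forward(TABLE, dst))
    # both equal-preference defaults gone: the preference-100 backup takes over
    degraded = without_next_hop(without_next_hop(TABLE, "192.168.1.1"), "192.168.2.1")
    print("8.8.8.8 after failover ->", forward(degraded, "8.8.8.8"))
    print("8.8.8.8 with no default ->", forward(TABLE[:1], "8.8.8.8"))
```

The same function answers all four questions on these slides: a specific match beats the default, two equal defaults are both returned, removing them exposes the backup, and a table without a default returns nothing.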
Page246
What are the differences between load balancing and route
backup for static routes?
Load balancing: When there are multiple paths with the same
metric to the destination, packets are sent over the several
links alternately.
Route backup: If there are multiple routes to the same
destination, the one with the highest preference value acts as
the main route, and the others with lower preference values act
as backup routes. A backup route is used only after the main
route becomes invalid.
What is a default route?
The default route is a special route used for last-resort
forwarding. Usually, default routes are configured manually by
administrators, but they can also be generated by routing
protocols such as OSPF and IS-IS. A default route is the route
whose network address and mask are both all zeros in the
routing table.
Page247

Routing protocols are like languages that build bridges between
routers for information exchange. Information such as the network
status and reachability is shared among routers with the help of
routing protocols.
Dynamic routing protocols are not only responsible for selecting
routes; they can also find another best route to the destination
when the original one becomes unavailable. This capability matters
most when the network topology changes, and it is the advantage
of dynamic routing protocols over static routing.
The common routing protocols in use at present are RIP, OSPF,
IS-IS and BGP. RIP is known for its simplicity of configuration
and deployment; because it converges slowly, it is designed for
exchanging routing information within small to medium-size
networks.
Developed by the IETF, OSPF is a complex but widely used
protocol. IS-IS is a routing protocol with a simple design and
good extensibility, and is extensively applied in large-scale SP
networks.
BGP is used for exchanging routing information between
autonomous systems (ASs).

Page251

At present, the common dynamic routing protocols are RIP, OSPF,
IS-IS and BGP. RIP is simple to configure but converges slowly,
so it is commonly used in small and medium-sized networks.
OSPF was developed by the IETF; its principles are more complex,
and it is widely used. IS-IS has a simple design and good
scalability, and is found in large SP networks.
BGP is used to exchange routing information between ASs.


Page252

A traditional definition of an autonomous system (AS) is a
collection of IP networks and routers under the control of one
entity that presents a common routing policy to the Internet. The
definition has since broadened to a collection of networks and
routers that are managed by multiple entities and adhere to
several routing policies.
AS numbers are assigned by the IANA, and each AS is allocated a
unique number to distinguish it from others. AS numbers range
from 1 to 65535 and are divided into two ranges. The first range,
1 to 64511, contains public AS numbers, which may be used on the
Internet. AS numbers in the second range, 64512 to 65534, are
private numbers and can only be used internally within an
organization.
Page253

Routing protocols can be divided into IGPs and EGPs according to
the area in which they work.
IGP (Interior Gateway Protocol): a set of routing protocols used
within an autonomous system, such as RIP and IS-IS. An IGP is
mainly used to discover and calculate routes within an autonomous
system.
EGP (Exterior Gateway Protocol): used to connect different
autonomous systems. An EGP, such as BGP, controls the exchange of
routing information between autonomous systems with routing
policies and route filtering mechanisms.

Page254

Routing protocols can also be divided into distance-vector
protocols and link-state protocols. RIP and BGP are examples of
distance-vector protocols, while OSPF and IS-IS are link-state
protocols. BGP is also called a path-vector protocol.
Distance-vector Routing Protocol
These protocols use the Bellman-Ford algorithm to calculate paths.
In a distance-vector routing protocol, each router sends its
complete routing table to its neighboring routers at fixed
intervals. What the routers in a distance-vector network really
care about is the metric, the distance between the router and the
destination network, and the vector, the interface from which
data is forwarded.
Advantages of distance-vector protocols:
They are easy to configure and take up comparatively few memory
and CPU resources.
Disadvantages of distance-vector protocols:
Poor extensibility; for example, the maximum hop count in RIP is
limited to 16.


Page255
Link-state Routing Protocol
These protocols are based on the Dijkstra algorithm, also called
the Shortest Path First (SPF) algorithm. The algorithm pays
attention to the state of the links or interfaces in the network,
including whether they are up or down and their IP addresses and
masks. Routers advertise the link states they know to the other
routers in the area, so that each router in the area builds up a
complete link-state database for the area. Every router then draws
its own topology map from the collected information, in the form
of a graph showing which nodes are connected to which other nodes.
The primary advantage of link-state routing is that it reacts more
quickly, and within a bounded amount of time, to connectivity
changes. Routers send update information only when a link state
changes, which saves bandwidth on the links between routers, and
some updates carry only the changed link-state information rather
than the whole routing table.
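Added example of the link-state computation just described, written for this section and not taken from the course or any vendor: a constructed four-router link-state database, Dijkstra's SPF run from one router to produce its routing table with next hops, and a link-state change handled by simply recomputing. Router names and link costs are constructed.

```python
import heapq

# Constructed link-state database shared by every router in the area:
# router -> {neighbour: cost}. Links are listed in both directions.
LSDB = {
    "RTA": {"RTB": 1, "RTD": 5},
    "RTB": {"RTA": 1, "RTC": 1},
    "RTC": {"RTB": 1, "RTD": 1},
    "RTD": {"RTA": 5, "RTC": 1},
}


def spf(lsdb, root):
    """Dijkstra (shortest path first) from `root` over the LSDB.

    Returns {router: (cost, next_hop)}, where next_hop is the first router
    after `root` on the shortest path: exactly what the routing table needs.
    """
    best = {root: (0, None)}
    heap = [(0, root, "")]                      # (cost so far, node, first hop)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                            # stale entry, a shorter path was found since
        for nb, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nb if node == root else first_hop
            if nb not in best or new_cost < best[nb][0]:
                best[nb] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nb, hop))
    return best


def routing_table(lsdb, root):
    """destination -> (cost, next_hop) for every other router."""
    return {dst: v for dst, v in spf(lsdb, root).items() if dst != root}


def link_down(lsdb, a, b):
    """A new LSDB with link a-b removed: the link-state change every router
    hears about; each one then just recomputes its table from the topology."""
    new = {r: dict(nbrs) for r, nbrs in lsdb.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


if __name__ == "__main__":
    print("RTA before:", routing_table(LSDB, "RTA"))
    print("RTA after RTC-RTD fails:", routing_table(link_down(LSDB, "RTC", "RTD"), "RTA"))
```

With the constructed costs, RTA reaches RTD in 3 via RTB (RTA-RTB-RTC-RTD) rather than over the direct cost-5 link; once the RTC-RTD link is withdrawn, the recomputation switches RTD to the direct link with cost 5, and no neighbour's routing table had to be trusted to get there.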


Page256

On some occasions, routing information must be shared among
different routing protocols. For example, routes learned from RIP
may need to be imported into OSPF. The process of exchanging
routing information between protocols is called route importation.
It can be one-way, as in the example of importing routes from RIP
into OSPF, or two-way, with RIP and OSPF each learning routes from
the other.
The costs used by different protocols cannot be compared, and there
is no formula to convert the cost of one protocol into another's.
So the metric must be set again (some protocols can use a default
value set by the system) when routes are imported from one
protocol into another. Improper importation may burden routers or
lead to loops, so it must be done with care.

Page257

What makes a good dynamic routing protocol?
(1) Correctness: The routing protocol should correctly find the
optimal route, without loops.
(2) Fast convergence: The routing protocol can respond quickly to a
new network topology.
(3) Low cost: The cost (memory, CPU, network bandwidth) of the
routing protocol itself is minimal.
(4) High security: The routing protocol is resistant to attack and
provides high security.
(5) High adaptability: The routing protocol can be easily applied
to networks of different topologies and scales.
Page258

What are the common dynamic routing protocols in use?
They are RIP, OSPF, IS-IS and BGP.
Into which domain classifications can dynamic routing protocols
be divided?
Routing protocols fall into two distinct classifications, intra-AS
and inter-AS, better known as Interior Gateway Protocols (IGPs)
and Exterior Gateway Protocols (EGPs).
What classifications of dynamic routing protocols are there?
RIPv1/v2, OSPF and IS-IS fall into the first group and BGP belongs
to the second. According to the algorithm, routing protocols can
be categorized into distance-vector and link-state routing
protocols. RIPv1/RIPv2 and BGP are distance-vector protocols, and
OSPF and IS-IS are link-state routing protocols.

Page259
The distance-vector (D-V) routing protocol is based on the
Bellman-Ford algorithm. A router using the D-V algorithm sends its
entire routing table to adjacent routers.
The adjacent routers compare the received routing table with their
own. If a received route is new, it is added to the routing table
directly. If a received route has the same destination as an
existing route, the router compares the metrics of the two routes
and keeps the one with the smaller metric in the routing table.
The adjacent routers then broadcast their routing tables (with the
new routes) to their own adjacent routers.
A distance-vector routing protocol advertises routing information
in the form (Distance, Direction): Distance is the metric, and
Direction is the next hop. The advantage of distance-vector
routing protocols is that configuration is simple, less memory is
used and less CPU processing time is needed.
The disadvantage is poor scalability. For example, the maximum hop
count in RIP cannot exceed 16.
Page263
When a router starts (at t0), it generates an entry for each
directly connected network segment. The router is directly
connected to the segment, so the hop count is 0 and the next hop
router is represented as " " in the entry. The router then
broadcasts the routing information on all its links.

Page264
At t1, routers receive and process the first update message. RTA
receives the update message from RTB and finds that RTB has
a route to 10.1.3.0 with 0 hops. This route is not contained in the
routing table of RTA, so RTA adds this route to its routing table
and increases the hop count by 1. Thus RTA learns the route to
10.1.3.0 from the update message sent by RTB. Similarly, RTB
learns the route to 10.1.1.0 from the update message sent by
RTA and learns the route to 10.1.4.0 from the update message
sent by RTC. RTC learns the route to 10.1.2.0 from the update
message sent by RTB.

Page265
At t2, the next update period begins and new update packets are
broadcast. RTA learns the route to 10.1.4.0 from RTB. RTC
learns the route to 10.1.1.0 from RTB. Through the periodic
update mechanism, each router obtains routes to all network
segments. Finally, the network converges.

Page266
The D-V algorithm requires each router to send its routing table to adjacent
routers. When a route update message arrives, the router compares the new
routing information with the routing information already in its table, and
then modifies its local routing table according to the comparison so as to
keep up with changes in the network.
The principles for updating the routing table are:
1. Adding new routes.
As shown in the figure, RTB receives the route update message from RTA. If
a route entry of RTA, for example the route to 10.1.1.0, does not exist in the
routing table of RTB, RTB adds this entry to its own routing table. In the
routing table of RTB, the destination network of this route is 10.1.1.0; the
metric (hop count) is RTA's metric for this entry plus 1; and the next hop
address is the IP address of RTA's interface connected to RTB, namely
10.1.2.1.

Page267
2. Changing the next hop address and metric.
RTB receives the update message from RTA and finds that RTA's
metric to a network is less than RTB's own metric minus 1. For
example, to the same network 10.0.1.0, the route in RTB's routing
table needs 5 hops, while the route in RTA's routing table needs
2 hops. 5-1>2, which means the metric is smaller if packets go
through RTA. Therefore, RTB changes the route entry in its routing
table: the next hop becomes the IP address of the interface on
RTA, so subsequent packets are forwarded towards the destination
network by RTA, and the route metric becomes RTA's metric plus 1.

Page268
3. Changing the metric (hop count) only.
As shown in the figure, RTB's next hop to the network segment is
RTA. The update message from RTA shows that the metric to the
destination network segment has changed. The metric of this route
entry in RTB's routing table therefore changes to RTA's new metric
plus 1; that is, the original metric 2 changes to 4+1=5.

Page269
4. Deleting unreachable routes.
In RTB's routing table the next hop to the destination network is
RTA, but RTA's routing table no longer contains the route to this
network, so RTB deletes this route entry from its routing table.
Take the 10.0.3.0 entry in the figure as an example. In RTB's
routing table the next hop is RTA, but the update message sent by
RTA does not contain this entry. This indicates that packets
cannot reach 10.0.3.0 through RTA, so RTB must delete the entry
from its routing table.

Page270
When a network fault occurs, network convergence may slow down
because the routes in the routing table may be inconsistent with
the actual network topology, and a routing loop may be generated.
This figure uses a simple network to show how a routing loop
arises. Before a fault occurs on network 11.4.0.0, all routers
have correct and consistent routing tables and the network is
converged. In this example the route metric is the hop count, so
the metric of each link is 1. Router C is directly connected to
network 11.4.0.0, so its hop count is 0. Router B reaches 11.4.0.0
through Router C, so its hop count is 1. Router A reaches 11.4.0.0
through Router B and Router C, so its hop count is 2. When a fault
occurs on network 11.4.0.0, a routing loop may be generated. The
process is as follows:
1. When the fault occurs on network 11.4.0.0, Router C learns of
it first. Router C then regards 11.4.0.0 as unreachable and waits
for its update period to begin before advertising the route change
to its adjacent router. If the update period of Router B begins
earlier than that of Router C, Router C learns a new route to
11.4.0.0 from Router B. This learnt route is actually incorrect.
Page271
Thus, the routing table of Router C records an incorrect route
(next hop Router B, destination 11.4.0.0, hop count increased
to 2).
2. After learning the wrong route, Router C advertises it to
Router B. Router B likewise records a wrong route to 11.4.0.0,
with next hop Router C and hop count increased to 3. Router B now
considers that network 11.4.0.0 is reachable through Router C, and
Router C considers that it is reachable through Router B. Thus, a
loop is generated.


Page272
When a routing loop occurs, the hop count to network 11.4.0.0
keeps increasing and the network cannot converge. To avoid this
problem, RIP limits the maximum hop count to 16. In the figure,
when the hop count reaches 16, network 11.4.0.0 is considered
unreachable: the router marks the route unreachable in its routing
table and no longer updates the route to 11.4.0.0. By defining a
maximum hop count, the distance-vector routing protocol prevents
the route metric from increasing infinitely when a routing loop
occurs, and the incorrect route information is eventually
corrected. However, the routing loop still exists until the hop
count reaches the maximum value. In other words, this solution is
only a remedial measure that mitigates the damage caused by a
routing loop; it cannot prevent the loop. Therefore, designers of
routing protocols provide other mechanisms to reduce the
probability of routing loops, for example split horizon and
triggered update.

Page273
Split horizon is a common solution among distance-vector routing
protocols for avoiding routing loops. One cause of routing loops
is a router learning a route from its neighbor and then
advertising that route back to the same neighbor that advertised
it. With split horizon, a router does not send routing information
back to the neighbor from which that routing information was
received.
As shown in the figure:
1. Router C advertises the route to network 11.4.0.0 to Router B.
Router B then advertises this routing information to Router A. At
the same time, Router B also sends this routing information back
to Router C. While network 11.4.0.0 works normally, Router C does
not accept the route to 11.4.0.0 advertised by Router B, because
Router C has a route to 11.4.0.0 with a smaller metric.
2. If the route from Router C to 11.4.0.0 becomes unreachable,
Router C accepts the route to 11.4.0.0 advertised by Router B,
although that route is now incorrect. (Since the route from
Router C to 11.4.0.0 is unreachable, the route Router B learned
from Router C is incorrect.) However, Router C does not know that
the route is incorrect. Router B considers that 11.4.0.0 is
reachable through Router C, and Router C considers that 11.4.0.0
is reachable through Router B. Thus, a routing loop is generated.
Page274
3. Split horizon solves this problem. Split horizon forbids a
router from sending routing information back out through the
interface on which that information arrived. In the figure,
Router B learns the route to 11.4.0.0 from Router C, so split
horizon forbids Router B from advertising this route back to
Router C. This avoids routing loops to some extent.
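An added Python simulator, not the course's code, that covers the t0/t1/t2 convergence timeline, the four update rules, the count-to-16 loop on 11.4.0.0 and the split horizon fix above. Router and network names are those from the slides; the fault is modelled as Router C's directly connected route disappearing from its table, and "converged" means a full update period in which no table changes. The sequential sending order B, C, A reproduces the slide's timing in which Router B's update reaches Router C before Router C advertises.

```python
INFINITY = 16   # hop count meaning "unreachable", as in RIP


class Router:
    def __init__(self, name, direct_networks):
        self.name = name
        # destination -> (hop count, next hop); next hop None = directly connected
        self.table = {net: (0, None) for net in direct_networks}
        self.neighbors = []

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def advertise(self, to, split_horizon):
        """Routing update sent to neighbour `to`: destination -> hop count."""
        return {dest: hops for dest, (hops, nh) in self.table.items()
                if not (split_horizon and nh == to)}   # split horizon: never send a route back to its source

    def receive(self, frm, update):
        """Apply the slides' four update rules to an update from neighbour `frm`."""
        for dest, hops in update.items():
            new_hops = min(hops + 1, INFINITY)               # one more hop to go via frm
            if dest not in self.table:
                if new_hops < INFINITY:
                    self.table[dest] = (new_hops, frm)       # rule 1: add a new route
                continue
            cur_hops, cur_nh = self.table[dest]
            if cur_nh == frm:
                self.table[dest] = (new_hops, frm)           # rule 3: the next hop's metric changed
            elif new_hops < cur_hops:
                self.table[dest] = (new_hops, frm)           # rule 2: better path via frm
        # rule 4: the next hop no longer advertises the destination -> delete
        for dest in [d for d, (_, nh) in self.table.items() if nh == frm and d not in update]:
            del self.table[dest]

    def hops_to(self, dest):
        return self.table[dest][0] if dest in self.table else None


def run_round(routers, split_horizon=False, order=None):
    """One update period. order=None: all routers send at once (every update is
    built before any is processed). order=[names]: routers send one after
    another and each update is processed by the neighbours immediately."""
    if order is None:
        pending = [(r.name, nb, r.advertise(nb.name, split_horizon))
                   for r in routers.values() for nb in r.neighbors]
        for sender, nb, update in pending:
            nb.receive(sender, update)
    else:
        for name in order:
            r = routers[name]
            for nb in r.neighbors:
                nb.receive(r.name, r.advertise(nb.name, split_horizon))


def snapshot(routers):
    return {name: dict(r.table) for name, r in routers.items()}


def convergence_demo():
    """The t0/t1/t2 timeline: RTA - RTB - RTC in a line, networks 10.1.1.0 to 10.1.4.0.
    Returns the routing tables after t0, t1 and t2."""
    rta = Router("RTA", ["10.1.1.0", "10.1.2.0"])
    rtb = Router("RTB", ["10.1.2.0", "10.1.3.0"])
    rtc = Router("RTC", ["10.1.3.0", "10.1.4.0"])
    rta.link(rtb)
    rtb.link(rtc)
    routers = {"RTA": rta, "RTB": rtb, "RTC": rtc}
    history = [snapshot(routers)]
    for _ in range(2):
        run_round(routers)
        history.append(snapshot(routers))
    return history


def failure_demo(split_horizon, max_rounds=40):
    """Router A - Router B - Router C - 11.4.0.0; the network behind Router C fails.
    Returns (update periods until nothing changes, hop count to 11.4.0.0 per router)."""
    a, b, c = Router("A", []), Router("B", []), Router("C", ["11.4.0.0"])
    a.link(b)
    b.link(c)
    routers = {"A": a, "B": b, "C": c}
    for _ in range(3):                       # let the network converge before the fault
        run_round(routers, split_horizon)
    del c.table["11.4.0.0"]                  # the directly connected network goes down
    for rounds in range(1, max_rounds + 1):
        before = snapshot(routers)
        run_round(routers, split_horizon, order=["B", "C", "A"])
        if snapshot(routers) == before:
            break
    return rounds - 1, {n: r.hops_to("11.4.0.0") for n, r in routers.items()}


if __name__ == "__main__":
    for t, tables in enumerate(convergence_demo()):
        print(f"t{t}:", tables)
    print("no split horizon:", failure_demo(False))
    print("split horizon:   ", failure_demo(True))
```

Without split horizon the hop count for 11.4.0.0 climbs by two per update period between Router B and Router C (2, 3; 4, 5; ...) and only settles once all three routers hold the unreachable value 16, eight periods after the fault. With split horizon, Router B never sends the route back to Router C, Router C's empty update makes Router B drop it (rule 4), and the route is gone from every table after two periods.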


Page275
Route poisoning is a supplement to split horizon. Route
poisoning can prevent routing loops to some extent and can
suppress network flapping caused by interface resetting. When a
fault occurs in the network or an interface is reset, route
poisoning suppresses the related route and starts a hold-down
timer. Within the hold-down time, the router does not update the
routing table. In this way, the routing loop is avoided and network
flapping is suppressed.
As shown in the figure:
When a fault occurs in network 11.4.0.0, Router C sets the metric
of the route to this network to 16 (unreachable) in its routing table,
and thus this route is suppressed. Router C does not accept the
update message of the route to 11.4.0.0 from the adjacent router.
After Router B receives the advertisement from Router C,
indicating that the route metric to 11.4.0.0 is infinite, Router B
sends a poison reverse update message to Router C. The
update message indicates that 11.4.0.0 is unreachable. The
update message violates the principle of split horizon, but it is
used to confirm that all routers on this network segment know
that the route is suppressed.

Page276
Route poisoning can avoid routing loops to some extent and can
suppress network flapping caused by interface resetting. When a
fault occurs in the network or an interface is reset, route
poisoning suppresses the related route and starts a hold-down
timer. Within the hold-down time, the router does not update the
routing table. In this way, the routing loop is avoided and network
flapping is suppressed.
As shown in the figure:
1. When a fault occurs in network 11.4.0.0, Router C suppresses
the related route entry in the routing table, that is, it sets the
metric of the route to this network to 16 or unreachable. At the
same time, Router C starts a hold-down timer. Within the hold-
down time, if Router C receives a route reachable message from
the same neighbor (or the same direction), it marks the network
as reachable and stops the hold-down timer.
2. If Router C receives an update message from other neighbors,
advertising the route with higher weight, Router C updates the
routing table by selecting the new route. At the same time,
Router C stops the hold-down timer.
Page277
3. Within the hold-down time, if Router C receives a route
reachable update message, but the weight of the new route is
lower, Router C will not accept the new route. After the hold-
down timer expires, if Router C receives this update message
again, it will update the routing table.
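The three hold-down cases above as an added state machine in Python (not Huawei's code). It takes Router A's point of view rather than Router C's, because Router C is directly connected with hop count 0 and no neighbour could offer it a better route: Router A had 11.4.0.0 two hops away via Router B. Two assumptions are labelled in the code: the hold-down time (180 seconds; the slides give no value) and reading the slide's "higher weight" as a smaller hop count than the pre-fault route had. Routers D and X are hypothetical neighbours.

```python
HOLD_DOWN = 180      # assumed hold-down time in seconds (the slides give no value)
UNREACHABLE = 16


class HeldRoute:
    """One routing-table entry for a destination, with hold-down state."""

    def __init__(self, dest, next_hop, metric):
        self.dest, self.next_hop, self.metric = dest, next_hop, metric
        self.original_metric = metric   # metric before the fault; "better" is judged against it
        self.held_from = None           # next hop (the direction) at the moment of the fault
        self.hold_until = None          # expiry time of the hold-down timer

    def fail(self, now):
        """Step 1: suppress the route (metric 16) and start the hold-down timer."""
        self.held_from, self.metric = self.next_hop, UNREACHABLE
        self.hold_until = now + HOLD_DOWN

    def in_hold_down(self, now):
        return self.hold_until is not None and now < self.hold_until

    def _install(self, neighbor, hops):
        self.next_hop, self.metric, self.hold_until = neighbor, hops, None

    def receive(self, now, neighbor, advertised):
        """Handle an advertisement for this destination; returns the decision taken."""
        hops = min(advertised + 1, UNREACHABLE)
        if hops >= UNREACHABLE:
            return "ignored (unreachable)"
        if not self.in_hold_down(now):
            if hops < self.metric:            # timer expired (or never ran): plain D-V rule
                self._install(neighbor, hops)
                return "installed"
            return "no change"
        if neighbor == self.held_from:        # same direction: the network is back (step 1)
            self._install(neighbor, hops)
            return "reactivated"
        if hops < self.original_metric:       # other neighbour with a genuinely better path (step 2)
            self._install(neighbor, hops)
            return "switched"
        return "ignored (hold-down)"          # stale information that would re-create the loop (step 3)


def scenario(events, original=("RouterB", 2)):
    """Constructed run for Router A (2 hops to 11.4.0.0 via Router B): the fault
    is signalled at t=0, then each (time, neighbour, advertised metric) event is
    processed. Returns (decisions, final metric, final next hop)."""
    r = HeldRoute("11.4.0.0", *original)
    r.fail(0)
    return [r.receive(t, n, m) for t, n, m in events], r.metric, r.next_hop


if __name__ == "__main__":
    print("stale route from X during hold-down:", scenario([(5, "RouterX", 3)]))
    print("then B says the network is back:   ", scenario([(5, "RouterX", 3), (60, "RouterB", 1)]))
    print("better path from D during hold-down:", scenario([(5, "RouterD", 0)]))
    print("same stale route after expiry:      ", scenario([(5, "RouterX", 3), (200, "RouterX", 3)]))
```

The first case is the one the mechanism exists for: the stale three-hop advertisement from X is exactly the kind of update that, accepted, would start the count-to-infinity loop, so it is ignored until the timer expires, while reachability from the original direction or a strictly better path from elsewhere is taken at once.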



Page278
As shown in the figure, when network 11.4.0.0 becomes
unreachable, Router C obtains this information first. Generally,
route update messages are sent to adjacent routers periodically;
for example, RIP specifies that a router sends route update
messages every 30 seconds. However, if the update message sent by
Router B reaches Router C before the update period of Router C
begins, Router C learns the wrong route to 11.4.0.0 and a routing
loop is generated. If Router C sends its update message
immediately instead of waiting for the update period, this
problem is avoided. This mechanism is called triggered update.
Triggered update means that a router sends a triggered update
message to adjacent routers immediately after its routing
information changes. When a router detects that the network
topology has changed, it immediately sends the triggered update
message to its adjacent routers; all other routers also send
triggered update messages immediately, and thus the triggered
update messages spread across the entire network. In the figure,
Router C immediately sends an update message advertising that
network 11.4.0.0 is unreachable. After Router B receives this
message, it sends the network unreachable message out of
interface S0. Router A then advertises this message out of
interface E0.
Page279
Triggered update avoids routing loops to some extent, but it still
cannot avoid the following problems:
1. The packet containing the update message may be discarded
or damaged.
2. If a router receives the periodically sent update message from
an adjacent router before receiving the triggered update message,
the router will learn the wrong routing information.
These problems can be solved when triggered update is combined
with hold-down timers. While the hold-down timer runs, the router
does not update the route to the destination network that has
become unreachable. Combining triggered updates with hold-down
timers therefore ensures that the triggered update message has
enough time to propagate through the network. As shown in the
figure, when Router C detects that network 11.4.0.0 is
disconnected, it deletes the route to this network immediately.
Then Router C sends a triggered update message to Router B, with
the metric of the route to 11.4.0.0 set to infinite (16) to
suppress this route. After receiving the triggered update
message,
Page280
Router B starts the hold-down timer and marks the network as
"may be disconnected." At the same time, Router B sends a
reverse update message to Router C, then sends a triggered
update message to Router A to advertise that network 11.4.0.0 is
unreachable. Router A then suppresses the route to 11.4.0.0 and
sends a reverse update message to Router B.



Page281
What is a distance-vector routing protocol?
A distance-vector routing protocol is based on distance and
vector. The distance-vector algorithm is also called the
Bellman-Ford algorithm or the Ford-Fulkerson algorithm. In such a
protocol, a route is advertised as a distance (metric, hop count)
and a vector (direction, outgoing interface). Every router
periodically sends its routing table to its directly connected
routers.
What are the methods used to prevent routing loops?
The methods for avoiding routing loops are split horizon, route
poisoning, hold-down timers, and triggered updates.

Page282
The Routing Information Protocol (RIP) is a relatively simple
dynamic routing protocol, but it is widely used. RIP is based on
the distance-vector (D-V) algorithm and exchanges routing
information over UDP. A RIP router sends update messages every 30
seconds. If a router does not receive an update message from a
peer router within 180 seconds, it marks all routes learned from
that peer as unreachable. If it still receives no update message
from the peer in the subsequent 120 seconds, it deletes these
routes from the routing table.
RIP represents the distance to the destination network by the hop
count. The hop count between a router and a directly connected
network is 0; if the network is reached through another router,
the hop count increases by 1, so the hop count grows with the
number of routers between the source router and the destination
network. In RIP the metric is an integer ranging from 0 to 15; a
hop count equal to or larger than 16 is defined as infinite,
meaning that the destination network or host is unreachable.
RIP runs above UDP: routing information is encapsulated in UDP
datagrams, and RIP uses port 520 to exchange routing information.
When a router receives a route update message from a remote
router, it notifies the other routers of the changed route, and in
this way routes are synchronized on all routers in the network. To
improve routing performance and avoid routing loops, RIP supports
split horizon, poison reverse, and triggered updates. In addition,
RIP can import routes learned through other routing protocols.

Page286
When RIP is enabled, the initial routing table contains only direct
routes. After RIP is enabled on a router, the router broadcasts
Request packets on all directly connected interfaces. When an
adjacent router receives a Request packet on an interface, it
broadcasts a Response packet, built from its routing table, to the
network connected to that interface. When the router receives the
Response packet from the adjacent router, it generates its routing
table from the Response packet. Based on the characteristics of
the D-V algorithm, the devices involved in RIP are classified into
active and passive devices. An active device actively broadcasts
route update packets, and a passive device only receives them.
Generally, a host is a passive device, and a router is both an
active and a passive device: it not only broadcasts route update
packets but also receives the D-V packets from other active
devices and updates its routing table.

Page287
In RIP, a router broadcasts its routing table in Response packets
every 30 seconds. After receiving a Response packet from a
neighbor, the router calculates the metric of each route in the
packet, compares the calculated metric with the metric of the
corresponding route in its routing table, and updates the routing
table. The route metric is calculated by the formula metric =
Min (metric + cost, 16), where "metric" is the metric in the
packet and cost is the metric from the neighbor to the network on
which the packet was received. The default value of cost is 1
(one hop). 16 means that the destination network is unreachable.
When the local router receives a route update packet, it updates
the routing table based on the following principles:
For an existing route entry in the routing table, if the next hop
is the adjacent router that sent the packet, the local router
updates the entry (keeps the original metric and only resets the
aging timer), regardless of whether the metric in the route update
packet is larger or smaller. If the next hop is not that adjacent
router, the local router updates the route entry only when the
metric in the route update packet is smaller than the previous
metric. For a route entry that does not exist in the routing
table, the router adds it if the metric is less than 16
(unreachable). Each entry in the routing table has an aging timer.
If a route entry is not updated within 180 seconds, the aging
timer times out and the metric of the route changes to 16
(unreachable).

Page288
After the metric of a route changes to 16 and the route has been advertised in the Response packet four times (120 seconds), the route is deleted from the routing table.
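The update and aging rules above, worked through as a small routing-table simulation. This is an added example, not code from the course or from VRP, and the neighbour addresses and prefixes in it are constructed. It applies metric = Min(metric + cost, 16) on receipt, installs an unknown destination only when it is reachable, refreshes an entry that comes back from its own next hop (adopting the advertised metric, as RFC 2453 specifies; when the metric is unchanged this is the timer-only refresh described above), replaces an entry learned from another neighbour only on a smaller metric, sets the metric to 16 after 180 seconds without a refresh and deletes the entry 120 seconds later. A build_response method with split horizon is included because that is where the periodic Response packets come from.

```python
from dataclasses import dataclass

INFINITY = 16       # metric that means "unreachable"
AGE_TIME = 180      # seconds without a refresh before the metric becomes 16
GARBAGE_TIME = 120  # seconds an unreachable route is kept before deletion


@dataclass
class Route:
    dest: str       # destination network, e.g. "192.168.1.0/24"
    next_hop: str   # neighbour the route was learned from
    metric: int     # hop count, 1..16
    age: int = 0    # seconds since the entry was last refreshed


class RipTable:
    """RIP routing table with the update, aging and deletion rules from the text."""

    def __init__(self):
        self.routes = {}  # dest -> Route

    def receive_response(self, neighbor, entries, cost=1):
        """Process a Response from `neighbor`. `entries` is the list of
        (destination, metric) pairs carried in the packet; `cost` is the hop
        to that neighbour. Returns the destinations whose entry changed."""
        changed = []
        for dest, adv_metric in entries:
            metric = min(adv_metric + cost, INFINITY)  # metric = Min(metric + cost, 16)
            cur = self.routes.get(dest)
            if cur is None:
                if metric < INFINITY:  # unknown destination: install only if reachable
                    self.routes[dest] = Route(dest, neighbor, metric)
                    changed.append(dest)
            elif cur.next_hop == neighbor:
                # Same next hop: the neighbour is authoritative for this entry.
                if metric >= INFINITY:
                    if cur.metric < INFINITY:  # withdrawn: start the 120 s deletion countdown
                        cur.metric, cur.age = INFINITY, AGE_TIME
                        changed.append(dest)
                else:
                    cur.age = 0  # refresh the aging timer whatever the metric is
                    if cur.metric != metric:
                        cur.metric = metric
                        changed.append(dest)
            elif metric < cur.metric:
                # Different next hop: replace the entry only for a shorter path.
                self.routes[dest] = Route(dest, neighbor, metric)
                changed.append(dest)
        return changed

    def tick(self, seconds):
        """Advance all timers. At 180 s the metric becomes 16; 120 s after that
        the entry is removed. Returns the destinations deleted."""
        deleted = []
        for dest, route in list(self.routes.items()):
            route.age += seconds
            if route.age >= AGE_TIME + GARBAGE_TIME:
                del self.routes[dest]
                deleted.append(dest)
            elif route.age >= AGE_TIME:
                route.metric = INFINITY
        return deleted

    def build_response(self, to_neighbor, split_horizon=True):
        """Entries for the periodic Response sent to `to_neighbor`. With split
        horizon, routes learned from that neighbour are not sent back to it."""
        return [(r.dest, r.metric) for r in self.routes.values()
                if not (split_horizon and r.next_hop == to_neighbor)]


if __name__ == "__main__":
    table = RipTable()
    # Constructed sample Response from neighbour 10.0.0.2 (not captured traffic).
    table.receive_response("10.0.0.2", [("192.168.1.0/24", 2), ("172.16.0.0/16", 15)])
    print(table.routes)  # 192.168.1.0/24 at metric 3; 172.16.0.0/16 dropped (15 + 1 = 16)
    table.tick(AGE_TIME)
    print(table.routes["192.168.1.0/24"].metric)  # 16: aging timer expired
```

tick() advances every timer at once, which is enough to see the 180-second and 120-second thresholds; a real implementation keeps a timer per entry and also answers Request packets.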


Page289
RIP has two versions: RIPv1 and RIPv2. RIPv1 does not support
Variable Length Subnet Masks (VLSM). RIPv2 supports VLSM,
route aggregation, and Classless Inter-Domain Routing (CIDR).
In addition, RIPv2 supports plain text authentication and MD5
authentication. In RIPv1, packets are transmitted in broadcast
mode. RIPv2 supports two transmission modes: broadcast and
multicast. Multicast is adopted by RIPv2 by default. The multicast
address for RIPv2 is 224.0.0.9. An advantage of multicast
transmission is that the networks that do not support RIP will not
receive the RIP packets. Also with multicast, network segments
that run RIPv1 will not receive or process the RIPv2 routes.

Page290
This figure shows the format of the RIPv1 packet. A RIPv1
packet contains a command field, a version field, and multiple
route entries (up to 25 entries). Each route entry consists of the
Address Family Identifier, reachable IP address, and hop count
(Metric). If a router needs to send more than 25 route entries, the
entries must be sent in multiple RIP packets. From this figure,
you can see that the RIP packet header takes four bytes, and
each route entry takes 20 bytes. Therefore, the length of a RIP
packet is 4 + 25 x 20 = 504 bytes. Counting the 8-byte UDP
header, the maximum length of the RIP packet (excluding the IP
header) is 512 bytes.
The values and functions of the fields in the RIP packet are as
follows:
Command: The value can be only 1 or 2. 1 represents the Request packet; 2 represents the Response packet. A router or host sends a Request packet to ask the peer router for routing information, and the peer router replies with a Response packet. In most cases, however, a router periodically sends Response packets without waiting for a Request packet.
Version: For RIPv1, the value is 1.

Page291
Address Family Identifier (AFI): For the IP protocol, the value is 2.
IP address: indicates the destination address of the route. The
value can be a network address or the address of a host.
Metric: indicates the hop count. The value ranges from 1 to 16.

Page292
Compared with the RIPv1 packet, the RIPv2 packet has the
following new fields:
Route tag: 16 bits, used to mark an external route or a route redistributed into RIPv2.
Subnet mask: 32-bit mask, used to identify the network address
and subnet address in the IP address.
Next hop: 32-bit next-hop IP address.
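The RIPv1 and RIPv2 layouts described on this and the preceding pages, as an added encoder and parser in Python (not code from the course or from VRP): a 4-byte header followed by 20-byte entries, at most 25 of them, so 4 + 25 x 20 = 504 bytes. For RIPv2 the parser also decodes the plain text authentication entry of RFC 2453 (AFI 0xFFFF, authentication type 2, 16-byte password), which takes the place of one route entry; the example shows that the password travels in clear text, which is why MD5 authentication exists. The addresses and metrics used are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_IP = 2           # address family identifier for IP
AFI_AUTH = 0xFFFF    # RIPv2: first entry carries authentication instead of a route
AUTH_SIMPLE = 2      # RFC 2453 plain text password
INFINITY = 16
MAX_ENTRIES = 25

HEADER = struct.Struct("!BBH")       # command, version, must-be-zero (4 bytes)
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, IP, mask, next hop, metric (20 bytes)
MAX_PACKET_LEN = HEADER.size + MAX_ENTRIES * ENTRY.size  # 4 + 25 * 20 = 504


def build_response(version, routes, password=None):
    """Encode a Response. `routes` is a list of dicts with keys ip, metric and,
    for RIPv2, optional mask, next_hop and tag; RIPv1 leaves those fields zero."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    entries = []
    if password is not None:
        if version != 2:
            raise ValueError("RIPv1 has no authentication")
        pw = password.encode()
        if not 1 <= len(pw) <= 16:
            raise ValueError("plain text password is 1 to 16 bytes")
        # The authentication entry occupies one of the 25 entries.
        entries.append(struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, pw))
    for r in routes:
        if not 1 <= r["metric"] <= INFINITY:
            raise ValueError("metric must be 1..16")
        mask = r.get("mask", "0.0.0.0") if version == 2 else "0.0.0.0"
        next_hop = r.get("next_hop", "0.0.0.0") if version == 2 else "0.0.0.0"
        tag = r.get("tag", 0) if version == 2 else 0
        entries.append(ENTRY.pack(AFI_IP, tag, IPv4Address(r["ip"]).packed,
                                  IPv4Address(mask).packed,
                                  IPv4Address(next_hop).packed, r["metric"]))
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than 25 entries: send several packets")
    return HEADER.pack(RIP_RESPONSE, version, 0) + b"".join(entries)


def parse_packet(data):
    """Decode a RIP packet (the UDP payload) into a dict, rejecting malformed input."""
    if (len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size
            or len(data) > MAX_PACKET_LEN):
        raise ValueError("bad packet length %d" % len(data))
    command, version, _ = HEADER.unpack_from(data)
    if command not in (RIP_REQUEST, RIP_RESPONSE) or version not in (1, 2):
        raise ValueError("unsupported command or version")
    result = {"command": command, "version": version, "password": None, "routes": []}
    for i in range((len(data) - HEADER.size) // ENTRY.size):
        off = HEADER.size + i * ENTRY.size
        afi = struct.unpack_from("!H", data, off)[0]
        if afi == AFI_AUTH and version == 2 and i == 0:
            _, auth_type, pw = struct.unpack_from("!HH16s", data, off)
            if auth_type != AUTH_SIMPLE:
                raise ValueError("only simple password authentication is decoded here")
            result["password"] = pw.rstrip(b"\0").decode()  # readable by anyone on the wire
            continue
        afi, tag, ip, mask, next_hop, metric = ENTRY.unpack_from(data, off)
        if afi != AFI_IP or not 1 <= metric <= INFINITY:
            raise ValueError("invalid route entry %d" % i)
        if version == 1 and (tag or mask != bytes(4) or next_hop != bytes(4)):
            continue  # RIPv1 must-be-zero field set: RFC 1058 says ignore the entry
        result["routes"].append({"ip": str(IPv4Address(ip)), "mask": str(IPv4Address(mask)),
                                 "next_hop": str(IPv4Address(next_hop)),
                                 "tag": tag, "metric": metric})
    return result


if __name__ == "__main__":
    # Constructed sample: two RIPv1 routes, 4 + 2 * 20 = 44 bytes.
    pkt = build_response(1, [{"ip": "10.0.0.0", "metric": 1}, {"ip": "172.16.0.0", "metric": 2}])
    print(len(pkt), parse_packet(pkt))
```

A RIPv2 authenticated packet built with password="huawei" contains the bytes of the word itself; run parse_packet on it to see the password recovered from the entry, which is the property MD5 authentication removes.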

Page293
All command lines are based on VRP 5.9.
In the VRP series routers, the default RIP version is 1. Unless otherwise specified, the RIP version is RIPv2 in this course. The method of changing the RIP protocol version will be described later. The basic RIP configuration includes the following:
Enable RIP.
[Huawei] rip
By default, RIP is not enabled.
Specify the network segment for RIP.
[Huawei-rip] network network-address
RIP runs only on the interfaces in the specified network segment.
For an interface out of the specified network segment, RIP does
not send or receive routes on the interface. RIP does not forward
routes on this interface to other interfaces either. Therefore, you
must specify a network segment after RIP is enabled. The
network-address specifies the address of the network where RIP
is enabled. It can be the network address of the interface. When
this parameter is specified, RIP is enabled on all interfaces in this
network segment.
Page294
The display rip command is used to display the running status
and configuration of RIP. Part of the display information is
described in the following. Pay attention to the contents marked
in red.
RIP process: 1 indicates that the RIP process number is 1.
Public VPN-Instance indicates the public network VPN.
RIP version: RIP-2 indicates that the RIP version is 2.
Preference: 100 indicates that the precedence of the RIP
protocol is 100.
Maximum number of balanced paths: 8 indicates that the
maximum number of equal-cost routes is 8.
Update time: 30 sec indicates that the route update interval is
30 seconds.
Age time: 180 sec indicates that the aging time of the RIP
route is 180 seconds.
Networks: 192.168.1.0 172.16.0.0 indicates the network
where RIP is enabled.
Page295
The display rip route command is used to display all active and inactive routes, and the timer of each route.
Destination (Dest): destination IP address
Nexthop: next hop of the route
Cost: weight (metric) of the route
Tag: flag used to distinguish internal routes from external routes
Sec: time for which the route entry has remained in its current state

Page296
All command lines are based on VRP 5.3.
You can configure any of the following RIP versions:
1. Global RIP version
version { 1 | 2 }: configures the RIP version globally. This command is supported by VRP 5.x only.
2. Interface RIP version
rip version { 1 | { 2 [ broadcast | multicast ] } }: configures the RIP version on an interface. This command is configured in the interface view. By default, the RIP version on an interface is RIPv1. RIPv2 supports two packet transmission modes: broadcast and multicast. Multicast is adopted by default. The multicast address for RIPv2 is 224.0.0.9. An advantage of using multicast is that the networks not running RIP will not process the RIP packets. With multicast, network segments that run RIPv1 will not receive or process the RIPv2 routes. If the interface runs RIPv1, it processes only RIPv1 and RIPv2 broadcast packets and does not process RIPv2 multicast packets. If RIPv2 broadcast mode is adopted on the interface, the interface receives only RIPv1 and RIPv2 broadcast packets and does not receive RIPv2 multicast packets. If RIPv2 multicast mode is adopted on the interface, the interface receives only RIPv2 multicast packets and does not receive RIPv1 and RIPv2 broadcast packets.

Page297
Note: If the global RIP version is configured, you need not configure the RIP version in the interface view. VRP 5.x supports this function.


Page298
Page299
On Router A, the summary command is used to configure route
aggregation. Thus, routes 172.16.1.1/32, 172.16.1.2/32, and
172.16.1.3/32 are aggregated to one route: 172.16.0.0/16. The
aggregated route uses the natural mask. 172 indicates that the
address is a Class-B address, so the mask length of the
aggregated route is 16.
RIPv2 supports route aggregation. By default, route aggregation is enabled. That is, when the RIP version is configured to RIPv2, route aggregation takes effect automatically, unless you use the undo summary command to disable it. Route aggregation in RIP-2 improves the scalability and efficiency of large-scale networks. After route aggregation, the RIP routing table does not contain sub-route entries, namely, route entries containing a single IP address. In this way, the routing table is condensed, so the router can process more routes. When classful aggregation is enabled, the router aggregates the subnet addresses to the natural network segment when it advertises routes to a destination outside that network segment. However, when split horizon or poison reverse is configured, classful aggregation becomes invalid. Therefore, to configure the router to advertise aggregated routes to a destination outside the natural network segment, you must disable the split horizon and poison reverse functions in the corresponding interface view by using the following commands:
[RTA-Serial0/0/0] undo rip split-horizon
[RTA-Serial0/0/0] undo rip poison-reverse // supported by VRP5.X
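What the summary setting does to the advertised prefixes, as an added Python example (not VRP code): natural_network() derives the classful mask from the first octet, and routes_to_advertise() collapses routes that lie outside the outgoing interface's natural network to that network, as the router does for 172.16.1.1/32, 172.16.1.2/32 and 172.16.1.3/32 here, while summary off leaves the host routes intact. Routes inside the interface's own natural network are sent unchanged, because classful aggregation only happens at the network boundary. The routes and interface addresses are constructed; split horizon and poison reverse are not modelled.

```python
from ipaddress import ip_network


def natural_network(prefix):
    """Classful (natural-mask) network containing `prefix`: /8, /16 or /24 by first octet."""
    net = ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8    # Class A
    elif first_octet < 192:
        length = 16   # Class B, e.g. 172.16.0.0/16
    elif first_octet < 224:
        length = 24   # Class C
    else:
        raise ValueError("class D/E address has no natural mask: %s" % prefix)
    return ip_network((int(net.network_address), length), strict=False)


def routes_to_advertise(routes, out_interface, summary=True):
    """Prefixes a RIPv2 router advertises on `out_interface` (given as address/len).
    With `summary` on, a route outside the interface's natural network is replaced
    by that natural network; routes inside it are sent as they are. With `summary`
    off (undo summary), every prefix is sent unchanged."""
    out_major = natural_network(out_interface)
    advertised = set()
    for prefix in routes:
        net = ip_network(prefix, strict=False)
        major = natural_network(str(net))
        advertised.add(major if summary and major != out_major else net)
    return [str(n) for n in sorted(advertised)]


if __name__ == "__main__":
    # Constructed: the three loopback host routes on Router A, sent over a 10.0.0.0/30 link.
    hosts = ["172.16.1.1/32", "172.16.1.2/32", "172.16.1.3/32"]
    print(routes_to_advertise(hosts, "10.0.0.1/30"))                 # ['172.16.0.0/16']
    print(routes_to_advertise(hosts, "10.0.0.1/30", summary=False))  # the three host routes
```

The same rule explains what Router B sees in the two slides that follow: with summary on it learns 172.16.0.0/16, with undo summary it learns three host routes.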

Page300
Using the undo summary command, you can disable classful
route aggregation to allow routing between subnets. In this case,
routing information of the subnet is advertised. Route
aggregation reduces the routing information in the routing table.
By default, route aggregation is enabled in RIPv2. In this
example, three IP addresses are configured for three loopback
interfaces on Router A. RIP is enabled on these IP addresses.
Route aggregation is disabled by the undo summary command.
These IP addresses are advertised to other routers. Viewing the
routing table of Router B, you can find three host routes with
these IP addresses.

Page301
Using the rip summary-address ip-address mask command, you can configure a RIP router to advertise an aggregated local IP address. This command is supported by VRP5.9.
ip-address: network address to be aggregated
mask: subnet mask
Using the undo rip summary-address ip-address mask command, you can cancel the configuration. If both auto route aggregation and manual route aggregation are enabled, the manually aggregated routes are integrated into the automatically aggregated routes; that is, auto route aggregation takes effect. If the mask length of the aggregated route is smaller than the natural mask length, use manual route aggregation on its own and do not enable auto route aggregation together with it.

Page302
Each routing protocol has a preference. The preference influences the routing policy in selecting the route learned through a certain protocol as the best route. The larger the value, the lower the preference. You can set the preference of the RIP protocol manually.
Set the preference of RIP protocol.
[Huawei-rip] preference value
Restore the preference of the RIP protocol to the default value.
[Huawei-rip] undo preference
By default, the preference of RIP protocol is 100.

Page303
RIP allows the routing information of other routing protocols to be imported into the RIP routing table. You can set the default cost of the imported routes. Routes that can be imported into the RIP routing table are: direct routes, static routes, OSPF routes, BGP routes, and IS-IS routes.
Enable RIP to import routes of other routing protocols.
[Huawei-rip] import-route protocol [ allow-ibgp ] [ cost value ] [ route-policy route-policy-name ]
Disable RIP from importing routes of other routing protocols.
[Huawei-rip] undo import-route protocol
By default, RIP does not import routes of other routing protocols. When protocol is specified as BGP, the allow-ibgp keyword is optional. The import-route bgp command configures RIP to import only EBGP routes. The import-route bgp allow-ibgp command configures RIP to import both EBGP routes and IBGP routes. This configuration may cause route disorder, so use this command with caution. If no cost is set for the imported routes, the default-cost is used as the route cost.
Page304
The default-cost value is 0. In this example, the route cost is set to 10. Therefore, the cost of an imported route is calculated as route-cost plus 1, so the cost of the routes received by RTB is 11.


Page305
Using the rip metricin value command, you can set the metric
increment for the RIP route received on an interface.
value: specifies the metric increment for the RIP route received
on an interface.
The value ranges from 0 to 15. By default, the value is 0.
When receiving a route, the router adds the RIP increment of the
receiving interface to the route, and then adds the route to the
routing table. Thus, the metric in the routing table is changed.
Therefore, when the RIP metric of an interface increases, the
metric value of the RIP routes received on the interface also
increases.
When RTA receives the route 10.1.1.1/32 in a RIP update message, it calculates the cost of 10.1.1.1/32. The metricin value of RTA's receiving interface is set to 5, and the cost of 10.1.1.1/32 in the RIP message is 1. So the cost of 10.1.1.1/32 in RTA's routing table is 6 (5 + 1 = 6).

Page306
Using the rip metricout value command, you can set the
increment of metric for the RIP route sent from an interface.
value: specify the metric increment for the RIP route sent from
an interface. The value ranges from 1 to 15. By default, the value
is 1.
Before a route is advertised, the metric increment is added to this route. Therefore, when the RIP metricout of an interface increases, the metric value of the RIP routes sent from the interface also increases. However, the metric in the routing table is not changed. When RTB receives routes 172.16.1.X in RIP update messages, the metric of 172.16.1.X in the update is 4, which is set by "rip metricout 4" on RTA's serial interface. The default metricin of RTB's serial interface is 0, so RTB calculates 4 + 0 = 4, and 4 is the cost of 172.16.1.X in RTB's routing table.
Page307
RIPv1 does not support packet authentication. In RIPv2, two authentication modes are used: plain text authentication and MD5 authentication. MD5 authentication packets have two formats. One is described in RFC 2453, and the other is described in RFC 2082. The router supports both formats and you can select the format as required.
You can configure the RIP authentication mode by using the following command:
rip authentication-mode { { simple password } | { md5 { rfc2082 key-string key-id | huawei key-string } } }
simple: adopt plain text authentication.
password: specify the password for plain text authentication. The value is a character string. For the plain text password, the string can contain 1 to 16 characters. For the cipher text password, the string must contain 24 characters.
md5: adopt MD5 authentication.
rfc2082: indicate that the MD5 authentication packet adopts the non-standard format (described in RFC 2082).
huawei: indicate that the MD5 authentication packet adopts the standard format (described in RFC 2453).

Page308
key-string: specify the password for MD5 authentication. For the
plain text password, the string can contain 1 to 16 characters, for
example, 1234567. For the cipher text password, the string must
contain 24 characters, and the format must be cipher text, for
example, _(TT8F]Y\5SQ=^Q`MAF4<1!!.
key-id: specify the ID of the key used in MD5 authentication. The
value ranges from 1 to 255.
Using the rip authentication-mode command, you can
configure the authentication mode and authentication parameters
for RIPv2.
Using the undo rip authentication-mode command, you can
disable RIPv2 authentication.
The rip input command is used to allow an interface to receive
RIP packets. The rip output command is used to allow an
interface to send RIP packets. By default, an interface can
receive and send RIP update packets at the same time.
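The keyed-MD5 format of RFC 2082 that the rfc2082 keyword selects, shown from the receiver's side as an added Python example (not code from the course or from VRP). The first entry (AFI 0xFFFF, authentication type 3) carries the packet length, key ID, digest length and sequence number; after the route entries a trailer entry (AFI 0xFFFF, type 1) carries the 16-byte digest, computed over the packet with the secret key, padded to 16 bytes, appended in place of the digest. The key, key ID, sequence number and route in the sample are constructed. verify_response() shows what two routers with different keys see: the digest does not match and the packet is ignored, so no routes are learned. The replay check on the sequence number is a simplified form of the RFC's rule.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AFI_AUTH = 0xFFFF
AUTH_KEYED_MD5 = 3   # RFC 2082 authentication type in the leading entry
AUTH_TRAILER = 1     # authentication type of the trailing digest entry
HEADER_LEN = 4
ENTRY_LEN = 20
DIGEST_LEN = 16


def _padded_key(key):
    if not 1 <= len(key) <= 16:
        raise ValueError("RFC 2082 keys are 1 to 16 bytes")
    return key.ljust(16, b"\0")


def route_entry(ip, mask, metric):
    """Encode one RIPv2 route entry (AFI 2, tag 0, next hop 0.0.0.0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(ip).packed,
                       IPv4Address(mask).packed, bytes(4), metric)


def sign_response(route_entries, key_id, key, seq):
    """Build a RIPv2 Response authenticated as in RFC 2082 around the already
    encoded 20-byte route entries: header, authentication entry, routes,
    trailer (0xFFFF, 0x0001) and the 16-byte keyed-MD5 digest."""
    if len(route_entries) % ENTRY_LEN:
        raise ValueError("route entries must be whole 20-byte entries")
    n_routes = len(route_entries) // ENTRY_LEN
    if n_routes + 1 > 25:
        raise ValueError("the authentication entry counts as one of the 25 entries")
    packet_len = HEADER_LEN + ENTRY_LEN * (1 + n_routes)  # offset of the trailer
    header = struct.pack("!BBH", 2, 2, 0)                  # Response, version 2
    auth_entry = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_KEYED_MD5, packet_len,
                             key_id, DIGEST_LEN, seq, bytes(8))
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    covered = header + auth_entry + route_entries + trailer
    # The receiver recomputes this digest with its own copy of the key.
    digest = hashlib.md5(covered + _padded_key(key)).digest()
    return covered + digest


def verify_response(packet, keys, last_seq=-1):
    """Validate an incoming packet against the configured keys (key_id -> key).
    Returns (accepted, reason, seq). A wrong key, an unknown key ID, a modified
    byte or a replayed sequence number all cause the packet to be ignored."""
    if len(packet) < HEADER_LEN + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, "too short", None
    afi, auth_type, packet_len, key_id, data_len, seq = struct.unpack_from(
        "!HHHBBI", packet, HEADER_LEN)
    if afi != AFI_AUTH or auth_type != AUTH_KEYED_MD5:
        return False, "not keyed-MD5 authenticated", None
    if data_len != DIGEST_LEN or packet_len + 4 + DIGEST_LEN != len(packet):
        return False, "length fields inconsistent", seq
    if struct.unpack_from("!HH", packet, packet_len) != (AFI_AUTH, AUTH_TRAILER):
        return False, "missing digest trailer", seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id, seq
    expected = hashlib.md5(packet[:packet_len + 4] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, "digest mismatch (wrong key or modified packet)", seq
    if seq <= last_seq:  # simplified replay rule; RFC 2082 also allows seq 0 after a restart
        return False, "replayed sequence number", seq
    return True, "ok", seq


if __name__ == "__main__":
    # Constructed sample: one route, key ID 1, a made-up key and sequence number.
    pkt = sign_response(route_entry("172.16.1.0", "255.255.255.0", 1), 1, b"huawei123", 7)
    print(verify_response(pkt, {1: b"huawei123"}))  # (True, 'ok', 7)
    print(verify_response(pkt, {1: b"wrongkey"}))   # digest mismatch: packet ignored
```

Because the digest is recomputed from the whole packet, a changed metric or prefix fails the check in the same way as a wrong key, which is the integrity property plain text authentication does not give.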


Page309
What are the characteristics of the RIP protocol?
The Routing Information Protocol (RIP) is a distance-vector
routing protocol. It is an IGP protocol. The RIP protocol is
applicable to medium and small-sized networks. It has two
versions: RIPv1 and RIPv2. The RIP protocol exchanges routing
information through UDP, using port number 520. RIP supports
the route loop avoidance mechanisms, such as split horizon,
route poisoning, and triggered update.
What are the differences between RIPv1 and RIPv2?
RIPv1 is a classful routing protocol and does not support VLSM and CIDR. RIPv1 sends packets in broadcast mode and does not support authentication. RIPv2 is a classless routing protocol and supports route aggregation and CIDR. RIPv2 sends packets in broadcast or multicast mode (using multicast address 224.0.0.9). RIPv2 supports plain text authentication and MD5 authentication.
Page310
Page311
Page312
Page313
Page314
The Routing Information Protocol (RIP) is a relatively simple
dynamic routing protocol. RIP is a routing protocol based on the
distance-vector (D-V) algorithm.
RIP exchanges routing information through UDP. Based on RIP,
a router sends update messages every 30 seconds. If a router
does not receive the update message from the peer router within
180 seconds, the router marks all routes learned from the peer
router as unreachable. If the router still does not receive the
update message from the peer router in the subsequent 120
seconds, it deletes these routes from the routing table.
RIP represents the distance to the destination network by the hop count. In RIP, the hop count between a router and a directly connected network is 0. If the network is reached through another router, the hop count is 1. The hop count increases with the number of routers between the source router and the destination network. In RIP, the metric is an integer ranging from 0 to 15. A hop count equal to or larger than 16 is defined as infinite, that is, the destination network or host is unreachable.


Page315
RIP runs on top of UDP: RIP routing information is encapsulated in UDP datagrams, and RIP uses port 520 to exchange routing information. When a router receives a route update message from a remote router, it notifies the other routers of the changed route. In this way, routes are synchronized on all routers in the network.
To improve routing performance and avoid routing loops, RIP supports split horizon, poisoned reverse, and triggered update. In addition, RIP can import routes learned through other routing protocols.


Page316
RIP has two versions: RIPv1 and RIPv2. RIPv1 does not support
Variable Length Subnet Masks (VLSM). RIPv2 supports VLSM,
route aggregation, and Classless Inter-Domain Routing (CIDR).
In addition, RIPv2 supports plain text authentication and MD5
authentication. In RIPv1, packets are transmitted in broadcast
mode. RIPv2 supports two transmission modes: broadcast and
multicast. Multicast is adopted by RIPv2 by default. The multicast
address for RIPv2 is 224.0.0.9. An advantage of multicast
transmission is that the networks that do not support RIP will not
receive the RIP packets. Also with multicast, network segments
that run RIPv1 will not receive or process the RIPv2 routes.

Page317
Page318
Network description:
RTA is connected to RTB through serial interface. RTA and RTB
are configured with two loopback interfaces each. IP addresses
of these interfaces are shown in the figure.
Fault description:
After the configuration, the routes learned through RIP are not
found in the routing table.
Page319
The flowchart provides the main procedure for troubleshooting. When a router fails to receive part of or all the routes, perform the following steps to locate the fault:
1. Check whether RIP is enabled on the incoming interface.
Use the network command to specify the network segment
where RIP is enabled. An interface can receive and send RIP
routes only if the RIP protocol is enabled on this interface. You
can use the display current-configuration configuration rip
command to view the information about the RIP-enabled network
segment and check whether the incoming interface is included in
this network segment. The specified network segment must be a
natural network segment.
2. Check whether the incoming interface works normally.
Use the display interface command to view the status of the
incoming interface. If the physical status of the interface is Down
or Administratively Down, or the protocol status is Down, RIP
cannot function normally on the interface. Therefore, you must
ensure that the status of the incoming interface is normal.

Page320
3. Check whether the version of the RIP packets sent from the
peer is the same as the RIP version configured on the local
interface. If the version of the received RIP packets is different
from the RIP version configured on the incoming interface, the
RIP routes may not be accepted correctly.
4. Check whether the undo rip input command is configured on the incoming interface. The rip input command is used to allow the specified interface to receive RIP packets. The undo rip input command is used to prohibit the specified interface from receiving RIP packets. If undo rip input is configured on the incoming interface, RIP packets received on this interface cannot be processed, so RIP routes cannot be received.
5. Check whether a routing policy is configured to filter RIP routes.
The filter-policy import command is used to filter the received RIP routing information. If an ACL is used, use the display current-configuration configuration acl-basic command to check whether the RIP routes from the neighbor are filtered. If an IP prefix list is used, use the display ip ip-prefix command to check the configured routing policy. If RIP routes are filtered by the routing policy, you need to configure the correct routing policy.
6. Check whether the additional metric set by the rip metricin command makes the metric of the received route exceed 15. The rip metricin command is used to set the metric increment for the route in the received RIP packets. If the metric of the received route exceeds 15, the router considers the route as unreachable and does not add this route to the routing table.
7. Check whether the metric of the received RIP route exceeds 15. Similarly, if the metric of the received route exceeds 15, the router considers the route as unreachable and does not add this route to the routing table.
8. Check whether the routing table contains the same route learned through another protocol.
Use the display rip 1 route command to check whether the local router receives the RIP route. It is possible that the RIP routes are accepted correctly, but the routing table contains the same routes learned through another routing protocol,
Page321
for example, OSPF or IS-IS. Generally, the priority of OSPF or
IS-IS is higher than the priority of RIP, so the routing
management module selects the routes learned through OSPF
or IS-IS. Using the display ip routing-table protocol rip
verbose command, you can see that these routes are inactive. If
the fault still exists after these steps, contact technical support
engineers of Huawei or visit http://support.huawei.com.

Page322
Page323
Page324
Networking description:
RTA is connected to RTB through a serial interface. RTA and RTB are configured with two loopback interfaces each. IP addresses of these interfaces are shown in the figure.
Fault description:
After the configuration, the router does not send all or some of
the routes.

Page325
The flowchart provides the main procedure for troubleshooting. When a router fails to send part of or all routes, perform the following steps to locate the fault:
1. Check whether RIP is enabled on the outgoing interface.
Use the network command to enable RIP on the network segment of the interface.
An interface can receive and send RIP routes only if the RIP protocol is enabled on this interface. You can use the display current-configuration configuration rip command to view the information about the RIP-enabled network segment and check whether the outgoing interface is included in this network segment. The specified network segment must be a natural network segment.
2. Check whether the outgoing interface works normally.
Use the display interface command to view the status of the outgoing interface. If the physical status of the interface is Down or Administratively Down, or the protocol status is Down, RIP cannot function normally on the interface. Therefore, you must ensure that the status of the outgoing interface is normal.


Page326
3. Check whether the silent-interface command is configured for the outgoing interface. The silent-interface command is used to suppress the interface from sending RIP packets. The display current-configuration configuration rip command is used to check whether the interface is suppressed from sending RIP packets. Enable the interface if it is suppressed.
4. Check whether the undo rip output command is configured on the outgoing interface. The rip output command is used to allow the specified interface to send RIP packets. The undo rip output command is used to prohibit the specified interface from sending RIP packets. If undo rip output is configured on the outgoing interface, RIP packets cannot be sent from this interface.
5. Check whether the rip split-horizon command is configured on the outgoing interface. Run the display current-configuration command on the outgoing interface to view whether the rip split-horizon command is configured. If the command is configured, split horizon is enabled on the outgoing interface. By default, split horizon is enabled on all outgoing interfaces, and it is used to prevent routing loops, so be careful if you want to disable split horizon.
6. Check whether a routing policy is configured to filter RIP
routes. The filter-policy export command is used to filter the
RIP routes. Only the route that passes the filtering policy can be
added to the advertised routing table of RIP.
7. Check the status of the interface when the route contains the
address of the local interface. Run the display interface
command to check the status of the interface. If the physical
state of the interface is Down or Administratively Down, or the
current status of the protocol on the interface is Down, the IP
address of the interface cannot be added to the advertised
routing table of RIP. Therefore, the routing information will not be
sent to the neighbor.
8. Check whether there are other problems.
If the outgoing interface does not support the multicast or
broadcast mode and a packet needs to be sent to the multicast
or broadcast address, the fault occurs.
Page327
You can configure the peer command in the RIP view to make the router send packets to a unicast address. If the fault still exists after these steps, contact technical support engineers of Huawei or visit http://support.huawei.com.

Page328
Page329
Page330
Fault description: RTA and RTB use different authentication keys,
so they cannot receive routes from each other.
Analysis: If a router cannot receive any route from the peer,
check the following:
1. Whether RIP is enabled on the interfaces connecting the peer.
2. Whether the link between the routers is normal.
3. Whether the routing protocol is configured properly.
Using related commands, you can see that RIP is enabled on the
interfaces and the link between the routers is normal, but the
configuration of RTA is different from that of RTB. Comparing
their configurations, you can see that password authentication is
configured for RTA and RTB. Following the preceding sections,
you already know that RIPv2 supports the authentication of
update packets to improve security. The authentication modes
and authentication keys must be the same on the two routers. If
the authentication modes or authentication keys on two routers
are different, the routers cannot exchange routing information
and they ignore the update packets.

Page331
After the authentication mode and key are configured correctly,
the routers can learn routing information of each other from the
update packets.

Page332
Fault description: The metric of the route exceeds the hop count limit in RIP, so the router cannot accept the route.
Analysis: RIP limits the hop count to 15. If the hop count in a
network exceeds 15, RIP is not applicable to this network.
Additional metric is the increment (hop count) added to the
original metric. The rip metricin command is used to set the
increment added to the received route when the route is added
to the routing table. The metric of this route is also changed in
the routing table. The rip metricout command is used to set the
increment added to a route to be advertised. But the metric of
this route is not changed in the local routing table. For example,
after you configure rip metricin 15 on RTB, the hop count of the
route to 172.16.3.0 is 16 when the route is received by RTA. RTA
does not add the route to the routing table.
Command lines used here are based on VRP3.4.

Viewing the routing tables of RTA and RTB, you can see that the
route to 172.16.2.0 is added to the routing table of RTB, while
the route to 172.16.3.0 is not added to the routing table of RTA.

Change the additional metric to 15, and RTA will add the route to
172.16.3.0 to its routing table.

Fault description: The subnets are not contiguous, and thus the
routing information cannot be added to the routing table.
Analysis: The subnets of network 162.16.0.0 are separated by
another network segment. RTA and RTB use RIPv1, which is a
classful routing protocol. Therefore, the routers send update
packets with the Class B network address 162.16.0.0 rather than
the exact subnet addresses 162.16.2.0 and 162.16.3.0.

When RTA receives the update packet for the route to 162.16.0.0,
RTA does not add the route to the routing table, because it has a
directly connected network segment 162.16.2.0.

To solve this problem, you can enable RIPv2 on the routers,
because RIPv2 is a classless routing protocol. Use the undo
summary command to enable the CIDR function, so that the exact
subnet addresses are advertised.

After you modify the configuration, RTB advertises the route with
the accurate address 162.16.3.0, and RTA adds the route to the
routing table.
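The classful summarization behind this fault and its fix, as an added example that is not part of the course material: how a RIPv1 speaker collapses 162.16.3.0 to the Class B address 162.16.0.0 when the outgoing interface lies in another major network, why RTA then refuses the update, and what RIPv2 sends after undo summary. The link network 10.1.1.0/24 and the exact form of the receiver rule are assumptions; the rule follows what the RTA slide states.

```python
"""Added example (not from the course): RIPv1/RIPv2 classful summarization
and the discontiguous-subnet fault from the RTA/RTB slides."""
import ipaddress
from typing import List


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Class A/B/C network implied by the first octet. RIPv1 carries no
    subnet mask, so this is all a RIPv1 receiver can infer for a route
    outside its own major network."""
    first = int(addr.split(".")[0])
    prefix_len = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def advertised_route(route: str, out_iface: str, version: int,
                     summary: bool = True) -> ipaddress.IPv4Network:
    """Entry a router puts in the update for `route` when sending out of the
    interface addressed `out_iface` (both in a.b.c.d/len form).

    RIPv1 sends the subnet only when the outgoing interface is in the same
    major network; otherwise it summarizes to the classful network.
    RIPv2 does the same while summarization is on (the default) and sends
    the exact subnet once `undo summary` is configured."""
    subnet = ipaddress.ip_network(route, strict=False)
    major = classful_network(str(subnet.network_address))
    if version == 2 and not summary:
        return subnet          # classless: the mask travels with the route
    if major == classful_network(out_iface.split("/")[0]):
        return subnet          # same major network: subnet detail is usable
    return major               # different major network: classful summary


def accepts_route(received: ipaddress.IPv4Network,
                  connected: List[str]) -> bool:
    """Receiver check the RTA slide describes (assumed rule): a classful
    summary is dropped when the router already has a directly connected
    subnet of that major network."""
    major = classful_network(str(received.network_address))
    if received != major:
        return True            # an exact subnet is accepted as-is
    for c in connected:
        local = ipaddress.ip_network(c, strict=False)
        if local != received and local.subnet_of(received):
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: RTB advertises 162.16.3.0/24 to RTA over a link in
    # 10.1.1.0/24 (assumed); RTA has 162.16.2.0/24 directly connected.
    link, rta_connected = "10.1.1.2/24", ["162.16.2.0/24", "10.1.1.0/24"]
    v1 = advertised_route("162.16.3.0/24", link, version=1)
    print("RIPv1 advertises", v1, "accepted:", accepts_route(v1, rta_connected))
    v2 = advertised_route("162.16.3.0/24", link, version=2, summary=False)
    print("RIPv2 + undo summary advertises", v2,
          "accepted:", accepts_route(v2, rta_connected))
```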

What are the steps for troubleshooting received RIP routes?
1. Check whether RIP is enabled on the incoming interface.
2. Check whether the incoming interface works normally.
3. Check whether the version of the received RIP packet is the
same as the RIP version configured on the incoming interface.
4. Check whether the undo rip input command is configured on
the incoming interface.
5. Check whether the routing policy is configured to filter the
received RIP routes.
6. Check whether the additional metric set by the rip metricin
command makes the metric of the received route exceed 15.
7. Check whether the metric of the received route exceeds 15.
8. Check whether the routing table contains the same route
learned through another routing protocol.
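The checks in this list, together with the authentication mismatch and rip metricin faults analysed earlier in this section, as an added example that is not part of the course or of VRP: a minimal RIPv2 receiver that builds a response packet as RTB would send it, then applies the version check, the simple-password authentication check of RFC 2453 and the metricin hop-count check before a route may enter the routing table. The key "huawei", the metric values, the next hop and the default metricin of 1 are constructed assumptions.

```python
"""Added example (not from the course or VRP): a minimal RIPv2 receiver that
applies the version, authentication and metricin checks from the list."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIP_RESPONSE = 2       # command 2 = response, the packet that carries routes
AFI_IP = 2             # address family identifier of an IPv4 route entry
AFI_AUTH = 0xFFFF      # AFI value that marks an authentication entry
AUTH_SIMPLE = 2        # authentication type 2 = simple password (RFC 2453 4.1)
RIP_INFINITY = 16      # metric 16 = unreachable; 15 hops is the maximum

Route = Tuple[str, str, str, int]   # (prefix, mask, next hop, metric)


def build_rip_response(version: int, routes: List[Route],
                       password: Optional[str] = None) -> bytes:
    """Serialize a RIP response as the advertising router (RTB) sends it."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if password is not None:
        # The authentication entry takes the first 20-byte route slot; the
        # 16-byte password is NUL-padded and travels in clear text, which is
        # why MD5 authentication is preferred where both sides support it.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE,
                           password.encode().ljust(16, b"\x00"))
    for prefix, mask, next_hop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_IP, 0, socket.inet_aton(prefix),
                           socket.inet_aton(mask), socket.inet_aton(next_hop),
                           metric)
    return pkt


@dataclass
class RipInterface:
    """Receiving-side settings of one interface (RTA's side on the slides)."""
    version: int = 2
    password: Optional[str] = None   # None: no authentication configured
    metricin: int = 1                # rip metricin value (assumed default 1)


def process_rip_response(pkt: bytes, iface: RipInterface
                         ) -> Tuple[List[Tuple[str, str, int]], str]:
    """Return (accepted_routes, reason).

    accepted_routes lists (prefix, mask, metric after metricin) for routes
    that may enter the routing table; a rejected packet gives [] and why.
    """
    if len(pkt) < 4:
        return [], "truncated header"
    cmd, ver, _unused = struct.unpack("!BBH", pkt[:4])
    if cmd != RIP_RESPONSE:
        return [], "not a response packet"
    # Step 3 of the list: packet version against the interface version.
    if ver != iface.version:
        return [], f"version mismatch: packet v{ver}, interface v{iface.version}"
    body = pkt[4:]
    if len(body) % 20:
        return [], "malformed entry length"
    entries = [body[i:i + 20] for i in range(0, len(body), 20)]

    # An authentication entry, if present, must be the first entry.
    if entries and struct.unpack("!H", entries[0][:2])[0] == AFI_AUTH:
        auth_type, key = struct.unpack("!H16s", entries[0][2:])
        expected = None if iface.password is None else iface.password.encode()
        if (auth_type != AUTH_SIMPLE or expected is None
                or key.rstrip(b"\x00") != expected):
            # Mode or key differs: the whole update is ignored, which is the
            # symptom on the RTA/RTB slides (no routes learned from the peer).
            return [], "authentication failed: update ignored"
        entries = entries[1:]
    elif iface.password is not None:
        return [], "authentication failed: unauthenticated update ignored"

    accepted: List[Tuple[str, str, int]] = []
    for entry in entries:
        afi, _tag, prefix, mask, _nh, metric = struct.unpack("!HH4s4s4sI", entry)
        if afi != AFI_IP:
            continue
        # Steps 6 and 7: rip metricin raises the received metric; a route
        # whose metric reaches 16 is unreachable and never enters the table.
        new_metric = min(metric + iface.metricin, RIP_INFINITY)
        if new_metric >= RIP_INFINITY:
            continue
        accepted.append((socket.inet_ntoa(prefix), socket.inet_ntoa(mask),
                         new_metric))
    return accepted, "ok"


if __name__ == "__main__":
    # Constructed update from RTB: the route to 172.16.3.0/24 at 1 hop,
    # authenticated with the constructed key "huawei".
    update = build_rip_response(2, [("172.16.3.0", "255.255.255.0",
                                     "0.0.0.0", 1)], password="huawei")
    print(process_rip_response(update, RipInterface(password="huawei")))
    print(process_rip_response(update, RipInterface(password="other")))
    print(process_rip_response(update, RipInterface(password="huawei",
                                                     metricin=15)))
```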
What are the steps for troubleshooting sent RIP routes?
1. Check whether RIP is enabled on the outgoing interface.
2. Check whether the outgoing interface works normally.
3. Check whether the silent-interface command is configured on
the outgoing interface.
4. Check whether the undo rip output command is configured
on the outgoing interface.
5. Check whether split horizon is configured on the outgoing
interface.
6. Check whether the routing policy is configured to filter the
routes imported to RIP.
7. Check the status of the local interface if the route to be
advertised contains the address of the local interface.
8. Check whether other problems exist.

Open Shortest Path First (OSPF) is an IGP based on the link
state algorithm. OSPF was developed by the Internet Engineering
Task Force (IETF). OSPF has three versions. OSPFv1 is defined in
RFC 1131; this version remained experimental and was never
released for public use. OSPFv2 is used for IPv4 and was
initially defined in RFC 1247; RFC 2328 is the latest standard
document for OSPFv2. OSPFv3 is used for IPv6. Unless otherwise
specified, OSPF refers to OSPFv2 in this course.
OSPF runs directly over IP and uses IP protocol number 89. An
OSPF packet consists of a header and a packet body. The format
of the OSPF packet is described in the HCDP course and is not
explained here.

The following features account for the extensive use of OSPF:
Supports CIDR.
Early routing protocols, such as RIPv1, do not support CIDR.
OSPF supports CIDR and allows the advertised routing
information to carry the subnet mask, so routing information is
not limited to classful networks.
Supports area division.
OSPF allows an autonomous system (AS) to be divided into areas
so that they can be managed more flexibly.
Avoids route loops.
The design of OSPF avoids route loops. Within an area, routers
use the SPF algorithm, which produces a loop-free shortest path
tree. Route loops between areas are avoided through the area
connection rule specified by OSPF.
Routes converge very quickly when the network topology changes.
OSPF adopts the triggered update mode. When the network
topology changes, the new link state is flooded immediately.
OSPF is sensitive to topology changes, so routes converge
quickly.
Forwards protocol data through IP multicast.
An OSPF router sends and receives protocol data through
multicast or unicast, which keeps protocol traffic low.

Supports equal-cost routes.
OSPF supports equal-cost routes. When multiple routes to the
same destination have the same cost, the traffic is shared by
these routes evenly. Through load balancing, the link bandwidth
is used more efficiently.
Supports authentication of protocol packets.
In a network that requires higher security, OSPF routers can
provide the authentication function. Packets can be exchanged
between OSPF routers only after they pass the authentication.
The authentication improves security of the network.


OSPF is an open standard routing protocol and is extensively
used by various network carriers. OSPF can be applied to both
the enterprise network and the carrier-class IP network. This
slide lists the differences between OSPF, RIPv2 and RIPv1.

Compared with RIP, OSPF is a more advanced interior gateway
protocol. Although both are IGPs, OSPF and RIP are totally
different: OSPF is based on the link state algorithm, while RIP
is based on the distance-vector algorithm. As described in the
RIP course, distance-vector protocols select routes based on the
hop count and do not consider network resources such as link
bandwidth, so a path with high bandwidth may not be selected.
OSPF selects routes according to the link state. OSPF enables
fast convergence of routes and does not limit the hop count.
OSPF routers advertise link information instead of periodically
sending route update packets. Therefore, OSPF is more applicable
to large-scale networks. (A link can be regarded as an interface
on a router. The link state is the description of the interface
and of the relation between the local router and the adjacent
router.) The calculation process of OSPF is described later.

Unlike early routing protocols that use the distance-vector
algorithm, OSPF uses the link state algorithm. The following
describes the route calculation process of the link state algorithm.
An OSPF router floods the link state advertisement (LSA) to
notify other routers of the status of the local link, for example,
available interface, reachable neighbor, and the information
about the adjacent network segment. Flooding is a process of
sending and synchronizing the link state between routers.
Each router generates a link state database (LSDB) according to
the LSAs advertised by other routers and its local LSAs. The
LSDB describes the detailed network topology in the routing area.
In the same area, all routers have the same LSDB.
Based on the LSDB, each router calculates a shortest path tree
with the SPF algorithm. The local router is the root of the tree,
and other nodes in the network are leaves. The shortest path
tree calculated through the SPF algorithm does not have route
loops.
The shortest path tree of each router provides the routing table
listing the routes to other nodes in the network. Thus, each
OSPF router knows the routes to other routers.
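The four steps just described, as an added example that is not part of the course: a constructed four-router LSDB as every router holds it after flooding, Dijkstra's algorithm as the SPF calculation with the local router as the root, the two-way link check of RFC 2328, and equal-cost next hops as the equal-cost routes feature above allows. Router IDs and link costs are constructed.

```python
"""Added example (not from the course): the link state route calculation."""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Router-LSA content: originating router ID -> [(neighbor router ID, cost)].
Lsdb = Dict[str, List[Tuple[str, int]]]

# Constructed single-area LSDB, identical on every router after flooding.
LSDB: Lsdb = {
    "1.1.1.1": [("2.2.2.2", 2), ("3.3.3.3", 1)],
    "2.2.2.2": [("1.1.1.1", 2), ("3.3.3.3", 1), ("4.4.4.4", 1)],
    "3.3.3.3": [("1.1.1.1", 1), ("2.2.2.2", 1), ("4.4.4.4", 2)],
    "4.4.4.4": [("2.2.2.2", 1), ("3.3.3.3", 2)],
}


@dataclass
class SpfEntry:
    """One vertex of the shortest path tree."""
    cost: int
    next_hops: Set[str] = field(default_factory=set)  # first hop(s) from the root
    parent: str = ""                                   # predecessor in the tree


def spf(lsdb: Lsdb, root: str) -> Dict[str, SpfEntry]:
    """Dijkstra over the LSDB with `root` (the local router) as the tree root."""
    tree = {root: SpfEntry(0)}
    done: Set[str] = set()
    heap = [(0, root)]
    while heap:
        cost, v = heapq.heappop(heap)
        if v in done:
            continue
        done.add(v)
        for w, link_cost in lsdb.get(v, []):
            if w in done:
                continue
            # Two-way check (RFC 2328 section 16.1): use the link only if w's
            # own LSA lists v back. A neighbor that never reached full
            # adjacency, or a stale one-way link, is never routed over.
            if not any(back == v for back, _ in lsdb.get(w, [])):
                continue
            new_cost = cost + link_cost
            via = {w} if v == root else set(tree[v].next_hops)
            entry = tree.get(w)
            if entry is None or new_cost < entry.cost:
                tree[w] = SpfEntry(new_cost, via, v)
                heapq.heappush(heap, (new_cost, w))
            elif new_cost == entry.cost:
                entry.next_hops |= via        # equal-cost path: add its next hops
    return tree


def routing_table(lsdb: Lsdb, root: str) -> Dict[str, Tuple[int, Tuple[str, ...]]]:
    """Routes read off the tree: destination -> (cost, sorted next hops)."""
    return {dest: (e.cost, tuple(sorted(e.next_hops)))
            for dest, e in spf(lsdb, root).items() if dest != root}


def is_loop_free(tree: Dict[str, SpfEntry], root: str) -> bool:
    """Walking parent pointers from every vertex must reach the root without
    revisiting a vertex; that is what makes the SPF result loop-free."""
    for start in tree:
        seen, node = set(), start
        while node != root:
            if node in seen:
                return False
            seen.add(node)
            node = tree[node].parent
    return True


if __name__ == "__main__":
    for rid in LSDB:                      # every router runs SPF on the same LSDB
        print(rid, routing_table(LSDB, rid))
```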

OSPF supports five types of packets, which contain the same
OSPF header. An OSPF router uses the following packets to
discover neighbors and maintain the neighbor relation,
synchronize the LSDB, and exchange routing information:
Hello packet: It is a common packet used to discover neighbors
and maintain the neighbor relation. The Hello packet is also used
to elect the designated router (DR) and backup designated router
(BDR) in the broadcast network and NBMA network.
DD packet: Routers use DD packets to describe their LSDBs when
they synchronize the LSDBs. A DD packet carries LSA headers
rather than complete LSAs. The header uniquely identifies an
LSA and is only a small part of it, so the protocol traffic
transmitted between routers is reduced. The peer router checks
whether an LSA already exists according to the LSA header.
LSR packet: After two routers exchange DD packets, each router
knows which LSAs exist in the LSDB of the peer but not in the
local LSDB. The router then sends an LSR packet to request these
LSAs. The LSR packet contains the summary of the required LSAs.
LSU packet: This packet is used to send the required LSAs to
the peer router. An LSU packet contains the combination of
multiple LSAs.
LSAck packet: This packet is used to acknowledge the received
LSU packet.


To exchange the link status and routing information, two OSPF
routers need to establish the neighbor relation.
Neighbor
After an OSPF router is started, it sends Hello packets through
the OSPF interface to discover neighbors. The OSPF router that
receives the Hello packet checks the parameters in the Hello
packet. If the parameters are consistent on the two routers, the
two routers establish the neighbor relation.
Adjacency
Not all neighboring routers can establish the adjacency.
Adjacency establishment depends on the network type. The real
adjacency is established only if the routers exchange DD packets
successfully and can exchange LSAs. To send LSAs, a router
must discover the neighbor and establish the adjacency with the
neighbor.
In this example, RTA is connected to three routers through
Ethernet. RTA has three neighbors, but that does not mean RTA
establishes three adjacencies.

Not all neighbors can establish the adjacency to exchange link
status and routing information. Adjacency establishment depends
on the network type, namely, the layer-2 link type of the OSPF
network.
Based on the link-layer protocol, OSPF networks are classified
into the point-to-point network, broadcast network, NBMA
network, and point-to-multipoint network.
Point-to-point network: A network that directly connects two
routers. Link layer protocols for the point-to-point network are
PPP, LAPB, and HDLC. In a point-to-point network, neighboring
routers can establish the adjacency directly.
Broadcast network: If the link-layer protocol is Ethernet or
FDDI, the network is considered a broadcast network by default.
The network shown on the right of the figure is a broadcast
network. Ethernet is a common link layer protocol for a
broadcast network.
In the broadcast network, NBMA network, and point-to-multipoint
network, routers establish adjacencies selectively.

A non-broadcast network can connect more than two routers, but
it does not support broadcast.
In non-broadcast networks, OSPF has two operation modes:
non-broadcast multi-access (NBMA) and point-to-multipoint.
NBMA
In an NBMA network, routers must be fully meshed. An ATM
network with a full mesh is an NBMA network.
In an NBMA network, OSPF simulates the operation on broadcast
networks, but the neighbors of each router must be configured
manually.
Common link layer protocols for the NBMA network are Frame
Relay and ATM.

Point-to-multipoint
A network that cannot establish the full connection needs to
adopt the point-to-multipoint mode. A Frame Relay network is
such a network. In this mode, the entire non-broadcast network
is regarded as a group of point-to-point networks. A router
discovers its neighbors by using a lower layer protocol, for
example, inverse ARP. The point-to-multipoint network type is not
a default type in OSPF.

In broadcast and NBMA networks, if every pair of routers had to
establish an adjacency, route convergence would be very slow.
Use of the designated router (DR) and backup designated router
(BDR) solves this problem.
A broadcast network or NBMA network containing at least two
routers has one DR and one BDR.
Functions of the DR and BDR:
The DR and BDR reduce the number of adjacencies, and thus the
exchanges of link state information and routing information. Use
of the DR and BDR reduces bandwidth consumption and lowers the
burden on routers. A router that is neither the DR nor the BDR is
called a DRother. A DRother establishes adjacencies and
exchanges link state information and routing information only
with the DR and BDR. This mode greatly reduces the number of
adjacencies and raises the route convergence speed in
large-scale broadcast and NBMA networks.
In the figure, RTA has three neighbors, but it establishes
adjacencies only with the DR and BDR. RTA does not establish an
adjacency with the third router and does not exchange routing
information with it.
To sum up, establishment of the adjacency depends on the
network type. In a point-to-point network, the two routers
establish the adjacency. A point-to-multipoint network can be
regarded as a group of point-to-point networks, and an adjacency
is established between each pair of directly connected routers.
In a broadcast or NBMA network, a DR and a BDR are elected, and
DRothers establish adjacencies only with the DR and the BDR.


Autonomous system
An autonomous system is a group of routers that use the same
routing policy and are managed by the same technical
administration. In the OSPF course, an autonomous system refers
to a group of routers that exchange routing information by using
the same routing protocol. In this course, autonomous system is
abbreviated to AS. As an IGP based on the link state algorithm,
OSPF takes effect only within the AS.
Area
An area is a group of routers and the networks connected to
these routers. As shown in the figure, three routers and the
networks connected to them form an area. Single area means that
all routers running OSPF belong to the same area. OSPF requires
that all routers in the same area have the same LSDB.
Router ID:
To run OSPF, a router must have a router ID. The LSDB records
the topology of the network, including the routers in the network.
Each router must have a unique identifier in the LSDB. A router
ID is a 32-bit integer that uniquely identifies a router in an
AS. Each OSPF router has a router ID, written in the format of an
IP address. The IP address of a loopback interface of the router
is recommended as the router ID.



In this example, the topology for OSPF single area configuration
is as follows:
RTA and RTB are located in the network. Each router uses the IP
address of Loopback0 as the router ID. RTA and RTB belong to
Area 0. The configuration of interfaces and IP addresses is not
covered here; for that configuration, refer to the related basic
courses.
The procedure for basic OSPF configuration is as follows:
Run the router id router-id command to specify the router ID. If
the router ID is not specified, OSPF uses the largest loopback IP
address as the router ID. If no loopback interface is configured,
the largest IP address of the physical interfaces is used as the
router ID.
Run the ospf [ process-id ] command to enable OSPF. OSPF
supports multiple processes. If the process ID is not specified,
process 1 is used by default. Run the area area-id command to
enter the area view.
Run the network ip-address wildcard command to specify the
network segment included in the area. When specifying the
network, use the wildcard mask of the network segment.

After the configuration, you can use related commands to check
the configuration. For example, you can use the display ospf
routing command to display information about the OSPF routing
table.
[RTA] display ospf routing
In this example, this command displays the OSPF routing table
of RTA. The display shows that the OSPF routing table of RTA
contains three route entries and they are all in Area 0. Each route
entry shows network segment, next hop, router that advertises
this route, and the area the route belongs to. From the display
information, you can see that the OSPF configuration is correct
and RTA and RTB can exchange routing information.

As a network grows, the number of devices in the same
convergence domain grows, and so do their routing tables. If all
routers in a large-scale network run OSPF, an increasing amount
of storage space is occupied, because the LSDB becomes very
large when a large number of routers are added to the network. A
huge LSDB makes the SPF calculation very complicated and burdens
the CPU. When the network size grows, the probability of
topology changes also increases and the network often flaps.
Under such a condition, a large number of OSPF packets are
transmitted in the network, which lowers bandwidth utilization.
To make it worse, each time the network topology changes, all
routers in the network need to recalculate routes.
To avoid this problem, OSPF divides an AS into areas. Areas
logically classify routers into different groups. An area is
identified by its area ID.
An area is a combination of network segments.
OSPF allows network segments to form an area.
Dividing an AS into areas reduces the LSDB size and
reduces network traffic.
The detailed topology within an area is not sent to other areas.
Areas exchange only abstract routing information, not link state
information, and each area maintains its own LSDB.

Each router maintains an independent LSDB for each area
connected to it. Since link state information is not advertised
to other areas, the LSDB is much smaller.
Area 0 is the backbone area. It advertises the inter-area routing
information (not detailed link state information) summarized by
edge routers to the non-backbone areas. To avoid routing loops,
non-backbone areas cannot advertise inter-area routing
information. Each edge router, therefore, must have at least one
interface in Area 0. That is, all non-backbone areas must be
connected to the backbone area.

OSPF defines the following types of router:
Internal Router (IR)
An IR is a router whose interfaces all connect to network
segments in the same area. IRs in the same area maintain the
same LSDB.
Area border router (ABR)
An ABR is a router connected to multiple areas. An ABR
maintains an LSDB for each area connected to it. ABRs exchange
inter-area routing information.
Backbone router (BR)
A BR is a router that has at least one interface (or virtual
connection) in the backbone area. All ABRs, and all routers whose
interfaces are all in the backbone area, are BRs. Non-backbone
areas must be directly connected to the backbone area, so BRs
usually process routing information of multiple areas.
AS boundary router (ASBR)
An ASBR is a router that exchanges routing information with
routers in other ASs.

The ASBR advertises routing information from other ASs to all
routers in its own AS. Routers in an AS communicate with routers
in other ASs through the ASBR. An IR or an ABR can act as the
ASBR. An ASBR can be in the backbone area or in a non-backbone
area.

Only one area (Area 1) is configured on RTA, and so network
segments are specified only for Area 1.

As shown in the figure, the network is divided into Area 0, Area
1, and Area 2. OSPF requires non-backbone areas to be directly
connected to the backbone area, so Area 1 and Area 2 are
connected to Area 0. On RTA, Area 1 must be configured. On RTB,
Area 0 and Area 1 must be configured. On RTC, Area 0 and Area 2
must be configured. On RTD, Area 2 must be configured. RTA and
RTB exchange LSAs to generate their LSDBs, so the LSDBs of RTA
and RTB are the same. Since RTB also belongs to Area 0, RTB
maintains another LSDB for Area 0, which is the same as the LSDB
on RTC. Similarly, RTD and RTC maintain the same LSDB for Area 2.
The configuration is similar to the configuration of a single
area, and the commands are omitted here. When configuring
multiple areas, network segments must be specified for each area
separately. For example, network segment 2.2.2.2 is specified in
Area 1, so this network segment cannot be specified in Area 0.
Note that a network segment cannot belong to multiple areas.
The configuration of RTA is similar to that of RTD; see the
configuration of RTD later.


This page shows the configuration of RTC. Two areas are
configured on RTC: Area 0 and Area 2. Their network segments are
specified separately.

Only one area (Area 2) is configured on RTD, and so network
segments are specified only for Area 2.

Using the display ospf routing command, you can verify the
configuration. You can also use the following command to view
information about the neighbors of an OSPF router:
display ospf peer
In the output information:
Area indicates the area a neighbor belongs to.
Interface indicates the interface connected to this neighbor.
Router Id indicates the router ID of the neighbor.
Address indicates the address of the neighboring interface.
RTB has two neighbors: RTA in Area 1 and RTC in Area 0.
The first line of the output, OSPF Process 1 with Router
ID 2.2.2.2, indicates that the router ID of RTB is 2.2.2.2.
The following lines:
Area 0.0.0.0 interface 10.1.2.1(Ethernet0/1)'s neighbors
Router ID: 3.3.3.3 Address: 10.1.2.2
indicate that the neighbor belongs to the backbone area, Area 0;
the IP address of the interface connected to the neighbor is
10.1.2.1; the router ID of the neighbor is 3.3.3.3;
and the IP address of the neighboring interface is 10.1.2.2.
Information about the neighbor in Area 2 is similar to the above.

In this example, you can use the display ip routing-table
protocol ospf command to view the global routing table. The
output information shows that five route entries are learned
through OSPF.
What is the calculation process of the link state algorithm?
Each router in the network advertises the local link state
information to other routers and collects the link state information
advertised by other routers. In this way, each router generates an
LSDB that describes the network topology. Based on the LSDB,
routers calculate a shortest path tree by using the SPF algorithm.
The shortest path tree provides routes to all nodes in the network.
What is an OSPF area?
An OSPF area is a combination of network segments.
What is the procedure for basic OSPF configuration?
Enable the OSPF process. Create OSPF areas. Specify network
segments for each area.


Module 3
Switching



LAN technologies include Ethernet, token ring, and token bus.
Among these technologies, Ethernet has gradually come to
dominate because of its efficiency and low price.

The history of Ethernet:
1973: Ethernet was invented at Xerox in Palo Alto, California. Dr
Robert Metcalfe is regarded as the father of Ethernet. Early
Ethernet, the prototype of today's Ethernet, ran at a speed of
2.94 Mbps.
1980: Digital Equipment Corporation, Intel, and Xerox promoted
Ethernet as a standard, the so-called Ethernet DIX80 or
Ethernet version 1 standard, which standardized 10 Mbps
Ethernet.
1982: A second revision of Ethernet, known as Ethernet DIX82 or
Ethernet version II, was published. Ethernet II remains the
Ethernet standard used in today's networks.
1995: IEEE issued the standard for Fast Ethernet, namely, the
802.3u standard.
1998: IEEE issued the standard for gigabit Ethernet.
1999: The IEEE 802.3ab or 1000BASE-T standard was published.
July 18, 2002: IEEE published the 802.3ae or 10G Ethernet
standard, which involves three physical interface standards,
namely, 10GBASE-R, 10GBASE-W, and 10GBASE-LX4.
March 2004: IEEE issued the 802.3ak standard or 10GBASE-CX4 for
10G Ethernet over copper twin-axial cable.

In the early days, Ethernet was a shared network medium. It
often ran over the following transmission media:
10Base5: thick coaxial cable, commonly known as thicknet. The 5
refers to a maximum transmission distance of 500 meters.
10Base2: thin coaxial cable, commonly known as thinnet. The 2
refers to a maximum transmission distance of close to 200
meters; the true distance is 185 meters.
Before shared Ethernet came into being, coaxial cable was
connected with a device called a pigtail, which was inserted by
cutting a small hole in the coaxial cable. Extreme care had to be
taken when inserting a pigtail into the coaxial cable because of
the potential for the central core to short out on contact with
the metallic shield, which could cause the failure of an entire
segment.


At the end of the 1980s, unshielded twisted pair (UTP) came into
being and was soon widely used. UTP is cheap and easily made,
and with UTP data can be sent and received over different wires,
which makes full duplex easy to apply.
Twisted pair cable comes in two types: shielded twisted pair
(STP) and unshielded twisted pair (UTP). STP is very effective at
protecting cables from external electromagnetic interference.
Twisted pair cables are categorized by the length of a single
twist of each wire pair, and they come in the following types:
Category-3 twisted-pair cable: The cable defined by ANSI and
EIA/TIA 568. Its transmission frequency is 16 MHz and it is
mainly used for transmitting voice or transmitting data at rates
of up to 10 Mbps. It is often used for 10Base-T networks.
Category-4 twisted-pair cable: Mainly used for transmitting
voice or transmitting data at a typical data rate of 16 Mbps. It
is commonly used in token ring LANs and 10Base-T/100Base-T
networks.

Category-5 twisted-pair cable: Mainly for transmitting voice or
data at rates of up to 100 Mbps. It is often used for 100Base-T
and 10Base-T networks. It is one of the most widely used Ethernet
cables, but has generally been superseded by an enhanced
version known as Cat5e. The Cat5e standards are much more
stringent and support the use of four wire pairs as opposed
to the two wire pairs used by Cat5, allowing Cat5e to support
Gigabit Ethernet transmission.


Ethernet interfaces on networking devices come in two types:
Medium Dependent Interface (MDI) and Medium Dependent
Interface Crossover (MDI-X). Ethernet interfaces of routers and
of Network Interface Cards (NICs) are usually MDI. The
interfaces of hubs are MDI-X.
Twisted-pair cables are divided into straight-through and
crossover cables. Straight-through cables connect an MDI device
to an MDI-X device; crossover cables connect MDI to MDI or MDI-X
to MDI-X. Note that the pair sequence in a crossover cable
crosses pins 1 and 3 and pins 2 and 6 between the two ends of the
cable.



Usually 10 Mbit/s Ethernet is found only at the access layer of the network. New-generation multimedia, video and database applications can easily exhaust the bandwidth of 10 Mbit/s Ethernet.


Besides coaxial and twisted-pair cable, IEEE 802.3 also defines Ethernet over fiber: 10BASE-F. 10BASE-F was used in the early days of Ethernet, and its transmission distance can reach 2 km.


The standard (10 Mbps) Ethernet transmission rate is too low to meet the demands of today's networks. To meet these higher demands, IEEE issued the IEEE 802.3u standard for Fast Ethernet, supporting a data transmission rate of 100 Mbps.

Full-duplex Fast Ethernet can send and receive data at 100 Mbps simultaneously. Sending and receiving are independent because separate wire pairs carry transmitted and received data, which avoids collisions and interference and improves network efficiency.
The standards body EIA/TIA stands for Electronic Industries Alliance/Telecommunications Industry Association.


Gigabit Ethernet is an extension of the Ethernet defined by IEEE 802.3 in which a transmission speed of 1 Gbps is achieved.
Two standards have been defined for Gigabit Ethernet: IEEE 802.3z (for fiber and copper) and IEEE 802.3ab (for twisted pair).


IEEE 802.3ab specifies the standard for 1000BASE-T. 1000BASE-T is a Gigabit Ethernet technology that uses Type5 UTP to transmit data, and its effective transmission distance reaches 100 meters, the same as 100BASE-TX. With this technology users can upgrade their existing Fast Ethernet system smoothly from 100 Mbps to 1000 Mbps.
IEEE 802.3z sets standards for three kinds of cable:
1000BASE-CX is based on a high-quality shielded copper twisted-pair cable. Its transmission distance is 25 meters and it uses 9um D-type connectors.
1000BASE-SX uses a short-wavelength laser as the signal source. The laser wavelength lies within the range 770-860 nm (usually 800 nm). It supports only multi-mode fiber and cannot operate over single-mode fiber.
1000BASE-LX is another optical Gigabit Ethernet standard, using a long-wavelength laser (1270-1355 nm, usually 1300 nm). It can drive not only multi-mode fiber but also single-mode fiber.


10G Ethernet is the cutting-edge technology in the Ethernet world. Its transmission speed is 10 times that of Gigabit Ethernet and its working range is much wider. 10G Ethernet can be applied not only to traditional LANs but also to WANs and MANs, which were once closed to Ethernet because of its limited capabilities. 10G Ethernet is seamlessly compatible with DWDM, which stretches Ethernet to a global geographical scope without distance limits.
Two organizations, IEEE and the 10 Gigabit Ethernet Alliance (10GEA), played an important role in the standardization of 10G Ethernet. IEEE is in charge of setting standards for 10G Ethernet and had issued IEEE 802.3ae as of June 2006. IEEE 802.3ae specifies the standard for 10G Ethernet over fiber, a standard not well suited to enterprise LANs, which commonly transmit data over copper cabling. To meet the requirements for 10G Ethernet over copper cable, IEEE issued the 802.3ak standard in March 2004 and the IEEE 802.3an standard for 10G Ethernet over twisted-pair cabling.


The standard for 10G Ethernet over fiber is IEEE 802.3ae, which consists of 10GBASE-X, 10GBASE-R and 10GBASE-W.
10GBASE-X uses a tightly packed package involving a rather simple WDM device, four receivers and four lasers that work at wavelengths of about 1300 nm spaced around 25 nm apart. Each sender/receiver pair works at a speed of 3.125 Gbps with a data rate of 2.5 Gbps.
10GBASE-R is a serial interface based on a 64B/66B coding scheme instead of the 8B/10B scheme used by Gigabit Ethernet. Its data rate is 10.000 Gbps, which leads to a clock rate of 10.3 Gbps.
10GBASE-W is the WAN interface, which is compatible with SONET OC-192. The clock rate and data rate of 10GBASE-W are 9.953 Gbps and 9.585 Gbps respectively.
The 10G Ethernet standard for fiber is IEEE 802.3ae. IEEE 802.3ak is the standard for 10G Ethernet over coaxial cable: 10GBASE-CX4 allows 10G Ethernet to run over coaxial copper lines up to a distance of 15 meters.


This chapter covers the following:
1. How was the Ethernet standard formed?
Xerox first presented the original Ethernet technology, whose speed was only 3 Mbps, in 1973. Later, Digital Equipment Corporation, Intel and Xerox jointly proposed the 10 Mbps DIX standard for Ethernet. This then developed into the early forms of the IEEE 802.3 standard in 1980.
2. Which media types are supported by Ethernet?
Ethernet defines standards for operation over coaxial, twisted-pair and fiber optic media.
3. What are the speed rates of Ethernet?
10M, 100M, 1000M and 10G. Early Category 4 cabling also supports 16 Mbps for token ring.

Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is a set of rules determining how network devices respond when two devices attempt to use a data channel simultaneously. The basic operation of CSMA/CD is as follows:
(1) If the transmission medium is not occupied at that moment, the station transmits; otherwise it moves on to the next step.
(2) The station waits until the data channel is no longer occupied and then begins to send data.
(3) If the station detects a collision (recognized by the voltage level on the medium being twice the usual level), it stops transmitting the frame and transmits a jam signal so that all participating stations learn of the collision.
(4) After a random time interval, the station that collided attempts to transmit again, which returns to step 1, and the process repeats.

Limited by the CSMA/CD algorithm, a frame sent over 10M half-duplex Ethernet must be at least 64 bytes long.
Two network devices appeared during the period in which Ethernet developed from a shared to a switched network: the hub and the repeater.
When a network is extended, signals degrade as they travel over long distances, which often leads to corrupted data. The repeater is an electronic device that recovers or amplifies signals.
Both the hub and the repeater work at the physical layer.
The hub is an Ethernet device that works based on the CSMA/CD mechanism. Its working principle is quite simple: the hub forwards a data frame received on one of its ports directly to all other ports, no matter whether the frame is unicast or broadcast.
We may say that the hub and the repeater change only the physical topology of the Ethernet; the logical topology remains a bus.
The hub has no MAC address and only forwards data, without filtering.

The network connected by hubs or repeaters is considered to be
shared Ethernet, so it is no wonder that this kind of network has
all the weaknesses of a shared Ethernet, weaknesses that
include:
Collisions
Broadcast flooding
No Guarantee of Security

The Ethernet switch operates at the data-link layer and has two
basic functions:
Learning MAC addresses;
Switching or filtering data.

In the figure above, DMAC is the MAC address of the destination and SMAC is the MAC address of the source. The meaning of the Length/Type field varies with its value. When its (hexadecimal) value exceeds 1500, the field is a type field; when the value is less than or equal to 1500, the field is a frame length field. The PAD portion of the DATA/PAD field is filler added so that the frame length reaches 64 bytes or above. FCS refers to the extra checksum characters added to a frame for error detection and correction.
When the value of the Length/Type field exceeds 1500, the MAC sub-layer can submit the frame to the upper-layer protocol immediately without going through the LLC sub-layer. This structure is the Ethernet_II structure, which is very popular and used by most protocols. In this structure the data-link layer involves only the MAC sub-layer and does not implement the LLC sub-layer.
When the value of the Length/Type field is less than or equal to 1500, it indicates the Ethernet_SNAP structure, which was defined by the 802.3 committee but is not widely used.

An Ethernet frame whose type field is 0800 is an Ethernet_II frame, because 0x0800 converted from hexadecimal to decimal is bigger than 1500; it must carry an IP datagram, since 0x0800 identifies IP.
In the same way, a frame with type 0806 carries an ARP request/response and one with type 8035 carries a RARP request/response.
However, the question remains: how can we identify the protocol of the next header in an 802.3 frame, since the 802.3 frame indicates only the frame length rather than the frame type?

In an 802.3 frame, a three-byte 802.2 LLC header is followed by a five-byte 802.2 SNAP header. The values of the Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) are both set to 0xAA. The Ctrl field is set to 3 and the 3-byte org code field that follows is set to 0. The TYPE field that comes after it functions the same as the type field of an Ethernet_II frame.
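An added example (not code from the course material) that parses the frame layouts described on these pages: it distinguishes Ethernet_II from 802.3 LLC/SNAP by the Length/Type field, names the 0x0800/0x0806/0x8035 protocols, and flags frames that break the rules given above. The station addresses and sample frames are constructed; the FCS is omitted.

```python
# Added example, not part of the course material: a parser for the frame
# layouts described above. It reads DMAC/SMAC, uses the Length/Type field to
# tell Ethernet_II from 802.3 (LLC/SNAP), and applies the text's MAC-address
# rules as sanity checks. Sample frames are constructed inline; the FCS is
# omitted, as in a typical capture.
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}  # from the text
MAX_802_3_LENGTH = 1500    # Length/Type <= 1500: length field; > 1500: type field
MIN_FRAME_NO_FCS = 60      # 64-byte minimum frame minus the 4-byte FCS
BROADCAST = b"\xff" * 6    # all 48 bits set to 1


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_group_address(mac: bytes) -> bool:
    # I/G bit: the low-order bit of the first octet (the "eighth bit" in the
    # text's numbering). 1 means a group address: multicast or broadcast.
    return bool(mac[0] & 0x01)


@dataclass
class EthernetFrame:
    dmac: bytes
    smac: bytes
    encapsulation: str          # "Ethernet_II", "802.3/SNAP" or "802.3/LLC"
    ethertype: Optional[int]    # None when no TYPE field is present
    payload: bytes
    anomalies: List[str] = field(default_factory=list)

    def upper_protocol(self) -> str:
        if self.ethertype is None:
            return "unknown"
        return ETHERTYPE_NAMES.get(self.ethertype, f"0x{self.ethertype:04x}")


def parse_frame(raw: bytes) -> EthernetFrame:
    if len(raw) < 14:
        raise ValueError("frame shorter than the 14-byte MAC header")
    dmac, smac = raw[0:6], raw[6:12]
    length_type = int.from_bytes(raw[12:14], "big")
    anomalies: List[str] = []
    if is_group_address(smac):
        anomalies.append("group bit set in source address")  # cannot be sent by a group
    if len(raw) < MIN_FRAME_NO_FCS:
        anomalies.append("runt frame: shorter than the 64-byte minimum")

    if length_type > MAX_802_3_LENGTH:
        # Ethernet_II: the field is a type; data goes straight to the upper layer
        return EthernetFrame(dmac, smac, "Ethernet_II", length_type, raw[14:], anomalies)

    # 802.3: the field is the length of LLC header + data (PAD not counted)
    end = 14 + length_type
    if end > len(raw):
        anomalies.append("length field exceeds captured frame")
        end = len(raw)
    body = raw[14:end]
    if len(body) >= 8 and body[0] == 0xAA and body[1] == 0xAA and body[2] == 0x03:
        # LLC DSAP/SSAP = 0xAA, Ctrl = 3, then SNAP: 3-byte org code + TYPE
        if body[3:6] != b"\x00\x00\x00":
            anomalies.append(f"non-zero org code {body[3:6].hex()}")
        ethertype = int.from_bytes(body[6:8], "big")
        return EthernetFrame(dmac, smac, "802.3/SNAP", ethertype, body[8:], anomalies)
    if len(body) < 3:
        anomalies.append("802.3 frame without an LLC header")
    return EthernetFrame(dmac, smac, "802.3/LLC", None, body[3:], anomalies)


def build_ethernet_ii(dmac: bytes, smac: bytes, ethertype: int, data: bytes) -> bytes:
    frame = dmac + smac + ethertype.to_bytes(2, "big") + data
    return frame.ljust(MIN_FRAME_NO_FCS, b"\x00")   # PAD up to the minimum length


def build_snap(dmac: bytes, smac: bytes, ethertype: int, data: bytes) -> bytes:
    body = b"\xaa\xaa\x03" + b"\x00\x00\x00" + ethertype.to_bytes(2, "big") + data
    frame = dmac + smac + len(body).to_bytes(2, "big") + body
    return frame.ljust(MIN_FRAME_NO_FCS, b"\x00")


# Constructed sample stations (locally administered addresses) and frames
STATION_A = bytes.fromhex("020000000001")
STATION_B = bytes.fromhex("020000000002")
IP_HEADER_STUB = b"\x45" + b"\x00" * 19           # 20 placeholder bytes of "payload"
SAMPLE_IP_FRAME = build_ethernet_ii(STATION_B, STATION_A, 0x0800, IP_HEADER_STUB)
SAMPLE_ARP_FRAME = build_ethernet_ii(BROADCAST, STATION_A, 0x0806, b"\x00\x01\x08\x00")
SAMPLE_SNAP_FRAME = build_snap(STATION_B, STATION_A, 0x0800, IP_HEADER_STUB)

if __name__ == "__main__":
    for raw in (SAMPLE_IP_FRAME, SAMPLE_ARP_FRAME, SAMPLE_SNAP_FRAME):
        f = parse_frame(raw)
        print(mac_str(f.smac), "->", mac_str(f.dmac), f.encapsulation,
              f.upper_protocol(), "broadcast" if f.dmac == BROADCAST else "", f.anomalies)
```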

A MAC address is a 48-bit address and is usually written as 12 hexadecimal digits. A MAC address is globally unique, and IEEE is responsible for the management and allocation of MAC addresses. A MAC address is made up of two parts: the manufacturer identifier and the sequence number. The first 24 bits identify the organization that issued the identifier and are managed and allocated by IEEE. The following 24 bits are assigned by that organization in nearly any manner it pleases, subject to the constraint of uniqueness.
Special MAC addresses:
1. A MAC address whose 48 bits are all 1s is a broadcast address.
2. A MAC address whose eighth bit is 1 is a multicast address.
The eighth bit of the destination address indicates whether the frame is sent to a single station or to a group of stations.
The eighth bit of a source address must be 0, since a frame cannot be sent by a group of stations.

Source MAC Learning
The bridge forwards frames based on its MAC address table, which is built from the source MAC addresses of received frames. A typical MAC address table of a layer-2 switch maps MAC addresses to switch ports.
Bear in mind that a switch learns the source address of the data frames it receives, meaning that every port of a switch independently listens for the source addresses of the frames it receives.
Initially the MAC address table is empty. Once the switch receives a frame via port 1, it checks the frame's destination and searches for that MAC address in its cache, but no entry yet exists. The switch therefore floods the frame out of all ports except the one on which it was received, and then uses the source address of the frame to build its MAC address table, mapping port 1 to the MAC address of station A. Similarly, each switch maps the port on which a frame is received to the source MAC address of that frame, so that every switch builds its own MAC address table.
If a port connects to a hub, then the switch port will recognize multiple
MAC addresses for a single interface.
Every port of a switch corresponds to a collision domain.
Note: For multicasting, address entries are not obtained by learning.
They are obtained by IGMP or protocols such as CGMP.
Forwarding Frames Based on the Destination MAC
The switch forwards frames according to its MAC address table.
If the destination address of the frame is not in the table, the
switch will flood the frame. The switch maintains its MAC
address table through an automatic learning and aging
mechanism. Frame structures are not modified in most cases.
(VLAN makes changes to the frame structure by putting a TAG in
the frame.)
The switch receives a data frame from the local segment via one
of its port interfaces.
The switch builds its MAC address table by learning the source
MAC of the frames and maintains its MAC address table with the
aging mechanism. The switch looks for the destination MAC in its
MAC address table and if the destination MAC is in the table,
then the switch sends the frame to the corresponding port (the
source port is not included); if the switch cannot find the
destination MAC in its table, then it sends the frame to all the
ports except the source port.
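An added example (not code from the course material) modelling the learning and forwarding behaviour described on these pages, including the hub-attached port case from the Source MAC Learning notes: the MAC table is built from source addresses, aged out, and used to forward, flood or filter. The port numbers, addresses and timestamps are constructed.

```python
# Added example, not part of the course material: a minimal model of the
# learning, aging, flooding and filtering behaviour described above. Port
# numbers, MAC addresses and timestamps are constructed for illustration.
import time
from typing import Dict, List, Optional, Tuple


def is_group_address(mac: bytes) -> bool:
    # I/G bit of the first octet: broadcast and multicast destinations
    return bool(mac[0] & 0x01)


class LearningSwitch:
    """A layer-2 switch: learns source MACs, forwards on destination MACs."""

    def __init__(self, ports: List[int], aging_time: float = 300.0) -> None:
        self.ports = list(ports)
        self.aging_time = aging_time
        # MAC address table: mac -> (port, time last seen as a source)
        self._table: Dict[bytes, Tuple[int, float]] = {}

    def _age_out(self, now: float) -> None:
        # Entries not refreshed within aging_time are removed, so a station
        # that goes quiet or moves does not keep a stale port mapping forever.
        stale = [m for m, (_, seen) in self._table.items() if now - seen > self.aging_time]
        for mac in stale:
            del self._table[mac]

    def mac_table(self) -> Dict[str, int]:
        return {mac.hex(":"): port for mac, (port, _) in self._table.items()}

    def receive(self, in_port: int, dmac: bytes, smac: bytes,
                now: Optional[float] = None) -> List[int]:
        """Return the egress ports for a frame that arrived on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        now = time.monotonic() if now is None else now
        self._age_out(now)
        # 1. Learning: map the source MAC to the ingress port. A station that
        #    reappears on another port is simply re-learned there. Group
        #    addresses are never learned; multicast entries come from
        #    IGMP/CGMP rather than from source learning.
        if not is_group_address(smac):
            self._table[smac] = (in_port, now)
        # 2. Forwarding: broadcast, multicast and unknown unicast are flooded
        #    out of every port except the one the frame came in on.
        if is_group_address(dmac) or dmac not in self._table:
            return [p for p in self.ports if p != in_port]
        out_port, _ = self._table[dmac]
        # 3. Filtering: destination is on the ingress segment (for example
        #    both stations sit behind a hub on the same port), so the frame
        #    is dropped rather than sent back where it came from.
        if out_port == in_port:
            return []
        return [out_port]


if __name__ == "__main__":
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    print(sw.receive(1, b, a, now=0.0))   # unknown destination: flood to [2, 3, 4]
    print(sw.receive(2, a, b, now=1.0))   # A already learned on port 1: [1]
    print(sw.mac_table())
```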
There are three switching modes: Cut-Through, Store-and-Forward and Fragment-free. Their characteristics are as follows:
Cut-Through
The switch starts forwarding a frame before the whole frame has been received, normally as soon as the destination address has been processed.
Low latency.
The switch forwards frames without checking for errors.
Store-and-Forward
The switch starts forwarding a frame only after the whole frame has been received.
High latency, determined by the frame length. The switch checks for errors and, once it finds one, discards the frame immediately.
Fragment-free
The switch starts forwarding a frame after the first 64 bits (the shortest possible length) of the frame have been received. This mode combines the advantages of the Cut-Through and Store-and-Forward modes. The switch can start forwarding without the whole frame having been received, as in Cut-Through mode; at the same time it can check for errors as in Store-and-Forward mode, and if it finds errors in the first 64 bits of the frame it drops the frame.
L2 switches help to avoid collisions in a shared Ethernet but
broadcast flooding is still widespread. How can this problem be
resolved?

L3 switches take the physical form of a switch. Compared with routers, L3 switches have all the functions that L2 switches possess, including MAC-address-based frame forwarding, STP and VLAN. However, L3 switches also have the L3 functions that L2 switches lack, which enables them to provide L3 internetworking between VLANs.
Most low- and mid-range L3 switches perform L3 forwarding by exact match, which means searching the cache directly by the destination IP address of the packet. Traditional routers, by contrast, use the longest match method: the routing table is searched for the destination IP address and data is forwarded according to the longest matching entry. Different manufacturers use different forwarding approaches. Exact search is more suitable for a network with stable routes whose topology does not change often. High-end L3 switches are often applied to complex networks, so if they used the exact search approach the cache hit rate would be poor. Furthermore, most high-end switches implement longest-match search in hardware, which can be as efficient as exact search. So for high-end switches, exact search is not a necessary choice.
Finally, L3 switches have evolved from L2 switches and have always been thought of as designed for LANs. So L3 switches do not support many interface types beyond those relevant to VLANs, such as Ethernet interfaces and ATM VLAN virtual interfaces, which avoids the problems that multi-type interfaces cause for routers. Since every interface of an L3 switch is an Ethernet interface, collisions are avoided and the odds of segmentation are lowered. But for the efficiency of the uplink, many L3 switches are equipped with high-speed POS interfaces.
IP Network Rules:
1. Communication within the same segment.
When a host communicates with a destination host, it uses its own IP address and subnet mask to judge whether the destination is in the same segment. If they are in the same segment, the host looks up the MAC address of the destination through ARP and fills that MAC address into the frame header.
2. Communication across segments.
If the host finds that the destination is not in its own segment, it looks up the MAC address of the gateway instead of that of the destination and fills the gateway's MAC address into the frame header. Layer-3 switches decide whether to perform layer-2 or layer-3 forwarding according to the above rules: the layer-3 switch performs layer-3 forwarding if the frame is addressed to the MAC address of a VLAN interface; otherwise the switch performs layer-2 forwarding within the VLAN.

This chapter covers the following:
1. How do stations communicate over shared Ethernet?
CSMA/CD is an effective way to realize multi-point communication over a shared medium. A station listens to the link before it sends frames, to avoid collisions. A frame sent by a station can be received by multiple stations. The station monitors the link while it sends frames; it stops sending as soon as it detects a collision and waits a random time interval before trying to send the frame again.
2. What is the operating principle of an L2 switch?
The L2 switch works at the data-link layer and has two basic functions: learning based on the source MAC address and forwarding based on the destination MAC address.
3. What is the difference between an L3 switch and a router?
An L3 switch is small but powerful in some specific areas; the router is large and has comprehensive abilities.

Auto-negotiation was developed to help devices supporting 10 Mbps Ethernet interoperate with 100 Mbps Fast Ethernet. Auto-negotiation takes the operational modes of the local device, receives the operational modes of the link partner, and determines the highest common operational mode that both can support.
Auto-negotiation builds on the revised 10BASE-T standard and is implemented in the physical-layer chips. It does not use any special frames and involves no upper-layer protocol. The basic mechanism of auto-negotiation is to encapsulate the negotiation information into a series of modified 10BASE-T link integrity test pulses, known as Fast Link Pulses (FLP). Each device should be able to send such a pulse sequence when it is powered on, when it receives a management request, or on user intervention. An FLP burst is a clock/data sequence formed from link test pulses; once that data is extracted, we know the operational modes the link partner supports and obtain the information needed for the negotiation handshake.

When both negotiating parties support more than one operational mode, a precedence order is needed to decide the final mode. The table above lists the precedence of operational modes from high to low as defined by IEEE 802.3. The basic principle is that 100 Mbps has higher precedence than 10 Mbps and full duplex is preferred to half duplex. 100BASE-T4 is listed before 100BASE-TX because 100BASE-T4 supports more cable types. Ethernet over fiber does not support auto-negotiation: you need to configure the operational mode of the two link parties manually, including the rate, duplex mode and flow control. If the two parties are configured differently, they cannot communicate with each other.
Note: 100BASE-T4 can run over Type3, Type4 and Type5 UTP and uses all four pairs. 100BASE-TX can only run over Type5 UTP or STP and uses two of the four pairs.

Configuration Example
To set the duplex mode to full duplex:
[Quidway-Ethernet0/1] duplex full
Restore the duplex mode to its default value:
[Quidway-Ethernet0/1] undo duplex

You can configure the speed of an Ethernet port with the following commands. If the port speed is set to be decided by auto-negotiation, the two parties negotiate the port speed together. You can also configure the port speed manually with the speed command.
By default, the port speed is in the auto state (decided by auto-negotiation).
Configuration Example
Set the port speed of the Ethernet port to 100 Mbps:
[Quidway-Ethernet0/1] speed 100
Network congestion occurs when data is transmitted between two ports with different speeds (for example, when a 100 Mbps port sends data to a 10 Mbps port), or when a link or node carries so much data that its quality of service deteriorates. Typical effects include queuing delay, packet loss and more retransmissions, which wastes network resources dramatically.
In real networks, especially LANs, network congestion seldom occurs, so not all switch manufacturers build flow control into their switches. High-capability switches should support backpressure in half-duplex mode and the flow control defined by IEEE 802.3x in full-duplex mode.

Bridged or half-duplex Ethernet uses a method called backpressure to manage transmission between stations with different speeds. For example, when a 100 Mbps server sends data to a 10 Mbps client PC through the switch, the switch does its best to cache frames until its cache is nearly full, at which point it must ask the server to stop sending.
To achieve this the switch can generate a collision event towards the server to make it back off, or it can apply a carrier signal to keep the server's port busy. Both approaches cause the server to stop sending data for a while, which gives the switch time to process the data in its cache.

In a full-duplex environment, the link between the server and the switch is a collision-free channel, and backpressure cannot be applied to it. So the server continues to send packets to the switch until the switch's frame cache overflows. To solve this problem, IEEE defined a full-duplex flow control standard, IEEE 802.3x.
IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE. When congestion occurs at a port, the switch sends a PAUSE frame to the source to tell it to stop sending for a while.

PAUSE is used to prevent frames from being dropped when an instantaneous influx of traffic overflows the cache. The PAUSE frame helps the device avoid frame loss when traffic exceeds the cache limit: the device sends a PAUSE frame to its peer, asking the peer to stop sending data once it receives the PAUSE frame, and so prevents its own cache from overflowing. In this way the device gains time to relieve the congestion in its cache.

Configuration Example
Enable flow control on the Ethernet port:
[Quidway-Ethernet0/1] flow-control
Disable flow control on the Ethernet port:
[Quidway-Ethernet0/1] undo flow-control
Note: By default, flow control on an Ethernet port is disabled.

Advantages of Port Aggregation
1. Increased bandwidth
Port aggregation binds multiple physical ports together into one logical link to increase transmission bandwidth and speed. The bandwidth after aggregation is the sum of the bandwidth of each aggregated port. With a switch that supports this function, you can increase network bandwidth easily when too much traffic on one port impairs network performance. For example, you can bind two to four 100 Mbps ports together to make a 200-400 Mbps link. Port aggregation can be applied to 10 Mbps, 100 Mbps and 1000 Mbps Ethernet.
2. Improved reliability
Backbone networks run at very high speed, and once a link fails a large amount of data is lost. The connection between a high-speed server and the backbone network must be guaranteed. With port aggregation you can prevent such a disaster: for example, if a cable is pulled out by mistake, the link is not affected. Because an aggregated port consists of multiple ports, the failure of one port does not affect the whole connection; data is automatically loaded onto the other working connections. You only need to change the visiting address, and the whole process is completed in no time. This function keeps the network running continuously.
The parameters of the two peers of the aggregated ports must be the same. Parameters here include physical parameters and logical parameters.
Physical parameters include: the number of aggregated ports, the speed of the aggregated ports and the duplex mode of the aggregated ports.
Logical parameters include: Spanning Tree Protocol (STP), Quality of Service (QoS), VLAN and port settings.
STP configuration includes: enabling/disabling STP on the port, port link type (point-to-point or not), STP priority, path cost, rate limit for sending packets, loop protection, root protection and edge port.
QoS configuration includes: traffic rate control, priority marking, the default 802.1p priority, bandwidth guarantee, congestion avoidance, traffic redirection and traffic statistics.
VLAN configuration includes: the VLANs allowed to pass through the port and the default VLAN ID.
Port configuration includes port link types such as Trunk, Hybrid and Access.

Configuration Procedure:
1. Configure the IP address of the interface
Create the layer-3 addresses 10.1.1.1/30 and 10.1.1.2/30 on VLAN1 of SW1 and SW2 respectively.
2. Configure the attributes of the aggregated ports
Before configuring port aggregation, make sure that all the aggregated ports of SW1 and SW2 work in full-duplex mode and at the same speed, rather than in auto-negotiation mode.
3. Configure port aggregation
Result Testing:
<Sw1>display link-aggregation
Master port: Ethernet0/1
Other sub-ports:
Ethernet0/2
Mode: both

The configuration commands may differ between switch models; please refer to the product operation manuals for the relevant information.

Port mirroring is used for traffic observation and fault location: it makes a copy of the service data and sends the copy to a monitoring device for analysis. Port mirroring has two types: port-based mirroring and flow-based mirroring.

Flow-based mirroring is applied only to flows that meet certain defined classifications, such as the same destination address or the same port number. The classifications can be set as required.

Case: PC1 connects to interface E0/1 of SW; through this interface you can analyse the data that enters interface E0/24.
Configuration:
1. Configure interface E0/1 of SW as the observe port
[SW]observe-port 1 interface Ethernet 0/1
2. Configure interface E0/24 of SW as the mirroring port, transferring data to the observe port.
[SW-Ethernet0/24] port-mirroring to observe-port 1 inbound

This chapter covers the following content:
1. What is auto-negotiation?
Auto-negotiation aims to resolve rate inconsistencies between Ethernet devices. This includes negotiation of the port speed and duplex mode.
2. What are the differences between half-duplex and full-duplex traffic control?
Half-duplex traffic control uses the backpressure method: when network congestion occurs, the switch applies the carrier detect mechanism or emulates a collision. In full-duplex mode, IEEE 802.3x defines the format of a 64-byte MAC control frame named PAUSE; when congestion occurs at a port, the switch sends a PAUSE frame to the source to tell it to stop sending for a while.
3. What are the functions of port aggregation and port mirroring?
Port aggregation can increase link bandwidth, realize load balancing and improve network reliability. Port mirroring supports traffic observation and fault location by making a copy of service data and sending this data to the monitoring device port to be analyzed.

A traditional Ethernet switch adopts the source address learning mode when forwarding data. It automatically learns the MAC address of the host connected to each port, forms the forwarding table, and then forwards Ethernet frames according to that table. The whole forwarding process is completed automatically: all the ports can communicate with each other, and maintenance personnel cannot control the forwarding between any two ports. For example, they cannot restrict host B from reaching host A. Such a network has the following disadvantages:
Network security is poor. All the ports can communicate with each other, which increases the possibility that users will attack the network.
Network efficiency is low. Users may receive many unnecessary frames, e.g. unnecessary broadcast packets, which wastes bandwidth and host CPU resources.
Service expansion capability is poor. The network cannot implement differentiated services; for example, it cannot forward an Ethernet frame used for network management with higher priority.


VLAN technology divides users into multiple logical networks (groups). Communication is allowed within a group but prohibited between groups: layer-2 unicast, layer-2 multicast and layer-2 broadcast packets are only forwarded within a group. Adding and deleting group members is easy with VLAN technology.
VLAN technology provides a management method to control the intercommunication among terminals regardless of their physical location in the LAN. In the figure above, PCs in group 1 and group 2 cannot communicate with each other.

In order to control forwarding, the switch adds a VLAN tag to an Ethernet frame before forwarding it, and then uses this tag to manage the frame: discarding it, forwarding it, or adding and removing tags. Before forwarding the frame, the switch checks the VLAN tag and decides whether a frame with that tag is allowed to be forwarded from the port. In the figure above, the switch adds tag 5 to all the frames sent from A, looks up the layer-2 forwarding table and, according to the destination MAC address, would forward them to the port connected to B. However, this port is configured to allow only VLAN 1 to pass, so the frames sent by A are discarded.
A switch supporting VLANs therefore forwards Ethernet frames not only according to the destination MAC address but also according to the VLAN configuration of the port, so as to implement layer-2 forwarding control.

The 4-byte VLAN tag is added directly to the Ethernet frame header. VLAN tagging is described in the IEEE 802.1Q document.
TPID (Tag Protocol Identifier): 2 bytes, fixed value 0x8100. This is a new type defined by IEEE; it indicates that the frame carries an 802.1Q tag.
TCI (Tag Control Information): 2 bytes.
Priority: 3 bits, defines the priority of the Ethernet frame. There are 8 priority levels, 0 to 7, used to provide differentiated forwarding service.
CFI (Canonical Format Indicator): 1 bit. Used to indicate the bit order of address information in token ring or source-routed FDDI media access, namely whether the low bit is transmitted before the high bit.
VLAN Identifier (VLAN ID): 12 bits, from 0 to 4095. Combined with the VLAN configuration of the port, it controls the forwarding of an Ethernet frame.
Ethernet frames have two formats: a frame without a tag is called an untagged frame; a frame with a tag is called a tagged frame.
This course only discusses the VLAN ID field of the VLAN tag.

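The tag layout just described, as an added example that is not part of the original course material: a small Python parser and builder for the 4-byte 802.1Q tag (TPID, priority, CFI, VLAN ID). The sample frame bytes are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # fixed TPID of an 802.1Q-tagged frame, as stated on the slide


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:                 # untagged frame: EtherType follows the MACs
        info.update(ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("TPID present but the TCI/EtherType bytes are missing")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    info.update(
        tagged=True,
        priority=tci >> 13,        # TCI bits 15..13: 3-bit priority, 0-7
        cfi=(tci >> 12) & 0x1,     # TCI bit 12: Canonical Format Indicator
        vlan_id=tci & 0x0FFF,      # TCI bits 11..0: 12-bit VLAN ID, 0-4095
        ethertype=inner_type,      # the original EtherType follows the tag
        payload=frame[18:],
    )
    return info


def add_tag(frame: bytes, vlan_id: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (the 'Add tag' operation)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be between 0 and 4095")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority must be 0-7 and CFI must be 0 or 1")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (priority << 13) | (cfi << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def remove_tag(frame: bytes) -> bytes:
    """Strip the 802.1Q tag (the 'Remove tag' operation); untagged frames pass unchanged."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: an untagged IPv4 frame from PCA to PCB (MAC addresses as used on
# this course's MAC-learning slides), with four dummy bytes standing in for the IP packet.
UNTAGGED_FRAME = (
    bytes.fromhex("000d56bf8820")    # destination MAC 00-0D-56-BF-88-20
    + bytes.fromhex("000d56bf8810")  # source MAC 00-0D-56-BF-88-10
    + b"\x08\x00"                    # EtherType IPv4
    + b"\x45\x00\x00\x14"            # start of a (truncated) IPv4 header
)

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED_FRAME, vlan_id=5, priority=3)
    print(parse_frame(tagged))
    print("round trip ok:", remove_tag(tagged) == UNTAGGED_FRAME)
```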
All Ethernet frames exist inside the switch in the form of tagged frames. Certain ports may receive untagged frames from peer devices, but a frame inside the local switch must be a tagged frame: if a received frame is tagged, it is forwarded as it is; if it is untagged, a tag is added to it. The device can assign a VLAN in the following ways.
Port based: the network manager configures a PVID for every port of the switch, known as the Port VLAN ID or port default VLAN. If an untagged frame is received, its VLAN ID becomes the PVID.
MAC based: the network manager configures a mapping from each MAC address to a VLAN ID; if an untagged frame is received, the VLAN ID is added according to the mapping table.
Protocol based: the network manager configures a mapping between the protocol field of the Ethernet frame and a VLAN ID; if an untagged frame is received, the VLAN ID is added according to the mapping table.
Subnet based: the VLAN ID is added according to the IP address information in the packet.
Policy based: provides strict control, based on the combination of MAC address and IP address, MAC address alone, or IP address and port.

If the VLAN is implemented successfully in this way, users can be prevented from changing their MAC address or IP address.
If the device supports multiple methods at the same time, the general priority order from high to low is: policy based, MAC based, subnet based, protocol based, port based. At present, port-based VLAN assignment is the most common method.

The tag in an Ethernet frame, combined with the VLAN configuration of the port, controls packet forwarding. For an Ethernet frame received on port A, the switch checks whether the destination MAC address is attached to port B. After the introduction of VLAN tagging, two key points decide whether the frame should be forwarded from port B:
Whether the VLAN ID in the frame has been created on the switch. There are two methods to create VLANs: manual configuration, or automatic creation through GVRP.
Whether the destination port allows frames of that VLAN to pass. The VLAN lists that determine whether frames may pass through a port can be created by the administrator or automatically by GVRP (GARP VLAN Registration Protocol).
In the forwarding process, there are two types of tag operation:
Add tag: for untagged frames, add the PVID; this is completed after the frame is received from the peer device.
Remove tag: delete the VLAN tag information from the frame, then send it to the peer device in the form of an untagged frame. Normally the switch does not change the VLAN ID in a tagged frame, although some devices supporting special services may provide a function for changing the VLAN ID.


After introducing VLAN functionality, a switch port may be one of three types: access port, trunk port or hybrid port.
An access port is used to connect a host and has the following features:
It only permits frames of the allowed VLAN ID to pass through the port, i.e. the VLAN ID that is the same as the PVID of the port.
If the frame received from the peer device is untagged, the switch automatically adds a tag with the PVID to the frame.
The frame sent by an access port is always an untagged frame.
The default port type of many switches is access, and the PVID is 1 by default; VLAN 1 is created by the system and cannot be deleted.

The following commands can be used to set ports as access ports and set the PVID of each access port after creating the VLAN:
[SWA]vlan 3
[SWA-vlan3]port ethernet 0/1
[SWA]vlan 5
[SWA-vlan5]port ethernet 0/2
The port mode should be specified as either access or trunk when making any change to the PVID.

Trunk port: used to connect switches and transmit tagged frames between switches. It can be set to permit multiple VLAN IDs, including VLAN IDs that differ from its own PVID.
A trunk port sends tagged frames to other devices according to the following rules:
If the VLAN ID of the tagged frame is not in the VLAN permit list, the frame is discarded;
If the VLAN ID of the tagged frame is the same as the PVID and is in the VLAN permit list, the frame is forwarded after the tag is removed. The PVID of each port is unique, and in this case the frame is sent untagged by the trunk port.
If the VLAN ID of the tagged frame differs from the PVID, the frame is forwarded to the peer device without modification.
VLAN forwarding generally examines the tag information of the VLAN frame and compares it with the VLAN permit list to look for a match. If a VLAN is registered by GVRP, it must also be registered on the port; otherwise the VLAN ID will not be in the VLAN permit list and the corresponding VLAN frames cannot be forwarded from the port.

An access port sends packets to another device in the form of untagged frames; a trunk port sends untagged frames only when the trunk PVID is the same as the frame's VLAN ID, and sends frames tagged in all other cases. Hybrid ports can be used to control the VLAN tagging process more effectively. For example, a device connected to the switch may not support VLANs, but the ports can still be used to isolate devices.
Hybrid ports control the VLAN tag flexibly. In this example, if the VLAN ID of the frame is 3, it is forwarded as a trunk port would forward it; if it is 4, tag 4 is removed and the frame is then forwarded.

If a hybrid port is configured to allow only untagged VLAN forwarding, it takes on the same role as an access port. If it is configured to support only tagged VLANs, it has the same function as a trunk port.
If a switch port is configured with a PVID that is both tagged and supported as an untagged VLAN, for example VLAN 2 on Ethernet0/1, it is capable of communicating with other hybrid ports that support the same untagged VLANs, as opposed to ports such as 0/3, which only supports VLAN 3. The configuration above thus shows how to implement isolation between port 0/1 and port 0/3 while still allowing both to communicate with the host connected to port 0/24.
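The access, trunk and hybrid rules described on the preceding slides, as an added example that is not the course's own code: a Python model of the ingress PVID assignment and the egress tag/untag decision, run against a constructed hybrid configuration that isolates port 0/1 from port 0/3 while both still reach port 0/24. The VLAN memberships (including a shared VLAN 10 used as the PVID of port 0/24) are assumptions, since the slide figure is not reproduced here.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    link_type: str                                # "access", "trunk" or "hybrid"
    pvid: int = 1                                 # default VLAN (1 on most switches)
    tagged: set = field(default_factory=set)      # permitted VLANs that leave with a tag
    untagged: set = field(default_factory=set)    # permitted VLANs that leave untagged (hybrid)

    def permit_list(self) -> set:
        """VLAN IDs this port accepts on ingress and may send on egress."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return self.tagged | {self.pvid}
        return self.tagged | self.untagged


def ingress(port: Port, vlan_id=None):
    """A frame arrives on port; vlan_id is None for an untagged frame.
    Returns the VLAN the frame is placed in, or None if the port discards it."""
    if vlan_id is None:
        vlan_id = port.pvid                 # "Add tag": untagged frames get the PVID
    return vlan_id if vlan_id in port.permit_list() else None


def egress(port: Port, vlan_id):
    """A frame of VLAN vlan_id leaves through port.
    Returns ("tagged" | "untagged", vlan_id), or None if vlan_id is not permitted."""
    if vlan_id not in port.permit_list():
        return None
    if port.link_type == "access":
        return ("untagged", vlan_id)        # an access port never sends a tag
    if port.link_type == "trunk":           # "Remove tag" only for the PVID
        return ("untagged" if vlan_id == port.pvid else "tagged", vlan_id)
    return ("untagged" if vlan_id in port.untagged else "tagged", vlan_id)


def reachable(ports, src, dst, vlan_id=None):
    """Does a frame entering src (carrying vlan_id, or untagged) leave through dst,
    and in which form? Assumes the destination MAC is already learned on dst."""
    vid = ingress(ports[src], vlan_id)
    return None if vid is None else egress(ports[dst], vid)


# Constructed configuration for the isolation example on this page (assumed memberships):
# ports 0/1 and 0/3 each carry their own VLAN plus the shared VLAN 10, which the host on
# port 0/24 uses as its PVID, so that its replies reach both user ports.
ISOLATION_SW = {
    "e0/1":  Port("e0/1",  "hybrid", pvid=2,  untagged={2, 10}),
    "e0/3":  Port("e0/3",  "hybrid", pvid=3,  untagged={3, 10}),
    "e0/24": Port("e0/24", "hybrid", pvid=10, untagged={2, 3, 10}),
}
ACCESS_3 = Port("e0/7", "access", pvid=3)                              # constructed
TRUNK = Port("e0/2", "trunk", pvid=1, tagged={2, 3})                    # constructed
HYBRID_3_4 = Port("e0/5", "hybrid", pvid=4, tagged={3}, untagged={4})   # the slide's "3 tagged, 4 untagged" case

if __name__ == "__main__":
    for a, b in [("e0/1", "e0/24"), ("e0/24", "e0/3"), ("e0/1", "e0/3")]:
        print(f"{a} -> {b}: {reachable(ISOLATION_SW, a, b)}")
```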

To configure access and trunk ports on SWA and SWB, it is necessary to create VLAN 2 on SWB and allow VLAN 2 to traverse the two ports of SWB, so that PC1 and PC2 can communicate with each other. SWB does not connect to any users; it is a transit switch. In large-scale networks there may be many transit switches, for which configuration and management is difficult. The manager only cares about controlling user intercommunication: for example, after a new user joins the network, the manager should configure the access port that connects the new user and make the port a member of a certain VLAN group.
If the transit switches could automatically implement intercommunication among logical group members, network maintenance costs would be saved. GVRP implements this function. After GVRP is enabled on all the switches, the VLAN configuration on the edge switches is propagated to the whole network through GVRP, and the VLAN configuration on each port is implemented automatically.

The command gvrp is used to enable GVRP on a switch, and the command undo gvrp disables it. GVRP is disabled by default. In the system view, the gvrp command enables or disables GVRP globally for all ports, whereas in the interface view it enables or disables GVRP on that particular port, as shown in the example.
Note:
Before enabling port-based GVRP, GVRP must first be enabled in the system view. If GVRP is disabled at the system level, GVRP is also disabled on all ports, and the user cannot change the status of port-based GVRP.
GVRP should be enabled and disabled on trunk ports. After GVRP is enabled on a trunk port, the switch does not allow the trunk port to be changed to any other port type.

1. How many port types does a Huawei switch support?
Answer: A Huawei switch supports three port types: access, trunk and hybrid.
2. Must a frame be tagged when sent from a trunk port to peer devices?
Answer: In general a frame is tagged, but if its VLAN ID is the same as the PVID of the trunk port, the tag is removed and the frame is forwarded as an untagged frame.

VLANs create and isolate layer-2 broadcast domains, thereby isolating the traffic of different VLANs. As a result, users associated with different VLANs are unable to communicate.

Traffic between different VLANs cannot directly cross VLAN boundaries, so routing is needed to forward packets from one VLAN to another.
Hosts of different VLANs are treated as members of different networks. When a default gateway has been configured on a host in a given VLAN, any communication destined for hosts not associated with the same VLAN is automatically forwarded to the default gateway, which in turn routes traffic between the VLANs.

One method to solve VLAN intercommunication is to assign a separate physical router interface to each VLAN. Traffic from different VLANs can then be forwarded between these physical interfaces and routed. This method enables intercommunication between VLANs; however, as the number of VLANs increases, so does the number of router interfaces needed. Such a solution results in higher cost and a poor network design. Some VLANs do not need to forward traffic to other VLANs frequently, which leads to further waste; therefore this method is not generally suited to solving the problem of VLAN intercommunication.

To overcome the physical interface limitation, a trunking method is implemented using only a single physical interface on the router and a single port on the switch. A single Ethernet interface on the router can support all VLAN gateways and carry all VLAN traffic through the creation of sub-interfaces.
As shown above, only a single physical router Ethernet interface is used, but it supports three sub-interfaces acting as default gateways for each of the three VLANs. Each frame carries a VLAN tag that identifies the VLAN it belongs to. When users in VLAN100 need to communicate with users in another VLAN, the user only needs to forward the frame to the default gateway; the default gateway modifies the VLAN tag of the data frame and then routes it to the VLAN in which the destination host is located.

The third option for VLAN routing is the use of a layer-3 switch. A layer-3 switch effectively integrates the functionality of a layer-2 switch and layer-3 routing, and therefore combines the advantages of both. The limitation lies mainly in the cost of such devices, due to their extended functionality.

Huawei supports layer-3 switching by means of switch and route processing units (SRUs), and may support multiple SRU boards for redundancy. All routable packets are sent by the forwarding engine to the SRU board for processing. The SRU board also broadcasts and filters packets and executes routing policies. The SRU supports VLAN switching and default VLANs as well as more advanced VLAN technologies, including Q-in-Q and dynamic VLAN allocation based on MAC addresses. The example above shows how a layer-3 switch can be used to associate VLAN gateways directly with VLAN interfaces within a single device.

In this example two VLANs are present, VLAN100 and VLAN200. A host in VLAN100 wishes to forward traffic to a host in VLAN200. Each VLAN is a separate broadcast domain and therefore a different network. Each host has been assigned a host address in the network of the VLAN it belongs to, together with the gateway address for that network. Forwarding the traffic requires VLAN trunking, to carry multiple VLANs over a single physical link, and sub-interface configuration on the layer-3 router. How is this achieved?

//create VLAN100
[SWA]vlan 100
//configure ethernet 0/1 belonging to VLAN100
[SWA-vlan100]port ethernet 0/1
//create VLAN200
[SWA]vlan 200
//configure ethernet 0/2 belonging to VLAN200
[SWA-vlan200]port ethernet 0/2
//enter into interface view
[SWA]interface ethernet 0/24
//configure port type as Trunk
[SWA-Ethernet0/24]port link-type trunk
//permit all VLAN to pass
[SWA-Ethernet0/24]port trunk allow-pass vlan all

Using the control-vid command, you can specify the mapping between a control VLAN and an Ethernet sub-interface, to differentiate the termination sub-interfaces of the same main interface. Using the undo control-vid command, you can remove the mapping between the control VLAN and the Ethernet sub-interface. By default, no mapping between a control VLAN and an Ethernet sub-interface is specified. The dot1q-termination keyword indicates that the encapsulation mode of the sub-interface is dot1q. This mode applies to single-tagged packets (as opposed to the double-tagged packets used in a Q-in-Q configuration).
Using the arp broadcast enable command, you can enable the ARP broadcast function on a sub-interface for VLAN tag termination. Using the undo arp broadcast enable command, you can disable it. By default, the ARP broadcast function is disabled on sub-interfaces for VLAN tag termination.

Connectivity between the hosts of different VLANs can be
verified through means such as the ping command. If the host
192.168.10.10 in VLAN100 can ping host 192.168.20.20 in VLAN
200, it indicates that the configuration is correct.

On the layer-3 switch (SWA) port 1 and port 2 represent a local
network that has been logically segmented through the
implementation of VLANs. The hosts via port 1 have been
assigned to VLAN 100 and hosts via port 2 to VLAN 200. The
hosts of VLAN 100 and VLAN 200 are able to support the
forwarding of traffic between VLANs 100 & 200 through SWA.
The example demonstrates how a single host from each VLAN
would be configured to support this forwarding of traffic.

When a layer-3 switch needs to communicate with devices at the
network layer, a logical interface can be created, namely, a
VLANIF interface. A VLANIF interface is a network layer interface
and can be configured with an IP address. The layer-3 switch
then uses the VLANIF interface to communicate with devices at
the network layer. The IP address that is assigned to each
VLANIF is recognised as the gateway address by the respective
VLAN hosts. The command interface vlanif <vlan-id>
specifies the ID of the VLAN that a VLANIF interface belongs to.
The value of the vlan-id is an integer that ranges from 1 to 4094.
In the same way that it was possible to verify VLAN routing using a layer-3 router, it is also possible to verify connectivity between hosts of different VLANs supported by a layer-3 switch. If host 192.168.10.10 in VLAN100 is able to ping host 192.168.20.20 in VLAN 200 successfully, the configuration is correct.

1. What is the purpose of VLAN routing?
Answer: The main advantage of VLANs is to isolate broadcast domains, but it is often the case that traffic must flow between these broadcast domains. VLAN routing resolves this by facilitating communication between broadcast domains.
2. What methods can be used to implement VLAN routing?
Answer: Ordinary layer-2 switches only support communication within a single VLAN (broadcast) domain. The flow of VLAN traffic between broadcast domains is achieved by configuring VLAN routing on a reachable layer-3 device. VLAN routing can therefore be achieved through the following methods. A router connected to the network can perform VLAN routing, using either a single physical interface for each VLAN or, more suitably, multiple sub-interfaces on a single physical interface. A layer-3 switch can also implement VLAN routing, through the configuration of a layer-3 VLAN interface for each VLAN.

A switch forwards data frames based on the MAC address table. The MAC address table specifies the mapping between destination MAC addresses and destination ports.
1: Assume that PCA sends a data frame to PCB. The destination MAC address of this data frame is set to the MAC address of PCB, namely 00-0D-56-BF-88-20. When SWA receives this frame, it searches the MAC address table. According to the entries in the MAC address table, SWA forwards the data frame through port E0/3. The switch does not modify the data frame before forwarding it. If the switch receives a broadcast frame, or a frame whose destination MAC address is not in the MAC address table, it forwards the frame to all other ports.
2: When SWB searches its MAC address table, it uses the stored information to make the forwarding decision. In the example, SWB forwards the frame through port E0/6. No modification is made to the data frame.
3: When PCB receives the frame, it checks the destination MAC address and finds that it is its own MAC address. PCB then processes the data frame and passes the de-encapsulated data to the upper layer protocol.

If a switch receives a broadcast data frame on a port, it forwards the frame to all other ports, and it does not modify the data frame before forwarding it. Therefore, if a loop exists in the network, broadcast frames are forwarded around the network indefinitely, causing a broadcast storm.

A switch forwards data frames based on the MAC address table, but the table is empty when the switch starts. Therefore the switch needs to learn the MAC address table.
A switch learns the MAC address table from the mapping between the source address of a received data frame and the receiving port.
1: Assume that PCA sends a data frame to PCB. The destination address of the frame is the MAC address of PCB, namely 00-0D-56-BF-88-20, and the source address is the MAC address of PCA, namely 00-0D-56-BF-88-10. When SWA receives the data frame, it checks the source address of the frame and adds the mapping between the source address and the receiving port to the MAC address table. Thus the mapping between a destination address and its destination port is recorded in the table.
2: When SWB receives this frame, it also adds the mapping between the source address and the receiving port to its MAC address table as a MAC address entry.
3: When PCB receives the frame, it processes it.

A switch generates a MAC address entry according to the source address and receiving port of a received data frame.
PCA sends a data frame. Assume that the destination MAC address of the data frame does not exist in the MAC address table of any switch in the network. When SWA receives this data frame, it generates a MAC address entry in which the MAC address 00-0D-56-BF-88-10 maps to port E0/2.
Because the MAC address table of SWA does not contain any entry for this destination MAC address, SWA forwards the data frame to E0/3 and E0/4.
The MAC address table of SWB also does not contain any entry for this destination MAC address, so after SWB receives the data frame on E0/5, it forwards the frame back to SWA through E0/6.
After SWA receives this data frame on E0/4, it deletes the previous entry for this address and generates a new one, in which MAC address 00-0D-56-BF-88-10 maps to port E0/4. In this case the MAC address table is unstable and wrong entries are generated.
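The learning process and the unstable table from this slide, as an added Python simulation that is not part of the course material: two switches learn source MACs while flooding an unknown destination, first over the looped topology (links E0/3-E0/5 and E0/4-E0/6), then with the second link removed, as STP blocking would do. The unknown destination MAC and PCB's port on SWB are constructed.

```python
from collections import deque


class Switch:
    """Transparent bridge: learn the source MAC on the receiving port, forward
    known destinations by table and flood unknown ones to all other ports."""

    def __init__(self, name):
        self.name = name
        self.links = {}       # local port -> (peer switch, peer port), or None for a host port
        self.mac_table = {}   # MAC address -> local port
        self.history = []     # every write to the MAC table, in order: (MAC, port)

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac, then return the list of ports the frame is sent out of."""
        if self.mac_table.get(src_mac) != in_port:
            self.mac_table[src_mac] = in_port          # new entry, or an entry that moved
            self.history.append((src_mac, in_port))
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        return [p for p in self.links if p != in_port]  # unknown destination: flood


def run(switches, start, src_mac, dst_mac, max_events=20):
    """Inject one frame at start=(switch, port) and propagate copies over
    switch-to-switch links. Returns how many copies are still in flight when
    the event budget is exhausted: 0 means the flood died out, >0 means a loop."""
    queue = deque([start])
    events = 0
    while queue and events < max_events:
        sw_name, in_port = queue.popleft()
        events += 1
        sw = switches[sw_name]
        for out_port in sw.receive(in_port, src_mac, dst_mac):
            peer = sw.links[out_port]
            if peer is not None:           # copies sent to hosts leave the switched network
                queue.append(peer)
    return len(queue)


def build_topology(loop):
    """SWA and SWB as on the slide: PCA on SWA E0/2, link E0/3-E0/5 and,
    when loop=True, the second parallel link E0/4-E0/6."""
    swa, swb = Switch("SWA"), Switch("SWB")
    swa.links["E0/2"] = None                 # PCA
    swa.links["E0/3"] = ("SWB", "E0/5")
    swb.links["E0/1"] = None                 # constructed: PCB's port on SWB
    swb.links["E0/5"] = ("SWA", "E0/3")
    if loop:
        swa.links["E0/4"] = ("SWB", "E0/6")
        swb.links["E0/6"] = ("SWA", "E0/4")
    return {"SWA": swa, "SWB": swb}


PCA_MAC = "00-0D-56-BF-88-10"
UNKNOWN_MAC = "00-0D-56-BF-88-FF"   # constructed: not learned by any switch

if __name__ == "__main__":
    net = build_topology(loop=True)
    in_flight = run(net, ("SWA", "E0/2"), PCA_MAC, UNKNOWN_MAC)
    print("copies still circulating:", in_flight)
    print("SWA's entry for PCA moved through ports:", [p for _, p in net["SWA"].history])
```

With the loop, SWA's entry for PCA goes E0/2, then E0/4, then E0/3 and keeps flapping while the frame copies circulate; without it, the flood stops after one hop and the entry stays on E0/2.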

The main function of STP (Spanning Tree Protocol) is to avoid switching loops where redundant links are present in the network. As the figure on this slide shows, SWA, SWB and SWC form a ring, which may cause problems such as broadcast storms. After the spanning tree protocol is enabled, its calculations cause the network to converge: the interfaces take on various operational roles, including the blocking of one or more ports in order to remove the possibility of any loop occurring. In this example, it is assumed that port E0/2 of SWB is blocked to remove the loop.

After the port E0/2 of SWB is blocked, there is no loop in the
network.

Another feature of STP is link backup. If a problem occurs along the active path, the blocked interface can be made active so that connectivity is restored through the redundant link. Thus a loop between switches is usually used for redundancy. STP removes the logical loop from the network by blocking one or more ports, but the physical links are not changed. In the previous example, it is mentioned that port E0/20 of SWB is blocked to remove the loop. If another port goes down (for example, port E0/20 of SWC), STP can restore the blocked port through convergence, making it possible to forward packets again.
The basic idea of STP is quite simple: if the network can be shaped like a tree, loops are prevented. Thus STP defines concepts including Root Bridge, Root Port, Designated Port and Path Cost. The purpose is to cut out redundant loops by constructing a tree while implementing link backup and path optimization at the same time. The algorithm used to construct the tree is the spanning tree algorithm.
To calculate the spanning tree, the relevant information and parameters must be exchanged between switches. This information is encapsulated in BPDUs (Bridge Protocol Data Units) and transmitted between switches. The following tasks are carried out through the exchange of BPDUs between bridges:
1. Select one bridge among all bridges as the root bridge;
2. Calculate the shortest path from the current bridge to the root bridge;
3. For every shared network segment, select the bridge nearest to the root bridge as the designated bridge, responsible for forwarding data on that segment;
4. For every bridge, select a root port;
5. Select the designated ports besides the root port.

To calculate the spanning tree, switches need to exchange information and parameters. These are encapsulated in the Configuration Bridge Protocol Data Unit (BPDU) and transmitted between switches.
In a broad sense, a BPDU is any data unit used to exchange information between switches; the configuration BPDU is one type of BPDU.
Calculation of the spanning tree starts with the election of the root bridge, which is based on the bridge identifier. A bridge identifier consists of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is configurable; it ranges from 0 to 65535 and defaults to 32768.
The switch with the smallest identifier in the network becomes the root bridge. The priority is compared first; if the switches have the same priority, their MAC addresses are compared, and the switch with the smallest MAC address is elected.
In this example, the three switches have the same priority. SWA has the smallest MAC address, so SWA is elected as the root bridge.

STP elects a root port for each non-root bridge. Each port of a switch has a port cost parameter. The port cost is the cost of sending data out of this port, namely the cost of the outgoing port; STP considers that receiving data on a port costs nothing. The port cost depends on the bandwidth of the port: the higher the bandwidth, the smaller the port cost. On the VRP, the cost of a 100M half-duplex port is 200 and the cost of a 100M full-duplex port is 199.
Multiple paths may exist between a non-root bridge and the root bridge. The cost of a path is the total cost of all outgoing ports on that path.
The root port is the local port on the least-cost path from a non-root bridge to the root bridge, and the cost of that path is called the root path cost. If more than one port offers the same least cost, the system compares the identifiers of the upstream switches, and the port whose upstream switch has the smallest identifier is elected. If the upstream switches have the same bridge identifier, the system compares the identifiers of the upstream ports, and the port whose upstream port has the smallest identifier is elected. The port identifier consists of a 1-byte port priority and a 1-byte port number.
The port priority is configurable. The default value is 128.
In this example, we assume that all ports are 100 M ports and
their cost values are all 200.

STP elects a designated port for each network segment. The designated port forwards the data transmitted between the root bridge and that segment, and the switch on which the designated port is located is called the designated switch.
When electing the designated port and designated bridge for a segment, STP compares the root path costs of the switches whose ports connect to the segment. If the switches have the same root path cost, STP compares their bridge identifiers, and the port on the switch with the smallest identifier wins. If the identifiers are also the same, STP compares the identifiers of the ports connected to the segment, and the port with the smallest identifier wins.
On the root bridge, all ports are designated ports for their connected segments. Therefore, the designated ports of LANA and LANB are both on SWA.
LAND and LANE are each connected to a port of only one switch, and those ports are the designated ports for LAND and LANE respectively.
LANC is connected to ports of two switches, and the two switches have the same root path cost. Therefore, the identifiers
of the switches are compared. SWB has the smaller identifier (because its MAC address is smaller), so the designated port for LANC is on SWB.
A port that is neither the root port nor a designated port is called an alternate port. An alternate port does not forward data and is in the Blocking state.
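The election procedure of the last few slides (root bridge by bridge identifier, root path cost as the sum of outgoing port costs, root port with its tie-breakers, designated port per network segment, remaining ports blocked as alternate ports) worked through in code. This is an added example, not code from the course or from VRP: the switch names, LAN names and the idea of the topology follow the slides, while the MAC addresses, port names, port numbers and the exact wiring are constructed. Priorities default to the values of the later slide (4096 and 8192; the SWC value there reads 32678, the default 32768 is used here and gives the same result), and calling it with equal priorities reproduces the election by smallest MAC address.

```python
"""Spanning tree election as the slides describe it: root bridge by bridge ID,
root path cost as the sum of outgoing port costs, root port with its
tie-breakers, designated port per network segment, alternate ports blocked.
Added example, not the course's or VRP's code. Switch names, LAN names and
priorities follow the slides; MAC addresses, port names/numbers and the exact
wiring are constructed."""

class Port:
    def __init__(self, bridge, name, segment, number, cost=200, priority=128):
        self.bridge, self.name, self.segment = bridge, name, segment
        self.cost = cost                  # cost of sending OUT through this port
        self.pid = (priority, number)     # port ID: 1-byte priority, 1-byte number
        self.role = self.state = None

class Bridge:
    def __init__(self, name, priority, mac):
        self.name, self.priority, self.mac = name, priority, mac
        self.ports = {}

    @property
    def bid(self):
        # Bridge ID: 2-byte priority, then 6-byte MAC; the smaller tuple wins.
        return (self.priority, self.mac)

    def add_port(self, name, segment, number, cost=200):
        self.ports[name] = Port(self, name, segment, number, cost)

def compute_stp(bridges):
    """Assign a role and state to every port; return (root, {bridge: root path cost})."""
    segments = {}
    for b in bridges:
        for p in b.ports.values():
            segments.setdefault(p.segment, []).append(p)

    # 1. Root bridge: the smallest bridge ID (priority first, then MAC).
    root = min(bridges, key=lambda b: b.bid)

    # 2. Root path cost: cheapest sum of outgoing port costs towards the root
    #    (receiving costs nothing). Relax over all segments until stable.
    rpc = {b: float("inf") for b in bridges}
    rpc[root] = 0
    changed = True
    while changed:
        changed = False
        for ports in segments.values():
            for p in ports:
                for up in ports:
                    if up.bridge is not p.bridge and rpc[up.bridge] + p.cost < rpc[p.bridge]:
                        rpc[p.bridge], changed = rpc[up.bridge] + p.cost, True

    # 3. Root port of each non-root bridge: least root path cost, then smallest
    #    upstream bridge ID, then smallest upstream port ID.
    for b in bridges:
        if b is root:
            continue
        candidates = [((rpc[up.bridge] + p.cost, up.bridge.bid, up.pid), p)
                      for p in b.ports.values()
                      for up in segments[p.segment] if up.bridge is not b]
        if candidates:
            min(candidates, key=lambda c: c[0])[1].role = "root"

    # 4. Designated port of each segment: attached bridge with the least root
    #    path cost, then smallest bridge ID, then smallest port ID. The root's
    #    ports (cost 0) therefore win on every segment they touch.
    for ports in segments.values():
        min(ports, key=lambda p: (rpc[p.bridge], p.bridge.bid, p.pid)).role = "designated"

    # 5. Every remaining port is an alternate port and is blocked.
    for b in bridges:
        for p in b.ports.values():
            p.role = p.role or "alternate"
            p.state = "Forwarding" if p.role in ("root", "designated") else "Blocking"
    return root, {b.name: c for b, c in rpc.items()}

def slide_topology(prio_a=4096, prio_b=8192, prio_c=32768):
    """LANA: SWA-SWB, LANB: SWA-SWC, LANC: SWB-SWC, LAND: SWB only, LANE: SWC only."""
    swa = Bridge("SWA", prio_a, "0001-0000-0001")   # constructed MACs; SWA's is smallest
    swb = Bridge("SWB", prio_b, "0001-0000-0002")
    swc = Bridge("SWC", prio_c, "0001-0000-0003")
    swa.add_port("E0/1", "LANA", 1); swa.add_port("E0/2", "LANB", 2)
    swb.add_port("E0/1", "LANA", 1); swb.add_port("E0/2", "LANC", 2); swb.add_port("E0/3", "LAND", 3)
    swc.add_port("E0/1", "LANB", 1); swc.add_port("E0/2", "LANC", 2); swc.add_port("E0/3", "LANE", 3)
    return [swa, swb, swc]

def port_roles(bridges):
    return {(b.name, p.name): (p.role, p.state) for b in bridges for p in b.ports.values()}

if __name__ == "__main__":
    bridges = slide_topology()
    root, costs = compute_stp(bridges)
    print("root bridge:", root.name, "root path costs:", costs)
    for key, val in sorted(port_roles(bridges).items()):
        print(key, val)
```

The result matches the slides: SWA is root with both ports designated, SWB and SWC each have a root port towards SWA with root path cost 200, LANC is decided by the bridge identifier in favour of SWB, and SWC's port on LANC is the alternate port left in Blocking state.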
STP defines three roles for an STP-enabled port that works normally at the physical layer and data link layer: root port, designated port and alternate port. The root port and designated port are in the Forwarding state. A port that is not enabled is called a Disabled port.

After being enabled, a port enters the Listening state and begins to calculate the spanning tree. After the calculation, if the port becomes an alternate port, its state changes to Blocking. If the port becomes the root port or a designated port, its state switches from Listening to Learning after one forward delay period, and from Learning to Forwarding after another forward delay period; the port can then forward data frames.

1: The port is elected as the designated port or root port.
2: The port is elected as the alternate port.
3: The port waits one forward delay period. By default, the forward delay is 15 seconds.
When a port is disabled, it enters the Disabled state. Before switching from a non-Forwarding state to the Forwarding state, a port must wait twice the forward delay. Thus the risk of a temporary loop is avoided.
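The port state machine of the two slides above, as an added example (not code from the course or from VRP): Listening to Learning to Forwarding with one forward delay per step, an alternate port dropping to Blocking at once, a disabled port in Disabled. The 15 s default is the slide's; the clock and the sequence of role changes fed to the port are constructed.

```python
"""STP port state machine with the forward delay timer, as described on the
slides: Listening -> Learning -> Forwarding takes two forward delay periods,
an alternate port drops to Blocking at once, a disabled port is Disabled.
Added example, not code from the course or from VRP. Times are seconds on a
constructed clock."""

FORWARD_DELAY = 15   # default forward delay on the slide, in seconds

class StpPort:
    def __init__(self):
        self.state = "Disabled"
        self.role = None
        self.timer_start = None   # when the current forward delay period began
        self.history = []         # (time, state) after every change

    def _set(self, now, state):
        if state != self.state:
            self.state = state
            self.history.append((now, state))

    def enable(self, now):
        # An enabled port starts in Listening and takes part in the calculation.
        self._set(now, "Listening")
        self.timer_start = now

    def disable(self, now):
        self._set(now, "Disabled")
        self.role, self.timer_start = None, None

    def set_role(self, now, role):
        """Outcome of the spanning tree calculation for this port."""
        self.role = role
        if self.state == "Disabled":
            return
        if role == "alternate":
            # Leaving the forwarding path needs no delay: block immediately.
            self._set(now, "Blocking")
            self.timer_start = None
        elif self.state == "Blocking":
            # Re-elected as root or designated port: start again from Listening.
            self._set(now, "Listening")
            self.timer_start = now

    def tick(self, now):
        """Apply the timer-driven transitions that are due by time `now`."""
        if self.role not in ("root", "designated") or self.timer_start is None:
            return
        while self.state in ("Listening", "Learning") and now - self.timer_start >= FORWARD_DELAY:
            self.timer_start += FORWARD_DELAY
            self._set(self.timer_start, "Learning" if self.state == "Listening" else "Forwarding")
        if self.state == "Forwarding":
            self.timer_start = None

def scenario():
    """Enable at t=0 as root port, demote to alternate at t=40, re-elect as
    designated at t=50; return the (time, state) history."""
    port = StpPort()
    port.enable(0)
    port.set_role(0, "root")
    for t in (14, 15, 29, 30):
        port.tick(t)
    port.set_role(40, "alternate")
    port.set_role(50, "designated")
    port.tick(80)
    return port.history

if __name__ == "__main__":
    for when, state in scenario():
        print(f"t={when:3d}s  {state}")
```

The history shows the asymmetry the slides rely on: a port that must stop forwarding does so at the moment of the recalculation, while a port that starts forwarding waits 2 x 15 s, which is the time the rest of the network has to block its own ports.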

This figure shows the physical topology. The priority of SWA is
4096; the priority of SWB is 8192; the priority of SWC is 32678.
Therefore, SWA becomes the root bridge and SWB becomes the
designated switch of LANC.

stp { enable | disable }
The stp command enables or disables STP on a switch or on a port. By default, STP is enabled on the switch.
stp mode { stp | rstp | mstp }
The stp mode command sets the STP working mode of a switch. By default, the working mode of the switch is MSTP. RSTP and MSTP are described in later courses; this course describes only STP.
stp priority priority
priority: specifies the priority of the switch. The value ranges from 0 to 61440 in steps of 4096, so 16 priority values are available, for example 0, 4096, 8192 and so on.
The stp priority command sets the bridge priority. By default, the bridge priority is 32768.

In the global information, the root bridge identifier is different
from the identifier of this switch. It indicates that this switch is a
non-root switch.

The STP port information output indicates that:
The port state is Forwarding.
The port is the root port.
The default port priority is 128.
The identifier of the designated port of the network segment
connected to this port is 0.4c1f-cc45-aacc, which identifies
SWA.

When port roles and states change, temporary loops may be formed. In this example, SWA is initially the root bridge. Among all switches, only SWD has an alternate port, E0/2, and that port is in a non-Forwarding state. Assume that the priority of SWC is changed so that SWC becomes the new root switch. Then E0/2 of SWD becomes the new root port and switches to the Forwarding state, E0/1 of SWD becomes the new designated port and switches to the Forwarding state, and E0/2 of SWB should become the new alternate port and switch to a non-Forwarding state. If E0/2 of SWD switches from a non-Forwarding state to the Forwarding state before E0/2 of SWB switches from the Forwarding state to a non-Forwarding state, a temporary loop is formed in the network. To avoid temporary loops, a port (for example, E0/1 of SWC) must wait long enough before switching from a non-Forwarding state to the Forwarding state, so that the ports that must switch to a non-Forwarding state have enough time to calculate the spanning tree and make that switch.

In STP, the transition of a port from the Blocking state to the Forwarding state takes at least twice the Forward Delay, which is unsuitable for many applications. RSTP (Rapid Spanning Tree Protocol) resolves this problem through the following mechanisms:
1. Two port roles, the Alternate Port and the Backup Port, are allocated as backups for the root port and the designated port respectively, for fast state transition. When the root port fails, the Alternate Port becomes the new root port and switches to the Forwarding state without delay; when the designated port fails, the Backup Port becomes the new designated port and switches to the Forwarding state without delay.
2. On a point-to-point link connecting only two switch ports, the designated port can change to the Forwarding state without delay after a one-way handshake with the downstream bridge. If more than three bridges are connected by a shared link, the downstream bridge does not respond to the handshake request sent from the upstream designated port, and the port changes to the Forwarding state only after twice the Forward Delay.
3. A port is defined as an Edge Port if it is connected directly to a terminal rather than to another bridge; an Edge Port can enter the Forwarding state without any delay. However, it
should be configured manually, since the bridge cannot tell whether the port is directly connected to a terminal or not.
In STP, all VLANs in a LAN generally share the same spanning tree, so load balancing between VLANs cannot be implemented, and it is even possible that packets of some VLANs cannot be forwarded at all. As this slide shows, both SWB and SWC connect users in VLAN10 and VLAN20. The link between SWB and SWA and the link between SWA and SWC allow VLAN10 and VLAN20 to pass; the other links allow only VLAN10. If port E0/20 is blocked, the VLAN20 users on SWB can reach SWC only over the link between SWB and SWC. Because that link allows only VLAN10 to pass, communication fails.

To solve the second problem, MSTP (Multiple Spanning Tree Protocol) was put forward. MSTP is a newer protocol defined by IEEE in 802.1Q-2005 and introduces the concept of instances. Simply put, STP/RSTP is port based, while MSTP is instance based. An instance is a collection of VLANs under a single converged spanning tree. Binding multiple VLANs to a single instance saves communication cost and network resources. In MSTP, the topology calculation of every instance is independent, so load balancing can be implemented across instances. In practice, multiple VLANs with the same topology can be mapped to the same instance.

How does STP converge to prevent switching loops in the
network?
STP elects a root bridge, and then elects a root port for each
non-root switch and elects a designated port for each network
segment. The ports that are neither the root port nor the
designated port are set to be in Blocking state.
How does STP resolve the problem of temporary loops?
Before switching from a non-Forwarding state to a Forwarding
state, a port needs to wait twice the forward delay period. This
ensures that other switches have enough time to calculate the
spanning tree.

In this example:
There is only one router, RTA, in the LAN, and it is used as the gateway by all the PCs, so no redundancy is provided.
If RTA fails, all PCs in the network will be unable to reach external networks. In other words, this kind of network has a single point of failure, resulting in a high chance of isolation from external networks.
VRRP is designed to provide a virtual router on a LAN.
In this case:
There are two routers, RTA and RTB, on the LAN. RTA has physical IP address 10.1.1.251/24 and RTB has physical IP address 10.1.1.252/24. RTA and RTB are configured to be associated with the same Virtual Router, which has the virtual IP address 10.1.1.254. All PCs on the LAN can use the virtual IP address 10.1.1.254 as their default gateway, regardless of the physical IP addresses of the two routers. VRRP elects one of the VRRP routers as the Master, and the Master processes all packets sent to the virtual IP address. If the Master fails, VRRP elects a new Master from the other VRRP routers.

A Virtual Router is identified by both its Virtual Router ID and its associated Virtual IP Address. Multiple Virtual Routers can be configured on the same interface. The Virtual Router ID (VRID) is the identifier of a Virtual Router; it is configurable in the range 1-255 (decimal). The VRIDs configured on all VRRP routers of the same virtual group must be the same. A Virtual Router can be associated with more than one Virtual IP Address, but the Virtual IP Addresses configured on the VRRP routers of the same Virtual Router must be the same. VRRP routers with the same VRID but different virtual IP addresses, or conversely with the same virtual IP address but different VRIDs, are regarded by VRRP as belonging to different Virtual Routers.

Master: The VRRP router that is assuming the responsibility of
forwarding packets sent to the IP address(es) associated with
the virtual router, and answering ARP requests for these IP
addresses.
Backup: The set of VRRP routers available to assume forwarding
responsibility for a virtual router if the current Master fails.
The election of Master is based on the value of Priority. For the
same interface, different Priority values could be assigned to
different associated virtual routers.

Config Priority: the configured Priority; the default value is 100.
Run Priority: the Priority used while the protocol is running; usually it is the same as the Config Priority.
The Priority is in the range 0-255. The value 255 is reserved for the IP address owner, and a VRRP packet with Priority 0 is used to trigger an immediate changeover from Backup to Master.
In this case, the priority of RTA is 100, which is lower than the priority 200 of RTB, so RTB is the Master and RTA is the Backup.

In this case:
There is a VRRP router that has the virtual router's IP address(es)
as real interface address(es). Such a router is called the IP
Address Owner.

Whatever the Config Priority is, the Run Priority of the IP address owner is always 255, so the IP address owner is always the Master. Although the configured priority of RTB is higher than that of RTA, RTB is still the Backup, because its Run Priority is lower than that of RTA. Hence, the factor that decides the election of the Master is the Run Priority, not the Config Priority.

In this case:
There are two routers in this LAN, RTA and RTB. A single Virtual
Router is to be configured, with VRID 1 and Virtual IP Address
10.1.1.254. The Priority of RTB is to be configured as 200, and
that of RTA as 100, so as to make RTB the Master.

VRRP is configured in the interface view.
vrrp vrid virtual-router-ID virtual-ip virtual-address
undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]
virtual-router-ID: the identifier of the Virtual Router, in the range 1-255.
virtual-address: the virtual IP address.
By default, if the Priority of the virtual router is not specified, its value is 100.

The VRID and Virtual IP Address must be the same as those configured on RTA.
vrrp vrid virtual-router-ID priority priority-value
undo vrrp vrid virtual-router-ID priority
virtual-router-ID: the identifier of the Virtual Router, in the range 1-255.
priority-value: the value of the Priority, configurable from 1 to 254.
When configuring the priority, the VRID must be specified. Different virtual routers can be configured with different priority values.
In this case:
There are two routers in the LAN, and two Virtual Routers are to be configured: one with VRID 1 and Virtual IP Address 10.1.1.100, the other with VRID 2 and Virtual IP Address 10.1.1.200. The Priority of Virtual Router 1 is configured as 200 on RTA and 100 on RTB, so that RTA is the Master of Virtual Router 1. The Priority of Virtual Router 2 is configured as 200 on RTB and 100 on RTA, so that RTB is the Master of Virtual Router 2.
Hence, RTA is the Master of Virtual Router 1 and the Backup of Virtual Router 2, while RTB is the Master of Virtual Router 2 and the Backup of Virtual Router 1. PCs in the LAN can use different Virtual IP addresses as their default gateway, so as to implement traffic sharing.

On RTA, two Virtual Routers are configured as follows:
Virtual Router 1: Virtual IP address 10.1.1.100, Priority 200;
Virtual Router 2: Virtual IP address 10.1.1.200, Priority 100 (default).

On RTB, two Virtual Routers are configured as follows:
Virtual Router 1: Virtual IP address 10.1.1.100, Priority 100 (default);
Virtual Router 2: Virtual IP address 10.1.1.200, Priority 200.

VRRP can track upstream interfaces. In this case:
RTB is the Master router. If interface Ethernet 1/0 (the WAN interface) of RTB goes down, RTA should immediately become the new Master. VRP supports this by configuring RTB so that the Virtual Router tracks interface Ethernet 1/0. If interface Ethernet 1/0 goes down, the Priority of the Virtual Router is reduced by a configured value to a new value lower than that of RTA, so RTA automatically becomes the new Master. If interface E1/0 of RTB recovers and works properly, the priority of RTB returns to its original value and RTB becomes the Master again.

The configuration of RTA is the same as in the single Virtual Router configuration.
By default, the Priority is 100.

With its Priority configured as 200, RTB is the Master. Tracking of interface Ethernet 1/0 is configured on RTB. If interface Ethernet 1/0 goes down, the Priority is reduced by 150 to a new Priority of 50, so RTA becomes the new Master.

These are the VRRP states when the tracked interface is down. On RTB, although the Config Priority is 200, the Run Priority is reduced to 50, so RTA becomes the Master.
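The Master election rules of this chapter in code, as an added example (not VRP's own code): the Run Priority derived from the Config Priority, the IP address owner forced to 255, the tracked upstream interface lowering the priority, and the two-Virtual-Router load-sharing setup. Router names, addresses, VRIDs and priorities follow the slides; the interface states fed in are constructed. Two details are not on the slides and are stated here as assumptions: equal priorities are broken by the higher interface address (the RFC 3768 rule), and the tracking reduction never takes the priority below 1, because 0 has the special meaning of leaving the group.

```python
"""VRRP Master election as the slides describe it. Added example, not VRP's
own code. Router names, addresses, VRIDs and priorities follow the slides;
the tracked-interface states fed in are constructed."""
from dataclasses import dataclass

@dataclass
class Member:
    """One router's membership in one Virtual Router (one VRID)."""
    router: str
    interface_ip: str           # physical address of the router on the LAN
    config_priority: int = 100  # Config Priority; 100 by default
    track_reduce: int = 0       # subtracted while the tracked upstream interface is down

def run_priority(m: Member, virtual_ip: str, tracked_up: bool = True) -> int:
    """Run Priority: 255 for the IP address owner, otherwise the Config
    Priority lowered by the tracking reduction while the upstream interface
    is down (assumption: never lowered below 1, since 0 means 'leave the group')."""
    if m.interface_ip == virtual_ip:
        return 255
    prio = m.config_priority
    if not tracked_up:
        prio = max(prio - m.track_reduce, 1)
    return prio

def elect_master(virtual_ip, members, tracked_state=None):
    """Return (master router name, {router: run priority}). The highest Run
    Priority wins; on a tie the higher interface address wins, which is the
    RFC 3768 rule and is not stated on the slides."""
    tracked_state = tracked_state or {}
    prios = {m.router: run_priority(m, virtual_ip, tracked_state.get(m.router, True))
             for m in members}
    def key(m):
        return (prios[m.router], tuple(int(o) for o in m.interface_ip.split(".")))
    return max(members, key=key).router, prios

# Constructed scenarios matching the slides.
RTA_IP, RTB_IP = "10.1.1.251", "10.1.1.252"
SINGLE_VR = [Member("RTA", RTA_IP, 100), Member("RTB", RTB_IP, 200, track_reduce=150)]
OWNER_VR = [Member("RTA", "10.1.1.254", 100), Member("RTB", RTB_IP, 200)]  # RTA owns 10.1.1.254
VR1 = [Member("RTA", RTA_IP, 200), Member("RTB", RTB_IP, 100)]   # VRID 1, virtual IP 10.1.1.100
VR2 = [Member("RTA", RTA_IP, 100), Member("RTB", RTB_IP, 200)]   # VRID 2, virtual IP 10.1.1.200

if __name__ == "__main__":
    print("single VR, all links up:   ", elect_master("10.1.1.254", SINGLE_VR))
    print("single VR, RTB uplink down:", elect_master("10.1.1.254", SINGLE_VR, {"RTB": False}))
    print("RTA is IP address owner:   ", elect_master("10.1.1.254", OWNER_VR))
    print("VRID 1:", elect_master("10.1.1.100", VR1), " VRID 2:", elect_master("10.1.1.200", VR2))
```

Each scenario reproduces a slide: RTB wins with 200 against 100; with Ethernet 1/0 down its Run Priority drops to 50 and RTA takes over; an address owner wins with 255 regardless of a higher configured priority on the other router; and the two Virtual Routers give each router one Master role.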

This chapter covers the following points:
1. Why is VRRP needed?
Because a single gateway cannot provide any redundancy, its availability is very poor.
2. What is VRRP?
The result of running VRRP is a virtual router in the LAN.
3. How can a virtual router be identified?
By its VRID and the associated Virtual IP address(es).
4. How is the Master elected?
The election of the Master is based on the Priority of the Virtual Router.
5. What are the special priority values?
A Priority of 255 indicates that the current router is the Virtual IP address owner.
A Priority of 0 indicates that the device stops taking part in the backup group.
6. How is a single Virtual Router configured?
Configure the Virtual Router, its Virtual IP address and the value of the Priority.
7. How are multiple Virtual Routers configured?
Configure multiple Virtual Routers; for different Virtual Routers, different routers are made the Master through proper configuration of the Priority values.
8. How does tracking an uplink interface support VRRP operation?
By configuring the VRRP router so that the priority value changes along with the state of a tracked interface should it fail.


Module 4
WAN

HDLC, drafted by the ISO, is a bit-oriented communication protocol. The basic unit transmitted by HDLC is the frame. Its most outstanding feature is that the data need not belong to a specified character set: any bit stream can be transmitted transparently.
In the 1970s, IBM put forward the bit-oriented Synchronous Data Link Control (SDLC). ANSI and ISO then adopted and developed SDLC into their own standards: the Advanced Data Communication Control Procedure (ADCCP) of ANSI and HDLC of ISO.
As a bit-oriented protocol, HDLC has the following features:
1. The protocol is independent of any character set.
2. Packets can be transmitted transparently. The 0-bit insertion method used for transparent transmission can be implemented in hardware.
3. Full-duplex communication can be implemented. Data can be transmitted continuously without waiting, so data transmission on the link is highly efficient.
4. All frames carry a CRC check, and frames are numbered.
Thus no frame is lost or received twice, and transmission reliability is high.
5. Transmission control is separated from processing, which makes HDLC flexible and controllable.
All protocols in the standard HDLC protocol suite run on synchronous serial lines.


An HDLC frame consists of the flag field (F), the address field (A), the control field (C), the information field (I), and the sequence number field (FCS).
Flag field (F)
The flag field has the format 01111110. The two flag fields mark the start and the end of a frame. The flag can also be used as fill between frames.
Address field (A)
The address field carries the address information.
Control field (C)
The control field forms the commands and responses used to monitor and control the link. The primary (or combined) station at the sender uses the control field to request the secondary (or combined) station to perform a specified operation. The secondary station uses this field to respond to commands and to report completed operations or a change of status.
Information field (I)
The information field can be any binary bit string. Its length is not limited by the protocol; the upper limit depends on the FCS field or on the buffer capacity of the communicating node. The commonly used length is 1000-2000 bytes.
The lower limit can be 0, namely no information field. The
supervisory frame, however, cannot have an information field.
Sequence number field (FCS)
The FCS field contains 16 bits. It is used to verify the entire frame between the two flag fields.


HDLC frames are classified into the information frame (I frame), the supervisory frame (S frame), and the unnumbered frame (U frame).
Information frame (I frame)
The I frame transmits the valid information or data.
Supervisory frame (S frame)
The S frame controls errors and flow. If the first two bits of the control field are 10, the frame is an S frame. The S frame contains no information field; it is only 6 bytes, namely 48 bits, long.
Unnumbered frame (U frame)
The U frame is used to establish, release, and control the link.
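The frame format and frame types of the last two slides worked through in code, as an added example (not code from the course or from VRP): the 01111110 flag, 0-bit insertion after five consecutive 1s so that the flag pattern can never occur inside a frame, a 16-bit FCS over address, control and information, and I/S/U classification from the first bits of the control field. Two conventions are assumptions rather than slide content: the FCS is computed as CRC-16/X-25 (the variant ISO HDLC uses; the slide only says 16 bits) and is placed low octet first, and bits are represented as strings in transmission order, least significant bit of each octet first. The sample frames are constructed.

```python
"""HDLC framing as an added example (not the course's or VRP's code): flag
01111110, 0-bit insertion for transparent transmission, a 16-bit FCS over
address + control + information, and I/S/U classification from the control
field. Assumptions: the FCS is CRC-16/X-25 (the slide only says 16 bits) sent
low octet first, and bits are strings of '0'/'1' in transmission order with
the least significant bit of each octet first."""

FLAG = "01111110"

def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected polynomial 0x1021, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}"[::-1] for b in data)     # LSB of each octet first

def from_bits(bits: str) -> bytes:
    if len(bits) % 8:
        raise ValueError("frame body is not a whole number of octets")
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))

def stuff(bits: str) -> str:
    """0-bit insertion: after five consecutive 1s insert a 0, so the flag
    pattern (six 1s in a row) can never appear inside the frame body."""
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        ones = ones + 1 if bit == "1" else 0
        if ones == 5:
            out.append("0")
            ones = 0
    return "".join(out)

def unstuff(bits: str) -> str:
    out, ones, i = [], 0, 0
    while i < len(bits):
        bit = bits[i]
        out.append(bit)
        ones = ones + 1 if bit == "1" else 0
        i += 1
        if ones == 5:
            if i >= len(bits) or bits[i] != "0":
                raise ValueError("flag or abort sequence inside frame body")
            i += 1          # drop the inserted 0
            ones = 0
    return "".join(out)

def frame_type(control: int) -> str:
    """First transmitted bit 0 -> I frame; first two bits 10 -> S; 11 -> U."""
    if control & 0x01 == 0:
        return "I"
    return "S" if control & 0x02 == 0 else "U"

def build_frame(address: int, control: int, info: bytes = b"") -> str:
    body = bytes([address, control]) + info
    fcs = crc16_x25(body)
    body += bytes([fcs & 0xFF, fcs >> 8])               # FCS low octet first (assumption)
    return FLAG + stuff(to_bits(body)) + FLAG

def parse_frame(wire: str):
    """Return (address, control, info, frame type) or raise ValueError."""
    if not (wire.startswith(FLAG) and wire.endswith(FLAG)):
        raise ValueError("missing opening or closing flag")
    body = from_bits(unstuff(wire[len(FLAG):-len(FLAG)]))
    if len(body) < 4:
        raise ValueError("frame too short for address, control and FCS")
    payload, fcs = body[:-2], body[-2] | (body[-1] << 8)
    if crc16_x25(payload) != fcs:
        raise ValueError("FCS mismatch")
    return payload[0], payload[1], payload[2:], frame_type(payload[1])

def frame_ok(wire: str) -> bool:
    try:
        parse_frame(wire)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: information bytes that contain the flag pattern itself.
    wire = build_frame(0xFF, 0x11, b"\x7e\xff\x7f")
    print(wire)
    print(parse_frame(wire))
```

The sample payload deliberately contains 0x7E and runs of 1s; after stuffing, the body between the flags never contains 01111110, which is the transparency property the slide attributes to 0-bit insertion, and a single flipped bit on the wire is rejected either by the unstuffing step or by the FCS.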

HDLC configuration on a serial link is simple. The user only needs to configure HDLC in the interface view and then configure the IP address. The link-protocol hdlc command sets the link-layer encapsulation protocol of the interface to HDLC.
NOTE: The encapsulation modes on the two interfaces of the communicating nodes must be the same. The default encapsulation protocol on the serial interface of V.RP-based routers is PPP. When VRP-based routers are interconnected with devices of other vendors, make sure that the encapsulation modes match.

After the configuration is complete, the user can use ping to check
whether the configuration is correct. If the two nodes can send and
receive ping packets, the configuration is deemed successful;
otherwise, check whether the configuration on the corresponding
interfaces is accurate.

As shown in the figure above, RouterA and RouterB are connected
through serial interfaces running HDLC. Interface S0/0/1 on RouterA
borrows the IP address of the local loopback interface, which uses a
32-bit mask. The ip address unnumbered interface LoopBack 0 command
configures interface S0/0/1 to borrow the IP address of interface
LoopBack 0. The ip route-static 10.1.1.0 24 Serial 0/0/1 command
configures a static route to network 10.1.1.0 whose outbound
interface is Serial0/0/1. For the configuration of static routes,
refer to the routing module.

The display ip interface brief command displays the IP addresses of
the interfaces. In this example, Serial0/0/1 and LoopBack0 use the
same IP address. If an interface were configured with the same
address as another interface without borrowing it, a message would
be displayed to warn of an IP address conflict. In this example,
however, Serial0/0/1 borrows the IP address of LoopBack0, so there is
no conflict.

Ping can be used to test the connectivity between the two routers.
If the test succeeds, the router configuration is correct; otherwise,
check whether the configuration of the corresponding interfaces
matches.
1. What is HDLC?
High-level Data Link Control (HDLC) is a bit-oriented link-layer
protocol. The protocols of the HDLC protocol suite run on
synchronous serial links.
2. Which fields make up the HDLC frame structure?
An HDLC frame consists of the flag field (F), address field (A),
control field (C), information field (I), and a sequence number
field (FCS).

PPP sits at the data link layer of the TCP/IP stack and is the most
widely used point-to-point link-layer protocol. PPP is used to
encapsulate and transmit IP packets over serial, ATM, and SDH links.

PPP consists of three components: the datagram encapsulation method,
the Link Control Protocol (LCP), and the Network Control Protocols
(NCPs). The datagram encapsulation method defines how packets of
multiple protocols are encapsulated.
To adapt to various link types, PPP defines LCP. LCP can test the
link environment (for example, whether a loop exists) and negotiate
link parameters (for example, the maximum packet length and the type
of authentication protocol). Unlike many other link layer protocols,
PPP provides authentication: the two ends of the link negotiate the
authentication protocol to be used and then perform the
authentication. The session can be established only after the
authentication succeeds. With this feature, ISPs can use PPP to
authenticate the access of dispersed subscribers.
PPP defines a group of NCP protocols, one for each network layer
protocol. An NCP negotiates network layer parameters such as IP
addresses. For example, IPCP negotiates IP control parameters, and
IPXCP negotiates IPX control parameters.

The PPP data frame encapsulation differentiates the packets of each
upper layer protocol. The PPP encapsulation format contains only
three fields.
Protocol: This field contains two bytes. It identifies the type of
protocol encapsulated in the PPP frame, for example, IP, LCP, or NCP.
The common values are shown in the figure above.
Information: This field contains the data encapsulated in PPP, for
example, LCP data, NCP data, or network-layer packets. The length of
this field is variable.
Padding: This field pads the Information field. The total length of
the Padding and Information fields is the maximum receive unit (MRU)
of PPP. The default MRU is 1500 bytes.
If the Information field is shorter than the MRU, PPP may fill the
Padding field up to the MRU for convenient transmission. The padding
is not mandatory; that is, the Padding field is optional.

PPP frames cannot be transmitted directly on the link. Additional
encapsulation and control mechanisms must be used depending on the
link type. PPP frames transmitted on a serial link must comply with
HDLC framing.
Flag: indicates the start or the end of the frame. The value is
01111110.
Address: the address field, set to all 1s. Because PPP is a
point-to-point protocol, it needs no addressing mechanism. The
all-1s address represents the receiving end.
Control: the control field. HDLC can use this field to transmit
data and control packets in order. In PPP, the value of this field
is 0x03, which indicates that the data is transmitted in unnumbered
mode. This is a simple working mechanism.
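The HDLC control-field classification described earlier (I, S and U frames) and the PPP-in-HDLC framing just described (flag, all-ones address, control 0x03, two-byte protocol, information, 16-bit FCS) in working Python. This is an added example, not course or VRP code; the FCS is the RFC 1662 CRC-16, the protocol numbers are the IANA PPP assignments, and byte stuffing is left out.

```python
"""PPP-over-HDLC framing (flag 0x7E, address 0xFF, control 0x03, two-byte
protocol, information, 16-bit FCS) and HDLC control-field classification.
Added illustration, not course code; byte stuffing (0x7D escapes) is omitted."""
import struct

FLAG = 0x7E
PPP_ADDRESS = 0xFF  # all ones: a point-to-point link needs no addressing
PPP_CONTROL = 0x03  # unnumbered information

# PPP protocol field values (IANA PPP numbers).
PROTOCOL_NAMES = {0x0021: "IP", 0xC021: "LCP", 0x8021: "IPCP",
                  0xC023: "PAP", 0xC223: "CHAP"}


def fcs16(data: bytes) -> int:
    """HDLC/PPP 16-bit FCS (CRC-16/X.25 as specified in RFC 1662): reflected
    polynomial 0x8408, initial value 0xFFFF, final one's complement."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def classify_control(control: int) -> str:
    """HDLC frame type from the control field. Reading the field from its
    least significant bit, an I frame starts with 0, an S frame with 10
    and a U frame with 11."""
    if control & 0x01 == 0:
        return "I"
    return "S" if control & 0x03 == 0x01 else "U"


def build_ppp_frame(protocol: int, info: bytes) -> bytes:
    """Sender side: address, control, protocol, information, then the FCS
    computed over those bytes and transmitted low byte first."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack(">H", protocol) + info
    return bytes([FLAG]) + body + struct.pack("<H", fcs16(body)) + bytes([FLAG])


def parse_ppp_frame(frame: bytes) -> dict:
    """Receiver side: check the flags and the FCS first, then the fixed PPP
    header, and only then hand the protocol and information field upward."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by HDLC flags")
    body = frame[1:-3]
    (received_fcs,) = struct.unpack("<H", frame[-3:-1])
    if fcs16(body) != received_fcs:
        raise ValueError("FCS mismatch: frame damaged in transit")
    address, control = body[0], body[1]
    if address != PPP_ADDRESS or control != PPP_CONTROL:
        raise ValueError(f"not a PPP frame: address={address:#x} control={control:#x}")
    (protocol,) = struct.unpack(">H", body[2:4])
    return {"frame_type": classify_control(control),
            "protocol": PROTOCOL_NAMES.get(protocol, f"{protocol:#06x}"),
            "info": body[4:]}


if __name__ == "__main__":
    # Constructed sample: a four-byte LCP payload carried in a PPP frame.
    frame = build_ppp_frame(0xC021, b"\x01\x01\x00\x04")
    print(frame.hex(), parse_ppp_frame(frame))
```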

The basic configuration of PPP on a serial link is simple. Configure
PPP encapsulation in the interface view, and then configure the IP
address. The link-protocol ppp command sets the link layer protocol
of the interface to PPP.

This table lists the four types of LCP packets used to negotiate
link-layer parameters.
Configure-Request: The first packet in the link-layer negotiation
process, indicating the beginning of link-layer parameter
negotiation between the two ends.
Configure-Ack: After receiving a Configure-Request packet from the
peer, if the values of the negotiated parameters are acceptable, this
packet is used for acknowledgement.
Configure-Nak: After receiving a Configure-Request packet from the
peer, if the values of the negotiated parameters are not acceptable,
this packet is sent in reply, carrying the locally acceptable values.
Configure-Reject: After receiving a Configure-Request packet from the
peer, if some of the negotiated parameters cannot be identified, this
packet is sent in reply, carrying the parameters not identified.
As shown in the figure above, RTA and RTB are connected through a
serial link and run PPP. When the physical link is up, RTA and RTB
negotiate the link parameters through LCP. In this example, RTA
sends a Configure-Request packet to RTB containing the link layer
parameters configured on RTA. After RTB receives the
Configure-Request packet, it returns a Configure-Ack packet to RTA if
it can identify the parameters in the packet and their values are
acceptable.
If RTA does not receive the Configure-Ack packet, it re-sends the
Configure-Request packet every three seconds. If RTA still does not
receive the Configure-Ack packet after it has sent 10
Configure-Request packets, RTA considers RTB to have failed and
stops sending Configure-Request packets.
NOTE: Completion of the above process only indicates that RTB
considers the link parameters of RTA acceptable. RTB still needs to
send its own Configure-Request packet to RTA so that RTA can check
whether the parameters of RTB are acceptable.

After RTB receives the Configure-Request packet sent by RTA, RTB
checks the parameters contained in the packet. If RTB can identify
the link layer parameters but finds that some or all of the
parameter values cannot be accepted, RTB returns a Configure-Nak
packet to RTA.
The Configure-Nak packet contains only the unacceptable parameters,
with their values (or value ranges) changed to values that RTB can
accept.
After receiving the Configure-Nak packet, RTA modifies the parameter
values locally according to the values in the packet, and then
re-sends a Configure-Request packet. If the values still cannot be
accepted after five rounds of negotiation, the parameters are
disabled without further negotiation.

After RTB receives the Configure-Request packet sent by RTA, RTB
checks the parameters contained in the packet. If RTB cannot
identify some or all of the link layer parameters in the packet, RTB
returns a Configure-Reject packet to RTA. The Configure-Reject packet
contains only the unidentified parameters.
After receiving the Configure-Reject packet, RTA re-sends a
Configure-Request packet to RTB that no longer contains the
unidentified parameters.

On the VRP platform, the MRU is represented by the MTU configured on
the interface. The PPP authentication protocols in wide use are PAP
and CHAP (described in the following sections). The two ends of a
PPP link can authenticate each other using different authentication
protocols. The authenticated party, however, must support the
authentication protocol used by the peer, and the authentication
information, such as user name and password, must be configured
correctly.
LCP uses a magic number to detect abnormal cases such as a loop. A
magic number is generated randomly, and the random mechanism must
ensure that the two ends generate different magic numbers. After one
end receives a Configure-Request packet, it compares the magic
number in the packet with its local magic number. If the two numbers
are different, no loop exists on the link, and the receiving end
sends a Configure-Ack packet (provided the other parameters are also
agreed), indicating that the magic number is agreed. Packets sent
later that carry a magic number use the negotiated one, and LCP does
not generate new magic numbers any more.
If the magic number in the Configure-Request packet is the same as
the local magic number, the receiving end sends a Configure-Nak
packet containing a new magic number. LCP then sends a new
Configure-Request packet with a new magic number, whether or not the
received Configure-Nak packet contains the same magic number. If a
loop exists on the link, this process repeats continuously. If there
is no loop, normal packet exchange resumes.


If the authentication fails or the administrator closes the
connection manually, LCP stops the connection.
LCP closes connections by using the Terminate-Request and
Terminate-Ack packets. The Terminate-Request packet is sent to ask
the peer to close the connection. If one end receives a
Terminate-Request packet, LCP must return a Terminate-Ack packet to
confirm the closure of the connection.
If the sender does not receive the Terminate-Ack packet, it re-sends
the Terminate-Request packet every three seconds. If the sender
still fails to receive the Terminate-Ack packet after sending two
request packets, it considers the peer to have failed and closes the
connection.

After establishing a connection, LCP monitors the status of the link
by using the Echo-Request and Echo-Reply packets. After receiving an
Echo-Request packet, an end returns an Echo-Reply packet to indicate
that the link status is normal. On the VRP platform, an Echo-Request
packet is sent every 10 seconds.

PAP is the Password Authentication Protocol. It is used for password
authentication.
The configuration of PAP contains two steps:
1. Enable PAP authentication on the authenticator and create a PPP
user.
2. Configure the user name and password for PAP authentication on
the authenticated party.
local-user huawei password simple hello
This command creates a local user whose user name is huawei and
whose password is hello. The keyword simple indicates that the
password is stored in plain text in the configuration file. If the
keyword is cipher, the password is stored in cipher text in the
configuration file.
local-user huawei service-type ppp
This command configures user huawei as a PPP user.
ppp authentication-mode pap
This command enables PAP authentication on the authenticator, that
is, it requests the peer to use PAP authentication.

ppp pap local-user huawei password simple hello
This command configures the user name and password for PAP
authentication on the authenticated party.

The working process of PAP authentication is simple. After LCP
negotiation, the authenticator requests the peer to use PAP
authentication. The peer sends the user name and password in plain
text to the authenticator in an Authenticate-Request packet. In this
example, the user name is huawei and the password is hello.
After receiving the user name and password, the authenticator checks
them against its local database. If the information is correct, it
returns an Authenticate-Ack packet; otherwise, it returns an
Authenticate-Nak packet, indicating that the authentication failed.

CHAP is the Challenge Handshake Authentication Protocol. It is an
authentication method that sends the password information in cipher
text. Compared with PAP, CHAP is more secure.
local-user huawei password cipher hello
This command creates a local user whose user name is huawei and
whose password is hello. The keyword cipher indicates that the
password is displayed in cipher text in the configuration file.
local-user huawei service-type ppp
This command configures user huawei as a PPP user.
ppp authentication-mode chap
This command enables CHAP authentication on the authenticator, that
is, it requests the peer to use CHAP authentication.
ppp chap user huawei
This command configures the user name for CHAP authentication on the
peer to be huawei.

ppp chap password simple hello
This command configures the password for CHAP authentication on the
peer to be hello.

CHAP authentication consists of three interaction phases. To match
request and response packets, each packet carries an Identifier
field. All the packets in one authentication process use the same
identifier.
After the LCP negotiation, the authenticator sends a Challenge packet
to the peer. The packet contains the Identifier field and a randomly
generated Challenge string. This Identifier is used by the subsequent
packets of the same authentication process.
After the peer receives the Challenge packet, it computes a digest.
The formula is MD5{ Identifier + password + Challenge }: the string
consisting of Identifier, password, and Challenge is run through MD5,
producing a 16-byte digest. The digest and the CHAP user name
configured on the port are encapsulated in a Response packet and
sent back to the authenticator. In this example, the digest and the
user name huawei are sent to the authenticator.
After the authenticator receives the Response packet sent by the
peer, it searches the local database for the password matching the
user name.

Then, the authenticator computes the digest over the password in the
same way as the peer did and compares the result with the digest
encapsulated in the Response packet. If they are the same, the
authentication succeeds; otherwise, the authentication fails.
As shown in the previous process, CHAP sends the password in cipher
text instead of plain text, so the security is greatly enhanced.
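The CHAP computation just described (MD5 over Identifier, password and Challenge, giving a 16-byte digest that the authenticator recomputes and compares) as an added Python example, not course or VRP code, with the PAP plain-text check beside it for contrast. The user database is a constructed dict of user name to password.

```python
"""CHAP challenge/response as described above: the peer answers a random
Challenge with MD5(Identifier + password + Challenge) and its user name;
the authenticator recomputes the digest from the stored password and
compares. Added illustration, not course code; the PAP check is shown for
contrast. The user database is a constructed dict of user name -> password."""
import hashlib
import hmac
import secrets


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator: a fresh random Challenge for every authentication,
    so that a Response captured on one link cannot be replayed later."""
    return secrets.token_bytes(length)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Peer: 16-byte MD5 digest over Identifier || password || Challenge
    (RFC 1994). The password itself never goes on the wire."""
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, username: str,
                digest: bytes, user_db: dict) -> bool:
    """Authenticator: look up the password for the user name in the local
    database, recompute the digest the same way and compare. The comparison
    is constant-time so a near-miss digest takes no longer to reject."""
    password = user_db.get(username)
    if password is None:
        return False
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, digest)


def pap_verify(username: str, password: bytes, user_db: dict) -> bool:
    """PAP, for contrast: the peer sent user name and password in plain
    text in its Authenticate-Request, so the check is a direct comparison."""
    stored = user_db.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_exchange(username: str, password: bytes, user_db: dict,
                  identifier: int = 1) -> tuple:
    """Run the three CHAP packets in order (Challenge, Response, Success or
    Failure) and return (authenticated, challenge, digest)."""
    challenge = chap_challenge()                                # 1. Challenge
    digest = chap_response(identifier, password, challenge)     # 2. Response
    ok = chap_verify(identifier, challenge, username, digest, user_db)  # 3.
    return ok, challenge, digest


if __name__ == "__main__":
    users = {"huawei": b"hello"}   # constructed, matches the course example
    ok, challenge, digest = chap_exchange("huawei", b"hello", users)
    print("CHAP", ok, "challenge", challenge.hex(), "digest", digest.hex())
    print("PAP", pap_verify("huawei", b"hello", users))
```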

PPP defines a group of NCP protocols, one for each network layer
protocol. The NCP negotiates the network layer parameters. For
example, IPCP is used for negotiating and controlling IP parameters,
and MPLSCP is used for negotiating MPLS parameters. This course
discusses only IPCP.

IPCP uses the same negotiation mechanism and packet types as LCP,
but IPCP does not invoke LCP; its working procedure and packets are
the same as those of LCP. There are two IP address negotiation
methods: static configuration and dynamic configuration.
As shown in the figure, the IP addresses on the two ends are
10.1.1.1/30 and 10.1.1.2/30. The two IP addresses are in network
segment 10.1.1.0/30.
The negotiation process for statically configured IP addresses is as
follows:
1. Each end sends a Configure-Request packet containing its local IP
address.
2. After receiving the Configure-Request packet, each end checks the
IP address contained in the packet. If the IP address is a valid
unicast IP address and differs from the locally configured one (no
conflict), the peer can use this IP address and the local end
returns a Configure-Ack packet.

As shown in the routing table, the IP address of the peer on the PPP
link appears as a 32-bit host address. The reason is that, by
exchanging information through IPCP, the two ends of the PPP link
learn the IP address of the peer.
As shown in the figure above, RTA asks the peer to allocate an IP
address, and RTB uses static IP address 10.1.1.2/30. RTB enables the
function of allocating IP addresses to the peer and allocates IP
address 10.1.1.1 to RTA.
The process of dynamic IP address negotiation is as follows:
RTA sends a Configure-Request packet to RTB. The packet contains IP
address 0.0.0.0, which requests that an IP address be allocated.
After RTB receives the Configure-Request packet, it considers IP
address 0.0.0.0 invalid and returns a Configure-Nak packet containing
IP address 10.1.1.1. After RTA receives the Configure-Nak packet, it
updates its local IP address and re-sends a Configure-Request packet
containing IP address 10.1.1.1. When RTB receives this
Configure-Request packet, it considers the IP address valid and
returns a Configure-Ack packet.
At the same time, RTB sends a Configure-Request packet to RTA,
requesting to use IP address 10.1.1.2. If RTA considers the IP
address valid, it returns a Configure-Ack packet.
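The Configure-Ack/Nak/Reject rules from the LCP section (including the magic-number loop check) and the IPCP address allocation just described (0.0.0.0 answered with a Nak carrying 10.1.1.1) implemented for the responding end in Python. This is an added example, not course or VRP code; option type numbers follow RFC 1661 and RFC 1332, and the Responder defaults and the Nak on a conflicting address are assumptions chosen to match the figure.

```python
"""Responding end of PPP Configure-Request handling for LCP (MRU, authentication
protocol, magic number) and IPCP (IP address). Added illustration, not course
code. Options are encoded as in RFC 1661/1332: type(1) length(1) data, where
length counts the two header bytes."""
import ipaddress
import secrets
import struct

LCP, IPCP = 0xC021, 0x8021              # PPP protocol numbers
LCP_MRU, LCP_AUTH, LCP_MAGIC = 1, 3, 5  # LCP option types
IPCP_IP_ADDRESS = 3                     # IPCP option type
PAP, CHAP = 0xC023, 0xC223              # authentication protocol numbers
ACK, NAK, REJECT = "Configure-Ack", "Configure-Nak", "Configure-Reject"


def parse_options(data: bytes) -> list:
    """Split a Configure-Request payload into (type, value) pairs."""
    options, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed option length")
        options.append((opt_type, data[pos + 2:pos + length]))
        pos += length
    return options


def encode_options(options: list) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in options)


class Responder:
    """Local policy. Defaults are constructed to match the course figure:
    RTB at 10.1.1.2 allocating 10.1.1.1 to the peer, CHAP required."""

    def __init__(self, max_mru=1500, auth_required=CHAP, magic=0x1234ABCD,
                 local_ip="10.1.1.2", remote_ip="10.1.1.1"):
        self.max_mru, self.auth_required, self.magic = max_mru, auth_required, magic
        self.local_ip = ipaddress.IPv4Address(local_ip)
        self.remote_ip = ipaddress.IPv4Address(remote_ip)
        self.loop_suspected = False

    def _check_lcp(self, opt_type, value):
        """Return (verdict, value_to_send), or None for an unknown option."""
        if opt_type == LCP_MRU:
            (mru,) = struct.unpack(">H", value)
            if mru <= self.max_mru:
                return ACK, value
            return NAK, struct.pack(">H", self.max_mru)
        if opt_type == LCP_AUTH:
            (proto,) = struct.unpack(">H", value[:2])
            if proto == self.auth_required:
                return ACK, value
            return NAK, struct.pack(">H", self.auth_required)  # e.g. PAP -> CHAP
        if opt_type == LCP_MAGIC:
            (magic,) = struct.unpack(">I", value)
            if magic != self.magic:
                return ACK, value
            # Same magic number at both ends: our own packet may have looped
            # back. Nak with a fresh random magic number, as described above.
            self.loop_suspected = True
            while self.magic == magic:
                self.magic = secrets.randbits(32)
            return NAK, struct.pack(">I", self.magic)
        return None

    def _check_ipcp(self, opt_type, value):
        if opt_type != IPCP_IP_ADDRESS:
            return None
        addr = ipaddress.IPv4Address(value)
        # 0.0.0.0 asks us to allocate an address. That case, a non-unicast
        # address, or an address equal to our own (conflict; an assumption)
        # all get a Nak carrying the address we allocate to the peer.
        if addr.is_unspecified or addr.is_multicast or addr == self.local_ip:
            return NAK, self.remote_ip.packed
        return ACK, value

    def handle_configure_request(self, protocol: int, payload: bytes) -> tuple:
        """RFC 1661 precedence: any unknown option -> Reject listing only those;
        else any unacceptable value -> Nak listing only those, with the values
        we would accept; else Ack echoing the request unchanged."""
        check = self._check_lcp if protocol == LCP else self._check_ipcp
        rejected, naked = [], []
        for opt_type, value in parse_options(payload):
            verdict = check(opt_type, value)
            if verdict is None:
                rejected.append((opt_type, value))
            elif verdict[0] == NAK:
                naked.append((opt_type, verdict[1]))
        if rejected:
            return REJECT, encode_options(rejected)
        if naked:
            return NAK, encode_options(naked)
        return ACK, payload
```

A peer that keeps proposing a value after a Nak, or never answers, is handled by the retry limits described earlier (10 Configure-Requests at three-second intervals, five Nak rounds), which belong to the requesting side and are not modelled here.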

The VRP platform supports IP address negotiation in PPP.
ip address ppp-negotiate
This command enables the function of requesting the peer to allocate
an IP address.
remote address 10.1.1.1
This command enables the function of allocating an IP address to the
peer. In this example, IP address 10.1.1.1 is allocated to the peer.
Note: The IP address obtained through negotiation is a 32-bit host
address. No route for the corresponding network segment is generated
in the routing table.

What are the components of PPP?
PPP has three components, namely, the data encapsulation method, LCP
and NCP.
Which packets can be used for negotiating link parameters in LCP?
Configure-Request: The first packet in the link-layer negotiation
process, indicating the beginning of link-layer parameter
negotiation between the two ends.
Configure-Ack: After receiving the Configure-Request packet sent by
the peer, if the values of the negotiated parameters are acceptable,
this packet is used for responding.
Configure-Nak: After receiving the Configure-Request packet sent by
the peer, if the values of the negotiated parameters are not
acceptable, this packet is used for responding, carrying the locally
acceptable parameters.
Configure-Reject: After receiving the Configure-Request packet sent
by the peer, if the values of the negotiated parameters cannot be
identified, this packet is used for responding, carrying the
parameters not identified.
How many packet exchanges are necessary for CHAP?
Three. The user name and password are sent in cipher text.
What do the main IPCP parameters negotiate?
IP address.

Frame Relay (FR) is a fast packet switching technology that
transmits and switches data units in a simplified manner compared
with X.25. FR adopts virtual circuits, transmitting data over logical
links rather than physical links. Multiple logical links can be
multiplexed on one physical link, so bandwidth can be multiplexed
and dynamically allocated. This facilitates the transmission of data
for multiple users at multiple rates, and the network resources are
fully used. As shown in the figure above, the virtual circuit is used
so that the network resources are fully utilized. Frame Relay
features high throughput and low delay. It is applicable to services
with burst traffic.
FR simplifies the layer-3 function of X.25; however, it does not
support retransmission when an error occurs.
Frame Relay is found at the second layer of the OSI model. It is a
simplified way to transmit and switch data units at the data link
layer. FR implements the functions of the physical layer and the
link layer. Functions such as traffic control and error checking are
performed by the intelligent terminals, so the protocol between
nodes is simplified. FR can carry various routing protocols: the
packets of the routing protocols are encapsulated in the FR data
frame, as shown in the figure above.
FR has the following features:
The FR technology is used for transmitting data services. Data is
transmitted as frames. FR is a fast packet switching technology,
which is connection-oriented. FR transmits data over logical links
rather than physical links. Multiple logical links can be
multiplexed on one physical link, and bandwidth can be multiplexed
and dynamically allocated.
The simplified X.25 protocol provides statistical multiplexing,
transparent frame transmission, and error detection on the data link
layer, but does not support retransmission. The FR protocol
simplifies the layer-3 function of X.25. It simplifies the
processing on network nodes and improves the information processing
efficiency. A two-layer structure consisting of the physical layer
and the data link layer is adopted, and only the core subset of the
data link layer is kept. Mechanisms like frame numbering, flow
control, acknowledgement, and monitoring are not required. The cost
of switches is reduced, the network throughput is improved, and the
communication delay is reduced. The access rate of FR users is
between 64 Kbit/s and 2 Mbit/s.
A mechanism is provided to manage bandwidth and prevent congestion.
The user can fully use the reserved bandwidth, namely, the committed
information rate (CIR). The user's burst data can occupy the
unreserved bandwidth. Thus the network resources are fully used.
Similar to packet switching, FR adopts connection-oriented switching
technology. It can provide SVC and PVC services. In current FR
networks, only the PVC service is used.
Switching unit: The length of a frame is greater than the length of
a packet. The maximum frame length is at least 1600 bytes, which is
sufficient for encapsulating LAN data.


The figure above shows the FR network model. The model consists of
the DTE and the FR switching fabric.
The FR switching fabric consists of a group of DCEs. The LANs on the
two ends are interconnected through the FR network, and the data of
the LANs is transmitted through the PVC.
The terms related to the FR network are as follows:
Data Terminal Equipment (DTE): refers to the user-side device.
Data Circuit-terminating Equipment (DCE): refers to the switching
equipment on the network, such as an FR switch. The DTE and the DCE
are directly connected through a port on the switch, and multiple
connections are set up between the switches, so that links between
the DTEs are established, as shown in the figure above.
Data Link Connection Identifier (DLCI): identifies the virtual link.
Every link on the FR network uses a DLCI. FR is a connection-oriented
technology. Before communication starts, a link must be established
between the devices. The link between the DTEs is called a virtual
circuit. FR virtual circuits are classified into PVCs and SVCs. The
PVC is widely used in FR.

A Frame Relay (FR) network provides data communication between user
devices (such as routers and hosts).
According to their functions, FR devices and interfaces can be
divided into the following three types:
The user device is called Data Terminal Equipment (DTE). The
interfaces on the DTE are called DTE interfaces.
The device that provides access for the DTE is called Data
Circuit-terminating Equipment (DCE). The interfaces on the DCE are
called DCE interfaces or Network-to-Network Interfaces (NNIs). The
interfaces that connect the DTE and the DCE are User-to-Network
Interfaces (UNIs).
The interfaces between FR switches are NNIs. In practice, a DTE
interface can be connected only to a DCE interface, and an NNI
interface can be connected only to another NNI interface.
FR is a connection-oriented technology. Before communication starts,
a link must be established between the devices. The link between the
DTEs is called a virtual circuit.
FR virtual circuits are classified into PVCs and SVCs. The PVC is
widely used in FR.
Permanent Virtual Circuit (PVC): a fixed virtual circuit provided
for users. Once the link is established, it remains valid unless the
administrator deletes it manually. The PVC carries frequent and
stable data transmission between the two ends.
Switched Virtual Circuit (SVC): a virtual circuit automatically
allocated by the protocol. After communication completes, the virtual
circuit can be deleted by the local equipment or the switch. Burst
data is often transmitted through the SVC.

FR is a statistical multiplexing protocol. One physical link can
provide multiple virtual links, and each virtual link is identified
by a DLCI. The address field in the FR frame identifies the virtual
link that the frame belongs to.
The DLCI applies only to the local interface and the peer interface
directly connected to it; it is not used globally. That is, in an FR
network, the same DLCI on different physical interfaces may identify
different virtual links. A user interface on an FR network supports
up to 1024 virtual circuits, and the DLCI values available to users
range from 16 to 1007. The virtual circuit is connection-oriented, so
different local DLCIs lead to different peer devices, and the local
DLCI can be considered the FR address of the peer device. The FR
network is a public facility, usually provided by a telecom service
provider, although users can also build an FR network with private
switches. Whichever method is used, the provider of the FR network
allocates the DLCIs for the PVCs used by the users' routers. Some
DLCI numbers have special functions; for example, DLCI 0 and DLCI
1023 are used only by the LMI protocol.
FR address mapping associates the protocol address of the peer
device with the FR address (local DLCI) of the peer device, so that
the upper layer protocol can find the peer device through its
protocol address. FR is mainly used to carry IP. Before the device
sends an IP packet, it must know the DLCI matching the next-hop
address, which it finds by searching the mapping table. Address
mappings can be configured manually or maintained dynamically by the
protocol.
Local Management Interface (LMI): monitors the status of the PVC. The
system supports three kinds of LMI protocol: ITU-T Q.933 Annex A, ANSI
T1.617 Annex D, and the nonstandard compatible protocol. The
nonstandard compatible protocol is used to interconnect a device with
devices of other vendors.
LMI works as follows: the DTE sends a Status Enquiry packet at a fixed
interval to query the status of the virtual circuits. When the DCE
receives the packet, it sends a Status packet to notify the DTE of the
status of all the virtual circuits on the current interface.
The PVC status on the DTE-side device depends on the DCE-side device.
The PVC status on the DCE-side device depends on the network. If two
network devices are directly connected, the PVC status on the DCE-side
device is set by the administrator.
The FR network can connect disparate networks. The network
architecture may be full-mesh, partial-mesh, or star.
In terms of cost, the star structure is the best, as it limits the
number of PVCs required. A central node is connected to the
distributed nodes by multiple PVCs on one interface. This
architecture suits a company whose headquarters must be connected to
multiple branches. Its disadvantage is that the remote nodes can
communicate only through the central node.
In the full-mesh structure, all nodes are interconnected through
PVCs. Any two nodes can communicate directly without passing through
other nodes, so the reliability of such an architecture is high: if
one PVC fails, the data can be transmitted through another. The
disadvantage is that a great number of PVCs are required, and adding
one node to the network requires many new PVCs.
In the partial-mesh structure, only some nodes are connected
directly. The default FR network type is non-broadcast multi-access
(NBMA). That is to say, although the nodes in the FR network can
communicate with each other, the FR network does not support
broadcasts. If a node receives routing information, it duplicates the
packet and sends a copy carrying the routing information to each of
the other nodes.
FR address mapping associates the protocol address of the peer device
with the local DLCI, so that frame relay can identify the PVC to be
used to reach a given destination.
Note that the mapping table is kept per logical interface: each
logical interface has its own mapping table, keyed by the relationship
between the peer protocol address and the local DLCI.
The Inverse ARP protocol resolves the network address of the peer over
a virtual circuit and supports both IP and IPX addressing. If the
protocol address of the peer is known, Inverse ARP can generate the
mapping (MAP) between the peer network address and the DLCI locally,
so the address mapping need not be configured manually.
The process is as follows:
When a new virtual circuit is found (and the local interface is
already configured with a protocol address), Inverse ARP sends an
Inverse ARP request packet to the peer. The packet carries the local
protocol address. When the peer receives the request, it obtains the
requester's protocol address and generates a mapping. At the same
time, it sends a response packet, and the requester generates the
mapping locally from the response.
Note that:
1. If a static mapping is configured manually, Inverse ARP does not
send the request packet to the peer, regardless of whether the peer
address in the static mapping is correct.
2. After receiving an Inverse ARP request packet, the receiver does
not generate a dynamic mapping if it finds that the peer protocol
address is already present as a network address in its local mapping
table.
3. A multiprotocol host responds only to requests for the same
protocol as the protocol address carried in the request packet.
4. A multiprotocol host requests mappings for all the protocol
addresses configured on each interface.
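The Inverse ARP exchange and the per-interface mapping table described above, as an added example in Python that is not part of the Huawei course material; the router names, addresses, DLCIs and the hub-and-spoke topology are constructed, and gating what a receiver learns on the protocols it actually runs is an assumption of this simulation.

```python
"""FR Inverse ARP and per-interface address mapping, simulated.

Added example, not part of the Huawei course material. Each FR
interface keeps its own mapping table (peer protocol address -> local
DLCI). The request/response exchange follows the description above,
including the four notes: a static mapping suppresses the request, an
address already in the table is not re-learned, a multiprotocol host
answers only the protocol carried in the request, and it sends one
request per protocol address it has. Names, addresses and DLCIs are
constructed; a receiver learning only protocols it runs is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DLCI_MIN, DLCI_MAX = 16, 1007   # user DLCI range given in the text
RESERVED_DLCIS = {0, 1023}      # used only by LMI


def check_dlci(dlci: int) -> None:
    """Reject DLCIs outside the user range or reserved for LMI."""
    if dlci in RESERVED_DLCIS or not DLCI_MIN <= dlci <= DLCI_MAX:
        raise ValueError(f"DLCI {dlci} is not usable for a user PVC")


@dataclass
class MapEntry:
    dlci: int
    dynamic: bool   # True when learned by Inverse ARP, False when static


@dataclass
class FrInterface:
    """One FR (sub-)interface; the mapping table belongs to it alone."""
    name: str
    addrs: Dict[str, str]                      # protocol -> local address
    table: Dict[Tuple[str, str], MapEntry] = field(default_factory=dict)
    sent: List[Tuple[str, str, int]] = field(default_factory=list)

    def add_static(self, proto: str, peer_addr: str, dlci: int) -> None:
        check_dlci(dlci)
        self.table[(proto, peer_addr)] = MapEntry(dlci, dynamic=False)

    def has_static_on(self, dlci: int) -> bool:
        return any(e.dlci == dlci and not e.dynamic
                   for e in self.table.values())

    def learn(self, proto: str, peer_addr: str, dlci: int) -> bool:
        """Note 2: no dynamic mapping when the peer address is known."""
        if (proto, peer_addr) in self.table:
            return False
        self.table[(proto, peer_addr)] = MapEntry(dlci, dynamic=True)
        return True

    def lookup_dlci(self, proto: str, next_hop: str) -> Optional[int]:
        """What forwarding does before sending: next hop -> local DLCI."""
        e = self.table.get((proto, next_hop))
        return e.dlci if e else None


@dataclass
class Pvc:
    """One virtual circuit; each end sees it under its own local DLCI."""
    a: FrInterface
    dlci_a: int
    b: FrInterface
    dlci_b: int

    def ends(self):
        return ((self.a, self.dlci_a, self.b, self.dlci_b),
                (self.b, self.dlci_b, self.a, self.dlci_a))


def run_inverse_arp(pvc: Pvc) -> None:
    """Run the request/response exchange from both ends of one PVC."""
    for local, local_dlci, peer, peer_dlci in pvc.ends():
        if local.has_static_on(local_dlci):     # note 1: static map, no request
            continue
        for proto, local_addr in local.addrs.items():   # note 4: per protocol
            local.sent.append(("request", proto, local_dlci))
            if proto not in peer.addrs:         # note 3: other protocols ignored
                continue
            peer.learn(proto, local_addr, peer_dlci)   # peer maps the requester
            peer.sent.append(("reply", proto, peer_dlci))
            local.learn(proto, peer.addrs[proto], local_dlci)   # from the reply


def hub_and_spokes():
    """Constructed topology: RTA (hub) with one PVC each to RTB and RTC."""
    rta = FrInterface("RTA S0", {"ip": "10.1.1.1", "ipx": "1A.0001"})
    rtb = FrInterface("RTB S0", {"ip": "10.1.1.2", "ipx": "1A.0002"})
    rtc = FrInterface("RTC S0", {"ip": "10.1.1.3"})       # IP only
    rta.add_static("ip", "10.1.1.2", 100)   # manual map on RTA towards RTB
    for pvc in (Pvc(rta, 100, rtb, 200), Pvc(rta, 101, rtc, 300)):
        run_inverse_arp(pvc)
    return rta, rtb, rtc
```

After `hub_and_spokes()` RTA keeps its static IP entry for RTB on DLCI 100, learns RTB's IPX address dynamically on the same DLCI, and learns RTC on DLCI 101; RTC never gets an IPX entry because it answers only IP.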

As shown in the figure above, Router A is connected to three routers,
Router B, Router C, and Router D, through interface S0. If three
DLCIs are mapped to the three routers over S0, route updates
received on S0 are not sent back out through S0, because distance
vector routing protocols implement split horizon: a router cannot
forward route update information out through the interface on which
the information was received. As shown, Router B advertises its
routing information to Router A, and split horizon prevents Router A
from forwarding it to Router C and Router D through interface S0.
There are two ways to resolve this problem. One is to connect the
neighboring nodes through multiple physical interfaces; this requires
the router to have multiple physical interfaces, which increases the
cost of supporting the additional physical interfaces. The other is
to use sub-interfaces, so that a single physical interface is
configured with multiple logical interfaces; each sub-interface has
its own network address and operates like an independent physical
interface. It is also possible to disable split horizon, but doing so
increases the possibility of routing loops.
The split horizon problem can be solved by configuring
sub-interfaces. One physical interface can support multiple logical
sub-interfaces, and each sub-interface can be connected to a peer
router through one or more DLCIs over an FR network.
The logical sub-interfaces are defined on the serial link and are
connected to the peer router through one or more DLCIs. After a DLCI
is configured on a sub-interface, the mapping between the address of
the destination end and the DLCI should be generated.
As shown in the figure above, on the physical serial interface S0 of
Router A, the DLCI of S0.1 is mapped to Router B, the DLCI of S0.2 is
mapped to Router C, and the DLCI of S0.3 is mapped to Router D.
The sub-interfaces in FR are classified into two types:
Point-to-point sub-interface: connects to a single remote node. Each
sub-interface is configured with one PVC. The peer can be found
without a static address mapping, because the peer address is
determined when the PVC is configured on the sub-interface.
Point-to-multipoint sub-interface: connects to multiple remote nodes.
One sub-interface is configured with multiple PVCs, and each PVC is
mapped to the protocol address of the remote end it connects, so that
the PVC reaches the corresponding remote end. The address mapping must
be configured manually or set up through Inverse ARP.
Before creating the FR sub-interface, the user should configure
the interface to use FR as the link-layer protocol. The default
sub-interface type is p2mp.
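The split horizon problem on the hub and its sub-interface fix, as an added Python simulation that is not part of the Huawei course material; the prefixes, interface names and the hub-and-spoke topology with B, C and D are constructed.

```python
"""Split horizon on an FR hub: one physical interface vs. sub-interfaces.

Added example, not part of the Huawei course material. A distance
vector router builds the update for an outgoing interface by dropping
every route it learned on that same interface. Router A is the hub
with one PVC to each of B, C and D; prefixes and interface names are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_on: Optional[str]   # interface the update came in on; None if connected


def build_update(routes: List[Route], out_iface: str,
                 split_horizon: bool = True) -> List[str]:
    """Prefixes a distance vector router advertises out of out_iface."""
    if not split_horizon:
        return [r.prefix for r in routes]
    return [r.prefix for r in routes if r.learned_on != out_iface]


def hub_propagation(spoke_iface: Dict[str, str],
                    split_horizon: bool = True) -> Dict[str, dict]:
    """Each spoke advertises one prefix to hub A; A re-advertises to all.

    spoke_iface maps spoke name -> hub interface reaching that spoke:
    the same "S0" for every spoke with one physical interface, or
    "S0.1", "S0.2", "S0.3" with point-to-point sub-interfaces.
    Returns, per spoke, the other spokes' prefixes it learns and whether
    its own prefix is echoed back to it (the loop condition that split
    horizon exists to prevent).
    """
    own = {s: f"10.{i}.0.0/24" for i, s in enumerate(spoke_iface, 2)}
    hub_routes = [Route("10.1.1.0/24", None)]            # A's FR subnet
    hub_routes += [Route(own[s], iface) for s, iface in spoke_iface.items()]
    result: Dict[str, dict] = {}
    for spoke, iface in spoke_iface.items():
        update = build_update(hub_routes, iface, split_horizon)
        others: Set[str] = {p for p in update
                            if p in own.values() and p != own[spoke]}
        result[spoke] = {"others": others, "echoed": own[spoke] in update}
    return result


if __name__ == "__main__":
    one_iface = {"B": "S0", "C": "S0", "D": "S0"}
    sub_ifaces = {"B": "S0.1", "C": "S0.2", "D": "S0.3"}
    print("single interface :", hub_propagation(one_iface))
    print("sub-interfaces   :", hub_propagation(sub_ifaces))
    print("split horizon off:", hub_propagation(one_iface, split_horizon=False))
```

With one physical S0 no spoke learns the others; with sub-interfaces every spoke learns the other two; with split horizon disabled they learn each other but also receive their own prefix back from the hub.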


RTA and RTB are connected by a serial link. The IP address
planning is as shown in the above figure. The link-layer protocol
is FR. The configuration of FR in this example is similar to the
configuration in the preceding example. The difference is that the
mapping between the interface network address and the FR
address is generated by the inverse ARP protocol.
The fr inarp [ ip [ dlci-number ] ] command enables the
dynamic address mapping. In VRP, the dynamic address
mapping is enabled on the FR interface by default. So this step is
optional.
The display fr interface command displays the information
about the FR interfaces, the operation mode of the FR interfaces,
and the physical status and protocol status of the FR interfaces.
The display interface Serial 0 command displays the
information about the interfaces, including the physical status
and protocol status of the interfaces, the IP address, the link-
layer encapsulation mode, and the LMI type.
RTA and RTB are connected by a serial link. The IP address planning
is as shown in the figure above. The link-layer protocol is FR.
The link-protocol fr command sets the link-layer protocol of the
interface to FR. By default, the link-layer protocol is PPP. When FR
encapsulation is used, the encapsulation format is IETF by default.
ietf: the standard IETF encapsulation, which complies with RFC 1490.
It is the default encapsulation format.
nonstandard: the encapsulation format of the nonstandard compatible
protocol.
The fr interface-type command sets the FR interface type.
dte, dce, and nni: the three types of FR interface. In FR, the two
parties of the communication are at the user side and the network side
respectively. The user-side party is called the DTE; the network-side
party is called the DCE.
In the FR network, the interfaces between FR switches are NNI
interfaces, and those interfaces work in NNI mode. If the devices are
used for FR switching, the interfaces should work in NNI mode or DCE
mode.
The fr dlci command configures the virtual circuit on the FR
interface. The ip address 10.1.1.1 30 command configures the IP
address of the interface.
The fr map ip command adds a static mapping between the peer protocol
address and the local DLCI (the FR address). ip-address: the IP
address of the peer. ip-mask: the subnet mask, in the format X.X.X.X,
where X is an integer ranging from 0 to 255. dlci-number: the number
of the local virtual circuit, ranging from 16 to 1007.

The display fr map-info command displays the mapping
between the protocol address and the FR address.
In this example, RTA displays the information showing that the
address mapped to DLCI 200 is 10.1.1.2, the network address
and FR address of RTB. The local interface S0 on RTA works in
DCE mode.
Use ping to check the FR configuration and interface reachability.
In this example, the router functions as the FR switch. The PVC
is configured manually.
The configuration of RTD is similar to that of RTA: the data link
protocol, the interface type, and the IP address need to be configured.
Using the display fr map-info command, you can view the FR
address mapping table.
[RTA]dis fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 100, IP INARP 10.1.1.2, Serial0
create time = 2007/06/04 17:34:59, status = ACTIVE
encapsulation = ietf, vlink = 20, broadcast
The ACTIVE status confirms that the PVC is operational.
<RTA>ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=31 ms


1. How many modes does the FR interface have?
Three: DTE, DCE, and NNI. In FR, the user-side party is called the DTE
and the network-side party is called the DCE. In the FR network, the
interfaces between FR switches are NNI interfaces, and those
interfaces work in NNI mode. If the devices are used for FR
switching, the interfaces should work in NNI mode or DCE mode.
2. What is the meaning of the FR DLCI?
The DLCI identifies a data link. All virtual circuits are identified
by DLCIs. The DLCI is significant only on the local interface and the
peer interface directly connected to it; it is not used globally. That
is, in the FR network, the same DLCI on different physical interfaces
may identify different virtual links.
3. How is a virtual circuit established?
In the FR network, the DTEs are interconnected through virtual
circuits. A virtual circuit can be set up in PVC or SVC mode; PVC mode
is commonly adopted.

Module 5
Network Security
In a practical sense, a firewall acts as a separator and also as an
analyzer: it supervises all activity between an internal and an
external network and helps ensure that the security of the internal
network is maintained.
The firewall can take the form of a series of hardware devices or of
software running within a given device.
A firewall can be divided into several parts, some of which implement
functions beyond that of a firewall. A firewall is the accumulation of
hardware, software, and control policies, where the control policy can
be one of two kinds:
1. Strict policy: highly secure, but may disrupt many services
because of policy restrictions that have not been reviewed.
2. Loose policy: gives users much freedom, but may leave many
security holes in the network if good policy management has not been
applied.
Commonly, firewalls adopt the more secure policy and assess requests
for additional permissions case by case when restrictions need to be
relinquished. This can take some effort, because a series of security
review processes is usually necessary to ensure that releasing a
restriction does not expose the internal network to external threats.

As firewall technology has developed, firewall functions have become
more and more diverse. Seen from the technology development aspect,
the variations that have formed can be classified into three kinds:
packet filtering, proxy, and state detection. At present, the more
popular type is the state detection firewall.

Packet filtering firewall:
Packet filtering technology uses predefined rules to filter packets.
The firewall obtains the source IP address, destination IP address,
source TCP/UDP port, destination TCP/UDP port, and protocol number of
a data packet, and compares part or all of this information with the
rules to decide whether the packet may pass through the firewall. The
rules are defined according to the features of the IP packet: the
elements listed above are used to define the conditions under which a
packet is allowed to pass through the firewall.

A packet filtering firewall is simple but lacks flexibility. In
addition, it performs policy checking on every data packet, which
affects the performance of the firewall.

Proxy firewall:
A proxy firewall acts as an intermediary node for service access: to
a client it represents the server, and to a server it represents the
client. A proxy firewall provides high security, but the cost is also
high. It is hard to develop a corresponding proxy service for every
application, so a proxy firewall cannot support an abundance of
services; it can provide proxy service only for certain applications,
such as HTTP.

State detection firewall:
State detection technology is an advanced communication filtering
technology. State detection inspects protocol information of the
application layer and supervises the protocol state of
connection-oriented application-layer sessions. By tracking the state
of a TCP/UDP-based connection, the firewall can dynamically determine
whether a packet may pass through the firewall. The firewall maintains
a session entry keyed by the five-tuple (source/destination IP
address, source/destination port number, protocol number); each
received data packet is matched against the session entries to
determine whether it is legal.
As shown in the figure above, for Telnet access, when TCP completes
the three-way handshake, the firewall creates a session entry based
on this five-tuple. When a Telnet response packet for user A passes
through the firewall, only a packet that matches the session entry is
permitted to pass; Telnet response packets for other users are
blocked by the firewall. The session entry changes as the TCP protocol
state changes: before the three-way handshake completes, illegal
packets cannot pass through the firewall, and after the Telnet session
finishes, the session entry is deleted immediately, so spurious illegal
Telnet packets still cannot pass through the firewall.

A session identifies a complete connection, and a complete connection
is composed of five elements (source address, destination address,
source port, destination port, protocol number). When the TCP
three-way handshake is completed, the firewall creates a complete
session entry, which is then used to supervise the state transitions
of the session.
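The packet-filter rule check and the five-tuple session table with the Telnet trace described above, as an added Python model that is not part of the Huawei course material; the addresses, ports, rule and packet sequence are constructed, and the exact flag sequence accepted during the handshake is a simplification of this model.

```python
"""A state detection firewall's session table, in miniature.

Added example, not part of the Huawei course material. Packets are
keyed by the five-tuple (source IP, destination IP, source port,
destination port, protocol). A new flow is admitted only by the static
rule list (the packet-filter part) and only as a TCP SYN; the entry
becomes a full session when the three-way handshake completes, return
packets match the reversed tuple, and the entry is removed once both
sides have closed. Addresses, ports, rules and the Telnet trace are all
constructed.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # src, dst, sport, dport, proto


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str           # TCP flags as letters: "S", "SA", "A", "FA"
    proto: str = "tcp"


class Rule:
    """Static packet-filter rule; a None field matches anything."""

    def __init__(self, action: str, src_net: Optional[str] = None,
                 dport: Optional[int] = None):
        self.action, self.src_net, self.dport = action, src_net, dport

    def matches(self, p: Packet) -> bool:
        in_net = (self.src_net is None or
                  ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net))
        return in_net and (self.dport is None or p.dport == self.dport)


class StatefulFirewall:
    # Handshake steps: state -> (side the next packet must come from, flags, next)
    HANDSHAKE = {"SYN_SENT": ("rev", "SA", "SYN_RCVD"),
                 "SYN_RCVD": ("fwd", "A", "ESTABLISHED")}

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # keyed by the initiator's five-tuple -> {"state": ..., "fins": set()}
        self.sessions: Dict[FiveTuple, dict] = {}

    def policy(self, p: Packet) -> str:
        """First-match packet filtering with an implicit deny at the end."""
        return next((r.action for r in self.rules if r.matches(p)), "deny")

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport, p.proto)
        rev = (p.dst, p.src, p.dport, p.sport, p.proto)   # same flow, other side
        if fwd in self.sessions:
            return self._track(fwd, "fwd", p)
        if rev in self.sessions:
            return self._track(rev, "rev", p)
        # No session yet: only a SYN may consult the policy and open one.
        if p.flags != "S" or self.policy(p) != "permit":
            return "deny"
        self.sessions[fwd] = {"state": "SYN_SENT", "fins": set()}
        return "permit"

    def _track(self, key: FiveTuple, side: str, p: Packet) -> str:
        s = self.sessions[key]
        if s["state"] in self.HANDSHAKE:     # before completion only the next step fits
            want_side, want_flags, next_state = self.HANDSHAKE[s["state"]]
            if side != want_side or p.flags != want_flags:
                return "deny"
            s["state"] = next_state
            return "permit"
        if "F" in p.flags:                   # established: track the close
            s["fins"].add(side)
            if s["fins"] == {"fwd", "rev"}:  # both sides closed: drop the entry
                del self.sessions[key]
        return "permit"


def telnet_scenario() -> List[str]:
    """Constructed trace: user A telnets out while other packets try to get in."""
    fw = StatefulFirewall([Rule("permit", "10.1.1.0/24", 23)])
    a, srv = "10.1.1.10", "203.0.113.5"
    trace = [
        Packet(a, srv, 40001, 23, "S"),              # A: SYN
        Packet(srv, a, 23, 40001, "SA"),             # server: SYN-ACK
        Packet(a, srv, 40001, 23, "A"),              # A: ACK, session complete
        Packet(srv, a, 23, 40001, "A"),              # Telnet reply to A
        Packet(srv, "10.1.1.11", 23, 40002, "A"),    # "reply" to user B: no session
        Packet(srv, a, 23, 40003, "S"),              # inbound attempt: no rule
        Packet(a, srv, 40001, 23, "FA"),             # A closes
        Packet(srv, a, 23, 40001, "FA"),             # server closes: entry deleted
        Packet(srv, a, 23, 40001, "A"),              # late packet: no session
    ]
    return [fw.process(p) for p in trace]
```

The trace yields permit for A's handshake and reply, deny for the reply aimed at user B and for the inbound SYN, permit for the two FINs, and deny for the packet that arrives after the session entry is gone.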

As shown in the figure above, in a security system the firewall is
analogous to a door: it can prevent people from entering, but it
cannot prevent malicious attacks from people who have permission to
enter the network or are located internally. An access control system
can prevent people with low privilege from doing work that exceeds
their authority, but it cannot prevent people with high privilege from
malicious actions, nor can it prevent people with low privilege from
obtaining high privilege through illegal behavior. An intrusion
detection system (IDS) is a dedicated device that identifies whether
the system is safe according to the data and behavior patterns it
observes; it is the second security door following the firewall. There
is a classical comparison: the firewall corresponds to the security
system of a gated community, which audits all the people who pass
through the gateway but cannot audit the people already inside or
those with a legal identity. The IDS supervises the inside of the
community.
The IDS is analogous to the security camera of a network: it can
capture and record all the data, and at the same time it is an
intelligent camera that can analyze and extract doubtful and abnormal
network data, with the intelligence to penetrate disguised data and
identify the actual content. An advanced IDS can fight back,
terminate connections, and close paths automatically to stop illegal
behavior.
There are other technologies in a security system besides those
mentioned: for example, identity authentication; ACL packet
filtering; access for special user systems; protection of specially
sourced servers through reinforced and installed immunity systems;
discovery of system holes and patching through scanning software;
transmission of encrypted data, or the use of VPN technology for
transmission, to guarantee security (often end to end); supervision of
system operation through a security management center; and operational
event logging and threat detection using alarms and threat response
processes.


A firewall strictly manages access from external networks into the
internal network; access from the internal network to external
networks is relatively loose in comparison. Unlike antivirus software,
a firewall cannot renew its operating software periodically, so the
defense it provides against newly emerging security threats is
sometimes insufficient.
If the deep inspection function is configured, the firewall inspects
part of the content of a data packet, which also increases the
forwarding delay and affects forwarding performance.
A firewall cannot inspect encrypted packets or other packets
transmitted in VPN tunnels that pass through the firewall.
With the rapid development of the Internet, a growing number of
enterprises have begun to speed up their development by taking
advantage of network services, and protecting their intranets in an
open network environment has become a concern. Huawei delivers the
self-developed USG series of unified security gateway products for
large- and medium-sized enterprises. With 150 Mbit/s to 8 Gbit/s
processing capability, these products provide cost-effective security
solutions for large- and medium-sized networks.
USG unified security gateways are based on a high-performance
hardware platform and an advanced software architecture. They are
equipped with high-performance or multi-core CPUs to provide
line-rate packet processing, data forwarding, and anti-attack
functions.
USG unified security gateways provide rich interface functions,
including fixed ports such as GE/FE and console ports, general
expansion slots for mini interface cards (MICs), and expansion slots
for flexible interface modules (FICs). The expansion slots support
GE/FE, ADSL2+, WiFi, 3G, and E1/CE1 interface cards, allowing flexible
selection according to the customer's network environment. In
addition, the strong software scalability allows for cost-effective
network upgrade and capacity expansion.

The USG devices are used on the enterprise headquarters
network, egress gateways of various branches, and security
gateways of regional offices and remote sites.
Providing firewall and UTM functions to ensure intranet security.
Providing rich VPN functions to ensure communication security.
Providing 3G and WiFi functions for easy networking.
Q: How many variations of firewall are there, and what features do
they support?
A: Firewalls come in three variations: packet filtering, proxy, and
state detection. A packet filtering firewall uses predefined rules
(source/destination IP address, source/destination TCP/UDP port, and
protocol number) to filter packets. A proxy firewall is regarded as an
intermediate node for service access: to a client it represents the
server, and to a server it represents the client. State detection
inspects protocol information of the application layer and supervises
the protocol state of connection-oriented application-layer sessions;
by tracking the state of a TCP/UDP-based connection, the firewall can
dynamically determine whether a packet may pass through.

Q: Which models make up the USG firewall series?
A: It includes the 2100, 2200, and 5120.
A zone is an important firewall security concept. Firewalls are
generally located at the boundary of a network, so the different
networks they connect can be represented as different zones. The
firewall adds interfaces into zones and enables security detection
between zones (called a security policy), which can be used to filter
the data flowing between different zones. The common methods used for
security detection include ACL-based detection and application state
detection.
The USG firewall has four reserved security zones:
Untrusted zone: a low-level security zone; the assigned security
priority is 5.
DMZ: a mid-level security zone; the assigned security priority is 50.
Trust zone: a high-level security zone; the assigned security
priority is 85.
Local zone: the highest-level security zone; the assigned security
priority is 100.
If necessary, users can configure new security zones and define their
security priority. With the exception of the Local zone, a security
zone must be associated with firewall interfaces before it can be
used, which is done by adding an interface of the firewall into the
security zone. An interface can be added into only one zone, and it
can be a physical or a logical interface. Adding an interface to a
zone means that the network connected to the interface belongs to the
zone, while the interface itself belongs to the Local zone.
The association of security zones and networks should obey the
following rules: internal networks should belong to a zone with a
higher priority; external networks should belong to a zone with a
lower priority; networks that provide conditional services to external
users should belong to the DMZ.
The purpose of defining security priorities is to distinguish the
direction of data flow between security zones, inbound or outbound.

When a data flow is forwarded between security zones, the firewall's
security detection mechanisms spring into action: in particular, the
security policy implemented between the zones (for example between
the untrusted zone and the trusted zone) manages the traffic flow.
Different security policies can be implemented between different
zones, for example a packet filtering policy or a state filtering
policy.

There are two directions of data flow between zones:
Inbound: the data flow is transmitted from a zone with a low priority
to a zone with a high priority.
Outbound: the data flow is transmitted from a zone with a high
priority to a zone with a low priority.
No two security zones can have the same priority. Interfaces in the
same zone forward packets to each other directly, without filtering,
so placing them in one zone nullifies the zone defenses between them.
An interface cannot forward packets before it is added into a zone.
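The zone priorities, the zone rules and the inbound/outbound classification described above, as an added Python model that is not part of the Huawei course material; the zone keys, interface names and the extra user zone are constructed, and the inter-zone default (inbound denied unless explicitly permitted, outbound permitted) is an assumption of this model rather than a statement about the USG.

```python
"""Security zones on the USG firewall: priorities and flow direction.

Added example, not part of the Huawei course material. It models the four
reserved zones with the priorities given in the text, lets the user add
zones with priority 1..100, enforces the rules stated (unique priorities,
an interface in exactly one zone, no forwarding for an interface outside
every zone) and classifies a flow between two interfaces as inbound,
outbound or intra-zone. Zone keys, interface names and the extra zone
are constructed; the inter-zone default (inbound denied unless
explicitly permitted, outbound permitted) is an assumption of this model.
"""
from typing import Dict, Set, Tuple

RESERVED_ZONES = {"untrust": 5, "dmz": 50, "trust": 85, "local": 100}


class ZoneTable:
    def __init__(self) -> None:
        self.priority: Dict[str, int] = dict(RESERVED_ZONES)
        self.iface_zone: Dict[str, str] = {}
        self.permits: Set[Tuple[str, str]] = set()   # (from zone, to zone)

    def add_zone(self, name: str, priority: int) -> None:
        if name in self.priority:
            raise ValueError(f"zone {name} already exists")
        if not 1 <= priority <= 100:
            raise ValueError("priority must be within 1..100")
        if priority in self.priority.values():
            raise ValueError(f"priority {priority} is already used by a zone")
        self.priority[name] = priority

    def add_interface(self, iface: str, zone: str) -> None:
        if zone not in self.priority:
            raise KeyError(f"unknown zone {zone}")
        if zone == "local":
            raise ValueError("interfaces are not added to the local zone")
        if iface in self.iface_zone:
            raise ValueError(f"{iface} is already in zone {self.iface_zone[iface]}")
        self.iface_zone[iface] = zone

    def zones_of(self, in_iface: str, out_iface: str) -> Tuple[str, str]:
        for iface in (in_iface, out_iface):
            if iface not in self.iface_zone:
                raise ValueError(f"{iface} is in no zone and cannot forward")
        return self.iface_zone[in_iface], self.iface_zone[out_iface]

    def direction(self, in_iface: str, out_iface: str) -> str:
        """inbound / outbound / intra-zone for a flow entering in_iface."""
        src, dst = self.zones_of(in_iface, out_iface)
        ps, pd = self.priority[src], self.priority[dst]
        if ps == pd:
            return "intra-zone"       # same zone: forwarded without filtering
        return "inbound" if ps < pd else "outbound"

    def permit(self, from_zone: str, to_zone: str) -> None:
        """Explicit inter-zone permit, e.g. the untrust -> trust case above."""
        self.permits.add((from_zone, to_zone))

    def decide(self, in_iface: str, out_iface: str) -> Tuple[str, str]:
        """(direction, verdict) under the assumed default described above."""
        d = self.direction(in_iface, out_iface)
        src, dst = self.zones_of(in_iface, out_iface)
        if d != "inbound" or (src, dst) in self.permits:
            return d, "permit"
        return d, "deny"


def example_table() -> ZoneTable:
    """Constructed deployment: three reserved zones plus one user zone."""
    zt = ZoneTable()
    zt.add_zone("userzone", 60)                 # priority as in the command example
    zt.add_interface("Ethernet0/0/1", "trust")
    zt.add_interface("Ethernet0/0/2", "untrust")
    zt.add_interface("Ethernet0/0/3", "dmz")
    zt.add_interface("Ethernet0/0/4", "userzone")
    return zt
```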

This example introduces how a security zone is created and how
to configure the priority and apply an interface to the created
zone.
[USG2100] firewall zone name userzone
// creates a security zone named userzone, the system can
support up to 16 zones in total, including the default 4 zones.
[USG2100-zone-userzone] set priority 60
//configures the priority, with a range from 1 to 100, any two
zones can not use the same priority, the priority of default 4
zones cannot be modified.
[USG2100-zone-userzone] add interface Ethernet 0/0/1
//adds an interface to a zone, one zone can support 1024
interfaces at most.

Command [USG2100]display zone userzone can be used to
display related information for a given security zone.

This example shows how to configure a security policy between zones.
When data flows between security zones, the security detection
mechanism is triggered. Generally, data from an untrusted zone cannot
enter a trusted zone unless explicitly permitted. After the
configuration displayed is applied, data from the untrusted zone can
be forwarded to the trusted zone.
The USG firewall can work in three modes: route mode, transparent mode and composite mode.
If the USG firewall connects to the external network at layer 3 (that is, an IP address is configured on the external interface), the firewall is operating in route mode. As shown in the figure above, when the USG firewall sits between an internal network and an external network, the three interfaces that connect to the internal network, the external network and the DMZ are each configured with an IP address in a different network segment, and the rest of the topology sees the firewall as a router. In route mode the firewall can perform ACL packet filtering, ASPF (Application Specific Packet Filter, the USG's stateful inspection) dynamic filtering and NAT. The drawback of route mode is that the network topology has to be modified: end systems on the internal network must change their gateway, routers must change their routing configuration, and so on.
If the USG firewall connects at layer 2 (no IP address is configured on the interface), the firewall is operating in transparent mode. In transparent mode the firewall is simply inserted into the network as a bridge; its greatest advantage is that no existing configuration has to be changed. The firewall behaves like a switch, and the internal network and external network must remain in the same subnet. At present the USG firewall does not support STP, so it must be deployed with care to avoid layer 2 loops. In this mode the firewall not only forwards frames like a switch but also inspects the packets.

If the USG firewall has both an interface working in route mode (with an IP address) and an interface working in transparent mode (without an IP address), it is operating in composite mode. This mode mixes transparent mode and route mode; at present it is only used in a special transparent-mode deployment that provides dual-device hot backup.
An IP address must be configured on the interface on which VRRP (Virtual Router Redundancy Protocol) is enabled. The other interfaces do not require an IP address, and the internal and external networks must be in the same subnet.
A firewall must be able to control network data flows in order to enforce security, meet QoS requirements and implement policy. An ACL (Access Control List) is one of the methods used to control data flow. An ACL is an ordered series of rules, each a permit or deny statement, that describe packets by parameters such as source address, destination address, port number and protocol. An ACL can be applied in the following situations:

1. Packet filtering as part of the network security protection mechanism. Packet filtering is applied between two zones of different priority to control the data flow in each direction (inbound and outbound). When the firewall forwards a packet it first inspects the packet header (source and destination address, source and destination port and upper-layer protocol) and compares it with the configured rules; the result of the comparison determines whether the packet is forwarded or discarded. Packet filtering therefore needs a series of filtering rules: an ACL is used to define the rules and is then applied to the interzone filtering of the firewall.

2. NAT (Network Address Translation) translates the IP address in a packet header to another IP address. Its main purpose is to let an internal network that uses private addressing forward traffic to the external network, which uses public addressing. In practice it is often desired that some internal hosts (with private addresses) can reach the external network or Internet while others cannot. This is implemented by associating an ACL with the NAT address pool: only packets that match the ACL are translated, which limits the range of addresses subject to translation.
An ACL can also be applied in other scenarios such as IPSec, QoS and routing policy.


The firewall identifies an ACL by a number. On the USG 300/500/1000 there are three kinds of ACL: basic ACLs (2000-2999), advanced ACLs (3000-3999) and firewall ACLs (5000-5499). Users choose the kind of ACL according to how precisely the data flow has to be defined.

The three kinds define data flows differently: a basic ACL uses only the source address; an advanced ACL uses source address, destination address, source port number, destination port number and protocol number; a firewall ACL uses source address, destination address and destination port number.

One ACL is composed of one or more rules, each containing the keyword permit or deny.
Use the command acl [ number ] acl-number [ vpn-instance vpn-instance-name ] in system view to create an ACL.
[ number ] acl-number identifies the ACL. For a basic ACL the range is 2000-2999; for an advanced ACL 3000-3999; for a firewall ACL 5000-5499.
The optional vpn-instance keyword binds the ACL to the named VPN instance.
After entering basic ACL view, the command rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any } ] [ time-range time-name ] creates a basic ACL rule:
rule-id is the number of the rule and is optional. If a rule is defined with a rule-id that already exists, the new rule overwrites the old one; if the rule-id does not exist, a new rule is created. If no rule-id is given, the system automatically assigns a number to the new rule.

permit and deny specify the action applied when a packet matches the rule. permit means the packet goes on to NAT or to the security policy check and is handled accordingly; deny excludes the matching packet from that processing (for packet filtering the packet is discarded, for NAT it is not translated).
source { source-address source-wildcard | any } specifies the source address matched by the rule.
time-range time-name specifies the time range during which the rule takes effect.
After entering advanced ACL view, the command rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard | any } ] [ destination { dest-address dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] creates an advanced ACL rule. The keywords and parameters shared with basic ACL rules have the same meaning.
protocol gives, by name or number, the protocol carried in the IP packet.
An advanced ACL can filter on several protocols, for example TCP, UDP, ICMP and IP. Because TCP, UDP and ICMP are all carried in IP, choosing ip in the protocol field permits or denies every IP-based protocol at once (ICMP, TCP and UDP messages alike); to discard only packets of specific protocols and let the rest pass, those specific protocols must be named.
destination { dest-address dest-wildcard | any } specifies the layer 3 destination matched by the rule.
icmp-type specifies the type and code of an ICMP packet; it takes effect only when the protocol is ICMP. If it is not configured, any ICMP packet matches.
source-port specifies the layer 4 source port; it takes effect only for protocols that carry ports (TCP and UDP). If it is not specified, packets from any source port match.
destination-port specifies the layer 4 destination port; it likewise takes effect only for TCP and UDP. If it is not specified, packets to any destination port match.
precedence: an optional parameter that filters packets by IP precedence, given as a number in the range 0-7 or by name.
tos: an optional parameter that filters packets by type of service, given as a number in the range 0-15 or by name.
One firewall can hold several ACL groups, and a packet is matched against them in a fixed order: firewall ACLs take priority over advanced ACLs, and advanced ACLs over basic ACLs. Within one kind, the ACL with the smaller acl-number is matched first. Within one ACL, the rule with the smaller rule-id is matched first. As soon as a data flow matches a rule, matching stops and the firewall acts on the flow according to that rule.
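The matching rules above can be checked against a small Python model of basic, advanced and firewall ACLs with Huawei-style wildcard masks and first-match semantics. It is an added example, not Huawei's implementation; the automatic rule-id step of 5, the sample ACL contents and the sample addresses are assumptions.

```python
import ipaddress

ACL_KINDS = (("firewall", 5000, 5499), ("advanced", 3000, 3999), ("basic", 2000, 2999))
MATCH_ORDER = {"firewall": 0, "advanced": 1, "basic": 2}   # page: firewall > advanced > basic
RULE_ID_STEP = 5                                           # assumed auto-numbering step


def acl_kind(number):
    for kind, lo, hi in ACL_KINDS:
        if lo <= number <= hi:
            return kind
    raise ValueError("ACL number %d is outside every supported range" % number)


def wildcard_match(addr, spec):
    """spec is 'any' or (base, wildcard); a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wildcard = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(addr)) | wildcard) == (base | wildcard)


def port_match(port, spec):
    """spec is None (any port) or (operator, port1[, port2]) as in the rule syntax."""
    if spec is None:
        return True
    op, p1 = spec[0], spec[1]
    if op == "eq":
        return port == p1
    if op == "gt":
        return port > p1
    if op == "lt":
        return port < p1
    if op == "range":
        return p1 <= port <= spec[2]
    raise ValueError("unknown operator " + op)


class Acl:
    def __init__(self, number):
        self.number, self.kind, self.rules = number, acl_kind(number), {}

    def rule(self, action, rule_id=None, protocol="ip", source="any", destination="any",
             source_port=None, destination_port=None, icmp_type=None):
        if self.kind == "basic" and (destination != "any" or source_port or destination_port):
            raise ValueError("a basic ACL rule may only match on the source address")
        if rule_id is None:                         # page: the system assigns a number
            rule_id = (max(self.rules) // RULE_ID_STEP + 1) * RULE_ID_STEP if self.rules else RULE_ID_STEP
        self.rules[rule_id] = dict(action=action, protocol=protocol, source=source,   # same id: overwrite
                                   destination=destination, source_port=source_port,
                                   destination_port=destination_port, icmp_type=icmp_type)
        return rule_id

    def match(self, pkt):
        """First matching rule wins, smallest rule-id first; None if nothing matched."""
        for rule_id in sorted(self.rules):
            r = self.rules[rule_id]
            if r["protocol"] not in ("ip", pkt["protocol"]):   # 'ip' covers every IP-carried protocol
                continue
            if not (wildcard_match(pkt["src"], r["source"]) and wildcard_match(pkt["dst"], r["destination"])):
                continue
            if pkt["protocol"] in ("tcp", "udp"):
                if not (port_match(pkt["sport"], r["source_port"]) and port_match(pkt["dport"], r["destination_port"])):
                    continue
            if pkt["protocol"] == "icmp" and r["icmp_type"] is not None and r["icmp_type"] != pkt.get("icmp_type"):
                continue
            return rule_id, r["action"]
        return None


def lookup(acls, pkt):
    """Firewall-wide lookup: firewall ACLs first, then advanced, then basic; within a kind
    the smaller acl-number first; stop at the first rule that matches."""
    for acl in sorted(acls, key=lambda a: (MATCH_ORDER[a.kind], a.number)):
        hit = acl.match(pkt)
        if hit:
            return acl.number, hit[0], hit[1]
    return None


def sample_acls():
    basic = Acl(2000)
    basic.rule("permit", source=("192.168.1.0", "0.0.0.255"))          # auto rule-id 5
    adv = Acl(3000)
    adv.rule("deny", rule_id=5, protocol="tcp", source=("192.168.1.0", "0.0.0.255"),
             destination_port=("eq", 23))                              # block telnet
    adv.rule("permit", rule_id=10, protocol="ip", source=("192.168.1.0", "0.0.0.255"))
    adv.rule("deny", rule_id=5, protocol="tcp", source=("192.168.1.0", "0.0.0.255"),
             destination_port=("range", 21, 23))                       # overwrites rule 5
    fw = Acl(5000)
    fw.rule("permit", rule_id=5, protocol="tcp", source=("192.168.1.0", "0.0.0.255"),
            destination=("203.0.113.0", "0.0.0.255"), destination_port=("eq", 22))
    return [basic, adv, fw]
```

Note that the firewall ACL is consulted before the advanced one regardless of the order in which the ACLs were created, so an SSH session to 203.0.113.0/24 is permitted by ACL 5000 even though rule 5 of ACL 3000 would deny port 22.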


NAT translates individual IP addresses in IP packet headers to alternative IP addresses. In practice its main role is to let end systems in a private network forward traffic over the external network.
Public IP address space is limited, and as the world's networks have grown the available public IPv4 ranges have been used up. It is impossible to assign an individual public IPv4 address to every end system. The solution has been to use private IP addresses inside enterprise networks and public addresses only at the boundary between the internal network and the outside. Private addresses cannot be used in the WAN domain, so users with private addresses must have their addresses translated by NAT before they can reach the public network. A small number of public addresses can thereby represent a large number of private addresses (internal users).
Attacks on government and enterprise networks over public networks have become increasingly frequent and complex. NAT hides private IP addresses, and security measures can be concentrated on the NAT egress routers, which reduces the effort needed for effective protection. NAT on its own is not an access control, however: what is permitted between zones is still decided by the interzone policy.
In some cases two enterprise networks need to be merged into one, and their private address ranges commonly overlap. The addressing schemes should be redesigned, but that is hard to do quickly without downtime for users. Here NAT can be configured on the egress routers of the two internal networks, so that each egress router presents a public-style address range to the other private network. Hosts of one internal network have their private addresses translated to that range in order to reach the other network, and the NAT router of the receiving network identifies the source and translates accordingly.

Internet address allocation reserves the following three address ranges as private addresses (RFC 1918):
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These ranges are never allocated on the Internet, but they can be used inside an enterprise LAN. An enterprise chooses a range according to the number of hosts it expects to need, and different enterprises may use the same internal addressing. If a company uses addresses outside these ranges internally, they may collide with public addresses in the routing table, so it is recommended that one of the ranges above is used for internal addressing.
Public addresses are allocated by the Internet registries; for most organisations this means obtaining public addresses from an ISP as part of a subscription package.
As mentioned before, when users with private IP addresses want to reach public address domains such as the Internet, their private addresses must be translated to public addresses by NAT.


When the Trust zone establishes a connection to the Untrust zone or DMZ through the USG firewall, the firewall checks whether the traffic needs NAT. If it does, translation is done at the egress of the IP forwarding path: the source address of the packet (a private address) is translated to a public address. At the ingress of the IP layer, the destination address of the reply packet (a public address) is translated back to the private address.

As shown in the figure above, the USG firewall is located at the private/public network boundary. When internal PC A (192.168.1.3) sends packet 1 to external server B (202.120.10.2), the packet passes through the firewall. The NAT process inspects the packet header, finds that the packet is destined for the external network and translates the private address 192.168.1.3 in the source address field of packet 1 into the public address 202.169.10.1. The packet is then sent to external server B with the translated address, and the private-to-public address mapping is recorded in the NAT table. External server B sends a reply (packet 2) to internal PC A with 202.169.10.1 as its destination address; when this packet reaches the firewall, NAT looks it up in the NAT table and replaces the destination address with the private address 192.168.1.3 of the internal PC.
The NAT process described above is transparent to the end systems (PC A-D and the server). The external server sees the internal PC's IP address as 202.169.10.1 and is entirely unaware of 192.168.1.3. In this way NAT hides the enterprise's private network.


The USG firewall supports two modes of address translation: NO-PAT and NAPT.

NO-PAT: each private address corresponds to one public address. Ports are not involved in the translation, so it is straightforward to implement. The disadvantage is that the one-to-one mapping does nothing to relieve the shortage of public addresses. It is useful for mapping internal devices such as servers one-to-one, so that external devices can reach them without knowing the internal address and without any means of bypassing the firewall.

NAPT: multiple private addresses are mapped to a single public address. NAPT translates port numbers as well as IP addresses: packets from different internal addresses are mapped to the same external address, but each session receives a different port number so that the internal hosts can be told apart. As shown in the figure above, when four packets with internal addresses reach the NAT device, packets 1 and 2 come from the same internal address but, because their destinations differ, each is given a different port number; packets 3 and 4 come from different internal addresses but carry the same source port number. After translation all four packets carry the same external address but different source ports, so they remain distinguishable. When a reply reaches the NAT device, the destination address and port number identify the session and the packet is forwarded to the right internal host. The USG uses this mode by default. The USG series allows the IP address of the outgoing interface to overlap with the address pool, and supports using the IP address of the outbound interface itself as the translated source address (called Easy IP); the USG300/500/1000, however, do not support Easy IP.


NAT hides the structure of the internal network and shields internal hosts, while still allowing external devices to reach selected internal hosts such as a WWW or FTP server. NAT supports internal servers: for example, address 202.168.0.11 can be used as the external address of the Web server and 202.168.0.12 as the external address of the internal FTP server.

The internal server function lets the external network reach an internal server. As shown in the figure above, when a user on the external network accesses the internal server, NAT translates the public destination address of the packet into the private address of the internal server; for the server's reply, NAT translates the private source address back to the public address.
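As an added example (not Huawei code), the following Python model shows the three behaviours described in this passage and in the NO-PAT/NAPT passage above: NO-PAT one-to-one bindings, NAPT session entries that disambiguate hosts by port, and nat server mappings for published internal servers, including the reply direction. The port allocation order, the tiny per-address port range used to show pool rollover, and all addresses other than those taken from the page are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PoolExhausted(Exception):
    pass


class NatTable:
    def __init__(self, pool, mode="napt", first_port=1024, ports_per_ip=64512):
        self.pool = list(pool)      # public addresses of the address group
        self.mode = mode            # "no-pat" or "napt"
        # Assumed: ports are handed out sequentially per public address, and the
        # next pool address is used only when the current one runs out of ports.
        self.ports = {ip: iter(range(first_port, first_port + ports_per_ip)) for ip in self.pool}
        self.sessions = {}          # napt: (proto, src, sport, dst, dport) -> (pub_ip, pub_port)
        self.reverse = {}           # napt: (proto, pub_ip, pub_port, dst, dport) -> (src, sport)
        self.bindings = {}          # no-pat: private ip -> public ip
        self.servers = {}           # nat server: (global_ip, proto, global_port) -> (inside_ip, inside_port)

    def add_server(self, global_ip, inside_ip, proto=None, global_port=None, inside_port=None):
        """Like 'nat server [protocol P] global G [gport] inside I [iport]'."""
        self.servers[(global_ip, proto, global_port)] = (inside_ip, inside_port)

    def _alloc_port(self):
        for ip in self.pool:
            port = next(self.ports[ip], None)
            if port is not None:
                return ip, port
        raise PoolExhausted("every port on every pool address is in use")

    def translate_out(self, pkt):
        """Outbound direction: rewrite the private source address (and port under NAPT)."""
        for (gip, gproto, gport), (iip, iport) in self.servers.items():   # reply from a published server
            if pkt.src == iip and (gproto is None or (gproto == pkt.proto and iport == pkt.sport)):
                return replace(pkt, src=gip, sport=pkt.sport if gport is None else gport)
        if self.mode == "no-pat":
            if pkt.src not in self.bindings:
                free = [ip for ip in self.pool if ip not in self.bindings.values()]
                if not free:
                    raise PoolExhausted("no free public address for " + pkt.src)
                self.bindings[pkt.src] = free[0]
            return replace(pkt, src=self.bindings[pkt.src])          # port is left alone
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:                                  # new session: allocate
            self.sessions[key] = pub_ip, pub_port = self._alloc_port()
            self.reverse[(pkt.proto, pub_ip, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        pub_ip, pub_port = self.sessions[key]
        return replace(pkt, src=pub_ip, sport=pub_port)

    def translate_in(self, pkt):
        """Inbound direction: rewrite the public destination, or return None to drop."""
        for (gip, gproto, gport), (iip, iport) in self.servers.items():
            if pkt.dst == gip and (gproto is None or (gproto == pkt.proto and gport == pkt.dport)):
                return replace(pkt, dst=iip, dport=pkt.dport if iport is None else iport)
        if self.mode == "no-pat":
            for priv, pub in self.bindings.items():
                if pub == pkt.dst:
                    return replace(pkt, dst=priv)
            return None
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.reverse:
            return None                                               # unsolicited: no session
        src, sport = self.reverse[key]
        return replace(pkt, dst=src, dport=sport)


def napt_scenario():
    """The four packets of the NAPT figure, with only 3 ports per address to show rollover."""
    nat = NatTable(["202.168.0.10", "202.168.0.20"], mode="napt", ports_per_ip=3)
    pkts = [Packet("tcp", "192.168.0.2", 1111, "198.51.100.1", 80),
            Packet("tcp", "192.168.0.2", 1111, "198.51.100.2", 80),   # same source, other destination
            Packet("tcp", "192.168.0.3", 2222, "198.51.100.1", 80),
            Packet("tcp", "192.168.0.4", 2222, "198.51.100.1", 80)]   # other source, same port
    out = [nat.translate_out(p) for p in pkts]
    reply = Packet("tcp", "198.51.100.1", 80, out[2].src, out[2].sport)
    return out, nat.translate_in(reply)


def nat_server_scenario():
    """The page's web server mapping: 202.168.0.11:80 -> 192.168.1.101:8080, both ways."""
    nat = NatTable(["202.168.0.20"])
    nat.add_server("202.168.0.11", "192.168.1.101", proto="tcp", global_port=80, inside_port=8080)
    request = nat.translate_in(Packet("tcp", "198.51.100.9", 40000, "202.168.0.11", 80))
    reply = nat.translate_out(Packet("tcp", "192.168.1.101", 8080, "198.51.100.9", 40000))
    return request, reply


def nopat_scenario():
    """One public address, two private hosts: NO-PAT cannot translate the second one."""
    nat = NatTable(["202.168.0.10"], mode="no-pat")
    first = nat.translate_out(Packet("tcp", "192.168.0.2", 5000, "198.51.100.1", 80))
    try:
        nat.translate_out(Packet("tcp", "192.168.0.3", 5000, "198.51.100.1", 80))
        return first, False
    except PoolExhausted:
        return first, True
```

The reverse table is what makes NAPT a stateful mechanism: an inbound packet that matches no session and no nat server mapping has nowhere to go and is dropped, which is the "shielding" effect the page attributes to NAT.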

NAT and NAPT translate only the addresses in IP headers and the port information in TCP/UDP headers. Some protocols, such as ICMP and FTP, carry IP addresses or port information in the data part of the packet, which NAT cannot translate, and this causes problems. For example, an FTP server with an internal IP address sends its own IP address to the peer when it establishes a session with an external host. That address is carried in the data part of the packet and is not translated by NAT, so when the external host receives the private address and tries to use it, the FTP server appears unreachable. The solution is an ALG (Application Level Gateway) for the protocol in question, integrated with NAT. An ALG is a translation proxy for a specific application protocol: it works together with NAT, uses the NAT state information to rewrite the application-specific data carried in the payload of the IP packet, and does whatever else is needed to let the application protocol work across the address boundary.

The USG firewall implements ALG as a general address-translation application level gateway framework: it supports many special application protocols, needs no changes to the NAT platform and is easy to extend.

At present, ALG is implemented for the following application protocols: DNS, FTP, H.323, HWCC, ICMP, ILS, MGCP (Media Gateway Control Protocol), MSN, NetBIOS, PPTP, QQ, RAS and SNP.
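The FTP case above can be made concrete with a small Python ALG that parses and rewrites the PORT command, in which the client announces the address and port it is listening on for the data connection. It is an added example, not Huawei's ALG implementation. The internal and public addresses are taken from the page's nat server example; the allocated public port, the regular expression and the pinhole structure are assumptions of the model.

```python
import ipaddress
import re

PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


def parse_port(payload):
    """Decode an FTP PORT command into (ip, port); None if the payload is not one."""
    m = PORT_RE.fullmatch(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        return None
    return "%d.%d.%d.%d" % tuple(fields[:4]), fields[4] * 256 + fields[5]


def format_port(ip, port):
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)).encode()


def peer_data_target(payload):
    """What the external peer would connect to for the data channel, and whether that
    address is reachable from the Internet at all (private addresses are not)."""
    parsed = parse_port(payload)
    if parsed is None:
        return None
    ip, port = parsed
    return ip, port, not ipaddress.ip_address(ip).is_private


class FtpAlg:
    """Rewrites PORT commands for one NAT binding private_ip -> public_ip and opens the
    matching pinhole so the peer's data connection can be mapped back to the host."""

    def __init__(self, private_ip, public_ip, allocate_port):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.allocate_port = allocate_port     # hands out a free public port from NAT state
        self.pinholes = {}                     # (public_ip, public_port) -> (private_ip, private_port)

    def outbound(self, payload):
        """Returns (payload to forward, change in payload length). The length delta is what
        a real ALG must feed into TCP sequence and acknowledgement number adjustment."""
        parsed = parse_port(payload)
        if parsed is None or parsed[0] != self.private_ip:
            return payload, 0                  # not our PORT command: pass through untouched
        public_port = self.allocate_port()
        self.pinholes[(self.public_ip, public_port)] = (self.private_ip, parsed[1])
        rewritten = format_port(self.public_ip, public_port)
        return rewritten, len(rewritten) - len(payload)

    def inbound_data_connection(self, dst_ip, dst_port):
        """Map the peer's data connection to the private host, or None if no pinhole exists."""
        return self.pinholes.get((dst_ip, dst_port))


def page_scenario():
    """Internal FTP host 192.168.1.102 published as 202.168.0.12 (addresses from the page);
    the public port 60260 handed out by the NAT is an assumption."""
    alg = FtpAlg("192.168.1.102", "202.168.0.12", lambda: 60260)
    original = b"PORT 192,168,1,102,4,1\r\n"           # host announces 192.168.1.102:1025
    without_alg = peer_data_target(original)
    rewritten, delta = alg.outbound(original)
    with_alg = peer_data_target(rewritten)
    mapped = alg.inbound_data_connection(with_alg[0], with_alg[1])
    return without_alg, rewritten, delta, with_alg, mapped
```

Without the ALG the peer is told to connect to 192.168.1.102, which is not routable from the Internet; with it the peer is told 202.168.0.12 and a port for which the NAT already holds a mapping back to the private host.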


On the USG firewall NAT combines the NO-PAT and NAPT modes. When NAPT is configured, NAT translates private addresses onto one public address of the pool before moving on to another public address to complete the translation. The address pool is the set of public addresses used for translation; users should size it according to the number of legal (public) IP addresses available, the number of hosts in the internal network and the actual applications.

The USG firewall uses an ACL to limit address translation: only packets that match the ACL are translated, which controls the range of translated addresses and lets only the intended hosts reach the external network.
This example shows how NAT is configured on the USG. As shown in the figure above, the firewall divides the network into the internal Trust zone, the external Untrust zone and the DMZ. Hosts with private addresses in the Trust zone need to access the external network (Internet), and hosts with public addresses in the Untrust zone need to access the three servers in the DMZ.

[USG2100] nat address-group 1 202.168.0.10 202.168.0.20
// Configures NAT address pool number 1, which holds the public addresses used for translation.
[USG2100] nat-policy interzone trust untrust outbound
// Defines a NAT policy between the two zones, for the outbound direction (Trust to Untrust).
[USG2100-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG2100-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 mask 24
// Defines the range of source addresses to which NAT applies.
[USG2100-nat-policy-interzone-trust-untrust-outbound-1] address-group 1 no-pat
// Binds the address pool to the policy, in NO-PAT mode.
[USG2100-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
// Enables source NAT for traffic matching the policy.
[USG2100] nat server global 202.168.0.10 inside 192.168.1.100
[USG2100] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[USG2100] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
// The nat server command defines the mapping table for internal servers. The three commands above state, respectively, that external users reach the internal server 192.168.1.100 through the public address 202.168.0.10 (all protocols), reach the internal Web server 192.168.1.101 port 8080 through the public address 202.168.0.11 port 80, and reach the internal FTP server 192.168.1.102 (port ftp) through the public address 202.168.0.12 port 1021. Note that 202.168.0.10 to 202.168.0.12 lie inside address pool 1 configured above; in a real deployment the addresses published with nat server should be kept out of the source NAT pool so that outbound translations cannot collide with the published services.
[USG2100] policy interzone dmz untrust inbound
// Defines a filtering policy between the two zones, for the inbound direction (Untrust to DMZ).
[USG2100-policy-interzone-dmz-untrust-inbound] policy 1
[USG2100-policy-interzone-dmz-untrust-inbound-1] policy destination 192.168.1.0 mask 24
// Defines the range of destination addresses matched by the filtering policy.
[USG2100-policy-interzone-dmz-untrust-inbound-1] policy service service-set ftp
// Defines the service matched by the filtering policy.
[USG2100-policy-interzone-dmz-untrust-inbound-1] action deny
// Denies the matched traffic: FTP from the Untrust zone to the 192.168.1.0/24 servers is dropped.

Q: Which operational modes does USG support?
A: Route mode, transparent mode and composite mode.

Q: What are the default USG security zones?
A: Trust Zone, Untrust Zone, DMZ and Local.

Q: What is the difference between a basic ACL and an advanced
ACL?
A: A basic ACL only uses the source address to define data flow,
whereas an advanced ACL uses source/destination address,
source/destination port and upper-layer protocol to define data
flow.

Q: Which forms of NAT does USG support?
A: NO-PAT, NAPT.


Module 6
Product
To calculate the spanning tree, switches need to exchange information and parameters. This information is encapsulated in the Configuration Bridge Protocol Data Unit (BPDU) and transmitted between switches. In a broad sense a BPDU is any data unit used to exchange information between switches; the configuration BPDU is one type of BPDU.
Calculation of the spanning tree starts with the election of the root bridge, which is based on the bridge identifier. A bridge identifier consists of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is configurable, ranges from 0 to 65535 and defaults to 32768.
The switch with the smallest bridge identifier becomes the root bridge: the priorities are compared first, and if they are equal the MAC addresses are compared, the smallest MAC address winning.
In this example the three switches have the same priority. SWA has the smallest MAC address, so SWA is elected as the root bridge.

The Huawei NetEngine40E Universal Service Router (hereinafter the NE40E) is a high-end router with 10 Gbit/s interfaces designed for core and backbone networks. The NE40E is positioned as an edge or convergence router on the IP backbone network.


This is the introduction to the NE40E product family. All LPUs can be used in the NE40E-X16, X8 and X3; the main difference between LPUs is forwarding capability.

The NE40E-X adopts the system architecture shown in the figure above, in which the data plane, the management and control plane, and the monitoring plane are separated. This design improves system reliability and allows each plane to be upgraded separately.
The control plane of the NE40E-X16 uses the MPU.
The MPU supports the following USB interface attributes: it supports FAT32-formatted USB storage up to the largest capacity available on the market; for security reasons the device is not allowed to write to the USB storage; and an upgrade runs automatically when the USB storage is inserted, without any operator action. Because an inserted USB storage can trigger an upgrade on its own, physical access to the chassis must be controlled.
The control plane of the NE40E is separated from the data plane and the monitoring plane. The NE40E-X8 uses the SRU, which integrates an SFU for data switching.
The SRU supports the following USB interface attributes: it supports FAT32-formatted USB storage up to the largest capacity available on the market; for security reasons the device is not allowed to write to the USB storage; and an upgrade runs automatically when the USB storage is inserted, without any operator action.
The MPU of the NE40E-X3 controls and manages the system and switches data. The MPUs work in 1+1 backup mode. The MPU consists of the main control unit, switching unit, system clock unit, synchronous clock unit and system maintenance unit. The functions of the MPU are described from the following aspects.
The switching network is a key component of the NE40E and is responsible for switching data between LPUs.
z As shown in the figure, the Packet Forwarding Engine (PFE)
adopts a Network Processor (NP) or an Application Specific
Integrated Circuit (ASIC) to implement high-speed packet
routing. External memory types include Static Random Access
Memory (SRAM), Dynamic Random Access Memory (DRAM),
and Net Search Engine (NSE). The SRAM stores forwarding
entries; the DRAM stores packets; the NSE performs non-linear
searching.
z Data forwarding processes can be divided into upstream and
downstream processes based on the direction of the data
flow.
z Upstream process: The Physical Interface Card (PIC)
encapsulates packets into frames and then sends them to the
PFE. On the PFE of the inbound interface, the system
decapsulates the frames and identifies the packet types. It
then classifies traffic according to the QoS configurations on
the inbound interface. After traffic classification, the system
searches the Forwarding Information Base (FIB) for the
outbound interfaces and next hops of the packets to be
forwarded. To forward an IPv4 unicast packet, for instance,
the system searches the FIB for the outbound interface and
next hop according to the destination IP address of the
packet. Finally, the system sends the packets, together with
information about their outbound interfaces and next hops, to
the traffic management (TM) module.
z Downstream process: Information about the packet types
identified in the upstream process and about the outbound
interfaces is encapsulated through the link layer protocol, and
the packets are stored in the corresponding queues for
transmission. If the outbound interface of an IPv4 packet is an
Ethernet interface, the system needs to obtain the MAC
address of the next hop. Outgoing traffic is then classified
according to the QoS configurations on the outbound
interfaces. Finally, the system encapsulates the packets with
new Layer 2 headers on the outbound interfaces and sends
them to the PIC.
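The upstream and downstream processes above, modelled as an added Python example (this is not Huawei code): it walks one IPv4 frame through inbound classification, a longest-prefix FIB lookup, next-hop MAC resolution on an Ethernet outbound interface and the new Layer 2 header. The FIB and ARP tables, interface names, MAC addresses and the DSCP-to-queue classifier are all constructed for illustration.

```python
import ipaddress

# Added example, not Huawei code: a minimal model of the PFE pipeline described
# above (upstream: decapsulate, classify, FIB lookup, hand to the TM; downstream:
# resolve the next-hop MAC, classify, build the new Layer 2 header, send to the PIC).
# Every table entry, interface name and MAC below is constructed for illustration.

FIB = {  # prefix -> (outbound interface, next hop)
    ipaddress.ip_network("10.0.0.0/8"):    ("GE1/0/0", "10.1.1.254"),
    ipaddress.ip_network("10.1.0.0/16"):   ("GE2/0/0", "10.2.2.254"),
    ipaddress.ip_network("10.1.200.0/24"): ("GE1/0/0", "10.1.1.253"),
    ipaddress.ip_network("0.0.0.0/0"):     ("Pos3/0/0", "192.0.2.1"),
}
ARP = {  # next hop -> MAC, for next hops behind Ethernet outbound interfaces
    "10.1.1.254": "00:00:5e:00:53:01",
    "10.2.2.254": "00:00:5e:00:53:02",
    # 10.1.1.253 is deliberately left unresolved to show the downstream failure case
}
IF_MAC = {"GE1/0/0": "00:00:5e:00:53:a1", "GE2/0/0": "00:00:5e:00:53:a2"}
ETHERTYPE_IPV4 = 0x0800

def classify(dscp):
    """Stand-in for the per-interface QoS classifier: map a DSCP value to a TM queue."""
    return 5 if dscp >= 40 else 3 if dscp >= 16 else 1

def fib_lookup(dst_ip):
    """Longest-prefix match on the destination IP; returns (prefix, oif, next hop) or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, (oif, nh) in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, oif, nh)
    return best

def upstream(frame):
    """PIC -> PFE on the inbound interface: decapsulate, identify the packet type,
    classify on inbound QoS, look up the FIB and build the descriptor sent to the TM."""
    if frame["ethertype"] != ETHERTYPE_IPV4:   # only IPv4 unicast is modelled
        return None                            # other packet types are not handled here
    pkt = frame["payload"]
    match = fib_lookup(pkt["dst_ip"])
    if match is None:
        return None                            # no FIB entry: packet is dropped
    _, oif, nh = match
    return {"pkt": pkt, "oif": oif, "next_hop": nh, "in_queue": classify(pkt["dscp"])}

def downstream(desc):
    """TM -> PFE on the outbound interface: for Ethernet, resolve the next-hop MAC;
    classify on outbound QoS and attach the new Layer 2 header for the PIC."""
    oif = desc["oif"]
    if oif.startswith("GE"):
        dst_mac = ARP.get(desc["next_hop"])
        if dst_mac is None:
            return None                        # unresolved next hop: cannot encapsulate
        l2 = {"dst_mac": dst_mac, "src_mac": IF_MAC[oif], "ethertype": ETHERTYPE_IPV4}
    else:
        l2 = {"encap": "PPP", "protocol": 0x0021}  # IPv4 over a POS link, no MAC needed
    return {"oif": oif, "out_queue": classify(desc["pkt"]["dscp"]), "l2": l2, "pkt": desc["pkt"]}

def forward(frame):
    """Run one frame through both halves of the pipeline."""
    desc = upstream(frame)
    return downstream(desc) if desc else None

if __name__ == "__main__":
    frame = {"ethertype": ETHERTYPE_IPV4, "payload": {"dst_ip": "10.1.5.9", "dscp": 46}}
    print(forward(frame))
```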

z The NE40E supports entire HQoS solutions. Huawei is the
only vendor that supports HQoS, DS-TE and MPLS HQoS;
other vendors support only one or two of them. Thus, Huawei
can provide an entire HQoS solution to meet the various
scenarios of carrier-class services.
z The main scenarios of the NE40E router are campus and IDC
interconnection, large branch access, and key nodes of a WAN.
z What is the difference between the control planes of the
NE40E-X8 and NE40E-X16?
The control plane of the NE40E-X8 is separated from the
data plane and the monitoring plane. The NE40E-X8 adopts
the SRU, which integrates an SFU used for data switching.
The control plane of the NE40E-X16 is the MPU, which does
not integrate an SFU.
z What is the difference between the SFUs of the NE40E-X8 and
NE40E-X16?
The SFU on the NE40E-X8 switches data for the entire
system at a wire speed of 480 Gbit/s (240 Gbit/s for the
upstream traffic and 240 Gbit/s for the downstream
traffic). This ensures a non-blocking switching network.
The NE40E-X8 has three SFUs working in 2+1 load
balancing mode. The entire system provides a switching
capacity at a wire speed of 1.44 Tbit/s. The three SFUs
load balance services at the same time. When one SFU
is faulty or replaced, the other two SFUs automatically
take over its tasks to ensure normal running of services.
The SFU on the NE40E-X16 switches data for the entire
system at a wire speed of 640 Gbit/s (320 Gbit/s for the
upstream traffic and 320 Gbit/s for the downstream
traffic). This ensures a non-blocking switching network.
The NE40E-X16 has four SFUs working in 3+1 load
balancing mode. The entire system provides a switching
capacity at a wire speed of 2.56 Tbit/s. The four SFUs
load balance services at the same time. When one SFU
is faulty or replaced, the other three SFUs automatically
take over its tasks to ensure normal running of services.
z Huawei routers have evolved over three generations. The
first-generation routers use an integrated single-core design,
the second-generation routers an integrated multi-core design,
and the third-generation routers a distributed multi-core design.
z Huawei AR G3 series routers (AR G3 routers for short)
support multiple network access modes, including Ethernet,
PON, and 3G.
z The AR G3 routers are the next-generation routing and
gateway devices that provide routing, switching, wireless,
voice, and security services. The AR G3 routers include the
AR1200, AR2200, and AR3200 series routers.
z The AR G3 routers provide the highest port density in the
industry and flexible service interface card (SIC) slots,
allowing enterprise customers to connect to a LAN, WAN, or
wireless network. The AR G3 routers provide the most
economical enterprise network solutions.
z The AR G3 routers provide flexible slot combinations. Two
SIC slots can be combined into one WSIC slot, two WSIC
slots into one XSIC slot, and two XSIC slots into one EXSIC
slot.
z With extensible hardware design, the AR G3 routers allow
customers to choose SICs flexibly and to expand networks
economically.

z The AR G3 routers integrate various services of routers,
switches, and wireless devices, including voice, firewall, and
VPN.

z Depending on telecom carriers' networks, users can access
these networks by using CE1/CT1, FE/GE, ADSL, G.SHDSL,
or Synchronization Agent (SA). The AR G3 routers provide
dual-uplink to ensure service reliability. These routers provide
the following services for access users:
Provide the security, routing, switching, VPN, and
wireless services to ensure secure, fast, and reliable
data packet forwarding.
Provide a variety of value-added services, including
DHCP, network address translation (NAT), domain name
system (DNS), and billing services.
Provide security control mechanisms, including
controlling access to internal networks and user rights, to
ensure the access security on the enterprise intranet and
isolate the departments of an enterprise.
Provide the attack defense function to protect user traffic
against attacks from the external and internal networks.
Guarantee user-specific QoS and service-specific QoS
and flexibly allocate bandwidth for services as needed.

z The headquarters and branches use the AR G3 routers to
connect to each other over the Internet. The enterprise
establishes a VPN and uses GRE/IPSec VPN tunnels to secure
the data. Employees on a business trip use IPSec VPN tunnels
to communicate with the headquarters.
z The AR G3 routers, located between the enterprise intranet
and the Internet, ensure information security on the entire
intranet and intranet LANs. Additionally, the AR G3 routers
provide network access control (NAC) to restrict the access
permissions of internal users. This ensures that only
authorized users can access the intranet.
z An enterprise can build a voice communication system over
the IP network, saving fees on internal communication. Within
the voice communication system, an AR G3 router can
function as an IP PBX or SIP access gateway (AG). In the
downlink direction, the router connects to POTS users (analog
phones or fax machines) and SIP user equipment (UE) users
(IP phones or PC software terminals) through FXS or Ethernet
interfaces. In the uplink direction, the router connects to the
PSTN through E1 or FXS interfaces or to the IP network
through Ethernet interfaces.



z The AR200 series routers apply to small-scale offices. They
integrate switching and routing functions. These routers
provide wireline LAN access and wireless AP access to users.
With them, users can access the Internet through Ethernet,
3G, or PPPoE.
z The AR1200 series routers feature powerful routing functions.
They provide multiple access modes, such as wireline LAN
and wireless AP. Additionally, these routers provide flexible
slots that allow users to install subcards to extend interfaces
and enrich functions.
z The AR2200 series routers feature powerful routing functions
and multiple access modes. They support a variety of
subcards to apply to different usage scenarios. Their slots can
be combined to achieve a higher port density. Among them,
the AR2240 is equipped with two main control boards and two
power supplies for redundancy backup. This redundancy
backup design improves the router usability and reliability.
z The AR3200 series routers have a large capacity. They
provide many flexible slots that allow users to install different
cards in different usage scenarios. Additionally, their slots can
be combined to provide a higher port density. To improve
system reliability, these routers are configured with two main
control boards and two power supplies for redundancy
backup.

z Huawei has the most extensive enterprise switch families in
the industry, ranging from low-end, medium-range, to high-
end.
z The S1700, S2700, S3700, and S5700 switches are used at
the access layer of a campus network. The S1700 and S2700
provide Layer 2 FE access. The S3700 supports Layer 3 FE
access. The S5700 allows for Layer 3 GE access and has a
high port density. Additionally, the S5700 supports cluster
management and features high fault tolerance through the use
of stacking technology.
z The S5700, S7700, and S9300 are used at the convergence
layer of a campus network. These switches provide powerful
switching functions and have a high port density. They also
support a variety of cards to apply to different usage scenarios
where varying interfaces are required.
z The S5700, S6700, S9300, and S12700 are high-end
switches. These switches are used at the core layer of a
campus network. They also apply to the access and core
switching layers of a large-scale data center. With a high port
density and a variety of cards, these switches provide various
ports to meet different requirements.

z The SX7 series switches are intended for the enterprise
market. They provide Layer 2 and Layer 3 access and FE,
GE, and 10GE ports. Among these series, the ST-level core
switch S7700 uses a distributed architecture and provides up
to 12 slots that allow users to install different cards in various
usage scenarios.

z Principle
z The S2700/S3700/S5700/S6700 switches integrate an internal
HTTP server, so the device can be accessed on a Layer 3
interface of the switch through a variety of web browsers.
z The following requirements must be met to implement
stacking:
z All the member switches belong to the same series. The EI
series and SI series cannot form a stack.
z All the member switches are connected by using stack cables
and stack modules.
z The stack rear card cannot be used together with the
E4GF/E4GFA or E4XY front card.

z If all the member switches meet the stack setup prerequisites,
the stack system is automatically created when these
switches are powered on.
z The master switch is selected as follows:
z The device that starts first becomes the master switch.
z If all the devices start at the same time, the one with the
highest priority becomes the master switch.
z If all the devices have the same priority and start at the same
time, the one with the smallest MAC address becomes the
master switch.
z The slave (standby) switch is selected as follows:
z The device that starts first among all the other devices,
excluding the master switch, becomes the slave switch.
z If all the other switches excluding the master switch start at
the same time, the master switch preferentially selects the
switch connected to its stack interface 1 as the standby
switch.
z If all the other switches excluding the master switch start at
the same time and no switch is connected to stack interface 1
on the master switch, the master switch selects the switch
connected to its stack interface 0 as the standby switch.
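The master and standby election rules above, applied in an added Python example (not Huawei code) to a constructed set of member switches: boot order first, then priority, then smallest MAC address for the master; boot order, then the master's stack interface 1, then interface 0 for the standby. The member names, boot times, priorities, MAC addresses and stack-cable wiring are made up for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Huawei code: the master/standby election rules from the notes
# above, applied to constructed member records. Boot times, priorities, MAC addresses
# and the stack-cable wiring are all made up for illustration.

@dataclass
class Member:
    name: str
    boot_time: float   # seconds after power-on at which the switch finished starting
    priority: int      # stack priority; higher wins
    mac: str

# links[(switch, stack interface)] = peer switch wired to that interface (constructed)
Links = Dict[Tuple[str, int], str]

def mac_as_int(mac: str) -> int:
    """Numeric value of a MAC so that 'smallest MAC address' compares correctly."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def earliest_starters(members: List[Member]) -> List[Member]:
    """Members whose boot time equals the minimum; one element unless they tied."""
    t = min(m.boot_time for m in members)
    return [m for m in members if m.boot_time == t]

def elect_master(members: List[Member]) -> Member:
    """First to start wins; on a tie, highest priority, then smallest MAC address."""
    first = earliest_starters(members)
    if len(first) == 1:
        return first[0]
    return min(first, key=lambda m: (-m.priority, mac_as_int(m.mac)))

def elect_standby(members: List[Member], master: Member, links: Links) -> Optional[Member]:
    """First of the remaining switches to start wins; on a tie the master prefers
    the switch on its stack interface 1, then the one on stack interface 0."""
    others = [m for m in members if m is not master]
    if not others:
        return None                      # single-member stack: no standby
    first = earliest_starters(others)
    if len(first) == 1:
        return first[0]
    tied = {m.name: m for m in first}
    for port in (1, 0):
        peer = links.get((master.name, port))
        if peer in tied:
            return tied[peer]
    return None                          # the notes give no further tie-breaker

def run_election(members: List[Member], links: Links) -> Tuple[str, Optional[str]]:
    master = elect_master(members)
    standby = elect_standby(members, master, links)
    return master.name, standby.name if standby else None

if __name__ == "__main__":
    stack = [Member("SW1", 10.0, 100, "00:e0:fc:00:00:03"),
             Member("SW2", 10.0, 200, "00:e0:fc:00:00:02"),
             Member("SW3", 10.0, 200, "00:e0:fc:00:00:01")]
    wiring = {("SW3", 1): "SW1", ("SW3", 0): "SW2"}
    print(run_election(stack, wiring))
```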



z The S7700 is a next-generation switch of Huawei. It provides
large capacity, line-speed forwarding, and high-density ports.
The S7700 is an important product for establishing the MANs
of the future. The S7700 can be used as an aggregation
switch or a core switch for enterprise networks, campus
networks, and data centers.
z The S7700s are classified into the S7703, S7706, and S7712.
z The S7700 is a high-end network product that provides wire-
speed FE, GE, and 10GE interfaces. The S7700 can function
as a core switch for enterprise networks, campus networks,
and data centers.

z The S7700s are classified into the S7703, S7706, and S7712.
The S7700 uses a fully distributed architecture and the
latest hardware forwarding engine technology. The
services supported by all the interfaces can be
forwarded at wire speed. These services include IPv4,
MPLS, and Layer 2 forwarding services. The S7700 can
also use ACLs to forward packets at wire speed.
The S7700 supports wire-speed forwarding of multicast
packets. The hardware implements 2-level multicast
replication: the SFU replicates multicast packets to the
LPU, and then the forwarding engine of the LPU replicates
the multicast packets to the interfaces on the LPU.
The S7700 supports 2 Tbit/s switching capacity and
various high-density cards to meet the requirements for
the large capacity and high-density interfaces of core
and convergence layer devices. The S7700 can meet
the increasing bandwidth requirements and maximally
reduce investments.
z S7703's switching capacity:
z Adopting the full mesh architecture, the S7703 provides 16
Gbit/s bandwidth in each HIG group, that is, 4 x 5 Gbit/s x
8/10 (8B/10B code). The channel between each slot and the
backplane supports eight HIG groups; therefore, the total
bandwidth for each slot is 128 Gbit/s.
z There is no switching network unit in the full mesh
architecture. The switching capability is 720 Gbit/s, that is,
120 Gbit/s x 2 x 3 (3 LPUs).
z S7706/S7712's switching capacity:
z Adopting the switching network architecture, the S7706 or
S7712 provides 16 Gbit/s bandwidth in each HIG group, that
is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between
each slot and the backplane supports four HIG groups (an
active SRU and a standby SRU); therefore, the total
bandwidth for each slot is 64 Gbit/s. Each 12x10GE LPU slot
supports eight HIG groups; therefore, the total bandwidth is
128 Gbit/s. (Only two 12x10GE LPUs of the S7712 support
wire-speed forwarding.)
z The maximum switching capability of the S7706 or S7712 is
2048 Gbit/s, that is, 16 Gbit/s x 16 (ports) x 1 (switching
network unit) x 2 (bidirectional) x 4 SRUAs.


z ISSU = In-Service Software Upgrade.
z The figure on this slide shows a typical enterprise campus
network. Within this network, you can clearly see where
Huawei switches, routers, firewalls, servers and other IT
products are located. Actually, Huawei can provide a full range
of IT products and the most comprehensive network solutions
in the industry.
z 1. What is the positioning of the AR G3?
Deployment position: between an internal network and a
public network.
Integrated access: Data: FE/GE/EPON/GPON/three 3G
modes. Voice: FXS and IP-PBX. Switching: FE/GE
switching cards/MSTP/VLAN/static port aggregation/MPLS
VPN.
Security: enterprise-class firewall; integrated VPN access:
IPSec/GRE/MPLS.
z 2. What are the characteristics of Huawei switches for enterprises?
Seamless upgrading of port switching capacity.
Highly compatible software platform.
Universal platform and energy-efficient chips.