HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
The privilege of HCNA/HCNP/HCIE:
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning
   - If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
   - If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
   - Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and email the account to Learning@huawei.com to apply for the HCIE e-Learning privilege.
2. Training Material Download
   - Content: Huawei product training material and Huawei career certification training material.
   - Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material on the specific training introduction page.
3. Priority to participate in Huawei Online Open Class (LVC)
   - The Huawei career certification training and product training cover all ICT technical domains like R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.
4. Learning Tools:
   - eNSP: Simulates single Router&Switch devices and large networks.
   - WLAN Planner: Network planning tool for WLAN AP products.
   In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or become acquainted with Huawei Products.
Statement:
This material is for personal use only, and cannot be used by any individual or organization for any commercial purposes.
More Learning Resources: http://learning.huawei.com/en
Huawei Certification
HCNA-HNTD
INTERMEDIATE
Huawei Networking Technology and Device
Huawei Technologies Co.,Ltd.
Copyright © Huawei Technologies Co., Ltd. 2016.
All rights reserved.
Huawei owns all copyrights, except for references to other parties. No part of this
document may be reproduced or transmitted in any form or by any means without
prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co.,
Ltd.
All other trademarks and trade names mentioned in this document are the property
of their respective holders.
Notice
The information in this manual is subject to change without notice. Every effort has
been made in the preparation of this manual to ensure accuracy of the contents, but
all statements, information, and recommendations in this manual do not constitute
the warranty of any kind, express or implied.
Huawei Certification
HCNA-HNTD
Huawei Networking Technology and Device
Intermediate
Version 2.2
Huawei Certification System
Relying on its strong technical and professional training and certification system
and in accordance with customers of different ICT technology levels, Huawei
certification is committed to providing customers with authentic, professional
certification, and addresses the need for the development of quality engineers that
are capable of supporting Enterprise networks in the face of an ever changing ICT
industry. The Huawei certification portfolio for routing and switching (R&S) is
comprised of three levels to support and validate the growth and value of customer
skills and knowledge in routing and switching technologies.
The Huawei Certified Network Associate (HCNA) certification level validates the
skills and knowledge of IP network engineers to implement and support small to
medium-sized enterprise networks. The HCNA certification provides a rich
foundation of skills and knowledge for the establishment of such enterprise
networks, along with the capability to implement services and features within
existing enterprise networks, to effectively support true industry operations.
HCNA certification covers fundamental skills for TCP/IP, routing, switching and
related IP network technologies, together with Huawei data communications
products, and skills for versatile routing platform (VRP) operation and management.
The Huawei Certified Network Professional (HCNP-R&S) certification is aimed at
enterprise network engineers involved in design and maintenance, as well as
professionals who wish to develop an in depth knowledge of routing, switching,
network efficiency and optimization technologies. HCNP-R&S consists of three
units including Implementing Enterprise Routing and Switching Network (IERS),
Improving Enterprise Network Performance (IENP), and Implementing Enterprise
Network Engineering Project (IEEP), which includes advanced IPv4 routing and
switching technology principles, network security, high availability and QoS, as well
as application of the covered technologies in Huawei products.
The Huawei Certified Internet Expert (HCIE-R&S) certification is designed to imbue
engineers with a variety of IP network technologies and proficiency in maintenance,
for the diagnosis and troubleshooting of Huawei products, to equip engineers with
in-depth competency in the planning, design and optimization of large-scale IP
networks.
Foreword
Outline
The HNTD guide contains content relating to the HCNA certification, for the development of
engineers who wish to prepare for the HCNA-HNTD examination or familiarize themselves with
TCP/IP technologies and protocols, as well as LAN and WAN technologies and products, including VRP.
Content
The book contains a total of five modules, introducing technologies for enhancing enterprise
networks for business application, and introduces solutions for link layer operations, WAN, IP
security, network management, and IPv6 technologies as well as guidelines for configuration
and implementation using VRP.
Module 1 introduces link layer features and services, including link aggregation solutions,
VLAN and GVRP, for the enhancement of link layer efficiency within the enterprise network.
Module 2 outlines the basic principles of technologies for Wide Area Networks (WAN)
including HDLC, PPP, Frame Relay, PPPoE and NAT, with VRP configuration for the
implementation of effective WAN solutions.
Module 3 addresses the need for security in the enterprise network and reflects on R&S
based security solutions, and subsequent VRP application for protection of the enterprise
network against internal and external threats.
Module 4 describes solutions for real-time management of enterprise networks through
effective operation and maintenance (O&M) solutions as well as a detailed understanding of
SNMP as the underlying management protocol. The module introduces the eSight network
management system, through which engineers will establish comprehensive skills for
implementing enterprise network management solutions.
Module 5 addresses the evolution of the enterprise network towards IPv6, and introduces the
principle features, routing technologies and applications for IPv6 networks on Huawei routers
and switches, from which engineers will establish a foundation for building and maintaining
IPv6 technologies in the enterprise network.
Contents
Advanced Enterprise Solutions Overview.................................................................................1
Link Aggregation ......................................................................................................................13
VLAN Principles........................................................................................................................26
GARP and GVRP .......................................................................................................................55
VLAN Routing...........................................................................................................................72
Wireless LAN Overview ...........................................................................................................86
Principle and Configuration of HDLC and PPP ........................................................................97
Frame Relay Principles...........................................................................................................125
Principle and Configuration of PPPoE...................................................................................141
Network Address Translation................................................................................................161
Establishing Enterprise RAN Solutions..................................................................................181
Access Control Lists................................................................................................................195
AAA.........................................................................................................................................209
Securing Data with IPSec VPN...............................................................................................221
Generic Routing Encapsulation .............................................................................................240
Simple Network Management Protocol ...............................................................................257
eSight Network Management Solutions...............................................................................271
Introducing IPv6 Networks....................................................................................................284
IPv6 Routing Technologies ....................................................................................................304
IPv6 Application Services-DHCPv6 ........................................................................................320
The establishment of local and internetwork connectivity through TCP/IP
protocols represents the foundation of the enterprise network, but does
not by itself represent a complete solution for enabling an enterprise network
to be business ready. As an enterprise grows, so do the requirements for the
network on which it is supported. This includes the implementation of effective
network designs capable of supporting an expanding business where user
density may grow in a short period of time, where operations as a mobile
office may constantly be required, where growing technological requirements
need to be smoothly facilitated, and the traffic generated is managed efficiently
without disruption to base network operations.
It is therefore imperative that a clear understanding be built of how solutions
can be applied to establish an enterprise network capable of supporting ever
changing industry needs. An enterprise network can be logically divided into
five areas, including a core network, data center, DMZ, enterprise edge, and
operations and maintenance (O&M). Huawei’s campus network solution
focuses on the core network zone. The core network implements a three-layer
architecture consisting of a core, aggregation, and access layer.
This three-layer architecture has advantages in providing a multi-layer design
for which each layer performs specific functions, and establishes a stable
topology, to simplify network expansion and maintenance, with a modular
design facilitating fault allocation. Network topology changes in one
department can be isolated to avoid affecting other departments.
Huawei enterprise networks must be capable of providing solutions for a
variety of scenarios, such as dense user access, mobile office, VoIP,
videoconference and video surveillance, access from outside the campus
network, and all-round network security.
Huawei enterprise solutions therefore must meet customer requirements on network
performance, scalability, reliability, security, and manageability, whilst also simplifying network
construction.
The enterprise network is required to be capable of establishing connectivity
via a multitude of telecom service provider networks, building on an ever
growing requirement for support of integrated and converged networks. In
taking advantage of the ubiquitous nature of IP, it is important that the
enterprise network be capable of supporting all services necessary in
enterprise based industries to provide access to internal resources through
any type of device, at any time and in any location.
Maintaining efficiency of operation in an enterprise network requires that traffic
flow is greatly optimized and redundancy is implemented to ensure that in the
case of any device or link failure, isolation of users and resources will not
occur. A two-node redundant design is implemented as part of enterprise
network design to enhance network reliability, however a balance is required
to be maintained, since too many redundant nodes are difficult to maintain and
increase overall organizational expenditure.
Network security plays an ever increasing role in the enterprise network. The
initial development of TCP/IP was not undertaken with the issue of security in
mind, and therefore security implementations have gradually been introduced
to combat ever growing threats to IP networks. Security threats are capable of
originating both from inside and outside of the enterprise network and
therefore solutions to tackle both types of security threats have become
prominent. Huawei network security solutions have grown to cover terminal
security management, service security control, and network attack defense.
The growth of intelligent network designs helps to facilitate operations and
maintenance (O&M), for which Huawei network solutions provide means for
intelligent power consumption management, intelligent fast network
deployment, and intelligent network maintenance.
As the industry continues to evolve, new next generation enterprise solutions
are introduced including the prominence of cloud technology providing cloud
service solutions to infrastructure, platforms, software etc, to meet the needs
of each customer. Along with this is the need for support of enterprise built
data centers and infrastructure designs allowing for constant expansion in
order to keep up with the growing number of services required by customers.
This involves the realization of technologies such as virtualization and storage
solutions that continue to play an aggressive role in ensuring that the
enterprise industry’s expansion into the cloud is facilitated on all service levels.
1. The DMZ represents a location that is part of the enterprise network,
however the DMZ exists within a location that allows the services to be
accessed from both an external location and internally, without allowing
external users permission to access locations associated with internal
users. This provides a level of security that ensures data never flows
between internal and external user locations.
2. The core provides a means for high speed forwarding of traffic between
different locations in the enterprise network and to external locations
beyond the enterprise network. As such the devices used in the core must
be capable of supporting higher performance in terms of processing and
forwarding capacity.
Link aggregation refers to the implementation of a trunk link that acts as a
direct point-to-point link, between two devices such as peering routers,
switches, or a router and switch combination at each end of the link. The link
aggregation comprises links that are considered members of an Ethernet
trunk, and builds an association which allows the physical links to operate as a
single logical link. The link aggregation feature supports high availability by
allowing the physical link of a member interface to switch traffic to another
member link in the event that a particular interface fails. In aggregating the
links, the bandwidth of a trunk interface is combined, equaling the sum of the
bandwidth of all member interfaces, to enable an effective bandwidth increase
for traffic over the logical link. Link aggregation can also implement load
balancing on a trunk interface. This enables the trunk interface to disperse
traffic among its member interfaces, and then transmit the traffic over the
member links to the same destination, thus minimizing the likelihood of
network congestion.
Link aggregation is often applied in areas of the enterprise network where high
speed connectivity and the potential for congestion is likely to occur. This
generally equates to the core network where responsibility for high speed
switching resides, and where traffic from all parts of the enterprise network
generally congregates before being forwarded to destinations either in other
parts of the network, or remote destinations beyond the boundaries of the
enterprise network. The example demonstrates how core switches (SWA &
SWB) support link aggregation over member links that interconnect the two
core switch devices, as a means of ensuring that congestion does not build at
a critical point in the network.
Link aggregation supports two modes of implementation, a manual load
balancing mode and static LACP mode. In load balancing mode, member
interfaces are manually added to a link aggregation group (LAG). All of the
interfaces configured with load balancing are set in a forwarding state. The
AR2200 can perform load balancing based on destination MAC addresses,
source MAC addresses, exclusive-OR of the source and destination MAC
addresses, source IP addresses, destination IP addresses, or Exclusive-OR of
source and destination IP addresses. The manual load balancing mode does
not use the Link Aggregation Control Protocol (LACP), therefore the AR2200
can use this mode if the peer device does not support LACP.
In static LACP mode, devices at two ends of a link negotiate aggregation
parameters by exchanging LACP packets. After the negotiation is complete,
the two devices determine the active interface and the inactive interface. In
this mode, it is necessary to manually create an Eth-Trunk and add members
to it. LACP negotiation determines which interfaces are active and which ones
are inactive. The static LACP mode is also referred to as M:N mode, where M
signifies the active member links which forward data in a load balancing mode,
and N represents those links inactive but providing redundancy. If an active
link fails, data forwarding is switched to the backup link with the highest
priority, and the status of the backup link changes to active. The main
difference between the two modes is that in static LACP mode some links may
function as backup links, whereas in manual load balancing mode all member
interfaces work in a forwarding state.
As a logical interface for binding multiple physical interfaces and relaying
upper-layer data, a trunk interface must ensure that all parameters of the
physical interfaces (member interfaces) on both ends of the trunk link be
consistent. This includes the number of physical interfaces, the transmission
rates and duplex modes of the physical interfaces, and the traffic-control
modes of the physical interfaces, for which it should be noted that member
interfaces can be layer 2 or layer 3 interfaces. Where the interface speed is
not consistent, it is still possible for the trunk link to operate, however the
interfaces operating at a lower rate are likely to experience loss of frames.
In addition, the sequence of the data flow must be unchanged. A data flow can
be considered as a group of frames with the same MAC address and IP
address. For example, the telnet or FTP connection between two devices can
be considered as a data flow. If the trunk interface is not configured, frames
that belong to a data flow can still reach their destination in the correct order
because data flows are transmitted over a single physical link. When the trunk
technology is used, multiple physical links are bound to the same trunk link,
and frames are transmitted along these physical links. If the first frame is
transmitted over one physical link, and the second frame is transmitted over
another physical link, it is possible that the second frame may reach the
destination earlier than the first frame.
To prevent the disorder of frames, a frame forwarding mechanism is used to
ensure that frames in the same data flow reach the destination in the correct
sequence. This mechanism differentiates data flows based on their MAC
addresses or IP addresses. In this manner, frames belonging to the same data
flow are transmitted over the same physical link. After the frame forwarding
mechanism is used, frames are transmitted based on the following rules:
Frames with the same source MAC addresses are transmitted over the same physical link.
Frames with the same destination MAC addresses are transmitted over the same physical link.
Frames with the same source IP addresses are transmitted over the same physical link.
Frames with the same destination IP addresses are transmitted over the same physical link.
Frames with the same source and destination MAC addresses are transmitted over the same
physical link.
Frames with the same source and destination IP addresses are transmitted over the same
physical link.
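The following is an added model, not VRP code from the course, that ties the two preceding topics together: the manual and static LACP (M:N) member selection with failover to the highest-priority backup, and the per-flow hash that keeps every frame of one data flow on one physical link so that ordering is preserved. The member names, the "lower priority value wins" convention and the CRC-based hash are assumptions made for the illustration; the eight-member limit and the 0 to 63 trunk-id range are taken from the text.

```python
"""Added Eth-Trunk model: active/backup members and per-flow link selection."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress
import zlib

# The six load-balancing policies the text lists for the AR2200.
HASH_POLICIES = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' or '0011-2233-4455' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Member:
    name: str
    priority: int = 32768   # assumption for this model: lower value is preferred
    up: bool = True


@dataclass
class EthTrunk:
    trunk_id: int
    mode: str = "manual"            # "manual": all up links forward; "static-lacp": M:N
    max_active: int = 8             # M in static LACP mode; ignored in manual mode
    hash_policy: str = "src-dst-mac"
    members: List[Member] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.trunk_id <= 63:
            raise ValueError("trunk-id must be an integer from 0 through 63")
        if self.hash_policy not in HASH_POLICIES:
            raise ValueError(f"unknown hash policy {self.hash_policy}")

    def add_member(self, m: Member) -> None:
        if len(self.members) >= 8:
            raise ValueError("an Eth-Trunk supports a maximum of eight member interfaces")
        if any(x.name == m.name for x in self.members):
            raise ValueError(f"{m.name} is already a member of Eth-Trunk {self.trunk_id}")
        self.members.append(m)

    def _up_sorted(self) -> List[Member]:
        # Best priority first; the name breaks ties deterministically.
        return sorted((m for m in self.members if m.up), key=lambda m: (m.priority, m.name))

    def active_members(self) -> List[str]:
        """Manual mode: every up member forwards. Static LACP: only the M best do."""
        up = self._up_sorted()
        if self.mode == "static-lacp":
            up = up[: self.max_active]
        return [m.name for m in up]

    def backup_members(self) -> List[str]:
        """The N links that carry no data until an active link fails."""
        if self.mode != "static-lacp":
            return []
        return [m.name for m in self._up_sorted()[self.max_active:]]

    def set_link_state(self, name: str, up: bool) -> None:
        for m in self.members:
            if m.name == name:
                m.up = up
                return
        raise KeyError(name)

    def flow_key(self, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
        """The header fields the configured policy hashes on; same key, same link."""
        smac, dmac = mac_bytes(src_mac), mac_bytes(dst_mac)
        sip, dip = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
        return {
            "src-mac": smac, "dst-mac": dmac, "src-dst-mac": xor_bytes(smac, dmac),
            "src-ip": sip, "dst-ip": dip, "src-dst-ip": xor_bytes(sip, dip),
        }[self.hash_policy]

    def select_link(self, src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> Optional[str]:
        """Member link a frame is sent on; None means no active link (trunk down)."""
        active = self.active_members()
        if not active:
            return None
        return active[zlib.crc32(self.flow_key(src_mac, dst_mac, src_ip, dst_ip)) % len(active)]


if __name__ == "__main__":
    # Constructed scenario: four members, static LACP with M=2, then GE0/0/1 fails.
    t = EthTrunk(trunk_id=1, mode="static-lacp", max_active=2)
    for name, prio in (("GE0/0/1", 100), ("GE0/0/2", 100), ("GE0/0/3", 200), ("GE0/0/4", 300)):
        t.add_member(Member(name, prio))
    print("active:", t.active_members(), "backup:", t.backup_members())
    print("flow ->", t.select_link("0011-2233-4455", "00e0-fc12-3456", "10.0.1.10", "10.0.2.20"))
    t.set_link_state("GE0/0/1", False)
    print("after failure, active:", t.active_members(), "backup:", t.backup_members())
```

Because the exclusive-OR policies are symmetric, both directions of one conversation hash to the same member link, which is what keeps a telnet or FTP session's frames in order; a failure of an active link promotes the highest-priority backup and the remaining flows are redistributed over the new active set.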
Establishment of Link Aggregation is achieved using the interface Eth-trunk
<trunk-id> command. This command creates an Eth-Trunk interface and
allows for the Eth-Trunk interface view to be accessed. The trunk-id is a value
used to uniquely identify the Eth-trunk, and can be any integer value from 0
through to 63. If the specified Eth-Trunk already exists, it is possible to directly
enter the Eth-Trunk interface view by using the interface Eth-trunk command.
An Eth-Trunk can only be deleted if the Eth-Trunk does not contain any
member interfaces. When adding an interface to an Eth-Trunk, member
interfaces of a layer 2 Eth-Trunk must be layer 2 interfaces, and member
interfaces of a layer 3 Eth-Trunk must be layer 3 interfaces. An Eth-Trunk can
support a maximum of eight member interfaces. A member interface cannot
have any service or static MAC address configured. Interfaces added to an
Eth-Trunk should be hybrid interfaces (the default interface type). An Eth-
Trunk interface cannot have other Eth-Trunk interfaces as member interfaces.
An Ethernet interface can be added to only one Eth-trunk interface.
To add the Ethernet interface to another Eth-trunk, the Ethernet interface must
be deleted from the current Eth-Trunk first. Member interfaces of an Eth-trunk
must be the same type, for example, a Fast Ethernet interface and a Gigabit
Ethernet interface cannot be added to the same Eth-trunk interface. The peer
interface directly connected to a member interface of the local Eth-Trunk must
also be added to an Eth-Trunk, otherwise the two ends cannot communicate.
When member interfaces have different rates, the interfaces with lower rates
may become congested and packet loss may occur. After an interface is
added to an Eth-Trunk, MAC address learning is performed by the Eth-Trunk
rather than the member interfaces.
In order to configure layer 3 Link Aggregation on an Ethernet trunk link, it is
necessary to transition the trunk from layer 2 to layer 3 using the undo
portswitch command under the Eth-trunk logical interface. Once the undo
portswitch command has been performed, an IP address can be assigned to
the logical interface and the physical member interfaces that are to be
associated with the Ethernet trunk link can be added.
Using the display interface eth-trunk <trunk-id> command it is possible to
confirm the successful implementation of Link Aggregation between the two
peering devices. The command can also be used to collect traffic statistics
and locate faults on the interface.
The current state of the Eth-trunk is set to UP, signaling that the interface is
operating normally. Where the interface shows as down, this signals that an
error has occurred at the physical layer, whereas an administratively down
state reflects that the shutdown command has been used on the interface. The
specific error in the event of a failure can be discovered by verifying the status
of the ports, for which all ports are expected to show an UP status. Load
balancing is supported when the weight of all links is considered equal.
1. A Fast Ethernet interface and a Gigabit Ethernet interface cannot be
added to the same Eth-trunk interface; any attempt to establish member
links of different types will result in an error specifying that the trunk has
added a member of another port-type. It should be noted that the S5700
series switch supports Gigabit Ethernet interfaces only, however this
behavior also applies to other models including the S3700 switch.
2. Only the LACP mode is capable of supporting backup member links and
therefore should be used if backup links are required.
As local networks expand, traffic increases and broadcasts become more
common. There are no real boundaries within such an expanding network,
causing interrupts and growing traffic utilization to occur. Traditionally, the
alternative option was to implement a layer three device within the local
network to generate broadcast domains, however in doing so additional
expense was incurred and the forwarding behavior of such devices did not
provide as efficient throughput as found with switches, leading to bottlenecks
at transit points between broadcast domains.
The principle of VLAN technology was introduced that enabled traffic isolation
at the data link layer. VLAN technology has the added advantage of traffic
isolation without the limitation of physical boundaries. Users can be physically
dispersed but still be associated as part of a single broadcast domain, logically
isolating users from other user groups at the data link layer. Today VLAN
technology is applied as a solution to a variety of challenges.
VLAN frames are identified using a tag header which is inserted into the
Ethernet frame as a means of distinguishing a frame associated with one
VLAN from frames of another. The VLAN tag format contains a Tag Protocol
Identifier (TPID) and associated Tag Control Information (TCI). The TPID is
used to identify the frame as a tagged frame, which currently only refers to the
IEEE 802.1Q tag format, for which a value of 0x8100 is used to identify this
format. The TCI contains fields that are associated with the tag format type.
The Priority Code Point (PCP) is a form of traffic classification field that is
used to differentiate one form of traffic from another so as to prioritize traffic
generally based on a classification such as voice, video, data etc. This is
represented by a three bit value allowing a range from 0-7, and can be
understood based on general 802.1p class of service (CoS) principles. The
Drop Eligibility Indicator (DEI) represents a single bit value that exists in either
a True or False state, to determine the eligibility of a frame for discarding in the
event of congestion.
The VLAN ID indicates the VLAN with which the frame is associated,
represented as a 12 bit value. VLAN ID values range from 0x000 through to
0xFFF, of which the lowest and highest values are reserved, allowing
4094 possible VLANs. The Huawei VRP implementation of VLANs
uses VLAN 1 as the default VLAN (PVID), based on the IEEE 802.1Q standard.
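As an added illustration of the tag layout just described (this is not code from the course), the example below builds and decodes the four-byte 802.1Q tag: the TPID 0x8100 followed by the TCI, whose three high bits are the PCP, next bit the DEI, and low twelve bits the VLAN ID. The sample MAC addresses and the all-zero payload are constructed for the example; a monitoring or inspection tool that classifies frames by VLAN needs exactly this decode, including the checks for a truncated tag and for the two reserved VLAN IDs.

```python
"""Added example: build and parse an IEEE 802.1Q tag (TPID + TCI)."""
import struct

TPID_8021Q = 0x8100
VID_RESERVED = (0x000, 0xFFF)    # reserved at both ends of the range: 4094 usable VLANs


def usable_vid(vid: int) -> bool:
    """True for the 4094 VLAN IDs a frame may legitimately be assigned to."""
    return 0 <= vid <= 0xFFF and vid not in VID_RESERVED


def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack PCP (3 bits), DEI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field (0-7)")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    if not usable_vid(vid):
        raise ValueError(f"VID {vid:#05x} is out of range or reserved")
    return (pcp << 13) | (dei << 12) | vid


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC of an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei))
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header; tagged frames yield pcp/dei/vid and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6].hex("-"), frame[6:12].hex("-")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": inner, "payload": frame[18:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does before handing a frame to a host."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed frame: dst 00e0-fc12-3456, src 0011-2233-4455, IPv4 EtherType, zero payload.
    untagged = bytes.fromhex("00e0fc123456") + bytes.fromhex("001122334455") + b"\x08\x00" + bytes(20)
    tagged = tag_frame(untagged, vid=10, pcp=5, dei=1)
    print(tagged[12:16].hex(), parse_frame(tagged))
```

A parsed frame whose inner EtherType is again 0x8100 carries a second tag (stacked tags); the decoder above reports only the outer one, so a caller that must see the customer VLAN has to parse the payload once more rather than trust the first VID.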
VLAN links can be classified into two types, an access link type and a trunk
link type. The access link refers to the link between an end system and a
switch device participating in VLAN tagging; the links between host terminals
and switches are all access links. A trunk link refers to a link over which
VLAN tagged frames are likely to be carried. The links between switches are
generally understood to be trunk links.
Each interface of a device participating in VLAN tagging will be associated
with a VLAN. The default VLAN for the interface is recognized as the Port
VLAN ID (PVID). This value determines the behavior that is applied to any
frames being received or transmitted over the interface.
Access ports associate with access links, and frames that are received will be
assigned a VLAN tag that is equal to the Port VLAN ID (PVID) of the interface.
Frames being transmitted from an interface will typically have the VLAN tag
removed before forwarding to an end system that is not VLAN aware. If the tag
and the PVID differ however, the frame will not be forwarded and is discarded.
In the example an untagged frame is forwarded to the interface of the switch,
and is to be forwarded on to all other destinations.
Upon receiving the frame, the switch will associate the frame with VLAN 10
based on the PVID of the interface. The switch is able to identify at the port
interface the PVID and make a decision as to whether the frame can be
forwarded. In the case of Host C the PVID matches the VLAN ID in the VLAN
tag, for which the tag is removed and the frame forwarded. For Host B
however the frame and the PVID differ, and therefore the frame is restricted
from being forwarded to this destination.
For trunk ports that are associated with trunk links, the Port VLAN ID (PVID)
will identify which VLAN frames are required to carry a VLAN tag before
forwarding, and which are not. The example demonstrates a trunk interface
assigned with a PVID of 10, for which it should be assumed that all VLANs are
permitted to traverse the trunk link. Only frames associated with VLAN 10 will
be forwarded without the VLAN tag, based on the PVID. For all other VLAN
frames, a VLAN tag must be included with the frame and be permitted by the
port before the frame can be transmitted over the trunk link. Frames
associated with VLAN 20 are carried as tagged frames over the trunk link.
Hybrid represents the default port type for Huawei devices supporting VLAN
operation and provides a means of managing the tag switching process for all
interfaces. Each port can be considered as either a tagged port or an untagged
port: ports which operate as access ports are untagged, and ports which operate
as trunk ports are tagged.
Ports which are considered untagged will generally receive untagged frames
from end systems, and be responsible for adding a tag to the frame based on
the Port VLAN ID (PVID) of the port. One of the key differences is in the hybrid
port’s ability to selectively perform the removal of VLAN tags from frames that
differ from the PVID of the port interface. In the example, Host D is connected
to a port which specifies a Port VLAN ID of 20, whilst at the same time is
configured to allow for the removal of the tag from frames received from VLAN
10, thereby allowing Host D to receive traffic from both VLANs 10 & 20.
Hybrid ports that are tagged operate in a similar manner to a regular trunk
interface, however one major difference exists: VLAN frames that both match
the PVID and are permitted by the port will continue to be tagged when
forwarded.
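The receive and transmit rules for the three port link types, as an added example that is not part of the course material: a small Python model of access, trunk and hybrid ports that traces the Host B / Host C / Host D cases above. Host names, VLAN numbers and the port layout follow the slides; the class layout and the flooding behaviour of forward() are assumptions of this example.

```python
"""Added example (not code from the Huawei course): a small model of how
access, trunk and hybrid ports treat frames on receipt and on transmission,
built from the PVID rules described above. Host names, VLAN numbers and the
port layout follow the slide examples; the class layout is this example's own."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None means the frame carries no 802.1Q tag


@dataclass
class Port:
    name: str
    link_type: str               # "access", "trunk" or "hybrid"
    pvid: int = 1                # every port belongs to VLAN 1 by default
    allowed: Set[int] = field(default_factory=lambda: {1})  # trunk allow-pass list
    untagged: Set[int] = field(default_factory=set)         # hybrid untagged VLANs
    tagged: Set[int] = field(default_factory=set)           # hybrid tagged VLANs


def ingress(port: Port, frame: Frame) -> Optional[Frame]:
    """Receive rule: an untagged frame is associated with the port's PVID; a
    tagged frame is kept only if the port carries that VLAN. None = discarded."""
    if frame.vlan is None:
        frame = Frame(frame.src, frame.dst, port.pvid)
    if port.link_type == "access":
        accepted = frame.vlan == port.pvid
    elif port.link_type == "trunk":
        # the PVID must itself be in the allow-pass list for untagged traffic
        accepted = frame.vlan in port.allowed
    else:
        accepted = frame.vlan in (port.untagged | port.tagged)
    return frame if accepted else None


def egress(port: Port, frame: Frame) -> Optional[Frame]:
    """Transmit rule: returns the frame as it appears on the wire (vlan=None
    when the tag is stripped) or None when the port does not forward it."""
    vid = frame.vlan
    if port.link_type == "access":
        # Host C: tag equals PVID, tag removed. Host B: tag differs, discarded.
        return Frame(frame.src, frame.dst, None) if vid == port.pvid else None
    if port.link_type == "trunk":
        if vid not in port.allowed:
            return None          # VLAN not permitted over the trunk link
        # only the PVID VLAN leaves the trunk untagged; all others keep the tag
        return Frame(frame.src, frame.dst, None if vid == port.pvid else vid)
    # hybrid: VLANs in the untagged set lose their tag even when they differ
    # from the PVID (how Host D receives VLAN 10 and VLAN 20); VLANs in the
    # tagged set keep the tag, PVID included
    if vid in port.untagged:
        return Frame(frame.src, frame.dst, None)
    if vid in port.tagged:
        return Frame(frame.src, frame.dst, vid)
    return None


def forward(ports: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Optional[Frame]]:
    """Flood a frame received on in_port to every other port and report what
    each port transmits (a real switch would also consult its MAC table)."""
    tagged = ingress(ports[in_port], frame)
    if tagged is None:
        return {name: None for name in ports if name != in_port}
    return {name: egress(p, tagged) for name, p in ports.items() if name != in_port}


# Constructed topology following the slides: Hosts A and C in VLAN 10 on access
# ports, Host B in VLAN 20, a trunk with PVID 10 carrying all VLANs, and Host D
# on a hybrid port (PVID 20) that strips the tag for both VLAN 10 and VLAN 20.
SWITCH = {
    "HostA": Port("HostA", "access", pvid=10),
    "HostB": Port("HostB", "access", pvid=20),
    "HostC": Port("HostC", "access", pvid=10),
    "Trunk": Port("Trunk", "trunk", pvid=10, allowed=set(range(1, 4095))),
    "HostD": Port("HostD", "hybrid", pvid=20, untagged={10, 20}),
}


def demo() -> Dict[str, object]:
    """Untagged frame from Host A: returns, per port, the VLAN tag on the wire
    (None = sent untagged) or the string 'dropped'."""
    out = forward(SWITCH, "HostA", Frame("hostA", "ff:ff:ff:ff:ff:ff"))
    return {name: ("dropped" if f is None else f.vlan) for name, f in out.items()}


if __name__ == "__main__":
    print(demo())
```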
VLAN assignment can be implemented based on one of five different methods,
including Port based, MAC based, IP Subnet based, Protocol based and
Policy based implementations. The port based method represents the default
and most common method for VLAN assignment. Using this method, VLANs
are classified based on the port numbers on a switching device. The network
administrator configures a Port VLAN ID (PVID), representing the default
VLAN ID for each port on the switching device. When a data frame reaches a
port, it is marked with the PVID if the data frame carries no VLAN tag and the
port is configured with a PVID. If the data frame carries a VLAN tag, the
switching device will not add a VLAN tag to the data frame even if the port is
configured with a PVID.
Using the MAC address assignment method, VLANs are classified based on
the MAC addresses of network interface cards (NICs). The network
administrator configures the mappings between MAC addresses and VLAN
IDs. In this case, when a switching device receives an untagged frame, it
searches the MAC-VLAN table for a VLAN tag to be added to the frame
according to the MAC address of the frame. For IP subnet based assignment,
upon receiving an untagged frame, the switching device adds a VLAN tag to
the frame based on the IP address of the packet header.
Where VLAN classification is based on protocol, VLAN IDs are allocated to
packets received on an interface according to the protocol (suite) type and
encapsulation format of the packets. The network administrator configures the
mappings between types of protocols and VLAN IDs. The Policy based
assignment implements a combination of criteria for assignment of the VLAN
tag, including the IP subnet, port and MAC address, in which all criteria must
match before the VLAN is assigned.
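The five assignment methods applied to an untagged frame, as an added example that is not part of the course material. The lookup order used here (policy first, then MAC, IP subnet, protocol, and finally the port PVID) and the table contents are assumptions of this example; the rule that a frame already carrying a tag is left untouched comes from the text above.

```python
"""Added example (not course code): ingress VLAN assignment for an untagged
frame using the port, MAC, IP subnet, protocol and policy based methods. The
lookup order (policy, MAC, subnet, protocol, then the port PVID) is an
assumption of this example; the table contents are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class IngressFrame:
    port: str
    src_mac: str
    ethertype: int                 # e.g. 0x0800 IPv4, 0x86DD IPv6, 0x0806 ARP
    src_ip: Optional[str] = None   # None when the payload is not IP
    vlan: Optional[int] = None     # set when the frame already carries a tag


@dataclass
class VlanTable:
    pvid: Dict[str, int]                                         # port based
    mac_vlan: Dict[str, int] = field(default_factory=dict)       # MAC based
    subnet_vlan: Dict[str, int] = field(default_factory=dict)    # IP subnet based
    protocol_vlan: Dict[int, int] = field(default_factory=dict)  # protocol based
    # policy based: (port, MAC, subnet, VLAN); every criterion must match
    policy_vlan: List[Tuple[str, str, str, int]] = field(default_factory=list)


def _in_subnet(ip: Optional[str], subnet: str) -> bool:
    return ip is not None and ip_address(ip) in ip_network(subnet)


def assign_vlan(table: VlanTable, frame: IngressFrame) -> Tuple[int, str]:
    """Return (VLAN ID, method used). A frame that already carries a tag is
    left alone: the switch adds no tag even though the port has a PVID."""
    if frame.vlan is not None:
        return frame.vlan, "tagged"
    mac = frame.src_mac.lower()
    for port, p_mac, subnet, vlan in table.policy_vlan:
        if frame.port == port and mac == p_mac.lower() and _in_subnet(frame.src_ip, subnet):
            return vlan, "policy"
    if mac in table.mac_vlan:
        return table.mac_vlan[mac], "mac"
    for subnet, vlan in table.subnet_vlan.items():
        if _in_subnet(frame.src_ip, subnet):
            return vlan, "subnet"
    if frame.ethertype in table.protocol_vlan:
        return table.protocol_vlan[frame.ethertype], "protocol"
    return table.pvid[frame.port], "port"


# Constructed table: port PVIDs, one device pinned by MAC, a subnet mapping,
# IPv6 traffic separated by protocol, and one policy entry with three criteria.
TABLE = VlanTable(
    pvid={"GE0/0/1": 10, "GE0/0/2": 20},
    mac_vlan={"00:11:22:33:44:55": 30},
    subnet_vlan={"192.168.3.0/24": 3},
    protocol_vlan={0x86DD: 40},
    policy_vlan=[("GE0/0/2", "aa:bb:cc:dd:ee:ff", "192.168.2.0/24", 50)],
)
```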
The implementation of VLANs begins with the creation of the VLAN on the
switch. The vlan <vlan-id> command is used to create the VLAN on the switch,
which can be understood to exist once the user enters the VLAN view for the
given VLAN, as demonstrated in the configuration example. The VLAN ID ranges
from 1 to 4094. Where it is necessary to create multiple VLANs on a switch, the
vlan batch <vlan-id1> to <vlan-id2> command can be used where a contiguous
VLAN range needs to be created, and the vlan batch &<1-4094> command where
"&" represents a space separating non-contiguous VLAN IDs or ranges. All ports
are associated with VLAN 1 as the default VLAN by default, and therefore
forwarding is unrestricted.
Once the VLANs have been created, the creation can be verified using the
display vlan command. The command allows information about VLANs to be
displayed, and if no parameter is specified, brief information about all
VLANs is shown. Additional parameters include the display vlan <vlan-id>
verbose command, used to display detailed information about a specified
VLAN, including the ID, type, description, and status of the VLAN, the status
of the traffic statistics function, the interfaces in the VLAN, and the mode in
which the interfaces are added to the VLAN. The display vlan <vlan-id>
statistics command allows traffic statistics on the interfaces of a specified
VLAN to be viewed. The display vlan summary command provides a summary of all
VLANs in the system.
The configuration of the port link type is performed in the interface view for
each interface on a VLAN active switch. The default port link type on Huawei
switch devices is hybrid. The port link-type <type> command is used to
configure the port link type of the interface where the type can be set as
access, trunk or hybrid. A fourth QinQ option exists but is considered outside
of the scope of this course. It should also be noted that in the displayed
configuration if no port type is displayed, the default hybrid port link type is
configured. Prior to changing the interface type, it is also necessary to restore
the default VLAN configuration of the interface so that the interface belongs to
only the default VLAN 1.
The association of a port with a created VLAN can be achieved using two
configuration methods. The first of these is to enter the VLAN view and
associate the interface with the VLAN using the port <interface> command. The
second means of assigning ports to VLANs involves entering the interface view
for the interface to be added to a VLAN and applying the port default vlan
<vlan-id> command, where vlan-id refers to the VLAN to which the port is to be
added.
The display vlan command can be used to verify the changes made to the
configuration and confirm the association of port interfaces with the VLANs to
which the ports have been assigned. In the display example port interfaces
Gigabit Ethernet 0/0/5 and Gigabit Ethernet 0/0/7 can be identified as being
associated with VLANs 2 and 3 respectively. The UT value identifies that the
port is considered untagged either through assigning of the port link type as an
access port or as an untagged hybrid port. The current state of the link can
also be determined as either up (U) or down (D).
The assigning of the port link type of trunk interfaces enables the trunk to
support the forwarding of VLAN frames for multiple VLANs between switches,
however in order for frames to be carried over the trunk interface, permissions
must be applied. The port trunk allow-pass vlan <vlan-id> command is used to
set the permission for each VLAN, where vlan-id refers to the VLANs to be
permitted. It is also necessary that the PVID for the trunk interface be included
in the command to enable untagged traffic to be carried over the trunk link.
The example demonstrates the changing of the default Port VLAN ID (PVID)
for the interface to 10 and the applying of permission for VLANs 2 and 3 over
the trunk link. In this case, any frames associated with VLAN 10 will not be
carried over the trunk even though VLAN 10 is now the default VLAN for the
trunk port. The command port trunk allow-pass vlan all can be used to allow all
VLANs to traverse the trunk link.
The changes to the VLAN permissions can again be monitored through the
display vlan command, for which the application of VLANs over the trunk link
are reflected. The TG value identifies that VLANs have been associated with a
tagged interface either over a trunk or tagged hybrid port interface. In the
display example, VLANs 2 and 3 have been given permission to traverse the
tagged interface Gigabit Ethernet 0/0/1, an interface that is currently active.
Hybrid represents the default port type on switch port interfaces, and
therefore the port link-type hybrid command is generally only necessary when
converting the port link type from an access or a trunk port link type. Each
port however may need to be associated with a default Port VLAN ID (PVID) for
which frames are required to be either tagged or untagged. The port hybrid
pvid vlan <vlan-id> command enables the default PVID to be assigned on a port
by port basis, following which it is also necessary to define the forwarding
behavior for a given port.
For ports that are to operate as access ports, this is achieved using the port
hybrid untagged vlan <vlan-id> command. It should be clearly noted that using
this command multiple times under the same interface view results in the
interface being associated with all VLANs specified, with the associated
VLAN frames being untagged before forwarding. The undo port hybrid vlan
command can be used to restore the default VLAN setting of VLAN 1 and return
to the default untagged mode.
For ports that are to operate as trunk ports, the port hybrid tagged vlan <vlan-
id> command is used. It should be clearly noted that the use of this command
multiple times under the same interface view shall result in the interface being
associated with all VLANs specified, with the associated VLAN frames being
tagged before forwarding. In the example the hybrid port interface Gigabit
Ethernet 0/0/1 is expected to tag all frames that are associated with VLANs 2
and 3 before such frames are forwarded over the interface.
Through the display vlan command, the results of the tagged and untagged
hybrid port configuration can be verified. Interface Gigabit Ethernet 0/0/7 has
been established as a VLAN 2 untagged interface, while interface Gigabit
Ethernet 0/0/5 has been established as an untagged interface associated with
VLAN 3. In terms of both VLAN 2 and VLAN 3, frames associated with either
VLAN will be carried as a tagged frame over interface Gigabit Ethernet 0/0/1.
Switch port interfaces can use the port hybrid untagged vlan <vlan-id> [to
<vlan-id>] command to apply the untagged behavior on a port interface for
multiple VLANs in a single batch command. This behavior enables hybrid
interfaces to permit the untagged forwarding of traffic from multiple VLANs to a
given end system. All traffic forwarded from the end system is associated with
the PVID assigned to the port and tagged accordingly.
The command port hybrid untagged vlan 2 to 3 on interface Gigabit Ethernet
0/0/4 results in the interface applying untagged behavior to both VLAN 2 and
VLAN 3. This means that any traffic forwarded from a host associated with
either VLAN, to an end system associated with interface Gigabit Ethernet
0/0/4, can be successfully received.
The growth of IP convergence has seen the integration of multiple
technologies, allowing High Speed Internet (HSI) services, Voice over IP
(VoIP) services, and Internet Protocol Television (IPTV) services to be
transmitted over a common Ethernet and TCP/IP network. These technologies
originate from networks with different forwarding behavior. VoIP originates
from circuit switched network technologies, which involve the establishment of
a fixed circuit between the source and destination, over which a dedicated path
is created, ensuring that voice signals arrive with little delay and in
first-in-first-out signal order.
High Speed Internet operates in a packet switched network involving
contention, and packet forwarding with no guarantee of orderly delivery for
which packet re-sequencing is often necessary. Guaranteeing that
technologies originating from a circuit switched network concept are capable
of functioning over packet switched networks has brought about new
challenges. This challenge focuses on ensuring that the services are capable
of differentiating voice data from other data. The solution involves VoIP traffic
being isolated through different VLANs and being assigned a higher priority to
ensure voice quality throughput. Special voice VLANs can be configured on
the switch, which allows the switch to assign a pre-configured VLAN ID and a
higher priority to VoIP traffic.
Configuration of the voice VLAN involves the configuring of a specified VLAN
using the voice-vlan <vlan-id> enable command. The voice VLAN can be
associated with any VLAN between 2 and 4094. The voice-vlan mode <mode>
command specifies the working mode, by which a port interface is added to a
voice VLAN. This is set by default to occur automatically however can be also
achieved manually. The voice-vlan mac-address <mac-address> mask
<mask> command allows voice packets originating from an IP phone to be
identified and associated with the voice VLAN, based on the Organizationally
Unique Identifier (OUI), to ultimately allow a higher priority to be given to voice
traffic.
The display voice-vlan status command allows voice VLAN information to be
viewed, including the status, security mode, aging time, and the interface on
which the voice VLAN function is enabled. The status determines whether the
voice VLAN is currently enabled or disabled. The security-mode can exist in
one of two modes, either normal or security. The normal mode allows the
interface enabled with voice VLAN to transmit both voice data and service
data, but remains vulnerable to attacks by invalid packets. It is generally used
when multiple services (HSI, VoIP, and IPTV) are transmitted to a Layer 2
network through one interface, and the interface transmits both voice data and
service data. The security mode applied on an interface enabled with voice
VLAN checks whether the source MAC address of each packet that enters the
voice VLAN matches the OUI. It is applied where the voice VLAN interface
transmits ONLY voice data. The security mode can protect the voice VLAN
against the attacks by invalid packets, however checking packets occupies
certain system resources.
The Legacy option determines whether the interface can communicate with
voice devices of other vendors, where an enabled interface permits this
communication. The Add-Mode determines the working mode of the voice
VLAN. In auto voice VLAN mode, an interface can be automatically added to
the voice VLAN after the voice VLAN function is enabled on the interface, and
adds the interface connected to a voice device to the voice VLAN if the source
MAC address of packets sent from the voice device matches the OUI. The
interface is automatically deleted if the interface does not receive any voice
data packets from the voice device within the aging time. In manual voice
VLAN mode, an interface must be added to the voice VLAN manually after the
voice VLAN function is enabled on the interface.
1. The PVID on a trunk link defines only the tagging behavior that will be
applied at the trunk interface. If the port trunk allow-pass vlan 2 3
command is used, only frames associated with VLAN 2 and VLAN 3 will
be forwarded over the trunk link.
2. An access port configured with a PVID of 2 will tag all received untagged
frames with a VLAN 2 tag. This will be used by the switch to determine
whether a frame can be forwarded via other access interfaces or carried
over a trunk link.
The Generic Attribute Registration Protocol (GARP) is the architecture on
which the registration, deregistration and propagation of attributes between
switches is enabled. GARP is not an entity in itself but instead is employed by
GARP applications such as GVRP to provide a shell on which the rules for
operation are supported. Interfaces that are associated with GARP
applications are considered to be GARP participants.
The primary application for GARP exists in allowing greater efficiency in the
management of multiple switches in medium to large networks. In general the
maintenance of multiple switches can become a huge burden on
administrators when system configuration details for example need to be
manually applied to each active switch. GARP helps to automate this process
for any applications that are able to employ this capability. GARP generally
relies on the spanning tree protocol to define an active topology for
propagation, however the GVRP protocol can run only in the realm of the
Common and Internal Spanning Tree (CIST).
PDUs are sent from a GARP participant and use multicast MAC address 01-
80-C2-00-00-21 as the destination MAC address. When a device receives a
packet from a GARP participant, the device identifies the packet according to
the destination MAC address of the packet and sends the packet to the
corresponding GARP participant (such as GVRP). GARP uses messages
within the PDU to define attributes that are identified based on an attribute
type field and an attribute list.
The list contains multiple attributes for the specific attribute type and each
attribute is described through attribute length, event and value fields. The
length of the attribute can be anywhere from 2 to 255 bytes, the value
specifies a particular value for the attribute and the event may be one of a
number of specific events that the GARP supports represented by a value.
These events include, 0: LeaveAll event, 1: JoinEmpty event, 2: JoinIn event,
3: LeaveEmpty event, 4: LeaveIn event, and 5: Empty event.
When a GARP participant expects other devices to register its attributes, it
sends Join messages to other devices. When a GARP participant receives a
Join message from another participant, or is statically configured with
attributes, it sends Join messages to other devices to allow the devices to
register the new attributes. Join messages are classified into JoinEmpty
messages and JoinIn messages. JoinEmpty are used to declare an
unregistered attribute, whereas JoinIn messages are used to declare a
registered attribute.
Leave messages are used when a GARP participant expects other devices to
deregister its attributes; it then sends Leave messages to other devices. When
a GARP participant receives a Leave message from another participant, or some
of its attributes are statically deregistered, it also sends Leave messages to
other devices. Leave messages are classified into LeaveEmpty messages and
LeaveIn messages. LeaveEmpty messages are used to deregister an
unregistered attribute, whereas LeaveIn messages deregister a registered
attribute.
Leave All messages are sent by a GARP participant when it wishes to request
that other GARP participants deregister all the attributes of the sender.
The Join, Leave, and Leave All messages are used to control registration and
deregistration of attributes. Through GARP messages, all attributes that need
to be registered are sent to all GARP-enabled devices on the same LAN.
GVRP is an application of GARP, and based on the working mechanism of
GARP, GVRP maintains dynamic VLAN registration information in a device
and propagates the registration information to other devices.
After GVRP is enabled on the switch, it can receive VLAN registration
information from other devices, and dynamically update local VLAN
registration information. VLAN registration information includes which VLAN
members are on the VLAN and through which interfaces their packets can be
sent to the switch. The switch can also send the local VLAN registration
information to other devices. Through exchanging VLAN registration
information, all devices on the same LAN maintain the same VLAN
information. The VLAN registration information transmitted through GVRP
contains both static local registration information that is manually configured
and dynamic registration information from other devices.
Registration can be achieved either statically or dynamically for a VLAN within
the device. A manually configured VLAN is a static VLAN, and a VLAN
created through GVRP is a dynamic VLAN. The way in which registration is
performed is dependent on the registration mode that has been configured.
There are three registration modes that can be set: normal, fixed and
forbidden.
In the normal registration mode, the GVRP interface can dynamically register
and deregister VLANs, and transmit both dynamic VLAN registration
information and static VLAN registration information.
In the fixed mode, the GVRP interface is restricted from dynamically
registering and deregistering VLANs and can transmit only the static
registration information. If the registration mode of a trunk interface is set to
fixed, the interface allows only the manually configured VLANs to pass, even if
it is configured to allow all VLANs to pass.
In the forbidden mode, the GVRP interface is disabled from dynamically
registering and deregistering VLANs and can transmit only information about
VLAN 1. If the registration mode of a trunk interface is set to forbidden, the
interface allows only VLAN 1 to pass even if it is configured to allow all VLANs
to pass.
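The GARP PDU layout described earlier (destination MAC 01-80-C2-00-00-21, an attribute type followed by length/event/value attributes) and the three GVRP registration modes, as one added example that is not part of the course material: a Python encoder and parser for GVRP PDUs and the registration rules applied to the decoded Join/Leave events. The LLC header, protocol ID and end marks follow IEEE 802.1D; the sample PDUs and VLAN sets are constructed.

```python
"""Added example (not course code): an encoder and parser for the GARP PDU
layout described above (destination MAC 01-80-C2-00-00-21, an attribute type
followed by a list of length/event/value attributes) plus the GVRP registration
rules for the normal, fixed and forbidden modes. The LLC header, protocol ID
and end marks follow IEEE 802.1D; the sample PDUs and VLAN sets are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

GARP_MAC = bytes.fromhex("0180c2000021")   # GARP multicast destination MAC
GARP_LLC = bytes([0x42, 0x42, 0x03])        # DSAP, SSAP, control
GARP_PROTOCOL_ID = b"\x00\x01"
GVRP_VID_ATTRIBUTE = 0x01                   # GVRP attribute type carrying a VLAN ID
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODES = {name: code for code, name in EVENTS.items()}


@dataclass
class Attribute:
    attr_type: int
    event: str
    value: bytes


def build_gvrp_pdu(src_mac: bytes, events: List[Tuple[str, int]]) -> bytes:
    """Encode one GVRP message from (event name, VLAN ID) pairs."""
    body = bytes([GVRP_VID_ATTRIBUTE])
    for name, vid in events:
        value = b"" if name == "LeaveAll" else vid.to_bytes(2, "big")
        # the length byte covers itself, the event byte and the value
        body += bytes([2 + len(value), EVENT_CODES[name]]) + value
    body += b"\x00"                          # end of the attribute list
    body += b"\x00"                          # end of the message list
    payload = GARP_LLC + GARP_PROTOCOL_ID + body
    return GARP_MAC + src_mac + len(payload).to_bytes(2, "big") + payload


def parse_garp_pdu(pdu: bytes) -> List[Attribute]:
    """Decode every attribute, checking the destination MAC, the protocol
    ID and the 2..255 byte attribute length rule."""
    if pdu[:6] != GARP_MAC:
        raise ValueError("not a GARP PDU: unexpected destination MAC")
    off = 6 + 6 + 2                          # skip destination, source, length
    if pdu[off:off + 3] != GARP_LLC or pdu[off + 3:off + 5] != GARP_PROTOCOL_ID:
        raise ValueError("unexpected LLC header or GARP protocol ID")
    off += 5
    attrs: List[Attribute] = []
    while off < len(pdu) and pdu[off] != 0x00:        # message list end mark
        attr_type = pdu[off]
        off += 1
        while off < len(pdu) and pdu[off] != 0x00:    # attribute list end mark
            length = pdu[off]
            if length < 2 or off + length > len(pdu):
                raise ValueError(f"bad attribute length {length} at offset {off}")
            event = pdu[off + 1]
            if event not in EVENTS:
                raise ValueError(f"unknown GARP event {event}")
            attrs.append(Attribute(attr_type, EVENTS[event], pdu[off + 2:off + length]))
            off += length
        off += 1
    return attrs


def gvrp_apply(mode: str, dynamic: Set[int], attrs: List[Attribute]) -> Set[int]:
    """Update an interface's dynamic VLAN registrations from received Join and
    Leave events. Only the normal mode registers or deregisters dynamically."""
    updated = set(dynamic)
    if mode != "normal":
        return updated
    for a in attrs:
        if a.attr_type != GVRP_VID_ATTRIBUTE:
            continue
        if a.event == "LeaveAll":            # sender asks peers to drop all its attributes
            updated.clear()
            continue
        vid = int.from_bytes(a.value, "big")
        if a.event in ("JoinEmpty", "JoinIn"):
            updated.add(vid)
        elif a.event in ("LeaveEmpty", "LeaveIn"):
            updated.discard(vid)
    return updated


def vlans_transmitted(mode: str, static: Set[int], dynamic: Set[int]) -> Set[int]:
    """VLANs whose registration information the interface transmits (and lets
    pass): normal = static + dynamic, fixed = static only, forbidden = VLAN 1."""
    if mode == "normal":
        return static | dynamic
    if mode == "fixed":
        return set(static)
    if mode == "forbidden":
        return {1}
    raise ValueError(f"unknown registration mode {mode!r}")
```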
The configuration of GVRP relies on the protocol attribute being firstly enabled
in the system-view before it can be applied at an interface-view. The
command gvrp is used to enable GVRP on the device. Once an interface has
been configured to operate as part of the VLAN, GVRP can be applied to the
interface using the gvrp command at the interface-view. The registration mode
can also be applied using the gvrp registration <mode> command where the
mode may be either normal, fixed, or forbidden. The registration mode is set
as normal by default.
Verifying the configuration for GVRP involves entering the display gvrp status
command. This will simply identify whether GVRP has been enabled on the
device. The display gvrp statistics command can provide a little more
information regarding the configuration for each interface (participant) that is
currently active in GVRP. From the example, it is possible to identify the
current status of GVRP on the interface and also the registration type that has
been defined in relation to the interface.
1. The normal registration mode is used by default.
2. The ports for the links between each of the devices supporting GVRP
must be established as VLAN trunk ports in order to allow the VLAN
information to be propagated.
The general principle of VLAN implementation is to isolate networks as a
means of minimizing the size of the existing broadcast domain, however in
doing so, many users are cut off from other users within other VLAN domains
and require that layer three (IP) communication be established in order for
those broadcast domains to re-establish communication through reachable
routes. The implementation of a layer three switch offers an ideal means for
supporting VLAN routing whilst reducing operating costs. One of the
constraints however of VLAN routing is the need for strict IP address
management.
Generally however the VLAN routing principle is applicable to small scale
networks on which users belong to different network segments and IP
addresses of users are seldom changed.
After VLANs are configured, the hosts in different VLANs are unable to directly
communicate with each other at Layer 2. It is therefore necessary to facilitate
the communication through the creation of routes between VLANs. There are
generally two main methods via which this is achieved, the first relies on the
implementation of a router connected to the layer 2 switch. VLAN
communication is then routed through the router before being forwarded to the
intended destination. This may be over separate physical links, which leads to
port wastage and extra link utilization, or via the same physical interface as
shown in the example.
The second method relies on the use of a layer 3 switch that is capable of
performing the operation of both the switch and the router in one single device
as a more cost effective mechanism.
In order to allow communication over a single trunk interface, it is necessary to
logically segment the physical link using sub-interfaces. Each sub-interface
represents a logical link for the forwarding of VLAN traffic before being routed
by the router via other logical sub-interfaces to other VLAN destinations. Each
sub-interface must be assigned an IP address in the same network segment
as the VLAN that it is created for as well as 802.1Q encapsulation to allow for
VLAN association as traffic is routed between VLANs.
It is also necessary to configure the type of the Ethernet port of the switch that
connects to the router as either a Trunk or Hybrid link type, and allow frames
of the associated VLANs (VLAN 2 & VLAN 3 in this case) to pass.
The trunk link between the switch and the router must be established for
support of traffic for multiple VLANs, through the port link-type trunk or port
link-type hybrid command as well as the port trunk allow-pass vlan 2 3 or port
hybrid vlan 2 3 command respectively. Once the trunk is established, the
VLAN sub-interfaces must be implemented to allow the logical forwarding of
traffic between VLANs over the trunk link.
The sub-interface on a router is defined in the interface view using the
interface <interface-type interface-number.sub-interface number> command
where the sub-interface number represents the logical interface channel within
the physical interface. The command dot1q termination vid <vlan-id> is used
to perform two specific functions. Where a port receives a VLAN packet, it will
initially remove the VLAN tag from the frame and forward this packet via layer
three routing.
For packets being sent out, the port adds a tag to the frame before sending it
out, in accordance with the respective VLAN and IP settings for the router’s
logical interface. Finally the arp-broadcast enable command is applied to each
logical interface. This is necessary as the capability for ARP to broadcast on
sub-interfaces is not enabled by default. If ARP broadcasts remain disabled on
the sub-interface, the router will directly discard packets. The route to the sub-
interface generally is considered as a blackhole route in these cases since the
packet is effectively lost without a trace. If ARP broadcasts are enabled on the
sub-interface, the system is able to construct a tagged ARP broadcast packet
and send the packet from the sub-interface.
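The two functions of dot1q termination vid (tag removed on receipt, tag added on transmission) and the effect of leaving ARP broadcast disabled on a sub-interface, as an added example that is not part of the course material: a Python model of a router with one trunk and two VLAN sub-interfaces. The host addresses are those of the slide (192.168.2.2 in VLAN 2, 192.168.3.2 in VLAN 3); the gateway addresses and sub-interface names are assumptions of this example.

```python
"""Added example (not course code): a model of router sub-interfaces that
terminate an 802.1Q VID (tag removed on receipt, tag added on transmission)
and of the arp-broadcast requirement on the sub-interface. Host addresses are
those of the slide (192.168.2.2 in VLAN 2, 192.168.3.2 in VLAN 3); the gateway
addresses and sub-interface names are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import List, Optional, Tuple


@dataclass
class Packet:
    vlan: Optional[int]     # 802.1Q tag on the wire, None once terminated
    src_ip: str
    dst_ip: str
    ttl: int = 64


@dataclass
class SubInterface:
    name: str               # e.g. GigabitEthernet0/0/1.2 (assumed naming)
    termination_vid: int    # dot1q termination vid <vlan-id>
    address: str            # gateway address for that VLAN, e.g. 192.168.2.1/24
    arp_broadcast: bool = False   # disabled by default on a sub-interface


class Router:
    def __init__(self, subifs: List[SubInterface]):
        self.subifs = subifs

    def route(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """Return (packet as sent back over the trunk, reason)."""
        # 1. receive: the sub-interface terminating this VID strips the tag
        inbound = next((s for s in self.subifs if s.termination_vid == pkt.vlan), None)
        if inbound is None:
            return None, f"no sub-interface terminates VLAN {pkt.vlan}"
        # 2. route on the destination IP over the directly connected networks
        out = next((s for s in self.subifs
                    if ip_address(pkt.dst_ip) in ip_interface(s.address).network), None)
        if out is None:
            return None, f"no route to {pkt.dst_ip}"
        if pkt.ttl <= 1:
            return None, "TTL expired in transit"
        # 3. without arp-broadcast enable the router cannot resolve the host
        #    on the outbound sub-interface and discards the packet (blackhole)
        if not out.arp_broadcast:
            return None, f"{out.name}: ARP broadcast disabled, packet discarded"
        # 4. send: tag with the outbound sub-interface's VID, TTL decremented
        sent = Packet(out.termination_vid, pkt.src_ip, pkt.dst_ip, pkt.ttl - 1)
        return sent, f"forwarded via {out.name}"


# Constructed router-on-a-stick: one trunk to the switch, two sub-interfaces
ROUTER = Router([
    SubInterface("GigabitEthernet0/0/1.2", 2, "192.168.2.1/24", arp_broadcast=True),
    SubInterface("GigabitEthernet0/0/1.3", 3, "192.168.3.1/24", arp_broadcast=True),
])


def ping_host_a_to_host_b(router: Router = ROUTER) -> Tuple[Optional[Packet], str]:
    """Host A (VLAN 2) sends an echo request to Host B (VLAN 3) over the trunk."""
    return router.route(Packet(2, "192.168.2.2", "192.168.3.2", ttl=128))


if __name__ == "__main__":
    print(ping_host_a_to_host_b())
```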
Following the configuration of VLAN routing between VLAN 2 and VLAN 3, the
ping application can be used to verify reachability. The example demonstrates
how Host A (192.168.2.2) in VLAN 2 is capable of reaching Host B
(192.168.3.2) in VLAN 3. The TTL reflects that the packet has traversed the
router to reach the destination in VLAN 3.
The implementation of L3 switches brings benefits to the process of VLAN
routing that are not possible through the use of a router. One of those
features is the ability to forward VLAN traffic with very little delay, due to
support for what is known as line speed forwarding, in which ASIC chips in the
forwarding plane allow traffic to be forwarded in hardware rather than
software. Along with this is the fact that a single device is used with no trunk
link that may otherwise face congestion under heavy traffic loads. VLAN
routing when using a layer 3 switch relies on the implementation of VLAN
interfaces (VLANIF). If multiple users on a network belong to different VLANs,
each VLAN requires a VLANIF that acts as the VLAN gateway and so must
associate with an IP address relevant to the network of the VLAN. If a large
number of VLANs exist however, this can tally up to a large number of IP
addresses being required to support each VLANIF, as well as the hosts that
are part of the VLAN with which the VLANIF is associated. Through the
VLANIF, routing between different VLANs can be supported.
Configuration of VLAN routing on a switch operating at layer 3 requires that
the VLANs be initially created and the interfaces be assigned to those
respective VLANS. The configuration follows the principles for configuration of
VLANs covered as part of the VLAN principles. This involves defining the port
link-type for each port and the PVID that is associated with each port interface.
Configuration of VLAN routing is implemented by creating VLAN interfaces
that are to operate as gateway interfaces for each VLAN within the layer 3
switch. Entering the VLANIF view is achieved via the interface vlanif <vlan-id>
command, where the vlan-id refers to the associated VLAN. The IP address
for the interface should be in the same network segment as the hosts. This IP
address shall represent the gateway for the hosts and support the inter-VLAN
communication.
1. The dot1q termination vid <vlan-id> command is used to perform two
specific functions. Where a port receives a VLAN packet, it will initially
remove the VLAN tag from the frame and forward this packet via layer 3
routing. For packets being sent out, the port adds a tag to the packet
before sending it out, in accordance with the respective VLAN and IP
settings for the router's logical interface.
2. The switch must be configured to allow frames carried over the
switch/router medium to be tagged, either through the use of the trunk
command or using tagged hybrid interfaces. Additionally the VLAN traffic
must be permitted over this link using the port trunk allow-pass vlan
<vlan> or port hybrid tagged vlan <vlan> command.
The Wireless Local Area Network (WLAN) is seen as a rapidly developing
network technology to which many enterprise networks are gradually
transitioning, with the expectation that the wired Ethernet networks used
today as the primary network infrastructure in nearly all enterprises will
eventually be superseded by WLAN solutions that provide reliable, ubiquitous
access.
Recent evolutions in technology have introduced a need for change in the way
in which enterprise industries operate, as a wave of tablet computing and
smart mobile device usage paves the way for Bring Your Own Device (BYOD)
solutions, in which users enhance their work capability through personal
devices, for which in most cases, wired Ethernet connectivity is not supported.
Additionally, many new challenges are faced by wireless networks in terms of
supporting a greater density of devices in the enterprise network as well as
providing media based (voice & video) support without signal loss or periodic
connection outages, and providing non-intrusive security to users.
Wireless networks continue to play a secondary role to wired networks but
with the constant push to change the way enterprise networks support users, it
is expected that WLAN will continue to play an increasingly dominant role
throughout all enterprise industries.
The evolution of enterprise networks involving WLAN has undergone three
general phases since the 1980s: from the fixed office, to early mobile office
solutions using standalone access points (APs) that provided only limited
coverage and mobility for users, to a more centralized form of WLAN in which
multiple (thin) APs are managed by a central controller.
Standards growth has also enabled support for different services. Early
WLANs carried only data, but as the capacity of the wired Ethernet network
continues to develop, the WLAN is generally expected to support the same
services. Real-time traffic such as voice and video requires increasing
amounts of bandwidth, and each new 802.11 standard developed to provide it
has absorbed an increasingly large portion of the 2.4GHz spectrum in order to
do so.
With the introduction of BYOD, new challenges to WLAN are faced to ensure
density of devices are supported with suitable bandwidth and connection
reliability for supported applications, whilst defending the enterprise network
against malicious entities including spyware and malware.
IEEE 802.11 is the working group that develops all Wireless LAN standards,
originating in 1997 with an initial standard that operated in the 2.4GHz band
at relatively low data rates of up to 2Mbps. The evolution of standards saw
the introduction of the 802.11a and 802.11b standards, operating in the 5GHz
and 2.4GHz bands respectively.
Each of these standards provides a different signal range. Because signal
fading is greater in the 5GHz band, adoption strongly favoured 2.4GHz, which
generally provides a greater transmission range and so allows fewer access
points (APs) to cover a broader area.
Over time however the 2.4GHz band has become increasingly crowded,
making interference ever more likely where transmission is concerned. In
addition, an increased rate requires a larger portion of the frequency spectrum
for which it has become increasingly difficult to accommodate, for within the
2.4GHz band. This has seen in recent years a transition to a less crowded
5GHz band where frequency ranges for higher rates can be accommodated,
at the cost however of the transmission range, resulting from attenuation that
naturally affects the 5GHz band.
Wireless network deployment solutions over existing Ethernet networks
commonly apply a two-layer architecture that is capable of meeting customer
requirements, with minimal impact to the physical structure of the enterprise
campus.
Access Controllers (AC) are deployed at the core layer of the network and
operate, in what is known as bypass mode, as a general practice. This means
that access controllers that manage the access points are not directly
connected to each AP that they manage, mainly to allow for a wireless
network overlay to be achieved whilst minimizing physical change to the
existing enterprise network architecture.
Each Access Point (AP) within a wireless local area network is designed to
provide coverage over part of the established enterprise campus. A single AP
has a finite range that varies with a number of factors, including objects
that interfere with the signal by imposing greater attenuation or refraction.
Wireless coverage is therefore generally extended by deploying multiple APs
that operate as cells, with overlapping cell ranges so that users can roam
between APs as they move within the area in which coverage is provided. Any
good wireless deployment should provide complete coverage over the entire
campus, eliminating grey areas or black spots where WLAN coverage may
suddenly be lost.
Another important factor involving wireless coverage is security. Unlike
wired Ethernet connections, the reach of a wireless network may extend
beyond the physical boundaries of the building or site for which the network
is intended, giving unknown external users the opportunity to reach network
resources without authority and therefore posing a great risk to the integrity
of the network.
Multiple security mechanisms have been devised for maintaining the overall
integrity of the wireless enterprise. The implementation of perimeter security
as a means of protecting 802.11 networks from threats such as
implementation of unauthorized APs and users, ad-hoc networks, and denial
of service (DoS) attacks is an example of a typical wireless solution.
A wireless intrusion detection system (WIDS) can be used to detect
unauthorized users and APs. A wireless intrusion prevention system (WIPS)
can protect an enterprise network against unauthorized access by wireless
network devices such as a rogue AP.
User access security is another common solution where link authentication,
access authentication, and data encryption are used as forms of Network
Access Control (NAC) to ensure validity and security of user access on
wireless networks, essentially managing user access based on defined
permissions. Service security is another feature that may also be implemented
to protect service data of authorized users from being intercepted by
unauthorized users during transmission.
1. A growing majority of employees require mobility within the enterprise
network as part of daily work, whether for meetings or collaboration, which
fixed line networks generally limit. Adoption of WLAN allows greater mobility
and also flexibility in the number of users connecting to the enterprise
network.
2. With flexibility of access comes a greater need for security, to monitor
user access and prevent sensitive information being accessed from within the
network. As more employees rely on personal devices and connect to the
enterprise network over the WLAN, viruses, malware and spyware amongst
others become a greater potential threat to the network as a whole.
As the number of services and users to be supported grows, greater
bandwidth is required, which translates to a larger portion of wireless
spectrum being adopted by standards. The 5GHz band has begun to take a
prominent role in newer standards due to spectrum limitations in the 2.4GHz
range, which results in a shorter AP transmission range for future standards.
Serial connections represent a form of legacy technology that has commonly
been used to support Wide Area Network (WAN) transmissions. Transmitting
data as electrical signals over a serial link again requires a form of
signaling to control the sending and receiving of frames, as with Ethernet.
Serial connections define two forms of signaling for synchronizing
transmissions, known as asynchronous and synchronous communication.
Asynchronous signaling works by sending additional bits, referred to as start
and stop bits, with each byte (character), so that the receiving node can
recognize the incoming character and reset its timing at each character
boundary, keeping the transmit and receive rates aligned. The start bit is
always a 0 bit value and the stop bit a 1 bit value. The main concern with this
method is the overhead it adds: the start and stop bits represent a large
percentage of each character transmitted. Note that, despite its name,
Asynchronous Transfer Mode (ATM) does not use this start/stop-bit signaling;
the "asynchronous" in ATM refers to asynchronous time-division multiplexing
of fixed-size 53-byte cells over a synchronous physical layer. ATM's fixed cell
size was intended to keep jitter low by minimizing queue processing times,
making it suited to real time communication such as voice, but it has begun
to make way for newer technologies such as MPLS switching, since routers
and switches can now process variable-length frames fast enough that ATM
has lost that advantage.
Synchronous serial connections rely on a clocking mechanism between the
peering devices in which one side (the DCE) provides the clock that
synchronizes communication. The clock is delivered either on a dedicated
clock lead of the serial interface or embedded in the line coding of the data
signal, so that sender and receiver stay aligned without per-character start
and stop bits.
The High-level Data Link Control (HDLC) protocol is a bit-oriented data link
protocol capable of supporting both synchronous and asynchronous data
transmissions. A complete HDLC frame consists of Flag fields that mark the
start and end of a frame, using the bit pattern 01111110 (0x7E); a sequence
of seven or more consecutive 1 bits (01111111) signals that a frame is being
aborted and must be discarded. So that the flag pattern can never appear
inside the frame contents, the sender inserts a 0 bit after any five
consecutive 1 bits between the flags and the receiver removes it again (bit
stuffing). An address field supports multipoint situations where one or
multiple secondary stations communicate with a primary station in a
multipoint (multidrop) topology, known as an unbalanced connection, as
opposed to the more commonly applied balanced (point-to-point) connection.
The control field defines the frame type as information, supervisory or
unnumbered, and a frame check sequence (FCS) field ensures the integrity of
the frame.
Of the control field frame types, only the information frame type is supported
by Huawei ARG3 series routers and is used to carry data. The information
frame type carries send N(S) and receive N(R) sequence numbers, as well as
Poll and Final bits (P/F) for communicating status between primary and
secondary stations. Supervisory frame types in HDLC are used for error and
flow control and unnumbered frame types are used to manage link
establishment for example between primary and secondary stations.
Establishment of HDLC as the link layer protocol over serial connections
requires simply that the link protocol be assigned using the link-protocol hdlc
command under the interface view for the serial interface that is set to use the
protocol. The configuration of the link protocol must be performed on both
peering interfaces that are connected to the point-to-point network before
communication can be achieved.
When an interface has no IP address, it cannot generate routes or forward
packets. The IP address unnumbered mechanism allows an interface without
an IP address to borrow an IP address from another interface. The IP address
unnumbered mechanism effectively enables the conservation of IP addresses,
and does not require that an interface occupy an exclusive IP address all of
the time. It is recommended that the interface that is assigned as the interface
from which the unnumbered IP address is borrowed be a loopback interface
since this type of interface is more likely to be always active and as such
supply an available address.
When using an unnumbered address, a static route or dynamic routing
protocol should be configured so that the interface borrowing the IP address
can generate a route between the devices. If a dynamic routing protocol is
used, the length of the learned route mask must be longer than that of the
lender's IP address mask, because ARG3 series routers use the longest
match rule when searching for routes. If a static route is used and the IP
address of the lender uses a 32-bit mask, the length of the static route mask
must be shorter than 32 bits. If a static route is used and the IP address of the
lender uses a mask less than 32 bits, the length of the static route mask must
be longer than that of the lender's IP address mask.
Through the display ip interface brief command, a summary of the address
assignment is output. In the event of assigning an unnumbered address, the
address value will display as being present on multiple interfaces, showing
that the IP address has been successfully borrowed from the logical loopback
interface for use on the physical serial interface.
The Point-to-Point Protocol (PPP) is a data link layer protocol that
encapsulates and transmits network layer packets over point-to-point (P2P)
links. PPP supports point-to-point data transmission over full-duplex
synchronous and asynchronous links.
PPP was designed as the successor to the Serial Line Internet Protocol (SLIP).
PPP supports both synchronous and asynchronous links, whereas other data
link layer protocols such as Frame Relay (FR) support only synchronous links.
PPP is extensible, carrying not only IP but also other network layer protocols,
and is capable of negotiating link layer attributes.
PPP supports multiple Network Control Protocols (NCP) such as the IP
Control Protocol (IPCP) and Internetwork Packet Exchange Control Protocol
(IPXCP) to negotiate the different network layer attributes. PPP provides the
Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP) for network security authentication. PPP has
no retransmission mechanism, reducing the network cost and speeding up
packet transmission.
PPP encapsulation provides for multiplexing of different network-layer
protocols simultaneously over the same link however in today’s networks, the
capability of PPP requires generally an IP only solution. The versatility of PPP
to accommodate a variety of environments is well supported through Link
Control Protocol (LCP). In order to establish communications over a point-to-
point link, each end of the PPP link must first send LCP packets to configure
and test the data link. More specifically LCP is used to negotiate and establish
agreement for encapsulation format options, manage the MRU of packets,
detect a looped-back link through magic numbers and determine errors in
terms of parameter misconfigurations, as well as terminate an established link.
Peer authentication on the link, and determination of when a link is functioning
properly and when it is failing represent other optional facilities that are
provided by LCP.
After the link has been established and optional facilities have been negotiated
as required by the LCP component of PPP, NCP packets must then be sent to
choose and configure one or more network-layer protocols. Typical IP based
Network Control Protocols enable features such as address configuration
(IPCP), and (van Jacobson) compressed TCP/IP.
This initiation and termination of a PPP link begins and ends with the dead
phase. When two communicating devices detect that the physical link between
them is activated (for example, carrier signals are detected on the physical
link), PPP will transition from the Dead phase into the Establish phase. In the
Establish phase, the two devices perform an LCP negotiation to negotiate the
working mode as either single-link (SP) or multi-link (MP), the Maximum
Receive Unit (MRU), authentication mode etc.
If the authentication mode is defined, the optional Authenticate phase will be
initiated. PPP provides two password authentication modes: PAP
authentication and CHAP authentication. Two CHAP authentication modes are
available: unidirectional CHAP authentication and bidirectional CHAP
authentication. In unidirectional CHAP authentication, the device on one end
functions as the authenticating device, and the device on the other end
functions as the authenticated device. In bidirectional CHAP authentication,
each device functions as both the authenticating device and authenticated
device. In practice however, only unidirectional CHAP authentication is used.
Following successful authentication, the Network phase begins, in which NCP
negotiation is performed to select and configure a network-layer protocol
and to negotiate its network-layer parameters. Each NCP may be in an
Opened or Closed state at any time. After an NCP enters the Opened state,
network-layer data can be transmitted over the PPP link.
PPP can terminate a link at any time. A link can be terminated manually by an
administrator, or be terminated due to the loss of carrier, an authentication
failure, or other causes.
PPP generally adopts an HDLC-like frame format for transmission over serial
connections. Flag fields denote the start and end of a PPP frame and are
identified by the binary sequence 01111110 (0x7E). The address field,
although present, is not used by PPP as it is in HDLC and therefore always
contains 11111111 (0xFF), the "All-Stations" address. The control field is
likewise fixed at 00000011 (0x03), the unnumbered information command.
The frame check sequence (FCS) is generally a 16-bit value used to verify the
integrity of the PPP frame. PPP additionally defines a 16-bit protocol field
(which may be compressed to 8 bits when protocol field compression is
negotiated) that identifies the datagram encapsulated in the Information field
of the frame. Typical values include 0xc021 for the Link Control Protocol,
0xc023 for the Password Authentication Protocol, and 0xc223 for the
Challenge Handshake Authentication Protocol. The Information field contains
the datagram for the protocol specified in the Protocol field.
The maximum length of the Information field (not including the Protocol field)
is defined by the Maximum Receive Unit (MRU), which defaults to 1500 bytes.
Where the protocol value is 0xc021, the communicating devices are
exchanging LCP packets to negotiate and establish the PPP link.
The LCP packet format carries a code field that identifies the packet type
during PPP negotiation; common examples include Configure-Request (0x01),
Configure-Ack (0x02) and Terminate-Request (0x05). The Data field carries
type/length/value (TLV) configuration options for negotiation, including the
MRU, the authentication protocol, and so on.
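The framing described here, together with the HDLC flag and FCS discussion earlier, as an added Python example (not code from the course or from Huawei): it builds and parses a PPP frame with the 0xFF/0x03 header, 16-bit protocol field, RFC 1662 FCS-16 and the byte stuffing used on asynchronous links (0x7D escape), and encodes and decodes an LCP packet with its TLV options. Synchronous HDLC links use bit stuffing instead, which this example does not implement. The Configure-Request contents are constructed sample data.

```python
FLAG, ESC, ADDR, CTRL = 0x7E, 0x7D, 0xFF, 0x03
PROTO_LCP, PROTO_PAP, PROTO_CHAP = 0xC021, 0xC023, 0xC223
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ, TERM_REQ = 1, 2, 3, 4, 5
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5


def fcs16(data: bytes) -> int:
    """RFC 1662 FCS-16 (CRC-16/X.25): init 0xFFFF, reflected polynomial 0x8408, final XOR 0xFFFF."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def _stuff(data: bytes) -> bytes:
    """Async byte stuffing: 0x7E, 0x7D and (default ACCM) control bytes become 0x7D, byte ^ 0x20."""
    out = bytearray()
    for b in data:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def _unstuff(data: bytes) -> bytes:
    out, escaped = bytearray(), False
    for b in data:
        if escaped:
            out.append(b ^ 0x20)
            escaped = False
        elif b == ESC:
            escaped = True
        else:
            out.append(b)
    return bytes(out)


def build_frame(protocol: int, info: bytes) -> bytes:
    """Flag | 0xFF | 0x03 | protocol (2 bytes) | info | FCS (2 bytes, least significant first) | Flag."""
    body = bytes([ADDR, CTRL]) + protocol.to_bytes(2, "big") + info
    fcs = fcs16(body)
    body += bytes([fcs & 0xFF, fcs >> 8])
    return bytes([FLAG]) + _stuff(body) + bytes([FLAG])


def parse_frame(frame: bytes):
    """Return (protocol, info) or raise ValueError if framing, header or FCS is wrong."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag")
    body = _unstuff(frame[1:-1])
    if len(body) < 6 or body[0] != ADDR or body[1] != CTRL:
        raise ValueError("bad address/control field")
    payload, fcs_rx = body[:-2], body[-2] | (body[-1] << 8)
    if fcs16(payload) != fcs_rx:
        raise ValueError("FCS mismatch")
    return int.from_bytes(payload[2:4], "big"), payload[4:]


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def build_lcp(code: int, ident: int, options) -> bytes:
    """LCP packet: code | identifier | length (2 bytes) | options as type/length/value."""
    data = b"".join(bytes([t, 2 + len(v)]) + v for t, v in options)
    return bytes([code, ident]) + (4 + len(data)).to_bytes(2, "big") + data


def parse_lcp(pkt: bytes):
    """Return (code, identifier, [(type, value), ...]); option lengths are bounds-checked."""
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    options, i = [], 4
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated option header")
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad option length")
        options.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, options


# Constructed sample Configure-Request: MRU 1500, CHAP with MD5 (0xC223, algorithm 5), a magic number.
SAMPLE_OPTIONS = [
    (OPT_MRU, (1500).to_bytes(2, "big")),
    (OPT_AUTH, PROTO_CHAP.to_bytes(2, "big") + b"\x05"),
    (OPT_MAGIC, bytes.fromhex("deadbeef")),
]


def sample_exchange():
    """Encode the sample Configure-Request into a PPP frame and decode it on the receiving side."""
    frame = build_frame(PROTO_LCP, build_lcp(CONF_REQ, 1, SAMPLE_OPTIONS))
    protocol, info = parse_frame(frame)
    return frame, protocol, parse_lcp(info)


def corrupted_frame_is_rejected() -> bool:
    """Flip one bit in the protocol field of the sample frame; the FCS check must then fail."""
    frame = bytearray(sample_exchange()[0])
    frame[4] ^= 0x01
    return not is_valid_frame(bytes(frame))
```

The FCS only detects transmission errors; it offers no protection against a deliberate modification, since anyone who can alter the frame can recompute it. The bounds checks in `parse_lcp` matter in practice because option lengths arrive from the peer before any authentication has taken place.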
As part of the LCP negotiation, a number of packet types are defined that
enable parameters to be agreed upon before a PPP data link is established. It
is necessary that the two communicating devices negotiate the link layer
attributes such as the MRU and authentication mode. In order to achieve this,
various packet types are communicated.
The Configure-Request packet type allows initiation of LCP negotiation
between peering devices and must be transmitted at such times. Any
Configure-Request packet type sent must be responded to, and may be done
so through one of a number of response packet types. Where every
configuration option received in a Configure-Request is recognizable and all
values are acceptable, a Configure-Ack packet type will be transmitted.
Where all received configuration options in the Configure-Request packet type
are recognized, but some values are not accepted, a Configure-Nak packet
type will be transmitted, and contain only the unaccepted configuration options
originally received in the Configure-Request packet type. A Configure-Reject
is used when certain configuration options received in a Configure-Request
are not recognizable, and thus are not accepted for negotiation.
Some of the common configuration options negotiated in LCP packets are the
MRU, the authentication protocol required by the sending peer, and the magic
number.
The magic number provides a method to detect looped-back links and other
anomalies at the data link layer. Each peer chooses a (preferably random)
magic number and includes it in its own Configure-Request. When a
Configure-Request containing a Magic-Number option is received, the received
value is compared with the magic number the local device last sent in its own
Configure-Request. If the two values differ, the link is understood not to be
looped back and the option can be acknowledged with a Configure-Ack. If the
two values are equal, the link may be looped back (the device may be
receiving its own request) and further checking is required: a Configure-Nak
is sent carrying a different Magic-Number value, effectively asking the peer
to choose another number. A genuine peer will adopt a new value, whereas a
looped-back link will keep returning the local value.
The sequence of events leading to the establishment of PPP between two
peers is initiated by the sending of a Configure-Request packet to the peering
device. Upon receiving this packet, the receiver must assess the configuration
options to determine the packet format to respond with. In the event that all
configuration options received are acceptable and recognized, the receiver will
reply with a Configure-Ack packet.
Following the initial transmission of the Configure-Request as part of PPP
negotiation, it is also possible that a Configure-Nak be returned, in particular
where all configuration options are recognized, but some values are not
accepted. On reception of the Configure-Nak packet a new Configure-Request
is generated and sent, however the configuration options may generally be
modified to the specifications in the received Configure-Nak packet.
Multiple instances of a configuration option may be specified by the Configure-
Nak packet for which the peer is expected to select a single value to include in
the next Configure-Request packet.
For PPP LCP negotiation in which one or more configuration options received
in a Configure-Request are unrecognized, or not acceptable for negotiation at
all, a Configure-Reject packet is transmitted, carrying only the rejected
options. On receiving a valid Configure-Reject, the peer sends a new
Configure-Request from which every option listed in the Configure-Reject has
been removed.
Establishment of PPP requires that the link layer protocol on the serial
interface be specified. For ARG3 series of routers, PPP is enabled by default
on the serial interface. In the event where the interface is currently not
supporting PPP, the link-protocol ppp command is used to enable PPP at the
data link layer. Confirmation of the change of encapsulation protocol will be
prompted, for which approval should be given as demonstrated in the
configuration example.
The Password Authentication Protocol (PAP) is a two-way handshake
authentication protocol that transmits passwords in plain text. PAP
authentication is performed during initial link establishment. After the Link
Establishment phase is complete, the user name and password are repeatedly
sent by the peer to the authenticator until authentication is acknowledged or
the connection is terminated. PAP authentication effectively simulates login
operations in which plain text passwords are used to establish access to a
remote host. The authenticated device sends the local user name and
password to the authenticator. The authenticator checks the user name and
password of the authenticated device against a local user table and sends an
appropriate response to the authenticated device to confirm or reject
authentication.
The Challenge Handshake Authentication Protocol (CHAP) is used to
periodically verify the identity of the peer using a three-way handshake. This
is done upon initial link establishment and can be repeated at any time
afterwards. The distinguishing principle of CHAP is that no password is ever
transmitted over the link; instead it relies on a challenge and response
process that can only succeed if both the authenticator and the authenticated
device hold the same value, referred to as a secret. The authenticator sends
a challenge containing a random value; the authenticated device
concatenates the packet identifier, the secret and the challenge value,
hashes the result (commonly with MD5) and returns the hash as its response.
The authenticator computes the same hash from its own copy of the secret
and compares it with the response; if the two match, the authenticated peer
is approved.
The IP Control Protocol (IPCP) is responsible for configuring, enabling, and
disabling the IP protocol modules on both ends of the point-to-point link. IPCP
uses the same packet exchange mechanism as the Link Control Protocol
(LCP). IPCP packets may not be exchanged until PPP has reached the
Network phase. IPCP packets received before this phase is reached are
expected to be silently discarded. The address negotiation configuration option
provides a way to negotiate the IP address to be used on the local end of the
link, for which a statically defined method allows the sender of the Configure-
Request to state which IP-address is desired. Upon configuration of the IP
address a Configure-Request message is sent containing the IP address
requested to be used, followed by a Configure-Ack from the peering device to
affirm that the IP address is accepted.
A local device operating as a client that needs an IP address from the address
range of the remote device (server) requests one by applying the ip address
ppp-negotiate command on the physical interface over which the client peers
with the server. This is applicable in scenarios such as where a client
accesses the Internet through an Internet Service Provider (ISP) network and
obtains its IP address from the ISP. The client sends an IPCP
Configure-Request in which the IP-Address option carries 0.0.0.0, meaning
that no address has been defined; the PPP server (RTB) responds with a
Configure-Nak containing the IP address it proposes for RTA. A follow-up
Configure-Request carrying the proposed address is then acknowledged,
allowing the (NCP) IPCP to bring the network layer up.
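The Configure-Request/Ack/Nak/Reject rules described for LCP above, the magic number check, and the IPCP address assignment described here all use the same mechanism, so this one added Python example (not code from the course or from Huawei) covers all of them: a responder classifies a received Configure-Request according to those rules and a requester re-sends until it receives a Configure-Ack. Two scenarios are run: an LCP negotiation in which RTA offers PAP, an option RTB does not support and a magic number equal to RTB's own, and an IPCP negotiation in which RTA requests 0.0.0.0 and RTB proposes an address. Device names, addresses and magic numbers are constructed; the option type codes are those of RFC 1661, RFC 1990 and RFC 1332 (MRU 1, Authentication-Protocol 3, Magic-Number 5, MRRU 17, IPCP IP-Address 3).

```python
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
LCP_MRU, LCP_AUTH, LCP_MAGIC, LCP_MRRU = 1, 3, 5, 17   # RFC 1661 / RFC 1990 option types
IPCP_ADDR = 3                                          # RFC 1332 IP-Address option
PROTO_PAP, PROTO_CHAP = 0xC023, 0xC223


class Responder:
    """One end of a PPP control protocol (LCP or IPCP) answering Configure-Requests."""

    def __init__(self, known, accept, suggest, own_magic=None):
        self.known = known          # option types this side understands
        self.accept = accept        # type -> predicate on the value; a missing type accepts any value
        self.suggest = suggest      # type -> value to propose in a Configure-Nak
        self.own_magic = own_magic  # magic number this side sent in its own Configure-Request

    def respond(self, options):
        """Classify a received Configure-Request and return (code, options to carry back)."""
        rejected = [(t, v) for t, v in options if t not in self.known]
        if rejected:
            return CONF_REJ, rejected   # unrecognized options: Reject, listing only those
        naked = []
        for t, v in options:
            if t == LCP_MAGIC and v == self.own_magic:
                # Same magic number we sent ourselves: possible loopback, ask for a different one
                naked.append((t, self.suggest[t]))
            elif not self.accept.get(t, lambda _v: True)(v):
                naked.append((t, self.suggest[t]))
        if naked:
            return CONF_NAK, naked      # recognized but unacceptable values, with hints
        return CONF_ACK, options


def negotiate(request, responder, max_rounds=5):
    """Send Configure-Requests until an Ack; returns (transcript, agreed options).

    Each transcript entry is (requested options, response code, response options)."""
    options, transcript = list(request), []
    for _ in range(max_rounds):
        code, payload = responder.respond(options)
        transcript.append((list(options), code, list(payload)))
        if code == CONF_ACK:
            return transcript, options
        if code == CONF_REJ:
            dropped = {t for t, _ in payload}
            options = [(t, v) for t, v in options if t not in dropped]
        else:
            hints = dict(payload)        # Nak: adopt the responder's suggested values
            options = [(t, hints.get(t, v)) for t, v in options]
    raise RuntimeError("negotiation did not converge")


def lcp_example():
    """RTA -> RTB LCP negotiation with constructed values."""
    rtb = Responder(
        known={LCP_MRU, LCP_AUTH, LCP_MAGIC},
        accept={LCP_MRU: lambda v: int.from_bytes(v, "big") <= 1500,
                LCP_AUTH: lambda v: v[:2] == PROTO_CHAP.to_bytes(2, "big")},  # RTB insists on CHAP
        suggest={LCP_MRU: (1500).to_bytes(2, "big"),
                 LCP_AUTH: PROTO_CHAP.to_bytes(2, "big") + b"\x05",           # CHAP, MD5 algorithm
                 LCP_MAGIC: bytes.fromhex("0badcafe")},
        own_magic=bytes.fromhex("deadbeef"))
    rta_request = [
        (LCP_MRU, (1500).to_bytes(2, "big")),
        (LCP_AUTH, PROTO_PAP.to_bytes(2, "big")),    # RTA offers PAP
        (LCP_MAGIC, bytes.fromhex("deadbeef")),      # equals RTB's own magic: looks looped back
        (LCP_MRRU, (1500).to_bytes(2, "big")),       # multilink option that RTB does not support
    ]
    return negotiate(rta_request, rtb)


def ipcp_example():
    """RTA configured with 'ip address ppp-negotiate' asks RTB for an address (constructed values)."""
    assigned = bytes([10, 0, 0, 2])
    rtb = Responder(known={IPCP_ADDR},
                    accept={IPCP_ADDR: lambda v: v == assigned},
                    suggest={IPCP_ADDR: assigned})
    return negotiate([(IPCP_ADDR, bytes(4))], rtb)   # 0.0.0.0: no address defined, please propose one


if __name__ == "__main__":
    names = {CONF_ACK: "Configure-Ack", CONF_NAK: "Configure-Nak", CONF_REJ: "Configure-Reject"}
    for label, (transcript, agreed) in (("LCP", lcp_example()), ("IPCP", ipcp_example())):
        for requested, code, payload in transcript:
            print(f"{label}: RTA Configure-Request {requested} -> RTB {names[code]} {payload}")
        print(f"{label} agreed: {agreed}")
```

The LCP run takes three rounds (Reject for the unsupported MRRU option, Nak for the PAP offer and the colliding magic number, then Ack); the IPCP run takes two (Nak carrying 10.0.0.2, then Ack). Note that `negotiate` is bounded by `max_rounds`: a peer that keeps Nak-ing with new hints would otherwise hold the link in the Establish phase indefinitely, which is why real implementations count Configure-Nak rounds as well.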
The establishment of PAP authentication requires that one peer operate as the
authenticator in order to authenticate an authenticated peer. The PPP PAP
authenticator is expected to define the authentication mode, a local user name
and password, and the service type. If a domain is defined to which the local
user belongs (as defined by AAA), the authentication domain is also expected
to be specified under the PAP authentication mode.
An authenticated peer requires that an authentication user name, and
authentication password be specified in relation to the username and
password set by the authenticator. The ppp pap local-user <username>
password { cipher | simple } <password> command is configured on the
authenticated device to achieve this.
Through debugging commands which provide a real-time output of events in
relation to specific protocols, the authentication request process can be
viewed. As displayed in the example, a PAP authentication request is
performed to which authentication establishment is deemed successful.
In CHAP authentication, the authenticated device sends its user name together
with a hash computed over the challenge to the authenticating device; the
password itself never crosses the link. CHAP is therefore understood to offer
higher security than PAP, since the challenges sent to the authenticated
device and the hashed responses are derived from the password configured
on both peering devices without exposing it. In its simplest form, CHAP may
be implemented based on local user assignments as with PAP, or may involve
more stringent forms of authentication and accounting achieved through AAA
and authentication/accounting servers.
As demonstrated, the configuration of CHAP based on locally defined users
requires limited configuration of local user parameters and the enablement of
PPP CHAP authentication mode on the authenticator device. Where domains
exist, the authenticator may also be required to define the domain being used
if different from the default domain.
Debugging of the CHAP authentication processes displays the stages involved
with CHAP authentication, originating from listening on the interface for any
challenges being received following the LCP negotiation. In the event that a
challenge is sent, the authenticated device must provide a response for which
a hash value is generated, involving the set authentication parameters on the
authenticated peer (password), that the authenticator will promptly validate
and provide a success or failure response to.
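As an added Python example covering the PAP and CHAP exchanges described above (not code from the course or from Huawei), the following builds the packets each side sends and shows the difference a passive observer of the link sees: the PAP Authenticate-Request carries the password in clear text, while the CHAP response carries only MD5(identifier || secret || challenge value) per RFC 1994, which the authenticator verifies from its local user table. The user name, secret and identifiers are constructed sample values.

```python
import hashlib
import hmac
import os

PAP_AUTH_REQ = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Constructed local user table on the authenticator (RTB); user name and secret are assumptions.
LOCAL_USERS = {"rta": b"Huawei@123"}


def pap_request(ident: int, user: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): code | id | length | peer-id-len | peer-id | pw-len | password."""
    body = bytes([len(user)]) + user.encode() + bytes([len(password)]) + password.encode()
    return bytes([PAP_AUTH_REQ, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def pap_password_on_wire(pkt: bytes) -> str:
    """What a passive observer of the serial link recovers from the PAP request: the password itself."""
    ulen = pkt[4]
    plen = pkt[5 + ulen]
    return pkt[6 + ulen:6 + ulen + plen].decode()


def chap_challenge(ident: int, name: str, size: int = 16) -> bytes:
    """CHAP Challenge (RFC 1994): code | id | length | value-size | value | name. The value is fresh each time."""
    value = os.urandom(size)
    length = 5 + size + len(name)
    return bytes([CHAP_CHALLENGE, ident]) + length.to_bytes(2, "big") + bytes([size]) + value + name.encode()


def chap_response(challenge: bytes, name: str, secret: bytes) -> bytes:
    """Authenticated peer: sends MD5(identifier || secret || challenge value) and its name, never the secret."""
    ident, size = challenge[1], challenge[4]
    value = challenge[5:5 + size]
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    length = 5 + len(digest) + len(name)
    return bytes([CHAP_RESPONSE, ident]) + length.to_bytes(2, "big") + bytes([len(digest)]) + digest + name.encode()


def chap_verify(challenge: bytes, response: bytes, users=LOCAL_USERS) -> int:
    """Authenticator: recompute the hash from the stored secret and compare it in constant time."""
    ident, size = challenge[1], challenge[4]
    value = challenge[5:5 + size]
    if response[0] != CHAP_RESPONSE or response[1] != ident:
        return CHAP_FAILURE                      # wrong packet type, or a response to another challenge
    length = int.from_bytes(response[2:4], "big")
    rsize = response[4]
    received = response[5:5 + rsize]
    name = response[5 + rsize:length].decode(errors="replace")
    secret = users.get(name)
    if secret is None:
        return CHAP_FAILURE
    expected = hashlib.md5(bytes([ident]) + secret + value).digest()
    return CHAP_SUCCESS if hmac.compare_digest(expected, received) else CHAP_FAILURE


def demo():
    """Run both exchanges between RTA (authenticated device) and RTB (authenticator)."""
    pap = pap_request(1, "rta", "Huawei@123")
    challenge = chap_challenge(7, "RTB")
    response = chap_response(challenge, "rta", LOCAL_USERS["rta"])
    return {
        "pap_exposed_password": pap_password_on_wire(pap),
        "chap_result": chap_verify(challenge, response),
        # Replaying the captured response against a new challenge (same id, new value) fails
        "chap_replay_result": chap_verify(chap_challenge(7, "RTB"), response),
    }
```

CHAP still requires the authenticator to store the secret in a recoverable form, and anyone who captures a challenge/response pair can test candidate secrets offline at MD5 speed, so the protection it adds over PAP depends on the strength of the configured password; MD5 here is the algorithm RFC 1994 specifies, not a recommendation.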
1. A Configure-Ack packet is required in order to allow the link layer to be
successfully established when using PPP as the link layer encapsulation
mode.
2. The Internet Protocol Control Protocol (IPCP) is used to negotiate the IP
protocol modules as part of the NCP negotiation process. This occurs
during the Network phase of PPP establishment.
HCIA-HNTD Intermediate Training Materials V2.2.pdf

  • 1. HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1 The privilege of HCNA/HCNP/HCIE: With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:  1、e-Learning Courses: Logon http://learning.huawei.com/en and enter Huawei Training/e-Learning  If you have the HCNA/HCNP certificate:You can access Huawei Career Certification and Basic Technology e-Learning courses.  If you have the HCIE certificate: You can access all the e-Learning courses which marked for HCIE Certification Users.  Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and email the account to Learning@huawei.com to apply for HCIE e-Learning privilege.  2、 Training Material Download  Content: Huawei product training material and Huawei career certification training material.  Method:Logon http://learning.huawei.com/en and enter Huawei Training/Classroom Training ,then you can download training material in the specific training introduction page.  3、 Priorityto participate in Huawei Online Open Class (LVC)  The Huawei career certification training and product training covering all ICT technical domains like R&S, UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors.  4、Learning Tools:  eNSP :Simulate single Router&Switch device and large network.  WLAN Planner :Network planning tools for WLAN AP products.  In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with Huawei experts , share exam experiences with others or be acquainted with Huawei Products.  Statement: This material is for personal use only, and can not be used by any individualor organization for any commercial purposes. M ore Learning Resources: http://learning.huawei.com /en
  • 2. Huawei Certification HCNA-HNTD INTERMEDIATE Huawei Networking Technology and Device Huawei Technologies Co.,Ltd. M ore Learning Resources: http://learning.huawei.com /en
  • 3. Copyright © Huawei Technologies Co., Ltd. 2016. All rights reserved. Huawei owns all copyrights, except for references to other parties. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The information in this manual is subject to change without notice. Every effort has been made in the preparation of this manual to ensure accuracy of the contents, but all statements, information, and recommendations in this manual do not constitute the warranty of any kind, express or implied. Huawei Certification HCNA-HNTD Huawei Networking Technology and Device Intermediate Version 2.2 M ore Learning Resources: http://learning.huawei.com /en
Huawei Certification System

Relying on its strong technical and professional training and certification system, and in accordance with the needs of customers at different ICT technology levels, Huawei certification is committed to providing customers with authentic, professional certification, and addresses the need for the development of quality engineers capable of supporting enterprise networks in the face of an ever-changing ICT industry.

The Huawei certification portfolio for routing and switching (R&S) comprises three levels to support and validate the growth and value of customer skills and knowledge in routing and switching technologies.

The Huawei Certified Network Associate (HCNA) certification validates the skills and knowledge of IP network engineers to implement and support small to medium-sized enterprise networks. The HCNA certification provides a rich foundation of skills and knowledge for the establishment of such enterprise networks, along with the capability to implement services and features within existing enterprise networks, to effectively support real industry operations. HCNA certification covers fundamental skills for TCP/IP, routing, switching and related IP network technologies, together with Huawei data communications products, and skills for Versatile Routing Platform (VRP) operation and management.

The Huawei Certified Network Professional (HCNP-R&S) certification is aimed at enterprise network engineers involved in design and maintenance, as well as professionals who wish to develop in-depth knowledge of routing, switching, network efficiency and optimization technologies. HCNP-R&S consists of three units: Implementing Enterprise Routing and Switching Network (IERS), Improving Enterprise Network Performance (IENP), and Implementing Enterprise Network Engineering Project (IEEP). These cover advanced IPv4 routing and switching technology principles, network security, high availability and QoS, as well as the application of the covered technologies in Huawei products.

The Huawei Certified Internet Expert (HCIE-R&S) certification is designed to equip engineers with a broad range of IP network technologies and with proficiency in the maintenance, diagnosis and troubleshooting of Huawei products, together with in-depth competency in the planning, design and optimization of large-scale IP networks.
Foreword

Outline: The HNTD guide contains content relating to the HCNA certification, for the development of engineers who wish to prepare for the HCNA-HNTD examination or familiarize themselves with TCP/IP technologies and protocols, as well as LAN and WAN technologies and products, including VRP.

Content: The book contains a total of five modules, introducing technologies for enhancing enterprise networks for business application, and introduces solutions for link layer operations, WAN, IP security, network management, and IPv6 technologies, as well as guidelines for configuration and implementation using VRP.

Module 1 introduces link layer features and services, including link aggregation solutions, VLAN and GVRP, for the enhancement of link layer efficiency within the enterprise network.

Module 2 outlines the basic principles of technologies for Wide Area Networks (WAN) including HDLC, PPP, Frame Relay, PPPoE and NAT, with VRP configuration for the implementation of effective WAN solutions.

Module 3 addresses the need for security in the enterprise network and reflects on R&S based security solutions, and the subsequent VRP application for protection of the enterprise network against internal and external threats.

Module 4 describes solutions for real-time management of enterprise networks through effective operation and maintenance (O&M) solutions, as well as a detailed understanding of SNMP as the underlying management protocol. The module introduces the eSight network management system, through which engineers will establish comprehensive skills for implementing enterprise network management solutions.

Module 5 addresses the evolution of the enterprise network towards IPv6, and introduces the principal features, routing technologies and applications for IPv6 networks on Huawei routers and switches, from which engineers will establish a foundation for building and maintaining IPv6 technologies in the enterprise network.
Contents

Advanced Enterprise Solutions Overview (page 1)
Link Aggregation (page 13)
VLAN Principles (page 26)
GARP and GVRP (page 55)
VLAN Routing (page 72)
Wireless LAN Overview (page 86)
Principle and Configuration of HDLC and PPP (page 97)
Frame Relay Principles (page 125)
Principle and Configuration of PPPoE (page 141)
Network Address Translation (page 161)
Establishing Enterprise RAN Solutions (page 181)
Access Control Lists (page 195)
AAA (page 209)
Securing Data with IPSec VPN (page 221)
Generic Routing Encapsulation (page 240)
Simple Network Management Protocol (page 257)
eSight Network Management Solutions (page 271)
Introducing IPv6 Networks (page 284)
IPv6 Routing Technologies (page 304)
IPv6 Application Services - DHCPv6 (page 320)
The establishment of local and internetwork connectivity through TCP/IP protocols represents the foundation of the enterprise network, but it does not by itself make an enterprise network business ready. As an enterprise grows, so do the requirements placed on the network that supports it. This includes network designs capable of supporting an expanding business where user density may grow in a short period of time, where mobile office operation may constantly be required, where growing technological requirements need to be smoothly accommodated, and where the traffic generated is managed efficiently without disruption to base network operations. It is therefore imperative to build a clear understanding of how solutions can be applied to establish an enterprise network capable of supporting ever-changing industry needs.

An enterprise network can be logically divided into five areas: a core network, data center, DMZ, enterprise edge, and operations and maintenance (O&M). Huawei's campus network solution focuses on the core network zone. The core network implements a three-layer architecture consisting of a core, aggregation, and access layer. This three-layer architecture provides a multi-layer design in which each layer performs specific functions, establishes a stable topology that simplifies network expansion and maintenance, and uses a modular design that facilitates fault location. Network topology changes in one department can be isolated so that they do not affect other departments.

Huawei enterprise networks must be capable of providing solutions for a variety of scenarios, such as dense user access, mobile office, VoIP, videoconferencing and video surveillance, access from outside the campus network, and all-round network security. Huawei enterprise solutions therefore must meet customer requirements for network performance, scalability, reliability, security, and manageability, while also simplifying network construction.
The enterprise network is required to be capable of establishing connectivity via a multitude of telecom service provider networks, building on an ever-growing requirement to support integrated and converged networks. Taking advantage of the ubiquitous nature of IP, it is important that the enterprise network be capable of supporting all services necessary in enterprise industries, providing access to internal resources through any type of device, at any time and in any location.
Maintaining efficiency of operation in an enterprise network requires that traffic flow is optimized and that redundancy is implemented so that the failure of any single device or link does not isolate users or resources. A two-node redundant design is implemented as part of enterprise network design to enhance network reliability; however, a balance must be maintained, since too many redundant nodes are difficult to maintain and increase overall organizational expenditure.
Network security plays an ever-increasing role in the enterprise network. TCP/IP was not originally designed with security in mind, and security mechanisms have therefore been introduced gradually to combat ever-growing threats to IP networks. Security threats can originate both from inside and from outside the enterprise network, and solutions that address both types of threat have become prominent. Huawei network security solutions have grown to cover terminal security management, service security control, and network attack defense.
The growth of intelligent network designs helps to facilitate operations and maintenance (O&M), for which Huawei network solutions provide intelligent power consumption management, intelligent fast network deployment, and intelligent network maintenance.
As the industry continues to evolve, new next-generation enterprise solutions are introduced, including the increasingly prominent use of cloud technology to deliver infrastructure, platform and software services that meet the needs of each customer. Along with this comes the need to support enterprise-built data centers and infrastructure designs that allow for constant expansion, in order to keep up with the growing number of services required by customers. This involves technologies such as virtualization and storage solutions, which continue to play a central role in ensuring that the enterprise industry's expansion into the cloud is facilitated at all service levels.
1. The DMZ is part of the enterprise network, but it is placed so that its services can be accessed both from external locations and internally, without granting external users permission to reach locations associated with internal users. This provides a level of security that ensures data never flows directly between external and internal user locations.

2. The core provides high-speed forwarding of traffic between different locations in the enterprise network and to external locations beyond the enterprise network. The devices used in the core must therefore be capable of higher performance in terms of processing and forwarding capacity.
Link aggregation refers to the implementation of a trunk link that acts as a direct point-to-point link between two devices, such as peering routers, switches, or a router and switch combination at each end of the link. The link aggregation comprises links that are considered members of an Ethernet trunk and form an association which allows the physical links to operate as a single logical link. The link aggregation feature supports high availability by allowing traffic on the physical link of a member interface to switch to another member link in the event that a particular interface fails. In aggregating the links, the bandwidth of the trunk interface equals the sum of the bandwidth of all member interfaces, giving an effective bandwidth increase for traffic over the logical link. Link aggregation can also implement load balancing on a trunk interface. This enables the trunk interface to disperse traffic among its member interfaces and transmit it over the member links to the same destination, thus minimizing the likelihood of network congestion.
Link aggregation is often applied in areas of the enterprise network where high-speed connectivity is required and congestion is likely to occur. This generally equates to the core network, where responsibility for high-speed switching resides and where traffic from all parts of the enterprise network generally congregates before being forwarded to destinations either in other parts of the network or beyond the boundaries of the enterprise network. The example demonstrates how core switches (SWA and SWB) support link aggregation over member links that interconnect the two core switches, as a means of ensuring that congestion does not build at a critical point in the network.
Link aggregation supports two modes of implementation: manual load balancing mode and static LACP mode.

In manual load balancing mode, member interfaces are manually added to a link aggregation group (LAG), and all member interfaces are set in a forwarding state. The AR2200 can perform load balancing based on destination MAC addresses, source MAC addresses, the exclusive-OR of the source and destination MAC addresses, source IP addresses, destination IP addresses, or the exclusive-OR of the source and destination IP addresses. The manual load balancing mode does not use the Link Aggregation Control Protocol (LACP), so the AR2200 can use this mode when the peer device does not support LACP.

In static LACP mode, the devices at the two ends of a link negotiate aggregation parameters by exchanging LACP packets. In this mode it is still necessary to manually create the Eth-Trunk and add members to it, but after negotiation completes, the two devices determine which interfaces are active and which are inactive. The static LACP mode is also referred to as M:N mode, where M signifies the active member links, which forward data in a load balancing manner, and N represents the links that are inactive but provide redundancy. If an active link fails, data forwarding is switched to the backup link with the highest priority, and the status of that backup link changes to active. The main difference between the two modes is therefore that in static LACP mode some links may function as backup links, whereas in manual load balancing mode all member interfaces work in a forwarding state.
As a logical interface that binds multiple physical interfaces and relays upper-layer data, a trunk interface requires that all parameters of the physical (member) interfaces at both ends of the trunk link be consistent. This includes the number of physical interfaces, the transmission rates and duplex modes of the physical interfaces, and their traffic-control modes; note that member interfaces can be layer 2 or layer 3 interfaces. Where the interface speed is not consistent, the trunk link can still operate, but the interfaces operating at the lower rate are likely to experience frame loss.

In addition, the sequence of frames within a data flow must be preserved. A data flow can be considered as a group of frames sharing the same MAC addresses and IP addresses; for example, a Telnet or FTP connection between two devices is a single data flow. Without a trunk interface, frames belonging to a data flow reach their destination in the correct order because they are all transmitted over a single physical link. When trunk technology is used, multiple physical links are bound into the same trunk link and frames are distributed across them. If the first frame of a flow is transmitted over one physical link and the second over another, the second frame may reach the destination earlier than the first. To prevent such reordering, a frame forwarding mechanism ensures that frames of the same data flow reach the destination in the correct sequence. The mechanism differentiates data flows based on their MAC addresses or IP addresses, so that frames belonging to the same data flow are always transmitted over the same physical link. With this mechanism in place, frames are distributed according to the following rules:

Frames with the same source MAC address are transmitted over the same physical link.
Frames with the same destination MAC address are transmitted over the same physical link.
Frames with the same source IP address are transmitted over the same physical link.
Frames with the same destination IP address are transmitted over the same physical link.
Frames with the same source and destination MAC addresses are transmitted over the same physical link.
Frames with the same source and destination IP addresses are transmitted over the same physical link.

Which of these rules applies depends on the load-balancing mode configured on the Eth-Trunk; the rule is what keeps a flow in order, and it also means that a single large flow can never use more than one member link's bandwidth.
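The following is an added example, not code from the Huawei course or from VRP, that models the two points made above: how an Eth-Trunk picks one member link per data flow according to the configured load-balancing mode, and how static LACP M:N mode keeps N backup links that take over, in priority order, when an active link fails. The fold-and-modulo hash is an illustrative assumption (Huawei's per-platform hash is not documented on this page); the interface names, the sample flow and the "lower number means higher LACP priority" convention are likewise assumptions made for the example.

```python
# Added example (not from the Huawei course): Eth-Trunk member-link selection
# per flow, plus static LACP M:N active/backup behaviour.
# Assumptions: the hash is illustrative only; interface names, the sample flow
# and the priority convention (lower value = higher priority) are made up here.
from dataclasses import dataclass
import ipaddress

LOAD_BALANCE_MODES = ("src-mac", "dst-mac", "src-dst-mac",
                      "src-ip", "dst-ip", "src-dst-ip")


@dataclass
class Member:
    name: str
    lacp_priority: int   # lower value wins an "active" slot (assumed convention)
    up: bool = True      # physical link state


class EthTrunk:
    def __init__(self, members, max_active, mode="src-dst-mac"):
        if mode not in LOAD_BALANCE_MODES:
            raise ValueError(f"unsupported load-balancing mode: {mode}")
        self.members = list(members)
        self.max_active = max_active   # M in "M:N"; remaining up links are the N backups
        self.mode = mode

    def _up_by_priority(self):
        return sorted((m for m in self.members if m.up),
                      key=lambda m: (m.lacp_priority, m.name))

    def active_members(self):
        """The M highest-priority links that are up forward traffic."""
        return self._up_by_priority()[: self.max_active]

    def backup_members(self):
        """Up links beyond the first M stay idle until an active link fails."""
        return self._up_by_priority()[self.max_active:]

    def _flow_key(self, frame):
        """Select the header fields that the configured mode hashes on."""
        smac = int(frame["smac"].replace(":", ""), 16)
        dmac = int(frame["dmac"].replace(":", ""), 16)
        sip = int(ipaddress.ip_address(frame["sip"]))
        dip = int(ipaddress.ip_address(frame["dip"]))
        return {
            "src-mac": smac, "dst-mac": dmac, "src-dst-mac": smac ^ dmac,
            "src-ip": sip, "dst-ip": dip, "src-dst-ip": sip ^ dip,
        }[self.mode]

    def select(self, frame):
        """Return the name of the member link that carries this frame."""
        active = self.active_members()
        if not active:
            raise RuntimeError("Eth-Trunk is down: no active member links")
        key = self._flow_key(frame)
        folded = 0
        while key:                 # fold the (48- or 128-bit) key down to 16 bits
            folded ^= key & 0xFFFF
            key >>= 16
        # Same key -> same index -> same link: this is what keeps a flow in order.
        return active[folded % len(active)].name


if __name__ == "__main__":
    # Constructed 2:2 trunk: two active links, two backups.
    links = [Member("GE0/0/1", 100), Member("GE0/0/2", 100),
             Member("GE0/0/3", 200), Member("GE0/0/4", 200)]
    trunk = EthTrunk(links, max_active=2)
    flow = {"smac": "00:11:22:33:44:55", "dmac": "66:77:88:99:aa:bb",
            "sip": "10.0.0.1", "dip": "10.0.1.1"}
    print("active:", [m.name for m in trunk.active_members()])
    print("flow carried on:", trunk.select(flow))
    links[0].up = False            # simulate failure of the first active link
    print("after failure:", [m.name for m in trunk.active_members()])
```

Calling select() repeatedly for the same flow always returns the same link, while a failure of an active member promotes the highest-priority backup and re-hashes flows over the new active set.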
Link aggregation is established using the interface eth-trunk <trunk-id> command. This command creates an Eth-Trunk interface and enters the Eth-Trunk interface view. The trunk-id uniquely identifies the Eth-Trunk and can be any integer from 0 through 63. If the specified Eth-Trunk already exists, the same command enters its interface view directly. An Eth-Trunk can only be deleted if it contains no member interfaces.

The following constraints apply when adding interfaces to an Eth-Trunk:

Member interfaces of a layer 2 Eth-Trunk must be layer 2 interfaces, and member interfaces of a layer 3 Eth-Trunk must be layer 3 interfaces.
An Eth-Trunk supports a maximum of eight member interfaces.
A member interface cannot have any service or static MAC address configured.
Interfaces added to an Eth-Trunk should be hybrid interfaces (the default interface type).
An Eth-Trunk cannot have other Eth-Trunk interfaces as member interfaces.
An Ethernet interface can belong to only one Eth-Trunk; to move it to another Eth-Trunk, it must first be removed from the current one.
Member interfaces of an Eth-Trunk must be of the same type; for example, a Fast Ethernet interface and a Gigabit Ethernet interface cannot be added to the same Eth-Trunk.
The peer interface directly connected to a member interface of the local Eth-Trunk must also be added to an Eth-Trunk on the peer device, otherwise the two ends cannot communicate.
When member interfaces have different rates, the interfaces with lower rates may become congested and packet loss may occur.
After an interface is added to an Eth-Trunk, MAC address learning is performed by the Eth-Trunk rather than by the member interfaces.
In order to configure layer 3 link aggregation on an Ethernet trunk link, it is necessary to change the trunk from layer 2 to layer 3 using the undo portswitch command in the Eth-Trunk interface view. Once the undo portswitch command has been executed, an IP address can be assigned to the logical interface and the physical member interfaces that are to be associated with the Ethernet trunk link can be added.
Using the display interface eth-trunk <trunk-id> command it is possible to confirm the successful implementation of link aggregation between the two peering devices. The command can also be used to collect traffic statistics and locate faults on the interface. A current state of UP signals that the interface is operating normally. Where the interface shows as DOWN, an error has occurred at the physical layer, whereas an Administratively DOWN state reflects that the shutdown command has been used on the interface. The specific cause of a failure can be discovered by verifying the status of the member ports, all of which are expected to show an UP status. Load balancing is supported when the weight of all links is considered equal.
1. A Fast Ethernet interface and a Gigabit Ethernet interface cannot be added to the same Eth-Trunk; any attempt to establish member links of different types results in an error stating that the trunk has added a member of another port type. It should be noted that the S5700 series switch supports Gigabit Ethernet interfaces only, but this behavior applies to other models, including the S3700 switch.

2. Only the static LACP mode is capable of supporting backup member links, and it should therefore be used if backup links are required.
As local networks expand, traffic increases and broadcasts become more common. There are no real boundaries within such an expanding network, so interruptions and growing bandwidth utilization occur. Traditionally, the alternative was to implement a layer 3 device within the local network to separate broadcast domains; however, doing so incurred additional expense, and the forwarding behavior of such devices did not provide the throughput achieved by switches, leading to bottlenecks at transit points between broadcast domains.
VLAN technology was introduced to enable traffic isolation at the data link layer. VLAN technology has the added advantage of providing traffic isolation without the limitation of physical boundaries. Users can be physically dispersed but still be associated as part of a single broadcast domain, logically isolating them from other user groups at the data link layer. Today VLAN technology is applied as a solution to a variety of challenges.
VLAN frames are identified using a tag header that is inserted into the Ethernet frame as a means of distinguishing a frame associated with one VLAN from frames of another. The VLAN tag consists of a Tag Protocol Identifier (TPID) and the associated Tag Control Information (TCI). The TPID identifies the frame as a tagged frame; the value 0x8100 identifies the IEEE 802.1Q tag format, which is the only tag format covered here. The TCI contains the fields associated with the tag. The Priority Code Point (PCP) is a traffic classification field used to differentiate one form of traffic from another so that traffic can be prioritized, generally by class such as voice, video or data. It is a three-bit value with a range of 0 to 7, and can be understood in terms of the general IEEE 802.1p class of service (CoS) principles. The Drop Eligibility Indicator (DEI) is a single bit, either true or false, that determines whether a frame is eligible for discarding in the event of congestion. The VLAN ID indicates the VLAN with which the frame is associated and is a 12-bit value. VLAN ID values range from 0x000 through 0xFFF; the lowest (0x000) and highest (0xFFF) values are reserved, leaving 4094 usable VLAN IDs (1 to 4094). Huawei's VRP implementation of VLANs uses VLAN 1 as the default VLAN (PVID), in line with the IEEE 802.1Q standard.
VLAN links can be classified into two types: access links and trunk links. An access link is the link between an end system and a switch participating in VLAN tagging; the links between host terminals and switches are all access links. A trunk link is a link over which VLAN-tagged frames are carried; the links between switches are generally trunk links.
Each interface of a device participating in VLAN tagging is associated with a VLAN. The default VLAN for the interface is known as the Port VLAN ID (PVID). This value determines the behavior applied to frames received or transmitted over the interface.
Access ports are associated with access links. An untagged frame received on an access port is assigned a VLAN tag equal to the Port VLAN ID (PVID) of the interface. Before a frame is transmitted from an access port, the VLAN tag is removed, since the connected end system is typically not VLAN aware. If a received frame already carries a tag and its VLAN ID differs from the PVID, the frame is not forwarded but discarded. In the example, an untagged frame arrives at the switch interface and is to be forwarded to all other destinations. Upon receiving the frame, the switch associates it with VLAN 10 based on the PVID of the ingress interface. At each egress port the switch compares the PVID with the VLAN of the frame to decide whether the frame can be forwarded. For Host C the PVID matches the VLAN ID in the tag, so the tag is removed and the frame is forwarded. For Host B the frame's VLAN and the PVID differ, so the frame is not forwarded to this destination.
For trunk ports, which are associated with trunk links, the Port VLAN ID (PVID) identifies which frames are forwarded without a VLAN tag and which must carry one. The example shows a trunk interface with a PVID of 10, where it should be assumed that all VLANs are permitted to traverse the trunk link. Only frames associated with VLAN 10 are forwarded without a VLAN tag, based on the PVID. For all other VLANs, a frame must carry its VLAN tag and the VLAN must be permitted on the port before the frame can be transmitted over the trunk link. Frames associated with VLAN 20 are therefore carried as tagged frames over the trunk link.
Hybrid is the default port type on Huawei devices supporting VLAN operation and provides a means of managing the tagging behavior for each VLAN on an interface. Within a hybrid port, each VLAN is handled either as a tagged VLAN or as an untagged VLAN; a port whose VLANs are untagged behaves like an access port, and a port whose VLANs are tagged behaves like a trunk port. Ports handling untagged VLANs generally receive untagged frames from end systems and add a tag to each frame based on the Port VLAN ID (PVID) of the port. One of the key differences is the hybrid port's ability to selectively remove the VLAN tag from frames of VLANs other than the PVID of the port. In the example, Host D is connected to a port with a PVID of 20, which is at the same time configured to remove the tag from frames of VLAN 10, allowing Host D to receive traffic from both VLAN 10 and VLAN 20. Hybrid ports carrying tagged VLANs operate in a similar manner to a regular trunk interface, with one major difference: frames of a VLAN that matches the PVID and is permitted by the port as a tagged VLAN continue to be tagged when forwarded, whereas a trunk port would strip the tag.
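The following is an added example, not code from the Huawei course, that models the ingress and egress decisions of access, trunk and hybrid ports exactly as the three preceding passages describe them, so the Host B, Host C and Host D cases can be checked side by side. A frame is represented only by its VLAN ID (None for an untagged frame); the port names, the sample topology and the VLAN 10/20 assignments are constructed for the example, and the Huawei rule that a PVID not in a trunk's permitted list causes untagged frames to be discarded is assumed.

```python
# Added example (not from the Huawei course): VLAN ingress/egress rules for
# access, trunk and hybrid ports. Frames are modelled by VLAN ID (None = untagged).
# Assumption: port names and the sample VLAN 10/20 topology are constructed here.
from dataclasses import dataclass, field

DISCARD = None


@dataclass
class Port:
    link_type: str                                           # "access", "trunk" or "hybrid"
    pvid: int = 1                                            # default VLAN, 1 as on VRP
    allowed: frozenset = field(default_factory=frozenset)    # trunk: VLANs permitted to pass
    tagged: frozenset = field(default_factory=frozenset)     # hybrid: VLANs sent with a tag
    untagged: frozenset = field(default_factory=frozenset)   # hybrid: VLANs sent tag-stripped

    def __post_init__(self):
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError(f"unknown port link type: {self.link_type}")

    def permitted(self):
        """VLANs the port will accept a frame for."""
        if self.link_type == "access":
            return frozenset({self.pvid})
        if self.link_type == "trunk":
            return self.allowed
        return self.tagged | self.untagged


def ingress(port, vid):
    """VLAN a received frame is placed in, or DISCARD. vid=None means untagged."""
    if vid is None:
        vid = port.pvid                      # untagged frames are tagged with the PVID
    elif port.link_type == "access" and vid != port.pvid:
        return DISCARD                       # access ports drop foreign tagged frames
    return vid if vid in port.permitted() else DISCARD


def egress(port, vid):
    """'untagged', 'tagged', or DISCARD for a frame of VLAN vid leaving the port."""
    if port.link_type == "access":
        return "untagged" if vid == port.pvid else DISCARD
    if port.link_type == "trunk":
        if vid not in port.allowed:
            return DISCARD
        return "untagged" if vid == port.pvid else "tagged"   # only the PVID leaves untagged
    # hybrid: the per-VLAN tagged/untagged lists decide, independently of the PVID
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return DISCARD


def forward(ingress_port, vid, egress_ports):
    """Flood one received frame and report what every other port emits."""
    vlan = ingress(ingress_port, vid)
    if vlan is DISCARD:
        return {}
    return {name: egress(p, vlan) for name, p in egress_ports.items()}


if __name__ == "__main__":
    # Constructed topology matching the course figures: hosts on VLAN 10 and 20,
    # an uplink trunk with PVID 10, and Host D on a hybrid port receiving both VLANs.
    ports = {
        "HostB": Port("access", pvid=20),
        "HostC": Port("access", pvid=10),
        "Trunk": Port("trunk", pvid=10, allowed=frozenset({10, 20})),
        "HostD": Port("hybrid", pvid=20, untagged=frozenset({10, 20})),
    }
    host_a = Port("access", pvid=10)
    print(forward(host_a, None, ports))      # untagged broadcast from Host A (VLAN 10)
```

Running the constructed scenario shows Host B's port discarding the VLAN 10 frame, Host C and Host D receiving it untagged, and the trunk sending it untagged only because 10 is its PVID; a frame from a VLAN 20 host crosses the same trunk tagged. A hybrid port that lists its own PVID as a tagged VLAN emits that VLAN tagged, which is the behaviour that distinguishes it from a trunk port.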
VLAN assignment can be implemented using one of five methods: port based, MAC based, IP subnet based, protocol based and policy based.

The port based method is the default and most common method of VLAN assignment. Using this method, VLANs are classified according to the ports of the switching device. The network administrator configures a Port VLAN ID (PVID), representing the default VLAN ID, for each port. When a frame reaches a port, it is tagged with the PVID if it carries no VLAN tag and the port is configured with a PVID. If the frame already carries a VLAN tag, the switching device does not add another tag, even if the port is configured with a PVID.

Using the MAC address based method, VLANs are classified according to the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. When the switching device receives an untagged frame, it searches the MAC-VLAN table for the VLAN tag to add to the frame according to the frame's source MAC address.

For IP subnet based assignment, upon receiving an untagged frame the switching device adds a VLAN tag based on the IP address in the packet header.

Where VLAN classification is based on protocol, VLAN IDs are allocated to packets received on an interface according to the protocol (suite) type and encapsulation format of the packets. The network administrator configures the mappings between protocol types and VLAN IDs.

Policy based assignment combines criteria such as the IP subnet, port and MAC address, all of which must match before the VLAN is assigned.
The implementation of VLANs begins with the creation of the VLAN on the switch. The vlan <vlan-id> command creates the VLAN and enters the VLAN view for that VLAN, as demonstrated in the configuration example. The VLAN ID ranges from 1 to 4094. Where multiple VLANs need to be created, vlan batch <vlan-id1> to <vlan-id2> creates a contiguous range, and several single IDs or ranges can be given in one vlan batch command separated by spaces; the &<1-4094> notation used in the VRP command reference marks a parameter that may be repeated, and the ampersand itself is not typed. By default all ports belong to VLAN 1, the default VLAN, and forwarding between them is therefore unrestricted until ports are assigned to other VLANs.
  • 46. Once the VLANs have been created, the creation can be verified using the display vlan command. The command allows information about all VLANs to be specified, and if no parameter is specified, brief information about all VLANs is displayed. Additional parameters include display vlan <vlan-id> verbose command, used to display detailed information about a specified VLAN, including the ID, type, description, and status of the VLAN, status of the traffic statistics function, interfaces in the VLAN, and mode in which the interfaces are added to the VLAN. The display vlan <vlan-id> statistics command, allows for the view of traffic statistics on interfaces for a specified VLAN. The display vlan summary command, provides a summary of all VLANs in the system. 39/335 M ore Learning Resources: http://learning.huawei.com /en
  • 47. The configuration of the port link type is performed in the interface view for each interface on a VLAN active switch. The default port link type on Huawei switch devices is hybrid. The port link-type <type> command is used to configure the port link type of the interface where the type can be set as access, trunk or hybrid. A fourth QinQ option exists but is considered outside of the scope of this course. It should also be noted that in the displayed configuration if no port type is displayed, the default hybrid port link type is configured. Prior to changing the interface type, it is also necessary to restore the default VLAN configuration of the interface so that the interface belongs to only the default VLAN 1. 40/335 M ore Learning Resources: http://learning.huawei.com /en
  • 48. The association of a port with a created VLAN can be achieved using two configuration methods, the first of those is to enter the VLAN view and configure the interface to be associated with the VLAN using the port <interface> command. The second means of assigning ports to VLANs involves accessing the interface view for the interface to be added to a VLAN and implement the command port default <vlan-id> where the vlan-id refers to the VLAN to which the port is to be added. 41/335 M ore Learning Resources: http://learning.huawei.com /en
  • 49. The display vlan command can be used to verify the changes made to the configuration and confirm the association of port interfaces with the VLANs to which the ports have been assigned. In the display example port interfaces Gigabit Ethernet 0/0/5 and Gigabit Ethernet 0/0/7 can be identified as being associated with VLANs 2 and 3 respectively. The UT value identifies that the port is considered untagged either through assigning of the port link type as an access port or as an untagged hybrid port. The current state of the link can also be determined as either up (U) or down (D). 42/335 M ore Learning Resources: http://learning.huawei.com /en
  • 50. The assigning of the port link type of trunk interfaces enables the trunk to support the forwarding of VLAN frames for multiple VLANs between switches, however in order for frames to be carried over the trunk interface, permissions must be applied. The port trunk allow-pass vlan <vlan-id> command is used to set the permission for each VLAN, where vlan-id refers to the VLANs to be permitted. It is also necessary that the PVID for the trunk interface be included in the command to enable untagged traffic to be carried over the trunk link. The example demonstrates the changing of the default Port VLAN ID (PVID) for the interface to 10 and the applying of permission for VLANs 2 and 3 over the trunk link. In this case, any frames associated with VLAN 10 will not be carried over the trunk even though VLAN 10 is now the default VLAN for the trunk port. The command port trunk allow-pass vlan all can be used to allow all VLANs to traverse the trunk link. 43/335 M ore Learning Resources: http://learning.huawei.com /en
  • 51. The changes to the VLAN permissions can again be monitored through the display vlan command, for which the application of VLANs over the trunk link are reflected. The TG value identifies that VLANs have been associated with a tagged interface either over a trunk or tagged hybrid port interface. In the display example, VLANs 2 and 3 have been given permission to traverse the tagged interface Gigabit Ethernet 0/0/1, an interface that is currently active. 44/335 M ore Learning Resources: http://learning.huawei.com /en
  • 52. Hybrid port configuration represents the default port type on switch port interfaces and therefore the command port link-type hybrid is generally only necessary when converting the port link type from an access or a trunk port link type. Each port however may require to be associated with a default Port VLAN ID (PVID) over which frames are required to be either tagged or untagged. The port hybrid pvid vlan <vlan-id> command enables the default PVID to be assigned on a port by port basis following which it is also necessary to associate the forwarding behavior for a given port. For ports that are to operate as access ports, this is achieved using the port hybrid untagged vlan<vlan-id> command. It should be clearly noted that the use of this command multiple times under the same interface view shall result in the interface being associated with all VLANs specified, with the associated VLAN frames being untagged before forwarding. The undo port hybrid vlan command can be used restore the default VLAN setting of VLAN1 and return to the default untagged mode. 45/335 M ore Learning Resources: http://learning.huawei.com /en
  • 53. For ports that are to operate as trunk ports, the port hybrid tagged vlan <vlan- id> command is used. It should be clearly noted that the use of this command multiple times under the same interface view shall result in the interface being associated with all VLANs specified, with the associated VLAN frames being tagged before forwarding. In the example the hybrid port interface Gigabit Ethernet 0/0/1 is expected to tag all frames that are associated with VLANs 2 and 3 before such frames are forwarded over the interface. 46/335 M ore Learning Resources: http://learning.huawei.com /en
  • 54. Through the display vlan command, the results of the tagged and untagged hybrid port configuration can be verified. Interface Gigabit Ethernet 0/0/7 has been established as a VLAN 2 untagged interface, while interface Gigabit Ethernet 0/0/5 has been established as an untagged interface associated with VLAN 3. In terms of both VLAN 2 and VLAN 3, frames associated with either VLAN will be carried as a tagged frame over interface Gigabit Ethernet 0/0/1. 47/335 M ore Learning Resources: http://learning.huawei.com /en
  • 55. Switch port interfaces can use the port hybrid untagged vlan <vlan-id> [to <vlan-id>] command to apply the untagged behavior on a port interface for multiple VLANs in a single batch command. This behavior enables hybrid interfaces to permit the untagged forwarding of traffic from multiple VLANs to a given end system. All traffic forwarded from the end system is associated with the PVID assigned to the port and tagged respectively. 48/335 M ore Learning Resources: http://learning.huawei.com /en
  • 56. The command port hybrid untagged vlan 2 to 3 on interface Gigabit Ethernet 0/0/4 results in the interface applying untagged behavior to both VLAN 2 and VLAN 3. This means that any traffic forwarded from a host associated with either VLAN, to an end system associated with interface Gigabit Ethernet 0/0/4, can be successfully received. 49/335 M ore Learning Resources: http://learning.huawei.com /en
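The access, trunk and hybrid tagging rules described on slides 47 to 56, modelled in Python as an added example that is not part of the Huawei course material. The Frame and Port classes, the host MAC addresses and the port set-up (access ports in VLANs 2 and 3, a trunk with PVID 10 permitting VLANs 2 and 3, a hybrid port untagged for VLANs 2 to 3) are assumptions chosen to mirror the slide examples:

```python
"""Tagging behavior of Huawei access, trunk and hybrid ports (added example,
not code from the Huawei course). The rules follow the slides: an untagged
frame takes the PVID, a tagged frame keeps its tag, a trunk carries only the
VLANs in its allow-pass list (the PVID VLAN untagged, the rest tagged), and a
hybrid port sends its 'untagged' VLANs untagged and its 'tagged' VLANs tagged.
The Frame/Port classes, port names and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Frame:
    src_mac: str
    vlan: Optional[int] = None   # None: the frame carries no 802.1Q tag


@dataclass
class Port:
    name: str
    link_type: str = "hybrid"    # Huawei default port link type
    pvid: int = 1                # every port starts in VLAN 1
    allow_pass: Set[int] = field(default_factory=lambda: {1})   # trunk only
    untagged: Set[int] = field(default_factory=lambda: {1})     # hybrid only
    tagged: Set[int] = field(default_factory=set)               # hybrid only

    def members(self) -> Set[int]:
        """VLANs this port is a member of, according to its link type."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.allow_pass)
        return self.untagged | self.tagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means it is dropped."""
        # Untagged frames are marked with the PVID; a frame that already
        # carries a tag keeps it even though the port has a PVID (slide 44).
        vid = self.pvid if frame.vlan is None else frame.vlan
        return vid if vid in self.members() else None

    def egress(self, vid: int, src_mac: str) -> Optional[Frame]:
        """Build the frame as it leaves this port, or None if not carried."""
        if vid not in self.members():
            return None      # e.g. trunk PVID 10 missing from allow-pass (slide 50)
        if self.link_type == "access":
            return Frame(src_mac, None)
        if self.link_type == "trunk":
            # the PVID VLAN leaves untagged, every other permitted VLAN tagged
            return Frame(src_mac, None if vid == self.pvid else vid)
        return Frame(src_mac, None if vid in self.untagged else vid)


def forward(frame: Frame, in_port: Port, out_port: Port) -> Optional[Frame]:
    """Switch a frame from in_port to out_port; None if dropped on either side."""
    vid = in_port.ingress(frame)
    if vid is None:
        return None
    return out_port.egress(vid, frame.src_mac)


# Constructed topology mirroring the slides: access ports for the hosts, a
# trunk towards the neighbouring switch (PVID 10, VLANs 2 and 3 permitted) and
# a hybrid port that delivers VLANs 2 and 3 untagged to one end system.
GE5 = Port("GigabitEthernet0/0/5", "access", pvid=2)
GE7 = Port("GigabitEthernet0/0/7", "access", pvid=3)
GE1 = Port("GigabitEthernet0/0/1", "trunk", pvid=10, allow_pass={2, 3})
GE4 = Port("GigabitEthernet0/0/4", "hybrid", pvid=2, untagged={2, 3})

if __name__ == "__main__":
    host_a = Frame("00e0-fc00-0001")                       # untagged host frame
    print(forward(host_a, GE5, GE1))                        # VLAN 2, tagged on trunk
    print(GE1.egress(10, host_a.src_mac))                   # None: VLAN 10 not permitted
    print(forward(Frame("00e0-fc00-0002", 3), GE1, GE4))    # untagged out of GE0/0/4
```

Running the block shows the slide 50 pitfall directly: an untagged frame arriving on the trunk is classified into PVID 10 and dropped because VLAN 10 is not in the allow-pass list.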
• 57. The growth of IP convergence has seen the integration of multiple technologies, allowing High Speed Internet (HSI), Voice over IP (VoIP) and Internet Protocol Television (IPTV) services to be carried over a common Ethernet and TCP/IP network. These technologies originate in networks with different forwarding behavior. VoIP originates from circuit switched network technologies, in which a fixed circuit is established between source and destination, creating a dedicated path that ensures voice signals arrive with little delay and in first-in-first-out order. High Speed Internet operates over a packet switched network involving contention and packet forwarding with no guarantee of orderly delivery, for which packet re-sequencing is often necessary. Guaranteeing that technologies originating from the circuit switched concept can function over packet switched networks has brought new challenges, in particular ensuring that the network can differentiate voice data from other data. The solution involves isolating VoIP traffic in a separate VLAN and assigning it a higher priority to ensure voice quality. Special voice VLANs can be configured on the switch, which allow the switch to assign a pre-configured VLAN ID and a higher priority to VoIP traffic.
• 58. Configuration of the voice VLAN involves enabling the function on a specified VLAN using the voice-vlan <vlan-id> enable command. The voice VLAN can be any VLAN between 2 and 4094. The voice-vlan mode <mode> command specifies the working mode by which a port interface is added to the voice VLAN; by default this occurs automatically, but it can also be done manually. The voice-vlan mac-address <mac-address> mask <mask> command allows voice packets originating from an IP phone to be identified by their Organizationally Unique Identifier (OUI) and associated with the voice VLAN, ultimately so that a higher priority can be given to voice traffic.
• 59. The display voice-vlan status command shows voice VLAN information, including the status, security mode, aging time and the interfaces on which the voice VLAN function is enabled. The status indicates whether the voice VLAN is currently enabled or disabled. The security mode is one of two modes, normal or security. In normal mode, an interface enabled with the voice VLAN transmits both voice data and service data, but remains vulnerable to attacks by invalid packets. It is generally used when multiple services (HSI, VoIP and IPTV) are carried to a Layer 2 network through one interface, so that the interface transmits both voice data and service data. In security mode, an interface enabled with the voice VLAN checks whether the source MAC address of each packet entering the voice VLAN matches a configured OUI. It is applied where the voice VLAN interface transmits ONLY voice data. The security mode protects the voice VLAN against attacks by invalid packets; however, checking packets occupies system resources. The Legacy option determines whether the interface can communicate with voice devices of other vendors; an enabled interface permits this communication. The Add-Mode shows the working mode of the voice VLAN. In auto mode, an interface is automatically added to the voice VLAN after the voice VLAN function is enabled on the interface: the switch adds the interface connected to a voice device to the voice VLAN if the source MAC address of the packets sent from the voice device matches the OUI, and automatically removes the interface if it receives no voice data packets from the voice device within the aging time. In manual mode, an interface must be added to the voice VLAN manually after the voice VLAN function is enabled on the interface.
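The OUI check that separates normal mode from security mode on slide 59, written as an added Python example rather than Huawei code. The OUI table holds the (mac, mask) pairs that the voice-vlan mac-address ... mask ... command of slide 58 would configure; the vendor prefix 0011-2200-0000 is constructed, and the 24-bit mask ffff-ff00-0000 is assumed as the usual default:

```python
"""Voice VLAN admission in normal versus security mode (added example, not
Huawei code). In security mode only frames whose source MAC matches a
configured OUI entry under its mask enter the voice VLAN; in normal mode
voice and service data both pass without a source check. MAC strings use
Huawei's hhhh-hhhh-hhhh notation; colon-separated input is also accepted.
The OUI table below is constructed and the default mask is assumed."""
from typing import Iterable, Tuple


def mac_to_int(mac: str) -> int:
    """Parse a 12-hex-digit MAC address (dash or colon separated) to an int."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address {mac!r}")
    return int(digits, 16)


def matches_oui(src_mac: str, oui_table: Iterable[Tuple[str, str]]) -> bool:
    """True if src_mac equals some configured mac on the bits set in its mask."""
    src = mac_to_int(src_mac)
    return any(src & mac_to_int(mask) == mac_to_int(mac) & mac_to_int(mask)
               for mac, mask in oui_table)


def voice_vlan_admit(src_mac: str, mode: str,
                     oui_table: Iterable[Tuple[str, str]]) -> bool:
    """Decide whether a frame entering the voice VLAN is accepted.
    normal:   voice and service data both pass (no source MAC check)
    security: only frames whose source MAC matches a configured OUI pass"""
    if mode == "normal":
        return True
    if mode == "security":
        return matches_oui(src_mac, oui_table)
    raise ValueError(f"unknown voice VLAN security mode {mode!r}")


# Constructed OUI table: one IP phone vendor prefix with the (assumed) default
# 24-bit mask, as voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 would set.
OUI_TABLE = [("0011-2200-0000", "ffff-ff00-0000")]

if __name__ == "__main__":
    for mac in ("0011-2233-4455", "0011-3300-0001"):
        print(mac, "normal:", voice_vlan_admit(mac, "normal", OUI_TABLE),
              "security:", voice_vlan_admit(mac, "security", OUI_TABLE))
```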
• 60. 1. The PVID on a trunk link defines only the tagging behavior that will be applied at the trunk interface. If the port trunk allow-pass vlan 2 3 command is used, only frames associated with VLAN 2 and VLAN 3 will be forwarded over the trunk link. 2. An access port configured with a PVID of 2 will tag all received untagged frames with a VLAN 2 tag. This tag is used by the switch to determine whether a frame can be forwarded via other access interfaces or carried over a trunk link.
• 65. The Generic Attribute Registration Protocol (GARP) is the architecture that enables the registration, deregistration and propagation of attributes between switches. GARP is not an entity in itself; instead it is employed by GARP applications such as GVRP to provide a framework within which the rules of operation are supported. Interfaces associated with GARP applications are considered GARP participants. The primary application of GARP is to allow greater efficiency in the management of multiple switches in medium to large networks. In general, the maintenance of multiple switches can become a huge burden on administrators when configuration details, for example, must be applied manually to each active switch. GARP helps to automate this process for any application able to employ this capability. GARP generally relies on the spanning tree protocol to define an active topology for propagation; however, GVRP can run only within the Common and Internal Spanning Tree (CIST).
• 66. PDUs are sent from a GARP participant with the multicast MAC address 01-80-C2-00-00-21 as the destination MAC address. When a device receives a packet from a GARP participant, it identifies the packet by its destination MAC address and delivers it to the corresponding GARP participant (such as GVRP). GARP uses messages within the PDU to define attributes, identified by an attribute type field and an attribute list. The list contains multiple attributes of the specific attribute type, and each attribute is described through attribute length, attribute event and attribute value fields. The attribute length can be anywhere from 2 to 255 bytes, the value specifies a particular value for the attribute, and the event is one of the events that GARP supports, represented by a numeric value: 0: LeaveAll, 1: JoinEmpty, 2: JoinIn, 3: LeaveEmpty, 4: LeaveIn, and 5: Empty.
• 67. When a GARP participant expects other devices to register its attributes, it sends Join messages to them. When a GARP participant receives a Join message from another participant, or is statically configured with attributes, it also sends Join messages to other devices so that they register the new attributes. Join messages are classified into JoinEmpty and JoinIn messages: JoinEmpty messages declare an unregistered attribute, whereas JoinIn messages declare a registered attribute.
• 68. When a GARP participant expects other devices to deregister its attributes, it sends Leave messages to them. When a GARP participant receives a Leave message from another participant, or some of its attributes are statically deregistered, it also sends Leave messages to other devices. Leave messages are classified into LeaveEmpty and LeaveIn messages: LeaveEmpty messages deregister an unregistered attribute, whereas LeaveIn messages deregister a registered attribute.
• 69. LeaveAll messages are sent when a GARP participant wishes to request that other GARP participants deregister all of the sender's attributes. The Join, Leave and LeaveAll messages together control the registration and deregistration of attributes. Through GARP messages, all attributes that need to be registered are propagated to all GARP-enabled devices on the same LAN.
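A builder and parser for the GARP PDU layout described on slides 66 to 69, carrying GVRP VLAN attributes, as an added Python example that is not Huawei code. The attribute length/event/value fields and the event codes 0 to 5 are as given on slide 66; the 0x0001 protocol ID, the 0x00 end marks and GVRP's attribute type 1 (a 16-bit VLAN ID) come from IEEE 802.1D/802.1Q and are assumed here, and the sample PDU is constructed:

```python
"""GARP PDU encoding and decoding for GVRP (added example, not Huawei code).
Layout assumed from IEEE 802.1D: protocol ID 0x0001, then messages made of an
attribute type byte and an attribute list, where each attribute is
length (includes the length and event bytes), event, value; a 0x00 end mark
closes each list and the PDU. Event codes are those listed on the slide."""
import struct
from typing import Dict, List, Tuple

GARP_DEST_MAC = "01-80-c2-00-00-21"   # multicast destination used by GARP PDUs
GARP_PROTOCOL_ID = 0x0001
GVRP_ATTR_VID = 0x01                  # GVRP attribute type: VLAN identifier
END_MARK = 0x00

EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


def build_gvrp_pdu(attributes: List[Tuple[int, int]]) -> bytes:
    """Encode (event, vlan_id) pairs as one GVRP message inside a GARP PDU.
    A LeaveAll attribute (event 0) carries no value, so its length is 2."""
    body = bytearray(struct.pack("!H", GARP_PROTOCOL_ID))
    body.append(GVRP_ATTR_VID)                    # attribute type of this message
    for event, vid in attributes:
        if event not in EVENTS:
            raise ValueError(f"unknown GARP event {event}")
        if event == 0:
            body += bytes([2, event])             # length 2: length + event only
        else:
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID {vid}")
            body += bytes([4, event]) + struct.pack("!H", vid)
    body.append(END_MARK)                         # end of the attribute list
    body.append(END_MARK)                         # end of the message list
    return bytes(body)


def parse_garp_pdu(pdu: bytes) -> List[Dict]:
    """Decode a GARP PDU into a list of attributes with named events.
    A length below 2 or running past the PDU is rejected, not skipped."""
    if len(pdu) < 2 or struct.unpack("!H", pdu[:2])[0] != GARP_PROTOCOL_ID:
        raise ValueError("not a GARP PDU")
    out: List[Dict] = []
    i = 2
    while i < len(pdu) and pdu[i] != END_MARK:    # one message per attribute type
        attr_type = pdu[i]
        i += 1
        while i < len(pdu) and pdu[i] != END_MARK:
            length = pdu[i]
            if length < 2 or i + length > len(pdu):
                raise ValueError(f"bad attribute length {length} at offset {i}")
            event = pdu[i + 1]
            value = pdu[i + 2:i + length]
            entry = {"type": attr_type,
                     "event": EVENTS.get(event, f"unknown({event})")}
            if attr_type == GVRP_ATTR_VID and len(value) == 2:
                entry["vlan"] = struct.unpack("!H", value)[0]
            else:
                entry["value"] = value.hex()      # LeaveAll has an empty value
            out.append(entry)
            i += length
        i += 1                                    # skip the attribute-list end mark
    return out


if __name__ == "__main__":
    # Constructed PDU: VLAN 2 declared as registered (JoinIn), VLAN 3 declared
    # but not registered (JoinEmpty), followed by a LeaveAll.
    pdu = build_gvrp_pdu([(2, 2), (1, 3), (0, 0)])
    print(pdu.hex())
    for attr in parse_garp_pdu(pdu):
        print(attr)
```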
• 70. GVRP is an application of GARP. Based on the working mechanism of GARP, GVRP maintains dynamic VLAN registration information in a device and propagates the registration information to other devices. After GVRP is enabled on a switch, it can receive VLAN registration information from other devices and dynamically update its local VLAN registration information. VLAN registration information includes which VLAN members are on the VLAN and through which interfaces their packets can be sent to the switch. The switch can also send its local VLAN registration information to other devices. Through this exchange of VLAN registration information, all devices on the same LAN maintain the same VLAN information. The VLAN registration information transmitted through GVRP contains both static local registration information that is manually configured and dynamic registration information learned from other devices.
• 71. A VLAN can be registered on a device either statically or dynamically. A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a dynamic VLAN. The way in which registration is performed depends on the registration mode that has been configured. Three registration modes can be set: normal, fixed and forbidden.
• 72. In the normal registration mode, the GVRP interface can dynamically register and deregister VLANs, and transmit both dynamic VLAN registration information and static VLAN registration information.
• 73. In the fixed mode, the GVRP interface is restricted from dynamically registering and deregistering VLANs and can transmit only the static registration information. If the registration mode of a trunk interface is set to fixed, the interface allows only the manually configured VLANs to pass, even if it is configured to allow all VLANs to pass.
• 74. In the forbidden mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode of a trunk interface is set to forbidden, the interface allows only VLAN 1 to pass even if it is configured to allow all VLANs to pass.
• 75. The configuration of GVRP requires that the protocol first be enabled in the system view before it can be applied in the interface view. The gvrp command enables GVRP on the device. Once an interface has been configured to operate as part of the VLAN, GVRP can be applied to the interface using the gvrp command in the interface view. The registration mode can also be set using the gvrp registration <mode> command, where the mode may be normal, fixed or forbidden. The registration mode is normal by default.
• 76. Verifying the GVRP configuration involves the display gvrp status command, which simply identifies whether GVRP has been enabled on the device. The display gvrp statistics command provides more information regarding the configuration of each interface (participant) currently active in GVRP. From the example it is possible to identify the current status of GVRP on the interface and also the registration type that has been defined for the interface.
• 77. 1. The normal registration mode is used by default. 2. The ports for the links between each of the devices supporting GVRP must be established as VLAN trunk ports in order to allow the VLAN information to be propagated.
• 82. The general principle of VLAN implementation is to isolate networks as a means of minimizing the size of the broadcast domain; in doing so, however, many users are cut off from users in other VLANs, and layer three (IP) communication must be established in order for those broadcast domains to communicate again through reachable routes. A layer three switch offers an ideal means of supporting VLAN routing whilst reducing operating costs. One constraint of VLAN routing, however, is the need for strict IP address management. Generally the VLAN routing principle is applicable to small scale networks on which users belong to different network segments and user IP addresses are seldom changed.
• 83. After VLANs are configured, hosts in different VLANs are unable to communicate directly with each other at Layer 2. It is therefore necessary to facilitate communication by creating routes between VLANs. There are two main methods by which this is achieved. The first relies on a router connected to the layer 2 switch; VLAN communication is routed through the router before being forwarded to the intended destination. This may be over separate physical links, which leads to port wastage and extra link utilization, or via a single physical interface as shown in the example. The second method relies on a layer 3 switch that performs the operation of both the switch and the router in one device, as a more cost effective mechanism.
• 84. In order to allow communication over a single trunk interface, it is necessary to logically segment the physical link using sub-interfaces. Each sub-interface represents a logical link for the forwarding of one VLAN's traffic, which the router then routes via other logical sub-interfaces to other VLAN destinations. Each sub-interface must be assigned an IP address in the same network segment as the VLAN it is created for, as well as 802.1Q encapsulation so that traffic can be associated with its VLAN as it is routed between VLANs. It is also necessary to configure the Ethernet port of the switch that connects to the router as either the trunk or the hybrid link type, and to allow frames of the associated VLANs (VLAN 2 and VLAN 3 in this case) to pass.
• 85. The trunk link between the switch and the router must be established to carry traffic for multiple VLANs, using the port link-type trunk or port link-type hybrid command together with the port trunk allow-pass vlan 2 3 or port hybrid tagged vlan 2 3 command respectively. Once the trunk is established, the VLAN sub-interfaces must be implemented to allow the logical forwarding of traffic between VLANs over the trunk link.
• 86. The sub-interface on a router is defined using the interface <interface-type interface-number.sub-interface-number> command, where the sub-interface number represents the logical channel within the physical interface. The dot1q termination vid <vlan-id> command performs two specific functions. When the sub-interface receives a VLAN tagged packet, it first removes the VLAN tag and forwards the packet via layer three routing. For packets being sent out, the sub-interface adds a tag to the frame before sending it, in accordance with the VLAN and IP settings of the router's logical interface. Finally, the arp-broadcast enable command is applied to each logical interface. This is necessary because the capability for ARP to broadcast on sub-interfaces is not enabled by default. If ARP broadcasts remain disabled on the sub-interface, the router directly discards packets; the route to the sub-interface is effectively a blackhole route in these cases, since the packet is lost without trace. If ARP broadcasts are enabled on the sub-interface, the system can construct a tagged ARP broadcast packet and send it from the sub-interface.
• 87. Following the configuration of VLAN routing between VLAN 2 and VLAN 3, the ping application can be used to verify reachability. The example demonstrates how Host A (192.168.2.2) in VLAN 2 is capable of reaching Host B (192.168.3.2) in VLAN 3. The TTL reflects that the packet has traversed the router to reach the destination in VLAN 3.
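The router-side behaviour of slides 84 to 87 (dot1q termination on sub-interfaces, the ARP broadcast blackhole, and the TTL decrement the ping on slide 87 shows), modelled in Python as an added example that is not Huawei code. The host and gateway addresses follow the slide example (192.168.2.x in VLAN 2, 192.168.3.x in VLAN 3); the Packet and SubInterface classes, the sub-interface names and the gateway addresses .1 are assumptions:

```python
"""Router-on-a-stick forwarding between 802.1Q sub-interfaces (added example,
not Huawei code). Each sub-interface terminates one VLAN ID: an arriving tagged
packet has its tag removed and is routed at layer 3; the outgoing sub-interface
re-tags it with its own VLAN. A sub-interface without arp-broadcast enabled
cannot resolve the next hop, so the packet is silently discarded (blackhole).
Classes, names and the .1 gateway addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Iterable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    vlan: Optional[int] = None   # 802.1Q tag on the wire, None when untagged


@dataclass
class SubInterface:
    name: str                    # e.g. GigabitEthernet0/0/1.2 (constructed)
    ip: IPv4Interface            # address inside the VLAN's own segment
    termination_vid: int         # dot1q termination vid <vlan-id>
    arp_broadcast: bool = False  # arp-broadcast enable; off by default


class Router:
    def __init__(self, subifs: Iterable[SubInterface]):
        self.subifs: Dict[int, SubInterface] = {s.termination_vid: s for s in subifs}

    def route(self, pkt: Packet) -> Optional[Packet]:
        """Receive a tagged packet on the trunk and return it re-tagged for the
        destination VLAN, or None if it is discarded."""
        in_sub = self.subifs.get(pkt.vlan)
        if in_sub is None:
            return None                      # no sub-interface terminates this VID
        # dot1q termination: strip the tag, then route the bare IP packet
        untagged = Packet(pkt.src, pkt.dst, pkt.ttl, None)
        dst = IPv4Address(untagged.dst)
        out_sub = next((s for s in self.subifs.values() if dst in s.ip.network), None)
        if out_sub is None or untagged.ttl <= 1:
            return None                      # no connected route, or TTL exhausted
        if not out_sub.arp_broadcast:
            return None                      # cannot ARP on the sub-interface: blackhole
        # re-tag for the egress VLAN; TTL drops by one for the router hop
        return Packet(untagged.src, untagged.dst, untagged.ttl - 1,
                      out_sub.termination_vid)


# Constructed routers: R1 is fully configured, R1_NOARP lacks arp-broadcast
# enable on the VLAN 3 sub-interface, reproducing the slide 86 failure mode.
R1 = Router([
    SubInterface("GigabitEthernet0/0/1.2", IPv4Interface("192.168.2.1/24"), 2, True),
    SubInterface("GigabitEthernet0/0/1.3", IPv4Interface("192.168.3.1/24"), 3, True),
])
R1_NOARP = Router([
    SubInterface("GigabitEthernet0/0/1.2", IPv4Interface("192.168.2.1/24"), 2, True),
    SubInterface("GigabitEthernet0/0/1.3", IPv4Interface("192.168.3.1/24"), 3, False),
])

if __name__ == "__main__":
    ping = Packet("192.168.2.2", "192.168.3.2", 64, 2)   # Host A to Host B
    print(R1.route(ping))          # tagged VLAN 3, TTL 63
    print(R1_NOARP.route(ping))    # None: discarded on the VLAN 3 sub-interface
```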
  • 88. The implementation of L3 switches brings about benefits to the process of VLAN routing that are not possible through the use of a router. One of those features is the ability to forward VLAN traffic with very little delay due to support of what is known as line speed forwarding as a result of bottom layer ASIC chips that allow traffic to be forwarded based on hardware rather than software. Along with this is the fact that a single device is used with no trunk link that may otherwise face congestion under heavy traffic loads. VLAN routing when using a layer 3 switch relies on the implementation of VLAN interfaces (VLANIF). If multiple users on a network belong to different VLANs, each VLAN requires a VLANIF that acts as the VLAN gateway and so must associate with an IP address relevant to the network of the VLAN. If a large number of VLANs exist however, this can tally up to a large number of IP addresses being required to support each VLANIF, as well as the hosts that are part of the VLAN with which the VLANIF is associated. Through the VLANIF, routing between different VLANs can be supported. 81/335 M ore Learning Resources: http://learning.huawei.com /en
  • 89. Configuration of VLAN routing on a switch operating at layer 3 requires that the VLANs be initially created and the interfaces be assigned to those respective VLANS. The configuration follows the principles for configuration of VLANs covered as part of the VLAN principles. This involves defining the port link-type for each port and the PVID that is associated with each port interface. 82/335 M ore Learning Resources: http://learning.huawei.com /en
  • 90. Configuration of VLAN routing is implemented by creating VLAN interfaces that are to operate as gateway interfaces for each VLAN within the layer 3 switch. Entering the VLANIF view is achieved via the interface vlanif <vlan-id> command, where the vlan-id refers to the associated VLAN. The IP address for the interface should be in the same network segment as the hosts. This IP address shall represent the gateway for the hosts and support the inter-VLAN communication. 83/335 M ore Learning Resources: http://learning.huawei.com /en
  • 91. 1. The dot1q termination vid <vlan-id> command is used to perform two specific functions. Where a port receives a VLAN packet, it will initially remove the VLAN tag from the frame and forward this packet via layer 3 routing. For packets being sent out, the port adds a tag to the packet before sending it out, in accordance with the respective VLAN and IP settings for the routers logical interface. 2. The switch must be configured to allow frames carried over the switch/router medium to be tagged, either through the use of the trunk command or using tagged hybrid interfaces. Additionally the VLAN traffic must be permitted over this link using the port trunk allow-pass vlan <vlan> or port hybrid tagged vlan <vlan> command. 84/335 M ore Learning Resources: http://learning.huawei.com /en
  • 96. The Wireless Local Area Network (WLAN) is seen as a rapidly developing future network technology, to which many enterprise networks are gradually transitioning towards, with the expectation that wired Ethernet networks used today as the primary network infrastructure in nearly all enterprise businesses will eventually be superseded by WLAN solutions, and provide reliable ubiquitous access. Recent evolutions in technology have introduced a need for change in the way in which enterprise industries operate, as a wave of tablet computing and smart mobile device usage paves the way for Bring Your Own Device (BYOD) solutions, in which users enhance their work capability through personal devices, for which in most cases, wired Ethernet connectivity is not supported. Additionally, many new challenges are faced by wireless networks in terms of supporting a greater density of devices in the enterprise network as well as providing media based (voice & video) support without signal loss or periodic connection outages, and providing non-intrusive security to users. Wireless networks continue to play a secondary role to wired networks but with the constant push to change the way enterprise networks support users, it is expected that WLAN will continue to play an increasingly dominant role throughout all enterprise industries. 89/335 M ore Learning Resources: http://learning.huawei.com /en
  • 97. The evolution of enterprise networks involving WLAN have undergone three general phases since the 1980’s, from fixed office, to supporting early mobile office solutions through the use of standalone access points (AP) that provided only limited coverage and mobility for users, to a more centralized form of WLAN involving management of multiple (thin) AP clients by a central controller. Standards growth has also enabled the support of different services initially supporting only data throughput, however as the capacity of the Ethernet wired network continues to develop, it is generally expected that the WLAN be capable of supporting the same services. The capacity to support services such as real time traffic for voice and video require increasing amounts of bandwidth to which new 802.11 standards are developed to support, absorbing an increasingly larger amount of the 2.4GHz spectrum in order to do so. With the introduction of BYOD, new challenges to WLAN are faced to ensure density of devices are supported with suitable bandwidth and connection reliability for supported applications, whilst defending the enterprise network against malicious entities including spyware and malware. 90/335 M ore Learning Resources: http://learning.huawei.com /en
  • 98. IEEE 802.11 represents the working group that supports the development of all Wireless LAN standards, originating in 1997 with initial standards that worked within a 2.4GHz range and relatively low frequency rates of up to 2Mbps. The evolution of standards saw the introduction of the 802.11a and 802.11b standards which operated under the 5GHz and 2.4GHz signal bands respectively. Each of these standards provides a variation in signal range, and due to increased signal fading in the 5GHz signal band, strong adaptation has been towards 2.4GHz which generally provides a greater range of transmission, as such allowing for the deployment of fewer access points (AP) over a broader range. Over time however the 2.4GHz band has become increasingly crowded, making interference ever more likely where transmission is concerned. In addition, an increased rate requires a larger portion of the frequency spectrum for which it has become increasingly difficult to accommodate, for within the 2.4GHz band. This has seen in recent years a transition to a less crowded 5GHz band where frequency ranges for higher rates can be accommodated, at the cost however of the transmission range, resulting from attenuation that naturally affects the 5GHz band. 91/335 M ore Learning Resources: http://learning.huawei.com /en
  • 99. Wireless network deployment solutions over existing Ethernet networks commonly apply a two-layer architecture that is capable of meeting customer requirements, with minimal impact to the physical structure of the enterprise campus. Access Controllers (AC) are deployed at the core layer of the network and operate, in what is known as bypass mode, as a general practice. This means that access controllers that manage the access points are not directly connected to each AP that they manage, mainly to allow for a wireless network overlay to be achieved whilst minimizing physical change to the existing enterprise network architecture. 92/335 M ore Learning Resources: http://learning.huawei.com /en
  • 100. Each Access Point (AP) within a wireless local area network is designed to provide a level of coverage that encompasses the surrounding area of the established enterprise campus. A single AP is considered to have a finite range that may vary depending on a number of factors and objects capable of interfering with the general signal range by imposing greater attenuation on, or refraction of, signals. Wireless coverage is therefore generally extended by implementing multiple APs that operate as cells, with overlapping cell ranges that allow users to hop between APs as they move within the area in which coverage is provided. Any good wireless deployment should allow for complete coverage over an entire campus, eradicating any grey areas or black spots where WLAN coverage may suddenly be lost. Another important factor involving wireless coverage is security. Unlike wired Ethernet connections, the reach of a wireless network may extend beyond the physical boundaries of the building or site for which the network is intended, allowing potential access to resources by unknown external users without authority and therefore posing a great risk to the integrity of the network.
  • 101. Multiple security mechanisms have been devised for maintaining the overall integrity of the wireless enterprise. The implementation of perimeter security as a means of protecting 802.11 networks from threats such as unauthorized APs and users, ad-hoc networks, and denial of service (DoS) attacks is an example of a typical wireless solution. A wireless intrusion detection system (WIDS) can be used to detect unauthorized users and APs. A wireless intrusion prevention system (WIPS) can protect an enterprise network against unauthorized access by wireless network devices such as a rogue AP. User access security is another common solution, where link authentication, access authentication, and data encryption are used as forms of Network Access Control (NAC) to ensure the validity and security of user access on wireless networks, essentially managing user access based on defined permissions. Service security is another feature that may also be implemented to protect the service data of authorized users from being intercepted by unauthorized users during transmission.
  • 102. 1. A growing majority of employees require mobility within an enterprise network as part of daily work procedures, whether for meetings or collaboration, which fixed line networks generally limit. Adoption of WLAN allows for greater mobility and also flexibility in the number of users connecting to the enterprise network. 2. With flexibility of access comes a greater need for security to monitor user access and prevent sensitive information being accessed from within the network. As a greater number of employees begin to rely on personal devices and connect to the enterprise network over the WLAN, the potential for viruses, malware and spyware, amongst others, becomes a greater threat to the network as a whole. As a growing number of services and users need to be supported, greater bandwidth is required, which translates to a larger wireless spectrum needing to be adopted by standards. The 5GHz band has begun to take a prominent role in newer standards due to spectrum limitations in the 2.4GHz range, which results in a shorter range for AP signal transmissions under future standards.
  • 107. Serial connections represent a form of legacy technology that has commonly been used to support Wide Area Network (WAN) transmissions. The transmission of data as electrical signals over a serial link again requires a form of signaling to control the sending and receiving of frames, as found with Ethernet. Serial connections define two forms of signaling that may be used to synchronize transmissions, known as asynchronous and synchronous communication. Asynchronous signaling works on the principle of sending additional bits, referred to as start and stop bits, with each byte or frame so that the receiving node is aware of the incoming frame and can periodically reset the timing between frames, ensuring that the transmission and reception rates stay matched. The start bit is always represented as a 0 bit value while the stop bit represents a 1 bit value. One of the main concerns with this signaling method is the additional overhead incurred for each frame delivered, with the start and stop bits representing a large percentage of the frame overall. This method is commonly associated with technologies such as Asynchronous Transfer Mode (ATM), a form of cell switching technology that generates fixed sized frames (cells) of 53 bytes as a means of supporting lower jitter by minimizing queue processing times, making it ideal for real time communication such as voice; ATM has however begun to make way for newer technologies such as MPLS switching, owing to the loss of its advantage over the frame processing speeds now possible with routers and switches. Synchronous serial connections rely on a clocking mechanism between the peering devices in which one side (the DCE) provides the clocking to synchronize communication. This clocking is maintained by carrying clocking information between the sender and receiver as part of the data signal.
  • 108. The High-level Data Link Control (HDLC) protocol is a bit-oriented data link protocol capable of supporting both synchronous and asynchronous data transmissions. A complete HDLC frame consists of Flag fields that mark the start and end of an HDLC frame, typically as 01111110, or 01111111 when a frame is to be suddenly aborted and discarded; an Address field that supports multipoint situations, where one or multiple secondary terminals communicate with a primary terminal in a multipoint (multidrop) topology known as an unbalanced connection, as opposed to the more commonly applied balanced (point-to-point) connection; a Control field that defines the frame type as either information, supervisory or unnumbered; and a frame check sequence (FCS) field that ensures the integrity of the frame. Of the control field frame types, only the information frame type is supported by Huawei ARG3 series routers and is used to carry data. The information frame type carries send N(S) and receive N(R) sequence numbers, as well as Poll and Final bits (P/F) for communicating status between primary and secondary stations. Supervisory frame types in HDLC are used for error and flow control, and unnumbered frame types are used to manage link establishment, for example between primary and secondary stations.
  • 109. Establishment of HDLC as the link layer protocol over serial connections requires simply that the link protocol be assigned using the link-protocol hdlc command under the interface view for the serial interface that is set to use the protocol. The configuration of the link protocol must be performed on both peering interfaces that are connected to the point-to-point network before communication can be achieved.
  • 110. When an interface has no IP address, it cannot generate routes or forward packets. The IP address unnumbered mechanism allows an interface without an IP address to borrow an IP address from another interface. The IP address unnumbered mechanism effectively conserves IP addresses, since an interface need not occupy an exclusive IP address all of the time. It is recommended that the interface from which the unnumbered IP address is borrowed be a loopback interface, since this type of interface is more likely to be always active and as such able to supply an available address. When using an unnumbered address, a static route or dynamic routing protocol should be configured so that the interface borrowing the IP address can generate a route between the devices. If a dynamic routing protocol is used, the length of the learned route mask must be longer than that of the lender's IP address mask, because ARG3 series routers use the longest match rule when searching for routes. If a static route is used and the IP address of the lender uses a 32-bit mask, the length of the static route mask must be shorter than 32 bits. If a static route is used and the IP address of the lender uses a mask of less than 32 bits, the length of the static route mask must be longer than that of the lender's IP address mask.
  • 111. Through the display ip interface brief command, a summary of the address assignment is output. In the event of assigning an unnumbered address, the address value will display as being present on multiple interfaces, showing that the IP address has been successfully borrowed from the logical loopback interface for use on the physical serial interface.
  • 112. The Point-to-Point Protocol (PPP) is a data link layer protocol that encapsulates and transmits network layer packets over point-to-point (P2P) links. PPP supports point-to-point data transmission over full-duplex synchronous and asynchronous links. PPP is built upon the Serial Line Internet Protocol (SLIP). PPP supports both synchronous and asynchronous links, whereas other data link layer protocols such as Frame Relay (FR) support only synchronous links. PPP is an extensible protocol that carries not only IP but also other network layer protocols, and it is capable of negotiating link layer attributes. PPP supports multiple Network Control Protocols (NCP), such as the IP Control Protocol (IPCP) and the Internetwork Packet Exchange Control Protocol (IPXCP), to negotiate the attributes of the different network layer protocols. PPP provides the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) for network security authentication. PPP has no retransmission mechanism, reducing the network cost and speeding up packet transmission.
  • 113. PPP encapsulation provides for multiplexing of different network-layer protocols simultaneously over the same link; in today's networks, however, PPP is generally required only to carry IP. The versatility of PPP in accommodating a variety of environments is well supported through the Link Control Protocol (LCP). In order to establish communications over a point-to-point link, each end of the PPP link must first send LCP packets to configure and test the data link. More specifically, LCP is used to negotiate and establish agreement on encapsulation format options, manage the MRU of packets, detect a looped-back link through magic numbers, determine errors in terms of parameter misconfigurations, and terminate an established link. Peer authentication on the link, and determination of when a link is functioning properly and when it is failing, are other optional facilities provided by LCP. After the link has been established and optional facilities have been negotiated as required by the LCP component of PPP, NCP packets must then be sent to choose and configure one or more network-layer protocols. Typical IP based Network Control Protocols enable features such as address configuration (IPCP) and Van Jacobson compressed TCP/IP.
  • 114. The initiation and termination of a PPP link begins and ends with the Dead phase. When two communicating devices detect that the physical link between them is activated (for example, carrier signals are detected on the physical link), PPP transitions from the Dead phase into the Establish phase. In the Establish phase, the two devices perform an LCP negotiation to agree the working mode as either single-link (SP) or multi-link (MP), the Maximum Receive Unit (MRU), the authentication mode, etc. If an authentication mode is defined, the optional Authenticate phase is initiated. PPP provides two password authentication modes: PAP authentication and CHAP authentication. Two CHAP authentication modes are available: unidirectional CHAP authentication and bidirectional CHAP authentication. In unidirectional CHAP authentication, the device on one end functions as the authenticating device and the device on the other end functions as the authenticated device. In bidirectional CHAP authentication, each device functions as both the authenticating device and the authenticated device. In practice however, only unidirectional CHAP authentication is used. Following successful authentication, the Network phase begins, during which NCP negotiation is performed to select and configure a network protocol and to negotiate network-layer parameters. Each NCP may be in an Opened or Closed state at any time. After an NCP enters the Opened state, network-layer data can be transmitted over the PPP link. PPP can terminate a link at any time. A link can be terminated manually by an administrator, or be terminated due to the loss of carrier, an authentication failure, or other causes.
  • 115. PPP generally adopts an HDLC-like frame structure for transmission over serial connections. Flag fields denote the start and end of a PPP frame and are identifiable by the binary sequence 01111110 (0x7E). The address field, although present, is not applied by PPP as it is with HDLC and therefore must always contain the value 11111111 (0xFF), which represents the 'All-Stations' address. The control field is also fixed, with the value 00000011 (0x03) representing the unnumbered information command. The frame check sequence (FCS) is generally a 16 bit value used to maintain the integrity of the PPP frame. PPP additionally defines an 8 or 16 bit protocol field that identifies the datagram encapsulated in the Information field of the packet. Typical examples include 0xc021 for the Link Control Protocol, 0xc023 for the Password Authentication Protocol, and 0xc223 for the Challenge Handshake Authentication Protocol. The Information field contains the datagram for the protocol specified in the Protocol field. The maximum length of the Information field (not including the Protocol field) is defined by the Maximum Receive Unit (MRU), which defaults to 1500 bytes. Where the value 0xc021 is used, the communicating devices negotiate by exchanging LCP packets to establish a PPP link. The LCP packet format carries a code field that identifies the various packet types used during PPP negotiation, common examples of which include Configure-Request (0x01), Configure-Ack (0x02), Terminate-Request (0x05), etc. The Data field carries various supporting type/length/value (TLV) options for negotiation, including the MRU, authentication protocols, etc.
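To make the HDLC control field of slide 108 and the PPP frame and LCP layout of slide 115 concrete, the following added example (not course material) parses a constructed PPP frame: it checks the flags, verifies the 16-bit FCS, decodes the control octet, reads the 8- or 16-bit Protocol field and unpacks the LCP header with its TLV options. The frame contents, the identifier 0x2A and the Magic-Number 0x1A2B3C4D are constructed, and the octet stuffing used on asynchronous links is omitted.

```python
import struct

PPP_GOOD_FCS16 = 0xF0B8  # residue a correct FCS leaves behind (RFC 1662)
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}

def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """PPP FCS-16 (CRC-16/X.25), bit-serial form with reflected polynomial 0x8408."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def decode_control(ctrl: int) -> dict:
    """Classify an HDLC control octet as I, S or U frame and extract N(S), N(R), P/F."""
    pf = (ctrl >> 4) & 1
    if ctrl & 0x01 == 0:            # I-frame: N(R) P/F N(S) 0
        return {"type": "I", "ns": (ctrl >> 1) & 7, "nr": (ctrl >> 5) & 7, "pf": pf}
    if ctrl & 0x03 == 0x01:         # S-frame: N(R) P/F SS 0 1
        return {"type": "S", "function": (ctrl >> 2) & 3, "nr": (ctrl >> 5) & 7, "pf": pf}
    modifier = (((ctrl >> 5) & 7) << 2) | ((ctrl >> 2) & 3)   # U-frame: MMM P/F MM 1 1
    return {"type": "U", "modifier": modifier, "pf": pf}       # 0x03 -> modifier 0 = UI

def parse_ppp_frame(frame: bytes) -> dict:
    """Check flags, FCS and the fixed Address, then split Protocol and Information."""
    if len(frame) < 8 or frame[0] != 0x7E or frame[-1] != 0x7E:
        raise ValueError("missing opening/closing Flag")
    body = frame[1:-1]                         # Address .. FCS
    if fcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("FCS mismatch: frame damaged in transit")
    if body[0] != 0xFF:
        raise ValueError("PPP requires the All-Stations address 0xFF")
    rest = body[2:-2]                          # drop the two FCS octets
    if rest[0] & 1:                            # one-octet Protocol (field compression)
        protocol, info = rest[0], rest[1:]
    else:                                      # two-octet Protocol, e.g. 0xC021 = LCP
        protocol, info = struct.unpack("!H", rest[:2])[0], rest[2:]
    return {"control": decode_control(body[1]), "protocol": protocol, "info": info}

def parse_lcp(info: bytes) -> dict:
    """Unpack Code, Identifier, Length and the type/length/value options that follow."""
    code, ident, length = struct.unpack("!BBH", info[:4])
    if length < 4 or length > len(info):
        raise ValueError("LCP Length field inconsistent with frame")
    options, pos = {}, 4
    while pos + 2 <= length:
        otype, olen = info[pos], info[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("malformed option TLV")
        value = info[pos + 2:pos + olen]
        if otype == 1 and olen == 4:                      # MRU
            decoded = struct.unpack("!H", value)[0]
        elif otype == 3 and olen in (4, 5):               # PAP 0xC023 / CHAP 0xC223 + algorithm
            proto = struct.unpack("!H", value[:2])[0]
            decoded = {"protocol": proto, "algorithm": value[2] if olen == 5 else None}
        elif otype == 5 and olen == 6:                    # Magic-Number
            decoded = struct.unpack("!I", value)[0]
        else:
            decoded = value                               # unknown: keep raw for a Configure-Reject
        options[LCP_OPTIONS.get(otype, otype)] = decoded
        pos += olen
    return {"code": LCP_CODES.get(code, code), "id": ident, "options": options}

def build_lcp_frame(code: int, ident: int, options: bytes) -> bytes:
    """Wrap an LCP packet in PPP/HDLC framing; FCS is complemented and sent low octet first."""
    lcp = struct.pack("!BBH", code, ident, 4 + len(options)) + options
    body = b"\xff\x03" + struct.pack("!H", 0xC021) + lcp
    fcs = fcs16(body) ^ 0xFFFF
    return b"\x7e" + body + bytes([fcs & 0xFF, fcs >> 8]) + b"\x7e"

def frame_is_intact(frame: bytes) -> bool:
    try:
        return bool(parse_ppp_frame(frame))
    except ValueError:
        return False

# Constructed Configure-Request: MRU 1500, CHAP with MD5 (algorithm 5), a Magic-Number.
SAMPLE_OPTIONS = (struct.pack("!BBH", 1, 4, 1500)
                  + struct.pack("!BBHB", 3, 5, 0xC223, 5)
                  + struct.pack("!BBI", 5, 6, 0x1A2B3C4D))
SAMPLE_FRAME = build_lcp_frame(1, 0x2A, SAMPLE_OPTIONS)

def decode_sample(frame: bytes = SAMPLE_FRAME) -> dict:
    parsed = parse_ppp_frame(frame)
    parsed["lcp"] = parse_lcp(parsed["info"]) if parsed["protocol"] == 0xC021 else None
    return parsed
```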
  • 116. As part of the LCP negotiation, a number of packet types are defined that enable parameters to be agreed upon before a PPP data link is established. It is necessary that the two communicating devices negotiate link layer attributes such as the MRU and the authentication mode, and to achieve this various packet types are exchanged. The Configure-Request packet type initiates LCP negotiation between peering devices and must be transmitted whenever negotiation is to begin. Every Configure-Request packet sent must be responded to, through one of a number of response packet types. Where every configuration option received in a Configure-Request is recognizable and all values are acceptable, a Configure-Ack packet is transmitted. Where all received configuration options in the Configure-Request are recognized but some values are not accepted, a Configure-Nak packet is transmitted, containing only the unaccepted configuration options originally received in the Configure-Request. A Configure-Reject is used when certain configuration options received in a Configure-Request are not recognizable and thus are not accepted for negotiation.
  • 117. Some of the common configuration options negotiated and carried in LCP packets include the MRU, the authentication protocol supported by the sending peer, and the magic number. The magic number provides a method to detect looped-back links and other anomalies at the data link layer. When a Configure-Request is received containing a Magic-Number configuration option, the received Magic-Number is compared with the Magic-Number of the last Configure-Request that the local device itself sent to the peer. If the two Magic-Numbers are different, the link is understood not to be looped back and a Configure-Ack can be given in response. If the two Magic-Numbers are equal however, a possibility exists that the link is looped back, and further checking must be performed for this Configure-Request; this is done by sending a Configure-Nak to request a different Magic-Number value.
  • 118. The sequence of events leading to the establishment of PPP between two peers is initiated by the sending of a Configure-Request packet to the peering device. Upon receiving this packet, the receiver must assess the configuration options to determine the packet format to respond with. In the event that all configuration options received are acceptable and recognized, the receiver will reply with a Configure-Ack packet.
  • 119. Following the initial transmission of the Configure-Request as part of PPP negotiation, it is also possible that a Configure-Nak is returned, specifically where all configuration options are recognized but some values are not accepted. On reception of the Configure-Nak packet a new Configure-Request is generated and sent, with the configuration options generally modified to the values specified in the received Configure-Nak packet. Multiple values for a configuration option may be specified in the Configure-Nak packet, from which the peer is expected to select a single value to include in the next Configure-Request packet.
  • 120. For PPP LCP negotiation in which one or more configuration options received in a Configure-Request are unrecognized or considered not acceptable for negotiation, a Configure-Reject packet is transmitted. Reception of a valid Configure-Reject indicates that a new Configure-Request must be sent, and that any configuration options carried in the Configure-Reject packet must be removed from the configuration options sent as part of the following Configure-Request packet.
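The responder and requester rules of slides 116 to 120, including the Magic-Number loopback check of slide 117, expressed as a small negotiation loop in an added example (not course material). The option values, the local Magic-Number 0x5EED1234 and the policy that accepts only CHAP are constructed, and options are modelled as name/value pairs rather than encoded TLVs.

```python
import random

# This node's own Magic-Number and its policy for the options named in the text (constructed).
LOCAL_POLICY = {
    "magic": 0x5EED1234,
    "recognized": {"MRU", "Authentication-Protocol", "Magic-Number"},
    "acceptable": {"MRU": lambda v: 576 <= v <= 1500,
                   "Authentication-Protocol": lambda v: v == "CHAP-MD5"},  # no plaintext PAP
    "suggest": {"MRU": 1500, "Authentication-Protocol": "CHAP-MD5"},
}

def fresh_magic(exclude: set) -> int:
    """A non-zero 32-bit Magic-Number that differs from every value in `exclude`."""
    while True:
        candidate = random.getrandbits(32)
        if candidate and candidate not in exclude:
            return candidate

def answer_configure_request(req: dict, local: dict) -> tuple:
    """Responder side: choose Ack, Nak or Reject and the options to carry back."""
    unknown = {k: v for k, v in req.items() if k not in local["recognized"]}
    if unknown:
        return "Configure-Reject", unknown        # unrecognized options, unmodified
    nak = {}
    for name, value in req.items():
        if name == "Magic-Number":
            if value == local["magic"] or value == 0:
                # Same value we sent (or zero): the link may be looped back, ask for another.
                nak[name] = fresh_magic({value, local["magic"]})
        elif not local["acceptable"][name](value):
            nak[name] = local["suggest"][name]    # only the unaccepted options, with hints
    if nak:
        return "Configure-Nak", nak
    return "Configure-Ack", dict(req)             # every option recognized and acceptable

def next_request(prev: dict, code: str, payload: dict):
    """Requester side: build the following Configure-Request, or None once acknowledged."""
    if code == "Configure-Ack":
        return None
    if code == "Configure-Nak":                   # adopt the hints; several hints -> pick one
        new = dict(prev)
        for name, hint in payload.items():
            new[name] = hint[0] if isinstance(hint, (list, tuple)) else hint
        return new
    if code == "Configure-Reject":                # drop the rejected options entirely
        return {k: v for k, v in prev.items() if k not in payload}
    raise ValueError(f"unexpected LCP code {code}")

def negotiate(req: dict, local: dict, max_rounds: int = 10) -> list:
    """Run request/response rounds until Configure-Ack; one (request, code, payload) per round."""
    transcript = []
    for _ in range(max_rounds):
        code, payload = answer_configure_request(req, local)
        transcript.append((dict(req), code, payload))
        req = next_request(req, code, payload)
        if req is None:
            return transcript
    raise RuntimeError("LCP negotiation did not converge")

def run_sample() -> list:
    """Peer asks for an oversized MRU, PAP, our own Magic-Number and an option we do not know."""
    peer_request = {"MRU": 1600, "Authentication-Protocol": "PAP",
                    "Magic-Number": 0x5EED1234, "Callback": 6}
    return negotiate(peer_request, LOCAL_POLICY)
```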
  • 121. Establishment of PPP requires that the link layer protocol on the serial interface be specified. For ARG3 series routers, PPP is enabled by default on the serial interface. Where the interface is currently not running PPP, the link-protocol ppp command is used to enable PPP at the data link layer. Confirmation of the change of encapsulation protocol will be prompted for, and approval should be given as demonstrated in the configuration example.
  • 122. The Password Authentication Protocol (PAP) is a two-way handshake authentication protocol that transmits passwords in plain text. PAP authentication is performed during initial link establishment. After the Link Establishment phase is complete, the user name and password are repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. PAP authentication effectively simulates login operations in which plain text passwords are used to establish access to a remote host. The authenticated device sends the local user name and password to the authenticator. The authenticator checks the user name and password of the authenticated device against a local user table and sends an appropriate response to the authenticated device to confirm or reject authentication.
  • 123. The Challenge Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment and can be repeated periodically. The distinguishing principle of CHAP lies in the protection afforded by avoiding transmission of any password over the link, relying instead on a challenge and response process that can only succeed if both the authenticator and the authenticated device hold a value referred to as a secret. An algorithm such as MD5 is commonly used to hash the challenge together with the secret; the authenticated device returns the resulting hash value as its response, and the authenticator compares it with the result it generates itself. If the response and the value created by the authenticator match, the authenticated peer is approved.
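The PAP exchange of slide 122 and the CHAP challenge and response of slide 123, simulated in an added example (not course material) with both peers in one process. The user name rta, the shared secret and the 16-byte random challenge are constructed, and the response is MD5 over the Identifier, the secret and the challenge value as CHAP specifies (RFC 1994); the result shows that PAP places the password itself on the link, that CHAP never does, and that a captured CHAP response does not verify against a later challenge.

```python
import hashlib
import hmac
import os
import struct

# Authenticator's local user table: user name -> shared secret (constructed values).
USERS = {"rta": b"huawei-secret"}

def pap_request(user: str, password: bytes) -> bytes:
    """PAP Authenticate-Request (Code 1): the password itself travels in plain text."""
    uid = user.encode()
    payload = bytes([len(uid)]) + uid + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, 1, 4 + len(payload)) + payload

def pap_check(pkt: bytes) -> bool:
    """Authenticator side of PAP: look the user up and compare the received password."""
    if len(pkt) < 6:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        return False
    ulen = pkt[4]
    if 6 + ulen > len(pkt):
        return False
    user = pkt[5:5 + ulen].decode(errors="replace")
    plen = pkt[5 + ulen]
    password = pkt[6 + ulen:6 + ulen + plen]
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)

def chap_challenge(ident: int, name: bytes = b"RTB") -> bytes:
    """CHAP Challenge (Code 1): Identifier, Value-Size, random Value, authenticator Name."""
    value = os.urandom(16)
    payload = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 1, ident, 4 + len(payload)) + payload

def chap_response(challenge_pkt: bytes, user: str, secret: bytes) -> bytes:
    """Authenticated side: Response (Code 2) = MD5(Identifier || secret || Challenge Value)."""
    _code, ident, _length = struct.unpack("!BBH", challenge_pkt[:4])
    vsize = challenge_pkt[4]
    value = challenge_pkt[5:5 + vsize]
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    payload = bytes([len(digest)]) + digest + user.encode()
    return struct.pack("!BBH", 2, ident, 4 + len(payload)) + payload

def chap_verify(challenge_pkt: bytes, response_pkt: bytes) -> bool:
    """Authenticator side: recompute the hash from the local secret and compare."""
    c_code, c_id, _ = struct.unpack("!BBH", challenge_pkt[:4])
    r_code, r_id, r_len = struct.unpack("!BBH", response_pkt[:4])
    if (c_code, r_code) != (1, 2) or c_id != r_id or r_len != len(response_pkt):
        return False                                   # stale or mismatched Identifier
    vsize = challenge_pkt[4]
    value = challenge_pkt[5:5 + vsize]
    dsize = response_pkt[4]
    digest = response_pkt[5:5 + dsize]
    name = response_pkt[5 + dsize:].decode(errors="replace")
    secret = USERS.get(name)
    if secret is None:
        return False
    expected = hashlib.md5(bytes([c_id]) + secret + value).digest()
    return hmac.compare_digest(expected, digest)       # Success (3) or Failure (4) follows

def run_handshakes() -> dict:
    """Both peers in one process: what each protocol puts on the wire and how it decides."""
    pap = pap_request("rta", b"huawei-secret")
    chal = chap_challenge(ident=7)
    good = chap_response(chal, "rta", b"huawei-secret")
    bad = chap_response(chal, "rta", b"wrong-secret")
    later = chap_challenge(ident=8)                    # a fresh challenge: replay must fail
    return {"pap_ok": pap_check(pap),
            "pap_password_on_wire": b"huawei-secret" in pap,
            "chap_ok": chap_verify(chal, good),
            "chap_secret_on_wire": b"huawei-secret" in chal + good,
            "chap_wrong_secret": chap_verify(chal, bad),
            "chap_replayed_response": chap_verify(later, good)}
```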
  • 124. The IP Control Protocol (IPCP) is responsible for configuring, enabling, and disabling the IP protocol modules on both ends of the point-to-point link. IPCP uses the same packet exchange mechanism as the Link Control Protocol (LCP). IPCP packets may not be exchanged until PPP has reached the Network phase; IPCP packets received before this phase is reached are expected to be silently discarded. The address negotiation configuration option provides a way to negotiate the IP address to be used on the local end of the link, for which a statically defined method allows the sender of the Configure-Request to state which IP address is desired. Upon configuration of the IP address, a Configure-Request message is sent containing the IP address requested for use, followed by a Configure-Ack from the peering device to affirm that the IP address is accepted.
  • 125. A local device operating as a client and needing to be assigned an IP address in the range of the remote device (server) must request a valid address by applying the ip address ppp-negotiate command on the physical interface over which the client peers with the server. Through this method a client can retrieve a valid address. This is applicable in scenarios such as where a client accesses the Internet through an Internet Service Provider (ISP) network, from which it can obtain an IP address. An address is proposed to the client upon receipt of a Configure-Request in which no IP address has been defined. The PPP server (RTB) responds with a Configure-Nak that contains the suggested IP address parameters for RTA. A follow-up Configure-Request message carrying the changed IP address enables IPCP (the NCP for IP) to successfully establish the network layer protocol.
  • 126. The establishment of PAP authentication requires that one peer operate as the authenticator in order to authenticate an authenticated peer. The PPP PAP authenticator is expected to define the authentication mode, a local user name and password, and the service type. If a domain is defined to which the local user belongs (as defined by AAA), the authentication domain is also expected to be specified under the PAP authentication mode. An authenticated peer requires that an authentication user name, and authentication password be specified in relation to the username and password set by the authenticator. The ppp pap local-user <username> password { cipher | simple } <password> command is configured on the authenticated device to achieve this.
  • 127. Through debugging commands, which provide a real-time output of events in relation to specific protocols, the authentication request process can be viewed. As displayed in the example, a PAP authentication request is performed and authentication is deemed successful.
  • 128. In CHAP authentication, the authenticated device sends only the user name to the authenticating device. CHAP is understood to feature higher security since passwords are not transmitted over the link, instead relying on hashed values to provide challenges to the authenticated device based on the configured password value on both peering devices. In its simplest form, CHAP may be implemented based on local user assignments as with PAP, or may involve more stringent forms of authentication and accounting achieved through AAA and authentication/accounting servers. As demonstrated, the configuration of CHAP based on locally defined users requires limited configuration of local user parameters and the enablement of PPP CHAP authentication mode on the authenticator device. Where domains exist, the authenticator may also be required to define the domain being used if different from the default domain.
  • 129. Debugging of the CHAP authentication process displays the stages involved in CHAP authentication, beginning with listening on the interface for any challenge received following the LCP negotiation. When a challenge is received, the authenticated device must provide a response, for which a hash value is generated from the authentication parameters (password) set on the authenticated peer; the authenticator then validates the response and returns a success or failure response.
  • 130. 1. A Configure-Ack packet is required in order to allow the link layer to be successfully established when using PPP as the link layer encapsulation mode. 2. The Internet Protocol Control Protocol (IPCP) is used to negotiate the IP protocol modules as part of the NCP negotiation process. This occurs during the Network phase of PPP establishment.