Layer 2 switches perform only Layer 2 forwarding, not Layer 3 forwarding. That is, Layer 2 switches support only Layer 2 features and do not support Layer 3 features such as routing.
Layer 2 switches are typically deployed at the access layer and cannot function as gateways of users.
Switch configurations used in this example apply to all versions of all S series switches.
This example uses router configurations of AR3600 V200R007C00SPCc00. For other router configurations, see the corresponding documentation.
In Figure 1, a company has multiple departments that belong to different network segments, and each department needs to access the Internet. It is required that users access the Internet through the Layer 2 switch and router and that the router function as the gateway of users.
The configuration roadmap is as follows:
Configure interface-based VLAN assignment on the switch for Layer 2 forwarding.
Configure the router as the gateway of users to implement Layer 3 forwarding across network segments through sub-interfaces or VLANIF interfaces.
Configure the router as the DHCP server to assign IP addresses to users.
Configure the NAT function on the router to enable intranet users to access the Internet.
# Configure the interfaces connected to users.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet0/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit
# Configure the interface connected to the router.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3 //Configure the interface as a trunk interface to transparently transmit packets from VLAN 2 and VLAN 3.
[Switch-GigabitEthernet0/0/1] quit
Two methods are available to configure a router: one is to configure sub-interfaces and the other is to configure VLANIF interfaces.
Configure the router to terminate VLAN tags through sub-interfaces to implement Layer 3 forwarding across network segments.
# Configure sub-interfaces for VLAN tag termination.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 3
[Router] interface gigabitethernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dot1q termination vid 2
[Router-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[Router-GigabitEthernet0/0/1.1] arp broadcast enable //By default, ARP broadcast on a VLAN tag termination sub-interface is disabled on AR routers in a version earlier than V200R003C01 and enabled in V200R003C01 and later versions.
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface gigabitethernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dot1q termination vid 3
[Router-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[Router-GigabitEthernet0/0/1.2] arp broadcast enable
[Router-GigabitEthernet0/0/1.2] quit
# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.
[Router] dhcp enable
[Router] interface gigabitethernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Router-GigabitEthernet0/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5 //The configured DNS-list 114.114.114.114 is a public DNS server address, which is the same for carriers. In practice, the DNS-list address needs to be configured based on the DNS assigned to a carrier.
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface gigabitethernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dhcp select interface
[Router-GigabitEthernet0/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-GigabitEthernet0/0/1.2] quit
# Configure a public network interface IP address and a static route.
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0 //Configure an IP address 200.0.0.2 for GE0/0/2 connected to the public network.
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for source IP addresses on the network segment 192.168.0.0/16 and translates only source IP addresses of outgoing packets on GE0/0/2.
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit
Configure VLANIF interfaces on the router to implement Layer 3 forwarding across network segments.
# Configure VLANIF interfaces.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 3
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] portswitch //Change the Ethernet interface from Layer 3 mode to Layer 2 mode. If it has worked in Layer 2 mode, skip this step.
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[Router-GigabitEthernet0/0/1] quit
[Router] interface vlanif 2
[Router-vlanif2] ip address 192.168.1.1 24 //Configure the IP address of VLANIF2 as the gateway address of PC1.
[Router-vlanif2] quit
[Router] interface vlanif 3
[Router-vlanif3] ip address 192.168.2.1 24 //Configure the IP address of VLANIF3 as the gateway address of PC2.
[Router-vlanif3] quit
# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.
[Router] dhcp enable
[Router] interface vlanif 2
[Router-Vlanif2] dhcp select interface
[Router-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //The configured DNS-list 114.114.114.114 is a public DNS server address, which is the same for carriers. In practice, the DNS-list address needs to be configured based on the DNS assigned to a carrier.
[Router-Vlanif2] quit
[Router] interface vlanif 3
[Router-Vlanif3] dhcp select interface
[Router-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-Vlanif3] quit
# Configure a public network interface IP address and a static route.
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for source IP addresses on the network segment 192.168.0.0/16 and translates only source IP addresses of outgoing packets on GE0/0/2.
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit
Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for PC1, and configure an IP address 192.168.2.2/24 and a gateway address 192.168.2.1 for PC2.
Configure an IP address 200.0.0.1/24 and a gateway address 200.0.0.2 for the external network.
After the configurations are complete, PC1 and PC2 can ping the external network IP address 200.0.0.1/24 and access the Internet.
Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 3
#
return
Router configuration file (sub-interface method)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
 rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 2
 ip address 192.168.1.1 255.255.255.0
 arp broadcast enable
 dhcp select interface
 dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 3
 ip address 192.168.2.1 255.255.255.0
 arp broadcast enable
 dhcp select interface
 dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.0
 nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
return
Router configuration file (VLANIF interface method)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
 rule 5 permit source 192.168.0.0 0.0.255.255
#
interface Vlanif2
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
 ip address 192.168.2.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.0
 nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
return
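Added example, not part of the original configuration guide: a Python check that reads the router configuration file and compares the source range permitted by the ACL bound to nat outbound (192.168.0.0/16 here) with the subnets the router actually serves through DHCP. The function names and the embedded sample, copied from the sub-interface configuration file on this page, are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: lines copied from the page's router configuration file
# (sub-interface method); only the parts the check needs are kept.
ROUTER_CFG = """\
acl number 2001
 rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 2
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 3
 ip address 192.168.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.0
 nat outbound 2001
"""

def wildcard_to_network(addr, wildcard):
    """Turn an ACL address/wildcard pair into a network (contiguous wildcards only)."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits.bit_length()}", strict=False)

def audit_nat_scope(cfg):
    """Compare the sources the NAT ACL permits with the subnets the router serves."""
    blocks = cfg.split("\n#")
    acl_no = re.search(r"nat outbound (\d+)", cfg)[1]
    acl = next(b for b in blocks if re.search(rf"acl number {acl_no}\b", b))
    permitted = [wildcard_to_network(a, w) for a, w in
                 re.findall(r"rule \d+ permit source (\S+) (\S+)", acl)]
    served = []  # gateway interfaces that hand out addresses with DHCP
    for b in blocks:
        m = re.search(r"ip address (\S+) (\S+)", b)
        if m and "dhcp select interface" in b:
            served.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    uncovered = [s for s in served if not any(s.subnet_of(p) for p in permitted)]
    covered = sum(s.num_addresses for s in served if s not in uncovered)
    # Addresses NAT would translate that belong to no served subnet.
    extra = sum(p.num_addresses for p in permitted) - covered
    return {"permitted": permitted, "uncovered": uncovered, "extra_addresses": extra}
```

For the configuration on this page, audit_nat_scope(ROUTER_CFG) reports no uncovered subnet and 65024 permitted source addresses outside the two /24 segments; with one rule per /24 the figure is 0.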