Example for Configuring a Small-Sized Campus Network

Networking Requirements

In an enterprise, intranet users in departments A and B can communicate with each other and access the Internet.

As shown in Figure 1, on a small-sized campus network, S2700 switches are typically deployed as access switches (such as ACC1) at the access layer, S6700 switches as core switches (such as CORE) at the core layer, and AR routers as egress routers (such as Router).

The access switches are connected to the core switch through Eth-Trunks to ensure reliability.

A VLAN is assigned to each department and services are transmitted between departments at Layer 3 through VLANIF interfaces of the switch CORE.

The core switch functions as a DHCP server to allocate IP addresses to users in the campus.

The DHCP snooping function is configured on access switches to prevent intranet users from connecting to unauthorized routers to obtain IP addresses. The IPSG function is configured to prevent intranet users from changing their IP addresses.

Figure 1 Networking diagram of a small-sized campus network

Data Planning

Table 1 Data plan

| Operation | Item | Data | Description |
|---|---|---|---|
| Configuring the management IP address | IP address of the management interface | 10.10.1.1/24 | This IP address is used for users to log in to the switch through the management interface. |
| Configuring interfaces and VLANs | Eth-Trunk working mode | Static Link Aggregation Control Protocol (LACP) mode | Eth-Trunks work in manual load balancing mode or static LACP mode. |
| | Interface type | Interfaces connected to switches are configured as trunk interfaces and interfaces connected to PCs are configured as access interfaces. | A trunk interface is typically used to connect to a switch. An access interface is typically used to connect to a PC. A hybrid interface can connect to either a switch or a PC. |
| | VLAN ID | ACC1: VLAN 10; ACC2: VLAN 20; CORE: VLANs 100, 10, and 20 | The default VLAN of a switch is VLAN 1. To isolate departments A and B at Layer 2, add department A to VLAN 10 and department B to VLAN 20. The switch CORE connects to the egress router through VLANIF 100. |
| Configuring DHCP | DHCP server | CORE | The DHCP server is deployed on the core switch. |
| | Address pool | VLAN 10: VLANIF 10; VLAN 20: VLANIF 20 | Terminals in department A obtain IP addresses from the address pool on VLANIF 10. Terminals in department B obtain IP addresses from the address pool on VLANIF 20. |
| Configuring routes on the core switch | IP routes | VLANIF 100: 10.10.100.1/24; VLANIF 10: 10.10.10.1/24; VLANIF 20: 10.10.20.1/24 | The IP address of VLANIF 100 is used for the switch CORE to connect to the egress router and for the internal network to communicate with the Internet. On the core switch, configure a default route and set the next-hop IP address to the IP address of the egress router. After the IP addresses of VLANIF 10 and VLANIF 20 are configured on the switch CORE, departments A and B can communicate through the switch. |
| Configuring the egress router | IP address of the public network interface | Ethernet0/0/1: 1.1.1.2/30 | Ethernet0/0/1 connects the egress router to the Internet. |
| | IP address of the public network gateway | 1.1.1.1/30 | It is the IP address of the carrier's device connected to the egress router. On the egress router, configure a default route to this IP address for forwarding network traffic to the Internet. |
| | DNS server address | 2.2.2.2 | The DNS server resolves a domain name into an IP address. |
| | IP address of an intranet interface | Ethernet0/0/2: 10.10.100.2/24 | Ethernet0/0/2 connects the egress router to the intranet. |
| Configuring DHCP snooping and IPSG | Trusted port | Eth-Trunk 1 | N/A |

Configuration Roadmap

The configuration roadmap is as follows:

  1. Log in to switches.
  2. Configure the interfaces and VLANs on access switches.
  3. Configure the interfaces and VLAN on the core switch.
  4. Configure the DHCP server on the core switch.
  5. Configure routes on the core switch.
  6. Configure the egress router.
  7. Configure DHCP snooping and IPSG on access switches.
  8. Save the configuration.

Procedure

  1. Log in to a switch.

    A switch that is running factory settings can be logged in to through the web system for the first time. The following uses the switch CORE as an example to describe the first login through the web system. The login methods of switches ACC1 and ACC2 are similar to that of the switch CORE.

    A switch that does not have a MODE button and is not running factory settings cannot be logged in to through the web system for the first time. However, subsequent logins through the web system are supported. For details, see Web System Login.

    1. Connect the switch to a PC.

      Connect the PC to any Ethernet interface (except the management interface) of the switch.

    2. Enter the initial configuration mode.

      Press and hold down the MODE button for 6 seconds or longer. When all indicators are steady green, the switch enters the initial configuration mode.

      In the initial configuration mode, the system sets the switch's IP address to 192.168.1.253/24 and sets the level of the default user admin to 15 by default.

    3. Configure an IP address for the PC.

      So that the PC can reach the switch, configure the PC with an IP address on the same network segment as the switch's default IP address.

    4. Log in to the switch through the web system.

      Open a browser on the PC, enter https://192.168.1.253 in the address box, and press Enter. The web system login page is displayed, as shown in Figure 2. Enter the default user name admin and password admin@huawei.com, and select the system language. Click GO or press Enter. The web system configuration page is displayed.

      Figure 2 First login page of the web system

      To log in to a switch through the web system for the first time, you must use Microsoft Edge, Internet Explorer 10.0, Internet Explorer 11.0, Firefox 61.0 to 66.0, or Google Chrome 64.0 to 73.0. If the browser or browser patch version is outside the specified range, the web page may not be displayed properly. In this case, upgrade the browser and browser patch.

    5. Configure the switch.

      On the web configuration page, perform the following operations in the Basic Setting area:
      • Set Management IP Address to 10.10.1.1 and Mask to 24(255.255.255.0).
      • Enter admin@huawei.com in the Old Password text box.
      • Enter a new password in WEB User Password and Confirm Password text boxes.
      • Select 15 from the WEB User Level drop-down list box.
      The configuration is shown in Figure 3. Click Apply.
      Figure 3 Initial configuration

      The configured management IP address and 192.168.1.253/24 are not on the same network segment, so you cannot log in to the switch through the web system after exiting the first login page. Therefore, the IP address of the PC needs to be configured again to ensure that the switch and PC are reachable.

  2. Configure interfaces and VLANs on access switches (ACC1 is used as an example here, and the configuration on ACC2 is similar).

    • Configure Eth-Trunk 1 that connects ACC1 to CORE to transparently transmit packets from the VLAN of department A.
      1. Choose Configuration > Basic Services > Interface Settings, and click Connect to Switch in the Select Task area.
      2. Select GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to be configured.
      3. Select Enable link aggregation in the Configure Interface area, and set parameters, as shown in Figure 4.
        • Interface Status: ON
        • Eth-Trunk: 1
        • Eth-Trunk Mode: Static LACP
        • Allowed VLANs: 10
        • Default VLAN: 1
        • Auto VLAN Creation: ON
        Figure 4 Configuring Eth-Trunk 1 that connects ACC1 to CORE

      4. Click Apply. In the dialog box that is displayed, click OK.
    • Configure interfaces of ACC1 connected to users and add users to a VLAN.
      1. Choose Configuration > Basic Services > Interface Settings, and click Connect to PC in the Select Task area.
      2. Select Ethernet0/0/2 and Ethernet0/0/3 to be configured.
      3. Set parameters in the Configure Interface area, as shown in Figure 5.
        • Interface Status: ON
        • Default VLAN: 10
        • Port Isolation: OFF
        • Port Security: OFF
        • Loopback Detection: OFF
        • Trust Priority: None
        Figure 5 Configuring interfaces of ACC1 connected to users

      4. Click Apply. In the dialog box that is displayed, click OK.
    • Configure edge ports and the BPDU protection function.
      1. Choose Configuration > Advanced Services > STP > STP Summary. The STP Summary tab page is displayed.
      2. Enable BPDU protection in the STP Global Setting area, as shown in Figure 6. Click Apply.
        Figure 6 Enabling the BPDU protection function

      3. Select Ethernet0/0/2 and Ethernet0/0/3 to be configured in the Interface Status area, and click Enable Edge Port, as shown in Figure 7.
        Figure 7 Configuring edge ports

  3. Configure the interfaces and VLAN on the core switch.

    • Configure downlink interfaces of the core switch. (The following uses the configuration of Eth-Trunk 1 that connects CORE to ACC1 as an example, and the configuration for connecting to ACC2 is similar.)
      1. Choose Configuration > Basic Services > Interface Settings > Service Interface Setting, and click Connect to Switch in the Select Task area.
      2. Select GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to be configured.
      3. Select Enable link aggregation in the Configure Interface area, and set parameters, as shown in Figure 8.
        • Interface Status: ON
        • Eth-Trunk: 1
        • Eth-Trunk Mode: Static LACP
        • Allowed VLANs: 10
        • Default VLAN: 1
        • Auto VLAN Creation: ON
        Figure 8 Configuring Eth-Trunk 1 that connects CORE to ACC1

      4. Click Apply. In the dialog box that is displayed, click OK.
    • Configure VLANIF interfaces for departments A and B to communicate with each other.
      1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
      2. Click 10 in the VLAN ID column. The Modify VLAN dialog box is displayed.
      3. Click Create VLANIF, set IPv4 address to 10.10.10.1, and set Mask to 24. Use the same method to configure VLANIF 20, as shown in Figure 9 and Figure 10. Click OK.
        Figure 9 Configuring VLANIF 10

        Figure 10 Configuring VLANIF 20

    • Configure uplink interfaces and VLANIF interfaces of the core switch for communication between the campus network and the Internet.
      1. Choose Configuration > Basic Services > VLAN to access the VLAN configuration page.
      2. Click Create. In the Create VLAN dialog box, set parameters, as shown in Figure 11.
        • VLAN ID: 100
        • Select Create VLANIF
        • IPv4 address: 10.10.100.1
        • Mask: 24
        • Add Interface: GigabitEthernet0/0/20
        Figure 11 Configuring VLAN 100

      3. Click OK.

  4. Configure the DHCP server on the core switch.

    Configure the DHCP server on CORE to assign IP addresses to users in departments A (VLAN 10) and B (VLAN 20).

    1. Choose Configuration > Basic Services > DHCP > DHCP Address Pool. On the DHCP configuration page, set DHCP status to ON.
    2. Click Create. In the Create DHCP Address Pool dialog box, set parameters, as shown in Figure 12. Click OK. Users in department A then can obtain IP addresses from the interface address pool on VLANIF 10.

      • Address pool type: Interface address pool
      • Select Interface: Vlanif10
      Figure 12 Configuring users in department A to obtain IP addresses from an interface address pool

    3. Use the same method to configure users in department B to obtain IP addresses from the interface address pool on VLANIF 20. The parameter settings are shown in Figure 13.

      Figure 13 Configuring users in department B to obtain IP addresses from an interface address pool

  5. Configure routes on the core switch.
    1. Choose Configuration > Basic Services > Static Routes > IPv4 Static Routes. The IPv4 Static Routes tab page is displayed.
    2. Click Add and set the parameters, as shown in Figure 14.

      • Destination IP Address: 0.0.0.0
      • Destination IP Address Mask: 0.0.0.0
      • Next Hop Address: 10.10.100.2
      Figure 14 Configuring routes on the core switch

    3. Click .
  6. Configure an egress router. (The following uses an AR router in V200R009C00 as an example. For details about how to log in to the web system of an AR router, see the corresponding documentation.)

    Before configuring the egress router, you need the following data: IP address of the public network interface (1.1.1.2/30), IP address of the public network gateway (1.1.1.1), and DNS server address (2.2.2.2). These parameters are provided by carriers when the broadband service is applied. The data used in this example is for reference only.

    • Configure IP addresses of the intranet and public network interfaces on the egress router.
      1. Choose WAN Access > Ethernet Interface. The Ethernet Interface tab page is displayed.
      2. In the Ethernet Interface List area, click in the Ethernet0/0/1 column. The Modify Ethernet Interface dialog box is displayed.
      3. Set parameters, as shown in Figure 15. Click OK. The IP address of the public network interface is configured.
        • Select IPv4.
        • Connection mode: Static
        • IP address: 1.1.1.2
        • Subnet mask: 255.255.255.252
        Figure 15 Configuring an IP address for the public network interface

      4. Use the same method to configure an IP address for the intranet interface. The parameter settings are shown in Figure 16.
        Figure 16 Configuring an IP address for the intranet interface

    • Configure an ACL that allows users to connect to the Internet.
      1. Choose Security > ACL > Basic ACL Setting. The Basic ACL Setting tab page is displayed.
      2. Click Create. The Create Basic ACL Setting dialog box is displayed.
      3. Set parameters, as shown in Figure 17. Click OK. The basic ACL is created.
        • ACL name: acl2000
        • Type: IPv4
        Figure 17 Creating a basic ACL

      4. Click Add rules in the acl2000 column, and set parameters, as shown in Figure 18. Click .

        | ACL Rule ID | Action | Source IP Address/Prefix Length (Wildcard) |
        |---|---|---|
        | 5 | Permit | 10.10.10.0/0.0.0.255 |
        | 10 | Permit | 10.10.20.0/0.0.0.255 |
        | 15 | Permit | 10.10.100.0/0.0.0.255 |

        Figure 18 Adding rules to a basic ACL

    • Configure NAT on the interface that connects to the public network so that intranet users can access the Internet.
      1. Choose IP Service > NAT > External Network Access. The External Network Access tab page is displayed.
      2. Click Create. The Create External Network Access dialog box is displayed.
      3. Set parameters, as shown in Figure 19. Click OK.
        • Interface name: Ethernet0/0/1
        • Translation mode: Easy IP
        • ACL name: acl2000
        Figure 19 Configuring external network access

    • Configure a specific route to the intranet and a default static route to the public network.
      1. Choose IP Service > Route > Static Route Configuration. The Static Route Configuration tab page is displayed.
      2. In the IPv4 Static Route Configuration Table area, click Create. The Create IPv4 Static Route Service dialog box is displayed.
      3. Set parameters, as shown in Figure 20. Click OK.

        | Destination IP Address | Subnet Mask | Next Hop |
        |---|---|---|
        | 10.10.10.0 | 255.255.255.0 | 10.10.100.1 |
        | 10.10.20.0 | 255.255.255.0 | 10.10.100.1 |
        | 0.0.0.0 | 0.0.0.0 | 1.1.1.1 |

        Figure 20 Configuring a specific route to the intranet and a default static route to the public network

    • Configure the DNS server function.
      1. Choose IP Service > DNS. The DNS tab page is displayed.
      2. In the DNS Setting area, click Enabled for DNS proxy(IPv4), and click Apply.
      3. In the DNS Server Configuration List(IPv4 Address) area, click Create. The Create IPv4 DNS Server dialog box is displayed.
      4. Set DNS server IPv4 address to 2.2.2.2, as shown in Figure 21. Click OK.
        Figure 21 Configuring a DNS server

  7. Configure DHCP snooping and IPSG on access switches.

    After the DHCP function is configured, intranet users in each department can obtain IP addresses automatically. To prevent intranet users from connecting an unauthorized router to the intranet and enabling the DHCP function on it, configure the DHCP snooping function so that valid intranet users can connect to the Internet successfully. Additionally, to prevent intranet users from changing their IP addresses to attack the network, enable the IPSG function on access switches. ACC1 is used as an example.

    • Configure the DHCP snooping function.
      1. Choose Configuration > Security Services > IP Security > DHCP Snooping. The DHCP Snooping tab page is displayed.
      2. Set Global status to ON.
      3. Add Eth-Trunk1 to Trusted port, as shown in Figure 22. Click Apply.
        Figure 22 Configure a trusted port

      4. In the Interface List area, select Eth-Trunk1, Ethernet0/0/2, and Ethernet0/0/3, and click Enable, as shown in Figure 23. The DHCP snooping function is enabled on the interface that connects to the DHCP server and on the interfaces that connect to terminals.
        Figure 23 Enabling the DHCP snooping function

    • Enable the IPSG function.
      1. Choose Configuration > Security Services > IP Security > IPSG. The IPSG tab page is displayed.
      2. Select Ethernet0/0/2 and Ethernet0/0/3 in the Select Interface area.
      3. Set parameters in the Configure IPSG area, as shown in Figure 24. Click Apply.
        • IPSG status: ON
        • IPSG matching option: IP, MAC, and VLAN
        Figure 24 Enabling the IPSG function

  8. Save the configuration.

    Click Save in the upper right corner. The system saves all configurations to the configuration file.
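
How the DHCP snooping and IPSG settings from step 7 act on traffic at ACC1, as an added example that is not part of the original page or Huawei's code. It is a simplified model: the port names, VLAN and matching option come from this page, while the MAC addresses, the rogue offer 10.10.10.66 and the other sample packets are constructed.

```python
from dataclasses import dataclass, field

TRUSTED_PORTS = {"Eth-Trunk1"}                   # uplink toward the DHCP server on CORE
IPSG_PORTS = {"Ethernet0/0/2", "Ethernet0/0/3"}  # user ports with IPSG status ON
SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # DHCP messages only a server sends


@dataclass
class AccessSwitch:
    """Simplified model of ACC1; not Huawei's implementation."""
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, VLAN, port)
    pending: dict = field(default_factory=dict)   # client MAC -> (VLAN, port) of its REQUEST

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping decision for one DHCP message received on `port`."""
        if msg in SERVER_MSGS:
            if port not in TRUSTED_PORTS:
                return "drop"                     # server reply from a user port: rogue server
            if msg == "ACK" and client_mac in self.pending:
                req_vlan, req_port = self.pending.pop(client_mac)
                self.bindings[client_mac] = (ip, req_vlan, req_port)
            return "forward"
        if msg == "REQUEST":
            self.pending[client_mac] = (vlan, port)
        elif msg == "RELEASE":
            self.bindings.pop(client_mac, None)
        return "forward"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IPSG decision with the matching option 'IP, MAC, and VLAN'."""
        if port not in IPSG_PORTS:
            return "forward"
        entry = self.bindings.get(src_mac)
        if entry and entry[0] == src_ip and entry[1] == vlan:
            return "forward"
        return "drop"


def demo():
    """Constructed traffic for one client in department A (VLAN 10)."""
    sw, pc, other = AccessSwitch(), "00e0-fc00-0001", "00e0-fc00-0002"
    return [
        sw.dhcp("Ethernet0/0/2", 10, "REQUEST", pc),
        sw.dhcp("Ethernet0/0/3", 10, "ACK", pc, "10.10.10.66"),    # rogue router
        sw.dhcp("Eth-Trunk1", 10, "ACK", pc, "10.10.10.100"),      # lease from CORE
        sw.ip_packet("Ethernet0/0/2", 10, pc, "10.10.10.100"),     # leased address
        sw.ip_packet("Ethernet0/0/2", 10, pc, "10.10.10.200"),     # user changed the IP
        sw.ip_packet("Ethernet0/0/3", 10, other, "10.10.10.50"),   # static IP, no lease
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last verdict shows an operational consequence of IPSG: a host with a manually assigned address has no snooping binding, so its traffic is dropped on an IPSG-enabled port.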

Service Verification

  1. Select two PCs in a department to perform a ping test to verify Layer 2 communication.

    Use department A as an example, and assume that the IP address obtained by PC2 through DHCP is 10.10.10.100. Figure 25 shows the test result.

    Figure 25 Verifying Layer 2 communication between users in a department

  2. Select one PC in each department to perform a ping test to verify Layer 3 communication through VLANIF interfaces.

    Users in departments A and B communicate with each other at Layer 3 through VLANIF interfaces of CORE. If the ping test between PC1 and PC3 succeeds, these two departments can communicate with each other at Layer 3 through VLANIF interfaces. The ping command is similar to that in the first step.

  3. Select one PC in each department to perform a ping test to a public IP address to check whether intranet users can access the Internet normally.

    Use department A as an example, and ping the IP address of the public network gateway (IP address of the carrier's device connected to the egress router) from PC1 to check whether intranet users can access the Internet. If the ping test succeeds, intranet users can access the Internet normally. The ping command is similar to that in the first step.
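
When the Internet ping in step 3 fails, the first things to rule out are the acl2000 wildcard rules used by Easy IP NAT and the static routes on both devices. The check below is an added example, not part of the original page; the addresses are copied from this page, and the first-match ACL evaluation and longest-prefix route lookup are a simplified model of the devices' behaviour.

```python
import ipaddress as ipa

# Values copied from this page (data plan, steps 5 and 6).
ACL2000 = [(5, "permit", "10.10.10.0", "0.0.0.255"),
           (10, "permit", "10.10.20.0", "0.0.0.255"),
           (15, "permit", "10.10.100.0", "0.0.0.255")]
CORE_VLANIFS = {"VLANIF 10": "10.10.10.1/24", "VLANIF 20": "10.10.20.1/24",
                "VLANIF 100": "10.10.100.1/24"}
ROUTER_IFS = {"Ethernet0/0/1": "1.1.1.2/30", "Ethernet0/0/2": "10.10.100.2/24"}
ROUTER_ROUTES = [("10.10.10.0", "255.255.255.0", "10.10.100.1"),
                 ("10.10.20.0", "255.255.255.0", "10.10.100.1"),
                 ("0.0.0.0", "0.0.0.0", "1.1.1.1")]
CORE_ROUTES = [("0.0.0.0", "0.0.0.0", "10.10.100.2")]


def acl_permits(src, acl=ACL2000):
    """First match in rule-ID order; a wildcard bit of 1 means 'ignore this bit'."""
    s = int(ipa.IPv4Address(src))
    for _rule_id, action, addr, wildcard in sorted(acl):
        a, w = int(ipa.IPv4Address(addr)), int(ipa.IPv4Address(wildcard))
        if (s | w) == (a | w):
            return action == "permit"
    return False  # no rule matched: the source is not translated by NAT


def next_hop(routes, dst):
    """Longest-prefix match over (destination, mask, next hop) static routes."""
    best = None
    for net, mask, hop in routes:
        n = ipa.ip_network(f"{net}/{mask}")
        if ipa.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None


def on_link(hop, interfaces):
    """A static route is usable only if its next hop sits in a connected subnet."""
    return any(ipa.ip_address(hop) in ipa.ip_interface(c).network
               for c in interfaces.values())


def check_plan():
    problems = []
    for name, cidr in CORE_VLANIFS.items():
        net = ipa.ip_interface(cidr).network
        for host in (net.network_address + 1, net.broadcast_address - 1):
            if not acl_permits(str(host)):
                problems.append(f"{host} ({name}) is not permitted by acl2000")
            # VLANIF 100 is directly connected to the router, so it needs no static route.
            if name != "VLANIF 100" and next_hop(ROUTER_ROUTES, str(host)) != "10.10.100.1":
                problems.append(f"router has no return route to {host} via CORE")
    for device, routes, ifs in (("router", ROUTER_ROUTES, ROUTER_IFS),
                                ("CORE", CORE_ROUTES, CORE_VLANIFS)):
        problems += [f"{device}: next hop {hop} is not on a connected subnet"
                     for _net, _mask, hop in routes if not on_link(hop, ifs)]
    return problems
```

An empty list from `check_plan()` means the plan on this page is internally consistent; a new VLAN added on CORE without a matching ACL rule and return route shows up as two entries.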

Copyright © Huawei Technologies Co., Ltd.