Example for Configuring ACU2 and NGFW on Switches

Created: Feb 28, 2019 14:12:44

When a switch on the live network has both ACU2 and NGFW configured, redirection needs to be configured to ensure correct forwarding for the upstream and downstream traffic of STAs. In addition, the wireless traffic entering and leaving the switch must be processed according to the policies configured on NGFW.

Configuration Notes

On the NGFW side, the two fixed internal Ethernet interfaces are GE1/0/0 and GE1/0/1. On the switch side, the internal Ethernet interface numbers depend on the slot ID of the NGFW module. For example, when the NGFW module is installed in slot 1, the interface numbers are XGE1/0/0 and XGE1/0/1.

On the ACU2 side, the two fixed internal Ethernet interfaces are XGE0/0/1 and XGE0/0/2. On the switch side, the internal Ethernet interface numbers depend on the slot ID of the ACU2. For example, when the ACU2 is installed in slot 2, the interface numbers are XGE2/0/0 and XGE2/0/1.

Table 1-26 lists the products and versions to which this configuration example is applicable.

Table 1-26  Applicable products and versions

| Product Model | Software Version |
|---|---|
| S7700&S9700 | V200R007 and V200R008 |
| ACU2 | V200R005C10 and V200R005C20 |
| NGFW module | V100R001C10 and later versions |

Networking Requirements

Two switches are located on the network shown in Figure 1-29. Switch_1 has NGFW and ACU2 configured. Traffic policies are configured on NGFW.

The customer wants to use ACU2 to manage the wireless network, providing stable wireless service to STAs.

Figure 1-29  Configuring ACU2 and NGFW on switches 

Data Plan

Table 1-27, Table 1-28, and Table 1-29 provide the data plan.

Table 1-27  Eth-Trunk

| Device | Interface Number | Member Interfaces |
|---|---|---|
| Switch_2 | Eth-trunk0 | XGE0/0/1, XGE0/0/2 |
| Switch_1 | Eth-trunk0 | XGE3/0/2, XGE3/0/3 |
| Switch_1 | Eth-trunk1 | XGE2/0/0, XGE2/0/1 |
| ACU2_1 | Eth-trunk1 | XGE0/0/1, XGE0/0/2 |

Table 1-28  VLAN

| Device | Data | Remarks |
|---|---|---|
| Switch_2 | Eth-trunk0: transparently transmits the packets from VLAN 42. | Connected to Switch_1. |
| Switch_2 | GE0/0/1: VLAN 42 | Connected to AP. |
| Switch_1 | Eth-trunk0: transparently transmits the packets from VLAN 42. | Connected to Switch_2. |
| Switch_1 | Eth-trunk1: transparently transmits the packets from VLAN 42, VLAN 428. | Connected to ACU2_1. |
| Switch_1 | XGE1/0/0: transparently transmits the packets from VLAN 428. | Connected to NGFW_1. |
| Switch_1 | XGE1/0/1: transparently transmits the packets from VLAN 428. | Connected to NGFW_1. |
| Switch_1 | XGE3/0/1: transparently transmits the packets from VLAN 428. | Connected to an upper-layer device. |
| ACU2_1 | Eth-trunk1: transparently transmits the packets from VLAN 42, VLAN 428. | Connected to Switch_1. |
| NGFW_1 | XGE1/0/0: transparently transmits the packets from VLAN 428. | Connected to Switch_1. |
| NGFW_1 | XGE1/0/1: transparently transmits the packets from VLAN 428. | Connected to Switch_1. |

Table 1-29  IP Addresses

| Device | Data | Remarks |
|---|---|---|
| ACU2_1 | VLANIF428: 172.16.29.1/24 | Configure VLANIF 428 to assign IP addresses to STAs. |
| ACU2_1 | VLANIF42: 172.18.255.240/24 | Configure VLANIF 42 as the CAPWAP source address. |

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure Eth-Trunk on each switch and add interfaces to VLANs. Configure the interfaces connecting Switch_2 to the DHCP server and AP to implement network connectivity.

  2. Implement connections between ACU2 and Switch_1.

  3. Implement connections between NGFW and Switch_1.

  4. Configure wireless service on ACU2. Wireless service traffic is forwarded through tunnels, and ACU2_1 functions as a DHCP server to assign IP addresses to APs and STAs.

  5. Configure traffic policies on each interface of Switch_1 and Switch_2 to ensure that STAs can successfully go online. The configurations include:
    • Configure a redirection policy for the inbound traffic on Eth-Trunk 1, which is the internal interface between switch and ACU2, to redirect the upstream wireless traffic to XGE1/0/1, which is the internal interface between switch and NGFW. When traffic is forwarded from NGFW to XGE1/0/0, the traffic matches the inbound redirection policy again, and is forwarded to upstream interface XGE3/0/1.
    • Configure a redirection policy for the inbound traffic on XGE3/0/1 to redirect the downstream wireless traffic to XGE1/0/0, which is the internal interface between switch and NGFW. When traffic is forwarded from NGFW to XGE1/0/1, the traffic matches the inbound redirection policy again, and is forwarded to Eth-Trunk 0, which is the internal interface between switch and ACU2.
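
The redirect chain in step 5 can be checked offline against a saved Switch_1 configuration. The following is an added example, not part of the original post or of any Huawei tool: it resolves each inbound traffic policy to its redirect target, models the NGFW pair-interface as a wire, and traces VLAN 428 in both directions. The names `redirect_map`, `trace`, `passes_firewall` and `NGFW_WIRE` are hypothetical, and the embedded configuration is the Switch_1 file from this page trimmed to the redirect-related lines.

```python
import re

# Switch_1 configuration file from this page, trimmed to the redirect-related lines.
SWITCH_1_CFG = """\
traffic classifier service_vlan operator or precedence 50
 if-match vlan-id 428
#
traffic behavior Redirect_to_XGE3/0/1
 redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
 redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
 redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
 redirect interface XGigabitEthernet1/0/1
#
traffic policy Redirect_to_XGE3/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
 classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/1
#
interface Eth-Trunk1
 traffic-policy Redirect_to_XGE1/0/1 inbound
#
interface XGigabitEthernet1/0/0
 traffic-policy Redirect_to_XGE3/0/1 inbound
#
interface XGigabitEthernet1/0/1
 traffic-policy Redirect_to_ETH1 inbound
#
interface XGigabitEthernet3/0/1
 traffic-policy Redirect_to_XGE1/0/0 inbound
"""

# Switch-side ports of the NGFW module. pair-interface on NGFW_1 makes the firewall
# a wire: a frame sent into one port comes back on the other if policy permits it.
NGFW_WIRE = {"XGigabitEthernet1/0/0": "XGigabitEthernet1/0/1",
             "XGigabitEthernet1/0/1": "XGigabitEthernet1/0/0"}
HEADER = re.compile(r"(traffic classifier|traffic behavior|traffic policy|interface) (\S+)")

def redirect_map(cfg, vlan):
    """Return {ingress interface: redirect target} for inbound policies matching vlan."""
    vlans, behaviors, policies, applied = {}, {}, {}, {}
    kind = name = None
    for line in cfg.splitlines():
        words = line.split()
        if not words or not line.startswith(" "):    # section header, '#' or blank
            m = HEADER.match(line)
            kind, name = m.groups() if m else (None, None)
        elif kind == "traffic classifier" and words[:2] == ["if-match", "vlan-id"]:
            vlans[name] = int(words[2])
        elif kind == "traffic behavior" and words[:2] == ["redirect", "interface"]:
            behaviors[name] = words[2]
        elif kind == "traffic policy" and words[0] == "classifier":
            policies[name] = (words[1], words[3])    # (classifier, behavior)
        elif kind == "interface" and words[0] == "traffic-policy" and words[-1] == "inbound":
            applied[name] = words[1]
    return {port: behaviors[policies[pol][1]] for port, pol in applied.items()
            if pol in policies and policies[pol][1] in behaviors
            and vlans.get(policies[pol][0]) == vlan}

def trace(redirects, ingress, max_hops=8):
    """Follow a frame from ingress through the redirects and the NGFW wire."""
    path, port = [ingress], ingress
    for _ in range(max_hops):
        out = redirects.get(port)
        if out is None:              # no redirect on this port: normal forwarding
            return path
        path.append(out)
        if out not in NGFW_WIRE:     # left towards ACU2 or the upstream device
            return path
        port = NGFW_WIRE[out]        # crossed the firewall, re-enters the switch
        path.append(port)
    raise RuntimeError("redirect loop: " + " -> ".join(path))

def passes_firewall(path):
    """True if any hop of the path is one of the NGFW-facing ports."""
    return any(hop in NGFW_WIRE for hop in path)

if __name__ == "__main__":
    for start in ("Eth-Trunk1", "XGigabitEthernet3/0/1"):
        print(" -> ".join(trace(redirect_map(SWITCH_1_CFG, 428), start)))
```

A trace that returns only its ingress port, or a path for which `passes_firewall` is false, means VLAN 428 traffic in that direction is forwarded without crossing NGFW_1.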

Procedure

  1. Configure Eth-Trunks between Switch_1 and Switch_2.

    # Configure Switch_1.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_1
    [Switch_1] vlan batch 42 428
    [Switch_1] interface Eth-Trunk 0
    [Switch_1-Eth-Trunk0] port link-type trunk
    [Switch_1-Eth-Trunk0] port trunk allow-pass vlan 42
    [Switch_1-Eth-Trunk0] quit
    [Switch_1] interface XGigabitEthernet 3/0/2
    [Switch_1-XGigabitEthernet3/0/2] eth-trunk 0
    [Switch_1-XGigabitEthernet3/0/2] quit
    [Switch_1] interface XGigabitEthernet 3/0/3
    [Switch_1-XGigabitEthernet3/0/3] eth-trunk 0
    [Switch_1-XGigabitEthernet3/0/3] quit

    # Configure the connection between Switch_1 and upper-layer device.

    [Switch_1] interface XGigabitEthernet 3/0/1
    [Switch_1-XGigabitEthernet3/0/1] port link-type trunk
    [Switch_1-XGigabitEthernet3/0/1] port trunk allow-pass vlan 428
    [Switch_1-XGigabitEthernet3/0/1] quit

    # Configure Eth-trunk0 between Switch_2 and Switch_1.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch_2
    [Switch_2] vlan batch 42 428
    [Switch_2] interface Eth-Trunk 0
    [Switch_2-Eth-Trunk0] port link-type trunk
    [Switch_2-Eth-Trunk0] port trunk allow-pass vlan 42
    [Switch_2-Eth-Trunk0] quit
    [Switch_2] interface XGigabitEthernet 0/0/1
    [Switch_2-XGigabitEthernet0/0/1] eth-trunk 0
    [Switch_2-XGigabitEthernet0/0/1] quit
    [Switch_2] interface XGigabitEthernet 0/0/2
    [Switch_2-XGigabitEthernet0/0/2] eth-trunk 0
    [Switch_2-XGigabitEthernet0/0/2] quit

    # Configure the interfaces between Switch_2 and AP.

    [Switch_2] interface GigabitEthernet 0/0/1
    [Switch_2-GigabitEthernet0/0/1] port link-type trunk
    [Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 42
    [Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 42
    [Switch_2-GigabitEthernet0/0/1] quit

  2. Configure Eth-Trunks between Switch_1 and ACU2.

    # Configure Switch_1.

    [Switch_1] interface Eth-Trunk 1
    [Switch_1-Eth-Trunk1] port link-type trunk
    [Switch_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
    [Switch_1-Eth-Trunk1] quit
    [Switch_1] interface XGigabitEthernet 2/0/0  //Switch_1 connects to ACU2 through XGE2/0/0 and XGE2/0/1. The first digit 2 indicates that ACU2 is installed in slot 2 on Switch_1.
    [Switch_1-XGigabitEthernet2/0/0] eth-trunk 1
    [Switch_1-XGigabitEthernet2/0/0] quit
    [Switch_1] interface XGigabitEthernet 2/0/1
    [Switch_1-XGigabitEthernet2/0/1] eth-trunk 1
    [Switch_1-XGigabitEthernet2/0/1] quit

    # Configure ACU2_1 on Switch_1.

    <HUAWEI> system-view
    [HUAWEI] sysname ACU2_1
    [ACU2_1] vlan batch 42 428
    [ACU2_1] interface eth-trunk 1
    [ACU2_1-Eth-Trunk1] port link-type trunk
    [ACU2_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
    [ACU2_1-Eth-Trunk1] quit
    [ACU2_1] interface XGigabitEthernet0/0/1
    [ACU2_1-XGigabitEthernet0/0/1] eth-trunk 1
    [ACU2_1-XGigabitEthernet0/0/1] quit
    [ACU2_1] interface XGigabitEthernet0/0/2
    [ACU2_1-XGigabitEthernet0/0/2] eth-trunk 1
    [ACU2_1-XGigabitEthernet0/0/2] quit

  3. Configure the interfaces connecting Switch_1 to NGFW.

    # Configure Switch_1.

    [Switch_1] interface XGigabitEthernet 1/0/0
    [Switch_1-XGigabitEthernet1/0/0] port link-type trunk
    [Switch_1-XGigabitEthernet1/0/0] mac-address learning disable
    [Switch_1-XGigabitEthernet1/0/0] port trunk allow-pass vlan 428
    [Switch_1-XGigabitEthernet1/0/0] stp disable
    [Switch_1-XGigabitEthernet1/0/0] carrier up-hold-time 10000
    [Switch_1-XGigabitEthernet1/0/0] am isolate XGigabitEthernet1/0/1
    [Switch_1-XGigabitEthernet1/0/0] quit
    [Switch_1] interface XGigabitEthernet 1/0/1
    [Switch_1-XGigabitEthernet1/0/1] port link-type trunk
    [Switch_1-XGigabitEthernet1/0/1] mac-address learning disable
    [Switch_1-XGigabitEthernet1/0/1] port trunk allow-pass vlan 428
    [Switch_1-XGigabitEthernet1/0/1] stp disable
    [Switch_1-XGigabitEthernet1/0/1] carrier up-hold-time 10000
    [Switch_1-XGigabitEthernet1/0/1] am isolate XGigabitEthernet1/0/0
    [Switch_1-XGigabitEthernet1/0/1] quit

    # Configure NGFW_1 on Switch_1.

    <HUAWEI> system-view
    [HUAWEI] sysname NGFW_1
    [NGFW_1] vlan batch 428
    [NGFW_1] interface GigabitEthernet1/0/0
    [NGFW_1-GigabitEthernet1/0/0] portswitch
    [NGFW_1-GigabitEthernet1/0/0] port link-type trunk
    [NGFW_1-GigabitEthernet1/0/0] undo port trunk permit vlan 1
    [NGFW_1-GigabitEthernet1/0/0] port trunk permit vlan 428
    [NGFW_1-GigabitEthernet1/0/0] quit
    [NGFW_1] interface GigabitEthernet1/0/1
    [NGFW_1-GigabitEthernet1/0/1] portswitch
    [NGFW_1-GigabitEthernet1/0/1] port link-type trunk
    [NGFW_1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
    [NGFW_1-GigabitEthernet1/0/1] port trunk permit vlan 428
    [NGFW_1-GigabitEthernet1/0/1] quit
    [NGFW_1] pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1  //Add the two interfaces into an interface group. Traffic entering an interface is sent out through a fixed interface, without the need of looking up the routing or MAC address table.

    # Add the interfaces on NGFW_1 to the security zone.

    [NGFW_1] firewall zone trust
    [NGFW_1-zone-trust] add interface GigabitEthernet1/0/1
    [NGFW_1-zone-trust] quit
    [NGFW_1] firewall zone untrust
    [NGFW_1-zone-untrust] add interface GigabitEthernet1/0/0
    [NGFW_1-zone-untrust] quit

    # Configure an IPSec policy.

    NOTE:
    To facilitate verification, all packets within VLAN 428 are allowed in this example. Modify the IPSec policy after verification if necessary.

    [NGFW_1] security-policy
    [NGFW_1-policy-security] rule name policy1
    [NGFW_1-policy-security-rule-policy1] source-zone trust
    [NGFW_1-policy-security-rule-policy1] destination-zone untrust
    [NGFW_1-policy-security-rule-policy1] action permit
    [NGFW_1-policy-security-rule-policy1] quit
    [NGFW_1-policy-security] rule name policy2
    [NGFW_1-policy-security-rule-policy2] source-zone untrust
    [NGFW_1-policy-security-rule-policy2] destination-zone trust
    [NGFW_1-policy-security-rule-policy2] action permit
    [NGFW_1-policy-security-rule-policy2] quit
    [NGFW_1-policy-security] quit

  4. Configure wireless service on ACU2.

    # Configure ACU2_1 to assign IP addresses to APs and STAs.

    [ACU2_1] dhcp enable
    [ACU2_1] interface Vlanif42
    [ACU2_1-Vlanif42] ip address 172.18.255.240 255.255.255.0
    [ACU2_1-Vlanif42] dhcp select interface
    [ACU2_1-Vlanif42] quit
    [ACU2_1] interface Vlanif428
    [ACU2_1-Vlanif428] ip address 172.16.29.1 255.255.255.0
    [ACU2_1-Vlanif428] dhcp select interface
    [ACU2_1-Vlanif428] quit

    # Configure the country code.

    [ACU2_1] wlan ac-global country-code cn
    Warning: Modifying the country code will clear channel configurations of the AP radio using the country code and reset the AP. If the new country code does not support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

    # Configure the AC ID and carrier ID.

    [ACU2_1] wlan ac-global ac id 1 carrier id other
    Warning: Modify the carrier ID or AC ID may cause all of the AP offline, continue?[Y/N]:y

    # Configure the source interface on ACU2_1.

    [ACU2_1] capwap source interface vlanif42  

    # Configure basic WLAN services.

    [ACU2_1] wlan
    [ACU2_1-wlan-view] ap-auth-mode mac-auth
    [ACU2_1-wlan-view] ap id 1 type-id 19 mac 9c37-f48c-0c40
    [ACU2_1-wlan-ap-1] quit
    [ACU2_1-wlan-view] ap-region id 0
    [ACU2_1-wlan-ap-region-0] quit
    [ACU2_1-wlan-view] ap id 1
    [ACU2_1-wlan-ap-1] region-id 0
    [ACU2_1-wlan-ap-1] quit
    [ACU2_1-wlan-view] wmm-profile name wmm id 1
    [ACU2_1-wlan-wmm-prof-wmm] quit
    [ACU2_1-wlan-view] radio-profile name radio id 1
    [ACU2_1-wlan-radio-prof-radio] wmm-profile name wmm
    [ACU2_1-wlan-radio-prof-radio] quit
    [ACU2_1-wlan-view] quit
    [ACU2_1] interface wlan-ess 1
    [ACU2_1-Wlan-Ess1] port hybrid pvid vlan 428
    [ACU2_1-Wlan-Ess1] port hybrid untagged vlan 428
    [ACU2_1-Wlan-Ess1] quit
    [ACU2_1] wlan
    [ACU2_1-wlan-view] security-profile name security id 1
    [ACU2_1-wlan-sec-prof-security] quit
    [ACU2_1-wlan-view] traffic-profile name traffic id 1
    [ACU2_1-wlan-traffic-prof-traffic] quit
    [ACU2_1-wlan-view] service-set name huawei id 1
    [ACU2_1-wlan-service-set-huawei] ssid huawei
    [ACU2_1-wlan-service-set-huawei] wlan-ess 1
    [ACU2_1-wlan-service-set-huawei] security-profile name security
    [ACU2_1-wlan-service-set-huawei] traffic-profile name traffic
    [ACU2_1-wlan-service-set-huawei] service-vlan 428
    [ACU2_1-wlan-service-set-huawei] forward-mode tunnel
    [ACU2_1-wlan-service-set-huawei] quit
    [ACU2_1-wlan-view] ap 1 radio 0
    [ACU2_1-wlan-radio-0/0] radio-profile name radio
    [ACU2_1-wlan-radio-0/0] service-set name huawei
    [ACU2_1-wlan-radio-0/0] quit
    [ACU2_1-wlan-view] commit ap 1
    [ACU2_1-wlan-view] quit

  5. Configure traffic policies on each interface of Switch_1.

    # Configure a traffic classifier.

    [Switch_1] traffic classifier service_vlan operator or precedence 50
    [Switch_1-classifier-service_vlan] if-match vlan-id 428  //Configure a traffic classifier to match wireless service VLAN.
    [Switch_1-classifier-service_vlan] quit

    # Configure a traffic behavior.

    [Switch_1] traffic behavior Redirect_to_XGE3/0/1
    [Switch_1-behavior-Redirect_to_XGE3/0/1] permit
    [Switch_1-behavior-Redirect_to_XGE3/0/1] redirect interface XGigabitEthernet3/0/1
    [Switch_1-behavior-Redirect_to_XGE3/0/1] quit
    [Switch_1] traffic behavior Redirect_to_ETH1
    [Switch_1-behavior-Redirect_to_ETH1] permit
    [Switch_1-behavior-Redirect_to_ETH1] redirect interface Eth-Trunk1
    [Switch_1-behavior-Redirect_to_ETH1] quit
    [Switch_1] traffic behavior Redirect_to_XGE1/0/0
    [Switch_1-behavior-Redirect_to_XGE1/0/0] permit
    [Switch_1-behavior-Redirect_to_XGE1/0/0] redirect interface XGigabitEthernet1/0/0
    [Switch_1-behavior-Redirect_to_XGE1/0/0] quit
    [Switch_1] traffic behavior Redirect_to_XGE1/0/1
    [Switch_1-behavior-Redirect_to_XGE1/0/1] permit
    [Switch_1-behavior-Redirect_to_XGE1/0/1] redirect interface XGigabitEthernet1/0/1
    [Switch_1-behavior-Redirect_to_XGE1/0/1] quit

    # Configure traffic policies.

    [Switch_1] traffic policy Redirect_to_XGE3/0/1 match-order config
    [Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] classifier service_vlan behavior Redirect_to_XGE3/0/1
    [Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] quit
    [Switch_1] traffic policy Redirect_to_ETH1 match-order config
    [Switch_1-trafficpolicy-Redirect_to_ETH1] classifier service_vlan behavior Redirect_to_ETH1
    [Switch_1-trafficpolicy-Redirect_to_ETH1] quit
    [Switch_1] traffic policy Redirect_to_XGE1/0/0 match-order config
    [Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] classifier service_vlan behavior Redirect_to_XGE1/0/0
    [Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] quit
    [Switch_1] traffic policy Redirect_to_XGE1/0/1 match-order config
    [Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] classifier service_vlan behavior Redirect_to_XGE1/0/1
    [Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] quit

    # Apply a traffic policy to Eth-Trunk 1.

    [Switch_1] interface Eth-Trunk1
    [Switch_1-Eth-Trunk1] traffic-policy Redirect_to_XGE1/0/1 inbound  //Redirect wireless service traffic forwarded by ACU2 to XGE1/0/1 of Switch_1. This interface connects to GE1/0/1 of NGFW_1.
    [Switch_1-Eth-Trunk1] quit

    # Apply a traffic policy to XGE1/0/0.

    [Switch_1] interface XGigabitEthernet 1/0/0
    [Switch_1-XGigabitEthernet1/0/0] traffic-policy Redirect_to_XGE3/0/1 inbound  //Redirect the wireless traffic forwarded by NGFW to XGE3/0/1.
    [Switch_1-XGigabitEthernet1/0/0] quit

    # Apply a traffic policy to XGE3/0/1.

    [Switch_1] interface XGigabitEthernet 3/0/1
    [Switch_1-XGigabitEthernet3/0/1] traffic-policy Redirect_to_XGE1/0/0 inbound  //Redirect downstream wireless traffic to XGE1/0/0 of Switch_1. This interface connects to GE1/0/0 of NGFW_1.
    [Switch_1-XGigabitEthernet3/0/1] quit

    # Apply a traffic policy to XGE1/0/1.

    [Switch_1] interface XGigabitEthernet 1/0/1
    [Switch_1-XGigabitEthernet1/0/1] traffic-policy Redirect_to_ETH1 inbound  //Redirect wireless service traffic forwarded by NGFW to Eth-Trunk1 of Switch_1. This interface connects to Eth-Trunk1 of ACU2_1.
    [Switch_1-XGigabitEthernet1/0/1] quit

  6. Verify the configuration.

    # Check the configurations on Switch_1.

    <Switch_1> display device
    S7703's Device status:
    Slot  Sub Type         Online    Power      Register       Status     Role
    -------------------------------------------------------------------------------
    1     -   ET1D2FW00S00 Present   PowerOn    Registered     Normal     NA
    2     -   ACU2         Present   PowerOn    Registered     Normal     NA
    3     -   ES0D0X4UXA00 Present   PowerOn    Registered     Normal     NA
    4     -   ES0D00MCUA00 Present   PowerOn    Registered     Normal     Master
    PWR1  -   -            Present   PowerOn    Registered     Normal     NA
    FAN1  -   -            Present   PowerOn    Registered     Normal     NA

    # Check that the Eth-Trunk 1 status between ACU2 and Switch_1 is normal.

    <ACU2_1> display interface brief | include up
    PHY: Physical
    *down: administratively down
    (l): loopback
    (s): spoofing
    (b): BFD down
    (e): ETHOAM down
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
    Eth-Trunk1                  up    up        0.01%  0.01%          0          0
      XGigabitEthernet0/0/1     up    up        0.01%  0.01%          0          0
      XGigabitEthernet0/0/2     up    up           0%     0%          0          0

    # After an AP is powered on, check that the AP status is normal.

    <ACU2_1> display ap all
      All AP information:
      Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
      Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
      ------------------------------------------------------------------------------
      AP    AP               AP              Profile   AP              AP
                                             /Region
      ID    Type             MAC             ID        State           Sysname
      ------------------------------------------------------------------------------
      1     AP6010DN-AGN     9c37-f48c-0c40    0/0     normal          ap-1
      ------------------------------------------------------------------------------
      Total number: 1,printed: 1

    # Check that the STAs are online.

    <ACU2_1> display access-user
     ----------------------------------------------------------------------------------------------- 
     UserID Username                       IP address                MAC            Status 
     -----------------------------------------------------------------------------------------------
     68     986cf56f7e20                   172.16.29.254               986c-f56f-7e20 Success 
     -----------------------------------------------------------------------------------------------
     Total: 1, printed: 1

    # Check that traffic statistics on each interface of Switch_1 are correct.

    <Switch_1> display interface Eth-Trunk0
    Eth-Trunk0 current state : UP
    Line protocol current state : UP
    Description: to Core
    Switch Port, Link-type : trunk(configured),
    PVID :    1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current BW: 40G, The Maximum Frame Length is 9216
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
    Current system time: 2016-03-12 17:16
    Last 300 seconds input rate 5128 bits/sec, 5 packets/sec
    Last 300 seconds output rate 7184 bits/sec, 6 packets/sec
    Input:  996134 packets, 122502357 bytes
      Unicast:                     871023,  Multicast:                       17723
      Broadcast:                   107988,  Jumbo:                               0
      Discard:                          0,  Pause:                               0
      Frames:                           0
    
      Total Error:                      0
      CRC:                              0,  Giants:                              0
      Jabbers:                          0,  Fragments:                           0
      Runts:                            0,  DropEvents:                          0
      Alignments:                       0,  Symbols:                             0
      Ignoreds:                         0,  Frames:                              0
    
    Output:  1085606 packets, 134379838 bytes
      Unicast:                     309565,  Multicast:                      343925
      Broadcast:                   432116,  Jumbo:                               0
      Discard:                          0,  Pause:                               0
    
      Total Error:                      0
      Collisions:                       0,  ExcessiveCollisions:                 0
      Late Collisions:                  0,  Deferreds:                           0
      Buffers Purged:                   0
    
        Input bandwidth utilization  :    0%
        Output bandwidth utilization :    0%
    -----------------------------------------------------
    PortName                      Status      Weight
    -----------------------------------------------------
    XGigabitEthernet3/0/2         UP          1
    XGigabitEthernet3/0/3         UP          1
    -----------------------------------------------------
    The Number of Ports in Trunk : 2
    The Number of UP Ports in Trunk : 2
    <Switch_1> display interface Eth-Trunk1
    Eth-Trunk0 current state : UP
    Line protocol current state : UP
    Description: to ACU_1 Slot2
    Switch Port, Link-type : trunk(configured),
    PVID :    1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current BW: 40G, The Maximum Frame Length is 9216
    IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
    Current system time: 2016-03-12 17:16
    Last 300 seconds input rate 5608 bits/sec, 4 packets/sec
    Last 300 seconds output rate 6480 bits/sec, 4 packets/sec
    Input:  1046610 packets, 131462045 bytes
      Unicast:                     568448,  Multicast:                       41189
      Broadcast:                   433973,  Jumbo:                             333
      Discard:                          0,  Pause:                               0
      Frames:                           0
    
      Total Error:                      0
      CRC:                              0,  Giants:                              0
      Jabbers:                          0,  Fragments:                           0
      Runts:                            0,  DropEvents:                          0
      Alignments:                       0,  Symbols:                             0
      Ignoreds:                         0,  Frames:                              0
    
    Output:  1603637 packets, 226275601 bytes
      Unicast:                    1114078,  Multicast:                      381346
      Broadcast:                   108213,  Jumbo:                               0
      Discard:                          0,  Pause:                               0
    
      Total Error:                      0
      Collisions:                       0,  ExcessiveCollisions:                 0
      Late Collisions:                  0,  Deferreds:                           0
      Buffers Purged:                   0
    
        Input bandwidth utilization  :    0%
        Output bandwidth utilization :    0%
    -----------------------------------------------------
    PortName                      Status      Weight
    -----------------------------------------------------
    XGigabitEthernet2/0/0         UP          1
    XGigabitEthernet2/0/1         UP          1
    -----------------------------------------------------
    The Number of Ports in Trunk : 2
    The Number of UP Ports in Trunk : 2

Configuration Files

  • Switch_1 configuration file

    #
    sysname Switch_1
    #
    vlan batch  42 428 
    #
    traffic classifier service_vlan operator or precedence 50
     if-match vlan-id 428
    #
    traffic behavior Redirect_to_XGE3/0/1
     permit
     redirect interface XGigabitEthernet3/0/1
    traffic behavior Redirect_to_ETH1
     permit
     redirect interface Eth-Trunk1
    traffic behavior Redirect_to_XGE1/0/0
     permit
     redirect interface XGigabitEthernet1/0/0
    traffic behavior Redirect_to_XGE1/0/1
     permit
     redirect interface XGigabitEthernet1/0/1
    #
    traffic policy Redirect_to_XGE3/0/1 match-order config
     classifier service_vlan behavior Redirect_to_XGE3/0/1
    traffic policy Redirect_to_ETH1 match-order config
     classifier service_vlan behavior Redirect_to_ETH1
    traffic policy Redirect_to_XGE1/0/0 match-order config
     classifier service_vlan behavior Redirect_to_XGE1/0/0
    traffic policy Redirect_to_XGE1/0/1 match-order config
     classifier service_vlan behavior Redirect_to_XGE1/0/1
    #
    interface Eth-Trunk0
     description to Core
     port link-type trunk
     port trunk allow-pass vlan 42
    #
    interface Eth-Trunk1
     description to ACU_1 Slot2
     port link-type trunk
     port trunk allow-pass vlan 42 428
     traffic-policy Redirect_to_XGE1/0/1 inbound
    #
    interface XGigabitEthernet1/0/0
     port link-type trunk
     mac-address learning disable
     port trunk allow-pass vlan 428
     stp disable
     traffic-policy Redirect_to_XGE3/0/1 inbound
     carrier up-hold-time 10000
     am isolate XGigabitEthernet1/0/1
    #
    interface XGigabitEthernet1/0/1
     port link-type trunk
     mac-address learning disable
     port trunk allow-pass vlan 428
     stp disable
     traffic-policy Redirect_to_ETH1 inbound
     carrier up-hold-time 10000
     am isolate XGigabitEthernet1/0/0
    #
    interface XGigabitEthernet2/0/0
     eth-trunk 1
    #
    interface XGigabitEthernet2/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet3/0/1
     port link-type trunk
     port trunk allow-pass vlan 428
     traffic-policy Redirect_to_XGE1/0/0 inbound
    #
    interface XGigabitEthernet3/0/2
     eth-trunk 0
    #
    interface XGigabitEthernet3/0/3
     eth-trunk 0
    #
    return
  • Switch_2 configuration file

    #
    sysname Switch_2
    #
    vlan batch 42
    #
    interface Eth-Trunk0
     port link-type trunk
     port trunk allow-pass vlan 42
    #
    interface XGigabitEthernet0/0/1
     eth-trunk 0
    #
    interface XGigabitEthernet0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk pvid vlan 42
     port trunk allow-pass vlan 42
    #
    return
  • ACU2_1 configuration file

    #
     sysname ACU2_1
    #
    vlan batch 42 428 
    #
    wlan ac-global carrier id other ac id 1
    #
    dhcp enable
    #
    interface Vlanif42
     ip address 172.18.255.240 255.255.255.0
     dhcp select interface
    #
    interface Vlanif428
     ip address 172.16.29.1 255.255.255.0
     dhcp select interface
    #
    interface Eth-Trunk1
     port link-type trunk
     port trunk allow-pass vlan 42 428
    #
    interface XGigabitEthernet0/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet0/0/2
     eth-trunk 1
    #
    interface Wlan-Ess1
     port hybrid pvid vlan 428
     port hybrid untagged vlan 428
    #
    capwap source interface vlanif42
    #
    wlan
     ap-region id 0
     ap-auth-mode mac-auth
     ap id 1 type-id 19 mac 9c37-f48c-0c40 sn 21023585619WF6000564
        region-id 0
     wmm-profile name wmm id 1
     traffic-profile name traffic id 1
     security-profile name security id 1
     service-set name huawei id 1
      forward-mode tunnel
      wlan-ess 1
      ssid huawei
      traffic-profile id 1
      security-profile id 1
      service-vlan 428
     radio-profile name radio id 1
      wmm-profile id 1
     ap 1 radio 0
      radio-profile id 1
      service-set id 1 wlan 1
    #
    return
  • NGFW_1 configuration file
    #
     sysname NGFW_1
    #
     vlan batch 428
    #
     pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1
    #
    interface GigabitEthernet1/0/0
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 428
    #
    interface GigabitEthernet1/0/1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 428
    #
    firewall zone trust
     set priority 85 
     add interface GigabitEthernet1/0/1
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet1/0/0
    #
    security-policy
     rule name policy1
      source-zone trust
      destination-zone untrust
      action permit
     rule name policy2
      source-zone untrust
      destination-zone trust
      action permit
    #
    return
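
The NOTE in step 3 says that both rules permit all VLAN 428 packets to ease verification and should be modified afterwards. The following added example (not part of the original post or of any Huawei tool) scans an NGFW configuration for permit rules that are limited only by zones and labels each with its direction, using the zone priorities from the NGFW_1 file on this page. The rule `sta_web` is constructed for illustration, and the `NARROWING` keyword set and the function names are assumptions of this example.

```python
# Zone and security-policy sections of the NGFW_1 configuration file on this
# page, plus one constructed rule (sta_web) to show a rule that is not flagged.
NGFW_1_CFG = """\
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy2
  source-zone untrust
  destination-zone trust
  action permit
 rule name sta_web
  source-zone trust
  destination-zone untrust
  source-address 172.16.29.0 24
  service http
  action permit
#
"""

# Rule keywords this check treats as narrowing a rule (assumed set; extend as needed).
NARROWING = {"source-address", "destination-address", "service",
             "application", "user", "time-range"}


def parse(cfg):
    """Return ({zone: priority}, [rule dicts]) from a configuration dump."""
    zones, rules = {}, []
    section = zone = rule = None
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):                 # top-level line or '#'
            section, rule = words[0], None
            zone = words[2] if words[:2] == ["firewall", "zone"] else None
        elif zone and words[:2] == ["set", "priority"]:
            zones[zone] = int(words[2])
        elif section == "security-policy" and words[:2] == ["rule", "name"]:
            rule = {"name": words[2], "action": None, "src": None, "dst": None, "match": []}
            rules.append(rule)
        elif rule is not None:
            if words[0] == "action":
                rule["action"] = words[1]
            elif words[0] == "source-zone":
                rule["src"] = words[1]
            elif words[0] == "destination-zone":
                rule["dst"] = words[1]
            elif words[0] in NARROWING:
                rule["match"].append(" ".join(words))
    return zones, rules


def permit_all_rules(cfg):
    """List (name, src zone, dst zone, direction) for permit rules limited only by zones."""
    zones, rules = parse(cfg)
    findings = []
    for r in rules:
        if r["action"] != "permit" or r["match"]:
            continue
        # Lower-priority zone to higher-priority zone is the inbound direction.
        src_p, dst_p = zones.get(r["src"]), zones.get(r["dst"])
        if src_p is None or dst_p is None:
            direction = "unknown"
        else:
            direction = "inbound" if src_p < dst_p else "outbound"
        findings.append((r["name"], r["src"], r["dst"], direction))
    return findings


if __name__ == "__main__":
    for name, src, dst, direction in permit_all_rules(NGFW_1_CFG):
        print(f"{name}: permit all {src} -> {dst} ({direction})")
```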

For more information, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

