The Huawei ME60 can communicate with RADIUS servers from different vendors through the RADIUS attribute translation function.
Run:
system-view
The system view is displayed.
Run:
radius-server group group-name
The RADIUS server group view is displayed.
Run:
radius-server attribute translate
RADIUS attribute translation is enabled.
Run:
radius-attribute translate extend src-attr-description dest-attr-description { access-accept | { access-request | account } * }
RADIUS attribute translation is configured.
NOTE:
You can configure translation of up to 64 attributes on the ME60-X3
Friday, February 28, 2014
Sunday, February 23, 2014
Configuration Example of the RADIUS Authentication
The Huawei MA5680T is interconnected with the RADIUS server through the RADIUS protocol to implement authentication.
Configure the authentication scheme.
Configure authentication scheme newscheme (users are authenticated through RADIUS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#quit
Configure the RADIUS protocol.
Create RADIUS server template template1. RADIUS server 10.10.66.66 functions as the primary authentication server, and RADIUS server 10.10.66.67 functions as the secondary authentication server.
huawei(config)#radius-server template template1
Note: Create a new server template
huawei(config-radius-template1)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-template1)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-template1)#quit
Create a domain.
Create domain isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain
Reference the authentication scheme.
You can reference an authentication scheme in a domain only after the authentication scheme is created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme
Reference the RADIUS server template.
You can reference a RADIUS server template in a domain only after the RADIUS server template is created.
huawei(config-aaa-domain-isp1)#radius-server template1
huawei(config-aaa-domain-isp1)#quit
Thursday, February 20, 2014
Configuration Example of the IPv4 Static Route
This topic describes how to manually add the IPv4 static route to implement the interconnection between MA5683T /MA5600
Configure the IP address of the Layer 3 interface.
The configurations for the three MA5600T/MA5603T devices are the same. The configuration of the MA5600T/MA5603T is considered as an example.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/19 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 1.1.1.2 24
huawei(config-if-vlanif2)#ip address 1.1.2.1 24 sub
huawei(config-if-vlanif2)#quit
Configure IPv4 static routes.
Configure an IPv4 static route for MA5600T/MA5603T_A.
huawei(config)#ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
huawei(config)#ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
Configure an IPv4 static route for MA5600T/MA5603T_B.
huawei(config)#ip route-static 1.1.5.0 255.255.255.0 1.1.3.1
huawei(config)#ip route-static 1.1.1.0 255.255.255.0 1.1.3.1
Configure IPv4 static routes for MA5600T/MA5603T_C.
huawei(config)#ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
huawei(config)#ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
Configure the host gateways.
Configure the default gateway of Host A to 1.1.1.2.
Configure the default gateway of Host B to 1.1.4.2.
Configure the default gateway of Host C to 1.1.5.2.
Save the data.
huawei#save
Configuration example of MA5600T/MA5603T_A.
vlan 2 smart
port vlan 2 0/19 0
interface vlanif 2
ip address 1.1.1.2 24
ip address 1.1.2.1 24 sub
quit
ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
Configuring Spatial Multicast
Only the NE80E/40E-X8 and ME60 /NE40E-X8 support spatial multicast.
Run:
system-view
The system view is displayed.
Run:
spatial-multicast
The spatial multicast view is displayed.
Run:
spatial-multicast slot slot-id1 [ to slot-id2 ]
Spatial multicast is enabled on the board that resides in the specified slot.
Run:
spatial-multicast { p2mp-te | mldp } bandwidth bandwidth-value
The spatial multicast bandwidth is configured for P2MP traffic to implement load balancing.
Run:
commit
The configuration is committed.
Monday, February 17, 2014
Configuration Example of the RADIUS Authentication
The MA5600 is interconnected with the RADIUS server through the RADIUS protocol to implement authentication.
Configure the authentication scheme.
Configure authentication scheme newscheme (users are authenticated through RADIUS).
huawei(config)#aaa
huawei(config-aaa)#authentication-scheme newscheme
huawei(config-aaa-authen-newscheme)#authentication-mode radius
huawei(config-aaa-authen-newscheme)#quit
huawei(config-aaa)#quit
Configure the RADIUS protocol.
Create RADIUS server template template1. RADIUS server 10.10.66.66 functions as the primary authentication server, and RADIUS server 10.10.66.67 functions as the secondary authentication server.
huawei(config)#radius-server template template1
Note: Create a new server template
huawei(config-radius-template1)#radius-server authentication 10.10.66.66 1812
huawei(config-radius-template1)#radius-server authentication 10.10.66.67 1812 secondary
huawei(config-radius-template1)#quit
Create a domain.
Create domain isp1.
huawei(config)#aaa
huawei(config-aaa)#domain isp1
Info: Create a new domain
Reference the authentication scheme.
You can reference an authentication scheme in a domain only after the authentication scheme is created.
huawei(config-aaa-domain-isp1)#authentication-scheme newscheme
Reference the RADIUS server template.
You can reference a RADIUS server template in a domain only after the RADIUS server template is created.
huawei(config-aaa-domain-isp1)#radius-server template1
huawei(config-aaa-domain-isp1)#quit
Sunday, February 16, 2014
Configuring huawei MA5600
Configure the IP address of the L3 interface.
huawei(config)#vlan 2 smart
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.0.0.2 24
huawei(config-if-vlanif2)#quit
Configure the ACL.
huawei(config)#acl 2000
huawei(config-acl-basic-2000)#rule deny source 30.0.0.0 255.255.255.0
huawei(config-acl-basic-2000)#rule permit source any
huawei(config-acl-basic-2000)#quit
Enable OSPF and specify the area ID to which the interface belongs.
huawei(config)#ospf
huawei(config-ospf-1)#area 0
huawei(config-ospf-1-area-0.0.0.0)#network 10.0.0.0 0.0.0.255
huawei(config-ospf-1-area-0.0.0.0)#quit
huawei(config-ospf-1)#quit
Configure the OSPF router ID.
huawei(config)#router id 2.2.2.2
Filter imported routes.
huawei(config)#ospf
huawei(config-ospf-1)#filter-policy 2000 import
huawei(config-ospf-1)#quit
Save the data.
huawei(config)#save
Thursday, February 13, 2014
Configuring Local Flow Mirroring
LS-S2326TP-EI-AC does not support flow mirroring.
1. Create a VLAN on the Switch and add interfaces to the VLAN in trunk mode.
# Add Ethernet 0/0/1, Ethernet 0/0/3, and Ethernet 0/0/5 to the same VLAN in trunk mode.
The following takes the configuration of Ethernet 0/0/1 as an example. The configurations of Ethernet 0/0/3 and Ethernet 0/0/5 are the same as the configuration of Ethernet 0/0/1 and are not mentioned here.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface ethernet 0/0/1
[Switch-Ethernet0/0/1] port link-type trunk
[Switch-Ethernet0/0/1] port trunk allow-pass vlan 10
[Switch-Ethernet0/0/1] quit
2. Configure an observing port.
# Set Ethernet 0/0/24 as the observing port.
[Switch] observe-port 1 interface ethernet 0/0/24
3. Create a traffic classifier.
# Create traffic classifier c1 and set the traffic classification rule so that only packets with 802.1p priority 6 are matched.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match 8021p 6
[Switch-classifier-c1] quit
4. Create a traffic behavior.
# Create traffic behavior b1 and configure flow mirroring in the traffic behavior.
[Switch] traffic behavior b1
[Switch-behavior-b1] mirroring to observe-port 1
[Switch-behavior-b1] quit
5. Create a traffic policy.
# Create a traffic policy and bind traffic classifier c1 to traffic behavior b1.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
6. Apply the traffic policy and enable the interface to trust the 802.1p priority of packets.
# Apply traffic policy p1 to Ethernet 0/0/1 and Ethernet 0/0/5, and enable Ethernet 0/0/1 and Ethernet 0/0/5 to trust the 802.1p priority of packets.
[Switch] interface ethernet 0/0/1
[Switch-Ethernet0/0/1] traffic-policy p1 inbound
[Switch-Ethernet0/0/1] trust 8021p
[Switch-Ethernet0/0/1] quit
[Switch] interface ethernet 0/0/5
[Switch-Ethernet0/0/5] traffic-policy p1 inbound
[Switch-Ethernet0/0/5] trust 8021p
[Switch-Ethernet0/0/5] quit
7. Verify the configuration.
# Run the display port-mirroring command. You can check the observing port.
[Switch] display port-mirroring
Stream-mirror:
----------------------------------------------------------------------
Behavior            Direction  Observe-port
----------------------------------------------------------------------
b1                  -          Ethernet0/0/24
----------------------------------------------------------------------
# Run the display traffic policy interface command. You can check the traffic policy applied to Ethernet 0/0/1 and Ethernet 0/0/5.
[Switch] display traffic policy interface
Interface: Ethernet0/0/1
  Direction: Inbound
  Policy: p1
    Classifier: c1
      Operator: AND
      Rule(s) : if-match 8021p 6
    Behavior: b1
      Mirroring to observe-port 1
Interface: Ethernet0/0/5
  Direction: Inbound
  Policy: p1
    Classifier: c1
      Operator: AND
      Rule(s) : if-match 8021p 6
    Behavior: b1
      Mirroring to observe-port 1
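What classifier c1 selects for the observing port, as an added example (not part of the original post or the switch software): it parses the 802.1Q tag of constructed frames and applies the priority-6 match, assuming untagged frames do not match. The function names and sample frames are hypothetical.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q VLAN tag
MATCH_PCP = 6         # from "if-match 8021p 6" in classifier c1

def parse_tag(frame: bytes):
    """Return (pcp, vlan_id) for an 802.1Q-tagged frame, or None if untagged or too short."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF      # PCP is the top 3 bits, VLAN ID the low 12

def is_mirrored(frame: bytes) -> bool:
    """Assumption: only tagged frames whose 802.1p priority equals 6 match c1."""
    tag = parse_tag(frame)
    return tag is not None and tag[0] == MATCH_PCP

def make_frame(pcp=None, vlan=10) -> bytes:
    """Constructed sample frame; pcp=None builds an untagged frame."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if pcp is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

def sensor_view(frames):
    """Count frames copied to observe-port 1 versus frames the sensor never sees."""
    seen = sum(1 for f in frames if is_mirrored(f))
    return seen, len(frames) - seen

if __name__ == "__main__":
    # One frame per priority 0..7 in VLAN 10, plus one untagged frame
    traffic = [make_frame(p) for p in range(8)] + [make_frame()]
    mirrored, unseen = sensor_view(traffic)
    print(f"mirrored={mirrored} not_mirrored={unseen}")
```

A monitoring device on Ethernet 0/0/24 therefore receives only the priority-6 subset of inbound traffic on the two policy-bound interfaces, which matters when sizing what that sensor can and cannot detect.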
Wednesday, February 12, 2014
Configuring the Multicast Mode NTP
MA5600_S uses the local clock as the master NTP clock on stratum 2 and works in the multicast NTP mode. It sends multicast clock synchronization packets periodically through IP address 10.10.10.10/24 of the L3 interface of VLAN 2 and is enabled with the NTP authentication function (the ID of the MD5 authentication key is set to 10, the key is set to BetterKey, and the authentication key is declared to be reliable). MA5600_C functions as the NTP client: it listens to the multicast packets sent from the server through IP address 10.10.10.20/24 of the L3 interface of VLAN 2 and synchronizes with the clock on the multicast server.
To perform these configurations, do as follows:
On MA5600_S:
huawei(config)#ntp-service authentication enable
huawei(config)#ntp-service authentication-keyid 10 authentication-mode md5 BetterKey
huawei(config)#ntp-service reliable authentication-keyid 10
huawei(config)#ntp-service refclock-master 2
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.10 24
huawei(config-if-vlanif2)#ntp-service multicast-server
huawei(config-if-vlanif2)#quit
On MA5600_C:
huawei(config)#vlan 2 standard
huawei(config)#port vlan 2 0/7 0
huawei(config)#interface vlanif 2
huawei(config-if-vlanif2)#ip address 10.10.10.20 24
huawei(config-if-vlanif2)#ntp-service multicast-client
huawei(config-if-vlanif2)#quit
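How the MD5 authentication configured above protects the multicast packets, as an added example (not from the original post or Huawei's code): it follows the standard NTP symmetric-key MAC (32-bit key ID plus MD5 over key and header, RFC 5905) and assumes the listener also holds key 10 as a trusted key, which the MA5600_C commands above do not show. The header field values are constructed.

```python
import hashlib
import hmac
import struct

KEY_ID = 10          # authentication-keyid from the configuration above
KEY = b"BetterKey"   # key string from the configuration above

def build_header(stratum: int = 2) -> bytes:
    """Constructed 48-byte NTP header: LI=0, VN=3, mode 5 (broadcast/multicast server)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 5
    # poll=6 and precision=-20 are sample values; timestamps are left zeroed
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + bytes(44)

def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: 32-bit key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only a packet whose MAC checks out under a trusted key ID."""
    if len(packet) != 48 + 4 + 16:      # no MAC (or wrong size): reject
        return False
    header, mac = packet[:48], packet[48:]
    key = trusted_keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:                     # key ID not declared reliable
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])

def demo() -> dict:
    client_keys = {KEY_ID: KEY}         # assumption: the client trusts key 10 too
    good = sign(build_header(), KEY_ID, KEY)
    tampered = bytes([good[0], 1]) + good[2:]   # stratum changed after signing
    return {
        "good": verify(good, client_keys),
        "tampered": verify(tampered, client_keys),
        "wrong_key": verify(sign(build_header(), KEY_ID, b"guess"), client_keys),
        "unsigned": verify(build_header(), client_keys),
        "untrusted_id": verify(sign(build_header(), 11, KEY), client_keys),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:13s} accepted={accepted}")
```

A listener that does not enforce this check accepts the unsigned and tampered packets as well, so the server-side key only helps when the client is configured to require it.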
Tuesday, February 11, 2014
Communication problems about super-vlan VLAN
Yesterday, a Huawei S3328TP-EI configuration was imported into an S3700-28TP-SI.
Edition:
<Quidway> dis version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S3700 V100R005C01SPC100)
Copyright (C) 2000-2011 HUAWEI TECH CO., LTD
Quidway S3700-28TP-SI-AC Routing Switch uptime is 0 week, 0 day, 0 hour, 8 minutes
VLAN is not found then delete configuration restart completely according to the Handbook on the instance configuration to the discovery is the original S3300 under super-vlan a arp-proxy enable command
But in the original S3300 VLAN is Ping this is why different versions or what other reasons
Today in the Ensp also did the experiment also found. ENSP does not support it is what reason
[Huawei]dis cu
sysname Huawei
vlan batch 10 to 60 1000
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
diffserv domain default
drop-profile default
vlan 1000
 aggregate-vlan
 access-vlan 10 20 30 40 50 60
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
interface Vlanif1
interface Vlanif1000
 ip address 192.168.1.1 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable
 dhcp select interface
interface MEth0/0/1
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
interface Ethernet0/0/4
 port link-type access
 port default vlan 40
interface Ethernet0/0/5
 port link-type access
 port default vlan 50
interface Ethernet0/0/6
 port link-type access
 port default vlan 60
interface Ethernet0/0/7
interface Ethernet0/0/8
interface Ethernet0/0/9
interface Ethernet0/0/10
interface S3328TP-EI-AC Ethernet0/0/1
Monday, February 10, 2014
Configuring the GE/FE Optical/Electrical Interface
Generally, the Huawei ME60 sets an Ethernet interface to an optical or electrical interface based on the interface module's type. If the ME60 cannot identify an interface module, you need to manually set the interface to the optical or electrical mode.
Run:
system-view
The system view is displayed.
Run:
interface { ethernet | gigabitethernet } interface-number
The Ethernet interface view is displayed.
Run:
port-type { copper | fiber-100 | fiber-1000 }
The interface type is set.
NOTE:
When an SFP module is being replaced, the configurations such as the loopback test, interface speed, auto-negotiation mode, and duplex mode on the interface are all restored to default ones. You need to reconfigure them on the interface.
After the port-type command is run, the configurations such as the loopback test, interface speed, auto-negotiation mode, and duplex mode on the interface are all restored to default ones. You need to reconfigure them on the interface.
The parameter copper can be configured in the port-type command only when an optical/electrical SFP module is installed.
fiber-100 cannot be set for interfaces on the ME60 24-Port 1000Base-X-SFP Flexible Card E(BP51-E) subcard.