[Branch_Router] vlan batch 10 20 99 [Branch_Router] interface GigabitEthernet 0/0/1 [Branch_Router-GigabitEthernet0/0/1] port link-type access [Branch_Router-GigabitEthernet0/0/1] port default vlan 10 [Branch_Router] interface Vlanif 10 [Branch_Router-Vlanif10] ip address 192.168.10.1 255.255.255.0 [Branch_Router-Vlanif10] dhcp select interface This configuration activates DHCP on the Data VLAN, automatically leasing IP addresses to connected workstations. The branch must communicate securely with headquarters. The AR651 supports IPSec IKEv2.
[Branch_Router] ike proposal 5 [Branch_Router-ike-proposal-5] encryption-algorithm aes-cbc-256 [Branch_Router-ike-proposal-5] authentication-algorithm sha256 [Branch_Router] ike peer HQ v1 [Branch_Router-ike-peer-HQ] pre-shared-key cipher SecureKey@2024 [Branch_Router-ike-peer-HQ] remote-address 203.0.113.10 [Branch_Router] ipsec proposal huawei_proposal [Branch_Router-ipsec-proposal-huawei_proposal] esp authentication-algorithm sha256 [Branch_Router] ipsec policy Branch_to_HQ 1 isakmp [Branch_Router-ipsec-policy-isakmp-Branch_to_HQ-1] security acl 3000 [Branch_Router-ipsec-policy-isakmp-Branch_to_HQ-1] ike-peer HQ [Branch_Router-ipsec-policy-isakmp-Branch_to_HQ-1] proposal huawei_proposal [Branch_Router] interface GigabitEthernet 0/0/0 [Branch_Router-GigabitEthernet0/0/0] ipsec policy Branch_to_HQ This establishes an encrypted tunnel, ensuring data privacy over the public internet. The AR651’s hardware supports HQoS (Hierarchical QoS). To prioritize voice traffic (SIP/RTP), classify and mark packets:
[Branch_Router] interface GigabitEthernet 0/0/0 [Branch_Router-GigabitEthernet0/0/0] ip address dhcp-alloc [Branch_Router-GigabitEthernet0/0/0] nat outbound 2000 [Branch_Router-GigabitEthernet0/0/0] quit [Branch_Router] acl number 2000 [Branch_Router-acl-basic-2000] rule 5 permit source 192.168.0.0 0.0.255.255 The AR651 often includes two SIM slots. To configure APN (Access Point Name) for cellular: huawei ar651 configuration guide
<Huawei> system-view [Huawei] sysname Branch_Router [Branch_Router] undo info-center enable [Branch_Router] aaa [Branch_Router-aaa] local-user admin password cipher Huawei@123 [Branch_Router-aaa] local-user admin privilege level 15 [Branch_Router-aaa] local-user admin service-type terminal ssh Disabling info-center during initial configuration prevents log flooding, while changing the default username from admin to a custom name (or at least a strong password) is non-negotiable. The AR651 excels at hybrid WAN. Typically, you configure an Ethernet WAN (e.g., GE0/0/0) and a 4G LTE backup (Cellular 0/0/0).
It is mandatory to execute:
[Branch_Router] acl number 3000 [Branch_Router-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[Branch_Router] interface Cellular 0/0/0 [Branch_Router-Cellular0/0/0] apn-profile default [Branch_Router-Cellular0/0/0] dialer number *99# (or your carrier's code) [Branch_Router-Cellular0/0/0] modem auto-recovery [Branch_Router-Cellular0/0/0] quit Implement track-based static routes to fail over automatically. A primary default route via Ethernet (preference 60) and a backup via Cellular (preference 100) ensures zero-touch redundancy. The AR651 provides multiple Layer 2 Gigabit ports. For security, segment traffic into VLANs (e.g., VLAN 10 for Data, VLAN 20 for Voice, VLAN 99 for Management). To configure APN (Access Point Name) for cellular:
Introduction In the modern enterprise network, the boundary between the local LAN and the wide area network (WAN) is no longer a simple threshold. It is a dynamic space requiring routing, security, and deep packet inspection. Huawei’s AR651 enterprise router, part of the Agile Series, is designed to occupy this critical space. As a converged access device, the AR651 supports 3G/4G LTE, Ethernet WAN, and VPN acceleration, making it a staple for branch offices and Industrial Internet of Things (IIoT) deployments. This essay provides a structured technical guide to configuring the AR651, moving from initial access to advanced security policies, using Huawei’s proprietary Versatile Routing Platform (VRP). Phase 1: Initial Access and Basic Hardening Before any data flows, the administrator must establish a console connection. The AR651 defaults to a baud rate of 9600. Using a terminal emulator (e.g., PuTTY or SecureCRT), the user enters the initial AAA authentication framework.