Friday, December 27, 2024

STP attack and Root Protection feature on Huawei switches

Spanning Tree Protocol is a loop prevention mechanism in a bridged LAN. Every STP topology has its own root bridge, which determines how the STP topology is calculated. The root bridge acts as a reference point in the network, so that all other switches can determine how far each of their ports is from the root bridge. The port with the lowest path cost to the root is placed into the forwarding state; all other ports that can lead to the root bridge are blocked. Ports in the switching topology that lead away from the root bridge remain forwarding. You can recall STP operations by reading the following article: "Multiple Spanning Tree Protocol on Huawei switch".

How does the root bridge election process work?

The root bridge for each STP instance is determined by the bridge ID. The bridge ID consists of a configurable bridge priority and the MAC address of the bridge:

[Huawei]display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge         :32768.4c1f-ccd4-1c03

In this example the bridge ID is 32768.4c1f-ccd4-1c03, where:

  • 32768 is the bridge priority
  • 4c1f-ccd4-1c03 is the MAC address of the bridge.

The bridge with the lowest bridge ID is elected as the root bridge. If the bridge priorities are equal, or if the bridge priority is not configured, the bridge with the lowest MAC address is elected the root bridge.

How to change the bridge priority on Huawei switch?

[Huawei]stp priority ?
  INTEGER  Bridge priority, in steps of 4096

A predefined macro can also be used to change the bridge priority:

[Huawei]stp root ?
  primary    Primary root switch
  secondary  Secondary root switch

The same macro, when changing the bridge priority in a particular STP instance:

[Huawei]stp instance 1 root ?
  primary    Primary root switch
  secondary  Secondary root switch

The first option changes the priority to 0, the second to 4096. The default bridge priority is 32768.

Any switch can become the root bridge in a network, but the optimal forwarding topology places the root bridge at a specific, predetermined location. Let's take the following example:

 

Aggregation switch AGG-SW1 was elected as the root bridge and AGG-SW2 as the secondary root bridge, in case of AGG-SW1's failure. The STP topology was built as expected: high-speed links are used to forward traffic between devices.

Even if the root bridge was configured with priority 0, any switch in this network with priority 0 and a lower MAC address can be elected as the new root bridge. Let's imagine a situation where someone connects an additional switch, or just a software-based bridge application launched on a PC with dual NICs and a lower bridge ID, like below:

 

Our PC was elected as the new root bridge for this VLAN. The STP topology changed and now low-speed access links are used to forward traffic between the aggregation switches. If more traffic between the aggregation switches flows through that link in this VLAN than it can accommodate, some frames are dropped. As a result, network performance can be affected.

To prevent this from happening, STP Root Protection can be enabled on interfaces which should not receive superior BPDUs. These interfaces are usually located on an administrative boundary. In our case, the Root Protection feature should be enabled on the interfaces shown in the picture below:

To enable Root Protection on a Huawei switch, use the following commands:

[Huawei]int GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]stp root-protection

Remember that root protection takes effect only on designated ports.
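The election rule and the root-protection behaviour described above, as an added Python example that is not part of the original post: it parses the bridge ID format shown by display stp, elects the root (priority first, MAC address as tie-break) and shows what a designated port does with a superior BPDU with and without stp root-protection. The switch names and MAC addresses in the lab dictionary are constructed; only the priorities follow the post.

```python
import re

# Bridge ID as "display stp" prints it: "<priority>.<mac>", e.g. "32768.4c1f-ccd4-1c03"
BRIDGE_ID_RE = re.compile(r"^(\d+)\.([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$")

def parse_bridge_id(text):
    """Return (priority, mac_as_int); the lowest tuple is the lowest bridge ID."""
    m = BRIDGE_ID_RE.match(text.strip().lower())
    if not m:
        raise ValueError("not a bridge ID: %r" % text)
    return int(m.group(1)), int(m.group(2).replace("-", ""), 16)

def bridge_id_from_display(output):
    """Extract the CIST bridge ID from 'display stp' output."""
    m = re.search(r"CIST Bridge\s*:\s*(\S+)", output)
    if not m:
        raise ValueError("no 'CIST Bridge' line in output")
    return m.group(1)

def elect_root(bridges):
    """bridges: {switch name: bridge ID}. Lowest priority wins, lowest MAC breaks ties."""
    return min(bridges, key=lambda name: parse_bridge_id(bridges[name]))

def bpdu_outcome(port_role, root_protection, current_root_id, bpdu_root_id):
    """Outcome of receiving a BPDU that advertises bpdu_root_id:
    'keep' (not superior), 'block' (superior BPDU on a designated port with root
    protection: port goes to Discarding), 'reelect' (superior BPDU accepted)."""
    if parse_bridge_id(bpdu_root_id) >= parse_bridge_id(current_root_id):
        return "keep"
    if root_protection and port_role == "designated":
        return "block"
    return "reelect"   # root protection does nothing on root or alternate ports

# Constructed lab: priorities follow the post (primary 0, secondary 4096, default
# 32768); the MAC addresses are made up for this example.
LAB = {
    "AGG-SW1": "0.4c1f-ccd4-1c03",
    "AGG-SW2": "4096.4c1f-ccd4-2a10",
    "ACC-SW1": "32768.4c1f-ccd4-3b20",
}
ROGUE_PC = "0.0000-0c11-2233"   # software bridge: priority 0 and a lower MAC than AGG-SW1

def demo():
    """Root before/after the rogue bridge, and the BPDU outcome without/with protection."""
    before = elect_root(LAB)
    after = elect_root(dict(LAB, PC=ROGUE_PC))
    return (before, after,
            bpdu_outcome("designated", False, LAB[before], ROGUE_PC),
            bpdu_outcome("designated", True, LAB[before], ROGUE_PC))
```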


Huawei eNSP – news

We have waited for a new version of the Huawei eNSP simulator since February 1st, 2013.

And we have finally got it.

Quite a new and fresh V100R002C00B110 version.

New look … new devices … new connections …

Possibility to add interface cards in a graphic way …

 

One button to open all command lines …

New features supported: NAT, firewall, IPSec, SSLVPN etc.

Just click on the first picture and download it.

Enjoy!


from Huawei CLI – lock and send

Today a few words about two simple but useful commands: lock and send.

LOCK – prevents unauthorized users from operating on the current terminal interface

SEND – enables the system to transfer messages between user interfaces

Let's look at how they work on a Huawei S5700 switch.

LOCK
<labnario>lock
Enter Password:
Confirm Password:

 Info: The terminal is locked. 

Enter Password:

<labnario>

SEND
<labnario>send ?
  INTEGER  Specify a user terminal interface and configure it
  all            All user terminal interfaces
  console        Primary user terminal interface
  vty            The virtual user terminal interface

<labnario>send all

Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Give me your "LIKE" on Facebook!!!
Warning: Send the message? [Y/N]:y


<labnario>
Info: Receive a message from con0: Give me your "LIKE" on Facebook!!!
<labnario>


how to upgrade stacked S5300 switches

When a single switch is upgraded, services are interrupted for about 3 minutes. This time increases when a stack is upgraded. The methods for upgrading the system software of S5300 and S6300 switches are the same, so we can focus on the Huawei S5300 switch as an example. Let's assume we have 2 switches in the stack.

<labnario> display stack
Stack topology type: Ring
Stack system MAC: 80fb-06b1-69eb
MAC switch delay time: 10 min
Stack reserved vlanid : 100
Slot#     role        Mac address      Priority   Device type
------    ----        --------------   ------     -------
    0     Master      80fb-06b1-69eb   100        S5352C-EI
    1     Standby     80fb-06ab-f6e3   120        S5352C-EI

First, check the free space in the switch's flash memory. If there is not enough space in the flash to fit the new system software, just delete the old (current) system software, on both the Master and Member switches:

<labnario> delete /unreserved flash:/S5300EI-V100R005C00SPC100.cc
Info:This is Next startup system software.If you delete it,there is no software to reboot successfully!Confirm to delete the file? [Y/N]:y
Warning: The contents of file flash:/S5300EI-V100R005C00SPC100.cc cannot be recycled. Continue? [Y/N]:y
Info: Deleting file flash:/S5300EI-V100R005C00SPC100.cc...
Deleting file permanently from flash will take a long time if needed................succeeded.
<labnario> delete /unreserved slot1#flash:/S5300EI-V100R005C00SPC100.cc
Info:This is Next startup system software.If you delete it,there is no software to reboot successfully!Confirm to delete the file? [Y/N]:y
Warning: The contents of file slot1#flash:/S5300EI-V100R005C00SPC100.cc cannot be recycled. Continue? [Y/N]:y
Info: Deleting file slot1#flash:/S5300EI-V100R005C00SPC100.cc...
Deleting file permanently from flash will take a long time if needed................succeeded.

Upload the new software to the Master switch. If you do not remember how to do this, just go to upgrade of huawei's S5300 switch.

Specify the uploaded software as the next startup software. As you can see, the new software is copied to the Member switch automatically. This is why the upgrade time of stacked switches increases compared to a single device.

<labnario> startup system-software S5300EI-V200R001C00SPC300.CC all
Warning: Basic BOOTROM will be upgraded. Continue?(Y/N)[N]: y
BOOTROM begin to be upgraded ! please wait for a moment

Info: BOOTROM UPGRADE OK
Info: Succeeded in setting the software for booting system on 0.
100%  complete\
Info: Copied file flash:/S5300EI-V200R001C00SPC300.cc to slot1#flash:/S5300EI-V200R001C00SPC300.cc...Done.
Info: Succeeded in setting the software for booting system on 0.
Info: Succeeded in setting the software for booting system on 1.

Restart the switch:

<labnario> reboot
Info: The system is now comparing the configuration, please wait.
Warning: All the configuration will be saved to the configuration file for the next startup:flash:/vrpcfg.zip, Continue?[Y/N]:n
Now saving the current configuration to the slot 0.
Info: Save the configuration successfully.
Now saving the current configuration to the slot 1.
Info: Save the configuration successfully.
System will reboot! Continue?[Y/N]:      y

Info: system is rebooting, please wait…
----End


Huawei AR1200 NAT configuration

A short NAT (Network Address Translation) description based on the AR1200 documentation:

Huawei AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.

  • Static NAT

The number of private addresses is equal to the number of public addresses, so it does not save the pool of public addresses.

  • PAT

Maps a public address to multiple private addresses.

  • Internal Server

Hosts in the public network can access an internal server.

  • Easy IP

Takes a public IP address of the interface as the source address after NAT is performed.

  • Twice NAT

Translates both the source and destination addresses. Used in scenarios where IP addresses of hosts on private and public networks overlap.

  • NAT multi-instance

Allows users on private networks to access the public network and allows users in different VPNs to access the public network through the same egress. In addition, users in the VPNs with the same IP address can access the public network. Supports association between VPNs and NAT server, and allows users on the public network to access hosts in the VPNs. This function is applicable when IP addresses of multiple VPNs overlap.

Let’s try to configure NAT based on the below topology:

  1. Users from LAN 10.0.20.0/24 can access the internet using a pool of public addresses.
  2. Users from LAN 172.16.10.0/24 can access internet using a public IP of WAN interface.
  3. Users from internet can access internal FTP server 192.168.1.10.

Configure IP addresses and default routing based on the above topology:

labnario
#
interface Vlanif100
 ip address 10.0.20.2 255.255.255.0
#
interface Vlanif200
 ip address 172.16.10.2 255.255.255.0
#
interface Ethernet0/0/0
 portswitch
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 portswitch
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 201.120.4.2

internet
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.2 255.255.255.0

Configure outbound NAT on labnario router for hosts in both LANs:

[labnario]acl number 2000
[labnario-acl-basic-2000] rule 5 permit source 10.0.20.0 0.0.0.255

[labnario]acl number 2500
[labnario-acl-basic-2500] rule 5 permit source 172.16.10.0 0.0.0.255

[labnario]nat address-group 1 201.120.4.100 201.120.4.110

[labnario]interface GigabitEthernet 0/0/0
[labnario-GigabitEthernet0/0/0]nat outbound 2000 address-group 1 no-pat
[labnario-GigabitEthernet0/0/0]nat outbound 2500
[labnario-GigabitEthernet0/0/0]display this
#
interface GigabitEthernet0/0/0
 ip address 201.120.4.1 255.255.255.0
 nat outbound 2000 address-group 1 no-pat 
 nat outbound 2500

No-pat indicates one-to-one NAT, that is, only the IP address is translated and the port number is not translated.

Configure a NAT server on the labnario router to give external users FTP access to the internal FTP server:

[labnario-GigabitEthernet0/0/0]nat server protocol tcp global 201.120.4.10 ftp inside 192.168.1.10 ftp

Enable the NAT ALG function for FTP packets:

[labnario]nat alg ftp enable

[labnario]display nat alg 

NAT Application Level Gateway Information:
----------------------------------
  Application            Status
----------------------------------
  dns                    Disabled
  ftp                    Enabled
  rtsp                   Disabled
  sip                    Disabled
----------------------------------

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT server. The application protocol cannot work without the NAT ALG function.
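The three translation rules configured above, as an added Python model that is neither the router's code nor the post's own: it reproduces the decisions of the ACL 2000 no-pat pool, the ACL 2500 Easy IP rule and the FTP nat server entry, including what happens when the 11-address pool is exhausted. The PAT port numbers it hands out are constructed; a real AR1200 allocates them differently.

```python
import ipaddress

# Values from the post's configuration; the port numbering used for PAT is constructed.
WAN_IP = "201.120.4.1"                                   # GigabitEthernet0/0/0 (Easy IP uses it)
POOL = [str(ipaddress.ip_address("201.120.4.100") + i) for i in range(11)]  # nat address-group 1
ACL_2000 = ipaddress.ip_network("10.0.20.0/24")          # rule 5 permit source 10.0.20.0 0.0.0.255
ACL_2500 = ipaddress.ip_network("172.16.10.0/24")        # rule 5 permit source 172.16.10.0 0.0.0.255
NAT_SERVER = {("tcp", "201.120.4.10", 21): ("192.168.1.10", 21)}  # nat server ... ftp inside ... ftp

class NatTable:
    """Models the outbound/inbound translation decisions of the post's configuration."""

    def __init__(self):
        self.no_pat = {}          # inside IP -> pool IP (one-to-one, port untouched)
        self.pat = {}             # (proto, inside IP, inside port) -> WAN port
        self.next_port = 10240    # constructed starting point for PAT port allocation

    def outbound(self, proto, src_ip, src_port):
        """Return (translated IP, translated port) or None if the packet is not translated."""
        ip = ipaddress.ip_address(src_ip)
        if ip in ACL_2000:
            # nat outbound 2000 address-group 1 no-pat: only the address changes
            if src_ip not in self.no_pat:
                free = [p for p in POOL if p not in self.no_pat.values()]
                if not free:
                    return None    # 11 pool addresses: a 12th concurrent host gets nothing
                self.no_pat[src_ip] = free[0]
            return (self.no_pat[src_ip], src_port)
        if ip in ACL_2500:
            # nat outbound 2500 (Easy IP): interface address, port rewritten per flow
            key = (proto, src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.next_port += 1
            return (WAN_IP, self.pat[key])
        return None                # matched by no ACL: leaves the router untranslated

    def inbound(self, proto, dst_ip, dst_port):
        """Inbound mapping from the nat server entry (only the FTP control port is published)."""
        return NAT_SERVER.get((proto, dst_ip, dst_port))
```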

Let’s check if our NAT is configured properly:

[labnario]display nat outbound 
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/0         2000                              1    no-pat
 GigabitEthernet0/0/0         2500                    201.120.4.1    easyip
 --------------------------------------------------------------------------
  Total : 2

[labnario]dis nat server

  Nat Server Information:
  Interface  : GigabitEthernet0/0/0
    Global IP/Port     : 201.120.4.10/21(ftp)
    Inside IP/Port     : 192.168.1.10/21(ftp)
    Protocol : 6(tcp)
    VPN instance-name  : ----
    Acl number         : ----
    Description : ----

  Total :    1

Unfortunately, even though NAT commands are supported by the eNSP simulator, that does not mean NAT is supported as a whole. Internal hosts cannot communicate with the internet, and the internal FTP server is not available to public users either. But this is what I wanted to show you. You can check this NAT configuration on real devices; it should work properly.
