Friday, December 27 2024

Huawei eNSP – news

A new version of the Huawei Enterprise Network Simulator eNSP was released a few days ago.

What is new?

  • Added FTP, HTTP and DNS client and server terminals;
  • Added IPv6 support to the simulated PC.

A few bugs have also been fixed.

All details can be found at Huawei Support.


GRE on Huawei routers

Generic Routing Encapsulation (GRE) encapsulates packets of one protocol inside packets of another protocol so that they can be transmitted over an IPv4 network, which allows traffic to cross heterogeneous networks. GRE also provides tunnels that transparently carry VPN packets. When a device receives a packet that has to be encapsulated and routed, it adds a GRE header to the packet and encapsulates it in another protocol such as IP; the resulting packet is then forwarded by IP. Note that GRE only encapsulates: it provides no encryption or authentication of the tunnelled traffic, so a GRE tunnel over an untrusted network needs IPsec on top if confidentiality or integrity is required.

Let’s try to configure a GRE tunnel between labnario_1 and labnario_3. All packets sent from PC_1 to PC_2, and vice versa, will be transmitted through the GRE tunnel.

First ensure IP connectivity between the routers in the network; this step is omitted here.

Create a tunnel interface with GRE as the tunnel protocol on both labnario_1 and labnario_3. Assign an IP address to the tunnel interface and set the IP addresses of the tunnel’s source and destination:

[labnario_1]interface Tunnel 0/0/0
[labnario_1-Tunnel0/0/0]ip address 10.0.0.1 255.255.255.0
[labnario_1-Tunnel0/0/0] tunnel-protocol gre
[labnario_1-Tunnel0/0/0] source 150.0.0.1
[labnario_1-Tunnel0/0/0] destination 160.0.0.1

[labnario_3]interface Tunnel 0/0/0
[labnario_3-Tunnel0/0/0]ip address 10.0.0.2 255.255.255.0
[labnario_3-Tunnel0/0/0] tunnel-protocol gre
[labnario_3-Tunnel0/0/0] source 160.0.0.1
[labnario_3-Tunnel0/0/0] destination 150.0.0.1

Configure static routes on labnario_1 and labnario_3 to PC_2 and PC_1 respectively, with the GRE tunnel as the outbound interface. This ensures that all traffic to those PCs goes through the GRE tunnel interface.

[labnario_1]ip route-static 172.16.10.0 255.255.255.0 Tunnel0/0/0

[labnario_3]ip route-static 172.16.0.0 255.255.255.0 Tunnel0/0/0

Check routing tables of both routers:

[labnario_1]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface

       10.0.0.0/24  Direct  0    0       D   10.0.0.1        Tunnel0/0/0
       10.0.0.1/32  Direct  0    0       D   127.0.0.1       Tunnel0/0/0
      127.0.0.0/8   Direct  0    0       D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0       D   127.0.0.1       InLoopBack0
      150.0.0.0/24  Direct  0    0       D   150.0.0.1       GigabitEthernet0/0/0
      150.0.0.1/32  Direct  0    0       D   127.0.0.1       GigabitEthernet0/0/0
      160.0.0.0/24  OSPF    10   2       D   150.0.0.2       GigabitEthernet0/0/0
     172.16.0.0/24  Direct  0    0       D   172.16.0.2      Ethernet0/0/0
     172.16.0.2/32  Direct  0    0       D   127.0.0.1       Ethernet0/0/0
    172.16.10.0/24  Static  60   0       D   10.0.0.1        Tunnel0/0/0

[labnario_3]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface

       10.0.0.0/24  Direct  0    0        D   10.0.0.2        Tunnel0/0/0
       10.0.0.2/32  Direct  0    0        D   127.0.0.1       Tunnel0/0/0
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
      150.0.0.0/24  OSPF    10   2        D   160.0.0.2       GigabitEthernet0/0/1
      160.0.0.0/24  Direct  0    0        D   160.0.0.1       GigabitEthernet0/0/1
      160.0.0.1/32  Direct  0    0        D   127.0.0.1       GigabitEthernet0/0/1
     172.16.0.0/24  Static  60   0        D   10.0.0.2        Tunnel0/0/0
    172.16.10.0/24  Direct  0    0        D   172.16.10.2     Ethernet0/0/0
    172.16.10.2/32  Direct  0    0        D   127.0.0.1       Ethernet0/0/0

Let’s check if traffic is going through GRE tunnel:

PC_1>ping 172.16.10.1 -t

Ping 172.16.10.1: 32 data bytes, Press Ctrl_C to break
From 172.16.10.1: bytes=32 seq=1 ttl=126 time=31 ms
From 172.16.10.1: bytes=32 seq=2 ttl=126 time=78 ms
From 172.16.10.1: bytes=32 seq=3 ttl=126 time=78 ms
From 172.16.10.1: bytes=32 seq=4 ttl=126 time=63 ms
From 172.16.10.1: bytes=32 seq=5 ttl=126 time=94 ms
From 172.16.10.1: bytes=32 seq=6 ttl=126 time=78 ms
From 172.16.10.1: bytes=32 seq=7 ttl=126 time=62 ms
From 172.16.10.1: bytes=32 seq=8 ttl=126 time=32 ms
From 172.16.10.1: bytes=32 seq=9 ttl=126 time=93 ms
From 172.16.10.1: bytes=32 seq=10 ttl=126 time=78 ms

--- 172.16.10.1 ping statistics ---
  10 packet(s) transmitted
  10 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/67/94 ms

[labnario_1]display interface Tunnel 0/0/0
Tunnel0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-01-28 13:22:16 UTC-08:00
Description:
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.0.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.0.0.1 (GigabitEthernet0/0/0), destination 160.0.0.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2013-01-28 13:22:59-08:00
    300 seconds input rate 0 bits/sec, 0 packets/sec
    300 seconds output rate 0 bits/sec, 0 packets/sec
    49 seconds input rate 136 bits/sec, 0 packets/sec
    49 seconds output rate 136 bits/sec, 0 packets/sec
    10 packets input,  840 bytes
    0 input error
    10 packets output,  840 bytes
    0 output error
    Input:
      Unicast: 0 packets, Multicast: 0 packets
    Output:
      Unicast: 10 packets, Multicast: 0 packets
    Input bandwidth utilization  : --
    Output bandwidth utilization : --

Use debugging for GRE verification:

<labnario_1>debugging tunnel ?
  all        All debugging functions
  control    Control debugging function
  error      Error debugging function
  keepalive  GRE keepalive debugging function
  packet     Packet debugging function
  timer      Timer debugging function

<labnario_3>debugging tunnel all 
<labnario_3>t m
Info: Current terminal monitor is on.
<labnario_3>t d
Info: Current terminal debugging is on.

Jan 28 2013 12:25:04.340.3-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: Tunnel0/0/0-Out:GRE/IP encapsulated 150.0.0.1->160.0.0.1(len = 84).
Jan 28 2013 12:25:04.340.4-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: GRE Transmit: Transmit packets through IP output sucessfully.
Jan 28 2013 12:25:04.400.1-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD:GRE-Input: Src(160.0.0.1)/dest(150.0.0.1), length = 84.
Jan 28 2013 12:25:04.400.2-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: Get packet without checksum.
Jan 28 2013 12:25:04.400.3-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: Tunnel0/0/0-In: GRE decapsulated IP source(172.16.10.1)/destination(172.16.0.1)(len = 60).
Jan 28 2013 12:25:04.400.4-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: Put packets into IP queue sucessfully.
Jan 28 2013 12:25:05.400.1-08:00 labnario_1 TUNNEL/7/debug:GRE_FWD: GRE-Encapsulation: Mbuf length = 60 from Tunnel0/0/0 out.
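The encapsulation the debugging lines above report (a 60-byte inner packet carried in an 84-byte GRE/IP packet between 150.0.0.1 and 160.0.0.1), modelled in Python as an added example; this is not code from the post or from Huawei, the inner packet is constructed, and the spoofed source address 198.51.100.7 is an assumption:

```python
"""GRE-over-IPv4 encapsulation as seen in the post's debugging output.

Added example, not code from the post or from Huawei. A 60-byte inner IP
packet becomes an 84-byte outer packet (20-byte IPv4 header + 4-byte GRE
header + 60 bytes), exactly the lengths the TUNNEL/7/debug lines report.
The decapsulator performs the check an endpoint of an unauthenticated tunnel
should make: only packets whose outer addresses match the configured tunnel
peers are accepted; everything else is dropped.
"""
import struct

GRE_PROTO = 47             # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 payload
TUNNEL_SRC = "150.0.0.1"   # labnario_1 Tunnel0/0/0 source
TUNNEL_DST = "160.0.0.1"   # labnario_1 Tunnel0/0/0 destination (labnario_3)


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(x) for x in raw)


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words; 0 when verifying a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner, src, dst):
    """Outer IPv4 header + basic 4-byte GRE header (RFC 2784: no C/K/S bits)."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return build_ipv4(src, dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer, expected_src=TUNNEL_DST, expected_dst=TUNNEL_SRC):
    """Return the inner packet, or None when the packet must be dropped.

    Defaults are for labnario_1 receiving from labnario_3: the outer source
    must be the tunnel destination and the outer destination our own source.
    """
    if len(outer) < 24 or outer[0] >> 4 != 4:
        return None
    ihl = (outer[0] & 0x0F) * 4
    if ihl < 20 or len(outer) < ihl + 4 or ipv4_checksum(outer[:ihl]) != 0:
        return None
    proto, src, dst = outer[9], bytes_to_ip(outer[12:16]), bytes_to_ip(outer[16:20])
    if proto != GRE_PROTO or src != expected_src or dst != expected_dst:
        return None            # not from our tunnel peer: drop silently
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0xB007 or ptype != ETHERTYPE_IPV4:
        return None            # C/K/S bit or version set, or not an IPv4 payload
    return outer[ihl + 4:]


def demo():
    """Reproduce the 60 -> 84 -> 60 byte lengths from the debugging output."""
    # Constructed inner packet: PC_2 (172.16.10.1) replying to PC_1 (172.16.0.1),
    # protocol 1 (ICMP), 40 bytes of payload behind the 20-byte header.
    inner = build_ipv4("172.16.10.1", "172.16.0.1", 1, b"\x00" * 40)
    outer = gre_encapsulate(inner, src=TUNNEL_DST, dst=TUNNEL_SRC)   # sent by labnario_3
    recovered = gre_decapsulate(outer)                                # received by labnario_1
    # Constructed packet from an address that is not the tunnel peer: must be dropped.
    spoofed = gre_encapsulate(inner, src="198.51.100.7", dst=TUNNEL_SRC)
    return len(inner), len(outer), recovered == inner, gre_decapsulate(spoofed) is None
```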

Packet capture output from interface GE0/0/0 of labnario_1:

Final configs:

sysname labnario_1
#
interface Ethernet0/0/0
 ip address 172.16.0.2 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 150.0.0.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 10.0.0.1 255.255.255.0
 tunnel-protocol gre
 source 150.0.0.1
 destination 160.0.0.1
#
ospf 1
 area 0.0.0.0
  network 150.0.0.0 0.0.0.255
#
ip route-static 172.16.10.0 255.255.255.0 Tunnel0/0/0

sysname labnario_2
#
interface GigabitEthernet0/0/0
 ip address 150.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 160.0.0.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 150.0.0.0 0.0.0.255
  network 160.0.0.0 0.0.0.255

sysname labnario_3
#
interface Ethernet0/0/0
 ip address 172.16.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 160.0.0.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 10.0.0.2 255.255.255.0
 tunnel-protocol gre
 source 160.0.0.1
 destination 150.0.0.1
#
ospf 1
 area 0.0.0.0
  network 160.0.0.0 0.0.0.255
#
ip route-static 172.16.0.0 255.255.255.0 Tunnel0/0/0


DHCP Relay Agent configuration in Huawei CLI

When PCs are in a different subnet than the DHCP server, a DHCP Relay Agent can be used to forward DHCP requests from the PCs to the server. How do you configure a DHCP Relay Agent using the Huawei CLI?

Let’s assume that we have the following topology:

We want our PC to acquire its IP address from the DHCP server configured on the labnarioR1 router. To do so, labnarioR2 has to be configured as a DHCP Relay Agent to forward DHCP Requests and Offers between the server and the clients.

First, the DHCP server has to be configured. The labnarioR1 router will be configured to offer the DHCP service to the PC.

<labnarioR1>system-view 
Enter system view, return user view with Ctrl+Z.
[labnarioR1] dhcp enable
[labnarioR1] ip pool 1
[labnarioR1-ip-pool-1] gateway-list 172.16.1.1
[labnarioR1-ip-pool-1] network 172.16.1.0 mask 255.255.255.0
[labnarioR1-ip-pool-1] dns-list 150.100.15.1 150.100.15.2
[labnarioR1-ip-pool-1] domain-name labnario.com
[labnarioR1-ip-pool-1] quit
[labnarioR1]interface Ethernet0/0/0
[labnarioR1-Ethernet0/0/0]dhcp select global

For labnarioR1 to be able to send DHCP packets back to the PC, a static route pointing to labnarioR2 has to be added:

[labnarioR1] ip route-static 172.16.1.0 255.255.255.0 150.100.12.2

Now the labnarioR2 router can be configured to act as a DHCP Relay Agent for the 172.16.1.0/24 subnet. Do not forget to enable the DHCP service! This step is required on both the DHCP server and the relay.

[labnarioR2]dhcp enable
[labnarioR2-dhcp-server-group-1]quit
[labnarioR2]interface Ethernet0/0/1
[labnarioR2-Ethernet0/0/1] dhcp select relay
[labnarioR2-Ethernet0/0/1] dhcp relay server-ip 150.100.12.1

Let’s check if our PC can acquire an IP address:

PC>ipconfig -r

Discover...
Request...
IP: 172.16.1.254
Subnet Mask: 255.255.255.0
Gateway: 172.16.1.1

PC>ipconfig

IPv4 address......................: 172.16.1.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 172.16.1.1
Physical address..................: 00-0B-09-CF-EB-58
DNS server........................: 150.100.15.1
                                    150.100.15.2

As you see, our DHCP Relay Agent works fine.

How to verify DHCP Relay Agent operation?

[labnarioR2]display dhcp statistics 
Input: total 687 packets, discarded 0 packets
  Bootp request           :          0,  Bootp reply             :          0 
  Discover                :        678,  Offer                   :          3 
  Request                 :          3,  Ack                     :          3 
  Release                 :          0,  Nak                     :          0 
  Decline                 :          0,  Inform                  :          0 

Output: total 12 packets, discarded 0 packets

As you see above, there are DHCP Request and Offer counters, which can be helpful during DHCP troubleshooting.

Below is the DHCP Relay configuration summary command:

[labnarioR2]display dhcp relay all 
 DHCP relay agent running information of interface Ethernet0/0/1 :
 Server IP address [01] : 150.100.12.1
 Gateway address in use : 172.16.1.1

For debugging use the following commands:

<labnarioR2>debugging dhcp relay packet 
<labnarioR2>debugging dhcp relay event
<labnarioR2>terminal debugging
<labnarioR2>terminal monitor

Look at the debugging output: it shows the packet exchange between the DHCP client and the server. These are great commands when troubleshooting a DHCP Relay Agent.

<labnarioR2>
Jan 24 2013 15:45:52.710.1-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP DISCOVER message from interface Ethernet0/0/1.(sip:0.0.0.0, dip:255.255.255.255, vpn:0)
Jan 24 2013 15:45:52.710.2-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Relay packet to server 150.100.12.1.
Jan 24 2013 15:45:52.740.2-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP OFFER message from interface Ethernet0/0/0.(sip:150.100.12.1, dip:172.16.1.1, vpn:0)
Jan 24 2013 15:45:52.740.3-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Unicast DHCP OFFER to client. (Chaddr=000b-09cf-eb58, Ciaddr=172.16.1.254)
Jan 24 2013 15:45:55.200.1-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP REQUEST message from interface Ethernet0/0/1.(sip:0.0.0.0, dip:255.255.255.255, vpn:0)
Jan 24 2013 15:45:55.200.2-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Relay packet to server 150.100.12.1.
Jan 24 2013 15:45:55.210.3-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Receives DHCP ACK message from interface Ethernet0/0/0.(sip:150.100.12.1, dip:172.16.1.1, vpn:0)
Jan 24 2013 15:45:55.210.4-08:00 labnarioR2 DHCP/7/DEBUG:[dhcpr-pkt]:Unicast DHCP ACK to client. (Chaddr=000b-09cf-eb58, Ciaddr=172.16.1.254)
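The relay behaviour in the debugging output above (DISCOVER relayed to 150.100.12.1, OFFER returned to the relay’s address 172.16.1.1 and unicast on to the client), as an added Python example; it is not the post’s or Huawei’s code, and the DHCP packets, the transaction id and the spoofed giaddr 10.9.9.9 are constructed:

```python
"""DHCP relay agent forwarding logic, modelled on the labnarioR2 debugging output.

Added example, not code from the post or from Huawei VRP. It parses the fixed
BOOTP header (RFC 2131), stamps giaddr with the relay's LAN interface address
(the "Gateway address in use" 172.16.1.1 shown by display dhcp relay), unicasts
client messages to the configured server and returns server replies to the
client, as the [dhcpr-pkt] debug lines show. The checks a relay must make are
included: requests are only taken from the LAN side and replies only from the
server side, replies whose giaddr is not ours are ignored, the hops counter is
bounded, and a reply without a usable yiaddr is not forwarded.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                      # RFC 1542: discard requests relayed too often
RELAY_IF_IP = "172.16.1.1"         # labnarioR2 Ethernet0/0/1 (client side)
SERVER_IP = "150.100.12.1"         # dhcp relay server-ip
LAN_IF, WAN_IF = "Ethernet0/0/1", "Ethernet0/0/0"
HEADER = "!BBBBIHH4s4s4s4s16s"     # op..chaddr: the first 44 bytes of a DHCP message
HEADER_LEN = struct.calcsize(HEADER)


def ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def b2ip(raw):
    return ".".join(str(x) for x in raw)


def parse(pkt):
    """Fixed-header fields as a dict; sname/file/options are kept opaque in 'rest'."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr = struct.unpack(
        HEADER, pkt[:HEADER_LEN])
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
            "secs": secs, "flags": flags, "ciaddr": b2ip(ci), "yiaddr": b2ip(yi),
            "siaddr": b2ip(si), "giaddr": b2ip(gi),
            "chaddr": chaddr[:hlen].hex("-"), "rest": pkt[HEADER_LEN:]}


def build(f):
    mac = bytes.fromhex(f["chaddr"].replace("-", "")).ljust(16, b"\x00")
    return struct.pack(HEADER, f["op"], f["htype"], f["hlen"], f["hops"], f["xid"],
                       f["secs"], f["flags"], ip2b(f["ciaddr"]), ip2b(f["yiaddr"]),
                       ip2b(f["siaddr"]), ip2b(f["giaddr"]), mac) + f["rest"]


def relay(pkt, ingress_if):
    """Return (destination IP, packet to send) or None when the packet is dropped."""
    if len(pkt) < HEADER_LEN:
        return None
    f = parse(pkt)
    if f["op"] == BOOTREQUEST and ingress_if == LAN_IF:
        if f["hops"] >= MAX_HOPS:
            return None                       # looped through too many relays
        f["hops"] += 1
        if f["giaddr"] == "0.0.0.0":
            f["giaddr"] = RELAY_IF_IP         # first relay on the path stamps its address
        return SERVER_IP, build(f)            # "Relay packet to server 150.100.12.1"
    if f["op"] == BOOTREPLY and ingress_if == WAN_IF:
        if f["giaddr"] != RELAY_IF_IP or f["yiaddr"] == "0.0.0.0":
            return None                       # reply was not solicited through this relay
        broadcast = bool(f["flags"] & 0x8000) # client asked for a broadcast reply
        return ("255.255.255.255" if broadcast else f["yiaddr"]), build(f)
    return None                               # wrong message type for this side


def demo():
    """Walk the DISCOVER/OFFER pair from the debugging output with constructed packets."""
    discover = build({"op": BOOTREQUEST, "htype": 1, "hlen": 6, "hops": 0, "xid": 0x1234,
                      "secs": 0, "flags": 0, "ciaddr": "0.0.0.0", "yiaddr": "0.0.0.0",
                      "siaddr": "0.0.0.0", "giaddr": "0.0.0.0",
                      "chaddr": "00-0b-09-cf-eb-58", "rest": b""})
    dst, to_server = relay(discover, LAN_IF)
    fwd = parse(to_server)
    # The server answers to giaddr; yiaddr carries the offered lease.
    offer = build({**fwd, "op": BOOTREPLY, "yiaddr": "172.16.1.254", "siaddr": SERVER_IP})
    dst2, _to_client = relay(offer, WAN_IF)
    # A reply stamped with someone else's giaddr, and a "reply" arriving from the LAN side.
    spoofed = build({**parse(offer), "giaddr": "10.9.9.9"})
    return (dst, fwd["giaddr"], fwd["hops"], dst2,
            relay(spoofed, WAN_IF) is None, relay(offer, LAN_IF) is None)
```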

Some time ago I wrote about DHCP configuration. Just go to Huawei AR19/29/49 router DHCP configuration to read more.

Final configuration:

sysname labnarioR1
#
dhcp enable
#
ip pool 1
 gateway-list 172.16.1.1
 network 172.16.1.0 mask 255.255.255.0
 dns-list 150.100.15.1 150.100.15.2
 domain-name labnario.com
#
interface Ethernet0/0/0
 ip address 150.100.12.1 255.255.255.0
 dhcp select global
#
ip route-static 172.16.1.0 255.255.255.0 150.100.12.2
#
return

sysname labnarioR2
#
dhcp enable
#
interface Ethernet0/0/1
 ip address 172.16.1.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 150.100.12.1
#
return


VRRP on Huawei router

Virtual Router Redundancy Protocol (VRRP) combines a group of routing devices on a LAN into a backup group that functions as a single virtual router. A host in the LAN only needs the IP address of the virtual router, not the address of any specific device in the backup group, so the virtual IP address is set as the host’s default gateway. VRRP dynamically associates the virtual router with the physical device that currently forwards traffic. When that device fails, another device in the group is selected to take over. The switchover should be transparent to users, allowing the internal and external networks to keep communicating without interruption; whether it really is depends on the services involved. The most sensitive services need higher reliability than VRRP alone provides, and I will come back to this later in the post.

Let’s switch from theory to more practical things.

VRRP topology:

First ensure IP connectivity between all elements in the network; this step is omitted here.

Configure VRRP on labnario_1 and labnario_2. Set VRRP priority to 120 for labnario_1:

[labnario_1]interface Vlanif 100
[labnario_1-Vlanif100]ip address 10.0.0.10 255.255.255.0
[labnario_1-Vlanif100]vrrp vrid 100 virtual-ip 10.0.0.254
[labnario_1-Vlanif100]vrrp vrid 100 priority 120

[labnario_2]interface Vlanif 100
[labnario_2-Vlanif100]ip add 10.0.0.11 255.255.255.0
[labnario_2-Vlanif100]vrrp vrid 100 virtual-ip 10.0.0.254

[labnario_1]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
100   Master       Vlanif100                Normal   10.0.0.254     
----------------------------------------------------------------
Total:1     Master:1     Backup:0     Non-active:0     

[labnario_2]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
100   Backup       Vlanif100                Normal   10.0.0.254     
----------------------------------------------------------------
Total:1     Master:0     Backup:1     Non-active:0

Now we can check how traffic is going through our network:

PC>tracert 1.1.1.1
traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.0.0.10   16 ms

PC>ping 1.1.1.1 -t
Ping 1.1.1.1: 32 data bytes, Press Ctrl_C to break
From 1.1.1.1: bytes=32 seq=1 ttl=254 time=62 ms
From 1.1.1.1: bytes=32 seq=2 ttl=254 time=47 ms
From 1.1.1.1: bytes=32 seq=3 ttl=254 time=140 ms
From 1.1.1.1: bytes=32 seq=4 ttl=254 time=31 ms
--- 1.1.1.1 ping statistics ---
  4 packet(s) transmitted
  4 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/70/140 ms

As we can see, traffic goes through labnario_1, which confirms that VRRP is working properly. Only the Master forwards traffic to labnario_GW.

Let’s look at the output of the display vrrp command on both routers:

[labnario_1]display vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 12:42:53 UTC-08:00

[labnario_2]display vrrp
  Vlanif100 | Virtual Router 100
    State : Backup
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:32 UTC-08:00
    Last change time : 2013-01-22 12:42:53 UTC-08:00

Router labnario_1 is the Master in the VRRP group and forwards the traffic. Its configured and running priority is 120. The VRRP priority of labnario_2 is 100, the default.

Let’s simulate two cases:

  • labnario_1 fails; we can simulate this by bringing interface Vlanif100 DOWN.
  • A failure in the LAN, simulated by bringing interface Eth0/0/0 DOWN.

I was thinking about how to show you that VRRP is working properly. Please look at the following link; you will find an exe file there with the simulation. You do not have to install anything, just open the file. I did it this way because WordPress does not allow such files to be added directly.

VRRP switchover simulation

In both cases labnario_1 goes into the Initialize state, which means there is no connection between the VRRP routers; labnario_2 is now Master of the VRRP group.

What will happen if interface Ethernet0/0/1 goes DOWN?

Let’s shutdown interface Ethernet0/0/1 of labnario_1:

PC>tracert 1.1.1.1
traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.0.0.10   15 ms  16 ms  31 ms
 2  10.0.0.11   31 ms  32 ms  15 ms
 3  1.1.1.1   63 ms  46 ms  47 ms

Traffic is still directed to labnario_1, which remains the VRRP Master. There is no VRRP switchover because Ethernet0/0/1 is not in the LAN where VRRP runs, so its failure is not detected without interface tracking.

We can avoid this situation by tracking interface Ethernet 0/0/1 in the VRRP configuration of labnario_1. If Eth0/0/1 fails, the VRRP priority of labnario_1 is reduced to 80, a switchover between labnario_1 and labnario_2 is performed and labnario_2 becomes VRRP Master.

Let’s configure interface tracking:

[labnario_1]int Vlanif  100
[labnario_1-Vlanif100]vrrp vrid 100 track interface Ethernet 0/0/1 reduced 40

[labnario_1]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Track IF : Ethernet0/0/1   Priority reduced : 40
    IF state : UP
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 13:46:34 UTC-08:00

Let’s shut down interface Eth0/0/1 once again and check what happens:

[labnario_1-Ethernet0/0/1]shutdown

[labnario_1-Ethernet0/0/1]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Backup
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.11
    PriorityRun : 80
    PriorityConfig : 120
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Track IF : Ethernet0/0/1   Priority reduced : 40
    IF state : DOWN
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 14:17:44 UTC-08:00

[labnario_2]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.11
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:32 UTC-08:00
    Last change time : 2013-01-22 14:17:45 UTC-08:00

How to make VRRP switchover faster?

You can configure a BFD session between the VRRP routers (on both of them) and track this BFD session in the VRRP configuration of labnario_2. If the LAN connection between the routers fails, the BFD session goes DOWN, which triggers the VRRP switchover within milliseconds.

[labnario_1]bfd VRRP_test bind peer-ip 10.0.0.11 interface Vlanif 100
[labnario_1-bfd-session-VRRP_test]discriminator local 1
[labnario_1-bfd-session-VRRP_test]discriminator remote 2
[labnario_1-bfd-session-VRRP_test]commit

[labnario_2]bfd VRRP_test bind peer-ip 10.0.0.10 interface Vlanif 100
[labnario_2-bfd-session-VRRP_test]discriminator local 2
[labnario_2-bfd-session-VRRP_test]discriminator remote 1
[labnario_2-bfd-session-VRRP_test]commit

[labnario_2]dis bfd ses all
--------------------------------------------------------------------------------

Local Remote     PeerIpAddr      State     Type        InterfaceName            

--------------------------------------------------------------------------------
2     1          10.0.0.10       Up        S_IP_IF     Vlanif100                

--------------------------------------------------------------------------------

     Total UP/DOWN Session Number : 1/0

[labnario_2-Vlanif100]vrrp vrid 100 track bfd-session 2 increased 40

If the LAN connection between the routers fails, the VRRP priority of labnario_2 will increase to 140 and labnario_2 will become Master of the VRRP group.
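The priority arithmetic behind the display vrrp outputs above (120 against 100, minus 40 when the tracked Ethernet0/0/1 is DOWN, plus 40 when the tracked BFD session is DOWN), as an added Python example that is not part of the post or of Huawei’s implementation; it generalizes to any number of tracked interfaces and BFD sessions, and the class and function names are my own:

```python
"""VRRP master election with interface and BFD tracking, using the post's values.

Added example, not code from the post or from Huawei. It models what display
vrrp reports: the running priority is the configured priority, minus 'reduced'
for each tracked interface that is DOWN and plus 'increased' for each tracked
BFD session that is DOWN, clamped to 1..254 (255 is reserved for the address
owner, RFC 5798). With preemption enabled the router with the highest running
priority is Master; ties go to the higher primary IP address. The virtual MAC
0000-5e00-01xx is derived from the VRID. The LAN-split case only shows the
priority outcome; in reality each router would also stop hearing the other's
advertisements.
"""


def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-{VRID}, printed the Huawei way."""
    return "0000-5e00-01%02x" % vrid


class VrrpRouter:
    def __init__(self, name, ip, priority=100):        # 100 is the VRRP default
        self.name, self.ip, self.priority_config = name, ip, priority
        self.track_if = {}    # interface -> [reduced, state]
        self.track_bfd = {}   # local discriminator -> [increased, state]

    def track_interface(self, ifname, reduced):
        self.track_if[ifname] = [reduced, "UP"]

    def track_bfd_session(self, disc, increased):
        self.track_bfd[disc] = [increased, "UP"]

    def set_interface(self, ifname, state):
        self.track_if[ifname][1] = state

    def set_bfd(self, disc, state):
        self.track_bfd[disc][1] = state

    def priority_run(self):
        p = self.priority_config
        p -= sum(r for r, s in self.track_if.values() if s == "DOWN")
        p += sum(i for i, s in self.track_bfd.values() if s == "DOWN")
        return max(1, min(254, p))


def elect_master(routers):
    """Highest running priority wins; the higher primary IP address breaks ties."""
    return max(routers, key=lambda r: (r.priority_run(),
                                       tuple(int(o) for o in r.ip.split("."))))


def scenario():
    """Replay the three states shown by the post's display vrrp outputs."""
    r1 = VrrpRouter("labnario_1", "10.0.0.10", priority=120)
    r2 = VrrpRouter("labnario_2", "10.0.0.11")
    r1.track_interface("Ethernet0/0/1", reduced=40)   # track interface Ethernet0/0/1 reduced 40
    r2.track_bfd_session(2, increased=40)             # track bfd-session 2 increased 40
    group = [r1, r2]

    def state():
        return elect_master(group).name, r1.priority_run(), r2.priority_run()

    steady = state()                                  # labnario_1 Master, 120 vs 100
    r1.set_interface("Ethernet0/0/1", "DOWN")         # uplink of labnario_1 shut down
    uplink_down = state()                             # labnario_1 drops to 80, labnario_2 Master
    r1.set_interface("Ethernet0/0/1", "UP")
    r2.set_bfd(2, "DOWN")                             # LAN path between the routers lost
    lan_split = state()                               # labnario_2 rises to 140
    return steady, uplink_down, lan_split, virtual_mac(100)
```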

To assure communication between the routers in the VRRP group, it is recommended to add a direct L2 connection between them. In practice we can use trunk or Eth-Trunk interfaces. How to configure Eth-Trunk interfaces is described in link aggregation (IEEE 802.3ad) on Huawei S5700.

If Ethernet 0/0/0 of labnario_1 fails, labnario_1 remains Master, because the connection between the VRRP routers is preserved and traffic goes to labnario_2 and then on to labnario_1 over the Eth-Trunk links.

Final configs:

sysname labnario_1
#
vlan batch 100
#
bfd
#
interface Vlanif100
 ip address 10.0.0.10 255.255.255.0
 vrrp vrid 100 virtual-ip 10.0.0.254
 vrrp vrid 100 priority 120
 vrrp vrid 100 track interface Ethernet0/0/1 reduced 40
#
interface Ethernet0/0/0
 portswitch
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 ip address 172.16.0.1 255.255.255.0
#
bfd VRRP_test bind peer-ip 10.0.0.11 interface Vlanif100
 discriminator local 1
 discriminator remote 2
 commit
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 172.16.0.0 0.0.0.255

sysname labnario_2
#
vlan batch 100
#
bfd
#
interface Vlanif100
 ip address 10.0.0.11 255.255.255.0
 vrrp vrid 100 virtual-ip 10.0.0.254
 vrrp vrid 100 track bfd-session 2
#
interface Ethernet0/0/0
 portswitch
 port hybrid pvid vlan 100
#
interface Ethernet0/0/1
 ip address 172.16.1.1 255.255.255.0
#
bfd VRRP_test bind peer-ip 10.0.0.10 interface Vlanif100
 discriminator local 2
 discriminator remote 1
 commit
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 172.16.1.0 0.0.0.255

sysname labnario_GW
#
interface Ethernet0/0/0
 ip address 172.16.0.2 255.255.255.0
#
interface Ethernet0/0/1
 ip address 172.16.1.2 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 172.16.0.0 0.0.0.255
  network 172.16.1.0 0.0.0.255


IPSec on Huawei AR router

How to secure communication between two sites connected to the Internet?

Use a site-to-site IPsec VPN tunnel between the two Huawei routers. IPsec is an open standard protocol suite, defined by the IETF in RFCs 2401, 2402-2412 and 2451. It is widely used for securing traffic on IP networks, including the Internet, and can encrypt data between various devices: router to router, firewall to router, desktop to router and desktop to server.

How to configure IPsec VPN using Huawei CLI?

Let’s assume that we have two sites, Site1 and Site2. Both sites have PCs connected to the LAN network, PC1 and PC2 respectively. The sites are connected through WAN network (in our case labnarioR2 router simulates WAN). We want to secure communication between PC1 and PC2. To do so, we have to configure IPSec VPN tunnel between both sites. In our case tunnel will be established between labnarioR1 and labnarioR3 routers. Both routers will be responsible for data encryption and decryption using specified algorithms.

To secure IPSec tunnel, I will use:

  • shared key between labnarioR1 and labnarioR3 routers
  • ESP protocol for security algorithms negotiation
  • SHA1 for authentication and 3DES for encryption
  • IKE for key exchange and SA establishment.

Traffic encryption and decryption will be done on both labnarioR1 and labnarioR3, so those two routers are the ones I have to configure to establish the IPsec VPN tunnel. The labnarioR2 router only simulates the WAN cloud and has nothing to do with IPsec.

Do not forget to provide IP connectivity between routers and PCs. This is omitted here.

I want to encrypt IP traffic travelling between LAN networks 10.1.1.0/24 and 172.16.1.0/24. To do so, I need to match this traffic using ACL on labnarioR1 and labnarioR3:

[labnarioR1]acl 3000
[labnarioR1-acl-adv-3000]rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

[labnarioR3]acl 3000
[labnarioR3-acl-adv-3000]rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Now I can configure the IPsec proposal and define the following parameters:

  • Packet encapsulation format (tunnel or transport; I will use tunnel, as this is a site-to-site model)
  • Security protocol (I will use ESP)
  • Encryption and authentication algorithms (as mentioned above, 3DES and SHA1 respectively).

[labnarioR1]ipsec proposal PROPOSAL1
[labnarioR1-ipsec-proposal-PROPOSAL1]encapsulation-mode tunnel
[labnarioR1-ipsec-proposal-PROPOSAL1]transform esp
[labnarioR1-ipsec-proposal-PROPOSAL1]esp authentication-algorithm sha1
[labnarioR1-ipsec-proposal-PROPOSAL1]esp encryption-algorithm 3des

To define the IKE peer (note that the pre-shared key is entered with the simple keyword, so it is kept in plain text in the configuration, as the final configs show):

[labnarioR1]ike peer PEER-LABNARIOR3 V1
[labnarioR1-ike-peer-PEER-LABNARIOR3]pre-shared-key simple LaBnArIoKeY
[labnarioR1-ike-peer-PEER-LABNARIOR3]remote-address 150.100.23.3

Now I can define the IPsec policy, tying together the proposal, the ACL and the IKE peer:

[labnarioR1]ipsec policy POLICY1 10 isakmp
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]proposal PROPOSAL1
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]security acl 3000
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]ike-peer PEER-LABNARIOR3

To attach IPSec policy to my WAN interface:

[labnarioR1]int Ethernet0/0/0
[labnarioR1-Ethernet0/0/0]ipsec policy POLICY1

The same configuration has to be done on the labnarioR3 router:

#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR1
 proposal PROPOSAL1
#
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1
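Before generating traffic it is worth checking that both ends actually agree. The following added example (not the post’s or Huawei’s code) runs such checks over the two configurations above, embedded as strings; the finding texts and function names are my own:

```python
"""Consistency checks for the site-to-site IPsec pair configured in the post.

Added example, not code from the post or from Huawei. It parses the relevant
parts of the labnarioR1 and labnarioR3 configurations (embedded below, taken
from the post) and verifies what must agree for the tunnel to come up and stay
secure: mirrored ACL rules, identical ESP algorithms, matching pre-shared keys,
a policy applied on an interface, and each remote-address pointing at the
interface where the peer applies its policy. It also flags a pre-shared key
entered with 'simple', which leaves it in plaintext in the configuration.
"""
import re

R1_CONFIG = """\
acl number 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike peer PEER-LABNARIOR3 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.23.3
interface Ethernet0/0/0
 ip address 150.100.12.1 255.255.255.0
 ipsec policy POLICY1
"""

R3_CONFIG = """\
acl number 3000
 rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1
"""

PATTERNS = {
    "rule": re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)"),
    "esp": re.compile(r"esp (authentication|encryption)-algorithm (\S+)"),
    "psk": re.compile(r"pre-shared-key (simple|cipher) (\S+)"),
    "remote": re.compile(r"remote-address (\S+)"),
    "if_ip": re.compile(r"ip address (\S+) \S+"),
}


def parse_site(text):
    """Extract only the fields the checks need from a VRP-style config snippet."""
    site = {"rules": set(), "esp": {}, "psk": None, "psk_mode": None,
            "remote": None, "if_ip": None, "policy_on_if": False}
    for line in text.splitlines():
        line = line.strip()
        if m := PATTERNS["rule"].match(line):
            site["rules"].add(m.groups())            # (src, src_wc, dst, dst_wc)
        elif m := PATTERNS["esp"].match(line):
            site["esp"][m.group(1)] = m.group(2)
        elif m := PATTERNS["psk"].match(line):
            site["psk_mode"], site["psk"] = m.groups()
        elif m := PATTERNS["remote"].match(line):
            site["remote"] = m.group(1)
        elif m := PATTERNS["if_ip"].match(line):
            site["if_ip"] = m.group(1)
        elif line.startswith("ipsec policy") and site["if_ip"]:
            site["policy_on_if"] = True             # policy line inside an interface
    return site


def check_pair(a, b, names=("site A", "site B")):
    """Return a list of findings; an empty list means the two sites agree."""
    findings = []
    if a["rules"] != {(d, dw, s, sw) for s, sw, d, dw in b["rules"]}:
        findings.append("ACL rules are not mirror images of each other")
    if a["esp"] != b["esp"]:
        findings.append("ESP algorithms differ: %s vs %s" % (a["esp"], b["esp"]))
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    for name, site, peer in ((names[0], a, b), (names[1], b, a)):
        if site["remote"] != peer["if_ip"]:
            findings.append("%s remote-address %s is not the peer's interface %s"
                            % (name, site["remote"], peer["if_ip"]))
        if not site["policy_on_if"]:
            findings.append("%s has no ipsec policy applied on an interface" % name)
        if site["psk_mode"] == "simple":
            findings.append("%s stores the pre-shared key in plaintext (simple)" % name)
    return findings


def audit_post_configs():
    """Run the checks over the two configurations from the post."""
    return check_pair(parse_site(R1_CONFIG), parse_site(R3_CONFIG),
                      ("labnarioR1", "labnarioR3"))
```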

To bring IPsec VPN tunnel up, IP traffic should be generated between PC1 and PC2. To do so, just ping PC2 from PC1 or vice versa. Let’s verify if our tunnel is up.

To display IKE security associations:

[labnarioR1]display ike sa 
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
       52    150.100.23.3    0     RD|ST                  2     
       28    150.100.23.3    0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

To display IPsec security associations:

[labnarioR1]display ipsec sa brief

Number of SAs:0
    Src address     Dst address        SPI    VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
   150.100.23.3    150.100.12.1  641342674      0    ESP   E:3DES A:SHA1-96
   150.100.12.1    150.100.23.3  228173657      0    ESP   E:3DES A:SHA1-96

To check that traffic between PC1 and PC2 travels through the VPN tunnel, check the ACL matches and the IKE/IPsec packet statistics:

[labnarioR1]dis acl 3000
Advanced ACL 3000, 1 rule
ACL's step is 5
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 (10 times matched)

[labnarioR1]dis ike statistics v1 

----------------------------------------------------------

 IKE V1 statistics information
 Number of total peers                        : 18
 Number of policy peers                       : 1
 Number of profile peers                      : 17
 Number of proposals                          : 1
 Number of established V1 phase 1 SAs         : 1
 Number of established V1 phase 2 SAs         : 1
 Number of total V1 phase 1 SAs               : 1
 Number of total V1 phase 2 SAs               : 1
 Number of total SAs                          : 2
 Keep alive time                              : 0
 Keep alive interval                          : 0
 keepalive spi list                           : Disable
----------------------------------------------------------

[labnarioR1]dis ipsec statistics esp 
 Inpacket count            : 3435973836
 Inpacket auth count       : 3435973836
 Inpacket decap count      : 3435973836
 Outpacket count           : 3435973836
 Outpacket auth count      : 3435973836
 Outpacket encap count     : 3435973836
 Inpacket drop count       : 3435973836
 Outpacket drop count      : 3435973836
 BadAuthLen count          : 3435973836
 AuthFail count            : 3435973836
 PktDuplicateDrop count    : 3435973836
 PktSeqNoTooSmallDrop count: 3435973836
 PktInSAMissDrop count     : 3435973836

As you see, the IPsec statistics look strange: every counter shows 3435973836, which is 0xCCCCCCCC, a typical fill pattern for uninitialized memory rather than a real count. This is because these commands were run on eNSP. It looks like IPsec does not actually work on eNSP even though all the configuration and display commands are available. When tested on AR19 routers, everything was fine.

Debugging commands:

<labnarioR1>debugging ike ?
  all        All IKE debugging functions
  dpd        IKE debug for dpd
  error      Error debugging functions
  exchange   IKE exchange debugging functions
  message    IKE message debugging functions
  misc       All other debugging functions
  packet     IKE packet content debugging function
  sa         Security Association
  sysdep     Information with IPSec debugging functions
  task       IKE debug for main task entry
  transport  Transport debugging functions
  xauth      Information with IPSec debugging functions

<labnarioR1>debugging ipsec ?
  all     All switches
  hw      Hardware infomation
  misc    All other debugging function
  packet  Packet debugging function
  sa      SA debugging function

Final configs:

sysname labnarioR1
#
acl number 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR3 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.23.3
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR3
 proposal PROPOSAL1
#
interface Ethernet0/0/0
 ip address 150.100.12.1 255.255.255.0
 ipsec policy POLICY1

sysname labnarioR3
#
acl number 3000
 rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR1
 proposal PROPOSAL1
#
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1
