Friday, February 28 2025

Huawei certification

Is it worth passing Huawei certification exams?

Maybe some of you will say “yes, it is”.

Maybe some of you will be sceptical.

For those who want to know more about Huawei certification, here is a link to the official Huawei website.

For those who want to read more news about Huawei certification I can recommend an interview by IT Certification Master.

What is your opinion about Huawei certification? Have you had any experience with the Huawei certification track?

You are invited to share your opinion. Any comments are appreciated.

It is certainly worth talking about 🙂


mirroring on Huawei AR19/29/49 routers

If you want to look into packets sent or received by a router, and there is no way to display them with a command, the simplest and fastest way is to use mirroring. Unfortunately, in the case of AR routers, you have to go on-site to connect a packet analyser (for example Wireshark). Unlike NE routers, AR routers do not support remote mirroring.

There are two types of mirroring on AR routers:

  • port mirroring

Port mirroring copies all packets from a mirroring port to another port, called the monitor port, to which the monitoring device is connected. AR routers support local port mirroring in the inbound and outbound directions.

  • traffic mirroring

Traffic mirroring copies specific packets, selected by a QoS policy, and sends them to a designated interface for analysis. Traffic mirroring is supported on AR29 and AR49 routers.

Example of port mirroring configuration (system-view):

Create a local mirroring group:

[labnario] mirroring-group 1 local

Configure the mirroring port (source port):

[labnario] mirroring-group 1 mirroring-port ethernet 1/2 inbound

Finally, configure the monitor port for the local mirroring group:

[labnario] mirroring-group 1 monitor-port ethernet 1/1

Connect the packet analyser to ethernet 1/1 and capture packets.

You can also configure port mirroring in interface view. The result is the same.

Example of traffic mirroring configuration:

Let’s assume that we have a host, with IP 10.255.1.10, connected to interface ethernet 1/2 of an AR29 router. We want to monitor all packets received from this host. As the monitor port we will use interface ethernet 1/3.

Create an ACL to permit all packets from source IP address 10.255.1.10:

[labnario] acl number 2100
[labnario-acl-basic-2100] rule permit source 10.255.1.10 0

Configure a traffic classifier that matches ACL 2100:

[labnario] traffic classifier mirroring
[labnario-classifier-mirroring] if-match acl 2100

Configure a traffic behavior that mirrors traffic to interface ethernet 1/3:

[labnario] traffic behavior mirroring
[labnario-behavior-mirroring] mirror-to interface ethernet 1/3

Bind the traffic classifier to the traffic behavior to create a QoS policy, and apply this policy to ethernet 1/2 in the inbound direction:

[labnario] qos policy mirroring
[labnario-qospolicy-mirroring] classifier mirroring behavior mirroring
[labnario-qospolicy-mirroring] quit
[labnario] interface ethernet 1/2
[labnario-Ethernet1/2] qos apply policy mirroring inbound

Connect the packet analyser to ethernet 1/3 and capture packets.


ACL and PBR on Huawei CX600

Access Control List (ACL)

There are five types of ACLs on Huawei devices. On the CX600 they are:

  1. Basic ACL (number ranges from 2000 to 2999) classifies packets based on a source address
  2. Advanced ACL (number ranges from 3000 to 3999) classifies packets based on source address, destination address, source port number, destination port number, and protocol type
  3. Interface-based ACL (number ranges from 1000 to 1999) classifies packets based on the interface from which the packets are received
  4. Ethernet Frame Header ACL (number ranges from 4000 to 4099) classifies packets based on source and destination MAC addresses
  5. User ACL (number ranges from 6000 to 9999) classifies packets based on user groups.

The order of the rules depends on the rule ID and the rule matching order. There are two matching orders:

  • Configuration order – ACL rules are matched based on their configuration order. Rule IDs can be configured by the user or generated automatically by the system according to the ACL step. By default the system generates 5 as the first rule ID, so the next rule IDs will be 10, 15 and so on. At any time you can configure a rule ID manually, for example rule 1, and this rule will be placed before rule 5. You can also delete a specific rule at any time without deleting the whole ACL.
  • Automatic order – the most precise rule is taken first. This is implemented through the comparison of wildcard masks. The system assigns rule IDs automatically.

The default action defined in the ACL rule is deny.

An ACL is actually used to classify packets. It does not filter packets by itself, but we can use it in conjunction with other functions, such as policy-based routing, firewall and traffic classification, to filter packets.
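The two matching orders described above, modelled in Python as an added example (it is not Huawei code and not from the original post). The automatic order is simplified to "fewest wildcard bits first", the ID numbering rule is an assumption, and all function names and sample rules are hypothetical.

```python
import ipaddress

STEP = 5  # default ACL step from the text above


def _ip(value):
    return int(ipaddress.IPv4Address(value))


def wildcard_bits(rule):
    """Count the 'don't care' bits of the wildcard; 0 means a single host."""
    return bin(_ip(rule["wildcard"])).count("1")


def matches(rule, src):
    """Bits set in the wildcard are ignored, all other bits must be equal."""
    care = ~_ip(rule["wildcard"]) & 0xFFFFFFFF
    return (_ip(src) & care) == (_ip(rule["source"]) & care)


def config_order(entries):
    """Rules are checked in rule-ID order. Entries without an ID get the next
    multiple of STEP above the highest ID so far (assumed numbering rule)."""
    rules, highest = [], 0
    for entry in entries:
        rule_id = entry.get("id") or (highest // STEP + 1) * STEP
        highest = max(highest, rule_id)
        rules.append({**entry, "id": rule_id})
    return sorted(rules, key=lambda r: r["id"])


def auto_order(entries):
    """Most precise rule first (simplified); the system assigns the IDs."""
    ordered = sorted(entries, key=wildcard_bits)  # stable: ties keep input order
    return [{**e, "id": (i + 1) * STEP} for i, e in enumerate(ordered)]


def evaluate(rules, src):
    """Return (action, rule_id) of the first matching rule, else the default deny."""
    for rule in rules:
        if matches(rule, src):
            return rule["action"], rule["id"]
    return "deny", None


# Constructed rules: a /24 permit plus one host inside it that must be refused.
PERMIT_NET = {"action": "permit", "source": "172.16.10.0", "wildcard": "0.0.0.255"}
DENY_HOST = {"action": "deny", "source": "172.16.10.99", "wildcard": "0.0.0.0"}

if __name__ == "__main__":
    cases = [
        ("config order, deny added last", config_order([PERMIT_NET, DENY_HOST])),
        ("config order, deny as rule 1", config_order([PERMIT_NET, {**DENY_HOST, "id": 1}])),
        ("automatic order", auto_order([PERMIT_NET, DENY_HOST])),
    ]
    for label, rules in cases:
        print(label, "->", evaluate(rules, "172.16.10.99"))
```

In configuration order a host exception added after the network permit never takes effect unless it is given a lower rule ID; in automatic order it is placed first without manual numbering.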

A simple example of using an ACL is to limit incoming calls for VTY user interfaces:

#
acl number 2500
 rule 5 permit source 172.16.10.0 0.0.0.255
#
user-interface vty 0 4
 acl 2500 inbound
#
<labnario>dis acl 2500
Basic ACL 2500, 1 rule
Acl's step is 5
 rule 5 permit source 172.16.3.0 0.0.0.255

Policy-based routing (PBR)

Let’s assume that we have a topology like this:

We have to force router CX_1 to choose interface G7/5/0 and next hop 10.0.2.2 to forward traffic from source IP 5.5.5.5 to destination IP 15.15.15.15. The rest of the traffic should go through interface G7/5/7.

Configure IP addresses based on this topology.

Use the OSPF protocol to ensure communication in the tested network. Let’s take CX_1 as an example:

#
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.2.0 0.0.0.3
  network 10.0.0.0 0.0.0.3
  network 6.6.6.6 0.0.0.0
#

Configure OSPF for the remaining routers.

Increase the OSPF cost of one of the links between CX_1 and CX_2 to exclude load-balancing:

#
interface GigabitEthernet7/5/0
 ospf cost 100
#

Display the routing table of AR29 to check that all necessary subnets are available through OSPF (display ip routing-table).

Configure an ACL on CX_1 which permits IP source 5.5.5.5 to send packets to destination IP 15.15.15.15:

[CX_1]acl number 3000
[CX_1-acl-3000]rule 5 permit ip source 5.5.5.5 0 destination 15.15.15.15 0

Configure a traffic classifier and a traffic behavior for the classified packets:

#
traffic classifier labnario
 if-match acl 3000
#
traffic behavior labnario
 redirect ip-nexthop 10.0.2.2 interface GigabitEthernet7/5/0
#

Configure a traffic policy and assign it to interface G7/5/5 in the inbound direction:

#
traffic policy labnario
 statistics enable
 classifier labnario behavior labnario
#
interface GigabitEthernet7/5/5
 traffic-policy labnario inbound
#

Let’s now check the result of this traffic policy. On the AR29 router we can use the tracert command to see which path traffic takes to 15.15.15.15.

<AR29>tracert -a 5.5.5.5 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 4 ms  2 ms  7 ms
2   10.0.2.2 3 ms  4 ms  5 ms

As we can see, the traffic policy is working correctly, choosing 10.0.2.2 as the IP next hop.

Now we can try the same without source IP 5.5.5.5:

<AR29>tracert 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 3 ms  1 ms  1 ms
2   10.0.1.2 3 ms  2 ms  2 ms

We can see that policy-based routing is working properly for traffic classified by ACL 3000. The rest of the traffic is routed according to the IP routing table.

We can also check statistics for this traffic policy, using ping to generate traffic. Ping from AR29 and check the statistics on CX_1:

<AR29>ping -a 5.5.5.5 -c 100 -m 100 15.15.15.15
<CX_1>display traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                19                      2,640
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 0                        288

<AR29>ping -c 100 -m 100 15.15.15.15
<CX_1>dis traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                               126                     13,956
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 3                      2,648
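The two counter snapshots above can be compared mechanically to confirm which traffic the classifier actually caught. The following Python sketch is an added example, not part of the original post: the function names are hypothetical, the snapshot text is excerpted from the outputs above, and the all-zero baseline is a constructed assumption (counters right after a reset).

```python
import re

ROW = re.compile(r"^\s*(?:\+--)?(\w+)\s+([\d,]+)\s+([\d,]+)\s*$")

# Excerpts of the two "display traffic policy statistics" outputs shown above.
SNAP_SRC_PING = """\
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
Missed                                19                      2,640
Last 30 seconds rate
Item                                 pps                        bps
Missed                                 0                        288
"""
SNAP_PLAIN_PING = SNAP_SRC_PING.replace(
    "Missed                                19                      2,640",
    "Missed                               126                     13,956")


def parse_policy_stats(text):
    """Return {item: (packets, bytes)} from the cumulative table only."""
    counters, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Last 30 seconds rate"):
            break                      # the rate table is not cumulative
        if line.startswith("Item") and "Packets" in line:
            in_table = True
            continue
        m = ROW.match(line)
        if in_table and m:
            name, pkts, byts = m.groups()
            counters[name] = (int(pkts.replace(",", "")), int(byts.replace(",", "")))
    return counters


def delta(before, after):
    """Per-item (packets, bytes) growth between two snapshots."""
    return {k: (after[k][0] - before[k][0], after[k][1] - before[k][1])
            for k in after if k in before}


def classify_run(before, after, sent):
    """Say what the policy did with a test run of `sent` packets."""
    d = delta(before, after)
    if d["Dropped"][0]:
        return "dropped by policy"
    if d["Matched"][0] >= sent:
        return "matched classifier"
    if d["Matched"][0] == 0:
        return "missed classifier"
    return "partially matched"


# Constructed baseline (assumption): all counters at zero after a reset.
ZERO = {name: (0, 0) for name in ("Matched", "Passed", "Dropped", "Missed")}

if __name__ == "__main__":
    first = parse_policy_stats(SNAP_SRC_PING)
    second = parse_policy_stats(SNAP_PLAIN_PING)
    print("ping -a 5.5.5.5:", classify_run(ZERO, first, 100))
    print("plain ping:     ", classify_run(first, second, 100), delta(first, second))
```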

You can also configure policy-based routing in MPLS L3VPN to allow some IP traffic (based on ACL) from one VPN to be redirected to another VPN. Maybe I will show you such configuration in the future.

Any questions or comments are welcome.


Huawei Network Quality Analyzer (NQA)

What is NQA?

It is a feature that functions above the link layer to measure the performance of protocols running at the network layer, transport layer and application layer. It is useful for monitoring the network and locating faults occurring in it. NQA can accurately test the network and collect statistics as well. You can configure and display NQA statistics through the CLI but, as NQA is fully supported by Huawei NMS, you can also do this in the GUI.

Most Huawei devices support NQA, but the configuration can vary a little between NE routers, AR routers and switches. Of course we can perform more advanced tests on carrier-class devices. In this post we will focus on the CLI and use a CX600 router as an example.

NQA tests supported by CX600:
  • ICMP test
  • DHCP test
  • FTP test
  • HTTP test
  • DNS test
  • Traceroute test
  • SNMP test
  • TCP test
  • UDP test
  • ICMP Jitter test
  • UDP Jitter test
  • LSP Ping test
  • LSP Traceroute test
  • LSP Jitter test
  • MTrace test
  • MPing test
  • PWE3 Ping test
  • PWE3 Trace test
  • MAC Ping test
  • MACTunnel Ping test
  • VPLS MAC Ping
  • VPLS MAC Trace
  • Path Jitter test
  • Path MTU test
  • Jitter test based on the mechanism that the LPU sends packets
  • ICMP Jitter test based on the mechanism that the LPU sends packets
  • VPLS Mping test
  • VPLS Mtrace test

Let’s configure a few examples. Our test topology is shown below:

To ensure communication between loopback interfaces, use static routes or a dynamic routing protocol. In this case static routing has been configured on both routers. We will use CX_1 as the NQA client:

[CX_1]ip route-static 172.16.200.2 255.255.255.255 10.100.200.2

NQA ICMP test

[CX_1]nqa test-instance labnario ICMP
 test-type icmp
 destination-address ipv4 172.16.200.2
 source-address ipv4 172.16.200.1

Use the “start” command to start the test.

You can display the results of the ICMP test with the command:

[CX_1]dis nqa results test-instance labnario ICMP

 NQA entry(labnario, ICMP) :testflag is inactive ,testtype is icmp
  1 . Test 1 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Attempts number:1                    Drop operation number:0
   Disconnect operation number:0        Operation timeout number:0
   System busy operation number:0       Connection fail number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   Destination ip address:172.16.200.2
   Min/Max/Average Completion Time: 1/7/4
   Sum/Square-Sum  Completion Time: 14/86
   Last Good Probe Time: 2012-01-30 14:59:03.7
   Lost packet ratio: 0 %

By default, the command output shows the results of the latest five tests.
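The Sum/Square-Sum line in the result above is enough to recover the spread of the probe times, which the device does not print. The parser below is an added Python example, not part of the original post: function names and thresholds are hypothetical, the sample is an excerpt of the output above, and it assumes the sums are taken over the received responses.

```python
import math
import re

# Excerpt of the ICMP result shown above.
SAMPLE = """\
 NQA entry(labnario, ICMP) :testflag is inactive ,testtype is icmp
  1 . Test 1 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Min/Max/Average Completion Time: 1/7/4
   Sum/Square-Sum  Completion Time: 14/86
   Lost packet ratio: 0 %
"""

# "Name: value" pairs; the device prints up to two per line.
FIELD = re.compile(r"([A-Za-z][A-Za-z/ -]*?)\s*:\s*(\S+)")
TEST_HEADER = re.compile(r"^\s*\d+ \. Test \d+ result.*$", re.M)


def parse_results(text):
    """Return one dict per 'Test N result' block (up to five are displayed)."""
    results = []
    for block in TEST_HEADER.split(text)[1:]:
        fields = {" ".join(k.split()): v for k, v in FIELD.findall(block)}
        received = int(fields["Receive response times"])
        total, squares = map(int, fields["Sum/Square-Sum Completion Time"].split("/"))
        mean = total / received if received else 0.0
        variance = squares / received - mean ** 2 if received else 0.0
        results.append({
            "completion": fields["Completion"],
            "sent": int(fields["Send operation times"]),
            "received": received,
            "loss_pct": int(fields["Lost packet ratio"]),
            "mean": mean,                          # device prints the truncated value
            "stddev": math.sqrt(max(variance, 0.0)),
        })
    return results


def findings(result, max_loss_pct=0, max_stddev=5.0):
    """Reasons to look closer at a result (thresholds are illustrative)."""
    reasons = []
    if result["completion"] != "success":
        reasons.append("completion is " + result["completion"])
    if result["loss_pct"] > max_loss_pct:
        reasons.append("loss %d%% > %d%%" % (result["loss_pct"], max_loss_pct))
    if result["stddev"] > max_stddev:
        reasons.append("stddev %.2f > %.2f" % (result["stddev"], max_stddev))
    return reasons


if __name__ == "__main__":
    for r in parse_results(SAMPLE):
        print("mean %.2f stddev %.2f" % (r["mean"], r["stddev"]), findings(r))
```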

NQA trace test

[CX-1]nqa test-instance labnario trace
 test-type trace
 destination-address ipv4 172.16.200.2
 source-address ipv4 172.16.200.1
 start now

[CX-1]dis nqa results test-instance labnario trace

 NQA entry(labnario, trace) :testflag is inactive ,testtype is trace
  1 . Test 1 result   The test is finished
   Completion:success                   Attempts number:1
   Disconnect operation number:0        Operation timeout number:0
   System busy operation number:0       Connection fail number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   Drop operation number:0
   Last good path Time:2012-01-30 15:06:55.3
   1 . Hop 1
    Send operation times: 3              Receive response times: 3
    Min/Max/Average Completion Time: 3/10/6
    Sum/Square-Sum  Completion Time: 18/134
    RTD OverThresholds number: 0
    Last Good Probe Time: 2012-01-30 15:06:55.3
    Destination ip address:10.100.200.2
    Lost packet ratio: 0 %

NQA Jitter test

First configure the CX_2 router as the NQA server:

[CX_2]nqa-server udpecho 172.16.200.2 9000

Configure the NQA test on CX_1:

[CX_1]nqa test-instance labnario jitter
 test-type jitter
 destination-address ipv4 172.16.200.2
 destination-port 9000
 start now

[CX_1]dis nqa results test-instance labnario jitter

 NQA entry(labnario, jitter) :testflag is inactive ,testtype is jitter
  1 . Test 1 result   The test is finished
   SendProbe:60                         ResponseProbe:60
   Completion:success                   RTD OverThresholds number:0
   OWD OverThresholds SD number:0       OWD OverThresholds DS number:0
   Min/Max/Avg/Sum RTT:1/20/2/117       RTT  Square Sum:699
   NumOfRTT:60                          Drop operation number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   System busy operation number:0       Operation timeout number:0
   Min Positive SD:1                    Min Positive DS:1
   Max Positive SD:10                   Max Positive DS:13
   Positive SD Number:9                 Positive DS Number:21
   Positive SD Sum:60                   Positive DS Sum:72
   Positive SD Square Sum:482           Positive DS Square Sum:584
   Min Negative SD:1                    Min Negative DS:1
   Max Negative SD:14                   Max Negative DS:11
   Negative SD Number:9                 Negative DS Number:22
   Negative SD Sum:50                   Negative DS Sum:83
   Negative SD Square Sum:454           Negative DS Square Sum:641
   Min Delay SD:0                       Min Delay DS:0
   Avg Delay SD:0                       Avg Delay DS:0
   Max Delay SD:10                      Max Delay DS:9
   Delay SD Square Sum:161              Delay DS Square Sum:112
   Packet Loss SD:0                     Packet Loss DS:0
   Packet Loss Unknown:0                Average of Jitter:4
   Average of Jitter SD:6               Average of Jitter DS:3
   jitter out value:0.1145833           jitter in value:0.1614583
   NumberOfOWD:60                       Packet Loss Ratio: 0%
   OWD SD Sum:39                        OWD DS Sum:18
   ICPIF value: 0                       MOS-CQ value: 0
   TimeStamp unit: ms

Additional useful commands:

  • agetime – configures the aging time of an NQA test; the default is 0, which means the test is not aged
  • clear-records – clears all historical statistics and test results
  • datasize – sets the size of the test packet; the default is 0, in which case the test packet is constructed with 100 bytes
  • fail-percent – sets the percentage of failed probes; if the number of failed probes exceeds this value, the test is considered as failing
  • frequency – sets the interval for the automatic test; not configured by default, which means the test is performed once
  • interval – sets the interval for sending NQA test packets; the default is 20 milliseconds for jitter tests and 4 seconds for all other tests
  • probe-count – sets the number of probes in the NQA test; the default is 3
  • restart – restarts an NQA test
  • send-trap – configures conditions for sending trap messages
  • stop – stops a test.

Of course you can run all the tests you want and check the NQA functionality to confirm that it would be a useful feature in your network.

You are invited to ask questions and share your opinions.


from Huawei CLI – reset recycle-bin

reset recycle-bin

Sometimes new engineers, not familiar with Huawei devices, complain that there is not enough space in flash to upload new software by FTP. The reason is that files have not been permanently deleted from flash. They use the “delete name of file” command to delete files. This command actually moves the deleted file to the recycle bin: the “dir” command no longer displays it, but it still occupies flash memory. To display all files stored in flash, use the “dir /all” command.

<labnario>dir
Directory of flash:/
1  -rw-     12017319  Jan 19 2012 17:30:51   labnario.bin
2  -rw-     12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
3  -rw-         9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 7843 KB free)

Look at what happens if we use the “delete labnario.bin” command:

<labnario>delete labnario.bin
Delete flash:/labnario.bin?[Y/N]:y
...
%Delete file flash:/labnario.bin...Done.

As you can see below, even though the file has been deleted, it still occupies flash memory:

<labnario>dir
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 7843 KB free)

<labnario>dir /all
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg
3  -rw-  12017319  Jan 19 2012 17:30:51   [labnario.bin]

 31877 KB total ( 7843 KB free)

There are two ways to delete this file permanently:

reset recycle-bin

<labnario>reset recycle-bin
Clear flash:/~/labnario.bin ?[Y/N]:y
Clearing files from flash may take a long time. Please wait...
.......
%Cleared file flash:/~/labnario.bin.

delete /unreserved …

<labnario>delete /unreserved labnario.bin
The contents cannot be restored!!! Delete flash:/labnario.bin?[Y/N]:y
Deleting a file permanently will take a long time. Please wait...
.....
%Delete file flash:/labnario.bin...Done.

And here is the result:

<labnario>dir /all
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 19860 KB free)

The file has been deleted successfully 🙂
