Saturday , November 18 2017

ACL matching order on Huawei device

The first what a device has to do is to check if the ACL exists. If it does, the device matches packets against rules, according to the rule ID. We can configure rule IDs manually or they are automatically allocated. In case of automatically allocated rules, there is a certain space between two rule IDs. The size of the space depends on ACL step. By default it is 5 but we can change it by command. In this manner, we can add a rule before the first rule or between rules. ACL rules are displayed in ascending order of rule IDs, not in the order of configuration.

ACL rules can be arranged in two modes: configuration and auto.

In the configuration mode (default mode), we decide which rule should be first, which second and so on and so forth. In this mode, the device matches rules in ascending order of rule IDs. Anytime we can configure an additional rule with smaller rule ID. In such case, later configured rule may be matched earlier. We make such a decision, not the system.

In the auto mode, unlike in the configuration mode, the system automatically allocates rule IDs. We don’t have possibility to specify rule ID. The most precise rule is placed at the beginning of ACL.

When can we use it?

Read More »

port security on Huawei switches

How to prevent unauthorized users from connecting their PCs to an enterprise network? How to prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?

Port Security is a Layer 2 feature, which can be enabled on an interface, to prevent devices with untrusted MAC address, from accessing a switch interface. When enabled, MAC address of the device connected to the port, is dynamically learned by the switch and stored in a memory (by default it is not aged out). Only this MAC address is then allowed to forward traffic over switch port (only one trusted MAC is allowed by default). Every different MAC address will cause the port to go into one of the following states:

  • Protect – packets coming from untrusted MAC address will be dropped,
  • Restrict – packets coming from untrusted MAC address will be dropped and SNMP trap message will be generated (default behavior),
  • Shutdown – port will be put into shutdown state.

Let’s configure  port security feature on a switch port and see, how it works.

<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable

Read More »

GRE over IPSec on Huawei AR routers

If you want to recall how to configure GRE, just look at GRE on Huawei routers.

You can return to IPSec configuration, reading IPSec on Huawei AR router.

Today, I’m going to put them together and try to configure GRE over IPSec.

Based on the topology below, configure IP adresses and OSPF protocol to ensure connectivity between all routers (omitted here).

Configure tunnel interface on labnario_1 and labnario_3:

[labnario_1]interface Tunnel0/0/0
[labnario_1-Tunnel0/0/0] ip address 10.0.0.1 255.255.255.0 
[labnario_1-Tunnel0/0/0] tunnel-protocol gre
[labnario_1-Tunnel0/0/0] source 150.0.0.1
[labnario_1-Tunnel0/0/0] destination 160.0.0.1

Read More »

from Huawei CLI – fixdisk

I’ve had only one case when I used this command and … full success.

Sometimes it can happen that the file system doesn’t work properly. When you run dir command, you can find the space, which usage status is unknown. The system prompts you that the file system should be restored. Then you can run fixdisk command to release the unknown space.

Notice that:

  • It is not recommended to use it when the file system works correctly.
  • It doesn’t help when physical medium is damaged.
  • Do not use it when CPU usage is high.
Lost chains in flash detected, please use fixdisk to recover them!
<labnario>fixdisk flash:
Fixdisk flash: will take long time if needed
%Fixdisk flash: completed.

Read More »