Friday, June 27 2025

from Huawei CLI – lock and send

Today a few words about 2 simple but useful commands: lock and send.

LOCK – prevents unauthorized users from operating on the current terminal interface

SEND – enables the system to transfer messages between user interfaces

Let’s look at how they work on a Huawei S5700 switch.

LOCK
<labnario>lock
Enter Password:
Confirm Password:

 Info: The terminal is locked. 

Enter Password:

<labnario>


how to upgrade stacked S5300 switches

When a single switch is upgraded, services are interrupted for about 3 minutes. This time increases when a stack is upgraded. The methods of upgrading the system software of the S5300 and S6300 are the same, so we can focus on the Huawei S5300 switch as an example. Let’s assume we have 2 switches in the stack.

<labnario> display stack
Stack topology type: Ring
Stack system MAC: 80fb-06b1-69eb
MAC switch delay time: 10 min
Stack reserved vlanid : 100
Slot#     role        Mac address      Priority   Device type
------    ----        --------------   ------     -------
    0     Master      80fb-06b1-69eb   100        S5352C-EI
    1     Standby     80fb-06ab-f6e3   120        S5352C-EI

First, check the free space in the flash memory of the switch. If there is not enough space in the flash to fit the new system software, just delete the old (current) system software, for both Master and Member switches:


Huawei AR1200 NAT configuration

A short NAT (Network Address Translation) description based on AR1200 documentation:

Huawei AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.


local attack defense on Huawei AR routers

Let’s assume that a large number of packets are sent to the CPU of a device. What will happen if most of these packets are malicious attack packets? CPU usage will become high, which can degrade services. In extreme cases it can cause the device to reboot. We can minimize the impact of the attack on network services by enabling the local attack defense function. When such an attack occurs, this function ensures non-stop service transmission.

Attack Defense Policy Supported by AR routers:

CPU attack defense:
  • The device uses blacklists to filter invalid packets sent to the CPU
  • The device limits the rate of packets sent to the CPU based on the protocol type
  • The device schedules packets sent to the CPU based on priorities of protocol packets
  • The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU
  • ALP is enabled to protect HTTP, FTP and BGP sessions. Packets matching characteristics of the sessions are sent at a high rate, so session-related services are ensured.


equivalent of Cisco Private Vlan —> Huawei MUX Vlan

Do you know the Private VLAN feature from Cisco switches? The same feature exists on Huawei switches and is called the MUX VLAN.

How does this feature work?

MUX VLAN isolates Layer 2 traffic between different interfaces in the same VLAN, while still allowing access to common resources.

Look at the topology below. Let’s assume that we want to configure our labnariosw switch, so that:

  • hosts in VLAN10 should be able to ping each other and ping the server in VLAN30
  • hosts in VLAN20 should be able to ping the server in VLAN30 but not each other
  • hosts in VLAN10 should not be able to ping hosts in VLAN20.
