Saturday , November 18 2017

IPSec on Huawei AR router

How to secure communication between two sites connected to the Internet?

Use Site-to-Site IPsec VPN tunnel between two Huawei routers. IPsec VPN is an open standard protocol suite, defined by the IETF in the following RFCs: 2401, 2402-2412, 2451. IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server.

How to configure IPsec VPN using Huawei CLI?

Let’s assume that we have two sites, Site1 and Site2. Both sites have PCs connected to the LAN network, PC1 and PC2 respectively. The sites are connected through WAN network (in our case labnarioR2 router simulates WAN). We want to secure communication between PC1 and PC2. To do so, we have to configure IPSec VPN tunnel between both sites. In our case tunnel will be established between labnarioR1 and labnarioR3 routers. Both routers will be responsible for data encryption and decryption using specified algorithms.

Read More »

Huawei’s equivalent of Cisco’s ‘logging synchronous’

If a router wants you to know something, it wants you to know right now!

Let’s look what will happen if you are entering a long command and the device wants you to be informed about a link’s failure:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2
Jan 15 2013 11:04:18-08:00 Huawei %%01PHY/1/PHY(l)[5]:    GigabitEthernet0/0/0:
change status to down
Jan 15 2013 11:04:18-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[6]:The line protocol
IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
^
Error:Incomplete command found at '^' position.

When you click ‘Enter’ you will have to write the command once again. It is frustrating for all network administrators.

Unfortunately we cannot change it, like on Cisco’s devices, by ‘logging synchronous‘ command.

Read More »

BGP peering with loopback interfaces

Read More »

how does BGP select routes

When there are multiple routes to the same destination, BGP (Border Getaway Protocol)  on Huawei devices:

  • Prefers the route with the largest PreVal. PrefVal is a Huawei-specific parameter. It is valid only on the device where it is configured.
  • Prefers the route with the highest Local_Pref.
  • Prefers a locally originated route. A locally originated route takes precedence over a route learned from a peer.
  • Prefers the aggregated route. The preference of an aggregated route is higher than a non-aggregated route.
  • Prefers the local route that is manually aggregated. The preference of the local route that is manually aggregated is higher than that of automatically aggregated.
  • Prefers the local route that is imported by using network command. The preference of the route that is imported by using the network command is higher than that imported by  import-route command.
  • Prefers the route with the shortest AS_Path.
  • Compares Origin attributes, and selects routes whose origin types are IGP, EGP, and Incomplete respectively.
  • Prefers the route with the smallest MED.
  • Prefers the routes learned from EBGP. The preference of an EBGP route is higher than an IBGP.
  • Prefers the route of an IGP with the lawest metric in an AS. If load balancing is configured and there are multiple external routes with the same AS_Path, load balancing is performed according to the number of configured routes.
  • Prefers the route with the shortest Cluster_List.
  • Prefers the route with the smallest Originator_ID.
  • Prefers the route advertised by the router with the smallest router ID.
  • Compares IP addresses of its peers, and prefers the route that is learnt from the peer with the smallest IP address.
  • Read More »