Sunday, March 25 2018

VRRP on Huawei router

Virtual Router Redundancy Protocol (VRRP) combines a group of routing devices on a LAN into a backup group that functions as a single virtual router. From the perspective of a host on the LAN, only the IP address of the virtual router is needed, not the IP address of any specific device in the backup group. The virtual IP address must be configured as the default gateway for the hosts on the LAN. VRRP dynamically associates the virtual router with one physical device that forwards the traffic. When that device fails, another device in the group is selected to take over the traffic. The switchover should be transparent to users, allowing the internal and external networks to keep communicating without interruption. Whether it really is transparent depends, of course, on the configured services: the most sensitive services need higher reliability, and VRRP alone is not enough. I will return to this later in the post.

Let’s switch from theory to more practical things.

VRRP topology:

Ensure connectivity between all elements in the network; that basic configuration is omitted here.


IPSec on Huawei AR router

How to secure communication between two sites connected to the Internet?

Use a site-to-site IPsec VPN tunnel between the two Huawei routers. IPsec is an open standard protocol suite, defined by the IETF in the following RFCs: 2401, 2402-2412, 2451. IPsec is widely used for securing traffic on IP networks, including the Internet. IPsec can encrypt data between various kinds of devices, including router to router, firewall to router, desktop to router, and desktop to server.

How to configure IPsec VPN using Huawei CLI?

Let’s assume that we have two sites, Site1 and Site2. Each site has a PC connected to its LAN, PC1 and PC2 respectively. The sites are connected through a WAN (in our case the labnarioR2 router simulates the WAN). We want to secure communication between PC1 and PC2. To do so, we have to configure an IPsec VPN tunnel between the two sites. In our case the tunnel will be established between the labnarioR1 and labnarioR3 routers. Both routers will be responsible for encrypting and decrypting the data using the specified algorithms.


Huawei’s equivalent of Cisco’s ‘logging synchronous’

If a router wants you to know something, it wants you to know right now!

Let’s look at what happens when you are entering a long command and the device wants to inform you about a link failure:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source destination
Jan 15 2013 11:04:18-08:00 Huawei %%01PHY/1/PHY(l)[5]:    GigabitEthernet0/0/0:
change status to down
Jan 15 2013 11:04:18-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[6]:The line protocol
IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
Error:Incomplete command found at '^' position.

When you press ‘Enter’ you will have to type the command once again, which is frustrating for any network administrator.

Unfortunately we cannot change this behaviour with a ‘logging synchronous’ command, as we can on Cisco devices.


BGP peering with loopback interfaces
