Monday, July 23 2018

Tag Archives: Huawei AR1200

why does subinterface fail to forward packets

Let’s imagine that we have a simple topology like the one below:

[Figure: arp-topology]

Configure subinterfaces on both AR routers for VLAN tag termination:

[R1]interface GigabitEthernet 0/0/0.100
[R1-GigabitEthernet0/0/0.100]ip address 10.0.0.1 24
[R1-GigabitEthernet0/0/0.100]dot1q termination vid 100

[R2]int GigabitEthernet 0/0/0.100
[R2-GigabitEthernet0/0/0.100]ip address 10.0.0.2 24
[R2-GigabitEthernet0/0/0.100]dot1q termination vid 100

Try to ping the IP address of the neighboring router:

[R1]ping 10.0.0.2
  PING 10.0.0.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.0.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss


GRE over IPSec on Huawei AR routers

If you want to recall how to configure GRE, just look at GRE on Huawei routers.

To review IPSec configuration, see IPSec on Huawei AR router.

Today, I’m going to put them together and try to configure GRE over IPSec.

Based on the topology below, configure IP addresses and the OSPF protocol to ensure connectivity between all routers (omitted here).

Configure a tunnel interface on labnario_1 and labnario_3:

[labnario_1]interface Tunnel0/0/0
[labnario_1-Tunnel0/0/0] ip address 10.0.0.1 255.255.255.0 
[labnario_1-Tunnel0/0/0] tunnel-protocol gre
[labnario_1-Tunnel0/0/0] source 150.0.0.1
[labnario_1-Tunnel0/0/0] destination 160.0.0.1


local PBR on Huawei AR routers

Some time ago I wrote about interface policy-based routing (PBR). Today I will show you an example of local PBR configuration on Huawei AR routers. Local PBR allows you to forward packets through different interfaces or to different next hops. Unlike interface PBR, local PBR is used for locally generated packets and classifies packets based on source addresses or packet lengths.

Let’s look at the topology and configure as follows:

  1. Locally generated ICMP packets (with the size of 70-1300 bytes) will be sent to next hop IP address 172.16.0.2.
  2. Locally generated ICMP packets (with the size of 1301-1500 bytes) will be sent to outbound interface GE0/0/1.

Configure IP addresses and static routes to ensure connectivity between loopback interfaces of both routers:


Huawei AR1200 NAT configuration

A short NAT (Network Address Translation) description based on AR1200 documentation:

Huawei AR1200 supports the following NAT features: static NAT, port address translation (PAT), internal server, NAT Application Level Gateway (ALG), NAT filtering, NAT mapping, Easy IP, twice NAT, and NAT multi-instance.


local attack defense on Huawei AR routers

Let’s assume that a large number of packets are sent to the CPU of a device. What will happen if most of these packets are malicious attack packets? CPU usage will become high, which can degrade services. In extreme cases it can cause the device to reboot. We can minimize the impact of the attack on network services by using the local attack defense function. When such an attack occurs, this function ensures non-stop service transmission.

Attack Defense Policy Supported by AR routers:

CPU attack defense:
  • The device uses blacklists to filter invalid packets sent to the CPU
  • The device limits the rate of packets sent to the CPU based on the protocol type
  • The device schedules packets sent to the CPU based on priorities of protocol packets
  • The device uniformly limits the rate of packets with the same priority sent to the CPU and randomly discards the excess packets to protect the CPU
  • ALP is enabled to protect HTTP, FTP and BGP sessions. Packets matching characteristics of the sessions are sent at a high rate, so session-related services are ensured.
