Monday, June 30 2025

traffic policy on Huawei router

That was to be expected. Poland is out of Euro Cup. The only thing we can do is to come back to the real world :).

Today I will show you how to use ACLs and traffic policies to troubleshoot packet loss in a network.

Huawei ACL and traffic policy configuration

Let’s assume the following topology:

What we have to do is to check end-to-end connectivity between CE and R2 Loopback100 interface, to find where packets are being lost.

  • Configure routing protocol to ensure communication between all devices. R1 configuration as an example:
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/9
 undo shutdown
 ip address 172.16.0.1 255.255.255.252
#
interface LoopBack100
 ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.3
  network 1.1.1.1 0.0.0.0
  network 172.16.0.0 0.0.0.3
#
  • Configure ACL that permits ICMP traffic from CE to R2 Loopback100 IP address and from R2 to CE (the same ACL for R1 and R2):
#
acl number 3000
 rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
 rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
#
  • Configure traffic policy that permits traffic matched by the ACL (the same for R1 and R2):
#
traffic classifier labnario operator or
 if-match acl 3000
#
traffic behavior labnario
#
traffic policy labnario
 statistics enable
 classifier labnario behavior labnario
#

Notice that the default behaviour for the traffic is permit (default parameters are not displayed in the configuration). Remember to use the “statistics enable” command, otherwise you will not be able to display traffic policy statistics.

  • Assign this traffic policy to all interfaces on the path between CE and R2 (for both inbound and outbound direction):

R1:

#
interface GigabitEthernet1/0/9
 undo shutdown
 ip address 172.16.0.1 255.255.255.252
 traffic-policy labnario inbound 
 traffic-policy labnario outbound
#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.252
 traffic-policy labnario inbound 
 traffic-policy labnario outbound

R2:

#
interface GigabitEthernet3/0/0
 undo shutdown
 ip address 10.0.0.2 255.255.255.252
 traffic-policy labnario inbound   
 traffic-policy labnario outbound
  • Ping from CE to R2 Loopback100 IP address:
<CE>ping -c 100 -t 100 2.2.2.2
  PING 2.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=254 time=10 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=254 time=10 ms
    .
    .
    .
    Reply from 2.2.2.2: bytes=56 Sequence=100 ttl=254 time=21 ms

  --- 2.2.2.2 ping statistics ---
    100 packet(s) transmitted
    100 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 9/12/52 ms
  • Display traffic policy statistics for all interfaces on the path between CE and R2 (for inbound and outbound):

R1:

<R1>display traffic policy statistics interface GigabitEthernet 1/0/9 inbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet1/0/9
Traffic policy inbound: labnario
Traffic policy applied at 2012-06-20 10:31:42
Statistics enabled at 2012-06-20 10:31:42
Statistics last cleared: 2012-06-20 11:42:42
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps

<R1>display traffic policy statistics interface GigabitEthernet 1/0/9 outbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet1/0/9
Traffic policy outbound: labnario
Traffic policy applied at 2012-06-20 10:31:45
Statistics enabled at 2012-06-20 10:31:45
Statistics last cleared: 2012-06-20 11:42:45
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps

<R1>display traffic policy statistics interface GigabitEthernet 3/0/0 inbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet3/0/0
Traffic policy inbound: labnario
Traffic policy applied at 2012-06-19 14:02:40
Statistics enabled at 2012-06-19 14:02:40
Statistics last cleared: 2012-06-20 11:43:40
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps

<R1>display traffic policy statistics interface GigabitEthernet 3/0/0 outbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet3/0/0
Traffic policy outbound: labnario
Traffic policy applied at 2012-06-19 14:02:43
Statistics enabled at 2012-06-19 14:02:43
Statistics last cleared: 2012-06-20 11:43:36
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps

R2:

<R2>display traffic policy statistics interface GigabitEthernet 3/0/0 inbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet3/0/0
Traffic policy inbound: labnario
Traffic policy applied at 2000-01-01 00:32:07
Statistics enabled at 2000-01-01 00:49:04
Statistics last cleared: 2000-01-01 23:20:42
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps

<R2>display traffic policy statistics interface GigabitEthernet 3/0/0 outbound verbose rule-based
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet3/0/0
Traffic policy outbound: labnario
Traffic policy applied at 2000-01-01 01:41:43
Statistics enabled at 2000-01-01 01:41:43
Statistics last cleared: 2000-01-01 23:20:39
Rule number: 5 IPv4, 0 IPv6
Current status: OK!

Classifier: labnario operator or
 if-match ACL 3000
  rule 5 permit icmp source 172.16.0.0 0.0.0.3 destination 2.2.2.2 0
    0 bytes, 0 packets
    Last 30 seconds rate 0 pps, 0 bps
  rule 10 permit icmp source 2.2.2.2 0 destination 172.16.0.0 0.0.0.3
    10,200 bytes, 100 packets
    Last 30 seconds rate 0 pps, 0 bps

As you can see from these outputs, packets are not being lost in the network. In case of any network problem you can use a similar traffic policy to find where packets are being lost. Of course, this is only one example of using a traffic policy. You can, for instance, use it to catch packets classified based on DSCP, 802.1p etc. I use it very often in routine work, not only for troubleshooting but also in other applications.

This example was done based on NE40E V600R001SPC800 software. Traffic policy configuration can vary depending on the devices and software you use.


screen length of terminal

24 – the default number of lines on one screen

<NE40E> display current-configuration
#
 sysname NE40E
#
 super password level 1 simple huawei1
 super password level 3 simple huawei
 super password level 15 simple labnario
#
 FTP server enable
 FTP acl 2000
#
 info-center source BFD channel 1 log level informational
 info-center loghost source GigabitEthernet0/0/0
 info-center loghost 172.16.20.90 facility local4
#
 vlan batch 31 to 32 98 100
#
 hotkey CTRL_U "display ip interface brief"
#
 undo cluster enable
#
snmp-agent trap type base-trap
#
 load-balance ip-enhance all
  ---- More ----

How to change it?

[NE40E]user-interface vty 0 4
[NE40E-ui-vty0-4]screen-length 0

The value is an integer ranging from 0 to 512. 0 indicates the split screen is disabled (it is useful when you want to use scripts).

If you want to change the screen length only for the current terminal, use the temporary option in the above command. It is valid only for the active user interface until the user logs out.

[NE40E]user-interface vty 0 4
[NE40E-ui-vty0-4]screen-length 60 temporary
Info: The configuration takes effect on the current user terminal interface only.


OSPF packets

As you probably know, there are five types of OSPF packets:

All these packets, except Hellos, are sent only between adjacent routers.

LSA types

There are 5 common LSA types:

  • Router-LSA and Network-LSA calculate intra-area routes describing detailed link state information.
  • Network-Summary-LSA calculates inter-area routes describing brief routing information instead of link state information
  • ASBR-Summary-LSA describes how to reach ASBR
  • AS-External-LSA describes how to reach destinations outside AS.

LSA header:

What we have to remember is that LS Type, Link State ID and Advertising Router together uniquely identify an LSA, which will be shown later in this post.

Below you can see LSA header in Router-LSA (as an example):

Key fields of OSPF Router-LSA:

Key fields of OSPF Network-LSA:

Notice that different OSPF packets contain different parts of LSA information:

  • DD – LSA header information
  • LSR – LS type, LS ID and advertising router
  • LSU – Complete LSA information
  • LSAck – LSA header information.

With the information described in this post you will be able to calculate OSPF intra-area routes. Each router calculates the SPT using itself as the root. In the first stage only links between routers and transit networks are considered. Then, in the second stage, stub networks are added to the tree as leaves.
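To make the identity rule concrete, here is an added example that is not part of the original post: it decodes the 20-byte LSA header (the part carried in DD and LSAck packets) using the field layout from RFC 2328 and keeps a small link state database keyed by LS type, Link State ID and Advertising Router. The header bytes are constructed sample input, the function names are hypothetical, and the "which instance is newer" check is simplified to the sequence number only.

```python
import struct
from ipaddress import IPv4Address

# LSA header (RFC 2328, A.4.1): age, options, type, link state ID,
# advertising router, sequence number (signed), checksum, length = 20 bytes.
LSA_HEADER = struct.Struct("!HBB4s4siHH")

def parse_lsa_header(data):
    """Decode one 20-byte LSA header as carried in DD and LSAck packets."""
    if len(data) < LSA_HEADER.size:
        raise ValueError("truncated LSA header")
    age, _opts, ls_type, ls_id, adv, seq, _cksum, length = LSA_HEADER.unpack_from(data)
    key = (ls_type, str(IPv4Address(ls_id)), str(IPv4Address(adv)))
    return {"key": key, "age": age, "seq": seq, "length": length}

def install(lsdb, header):
    """Store one instance per (type, ID, advertising router) key.
    Simplified: only the sequence number decides which instance is newer;
    the checksum and age tie-breaks of RFC 2328 section 13.1 are left out."""
    stored = lsdb.get(header["key"])
    if stored is None or header["seq"] > stored["seq"]:
        lsdb[header["key"]] = header
        return True
    return False

def make_header(ls_type, ls_id, adv, seq, age=1):
    """Constructed sample input; checksum is left at 0 and not verified."""
    return struct.pack("!HBB4s4sIHH", age, 0x02, ls_type,
                       IPv4Address(ls_id).packed, IPv4Address(adv).packed, seq, 0, 36)

def demo():
    lsdb = {}
    headers = [
        make_header(1, "2.2.2.2", "2.2.2.2", 0x80000001),  # Router-LSA
        make_header(5, "2.2.2.2", "1.1.1.1", 0x80000001),  # same ID, other type
        make_header(1, "2.2.2.2", "2.2.2.2", 0x80000002),  # newer instance
        make_header(1, "2.2.2.2", "2.2.2.2", 0x80000001),  # stale copy
    ]
    results = [install(lsdb, parse_lsa_header(h)) for h in headers]
    return lsdb, results

if __name__ == "__main__":
    for key, hdr in demo()[0].items():
        print(key, hex(hdr["seq"] & 0xFFFFFFFF))
```

Two LSAs that share a Link State ID but differ in type or advertising router end up as separate entries, while a second instance with the same three values only replaces the stored one.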


from Huawei CLI – display this

display this

Very useful and very often used command on Huawei’s devices. You can use it in any view. Any time you configure something, you can use it to check what you have configured. If you set parameters that are the same as the default ones, these parameters will not be displayed. “display current-configuration” does not show the default parameters either.

Example 1 (interface view):

[NE-GigabitEthernet1/0/1]display this
#
interface GigabitEthernet1/0/1
 description test
 undo shutdown
 ip address 10.1.1.1 255.255.255.252
 isis enable 1
 isis circuit-type p2p
 isis circuit-level level-2
 isis cost 100
 isis bfd enable
 mpls
 mpls te
 mpls rsvp-te
 mpls rsvp-te hello
#
return

Example 2 (isis view):

[NE-isis-1]display this
#
isis 1
 graceful-restart
 is-level level-2
 cost-style wide
 flash-flood level-2
 network-entity 49.0310.0100.0125.5025.00
 is-name labnario
 traffic-eng level-2
 log-peer-change
 set-overload on-startup
#
return

Example 3 (vpn-instance view):

[NE-vpn-instance-labnario]display this
#
ip vpn-instance labnario
 description test
 route-distinguisher 10.1.255.24:100
 vpn-target 10.1.255.24:100 export-extcommunity
 vpn-target 10.1.255.24:100 import-extcommunity
#
return

Example 4 (aaa view):

[NE-aaa]display this
#
aaa
 local-user labnario password cipher &EU15O"Q3/;Q=^Q`MAF4
 local-user labnario service-type ftp terminal telnet ssh
 local-user labnario level 15
 local-user labnario ftp-directory cfcard:/
 authentication-scheme default
  authentication-mode  local  radius
 authentication-scheme default0
 authentication-scheme default1
 #
 authorization-scheme default
 #
 accounting-scheme default
 accounting-scheme default0
 accounting-scheme default1
 #
 domain default
 domain default0
 domain default1
 #
#
return

Example 5 (ACL view):

[NE-acl-adv-3003]display this
#
acl number 3003
 rule 10 permit ip destination 172.10.1.41 0
#
return


OSPF network types

In the era of Ethernet transport technology we cannot forget about the older, but still widely used, ATM and FR technologies. OSPF classifies networks based on their link-layer protocols. That’s why we have terms like:

  • broadcast
  • non-broadcast multiple access NBMA
  • point-to-multipoint P2MP
  • point-to-point P2P.

Broadcast

Ethernet technology is a typical example of a broadcast network, where a transmitted packet is replicated by the Ethernet switch and copies of this packet are transmitted to all end points. In this scenario OSPF Hello, LSU (link state update) and LSAck (link state acknowledgement) packets are transmitted in multicast mode. DD (database description) packets and LSR (link state request) packets are transmitted in unicast mode. OSPF routers in a broadcast network elect a designated router (DR) and a backup designated router (BDR). Only the DR and BDR form adjacencies with all non-designated OSPF routers. 224.0.0.5 and 224.0.0.6 are multicast IP addresses reserved for all OSPF routers and OSPF designated routers respectively.

NBMA

ATM and Frame Relay are typical examples of NBMA networks. NBMA simulates broadcast network. It must be full meshed and every router in the segment must be configured with IP address of each of its neighbours. In NBMA networks all OSPF packets are transmitted in unicast mode. DR and BDR routers are elected as well.

Point-to-multipoint

The common practice is to change non-full meshed NBMA network to a P2MP network. Non-full meshed FR network is P2MP network example.

A P2MP network, unlike full meshed NBMA networks, is a collection of point-to-point networks. As this is P2P, DR and BDR are not needed. OSPF network type must be manually configured because the network is not fully meshed. Inverse ARP should be configured on an interface. Hello packets are transmitted in multicast mode through the multicast IP address 224.0.0.5. Other OSPF packets are transmitted in unicast mode.

Point-to-point

In this type of network, OSPF protocol packets, such as Hello, DD, LSR, LSU and LSAck packets, are transmitted in multicast mode using the 224.0.0.5 multicast address. As this is a link between exactly two points, each packet sent from one router has only one recipient on the local link.

Command to change network type on Huawei router for a specific interface:

[labnario-GigabitEthernet1/0/0]ospf network-type { broadcast | nbma | p2mp | p2p }

Command to set IP addresses for adjacent routers on an NBMA network:

[labnario] ospf 100
[labnario-ospf-100] peer 1.1.1.1
