Friday , September 20 2024

ACL and PBR on Huawei CX600

Access Control List ACL

There are five types of ACLs on Huawei devices. On the CX600 these are:

  1. Basic ACL (numbered 2000 to 2999) classifies packets based on the source address
  2. Advanced ACL (numbered 3000 to 3999) classifies packets based on source address, destination address, source port number, destination port number and protocol type
  3. Interface-based ACL (numbered 1000 to 1999) classifies packets based on the interface on which the packets are received
  4. Ethernet Frame Header ACL (numbered 4000 to 4099) classifies packets based on source and destination MAC addresses
  5. User ACL (numbered 6000 to 9999) classifies packets based on user groups.

The rules order depends on rule ID and rule matching order. There are two matching orders:

  • Configuration order – ACL rules are matched in the order in which they were configured. Rule IDs can be set by the user or generated automatically by the system according to the ACL step. By default the step is 5, so the system assigns 5 as the first rule ID and the following rules get 10, 15 and so on. At any time you can configure a rule ID manually, for example rule 1, and that rule is placed before rule 5. You do not have to delete the whole ACL: a specific rule can be deleted at any time without removing the rest of the ACL.
  • Automatic order – the most precise rule is matched first. This is implemented by comparing the wildcard masks. The system assigns rule IDs automatically.

The default action defined in the ACL rule is deny.
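The two matching orders and the default action, as an added example that is not part of the original post: a small Python model of a basic ACL. Rule IDs follow the step of 5 unless the user supplies one, a manually numbered rule 1 lands before rule 5 in configuration order, automatic order sorts by wildcard precision, and an unmatched source falls through to deny. The class and function names are my own, not Huawei's.

```python
# Added example (not from the labnario post): a small model of ACL rule
# ordering on a Huawei device. It implements both matching orders described
# above: configuration order (rules are tried by rule ID, which the system
# assigns in steps of 5 unless the user supplies one) and automatic order
# (the most precise rule, i.e. the one with the fewest wildcard bits, is tried
# first). A packet that matches no rule gets the default action, deny.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # source network address, e.g. "172.16.10.0"
    wildcard: str      # Huawei wildcard mask: 1 bits are "don't care"

    def matches(self, src_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(src_ip))
        net = int(ipaddress.IPv4Address(self.source))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
        return ((ip ^ net) & ~wild & 0xFFFFFFFF) == 0

    def precision(self) -> int:
        # Number of "don't care" bits; fewer means a more precise rule.
        return bin(int(ipaddress.IPv4Address(self.wildcard))).count("1")


@dataclass
class BasicAcl:
    number: int
    match_order: str = "config"   # "config" or "auto"
    step: int = 5
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, action: str, source: str, wildcard: str,
                 rule_id: Optional[int] = None) -> int:
        """Add a rule; returns the rule ID that was used."""
        if self.match_order == "auto" and rule_id is not None:
            raise ValueError("in automatic order the system assigns rule IDs")
        if rule_id is None:
            # Next multiple of the step above the highest existing ID: 5, 10, 15, ...
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        if any(r.rule_id == rule_id for r in self.rules):
            raise ValueError(f"rule {rule_id} already exists")
        self.rules.append(Rule(rule_id, action, source, wildcard))
        return rule_id

    def delete_rule(self, rule_id: int) -> None:
        """Remove one rule; the rest of the ACL stays in place."""
        self.rules = [r for r in self.rules if r.rule_id != rule_id]

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "auto":
            # Most precise rule first; ties keep rule-ID order so the result is deterministic.
            return sorted(self.rules, key=lambda r: (r.precision(), r.rule_id))
        return sorted(self.rules, key=lambda r: r.rule_id)

    def evaluate(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, rule id); (deny, None) is the default action."""
        for rule in self.ordered_rules():
            if rule.matches(src_ip):
                return rule.action, rule.rule_id
        return "deny", None


if __name__ == "__main__":
    acl = BasicAcl(2500)
    acl.add_rule("permit", "172.16.10.0", "0.0.0.255")          # becomes rule 5
    acl.add_rule("deny", "172.16.10.7", "0.0.0.0", rule_id=1)   # placed before rule 5
    print(acl.evaluate("172.16.10.7"), acl.evaluate("172.16.10.8"), acl.evaluate("192.0.2.1"))
```

The point to notice is the difference between the two orders: with the same two rules (permit the /24, then deny one host), configuration order permits the host because rule 5 is checked first, while automatic order denies it because the host rule has the narrower wildcard.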

An ACL is actually used to classify packets. It does not filter packets by itself, but it can be used in conjunction with other functions, such as policy-based routing, firewall and traffic classification, to filter packets.

A simple example of using ACL is to limit incoming calls for VTY user interfaces:

#
acl number 2500
 rule 5 permit source 172.16.10.0 0.0.0.255
#
user-interface vty 0 4
 acl 2500 inbound
#
<labnario>dis acl 2500
Basic ACL 2500, 1 rule
Acl's step is 5
 rule 5 permit source 172.16.3.0 0.0.0.255

Policy-based routing PBR

Let’s assume that we have topology like this:

What we have to do is to force router CX_1 to use interface G7/5/0 and next hop 10.0.2.2 to forward traffic from source IP 5.5.5.5 to destination IP 15.15.15.15. The rest of the traffic should go through interface G7/5/7.

Configure IP addresses based on this topology.

Use OSPF protocol to ensure communication in tested network. Let’s take CX_1 as an example:

#
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.2.0 0.0.0.3
  network 10.0.0.0 0.0.0.3
  network 6.6.6.6 0.0.0.0
#

Configure OSPF for the remaining routers.

Increase OSPF cost of one of the links between CX_1 and CX_2 to exclude load-balancing:

#
interface GigabitEthernet7/5/0
 ospf cost 100
#

Display the routing table of AR29 to check whether all necessary subnets are reachable through OSPF (display ip routing-table).

Configure ACL on CX_1 which permits IP source 5.5.5.5 to send packets to destination IP 15.15.15.15:

[CX_1]acl number 3000
[CX_1-acl-3000]rule 5 permit ip source 5.5.5.5 0 destination 15.15.15.15 0

Configure traffic classifier and traffic behavior for classified packets:

#
traffic classifier labnario
 if-match acl 3000
#
traffic behavior labnario
 redirect ip-nexthop 10.0.2.2 interface GigabitEthernet7/5/0
#

Configure traffic policy and assign it to interface G7/5/5 as inbound:

#
traffic policy labnario
 statistics enable
 classifier labnario behavior labnario
#
interface GigabitEthernet7/5/5
 traffic-policy labnario inbound
#
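The classifier, behavior and policy above, as an added example that is not part of the original post: a Python model of what CX_1 does with a packet entering G7/5/5. A hit on ACL 3000 applies the redirect to 10.0.2.2 via G7/5/0; a miss is forwarded from the IP routing table, where OSPF prefers the G7/5/7 link because of the cost 100 on G7/5/0. The routing-table contents, the counter names and the 10.0.0.2 source used for the "other" packets are my assumptions for the illustration.

```python
# Added example (not from the labnario post): a model of the inbound traffic
# policy "labnario" on CX_1. A packet entering G7/5/5 is first classified by
# ACL 3000 (source 5.5.5.5 to destination 15.15.15.15); a hit applies the
# behavior "redirect ip-nexthop 10.0.2.2 interface GigabitEthernet7/5/0",
# a miss falls back to a longest-prefix lookup in the IP routing table.
# Matched/Missed counters mirror the "display traffic policy statistics" output.
# The routing table below is constructed: OSPF prefers the G7/5/7 link because
# G7/5/0 carries "ospf cost 100".
import ipaddress

# ACL 3000 as configured on CX_1: (rule id, action, source host, destination host).
ACL_3000 = [(5, "permit", "5.5.5.5", "15.15.15.15")]

# Traffic behavior "labnario".
BEHAVIOR_LABNARIO = {"nexthop": "10.0.2.2", "interface": "GigabitEthernet7/5/0"}

# Constructed IP routing table of CX_1 (prefix, next hop, outgoing interface).
ROUTING_TABLE = [
    ("15.15.15.15/32", "10.0.1.2", "GigabitEthernet7/5/7"),  # OSPF, via the cheaper link
    ("10.0.0.0/30", "direct", "GigabitEthernet7/5/5"),
    ("10.0.1.0/30", "direct", "GigabitEthernet7/5/7"),
    ("10.0.2.0/30", "direct", "GigabitEthernet7/5/0"),
]


def lookup(dst):
    """Longest-prefix match; returns (prefix, next hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def classify(src, dst):
    """Return the id of the first permitting ACL 3000 rule the packet hits, else None."""
    for rule_id, action, rule_src, rule_dst in ACL_3000:
        if action == "permit" and src == rule_src and dst == rule_dst:
            return rule_id
    return None


class TrafficPolicy:
    """Traffic policy 'labnario' with 'statistics enable'."""

    def __init__(self):
        self.stats = {"Matched": 0, "Missed": 0}

    def forward(self, src, dst):
        """Decide (next hop, interface, reason) for a packet entering G7/5/5."""
        if classify(src, dst) is not None:
            self.stats["Matched"] += 1
            return (BEHAVIOR_LABNARIO["nexthop"], BEHAVIOR_LABNARIO["interface"], "policy")
        self.stats["Missed"] += 1
        route = lookup(dst)
        if route is None:
            return (None, None, "no route")
        return (route[1], route[2], "routing-table")


def run_demo():
    """Replay the post's check: 100 pings from 5.5.5.5 and 19 other packets."""
    policy = TrafficPolicy()
    for _ in range(100):
        policy.forward("5.5.5.5", "15.15.15.15")
    for _ in range(19):   # assumed: packets sourced from AR29's link address 10.0.0.2
        policy.forward("10.0.0.2", "15.15.15.15")
    return policy.stats


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes visible: the policy is evaluated before the routing table, so a redirect wins even when the routing table has a different best path, and only packets that hit the classifier count as Matched, which is why the "Missed" counter keeps growing while the test traffic is sent from another source.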

Let’s check now what the result of such a traffic policy is. On the AR29 router we can use the tracert command to check how traffic to 15.15.15.15 is routed.

<AR29>tracert -a 5.5.5.5 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 4 ms  2 ms  7 ms
2   10.0.2.2 3 ms  4 ms  5 ms

As we can see, the traffic policy is working correctly, choosing 10.0.2.2 as the IP next hop.

Now we can try the same without sourcing the packets from 5.5.5.5:

<AR29>tracert 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 3 ms  1 ms  1 ms
2   10.0.1.2 3 ms  2 ms  2 ms

We can see that policy-based routing is working properly for the traffic classified by ACL 3000. The rest of the traffic chooses a route based on the IP routing table.

We can also check the statistics for this traffic policy, using ping for that purpose. Send pings from AR29 and check the statistics on CX_1:

<AR29>ping -a 5.5.5.5 -c 100 -m 100 15.15.15.15
<CX_1>display traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                19                      2,640
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 0                        288
<AR29>ping -c 100 -m 100 15.15.15.15
<CX_1>dis traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                               126                     13,956
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 3                      2,648

You can also configure policy-based routing in MPLS L3VPN to allow some IP traffic (selected by an ACL) from one VPN to be redirected to another VPN. Maybe I will show you such a configuration in the future.

Any questions or comments are welcome.


Huawei Network Quality Analyzer (NQA)

What is NQA?

It is a feature that works above the link layer to measure the performance of protocols running at the network, transport and application layers. It is useful for monitoring the network and locating faults in it. NQA can accurately test the network and collect statistics as well. You can configure NQA and display its statistics through the CLI but, as NQA is fully supported by Huawei NMS, you can also do this in a GUI.

Most Huawei devices support NQA, but the configuration can vary a little between NE routers, AR routers and switches. Of course, more advanced tests can be performed on carrier-class devices. In this post we will focus on the CLI and use a CX600 router as an example.

NQA tests supported by the CX600:

  • ICMP test
  • DHCP test
  • FTP test
  • HTTP test
  • DNS test
  • Traceroute test
  • SNMP test
  • TCP test
  • UDP test
  • ICMP Jitter test
  • UDP Jitter test
  • LSP Ping test
  • LSP Traceroute test
  • LSP Jitter test
  • MTrace test
  • MPing test
  • PWE3 Ping test
  • PWE3 Trace test
  • MAC Ping test
  • MACTunnel Ping test
  • VPLS MAC Ping
  • VPLS MAC Trace
  • Path Jitter test
  • Path MTU test
  • Jitter test based on the mechanism that the LPU sends packets
  • ICMP Jitter test based on the mechanism that the LPU sends packets
  • VPLS MPing test
  • VPLS MTrace test

Let’s configure a few examples. Below is our testing topology:

To ensure communication between the loopback interfaces, use static routes or a dynamic routing protocol. In this case static routing has been configured on both routers. We will use CX_1 as the NQA client:

[CX_1]ip route-static 172.16.200.2 255.255.255.255 10.100.200.2

NQA ICMP test
[CX_1]nqa test-instance labnario ICMP
 test-type icmp
 destination-address ipv4 172.16.200.2
 source-address ipv4 172.16.200.1

Use the “start” command to start the test.

You can display the results of the ICMP test with the command:

[CX_1]dis nqa results test-instance labnario ICMP

 NQA entry(labnario, ICMP) :testflag is inactive ,testtype is icmp
  1 . Test 1 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Attempts number:1                    Drop operation number:0
   Disconnect operation number:0        Operation timeout number:0
   System busy operation number:0       Connection fail number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   Destination ip address:172.16.200.2
   Min/Max/Average Completion Time: 1/7/4
   Sum/Square-Sum  Completion Time: 14/86
   Last Good Probe Time: 2012-01-30 14:59:03.7
   Lost packet ratio: 0 %

By default, the command output shows the results of the latest five tests.

NQA trace test

[CX-1]nqa test-instance labnario trace
 test-type trace
 destination-address ipv4 172.16.200.2
 source-address ipv4 172.16.200.1
 start now

[CX-1]dis nqa results test-instance labnario trace

 NQA entry(labnario, trace) :testflag is inactive ,testtype is trace
  1 . Test 1 result   The test is finished
   Completion:success                   Attempts number:1
   Disconnect operation number:0        Operation timeout number:0
   System busy operation number:0       Connection fail number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   Drop operation number:0
   Last good path Time:2012-01-30 15:06:55.3
   1 . Hop 1
    Send operation times: 3              Receive response times: 3
    Min/Max/Average Completion Time: 3/10/6
    Sum/Square-Sum  Completion Time: 18/134
    RTD OverThresholds number: 0
    Last Good Probe Time: 2012-01-30 15:06:55.3
    Destination ip address:10.100.200.2
    Lost packet ratio: 0 %

NQA Jitter test

First configure CX_2 router as NQA server:

[CX_2]nqa-server udpecho 172.16.200.2 9000

Configure NQA test on CX_1:

[CX_1]nqa test-instance labnario jitter
 test-type jitter
 destination-address ipv4 172.16.200.2
 destination-port 9000
 start now

[CX_1]dis nqa results test-instance labnario jitter

 NQA entry(labnario, jitter) :testflag is inactive ,testtype is jitter
  1 . Test 1 result   The test is finished
   SendProbe:60                         ResponseProbe:60
   Completion:success                   RTD OverThresholds number:0
   OWD OverThresholds SD number:0       OWD OverThresholds DS number:0
   Min/Max/Avg/Sum RTT:1/20/2/117       RTT  Square Sum:699
   NumOfRTT:60                          Drop operation number:0
   Operation sequence errors number:0   RTT Stats errors number:0
   System busy operation number:0       Operation timeout number:0
   Min Positive SD:1                    Min Positive DS:1
   Max Positive SD:10                   Max Positive DS:13
   Positive SD Number:9                 Positive DS Number:21
   Positive SD Sum:60                   Positive DS Sum:72
   Positive SD Square Sum:482           Positive DS Square Sum:584
   Min Negative SD:1                    Min Negative DS:1
   Max Negative SD:14                   Max Negative DS:11
   Negative SD Number:9                 Negative DS Number:22
   Negative SD Sum:50                   Negative DS Sum:83
   Negative SD Square Sum:454           Negative DS Square Sum:641
   Min Delay SD:0                       Min Delay DS:0
   Avg Delay SD:0                       Avg Delay DS:0
   Max Delay SD:10                      Max Delay DS:9
   Delay SD Square Sum:161              Delay DS Square Sum:112
   Packet Loss SD:0                     Packet Loss DS:0
   Packet Loss Unknown:0                Average of Jitter:4
   Average of Jitter SD:6               Average of Jitter DS:3
   jitter out value:0.1145833           jitter in value:0.1614583
   NumberOfOWD:60                       Packet Loss Ratio: 0%
   OWD SD Sum:39                        OWD DS Sum:18
   ICPIF value: 0                       MOS-CQ value: 0
   TimeStamp unit: ms

Additional useful commands:
  • agetime – configures the aging time of an NQA test; the default 0 means the test is not aged
  • clear-records – clears all historical statistics and test results
  • datasize – sets the size of the test packet; the default is 0, in which case the test packet is constructed with 100 bytes
  • fail-percent – sets the percentage of failed probes; if the number of failed probes exceeds this value, the test is considered to have failed
  • frequency – sets the interval for the automatic test; not configured by default, which means the test is performed once
  • interval – sets the interval for sending NQA test packets; by default 20 milliseconds for jitter tests and 4 seconds for all other tests
  • probe-count – sets the number of probes in the NQA test, 3 by default
  • restart – restarts an NQA test
  • send-trap – configures the conditions for sending trap messages
  • stop – stops a test.
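The jitter result fields shown earlier and the fail-percent / probe-count commands, as an added example that is not part of the original post: a Python sketch that derives the summary counters (RTT statistics, positive and negative SD/DS jitter, packet loss) from raw probe samples and then decides the test outcome against a fail-percent threshold. The probe samples are constructed, and the formulas (jitter as the difference between consecutive received delays in one direction, a probe without a reply counted as lost) are my assumptions about what the counters mean; the CX600's own algorithm is not documented on this page and may differ in detail.

```python
# Added example (not from the labnario post): how the summary fields in an NQA
# jitter result can be computed from raw probe samples, and how fail-percent
# decides the outcome. The probe samples are constructed, and the formulas are
# assumptions for illustration (jitter = difference between consecutive
# received delays in one direction, split into positive and negative parts;
# a probe without a reply counts as lost); the CX600's own algorithm may differ.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    sd_delay: Optional[int]   # one-way delay source -> destination in ms, None if the probe was lost
    ds_delay: Optional[int]   # one-way delay destination -> source in ms, None if the reply was lost


# Constructed sample: 8 probes, one lost on the way out, one reply lost on the way back.
PROBES = [Probe(2, 1), Probe(3, 2), Probe(1, 1), Probe(4, 2),
          Probe(2, None), Probe(None, None), Probe(2, 3), Probe(5, 2)]


def rtt_stats(probes: List[Probe]) -> dict:
    """Min/Max/Avg/Sum RTT, RTT Square Sum and NumOfRTT over completed round trips."""
    rtts = [p.sd_delay + p.ds_delay for p in probes
            if p.sd_delay is not None and p.ds_delay is not None]
    return {"NumOfRTT": len(rtts), "Min": min(rtts), "Max": max(rtts),
            "Avg": round(sum(rtts) / len(rtts)), "Sum": sum(rtts),
            "Square Sum": sum(r * r for r in rtts)}


def direction_delays(probes: List[Probe], direction: str) -> List[int]:
    """Delays of the probes received in one direction ("SD" or "DS"), in send order."""
    if direction == "SD":
        return [p.sd_delay for p in probes if p.sd_delay is not None]
    return [p.ds_delay for p in probes if p.ds_delay is not None]


def jitter_stats(delays: List[int]) -> dict:
    """Positive/negative jitter counters for one direction, like the SD/DS columns."""
    diffs = [later - earlier for earlier, later in zip(delays, delays[1:])]
    positive = [d for d in diffs if d > 0]
    negative = [-d for d in diffs if d < 0]     # stored as magnitudes, as in the CLI output
    stats = {}
    for name, values in (("Positive", positive), ("Negative", negative)):
        stats[f"{name} Number"] = len(values)
        stats[f"{name} Sum"] = sum(values)
        stats[f"Min {name}"] = min(values) if values else 0
        stats[f"Max {name}"] = max(values) if values else 0
        stats[f"{name} Square Sum"] = sum(v * v for v in values)
    nonzero = positive + negative
    stats["Average of Jitter"] = round(sum(nonzero) / len(nonzero), 2) if nonzero else 0
    return stats


def loss_stats(probes: List[Probe]) -> dict:
    """SendProbe/ResponseProbe, per-direction loss and the loss ratio in percent."""
    sent = len(probes)
    lost_sd = sum(1 for p in probes if p.sd_delay is None)
    lost_ds = sum(1 for p in probes if p.sd_delay is not None and p.ds_delay is None)
    return {"SendProbe": sent, "ResponseProbe": sent - lost_sd - lost_ds,
            "Packet Loss SD": lost_sd, "Packet Loss DS": lost_ds,
            "Packet Loss Ratio": round((lost_sd + lost_ds) * 100 / sent)}


def completion(probes: List[Probe], fail_percent: float) -> str:
    """'success' unless the share of failed probes exceeds fail-percent."""
    loss = loss_stats(probes)
    failed_pct = (loss["SendProbe"] - loss["ResponseProbe"]) * 100 / loss["SendProbe"]
    return "failed" if failed_pct > fail_percent else "success"


if __name__ == "__main__":
    print(rtt_stats(PROBES))
    print("SD", jitter_stats(direction_delays(PROBES, "SD")))
    print("DS", jitter_stats(direction_delays(PROBES, "DS")))
    print(loss_stats(PROBES), completion(PROBES, 20), completion(PROBES, 30))
```

With the sample above, two of eight probes are lost (25 %), so the same run is reported as failed with fail-percent 20 and as successful with fail-percent 30; when you tune fail-percent and probe-count on a production test, the result you alarm on depends on both values together.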

Of course, you can run all the tests you want and check the NQA functionality to confirm that it would be a useful feature in your network.

You are invited to ask questions and express your opinions.


from Huawei CLI – reset recycle-bin

reset recycle-bin

Sometimes new engineers, not familiar with Huawei devices, complain that there is not enough space in flash to upload new software by FTP. The reason is that files deleted from flash have not been removed permanently from memory. They use the “delete file-name” command to delete files. This command actually moves the deleted file to the recycle bin: the “dir” command no longer displays it, but it still occupies flash memory. To display all files stored in flash, use the “dir /all” command.

<labnario>dir
Directory of flash:/
1  -rw-     12017319  Jan 19 2012 17:30:51   labnario.bin
2  -rw-     12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
3  -rw-         9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 7843 KB free)

Look at what happens if we use the “delete labnario.bin” command:

<labnario>delete labnario.bin
Delete flash:/labnario.bin?[Y/N]:y
...
%Delete file flash:/labnario.bin...Done.

As you can see below, even though the file has been deleted, it is still occupying flash memory:

<labnario>dir
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 7843 KB free)

<labnario>dir /all
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg
3  -rw-  12017319  Jan 19 2012 17:30:51   [labnario.bin]

 31877 KB total ( 7843 KB free)

Below are two ways to delete this file permanently:

reset recycle-bin

<labnario>reset recycle-bin
Clear flash:/~/labnario.bin ?[Y/N]:y
Clearing files from flash may take a long time. Please wait...
.......
%Cleared file flash:/~/labnario.bin.

delete /unreserved …

<labnario>delete /unreserved labnario.bin
The contents cannot be restored!!! Delete flash:/labnario.bin?[Y/N]:y
Deleting a file permanently will take a long time. Please wait...
.....
%Delete file flash:/labnario.bin...Done.

And this is the result:

<labnario>dir /all
Directory of flash:/
1  -rw-  12017553  Aug 12 2008 18:02:39   ar28-vrp340-r0201p20.bin
2  -rw-      9018  Dec 05 2011 16:22:11   config.cfg

31877 KB total ( 19860 KB free)

The file has been deleted successfully 🙂


Huawei AR19/29/49 router DHCP configuration

Let’s assume that we have a topology like in the picture:

  1. The IP addresses of ETH 0/1 and ETH 0/2 on Router A are 172.16.1.128/25 and 172.16.1.1/25 respectively.
  2. Router B (DHCP client) obtains a static IP address, gateway address and DNS server address from the DHCP server (Router A). The MAC address of interface ETH 0/0 of Router B is 0800-6902-01FC.
  3. The DHCP server assigns IP addresses to clients in subnet 172.16.1.0/24, subnetted into 172.16.1.1/25 and 172.16.1.128/25.
  4. The DNS server address and WINS server address are 172.16.1.10/25 and 172.16.1.200/25 respectively.
  5. For subnet 172.16.1.128/25 configure the DNS server address, WINS server address, gateway address and an address lease duration of 6 days and 6 hours.
  6. For subnet 172.16.1.1/25 configure the DNS server address, gateway address and an address lease duration of 10 days.

DHCP configuration

Assign IP addresses to the interfaces of Router A:

[RouterA] interface ethernet 0/1
[RouterA-Ethernet0/1] ip address 172.16.1.128 25
[RouterA-Ethernet0/1]quit
[RouterA] interface ethernet 0/2
[RouterA-Ethernet0/2] ip address 172.16.1.1 25

Enable the DHCP server:

[RouterA] dhcp enable

Create DHCP address pool 1 with configured static binding, DNS and gateway addresses:

[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] static-bind ip-address 172.16.1.150
[RouterA-dhcp-pool-1] static-bind mac-address 0800-6902-01FC
[RouterA-dhcp-pool-1] dns-list 172.16.1.10
[RouterA-dhcp-pool-1] gateway-list 172.16.1.254

Exclude IP addresses of gateways, DNS and WINS servers from dynamic allocation:

[RouterA] dhcp server forbidden-ip 172.16.1.10
[RouterA] dhcp server forbidden-ip 172.16.1.200
[RouterA] dhcp server forbidden-ip 172.16.1.126
[RouterA] dhcp server forbidden-ip 172.16.1.254

Configure DHCP address pool 2 with address range and DNS server address:

[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 172.16.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-2] dns-list 172.16.1.10

Configure DHCP address pool 3 with address range, gateway and lease duration (DNS address is inherited from ip-pool 2):

[RouterA] dhcp server ip-pool 3
[RouterA-dhcp-pool-3] network 172.16.1.1 mask 255.255.255.128
[RouterA-dhcp-pool-3] expired day 10
[RouterA-dhcp-pool-3] gateway-list 172.16.1.126

Configure DHCP address pool 4 with address range, WINS server address, gateway and lease duration (DNS address is inherited from ip-pool 2):

[RouterA] dhcp server ip-pool 4
[RouterA-dhcp-pool-4] network 172.16.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-4] expired day 6 hour 6
[RouterA-dhcp-pool-4] gateway-list 172.16.1.254
[RouterA-dhcp-pool-4] nbns-list 172.16.1.200

After the whole configuration is completed, Router B gets the IP address 172.16.1.150 from the DHCP server. All remaining DHCP clients obtain IP addresses and other network parameters from either the 172.16.1.1/25 or the 172.16.1.128/25 network, depending on the subnet they reside in. The display dhcp server ip-in-use command shows the IP addresses assigned to DHCP clients.

IP address allocation sequence:

  • The IP address manually bound to the client’s MAC address or ID
  • The IP address that was ever assigned to the client
  • The IP address designated by the Option 50 field in a DHCP-DISCOVER message
  • The first assignable IP address found in an extended or a common address pool
  • The IP address that was a conflict or passed its lease duration
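The allocation sequence above, as an added example that is not part of the original post: a small Python DHCP-server model loaded with Router A's pools and forbidden addresses, walking the five steps in order for each request. The client MACs other than Router B's, the lease history, the tiny exhausted pool at the end of the test and the rule that the server never hands out its own interface addresses are my assumptions for the illustration; Option 50 is the address a client asks for in its DHCP-DISCOVER.

```python
# Added example (not from the labnario post): the IP address allocation
# sequence listed above, modelled as a small DHCP server loaded with Router A's
# pools. Client MACs other than Router B's, the lease history and the
# "interface addresses are never handed out" rule are assumptions for the
# illustration; the Option 50 value is the address the client asks for.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# dhcp server forbidden-ip entries from the configuration above.
FORBIDDEN = {"172.16.1.10", "172.16.1.200", "172.16.1.126", "172.16.1.254"}


@dataclass
class Pool:
    name: str
    network: Optional[str] = None            # "address/prefix"; None for a static-only pool
    static: Dict[str, str] = field(default_factory=dict)   # MAC -> bound IP

    def net(self):
        return ipaddress.ip_network(self.network, strict=False) if self.network else None

    def addresses(self) -> List[str]:
        return [str(h) for h in self.net().hosts()] if self.network else []


class DhcpServer:
    def __init__(self, pools: List[Pool], interface_addresses=()):
        self.pools = pools
        self.reserved = set(interface_addresses)  # assumption: own interface IPs are never leased
        self.leases: Dict[str, str] = {}         # MAC -> currently leased IP
        self.history: Dict[str, str] = {}        # MAC -> IP the client held before
        self.in_use = set()
        self.expired = set()                     # addresses whose lease lapsed or that conflicted

    def _pool_for(self, interface_ip: str) -> Optional[Pool]:
        """Most specific pool containing the address of the interface the request came in on."""
        addr = ipaddress.ip_address(interface_ip)
        candidates = [p for p in self.pools if p.network and addr in p.net()]
        return max(candidates, key=lambda p: p.net().prefixlen) if candidates else None

    def _free(self, ip: str, pool: Pool) -> bool:
        return (ipaddress.ip_address(ip) in pool.net() and ip not in FORBIDDEN
                and ip not in self.reserved and ip not in self.in_use)

    def allocate(self, mac: str, interface_ip: str,
                 option50: Optional[str] = None) -> Tuple[Optional[str], str]:
        pool = self._pool_for(interface_ip)
        if pool is None:
            return None, "no pool for this subnet"
        for p in self.pools:                                   # 1. manual MAC binding
            if mac in p.static:
                return self._lease(mac, p.static[mac], "static-bind")
        previous = self.history.get(mac)                       # 2. address the client held before
        if previous and self._free(previous, pool):
            return self._lease(mac, previous, "previous lease")
        if option50 and self._free(option50, pool) and option50 not in self.expired:
            return self._lease(mac, option50, "option 50")     # 3. address requested by the client
        for ip in pool.addresses():                            # 4. first assignable address
            if self._free(ip, pool) and ip not in self.expired:
                return self._lease(mac, ip, "first free")
        for ip in pool.addresses():                            # 5. reuse an expired/conflict address
            if ip in self.expired:
                return self._lease(mac, ip, "expired reuse")
        return None, "pool exhausted"

    def _lease(self, mac: str, ip: str, reason: str) -> Tuple[str, str]:
        self.expired.discard(ip)
        self.in_use.add(ip)
        self.leases[mac] = ip
        return ip, reason

    def expire(self, mac: str) -> None:
        """Lease duration passed: the address is reusable only as a last resort."""
        ip = self.leases.pop(mac)
        self.in_use.discard(ip)
        self.history[mac] = ip
        self.expired.add(ip)


def router_a() -> DhcpServer:
    """Router A's pools as configured above."""
    pools = [
        Pool("1", static={"0800-6902-01FC": "172.16.1.150"}),
        Pool("2", "172.16.1.0/24"),
        Pool("3", "172.16.1.1/25"),       # network 172.16.1.1 mask 255.255.255.128
        Pool("4", "172.16.1.128/25"),
    ]
    return DhcpServer(pools, interface_addresses={"172.16.1.128", "172.16.1.1"})


if __name__ == "__main__":
    srv = router_a()
    print(srv.allocate("0800-6902-01FC", "172.16.1.128"))   # Router B: static binding
    print(srv.allocate("0000-0000-0001", "172.16.1.128"))   # first free address of pool 4
```

The forbidden-ip list is what keeps the DNS, WINS and gateway addresses out of dynamic allocation: a client that asks for 172.16.1.200 through Option 50 is refused that address and falls through to the first free one, which is the behaviour you want when a misconfigured or hostile client tries to claim an infrastructure address.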


a few basic but useful maintenance commands

To make a Huawei device easy to maintain, it is recommended to configure the correct time. You can do it manually or configure NTP to force the device to use reference time from external servers. I will also show you how to configure a login header and how to execute a specified batch file.

Setting of time zone:
clock timezone time-zone-name { add | minus } offset

Let’s take the Poland time zone as an example.

<NE40E>clock timezone labnario add 1

Setting of daylight-saving-time:
clock daylight-saving-time time-zone-name repeating start-time { { { first | second | third | fourth | last } weekday month } | start-date } end-time { { { first | second | third | fourth | last } weekday month } | end-date } offset

Using the “clock daylight-saving-time” command, you can configure the name, start time and end time of daylight saving time. Taking Poland as an example, we add 1 hour during summer time:

<NE40E>clock daylight-saving-time labnario repeating 02:00 last Sun Mar 03:00 last Sun Oct 01:00

Setting of actual time:
<NE40E>clock datetime 18:00 2011-11-03

You can display clock information using “display clock” command.

NTP external servers:

If you want to use external NTP servers for time synchronization, you can configure them in the following way:

[NE40E]ntp-service unicast-server x.x.x.x source-interface interface name
[NE40E]ntp-service unicast-server y.y.y.y source-interface interface name

You can display status of NTP using “display ntp-service status” command.

I have only shown basic NTP configuration. You can find more details in the specific product documentation.

Header login configuration:

You can configure the login header in two ways:

As a text:

[NE40E]header login information "
Info:The banner text supports 220 characters max, including the start and the end character.If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '"':
****************************************

Authorised access only
This system is the property of LABNARIO
Disconnect IMMEDIATELY if you are not an authorised user!

****************************************
"
[NE40E]

Using a file stored on the CF card:

[NE40E]header login file labnario.txt

Execute name.bat

Sometimes, instead of typing many commands in the CLI, it is easier and faster to use a batch file. You can create such a batch file (with the “.bat” suffix) with a set of commands inside and then upload it to the CF card by FTP. Then you can use the “execute name.bat” command to run the file.
