Thursday, April 25 2024

protecting STP on Huawei switches

As a continuation of the STP Root Protection feature, I want to describe additional STP protection functions and show where they should be implemented in a typical campus LAN environment.

The BPDU Protection feature can be used to protect switches against STP BPDU attacks. It should be implemented on every switch that has ports directly connected to end-user workstations, because we do not expect to receive STP BPDUs from user workstations. When STP BPDUs are received on an edge port, an STP topology recalculation occurs, causing network flapping. If the port is configured with BPDU Protection and the switch receives STP BPDUs on it, the port is placed into the shutdown state, protecting the STP topology from recalculation. By default the BPDU Protection feature is disabled on Huawei switches. To enable it:

<labnario_sw>system-view 
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable 
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection

When a switch port is configured as an STP edged port and an STP BPDU is received on it, the port is placed into the shutdown state:

May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable

[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN
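To turn the behaviour described above into something a defender can check automatically, here is an added example (my own code, not from the post): it parses a running-config fragment in the style of the 'display current-configuration' output above, reports edged ports that are not covered by the global 'stp bpdu-protection' command, lists edged ports already in shutdown, and extracts the interface name from BPDU_PROTECTION syslog lines. The config and log sample are constructed for the example.

```python
import re

# Constructed sample data (not from the post): a running-config fragment in the
# style of 'display current-configuration' and one BPDU_PROTECTION syslog line.
SAMPLE_CONFIG = """\
#
 stp bpdu-protection
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable
#
interface Ethernet0/0/2
 stp edged-port enable
#
"""
SAMPLE_LOG = ("May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:"
              "This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be "
              "shutdown, because it received BPDU packet!")
BPDU_LOG_RE = re.compile(r"MSTP/\d+/BPDU_PROTECTION\(l\)\[\d+\]:This edged-port (\S+) ")

def parse_interfaces(config):
    """Map each 'interface X' stanza to its stripped lines; a '#' line ends a stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            interfaces[current] = []
        elif stripped == "#":
            current = None
        elif current is not None:
            interfaces[current].append(stripped)
    return interfaces

def audit_bpdu_protection(config):
    """Report edged ports not covered by the global 'stp bpdu-protection' command
    and edged ports already in 'shutdown' (the state a port lands in after a BPDU)."""
    global_on = any(l.strip() == "stp bpdu-protection" for l in config.splitlines())
    ifaces = parse_interfaces(config)
    edged = [n for n, ls in ifaces.items() if "stp edged-port enable" in ls]
    return {"bpdu_protection": global_on,
            "unprotected_edged": [] if global_on else edged,
            "shut_edged": [n for n in edged if "shutdown" in ifaces[n]]}

def bpdu_events(log_lines):
    """Return the interface named in each BPDU_PROTECTION syslog line (for alerting)."""
    return [m.group(1) for m in map(BPDU_LOG_RE.search, log_lines) if m]

if __name__ == "__main__":
    print(audit_bpdu_protection(SAMPLE_CONFIG))
    print(bpdu_events([SAMPLE_LOG]))
```

Feed it the output of 'display current-configuration' and the switch syslog to find edge ports that would not be shut down on a received BPDU, and to alert on ports that already were.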


Huawei eNSP – news

Based on the release notes of eNSP:

New features:

  • supports switching with the TAB key when filling in the IP address of SimPC
  • provides a one-key register function for AR_Base.

Modified features:

  • improves stability when starting AR
  • reduces memory usage of AR
  • fixes distribution service for AR
  • fixes the dysfunction of MPLS L3VPN.

A new Huawei Enterprise Network Simulation Platform has been released.

Download, test and enjoy!


ISIS route aggregation

Let’s keep going and try to configure ISIS route aggregation based on the following topology:

If you want to recall how to configure an ISIS adjacency on Huawei routers, just go to ‘ISIS on Huawei routers’.

To avoid DIS election, configure all physical interfaces as ISIS point-to-point (p2p) links (Router 1 as an example):

[1-Ethernet0/0/8]isis circuit-type p2p

[1]dis isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Eth0/0/8        003         Up                 Down         1497 L1/L2 -- 
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Loop100         002         Up                 Down         1500 L1/L2 -- 


ISIS on Huawei routers

ISIS is a link-state IGP. It gathers routing information from adjacent neighbors and uses the SPF algorithm to determine the best paths to destinations.

I would rather not focus on the theory, because you can find it in many sources.

Let’s configure ISIS protocol based on the following topology:

Configure IP addresses of the physical and loopback interfaces on all routers (omitted here):


traffic mirroring – a riddle

I am very busy now and the frequency of updating my blog is not what I would expect. Sorry for that. I hope it will be better soon.

But today I would like to ask you a simple riddle.

Let’s assume that we have an S9300 switch and a fragment of its configuration:

#
observe-port 1 interface Ethernet0/0/1
#
acl number 3000
 rule 5 deny ip source 89.168.24.0 0.0.0.255
 rule 10 deny ip source 91.10.10.0 0.0.0.255
 rule 15 permit ip
#
traffic classifier riddle operator and
 if-match acl 3000
#
traffic behavior riddle
 mirroring to observe-port 1
 statistic enable
#
traffic policy riddle
 classifier riddle behavior riddle
#
interface Ethernet0/0/10
 traffic-policy riddle inbound
