Tag Archives: Huawei switch

Let’s go ahead with QinQ technology. In the last post you had the opportunity to know basic QinQ tunneling on Huawei switches. The QinQ tunnel attaches the same outer tag to all the frames entering the Layer 2 QinQ interface.

In this lab I would like to attach different outer tags, to the frames entering the Layer 2 QinQ interface, according to different inner tags. It is useful when packets are going to be differentiated in a provider’s network. Why? Because of service type, user’s application etc.

In this case we have 1 enterprise network with branch office located in another city. Customer network is divided into 2 VLANs to differentiate existing services. Our task is to transparently transmit packets, through ISP network, paying attantion to not allowing traffic between VLAN10 and VLAN20.

Selective QinQ topology

In traditional 802.1Q protocol, service provider should assign different VLAN IDs to users of different VLANs. The numer of VLANs is limited to 4094 IDs. In addition, different users cannot use the same VLAN ID.

A simple method to solve this is to implement QinQ. The QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to a packet with an 802.1Q tag. In this manner, services from the private VLAN can be transparently transmitted through the public network. The ISP network only provides one VLAN ID for different VLANs from the same user network. This saves VLAN IDs of an ISP. Meanwhile, the QinQ provides a simple Layer 2 VPN solution to a small MAN or a local area networks.

QinQ tunneling on Huawei switches

Let’s assume that we have two enteprise networks. Each enterprise has two branch offices, located in different cities. As an ISP, we cannot force these enterprises to use different VLAN planning. In our case, both use VLAN 10 and our task is to transparently transmitt traffic, through ISP network, between remote offices.

What we want to achieve is to ensure communication between remote offices of each enterprise and to block communication between Enterprise_1 and Enterprise_2. We can use basic QinQ tunneling in this case. It adds the same outer VLAN tag to all the frames entering a Layer 2 port.

NAP is a Huawei proprietary protocol, which implements remote configuration in Layer 3 networks. It allows to log into an unconfigured device from a directly connected device. It is very simple and can be really helpful, when implementing new devices. NAP establishes a temporary neighbor relationship between configured and unconfigured devices. Both must be directly connected through a physical link. When NAP relationship is established, telnet can be done to the unconfigured device.

NAP relationship can be established in two different ways:

• Automatically – using IP addresses allocated by the system
• Statically – using IP addresses allocated by the administrator.

NAP cannot be used on interfaces, configured with commands affecting the IP address configuration or IP packet forwarding, such as commands related to VPNs or Ethernet trunks.

How to use NAP? Let’s assume that we have two switches as in the picture below:

SNMPv1 and SNMPv2c protocols security model uses the community-based pseudo-authentication. That means that a password (called a community string) is sent in a clear text between a network management station and managed devices. Both SNMPv1 and v2c are subject to packet sniffing because they do not implement encryption. Security has been the biggest weakness of the SNMP since the beginning. More about SNMPv2c concepts, operation and configuration you can find at “SNMPv2c configuration on Huawei devices“.

What if we want SNMP to be used over a public network?

SNMPv3 can be implemented. It provides important security features, which are not available in both SNMPv1 and v2c:

• Confidentiality – encryption of packets to prevent snooping by an unauthorized source
• Integrity – to ensure that a packet has not been tampered while in transit using optional packet reply protection
• Authentication – to verify that a packet comes from a valid source.

How to protect Huawei switches against ARP flood attack?

DoS attack is an attempt to make a network resources unavailable to its intended users. There are several different types of DoS attacks, but most of them rely on spoofing and flooding techniques. Some of these attacks can be hard to defend against, because DoS packets may look exactly like normal packets.

One common method of attack involves saturating the target device with a flood of request packets, so that this device cannot respond to a legitimate traffic or responds so slowly, as to be unavailable.

Attackers often use ARP protocol to attack network devices, because it is easy to use and has no security mechanisms built in. Flooding a network device with ARP request packets can lead to insufficient CPU resources to process other services, when processing a large number of ARP packets. To protect the device, ARP rate limiting mechanism can be used. On Huawei switches this feature can be implemented in the following ways:

• Limiting the rate of ARP packets globally, in a VLAN or on an interface
• Limiting the rate of ARP packets based on the source MAC address
• Limiting the rate of ARP packets based on the source IP address