
Tag Archives: Huawei switch

ACL matching order on Huawei device

The first thing a device has to do is check whether the ACL exists. If it does, the device matches packets against the rules according to their rule IDs. Rule IDs can be configured manually or allocated automatically. For automatically allocated rules there is a gap between consecutive rule IDs; the size of the gap is the ACL step, which is 5 by default and can be changed with the step command in the ACL view. Thanks to the gap, we can later insert a rule before the first rule or between two existing rules. ACL rules are displayed in ascending order of rule IDs, not in the order in which they were configured.

ACL rules can be arranged in two modes: configuration and auto.

In the configuration mode (the default), we decide which rule comes first, which second, and so on, because the device matches rules in ascending order of rule IDs. At any time we can add a rule with a smaller rule ID, so a rule configured later may be matched earlier. That ordering is our decision, not the system's, so a mistake in the rule IDs can silently place a broad permit in front of a specific deny.

In the auto mode, unlike in the configuration mode, the system allocates rule IDs itself and we cannot specify them. Rules are ordered by precision (depth-first): the most specific rule is placed at the beginning of the ACL and is therefore matched first.
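To make the rule-ID mechanics concrete, here is an added Python model of a basic ACL in configuration mode. It is example code written for this page, not Huawei software or device output: the default step of 5, matching in ascending rule-ID order and first-hit-wins come from the text above; the exact allocation formula (the smallest multiple of the step above the largest existing ID) and the address/wildcard display format are this model's assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source match condition

    def show(self) -> str:
        # Assumed display format: source address followed by a wildcard mask,
        # "any" for a 0.0.0.0/0 match (mirrors the usual Huawei rendering)
        net = self.source
        src = "any" if net.prefixlen == 0 else f"source {net.network_address} {net.hostmask}"
        return f"rule {self.rule_id} {self.action} {src}"


@dataclass
class Acl:
    """Model of a basic ACL in configuration (default) match mode."""
    number: int
    step: int = 5                                  # default ACL step on Huawei devices
    rules: List[Rule] = field(default_factory=list)

    def next_auto_id(self) -> int:
        # Assumed allocation: the smallest multiple of the step that is greater
        # than the largest existing rule ID; the first rule gets the step value
        if not self.rules:
            return self.step
        top = max(r.rule_id for r in self.rules)
        return (top // self.step + 1) * self.step

    def add_rule(self, action: str, source: str, rule_id: Optional[int] = None) -> int:
        if rule_id is None:
            rule_id = self.next_auto_id()
        # Re-using an existing ID replaces that rule, as it does on the device
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
        self.rules.append(Rule(rule_id, action, ipaddress.ip_network(source)))
        # Displayed and matched in ascending rule-ID order, not configuration order
        self.rules.sort(key=lambda r: r.rule_id)
        return rule_id

    def match(self, src_ip: str) -> Optional[Rule]:
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:            # first matching rule wins
            if ip in rule.source:
                return rule
        return None                        # no rule matched

    def display(self) -> List[str]:
        return [r.show() for r in self.rules]


def demo():
    """Constructed scenario: a later-configured rule with a smaller ID wins."""
    acl = Acl(2000)
    acl.add_rule("permit", "10.1.0.0/16")            # auto ID 5
    acl.add_rule("deny", "0.0.0.0/0")                # auto ID 10
    before = acl.match("10.1.2.3")                   # hits rule 5 -> permit
    acl.add_rule("deny", "10.1.2.0/24", rule_id=3)   # inserted in front of rule 5
    after = acl.match("10.1.2.3")                    # hits rule 3 -> deny
    return before.action, after.action, acl.display()


if __name__ == "__main__":
    print(demo())
```

Running demo() shows traffic from 10.1.2.3 permitted by rule 5 until rule 3 is added, after which it is denied, and the display lists rules 3, 5, 10 in ID order even though rule 3 was configured last.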

When can we use it?


port security on Huawei switches

How to prevent unauthorized users from connecting their PCs to an enterprise network? How to prevent employees from connecting unauthorized devices to a LAN or moving their computers without permission?

Port security is a Layer 2 feature enabled on an interface to prevent devices with untrusted MAC addresses from accessing a switch port. When it is enabled, the MAC address of the device connected to the port is dynamically learned by the switch and stored as a secure MAC address (by default it is not aged out). Only this MAC address is then allowed to forward traffic over the switch port (only one secure MAC address is allowed by default). A frame from any other MAC address triggers the configured protection action:

  • Protect – packets from the untrusted MAC address are dropped,
  • Restrict – packets from the untrusted MAC address are dropped and an SNMP trap is generated (the default action),
  • Shutdown – the port is shut down.
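The following Python model, added here as an illustration rather than code from the original article or from Huawei, walks through the three protection actions on a port with the default limit of one secure MAC address. The frame sequence is constructed; `traps` and `error_down` are this model's names for the SNMP trap and the shut-down port.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class PortSecurity:
    """Model of a single access port with port security enabled."""
    max_mac_num: int = 1                 # default: one secure MAC address per port
    protect_action: str = "restrict"     # default protection action
    secure_macs: Set[str] = field(default_factory=set)
    error_down: bool = False             # set by the shutdown action
    traps: List[str] = field(default_factory=list)   # SNMP traps sent by restrict

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and return what the port did with it."""
        src_mac = src_mac.lower()
        if self.error_down:
            return "port is down, frame not received"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_mac_num:
            # First frame(s) on the port: learn the MAC as a secure (non-ageing) entry
            self.secure_macs.add(src_mac)
            return "learned and forwarded"
        # Untrusted MAC once the limit is reached: apply the protection action
        if self.protect_action == "protect":
            return "dropped"
        if self.protect_action == "restrict":
            self.traps.append(f"port-security violation from {src_mac}")
            return "dropped, trap sent"
        if self.protect_action == "shutdown":
            self.error_down = True
            return "port shut down"
        raise ValueError(f"unknown protect action {self.protect_action!r}")


def demo(action: str) -> List[str]:
    """Constructed scenario: a trusted PC, then a second device plugged into the same port,
    then the trusted PC again."""
    port = PortSecurity(protect_action=action)
    frames = ["00aa-bb11-2233", "00aa-bb11-2233", "00cc-dd44-5566", "00aa-bb11-2233"]
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for action in ("protect", "restrict", "shutdown"):
        print(action, demo(action))
```

The last frame in the sequence is the point of the comparison: with protect or restrict the trusted PC keeps working after the violation, while with shutdown it loses connectivity too, which is why the choice of action matters for user-facing ports.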

Let’s configure the port security feature on a switch port and see how it works.

<labnarioSW1>sys
Enter system view, return user view with Ctrl+Z.
[labnarioSW1]interface gi0/0/1
[labnarioSW1-GigabitEthernet0/0/1]port link-type access
[labnarioSW1-GigabitEthernet0/0/1]port-security enable


from Huawei CLI – ping mac …, trace mac …

Huawei devices support generic MAC (GMAC) ping and trace on Layer 2 networks. Network administrators can use GMAC ping and trace functions to detect Layer 2 network faults, without configuring CFM.

ping mac mac-address vlan vlan-id [ interface interface-type interface-number | -c count | -s packetsize | -t timeout | -p priority-value ] *

GMAC ping works in the same way as 802.1ag MAC ping. It uses the Loopback Message and Loopback Reply (LBM/LBR) and is similar to the ICMP ping function. Unlike 802.1ag, GMAC ping can be used without configuring the MD (Maintenance Domain), MA (Maintenance Association) or MEP (Maintenance association End Point) on the source, intermediate and destination devices; the GMAC function only needs to be enabled on the intermediate devices. GMAC ping is therefore applicable to part of a network or to a whole network, regardless of the MD, MA and MEP configuration.

trace mac mac-address vlan vlan-id [ interface interface-type interface-number | -t timeout ] *

GMAC trace works in the same way as 802.1ag MAC trace and uses the Link Trace Message and Link Trace Reply (LTM/LTR), so it is similar to traceroute. GMAC trace can be used without configuring the MD, MA or MEP on the source, intermediate and destination devices, and every intermediate device can respond with an LTR. GMAC trace is therefore applicable to part of a network or to a whole network, regardless of the MD, MA and MEP configuration.
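As an added example that is not part of the original article, the Python below encodes the LBM and LTM PDUs behind ping mac and trace mac, following the 802.1ag layout that GMAC ping and trace borrow (common header of MD level/version, opcode, flags and first-TLV offset, then the opcode-specific fields), and runs a constructed trace across three switches to show how the TTL bounds the number of LTRs that come back. The switch MACs and the hop-by-hop model are made up for the example; the Huawei-specific GMAC enablement and frame addressing are not modelled.

```python
import struct
from typing import List, Tuple

CFM_ETHERTYPE = 0x8902                                # EtherType of 802.1ag CFM frames
OPCODE = {"LBR": 2, "LBM": 3, "LTR": 4, "LTM": 5}   # 802.1ag opcodes used by ping/trace mac


def mac_bytes(mac: str) -> bytes:
    """Parse a Huawei-style MAC 'xxxx-xxxx-xxxx' (or colon form) into 6 bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def cfm_header(md_level: int, opcode: int, flags: int, first_tlv_offset: int) -> bytes:
    # Common CFM header: MD level (3 bits) | version (5 bits, 0), opcode, flags, first TLV offset
    return bytes([(md_level << 5) | 0, opcode, flags, first_tlv_offset])


def build_lbm(transaction_id: int, md_level: int = 0) -> bytes:
    """Loopback Message: common header, 4-byte transaction ID, End TLV (type 0)."""
    return cfm_header(md_level, OPCODE["LBM"], 0, 4) + struct.pack("!I", transaction_id) + b"\x00"


def build_ltm(transaction_id: int, ttl: int, orig_mac: str, target_mac: str, md_level: int = 0) -> bytes:
    """Linktrace Message: header, transaction ID, TTL, original MAC, target MAC, End TLV."""
    body = struct.pack("!IB", transaction_id, ttl) + mac_bytes(orig_mac) + mac_bytes(target_mac)
    return cfm_header(md_level, OPCODE["LTM"], 0, 17) + body + b"\x00"


def parse_ltm(pdu: bytes) -> Tuple[int, int, str, str]:
    """Return (transaction ID, TTL, original MAC hex, target MAC hex) from an LTM PDU."""
    if pdu[1] != OPCODE["LTM"]:
        raise ValueError(f"not an LTM, opcode {pdu[1]}")
    tid, ttl = struct.unpack("!IB", pdu[4:9])
    return tid, ttl, pdu[9:15].hex(), pdu[15:21].hex()


def trace_mac(orig_mac: str, target_mac: str, path: List[str], ttl: int = 64) -> List[Tuple[int, str]]:
    """Constructed model of 'trace mac': every switch on the path answers the LTM with an
    LTR, decrements the TTL and forwards the LTM towards the target. Returns (hop, switch MAC)
    for each switch that replied; a TTL of 0 stops the trace before the end of the path."""
    ltm = build_ltm(1, ttl, orig_mac, target_mac)
    replies = []
    for hop, switch in enumerate(path, start=1):
        tid, ttl_left, _orig, _target = parse_ltm(ltm)
        if ttl_left == 0:
            break                                  # TTL exhausted: no further hops answer
        replies.append((hop, switch))              # this switch sends an LTR ...
        ltm = build_ltm(tid, ttl_left - 1, orig_mac, target_mac)   # ... and forwards LTM with TTL-1
    return replies


if __name__ == "__main__":
    # Constructed topology: originating switch, three switches towards the target host
    hops = ["0010-0000-0001", "0010-0000-0002", "0010-0000-0003"]
    print(build_lbm(7).hex())
    print(trace_mac("0001-0203-0405", "00aa-bbcc-ddee", hops))
    print(trace_mac("0001-0203-0405", "00aa-bbcc-ddee", hops, ttl=2))
```

The second trace, with a TTL of 2, returns only two hops: the third switch receives an LTM with TTL 0 and does not answer, which is the behaviour to expect when a trace mac stops short of the destination.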


error-down auto-recovery on Huawei switches

Some of you may know Cisco’s err-disable recovery feature, which automatically brings a port from the err-disabled state back to UP. Huawei switches have similar functionality, called error-down auto-recovery.

A port can enter the error-down state for the following reasons:

  • BPDU protection
  • EFM threshold
  • EFM remote failure
  • Auto defend
  • Link flapping
  • MAC address flapping

Let’s take a look at how this feature works in a network running STP, when BPDU protection is the reason a port goes DOWN. If you are not familiar with the BPDU protection feature, read my previous article “Protecting STP on Huawei switches”.

I have configured STP BPDU protection on the Ethernet 0/0/1 interface of labnarioSW1 switch as follows:

[labnarioSW1]int e0/0/1
[labnarioSW1-Ethernet0/0/1]stp edged-port enable
[labnarioSW1-Ethernet0/0/1]quit
[labnarioSW1]stp bpdu-protection
