Showing posts with label S3700. Show all posts

Thursday, June 30, 2016

After receiving an ICMP Request packet, a switch does not send it to the ICMP protocol stack but directly returns an ICMP Reply message. This process is called fast ICMP reply.

Switches cannot accurately calculate the delay or jitter of ping packets that require high real-time performance. The protocol stack adds the sending and receiving timestamps to ping packets, and the packets are queued frequently between the protocol stack and the hardware. This task switching cannot ensure real-time performance of the timestamps.

In versions earlier than V100R006, fast ICMP reply is a common task. When a switch processes a large volume of service traffic, the reply delay is long due to task switching. In V100R006 and later versions, fast ICMP reply is a super task with a high priority. In most cases, the reply delay is about 1 ms. The actual delay depends on the CPU usage and is shorter than 100 ms.

NOTE: By default, box switches have fast ICMP reply enabled in all versions.

The default aging time of ARP entries is 20 minutes. You can run the arp expire-time command to change the aging time.
You can also change the number of ARP probes by running the arp detect-times command. The default number of ARP probes is 3.
When the aging time of an ARP entry expires, the device sends a probe packet to the corresponding IP address every 5 seconds. If the device does not receive any response after the specified number of probes, it deletes the ARP entry.
For example, suppose the aging time of ARP entries is set to 60s and the number of ARP probes is set to 6.
Starting 60s after an ARP entry is generated, the device sends an ARP probe every 5s. If the device does not receive any response after sending six probes, it deletes the ARP entry. Therefore, the actual aging time of the ARP entry is (60 + 6 x 5) = 90s.
NOTE:
In V100R002, the S2700/S3700/S5700/S6700 supports the 1/2 probe time and the 3/4 probe time. The number of probes at each of these two time points is 3 and cannot be changed. For example, if the aging time is 20 minutes (1200s) and the number of ARP probes is 6, the S2700/S3700/S5700/S6700 sends three ARP probes at an interval of 5s after 10 minutes. After 15 minutes, the S2700/S3700/S5700/S6700 also sends three ARP probes at an interval of 5s. After 20 minutes, the S2700/S3700/S5700/S6700 sends six ARP probes at an interval of 5s. If the S2700/S3700/S5700/S6700 does not receive any response, it deletes the ARP entry.



Wednesday, April 13, 2016

What Is the Working Temperature of the Switch? S2700

S2700

The temperature range of the S2700 is as follows:
  • Operating temperature:
    • S2710-52P-PWR-SI and S2700-52P-PWR-EI: 0°C to +50°C
    • Others: -5°C to +50°C
  • Storage temperature: -40°C to +70°C

S3700

The temperature range of the S3700-SI and S3700-EI is as follows:
  • Operating temperature: 0°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S3700-HI is as follows:
  • Operating temperature: -5°C to +55°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

S5700

The temperature range of the S5710-C-LI, S5700-SI and S5700-EI is as follows:
  • Operating temperature: 0°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S5700-LI, S5700S-LI, and S5710-EI is as follows:
  • Operating temperature:
    • The operating temperature of the S5700-10P-PWR-LI-AC, S5700-28X-LI-24S-AC, S5700-28X-LI-24S-DC, S5701-28X-LI-24S-AC, S5700-52X-LI-48CS-AC, S5700S-28X-LI-AC, S5700S-52X-LI-AC, and S5700-10P-LI-AC is 0°C to +45°C at an altitude between 0 m and 1800 m.
    • Others: 0°C to +50°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
The temperature range of the S5700-HI is as follows:
  • Operating temperature: -5°C to +55°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI, S5710-HI, and S5720-HI is as follows:
  • Operating temperature: 0°C to +45°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the S5700-HI has the 40 km or longer transmission distance SFP+ module installed, the operating temperature range is -5°C to +50°C.
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

S6700

The temperature range of the S6700-EI is as follows:
  • Operating temperature: -5°C to +50°C
  • Storage temperature: -40°C to +70°C
The temperature range of the S6720-EI is as follows:
  • Operating temperature: 0°C to +45°C (altitude 0 to 1800 m)
  • Storage temperature: -40°C to +70°C
NOTE:
  • When the S6700-EI has the 40 km or longer transmission distance SFP+ module installed, the operating temperature range is -5°C to +45°C.
  • When the altitude is between 1800 m and 5000 m, the operating temperature reduces 1°C every time the altitude increases 220 m.

Temperature Display

The display environment command (changed to display temperature in V200R005 and later versions) displays the monitoring temperature, which is the highest temperature in the device but not the actual ambient temperature.
If no alarm is generated, the device is working normally and the temperature is within the allowed range.
NOTE:
You can run the temperature threshold command to set the threshold for the alarm temperature. You can run the display environment command (changed to display temperature in V200R005 and later versions) to view the threshold for the alarm temperature and the current temperature.

Friday, April 8, 2016

Huawei AR series enterprise routers Introduction


AR series enterprise routers (ARs) include AR150, AR160, AR200, AR1200, AR2200, and AR3200. They are the next-generation routing and gateway devices, which provide the routing, switching, wireless, voice, and security functions.

Application Scenarios
 The ARs are located between an enterprise network and a public network, functioning as the only ingress and egress for data transmitted between the two networks. The deployment of various network services over the ARs reduces operation & maintenance (O&M) costs as well as those associated with establishing an enterprise network. You can select ARs of different specifications as egress gateways based on the user quantity of an enterprise.

Hardware Extensibility
The ARs provide the highest port density in the industry and flexible slot combination, allowing enterprise customers to connect to LAN, WAN, or wireless networks. The ARs provide the most economical enterprise network solutions.
The ARs support flexible slot combination. For example, two SIC slots can be combined into a wide SIC (WSIC) slot, two SIC slots and one WSIC slot below can be combined into one XSIC slot by removing guide rails, and two multiple-function slots (MFSs) can be combined into an SRU slot by removing the guide rail between them.
Note: AR Series Enterprise Routers are class A products. Customers should take preventative measures as the operating devices may cause radio interference.



Thursday, April 7, 2016

Basic Configuration on the Device at First Login for Huawei Switches

Huawei Switches Basic Configuration: how to log in to the device for the first time through the console port or mini USB port.
Here, we describe how to configure the time and date, device name, management IP address, and the user level and authentication mode for Telnet users at first login through the console port or mini USB port. This configuration applies to all Huawei switches, such as the popular Huawei S5700, S3700, S2700…

Procedure


1. Set the time and date on the device.

Run:
system-view
The system view is displayed.

Run:
clock timezone time-zone-name { add | minus } offset
The time zone is set.

By default, the system uses the Coordinated Universal Time (UTC) time zone.
add: adds the specified time zone offset to the UTC. That is, the sum of the default UTC time zone and offset equals the time zone specified by time-zone-name.
minus: subtracts the specified time zone offset from the UTC. That is, the remainder obtained by subtracting offset from the default UTC time zone equals the time zone specified by time-zone-name.

Run:
quit
Return to the user view.

Run:
clock datetime HH:MM:SS YYYY-MM-DD
The current time and date are set.
If the time zone is not set, the time set using this command is considered as the UTC time. Before setting the current time, you are advised to confirm the current zone and set the correct time zone offset.

Run:
system-view
The system view is displayed.

Run:
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
Or clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | last } weekday month | start-date1 } end-time { { first | second | third | fourth | last } weekday month | end-date1 } offset [ start-year [ end-year ] ]
Daylight saving time (DST) is set.
By default, DST is not configured.

NOTE:
If you configure periodic DST, the combination of the DST start time and end time can be any of the following: date+date, day of the week+day of the week, date+day of the week, and day of the week+date.
When DST is used, you can run the clock timezone time-zone-name { add | minus } offset command to set the time zone. The time zone in the output of the display clock command is, however, the name of the DST time zone. When DST ends, the system displays the original time zone.

2. Set the device name and management IP address.

Run:
sysname host-name
The device name is set.
By default, the device name is HUAWEI.
When the network management tool needs to obtain the network element (NE) name of a device, you can run the sys-netid command to set an NE name for the device.

Run:
interface interface-type interface-number
The interface view is displayed.
In addition to the management interface on the device, you can also assign the management IP address to Layer 3 interfaces such as VLANIF interfaces on the device.

Run:
ip address ip-address { mask | mask-length }
The management IP address is assigned.
NOTE:
The management IP address is used to maintain and manage the device. Configure the IP address and routes based on the network plan to ensure that the routes between the terminal and device are reachable.

3. Set the user level and authentication mode for Telnet users.

Run:
telnet [ ipv6 ] server enable
The Telnet server is enabled.
By default, the Telnet server is disabled.

Run:
user-interface vty first-ui-number [ last-ui-number ]
The VTY user interface view is displayed.

Run:
protocol inbound { all | telnet }
The VTY user interface is configured to support the Telnet protocol.
By default, a VTY user interface supports the SSH protocol.

Run:
user privilege level level
The Telnet user level is set.
By default, users who log in through the VTY user interface can access commands at level 0.

Run:
authentication-mode aaa
The authentication mode for Telnet users is set to AAA authentication.
By default, no authentication mode is configured for the VTY user interface.
NOTE:
The system provides three authentication modes: AAA authentication, password authentication, and non-authentication. AAA authentication requires both the user name and password, and is therefore more secure than password authentication. Non-authentication mode is not recommended because it cannot ensure system security. This section describes how to configure AAA authentication.

Run:
aaa
The AAA view is displayed.

Run:
local-user user-name password irreversible-cipher password
The user name and password for login through Telnet are configured.
The value of password can be a plain-text string of 8 to 128 characters or a cipher-text string of 68 characters.
An overly simple password is a potential security risk. To enhance the security strength, the password entered in plain text must contain at least two of the following: uppercase letters, lowercase letters, digits, and special characters. In addition, the password cannot be the same as the user name or the mirror user name.

Run:
local-user user-name service-type telnet
The login mode is set to Telnet.

4. Save the configuration.

After basic configuration is complete, you are advised to save the configuration. If the configuration is lost, the connection and configuration for the first login must be performed again.

Run:
return
Return to the user view.

Run:
save
The configuration is saved.
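
One way to check a saved configuration against step 3, as an added example that is not part of the original post or a Huawei tool: it reports VTY user interfaces that have no authentication mode, use a mode other than AAA, or accept Telnet while the Telnet server is enabled. The sample configuration, the user name admin1234 and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the page), in the saved-configuration layout:
# top-level commands at column 0, view commands indented, '#' between sections.
SAMPLE_CONFIG = """\
#
sysname Switch
#
telnet server enable
#
aaa
 local-user admin1234 password irreversible-cipher <ciphertext-placeholder>
 local-user admin1234 service-type telnet
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound telnet
user-interface vty 16 20
 protocol inbound all
#
return
"""

def parse_views(text):
    """Group indented lines under the unindented command that opens the view."""
    views, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            views.append(current)
    return views

def audit_vty(text):
    """Return (view, finding) pairs for VTY lines that differ from the procedure."""
    views = parse_views(text)
    telnet_on = any(re.fullmatch(r"telnet (ipv6 )?server enable", h) for h, _ in views)
    findings = []
    for header, body in views:
        if not header.startswith("user-interface vty"):
            continue
        mode = next((l.split()[1] for l in body if l.startswith("authentication-mode ")), None)
        # Per the page, a VTY user interface supports SSH by default.
        proto = next((l.split()[2] for l in body if l.startswith("protocol inbound ")), "ssh")
        if mode is None:
            findings.append((header, "no authentication-mode configured"))
        elif mode != "aaa":
            findings.append((header, f"authentication-mode {mode} (procedure uses aaa)"))
        if proto in ("telnet", "all") and telnet_on:
            findings.append((header, f"protocol inbound {proto}: Telnet logins accepted unencrypted"))
    return findings

if __name__ == "__main__":
    for view, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{view}: {finding}")
```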


Tuesday, April 5, 2016

SSM and Huawei will deploy the eLTE broadband access network in Poland

Here is an example of configuring local attack defense. This configuration can be applied to all Huawei switches, such as the Huawei S2700, Huawei S3700, and Huawei S5700.

Networking Requirements

As shown in Figure 1, users on different network segments access the Internet through the Huawei Switch. Because a large number of users connect to the Switch, the CPU of the Switch receives a lot of protocol packets. If malicious users send a lot of attack packets to the Switch, the CPU usage increases and services are affected. The network administrator has the following requirements:
  • The network administrator wants to monitor CPU status. When the CPU is attacked, the Switch can promptly notify the administrator and take measures to protect the CPU.
  • When the Switch receives a lot of ARP Request packets, the CPU usage of the Switch greatly increases. The administrator wants to reduce the CPU usage to avoid impact on services.
  • Users on Net1 often initiate attacks, so the administrator wants to reject the access of Net1 users.
  • The administrator wants to upload files to the Switch through FTP, so data transmission between the administrator’s computer and Switch must be reliable and stable.
Figure 1 Networking diagram of local attack defense


Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure attack source tracing, alarms, and punishment so that the device can send an alarm to the administrator when detecting an attack source and automatically take punishment actions.
  2. Set the protocol rate threshold so that the Switch can limit the rate of protocol packets based on ports and record a log. (Port attack defense is enabled by default, so it does not need to be enabled again.)
  3. Set the CPCAR for ARP Request packets to limit the rate of ARP Request packets sent to the CPU. This reduces impact of ARP Request packets on the CPU.
  4. Add Net1 users to the blacklist to reject their access.
  5. Set the rate limit for the FTP packets sent to the CPU to ensure reliability and stability of data transmission between administrator’s computer and Switch. (ALP is enabled for FTP by default, so it does not need to be enabled again.)

Procedure

  1. Configure the rule for filtering packets sent to the CPU.
# Define ACL rules.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Switch-acl-basic-2001] quit
  2. Configure an attack defense policy.
# Create an attack defense policy.
[Switch] cpu-defend policy policy1
# Configure attack source tracing.
[Switch-cpu-defend-policy-policy1] auto-defend enable
# Enable the alarm function for attack source tracing.
[Switch-cpu-defend-policy-policy1] auto-defend alarm enable
# Set the punishment action to discard.
NOTE:
Before configuring the punishment action, confirm that the device is actually under attack; otherwise, the punishment action may discard a lot of valid protocol packets.
[Switch-cpu-defend-policy-policy1] auto-defend action deny
# Set the rate threshold to 40 pps. (Port attack defense is enabled by default, so it does not need to be enabled again.)
[Switch-cpu-defend-policy-policy1] auto-port-defend protocol arp-request threshold 40
# Add the network-side interface GE0/0/1 to the whitelist so that the CPU can promptly process the packets from the network-side interface.
[Switch-cpu-defend-policy-policy1] auto-port-defend whitelist 1 interface gigabitethernet 0/0/1
# Set the CPCAR of ARP Request packets to 120 kbit/s.
[Switch-cpu-defend-policy-policy1] car packet-type arp-request cir 120
# Configure the blacklist for CPU attack defense.
[Switch-cpu-defend-policy-policy1] blacklist 1 acl 2001
# Set the CIR of FTP packets sent to the CPU to 5000 kbit/s.
[Switch-cpu-defend-policy-policy1] linkup-car packet-type ftp cir 5000
[Switch-cpu-defend-policy-policy1] quit
  3. Apply the attack defense policy globally.
[Switch] cpu-defend-policy policy1 global
[Switch] quit
  4. Verify the configuration.
# Display the configuration of attack source tracing.
<Switch> display auto-defend configuration
 ----------------------------------------------------------------------------
 Name  : policy1
 Related slot : <0>
 auto-defend                      : enable
 auto-defend attack-packet sample : 16
 auto-defend threshold            : 128 (pps)
 auto-defend alarm                : enable
 auto-defend alarm threshold      : 128 (pps)
 auto-defend trace-type           : source-mac source-ip source-portvlan
 auto-defend protocol             : arp icmp dhcp igmp ttl-expired tcp telnet
 auto-defend action               : deny (Expired time : 300 s)
 ----------------------------------------------------------------------------
# Display the configuration of port attack defense.
<Switch> display auto-port-defend configuration 
 ----------------------------------------------------------------------------
 Name  : policy1
 Related slot : 0
 Auto-port-defend                       : enable
 Auto-port-defend sample                : 5
 Auto-port-defend aging-time            : 300 second(s)
 Auto-port-defend arp-request threshold : 40 pps(enable)
 Auto-port-defend arp-reply threshold   : 30 pps(enable)
 Auto-port-defend dhcp threshold        : 30 pps(enable)
 Auto-port-defend icmp threshold        : 30 pps(enable)
 Auto-port-defend igmp threshold        : 60 pps(enable)
 Auto-port-defend ip-fragment threshold : 30 pps(enable)
--------------------------------------------------------------------------------
# Display the configuration of the attack defense policy.
<Switch> display cpu-defend policy policy1
 Related slot : <0>
 Configuration :
   Blacklist 1 ACL number : 2001
   Car packet-type arp-request : CIR(120)  CBS(22560)
   Linkup-car packet-type  ftp : CIR(5000)  CBS(940000)
# Display the CPCAR setting.
<Switch> display cpu-defend configuration packet-type arp-request
Car configurations on slot 0.
----------------------------------------------------------------------
Packet Name           Status   Cir(Kbps)   Cbs(Byte)  Queue  Port-Type
----------------------------------------------------------------------
arp-request       Enabled       120       22560    3       UNI          
----------------------------------------------------------------------

Configuration Files

Configuration file of the Switch
#
sysname Switch
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
cpu-defend policy policy1
 blacklist 1 acl 2001
 car packet-type arp-request cir 120 cbs 22560
 linkup-car packet-type ftp cir 5000 cbs 940000
 auto-defend enable
 auto-defend alarm enable
 auto-defend action deny
 auto-port-defend protocol arp-request threshold 40
 auto-port-defend whitelist 1 interface GigabitEthernet0/0/1
#
cpu-defend-policy policy1 global
#
return
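
What the setting car packet-type arp-request cir 120 cbs 22560 means for an ARP Request flood can be estimated with a simplified single-rate token-bucket model. This is an added example, not Huawei's implementation and not code from the original post; the 64-byte frame size, the evenly spaced arrivals and the function names are assumptions.

```python
def cpcar_admitted(cir_kbps, cbs_bytes, offered_pps, frame_bytes, seconds):
    """Packets admitted to the CPU in each one-second window.

    Token counts are scaled by offered_pps so that the credit added between
    two evenly spaced arrivals is exactly the CIR in bytes per second and all
    arithmetic stays in integers.
    """
    refill = cir_kbps * 1000 // 8        # CIR in bytes/s = scaled credit per arrival
    cap = cbs_bytes * offered_pps        # bucket depth (CBS), scaled
    cost = frame_bytes * offered_pps     # one frame, scaled
    tokens = cap                         # assumption: the bucket starts full
    admitted = [0] * seconds
    for i in range(offered_pps * seconds):
        if i:
            tokens = min(cap, tokens + refill)
        if tokens >= cost:
            tokens -= cost
            admitted[i // offered_pps] += 1
    return admitted


def sustained_pps(cir_kbps, frame_bytes):
    """Long-run packet rate the CIR allows once the burst credit is spent."""
    return cir_kbps * 1000 // 8 // frame_bytes


if __name__ == "__main__":
    # Values from the page: CIR 120 kbit/s, CBS 22560 bytes.
    # Constructed load: 1000 ARP Requests per second, 64 bytes each.
    print("flood  :", cpcar_admitted(120, 22560, 1000, 64, 3))
    print("normal :", cpcar_admitted(120, 22560, 100, 64, 3))
    print("ceiling:", sustained_pps(120, 64), "pps")
```

In this model the CBS lets an initial burst through in the first second, after which the CPU sees roughly 234 ARP Requests per second regardless of how large the flood is, while traffic below that rate is never dropped.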
