HCS-Field-R&S V1.1 Training Materials(March.4,2016)

www.huawei.com

Copyright © 2016 Huawei Technologies Co., Ltd. All rights reserved.

HCS-Field-R&S

Training Program

Overview

Copyright © 2016 Huawei Technologies Co., Ltd. All rights reserved. Page 2

Preface

A field specialist certification which is developed specially for

channel partners can demonstrate one has the ability to

understand and master Huawei products, solutions, relevant

service and process thoroughly and the ability to construct,

maintain and optimize Huawei products and solutions.

Comparing to the career certification, the field specialist

certification focuses more product features, operation and

maintenance, including standards and skills.

HCS-Field-R&S: Huawei Routing & Switching Field Specialist.


Huawei Training & Certification

Architecture

IP

CT

IT

Vertical Industries

Capability Library and IT Learning Platform

Expert

Professional

Associate

Career Certification

Routing & Switching

Wireless

Transmission

UC&C

VC

Cloud

Storage & Server

……

BASIS

For ICT Practitioners

Associate

Professional

Expert

For Channel Partners

Sales specialist

Solution specialist

Field specialist

Multi industry-

specific capability

development

solutions


Huawei Certifications for IP

NetworkingOSS

Routing &

SwitchingWLAN Security

Sales Specialist HCS-Sales-IP

Pre-sales

SpecialistHCS-Pre-sales-IP Network(Datacom)

HCS-Pre-sales-IP

Network(Security)

Solution

SpecialistHCS-Solution-IP

Field Specialist HCS-Field-NMS HCS-Field-R&SHCS-Field-

WLAN

HCIE HCIE-R&S HCIE-WLAN HCIE-Security

HCNP HCNP-R&S HCNP-WLAN HCNP-Security

HCNA HCNA-R&S HCNA-WLAN HCNA-Security


Courses Overview

Date Training Contents Methods

1

AM

Huawei Box Switches IntroductionHuawei Chassis Switches Introduction

S12700 Agile Switches Introduction

Lecture

PM

AR G3 Routers Product IntroductionHuawei NE Series Routers Introduction

Migration from IOS to VRP

Lecture

2

AM

Huawei Datacom Products Routine MaintenanceHuawei Datacom Products Troubleshooting

Lecture

PM

Huawei Datacom Products Software UpgradeS Series Chassis Switches ISSU Feature Introduction

Lecture

Lab Exercise

3

AM

Huawei Datacom Products Security Features and ApplicationAR Firewall Features and Application

Lecture

PM

Lab Guide for Huawei Datacom Products Security Features and Application

Lab Guide for AR Firewall Features and Application

Lab Exercise

4

AM

Huawei Datacom Products AAA Features and ApplicationLab Guide for Huawei Datacom Products AAA Features and

Application

Lecture

Lab Exercise

PM

Huawei Switches iStack Features and ApplicationHuawei Switches CSS Features and Application

Lecture

Lab Exercise

5

AM

Huawei Datacom Products NTP Features and ApplicationHuawei Datacom Products NQA Features and Application

Lecture

Lab Exercise

PM

Huawei Datacom Products LLDP Features and ApplicationHuawei Datacom Products SNMP Features and Application

Lecture

Lab Exercise

Products Introduction

Operation &

Maintenance

Security Features

Management Features


Changes in the content

Products

Introduct

ion

Huawei NE Series Routers IntroductionAR G3 Routers Product IntroductionHuawei Chassis Switches IntroductionHuawei Box Switches IntroductionHuawei eSight Enterprise NMS Introduction

Operatio

n &

Mainten

ance

Huawei Routers & Switches Routine Maintenance

Huawei Routers & Switches emergency Management

Huawei Routers & Switches Software Upgrade

Huawei Routers & Switches ISSU Feature Introduction

High

Availabili

ty

Huawei Routers & Switches BFD Features and

Configuration

Huawei Routers & Switches Smart-Link Features and

Configuration

Huawei Switches SEP Features and Configuration

Huawei Switches DLDP Features and Configuration

Security

Features

Huawei Routers & Switches Security Features and

Configuration

Huawei Switches Access Security Features and

Configuration

Huawei Routers & Switches Firewall Features and

Configuration

Manage

ment

Features

Huawei Routers & Switches User Management

Features and Configuration

Huawei Routers & Switches SNMP Network

Management Features and Configuration

Huawei Switches iStack & CSS Features and

Configuration

Huawei Routers & Switches LLDP Features and

Configuration

Products

Introductio

n

Huawei Box Switches IntroductionHuawei Chassis Switches IntroductionS12700 Agile Switches IntroductionAR G3 Routers Product IntroductionHuawei NE Series Routers IntroductionMigration from IOS to VRP

Operation

&

Maintenan

ce

Huawei Datacom Products Routine Maintenance

Huawei Datacom Products Troubleshooting

Huawei Datacom Products Software Upgrade

S Series Chassis Switches ISSU Feature Introduction

Security

Features

Huawei Datacom Products Security Features and ApplicationAR Firewall Features and Application

Manageme

nt Features

Huawei Datacom Products AAA Features and ApplicationHuawei Switches iStack Features and Application

Huawei Switches CSS Features and Application

Huawei Datacom Products NTP Features and ApplicationHuawei Datacom Products NQA Features and ApplicationHuawei Datacom Products LLDP Features and ApplicationHuawei Datacom Products SNMP Features and Application

Delete

New

Update

Old Version New Version


Changes in the detail

Learning recommendations

for each course

Consolidate what you learn

Broaden and deepen knowledge

Optional tasks added in the lab guide

Allows students do more practices

The multimedia contains not only the lectures, but also practice

demonstrations


Learning suggestions

Study the multimedia courses seriously

http://learning.huawei.com/en/

Make full use of the product documentation

The most authoritative materials

Use eNSP to do more practices

eNSP: the simulator

Take the exams (on Prometric)

Exam Code: H20-211

HedEx Lite


Q & A

Your questions or advices

[email protected]

www.huawei.com

Thank you

Thank you

S2700 Series switches are L2 switches, and all the downlink ports are 100M;

S3700 series switches are L3 switches, and all the downlink ports are 100M;

S5700-LI series switches are L2 switches, S5700-SI/EI/HI series are L3 switches, all the

S5700 series switches downlink ports are 1000M;

S6700 series are L3 switches, and all the downlink ports are 10000M.

S2700 and S3700 can support to V1R6 software version, and the others can support to

higher software version, now is V2R1.

A: Switch.

B: Product series. "37" indicates the S3700 series.

C: Maximum number of interfaces.

NOTE:

The number of interfaces on an S3700 can be 26, 28, or 52, depending on the

device model.

D: Uplink interface type:

P: A device has optical interfaces.

X: The product has fixed 10GE uplink ports.

TP: A device has combo interfaces supporting optical and electrical interfaces.

C: A device supports interface cards. There can be two or four uplink interfaces on

an interface subcard.

E: Power over Ethernet (PoE).

NOTE: If this letter is not displayed, PoE is not supported.

F: Software version type:

LI: lightweight version

EI: enhanced version, supporting enhanced features

SI: standard version, supporting basic features

HI: advanced version, supporting high-performance Operation, Administration, and

Maintenance (OAM) and built-in real-time clock (RTC)

G: Downlink interface type. The value 24S indicates that 24 downlink interfaces of the

S3700-52P-EI-24S are optical interfaces.

NOTE: If this letter is not displayed, all downlink interfaces are electrical interfaces.

H: Powering mode:

AC: alternating current power

DC: direct current power

I: The device has monitoring interfaces.

S2700 positioned for the access layer of enterprise network.

S3700 positioned for the access layer or aggregation layer of enterprise network.

S5700 positioned for the access layer or aggregation layer of enterprise network.

The Quidway S6700 Series series Ethernet switches (hereinafter referred to as the

S6700) provide the access, aggregation, and data transport functions. They are

developed by Huawei to meet the requirements for reliable access and high-quality

transmission of multiple services on the enterprise network and the data center

network.

SX7 series switches provide large capacity, high port density, and cost-effective

Forwarding performance capabilities. In addition, the SX7 swithes provide multi-

service access capabilities, excellent extensibility, quality of service (QoS)

guarantee, powerful multicast replication, and carrier-class security, and can be

used to build ring topologies of high

The S2700 Ethernet switches adopt an integrated hardware platform. An S2700 consists

of the chassis, power supply unit, fan, switch control unit (SCU), and interface subcard.

The width of an S2700 complies with industry standards, and the S2700 can be installed in

an IEC297 cabinet or an ETSI cabinet.

The S2700 is 1 U (1 U = 44.45 mm) high. S2700-26TP-SI/EI are 442.0 mm x 220.0 mm x

43.6 mm (width x depth x height).

on the left of S2726TP-EI panel is the power supply module, the middle part is the SCU

board. S2726TP-SI/EI support AC and DC power supply.

SCU board has one Console port, 24 10/100BASE-T Ethernet ports and 2 Gigabit Combo

ports(10/100/1000BASE-T+100/1000BASE-X).

The S3700 is 1 U (1 U = 44.45 mm) high.

The dimensions of S3700-28TP-EI-MC-AC, S3700-28TP-SI-AC, S3700-28TP-EI-AC, S3700-

28TP-SI-DC, S3700-28TP-EI-DC, S3700-26C-HI, S3700-28TP-EI-24S-AC, S3700-52P-SI-AC,

S3700-52P-EI-DC or S3700-52P-EI-AC are 442.0 mm x 220.0 mm x 43.6 mm (width x

depth x height).

The dimensions of S3700-52P-EI-24S-AC, S3700-52P-EI-24S-DC, S3700-52P-EI-48S-AC,

S3700-52P-EI-48S-DC, S3700-28TP-PWR-EI or S3700-52P-PWR-EI are 442.0 mm×420.0

mm× 43.6 mm (width x depth x height).

The S5700 is 1 U (1 U = 44.45 mm) high.

The dimensions of S5700-24TP-SI-AC, S5700-24TP-SI-DC, S5700-28C-HI or S5700-28C-HI-

24S are 442.0 mm x 220.0 mm x 43.6 mm (width x depth x height).

The dimensions of S5700-6TP-LI-AC are 250.0 mm × 180.0 mm × 43.6 mm (width x

depth x height).

The dimensions of an S5700 switch except S5700-24TP-SI-AC, S5700-24TP-SI-DC, S5700-

28C-HI, S5700-28C-HI-24S and S5700-6TP-LI-AC are 442.0 mm x 420.0 mm x 43.6 mm

(width x depth x height).

The S5700-LI-BAT has the following advantages:

In the event of a mains power failure the battery can power the switch, so services

will not be interrupted.

Compared with switches using external power supply units, the S5700-LI-BAT

occupies less space and is easier to install.

Intelligent power management, long standby time.

Battery LAN switches on the entire network can be managed centrally using a web

system, facilitating network operation and maintenance. As the battery lifetime is

predictable, you do not need to replace batteries periodically, reducing hardware

costs.

The internal battery provides alarm and voltage/current protection functions as

well as overtemperature protection, which enhance reliability.

The S5700&S5710 Series Ethernet switch (hereinafter referred to as the S5700) provide

the access, aggregation, and data transport functions. They are developed by Huawei to

meet the requirements for reliable access and high-quality transmission of multiple services

on the enterprise network.

S5710-108C-PWR-HI is the powerful huawei fixed switch, the height is 2U, it could be

Small & Medium Enterprise Core. There are 3 highlights, 1. It’s designed very compact, the

link could be up to 40G, 2. Full MPLS solution could support as a Branch core of an

enterprise, 3.Integrated AC could support BYOD solution.

S5720-HI Series Agile Fixed Switches

Fully programmable, energy-efficient Gbit/s access switches for building high-

density, agile Ethernet networks.

Innovative virtualization technology and specialized electronics greatly simplify

management of converged, wired and wireless networks, provide more granular

quality monitoring and error recovery, and enable rapid provisioning of new

services and network features.

Available in 24-port and 48-port models with 10 GE uplink ports enabling

comprehensive services processing capabilities.

S5720-EI Series Next-Generation Enhanced Gigabit Switches

Advanced technology in a resilient Gbit/s switch for reliable, easy-to-manage

access or aggregation in enterprise campus networks. 10 GE uplink ports enable

comprehensive service-processing capabilities, and intelligent iStack technology

provides easy scalability.

Based on Huawei’s next-generation, high-performance processors and Versatile

Routing Platform (VRP), the S5720-EI switches provide larger table sizes and higher

hardware-based processing capabilities than similar switches; the mature IPv6

technologies provide a smooth migration path from IPv4 to IPv6.

Choose from a broad range of fixed-port switches in 24-port and 48-port

configurations to meet your precise requirements for wired and optical

networking.

S5720-SI Series Next-generation Standard Gigabit Ethernet Switches

The S5720-SI series are next-generation standard gigabit Layer 3 Ethernet switches

with high-performance hardware, providing high-density GE, and 10 GE uplink

interfaces. With extensive service features and IPv6 forwarding capabilities, the

S5720-SI can be used as access or aggregation switches on campus networks or

access switches in data centers. Integrating many advanced reliability, security, and

energy saving technologies, they are simple and convenient to install and maintain

to reduce customers’ OAM costs.

The chassis of the is 1 U (1 U = 44.45 mm) high and its dimensions are 442.0 mm x 420.0

mm x 43.6 mm (width x depth x height).

S6720 Series Next-Generation Enhanced 10 GE Switches

The industry's highest-performing fixed switches, the S6720 series provides 24/48

full line-speed 10 GE ports, which are scalable to 6 x QSFP+ full line-speed ports.

The S6720 supports long-distance stacking with up to 480 Gbit/s bidirectional

stack bandwidth. It also supports 1+1 backup of AC and DC power modules that

can be installed on the same device.

These switches offer various service features, supports comprehensive security

policies and QoS capabilities, and are best suited for data center servers and the

core campus network.

Functions

The G2S provides two 1000M SFP optical interfaces to implement data access and

line-speed switching.

The S3700HI SCU powers on or off the G2S, detects whether the G2S is installed

or not, and manages PHY chips and optical interfaces on the G2S. The G2S works

with the entire system to provide enhanced service features such as OAM and BFD.

Applications

The G2S can be inserted into the front subcard slot of the S3700HI and is hot

swappable.

The E2XX can be inserted into the front subcard slot of the S5700-28C-EI, S5700-52C-EI,

S5700-28C-EI-24S, S5700-28C-SI, S5700-52C-SI, S5700-28C-PWR-EI, or S5700-52C-PWR-

EI. The E2XX is not hot swappable.

The E2XY can be inserted into the front subcard slot of the S5700-28C-EI, S5700-52C-EI,

S5700-28C-EI-24S, S5700-28C-SI, S5700-52C-SI, S5700-28C-PWR-EI, or S5700-52C-PWR-

EI. The E2XY is not hot swappable.

The E4XY can be inserted into the front subcard slot of the S5700-28C-SI, S5700-52C-SI,

S5700-28C-EI, S5700-52C-EI, S5700-28C-PWR-EI, S5700-52C-PWR-EI or S5700-28C-EI-

24S. The E4XY is not hot swappable.

The E4GF can be inserted into the front subcard slot of the S5700-28C-EI, S5700-52C-EI,

S5700-28C-EI-24S, S5700-28C-PWR-EI, or S5700-52C-PWR-EI.

The E4GFA can be inserted into the front subcard slot of the S5700-28C-SI, or S5700-52C-

SI.

The E4GF or E4GFA is not hot swappable.

These three sub-cards can install into S5710 series switches, and can support hot plug-in.

The fans can work in the intelligent mode or forcible mode.

In the intelligent mode, the fans start to operate only when the ambient temperature goes

higher than a specified value.

Only S5700-28C-HI and S5700-28C-HI-24S support the 170 W DC power supply unit.

PoE provides power for terminals such as IP phones, access points (APs), portable device

chargers, point-of-sale (POS) machines, cameras, and data collectors. These terminals are

powered when they access the network, so the indoor power supply systems are not

required. Complying with IEEE 802.3af and IEEE 802.3at, the PoE SX7 is able to remotely

provide power for the devices of different vendors. IEEE 802.3af supports a maximum of

15.4 W power and IEEE 802.3at supports a maximum of 30 W power.

The PoE function transmits power together with data to terminals over cables or transmits

power without data over idle lines. The SX7 can transmit power together with data at a

rate of up to 1000 Mbit/s.

S6700 series switches use the 500W PoE power module, in this situation the power

module can only provide power for the device, cannot provide PoE function.

Functions

RPS1800 is a redundant power supply unit for a switch when the internal power supply

unit of the switch fails.

RPS1800 provides the following functions:

Clears the power-off risk when the internal power supply unit of a switch fails.

Provides power backup for a maximum of six network devices, and can take over

power supply for one device when its internal power supply unit fails.

Stops power supply when the faulty internal power of the switch recovers.

Connects to two 800 W swappable 48 V power supply units.

Provides 800 W PoE for two switches concurrently after software configuration.

Supports the setting of port priorities.

Applications

RPS1800 can provide power supply for S5700-28P-LI-AC, S5700-28P-LI-DC,

S5700-52P-LI-AC, S5700-52P-LI-DC, S5700S-28P-LI-AC, S5700S-52P-LI-AC,

S5700-28P-PWR-LI-AC, and S5700-52P-PWR-LI-AC.

The following requirements must be met to implement stacking:

All the member switches belong to the same series. The EI series and SI series

cannot form a stack.

All the member switches are connected by using stack cables and stack modules.

The stack rear subcard cannot be used together with the E4GF/E4GFA or E4XY

front subcard.

The ETPC can be inserted into the S5700-24TP-SI-AC, S5700-24TP-SI-DC, S5700-48TP-SI-

AC, S5700-48TP-SI-DC, S5700-28C-EI, S5700-52C-EI, S5700-28C-EI-24S, S5700-28C-SI,

S5700-52C-SI, S5700-24TP-PWR-SI, S5700-48TP-PWR-SI, S5700-28C-PWR-EI, or S5700-

52C-PWR-EI for stacking.

The ETPB can be inserted into the S5700-28C-EI, S5700-52C-EI, S5700-28C-EI-24S, S5700-

28C-SI, S5700-52C-SI, S5700-28C-PWR-EI, or S5700-52C-PWR-EI for interface extension.

The ETPB extended rear subcard must be used together with the E4GF/E4GFA or E4XY

front subcard to provide four SFP GE interfaces or SFP+ 10GE interfaces.

When the S5700EI or S5700SI is equipped with ETPC:

If the E4XY front subcard is used, only ports 1 and 3 are available.

If the E4GFA or E4GF front subcard is used, only ports 1 and 2 are available.

S2700/3700/5700/6700 is integrated with HTTP Server. When HTTP Server is enabled, the

switch can be accessed through various web browsers.

It is difficult to provide power supply to many AP devices like WiFi or camaras.

Switches can be configured of different power levels(250w and 500w) POE power supply

to support POE(Power Over Ethernet) function, so that remote PD(eg,IP phone, WLAN AP,

Security, Bluetooth AP) will be provided -48V DC power supply through the twisted pair.

Merging the separate worlds of video conferencing and video streaming

Affordably creating high-quality video communications

Managing, tracking, and securing video content throughout the enterprise

Delivering video content in real-time and on demand to various target audiences

Switches that use service interfaces and switches that use stack cards cannot be combined

in a single stack. Switches from different series cannot be combined in a single stack.

Large capacity: The S7700/S6700/S5700of large capacity is used to ensure the rate of

1000M on floors.

High availability: VRRP is run on two core switches to realize the backup mode. Double

links are used to converge services at each floor to the core switches.

High security: The terminal needs to pass the RADIUS authentication before accessing the

network. The Eudemon is deployed at the edge of servers to ensure the security of

servers.

What is the meaning of each section of the switch’s name: S3728TP-PWR-EI?

S: Switch

37: Sub-Series

28: the maximum port quantity

TP: the upload ports support Combo

PWR: the device supports PoE

EI: the device is an enhanced instance, supports advanced features

The S-Series chassis switch provides powerful multicast functions, comprehensive QoS

guarantee, effective security management mechanisms, and carrier-class high reliability to

meet the requirements of high-end customers for multi-service support, high reliability,

large capacity, and modular design. With the switch, costs in network construction and

maintenance are lowered. Additionally, the S-Series chassis switch can be used as a core

switch or an aggregation switch for IP MANs and large campus networks.

The S-Series Chassis Switch is a next-generation high-end switch of Huawei. The switch

features large capacity, wire-speed forwarding, and high density and it is a future-proof

switch for MANs. The switch can be used as an aggregation switch or a core switch for

enterprise networks, campus networks, and data centers.

The S-Series Chassis Switch includes S7700/S9300/S9700.

The S-Series Chassis Switch are classified into the

S7703/S7706/S7712/S9303/S9306/S9312.

The S-Series Chassis Switch uses a fully distributed architecture and the latest

hardware forwarding engine technology. The services supported by all the ports

can be forwarded at wire speed, including IPv4 services, MPLS services, and Layer

2 forwarding services. The switch can use ACLs to forward packets at wire speed.

The S-Series Chassis Switch supports wire-speed forwarding of multicast packets.

The hardware implements 2-level multicast replication: The SFU replicates multicast

packets to the LPU. Then the forwarding engine of the LPU replicates the multicast

packets to the ports on the LPU.

The S7700/S9300 switch supports 2 Tbit/s switching capacity and various high-

density boards to meet requirements for the large capacity and high-density ports

of core and convergence layer devices. The switch can meet the increasing

bandwidth requirements and maximally reduce investments.

SXX03's switching capacity:

Adopting the full mesh architecture, the SXX03 provides 16 Gbit/s bandwidth in

each HIG group, that is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between

each slot and the backplane supports eight HIG groups; therefore, the total

bandwidth for each slot is 128 Gbit/s.

There is no switching fabric unit in the full mesh architecture. The switching

capability is 720 Gbit/s, that is, 120 Gbit/s x 2 x 3 (3 LPUs).

SXX06/SXX12's switching capacity:

Adopting the switching fabric architecture, the switch provides 16 Gbit/s bandwidth

in each HIG group, that is, 4 x 5 Gbit/s x 8/10 (8B/10B code). The channel between

each slot and the switching fabric unit supports four HIG groups (an active SRU and

a standby SRU); therefore, the total bandwidth for each slot is 64 Gbit/s. Each

12x10G LPU slot supports eight HIG groups; therefore, the total bandwidth is 128

Gbit/s. (Only two 12x10G LPUs of the S7712/S9312 support wire-speed

forwarding.)

The maximum switching capability of the switch is 2048 Gbit/s, that is, 16 Gbit/s x

16 (ports) x 1 (switching fabric unit) x 2 (bidirectional) x 4 (SRUs).

S9700 Series Switch is design for integrated multi-service network architecture, It is a high-

end intelligent terabit routing switch.

S9700 provides 16x10GE ports inter-board wire speed switching, and supports

40GE/100GE standards in the future.

The S7700 and S9300 have the same power supply system, The output capability of single

AC power module is 800W(Input 220V), so 2+2 hot standby can provide 1600W max. The

output power is 400W when input volt is 110V.

S7700 and S9300 support PoE, and S9700 don't.

S9700 supports 2200W AC power supply.

The fan trays, AC power supplies, DC power supplies, LPUs, cables, and cabinet handles

can be used by all types of the switch. The handles can be removed from the cabinet.

The SXX12 and the SXX06 shared the monitoring boards and control boards of the same

type.

The fan tray support either of the following two configurations:

Low-cost single fan mode

Highly reliable fan tray mode. Each fan tray supports two overlapping fans.

PWR1 and PWR2 belong to Area A. PWR3 and PWR4 belong to Area B. Area A and Area B

work in backup mode. PWR1 and PWR2 work in load balancing mode, and PWR3 and

PWR4 also work in load balancing mode.

The SXX12 supports the DC power supply and the AC power supply.

When the DC power supply is used, the S7712/S9312 supports 1+1 DC power

supplies, achieving a maximum power of 1600 W. Area A and Area B each is

configured with a DC power module. The filler panels are installed in other slots of

Area A and Area B. For example:

DC power modules are installed on PWR1 and PWR3, and filler panels are

installed on PWR2 and PWR4.







When the AC power supply is used, the S7712/S9312 supports 1+1 or 2+2 AC power

supplies.

When 1+1 220 V AC is selected, the maximum power of the S7712/S9312 is 800

W. This 1+1 configuration can be used if the S7712/S9312 has a few LPUs and the

total power consumption of the device is less than 800 W. Area A and Area B each

is configured with an AC power module. The filler panels are installed in other slots

of Area A and Area B. For example:

AC power modules are installed on PWR1 and PWR3, and filler panels are








When 2+2 220V AC is selected, the maximum power of the S7712 is 1600 W. Four

AC power supplies are configured in Area A and area B. PWR1 to PWR4 slots are all

equipped with AC power modules.

The S7712/S9312 does not support the configuration of 110 V AC power supplies.


S9712 do not support PoE, the PoE power area are revered; S7712/S9312 support

PoE LPU, PoE power modules are installed in this area.







configured with a DC power module. The filler panels are installed in other slots of

Area A and Area B. For example:









When the AC power supply is used, the S7706/S9306 supports 1+1 or 2+2 AC

power supplies.

When 1+1 220 V AC is selected, the maximum power of the S7706/S9306 is 800

W. Area A and Area B each is configured with an AC power module. The filler

panels are installed in other slots of Area A and Area B. For example:









When the 2+2 110 V AC is selected, the S7706//S9306 provides the power of 400

W. AC power modules in 1+1 mode cannot meet requirements for power supply.

To meet the power requirements, the S7706//S9306 must use 2+2 mode for 110 V

AC power supplies. PWR1 to PWR4 slots are all equipped with AC power modules.


S9706 do not support PoE, the PoE power area are revered; S7706/S9306 support PoE LPU,

PoE power modules are installed in this area.







configured with a DC power module.

When the AC power supply is used, the S7703/S9303 supports 1+1 or 2+2 AC

power supplies.

When the 1+1 220 V AC is selected, the maximum power of the

S7703/S9303 is 800 W. Area A and Area B each is configured with an AC

power module.

When the 1+1 110 V AC is selected, the S7703/S9303 provides the power

of 400 W. The entire power of the S7703 is less than 400 W; therefore,

you can configure AC power modules in 1+1 mode when the voltage is

110 V.


S9703 do not support PoE, the PoE power area are revered; S7703/S9303 support PoE

LPU, PoE power modules are installed in this area.

CBUS: control bus; PP: packet processor

The SXX06 and the SXX12 use the same system architecture. The hardware structure is

divided into three planes: data plane, control plane, and management plane. The three

planes are separated from each other. The data plane is exclusively used for transmitting

service data. The data plane is physically divided into several star HIG planes. The control

plane is exclusively used for transmitting protocol data, such as the data of routing

protocols. The control plane transmits data by way of dedicated channels. The

management plane is exclusively used for managing devices. The management plane uses

the CANBUS and independent power supply system.

At the core of the SXX06 and the SXX12 is the SRUA. The SRUA is responsible for data

forwarding and control protocol processing. The SRUAs work in hot standby mode. In

addition, the switching fabric unit supports load balancing mode.

The CMU is the centralized management unit. It monitors and manages the fans, power

supplies, external trunk nodes, and POE power supplies. The CMUs support hot standby.

CBUS: control bus; PP: packet processor

The SXX03 uses the full mesh structure. The hardware structure is divided into three

planes: data plane, control plane, and management plane. The three planes are separated

from each other. The data plane is exclusively used for transmitting service data. The data

plane uses the mesh topology and is physically divided into several HIG planes. The control

plane is exclusively used for transmitting protocol data, such as the data of routing

protocols. The control plane transmits data by way of dedicated outband channels. The

management plane is exclusively used for managing devices. The management plane uses

the CANBUS and independent power supply system.

The SXX03 is integrated with an equipment management module. The module monitors

and manages the fans, power supplies, external trunk nodes, and POE power supplies.

The SRU integrates the control and switching functions and provides the control plane,

management plane, and switching plane for the system.

The control plane provides a variety of functions such as protocol processing,

service processing, route calculation, forwarding control, service scheduling, traffic

statistics, and system security.

The management plane is responsible for system monitoring, environment

monitoring, log and alarm processing, system loading, and system upgrade.

The switching plane provides high-speed and non-blocking data channels to

implement service switching between service modules.

The SRU consists of the following functional modules physically:

Control module: Functions as the control and management plane for the SRUA and

the entire system to implement protocol processing, route calculation, forwarding

control, system management, and system security.

Switching module: Functions as the service switching plane, providing high-speed

service channels to implement service switching.

Local clock module: Provides the working clock for the chips of the control

module, switching module, and equipment management and monitoring module.

Equipment management and monitoring module: Provides the CBUS module to

monitor the SRUA and manage the CBUS modules on the LPUs.

Power supply module: Provides power supplies for the SRUA, Flexible Service Unit

(FSU), and clock pinch board.

FSU: Provides enhanced services such as centralized forwarding, network quality

analysis (NQA), Ethernet operation, administration and maintenance (OAM), and

NetFlow. It is an optional value-added service module.

Clock pinch board: Provides the stratum-3 clock and synchronous Ethernet clock

and supports IEEE 1588v2. It is an optional clock module.

SRUD is used by S9706/S9712

With the switch capability of 1920Gbps

Integrated with EOAM based on hardware and BFD detection engine.

SRUD includes the control plane, management plane, and switching plane.

The FSU provides the following functions:

Supports hot swapping with a full-height subcard structure.

Implements Ethernet OAM to ensure security of the CPU on the SRU.

Tags a timestamp on NQA packets.

NQA measures the performance of different protocols running on the

network. ISPs can collect the operation statistics of networks in real time,

including the total delay of the HTTP, delay in TCP connection, delay in

DNS resolution, delay in FTP connection, and error ratio in DNS resolution.

NQA enables ISPs to monitor network QoS in real time and locate and

diagnose faults when the faults have occurred on the network.

Supports PCIE endpoint.

Forwards 64K MAC address entries centrally.

Monitors board environment such as the board temperature.

Supports the saving and query of model information of the board.

Usage Scenario

The FSU is installed on the subcard slot on the SRU.

The FSU is an optional subcard on the SRU of the SXX12 and SXX06, and can be

removed and installed flexibly.

Users can choose to install the FSU based on service requirements, which improves

the flexibility and scalability of services.

The CMU consists of the following modules:

Equipment management module: Sends port control signals for equipment management.

Panel port module: Manages the external PoE power supply and passive devices.

Backplane port module: Sends all port signals on the backplane to control the power

supply, fans, and active/standby state of SRU.

Usage Scenario

The CMU applies to the SXX12 or SXX06. There are two CMU slots on the subrack, one

for the active CMU and the other for the standby CMU. You can configure one or two

CMUs as required.

The switch uses the independent monitoring unit and adopts the CBUS as the monitoring

channel. The CBUS uses the integrated ASIC to complete a variety of tasks, including

detecting the board temperature, checking clocks, monitoring and controlling voltage,

controlling power-on and power-off of boards, and supporting JTAG loading. The switch

provides intelligent power management and fan speed adjustment. On the SXX03, the

CMU is integrated on the MCUA and no independent slot is provided. The functions of the

CMU of the SXX03 are the same as those of the CMUs of the SXX12 and SXX06.

The CBUS is a device management bus and also an outband management platform, which

is separated from services. If the CBUS is powered off or reset, services are not interrupted

but certain system functions may be affected, for example, board power and temperature

monitoring. If a board is faulty, the CBUS is not affected.

The SXX03 provides the following ports:

Console port: Supports local configuration management of the SXX03.

10/100Base-TX port: Used for software upgrade or connection to the NMS.

MON port: Connected to external trunk nodes to monitor the equipment

environment, for example, door access control and water.

RS485 port: Connected to the external POE power supply.

The MCU of the SXX03 provides the following functions:

Runs routing protocols. All routing packets are sent by the forwarding engine to

the MCU for processing. The MCU processes routing packets, updates routing

entries, and delivers the forwarding table to the forwarding engine. The MCU also

broadcasts and filters routing packets, and downloads routing policies from the

policy server.

Runs the signaling protocol. In MPLS application, the MCU runs the MPLS signaling

protocol to process call requests, perform admission control, and establish and

maintain label switched paths (LSPs).

Provides outband communication channels between boards. The MCU integrates

LAN switch modules to process outband communication. The LAN switch modules

work in backup mode.

Provides high-precision stratum-3 clocks and synchronous Ethernet IEEE1588

clocks. These clocks ensure synchronization of ports and transmission clocks

between LPUs.

Monitors system operation. The MCU collects operation data of different units

periodically. Based on the running status of the units, the MCU generates the

control information. The control information helps check availability of boards,

control the running status of the switching fabric, perform port switching, reset the

forwarding engine, and increase fan speeds.

Implements data configuration. The MCU stores the configuration data, startup file,

accounting data, upgrade software, and running logs of the SXX03. The MCU

provides a CF card to store data files.

Works in 1+1 backup mode to improve reliability. The active and standby MCUs

monitor the status of each other. When the active MCU fails, the standby MCU

takes over all services of the active MCU to ensure the normal running of the

system.

The FSUA provides the following functions:

Enhancing Ethernet OAM and BFD

Ensuring security of the CPU on the SRU and limiting the rate of packets sent to

the CPU

Storing and querying the board information

Each VSTSA provides four 16G electrical interfaces to implement data access and line-

speed switching. The switches connected through the interfaces on the VSTSA belong to a

switching domain and are considered as a device. Users can manage all the switches in a

stack on the master switch.

We must pay attention that a kind of LPU may can be used in S9700/S9300/S7700, but

one specific board only suit for certain chassis.

For example, all of S9700/S9300/S7700 support 48-port GE electrical LPU, but the

one which we use in S9700 cannot be used in S9300 and S7700.

Some specific LPU only can be used in certain chassis.

G48SBC0 only can be used in S9300 and S9700.

G48VA only can be used in S7700/S9300, and should be installed in the chassis

which support PoE.

X08SED only can be used in S9700

WMNPA can be used in S9700

The WMNPA provides two subcard slots. Subcards can be inserted into one WMNPA.

The switching and routing engines, power modules, CMUs, and fan modules of the S-

Series Chassis Switch are all in 1+1 or N+N redundancy backup mode. They are all hot-

swappable.

The fan tray of the S-Series Chassis Switch supports double layers of fans for redundancy

backup, thereby improving the system reliability.

The DLDP protocol can detect the link status of fibers or twist pairs. If a unidirectional fault

has occurred, DLDP automatically shuts down the related port or requests the

administrator to shut down the port.

DLDP can be associated with RRPP or SmartLink to carry out protection switchover.

Ethernet OAM is short for Ethernet Operation, Administration and Maintenance.

The functions of Ethernet OAM are as follows:

Fault management

Ethernet OAM detects the network connectivity by sending detection packets at a

scheduled time or through manual triggering.

Ethernet OAM can locate faults on the Ethernet by using methods similar to the

Packet Internet Groper (ping) and traceroute on IP networks.

Ethernet OAM works with a protection switching protocol so that a protection

switchover can be triggered once a link fault is detected. This method ensures that

service interruption lasts 50 ms or less.

Performance management

Performance management is used to measure the packet loss ratio, delay, and jitter during

the transmission of packets. It also collects statistics on various types of packets.

Performance management is usually implemented at the user access points. By using

performance management tools, an ISP can monitor the network running status and

locate faults through an NMS. The ISP can then check whether the forwarding capacity of

the network complies with the Service Level Agreement (SLA) signed with users.

The S-Series Chassis Switch provides 32K OAM sessions that are bound to the specific

port, user, and service, ensuring fast fault detection and location.

The 3.3 ms detection interval ensures fast switchover within 50 ms.

The S-Series Chassis Switch provides 32K OAM sessions that are bound to the specific port,

user, and service, ensuring fast fault detection and location.

The 3.3 ms detection interval ensures fast switchover within 50 ms.

The S-Series Chassis Switch uses an advanced heat dissipation architecture. The left-to-rear

ventilation path when working in tandem with efficient heat dissipation management and

cabling management can increase the number of use lines and reduce the cabinet depth

by 200 mm while not affecting the system's heat dissipation. The S-Series Chassis Switch

reduces the required equipment room space by up to 25% compared with traditional

switches.

An energy-efficient air conditioning system is critical to the energy-saving of the entire

equipment room.

The S-Series Chassis Switch is designed with multiple innovated and patented heat

dissipation technologies, such as monitoring over key components, zone-based fan

control, intelligent fuzzy fan speed adjustment, and left-to-rear ventilation path. The

unique technologies improve the heat dissipation efficiency and enable the S-Series Chassis

Switch to work at 45°C for a long time.

It is estimated that the 45°C working temperature reduces the energy consumption for

air conditioning by up to 39% than at the 24°C working temperature.

Using the fuzzy fan speed adjustment algorithm, the S-Series Chassis Switch reduces noise

by 5 dB and decreases energy consumption by 4% compared with similar products.

The SXX06 and SXX12 have different fan zones.

The rotation speeds of the fans in each fan zone can be adjusted based on the LPU load.

The adjustment can maximally reduce electricity consumption.

If there is no LPU in a fan zone, the rotation speeds of the fans in the zone are reduced to

the minimum value (now the minimum value can be less than 2 W). This reduces power

consumption and noise and extends the service life of fans.

The S-Series Chassis Switch supports a wide range of LPU power, from 40 W to 250 W,

and possibly 350 W in the future. The zone-based fan speed adjustment can increase the

rotation speeds of the high-power LPUs while maintaining the low rotation speeds of

other LPUs. This approach reduces energy consumption and noise.

In traditional switches, all components are in full working state even when service traffic is

low, resulting in much waste of energy. In the S-Series Chassis Switch, energy

consumption is dynamically managed based on service traffic changes. This approach

reduces energy consumption by up to 8%.

The S-Series Chassis Switch can function as a core switch in enterprise campus networks.

The S-Series Chassis Switch provides powerful switching capabilities and support multiple

Layer 3 protocols. The S-Series Chassis Switch also features easy service rollouts and

simplified management.

The S-Series Chassis Switch provides high-density 10GE ports and a large number of GE

ports for aggregation and access. The S-Series Chassis Switch , firewalls, and service load-

balancing servers combine to create a powerful Internet data center (IDC).

What models do the S-Series Chassis Switch provide?

The S-Series Chassis Switch provides three series: S7700, S9300, and S9700, each

series has 3 model: SXX03, SXX06, SXX12

What are the S-Series Chassis Switch slot and board types?

The S-Series Chassis Switch provides a broad range of boards, such as SRU, MCU,

CMU, and LPU. For details about the boards, see the slides therein.

How does the S-Series Chassis Switch ensure high reliability?

The S-Series Chassis Switch ensures high reliability from both hardware and

software. As for hardware, the S-Series Chassis Switch supports redundancy

backup for all major components, such as control boards, power modules, and fan

modules. In terms of software, the switch provides a rich set of features, such as

SSO, separation between the control plane and the forwarding plane, and

hardware Ethernet OAM.

Why an agile network is required? Let's look at the IP network history. A network is used

to transmit information data. Service and application development determines network

development.

IP network technology development falls into the following four phases:

Initial phase: Typical services are mainly text services similar to Email and Telnet. Networks

are mainly used by specialists. There are low requirements for network bandwidth and

real-timeness. The networks only need to provide basic connection functions. Typical

network devices include Ethernet hubs and software forwarding routers.

Popularity phase: Starting from 1995, Netscape browser promotes Internet popularity.

Internet users increase sharply, services are diversified, text services become web services,

download services become popular, and network traffic increase rapidly. The network

scale, bandwidth, and performance problems are major problems in this phase. Layer 2/3

switches and hardware forwarding routers are used.

Multi-service phase: Starting from 2000, IP services are of major concern. The IP network

is required to transmit voice, video, and leased line services. Many new network

technologies are used, including MPLS/TE, QoS, BFD, fast switching, and NSF/NSR/ISSU.

Multi-service transmission needs to be ensured, and there are requirements for network

quality of real-time services, reliability, and service isolation.

In recent years, new services emerge increasing. A large number of new services and

technologies propose more requirements. These services including cloud computing,

WLAN, mobile office, social media, HD video, big data, and IOT. The next-generation

network needs to face challenges brought by these new services and solve existing

problems on the live network.

The service trends are as follows:

1 Terminal mobility: Terminals are not fixed.

2 Resource cloud: Resources including computing and storage resources are integrated into

the cloud to improve resource use efficiency. Resource cloud greatly improves IT efficiency,

and reduces costs including investment costs and O&M costs. Computing and storage

resources can be dynamically allocated. Network resources need to be dynamic to meet fast

deployment requirements in the cloud era.

3 Network real-timeness: Social media includes many real-time services. Voice, video, and

future cloud desktop services are migrated to networks. In addition to data service

transmission, the network needs to consider the impact of real-time and interactive services.

4 Fast-changing network requirements and rapid increase of traffic, functions, and nodes:

Network scalability is required to meet fast-changing network requirements.

Network problems are as follows:

1 Network resources are statically configured, and cannot respond to dynamic services, for

example, dynamic allocation of computing resources, VM migration, and mobile terminal

position change.

2 The IP network is unaware of service experience. Smooth service experience cannot be

ensured.

3 The fault location efficiency is low. When faults occur and cannot be rectified automatically,

faulty points cannot be accurately located in a short time.

4 Borderless security problems involve egress security and security at any position and on any

device. In particular, as mobility develops, there may be attack points elsewhere.

5 The response is slow. Functions on network devices, especially Ethernet switches, are

hardware-defined. New components are required to support new functions. The response time

cannot meet requirements of software-defined service development.

The S12700 comes in two different models: S12704, S12708, and S12712.

The S12704 supports a maximum of 4 LPUs and 2 SFUs.



Note：S12704 only has two SFU slots.

The ET1D2MPUA000 is the main control unit for the S12708 and S12712. It provides the

control plane and management plane for the entire system and reserves a slot for clock

daughter card.

The ET1D2MPUA000 consists of the following functional modules:

Control module: functions as the control and management plane for the

ET1D2MPUA000 and the entire system, implementing protocol processing, route

calculation, forwarding control, system management, and system security.

Local clock module: provides the working clock for the chips of the control module,

and device management and monitoring module on the ET1D2MPUA000.

Device management and monitoring module: provides functions of a controller area

network (CAN) bus module to monitor the ET1D2MPUA000 and manage the CAN

bus modules of LPUs.

Power supply module: provides power supply for the ET1D2MPUA000.

Value-added service module: provides value-added services such as operation,

administration and maintenance (OAM) and bidirectional forwarding detection

(BFD).

SFUs of the S12700 include:

ET1D2SFUA000: S12708/S12712, Switch Fabric Unit A

ET1D2SFUC000: S12708, Switch Fabric Unit C

ET1D2SFUD000: S12708/S12712, Switch Fabric Unit D

S12700 fully configured with SFUAs provides a maximum of 160 Gbit/s slot

bandwidth

S12700 fully configured with SFUCs provides a maximum of 480 Gbit/s slot

bandwidth

S12700 fully configured with SFUDs provides a maximum of 640 Gbit/s slot

bandwidth

The ET1D2SFU provides the data plane for the entire system. The data plane provides

high-speed and non-blocking data channels for service switching between service

modules.

The EH1D200CMU00 consists of the following modules:

Device management module: sends interface control signals for device

management.

Backplane interface module: provides management channels for power modules,

fan modules, and communication channels between the active and standby

EH1D200CMU00 cards.

Note: 2,200W DC and 2,200W AC power supplies cannot be used together in a chassis.

Customer Requirements & Challenges

Wireless network deployed on wired network. Two networks cost a lot and require

two management platforms, plus double workload

Higher QoS requirements with the increase of popular cloud desktop, video

conferencing, and VoIP services

Unified authentication and management for wired and wireless users , user policies

delivered to access devices automatically; no manual configuration


Wired and wireless convergence: converged network for wired and wireless; simple

management and fast forwarding for thousands of Aps

Fine-grained user management: unified authentication and effective policy control

for various terminals in different areas

Advanced network technology: network devices must be programmable, support

SDN, adapt to next-generation development


Increasing requirements for high bandwidth, high reliability, large routing table,

large ARP table, and intelligent O&M in campus network

Schools connect to the education network through VPNs, sharing teaching

information

Wired and wireless networks must be converged to provide wireless coverage in

every classroom

A wide-coverage education network and an education resource and management

platform need to be built to realize interactive class, online lesson requesting, online

discuss, and , e-schoolbag applications. The education MAN is facing challenges of

high bandwidth, high reliability, large routing table, large ARP table, and intelligent

O&M.


Data center: S12700 used as small enterprise's data center; reliability is critical

Virtualized DC: network resource allocation on-demand; network bandwidth, traffic

burst tolerance, and scalability are important

Common data centers: mainly download and access data services; most traffic in a

data center is north-south

S12700 Series Switches Positioning

core switches designed for next-generation campus networks

Huawei AR G3 series enterprise routers (AR G3) are next generation routers dedicated for

enterprise customers. The AR G3 all-in-one router series integrates multiple services

including; routing, switching, 3G, WLAN, voice, and security functions in one device.

These features combine to deliver industry leading performance and extensibility, meeting

customer requirements for a robust, reliable and flexible solution

for enterprise-grade network deployments. Due to strict adherence to industry standards,

the AR G3 router series are easily integrated into existing networks, accelerating multi-

service network deployment while preserving existing network infrastructure investments.

ARs are located between an internal network and a public network. The deployment of

various network services over ARs reduces costs in enterprise network construction and

long-term operation & maintenance (O&M).

AR routers use a multi-core CPU and non-blocking switching structure to provide industry-

leading system performance.

Dual-Mode Fiber/Copper Network, Supporting Wired and Wireless Access

AR routers provide a unified communication solution for enterprise customers. It uses the

Open Service Platform (OSP) to interconnect with third-party IT systems. Customers,

agents, third-party vendors, and manufacturers can develop unified communication

systems.

Enterprise-class voice communication is flexible and efficient because the AR2200 voice

features integrate with data networks.

While delivering enterprise-class network services, AR routers provide robust network

security. The comprehensive security solution includes user access control, packet

detection, and active attack defense.

Intelligent Service Deployment, Simplified Network and Device Management.

Those models with “V” stand for supporting voice, Those models with “W” stand for

supporting WIFI, Those models with “G” stand for supporting 3G upstream. AR2200 series

and AR3200 series support voice function only when equipped with the DSP module.

To provide voice services for POTS users on AR1200, AR2200 , and AR3200 series routers,

4FXS/1FXO board is required.

To provide voice services for ISDN users on AR1200, AR2200 , and AR3200 series routers,

2BST board is required.

The AR150 and AR200 share the same simple logical architecture, which is consist of CPU

and LSW(Switching module).

The CPU is responsible for complex calculation, it is directly connected to the WAN

interface, and to the LSW with a GE bus.

LSW is responsible for forwarding the L2 and L3 Ethernet traffics.

The AR 1200/2200/3200 has more complex logical architecture.

Bus interface is reserved for the pluggable cards on each slot.

Different to the AR150&160&200, the switching fabric is added to AR1200/2200/3200,

which greatly enhances the performance.

In V2R1C00, the SRU40 is installed only on the AR2240, and the SRU80 is installed only on

the AR3260.

In V2R1C01 and later versions, the SRU40 and SRU80 can be installed both on the AR2240

and AR3260.

In V2R3C00and later versions, the SRU40, SRU60 and SRU80 can be installed both on the

AR2240 and AR3260.

The SRU40, SRU60, and SRU80 panels are identical except for having different silkscreen.

The SRU must be installed on the AR2240 and AR3260. You can install one SRU. Two

SRUs can be installed on the router.

Two SIC slots can be combined into one WSIC slot by removing the guide rail.

The two SIC slots and the WSIC slot below them can be combined into one XSIC slot by

removing the guide rail.

Two XSIC slots can be combined into one EXSIC slot by removing the guide rail.

Slots can be combined into one, but one slot cannot be divided into multiple slots.

After two slots are combined into one, the slot ID is the larger one between the original

two slots.

In V200R002C00, a WSIC card can be inserted into an XSIC slot with a special component.

The WSIC card is in the lower side of the slot and uses the XSIC slot ID as its own slot ID.

The AR2201-48FE and AR2202-48FE have no slot for pluggable subcards, so they do not

support subcards.

Slots can be combined into one, but one slot cannot be divided into multiple slots.

The number of the new merged slot equals to the larger one of the former slots’.

1/2: indicates one or two interfaces.

E1: indicates E1 interfaces.

T1: indicates T1 interfaces.

M: indicates multiflex trunks.

PRI: indicate ISDN primary rate interfaces.

VE1: indicates voice E1 interfaces.

1CPOS-155M (1-Port Channelized POS Interface Card):1: indicates one interface. C:

indicates channelized interface. POS: is short for Packet Over SDH/SONET. 155M: indicates

a rate of 155 Mbit/s.

The 3G-HSPA+7 is a 3G access SIC card. It can function as the primary or backup link of an

enterprise to connect to the Internet and transmit voice, video, and data services.

The 3G-EVDO is a CDMA2000 network access module, It is installed in a SIC slot to

provide high-speed wireless data transmission, enabling enterprise users to connect to

CDMA2000 networks.

The 1LTE-L is a wireless high-speed WAN access module, It is installed in a SIC slot to

provide high-speed wireless data transmission, enabling enterprise users to connect to

Long Term Evolution (LTE) networks.

Only a list of USB 3G Modems are supported, you can contact Huawei TAC to get the

latest list.

The 8FE1GE can be installed in the WSIC slots of the AR1200, AR2200, and AR3260. On

the AR1200 and AR2204, two SIC slots are combined into one WSIC slot.

The 24GE can be installed into the XSIC slot on the AR2220, AR2240, and AR3260. On the

AR2220, two WSIC slots are combined into one XSIC slot.

An FXS interface is a simulated subscriber line interface and provides access to AT0 loop

trunk of the analog phone, fax, and telephone exchange.

An FXO interface is a loop trunk interface and provides access to the telephone exchange

by using regular subscriber lines.

The 2BST is the ISDN module on the AR routers and provides two ISDN S/T interfaces,

which transmit voice service.

The 2BST implements the ISDN BRI function and provides the bandwidth of two B

channels and one D channel:

B channel: provides 64 kbit/s bandwidth and transmits voice service.

D channel: is a signaling channel and provides 16 kbit/s bandwidth.

The total bandwidth of two B channels and one D channel is 144 kbit/s.

The S/T interface on the 2BST provides a rate of 192 kbit/s, including 144 kbit/s for data

transmission and 48 kbit/s for maintenance information transmission.

Only power modules of the same power can be used on an AR router.

Powering off the AR router before removing and reinstalling power modules.

To power off an AR router, power off all its power modules.

If a single fan failed, the device will be overheated and its performance is then affected.

When this occurs, replace the entire fan module immediately.

A network cable subtends devices, enables a device to communication with other network

devices, and allows users to locally or remotely maintain the device.

The appearances of the single-mode optical fiber and the multimode optical fiber are the

same, but their colors are different. The single-mode optical fiber is yellow, and the multi-

mode optical fiber is orange.

The optical transmitting module of the multi-transverse mode is connected to the

multimode fiber.

The optical transmitting module of the single-longitudinal mode or multi-longitudinal

mode is connected to the single mode fiber.

E1 trunk cables are classified into 75-ohm unbalanced coaxial cables and 120-ohm

balanced twisted pair cables. The connectors of the cables are as follows:

75-ohm unbalanced coaxial cable (DB9 to BNC):

One end provides a DB9 connector.

The other end provides two BNC connectors.

120-ohm balanced twisted pair cable (DB9 to RJ45):

One end provides a DB9 connector.

The other end provides an RJ45 connector.

A T1 trunk cable is a 100-ohm balanced twisted pair cable. Its appearance is the same as

the appearance of an E1 120-ohm balanced twisted pair cable.

The connectors of a 4G.SHDSL cable are as follows:

An RJ45 connector on the local end

Four RJ11 connector on the network side

A console cable connects the console port of the device to the serial port of an operation

terminal to transmit configuration data. A shielded cable or an unshielded cable can be

used according to the onsite situation.

A console cable connects the device and terminal as follows:

The 8-pin RJ45 connector is inserted into the console port of the device.

The DB9 male connector is connected to an operation terminal, which is usually a PC.

L2 traffics between LAN interfaces are forwarded through LSW.

L3 traffics between LAN interfaces, or between LAN and WAN interfaces are forwarded

through both LSW and CPU.

L2 traffics between LAN interfaces are forwarded through LSW.

L3 traffics between LAN interfaces, or between LAN and WAN interfaces are forwarded

through LSW, switching fabric and CPU.

Ethernet LAN-Ethernet LAN Layer 2 (in a subcard): only through LSW

Ethernet LAN-Ethernet LAN Layer 3 (in a subcard): through LSW and Fabric

Ethernet LAN-fixed Ethernet WAN2 Layer 3 (in a subcard): through LSW, Fabric and CPU

Enterprise-class voice communication is flexible and efficient, as the AR voice features

integrate with data networks.

Basic voice functions are provided by the built-in PBX, SIP server, and SIP access gateway

Value-added voice services include multi-party communication, IVR automatic connection,

ring-backtone, parallel ringing, sequential ringing, one number link you (ONLY), bill

management, and subscriber management.

Intelligent call routing enables exceptional voice service reliability.

The AR routers can be connected with the NGN/IMS/PBX/terminal of major vendors.

The Quality of Experience (QoE) feature monitors voice service quality in real time.

Jitter buffer, echo cancellation, and packet loss compensation combine to deliver a

superior user experience

Only SRU80 with TM card supports Hardware-based QoS, all model can support H - QoS

While delivering enterprise-class network services, the AR router provides robust network

security. Comprehensive security solutions include user access control, packet detection,

and active attack defense.

The built-in firewall is the first line of defense.

Port authentication technologies include 802.1x authentication, MAC address

authentication, and

portal authentication.

User and device authentication methods include RADIUS and HWTACACS.

VPN technologies include IPSec VPN, GRE VPN, DSVPN, L2TP VPN and SSL VPN.

Application:

AR G3 enterprise router can be applied to the enterprise headquarters and branch

egress gateway to provide a cost-efficient, highly reliable, and easy-to-deploy

interconnection solution.

Benefits:

The AR integrates routing, switching, voice, security, and WLAN functions. You need

to deploy only one device at the egress to meet multi-service requirements, which

reduces the TCO and protects investments.

The AR supports high-density voice card 32FXS and high-density Ethernet card 24GE

to connect many voice and data terminals.

The AR provides built-in AC, leading in industry. It provides cost-efficient WLAN

access solution without deploying extra cards.

The AR supports dual SRUs and hot standby, ensuring nonstop service transmission.

The AR G3 routers function as the egress routers of enterprise branches and provide

flexible access methods to support remote network connections.

An AR G3 meets various access requirements, including leased line, Ethernet, xDSL, 3G,

and WLAN. This saves deployment and maintenance costs and provides a large value to

customers.

The 100 Mbit/s Ethernet interfaces of an AR1220V and AR1220W (V2R1C01) support PoE

in compliance with IEEE 802.3af and 802.3at; therefore, the AR1220V and AR1220W

(V2R1C01) can provide power for powered devices (PDs), such as IP phones. An 802.3at

interface provides higher than 30 W power, ensuring power for large-power PDs.

The 8FE1GECombo and 24GE interface cards on the AR2200/AR3200 support inter-card

VLAN switching, spanning trees, link bundling, and Layer 2/Layer 3 data exchange.

The AR G3 provides a built-in PBX supporting the enterprise switchboard, IVR navigation,

and CDR query functions to enhance corporate image and improve enterprise

communication efficiency.

The AR G3 is located in a branch to provide the smart call routing function. When a fault

occurs on the WAN, the PSTN network is used as a backup for calls.

When the SIP server at the headquarters is unreachable, the built-in SIP server of the AR

G3 implements communication between the branch and the PSTN network. This ensures

reliability of voice services.

Note: Only the AR2200/AR3200 (V2R1C01) supports the preceding functions.

The AR G3 provides multiple security access functions such as GRE VPN tunnel and IPSec

VPN tunnel, implementing secure data access and transmission. The AR G3 implements

fast tunnel deployment and authentication for branches. Using a tunnel, partners can

access and share enterprise resources and users are authenticated and authorized.

As the PEs of an MPLS network, the AR G3 routers are located in the branches. Different

types of services are separated by MPLS L3VPN. The AR G3 implements flexible

deployment, fast distribution, and secure transmission of VPN services, and supports

enterprise service operation over networks.

The AR G3 complies with 3G standards including CDMA2000 EV-DO, WCDMA, and TD-

SCDMA, meeting wireless communication requirements between branches and the

headquarters.

Users can use a 3G USB card to deploy 3G services on the AR G3, saving service card slots.

In addition, the 3G data link can be used as a backup for wired link to protect the xDSL,

FE/GE, ISDN, and CPOS uplinks. The backup link improves network stability and reduces

network construction costs.

The AR G3 provides the NQA function to monitor 3G link quality, ensuring the SLA.

Answers:

ABCD

ACDE

Meanwhile, in order that you can study Huawei NE series routers in the round, we attach

some contents of Huawei NE20E-X6 introduction to the end of this course especially.

Huawei NetEngine20E-X6 High-end Service Router(hereinafter referred to as the NE20E-

X6) is a high performance router designed for the following custom, such as finance,

power, government, education, enterprise, carrier and so on by Huawei, in order to meet

the requirement for Carrier HA of carriers and enterprise aggregation and access network.

Huawei HUAWEI NetEngine40E Universal Service Router (hereinafter referred to as the

NE40E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone

networks. The NE40E is positioned as the edge or convergence router on the IP backbone

network.

This is the introduction of NE40E product family. All LPUs can be applied to NE40E-X16,

X8 or X3. The main difference between LPUs is forwarding capability.

The NE40E-X adopts a system architecture as shown in Figure above. In this architecture,

the data plane, management and control plane, and monitoring plane are separated. This

design helps to improve system reliability and facilitates separate upgrade of each plane.

MPU：Main Processing Unit

SFU：Switch Fabric Unit

LPU：Line Processing Unit

The SFU on the NE40E-X16 switches data for the entire system at wire speed of 640 Gbit/s

(320 Gbit/s for the upstream traffic and 320 Gbit/s for the downstream traffic). This

ensures a non-blocking switching network.

The NE40E-X16 has four SFUs working in 3+1 load balancing mode. The entire system

provides a switching capacity at wire speed of 2.56 Tbit/s.

The four SFUs load balance services at the same time. When one SFU is faulty or replaced,

the other three SFUs automatically take over its tasks to ensure normal running of services.

As shown in figure above, the NE40E-X16 backplane is divided into four areas, with each

area having two power inputs. These eight power inputs work in backup mode.

The NE40E-X16 supports either DC or AC power supply.

In a DC power supply system of the NE40E-X16, eight 70 A PEMs work in 4+4 backup

mode.

Figure above shows details on the DC power supply system:

Two -48V power inputs join on the board.

After the low-frequency filtering, the two -48 V power inputs for fans join inside the

fan module.

Each DC power input contains one -48 V power inputs and one RTN inputs. Two

separated RTN inputs join on the board.

The input AC power is converted into regulated DC power by an AC/DC converter. The

resulting DC power output is connected to the PEMs through external cables to supply

power for all boards and fan modules.

Two -48V power inputs are joined on the board.

After the low-frequency filtering, the two -48 V power inputs for fans are joined inside the

fan module.

The NE40E-X16 is divided into the upper chassis and the lower chassis, and draws air from

the front and exhausts air from the rear. The air intake vent on the upper chassis resides

above the board area on the front chassis; the air exhaust vent resides above the board

area on the rear chassis. The lower chassis and the upper chassis are opposites. In

addition, the upper chassis and the lower chassis have separate heat dissipation systems.

The middle area of the chassis is for SFU slots. The air intake vent of this area resides on

the left of the chassis. Two upper SFU slots in the area draw air from the left. When

flowing to the right, the air joins the air from the upper chassis. Two lower SFU slots in the

area draw air from the left. When flowing to the right, the air joins the air from the lower

chassis.

The NE40E-X16 has three air channels:

The upper and lower chassis have separate air channels that draw air from the front

and exhausts air from the rear. The air filters at the air intake vents are vertically

installed. The curved face, large area, and small windage resistance of the air filters

help to improve the heat dissipation efficiency. The two air filters on the upper and

lower chassis are the same.

The air channel in the SFU slot area is located on the left of the chassis. The air filter

adopts front access. The depth of the air filter is the same as that of an SFU and the

height of the air filter is four times the height of the an SFU.

SRU: Switch Router Unit

The SFU on the NE40E-X8 switches data for the entire system at wire speed of 480 Gbit/s

(240 Gbit/s for the upstream traffic and 240 Gbit/s for the downstream traffic). This

ensures a non-blocking switching network.

The NE40E-X8 has three SFUs working in 2+1 load balancing mode. The entire system

provides a switching capacity at wire speed of 1.44 Tbit/s.

The three SFUs load balance services at the same time. When one SFU is faulty or replaced,

the other two SFUs automatically take over its tasks to ensure normal running of services.

As shown in figure above, the NE40E-X8 backplane is divided into two areas, with each

area having two power inputs. These four power inputs work in backup mode.

The NE40E-X8 supports either DC or AC power supply.

In a DC power supply system of the NE40E-X8, four 70 A PEMs work in 2+2 backup mode.

The figure shows details on the DC power supply system:

Two -48 V power inputs join on the board.

After the low-frequency filtering, the two -48 V power inputs for fans join inside the

fan module.

Each DC power input contains one -48 V power input and one RTN input. Two

separated RTN inputs join on the board.

In the case of an AC power supply system, an AC power frame is placed outside the

chassis and installed with rectifier modules based on system power. The AC power frame

is then connected to the input terminals on the DC-PEMs to supply power for the system.

(In short, an external AC power frame is added to the DC power supply system to

constitute an AC power supply system.)

The heat dissipation system is responsible for dissipating heat for the entire system. The

heat generated by boards is dissipated through the heat dissipation system. In this

manner, the temperature of the components on boards are controlled within a normal

range, enabling the boards to work stably.

The heat dissipation system is composed of fan modules (one fan in each fan

module), fan control boards (FCBs), temperature sensors, air filters, air intake and

exhaust vents, and a system air channel.

When a single fan fails, the other fans automatically rotate at full speed. In this case,

the heat dissipation system enables the system to work in a short period of time at

ambient temperature of 40℃.

Temperature sensors, located on the air exhaust vent and boards, are used to

monitor the temperature of the components on boards and adjust the fan speed

through the command delivered by the SRU to control the temperature in a normal

range.

The power modules of the system have two fans of their own for independent heat

dissipation.

As the figure shown above, The NE40E-X8 draws air from the front and exhausts air from

the back. The air intake vent resides above the board area on the front chassis; the air

exhaust vent resides above the board area on the rear chassis.

The two fan modules of the NE40E-X8 are located side by side at the air exhaust vent, with

each module containing one fan. The entire system dissipates heat by drawing air, as

shown in figure above.

With full-mesh architecture, NE40E-X3 does not need a SFU.

Two AC power modules or two DC power modules work in 1+1 backup mode to improve

the reliability of power supply. The figure shows the diagram of the power supply system.

The NE40E-X3 draws in air from the left and exhausts air from the rear. The air intake vent

is located at the left side of the chassis and the air exhaust vent is located at the rear of

the chassis.

The fan module of the NE40E-X3 is located at the air exhaust vent. The system draws in air

for heat dissipation.

The control plane of the NE40E-X16 adopts MPU.

The following USB interface attributes are supported by MPU:

Supports the biggest USB fat32 format, and supports the memory available in the

market.

For security reasons not allowed to write USB storage device .

Updates automatically, insert the USB memory without any operating.

Highlights of the MPU

Two USB ports: supporting version downloading through USB devices and power

supply for USB devices

CF card with mass storage capacity (up to 1 GB)

Compatible with the design of disks

RJ-45/SMB connector: processing Stratum-3 clock and 1588 clock; supporting input

and output of 2MHz/2Mbps/1PPS clock signals

High performance multi-core CPU

The bandwidth of the control bus between the MPU and the LPU is increased to 1

Gbit/s.

Providing two 1G or 2.5G SFP interfaces for future expansion into clusters

The architecture is designed to be compatible with the SFU function on future MPUs.

The control plane of the NE40E is separated from the data plane and the monitoring plane.

The SRU is adopted on the NE40E-X8. The SRU integrates an SFU used for data switching.

The following USB interface attributes are supported by SRU:

Supports the biggest USB fat32 format, and supports the memory available in the

market.

For security reasons not allowed to write USB storage device .

Updates automatically, insert the USB memory without any operating.

Highlights of the SRU

Two USB ports: supporting version downloading through USB devices and power

supply for USB devices

CF card with mass storage capacity (up to 1 GB)

Compatible with the design of disks

RJ-45/SMB connector: processing Stratum-3 clock and 1588 clock; supporting input

and output of 2MHz/2Mbps/1PPS clock signals

High performance multi-core CPU

The bandwidth of the control bus between the SRU and the LPU is increased to 1

Gbit/s.

The MPU of the NE40E-X3 controls and manages the system and switches data. The MPUs

work in 1+1 backup mode. The MPU consists of the main control unit, system clock unit,

synchronous clock unit, and system maintenance unit. The functions of the MPU are

described from the following aspects.

A switching network is a key component of the NE40E and is responsible for switching

data between LPUs.

Switching Board comprises of CPU module, switching module.

Mainly responsible for switching data between LPUs.

NE40E-X16 has four SFUs that work in 3+1 load balancing mode.

NE40E-X8 support 2+1 load balancing mode

Indicators on panel include ACT indicator, RUN indicator and OFL indicator.

Extensive environment monitoring functions

Alarm detection of the smoke sensor :Supports the connection to the smoke sensor

through the panel to detect the alarm signals from the chassis or equipment room.

Detection of the ambient temperature :Supports the connection to the temperature

sensor through the panel to detect the temperature of the chassis or equipment

room.

Access control management :Detects whether access control is enabled through

magnetic inspection and reports the inspection signal to the device. The remote

unlocking function is reserved. You can instruct the CMU to enable or disable access

control through the remote control function.

Device alarm output :The CMU provides two-level alarm output signals.

Main contact point inspection :The CMU can provide six main contact points to

detect signal input and monitor whether the devices outside the chassis work

normally.

One 232 and 485 serial interface :Provides an RS-232 serial interface, which is

connected to the panel. You can use it to query or locate information about the

CMU. In addition, the CMU provides an R-485 serial port, which is connected to the

panel. You can connect an device to this interface. The interface supports full-duplex

mode.

As the Universal Service Router , NE40E-X series routers supply divers interfaces, such as

ethernet, POS, CPOS, E1 and so on.

Boards supplied by NE40E-X for universal service include following types:

LPUF(supply service interface matching corresponding FPIC )

LPUI

LPUS

SPU

Different specifications of the LPU board is mainly reflected in the QoS.

High-Queue LPUF-40：Full-service Flexible Linecard, 512K flow queues, supporting

features such as BRAS, 1588v2 and enhanced QoS, positioned on complicated service

aggregation: BRAS and SR/PE downlink, etc.. V6R3 version will provide new linecards on

LPUF-40, including 8-port 10GE oversubscribed card, 40-port GE electronic card and 4-

port 10G POS card. In addition, 40G enhanced HQoS and BRAS card will be available in

V6R3.

LPUF-40 provides two models: LPUF-40-A and LPUF-40-B

The LPUF-40-A supports all software features

the LPUF-40-B supports all software features except L3VPN, MVPN, and IPv6, and

can be upgraded to support all features of the LPUF-40-A through licenses

100G linecards include two types: High-Queue LPUF-100 and Medium-Queue LPUI-100.

LPUF-100 is Flexible Linecard and provide 512K flow queues, and support flexible

configuration of 10GE, GE, 10G POS and 40G POS. LPUI-100 is Integrated Ethernet

Linecard and provide 256K flow queues, and meet the requirement of different

networking.

100G linecards in V6R3 can provide 8*10GE, 10*10GE, 16*10GE oversubscribed, 96*GE,

8*10G POS, 2*40G POS and 1*100GE. In industry, the interface type of NE40E 100G

linecards is most abundant, and the port density of NE40E 100G linecards is highest.

Note：

Provided using 100G Board, we have to switch SFU board(and SRU board on NE40E-

X8) to another one with 200G, what’more, the 200G SFU board and corresponding

SRU board can’t be used together with 40G SFU, LPUA, LPUB, LPUG at the same

time；

The LPUI-100 can be used only on the NE40E-X16 and NE40E-X8

An SPUC implements the NetStream function and processes tunnel services related to GRE

and NAT and multicast VPNs.

An SPUC does not have any physical interfaces and can be inserted into any LPU slot.

3 running modes of SPUC：NetStream mode, Tunnel mode and NAT mode

NetStream mode

Under the NetStream mode, the SPUC board can implement centralized NetStream

mode.

Meanwhile, the centralized NetStream still applys License(NetStream License for

SPUC), and each SPUC board need one License.

Tunnel mode

Under the Tunnel mode, the following functions can be provided:

Centralized multicast VPN：If running the multicast VPN in SPUC boards, We need

to configurate the same number of MVPN License with SPUC amount.

Tunnel:SPUC board can provide centralized tunnel, including GRE tunnel and 4over6

tunnel currently。If running the tunnel in SPUC boards, We need to configurate the

same number of tunnel License with SPUC amount.

NAT mode

SPUC board support NAT, NAT License must form 1:1 with the SPUC.

GTL:Global Trotter License

The NE40E supports entire HQoS solutions, HUAWE is the only vendor that supports

HQoS, DS-TE and MPLS HQoS, the other vendors support one or two. Thus, HUAWEI can

provide a entire HQoS solution to meet kinds of scenarios of carrier-class services.

The main scenario of NE40E Router: Campus and IDC interconnection, Large branch

access, Key nodes of WAN.

Answers:

ABCD

A

Both IOS and VRP provide command line interface (CLI), and CLI is the main user interface

for both of them.

The Network Migration Tool can also translate H3C Comware commands.

Note:

To simplify the problem description, this course uses Telnet as an example to

describe the related technologies. Telnet and STelnet can be used to log in to the

device. Using Telnet or STelnetv1 has potential security risks. STelnetv2 is

recommended.

Maintenance is not just a technical issue, but also a management issue.

Routine maintenance requires less technical skills to the operators. With predefined

policies and procedures, the operators can perform routine maintenance easily.

The environment or the running condition includes the equipment room, power supply,

heat dissipation, etc. A device can work normally only after the running conditions are

met.

All Huawei Datacom Products (including routers, Ethernet switches and firewalls) use VRP

as the software platform. To maintain Huawei Datacom Products is mainly to maintain the

VRP.

The temperature and humidity requirement may be different for different products. For

example, the AR requires the ambient temperature in the equipment room should range

from 0°C to 40°C, and the ambient humidity in the equipment room should range from

5% RH to 90% RH.

Short-term operation means that the continuous working time does not exceed 48 hours

and the accumulated time per year does not exceed 15 days.

The cleaning of the equipment room or the ambient is closely related to the heat

dissipation of the devices.

Sundries in the equipment room may clog the outlet of the air channel of the device.

Too much dust covered on the air filter will also clog the outlet of the air channel.

Note: Telnet is insecure, Stelnet is suggested.

Sometimes a device needs a license to provide advanced functions. The user need to buy

the right license and active it on the device. And some of the license is time limited, so we

need to care about the license state.

Different devices use different local storage, and the prompts are different too.

For the dual MPU equipment, it is necessary to check both the master and the

backup MPU.

The display version command displays the version of the device.

The VRP version

The product version

The product model name

Uptime of the device or board

Other information


Note: there is no command for NE routers to display resetting information, because of its

complicated structure. If there is unexpected resetting occurs on NE routers, please

contact professional personnel to handle.

There are chapters in the product documentation to describe the alarms, logs and traps in

detail.

It is recommended to use a NMS (such as Huawei eSight) to gather the alarms, logs and

traps. A NMS will make the information gathering and analyzing easy.

The display reset-reason command displays the reason for board reset. It is used on the

devices that support modular cards.

Above is an example on S9706. We can see that Slot 5 has reset only once, Slot 5 has

reset 967 times. And we can see the reset reason.


The above commands applies to Ethernet or Gigabitethernet interface. Please refer to AR

or NE documentations for WAN interfaces (such as POS, E1…) maintenance commands.

The display interface brief command displays brief information about interfaces, including

the physical status, link layer protocol status, inbound and outbound bandwidth usage

within a certain period, and numbers of sent and received error packets. This information

helps locate faults on interfaces.

The check item of services are related to what services the network is providing.

The following just lists the commonly used items.


Why need to log all the information displayed?

Too much is displayed in one window, difficult to analyze. For example, if you use

the display logbuffer command to display the log buffer, there may be hundreds of

lines of information displayed. It is very difficult to lookup and analyze.

It is difficult to find key information in a terminal program. Many of the programs do

not provide search functions.

If you need help from others, you need to send some information to him or her. All

you typed in and all that displayed in the CLI is the best raw information.

In many organizations, what the operators did should be saved for auditing.

Therefore, logging all information displayed in the CLI is a good habit in maintenance.

The above shows the commonly used terminal programs SecureCRT and Hyper Terminal.

Both of them support to capture the information in a text file.

Answers:

ABC

C

Security statement：

For brief analysis, the course uses FTP as an example to describe corresponding

technologies. The device supports file transfer using FTP, TFTP and SFTP. FTP, TFTP,

and SFTPv1 have security risks, so SFTPv2 is recommended.

If you are a maintenance engineer, read the following precautions before doing your

work:

Check whether the fault is an emergency fault. If so, use the pre-defined

troubleshooting methods to recover the faulty module immediately and then restore

services.

Strictly conform to operation rules and industrial safety standards, ensuring

personnel and device safety.

Take electrostatic discharge (ESD) measures and wear an ESD wrist strap when

replacing or maintaining devices.

Record original information in detail when any problem arises during

troubleshooting.

Make records when performing important operations such as restarting the device

or erasing the database. Before performing important operations, confirm the

operation feasibility, back up data, and prepare emergency and security measures.

Only qualified personnel can perform important operations.

Some faults cause resource or money loss for customers, so maintenance engineers should

focus on how to prevent faults and quickly rectify faults. Backing up key data helps you

quickly locate and rectify faults. Back up key data as soon as possible when the network

runs properly.

The principle of troubleshooting is to locate and rectify a fault.

Generally, the troubleshooting process includes observing fault symptoms, collecting

information, analyzing problems, and locating the root cause. All possible causes of a fault

can be grouped into multiple cause sets, which helps you rectify faults.

The fault symptoms are different, but the root causes are technical issues.

For example, a user cannot access the Internet. Ping the gateway from the PC. The ping

operation fails. That is, a PC can not connect to its gateway.

If you have trouble locating the fault, collect fault information and send the information to

Huawei or Huawei agent for fault analysis.

Collect the following information:

Fault occurrence time, network topology (for example, location of the faulty device

on the network, and upstream and downstream devices connected to the faulty

device), operations triggering the fault, measures that you have taken and results,

symptom and influence of the fault (for example, on which ports services are

affected).

Name, version, current configurations, interfaces of the faulty device. For the

method of obtaining these information, see Collecting Diagnostic

Information and Common display Commands.

Logs generated when the fault occurs. For the method of obtaining the log

information, see Obtaining Logs and Alarms.

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/dc_s_troubleshooting_info_0003.html

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/dc_s_troubleshooting_cli_0005.html

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/dc_s_troubleshooting_info_0004.html

Executing this command requires a long time. You can press Ctrl+C to pause diagnosis

information display on screen.

It is recommended to save the information to a text file, and then transfer it to a PC

using FTP/TFTP.

When a large amount of diagnostic information is displayed, the CPU usage may be high

in a short period.

Therefore, do not use this command when the system is running properly. Running

the display diagnostic-information command simultaneously on multiple terminals

connected to the device is prohibited. This is because CPU usage of the device may

obviously increase and the device performance may be degraded.

When a device is faulty, collect logs and alarms on the device immediately. These logs and

alarms help you know what happened during device operation and where the fault

occurred.

Logs, including user logs and diagnostic logs, record user operations, system faults, and

system security.

The equipments supporting log file will periodically save files on the local storage device.

Taking Sx7 Chassis switches as an example: By default, the switch records all logs and

alarms in log files and saves log files in the logfile folder. The file name is *.log or *.dblg,

and the default file size is 8 MB. When the size of a log file exceeds 8 MB, the system

compresses the log file into a zip file and names the compressed file saving time.log.zip

or saving time.dblg.zip, for example, 2013-06-03.19-49-37.log.zip and 2013-09-11.10-54-

52.dblg.zip. The system then records logs and alarms in a new log file.

80% network faults are caused by simple reasons, for example, cable failures and incorrect

configurations.

Analyze problems from simple to complex. In the OSI model, analyze problems from the

physical layer first. Then analyze the data link layer and network layer.

If no fault occurs at the network layer, the transport layer will work properly. TCP/IP has

been running for dozens of years and is mature. Most application faults are caused by

application software.

Problem analysis depends on our knowledge and experience to some degree. Having a

good understanding of network protocols helps rapidly analyze and locate network faults.

Note: Before performing any operation, ensure that the operation has the minimal impact

on network services.

Highlights of HedEx

Supports quick, accurate, and comprehensive search.

Centrally manages Huawei product documents.

Convenient annotation function.

Convenient document feedback function.

Automatically recommends product documents.

One-click login to Huawei Support Website for Carriers or Enterprises.

Easy to manage various applications by Huawei.

Simple. Easy to use and no installation is required.

Knowledge base is where you learn and share experience. A large collection of cases and

technical articles is available. You are more than welcome to submit your own article to

share with others.

There are abundant cases to help you solve common issues and complete

installation or maintenance tasks quickly.

Support-E boasts Chinese and English technical communities, including many specialized

forums. Personal space is also supported.

All registered users can browse the forums and comments. Huawei engineers are

there to give you a real-time response.

When seeking for technical assistance, we must analyze the trouble first. Because we are

on site, we are the ones who are the most familiar with the troubles.

If we contact others for help without our own analysis, we can not provide enough

information at once, time may be wasted for gathering information again and again.

If we contact others for help after gathering enough information and necessary analysis,

we can provide enough information at once, and time will be saved.

For different region, Huawei provides different hotline telephone number or Email, you can

find the details at the following web page: Home page > Contact Us > Aftersale Support

http://support.huawei.com/enterprise/NewsReadAction.action?contentId=NEWS100

0000563

If a network fault occurs after a configuration operation, it does not mean that the fault is

caused by the configuration.

Analyzing the problem and finding out the root cause must be done before deciding

whether to recover the configuration.

The compare configuration compares whether the current configurations are identical with

the next startup configuration file.

Note: only the first different will be displayed each time. You need to run it several

times to make sure there is no difference between the running and the saved

configuration.

The configuration can be recovered only when there is the backup configuration file, so

back up the configuration before any configuration modification.

Answers:

ABCD

ABCD

The hardware is the foundation of a device. The basis functions of a device are determined

by its hardware. But the device’s hardware features cannot be manifested without its

software.

When designing a product, venders often choose the more advanced hardware

architecture, and then keep updating the software to improve and optimize the products

features.

Products manufactured years ago might not support IPv6, but most of them can support

IPv6 by upgrading the system software to a updated version.

The new software version will be compatible with older hardware, but the new hardware

is generally not compatible with the old software version.

This course only introduce Online upgrade, Installing Software Patch and Using the

BootRom

Before the software upgrade, necessary preparations must be done.

First of all, Assess the feasibility of the upgrade, confirm that the upgrade is

necessary.

Then, Obtain version software and related documents through official channels.

Then, Work out an upgrade scheme, including the rollback scheme.

At last, the upgrade can be put into operation.

For the stability of business, if not necessary, software upgrade is not recommended.

A variety of risks exist during upgrading, be sure to do full assessment and risk aversion

preparation.

Upgrading the running device may affect business, the operability is not only confined in a

technical level.

Huawei official website: http://enterprise.huawei.com

Huawei Technologies Support Center: 400-822-9999

Both technology and business are considered to risk assessment. And the risk control

measures are also considered.

If you can not circumvent the risk, you should seek product support, and should not risk

operating.

The operability of the upgrade is weather the upgrade is operable when technical

conditions are satisfied.

Various factors are considered to assess the operability of the upgrade: the user's business,

operations personnel, maintenance habits, the operator's level of technology, technical

support, and etc.

You can find the version software on Huawei enterprise website: software>enterprise

networking. A set of release documentations will be provided for every software (including

patch). Generally, they are:

Upgrade guide. Generally, the upgrade steps are similar for all Huawei Datacom

products, but there may be some exceptions. Read the upgrade guide before

upgrading carefully.

Command, alarm and MIB delta information, which describes the changes in

command, alarm and MIB.

Feature delta information, which describes the changes of the product features.

Release notes, which describes the compatibility and the unreserved issues.

When analyzing the risks of upgrade, the command, alarm and MIB delta information, the

feature delta information and the release notes should be read.

Upgrade time and the operating window

Upgrade time arrangement is determined by the urgency of the problem, under

non-emergency circumstances, enough time should be set aside for full preparation;

The operating window is determined by the user business interruption time that is

tolerable, the time must be greater than the upgrade operation time, and a certain

amount of troubleshooting time should be considered.

Objects to be upgraded and the upgrade method

How many devices should be upgraded? Where are they located? What the version

are they are currently running? Is this version can be upgraded to the new version

directly? Can we operate remotely or locally? ...

The choice of upgrade method is closely related to the upgrade objects.

Closely related to the choice of upgrade and the upgrade object. Generally, we use

the online upgrade of the command line.

The upgrade operator and technical support

Who will execute the upgrade operation? Is this operator prepared with technical

skills and experience?

Assess the associated risks of the upgrade, contact the technical support staff in

advance, if necessary, set up a technical group for the upgrade.

Verification Method

The verification contains two aspects: before and after the upgrade:

Before the upgrade, make sure what the exact problem is and no other problems

exist.

After the upgrade, make sure that the exact problem is solved and no new problem is

introduced.

Rollback Scheme

The risks must be fully considered, once the upgrade did not achieve the desired

goal, the rollback scheme should be applied.

The rollback and upgrade operation steps are roughly the same, just set the startup

version to the old.

Backing up the configuration and license

Configuration file, license file, and some other files need to be backed up.

Some kind of device is lack of storage space, they can only keep one version

software. Before we delete the old version file, we’d better backup the old file to a

PC.

Uploading new version files to the device

Files can be transfer to the device via FTP, TFTP or a USB drive.

If the old configuration is not compatible with the new version software, a

compatible new configuration should be transferred as well.

Specifying the next startup system software

Use command “startup system-software” to specify the next startup system

software.

(Optional) Use command “startup saved-configuration” to specify the next startup

configuration.

Restarting the device

Use command “reboot” to restart the device.

The restart of the device will cause business interrupt, ask the business owner for a

confirmation of permission before “reboot”.

Verifying the upgrade

Check if the software version is updated.

Check if the problem is solved.

This course takes S3700 switch as an example to introduce the steps of upgrade using CLI.

First, save current configuration to the device.

In this example, we use the device as the ftp client. The device has been configured to

communicate with the ftp server normally. And the ftp server has user/password

configured, provides the related files.

Use binary mode to transfer files, or errors may occur.

Use command “get” to download the version files from the ftp server.(upload for the PC’s

view)

You can rename the file when “get” the file.

When a new system software is specified to be the startup file, the device will

automatically prompt “will the BootRom be upgrade?”. Generally, we choose yes to

upgrade the BootRom immediately, or the BootRom will be upgraded when the device

start next time.

If a new configuration is needed, Use command “startup saved-configuration” to specify

the next startup configuration.

Use command “reboot” to restart the device. The device will prompt to save the

configuration. Choose “Y” to save the current configuration, or “N” to keep the old.

Notice: Ask for a permission before restart the device.

After the device restarted, use command “display version” to check if the device is running

the new software version.

At the same time, check if the problem has been solved and no new problem is

introduced.

Checking the Installing Environment

Generally, a hot patch is developed based on a specific basic version. Before

installing a patch, make sure the device is running the specific version, or errors may

occur.

Uploading the Patch File

The file can be transferred via ftp or tftp.

Loading the Patch File

Use command to load the patch file.

Verifying the Installation

After installation, please check if the patch works right.

And make sure the problem has been solved.

Some patches are developed based on another patch, so check the patch information as

well as the basic version.

Use command “patch delete all” to delete the patch that not needed.

In this example, we use the device as the ftp client, and the PC as the ftp server. Use

command “get” on the device to download the patch file.

Notice: Use binary mode to transfer files.

Use command “patch load”, you can activate a patch in the one-click mode. That is, load,

activate, and run a patch.

Use command “display patch-information” to query the patch’s working status.

At the same time, check if the problem has been solved.

The BootRom menu is the most basic operation options of a device, as the BIOS of a PC.

We use the BootRom to upgrade often because that the device has been unable to start

properly. At this time, the business has been interrupted, and we do not have to concern

more about the business.

Entering the BootRom menu

At the beginning of the device’s starting, the Console CLI will prompt: “Press Ctrl+B

to enter the BootRom menu”

Configuring network parameters

Some basic network parameters can be configured using the BootRom menu, so the

device can connect to the ftp or tftp server to transfer files.

A variety of methods can be used to transfer files: Xmodem(Console), FTP, or TFTP.

Considering the transfer speed, we generally choose FTP or TFTP.

Uploading the version file

Upload the version file to the device with the method chosen.

Rebooting the device

Select the reboot option in the menu.

Verifying the upgrade

Check the version number.

Check the business.

At the beginning of the device’s starting, the Console CLI will prompt: “Press Ctrl+B to

enter the BootRom menu”.

Press Ctrl+B before the countdown timer expires, and then enter the password. Different

devices may have different passwords. The default password of S3700 switch is “huawei”.

Follow the menu options to modify network parameters. In this example, we choose ftp as

the transfer protocol.

If the device has a management Ethernet port, then use this port for transfer, if not, use a

simple Ethernet port. In this example, we use Ethernet 1/0/1.

The device must connect to the server first, and the server must be configured in advance.

On the other hand, there must be enough storage space for the new version files on the

device.

You can enter the Filesystem Submenu(the 5th option of the main menu)to operate

the files on the device.

FILESYSTEM SUBMENU

1. Erase Flash

2. Format flash

3. Delete file from Flash

4. Rename file from Flash

5. Display Flash files

6. Return to main menu

It is recommended to display files first, and then decide which file should be deleted.

It is not recommended to erase or format the storage device.

Different devices may use different storage media, maybe a flash, maybe a CF card.

Setting up the startup parameters

The boot device

The startup system software

The configuration file

The patches

And so on

Rebooting the device

The device will not reboot automatically, we must reboot the device under the main

menu.

Remember to check version information and the business status after upgrade.

Answers:

ABCD

C

Note:




recommended.

To simplify the problem description, this course uses FTP as an example to describe

the related technologies. The device can transfer files through FTP, TFTP, and

SFTPv1. Using FTP and TFTP or SFTPv1 has potential security risks. SFTPv2 is

recommended.

The software upgrade is used to revise bugs of devices, and expand the capacity and

features.

On most networks, upgrading system software of a device requires the device to restart.

The device restart interrupts service operation and traffic forwarding. Setting up multiple

equal-cost paths can relieve the impact of system software upgrade on services. Services

can be switched to the backup paths during an upgrade. This method requires the

network configuration to be modified, which increases error probability and upgrade time.

In addition, traffic may concentrate on one path after traffic switching and then be

interrupted due to congestion.

For the S series chassis switches, the traditional upgrade always requires a complete

reboot, which brings 15 to 25 minutes of service interruption. While, the ISSU can reduce

the interruption time to 2 minutes.

ISSU is a mechanism that reduces service forwarding interruption time when the system

software is being upgraded or rolled back. This mechanism reduces the traffic interruption

time and improves service reliability during system software upgrade.

On hardware, ISSU requires 2 MPUs (or SRUs) on the device.

On software, not all version support ISSU, you need to check the product documentation

to confirm whether the device support.

There are some differences between product series, and this course discusses ISSU feature

on S series chassis switches.

The system checks whether ISSU conditions are met. Two ISSU modes are available, but

currently, lossy ISSU is supported.

If one of the LPUs does not support ISSU, it will be marked as fast-reboot (then reboots

automatically or manually), the ISSU will continue.

As shown above, ISSU on switches goes through four phases:

ISSU check: The system checks whether ISSU conditions are met and restarts the

standby MPU using the new system software.

ISSU start: The system backs up data between the master MPU and standby MPU.

ISSU switchover: The standby MPU becomes the new master MPU.

ISSU confirm: The old master MPU restarts using the new system software and

becomes the new standby MPU after the restart.

Before the ISSU confirm phase, you can use the ISSU abort function to abort ISSU and roll

back the system to the old version.

ISSU provides the version rollback mechanism to allow the system to return to the old

version. This mechanism reduces version upgrade risks.

The uploading configuration user FTP is omitted in this course.

NOTE: when the software file is uploaded on the master MPU, it must be copied to the

backup MPU.

The issu precheck command enables the system to perform in-service software upgrade

(ISSU) precheck. This helps determine whether ISSU can be performed.

Before an ISSU upgrade, run this command to perform an ISSU precheck and

determine whether the current system resources (software version, number of VTY

users, and memory space on the cards) and card type support ISSU. If the current

software version does not support ISSU or there are more than one VTY user in the

system, the system stops the precheck and the ISSUupgrade cannot be performed. If

an SPU or WAN card is used or a card does not have sufficient memory space, this

card does not respond to the ISSU instructions and must be upgraded by resetting

it.

The ISSU precheck hardly affect system operation and can be performed at any time

except in an ISSU process.

Different from issu check, the issu precheck command only checks whether the current

system resources and card type support ISSU. The displayed upgrade type in the check

resource may not be the final upgrade type used on the cards. The final upgrade type will

be displayed in the check result after you run the issu check command.

The issu timer rollback command sets the ISSU rollback timer value. The default value is

120 minutes.

After the system enters the ISSU check phase, the ISSU rollback timer is automatically

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/issu_check.html


activated. If the timer expires in different situations, the system uses different processing

methods:

If the timer expires before the standby MPU restarts using the new version, the

system considers that you abort ISSU and exits ISSU.

If the timer expires after the standby MPU restarts using the new version and before

the ISSU plane is successfully switched, the system considers that you abort ISSU, the

standby MPU rolls back to the old version, and then the system aborts ISSU.

If the timer expires after the ISSU plane is successfully switched, the system extends

the upgrade time and considers that ISSU is successful by default.

Before the ISSU plane is switched, you can run the issu timer rollback command to reset

the ISSU rollback timer value. In ISSU confirm phase, if ISSU is confirmed successful, the

ISSU rollback timer is automatically disabled.

The issu check command enables the system to enter the ISSU phase and perform ISSU

check. The ISSU check affects the system in the following aspects:

The standby MPU restarts using the new version and becomes the new master MPU.

Entering the system view is prohibited.

The ISSU rollback timer is activated. You can adjust the ISSU rollback timer value

during ISSU. If the timer expires before ISSU is complete, ISSU may fail and then the

system will roll back to the old version.

Before the ISSU check phase ends, you can press Ctrl+C to abort ISSU. Then the system

continues ISSU check until ISSU check finishes. You cannot continue ISSU but only run

the issu abort command to exit ISSU.

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/issu_abort.html

The issu start command starts ISSU. The issu check command must be used to enable

the system to perform ISSU check before using the issu start command.

After the system starts ISSU, you can press Ctrl+C to abort ISSU. Then the system aborts

ISSU. You cannot continue to switch the ISSU plane but only run the issu abort command

to exit ISSU.


http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/issu_abort.html

The issu switchover command configures the system to switch the ISSU plane.

The ISSU plane switchover will interrupt a Telnet connection for 30s. Wait for 30s and

then press Enter to re-log in to the device for ISSU.

After you run the issu confirm command to confirm ISSU and restart the old master MPU

using the new version, check the status of the master MPU and standby MPU again. Then

you can find that the new master MPU is in Master state because the hardware switchover

has completed.

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/issu_confirm.html

The issu confirm command confirms ISSU after the ISSU plane is successfully switched so

that the old master MPU restarts using the new version. The issu switchover command

must have been used to switch the ISSU plane. After the issu confirm command is

executed, the new system software is specified as the software for the next startup. The

ISSU is complete.

NOTE: the commands above are executed on the new master MPU (the former backup

MPU).

http://support.huawei.com/ehedex/pages/DOC100002143431187093/03/DOC100002143431187093/03/resources/dc/issu_switchover.html

Answers:

ABC

ABC

Confidentiality

Confidentiality is to prevent the disclosure of information to unauthorized individuals

or systems.

Integrity

Integrity means that data cannot be modified undetectably.

Availability

Availability means that the information must be available when it is needed. High

availability systems aim to remain available at all times, preventing service

disruptions due to power outages, hardware failures, and system upgrades. Ensuring

availability also involves preventing denial-of-service attacks.

Controllability

Controllability refers to the implementation of information and information systems

security monitoring and management, to prevent the illegal use of information and

information systems

Non-Repudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It

also implies that one party of a transaction cannot deny having received a

transaction nor can the other party deny having sent a transaction.

Electronic commerce uses technology such as digital signatures and public key

encryption to establish authenticity and non-repudiation.

Information Security and Network Security are seemingly the same, but they different in

reality.

The differences are:

From the perspective of the ultimate goal:

Information Security: The protection of confidentiality, integrity, availability,

controllability, and Non-repudiation of the information in transmission, storage and

use.

Network Security: The protection of network resources that support the

transmission, storage and use of information, including devices and cables.

From the perspective of the content:

Information security not only includes network security, but also includes computer

system security, application security, and a variety of security management

(personnel, technology, operations management).

Information Security is a very large system, and Network Security is only a part of it.

The security feature of network devices is a part of network security.

Different devices from different vendors may share the same security features like AAA

and 802.1X, or each may has its own security features, like local attack defense features.

This course mainly introduces the unique security features of Huawei devices, including

ACL, Traffic Suppression, Local Attack Defense, and IP Address Spoofing.

ACLs are used to identify the packets that need to be filtered. After identifying the

packets, the ACL permits or denies the passage of the packets based on a certain policy

created by the set of rules.

ACLs configured on a devece can be referenced by function modules, such as the Policy-

based routing (PBR), route filtering, QoS, device security, firewall, and IPSec modules.

Different devices may support different types of ACL, but most of them support Basic ACL,

Advanced ACL and Layer 2 ACL, and the range of number is the same.

In addition to the classification above, ACLs can also be classified to ACL4 and ACL6, by IP

version. Or numbered ACL and named ACL by Naming mode.

An ACL can consist of multiple deny and permit statements. Each statement describes a

rule. These rules may overlap, that is, one rule contains another rule but the two rules are

not completely the same. The matching order of ACL rules determines the priorities of ACL

rules to be matched with a packet.

The automatic order works more complicated.

Basic ACL4 rules

The rule that defines the smallest source IP address range is matched first. A greater

number of 0 bits in the wildcard mask indicates a smaller source IP address range.

The rule that is configured first is matched first if the source IP address ranges are

the same.

Advanced ACL4 rules

The rule that defines the protocol type is matched first.

The rule that defines the smallest source IP address range is matched first if the

protocol types are the same. A greater number of 0 bits in the wildcard mask

indicates a smaller source IP address range.

The rule that defines the smallest destination IP address range is matched first if the

protocol types and source IP address ranges are the same. A greater number of 0

bits in the wildcard mask indicates a smaller destination IP address range.

The rule that defines the smallest Layer 4 port number (TCP/UDP port number) range

is matched first if the protocol types, source IP address ranges, and destination IP

address ranges are the same.

The rule that is configured first is matched first if the preceding ranges are the same.

Layer 2 ACL rules:

The rule that defines the smallest source MAC address range is matched first. A

greater number of 1 bits in the mask indicates a smaller source MAC address range.

The rule that defines the smallest destination MAC address range is matched first if

the source MAC address ranges are the same. A greater number of 1 bits in the mask

indicates a smaller destination MAC address range.

The rule that is configured first is matched first if the source and destination MAC

address ranges are the same.

If the number of a named ACL is not specified, the device automatically allocates a number

to the named ACL. The following situations are involved:

If only the type of a named ACL is specified, the number of the named ACL allocated

by the device is the maximum value of the named ACL of the type.

If the number and the type of a named ACL are not specified, the device considers

the named ACL as the advanced ACL and allocates the maximum value to the

named ACL.

The device does not allocate the number to a named ACL repeatedly.

Rule-id can be specified manually by user or automatically by the device. If the rule ID is

not specified, the device allocates an ID to the new rule. The rule IDs are sorted in

ascending order. The device automatically allocates IDs according to the step. The step

value is set by using the step command. The default step value is 5. With this step value,

the device creates ACL rules with IDs being 5, 10, 15, and so on. This parameter is valid

only when ACL rules are matched in configuration mode.

Time-range is a user-defined parameter that limits the time that the rules take effect.

Many parameters can be configured under the advanced ACL view, protocol(IP, TCP, UDP,

ICMP……), port number, flags and etc. Refer the product manual for detail.

Compared to basic ACL and advanced ACLs, Layer 2 ACL and user-defined ACL less use,

but they can meet the application requirements under certain conditions. User-defined

ACL also enhance the flexibility of the device.

The course only introduces how to configure ACL for packet-filter.

There are two segments of network, and the interoperability of the devices has been

verified. The configuration requirements are:

Hosts 192.168.10.2~7 can access Internet, and can not be access by the hosts in

192.168.20.0/24 segment;

All the hosts in 192.168.10.0/24 segment can not access Internet, except

192.168.10.2~7, all hosts can access 192.168.20.0/24 segment;

All the hosts in 192.168.20.0/24 segment can not access Internet.

Different devices may have different ways to filer packet, but ACL will be applied to all.

The Sx7 Switches provide “traffic-filter” command to refer ACL directly.

The AR G3 routers apply ACL between different security domains.

Switches and routers apply ACL to define traffic-classifiers, and bind them to permit

or deny behaviors.

Using the traffic-filter command, you can configure packet filtering based on the ACL

rule.

The traffic-filter command can be used globally, under the VLAN view, or under the

interface view, but only the inbound direction can be configured.

When a Layer 2 Ethernet interface on the device receives broadcast packets, multicast

packets, or unknown unicast packets it forwards these packets to other Layer 2 Ethernet

interfaces in the same VLAN. If there are a large number of such packets, the interface

bandwidth is used and performance of the device is diminished. To resolve the problem,

suppress these packets to ensure that the rate of these packets stays within the desired

range.

Generally, LAN switches support traffic suppression, and routers support traffic

suppression only when a LAN module is applied.

In addition to traffic suppression, the Sx7 switches also support storm control functions.

The commands above can be configured under the interface view or VLAN view, different

parameters can be carried depending on the different product models and views.

For example, the AR G3 routers only support suppression based on packet rate, but the

Sx7 switches also support suppression based on the percentage of interface bandwidth.

And the S7700 switch can refer the CAR template to suppress under the VLAN view.

If the value of min-rate-value is specified, the interface enter the forwarding state when

the rate of receiving packets on the interface is smaller than the value of min-rate-value in

the interval for detecting storms.

If the value of max-rate-value is specified, storm control is performed on an interface

when the rate of receiving packets on the interface is greater than the value of max-rate-

value in the interval for detecting storms.

Block means the interface will block packets, and shutdown means the interface will

shutdown the interface, and when the interface is shut down, it can only be enabled

manually.

Using the storm-control enable command, you can enable the function of recording logs

or reporting traps during storm control.

By default, the interval for detecting storms is 5s.

For security concerns, configure traffic suppression on VLAN 10 and VLAN 20, configure

storm-control on Ethernet 0/0/48 of SWA.

Suppress broadcast traffic in VLAN 10 in 1000kbps.

Control multicast traffic in 10000pps on Ethernet 0/0/48, when the multicast exceed

10000pps, block the interface. The interface restores the normal forwarding state

when the traffic falls below the lower threshold, set as 1000pps.

The detecting interval is 10 seconds.

Enable storm-control logs.

Notice: Traffic Suppression and Storm-Control can not be configured under the same view.

Use display flow-suppression interface command to view the configuration of the

specified interface where traffic suppression is enabled.

Use display storm-control command to view the configuration of the specified interface

where storm-control is enabled.

With the development and wide application of the network, users poses higher

requirement for security of the network and network devices. On the network, a large

number of packets including the malicious attack packets are sent to the Central

Processing Unit (CPU). These packets cause high CPU usage, degrade the system

performance, and affect service provisioning. The malicious packets that aim at attacking

the CPU busy the CPU in processing the attack packets during a long period. Therefore,

other normal services are interrupted and even the system fails.

To protect the CPU and enable the CPU to process and respond to normal services, the

packets to be sent to the CPU need to be limited. For example, filtering and classifying

packets to be sent to the CPU, limiting the number of such packets and their rate, and

setting the priority of such packets. Packets that do not conform to certain rules are

directly discarded to ensure that the CPU can process normal services.

The local attack defense feature of the device is specially designed for packets directing at

the CPU and mainly used to protect the device from attacks and ensure that the existing

services run normally upon attacks.

The device supports four-level security mechanisms to ensure security:

Level 1: The device filters invalid packets sent to the CPU by using blacklists.

Level 2: The device limits the rate of packets sent to the CPU based on the protocol

type to prevent excess packets of a protocol from being sent to the CPU.

Level 3: The device schedules packets sent to the CPU based on the protocol priority

to ensure that packets with higher protocol priorities are processed first.

Level 4: The device uniformly limits the rate of packets and randomly discards the

packets that exceed the rate limit to protect the CPU.

Attack Source Tracing contains four phases:

Analyze packets based on users and ports. Users are identified by MAC addresses;

ports are identified by physical port numbers and VLAN IDs (including inner VLAN

IDs).

Count the number of received packets based on protocols and MAC addresses (or

port information).

When the number of packets exceeds the threshold, the system considers that an

attack occurs.

When detecting an attack, the system reports a log and a trap, or carries out

Punishment. The current Punishment action is Deny.

Different device may support different features, refer product manuals for detail.

Configure Local Attack Defense on SWA:

Users on 192.168.10.0/24 often attack the network and are added to the blacklist.

In this manner, they cannot access the network.

Set the CAR for sending ARP Request packets to the CPU to prevent attacks of ARP

Request packets.

Set the CIR for sending FTP packets to the CPU when FTP connections are set up.

To complete the configuration, the following data is needed:

Name of the attack defense policy: test1;

IDs of the blacklist: 1;

ACL rule and number: 2001;

Rate of sending ARP Requests packets to the CPU: 128kbps;

Rate limit of sending FTP packets to the CPU when FTP connection is set up:

128kbps.

Using the cpu-defend policy command, you can create an attack defense policy and

enter the attack defense policy view.

Using the blacklist command, you can configure an ACL-based blacklist.

Using the car command, you can set the rate of sending packets to the CPU.

Using the linkup-car command, you can set the CIR and CBS to limit the rate of protocol

packets after a protocol connection is set up.

Using the cpu-defend-policy command, you can enable the attack defense policy.

Using the display cpu-defend configuration command, you can view the CAR

configuration.

Using the display cpu-defend-policy command, you can view information about the

attack defense policy.

As shown above, if Attacker fakes User’s IP address to access networks, then User can not

normally access the networks, or the data sent to User may be received by Attacker.

If Attacker query SWA with a source IP of RTA or Internet, SWA will continue to response

to the request that does not exist, and network resources are wasted.

To defend against such an attack, Huawei device provides IP source guard and Unicast

Reverse Path Forwarding (URPF).

Before the device forwards an IP packet, it compares the source IP address, source MAC

address, interface number, and VLAN ID in the IP packet with entries in the binding table.

If a binding entry is matched, the device considers the IP packet as a valid packet and

forwards the IP packet. Otherwise, the device considers the IP packet as an attack packet

and discards the IP packet.

As shown above, SWA bind User’s IP address, MAC address and Access port, if all the

items in the binding table match, then the switch forward the packet. If Attacker fakes IP

address or MAC address or both, it can access networks neither.

Before a packet is forwarded, URPF obtains the source address and inbound interface of

the packet. URPF then compares the retrieved interface with the inbound interface. If they

mismatch, URPF considers the source address as a spoofing address and discards the

packet. This allows URPF to effectively protect a device against malicious attacks by

blocking packets from bogus source addresses.

As shown above, URPF is enabled on SWA. Attacker requests SWA with a fake sources

address 100.99.98.97, SWA will check the routing table for the address 100.99.98.97,

and find it is mismatch the interface which receives the packet, and SWA will discard the

packets.

IP Source Trail is a function added to IP source guard. When the host is under attack,

configure IP Source Trail on the device connected to the host, then the attack source can

be traced.

The device supports the following types of URPF check modes:

Strict check: Packets can pass the check only when the FIB table of the device has a

corresponding routing entry with the destination address being the source address

of the packet and the inbound interface of the packets matches the outbound

interface in the routing entry. Unmatched packets are discarded.

Loose check: A packet can pass the check as long as the FIB table of the device has

a routing entry with the destination address being the source address of the packet.

Different device support different features, refer the product manuals for detail.

All hosts connect to SWA obtains IP address by DHCP, except PC1;

PC1’IP address is: 192.168.10.2/24, MAC address is 1-1-1;

Configure IP Source Guard on SWA, apply static bind check to PC1, and dynamic check of

DHCP-Snooping for the others.

The IP address, MAC address and interface are all included in the binding table.

Monitor Ethernet 0/0/1, alarm when over the thresholds 50.

For large amount of hosts, we preferred to configure IP Source Guard on VLANs, which

reduces lots of command scripts.

Using the ip source check user-bind enable command, you can enable the IP source

guard function on an interface or in a VLAN to check the received IP packets.

Using the ip source check user-bind check-item command, you can configure the items

to be checked in IP packet checking.

Under interface view, IP address, MAC address and VLAN are checked by default.

Under VLAN view, IP address, MAC address and interface are checked by default.

Using the user-bind static command, you can configure a static user binding entry.

Using the ip source check user-bind alarm enable command, you can enable the alarm

function for checking the received IP packets.

Using the ip source check user-bind alarm threshold command, you can set the alarm

threshold for checking the received IP packets.

There may be some IP source address attack from the network connected to Ethernet

0/0/1 of SWA.

Configure URPF on RTA, default route is allowed.

By default, the URPF check function is enabled globally, but the URPF check function is

disabled on an interface.

Strict: Indicates URPF strict check. A packet is forwarded only when the source address of

the packets exists in the FIB table and the outgoing interface of the matching entry is the

same as the incoming interface of the packet.

Loose: Indicates URPF loose check. When the source address of a packet exists in the FIB

table, the packet is forwarded according to URPF regardless of whether the outgoing

interface of the matching entry is the same as the incoming interface of the packet.

URPF determines the mode for processing a default route by specifying allow-default-

route.

When the allow-default-route parameter is not specified and the source address of

packets does not exist in the FIB table, the packets are discarded in URPF strict or

loose check mode even if a corresponding default route is found.

When the allow-default-route parameter is specified and the source address of

packets does not exist in the FIB table,

Packets pass the URPF check and are forwarded in URPF strict check mode if

the outgoing interface of a default route is the same as the incoming interface

of the packets. packets are discarded if the outgoing interface of a default

route is different from the incoming interface of the packets.

Packets pass the URPF check and are forwarded in URPF loose check mode

regardless of whether the outgoing interface of a default route is the same as

the incoming interface of the packets.

Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based network

scanning attacks using a series of methods such as strict ARP learning, dynamic ARP

inspection (DAI), ARP anti-spoofing, and rate limit on ARP packets.

The following ARP attack modes are commonly used on networks:

ARP flood attack: ARP flood attacks, also called denial of service (DoS) attacks, occur

in the following scenarios:

System resources are consumed when the device processes ARP packets and

maintains ARP entries. To ensure that ARP entries can be queried efficiently, a

maximum number of ARP entries is set on the device. Attackers send a large

number of bogus ARP packets with variable source IP addresses to the device.

In this case, APR entries on the device are exhausted and the device cannot

generate ARP entries for ARP packets from authorized users. Consequently,

communication is interrupted.

When attackers scan hosts on the local network segment or other network

segments, the attackers send many IP packets with irresolvable destination IP

addresses to attack the device. As a result, the device triggers many ARP Miss

messages, generates a large number of temporary ARP entries, and broadcasts

ARP Request packets to resolve the destination IP addresses, leading to

Central Processing Unit (CPU) overload.

ARP spoofing attack: An attacker sends bogus ARP packets to network devices. The

devices then modify ARP entries, causing communication failures.

ARP attacks cause the following problems:

Network connections are unstable and communication is interrupted, leading to

economic loss.

Attackers initiate ARP spoofing attacks to intercept user packets to obtain accounts

and passwords of systems such as the game, online bank, and file server, leading to

losses.

All the above functions are advised to be enabled on the gateway.

The VLANIF interface replicates ARP Request packets in each sub-VLAN when learning ARP

entries. If a large number of sub-VLANs are configured for the super-VLAN, the device

generates a large number of ARP Request packets. As a result, the CPU is busy processing

ARP Request packets, and other services are affected. To prevent this problem, limit the

rate of ARP packets on the VLANIF interface of a super-VLAN.

There are optional commands for the globally or on an interface rate limit on ARP packets:

The arp anti-attack rate-limit alarm enable command enables the alarm function

for ARP packets discarded when the rate of ARP packets exceeds the limit.

The arp anti-attack rate-limit alarm threshold command sets the alarm threshold

of ARP packets discarded when the rate of ARP packets exceeds the limit. The

default value is 100.

If a host sends a large number of IP packets with unresolvable destination IP addresses to

attack a device, that is, if the device has a route to the destination IP address of a packet

but has no ARP entry matching the next hop of the route, the device triggers a large

number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the

master control board for processing. The device generates a large number of temporary

ARP entries and sends many ARP Request packets to the network, consuming a large

number of CPU and bandwidth resources.

More optional commands for the globally rate limit:

The arp-miss anti-attack rate-limit alarm enable command enables the alarm

function for ARP Miss messages discarded when the rate of ARP Miss messages

exceeds the limit.

The arp-miss anti-attack rate-limit alarm threshold command sets the alarm

threshold for ARP Miss messages discarded when the rate of ARP Miss packets

exceeds the limit. The default value is 100.

The arp-fake expire-time command sets the aging time of temporary ARP entries. The

default value is 1 second.

The arp learning strict (system view) command enables strict ARP learning.

The arp learning strict (interface view) command enables strict ARP learning the

interface. This command can be used only on Layer 3 interfaces. There are 3 parameters:

force-enable: Indicates that strict ARP learning is enabled.

force-disable: Indicates that strict ARP learning is disabled.

Trust: Indicates that the configuration of strict ARP learning is the same as the

global configuration.

The configuration on an interface takes precedence over the global configuration.

Strict ARP learning function can also used to prevent ARP spoofing attack.

The interface view (NOT VLANIF) includes: GE interface view, GE sub-interface view,

Ethernet interface view, Ethernet sub-interface view, Eth-Trunk interface view, Eth-Trunk

sub-interface view, VE interface view, or port group view.

The arp-limit command sets the maximum number of ARP entries that an interface can

dynamically learn. By default, the maximum number of ARP entries that an interface can

dynamically learn is the same as the number of ARP entries supported by the device.

Different products may have different maximum value, please refer to the product

documentation.

It is advised to configure the maximum value according to the amount of the devices

(always terminal devices, such as PC) under an interface or a VLAN.

All the above functions are advised to be enabled on the gateway. The ARP packet

validity check function is also advised to be enabled on the access devices.

The DAI function is available only for DHCP snooping scenarios.

In addition to all the above, the Strict ARP learning function is also used to defense against

ARP Spoofing attacks.

To defend against ARP address spoofing attacks, configure ARP entry fixing. The fixed-mac, fixed-

all, and send-ack modes are applicable to different scenarios and are mutually exclusive:

fixed-mac mode: When receiving an ARP packet, the device discards the packet if the MAC

address does not match that in the corresponding ARP entry. If the MAC address in the ARP

packet matches that in the corresponding ARP entry while the interface number or VLAN ID

does not match that in the ARP entry, the device updates the interface number or VLAN ID in

the ARP entry. This mode applies to networks where user MAC addresses are unchanged but

user access locations often change. When a user connects to a different interface on the

device, the device updates interface information in the ARP entry of the user timely.

fixed-all mode: When the MAC address, interface number, and VLAN ID of an ARP packet

match those in the corresponding ARP entry, the device updates other information about the

ARP entry. This mode applies to networks where user MAC addresses and user access

locations are fixed.

send-ack mode: When the device receives an ARP packet with a changed MAC address,

interface number, or VLAN ID, it does not immediately update the corresponding ARP entry.

Instead, the device sends a unicast ARP Request packet to the user with the IP address

mapped to the original MAC address in the ARP entry, and then determines whether to

change the MAC address, VLAN ID, or interface number in the ARP entry depending on the

response from the user. This mode applies to networks where user MAC addresses and user

access locations often change.

You can configure ARP entry fixing globally. If ARP entry fixing is enabled globally, all interfaces

have this function enabled by default.

DAI is short for Dynamic ARP inspection. This function is available only for DHCP snooping

scenarios.

The following commands are optional for the interface-based scenario.

The arp anti-attack check user-bind alarm enable command enables the alarm

function for ARP packets discarded by DAI.

The arp anti-attack check user-bind alarm threshold command sets the alarm

threshold for ARP packets discarded by DAI. The default value is 100.

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The

gateway considers that a gateway collision occurs when a received ARP packet meets

either of the following conditions:

The source IP address in the ARP packet is the same as the IP address of the VLANIF

interface matching the physical inbound interface of the packet.

The source IP address in the ARP packet is the virtual IP address of the inbound

interface but the source MAC address in the ARP packet is not the virtual MAC

address of the Virtual Router Redundancy Protocol (VRRP) group.

The device generates an ARP anti-collision entry and discards the received packets with the

same source MAC address and VLAN ID in a specified period. This function prevents ARP

packets with the bogus gateway address from being broadcast in a VLAN.

The arp gratuitous-arp send enable command enables gratuitous ARP packet sending.

The arp gratuitous-arp send interval command sets the interval for sending gratuitous

ARP packets. The default value is 90 seconds.

This function defends against attacks from bogus ARP packets in which the source and

destination MAC addresses are different from those in the Ethernet frame header.

This function enables the gateway to check the MAC address consistency in an ARP packet

before ARP learning. If the source and destination MAC addresses in an ARP packet are

different from those in the Ethernet frame header, the device discards the packet as an

attack. If the source and destination MAC addresses in an ARP packet are the same as

those in the Ethernet frame header, the device performs ARP learning.

After receiving an ARP packet, the device checks validity of the ARP packet, including:

Packet length

Validity of the source and destination MAC addresses in the ARP packet

ARP Request type and ARP Reply type

MAC address length

IP address length

Whether the ARP packet is an Ethernet frame

The arp validate command can be used to configure the device to check whether the

source MAC address in an ARP packet is the same as that in the Ethernet frame header.

This command is different from the arp anti-attack packet-check sender-

mac command.

The arp validate command configures ARP packet validity check only on a physical

interface. The arp anti-attack packet-check sender-mac command configures

ARP packet validity check globally.

The arp validate command checks whether the source and destination MAC

addresses in an ARP packet are the same as those in the Ethernet frame header.

The arp anti-attack packet-check sender-mac command checks whether the

source MAC address in an ARP packet is the same as that in the Ethernet frame

header.

http://support.huawei.com/ehedex/pages/DOC1000032949DEC1122X/02/DOC1000032949DEC1122X/02/resources/dc/arp_validate.html



When there are a large number of DHCP users, the device needs to learn many ARP entries

and age them. This affects device performance.

ARP learning triggered by DHCP prevents this problem on the gateway. When the DHCP

server allocates an IP address for a user, the gateway generates an ARP entry for the user

based on the DHCP ACK packet received on the VLANIF interface.

Answers:

ABCD

ABC (To create a static ARP entry, a interface number is not specified.)

The AR G3 router divides zones based on service requirements and controls

communication between departments.

In the following slides, the router icon is replaced by the firewall icon to highlight security

functions.

Zone is used in firewall. The firewall is often located at the network boundary and uses

zones to represent networks. The firewall adds the interface to the zone and implements

security check between zones, filtering traffic passing through different zones. The security

check is often based on ACLs and the application layer status.

For AR G3 series routers,the zone amount which one router can support lies on its specific

type. For instance, AR150 series,AR160 series,AR200 series,AR1200 series and AR220x

series products support 16 configurable zones;AR2220 series and AR3200 with

SRU40/SRUC board or SRU60 board suport 64 configurable zones;AR3200 with

SRU80/SRUF board support 128 configurable zones,and AR3200 with SRU200 board or

SRU400board support 1024 configurable zones.There is only one zone by default,namely

local zone with the highest priority, and others zones must be created manually.

Association between zones and networks must comply with the following principles:

Internal networks must be arranged in high-security zones,such as Trust Zone;

External networks must be arranged in low-security zones,such as Untrust Zone;

Networks which provide limited service for external networks must be arranged in

medium-security demilitarized zones ,such as the Demilitarized Zone (DMZ).

The security check is triggered on the AR G3 router only when data is transmitted between

zones. The security check of the AR G3 router is implemented based on interzones, for

example, an interzone between an Untrust zone and a Trust zone. Different interzones

have different security policies, such as the packet filtering policy and status filtering

policy.

Data is transmitted through an interzone in two directions:

An incoming packet refers to a packet sent from a low-priority zone to a high-

priority zone.

An outgoing packet refers to a packet sent from a high-priority zone to a low-

priority zone.

Note:

The priorities of zones must be different.

Packets in the same zone from different interfaces are directly forwarded.

The AR G3 router is located between the internal network and external network. On the

firewall, interfaces connected to the internal network, external network, and demilitarized

zone (DMZ) must be on different network segments. In addition, the network topology

needs to be changed. In this case, the firewall functions as a router. After the routing

mode is enabled, ACL-based packet filtering, ASPF filtering, and NAT functions can be

used.

Session is the basis of the stateful firewall. A session table is created on the firewall when

packets pass through the firewall. The session table uses the quintuple as the Key value,

that is, source IP address, destination IP address, source port, destination port, and

protocol number. The firewall provides a higher security for high-priority zones by

establishing a dynamic session table.

AR G3 Firewall Configuration Procedure：

Create a zone: set the priority for the zone based on security requirements

Add the interface to the zone: specify the zone for the interface

Configure the firewall function in the interzone

(Optional) Configure interzone ACL-based packet filtering

(Optional) Configure the aging time of the firewall session table

firewall zone zone-name command creates a zone

priority security-priority command sets the priority for a zone

Under Interface View, zone zone-name command adds an interface to a zone

firewall interzone zone-name1 zone-name2 command creates an interzone

Under interzone view, firewall enable command enables the firewall function in an

interzone

Under interzone view, packet-filter { acl-number | default { deny | permit } } { inbound |

outbound } command configures packet filtering in an interzone.

firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-

media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value command sets the

timeout interval of each entry in the session table

The dynamic session table is a resource. To prevent the resource from being exhausted,

the session table on the firewall has an aging time, which is set based on applications.

Session entries are aged when no packet is transmitted in the session within a specified

duration.

The display firewall session aging-time command displays the aging time of the

firewall session table. This value is the same as the Time To Live (TTL) value in the

display firewall session table verbose command output.

Different protocols have different default aging times, in seconds.

You can change the aging time. For example, you can change the aging time of ICMP

packets to 15 seconds.

Blacklist is a way to filter packets based on source IP addresses. Compared with ACL-based

packet filtering, the blacklist uses simpler matching zones to implement high-speed packet

filtering. The packets from certain IP addresses can be filtered out. The AR G3 router can

add or delete IP addresses to the blacklist dynamically. By determining packet behaviors,

the firewall detects a potential attack from an IP address. The firewall adds the IP address

to the blacklist so that packets from the attacker can be filtered out and discarded.

Blacklist features:

Filtering packets based on the source IP addresses

Simple and efficient

Dynamic addition and deletion

Notice:the Whitelist just can be created manually

firewall blacklist enable command enables the blacklist function

firewall blacklist source-address [vpn-instance vpn-instance-name] [expire-time interval ]

If the expire-time internal parameter is used, blacklist entries will be automatically deleted

after a specified aging time. The packets with corresponding IP addresses will not be

filtered.

If the parameter is not used, the entry will never be aged.

The value of expire time ranges from 1 to 1000, in minutes.

The entries configured with the aging time are not written into the configuration file, but

can be viewed by using the display firewall blacklist command.

enable: displays the operation status of the blacklist.

item source-address: displays the entries in the blacklist. source-address specifies the IP

address of the entry.

Description:The display firewall blacklist command displays the operation status and entry

information about the blacklist. The [sour-address] parameter displays information about

blacklist entries. If the IP address is not specified, the command displays brief information

about all the blacklist entries. If the IP address is specified, the command displays detailed

information about the specified blacklist entry.

Notice：Whitelist configuration don’t need an enable action

display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | dynamic |

static | vpn-instance vpn-instance-name } command adds an entry to the blacklist

Port mapping creates and maintains a system-defined and user-defined port identification

table for each type of application protocol.

The AR G3 router supports host port identification based on basic ACLs. Host port

identification is based on user-defined port numbers and application protocols created for

certain type of packets. For example, the TCP packet sent to the host on the network

segment 10.110.0.0 through port 8080 is identified as an HTTP packet. The range of the

hosts can be specified by a basic ACL.

The ACL used for host port identification and packet filtering differs in the following

aspects:

The packet filtering firewall only permits the packets to be transmitted from

specified source addresses to a specified destination addresses.

In host port identification, a basic ACL can define the hosts by matching source or

destination IP addresses of the packets.

Port mapping applies to service-sensitive features such as application specific

packet filter (ASPF) and Network Address Translation (NAT).

port-mapping { dns | ftp | http | sip | rtsp | pptp } port port-number acl acl-number

command configures the mappings between ports and application-layer protocols

Parameter:

application-name: specifies the name of an application, which can be DNS, HTTP,

SIP, RTSP, PPTP or FTP.

port-number: specifies the number of a port. It ranges from 0 to 65535.

acl-number: specifies the number of a basic ACL. It ranges from 2000 to 2999.

Description:

The port-mapping command matches the port numbers with application layer

protocols.

The AR G3 router supports host port identification based a basic ACL. Host port

identification based on basic ACLs uses user-defined port numbers and application

protocols to identify packets sent to specific hosts. The range of the hosts can be

specified by the basic ACL.

display port-mapping [ dns | ftp | http | rtsp | sip | port port-number | pptp ] command

displays mappings between the specified application-layer protocols and ports

ASPF maintains the connection status information in the data structure of the session table

and maintains access rules of sessions based on the connection status information. ASPF

saves important connection status information that cannot be saved by ACLs. The firewall

detects each packet in data flows and ensures that the packet status and the packet meet

user-defined security policies. The firewall dynamically permits or rejects packets based on

the connection status information. When a session is terminated, session entries are

deleted and the session in the firewall is ended.

ASPF can intelligently detect three handshakes of TCP and handshakes for connection

removal. The system rejects the packets of incomplete TCP handshake connections.

UDP is a connectionless protocol. ASPF is a connection-oriented protocol. ASPF detects the

source and destination IP addresses and port number of a UDP packet, and checks

whether a connection exists by checking whether the UDP packet is similar to other UDP

packets in a time range.

In common scenarios, the ACL-based IP packet filtering technology is used. This

technology is simple, but lacks flexibility. In scenarios where multiple applications are used,

the ACL-based IP packet filtering technology cannot protect networks. For example, it is

difficult to configure the firewall for the multi-channel protocol that uses FTP for

communication.

ASPF enables Eudemon series firewalls to support application of multiple data connection

protocols over one control connection. In addition, ASPF facilitates enforcement of various

security policies in the scenarios where multiple applications are used. Most multimedia

application protocols (for example, SIP and FTP) use designated interfaces to initialize

control connections and then dynamically select interfaces to transmit data. The interfaces

to be selected are random. Some applications may occupy multiple interfaces. The packet

filtering firewall only blocks application transmission on a single channel to protect internal

networks against attacks. That is, it only blocks applications using fixed interfaces. This

introduces security risks to a network. ASPF monitors the interface used by each connection

of each application, opens a proper channel to allow session data to pass through the

firewall, and closes the channel upon session termination. In this manner, ASPF implements

access control on the applications using dynamic interfaces.

hsb-service service-index command creates an HSB service

Under HSB service view: service-ip-port local-ip local-ip-address peer-ip peer-ip-address

local-data-port local-port peer-data-port peer-port command configures IP addresses and

port numbers for an HSB service

hsb-group group-index command creates an HSB group

Under HSB group view：bind-service service-index command binds an HSB service to an

HSB group

hsb-service-type firewall hsb-group group-index command enables the firewall HSB

function and binds the firewall to an HSB group

Under HSB group view：hsb enable commend enables HSB for an HSB group

Completing configuration above, implement display hsb-group group-index commend,

display HSB group information in RTA and RTB. The detail in Router A and Router B is

shown in this slide.

The AR G3 router supports the following types of logs:

NAT log

A NAT log includes the following information: source address, source port, destination

address, and destination port of a flow, start and end time of the flow, and status of the

flow. The log identifies flows where NAT is performed based on translated Attack defense

log

When a large number of attacks occur, the AR G3 router uses the queue mechanism to

provide alarm logs. The AR G3 router generates alarms in Syslog mode, including the

attack source (the source address) and attack type.

Traffic monitoring log

Based on zones and IP addresses, the AR G3 router monitors traffic to check whether the

rate or number of connections exceeds the upper or lower limit.

If the rate or number of connections exceeds the upper limit, the AR G3 router will trigger

and record alarm logs.

If the rate or number of connections exceeds the lower limit, the AR G3 router will trigger

alarms.

Blacklist log

The AR G3 router adds the source IP address of an unauthorized user detected to the

blacklist and generates a blacklist log. The log records the host address and the reason of

adding the host to the blacklist.

Traffic statistics

The log records the traffic statistics to learn the firewall operation status. The traffic

statistics include the total number of connections, number of current connections and split

connections, peak traffic volume, and number of discarded packets. The log also records

the number of attack packets so that you can learn attack events.

The AR G3 router generates a small number of logs for attack defense, traffic

monitoring, and blacklist and address binding. Therefore, the router outputs logs in

the text file in Syslog mode. The log information must be managed and redirected

by the VRP information center, displayed on the terminal screen, or stored and

analyzed by the log collection server.

The AR G3 router generates a large number of logs for NAT/ASPF, so logs are

output in binary mode. The AR G3 router outputs logs directly to the log collection

server for storage and analysis. The information center module on the AR G3 router

does not participate in this process. The logs are transmitted more efficiently in

binary mode than in Syslog mode.

On the AR G3 router, Ethernet 1/0/0 is configured in the trust zone, Ethernet 2/0/0 is

configured in the untrust zone, and Ethernet 2/0/1 is configured in the DMZ. The firewall

outputs the attack defense log to the host.

info-center enable commend enable the information center

info-center loghost ip-address [ channel { channel-number | channel-name } | facility local-

number | { language language-name | binary [ port ] } | { vpn-instance vpn-instance-name |

public-net } ] commend configurate output the log information to log server

firewall log binary-log host host-ip-address host-port source source-ip-address source-port

[ vpn-instance vpn-instance-name ] command can set parameters of a binary log server,

including the IP addresses and port numbers of the binary log server and the peer device

communicating with the log server.

Answers:

AD

ABCD

Note:




recommended.

Authentication, Authorization, and Accounting (AAA) is a network security management

mechanism used for user authentication, authorization, and accounting.

Authentication: authenticates remote users and checks whether the user is valid.

Authorization: authorizes a user to use specific services. For example, when a user

logs in to the server, the administrator grants the right to users to access and print

files in the server.

Accounting: records all the operations performed by a user and the service type,

start time, and data traffic.

To obtain the right to access certain networks or to use certain network resources, a user

needs to set up a connection with the NAS over a network. In this case, the NAS

authenticates the user and coordinates the connection. The NAS delivers authentication,

authorization, and accounting information to an AAA server (a RADIUS server or an

HWTACACS server).The RADIUS and HWTACACS protocols define user information

exchanged between the NAS and the AAA server.

There are multiple servers in the AAA architecture. Users can determine the servers that

perform authentication, authorization, and accounting. For example, the HWTACACS

server can be used for authentication and authorization, and the RADIUS server for

accounting.

Users can use one or two security services provided by AAA. For example, if a company

only needs to authenticate employees that access certain network resources, only an

authentication server is needed. If the company also needs to record operations performed

by employees, an additional accounting server is needed.

Huawei Datacom Product uses the RADIUS protocol and the HWTACACS protocol to

implemente AAA. RADIUS is the most commonly used protocol.

When only a small number of access users need to be authenticated and authorized,

deploying an independent AAA server may increase the workload of a network

administrator.

Huawei routers and switches support local authentication. You can maintain a small user

information database on Huawei routers and switches to authenticate and authorize

access users.

Some devices also support local accounting for access users. However, most devices do

not support local accounting because the accounting information is too large to maintain.

RADIUS was originally an AAA protocol designed for dial-in user access. As access modes

become diversified, RADIUS is applicable to more access modes, such as Ethernet access

and ADSL access. RADIUS authenticates and authorizes users to provide access services,

and performs accounting to collect and record usage information about network

resources.

The RADIUS protocol defines the RADIUS packet format and message transmission

mechanism, and specifies UDP as the transmission layer protocol of RADIUS packets. UDP

port 1812 is used as the authentication port and port 1813 as the accounting port.

Client/Server model

Client: The RADIUS client runs on the NAS. It transmits user information to the

specified RADIUS server and processes responses from the RADIUS server. For

example, the RADIUS server accepts or rejects user access requests.

Server: The RADIUS server runs on the core computer or workstation and maintains

information relavant to user authentication and network service access. It receives

connection requests, authenticates users, and returns the processing results to the

clients.

The RADIUS server maintains three databases:

User: stores user information, such as user names, passwords, protocols, and IP

addresses.

Client: stores information about the RADIUS client, such as the shared key and the IP

address of the access device.

Dictionary: stores RADIUS attributes and attribute description.

Security and Authentication Mechanism

The RADIUS client and server exchange authentication messages using a shared key.

The shared key cannot be transmitted on the network, which enhances security. In

addition, to protect the user password from theft on an insecure network, the

password is encrypted during transmission.

The RADIUS server authenticates users in multiple modes, such as PPP-based PAP and

CHAP authentication. Besides, the RADIUS server can be used as the RADIUS client to

communicate with other RADIUS authentication servers and forward RADIUS

authentication and accounting packets.

The message interaction procedure is as follows:

A user sends a request packet containing the user name and password to the

RADIUS client.

The RADIUS client sends an Access-Request packet, including the user name and

password, to the RADIUS server. The password is encrypted using the MD5

algorithm through a shared key.

The RADIUS server authenticates the user name and password. If authentication

succeeds, the RADIUS server sends a RADIUS Access-Accept packet to the RADIUS

client. If authentication fails, the RADIUS server sends a RADIUS Access-Reject

packet to the RADIUS server. The RADIUS Access-Accept packet contains

authorization information.

The RADIUS client permits or rejects the user according to the authentication result.

If the user is permitted, the RADIUS client sends an accounting-start packet to the

RADIUS server.

The RADIUS server sends a response packet to the RADIUS client and starts

accounting.

The user starts to access network resources.

The user requests to disconnect from the network. The RADIUS client sends an

accounting-stop packet to the RADIUS server.

The RADIUS server sends a response packet to the RADIUS client and stops

accounting.

The user ends accessing network resources.

RADIUS messages are transmitted in User Datagram Protocol (UDP) packets. RADIUS

ensures reliability of information exchanged between the RADIUS server and client by

using the timer, retransmission mechanism, and secondary server. RADIUS integrates

authentication and authorization. Each field is described as follows:

(1) Code field: indicates the type of the RADIUS packet. The field is 1 byte long. The value

of the Code field is described as follows:

1. Access-Request packets are sent from the client to the server. The server determines

whether to connect to the user. The Access-Request packet must carry the User-Name

attribute. NAS-IP-Address, User-Password, NAS-Port are optional in the Access-Request

packet.

2. Access-Accept packets are sent from the server to the client. If all the Attribute

values in the Access-Request packet are accepted (authentication succeeds), the type of

this packet is transmitted.

3. Access-Reject packets are sent from the server to the client. If any Attribute value in

the Access-Request packet is rejected (authentication fails), the type of this packet is

transmitted.

4. Accounting-Request packets are sent from the client to the server, requesting

accounting start or stop. The value of the Acct-Status-Type attribute in the packet

distinguishes whether to start or stop accounting.

5. Accounting-Response packets are sent from the server to the client. The server

notifies the client that it has received the Accounting-Request packet and recorded the

accounting information.

(2) Identifier field: used to map the request packet and the response packet and detect the

request packet retransmitted within a certain period. The field is 1 byte long. The request

packet and response packet of the same type have the same Identifier value.

(3) Length field: indicates the length of a RADIUS packet, including Code, Identifier, Length,

Authenticator, and Attribute. The value ranges from 20 to 4096. The field is 2 bytes long.

Bytes outside the range of the Length field are treated as padding and are ignored. If the

length of a received packet is smaller than the value of the Length field, the packet will be

discarded.

(4) Authenticator field: used to check the response packet of the RADIUS server and encrypt

the password. The field is 16 bytes long. Authenticator has two types: Request

Authenticator and Response Authenticator.

(5) Attribute field: see the next page.

The commonly-used RADIUS attributes, such as the user name, password, and NAS-IP are

defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2868.

Different RADIUS packets have different attributes. For example, the user name is only

used in authentication request packets and accounting request packets.

As shown in the figure, the sub-attribute encapsulated in attribute 26 packet includes the

following four fields:

Vendor-ID: indicates the vendor ID. The leftmost byte is 0. For the code of the other

3 bytes, see RFC 1700. The Vendor-ID of Huawei is 2011.

Vendor-Type: indicates the sub-attribute type.

Vendor-Length: indicates the sub-attribute length.

Vendor-Data: indicates the sub-attribute content.

The display radius-attribute command displays RADIUS attributes supported by the device.

Attributes names starting with "HW" are Huawei proprietary attributes.

HWTACACS is used to authenticate and authorize terminal users that need to log in to

Huawei Datacom Product, and record operations performed by terminal users. As the

HWTACACS client, Huawei Datacom Product sends the user name and password to the

HWTACACS server for authentication. If authentication succeeds, the user can log in to the

device. The HWTACACS server will record user operations on Huawei Datacom Product.

The Telnet user is used as an example to describe HWTACACS authentication,

authorization, and accounting. The message exchange procedure is as follows:

1. A Telnet user sends a login request packet to the device.

2. The HWTACACS client sends an authentication-start packet to the HWTACACS

server after receiving the request packet.

3. The HWTACACS server sends an authentication response packet and requests the

user name.

4. The HWTACACS client requests the user name from the user after receiving the

authentication response packet.

5. The user enters the user name.

6. The HWTACACS client sends an authentication packet containing the user name to

the HWTACACS server.

7. The HWTACACS server sends an authentication response packet and requests the

password.

8. The HWTACACS client requests the password from the user after receiving the

authentication response packet.

9. The user enters the password. Note: Telnet is an insecure protocol, Stelnet is

suggested.

The message exchange procedure is as follows (Continued):

10. The HWTACACS client sends an authentication packet containing the password to

the HWTACACS server.

11. The HWTACACS server sends an authentication response packet, indicating that the

user has been authenticated.

12. The HWTACACS client sends an authorization request packet to the HWTACACS

server.

13. The HWTACACS server sends an authorization response packet, indicating that the

user is authorized.

14. The HWTACACS client receives the authorization response packet and displays the

login page.

15. The HWTACACS client sends an accounting-start request packet to the HWTACACS

server.

16. The HWTACACS server sends an accounting response packet, indicating that the

accounting response packet has been received.

17. The user requests to tear down the connection.

18. The HWTACACS client sends an accounting-stop request packet to the HWTACACS

server.

19. The HWTACACS server sends an accounting-stop packet, indicating that the

accounting-stop packet has been received.

By default, HWTACACS packets are encrypted and transmitted and the packet headers are

in plain text.

Major Version: has a fixed value of 0xc.

Minor Version: is 0x0 by default. In some cases, it needs to be set to 0x1 for compatibility.

Type indicates the packet type. The options are as follows:

0x01 (Authentication)

0x02 (Authorization)

0x03 (Accounting)

Seq_no: indicates the sequence number of the current HWTACACS session. In an

HWTACACS session, the first packet, whose sequence number is 1, is initiated by the

client. The first packet returned by the server has a sequence number of 2. The sequence

number increases by packets. Packets sent from the client to the server have odd sequence

numbers, and packets sent from the server to the client have even sequence numbers.

When the sequence number reaches the upper limit, the HWTACACS session will be re-

created.

Flag Some functions can be enabled by setting different flag bits. For example, when the

value of Flags is 0x01, the packet is not encrypted. When the value is 0x04, multiple

HWTACACS can share one TCP connection.

Session_ID: The ID of the HWTACACS session is a random number.

Length indicates the length of an HWTACACS packet, excluding the header.

Both the HWTACACS protocol and the RADIUS protocol implement authentication,

authorization, and accounting. They have the following similarities: 1. Adopt the

client/server model. 2. Encrypt the user information by a shared key. 3. Have good

flexibility and extensibility.

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption, and

is more suitable for security control.

A Huawei device can manage users based on their domains. The default authorization,

RADIUS/HWTACACS template, and authentication and accounting schemes can be

configured in a domain.

Authentication, authorization, and accounting are implemented by applying the

authentication scheme, authorization scheme, and accounting scheme to a domain, so you

must preconfigure the authentication scheme, authorization scheme, and accounting

scheme in the AAA view.

The device supports the combination of local, RADIUS, and HWTACACS authentication,

authorization, and accounting. For example, the device provides local authentication, local

authorization, and RADIUS accounting. In practice, the following schemes are used

separately:

Local authentication and authorization: If users need to be authenticated or

authorized but no RADIUS server or HWTACACS server is deployed on the network,

use local authentication and authorization. Local authentication and authorization

feature fast processing and low operation cost, whereas the amount of information

that can be stored is limited by the device hardware capacity. Local authentication

and authorization are often used for administrators.

RADIUS authentication and accounting: RADIUS protects a network from

unauthorized access, which is often used on the networks demanding high security

and remote user access control.

HWTACACS authentication, authorization, and accounting: HWTACACS protects a

network from unauthorized access and supports command-line authorization.

Compared with RADIUS, HWTACACS is more reliable in transmission and encryption,

and is more suitable for security control.

Local authentication is often used when there are few users and no accounting

requirements. In this case, the AAA server does not need to be deployed, reducing the

workload of the network administrator.

By default, the administrator uses AAA schemes in the domain default_admin, that is, local

authentication, local authorization, and non-accounting.

You can check the local authentication configuration by logging in to 127.0.0.1 through

Telnet.

The command output shows that the user level of VTY 0 user is set to level 3.

There is one administrator on the server. The user name is admin@admin and the

password is huawei.

You can configure authentication and accounting functions on multiple servers to load

balance server resources.

You can configure the secondary authentication server and accounting server to ensure

nonstop service transmission when the primary authentication server and accounting

server fail.

The RADIUS server template, authentication scheme, and accounting scheme can be

associated with the domain. You can deploy AAA flexibly based on networking. For

example, you can use local authentication and RADIUS accounting.

The configuation in the VTY user view is the same as local authentication, and is not

mentioned here.

The display radius-server configuration command can be used to display the RADIUS

server template configuration. This command also displays some default parameters.

You can choose RADIUS server software as required.

ClearBox is used as an example to describe the RADIUS server configuration. The

parameters are as follows:

RADIUS client (NAS-IP)

Shared key

User name and password

The configuration procedure is as follows:

Install the RADIUS client.

Configure the IP address and key of the RADIUS client.

Add and configure users. If the user name without the domain name is configured

on the device, the user name must carry a domain name.

Huawei Datacom Product sends an accounting request packet to the RADIUS server. If

Huawei Datacom Product receives a response, the RADIUS server is working properly. The

RADIUS server checks the user name and password during accounting.

There are two administrators on the server:

Administrator 1: user name monitor@admin, password huawei, and level 1.

Administrator 2: user name admin@admin, password huawei, and level 3.

Unlike RADIUS, authentication and authorization in HWTACACS are independent, so the

authentication server and the authorization server are specified separately.

In the command output:

HWTACACS authentication is separated from HWTACACS authorization, so

authentication and authorization servers must be configured separately.

HWTACACS authentication, authorization, and accounting share the same TCP port.

RADIUS and HWTACACS have the similar domain configuration.

Most configurations of the HWTACACS server are the same as those of the RADIUS server.

The following configurations also need to be configured on the HWTACACS server:

HWTACACS client (NAS-IP)

Shared key

User name and password

The HWTACACS server needs to grant default user levels to different users.

If there are a small number of devices, use local authentication so that you do not need to

deploy the AAA server.

On large-scale intranets, local authentication cannot meet management requirements.

Large-scale intranets have the following device management requirements:

On the intranet where a large number of devices need to be managed, if local

authentication is used, you need to configure local users for each device. The

workload is heavy.

Generally, multiple administrators manage devices. If local authentication is used,

the workload of the administrator will be multiplied.

Security: The administrator is required to change the password periodically. If local

authentication is used, it is difficult to manage passwords.

Information about user access authentication will be described in the Network Access

Control (NAC) course.

Answers:

ABC

BD

Currently, two types of communication devices are available on the network: box devices

and chassis devices.

Box devices are cost-effective, but do not support high availability and uninterrupted

service protection. So box devices cannot be used at the core layer, at the

aggregation layer, or in data centers. In complex networking environment, because

box devices have low scalability, you have to maintain more network devices and

change the original networking structure when adding new devices.

Chassis devices have advantages such as high availability, high performance, and

high port density. Therefore, chassis devices are often used at the core layer, at the

aggregation layer, and in data centers. Compared with box devices, chassis devices

have disadvantages such as high initial investment and high single port cost.

The iStack technology combines the advantages of both box devices and chassis devices. It

virtualizes multiple devices supporting the stacking function into one logical device. This

logical device has advantages like cost-effectiveness of box devices and high scalability and

reliability of chassis devices.

The iStack function has the following advantages:

High reliability: Redundancy backup is implemented between member switches in a

stack. In addition, a stack supports inter-chassis link aggregation to implement inter-

chassis link backup.

Powerful network scalability: You can increase ports, bandwidth, and processing

capacity of a stack by simply adding member switches to the stack.

Simplified configuration and management: After a stack is set up, multiple physical

devices are virtualized into one logical device. You can log in to the stack through any

member device to configure and manage all the member devices in a unified manner.

Switch roles: Each switch in a stack is a member switch. Member switches are classified

into the following roles:

Master switch: The master switch manages the entire stack. A stack has only one

master switch.

Standby switch: The standby switch is the backup to the master switch. A stack has

only one standby switch.

Slave switch: In a stack, all member switches except the master switch are slave

switches. The standby switch is also a slave switch.

Stack ID: A stack ID, also called a member ID, is used to identify and manage member

switches in a stack. All member switches in a stack have a unique stack ID.

Stack priority: The stack priority is an attribute of member switches, which helps determine

the role of member switches in role election. A larger priority value indicates a higher

priority. The member switch with a higher stack priority has a higher probability of

becoming the master switch.

Physical member interface: Switches connect to each other to form a stack using physical

member interfaces. Physical member interfaces forward service packets and stack protocol

packets between member switches.

Stack interface: A stack interface is a logical interface that is bound to physical member

interfaces to implement the stacking function. Each member switch has two stack

interfaces, which are named Stack-Portn/1 and Stack-Portn/2. n specifies the stack ID of the

member switch.

A stack contains multiple member switches, each of which has a role. During the setup of

a stack, member switches exchange packets to elect the master, standby, and slave

switches. The master switch collects member information, calculates the stack topology,

and synchronizes the stack topology to all the other member switches.

The rules for electing the master switch are as follows. Start from the first rule until the

master switch is elected.

The switch that has started is preferred over the switch that is starting.

The switch with higher stack priority is preferred.

The switch with a smaller MAC address is preferred.

When the master and slave switches use different software versions, slave switches

synchronize the software version with the master switch, restarts, and then joins the stack.

Before a stack is set up, each switch is an independent entity and has its own IP address.

You need to manage the switches separately. After the stack is set up, the switches in the

stack form a logical entity, and you can use a single IP address to manage and maintain

the switches uniformly. The IP address and MAC address of the stack is the IP address and

MAC address of the master switch when the stack is set up.

On a single switch that does not join any stack, the interface number is in the format

0/subcard ID/interface sequence number. After the switch joins a stack, the interface

number is in the format stack ID/subcard ID/interface sequence number. For example,

when a switch does not join a stack, the interface number is GigabitEthernet0/0/1; when

the switch joins a stack, the interface number is GigabitEthernet2/0/1 if the stack ID is 2.

A ring topology is more reliable than a chain topology. When a link fault occurs in the

chain topology, the stack splits. When a link fault occurs in the ring topology, a chain

topology is formed, which prevents stack services from being affected.

During stack maintenance, the master device collects new topologies, and takes different

actions when a new member device is added to the stack.

If the newly added device is not in a stack (for example, it has the stacking function

configured and then is powered off, connected to the stack using a stack cable, and

powered on for startup), the device is elected as the slave device, and the master

and standby devices in the stack remain unchanged.

If the new device has been in a stack (for example, it has the stacking function

configured and then is connected to the existing stack using a stack cable), the two

stacks are merged.

When the two stacks are merged, the master switches of the two stacks will automatically

choose a better switch as the master switch of the new stack. The stack in which the new

master switch locates keeps unchanged and the services in the stack are not affected. All

switches in the other stack will restart and be added to the new stack. The master switch

synchronizes its configurations with these switches. Services in this stack are interrupted.

You can remove a member switch from a stack. The stack may be affected differently

depending on member switch roles:

If the master switch leaves the stack, the standby switch becomes the new master

switch, updates the stack topology, and specifies a new standby switch.

If the standby switch leaves the stack, the master switch updates the stack topology

and specifies a new standby switch.

If a slave switch leaves the stack, the master switch updates the stack topology.

After a stack is set up, the standby switch becomes the master switch, if the master switch

is faulty or leaves the iStack. Then the new master switch specifies a new standby switch

and synchronizes data with the standby switch.

After a stack is set up for the first time, the MAC address of the master switch is the

stack MAC address. When the master switch is faulty or leaves the stack, the MAC

address of the new master switch becomes the stack MAC address if the function

that delays the stack MAC address switchover is disabled. By default, the function

that delays the stack MAC address switchover is enabled, and the delay time is 10

minutes.

When the master switch is faulty or leaves the stack, the new master switch changes

the stack MAC address to its own MAC address if the previous master switch does

not rejoin the stack before the MAC address switchover timer expires. If the previous

master switch rejoins the stack before the MAC address switchover timer expires,

the switch becomes a slave switch and the stack MAC address remains unchanged.

In this case, the stack MAC address is the MAC address of a slave switch.

When a slave switch leaves a stack, the master switch changes the stack MAC

address to its own MAC address, if the MAC address of the leaving switch is the

same as the stack MAC address and the leaving switch does not rejoin the stack

before the MAC address switchover timer expires.

As shown in the figure, a stack splits into multiple stacks when some member switches are

removed from the running stack with power-on or when multiple nodes on the stack cable

fail. A stack may split into multiple stacks with the same configurations, which causes

conflicts of IP addresses and MAC addresses.

When a stack splits, two stacks with the same IP address and MAC address exist on the

network. That is, a dual-active scenario occurs. To improve system availability after a stack

splits, a mechanism is required to detect a dual-active scenario and take recovery action.

When a stack splits, two stacks with the same IP address and MAC address exist on the

network. That is, a dual-active scenario occurs. To improve system availability after a stack

splits, a mechanism is required to detect a dual-active scenario and take recovery action.

Dual-active detection (DAD) is a method to detect a dual-active scenario and take recovery

action, ensuring network stability.

DAD in direct mode

DAD is performed between member switches in a stack using a dedicated direct

link.

DAD in relay mode

DAD is configured on the inter-chassis Eth-Trunk in a stack, and DAD in relay mode

is configured on the proxy device.

After a stack splits into multiple stacks, the stacks exchange DAD packets on the DAD link.

The stack compares information in the received packet with local information. The rules

for electing the master stack are the same as the rules for electing the master switch. If a

stack is elected as the master stack, the switches in the stack remain in the Active state

and continues forwarding service packets. If a stack is elected as the standby stack, the

switches in the stack enter the Recovery state, shuts down all its service interfaces except

those excluded from shutdown, and stops forwarding service packets.

Stack interface: A stack interface is a logical interface that is bound to physical member

interfaces to implement the stacking function. Each member switch has two stack

interfaces, which are named Stack-Portn/1 and Stack-Portn/2. n specifies the stack ID of the

member switch.

As the development of technology, both the hardware and software of Huawei Box

Switches are continuously upgrading. The iStack features may be change as the version

upgrades.

In addition, after a stack is set up, some features may be affected. For example, the N:1

VLAN Mapping feature is not available for a stack.

Before configuring a stack, complete the following task:

Confirming that the switches support the stacking function and starting the devices

The stack enable command enables the stacking function on a device.

You need to perform this step only when a stack is connected using stack card

connection. If a stack is connected using service interface connection, skip this step.

In a stack connected using stack card connection, you can configure commands only

when a stack card is inserted.

Only S5700EI and S5700SI support this command.

By default, the stacking function is disabled.

After enabling or disabling the stacking function on a device, restart the device to

make the configuration take effect.

As the network size rapidly increases, the number of access interfaces provided by an

access switch needs to be increased, and the network must be easy to manage and

maintain. However, a single access switch cannot meet these requirements.

The configuration on S5700LI is used as an example.

The stack port enable command configures service interfaces as physical member

interfaces. After a service interface is configured as a physical member interface, the

service configuration on the interface becomes invalid.

On the S5700LI, only the last four service interfaces can be configured as physical

member interfaces.

On the S5710EI, only the last four service interfaces can be configured as physical

member interfaces. This number can be increased by installing a subcard. The

ES5D21X02S00 can be installed to allow four more interfaces to be configured as

physical member interfaces.

On the S6700EI, only four or eight service interfaces with contiguous IDs can be

configured as physical member interfaces. The last ID of the service interfaces that

can be added to the same stack interface must be a multiple of four, for example,

interfaces with IDs from 1 to 4, 5 to 8, or 1 to 8 can be added to the same stack

interface but interfaces with IDs from 2 to 5 or 3 to 6 cannot.

The interface stack-port command displays the stack interface view. Each member

switch has two stack interfaces, which are named Stack-Portn/1 and Stack-

Portn/2. n specifies the stack ID of a member switch. After the interface stack-

port command displays the view of a stack interface, you can configure attributes for the

stack interface.

Only S5700LI, S5710EI, and S6700EI support this command.。

The stack slot priority command sets the stack priority of a member switch in a stack.

By default, the stack priority of a member switch is 100.

A larger priority value indicates a higher priority. The possibility that a switch is

selected as the master switch is greater.

In a stack connected using stack card connection, enable the iStack function before

running the command.

The stack slot renumber command changes the stack ID of a specified member switch in

a stack.

After the stack ID is configured, the configuration takes effect only after the device

restarts.

In a stack connected using stack card connection, enable the iStack function before

running the command.

The display stack command displays information about the member switches in a stack.

Stack topology type:

Link: chain topology

Ring: ring topology

MAC switch delay time: MAC address switchover time of the stack. You can run this stack

timer mac-address switch-delay command to set the MAC address switchover time of

the stack.

Stack reserved vlanid: Stack reserved VLAN.

slot#: Stack ID of the member switch.

Role: Member switch role:

Master: master switch

Standby: standby switch

Slave: slave switch

Mac address: MAC address of the member switch.

Priority: Stack priority.

Device Type: Device model of the member switch.

Answers:

BD

The CSS function has the following advantages:

High reliability

Redundancy backup is implemented between member switches in a CSS. In

addition, a CSS supports inter-chassis link aggregation to implement inter-chassis

link backup.

Powerful network scalability

You can increase ports, bandwidth, and processing capacity of a CSS by simply

adding member switches to the CSS.

Simplified configuration and management

After a CSS is set up, multiple physical devices are virtualized into one logical device.

You can log in to the CSS through any member device to configure and manage all

the member devices in a unified manner.

CSS technology development has experienced two stages.

Traditional CSS: consists of two CSS connection modes, namely, clustering through CSS

cards on the MPUs and service port connection. The traditional CSS is supported by the

S7700 and S9700.

Cluster Switch System Generation 2 (CSS2): This technology sets up a CSS by connecting

CSS cards on switch fabric units (SFUs). In addition to the existing features, CSS2 supports

1+N backup of MPUs. CSS2 is supported by the S12700.

Compared with the traditional CSS, CSS2 has the following advantages:

Clustering through CSS cards on the SFUs Compared with the service port connection

mode, control packets and data packets of a cluster only need to be forwarded once by

the SFUs and do not go through service cards. CSS2 minimizes impact of software failures,

reduces risks of service interruption caused by service cards, and also significantly shortens

the transmission latency. Compared with the CSS connection mode through CSS cards on

MPUs, this mode allows for simpler cable connections and faster system startup because

the SFUs and MPUs start up simultaneously.

1+N backup of MPUs in a cluster A dual-chassis CSS can work normally as long as one

MPU in any chassis is running normally. Compared with the service port connection mode,

in which each chassis must have at least one MPU working normally, CSS2 is more

reliable. Compared with the CSS connection mode through CSS cards on MPUs, in which

each chassis must have two MPUs installed, CSS2 is more flexible.

Roles of member switches

Each switch in a CSS is a member switch. Each CSS member switch plays one of the

following roles:

Master switch: A master switch manages the CSS. A CSS has only one master

switch.

Standby switch: The standby switch is the backup to the master switch. When the

master switch becomes faulty, the standby switch takes over the master role. A CSS

has only one standby switch.

CSS ID

CSS IDs are used to identify and manage member switches in a CSS. Each member

switch has a unique CSS ID.

CSS Priority

The CSS priority of a member switch determines the role of the member switch in

role election. A larger value indicates a higher priority and higher probability that the

member switch is elected as the master switch.

After a CSS is set up, member switches send competition packets to each other to elect

the master switch. A switch is elected as the master switch to manage the CSS. The other

switch becomes the standby switch.

The rules for electing the master switch among S series switches are as follows. Start from

the first rule until the master switch is elected.

The switch that has started is preferred over the switch that is starting.

The switch with higher CSS priority is preferred.

The switch with a smaller MAC address is preferred.

The switch with a smaller CSS ID is preferred.

When the master and standby switches use different software versions, standby switches

synchronize the software version with the master switch, restarts, and then joins the CSS.

After the CSS is set up, on the control plane, the active SRU of the master switch

becomes the active SRU of the CSS and manages the CSS. The active SRU of the standby

switch becomes the standby SRU of the CSS and plays a standby role in CSS management.

The standby SRUs of the master switch and the standby switch are candidate standby

SRUs of the CSS,

Before a CSS is set up, each switch is an independent entity and has its own IP address.

You need to manage the switches separately. After the CSS is set up, the switches in the

CSS form a logical entity, and you can use a single IP address to manage and maintain the

switches uniformly. The IP address and MAC address of the CSS is the IP address and MAC

address of the master switch when the CSS is set up for the first time.

After a CSS is set up, all member switches function as one logical switch on the network,

and the master switch manages the resources of all remember switches. You can log in to

the CSS through a service interface on an LPU, the management interface or the serial

interface on the active SRU to manage and maintain the CSS.

On a single switch that does not join any CSS, the interface number is in the format slot

ID/subcard ID/interface sequence number. After the switch joins a CSS, the interface

number is in the format CSS ID/slot ID/subcard ID/interface sequence number. For

example, when a switch does not join a CSS, the interface number

is GigabitEthernet1/0/1; when the switch joins a CSS, the interface number

is GigabitEthernet2/1/0/1 if the CSS ID is 2.

Different from the service traffic forwarded on a single switch, the service traffic

forwarded between two switches of the CSS needs to pass through the switching fabric

twice. Similar to the single switch, the CSS also processes the packet content in both

inbound direction and outbound direction.

Two switches form a CSS. To ensure reliable traffic transmission, an inter-chassis Eth-

Trunk interface is configured as the outbound interface of traffic. Data from a downstream

switch enters the CSS from the Eth-Trunk interface and is forwarded preferentially through

the local upstream Eth-Trunk to an upstream switch.

When a member interface in the Eth-Trunk fails, traffic can be transmitted between

devices through CSS links. This ensures reliable data transmission.

After you enable the CSS function and restart the device immediately, the system adds file

name extension .bak to the previous configuration file.

If the original file name extension of the configuration file is .cfg, the file name

extension of the backup configuration file is .cfg.bak.

If the original file name extension of the configuration file is .zip, the file name

extension of the backup configuration file is .zip.bak.

If you want to restore the original configuration after disabling the CSS function, change

the extension of the backup configuration file and specify the file as the configuration file

for next startup. Then restart the device to restore the original configuration.

Automatic configuration file backup prevents configuration loss caused by incorrect

operations. It is recommended that you save the configuration manually when upgrading

the system software and adjusting the network.

After the active/standby switchover is performed on SRUs on the master switch or standby

switch, the roles of the switch and SRU changes as follows:

When an active/standby switchover is performed on the two SRUs of the master

switch:

The standby switch becomes the master switch, and the previous standby

SRU of the CSS becomes the new active SRU of the CSS.

The master switch becomes the standby switch.

The previous active SRU of the CSS restarts. The candidate standby SRUs of

the previous master switch becomes the standby SRU of the CSS and

synchronizes data from the new active SRU of the CSS.

When an active/standby switchover is performed on the two SRUs of the standby

switch:

The master switch and the standby switch do not change their roles.

The active SRU of the standby switch (the previous standby SRU of the CSS)

restarts. The candidate standby SRUs of the CSS becomes the standby SRU of

the CSS and synchronizes data from the active SRU of the CSS.

Clustering through CSS cards on the MPUs: Inter-chassis unicast packets are forwarded

along the following path: SFU on the MPU of the local chassis > CSS card on the local

chassis > cluster cable > SFU on the MPU of the peer chassis > LPU on the peer chassis >

the corresponding port.

Service port connection mode: Inter-chassis unicast packets are forwarded in a similar

manner as in clustering through CSS cards on the MPUs. Packets are forwarded through

the SFUs of both the local and peer chassis before they reach the corresponding port.

Clustering through CSS cards on the SFUs: Inter-chassis unicast packets are forwarded

along the following path: SFU of the local chassis > CSS card on the local chassis > cluster

cable > SFU of the peer chassis > LPU on the peer chassis > the corresponding port.

Compared with clustering through CSS cards on the MPUs and the service port connection

mode, clustering through CSS cards on the SFUs forwards packets through the SFUs

directly without the need to send packets to the MPUs. In addition, the S12700 provides

an independent monitoring/power supply plane1 which ensures that LPUs can function

normally and data packets can be forwarded uninterruptedly when all MPUs in either

chassis are faulty or removed. If all MPUs of the master switch are faulty or removed, a

master/standby switchover is triggered. The S12700 cluster can run normally even when

the standby chassis has no MPU installed. During this process, the cluster sends an alarm

every 30 minutes, indicating that the standby chassis has no MPU installed. The alarm ID

and name are CSSM_1.3.6.1.4.1.2011.5.25.183.3.3.2.16 and hwCssStandbyError. You

can only run the display commands but cannot use the configuration commands when the

standby chassis has no MPU installed. You are advised to install an MPU to the standby

chassis to improve the system reliability.

In the CSS system, if the MPU fails to receive the heartbeat packet from the LPU within 20

seconds, the possible causes are as follows:

All CSS cards are unavailable or reset.

All CSS cards are Down.

One of the two switches is disabled from being CSSed.

Two MPUs of the standby switch are reset using management devices.

If the two switches run normally after the CSS splits, they use the same IP address and

same MAC address to communicate with other devices on the network because their

global configurations are the same. This causes conflicts of IP addresses and MAC

addresses and faults on the entire network. To rectify these faults, use Multi-Active

Detection.

When a CSS splits, two CSS (enabled with CSS) with the same IP address and MAC

address exist on the network. That is, a Multi-Active scenario occurs. To improve system

availability after a CSS splits, a mechanism is required to detect a Multi-Active scenario

and take recovery action.

Multi-Active detection (MAD) is a method to detect a Multi-Active scenario and take

recovery action, ensuring network stability.

MAD in direct mode

MAD is performed between member switches in a CSS using a dedicated direct link.

MAD in relay mode

MAD is configured on the inter-chassis Eth-Trunk in a CSS, and MAD in relay mode

is configured on the proxy device.

After a CSS splits into multiple CSSs, the CSSs exchange MAD competition packets on the

MAD link. The CSS compares information in the received packet with local competition

information. The rules for electing the CSS master are the same as the rules for electing

the master switch. If the switch in the CSS is elected as the master switch, the switch

remains in Active state and continues forwarding service packets. If the switch in the CSS

is elected as the standby switch, the switch shuts down all its service interfaces except

those excluded from shutdown, enters the Recovery state, and stops forwarding service

packets.

After the CSS link recovers, the switch in Recovery state restarts and restores all the

blocked service interfaces, and the CSS recovers.

CSS fast upgrade provides a non-stop traffic forwarding mechanism when the software of

member devices is being upgraded. This minimizes the upgrade impact on services.

When fast upgrade is performed, the standby switch restarts with the new version and

completes the upgrade. Data is forwarded by the master switch. If the upgrade fails, the

standby switch restarts and rolls back to the previous version. After completing the

upgrade, the standby switch becomes the master switch and transmits data. The previous

master switch restarts with the new version and becomes the standby switch after the

upgrade as shown in the figure.

Devices need to be dual-homed to the CSS and the CSS is configured to preferentially

forward local traffic. Otherwise, data transmission may be interrupted.

When fast upgrade is performed, the cluster will sends an alarm, indicating that the

standby chassis has no MPU installed.That’s ok.

There are two type of port in Service port connection:

Physical member port:

A physical member port is a service port used to set up a cluster link between

CSS member switches. Physical member ports forward service packets or CSS

protocol packets between member switches.

Logical CSS port:

A logical CSS port is bound to physical member ports for CSS connection. Each

CSS member switch supports two logical CSS ports.

Pay attention to the following points:

S9703 and S7703 do not support CSS;

S9706 and S9712 can form a CSS;

S7706 and S7712 can form a CSS.

For details of Software and Hardware Requirements of a CSS, see the product document.

The numbers in red in this figure are sequence numbers of labels. You must connect all the

ports in full meshed mode based on the sequence numbers.

Each CSS card provides eight SFP+ ports. Ports numbered from 1 to 4 belong to one

group, and ports numbered 5 to 8 belong to the other group. Ports in one group can be

randomly connected to any port in the corresponding group and at least one port in a

group must be connected. Full meshed connection is recommended.


Service ports are connected in two ways according to link distribution:

1+0 networking: Each member switch has one logical CSS port and connects to

another member switch through the physical member ports located on the same

service card.

1+1 networking: Each member switch has two logical CSS ports, and physical

member ports of the logical CSS ports are located on two service cards. Cluster links

on the two service cards implement link redundancy.


The two chassis must be connected by one cluster cable at least.

It is recommended that you connect the same number of cluster cables to the CSS cards (if

not, the total cluster bandwidth will be affected) and connect CSS ports on the two

member switches based on port numbers.

It is recommended that you connect the same number of cluster cables to the CSS cards (if

not, the total cluster bandwidth will be affected) and connect CSS ports on the two

member switches based on port numbers.

If the SFU model used in the member switches is ET1D2SFUD000, it is recommended that

the number of cluster cables connected to each CSS card be an even number.

S12700 and S9700 use the same CSS Card：EH1D2VS08000.

As the network scale rapidly increases, a core switch cannot satisfy data forwarding

requirements. The data forwarding capability needs to be doubled while the return on

investment (ROI) is maximized. In addition, network reliability needs to be improved

through redundancy backup to manage and maintain the network easily.

Configure the CSS ID, CSS priority, and connection mode of a switch to form a CSS.

Configure a CSS interface to forward data packets between member switches.

Multiple physical member interfaces can be added to a CSS interface to improve the

bandwidth and reliability of a CSS link.

Enable the CSS function on switches to make the configuration take effect and set up a

CSS successfully. Use CSS cables or optical fibers to connect CSS interfaces on devices and

restart the devices.

The set css priority command sets the CSS priority of a member switch in a CSS.

By default, the CSS priority of a member switch is 1.

After setting a CSS priority, restart the switch to make the configuration take effect.

If you do not specify chassis chassis-id in the command, the command takes effect

only on the master switch.

The set css mode command configures the CSS connection mode of devices.

By default, CSS card connection is used.

After the CSS connection mode is changed, the configuration takes effect only after

the device is restarted.

The two connection modes cannot be used at the same time and cannot be

switched dynamically.

When devices have SRUA/SRUBs installed, both connection modes can be used.

When devices have SRUDs installed, only service interface connection is supported

and this command is not supported.

The interface css-port command configures a CSS interface and displays the CSS

interface view.

port-id specifies the ID of a CSS interface.

The value is in the format of CSS ID/CSS interface sequence number.

The CSS ID and CSS interface sequence number can only be 1 or 2.

Only a CSS connected through service interface connection supports this command.

You can configure a maximum of two CSS interfaces on a device.

If a CSS interface is canceled, all physical member interfaces added to the CSS interface

will be deleted. If all the CSS interfaces are canceled, a CSS splits.

A CSS interface maps a board. Physical member interfaces on two boards cannot be

added to the same CSS interface.

A CSS interface can be connected to one only CSS interface but not two CSS interfaces.

Before running the undo interface css-port command to cancel a CSS interface, run

the shutdown interface command to shut down all the physical member interfaces of

the CSS interface.

The port interface enable command configures a specified interface as a physical member

interface, and adds the physical member interface to a CSS interface.

If a service interface is configured as a physical member interface, the interface is used

for only CSS communication but not service transmission.

Only a CSS connected through service interface connection supports this command.

Interfaces on a board can only be added to one CSS interface.

To restore a physical member interface as a service interface, run the shutdown

interface command in the CSS interface view and then run the undo port interface

enable command.

The css enable command enables the CSS function on a device.

After running the css enable or undo css enable command, restart the device

immediately to make the configuration take effect. Otherwise, the configuration does

not take effect and you need to run the command again.

You can use the css enable command only when the CSS function is disabled.

You can use the undo css enable command only when the CSS function is enabled.

If you do not specify the chassis chassis-id parameter in the undo css

enable command, the CSS function is disabled only on the master switch.

If you use the all keyword in the undo css enable command, the CSS function is

disabled on both the master and standby switches. If the configuration fails on one

switch, the CSS function fails to be disabled on the two switches.

The set css id command sets the frame ID of a member switch in a CSS.

When setting up a CSS, run the set css id command to set different frame IDs for

the two member switches. The frame IDs of the two switches in a CSS must be 1

and 2; otherwise, the CSS cannot be set up.

After setting a frame ID, restart the switch to make the configuration take effect.

If you do not specify chassis chassis-id in the command, the command takes effect

only on the master switch.

Enable switch: Whether the CSS function is enabled:

On: enabled

Off: disabled

CSS master force: Whether the local switch is specified as the master switch in the CSS. To

specify the master switch, run the css master force command.

CSS status: Status of the device in the CSS

single: The device is the only member switch of the CSS.

master: The device is the master switch.

backup: The device is the standby switch.

unknown: The status of the device is unknown.

CSS mode: CSS connection mode

lpu: service interface connection

css-card: CSS card connection

When the CSS splits because of a CSS link fault and there are two CSSs with the same

configuration on the network, you can use MAD to reduce the impact of a CSS split on

the network.

The mad detect mode direct command configures Multi-Active detection (MAD) in

direct mode on an interface.

After MAD in direct mode is configured on an interface, the interface is blocked and

service forwarding is affected. Disabling MAD in direct mode on an interface

restores the forwarding function on the interface. If a loop exists on the network, a

broadcast store occurs.

The display mad command displays the Multi-Active detection (MAD) configuration.

Multi-Active direct detection enabled: MAD in direct mode is configured.

Multi-Active relay detection enabled: MAD in relay mode is configured.

Multi-Active relay interfaces configured: Interface on which the relay function is

configured.

Current MAD status

Detect: The CSS is running properly.

Recovery: In a Multi-Active scenario, the switch that fails master switch

election enters the Recovery state and blocks all of its service interfaces except

those excluded from shutdown.

Multi-Active direct detect interfaces configured: Interface on which MAD in direct

mode is configured.

Multi-Active relay detect interfaces configured: Interface on which MAD in relay

mode is configured.

Excluded ports(configurable): Interfaces excluded from shutdown.

Excluded ports(can not be configured): Default interfaces excluded from shutdown.

After a CSS is divided because of a link failure, configuration collision between two CSSs

occurs. MAD can be used to detect a Multi-Active scenario caused by CSS division and

take recovery action, ensuring network stability.

The mad detect mode relay command configures Multi-Active detection (MAD) in relay

mode on an interface.

This command is run under Eth-Trunk interface view.

The mad relay command enables the relay function on a specified interface of a proxy

device.

In MAD in relay mode, you need to use the mad relay command to configure the

relay function on a specified Eth-Trunk interface of a proxy device. Member

interfaces of the Eth-Trunk interface forward MAD packets to each other so that

member switches can exchange MAD packets.

When higher uplink bandwidth is required, you can connect a new member switch to the

original one using cluster cables so that the two switches set up a CSS. Then bundle

physical links of the member switches into a link aggregation group to increase the uplink

bandwidth.

Downstream switches connect to the CSS through inter-chassis Eth-Trunks. This

networking implements redundancy between devices and links, enhancing network

reliability.

Two switches are virtualized into a logical switch. This simplified network does not require

MSTP or VRRP, so network configuration is much simpler. Inter-chassis link aggregation

also speeds up network convergence and improves network reliability.

Long-distance clustering enables switches far from each other to form a CSS, users on

each floor of two buildings connect to the aggregation switches through respective

corridor switches. The aggregation switches connect users to the external network. The

aggregation switches in the two buildings can be connected using cluster cables to form a

CSS. The two aggregation switches then work like one device, simplifying the network

structure. The device management and maintenance costs are therefore reduced. In

addition, two links to the external network are available to users in each building, which

greatly improves service reliability.

Answers:

False. S9703 does not support CSS.

False. When a device enters the CSS state, it automatically backs up the previous

configuration file.

NTP is evolved from the Time Protocol and the ICMP Timestamp message but is specifically

designed to maintain accuracy and robustness.

NTPv1 puts forward complete NTP rules and algorithms for the first time, but it does

not support authentication and control messages.

NTPv2 supports authentication and control messages.

NTPv3 uses correctness principles and improves clock selection and filter algorithms,

and it is widely used.

NTPv3 only applies to an IPv4 network. As IPv6 develops and network security

requirements grow, NTPv4 is produced. NTPv4, an extension of NTPv3, is

compatible with NTPv3.

NTPv4 applies to both IPv4 and IPv6 networks.

NTPv4 provides a complete encryption and authentication system so it is more

secure than NTPv3.

As network topologies become increasingly complex, clock synchronization becomes more

important for devices on the entire network. If a system clock is modified manually by

network administrators, the workload is heavy and the modification is error-prone, which

affects clock precision. NTP is formulated as a networking protocol for clock

synchronization between devices on a network.

NTP applies to the following situations where all the clocks of the devices on a network

need to be consistent: In network management, analysis of logs or debugging messages

collected from different routers requires time for reference.

An accounting system requires that the clocks of all the devices be consistent.

When several systems work together to process a complicated event, they have to

refer to the same clock to ensure a correct execution order.

Incremental backup between a backup server and clients requires that their clocks

be synchronized.

Some applications need to obtain the time in which a user logs in a system and a

document is modified.

Presuming that:

Before the clocks of RouterA and RouterB are synchronized, the clock of RouterA is

10:00:00 a.m. and the clock of RouterB is 11:00:00 a.m.

RouterB acts as an NTP time server, and RouterA must synchronize its clock with

that of RouterB.

It takes one second to unidirectionally transmit an NTP message between RouterA

and RouterB.

Both RouterA and RouterB take one second to process an NTP message.

The process of synchronizing the system clock is as follows:

RouterA sends an NTP message to RouterB. The message carries an initial

timestamp, 10:00:00 a.m. (T1), indicating the time when it leaves RouterA.

When the NTP message reaches RouterB, RouterB adds the timestamp 11: 00:01

a.m. (T2) to the NTP message, indicting the time when RouterB receives the

message.

When the NTP message leaves RouterB, RouterB adds the transmit timestamp

11:00:02 a.m. (T3) to the NTP message, indicating the time when the message

leaves RouterB.

When RouterA receives this response message, it adds a new receive timestamp,

10:00:03 a.m. (T4).

NOTE:

The preceding example is only a brief description of the operating principle of NTP.

In fact, NTP uses the standard algorithms in RFC 1305 to ensure the precision of

clock synchronization.

In a synchronization subnet, the primary time server sends time information to other

secondary time servers using the NTP protocol. The secondary time servers then

synchronize their clocks with the primary time server. These servers are hierarchically

connected, and each level of the hierarchy is called a stratum and assigned a layer number.

For example, the primary time server is a stratum 1 server, the secondary time servers are

stratum 2 servers, and following strata can be obtained by analogy. A larger clock stratum

indicates lower precision.

The NTP network architecture involves the following concepts:

Synchronization subnet consists of the primary time server, secondary time servers,

clients, and interconnecting transmission paths.

Primary time server directly synchronizes its clock with a standard reference clock

using a cable or radio. The standard reference clock is usually a radio clock or the

Global Positioning System (GPS).

Secondary time server synchronizes its clock with the primary time server or other

secondary time servers on the network. A secondary time server transmits the time

information to other hosts on a LAN through NTP.

Stratum is a hierarchical standard for clock synchronization. It represents precision of

a clock. The value of a stratum ranges from 1 to 16. A smaller value indicates higher

precision. The value 1 indicates the highest clock precision, and 16 indicates that the

clock is not synchronized.

Under normal circumstances, the primary time server and the secondary time servers in a

synchronization subnet are arranged in a hierarchical-master-slave structure. In this

structure, the primary time server is located at the root, and the secondary time servers are

arranged close to leaf nodes. As their strata increase, the precision decreases accordingly.

The extent to which the precision of the secondary time servers decreases depends on

stability of network paths and the local clock.

NOTE: When the synchronization subnet has multiple primary time servers, the optimal

server can be selected using an algorithm.

Such a design ensures that:

When faults occur in one or more primary/secondary time servers or network paths

interconnecting them, the synchronization subnet will automatically be

reconstructed into another hierarchical-master-slave structure to obtain the most

precise and reliable time.

When all primary time servers in the synchronization subnet become invalid, a

standby primary time server runs.

When all primary time servers in the synchronization subnet become invalid, other

secondary time servers are synchronized among themselves. These secondary time servers

become independent of the synchronization subnet and automatically run at the last

determined time and frequency. When a router with a stable oscillator becomes

independent of the synchronization subnet for an extended period of time, its timing error

can be kept less than several milliseconds in a day because of highly precise calculations.

A device on the network can synchronize its clock in the following manners.

Synchronizing with the local clock: The local clock is used as the reference clock.

Synchronizing with another device on the network: This device is used as an NTP

clock server to provide a reference clock for the local clock.

If both manners are configured, the device selects an optimal clock source by comparing

the clocks determined in the two manners. The clock of a lower stratum is preferred.

You can select an appropriate operating mode as required. When an IP address of the NTP

server or peer device cannot be determined or a large number of devices require

synchronization on a network, the broadcast or multicast mode can be used for clock

synchronization. In server and peer mode, the devices synchronize their clocks with a

specified server or peer, which increases clock reliability.

The unicast server/client mode runs on a higher stratum on a synchronous subnet. In this

mode, devices need to obtain the IP address of the server in advance.

Client: A host running in client mode (client for short) periodically sends packets to

the server. The Mode field in the packets is set to 3, indicating that the packets are

coming from a client. After receiving a reply packet, the client filters and selects

clock signals, and synchronizes its clock with the server that provides the optimal

clock. A client does not check the reachability and stratum of the server. Usually, a

host running in this mode is a workstation on a network. It synchronizes its clock

with the clock of a server but does not change the clock of the server.

Server: A host running in server mode (server for short) receives the packets from

clients and responds to the packets received. The Mode field in reply packets is set

to 4, indicating that the packets are coming from a server. Usually, the host running

in server mode is a clock server on a network. It provides synchronization

information for clients but does not change its own clock.

During and after the restart, the host operating in client mode periodically sends NTP

request messages to the host operating in server mode. After receiving the NTP request

message, the server swaps the position of destination IP address and source IP address,

and the source port number and destination port number, fills in the necessary

information, and sends the message to the client. The server does not need to retain state

information when the client sends the request message. The client freely adjusts the

interval for sending NTP request messages according to the local conditions.

In symmetric peer mode, the symmetric active peer initiates an NTP packet with the Mode

field set to 3 (the client mode), and the symmetric passive peer responds with an NTP

packet with the Mode field set to 4 (the server mode). This interaction creates a network

delay so that devices at both ends enter the symmetric peer mode.

Symmetric active peer: A host that functions as a symmetric active peer sends

packets periodically. The value of the Mode field in a packet is set to 1. This

indicates that the packet is sent by a symmetric active peer, without considering

whether its symmetric peer is reachable and which stratum its symmetric peer is on.

The symmetric active peer can provide time information about the local clock for its

symmetric peer, or synchronize the time information about the local clock based on

that of the symmetric peer clock.

Symmetric passive peer: A host that functions as a symmetric passive peer receives

packets from the symmetric active peer and sends reply packets. The value of the

Mode field in a reply packet is set to 2. This indicates that the packer is sent by a

symmetric passive peer. The symmetric passive peer can provide time information

about the local clock for its symmetric peer, or synchronize the time information

about the local clock based on that of the symmetric peer clock.

The prerequisite for having a host run in symmetric passive mode is that: The host receives

an NTP packet from a symmetric peer running in symmetric active peer mode. The

symmetric active peer has a stratum lower than or equal to that of the host, and is

reachable from the local host.

The broadcast mode is applied to the high speed network that has multiple workstations

and does not require high accuracy. In a typical scenario, one or more clock servers on the

network periodically send broadcast packets to the workstations. The delay of packet

transmission in a LAN is at the milliseconds level.

Broadcast server: A host that runs in broadcast mode sends clock synchronization

packets to the broadcast address 255.255.255.255 periodically. The value of the

Mode field in a packet is set to 5. This indicates that the packet is sent by a host that

runs in broadcast mode, without considering whether its peer is reachable and

which stratum its peer is on. The host running in broadcast mode is usually a clock

server running high-speed broadcast media on the network, which provides

synchronization information for all of its peers but does not alter the clock of its

own.

Broadcast client: The client listens to the clock synchronization packets sent from

the server. When the client receives the first clock synchronization packet, the client

and server exchange NTP packets whose values of Mode fields are 3 (sent by the

client) and the NTP packets whose values of Mode fields are 4 (sent by the server).

In this process, the client enables the server/client mode for a short time to

exchange information with the remote server. This allows the client to obtain the

network delay between the client and the server. Then, the client returns the

broadcast mode, and continues to sense the incoming clock synchronization packets

to synchronize the local clock.

Multicast mode is useful when there are large numbers of clients distributed in a network.

This normally results in large number of NTP packets in the network. In the multicast

mode, a single NTP multicast packet can potentially reach all the clients on the network

and reduce the control traffic on the network.

Multicast server: A server running in multicast mode sends clock synchronization

packets to a multicast address periodically. The value of the Mode field in a packet is

set to 5. This indicates that the packet is sent by a host that runs in multicast mode.

The host running in multicast mode is usually a clock server running high-speed

broadcast media on the network, which provides synchronization information for all

of its peers but does not alter the clock of its own.

Multicast client: The client listens to the multicast packets from the server. When the

client receives the first broadcast packet, the client and server exchange NTP packets

whose values of Mode fields are 3 (sent by the client) and the NTP packets whose

values of Mode fields are 4 (sent by the server). In this process, the client enables the

server/client mode for a short time to exchange information with the remote server.

This allows the client to obtain the network delay between the client and the server.

Then, the client returns the multicast mode, and continues to sense the incoming

multicast packets to synchronize the local clock.

Manycast mode is applied to a small set of servers scattered over the network. Clients can

discover and synchronize to the closest manycast server. Manycast can especially be used

where the identity of the server is not fixed and a change of server does not require

reconfiguration of all the clients in the network.

Manycast server: The manycast server continuously listens to the packets. If a server

can be synchronized, the server returns a packet (the Mode field is set to 4) by using

the unicast address of the client as the destination address.

Manycast client: The client in manycast mode periodically sends request packets (the

Mode field is set to 3) to an IPv4/IPv6 multicast address. After receiving a reply

packet, the client filters and selects clock signals, and synchronizes its clock with the

server that provides the optimal clock.

To prevent the client from constantly sending NTP request packets to the manycast server

and reduce the load of the server, the NTP protocol defines a minimum number of

connections. In manycast mode, the client records the number of connections established

every time it synchronizes clock with the server. The minimum number of connections is

the minimum number of connections called during a synchronization process. If the

number of connections called by the client reaches the minimum number during

subsequent synchronization processes and the synchronization is completed, the client

considers that the synchronization is completed. After that, the client sends a packet every

time a timeout period expires to maintain the connection. The NTP protocol uses the time

to live (TTL) mechanism to ensure that the client can successfully synchronize with the

server. Every time the client sends an NTP packet, the TTL of the packet increases (the initial

value as 1) until the minimum number of connections is reached or the TTL value reaches

the upper limit. If the TTL reaches the upper limit or the number of connections called by

the client reaches the minimum number, but connections called by the client still cannot

complete the synchronizing process, the client stops data transmission in a timeout period

to eliminate all connections. Then the client repeats the preceding process.

If a source address from which NTP packets are sent is specified on the server, the address

must be the same as the server IP address configured on the client. Otherwise, the client

cannot process the NTP packets sent by the server, resulting in failed clock

synchronization.

Only after the clock on the server is synchronized, the server can function as a clock server

to which other devices can be synchronized.

Access Authority

A device provides access authority, which is simpler and more secure, to protect a local

clock.

NTP access control is implemented based on an access control list (ACL). NTP supports five

levels of access authority, and a corresponding ACL rule can be specified for each level. If

an NTP access request hits the ACL rule for a level of access authority, they are successfully

matched and the access request enjoys the access authority at this level.

When an NTP access request reaches the local end, the access request is successively

matched with the access authority from the maximum one to the minimum one. The first

successfully matched access authority takes effect. The matching order is as follows:

peer: indicating the maximum access authority. A time request may be made for the

local clock and a control query may be performed on the local clock. The local clock

can also be synchronized to a remote server.

server: indicating that a time request may be made for the local clock and a control

query may be performed on the local clock, but the local clock cannot be

synchronized with the clock of the remote server.

synchronization: indicating that only a time request can be made for the local clock.

1. query: indicating the minimum access authority. Only a control query can be

performed on the local clock.

2. limited: taking effect only when the KoD function is enabled. The rate of incoming

packets is controlled and the kiss code is sent after the KoD function is enabled.

KOD

The Kiss-o'-Death (KOD) is a brand new access control technology put forward by NTPv4,

and the KOD is mainly used for a server to provide information, such as a status report and

access control, for a client.

After the KOD is enabled on the server, the server sends the kiss code DENY or the kiss

code RATE to the client according to the operating status of the system.

When receiving the kiss code DENY, the client terminates all connections with the

server, and stops sending packets to the server.

When receiving the kiss code RATE, the client immediately shortens a poll interval

with the server. Every time the kiss code RATE is received after the first shortening

operation, the poll interval is further shortened

Authentication

The NTP authentication function can be enabled on networks demanding high security.

Different keys may be configured in different operating modes.

When a user enables the NTP authentication function in a certain NTP operating mode, the

system records the key ID in this operating mode.

Sending process

The system determines whether authentication is required in this operating mode. If

authentication is not required, the system directly sends a packet. If authentication is

required, the system encrypts the packet using the key ID and an encryption

algorithm and sends it.

Receiving process

After receiving a packet, the system determines whether the packet needs to be

authenticated. If the packet does not need to be authenticated, the system directly

performs subsequent processing on the packet. If the packet needs to be

authenticated, the system authenticates the packet using the key ID and a decryption

algorithm. If the authentication fails, the system directly discards the packet. If the

authentication succeeds, the system processes the received packet.

Configuration Roadmap

As is required by the user, the NTP protocol is used to synchronize clocks. The

configuration roadmap is as follows:

1. Configure RouterA as the primary time server.

2. The NTP unicast server/client mode is used to synchronize the clocks of RouterA

and RouterB. RouterA functions as the server, and RouterB functions as the client.

3. The NTP unicast server/client mode is used to synchronize the clocks of RouterB,

RouterC, and RouterD. RouterB functions as the server, while RouterC and RouterD

function as the clients.

4. RouterA and RouterB are connected through the network, which is not secure, so

that the NTP authentication function is enabled.

Configure IP addresses, and configure reachable routes between any two of RouterA,

RouterB, RouterC, and RouterD.

ntp-service refclock-master [ ip-address ] [ stratum ]. The ntp-service refclock-master

command sets the local clock to be the NTP primary clock that provides the synchronizing

time for other devices.。

The ntp-service authentication enable command enables identity authentication for

NTP.

ntp-service authentication-keyid key-id authentication-mode md5 password. The

ntp-service authentication-keyid command sets NTP authentication key.

You can configure multiple keys for each device. After the NTP authentication key is

configured, you need to set the key to reliable using the ntp-service reliable

authentication-keyid command. If you do not set the key to reliable, the NTP key does

not take effect.

Currently, the device supports only the MD5 key authentication algorithm.

You can configure a maximum of 1024 keys for each device.

If the NTP authentication key is a reliable key, it automatically becomes unreliable when

you delete the key. You do not need to run the undo ntp-service reliable

authentication-keyid command.

http://localhost:7890/pages/DEC1122X/02/DEC1122X/02/resources/dc/ntp-service_reliable_authentication-keyid.html

http://localhost:7890/pages/DEC1122X/02/DEC1122X/02/resources/dc/ntp-service_reliable_authentication-keyid.html

ntp-service unicast-server ip-address [ version number | authentication-keyid key-id |

maxpoll max-number | minpoll min-number | source-interface interface-type interface-

number | vpn-instance vpn-instance-name | preference ] *

The ntp-service unicast-server command configures the NTP server mode.

The display ntp-service status command displays the status of NTP.

Check the NTP status of RouterA, and you can find that the clock status is "synchronized",

indicating that the synchronization is complete. The stratum of the clock is 2, RouterA is

the primary time server.

Check the NTP status of RouterB, and you can find that the clock status is "synchronized",

indicating that the synchronization is complete. The stratum of the clock is 3, which is one

stratum lower than that of the clock of the server RouterA.

Check the NTP status of RouterC and RouterD, and you can find that the clock status is

"synchronized", indicating that the synchronization is complete. The stratum of the clock is

4, which is one stratum lower than that of the clock of the server RouterB.

Answer：

ABCDE

To visualize the quality of network services and allow users to check whether the quality of

network services meets requirements, the following measures must be taken:

Collect data on network devices to describe the quality of network services.

Deploy probe devices to monitor the quality of network services.

The preceding measures require devices to provide statistical parameters such as the delay,

jitter, and packet loss ratio and require dedicated probe devices. These requirements

increase investments on devices.

NQA can precisely test the network operating status and output statistics without using

dedicated probe devices, effectively saving costs.

NQA measures the performance of different protocols running on the network. It allows

you to collect network operation indexes in real time, such as the total HTTP connection

delay, TCP connection delay, DNS resolution delay, file transmission rate, FTP connection

delay, and DNS resolution error ratio.

Compared with NQA, the Ping program obtains only limited information though it can also

monitor the quality of network services. The following are differences between NQA and

Ping.

Functions Comparisons

NQA is the extended and enhanced version of Ping.

The Ping program can test only the round-trip time (RTT) of a packet and the

reachability of the destination. A client sends an Internet Control Message Protocol

(ICMP) Echo Request message to a remote client, expecting an ICMP Echo packet.

Besides testing the round-trip time (RTT) of ICMP packets, NQA can detect whether

network services, such as TCP, UDP, DHCP, FTP, HTTP, SNMP, DNS, Traceroute, and

LSP Ping/Traceroute, are enabled. In addition, NQA can test the response time of

each service and the network jitter through Jitter tests.

Configuration Comparisons

Run the ping command on the Console to test the reachability of a specified IP

address. The RTT or timeout period of every packet is also displayed in real time.

To display the statistics, you can run the command on the NQA client.

BFD is an international standardized technology, the mainstream network vendors have all

been achieved interoperability, while NQA is an independent R&D technology. They all

have its own advantages.

NQA and BFD all provides test results for other modules so that other modules can take

measures according to test results.

Network quality analysis (NQA) is a feature that the system provides to monitor network

quality of service (QoS) in real time and to locate and diagnose network faults.

Independent of the hardware, NQA functions on the link layer to measure the

performance of protocols running at the network layer, transport layer, and application

layer.

Constructing a test instance

NQA requires two test ends, an NQA client and an NQA server (or called the source

and destination). The NQA client (or the source) initiates an NQA test. You can

configure test instances through command lines or the NMS. Then NQA places the

test instances into test queues for scheduling.

Starting a test instance

When starting an NQA test instance, you can choose to start the test instance

immediately, at a specified time, or after a delay. A test packet is generated based

on the type of a test instance when the timer expires. If the size of the generated

test packet is smaller than the minimum size of a protocol packet, the test packet is

generated and sent out with the minimum size of the protocol packet.

Processing a test instance

After a test instance starts, the protocol-related running status can be collected

according to response packets. The client adds a timestamp to a test packet based

on the local system time before sending the packet to the server. After receiving the

test packet, the server sends a response packet to the client. The client then adds a

timestamp to the received response packet based on the current local system time.

This helps the client calculate the round-trip time (RTT) of the test packet based on

the two timestamps.

NOTE: In a jitter test instance, both the client and server add a timestamp to the sent and

received packets based on the local system time. In this manner, the client can calculate the

jitter value.

You can view the test results to learn about the network operating status and service

quality.

The source then can calculate the time for communication between the source and the

destination by subtracting the time the source sends the ICMP Echo Request packet from

the time the source receives the ICMP Echo Reply packet. The calculated data can reflect

the network operating status.

The ICMP test results and historical records are collected in test instances. You can run

commands to view the test results and historical records.

The process of an ICMP test:

1. The source (RouterA) constructs an ICMP Echo Request packet and sends it to the

destination (RouterB).

2. After receiving the ICMP Echo Request packet, the destination (RouterB) responds

the source (RouterA) with an ICMP Echo Reply packet.

An NQA trace test detects the forwarding path between the source and the destination

and collects statistics about each device along the forwarding path.

According to the ICMP packet received from each hop, the source obtains information

about the forwarding path from the source to the destination and statistics about each

device along the forwarding path. These statistics can reflect the forwarding path status.

The process of a trace test:：

1. The source constructs a UDP packet, with the TTL as 1, and sends the packet to the

destination.

2. After the first-hop router receives the UDP packet, it checks the TTL field and finds

that the TTL decreases to 0. Then RouterB returns an ICMP Time Exceeded packet.

3. After the source receives the ICMP Time Exceeded packet, it obtains the IP address

of the first-hop router and reconstructs a UDP packet, with the TTL as 2.

4. After the second-hop router receives the UDP packet, it checks the TTL field and

finds that the TTL decreases to 0. Then Router returns an ICMP Time Exceeded

packet.

5. The preceding process is repeated until the packet reaches the destination, which

then returns an ICMP Port Unreachable packet to the source.

In this example, the process is 1-2-3-5.

Through the DHCP test, you can get the time taken by the client to obtain its IP address

from the DHCP server. After the test is complete, the leased IP address is released. In the

DHCP test, you need to configure the source interface that sends the discovery packet to

the NQA server.

The process of a DHCP test:

1. The client broadcasts a DHCP Discovery packet through the interface that needs to

obtain an IP address to query a DHCP server. The Discovery packet is broadcast to

the network segment where the interface resides.

2. After receiving the Discovery packet, the DHCP server returns a DHCP Offer packet

carrying its own IP address, to the client.

3. The client broadcasts a DHCP Request packet to the network segment where the

interface resides. The Request packet contains the IP address of the DHCP server.

4. After receiving the Request packet, the DHCP server returns a DHCP ACK packet

carrying an IP address assigned to the interface.

After receiving the DHCP ACK packet, the client calculates the time taken to obtain

an IP address from the DHCP server by subtracting the time the client sends the

Discovery packet from the time the client receives the ACK packet.

A DHCP test only uses an interface to send DHCP packets and releases the DHCP lease

after obtaining an IP address for the interface. Therefore, the DHCP test does not consume

address resources of the DHCP server. The interface used in a DHCP server must be in Up

state.

The DHCP test results and historical records are collected in test instances. You can run


FTP tests are performed to obtain the time taken for the FTP client to set up a connection

with the FTP server and the time spent on packet transmission. To set up the connection

with the FTP server, you must first enter the IP address, user name, and password on the

FTP client. In FTP tests, you can perform the Put operation on a specified file and specify

the file size. In the Get operation, the time for downloading the file is recorded, whereas in

the Put operation, the time for uploading the file is recorded.

FTP test, based on TCP, is used to test the speed of downloading file from FTP server or

uploading file to FTP server. FTP test provides response time of two stages:

Control connection time: the time for the client setting up “three-way handshake”

with the FTP server and exchanging signaling.

Data connection time: the time for the client downloading specific file from FTP

server or uploading specific file to FTP server.

In an FTP test, the following data can be calculated based on the information in the

packets received by the client:

Minimum, maximum, and average time taken to set up a control connection

Minimum, maximum, and average time taken to set up a data connection

The FTP test results and historical records are collected in test instances. You can run


DNS tests are used to check whether the client can set up a DNS connection with the DNS

server and collect the time taken to respond to a DNS request packet. In DNS tests,

domain names are resolved into IP addresses. In addition, the time taken to set up a DNS

connection and return the response packet is recorded.

DNS test provides the speed of resolving the specific domain name into IP address. The

process of a DNS test:

1. The DNS client sends a DNS Query packet to the DNS server, requesting the server

to resolve a specified DNS name.

2. After receiving the Query packet, the DNS server constructs a Response packet and

sends it to the client.

3. After receiving the Response packet, the client calculates the difference between

the time the client sends the Query packet and the time the client receives the

Response packet to obtain the time taken to resolve the DNS name. This can reflect

DNS protocol performance on the network.

A DNS test only simulates the DNS resolution process but not saves the mapping between

domain names and IP addresses.

The DNS test results and historical records are collected in test instances. You can run


An NQA HTTP test obtains the responding speed in three phases:

DNS resolution: You can obtain the DNS resolution time, the period from when the

client (RouterA) sends a DNS packet to the resolver to resolve the name of the HTTP

server to an IP address to the time when the client receives a DNS resolution packet

containing the IP address.

TCP connection setup: You can obtain the time taken to set up a TCP connection

between the client and the HTTP server through three-way handshake.

TCP transaction: You can obtain the transaction time, the period from the time the

client sends a Get or Post packet to the HTTP server to the time the client receives a

response packet from the HTTP server.

NOTE: You can also obtain the time taken for the HTTP client to set up a connection with

the HTTP server and the time of packet transmission by directly entering the IP address of

the HTTP server.

In an HTTP test, the following data can be calculated based on the information in the

packets received by the client:

Minimum, maximum, and total time of DNS resolution

Minimum, maximum, and total time taken to set up a TCP connection

Minimum, maximum, and total HTTP transaction time

In TCP tests, you must configure the TCP service on the NQA server. The client then

originates a test to the specified IP address and port of the server. This test is used to

collect the time taken to set up a TCP connection.

TCP test provides the speed of three-way handshake between the client and TCP Server.

The process of a TCP test:

1. The client sends TCP SYN packet to TCP Server requesting a TCP connection.

2. Upon receiving the request, the TCP Server responds with a TCP SYN ACK packet.

3. The client receives the packet and sends an ACK packet as reply to set up

connection.

The process of a UDP test:

1. The source constructs a UDP packet and sends it to the destination.

2. After receiving the UDP packet, the destination returns the packet to the source.

After receiving the UDP packet, the source calculates the time taken for communication

between the source and the destination by subtracting the time the source sends the UDP

packet from the time the source receives the UDP packet. This can reflect network UDP

performance.

In SNMP tests, SNMPv1, SNMPv2c, and SNMPv3 packets are sent to the SNMP agent

simultaneously to query the status of the managed device. The agent returns an SNMP

response packet of a certain version. That is, if SNMPv1 is enabled on the agent, an

SNMPv1 response packet is returned. You can calculate the interval from the time a query

packet is sent to the time a response packet is received, based on the timestamp carried in

the packets.

SNMP test provides the speed of communication between the client and SNMP Agent. The

process of an SNMP test:

1. The source sends a request packet to the SNMP agent to obtain the system time.

2. After receiving the request packet, the SNMP agent queries the system time,

constructs a reply packet, and sends it to the source.

After receiving the reply packet, the source calculates the time taken for

communication between the source and the SNMP agent by subtracting the time

the source sends the request packet from the time the source receives the reply

packet. This can reflect network SNMP performance.

Jitter Tests

In Jitter tests, the sender periodically sends packets to the remote end, with every

packet being marked with a timestamp. After receiving a packet, the remote end

also marks the packet with a timestamp based on the local system time and returns

the packet to the sender. The sender then calculates the jitter time based on the

timestamp carried in the received packet. Jitter tests support the sending of a

maximum of 3000 packets continuously to simulate voice traffic. You can adjust the

number of packets to be sent through Licenses.

The process of a UDP jitter test:

The source sends packets to the destination at a specified interval.

After receiving a packet, the destination adds a timestamp to the packet and sends

it back to the source.

After receiving the returned packet, the source calculates the jitter by subtracting

the interval at which the source sends two consecutive packets from the interval at

which the destination receives the two consecutive packets.

The following data can be calculated based on information in the packets received by the

source:

Maximum, minimum, and average jitter of the packets from the source to the

destination and from the destination to the source.

Maximum unidirectional delay from the source to the destination or from the

destination to the source.

Networking Requirements

As shown in the figure, RouterA functions as an NQA client to test whether RouterB

is reachable.


Perform the NQA ICMP test function to test whether the packet sent by RouterA can

reach RouterB.

Perform the NQA ICMP test to obtain the RTT of the packet.

Key configuration commands

nqa test-instance admin-name test-name , The nqa command creates an NQA test instance

and enters the NQA view.

test-type { dhcp | dns | ftp | http | icmp | jitter | lspping | lsptrace | snmp | tcp | trace |

udp }, The test-type command configures the test type for an NQA test instance.

destination-address { ipv4 ipv4-address | ipv6 ipv6-address }, The destination-address

command specifies the destination address of an NQA test instance.

The start command sets the start mode and end mode for an NQA test instance. The start

now command performs a test instance immediately.

NQA test results cannot be displayed automatically on the terminal. To view NQA test

results, run the display nqa results command. NQA test results cannot be displayed

automatically on the terminal. To view NQA test results, run the display nqa results

command.

If no test instance is specified, the test result of the test instance is displayed in the

corresponding test instance view, and the test result of all test instances is displayed in the

system view or other views irrelevant to test instances. If a test instance is specified, the

test result of only this test instance is displayed.

The display nqa results collection command is used to display the statistics on

accumulative results. At present, only the jitter test supports the query of accumulated

results.

Output information discription

Send operation times—Number of sent packets.

Receive response times—Number of received response packets.

Attempts number—Test times.

Min/Max/Average Completion Time—Minimum/Maximum/Average time taken to

complete the test.

Sum/Square-Sum Completion Time—Sum and square sum of the time taken to

complete the test.


As shown in the figure, the performance of the FTP download function needs to be

checked.


Configure RouterA as an NQA client.

Configure RouterB as the FTP server. Log in to the FTP server using user name user1

and password Helloword@6789 to download file test.txt.

Create and start an FTP test instance on RouterA to check whether RouterA can set

up a connection with the FTP server and to obtain duration for downloading the file

from the FTP server.

Key Configuration Command

The ftp server enable command enables the FTP server function to allow FTP users

to log in to the FTP server.

The aaa command displays the Authentication, Authorization, and Accounting

(AAA) view.

The local-user command creates a local user and sets parameters of the local user.

The ftp-operation command sets the operation mode for an NQA FTP test instance. The

ftp-operation command can be used to specify the FTP operation mode as put or get. A

connection with the FTP server is set up using the IP address, the user name, and the

password of the FTP server, and the time to set up FTP connection is recorded.

The ftp-username command sets the user name for logging in to the FTP server in an FTP

test instance.

The ftp-password command sets a password for logging in to the FTP server in an NQA

FTP test instance.

The ftp-filename command configures the file name and file path for an NQA FTP test

instance.

NOTE:

During the FTP test, select a file of a small size. If the file is too large, the test may

fail because of timeout.

The file download operation cannot save the file to the local file system, but only

count the time taken to download the file. The system releases the memory

immediately after obtaining the data.

Output Information Description

SendProbe Number of sent probes.

ResponseProbe Number of received response probes.

CtrlConnTime Min/Max/Average Minimum, maximum, and average time

taken to set up a control connection

DataConnTime Min/Max/Average Minimum, maximum, and average time

taken to set up a data connection


As shown in the figure, a UDP Jitter test needs to be performed to obtain the jitter

time of transmitting a packet from RouterA to RouterC.


Configure RouterA as an NQA client and configure RouterC as an NQA server.

Configure the monitoring service type and port number on the NQA server.

Create a UDP Jitter test instance on the NQA client.

Key Configuration commands

nqa-server udpecho [ vpn-instance vpn-instance-name ]{ ip-address | ipv6 ipv6-

address } port-number, The monitoring IP address and port number of the UDP

server are configured. The nqa-server udpecho command configures the IP

address and port number for the UDP server in an NQA test.

UDP packets are transmitted in a jitter test. The test is used to obtain the packet

delay, jitter, and packet loss ratio by comparing timestamps in the request and

response packets. A UDP server needs to be configured for an NQA test to respond

to probe packets. If the client and the server are connected through a VPN, you

need to specify the VPN instance name.

The destination-port command configures the destination port number for an NQA

test.

The following data can be calculated based on information in the packets received by the

source:

Maximum, minimum, and average jitter of the packets from the source to the

destination and from the destination to the source.

Maximum unidirectional delay from the source to the destination or from the

destination to the source.

Output Information Description

Min/Max/Avg/Sum RTT--Minimum/Maximum/Average/Sum of the RTT.

RTT Square Sum— RTT square sum of the probes.

Min Positive SD—Minimum positive jitter from the source to the destination.

Min Positive DS—Minimum positive jitter from the destination to the source.

Positive SD Number—Number of the positive jitter from the source to the

destination.

Positive SD Sum——Sum of the positive jitter from the source to the destination.

Positive SD Square Sum——Square sum of the positive jitter from the source to

the destination.

You may often encounter such problems as intermittent network disconnections, failure to

access websites, slow Internet access, and slow file downloading. When this occurs, you

need to collect statistics about the device to locate the faults. These statistics need to be

provided by the device. As shown in the figure, users in different places connect to each

other over a VPN network. However, users reflect that the network is disconnected

intermittently and the network connection is slow.

You can deploy NQA on PEs to analyze network quality. Perform an ICMP test between

the PEs and CEs to check the continuity of the network. After confirming that the network

is correctly connected, perform a jitter test to measure the network jitter. Then perform

the same tests between the PEs. Analyze the test data and the faults that users encounter

for fault location.

The service level agreement (SLA) is a service agreement between a service provider and a

customer to ensure the service performance and reliability under specified costs.

NQA Overview—advantages of NQA, compare NQA with ping, BFD

NQA Principles and Implementation

NQA Execution Process

Implementation of NQA Tests

NQA Configuration Examples—configuration roadmap and key configuration command

NQA Typical Applications—Performing Network Diagnosis, Learning About Network

Service Quality and Associated with eSight SLA Component

Answer：ACD

Answer：ABD

CDP (Cisco Discovery Protocol) is similar to LLDP, but it is the Cisco proprietary link layer

discovery protocol.

An NMS must be capable of managing multiple network devices with diverse functions

and complex configurations. Most NMSs can detect Layer 3 network topologies, but they

cannot detect detailed Layer 2 topologies or detect configuration conflicts. A standard

protocol is required to exchange Layer 2 information between network devices.

The LLDP protocol provides a standard link-layer discovery method. Layer 2 information

obtained from LLDP allows the NMS to detect the topology of neighboring devices, and

display paths between clients, switches, routers, application servers, and network servers.

The NMS can also detect configuration conflicts between network devices and identify

causes of network failures. Enterprise users can use an NMS to monitor the link status on

devices running LLDP and quickly locate network faults.

LLDP is implemented as follows:

The LLDP module uses an LLDP agent to interact with the Physical Topology MIB,

Entity MIB, Interfaces MIB, and other MIBs to update the LLDP local system MIB and

LLDP local organizationally defined extended MIB.

The LLDP agent encapsulates local device information in LLDP frames and sends the

LLDP frames to remote devices.

After receiving LLDP frames from remote devices, the LLDP agent updates the LLDP

remote system MIB and LLDP remote organizationally defined extended MIB.

By exchanging LLDP frames with remote devices, the local device can obtain

information about remote devices, including remote interfaces connected to the

local device and MAC addresses of remote devices.

The LLDP local system MIB stores local device information, including the device ID, port ID,

system name, system description, port description, and management address.

The LLDP remote system MIB stores neighbor information, including the device ID, port ID,

system name, system description, port description, and management address of each

neighbor.

An LLDP frame is an Ethernet frame encapsulated with an LLDP data unit (LLDPDU).

An LLDPDU contains local device information and is encapsulated in an LLDP frame. Each

LLDPDU consists of several information elements known as TLVs that each includes Type,

Length, and Value fields. The local device encapsulates its local information in TLVs,

constructs an LLDPDU with several TLVs, and encapsulates the LLDPDU in the data field of

an LLDP frame.

LLDPDUs can encapsulate basic TLVs, TLVs defined by IEEE 802.1 working groups, TLVs

defined by IEEE 802.3 working groups, and Media Endpoint Discovery (MED) TLVs. Basic

TLVs are used for basic device management. The TLVs defined by IEEE 802.1 and IEEE

802.3 working groups, and MED TLVs defined by other organizations are used for

enhanced device management functions. A device determines whether to encapsulate

organizationally specific TLVs.

MED TLVs are related to voice over IP (VoIP) applications and provide functions such as

basic configuration, network policy configuration, address management, and directory

management. These TLVs meet the requirements of voice device manufacturers for cost

efficiency, easy deployment, and easy management. Use of these TLVs allows the

deployment of voice devices on Ethernet network. This brings great convenience for

manufacturers, sellers, and users of voice devices.

Additionally, in the Data Center Network scenario, DCBX TLV is introduced. Neighboring

nodes on data center networks use the Data Center Bridging Exchange (DCBX) protocol to

exchange and negotiate DCB information so that they have the same DCB information.

This prevents packet loss on the data center network. DCBX encapsulates DCB information

in DCBX TLVs and uses LLDP frames to exchange DCB information between neighboring

nodes.

LLDP frame transmission

After LLDP is enabled on a device, the device periodically sends LLDP frames to

neighbors. When the local configuration changes, the device sends LLDP frames to

notify neighbors of the changes. To reduce the number of LLDP frames sent when

the local information changes frequently, the device waits for a period before

sending the next LLDP frame.

The device starts fast transmission of LLDP frames in the following scenarios: when it

receives an LLDP frame with device information not in its MIB (a new neighbor is

discovered), when LLDP is enabled, or a when port transitions from Down to Up

state. When fast transmission starts, the local device sends LLDP frames at 1-second

intervals. After a specified number of LLDP frames have been sent at this interval,

the device reverts the previous transmission interval.

LLDP frame reception

An LLDP-capable device checks the validity of received LLDP frames and the TLVs in

those frames. When determining that an LLDP frame and its TLVs are valid, the local

device saves neighbor information and sets the aging time of neighbor information

on the local device to the TTL value carried in the received LLDPDU. If the TTL value

carried in the received LLDPDU is 0, the neighbor information ages out immediately.

CDP refers to Cisco Discovery Protocol and is the Cisco proprietary link layer discovery

protocol.

The lldp enable command enables LLDP globally.

LLDP can be enabled in the system view and the interface view.

After LLDP is enabled in the system view, all interfaces are enabled with LLDP.

After LLDP is disabled in the system view, all LLDP settings are restored to the

default settings except the setting of LLDP trap. Therefore, LLDP is also disabled on

all interfaces.

An interface can send and receive LLDP packets only after LLDP is enabled in both

the system view and the interface view.

After LLDP is disabled globally, the commands for enabling and disabling LLDP on an

interface do not take effect.

The display lldp neighbor brief command displays brief information about neighbors of

the device.

The lldp compliance cdp receive command enables CDP-compatible LLDP on an

interface.

The lldp compliance cdp txrx command enables an interface to exchange information

with CDP-capable devices.

The display cdp neighbor brief command displays brief information about CDP

neighbors of the device.

Answers:

ABCD

ABC

Communication between the manager and the agent process in two ways:

1. The manager request agent, ask a specific parameter values.((For example: How

many unreachable ICMP port appear?))

2. Agency initiative to report the manager there some important events occur.(For

example: a connection dropped)

Of course, It can also change agent values.(For example: The default IP TTL value is

changed to 64)

These operations, please four kinds of operations is a simple request - response mode (that

is, the management process to issue requests, the proxy process response response)

SNMP is built on the basis of the TCP / IP application layer protocols. SNMP NMS, provides

a simple command set, in accordance with the rules of the BER (Basic an Encoding the

Rules Basic Encoding Rules) form packets using UDP communication between the NMS

and the managed device.

Version version number.

Community Group Name field.

SNMP PDUs: SNMP PDU (Protocol Data Unit), the SNMP protocol data unit, the

SNMP payload.

SNMP UDP protocol, the first three requests issued by the management process operating

on UDP port 161 UDP port 162 Trap operation of the proxy process to issue.

Trap does not belong to the basic operation of the network management side of the

managed devices, it is the spontaneous behavior of the managed devices.

Device-side due to the trigger condition is met by the Agent to send traps to the NMS in

the network client workstation, to inform the equipment side. NMS from the receiving

agent to send Trap messages on UDP port 162, so that network managers will be able to

timely processing network. Such as the status change of the interface, the device side will

be sent to the network-side traps, network managers will be analyzed according to the

specific situation to make further processing.

Configuring Basic SNMPv2c Functions

Predecessors

Before completing the basic functions of configuration SNMPv2c, complete the following

tasks:

Configure the router's IP address

Routing protocols are configured to make up between the router and NM Station

Steps

(Optional)Run: snmp-agent，enableSNMP Agent function.

By default, the SNMP agent function is disabled. By executing the snmp-agent

command with any parameter enables the SNMP agent function.

Run: snmp-agent sys-info version v2c，the SNMP version is set to SNMPv2c.

By default, SNMPv1, SNMPv2c, and SNMPv3 are enabled.

Run: snmp-agent community { read | write } community-name [ mib-view view-name | acl

acl-number ] ，the community name is configured for the device. Meanwhile , provided

configuring mib-view view-name or acl acl-number ，restrict management rights of the

NMS.。

The community name will be saved in encrypted format in the configuration file.

After the read-and-write community name is set, the NMS with this name has the

right of the ViewDefault view (OID: 1.3.6.1). To change the access right of the NMS ,

you can set mib-view view-name or acl acl-number。

If configure mib-view view-name，you should run snmp-agent mib-view { excluded |

included } view-name oid-tree to create a MIB View，and restrict the access right of

the NMS.

If configure acl acl-number，you should set an ACL first，and restrict the access right

of the NMS.

(Optional)Run: snmp-agent mib-view view-name { exclude | include } subtree-name [ mask

mask ]，a MIB view is created, and manageable MIB objects are specified. By default, an

NMS has right to access the objects in the ViewDefault view.

If both the include and exclude parameters are configured for MIB objects that have

an inclusion relationship, whether to include or exclude the lowest MIB object will be

determined by the parameter configured for the lowest MIB object. For example, the

snmpV2, snmpModules, and snmpUsmMIB objects are from top down in the MIB

table. If the exclude parameter is configured for snmpUsmMIB objects and include is

configured for snmpV2, snmpUsmMIB objects will still be excluded.

Run: snmp-agent target-host trap-paramsname paramsname v2c securityname

securityname [ binding-private-value ] [ private-netmanager ]， parameters for

sending trap messages are set.

Run: snmp-agent target-host trap-hostname hostname address { ipv4-addr [ udp-port udp-

portid ] [ public-net | vpn-instance vpn-instance-name ] | ipv6 ipv6-addr [ udp-port udp-

portid ] } trap-paramsname paramsname，the destination host for receiving trap messages

and error codes is specified.

Note the following when running the command:

The default destination UDP port number is 162. To ensure secure communication

between the NMS and managed devices, run the udp-port command to change the

UDP port number to a non-well-known port number.

If trap messages sent from the managed device to the NMS need to be transmitted

over a public network, the parameter public-net needs to be configured. If trap

messages sent from the managed device to the NMS need to be transmitted over a

private network, the parameter vpn-instance vpn-instance-name needs to be

configured to specify a VPN that will take over the transmission task.

(Optional)Run: snmp-agent trap enable，the trap function is enabled for all modules.

Notice：For VRP，the alarm information generated by interface-name-change、port

、standard need to enable by runing snmp-agent trap enable.

(Optional) Run: snmp-agent trap source interface-type interface-number，sets the source

interface from which traps are sent.

The source interface that sends traps must have an IP address; otherwise, the

commands will fail to take effect. To ensure device security, it is recommended that

you set the source IP address to the local loopback address.

The source interface in traps on the device must be the same as the source interface

specified on the NM station. Otherwise, the NM station cannot receive traps.

Configuring Basic SNMPv2c Functions

Predecessors

Before completing the basic functions of configuration SNMPv2c, complete the following

tasks:

Configure the switch's IP address

Routing protocols are configured to make up between the switch and NM Station

Steps

(Optional) Run: snmp-agent，enabel the SNMP Agent function.

By default, the SNMP agent function is disabled. By executing the snmp-agent

command with any parameter enables the SNMP agent function.

Run: snmp-agent sys-info version v2c The SNMP version is set to SNMPv2c.

By default, SNMPv3 is enabled.

Run:snmp-agent community { read | write } { community-name | cipher community-name }

[ mib-view view-name | acl acl-number ] The community name is configured for the device.

Meanwhile , provided configuring mib-view view-name 或 acl acl-number ， restrict

management rights of the NMS.

Set cipher community-name , the community name will be saved in encrypted

format in the configuration file.

(Optional) Run:snmp-agent community complexity-check disable , the complexity

check of a community name is disabled.

(Optional) Run:snmp-agent trap enable，the trap function is enabled for all modules.

Notice：For VRP，the alarm information generated by interface-name-change、port

、standard need to enable by runing snmp-agent trap enable.

Run: snmp-agent target-host trap address udp-domain ip-address [ udp-port portnumber ] [

vpn-instance vpn-intance-name ] params securityname security-string [ v1 | v2c | v3 [

authentication | privacy ] ]，configure a destination IP address for the traps and error codes

sent from the device.

Note the following when running the command:

The default destination UDP port number is 162. To ensure secure communication

between the NMS and managed devices, run the udp-port command to change the

UDP port number to a non-well-known port number.

The parameter securityname identifies devices that send traps on the NMS.

If the NMS and managed device are both Huawei products, the parameter private-

netmanager can be configured to add more information to trap messages, such as

the alarm type, alarm serial number, and alarm sending time. The information will

help you locate and solve problems more quickly.

If trap messages sent from the managed device to the NMS need to be transmitted

over a public network, the parameter public-net needs to be configured. If trap

messages sent from the managed device to the NMS need to be transmitted over a

private network, the parameter vpn-instance vpn-instance-name needs to be

configured to specify a VPN that will take over the transmission task.

(Optional) Run: snmp-agent trap source interface-type interface-number，sets the source

interface from which traps are sent.

The source interface that sends traps must have an IP address; otherwise, the

commands will fail to take effect. To ensure device security, it is recommended that

you set the source IP address to the local loopback address.

The source interface in traps on the device must be the same as the source interface

specified on the NM station. Otherwise, the NM station cannot receive traps.

Note: Considering device security ， router or switch with different version has

requirements for community name complexity sometimes , such as default minimum

length of a community name or at least two kinds of characters included in a community

name.

SNMP parameters：

SNMP version: Currently, the SNMPv1, SNMPv2c, and SNMPv3 versions are

supported. The SNMPv3 version is applied in the scenario requiring high parameter

security level.

Read community: The read community name for eSight to send a read request to an

NE. The read operation is available when the read community name is the same as

that acknowledged by the NE.

Write community: The write community name for eSight to send a write request to

an NE. The write operation is available when the write community name is the same

as that acknowledged by the NE.

Timeout interval(s): The time when eSight waits for a response for an operation

request.

Resending times: The maximum number of times for eSight to resend an operation

requests when eSight configures SNMP parameters for an NE in the case that the

timer expires. If the actual number of times exceeds this value, operation fails.

NE port: SNMP communication port of the NE.

If you configure simple network management protocol (SNMP) parameters for an

NE, click Save Protocol Template to save the settings as an SNMP parameter

configuration template. If you need to configure SNMP parameters again, click Select

Protocol Template to select the saved protocol template to apply.

Discovering devices automatically by network segment

Users set the SNMP parameters，search for devices in batches by network segment.

eSight then adds the discovered devices automatically.

On eSight, the topology view displays the NE status and links between NEs. With topology

management, it is easy to visualize the architecture and determine the running status of all

Nes.

The network management system able to operate and control the equipments. For

example: the port of the device enable / disable

Through the SNMP protocol, equipment alarm initiative reported to the network

management system(NMS), the NMS received and displayed the alarms.

Answer：ABC

Documents

HCS-Field-R&S V1.1 Training Materials(March.4,2016)