
We have been using Huawei equipment in the public cloud product for a long time. We recently added the CloudEngine 6865 model to operation, and when adding new devices, the idea came up to share some kind of checklist or collection of basic settings with examples.
There are many similar instructions on the web for users of Cisco equipment. However, there are few such articles for Huawei and sometimes you have to look for information in the documentation or collect it from several articles. We hope it will be useful, let’s go!
In the article we will describe the following points:

Huawei Static Routing
A static route is a simple, manually configured route. On Huawei routers, static routing works much like it does on other platforms, such as Cisco or Nokia static routing.
The concept is simple:
You can download this configuration on Huawei eNSP Labs Page.
Huawei Static Route Configuration Example
Here, we will show Huawei Static Route Configuration on the below topology.

As you can see, we have two routers and two different networks, each unknown to the router at the other end. With static route configuration we will tell each router how to reach the far network. We will configure Router 1 first and then Router 2.
On Router 1, we will use one of the Huawei static routing configurations below. The three forms are equivalent; which one you use is a matter of preference.
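The three equivalent static route forms and the Router 2 counterpart, written out as an added example (this is not the original article's configuration; the link addresses 10.0.0.1/10.0.0.2, the LANs 192.168.1.0/24 and 192.168.2.0/24 and the interface name GigabitEthernet0/0/0 are assumed). Lines starting with # are comments for the reader.

```text
# Router 1: reach the LAN behind Router 2 (192.168.2.0/24) via the link address 10.0.0.2
system-view
# form 1: dotted-decimal mask
ip route-static 192.168.2.0 255.255.255.0 10.0.0.2
# form 2: prefix length instead of a mask (same route)
ip route-static 192.168.2.0 24 10.0.0.2
# form 3: outgoing interface named together with the next hop (same route)
ip route-static 192.168.2.0 24 GigabitEthernet0/0/0 10.0.0.2
return

# Router 2: reach the LAN behind Router 1 (192.168.1.0/24) via 10.0.0.1
system-view
ip route-static 192.168.1.0 24 10.0.0.1
return

# Verify on either router: only the static entries are listed
display ip routing-table protocol static
```

Pick one form per prefix; entering all three on a real device only creates the same route once. Naming the outgoing interface (form 3) is useful on point-to-point links where the next-hop address may not be resolvable by ARP.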

Topology in attachment.
VID Type Ports
————————————————— ——————————
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) GE0/0/4(U)
GE0/0/5(U) GE0/0/6(D) GE0/0/7(U) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(U) GE0/0/22(U) GE0/0/23(D) GE0/0/24(D)
XGE0/0/1(D) XGE0/0/2(D) XGE0/0/3(D) XGE0/0/4(D)
VID Status Property MAC-LRN Statistics Description
————————————————— ——————————
1 enable default enable disable VLAN 0001
Interface IP Address/Mask Physical Protocol
NULL0 unassigned up up(s)
Vlanif1 192.168.14.14/24 up up
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.14.0/24 Direct 0 0 D 192.168.14.14 Vlanif1
192.168.14.14/32 Direct 0 0 D 127.0.0.1 Vlanif1

Let’s look at a specific example. Let’s say we have a Huawei S5720-52X-PWR-SI-AC switch in our hands (140-150 thousand rubles at the time of writing), which we want to configure as an access-layer device for a large office. What tasks are assigned to us?
1. We will connect to the distribution layer using an aggregated LACP interface;
2. We will use a voice VLAN on access ports so that a computer and a phone share one port;
3. We will put network printers and other MFPs in a separate VLAN;
4. We will connect Wi-Fi access points with a trunk whose PVID is the management VLAN;
5. To avoid problems, we will enable DHCP snooping in all VLANs.
Go to configuration mode:
Let’s give the switch a name so as not to get confused later, like access-sw01:
Now we need to bear in mind that we will use a voice VLAN: our phones will receive their settings via LLDP or CDP, so later we will enable compatibility with CDP, Cisco’s proprietary protocol. For now, let’s enable LLDP globally.
Let’s enable DHCP snooping right away, and before that DHCP itself:
Let’s create a management VLAN, let it be 100:
And enable DHCP Snooping in it:
Now let’s exit the VLAN configuration tree.
Assign the privilege level right away; this works much like on Cisco:
And set up remote access for our user:
Let’s remove the option to request a password change (it prompts you to change the password after a certain time):
Now enable SSH on the device:
And immediately create SSH keys:
Activate SSH access on lines:
Set up the switch management interface. We decided that it will be VLAN 100, it remains to assign it an IP:
And configure the default gateway:
Now let’s start setting up the uplink. As we remember, you need to raise the aggregated interface using the LACP protocol. For them, we use 10Gbit interfaces that are available on this switch. Huawei calls it Ether-Trunk, let’s go set it up:
Now let’s say which ports will be included in the aggregated interface, a couple is enough for us:
Set the protocol for its operation:
The interface is created; now let’s configure it for the task. It faces the core, so it will be a trunk carrying all available VLANs and a trusted port for DHCP snooping:
The uplink is set up, let’s move on to the user ports. Ports 1-46 will be for users, so we will configure voice and access VLANs on them.
This setting differs from Cisco. We switch the port to hybrid mode, then assign the voice VLAN and carry it on the port as tagged.
We set the untagged VLAN in the same place and specify the corresponding PVID.
Our port is purely client-facing, so let’s disable STP on it.
Port 47 will be configured for printers: a plain access port in the required VLAN:
We will configure port 48 for a Wi-Fi access point. Several SSIDs will be served on it, so we will configure it as a trunk. The access point needs to be managed, so the management VLAN must be added there as well:
In general, the initial setup is completed. Exit system view with Ctrl+Z and save:
And a couple of useful commands:
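The whole procedure above, assembled into one VRP configuration as an added example (this is not the article's own listing, which was lost from the page). Assumptions: data VLAN 10, voice VLAN 20, printer VLAN 30, management VLAN 100 with address 10.0.100.2/24 and gateway 10.0.100.1, the two 10G uplinks XGigabitEthernet0/0/1-2, a local administrator named netadmin, and CHANGE-ME-PLACEHOLDER standing in for real secrets. The password-expiry step from the article is left out because its exact command depends on the software release. Lines starting with # are comments for the reader; rsa local-key-pair create prompts interactively for the key length.

```text
system-view
sysname access-sw01
# LLDP globally: phones learn the voice VLAN from it, and PoE is budgeted per device
lldp enable
# DHCP must be on before DHCP snooping can be enabled
dhcp enable
dhcp snooping enable
#
# VLANs, each with DHCP snooping so rogue DHCP servers are blocked everywhere
vlan 100
 description MGMT
 dhcp snooping enable
quit
vlan 10
 description DATA
 dhcp snooping enable
quit
vlan 20
 description VOICE
 dhcp snooping enable
quit
vlan 30
 description PRINTERS
 dhcp snooping enable
quit
#
# local administrator, SSH-only, highest privilege level
aaa
 local-user netadmin password irreversible-cipher CHANGE-ME-PLACEHOLDER
 local-user netadmin privilege level 15
 local-user netadmin service-type ssh
quit
stelnet server enable
rsa local-key-pair create
ssh user netadmin authentication-type password
ssh user netadmin service-type stelnet
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
quit
#
# management interface and default route
interface Vlanif100
 description MGMT
 ip address 10.0.100.2 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 10.0.100.1
#
# uplink: LACP bundle of the two 10G ports, all VLANs, trusted for DHCP snooping
interface Eth-Trunk1
 description UPLINK-DIST
 mode lacp
 port link-type trunk
 port trunk allow-pass vlan all
 dhcp snooping trusted
quit
interface XGigabitEthernet0/0/1
 eth-trunk 1
quit
interface XGigabitEthernet0/0/2
 eth-trunk 1
quit
#
# user ports 1-46: hybrid, data untagged (PVID), voice tagged, CDP compatibility,
# edge ports that neither send nor accept BPDUs
port-group group-member GigabitEthernet0/0/1 to GigabitEthernet0/0/46
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 port hybrid tagged vlan 20
 voice-vlan 20 enable
 lldp compliance cdp txrx
 stp edged-port enable
 stp bpdu-filter enable
quit
#
# port 47: printers, plain access port
interface GigabitEthernet0/0/47
 description PRINTER
 port link-type access
 port default vlan 30
 stp edged-port enable
quit
#
# port 48: Wi-Fi access point, trunk with the management VLAN as PVID
interface GigabitEthernet0/0/48
 description WIFI-AP
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 10 20 100
quit
return
save
# checks: bundle state, what LLDP sees, and the DHCP snooping binding table
display eth-trunk 1
display lldp neighbor brief
display dhcp snooping user-bind all
```

The uplink is the only port marked dhcp snooping trusted, so a DHCP server plugged into any user port is ignored; display dhcp snooping user-bind all should list one entry per address that was handed out through the uplink.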

Hello, Habr! Huawei blog is back!
The next issue of the column «Advice to engineers» is on the air.
And today, our guest is the honored switch of China, the owner of the honorary title «A worthy replacement for the Cisco 2960S-24-PWR model», the leader of the Huawei line in terms of «functionality / price» ratio — the switch Huawei S5720-52X-PWR-SI V2R9SPC500.

Brief dossier on our hero:
48GE PoE+, 4*10GE ports.
The SI version supports L3 routing, including RIP and OSPF.
Software version V200R009C00SPC500.
PSU power 500W, 370 available for PoE.
Stacking is possible via 1/10GE Uplinks.
10GE interfaces support almost any transceiver, including SNR.
Management via web interface and CLI (telnet, ssh v2), SNMP v2c/v3, centralized via eSight is supported.
And today we will talk about our experience of using the S5720 as an access switch for connecting workstations and IP phones.
Initially we built in some headroom: a cheaper switch from the S5700-LI line would have been sufficient for this task, but with future use in mind this particular model was chosen, and it paid off: by the end of testing, routing was unexpectedly needed.
But let’s get to the point: what did we find out about the S5720 and verify in practice?
First experience. VLAN
Created VLANs for the office network and for phones. Configured «trunks» and user ports. LLDP enabled.
For Voice VLAN operation, ports are configured in hybrid mode. Yealink IP phones can receive their settings via LLDP, which we successfully used.
After configuration, user traffic remained in the office network, while voice traffic moved to the Voice VLAN. At the same time, additional configuration of phones and workstations was not required, which is very convenient during migration.
Enabling LLDP allows PoE to be allocated according to the requirements of the connected device and saves the switch’s power budget.
There were no questions when setting up routing; everything works. Basic routing settings:
router id 192.168.30.4
#
ospf 1
 area 0.0.0.0
  network 10.0.50.0 0.0.0.255
#
interface Vlanif50
 mtu 9198
 ospf timer hello 1
 ospf timer dead 3
OSPF neighbor authentication was not tested. To speed up convergence, non-standard timers (the so-called «LAN-based design») were configured. An ASA5512 was successfully used as the neighbor; it works.

Second experience. Security
As protection against the most common types of threats, we configured DHCP snooping, IP Source Guard and ARP security; together these prevent several of the attacks most common in an office network, including unintentional ones.
It’s no secret that a rogue DHCP server appearing on the network becomes a headache for administrators. DHCP snooping is designed to solve this problem, because address assignment is then possible only from a trusted port and is blocked on all others.
On top of DHCP snooping, the IP Source Guard and ARP security functions protect against IP and MAC address spoofing. The bottom line is that a host may only use the address it received via DHCP; the “port-IP-MAC” binding is created and checked automatically.
This setting will save us if someone tries to use someone else’s IP-MAC pair or to set up a MITM («Man-in-the-Middle») attack.
The third type of possible threat is attacks on STP. Here, as protection, BPDU filtering is enabled on user ports (that is, no STP frames are sent to or received from the user).
In addition, stp bpdu-protection watches for unexpected BPDUs, which appear when another switch is connected or an attack on the STP root is attempted.
The «stp edged-port enable» option excludes the port from the STP calculation, reducing convergence time and the load on the switch.
The combination of stp bpdu-protection and stp edged-port enable is similar to Cisco’s spanning-tree portfast.
Actually, configuration examples:
interface GigabitEthernet0/0/1
 port link-type hybrid
 voice-vlan 4 enable
 port hybrid pvid vlan 2
 port hybrid tagged vlan 4
 port hybrid untagged vlan 2
 stp root-protection
 stp bpdu-filter enable
 stp edged-port enable
 trust dscp
#
stp instance 0 root primary
stp bpdu-protection
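The three protections described in this section (DHCP snooping, IP Source Guard and ARP security on top of it, and the STP safeguards) as one added VRP example; this is not the article's own listing. Assumptions: user VLAN 2, uplink Eth-Trunk1 toward the DHCP server, a printer with a fixed address 10.0.2.50 and the constructed MAC 0001-0002-0003 on port 47, and port 1 as the user port. Lines starting with # are comments for the reader.

```text
system-view
# prerequisites: DHCP snooping on globally and in the user VLAN
dhcp enable
dhcp snooping enable
vlan 2
 dhcp snooping enable
quit
#
# the uplink is the only port from which DHCP offers are accepted
interface Eth-Trunk1
 dhcp snooping trusted
quit
#
# global STP safeguards: an edge port that receives a BPDU is shut down,
# and a second device answering as the gateway is detected
stp bpdu-protection
arp anti-attack gateway-duplicate enable
#
# user port: the DHCP snooping binding gates both IP and ARP traffic,
# and the client MAC in DHCP packets must match the frame source
interface GigabitEthernet0/0/1
 dhcp snooping check dhcp-chaddr enable
 ip source check user-bind enable
 arp anti-attack check user-bind enable
 stp edged-port enable
 stp bpdu-filter enable
quit
#
# a device with a static address has no DHCP binding, so IP Source Guard would
# drop it; give it a static binding before enabling the check on its port
user-bind static ip-address 10.0.2.50 mac-address 0001-0002-0003 interface GigabitEthernet0/0/47 vlan 2
interface GigabitEthernet0/0/47
 ip source check user-bind enable
 arp anti-attack check user-bind enable
 stp edged-port enable
quit
return
# checks: learned bindings, and which ports are edge ports / in error-down
display dhcp snooping user-bind all
display stp brief
```

Root protection (stp root-protection in the article's listing) belongs on designated ports of the switch that should stay the root, typically at the distribution or core layer; on an access switch's uplink it would block the port as soon as the real root's superior BPDU arrived, so it is deliberately not applied to Eth-Trunk1 here.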
Third experience. Administration
The administrative part has been configured, which includes NTP, SNMP, AAA, Radius.
It turned out that up to 16 VTY lines can be activated, while the default is only 5.
And, in fact, a few administrative conveniences.
What else is important to note?
For SSH access, SSH users must be added explicitly, in addition to the user in the AAA section.
RSA keys have already been generated, but if you changed the name and domain on the switch, we recommend that you regenerate the keys.
By default, SSH v1 is disabled, but it can be enabled if needed (although we don’t recommend doing this).
We also managed to set up admin authentication via Radius.
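The administrative hardening described in this section (more VTY lines, SSH-only access, SSH v1 kept off, RADIUS authentication for administrators with local fallback) plus console line protection, as one added VRP example; this is not the article's configuration. Assumptions: management subnet 10.0.100.0/24, RADIUS server 10.0.0.5, NTP server 10.0.0.10, a local user created earlier for fallback, and CHANGE-ME-PLACEHOLDER in place of real secrets. Lines starting with # are comments for the reader.

```text
system-view
# console line: password login and a 5-minute idle timeout
user-interface console 0
 authentication-mode password
 set authentication password cipher CHANGE-ME-PLACEHOLDER
 idle-timeout 5 0
quit
#
# sources allowed to reach the CLI
acl 2000
 description MGMT-SOURCES
 rule 5 permit source 10.0.100.0 0.0.0.255
 rule 100 deny
quit
#
# raise the VTY line count from the default 5 to 15 (vty 0 to 14),
# SSH only, AAA login, source filter and idle timeout on every line
user-interface maximum-vty 15
user-interface vty 0 14
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 10 0
quit
#
# SSH v1 stays disabled (this is the default; stated explicitly)
undo ssh server compatible-ssh1x enable
#
# RADIUS for administrators; "radius local" falls back to the local user
# only when the server does not answer, not when it rejects the login
radius-server template RAD-ADMIN
 radius-server shared-key cipher CHANGE-ME-PLACEHOLDER
 radius-server authentication 10.0.0.5 1812
quit
aaa
 authentication-scheme ADMIN-AUTH
  authentication-mode radius local
 quit
 domain default_admin
  authentication-scheme ADMIN-AUTH
  radius-server RAD-ADMIN
 quit
quit
#
# time source, so log timestamps line up with the RADIUS and syslog servers
ntp unicast-server 10.0.0.10
return
display users
display radius-server configuration
```

Keep one SSH session open while testing the RADIUS scheme: if the shared key or server address is wrong, the fallback to local users only applies when the server is unreachable, so a misconfigured but reachable server can lock out every new login.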
Fourth experience. Replacing the device certificate with a valid one
For good measure, we decided to replace the factory self-signed certificate with a valid one (fortunately, we have our own valid certificate for signing).
Certificate import is only possible from CLI.
We ran into the fact that the key and the certificate must be separate files, even though the «pfx» format allows the private key to be exported together with the certificate.
Moreover, if you are trying to import a chain of certificates, then the device certificate must be written first, and then all the others (for example, intermediate CAs).
With a standard export to PEM, the CA certificates come first in the file and the device certificate only at the end.
For the import to work, the certificate files must be placed in the security folder on the device’s flash. This folder does not exist by default; you need to create it.
We present to your attention a step-by-step algorithm:
1. Generate a certificate on an external CA.
2. Export the certificate or chain and private key separately.
3. If this is a chain, open the certificate file with notepad and move the last block (device certificate) to the beginning of the file, save.
4. On the switch, create the folder: mkdir flash:/security
5. Copy the certificate file and the key into the folder: tftp 192.168.0.1 get chain-servercert.pem flash:/security/chain-servercert.pem
After that, following the documentation, create an SSL policy and import the certificate into it.
To apply the policy, you need to restart the https server, but it is not restarted separately. Therefore, it is necessary to restart the entire web service.
http server disable
http server enable
As a result, the import was successful, and the web interface uses a valid certificate.
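The import steps above as one added VRP example (not the article's own listing). Assumptions: the reordered chain file chain-servercert.pem and the separate key file servercert.key on TFTP server 192.168.0.1, a policy named WEB-CERT, and CHANGE-ME-PLACEHOLDER for the key's passphrase; the certificate load pem-chain form of the command is as recalled for this software release and should be checked against the device's own help (?) before use. Lines starting with # are comments for the reader.

```text
# user view: folder and files (the device certificate must be the first block in the chain file)
mkdir flash:/security
tftp 192.168.0.1 get chain-servercert.pem flash:/security/chain-servercert.pem
tftp 192.168.0.1 get servercert.key flash:/security/servercert.key
dir flash:/security
#
system-view
# SSL policy that binds the chain and the private key
ssl policy WEB-CERT type server
 certificate load pem-chain chain-servercert.pem key-pair rsa key-file servercert.key auth-code cipher CHANGE-ME-PLACEHOLDER
quit
# attach the policy to HTTPS, then bounce the whole web service so it is picked up
http secure-server ssl-policy WEB-CERT
http server disable
http server enable
return
# check: the policy should show the loaded certificate and key
display ssl policy
```

Remove the key file from the TFTP server and any workstation copies once the import is confirmed; the private key only needs to live on the switch's flash.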
Summing up
In summary, a few numbers and conclusions:
P.S. See you in the next issues, gentlemen Engineers!
First connection

Connecting to the switch via the console interface
By default, Huawei switches ship without a preset configuration. When there is no configuration file in the switch’s memory, the ZTP (Zero Touch Provisioning) mechanism starts on power-up. We will not describe this mechanism in detail; we only note that it is convenient when working with a large number of devices or for remote configuration. An overview of ZTP can be found on the manufacturer’s website.
For initial setup without using ZTP, a console connection is required.
Connection parameters (quite standard):
Transmission rate: 9600
Data bits (B): 8
Parity bit: None
Stop bits (S): 1
Flow control mode: None
After connecting, you will see a request to set a password for the console connection.
Set password for console connection
Just enter a password, confirm it and you’re done! You can then change the password and other authentication parameters on the console port using the following commands:
Password change example
Access setting
VLAN 1 interface address setting example:
You can first explicitly create a VLAN and give it a name, for example:
There is a little life hack in terms of naming — write the names of logical structures in capital letters (ACL, Route-map, sometimes VLAN names) to make it easier to find them in the configuration file. You can use it 😉
So, we have a VLAN; now we “land” it on some port. For the option described in the example, this is not necessary, because all switch ports are in VLAN 1 by default. If we want to configure a port in another VLAN, we use the appropriate commands:
Port setting in access mode:
Port setting in trunk mode:
We figured out the interface settings. Let’s move on to the SSH configuration. We give only the required set of commands:
Assign a name to the switch
Generate keys
Configure the VTY interface
Create a local user «client001» and set up password authentication for it
Activate the SSH service on the switch
Final touch: configure the service-type for user client001
Setting completed. If you did everything right, then you can connect to the switch via the local network and continue working.
More details on setting up SSH can be found in the Huawei documentation — the first and second articles.
Setting the basic system settings
In this block, we will consider a small number of different command blocks for configuring the most popular features.
1. Set the system time and synchronize it via NTP.
The following commands can be used to set the time locally on the Switch:
Local time setting example
clock timezone MSK add 03:00:00
clock datetime 10:10:00 2020-10-08
To synchronize time via NTP with the server, enter the following command:
Command example for NTP time synchronization
ntp unicast-server 88.212.196.95
commit
2. To work with the switch, you sometimes need to configure at least one route, usually a default route. The following command is used to create routes:
Example command for creating routes:
system-view
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
commit
3. Setting the operating mode of the Spanning-Tree protocol.
For the new switch to work correctly in the existing network, it is important to pay attention to the choice of STP operating mode, and it is best to set it right away. We will not dwell on this for long, because the topic is quite broad. Let’s only describe how to set the protocol operating mode:
system-view
stp mode mstp
commit
4. An example of setting up a switch port for connecting an end device.
Consider an example of configuring an access port for traffic processing in VLAN 10.
Pay attention to the “stp edged-port enable” command — it allows you to speed up the process of transitioning the port to the forwarding state. However, this command should not be used on ports to which other switches are connected.
Also, the command “stp bpdu-filter enable” may be useful.
5. An example of configuring a Port-Channel in LACP mode to connect to other switches or servers.
Do not forget about “commit” and then we are already working with the eth-trunk 1 interface. You can check the status of the aggregated link using the “display eth-trunk” command.
We have described the main points of configuring Huawei switches. Of course, you can dive deeper into the topic and a number of points are not described, but we tried to show the main, most popular commands for initial setup.
We hope that this “manual” will help you set up the switches a little faster. It will also be great if you write in the comments the commands that you think are missing in the article, but they can also simplify the configuration of the switches. Well, as usual, we will be happy to answer your questions.
Stacking setup (iStack)
After gaining access to the switches, you can configure a stack if necessary. Huawei CE switches use iStack technology to combine several switches into a single logical device. The stack topology is a ring, so it is recommended to use at least two ports on each switch. The number of ports depends on the desired bandwidth between the switches in the stack.
When stacking, it is desirable to use uplinks, the speed of which is usually higher than that of ports for connecting end devices. Thus, you can get more bandwidth with fewer ports. Also, for most models there are restrictions on the use of gigabit ports for stacking. It is recommended to use at least 10G ports.
There are two setting options that are slightly different in the sequence of steps:
The sequence of actions for these options is as follows:

Sequence of steps for two switch stacking options
Let’s consider the second (longer) version of the stack setup. To do this, follow these steps:
3.1. Configuring the parameters we need
3.2. Configuring the stacking port interface (example)
Warning: After the configuration is complete,
1. The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.
Next, you need to save the configuration and reboot the switch:
4. Disable the stacking ports on the master switch (example)
5. Configure the second switch in the stack by analogy with the first:
Set up the ports for stacking. Note that even though the “stack member 1 renumber 2 inherit-config” command was issued, the configuration still uses member-id “1” for SwitchB.
This happens because the switch’s member-id changes only after a reboot; until then the switch still has member-id 1. The “inherit-config” parameter ensures that after the reboot all of the stack settings are preserved for member 2, which this switch becomes once its member ID changes from 1 to 2.
6. Enable the stacking ports on the master switch. It is important to enable the ports before Switch B finishes rebooting, because if you enable them afterwards, Switch B will reboot again.
8. Save the stack configuration with the “save” command. Setup completed.
Detailed information about iStack and an example of setting up iStack can also be viewed on the Huawei website.
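The second (longer) stacking procedure above, written out for two CE switches as an added example (not the article's own listing). Assumptions: stack domain 10, 10GE1/0/1-1/0/2 as stacking ports on both switches, priority 150 for the intended master and 120 for the second switch; shutting the master's stacking ports down and back up is done in interface view, as recalled for this platform. Lines starting with # are comments for the reader.

```text
# --- Switch A (stays member 1, becomes master because of the higher priority)
system-view
stack
 stack member 1 domain 10
 stack member 1 priority 150
quit
interface stack-port 1/1
 port member-group interface 10GE 1/0/1 to 10GE 1/0/2
quit
commit
save
reboot
#
# --- Switch A again, after it is back: keep its stack ports down while B is prepared
system-view
interface 10GE1/0/1
 shutdown
quit
interface 10GE1/0/2
 shutdown
quit
commit
#
# --- Switch B: same domain, lower priority, renumbered to member 2 on reboot.
# Until the reboot the device is still member 1, so the stack port is 1/1.
system-view
stack
 stack member 1 domain 10
 stack member 1 priority 120
 stack member 1 renumber 2 inherit-config
quit
interface stack-port 1/1
 port member-group interface 10GE 1/0/1 to 10GE 1/0/2
quit
commit
save
reboot
#
# --- Switch A: bring the stack ports up BEFORE B finishes rebooting,
# otherwise B reboots a second time when the ports come up later
system-view
interface 10GE1/0/1
 undo shutdown
quit
interface 10GE1/0/2
 undo shutdown
quit
commit
save
#
# --- verify: both members listed, A as master, B as member 2
display stack
display stack port
```

Check the stacking ports with display stack port after the stack forms: a port that converted to stack mode but shows down usually means a mismatched port pair or a cable that is not in the ring.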
