NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring a Device to Obtain Forwarded Packet Headers

This section describes how to configure a device to obtain forwarded packet headers.

Usage Scenario

If voice or video quality deteriorates during network maintenance, configure the device to obtain the headers of forwarded packets that match specified filter criteria, then analyze the obtained headers to locate the network fault.

If an access control list (ACL) is to be used as the filter criteria, create it first. For details about ACL configuration, see the chapter "ACL Configuration" in the NE20E Configuration Guide - IP Services.

Pre-configuration Tasks

Before configuring a device to obtain forwarded packet headers, complete the following tasks:

  • Configure link layer protocol parameters for interfaces to ensure that the link layer protocol on the interfaces is Up.
  • Create an ACL.

Procedure

  • (Optional) Configure an ACL rule.

    NOTE:

    After an ACL rule is configured, only the headers of packets that match the rule are obtained.

    With the packet header obtaining function, packets are processed as follows:
    • If packets match an ACL rule with the permit action, their headers are obtained.
    • If packets match an ACL rule with the deny action, the packets are dropped rather than forwarded, which interrupts the corresponding services. Use only permit rules in an ACL that serves as a capture filter.
    • If packets match no ACL rule, their headers are not obtained and the packets are forwarded normally.
    • If the ACL applied to an instance does not exist or contains no rules, no packet headers are obtained and the packets are forwarded normally.
    • The vpn-instance vpn-instance-name parameter configured in an ACL rule does not take effect for packet header obtaining.

    • Configuring a Basic ACL

      1. Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]

        A basic ACL is created and the view of the basic ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        A rule for the basic ACL is configured.

    • Configuring an Advanced ACL

      1. Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]

        An advanced ACL is created and the view of the advanced ACL is displayed.

      2. Configure rules for the advanced ACL.
        1. For TCP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        2. For UDP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        3. For ICMP, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

        4. For other protocols, run rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    • Configuring a Layer 2 ACL

      1. Run acl { name link-acl-name { link | [ link ] number link-acl-number } | [ number ] link-acl-number } [ match-order { config | auto } ]

        A Layer 2 ACL is created and the view of the Layer 2 ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ type type [ type-mask ] | source-mac source-mac [ source-mac-mask ] | destination-mac dest-mac [ dest-mac-mask ] | 8021p 8021p | cvlan-8021p cvlan-8021p | time-range time-name ] *

        A rule for the Layer 2 ACL is configured.

    • Configuring an MPLS-based ACL

      1. Run acl { name mpls-acl-name { mpls | [ mpls ] number mpls-acl-number } | [ number ] mpls-acl-number }

        An MPLS-based ACL is created and the view of the MPLS-based ACL is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ exp { exp-value | any } &<1-4> | label { label-value | any } &<1-4> | ttl { { lt | eq | gt } ttl-value | range ttl-value1 ttl-value2 | any } &<1-3> ] *

        A rule for the MPLS-based ACL is configured.

    • Configuring a Basic ACL6

      1. Run acl ipv6 { name basic-acl6-name { basic | [ basic ] number basic-acl6-number } | [ number ] basic-acl6-number } [ match-order { config | auto } ]

        A basic ACL6 is created and the view of the basic ACL6 is displayed.

      2. Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment | source { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        A rule for the basic ACL6 is configured.

    • Configuring an Advanced ACL6

      1. Run acl ipv6 { name advance-acl6-name [ advance | [ advance ] number advance-acl6-number ] | [ number ] advance-acl6-number } [ match-order { config | auto } ]

        An advanced ACL6 is created and the view of the advanced ACL6 is displayed.

      2. Configure rules for the advanced ACL6.

        1. For TCP, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        2. For UDP, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | destination-port operator port | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | source-port operator port | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        3. For ICMPv6, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | icmp6-type { icmp6-type-name | icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

        4. For other protocols, run rule [ rule-id ] [ name rule-name ] { permit | deny } { protocol | gre | ipv6 | ipv6-ah | ipv6-esp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any } | fragment | { source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

  • Run capture-packet forwarding

    The device is enabled to obtain forwarded packet headers.

    NOTE:
    • A packet header obtaining instance is bounded by a timeout (time-value) and a packet count (packet-number). Obtaining stops as soon as either the timeout expires or the specified number of packets has been obtained.
    • To control the rate at which forwarded packet headers are obtained, set the cir parameter in the car command, which limits the bandwidth available for forwarding obtained headers. The default value of cir is 2 Mbit/s; a larger cir allows a higher packet header obtaining rate.

    • Set the instance parameters according to the traffic volume on the target interface. If the interface receives many packets, specify a small time-value and a large packet-number; if it receives only a few packets, specify a large time-value and a small packet-number.

    Obtaining forwarded packet headers affects the forwarding performance of the device. Enable it only while troubleshooting, and stop the instance once the required headers have been collected.
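
The ACL caveats in the NOTE above (a deny rule drops matching traffic, an empty ACL obtains nothing) are easy to miss when an existing ACL is reused as a capture filter. The following Python script is an added example and is not part of the Huawei documentation: it parses VRP-style ACL configuration text in the form the procedure shows (acl number / acl name headers followed by indented rule lines, blocks terminated by #) and reports whether each ACL is safe to bind to a capture instance. The configuration text it parses is constructed for the example; the regular expressions cover only the rule keywords shown on this page.

```python
"""Pre-check an ACL before binding it to a capture-packet forwarding instance.

A deny rule in the capture ACL drops matching traffic, an ACL with no rules
obtains nothing, and packets matching no rule are forwarded without being
captured. This script parses VRP-style ACL configuration text and reports
which ACLs are safe to use purely as a capture filter.
"""
import re

# Constructed sample in display current-configuration style (not from a real device).
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
#
acl number 2002
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 deny
#
acl name CAP-EMPTY basic
#
acl number 3001
 rule 5 permit udp source 10.1.1.0 0.0.0.255 destination-port eq 5004
 rule 10 permit tcp destination-port eq 5060
#
"""

# "acl number 2001", "acl 2001", "acl name CAP-EMPTY basic", "acl ipv6 name X ..."
ACL_HEADER = re.compile(r"^acl\s+(?:ipv6\s+)?(?:name\s+(\S+)|(?:number\s+)?(\d+))")
# " rule 5 permit ...", " rule 10 deny", " rule name r1 permit ..."
RULE_LINE = re.compile(r"^\s+rule\s+(?:(\d+)\s+)?(?:name\s+\S+\s+)?(permit|deny)\b(.*)$")


def parse_acls(config_text):
    """Return {acl_id: [(rule_id, action, match_text), ...]} from config text."""
    acls = {}
    current = None
    for line in config_text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1) or m.group(2)
            acls[current] = []
            continue
        if line.strip() == "#":          # end of the current configuration block
            current = None
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            rule_id = int(m.group(1)) if m.group(1) else None
            acls[current].append((rule_id, m.group(2), m.group(3).strip()))
    return acls


def check_capture_acl(rules):
    """Classify an ACL for use as a capture filter.

    Returns (verdict, detail). Verdicts:
      'unsafe' - contains a deny rule: matching traffic would be dropped
      'no-op'  - no rules: nothing is obtained, everything is forwarded
      'ok'     - permit-only: matches are obtained, the rest is forwarded
    """
    if not rules:
        return "no-op", "ACL has no rules; the capture would obtain nothing"
    denies = [r for r in rules if r[1] == "deny"]
    if denies:
        ids = ", ".join(str(r[0]) for r in denies)
        return "unsafe", f"deny rule(s) {ids} would drop matching traffic"
    return "ok", f"{len(rules)} permit rule(s); non-matching traffic is forwarded uncaptured"


def lint_config(config_text):
    """Map every ACL in the configuration text to its verdict."""
    return {acl: check_capture_acl(rules) for acl, rules in parse_acls(config_text).items()}


if __name__ == "__main__":
    for acl, (verdict, detail) in lint_config(SAMPLE_CONFIG).items():
        print(f"ACL {acl:10} {verdict:7} {detail}")
```

Run it against the output of display current-configuration before attaching an ACL to a capture instance; anything reported as unsafe should be replaced by a dedicated permit-only ACL rather than an ACL that was written for traffic filtering.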

Result

  • Run the display capture-packet config-state command to check the packet header obtaining configuration, including the instance index and the capture file name.

  • Run the display capture-packet file file-name command to check the contents of the capture file.

  • Run the display capture-packet information [ instance-id instance-id [ from begin-packet-number [ to end-packet-number ] ] [ format-cap ] [ verbose ] ] command to check information about a packet header obtaining instance.

# Run the display capture-packet config-state command to view the configuration of obtaining forwarded packet headers. For example:

<HUAWEI> display capture-packet config-state
Capture-Packet Index 2
Type        : forwarding
Interface   : GigabitEthernet0/1/1
Direction   : inbound
ACL         : 2001
File Name   : cfcard:/capture_fwd_GigabitEthernet3.0.1_2012-05-03-14-15-42.cap
Time-out    : 3600 seconds
Packet-num  : 900
Packet-len  : 62
BufferOnly  : disabled

# Run the display capture-packet file file-name command to view information about the packet header getting file. For example:

<HUAWEI> display capture-packet file cfcard:/capture_host_all_GigabitEthernet3.0.1_2012-05-03-14-01-01.cap
a1 b2 c3 d4 00 02 00 04 00 00 00 00 00 00 00 00
00 00 ff ff 00 00 00 01 4f a2 8f a3 00 01 c3 d1
00 00 00 3c 00 00 00 52 01 00 5e 00 00 05 38 ca
21 21 03 00 08 00 45 06 00 44 3b 04 00 00
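
The bytes printed by display capture-packet file are the raw contents of the .cap file, which is a standard libpcap file: a 24-byte global header followed by a 16-byte header per record. The following Python script is an added example, not part of the Huawei documentation. It parses the dump shown above: the global header (magic, version, snap length, link type), the first record header (timestamp, stored length, original length), and the Ethernet and IPv4 fields of the packet bytes that are present. The field names are those of the libpcap format rather than of the device; the hex is copied from the output above and is itself cut short at 62 bytes.

```python
"""Decode the hex that `display capture-packet file` prints.

The capture file is a standard libpcap file. Parsing the dump shows the snap
length, link type, the first record's timestamp, and how much of the first
packet was actually stored (incl_len) versus its length on the wire (orig_len).
"""
import struct
from datetime import datetime, timezone

# Hex exactly as shown in the display output above (62 bytes; the dump is cut short).
FILE_DUMP = """\
a1 b2 c3 d4 00 02 00 04 00 00 00 00 00 00 00 00
00 00 ff ff 00 00 00 01 4f a2 8f a3 00 01 c3 d1
00 00 00 3c 00 00 00 52 01 00 5e 00 00 05 38 ca
21 21 03 00 08 00 45 06 00 44 3b 04 00 00
"""

LINKTYPES = {0: "BSD loopback", 1: "Ethernet", 113: "Linux SLL"}


def hexdump_to_bytes(text):
    """Turn whitespace-separated hex byte pairs into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_pcap_dump(data):
    """Parse the libpcap global header and every record header present in a (possibly truncated) dump."""
    if len(data) < 24:
        raise ValueError("dump shorter than the 24-byte pcap global header")
    magic = data[:4]
    # Magic a1b2c3d4 in file order means big-endian fields, d4c3b2a1 means little-endian;
    # a1b23c4d / 4d3cb2a1 are the nanosecond-timestamp variants of the same format.
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    else:
        raise ValueError(f"not a pcap file, magic {magic.hex()}")

    ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    result = {
        "endian": "big" if endian == ">" else "little",
        "version": (ver_major, ver_minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
        "records": [],
    }

    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + incl_len]
        rec = {
            "timestamp": datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "ts_frac": ts_frac,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "truncated_by_device": incl_len < orig_len,  # packet-len cut the stored packet
            "bytes_available": len(payload),             # what this dump actually contains
        }
        if len(payload) >= 14:                           # enough for an Ethernet header
            rec["eth_dst"] = payload[0:6].hex(":")
            rec["eth_src"] = payload[6:12].hex(":")
            rec["ethertype"] = struct.unpack(">H", payload[12:14])[0]
            if rec["ethertype"] == 0x0800 and len(payload) >= 18:
                # IPv4 total length sits at offset 2 of the IP header (offset 16 of the frame)
                rec["ip_total_length"] = struct.unpack(">H", payload[16:18])[0]
        result["records"].append(rec)
        off += incl_len
    return result


if __name__ == "__main__":
    info = parse_pcap_dump(hexdump_to_bytes(FILE_DUMP))
    print({k: v for k, v in info.items() if k != "records"})
    for rec in info["records"]:
        print(rec)
```

Two consistency checks fall out of the parse: the first record's timestamp (2012-05-03 14:01:07 UTC) lies a few seconds after the start time encoded in the file name, and the IPv4 total length (68) plus the 14-byte Ethernet header equals orig_len (82), which confirms the record header was read at the right offset. incl_len 60 against orig_len 82 is the per-packet truncation described below; the CLI dump itself stops after 22 of those 60 bytes, so open the file in Wireshark when the rest of the stored header is needed.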

# Run the display capture-packet information [ instance-id instance-id [ from begin-packet-number [ to end-packet-number ] ] [ format-cap ] [ verbose ] ] command to check information about the instance. For example:

<HUAWEI> display capture-packet information instance-id 7 from 1 to 3 verbose
 Total capture instance number is            1                                  
 Forward capture inbound instance number is  0                                  
 Forward capture outbound instance number is 0                                  
 Host capture instance number is             1                                  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -             
instance-id                               : 7                                   
instance status                           : stopped                             
instance total time length of set         : 200s                                
instance packet number of set             : 10                                  
instance file length of set               : 2M                                  
instance total memory size of set         : 1M                                  
instance capture packet number            : 7                                   
instance capture packet size              : 420B                                
instance saved packet number              : 7                                   
instance saved packet size                : 420B                                
instance deleted packet number            : 0                                   
instance deleted packet size              : 0B                                  
instance capture first packet time        : 2013-08-30 17:54:18                 
instance capture last packet time         : 2013-08-30 17:57:18                 
instance acl number/name                  : ---                                 
instance packet-num in memory             : <1-7>                               
instance remain time length be deleted    : 300s                                
instance saved packet device name         : 11#cfcard:/logfile/                 
instance save packet file name            : capture_host_all_GE1.0.0_2013-08-30-17-54-01.cap                                                                    
instance link type is                     : ethernet                            
instance interface name is                : GigabitEthernet0/1/0                
instance type is                          : local host                          
instance systemid is                      : all                                 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -             
packet NO        : 1                                                            
packet length is : 60                                                           
capture-time     : 2013-08-30 17:54:17                                          
  L2 Type: Ethernet                                                             
    Source mac   : 7054-f5e0-f831                                               
    Dest mac     : 0180-c200-000e                                               
    Ethernet type: 0x88cc                                                       
                                                                                
  L3 Type: unknow protocol                                                      
                                                                                
  L4 Type: 0                                                                    
    Source Port  : 0                                                            
    Dest Port    : 0                                                            
                                                                                
0000 01 80 c2 00 00 0e 70 54 f5 e0 f8 31 88 cc 02 07                            
0010 04 cc 53 b5 f2 ee 35 04 15 05 47 69 67 61 62 69                            
0020 74 45 74 68 65 72 6e 65 74 30 2f 32 2f 36 06 02                            
0030 00 78 0a 02 33 34 0c b5 48 75 61 77                                        
                                                                                
                                                                                
packet NO        : 2                                                            
packet length is : 60                                                           
capture-time     : 2013-08-30 17:54:47                                          
  L2 Type: Ethernet                                                             
    Source mac   : 7054-f5e0-f831                                               
    Dest mac     : 0180-c200-000e                                               
    Ethernet type: 0x88cc                                                       
                                                                                
  L3 Type: unknow protocol                                                      
                                                                                
  L4 Type: 0                                                                    
    Source Port  : 0                                                            
    Dest Port    : 0                                                            
                                                                                
0000 01 80 c2 00 00 0e 70 54 f5 e0 f8 31 88 cc 02 07                            
0010 04 cc 53 b5 f2 ee 35 04 15 05 47 69 67 61 62 69                            
0020 74 45 74 68 65 72 6e 65 74 30 2f 32 2f 36 06 02                            
0030 00 78 0a 02 33 34 0c b5 48 75 61 77                                        
                                                                                
                                                                                
packet NO        : 3                                                            
packet length is : 60                                                           
capture-time     : 2013-08-30 17:55:17                                          
  L2 Type: Ethernet                                                             
    Source mac   : 7054-f5e0-f831                                               
    Dest mac     : 0180-c200-000e                                               
    Ethernet type: 0x88cc                                                       
                                                                                
  L3 Type: unknow protocol                                                      
                                                                                
  L4 Type: 0                                                                    
    Source Port  : 0                                                            
    Dest Port    : 0                                                            
                                                                                
0000 01 80 c2 00 00 0e 70 54 f5 e0 f8 31 88 cc 02 07                            
0010 04 cc 53 b5 f2 ee 35 04 15 05 47 69 67 61 62 69                            
0020 74 45 74 68 65 72 6e 65 74 30 2f 32 2f 36 06 02                            
0030 00 78 0a 02 33 34 0c b5 48 75 61 77                                        
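
The device decodes only the Ethernet, IP and TCP/UDP fields of an obtained packet; the three frames above carry EtherType 0x88cc (LLDP) and are therefore reported as "unknow protocol" with L4 type 0. The following Python script is an added example, not part of the Huawei documentation: it converts the hex dump printed by display capture-packet information verbose (offset column included) into bytes and decodes the LLDP TLVs in it, stopping cleanly where the stored packet-len cuts the last TLV short. The hex is copied from packet NO 1 above; the TLV type and subtype names are those of IEEE 802.1AB.

```python
"""Decode the raw frame bytes from `display capture-packet information ... verbose`.

Parsing the hex dump offline shows what the "unknow protocol" frame carries: LLDP
TLVs announcing the neighbour's chassis MAC, port name, TTL and system name and
description.
"""
import struct

# Hex dump copied from packet NO 1 above (offset column included).
FRAME_DUMP = """\
0000 01 80 c2 00 00 0e 70 54 f5 e0 f8 31 88 cc 02 07
0010 04 cc 53 b5 f2 ee 35 04 15 05 47 69 67 61 62 69
0020 74 45 74 68 65 72 6e 65 74 30 2f 32 2f 36 06 02
0030 00 78 0a 02 33 34 0c b5 48 75 61 77
"""

LLDP_TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
                  4: "Port Description", 5: "System Name", 6: "System Description",
                  7: "System Capabilities", 8: "Management Address", 127: "Organization Specific"}
CHASSIS_SUBTYPES = {4: "MAC address", 5: "Network address", 6: "Interface name", 7: "Locally assigned"}
PORT_SUBTYPES = {3: "MAC address", 5: "Interface name", 7: "Locally assigned"}


def cli_dump_to_bytes(text):
    """Strip the leading offset column from each dump line and convert the hex pairs."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens:
            pairs.extend(tokens[1:])
    return bytes.fromhex("".join(pairs))


def decode_lldp(frame):
    """Return Ethernet header fields plus the decoded LLDP TLVs of one frame.

    Each TLV starts with a 16-bit header: 7 bits of type, 9 bits of length.
    If the captured bytes end inside a TLV the result is flagged as truncated,
    since the capture keeps only the first packet-len bytes of each frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack(">H", frame[12:14])[0]
    out = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
           "ethertype": ethertype, "tlvs": [], "truncated": False}
    if ethertype != 0x88CC:
        return out
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack(">H", frame[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + tlv_len]
        tlv = {"type": tlv_type, "name": LLDP_TLV_NAMES.get(tlv_type, "Reserved"),
               "declared_len": tlv_len, "present_len": len(value)}
        if len(value) < tlv_len:
            out["truncated"] = True            # remainder of this TLV was not captured
        if tlv_type == 0:
            out["tlvs"].append(tlv)
            break
        if tlv_type == 1 and value:            # Chassis ID: subtype byte then identifier
            tlv["subtype"] = CHASSIS_SUBTYPES.get(value[0], str(value[0]))
            tlv["value"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode("ascii", "replace")
        elif tlv_type == 2 and value:          # Port ID: subtype byte then identifier
            tlv["subtype"] = PORT_SUBTYPES.get(value[0], str(value[0]))
            tlv["value"] = value[1:].hex(":") if value[0] == 3 else value[1:].decode("ascii", "replace")
        elif tlv_type == 3 and len(value) == 2:  # TTL in seconds
            tlv["value"] = struct.unpack(">H", value)[0]
        elif tlv_type in (4, 5, 6):            # free-text descriptions and names
            tlv["value"] = value.decode("ascii", "replace")
        else:
            tlv["value"] = value.hex()
        out["tlvs"].append(tlv)
        off += 2 + tlv_len
    return out


if __name__ == "__main__":
    decoded = decode_lldp(cli_dump_to_bytes(FRAME_DUMP))
    print(f"{decoded['src']} -> {decoded['dst']} ethertype 0x{decoded['ethertype']:04x}")
    for t in decoded["tlvs"]:
        print(f"  {t['name']:20} {t.get('subtype', '')} {t.get('value', '')}")
    if decoded["truncated"]:
        print("  (last TLV cut off by the capture length)")
```

For the frame above this yields a chassis ID of cc:53:b5:f2:ee:35, port ID GigabitEthernet0/2/6, a TTL of 120 seconds, system name "34" and a 181-byte system description of which only "Huaw" was stored. The same approach applies to any EtherType the device does not decode itself; it is also a reminder that LLDP announces interface names and platform descriptions to every neighbour, so captures of it contain topology detail worth protecting.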
                                                                                

As shown in Figure 10-2, you can also open the .cap file in a packet analysis tool such as Wireshark to display the obtained packet headers. The .cap file stores less than 64 bytes of header information for each obtained packet, so nothing beyond that point is available for analysis.

Figure 10-2 Packet header information displayed by Wireshark

Updated: 2019-01-02

Document ID: EDOC1100055397