No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
WLAN V200R019C00 Typical Configuration Examples
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Attack Detection

Example for Configuring Attack Detection

Service Requirements

Enterprise users can access the network through WLANs, which is the basic requirement of mobile office. Furthermore, users' services are not affected during roaming in the coverage area.

To ensure network stability and security, network administrators can configure attack detection and dynamic blacklist to prevent flood attacks and brute force PSK cracking. Detected attack devices are added to the dynamic blacklist, and packets from them are discarded, preventing attacks.

Networking Requirements

  • AC networking mode: Layer 2 networking in bypass mode
  • DHCP deployment mode:
    • The AC functions as a DHCP server to assign IP addresses to APs.
    • The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
  • Service data forwarding mode: tunnel forwarding
Figure 4-68 Networking for configuring attack detection

Data Planning

Table 4-73 AC data planning

Item

Data

Management VLAN for APs

VLAN 100

Service VLAN for STAs

VLAN 101

DHCP server

The AC functions as a DHCP server to assign IP addresses to APs.

SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs

10.23.100.2-10.23.100.254/24

IP address pool for STAs

10.23.101.3-10.23.101.254/24

AC's source interface address

VLANIF 100: 10.23.100.1/24

AP group
  • Name: ap-group1
  • Referenced profiles: VAP profile wlan-net, regulatory domain profile default, WIDS profile wlan-wids, and AP system profile wlan-system
  • Attack detection type of the AP radio: brute force PSK cracking attack detection for WPA2-PSK authentication and flood attack detection

Regulatory domain profile
  • Name: default
  • Country code: China

SSID profile
  • Name: wlan-net
  • SSID name: wlan-net

Security profile
  • Name: wlan-net
  • Security policy: WPA-WPA2+PSK+AES
  • Password: a1234567

VAP profile
  • Name: wlan-net
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Referenced profiles: SSID profile wlan-net and security profile wlan-net

WIDS profile
  • Name: wlan-wids
  • Interval for brute force PSK cracking attack detection: 70s
  • Quiet time for brute force PSK cracking attack detection: 700s
  • Maximum number of key negotiation failures allowed within a brute force PSK cracking attack detection period: 25
  • Flood attack detection interval: 70s
  • Quiet time for flood attack detection: 700s
  • Flood attack detection threshold: 350
  • Dynamic blacklist: enabled

AP system profile
  • Name: wlan-system
  • Aging time of a dynamic blacklist: 200s

Configuration Roadmap

  1. Configure basic WLAN services to ensure that users can access the WLAN.

  2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and flood attack detection so that WLAN devices can detect attack devices.

  3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist and to reject packets from these devices within the aging time of the dynamic blacklist.

Configuration Notes

  • No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
    For details on how to configure traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?.

  • Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.

  • In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure

  1. Configure the network devices.

    # Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is VLAN 100.
    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
    # Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN 101.
    <HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
    # Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to 10.23.101.2/24.
    <Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

  2. Configure the AC to communicate with the network devices.

    If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to management VLAN 100.

    # Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.
    <HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

  3. Configure the DHCP servers to assign IP addresses to APs and STAs.

    # On the AC, configure VLANIF 100 to assign IP addresses to APs.
    [AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
    # On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default gateway address of STAs to 10.23.101.2.
    Configure the DNS server as required. The common methods are as follows:
    • In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
    • In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.
    [SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

  4. Configure an AP to go online.

    # Create an AP group to which the APs with the same configuration can be added.
    [AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
    [AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y  
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
    # Configure the AC's source interface.

    In V200R021C00 and later versions, when the CAPWAP source interface or source address is configured, the system checks whether security-related configurations exist, including the PSK for DTLS encryption, PSK for DTLS encryption between ACs, user name and password for logging in to the AP, and password for logging in to the global offline management VAP, the configuration can be successful only when both of them exist. Otherwise, the system prompts you to complete the configuration first.

    [AC] capwap source interface vlanif 100
Set the DTLS PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******

Set the DTLS inter-controller PSK(contains 6-32 plain-text characters, or 48 or 68 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):******

Set the user name for FIT APs(contains 4-31 plain-text characters, which can only include letters, digits and underlines. And the first character must be a letter):admin

Set the password for FIT APs(plain-text password of 8-128 characters or cipher-text password of 48-188 characters that must be a combination of at least three of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********

Set the global temporary-management psk(contains 8-63 plain-text characters, or 48-108 cipher-text characters that must be a combination of at least two of the following: lowercase letters a to z, uppercase letters A to Z, digits, and special characters):********
    # Enable the function of establishing CAPWAP DTLS sessions in none authentication mode. (V200R021C00 and later versions)
    [AC] capwap dtls no-auth enable

    From V200R021C00, DTLS encryption is enabled for CAPWAP control tunnels on the AC by default. After this function is enabled, an AP will fail to go online when it is added. In this case, you need to enable CAPWAP DTLS non-authentication for the AP so that the AP can obtain a security credential. After the AP goes online, disable this function to prevent unauthorized APs from going online.

    # Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.

    The default AP authentication mode is MAC address authentication. If the default settings are retained, you do not need to run the ap auth-mode mac-auth command.

    In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency band.

    [AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y  
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y  
[AC-wlan-ap-0] quit
    # After the AP is powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP goes online successfully.
    [AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1
    # Disable the function of establishing CAPWAP DTLS sessions in non-authentication mode. (V200R021C00 and later versions)
    [AC-wlan-view] quit
[AC] undo capwap dtls no-auth enable
[AC] wlan

  5. Configure WLAN service parameters.

    # Create security profile wlan-net and configure a security policy in the profile.

    In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual situations, the security policy must be configured according to service requirements.

    [AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
    # Create SSID profile wlan-net and set the SSID name to wlan-net.
    [AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
    # Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.
    [AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
    # Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of the AP.
    [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

  6. Set the channels and power for AP radios.

    Automatic channel and power calibration functions are enabled by default. The manual channel and power configurations take effect only when these two functions are disabled. The settings of the AP channel and power in this example are for reference only. You need to configure the AP channel and power based on the actual country code and network planning.

    # Disable automatic channel and power calibration functions of radio 0, and configure the channel and power for radio 0.
    [AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit
    # Disable automatic channel and power calibration functions of radio 1, and configure the channel and power for radio 1.
    [AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y 
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

  7. Configure attack detection.

    # Enable brute force PSK cracking attack detection for WPA2-PSK authentication and flood attack detection.

    [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

    # Create the WIDS profile wlan-wids.

    [AC-wlan-view] wids-profile name wlan-wids

    # Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication, the maximum number of key negotiation failures allowed within the detection period to 25, and quiet time to 700s.

    [AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700

    # Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to 350, and quiet time to 700s.

    [AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700

  8. Configure the dynamic blacklist function.

    # Enable the dynamic blacklist function.

    [AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC-wlan-wids-prof-wlan-wids] quit

    # Create AP system profile wlan-system, and set the aging time of the dynamic blacklist to 200s.

    [AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit

  9. Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.

    [AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

  10. Verify the configuration.

    After the configurations are complete, run the display wlan ids attack-detected all command to view detected attack devices.

    [AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detected attack type
CH: Channel number
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  wiv: Weak IV detected
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame      eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address     AT     CH   RSSI(dBm)  Last detected time     #AP
-------------------------------------------------------------------------------
000b-c002-9c81  pbr    165  -87        2014-11-20/15:51:13    1
0024-2376-03e9  pbr    165  -84        2014-11-20/15:51:13    1
0046-4b74-691f  act    165  -67        2014-11-20/15:51:13    1
-------------------------------------------------------------------------------
Total: 3, printed: 3

    The display wlan dynamic-blacklist all command displays information about attack devices in the dynamic blacklist.

    [AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame            asr: Association request
aur: Authentication request  daf: Deauthentication frame
dar: Disassociation request  eapl: EAPOL logoff frame
pbr: Probe request           rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address       Last detected time    Reason   #AP   LAT
-------------------------------------------------------------------------------
000b-c002-9c81    2014-11-20/16:15:53   pbr      1     100
0024-2376-03e9    2014-11-20/16:15:53   pbr      1     100
0046-4b74-691f    2014-11-20/16:15:53   act      1     100
-------------------------------------------------------------------------------
Total: 3, printed: 3

Configuration Files

  • SwitchA configuration file

    #
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

  • SwitchB configuration file

    #
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

  • Router configuration file

    #
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

  • AC configuration file

    #
 sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  radio 0
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-net wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable    calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable    calibrate auto-txpower-select disable
#
return
Translation
简体中文
Download
Updated: 2021-11-18

Document ID: EDOC1100096116

Views: 366035

Downloads: 2538

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :