Huawei learning documents

Source: Internet
Author: User
Tags: hmac, sha1

snmp-server community public ro
snmp-server community private ro
snmp-server switch ID, which can be found with the corresponding command
snmp-server IP address of the management platform
3550 series password recovery:
1. Press the mode button on the front panel of the switch.
2. Enter flash_init to initialize the flash file system.
3. Enter del flash:config.text to delete the configuration.
4. Enter boot to restart; the switch comes up without the old password.
My own NAT setup, debugged successfully, haha.
[Router] dis nat trans
** Total 3 NAT items, 3 in hash list, 0 in extended-list
Pro  GlobalAddr     GlobalPort  InsideAddr  InsidePort  DestAddr         DestPort
6    192.168.34.50  12420       10.0.0.2    1473        207.46.108.89    1863
17   192.168.34.50  12432       10.0.0.2    4004        202.104.129.252  8000
6    192.168.34.50  12464       10.0.0.2    1468        207.46.107.99    1863
[Router] dis cur
Now create configuration...
Current configuration
!
version 1.74
local-user cisco service-type ppp password simple cisco
local-user lover service-type administrator password simple cisco
nat address-group 192.168.34.50 192.168.34.51 1
firewall enable
aaa-enable
aaa accounting-scheme optional // if no valid accounting response is received from the AAA server, the user is still allowed onto the network
!
acl 10 match-order config
rule normal permit source any
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 192.168.34.51 255.255.255.0
nat outbound 10 address-group 1
!
interface Ethernet1
ip address 10.0.0.1 255.0.0.0
!
interface Serial0
link-protocol ppp
!
interface Serial1
link-protocol ppp
!
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.34.1 preference 60
!
return
Notes on Huawei learning Manual
interface or sub-interface; undo interface s0.1 deletes the sub-interface
reset counters interface: clears the interface counters
By default an Ethernet interface encapsulates Ethernet II frames.
speed 10/100/negotiation
duplex full/half
baudrate / bandwidth: on Cisco a synchronous interface defaults to 64000 bps, an asynchronous one to 9600 bps
clock
By default the serial port is dceclk, i.e. it supplies the clock to the DTE; it can be changed to dteclk1/2/3/4.
flow-control (software/hardware/none) [inbound/outbound]
loopback
interface s0 # loopback
physical-mode (sync/async) sets the serial port to synchronous or asynchronous mode
controller e1
channel-set (logical interface number 1-30) timeslot range (0-31)
(Router-e1-0) frame-format crc4/no-crc4 sets the CE1/PRI 4-bit CRC check
Router-e1-0 # loopback sets an internal or external loopback on the logical port; a protocol state of down is normal while looped, and it is used to test the state of the link and interface
ppp mp
link-protocol ppp
ppp authentication-mode (chap/pap)
ppp pap password xxxx
display pppoe-client session
ISDN:
display isdn active-channel
PPTP is a WAN interface protocol.
l2tp enable // enables VPDN on the router
allow l2tp virtual-template (template number) [remote-name]
display l2tp session / display l2tp tunnel
Huawei supports L2TP; Cisco supports both PPTP and L2TP.
l2tp match-order {dnis-domain} // look up the L2TP group by called number first, then by domain name
l2tp session-limit 1000 sets the maximum number of sessions
l2tp-group group-number creates an L2TP group.
Example:
Router # l2tp-group 1
Router-l2tp1 # mandatory-chap // forces CHAP to authenticate the client
start l2tp {ip peer-ip} {domain domain-name} {dnis phone-number} {fullname full-name}
tunnel authentication enables L2TP tunnel authentication
tunnel password
tunnel name
GRE
interface tunnel 0
Router-tunnel0 source ip
Router-tunnel0 destination ip
gre checksum // adds a checksum to the GRE header; off by default
gre key key-number
gre sequence-datagrams // datagrams carry sequence numbers so the two ends stay synchronized
IP network layer
ip address ppp-negotiate allows IP address negotiation: the local interface obtains its IP address from the peer router over PPP, generally used when the ISP assigns a dynamic IP address.
ip address unnumbered
Interfaces encapsulating PPP, HDLC, frame relay or tunnel can borrow the IP address of another (e.g. Ethernet) interface.
Example: interface s0
ip address unnumbered
interface s1
ip address ppp-negotiate
Configures an interface to borrow the IP address of another interface; available on PPP, HDLC, frame relay, SLIP and tunnel interfaces.
Router-s0 # remote address 10.0.0.1 configures the IP address for the peer
Router-e0 # vlan-type dot1q vid 1 adds the port to VLAN 1
dhcp enable
dhcp server ip-pool pool-name
dhcp server forbidden-ip low-ip high-ip
network 192.168.1.0 255.255.255.0 (DHCP address pool 0)
gateway-list gateway
dns-list DNS settings
domain-name mydomainname.com sets the domain suffix assigned to clients
display dhcp server static
display dhcp server expired displays unused IP addresses
display dhcp server ip-in-use displays IP addresses in use
display dhcp server tree
reset dhcp
Router-dhcp0 # domain-name mydomain.com.cn
Bind an IP address to a MAC address:
# static-bind ip-address 10.1.1.1 mask 255.255.255.0
# static-bind mac-address 00-00-0e-3f-03-05
acl 101
Router-acl-101 # rule permit source ...
interface e0 # nat outbound 101 interface
Or:
nat address-group x.x.x.x x.x.x.x abc
interface s0 # nat outbound 101 address-group abc
This adds an association between the access control list and the interface.
interface e0
Port-based PAT: map an intranet IP address and port to an Internet IP address and port:
[Router-Serial0] nat server global 192.168.0.4 inside 10.0.0.2 ftp tcp
userlog nat (flow-begin) (acl-number)
If the NAT log does not appear because logging is disabled, enable it:
info-center enable
info-center console // send to the console port
userlog nat
info monitor
info syslog
The default preference of a static route is 60.
VPDN (Virtual Private Dial-up Network)
Small and medium-sized enterprises use PSTN and ISDN dial-up to provide access for mobile staff. VPDN tunnel protocols include PPTP, L2F and L2TP.
LAC: L2TP access concentrator.
LNS: L2TP network server.
Steps for L2TP troubleshooting:
1. Check connectivity between the LAC and the LNS.
2. Check whether the VPDN user authenticates successfully on the LAC side.
3. Check whether the LAC initiates the L2TP tunnel connection.
4. Check whether the LNS receives the connection.
5. Check the routing information for the LNS user.
OSPF
LSA types:
Router-LSA: generated by every router, describes the router's link states and costs, flooded throughout the area; type 1.
Network-LSA: generated by the DR, describes the link states of the network segment, flooded throughout the area; type 2.
Network-Summary-LSA: generated by the ABR, describes a route to a network segment in another area, flooded to the relevant areas; type 3.
ASBR-Summary-LSA: generated by the ABR, describes the route to an ASBR, flooded to the relevant areas; type 4.
AS-External-LSA: generated by the ASBR, describes routes outside the AS, flooded throughout the AS (excluding stub areas); type 5.
The tree structure produces no loops.
DR and BDR are needed only on broadcast and NBMA networks, not on other network types.
import-route protocol [cost | type | tag | route-policy]: currently direct, static, rip, is-is and bgp can be imported.
abr-summary ip-address mask, configured in the area view, defines the aggregated network segment; aggregation is off by default and only takes effect on the ABR.
vlink-peer router-id {hello | ...}
Stub configuration:
stub [no-summary]
If an area is planned as a stub area, every router in the area must be configured as stub. With the no-summary parameter, the ABR also filters out the Type 3 summary LSAs between areas, reducing routes further.
default-cost value is used in a stub area; configured on the ABR, it is the cost of the default route advertised into the stub area.
A stub area cannot contain an ASBR and cannot use import-route to redistribute routes.
ospf network-type (broadcast | nbma | p2mp | p2p)
When the link layer encapsulation is PPP or HDLC the network type is p2p; with frame relay or X.25 it is nbma. A point-to-point link must be set to p2p.
debugging ospf {event | packet [ack | dd | hello | request | update] | lsa | spf}
default import-route cost: the default cost for imported external routes
default import-route type 1/2 is similar to Cisco E1/E2.
display ospf area / error / database
display ospf ase displays external routes
display ospf interface
copy xmodem: flash:c3500
 
Network storage, minicomputers and network devices are my future development goals.
HP, EMC, IBM, VERITAS
DAS: external storage directly attached to the server.
NAS: file-level storage with its own IP address, not directly attached to a server.
SAN: Fibre Channel (FC SAN): a fast, data-centric, network-oriented storage architecture that connects servers and storage devices over a scalable network topology; data storage and management are concentrated in a relatively independent private network that provides storage services to the servers.
The newer IP SAN technology combines the IP networking of NAS with the FC of a SAN and can back up to a remote site 10 km away.
iSCSI is an Internet protocol standard for block transmission over Ethernet: it runs the SCSI command set on top of IP so that SCSI traffic to storage hardware can be routed over Ethernet.
ILM (Information Lifecycle Management): managing information effectively through its whole life cycle from creation to disposal, storing different kinds of information at different costs. HP, IBM and VERITAS each propose their own ILM.
SMB, SUN, EMC
Line assurance: 1. master/backup, e.g. backing up the WAN link; 2. load balancing: bundling several links as a channel group.
Area division
Authentication: a router has four remote configuration channels: telnet, console, SNMP and modem.
Access control: hierarchical protection; users with different permission levels are restricted to different operations.
The five-tuple: source IP address, destination IP address, protocol number, source port number and destination port number.
Information hiding: NAT
Data encryption and anti-forgery: encryption prevents transmitted data from being intercepted and read.
Anti-forgery: digital signatures. If a message is captured, modified and retransmitted in transit, the receiver verifies the message and discards the modified one.
IPSEC
IP routing policy and route import
Purpose:
1. A means of filtering routing information.
2. Sending only part of the information when advertising routes.
3. Accepting only part of the information when receiving routes.
4. When importing routes, importing only information that meets specific conditions, to support equal-cost routes.
5. Setting the attributes of routes imported by a routing protocol.
Five filters used by routing policies:
Route policy (route-policy)
Access list (acl)
Prefix list (ip-prefix)
A prefix list is identified by its name and may contain several entries; the entries are matched in the order of their index numbers. Each entry specifies a matching range in the form of a network prefix. The relationship between entries is OR: a route is compared with each entry in turn, and matching any one entry means it passes the prefix list.
AS path access list (aspath-list)
Used only by BGP.
Community attribute list (community-list)
Several kinds of attack on the network:
Packet analysis (sniffing)
IP address spoofing
Port scanning
Denial of service (DoS)
Distributed denial of service (DDoS)
Application layer attacks, such as Trojans
AAA: authentication, authorization and accounting. It is based on the user name and password, whereas firewall ACL packet filtering is IP-based.
It is mainly used for user identification, verification, authorization and accounting.
IPSEC/IKE
IPsec (IP Security) is a group of open protocols. The communicating parties apply encryption and data-origin authentication at the IP layer to ensure the confidentiality, integrity and authenticity of packets transmitted over the Internet. These security services are implemented by the two protocols AH and ESP.
IKE (Internet Key Exchange): used by both parties to negotiate and establish security associations. IKE defines how the two parties authenticate each other, negotiate encryption algorithms and generate shared session keys.
The RADIUS protocol is used between the AAA server and the network device.
Services supported by AAA: PPP, EXEC, FTP // on a PIX, HTTP, FTP and telnet are authenticated.
Authentication: user name and password; covers PPP PAP/CHAP, EXEC user authentication and FTP user authentication.
With fewer than 50 users the database is created on the local router; with more than 50 users it is created on the RADIUS server.
Quidway # aaa-enable
Quidway # aaa authentication-scheme login default radius local
# aaa accounting-scheme optional
Serial0 # ppp authentication-mode pap scheme default
radius server 129.7.66.68
radius server 129.7.66.66 accounting-port 0 // backup accounting server
radius server 129.7.66.67 authentication-port 0 // backup authentication server
radius shared-key this-is-my-secret
radius retry 2
radius timer response-timeout 5
The shared key with the RADIUS server is this-is-my-secret; the maximum number of retransmissions is 2, with a 5-second response timeout.
First, the user information is collected by the various services (PPP, FTP, EXEC) and sent to AAA for verification. If authentication succeeds, the authentication and authorization results are returned to the router, which provides the corresponding service to the user and starts accounting with RADIUS.
display aaa
debugging radius primitive // observe AAA requests and results
debugging radius event
AAA server/client: the router is the client.
RADIUS uses UDP port 1812 for authentication and 1813 for accounting.
RADIUS is itself designed with security in mind: the client and server share a key and use the MD5 algorithm with that key to sign each packet; verifying the signature prevents other hosts on the network from impersonating the router or the RADIUS server, and the user password is also encrypted with the shared key.
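The two shared-key mechanisms just described, as an added example that is not part of the original notes: User-Password hiding and the Response Authenticator as RFC 2865 specifies them, using the shared key from the configuration above (the username and packet contents are constructed).

```python
"""RADIUS shared-secret mechanisms from RFC 2865: User-Password hiding and the
Response Authenticator. Added example, not Huawei code; packets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block); the first block is chained to the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side: same keystream, chained on the received ciphertext blocks."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length includes the 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """Server computes MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (router) side: recompute the authenticator of a reply and compare it in
    constant time. A host without the shared key cannot produce a valid one."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo(secret: bytes = b"this-is-my-secret", password: bytes = b"cisco"):
    """Round trip with the shared key from the notes; the username is constructed."""
    request_auth = os.urandom(16)                      # fresh per Access-Request
    hidden = hide_password(password, secret, request_auth)
    build_packet(ACCESS_REQUEST, 7, request_auth,
                 [(ATTR_USER_NAME, b"lover"), (ATTR_USER_PASSWORD, hidden)])
    # Server recovers the password, then answers with an Access-Accept.
    recovered = reveal_password(hidden, secret, request_auth)
    accept = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, [], request_auth, secret), [])
    forged = build_packet(ACCESS_ACCEPT, 7, os.urandom(16), [])   # no shared key
    return recovered, verify_response(accept, request_auth, secret), \
        verify_response(forged, request_auth, secret)


if __name__ == "__main__":
    print(demo())   # (b'cisco', True, False)
```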
GRE is in fact a bearer protocol: it provides a mechanism for encapsulating a packet of one protocol inside a packet of another protocol, so that the packet can cross a heterogeneous network; the path the encapsulated packets travel is called a tunnel.
The GRE protocol number is 47. A packet received by the system that needs to be encapsulated and routed is called the payload. It is first encapsulated by GRE into a GRE packet, which is then encapsulated in an IP packet, and the IP layer is responsible for forwarding that packet.
IP/IPX is the passenger protocol, IP is the transport (delivery) protocol, and GRE is the encapsulation protocol.
Encapsulation order, outer to inner:
Link layer
IP
GRE
IP/IPX
Payload
Configuration commands:
interface tunnel number
Tunnel0: source ip: the real address of the local interface
Tunnel0: destination ip: the real address of the peer interface
Tunnel0: ip address: the virtual IP address of the tunnel
Debug command: display tunnel 0
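The encapsulation stack above, built and parsed as an added example that is not part of the original notes: an inner IP packet goes inside a GRE header (with the checksum, key and sequence options the gre commands enable) inside a delivery IP header with protocol 47; the tunnel source is the notes' 192.168.34.51, every other address and the payload are constructed.

```python
"""GRE encapsulation as described above: inner IP packet (passenger) -> GRE header
with the checksum, key and sequence options -> outer IP header with protocol 47
(delivery). Added example, not Huawei code; addresses other than the tunnel
source 192.168.34.51 from the notes are constructed."""
import socket
import struct

GRE_PROTOCOL = 47                 # IP protocol number of GRE
ETHERTYPE_IP = 0x0800             # GRE Protocol Type for an IPv4 passenger
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # gre checksum / gre key / gre sequence-datagrams


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by both the IP header and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                         protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def build_gre(payload: bytes, protocol_type: int = ETHERTYPE_IP, checksum: bool = False,
              key=None, seq=None) -> bytes:
    """GRE header: flags/version, protocol type, then the optional fields in the
    order Checksum+Reserved1, Key, Sequence Number (RFC 2784 / RFC 2890)."""
    flags, options = 0, b""
    if checksum:
        flags |= FLAG_C
    if key is not None:
        flags |= FLAG_K
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        options += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        # covers the whole GRE header (checksum field zero) and the payload
        csum = ones_complement_checksum(header + b"\x00\x00\x00\x00" + options + payload)
        header += struct.pack("!HH", csum, 0)
    return header + options + payload


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE packet; checksum_ok is None when the C flag is not set."""
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    offset = 4
    info = {"protocol_type": protocol_type, "key": None, "seq": None, "checksum_ok": None}
    if flags & FLAG_C:
        offset += 4
        # summing the packet including its checksum field must give zero
        info["checksum_ok"] = ones_complement_checksum(packet) == 0
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["payload"] = packet[offset:]
    return info


def demo() -> dict:
    inner = build_ipv4("10.0.0.2", "10.0.1.2", 17, b"passenger data")      # IP/IPX payload
    gre = build_gre(inner, checksum=True, key=1234, seq=1)                 # GRE
    outer = build_ipv4("192.168.34.51", "203.0.113.9", GRE_PROTOCOL, gre)  # delivery IP
    parsed = parse_gre(outer[20:])
    damaged = bytearray(outer[20:])
    damaged[-1] ^= 0x01                                  # one bit flipped in the payload
    return {"outer_protocol": outer[9], "gre": parsed,
            "inner_intact": parsed["payload"] == inner,
            "damaged_checksum_ok": parse_gre(bytes(damaged))["checksum_ok"]}
```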
IPSEC/IKE
IPsec protocol numbers: ESP 50, AH 51.
AH provides data-origin authentication and data integrity verification.
ESP provides data-origin authentication and data integrity verification and, in addition, encryption.
IPsec has two modes, tunnel and transport. In tunnel mode the user's entire IP packet is used to compute the AH or ESP header; the AH or ESP header and the encrypted user data are then encapsulated in a new IP packet. In transport mode only the transport-layer data is used to compute the AH or ESP header; the AH or ESP header and the encrypted transport-layer data are placed after the original IP header.
AH (Authentication Header) provides data-origin authentication, data integrity and anti-replay protection; algorithms include MD5 and SHA1. AH inserts its header after the standard IP header and protects the packet with a keyed hash.
ESP (Encapsulating Security Payload) encrypts the user data to be protected and then encapsulates it in a standard IP packet; the optional encryption algorithms include DES and 3DES.
Data stream:
Security association (SA): the security services for a data stream are provided through a security association, which includes the protocol, algorithms, keys and other parameters and determines how IP packets are processed. An SA is a one-way logical connection between two IPsec systems; inbound and outbound data streams are handled by inbound and outbound SAs. An SA is uniquely identified by a triple: security parameter index (SPI), IP destination address and security protocol number (AH or ESP). SAs can be configured manually or negotiated automatically. Manual configuration means setting the parameters at both ends by hand; the SA is established once the parameters at the two ends match. Automatic negotiation generates and maintains SAs through IKE.
SPI: security parameter index
A 32-bit value carried in every IPsec packet. Together with the IP destination address and the security protocol number it forms the triple. When IKE negotiates automatically, the SPI value is generated randomly.
Lifetime:
Time-based or traffic-based limits (the SA is renewed after a certain number of bytes have been transmitted).
Security policy (crypto map):
Configured manually by the user to specify the protection applied to the data stream.
Security proposal (transform): the conversion method.
IKE: Internet Key Exchange, the IPsec signaling protocol. It provides automatic SA negotiation and management for IPsec, greatly reducing configuration and maintenance work. IKE never transmits keys directly on the network; instead both parties compute the shared key through a series of exchanges, so a third party intercepting the exchange does not obtain the real key. IKE has a self-protection mechanism that allows keys to be distributed and identities authenticated securely over insecure networks.
Data verification involves two concepts:
1. Ensuring data integrity.
2. Identity protection: authenticating and confirming the identity of both parties. Identity data is encrypted after the key is generated, which protects it.
DH exchange and key distribution:
A public-key algorithm. The communicating parties compute a shared key from exchanged data without ever sending the key itself.
IKE exchange process:
SA exchange, key exchange, ID exchange and authentication. IKE has two phases. The first phase establishes the IKE SA (main mode).
The second phase is quick mode, in which IPsec negotiation is completed under the protection of the IKE SA.
IPsec configuration commands:
1. Create the encryption access control list.
2. Define the security proposal: Quidway] ipsec proposal name
Quidway-ike-proposal-10] encryption-algorithm [des | 3des] // encryption algorithm
Quidway-ike-proposal-10] authentication-method [pre-share]
Quidway-ike-proposal-10] authentication-algorithm [md5 | sha] // hash algorithm
Quidway-ike-proposal-10] dh {group1 | group2}
Quidway-ike-proposal-10] sa duration seconds
Quidway] ike pre-shared-key remote-address
Quidway] ike sa keepalive-timer [interval | timeout] seconds
3. Define the security protocol: Quidway-crypto-transform-trans]
Encapsulation mode: encapsulation-mode transport/tunnel
Select the security protocol: transform {ah-new | esp-new | ah-esp-new}
ah-new authentication-algorithm {md5-hmac-96 | sha1-hmac-96}
esp-new authentication-algorithm {md5-hmac-96 | sha1-hmac-96}
esp-new encryption-algorithm {3des | des ...}
4. Create the security policy:
ipsec policy name sequence-number [manual | isakmp]
Quidway-ipsec-policy-policy1-10] security acl access-list-number // references the access control list
tunnel remote address
proposal proposal1 (2, 3, 4) // references the security proposal(s)
5. Apply on the interface:
Quidway-serial0] ipsec policy policy-name
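What the md5-hmac-96 / sha1-hmac-96 choice in step 3 means on the wire, and the anti-replay check the AH description above mentions, as an added example that is not part of the original notes: the receiver computes the keyed hash over the AH header and payload, keeps the leftmost 96 bits as the ICV, and tracks sequence numbers in a sliding window. The key, SPI and packets are constructed, and the outer IP header (whose mutable fields real AH zeroes before hashing) is left out.

```python
"""AH-style integrity check with md5-hmac-96 / sha1-hmac-96 and a sliding anti-replay
window. Added example, not Huawei code; the key, SPI and packets are constructed,
and the outer IP header (whose mutable fields AH zeroes) is left out."""
import hmac
import struct

ICV_LEN = 12                      # 96-bit truncation per RFC 2403 (MD5) / RFC 2404 (SHA-1)
HASHES = {"md5-hmac-96": "md5", "sha1-hmac-96": "sha1"}
AH_FIXED = 12                     # Next Header, Payload Len, Reserved, SPI, Sequence


def icv(alg: str, key: bytes, data: bytes) -> bytes:
    """Full HMAC, then keep only the leftmost 96 bits."""
    return hmac.new(key, data, HASHES[alg]).digest()[:ICV_LEN]


def build_ah(alg: str, key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """AH header followed by the protected payload. Payload Len is the AH length in
    32-bit words minus 2; the ICV is computed with its own field set to zero."""
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + icv(alg, key, fixed + b"\x00" * ICV_LEN + payload) + payload


class InboundSA:
    """Receiver state for one SA: algorithm, key, SPI and a 64-packet replay window."""

    def __init__(self, alg: str, key: bytes, spi: int, window: int = 64):
        self.alg, self.key, self.spi, self.window = alg, key, spi, window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence (highest - i) already seen

    def _replay_status(self, seq: int) -> str:
        if seq == 0:
            return "seq zero"
        if seq > self.highest:
            return "ok"
        diff = self.highest - seq
        if diff >= self.window:
            return "too old"
        return "replay" if (self.bitmap >> diff) & 1 else "ok"

    def _mark_seen(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.window else 0
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Returns (accepted, reason, payload). Order follows RFC 4302: window check
        first, then ICV, and the window is updated only after the ICV verifies."""
        if len(packet) < AH_FIXED + ICV_LEN:
            return False, "short", b""
        _, _, _, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED])
        if spi != self.spi:
            return False, "spi mismatch", b""
        status = self._replay_status(seq)
        if status != "ok":
            return False, status, b""
        got = packet[AH_FIXED:AH_FIXED + ICV_LEN]
        payload = packet[AH_FIXED + ICV_LEN:]
        expected = icv(self.alg, self.key, packet[:AH_FIXED] + b"\x00" * ICV_LEN + payload)
        if not hmac.compare_digest(got, expected):
            return False, "bad icv", b""
        self._mark_seen(seq)
        return True, "ok", payload


def demo(alg: str = "sha1-hmac-96"):
    key, spi = b"\x5a" * 20, 0x1000           # constructed 160-bit key and SPI
    sa = InboundSA(alg, key, spi)
    send = lambda seq, data: build_ah(alg, key, 17, spi, seq, data)
    results = []
    for seq in (1, 2, 3):
        results.append(sa.receive(send(seq, b"udp-data-%d" % seq))[1])
    results.append(sa.receive(send(2, b"udp-data-2"))[1])         # replayed packet
    tampered = bytearray(send(4, b"udp-data-4"))
    tampered[-1] ^= 0x01
    results.append(sa.receive(bytes(tampered))[1])                # modified in transit
    results.append(sa.receive(send(100, b"x"))[1])                # window slides forward
    results.append(sa.receive(send(30, b"x"))[1])                 # fell out of the window
    results.append(sa.receive(send(50, b"x"))[1])                 # late but inside window
    return results
```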
QoS: Quality of Service
Objectives: to avoid and manage congestion in IP networks
Reduce the IP packet loss rate
Control IP network traffic
Provide dedicated bandwidth for specific users or specific services
Support real-time services on IP networks
Best-effort service model: mainly implemented with FIFO.
Integrated service model (IntServ): an application can request a specific QoS service from the network through signaling; the network reserves resources within the scope described by the traffic parameters to meet the request.
Differentiated service model (DiffServ): when the network is congested, traffic control and forwarding are handled differently according to the service level of the traffic, to resolve the congestion.
RSVP: the first standard QoS signaling protocol. It establishes end-to-end QoS dynamically and lets applications request network bandwidth dynamically. RSVP is not a routing protocol: it reserves resources for a flow along the path chosen by the routing protocol. When the path changes, it follows the new route and requests reserved resources on the new path. RSVP only carries QoS requests between nodes in the network; it does not implement the QoS itself but relies on other technologies such as WFQ. After receiving a request, a network node compares the resource request with the resources it has to decide whether to accept it. Different priorities can be set for resource requests, so that when a higher-priority request finds insufficient resources it can preempt resources held by lower-priority requests.
Disadvantages of RSVP:
All devices end to end must support the protocol.
Network elements keep state for every application, so scalability is poor.
The protocol's packet overhead is large because state information is exchanged periodically.
It is not suitable for large networks.
DiffServ: first, traffic is classified at the edge of the network and given different QoS marks (coloring). Classification can be based on layer 4, layer 3 and layer 2 information in the packet, such as source IP, destination IP, source MAC, destination MAC, and TCP or UDP port number. Then, inside the network, each hop processes packets according to the coloring.
DiffServ has several technical implementations:
CAR: classifies packets according to their information and colors them using Precedence (the top 3 bits of the TOS byte, giving eight classes) or DSCP (the top 6 bits of the TOS byte); CAR also measures and polices traffic.
GTS: shapes the traffic of specified services or all services passing through a network node to meet the expected traffic parameters.
Queue mechanisms: queuing technologies such as FIFO, PQ, CQ and WFQ manage network congestion and schedule the packets of different services according to user-specified policies.
Congestion avoidance: WRED predicts network congestion and discards TCP packets randomly.
Generally, packets are colored at the network edge; inside the network the coloring is used as the basis for queue scheduling, traffic shaping and similar processing.
CAR (committed access rate)
CAR controls traffic with the token bucket algorithm. When CAR is used for policing, packets that conform are normally sent and packets that exceed are discarded.
Commands:
qos carl carl-index {precedence precedence-value | mac mac-address}
qos car {inbound | outbound} {any | acl acl-index | carl carl-index} cir committed-rate cbs burst-size ebs excess-burst-size conform action exceed action
acl: packets matching the access list
carl: packets matching the committed access rate list
cir: the committed rate, 8 kbps to 155 Mbps
ebs: the allowed excess burst size, 0 to 155 M, in bits
conform action: for packets that conform to the traffic contract, one of:
continue
discard
remark-prec-continue xxxxx: sets the packet's precedence and then hands it to the next qos car command.
remark-prec-pass xxxxx: sets the packet's precedence and sends it directly.
pass: sends directly.
exceed action: the action taken on packets that exceed the traffic limit. Note: up to 100 CAR policies can be applied on an interface (inbound or outbound). Before applying a policy, disable fast forwarding.
Example:
Quidway] qos carl 1 precedence 3
Quidway] qos carl 2 precedence 5
Quidway-ethernet0] qos car inbound any cir 800000 cbs 150000 ebs 0 conform remark-prec-continue 5 exceed discard
Quidway-serial1] qos car inbound any cir 800000 cbs 150000 ebs 0 conform remark-prec-continue 3 exceed discard
Quidway-serial0] qos car outbound carl 1 cir 800000 cbs 150000 ebs 0 conform pass exceed discard
Quidway-serial] qos car outbound carl 2 cir 800000 cbs 150000 ebs 0 conform pass exceed discard
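The token-bucket decision behind these qos car lines, as an added example that is not part of the original notes: a bucket of cbs bits refilled at cir, a conform/exceed verdict per packet, and the conform/exceed actions chained across the rules of one interface. The packet trace is constructed, and ebs is taken as 0 as in the examples above, so a single bucket suffices.

```python
"""Token-bucket meter modelling the Huawei qos car conform/exceed decision and
the conform/exceed actions. Added example, not Huawei code; the packet trace
is constructed, and ebs is taken as 0 as in the notes' examples (one bucket)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, int]            # {"size": bytes, "prec": IP precedence 0-7}
Action = Tuple[str, int]           # ("pass" | "discard" | "continue" |
                                   #  "remark-prec-pass" | "remark-prec-continue", precedence)


@dataclass
class CarRule:
    match: Callable[[Packet], bool]
    cir: int                       # committed rate, bits per second
    cbs: int                       # committed burst size = bucket depth, bits
    conform: Action
    exceed: Action
    tokens: float = field(init=False)
    last: float = field(default=0.0, init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs)          # bucket starts full

    def meter(self, now: float, size_bytes: int) -> str:
        """Refill at cir since the last packet (capped at cbs), then try to take
        one token per bit of the packet."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
        self.last = now
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return "conform"
        return "exceed"


def match_any(_: Packet) -> bool:
    return True


def carl_precedence(*precs: int) -> Callable[[Packet], bool]:
    """Equivalent of 'qos carl N precedence X': match on IP precedence."""
    return lambda p: p["prec"] in precs


def apply_car_chain(rules: List[CarRule], pkt: Packet, now: float) -> Tuple[str, Packet]:
    """Walk the interface's CAR rules in order; *-continue actions hand the
    (possibly re-marked) packet to the next rule, pass/discard end processing."""
    pkt = dict(pkt)
    for rule in rules:
        if not rule.match(pkt):
            continue
        action, prec = rule.conform if rule.meter(now, pkt["size"]) == "conform" else rule.exceed
        if action == "discard":
            return "discard", pkt
        if action == "pass":
            return "forward", pkt
        if action == "remark-prec-pass":
            pkt["prec"] = prec
            return "forward", pkt
        if action == "remark-prec-continue":
            pkt["prec"] = prec
        # "continue" (or remark-prec-continue): fall through to the next rule
    return "forward", pkt


def run_trace(rules: List[CarRule], trace) -> List[Tuple[str, Packet]]:
    return [apply_car_chain(rules, {"size": size, "prec": prec}, t) for t, size, prec in trace]


def demo() -> List[Tuple[str, Packet]]:
    """Chain modelled on the notes: 'any' traffic re-marked to precedence 5 on conform
    and discarded on exceed, then a carl rule passing precedence-5 traffic.
    cir 800000 / cbs 150000 as in the examples; 1500-byte packets (constructed)."""
    rules = [
        CarRule(match_any, 800000, 150000, ("remark-prec-continue", 5), ("discard", 0)),
        CarRule(carl_precedence(5), 800000, 150000, ("pass", 0), ("discard", 0)),
    ]
    # 13 packets at t=0 (bucket holds 150000 bits = 12.5 packets), then 8 more
    # 100 ms later, by which time only 80000 bits (6.67 packets) have been refilled.
    trace = [(0.0, 1500, 0)] * 13 + [(0.1, 1500, 0)] * 8
    return run_trace(rules, trace)
```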
GTS configuration commands:
Configure shaping parameters for one class of traffic:
qos gts acl acl-index cir committed-rate [cbs burst-size [ebs excess-burst-size [queue-length length]]]
Configure shaping parameters for all traffic:
qos gts any cir committed-rate [cbs burst-size [ebs excess-burst-size [queue-length length]]]
The default queue length is 50.
LR: physical interface rate limiting (line rate)
On a physical interface, the total rate of packets sent by the interface is limited (it applies to all traffic, whereas GTS and CAR apply only to IP packets).
LR configuration command:
qos lr cir committed-rate [cbs burst-size [ebs excess-burst-size]]
By default, the burst size is twice the committed rate.
Queues are used to manage network congestion: FIFO, PQ, CQ, WFQ.
PQ (priority queuing):
Example:
Quidway] acl 1
Quidway-acl-1] rule permit ip source 10.0.0.0 0.20.255.255
Quidway] qos pql 1 protocol ip acl 1 queue top
Quidway] qos pql 1 inbound-interface serial 1 queue bottom
Quidway] qos pql 1 default-queue middle
Quidway] qos pql 1 queue top queue-length 10
// queue lengths: top 20, middle 40, normal 60, bottom 80
Quidway-serial0] qos pq pql 1
Disadvantage: PQ gives higher-priority packets absolute priority. This guarantees that key services are served first, but if the rate of higher-priority packets is always greater than the interface rate, lower-priority packets are never sent. CQ (custom queuing) avoids this: it lets you configure the bandwidth share of each queue and schedules the queues round-robin according to the configured shares. CQ classifies packets and places each class in one of its queues; for each queue the share of the interface bandwidth can be specified, so that packets of different services get reasonable bandwidth and key services do not take all the bandwidth from non-key services.
CQ queue numbers range from 0 to 16; queue 0 is the system queue, and the default queue is 16.
A defined queue group must be applied to an interface. Only one queue group can be applied to an interface, but one queue group can be applied to multiple interfaces.
Example:
Quidway] acl 1
Quidway-acl-1] rule permit ip source 10.10.0.0 0.0.255.255
Quidway] qos cql 1 protocol ip acl 1 queue 1 // packets matching ACL 1 go to CQ group 1, queue 1
Quidway] qos cql 1 queue 1 queue-length 100 // the length of queue 1 is 100
Quidway] qos cql 1 queue 1 queue-serving 5000 // each round sends 5000 bytes from queue 1
Quidway] qos cql 1 inbound-interface serial 1 queue 2 // packets arriving on interface S1 go to CQ group 1, queue 2
Quidway] qos cql 1 queue 2 queue-length 90
Quidway-serial0] qos cq cql 1 // apply CQ group 1 to the serial interface
WFQ (weighted fair queuing)
Principle: the weight is based on the precedence value in the IP header, to ensure fairness in bandwidth and delay. WFQ classifies packets by flow (packets with the same five-tuple form one flow); each flow is assigned to a queue by a hash function, which performs the queuing automatically. On output, WFQ allocates different bandwidth to each flow according to the flow's priority.
Command: qos wfq queue-length 64 (default maximum number of packets per queue) queue-number 512 (total number of queues)
When packets of many TCP connections are discarded from a queue at the same time, those TCP connections enter slow start and congestion avoidance simultaneously. This is called TCP global synchronization.
RED (random early detection)
WRED (weighted random early detection)
WRED:
1. Uses a random discard policy to avoid the TCP global synchronization caused by tail drop.
2. Predicts congestion from the current average queue length.
3. Defines different discard policies for different priorities, with upper and lower thresholds for each.
4. For queues of different priorities, the longer the queue, the higher the discard probability.
Generally, WRED is used together with WFQ.
Example:
Quidway-serial0] qos wfq // use the WFQ queuing policy on the interface
Quidway-serial0] qos wred // use the default WRED parameters
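The four WRED points above as a drop decision in code, added here and not part of the original notes: an averaged queue length, per-precedence lower/upper thresholds, and a drop probability that rises with the average instead of the all-or-nothing tail drop it replaces. The threshold profiles, the arrival pattern and the small averaging weight used in the demo are constructed.

```python
"""WRED drop decision: per-precedence thresholds applied to an exponentially
weighted average queue length. Added example, not Huawei code; the profiles,
arrival pattern and the small averaging weight are constructed."""
import random
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class WredProfile:
    low: int        # lower threshold: below this average length nothing is dropped
    high: int       # upper threshold: at or above it everything is dropped
    max_p: float    # drop probability reached at the upper threshold


class WredQueue:
    def __init__(self, profiles: Dict[int, WredProfile], weight_exp: int = 9, seed: int = 1):
        self.profiles = profiles              # IP precedence -> thresholds
        self.weight = 2.0 ** -weight_exp      # averaging weight; 2^-9 is a common default
        self.avg = 0.0                        # average queue length
        self.length = 0                       # current queue length, packets
        self.rng = random.Random(seed)        # seeded so the demo is repeatable

    def drop_probability(self, prec: int) -> float:
        """0 below low, rising linearly to max_p at high, 1 at or above high."""
        prof = self.profiles[prec]
        if self.avg < prof.low:
            return 0.0
        if self.avg >= prof.high:
            return 1.0
        return prof.max_p * (self.avg - prof.low) / (prof.high - prof.low)

    def enqueue(self, prec: int) -> bool:
        """Update the average on arrival, then drop randomly rather than only when
        the queue is full (tail drop), so TCP flows do not all back off at once."""
        self.avg = (1 - self.weight) * self.avg + self.weight * self.length
        if self.rng.random() < self.drop_probability(prec):
            return False
        self.length += 1
        return True

    def dequeue(self) -> None:
        if self.length:
            self.length -= 1


def tail_drop_would_accept(length: int, limit: int) -> bool:
    """The behaviour WRED replaces: accept until the queue is full, then drop all."""
    return length < limit


def demo(arrivals: int = 200):
    """Alternate precedence 0 and 5 arrivals with no departures, so the queue fills.
    Precedence 0 gets the aggressive profile, precedence 5 the lenient one."""
    q = WredQueue({0: WredProfile(10, 40, 0.2), 5: WredProfile(30, 60, 0.05)}, weight_exp=3)
    dropped = {0: 0, 5: 0}
    for i in range(arrivals):
        prec = 0 if i % 2 == 0 else 5
        if not q.enqueue(prec):
            dropped[prec] += 1
    return dropped, q.length
```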
QoS monitoring and maintenance:
display qos [car | gts | lr | cq | pq | wfq | wred] [interface type number] // QoS configuration and statistics of the interface
display qos [cql | pql] // displays the PQ and CQ queue lists
Switch part:
Spanning Tree Protocol:
First, each port compares the configuration message it receives with its own configuration message, keeps the one with higher priority, and updates its configuration message accordingly. The main tasks are:
1. Select the root bridge (root ID): the one carried in the best configuration message.
2. Calculate the lowest path cost to the root bridge: if this bridge is not the root, its root path cost is the cost carried in the best configuration message received plus the port cost of the port that received it.
3. Select the root port: if this bridge is the root bridge, the root port is 0; otherwise it is normally the port that received the best configuration message.
4. Designated ports: the ports in forwarding state on the spanning tree other than the root port.
5. After updating its BPDU, the bridge sends its configuration message from its designated ports.
Bridge port timers:
hello time: the bridge sends the configuration message periodically from its designated ports, every HELLO TIME.
message age / max age: the configuration message saved on a port carries a message age field that increases with time. When a configuration message with a lower age than its own is received, the port updates its configuration message. When no configuration message is received for a period and max age is reached, the bridge considers the port's link to have failed; it discards the outdated configuration message and recalculates the spanning tree.
A blocked port does not forward data (it still receives STP protocol packets) until a new event triggers recalculation of the spanning tree, for example another link going down or the port receiving an updated configuration message.
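The election steps 1 to 5 above run as a small simulation, added here and not part of the original notes: configuration messages are compared field by field (root ID, root path cost, sender bridge ID, sender port ID), each bridge picks its root, root path cost and root port, and every other port becomes designated or blocked. The three-switch triangle, its bridge IDs, port IDs and port costs are constructed.

```python
"""Configuration-message comparison and role election from the STP description
above, run on a three-switch triangle. Added example, not Huawei code; bridge
IDs, port IDs and port costs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Configuration message: (root ID, root path cost, sender bridge ID, sender port ID);
# tuple comparison gives "lower wins" on each field in order.
Bpdu = Tuple[int, int, int, int]


@dataclass
class Port:
    port_id: int
    segment: str          # name of the LAN segment the port attaches to
    cost: int             # cost added when the root path runs through this port
    role: str = "designated"


@dataclass
class Bridge:
    bridge_id: int
    ports: Dict[int, Port]
    root_id: int = field(init=False)
    root_path_cost: int = 0
    root_port: int = 0    # 0 on the root bridge, as the notes say

    def __post_init__(self) -> None:
        self.root_id = self.bridge_id          # every bridge starts as its own root

    def message(self, port_id: int) -> Bpdu:
        return (self.root_id, self.root_path_cost, self.bridge_id, port_id)


def run_stp(bridges: List[Bridge], max_rounds: int = 32) -> int:
    """Synchronous rounds until nothing changes; returns the number of rounds."""
    for rounds in range(1, max_rounds + 1):
        # 1. designated ports send their bridge's configuration message onto the segment
        on_segment: Dict[str, List[Tuple[Bpdu, int]]] = {}
        for b in bridges:
            for p in b.ports.values():
                if p.role == "designated":
                    on_segment.setdefault(p.segment, []).append((b.message(p.port_id), b.bridge_id))
        changed = False
        for b in bridges:
            # 2. best message received, with the cost counted through the receiving port
            best = None
            for p in b.ports.values():
                for msg, sender in on_segment.get(p.segment, []):
                    if sender != b.bridge_id:
                        cand = (msg[0], msg[1] + p.cost, msg[2], msg[3], p.port_id)
                        if best is None or cand < best:
                            best = cand
            own = (b.bridge_id, 0, b.bridge_id, 0)
            if best is not None and best[:4] < own:
                new_state = (best[0], best[1], best[4])        # root, cost, root port
            else:
                new_state = (b.bridge_id, 0, 0)
            if new_state != (b.root_id, b.root_path_cost, b.root_port):
                b.root_id, b.root_path_cost, b.root_port = new_state
                changed = True
            # 3. roles: root port; else designated if our message beats every other
            #    message on the segment; else blocked
            for p in b.ports.values():
                if p.port_id == b.root_port:
                    role = "root"
                else:
                    others = [m for m, s in on_segment.get(p.segment, []) if s != b.bridge_id]
                    role = "designated" if all(b.message(p.port_id) < m for m in others) else "blocked"
                if role != p.role:
                    p.role = role
                    changed = True
        if not changed:
            return rounds
    raise RuntimeError("spanning tree did not converge")


def summary(bridges: List[Bridge]) -> Dict[int, tuple]:
    return {b.bridge_id: (b.root_id, b.root_path_cost, b.root_port,
                          {pid: p.role for pid, p in b.ports.items()}) for b in bridges}


def demo() -> Dict[int, tuple]:
    """Triangle A(1)-B(2)-C(3), each port cost 19 (100 Mb/s); lowest bridge ID wins."""
    a = Bridge(1, {1: Port(1, "AB", 19), 2: Port(2, "AC", 19)})
    b = Bridge(2, {1: Port(1, "AB", 19), 2: Port(2, "BC", 19)})
    c = Bridge(3, {1: Port(1, "AC", 19), 2: Port(2, "BC", 19)})
    run_stp([a, b, c])
    return summary([a, b, c])
```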
