Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Traditional Data Center Deployment Solution

Overview

Purpose

This document provides a detailed data center design for a level-1 bank branch, covering the network architecture, IP address and VLAN planning, routing design, security design, network reliability design, and network management system design for the data center. You can use this document as a reference for data center project implementation.

Typical Networking
Logic Architecture

The following figure shows the logical topology of the level-1 bank branch's data center network, which is divided into multiple areas depending on the functions provided.

The following describes the functional areas.

Area: Open platform area (OP)
Function and positioning: Provides access to the open systems in production, including the accounting system and other accounting-related and non-accounting service systems. This is the main business area for communication between production and office departments.
Accessible to: Clients and servers

Area: Operation and management area (OM)
Function and positioning: Hosts the servers used for system operation, monitoring, and maintenance. This area is responsible for network and system management and maintenance.
Accessible to: Only a small number of authorized maintenance users

Area: Development and testing area (DT)
Function and positioning: Accommodates servers of systems that have not yet been put into production, including hosts and open platform systems under development or test.
Accessible to: Clients and servers

Area: MAN/WAN access area (WN/MN)
Function and positioning: Connects the level-1 bank branch to the head office and its data center, to downstream level-2 branches and outlets, and to offices, branches, and outlets in the local city. This area provides the connections between the level-1 branch's LANs and its subordinate branches.
Accessible to: ATM machines, POS machines, teller terminals, maintenance users, office terminals, and terminals in business centers

Area: Local user access area (LU)
Function and positioning: Provides access for the various local user terminals.
Accessible to: Local maintenance users, local office terminals, and terminals in local business centers

Area: DMZ extranet (EP)
Function and positioning: Interconnects with the business platforms of partners, major accounts, and agents over carrier lines.
Accessible to: Partners, international branches, off-bank devices (3G/2G/PSTN), telephone banking systems, and customer service centers

The level-1 bank branch's data center network is logically divided into three layers: core, distribution, and access layers.

  • Core layer: high-speed Layer 3 switching backbone network. This layer is not directly connected to terminals or servers and does not provide functions that will affect high-speed switching performance, such as ACL.
  • Distribution layer: boundary of Layer 2 and Layer 3 networks, and boundary of functional areas. This layer connects to the core layer at Layer 3 and connects to the access layer at Layer 2. It provides the following functions:
    • Acts as a unified gateway for terminals and servers in the functional areas.
    • Summarizes routes within each functional area.
    • Implements inter-VLAN routing within each functional area.
    • Provides routing policies for communication between functional areas and the core layer.
    • Applies ACLs to control communication between systems within a functional area.
    • Has firewalls deployed to enforce access control between areas.
  • Access layer: connects to the distribution layer and consists of the following devices:
    • Access switch (AS)

      Provides Layer 2 access for servers and terminals and isolates users through VLANs.

    • Access router (AR)

      Provides access to the WAN and MAN networks, and functions as autonomous system boundary router (ASBR) to implement routing control.

Physical Architecture

The following figure shows the physical network connections of the level-1 bank branch's data center.

In the core switching area, two high-performance data center switches are deployed, and they are interconnected through 10GE bundled links to provide highly reliable, high-speed switching.

The switches in the core switching area and distribution layer are connected in square networking to implement redundancy of physical links, enhancing network reliability. The core switches and distribution switches are connected using bundled 10GE or GE links.

The distribution layer of each area has two high-performance switches deployed for traffic aggregation in the area. The two switches are interconnected using bundled 10GE or GE links depending on the line cards used in the switches. Access switches in each area are dual-homed to two distribution switches.

Firewalls are deployed in each area for access control. Firewalls are connected to distribution switches in bypass mode through bundled GE links. The two firewalls in an area work in active/standby mode. If the active firewall fails, traffic is switched to the standby firewall within a short time. If both firewalls fail, service traffic can be switched to the bypass link, which does not pass through the firewalls, so that data forwarding and services continue. While the bypass is in use the area runs without firewall access control, so this switchover is a deliberate operational step (it is performed manually, see Firewall Deployment) and the firewalls should be restored as soon as possible.

The two pairs of firewalls in the extranet area are connected to distribution switches, access switches, and access routers in square networking to enhance network reliability.

Products Used

Huawei CE12816, CE12808, and CE6800 switches are used at the core layer, distribution layer, and access layer, respectively. Huawei NE40E-X8 is used at the access layer as the access router. Huawei USG5500 is used as the firewall.

Network Architecture Design
Core Switching Area

The following figure shows the core switching area of the level-1 bank branch's data center.

The core layer connects to each functional area in the data center. Two high-performance CE12816 data center switches are deployed at the core layer, which are interconnected using an Eth-Trunk of two 10GE links to enhance connection reliability.

Product model:

Core switch (CS): Huawei CE12816

Open Platform Area

The following figure shows the open platform area of the level-1 bank branch's data center.

The distribution layer of the open platform area has two high-performance CE12808 data center switches, which use 2x10GE inter-card Eth-Trunk links to connect to each other and the upstream core switches. The CE6800 switches at the access layer are dual-homed to the CE12808 switches through GE links.

The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the open platform area and other functional areas. The firewalls use 4xGE inter-card Eth-Trunk links for uplink and downlink connections.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE6800

Firewall: Huawei USG5500

Development and Testing Area

The following figure shows the development and testing area of the level-1 bank branch's data center.

The distribution layer of the development and testing area has two high-performance CE12808 data center switches, which use 2x10GE inter-card Eth-Trunk links to connect to each other and the upstream core switches. The CE6800 switches at the access layer are dual-homed to the CE12808 switches through GE links.

The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the development and testing area and other functional areas. The firewalls use 4xGE inter-card Eth-Trunk links for uplink and downlink connections.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE6800

Firewall: Huawei USG5500

Operation and Management Area

The following figure shows the operation and management area of the level-1 bank branch's data center.

This area is the network management and maintenance center of the level-1 bank branch. It collects running status data of managed systems and devices, monitors network and system status, issues management instructions, and detects system failures to help in troubleshooting.

The distribution layer of the operation and management area has two high-performance CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical interfaces to connect to each other and the upstream core switches. The CE6800 switches at the access layer are dual-homed to the CE12808 switches through GE links.

The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the operation and management area and other functional areas. The firewalls use inter-card Eth-Trunk links of two GE optical interfaces for uplink and downlink connections.

The following systems are deployed in this area:

Management server: uses the Simple Network Management Protocol (SNMP) to collect network and system running information and receive logs and alarms sent from various systems on the network. The management server summarizes and processes management information collected from the network, monitors running status of the data center network and systems, and generates network and system management reports.

Management platform: enables maintenance personnel to access the management server to diagnose and rectify faults of devices.

Security tools: guarantee system security. Security tools include RADIUS server, intrusion detection system (IDS) server, and antivirus server.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE6800

Firewall: Huawei USG5500

Local User Access Area

The following figure shows the local user access area of the level-1 bank branch's data center.

This area is designed to enable communication between various types of user terminals.

The distribution layer of the local user access area has two high-performance CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical interfaces to connect to each other and the upstream core switches. The CE6800 switches at the access layer are dual-homed to the CE12808 switches through GE links.

The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the local user access area and other functional areas. The firewalls use inter-card Eth-Trunk links of two GE optical interfaces for uplink and downlink connections.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE6800

Firewall: Huawei USG5500

MAN/WAN Access Area

The following figure shows the MAN/WAN area of the level-1 bank branch's data center.

This area connects upstream and downstream routers, and allows communication between access switches in the same city.

The distribution layer of this area has two high-performance CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical interfaces to connect to each other and the upstream core switches. The access routers connect to the distribution switches in dual-homing mode.

The MAN/WAN access area is only used for access to the WAN or MAN and has no servers, so no firewalls need to be deployed in this area. The offices and banking outlets in the same city and the level-2 bank branches deploy a Unified Threat Management (UTM) system to provide security at those sites.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access router (AR): Huawei NE40E-X8

Extranet Area

The following figure shows the extranet area of the level-1 bank branch's data center.

The extranet area provides network connections to partners. To improve security of the area and prevent Internet users from directly accessing servers of the bank, a two-layer heterogeneous firewall architecture is used to partition the entire area into three security subareas of different security levels: extranet area, DMZ, and intranet area. The following table describes functions of the three security subareas.

Subarea

Function

Extranet area

Allows partners to connect to the network through private lines and translates private IP addresses of packets sent from partners into private IP addresses in the DMZ.

DMZ

Deploys front end servers for partners.

Intranet area

Deploys systems on the level-1 bank branch's data center network.

The access layer, distribution layer, and core layer of the extranet area provide different network functions, with ascending security levels. The following table describes devices in the extranet area.

Role

Function

Extranet router

To provide access for partners, two extranet routers connect to lines of different carriers. The primary line connects to the master router, and the backup line connects to the backup router, implementing link redundancy.

The routers' interfaces connected to the external firewalls run the Virtual Router Redundancy Protocol (VRRP). Generally, data flows are forwarded through the master router. If the master router fails, traffic will be switched to the backup router. VRRP enhances system reliability through redundancy and prevents single-point failures.

If routers are connected to links that do not support automatic link state detection, for example, ATM or MSTP links, configure a link failure detection protocol such as OAM or BFD on the interfaces. In this case, ensure that the remote ends also support the link failure detection protocol.

External firewall

Security policies need to be configured on the firewalls according to application requirements to implement logical isolation and security control between the extranet area and DMZ.

The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally, one firewall works in active mode, and the other works in standby mode. If the active firewall fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data forwarding and normal service operations.

Access switch

The switches connect to front end servers in the extranet and connect to each other through a 2xGE Eth-Trunk link to enhance reliability.

More access switches can be added to the extranet based on business requirements.

Internal firewall

Security policies need to be configured on firewalls according to application requirements to implement logical isolation and security control between the DMZ and intranet.

The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally, one firewall works in active mode, and the other works in standby mode. If the active firewall fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data forwarding and normal service operations.

Distribution switch

The switches connect the extranet to the LANs on the data center network.

The two switches are interconnected through two bundled links to enhance reliability.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE12808

Access router (AR): Huawei NE40E-X8

Firewall: Huawei USG5500

Firewall Deployment

The level-1 bank branch's data center network has firewalls deployed in the open platform area (OP), development and testing area (DT), local user access area (LU), and operation and management area (OM) to improve network security. Access control policies are configured on the firewalls to isolate different functional areas, control communication between the areas, and protect servers in these areas.

The firewalls are connected to distribution switches in bypass mode, as shown in the following figure.

  • The firewalls are deployed in the HA architecture and work in preemption mode. When both firewalls are running normally, FW1 acts as the active firewall, and FW2 acts as the standby firewall.
  • The two firewalls exchange heartbeat packets through two directly connected interfaces.
  • FW1 and FW2 are connected to the distribution switches in bypass mode.
  • Link aggregation is used between the firewalls and distribution switches. Two or four uplink interfaces of the active firewall FW1 are bundled into Eth-Trunk 1 and connected to DS1. Two or four downlink interfaces of FW1 are bundled into Eth-Trunk 2 and connected to DS1. The number of member interfaces in an Eth-Trunk is determined based on the requirements in the area. Two or four uplink interfaces of the standby firewall FW2 are bundled into Eth-Trunk 1 and connected to DS2. Two or four downlink interfaces of FW2 are bundled into Eth-Trunk 2 and connected to DS2.
  • The firewalls monitor the physical status of Eth-Trunk 1 and Eth-Trunk 2. If either Eth-Trunk interface fails, an active/standby switchover is triggered. Then FW2 becomes the active firewall, and FW1 becomes the standby firewall.
  • If both firewalls are faulty, manually switch data traffic to the bypass link so that it no longer passes through the firewalls. The bypass link is an independent link deployed between the uplink and downlink VRF instances. While the bypass is in use, traffic between this area and the rest of the data center is not subject to the firewall policies, so the switchover should be a deliberate, recorded decision and the firewalls restored as soon as possible.
  • The firewalls communicate with the distribution switches using static routes and run VRRP.
  • Trusted and untrusted zones are defined on the firewalls, and security policies are configured based on application requirements to implement isolation and security control between the trusted and untrusted zones.

Product models:

Core switch (CS): Huawei CE12816

Distribution switch (DS): Huawei CE12808

Access switch (AS): Huawei CE6800

Firewall: Huawei USG5500

Service Design and Configuration

System Configuration
Device Login Configuration

Users can log in to the device through a console port, Telnet, or STelnet to perform local or remote device maintenance. A user must use the console port to log in to the device for the first time. Telnet or STelnet can be used to implement remote management and maintenance.

The following describes how to log in to the device through the console port and STelnet.

  • Logging in to a device through a console port

    Before logging in to the device through a console port, complete the following tasks:

    1. Prepare a console cable.
    2. Install the terminal emulation software on the PC.
      NOTE:

      You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000) on the PC. If no built-in terminal emulation software is available, use the third-party terminal emulation software. For details, see the software user guide or online help.

    Procedure:

    Use the terminal simulation software to log in to the device through a console port.

    1. Insert a DB9 plug of a console cable delivered with the device into a 9-pin serial socket on a PC, and insert an RJ-45 connector into the console port of the device, as shown in the following figure.
      Figure 5-1 Connecting the PC to the device through the console port
    2. Start the terminal emulation software on the PC, establish a connection, and set the connected interface and communication parameters.
      NOTE:

      One PC may have multiple connection interfaces. Select the interface connected to the console cable. Usually, the interface COM1 is selected.

      If the communication parameters of the device's serial interface have been changed from the defaults, set the PC's terminal parameters to the same values and reconnect to the serial interface.

    3. Press Enter until the system asks you to enter the password. (During AAA authentication, the system asks you to enter the user name and password. The following information is for your reference only.)
      Login authentication
      
      
      Password:

      You can run commands to configure the device. Enter a question mark (?) whenever you need help.

  • Logging in to the device using STelnet

    Before logging in to the device through STelnet, complete the following tasks:

    1. Configure routes between a terminal and the device.
    2. Install the SSH client software on the terminal.

      Procedure:

    1. Configure the STelnet server functions and parameters.
      <HUAWEI> system-view
      [~HUAWEI] rsa local-key-pair create
      The key name will be: HUAWEI_Host
      The range of public key size is (512 ~ 2048).
      NOTE: Key pair generation will take a short while.
      Input the bits in the modulus [default = 2048] : 2048
      [*HUAWEI] stelnet server enable
      [*HUAWEI] commit
    2. Configure the SSH user login interface.
      [~HUAWEI] user-interface vty 0 4
      [~HUAWEI-ui-vty0-4] authentication-mode aaa
      [*HUAWEI-ui-vty0-4] protocol inbound ssh
      [*HUAWEI-ui-vty0-4] commit
      [~HUAWEI-ui-vty0-4] quit
    3. Configure an SSH user.

    You need to configure the authentication mode. The device supports the following authentication modes: RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all. The combined modes are described as follows:

    password-rsa: Both password and RSA authentication must succeed.

    password-dsa: Both password and DSA authentication must succeed.

    password-ecc: Both password and ECC authentication must succeed.

    all: Any one of password, RSA, DSA, or ECC authentication is sufficient. This is the weakest setting, because a single factor grants access; for maintenance accounts prefer a public-key mode or one of the password-plus-key modes.

    [~HUAWEI] ssh user client001
    [*HUAWEI] ssh user client001 authentication-type password
    [*HUAWEI] ssh user client001 service-type stelnet 
    [*HUAWEI] aaa
    [*HUAWEI-aaa] local-user client001 password irreversible-cipher Huawei@123
    [*HUAWEI-aaa] local-user client001 level 3
    [*HUAWEI-aaa] local-user client001 service-type ssh
    [*HUAWEI-aaa] quit
    [*HUAWEI] commit

    4. Log in to the device through STelnet.

    The PuTTY software is used as an example.

    # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type, as shown in the following figure.

    Figure 5-2 Logging in to the SSH server through PuTTY in password authentication mode

    # Click Open. Enter the user name and password as prompted, and press Enter. You have logged in to the SSH server. (The following information is for your reference only.)

    login as: client001
    Sent username "client001"
    client001@10.137.217.203's password:
    
    Warning: The initial password poses security risks.
    The password needs to be changed. Change now? [Y/N]: n
    
    Info: The max number of VTY users is 21, the number of current VTY users online is 2, and total number of terminal users online is 2.
          The current login time is 2012-08-04 20:09:11+00:00.
          First login successfully.
    <HUAWEI>

Device Naming Configuration

Devices in this project are named using letters and numbers to facilitate tier-1 branch data center network implementation and branch network O&M. The name format is field 1_field 2_field 3_nn.

Each field is described as follows according to the tier-1 branch data center network construction implementation objectives.

Field 1

Identifies the device installation position. For a tier-1 branch data center, the value is as follows:

Abbreviation of the tier-1 branch area + abbreviation of the local area + bank level

The bank level is encoded as follows:

Data center: 0

Tier-1 branch: 1

Tier-2 branch: 2

Tier-3 branch: 3

Reserved: 4

Outlet: 5

Downstream ATM: 6

For example, a branch at Changjiang Road in Hefei, Anhui province can be identified as AHCJL3 (AH for Anhui, CJL for Changjiang Road, 3 for a tier-3 branch).

Field 2

Identifies a functional area. According to the network architecture of the tier-1 branch data center, areas are defined as follows:

  1. Core area: CO
  2. Open platform area: OP
  3. Development and testing area: DT
  4. Operation and management area: OM
  5. Local user access area: LU
  6. Extranet: EP
  7. MAN/WAN access area: WN

Field 3

Identifies device functions and is defined as follows according to the logical hierarchy of the tier-1 branch data center:

  1. Core switch: CS
  2. Distribution switch: DS
  3. Access switch: AS
  4. WAN access router: AR
  5. Firewall: FW

nn

Number of network devices of the same application system in the same area: 01 to 99

For example, DS 1 in the open platform area of xx Branch is named XX1_OP_DS_01.

Common configuration:

<HUAWEI> system-view
[~HUAWEI] sysname XX1_OP_DS_01
[*HUAWEI] commit
Device Management Configuration

Device management configuration includes restarting a device and specifying system startup files for the next startup.

The recommended configuration is to specify startup files for the next startup.

  • Restarting a Device

    To make the specified system software and files take effect, restart the device after the system startup configuration is complete. A device can be restarted immediately or at a scheduled time.

    Example for restarting a device immediately:

    <HUAWEI> reboot

    Example for restarting a device at a scheduled time:

    <HUAWEI> schedule reboot at 22:00
    Warning: The current configuration will be saved to the next startup saved-configuration file. Continue? [Y/N]:y                
    Now saving the current configuration...                         
    Save the configuration successfully.                           
    Info: Reboot system at 22:00:00 2015/07/17 UTC (in 15 hours and 49 minutes).    
    Confirm? [Y/N]:y  
  • Specifying system startup files

    Specify the system software and configuration file for system startup so that the device will start with the specified software and initialize with the specified configuration file. If a new patch needs to be loaded during system startup, specify a patch file.

    Example for specifying the system software for the next startup:

    <HUAWEI> startup system-software basicsoft.cc slave-board

The optional parameter slave-board is valid only for switches with two MPUs.

Network Management Configuration

Network management is an important part in the standard configuration. Currently, SNMP is widely used for network management. SNMP includes three versions: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 and SNMPv2c perform authentication using community names, resulting in security risks. SNMPv3 is recommended because it is more secure.

The following example configures a device to communicate with the NMS using SNMPv3.

  1. Enable the SNMP agent.
    <HUAWEI> system-view
    [~HUAWEI] snmp-agent
  2. Configure the SNMP version to SNMPv3.
    [*HUAWEI] snmp-agent sys-info version v3
    NOTE:

    You can configure the SNMP version according to your requirements while ensuring that the device and NMS use the same SNMP version. If they use different SNMP versions, the device cannot connect to the NMS.

  3. Configure user access rights.

    # Configure an ACL that permits only packets from the NMS at 192.168.1.10, so that SNMP access is restricted to that host.

    [*HUAWEI] acl 2001
    [*HUAWEI-acl4-basic-2001] rule permit source 192.168.1.10 0.0.0.0
    [*HUAWEI-acl4-basic-2001] quit

    # Configure the MIB view as alliso and include the view iso.

    [*HUAWEI] snmp-agent mib-view include alliso iso
    NOTE:

    You are advised to configure user access rights according to your requirements.

  4. Set the SNMPv3 user group name to huawei_group, user name to huawei_user, and security level to privacy, and apply access control.
    [*HUAWEI] snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
    [*HUAWEI] snmp-agent usm-user v3 huawei_user group huawei_group
    [*HUAWEI] snmp-agent usm-user v3 huawei_user authentication-mode sha
    Please configure the authentication password (8-255)
    Enter Password:               //Enter an authentication password.
    Confirm Password:             //Confirm the authentication password.
    [*HUAWEI] snmp-agent usm-user v3 huawei_user privacy-mode aes256
    Please configure the privacy password (8-255)
    Enter Password:               //Enter an encryption password.
    Confirm Password:             //Confirm the encryption password.
  5. Configure a trap host.
    [*HUAWEI] snmp-agent target-host trap address udp-domain 192.168.1.10 params securityname huawei_user v3 privacy
    [*HUAWEI] commit
Information Center Configuration

The operation and management area is the network management and maintenance center. It collects the device operating status. To monitor the device operating status and locate faults, send device logs to the management server in the operation and management area through the information center.

  1. Enable the information center.

    <HUAWEI> system-view
    [~HUAWEI] info-center enable
    [*HUAWEI] commit

  2. Configure the device to output logs to a log host.

    [~HUAWEI] info-center loghost 10.1.1.1
    [*HUAWEI] commit

NTP Configuration

An NTP clock source on a data center network provides clock signals for all network devices. All network devices in data centers synchronize their clocks with the NTP clock source.

Set the NTP working mode of all network devices to the unicast server/client mode, configure CS1 as the primary time server, and ensure that CS1 has synchronized its time with an authoritative clock (for example, a GPS-based reference). Configure CS2, the DSs, and the ASs as clients. To ensure security, enable NTP authentication on the server and on every client.

Configure the NTP master clock, and enable the NTP authentication and NTP server functions on CS1.

<CS1> system-view
[~CS1] ntp refclock-master 1
[*CS1] ntp authentication enable
[*CS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*CS1] ntp trusted authentication-keyid 42
[*CS1] undo ntp server disable
[*CS1] commit

Specify CS1 as the NTP server on DS1. The other configurations are similar.

<DS1> system-view
[~DS1] ntp authentication enable
[*DS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*DS1] ntp trusted authentication-keyid 42
[*DS1] ntp unicast-server 10.100.1.1 authentication-keyid 42
[*DS1] commit
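The Device Login, Network Management, Information Center, and NTP sections above each give one configuration fragment; what a practitioner then wants is a check that a device actually ended up in that state. The following Python script is an added example, not part of the Huawei document and not a Huawei tool. It reads the text of a saved configuration (as produced by display current-configuration) and reports deviations from those sections: Telnet still enabled, VTY lines not restricted to SSH or not using AAA, SNMPv1/v2c or community strings present, an SNMPv3 group without privacy or without an ACL, a user without privacy-mode, no log host, and NTP without authentication or a server reference without a key ID. SAMPLE_CONFIG is constructed for the example and deliberately contains four weaknesses; the names, addresses, and the %^%# placeholders standing in for cipher text are assumptions.

```python
"""Management-plane audit of a CloudEngine configuration excerpt.

Added example, not from the Huawei document. It checks the hardening points of
the Device Login, Network Management, Information Center and NTP sections
against saved configuration text. SAMPLE_CONFIG is constructed, contains
deliberate weaknesses, and its names, addresses and cipher placeholders are assumptions.
"""
import re

SAMPLE_CONFIG = """\
sysname XX1_OP_DS_01
#
stelnet server enable
telnet server enable
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent community read cipher %^%#redacted%^%#
snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
snmp-agent usm-user v3 huawei_user group huawei_group
snmp-agent usm-user v3 huawei_user authentication-mode sha
snmp-agent usm-user v3 huawei_user privacy-mode aes256
#
info-center enable
info-center loghost 10.1.1.1
#
ntp authentication enable
ntp authentication-keyid 42 authentication-mode hmac-sha256 cipher %^%#redacted%^%#
ntp trusted authentication-keyid 42
ntp unicast-server 10.100.1.1
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""

def stanza(config, header):
    """Stripped indented lines under the first line that starts with header, else []."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):
                    break
                body.append(sub.strip())
            return body
    return []

def audit(config):
    """Return (code, message) findings; an empty list means every check passed."""
    lines = [line.strip() for line in config.splitlines()]
    present = lambda pattern: any(re.match(pattern, line) for line in lines)
    findings = []
    # Device login: remote maintenance is STelnet only, authenticated through AAA.
    if present(r"telnet server enable$"):
        findings.append(("TELNET_ENABLED", "Telnet server is enabled; use STelnet only"))
    if not present(r"stelnet server enable$"):
        findings.append(("STELNET_DISABLED", "STelnet server is not enabled"))
    vty = stanza(config, "user-interface vty")
    if "authentication-mode aaa" not in vty:
        findings.append(("VTY_AUTH", "VTY lines do not use AAA authentication"))
    if "protocol inbound ssh" not in vty:
        findings.append(("VTY_PROTOCOL", "VTY lines accept protocols other than SSH"))
    # Network management: SNMPv3 only, privacy level, ACL-restricted, no community strings.
    v3_users, priv_users = set(), set()
    for line in lines:
        m = re.match(r"snmp-agent sys-info version (.+)", line)
        if m and re.search(r"\bv1\b|\bv2c\b", m.group(1)):
            findings.append(("SNMP_VERSION", "SNMPv1/v2c is enabled: " + line))
        if line.startswith("snmp-agent community "):
            findings.append(("SNMP_COMMUNITY", "community-based SNMP access is configured"))
        m = re.match(r"snmp-agent group v3 (\S+)(.*)", line)
        if m:
            if "privacy" not in m.group(2).split():
                findings.append(("SNMP_GROUP_NOPRIV", f"group {m.group(1)} is not at privacy level"))
            if "acl" not in m.group(2).split():
                findings.append(("SNMP_GROUP_NOACL", f"group {m.group(1)} has no ACL"))
        m = re.match(r"snmp-agent usm-user v3 (\S+) (group|privacy-mode) ", line)
        if m:
            (v3_users if m.group(2) == "group" else priv_users).add(m.group(1))
    for user in sorted(v3_users - priv_users):
        findings.append(("SNMP_USER_NOPRIV", f"user {user} has no privacy-mode"))
    # Information center: logs must reach the log host in the OM area.
    if not present(r"info-center loghost \S+"):
        findings.append(("NO_LOGHOST", "no info-center loghost configured"))
    # NTP: authentication enabled and every server reference bound to a key.
    if not present(r"ntp authentication enable$"):
        findings.append(("NTP_NOAUTH", "ntp authentication is not enabled"))
    for line in lines:
        if line.startswith("ntp unicast-server ") and "authentication-keyid" not in line:
            findings.append(("NTP_SERVER_NOKEY", "unauthenticated NTP server: " + line))
    return findings

def audit_codes(config):
    """Sorted finding codes, for comparison against an expected baseline."""
    return sorted(code for code, _ in audit(config))
```

Run audit() over each device's saved configuration after commissioning and again on a schedule; the stable codes make it easy to diff the result against an accepted baseline per device.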
Service Configuration
Interface Configuration

To ensure network reliability, physical interfaces comply with the following rules:

  • An interface uses the auto-negotiation mode by default.

    For example, the common configuration of a 10GE electrical interface is as follows:

    <HUAWEI> system-view
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] undo negotiation disable
    [*HUAWEI-10GE1/0/1] speed auto 100 1000 10000
    [*HUAWEI-10GE1/0/1] commit
  • The physical interface that is not in use must be in shutdown state.

    Common configuration:

    <HUAWEI> system-view
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] shutdown
    [*HUAWEI-10GE1/0/1] commit
  • An interface has link fault detection enabled.

    Common configuration:

    <HUAWEI> system-view
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] port crc-statistics trigger error-down
    [*HUAWEI-10GE1/0/1] commit
  • The interfaces that are used for device interconnection are enabled in descending order of interface number, and the interfaces that are used for terminal connections are enabled in ascending order of interface number.
VLAN Configuration

The network is divided into multiple areas based on service types. In each area, there are multiple types of application systems. Each service involves multiple sub-systems, which have different service characteristics, protocol types, QoS requirements (such as the delay and jitter), and security levels.

VLAN assignment needs to be configured to achieve the preceding network architecture. VLAN technology differentiates services to implement QoS. It also logically isolates services with different security levels, so that different security policies are enforced for different VLANs and applications to improve network security.

Here, interface-based VLAN assignment is used. The principles and notes of VLAN assignment are as follows:

  1. VLAN assignment principles
    • Assign VLANs for interconnection between areas. VLAN IDs are valid only within an area; a VLAN cannot span multiple areas.
    • Assign a VLAN range to each functional area, and within that range assign VLANs to applications of different levels. Reserve some VLANs in each area for the expansion of application systems.
    • Define different VLAN ranges for different areas and assign different VLANs to different service systems. Place servers of the same service system in the same VLAN and assign VLANs in ascending order of VLAN ID. MAN and WAN users share VLANs with local users.
  2. VLAN configuration notes
    • In a functional area, all user VLANs are configured on the ASs and DSs. AS-DS and DS-DS Eth-Trunk links allow packets from the service VLANs of the local area to pass through.
    • An Eth-Trunk link must not be configured to allow packets from all VLANs to pass through.
    • No Eth-Trunk link allows packets from VLAN 1 to pass through.

The following table describes the VLAN design.

Table 5-1 VLAN design

| No. | Function                       | VLAN ID                       | Remarks                     |
|-----|--------------------------------|-------------------------------|-----------------------------|
| 1   | Open platform area             | 200-399                       | -                           |
| 2   | Development and testing area   | 400-499                       | -                           |
| 3   | Operation and management area  | 500-599                       | -                           |
| 4   | Local user access area         | 850-949                       | Shared by MAN and WAN users |
| 5   | Extranet                       | 650-699                       | -                           |
| 6   | Network device interconnection | 800-849                       | -                           |
| 7   | Network device management      | 600-649                       | -                           |
| 8   | Reserved                       | 10-199, 700-799, and 950-1049 | -                           |

Configure AS-server links as access links and the AS-DS and DS-DS links as trunk links.

VLAN configuration (AS1 is used as an example):
<AS1> system-view
[~AS1] vlan batch 200
[*AS1] interface ge 1/0/1
[*AS1-GE1/0/1] port default vlan 200
[*AS1-GE1/0/1] quit
[*AS1] interface 10ge 1/0/11
[*AS1-10GE1/0/11] port link-type trunk
[*AS1-10GE1/0/11] port trunk allow-pass vlan 200
[*AS1-10GE1/0/11] undo port trunk allow-pass vlan 1
[*AS1-10GE1/0/11] quit
[*AS1] interface 10ge 1/0/12
[*AS1-10GE1/0/12] port link-type trunk
[*AS1-10GE1/0/12] port trunk allow-pass vlan 200
[*AS1-10GE1/0/12] undo port trunk allow-pass vlan 1
[*AS1-10GE1/0/12] quit
[*AS1] commit
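The VLAN notes above are easy to state and easy to get wrong on a live switch (a trunk that still carries VLAN 1, or `allow-pass vlan all` left in by a hurried engineer). The following is an added audit script, not part of this document or the switch software; it parses a prompt-style transcript like the ones shown here and reports deviations from the VLAN rules and the Table 5-1 ranges. The sample transcript, the host-to-range mapping and the prompt pattern are constructed for illustration.

```python
"""Audit prompt-style CLI transcripts against this design's VLAN rules.
Added example, not from the original document. Rules checked (VLAN notes and
Table 5-1): a trunk must not carry VLAN 1 (allowed by default on Huawei trunks)
or all VLANs, and service VLANs must fall inside the area's range.
The transcript and host-to-range mapping below are constructed sample data."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))
# Matches '<AS1> cmd', '[~AS1] cmd' and '[*AS1-10GE1/0/11] cmd' (hostnames without '-').
PROMPT_RE = re.compile(r"^\s*[<\[][~*]?(?P<host>[^\]>\-]+)(?:-(?P<view>[^\]>]+))?[>\]]\s*(?P<cmd>.*)$")

def expand_vlans(spec: str) -> set[int]:
    """Expand a VLAN list such as '200 300 to 302'; 'all' means every VLAN."""
    if spec.strip() == "all":
        return set(ALL_VLANS)
    vlans: set[int] = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

@dataclass
class Port:
    name: str
    link_type: str = "access"
    default_vlan: int = 1
    allowed: set[int] = field(default_factory=lambda: {1})  # trunk default: VLAN 1 allowed

def parse_transcript(text: str) -> dict[str, dict[str, Port]]:
    """Return {hostname: {interface: Port}} from the interface commands in a transcript."""
    devices: dict[str, dict[str, Port]] = {}
    current: Port | None = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            continue
        host, view, cmd = m.group("host"), m.group("view"), m.group("cmd").strip()
        ports = devices.setdefault(host, {})
        if cmd.startswith("interface "):
            name = cmd.split(None, 1)[1].upper().replace(" ", "")
            current = ports.setdefault(name, Port(name))
        elif view is None or current is None or cmd == "quit":
            current = None  # back in system view; other global commands are not audited
        elif cmd.startswith("port link-type "):
            current.link_type = cmd.split()[-1]
        elif cmd.startswith("port default vlan "):
            current.default_vlan = int(cmd.split()[-1])
        elif cmd.startswith("undo port trunk allow-pass vlan "):
            current.allowed -= expand_vlans(cmd.split("vlan", 1)[1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            current.allowed |= expand_vlans(cmd.split("vlan", 1)[1])
    return devices

def audit(devices: dict[str, dict[str, Port]], range_of_host: dict[str, tuple[int, int]]) -> list[str]:
    """Return sorted findings; an empty list means the transcript follows the design."""
    findings = []
    for host, ports in devices.items():
        lo, hi = range_of_host[host]
        for p in ports.values():
            where = f"{host} {p.name}"
            if p.link_type != "trunk":
                if not lo <= p.default_vlan <= hi:
                    findings.append(f"{where}: access VLAN {p.default_vlan} outside range {lo}-{hi}")
            elif p.allowed >= ALL_VLANS:
                findings.append(f"{where}: trunk allows all VLANs")
            else:
                if 1 in p.allowed:
                    findings.append(f"{where}: trunk still carries VLAN 1")
                outside = sorted(v for v in p.allowed if v != 1 and not lo <= v <= hi)
                if outside:
                    findings.append(f"{where}: trunk VLANs {outside} outside range {lo}-{hi}")
    return sorted(findings)

# Constructed sample: AS1 follows the design, AS2 breaks it; both are in the
# open platform area, whose service VLAN range is 200-399 (Table 5-1).
SAMPLE_TRANSCRIPT = """\
<AS1> system-view
[~AS1] interface 10ge 1/0/11
[~AS1-10GE1/0/11] port link-type trunk
[*AS1-10GE1/0/11] port trunk allow-pass vlan 200
[*AS1-10GE1/0/11] undo port trunk allow-pass vlan 1
[*AS1-10GE1/0/11] quit
<AS2> system-view
[~AS2] interface ge 1/0/1
[~AS2-GE1/0/1] port default vlan 450
[*AS2-GE1/0/1] quit
[*AS2] interface 10ge 1/0/11
[*AS2-10GE1/0/11] port link-type trunk
[*AS2-10GE1/0/11] port trunk allow-pass vlan all
[*AS2-10GE1/0/11] quit
[*AS2] interface 10ge 1/0/12
[*AS2-10GE1/0/12] port link-type trunk
[*AS2-10GE1/0/12] port trunk allow-pass vlan 200 to 205
[*AS2-10GE1/0/12] quit
"""
RANGE_OF_HOST = {"AS1": (200, 399), "AS2": (200, 399)}
```

Run `audit(parse_transcript(SAMPLE_TRANSCRIPT), RANGE_OF_HOST)` to list the three findings on AS2; AS1 produces none.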
IP Address Configuration

The IP address design for a new LAN of the branch data center should observe the following principles:

  • Use IPv4.
  • IP addresses of interconnected interfaces use a 29-bit subnet mask (255.255.255.248) to allow flexible network expansion and temporary deployment of test devices. One Class C address space offers 32 interconnected network segments of LANs.
  • Implement route summarization between the head office and branches.
  • The gateway address in a LAN uses the largest IP address on the local network segment. When VRRP or similar technologies are used, virtual addresses and actual addresses are allocated in descending order of IP address.
  • The management address (Loopback0) of a network device uses a 32-bit subnet mask (255.255.255.255), which is used as the ID of a routing protocol such as OSPF. Assign contiguous addresses on a network segment as management addresses of all network devices based on the network layers where they are located.
  • Assign IP addresses to devices in each area. Apply the IP address plan of an area to the downlink interfaces of aggregation switches in the area (including interconnection interfaces of the switches at the distribution layer) and access switches connected to the downlink interfaces. Apply the IP address plan of the core switching layer to core switches' interfaces connected to other areas. Apply the MAN/WAN IP address plan to DS switches' interfaces connected to WAN/MAN devices.

Common configuration:

<HUAWEI> system-view
[~HUAWEI] interface vlanif 201
[*HUAWEI-Vlanif201] ip address 10.1.0.1 255.255.255.0

STP Configuration

Loop prevention protocols are important on Layer 2 networks. It is recommended that STP and MSTP be used to eliminate loops.

Here, the MSTP configuration is used as an example. When service and reliability requirements are met, simplify configurations as much as possible to achieve easy deployment and maintenance.

A functional area in a data center is used as an example.

Role: DS1

  MSTP global configuration:
  1. Configure the root bridge (which also functions as the default VRRP master).
  2. Configure TC protection.
  3. Configure root protection on the port connected to the AS.
  4. Configure BPDU protection (only after edge ports are configured).

  MSTP port configuration:
  1. Disable MSTP on the ports connected to the CSs.
  2. If the DS is connected to a firewall working in routing mode, disable MSTP on the port connected to the firewall.
  3. Configure the port directly connected to a server as an edge port.

Role: DS2

  MSTP global configuration:
  1. Configure the secondary root bridge.
  2. Configure TC protection.
  3. Configure BPDU protection (only after edge ports are configured).

  MSTP port configuration:
  1. Disable MSTP on the ports connected to the CSs.
  2. If the DS is connected to a firewall working in routing mode, disable MSTP on the port connected to the firewall.
  3. Configure the port directly connected to a server as an edge port.

Role: AS

  MSTP global configuration:
  1. Configure TC protection.
  2. Configure BPDU protection.

  MSTP port configuration:
  1. Configure the port directly connected to a terminal such as a server as an edge port.

MSTP configuration points:

  1. Create MSTI 1 in MST region RG1 on DSs and ASs.
    DS1 is used as an example. The configurations of other switches are similar.
    <DS1> system-view
    [~DS1] stp region-configuration
    [~DS1-mst-region] region-name RG1
    [*DS1-mst-region] instance 1 vlan 200
    [*DS1-mst-region] quit
    [*DS1] commit
  2. Configure DS1 as the root bridge and DS2 as the secondary root bridge in MSTI 1.
    [~DS1] stp instance 1 root primary
    [*DS1] commit
    [~DS2] stp instance 1 root secondary
    [*DS2] commit
  3. Configure the DSs and ASs to use the Huawei proprietary (legacy) algorithm to calculate the path cost, and on each AS set the path cost of the port to be blocked to a value larger than the default in MSTI 1.
    [~DS1] stp pathcost-standard legacy
    [*DS1] commit
    [~DS2] stp pathcost-standard legacy
    [*DS2] commit
    [~AS1] stp pathcost-standard legacy
    [*AS1] interface 10ge 1/0/12
    [*AS1-10GE1/0/12] stp instance 1 cost 20000
    [*AS1-10GE1/0/12] quit
    [*AS1] commit
    [~AS2] stp pathcost-standard legacy
    [*AS2] interface 10ge 1/0/11
    [*AS2-10GE1/0/11] stp instance 1 cost 20000
    [*AS2-10GE1/0/11] quit
    [*AS2] commit
  4. Enable MSTP to prevent loops.
    DS1 is used as an example. The configurations of other switches are similar.
    [~DS1] stp enable
    [*DS1] commit
  5. Configure protection functions and configure the port connected to a server as an edge port.
    [~DS1] stp tc-protection
    [*DS1] interface 10ge 1/0/1
    [*DS1-10GE1/0/1] stp root-protection
    [*DS1-10GE1/0/1] quit
    [*DS1] interface 10ge 1/0/2
    [*DS1-10GE1/0/2] stp root-protection
    [*DS1-10GE1/0/2] quit
    [*DS1] commit
    [~DS2] stp tc-protection
    [*DS2] commit
    [~AS1] stp tc-protection
    [*AS1] interface ge 1/0/1
    [*AS1-GE1/0/1] stp edged-port enable
    [*AS1-GE1/0/1] quit
    [*AS1] stp bpdu-protection
    [*AS1] commit
    [~AS2] stp tc-protection
    [*AS2] interface ge 1/0/1
    [*AS2-GE1/0/1] stp edged-port enable
    [*AS2-GE1/0/1] quit
    [*AS2] stp bpdu-protection 
    [*AS2] commit
Reliability Configuration
VRRP Configuration

Generally, all hosts on a network are configured with the same default route that points to the egress gateway so that the hosts can communicate with external networks. When the egress gateway fails, the communication between the hosts and external networks is interrupted.

VRRP virtualizes multiple routing devices into one logical device and uses the IP address of the logical device as the default gateway address so that the routing devices can communicate with external networks. When the gateway fails, VRRP can select a new gateway to transmit data traffic, ensuring network reliability.

Different VLANs are created on DS1 and DS2, IP addresses are assigned to VLANIF interfaces, and VRRP is configured. Different VRRP virtual IP addresses are used as gateway addresses of server groups on ASs, and the Eth-Trunk between DS1 and DS2 allows packets from the VLANs to pass through. MSTP is deployed between ASs and DSs to eliminate loops, and the blocked point is configured on the link between the backup device and downlink switch. OSPF is configured on DSs and CSs to implement Layer 3 interworking.

VRRP configuration points:

  1. Create VRRP group 1 on DS1.
    <DS1> system-view
    [~DS1] interface vlanif 100
    [~DS1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
  2. Configure the priority of DS1 in the VRRP group.
    [*DS1-Vlanif100] vrrp vrid 1 priority 120
  3. Set the preemption delay of VRRP group 1 on DS1 to 20s.
    [*DS1-Vlanif100] vrrp vrid 1 preempt timer delay 20
  4. Set the interval for sending VRRP Advertisement packets of VRRP group 1 on DS1 to 2s.
    [*DS1-Vlanif100] vrrp vrid 1 timer advertise 2
    [*DS1-Vlanif100] commit
    [~DS1-Vlanif100] quit
  5. Create VRRP group 1 on DS2.
    <DS2> system-view
    [~DS2] interface vlanif 100
    [~DS2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
  6. Set the interval for sending VRRP Advertisement packets of VRRP group 1 on DS2 to 2s.
    [*DS2-Vlanif100] vrrp vrid 1 timer advertise 2
    [*DS2-Vlanif100] commit
    [~DS2-Vlanif100] quit
  7. To implement load balancing, configure two or more VRRP groups on an interface. The VRRP groups are differentiated using VRIDs.
    • Configure VRRP group 2 and parameters on DS1.
      [~DS1] interface vlanif 100
      [~DS1-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
      [*DS1-Vlanif100] vrrp vrid 2 timer advertise 2
      [*DS1-Vlanif100] commit
      [~DS1-Vlanif100] quit
    • Configure VRRP group 2 and parameters on DS2.
      [~DS2] interface vlanif 100
      [~DS2-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
      [*DS2-Vlanif100] vrrp vrid 2 priority 120
      [*DS2-Vlanif100] vrrp vrid 2 preempt timer delay 20
      [*DS2-Vlanif100] vrrp vrid 2 timer advertise 2
      [*DS2-Vlanif100] commit
      [~DS2-Vlanif100] quit
Smart Link Configuration

Smart Link is used in dual-homing networking to implement link redundancy.

Two uplinks constitute a backup link group. In a Smart Link group, only the master interface is active; the slave interface is inactive. When the active link fails, the Smart Link group blocks the master interface and switches the slave interface to the forwarding state.

For the tier-1 branch data center shown in the networking, each AS is dual-homed to two DSs, two uplinks (uplinks can constitute an Eth-Trunk link) join one Smart Link group, and the entire network is loop-free.

During topology calculation, ASs can use Smart Link to prevent loops without exchanging protocol packets with remote devices. The remote device needs to process Flush packets sent by an AS so that MAC address entries can be updated rapidly upon topology changes. Smart Link is a proprietary protocol. When DSs and ASs are devices of different vendors, DSs cannot update MAC address entries immediately because they cannot identify proprietary protocol packets. Servers continuously send various types of data packets, so such a problem has little impact. (There are differences between MAC address entry update mechanisms of technologies similar to Smart Link.)

Smart Link configuration points:

  1. Add two uplink interfaces to a Smart Link group.
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] stp disable
    [*HUAWEI-10GE1/0/1] commit
    [~HUAWEI-10GE1/0/1] quit
    [~HUAWEI] interface 10ge 1/0/2
    [~HUAWEI-10GE1/0/2] stp disable
    [*HUAWEI-10GE1/0/2] commit
    [~HUAWEI-10GE1/0/2] quit
    [~HUAWEI] smart-link group 1
    [*HUAWEI-smlk-group1] port 10ge 1/0/1 master
    [*HUAWEI-smlk-group1] port 10ge 1/0/2 slave
    [*HUAWEI-smlk-group1] commit
  2. Bind a protection instance to the Smart Link group.
    [~HUAWEI] smart-link group 1
    [*HUAWEI-smlk-group1] protected-vlan reference-instance 10
  3. Configure the device to send Flush packets.
    [*HUAWEI-smlk-group1] flush send control-vlan 200 password sha 123
    [*HUAWEI-smlk-group1] quit
    [*HUAWEI] commit
  4. Configure the device to receive Flush packets.
    For example, if AS1 is configured to send Flush packets, DS1 and DS2 need to be configured to receive Flush packets.
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] stp disable
    [*HUAWEI-10GE1/0/1] smart-link flush receive control-vlan 200 password sha 123
    [*HUAWEI-10GE1/0/1] commit
    [~HUAWEI-10GE1/0/1] quit
    [~HUAWEI] interface 10ge 1/0/2
    [~HUAWEI-10GE1/0/2] smart-link flush receive control-vlan 200 password sha 123
    [*HUAWEI-10GE1/0/2] commit
    [~HUAWEI-10GE1/0/2] quit
  5. To implement load balancing, create multiple VLAN instances and specify a load balancing instance.
    [~HUAWEI] stp region-configuration
    [~HUAWEI-mst-region] instance 10 vlan 201
    [*HUAWEI-mst-region] commit
    [~HUAWEI-mst-region] quit
    [~HUAWEI] smart-link group 1
    [~HUAWEI-smlk-group1] load-balance instance 10 slave
    [*HUAWEI-smlk-group1] commit
  6. Set the WTR time to be more than 60s.
    [~HUAWEI-smlk-group1] restore enable
    [*HUAWEI-smlk-group1] timer wtr 120
    [*HUAWEI-smlk-group1] commit
  7. Enable the Smart Link group.
    [~HUAWEI-smlk-group1] smart-link enable
    [*HUAWEI-smlk-group1] commit
    [*HUAWEI-smlk-group1] quit
DLDP

The Device Link Detection Protocol (DLDP) is used to detect unidirectional links. DLDP automatically shuts down or notifies the network administrator if a unidirectional link fault occurs.

If optical fibers are intersected, an optical fiber is disconnected, or one wire of a copper twisted pair or one fiber of a fiber pair is disconnected, the interface at one end of the link can receive link layer packets from the remote device, but the remote device cannot receive packets from the local device. Such a link is a unidirectional link. Its physical layer is in connected state and appears to work properly, so physical-layer detection mechanisms such as auto-negotiation cannot detect the fault. This may lead to incorrect traffic forwarding.

As shown in the two figures, a unidirectional link fault may be caused by intersected fibers or disconnection of an optical fiber.

DLDP can work in normal or enhanced mode:

  • Normal mode: DLDP can identify only unidirectional links caused by intersected fibers.
  • Enhanced mode: DLDP can identify unidirectional links caused by intersected fibers or disconnection of an optical fiber. By default, DLDP works in enhanced mode.

Default values of DLDP parameters:

| Parameter                                                             | Default Value |
|-----------------------------------------------------------------------|---------------|
| DLDP status                                                           | Disabled      |
| DLDP working mode                                                     | Enhanced      |
| Shutdown mode of an interface after a unidirectional link is detected | Automatic     |

The following DLDP configurations are recommended when DLDP needs to be enabled on the interconnected interfaces between devices.

  1. Enable DLDP globally.
    <HUAWEI> system-view
    [~HUAWEI] dldp enable
    [*HUAWEI] commit
  2. Enable DLDP on an interface.
    [~HUAWEI] interface 10ge 1/0/1
    [~HUAWEI-10GE1/0/1] dldp enable
    [*HUAWEI-10GE1/0/1] commit
Routing Configuration

The following figure shows routing design for a tier 1 branch data center.

Data center design consists of LAN design and MAN&WAN design.

Entire Routing Design

The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2 branches and uses OSPF as an IGP within itself.

In the LAN, the core area and other areas use OSPF to provide service routes, except that the extranet uses static routes between the DS and AR.

EBGP

The tier 1 branch is planned as an independent autonomous system (AS) and uses a private AS number.

IBGP

The WAN area of the tier 1 branch runs IBGP. OSPF 300 ensures connectivity for IBGP between the WN_DSs and WN_ARs in the WAN area.

Three OSPF processes are designed on the network: OSPF 300, OSPF 400, and OSPF 500.

OSPF 300

OSPF 300 ensures IBGP connectivity between the WN_DSs and WN_ARs in the WAN area. Links between the devices in the WAN area belong to Area 0.

OSPF 400

OSPF 400 ensures that there are reachable routes between the MAN/WAN area of the tier 1 branch and intra-city organizations. Interconnected links belong to Area 0.

OSPF 500

OSPF 500 ensures that there are reachable routes between the LAN area of the branch and the WN_DSs. Interconnected links belong to Area 0, which carries the services of the tier 1 branch.

Static route

The EP_AR in the extranet and external FW, external FW and internal FW, as well as internal FW and EP_DS use static routes to communicate.

Routing Protocol Preference/Distance Design

Preferences of routing protocols to be used on all network devices are planned to ensure consistent route selection between routing protocols on devices of different vendors.

| Protocol              | Preference |
|-----------------------|------------|
| Static route          | 5          |
| OSPF                  | 10         |
| IBGP                  | 170        |
| EBGP                  | 170        |
| OSPF ASE              | 190        |
| Floating static route | 200        |

LAN Routing Configuration
Routing Design and Basic Function Configuration
Figure 5-3 LAN routing design diagram

In the data center LAN shown in the figure, ASs are access devices and LAN_DSs are aggregation devices in the LAN. Gateways are configured on the aggregation devices, and VRRP is configured on the downlink interfaces of the LAN_DSs to ensure reliability. CSs are core forwarding devices, and WAN_DSs are aggregation devices in the MAN/WAN area that connect the LAN core devices to the network egress routers.

This example uses OSPF to ensure intra-area connectivity.

OSPF Area Partition

The entire network uses OSPF process 500. Only a small number of devices in the LAN run OSPF; therefore, OSPF 500 uses only the backbone area, Area 0. The following interfaces and IP addresses need to be advertised in OSPF process 500:

  • Virtual IP address of the VRRP group on downlink interfaces of LAN_DSs
  • Interconnected interfaces between LAN_DSs and CSs, and between WAN_DSs and CSs
  • Loopback interface whose IP address will be used as a router ID (This interface does not need to participate in OSPF calculation and so is configured as a silent interface.)

OSPF Router ID Design

In each OSPF process, a router must have a unique router ID to identify itself. By default, the largest loopback interface IP address is used as the router ID. To ensure a stable OSPF router ID, specify the IP address of Loopback 0 as a router ID when configuring an OSPF process.

Basic OSPF Function Configuration

Here, LAN_DS_01 is used as an example:

<LAN_DS_01> system-view
[~LAN_DS_01] interface loopback 0
[*LAN_DS_01-LoopBack0] ip address 172.16.1.1 32
[*LAN_DS_01-LoopBack0] quit
[*LAN_DS_01] ospf 500 router-id 172.16.1.1
[*LAN_DS_01-ospf-500] silent-interface loopback 0
[*LAN_DS_01-ospf-500] area 0
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] commit

Here, CS_01 is used as an example:

<CS_01> system-view
[~CS_01] interface loopback 0
[*CS_01-LoopBack0] ip address 172.16.1.2 32
[*CS_01-LoopBack0] quit
[*CS_01] ospf 500 router-id 172.16.1.2
[*CS_01-ospf-500] silent-interface loopback 0
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.6.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] commit
Routing Protocol Performance, Reliability, and Security Design and Configuration

Here, CS_01 is used as an example. The configurations of other devices are similar to that of CS_01.

OSPF Interface Network Type Design

By default, the network type of OSPF interfaces on an Ethernet network is broadcast. In this example, every two OSPF neighbors are interconnected. To speed up OSPF neighbor relationship establishment and route convergence, you can set the network type of non-silent OSPF interfaces to point-to-point.

<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf network-type p2p

OSPF Timer Design

Unless special requirements need to be met, default OSPF timer values are recommended. This example uses default values of all OSPF timers. If you need to modify timer parameter values, ensure that neighbors use the same OSPF timer parameter values.

For example, you can use the following commands to modify the interval for sending Hello packets to 20s:

<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf timer hello 20

OSPF Metric Design

By default, the metric value of an OSPF interface is automatically calculated using the formula: Reference bandwidth/Interface bandwidth. The reference bandwidth can be modified and defaults to 100 Mbps.

In this example, to facilitate maintenance and management, you can manually configure and design the metric value of each link without using the preceding formula.

Table 5-2 OSPF metric design

| No. | Link                                            | Metric                  |
|-----|-------------------------------------------------|-------------------------|
| 1   | East-to-west links between CSs, and between DSs | 100                     |
| 2   | South-to-north links between CSs and DSs        | 100                     |
| 3   | DS service interfaces                           | 1000                    |
| 4   | CS/DS loopback interfaces                       | 0 (no need to configure) |

To set the metric of the link between CSs to 100, use the following commands:

<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf cost 100

BFD for OSPF

In BFD for OSPF, a BFD session is associated with OSPF. The BFD session quickly detects a link fault and then notifies OSPF of the fault. This speeds up OSPF's response to the change of the network topology.

A dynamic BFD session established between all non-silent OSPF interfaces and neighbors can implement millisecond-level detection of faults on the links between OSPF neighbors and associate fast OSPF neighbor status switching to trigger route convergence calculation. The link faults include physical link faults and upper-layer forwarding faults.

All BFD sessions use the following parameters.

Table 5-3 BFD for OSPF parameter design

| Parameter         | Parameter Description                                                        | Recommended Value |
|-------------------|------------------------------------------------------------------------------|-------------------|
| min-rx-interval   | Specifies the minimum interval at which BFD packets are received from the peer end. | 1000 ms     |
| min-tx-interval   | Specifies the minimum interval for sending BFD packets to the peer end.      | 1000 ms           |
| detect-multiplier | Specifies the local detection multiplier.                                    | 3                 |

<CS_01> system-view
[~CS_01] bfd
[*CS_01-bfd] quit
[*CS_01] ospf 500
[*CS_01-ospf-500] bfd all-interfaces enable
[*CS_01-ospf-500] bfd all-interfaces min-tx-interval 1000 min-rx-interval 1000 detect-multiplier 3

OSPF Smart Timer Design

In an unstable network, routes may be calculated frequently, which consumes a large amount of CPU resources. In addition, LSAs that describe the unstable topology are generated and advertised frequently, and processing them repeatedly affects network stability. The OSPF smart timer controls route calculation, LSA generation, and LSA receiving to speed up network convergence.

The OSPF smart timer speeds up network convergence in the following ways:

  • In a network where routes are frequently calculated, the OSPF smart timer dynamically adjusts the route calculation interval according to the user configuration and exponential backoff. This reduces the number of route calculations and therefore the CPU resources consumed; routes are calculated after the network topology becomes stable.
  • In an unstable network where a router frequently generates or receives LSAs because of topology changes, the OSPF smart timer dynamically adjusts the intervals for generating and receiving LSAs. No LSA is generated or processed within an interval, which prevents invalid LSAs from being generated and advertised across the entire network.

OSPF smart timer uses the following parameters.

Table 5-4 OSPF smart timer design

| Smart Timer            | Description                                    | Recommended Value |
|------------------------|------------------------------------------------|-------------------|
| spf-schedule-interval  | Specifies the interval for calculating OSPF routes. | The default value is recommended. That is, the maximum interval for SPF calculation is 10000 ms, the initial interval is 500 ms, and the base interval is 1000 ms. |
| lsa-arrival-interval   | Specifies the interval for receiving LSAs.     | The default value is recommended. That is, the maximum interval for receiving LSAs is 1000 ms, the initial interval is 500 ms, and the base interval is 500 ms. |
| lsa-originate-interval | Specifies the interval for updating LSAs.      | The default value is recommended. That is, the maximum interval for updating LSAs is 5000 ms, the initial interval is 500 ms, and the base interval is 1000 ms. |

<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] lsa-arrival-interval intelligent-timer 1000 500 500
[*CS_01-ospf-500] lsa-originate-interval intelligent-timer 5000 500 1000
[*CS_01-ospf-500] spf-schedule-interval intelligent-timer 10000 500 1000
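To see how the three intelligent timers above actually pace a flapping network, the following added example (not from this document or the switch software) models the interval growth with the values from Table 5-4. The model is an assumption: first trigger waits the start interval, the second the hold interval, each further trigger doubles the wait until the maximum caps it; the reset to the start interval after the network has been stable is not modelled.

```python
"""Model the interval growth of an OSPF intelligent timer.
Added example, not from the original document. The growth is modelled as the
exponential backoff the text describes: the first interval is the start interval,
the second is the hold interval, and each further interval doubles until the
maximum interval caps it. The reset to the start interval once the network has
been stable is not modelled; treat the model as an assumption to be checked
against the platform documentation. Values are taken from Table 5-4."""
from __future__ import annotations


def intelligent_timer_intervals(max_ms: int, start_ms: int, hold_ms: int, events: int) -> list[int]:
    """Interval (ms) applied before each of `events` back-to-back triggers."""
    if not (0 < start_ms <= max_ms and 0 < hold_ms <= max_ms):
        raise ValueError("start and hold intervals must be positive and not exceed max")
    intervals = []
    for n in range(events):
        interval = start_ms if n == 0 else hold_ms * 2 ** (n - 1)
        intervals.append(min(interval, max_ms))
    return intervals


def total_wait_ms(max_ms: int, start_ms: int, hold_ms: int, events: int) -> int:
    """Total time spent holding back across `events` consecutive topology changes."""
    return sum(intelligent_timer_intervals(max_ms, start_ms, hold_ms, events))


# (max-interval, start-interval, hold-interval) as configured above, from Table 5-4.
SPF_TIMER = (10000, 500, 1000)
LSA_ARRIVAL_TIMER = (1000, 500, 500)
LSA_ORIGINATE_TIMER = (5000, 500, 1000)
```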

OSPF Route Authentication

To prevent unauthorized devices from accessing the OSPF network and obtaining routing information, configure OSPF authentication. In this example, OSPF area authentication is configured with MD5 as the authentication mode; the authentication password is not shown here and can be specified according to your requirements.

<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] authentication-mode md5 1 cipher xxxxxxxx

Extranet Routing Configuration
Figure 5-4 Extranet routing design diagram

The extranet connects the data center to other service areas. Because fine-grained control is required for access rights, the extranet uses the in-line firewall connection for networking.

In routing design, the extranet uses static specific routes and static default routes and is separated from the LAN in routes. The following provides key configuration of each device.

Aggregation Switches (EP_DSs) in the Extranet

Aggregation switches (EP_DSs) in the extranet use OSPF to communicate with CSs of the LAN and need to have static specific routes to all extranet service network segments configured on downlink interfaces. The next-hop address of the routes is the uplink VRRP virtual address of firewalls (EP_FWs). For details about the configuration of OSPF 500 and VRRP, see the LAN Routing Configuration. The following provides only the static specific route configuration of EP_DS_01. The configuration of EP_DS_02 is the same as that of EP_DS_01.

<EP_DS_01> system-view
[~EP_DS_01] ip route-static 172.16.1.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.2.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.3.0 24 10.3.1.1

Firewall (EP_FW)

EP_FWs communicate with uplink devices using static default routes with the next-hop address as the downlink VRRP virtual address of EP_DS. EP_FWs have static specific routes to all extranet service network segments configured on downlink interfaces. The next-hop address of the routes is the uplink VRRP virtual address of access devices (EP_ASs) in the extranet. The following provides only the static route configuration of EP_FW_01. The configuration of EP_FW_02 is the same as that of EP_FW_01.

<EP_FW_01> system-view
[~EP_FW_01] ip route-static 172.16.1.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.2.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.3.0 24 10.1.1.1
[*EP_FW_01] ip route-static 0.0.0.0 0 10.4.1.1

Access Devices (EP_ASs) in the Extranet

EP_ASs communicate with uplink devices using static default routes with the next-hop address as the downlink VRRP virtual address of EP_FW. EP_ASs have static specific routes to all extranet service network segments configured on downlink interfaces. The next-hop address of the routes is the IP address of the interface on the directly connected peer device. The following provides the static route configuration of EP_AS_01, in which x.x.x.x indicates the IP address of the interface on the directly connected peer device.

<EP_AS_01> system-view
[~EP_AS_01] ip route-static 172.16.1.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.2.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.3.0 24 x.x.x.x
[*EP_AS_01] ip route-static 0.0.0.0 0 10.2.1.1
MAN/WAN Routing Configuration

The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2 branches.

Security
ACL-based Antivirus Configuration

To prevent viruses with Layer 3 and Layer 4 characteristics, it is recommended that you configure ACLs on network devices to filter data flows, improving network security. The recommended antivirus configuration is as follows:

[*HUAWEI] acl number 3000
[*HUAWEI-acl4-advance-3000] rule 0 deny tcp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 1 deny udp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 2 deny tcp destination-port eq 135
[*HUAWEI-acl4-advance-3000] rule 3 deny tcp destination-port eq 136
[*HUAWEI-acl4-advance-3000] rule 4 deny tcp destination-port eq 137
[*HUAWEI-acl4-advance-3000] rule 5 deny tcp destination-port eq 138
[*HUAWEI-acl4-advance-3000] rule 6 deny tcp destination-port eq 139
[*HUAWEI-acl4-advance-3000] rule 7 deny udp destination-port eq 135
[*HUAWEI-acl4-advance-3000] rule 8 deny udp destination-port eq 136
[*HUAWEI-acl4-advance-3000] rule 9 deny udp destination-port eq netbios-ns
[*HUAWEI-acl4-advance-3000] rule 10 deny udp destination-port eq netbios-dgm
[*HUAWEI-acl4-advance-3000] rule 11 deny udp destination-port eq netbios-ssn
[*HUAWEI-acl4-advance-3000] rule 12 deny udp destination-port eq 1434
[*HUAWEI-acl4-advance-3000] rule 13 deny udp destination-port eq 6667
[*HUAWEI-acl4-advance-3000] rule 14 deny udp destination-port eq 7626
[*HUAWEI-acl4-advance-3000] rule 15 deny udp destination-port eq 6789
[*HUAWEI-acl4-advance-3000] rule 16 deny udp destination-port eq 5800
[*HUAWEI-acl4-advance-3000] rule 17 deny udp destination-port eq 5900
[*HUAWEI-acl4-advance-3000] rule 18 deny tcp destination-port eq 5900
[*HUAWEI-acl4-advance-3000] rule 19 deny tcp destination-port eq 5800
[*HUAWEI-acl4-advance-3000] rule 20 deny tcp destination-port eq 1999
[*HUAWEI-acl4-advance-3000] rule 21 deny tcp destination-port eq 5554
[*HUAWEI-acl4-advance-3000] rule 22 deny tcp destination-port eq 9995
[*HUAWEI-acl4-advance-3000] rule 23 deny tcp destination-port eq 9996
[*HUAWEI-acl4-advance-3000] rule 24 deny udp destination-port eq 12345
[*HUAWEI-acl4-advance-3000] rule 25 deny udp destination-port eq 1057
[*HUAWEI-acl4-advance-3000] rule 26 deny udp destination-port eq 2616
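Before applying an ACL like the one above to a production interface, it is worth checking offline which flows it actually catches and which fall through to the implicit action. The following added example (not from this document or the switch software) parses a subset of the ACL 3000 rule lines in the prompt form shown above, resolves the NetBIOS service names, and evaluates sample flows with first-match semantics in ascending rule-ID order; a flow that matches no rule returns None because its treatment depends on where the ACL is applied. The rule subset and the sample flows are constructed.

```python
"""Evaluate the antivirus ACL above against sample flows.
Added example, not from the original document. It parses ACL 3000 rule lines in
the prompt-style form shown above, resolves the NetBIOS service names to ports,
and applies first-match semantics in ascending rule-ID order. A flow matching no
rule yields None: its fate then depends on where the ACL is applied, so the
caller must decide. The rule subset and sample flows are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Service names accepted by 'destination-port eq' that appear in the ACL above.
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)"
    r"(?:\s+destination-port\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    proto: str
    dst_port: Optional[int]  # None: any destination port


def parse_acl(transcript: str) -> list[Rule]:
    """Parse 'rule ...' lines, dropping any '[prompt]' prefix; sort by rule ID."""
    rules = []
    for line in transcript.splitlines():
        m = RULE_RE.match(line.split("]", 1)[-1].strip())
        if m is None:
            continue
        port = m.group("port")
        dst = None if port is None else SERVICE_PORTS.get(port) or int(port)
        rules.append(Rule(int(m.group("id")), m.group("action"), m.group("proto"), dst))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: list[Rule], proto: str, dst_port: int) -> Optional[Rule]:
    """Return the first rule that matches the flow, or None if no rule does."""
    for r in rules:
        if r.proto == proto and r.dst_port in (None, dst_port):
            return r
    return None


def unblocked(rules: list[Rule], flows: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Flows for which no deny rule matches (they fall through to the implicit action)."""
    return [f for f in flows if (hit := evaluate(rules, *f)) is None or hit.action != "deny"]


# Constructed subset of the ACL 3000 rules listed above.
ACL_TRANSCRIPT = """\
[*HUAWEI] acl number 3000
[*HUAWEI-acl4-advance-3000] rule 0 deny tcp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 1 deny udp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 2 deny tcp destination-port eq 135
[*HUAWEI-acl4-advance-3000] rule 6 deny tcp destination-port eq 139
[*HUAWEI-acl4-advance-3000] rule 9 deny udp destination-port eq netbios-ns
[*HUAWEI-acl4-advance-3000] rule 11 deny udp destination-port eq netbios-ssn
[*HUAWEI-acl4-advance-3000] rule 17 deny udp destination-port eq 5900
[*HUAWEI-acl4-advance-3000] rule 18 deny tcp destination-port eq 5900
"""
ACL_RULES = parse_acl(ACL_TRANSCRIPT)

# Constructed flows: SMB, NetBIOS name service, NetBIOS session over TCP and
# UDP, plus HTTPS and DNS, which the antivirus ACL is not meant to touch.
SAMPLE_FLOWS = [("tcp", 445), ("udp", 137), ("tcp", 139), ("udp", 139), ("tcp", 443), ("udp", 53)]
```

`unblocked(ACL_RULES, SAMPLE_FLOWS)` returns only the HTTPS and DNS flows, confirming that the NetBIOS session port is covered on both transports (rule 6 by number, rule 11 by service name).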
Broadcast Storm Suppression Configuration

A broadcast storm will greatly affect the network. The broadcast storm suppression function reduces the impact on a network.

Broadcast storm suppression (including its antivirus effect) works better when it is configured on network devices closer to users. Therefore, configure it on the downstream interfaces of aggregation switches and on all interfaces of access switches.

When the average packet rate exceeds 5000 kbit/s, the devices discard excess packets.

Run the following commands on the downstream interfaces of aggregation switches, interconnected interfaces between aggregation switches, and upstream interfaces of access switches:

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression broadcast cir 5000
MAC Address Flapping Detection

MAC address flapping means that the same MAC address is learned on two interfaces in the same VLAN, with the entry learned later replacing the earlier one. Frequent flapping usually indicates a Layer 2 loop or a host spoofing another host's MAC address.

MAC address flapping detection lets the device check whether MAC address flapping has occurred. When flapping is detected, the device reports an alarm to the NMS so that maintenance personnel can locate the fault.

Common configuration:

<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection
MAC Address Triggered ARP Entry Update

For Layer 3 forwarding, a device looks up the ARP table and forwards packets according to the matching entry. When the logical location of a user terminal changes (for example, an active/standby switchover occurs between the network adapters of a server), the interface through which the IP address is reachable also changes.

The outbound interface in the MAC address table is updated as soon as a frame from the new location is received, whereas the outbound interface in the ARP table is updated only after the ARP entry ages out. During that interval the two tables disagree: the MAC address table already points to the new interface while the ARP table still points to the old one, so Layer 3 traffic to the server keeps being sent to the old interface.

To resolve this problem, enable MAC address triggered ARP entry update, so that the outbound interface in the ARP table is updated immediately when the outbound interface in the MAC address table changes.

Common configuration:

<HUAWEI> system-view
[~HUAWEI] mac-address update arp enable
Loopback Detection on a Single Interface

STP cannot detect a loop that exists behind a single interface (for example, a cable or downstream device that returns the switch's own frames to the same port). Enable loopback detection on such interfaces so that the device detects the loop and acts on the interface.

Run the following commands on the downstream interface of an access switch:

<HUAWEI> system-view
[~HUAWEI] interface ge 1/0/1
[~HUAWEI-GE1/0/1] loopback-detect enable
ARP Attack Defense Configuration
  • Configure ARP rate limiting.

If a host floods a network device with ARP packets, or with IP packets whose destination IP addresses cannot be resolved (each of which forces the device to generate an ARP request), the device CPU is heavily loaded and legitimate ARP learning is delayed. ARP rate limiting caps the number of ARP packets the device processes per second and discards the excess.

Configure ARP rate limiting in the system view (applies to the whole device):

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit 200
Configure ARP rate limiting in the VLAN view (applies only to ARP packets received in that VLAN):
<HUAWEI> system-view
[~HUAWEI] vlan 201
[*HUAWEI-vlan201] arp anti-attack rate-limit 200
  • Configure ARP rate limiting based on source IP addresses.

    Considering the special requirements of some users, you can configure a different ARP rate limit for these users.

NOTE:

By default, the source IP address-based ARP rate limit is 30 pps. When the gateway requests MAC addresses of many users on the network segment and the rate of ARP packets from the gateway IP address exceeds 30 pps, you must increase the source IP address-based ARP rate limit; otherwise, the ARP packets exceeding 30 pps will be discarded, causing a long delay on the gateway to learn ARP entries. If an ARP scanning attack occurs, reduce the source IP address-based ARP rate limit.

Configure ARP rate limiting for any source IP address.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip maximum 100

Configure rate limit for the ARP packets from 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip 10.1.1.1 maximum 100

When both limits are configured, the limit bound to a specific source IP address takes precedence: ARP packets whose source IP address matches the specified address are limited to the rate configured for that address, and all other ARP packets are limited to the rate configured for any source IP address.

  • Configure ARP Miss rate limiting based on source IP addresses.

    Considering the special requirements of some users, you can configure a different ARP Miss rate limit for these users.

    NOTE:

    By default, the source IP address-based ARP Miss rate limit is 30 pps. If a source IP address needs to frequently trigger ARP Miss messages of which the rate will exceed 30 pps, increase the source IP address-based ARP Miss rate limit. Otherwise, excessive ARP Miss messages from this source IP address will be discarded within 5 seconds after the rate limit is exceeded. As a result, this source IP address cannot trigger ARP learning.

    Configure ARP Miss rate limiting for any source IP address.

    <HUAWEI> system-view
    [~HUAWEI] arp miss anti-attack rate-limit source-ip maximum 60

    Configure rate limiting for the ARP Miss messages from a specified IP address.

    <HUAWEI> system-view
    [~HUAWEI] arp miss anti-attack rate-limit source-ip 10.0.0.1 maximum 60

    When both limits are configured, the limit bound to a specific source IP address takes precedence: ARP Miss messages triggered by IP packets whose source IP address matches the specified address are limited to the rate configured for that address, and ARP Miss messages from all other source IP addresses are limited to the rate configured for any source IP address.

  • Configure strict ARP learning.

    Strict ARP learning allows a device to learn ARP entries only from ARP Reply packets that answer ARP Request packets the device sent itself, so forged, unsolicited ARP packets cannot create or overwrite entries on the gateway.

    Configure strict ARP learning globally.
    <HUAWEI> system-view
    [~HUAWEI] arp learning strict
    Configure strict ARP learning on an interface. The force-enable keyword enables strict learning on the interface regardless of the global setting.
    <HUAWEI> system-view
    [~HUAWEI] interface vlanif 201
    [~HUAWEI-Vlanif201] arp learning strict force-enable
  • Configure ARP anti-spoofing.

    To defend against ARP spoofing, enable ARP entry fixing. In fixed-mac mode, the device discards an ARP packet whose MAC address differs from the MAC address in the existing entry but still allows the interface and VLAN of the entry to be updated, so it suits servers whose active/standby adapters keep the same MAC address. If the MAC address of a host legitimately changes, the old entry must age out or be cleared before the new one can be learned.

    <HUAWEI> system-view
    [~HUAWEI] arp anti-attack entry-check fixed-mac enable
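The hardening items from the Broadcast Storm Suppression, MAC Address Flapping Detection, MAC Address Triggered ARP Entry Update, Loopback Detection and ARP Attack Defense sections are easy to drop from one switch in a large branch. The following script is an added example, not from this document or from Huawei: it audits the text of a CloudEngine running configuration (the output of display current-configuration, in which sub-commands of a section are indented and sections end with a line containing only "#") and reports which expected commands are missing globally and on the server-facing interfaces. The sample configuration, the list of server-facing ports and the 5000 kbit/s threshold are assumptions for this example.

```python
"""Audit a CloudEngine running configuration for the Layer 2 and ARP
hardening items described in the sections above.

Added example, not from the original document or from Huawei. It reads the
text of `display current-configuration` (sub-commands of a section are
indented by one space, sections end with a line containing only '#'),
then reports which expected commands are missing globally and on the
server-facing interfaces. The sample configuration below is constructed.
"""
import re

# Global commands every switch in the design is expected to carry.
REQUIRED_GLOBAL = (
    "mac-address flapping detection",
    "mac-address update arp enable",
    "arp learning strict",
    "arp anti-attack entry-check fixed-mac enable",
)
# Interface commands expected on every server-facing (downstream) port.
LOOPBACK_DETECT = "loopback-detect enable"
STORM_CIR = re.compile(r"storm suppression broadcast cir (\d+)")


def parse_vrp_config(text):
    """Split a VRP configuration into top-level commands and per-interface
    sub-commands. Sub-commands of non-interface sections (vlan, ospf, ...)
    are not returned, so a VLAN-level limit is never mistaken for a global one."""
    top_level, interfaces, current_if = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current_if = None
            continue
        if line.startswith(" "):            # sub-command of the current section
            if current_if is not None:
                interfaces[current_if].append(line.strip())
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current_if = m.group(1)
            interfaces[current_if] = []
        else:
            current_if = None
            top_level.append(line)
    return top_level, interfaces


def audit(config_text, downstream_ifaces, max_broadcast_cir=5000):
    """Return a list of findings; an empty list means the config matches the design."""
    top_level, interfaces = parse_vrp_config(config_text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in top_level:
            findings.append(f"global: missing '{cmd}'")
    if not any(re.match(r"arp anti-attack rate-limit \d+", c) for c in top_level):
        findings.append("global: missing 'arp anti-attack rate-limit <pps>'")
    for name in sorted(downstream_ifaces):
        cmds = interfaces.get(name)
        if cmds is None:
            findings.append(f"{name}: interface not present in configuration")
            continue
        if LOOPBACK_DETECT not in cmds:
            findings.append(f"{name}: missing '{LOOPBACK_DETECT}'")
        cir = None
        for c in cmds:
            m = STORM_CIR.match(c)
            if m:
                cir = int(m.group(1))
        if cir is None:
            findings.append(f"{name}: missing 'storm suppression broadcast cir'")
        elif cir > max_broadcast_cir:
            findings.append(f"{name}: broadcast cir {cir} kbit/s exceeds {max_broadcast_cir}")
    return findings


# Constructed sample: one compliant server port, one non-compliant port,
# and two of the required global commands missing.
SAMPLE_CONFIG = """\
#
sysname AS1
#
mac-address flapping detection
#
arp anti-attack rate-limit 200
arp learning strict
#
vlan 201
 arp anti-attack rate-limit 100
#
interface 10GE1/0/1
 description to-server-01
 storm suppression broadcast cir 5000
 loopback-detect enable
#
interface 10GE1/0/2
 description to-server-02
 storm suppression broadcast cir 20000
#
interface Eth-Trunk1
 description uplink-to-DS
#
return
"""
DOWNSTREAM_PORTS = {"10GE1/0/1", "10GE1/0/2"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, DOWNSTREAM_PORTS):
        print(finding)
```

On the sample configuration the audit reports the two missing global commands and, for 10GE1/0/2, the missing loopback detection and the broadcast CIR that exceeds the design value; 10GE1/0/1 produces no finding. The VLAN-level rate limit under vlan 201 is deliberately ignored by the parser so that it cannot satisfy the check for the global limit.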
Firewall Configuration

Firewalls are attached in bypass mode (off the forwarding path, hanging off the aggregation switches) in the open platform area, the development and testing area, the operation and management area, and at the area egress, to control access between the local area and the other functional areas.

VRF instances are created at the aggregation layer to separate service network routes from public network routes, so that traffic between the two can only pass through the firewalls. The firewalls work in hot standby mode for high reliability.

Different VLANs are created on DS1 and DS2, IP addresses are assigned to the VLANIF interfaces, and VRRP is configured. The VRRP virtual IP addresses serve as the gateway addresses of the server groups attached to the ASs, and the Eth-Trunk between DS1 and DS2 allows packets from these VLANs to pass through. MSTP is deployed between the ASs and DSs to eliminate loops, and OSPF runs between the DSs and CSs for Layer 3 interworking.

VRF-A is created on each DS; the service VLANIF interfaces and the VLANIF interface connected to the firewall downlink are bound to VRF-A, and the default route of VRF-A points to the downlink VRRP virtual IP address of the firewalls. In the public routing table, static routes to the service network segments are configured on the DSs with the uplink VRRP virtual IP address of the firewalls as the next hop, so that return traffic also passes through the firewalls.

Static routes are configured between the firewalls and DSs. The firewalls run the Huawei Redundancy Protocol (HRP) and carry security policies based on application requirements.

  1. Create VLAN 200, VLAN 300, and VLAN 400 on DS1. Create VLANIF 200, VLANIF 300, and VLANIF 400. Configure 10GE1/0/1 and Eth-Trunk 1 to allow packets from VLAN 200 to pass through, Eth-Trunk 3 to allow packets from VLAN 300 to pass through, and Eth-Trunk 2 to allow packets from VLAN 400 to pass through.
  2. Configure MSTP and VRRP on DS1 and DS2, and configure DS1 as the VRRP master.
  3. Create VRF-A on DS1, and bind VLANIF 200 (service segment) and VLANIF 300 (connected to the downlink interface of the firewall) to VRF-A. The default route of VRF-A points to the downlink VRRP virtual IP address of the firewalls.
    NOTE:

    When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.

    [~HUAWEI] ip vpn-instance VRF-A
    [*HUAWEI-vpn-instance-VRF-A] ipv4-family
    [*HUAWEI-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
    [*HUAWEI-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
    [*HUAWEI-vpn-instance-VRF-A-af-ipv4] quit
    [*HUAWEI-vpn-instance-VRF-A] quit
    [*HUAWEI] interface vlanif 200
    [*HUAWEI-Vlanif200] ip binding vpn-instance VRF-A
    [*HUAWEI-Vlanif200] ip address 10.10.1.1 24
    [*HUAWEI-Vlanif200] quit
    [*HUAWEI] interface vlanif 300
    [*HUAWEI-Vlanif300] ip binding vpn-instance VRF-A
    [*HUAWEI-Vlanif300] ip address 10.10.2.1 24
    [*HUAWEI-Vlanif300] quit
    [*HUAWEI] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
    [*HUAWEI] commit
  4. Configure a static route from DS1 to the service network segment. The next hop address is the uplink VRRP virtual IP address of firewalls. Run OSPF between DS1 and CS and import the static route to OSPF.
    [~HUAWEI] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
    [*HUAWEI] ospf 100
    [*HUAWEI-ospf-100] area 0
    [*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
    [*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255
    [*HUAWEI-ospf-100-area-0.0.0.0] quit
    [*HUAWEI-ospf-100] import-route static
    [*HUAWEI-ospf-100] quit
    [*HUAWEI] commit
  5. Perform basic configurations including the device name, interface, and IP address on firewalls. The configurations are not provided here.
  6. Configure zones on FW1.
    [FW1] firewall zone trust
    [FW1-zone-trust] add interface eth-trunk 3
    [FW1-zone-trust] quit
    [FW1] firewall zone untrust
    [FW1-zone-untrust] add interface eth-trunk 2
    [FW1-zone-untrust] quit
    [FW1] firewall zone dmz
    [FW1-zone-dmz] add interface eth-trunk 1
    [FW1-zone-dmz] quit
  7. Configure zones on FW2.
    [FW2] firewall zone trust
    [FW2-zone-trust] add interface eth-trunk 3
    [FW2-zone-trust] quit
    [FW2] firewall zone untrust
    [FW2-zone-untrust] add interface eth-trunk 2
    [FW2-zone-untrust] quit
    [FW2] firewall zone dmz
    [FW2-zone-dmz] add interface eth-trunk 1
    [FW2-zone-dmz] quit
  8. Configure static routes on FW1. For traffic from the internal network to the external network, the next hop of the default route is the IP address of VLANIF 400 on the DS (10.10.3.1 in this example), the VLANIF that connects to the uplink interface of the firewall. For traffic from the external network to the internal network, the next hop of the route to the service segment is the IP address of VLANIF 300 on the DS (10.10.2.1, configured in step 3), which connects to the downlink interface of the firewall.
    [FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
    [FW1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
  9. Configure a static route on FW2.
    [FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      
    [FW2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1  
  10. Configure HRP on FW1.
    [FW1] interface eth-trunk 3
    [FW1-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 master
    [FW1-Eth-Trunk3] quit
    [FW1] interface eth-trunk 2
    [FW1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 master
    [FW1-Eth-Trunk2] quit
    [FW1] hrp interface eth-trunk 1 remote 10.1.1.2
    [FW1] firewall packet-filter default permit interzone local dmz
    [FW1] hrp enable
  11. Configure HRP on FW2.
    [FW2] interface eth-trunk 3
    [FW2-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
    [FW2-Eth-Trunk3] quit
    [FW2] interface eth-trunk 2
    [FW2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
    [FW2-Eth-Trunk2] quit
    [FW2] hrp interface eth-trunk 1 remote 10.1.1.1
    [FW2] firewall packet-filter default permit interzone local dmz
    [FW2] hrp enable
    NOTE:

    After the HRP configuration is complete, the configuration and session table of the active device are synchronized to the standby device; therefore, the following configurations need to be performed only on the active firewall FW1.

    The firewall packet-filter default permit interzone local dmz command allows the HRP heartbeat and synchronization traffic between the firewall itself (the local zone) and Eth-Trunk 1, which has been added to the dmz zone. Because it permits all traffic between these two zones by default, Eth-Trunk 1 must remain a dedicated link between FW1 and FW2 and must not carry server traffic.

  12. Configure the security policy and intrusion prevention system (IPS).
    NOTE:

    Before configuring IPS, ensure that the IPS signature database is up to date.

    This example applies the default IPS profile, named default, to the permit rules. Only permitted traffic is inspected by IPS; traffic that matches no permit rule is dropped by the default deny action of the interzone policy.

    HRP_M[FW1] policy interzone trust untrust outbound
    HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 1
    HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24
    HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] action permit
    HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] profile ips default
    HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] quit
    HRP_M[FW1-policy-interzone-trust-untrust-outbound] quit
    HRP_M[FW1] policy interzone trust untrust inbound
    HRP_M[FW1-policy-interzone-trust-untrust-inbound] policy 1
    HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24
    HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
    HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] action permit
    HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] profile ips default
    HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] quit
    HRP_M[FW1-policy-interzone-trust-untrust-inbound] quit
    HRP_M[FW1] ips enable
  13. Configure attack defense.
    NOTE:

    The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.

    HRP_M[FW1] firewall defend syn-flood enable
    HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
    HRP_M[FW1] firewall defend udp-flood enable
    HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
    HRP_M[FW1] firewall defend icmp-flood enable
    HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
    HRP_M[FW1] firewall blacklist enable
    HRP_M[FW1] firewall defend ip-sweep enable
    HRP_M[FW1] firewall defend ip-sweep max-rate 4000
    HRP_M[FW1] firewall defend port-scan enable
    HRP_M[FW1] firewall defend port-scan max-rate 4000
    HRP_M[FW1] firewall defend ip-fragment enable
    HRP_M[FW1] firewall defend ip-spoofing enable
  14. Configure ASPF. FTP, whose data connection uses a dynamically negotiated port, is used as an example. If other multi-channel applications run on the internal network, enable ASPF for them as well.
    HRP_M[FW1] firewall interzone trust untrust
    HRP_M[FW1-interzone-trust-untrust] detect ftp
    HRP_M[FW1-interzone-trust-untrust] quit
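The interzone policy in step 12 is small, but its intent (servers in 10.10.1.0/24 may reach the outside, only FTP and HTTP may reach them from the outside, everything else is denied) should be checked before it is committed to a production firewall. The following script is an added example, not the firewall's own code: it parses the policy in the plain-text form of the firewall configuration (prompts removed), resolves the policy direction with the zone-priority convention (outbound means from the higher-priority zone to the lower one), and evaluates test flows with first-match semantics and an implicit deny. The zone priorities, the service-set port mapping, the ssh and dns service names and the test flows are assumptions made for this example.

```python
"""Check the intended reachability of the interzone security policy from
step 12 before it is committed.

Added example, not the firewall's own code. The zone priorities, the
service-set port mapping and the test flows are assumptions.
"""
import ipaddress

# Assumed default zone priorities of a Huawei USG firewall.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# Assumed mapping of predefined service sets to (protocol, destination port).
SERVICE_SETS = {"ftp": ("tcp", 21), "http": ("tcp", 80),
                "ssh": ("tcp", 22), "dns": ("udp", 53)}

# The policy from step 12 as it appears in the configuration file (constructed).
POLICY_CONFIG = """\
policy interzone trust untrust outbound
 policy 1
  policy source 10.10.1.0 mask 24
  action permit
policy interzone trust untrust inbound
 policy 1
  policy destination 10.10.1.0 mask 24
  policy service service-set ftp http
  action permit
"""


def parse_policy(text):
    """Return {(src_zone, dst_zone): [rule, ...]} with rules in configured order.

    A rule without a source, destination or service condition matches any
    value for that field, exactly as an unconstrained policy does on the box."""
    rules, pair, rule = {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["policy", "interzone"]:
            z1, z2, direction = tok[2], tok[3], tok[4]
            hi, lo = sorted((z1, z2), key=lambda z: ZONE_PRIORITY[z], reverse=True)
            pair = (hi, lo) if direction == "outbound" else (lo, hi)
            rules.setdefault(pair, [])
        elif tok[0] == "policy" and len(tok) == 2 and tok[1].isdigit():
            rule = {"id": int(tok[1]), "source": [], "destination": [],
                    "service": [], "action": "deny"}
            rules[pair].append(rule)
        elif tok[:2] in (["policy", "source"], ["policy", "destination"]):
            # "policy source 10.10.1.0 mask 24": prefix length or dotted mask
            rule[tok[1]].append(ipaddress.ip_network(f"{tok[2]}/{tok[4]}", strict=False))
        elif tok[:3] == ["policy", "service", "service-set"]:
            rule["service"].extend(tok[3:])
        elif tok[0] == "action":
            rule["action"] = tok[1]
    return rules


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, proto, dport):
    """Return (action, rule_id) for a flow. The first matching rule decides;
    a flow with no match, or with no policy for its zone pair, is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules.get((src_zone, dst_zone), []):
        if rule["source"] and not any(src in net for net in rule["source"]):
            continue
        if rule["destination"] and not any(dst in net for net in rule["destination"]):
            continue
        if rule["service"] and (proto, dport) not in {SERVICE_SETS[s] for s in rule["service"]}:
            continue
        return rule["action"], rule["id"]
    return "deny", None


# Constructed test flows together with the result the design intends.
EXPECTED = [
    (("trust", "untrust", "10.10.1.10", "203.0.113.5", "tcp", 443), "permit"),  # servers reach out
    (("trust", "untrust", "10.10.2.10", "203.0.113.5", "tcp", 443), "deny"),    # not a service segment
    (("untrust", "trust", "203.0.113.5", "10.10.1.10", "tcp", 80), "permit"),   # published HTTP
    (("untrust", "trust", "203.0.113.5", "10.10.1.10", "tcp", 22), "deny"),     # SSH is not published
    (("untrust", "trust", "203.0.113.5", "10.10.2.1", "tcp", 80), "deny"),      # DS interface address
    (("dmz", "trust", "10.1.1.2", "10.10.1.10", "tcp", 80), "deny"),            # no policy for this pair
]


def verify_intent(rules=None):
    """Return the flows whose result differs from the design intent."""
    rules = parse_policy(POLICY_CONFIG) if rules is None else rules
    return [flow for flow, want in EXPECTED if evaluate(rules, *flow)[0] != want]


if __name__ == "__main__":
    print("mismatches:", verify_intent())
```

With the policy as written, every test flow matches the intent. Dropping the policy service line from the inbound rule, which is an easy mistake when the rule is later edited, makes the SSH flow pass, and verify_intent then reports it; running such a check against each proposed policy change keeps the implicit deny from being silently widened.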
Updated: 2019-04-03

Document ID: EDOC1000039339