S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Example for Configuring a Service Chain to Guide Data Flow Forwarding (on Modular Switches)

Service Chain

On a typical campus network, value-added service devices such as firewalls, antivirus expert systems, and application security gateways are often deployed at the edge of important service departments, the demilitarized zone (DMZ), the campus egress, and the data center. Deploying an independent value-added service device in each network zone has the following disadvantages:
  • Higher investment, because many value-added service devices need to be deployed.

  • Wasted resources, because the value-added service devices are not fully used.

  • Complex deployment and maintenance, because a different service processing policy must be configured on each value-added service device.

To address the preceding issues, Huawei offers the service chain solution. As shown in Figure 18-1, the service chain solution includes the policy controller, core switches, and security resource pool. Core switches classify service traffic and then redirect the traffic to different value-added service devices. In the security resource pool, you can deploy one device that has multiple value-added service capabilities or multiple devices that have independent value-added service capabilities. The service chain solution allows value-added service devices to be concentrated in a physical zone. In this solution, you do not need to deploy an independent value-added service device for each network, reducing device costs and improving device utilization. On the campus network, the policy controller controls which service traffic needs to be processed by value-added service devices, improving deployment and maintenance efficiency.

Figure 18-1  Service chain solution on a campus network

Configuration Notes

  • SA series cards (except the ET1D2X12SSA0 card) do not support the service chain function.

  • X series cards support advanced ACLs (3000 to 3999) and UCLs (6000 to 9999) for service flows, while other series cards support only advanced ACLs (3000 to 3999) for service flows.

  • Currently, the service chain solution supports three types of value-added service devices: firewall, antivirus expert system, and application security gateway.

  • The following table lists the applicable products and versions.

    Table 18-1  Products and minimum version supporting service chain

    Switch Version             | Agile Controller-Campus Version | Switch Model
    V200R006C00, V200R007C00   | V100R001                        | S12700
    V200R008C00, V200R009C00   | V100R002C00, V100R002C10        | S12700
    V200R010C00                | V100R002C10, V100R003C00        | S12700
    V200R011C10                | V100R003C30                     | S12700
    V200R012C00                | V100R003C50                     | S12700
    V200R013C00                | V100R003C60                     | S12700

Networking Requirements

As shown in Figure 18-2, an FTP server in the equipment room of company M stores important data of the R&D department. To secure this FTP server and prevent key data from being leaked through attacks, the administrator wants to achieve the following through service orchestration:

  • R&D employees can access the FTP server, but marketing employees cannot.

  • Data flows generated when R&D employees access the FTP server must be processed by the firewall for security detection.

  • If the firewall fails, R&D employees cannot access the FTP server.

Figure 18-2  Networking of company M

Data Plan

Table 18-2  IP address planning for users and resources

Users and Resources | IP Address
R&D employee A      | 10.85.100.11
R&D employee B      | 10.85.100.12
R&D employee C      | 10.85.100.13
R&D employee D      | 10.85.100.14
R&D employee E      | 10.85.100.15
FTP server          | 10.85.10.2
Controller          | 10.85.10.3
SwitchA             | 10.85.10.5
NGFW                | 10.85.10.6

Table 18-3  Service flow planning

No. | Protocol | Source IP/Mask Length | Source Port | Destination IP/Mask Length | Destination Port
1   | TCP      | 10.85.100.11/32       | 22          | 10.85.10.2/32              | 21
2   | TCP      | 10.85.100.12/32       | 22          | 10.85.10.2/32              | 21
3   | TCP      | 10.85.100.13/32       | 22          | 10.85.10.2/32              | 21
4   | TCP      | 10.85.100.14/32       | 22          | 10.85.10.2/32              | 21
5   | TCP      | 10.85.100.15/32       | 22          | 10.85.10.2/32              | 21

Table 18-4  Device parameter planning

Device

Configuration

Switch

Interface directly connected to the firewall
  • Interface name: GigabitEthernet 1/0/1
  • VLAN: Vlan100
  • IP address: 10.85.10.5/24
Loopback 100
  • IP address: 10.7.2.1/32
Loopback 101
  • IP address: 10.7.2.2/32

Extensible Messaging and Presence Protocol (XMPP) connection password: Admin@123

Firewall

Interface directly connected to the switch
  • Interface name: GigabitEthernet 1/0/1
  • Security zone: trust
  • IP address: 10.85.10.6/24
Loopback 100
  • IP address: 10.6.2.1/32
Loopback 101
  • IP address: 10.6.2.2/32

XMPP connection password: Admin@123

RADIUS shared key: Radius@123

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic parameters on the switch and firewall.
    • Configure XMPP parameters to add the switch and firewall on the Controller.
    • Configure IP addresses and static routes for interfaces so that network devices can communicate with each other.
      NOTE:
      Ensure that loopback interface numbers of the switch and firewall are larger than those of other devices. In this example, loopback interfaces 100 and 101 are used.
  2. Add the switch and firewall to the Controller using XMPP.

  3. Configure service flows on the Controller and allow only R&D employees to access the FTP server using ACL rules.

  4. Configure an IP address pool and service chain resources on the Controller to establish a GRE tunnel between the switch and firewall.
    NOTE:
    The IP address pool cannot contain IP addresses that are being used on the network.
  5. Orchestrate and deploy a service chain on the Controller to redirect FTP server access traffic so that the traffic first passes through the firewall and then is forwarded to the FTP server.

Procedure

  1. Configure basic parameters on the switch, including IP addresses of interfaces, static routes, and XMPP connection parameters.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 100 
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type trunk
    [SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface vlanif 100
    [SwitchA-Vlanif100] ip address 10.85.10.5 24
    [SwitchA-Vlanif100] quit
    [SwitchA] interface LoopBack 100
    [SwitchA-LoopBack100] ip address 10.7.2.1 255.255.255.255
    [SwitchA-LoopBack100] quit
    [SwitchA] interface LoopBack 101
    [SwitchA-LoopBack101] ip address 10.7.2.2 255.255.255.255
    [SwitchA-LoopBack101] quit
    [SwitchA] ip route-static 10.6.2.1 255.255.255.255 10.85.10.6
    [SwitchA] ip route-static 10.6.2.2 255.255.255.255 10.85.10.6
    [SwitchA] group-policy controller 10.85.10.3 password Admin@123 src-ip 10.85.10.5
    

  2. Configure basic parameters on the firewall, including IP addresses of interfaces, static routes, and XMPP connection parameters.
    1. Configure IP addresses and security zones for interfaces to complete the basic network parameter configuration.

      1. Choose Network > Interface List.
      2. Click of GE1/0/1 and configure parameters.

        Security Zone

        trust

        IPv4

        IP address

        10.85.10.6/24

    2. Configure the RADIUS server.

      1. Choose Object > Authentication Server > RADIUS. Click Add and configure parameters.

        The configured parameters must be the same as the parameters of the RADIUS server. The shared key is Radius@123.

      2. Click OK.

    3. Enable the agile network function of the firewall.

      1. Choose System > Agile Network Configuration.
      2. Select Enable following Agile Network Function.
      3. Configure parameters for connection with the Controller. The status following Controller Active Server IP Address displays Connected, indicating that the firewall has connected to the Controller.
        NOTE:
        In a service orchestration scenario, because a firewall needs to have the content security testing function configured, select Manually configured for Security Policy Configuration.

    4. Configure two loopback interfaces on the firewall.

      NOTE:
      You need to log in to the CLI console to complete the configuration.
      1. Click in the lower-right part.
      2. Click in the CLI Console (Disconnected) dialog box to connect to the CLI console.
      3. After the connection is successful, configure the following commands.
        <sysname> system-view
        [sysname] sysname NGFW
        [NGFW] interface LoopBack 100
        [NGFW-LoopBack100] ip address 10.6.2.1 255.255.255.255
        [NGFW-LoopBack100] quit
        [NGFW] interface LoopBack 101
        [NGFW-LoopBack101] ip address 10.6.2.2 255.255.255.255
        [NGFW-LoopBack101] quit
        [NGFW] ip route-static 10.7.2.1 255.255.255.255 10.85.10.5
        [NGFW] ip route-static 10.7.2.2 255.255.255.255 10.85.10.5
        

  3. Add the switch and firewall on the Controller.
    1. Choose Resource > Device > Device Management from the main menu.
    2. Click Add.
    3. Configure parameters for the device to be added.

      Figure 18-3 and Figure 18-4 show how to configure parameters for the switch and firewall to be added.

      Set Password to the configured communication password Admin@123.

      Figure 18-3  Parameter settings on the switch

      Figure 18-4  Parameter settings on the firewall to be added

  4. Configure service flows.
    1. Choose Policy > Service Chain Orchestration > Service Flow Defining from the main menu.
    2. Click Add.
    3. Set service flow parameters.

      Set service flow parameters as shown in Figure 18-5.

      Figure 18-5  Service flow parameter settings

  5. Configure an IP address pool.
    1. Choose Policy > Service Chain Orchestration > IP Address Pool from the main menu.
    2. Click Add.
    3. Set the name to 10.10.192.0, IP address to 10.10.192.0, and mask length to 24.

      Figure 18-6  IP address pool parameter settings

    4. Click OK.
  6. Configure service chain resources.
    1. Choose Policy > Service Chain Orchestration > Service Chain Resource from the main menu.
    2. Click Add.
    3. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
    4. Select NGFW in the left Service Device area and drag NGFW to the right Firewall node.
    5. Select 10.10.192.0 in the left IP Address Pool area.

      Figure 18-7  Service chain resource parameter settings

    6. Click Save. In the dialog box that is displayed, click OK.
  7. Orchestrate and deploy a service chain.
    1. Choose Policy > Service Chain Orchestration > Service Chain Orchestration from the main menu.
    2. Click Add.
    3. Select User_to_Datacenter in the left Service Flow area and drag User_to_Datacenter to the right Service Flow node.
    4. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
    5. Drag NGFW to the upper firewall node.
    6. Select Block in the left Chain Exception Handling Mode area.

      Figure 18-8  Service orchestration parameter settings

    7. Click Save. In the dialog box that is displayed, click OK.
  8. Verify the configuration.

    # Check whether the tunnel between the switch and firewall is established on the Controller.

    Figure 18-9 shows tunnel information after service chain resources are delivered.

    Figure 18-9  Tunnel deployment results

    # Run the display acl all command on the switch. The command output shows that service flow rules are delivered successfully.

    [SwitchA] display acl all
     Total nonempty ACL number is 1 
    Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
    Acl's step is 5
     rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.1
    0.2 0 destination-port eq 21 (match-counter 0)
     rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.
    10.2 0 destination-port eq 21 (match-counter 0)
     rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.
    10.2 0 destination-port eq 21 (match-counter 0)
     rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.
    10.2 0 destination-port eq 21 (match-counter 0)
     rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.
    10.2 0 destination-port eq 21 (match-counter 0)
    

    # Run the display current-configuration | include traffic-redirect command on the switch. The command output shows that the service orchestration configurations are delivered successfully.

    [SwitchA] display current-configuration | include traffic-redirect
    traffic-redirect inbound acl name S_ACL_20140401153202_B3E0 3998 interface Tunnel16370 
    [SwitchA] interface Tunnel 16370
    [SwitchA-Tunnel16370] display this
    #
    interface Tunnel16370
     description Controller_S_from_10.6.2.1
     ip address 10.10.192.5 255.255.255.0
     tunnel-protocol gre
     keepalive period 1
     source 10.7.2.1
     destination 10.6.2.1
     traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
    #
    return
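The checks a practitioner would script after the verification step, written here as an added example rather than anything from Huawei's documentation or the Agile Controller: it rejoins the console-wrapped display acl all output, converts the wildcards to prefix lengths, and compares the delivered permit rules with the flows planned in Table 18-3; it also confirms that the IP address pool from step 5 overlaps nothing in Tables 18-2 and 18-4 (the NOTE in the roadmap) and that the delivered GRE tunnel uses the planned loopbacks, an address from the pool, a keepalive (how a failed firewall is noticed, which the Block exception mode relies on) and the inbound traffic filter. The device output is a constructed sample modelled on the output above, and every function name is an assumption of this example.

```python
"""Added example, not Huawei's code: cross-check what the Controller delivered
to SwitchA (step 8) against the data plan in Tables 18-2 to 18-4 and the
IP-address-pool rule in the roadmap. All device output is a constructed sample
modelled on the page's verification step; nothing is read from a live device."""
import ipaddress
import re

# Table 18-3: (protocol, source network, source port, destination network, destination port)
PLANNED_FLOWS = {("tcp", f"10.85.100.{h}/32", 22, "10.85.10.2/32", 21) for h in range(11, 16)}
# Prefixes already in use (Tables 18-2 and 18-4); the service chain pool must not overlap them.
IN_USE = ["10.85.100.0/24", "10.85.10.0/24", "10.7.2.1", "10.7.2.2", "10.6.2.1", "10.6.2.2"]
POOL = "10.10.192.0/24"         # pool created in step 5
SWITCH_LOOPBACK = "10.7.2.1"    # SwitchA LoopBack100 (Table 18-4)
FIREWALL_LOOPBACK = "10.6.2.1"  # NGFW LoopBack100 (Table 18-4)

# Constructed sample of `display acl all`, kept in the wrapped form an 80-column
# console emits: each rule spills onto a second line that the parser must rejoin.
ACL_OUTPUT = """\
 Total nonempty ACL number is 1
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
 rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.1
0.2 0 destination-port eq 21 (match-counter 0)
 rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
"""
# Constructed sample of `display this` under the delivered tunnel interface.
TUNNEL_OUTPUT = """\
interface Tunnel16370
 description Controller_S_from_10.6.2.1
 ip address 10.10.192.5 255.255.255.0
 tunnel-protocol gre
 keepalive period 1
 source 10.7.2.1
 destination 10.6.2.1
 traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
"""
RULE_RE = re.compile(
    r"rule \d+ (permit|deny) (\w+) source (\S+) (\S+) source-port eq (\d+) "
    r"destination (\S+) (\S+) destination-port eq (\d+)")
LINE_STARTS = ("rule ", "Total", "Advanced", "Basic", "Acl's")

def rejoin_wrapped(output):
    """Glue console-wrapped continuation lines back onto the record they belong to."""
    lines = []
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if lines and not raw.lstrip().startswith(LINE_STARTS):
            lines[-1] += raw  # the console broke mid-token, so no separator is inserted
        else:
            lines.append(raw)
    return lines

def wildcard_to_network(addr, wildcard):
    """Convert a Huawei wildcard (printed as '0' for an exact host) into CIDR text."""
    if "." not in wildcard:
        wildcard = "0.0.0.0"
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # only contiguous low-order ones map to a prefix length
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.IPv4Network(f"{addr}/{32 - bin(wc).count('1')}", strict=False))

def parse_acl_rules(output):
    """Return {(proto, src, sport, dst, dport): action} from `display acl all` output."""
    rules = {}
    for line in rejoin_wrapped(output):
        m = RULE_RE.search(line)
        if m:
            action, proto, src, src_wc, sport, dst, dst_wc, dport = m.groups()
            rules[(proto, wildcard_to_network(src, src_wc), int(sport),
                   wildcard_to_network(dst, dst_wc), int(dport))] = action
    return rules

def check_delivered_flows(output, planned=PLANNED_FLOWS):
    """Planned flows with no permit rule, and permit rules the plan never asked for."""
    delivered = {k for k, action in parse_acl_rules(output).items() if action == "permit"}
    return {"missing": planned - delivered, "unexpected": delivered - planned}

def pool_conflicts(pool=POOL, in_use=IN_USE):
    """In-use prefixes the pool overlaps; must be empty per the roadmap NOTE."""
    net = ipaddress.ip_network(pool)
    return [p for p in in_use if ipaddress.ip_network(p, strict=False).overlaps(net)]

def check_tunnel(output, pool=POOL, src=SWITCH_LOOPBACK, dst=FIREWALL_LOOPBACK):
    """List the ways the delivered tunnel deviates from the plan; empty means it matches."""
    cfg = {}
    for parts in (line.split() for line in output.splitlines()):
        if len(parts) >= 2 and parts[0] != "interface":
            cfg[parts[0]] = parts[1:]          # e.g. cfg["ip"] == ["address", addr, mask]
    addr = (cfg.get("ip") or ["address", "0.0.0.0"])[1]
    checks = [
        (cfg.get("tunnel-protocol") == ["gre"], "tunnel protocol is not GRE"),
        (cfg.get("source") == [src], "tunnel source is not the switch loopback"),
        (cfg.get("destination") == [dst], "tunnel destination is not the firewall loopback"),
        ("keepalive" in cfg, "no keepalive, so a failed firewall would go unnoticed"),
        (ipaddress.ip_address(addr) in ipaddress.ip_network(pool),
         "tunnel address is not taken from the service chain pool"),
        (cfg.get("traffic-filter", [""])[0] == "inbound", "no inbound traffic-filter on the tunnel"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    print("pool conflicts:", pool_conflicts())
    print("flow check:", check_delivered_flows(ACL_OUTPUT))
    print("tunnel problems:", check_tunnel(TUNNEL_OUTPUT))
```

On the real switch the two outputs would be captured from the CLI session and passed to the same functions; the rejoin step matters because a rule split by the console would otherwise be silently dropped by the regex and show up as a missing flow.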

Configuration Files

  • Configuration file of SwitchA
    #
    sysname SwitchA
    #
    vlan batch 100
    #
    group-policy controller 10.85.10.3 password %#%#FG9.7h,|j$2'c2$LRG%N#lBU;3_^;AVo,7)"f%^M%#%# src-ip 10.85.10.5
    #
    interface Vlanif100
     ip address 10.85.10.5 255.255.255.0
    #
    interface LoopBack100
     ip address 10.7.2.1 255.255.255.255
    #
    interface LoopBack101
     ip address 10.7.2.2 255.255.255.255
    #
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    return
    
Updated: 2019-05-16

Document ID: EDOC1000069466