S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
AS Service Configuration

AS Service Configuration Method and Roadmap

Configuration Method

In an SVF system, two AS service configuration modes are available: centralized mode and independent mode. The two modes cannot be used on the same AS.

In centralized mode, all service configurations for ASs are performed on the parent. Therefore, the services that can be configured on an AS depend on the services that can be configured on the parent, not on the services supported by a standalone access switch.
Table 5-8  Configurations in centralized mode

  • Global configuration: Configure service functions in the uni-mng view of the parent (except that authentication-free rules need to be configured in the system view), and then run the commit as { name as-name | all } command to deliver AS service configurations. Only a few configurations can be delivered in this way.
  • Profile-based configuration: Create service profiles and the required device and port groups on the parent, bind the service profiles to the device and port groups, and then run the commit as { name as-name | all } command to deliver AS service configurations. If multiple ASs or ports in an SVF system need the same configurations, add these ASs or ports to the same group and configure them in a batch, which improves configuration efficiency.
  • Direct configuration: Run the direct-command command on the parent to deliver configurations directly to an AS. These configurations take effect on the AS immediately.

In independent mode, you log in to an AS and configure services on it using commands. After the configuration is complete, run the upload config command to save the configuration file on the AS and upload it to the parent. The independent mode supports more service configurations than the centralized mode. When services cannot be configured in a batch on the parent for an AS, log in to the AS to configure them. After an AS is switched from centralized mode to independent mode, all service configurations delivered through profiles or direct commands before the mode switch are retained.

Configuration Roadmap
  1. Determine the services to be configured for an AS.
  2. Determine the configuration method based on SVF Service Deployment Limitations. For example, you need to configure SNMP on an AS. According to "Service Configuration Supported on an AS", you determine that SNMP can be configured only in independent mode.
  3. Configure services based on the configuration method. Figure 5-22 illustrates the process of delivering configurations from the parent to AS ports using service profiles.
    Figure 5-22  Process of delivering configurations from the parent to AS ports using service profiles
    The configuration delivery process has the following phases:
    1. Create port groups and add AS ports into port groups. Each port group is a set of ports, which are connected to users with the same service characteristics.
    2. Create service profiles. Each service profile is a set of services to be delivered.
    3. Bind service profiles to port groups.
    4. Commit the configurations on the parent so that services can be automatically delivered to ASs.
    When configuring services for ASs through port groups, you only need to focus on user ports on ASs. Whether services of fabric ports need to be manually configured depends on networking scenarios:
    • When the parent is directly connected to ASs, service configurations of fabric ports on the parent and ASs will be automatically generated according to service configurations of user ports.
    • When the parent is connected to ASs across an intermediate network, you need to configure services for the fabric port of the parent.

AS Access User Network Partitioning Configuration

During access user network partitioning, you need to add user ports to VLANs.

In a campus network, you can classify users by department and configure the same services for users of the same type. AS ports are directly connected to users, so you can add the AS ports connected to the same type of users to one port group. This simplifies port configuration and greatly reduces the configuration workload. When configuring a port group, pay attention to the following:

  • When configuring port groups, ensure that the port groups meet the specifications listed in Table 5-9.

    Table 5-9  Port group specifications

    • Port group directly connected to users
      Maximum number of port groups supported by an SVF system: 256
      Restrictions on AS ports and port groups:
        • V200R009 and earlier versions: Ports on an AS can be added to a maximum of six directly connected user port groups.
        • V200R010 and later versions: Ports on an AS can be added to a maximum of sixteen directly connected user port groups.
    • Port group directly connected to APs
      Maximum number of port groups supported by an SVF system: 1
      Restrictions on AS ports and port groups: Ports on an AS can be added to a maximum of one AP connected port group.

  • In V200R009 and earlier versions, user ports on each AS can have a maximum of 1 default VLAN, 1 voice VLAN, and 16 allowed VLANs. In V200R010 and later versions, user ports on each AS can have a maximum of 1 default VLAN, 1 voice VLAN, and 32 allowed VLANs.
  • In versions earlier than V200R011C10, user ports on an AS cannot be configured as Eth-Trunk member ports. In V200R011C10 or later versions, user ports on an AS can be configured as Eth-Trunk member ports.
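A pre-commit check of a port-group and VLAN plan against the limits listed above (Table 5-9 and the two version notes), added here as an example and not part of the Huawei documentation. The plan layout (group dicts with `kind` set to `user` or `ap`, per-AS VLAN lists), the version strings and the sample plan are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

def parse_version(version):
    """'V200R011C10' -> (11, 10); a missing Cxx part counts as C00."""
    m = re.fullmatch(r"V\d+R(\d+)(?:C(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return int(m.group(1)), int(m.group(2) or 0)

def limits(version):
    """Version-dependent limits stated in the partitioning section (Table 5-9 and the notes after it)."""
    r, c = parse_version(version)
    return {"user_groups_per_port": 6 if r <= 9 else 16,   # V200R009 and earlier: 6; V200R010 and later: 16
            "allowed_vlans_per_as": 16 if r <= 9 else 32,  # V200R009 and earlier: 16; V200R010 and later: 32
            "eth_trunk_members": (r, c) >= (11, 10)}       # AS user ports may join an Eth-Trunk from V200R011C10

def check_plan(version, port_groups, as_vlans, trunk_member_ports=()):
    """port_groups: [{"name", "kind": "user"|"ap", "ports": [(as_name, ifname), ...]}];
    as_vlans: {as_name: {"default": [...], "voice": [...], "allowed": [...]}}. Returns violation strings."""
    lim, errors = limits(version), []
    kinds = Counter(g["kind"] for g in port_groups)
    if kinds["user"] > 256:   # Table 5-9: at most 256 user port groups per SVF system
        errors.append(f"{kinds['user']} user port groups exceed the system limit of 256")
    if kinds["ap"] > 1:       # Table 5-9: at most 1 AP port group per SVF system
        errors.append(f"{kinds['ap']} AP port groups exceed the system limit of 1")
    per_port = defaultdict(Counter)  # (as_name, ifname) -> number of user/AP groups the port belongs to
    for g in port_groups:
        for port in g["ports"]:
            per_port[port][g["kind"]] += 1
    for (as_name, ifname), c in sorted(per_port.items()):
        if c["user"] > lim["user_groups_per_port"]:
            errors.append(f"{as_name} {ifname}: in {c['user']} user port groups, limit {lim['user_groups_per_port']}")
        if c["ap"] > 1:
            errors.append(f"{as_name} {ifname}: in {c['ap']} AP port groups, limit 1")
    for as_name, vlans in sorted(as_vlans.items()):
        for key, cap in (("default", 1), ("voice", 1), ("allowed", lim["allowed_vlans_per_as"])):
            n = len(set(vlans.get(key, ())))
            if n > cap:
                errors.append(f"{as_name}: {n} {key} VLANs on user ports, limit {cap}")
    if trunk_member_ports and not lim["eth_trunk_members"]:
        errors.append(f"{version}: AS user ports cannot be Eth-Trunk member ports before V200R011C10")
    return errors

# Constructed plan (not from a real deployment): one AS port in seven user port groups plus
# 20 allowed VLANs, which fits V200R010 and later but breaks two V200R009 limits.
PLAN_GROUPS = [{"name": f"grp{i}", "kind": "user", "ports": [("AS1", "GigabitEthernet0/0/1")]} for i in range(7)]
PLAN_GROUPS.append({"name": "ap-grp", "kind": "ap", "ports": [("AS1", "GigabitEthernet0/0/2")]})
PLAN_VLANS = {"AS1": {"default": [10], "voice": [100], "allowed": list(range(200, 220))}}
```

Run `check_plan(version, PLAN_GROUPS, PLAN_VLANS)` with the parent's version string before committing; an empty list means the plan stays within the limits for that version.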

AS Access User Authentication Configuration

NOTE:

If access users do not need to be authenticated, skip this section.

In the SVF system shown in Figure 5-23, the parent functions as the access control authentication point for all users, so the authentication server needs to be configured only once, on the parent, which simplifies deployment. The access control enforcement points for all users are deployed on ASs. To ensure security, users who fail authentication cannot access the network through the ASs.

Figure 5-23  Access control authentication point and enforcement points

An SVF system supports three access user authentication modes: MAC, 802.1X, and Portal. Table 5-10 lists the characteristics and application scenarios of the three authentication modes.

Table 5-10  Characteristics and application scenarios of authentication modes

  • MAC
    Characteristics:
      • No client software needs to be installed.
      • Users do not need to enter user names and passwords when logging in to the network.
      • MAC addresses of all users need to be configured, complicating the configurations.
    Applicable scenario: Dumb terminals, such as printers and fax machines, need to connect to the network.
  • 802.1X
    Characteristics:
      • The 802.1X client software needs to be installed.
      • Easy-to-remember user names can be configured.
      • Users need to enter user names and passwords when logging in to the network.
    Applicable scenario: The network is newly built, users are densely distributed, and high information security is required.
  • Portal
    Characteristics:
      • No client software needs to be installed.
      • Easy-to-remember user names can be configured.
      • Users need to enter user names and passwords when logging in to the network.
    Applicable scenario: Users are sparsely distributed or move freely.

An SVF system supports only one combination of authentication modes. The combination can contain one or more of MAC, 802.1X, and Portal authentication modes according to scenario requirements.

  • Wired access terminal authentication scenario
    1. Wired access terminal authentication mode
      Table 5-11  Recommended authentication modes in a wired access terminal authentication scenario

      • Campus office network
        Scenario characteristics:
          • The network is closed, users seldom change their locations, and high security is required.
          • Locations of some laptops may change. For example, these laptops are moved from offices to meeting rooms or moved between departments.
          • A few dumb terminals such as printers exist.
        Typical terminals: Laptops and printers
        Recommended authentication mode: 802.1X
        Remarks:
          • Configure dumb terminals such as printers as static users on the parent.
          • Configure 802.1X authentication on all AS ports to which access terminals are connected.
          • Use centralized forwarding of user traffic and UCL to implement inter-departmental user isolation.
      • Educational institution
        Scenario characteristics:
          • The network is closed, and terminals are densely distributed.
          • Locations of wired terminals seldom change, and communication between local users generally does not need to be restricted.
        Typical terminals: Laptops
        Recommended authentication mode: Portal
        Remarks: If terminals need to be isolated, use centralized forwarding. Otherwise, use distributed forwarding to improve forwarding efficiency.

    2. Precautions for configuring wired access terminal authentication

      1. It is not recommended to configure a combination of MAC and 802.1X (or Portal) authentication. If such a combination is configured, concurrent access performance is reduced for terminals requiring 802.1X authentication, because the system first performs MAC authentication on these terminals.
      2. When Portal authentication is configured, the built-in Portal server is not supported.
      3. Terminals cannot send DHCPv6 and neighbor discovery (ND) packets to trigger authentication.
      4. When authentication-free rules are configured on the parent, the parent delivers the authentication-free rules within the specified range to all ASs. For example, the parent can deliver authentication-free rules 0 to 127 to ASs of the S5320EI or S5720EI model and 0 to 31 to ASs of other switch models. Authentication-free rules delivered to ASs do not carry interface information.
      5. In an SVF system, network access rights can be authorized through authentication-free rules but not a UCL group before users pass NAC authentication.
    3. Precautions for authorizing wired access terminals
      • In an SVF system running a version earlier than V200R011C10, authorization VLANs cannot be assigned to wired users. In an SVF system running V200R011C10 or later, authorization VLANs can be assigned to wired users.
  • Wireless access terminal authentication scenario
    1. Wireless access terminal authentication mode
      Table 5-12  Recommended authentication modes in a wireless access terminal authentication scenario

      • Campus Bring Your Own Device (BYOD) network
        Scenario characteristics:
          • The network is closed, users seldom change their locations, and high security is required.
          • Many users roam simultaneously.
        Typical terminals: Laptops, PADs, and mobile phones
        Recommended authentication mode: 802.1X
        Remarks:
          • When a large number of users roam simultaneously, non-roaming users will not be disconnected, but roaming users may be disconnected.
          • Roaming users will not be disconnected when a few users roam simultaneously.
          • Use tunnel forwarding.
      • Educational institution
        Scenario characteristics:
          • The network is closed, and terminals are densely distributed.
          • Many users roam simultaneously.
        Typical terminals: Laptops
        Recommended authentication mode: MAC+Portal
        Remarks:
          • When a large number of users roam simultaneously, non-roaming users will not be disconnected, but roaming users may be disconnected.
          • Use tunnel forwarding.
    2. Precautions for configuring wireless access terminal authentication

      You are advised to configure tunnel forwarding.

AS Security Configuration

Common Attack Scenarios in the Campus Network

Security configurations protect an SVF system against various attacks. Common attacks in a campus network target the control plane and the forwarding plane. Table 5-13 lists the attack types and their impacts on the campus network.

Table 5-13  Attack types and scenarios

  • Attack on the control plane
    • ARP attack with fixed source MAC address; ARP attack with fixed source IP address
      Impact: The CPU usage of the parent becomes high, and traffic of some users is interrupted.
    • ARP attack from bogus gateways
      Impact: A large number of gateway collision alarms will be generated on the parent.
    • ARP spoofing gateway attack
      Impact: Users cannot access the network.
    • ARP flooding attack
      Impact: Users cannot learn ARP entries and even cannot access the network.
    • Bogus DHCP server attack
      Impact: Users cannot obtain expected IP addresses.
    • DHCP flooding attack
      Impact: When terminals are not authenticated, users cannot obtain IP addresses.
  • Attack on the forwarding plane
    • ARP Miss attack with fixed source IP address
      Impact: The parent has high CPU usage and cannot learn ARP entries.
    • IP packet attack with the device IP address as destination IP address
      Impact: The CPU usage of the parent becomes high. Packet loss occurs or traffic forwarding is interrupted when the parent pings the gateway. The parent responds slowly during a Telnet login to the parent. Unicast IP packets of protocols such as BGP and LDP cannot be processed in a timely manner, preventing these protocols from working normally.
    • DDoS attack
      Impact: Uplink ports are congested, and user traffic is interrupted.

Attack Defense Methods and Recommendations

In an SVF system, ASs are connected to terminals, and AS ports are directly connected to terminals. By default, some device security measures have been deployed in an SVF system. For example, packet rate limiting has been configured in the inbound or outbound direction of AS ports. You can also run commands to perform security configurations on the ports to which terminals are connected.

Table 5-14 lists attack defense methods and recommendations.

Table 5-14  Attack defense methods and recommendations

The defense method depends on the attack subtype, on whether terminals need to be authenticated, and on whether terminals use wired or wireless access:

  • Attack on the control plane
    • ARP attack with fixed source MAC address; ARP attack with fixed source IP address
      • Terminals need to be authenticated, wired access: Automatic defense against ARP packet attacks is supported.
      • Terminals need to be authenticated, wireless access: Configure attack defense policies on APs.
      • Terminals do not need to be authenticated, wired access: Configure ARP packet rate limiting on AS ports.
      • Terminals do not need to be authenticated, wireless access: Configure attack defense policies on APs.
    • ARP attack from bogus gateways
      • All scenarios: Configure the ARP gateway anti-collision function on the parent.
    • ARP spoofing gateway attack
      • All scenarios: Set the forwarding mode to centralized forwarding.
    • ARP flooding attack
      • All scenarios: The ARP anti-flooding function is automatically enabled in the outbound direction of ASs, so an ARP flooding attack affects only the attacked AS. After attack sources are identified, configure rate limiting for incoming ARP packets on the AS ports to which the terminals are connected.
    • Bogus DHCP server attack
      • Terminals need to be authenticated: None
      • Terminals do not need to be authenticated, wired access: Configure DHCP snooping on ASs.
      • Terminals do not need to be authenticated, wireless access: Configure DHCP snooping on APs.
    • DHCP flooding attack
      • All scenarios: The DHCP anti-flooding function is automatically enabled in the outbound direction of ASs, so a DHCP flooding attack affects only the attacked AS. After attack sources are identified, configure rate limiting for incoming DHCP packets on the AS ports to which the terminals are connected.
  • Attack on the forwarding plane
    • ARP Miss attack with fixed source IP address
      • All scenarios: Configure rate limiting for ARP Miss packets on the parent to limit the packets based on the source IP address.
    • IP packet attack with the device IP address as destination IP address
      • All scenarios: Configure a blacklist on the parent.
    • DDoS attack
      • All scenarios: Configure rate limiting and suppression of broadcast, multicast, and unknown unicast traffic on ports.
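Table 5-14 tells you to rate-limit incoming ARP packets on the affected AS ports once the attack sources are identified. The following Python script, added here as an example and not part of the Huawei documentation, shows one way to pick out those ports from per-port ARP observations and label them with the Table 5-13 subtype (a constant sender MAC with rotating IPs, a constant sender IP behind rotating MACs, or plain flooding). The record layout, threshold values and sample observations are constructed assumptions; a real deployment would feed it from whatever ARP telemetry the parent or a collector exports.

```python
from collections import Counter, defaultdict

# Table 5-14 remedy once the source port is known (wired access, terminals not authenticated)
ACTION = "Configure rate limiting for incoming ARP packets on this AS port"

def classify_arp_sources(records, window_s=10.0, pps_threshold=10.0):
    """records: iterable of (seconds, as_name, ifname, sender_mac, sender_ip) ARP observations.
    Returns {(as_name, ifname): {"pps": peak rate, "subtype": Table 5-13 subtype, "action": ACTION}}
    for AS ports whose peak ARP rate within any window exceeds pps_threshold."""
    by_port = defaultdict(list)
    for t, as_name, ifname, mac, ip in records:
        by_port[(as_name, ifname)].append((t, mac, ip))
    findings = {}
    for port, pkts in by_port.items():
        peak = max(Counter(int(t // window_s) for t, _, _ in pkts).values())  # busiest window
        pps = peak / window_s
        if pps <= pps_threshold:
            continue
        macs = {mac for _, mac, _ in pkts}
        ips = {ip for _, _, ip in pkts}
        if len(macs) == 1 and len(ips) > 1:
            subtype = "ARP attack with fixed source MAC address"
        elif len(ips) == 1 and len(macs) > 1:
            subtype = "ARP attack with fixed source IP address"
        else:
            subtype = "ARP flooding attack"
        findings[port] = {"pps": pps, "subtype": subtype, "action": ACTION}
    return findings

# Constructed observations (not captured from a real switch): one port sends ARP from a fixed MAC
# while rotating the sender IP, one rotates the MAC behind a fixed IP, one is an ordinary host.
SAMPLE = []
for i in range(200):
    SAMPLE.append((i * 0.05, "AS1", "GigabitEthernet0/0/5", "00:11:22:33:44:55", f"10.1.1.{i % 50}"))
for i in range(150):
    SAMPLE.append((i / 15, "AS2", "GigabitEthernet0/0/7", f"00:aa:bb:cc:{i // 256:02x}:{i % 256:02x}", "10.1.2.9"))
for i in range(5):
    SAMPLE.append((i * 2.0, "AS1", "GigabitEthernet0/0/1", "00:de:ad:be:ef:01", "10.1.1.200"))

if __name__ == "__main__":
    for (as_name, ifname), f in sorted(classify_arp_sources(SAMPLE).items()):
        print(f"{as_name} {ifname}: {f['subtype']} at {f['pps']:.0f} pps -> {f['action']}")
```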

Updated: 2019-05-16

Document ID: EDOC1000069466

Views: 244526

Downloads: 1972

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next