No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples(V100 and V200)

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring a Service Chain to Guide Data Flow Forwarding (on Modular Switches)

Example for Configuring a Service Chain to Guide Data Flow Forwarding (on Modular Switches)

Service Chain

On a typical campus network, value-added service devices, such as firewall, antivirus expert system, and application security gateway, are often deployed at the edge of an important service department, demilitarized zone (DMZ), campus egress, and data center. The scheme that deploys an independent value-added service device in each network zone has the following disadvantages:

  • Increases investment because too many value-added service devices need to be deployed.

  • Wastes resources because value-added service devices are not fully used.

  • Complicates device deployment and maintenance because different service processing policies need to be configured on each value-added service device.

To address the preceding issues, Huawei offers the service chain solution. As shown in Figure 3-295, the service chain solution includes the policy controller, core switches, and security resource pool. Core switches classify service traffic and then redirect the traffic to different value-added service devices. In the security resource pool, you can deploy one device that has multiple value-added service capabilities or multiple devices that have independent value-added service capabilities. The service chain solution allows value-added service devices to be concentrated in a physical zone. In this solution, you do not need to deploy an independent value-added service device for each network, reducing device costs and improving device utilization. On the campus network, the policy controller controls which service traffic needs to be processed by value-added service devices, improving deployment and maintenance efficiency.

Figure 3-295 Service chain solution on a campus network

Configuration Notes

  • SA series cards do not support the service chain function.

  • X series cards support advanced ACLs (3000 to 3999) and UCLs (6000 to 9999) for service flows, while other series cards support only advanced ACLs (3000 to 3999) for service flows.

  • Currently, the service chain solution supports three types of value-added service devices: firewall, antivirus expert system, and application security gateway.

  • The following table lists the applicable products and versions.

    Table 3-162 Products and minimum version supporting service chain

    Switch Version

    Agile Controller-Campus Version

    Switch Model

    V200R006C00, V200R007C00

    V100R001

    S7700, S9700

    V200R008C00, V200R009C00

    V100R002C00, V100R002C10

    V200R010C00

    V100R002C10, V100R003C00

    V200R011C10

    V100R003C30

    V200R012C00

    V100R003C50

    V200R013C00, V200R019C00

    V100R003C60

Networking Requirements

As shown in Figure 3-296, there is an FTP server in the equipment room of company M. The FTP server stores important data of the R&D department. The administrator must prevent key data leaks caused by attacks to ensure security of this FTP server. The administrator wants to achieve the following functions through service orchestration:

  • R&D employees can access the FTP server, but marketing employees cannot.

  • Data flows generated when R&D employees access the FTP server must be processed by the firewall for security detection.

  • If the firewall fails, R&D employees cannot access the FTP server.

Figure 3-296 Networking of company M

Data Plan

Table 3-163 IP address planning for users and resources

Users and Resources

IP Address

R&D employee A

10.85.100.11

R&D employee B

10.85.100.12

R&D employee C

10.85.100.13

R&D employee D

10.85.100.14

R&D employee E

10.85.100.15

FTP server

10.85.10.2

Controller

10.85.10.3

SwitchA

10.85.10.5

NGFW

10.85.10.6
Table 3-164 Service flow planning

No.

Protocol

Source IP/Mask Length

Source Port

Destination IP/Mask Length

Destination Port

1

TCP

10.85.100.11/32

22

10.85.10.2/32

21

2

TCP

10.85.100.12/32

3

TCP

10.85.100.13/32

4

TCP

10.85.100.14/32

5

TCP

10.85.100.15/32
Table 3-165 Device parameter planning

Device

Configuration

Switch
Interface directly connected to the firewall
  • Interface name: GigabitEthernet 1/0/1
  • VLAN: Vlan100
  • IP address: 10.85.10.5/24
Loopback 100
  • IP address: 10.7.2.1/32
Loopback 101
  • IP address: 10.7.2.2/32

Extensible Messaging and Presence Protocol (XMPP) connection password: Admin@123

Firewall
Interface directly connected to the switch
  • Interface name: GigabitEthernet 1/0/1
  • Security zone: trust
  • IP address: 10.85.10.6/24
Loopback 100
  • IP address: 10.6.2.1/32
Loopback 101
  • IP address: 10.6.2.2/32

XMPP connection password: Admin@123

RADIUS shared key: Radius@123

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure basic parameters on the switch and firewall.
    • Configure XMPP parameters to add the switch and firewall on the Controller.
    • Configure IP addresses and static routes for interfaces so that network devices can communicate with each other.

      Ensure that loopback interface numbers of the switch and firewall are larger than those of other devices. In this example, loopback interfaces 100 and 101 are used.

  2. Add the switch and firewall to the Controller using XMPP.

  3. Configure service flows on the Controller and allow only R&D employees to access the FTP server using ACL rules.

  4. Configure an IP address pool and service chain resources on the Controller to establish a GRE tunnel between the switch and firewall.

    The IP address pool cannot contain IP addresses that are being used on the network.

  5. Orchestrate and deploy a service chain on the Controller to redirect FTP server access traffic so that the traffic first passes through the firewall and then is forwarded to the FTP server.

Procedure

  1. Configure basic parameters on the switch, including IP addresses of interfaces, static routes, and XMPP connection parameters.

    <HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.85.10.5 24
[SwitchA-Vlanif100] quit
[SwitchA] interface LoopBack 100
[SwitchA–LoopBack100] ip address 10.7.2.1 255.255.255.255
[SwitchA–LoopBack100] quit
[SwitchA] interface LoopBack 101
[SwitchA–LoopBack101] ip address 10.7.2.2 255.255.255.255
[SwitchA–LoopBack101] quit
[SwitchA] ip route-static 10.6.2.1 255.255.255.255 10.85.10.6
[SwitchA] ip route-static 10.6.2.2 255.255.255.255 10.85.10.6
[SwitchA] group-policy controller 10.85.10.3 password Admin@123 src-ip 10.85.10.5

  2. Configure basic parameters on the firewall, including IP addresses of interfaces, static routes, and XMPP connection parameters.
    1. Configure IP addresses for interfaces and security zones to complete the configurations of basic network parameters.

      1. Choose Network > Interface List.

      2. Click of GE1/0/1 and configure parameters.

        Security Zone

        trust

        IPv4

        IP address

        10.85.10.6/24

    2. Configure the RADIUS server.

      1. Choose Object > Authentication Server > RADIUS. Click Add and configure parameters.

        The configured parameters must be the same as the parameters of the RADIUS server. The shared key is Radius@123.

      2. Click OK.

    3. Enable the agile network function of the firewall.

      1. Choose System > Agile Network Configuration.
      2. Select Enable following Agile Network Function.
      3. Configure parameters for connection with the Controller. The status following Controller Active Server IP Address displays Connected, indicating that the firewall has connected to the Controller.

        In a service orchestration scenario, because a firewall needs to have the content security testing function configured, select Manually configured for Security Policy Configuration.

    4. Configure two loopback interfaces on the firewall.

      You need to log in to the CLI console to complete the configuration.

      1. Click in the lower-right part.
      2. Click in the CLI Console (Disconnected) dialog box to connect to the CLI console.
      3. After the connection is successful, configure the following commands.
        <sysname> sysname NGFW
[NGFW] interface LoopBack 100
[NGFW-LoopBack100] ip address 10.6.2.1 255.255.255.255
[NGFW-LoopBack100] quit
[NGFW] interface LoopBack 101
[NGFW-LoopBack101] ip address 10.6.2.2 255.255.255.255
[NGFW-LoopBack101] quit
[NGFW] ip route-static 10.7.2.1 255.255.255.255 10.85.10.5
[NGFW] ip route-static 10.7.2.2 255.255.255.255 10.85.10.5

  3. Add the switch and firewall on the Controller.
    1. Choose Resource > Device > Device Management from the main menu.
    2. Click Add.
    3. Configure parameters for the device to be added.

      Figure 3-297 and Figure 3-298 show how to configure parameters for the switch and firewall to be added.

      Set Password to the configured communication password Admin@123.

      Figure 3-297 Parameter settings on the switch

      Figure 3-298 Parameter settings on the firewall to be added

  4. Configure service flows.
    1. Choose Policy > Service Chain Orchestration > Service Flow Defining from the main menu.
    2. Click Add.
    3. Set service flow parameters.

      Set service flow parameters as shown in Figure 3-299.

      Figure 3-299 Service flow parameter settings

  5. Configure an IP address pool.
    1. Choose Policy > Service Chain Orchestration > IP Address Pool from the main menu.
    2. Click Add.
    3. Set the name to 10.10.192.0, IP address to 10.10.192.0, and mask length to 24.

      Figure 3-300 IP address pool parameter settings

    4. Click OK.
  6. Configure service chain resources.
    1. Choose Policy > Service Chain Orchestration > Service Chain Resource from the main menu.
    2. Click Add.
    3. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
    4. Select NGFW in the left Service Device area and drag NGFW to the right Firewall node.
    5. Select 10.10.192.0 in the left IP Address Pool area.

      Figure 3-301 Service chain resource parameter settings

    6. Click Save. In the dialog box that is displayed, click OK.
  7. Orchestrate and deploy a service chain.
    1. Choose Policy > Service Chain Orchestration > Service Chain Orchestration from the main menu.
    2. Click Add.
    3. Select User_to_Datacenter in the left Service Flow area and drag User_to_Datacenter to the right Service Flow node.
    4. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
    5. Drag NGFW to the upper firewall node.
    6. Select Block in the left Chain Exception Handling Mode area.

      Figure 3-302 Service orchestration parameter settings

    7. Click Save. In the dialog box that is displayed, click OK.
  8. Verify the configuration.

    # Check whether the tunnel between the switch and firewall is established on the Controller.

    Figure 3-303 shows tunnel information after service chain resources are delivered.

    Figure 3-303 Tunnel deployment results

    # Run the display acl all command on the switch. The command output shows that service flow rules are delivered successfully.

    [SwitchA] display acl all
 Total nonempty ACL number is 1 
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
 rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.1
0.2 0 destination-port eq 21 (match-counter 0)
 rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)
 rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.
10.2 0 destination-port eq 21 (match-counter 0)

    # Run the display current-configuration | include traffic-redirect command on the switch. The command output shows that the service orchestration configurations are delivered successfully.

    [SwitchA] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name S_ACL_20140401153202_B3E0 3998 interface Tunnel16370 
[SwitchA] interface Tunnel 16370
[SwitchA-Tunnel16370] display this
#
interface Tunnel16370
 description Controller_S_from_10.6.2.1
 ip address 10.10.192.5 255.255.255.0
 tunnel-protocol gre
 keepalive period 1
 source 10.7.2.1
 destination 10.6.2.1
 traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
#
return

Configuration Files

  • Configuration file of the SwitchA
    #
sysname SwitchA
#
vlan batch 100
#
group-policy controller 10.85.10.3 password %#%#FG9.7h,|j$2'c2$LRG%N#lBU;3_^;AVo,7)"f%^M%#%# src-ip 10.85.10.5
#
interface Vlanif100
 ip address 10.85.10.5 255.255.255.0
#
interface LoopBack100
 ip address 10.7.2.1 255.255.255.255
#
interface LoopBack101
 ip address 10.7.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
Translation
Español 日本語 Русский 简体中文
Download
Updated: 2023-07-29

Document ID: EDOC1000069520

Views: 1863773

Downloads: 41244

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :