S12700 V200R010C00 Configuration Guide - Device Management

This document describes the principles and configurations of the Device Management features, and provides configuration examples of these features.
Configuring an AS in Centralized Mode (Profile-based Batch Configuration)

Context

In an SVF system, the parent delivers configurations to ASs using service profiles. Service profiles are a set of service configurations. After service profiles are delivered to an AS, the AS parses and executes the services configured in the service profiles.

For services that can be batch configured for ASs using service profiles, see Service Configuration Supported on an AS.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    uni-mng

    The uni-mng view is displayed.

  3. Create service profiles and configure services in the service profiles.

    Each profile is created with the command shown on its first line; the services listed under it are configured in that profile's view.

    AS administrator profile
      Create: as-admin-profile name profile-name
      • user user-name password password
        Configure the user name and password required for AS logins.
      • traffic-limit outbound { arp | dhcp } cir cir-value
        Configure the rate limit for outgoing ARP and DHCP packets on an uplink fabric port.
        By default, the rate limits for outgoing ARP packets and DHCP packets are 32 kbit/s and 128 kbit/s respectively on an AS uplink fabric port.

    Network basic profile
      Create: network-basic-profile name profile-name
      • user-vlan vlan-id
        Configure the default VLAN on an interface.
      • pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
        Configure allowed VLANs on an interface. A maximum of 32 allowed VLANs can be configured on each AS port.
      • voice-vlan vlan-id
        Configure a voice VLAN on an interface.
        NOTE: When configuring a voice VLAN on an AS port, ensure that the IP phones connected to the AS port support LLDP and have LLDP enabled.

    Network enhanced profile
      Create: network-enhanced-profile name profile-name
      • unicast-suppression packets packets-per-second
        Configure unknown unicast traffic suppression on an interface.
        To prevent broadcast storms, run the unicast-suppression command to set the maximum number of unknown unicast packets that can pass through a port. When the unknown unicast traffic rate reaches this limit, the system discards the excess unknown unicast packets to keep the traffic volume within a proper range.
      • multicast-suppression packets packets-per-second
        Configure multicast traffic suppression on an interface.
        To prevent broadcast storms, run the multicast-suppression command to set the maximum number of multicast packets that can pass through a port. When the multicast traffic rate reaches this limit, the system discards the excess multicast packets to keep the traffic volume within a proper range.
      • broadcast-suppression packets packets-per-second
        Configure broadcast traffic suppression on an interface.
        To prevent broadcast storms, run the broadcast-suppression command to set the maximum number of broadcast packets that can pass through a port. When the broadcast traffic rate reaches this limit, the system discards the excess broadcast packets to keep the traffic volume within a proper range.
      • dhcp snooping enable
        Enable DHCP snooping on an interface. In this case, packets can be checked only against dynamic DHCP binding entries, not against static DHCP binding entries.
        Run the dhcp snooping enable command to enable DHCP snooping on a port and improve DHCP security.
      • ip source check user-bind enable
        Enable IP packet checking on an interface.
        When an attacker uses the stolen IP address or MAC address of an authorized user to send packets that access or attack the network, the authorized user can no longer obtain stable and secure network services. After IP packet checking is configured on a device, the device checks received IP packets against the binding table to prevent such attacks.
        NOTE: Before running this command, you must run the dhcp snooping enable command.
      • arp anti-attack check user-bind enable
        Configure dynamic ARP inspection (DAI) on an interface.
        You can configure DAI to prevent man-in-the-middle (MITM) attacks and theft of authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, and VLAN ID of the packet with the DHCP snooping binding entries. If the ARP packet matches a binding entry, the device allows the packet to pass; if it matches no binding entry, the device discards the packet.
        NOTE: Before running this command, you must run the dhcp snooping enable command.
      • priority-trust enable
        Configure the priority trust function on an interface.
        After the priority trust function is configured on a port, the port searches the priority mapping table based on the 802.1p priorities in packets, tags the packets with the mapped internal priority, and then sends the packets to queues based on that internal priority.
      • rate-limit cir-value
        Configure traffic rate limiting on an interface.
        If user traffic is not limited, continuous bursts of data from numerous users can congest the network. You can configure traffic rate limiting in the inbound direction on an interface to keep the traffic entering through the interface within a specified range.
      • user-access-port enable
        Configure an interface as an edge interface.
        Ports connected to a Layer 2 STP network do not need to participate in spanning tree calculation. If these ports participate in the calculation, network topology convergence slows down, and status changes on these ports may cause network flapping. After these ports are configured as edge ports, they no longer participate in spanning tree calculation, which speeds up network topology convergence and improves network stability.

    User access profile
      Create: user-access-profile name profile-name
      NOTE: In the user access profile, you can configure the authentication profile to set the user access authentication mode, and limit the number of learned MAC addresses and the rate of incoming ARP and DHCP packets on an AS interface.
      • authentication-profile authentication-profile-name
        Bind an authentication profile to the user access profile.
          • NAC provides three user authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. To implement user access authentication, run the dot1x-access-profile name access-profile-name, mac-access-profile name access-profile-name, and portal-access-profile name access-profile-name commands in the system view to create an access profile, bind one or more of the three user authentication modes to the authentication profile, and then bind the authentication profile to the user access profile in an SVF system.
          • If Portal authentication is deployed in an SVF system, you must run the web-auth-server server-name command in the Portal access profile view to specify the Portal server profile used for Portal authentication. Only one Portal server profile can be configured in a Portal access profile.
          • If the Portal authentication mode has been set to layer3 in the Portal access profile bound to the authentication profile, that authentication profile cannot be bound to the user access profile. If an authentication profile has already been bound to the user access profile, the Portal authentication mode cannot be set to layer3.
          • Different user access profiles must be bound to the same authentication profile.
      • mac-limit maximum max-num
        Configure MAC address learning limiting on an interface.
        To control the number of access users and protect the MAC address table against attacks, you can limit the maximum number of MAC addresses that can be learned on an interface.
        NOTE: In the user access profile view, the authentication-profile authentication-profile-name and mac-limit maximum max-num commands are mutually exclusive and cannot be configured simultaneously.
      • traffic-limit inbound { arp | dhcp } cir cir-value
        Configure the rate limit for incoming ARP and DHCP packets on an AS port.
        By default, the forwarding rate of incoming ARP and DHCP packets on an AS port is not limited.
        NOTE:
          • This command and the authentication { dot1x | mac-auth | portal } * command cannot both be run in the user access profile view.
          • Do not run the traffic-limit inbound dhcp and dhcp snooping enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound dhcp command does not take effect. On an AS of the S5320LI, S5320SI, S2720, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5710-X-LI, or S600-E model, running the dhcp snooping enable (network enhanced profile view) command on any port may prevent the traffic-limit inbound dhcp command from taking effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.
          • Do not run the traffic-limit inbound arp and arp anti-attack check user-bind enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound arp command may not take effect. On an AS of the S5320LI, S5320SI, S2720, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5710-X-LI, or S600-E model, running the arp anti-attack check user-bind enable (network enhanced profile view) command on any port may prevent the traffic-limit inbound arp command from taking effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.
      • authentication access-user maximum max-num
        Configure the maximum number of access users on an AS port.
        The value is an integer that ranges from 1 to 512. After the value is delivered to an AS, the effective value depends on the AS specifications. For details, see authentication access-point max-user.
        NOTE: The authentication access-user maximum command configuration takes effect only for new users.

    By default, no service profile is created, and no service is configured in new service profiles.

  4. Run:

    quit

    Exit from the profile view.

  5. Create a group and bind it to service profiles.

    Each group is created with the command shown on its first line; the member commands add ASs or ports to the group, and the profile commands bind the group to service profiles.

    AS group
      Create: as-group name group-name
      Add members:
      • as name as-name
        Add an AS with a specified name.
      • as name-include string
        Add the ASs whose names contain a specified string.
      • as all
        Add all ASs.
      Bind to a service profile: as-admin-profile profile-name
      An AS group can be bound to only one AS administrator profile.

    AS port group
      Create: port-group name group-name
      Add members:
      • as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }
        Add ports of a specified AS.
      • as name-include string interface all
        Add the ports of the ASs whose names contain a specified string.
      Bind to service profiles:
      • network-basic-profile profile-name
      • network-enhanced-profile profile-name
      • user-access-profile name profile-name
      An AS port group can be bound to a network basic profile, a network enhanced profile, and a user access profile. The ports of an AS can be added to a maximum of 32 different AS port groups. The description description command can be used to configure a description for a port group, which helps identify the type of terminal connected to the port group.

    AP port group
      Create: port-group connect-ap name group-name
      Bind to a service profile: network-basic-profile profile-name
      An AP port group can be bound to only one network basic profile. When an AP port group is bound to a network basic profile, only the pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command takes effect in the network basic profile view.

    By default, no group is created in the system, and new groups have no members and are not bound to service profiles.

  6. Run:

    quit

    Exit from the group view.

  7. Run:

    commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to an AS group or port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

    NOTE:

    When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is changed on the parent and the changed configuration is committed.
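As an added example (not Huawei's code and not part of this guide), the following Python script models the profile commands in steps 1 to 7, checks a profile set against the constraints the guide states (the pass-vlan limit, the dhcp snooping enable prerequisite, the authentication-profile/mac-limit exclusion, the traffic-limit inbound conflicts, and the access-user range), and renders the CLI lines in the order they would be entered, ending with the commit. The profile, group and AS names are constructed placeholders.

```python
# Added example, not Huawei's code: models the profile commands this page lists, lints
# them against the constraints it documents, then renders the CLI lines up to the commit.
MAX_PASS_VLANS, MAX_ACCESS_USERS = 32, 512   # pass-vlan limit per AS port; access-user range 1-512
def lint(basic, enhanced, access):
    """Return violations of rules stated on this page; an empty list means clean."""
    errors = []
    if len(basic["pass_vlan"]) > MAX_PASS_VLANS:
        errors.append("pass-vlan: more than 32 allowed VLANs on an AS port")
    for key, cmd in (("ip_source_check", "ip source check user-bind enable"),
                     ("dai", "arp anti-attack check user-bind enable")):
        if enhanced.get(key) and not enhanced.get("dhcp_snooping"):
            errors.append(f"{cmd} requires dhcp snooping enable")
    if access.get("auth_profile") and access.get("mac_limit") is not None:
        errors.append("authentication-profile and mac-limit maximum are mutually exclusive")
    if access.get("dhcp_cir") and enhanced.get("dhcp_snooping"):
        errors.append("traffic-limit inbound dhcp does not take effect with dhcp snooping enable")
    if access.get("arp_cir") and enhanced.get("dai"):
        errors.append("traffic-limit inbound arp may not take effect with DAI")
    if (n := access.get("max_users")) is not None and not 1 <= n <= MAX_ACCESS_USERS:
        errors.append("authentication access-user maximum must be 1-512")
    return errors

def render(basic, enhanced, access, group, as_name):
    """CLI lines for steps 1-7 of the procedure, in order, ending with the commit."""
    out = ["system-view", "uni-mng", f"network-basic-profile name {basic['name']}",
           f"user-vlan {basic['user_vlan']}",
           "pass-vlan " + " ".join(str(v) for v in basic["pass_vlan"]),
           "quit", f"network-enhanced-profile name {enhanced['name']}"]
    out += [cmd for key, cmd in (("dhcp_snooping", "dhcp snooping enable"),
                                 ("ip_source_check", "ip source check user-bind enable"),
                                 ("dai", "arp anti-attack check user-bind enable"),
                                 ("edge", "user-access-port enable")) if enhanced.get(key)]
    out += ["quit", f"user-access-profile name {access['name']}"]
    for key, fmt in (("auth_profile", "authentication-profile {}"),
                     ("mac_limit", "mac-limit maximum {}"),
                     ("arp_cir", "traffic-limit inbound arp cir {}"),
                     ("dhcp_cir", "traffic-limit inbound dhcp cir {}"),
                     ("max_users", "authentication access-user maximum {}")):
        if access.get(key) is not None:
            out.append(fmt.format(access[key]))
    out += ["quit", f"port-group name {group}", f"as name {as_name} interface all",
            f"network-basic-profile {basic['name']}", f"network-enhanced-profile {enhanced['name']}",
            f"user-access-profile name {access['name']}", "quit", f"commit as name {as_name}"]
    return out
# Constructed sample: BAD_ACCESS breaks two documented rules, GOOD_ACCESS passes lint.
BASIC = {"name": "nb1", "user_vlan": 10, "pass_vlan": [10, 20]}
ENHANCED = {"name": "ne1", "dhcp_snooping": True, "ip_source_check": True, "dai": True, "edge": True}
BAD_ACCESS = {"name": "ua1", "auth_profile": "auth1", "mac_limit": 5, "dhcp_cir": 64}
GOOD_ACCESS = {"name": "ua1", "auth_profile": "auth1", "max_users": 64}
```

Run lint before render and only commit a set that returns no violations; the rendered lines are what you would type into the parent, step by step.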

Updated: 2019-08-21

Document ID: EDOC1000142080