Configuring an AS in Centralized Mode (Profile-based Batch Configuration)

In an SVF system, the parent delivers configurations to ASs using service profiles. Service profiles are a set of service configurations. After service profiles are delivered to an AS, the AS parses and executes the services configured in the service profiles.

For services that can be batch configured for ASs using service profiles, see Service Configuration Supported on an AS.

• An AS port group can be bound to a network basic profile, network enhanced profile, user access profile, and network QoS profile.

• Ports of an AS can be added to a maximum of 32 different AS port groups.

• Only a network basic profile can be bound to an AP port group, and an AP port group can be bound to only one network basic profile.

• When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is changed on the parent and the changed configuration is committed.

Configuring Services for ASs Using an AS Administrator Profile

1. Run system-view

   The system view is displayed.

2. Run uni-mng

   The uni-mng view is displayed.

3. Run as-admin-profile name profile-name

   An AS administrator profile is created.

4. Configure required services in the AS administrator profile.
   • Run user user-name password password

     The user name and password required for AS logins are configured.

   • Run traffic-limit outbound { arp | dhcp } cir cir-value,

     By default, the rate limits for outgoing ARP packets and DHCP packets are 32 kbit/s and 128 kbit/s respectively on an AS uplink fabric port.

     The rate limit for outgoing ARP and DHCP packets on an uplink fabric port is configured.

   • Run stp bpdu-protection

     BPDU protection is configured on the AS.

5. Run quit

   Exit from the AS administrator profile view.

6. Run as-group name group-name

   An AS group is created.

7. Add ASs in the AS group using one of the following methods:
   • Run as name as-name

     An AS with a specified name is added to the AS group.

   • Run as name-include string

     ASs of which the name contains a specified string are added to the AS group.

   • Run as all

     All online ASs are added to the AS group.

8. Run as-admin-profile profile-name

   The specified AS administrator profile is bound to the AS group.

9. Run quit

   Exit from the AS group view.

10. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to an AS group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] as-admin-profile name profile_1
[HUAWEI-um-as-admin-profile_1] user test password Pwd@123456  // Specify the user name and password used to log in to ASs.
[HUAWEI-um-as-admin-profile_1] quit
[HUAWEI-um] as-group name group_1
[HUAWEI-um-as-group-group_1] as all  // This configuration takes effect for all online ASs.
[HUAWEI-um-as-group-group_1] as-admin-profile profile_1  // Bind the AS group to the AS administrator profile.
[HUAWEI-um-as-group-group_1] quit
[HUAWEI-um] commit as all  // Commit the configuration to deliver it to ASs.

Configuring Services for ASs Using a Network Basic Profile

1. Run system-view

   The system view is displayed.

2. Run uni-mng

   The uni-mng view is displayed.

3. Run network-basic-profile name profile-name

   A network basic profile is created.

4. Configure required services in the network basic profile.

   Service Functions	Configuration Command	Usage Description
   Configure the default VLAN on an interface.	user-vlan vlan-id	-
   Configure allowed VLANs on an interface.	pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>	A maximum of 32 allowed VLANs can be configured on each AS port.
   Configure a voice VLAN on an interface.	voice-vlan vlan-id [ include-untagged ]	The command configuration does not take effect on the service Eth-Trunk bound to a port group. When configuring a voice VLAN on an AS port, ensure that IP phones connected to the AS port support LLDP and have LLDP enabled.

5. Run quit

   Exit from the network basic profile view.

6. Run port-group name group-name

   An AS port group is created.

7. (Optional) Run description description

   The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

8. Add AS ports in the AS port group using one of the following methods:
   • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

     Ports of a specified AS are added to the AS port group.

   • Run as name-include string interface all

     Ports of ASs of which the name contains a specified string are added to the AS port group.

9. Run network-basic-profile profile-name

   The specified network basic profile is bound to the AS port group.

10. Run quit

    Exit from the AS port group view.

11. Run port-group connect-ap name group-name

    An AP port group is created.

12. (Optional) Run description description

    The AP port group description is configured to facilitate identification of the terminals connected to the AP port group.

13. Add AP ports to the AP port group.
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs of which the name contains a specified string are added to the AS port group.

14. Run network-basic-profile profile-name

    The specified network basic profile is bound to the AP port group.

    When an AP port group is bound to a network basic profile, only the pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command takes effect in the network basic profile view.

15. Run quit

    Exit from the AP port group view.

16. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] pass-vlan 10 to 12  // Specify the allowed VLANs on AS ports.
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-basic-profile profile_1  // Bind the port group to the network basic profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a Network Enhanced Profile

1. Run system-view

   The system view is displayed.

2. Run uni-mng

   The uni-mng view is displayed.

3. Run network-enhanced-profile name profile-name

   A network enhanced profile is created.

4. Configure required services in the network enhanced profile.

   Service Functions	Configuration Command	Usage Description
   Configure unknown unicast traffic suppression on an interface.	unicast-suppression packets packets-per-second	The command configuration does not take effect on the service Eth-Trunk bound to a port group.
   Configure multicast traffic suppression on an interface.	multicast-suppression packets packets-per-second	The command configuration does not take effect on the service Eth-Trunk bound to a port group.
   Configure broadcast traffic suppression on an interface.	broadcast-suppression packets packets-per-second	The command configuration does not take effect on the service Eth-Trunk bound to a port group.
   Enable DHCP snooping on an interface.	dhcp snooping enable	This command can only be used to check packets against DHCP dynamic binding entries but not DHCP static binding entries.
   Enable IP packet check on an interface.	ip source check user-bind enable	Before running this command, you must run the dhcp snooping enable command.
   Configure dynamic ARP inspection (DAI) on an interface.	arp anti-attack check user-bind enable	Before running this command, you must run the dhcp snooping enable command.
   Configure traffic rate limiting on an interface.	rate-limit cir-value	The command configuration does not take effect on the service Eth-Trunk bound to a port group. If user traffic is not limited, continuous burst data from numerous users can make the network congested. You can configure traffic rate limiting in inbound direction on an interface to limit traffic entering from the interface within a specified range.
   Configure an interface as an edge interface.	user-access-port enable	Ports connected to a Layer 2 STP network do not need to participate in spanning tree calculation. If these ports participate in the calculation, the network topology convergence speed is affected and the status changes of these ports may cause network flapping. After these ports are configured as edge ports, they do not participate in spanning tree calculation. This configuration speeds up network topology convergence and enhances network stability.
   Configure the system to set an interface to the Error-Down state when MAC address flapping is detected on the interface.	mac-address flapping action error-down	-
   Configure the alarm function for MAC address learning and aging on an interface.	mac-address trap notification all	-

5. Run quit

   Exit from the network enhanced profile view.

6. Run port-group name group-name

   An AS port group is created.

7. (Optional) Run description description

   The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

8. Add AS ports in the AS port group using one of the following methods:
   • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

     Ports of a specified AS are added to the AS port group.

   • Run as name-include string interface all

     Ports of ASs of which the name contains a specified string are added to the AS port group.

9. Run network-enhanced-profile profile-name

   The network enhanced profile is bound to the AS port group.

10. Run quit

    Exit from the AS port group view.

11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-enhanced-profile name profile_1
[HUAWEI-um-net-enhanced-profile_1] unicast-suppression packets 148810  // Configure unknown unicast traffic suppression for ASs.
[HUAWEI-um-net-enhanced-profile_1] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-enhanced-profile profile_1  // Bind the port group to the network enhanced profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a User Access Profile

1. Run system-view

   The system view is displayed.

2. Run uni-mng

   The uni-mng view is displayed.

3. Run user-access-profile name profile-name

   A user access profile is created.

4. Before configuring the user authentication mode, configure an authentication profile.

   NAC provides three user authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. To implement user access authentication, run the dot1x-access-profile name access-profile-name, mac-access-profile name access-profile-name, and portal-access-profile name access-profile-name commands in the system view to create an access profile, bind one or multiple of the three user authentication modes to the authentication profile, and then bind the authentication profile to the user access profile in an SVF system.

5. Configure required services in the user access profile.

   Service Functions	Configuration Command	Usage Description
   Configure an authentication profile to set the user access authentication mode.	authentication-profile authentication-profile-name	The command configuration does not take effect on the service Eth-Trunk bound to a port group. The user access authentication mode configured through an authentication profile is mutually exclusive with MAC address limiting on an interface and cannot be both configured. The user access authentication mode configured through an authentication profile is mutually exclusive with the function of rate limiting incoming ARP and DHCP packets on an AS port and cannot be both configured. If Portal authentication is deployed in an SVF system, you must run the web-auth-server server-name command to specify the Portal server profile used in Portal authentication in the Portal access profile view. Additionally, only one Portal server profile can be configured in a Portal access profile. If the Portal authentication mode has been set to layer3 in the portal-access-profile bound to the authentication profile, it is not allowed to bind this authentication profile to the user access profile. If an authentication profile has been bound to the user access profile, it is now allowed to set the Portal authentication mode to layer3. Different user access profiles must be bound to the same authentication profile. If an interface needs to be unbound from an authentication profile and there are many users on the interface, it takes a long time to unbind the interface from the authentication profile. To shorten the time, run the authentication speed-limit max-num command to increase the rate at which a specified AS sends user disassociation request messages.
   Configure MAC address limiting on an interface.	mac-limit maximum max-num	The user access authentication mode configured through an authentication profile is mutually exclusive with MAC address limiting on an interface and cannot be both configured.
   Rate limit incoming ARP and DHCP packets on an AS port.	traffic-limit inbound { arp | dhcp } cir cir-value	By default, the forwarding rate of incoming ARP and DHCP packets on an AS port is not limited. The user access authentication mode configured through an authentication profile is mutually exclusive with the function of rate limiting incoming ARP and DHCP packets on an AS port and cannot be both configured. Do not run the traffic-limit inbound dhcp and dhcp snooping enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound dhcp command does not take effect. On an AS of the S2720EI, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5720I-SI, S5710-X-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, or S600-E model, running the dhcp snooping enable (network enhanced profile view) command on any port may cause the traffic-limit inbound dhcp command unable to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks. Do not run the traffic-limit inbound arp and arp anti-attack check user-bind enable (network enhanced profile view) commands simultaneously on the same port. Otherwise, the traffic-limit inbound arp command may not take effect. On an AS of the S2720EI, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5720I-SI, S5710-X-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, or S600-E model, running the arp anti-attack check user-bind enable (network enhanced profile view) command on any port may cause the traffic-limit inbound arp command unable to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.
   Configure the maximum number of access users on an AS port.	authentication access-user maximum	The maximum number of access users ranges from 1 to 512. After the value is delivered to an AS, the effective value depends on the AS specifications. For details, see authentication access-point max-user. The authentication access-user maximum command configuration takes effect only for new users. The command configuration does not take effect on the service Eth-Trunk bound to a port group.

6. Run quit

   Exit from the user access profile view.

7. Run port-group name group-name

   An AS port group is created.

8. (Optional) Run description description

   The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

9. Add AS ports in the AS port group using one of the following methods:
   • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

     Ports of a specified AS are added to the AS port group.

   • Run as name-include string interface all

     Ports of ASs of which the name contains a specified string are added to the AS port group.

10. Run user-access-profile name profile-name

    The specified user access profile is bound to the AS port group.

11. Run quit

    Exit from the AS port group view.

12. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

<HUAWEI> system-view
[HUAWEI] mac-access-profile name 1
[HUAWEI-mac-access-profile-1] quit
[HUAWEI] authentication-profile name test
[HUAWEI-authen-profile-test] mac-access-profile 1  // Configure a MAC access profile.
[HUAWEI-authen-profile-test] quit
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name huawei
[HUAWEI-um-user-access-huawei] authentication-profile test  // Bind the authentication profile to the user access profile.
[HUAWEI-um-user-access-huawei] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] user-access-profile huawei  // Bind the port group to the user access profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.

Configuring Services for ASs Using a Network QoS Profile

1. Run system-view

   The system view is displayed.

2. Run uni-mng

   The uni-mng view is displayed.

3. Run network-qos-profile name profile-name

   A network QoS profile is created.

4. Configure required services in the network QoS profile

   Service Functions	Configuration Command	Usage Description
   Configure priority mapping based on DSCP priorities.	trust dscp	-
   Set a scheduling mode for interface queues.	qos { pq | wrr | drr }	-
   Configure a queue scheduling weight.	qos queue queue-index { drr | wrr } weight weight	The queue scheduling mode of an AS port has been set to WRR or WDRR using the qos { pq | wrr | drr } command.

5. Run quit

   Exit from the network QoS profile view.

6. Run port-group name group-name

   An AS port group is created.

7. (Optional) Run description description

   The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

8. Add AS ports in the AS port group using one of the following methods:
   • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

     Ports of a specified AS are added to the AS port group.

   • Run as name-include string interface all

     Ports of ASs of which the name contains a specified string are added to the AS port group.

9. Run network-qos-profile profile-name

   The specified network QoS profile is bound to the AS port group.

10. Run quit

    Exit from the AS port group view.

11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Example

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-qos-profile name test
[HUAWEI-um-net-qos-test] trust dscp  // Perform priority mapping on packets based on DSCP priorities.
[HUAWEI-um-net-qos-test] quit
[HUAWEI-um] port-group name group_1
[HUAWEI-um-portgroup-group_1] as name as1 interface gigabitethernet 0/0/1 to 0/0/5  // Deliver the configuration to ports GE0/0/1 to GE0/0/5 on AS1.
[HUAWEI-um-portgroup-group_1] network-qos-profile test  // Bind the port group to the network QoS profile.
[HUAWEI-um-portgroup-group_1] quit
[HUAWEI-um] commit as name as1  // Commit the configuration to deliver it to AS1.