Configuration Guide - Device Management

S7700 and S9700 V200R013C00

This document describes the configurations of Device Management, including device status query, hardware management, CSS, SVF, PoE, OPS, OIDS, energy-saving management, information center, fault management, NTP, synchronous ethernet, PTP.

Configuring an AS in Centralized Mode (Profile-based Batch Configuration)

In an SVF system, the parent delivers configurations to ASs using service profiles. A service profile is a set of service configurations. After service profiles are delivered to an AS, the AS parses and executes the services configured in them.

For services that can be batch configured for ASs using service profiles, see Service Configuration Supported on an AS.

  • An AS port group can be bound to a network basic profile, network enhanced profile, user access profile, and network QoS profile.

  • Ports of an AS can be added to a maximum of 32 different AS port groups.

  • Only a network basic profile can be bound to an AP port group, and an AP port group can be bound to only one network basic profile.

  • When an AS goes offline and then goes online again, the AS restarts if the global configuration of the AS is changed on the parent and the changed configuration is committed.

Configuring an AS Administrator Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run as-admin-profile name profile-name

    An AS administrator profile is created.

  4. Configure required services in the AS administrator profile.
    • Run user user-name password password

      The user name and password required for AS logins are configured.

    • Run traffic-limit outbound { arp | dhcp } cir cir-value

      The rate limit for outgoing ARP and DHCP packets on an uplink fabric port is configured.

      By default, the rate limits for outgoing ARP packets and DHCP packets are 32 kbit/s and 128 kbit/s respectively on an AS uplink fabric port.

    • Run stp bpdu-protection

      BPDU protection is configured on the AS.

  5. Run quit

    Exit from the AS administrator profile view.

  6. Run as-group name group-name

    An AS group is created.

  7. Add ASs in the AS group using one of the following methods:
    • Run as name as-name

      An AS with a specified name is added to the AS group.

    • Run as name-include string

      ASs whose names contain the specified string are added to the AS group.

    • Run as all

      All online ASs are added to the AS group.

  8. Run as-admin-profile profile-name

    The specified AS administrator profile is bound to the AS group.

  9. Run quit

    Exit from the AS group view.

  10. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to an AS group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Configuring a Network Basic Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-basic-profile name profile-name

    A network basic profile is created.

  4. Configure required services in the network basic profile.

    • Service function: Configure the default VLAN on an interface.
      Configuration command: user-vlan vlan-id
      Usage description: -

    • Service function: Configure allowed VLANs on an interface.
      Configuration command: pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
      Usage description: A maximum of 32 allowed VLANs can be configured on each AS port.

    • Service function: Configure a voice VLAN on an interface.
      Configuration command: voice-vlan vlan-id [ include-untagged ]
      Usage description:
        • The command configuration does not take effect on the service Eth-Trunk bound to a port group.
        • When configuring a voice VLAN on an AS port, ensure that IP phones connected to the AS port support LLDP and have LLDP enabled.

  5. Run quit

    Exit from the network basic profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports to the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs whose names contain the specified string are added to the AS port group.

  9. Run network-basic-profile profile-name

    The specified network basic profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run port-group connect-ap name group-name

    An AP port group is created.

  12. (Optional) Run description description

    The AP port group description is configured to facilitate identification of the terminals connected to the AP port group.

  13. Add AP ports to the AP port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AP port group.

    • Run as name-include string interface all

      Ports of ASs whose names contain the specified string are added to the AP port group.

  14. Run network-basic-profile profile-name

    The specified network basic profile is bound to the AP port group.

    When an AP port group is bound to a network basic profile, only the pass-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command takes effect in the network basic profile view.

  15. Run quit

    Exit from the AP port group view.

  16. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Configuring a Network Enhanced Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-enhanced-profile name profile-name

    A network enhanced profile is created.

  4. Configure required services in the network enhanced profile.

    • Service function: Configure unknown unicast traffic suppression on an interface.
      Configuration command: unicast-suppression packets packets-per-second
      Usage description: The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    • Service function: Configure multicast traffic suppression on an interface.
      Configuration command: multicast-suppression packets packets-per-second
      Usage description: The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    • Service function: Configure broadcast traffic suppression on an interface.
      Configuration command: broadcast-suppression packets packets-per-second
      Usage description: The command configuration does not take effect on the service Eth-Trunk bound to a port group.

    • Service function: Enable DHCP snooping on an interface.
      Configuration command: dhcp snooping enable
      Usage description: This command can only be used to check packets against DHCP dynamic binding entries but not DHCP static binding entries.

    • Service function: Enable IP packet check on an interface.
      Configuration command: ip source check user-bind enable
      Usage description: Before running this command, you must run the dhcp snooping enable command.

    • Service function: Configure dynamic ARP inspection (DAI) on an interface.
      Configuration command: arp anti-attack check user-bind enable
      Usage description: Before running this command, you must run the dhcp snooping enable command.

    • Service function: Configure traffic rate limiting on an interface.
      Configuration command: rate-limit cir-value
      Usage description:
        • The command configuration does not take effect on the service Eth-Trunk bound to a port group.
        • If user traffic is not limited, continuous burst data from numerous users can make the network congested. You can configure traffic rate limiting in inbound direction on an interface to limit traffic entering from the interface within a specified range.

    • Service function: Configure an interface as an edge interface.
      Configuration command: user-access-port enable
      Usage description: Ports connected to a Layer 2 STP network do not need to participate in spanning tree calculation. If these ports participate in the calculation, the network topology convergence speed is affected and the status changes of these ports may cause network flapping. After these ports are configured as edge ports, they do not participate in spanning tree calculation. This configuration speeds up network topology convergence and enhances network stability.

    • Service function: Configure the system to set an interface to the Error-Down state when MAC address flapping is detected on the interface.
      Configuration command: mac-address flapping action error-down
      Usage description: -

    • Service function: Configure the alarm function for MAC address learning and aging on an interface.
      Configuration command: mac-address trap notification all
      Usage description: -

  5. Run quit

    Exit from the network enhanced profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports to the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs whose names contain the specified string are added to the AS port group.

  9. Run network-enhanced-profile profile-name

    The network enhanced profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Configuring a User Access Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run user-access-profile name profile-name

    A user access profile is created.

  4. Configure required services in the user access profile.

    • Service function: Configure an authentication profile to set the user access authentication mode.
      Configuration command: authentication-profile authentication-profile-name
      Usage description:
        • The command configuration does not take effect on the service Eth-Trunk bound to a port group.
        • The user access authentication mode configured through an authentication profile and MAC address limiting on an interface are mutually exclusive and cannot both be configured.
        • The user access authentication mode configured through an authentication profile and rate limiting of incoming ARP and DHCP packets on an AS port are mutually exclusive and cannot both be configured.
        • NAC provides three user authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication. To implement user access authentication, run the dot1x-access-profile name access-profile-name, mac-access-profile name access-profile-name, and portal-access-profile name access-profile-name commands in the system view to create an access profile, bind one or more of the three user authentication modes to the authentication profile, and then bind the authentication profile to the user access profile in an SVF system.
        • If Portal authentication is deployed in an SVF system, you must run the web-auth-server server-name command in the Portal access profile view to specify the Portal server profile used in Portal authentication. Additionally, only one Portal server profile can be configured in a Portal access profile.
        • If the Portal authentication mode has been set to layer3 in the portal-access-profile bound to the authentication profile, this authentication profile cannot be bound to the user access profile. If an authentication profile has been bound to the user access profile, the Portal authentication mode cannot be set to layer3.
        • Different user access profiles must be bound to the same authentication profile.

    • Service function: Configure MAC address limiting on an interface.
      Configuration command: mac-limit maximum max-num
      Usage description: The user access authentication mode configured through an authentication profile and MAC address limiting on an interface are mutually exclusive and cannot both be configured.

    • Service function: Rate limit incoming ARP and DHCP packets on an AS port.
      Configuration command: traffic-limit inbound { arp | dhcp } cir cir-value
      Usage description:
        • By default, the forwarding rate of incoming ARP and DHCP packets on an AS port is not limited.
        • The user access authentication mode configured through an authentication profile and rate limiting of incoming ARP and DHCP packets on an AS port are mutually exclusive and cannot both be configured.
        • Do not run the traffic-limit inbound dhcp and dhcp snooping enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound dhcp command does not take effect. On an AS of the S2720EI, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5720I-SI, S5710-X-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, or S600-E model, running the dhcp snooping enable (network enhanced profile view) command on any port may cause the traffic-limit inbound dhcp command to fail to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.
        • Do not run the traffic-limit inbound arp and arp anti-attack check user-bind enable (network enhanced profile view) commands simultaneously on the same port; otherwise, the traffic-limit inbound arp command may not take effect. On an AS of the S2720EI, S2750EI, S5700LI, S5700S-LI, S5720S-LI, S5720LI, S5720SI, S5720S-SI, S5720I-SI, S5710-X-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, or S600-E model, running the arp anti-attack check user-bind enable (network enhanced profile view) command on any port may cause the traffic-limit inbound arp command to fail to take effect on all ports. You are advised to shut down the attacked port after detecting DoS attacks.

    • Service function: Configure the maximum number of access users on an AS port.
      Configuration command: authentication access-user maximum
      Usage description:
        • The maximum number of access users ranges from 1 to 512. After the value is delivered to an AS, the effective value depends on the AS specifications. For details, see authentication access-point max-user.
        • The authentication access-user maximum command configuration takes effect only for new users.
        • The command configuration does not take effect on the service Eth-Trunk bound to a port group.

  5. Run quit

    Exit from the user access profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports to the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs whose names contain the specified string are added to the AS port group.

  9. Run user-access-profile name profile-name

    The specified user access profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.
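
The prerequisite and mutual-exclusion notes in the network basic, network enhanced, and user access profile sections can be checked against a planned configuration before commit as is run. The following Python check is an added example, not Huawei code and not part of the original guide; the data model (port name mapped to the command strings its bound profiles would deliver), the function names, the port names, and the sample values are assumptions made for illustration.

```python
# Added example (not Huawei code): lint the commands that bound profiles would
# deliver to each AS port, using only the constraints stated in this guide.
# Constructed data model: one AS = {port name: [profile command strings]}.
REQUIRES = {  # command -> prerequisite (network enhanced profile view)
    "ip source check user-bind enable": "dhcp snooping enable",
    "arp anti-attack check user-bind enable": "dhcp snooping enable",
}
EXCLUDES = [  # must not be configured together on one port
    ("authentication-profile", "mac-limit maximum"),
    ("authentication-profile", "traffic-limit inbound"),
    ("traffic-limit inbound dhcp", "dhcp snooping enable"),
    ("traffic-limit inbound arp", "arp anti-attack check user-bind enable"),
]
# AS models on which the last two conflicts apply across all ports of the AS.
AS_WIDE_MODELS = set("""S2720EI S2750EI S5700LI S5700S-LI S5720S-LI S5720LI
    S5720SI S5720S-SI S5720I-SI S5710-X-LI S5730SI S5730S-EI S6720LI
    S6720S-LI S6720SI S6720S-SI S600-E""".split())
MAX_PASS_VLANS = 32  # allowed VLANs per AS port

def has(cmds, prefix):
    """True if any command equals the prefix or starts with it plus a space."""
    return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

def pass_vlan_count(cmds):
    """Count distinct VLANs named by 'pass-vlan a [to b] ...' commands."""
    vlans = set()
    for c in cmds:
        tok = c.split()
        if tok[:1] != ["pass-vlan"]:
            continue
        i = 1
        while i < len(tok):
            lo = hi = int(tok[i])
            if tok[i + 1:i + 2] == ["to"]:
                hi, i = int(tok[i + 2]), i + 2
            i += 1
            vlans.update(range(lo, hi + 1))
    return len(vlans)

def lint_as(model, ports):
    """Return sorted findings for one AS; an empty list means no rule is violated."""
    out = []
    for port, cmds in ports.items():
        for cmd, need in REQUIRES.items():
            if has(cmds, cmd) and not has(cmds, need):
                out.append(f"{port}: '{cmd}' requires '{need}'")
        for a, b in EXCLUDES:
            if has(cmds, a) and has(cmds, b):
                out.append(f"{port}: '{a}' conflicts with '{b}'")
        n = pass_vlan_count(cmds)
        if n > MAX_PASS_VLANS:
            out.append(f"{port}: {n} allowed VLANs exceeds {MAX_PASS_VLANS}")
    if model in AS_WIDE_MODELS:
        every = [c for cmds in ports.values() for c in cmds]
        for limit, check in EXCLUDES[2:]:
            if has(every, limit) and has(every, check):
                out.append(f"AS-wide: '{check}' on any port may disable '{limit}'")
    return sorted(out)
```

The AS-wide rule matters on the listed models because DHCP snooping or DAI on one port group can silently remove the inbound ARP or DHCP rate limit that another port group relies on.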

Configuring a Network QoS Profile

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run network-qos-profile name profile-name

    A network QoS profile is created.

  4. Configure required services in the network QoS profile.

    • Service function: Configure priority mapping based on DSCP priorities.
      Configuration command: trust dscp
      Usage description: -

    • Service function: Set a scheduling mode for interface queues.
      Configuration command: qos { pq | wrr | drr }
      Usage description: -

    • Service function: Configure a queue scheduling weight.
      Configuration command: qos queue queue-index { drr | wrr } weight weight
      Usage description: The queue scheduling mode of an AS port has been set to WRR or WDRR using the qos { pq | wrr | drr } command.

  5. Run quit

    Exit from the network QoS profile view.

  6. Run port-group name group-name

    An AS port group is created.

  7. (Optional) Run description description

    The AS port group description is configured to facilitate identification of the terminals connected to the AS port group.

  8. Add AS ports to the AS port group using one of the following methods:
    • Run as name as-name interface { { interface-type interface-number1 [ to interface-number2 ] } &<1-10> | all }

      Ports of a specified AS are added to the AS port group.

    • Run as name-include string interface all

      Ports of ASs whose names contain the specified string are added to the AS port group.

  9. Run network-qos-profile profile-name

    The specified network QoS profile is bound to the AS port group.

  10. Run quit

    Exit from the AS port group view.

  11. Run commit as { name as-name | all }

    The configuration is committed.

    After configuring service profiles and binding them to a port group, you must run this command to commit the configuration so that the configuration can be delivered to ASs.

Updated: 2019-04-20

Document ID: EDOC1100065738
