[All About Switches - Configuration Examples] Example for Configuring a Service

Latest reply: Jun 4, 2015 10:37:26

1 Example for Configuring a Service Chain to Guide Data Flow Forwarding

Service Chain

On a typical campus network, value-added service devices, such as firewall, antivirus expert system, and application security gateway, are often deployed at the edge of an important service department, demilitarized zone (DMZ), campus egress, and data center. The scheme that deploys an independent value-added service device in each network zone has the following disadvantages:

- Increases investment because too many value-added service devices need to be deployed.

- Wastes resources because value-added service devices are not fully used.

- Complicates device deployment and maintenance because different service processing policies need to be configured on each value-added service device.

To address the preceding issues, Huawei offers the service chain solution. As shown in Figure 1-1, the service chain solution includes the policy controller, core switches, and security resource pool. Core switches classify service traffic and then redirect the traffic to different value-added service devices. In the security resource pool, you can deploy one device that has multiple value-added service capabilities or multiple devices that have independent value-added service capabilities. The service chain solution allows value-added service devices to be concentrated in a physical zone. In this solution, you do not need to deploy an independent value-added service device for each network, reducing device costs and improving device utilization. On the campus network, the policy controller controls which service traffic needs to be processed by value-added service devices, improving deployment and maintenance efficiency.

Figure 1-1 Service chain solution on a campus network


Configuration Notes

- Currently, the service chain solution supports three types of value-added service devices: firewall, antivirus expert system, and application security gateway.

- The following table lists the products and versions supporting the service chain solution.

Product              | Earliest Software Version
S12700/S9700/S7700   | V200R006C00
Agile Controller     | V100R001C00
NGFW                 | V100R001C20

 

Networking Requirements

As shown in Figure 1-2, there is an FTP server in the equipment room of company M. The FTP server stores important data of the R&D department. The administrator must prevent key data leaks caused by attacks to ensure security of this FTP server. The administrator wants to achieve the following functions through service orchestration:

- R&D employees can access the FTP server, but marketing employees cannot.

- Data flows generated when R&D employees access the FTP server must be processed by the firewall for security detection.

- If the firewall fails, R&D employees cannot access the FTP server.

Figure 1-2 Networking of company M


Data Plan

Table 1-1 IP address planning for users and resources

Users and Resources | IP Address
R&D employee A      | 10.85.100.11
R&D employee B      | 10.85.100.12
R&D employee C      | 10.85.100.13
R&D employee D      | 10.85.100.14
R&D employee E      | 10.85.100.15
FTP server          | 10.85.10.2
Controller          | 10.85.10.3
SwitchA             | 10.85.10.5
NGFW                | 10.85.10.6

Table 1-2 Service flow planning

No. | Protocol | Source IP/Mask Length | Source Port | Destination IP/Mask Length | Destination Port
1   | TCP      | 10.85.100.11/32       | 22          | 10.85.10.2/32              | 21
2   | TCP      | 10.85.100.12/32       | 22          | 10.85.10.2/32              | 21
3   | TCP      | 10.85.100.13/32       | 22          | 10.85.10.2/32              | 21
4   | TCP      | 10.85.100.14/32       | 22          | 10.85.10.2/32              | 21
5   | TCP      | 10.85.100.15/32       | 22          | 10.85.10.2/32              | 21

Table 1-3 Device parameter planning

Switch:

- Interface directly connected to the firewall
  - Interface name: GigabitEthernet 1/0/1
  - VLAN: Vlan100
  - IP address: 10.85.10.5/24
- LoopBack 100: IP address 10.7.2.1/32
- LoopBack 101: IP address 10.7.2.2/32
- Extensible Messaging and Presence Protocol (XMPP) connection password: Admin@123

Firewall:

- Interface directly connected to the switch
  - Interface name: GigabitEthernet 1/0/1
  - Security zone: trust
  - IP address: 10.85.10.6/24
- LoopBack 100: IP address 10.6.2.1/32
- LoopBack 101: IP address 10.6.2.2/32
- XMPP connection password: Admin@123
- RADIUS shared key: Radius@123

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure basic parameters on the switch and firewall.

   - Configure XMPP parameters to add the switch and firewall on the Controller.
   - Configure IP addresses and static routes for interfaces so that network devices can communicate with each other.

   Ensure that loopback interface numbers of the switch and firewall are larger than those of other devices. In this example, loopback interfaces 100 and 101 are used.

2. Add the switch and firewall to the Controller using XMPP.

3. Configure service flows on the Controller and allow only R&D employees to access the FTP server using ACL rules.

4. Configure an IP address pool and service chain resources on the Controller to establish a GRE tunnel between the switch and firewall.

   The IP address pool cannot contain IP addresses that are already in use on the network.

5. Orchestrate and deploy a service chain on the Controller to redirect FTP server access traffic so that the traffic first passes through the firewall and then is forwarded to the FTP server.

Procedure

Step 1 Configure basic parameters on the switch, including IP addresses of interfaces, static routes, and XMPP connection parameters.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.85.10.5 24
[SwitchA-Vlanif100] quit
[SwitchA] interface LoopBack 100
[SwitchA-LoopBack100] ip address 10.7.2.1 255.255.255.255
[SwitchA-LoopBack100] quit
[SwitchA] interface LoopBack 101
[SwitchA-LoopBack101] ip address 10.7.2.2 255.255.255.255
[SwitchA-LoopBack101] quit
[SwitchA] ip route-static 10.6.2.1 255.255.255.255 10.85.10.6
[SwitchA] ip route-static 10.6.2.2 255.255.255.255 10.85.10.6
[SwitchA] group-policy controller 10.85.10.3 password Admin@123 src-ip 10.85.10.5

Step 2 Configure basic parameters on the firewall, including IP addresses of interfaces, static routes, and XMPP connection parameters.

1. Configure IP addresses for interfaces and security zones to complete the configuration of basic network parameters.

   a. Choose Network > Interface List.

   b. Click the edit icon of GE1/0/1 and configure the following parameters:

      - Security Zone: trust
      - IPv4 IP address: 10.85.10.6/24

2. Configure the RADIUS server.

   a. Choose Object > Authentication Server > RADIUS. Click Add and configure parameters.

      The configured parameters must be the same as the parameters of the RADIUS server. The shared key is Radius@123.

   b. Click OK.

3. Enable the agile network function of the firewall.

   a. Choose System > Agile Network Configuration.

   b. Select Enable following Agile Network Function.

   c. Configure parameters for connection with the Controller. When the status following Controller Active Server IP Address displays Connected, the firewall has connected to the Controller.

      In a service orchestration scenario, because a firewall needs to have the content security testing function configured, select Manually configured for Security Policy Configuration.

4. Configure two loopback interfaces on the firewall.

   You need to log in to the CLI console to complete the configuration.

   a. Click the CLI console icon in the lower-right part.

   b. Click in the CLI Console (Disconnected) dialog box to connect to the CLI console.

   c. After the connection is successful, configure the following commands. The sysname command is run in the system view, so enter it first.

<sysname> system-view
[sysname] sysname NGFW
[NGFW] interface LoopBack 100
[NGFW-LoopBack100] ip address 10.6.2.1 255.255.255.255
[NGFW-LoopBack100] quit
[NGFW] interface LoopBack 101
[NGFW-LoopBack101] ip address 10.6.2.2 255.255.255.255
[NGFW-LoopBack101] quit
[NGFW] ip route-static 10.7.2.1 255.255.255.255 10.85.10.5
[NGFW] ip route-static 10.7.2.2 255.255.255.255 10.85.10.5

Step 3 Add the switch and firewall on the Controller.

1. Choose Resource > Device > Device Management from the main menu.

2. Click Add.

3. Configure parameters for the device to be added.

   Figure 1-3 and Figure 1-4 show how to configure parameters for the switch and firewall to be added.

   Set Password to the configured communication password Admin@123.

Figure 1-3 Parameter settings on the switch


Figure 1-4 Parameter settings on the firewall to be added


Step 4 Configure service flows.

1. Choose Policy > Service Chain Orchestration > Service Flow Defining from the main menu.

2. Click Add.

3. Set service flow parameters as shown in Figure 1-5.

Figure 1-5 Service flow parameter settings


Step 5 Configure an IP address pool.

1. Choose Policy > Service Chain Orchestration > IP Address Pool from the main menu.

2. Click Add.

3. Set the name to 10.10.192.0, IP address to 10.10.192.0, and mask length to 24.

Figure 1-6 IP address pool parameter settings


4. Click OK.

Step 6 Configure service chain resources.

1. Choose Policy > Service Chain Orchestration > Service Chain Resource from the main menu.

2. Click Add.

3. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.

4. Select NGFW in the left Service Device area and drag NGFW to the right Firewall node.

5. Select 10.10.192.0 in the left IP Address Pool area.

Figure 1-7 Service chain resource parameter settings


6. Click Save. In the dialog box that is displayed, click OK.

Step 7 Orchestrate and deploy a service chain.

1. Choose Policy > Service Chain Orchestration > Service Chain Orchestration from the main menu.

2. Click Add.

3. Select User_to_Datacenter in the left Service Flow area and drag User_to_Datacenter to the right Service Flow node.

4. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.

5. Drag NGFW to the upper firewall node.

6. Select Block in the left Chain Exception Handling Mode area.

Figure 1-8 Service orchestration parameter settings


7. Click Save. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.

# Check whether the tunnel between the switch and firewall is established on the Controller.

Figure 1-9 shows tunnel information after service chain resources are delivered.

Figure 1-9 Tunnel deployment results


# Run the display acl all command on the switch. The command output shows that the service flow rules have been delivered successfully (the terminal wrapped the long rule lines; they are shown joined here).

[SwitchA] display acl all
 Total nonempty ACL number is 1
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
 rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)

# Run the display current-configuration | include traffic-redirect command on the switch. The command output shows that the service orchestration configurations are delivered successfully.

[SwitchA] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name S_ACL_20140401153202_B3E0 3998 interface Tunnel16370 
[SwitchA] interface Tunnel 16370
[SwitchA-Tunnel16370] display this
#
interface Tunnel16370
 description Controller_S_from_10.6.2.1
 ip address 10.10.192.5 255.255.255.0
 tunnel-protocol gre
 keepalive period 1
 source 10.7.2.1
 destination 10.6.2.1
 traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
#
return
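As an added example that is not part of the original document, the following Python script automates the check in Step 8: it parses the rules from the switch's display acl all output and compares them with the flow plan in Table 1-2, reporting planned flows that were not delivered and permit rules that are outside the plan (such as a marketing host or a subnet-wide wildcard). It also checks that the IP address pool from Step 5 contains none of the addresses planned in Table 1-1. The sample output is constructed from the format shown above, with the wrapped lines re-joined.

```python
import ipaddress
import re

# Planned flows from Table 1-2: (protocol, source host, source port, destination host, destination port).
PLANNED_FLOWS = [("tcp", f"10.85.100.{h}", 22, "10.85.10.2", 21) for h in range(11, 16)]
# Addresses already in use per Table 1-1; the service chain IP address pool must not contain any of them.
IN_USE_IPS = [f"10.85.100.{h}" for h in range(11, 16)] + ["10.85.10.2", "10.85.10.3", "10.85.10.5", "10.85.10.6"]
# Constructed sample of the switch's "display acl all" output (wrapped lines re-joined).
ACL_OUTPUT = """\
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
 rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
 rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
"""

RULE_RE = re.compile(
    r"rule \d+ (?P<action>permit|deny) (?P<proto>\w+) "
    r"source (?P<src>[\d.]+) (?P<swc>[\d.]+) source-port eq (?P<sport>\d+) "
    r"destination (?P<dst>[\d.]+) (?P<dwc>[\d.]+) destination-port eq (?P<dport>\d+)"
)

def parse_rules(output):
    """Return (action, proto, src, sport, dst, dport) per rule. Wildcard "0" means an exact host;
    a wider wildcard is kept in the address field so a subnet rule never passes as a host flow."""
    rules = []
    for m in RULE_RE.finditer(output):
        src = m["src"] if m["swc"] == "0" else f"{m['src']} wildcard {m['swc']}"
        dst = m["dst"] if m["dwc"] == "0" else f"{m['dst']} wildcard {m['dwc']}"
        rules.append((m["action"], m["proto"], src, int(m["sport"]), dst, int(m["dport"])))
    return rules

def permitted_set(rules):
    return {(p, s, sp, d, dp) for (a, p, s, sp, d, dp) in rules if a == "permit"}

def missing_flows(planned, rules):
    """Planned flows with no exactly matching permit rule: delivery failed or the rule was altered."""
    permitted = permitted_set(rules)
    return [f for f in planned if f not in permitted]

def unplanned_permits(planned, rules):
    """Permit rules outside the plan, e.g. a marketing host or a subnet-wide wildcard rule."""
    return sorted(permitted_set(rules) - set(planned))

def pool_overlaps(pool_cidr, in_use):
    """Planned addresses that fall inside the service chain IP address pool; must be empty."""
    pool = ipaddress.ip_network(pool_cidr)
    return [ip for ip in in_use if ipaddress.ip_address(ip) in pool]
```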

----End

Configuration Files

- Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 100
#
group-policy controller 10.85.10.3 password %#%#FG9.7h,|j$2'c2$LRG%N#lBU;3_^;AVo,7)"f%^M%#%# src-ip 10.85.10.5
#
interface Vlanif100
 ip address 10.85.10.5 255.255.255.0
#
interface LoopBack100
 ip address 10.7.2.1 255.255.255.255
#
interface LoopBack101
 ip address 10.7.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

user_2790689
Created Jun 4, 2015 10:37:26 Helpful(0)

Very good.