1 Example for Configuring a Service Chain to Guide Data Flow Forwarding
Service Chain
On a typical campus network, value-added service devices, such as firewall, antivirus expert system, and application security gateway, are often deployed at the edge of an important service department, demilitarized zone (DMZ), campus egress, and data center. The scheme that deploys an independent value-added service device in each network zone has the following disadvantages:
- Increases investment because too many value-added service devices need to be deployed.
- Wastes resources because value-added service devices are not fully used.
- Complicates device deployment and maintenance because different service processing policies need to be configured on each value-added service device.
To address the preceding issues, Huawei offers the service chain solution. As shown in Figure 1-1, the service chain solution includes the policy controller, core switches, and security resource pool. Core switches classify service traffic and then redirect the traffic to different value-added service devices. In the security resource pool, you can deploy one device that has multiple value-added service capabilities or multiple devices that have independent value-added service capabilities. The service chain solution allows value-added service devices to be concentrated in a physical zone. In this solution, you do not need to deploy an independent value-added service device for each network, reducing device costs and improving device utilization. On the campus network, the policy controller controls which service traffic needs to be processed by value-added service devices, improving deployment and maintenance efficiency.
Figure 1-1 Service chain solution on a campus network
Configuration Notes
- Currently, the service chain solution supports three types of value-added service devices: firewall, antivirus expert system, and application security gateway.
- The following table lists the products and versions supporting the service chain solution.

Product | Earliest Software Version
S12700/S9700/S7700 | V200R006C00
Agile Controller | V100R001C00
NGFW | V100R001C20
Networking Requirements
As shown in Figure 1-2, there is an FTP server in the equipment room of company M. The FTP server stores important data of the R&D department. The administrator must prevent key data leaks caused by attacks to ensure security of this FTP server. The administrator wants to achieve the following functions through service orchestration:
- R&D employees can access the FTP server, but marketing employees cannot.
- Data flows generated when R&D employees access the FTP server must be processed by the firewall for security detection.
- If the firewall fails, R&D employees cannot access the FTP server.
Figure 1-2 Networking of company M
Data Plan
Table 1-1 IP address planning for users and resources

Users and Resources | IP Address
R&D employee A | 10.85.100.11
R&D employee B | 10.85.100.12
R&D employee C | 10.85.100.13
R&D employee D | 10.85.100.14
R&D employee E | 10.85.100.15
FTP server | 10.85.10.2
Controller | 10.85.10.3
SwitchA | 10.85.10.5
NGFW | 10.85.10.6
Table 1-2 Service flow planning

No. | Protocol | Source IP/Mask Length | Source Port | Destination IP/Mask Length | Destination Port
1 | TCP | 10.85.100.11/32 | 22 | 10.85.10.2/32 | 21
2 | TCP | 10.85.100.12/32 | 22 | 10.85.10.2/32 | 21
3 | TCP | 10.85.100.13/32 | 22 | 10.85.10.2/32 | 21
4 | TCP | 10.85.100.14/32 | 22 | 10.85.10.2/32 | 21
5 | TCP | 10.85.100.15/32 | 22 | 10.85.10.2/32 | 21
Note the source port: an FTP client connects from an ephemeral port, so a rule that also requires source port 22 matches only flows whose client-side port happens to be 22. In a production plan, leave the source port unspecified and match on protocol, source host, and destination port 21.
Table 1-3 Device parameter planning

Switch
- Interface directly connected to the firewall: GigabitEthernet 1/0/1, VLAN 100, IP address 10.85.10.5/24
- LoopBack 100: IP address 10.7.2.1/32
- LoopBack 101: IP address 10.7.2.2/32
- Extensible Messaging and Presence Protocol (XMPP) connection password: Admin@123
Firewall
- Interface directly connected to the switch: GigabitEthernet 1/0/1, security zone trust, IP address 10.85.10.6/24
- LoopBack 100: IP address 10.6.2.1/32
- LoopBack 101: IP address 10.6.2.2/32
- XMPP connection password: Admin@123
- RADIUS shared key: Radius@123
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic parameters on the switch and firewall.
- Configure XMPP parameters so that the switch and firewall can be added on the Controller.
- Configure IP addresses and static routes for interfaces so that network devices can communicate with each other.
Ensure that loopback interface numbers of the switch and firewall are larger than those of other devices. In this example, loopback interfaces 100 and 101 are used.
2. Add the switch and firewall to the Controller using XMPP.
3. Configure service flows on the Controller and allow only R&D employees to access the FTP server using ACL rules.
4. Configure an IP address pool and service chain resources on the Controller to establish a GRE tunnel between the switch and firewall.
The IP address pool cannot contain IP addresses that are being used on the network.
5. Orchestrate and deploy a service chain on the Controller to redirect FTP server access traffic so that the traffic first passes through the firewall and then is forwarded to the FTP server.
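The roadmap carries two constraints that are easy to get wrong on paper: the IP address pool must not overlap anything already on the network, and the flows in Table 1-2 must actually describe the traffic they are meant to steer. The following script is an added example, not Huawei code or part of the original page; it takes the addresses from Tables 1-1 to 1-3 as planned and lints them before anything is delivered. The function names and check logic are this editor's own, and the FTP observations rest on general protocol behaviour (ephemeral client ports, separate control and data connections), not on anything the page states.

```python
"""Pre-deployment checks for the service chain data plan.

Added example for this page, not Huawei code. Addresses come from
Tables 1-1 to 1-3; function names and check logic are this editor's own.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Every address the plan already uses (Table 1-1 plus both devices' loopbacks).
IN_USE: Dict[str, str] = {
    "R&D employee A": "10.85.100.11",
    "R&D employee B": "10.85.100.12",
    "R&D employee C": "10.85.100.13",
    "R&D employee D": "10.85.100.14",
    "R&D employee E": "10.85.100.15",
    "FTP server": "10.85.10.2",
    "Controller": "10.85.10.3",
    "SwitchA Vlanif100": "10.85.10.5",
    "NGFW GE1/0/1": "10.85.10.6",
    "SwitchA LoopBack100": "10.7.2.1",
    "SwitchA LoopBack101": "10.7.2.2",
    "NGFW LoopBack100": "10.6.2.1",
    "NGFW LoopBack101": "10.6.2.2",
}


class Flow(NamedTuple):
    """One row of Table 1-2; None means the field is not matched."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# Table 1-2 as planned: five R&D hosts to the FTP control port, source port pinned to 22.
FLOWS: List[Flow] = [Flow("tcp", f"10.85.100.{h}/32", 22, "10.85.10.2/32", 21)
                     for h in range(11, 16)]


def pool_conflicts(pool_cidr: str, in_use: Dict[str, str] = IN_USE) -> List[str]:
    """Names of planned hosts whose address falls inside the tunnel address pool.

    The Controller hands GRE tunnel endpoints out of this pool, so any overlap
    with an address already on the network violates the roadmap's constraint.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return sorted(name for name, ip in in_use.items()
                  if ipaddress.ip_address(ip) in pool)


def lint_flow(flow: Flow) -> List[str]:
    """Flag match conditions that cannot describe the traffic they are meant to catch."""
    findings = []
    # An FTP client connects from an ephemeral port; pinning the *source* port
    # to a well-known port means the rule never matches real client traffic.
    if flow.sport is not None and flow.sport < 1024:
        findings.append(f"{flow.src}->{flow.dst}: source port pinned to {flow.sport}; "
                        "clients use ephemeral source ports, leave it unset")
    # Destination port 21 is only the FTP control channel; data connections
    # (server port 20 in active mode, an ephemeral server port in passive mode)
    # do not match this rule and are therefore not steered to the firewall.
    if flow.proto == "tcp" and flow.dport == 21:
        findings.append(f"{flow.src}->{flow.dst}: rule covers the FTP control channel "
                        "only; data connections need their own flow")
    return findings


def lint_plan(pool_cidr: str = "10.10.192.0/24", flows: List[Flow] = FLOWS) -> List[str]:
    """Run every check and return the combined list of findings (empty means clean)."""
    findings = [f"pool {pool_cidr} overlaps planned address of {name}"
                for name in pool_conflicts(pool_cidr)]
    for flow in flows:
        findings.extend(lint_flow(flow))
    return findings


if __name__ == "__main__":
    for line in lint_plan():
        print(line)
```

With the page's own plan, `pool_conflicts` comes back empty (10.10.192.0/24 touches nothing in Tables 1-1 and 1-3), while `lint_flow` reports both FTP findings for every row of Table 1-2.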
Procedure
Step 1 Configure basic parameters on the switch, including IP addresses of interfaces, static routes, and XMPP connection parameters.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.85.10.5 24
[SwitchA-Vlanif100] quit
[SwitchA] interface LoopBack 100
[SwitchA-LoopBack100] ip address 10.7.2.1 255.255.255.255
[SwitchA-LoopBack100] quit
[SwitchA] interface LoopBack 101
[SwitchA-LoopBack101] ip address 10.7.2.2 255.255.255.255
[SwitchA-LoopBack101] quit
[SwitchA] ip route-static 10.6.2.1 255.255.255.255 10.85.10.6
[SwitchA] ip route-static 10.6.2.2 255.255.255.255 10.85.10.6
[SwitchA] group-policy controller 10.85.10.3 password Admin@123 src-ip 10.85.10.5
Step 2 Configure basic parameters on the firewall, including IP addresses of interfaces, static routes, and XMPP connection parameters.
1. Configure IP addresses for interfaces and security zones to complete the configuration of basic network parameters.
   a. Choose Network > Interface List.
   b. Click the edit icon of GE1/0/1 and configure the following parameters.
      Security Zone | trust
      IPv4 | IP address 10.85.10.6/24
2. Configure the RADIUS server.
   a. Choose Object > Authentication Server > RADIUS. Click Add and configure parameters.
      The configured parameters must be the same as those of the RADIUS server. The shared key is Radius@123.
   b. Click OK.
3. Enable the agile network function of the firewall.
   a. Choose System > Agile Network Configuration.
   b. Select Enable following Agile Network Function.
   c. Configure the parameters for the connection with the Controller. When the status following Controller Active Server IP Address displays Connected, the firewall has connected to the Controller.
      In a service orchestration scenario, the firewall must have its content security detection function configured by hand, so select Manually configured for Security Policy Configuration.
4. Configure two loopback interfaces on the firewall.
   You need to log in to the CLI console to complete this configuration.
   a. Click the CLI console icon in the lower-right part of the page.
   b. Click the connect icon in the CLI Console (Disconnected) dialog box to connect to the CLI console.
   c. After the connection is successful, run the following commands.
<sysname> system-view
[sysname] sysname NGFW
[NGFW] interface LoopBack 100
[NGFW-LoopBack100] ip address 10.6.2.1 255.255.255.255
[NGFW-LoopBack100] quit
[NGFW] interface LoopBack 101
[NGFW-LoopBack101] ip address 10.6.2.2 255.255.255.255
[NGFW-LoopBack101] quit
[NGFW] ip route-static 10.7.2.1 255.255.255.255 10.85.10.5
[NGFW] ip route-static 10.7.2.2 255.255.255.255 10.85.10.5
Step 3 Add the switch and firewall on the Controller.
1. Choose Resource > Device > Device Management from the main menu.
2. Click Add.
3. Configure parameters for the device to be added.
Figure 1-3 and Figure 1-4 show how to configure parameters for the switch and firewall to be added.
Set Password to the configured communication password Admin@123.
Figure 1-3 Parameter settings on the switch
Figure 1-4 Parameter settings on the firewall to be added
Step 4 Configure service flows.
1. Choose Policy > Service Chain Orchestration > Service Flow Defining from the main menu.
2. Click Add.
3. Set service flow parameters.
Set service flow parameters as shown in Figure 1-5: the service flow is named User_to_Datacenter and contains the five flows listed in Table 1-2.
Figure 1-5 Service flow parameter settings
Step 5 Configure an IP address pool.
1. Choose Policy > Service Chain Orchestration > IP Address Pool from the main menu.
2. Click Add.
3. Set the name to 10.10.192.0, IP address to 10.10.192.0, and mask length to 24.
Figure 1-6 IP address pool parameter settings
4. Click OK.
Step 6 Configure service chain resources.
1. Choose Policy > Service Chain Orchestration > Service Chain Resource from the main menu.
2. Click Add.
3. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
4. Select NGFW in the left Service Device area and drag NGFW to the right Firewall node.
5. Select 10.10.192.0 in the left IP Address Pool area.
Figure 1-7 Service chain resource parameter settings
6. Click Save. In the dialog box that is displayed, click OK.
Step 7 Orchestrate and deploy a service chain.
1. Choose Policy > Service Chain Orchestration > Service Chain Orchestration from the main menu.
2. Click Add.
3. Select User_to_Datacenter in the left Service Flow area and drag User_to_Datacenter to the right Service Flow node.
4. Select SwitchA in the left Orchestration Device area and drag SwitchA to the right Orchestration Device node.
5. Drag NGFW to the upper firewall node.
6. Select Block in the left Chain Exception Handling Mode area.
Figure 1-8 Service orchestration parameter settings
7. Click Save. In the dialog box that is displayed, click OK.
Step 8 Verify the configuration.
# Check whether the tunnel between the switch and firewall is established on the Controller.
Figure 1-9 shows tunnel information after service chain resources are delivered.
Figure 1-9 Tunnel deployment results
# Run the display acl all command on the switch. The command output shows that the service flow rules have been delivered successfully.
[SwitchA] display acl all
Total nonempty ACL number is 1
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
# Run the display current-configuration | include traffic-redirect command on the switch. The command output shows that the service orchestration configurations are delivered successfully.
[SwitchA] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name S_ACL_20140401153202_B3E0 3998 interface Tunnel16370
[SwitchA] interface Tunnel 16370
[SwitchA-Tunnel16370] display this
#
interface Tunnel16370
description Controller_S_from_10.6.2.1
ip address 10.10.192.5 255.255.255.0
tunnel-protocol gre
keepalive period 1
source 10.7.2.1
destination 10.6.2.1
traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
#
return
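Eyeballing the three outputs above is error-prone once the flow table grows past a handful of hosts. The script below is an added example, not Huawei code or part of the original page; it parses constructed copies of the Step 8 output (the page's own text with the wrapped ACL lines rejoined) and checks what a reviewer would otherwise verify by hand: that the redirect references the delivered ACL and the right tunnel, that the tunnel is GRE between the planned loopbacks and carries the return-path traffic-filter, that every Table 1-2 flow has an exact-host permit rule, and that nothing outside the plan (a marketing host, say) is permitted. The parsers, check logic and function names are this editor's own.

```python
"""Check the configuration the Controller delivered to SwitchA against the plan.

Added example for this page, not Huawei code. The samples below are
constructed copies of the Step 8 output (wrapped lines rejoined); parsers,
check logic and function names are this editor's own.
"""
import re
from typing import Dict, List, Tuple

ACL_OUTPUT = """\
Total nonempty ACL number is 1
Advanced ACL S_ACL_20140401153202_B3E0 3998, 5 rules
Acl's step is 5
rule 5 permit tcp source 10.85.100.11 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 10 permit tcp source 10.85.100.12 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 15 permit tcp source 10.85.100.13 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 20 permit tcp source 10.85.100.14 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
rule 25 permit tcp source 10.85.100.15 0 source-port eq 22 destination 10.85.10.2 0 destination-port eq 21 (match-counter 0)
"""
REDIRECT_OUTPUT = ("traffic-redirect inbound acl name S_ACL_20140401153202_B3E0 3998 "
                   "interface Tunnel16370")
TUNNEL_OUTPUT = """\
#
interface Tunnel16370
 description Controller_S_from_10.6.2.1
 ip address 10.10.192.5 255.255.255.0
 tunnel-protocol gre
 keepalive period 1
 source 10.7.2.1
 destination 10.6.2.1
 traffic-filter inbound acl name S_ACL_20140401153202_B3E0 3998
#
return
"""

# Plan: (source host, destination host, destination port) per Table 1-2, and the
# Table 1-3 loopbacks that must terminate the GRE tunnel.
PLANNED: List[Tuple[str, str, int]] = [(f"10.85.100.{h}", "10.85.10.2", 21)
                                       for h in range(11, 16)]
SWITCH_LOOPBACK, FIREWALL_LOOPBACK = "10.7.2.1", "10.6.2.1"

HEADER_RE = re.compile(r"^Advanced ACL (\S+) \d+, (\d+) rules?", re.M)
RULE_RE = re.compile(
    r"^rule (\d+) (permit|deny) (\w+) source (\S+) (\S+)"
    r"(?: source-port eq (\d+))? destination (\S+) (\S+)"
    r"(?: destination-port eq (\d+))?", re.M)
REDIRECT_RE = re.compile(r"traffic-redirect inbound acl name (\S+) \d+ interface (\S+)")
FIELDS = ("id", "action", "proto", "src", "smask", "sport", "dst", "dmask", "dport")


def parse_acl(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (ACL name, rules) from 'display acl all' output."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no advanced ACL in output")
    rules = [dict(zip(FIELDS, m.groups())) for m in RULE_RE.finditer(text)]
    if len(rules) != int(header.group(2)):
        raise ValueError("header rule count does not match parsed rules")
    return header.group(1), rules


def parse_tunnel(text: str) -> Dict[str, str]:
    """Pull the settings that matter out of the tunnel interface 'display this' block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            settings["interface"] = line.split()[1]
        elif line.startswith("tunnel-protocol "):
            settings["protocol"] = line.split()[1]
        elif line.startswith(("source ", "destination ")):
            key, value = line.split()
            settings[key] = value
        elif line.startswith("traffic-filter inbound acl name "):
            settings["filter_acl"] = line.split()[4]
    return settings


def verify(acl_text: str = ACL_OUTPUT, redirect_text: str = REDIRECT_OUTPUT,
           tunnel_text: str = TUNNEL_OUTPUT,
           planned: List[Tuple[str, str, int]] = PLANNED) -> List[str]:
    """Return discrepancies between the plan and the delivered config (empty means OK)."""
    problems: List[str] = []
    acl_name, rules = parse_acl(acl_text)
    tunnel = parse_tunnel(tunnel_text)
    redirect = REDIRECT_RE.search(redirect_text)
    if redirect is None:
        return ["no traffic-redirect delivered: FTP traffic is not steered to the firewall"]
    if redirect.group(1) != acl_name:
        problems.append(f"redirect uses ACL {redirect.group(1)} but the switch holds {acl_name}")
    if redirect.group(2) != tunnel.get("interface"):
        problems.append(f"redirect targets {redirect.group(2)}, tunnel block is {tunnel.get('interface')}")
    if (tunnel.get("protocol"), tunnel.get("source"), tunnel.get("destination")) != \
            ("gre", SWITCH_LOOPBACK, FIREWALL_LOOPBACK):
        problems.append(f"tunnel is not GRE between the planned loopbacks: {tunnel}")
    if tunnel.get("filter_acl") != acl_name:
        problems.append("traffic-filter on the tunnel does not reference the flow ACL")
    # Wildcard mask 0 is an exact host match; only such permits count as planned flows.
    permitted = {(r["src"], r["dst"], int(r["dport"] or 0)) for r in rules
                 if r["action"] == "permit" and r["smask"] == "0" and r["dmask"] == "0"}
    problems += [f"planned flow {f} has no permit rule" for f in planned if f not in permitted]
    # Anything permitted beyond the plan (a marketing host, say) is a policy leak.
    problems += [f"unplanned permit rule for {f}" for f in sorted(permitted - set(planned))]
    return problems


if __name__ == "__main__":
    print(verify() or ["delivered configuration matches the plan"])
```

Run against the page's own output, `verify()` returns an empty list. Feed it a `display acl all` capture with an extra permit for a host outside Table 1-2, or a tunnel block whose destination is not the firewall loopback, and the corresponding discrepancy is reported instead of silently passing.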
----End
Configuration Files
- Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
group-policy controller 10.85.10.3 password %#%#FG9.7h,|j$2'c2$LRG%N#lBU;3_^;AVo,7)"f%^M%#%# src-ip 10.85.10.5
#
interface Vlanif100
ip address 10.85.10.5 255.255.255.0
#
interface LoopBack100
ip address 10.7.2.1 255.255.255.255
#
interface LoopBack101
ip address 10.7.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return