[All About Switches] Example for Configuring an Agile Campus Network Highlighted

Latest reply: Aug 23, 2016 19:50:55

 

1.1 Solution Overview

Campus networks develop quickly and carry increasingly diversified services. As smart mobile terminals become common on campuses, users need to access the campus network while moving, and wireless data traffic grows rapidly. Cloud computing requires real-time service monitoring and service virtualization. Campus networks also need to carry high definition (HD) video services and social networking services (SNSs). These service requirements challenge current network deployments. To meet them, Huawei applies the agility concept to campus networks, based on the software-defined networking (SDN) architecture. Huawei agile campus network solutions help build high-performance core networks and highly efficient wireless access networks, and make networks more agile for services.

On agile networks, flexible and fast agile switches replace traditional switches. For example, administrators can configure, manage, and maintain devices flexibly and quickly. They do not need to modify configurations on devices one by one to change a service, or spend a long time locating a network fault. Users can access an agile network flexibly and quickly, and get the same network experience at any location using any access mode.

An agile campus network for a university is taken as an example in the following sections to describe how agile networks improve the network services for campus users.

1.2 Networking Requirements

Figure 1-1 shows the original network in the university's main campus. Core switches manage wired users, and independent ACs manage wireless users.

- Users in different areas of the main campus can access the campus network and connect to the Internet through the campus network. Wired users use 802.1x authentication and wireless users use Web authentication to access the network.

The following figure shows only the network deployment for teaching and office areas. The network deployment for other areas is similar and is not shown in the figure.

- The network provides the Voice over Internet Protocol (VoIP), network printer, and multimedia services.

- Users in branch campuses can access the main campus network through the Intranet.

- Users outside the campuses can access the main campus network through the Internet.

Figure 1-1 Campus networking diagram for the main campus (with no agile network deployed)


The service deployment on the current campus network faces the following problems:

- As the population of the university grows, a large number of wireless users demand wireless services. The wired and wireless networks are deployed separately and are difficult to manage. The university requires wired and wireless convergence to simplify network management and improve network operation and maintenance (O&M) efficiency.

- As network services on the campus grow and users need to access the network while moving, network information security becomes more important. The university wants access users classified by role so that service policies and network experience stay consistent wherever users go.

- The university has a large number of network devices and needs to adjust network services frequently. To change a service, network administrators must modify configurations or upgrade versions on devices one by one, which is a heavy and tedious workload. The university wants centralized configuration, management, and maintenance of network access devices.

- When a network fault occurs, network administrators cannot detect or troubleshoot it quickly, which affects user experience. The university needs a real-time network quality monitoring mechanism to reduce the impact of network faults.

The university intends to deploy an agile network to simplify network deployment and configuration, improve user experience, and improve O&M efficiency.

1.3 Service Planning

1.3.1 Network Planning

Figure 1-2 shows the agile campus networking. Two S12708 agile switches are deployed to set up a cluster switch system (CSS) at the core layer. The S5700LI switches at the aggregation and access layers are enabled with only Layer 2 forwarding (the S7700 core switches in the original networking are used at the aggregation layer). Some APs are deployed in the campus as needed. The S5700LI switches are deployed at the access layer to connect to and manage wired users and APs, providing wired and wireless coverage for the campus.

Figure 1-2 Agile campus networking diagram


The requirements for NEs shown in Figure 1-2 are as follows:

- Core switch

Agile switches are used at the core layer. If modular switches are used as agile switches, X1E cards need to be installed on the switches to implement wired and wireless convergence.

- Aggregation and access switches

To support the agile feature Super Virtual Fabric (SVF), see "SVF hardware and software requirements" in the corresponding product documentation.

- Agile Controller

The Agile Controller integrates functions of the RADIUS server, Portal server, and free mobility controller, facilitating service adjustment. When a user connects to the network from different locations, the free mobility controller uniformly delivers network access rights to ensure that the user can have the same network access rights at different locations.

- eSight network management system (NMS)

eSight provides a graphical user interface (GUI) to help manage network devices, perform configurations, and facilitate convenient and visual management.

1.3.2 Feature Planning

After the S12708 agile switches are deployed on the campus network, the following agile features can be applied to solve the service deployment problems described in 1.2 Networking Requirements, and to let the network adapt quickly and flexibly to service requirements.

- Wired and wireless convergence: Wired and wireless networks are uniformly managed and maintained.

Agile switches at the core layer provide native wireless access controller (AC) capabilities on their line cards, so no independent AC devices or AC cards (such as the ACU2) are required. Administrators do not need to configure and deploy user access services separately on the wired and wireless networks, and can manage the wired and wireless networks as if they were one device. The high switching capacity and scalability of agile switches eliminate the bottleneck in centralized traffic forwarding that exists when independent ACs or AC cards are used.

- Free mobility: Service control policies migrate with users, delivering a consistent experience.

For example, in 1.2 Networking Requirements, teacher Lee connects to the campus network from the office area, teaching area, library, and residential community every day. He may be granted different access rights on a traditional network. For example, he can access the essay database only in the office area, teaching area, and library, but not in public areas in the campus.

The free mobility solution enables users to have the same network access rights at different locations. Network access policies are configured centrally on the Agile Controller and delivered to all associated access devices. In this way, users can obtain the same network access policies and enjoy consistent network access experience at any locations and using any IP addresses.

Table 1-1 lists the access policies that are configured on the Agile Controller and delivered to three user groups: guest, student, and teacher.

Table 1-1 Free mobility policy configuration

| User (Source Security Group) | Resource (Destination Security Group) | Access Control Policy |
|---|---|---|
| Guest | Public resources (IP address: 10.10.1.1/32) | Permit |
| Guest | Education management system (IP address: 10.10.2.1/32) | Forbid |
| Guest | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Forbid |
| Student | Public resources (IP address: 10.10.1.1/32) | Permit |
| Student | Education management system (IP address: 10.10.2.1/32) | Forbid |
| Student | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Permit |
| Teacher | Public resources (IP address: 10.10.1.1/32) | Permit |
| Teacher | Education management system (IP address: 10.10.2.1/32) | Permit |
| Teacher | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32) | Permit |

 

After the preceding policies are configured, users have the same network access rights and network experience after passing authentication.

- Super Virtual Fabric (SVF): Agile switches deliver configurations to devices at the aggregation and access layers.

The SVF solution virtualizes core, aggregation, and access switches on a network into one switch. The core switch manages the aggregation and access switches, and uses configuration templates to complete batch configuration of aggregation and access switches. In this way, administrators do not need to configure switches one by one.

Table 1-2 describes the roles in an SVF system. The agile switch functions as a parent to manage all access switches (ASs) and APs. In the SVF system, wired and wireless users are all managed on the parent.

Table 1-2 SVF deployment

| Role | Device |
|---|---|
| Parent | Two S12708 switches in a CSS |
| Client: level-1 AS | Switches directly connected to the parent, providing wired connections to access switches or terminals |
| Client: level-2 AS | Switches directly connected to level-1 ASs, providing wired connections to terminals |
| Client: wireless access device | APs on a WLAN, providing wireless connections to terminals |

If APs are deployed in an SVF system, the parent functions as a wireless access controller (AC) to control and manage all APs.

 

Services on ASs are configured on the parent, and the key states of ASs and APs are maintained on the parent. Administrators can complete service configurations for aggregation and access switches by simply connecting unconfigured aggregation and access switches to the parent. The aggregation and access layers realize zero-touch configuration, automatic upgrade, and plug-and-play deployment, simplifying network configuration, management, and maintenance.


An SVF system supports at most two levels of ASs and one level of APs. When eSight is deployed to manage the SVF system, SVF can better simplify device management.

- Packet Conservation Algorithm for Internet (iPCA): iPCA allows an agile network to be aware of the service quality and to locate network failures.

An agile switch with iPCA configured can monitor packet loss in real time. Table 1-3 lists the packet loss measurement modes. If a link fails, an iPCA-capable switch quickly detects the fault and immediately sends an alarm to administrators. iPCA makes the network aware of service quality, reducing the impact of network failures. eSight can display packet loss measurement results on a GUI, so administrators can easily monitor network quality.

Table 1-3 iPCA deployment

| Packet Loss Measurement Mode | Deployment Scenario |
|---|---|
| Network-level packet loss measurement | Monitor packet loss on the links between the main campus and branch campuses. iPCA needs to be configured on local and remote core switches. |
| Device-level packet loss measurement | Monitor packet loss on core switches. iPCA only needs to be configured on local core switches. |
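The packet conservation idea behind iPCA can be modelled in a few lines. The following Python script is an added example and a simplified model, not Huawei's implementation or code from this post: the ingress measurement point stamps each packet with a colour bit that alternates every measurement period, the egress point counts packets per colour run without needing the ingress clock, and the per-period difference is the loss; a period whose loss ratio reaches a threshold raises the alarm the text describes. It assumes in-order delivery on the measured segment and a one-second period; the traffic and drops are constructed.

```python
from typing import Dict, List, Set, Tuple

PERIOD_MS = 1000  # assumption: one measurement period per second


def stamp_at_ingress(send_times_ms: List[int]) -> List[Tuple[int, int]]:
    """Ingress measurement point: tag packet i with the colour of its period.

    Returns (packet_id, colour) in sending order. The colour bit flips every period,
    so adjacent periods are never counted together even when a period boundary
    is observed late downstream.
    """
    return [(i, (t // PERIOD_MS) % 2) for i, t in enumerate(send_times_ms)]


def ingress_counts(send_times_ms: List[int]) -> List[int]:
    """Packets sent per period, indexed from the first period seen."""
    first = send_times_ms[0] // PERIOD_MS
    counts: List[int] = []
    for t in send_times_ms:
        idx = t // PERIOD_MS - first
        while len(counts) <= idx:
            counts.append(0)
        counts[idx] += 1
    return counts


def egress_counts(received: List[Tuple[int, int]]) -> List[int]:
    """Egress measurement point: count packets per colour run using only the colour bit.

    A change of colour in the in-order stream marks a period boundary. If every packet
    of a period were lost, the neighbouring runs of the other colour would merge; the
    reconciliation still reports the loss, but attributes it to a shifted period.
    That is a known limit of this simplified model.
    """
    counts: List[int] = []
    current = None
    for _, colour in received:
        if colour != current:
            counts.append(0)
            current = colour
        counts[-1] += 1
    return counts


def transmit(stamped: List[Tuple[int, int]], dropped: Set[int]) -> List[Tuple[int, int]]:
    """Constructed link model: in-order delivery, packets whose id is in `dropped` are lost."""
    return [p for p in stamped if p[0] not in dropped]


def reconcile(sent: List[int], got: List[int], alarm_pct: float) -> List[Dict[str, float]]:
    """Per-period loss = sent - received; alarm when the loss ratio reaches alarm_pct."""
    report = []
    for i, s in enumerate(sent):
        r = got[i] if i < len(got) else 0
        lost = s - r
        pct = 100.0 * lost / s if s else 0.0
        report.append({"period": i, "sent": s, "received": r, "lost": lost,
                       "loss_pct": round(pct, 1), "alarm": pct >= alarm_pct})
    return report


def measure(send_times_ms: List[int], dropped: Set[int], alarm_pct: float = 10.0):
    """Whole exchange: stamp at ingress, transmit, count at both ends, reconcile."""
    stamped = stamp_at_ingress(send_times_ms)
    received = transmit(stamped, dropped)
    return reconcile(ingress_counts(send_times_ms), egress_counts(received), alarm_pct)


# Constructed traffic: five packets in each of three consecutive one-second periods.
SAMPLE_TIMES = [0, 200, 400, 600, 800,
                1000, 1200, 1400, 1600, 1800,
                2000, 2200, 2400, 2600, 2800]

if __name__ == "__main__":
    # Two packets of the second period are lost on the segment.
    for row in measure(SAMPLE_TIMES, dropped={6, 8}):
        print(row)
```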

 

Table 1-4 lists the minimum versions supporting agile features and precautions for configuring these features.

Table 1-4 Applicable versions and precautions

| Agile Feature | Minimum Version | Precaution |
|---|---|---|
| SVF | V200R007 (V200R007C20 is not included) | A license is required to enable the SVF function on a parent. When enabling the SVF function, ensure that the current and next startup network admission control (NAC) configuration modes are the unified mode. NOTE: The S12700 series switches can only set up SVF systems with the Sx700 series switches, and cannot set up SVF systems with the Sx300 series switches. |
| Free mobility | V200R006 | The Agile Controller needs to be deployed to enable the free mobility function. Free mobility is supported only in the unified NAC mode. |
| iPCA | V200R006 | If modular switches are used, X1E cards need to be installed. |
| Wired and wireless convergence | V200R005 (V200R007C20 is not included) | If modular switches are used, X1E cards need to be installed. For details about the applicable AP models and versions, see the product documents. |

 

1.3.3 Data Planning

Basic Agile Campus Networking

This section uses a simplified version of the preceding agile campus networking to describe the deployment of agile features. Figure 1-3 shows the networking for teaching area 1 and the library.

Figure 1-3 Basic agile campus networking diagram


Table 1-5 and Table 1-6 describe the data planning based on the preceding networking diagram.

Table 1-5 Device data planning

| Role | Device | Data |
|---|---|---|
| Parent | Two S12708 switches in a CSS | / |
| Level-1 AS | Aggregation switches in teaching area 1 | AS_1: S5700-52X-PWR-LI-AC; MAC address: 0200-0000-0011; IP address: 192.168.11.254/24 |
| Level-1 AS | Access switches in the library | AS_2: S5700-52X-PWR-LI-AC; MAC address: 0200-0000-0022; IP address: 192.168.11.253/24 |
| Level-2 AS | Access devices in teaching area 1 | AS_3: S5700-28X-PWR-LI-AC; MAC address: 0200-0000-0033; IP address: 192.168.11.252/24 |
| AP | Wireless access devices in teaching area 1 | AP_1: AP5010DN-AGN; MAC address: AC85-3DA6-A420 |
| AP | Wireless access devices in the library | AP_2: AP5010DN-AGN; MAC address: AC85-3DA6-F240 |
| Free mobility controller | Agile Controller. NOTE: The Agile Controller integrates the functions of the RADIUS server and Portal server. On the Agile Controller, the fixed RADIUS authentication port number is 1812, and the fixed Portal server port number is 50200. | IP address: 192.168.2.31; Interconnection key: Huawei@123 |
| RADIUS server | Integrated in the Agile Controller | IP address: 192.168.2.31; Interconnection key: Huawei@123; Authentication port number: 1812 |
| Portal server | Integrated in the Agile Controller | IP address: 192.168.2.31; Interconnection key: Huawei@123; Port number: 50200 |
| Public resource server | File server 1 | IP address: 10.10.1.1/32 |
| Education management system server | File server 2 | IP address: 10.10.2.1/32 |
| FTP resource server | File server 3 | IP address: 10.10.3.1/32 |
| Core switches on branch campus networks | S9706 | / |

 

Table 1-6 VLAN data planning

| Data | Description |
|---|---|
| ID: 11; IP address: 192.168.11.1/24 | SVF management VLAN on which the parent sets up Control and Provisioning of Wireless Access Points (CAPWAP) tunnels with ASs and APs. Service VLAN accessed by AP_1 in teaching area 1 and AP_2 in the library. VLAN on which the parent communicates with the Agile Controller. |
| ID: 101 | Service set VLAN |
| ID: 100; IP address: 192.168.100.1/24 | VLAN that wired users in teaching area 1 belong to: service VLAN accessed by wired users in teaching area 1, such as the VLAN that PC_1 belongs to. |
| ID: 200; IP address: 192.168.200.1/24 | VLAN that wired users in the library belong to: service VLAN accessed by wired users in the library, such as the VLAN that PC_2 belongs to. |
| ID: 202; IP address: 192.168.202.1/24 | VLAN that mobile terminals in teaching area 1 belong to: service VLAN accessed by STAs in teaching area 1, such as the VLAN that STA_1 belongs to. |
| ID: 204; IP address: 192.168.204.1/24 | VLAN that mobile terminals in the library belong to: service VLAN accessed by STAs in the library, such as the VLAN that STA_2 belongs to. |

 

All_About_Switch (Official), created Oct 8, 2015 07:33:38

1.4 Configuration Procedure

This section only describes how to configure agile features, and does not describe other basic configurations, such as routing connectivity.

SVF Configuration Procedure

Configure ASs to connect to the parent.

1. Configure the two switches in the parent to set up a CSS. For details, see the product documents.

2. Log in to the CSS and enable the SVF function.

<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable  //Enable the DHCP server function to allow an AS to obtain an IP address from the parent.
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1  //Configure the parent to send the IP address to an AS so that the AS can set up a CAPWAP link with the specified IP address.
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11  //Set up a CAPWAP link between the parent and the AS.
[HUAWEI] authentication unified-mode  //Change the network admission control (NAC) configuration mode to the unified mode.
[HUAWEI] stp mode rstp  //Set the working mode to STP or RSTP when enabling the SVF function.
[HUAWEI] uni-mng  //Enable the SVF function and enter the uni-mng view.
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue?[Y/N]: y


When enabling the SVF function, ensure that the current and next startup NAC configuration modes are the unified mode.

You can run the display authentication mode command to check whether the current and next startup NAC configuration modes are the unified mode. If not, set the modes to the unified mode.

After the traditional and unified modes are switched, restart the device to make the configuration take effect. By default, the NAC configuration mode is unified mode.

3. Configure access parameters for ASs.

# Configure ASs' names, and specify the device models and management MAC addresses for the ASs.

[HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
[HUAWEI-um-as-as2] quit
[HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
[HUAWEI-um-as-as3] quit

# Configure the fabric ports that connect the parent to level-1 ASs (AS_1 and AS_2). The following example configures the fabric port that connects the parent to AS_1. The configuration of the fabric port that connects the parent to AS_2 is similar and is not mentioned here.

[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit

# Configure the fabric port that connects level-1 AS (AS_1) to level-2 AS (AS_3).

[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[HUAWEI-um-as-as1] quit
[HUAWEI-um] quit

# Configure ASs to be authenticated against a whitelist when they connect to the SVF system.

[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] quit
[HUAWEI] quit

4. Clear the configurations of the ASs, restart the ASs, and then connect the ASs to the parent using cables. The SVF system is then set up.


Before connecting an AS to the parent, ensure that the AS has no configuration file or input on the console port.

# Clear the configurations of ASs and restart the ASs. (This process takes 5 minutes. During the process, ensure that the AS has no input on the console port. If the ASs are unconfigured, you can directly connect the ASs to the parent with no need to restart the ASs.)

<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y

# After connecting the cables, run the display as all command to check whether all ASs have connected to the SVF system successfully.

<HUAWEI> display as all
------------------------------------------------------------------------------
No.   Type       Mac            IP              State            Name
------------------------------------------------------------------------------
0     S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254  normal          as1
1     S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253  normal          as2
2     S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252  normal          as3
------------------------------------------------------------------------------
Total: 3
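After the cables are connected, the display as all output can be checked against the planned inventory instead of read by eye. The following Python script is an added example, not code from the original post: it parses the output above (embedded as the baseline sample) and a second, constructed sample with drift, and reports ASs that are missing, not in the as-auth MAC whitelist, of an unexpected model, or not in the normal state. The planned names, models and MAC addresses are those of Table 1-5.

```python
import re
from typing import Dict, List

# Planned ASs from Table 1-5; the same MAC addresses are in the as-auth whitelist above.
PLANNED_AS: Dict[str, Dict[str, str]] = {
    "0200-0000-0011": {"name": "as1", "model": "S5700-52X-PWR-LI-AC"},
    "0200-0000-0022": {"name": "as2", "model": "S5700-52X-PWR-LI-AC"},
    "0200-0000-0033": {"name": "as3", "model": "S5700-28X-PWR-LI-AC"},
}

# One data row of display as all: No. Type Mac IP State Name, whitespace separated.
AS_ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ip>\S+)\s+(?P<state>\S+)\s+(?P<name>\S+)\s*$",
    re.IGNORECASE,
)

# Output copied from the page, used as the baseline sample.
DISPLAY_AS_OK = """\
<HUAWEI> display as all
------------------------------------------------------------------------------
No.   Type       Mac            IP              State            Name
------------------------------------------------------------------------------
0     S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254  normal          as1
1     S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253  normal          as2
2     S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252  normal          as3
------------------------------------------------------------------------------
Total: 3
"""

# Constructed sample: as3 is absent, an unplanned switch whose MAC is not in the
# whitelist has appeared, and as2 is not (yet) in the normal state.
DISPLAY_AS_DRIFT = """\
------------------------------------------------------------------------------
No.   Type       Mac            IP              State            Name
------------------------------------------------------------------------------
0     S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254  normal          as1
1     S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253  config          as2
2     S5700-28X-PWR-LI-AC 0200-0000-0044 192.168.11.251  normal          as4
------------------------------------------------------------------------------
Total: 3
"""


def parse_display_as(output: str) -> List[Dict[str, str]]:
    """Extract the AS rows; prompt, header, separator and 'Total' lines do not match AS_ROW."""
    rows: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = AS_ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def audit_svf_members(rows: List[Dict[str, str]],
                      planned: Dict[str, Dict[str, str]]) -> List[str]:
    """Compare the live AS list with the plan; an empty list means no findings."""
    findings: List[str] = []
    seen = set()
    for r in rows:
        seen.add(r["mac"])
        plan = planned.get(r["mac"])
        if plan is None:
            findings.append(f"unplanned AS {r['name']} ({r['mac']}) is not in the whitelist")
            continue
        if r["type"] != plan["model"]:
            findings.append(f"{r['name']}: model {r['type']} differs from planned {plan['model']}")
        if r["state"] != "normal":
            findings.append(f"{r['name']}: state is {r['state']}, not normal")
    for mac, plan in planned.items():
        if mac not in seen:
            findings.append(f"planned AS {plan['name']} ({mac}) has not connected")
    return findings


if __name__ == "__main__":
    for label, sample in (("baseline", DISPLAY_AS_OK), ("drift", DISPLAY_AS_DRIFT)):
        print(label, audit_svf_members(parse_display_as(sample), PLANNED_AS) or ["ok"])
```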

Configure an AP to connect to an AS. The following example describes how to connect AP_1 to AS_3, and the procedure for connecting AP_2 to AS_2 is not mentioned here.

1. Create a network basic profile, and specify a pass-VLAN for mobile terminals connected to AP_1.

<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_ap
[HUAWEI-um-net-basic-profile_ap] pass-vlan 202
[HUAWEI-um-net-basic-profile_ap] quit

2. Add the port connecting AS_3 to AP_1 to an AP port group.

[HUAWEI-um] port-group connect-ap name group_ap
[HUAWEI-um-portgroup-group_ap] network-basic-profile profile_ap
[HUAWEI-um-portgroup-group_ap] as name as3 interface gigabitethernet 0/0/24
[HUAWEI-um-portgroup-group_ap] quit
[HUAWEI-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]:y
[HUAWEI-um] quit

3. Configure access parameters for AP_1.

# Configure the AP ID.

[HUAWEI] wlan
[HUAWEI-wlan-view] ap id 1 ap-type ap5010dn-agn mac ac85-3da6-a420
[HUAWEI-wlan-ap-1] quit

# Configure non-authentication for AP_1 to connect to an SVF system.

[HUAWEI-wlan-view] ap-auth-mode no-auth
[HUAWEI-wlan-view] quit

4. Power on AP_1 and connect AP_1 to AS_3 using cables.

# After connecting the cables, run the display ap all command to check whether AP_1 has connected to the SVF system successfully.

[HUAWEI] display ap all
All AP(s) information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP               AP              Profile   AP              AP
                                       /Region
ID    Type             MAC             ID        State           Sysname
------------------------------------------------------------------------------
1     AP5010DN-AGN     ac85-3da6-a420    0/0     normal         ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1

Configure a PC to connect to an AS. The following example describes how to connect PC_1 to AS_3, and the procedure for connecting PC_2 to AS_2 is not mentioned here.

1. Create a network basic profile and a user access profile.

[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] user-vlan 100
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] user-access-profile name pro1
[HUAWEI-um-user-access-pro1] authentication dot1x
[HUAWEI-um-user-access-pro1] quit

2. Create a port group, and bind the network basic profile and user access profile to the group.

[HUAWEI-um] port-group name group1
[HUAWEI-um-portgroup-group1] network-basic-profile profile_1
[HUAWEI-um-portgroup-group1] user-access-profile pro1
[HUAWEI-um-portgroup-group1] as name as3 interface GigabitEthernet 0/0/23
[HUAWEI-um-portgroup-group1] quit
[HUAWEI-um] commit as name as3
[HUAWEI-um] quit

3. Configure PC_1 to connect to AS_3.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme sch1
[HUAWEI-aaa-authen-sch1] authentication-mode none
[HUAWEI-aaa-authen-sch1] quit
[HUAWEI-aaa] domain pc
[HUAWEI-aaa-domain-pc] authentication-scheme sch1
[HUAWEI-aaa-domain-pc] quit
[HUAWEI-aaa] quit

4. Check whether the user has connected to the SVF system.

If the user is dynamically configured to connect to an SVF system, perform shutdown and undo shutdown operations to reconnect the wired user to the SVF system. Run the display access-user command to check whether the user has connected to the SVF system.

[HUAWEI] uni-mng
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] undo shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] quit
[HUAWEI-um] quit

Free Mobility Configuration Procedure

1. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure a RADIUS server template rd1.

[HUAWEI] radius-server template rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.2.31 1812
[HUAWEI-radius-rd1] radius-server shared-key cipher Huawei@123
[HUAWEI-radius-rd1] quit

# Create an AAA authentication scheme abc, and set the authentication mode to RADIUS.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme abc
[HUAWEI-aaa-authen-abc] authentication-mode radius
[HUAWEI-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme abc
[HUAWEI-aaa-domain-isp1] radius-server rd1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

# Configure a global default domain isp1. If a user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

[HUAWEI] domain isp1

2. Configure 802.1x authentication and web authentication.

# Create and configure a Portal server template abc.

[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-ip 192.168.2.31
[HUAWEI-web-auth-server-abc] url http://192.168.2.31:50200/webagent
[HUAWEI-web-auth-server-abc] shared-key cipher Huawei@123
[HUAWEI-web-auth-server-abc] quit

# Enable 802.1x authentication and web authentication on GE1/1/0/1.

[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] authentication dot1x portal
[HUAWEI-GigabitEthernet1/1/0/1] web-auth-server abc direct  //Bind the Portal server template to GE1/1/0/1.
[HUAWEI-GigabitEthernet1/1/0/1] quit

# Enable the free mobility function, and configure an IP address for the Agile Controller server and a password used for communicating with the Agile Controller.

[HUAWEI] group-policy controller 192.168.2.31 password Huawei@123

3. Perform the following configurations on the Agile Controller.

The Agile Controller is configured through its GUI, and the screens are not reproduced here; for details, see the Agile Controller product documents. The following describes the configuration roadmap.

a. Create user accounts in source security groups. For example, you can configure user names, passwords, and departments for common guests, undergraduates, postgraduates, and teachers.

b. Configure RADIUS, Portal, and XMPP parameters, and add the core switch to ensure that the S series switches can communicate with the Agile Controller.

c. Configure source security groups and destination security groups to represent users and resources respectively. For example, the IP address of the public resource server is 10.10.1.1/32.

d. Use fast authorization to authorize a source security group to the corresponding department. Users are mapped to the source security group after being authenticated.

e. Configure access control policies and specify whether users in a source security group are permitted to access a destination security group. Deploy the access control policies on all devices on the network. For example, common guests can only access the public resources, and cannot access the education management system or internal FTP resources.

Table 1-7 Security groups and access control policies configured on the Agile Controller

| Source Security Group (User) | Destination Security Group (Resource) | Access Control Policy |
|---|---|---|
| Common guest | Public resources (bound IP address: 10.10.1.1/32) | Permit |
| Common guest | Education management system (bound IP address: 10.10.2.1/32) | Forbid |
| Common guest | FTP resources (bound IP address: 10.10.3.1/32) | Forbid |
| Undergraduate or postgraduate | Public resources (bound IP address: 10.10.1.1/32) | Permit |
| Undergraduate or postgraduate | Education management system (bound IP address: 10.10.2.1/32) | Forbid |
| Undergraduate or postgraduate | FTP resources (bound IP address: 10.10.3.1/32) | Permit |
| Teacher | Public resources (bound IP address: 10.10.1.1/32) | Permit |
| Teacher | Education management system (bound IP address: 10.10.2.1/32) | Permit |
| Teacher | FTP resources (bound IP address: 10.10.3.1/32) | Permit |
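The policy matrix in Table 1-1 (section 1.3.2) and Table 1-7 above can be checked offline before it is deployed on the controller. The following Python script is an added example, not code from the original post or from the Agile Controller: it encodes the three source groups and three destination groups from the tables, resolves a destination IP to its security group by longest-prefix match, and contrasts the group-based decision with a constructed location-based ACL, showing that under free mobility the same user gets the same answer from any session address. The sample sessions and the location ACL are constructed; the server prefixes and the matrix are the page's.

```python
import ipaddress
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Destination security groups bound to the server prefixes in Table 1-1 / Table 1-7.
DESTINATION_GROUPS: Dict[str, str] = {
    "10.10.1.1/32": "public",          # File server 1, public resources
    "10.10.2.1/32": "education_mgmt",  # File server 2, education management system
    "10.10.3.1/32": "ftp",             # File server 3, FTP resources
}

# Access control matrix from the tables: (source group, destination group) -> permitted?
POLICY: Dict[Tuple[str, str], bool] = {
    ("guest", "public"): True, ("guest", "education_mgmt"): False, ("guest", "ftp"): False,
    ("student", "public"): True, ("student", "education_mgmt"): False, ("student", "ftp"): True,
    ("teacher", "public"): True, ("teacher", "education_mgmt"): True, ("teacher", "ftp"): True,
}

# Constructed stand-in for a traditional, location-based ACL: rights keyed by the
# source subnet (VLAN) rather than by the user's role. Not taken from the page.
LOCATION_ACL: Dict[str, Dict[str, bool]] = {
    "192.168.100.0/24": {"education_mgmt": True},   # wired users, teaching area 1
    "192.168.202.0/24": {"education_mgmt": False},  # wireless STAs, teaching area 1
}


class Session(NamedTuple):
    user: str
    group: str   # source security group assigned at authentication
    ip: str      # address the session happens to use at this location


def longest_match(ip: str, table: Dict[str, object]) -> Optional[object]:
    """Return the value of the most specific prefix in `table` containing `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


def evaluate(src_group: str, dst_ip: str) -> str:
    """Free mobility decision: 'permit', 'forbid' or 'no-policy' for src_group -> dst_ip.

    'no-policy' means the tables do not cover the pair; the page does not state the
    controller's default for such traffic, so it is reported rather than guessed.
    """
    dst_group = longest_match(dst_ip, DESTINATION_GROUPS)
    if dst_group is None:
        return "no-policy"
    decision = POLICY.get((src_group, dst_group))
    if decision is None:
        return "no-policy"
    return "permit" if decision else "forbid"


def free_mobility_decision(session: Session, dst_ip: str) -> str:
    """Policy follows the user: only the authenticated group is consulted."""
    return evaluate(session.group, dst_ip)


def location_decision(session: Session, dst_ip: str) -> str:
    """Traditional model: rights depend on the subnet the session connects from."""
    dst_group = longest_match(dst_ip, DESTINATION_GROUPS)
    rules = longest_match(session.ip, LOCATION_ACL)
    if dst_group is None or rules is None or dst_group not in rules:
        return "no-policy"
    return "permit" if rules[dst_group] else "forbid"


def consistent_across(decide: Callable[[Session, str], str],
                      sessions: List[Session], dst_ip: str) -> bool:
    """True when every session of the same user gets the same decision for dst_ip."""
    return len({decide(s, dst_ip) for s in sessions}) == 1


# Constructed sessions: teacher Lee wired in teaching area 1 (VLAN 100) and on the
# WLAN in teaching area 1 (VLAN 202); the addresses are sample values in those VLANs.
LEE_SESSIONS = [
    Session("lee", "teacher", "192.168.100.20"),
    Session("lee", "teacher", "192.168.202.20"),
]

if __name__ == "__main__":
    for s in LEE_SESSIONS:
        print(s.ip, "free mobility:", free_mobility_decision(s, "10.10.2.1"),
              "| location ACL:", location_decision(s, "10.10.2.1"))
```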

 

Wired and Wireless Convergence Configuration Procedure

After wired and wireless convergence is configured on an agile switch, you configure the agile switch directly and do not need to configure the switch and an independent AC or ACU2 card separately.

1. Configure the S12708 to function as a DHCP server to assign IP addresses to PCs and STAs. The S12708 assigns IP addresses to APs through SVF, so you do not need to configure the S12708 to assign IP addresses to APs. The following example describes how the S12708 assigns IP addresses to the PCs and STAs in teaching area 1.

# Configure the S12708 to assign an IP address to PC_1 from the global address pool.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] vlan batch 100 202
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 192.168.100.1 24
[HUAWEI-Vlanif100] dhcp select global
[HUAWEI-Vlanif100] quit
[HUAWEI] ip pool 100
[HUAWEI-ip-pool-100] gateway-list 192.168.100.1
[HUAWEI-ip-pool-100] network 192.168.100.0 mask 24
[HUAWEI-ip-pool-100] quit

# Configure the S12708 to assign IP addresses to STAs from the global address pool. The IP addresses in the address pool 202 are assigned to the STAs connected to AP_1, and the IP addresses in the address pool 204 are assigned to the STAs connected to AP_2.

The following example describes how the S12708 assigns IP addresses to the STAs connected to AP_1.

[HUAWEI] interface vlanif 202
[HUAWEI-Vlanif202] ip address 192.168.202.1 24
[HUAWEI-Vlanif202] dhcp select global
[HUAWEI-Vlanif202] quit
[HUAWEI] ip pool 202
[HUAWEI-ip-pool-202] gateway-list 192.168.202.1
[HUAWEI-ip-pool-202] network 192.168.202.0 mask 24
[HUAWEI-ip-pool-202] quit

2. Configure the AC's system parameters.

# Configure the AC's country code.

[HUAWEI] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.

[HUAWEI] wlan ac-global ac id 1 carrier id other  //The AC ID is 0 by default. In this example, the AC ID is changed to 1.

# Configure the AC's source interface.

[HUAWEI] wlan
[HUAWEI-wlan-view] wlan ac source interface vlanif 11

3. Configure the AC to manage APs.

# Check the AP type ID after obtaining the AP's MAC address.

[HUAWEI-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID     Type
------------------------------------------------------------------------------
1      AP5010DN-AGN
------------------------------------------------------------------------------
Total number: 1

# Set the AP authentication mode to MAC address authentication (default setting). Add the APs offline according to the obtained AP type ID. The configuration of AP access parameters is described in the SVF configuration procedure, and will not be described here.

# Configure an AP region and add the APs to the region.

[HUAWEI-wlan-view] ap-region id 10
[HUAWEI-wlan-ap-region-10] quit
[HUAWEI-wlan-view] ap id 1
[HUAWEI-wlan-ap-1] region-id 10
[HUAWEI-wlan-ap-1] quit
[HUAWEI-wlan-view] ap id 2
[HUAWEI-wlan-ap-2] region-id 10
[HUAWEI-wlan-ap-2] quit

# After powering on the AP, run the display ap all command on the AC to check the AP state. The command output shows that the AP state is normal.

[HUAWEI-wlan-view] display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP    AP               AP              Profile   AP              AP
                                       /Region
ID    Type             MAC             ID        State           Sysname
------------------------------------------------------------------------------
0     AP6010DN-AGN     60de-4476-e360  0/10      normal          ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

4.         Configure the WLAN service parameters.

# Create a WMM profile wmm.

[HUAWEI-wlan-view] wmm-profile name wmm id 1
[HUAWEI-wlan-wmm-prof-wmm] quit

# Create a radio profile radio, and bind the WMM profile wmm to the radio profile.

[HUAWEI-wlan-view] radio-profile name radio id 1
[HUAWEI-wlan-radio-prof-radio] wmm-profile name wmm
[HUAWEI-wlan-radio-prof-radio] quit
[HUAWEI-wlan-view] quit

# Create a WLAN-ESS interface.

[HUAWEI] interface wlan-ess 1
[HUAWEI-Wlan-Ess1] port trunk allow-pass vlan 202
[HUAWEI-Wlan-Ess1] quit

# Create a security profile security.

[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name security id 1
[HUAWEI-wlan-sec-prof-security] security-policy wpa2  //Set the security policy to WPA2.
[HUAWEI-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher huawei123 encryption-method ccmp  //Set the authentication method to PSK and the encryption method to CCMP.
[HUAWEI-wlan-sec-prof-security] quit

# Create a traffic profile traffic and set the STA's uplink rate limit to 2000 kbit/s and downlink rate limit to 2400 kbit/s.

[HUAWEI-wlan-view] traffic-profile name traffic id 1
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client up 2000
[HUAWEI-wlan-traffic-prof-traffic] rate-limit client down 2400
[HUAWEI-wlan-traffic-prof-traffic] quit

# Create a service set area1, and bind the WLAN-ESS interface, security profile, and traffic profile to the service set. Set the forwarding mode to direct forwarding (default setting).

[HUAWEI-wlan-view] service-set name area1 id 1
[HUAWEI-wlan-service-set-area1] ssid area1
[HUAWEI-wlan-service-set-area1] wlan-ess 1
[HUAWEI-wlan-service-set-area1] security-profile name security
[HUAWEI-wlan-service-set-area1] traffic-profile name traffic
[HUAWEI-wlan-service-set-area1] service-vlan 202
[HUAWEI-wlan-service-set-area1] quit

5.         Configure a virtual AP (VAP) and deliver it to an AP.

# Configure a VAP.

[HUAWEI-wlan-view] ap 1 radio 0
[HUAWEI-wlan-radio-1/0] radio-profile name radio
[HUAWEI-wlan-radio-1/0] service-set name area1
[HUAWEI-wlan-radio-1/0] quit

# Commit the configuration.

[HUAWEI-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

All_About_Switch (Official), Created Oct 8, 2015 07:34:14

iPCA Configuration Procedure


iPCA detects packet loss on a single agile switch and between agile switches. To detect packet loss between the main campus and branch campus networks, agile switches must be deployed on both networks.

Configure the packet loss measurement function for a device.

1.         Enable iPCA packet loss measurement on each device so that packet loss is detected as soon as it occurs, and configure the packet loss alarm on each device.

[HUAWEI] iplpm global loss-measure alarm enable  //Enable the packet loss alarm and the clear alarm on the device.
[HUAWEI] iplpm global loss-measure enable  //Enable packet loss measurement on the device.

2.         Run the display iplpm loss-measure statistics global command to check the packet loss measurement results on a device. The Loss Packets and LossRatio columns show whether packet loss occurs on the device.

[HUAWEI] display iplpm loss-measure statistics global
Latest global loss statistics:
--------------------------------------------------------------------------------
 StartTime(DST)        Loss Packets            LossRatio         ErrorInfo      
--------------------------------------------------------------------------------
 2015-06-12 10:47   344127                  4.513519%         OK 
 2015-06-12 10:47   381085                  4.513196%         OK 
 2015-06-12 10:47   381192                  4.513290%         OK 
 2015-06-12 10:47   381339                  4.513341%         OK 
 2015-06-12 10:47   381465                  4.513392%         OK 
 2015-06-12 10:47   381444                  4.513487%         OK 
 2015-06-12 10:47   381129                  4.513309%         OK 
--------------------------------------------------------------------------------

Configure the end-to-end packet loss measurement function.

1.         Configure the core switches in the main campus.

[HUAWEI] nqa ipfpm dcp  //Enable the DCP function globally.
[HUAWEI-nqa-ipfpm-dcp] dcp id 1.1.1.1  //Configure the DCP ID.
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[HUAWEI-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24  //Set the target flow to a bidirectional symmetrical flow.
[HUAWEI-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress  //Color the target flows that enter the network.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit
[HUAWEI] interface gigabitethernet 3/1/0/1  //Specify the interface connecting to the core switch in the branch campus. 
[HUAWEI-GigabitEthernet3/1/0/1] ipfpm tlp 1  //Bind a Target Logical Port (TLP) to the interface. 
[HUAWEI-GigabitEthernet3/1/0/1] quit
[HUAWEI] interface gigabitethernet 3/1/0/2  //Specify the interface connecting to the core switch in the branch campus.
[HUAWEI-GigabitEthernet3/1/0/2] ipfpm tlp 1  //Bind a TLP to the interface.
[HUAWEI-GigabitEthernet3/1/0/2] quit
[HUAWEI] nqa ipfpm dcp
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] loss-measure enable continual  //Enable the continual packet loss measurement function for the DCP instance.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit

2.         Configure the core switches in the branch campus.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[Switch-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
[Switch-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] nqa ipfpm mcp  //Enable the MCP function globally.
[Switch-nqa-ipfpm-mcp] mcp id 2.2.2.2  //Create an MCP.
[Switch-nqa-ipfpm-mcp] instance 1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 2.2.2.2
[Switch-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 7 lower-limit 5  //Set the packet loss alarm threshold to 7% and clear alarm threshold to 5% for the MCP instance.
[Switch-nqa-ipfpm-mcp-instance-1] quit
[Switch-nqa-ipfpm-mcp] quit
[Switch] quit

3.         Verify the configurations.

# Run the display ipfpm statistic-type loss instance 1 command on the core switches in the branch campus to view the packet loss measurement results.

<Switch> display ipfpm statistic-type loss instance 1
 
Latest loss statistics of forward flow:
Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
------------------------------------------------------------------------------------------
127636768            381549               4.514649%     40444194             4.514649%
127636767            381528               4.514620%     40441968             4.514620%
127636766            381318               4.514996%     40419708             4.514996%
127636765            381192               4.514686%     40406352             4.514686%
127636764            381381               4.514679%     40426386             4.514679%
127636763            381402               4.514748%     40428612             4.514748%
127636762            381081               4.514797%     40394586             4.514797%
127636761            381324               4.514702%     40420344             4.514702%
127636760            381549               4.514870%     40444194             4.514870%
127636759            381066               4.514638%     40392996             4.514638%
127636758            381570               4.514836%     40446420             4.514836%
127636757            382452               4.514757%     40539912             4.514757%
 
Latest loss statistics of backward flow:
Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
------------------------------------------------------------------------------------------
127636768            381087               4.513306%     40395222             4.513306%
127636767            381129               4.513384%     40399674             4.513384%
127636766            381465               4.513444%     40435290             4.513444%
127636765            381087               4.513222%     40395222             4.513222%
127636764            381045               4.513272%     40390770             4.513272%
127636763            381381               4.513364%     40426386             4.513364%
127636762            381276               4.513435%     40415256             4.513435%
127636761            380961               4.513280%     40381866             4.513280%
127636760            381339               4.513574%     40421934             4.513574%
127636759            381045               4.513270%     40390770             4.513270%
127636758            381088               4.513226%     40395328             4.513226%
127636757            382409               4.513464%     40535354             4.513464%
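As an added example (not part of the original post and not Huawei software), the following Python script parses the two kinds of loss statistics printed above, the device-level display iplpm loss-measure statistics global output and the end-to-end display ipfpm statistic-type loss instance 1 output, and replays the alarm logic configured on the MCP with loss-measure ratio-threshold upper-limit 7 lower-limit 5. The sample text embedded in the script is excerpted from the command output shown above; the alarm sequence at the end is constructed to exercise the hysteresis. The exact boundary handling (strictly above the upper limit raises the alarm, strictly below the lower limit clears it) is an assumption about the device, not something the post states.

```python
"""Parse iPCA loss statistics captured from the VRP CLI and evaluate
the alarm/clear thresholds of an MCP instance (added example, not Huawei code)."""
import re
from dataclasses import dataclass

# Sample text excerpted from the command output shown above (not live data).
GLOBAL_OUTPUT = """\
Latest global loss statistics:
--------------------------------------------------------------------------------
 StartTime(DST)        Loss Packets            LossRatio         ErrorInfo
--------------------------------------------------------------------------------
 2015-06-12 10:47   344127                  4.513519%         OK
 2015-06-12 10:47   381085                  4.513196%         OK
--------------------------------------------------------------------------------
"""

IPFPM_OUTPUT = """\
Latest loss statistics of forward flow:
Unit: p - packet, b - byte
Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
127636768            381549               4.514649%     40444194             4.514649%
127636767            381528               4.514620%     40441968             4.514620%

Latest loss statistics of backward flow:
Unit: p - packet, b - byte
Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
127636768            381087               4.513306%     40395222             4.513306%
127636767            381129               4.513384%     40399674             4.513384%
"""


@dataclass(frozen=True)
class LossSample:
    scope: str          # "global" (single device), "forward" or "backward" (end-to-end flow)
    period: str         # start time (global) or period number (ipfpm), as printed
    loss_packets: int
    loss_ratio: float   # percent, e.g. 4.513519


# Row formats as printed by the two display commands above.
_GLOBAL_ROW = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([\d.]+)%\s+(\S+)")
_IPFPM_HDR = re.compile(r"^Latest loss statistics of (forward|backward) flow:")
_IPFPM_ROW = re.compile(r"^(\d+)\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)%")


def parse_global(text):
    """Rows of 'display iplpm loss-measure statistics global', newest first as printed."""
    samples = []
    for line in text.splitlines():
        m = _GLOBAL_ROW.match(line)
        if m:
            samples.append(LossSample("global", m.group(1), int(m.group(2)), float(m.group(3))))
    return samples


def parse_ipfpm(text):
    """Rows of 'display ipfpm statistic-type loss instance N', tagged with flow direction."""
    samples, scope = [], None
    for line in text.splitlines():
        h = _IPFPM_HDR.match(line)
        if h:
            scope = h.group(1)
            continue
        m = _IPFPM_ROW.match(line)
        if m and scope:
            samples.append(LossSample(scope, m.group(1), int(m.group(2)), float(m.group(3))))
    return samples


def max_ratio_by_scope(samples):
    """Worst loss ratio seen per scope; a quick health summary for a report."""
    worst = {}
    for s in samples:
        worst[s.scope] = max(worst.get(s.scope, 0.0), s.loss_ratio)
    return worst


def evaluate_alarms(samples, upper_limit=7.0, lower_limit=5.0, newest_first=True):
    """Replay 'loss-measure ratio-threshold upper-limit 7 lower-limit 5' with hysteresis:
    raise when the ratio exceeds upper_limit, clear only once it drops below lower_limit,
    so a ratio hovering between the two limits does not flap. Boundary handling is assumed."""
    ordered = list(reversed(samples)) if newest_first else list(samples)  # oldest first
    alarmed, events = {}, []
    for s in ordered:
        active = alarmed.get(s.scope, False)
        if not active and s.loss_ratio > upper_limit:
            alarmed[s.scope] = True
            events.append((s.scope, s.period, "raise"))
        elif active and s.loss_ratio < lower_limit:
            alarmed[s.scope] = False
            events.append((s.scope, s.period, "clear"))
    return events


if __name__ == "__main__":
    flows = parse_ipfpm(IPFPM_OUTPUT)
    print("device:", max_ratio_by_scope(parse_global(GLOBAL_OUTPUT)))
    print("end-to-end:", max_ratio_by_scope(flows), "events:", evaluate_alarms(flows))
```

In the excerpted output every period sits near 4.5 %, below the 5 % clear threshold, so evaluate_alarms reports no events; feeding it a sequence that crosses 7 % and later falls under 5 % yields exactly one raise and one clear, which is the behaviour the upper-limit/lower-limit pair is meant to give.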

1.2 Summary and Recommendations

This document uses the deployment of S series agile switches on an agile campus network in the education industry as an example to describe the application and key configurations of the agile features of these switches.

•   Wired and wireless convergence

Agile switches have native AC cards installed to converge wired and wireless networks into one network, simplifying the configuration and maintenance of wired and wireless networks. The high switching capability and scalability of agile switches eliminate bottlenecks in centralized traffic forwarding when independent ACs or AC cards are used.

•   Free mobility

Free mobility enables the unified management of users' identity information on the entire network. It ensures that a user can have the same network access rights and enjoy the same service experience when using different IP addresses to access the network from different locations.

•   SVF

The SVF technology virtualizes core, aggregation, and access switches on a network into one super switch. The core switch uniformly delivers configurations to and manages aggregation and access switches.

•   iPCA

iPCA collects statistics on the packets that each device sends and forwards along one or multiple paths. If a packet is lost, eSight immediately detects the loss and locates where it occurred. iPCA therefore provides real-time monitoring of real service traffic rather than of injected test traffic.

The agile features of S series switches are being developed and optimized. In the future, S series switches will be more widely used on agile networks.


ivyivy, Created Oct 8, 2015 08:03:37

I like it. Helpful!!