Example for Configuring an Agile Campus Network


Solution Overview

Campus networks are developing quickly and carrying increasingly diverse services. As smart mobile terminals become common on campuses, users need to access campus networks while moving, and wireless data traffic is growing rapidly. Cloud computing requires real-time service monitoring and service virtualization. Campus networks also need to carry high definition (HD) video services and social networking services (SNSs). These service requirements challenge current network deployments. To meet them, Huawei applies the agility concept to campus networks based on the software-defined networking (SDN) architecture. Huawei agile campus network solutions help build high-performance core networks and highly efficient wireless access networks, and make networks more agile for services.

On agile networks, flexible and fast agile switches replace traditional switches. For example, administrators can configure, manage, and maintain devices quickly and flexibly: they do not need to modify the configuration of each device individually to change a service, or spend a long time locating a network fault. Users can access an agile network quickly and flexibly and enjoy the same network experience at any location using any access mode.

An agile campus network for a university is taken as an example in the following sections to describe how agile networks improve the network services for campus users.

Networking Requirements

Figure 1-15 shows the original network in the university's main campus. Core switches manage wired users, and independent ACs manage wireless users.

  • Users in different areas of the main campus can access the campus network and connect to the Internet through the campus network. Wired users use 802.1X authentication and wireless users use Web authentication to access the network.

    The following figure shows only the network deployment for teaching and office areas. The network deployment for other areas is similar and is not shown in the figure.

  • The network provides the Voice over Internet Protocol (VoIP), network printer, and multimedia services.
  • Users in branch campuses can access the main campus network through the Intranet.
  • Users outside the campuses can access the main campus network through the Internet.
Figure 1-15  Campus networking diagram for the main campus (with no agile network deployed) 

The service deployment on the current campus network faces the following problems:

  • As the university's population grows, a large number of wireless users demand wireless services. The wired and wireless networks are deployed separately and are difficult to manage. The university wants wired and wireless convergence to simplify network management and improve network operation and maintenance (O&M) efficiency.
  • As network services on the campus diversify and users need to access the network while moving, network information security becomes more important. The university wants access users classified by role so that service policies and network experience remain consistent wherever users go.
  • The university has a large number of network devices and needs to adjust network services frequently. Network administrators must modify configurations or upgrade versions on devices one by one to change a service, which is a heavy and tedious workload. The university wants centralized configuration, management, and maintenance of network access devices.
  • When a network fault occurs, network administrators cannot detect or troubleshoot it quickly, which affects user experience. The university needs a real-time network quality monitoring mechanism to reduce the impact of network faults.

The university intends to deploy an agile network to simplify network deployment and configuration, improve user experience, and improve O&M efficiency.

Network Planning

Figure 1-16 shows the agile campus networking. Two S12708 agile switches are deployed to set up a cluster switch system (CSS) at the core layer. The S5700LI switches at the aggregation and access layers are enabled with only Layer 2 forwarding (the S7700 core switches in the original networking are used at the aggregation layer). Some APs are deployed in the campus as needed. The S5700LI switches are deployed at the access layer to connect to and manage wired users and APs, providing wired and wireless coverage for the campus.

Figure 1-16  Agile campus networking diagram 

The requirements for NEs shown in Figure 1-16 are as follows:

  • Core switch

    Agile switches are used at the core layer. If modular switches are used as agile switches, X series cards need to be installed on the switches to implement wired and wireless convergence.

  • Aggregation and access switches

    To support the agile feature Super Virtual Fabric (SVF), see "SVF hardware and software requirements" in SVF Technical Characteristics.

  • Agile Controller

    The Agile Controller integrates functions of the RADIUS server, Portal server, and free mobility controller, facilitating service adjustment. When a user connects to the network from different locations, the free mobility controller uniformly delivers network access rights to ensure that the user can have the same network access rights at different locations.

  • eSight network management system (NMS)

    eSight provides a graphical user interface (GUI) to help manage network devices, perform configurations, and facilitate convenient and visual management.

Feature Planning

After the S12708 agile switches are deployed on the campus network, the following agile features can be applied to solve the service deployment problems described in Networking Requirements and to let the network adapt quickly and flexibly to service requirements.

  • Wired and wireless convergence: Wired and wireless networks are uniformly managed and maintained.

    Agile switches at the core layer provide native capabilities on their line cards, so no independent AC devices or AC cards (such as the ACU2) are required. Administrators do not need to configure and deploy user access services on the wired and wireless networks separately, and can manage the wired and wireless networks as simply as managing one device. The high switching capacity and scalability of agile switches eliminate the bottleneck of centralized traffic forwarding that exists when independent ACs or AC cards are used.

  • Free mobility: Service control policies can be migrated with users, delivering consistent experience for users.

    For example, in Networking Requirements, teacher Lee connects to the campus network from the office area, teaching area, library, and residential community every day. He may be granted different access rights on a traditional network. For example, he can access the essay database only in the office area, teaching area, and library, but not in public areas in the campus.

    The free mobility solution gives users the same network access rights at different locations. Network access policies are configured centrally on the Agile Controller and delivered to all associated access devices. In this way, users obtain the same network access policies and enjoy consistent network access experience at any location and with any IP address.

    Table 1-7 lists the access policies that are configured on the Agile Controller and delivered to three user groups: guest, student, and teacher.

    Table 1-7  Free mobility policy configuration
    User (Source Security Group) | Resource (Destination Security Group)                              | Access Control Policy
    Guest                        | Public resources (IP address: 10.10.1.1/32)                        | Permit
    Guest                        | Education management system (IP address: 10.10.2.1/32)             | Forbid
    Guest                        | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)  | Forbid
    Student                      | Public resources (IP address: 10.10.1.1/32)                        | Permit
    Student                      | Education management system (IP address: 10.10.2.1/32)             | Forbid
    Student                      | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)  | Permit
    Teacher                      | Public resources (IP address: 10.10.1.1/32)                        | Permit
    Teacher                      | Education management system (IP address: 10.10.2.1/32)             | Permit
    Teacher                      | File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)  | Permit

    After the preceding policies are configured, users have the same network access rights and network experience after passing authentication.

  • Super Virtual Fabric (SVF): Agile switches deliver configurations to devices at the aggregation and access layers.

    The SVF solution virtualizes core, aggregation, and access switches on a network into one switch. The core switch manages the aggregation and access switches, and uses configuration templates to complete batch configuration of aggregation and access switches. In this way, administrators do not need to configure switches one by one.

    Table 1-8 describes the roles in an SVF system. The agile switch functions as a parent to manage all access switches (ASs) and APs. In the SVF system, wired and wireless users are all managed on the parent.

    Table 1-8  SVF deployment
    Role                           | Device
    Parent                         | Two S12708 switches in a CSS
    Client: level-1 AS             | Switches directly connected to the parent, providing wired connections to access switches or terminals
    Client: level-2 AS             | Switches directly connected to level-1 ASs, providing wired connections to terminals
    Client: wireless access device | APs on a WLAN, providing wireless connections to terminals

    If APs are deployed in an SVF system, the parent functions as a wireless access controller (AC) to control and manage all APs.

    Services on ASs are configured on the parent, and the key states of ASs and APs are maintained on the parent. Administrators can complete service configurations for aggregation and access switches by simply connecting unconfigured aggregation and access switches to the parent. The aggregation and access layers realize zero-touch configuration, automatic upgrade, and plug-and-play deployment, simplifying network configuration, management, and maintenance.

    NOTE:

    An SVF system supports at most two levels of ASs and one level of APs. When eSight is deployed to manage the SVF system, SVF can better simplify device management.

  • Packet Conservation Algorithm for Internet (iPCA): iPCA allows an agile network to be aware of the service quality and to locate network failures.

    An agile switch with iPCA configured can monitor packet loss in real time. Table 1-9 lists the packet loss measurement modes. If a link fails, an iPCA-capable switch quickly detects the fault and immediately sends an alarm to administrators. iPCA makes the network aware of service quality, reducing the impact of network failures. eSight can display packet loss measurement results on a GUI, so administrators can easily monitor network quality.

    Table 1-9  iPCA deployment
    Packet Loss Measurement Mode          | Deployment Scenario
    Network-level packet loss measurement | Monitor packet loss on the links between the main campus and branch campuses. iPCA needs to be configured on local and remote core switches.
    Device-level packet loss measurement  | Monitor packet loss on core switches. iPCA only needs to be configured on local core switches.

Table 1-10 lists the minimum versions supporting agile features and precautions for configuring these features.

Table 1-10  Applicable versions and precautions

Agile Feature                  | Minimum Version                        | Precaution
SVF                            | V200R007 (V200R007C20 is not included) | A license is required to enable the SVF function on a parent. When enabling the SVF function, ensure that the current and next startup network admission control (NAC) configuration modes are the unified mode.
Free mobility                  | V200R006                               | The Agile Controller needs to be deployed to enable the free mobility function. Free mobility is supported only in the unified NAC mode.
iPCA                           | V200R006                               | If modular switches are used, X series cards need to be installed.
Wired and wireless convergence | V200R005 (V200R007C20 is not included) | If modular switches are used, X series cards need to be installed. For details about the applicable AP models and versions, see the product documents.

NOTE:

This case uses S series switches in V200R009C00 as an example. The configuration may slightly vary depending on the product and version. Refer to the configuration manual accordingly.

Data Planning

Basic Agile Campus Networking

This section uses a simplified version of the preceding agile campus networking to describe the deployment of agile features. Figure 1-17 shows the networking for teaching area 1 and the library.

Figure 1-17  Basic agile campus networking diagram 

Table 1-11 and Table 1-12 describe the data planning based on the preceding networking diagram.

Table 1-11  Device data planning

Role                                    | Device                                     | Data
Parent                                  | Two S12708 switches in a CSS               | /
Level-1 AS                              | Aggregation switches in teaching area 1    | AS_1: S5700-52X-PWR-LI-AC; MAC address: 0200-0000-0011; IP address: 192.168.11.254/24
Level-1 AS                              | Access switches in the library             | AS_2: S5700-52X-PWR-LI-AC; MAC address: 0200-0000-0022; IP address: 192.168.11.253/24
Level-2 AS                              | Access devices in teaching area 1          | AS_3: S5700-28X-PWR-LI-AC; MAC address: 0200-0000-0033; IP address: 192.168.11.252/24
AP                                      | Wireless access devices in teaching area 1 | AP_1: AP5010DN-AGN; MAC address: AC85-3DA6-A420
AP                                      | Wireless access devices in the library     | AP_2: AP5010DN-AGN; MAC address: AC85-3DA6-F240
Free mobility controller                | Agile Controller                           | IP address: 192.168.2.31; Interoperation key: Huawei@123
RADIUS server                           | Agile Controller                           | IP address: 192.168.2.31; Interoperation key: Huawei@123; Authentication port number: 1812
Portal server                           | Agile Controller                           | IP address: 192.168.2.31; Interoperation key: Huawei@123; Port number: 50200
Public resource server                  | File server 1                              | IP address: 10.10.1.1/32
Education management system server      | File server 2                              | IP address: 10.10.2.1/32
FTP resource server                     | File server 3                              | IP address: 10.10.3.1/32
Core switches on branch campus networks | S9706                                      | /

NOTE:

The Agile Controller integrates functions of the RADIUS server and Portal server.

On the Agile Controller, the fixed RADIUS authentication port number is 1812, and the fixed Portal server port number is 50200.

Table 1-12  VLAN data planning

Data                                  | Description
ID: 11; IP address: 192.168.11.1/24   | • SVF management VLAN on which a parent can set up Control and Provisioning of Wireless Access Points (CAPWAP) tunnels with ASs and APs
                                      | • Service VLAN accessed by AP_1 in teaching area 1 and AP_2 in the library
                                      | • VLAN on which a parent can communicate with the Agile Controller
ID: 101                               | Service set VLAN
ID: 100; IP address: 192.168.100.1/24 | VLAN that wired users in teaching area 1 belong to: service VLAN accessed by wired users in teaching area 1, such as the VLAN that PC_1 belongs to
ID: 200; IP address: 192.168.200.1/24 | VLAN that wired users in the library belong to: service VLAN accessed by wired users in the library, such as the VLAN that PC_2 belongs to
ID: 202; IP address: 192.168.202.1/24 | VLAN that mobile terminals in teaching area 1 belong to: service VLAN accessed by STAs in teaching area 1, such as the VLAN that STA_1 belongs to
ID: 204; IP address: 192.168.204.1/24 | VLAN that mobile terminals in the library belong to: service VLAN accessed by STAs in the library, such as the VLAN that STA_2 belongs to

Configuration Procedure

This section only describes how to configure agile features, and does not describe other basic configurations, such as routing connectivity.

SVF Configuration Procedure

Configure ASs to connect to the parent.

  1. Configure the two switches in the parent to set up a CSS. For details, see the product documents.
  2. Log in to the CSS and enable the SVF function.

    <HUAWEI> system-view
    [HUAWEI] vlan batch 11
    [HUAWEI] dhcp enable   //Enable the DHCP server function to allow an AS to obtain an IP address from the parent.
    [HUAWEI] interface vlanif 11
    [HUAWEI-Vlanif11] ip address 192.168.11.1 24
    [HUAWEI-Vlanif11] dhcp select interface
    [HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1   //Configure the parent to send the IP address to an AS so that the AS can set up a CAPWAP link with the specified IP address.
    [HUAWEI-Vlanif11] quit
    [HUAWEI] capwap source interface vlanif 11   //Set up a CAPWAP link between the parent and the AS.
    [HUAWEI] authentication unified-mode   //Change the network admission control (NAC) configuration mode to the unified mode.
    [HUAWEI] stp mode rstp   //Set the working mode to STP or RSTP when enabling the SVF function.
    [HUAWEI] uni-mng   //Enable the SVF function and enter the uni-mng view.
    Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue?[Y/N]: y
    NOTE:

    When enabling the SVF function, ensure that the current and next startup NAC configuration modes are the unified mode.

    You can run the display authentication mode command to check whether the current and next startup NAC configuration modes are the unified mode. If not, set the modes to the unified mode.

    After the traditional and unified modes are switched, restart the device to make the configuration take effect. By default, the NAC configuration mode is unified mode.

  3. Configure access parameters for ASs.

    # Configure ASs' names, and specify the device models and management MAC addresses for the ASs.

    [HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
    [HUAWEI-um-as-as1] quit
    [HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
    [HUAWEI-um-as-as2] quit
    [HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
    [HUAWEI-um-as-as3] quit

    # Configure the fabric ports that connect the parent to level-1 ASs (AS_1 and AS_2). The following example configures the fabric port that connects the parent to AS_1. The configuration of the fabric port that connects the parent to AS_2 is similar and is not mentioned here.

    [HUAWEI-um] interface fabric-port 1
    [HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
    [HUAWEI-um-fabric-port-1] quit
    [HUAWEI-um] quit
    [HUAWEI] interface gigabitethernet 1/1/0/1
    [HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
    [HUAWEI-GigabitEthernet1/1/0/1] quit
    [HUAWEI] interface gigabitethernet 2/1/0/1
    [HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
    [HUAWEI-GigabitEthernet2/1/0/1] quit

    # Configure the fabric port that connects level-1 AS (AS_1) to level-2 AS (AS_3).

    [HUAWEI] uni-mng
    [HUAWEI-um] as name as1
    [HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
    [HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
    [HUAWEI-um-as-as1] quit
    [HUAWEI-um] quit

    # Configure ASs to be authenticated using a whitelist when they connect to an SVF system.

    [HUAWEI] as-auth
    [HUAWEI-as-auth] undo auth-mode
    [HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
    [HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
    [HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
    [HUAWEI-as-auth] quit
    [HUAWEI] quit
  4. Clear the configurations of ASs, restart the ASs, and then connect the ASs to the parent using cables. An SVF system is then set up.

    NOTE:

    Before connecting an AS to the parent, ensure that the AS has no configuration file or input on the console port.

    # Clear the configurations of ASs and restart the ASs. (This process takes 5 minutes. During the process, ensure that the AS has no input on the console port. If the ASs are unconfigured, you can directly connect the ASs to the parent with no need to restart the ASs.)

    <HUAWEI> reset saved-configuration
    Warning: The action will delete the saved configuration in the device. The configuration will be erased to reconfigure. Continue? [Y/N]:y

    # After connecting the cables, run the display as all command to check whether all ASs have connected to the SVF system successfully.

    <HUAWEI> display as all
    ------------------------------------------------------------------------------
    No.   Type                 Mac            IP              State     Name
    ------------------------------------------------------------------------------
    0     S5700-52X-PWR-LI-AC  0200-0000-0011 192.168.11.254  normal    as1
    1     S5700-52X-PWR-LI-AC  0200-0000-0022 192.168.11.253  normal    as2
    2     S5700-28X-PWR-LI-AC  0200-0000-0033 192.168.11.252  normal    as3
    ------------------------------------------------------------------------------
    Total: 3
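The AS definitions, the as-auth whitelist, the NAC mode and the CAPWAP/DHCP option 43 settings above must agree with each other, and an AS that is defined but not whitelisted simply never reaches the normal state in display as all. The following script is an added example, not part of the page or of Huawei's tooling; it parses a constructed session built from the commands above (SAMPLE_SESSION, parse_config and audit are this example's own names) and reports such mismatches before the ASs are cabled in.

```python
"""Consistency audit for the SVF access parameters on the parent.

Added example, not part of the page or of Huawei's tooling. It reads the
commands from the procedure above (CLI prompts and // comments are tolerated,
so a pasted session and a configuration dump both work) and checks that every
AS defined under uni-mng is whitelisted and vice versa, that the NAC mode is
unified, and that DHCP option 43 on the CAPWAP source Vlanif hands out that
Vlanif's own address, which is the address the ASs build their CAPWAP link to.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
PROMPT_RE = re.compile(r"^[<\[][^\]>]*[\]>]\s*")   # "[HUAWEI-Vlanif11] " or "<HUAWEI> "


def norm_mac(mac: str) -> str:
    """Normalise a Huawei-style MAC (XXXX-XXXX-XXXX) to lower case."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC format: {mac}")
    return mac


def parse_config(text: str) -> dict:
    """Collect the SVF-relevant statements from a CLI session or config dump."""
    cfg = {"as": {}, "whitelist": set(), "unified_mode": False,
           "capwap_vlanif": None, "vlanif": {}}
    vlanif = None  # Vlanif view we are currently inside, if any
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        line = re.sub(r"\s+//.*$", "", line).strip()   # drop trailing // comment
        if not line or line.startswith("#") or line == "quit":
            vlanif = None   # "#" separates sections in a config dump
        elif m := re.match(r"as name (\S+) model (\S+) mac-address (\S+)$", line):
            cfg["as"][m.group(1)] = (m.group(2), norm_mac(m.group(3)))
        elif m := re.match(r"whitelist mac-address (\S+)$", line):
            cfg["whitelist"].add(norm_mac(m.group(1)))
        elif line == "authentication unified-mode":
            cfg["unified_mode"] = True
        elif m := re.match(r"capwap source interface vlanif ?(\d+)$", line, re.I):
            cfg["capwap_vlanif"] = int(m.group(1))
        elif m := re.match(r"interface vlanif ?(\d+)$", line, re.I):
            vlanif = int(m.group(1))
            cfg["vlanif"].setdefault(vlanif, {"ip": None, "option43": None})
        elif vlanif is not None and (
                m := re.match(r"(ip address|dhcp server option 43 ip-address) (\S+)", line)):
            key = "ip" if m.group(1) == "ip address" else "option43"
            cfg["vlanif"][vlanif][key] = str(ipaddress.ip_address(m.group(2)))
    return cfg


def audit(cfg: dict) -> list:
    """Return (code, detail) findings; an empty list means the parameters agree."""
    findings = []
    defined = {mac for _, mac in cfg["as"].values()}
    for name, (_, mac) in sorted(cfg["as"].items()):
        if mac not in cfg["whitelist"]:                # as-auth will refuse this AS
            findings.append(("AS_NOT_WHITELISTED", f"{name} {mac}"))
    for mac in sorted(cfg["whitelist"] - defined):    # stale or mistyped entry
        findings.append(("WHITELIST_UNKNOWN_MAC", mac))
    if not cfg["unified_mode"]:
        findings.append(("NAC_MODE_NOT_UNIFIED", "authentication unified-mode missing"))
    vid = cfg["capwap_vlanif"]
    vif = cfg["vlanif"].get(vid) if vid is not None else None
    if vid is None:
        findings.append(("CAPWAP_SOURCE_MISSING", "capwap source interface not set"))
    elif vif is None or vif["ip"] is None:
        findings.append(("CAPWAP_VLANIF_NO_IP", f"vlanif {vid}"))
    elif vif["option43"] != vif["ip"]:
        findings.append(("OPTION43_MISMATCH",
                         f"vlanif {vid}: ip {vif['ip']} option43 {vif['option43']}"))
    return findings


# Constructed session mirroring the procedure; as3 is missing from the
# whitelist and a stale MAC (0200-0000-0044) has been left in it.
SAMPLE_SESSION = """\
[HUAWEI] dhcp enable   //Enable the DHCP server function.
[HUAWEI] interface vlanif 11
[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11
[HUAWEI] authentication unified-mode
[HUAWEI] uni-mng
[HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
[HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
[HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
[HUAWEI] as-auth
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0044
"""

if __name__ == "__main__":
    for code, detail in audit(parse_config(SAMPLE_SESSION)):
        print(f"{code}: {detail}")
```

Feeding the output of display current-configuration to parse_config works the same way, since section separators and interface names in the dump format are recognised.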

Configure an AP to connect to an AS. The following example describes how to connect AP_1 to AS_3, and the procedure for connecting AP_2 to AS_2 is not mentioned here.

  1. Create a network basic profile, and specify a pass-VLAN for mobile terminals connected to AP_1.

    <HUAWEI> system-view
    [HUAWEI] uni-mng
    [HUAWEI-um] network-basic-profile name profile_ap
    [HUAWEI-um-net-basic-profile_ap] pass-vlan 202
    [HUAWEI-um-net-basic-profile_ap] quit
  2. Add the port connecting AS_3 to AP_1 to an AP port group.

    [HUAWEI-um] port-group connect-ap name group_ap
    [HUAWEI-um-portgroup-group_ap] network-basic-profile profile_ap
    [HUAWEI-um-portgroup-group_ap] as name as3 interface gigabitethernet 0/0/24
    [HUAWEI-um-portgroup-group_ap] quit
    [HUAWEI-um] commit as all
    Warning: Committing the configuration will take a long time. Continue?[Y/N]:y
    [HUAWEI-um] quit
  3. Configure access parameters for AP_1.

    # Configure the AP ID.

    [HUAWEI] wlan
    [HUAWEI-wlan-view] ap-id 1 ap-type ap5010dn-agn ap-mac ac85-3da6-a420
    [HUAWEI-wlan-ap-1] quit

    # Configure non-authentication for AP_1 to connect to an SVF system.

    [HUAWEI-wlan-view] ap auth-mode no-auth
    [HUAWEI-wlan-view] quit
  4. Power on AP_1 and connect AP_1 to AS_3 using cables.

    # After connecting the cables, run the display ap all command to check whether AP_1 has connected to the SVF system successfully.

    [HUAWEI] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------------------
    ID   MAC             Name             Group     IP               Type            State STA Uptime
    -------------------------------------------------------------------------------------------------
    1    ac85-3da6-a420  ac85-3da6-a420   default   192.168.11.254   AP5010DN-AGN    nor   0   6H:3M:40S
    -------------------------------------------------------------------------------------------------
    Total: 1

Configure a PC to connect to an AS. The following example describes how to connect PC_1 to AS_3, and the procedure for connecting PC_2 to AS_2 is not mentioned here.

  1. Create a network basic profile.

    [HUAWEI] uni-mng
    [HUAWEI-um] network-basic-profile name profile_1
    [HUAWEI-um-net-basic-profile_1] user-vlan 100
    [HUAWEI-um-net-basic-profile_1] quit
    [HUAWEI-um] quit
  2. Create a user access profile.

    [HUAWEI] dot1x-access-profile name 1
    [HUAWEI-dot1x-access-profile-1] quit
    [HUAWEI] authentication-profile name dot1x_auth
    [HUAWEI-authen-profile-dot1x_auth] dot1x-access-profile 1
    [HUAWEI-authen-profile-dot1x_auth] quit
    [HUAWEI] uni-mng
    [HUAWEI-um] user-access-profile name pro1
    [HUAWEI-um-user-access-pro1] authentication-profile dot1x_auth
    [HUAWEI-um-user-access-pro1] quit
  3. Create a port group, and bind the network basic profile and user access profile to the group.

    [HUAWEI-um] port-group name group1
    [HUAWEI-um-portgroup-group1] network-basic-profile profile_1
    [HUAWEI-um-portgroup-group1] user-access-profile pro1
    [HUAWEI-um-portgroup-group1] as name as3 interface gigabitethernet 0/0/23
    [HUAWEI-um-portgroup-group1] quit
    [HUAWEI-um] commit as name as3
    [HUAWEI-um] quit
  4. Configure PC_1 to connect to AS_3.

    [HUAWEI] aaa
    [HUAWEI-aaa] authentication-scheme sch1
    [HUAWEI-aaa-authen-sch1] authentication-mode none
    [HUAWEI-aaa-authen-sch1] quit
    [HUAWEI-aaa] domain pc
    [HUAWEI-aaa-domain-pc] authentication-scheme sch1
    [HUAWEI-aaa-domain-pc] quit
    [HUAWEI-aaa] quit
  5. Check whether the user has connected to the SVF system.

    If the user is dynamically configured to connect to an SVF system, perform shutdown and undo shutdown operations to reconnect the wired user to the SVF system. Run the display access-user command to check whether the user has connected to the SVF system.

    [HUAWEI] uni-mng
    [HUAWEI-um] as name as3
    [HUAWEI-um-as-as3] shutdown interface gigabitethernet 0/0/23
    [HUAWEI-um-as-as3] undo shutdown interface gigabitethernet 0/0/23
    [HUAWEI-um-as-as3] quit
    [HUAWEI-um] quit

Free Mobility Configuration Procedure

  1. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

    # Create and configure a RADIUS server template rd1.

    [HUAWEI] radius-server template rd1
    [HUAWEI-radius-rd1] radius-server authentication 192.168.2.31 1812
    [HUAWEI-radius-rd1] radius-server shared-key cipher Huawei@123
    [HUAWEI-radius-rd1] quit

    # Create an AAA authentication scheme abc, and set the authentication mode to RADIUS.

    [HUAWEI] aaa
    [HUAWEI-aaa] authentication-scheme abc
    [HUAWEI-aaa-authen-abc] authentication-mode radius
    [HUAWEI-aaa-authen-abc] quit

    # Create an authentication domain isp1, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.

    [HUAWEI-aaa] domain isp1
    [HUAWEI-aaa-domain-isp1] authentication-scheme abc
    [HUAWEI-aaa-domain-isp1] radius-server rd1
    [HUAWEI-aaa-domain-isp1] quit
    [HUAWEI-aaa] quit

    # Configure a global default domain isp1. If a user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.

    [HUAWEI] domain isp1
  2. Configure 802.1X authentication and web authentication.

    # Create and configure a Portal server template abc.

    [HUAWEI] web-auth-server abc
    [HUAWEI-web-auth-server-abc] server-ip 192.168.2.31
    [HUAWEI-web-auth-server-abc] url http://192.168.2.31:50200/webagent
    [HUAWEI-web-auth-server-abc] shared-key cipher Huawei@123
    [HUAWEI-web-auth-server-abc] quit

    # Enable 802.1X authentication and web authentication on GE1/1/0/1.

    [HUAWEI] interface gigabitethernet 1/1/0/1
    [HUAWEI-GigabitEthernet1/1/0/1] authentication dot1x portal
    [HUAWEI-GigabitEthernet1/1/0/1] web-auth-server abc direct   //Bind the Portal server template to GE1/1/0/1.
    [HUAWEI-GigabitEthernet1/1/0/1] quit

    # Enable the free mobility function, and configure an IP address for the Agile Controller server and a password used for communicating with the Agile Controller.

    [HUAWEI] group-policy controller 192.168.2.31 password Huawei@123
  3. Perform the following configurations on the Agile Controller.

    Screenshots on the Agile Controller are not provided here. For details, see the Agile Controller product documents.

    1. Create user accounts in source security groups. For example, you can configure user names, passwords, and departments for common guests, undergraduates, postgraduates, and teachers.
    2. Configure RADIUS, Portal, and XMPP parameters, and add the core switch to ensure that the S series switches can communicate with the Agile Controller.
    3. Configure source security groups and destination security groups to indicate users and resources respectively. For example, the IP address of the public resource server is 10.10.1.1/32.
    4. Use fast authorization to authorize a source security group to the corresponding department. Users are mapped to the source security group after being authenticated.
    5. Configure access control policies and specify whether users in a source security group are permitted to access a destination security group. Deploy the access control policies on all devices on the network. For example, common guests can only access the public resources, and cannot access the education management system and internal FTP resources.

Table 1-13  Security groups and access control policies configured on the Agile Controller

Source Security Group (User)  | Destination Security Group (Resource)                         | Access Control Policy
Common guest                  | Public resources (bound IP address: 10.10.1.1/32)             | Permit
Common guest                  | Education management system (bound IP address: 10.10.2.1/32)  | Forbid
Common guest                  | FTP resources (bound IP address: 10.10.3.1/32)                | Forbid
Undergraduate or postgraduate | Public resources (bound IP address: 10.10.1.1/32)             | Permit
Undergraduate or postgraduate | Education management system (bound IP address: 10.10.2.1/32)  | Forbid
Undergraduate or postgraduate | FTP resources (bound IP address: 10.10.3.1/32)                | Permit
Teacher                       | Public resources (bound IP address: 10.10.1.1/32)             | Permit
Teacher                       | Education management system (bound IP address: 10.10.2.1/32)  | Permit
Teacher                       | FTP resources (bound IP address: 10.10.3.1/32)                | Permit
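The access control matrix in Table 1-7 and Table 1-13 is small enough to check by eye, but the property it relies on, that the decision depends only on the source and destination security groups and not on the location or IP address a user connects from, and that anything the matrix does not cover is denied, is worth making explicit. The following is an added example, not part of the page or of the Agile Controller; the department names, resolve_dest_group, decide and coverage_gaps are this example's own, while the groups, bound addresses and permit/forbid values are taken from the two tables.

```python
"""Free-mobility access control matrix from Tables 1-7 and 1-13 as code.

Added example, not part of the page or of the Agile Controller. It models the
three things the tables encode: destination security groups bound to IP
prefixes, source security groups assigned to users at authentication, and the
permit/forbid matrix between them. Anything the tables do not cover (an
unbound destination, an unmapped user, a missing pair) is denied, and
coverage_gaps() lists the pairs that would silently fall to that default,
which is what happens when a new resource group is added without policies.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Destination security groups and their bound addresses (values from the page).
DEST_GROUPS: Dict[str, List[str]] = {
    "public": ["10.10.1.1/32"],
    "edu_mgmt": ["10.10.2.1/32"],
    "ftp": ["10.10.3.1/32"],
}

# (source group, destination group) -> action, as in Table 1-13.
POLICIES: Dict[Tuple[str, str], str] = {
    ("guest", "public"): "permit",   ("guest", "edu_mgmt"): "forbid",   ("guest", "ftp"): "forbid",
    ("student", "public"): "permit", ("student", "edu_mgmt"): "forbid", ("student", "ftp"): "permit",
    ("teacher", "public"): "permit", ("teacher", "edu_mgmt"): "permit", ("teacher", "ftp"): "permit",
}

# Department -> source security group, i.e. the "fast authorization" mapping applied
# after a user authenticates. The department names are constructed for this example.
DEPT_TO_GROUP: Dict[str, str] = {
    "visitor": "guest", "undergraduate": "student", "postgraduate": "student", "faculty": "teacher",
}


def resolve_dest_group(dst_ip: str, dest_groups: Dict[str, List[str]] = DEST_GROUPS) -> Optional[str]:
    """Longest-prefix match of a destination address against the bound prefixes."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[str, int]] = None
    for group, prefixes in dest_groups.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (group, net.prefixlen)
    return best[0] if best else None


def decide(department: str, dst_ip: str) -> Tuple[str, str]:
    """Return (action, reason) for a flow from an authenticated user to dst_ip.

    The user's own IP address and access location are deliberately not inputs:
    the free mobility policy is the same wherever the user connects from.
    """
    src = DEPT_TO_GROUP.get(department)
    if src is None:
        return "forbid", f"department {department} is mapped to no source security group"
    dst = resolve_dest_group(dst_ip)
    if dst is None:
        return "forbid", f"{dst_ip} is bound to no destination security group"
    action = POLICIES.get((src, dst))
    if action is None:
        return "forbid", f"no explicit policy for ({src}, {dst})"
    return action, f"policy ({src}, {dst}) = {action}"


def coverage_gaps(policies: Dict[Tuple[str, str], str] = POLICIES,
                  dest_groups: Dict[str, List[str]] = DEST_GROUPS) -> List[Tuple[str, str]]:
    """Pairs with no explicit policy; these fall to the implicit deny."""
    sources = sorted(set(DEPT_TO_GROUP.values()))
    return [(s, d) for s in sources for d in sorted(dest_groups) if (s, d) not in policies]
```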

Wired and Wireless Convergence Configuration Procedure

After wired and wireless convergence is configured on an agile switch, you do not need to individually configure the switch and independent AC or ACU2; you can perform configurations on the switch directly.

  1. Configure the S12708 to function as a DHCP server to assign IP addresses to PCs and STAs. The S12708 assigns IP addresses to APs through SVF. You do not need to configure the S12708 to assign IP addresses to APs. The following example describes how the S12708 assigns IP addresses to the PCs and STAs in teaching area 1.

    # Configure the S12708 to assign an IP address to PC_1 from the global address pool.

    <HUAWEI> system-view
    [HUAWEI] dhcp enable
    [HUAWEI] vlan batch 100 202
    [HUAWEI] interface vlanif 100
    [HUAWEI-Vlanif100] ip address 192.168.100.1 24
    [HUAWEI-Vlanif100] dhcp select global
    [HUAWEI-Vlanif100] quit
    [HUAWEI] ip pool 100
    [HUAWEI-ip-pool-100] gateway-list 192.168.100.1
    [HUAWEI-ip-pool-100] network 192.168.100.0 mask 24
    [HUAWEI-ip-pool-100] quit

    # Configure the S12708 to assign IP addresses to STAs from the global address pool. The IP addresses in the address pool 202 are assigned to the STAs connected to AP_1, and the IP addresses in the address pool 204 are assigned to the STAs connected to AP_2.

    The following example describes how the S12708 assigns IP addresses to the STAs connected to AP_1.

    [HUAWEI] interface vlanif 202
    [HUAWEI-Vlanif202] ip address 192.168.202.1 24
    [HUAWEI-Vlanif202] dhcp select global
    [HUAWEI-Vlanif202] quit
    [HUAWEI] ip pool 202
    [HUAWEI-ip-pool-202] gateway-list 192.168.202.1
    [HUAWEI-ip-pool-202] network 192.168.202.0 mask 24
    [HUAWEI-ip-pool-202] quit
  2. Configure an AP to go online.

    # Create an AP group to which the APs with the same configuration can be added.

    [HUAWEI] wlan
    [HUAWEI-wlan-view] ap-group name ap-group1
    [HUAWEI-wlan-ap-group-ap-group1] quit

    # Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.

    [HUAWEI-wlan-view] regulatory-domain-profile name domain1
    [HUAWEI-wlan-regulate-domain-domain1] country-code cn
    [HUAWEI-wlan-regulate-domain-domain1] quit
    [HUAWEI-wlan-view] ap-group name ap-group1
    [HUAWEI-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
    Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
    [HUAWEI-wlan-ap-group-ap-group1] quit
    [HUAWEI-wlan-view] quit

    # Configure the AC's source interface.

    [HUAWEI] capwap source interface vlanif 11

    # Add an AP to the AP group ap-group1. In this example, the AP's MAC address is ac85-3da6-a420.

    [HUAWEI] wlan
    [HUAWEI-wlan-view] ap-id 1 ap-mac ac85-3da6-a420
    [HUAWEI-wlan-ap-1] ap-name area_1
    [HUAWEI-wlan-ap-1] ap-group ap-group1
    Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
    [HUAWEI-wlan-ap-1] quit

    # After the AP is powered on, run the display ap all command to check the AP state. If the State field displays nor, the AP has gone online.

    [HUAWEI-wlan-view] display ap all
    Total AP information:
    nor  : normal          [1]
    -------------------------------------------------------------------------------------
    ID   MAC            Name   Group     IP             Type            State STA Uptime
    -------------------------------------------------------------------------------------
    1    ac85-3da6-a420 area_1 ap-group1 192.168.11.254 AP5010DN-AGN    nor   0   10S
    -------------------------------------------------------------------------------------
    Total: 1
  3. Configure WLAN service parameters.

    # Create the security profile security and set the security policy in the profile.

    NOTE:

    In this example, the security policy is set to WPA2+PSK+AES and password to huawei123. In actual situations, the security policy must be configured according to service requirements.

    [HUAWEI-wlan-view] security-profile name security
    [HUAWEI-wlan-sec-prof-security] security wpa2 psk pass-phrase huawei123 aes
    [HUAWEI-wlan-sec-prof-security] quit

    # Create the SSID profile area1 and set the SSID name to area1.

    [HUAWEI-wlan-view] ssid-profile name area1
    [HUAWEI-wlan-ssid-prof-area1] ssid area1
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [HUAWEI-wlan-ssid-prof-area1] quit

    # Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply the security profile and SSID profile to the VAP profile.

    [HUAWEI-wlan-view] vap-profile name wlan-vap
    [HUAWEI-wlan-vap-prof-wlan-vap] forward-mode direct-forward
    Warning: This action may cause service interruption. Continue?[Y/N]y
    [HUAWEI-wlan-vap-prof-wlan-vap] service-vlan vlan-id 202
    [HUAWEI-wlan-vap-prof-wlan-vap] security-profile security
    [HUAWEI-wlan-vap-prof-wlan-vap] ssid-profile area1
    [HUAWEI-wlan-vap-prof-wlan-vap] quit

    # Bind the VAP profile wlan-vap to radio 0 and radio 1 of the AP group.

    [HUAWEI-wlan-view] ap-group name ap-group1
    [HUAWEI-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
    [HUAWEI-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
    [HUAWEI-wlan-ap-group-ap-group1] quit
  4. Commit the configuration.

    [HUAWEI-wlan-view] commit all   //From V200R011C10, WLAN configurations are delivered automatically and the commit all command is not required.
    Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

iPCA Configuration Procedure

NOTE:

iPCA can be performed to detect packet loss on agile switches and between agile switches. If you want to detect packet loss between the main campus and branch campus networks, agile switches need to be deployed on both networks.

Configure the packet loss measurement function for a device.

  1. Enable iPCA on each device to implement packet loss measurement so that you can know packet loss in a timely manner. Configure the packet loss alarm on each device.

    [HUAWEI] iplpm global loss-measure alarm enable   //Enable the packet loss alarm and clear alarm on the device.
    [HUAWEI] iplpm global loss-measure enable   //Enable packet loss measurement.
  2. Run the display iplpm loss-measure statistics global command to check the packet loss measurement results on a device. You can check the values of Loss Packets and LossRatio to know whether packet loss occurs on a device.

    [HUAWEI] display iplpm loss-measure statistics global
    Latest global loss statistics:
    --------------------------------------------------------------------------------
     StartTime(DST)        Loss Packets            LossRatio         ErrorInfo
    --------------------------------------------------------------------------------
     2015-06-12 18:47      344127                  4.513519%         OK
     2015-06-12 18:47      381085                  4.513196%         OK
     2015-06-12 18:47      381192                  4.513290%         OK
     2015-06-12 18:47      381339                  4.513341%         OK
     2015-06-12 18:47      381465                  4.513392%         OK
     2015-06-12 18:47      381444                  4.513487%         OK
     2015-06-12 18:47      381129                  4.513309%         OK
    --------------------------------------------------------------------------------

Configure the end-to-end packet loss measurement function.

  1. Configure the core switches in the main campus.

    [HUAWEI] nqa ipfpm dcp   //Enable the DCP function globally.
    [HUAWEI-nqa-ipfpm-dcp] dcp id 1.1.1.1   //Configure the DCP ID.
    [HUAWEI-nqa-ipfpm-dcp] instance 1
    [HUAWEI-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
    [HUAWEI-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24   //Set the target flow to a bidirectional symmetrical flow.
    [HUAWEI-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress   //Color the target flows that enter the network.
    [HUAWEI-nqa-ipfpm-dcp-instance-1] quit
    [HUAWEI-nqa-ipfpm-dcp] quit
    [HUAWEI] interface gigabitethernet 3/1/0/1   //Specify the interface connecting to the core switch in the branch campus.
    [HUAWEI-GigabitEthernet3/1/0/1] ipfpm tlp 1   //Bind a Target Logical Port (TLP) to the interface.
    [HUAWEI-GigabitEthernet3/1/0/1] quit
    [HUAWEI] interface gigabitethernet 3/1/0/2   //Specify the interface connecting to the core switch in the branch campus.
    [HUAWEI-GigabitEthernet3/1/0/2] ipfpm tlp 1   //Bind a TLP to the interface.
    [HUAWEI-GigabitEthernet3/1/0/2] quit
    [HUAWEI] nqa ipfpm dcp
    [HUAWEI-nqa-ipfpm-dcp] instance 1
    [HUAWEI-nqa-ipfpm-dcp-instance-1] loss-measure enable continual   //Enable the continual packet loss measurement function for the DCP instance.
    [HUAWEI-nqa-ipfpm-dcp-instance-1] quit
    [HUAWEI-nqa-ipfpm-dcp] quit
  2. Configure the core switches in the branch campus.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] nqa ipfpm dcp
    [Switch-nqa-ipfpm-dcp] dcp id 2.2.2.2
    [Switch-nqa-ipfpm-dcp] instance 1
    [Switch-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
    [Switch-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
    [Switch-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
    [Switch-nqa-ipfpm-dcp-instance-1] quit
    [Switch-nqa-ipfpm-dcp] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] ipfpm tlp 2
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] nqa ipfpm dcp
    [Switch-nqa-ipfpm-dcp] instance 1
    [Switch-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
    [Switch-nqa-ipfpm-dcp-instance-1] quit
    [Switch-nqa-ipfpm-dcp] quit
    [Switch] nqa ipfpm mcp   //Enable the MCP function globally.
    [Switch-nqa-ipfpm-mcp] mcp id 2.2.2.2   //Create an MCP.
    [Switch-nqa-ipfpm-mcp] instance 1
    [Switch-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1
    [Switch-nqa-ipfpm-mcp-instance-1] dcp 2.2.2.2
    [Switch-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 7 lower-limit 5   //Set the packet loss alarm threshold to 7% and the clear alarm threshold to 5% for the MCP instance.
    [Switch-nqa-ipfpm-mcp-instance-1] quit
    [Switch-nqa-ipfpm-mcp] quit
    [Switch] quit
  3. Verify the configurations.

    # Run the display ipfpm statistic-type loss instance 1 command on the core switches in the branch campus to view the packet loss measurement results.

    <Switch> display ipfpm statistic-type loss instance 1
    Latest loss statistics of forward flow:
    Unit: p - packet, b - byte
    ------------------------------------------------------------------------------------------
    Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
    ------------------------------------------------------------------------------------------
    127636768            381549               4.514649%     40444194             4.514649%
    127636767            381528               4.514620%     40441968             4.514620%
    127636766            381318               4.514996%     40419708             4.514996%
    127636765            381192               4.514686%     40406352             4.514686%
    127636764            381381               4.514679%     40426386             4.514679%
    127636763            381402               4.514748%     40428612             4.514748%
    127636762            381081               4.514797%     40394586             4.514797%
    127636761            381324               4.514702%     40420344             4.514702%
    127636760            381549               4.514870%     40444194             4.514870%
    127636759            381066               4.514638%     40392996             4.514638%
    127636758            381570               4.514836%     40446420             4.514836%
    127636757            382452               4.514757%     40539912             4.514757%

    Latest loss statistics of backward flow:
    Unit: p - packet, b - byte
    ------------------------------------------------------------------------------------------
    Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
    ------------------------------------------------------------------------------------------
    127636768            381087               4.513306%     40395222             4.513306%
    127636767            381129               4.513384%     40399674             4.513384%
    127636766            381465               4.513444%     40435290             4.513444%
    127636765            381087               4.513222%     40395222             4.513222%
    127636764            381045               4.513272%     40390770             4.513272%
    127636763            381381               4.513364%     40426386             4.513364%
    127636762            381276               4.513435%     40415256             4.513435%
    127636761            380961               4.513280%     40381866             4.513280%
    127636760            381339               4.513574%     40421934             4.513574%
    127636759            381045               4.513270%     40390770             4.513270%
    127636758            381088               4.513226%     40395328             4.513226%
    127636757            382409               4.513464%     40535354             4.513464%
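The per-device alarm in step 1 of the iPCA procedure and the MCP thresholds in step 2 (upper-limit 7, lower-limit 5) both raise an alarm when the loss ratio crosses the upper limit and clear it only once the ratio falls back under the lower limit. The following Python script is an added example, not part of the Huawei document: it parses the column layout of the display ipfpm statistic-type loss output above and replays that alarm/clear hysteresis over constructed rows, so an operator can see which periods would have alarmed and which would not. The raise-above/clear-below semantics and the sample periods are my assumptions.

```python
"""Added example (not from the Huawei document): parse the 'display ipfpm
statistic-type loss' table and replay the alarm/clear hysteresis of
'loss-measure ratio-threshold upper-limit 7 lower-limit 5'."""
import re
from typing import List, Tuple

# Constructed sample output in the same column layout as the page's table
# (Period, Loss(p), LossRatio(p), Loss(b), LossRatio(b)). Rows are listed
# oldest first so the replay below reads in time order. The second row spikes
# above 7%, the third sits between 5% and 7%, the fourth drops below 5%.
SAMPLE_OUTPUT = """\
Latest loss statistics of forward flow:
Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period               Loss(p)              LossRatio(p)  Loss(b)              LossRatio(b)
------------------------------------------------------------------------------------------
127636768            381549               4.514649%     40444194             4.514649%
127636769            612014               7.240110%     64873484             7.240110%
127636770            520330               6.150000%     55154980             6.150000%
127636771            381528               4.514620%     40441968             4.514620%
"""

# One data row: period, lost packets, packet loss ratio, lost bytes, byte loss ratio.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)%\s*$")


def parse_loss_rows(output: str) -> List[Tuple[int, int, float]]:
    """Return (period, lost_packets, loss_ratio_percent) for each data row;
    header, separator and unit lines do not match ROW_RE and are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
    return rows


def alarm_state_transitions(rows, upper_limit: float = 7.0, lower_limit: float = 5.0):
    """Replay the MCP alarm logic (assumed semantics): raise when the ratio
    exceeds upper_limit, clear only once it drops below lower_limit. Values
    between the two limits keep the current state, which is the hysteresis
    that prevents alarm flapping on a link hovering around one threshold."""
    alarm = False
    events = []
    for period, _lost, ratio in rows:
        if not alarm and ratio > upper_limit:
            alarm = True
            events.append((period, "ALARM"))
        elif alarm and ratio < lower_limit:
            alarm = False
            events.append((period, "CLEAR"))
    return events
```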

Summary and Recommendations

In this document, the application of S series agile switches on the agile network in the education industry is taken as an example to describe the application and key configurations of agile features of agile switches.

  • Wired and wireless convergence

    Agile switches have native AC cards installed to converge wired and wireless networks into one network, simplifying the configuration and maintenance of wired and wireless networks. The high switching capability and scalability of agile switches eliminate bottlenecks in centralized traffic forwarding when independent ACs or AC cards are used.

  • Free mobility

    Free mobility enables the unified management of users' identity information on the entire network. It ensures that a user can have the same network access rights and enjoy the same service experience when using different IP addresses to access the network from different locations.

  • SVF

    The SVF technology virtualizes core, aggregation, and access switches on a network into one super switch. The core switch uniformly delivers configurations to and manages aggregation and access switches.

  • iPCA

    iPCA collects statistics of packets that each device sends and forwards on one or multiple paths. If a packet is lost, eSight can immediately detect the packet loss and locate where the packet was lost. iPCA realizes real-time monitoring of real service traffic.

The agile features of S series switches are being developed and optimized. In the future, S series switches will be more widely used on agile networks.

For more information, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

