Fundamentals of 802.1x To understand 802.1x, let us define some fundamental terminology. Supplicant (Client) – In IEEE terminology, the supplicant refers to the client software that supports the 802.1x and EAP Protocols. The supplicant software may be integrated into the client operating system, included in the client device firmware, or implemented as add-in software. The term supplicant also refers to the actual client requesting access to the network, (“Overview of 802.1x”, n.d, Page 2). Authenticator – The device to which the supplicant directly connects and through which the supplicant obtains network access is known as authenticator. The authenticator could be LAN switch ports and Wireless Access Points (WAP). In case of LAN the switch must support 802.1x in order to work as authenticator. Authentication Server – As the name suggests, this is the actual source of authentication services provided to end points. Based on the username/password or the user credentials supplied to the server, it decides whether to allow or deny users access to the network. The 802.1x standard specifies that Remote Authentication Dial-In User Service (RADIUS) is the required Authentication Server that supports the following RFC’s: • RFC 2284 PPP Extensible Authentication Protocol (“PPP EAP”, 1998) • RFC 2865 -Remote Authentication Dial In User Service (“RADIUS”, 2000)) • RFC 2869 - RADIUS Extensions (“RADIUS Extension”, 2000) Port Access Entry (PAE) – The PAE refers to the processes executing the authentication protocols and algorithms associated with a port. PAE is the 802.1x “logical” component of the client and authenticator that exchange EAP messages. EAP – The Extensible Authentication Protocol RFC 2284 was originally written as an optional authentication mechanism for the Point-to-Point Protocol RFC 1661 (“ppp”, 1994). EAP is used between the client and the authenticator. EAP Messages are carried over different media depending upon the encapsulation method used by 802.1x. Some of the encapsulation methods are: • EAP over LAN (EAPOL) This encapsulation method defines how the EAP packets are encapsulated when transmitted over LAN media protocol like Ethernet, Token Ring or FDDI. • EAP over Wireless (EAPOW) Describes how EAP packets are encapsulated when transmitted over wireless media
Fundamentas of 802.1x
mesbah
Created: Feb 7, 2019 11:57:52Latest reply: Mar 10, 2019 08:04:09
497
1
7
0
- x
- convention:
|
Configuring Basic IGMP Functions
After the basic IGMP functions are configured on the interface that connects a multicast device to the user network segment, the hosts on the user network segment can access the multicast network and multicast packets can reach receivers. 2.2.1 Before You Start Before configuring basic IGMP functions, familiarize yourself with the usage scenario, pre-configuration tasks, and required data. This can help you complete the configuration task quickly and accurately. Usage Scenario IGMP is applicable to the network segment where routers are connected to hosts. routers and hosts need to run IGMP. This section only describes how to configure IGMP on routers. Before configuring IGMP, enable IP multicast routing. IP multicast routing is the precondition for configuring all multicast functions. If IP multicast routing is disabled, the multicast configurations are deleted. You need to enable IGMP on the interface connected to the hosts. Because the packet formats of IGMPv1, IGMPv2, and IGMPv3 are different, you need to specify the IGMP version for routers and hosts first (the later version at the router side is compatible with the earlier version at the host side). After this, perform other IGMP configurations. You can set an ACL rule so that the host joins specified multicast groups and receives packets from these groups. This ACL rule serves as a filter on the associated interface and limits the range of groups that an interface joins. Pre-configuration Tasks Before configuring basic IGMP functions, complete the following tasks: Configuring the link layer protocol parameters and an IP address for each interface to make the link protocol of the interface Up Configuring a unicast routing protocol to make IP routes between nodes reachable Data Preparation To configure basic IGMP functions, you need the following data. No. Data 1 (Optional) The name of VPN instance 2 IGMP version 3 (Optional) Group address and source address used to configure multicast static routes 4 (Optional) ACL rules defined to filter multicast group addresses NOTE: The configuration in the IGMP view is effective globally, whereas the configuration in the interface view is effective only on the interface. When the command is not used in the interface view, the global values set in the IGMP view are used. When the command is used in both views, the values set in the interface view are preferred. 2.2.2 Enabling IP Multicast Routing Enabling multicast routing is the first step for configuring multicast functions. Context Perform the following steps on the router connected to hosts: Procedure Run: system-view The system view is displayed. Run: multicast routing-enable IP multicast routing is enabled in the public network instance. By default, IPv4 multicast routing is not enabled in the public network instance. NOTICE: Configurations related to VPN instances are applicable only to Provider Edge (PE) devices. On the PE, if the VPN instance interface is connected to hosts, you need to perform following steps. (Optional) Run: ip vpn-instance vpn-instance-name The VPN instance view is displayed. (Optional) Run: ipv4-family The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address family view is displayed. (Optional) Run: route-distinguisher route-distinguisher An RD is configured for the VPN instance IPv4 address family. (Optional) Run: multicast routing-enable IP multicast routing is enabled in the VPN instance IPv4 address family. 2.2.3 Enabling Basic IGMP Functions After IGMP is enabled on the interface that connects a multicast device to the user network segment, the hosts on the user network segment can dynamically join the desired multicast groups. Context Perform the following steps on the router connecting hosts: Procedure Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. interface-type interface-number specified the interface connecting the host. (Optional) Run: pim dm or pim sm PIM is enabled. If IGMPv1 is run on an interface, you must enable PIM. This is because IGMPv1 does not the querier election. In IGMPv1, the querier is specified by PIM. If IGMPv2/v3 is run on an interface, PIM is recommended. Although IGMPv2/v3 supports the querier election, enabling PIM improves the system stability. Run: igmp enable IGMP is enabled. By default, IGMP is not enabled on the interface. NOTE: When the interface that connects a multicast device to the user network segment joins a multicast group in both dynamic and static modes, the interface preferentially joins the multicast group in static mode if a conflict occurs. 2.2.4 (Optional) Configuring IGMP Version The IGMP version needs to be configured on the interface that connects a multicast device to the user network segment. Ensure that all IGMP devices on the same network segment are configured with the same IGMP version. Otherwise, multicast function can not run normally. Context IGMP versions are classified as IGMPv1, IGMPv2, or IGMPv3. For the differences among the three versions, see the section "Protocol Comparison" in the HUAWEI NetEngine80E/40E Router Feature Description – IP Multicast – IGMP. You can select a desired IGMP version. NOTICE: All the devices on the same subnet must be configured with the same IGMP version. By default, IGMPv2 is used. Perform the following steps on the router connected to hosts. Procedure Configuration on an Interface Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. Run: igmp version { 1 | 2 | 3 } An IGMP version is configured for the interface. 2.2.5 (Optional) Configuring a Static IGMP Group After a static IGMP group is configured on the interface that connects a multicast device to the user network segment, the multicast device considers that the interface has multicast group members and keeps on forwarding matched multicast packets to the interface. Context Perform the following steps on the router connected to hosts: Procedure Run: system-view The system view is displayed. Run: interface interface-type interface-number The interface view is displayed. Choose one of the following configures to configure an interface to statically join one or more multicast groups To configure an interface to statically join one or multiple multicast groups, run: igmp static-group group-address [ inc-step-mask { group-mask | group-mask-length } number group-number ] [ source source-address ] To configure sub-interface for QinQ termination or dot1q termination to statically join one or multiple multicast groups, run: igmp static-group group-address [ inc-step-mask { group-mask | group-mask-length } number group-number ] { qinq pe-vid pe-vid ce-vid low-ce-vid [ to high-ce-vid ] | dot1q vid low-pe-vid [ to high-pe-vid ] } By default, the interface does not statically join any multicast group. After the interface joins the multicast groups, the router considers that the members of the multicast groups exist on the network segment where the interface resides. NOTE: The static group with VLAN tag can be configured only on the sub-interface for QinQ termination or the sub-interface for dot1q termination. When the interface that connects a multicast device to the user network segment joins a multicast group in both dynamic and static modes, the interface preferentially joins the multicast group in static mode if a conflict occurs. 2.2.6 (Optional) Configuring an Interface to Join a Multicast Group in a Certain Range When a host joins a multicast group, you can configure this function on the interface through which the multicast device is connected to the user network segment to limit the range of multicast groups that the host can join. Context Perform the following steps on the router connected to hosts: Procedure Run: system-view The system view is displayed. Configure a basic or an advanced ACL as needed. Configure a basic ACL. Run: acl [ number ] acl-number1 [ match-order { auto | config } ] A basic ACL is created, and the basic ACL view is displayed. Run: rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard | any } Rules are configured for the basic ACL. Configure an advanced ACL. Run: acl { [ number ] acl-number1 | name acl-name [ advance ] [ number acl-number2 ] } [ match-order { auto | config } ] An advanced ACL is created, and the advanced ACL view is displayed. Run: rule [ rule-id ] { deny | permit } ip [ destination { destination-ip-address destination-wildcard | any } | source { source-ip-address source-wildcard | any } ] * Rules are configured for the advanced ACL. If a basic ACL is used, run the rule command and set the source parameter to a multicast group address. If an advanced ACL is used, run the rule command, set the source parameter to sources address that are allowed to send multicast data to multicast groups, and set the destination parameter to a multicast group address. Run: quit Return to the system view. Run: interface interface-type interface-number The interface view is displayed. Run: igmp group-policy { acl-number | acl-name acl-name } [ 1 | 2 | 3 ] The range of multicast groups that the interface is allowed to join is configured. By default, the interface serves any multicast group. NOTE: If a multicast group matches an ACL rule and the action is permit, the interface allows hosts to join this group. If a multicast group matches an ACL rule and the action is deny, the interface does not allow hosts to join this group. If a multicast group does not match any ACL rule, the interface does not allow hosts to join this group. If a specified ACL does not exist or does not contain rules, the interface does not allow hosts to join any multicast group. 2.2.7 Checking the Configurations After configuring basic IGMP functions, check the configuration and running information about IGMP on the interface and memberships of IGMP multicast groups to ensure that IGMP runs properly. Procedure Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] interface [ interface-type interface-number | up | down ] [ verbose ] command to check the configuration and running of IGMP on an interface. Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] group [ group-address | interface interface-type interface-number ] * static command to check the members of static IGMP multicast groups. Run the display igmp [ vpn-instance vpn-instance-name | all-instance ] group [ group-address | interface interface-type interface-number ] * verbose command to check the detail information of members of an IGMP multicast group. |
|
Reply
Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:- Politically sensitive content
- Content concerning pornography, gambling, and drug abuse
- Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
* Including Third Party’s Trade Secret or No:
?
Third Party’s Trade Secret
Third Party’s Trade Secret refers to Third Party’s (other than Huawei’s) technical or commercial information which is unknown to the public, with commercial value, and kept confidential by Third Party. It may include without limitation Price Information, Roadmap, Commercial Authorization, Core Algorithm and Source Code. Should you have any questions, please contact e.support@huawei.com.
