
Revision Record (Do Not Print this Page)

Course Code: HCSCP1308
Product: USG6000
Product Version: V500R001
Course Version: V3.0

Author/ID                Date      Reviewer/ID          New/Update
Shi Xiaojian/wx296245    2017.02   Wang Rui/wx163689    Newly Developed
Lu Yueyue/wx445705       2017.12                        Optimization

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 1
Agile Network

www.huawei.com



Foreword
• The user access security technology is based on the terminal security control of the access network. It integrates terminal security with network access control to ensure the security of each terminal and the entire enterprise network. However, a traditional IP-based campus network implements user access control based on IP or MAC addresses.
• With the popularization of mobile terminals and the emergence of mobile office, users want to use various terminals to access networks anywhere, anytime, with a unified user experience. The Huawei agile network solution is a new enterprise network solution. Compared with traditional enterprise networks, agile networks are simpler, more flexible, and faster in configuration, maintenance, and service response. This document focuses on the application scenarios, working principles, and configuration methods of agile features.
Objectives
• Upon completion of this course, you will be able to:
  • Learn the agile network solution
  • Know the functions and principles of the agile network solution
  • Know the configurations of agile features

Contents
1. Principles of the Agile Network Solution
2. Configurations of Agile Features

Limitations of Traditional Networks
Limitations of IP-based campus network access authentication:
• Large workloads of access control and policy deployment: manually configuring access control policies based on IP addresses and VLANs requires heavy workloads and is difficult to maintain.
• Uncontrollable access rights: access rights are bound to IP addresses. When a user moves or the IP address changes, user rights are difficult to control.
• Inconsistent user experience: users cannot obtain the same priority and bandwidth when they connect to the network from different locations.

Breakthrough of Agile Network
• Identity-based service policy: different users use different service policies.
• Policy mobility: a policy can be executed anywhere, anytime, allowing users to move freely.
• Consistent user experience: different service levels for different users ensure a consistent user experience regardless of user location.
Application Scenarios of Free Mobility
[Figure: Free Mobility across an HQ campus and a branch, each with an Agile Controller, a firewall (FW), APs broadcasting employee and guest SSIDs, and a DC holding resources. Scenarios shown: mobile employee, teamwork office, user accessing the DC, mobile office with preferential selection of gateways, and wired office.]
Free Mobility and Admission Control
• The Free Mobility function provides a special access control mode. This function grants specified rights to users based on the access location, access time, access mode, and terminal type. Users enjoy the same rights and network experience as long as the access conditions remain unchanged.
[Figure: conditions evaluated before rights are granted to a user: Location (campus, home, or hotel), Terminal type (PC, pad, or dumb terminal), Time (workday or holiday, day or night), Access mode (wired, wireless, or VPN).]
Logical Architecture of Free Mobility Access Control
[Figure: three planes. Service management plane: the administrator defines the global group; the authentication server (authentication and authorization sub-system) and the policy server (service policy sub-system) keep groups synchronized. Network device plane: the authentication point authenticates users and receives the delivered authorization (Group ID); the policy enforcement point queries user group information from the authentication server using the reported user IP address and receives policies from the policy server. User plane: user terminals (authentication and access) and static resources. The legend distinguishes inter-component communication from user service traffic.]
Free Mobility Deployment
Step 1: Define a security group
  1. Define a security group.
  2. Add group members:
     • Dynamic type: selecting a user.
     • Static type: configuring a fixed IP address or network segment.
Step 2: Define and deploy group policies
  1. Define group policies:
     • Experience policy (VIP group forwarding priority).
     • Permission policy (whether inter-group communication is allowed).
  2. Deploy group policies:
     • The enforcement point interconnects with the policy server.
     • The policy server automatically delivers security groups and group policies to the device.
Step 3: System runs automatically
  1. Authentication: When a user tries to access a network, the authentication server authenticates the identity.
  2. Authorization: The authentication server matches the authorization policies based on the matching conditions and authorizes the user group. The enforcement point device dynamically adds the IP addresses of users to the group.
  3. Execution: Based on the mapping relationships between groups and IP addresses stored on the local host and the authentication server, network devices identify the source and destination group information of packets, and then match and execute group policies.
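The runtime steps above (authorize a user, add the user's IP address to its group, match each packet's source and destination groups against the group policy) as an added example, not code from the Huawei course: a small Python model of an enforcement point. Group names, IP ranges and policy entries are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Static members (Step 1): a fixed IP address or network segment bound to a group.
# Addresses are constructed; 10.10.11.0/24 mirrors the DC segment used in the slides.
STATIC_MEMBERS = [
    (ip_network("10.10.11.2/32"), "controller"),
    (ip_network("10.10.11.0/24"), "dc_servers"),
]
# Dynamic members: filled at authorization time, keyed by the user's IP address.
dynamic_members: Dict[str, str] = {}

# Permission policy (Step 2): is traffic from source group to destination group allowed?
PERMISSION = {
    ("vip", "dc_servers"): True,
    ("common", "dc_servers"): True,
    ("guest", "dc_servers"): False,
}
# Experience policy (Step 2): forwarding priority applied per source group.
PRIORITY = {"vip": "cs7", "common": "default", "guest": "default"}

def authorize(user_ip: str, group: str) -> None:
    """Step 3.2: after the authentication server authorizes a user group,
    the enforcement point adds the user's IP address to that group."""
    dynamic_members[str(ip_address(user_ip))] = group

def deauthorize(user_ip: str) -> None:
    """User went offline: remove the dynamic IP-to-group mapping."""
    dynamic_members.pop(str(ip_address(user_ip)), None)

def group_of(ip: str) -> Optional[str]:
    """Resolve an IP to a group: dynamic entries first, then the longest
    matching static prefix; None if the address belongs to no group."""
    addr = ip_address(ip)
    if str(addr) in dynamic_members:
        return dynamic_members[str(addr)]
    matches = [(net.prefixlen, g) for net, g in STATIC_MEMBERS if addr in net]
    return max(matches)[1] if matches else None

def enforce(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Step 3.3: identify source and destination groups of a packet and apply
    the group policy. Unknown groups and unlisted pairs are denied."""
    src, dst = group_of(src_ip), group_of(dst_ip)
    if src is None or dst is None or not PERMISSION.get((src, dst), False):
        return ("deny", "n/a")
    return ("permit", PRIORITY.get(src, "default"))
```

Note that a packet from an address that has not been authorized is denied even if the destination group would permit it, which is the default-deny behaviour a practitioner should expect from the enforcement point.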

Contents
1. Principles of the Agile Network Solution
2. Configurations of Agile Features

Free Mobility in the Campus Access Scenario
• Employees in the campus have fixed access and mobile access requirements, demanding consistent bandwidth, forwarding priority, and rights for accessing the DC and the Internet, regardless of their locations and access modes. The authentication point for wired and wireless users is deployed on the core switches.
[Figure: topology. The DNS server, mail server, and Agile Controller-Campus sit in the firewall DMZ (10.10.11.0/24, VLAN 11). The firewall connects to the core switch over VLANIF 10.10.10.0/24. The core switch is the authentication control point with AP gateway VLANIF 10: 192.168.10.1/24, wired gateway VLANIF 100: 192.168.100.1/24, and wireless gateway VLANIF 101: 192.168.101.1/24. An access switch below the core switch serves common users and a VIP user. Interfaces shown: firewall G1/0/3 and G1/0/2; core switch G1/0/11 and G1/0/10; access switch G0/0/3, G0/0/1, and G0/0/2.]
Configuration Flowchart
1. Configuration plan
2. Basic configuration
3. Core switch configuration
4. Firewall configuration
5. Agile Controller-Campus configuration
Firewall Configuration - Basic Configuration
• Configure the access switch.
  • Allocate VLANs.
  • Configure transparent transmission of 802.1X authentication packets.
• Configure the core switch.
  • Configure interfaces and VLANs, and enable the DHCP server function.
  • Configure the default route and set the next hop to the IP address of the interface connecting the firewall and the core switch.
• Configure parameters of the Agile Controller-Campus system to provide wireless access.
Core Switch Configuration - RADIUS Interconnection Parameters
• Configure RADIUS interconnection parameters.
  [S12700] radius-server template rd_temp // Create a RADIUS server template.
  [S12700-radius-rd_temp] radius-server authentication 10.10.11.2 1812 source ip-address 10.10.10.1
  [S12700-radius-rd_temp] radius-server accounting 10.10.11.2 1813 source ip-address 10.10.10.1
  [S12700-radius-rd_temp] radius-server shared-key cipher Admin@123
  [S12700] radius-server authorization 10.10.11.2 shared-key cipher Admin@123
  [S12700] aaa
  [S12700-aaa] authentication-scheme auth // Create an authentication scheme auth.
  [S12700-aaa-authen-auth] authentication-mode radius
  [S12700-aaa] accounting-scheme acco // Create an accounting scheme acco.
  [S12700-aaa-accounting-acco] accounting-mode radius
  [S12700-aaa-accounting-acco] accounting realtime 15
  [S12700-aaa] domain default
  [S12700-aaa-domain-default] radius-server rd_temp
  [S12700-aaa-domain-default] authentication-scheme auth
  [S12700-aaa-domain-default] accounting-scheme acco
Core Switch Configuration - Portal Interconnection Parameters
• Configure Portal interconnection parameters.
  [S12700] web-auth-server web_temp // Create a Portal server template.
  [S12700-web-auth-server-web_temp] server-ip 10.10.11.2
  [S12700-web-auth-server-web_temp] source-ip 10.10.10.1
  [S12700-web-auth-server-web_temp] port 50200 // Specify the port number used by the Portal server. The fixed port number is 50200.
  [S12700-web-auth-server-web_temp] shared-key cipher Admin@123
  [S12700-web-auth-server-web_temp] url http://access.example.com/portal // Specify the URL of the pushed Portal page.
• Configure authentication-free rules to enable APs to go online and terminals to access the DNS server.
  [S12700] authentication free-rule 1 destination ip 10.10.11.3 mask 32 source ip any
  [S12700] authentication free-rule 2 source vlan 10
Core Switch Configuration - Enable Wired Authentication
• Enable 802.1X and Portal authentication for wired access.
  [S12700] interface gigabitEthernet 1/0/10
  [S12700-GigabitEthernet1/0/10] authentication dot1x portal // Configure 802.1X + Portal authentication.
  [S12700-GigabitEthernet1/0/10] dot1x authentication-method eap // Configure 802.1X authentication in EAP mode.
  [S12700-GigabitEthernet1/0/10] web-auth-server web_temp direct // Configure Layer 2 Portal authentication.
  [S12700-GigabitEthernet1/0/10] domain name default force // Set the domain default as the forcible authentication domain for users going online through the interface.
• Configure XMPP interconnection parameters on the core switch for interconnection with the Agile Controller-Campus server to enable the Agile Controller-Campus to deploy service mobility policies on the core switch through the XMPP protocol.
  [S12700] group-policy controller 10.10.11.2 password Admin@123 src-ip 10.10.10.1 // src-ip is the IP address of the VLANIF 11 interface.
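As an added check that is not part of the course material, the following Python script parses the core switch RADIUS, Portal and XMPP commands shown above and reports mismatched interconnection parameters. The slide values are embedded as constructed input (prompts stripped); the check rules are mine, not Huawei's.

```python
import re
from typing import Dict, List

# Constructed input: the core-switch commands from the slides, prompts stripped.
CONFIG = """
radius-server authentication 10.10.11.2 1812 source ip-address 10.10.10.1
radius-server accounting 10.10.11.2 1813 source ip-address 10.10.10.1
radius-server shared-key cipher Admin@123
radius-server authorization 10.10.11.2 shared-key cipher Admin@123
server-ip 10.10.11.2
source-ip 10.10.10.1
port 50200
shared-key cipher Admin@123
group-policy controller 10.10.11.2 password Admin@123 src-ip 10.10.10.1
"""
# One regex per component; captured groups are stored as name0, name1, ...
PATTERNS = {
    "auth": r"^radius-server authentication (\S+) (\d+) source ip-address (\S+)",
    "acct": r"^radius-server accounting (\S+) (\d+) source ip-address (\S+)",
    "rkey": r"^radius-server shared-key cipher (\S+)",
    "authz": r"^radius-server authorization (\S+) shared-key cipher (\S+)",
    "pip": r"^server-ip (\S+)", "psrc": r"^source-ip (\S+)",
    "pport": r"^port (\d+)", "pkey": r"^shared-key cipher (\S+)",
    "xmpp": r"^group-policy controller (\S+) password (\S+) src-ip (\S+)",
}

def parse(text: str) -> Dict[str, str]:
    """Extract server addresses, source addresses, ports and keys by component."""
    fields: Dict[str, str] = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, text, re.M)
        for i, value in enumerate(m.groups() if m else ()):
            fields[f"{name}{i}"] = value
    return fields

def check(text: str) -> List[str]:
    """Return findings; an empty list means the interconnection parameters agree."""
    f, out = parse(text), []
    ctrl, src = f.get("xmpp0"), f.get("xmpp2")
    for k in ("auth0", "acct0", "authz0", "pip0"):   # every server must be the controller
        if f.get(k) != ctrl:
            out.append(f"{k}={f.get(k)} differs from controller address {ctrl}")
    for k in ("auth2", "acct2", "psrc0"):            # one source address everywhere
        if f.get(k) != src:
            out.append(f"{k}={f.get(k)} differs from XMPP src-ip {src}")
    if (f.get("auth1"), f.get("acct1"), f.get("pport0")) != ("1812", "1813", "50200"):
        out.append("RADIUS ports must be 1812/1813 and the Portal port the fixed 50200")
    if f.get("rkey0") == "Admin@123":
        out.append("shared key is the slide's example value; replace it before production")
    return out
```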

Firewall Configuration - Agile Controller-Campus Interconnection Parameters
• On the firewall, choose Object > Authentication Server > RADIUS to configure XMPP interconnection parameters for interconnection with the Agile Controller-Campus server.
• Create a RADIUS server (that is, the Agile Controller-Campus).
• Choose System > Agile Network Configuration. After completing the configuration, click Apply.
Agile Controller-Campus Configuration - Add Core Switches
• Choose Resource > Device > Device Management.
• Click Add to add a core switch.

Agile Controller-Campus Configuration - Add Firewalls
• Choose Resource > Device > Device Management.
• Click Add to add a firewall.

Agile Controller-Campus Configuration - Deploy the Security Zone
• Choose Policy > Permission Control > Security Group > Intranet Configuration to add fixed and mobile terminal IP address pools to the intranet segment, and add the IP addresses of the DNS server, the Agile Controller-Campus server, and the core switch VLANIF 11 to the pre-security domain.

Agile Controller-Campus Configuration - Deploy Access Right Control
• Choose Policy > Free Mobility > Security Object Configuration > Application Group to create a non_work application group, and add the work-unrelated applications to the group.
• Choose System > Terminal Configuration > Global Parameters, and set Service Mobility Configuration Mode to All Devices.
• Choose Policy > Free Mobility > Policy Configuration > Permission Control to add a general policy.

Agile Controller-Campus Configuration - Deploy QoS Policies
• Choose Policy > Free Mobility > Policy Configuration > QoS Policy.
• Click QoS Guarantee Priority and select High. On the displayed page, set the minimum total bandwidth to 10 Mbit/s.
• Drag the VIP, email server, and Internet security groups to the High area, and set the packet priority to cs7. The VIP security group maps to the email server and Internet security groups.

Verification
• Use the VIP account Andy and the common account Jack to separately perform authentication. After the authentication, run the following steps for verification:
  • On the Agile Controller-Campus, choose Resource > User > Online User Management to view users' login information and security groups.
  • On a core switch, run the display access-user command to view online users.
  • On a core switch, run the display access-user user-id <user ID> command to view users' login information, including their authentication methods (802.1X authentication or Portal authentication), terminal IP addresses, uplink and downlink bandwidth, and corresponding security groups. The user ID can be obtained from the online users viewed in the preceding operation.
  • On a firewall, choose Object > Agile Security Group > Agile Security Group to view the number of online users in a security group. Click an online user to view the terminal IP address and the user group of the user.

Quiz
1. Which of the following disadvantages does IP-based campus networks have?
( )
A. Heavy workload of access control and policy deployment
B. Difficult access right control
C. Inconsistent user experience
D. Limited number of IP addresses

2. Which of the following planes does the logical architecture of service mobility have? ( )
A. Service management plane
B. Network device plane
C. User plane
D. Authentication plane

Summary
• Principles of the Agile Network Solution
• Configurations of Agile Features

Thank You
www.huawei.com
