How to configure Link Aggregation and Security Policy?


The global configuration of link aggregation and queue scheduling based on priorities ensures service reliability. The global configuration of security policies ensures service security.
 
Context
Link aggregation provides a higher bandwidth and uplink reliability for optical line terminals (OLTs) by aggregating multiple uplink Ethernet ports to one link aggregation group (LAG). Link aggregation is recommended.
Congestion control places the packets to be sent from a port into multiple queues that are marked with different priorities. Then, the packets are sent based on queue priorities. Congestion control is recommended.
Security policies ensure system, user, and service security.
NOTE:
Enable a service security function based on the service type.
 
Procedure
  • Configure link aggregation.

The following configurations are used as an example to configure link aggregation:
  • Uplink ports 0/19/0 and 0/19/1 are added to a LAG.

  • The two ports send packets upstream based on the packets' source MAC addresses.

  • The LAG works in Link Aggregation Control Protocol (LACP) static aggregation mode.

huawei(config)#link-aggregation 0/19 0-1 ingress workmode lacp-static
 
  • Configure queue scheduling.

According to quality of service (QoS) planning principles, all packets are scheduled in strict priority (SP) mode and mapped to queues according to the packets' priorities. For details about QoS planning principles.
huawei(config)#queue-scheduler strict-priority
huawei(config)#cos-queue-map cos0 0 cos4 4 cos5 5 cos6 6
 
  • Configure system security.

  • Enable DoS anti-attack on the OLT.

1.Run the security anti-dos enable command to globally enable DoS anti-attack.

2.Run the security anti-dos control-packet policy command to configure a protocol packet processing policy that will be used when a DoS attack occurs.

3.Run the security anti-dos control-packet rate command to configure the threshold for the rate of sending protocol packets to the CPU.

  • Enable IP address anti-attack on the OLT.

Run the security anti-ipattack enable command to enable IP address anti-attack.


  • Configure user security.

  • Enable MAC address anti-flapping on the OLT.

Run the security anti-macduplicate enable command to enable MAC address anti-flapping.

  • Enable MAC address anti-spoofing on the OLT.
1.In global config mode, run the security anti-macspoofing enable command to globally enable MAC address anti-spoofing.
2.Enable MAC address anti-spoofing at VLAN level in global config mode or service profile mode:
  a.In global config mode, run the security anti-macspoofing vlan command to enable MAC address anti-spoofing.
  b.In global config mode, run the vlan service-profile command to create a VLAN service profile.
  c.Perform the following operations to enable MAC address anti-spoofing in VLAN service profile mode:
      i.Run the security anti-macspoofing enable command to enable MAC address anti-spoofing at VLAN level.
      ii.Run the commit command to make the profile configuration take effect.

      iii.Run the quit command to quit the VLAN service profile mode.

      iv.Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.

3.(Optional) Run the security anti-macspoofing max-mac-count command to set the maximum number of MAC addresses that can be bound to a service flow.
4.(Optional) Run the security anti-macspoofing exclude command to configure the types of packets for which MAC address anti-spoofing does not take effect, such as Internet Group Management Protocol (IGMP) packets.
 
  • Enable IP address anti-spoofing on the OLT.

IP address anti-spoofing can be enabled or disabled at three levels: global, VLAN, and service port levels. This function takes effect only after it is enabled at the three levels. Among the three levels, IP address anti-spoofing is disabled only at the global level by default.
1.In global config mode, run the security anti-ipspoofing enable command to enable IP address anti-spoofing at the global level.
2.In VLAN service profile mode, run the security anti-ipspoofing enable command to enable IP address anti-spoofing at the VLAN level.
3.Run the security anti-ipspoofing service-port serviceport-id enable command to enable IP address anti-spoofing at the service port level.
 
  • Configure service security.

  • Enable Dynamic Host Configuration Protocol (DHCP) Option 82 on the OLT. This configuration is recommended for the DHCP-based Internet access service.

1.Enable DHCP Option 82 on the OLT.
DHCP Option 82 can be enabled or disabled at four levels: global, port, VLAN, and service port levels. This function takes effect only after it is enabled at the four levels. Among the four levels, DHCP Option 82 is disabled only at the global level by default.
  • The global level: In global config mode, run the dhcp option82 command to enable DHCP Option 82 at the global level.

    When you run this command, select the enable, forward, or rebuild parameter based on site requirements. The three parameters can all enable DHCP Option 82 but provide different packet processing policies on the OLT. For details, see the dhcp option82 command.

  • The port level: In global config mode, run the dhcp option82 port or dhcp option82 board command to enable DHCP Option 82 at the port level.

  • The VLAN level:

     a.In global config mode, run the vlan service-profile command to create a VLAN service profile.
     b.Run the dhcp option82 enable command to enable DHCP Option 82 at the VLAN level.
     c.Run the commit command to make the profile configuration take effect.
     d.Run the quit command to quit the VLAN service profile mode.
     e.Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.
  • The service port level: In global config mode, run the dhcp option82 service-port command to enable DHCP Option 82 at the service port level.

 
2.On the OLT, run the dhcp-option82 permit-forwarding service-port command with the enable parameter selected, to allow ONT DHCP packets to carry Option 82 information.
  • Enable Policy Information Transfer Protocol (PITP) on the OLT. This configuration is recommended for the PPPoE-based Internet access service.

1.Enable PITP on the OLT.
PITP can be enabled or disabled at four levels: global, port, VLAN, and service port levels. This function takes effect only after it is enabled at the four levels. Among the four levels, PITP is disabled only at the global level by default.
  • The global level: In global config mode, run the pitp enable pmode, pitp forward pmode, or pitp rebuild pmode command to enable PITP at the global level.

In the preceding commands, the enable, forward, and rebuild parameters can all enable PITP but provide different packet processing policies on the OLT. Select one of them based on site requirements. For details, see the pitp command.
  • The port level: In global config mode, run the pitp port or pitp board command to enable PITP at the port level.

  • The VLAN level:

       a.In global config mode, run the vlan service-profile command to create a VLAN service profile.
       b.Run the pitp enable command to enable PITP at the VLAN level.
       c.Run the commit command to make the profile configuration take effect.
       d.Run the quit command to quit the VLAN service profile mode.
       e.Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.
  • The service port level: In global config mode, run the pitp service-port command to enable PITP at the service port level.

 
2.On the OLT, run the pitp permit-forwarding service-port command with the enable parameter selected, to allow ONT PPPoE packets to carry a vendor tag.
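As an added check that is not part of the original procedure, the Python below audits a constructed configuration dump for the multi-level dependency described for IP address anti-spoofing (three levels), DHCP Option 82 and PITP (four levels each): a feature takes effect only when enabled at every level, so the script reports the levels that are still missing. Only the command names come from the procedure; the dump layout and the argument syntax of the sample lines are assumptions.

```python
import re
# Constructed OLT config dump; command names are from the procedure above, argument syntax is assumed.
SAMPLE_CONFIG = """\
security anti-ipspoofing enable
security anti-ipspoofing service-port 1 enable
dhcp option82 enable
dhcp option82 port 0/19/0 enable
dhcp option82 service-port 1 enable
pitp enable pmode
vlan service-profile profile-id 10
  security anti-ipspoofing enable
  dhcp option82 enable
quit
"""

# feature -> level -> (context, pattern); lines between "vlan service-profile" and "quit" are 'vlan-profile'.
RULES = {
    "ip anti-spoofing": {
        "global": ("global", r"^security anti-ipspoofing enable$"),
        "vlan": ("vlan-profile", r"^security anti-ipspoofing enable$"),
        "service-port": ("global", r"^security anti-ipspoofing service-port \d+ enable$"),
    },
    "dhcp option82": {
        "global": ("global", r"^dhcp option82 (enable|forward|rebuild)$"),
        "port": ("global", r"^dhcp option82 (port|board) "),
        "vlan": ("vlan-profile", r"^dhcp option82 enable$"),
        "service-port": ("global", r"^dhcp option82 service-port "),
    },
    "pitp": {
        "global": ("global", r"^pitp (enable|forward|rebuild) pmode$"),
        "port": ("global", r"^pitp (port|board) "),
        "vlan": ("vlan-profile", r"^pitp enable$"),
        "service-port": ("global", r"^pitp service-port "),
    },
}

def parse_config(text):
    """Yield (context, command) pairs, tracking VLAN service profile mode."""
    ctx = "global"
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.startswith("vlan service-profile"):
            ctx = "vlan-profile"   # entered profile mode
        elif line == "quit":
            ctx = "global"         # back to global config mode
        else:
            yield ctx, line

def missing_levels(text):
    """Map each feature to the levels where it is still disabled; an empty list means it takes effect."""
    entries = list(parse_config(text))
    return {feature: [lvl for lvl, (ctx, pat) in levels.items()
                      if not any(c == ctx and re.match(pat, cmd) for c, cmd in entries)]
            for feature, levels in RULES.items()}
```

In the sample, PITP is enabled only globally, so the check flags it as not yet effective while IP anti-spoofing and DHCP Option 82 pass.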