Link aggregation and priority-based queue scheduling ensure service reliability, and security policies ensure service security. This article describes how to configure link aggregation and security policies.
Context
Link aggregation provides a higher bandwidth and uplink reliability for Huawei optical line terminals (such as Huawei MA5600T series, Huawei MA5800 series) by aggregating multiple uplink Ethernet ports to one link aggregation group (LAG).
Congestion control places the packets to be sent from a port into multiple queues that are marked with different priorities. Then, the packets are sent based on queue priorities.
Security policies ensure system, user, and service security.
NOTE: Enable a service security function based on the service type.
Procedure
Configure link aggregation.
The following configurations are used as an example to configure link aggregation:
Uplink ports 0/19/0 and 0/19/1 are added to a LAG.
The two ports send packets upstream based on the packets’ source MAC addresses.
The LAG works in Link Aggregation Control Protocol (LACP) static aggregation mode.
huawei(config)#link-aggregation 0/19 0-1 ingress workmode lacp-static
Configure queue scheduling.
According to quality of service (QoS) planning principles, all packets are scheduled in strict priority (SP) mode and mapped to queues according to the packets’ priorities. For details about QoS planning principles.
huawei(config)#queue-scheduler strict-priority
huawei(config)#cos-queue-map cos0 0 cos4 4 cos5 5 cos6 6
Configure system security.
Enable DoS anti-attack on the Huawei MA5800-X7.
1. Run the security anti-dos enable command to globally enable DoS anti-attack.
2. Run the security anti-dos control-packet policy command to configure a protocol packet processing policy that will be used when a DoS attack occurs.
3. Run the security anti-dos control-packet rate command to configure the threshold for the rate of sending protocol packets to the CPU.
Run the security anti-ipattack enable command to enable IP address anti-attack.
Configure user security.
Enable MAC address anti-flapping on the Huawei MA5800-X7.
Run the security anti-macduplicate enable command to enable MAC address anti-flapping.
Enable MAC address anti-spoofing on the Huawei MA5800-X7.
1. In global config mode, run the security anti-macspoofing enable command to globally enable MAC address anti-spoofing.
2. Enable MAC address anti-spoofing at VLAN level in global config mode or service profile mode:
a. In global config mode, run the security anti-macspoofing vlan command to enable MAC address anti-spoofing.
b. In global config mode, run the vlan service-profile command to create a VLAN service profile.
c. Perform the following operations to enable MAC address anti-spoofing in VLAN service profile mode:
i. Run the security anti-macspoofing enable command to enable MAC address anti-spoofing at VLAN level.
ii. Run the commit command to make the profile configuration take effect.
iii. Run the quit command to quit the VLAN service profile mode.
iv. Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.
3. (Optional) Run the security anti-macspoofing max-mac-count command to set the maximum number of MAC addresses that can be bound to a service flow.
4. (Optional) Run the security anti-macspoofing exclude command to configure the types of packets for which MAC address anti-spoofing does not take effect, such as Internet Group Management Protocol (IGMP) packets.
Enable IP address anti-spoofing on the Huawei MA5800-X7.
IP address anti-spoofing can be enabled or disabled at three levels: global, VLAN, and service port levels. This function takes effect only after it is enabled at the three levels. Among the three levels, IP address anti-spoofing is disabled only at the global level by default.
1. In global config mode, run the security anti-ipspoofing enable command to enable IP address anti-spoofing at the global level.
2. In VLAN service profile mode, run the security anti-ipspoofing enable command to enable IP address anti-spoofing at the VLAN level.
3. Run the security anti-ipspoofing service-port serviceport-id enable command to enable IP address anti-spoofing at the service port level.
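The three-level rule above can be checked before a change is applied. The following Python example is added here and is not Huawei's code or part of the original article: it replays a command script and reports the service ports on which IP address anti-spoofing actually takes effect. The CLI prompts, the disable keyword, the profile-id argument syntax and the port-to-VLAN inventory are assumptions or constructed sample data.

```python
import re

def effective_ip_antispoofing(script, port_vlan):
    """Map each service port to True if IP anti-spoofing takes effect on it.
    script: CLI lines in typed order, starting in global config mode;
    port_vlan: {service_port_id: vlan_id} inventory supplied by the caller."""
    global_on = False                       # page: only the global level defaults to off
    committed, pending = {}, {}             # profile id -> VLAN-level state
    vlan_profile = {}                       # VLAN id -> bound profile id
    port_on = {p: True for p in port_vlan}  # service-port level defaults to on
    profile = None                          # None means global config mode
    # Argument syntax (profile-id, disable) is assumed, not taken from the page.
    for raw in script:
        line = raw.split("#", 1)[-1].strip()            # drop the CLI prompt
        if m := re.fullmatch(r"vlan service-profile profile-id (\d+)", line):
            profile = int(m[1])
        elif m := re.fullmatch(r"security anti-ipspoofing (enable|disable)", line):
            if profile is None:
                global_on = m[1] == "enable"
            else:
                pending[profile] = m[1] == "enable"
        elif line == "commit" and profile in pending:
            committed[profile] = pending.pop(profile)   # profile change takes effect only now
        elif line == "quit":
            profile = None
        elif m := re.fullmatch(r"vlan bind service-profile (\d+) profile-id (\d+)", line):
            vlan_profile[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"security anti-ipspoofing service-port (\d+) (enable|disable)", line):
            port_on[int(m[1])] = m[2] == "enable"
    def vlan_on(vlan):                      # VLAN without a committed profile setting: default on
        return committed.get(vlan_profile.get(vlan), True)
    return {p: global_on and vlan_on(v) and port_on[p] for p, v in port_vlan.items()}

# Constructed session: profile 10 switches the VLAN level off for VLAN 100,
# and service port 3 is switched off individually.
SCRIPT = [
    "huawei(config)#security anti-ipspoofing enable",
    "huawei(config)#vlan service-profile profile-id 10",
    "huawei(config-vlan-srvprof-10)#security anti-ipspoofing disable",
    "huawei(config-vlan-srvprof-10)#commit",
    "huawei(config-vlan-srvprof-10)#quit",
    "huawei(config)#vlan bind service-profile 100 profile-id 10",
    "huawei(config)#security anti-ipspoofing service-port 3 disable",
]
PORTS = {1: 100, 2: 200, 3: 200}            # constructed service-port -> VLAN inventory

if __name__ == "__main__":
    for port, ok in effective_ip_antispoofing(SCRIPT, PORTS).items():
        print(f"service-port {port}: {'protected' if ok else 'NOT protected'}")
```

Only service port 2 ends up protected in this session: port 1 loses the VLAN level through the committed profile, and port 3 loses the service port level.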
Configure service security.
Enable Dynamic Host Configuration Protocol (DHCP) Option 82 on the Huawei MA5800-X7. This configuration is recommended for the DHCP-based Internet access service.
1. Enable DHCP Option 82 on the Huawei MA5800-X7.
DHCP Option 82 can be enabled or disabled at four levels: global, port, VLAN, and service port levels. This function takes effect only after it is enabled at the four levels. Among the four levels, DHCP Option 82 is disabled only at the global level by default.
The global level: In global config mode, run the dhcp option82 command to enable DHCP Option 82 at the global level.
When you run this command, select the enable, forward, or rebuild parameter based on site requirements. The three parameters can all enable DHCP Option 82 but provide different packet processing policies on the Huawei MA5800-X7. For details, please check the dhcp option82 command.
The port level: In global config mode, run the dhcp option82 port or dhcp option82 board command to enable DHCP Option 82 at the port level.
The VLAN level:
a. In global config mode, run the vlan service-profile command to create a VLAN service profile.
b. Run the dhcp option82 enable command to enable DHCP Option 82 at the VLAN level.
c. Run the commit command to make the profile configuration take effect.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.
The service port level: In global config mode, run the dhcp option82 service-port command to enable DHCP Option 82 at the service port level.
2. On the Huawei MA5800-X7, run the dhcp-option82 permit-forwarding service-port command with the enable parameter selected, to allow Huawei EG8141A5 DHCP packets to carry Option 82 information.
Enable Policy Information Transfer Protocol (PITP) on the Huawei MA5800-X7. This configuration is recommended for the PPPoE-based Internet access service.
1. Enable PITP on the Huawei MA5800-X7.
PITP can be enabled or disabled at four levels: global, port, VLAN, and service port levels. This function takes effect only after it is enabled at the four levels. Among the four levels, PITP is disabled only at the global level by default.
The global level: In global config mode, run the pitp enable pmode, pitp forward pmode, or pitp rebuild pmode command to enable PITP at the global level.
In the preceding commands, the enable, forward, and rebuild parameters can all enable PITP but provide different packet processing policies on Huawei MA5800-X7. Select one of them based on site requirements. For details, please check the pitp command.
The port level: In global config mode, run the pitp port or pitp board command to enable PITP at the port level.
The VLAN level:
a. In global config mode, run the vlan service-profile command to create a VLAN service profile.
b. Run the pitp enable command to enable PITP at the VLAN level.
c. Run the commit command to make the profile configuration take effect.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the created VLAN service profile to a VLAN.
The service port level: In global config mode, run the pitp service-port command to enable PITP at the service port level.
2. On the Huawei MA5800-X7, run the pitp permit-forwarding service-port command with the enable parameter selected, to allow EG8141A5 PPPoE packets to carry a vendor tag.
Link aggregation and security policies are recommended on Huawei MA5600T and MA5800 series OLTs to ensure the security of network services. This article helps you configure both.