In this article I will describe how we (a small regional provider) configure access layer switches.
I will start with a brief overview of the hierarchical model of building a network, the functions recommended for each layer, and the layout of the network whose switch configuration I will use as the example. Then I will configure the switch according to the stated requirements.
Hierarchical network building model

So, the hierarchical model of building a switched network has three layers: the access layer, the distribution layer and the core layer. Splitting the network into layers makes it easier to handle: it simplifies scaling, device configuration, adding redundancy, network design and the like.
Each layer requires a certain set of functions; at the access layer (in a provider network) the devices need:
- Connecting end users at 100 Mbps
- Connection (preferably via SFP) to a distribution layer switch at 1 Gbit/s
- VLAN support
- Port security support
- ACL support
- Support for other security features (loopback detection, storm control, bpdu filtering, etc.)
Applied to a provider network, this gives the following picture:
- Residential building: access layer switch
- Microdistrict: distribution layer switch, to which the individual buildings are connected
- Data center (DPC): core layer switch, to which the individual neighborhoods are connected
At the distribution layer and, especially, at the core layer, advanced Cisco and/or Juniper switches are usually used, but at the access layer cheaper hardware has to be installed. As a rule this is D-Link (or Linksys, or Planet).
A few words about the network device
So, we have a first approximation of the access layer; now, before proceeding to the switch configuration itself, a few words about the network in which the switch has to operate.
First, we do not use a VLAN per user. The network is quite old and was started at a time when Q-in-Q was not yet a standard, so most of the old equipment does not support double tagging.
Secondly, we use PPPoE, and we do not use DHCP. That is, the client receives one public ("white") address over PPP; there is no home network segment at all.
Thirdly, all switches live in a separate VLAN allocated only for them, and all residential PPPoE clients also live together in one VLAN.
Switch Setup
As the test switch I will use a D-Link DES-3200-10, because:
- In our city, D-Link is the easiest to buy, so this brand is preferred over Planet, Linksys and other competitors.
- This switch has all the functionality we need.
So, let's go. All commands are given for the D-Link model above, but the same can easily be done on another vendor's device.
Based on the requirements for the access layer switch above, let us formulate what we want to configure on it and do it.
So, what we need to do:
Create two VLANs, one for clients and the other for managing the switch, and assign them to the switch ports: the 100 Mbit ports are client ports, the gigabit ports are uplinks.
create vlan USER tag 2
create vlan MANAGEMENT tag 3
config vlan USER add untagged 1-8
config vlan USER add tagged 9-10
config vlan MANAGEMENT add tagged 9-10
Configure port security, allowing no more than one MAC address per port (this is how we counter an undesirable and potentially dangerous situation in which a client connects a switch rather than a router to the provider's network, merging the broadcast domain of his home network with the provider's broadcast domain).
config port_security ports 1-8 admin_state enable max_learning_addr 1 lock_address_mode DeleteOnTimeout
Disable STP on client ports so that users' BPDU packets cannot disrupt the provider's network.
config stp version rstp
config stp ports 1-8 fbpdu disable state disable
Configure loopback detection so that 1) faulty network cards that reflect packets back and 2) users who create Layer 2 loops in their apartment do not disrupt the network.
enable loopdetect
config loopdetect recover_timer 1800
config loopdetect interval 10
config loopdetect ports 1-8 state enable
config loopdetect ports 9-10 state disable
Create an ACL that blocks non-PPPoE packets in the USER VLAN (blocking DHCP, IP, ARP and all other unnecessary protocols that would let users communicate with each other directly, bypassing the PPPoE server).
create access_profile ethernet vlan 0xFFF ethernet_type profile_id 1
config access_profile profile_id 1 add access_id 1 ethernet vlan USER ethernet_type 0x8863 port 1-10 permit
config access_profile profile_id 1 add access_id 2 ethernet vlan USER ethernet_type 0x8864 port 1-10 permit
config access_profile profile_id 1 add access_id 3 ethernet vlan USER port 1-10 deny
Create an ACL that blocks PPPoE PADO packets coming from client ports (this blocks rogue PPPoE servers).
create access_profile packet_content_mask offset1 l2 0 0xFFFF offset2 l3 0 0xFF profile_id 2
config access_profile profile_id 2 add access_id 1 packet_content offset1 0x8863 offset2 0x0007 port 1-8 deny
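To see what the two ACLs above actually let through, here is an added Python model (not part of the original article, and not D-Link code) that builds constructed Ethernet/PPPoE frames and applies the same logic: only PPPoE discovery (0x8863) and session (0x8864) frames may cross the USER VLAN, and a PADO (PPPoE code 0x07) arriving on a client port is dropped. The model assumes the PADO rule is evaluated before the ethertype profile; on a real switch, check the vendor's profile priority, since first-match ACLs stop at the first hit.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_ARP = 0x8100, 0x0806
PPPOE_DISCOVERY, PPPOE_SESSION = 0x8863, 0x8864
PADI, PADO = 0x09, 0x07                    # PPPoE discovery codes (RFC 2516)
CLIENT_PORTS, USER_VLAN = range(1, 9), 2   # ports 1-8 untagged in VLAN USER (tag 2)

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Constructed Ethernet frame; vlan=None means untagged (client side)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

def pppoe_discovery(code, tags=b""):
    """PPPoE header: ver/type 0x11, code, session id (0 in discovery), length."""
    return struct.pack("!BBHH", 0x11, code, 0, len(tags)) + tags

def parse(frame):
    """Return (ethertype, vlan-or-None, payload after the Ethernet header)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == ETHERTYPE_VLAN:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    return ethertype, vlan, frame[off:]

def acl_decision(port, frame):
    """Model of the two ACL profiles; the PADO rule is checked first here (assumption)."""
    ethertype, vlan, l3 = parse(frame)
    if vlan is None and port in CLIENT_PORTS:
        vlan = USER_VLAN                      # untagged client traffic lands in USER
    # profile 2: a PPPoE Active Discovery Offer from a client port means a rogue server
    if port in CLIENT_PORTS and ethertype == PPPOE_DISCOVERY and len(l3) > 1 and l3[1] == PADO:
        return "deny"
    if vlan != USER_VLAN:
        return "permit"                       # profile 1 is scoped to VLAN USER only
    # profile 1: only PPPoE discovery/session frames may cross the USER VLAN
    return "permit" if ethertype in (PPPOE_DISCOVERY, PPPOE_SESSION) else "deny"

SAMPLES = [  # (port, frame, description), all constructed for this example
    (3, build_frame("ffffffffffff", "001122334455", PPPOE_DISCOVERY, pppoe_discovery(PADI)), "client PADI broadcast"),
    (3, build_frame("001122334455", "66778899aabb", PPPOE_DISCOVERY, pppoe_discovery(PADO)), "PADO from client port"),
    (9, build_frame("001122334455", "66778899aabb", PPPOE_DISCOVERY, pppoe_discovery(PADO), vlan=2), "PADO from uplink"),
    (3, build_frame("ffffffffffff", "001122334455", ETHERTYPE_ARP, b"\x00" * 28), "client ARP request"),
]

def classify_samples():
    """Run every sample through the ACL model and return (description, verdict) pairs."""
    return [(desc, acl_decision(port, frame)) for port, frame, desc in SAMPLES]
```

Note that the client's PADI broadcast is permitted, which is exactly why storm control below is still needed on top of the ACLs.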
And finally, enable storm control to combat broadcast and multicast floods. It may seem that we have already solved this problem by blocking non-PPPoE traffic, but there is a catch: in PPPoE the first request (the search for a PPPoE server) is sent as a broadcast, and if a client's equipment, due to a glitch, a virus or other reasons, sends such requests intensively, this can well take the network down.
config traffic control 1-8 broadcast enable multicast enable action drop threshold 64 countdown 5 time_interval 5
This way we solve many of the problems inherent in a flat network: rogue DHCP and PPPoE servers (people often turn on such things unintentionally, out of ignorance rather than malice, yet other clients' service is disrupted), broadcast storms, faulty network cards and other