svf technology white paperdocs.huatech.cz/huawei_sx700_switches_svf_techn… · ·...

Huawei Sx7 Series Switches

SVF Technology White Paper

Issue 01

Date 2014-11-20

HUAWEI TECHNOLOGIES CO., LTD.

Issue 01 (2014-11-20) Huawei Proprietary and

ConfidentialCopyright © Huawei

Technologies Co., Ltd.

i

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and

the customer. All or part of the products, services and features described in this document may not

be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all

statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://enterprise.huawei.com

http://enterprise.huawei.com/





ii


Keywords: SVF, vertical stacking, wired and wireless convergence, redundancy backup

Abstract: Huawei's Super Virtual Fabric (SVF) technology virtualizes multiple devices into

one logical device to shield complex connections among devices and implement unified

management and control of network devices.

Acronyms and Abbreviations:

Acronym/

Abbreviation

Full Name Remarks

SVF Super Virtual Fabric

SVF-Parent SVF-Parent Parent node in an SVF system, the

control device

SVF-Client SVF-Client Client node in an SVF system, an

access device

CAPWAP Control and Provisioning of

Wireless Access Points

ENP Ethernet Network Processor

AS Access Switch

AP Access Point

AC Access Controller

CSS Cluster Switch System A stacking technology applicable to

modular switches

CSS2 Cluster Switch System

Generation2

Second generation of CSS

technology, applicable to modular

switches

iStack Intelligent Stacking A stacking technology applicable to

fixed switches

ASDP AS Discover Protocol

LBNT LLDP-Based Network

Topology

UCL User Control List


SVF Technology White Paper Contents




iii

Contents

1 Overview ................................................................................................................................... 1

1.1 Background ........................................................................................................................................................... 1

1.2 Technology Advantages ......................................................................................................................................... 2

2 Implementation ........................................................................................................................ 1

2.1 Concepts ............................................................................................................................................................... 1

2.2 SVF Topology and Connection Rules ..................................................................................................................... 2

2.3 Unified Device Management ................................................................................................................................. 4

2.4 Unified Configuration ............................................................................................................................................ 7

2.5 Unified User Management ..................................................................................................................................... 8

2.6 Packet Forwarding ................................................................................................................................................10

3 Customer Benefits .................................................................................................................... 1

3.1 Simplified Network Management........................................................................................................................... 1

3.2 Wired and Wireless Convergence ........................................................................................................................... 2

3.3 Visualized Management ......................................................................................................................................... 2

4 Typical Application Scenarios................................................................................................ 1

4.1 Small or Medium-Sized Wired Campus Network ................................................................................................... 1

4.2 Large Wired and Wireless Converged Campus Network ......................................................................................... 2

4.3 Super-Large Wired and Wireless Converged Campus Network ............................................................................... 3

4.4 Cross-Area Large Campus Network ....................................................................................................................... 4

4.5 SVF System Across an Intermediate L2 Network ................................................................................................... 5


SVF Technology White Paper 1 Overview




1

1 Overview

1.1 Background

Huawei CSS/CSS2 and iStack are horizontal virtualization technologies that virtualize

multiple network devices at the same layer into one logical device, without changing the

physical network topology, as shown in Figure 1-1. These virtualization technologies make

ring network protocols in dual-homing networking obsolete and shorten failover time (trunk

link convergence time instead of protocol convergence time). CSS/CSS2 and iStack simplify

the network structure, which ultimately reduces network management costs.

Figure 1-1 Network architecture evolution

On a large-scale enterprise campus network, access switches are usually widely distributed

and use similar simple service configurations. Although iStack simplifies the structure of the

access layer, a large number of access nodes on the network still require configuration and

management.

Aggregation

AC

AP

User

Access

AP

CSS2

MSTP

VRRP

iStack

AC

Aggregation

User

AccessEvolution






2

To further simplify deployment and management of those access nodes, Huawei developed

Super Virtualization Fabric (SVF), a vertical virtualization technology. As shown in Figure

1-2, SVF virtualizes downstream access devices (SVF-Client) under the control device

(SVF-Parent) into one logical device (SVF system). In the SVF system, access switches (ASs)

are managed as wired ports, and access points (APs) as wireless ports. In this way, the

aggregation and access devices in the SVF system are managed as one node, which greatly

reduces the number of network nodes and implements centralized control and management on

the network.

Figure 1-2 Network virtualization using SVF technology

1.2 Technology Advantages SVF technology applies to networks where many access devices are widely distributed and

use similar simple service configurations. This section describes the advantages of this

technology.

Unified Device Management

Unified device management provides the following benefits:

Centralized control: The SVF-Parent and SVF-Client nodes are virtualized into one

logical device and share the same management plane, control plane, and forwarding

plane, which reduces the number of network layers and nodes that need to be managed.

Zero-touch provisioning: Configuration is performed on the parent. Access devices join

the SVF system automatically after they are connected to the network and obtain

configuration files, system software, and patch packages from the parent, providing plug-and-play functionality to access devices.

1 2

M

User

SVF-Parent

AP

AS

User

CSS2

AS

iStack

SVF-Client

AP

CSS2

iStack

SVF system

Virtualization






3

Simplified network maintenance: Network administrators can upgrade system software

and patches for access devices, query AS information, including port status, CPU usage, and memory usage, and centrally manage wired and wireless users on the parent.

Unified Service Configuration

An SVF system provides intelligent and easy-to-understand unified service configuration

using service configuration profiles. As a result, network administrators need to perform

configuration on the SVF-Parent only, eliminating the need to log in to access devices

individually to configure them. The parent can identify access devices and their ports and

automatically deliver configuration data to the access devices. Automatic configuration

delivery avoids repetitive configuration on access devices, significantly improving network

deployment efficiency.

Unified Policy Deployment

An SVF system implements authentication and policy-based authorization on the parent. User

policies can be enforced on the parent or delivered to access devices. Because user policies

are delivered to access devices from the parent, administrators do not need to configure user

policies on individual access devices.

Wired and Wireless Convergence

The SVF-Parent supports the native access controller (AC) function and integrates wireless

devices into the fabric system. The native AC function avoids bottlenecks of wireless traffic

forwarding in the fabric architecture and realizes in-depth wired and wireless

convergence, which helps to reduce network construction cost and improves user experience.

High Reliability

An SVF system implements device and link redundancy using CSS/CSS2, iStack, and

link-aggregation technologies. Huawei's industry-leading CSS2 technology supports 1+N

backup of Main Processing Units (MPUs) in a cluster, which enables the SVF system to work

normally even when only one MPU is operational. The entire SVF system requires a tree

topology. When a port is connected incorrectly, the system generates an alarm and blocks the

port to prevent any impact on services.

Diversified Product Models

Any product models supporting the SVF-Parent and SVF-Client roles can be combined to set

up an SVF system.

The following table lists the product models supporting SVF technology.

Role Product Series Description

SVF-Parent S12700 X1E cards (supporting

native AC) are not

mandatory on modular

switches functioning as the

S9700

S7700






4

Role Product Series Description

S5720HI SVF-Parent. They are

required only when APs

need to connect to the SVF

system.

The SVF function is

controlled by license on the SVF-Parent.

SVF-Client (AS) S2750EI N/A

S5700LI

S5700S-LI

S5720EI

SVF-Client (AP) AP6010SN/DN,

AP6310SN, AP6510DN,

AP6610DN, AP3010DN,

AP5010SN/DN,

AP7110SN/DN,

AP5030DN, AP5130DN, AP2010DN

N/A

SVF-Parent and SVF-Client devices can be connected using GE or 10 GE ports, and edge

ports of SVF-Client devices provide 100 Mbit/s, 1,000 Mbit/s, or 10 Gbit/s forwarding

capabilities.

Low TCO

SVF provides the following benefits to help to reduce the total cost of ownership (TCO):

Reduces cost: SVF technology virtualizes high-end devices and low-end or

medium-range devices into one logical device to expand port density and bandwidth of

high-end devices. This virtualization technology reduces network deployment costs and

improves access capacity of the entire network. Additionally, an SVF system is easy to

expand. When higher network capacity is required, more devices can be connected to the

SVF system to expand port density and bandwidth. The high extensibility helps reduce

investment in earlier stages of network construction.

Protects investments: Original SVF-capable hardware devices can support SVF

virtualization after an upgrade of software. SVF allows parent and client devices to be

connected across third-party or Huawei devices that do not support the SVF function.

Therefore, these devices do not need to be replaced, protecting customers' initial investment.


SVF Technology White Paper 2 Implementation




1

2 Implementation

2.1 Concepts

Figure 2-1 Roles of devices and ports in an SVF system

Device Roles

SVF-Parent: control device in an SVF system, which is responsible for control, management,

and service configuration of the entire SVF system. The SVF-Parent node often acts as the

Layer 3 (L3) gateway for access users. This node can be a standalone device or a CSS/CSS2

or iStack system.

SVF-Parent

SVF-Client

Level-1 AS

Level-2 AS

Terminal

AP

Fabric port

Fabric port

Fabric port

Fabric port

AS

AS

AS

User-side portUser-side port






2

SVF-Client: access device in an SVF system, which can be a wired AS or a wireless AP. ASs

in an SVF system are divided into two levels: Level-1 and level-2. Level-1 ASs are connected

directly to the SVF-Parent, and level-2 ASs are connected to the level-1 ASs. Each level-1 or

level-2 AS can be a standalone device or an iStack system.

Port Roles

Fabric port: a port connecting the SVF-Parent and a level-1 AS or a level-1 AS and a level-2

AS. A fabric port can have one to eight member ports. To ensure sufficient bandwidth and link

reliability between connected devices, each fabric port should have two or more member ports.

On modular switches or S5720HI switches functioning as the SVF-Parent, any ports on the

front panel can be used as fabric ports. When an AS functions as the SVF-Client, only the last

two or four network-side ports or the ports on extended cards can be used as uplink fabric

ports. A standalone AS can have a maximum of six uplink fabric ports, including fixed ports

on the front panel and ports on the extended card. An AS stack system can have a maximum

of eight uplink fabric ports.

User-side port: an edge device's port connected to a user terminal. User-side ports can be

connected to wired terminals like PCs or wireless APs.

2.2 SVF Topology and Connection Rules An SVF system supports only the tree topology. The SVF-Parent can manage two layers of

ASs and allows ASs at each layer to connect to wireless APs and wired terminals. If wireless

services are required in the SVF network, APs can connect to X1E cards of the modular

switches or S5720HI switches. If wireless services are not required, modular switches can be

used without X1E cards.

The SVF-Parent can manage one layer of ASs across a Layer 2 (L2) network. The ASs can

connect to APs or wired terminals. Third-party devices are allowed on the intermediate L2

network. The network administrator must perform the following configuration on the

intermediate L2 network:

1. Bundle the uplink ports connected to the SVF-Parent into an Eth-Trunk to connect to the

fabric port of the SVF-Parent, and bundle downlink ports connected to ASs into Eth-Trunks.

2. Assign a management VLAN and corresponding service VLANs to the Eth-Trunks to

implement L2 communication between the SVF-Parent and ASs.

If the SVF-Parent connects to an SVF-Client through a third-party L2 device, the specific

ports connecting these devices cannot be displayed in the topology. The fabric ports between

the SVF-Parent and SVF-Client are displayed as virtual connections.

As shown in Figure 2-2, the SVF-Parent can be a standalone device or a stack, and each AS

can be a standalone device or stack. One or more ports connecting the SVF-Parent to an AS

can be bundled into a fabric port. You can design an SVF network architecture based on the

network scale, service requirements, reliability requirements, and investment.






3

Figure 2-2 SVF networking capability

Figure 2-3 shows common incorrect connections in an SVF system. When incorrect

connections are detected, the system generates alarms to prompt the administrator to

reconnect the cables. In addition, the incorrectly connected ports are blocked to prevent

services from being affected.

SVF-Parent

SVF-Client

One layer of AS

SVF-Parent

SVF-Client

Level-1 ASLevel-1 AS

Level-2 AS

• Applicable to small or medium-sized campus

networks with only wired terminals

Two layers of AS

• Applicable to large or medium-sized campus

networks with only wired terminals

SVF-Parent

SVF-Client

One layer of AS & AP

Level-1 AS

• Applicable to small or medium-sized campus

networks with both wired and wireless terminals

SVF-Parent

SVF-Client

Level-1 AS

Level-2 AS

Two layers of AS & AP

• Applicable to large or medium-sized campus

networks with both wired and wireless terminals

SVF-Parent

SVF-Client

Single link between fabric ports

Level-1 AS

Level-2 AS

• Applicable to networks with low reliability

requirements, insuf f icient f iber resources,

and limited investment

SVF-Parent

SVF-Client

SVF connection across a Layer 2 network

• Only one layer of AS allowed

• Third-party or Huawei devices can exist on

the L2 network

Transparent L2

network






4

Figure 2-3 Typical incorrect connections in an SVF system

2.3 Unified Device Management In an SVF system, the SVF-Parent uses Huawei's proprietary protocols AS Discover Protocol

(ASDP) and LLDP-Based Network Topology (LBNT) to discover ASs and collect topology

information. The SVF-Parent uses the ASDP protocol to discover ASs and deliver network

parameters to ASs, while ASs use the ASDP protocol to establish connections with the

aggregated fabric ports on the SVF-Parent. The SVF-Parent uses the LBNT protocol to collect

neighbor information from ASs and calculates the topology of the entire network based on the

collected information. Both ASs and APs can set up Control and Provisioning of Wireless

Access Points (CAPWAP) control channels with the SVF-Parent. The ASs and APs

register with the SVF-Parent, and are controlled and managed by the SVF-Parent over the

control channels. Using the ASDP, LBNT, and CAPWAP protocols, the SVF-Parent centrally

manages all the attached ASs and APs so that the network is virtualized into one logical

device.

Automatic Discovery

To enable automatic discovery, the administrator must first configure a management VLAN

and create an IP address pool for the management VLAN on the SVF-Parent. Then the

downlink fabric port connecting the SVF-Parent to the level-1 AS must be specified, as shown

in callout 1 in Figure 2-4. The level-1 AS has no configuration file and requires no manual

configuration by the administrator. When the level-1 AS is connected to the SVF-Parent, the

SVF-Parent detects the AS using ASDP and checks whether the connection is correct through

ASDP negotiation. If an incorrect connection is detected, the SVF-Parent generates an alarm

and blocks the incorrectly connected port. If the connection is correct, the SVF-Parent

delivers the management VLAN ID to the level-1 AS. The AS negotiates with the SVF-Parent

using the ASDP protocol. Upon successful negotiation, the AS's uplink ports connected to the

SVF-Parent join the fabric port, and the management VLAN is automatically assigned to the

fabric port. In this way, L2 connectivity is implemented between the AS and

SVF-Parent without manual intervention, as shown in callout 2 of Figure 2-4. The AS then

applies for an IP address from the SVF-Parent using the DHCP protocol, sets up a CAPWAP

control tunnel with SVF-Parent, and registers with the SVF-Parent.

SVF-Parent

• One AS is connected to two parent nodes

(alarm generated).

SVF-Parent

SVF-Client

• One level-1 AS is connected to two Level-1

ASs (alarm generated).

SVF-Client

Incorrect connection 1 Incorrect connection 2

SVF-Parent

SVF-Client

• Two ASs of the same level are connected, so

the topology is not a tree topology (alarm

generated).

Incorrect connection 3






5

After level-1 AS registration is complete, the administrator specifies the downlink fabric port

that connects the level-1 AS to a level-2 AS on the SVF-Parent. After similar automatic

discovery and fabric port aggregation processes, the level-2 AS automatically establishes L2

communication with the level-1 AS, as shown in callout 3 of Figure 2-4. Similarly, the level-2

AS sets up a CAPWAP control tunnel and registers with the SVF-Parent. In this way, multiple

devices are vertically virtualized into one logical device, as shown in callout 4 of Figure 2-4.

The SVF-Parent discovers first level-1 ASs and then level-2 ASs. At most, two layers of ASs

are allowed in an SVF system. An AS's user-side ports can connect to APs, which can also be

managed in the SVF system. After the management VLAN is assigned to user-side ports

connected to APs, APs can obtain IP addresses from the SVF-Parent, set up CAPWAP control

tunnels with the SVF-Parent, and register with the SVF-Parent.

An AS can be a stack that is set up by multiple access switches through stack card connection

or service port connection. If the service port connection mode is used, the stack must be set

up before fabric ports of the AS can be connected. If the stack card connection mode is used,

the stack can be set up before or after fabric ports are connected.

Figure 2-4 SVF-Client automatic discovery

SVF-Parent

SVF-Client

SVF-Parent

SVF-Client

Level-1 AS Level-1 AS

SVF-Parent

SVF-Client

Level-1 AS

Level-2 AS

SVF-Parent

SVF-Client

Level-1 AS

Level-2 AS

1 2

34

Configure

fabric port

on Parent

Auto fabric port

negotiation, auto

AS discovery

Auto fabric port

negotiation, auto

AS discovery on

level-2 AS

Assign management

VLAN to user-side

port on Parent to

enable AP to connect

to SVF directly

Specify fabric

port for

registered AS

on Parent






6

Topology Collection

After SVF-Client nodes are discovered using the ASDP protocol, L2 link connectivity is

implemented between the SVF-Parent and SVF-Client nodes. The SVF-Parent then sets up

CAPWAP control tunnels with ASs. When the link between an AS and its neighbor becomes

Up, the AS discovers the directly connected neighbor using the LLDP protocol. Each AS

saves collected neighbor information locally. After SVF-Client nodes are registered on the

SVF-Parent, the SVF-Parent uses the proprietary LBNT protocol to collect neighbor

information from ASs, and then calculates the topology of the entire network based on that

collected information. The topology needs to be recalculated when the topology changes, for

example, when a link becomes Up or Down, or an AS joins or leaves the SVF system.

Figure 2-5 Topology collection

Centralized Device Management

The SVF-Parent exchanges control messages with ASs over CAPWAP tunnels to control and

manage ASs in a centralized manner. After an AS registers with the SVF-Parent successfully,

the AS determines whether to download the upgrade system software and patch from the

SVF-Parent. SVF supports batch software/patch upgrades for ASs and can also upgrade a

specified AS individually. All service configuration is performed on the SVF-Parent, and all

ASs obtain configuration files from the SVF-Parent.

SVF-Parent

AS AS ASAS AP

AS AS AP

AP

CAPWAP tunnel






7

The SVF-Parent collects AS information, including CPU usage, memory usage, and port

status, and ASs report key maintenance information to the SVF-Parent. For example, if an AS

has a high CPU or memory usage, it sends a notification to the SVF-Parent. The network

administrator monitors AS status on the SVF-Parent.

Pre-configuration

As shown in Figure 2-6, an SVF system allows ASs to join the system with zero configuration,

implementing plug-and-play access. The network administrator needs only to specify MAC

addresses of new ASs and complete pre-configuration for the ASs on the SVF-Parent. When

the ASs connect to the SVF system, the SVF-Parent delivers configuration data to the ASs,

and the ASs automatically update their system software and patch versions, if needed. The

automatic configuration delivery and version upgrade greatly improve device deployment

efficiency.

Figure 2-6 Pre-configuration

2.4 Unified Configuration

SVF supports batch configuration of ASs using configuration profiles, as shown in Figure 2-7.

This function frees network administrators from repeated configuration on each access device.

A configuration profile can be delivered to multiple ASs and multiple configuration profiles

can be delivered to one AS. Service-oriented configuration profiles are easy to understand and

shield dependency between features, thereby greatly improving user experience.

Configuration profiles can be classified into two categories: network management profiles and

service profiles. Network management profiles are used for centralized management and

maintenance of SVF-Client nodes. Service profiles are divided into network basic profile,

network enhanced profile, and user access profile, which are mainly used for user access and

security protection.

SVF-Parent

SVF-Client

Plug-and-play access of one layer of ASs

SVF-Parent

SVF-Client

Plug-and-play access of two layers of ASs

Level-1 AS Level-1 AS

Level-2 AS

Make pre-configuration on Parent before AS

connection

Auto configuration delivery when ASs connect to the

system

Make pre-configuration for two layers of ASs

on Parent before AS connection

Auto configuration delivery when ASs connect to the

system






8

Figure 2-7 Profile-based configuration

2.5 Unified User Management

Policy Association

S series switches support the policy association feature, which can be used independently

or with the SVF feature. The SVF-Parent authenticates all users and delivers policies for

dynamic authorization after users are successfully authenticated. User policies can be

enforced on the SVF-Parent or delivered to access devices from the SVF-Parent and enforced

on access devices. Policy association can be configured in an SVF system to ensure SVF

network security or implement fine-grained management on user traffic. The SVF-Parent

functions as the centralized authentication and authorization point. The policy enforcement

point (PEP) can be deployed on the SVF-Parent (local authorization) or SVF-Clients (remote

authorization). The administrator can flexibly configure local and remote authentication in an

SVF system. When SVF-Clients function as PEPs in remote authorization mode, they act as

data-forwarding control points. When the SVF-Parent functions as the PEP in local

authorization mode, it can dynamically deliver user control list (UCL), access control list

(ACL), committed access rate (CAR), priority, and other policies for refined user access and

traffic control.

After policy association is configured in an SVF system, the access port of an unauthenticated

user is in a restricted state. The user can access DHCP, RADIUS, Portal, eSight, and other

servers specified in authentication-free rules, and data packets sent from this user to other

Security configuration for access ports

Basic QoS configuration

安全管控设备管理安全审计

Network basic

profile

(mandatory)

VLAN configuration

Port configuration

Network

management

profile

Device login and administrator

password configuration Local administrator user name and

password configuration

Version management

AAA configuration

Authentication mode configuration

Se

rvic

e

Acce

ss

Ne

two

rk

Ma

na

ge

me

nt

Network

enhanced profile

(optional)

User access

profile

(optional)

Manage and

maintain

SVF-Client

Define a

logical

network

Logical

network is

secure

Terminals

connect to

network and

obtain

access rights

Configuration

templates are configured on

parent and

delivered to clients






9

users or the network side are not forwarded. After the user is authenticated, the SVF-Parent

sends a message to the AS over the CAPWAP control tunnel, notifying the AS that the access

port can forward data packets. The user then obtains access rights. This mechanism prevents

unauthenticated users from communicating with other users through the L2 network. If the

SVF-Parent functions as the PEP, traffic forwarded to the SVF-Parent is controlled by more

refined policies, implementing fine-grained user management.

Figure 2-8 Policy association

Centralized User Information Query

The SVF-Parent provides unified authentication and policy control for both wired

and wireless users. The authentication point is also the PEP, which facilitates management.

SVF-Parent

AS AS ASAS

AS AS

CAPWAP tunnel

DHCP/Radius/Portal/eSight

server

Authenticated user Unauthenticated

user

1 Before authentication

Auth point

PEP

Authenticated user

Unauthenticated

users can access only

specif ied servers

Unauthenticated

users cannot access

other users or

network resources

SVF-Parent

AS AS ASAS

AS AS

Newly

authenticated user

2 After authenticationCAPWAP tunnel

Authenticated user Authenticated user

DHCP/Radius/Portal/eSight

serverAuth point

PEP

Authenticated users

can access other

users and network

resources

User is authenticated.

Parent deliver a policy

to grant access rights

over CAPWAP tunnel.

User can access

network resources.






10

The network administrator can view information about all access users connected to ASs and

APs on the SVF-Parent, including the access devices and ports to which wired users connect

and the APs to which wireless users connect.

2.6 Packet Forwarding An SVF system provides comprehensive L2/L3 forwarding capabilities. The SVF-Parent

provides L2/L3 forwarding, and SVF-Clients provide L2 forwarding. To forward a received

packet, an SVF-Client searches the local forwarding table to find the outbound interface and

sends the packet from this interface. L2 packets can be directly forwarded by

SVF-Clients, whereas L3 packets must be sent to the SVF-Parent and forwarded based on the

L3 forwarding table of the SVF-Parent. SVF supports distributed and centralized forwarding

modes, which can be set using commands. The distributed forwarding mode is the default

mode.

Figure 2-9 shows the distributed forwarding mode, in which each device looks up outbound

interfaces of packets in its local forwarding table and forwards packets from the outbound

interfaces directly. Each SVF-Client learns MAC addresses of all attached access users in the

same VLAN as it and allows these users to communicate directly. For example, Host 1 and

Host 2 in Figure 2-9 can communicate directly through the SVF-Client. Distributed

forwarding leverages the forwarding capability of each SVF-Client and avoids circuitous

forwarding paths, making full use of each device's bandwidth. This forwarding mode is

recommended if the customer requires direct L2 communication between users but does not

require L2 user isolation or access control.

Figure 2-9 Distributed forwarding

SVF-Parent

SVF-Client

HostsHost1

MAC1IP1

Host2

MAC2IP2

SA = MAC1 + IP1,

DA = MAC2 + IP2 + Payload

SA = MAC1 + IP1,


SA = MAC1 + IP1,


Gateway

MAC3IP3






11

Figure 2-10 shows the centralized forwarding mode, in which packets are sent to the

SVF-Parent and forwarded from outbound interfaces on the SVF-Parent according to its

forwarding table. On an SVF-Client, ports in the same VLAN are isolated; therefore, users

connected to the SVF-Client cannot communicate through the SVF-Client directly. When

Host 1 needs to communicate with Host 2, Host 1 sends an Address Resolution Protocol (ARP)

Request to Host 2. The gateway (SVF-Parent) sends an ARP Reply to Host 1 but the MAC

address mapped to IP2 in the ARP Reply is the gateway's MAC address (MAC3), not Host 2's

MAC address (MAC2). Subsequently, data packets sent from Host 1 to Host 2 are sent to the

gateway for L3 forwarding. The centralized forwarding mode is recommended if the customer

requires centralized control or fine-grained management of user traffic and L2 user isolation.

Figure 2-10 Centralized forwarding

Table 2-1 Deployment suggestions for various user access scenarios

Access Scenario Forwarding Mode

Policy Association

Authentication Mode

Authentication-Free Rule

1. Unauthenticated

users are not

allowed to connect to the network.

2. Authenticated

users are allowed to

communicate directly.

3. Users can access

Distributed

forwarding

1. ASs disable data

forwarding before

authentication.

2. Use the local

authorization mode

and enforce policies

on the SVF-Parent (optional).

3. Assign different

Dot1x/MAC/Portal Configure

authentication-free

rules to allow

access to basic

servers before

authentication.

SVF-Parent

SVF-Client

HostsHost1

MAC1IP1

Host2

MAC2IP2

SA = MAC1 + IP1,


SA=MAC3 + IP1,

DA=MAC2 + IP2 + Payload

SA = MAC3 + IP1,


Gateway

MAC3IP3

SA=MAC1 + IP1,

DA=MAC3 + IP2 + Payload






12

Access Scenario Forwarding Mode

Policy Association

Authentication Mode

Authentication-Free Rule

basic servers before authentication.

VLANs to

departments that

need to be isolated

(optional).

1. Unauthenticated

users are not

allowed to connect

to the network.

2. Communication

between

authenticated users

is controlled

centrally and L2

communication is

isolated.

3. Users can access

basic servers before authentication.

Centralized

forwarding

1. ASs disable data

forwarding before authentication.

2. Use the local

authorization mode

and enforce policies on the SVF-Parent.

Dot1x/MAC/Portal Configure

authentication-free

rules to allow

access to basic

servers before authentication.

1. Unauthenticated

users are not

allowed to connect to the network.

2. Authenticated

users do not need to

be isolated.

3. Basic servers do

not need to be

specified for

pre-authentication

access.

Distributed or

centralized

forwarding

ASs disable data

forwarding before

authentication.

Dot1x/MAC/Portal In Portal

authentication

mode, configure

authentication-free

rules for the Portal

server. No

authentication-free

rule is required in

other authentication

modes.

SVF is used only to

simplify network

management and

there is no

requirement for user authentication.

Distributed or

centralized forwarding

None None None


SVF Technology White Paper 3 Customer Benefits




1

3 Customer Benefits

3.1 Simplified Network Management

If a campus network has many access devices that are widely distributed and use similar,

simple service configurations, SVF technology can be used to virtualize the campus network

into one or multiple SVF systems to simplify network management. SVF supports automatic

topology discovery and establishment, enables plug-and-play connection of access devices

through pre-configuration, and provides unified device management, user management,

configuration, and maintenance. All of these features improve network management and

maintenance efficiency.

The SVF-Parent sends key alarms, for example, alarms about high CPU usage and memory

usage, to the Huawei eSight network management system, as shown in Figure 3-1. eSight

then displays all alarms for the administrator to check. Once a fault occurs on the network,

eSight quickly identifies the failure point based on the key alarms without comparing time

stamps of access devices.






2

Figure 3-1 Simplifying network management through SVF

3.2 Wired and Wireless Convergence When X1E cards are installed on the SVF-Parent, the SVF system implements wired

and wireless convergence. SVF technology unifies the management plane, control plane, and

forwarding plane of devices, which eliminates bandwidth bottlenecks for wireless forwarding

and improves work efficiency and user experience of network administrators.

Wireless devices can connect directly to the X1E cards. This networking is recommended for

new wired and wireless converged networks or networks with a large number of users.

Wireless devices can also connect to non-X1E cards; however, X1E cards are still required

because wireless traffic must be directed to the X1E cards for processing. This networking is

recommended when wireless service needs to be added to an SVF wired network with many

access devices and wireless users are widely distributed.

3.3 Visualized Management

The Huawei eSight network management system provides visualized SVF system

management, and shows topology of the SVF-Parent, ASs, and APs in an SVF system, as

shown in Figure 3-2. eSight monitors device and link status in real time. When an AS or AP

joins or leaves the SVF system, the AS or AP is added or deleted automatically in the

topology view. When the status of a link changes, the new link status is displayed in the

topology view, helping the network administrator to identify topology changes quickly.

Access

Aggregation

Access

Building B:

Sales center

Building A:

Administration & management center

Building C:

Customer service center

Building D:

R&D center

Building E:

Testing center

Building F:

Production center

CSS

iStackiStack

eSight

SVF system

Reporting key alarms

Virtual device






3

Figure 3-2 Topology of an SVF system

eSight also displays a device's panel, as shown in Figure 3-3. The network administrator can

click a fabric port on the SVF-Parent's panel to view status of the SVF-Client connected to the

fabric port and downstream topology. The administrator can monitor all the

downstream wired and wireless devices connected on the SVF-Parent's panel.

Figure 3-3 Centralized SVF system management on the Device Panel page

eSight provides unified management of wired and wireless users, as shown in Figure 3-4. The

user list shows characteristics of both wired and wireless users, including AS ports

to which wired users connect and APs to which wireless users connect. When a user fails to

connect to the network, the network administrator can quickly locate the AS or AP

through which the user connects to the network. This feature improves troubleshooting

efficiency and facilitates fault diagnosis for wireless users. eSight also provides configuration

templates, which allow the network administrator to see the configuration required for service

operations on the template configuration matrix.






4

Figure 3-4 Unified management of wired and wireless users


SVF Technology White Paper 4 Typical Application Scenarios




1

4 Typical Application Scenarios

4.1 Small or Medium-Sized Wired Campus Network

As shown in Figure 4-1, a small or medium-sized campus network often uses a two-layer

architecture. Campus networks of small and medium-sized enterprises or enterprise branch

networks fall into this category. Access devices provide L2 forwarding and use similar, simple

service configurations. The L3 gateway is deployed on aggregation devices. SVF can be used

to simplify network management.

Figure 4-1 Small or medium-sized wired campus network

NE deployment at the aggregation layer

S7700/S9700 or 5720HI switches are deployed at the aggregation layer and function as

the SVF-Parent to manage all of the ASs. Huawei eSight can be deployed for visualized

network management.

DHCP server deployment

CSSSVF-Parent

SVF-Client

…

WAN Internet

L2

sw

itch

ing

L3

rou

ting

eSight

VLAN 10 VLAN 200VLAN 100 VLAN 10 VLAN 200VLAN 100 VLAN 10 VLAN 200VLAN 100VLAN 10 VLAN 200VLAN 100

VLAN 10

VLAN 100

VLAN 200

Access layer

Aggregation layer

Core layer

Profile_1






2

The enterprise does not have many employees, so the DHCP server is deployed on

aggregation switches to simplify network deployment.

Reliability deployment

Two aggregation switches set up a CSS to implement device backup.

User management deployment

If the customer requires high security of wired user access security, 802.1x

authentication is configured for wired user access and configure MAC address bypass

authentication for dumb terminals. If the customer does not require high security, Portal

authentication is recommended. The SVF-Parent should be the authentication point.

Forwarding model deployment

If the customer requires high security of traffic forwarding, the centralized forwarding

mode on the SVF-Parent is configured to centrally control traffic of wired users at the

aggregation layer. If the customer does not have high security requirements, the distributed forwarding mode is used.

4.2 Large Wired and Wireless Converged Campus Network

Figure 4-2 shows a large campus network, on which the L3 gateway connects to two layers of

ASs. Such networks have a large scale and many access users. University campus networks

and networks of large enterprises fall into this category. SVF provides customers with a

simplified network structure and reduces network construction costs through wired

and wireless convergence.

Figure 4-2 Large campus network

CSS2SVF-Parent

SVF-Client

…

WAN Internet

Level-1 AS

Level-2 AS

eSight

VLAN 10 VLAN 200VLAN 100 VLAN 300 VLAN 500VLAN 400

VLAN

100

VLAN 200

VLAN 10 VLAN 300

VLAN

400

VLAN 500

Profile_1 Profile_2

Access layer

Aggregation layer

Core layer

L2

sw

itch

ing

L3

rou

ting






3

Wired and wireless convergence point deployment

Huawei recommends that S12700 switches be deployed as the SVF-Parent to manage all

ASs and APs. The S12700 switches provide native AC functions for wireless user

management and both wired and wireless devices can connect directly to X1E cards of the S12700 switches.

DHCP server deployment

Because there are many users on a campus network, it is recommended that an

external DHCP server be deployed to allocate IP addresses to all wired and wireless users in the campus.

Reliability deployment

Two aggregation switches set up a CSS to implement device backup.

User management deployment

− 802.1x authentication is configured to ensure secure access of wireless users. If the

customer does not require high security, Portal authentication is recommended. The SVF-Parent is used as the authentication point.

− A university campus network can use Point-to-Point Protocol over Ethernet (PPPoE)

authentication for wired users and deploy the authentication point on the SVF-Parent.

An enterprise campus network can use 802.1x authentication for wired users. To

block communication between unauthenticated users, remote authorization and

authentication-free rules can be configured to specify the resource servers that users

can access before authentication. Local authorization can be configured on the SVF-Parent to implement more user-specific access control.

Forwarding model deployment

− Wireless traffic is forwarded over tunnels in centralized mode.

− If centralized traffic control is required for traffic of wired users, the centralized

forwarding mode can be used. If the customer does not require high security, the

distributed forwarding mode can be used as it is easy to deploy and can fully use bandwidth of access devices.

4.3 Super-Large Wired and Wireless Converged Campus Network

Figure 4-3 shows a super-large campus network that covers a large area and has a large

number of access devices. Such a network can be virtualized into multiple SVF systems so

that only several nodes need to be managed and maintained. High-performance S12700

switches are recommended at the core layer, and S7700/S9700 or S5720HI switches can be

deployed at the aggregation layer as the SVF-Parent in each SVF system to manage ASs and

APs in the system. The deployment in each SVF system is similar to that described in section

4.1 "Small or Medium-Sized Wired Campus Network." In this scenario, each SVF-Parent

manages only one layer of ASs. This networking architecture is suitable for campus networks

that have many widely distributed ASs, such as large enterprise campus networks.






4

Figure 4-3 Super-large campus network

4.4 Cross-Area Large Campus Network Figure 4-4 shows a large campus network covering multiple areas, also known as cross-area

networks. The network in each area can be virtualized into an SVF system and the

deployment in each SVF system is similar to that described in section 4.2 "Large Wired and

Wireless Converged Campus Network." In this scenario, each SVF-Parent manages two

layers of ASs. This networking architecture is suitable to networks that have many densely

distributed ASs in multiple areas, for example, a large enterprise's office buildings. Devices in

each building can be virtualized into an SVF system, and each SVF-Parent connects to two

layers of ASs. This scenario is similar to that described in section 4.3 "Super-Large Wired and

Wireless Converged Campus Network." Select either networking modes based on actual

situations.

CSS/iStackSVF-Parent

SVF-Client

…

WAN Internet

AS

eSight

VLAN 10 VLAN 200VLAN 100 VLAN 300 VLAN 500VLAN 400

…CSS/iStack

CSS2

Access layer

Aggregation layer

Core layer






5

Figure 4-4 Cross-area large campus network

4.5 SVF System Across an Intermediate L2 Network

An SVF system can be established across an L2 network. Therefore, Huawei or non-Huawei

devices not supporting the SVF function do not need to be replaced when an SVF network is

deployed, which protects the customer's initial investment. The intermediate L2 network must

have uplink and downlink Eth-Trunks configured to connect to fabric ports of the SVF

members. In addition, the management VLAN of the SVF system and corresponding service

VLANs need to be assigned to the uplink and downlink Eth-Trunks to ensure L2 link

connectivity. Only one layer of ASs can connect to the intermediate L2 network. As this L2

network is not a member of the SVF system, the SVF-Parent cannot manage devices on the

L2 network. To implement unified management of all access devices and facilitate network

management and maintenance, avoid this networking if possible. The SVF system

deployment is similar to that described in section 4.2 "Large Wired and Wireless Converged

Campus Network."

CSSSVF-Parent

SVF-Client

…

IP/MPLS

Core

Level-1 AS

Level-2 AS

eSight

CSS

…

SVF1 SVFn

…

Access layer

Aggregation layer

Core layer






6

Figure 4-5 SVF system across an intermediate L2 network

CSSSVF-Parent

SVF-Client

………

…

WAN Internet

eSight

L2 network of

third-party devices

L2 network of

Huawei devices

L2 switching

L3 routing

svf technology white paperdocs.huatech.cz/huawei_sx700_switches_svf_techn… · ·...

Documents