
Setting up access level switches on the provider's network
In this article, I will talk about how we (a small regional provider) configure access level switches.
First, I will briefly go over what the hierarchical network model is, which functions are recommended at each of its layers, and how the network on which I will demonstrate the switch settings is arranged. Then I will configure the switch based on the resulting requirements.
Hierarchical network building model

So, the hierarchical model of a switched network distinguishes three layers: the access layer, the distribution (aggregation) layer and the core layer. Dividing the network into layers makes it much easier to handle: scaling is simpler, devices are easier to configure, redundancy is easier to introduce, the network is easier to design, and so on.
Each layer requires a certain set of functions; at the access layer (in a provider's network) the devices must provide:
- Connecting end users at 100 Mbps
- A 1 Gbit/s connection (preferably via SFP) to a distribution layer switch
- VLAN Support
- Port security support
- ACL support
- Support for other security features (loopback detection, storm control, BPDU filtering, etc.)
Applied to the provider's network, this gives the following picture:
- Residential building: access layer switch
- Neighbourhood (microdistrict): distribution layer switch, to which the individual buildings are connected
- Data center: core layer switch, to which the individual neighbourhoods are connected
At the distribution layer and, especially, at the core layer, advanced Cisco and/or Juniper switches are usually used, but at the access layer you have to install cheaper hardware. Typically this is D-Link (or Linksys, or Planet).
A few words about the network device
So, we now have a first approximation of what the access layer is. Before moving on to configuring the switch itself, a few words about how the network in which the switch has to work is arranged.
Firstly, we do not use VLAN-per-user. The network is quite old and was started at a time when Q-in-Q was not yet a standard, so most of the old equipment does not support double tagging.
Secondly, we use PPPoE and do not use DHCP. That is, the client receives a single public ("white") address over PPP; a home network, as a concept, does not exist.
Thirdly, all switches live in a separate VLAN dedicated to them alone; all home PPPoE clients also live in a single VLAN.
Switch Configuration
As a test switch I will use the D-Link DES-3200-10, because:
- In our city D-Link is the easiest to buy, so this brand is preferred over Planet, Linksys and other competitors
- This switch has all the functionality we need.
So, let's go. All commands are given for the D-Link model mentioned above; however, it will not be difficult to do the same on another vendor's device.
Based on the above requirements for the access layer switch, we formulate exactly what we want to configure on it, and do it.
So, we need to:
Create two VLANs, one for clients and the other for managing the switch, and assign them to the switch ports: the 100 Mbit ports are client ports, the gigabit ports are uplinks. Configure port security so that no more than one MAC address is allowed on a client port (this is how we deal with the undesirable and potentially dangerous situation where a client connects not a router but a switch to the provider's network, merging the broadcast domain of their home network with the provider's broadcast domain).
create vlan USER tag 2
create vlan MANAGEMENT tag 3
config vlan USER add untagged 1-8
config vlan USER add tagged 9-10
config vlan MANAGEMENT add tagged 9-10
config port_security ports 1-8 admin_state enable max_learning_addr 1 lock_address_mode DeleteOnTimeout
Disable STP on client ports so that users cannot interfere with the provider's BPDU packets in the network.
config stp version rstp
config stp ports 1-8 fbpdu disable state disable
Configure loopback detection so that (1) buggy network cards that reflect packets back and (2) users who create Layer 2 loops in their apartments do not disrupt the network.
enable loopdetect
config loopdetect recover_timer 1800
config loopdetect interval 10
config loopdetect ports 1-8 state enable
config loopdetect ports 9-10 state disable
Create an ACL that prohibits non-PPPoE packets in the USER VLAN (blocking DHCP, IP, ARP and all other unnecessary protocols that would let users communicate with each other directly, bypassing the PPPoE server).
create access_profile ethernet vlan 0xFFF ethernet_type profile_id 1
config access_profile profile_id 1 add access_id 1 ethernet vlan USER ethernet_type 0x8863 port 1-10 permit
config access_profile profile_id 1 add access_id 2 ethernet vlan USER ethernet_type 0x8864 port 1-10 permit
config access_profile profile_id 1 add access_id 3 ethernet vlan USER port 1-10 deny
Create an ACL that prohibits PPPoE PADO packets from client ports (blocking fake PPPoE servers).
create access_profile packet_content_mask offset1 l2 0 0xFFFF offset2 l3 0 0xFF profile_id 2
config access_profile profile_id 2 add access_id 1 packet_content offset1 0x8863 offset2 0x0007 port 1-8 deny
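To see what the two ACL profiles above actually let through, here is a software model of their combined effect on sample frames (an added example, not the article's or D-Link's code). It assumes the port and VLAN numbers used in the commands (client ports 1-8, VLAN USER tag 2), treats untagged frames on a client port as belonging to VLAN USER, and does not model the switch's own rule-evaluation order; all frames and MAC addresses are constructed.

```python
"""Model of the two D-Link ACL profiles above: a PPPoE-only filter for the USER
VLAN plus a PADO block on client ports. Added example, not the article's code;
all frames below are constructed test data."""
import struct

ETH_PPPOE_DISC, ETH_PPPOE_SESS, ETH_8021Q = 0x8863, 0x8864, 0x8100
PADO = 0x07                                # PPPoE Active Discovery Offer code (RFC 2516)
CLIENT_PORTS, USER_VLAN = range(1, 9), 2   # ports 1-8 and VLAN tag 2, as on the page

def parse(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, VLAN id (None if untagged), ethertype, payload."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack('!H', frame[12:14])[0]
    vlan, off = None, 14
    if etype == ETH_8021Q:                 # 802.1Q tag: TCI (2 bytes) then the real ethertype
        tci, etype = struct.unpack('!HH', frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return {'dst': dst, 'src': src, 'vlan': vlan, 'etype': etype, 'payload': frame[off:]}

def filter_frame(port: int, frame: bytes, port_vlan: int = USER_VLAN) -> str:
    """Combined effect of the page's two ACL profiles (rule-evaluation order on the
    switch is not modelled). Untagged frames are placed in the port's own VLAN."""
    f = parse(frame)
    vlan = f['vlan'] if f['vlan'] is not None else port_vlan
    # profile 2, access_id 1: ethertype 0x8863 with PPPoE code 0x07 arriving on a client port
    if port in CLIENT_PORTS and f['etype'] == ETH_PPPOE_DISC and f['payload'][1:2] == bytes([PADO]):
        return 'deny: PADO from client port (fake PPPoE server)'
    # profile 1, access_id 1 and 2: PPPoE discovery and session stages are allowed in VLAN USER
    if vlan == USER_VLAN and f['etype'] in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
        return 'permit'
    # profile 1, access_id 3: anything else in VLAN USER (ARP, IP, DHCP, ...) is dropped
    if vlan == USER_VLAN:
        return 'deny: non-PPPoE traffic in VLAN USER'
    return 'no match'                      # other VLANs (e.g. MANAGEMENT on the uplinks) are not affected

def build(dst: bytes, src: bytes, etype: int, payload: bytes, vlan=None) -> bytes:
    """Construct a test frame, optionally with an 802.1Q tag (priority bits zero)."""
    tag = struct.pack('!HH', ETH_8021Q, vlan) if vlan is not None else b''
    return dst + src + tag + struct.pack('!H', etype) + payload

# constructed sample addresses and PPPoE discovery headers: ver/type 0x11, code, session id, length
BCAST, CLIENT, SERVER = b'\xff' * 6, bytes.fromhex('02aabbccdd01'), bytes.fromhex('02aabbccdd02')
PADI_HDR = bytes([0x11, 0x09]) + struct.pack('!HH', 0, 0)
PADO_HDR = bytes([0x11, PADO]) + struct.pack('!HH', 0, 0)

if __name__ == '__main__':
    print(filter_frame(3, build(BCAST, CLIENT, ETH_PPPOE_DISC, PADI_HDR)))           # permit
    print(filter_frame(3, build(CLIENT, CLIENT, ETH_PPPOE_DISC, PADO_HDR)))          # deny: PADO ...
    print(filter_frame(9, build(CLIENT, SERVER, ETH_PPPOE_DISC, PADO_HDR, vlan=2)))  # permit (uplink)
    print(filter_frame(3, build(BCAST, CLIENT, 0x0806, bytes(28))))                  # deny: non-PPPoE ...
```

The last two calls show the asymmetry the ACLs create: a PADO is legitimate only when it comes in over the uplinks from the real PPPoE server, while an ARP request from a client is dropped even though it would otherwise flood the whole USER VLAN.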
And finally, enable storm control to combat broadcast and multicast floods. It may seem that we have already solved this problem by prohibiting non-PPPoE traffic, but there is a catch: in PPPoE the first request (the search for a PPPoE server) is sent as a broadcast, and if client equipment, due to a glitch, a virus or other reasons, sends such requests intensively, it can take down the whole network. Thus we solve many problems inherent in a flat network: fake DHCP and PPPoE servers (people often turn such things on unintentionally, out of ignorance rather than malice, but they still disrupt other clients), broadcast storms, buggy network cards, and so on.
config traffic control 1-8 broadcast enable multicast enable action drop threshold 64 countdown 5 time_interval 5