Upload
sarkanyr
View
33
Download
4
Tags:
Embed Size (px)
DESCRIPTION
Huawei
Citation preview
Huawei Sx7 Series Switches
SVF Technology White Paper
Issue 01
Date 2014-11-20
HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
i
Copyright Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not
be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all
statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
SVF Technology White Paper
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
ii
SVF Technology White Paper
Keywords: SVF, vertical stacking, wired and wireless convergence, redundancy backup
Abstract: Huawei's Super Virtual Fabric (SVF) technology virtualizes multiple devices into
one logical device to shield complex connections among devices and implement unified
management and control of network devices.
Acronyms and Abbreviations:
Acronym/
Abbreviation
Full Name Remarks
SVF Super Virtual Fabric
SVF-Parent SVF-Parent Parent node in an SVF system, the
control device
SVF-Client SVF-Client Client node in an SVF system, an
access device
CAPWAP Control and Provisioning of
Wireless Access Points
ENP Ethernet Network Processor
AS Access Switch
AP Access Point
AC Access Controller
CSS Cluster Switch System A stacking technology applicable to
modular switches
CSS2 Cluster Switch System
Generation2
Second generation of CSS
technology, applicable to modular
switches
iStack Intelligent Stacking A stacking technology applicable to
fixed switches
ASDP AS Discover Protocol
LBNT LLDP-Based Network
Topology
UCL User Control List
Huawei Sx7 Series Switches
SVF Technology White Paper Contents
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
iii
Contents
1 Overview ................................................................................................................................... 1
1.1 Background ........................................................................................................................................................... 1
1.2 Technology Advantages ......................................................................................................................................... 2
2 Implementation ........................................................................................................................ 1
2.1 Concepts ............................................................................................................................................................... 1
2.2 SVF Topology and Connection Rules ..................................................................................................................... 2
2.3 Unified Device Management ................................................................................................................................. 4
2.4 Unified Configuration ............................................................................................................................................ 7
2.5 Unified User Management ..................................................................................................................................... 8
2.6 Packet Forwarding ................................................................................................................................................10
3 Customer Benefits .................................................................................................................... 1
3.1 Simplified Network Management........................................................................................................................... 1
3.2 Wired and Wireless Convergence ........................................................................................................................... 2
3.3 Visualized Management ......................................................................................................................................... 2
4 Typical Application Scenarios................................................................................................ 1
4.1 Small or Medium-Sized Wired Campus Network ................................................................................................... 1
4.2 Large Wired and Wireless Converged Campus Network ......................................................................................... 2
4.3 Super-Large Wired and Wireless Converged Campus Network ............................................................................... 3
4.4 Cross-Area Large Campus Network ....................................................................................................................... 4
4.5 SVF System Across an Intermediate L2 Network ................................................................................................... 5
Huawei Sx7 Series Switches
SVF Technology White Paper 1 Overview
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
1
1 Overview 1.1 Background
Huawei CSS/CSS2 and iStack are horizontal virtualization technologies that virtualize
multiple network devices at the same layer into one logical device, without changing the
physical network topology, as shown in Figure 1-1. These virtualization technologies make
ring network protocols in dual-homing networking obsolete and shorten failover time (trunk
link convergence time instead of protocol convergence time). CSS/CSS2 and iStack simplify
the network structure, which ultimately reduces network management costs.
Figure 1-1 Network architecture evolution
On a large-scale enterprise campus network, access switches are usually widely distributed
and use similar simple service configurations. Although iStack simplifies the structure of the
access layer, a large number of access nodes on the network still require configuration and
management.
Aggregation
AC
AP
User
Access
AP
CSS2
MSTP
VRRP
iStack
AC
Aggregation
User
AccessEvolution
Huawei Sx7 Series Switches
SVF Technology White Paper 1 Overview
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
2
To further simplify deployment and management of those access nodes, Huawei developed
Super Virtualization Fabric (SVF), a vertical virtualization technology. As shown in Figure
1-2, SVF virtualizes downstream access devices (SVF-Client) under the control device
(SVF-Parent) into one logical device (SVF system). In the SVF system, access switches (ASs)
are managed as wired ports, and access points (APs) as wireless ports. In this way, the
aggregation and access devices in the SVF system are managed as one node, which greatly
reduces the number of network nodes and implements centralized control and management on
the network.
Figure 1-2 Network virtualization using SVF technology
1.2 Technology Advantages SVF technology applies to networks where many access devices are widely distributed and
use similar simple service configurations. This section describes the advantages of this
technology.
Unified Device Management
Unified device management provides the following benefits:
Centralized control: The SVF-Parent and SVF-Client nodes are virtualized into one
logical device and share the same management plane, control plane, and forwarding
plane, which reduces the number of network layers and nodes that need to be managed.
Zero-touch provisioning: Configuration is performed on the parent. Access devices join
the SVF system automatically after they are connected to the network and obtain
configuration files, system software, and patch packages from the parent, providing plug-and-play functionality to access devices.
1 2
M
User
SVF-Parent
AP
AS
User
CSS2
AS
iStack
SVF-Client
AP
CSS2
iStack
SVF system
Virtualization
Huawei Sx7 Series Switches
SVF Technology White Paper 1 Overview
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
3
Simplified network maintenance: Network administrators can upgrade system software
and patches for access devices, query AS information, including port status, CPU usage, and memory usage, and centrally manage wired and wireless users on the parent.
Unified Service Configuration
An SVF system provides intelligent and easy-to-understand unified service configuration
using service configuration profiles. As a result, network administrators need to perform
configuration on the SVF-Parent only, eliminating the need to log in to access devices
individually to configure them. The parent can identify access devices and their ports and
automatically deliver configuration data to the access devices. Automatic configuration
delivery avoids repetitive configuration on access devices, significantly improving network
deployment efficiency.
Unified Policy Deployment
An SVF system implements authentication and policy-based authorization on the parent. User
policies can be enforced on the parent or delivered to access devices. Because user policies
are delivered to access devices from the parent, administrators do not need to configure user
policies on individual access devices.
Wired and Wireless Convergence
The SVF-Parent supports the native access controller (AC) function and integrates wireless
devices into the fabric system. The native AC function avoids bottlenecks of wireless traffic
forwarding in the fabric architecture and realizes in-depth wired and wireless
convergence, which helps to reduce network construction cost and improves user experience.
High Reliability
An SVF system implements device and link redundancy using CSS/CSS2, iStack, and
link-aggregation technologies. Huawei's industry-leading CSS2 technology supports 1+N
backup of Main Processing Units (MPUs) in a cluster, which enables the SVF system to work
normally even when only one MPU is operational. The entire SVF system requires a tree
topology. When a port is connected incorrectly, the system generates an alarm and blocks the
port to prevent any impact on services.
Diversified Product Models
Any product models supporting the SVF-Parent and SVF-Client roles can be combined to set
up an SVF system.
The following table lists the product models supporting SVF technology.
Role Product Series Description
SVF-Parent S12700 X1E cards (supporting
native AC) are not
mandatory on modular
switches functioning as the
S9700
S7700
Huawei Sx7 Series Switches
SVF Technology White Paper 1 Overview
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
4
Role Product Series Description
S5720HI SVF-Parent. They are
required only when APs
need to connect to the SVF
system.
The SVF function is
controlled by license on the SVF-Parent.
SVF-Client (AS) S2750EI N/A
S5700LI
S5700S-LI
S5720EI
SVF-Client (AP) AP6010SN/DN,
AP6310SN, AP6510DN,
AP6610DN, AP3010DN,
AP5010SN/DN,
AP7110SN/DN,
AP5030DN, AP5130DN, AP2010DN
N/A
SVF-Parent and SVF-Client devices can be connected using GE or 10 GE ports, and edge
ports of SVF-Client devices provide 100 Mbit/s, 1,000 Mbit/s, or 10 Gbit/s forwarding
capabilities.
Low TCO
SVF provides the following benefits to help to reduce the total cost of ownership (TCO):
Reduces cost: SVF technology virtualizes high-end devices and low-end or
medium-range devices into one logical device to expand port density and bandwidth of
high-end devices. This virtualization technology reduces network deployment costs and
improves access capacity of the entire network. Additionally, an SVF system is easy to
expand. When higher network capacity is required, more devices can be connected to the
SVF system to expand port density and bandwidth. The high extensibility helps reduce
investment in earlier stages of network construction.
Protects investments: Original SVF-capable hardware devices can support SVF
virtualization after an upgrade of software. SVF allows parent and client devices to be
connected across third-party or Huawei devices that do not support the SVF function.
Therefore, these devices do not need to be replaced, protecting customers' initial investment.
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
1
2 Implementation 2.1 Concepts
Figure 2-1 Roles of devices and ports in an SVF system
Device Roles
SVF-Parent: control device in an SVF system, which is responsible for control, management,
and service configuration of the entire SVF system. The SVF-Parent node often acts as the
Layer 3 (L3) gateway for access users. This node can be a standalone device or a CSS/CSS2
or iStack system.
SVF-Parent
SVF-Client
Level-1 AS
Level-2 AS
Terminal
AP
Fabric port
Fabric port
Fabric port
Fabric port
AS
AS
AS
User-side portUser-side port
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
2
SVF-Client: access device in an SVF system, which can be a wired AS or a wireless AP. ASs
in an SVF system are divided into two levels: Level-1 and level-2. Level-1 ASs are connected
directly to the SVF-Parent, and level-2 ASs are connected to the level-1 ASs. Each level-1 or
level-2 AS can be a standalone device or an iStack system.
Port Roles
Fabric port: a port connecting the SVF-Parent and a level-1 AS or a level-1 AS and a level-2
AS. A fabric port can have one to eight member ports. To ensure sufficient bandwidth and link
reliability between connected devices, each fabric port should have two or more member ports.
On modular switches or S5720HI switches functioning as the SVF-Parent, any ports on the
front panel can be used as fabric ports. When an AS functions as the SVF-Client, only the last
two or four network-side ports or the ports on extended cards can be used as uplink fabric
ports. A standalone AS can have a maximum of six uplink fabric ports, including fixed ports
on the front panel and ports on the extended card. An AS stack system can have a maximum
of eight uplink fabric ports.
User-side port: an edge device's port connected to a user terminal. User-side ports can be
connected to wired terminals like PCs or wireless APs.
2.2 SVF Topology and Connection Rules An SVF system supports only the tree topology. The SVF-Parent can manage two layers of
ASs and allows ASs at each layer to connect to wireless APs and wired terminals. If wireless
services are required in the SVF network, APs can connect to X1E cards of the modular
switches or S5720HI switches. If wireless services are not required, modular switches can be
used without X1E cards.
The SVF-Parent can manage one layer of ASs across a Layer 2 (L2) network. The ASs can
connect to APs or wired terminals. Third-party devices are allowed on the intermediate L2
network. The network administrator must perform the following configuration on the
intermediate L2 network:
1. Bundle the uplink ports connected to the SVF-Parent into an Eth-Trunk to connect to the fabric port of the SVF-Parent, and bundle downlink ports connected to ASs into Eth-Trunks.
2. Assign a management VLAN and corresponding service VLANs to the Eth-Trunks to implement L2 communication between the SVF-Parent and ASs.
If the SVF-Parent connects to an SVF-Client through a third-party L2 device, the specific
ports connecting these devices cannot be displayed in the topology. The fabric ports between
the SVF-Parent and SVF-Client are displayed as virtual connections.
As shown in Figure 2-2, the SVF-Parent can be a standalone device or a stack, and each AS
can be a standalone device or stack. One or more ports connecting the SVF-Parent to an AS
can be bundled into a fabric port. You can design an SVF network architecture based on the
network scale, service requirements, reliability requirements, and investment.
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
3
Figure 2-2 SVF networking capability
Figure 2-3 shows common incorrect connections in an SVF system. When incorrect
connections are detected, the system generates alarms to prompt the administrator to
reconnect the cables. In addition, the incorrectly connected ports are blocked to prevent
services from being affected.
SVF-Parent
SVF-Client
One layer of AS
SVF-Parent
SVF-Client
Level-1 ASLevel-1 AS
Level-2 AS
Applicable to small or medium-sized campus
networks with only wired terminals
Two layers of AS
Applicable to large or medium-sized campus
networks with only wired terminals
SVF-Parent
SVF-Client
One layer of AS & AP
Level-1 AS
Applicable to small or medium-sized campus
networks with both wired and wireless terminals
SVF-Parent
SVF-Client
Level-1 AS
Level-2 AS
Two layers of AS & AP
Applicable to large or medium-sized campus
networks with both wired and wireless terminals
SVF-Parent
SVF-Client
Single link between fabric ports
Level-1 AS
Level-2 AS
Applicable to networks with low reliability
requirements, insuf f icient f iber resources,
and limited investment
SVF-Parent
SVF-Client
SVF connection across a Layer 2 network
Only one layer of AS allowed
Third-party or Huawei devices can exist on
the L2 network
Transparent L2
network
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
4
Figure 2-3 Typical incorrect connections in an SVF system
2.3 Unified Device Management In an SVF system, the SVF-Parent uses Huawei's proprietary protocols AS Discover Protocol
(ASDP) and LLDP-Based Network Topology (LBNT) to discover ASs and collect topology
information. The SVF-Parent uses the ASDP protocol to discover ASs and deliver network
parameters to ASs, while ASs use the ASDP protocol to establish connections with the
aggregated fabric ports on the SVF-Parent. The SVF-Parent uses the LBNT protocol to collect
neighbor information from ASs and calculates the topology of the entire network based on the
collected information. Both ASs and APs can set up Control and Provisioning of Wireless
Access Points (CAPWAP) control channels with the SVF-Parent. The ASs and APs
register with the SVF-Parent, and are controlled and managed by the SVF-Parent over the
control channels. Using the ASDP, LBNT, and CAPWAP protocols, the SVF-Parent centrally
manages all the attached ASs and APs so that the network is virtualized into one logical
device.
Automatic Discovery
To enable automatic discovery, the administrator must first configure a management VLAN
and create an IP address pool for the management VLAN on the SVF-Parent. Then the
downlink fabric port connecting the SVF-Parent to the level-1 AS must be specified, as shown
in callout 1 in Figure 2-4. The level-1 AS has no configuration file and requires no manual
configuration by the administrator. When the level-1 AS is connected to the SVF-Parent, the
SVF-Parent detects the AS using ASDP and checks whether the connection is correct through
ASDP negotiation. If an incorrect connection is detected, the SVF-Parent generates an alarm
and blocks the incorrectly connected port. If the connection is correct, the SVF-Parent
delivers the management VLAN ID to the level-1 AS. The AS negotiates with the SVF-Parent
using the ASDP protocol. Upon successful negotiation, the AS's uplink ports connected to the
SVF-Parent join the fabric port, and the management VLAN is automatically assigned to the
fabric port. In this way, L2 connectivity is implemented between the AS and
SVF-Parent without manual intervention, as shown in callout 2 of Figure 2-4. The AS then
applies for an IP address from the SVF-Parent using the DHCP protocol, sets up a CAPWAP
control tunnel with SVF-Parent, and registers with the SVF-Parent.
SVF-Parent
One AS is connected to two parent nodes
(alarm generated).
SVF-Parent
SVF-Client
One level-1 AS is connected to two Level-1
ASs (alarm generated).
SVF-Client
Incorrect connection 1 Incorrect connection 2
SVF-Parent
SVF-Client
Two ASs of the same level are connected, so
the topology is not a tree topology (alarm
generated).
Incorrect connection 3
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
5
After level-1 AS registration is complete, the administrator specifies the downlink fabric port
that connects the level-1 AS to a level-2 AS on the SVF-Parent. After similar automatic
discovery and fabric port aggregation processes, the level-2 AS automatically establishes L2
communication with the level-1 AS, as shown in callout 3 of Figure 2-4. Similarly, the level-2
AS sets up a CAPWAP control tunnel and registers with the SVF-Parent. In this way, multiple
devices are vertically virtualized into one logical device, as shown in callout 4 of Figure 2-4.
The SVF-Parent discovers first level-1 ASs and then level-2 ASs. At most, two layers of ASs
are allowed in an SVF system. An AS's user-side ports can connect to APs, which can also be
managed in the SVF system. After the management VLAN is assigned to user-side ports
connected to APs, APs can obtain IP addresses from the SVF-Parent, set up CAPWAP control
tunnels with the SVF-Parent, and register with the SVF-Parent.
An AS can be a stack that is set up by multiple access switches through stack card connection
or service port connection. If the service port connection mode is used, the stack must be set
up before fabric ports of the AS can be connected. If the stack card connection mode is used,
the stack can be set up before or after fabric ports are connected.
Figure 2-4 SVF-Client automatic discovery
SVF-Parent
SVF-Client
SVF-Parent
SVF-Client
Level-1 AS Level-1 AS
SVF-Parent
SVF-Client
Level-1 AS
Level-2 AS
SVF-Parent
SVF-Client
Level-1 AS
Level-2 AS
1 2
34
Configure
fabric port
on Parent
Auto fabric port
negotiation, auto
AS discovery
Auto fabric port
negotiation, auto
AS discovery on
level-2 AS
Assign management
VLAN to user-side
port on Parent to
enable AP to connect
to SVF directly
Specify fabric
port for
registered AS
on Parent
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
6
Topology Collection
After SVF-Client nodes are discovered using the ASDP protocol, L2 link connectivity is
implemented between the SVF-Parent and SVF-Client nodes. The SVF-Parent then sets up
CAPWAP control tunnels with ASs. When the link between an AS and its neighbor becomes
Up, the AS discovers the directly connected neighbor using the LLDP protocol. Each AS
saves collected neighbor information locally. After SVF-Client nodes are registered on the
SVF-Parent, the SVF-Parent uses the proprietary LBNT protocol to collect neighbor
information from ASs, and then calculates the topology of the entire network based on that
collected information. The topology needs to be recalculated when the topology changes, for
example, when a link becomes Up or Down, or an AS joins or leaves the SVF system.
Figure 2-5 Topology collection
Centralized Device Management
The SVF-Parent exchanges control messages with ASs over CAPWAP tunnels to control and
manage ASs in a centralized manner. After an AS registers with the SVF-Parent successfully,
the AS determines whether to download the upgrade system software and patch from the
SVF-Parent. SVF supports batch software/patch upgrades for ASs and can also upgrade a
specified AS individually. All service configuration is performed on the SVF-Parent, and all
ASs obtain configuration files from the SVF-Parent.
SVF-Parent
AS AS ASAS AP
AS AS AP
AP
CAPWAP tunnel
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
7
The SVF-Parent collects AS information, including CPU usage, memory usage, and port
status, and ASs report key maintenance information to the SVF-Parent. For example, if an AS
has a high CPU or memory usage, it sends a notification to the SVF-Parent. The network
administrator monitors AS status on the SVF-Parent.
Pre-configuration
As shown in Figure 2-6, an SVF system allows ASs to join the system with zero configuration,
implementing plug-and-play access. The network administrator needs only to specify MAC
addresses of new ASs and complete pre-configuration for the ASs on the SVF-Parent. When
the ASs connect to the SVF system, the SVF-Parent delivers configuration data to the ASs,
and the ASs automatically update their system software and patch versions, if needed. The
automatic configuration delivery and version upgrade greatly improve device deployment
efficiency.
Figure 2-6 Pre-configuration
2.4 Unified Configuration
SVF supports batch configuration of ASs using configuration profiles, as shown in Figure 2-7.
This function frees network administrators from repeated configuration on each access device.
A configuration profile can be delivered to multiple ASs and multiple configuration profiles
can be delivered to one AS. Service-oriented configuration profiles are easy to understand and
shield dependency between features, thereby greatly improving user experience.
Configuration profiles can be classified into two categories: network management profiles and
service profiles. Network management profiles are used for centralized management and
maintenance of SVF-Client nodes. Service profiles are divided into network basic profile,
network enhanced profile, and user access profile, which are mainly used for user access and
security protection.
SVF-Parent
SVF-Client
Plug-and-play access of one layer of ASs
SVF-Parent
SVF-Client
Plug-and-play access of two layers of ASs
Level-1 AS Level-1 AS
Level-2 AS
Make pre-configuration on Parent before AS
connection
Auto configuration delivery when ASs connect to the
system
Make pre-configuration for two layers of ASs
on Parent before AS connection
Auto configuration delivery when ASs connect to the
system
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
8
Figure 2-7 Profile-based configuration
2.5 Unified User Management
Policy Association
S series switches support the policy association feature, which can be used independently
or with the SVF feature. The SVF-Parent authenticates all users and delivers policies for
dynamic authorization after users are successfully authenticated. User policies can be
enforced on the SVF-Parent or delivered to access devices from the SVF-Parent and enforced
on access devices. Policy association can be configured in an SVF system to ensure SVF
network security or implement fine-grained management on user traffic. The SVF-Parent
functions as the centralized authentication and authorization point. The policy enforcement
point (PEP) can be deployed on the SVF-Parent (local authorization) or SVF-Clients (remote
authorization). The administrator can flexibly configure local and remote authentication in an
SVF system. When SVF-Clients function as PEPs in remote authorization mode, they act as
data-forwarding control points. When the SVF-Parent functions as the PEP in local
authorization mode, it can dynamically deliver user control list (UCL), access control list
(ACL), committed access rate (CAR), priority, and other policies for refined user access and
traffic control.
After policy association is configured in an SVF system, the access port of an unauthenticated
user is in a restricted state. The user can access DHCP, RADIUS, Portal, eSight, and other
servers specified in authentication-free rules, and data packets sent from this user to other
Security configuration for access portsBasic QoS configuration
Network basic
profile
(mandatory)
VLAN configurationPort configuration
Network
management
profile
Device login and administrator password configuration Local administrator user name and password configuration
Version management
AAA configurationAuthentication mode configuration
Se
rvic
e
Acce
ss
Ne
two
rk
Ma
na
ge
me
nt
Network
enhanced profile
(optional)
User access
profile
(optional)
Manage and
maintain
SVF-Client
Define a
logical
network
Logical
network is
secure
Terminals
connect to
network and
obtain
access rights
Configuration
templates are configured on
parent and
delivered to clients
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
9
users or the network side are not forwarded. After the user is authenticated, the SVF-Parent
sends a message to the AS over the CAPWAP control tunnel, notifying the AS that the access
port can forward data packets. The user then obtains access rights. This mechanism prevents
unauthenticated users from communicating with other users through the L2 network. If the
SVF-Parent functions as the PEP, traffic forwarded to the SVF-Parent is controlled by more
refined policies, implementing fine-grained user management.
Figure 2-8 Policy association
Centralized User Information Query
The SVF-Parent provides unified authentication and policy control for both wired
and wireless users. The authentication point is also the PEP, which facilitates management.
SVF-Parent
AS AS ASAS
AS AS
CAPWAP tunnel
DHCP/Radius/Portal/eSight
server
Authenticated user Unauthenticated
user
1 Before authentication
Auth point
PEP
Authenticated user
Unauthenticated
users can access only
specif ied servers
Unauthenticated
users cannot access
other users or
network resources
SVF-Parent
AS AS ASAS
AS AS
Newly
authenticated user
2 After authenticationCAPWAP tunnel
Authenticated user Authenticated user
DHCP/Radius/Portal/eSight
serverAuth point
PEP
Authenticated users
can access other
users and network
resources
User is authenticated.
Parent deliver a policy
to grant access rights
over CAPWAP tunnel.
User can access
network resources.
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
10
The network administrator can view information about all access users connected to ASs and
APs on the SVF-Parent, including the access devices and ports to which wired users connect
and the APs to which wireless users connect.
2.6 Packet Forwarding An SVF system provides comprehensive L2/L3 forwarding capabilities. The SVF-Parent
provides L2/L3 forwarding, and SVF-Clients provide L2 forwarding. To forward a received
packet, an SVF-Client searches the local forwarding table to find the outbound interface and
sends the packet from this interface. L2 packets can be directly forwarded by
SVF-Clients, whereas L3 packets must be sent to the SVF-Parent and forwarded based on the
L3 forwarding table of the SVF-Parent. SVF supports distributed and centralized forwarding
modes, which can be set using commands. The distributed forwarding mode is the default
mode.
Figure 2-9 shows the distributed forwarding mode, in which each device looks up outbound
interfaces of packets in its local forwarding table and forwards packets from the outbound
interfaces directly. Each SVF-Client learns MAC addresses of all attached access users in the
same VLAN as it and allows these users to communicate directly. For example, Host 1 and
Host 2 in Figure 2-9 can communicate directly through the SVF-Client. Distributed
forwarding leverages the forwarding capability of each SVF-Client and avoids circuitous
forwarding paths, making full use of each device's bandwidth. This forwarding mode is
recommended if the customer requires direct L2 communication between users but does not
require L2 user isolation or access control.
Figure 2-9 Distributed forwarding
SVF-Parent
SVF-Client
HostsHost1
MAC1IP1
Host2
MAC2IP2
SA = MAC1 + IP1,
DA = MAC2 + IP2 + Payload
SA = MAC1 + IP1,
DA = MAC2 + IP2 + Payload
SA = MAC1 + IP1,
DA = MAC2 + IP2 + Payload
Gateway
MAC3IP3
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
11
Figure 2-10 shows the centralized forwarding mode, in which packets are sent to the
SVF-Parent and forwarded from outbound interfaces on the SVF-Parent according to its
forwarding table. On an SVF-Client, ports in the same VLAN are isolated; therefore, users
connected to the SVF-Client cannot communicate through the SVF-Client directly. When
Host 1 needs to communicate with Host 2, Host 1 sends an Address Resolution Protocol (ARP)
Request to Host 2. The gateway (SVF-Parent) sends an ARP Reply to Host 1 but the MAC
address mapped to IP2 in the ARP Reply is the gateway's MAC address (MAC3), not Host 2's
MAC address (MAC2). Subsequently, data packets sent from Host 1 to Host 2 are sent to the
gateway for L3 forwarding. The centralized forwarding mode is recommended if the customer
requires centralized control or fine-grained management of user traffic and L2 user isolation.
Figure 2-10 Centralized forwarding
Table 2-1 Deployment suggestions for various user access scenarios
Access Scenario Forwarding Mode
Policy Association
Authentication Mode
Authentication-Free Rule
1. Unauthenticated
users are not
allowed to connect to the network.
2. Authenticated
users are allowed to
communicate directly.
3. Users can access
Distributed
forwarding
1. ASs disable data
forwarding before
authentication.
2. Use the local
authorization mode
and enforce policies
on the SVF-Parent (optional).
3. Assign different
Dot1x/MAC/Portal Configure
authentication-free
rules to allow
access to basic
servers before
authentication.
SVF-Parent
SVF-Client
HostsHost1
MAC1IP1
Host2
MAC2IP2
SA = MAC1 + IP1,
DA = MAC3 + IP2 + Payload
SA=MAC3 + IP1,
DA=MAC2 + IP2 + Payload
SA = MAC3 + IP1,
DA = MAC2 + IP2 + Payload
Gateway
MAC3IP3
SA=MAC1 + IP1,
DA=MAC3 + IP2 + Payload
Huawei Sx7 Series Switches
SVF Technology White Paper 2 Implementation
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
12
Access Scenario Forwarding Mode
Policy Association
Authentication Mode
Authentication-Free Rule
basic servers before authentication.
VLANs to
departments that
need to be isolated
(optional).
1. Unauthenticated
users are not
allowed to connect
to the network.
2. Communication
between
authenticated users
is controlled
centrally and L2
communication is
isolated.
3. Users can access
basic servers before authentication.
Centralized
forwarding
1. ASs disable data
forwarding before authentication.
2. Use the local
authorization mode
and enforce policies on the SVF-Parent.
Dot1x/MAC/Portal Configure
authentication-free
rules to allow
access to basic
servers before authentication.
1. Unauthenticated
users are not
allowed to connect to the network.
2. Authenticated
users do not need to
be isolated.
3. Basic servers do
not need to be
specified for
pre-authentication
access.
Distributed or
centralized
forwarding
ASs disable data
forwarding before
authentication.
Dot1x/MAC/Portal In Portal
authentication
mode, configure
authentication-free
rules for the Portal
server. No
authentication-free
rule is required in
other authentication
modes.
SVF is used only to
simplify network
management and
there is no
requirement for user authentication.
Distributed or
centralized forwarding
None None None
Huawei Sx7 Series Switches
SVF Technology White Paper 3 Customer Benefits
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
1
3 Customer Benefits 3.1 Simplified Network Management
If a campus network has many access devices that are widely distributed and use similar,
simple service configurations, SVF technology can be used to virtualize the campus network
into one or multiple SVF systems to simplify network management. SVF supports automatic
topology discovery and establishment, enables plug-and-play connection of access devices
through pre-configuration, and provides unified device management, user management,
configuration, and maintenance. All of these features improve network management and
maintenance efficiency.
The SVF-Parent sends key alarms, for example, alarms about high CPU usage and memory
usage, to the Huawei eSight network management system, as shown in Figure 3-1. eSight
then displays all alarms for the administrator to check. Once a fault occurs on the network,
eSight quickly identifies the failure point based on the key alarms without comparing time
stamps of access devices.
Huawei Sx7 Series Switches
SVF Technology White Paper 3 Customer Benefits
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
2
Figure 3-1 Simplifying network management through SVF
3.2 Wired and Wireless Convergence When X1E cards are installed on the SVF-Parent, the SVF system implements wired
and wireless convergence. SVF technology unifies the management plane, control plane, and
forwarding plane of devices, which eliminates bandwidth bottlenecks for wireless forwarding
and improves work efficiency and user experience of network administrators.
Wireless devices can connect directly to the X1E cards. This networking is recommended for
new wired and wireless converged networks or networks with a large number of users.
Wireless devices can also connect to non-X1E cards; however, X1E cards are still required
because wireless traffic must be directed to the X1E cards for processing. This networking is
recommended when wireless service needs to be added to an SVF wired network with many
access devices and wireless users are widely distributed.
3.3 Visualized Management
The Huawei eSight network management system provides visualized SVF system
management, and shows topology of the SVF-Parent, ASs, and APs in an SVF system, as
shown in Figure 3-2. eSight monitors device and link status in real time. When an AS or AP
joins or leaves the SVF system, the AS or AP is added or deleted automatically in the
topology view. When the status of a link changes, the new link status is displayed in the
topology view, helping the network administrator to identify topology changes quickly.
Access
Aggregation
Access
Building B:
Sales center
Building A:
Administration & management center
Building C:
Customer service center
Building D:
R&D center
Building E:
Testing center
Building F:
Production center
CSS
iStackiStack
eSight
SVF system
Reporting key alarms
Virtual device
Huawei Sx7 Series Switches
SVF Technology White Paper 3 Customer Benefits
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
3
Figure 3-2 Topology of an SVF system
eSight also displays a device's panel, as shown in Figure 3-3. The network administrator can
click a fabric port on the SVF-Parent's panel to view status of the SVF-Client connected to the
fabric port and downstream topology. The administrator can monitor all the
downstream wired and wireless devices connected on the SVF-Parent's panel.
Figure 3-3 Centralized SVF system management on the Device Panel page
eSight provides unified management of wired and wireless users, as shown in Figure 3-4. The
user list shows characteristics of both wired and wireless users, including AS ports
to which wired users connect and APs to which wireless users connect. When a user fails to
connect to the network, the network administrator can quickly locate the AS or AP
through which the user connects to the network. This feature improves troubleshooting
efficiency and facilitates fault diagnosis for wireless users. eSight also provides configuration
templates, which allow the network administrator to see the configuration required for service
operations on the template configuration matrix.
Huawei Sx7 Series Switches
SVF Technology White Paper 3 Customer Benefits
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
4
Figure 3-4 Unified management of wired and wireless users
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
1
4 Typical Application Scenarios 4.1 Small or Medium-Sized Wired Campus Network
As shown in Figure 4-1, a small or medium-sized campus network often uses a two-layer
architecture. Campus networks of small and medium-sized enterprises or enterprise branch
networks fall into this category. Access devices provide L2 forwarding and use similar, simple
service configurations. The L3 gateway is deployed on aggregation devices. SVF can be used
to simplify network management.
Figure 4-1 Small or medium-sized wired campus network
NE deployment at the aggregation layer
S7700/S9700 or 5720HI switches are deployed at the aggregation layer and function as
the SVF-Parent to manage all of the ASs. Huawei eSight can be deployed for visualized
network management.
DHCP server deployment
CSSSVF-Parent
SVF-Client
WAN Internet
L2
sw
itch
ing
L3
rou
ting
eSight
VLAN 10 VLAN 200VLAN 100 VLAN 10 VLAN 200VLAN 100 VLAN 10 VLAN 200VLAN 100VLAN 10 VLAN 200VLAN 100
VLAN 10
VLAN 100
VLAN 200
Access layer
Aggregation layer
Core layer
Profile_1
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
2
The enterprise does not have many employees, so the DHCP server is deployed on
aggregation switches to simplify network deployment.
Reliability deployment
Two aggregation switches set up a CSS to implement device backup.
User management deployment
If the customer requires high security of wired user access security, 802.1x
authentication is configured for wired user access and configure MAC address bypass
authentication for dumb terminals. If the customer does not require high security, Portal
authentication is recommended. The SVF-Parent should be the authentication point.
Forwarding model deployment
If the customer requires high security of traffic forwarding, the centralized forwarding
mode on the SVF-Parent is configured to centrally control traffic of wired users at the
aggregation layer. If the customer does not have high security requirements, the distributed forwarding mode is used.
4.2 Large Wired and Wireless Converged Campus Network
Figure 4-2 shows a large campus network, on which the L3 gateway connects to two layers of
ASs. Such networks have a large scale and many access users. University campus networks
and networks of large enterprises fall into this category. SVF provides customers with a
simplified network structure and reduces network construction costs through wired
and wireless convergence.
Figure 4-2 Large campus network
CSS2SVF-Parent
SVF-Client
WAN Internet
Level-1 AS
Level-2 AS
eSight
VLAN 10 VLAN 200VLAN 100 VLAN 300 VLAN 500VLAN 400
VLAN
100
VLAN 200
VLAN 10 VLAN 300
VLAN
400
VLAN 500
Profile_1 Profile_2
Access layer
Aggregation layer
Core layer
L2
sw
itch
ing
L3
rou
ting
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
3
Wired and wireless convergence point deployment
Huawei recommends that S12700 switches be deployed as the SVF-Parent to manage all
ASs and APs. The S12700 switches provide native AC functions for wireless user
management and both wired and wireless devices can connect directly to X1E cards of the S12700 switches.
DHCP server deployment
Because there are many users on a campus network, it is recommended that an
external DHCP server be deployed to allocate IP addresses to all wired and wireless users in the campus.
Reliability deployment
Two aggregation switches set up a CSS to implement device backup.
User management deployment
802.1x authentication is configured to ensure secure access of wireless users. If the
customer does not require high security, Portal authentication is recommended. The SVF-Parent is used as the authentication point.
A university campus network can use Point-to-Point Protocol over Ethernet (PPPoE)
authentication for wired users and deploy the authentication point on the SVF-Parent.
An enterprise campus network can use 802.1x authentication for wired users. To
block communication between unauthenticated users, remote authorization and
authentication-free rules can be configured to specify the resource servers that users
can access before authentication. Local authorization can be configured on the SVF-Parent to implement more user-specific access control.
Forwarding model deployment
Wireless traffic is forwarded over tunnels in centralized mode.
If centralized traffic control is required for traffic of wired users, the centralized
forwarding mode can be used. If the customer does not require high security, the
distributed forwarding mode can be used as it is easy to deploy and can fully use bandwidth of access devices.
4.3 Super-Large Wired and Wireless Converged Campus Network
Figure 4-3 shows a super-large campus network that covers a large area and has a large
number of access devices. Such a network can be virtualized into multiple SVF systems so
that only several nodes need to be managed and maintained. High-performance S12700
switches are recommended at the core layer, and S7700/S9700 or S5720HI switches can be
deployed at the aggregation layer as the SVF-Parent in each SVF system to manage ASs and
APs in the system. The deployment in each SVF system is similar to that described in section
4.1 "Small or Medium-Sized Wired Campus Network." In this scenario, each SVF-Parent
manages only one layer of ASs. This networking architecture is suitable for campus networks
that have many widely distributed ASs, such as large enterprise campus networks.
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
4
Figure 4-3 Super-large campus network
4.4 Cross-Area Large Campus Network Figure 4-4 shows a large campus network covering multiple areas, also known as cross-area
networks. The network in each area can be virtualized into an SVF system and the
deployment in each SVF system is similar to that described in section 4.2 "Large Wired and
Wireless Converged Campus Network." In this scenario, each SVF-Parent manages two
layers of ASs. This networking architecture is suitable to networks that have many densely
distributed ASs in multiple areas, for example, a large enterprise's office buildings. Devices in
each building can be virtualized into an SVF system, and each SVF-Parent connects to two
layers of ASs. This scenario is similar to that described in section 4.3 "Super-Large Wired and
Wireless Converged Campus Network." Select either networking modes based on actual
situations.
CSS/iStackSVF-Parent
SVF-Client
WAN Internet
AS
eSight
VLAN 10 VLAN 200VLAN 100 VLAN 300 VLAN 500VLAN 400
CSS/iStack
CSS2
Access layer
Aggregation layer
Core layer
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
5
Figure 4-4 Cross-area large campus network
4.5 SVF System Across an Intermediate L2 Network
An SVF system can be established across an L2 network. Therefore, Huawei or non-Huawei
devices not supporting the SVF function do not need to be replaced when an SVF network is
deployed, which protects the customer's initial investment. The intermediate L2 network must
have uplink and downlink Eth-Trunks configured to connect to fabric ports of the SVF
members. In addition, the management VLAN of the SVF system and corresponding service
VLANs need to be assigned to the uplink and downlink Eth-Trunks to ensure L2 link
connectivity. Only one layer of ASs can connect to the intermediate L2 network. As this L2
network is not a member of the SVF system, the SVF-Parent cannot manage devices on the
L2 network. To implement unified management of all access devices and facilitate network
management and maintenance, avoid this networking if possible. The SVF system
deployment is similar to that described in section 4.2 "Large Wired and Wireless Converged
Campus Network."
CSSSVF-Parent
SVF-Client
IP/MPLS
Core
Level-1 AS
Level-2 AS
eSight
CSS
SVF1 SVFn
Access layer
Aggregation layer
Core layer
Huawei Sx7 Series Switches
SVF Technology White Paper 4 Typical Application Scenarios
Issue 01 (2014-11-20) Huawei Proprietary and
ConfidentialCopyright Huawei
Technologies Co., Ltd.
6
Figure 4-5 SVF system across an intermediate L2 network
CSSSVF-Parent
SVF-Client
WAN Internet
eSight
L2 network of
third-party devices
L2 network of
Huawei devices
L2 switching
L3 routing