- Released At: 25-06-2024
H3C Campus Switches SmartMC Best Practices
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Configuring automatic deployment
Deploying configurations in bulk
Configuring unified wired and wireless maintenance
Configuring basic WLAN settings
Viewing the network topology and device details
Managing cameras in static mode
Managing cameras in dynamic mode
Viewing cameras in the topology
Configuring audio and video monitoring
Viewing audio and video monitoring information
Automatic endpoint identification
Identifying an endpoint through DHCP Option 55 fingerprint
Identifying an endpoint through HTTP user agent fingerprint
Configuring fingerprints on a TM
Enabling or disabling health analysis
Configuring port authentication
Appendix Configurations automatically deployed by port authentication
SmartMC feature specifications
SmartMC restrictions and guidelines
Recommended devices for SmartMC
About SmartMC
Background
As the network scale expands, a large number of access devices need to be deployed at the network edge, increasing the complexity and operational costs of campus networks. Users require a simple, low-cost, and efficient network management platform to manage the increasingly complex campus networks.
Smart Management Center (SmartMC) is an integrated network management platform. To access it, users only need to log in to the Web page of the switch from a browser. SmartMC integrates a wide range of network management and maintenance functions and lets users manage devices in bulk, which solves the problem of centrally managing a large number of devices.
Operating mechanism
Network framework
Figure 1 shows the basic framework of a SmartMC network. The SmartMC network contains the following elements:
· Commander—Also called topology master (TM), which manages all members in the SmartMC network. In a SmartMC network, only one device acts as the commander and the remaining devices all act as members.
· Member—Also called topology client (TC), which is managed by the commander. The maximum number of manageable member devices in a SmartMC network varies by device model.
· File server—Stores startup software images and configuration files for the commander and members. Members obtain the required files from the server according to commands issued by the commander. The file server can be an independent server or co-located with the commander or a member. As a best practice to reduce workloads on the commander or member, deploy an independent file server.
· Host—Used for accessing the management device's Web page through a browser. Users can enter the SmartMC network management platform by clicking SmartMC in the navigation bar on the Web page.
Figure 1 SmartMC network framework
Management platform
The SmartMC management platform integrates the following functions:
· Intelligent management—Includes device role changing, network topology collection, outbound interface configuration, and automated Ethernet link aggregation.
· Intelligent operation and maintenance—Includes member upgrade, bulk backup of configuration files, one-key VLAN deployment, smart port identification, resource monitoring, and faulty device replacement.
· Visibility—Includes network topology management, member adding, device list display, and device state display.
· Intelligent servicing—Includes user creation and activation.
With the SmartMC management platform, you can manage the SmartMC network topology and manage members in bulk.
Figure 2 through Figure 5 show example Web interfaces.
Figure 2 Intelligent management
Figure 3 Intelligent operation and maintenance
Figure 4 Visibility
Figure 5 Intelligent servicing
Best practice configuration
Network requirements
As shown in Figure 6, an AP is connected to TC 3, two cameras are connected to TC 3, and one camera is connected to TC 1. Configure the TM in the SmartMC configuration wizard.
· Configure TCs to automatically join the SmartMC network or manually add TCs to the network.
· Configure the AP, TM, and TCs to communicate with each other in VLAN 1.
· Enable AC functions on the TM and configure TC 3 to supply power to the AP and the cameras through PoE.
· Enable camera monitoring on the TM.
· Enable SIP-based SQA on all TCs to monitor audio and video sessions.
· Enable automatic endpoint identification on the TM.
· Enable the network-wide health analysis feature on the TM to view device health status.
· Enable port authentication on the TM to authenticate access users.
Deploying the SmartMC network
You can configure the members to join the network automatically or add them manually.
Configuring automatic deployment
Procedure
1. Configure the commander:
a. Log in to the commander and then click SmartMC from the left navigation pane.
Figure 7 SmartMC Web interface
b. Specify the management IP address (IP address of VLAN-interface 1 on the commander).
Figure 8 Specifying the management IP address
c. Specify the outgoing interface. Specify the interface on the commander that connects the commander to the current PC as the outgoing interface.
Figure 9 Specifying the outgoing interface
d. Specify the local user of the commander. You can specify an existing local user or a new local user. If you specify a new user, the system creates the user automatically.
Figure 10 Specifying the management user
e. Verify the commander settings.
Figure 11 Verifying the commander settings
2. Power on the members without loading any configuration. The members will join the SmartMC network automatically.
Verifying the configuration
Access the Visibility > Topology page and view the network topology. Verify that members have joined the network as expected.
Figure 12 Network topology
Configuring manual deployment
For members that cannot join the network automatically, you can access the Visibility > Topology page and click Add device to manually add them one by one.
Before you manually add a member, make sure the settings in Table 1 have been configured on that member.
Table 1 Required settings on members to add manually
Item: Specify an IP address for VLAN-interface 1. Make sure the IP address is in the same subnet as the IP address of VLAN-interface 1 on the commander.
Commands:
· interface vlan-interface 1
· ip address ip-address { mask-length | mask }

Item: Enable HTTP and HTTPS.
Commands:
· ip http enable
· ip https enable

Item: Enable the Telnet service.
Commands:
· telnet server enable

Item: Enable NETCONF over SOAP over HTTP.
Commands:
· netconf soap http enable

Item: Enable LLDP globally.
Commands:
· lldp global enable

Item: Create a user. Set the username and password to admin, add the telnet, http, and https service types, and authorize the user to use the network-admin user role.
NOTE: Before configuring the password, lower the password complexity requirements for local users.
Commands:
· password-control length 4
· password-control composition type-number 1 type-length 1
· undo password-control complexity user-name check
· local-user admin
· password simple admin
· service-type telnet http https
· authorization-attribute user-role network-admin

Item: Set scheme authentication for VTY user lines 0 to 63.
Commands:
· line vty 0 63
· authentication-mode scheme

Item: Enable SNMPv2c and create read-only community public.
Commands:
· snmp-agent sys-info version v2c
· snmp-agent community read public
Figure 13 Manually adding a member
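Table 1 leaves each manually added member with cleartext management services, the SNMP community public, and an admin account whose password equals its username. The following added example (not H3C code and not part of the original page) inventories those settings in a command list or provisioning template so they can be tracked and reviewed. The sample text, the finding names, and the min_length and min_types policy values are assumptions.

```python
import re

# Single-line commands from Table 1, matched exactly as the table writes them.
LINE_CHECKS = {
    "telnet server enable": "telnet-enabled",
    "ip http enable": "http-enabled",
    "netconf soap http enable": "netconf-over-http",
    "snmp-agent sys-info version v2c": "snmpv2c",
    "snmp-agent community read public": "snmp-community-public",
    "undo password-control complexity user-name check": "username-check-disabled",
}
PW_LENGTH = re.compile(r"^password-control length (\d+)$")
PW_TYPES = re.compile(r"^password-control composition type-number (\d+)")
LOCAL_USER = re.compile(r"^local-user (\S+)")
PW_SIMPLE = re.compile(r"^password simple (\S+)$")
SERVICE_TYPE = re.compile(r"^service-type (.+)$")
ROLE = re.compile(r"^authorization-attribute user-role (\S+)$")
# Lines that end the current local-user view in a command list.
VIEW_CHANGE = re.compile(r"^(#|quit$|return$|interface |line |local-user )")

# Constructed sample: the Table 1 commands as they would be typed on a member.
SAMPLE = """\
interface vlan-interface 1
 ip address 192.0.2.10 24
ip http enable
ip https enable
telnet server enable
netconf soap http enable
lldp global enable
password-control length 4
password-control composition type-number 1 type-length 1
undo password-control complexity user-name check
local-user admin
 password simple admin
 service-type telnet http https
 authorization-attribute user-role network-admin
line vty 0 63
 authentication-mode scheme
snmp-agent sys-info version v2c
snmp-agent community read public
"""


def audit(config_text, min_length=8, min_types=2):
    """Return sorted (line_no, finding) pairs for Table 1 settings that are present.

    min_length and min_types are assumed local policy values, not H3C defaults.
    """
    findings = []
    user = None   # name of the local-user view we are inside, if any
    users = {}    # user name -> facts collected from that view
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line:
            continue
        if VIEW_CHANGE.match(line):
            user = None
        m = LOCAL_USER.match(line)
        if m:
            user = m.group(1)
            users.setdefault(user, {"line": n, "default_pw": False, "admin": False})
            continue
        if line in LINE_CHECKS:
            findings.append((n, LINE_CHECKS[line]))
            continue
        m = PW_LENGTH.match(line)
        if m and int(m.group(1)) < min_length:
            findings.append((n, "short-password-policy"))
        m = PW_TYPES.match(line)
        if m and int(m.group(1)) < min_types:
            findings.append((n, "weak-password-composition"))
        if user is None:
            continue
        m = PW_SIMPLE.match(line)
        if m and m.group(1) == user:
            users[user]["default_pw"] = True
            findings.append((n, "password-equals-username"))
        m = SERVICE_TYPE.match(line)
        if m:
            for svc in sorted({"telnet", "http"} & set(m.group(1).split())):
                findings.append((n, "user-allows-" + svc))
        m = ROLE.match(line)
        if m and m.group(1) == "network-admin":
            users[user]["admin"] = True
    # A guessable password on a network-admin account is reported on the user line.
    for name, facts in users.items():
        if facts["default_pw"] and facts["admin"]:
            findings.append((facts["line"], "guessable-network-admin:" + name))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(line_no, finding)
```

The check works on commands as typed; a saved configuration may store the password in another form, so the password-equals-username finding applies to templates and command lists.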
Specifying a file server
A file server is required for faulty member replacement, device upgrade, bulk configuration file backup, and bulk configuration deployment.
To specify a file server, access the Intelligent Management > File server page and specify the file server parameters as needed.
Figure 14 Specifying a file server
Deploying VLAN settings
About this task
To facilitate batch configuration of ports and simplify device management, VLANs can be created for member devices. All access-type ports in member devices that are not connected to other member or management devices can be added to the VLAN.
Restrictions and guidelines
For access-type ports connected to offline devices, you must manually clear the offline devices before performing this operation.
If a member device successfully creates a VLAN but fails to add all qualifying ports to the VLAN, the configurations of all qualifying ports will revert to their state before VLAN creation.
The failure of VLAN creation on one member device does not affect the VLAN creation on other member devices.
Procedure
1. Access the Intelligent O&M > VLAN deployment page.
Figure 15 VLAN deployment
2. Select the operation object. Options include Members and SmartMC groups, which indicates creating VLANs for member devices and creating VLANs for SmartMC groups, respectively.
3. Select the target members or SmartMC groups, and then click Deploy VLAN in one step. In the dialog box that opens, enter the VLAN ID, and then click Certain.
Figure 16 Entering the VLAN ID
4. To view the VLAN deployment result, click View deployment result.
○ Processing—Indicates that the member device is in the process of creating a VLAN.
○ Success—Indicates that the member device has successfully created a VLAN.
○ Failure. The port xxx is not an access port—Indicates that the member device failed to create a VLAN because the port is not an access port.
○ Failure. xxx not exist—Indicates that the member device failed to create a VLAN because the port does not exist.
Figure 17 Viewing the deployment result
Deploying configurations in bulk
About this task
You can use this feature to deploy multiple configurations to member devices at once, without the need to log in to each member to configure them individually. This simplifies the configuration process and saves time. The processing flow of the function is:
· Users create a command-line batch file on the management device and edit the commands that need to be executed in bulk on the member devices.
· The management device sends the file to the member devices through a NETCONF session.
· The member devices execute the batch commands issued by the management device.
Procedure
1. Access the Intelligent O&M > Batch deployment page.
Figure 18 Batch deployment
2. Select the location where the command-line batch file is to be saved. The batch file can be stored on the Flash or a file server.
3. Create a new command-line batch file. If a batch processing file already exists on the device, proceed to the next step.
Click Create. In the Create batch file dialog box, enter the file name and configuration content. After completing the configuration, click OK to finish creating the batch configuration file. As shown in the figure below, enter the commands that the member devices need to execute in the configuration content area, with each command occupying one line. The device does not check the correctness of the commands, so when editing the commands, you must make sure they are accurate.
Figure 19 Creating a batch file
4. Select the created .cmdset batch file, and then click the Edit icon to view or edit the file.
Figure 20 Batch file list
5. On the Batch deployment page, click Deploy batch config. In the dialog box that opens, select the deployment target. If you select Members, you can enter the device ID or a list of device IDs. If you select SmartMC groups, you can select one or more SmartMC groups. Then, click Certain.
Figure 21 Deploying configurations
6. To view the command execution result on devices, click View deployment status on the Batch deployment page.
Figure 22 Viewing the deployment status
Configuring ports
About this task
The bulk configuration of ports feature is used to deploy configurations from a command-line batch file to one or more specified ports (non-OLT ports).
Restrictions and guidelines
To avoid configuration errors, make sure all the configurations in the port batch configuration file are in port view.
The content of the command-line batch file cannot exceed 8190 characters.
The device does not check the correctness of the commands in the command-line batch file, so when you edit the commands, you must make sure they are accurate.
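Because the device pushes the batch file without checking it, a pre-flight check run before upload is the only validation the file gets. The following added example (not H3C code and not part of the original page) checks a batch file against the guidelines above: the 8190-character limit, commands that would leave port view, and plaintext secrets in the file. The view-changing keyword list, the PORT_ALLOW approval list, the finding names, the sample files, and counting line breaks toward the limit are assumptions.

```python
import re

MAX_CHARS = 8190  # limit stated in the guidelines above
# Keywords that change the current view (assumed list for this example).
VIEW_CHANGING = {"system-view", "quit", "return", "interface"}
# Commands that appear on this page and carry a secret in plaintext.
SECRETS = (re.compile(r"^password simple\b"), re.compile(r"^snmp-agent community\b"))
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# Assumed local policy: first keywords a reviewer has approved for port batches.
PORT_ALLOW = {"description", "port", "poe", "stp", "shutdown", "undo"}

# Constructed samples.
GOOD_PORT_BATCH = "description camera-port\nport access vlan 20\npoe enable\nstp edged-port\n"
BAD_PORT_BATCH = (
    "system-view\n"
    "interface GigabitEthernet1/0/1\n"
    "prot access vlan 20\n"          # typo the device would not catch
    "password simple admin\n"
)


def lint_batch(text, port_mode=False, allowed=None):
    """Return (line_no, finding) pairs; line 0 means the file as a whole.

    port_mode -- flag commands that would leave port view.
    allowed   -- optional set of approved first keywords; others are flagged.
    """
    problems = []
    if len(text) > MAX_CHARS:  # assumption: line breaks count toward the limit
        problems.append((0, "too-long"))
    for n, raw in enumerate(text.split("\n"), 1):
        raw = raw.rstrip("\r")           # tolerate CRLF line endings
        line = " ".join(raw.split())
        if not line:
            continue
        if CONTROL.search(raw):
            problems.append((n, "control-character"))
        if any(p.search(line) for p in SECRETS):
            problems.append((n, "plaintext-secret"))
        keyword = line.split()[0]
        if port_mode and keyword in VIEW_CHANGING:
            problems.append((n, "leaves-port-view"))
            continue
        if allowed is not None and keyword not in allowed:
            problems.append((n, "unapproved-command"))
    return problems


if __name__ == "__main__":
    for item in lint_batch(BAD_PORT_BATCH, port_mode=True, allowed=PORT_ALLOW):
        print(item)
```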
Prerequisites
Make sure the batch file already exists before you configure ports in bulk. To create or edit a batch configuration file:
1. Access the Intelligent O&M > Batch deployment page.
Figure 23 Batch deployment
2. Select the location where the command-line batch file is to be saved. The batch file can be stored on the Flash or a file server.
3. Create a new command-line batch file. If a batch processing file already exists on the device, proceed to the next step.
Click Create. In the Create batch file dialog box, enter the file name and configuration content. After completing the configuration, click OK to finish creating the batch configuration file. As shown in the figure below, enter the commands that the member devices need to execute in the configuration content area, with each command occupying one line. The device does not check the correctness of the commands, so when editing the commands, you must make sure they are accurate.
Figure 24 Creating a batch file
4. Select the created .cmdset batch file, and then click the Edit icon to view or edit the file.
Figure 25 Batch file list
Procedure
1. Access the Visibility > Topology page. Select a device enabled with port authentication, view the device ports, and select the target ports (non-OLT ports) on the device panel at the bottom of the page.
Figure 26 Selecting ports
2. Click Configure ports. In the dialog box that opens, select the configuration file, and then click Certain.
Figure 27 Selecting a configuration file
Figure 28 Batch deployment prompt
3. View the port status. Access the Intelligent O&M > Port identification page, and click View deployment status. You can view the execution status of the configuration file deployed.
Figure 29 Port identification
View the configuration files, and click the icon in the Operation column to view the file details. Select the manual deployment method.
Figure 30 Viewing port configuration status
Figure 31 Viewing detailed port configuration status
Configuring unified wired and wireless maintenance
Unified wired and wireless maintenance integrates wired network management, basic wireless network management, and PoE power visibility functions, allowing unified management and statistics display for both the wired and wireless networks.
Configuring basic WLAN settings
Perform this task to add, delete, or modify wireless services, configure inter-AP Layer 2 isolation, and manage PoE power supply on all devices in the SmartMC network.
Prerequisites
Perform the following tasks to enable the AC function on the TM:
1. Install the feature image of the unified wired and wireless AC.
The feature image of the unified wired and wireless AC is contained in the switch software image package. When loading the feature image, make sure that the feature image version matches the switch software image version. To obtain the image of the unified wired and wireless AC, contact Technical Support.
2. Activate the feature image of the unified wired and wireless AC.
install activate feature filename&<1-30> slot slot-number [ test ]
3. Configure the feature image to remain activated after the system reboots.
install commit
4. Install licenses.
To increase the number of APs that the AC can manage, you must install licenses. For more information about installing licenses, see H3C Comware 7 and Comware 9 WLAN Products Local Licensing Guide at http://www.h3c.com/cn/home/qr/default.htm?id=607.
Restrictions and guidelines
By default, the authentication mode is PSK for created wireless services.
Procedure
1. Access the Intelligent O&M > WLAN setup page.
2. Click Add.
Figure 32 Adding a wireless service
3. Configure wireless service parameters and then click Confirm.
Figure 33 Configuring wireless service parameters
4. Click the Edit icon for the wireless service.
Figure 34 Editing a wireless service
5. Configure advanced wireless service settings as needed.
Figure 35 Configuring advanced wireless service settings
Configuring PoE power supply
1. From the left navigation pane, click Visibility.
2. To view PSE information, click the PSEs tab. You can click an action link in the Actions column to view PSE details or PDs, or configure PoE power supply.
Figure 36 Viewing PSE information
Figure 37 Viewing PSE details
Figure 38 Configuring PoE power supply
3. To view PD information, click the PDs tab.
Figure 39 Viewing PD information
Viewing the network topology and device details
You can view the network topology on the Visibility > Topology page.
To view detailed information about an AP, click Expand.
To view neighbor information about a device, double click the device icon.
Figure 40 Viewing the network topology and device details
Configuring camera monitoring
Perform this task to monitor the association and disassociation of cameras in VLANs. With this feature configured, the system displays monitored cameras on the Visibility > Topology page and refreshes camera status in real time.
Managing cameras in static mode
To manage cameras in static mode, access the Intelligent Management > Camera management page and select Static for Management mode.
On the page that opens, you must specify parameters such as MAC addresses of cameras to be monitored, and the device will monitor associations and disassociations of the cameras by matching MAC address entries.
You can manage a single camera or manage multiple cameras in one operation.
Adding cameras to monitor
To add a single camera, specify the MAC address of the camera and the VLAN in which the camera will be monitored, and then click Add.
To add multiple cameras in bulk, click Import config, and then import a configuration file that contains camera information.
Figure 41 Import cameras to monitor
Viewing all monitored cameras
To view all camera monitoring configurations, click View all config.
Figure 42 Viewing all camera monitoring configurations
Deleting cameras
You can delete a camera or multiple cameras in bulk. (Details not shown.)
Managing cameras in dynamic mode
To manage cameras in dynamic mode, access the Intelligent Management > Camera management page and select Dynamic for Management mode.
In this mode, the device uses Open Network Video Interface Forum (ONVIF) to monitor associations and disassociations of ONVIF endpoints.
Dynamic camera management supports the following features:
· ONVIF Probe—Detects ONVIF endpoints in a network proactively. To use this feature, you must enable it on the TM VLAN interface in the same VLAN as the monitored endpoints.
· ONVIF Snooping—Identifies ONVIF endpoints and monitors associations and disassociations of ONVIF endpoints. To use the feature, you must enable it on the TCs or TM to which the ONVIF endpoints are directly connected.
· ONVIF Reset—Clears information about ONVIF endpoints detected on the specified interface. After the clearing, the device can detect the ONVIF endpoints again and generate updated endpoint information.
Enabling ONVIF probe
To enable ONVIF probe and configure the probe interval, click the icon in the Operation column for a TM. With this feature enabled, the device can detect ONVIF endpoints on the subnet where the VLAN interface resides.
Figure 43 Accessing ONVIF probe configuration
Figure 44 Configuring ONVIF probe parameters
Enabling ONVIF snooping
To enable ONVIF snooping, click the icon in the Operation column for a device (TM or TC) to which the monitored endpoint is directly connected. With this feature enabled, the device can identify directly connected ONVIF endpoints and monitor the associations and disassociations of these endpoints.
Figure 45 ONVIF snooping configuration
Figure 46 Enabling ONVIF snooping
(Optional) Configuring ONVIF reset
To clear information about endpoints detected on an interface through ONVIF, click the ONVIF Reset tab, select the device and interface, and click OK. After the clearing, the device can detect the ONVIF endpoints again.
Figure 47 Configuring ONVIF reset
Viewing cameras in the topology
You can access the Visibility > Topology page to view monitored cameras in the topology.
Figure 48 Viewing cameras in the topology
To view detailed information about monitored cameras, click View camera information.
Figure 49 Viewing detailed camera information
Configuring audio and video monitoring
Perform this task to monitor audio and video sessions for multimedia traffic. You can configure SIP-based service quality analysis (SQA) on devices one by one from the CLI or configure SIP-based SQA for multiple devices in bulk from the Web interface.
Configuring SQA
Configuring SQA on a single device from the CLI
You must perform this task on both the commander and members.
To configure SQA on a single device:
1. Enter system view.
system-view
2. Enter SQA view.
sqa
3. Enable SIP-based SQA.
sqa-sip enable
By default, SIP-based SQA is disabled.
4. (Optional.) Specify the SIP listening port number.
sqa-sip port port-number
By default, the SIP listening port number is 5060.
Make sure the SIP listening port number on the device is the same as that on the SIP server.
5. (Optional.) Specify an IP address range for SIP-based SQA.
sqa-sip filter address start-address end-address
By default, no IP address range is specified for SIP-based SQA. The device performs SQA on all SIP packets.
After this command is executed, the device performs SQA only on SIP calls in the specified IP address range.
Configuring SQA on multiple devices from the Web interface
1. Create configuration file Config.cfg and save the file to the file server. The content of the configuration file must contain the following commands:
<FTP Server> more Config.cfg
system-view
sqa
sqa-sip enable
sqa-sip port 5066
sqa-sip filter address 192.168.56.1 192.168.56.244
2. Access the Intelligent O&M > Batch deployment page, select the file server as the batch file storage location, and select Config.cfg from the file list.
3. Click Deploy batch config.
4. Select Members as the deployment object, specify the member ID range, and then click Confirm.
Figure 50 Deploying a batch configuration file
5. Click View deployment status to verify the deployment result.
To view deployment details, click the right chevron icon.
Figure 51 Viewing the deployment status
Viewing audio and video monitoring information
You can access the Visibility > Audio and video monitoring page to view detailed information about audio and video monitoring and identify session quality based on the uplink and downlink MOS values.
Figure 52 Viewing audio and video monitoring information
NOTE:
The device whose TC ID is 0 is the commander.
A higher MOS value represents a higher session quality. MOS values are in the range of 0 to 5.
· 0 to 1—Extremely poor session quality.
· 1 to 2—Poor session quality.
· 2 to 3—Average session quality.
· 3 to 4—Good session quality.
· 4 to 5—Excellent session quality.
· N/A—The system fails to obtain the MOS value.
Automatic endpoint identification
When an endpoint accesses the network, a TM or TC obtains fingerprint information from the authentication request of an endpoint and matches the fingerprint with the endpoint identification rules. If a match is found, the device considers that the endpoint is online, records the MAC address, endpoint category, and vendor of the endpoint, and sends the information to the TM for unified display. Devices that support automatic endpoint identification are mobile phones, tablets, laptops, and routers.
The following fingerprint types are supported:
· DHCP Option 55 fingerprint—Parameter request list option. The option is used by an endpoint to request specified configuration parameters. To use this fingerprint, enable DHCP snooping entries on the access interface of endpoints and configure the access interface as a trusted port.
· HTTP user agent fingerprint—Located in the header of HTTP requests to carry information about the endpoint operating system, Web browser, and versions. To use this fingerprint, enable portal authentication on the access interface of endpoints.
· MAC address fingerprint—MAC address of the endpoint or MAC address range to which the endpoint belongs.
The device matches fingerprint information for an endpoint in the following order:
· DHCP Option 55 fingerprint.
· HTTP user agent fingerprint.
· MAC address fingerprint.
Static camera management takes priority over automatic endpoint identification. If an endpoint matches the static mode camera management function (that is, it matches an EPA endpoint static identification rule), the device uses the endpoint information determined by that function. For more information about static camera management, see "Managing cameras in static mode."
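The matching order described above, as an added example that is not H3C code and not part of the original page: it extracts the Option 55 parameter request list from a DHCP message and then applies static rules first, followed by DHCP Option 55, HTTP user agent, and MAC address fingerprints. The fingerprint value formats (comma-separated option codes, user agent substring, MAC prefix), the library entries, and the sample packet are constructed assumptions.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"

# Constructed fingerprint library and static rule; not real device data.
FINGERPRINTS = [
    {"type": "dhcp55", "value": "1,3,6,15,119,252", "category": "laptop", "vendor": "ExampleCo"},
    {"type": "http-ua", "value": "ExamplePhoneOS", "category": "mobile phone", "vendor": "ExampleCo"},
    {"type": "mac", "value": "00:00:5e:00:53", "category": "router", "vendor": "ExampleNet"},
]
STATIC_RULES = {"00:00:5e:00:53:0a": "camera"}
ORDER = ("dhcp55", "http-ua", "mac")  # order stated on this page


def build_discover(mac, params):
    """Build a minimal DHCPDISCOVER payload (constructed sample input)."""
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(4)  # op..flags
    header += bytes(16) + mac + bytes(10) + bytes(192)             # addrs, chaddr, sname, file
    options = bytes([53, 1, 1, 55, len(params)]) + bytes(params) + b"\xff"
    return header + DHCP_MAGIC + options


def parse_dhcp(payload):
    """Return (client MAC, Option 55 as 'a,b,c' or None) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    if payload[1] != 1 or payload[2] != 6:
        raise ValueError("not an Ethernet client address")
    mac = payload[28:34].hex(":")
    i, prl = 240, None
    while i < len(payload):
        code = payload[i]
        if code == 255:        # End option
            break
        if code == 0:          # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 55:
            prl = ",".join(str(b) for b in value)
        i += 2 + length
    return mac, prl


def _matches(ftype, value, observed):
    if ftype == "dhcp55":
        return observed == value
    if ftype == "http-ua":
        return value.lower() in observed.lower()
    return observed.startswith(value.lower())   # MAC prefix


def identify(mac, prl=None, user_agent=None,
             fingerprints=FINGERPRINTS, static_rules=STATIC_RULES):
    """Return (matched_by, category), or (None, None) when nothing matches.

    Every input here is supplied by the endpoint itself, so a match classifies
    a device for display; it does not authenticate it.
    """
    mac = mac.lower().replace("-", ":")
    if mac in static_rules:                      # static rules win
        return ("static", static_rules[mac])
    observed = {"dhcp55": prl, "http-ua": user_agent, "mac": mac}
    for ftype in ORDER:
        if observed[ftype] is None:
            continue
        for fp in fingerprints:
            if fp["type"] == ftype and _matches(ftype, fp["value"], observed[ftype]):
                return (ftype, fp["category"])
    return (None, None)


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("02aabbccdd01"), [1, 3, 6, 15, 119, 252])
    mac, prl = parse_dhcp(pkt)
    print(mac, prl, identify(mac, prl, "Mozilla/5.0 (ExamplePhoneOS 1.0)"))
```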
Identifying an endpoint through DHCP Option 55 fingerprint
As a best practice, connect endpoints to TCs in the SmartMC network. Configure the TM interface to act as the DHCP server and enable DHCP snooping on TCs. After an endpoint comes online through DHCP, the corresponding TC can identify the endpoint by using the DHCP Option 55 fingerprint.
Configuring the TM interface to act as the DHCP server
1. Enter system view of the TM.
system-view
2. (Optional.) Specify IP addresses excluded from automatic address allocation.
dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
By default, all IP addresses in the DHCP address pool, except for the IP address of the DHCP server interface, are available for automatic address allocation.
3. Create a DHCP address pool and enter its view.
dhcp server ip-pool pool-name
4. Specify the subnet for dynamic allocation in the DHCP address pool.
network network-address [ mask-length | mask mask ]
By default, no subnet is specified in a DHCP address pool.
5. (Optional.) Set the lease duration in the DHCP address pool.
expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
By default, the lease duration is 1 day.
6. Return to system view.
quit
7. Enable DHCP.
dhcp enable
By default, DHCP is disabled.
Enabling DHCP snooping on the TC globally
1. Enter system view of the TC.
system-view
2. Enable DHCP snooping globally.
dhcp snooping enable
By default, DHCP snooping is disabled.
3. Enter interface view.
interface interface-type interface-number
Specify the interface connected to endpoints.
4. Specify the port as a trusted port.
dhcp snooping trust
By default, all ports are untrusted after DHCP snooping is enabled.
Identifying an endpoint through HTTP user agent fingerprint
As a best practice, connect endpoints to TCs in the SmartMC network. Enable portal authentication on the TC. After an endpoint comes online through portal authentication, the corresponding TC can identify the endpoint by using the HTTP user agent fingerprint.
To configure portal authentication for automatic endpoint identification through HTTP user agent fingerprint:
1. Enter system view of a TC.
system-view
2. Create an ISP domain and enter its view.
domain isp-name
By default, an ISP domain named system exists.
3. (Optional.) Specify the default authentication method for the current ISP domain as local.
authentication default local
By default, the default authentication method for an ISP domain is local.
4. Enable local portal authentication.
authentication portal local
By default, the default authentication method in the current ISP domain is used.
5. Configure local portal authorization.
authorization portal local
By default, the default authorization method in the ISP domain is used.
6. Configure local portal accounting.
accounting portal local
By default, the default accounting method in the ISP domain is used.
7. Return to system view.
quit
8. Create a portal Web server and enter its view.
portal web-server server-name
9. Specify a URL for the portal Web server.
url url-string
By default, no URL is specified for the portal Web server.
10. Return to system view.
quit
11. Enter interface view.
interface interface-type interface-number
12. Configure direct portal authentication.
portal enable method direct
By default, portal authentication is disabled on an interface.
13. Apply a portal Web server.
portal apply web-server server-name
By default, no portal Web server is applied.
14. Return to system view.
quit
15. Return to user view.
quit
16. Obtain an authentication page file from the TFTP server.
tftp tftp-server get source-filename
17. Enter system view.
system-view
18. Enable the HTTP-based local portal Web service.
portal local-web-server http
19. Specify the default authentication page file for a local portal Web service. For the feature to take effect, make sure the authentication page file already exists in the root directory of the storage medium on the device.
default-logon-page file-name
20. (Optional.) Specify the listening port for the HTTP-based local portal Web service.
tcp-port port-number
By default, the number of the listening port is 80.
Configuring fingerprints on a TM
A fingerprint entry records a set of fingerprint information, including the fingerprint type, fingerprint value, endpoint type, endpoint category, endpoint vendor, and endpoint OS. The TM is predefined with some common fingerprints and you can add fingerprints based on network requirements.
To add a fingerprint, access the Intelligent Management > Fingerprint management page and then click Add.
Figure 53 Accessing fingerprint management
Figure 54 Adding a fingerprint
For an online endpoint, if the fingerprint information of the endpoint in the fingerprint library is modified, the updated fingerprint information will take effect after the SmartMC management or member device recognizes the endpoint upon its next access.
Viewing online clients
To view access client information, access the Visibility > Access endpoints page and then click Endpoint identification enabling. After endpoint identification is enabled, when an endpoint accesses the SmartMC network, the TC compares the endpoint information with the configured endpoint fingerprints. If a match is found, the TC records the MAC address, category, and vendor of the endpoint, and sends the endpoint information to the TM for unified display.
Figure 55 Viewing online clients
Health degree
The SmartMC network management platform offers a health check feature, where administrators can enable the health analysis function for all member devices of the SmartMC network or for specified ones. After the health analysis function is enabled, it automatically calculates the health status of devices every 30 minutes and presents the calculated device health status in a graphical form, allowing administrators to quickly and intuitively understand the condition of devices.
Based on industry consensus and operational experience, devices use certain key parameters to reflect their operating status, which are called Key Performance Indicators (KPIs). Devices collect KPI data periodically and convert it into a health score according to certain rules to reflect whether the device is operating normally. A good health score indicates that the device is in good condition. A poor health score suggests that the device might be experiencing abnormalities. Users can further analyze and pinpoint faults based on the detailed health data.
Enabling or disabling health analysis
After enabling the health analysis function for a device, you can view the device health status through the health summary, environmental health details, capacity health details, performance health details, and status health details pages.
Prerequisites
The health analysis function of SmartMC requires data provided by the Key Performance Indicator (KPI) module. For the normal operation of SmartMC's health analysis function, complete the KPI data collection configuration first. By default, all service modules on the device that support KPI data collection have the KPI data collection function enabled.
For more information about KPI data collection configuration, see KPI data collection configuration in Intelligent O&M Configuration Guide.
Procedure
By default, the health analysis function of the device is disabled. Select Visibility from the navigation pane, and click the Health Analysis Configuration tab. On the health analysis configuration page, you can enable the device's health analysis function in the following two ways (with the most recent configuration taking effect in case of multiple configurations):
1. Enable network-wide health analysis.
Click Refresh to refresh the list of devices, and select Enable to enable the network-wide health analysis function for all devices in the SmartMC network.
2. Enable health analysis for specific devices.
Click Refresh to refresh the list of devices. Select the target devices, click Enable Health Analysis.
Figure 56 Enabling health analysis
3. Disable network-wide health analysis.
Click Refresh to refresh the list of devices, and select Disable to disable the network-wide health analysis function for all devices in the SmartMC network.
4. Disable health analysis for specific devices.
Click Refresh to refresh the list of devices. Select the target devices, click Disable Health Analysis.
Viewing health status
From the left navigation pane, select Visibility and click the Health Degree tab. You can select an item from the Device ID field to display the health status of the entire network or a specific device.
Network-wide health overview
If you select Network-Wide, the page displays the network-wide health overview. This page shows the overall health status of the SmartMC network, including health level, health score, and health distribution.
Figure 57 Network-wide health overview
Click a time period in the top right corner of the line chart to view the health scores recorded by the device for a specified time period within the last seven days.
Figure 58 Specifying a custom time period
Single-device health overview
If you select a specific device, the page displays the single device health overview. At the same time, the Environmental Health, Capacity Health, Performance Health, and Status Health tabs will also display the details for that particular device.
On the Health Overview tab:
· The Health Overview section displays the health score and corresponding level of the device in the form of a gauge chart. The health score of the device is equal to the proportion of normal indicator items in the total number of indicators monitored for single device health. The formula is:
Number of normal indicator items for the single device / Total number of indicator items for the single device * 100%.
· The Health Dimension section displays the health scores of the device from the environment, network, performance, and capacity aspects, represented as percentages, in the form of a radar chart. The percentage value for each dimension is the proportion of the number of normal indicator items within that dimension for the device to the total number of indicator items within the same dimension. The formula is:
Number of normal indicator items for the dimension / Total number of indicator items for the dimension * 100%.
· The Health Trend section displays the change over time of the overall health score for the device in the form of a line graph, as well as the average, maximum, and minimum values of the overall health score for the device during that time period.
· The Device Environment section provides a detailed display for the environmental health dimension. The health analysis function calculates the device environmental health rating based on the proportion of the number of normal indicator items to the total number of indicator items within that environmental dimension for the device. The formula is:
Number of normal environmental indicator items / Total number of environmental indicator items * 100%.
· The Device Environment Trend section displays the change over time of the device environmental health score in the form of a line graph.
Figure 59 Viewing the device health overview
If the device has a potential fault, you can click Potential Failures to view the details of the fault. Then, pinpoint the fault based on the question type and score presented on the failure details page.
Figure 60 Viewing potential failures
Clicking View Details allows you to view the analysis dimensions, analysis indicators, and health score. If the score is below 60 points, it indicates that the device might have a fault that requires further diagnosis.
Figure 61 Viewing health details
Viewing health details
On the health details page, you can view the health data of key indicators within the dimensions of environment, capacity, performance, and status. By selecting a device ID in the top right corner of the page, the display area will show the health details of that device. At the same time, the selected device ID will be passed to the Health Overview and other health details pages, which will also correspondingly display the details of that device.
Environment health
On the Environmental Health tab, you can view the health data for key indicators within the environmental health dimension, such as devices, interfaces, modules, fans, and power supplies.
Figure 62 Viewing the environment health status
Capacity health
On the Capacity Health tab, you can view the health data of key indicators within the capacity health dimension, such as CPU usage and memory usage.
Figure 63 Viewing the capacity health status
Performance health
On the Performance Health tab, you can view the health data for key indicators within the performance health dimension, including Layer 2 environment, port/queue congestion, port errors, softcar packet loss, and port bandwidth usage.
Figure 64 Viewing the performance health status
Status health
On the Status Health tab, you can view the health data of key indicators within the status health dimension, such as port status, routing protocol status, DHCP functionality status, attack detection service status, and illegal user detection status.
Figure 65 Viewing the status health
Exporting the health report
On any health analysis page, select a device ID from the Device ID field, then click Export Health Report in the top right corner of the page. The system will automatically export the health report of the selected device into an Excel spreadsheet. You can view the specific indicators for the device and the score for each indicator through this spreadsheet. If the score for a certain indicator is below 60 points, it indicates that an anomaly might be present with that parameter, and further diagnosis is required.
Figure 66 Health report
Port authentication
About port authentication
You can control access to network resources by configuring port authentication for devices connecting to the network. By default, port authentication on the SmartMC network is disabled, meaning that other devices can access the SmartMC network without authentication when connecting to TM or TC devices.
Port authentication supports the following authentication methods: Web authentication, 802.1X authentication, and MAC address authentication.
· Web authentication—Authenticates a user's identity with the username and password that the user enters on a Web page, to control user access. Web authentication is typically deployed at the access layer and at key data entry points that require access control. In a network that uses Web authentication, users can proactively visit a known portal Web server site for Web authentication, or they are redirected to a portal Web server site when they attempt to access any non-portal Web server site, which initiates the Web authentication process.
· 802.1X authentication—Uses the 802.1X protocol, a port-based network access control protocol, to authenticate users and devices connected to ports on LAN access equipment and to control the access of user devices to network resources.
· MAC address authentication—An authentication method that controls network access permissions for users based on ports and MAC addresses without the need for client software installation. When a device detects a user's MAC address for the first time on a port with MAC address authentication enabled, it initiates the authentication process for that user. During the authentication process, the user does not need to manually enter a username or password. A successfully authenticated user is allowed to access network resources through the port. If a user fails MAC address authentication, the user's MAC address is set as a silent MAC. During the silent period, if packets from this MAC address arrive, the device directly discards them to prevent repeated authentication attempts by illegal MACs in a short time span.
With port authentication enabled, SmartMC automatically distributes the relevant authentication configurations to the device where the port is located, and configures the device to act as both a RADIUS server and RADIUS client. For more information about port authentication configurations automatically distributed by SmartMC, see "Appendix Configurations automatically deployed by port authentication."
Restrictions and guidelines
When you configure port authentication, follow these restrictions and guidelines:
· To ensure the normal operation of port authentication, after enabling port authentication on a Layer 2 Ethernet interface of the access device, do not enable the port security feature or configure port security mode on this interface.
· The following ports do not support port authentication configuration: ports that connect member devices to each other, ports that connect management devices to member devices, OLT ports, and IRF physical ports.
· An interface does not support the configuration of multiple authentication methods. To change the authentication method for a port, first remove the configured authentication method and then configure the new method.
· Configuring port authentication on a large number of ports at once takes a significant amount of time. As a best practice, configure port authentication for them in batches.
· Before using the SmartMC port authentication feature, make sure IP address 1.1.1.1 is not in use to avoid IP address conflicts, which could lead to authentication failure.
· Before using the port authentication feature, make sure the RADIUS schemes named rs1, rs2, and rs3 are not in use to avoid conflicts with RADIUS schemes, which could lead to authentication failure.
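A pre-deployment check for the restrictions above, as an added example that is not H3C's code: it scans a configuration saved before port authentication is enabled for the reserved address 1.1.1.1, the scheme names rs1 to rs3, and port security or an existing authentication method on the ports you plan to select. The configuration layout (unindented section headers, indented sub-commands, `#` separators), the `port-security` line prefix, and the sample configuration are assumptions constructed for illustration.

```python
import re

RESERVED_IP = "1.1.1.1"                    # address the page says SmartMC uses
RESERVED_SCHEMES = {"rs1", "rs2", "rs3"}   # RADIUS scheme names the page says SmartMC uses
# Interface command that marks each method as enabled, taken from the page's appendix.
AUTH_MARKERS = {
    "web": re.compile(r"^web-auth enable\b"),
    "mac": re.compile(r"^mac-authentication$"),
    "dot1x": re.compile(r"^dot1x$"),
}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
#
radius scheme rs2
 primary authentication 10.0.0.5
#
interface Vlan-interface10
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port-security port-mode userlogin-secure
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 mac-authentication
 mac-authentication domain dm2
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
"""


def split_sections(config_text):
    """Return {section header: [sub-commands]}.

    Assumption: headers are unindented, sub-commands are indented,
    and a line holding only '#' ends a section.
    """
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config_text, target_ports):
    """List conflicts with the port authentication restrictions on this page."""
    findings = []
    for header, body in split_sections(config_text).items():
        scheme = re.match(r"radius scheme (\S+)$", header)
        if scheme and scheme.group(1) in RESERVED_SCHEMES:
            findings.append(f"RADIUS scheme {scheme.group(1)} already exists")
        if not header.lower().startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        # The reserved address must be free on every interface, not only the targets.
        if any(re.match(rf"ip address {re.escape(RESERVED_IP)}\s", c) for c in body):
            findings.append(f"{name}: IP address {RESERVED_IP} already in use")
        if name not in target_ports:
            continue
        if any(c.startswith("port-security") for c in body):
            findings.append(f"{name}: port security configured")
        methods = sorted(m for m, rx in AUTH_MARKERS.items()
                         if any(rx.match(c) for c in body))
        if methods:
            findings.append(f"{name}: authentication already configured "
                            f"({', '.join(methods)}); remove it first")
    return findings


if __name__ == "__main__":
    ports = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}
    for line in audit(SAMPLE_CONFIG, ports):
        print(line)
```

An empty result means none of the checked conflicts were found; the unsupported port types (inter-device links, OLT ports, and IRF physical ports) still have to be excluded by hand.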
Prerequisites
Creating and activating a user
1. Access the Intelligent Services > User management page, and create and activate a user. If MAC address authentication is used, create a user with the user's MAC address as the username and password.
Figure 67 User management page
For more information about authorization VLAN, authorization ACL, expiration time, and remarks, see Security Configuration Guide.
Figure 68 Creating a user
Figure 69 Creating a user for MAC address authentication
2. Activate the user. On the User management page, select Local, click Activate, and then click Certain to activate all local users.
Figure 70 Viewing local users
Figure 71 Confirming user activation
Figure 72 Viewing activated local users
Configuring port authentication
1. Access the Intelligent Visibility > Topology page, select the target device, and view the device ports.
Figure 73 Viewing device ports
2. Select one or more ports. The selected ports are marked blue. Click Port authentication. In the dialog box that opens, select the authentication method. If you select no authentication, the system cancels authentication settings on the ports.
Figure 74 Selecting an authentication method
3. Click Certain.
Figure 75 Port authentication configuration completed
4. After the configuration, the ports are marked yellow. If you hover over a port, the system displays the port number and authentication method.
Figure 76 Viewing the topology
Verifying the configuration
For the configuration steps of the username and password used in this step, see "Creating and activating a user." For MAC address authentication, the username and password are both the MAC address of the accessing device.
Web authentication
After the configuration is complete, when a client uses a browser to access the network over HTTP or HTTPS through the specified port, the device initiates Web authentication and redirects the browser to http://1.1.1.1/portal/. The user can access the SmartMC network after entering the correct account and password.
MAC address authentication
After the configuration is complete, when a device with the specified MAC address accesses through the port, the device initiates the authentication process for that user. During authentication, the user is not required to manually enter a username or password. After being authenticated successfully, the user is allowed to access network resources through the port.
802.1X authentication
After the configuration is complete, when an 802.1X user enters the correct username and password, the user can access the SmartMC network. Client software that supports 802.1X authentication must be installed on the user's device.
Appendix Configurations automatically deployed by port authentication
After port authentication is enabled, SmartMC will automatically distribute the relevant configurations to the devices and ports where authentication has been activated. Taking the activation of the GE1/0/1 interface as an example, the configurations distributed for different authentication methods are as follows.
Configuration deployed for Web authentication
1. Specify an IP address for interface LoopBack 3.
<Device> system-view
[Device] interface loopback 3
[Device-LoopBack3] ip address 1.1.1.1 255.255.255.255
[Device-LoopBack3] quit
2. Configure the RADIUS server.
# Specify the IP address of the RADIUS client as 192.168.77.2 and set a ciphertext password.
[Device] radius-server client ip 192.168.77.2 key cipher $c$3$mHjMHiLgn93EwyFFdn3B0VsjPBmyzUw=
# Activate the current RADIUS client.
[Device] radius-server activate
3. Configure a RADIUS scheme.
# Create a RADIUS scheme named rs1 and enter its view.
[Device] radius scheme rs1
# Specify the primary authentication server and the communication password.
[Device-radius-rs1] primary authentication 192.168.77.2 key cipher $c$3$1EKfg0B/Lxfr8cNMhIsLn2AkPBT9EhA=
# Remove the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-rs1] user-name-format without-domain
[Device-radius-rs1] quit
4. Configure the authentication domain.
# Create an ISP domain named dm1 and enter its view.
[Device] domain dm1
# Configure the ISP domain to use RADIUS scheme rs1.
[Device-isp-dm1] authentication lan-access radius-scheme rs1
[Device-isp-dm1] authorization lan-access radius-scheme rs1
[Device-isp-dm1] quit
5. Configure the local portal Web service.
# Enable the local portal Web service and enter the HTTP-based local portal Web service view.
[Device] portal local-web-server http
# Specify the default authentication page file provided by the local portal Web service as defaultfile.zip. For the portal Web service to take effect, make sure the authentication page file already exists in the root directory of the device storage medium.
[Device-portal-local-websvr-http] default-logon-page defaultfile.zip
# Configure the local portal Web service to listen to TCP port 80 for HTTP services.
[Device-portal-local-websvr-http] tcp-port 80
[Device-portal-local-websvr-http] quit
6. Configure local Web authentication.
# Create a local Web server named user and enter its view.
[Device] web-auth server user
# Specify the redirect URL for the Web authentication local Web server as http://1.1.1.1/portal/.
[Device-web-auth-server-user] url http://1.1.1.1/portal/
# Specify the IP address of the local Web server as 1.1.1.1 and the port number as 80.
[Device-web-auth-server-user] ip 1.1.1.1 port 80
[Device-web-auth-server-user] quit
# Specify the authentication domain used by Web authentication users as domain dm1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] web-auth domain dm1
# Enable Web authentication and configure Web authentication to use the local Web server named user.
[Device-GigabitEthernet1/0/1] web-auth enable apply server user
[Device-GigabitEthernet1/0/1] quit
Configuration deployed for MAC address authentication
1. Configure the RADIUS server.
# Specify the IP address of the RADIUS client as 192.168.77.2 and set a ciphertext password.
[Device] radius-server client ip 192.168.77.2 key cipher $c$3$mHjMHiLgn93EwyFFdn3B0VsjPBmyzUw=
# Activate the current RADIUS client.
[Device] radius-server activate
2. Configure the system to use the RADIUS server for MAC address authentication.
# Configure the RADIUS scheme.
[Device] radius scheme rs2
[Device-radius-rs2] primary authentication 192.168.77.2 key cipher $c$3$hrZlHhTWMvw/3g/PodeD+aPLIYSWH5Q=
[Device-radius-rs2] user-name-format without-domain
[Device-radius-rs2] quit
# Specify the MAC address authentication method as PAP.
[Device] mac-authentication authentication-method pap
# Configure AAA for the ISP domain.
[Device] domain dm2
[Device-isp-dm2] authentication lan-access radius-scheme rs2
[Device-isp-dm2] authorization lan-access radius-scheme rs2
[Device-isp-dm2] quit
# Enable MAC address authentication on interface GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-authentication
[Device-GigabitEthernet1/0/1] mac-authentication domain dm2
[Device-GigabitEthernet1/0/1] quit
# Specify the ISP domain used by MAC authentication users.
[Device] mac-authentication domain dm2
# Enable MAC address authentication globally.
[Device] mac-authentication
Configuration deployed for 802.1X authentication
1. Configure the RADIUS server.
# Specify the IP address of the RADIUS client as 192.168.77.2 and set a ciphertext password.
[Device] radius-server client ip 192.168.77.2 key cipher $c$3$mHjMHiLgn93EwyFFdn3B0VsjPBmyzUw=
# Activate the current RADIUS client.
[Device] radius-server activate
2. Configure the RADIUS scheme.
# Create a RADIUS scheme named rs3 and enter its view.
[Device] radius scheme rs3
# Specify the IP address of the primary authentication server and the communication password.
[Device-radius-rs3] primary authentication 192.168.77.2 key cipher $c$3$07XPuTCBvom+Tvaj8vuSEU9RnDzID8g=
# Remove the ISP domain names from the usernames sent to the RADIUS server.
[Device-radius-rs3] user-name-format without-domain
[Device-radius-rs3] quit
3. Configure an ISP domain.
# Create an ISP domain named dm3 and enter its view.
[Device] domain dm3
# Configure 802.1X users to use RADIUS scheme rs3 for authentication and authorization.
[Device-isp-dm3] authentication lan-access radius-scheme rs3
[Device-isp-dm3] authorization lan-access radius-scheme rs3
[Device-isp-dm3] quit
4. Configure 802.1X authentication.
# Enable 802.1X authentication on interface GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
# Set the port 802.1X access control mode to MAC-based. This configuration is optional, as the port access control is MAC address-based by default.
[Device-GigabitEthernet1/0/1] dot1x port-method macbased
# Specify a mandatory domain for 802.1X users that come online from the interface.
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain dm3
# Disable the 802.1X unicast triggering feature.
[Device-GigabitEthernet1/0/1] undo dot1x unicast-trigger
[Device-GigabitEthernet1/0/1] quit
# Enable 802.1X globally.
SmartMC feature specifications
| Item | Value |
| --- | --- |
| Maximum number of supported members | Varies by device model |
| Maximum number of supported APs | Same as the number supported by the unified wired and wireless AC on the commander |
| Maximum number of supported camera monitoring rules | 512 |
| Maximum number of supported SIP sessions on the commander or a member | 1000 |
| Maximum number of devices supported by the management device for health monitoring | 256 |
SmartMC restrictions and guidelines
As a best practice, use the automatic method to deploy the SmartMC network.
To use PoE, make sure the deployed devices are PoE-capable.
A SmartMC network is established in VLAN 1. For the network to work correctly, do not configure security settings in VLAN 1.
Recommended devices for SmartMC
The table below lists only some models. More devices will support this function in the future. For detailed information on device compatibility with SmartMC, see the configuration guides and command references for the corresponding device.
| Device model | TM | TC | Recommended version | Remarks |
| --- | --- | --- | --- | --- |
| S6520-SI | Supported | Supported | F6509L01 or higher | · Dynamic camera monitoring (ONVIF) is supported only in F6615 and higher versions. · Unified wired and wireless ACs and basic WLAN settings are supported only in R6522 and higher versions. · Health degree is supported only in R6652P02 and later versions. |
| S6520X-SI | Supported | Supported | | |
| S6520X-EI | Supported | Supported | | |
| S6520X-HI | Supported | Supported | | |
| S5560X-30F-HI S5560X-54F-HI | Supported | Supported | R6530P01 or higher | |
| S5560X-34C-HI S5560X-58C-HI | Supported | Supported | R6615P03 or higher | |
| MS4600 | Supported | Supported | F6509L01 or higher | · Dynamic camera monitoring (ONVIF) and automatic endpoint identification are supported only in R6615P03 and higher versions. · Unified wired and wireless ACs and basic WLAN settings are supported only in R6522 and higher versions. · The series devices do not support health degree. |
| S5000-EI | Supported | Supported | F6509L01 or higher | |
| S5560X-EI | Supported | Supported | F6509L01 or higher | · Dynamic camera monitoring (ONVIF) and automatic endpoint identification are supported only in F6615 and higher versions. · Unified wired and wireless ACs and basic WLAN settings are supported only in F6512P01 and higher versions. · Health degree is supported only in R6652P02 and later versions. |
| MS4520V2-30F | Supported | Supported | F6509L01 or higher | · Dynamic camera monitoring (ONVIF) and automatic endpoint identification are supported only in R6615P03 and higher versions. · Unified wired and wireless ACs and basic WLAN settings are supported only in F6512P01 and higher versions. · The series devices do not support health degree. |
| MS4520V2-30C MS4520V2-54C | Supported | Supported | R6510P01 or higher | |
| S5500V2-EI | Supported | Supported | F6509L01 or higher | |
| S5560S-EI | Supported | Supported | R6318P01 or higher | · Devices of these series do not support SIP-based SQA. · Devices of these series do not support unified wired and wireless ACs and basic WLAN settings. · Static camera management and automatic endpoint identification are supported only in R6328 and higher versions. · Dynamic camera monitoring (ONVIF) is supported only on S5130S-EI series switches of R6338 and higher versions. · The series devices do not support health degree. · Devices of these series can act as TMs. As a best practice, configure device roles as recommended. |
| S5560S-SI | Supported | Supported | | |
| S5500V3-SI | Supported | Supported | | |
| MS4520V2 | Supported | Supported | | |
| S5130S-HI | Not supported | Supported | | |
| S5130S-EI | Not supported | Supported | | |
| S5130S-SI | Not supported | Supported | | |
| MS4320V2 | Not supported | Supported | | |
| MS4320 | Not supported | Supported | | |
| MS4300V2 | Not supported | Supported | | |
| MS4200 | Not supported | Supported | | |
| S5130S-LI | Not supported | Supported | | |
| S5120V2-SI | Not supported | Supported | | |
| S5120V2-LI | Not supported | Supported | | |
| E128C[E152C] | Not supported | Supported | | |
| E500C | Not supported | Supported | | |
| E500D | Not supported | Supported | | |
| S5110V2 | Not supported | Supported | | |
| S5110V2-SI | Not supported | Supported | | |
| S5000V3-EI | Not supported | Supported | | |
| S5000E-X | Not supported | Supported | | |
| S3100V3-EI | Not supported | Supported | | |
| S3100V3-SI | Not supported | Supported | | |
| S1850-X | Not supported | Supported | | |
| S5000V5-EI | Not supported | Supported | Release 6319P01 or higher | |
| S5120V3-SI | Not supported | Supported | R6329 or higher | |
| S5120V3-LI | Not supported | Supported | R6329 or higher | |
| S5000X-EI | Not supported | Supported | R6329 or higher | |
| S1850V2-X | Not supported | Supported | R6329 or higher | |
| MS4320V3 | Not supported | Supported | R6329 or higher | |
| S1850V2-EI | Not supported | Supported | R6330 or higher | |
| E500C-F | Not supported | Supported | R6338 or higher | |
| US500S | Supported | Supported | R3507P09 or higher | |
| US300S | Not supported | Supported | R8305 or higher | |
| S5130V2-LI | Supported | Supported | R3507P12 or higher | |
| S5130V2-SI | Supported | Supported | R3507P12 or higher | |
| S12500-S series | Supported | Supported | See the actual product | |
| S12500-XS series | Supported | Supported | | |
| S12500G-AF series | Supported | Supported | | |
| S10500 series | Supported | Supported | | |
| S10500X series | Supported | Supported | | |
| S7600 series | Supported | Supported | | |
| S7600E-X series | Supported | Supported | | |
| S7500E series | Supported | Supported | | |
| S7500E-X series | Supported | Supported | | |
| S7500X-X series | Supported | Supported | | |
| S7500E-XS series | Supported | Supported | | |
| S10500X-G series | Supported | Supported | | |
| S7500X-G series | Supported | Supported | | |
| S7000X series | Supported | Supported | | |
| S5590XP-HI-G series | Supported | Supported | | |
| S6520X-EI-G series | Supported | Supported | | |
| S6520XP-EI-G series | Supported | Supported | | |
| S5560-EI-G series | Supported | Supported | | |