Example for Configuring SVF to Deploy a Wired Campus Network Access Layer (S6720-EI as the Parent)
Networking Requirements
A new wired campus network has many access devices. The widely distributed access devices complicate management and configuration of the access layer. Unified management and configuration of access devices are required to reduce the management cost.
As shown in Figure 1, two aggregation switches set up a CSS and function as the parent to connect to multiple ASs.
In this example, the S6720-30C-EI-24S-AC functions as the parent, the S5720-28P-LI-AC functions as a level-1 AS.
Configuration Roadmap
Configure the parent as a stack system to ensure high reliability of the SVF system.
Enable the SVF function on the parent.
Configure AS access parameters, including the AS name, authentication mode, and fabric ports that connect the parent to level-1 ASs.
Connect the parent to level-1 ASs using cables.
Configure service profiles and bind them to ASs.
Procedure
- Configure two switches in the parent to set up a stack and then change the stack to the parent mode.
# For the procedure and notes for configuring a stack, see Stack Configuration in the Ethernet Fixed Switches Configuration Guide - Device Management Configuration.
# Log in to the stack and change it to the parent mode.
<HUAWEI> system-view [HUAWEI] as-mode disable Warning: Switching the AS mode will clear current configuration and reboot the system. Continue? [Y/N]:y
If the S5732-H24UM2CC, S5732-H48UM2CC, S6730-S, S6730S-S, S6720-SI, S6720S-SI, S6720-EI, and S6720S-EI function as the parent, change the working mode of the switch to the parent mode first. By default, a switch works in AS mode. The configured working mode takes effect after the switch restarts.
- Log in to the stack system and enable the SVF function.
# Configure the management VLAN in the SVF system and enable the SVF function on the parent.
[HUAWEI] vlan batch 11 [HUAWEI] dhcp enable [HUAWEI] interface vlanif 11 [HUAWEI-Vlanif11] ip address 192.168.11.1 24 [HUAWEI-Vlanif11] dhcp select interface [HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1 [HUAWEI-Vlanif11] quit [HUAWEI] capwap source interface vlanif 11 [HUAWEI] stp mode rstp [HUAWEI] uni-mng Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue? [Y/N]:y
- Configure AS access parameters.# (Optional) Configure a name for each AS.
- If you do not perform this step, the system will generate AS device information when ASs connect to the SVF system. An AS name is in the format of system default name-system MAC address.
- If you need to perform this step, ensure that the configured model and mac-address parameters are consistent with the actual AS information. The value of mac-address must be the AS management MAC address or system MAC address. To view the AS management MAC address, run the display as access configuration command on the AS. If the management MAC displays --, the value of mac-address is the system MAC address. If the configured parameters are inconsistent with the actual AS information, the AS cannot go online.
[HUAWEI-um] as name as1 model S5720-28P-LI-AC mac-address 0200-0000-0011 [HUAWEI-um-as-as1] quit [HUAWEI-um] as name as2 model S5720-28P-LI-AC mac-address 0200-0000-0022 [HUAWEI-um-as-as2] quit [HUAWEI-um] as name as3 model S5720-28P-LI-AC mac-address 0200-0000-0033 [HUAWEI-um-as-as3] quit
# Configure fabric ports that connect the parent to level-1 ASs. The following uses fabric port 1 that connects the parent to AS 1 as an example.
[HUAWEI-um] interface fabric-port 1 [HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1 [HUAWEI-um-fabric-port-1] quit [HUAWEI-um] quit [HUAWEI] interface xgigabitethernet 1/0/1 [HUAWEI-XGigabitEthernet1/0/1] eth-trunk 1 [HUAWEI-XGigabitEthernet1/0/1] quit [HUAWEI] interface xgigabitethernet 2/0/1 [HUAWEI-XGigabitEthernet2/0/1] eth-trunk 1 [HUAWEI-XGigabitEthernet2/0/1] quit
# Configure ASs to be authenticated using a whitelist when they connect to the SVF system.
To view the AS management MAC address, run the display as access configuration command on the AS. If the management MAC displays --, the MAC address configured in the whitelist is the AS system MAC address. Otherwise, the MAC address configured in the whitelist is the AS management MAC address.
[HUAWEI] as-auth [HUAWEI-as-auth] undo auth-mode [HUAWEI-as-auth] whitelist mac-address 0200-0000-0011 [HUAWEI-as-auth] whitelist mac-address 0200-0000-0022 [HUAWEI-as-auth] whitelist mac-address 0200-0000-0033 [HUAWEI-as-auth] quit
- Connect the parent to level-1 ASs using cables.# Run the reset saved-configuration command to clear the configurations of ASs, restart the ASs, and then connect the parent to level-1 ASs using cables. Subsequently, an SVF system is set up.
- Before restarting an AS, check whether the port that connects this AS to the parent is a downlink port. You can run the display port connection-type access all command on this AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-direction fabric-port command on this AS to configure this port as an uplink port before restarting this AS. Otherwise, this AS cannot go online.
- Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the console port.
# After connecting cables, run the display as all command to check whether ASs have connected to the SVF system.
[HUAWEI] display as all Total: 3, Normal: 3, Fault: 0, Idle: 0, Version mismatch: 0 -------------------------------------------------------------------------------- No. Type MAC IP State Name -------------------------------------------------------------------------------- 0 S5720-P-LI 0200-0000-0011 192.168.11.254 normal as1 1 S5720-P-LI 0200-0000-0022 192.168.11.253 normal as2 2 S5720-P-LI 0200-0000-0033 192.168.11.252 normal as3 --------------------------------------------------------------------------------When the State field in the command output displays normal for an AS, the AS has connected to the SVF system.
- Configure service profiles and bind them to ASs.# Configure an AS administrator profile and bind it to all ASs.
[HUAWEI] uni-mng [HUAWEI-um] as-admin-profile name admin_profile [HUAWEI-um-as-admin-admin_profile] user asuser password hello@123 [HUAWEI-um-as-admin-admin_profile] quit [HUAWEI-um] as-group name admin_group [HUAWEI-um-as-group-admin_group] as name-include as [HUAWEI-um-as-group-admin_group] as-admin-profile admin_profile [HUAWEI-um-as-group-admin_group] quit
# Configure network basic profiles and bind them to AS ports.[HUAWEI-um] network-basic-profile name basic_profile_1 [HUAWEI-um-net-basic-basic_profile_1] user-vlan 10 [HUAWEI-um-net-basic-basic_profile_1] quit [HUAWEI-um] port-group name port_group_1 [HUAWEI-um-portgroup-port_group_1] as name as1 interface all [HUAWEI-um-portgroup-port_group_1] as name as2 interface all [HUAWEI-um-portgroup-port_group_1] as name as3 interface all [HUAWEI-um-portgroup-port_group_1] network-basic-profile basic_profile_1 [HUAWEI-um-portgroup-port_group_1] quit [HUAWEI-um] quit
# Configure a user access profile and bind it to all AS ports.[HUAWEI] dot1x-access-profile name 1 [HUAWEI-dot1x-access-profile-1] quit [HUAWEI] authentication-profile name dot1x_auth [HUAWEI-authen-profile-dot1x_auth] dot1x-access-profile 1 [HUAWEI-authen-profile-dot1x_auth] quit [HUAWEI] uni-mng [HUAWEI-um] user-access-profile name access_profile [HUAWEI-um-user-access-access_profile] authentication-profile dot1x_auth [HUAWEI-um-user-access-access_profile] quit [HUAWEI-um] port-group name port_group_1 [HUAWEI-um-portgroup-port_group_1] user-access-profile access_profile [HUAWEI-um-portgroup-port_group_1] quit
# Commit the configuration to deliver the configurations in service profiles to ASs.
[HUAWEI-um] commit as all Warning: Committing the configuration will take a long time. Continue?[Y/N]: y# Run the display uni-mng commit-result profile command to check whether the configurations in service profiles have been delivered to ASs.
[HUAWEI-um] display uni-mng commit-result profile Result of profile: -------------------------------------------------------------------------------- AS Name Commit Time Commit/Execute Result -------------------------------------------------------------------------------- as1 2015-08-25 22:29:18 Success/Success as2 2015-08-25 22:29:18 Success/Success as3 2015-08-25 22:29:20 Success/Success --------------------------------------------------------------------------------When the Commit/Execute Result field in the command output displays Success/Success for an AS, the configurations in service profiles have been delivered to the AS.
Configuration Files
SVF system configuration file
# vlan batch 11 # stp mode rstp stp instance 0 priority 28672 # authentication-profile name dot1x_auth dot1x-access-profile 1 # lldp enable # dhcp enable # interface Vlanif11 ip address 192.168.11.1 255.255.255.0 dhcp select interface dhcp server option 43 ip-address 192.168.11.1 # interface Eth-Trunk1 port link-type hybrid port hybrid tagged vlan 1 10 to 11 stp root-protection stp edged-port disable mode lacp mad relay # interface Eth-Trunk2 port link-type hybrid port hybrid tagged vlan 1 10 to 11 stp root-protection stp edged-port disable mode lacp mad relay # interface Eth-Trunk3 port link-type hybrid port hybrid tagged vlan 1 11 20 stp root-protection stp edged-port disable mode lacp mad relay # interface XGigabitEthernet1/0/1 eth-trunk 1 # interface XGigabitEthernet1/0/2 eth-trunk 2 # interface XGigabitEthernet1/0/3 eth-trunk 3 # interface XGigabitEthernet2/0/1 eth-trunk 1 # interface XGigabitEthernet2/0/2 eth-trunk 2 # interface XGigabitEthernet2/0/3 eth-trunk 3 # capwap source interface vlanif11 # as-auth whitelist mac-address 0200-0000-0011 whitelist mac-address 0200-0000-0022 whitelist mac-address 0200-0000-0033 # uni-mng as name as1 model S5720-28P-LI-AC mac-address 0200-0000-0011 as name as2 model S5720-28P-LI-AC mac-address 0200-0000-0022 as name as3 model S5720-28P-LI-AC mac-address 0200-0000-0033 interface fabric-port 1 port member-group interface Eth-Trunk 1 interface fabric-port 2 port member-group interface Eth-Trunk 2 interface fabric-port 3 port member-group interface Eth-Trunk 3 as-admin-profile name admin_profile user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%# network-basic-profile name basic_profile_1 user-vlan 10 user-access-profile name access_profile authentication-profile dot1x_auth as-group name admin_group as-admin-profile admin_profile as name as1 as name as2 as name as3 port-group name port_group_1 network-basic-profile basic_profile_1 user-access-profile access_profile as name as1 interface GigabitEthernet 0/0/1 to 0/0/24 as name as2 interface GigabitEthernet 0/0/1 to 0/0/24 as name as3 interface GigabitEthernet 0/0/1 to 0/0/24 # dot1x-access-profile name 1 # return