Example for Configuring an SVF System Across a Layer 2 Network on a Wired Campus Network Access Layer (S12700 as the Parent)

Networking Requirements

A new wired campus network has many access devices. The widely distributed access devices complicate management and configuration of the access layer. Unified management and configuration of access devices are required to reduce the management cost.

As shown in Figure 1, two aggregation switches set up a CSS, which then functions as the parent to connect to multiple ASs.

In this example, the S12700 functions as the parent, and S5720-28P-SI-AC and S5720-12TP-LI-AC function as ASs.

The administrator needs to ensure that the downlink fabric port of the parent and the intermediate Layer 2 network are correctly configured, the SVF management VLAN and service VLAN between the parent and AS are correctly connected, and the intermediate network transparently transmits data traffic between the parent and AS. Therefore, the intermediate network must be a pure Layer 2 network.

Figure 1 Configuring an SVF system across a Layer 2 network on a wired campus network access layer

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure the parent as a CSS to ensure high reliability of the SVF system.

  2. Enable the SVF function on the parent.

  3. Configure AS access parameters on the parent, including the AS name, authentication mode, and fabric port that connects the parent to an AS.

    If the parent connects to multiple devices on the Layer 2 intermediate network, configure a separate fabric port on the parent for each intermediate device and bind each fabric port to a different Eth-Trunk. If the parent connects to only one device on the Layer 2 intermediate network, configure only one fabric port on the parent and bind it to one Eth-Trunk. In this example, if the parent connects to only one device on the Layer 2 intermediate network, you need to configure only one fabric port (Fabric-port1) on the parent and bind it to one Eth-Trunk (Eth-Trunk1).

  4. Configure an uplink fabric port that connects an AS to the parent.

  5. Connect the parent and ASs to the Layer 2 network using cables. Clear the configurations of ASs and restart the ASs.

  6. Configure service profiles and bind them to ASs.

Procedure

  1. Configure two switches in the parent to set up a CSS.
  2. Log in to the CSS and enable the SVF function.

    # Configure the management VLAN in the SVF system and enable the SVF function on the parent.

    <HUAWEI> system-view
    [HUAWEI] vlan batch 11
    [HUAWEI] dhcp enable
    [HUAWEI] interface vlanif 11
    [HUAWEI-Vlanif11] ip address 192.168.11.1 24
    [HUAWEI-Vlanif11] dhcp select interface
    [HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
    [HUAWEI-Vlanif11] quit
    [HUAWEI] capwap source interface vlanif 11
    [HUAWEI] stp mode rstp
    [HUAWEI] uni-mng
    Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be triggered and service traffic will be affected. Continue? [Y/N]:y

  3. Configure AS access parameters on the parent.

    # (Optional) Configure a name for each AS.
    • If you do not perform this step, the system will generate AS device information when ASs connect to the SVF system. An AS name is in the format of system default name-system MAC address.
    • If you need to perform this step, ensure that the configured model and mac-address parameters are consistent with the actual AS information. The value of mac-address must be the AS management MAC address or system MAC address. To view the AS management MAC address, run the display as access configuration command on the AS. If the management MAC displays --, the value of mac-address is the system MAC address. If the configured parameters are inconsistent with the actual AS information, the AS cannot go online.
    [HUAWEI-um] as name as1 model S5720-28P-SI-AC mac-address 0200-0000-0011
    [HUAWEI-um-as-as1] quit
    [HUAWEI-um] as name as2 model S5720-12TP-LI-AC mac-address 0200-0000-0022
    [HUAWEI-um-as-as2] quit
    # Configure fabric ports that connect the parent to ASs.

    The Eth-Trunk working mode configuration must be consistent on the member port in the indirectly connected fabric port of the parent and the Layer 2 network port connected to the member port. If the Eth-Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode on the member port must also be set to LACP.

    [HUAWEI-um] interface fabric-port 1
    [HUAWEI-um-fabric-port-1] port connect-type indirect
    [HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
    [HUAWEI-um-fabric-port-1] quit
    [HUAWEI-um] quit
    [HUAWEI] interface eth-trunk 1
    [HUAWEI-Eth-Trunk1] port link-type hybrid
    [HUAWEI-Eth-Trunk1] port hybrid tagged vlan 11
    [HUAWEI-Eth-Trunk1] stp root-protection
    [HUAWEI-Eth-Trunk1] stp edged-port disable
    [HUAWEI-Eth-Trunk1] loop-detection disable
    [HUAWEI-Eth-Trunk1] mode lacp     //In this example, the Eth-Trunk working mode on the Layer 2 network interface is set to LACP.
    [HUAWEI-Eth-Trunk1] authentication control-point open
    [HUAWEI-Eth-Trunk1] quit
    [HUAWEI] interface gigabitethernet 1/1/0/1
    [HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
    [HUAWEI-GigabitEthernet1/1/0/1] quit
    [HUAWEI] interface gigabitethernet 2/1/0/1
    [HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
    [HUAWEI-GigabitEthernet2/1/0/1] quit

    The configuration of fabric port 2 that connects the parent to AS 2 is similar to that of fabric port 1 and is not described here.

    # Configure ASs to be authenticated using a whitelist when they connect to the SVF system.

    To view the AS management MAC address, run the display as access configuration command on the AS. If the management MAC displays --, the MAC address configured in the whitelist is the AS system MAC address. Otherwise, the MAC address configured in the whitelist is the AS management MAC address.

    [HUAWEI] as-auth
    [HUAWEI-as-auth] undo auth-mode
    [HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
    [HUAWEI-as-auth] whitelist mac-address 0200-0000-0022
    [HUAWEI-as-auth] quit

  4. Configure an uplink fabric port that connects an AS to the parent.

    # Set the role of the device in a VCMP domain to silent.
    <HUAWEI> system-view
    [HUAWEI] vcmp role silent
    [HUAWEI] quit

    # Configure an uplink fabric port that connects AS 1 to the parent.

    <HUAWEI> uni-mng indirect mng-vlan 11
    <HUAWEI> uni-mng indirect fabric-port member interface gigabitethernet 0/0/27
    <HUAWEI> uni-mng indirect fabric-port member interface gigabitethernet 0/0/28

    # Configure an uplink fabric port that connects AS 2 to the parent.

    <HUAWEI> uni-mng indirect mng-vlan 11
    <HUAWEI> uni-mng indirect fabric-port member interface gigabitethernet 0/0/1
    <HUAWEI> uni-mng indirect fabric-port member interface gigabitethernet 0/0/2

  5. Clear the configurations of ASs and restart the ASs. Connect the parent and ASs to the Layer 2 network using cables.

    # Clear the configurations of ASs, restart the ASs, and then connect the parent and ASs to the Layer 2 network using cables. Subsequently, an SVF system is set up.
    • Before restarting an AS, check whether the port that connects this AS to the parent is a downlink port. You can run the display port connection-type access all command on this AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-direction fabric-port command on this AS to configure this port as an uplink port before restarting this AS. Otherwise, this AS cannot go online.
    • Before connecting an AS to the parent, ensure that the AS has no configuration file and no input on the console port.

    # After connecting cables, run the display as all command to check whether ASs have connected to the SVF system.

    [HUAWEI] display as all
    Total: 2, Normal: 2, Fault: 0, Idle: 0, Version mismatch: 0
    --------------------------------------------------------------------------------
    No.  Type           MAC            IP              State        Name
    --------------------------------------------------------------------------------
    0    S5720-SI       0200-0000-0011 192.168.11.254  normal      as1
    1    S5720-LI       0200-0000-0022 192.168.11.250  normal      as2
    --------------------------------------------------------------------------------
    

    When the State field in the command output displays normal for an AS, the AS has connected to the SVF system.

  6. Configure service profiles and bind them to ASs.

    # Configure an AS administrator profile and bind it to all ASs. hello@123 is a sample password; the saved configuration file stores it in ciphertext.
    [HUAWEI] uni-mng
    [HUAWEI-um] as-admin-profile name admin_profile
    [HUAWEI-um-as-admin-admin_profile] user asuser password hello@123
    [HUAWEI-um-as-admin-admin_profile] quit
    [HUAWEI-um] as-group name admin_group
    [HUAWEI-um-as-group-admin_group] as name-include as
    [HUAWEI-um-as-group-admin_group] as-admin-profile admin_profile
    [HUAWEI-um-as-group-admin_group] quit
    # Configure network basic profiles and bind them to AS ports.
    [HUAWEI-um] network-basic-profile name basic_profile_1
    [HUAWEI-um-net-basic-basic_profile_1] user-vlan 10
    [HUAWEI-um-net-basic-basic_profile_1] quit
    [HUAWEI-um] network-basic-profile name basic_profile_2
    [HUAWEI-um-net-basic-basic_profile_2] user-vlan 20
    [HUAWEI-um-net-basic-basic_profile_2] quit
    [HUAWEI-um] port-group name port_group_1
    [HUAWEI-um-portgroup-port_group_1] as name as1 interface all
    [HUAWEI-um-portgroup-port_group_1] network-basic-profile basic_profile_1
    [HUAWEI-um-portgroup-port_group_1] quit
    [HUAWEI-um] port-group name port_group_2
    [HUAWEI-um-portgroup-port_group_2] as name as2 interface all
    [HUAWEI-um-portgroup-port_group_2] network-basic-profile basic_profile_2
    [HUAWEI-um-portgroup-port_group_2] quit
    [HUAWEI-um] quit
    # Configure a user access profile and bind it to all AS ports.
    [HUAWEI] dot1x-access-profile name 1
    [HUAWEI-dot1x-access-profile-1] quit
    [HUAWEI] authentication-profile name dot1x_auth
    [HUAWEI-authen-profile-dot1x_auth] dot1x-access-profile 1
    [HUAWEI-authen-profile-dot1x_auth] quit
    [HUAWEI] uni-mng
    [HUAWEI-um] user-access-profile name access_profile
    [HUAWEI-um-user-access-access_profile] authentication-profile dot1x_auth
    [HUAWEI-um-user-access-access_profile] quit
    [HUAWEI-um] port-group name port_group_1
    [HUAWEI-um-portgroup-port_group_1] user-access-profile access_profile
    [HUAWEI-um-portgroup-port_group_1] quit
    [HUAWEI-um] port-group name port_group_2
    [HUAWEI-um-portgroup-port_group_2] user-access-profile access_profile
    [HUAWEI-um-portgroup-port_group_2] quit

    # Commit the configuration to deliver the configurations in service profiles to ASs.

    [HUAWEI-um] commit as all
    Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
    [HUAWEI-um] quit
    # Bind a user access profile to a fabric port.
    [HUAWEI] interface eth-trunk 1
    [HUAWEI-Eth-Trunk1] authentication-profile dot1x_auth
    [HUAWEI-Eth-Trunk1] quit
    [HUAWEI] interface eth-trunk 2
    [HUAWEI-Eth-Trunk2] authentication-profile dot1x_auth
    [HUAWEI-Eth-Trunk2] quit

    # Run the display uni-mng commit-result profile command to check whether the configurations in service profiles have been delivered to ASs.

    [HUAWEI] display uni-mng commit-result profile
    Result of profile:
    --------------------------------------------------------------------------------
     AS Name                         Commit Time               Commit/Execute Result
    --------------------------------------------------------------------------------
     as1                             2014-08-25 22:29:18       Success/Success
     as2                             2014-08-25 22:29:18       Success/Success
    --------------------------------------------------------------------------------
    

    When the Commit/Execute Result field in the command output displays Success/Success for an AS, the configurations in service profiles have been delivered to the AS.
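
A post-deployment check for the two verification steps above, as an added example that is not part of the original documentation: it parses captured `display as all` and `display uni-mng commit-result profile` output and compares the result with the as-auth whitelist. The function names and the embedded captures are constructed for illustration, and it assumes the command output has been saved as plain text.

```python
import re

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
AS_ROW = re.compile(rf"\s*\d+\s+\S+\s+({MAC})\s+\S+\s+(\S+)\s+(\S+)\s*$")
COMMIT_ROW = re.compile(r"\s*(\S+)\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")

# Constructed captures. as1/as2 mirror this page's output; the as3 row and the
# "fault" / "Success/Failed" strings are placeholders, not confirmed device text.
SAMPLE_AS = """\
Total: 3, Normal: 2, Fault: 1, Idle: 0, Version mismatch: 0
No.  Type           MAC            IP              State        Name
0    S5720-SI       0200-0000-0011 192.168.11.254  normal      as1
1    S5720-LI       0200-0000-0022 192.168.11.250  normal      as2
2    S5720-LI       0200-0000-0033 192.168.11.249  fault       as3
"""
SAMPLE_COMMIT = """\
 AS Name                         Commit Time               Commit/Execute Result
 as1                             2014-08-25 22:29:18       Success/Success
 as2                             2014-08-25 22:29:18       Success/Failed
"""

def parse_as_table(text):
    """Map MAC -> (name, state) from `display as all` output."""
    rows = (AS_ROW.match(line) for line in text.splitlines())
    return {m.group(1).lower(): (m.group(3), m.group(2)) for m in rows if m}

def parse_commit_result(text):
    """Map AS name -> Commit/Execute result from the commit-result table."""
    rows = (COMMIT_ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def audit(whitelist, as_output, commit_output):
    """Return findings; an empty list means every online AS is expected."""
    wl = {mac.lower() for mac in whitelist}
    table = parse_as_table(as_output)
    commits = parse_commit_result(commit_output)
    findings = [f"whitelisted AS {mac} is not online" for mac in sorted(wl - set(table))]
    for mac, (name, state) in sorted(table.items()):
        if mac not in wl:
            findings.append(f"{name} ({mac}) is online but not in the whitelist")
        if state != "normal":
            findings.append(f"{name} ({mac}) is in state {state}")
        if commits.get(name) != "Success/Success":
            findings.append(f"{name} profile commit: {commits.get(name, 'no record')}")
    return findings

if __name__ == "__main__":
    for finding in audit(["0200-0000-0011", "0200-0000-0022"], SAMPLE_AS, SAMPLE_COMMIT):
        print(finding)
```

Run against the output shown in this procedure with the two whitelisted MAC addresses, `audit` returns an empty list.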

Configuration Files

  • Configuration file of the SVF system

    #
    vlan batch 11
    #
    stp mode rstp
    stp instance 0 priority 28672
    #
    authentication-profile name dot1x_auth
     dot1x-access-profile 1
    #
    lldp enable
    #
    dhcp enable
    #
    interface Vlanif11
     ip address 192.168.11.1 255.255.255.0
     dhcp select interface
     dhcp server option 43 ip-address 192.168.11.1
    #
    interface Eth-Trunk1
     port link-type hybrid
     port hybrid tagged vlan 11
     stp root-protection
     stp edged-port disable
     authentication control-point open
     authentication-profile dot1x_auth
     mode lacp
     loop-detection disable
    #
    interface Eth-Trunk2
     port link-type hybrid
     port hybrid tagged vlan 11
     stp root-protection
     stp edged-port disable
     authentication control-point open
     authentication-profile dot1x_auth
     mode lacp
     loop-detection disable
    #
    interface GigabitEthernet1/1/0/1
     eth-trunk 1
    #
    interface GigabitEthernet1/1/0/2
     eth-trunk 2
    #
    interface GigabitEthernet2/1/0/1
     eth-trunk 1
    #
    interface GigabitEthernet2/1/0/2
     eth-trunk 2
    #
    capwap source interface vlanif11
    #
    as-auth
     whitelist mac-address 0200-0000-0011
     whitelist mac-address 0200-0000-0022
    #
    uni-mng
     as name as1 model S5720-28P-SI-AC mac-address 0200-0000-0011
     as name as2 model S5720-12TP-LI-AC mac-address 0200-0000-0022 
     interface fabric-port 1
      port connect-type indirect
      port member-group interface Eth-Trunk 1
     interface fabric-port 2
      port connect-type indirect
      port member-group interface Eth-Trunk 2
     as-admin-profile name admin_profile
      user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
     network-basic-profile name basic_profile_1
      user-vlan 10
     network-basic-profile name basic_profile_2
      user-vlan 20
     user-access-profile name access_profile
      authentication-profile dot1x_auth
     as-group name admin_group
      as-admin-profile admin_profile
      as name as1
      as name as2
     port-group name port_group_1
      network-basic-profile basic_profile_1
      user-access-profile access_profile
      as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
     port-group name port_group_2
      network-basic-profile basic_profile_2
      user-access-profile access_profile 
      as name as2 interface Ethernet 0/0/1 to 0/0/24
    #
    dot1x-access-profile name 1 
    #
    return
Copyright © Huawei Technologies Co., Ltd.