
VCMP Implementation

VCMP enables switches of different roles to exchange VCMP packets to implement centralized VLAN management. VCMP packets can be transmitted only in VLAN 1 on trunk or hybrid interfaces. To retain the same VLAN information on the VCMP server and clients, VCMP defines three types of multicast packets: Summary-Advert, Subset-Advert, and Advert-Request. Table 1 describes the functions and applicable scenarios of the three types of packets.

Table 1 VCMP packets

Packet type: Summary-Advert
  • Function: The VCMP server sends Summary-Advert packets to other devices in the local VCMP domain to notify them of the domain name, device ID, configuration revision number, and VLAN information.
  • Applicable scenario:
    • The VCMP server sends a Summary-Advert packet every 5 minutes to ensure real-time synchronization of VLAN information on the VCMP server and clients and prevent VLAN information loss due to packet loss.
    • The VCMP server configuration is changed. For example, VLANs are created or deleted, the VCMP domain name or device ID is changed, and the VCMP server restarts.
    • The VCMP server receives Advert-Request packets from VCMP clients in the same VCMP domain.
  • Sent by: VCMP server

Packet type: Subset-Advert
  • Function: The VCMP server sends Subset-Advert packets to other devices in the VCMP domain to notify them of the non-default VLAN names or descriptions.
  • Applicable scenario: Non-default VLAN names or descriptions are configured on the VCMP server, and either of the following conditions is met:
    • The VCMP server configuration changes, including creating VLANs, deleting VLANs, and changing the VLAN name, VLAN description, VCMP domain name, device ID, or authentication password.
    • The VCMP server receives Advert-Request packets from VCMP clients in the same VCMP domain.
    The VCMP server sends a Subset-Advert packet to ensure real-time synchronization of VLAN information on the VCMP server and clients and prevent VLAN information loss due to packet loss.
  • Sent by: VCMP server

Packet type: Advert-Request
  • Function: A VCMP client sends Advert-Request packets to the VCMP server to request VLAN information.
  • Applicable scenario:
    • A VCMP client is added.
    • A VCMP client restarts or a client interface becomes Up.
  • Sent by: VCMP client

Summary-Advert and Subset-Advert packets sent by the VCMP server carry the configuration revision number. A VCMP client uses it to determine whether VLAN information sent from the VCMP server is newer than the local VLAN information. If so, the VCMP client synchronizes VLAN information with the VCMP server.

A configuration revision number is represented by an 8-digit hexadecimal number. The four left-most bits indicate the change of the VCMP domain or device ID and the four right-most bits indicate the VLAN change. Upon a VLAN change on the VCMP server, the configuration revision number is automatically increased. When the VCMP domain name or device ID changes, the four left-most bits of the configuration revision number are recalculated and the four right-most bits are reset.

VLAN Synchronization When the VCMP Server Configuration Changes

When the VCMP server configuration changes, for example, creating and deleting VLANs, changing the VLAN name, VLAN description, VCMP domain name, or device ID, or restarting the VCMP server, the VCMP server sends a Summary-Advert packet and a Subset-Advert packet to instruct VCMP clients in the local VCMP domain to synchronize VLAN information. The following uses creation of VLAN 100 on the VCMP server as an example to describe synchronization upon a server configuration change. Assume that the VCMP server uses the default VLAN name and description. That is, no Subset-Advert packet needs to be sent.

In Figure 1:
  • SwitchA: VCMP server
  • SwitchB: VCMP transparent switch
  • SwitchC, SwitchD and SwitchE: VCMP clients
  • SwitchF: VCMP silent switch

Figure 1 VLAN synchronization when the VCMP server configuration changes

After VLAN 100 is created on SwitchA:
  1. SwitchA sends a Summary-Advert packet carrying a VLAN information change to notify the neighbor (SwitchB) of the VLAN information change.
  2. When receiving the Summary-Advert packet, SwitchB directly forwards the packet.
  3. After a VCMP client receives the Summary-Advert packet:
    • If the VCMP client receives the packet for the first time, it learns the device ID, revision number, and VLAN ID in the packet. If the VCMP domain name of the VCMP client is empty, the VCMP client learns the VCMP domain name in the packet.
    • If it is not the first time the VCMP client receives the packet, the VCMP client processes the packet as follows:
      1. The VCMP client performs VCMP authentication for the Summary-Advert packet using the configured authentication password and the VCMP domain name, device ID, and configuration revision number in the Summary-Advert packet. After the Summary-Advert packet is authenticated, the VCMP client proceeds to the next step.
      2. If the VCMP domain name and device ID are saved locally, the VCMP client compares the local ones with those in the Summary-Advert packet. When the local ones are the same as those in the packet, the VCMP client proceeds to the next step.
      3. The VCMP client compares the local configuration revision number with that in the Summary-Advert packet:

        • If the four left-most bits are different, the VCMP client synchronizes VLAN information with the VCMP server according to the Summary-Advert packet and learns the VCMP domain name and device ID.
        • If the four left-most bits are the same, the VCMP client checks whether the local four right-most bits are less than or equal to those in the Summary-Advert packet. If so, the VCMP client only synchronizes VLAN information with the VCMP server.
      4. The VCMP client forwards the Summary-Advert packet to other devices in the local VCMP domain.

    Here, it is not the first time the VCMP client receives the Summary-Advert packet. The VCMP client finds that the highest four bits in the local revision number are the same as those in the Summary-Advert packet but the lowest four bits in the local revision number are less than or equal to those in the Summary-Advert packet. The VCMP client therefore synchronizes information of the VCMP server according to the Summary-Advert packet, and creates VLAN 100 locally.

  4. SwitchF directly discards the packet.
  • VLAN information synchronization is similar in other scenarios where Summary-Advert packets are triggered.
  • If non-default VLAN names and descriptions are configured on the VCMP server, the VCMP server also sends the Subset-Advert packet.
  • Within 30 minutes after a client synchronizes VLAN information from the server, the client generates the vlan.dat file to store the current VLAN information. After the client restarts, the client reads the vlan.dat file to obtain the VLAN information before the restart. The vlan.dat file cannot be modified, deleted, or overwritten. The file is deleted when the following operations are performed:
    • Run the reset vcmp command to clear VCMP domain information.
    • Run the vcmp role { server | silent | transparent } command to change the VCMP role to non-client.
    • Run the startup saved-configuration configuration-file command to configure a new configuration file whose name is different from the name of the current configuration file.
    • Run the reset saved-configuration command to delete the saved configuration file. This operation will delete all the configuration.

VLAN Information Synchronization When a VCMP Client Is Added

To ensure VLAN information synchronization between the VCMP server and clients, the VCMP server sends a Summary-Advert packet every 5 minutes to notify switches in the local VCMP domain of the domain name, device ID, and configuration revision number. The VCMP server also sends a Subset-Advert packet to notify switches of the VLAN names and descriptions that change. When a VCMP client is added or a VCMP client restarts, the VCMP client sends an Advert-Request packet to the VCMP server to request VLAN information on the VCMP server. The following describes how the VCMP client synchronizes VLAN information. Assume that the VCMP server uses the default VLAN name and description. That is, no Subset-Advert packet needs to be sent.

In Figure 2:
  • SwitchA: VCMP server
  • SwitchB: VCMP transparent switch
  • SwitchC and SwitchE: VCMP silent switches
  • SwitchD: VCMP client
  • SwitchF: new VCMP client

Figure 2 VLAN synchronization when a VCMP client is added

After SwitchF is configured with VCMP and specified as a VCMP client, SwitchF becomes the new VCMP client.
  1. SwitchF sends an Advert-Request packet to SwitchD to request VLAN information on SwitchA.

  2. SwitchD forwards the Advert-Request packet to SwitchB.

  3. SwitchB forwards the Advert-Request packet to its neighbors.

  4. The Advert-Request packet is then handled as follows:
    • When the VCMP server receives an Advert-Request packet:

      • The VCMP server performs VCMP authentication for the Advert-Request packet using the configured authentication password and the VCMP domain name, device ID, and configuration revision number in the Advert-Request packet. After the Advert-Request packet is authenticated, the VCMP server proceeds to the next step.
      • If the VCMP domain name or device ID in the Advert-Request packet is not empty but is different from the VCMP domain name or device ID on the VCMP server, the VCMP server discards the Advert-Request packet. Otherwise, the VCMP server replies with a Summary-Advert packet carrying its VLAN information.
    • The VCMP silent switch directly discards the received Advert-Request packet.
  5. After SwitchD, SwitchB, SwitchC and SwitchE, and SwitchF receive the Summary-Advert packet from SwitchA, the Summary-Advert packet is processed according to VLAN Synchronization When the VCMP Server Configuration Changes. SwitchD compares the locally configured VCMP domain name, device ID, and configuration revision number with those in the Summary-Advert packet. If they are the same, SwitchD directly forwards the packet. SwitchF synchronizes VLAN information on SwitchA. If the VCMP domain is not configured on SwitchF, SwitchF learns the VCMP domain name and device ID on SwitchA.

Advert-Request packets are triggered when a VCMP client restarts or a VCMP interface goes Up. VLAN information synchronization is similar.

If non-default VLAN names and descriptions are configured on the VCMP server, the VCMP server also sends the Subset-Advert packet.

Multi-Server Trap

Only one VCMP server exists in a VCMP domain. To prevent attacks of bogus VCMP servers, the VCMP server matches the VCMP domain name, device ID, and source MAC address in the received Summary-Advert packets with local ones. If the VCMP domain name and device ID match local ones but the source MAC address in the packet is different from the system MAC address, the VCMP server sends a trap about the multi-server event to the NMS.

To prevent the VCMP server from being affected by too many traps, the VCMP server sends traps to the NMS once every 30 minutes.
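
The multi-server check and its 30-minute trap limit can be modelled as follows. This is an added example, not Huawei code: the class, function names, outcome labels and sample events are constructed for illustration, and "once every 30 minutes" is read as at most one trap per 30 minutes.

```python
TRAP_INTERVAL = 30 * 60  # seconds; the page's 30-minute trap limit

def norm_mac(mac):
    """Reduce 00e0-fc12-3456, 00:E0:FC:12:34:56 etc. to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

class MultiServerMonitor:
    """Hypothetical model of the server-side multi-server check."""

    def __init__(self, domain, device_id, system_mac):
        self.identity = (domain, device_id)
        self.system_mac = norm_mac(system_mac)
        self.last_trap = None  # time of the last trap sent to the NMS

    def on_summary_advert(self, now, domain, device_id, src_mac):
        if (domain, device_id) != self.identity:
            return "other-domain"   # domain name or device ID does not match
        if norm_mac(src_mac) == self.system_mac:
            return "own-packet"     # source MAC is the system MAC
        if self.last_trap is not None and now - self.last_trap < TRAP_INTERVAL:
            return "suppressed"     # a trap was already sent in this window
        self.last_trap = now
        return "trap"               # second server claims the same identity

# Constructed events: (seconds, domain, device ID, source MAC)
EVENTS = [
    (0,    "campus", "sw-a", "00:E0:FC:12:34:56"),  # system MAC, other notation
    (10,   "campus", "sw-a", "00e0-fc99-0001"),     # foreign MAC
    (310,  "campus", "sw-a", "00e0-fc99-0001"),     # 300 s after the trap
    (400,  "lab",    "sw-x", "00e0-fc99-0002"),     # different domain
    (1900, "campus", "sw-a", "00e0-fc99-0001"),     # 1890 s after the trap
]

def replay(events):
    """Feed the events to a monitor for server campus/sw-a and list the outcomes."""
    mon = MultiServerMonitor("campus", "sw-a", "00e0-fc12-3456")
    return [mon.on_summary_advert(*e) for e in events]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

Because repeats inside the window are suppressed, one trap at the NMS can stand for many Summary-Advert packets from the second server.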

VCMP Authentication

When an unauthorized switch joins a VCMP domain, VLAN information on the switch may be synchronized in the VCMP domain, affecting network stability. To prevent unauthorized switches from joining a VCMP domain and enhance VCMP domain security, configure a VCMP domain authentication password on the VCMP server and clients.

If the VCMP domain authentication password is configured on the VCMP server or a VCMP client, the VCMP server or VCMP client uses the password character string (an empty character string is used by default) as the key and performs SHA-256 for the VCMP domain name and device ID to obtain a digest. The digest is sent in the Summary-Advert, Subset-Advert, or Advert-Request packet. When a VCMP client in the VCMP domain receives a Summary-Advert or Subset-Advert packet from the VCMP server, it uses the locally configured password to perform SHA-256 for the VCMP domain name, device ID, and configuration revision number, and compares the calculated digest with the digest in the packet. If the two digests match, the packet passes authentication and further VCMP processing is performed. Otherwise, the packet is discarded. When the VCMP server receives an Advert-Request packet from a VCMP client, authentication and processing are similar.

If no domain authentication password is set, VCMP packets pass without authentication.

  • In a VCMP domain, the VCMP domain authentication password on the VCMP server and clients must be the same.
  • To ensure device security, change the password periodically.
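
The digest check described in this section, combined with the three-step client procedure from VLAN Synchronization When the VCMP Server Configuration Changes, can be sketched as follows. This is an added example, not Huawei code. It assumes HMAC-SHA256 over NUL-joined fields as a stand-in for the keyed SHA-256 (the page does not give the encoding), reads "four left-most/right-most" as hexadecimal digits of the 8-digit value, and assumes a step-2 mismatch ends without synchronization; all names and sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Advert:
    domain: str
    device_id: str
    revision: int        # 8-digit hexadecimal value, e.g. 0x00A10004
    digest: bytes = b""

def vcmp_digest(password, domain, device_id, revision):
    # Assumption: HMAC-SHA256 over NUL-joined fields stands in for the keyed
    # SHA-256 on the page; the real field encoding is not documented there.
    msg = "\0".join((domain, device_id, f"{revision:08X}")).encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).digest()

def sign(password, domain, device_id, revision):
    """Build a constructed Summary-Advert carrying its digest."""
    return Advert(domain, device_id, revision,
                  vcmp_digest(password, domain, device_id, revision))

def client_decision(local, password, pkt):
    """Return the action a client takes on a repeat Summary-Advert."""
    expected = vcmp_digest(password, pkt.domain, pkt.device_id, pkt.revision)
    if not hmac.compare_digest(expected, pkt.digest):
        return "discard"          # step 1: authentication failed
    if local.domain and (local.domain, local.device_id) != (pkt.domain, pkt.device_id):
        return "no-sync"          # step 2 mismatch (outcome is an assumption)
    # Assumption: left-most/right-most four are hex digits of the revision.
    local_hi, local_lo = local.revision >> 16, local.revision & 0xFFFF
    pkt_hi, pkt_lo = pkt.revision >> 16, pkt.revision & 0xFFFF
    if local_hi != pkt_hi:
        return "sync+learn"       # step 3: left-most part differs
    if local_lo <= pkt_lo:
        return "sync"             # step 3: VLAN information only
    return "keep"                 # local revision is higher; nothing to do

# Constructed sample state: the client holds revision 0x00A10003.
LOCAL = Advert("campus", "sw-a", 0x00A10003)
SAMPLES = {
    "vlan 100 created":  sign("s3cret", "campus", "sw-a", 0x00A10004),
    "wrong password":    sign("", "campus", "sw-a", 0x00A10009),
    "high digits differ": sign("s3cret", "campus", "sw-a", 0x00B20000),
    "older revision":    sign("s3cret", "campus", "sw-a", 0x00A10001),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {client_decision(LOCAL, 's3cret', pkt)}")
```

The "wrong password" sample is keyed with the empty default string, so a client configured with a password discards it even though its revision number is the highest of the four.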
Copyright © Huawei Technologies Co., Ltd.