Configuring VCMP
Context
VCMP implements centralized VLAN management and manages network devices based on VCMP domains (for details, see VCMP Domain). VCMP defines four roles: server, client, transparent, and silent (for details, see VCMP Roles). Switches added to a VCMP domain as clients are managed by the VCMP server in the same VCMP domain. When VLANs are created or deleted, or VLAN names or descriptions are changed on the VCMP server, VCMP clients automatically synchronize VLAN information with the server. VCMP reduces the workload on modifying the same VLAN information on multiple switches and ensures VLAN information consistency.
- Configure an aggregation or core switch as the VCMP server. Only one VCMP server exists in a VCMP domain.
- Configure access switches as VCMP clients.
- Configure switches that do not need to be managed by the VCMP server and are located between the VCMP server and clients as VCMP transparent switches.
- Configure edge devices connected to other networks as VCMP silent switches to prevent the connected networks from being affected.
A VCMP client identifies the VCMP server by device ID. The VCMP client obtains the device ID of the VCMP server from the first received VCMP packet, and synchronizes VLAN information with only the VCMP server specified by the device ID. The device ID of the VCMP server learned by a VCMP client remains unchanged unless the role of the VCMP client changes. The VCMP server can receive and transmit VCMP packets and achieve centralized management only when being configured with the device ID.
When an unauthorized switch is added to a VCMP domain, VCMP clients in this VCMP domain may synchronize VLAN information of the unauthorized switch, affecting network stability. To prevent unauthorized switches from joining a VCMP domain, configure an authentication password on the VCMP server and clients in the VCMP domain.
Pre-configuration Tasks
Before configuring VCMP, complete the following tasks:
- Connect interfaces and setting physical parameters of the interfaces to ensure that the physical status of the interfaces is Up. For details, see Ethernet Interface Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Interface Management.
Configure the link type of interfaces as trunk and hybrid so that the interfaces can forward VCMP packets.
VCMP is often used with LNP to dynamically negotiate the link type, which simplifies use configurations. For detailed LNP configuration, see steps 1 to 6 in Configuring Interface-based VLAN Assignment (LNP Dynamically Negotiates the Link Type).
You can run the display lnp summary command to check whether LNP is configured on the switch and check the link type of the interface. If LNP is not configured on the switch or the link type of the interface is not trunk or hybrid, run the port link-type { hybrid | trunk } command to configure the link type of the interface.
Procedure
- Run system-view
The system view is displayed.
- Run vcmp role { client | server | silent | transparent }
A VCMP role of the switch is configured.
By default, switches in a VCMP domain are VCMP clients.
After a switch is upgraded from a version earlier than V200R005C00 to V200R005C00 or a later version, the role of the switch is silent.
- Perform the following operations based on the VCMP role of the switch.
- Perform the following operations on the VCMP server:
Run vcmp domain domain-name
A VCMP domain is configured.
By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name.
Each switch can be added to only one VCMP domain.
Run vcmp device-id device-name
A device ID is set for the VCMP server.
By default, no device ID is set for the VCMP server.
(Optional) Run vcmp authentication sha2-256 password password
A VCMP domain authentication password is configured.
The VCMP server and clients in a VCMP domain must be configured with the same authentication password. To ensure device security, change the password periodically.
By default, no authentication password is configured in a VCMP domain, and VCMP packets pass authentication.
- Perform the following operations on a VCMP client:
(Optional) Run vcmp domain domain-name
A VCMP domain is configured.
By default, no VCMP domain is created.
All switches in a VCMP domain must use the same VCMP domain name. If the domain name is not set on a VCMP client, the VCMP client learns the domain name in the first received VCMP packet.
Each switch can be added to only one VCMP domain.
(Optional) Run vcmp authentication sha2-256 password password
A VCMP domain authentication password is configured.
The VCMP server and clients in a VCMP domain must be configured with the same authentication password. To ensure device security, change the password periodically.
By default, no authentication password is configured in a VCMP domain, and VCMP packets pass authentication.
- When the VCMP role is transparent or silent, go to the next step.
- Perform the following operations on the VCMP server:
- Run interface interface-type interface-number
The view of a Layer 2 Ethernet interface where VCMP is to be enabled is displayed.
VCMP can be enabled only on Layer 2 Ethernet interfaces.
- Run undo vcmp disable
VCMP is enabled on the interface.
By default, VCMP is enabled on all interfaces of a switch.
If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP client. To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP domains, run the vcmp disable command to disable VCMP on the edge switch interface connected to other VCMP domains.
- (Optional) Run snmp-agent trap enable feature-namevcmp
The VCMP trap function is enabled.
To protect the switch against attacks of bogus VCMP servers, enable the VCMP trap function. When receiving VCMP packets from bogus VCMP servers, the switch sends traps about the multi-server event to the NMS.
Verifying the Configuration
After you configure VCMP, check whether the configuration takes effect.
Run the display vcmp status command to check the VCMP configuration, including the VCMP domain name, VCMP role, device ID, configuration revision number, and VCMP domain authentication password.
Run the display vcmp interface brief command to check the VCMP status on Layer 2 Ethernet interfaces.