VS Configuration
Virtual systems (VSs) are managed by administrators that are granted with corresponding authority. A physical system (PS) administrator can manage all VSs which belong to the PS; a VS administrator can perform operations only on the managed VS, including starting and stopping the allocated services.
Overview of VSs
Virtual system (VS) partitioning helps manage networks by layer.
Background
As the demand on various types of network services is growing, network management becomes more complex. Requirements for service isolation, system security, and reliability are steadily increasing. The virtual private network (VPN) technique can be used to isolate services on a PS. If a module failure occurs on the PS, all services configured on the PS will be interrupted.
To prevent service interruptions, the VS technique is used to partition a PS into several VSs. Each VS functions as an independent network element and uses separate physical resources to isolate services.
Further development of the distributed routing and switching systems allows VS technique to fully utilize the service processing capability of a single PS. The VS technique helps simplify network deployment and management, and strengthen system security and reliability.
Relationship Between a PS and VSs
As shown in Figure 2-1, a physical router, which can be regarded as a PS, is partitioned into several VSs. Each VS functions as an independent router to process services.
The PS administrator has the authority to manage all VSs. The VS administrator has the authority to query VSs but cannot manage them.
Basic Concepts
Figure 2-2 shows VS concepts.
Concept |
Description |
|---|---|
PS |
Physical system |
VS |
A VS is a virtual system on both software and hardware planes. Each VS performs independent routing tasks. VSs share all resources, such as MBs, LCs, and chassis, except interfaces. That is, VSs can share the main control board and interface board resources. Each VS has its own primary VS main board (PVMB) and configuration management instance. Generally, the routing management system and configuration management system work on the PVMB. NOTE:
Each PS has a default VS named Admin-VS. All unassigned interfaces belong to this VS. All VSs in a PS must use the same system software. Each VS is configured with its own configuration management system and routing protocols. |
MB |
Main boards (MBs) are used to carry tasks on the management control plane. In a VS, the MB refers to a common MB, that is, the MB is not a master main board (MMB) or PVMB. |
PVMB |
A VS has many MBs, two of which manage the entire VS. The two MBs are PVMBs. |
Limitations for VS Management
Limitations
Restrictions |
Guidelines |
Impact |
|---|---|---|
Forwarding plane performance alarms and flow creation rate control are performed at the board level, not at the VS granularity. |
None |
None |
The function of filtering DHCP packets based on the whitelist does not support multiple VSs. |
Configure the whitelist function only in Admin VS. |
None |
After port mirroring is configured on a main interface, the port mirroring configuration becomes ineffective on its sub-interface, regardless of whether the main interface and its sub-interface belong to the same independent VS. |
N/A |
After port mirroring is configured on a main interface, the port mirroring configuration becomes ineffective on its sub-interface, regardless of whether the main interface and its sub-interface belong to the same independent VS. |
If the memory of the master main control board is inconsistent with that of the slave main control board, a master/slave main control board switchover or device restart occurs, which may cause VS configurations to be lost. |
If the memory of the master main control board is inconsistent with that of the slave main control board, increase the memory of the master or slave main control board to achieve memory consistency. |
VS configurations may be lost. |
The clock service can be configured only in Admin VS. |
None |
Configurations will fail to be committed for VSs. |
Multicast NAT does not support multiple VSs. |
Plan services properly. |
Multicast NAT does not support multiple VSs. |
After a pre-splitting 100GE interface or post-splitting 10GE interface is added to a VS (non-admin VS), interface splitting is not supported and can be configured only after the interface is removed from the VS. |
None |
Interface usage is under restriction. |
When an interface and its sub-interfaces are deployed in different VSs, ESI route negotiation is not supported. |
Deploy an interface and its sub-interfaces in the same VS. |
If an interface and its sub-interfaces are deployed in different VSs and an ESI is configured on the interface, the sub-interfaces fail to forward packets. |
The group-mac of L2PT and BPDU tunnels can be configured only in Admin VS. |
None |
None |
The destination IP address or UDP port number cannot be configured for the output NetStream flows in the view of a non-Admin VS. The NetStream service processing board cannot be configured for an interface board in the view of a non-Admin VS. |
None |
None |
The DAA service does not support multi-VS and can be deployed only on the Admin-AS. |
None |
DAA service activation fails. |
The BOD service does not support multi-VS and can be deployed only on the Admin-AS. |
None |
BOD service activation fails. |
The EDSG service does not support multi-VS and can be deployed only on the Admin-AS. |
None |
EDSG service activation fails. |
Different names and IDs must be configured for NAT instances, service-locations, service instance groups on different VSes. |
Configure different names and IDs for NAT instances, service-locations, service instance groups on different VSes. |
NAT instances, service-locations, service instance groups on different Vses cannot have the same name or ID. |
Different names and IDs must be configured for DS-Lite instances, NAT64 instances, service-locations, service instance groups on different VSes. |
Configure different names and IDs for DS-Lite instances, NAT64 instances, service-locations, service instance groups on different VSes. |
DS-Lite instances, NAT64 instances, service-locations, service instance groups on different Vses cannot have the same name or ID. |
For a subcard that allows two 50G ports with consecutive port numbers to be switched to a 100G port, when the port with an odd port number is added to a service VS:
|
None |
The switching mode of port 0 on the subcard 2-Port 50GBase/1-Port 100GBase-QSFP28 FlexE Flexible Card (P120) is affected. |
A standard Ethernet interface that has been added to VSn cannot be switched to the FlexE mode. |
None |
A standard Ethernet interface that has been added to VSn cannot be switched to the FlexE mode. |
After a standard Ethernet interface is added to VSn, the interface rate does not support auto-negotiation against an optical module. |
None |
After a standard Ethernet interface is added to VSn, the interface rate does not support auto-negotiation against an optical module. |
A FlexE physical interface cannot be added to VSn. |
None |
A FlexE physical interface cannot be added to VSn. |
A FlexE logical interface can be created only in Admin VS. |
None |
A FlexE logical interface cannot be created in VSn. |
An ATM bundle interface can be created Admin VS or VSn. An ATM bundle interface in Admin VS cannot be bound to VSn. |
None |
None |
The Controller's interfaces can be configured only in Admin VS and cannot be allocated to VSn. |
None |
None |
An MLPPP interface can be created only in Admin VS. |
None |
None |
A serial main interface can be created only in Admin VS. |
None |
None |
A CPOS-Trunk interface can be created only in Admin VS. A CPOS-Trunk interface in Admin VS cannot be bound to VSn. |
None |
None |
A trunk serial main interface can be created only in Admin VS. |
None |
None |
A global MP-group main interface can be created only in Admin VS. |
None |
None |
An IMA-group main interface can be created only in Admin VS. |
None |
None |
An IMA-group sub-interface can be created in Admin VS or VSn. An IMA-group main interface and its sub-interfaces must be in the VS. An IMA-group sub-interface in Admin VS cannot be bound to VSn. |
None |
None |
A serial sub-interface can be created in Admin VS or VSn. A serial main interface and its sub-interfaces must be in the VS. A serial sub-interface in Admin VS cannot be bound to VSn. |
None |
None |
A global IMA-group main interface can be created only in Admin VS. |
None |
None |
The CPU-defend policy needs to be configured in the slot view. Many security functions can be configured only in Admin VS and take effect in all VSs, including CP-CAR, attack source tracing, TCP/IP attack defense, application layer association, GTSM, and MA-defend. The MA-defend policy can be configured only in Admin VS. The policy can be applied to a device, a board, or an interface. The device and board policies can be based on Admin VS. Only the interface policy can be applied based on the VSn. |
None |
None |
If ARP invalid packet filtering or ARP destination address detection is configured on a main interface, the corresponding configuration is also delivered to its sub-interfaces that reside in VSs different from the main interface's VS. |
None |
None |
The command for Layer 2 loop detection can be configured only in the admin VS and takes effect for all VSs. |
None |
None |
The command for Layer 3 loop detection can be configured only in the admin VS and takes effect for all VSs. |
None |
None |
The SOC, including the commands in the SOC view, can be configured only in Admin VS and takes effect in all VSs. |
None |
None |
Host-CAR does not support multiple VSs. |
None |
None |
RADIUS services do not support multiple VSs. (RADIUS services can be deployed only in Admin VS.) |
None |
None |
BRAS services do not support multiple VSs. (BRAS services can be deployed only in Admin VS.) |
None |
None |
802.1X port-based authentication does not support multiple VSs. (802.1X port-based authentication can be configured only in the Admin VS.) |
None |
None |
1. The local discriminator (MD) of BFD is unique in all VSs. That is, if BFD with MD=200 is configured in VS
|
None |
None |
|
None |
None |
The system determines VS specifications based on the memory of the master main control board. If the memory of the master main control board is less than 8 GB, creating multiple VSs is not supported. If the memory of the master main control board is greater than or equal to 8 GB but less than 16 GB, the system supports a maximum of four VSs. If the memory of the master main control board is greater than or equal to 16 GB, the system supports a maximum of eight VSs. |
Plan VS resources properly. |
None |
Non-Admin VSs share system memory resources with each other. Memory resources cannot be separately allocated to the VSs. |
None |
None |
After a device is upgraded from the unified VS mode to the independent VS mode with existing configurations, data in all VSs except Admin-VS is lost. |
Before the upgrade, save the configuration file of a non-Admin-VS VS. After the upgrade, save the configuration file to the non-Admin VS directory for configuration restoration. |
The configuration information of the non-Admin VS is lost. |
All VSs except Admin-VS do not support .dat configuration files. |
None |
Non-Admin VSs do not support fast startup in DAT mode. |
A device allows a maximum of 21 users to deliver configurations. Other users can only perform the query operation. The users in non-Admin VSs are in preemption mode. |
None |
None |
Configurations cannot be concurrently committed for Admin-VS and non-Admin-VS VSs. Configurations can be concurrently committed for multiple non-Admin-VS VSs. However, if configurations that affect Admin-VS are modified for a non-Admin VS, configurations cannot be committed for other non-Admin-VS VSs during configuration commission for this non-Admin-VS VS. |
None |
Configurations may fail to be committed for some VSs, and you need to try again in this case. |
VSs except Admin-VS do not support independent NTP. |
None |
None |
KPI files generated through the KPI diagnosis function are not independently saved by VS. |
None |
None |
The maintenance assistant function does not apply to non-Admin VSs. Admin-VS collects information uniformly. |
None |
None |
DCN can be enabled only in Admin-VS. |
None |
None |
IP FPM measurement flags cannot be configured for VSs except Admin-VS. |
None |
None |
The BFD local descriptor (MD) is unique on a device. Different VSs cannot be configured with the same local descriptor. |
None |
None |
Different VSs cannot be configured with the same PWE3 static VC label. |
None |
None |
The EVPN supports multiple VSs, but the ESI-ID is unique on a device. |
Do not configure the same ESI-ID for different non-Admin VSs. |
None |
GRESM labels in the system are unique and cannot conflict with each other even in different VSs. |
Do not configure the same GRESM label for different non-VS0 VSs. |
None |
The sampling mode and destination address are configured in the Slot view and can only be configured in Admin-VS. |
None |
None |
The display diagnostic-information command can be run in the Admin-VS view to collect diagnostic information of all VSs. If the command is run in the VSn view, only diagnostic information of the current VS is collected. Each VS can have only one piece of task collector diagnostics information. Therefore, when the command is run in the Admin-VS view to collect global diagnostic information and a VSn has an information collection task being executed, the diagnostic information if this VSn will not be collected. |
None |
The execution efficiency of the one-click diagnostic command is affected. |
Each independent management VS allows the private VB function to be enabled on a maximum of three target hosts. |
None |
For an independent management VS, only up to three target hosts can be adapted to Huawei proprietary NMSs. |
The function of filtering DHCP packets based on the whitelist does not support multiple VSs. |
Configure the whitelist function only in Admin-VS. |
Hardware does not support this feature. |
Managing VSs by a PS Administrator
A Physical System (PS) administrator has the authority to manage Virtual Systems (VSs), including configuring VSs, allocating resources to VSs, and configuring services on VSs.
Creating a VS
A Physical System (PS) administrator can create Virtual Systems (VSs) on the PS, but cannot create, or delete the Admin-VS. The Admin-VS is the default VS on a PS and manages the entire PS. The Admin-VS is automatically created when a PS is being started. All the unassigned resources on a PS belong to the Admin-VS by default. A VS is started as soon as it is created.
Procedure
- Run system-view
The system view is displayed.
- Run admin
The admin view is displayed.
- Run virtual-system vs-name
A VS is created and started.
- (Optional) Run port-mode port [ resource-template template-name ]
A port mode is configured for the VS.
You cannot delete the port mode that has been configured for a VS.
- (Optional) Run description description
The description of a VS is displayed.
The network administrator can configure a description for the VS to describe the service type or usage.
- Run commit
The configuration is committed.
In the VS creation process, the NetStream function becomes unavailable in two minutes.
Configuring Hardware Resources for the VS
A Physical System (PS) administrator can allocate board and interface resources to Virtual Systems (VSs) so that the VSs can carry services, or delete board and interface resources so that the services on the VSs can be stopped.
Context
The Admin-VS is the default VS in a PS and manages the PS. All unallocated resources in the PS belong to the Admin-VS by default.
The Admin-VS has all board and interface resources of a PS, and the board and interface resources of the Admin-VS cannot be added to or deleted.
Only in the virtual cluster scenario, hardware resources can be configured for the VS.
This configuration process is supported only on the Admin-VS.
Procedure
- Run system-view
The system view is displayed.
- Run admin
The admin view is displayed.
- Run virtual-system vs-name
The VS view is displayed.
- (Optional) Run port-mode port [ resource-template template-name ]
A port mode is configured for the VS.
You cannot delete the port mode that has been configured for a VS.
- Run assign interface interface-type interface-number]
Interface resources are allocated to the VS.
Interface allocation must comply with the following rules:- The board and interface resources of a VS can be allocated by a PS administrator only.
- A VS administrator only has the authority to perform operations on the managed VS but not the other VSs.
- When an interface in the admin VS is allocated to a VS, all configurations on the interface are cleared.
- Each VS can be allocated a maximum of two PVMB resources.
- The slot resources deleted from a VS are automatically allocated to the Admin-VS, and the Admin-VS takes over services carried using these slot resources.
- (Optional) Run resource cpu weight weight-limit
A CPU weight value is assigned to the VS.
You can run this command to change the default CPU weight value.
- Run commit
The configuration is committed.
In the VS creation process, the NetStream function becomes unavailable in two minutes.
(Optional) Configuring Logical Resources for the VS
A Physical System (PS) administrator can allocate logical resources to Virtual Systems through two methods.
Context
PS administrator can assign a logical resource to a VS each time, or use a resource template to assign multiple logical resources to a VS in a batch.
This configuration process is supported only on the Admin-VS.
Procedure
- Assign a logical resource to a VS each time.
- Run port-mode port [ resource-template template-name ]
A port mode is configured for the VS.
You cannot delete the port mode that has been configured for a VS.
- Run port-mode port [ resource-template template-name ]
- Assign multiple logical resources to a VS in a batch.
- Run port-mode port [ resource-template template-name ]
A port mode is configured for the VS.
You cannot delete the port mode that has been configured for a VS.
- Run port-mode port [ resource-template template-name ]
(Optional) Switching a VS
A Physical System (PS) administrator can switch from one Virtual System (VS) to another.
Verifying the VS Configuration
Verify the VS configuration as a PS administrator.
Procedure
- Run the display virtual-system [ name vs-name ] [ verbose ] command to check basic VS information.
- Run the display virtual-system [ name vs-name ] resource command to check resource information about a specified VS or all VSs of a PS.
The parameter name is supported only on the Admin-VS.
- Run the display virtual-system resource-template command to check resource template information about a specified VS or all VSs of a PS.
- Run the display virtual-system configuration state command to check the VS configuration status.
Maintaining VSs
This section describes how to reset a VS when a VS needs to be upgraded or the diagnostics system is abnormal.
Resetting a VS
When updating VS configurations or diagnosing faults, you can reset the VS.
Configuration Examples for VSs
This section provides VS configuration examples.
Example for Creating VSs
This section provides an example for creating VSs and allocating resources to the VSs.
Networking Requirements
This configuration example is supported only on the Admin-VS.
On the network shown in Figure 2-3, the main control board of a PS processes all services offered by an SP. If a service failure on the PS causes a PS failure, other services running on the PS cannot be properly forwarded. To prevent this problem, configure different VSs on the PS to independently carry services to improve network security.
As shown in Figure 2-3, different VSs can be created on a PS. The VSs carry their own services that are mutually isolated. Services can be quickly differentiated by VS, and physical interfaces can be shared between the VSs, saving physical links and reducing networking costs.
Precautions
- A VS starts after it is created.
- The VS slot resources can be allocated only by the PS administrator.
- The same slot resources can be allocated to multiple VSs.
- An interface can be allocated only to a single VS.
- The slot resources deleted from a VS are automatically allocated to the Admin-VS, and the Admin-VS takes over services carried using these slot resources.
Configuration Roadmap
The configuration roadmap is as follows:
Create VSs and configure PVMBs for each VS so that the VSs can start.
Allocate interfaces to VSs to allow the VSs to forward services.
Data Preparation
To complete the configuration, you need the following data:
- Names of the VSs to be created: vs1, vs2, and vs3
- Interface number allocated to each VS
Procedure
- Create and start VSs.
<HUAWEI> system-view[~HUAWEI] admin [~HUAWEI-admin] virtual-system vs1 [*HUAWEI-admin-vs:vs1] port-mode port [*HUAWEI-admin-vs:vs1] description vs1 [*HUAWEI-admin-vs:vs1] quit [~HUAWEI-admin] virtual-system vs2 [*HUAWEI-admin-vs:vs2] port-mode port [*HUAWEI-admin-vs:vs2] description vs2 [*HUAWEI-admin-vs:vs2] quit [~HUAWEI-admin] virtual-system vs3 [*HUAWEI-admin-vs:vs3] port-mode port [*HUAWEI-admin-vs:vs3] description vs3 [*HUAWEI-admin-vs:vs3] quit [*HUAWEI-admin] commit
- Allocate resources to the VSs.
[~HUAWEI-admin] virtual-system vs1
[*HUAWEI-admin-vs:vs1] assign interface gigabitethernet 3/0/2
[*HUAWEI-admin-vs:vs1] quit
[~HUAWEI-admin] virtual-system vs2
[*HUAWEI-admin-vs:vs2] assign interface gigabitethernet 3/0/3
[*HUAWEI-admin-vs:vs2] quit
[~HUAWEI-admin] virtual-system vs3
[*HUAWEI admin-vs:vs3] assign interface gigabitethernet 3/0/4
[*HUAWEI admin] commit
- Configure different services or features on the VSs.
For configuration details, see the related feature configurations. For example, to configure a routing protocol on VS1, see the chapter "IP Routing" in the NE40E Configuration Guide - IP Routing.
- Verify the configuration.
Run the display virtual-system command on the PS. The command output shows that vs1, vs2, and vs3 have been created and started.
[*HUAWEI-admin] display virtual-system
--------------------------------------------------------------- Name Status Description --------------------------------------------------------------- Admin-VS running admin-vs vs1 running vs1 vs2 running vs2 vs3 running vs3 ---------------------------------------------------------------
Run the display virtual-system [ name vs-name ] [ verbose ] command on the PS. The following example uses vs1 configurations.
[~HUAWEI-admin] display virtual-system name vs1 verbose
Name : vs1 Status : running Description : Create time : 2017-03-13 21:24:27+09:30 DST Port mode : port System MAC : 00-e0-fc-12-34-56 Assigned slot(s) pvmb : 6 pvmb : 7 CPU(s) slot 6 : 4% slot 7 : 4% fcard:/VS_huawei: 0%, 16/41943040 (Used Kbytes/Max Kbytes) Assigned interface(s) GE3/0/0, slot 3 Assigned resource(s) u4route : 10000(Max) m4route : 1000(Max) u6route : 1000(Max) m6route : 1000(Max) vpn-instance : 256(Max) cpu : 5(weight)
Run the display virtual-system configuration state command on the PS to check whether VS configurations have been saved.[~HUAWEI-admin] display virtual-system configuration state
----------------------------------------------------------------- Name Saved-configuration ----------------------------------------------------------------- Admin-VS not saved vs1 not saved vs2 not saved vs3 not saved -----------------------------------------------------------------
