Configuring Leaf Nodes
Configuration Summary
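| No. | Configuration Task | No. | Configuration Task |
|---|---|---|---|
| Step 1 | Configure basic device information and VPNs for device management. | Step 6 | Configure links on the leaf nodes to connect to the spine nodes. |
| Step 2 | Configure the user name and password for device maintenance and management. | Step 7 | Configure an interface for BMC interfaces to connect to a leaf node. |
| Step 3 | Configure the leaf nodes to connect to the NMS. | Step 8 | Configure storage service access and server access on the leaf nodes. |
| Step 4 | Configure VLANs for forwarding server and storage traffic. | Step 9 | Configure CRC and disable unused interfaces. |
| Step 5 | Configure an active-active group of leaf nodes. | - | - |
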
Procedure
- Configure basic device information and VPNs for device management.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| system-view immediately | system-view immediately | Enter the system view and set the immediate validation mode. |
| sysname Leaf-01-01 | sysname Leaf-01-02 | Name the leaf nodes. |
| # | # | - |
| ip vpn-instance Management_out | ip vpn-instance Management_out | Create a dedicated out-of-band management VPN instance named Management_out. |
| ipv4-family | ipv4-family | |
| route-distinguisher 13:40 | route-distinguisher 14:40 | |
| # | # | - |
| interface MEth0/0/0 | interface MEth0/0/0 | Add MEth0/0/0 to the dedicated out-of-band management VPN instance. |
| ip binding vpn-instance Management_out | ip binding vpn-instance Management_out | |
| ip address 192.168.21.16 24 | ip address 192.168.21.17 24 | Configure unique IP addresses for management interfaces on the devices. |
| # | # | - |
| ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1 | ip route-static vpn-instance Management_out 10.0.0.0 255.0.0.0 192.168.21.1 | Configure a static route for remote management. Do not use a default route. |
| # | # | - |
| ip vpn-instance Management_in | ip vpn-instance Management_in | Create a VPN instance named Management_in for in-band management on the storage network. |
| ipv4-family | ipv4-family | - |
| route-distinguisher 13:41 | route-distinguisher 14:41 | - |
| # | # | - |
| interface Vlanif 4010 | interface Vlanif 4010 | Create VLANIF 4010 and configure its IP address as the in-band management IP address. Add VLANIF 4010 to the VPN instance Management_in. You do not need to perform this operation if out-of-band management is used. Constraint: in in-band management mode, the standby device cannot be managed when the peer-link fails, because of DAD. The out-of-band management mode is therefore recommended. |
| ip binding vpn-instance Management_in | ip binding vpn-instance Management_in | - |
| ip address 10.130.21.11 255.255.255.0 | ip address 10.130.21.12 255.255.255.0 | - |
| # | # | - |

- Configure the user name and password for device maintenance and management.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| user-interface console 0 | user-interface console 0 | Configure a console port login password to improve security. This configuration is mandatory. |
| authentication-mode password | authentication-mode password | |
| set authentication password cipher Huawei@123 | set authentication password cipher Huawei@123 | |
| # | # | - |
| user-interface maximum-vty 21 | user-interface maximum-vty 21 | Set the maximum number of VTY user interfaces to 21. |
| user-interface vty 0 20 | user-interface vty 0 20 | - |
| authentication-mode aaa | authentication-mode aaa | Set the authentication mode to AAA. |
| user privilege level 3 | user privilege level 3 | Set the user level to 3. |
| protocol inbound ssh | protocol inbound ssh | Specify the SSH protocol to improve security. |
| # | # | - |
| stelnet server enable | stelnet server enable | Enable the STelnet service on an SSH server. |
| # | # | - |
| aaa | aaa | Enter the AAA view. |
| local-user huawei password irreversible-cipher Admin@123 | local-user huawei password irreversible-cipher Admin@123 | Set the local user name to huawei and password to Admin@123 for an administrator to log in to and maintain the device. |
| local-user huawei service-type ssh | local-user huawei service-type ssh | Specify the SSH protocol. |
| local-user huawei level 3 | local-user huawei level 3 | Set the user level of the huawei user. |
| # | # | - |
| ssh user huawei | ssh user huawei | Create an SSH user. |
| ssh user huawei authentication-type password | ssh user huawei authentication-type password | - |
| ssh user huawei service-type stelnet | ssh user huawei service-type stelnet | - |
| ssh server-source -i MEth0/0/0 | ssh server-source -i MEth0/0/0 | Specify the source interface of the SSH server (for example, use the MEth interface for out-of-band management) to restrict logins and improve security. This configuration is not required when a device is upgraded from V200R005C20 to V200R019C10. Perform it when deploying a device that runs V200R019C10 or later. |

- Configure the leaf nodes to connect to the NMS.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| snmp-agent | snmp-agent | Enable the SNMP agent. |
| snmp-agent sys-info version v3 | snmp-agent sys-info version v3 | Set the SNMP version to SNMPv3, which must be the same as the SNMP version used by the NMS. |
| snmp-agent mib-view included myview iso | snmp-agent mib-view included myview iso | Configure the MIB view that can be accessed by the NMS. To ensure that the NMS can manage devices normally (for example, discovering device links based on LLDP), the MIB view must contain the iso node. |
| snmp-agent group v3 dc-admin privacy write-view myview notify-view myview | snmp-agent group v3 dc-admin privacy write-view myview notify-view myview | - |
| snmp-agent usm-user v3 uhmroot group dc-admin | snmp-agent usm-user v3 uhmroot group dc-admin | Set the SNMPv3 user name to uhmroot, which must be the same as the security name on the NMS. |
| snmp-agent usm-user v3 uhmroot authentication-mode sha | snmp-agent usm-user v3 uhmroot authentication-mode sha | Configure the authentication mode and password for the uhmroot user, which must correspond to the authentication protocol and password on the NMS. |
| Huawei12#$ | Huawei12#$ | - |
| Huawei12#$ | Huawei12#$ | - |
| snmp-agent usm-user v3 uhmroot privacy-mode aes128 | snmp-agent usm-user v3 uhmroot privacy-mode aes128 | Set the encryption mode and password of the uhmroot user, which must correspond to the privacy protocol and encryption password on the NMS. |
| Huawei12#$ | Huawei12#$ | - |
| Huawei12#$ | Huawei12#$ | - |
| # | # | - |
| snmp-agent trap enable | snmp-agent trap enable | Enable the trap function for all modules. By default, the trap function of some modules is disabled. |
| snmp-agent trap source MEth0/0/0 | snmp-agent trap source MEth0/0/0 | For out-of-band management, set the source interface for sending traps to MEth0/0/0. For in-band management, configure VLANIF 4010 for sending traps. |
| # | # | - |
| snmp-agent protocol source-interface MEth0/0/0 | snmp-agent protocol source-interface MEth0/0/0 | Specify the source interface used by SNMP to receive and respond to request packets from the NMS or controller. This configuration is not required when a device is upgraded from V200R005C20 to V200R019C10. Perform it when deploying a device that runs V200R019C10 or later. |
| # | # | - |
| rsa local-key-pair create | rsa local-key-pair create | Generate a local key pair. |
| # | # | - |
| user-interface vty 0 4 | user-interface vty 0 4 | - |
| authentication-mode aaa | authentication-mode aaa | - |
| protocol inbound ssh | protocol inbound ssh | Set the protocol type supported by VTY user interfaces to SSH. |
| # | # | - |
| stelnet server enable | stelnet server enable | Enable the STelnet service on an SSH server. |
| # | # | - |
| aaa | aaa | - |
| local-user client password irreversible-cipher Huawei@123 | local-user client password irreversible-cipher Huawei@123 | Create a user named client and set a password for the user, which must be the same as the STelnet user name and password used by the NMS. |
| local-user client level 3 | local-user client level 3 | - |
| local-user client service-type ssh | local-user client service-type ssh | Set the access type of the client user to SSH, which must be the same as the login protocol on the NMS. |
| # | # | - |
| ssh user client | ssh user client | Create an SSH user. |
| ssh user client authentication-type password | ssh user client authentication-type password | Set the authentication mode of the client user to password authentication, which must be the same as that on the NMS. |
| ssh user client service-type stelnet | ssh user client service-type stelnet | Set the service type of the SSH user client to STelnet. |
| set net-manager vpn-instance Management_out (or Management_in) | set net-manager vpn-instance Management_out (or Management_in) | Set the default VPN instance for the NMS to manage devices to Management_out. For in-band management, set it to Management_in. |
| # | # | - |
| lldp enable | lldp enable | Enable LLDP. |
| # | # | - |

- Configure VLANs for forwarding server and storage traffic.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| vlan batch 4002 4010 | vlan batch 4002 4010 | Create VLANs in batches. For example, configure VLAN 4002 for forwarding storage data and VLAN 4010 for access of management interfaces on network devices and BMC interfaces on servers. |
| # | # | - |

- Configure an active-active group of leaf nodes.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface 10GE1/0/48 | interface 10GE1/0/48 | Deploy an independent Layer 3 interconnection link between the two leaf nodes to function as the M-LAG heartbeat link. |
| undo portswitch | undo portswitch | - |
| ip binding vpn-instance Management_in | ip binding vpn-instance Management_in | The link should function as the bypass link when all uplinks fail and should be added to the VPN instance Management_in. |
| ip address 10.254.120.2 255.255.255.0 | ip address 10.254.120.3 255.255.255.0 | Configure IP addresses for interconnection. |
| m-lag unpaired-port reserved | m-lag unpaired-port reserved | Configure the interface not to enter the Error-Down state when the peer-link fails but DAD is normal. |
| # | # | - |
| stp tc-protection | stp tc-protection | Enable TC BPDU attack defense. |
| stp bpdu-protection | stp bpdu-protection | Enable BPDU attack defense. |
| stp mode rstp | stp mode rstp | Configure the working mode as RSTP. RSTP should be configured before the V-STP mode is configured. |
| stp bridge-address 1-1-2 | stp bridge-address 1-1-2 | Configure the bridge MAC address used by the device to calculate the spanning tree. The bridge MAC addresses of the two leaf nodes in an M-LAG must be the same. It is recommended that the system MAC address of one device be used as the bridge MAC address. The bridge MAC addresses of devices in different M-LAGs are different. |
| stp v-stp enable | stp v-stp enable | Configure the M-LAG in V-STP mode on the leaf nodes. |
| # | # | - |
| dfs-group 1 | dfs-group 1 | Configure DFS. |
| priority 150 | priority 100 | Set the priority of the DFS group. The default value is 100. |
| m-lag up-delay 240 auto-recovery interval 10 | m-lag up-delay 240 auto-recovery interval 10 | Configure the M-LAG member interfaces to go Up one by one at an interval of 10s after the delay. |
| source ip 10.254.120.2 vpn-instance Management_in peer 10.254.120.3 | source ip 10.254.120.3 vpn-instance Management_in peer 10.254.120.2 | Configure the address of an independent Layer 3 interconnection interface as the source address of the DFS group and add the interface to the VPN instance Management_in. |
| dual-active detection enhanced enable | dual-active detection enhanced enable | To enable enhanced DAD for secondary faults in an M-LAG scenario, configure the interfaces on the DAD link as reserved interfaces, and set the peer IP address of the DFS group. |
| # | # | - |
| interface Eth-Trunk0 | interface Eth-Trunk0 | Create an Eth-Trunk for the peer-link. |
| trunkport 40GE 1/0/1 | trunkport 40GE 1/0/1 | Deploy the peer-link on multiple links. If multiple cards are installed on the switch, the peer-link must be deployed on different cards. When the interfaces on a card are of different types, configure port speed decrease or bundle interfaces at different rates. (To bundle interfaces, run the lacp mixed-rate link enable command to forward packets after the interfaces are added to an Eth-Trunk interface in LACP mode, and run the distribute-weight command to configure the weight of load sharing for a member interface.) |
| trunkport 40GE 1/0/2 | trunkport 40GE 1/0/2 | |
| mode lacp-static | mode lacp-static | - |
| peer-link 1 | peer-link 1 | - |
| port vlan exclude 1 | port vlan exclude 1 | Configure the interface to reject packets from VLAN 1. |
| # | # | - |

- Configure links on the leaf nodes to connect to the spine nodes.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface Eth-Trunk100 | interface Eth-Trunk100 | Create an Eth-Trunk and configure physical interfaces. |
| description Linkto_Spine | description Linkto_Spine | - |
| trunkport 40GE 1/0/5 to 1/0/6 | trunkport 40GE 1/0/5 to 1/0/6 | - |
| port link-type trunk | port link-type trunk | - |
| undo port trunk allow-pass vlan 1 | undo port trunk allow-pass vlan 1 | Delete VLAN 1 from the Eth-Trunk. |
| port trunk allow-pass vlan 4002 4010 | port trunk allow-pass vlan 4002 4010 | Configure the interface to allow packets from specific VLANs to pass through. |
| mode lacp-static | mode lacp-static | Deploy the static LACP mode. |
| dfs-group 1 m-lag 100 | dfs-group 1 m-lag 100 | Configure an M-LAG. You are advised to set the M-LAG ID to the Eth-Trunk ID. |
| lacp timeout fast | lacp timeout fast | - |
| stp disable | stp disable | Disable the STP function to speed up network convergence. Perform the same configuration on the peer interface. Enabling the STP function will increase the convergence time by 1s to 2s. Enable STP on interfaces where no service is deployed. |
| # | # | - |

- Configure an interface to connect to the leaf node in single-homed mode. In this example, an interface is configured for BMC management interfaces on servers to connect to the leaf node in single-homed mode.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface 10GE 1/0/25 | - | Configure an interface for BMC management interfaces on servers to connect to the leaf node. |
| description Linkto_RAID_A_BMC | - | - |
| port default vlan 4010 | - | Add the interface to the VLAN created in step 4. |
| stp edged-port enable | - | Configure the interface as an STP edge interface. |
| storm suppression broadcast packets 1000 | - | Configure broadcast suppression on the access switch interface, limiting received broadcast traffic to 1000 pps. |
| storm suppression multicast packets 1000 | - | Configure multicast suppression on the access switch interface, limiting received multicast traffic to 1000 pps. |
| storm suppression unknown-unicast 5 | - | Configure unknown unicast suppression on the access switch interface. The recommended limit for unknown unicast traffic is 5% of the interface bandwidth. |
| # | - | - |

- Configure storage service access and server access on the leaf nodes.
- In the IP SAN storage service access scenario, add the service interfaces on controllers A and B to the same VLAN ID.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface 10GE 1/0/20 | interface 10GE 1/0/20 | Configure storage data access. |
| description Linkto_RAID_A_Data | description Linkto_RAID_A_Data | - |
| port default vlan 4002 | port default vlan 4002 | - |
| stp edged-port enable | stp edged-port enable | Configure the interface as an STP edge interface. |
| storm suppression broadcast packets 1000 | storm suppression broadcast packets 1000 | Configure broadcast suppression on the access switch interface, limiting received broadcast traffic to 1000 pps. |
| storm suppression multicast packets 1000 | storm suppression multicast packets 1000 | Configure multicast suppression on the access switch interface, limiting received multicast traffic to 1000 pps. |
| storm suppression unknown-unicast 5 | storm suppression unknown-unicast 5 | Configure unknown unicast suppression on the access switch interface. The recommended limit for unknown unicast traffic is 5% of the interface bandwidth. |
| # | # | - |
| interface 10GE 1/0/21 | interface 10GE 1/0/21 | Configure storage data access. |
| description Linkto_RAID_B_Data | description Linkto_RAID_B_Data | - |
| port default vlan 4002 | port default vlan 4002 | - |
| stp edged-port enable | stp edged-port enable | Configure the interface as an STP edge interface. |
| storm suppression broadcast packets 1000 | storm suppression broadcast packets 1000 | Configure broadcast suppression on the access switch interface, limiting received broadcast traffic to 1000 pps. |
| storm suppression multicast packets 1000 | storm suppression multicast packets 1000 | Configure multicast suppression on the access switch interface, limiting received multicast traffic to 1000 pps. |
| storm suppression unknown-unicast 5 | storm suppression unknown-unicast 5 | Configure unknown unicast suppression on the access switch interface. The recommended limit for unknown unicast traffic is 5% of the interface bandwidth. |
| # | # | - |

- Configure server access or cloud storage access in load sharing mode.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface Eth-Trunk22 | interface Eth-Trunk22 | Create an Eth-Trunk. |
| description Linkto_Server | description Linkto_Server | - |
| trunkport 10GE 1/0/22 | trunkport 10GE 1/0/22 | - |
| port link-type trunk | port link-type trunk | - |
| undo port trunk allow-pass vlan 1 | undo port trunk allow-pass vlan 1 | Delete VLAN 1 from the Eth-Trunk. |
| port trunk allow-pass vlan 4002 4010 | port trunk allow-pass vlan 4002 4010 | Configure the interface to allow packets from specific VLANs to pass through. |
| mode lacp-static | mode lacp-static | Configure the static LACP mode as required. |
| dfs-group 1 m-lag 22 | dfs-group 1 m-lag 22 | Configure an M-LAG. |
| stp edged-port enable | stp edged-port enable | Configure the interface as an STP edge interface. |
| # | # | - |
| interface 10GE 1/0/22 | interface 10GE 1/0/22 | Configure server access or storage data access. |
| description Linkto_Server | description Linkto_Server | - |
| storm suppression broadcast packets 1000 | storm suppression broadcast packets 1000 | Configure broadcast suppression on the access switch interface, limiting received broadcast traffic to 1000 pps. |
| storm suppression multicast packets 1000 | storm suppression multicast packets 1000 | Configure multicast suppression on the access switch interface, limiting received multicast traffic to 1000 pps. |
| storm suppression unknown-unicast 5 | storm suppression unknown-unicast 5 | Configure unknown unicast suppression on the access switch interface. The recommended limit for unknown unicast traffic is 5% of the interface bandwidth. |
| # | # | - |

- Perform the following configuration for server access or storage device access in active/standby mode or Layer 3 NIC access using an independent IP address in single-homed mode. (In this example, the IP addresses of the two network interfaces on the server or storage device are in the same subnet, and the active-active gateway configuration is the same as that in other scenarios.)

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| interface 10GE 1/0/23 | interface 10GE 1/0/23 | - |
| description Linkto_Server | description Linkto_Server | - |
| port link-type trunk | port link-type trunk | - |
| undo port trunk allow-pass vlan 1 | undo port trunk allow-pass vlan 1 | Delete VLAN 1 from the interface. |
| port trunk allow-pass vlan 4002 4010 | port trunk allow-pass vlan 4002 4010 | Configure the interface to allow packets from specific VLANs to pass through. |
| stp edged-port enable | stp edged-port enable | Configure the interface as an STP edge interface. |
| storm suppression broadcast packets 1000 | storm suppression broadcast packets 1000 | Configure broadcast suppression on the access switch interface, limiting received broadcast traffic to 1000 pps. |
| storm suppression multicast packets 1000 | storm suppression multicast packets 1000 | Configure multicast suppression on the access switch interface, limiting received multicast traffic to 1000 pps. |
| storm suppression unknown-unicast 5 | storm suppression unknown-unicast 5 | Configure unknown unicast suppression on the access switch interface. The recommended limit for unknown unicast traffic is 5% of the interface bandwidth. |
| # | # | - |

- Configure CRC and disable unused interfaces.

| Leaf-01-01 | Leaf-01-02 | Description |
|---|---|---|
| port-group group-member 10ge 1/0/1 to 10ge 1/0/18 | port-group group-member 10ge 1/0/1 to 10ge 1/0/18 | Create a temporary port group and add the unused physical interfaces to the port group. |
| shutdown | shutdown | Shut down the interfaces. |
| stp instance 0 cost 10000 | stp instance 0 cost 10000 | Increase the STP cost. |
| port link-type trunk | port link-type trunk | - |
| undo port trunk allow-pass vlan 1 | undo port trunk allow-pass vlan 1 | Delete VLAN 1 from the interfaces. |
| # | # | - |
| port-group group-member 40ge 1/0/1 to 40ge 1/0/6 | port-group group-member 40ge 1/0/1 to 40ge 1/0/6 | Create a temporary port group. CRC detection needs to be configured on all interfaces. |
| trap-threshold crc-statistics 100 interval 10 | trap-threshold crc-statistics 100 interval 10 | Set the alarm threshold of CRC error packets to 100 and the alarm interval to 10s. |
| port crc-statistics trigger error-down | port crc-statistics trigger error-down | Configure the interface to enter the Error-Down state when the number of received CRC error packets exceeds the threshold. In this way, services can be switched to the backup link in a timely manner, ensuring reliable data transmission. |
| # | # | - |
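
Several settings in this procedure are easy to get wrong when the commands are adapted per device: VPN instance names must match exactly between creation and use, management VPNs must not carry a default route, VTY lines must be AAA plus SSH only, SNMPv3 users must sit in a privacy-level group, trunks must drop VLAN 1, edge ports need all three storm-suppression limits, and the sample passwords shown in the tables must be replaced. The following Python check is an added example, not part of the original guide or of any Huawei tool; the function names `stanzas` and `audit`, the finding strings and the constructed `SAMPLE` script are assumptions made for illustration.

```python
import re

# Sample passwords printed in the guide; replace them before deployment.
SAMPLE_PASSWORDS = ("Huawei@123", "Admin@123", "Huawei12#$")
# Constructed script with deliberate faults (not taken from a real device).
SAMPLE = """\
ip vpn-instance Management_in
#
interface Vlanif 4010
ip binding vpn-instance Management-in
#
snmp-agent group v3 uhmroot privacy write-view myview notify-view myview
snmp-agent usm-user v3 uhmroot group dc-admin
#
user-interface vty 0 20
authentication-mode aaa
#
interface 10GE 1/0/23
port link-type trunk
stp edged-port enable
storm suppression broadcast packets 1000
"""

def stanzas(script):
    """Split a command script into stanzas (lists of lines) at '#' lines."""
    parts = re.split(r"(?m)^[ \t]*#[ \t]*$", script)
    blocks = [[l.strip() for l in p.splitlines() if l.strip()] for p in parts]
    return [b for b in blocks if b]

def audit(script):
    """Return sorted findings for one leaf node's command script."""
    found, blocks = set(), stanzas(script)
    lines = [l for b in blocks for l in b]
    defined = {l.split()[2] for l in lines if re.match(r"ip vpn-instance \S+$", l)}
    groups = {l.split()[3] for l in lines if re.match(r"snmp-agent group v3 \S+ privacy\b", l)}
    for l in lines:
        # Every referenced VPN instance must exist under exactly that name.
        m = re.search(r"vpn-instance (\S+)", l)
        if m and not l.startswith("ip vpn-instance ") and m.group(1) not in defined:
            found.add(f"undefined vpn-instance {m.group(1)}")
        # Management VPNs carry specific static routes, never a default route.
        if re.match(r"ip route-static vpn-instance \S+ 0\.0\.0\.0 ", l):
            found.add("default route in management vpn-instance")
        if any(p in l for p in SAMPLE_PASSWORDS):
            found.add("sample password from the guide still present")
        # An SNMPv3 user's group must be defined with the privacy level.
        m = re.match(r"snmp-agent usm-user v3 (\S+) group (\S+)", l)
        if m and m.group(2) not in groups:
            found.add(f"snmp user {m.group(1)}: group {m.group(2)} undefined or not privacy")
    for b in blocks:
        # VTY lines: AAA authentication and SSH only.
        if any(l.startswith("user-interface vty") for l in b):
            found.update(f"vty missing '{need}'" for need in
                         ("authentication-mode aaa", "protocol inbound ssh") if need not in b)
        if not b[0].startswith("interface "):
            continue
        if "port link-type trunk" in b and "undo port trunk allow-pass vlan 1" not in b:
            found.add(f"{b[0]}: VLAN 1 still allowed on trunk")
        # Physical edge ports need all three storm-suppression limits.
        if "stp edged-port enable" in b and "Eth-Trunk" not in b[0]:
            found.update(f"{b[0]}: no {k} storm suppression"
                         for k in ("broadcast", "multicast", "unknown-unicast")
                         if not any(l.startswith(f"storm suppression {k}") for l in b))
    return sorted(found)
```

Run `audit()` on the command script prepared for each leaf node before pasting it into the device; an empty list means none of these checks fired.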