Configuring Spine Nodes
Configuration Summary
No. | Configuration Task | No. | Configuration Task |
---|---|---|---|
Step 1 | | Step 6 | Configure links on the spine nodes to connect to the leaf nodes. |
Step 2 | | Step 7 | Configure the interconnection links between the spine nodes and firewalls. |
Step 3 | Configure the user name and password for device maintenance and management. | Step 8 | |
Step 4 | | Step 9 | |
Step 5 | | Step 10 | |
Procedure
- Configure the system resource mode.
Leaf-01-01
Leaf-01-02
Description
assign forward ipv6 longer-mask resource share-mode
assign forward ipv6 longer-mask resource share-mode
For the CE6857EI, CE6857E, CE6857F, CE6865EI, CE6865E, CE8861, and CE8868 running a V2 version, set the resource allocation mode to shared mode for IPv6 addresses or IPv6 routes with prefix lengths greater than 64 and less than 128. In this mode, IPv4 addresses/IPv4 routes and IPv6 addresses/IPv6 routes share chip resources.
The configuration takes effect only after the device is restarted.
- Configure basic device information.
Spine-01
Spine-02
Description
system-view immediately
system-view immediately
Enter the system view and set the immediate validation mode.
sysname Spine-01
sysname Spine-02
Name the spine nodes.
#
#
-
ip vpn-instance Management_out
ip vpn-instance Management_out
Create a dedicated out-of-band management VPN instance named Management_out.
ipv4-family
ipv4-family
route-distinguisher 11:40
route-distinguisher 12:40
ipv6-family
ipv6-family
route-distinguisher 11:40
route-distinguisher 12:40
#
#
-
interface MEth0/0/0
interface MEth0/0/0
Add MEth0/0/0 to the dedicated out-of-band management VPN instance.
ip binding vpn-instance Management_out
ip binding vpn-instance Management_out
ip address 192.168.21.18 24
ip address 192.168.21.19 24
Configure unique IPv4 addresses for management interfaces on the devices.
ipv6 enable
ipv6 address 2001:db8:21::18/64
ipv6 enable
ipv6 address 2001:db8:21::19/64
Configure unique IPv6 addresses for management interfaces on the devices.
#
#
-
ip vpn-instance Management_in
ip vpn-instance Management_in
Create a VPN instance named Management_in for in-band management.
ipv4-family
ipv4-family
route-distinguisher 11:41
route-distinguisher 12:41
ipv6-family
ipv6-family
route-distinguisher 11:41
route-distinguisher 12:41
#
#
-
vlan reserved for main-interface 4050 to 4060
vlan reserved for main-interface 4050 to 4060
This configuration is required only on the CE6856HI, CE6857EI, CE6857E, CE6857F, CE6865EI, CE6865E, CE8850E-32CQ-EI, CE8861EI, and CE8868EI.
Configure reserved VLANs for Layer 3 main interfaces. VLANs 4050 to 4060 are recommended.
By default, VLANs 4064 to 4094 are used as reserved VLANs on the CE switch. The reserved VLANs are used as channels of the internal control plane and bearer channels for user service data of some features.
On the CE6856HI, CE6857EI, CE6857E, CE6857F, CE6865EI, CE6865E, CE8850E-32CQ-EI, CE8861EI, and CE8868EI, if an interface needs to be switched to a Layer 3 interface, the running Layer 3 interface occupies additional VLAN resources. You need to run the vlan reserved for main-interface startvlanid to endvlanid command to configure dedicated VLANs for the Layer 3 interface. Otherwise, the interface cannot be switched to a Layer 3 interface.
startvlanid and endvlanid in the command must be different from the existing reserved VLAN IDs in the system. Do not plan the reserved VLANs and VLANs defined in this command for other services.
#
#
-
In-Band Management Configuration
Spine-01
Spine-02
Description
interface Loopback0
interface Loopback0
Configure the loopback interface as the inband management address.
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
-
ip address 10.88.21.52 255.255.255.255
ip address 10.88.21.53 255.255.255.255
-
ipv6 enable
ipv6 address fc00:88:21::52 64
ipv6 enable
ipv6 address fc00:88:21::53 64
-
#
#
-
interface Eth-Trunk1
interface Eth-Trunk1
Backup path of the uplink Layer 3 link of the service network.
undo portswitch
undo portswitch
-
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
-
ip address 10.254.122.2 255.255.255.0
ip address 10.254.122.3 255.255.255.0
Spine nodes manage loopback IPv4 addresses. Direct Layer 3 links function as DAD links.
ipv6 enable
ipv6 address fc00:254:122::2/64
ipv6 enable
ipv6 address fc00:254:122::3/64
Spine nodes manage loopback IPv6 addresses. Direct Layer 3 links function as DAD links.
m-lag unpaired-port reserved
m-lag unpaired-port reserved
Configure an interface not to enter the Error-Down state when the peer-link is faulty but DAD is normal.
#
#
-
interface 40GE1/0/3
interface 40GE1/0/3
-
eth-trunk 1
eth-trunk 1
Add the DAD link to the Eth-Trunk interface.
#
#
-
interface 40GE2/0/3
interface 40GE2/0/3
-
eth-trunk 1
eth-trunk 1
Add the DAD link to the Eth-Trunk interface.
#
#
-
ip route-static vpn-instance Management_in 10.88.21.53 255.255.255.255 10.254.122.3 preference 120
ip route-static vpn-instance Management_in 10.88.21.52 255.255.255.255 10.254.122.2 preference 120
Configure an IPv4 route to the in-band management address of the interconnected spine node.
ipv6 route-static vpn-instance Management_in fc00:88:21::53 64 fc00:254:122::3 preference 120
ipv6 route-static vpn-instance Management_in fc00:88:21::52 64 fc00:254:122::2 preference 120
Configure an IPv6 route to the in-band management address of the interconnected spine node.
#
#
-
- Configure the user name and password for device maintenance and management.
Spine-01
Spine-02
Description
user-interface console 0
user-interface console 0
Configure a console port login password to improve security. This configuration is mandatory.
authentication-mode password
authentication-mode password
set authentication password cipher Myrhgl@131
set authentication password cipher Myrhgl@131
#
#
-
user-interface maximum-vty 21
user-interface maximum-vty 21
Set the maximum number of VTY user interfaces to 21.
user-interface vty 0 20
user-interface vty 0 20
-
authentication-mode aaa
authentication-mode aaa
Set the authentication mode to AAA.
user privilege level 3
user privilege level 3
Set the user level to 3.
protocol inbound ssh
protocol inbound ssh
Specify the SSH protocol to improve security.
#
#
-
stelnet server enable
stelnet server enable
Enable the STelnet service on an SSH server.
#
#
-
aaa
aaa
Enter the AAA view.
local-user huawei password irreversible-cipher Myrhgl@520
local-user huawei password irreversible-cipher Myrhgl@520
Set the local user name to huawei and password to Myrhgl@520 for an administrator to log in to and maintain the device.
local-user huawei service-type ssh
local-user huawei service-type ssh
Specify the SSH protocol.
CE device running a V2 version:
local-user huawei level 3
CE device running a V3 version:
local-user huawei privilege level 3
CE device running a V2 version:
local-user huawei level 3
CE device running a V3 version:
local-user huawei privilege level 3
Set the user level of the huawei user.
#
#
-
ssh user huawei
ssh user huawei
Create an SSH user.
ssh user huawei authentication-type password
ssh user huawei authentication-type password
-
ssh user huawei service-type stelnet
ssh user huawei service-type stelnet
-
ssh server-source -i Meth0/0/0
ssh server-source -i Meth0/0/0
Specify the source interface of the SSH server (for example, use the MEth interface for out-of-band management) to restrict logins and improve security.
If in-band management is used, you need to configure the in-band management interface Loopback0.
If the device is upgraded from V200R005C20 to V200R019C10, this configuration is not required. If the device running V200R019C10 or a later version is deployed, perform this configuration.
ssh ipv6 server-source -a 2001:db8:21::18 -vpn-instance Management_out
ssh ipv6 server-source -a 2001:db8:21::19 -vpn-instance Management_out
Specify the source IP address of the SSH server to restrict logins and improve security. For out-of-band management, enter the MEth interface address and VPN instance. For in-band management, use the IPv6 address of the in-band management interface (Vlanif4010).
- Configure VLANs for forwarding server and storage traffic.
Spine-01
Spine-02
Description
vlan batch 4002 4010
vlan batch 4002 4010
Create VLANs in batches.
#
#
-
vlan 4002
vlan 4002
-
description StorageData
description StorageData
Configure a service VLAN. Here, VLAN 4002 is used as an example.
#
#
-
vlan 4010
vlan 4010
-
description Server_BMC
description Server_BMC
Configure a remote management network plane where management interfaces of network devices and BMC interfaces of servers are located.
#
#
-
interface Vlanif4010
interface Vlanif4010
Create a VLANIF interface for the leaf nodes to provide in-band management and use the IP address of the interface as the management gateway address for BMC interfaces of servers.
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
Add the interface to the VPN instance Management_in.
ip address 10.130.21.254 255.255.255.0
ip address 10.130.21.254 255.255.255.0
Configure an IPv4 address.
CE device running a V2 version:
ipv6 enable
ipv6 address fc00:130:21::254/64
CE device running a V3 version:
ipv6 enable
ipv6 address fc00:130:21::254/64
ipv6 nd na glean
CE device running a V2 version:
ipv6 enable
ipv6 address fc00:130:21::254/64
CE device running a V3 version:
ipv6 enable
ipv6 address fc00:130:21::254/64
ipv6 nd na glean
Configure an IPv6 address.
An M-LAG IPv6 active-active gateway running V3 must be configured to generate ND entries after receiving an NA message.
mac-address 0000-5e00-0113
mac-address 0000-5e00-0113
Specify the MAC address of the VLANIF interface. The MAC address cannot be all 0s, all 1s, or a multicast MAC address. The MAC address range varies depending on the device model, which will be described later in this section.
#
#
-
- Deploy active-active service gateways.
Spine-01
Spine-02
Description
interface Vlanif4002
interface Vlanif4002
Configure a VLANIF interface. Here, VLANIF interface 4002 is used as an example.
ip address 10.130.22.254 255.255.255.0
ip address 10.130.22.254 255.255.255.0
Configure gateway addresses. Plan the VPN as required. The following uses public as an example.
CE device running a V2 version:
ipv6 enable
ipv6 address fc00:130:22::254/64
CE device running a V3 version:
ipv6 enable
ipv6 address fc00:130:22::254/64
ipv6 nd na glean
CE device running a V2 version:
ipv6 enable
ipv6 address fc00:130:22::254/64
CE device running a V3 version:
ipv6 enable
ipv6 address fc00:130:22::254/64
ipv6 nd na glean
Configure gateway addresses. Plan the VPN as required. The following uses public as an example.
An M-LAG IPv6 active-active gateway running V3 must be configured to generate ND entries after receiving an NA message.
mac-address 0000-5e00-0112
mac-address 0000-5e00-0112
Specify the MAC address of the VLANIF interface. The MAC address cannot be all 0s, all 1s, or a multicast MAC address. The MAC address range varies depending on the device model, which will be described later in this section.
#
#
-
In this document, M-LAG networking is used, and virtual MAC addresses must be configured. The MAC address range varies depending on the device model.
- For a fixed switch running a V2 version, see mac-address (VLANIF interface view) in the product documentation.
- For a CE12800 series switch running a V2 version, see mac-address (VLANIF interface view) in the product documentation.
- For a CE16800 series switch running a V2 version, see mac-address (VLANIF interface view) in the product documentation.
- For a fixed switch running a V3 version, see mac-address in the product documentation.
- For a CE16800 series switch running a V3 version, see mac-address in the product documentation.
- Configure an active-active group of spine nodes.
Spine-01
Spine-02
Description
stp tc-protection
stp tc-protection
Configure STP TC BPDU attack defense.
stp mode rstp
stp mode rstp
Configure the working mode as RSTP. RSTP should be configured before the V-STP mode is configured.
stp root primary
stp root primary
Configure the device as the root bridge of the spanning tree.
stp bridge-address 1-1-1
stp bridge-address 1-1-1
Configure the bridge MAC address used by the device to calculate the spanning tree. The bridge MAC addresses of the two spine nodes in an M-LAG must be the same. It is recommended that the system MAC address of one device be used as the bridge MAC address. The bridge MAC addresses of devices in different M-LAGs are different.
stp v-stp enable
stp v-stp enable
Configure the M-LAG in V-STP mode on MS-TOR switches.
#
#
-
dfs-group 1
dfs-group 1
Configure a DFS group.
priority 150
priority 100
Set the priority of the DFS group. The default value is 100.
m-lag up-delay 240 auto-recovery interval 10
m-lag up-delay 240 auto-recovery interval 10
Configure the M-LAG member interfaces to go Up one by one at an interval of 10s after the delay.
Device running a V2 version:
source ip 10.254.122.2 vpn-instance Management_in peer 10.254.122.3
Device running a V3 version:
dual-active detection source ip 10.254.122.2 vpn-instance Management_in peer 10.254.122.3
Device running a V2 version:
source ip 10.254.122.3 vpn-instance Management_in peer 10.254.122.2
Device running a V3 version:
dual-active detection source ip 10.254.122.3 vpn-instance Management_in peer 10.254.122.2
(Either IPv4 or IPv6) Use the IP address of the Layer 3 interconnection interface as the DFS source address and specify the peer IP address.
Device running a V2 version:
source ipv6 fc00:254:122::2 vpn-instance Management_in peer fc00:254:122::3
Device running a V3 version:
dual-active detection source ipv6 fc00:254:122::2 vpn-instance Management_in peer fc00:254:122::3
Device running a V2 version:
source ipv6 fc00:254:122::3 vpn-instance Management_in peer fc00:254:122::2
Device running a V3 version:
dual-active detection source ipv6 fc00:254:122::3 vpn-instance Management_in peer fc00:254:122::2
Device running a V2 version:
dual-active detection enhanced enable
Device running a V3 version: N/A
Device running a V2 version:
dual-active detection enhanced enable
Device running a V3 version: N/A
Enable enhanced DAD for double-fault failures in an M-LAG scenario. Before enabling this function, you need to configure the interfaces on the DAD link as reserved interfaces, and set the peer IP address of the DFS group.
Device running a V2 version: N/A
Device running a V3 version:
authentication-mode hmac-sha256 password Myrhgl@1314
Device running a V2 version: N/A
Device running a V3 version:
authentication-mode hmac-sha256 password Myrhgl@1314
Configure the authentication mode and password for DFS group synchronization packets.
#
#
-
interface Eth-Trunk0
interface Eth-Trunk0
Create an Eth-Trunk for the peer-link.
trunkport 40GE 1/0/1
trunkport 40GE 1/0/1
Deploy the peer-link on multiple links. If multiple cards are installed on the switch, the peer-link must be deployed on different cards. When the interfaces on a card are of different types, configure port speed decrease or bundle interfaces at different rates. (To bundle interfaces, run the lacp mixed-rate link enable command to forward packets after the interfaces are added to an Eth-Trunk interface in LACP mode, and run the distribute-weight command to configure the weight of load sharing for a member interface.)
trunkport 40GE 2/0/1
trunkport 40GE 2/0/1
mode lacp-static
mode lacp-static
-
peer-link 1
peer-link 1
-
port vlan exclude 1
port vlan exclude 1
Configure the interface to reject packets from VLAN 1.
#
#
-
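The M-LAG rules stated above (a VLANIF MAC address that is not all 0s, all 1s, or multicast; the same bridge MAC address on both spine nodes; DAD source and peer addresses that mirror each other) can be checked across the two peers' configurations. The following Python check is an added example, not code from the original page or from Huawei. `check_pair`, its helpers and the sample configurations are constructed here, and the expectation that both peers carry the same VLANIF MAC and IPv4 gateway address is taken from this page's sample values.

```python
import re


def parse_mac(text):
    """Convert H-H-H notation (leading zeros optional) to a 48-bit integer."""
    parts = text.split("-")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", p) for p in parts):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return int("".join(p.zfill(4) for p in parts), 16)


def mac_problem(text):
    """Name the rule a VLANIF MAC breaks, or return None if it is usable."""
    value = parse_mac(text)
    if value == 0:
        return "all 0s"
    if value == 0xFFFFFFFFFFFF:
        return "all 1s"
    if (value >> 40) & 1:  # group bit of the first octet
        return "multicast"
    return None


def facts(config):
    """Collect the M-LAG-relevant settings from one spine's configuration."""
    out = {"bridge": None, "dad": None, "vlanif": {}}
    ctx = ""  # current top-level command (sub-commands are indented)
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = line
        m = re.match(r"stp bridge-address (\S+)", line)
        if m:
            out["bridge"] = parse_mac(m.group(1))
        # Matches both the V2 form and the V3 "dual-active detection" form.
        m = re.search(r"source (?:ip|ipv6) (\S+) vpn-instance (\S+) peer (\S+)", line)
        if m and ctx.startswith("dfs-group"):
            out["dad"] = m.groups()  # (source, vpn-instance, peer)
        if ctx.startswith("interface Vlanif"):
            entry = out["vlanif"].setdefault(ctx.split("Vlanif")[1], {})
            m = re.match(r"(mac-address|ip address) (.+)", line)
            if m:
                entry[m.group(1)] = m.group(2)
    return out


def check_pair(cfg_a, cfg_b):
    """Compare two M-LAG peers and return a list of findings."""
    a, b = facts(cfg_a), facts(cfg_b)
    findings = []
    if a["bridge"] is None or a["bridge"] != b["bridge"]:
        findings.append("stp bridge-address missing or different on the two peers")
    if not a["dad"] or not b["dad"]:
        findings.append("DAD source and peer are not configured in the DFS group")
    elif (a["dad"][0], a["dad"][1], a["dad"][2]) != (b["dad"][2], b["dad"][1], b["dad"][0]):
        findings.append("DAD source and peer addresses are not mirrored")
    for vid in sorted(set(a["vlanif"]) | set(b["vlanif"])):
        ea, eb = a["vlanif"].get(vid, {}), b["vlanif"].get(vid, {})
        ma, mb = ea.get("mac-address"), eb.get("mac-address")
        if not ma or not mb or parse_mac(ma) != parse_mac(mb):
            findings.append(f"Vlanif{vid}: virtual MAC missing or different")
        elif mac_problem(ma):
            findings.append(f"Vlanif{vid}: virtual MAC is {mac_problem(ma)}")
        if ea.get("ip address") != eb.get("ip address"):
            findings.append(f"Vlanif{vid}: IPv4 gateway address differs")
    return findings


def sample(source, peer):
    """Constructed configuration in saved-file layout, using this page's values."""
    return f"""\
stp bridge-address 1-1-1
#
dfs-group 1
 dual-active detection source ip {source} vpn-instance Management_in peer {peer}
#
interface Vlanif4002
 ip address 10.130.22.254 255.255.255.0
 mac-address 0000-5e00-0112
#
interface Vlanif4010
 ip binding vpn-instance Management_in
 ip address 10.130.21.254 255.255.255.0
 mac-address 0000-5e00-0113
#
"""


SPINE_01 = sample("10.254.122.2", "10.254.122.3")
SPINE_02 = sample("10.254.122.3", "10.254.122.2")

if __name__ == "__main__":
    print(check_pair(SPINE_01, SPINE_02) or "M-LAG pair is consistent")
```

The DAD pattern assumes the `vpn-instance` keyword is present, as it is in every DAD command on this page.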
- Configure links on the spine nodes to connect to the leaf nodes.
Spine-01
Spine-02
Description
interface Eth-Trunk102
interface Eth-Trunk102
Create an Eth-Trunk.
description Linkto_Leaf6855
description Linkto_Leaf6855
-
trunkport 40GE 1/0/8 to 1/0/9
trunkport 40GE 1/0/8 to 1/0/9
When multiple cards are installed on the switch, the member interfaces of the Eth-Trunk should be deployed across cards.
port link-type trunk
port link-type trunk
-
undo port trunk allow-pass vlan 1
undo port trunk allow-pass vlan 1
Delete VLAN 1 from the Eth-Trunk interface.
port trunk allow-pass vlan 4002 4010
port trunk allow-pass vlan 4002 4010
-
mode lacp-static
mode lacp-static
-
dfs-group 1 m-lag 102
dfs-group 1 m-lag 102
-
lacp timeout fast
lacp timeout fast
-
stp disable
stp disable
Disable the STP function to speed up network convergence. Perform the same configuration on the peer interface.
Enabling the STP function will increase the convergence time by 1s to 2s.
#
#
-
- Configure the interconnection links between the spine nodes and firewalls.
Spine-01
Spine-02
Description
vlan 1001
vlan 1001
Create a service VLAN for interconnecting with the firewalls.
#
#
-
interface Vlanif1001
interface Vlanif1001
Create a VLANIF interface for interconnecting with the firewalls.
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
Configure the VPN as required. Management_in is used as an example.
ip address 172.172.0.1 255.255.255.248
ip address 172.172.0.1 255.255.255.248
Configure an IPv4 address.
Device running a V2 version:
ipv6 enable
ipv6 address fc00:172:1::1/64
Device running a V3 version:
ipv6 enable
ipv6 address fc00:172:1::1/64
ipv6 nd na glean
Device running a V2 version:
ipv6 enable
ipv6 address fc00:172:1::1/64
Device running a V3 version:
ipv6 enable
ipv6 address fc00:172:1::1/64
ipv6 nd na glean
Configure an IPv6 address.
An M-LAG IPv6 active-active gateway running V3 must be configured to generate ND entries after receiving an NA message.
mac-address 0000-5e00-0101
mac-address 0000-5e00-0101
-
#
#
-
interface Eth-Trunk11
interface Eth-Trunk11
Configure an interface for interconnecting with the active firewall.
description Linkto_FW1
description Linkto_FW1
-
trunkport 40GE 1/0/11
trunkport 40GE 1/0/11
-
port link-type trunk
port link-type trunk
-
undo port trunk allow-pass vlan 1
undo port trunk allow-pass vlan 1
Delete VLAN 1 from the Eth-Trunk interface.
port trunk allow-pass vlan 1001
port trunk allow-pass vlan 1001
-
mode lacp-static
mode lacp-static
-
dfs-group 1 m-lag 11
dfs-group 1 m-lag 11
-
lacp timeout fast
lacp timeout fast
-
stp edged-port enable
stp edged-port enable
Configure the interface as an STP edge interface. (Generally, firewalls do not support STP. Configure edge interfaces to speed up convergence.)
#
#
-
interface Eth-Trunk12
interface Eth-Trunk12
Configure an interface for interconnecting with the standby firewall.
description Linkto_FW2
description Linkto_FW2
-
trunkport 40GE 1/0/12
trunkport 40GE 1/0/12
-
port link-type trunk
port link-type trunk
-
undo port trunk allow-pass vlan 1
undo port trunk allow-pass vlan 1
Delete VLAN 1 from the Eth-Trunk interface.
port trunk allow-pass vlan 1001
port trunk allow-pass vlan 1001
-
mode lacp-static
mode lacp-static
-
dfs-group 1 m-lag 12
dfs-group 1 m-lag 12
-
lacp timeout fast
lacp timeout fast
-
stp edged-port enable
stp edged-port enable
Configure the interface as an STP edge interface.
#
#
-
- Configure the spine nodes to connect to the NMS.
Spine-01
Spine-02
Description
interface Loopback0
interface Loopback0
Create Loopback0 and configure its IP address as the in-band management IP address. Add Loopback0 to the VPN instance Management_in. You do not need to perform this operation if out-of-band management is used.
In in-band management mode, the standby device cannot be managed due to DAD when the peer-link fails.
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
ip address 10.130.21.52 255.255.255.255
ip address 10.130.21.53 255.255.255.255
ipv6 enable
ipv6 address fc00:130:21::52/128
ipv6 enable
ipv6 address fc00:130:21::53/128
Configure an IPv6 address as the IP address for inband management.
#
#
-
snmp-agent
snmp-agent
Enable the SNMP agent.
snmp-agent sys-info version v3
snmp-agent sys-info version v3
Set the SNMP version to SNMPv3, which must be the same as the SNMP version used by the NMS.
snmp-agent mib-view included myview iso
snmp-agent mib-view included myview iso
Configure the MIB view that can be accessed by the NMS. To ensure that the NMS can manage devices normally (for example, discovering device links based on LLDP), the MIB view must contain the iso node.
snmp-agent group v3 uhmroot privacy write-view myview notify-view myview
snmp-agent group v3 uhmroot privacy write-view myview notify-view myview
-
snmp-agent usm-user v3 uhmroot group dc-admin
snmp-agent usm-user v3 uhmroot group dc-admin
Set the SNMPv3 user name to uhmroot, which must be the same as the security name on the NMS.
snmp-agent usm-user v3 uhmroot authentication-mode sha
snmp-agent usm-user v3 uhmroot authentication-mode sha
Configure the authentication mode and password for the uhmroot user, which must correspond to the authentication protocol and password on the NMS.
Myrhgl12#$
Myrhgl12#$
-
Myrhgl12#$
Myrhgl12#$
-
snmp-agent usm-user v3 uhmroot privacy-mode aes256
snmp-agent usm-user v3 uhmroot privacy-mode aes256
Set the encryption mode and password of the uhmroot user, which must correspond to the privacy protocol and encryption password on the NMS.
Myrhgl12#$
Myrhgl12#$
-
Myrhgl12#$
Myrhgl12#$
-
#
#
-
snmp-agent trap enable
snmp-agent trap enable
Enable the trap function for all modules. By default, the trap function of some modules is disabled.
snmp-agent trap source MEth0/0/0
snmp-agent trap source MEth0/0/0
For out-of-band management, set the source interface for sending traps to MEth0/0/0.
For in-band management, configure Loopback0 for sending traps.
#
#
-
snmp-agent protocol source-interface MEth0/0/0
snmp-agent protocol source-interface MEth0/0/0
Specify the source interface used by SNMP to receive and respond to request packets from the NMS or controller.
For in-band management, specify Loopback0 as the source interface.
If the device is upgraded from V200R005C20 to V200R019C10, this configuration is not required. If the device running V200R019C10 or a later version is deployed, perform this configuration.
#
#
-
rsa local-key-pair create
rsa local-key-pair create
Generate a local key pair.
#
#
-
user-interface vty 0 4
user-interface vty 0 4
-
authentication-mode aaa
authentication-mode aaa
-
protocol inbound ssh
protocol inbound ssh
Set the protocol type supported by VTY user interfaces to SSH.
#
#
-
stelnet server enable
stelnet server enable
Enable the STelnet service on an SSH server.
#
#
-
aaa
aaa
-
local-user client password irreversible-cipher Myrhgl@131
local-user client password irreversible-cipher Myrhgl@131
Create a user named client and set a password for the user, which must be the same as the STelnet user name and password used by the NMS.
CE device running a V2 version:
local-user client level 3
CE device running a V3 version:
local-user client privilege level 3
CE device running a V2 version:
local-user client level 3
CE device running a V3 version:
local-user client privilege level 3
Set the user level of the client user.
local-user client service-type ssh
local-user client service-type ssh
Set the access type of the client user to SSH, which must be the same as the login protocol on the NMS.
#
#
-
ssh user client
ssh user client
Create an SSH user.
ssh user client authentication-type password
ssh user client authentication-type password
Set the authentication mode of the client user to password authentication, which must be the same as that on the NMS.
ssh user client service-type stelnet
ssh user client service-type stelnet
Set the service type of the SSH user client to STelnet.
set net-manager vpn-instance Management_out
set net-manager vpn-instance Management_out
Set the default VPN instance for the NMS to manage devices to Management_out. For in-band management, set it to Management_in.
#
#
-
lldp enable
lldp enable
Enable LLDP.
#
#
-
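The management-plane settings in the preceding steps (AAA and SSH-only VTY lines, STelnet, SSH source binding, SNMPv3 with privacy, VLAN 1 removed from trunks, and VPN instance names that resolve) can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the original page or of Huawei's tooling. The `stanzas` and `audit` helpers and the sample configuration are constructed for illustration, and the parser assumes the one-space-indented layout of a saved configuration file.

```python
import re

# Constructed sample built from commands on this page. Two defects are planted:
# a hyphenated VPN instance name and an SNMPv3 user whose group is never defined.
SAMPLE = """\
ip vpn-instance Management_in
 ipv4-family
  route-distinguisher 11:41
#
interface Loopback0
 ip binding vpn-instance Management-in
 ip address 10.88.21.52 255.255.255.255
#
interface Eth-Trunk102
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 4002 4010
#
stelnet server enable
ssh server-source -i MEth0/0/0
#
snmp-agent sys-info version v3
snmp-agent group v3 uhmroot privacy write-view myview notify-view myview
snmp-agent usm-user v3 uhmroot group dc-admin
#
user-interface vty 0 20
 authentication-mode aaa
 protocol inbound ssh
#
"""


def stanzas(text):
    """Split a configuration into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit(text):
    """Return a list of findings for the management-plane settings."""
    blocks = stanzas(text)
    heads = [head for head, _ in blocks]
    findings = []

    # Every referenced VPN instance must be created with "ip vpn-instance".
    defined = {h.split()[2] for h in heads if h.startswith("ip vpn-instance ")}
    for head, body in blocks:
        if head.startswith("ip vpn-instance "):
            continue
        for cmd in [head] + body:
            for name in re.findall(r"vpn-instance (\S+)", cmd):
                if name not in defined:
                    findings.append(f"undefined vpn-instance {name!r}: {cmd}")

    for head, body in blocks:
        if head.startswith("user-interface vty"):
            if "authentication-mode aaa" not in body:
                findings.append(f"{head}: authentication mode is not aaa")
            if "protocol inbound ssh" not in body:
                findings.append(f"{head}: inbound protocol is not limited to ssh")
        trunk = head.startswith("interface Eth-Trunk") and "port link-type trunk" in body
        if trunk and "undo port trunk allow-pass vlan 1" not in body:
            findings.append(f"{head}: VLAN 1 is still allowed on the trunk")

    if "stelnet server enable" not in heads:
        findings.append("STelnet server is not enabled")
    if not any(re.match(r"ssh (ipv6 )?server-source ", h) for h in heads):
        findings.append("SSH server has no source interface or address")

    # SNMP: v3 only, groups at the privacy level, users in defined groups.
    groups = dict(re.findall(r"^snmp-agent group v3 (\S+) (\S+)", text, re.M))
    for h in heads:
        if h.startswith("snmp-agent sys-info version") and h.split()[3:] != ["v3"]:
            findings.append(f"SNMP versions other than v3 enabled: {h}")
        m = re.match(r"snmp-agent usm-user v3 (\S+) group (\S+)", h)
        if m and m.group(2) not in groups:
            findings.append(f"SNMPv3 user {m.group(1)} is in undefined group {m.group(2)}")
    findings += [f"SNMPv3 group {g} does not require privacy"
                 for g, level in groups.items() if level != "privacy"]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```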
- Configure an egress network of spine nodes.
- Static routes with traffic passing through a firewall in bypass mode
Spine-01
Spine-02
Description
ip vpn-instance Ext_out
ip vpn-instance Ext_out
Create an external interconnection VPN named Ext_out for connecting the spine nodes and PEs.
ipv4-family
ipv4-family
route-distinguisher 11:43
route-distinguisher 12:43
ipv6-family
ipv6-family
route-distinguisher 11:43
route-distinguisher 12:43
#
#
-
interface Eth-trunk1.1
interface Eth-trunk1.1
Configure a Layer 3 backup uplink on the management network, which is the same as the physical link for DAD.
ip binding vpn-instance Ext_out
ip binding vpn-instance Ext_out
-
ip address 10.254.122.2 255.255.255.0
ip address 10.254.122.3 255.255.255.0
Configure an IPv4 address.
ipv6 enable
ipv6 address fc00:254:122::2/64
ipv6 enable
ipv6 address fc00:254:122::3/64
Configure an IPv6 address.
dot1q termination vid 2001
dot1q termination vid 2001
-
#
#
-
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure the management network to connect to the PEs. The configuration method is the same as that for the uplink solution of a service network. The configuration of a management network is used as an example.
Deploy the uplink and DAD link on different cards to prevent Layer 3 traffic forwarding failures upon card faults.
description Linkto_PE
description Linkto_PE
undo portswitch
undo portswitch
ip binding vpn-instance Ext_out
ip binding vpn-instance Ext_out
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0
ipv6 enable
ipv6 address fc00:16:1::1/64
ipv6 enable
ipv6 address fc00:16:2::1/64
Configure an IPv6 address.
#
#
-
vlan 1002
vlan 1002
Create a VLAN corresponding to the egress VPN for interconnecting with the firewalls.
#
#
-
interface Vlanif1002
interface Vlanif1002
Create a VLANIF interface corresponding to the egress VPN for interconnecting with the firewalls.
ip binding vpn-instance Ext_out
ip binding vpn-instance Ext_out
-
ip address 172.172.0.1 255.255.255.248
ip address 172.172.0.1 255.255.255.248
Configure an IPv4 address.
ipv6 enable
ipv6 address fc00:172:2::1/64
ipv6 enable
ipv6 address fc00:172:2::1/64
Configure an IPv6 address.
mac-address 0000-5e00-0101
mac-address 0000-5e00-0101
-
#
#
-
interface Eth-Trunk11
interface Eth-Trunk11
Add the interface for interconnecting with the active firewall to the corresponding VLAN.
port trunk allow-pass vlan 1002
port trunk allow-pass vlan 1002
#
#
-
interface Eth-Trunk12
interface Eth-Trunk12
Add the interface for interconnecting with the standby firewall to the corresponding VLAN.
port trunk allow-pass vlan 1002
port trunk allow-pass vlan 1002
#
#
-
ip route-static vpn-instance Ext_out 0.0.0.0 0.0.0.0 172.16.1.2 preference 120
ip route-static vpn-instance Ext_out 0.0.0.0 0.0.0.0 172.16.2.2 preference 120
Configure a static route to a PE in the external interconnection VPN, and set a higher priority for the route.
ipv6 route-static vpn-instance Ext_out :: 0 fc00:16:1::2 preference 120
ipv6 route-static vpn-instance Ext_out :: 0 fc00:16:2::2 preference 120
ip route-static vpn-instance Ext_out 0.0.0.0 0.0.0.0 10.254.122.3 preference 150
ip route-static vpn-instance Ext_out 0.0.0.0 0.0.0.0 10.254.122.2 preference 150
Configure a bypass link in the external interconnection VPN, configure it to use the same physical link as the DAD link, and set a lower priority for the link.
ipv6 route-static vpn-instance Ext_out :: 0 fc00:254:122::3 preference 150
ipv6 route-static vpn-instance Ext_out :: 0 fc00:254:122::2 preference 150
#
#
-
ip route-static vpn-instance Ext_out 10.88.21.0 24 172.172.0.2 preference 120
ip route-static vpn-instance Ext_out 10.130.21.0 24 172.172.0.2 preference 120
ip route-static vpn-instance Ext_out 10.130.22.0 24 172.172.0.2 preference 120
ip route-static vpn-instance Ext_out 10.88.21.0 24 172.172.0.2 preference 120
ip route-static vpn-instance Ext_out 10.130.21.0 24 172.172.0.2 preference 120
ip route-static vpn-instance Ext_out 10.130.22.0 24 172.172.0.2 preference 120
Configure a return route to the internal network segment in the external interconnection VPN, and set the next hop to the firewall.
ipv6 route-static vpn-instance Ext_out fc00:88:21:: 64 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Ext_out fc00:130:21:: 64 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Ext_out fc00:130:22:: 64 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Ext_out fc00:88:21:: 64 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Ext_out fc00:130:21:: 64 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Ext_out fc00:130:22:: 64 fc00:172:1::2 preference 120
#
#
-
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 172.172.0.2 preference 120
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 172.172.0.2 preference 120
Configure a static route to the firewall in the management VPN.
ipv6 route-static vpn-instance Management_in :: 0 fc00:172:1::2 preference 120
ipv6 route-static vpn-instance Management_in :: 0 fc00:172:1::2 preference 120
#
#
-
- Static routes exclusively occupying a VPN
Spine-01
Spine-02
Description
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure the management network to connect to the PEs. The configuration method is the same as that for the uplink solution of a service network. The configuration of a management network is used as an example.
Deploy the uplink and DAD link on different cards to prevent Layer 3 traffic forwarding failures upon card faults.
description Linkto_PE
description Linkto_PE
undo portswitch
undo portswitch
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0
ipv6 enable
ipv6 address fc00:16:1::1/64
ipv6 enable
ipv6 address fc00:16:2::1/64
Configure an IPv6 address.
#
#
-
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 172.16.1.2 preference 120
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 172.16.2.2 preference 120
Configure a static route to a PE, and set a higher priority for the route.
ipv6 route-static vpn-instance Management_in :: 0 fc00:16:1::2 preference 120
ipv6 route-static vpn-instance Management_in :: 0 fc00:16:2::2 preference 120
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 10.254.122.3 preference 150
ip route-static vpn-instance Management_in 0.0.0.0 0.0.0.0 10.254.122.2 preference 150
Configure a bypass link, and set a lower priority for the link.
ipv6 route-static vpn-instance Management_in :: 0 fc00:254:122::3 preference 150
ipv6 route-static vpn-instance Management_in :: 0 fc00:254:122::2 preference 150
ip route-static vpn-instance Management_in 10.88.21.53 255.255.255.255 10.254.122.3 preference 120
ip route-static vpn-instance Management_in 10.88.21.52 255.255.255.255 10.254.122.2 preference 120
Configure a route to the in-band management address of the peer spine node.
ipv6 route-static vpn-instance Management_in fc00:88:21::53 128 fc00:254:122::3
ipv6 route-static vpn-instance Management_in fc00:88:21::52 128 fc00:254:122::2
#
#
-
- Dynamic routes exclusively occupying a VPN
- IS-IS routing
Spine-01
Spine-02
Description
isis 20 vpn-instance Management_in
isis 20 vpn-instance Management_in
-
cost-style wide
cost-style wide
Set the cost type of IS-IS routes to wide.
network-entity 00.1111.0100.8802.1052.00
network-entity 00.1111.0100.8802.1053.00
Set the network entity title (NET) for an IS-IS process.
import-route direct
import-route direct
Import IPv4 direct routes.
timer lsp-max-age 65535
timer lsp-max-age 65535
-
timer lsp-refresh 65000
timer lsp-refresh 65000
-
#
#
-
ipv6 enable topology ipv6
ipv6 enable topology ipv6
-
#
#
-
-
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure the interface for interconnecting with the PE and enable IS-IS on the interface.
-
description Linkto_PE
description Linkto_PE
undo portswitch
undo portswitch
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0
ipv6 enable topology ipv6
ipv6 enable topology ipv6
isis enable 20
isis enable 20
isis ipv6 enable 20
isis ipv6 enable 20
isis circuit-type p2p
isis circuit-type p2p
#
#
interface Eth-trunk1
interface Eth-trunk1
Configure the link between spine nodes as the bypass link and enable IS-IS.
isis enable 20
isis enable 20
isis ipv6 enable 20
isis ipv6 enable 20
isis circuit-type p2p
isis circuit-type p2p
#
#
- OSPF routing
Spine-01
Spine-02
Description
ospf 20 router-id 10.88.21.52 vpn-instance Management_in
ospf 20 router-id 10.88.21.53 vpn-instance Management_in
-
area 0.0.0.0
area 0.0.0.0
-
network 10.88.21.52 0.0.0.0
network 10.88.21.53 0.0.0.0
Configure the in-band management loopback IP address.
network 10.130.21.0 0.0.0.255
network 10.130.21.0 0.0.0.255
Configure the service network segment.
network 10.130.22.0 0.0.0.255
network 10.130.22.0 0.0.0.255
silent-interface vlanif 4010
silent-interface vlanif 4010
Disable an interface from receiving and sending OSPF packets.
silent-interface vlanif 4002
silent-interface vlanif 4002
#
#
-
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure the interface for interconnecting with the PE and enable OSPF on the interface.
description Linkto_PE
description Linkto_PE
undo portswitch
undo portswitch
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0
ospf network-type p2p
ospf network-type p2p
ospf enable 20 area 0.0.0.0
ospf enable 20 area 0.0.0.0
#
#
interface Eth-trunk1
interface Eth-trunk1
Configure the link between spine nodes as the bypass link and enable OSPF.
ospf network-type p2p
ospf network-type p2p
ospf enable 20 area 0.0.0.0
ospf enable 20 area 0.0.0.0
#
#
OSPFv3
Table 3-1
Spine-01
Spine-02
Description
ospfv3 20 vpn-instance Management_in
ospfv3 20 vpn-instance Management_in
Configure an OSPFv3 process.
router-id 10.88.21.52
router-id 10.88.21.53
-
area 0.0.0.0
area 0.0.0.0
-
#
#
-
interface Loopback0
interface Loopback0
Advertise the in-band management loopback address.
ospfv3 20 area 0.0.0.0
ospfv3 20 area 0.0.0.0
-
#
#
-
interface Vlanif4010
interface Vlanif4010
Advertise the service network segment.
ospfv3 20 area 0.0.0.0
ospfv3 20 area 0.0.0.0
#
#
interface Vlanif4002
interface Vlanif4002
Advertise the service network segment.
ospfv3 20 area 0.0.0.0
ospfv3 20 area 0.0.0.0
#
#
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure interfaces connected to PEs and enable OSPFv3.
ipv6 enable
ipv6 address fc00:16:1::1/64
ipv6 enable
ipv6 address fc00:16:1::1/64
Configure an IPv6 address.
ospfv3 network-type p2p
ospfv3 network-type p2p
-
ospfv3 20 area 0.0.0.0
ospfv3 20 area 0.0.0.0
-
#
#
-
interface Eth-trunk1
interface Eth-trunk1
Use the link between spine nodes as the best-effort path and enable OSPFv3.
ospfv3 network-type p2p
ospfv3 network-type p2p
-
ospfv3 20 area 0.0.0.0
ospfv3 20 area 0.0.0.0
-
#
#
-
- BGP routing
Spine-01
Spine-02
Description
interface 40GE 2/0/4
interface 40GE 2/0/4
Configure the interface for interconnecting with the PE.
description Linkto_PE
description Linkto_PE
undo portswitch
undo portswitch
ip binding vpn-instance Management_in
ip binding vpn-instance Management_in
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0
ipv6 enable
ipv6 address fc00:16:1::1/64
ipv6 enable
ipv6 address fc00:16:2::1/64
#
#
bgp 100
bgp 100
-
ipv4-family vpn-instance Management_in
ipv4-family vpn-instance Management_in
-
network 10.88.21.52 255.255.255.255
network 10.88.21.53 255.255.255.255
Configure the in-band management loopback IP address.
network 10.130.21.0 255.255.255.0
network 10.130.21.0 255.255.255.0
Configure the service network segment.
network 10.130.22.0 255.255.255.0
network 10.130.22.0 255.255.255.0
maximum load-balancing 2
maximum load-balancing 2
-
peer 172.16.1.2 as-number 200
peer 172.16.2.2 as-number 200
Configure the EBGP peer relationship with the PE.
peer 10.254.122.3 as-number 100
peer 10.254.122.2 as-number 100
Configure the IBGP peer relationship between the spine nodes, using the link between them as the bypass link.
#
#
-
ipv6-family vpn-instance Management_in
ipv6-family vpn-instance Management_in
-
network fc00:254:122:: 64
network fc00:254:122:: 64
Configure the in-band management loopback IP address.
network fc00:130:21:: 64
network fc00:130:21:: 64
Configure the service network segment.
network fc00:130:22:: 64
network fc00:130:22:: 64
maximum load-balancing 2
maximum load-balancing 2
-
peer fc00:16:1::1 as-number 200
peer fc00:16:2::2 as-number 200
Configure the EBGP peer relationship with the PE.
peer fc00:254:122::3 as-number 100
peer fc00:254:122::2 as-number 100
Configure the IBGP peer relationship between the spine nodes, using the link between them as the bypass link.
#
#
-
- IS-IS routing
- Static routes with traffic passing through a firewall in bypass mode
- Configure CRC and disable unused interfaces.
Spine-01
Spine-02
Description
port-group group-member 10ge 3/0/18 to 10ge 3/0/22
port-group group-member 10ge 1/0/18 to 10ge 1/0/22
Create a temporary port group and add the unused physical interfaces to the port group.
shutdown
shutdown
Shut down the interfaces.
stp instance 0 cost 10000
stp instance 0 cost 10000
Increase the STP cost.
port link-type trunk
port link-type trunk
-
undo port trunk allow-pass vlan 1
undo port trunk allow-pass vlan 1
Delete VLAN 1 from the Eth-Trunk interface.
#
#
-
port-group group-member 40ge 1/0/0 to 40ge 1/0/35
port-group group-member 40ge 1/0/0 to 40ge 1/0/35
Create a temporary port group. CRC error monitoring needs to be configured on all interfaces.
trap-threshold crc-statistics 100 interval 10
trap-threshold crc-statistics 100 interval 10
Set the alarm threshold of CRC error packets to 100 and the alarm interval to 10 seconds.
port crc-statistics trigger error-down
port crc-statistics trigger error-down
Configure the interface to enter the Error-Down state when the number of received CRC error packets exceeds the threshold. In this way, services can be switched to the backup link in a timely manner, ensuring reliable data transmission.
#
#
-
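The port-group commands above are temporary, so the result has to be checked per interface afterwards. The following added example (not part of the original guide or of any Huawei tooling) audits interface stanzas for the unused-port and CRC commands in this step; the sample configuration is constructed, the helper names are hypothetical, and the port lists are narrowed to two ports per group to keep the sample short.

```python
UNUSED_REQUIRED = ["shutdown", "undo port trunk allow-pass vlan 1"]
CRC_REQUIRED = ["trap-threshold crc-statistics 100 interval 10",
                "port crc-statistics trigger error-down"]

# Constructed sample (not device output); assumes commands appear as typed above.
SAMPLE = """\
#
interface 10GE3/0/18
 shutdown
 undo port trunk allow-pass vlan 1
#
interface 10GE3/0/19
 stp instance 0 cost 10000
#
interface 40GE1/0/0
 trap-threshold crc-statistics 100 interval 10
 port crc-statistics trigger error-down
#
interface 40GE1/0/1
 trap-threshold crc-statistics 100 interval 10
#
"""

def parse_interfaces(config):
    """Map interface name -> commands in its stanza; '#' closes a stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # Normalise '40GE 2/0/4' and '40ge2/0/4' to the same key.
            current = line.split(None, 1)[1].replace(" ", "").upper()
            stanzas[current] = []
        elif line == "#" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit(config, unused, crc_ports):
    """Return sorted (interface, missing command) pairs; a port with no stanza misses all."""
    stanzas = parse_interfaces(config)
    findings = []
    for names, required in ((unused, UNUSED_REQUIRED), (crc_ports, CRC_REQUIRED)):
        for name in names:
            findings += [(name, c) for c in required if c not in stanzas.get(name, [])]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["10GE3/0/18", "10GE3/0/19"], ["40GE1/0/0", "40GE1/0/1"]):
        print("%s: missing '%s'" % finding)
```

An unused port that is still up, or a monitored port without the error-down trigger, shows up as one finding per missing command.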