ME60 V800R010C10SPC500 Configuration Guide - Virtual Access 01

Establishing a Virtual Access System

This section describes how to establish a virtual access system.

Background

A virtual access system consists of masters and APs. To simplify service deployment and facilitate O&M and management, the control and management planes of the virtual access system are centralized on a master, and the whole system is configured from the master. APs support plug-and-play (PnP): a master identifies APs by their ESNs, manages them automatically, and delivers the virtual access system's configuration to them over NETCONF channels, so no configuration is performed on the APs themselves. Note that an ESN is a device serial number, not a secret: it identifies an AP but does not by itself authenticate it. Authentication of the login channels between a master and an AP is provided by the authentication scheme configured later in this section.

Pre-configuration Tasks

Before establishing a virtual access system, complete the following tasks:

  • Obtain the ESN of each AP. To check the ESN, run the display esn command on the AP.

  • Enable first-time authentication on the masters by running the ssh client first-time enable command. This is trust on first use: the master accepts an AP's SSH server public key the first time it connects, without verifying it beforehand, so perform the initial connection over a network you control.

Configuration Procedures

Figure 2-2 Flowchart for establishing a virtual access system

Configuring Basic Master Functions

A master is a control node in a virtual access system. You must configure a master before establishing a virtual access system.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    virtual-access

    Virtual access is enabled, and the virtual access view is displayed.

  3. Run:

    role master

    The node is configured as a master.

    After this step is performed:

    • All local physical interfaces become four-dimensional interfaces. For example, dimension 1 in GigabitEthernet 1/1/0/1 indicates that the interface is a local interface.

    • The node automatically enables global BFD capabilities and establishes a virtual access IS-IS process based on the local configuration. The process ID is chosen as follows:

      • No IS-IS process exists (the default): the AP and master automatically establish an IS-IS process with the ID 65534.

      • One or more IS-IS processes exist and the ID 65534 is already in use: the AP and master search downwards from 65534 for an unused process ID and use it to establish the virtual access IS-IS process.

      • One or more IS-IS processes exist but the ID 65534 is unused: the AP and master automatically establish an IS-IS process with the ID 65534.

  4. Run:

    admin ip-address

    A management IP address is configured for the master.

    The management IP address of the master is advertised to an AP over OSPF for establishing internal management channels to the AP. After this step is performed, the master automatically generates a loopback interface with the management IP address specified by ip-address.

  5. Run:

    isis authentication-mode hmac-sha256 key-id key-id cipher cipher-text [ send-only ]

    IS-IS authentication is configured.

    To improve virtual access network security, run the isis authentication-mode command so that sent Hello, LSP, and SNP packets carry an HMAC-SHA256 authentication value and received Hello, LSP, and SNP packets are checked for one. Only packets whose authentication value verifies under the configured key are accepted, which keeps forged or invalid routing packets from interfering with the network. HMAC-SHA256 authenticates packets; it does not encrypt them.

    If send-only is specified, the device adds authentication information to the packets it sends but does not check received packets. Use send-only only while the key is being rolled out to all nodes, and remove it afterwards.

    The values of key-id and cipher-text configured on the secondary master must be the same as those on the primary master.

  6. Run:

    commit

    The configuration is committed.

  7. Run:

    quit

    Return to the system view.

  8. Run:

    interface interface-type interface-number [ .subinterface-number ]

    The interface view is displayed.

  9. Run:

    virtual-access enable [ inter-link ]

    Virtual access is enabled on the interface.

    To establish a virtual access system, configure the interfaces between a master and AP and between the primary and secondary masters.

    • To enable virtual access on the interfaces between a master and AP, run the virtual-access enable command.

    • To enable virtual access on the interfaces between the primary and secondary masters, run the virtual-access enable inter-link command.

    The virtual-access enable command can be run only on Ethernet interfaces. The virtual-access enable inter-link command can be run on Ethernet and Eth-Trunk interfaces and their sub-interfaces.

    After this step is performed, a virtual access IS-IS process is automatically enabled on the interface and the isis circuit-type p2p command is automatically run to simulate the interface as a P2P interface.

    NOTE:

    If you manually run the isis enable process-id command and then run the virtual-access enable command on the interface, a virtual access IS-IS process is not automatically enabled and the isis circuit-type p2p command is not automatically run on the interface. In this situation, to establish a virtual access system successfully, you must ensure that virtual access has been enabled for the IS-IS process specified by process-id, manually run the isis circuit-type p2p command on the interface, and ensure that the same configurations are manually performed on other masters and APs. This brings heavy configuration workloads. Therefore, do not manually run the isis enable process-id command before running the virtual-access enable command.

  10. Run:

    commit

    The configuration is committed.
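The following is an added example, not code from the Huawei guide or the ME60 software: a small Python model of the trust decision that the isis authentication-mode command configures. A PDU is modelled as opaque body bytes followed by an authentication TLV of a 2-byte key ID and a 32-byte HMAC-SHA256 computed with the authentication data zeroed; the real IS-IS wire format (RFC 5310) lays out the TLV and padding differently, so only the accept/reject logic is shown. The key, key ID and packet bodies are constructed placeholders. It illustrates why key-id and cipher-text must match on both masters (an unknown key ID or a different key is rejected) and what send-only gives up (the receiver accepts anything).

```python
"""Model of IS-IS HMAC-SHA256 packet authentication (added example, not Huawei code).

Simplified: a PDU = body || key-id(2 bytes) || HMAC-SHA256(32 bytes), with the MAC
computed over the PDU while the MAC field holds zeros. RFC 5310 defines the real
TLV layout and padding; only the trust decision is modelled here.
"""
import hashlib
import hmac
import struct

DIGEST_LEN = 32                 # HMAC-SHA256 output length
TLV_LEN = 2 + DIGEST_LEN        # key ID + digest


def _mac(key: bytes, body: bytes, key_id: int) -> bytes:
    """HMAC-SHA256 over body || key_id || zeroed authentication data."""
    covered = body + struct.pack("!H", key_id) + b"\x00" * DIGEST_LEN
    return hmac.new(key, covered, hashlib.sha256).digest()


def sign_pdu(body: bytes, key_id: int, key: bytes) -> bytes:
    """Encapsulate authentication information into a Hello/LSP/SNP body."""
    return body + struct.pack("!H", key_id) + _mac(key, body, key_id)


def accept_pdu(pdu: bytes, keys: dict, send_only: bool = False) -> bool:
    """Receiver check; keys maps key ID -> key.

    With send_only=True the receiver adds authentication data to what it sends
    but does not check received packets, so everything is accepted. That is
    why send-only belongs only in a key rollout window.
    """
    if send_only:
        return True
    if len(pdu) < TLV_LEN:                 # no room for an authentication TLV
        return False
    body, tlv = pdu[:-TLV_LEN], pdu[-TLV_LEN:]
    key_id = struct.unpack("!H", tlv[:2])[0]
    key = keys.get(key_id)
    if key is None:                        # key ID not configured locally
        return False
    return hmac.compare_digest(_mac(key, body, key_id), tlv[2:])


def demo() -> dict:
    """Constructed scenario: genuine, forged and tampered PDUs under both modes."""
    key_id, key = 1, b"example-shared-key"           # placeholder key material
    peer_keys = {key_id: key}
    hello = b"IIH sample body"                        # constructed PDU body
    genuine = sign_pdu(hello, key_id, key)
    forged = sign_pdu(hello, key_id, b"attacker-key")  # signed with the wrong key
    wrong_id = sign_pdu(hello, 2, key)                # key ID 2 unknown to the peer
    tampered = b"X" + genuine[1:]                     # body altered after signing
    bare = hello                                      # no authentication TLV at all
    return {
        "genuine/full": accept_pdu(genuine, peer_keys),
        "forged/full": accept_pdu(forged, peer_keys),
        "wrong-id/full": accept_pdu(wrong_id, peer_keys),
        "tampered/full": accept_pdu(tampered, peer_keys),
        "bare/full": accept_pdu(bare, peer_keys),
        "forged/send-only": accept_pdu(forged, peer_keys, send_only=True),
        "bare/send-only": accept_pdu(bare, peer_keys, send_only=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} -> {'accepted' if accepted else 'rejected'}")
```

Run it to see that, with full checking, only the genuine packet is accepted, while a node left in send-only mode accepts both the forged packet and a packet carrying no authentication at all.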

Configuring Basic AP Functions on a Master

An AP can be considered as a master's remote card. You can configure basic AP functions on a master.

Context

In a virtual access system, a master can manage multiple APs at the same time. You can repeat the following steps on a master to configure basic functions for multiple APs.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ap-id ap-id

    An AP is configured on the master, and the AP view is displayed.

  3. Run esn esn-number

    An ESN is configured for the AP.

    The virtual access system supports plug-and-play (PnP) for an AP. After an AP starts, it automatically enables the data communication network (DCN) function and uses OSPF to advertise its ESN and initial PnP status. After a master discovers the AP and identifies the initial PnP status, the master checks whether the AP's ESN has been locally configured. If the AP's ESN has been locally configured, the master starts the PnP process. A master uses an ESN to uniquely identify an AP, and therefore different APs' ESNs cannot be the same.

  4. Run remote-interface interface-type interface-number

    A virtual access interface is created for the AP on the master, and the creation of a vaPW is triggered between the master and AP.

    An AP's physical interface for receiving service data is called an external communication interface. A virtual access interface is a four-dimensional interface, which is a virtual agent interface of an AP's external communication interface on a master. For example, GigabitEthernet 1025/1/0/1 indicates that the virtual access interface corresponds to AP 1025's external communication interface GigabitEthernet 1/0/1. After creating a virtual access interface, you can treat the AP's external communication interface as the master's local interface for configurations.

    An AP's external communication interface is connected to a master's local virtual access interface through a vaPW, which is used to forward service traffic in a virtual access system.

    NOTE:

    After an AP finishes the PnP process, virtual access is automatically enabled on all of the AP's Ethernet interfaces; that is, they are internal communication interfaces by default. After this step is performed, virtual access is automatically disabled on the AP's external communication interface, because an interface cannot be both an internal communication interface and an external communication interface.

  5. (Optional) Run sysname host-name

    A host name is specified for the AP.

  6. Run commit

    The configuration is committed.

  7. Run admin ip-address

    A management IP address is configured for the AP.

    The management IP address of the AP is used to establish internal management channels to the master. The master delivers the configuration to the AP in the PnP process, and the AP automatically performs and saves the configuration. After the AP automatically performs the configuration, it automatically generates a loopback interface with the management IP address specified by ip-address.

    The configuration takes effect immediately after being performed.
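The following is an added example, not part of the Huawei guide: a Python generator that renders the master-side commands from the two procedures above (basic master functions, then basic AP functions) from a small inventory, and checks the constraints the procedures state before emitting anything. The checks are: virtual-access enable only on Ethernet ports while inter-link may also use Eth-Trunk; unique ap-id, ESN and management IP values; and remote-interface names that can be mapped to four-dimensional virtual access interface names (GigabitEthernet 1/0/1 on AP 1025 becomes GigabitEthernet 1025/1/0/1). It also includes the IS-IS process ID rule from the role master step. The interface name patterns, the quit commands between views, and every ESN, address and cipher string in the sample inventory are assumptions or placeholders.

```python
"""Render and validate the master-side configuration from the two procedures
above (added example: an operator's generator script, not part of the Huawei
guide). Interface names, ESNs and addresses below are placeholders."""
from dataclasses import dataclass, field
import ipaddress
import re

# Port name forms accepted here (assumption: GE/10GE Ethernet and Eth-Trunk).
ETHERNET = re.compile(r"^(GigabitEthernet|10GE) \d+(/\d+){2,3}(\.\d+)?$")
ETH_TRUNK = re.compile(r"^Eth-Trunk \d+(\.\d+)?$")

@dataclass
class Master:
    admin_ip: str
    isis_key_id: int
    isis_cipher: str        # ciphertext as shown in a saved configuration
    ap_links: list          # local Ethernet ports towards APs (4-dimensional names)
    inter_links: list = field(default_factory=list)  # ports to the other master

@dataclass
class AP:
    ap_id: int
    esn: str
    admin_ip: str
    remote_interfaces: list  # the AP's external communication interfaces
    sysname: str = ""

def va_isis_process_id(existing: set) -> int:
    """Process ID the system picks: 65534, else the next unused ID downwards."""
    pid = 65534
    while pid in existing:
        pid -= 1
    return pid

def va_interface_name(ap_id: int, remote_if: str) -> str:
    """GigabitEthernet 1/0/1 on AP 1025 appears on the master as 1025/1/0/1."""
    iftype, _, number = remote_if.partition(" ")
    if not ETHERNET.match(remote_if) or number.count("/") != 2:
        raise ValueError(f"remote-interface must be an AP Ethernet port: {remote_if}")
    return f"{iftype} {ap_id}/{number}"

def _unique(values: list, what: str) -> None:
    dupes = sorted({v for v in values if values.count(v) > 1})
    if dupes:
        raise ValueError(f"duplicate {what}: {dupes}")

def validate(master: Master, aps: list) -> None:
    for link in master.ap_links:      # virtual-access enable: Ethernet ports only
        if not ETHERNET.match(link):
            raise ValueError(f"virtual-access enable needs an Ethernet port: {link}")
    for link in master.inter_links:   # inter-link: Ethernet or Eth-Trunk
        if not (ETHERNET.match(link) or ETH_TRUNK.match(link)):
            raise ValueError(f"bad inter-link interface: {link}")
    for ip in [master.admin_ip] + [ap.admin_ip for ap in aps]:
        ipaddress.IPv4Address(ip)     # raises ValueError on a malformed address
    _unique([ap.ap_id for ap in aps], "ap-id")
    _unique([ap.esn for ap in aps], "ESN")   # the master identifies APs by ESN
    _unique([master.admin_ip] + [ap.admin_ip for ap in aps], "management IP")
    for ap in aps:
        for remote in ap.remote_interfaces:
            va_interface_name(ap.ap_id, remote)

def config_error(master: Master, aps: list) -> str:
    try:
        validate(master, aps)
    except ValueError as exc:
        return str(exc)
    return ""

def render_master_config(master: Master, aps: list) -> str:
    """Commands in the order the two procedures give them."""
    validate(master, aps)
    out = ["system-view", "virtual-access", "role master",
           f"admin {master.admin_ip}",
           f"isis authentication-mode hmac-sha256 key-id {master.isis_key_id} "
           f"cipher {master.isis_cipher}", "commit", "quit"]
    for link in master.ap_links:
        out += [f"interface {link}", "virtual-access enable", "commit", "quit"]
    for link in master.inter_links:
        out += [f"interface {link}", "virtual-access enable inter-link", "commit", "quit"]
    for ap in aps:
        out += [f"ap-id {ap.ap_id}", f"esn {ap.esn}"]
        out += [f"remote-interface {r}" for r in ap.remote_interfaces]
        if ap.sysname:
            out.append(f"sysname {ap.sysname}")
        out += ["commit", f"admin {ap.admin_ip}", "quit"]
    return "\n".join(out)

# Constructed inventory (placeholder names, ESNs, cipher string and addresses).
SAMPLE_MASTER = Master("10.1.0.1", 1, "CIPHERTEXT-PLACEHOLDER",
                       ap_links=["GigabitEthernet 1/1/0/1", "GigabitEthernet 1/1/0/2"],
                       inter_links=["Eth-Trunk 1"])
SAMPLE_APS = [
    AP(1025, "2102350000000000AP01", "10.1.0.25", ["GigabitEthernet 1/0/1"], "ap-1025"),
    AP(1026, "2102350000000000AP02", "10.1.0.26", ["GigabitEthernet 1/0/1"]),
]
```

Call render_master_config(SAMPLE_MASTER, SAMPLE_APS) to print the command sequence; config_error returns the first constraint violation (for instance a second AP with a reused ESN) without rendering anything.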

Configuring an Authentication Scheme for Virtual Access

To ensure the security of a virtual access system, you must configure an authentication scheme for virtual access.

Context

To establish a virtual access system, you must establish channels (such as STelnet, SFTP, and NETCONF channels) between a master and AP. To ensure system security, you must configure an authentication scheme for AP login. The current authentication scheme supports the following authentication modes:

  • Local authentication: Use this mode if no HWTACACS server is deployed on the network. It is fast and cheap to operate, but the number of accounts that can be stored is limited by the device's hardware capacity.

  • HWTACACS authentication: Centralized authentication on an HWTACACS server helps prevent unauthorized users from accessing the virtual access system. Compared with local authentication, it offers more reliable transport and protects the exchange with the server using the configured shared key.

Perform the following steps on a master.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ap-id ap-id

    The AP view is displayed.

  3. Run login-user user-name login-password password

    A user name and password required for the master to log in to the AP are configured.

  4. Run login-user user-name sftp-directory sftp-directory

    A user name and SFTP directory required for the master to log in to the AP are configured.

  5. Run authentication-mode { hwtacacs | local } *

    An authentication mode is configured for the authentication scheme.

    To configure local authentication, specify the local parameter. To configure HWTACACS authentication, specify the hwtacacs parameter. By default, local authentication is used.

    You can configure both local and HWTACACS authentication modes in an authentication scheme. The system performs authentication based on the configuration sequence.

    • When the authentication mode is configured as local authentication and then HWTACACS authentication:

      If the user name in Step 3 is not created on the AP, the system performs HWTACACS authentication.

      If the user name in Step 3 has been created on both the AP and HWTACACS server and a password error causes local authentication to fail, the system does not perform HWTACACS authentication.

    • When the authentication mode is configured as HWTACACS authentication and then local authentication:

      If the user name in Step 3 is not created on the HWTACACS server but exists on the AP, the system considers HWTACACS authentication failed and does not perform local authentication.

      The system performs local authentication only when the HWTACACS authentication server goes Down.

    The authentication mode of HWTACACS authentication and then local authentication is recommended.

  6. Perform operations based on the configured authentication mode.
    • If HWTACACS authentication is configured, perform the following operations:

      1. Run the hwtacacs command to enter the virtual access HWTACACS view.

      2. Run the hwtacacs-server shared-key { cipher cipher-string | key-string } command to configure a global shared key for the AP's HWTACACS server for communicating with the master.

        By default, no shared key is configured for the AP's HWTACACS server.

        To improve the security of communication between the master and the AP's HWTACACS server, configure a shared key.

      3. Run the hwtacacs-server ip-address [ port ] [ shared-key { key-string | cipher cipher-string } ] [ secondary ] command to configure primary and secondary HWTACACS servers for the AP.

        In this command:

        • If you do not specify shared-key { key-string | cipher cipher-string }, the global shared key is used.

        • The IP addresses of the primary and secondary HWTACACS servers must be different; otherwise, the configuration fails.

      NOTE:

      If HWTACACS authentication is used, you must ensure that the user name and password configured using the login-user command in Step 3 are the same as those on the HWTACACS server. Otherwise, the AP cannot work normally.

    • If local authentication is configured, perform the following operations:

      1. Run the ap-user command to enter the virtual access AP-user view.

      2. Run the local-user user-name password cipher password command to create a local user name on the AP and configure a login password.

      NOTE:

      If local authentication is used, you must ensure that the user name and password configured using the login-user command in Step 3 are the same as those configured using the local-user command. Otherwise, the AP cannot work normally.

  7. Run commit

    The configuration is committed.
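The ordering rules in Step 5 are easy to misread, so the following is an added example (a Python model written for this page, not Huawei code) that encodes them as a decision function and adds the consistency checks from the NOTE boxes: the login-user credentials must match the local-user on the AP when local authentication is used, must match the HWTACACS account when HWTACACS is used, and the primary and secondary HWTACACS servers must have different IP addresses. Account names, passwords and server addresses in the sample are constructed placeholders.

```python
"""Decision model of the AP login authentication scheme described above, plus
the consistency checks from its NOTE boxes (added example; a model for
reasoning about the scheme, not Huawei code)."""
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    """What each authenticator would see for the login-user credentials."""
    on_ap: bool                 # a matching local-user exists on the AP
    ap_password_ok: bool
    on_tacacs: bool             # the account exists on the HWTACACS server
    tacacs_password_ok: bool
    tacacs_up: bool = True


def _local(a: LoginAttempt) -> str:
    if not a.on_ap:
        return "no-user"
    return "ok" if a.ap_password_ok else "bad-password"


def _hwtacacs(a: LoginAttempt) -> str:
    if not a.tacacs_up:
        return "down"
    if not a.on_tacacs:
        return "no-user"
    return "ok" if a.tacacs_password_ok else "bad-password"


def authenticate(modes: list, attempt: LoginAttempt):
    """Apply the modes in configured order. Returns (accepted, trail).

    local -> hwtacacs: HWTACACS is tried only when the user is absent locally;
    a local password error is final.  hwtacacs -> local: local is tried only
    when the server is Down; an unknown user or bad password there is final.
    """
    trail = []
    for mode in modes:
        if mode == "local":
            result = _local(attempt)
            trail.append(("local", result))
            if result == "ok":
                return True, trail
            if result == "bad-password":
                return False, trail
            # "no-user": fall through to the next configured mode
        elif mode == "hwtacacs":
            result = _hwtacacs(attempt)
            trail.append(("hwtacacs", result))
            if result == "ok":
                return True, trail
            if result != "down":
                return False, trail
            # server Down: fall through to the next configured mode
        else:
            raise ValueError(f"unknown authentication mode {mode}")
    return False, trail


def scheme_problems(modes: list, login_user: str, login_password: str,
                    local_users: dict, tacacs_users: dict, servers: list) -> list:
    """Checks from the NOTE boxes above, plus the recommended mode order."""
    problems = []
    if "local" in modes and local_users.get(login_user) != login_password:
        problems.append("login-user does not match a local-user on the AP")
    if "hwtacacs" in modes:
        if tacacs_users.get(login_user) != login_password:
            problems.append("login-user does not match the HWTACACS account")
        if len(servers) != len(set(servers)):
            problems.append("primary and secondary HWTACACS servers share an IP address")
    if modes == ["local", "hwtacacs"]:
        problems.append("order local then hwtacacs configured; hwtacacs then local is recommended")
    return problems


if __name__ == "__main__":
    # Constructed case: the account exists on the AP only, server reachable.
    attempt = LoginAttempt(on_ap=True, ap_password_ok=True,
                           on_tacacs=False, tacacs_password_ok=False)
    print(authenticate(["hwtacacs", "local"], attempt))   # rejected, no fallback
    print(authenticate(["local", "hwtacacs"], attempt))   # accepted locally
```

The constructed case in the main block is the one operators are most often surprised by: with the recommended hwtacacs-then-local order, an account that exists only on the AP is rejected while the server is reachable, because local authentication is consulted only when the server is Down.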

(Optional) Configuring a User Access Load Balancing Mode in Virtual Access Scenarios

In BRAS virtual access scenarios, you can configure how downstream user traffic to an AP's external communication interface is balanced over the internal communication interfaces between the master and the AP. This configuration is performed on the master.

Context

In virtual access scenarios, the primary and backup LSPs exist between a master and AP, and each LSP has different outbound interfaces.

For non-BRAS services, only the primary LSP's primary interface is used as downstream traffic's outbound interface. For BRAS services, all internal communication interfaces on an LSP can be used as downstream traffic's outbound interfaces. The corresponding internal communication interface is selected as the outbound interface of traffic to an external communication interface based on a configured load balancing mode, implementing load balancing.

By default, when a BRAS user goes online, the primary LSP's primary interface is selected as downstream traffic's outbound interface.

When a user goes online, if refined load balancing is required, run the access virtual-access bas-load-balance command to implement load balancing based on internal communication interfaces for user traffic to an external communication interface. The primary and backup internal communication interfaces of an external communication interface's primary and backup LSPs forward downstream traffic.

After the user goes online, the corresponding internal communication interface is selected based on a configured load balancing mode to balance user traffic.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run access virtual-access bas-load-balance { flow-mode | user-mode | real-flow-mode }

    A user access load balancing mode is configured on the master in BRAS virtual access scenarios.

(Optional) Configuring Route Import Between the Virtual Access System and External Network

To enable an NMS to directly manage masters and APs, configure route import between the virtual access system and external network.

Context

A virtual access system uses the DCN function to implement AP PnP, but a DCN is characterized by route isolation. Therefore, if an NMS is used to manage a master and AP, you must configure route import between the virtual access system and external network on a master.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run virtual-access

    The virtual access view is displayed.

  3. Run import admin-ip to { bgp [ vpn-instance vpn-instance-name ] | isis process-id [ level-1 | level-1-2 | level-2 ] | ospf process-id | public }

    The routes to the management IP addresses of the master and AP are imported into a specified routing protocol.

    After this step is performed, routes in the virtual access system are imported to the outside of the DCN. Before this step is performed, configure routing protocols on the master based on the protocol types of the routes to be imported.

    NOTE:

    If a route to a management IP address is imported into IS-IS or OSPF, ensure that the process specified by process-id does not import other routes. Otherwise, the configuration fails.

  4. Run import { bgp [ vpn-instance vpn-instance-name ] | static [ vpn-instance vpn-instance-name ] | isis process-id | ospf process-id } to dcn-ospf [ route-policy route-policy-name ]

    A specified protocol's routes are imported into DCN.

    After this step is performed, the route between the master and NMS is imported into DCN in the virtual access system. Before this step is performed, configure routing protocols whose routes are to be imported into DCN and routing policies on the master.

  5. Run commit

    The configuration is committed.

(Optional) Disabling Isolation Between Management and Service Interfaces

To use outband DCN in the virtual access system, disable isolation between management and service interfaces.

Context

Usually, the NMS manages masters and APs in inband mode. The access ring advertises private network routes to the NMS through the DCN plane and device management IP addresses. This implementation affects routing on the aggregation ring to some extent. Currently, masters and APs can also be managed by the NMS in outband mode. Because APs do not have outband connections, traffic from APs has to take a detour to the DCN and master before arriving at the NMS. In outband mode, the NMS manages APs through the master's management interface. The NMS provides functions such as full synchronization, fault information collection (from log and alarm information), performance monitoring (for voltage and temperature information) and software upgrades (including both system software and patch upgrades).

Outband management provides more reliable device management channels than inband management, but involves complex DCN networking and high deployment costs. Carriers usually plan and design outband management by themselves.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run virtual-access

    The virtual access view is displayed.

  3. Run management-port isolate disable

    Isolation between management and service interfaces is disabled.

  4. Run commit

    The configuration is committed.

Checking the Configurations

After establishing a virtual access system, check the configurations on the master, including basic virtual access, basic AP, AP interface, label space, internal path, and vaPW information.

Prerequisites

Virtual access has been configured.

Procedure

  • Run the display virtual-access ap [ ap-id ] command to check basic AP information.
  • Run the display virtual-access ap statistics command to check AP statistics.
  • Run the display virtual-access ap-interface [ ap-id ap-id ] command to check AP interface information.
  • Run the display virtual-access va-tunnel p2p [ source source-address destination destination-address ] command to check P2P tunnel information in the virtual access system.
  • Run the display virtual-access va-tunnel p2p statistics command to check statistics about P2P tunnels in the virtual access system.
  • Run the display virtual-access va-pw [ ap ap-id | state { up | down } | interface interface-type interface-number ] command to check vaPW information in the virtual access system. The state down filter lists vaPWs that have not come up, which is the first thing to check when an AP's external communication interface does not carry traffic after PnP.
  • Run the display interface { interface-name | interface-type interface-number } remote command to check information about a specified virtual access interface on the master.
Updated: 2019-01-04

Document ID: EDOC1100059451
