Understanding VCMP
Introduction
This document describes the VLAN Central Management Protocol (VCMP) definition, basic concepts, application scenarios, protocol packets, and implementation mechanism.
Definition
VCMP is used to implement centralized VLAN management and maintenance. It is a Huawei proprietary protocol that works at the link layer to transmit VLAN information and keep VLAN information consistent across a Layer 2 network. Compared with manual configuration, VCMP reduces the configuration workload and ensures VLAN information consistency.
Basic Concepts
VCMP uses a VCMP domain to manage switches and determine attributes of switches in the VCMP domain based on roles. VCMP defines four roles: server, client, transparent, and silent. Figure 1-1 shows VCMP domains and roles in the VCMP domains.
VCMP domain
A VCMP domain is composed of switches that have the same VCMP domain name and are connected through trunk or hybrid interfaces. All switches in the VCMP domain must use the same domain name, and each switch can join only one VCMP domain. Switches in different VCMP domains cannot synchronize VLAN information.
A VCMP domain specifies the scope for the administrative switch and managed switches. Switches in a VCMP domain are managed by the administrative switch. There is only one administrative switch and multiple managed switches in a VCMP domain.
VCMP role
VCMP determines attributes of switches based on VCMP roles. Table 1-1 describes VCMP roles.
VCMP Role | Function | Description
---|---|---
Server | The VCMP server synchronizes VLAN information to other switches in the local VCMP domain. | If VLANs are created or deleted, or VLAN names or descriptions are changed on the VCMP server, the configurations are synchronized to the other switches in the VCMP domain.
Client | A VCMP client belongs to a specified VCMP domain and synchronizes VLAN information with the VCMP server. | If VLANs are created or deleted, or VLAN names or descriptions are changed on a VCMP client, the configurations are not synchronized to the other switches in the VCMP domain. VLAN information on the VCMP client is overwritten by that sent by the VCMP server.
Transparent | A VCMP transparent switch does not affect other switches in the local VCMP domain and is not affected by VCMP management behaviors. | A VCMP transparent switch transparently forwards VCMP packets only on trunk or hybrid links. If VLANs are created or deleted, or VLAN names or descriptions are changed on a VCMP transparent switch, VLAN information on the VCMP transparent switch is not affected by that on the VCMP server and is not synchronized to the other switches in the VCMP domain. In this way, switches that do not need to be managed by VCMP can still forward VCMP packets.
Silent | Deployed at the edge of a VCMP domain, a VCMP silent switch does not affect other switches in the local VCMP domain and is not affected by VCMP management behaviors. The VCMP silent switch prevents VCMP packets in a VCMP domain from being transmitted to other VCMP domains. | A VCMP silent switch directly discards received VCMP packets. If VLANs are created or deleted, or VLAN names or descriptions are changed on a VCMP silent switch, VLAN information on the VCMP silent switch is not affected by that on the VCMP server and is not synchronized to the other switches in the VCMP domain.
- VCMP transparent and silent switches do not belong to any VCMP domain.
- If an edge switch in a VCMP domain needs to be managed, configure the edge switch as a VCMP client. To prevent VCMP packets in the local VCMP domain from being transmitted to other VCMP domains, disable VCMP on the edge switch interface connected to other VCMP domains.
Application Scenarios
On a small-scale enterprise network, the network administrator can log in to each switch to configure and maintain VLANs. On a large-scale enterprise network, a lot of switches are deployed, so a large amount of VLAN information needs to be configured and maintained. If the network administrator manually configures and maintains all VLANs, the workload is heavy and VLAN information may be inconsistent.
VCMP is used to implement centralized VLAN management. The network administrator simply needs to configure and maintain VLANs (for example, creating and deleting VLANs) on one switch. Then the changes will be automatically synchronized to all the switches in the specified domain without manual intervention. In this way, the configuration workload is reduced and VLAN information consistency is ensured.
VCMP only helps the network administrator synchronize VLAN information; it does not dynamically assign VLANs. VCMP is often used together with the Link-type Negotiation Protocol (LNP) to simplify user configuration.
Generic VLAN Registration Protocol (GVRP) can reduce VLAN configurations and dynamically assign interfaces to VLANs. GVRP creates dynamic VLANs, but VCMP creates static VLANs.
As shown in Figure 1-2, departments A and B of an enterprise belong to different Layer 2 networks. The departments are large and a lot of VLANs need to be configured and maintained. To facilitate VLAN configuration and maintenance, deploy VCMP domains VCMP1 and VCMP2 for departments A and B respectively, and configure AGG1 as the VCMP server in VCMP1, ACC1 and ACC2 as VCMP clients in VCMP1, AGG2 as the VCMP server in VCMP2, and ACC3 and ACC4 as VCMP clients in VCMP2. The network administrator simply needs to create or delete VLANs or change VLAN names or descriptions on AGG1 and AGG2. ACC1 to ACC4 synchronize VLAN information with AGG1 and AGG2 respectively. This implements centralized VLAN configuration and management.
VCMP Packets
VCMP enables switches of different roles to exchange VCMP packets to implement centralized VLAN management. VCMP packets can only be transmitted in VLAN 1 on trunk or hybrid interfaces. To keep VLAN information identical on the VCMP server and clients, VCMP defines three types of multicast packets: Summary-Advert, Subset-Advert, and Advert-Request. Table 1-2 describes the functions and triggering scenarios of the three packet types.
Packet Type | Function | Applicable Scenario | Sent By
---|---|---|---
Summary-Advert | The VCMP server sends Summary-Advert packets to other devices in the local VCMP domain to notify them of the domain name, device ID, configuration revision number, and VLAN information. | | Server
Subset-Advert | The VCMP server sends Subset-Advert packets to other devices in the VCMP domain to notify them of the non-default VLAN names or descriptions. | Non-default VLAN names or descriptions are configured on the VCMP server, and either of the following conditions is met: The VCMP server sends a Subset-Advert packet to ensure real-time synchronization of VLAN information on the VCMP server and clients and to prevent VLAN information loss due to packet loss. | Server
Advert-Request | A VCMP client sends Advert-Request packets to the VCMP server to request VLAN information. | | Client
Summary-Advert and Subset-Advert packets sent by the VCMP server carry the configuration revision number. A VCMP client uses it to determine whether the VLAN information sent by the VCMP server is newer than its local VLAN information; if so, the VCMP client synchronizes VLAN information with the VCMP server. A configuration revision number is represented by an 8-digit hexadecimal number. The four left-most bits indicate a change of the VCMP domain or device ID, and the four right-most bits indicate a VLAN change. Upon each VLAN change on the VCMP server, the configuration revision number is automatically increased. When the VCMP domain name or device ID changes, the four left-most bits of the configuration revision number are recalculated and the four right-most bits are reset.
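The following is an added model of the configuration revision number described above, not Huawei code and not taken from this page. It assumes the 8-hex-digit value is split into a high half (domain/device ID) and a low half (VLAN change counter); the page does not say how the high half is recalculated, so the model derives it from a SHA-256 of the domain name and device ID, and the client-side "newer" decision is likewise an assumed reading of the text.

```python
import hashlib

# Added model of the VCMP configuration revision number (not Huawei code).
# The page describes an 8-hex-digit value whose left-most four digits change
# with the domain name / device ID and whose right-most four count VLAN changes.
# ASSUMPTION: modelled as the high and low 16-bit halves of a 32-bit integer.
HALF_MASK = 0xFFFF


def identity_part(domain_name: str, device_id: str) -> int:
    """High half: 16 bits derived from the domain name and device ID.

    ASSUMPTION: the page only says this half is "recalculated"; a truncated
    SHA-256 of both identifiers is used here as a stand-in.
    """
    digest = hashlib.sha256(f"{domain_name}\x00{device_id}".encode()).digest()
    return int.from_bytes(digest[:2], "big")


class ServerRevision:
    """Revision counter as maintained on the VCMP server."""

    def __init__(self, domain_name: str, device_id: str) -> None:
        self.high = identity_part(domain_name, device_id)
        self.low = 0  # VLAN change counter; reset whenever the identity changes

    def on_vlan_change(self) -> int:
        # VLAN created/deleted or name/description changed: bump the low half.
        self.low = (self.low + 1) & HALF_MASK
        return self.value()

    def on_identity_change(self, domain_name: str, device_id: str) -> int:
        # Domain name or device ID changed: recalculate high half, reset low half.
        self.high = identity_part(domain_name, device_id)
        self.low = 0
        return self.value()

    def value(self) -> int:
        return (self.high << 16) | self.low

    def text(self) -> str:
        """The 8-digit hexadecimal form the page refers to, e.g. '3A7F0002'."""
        return f"{self.value():08X}"


def client_should_sync(local_revision: int, advertised_revision: int) -> bool:
    """Client-side decision on receiving a Summary-Advert or Subset-Advert.

    ASSUMPTION: if the identity half differs, the server's domain name or
    device ID changed and its counter was reset, so the advertised state is
    treated as newer; otherwise only a higher VLAN counter counts as newer.
    """
    if (advertised_revision >> 16) != (local_revision >> 16):
        return True
    return (advertised_revision & HALF_MASK) > (local_revision & HALF_MASK)


if __name__ == "__main__":
    srv = ServerRevision("dept-a", "0001")  # constructed sample identity
    client_copy = srv.value()
    srv.on_vlan_change()
    print(srv.text(), client_should_sync(client_copy, srv.value()))
```

The split into two halves is what makes a plain numeric comparison insufficient: after a domain-name or device-ID change the counter restarts at zero, so a client that only compared integers would wrongly treat the server's state as stale.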
VCMP Implementation
VLAN Synchronization When the VCMP Server Configuration Changes
When the VCMP server configuration changes, for example, creating and deleting VLANs, changing the VLAN name, VLAN description, VCMP domain name, or device ID, or restarting the VCMP server, the VCMP server sends a Summary-Advert packet and a Subset-Advert packet to instruct VCMP clients in the local VCMP domain to synchronize VLAN information.
VLAN Information Synchronization When a VCMP Client Is Added
To ensure VLAN information synchronization between the VCMP server and clients, the VCMP server sends a Summary-Advert packet every 5 minutes to notify switches in the local VCMP domain of the domain name, device ID, and configuration revision number. The VCMP server also sends a Subset-Advert packet to notify switches of VLAN names and descriptions that have changed. When a VCMP client is added or restarts, it sends an Advert-Request packet to the VCMP server to request the VLAN information held on the server.
Multi-Server Trap
Only one VCMP server exists in a VCMP domain. To guard against bogus VCMP servers, the VCMP server compares the VCMP domain name, device ID, and source MAC address in each received Summary-Advert packet with its own. If the VCMP domain name and device ID match the local ones but the source MAC address in the packet differs from the system MAC address, the VCMP server sends a multi-server event trap to the NMS.
To prevent the VCMP server from being affected by too many traps, it sends such traps to the NMS at most once every 30 minutes.
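The multi-server check and its 30-minute trap rate limit, as an added example that is not Huawei code and not from this page. The packet fields, the trap text, and the injected clock are assumptions made for the example; the sample adverts fed through `run_sample()` are constructed, not captured.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class SummaryAdvert:
    # Constructed view of the fields the section says the server compares.
    domain_name: str
    device_id: str
    src_mac: str  # source MAC of the frame carrying the advert


@dataclass
class MultiServerDetector:
    """Server-side multi-server check (added example, not Huawei code)."""

    domain_name: str
    device_id: str
    system_mac: str
    trap_interval_s: int = 30 * 60  # at most one trap per 30 minutes
    last_trap_at: Optional[float] = None
    traps: List[str] = field(default_factory=list)

    def on_summary_advert(self, pkt: SummaryAdvert, now: float) -> Optional[str]:
        """Return the trap text sent to the NMS, or None if nothing is sent."""
        # Different domain name or device ID: not claiming to be this server.
        if pkt.domain_name != self.domain_name or pkt.device_id != self.device_id:
            return None
        # Same identity and our own MAC (e.g. looped back): nothing to report.
        if pkt.src_mac.lower() == self.system_mac.lower():
            return None
        # Conflict: same domain/ID from another MAC. Apply the 30-minute limit.
        if self.last_trap_at is not None and now - self.last_trap_at < self.trap_interval_s:
            return None
        self.last_trap_at = now
        trap = (f"VCMP multi-server event: domain={self.domain_name} "
                f"device_id={self.device_id} conflicting_src_mac={pkt.src_mac}")
        self.traps.append(trap)
        return trap


def run_sample() -> MultiServerDetector:
    """Feed constructed adverts (not captured traffic) through the detector."""
    det = MultiServerDetector("dept-a", "0001", "00:11:22:33:44:55")
    det.on_summary_advert(SummaryAdvert("dept-a", "0001", "00:11:22:33:44:55"), now=0)        # self
    det.on_summary_advert(SummaryAdvert("dept-b", "0001", "aa:bb:cc:dd:ee:01"), now=10)       # other domain
    det.on_summary_advert(SummaryAdvert("dept-a", "0001", "aa:bb:cc:dd:ee:02"), now=20)       # conflict: trap
    det.on_summary_advert(SummaryAdvert("dept-a", "0001", "aa:bb:cc:dd:ee:02"), now=600)      # suppressed
    det.on_summary_advert(SummaryAdvert("dept-a", "0001", "aa:bb:cc:dd:ee:02"), now=20 + 1800)  # trap again
    return det


if __name__ == "__main__":
    for line in run_sample().traps:
        print(line)
```

Passing the clock in explicitly keeps the rate limit testable; on a real device the same check would read the system clock, and the NMS side should treat even one such trap as worth investigating, since the suppression window hides how many conflicting adverts actually arrived.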
VCMP Authentication
When an unauthorized switch joins a VCMP domain, VLAN information on the switch may be synchronized in the VCMP domain, affecting network stability. To prevent unauthorized switches from joining a VCMP domain and enhance VCMP domain security, configure a VCMP domain authentication password on the VCMP server and clients.
If a VCMP domain authentication password is configured on the VCMP server or a VCMP client, the switch uses the password string (an empty string by default) as the key and performs SHA-256 over the VCMP domain name and device ID to obtain a digest. The digest is carried in Summary-Advert, Subset-Advert, and Advert-Request packets. When a VCMP client in the VCMP domain receives a Summary-Advert or Subset-Advert packet from the VCMP server, it uses its locally configured password to perform SHA-256 over the VCMP domain name, device ID, and configuration revision number, and compares the calculated digest with the digest in the packet. If the two match, the packet passes authentication and further VCMP processing is performed; otherwise, the packet is discarded. When the VCMP server receives an Advert-Request packet from a VCMP client, authentication and processing work the same way.
If no domain authentication password is set, VCMP packets pass without authentication.
In a VCMP domain, the VCMP domain authentication password on the VCMP server and clients must be the same.
To ensure device security, change the password periodically.
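The keyed-digest exchange described under VCMP Authentication, as an added example that is not Huawei code and not from this page. The page says the password is the key and SHA-256 is applied over the identity fields; the exact keyed construction, the field encoding, and the inclusion of the configuration revision number on both the sending and verifying side are assumptions made here (HMAC-SHA256 over length-prefixed fields).

```python
import hashlib
import hmac
from dataclasses import dataclass


def vcmp_auth_digest(password: str, domain_name: str, device_id: str, revision: int) -> bytes:
    """Keyed SHA-256 digest over the identity fields.

    ASSUMPTIONS (not specified on the page): the key is the password string
    (empty by default, as the page states); the keyed construction is
    HMAC-SHA256; fields are length-prefixed so their boundaries are unambiguous.
    """
    fields = (domain_name.encode(), device_id.encode(), revision.to_bytes(4, "big"))
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(password.encode(), message, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthenticatedAdvert:
    # Constructed view of a Summary-/Subset-Advert carrying the digest.
    domain_name: str
    device_id: str
    revision: int
    digest: bytes


def build_advert(password: str, domain_name: str, device_id: str, revision: int) -> AuthenticatedAdvert:
    """Server side: attach the digest computed with the configured password."""
    return AuthenticatedAdvert(
        domain_name, device_id, revision,
        vcmp_auth_digest(password, domain_name, device_id, revision),
    )


def accept_advert(local_password: str, pkt: AuthenticatedAdvert) -> bool:
    """Client side: recompute with the local password; discard on mismatch.

    compare_digest avoids leaking how many leading bytes matched through timing.
    """
    expected = vcmp_auth_digest(local_password, pkt.domain_name, pkt.device_id, pkt.revision)
    return hmac.compare_digest(expected, pkt.digest)


if __name__ == "__main__":
    pkt = build_advert("s3cret", "dept-a", "0001", 0x3A7F0002)  # constructed values
    print("same password:", accept_advert("s3cret", pkt))
    print("other password:", accept_advert("wrong", pkt))
```

Two consequences follow from the page's rules and show up in the checks: a client left at the empty default password rejects adverts from a server that has a password set, which is why the password must match on every switch in the domain, and a domain where every switch keeps the empty default accepts any advert whose digest was computed with the empty key, which is the "passes without authentication" case.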