No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
S2720, S5700, and S6700 V200R019C10 Configuration Guide - Device Management

This document describes the configurations of Device Management, including device status query, hardware management, Stack, SVF, cloud-based management, PoE, monitoring interface, OPS, energy-saving management, information center, fault management, NTP, synchronous ethernet, PTP.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the Parent

Configuring the Parent

Configuration Procedure

The parent can be an independent device, a cluster or a stack. To ensure high reliability for an SVF system, configure the parent as a cluster or a stack. For cluster configuration details, see CSS Configuration in the Configuration Guide - Device Management of modular switches. For stack configuration details, see Stack Configuration in the Configuration Guide - Device Management of fixed switches. After the parent is selected, perform the following configurations in sequence.

Enabling the SVF Function on the Parent

Context

The SVF function is disabled on the parent by default and needs to be enabled using a command. Before enabling the SVF function, you need to perform the following configuration:
  • Establish a CAPWAP link between the parent and ASs.
    • Configure a management VLAN on the parent for Layer 2 communication with ASs.
    • Configure a DHCP address pool on the parent to allocate IP addresses to ASs.
    • Configure a CAPWAP source interface.
  • Ensure that requirements for enabling the SVF function have been met.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run as-mode disable

    Change the device working mode to the parent mode.

    If the S5732-H24UM2CC, S5732-H48UM2CC, S6730-S, S6730S-S, S6720-SI, S6720S-SI, S6720-EI, and S6720S-EI function as the parent, change the working mode of the switch to the parent mode first. By default, a switch works in AS mode. The configured working mode takes effect after the switch restarts.

  3. Run vlan batch vlan-id

    The management VLAN is created for the SVF system and cannot be VLAN 1 or VLAN 4093.

  4. Configure a DHCP address pool.
    1. Run dhcp enable

      DHCP is enabled on the parent.

    2. Run interface vlanif vlan-id

      A VLANIF interface is created and the VLANIF interface view is displayed.

      vlan-id must be consistent with that management VLAN.

    3. Run ip address ip-address { mask | mask-length }

      An IP address is configured for the VLANIF interface.

      This address is also used as the source address for setting up a CAPWAP link.

    4. Run dhcp select interface

      The DHCP server function is configured to assign IP addresses from the interface address pool to clients.

      The DHCP server function enables an AS to obtain an IP address from the parent.

    5. (Optional) Run dhcp server option 43 ip-address ip-address

      The parent is configured to send its IP address in the Option 43 field to an AS.

      The parent can send its IP address in the Option 43 field to an AS. The IP address must be the same as that configured in step c.

      If the Option 43 field is not configured, an AS obtains the IP address of the parent in broadcast mode. If the Option 43 field is configured, an AS sets up a CAPWAP link with only a specified IP address, and does not obtain the IP address of the parent in broadcast mode. To improve service reliability, you are advised to configure the parent to send its IP address in the Option 43 field to an AS.

    6. Run quit

      Exit from the VLANIF interface view.

  5. Run capwap source interface vlanif vlan-id

    The source interface on which the parent sets up a CAPWAP link with an AS is configured.

    vlan-id must be consistent with that management VLAN.

    You are not advised to configure other services except the preceding configurations in the management VLAN and corresponding VLANIF interface of the SVF system. Otherwise, ASs or APs cannot go online normally.

    If the SVF function is enabled, only one source interface can be configured.

  6. Check whether requirements for enabling the SVF function on the parent are met.

    Requirements

    Criteria

    Commands to Be Executed If Requirements Are Not Met

    The NAC configuration mode is unified mode.

    By default, the NAC configuration mode is unified mode.

    When enabling the SVF function, ensure that the current and next startup NAC configuration modes are the unified mode. You can run the display authentication mode command to check the current and next startup NAC configuration modes. If the two modes are the unified mode, this step is not required. If the modes are not the unified mode, change them to the unified mode.

    After changing the NAC configuration mode, save the configuration and then restart the device to make the configuration take effect.

    authentication unified-mode

    The STP working mode is STP or RSTP mode.

    By default, the STP working mode is MSTP mode.

    When enabling the SVF function, ensure that the STP working mode is STP or RSTP mode. You can run the display stp command to check the current STP working mode. If the mode is STP or RSTP mode, ignore this step. If the mode is not STP or RSTP mode, set the STP working mode to STP or RSTP mode.

    stp mode { rstp | stp }

    The STP/RSTP port path cost is calculated using IEEE 802.1t (dot1t) standard.

    The default STP/RSTP port path cost algorithm is restored.

    By default, IEEE 802.1t (dot1t) standard is used to calculate the STP/RSTP port path cost.

    When enabling the SVF function, ensure that the default STP/RSTP port path cost algorithm is used. You can run the display stp command to check the current STP/RSTP port path cost algorithm. If the algorithm is not the default value, restore the default STP/RSTP port path cost algorithm.

    undo stp pathcost-standard

    The device role on a transparent transmission network is customer. This requirement must be met only when the modular switches as the parent.

    The default device role on a transparent transmission network is restored.

    By default, a device is a customer on a transparent transmission network.

    When enabling the SVF function, ensure that the default device role on a transparent transmission network is used. You can run the display bpdu-tunnel global config command to check the current device role. If the default device role is used, ignore this step. If the default device role is not used, restore the default device role.

    undo bpdu-tunnel stp bridge role provider

    No MSTP process is configured.

    You can run the display current-configuration command to check whether the MSTP process configuration exists. If so, perform this step to delete the configuration. If not, ignore this step.

    undo stp process process-id

    Remote authorization is not configured.

    By default, remote authorization is not configured.

    When enabling the SVF function, ensure that remote authorization is not configured. You can run the display current-configuration command to check whether remote authorization is configured. If remote authorization is not configured, ignore this step. If remote authorization is configured, disable remote authorization.
    • Run the aaa command to enter the AAA view.
    • Run the service-scheme service-scheme-name command to enter the service scheme view.
    • Run the undo remote-authorize command to disable remote authorization.

  7. Run uni-mng

    The SVF function is enabled and the uni-mng view is displayed.

    By default, SVF is disabled.

  8. (Optional) Run topology explore [ interval interval ]

    The interval for collecting SVF network topology information is set.

    By default, the interval for collecting SVF network topology information is 10 minutes. If interval interval is not specified, SVF network topology collection is triggered immediately.

    You can adjust the interval for collecting SVF network topology information based on SVF network stability. When the network topology is stable, you can increase the interval or disable periodic topology information collection. When the network topology is unstable, you can shorten the interval.

Configuring a Fabric Port (on the Parent)

Context

When the parent connects to a level-1 AS through a fabric port across a network, the parent-side fabric port needs to be configured to the indirect connection mode. After this fabric port is bound to an Eth-Trunk, the configurations required for Layer 2 management VLAN communication on the Eth-Trunk must be manually configured. However, if the parent is directly connected to a level-1 AS, these configurations can be automatically generated.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run interface fabric-port port-id

    A fabric port is created and the fabric port view is displayed.

  4. Run port connect-type indirect

    The indirect connection mode is configured for the fabric port.

    The default connection mode of a fabric port is direct connection.

  5. Run port member-group interface eth-trunk trunk-id

    The fabric port is bound to an Eth-Trunk.

    A fabric port can be bound to only the Eth-Trunk that has not been created. When a fabric port is bound to an Eth-Trunk, the system creates the Eth-Trunk.

  6. (Optional) Run description description

    The description of the fabric port is configured.

    By default, a fabric port does not have a description.

    To facilitate fabric port management and identification, you can configure descriptions for fabric ports. For example, you can describe the name of an AS that connects to a fabric port.

  7. Run quit

    Exit from the fabric port view.

  8. Run quit

    Exit from the uni-mng view.

  9. Run interface eth-trunk trunk-id

    The Eth-Trunk interface view is displayed. The Eth-Trunk is the one bound in step 5. Perform the following configurations on the Eth-Trunk for Layer 2 management VLAN communication.

    Configuration

    Command

    Description

    Set the link type of the Eth-Trunk to hybrid.

    port link-type hybrid

    -

    Add a port to the management VLAN.

    port hybrid tagged vlan vlan-id

    -

    Enable root protection.

    stp root-protection

    -

    Configure the port as a non-edge port.

    stp edged-port disable

    -

    Disable an interface from detecting loops in the local VLAN (applicable only to modular switches).

    loop-detection disable

    -

    Configure the port as a control point.

    authentication control-point open

    -

    Configure the Eth-Trunk to work in LACP mode.

    mode lacp

    The Eth-Trunk working mode configuration must be consistent on the member port in the indirectly connected fabric port of the parent and the Layer 2 network port connected to the member port. If the Eth-Trunk working mode on the Layer 2 network port is set to LACP, the Eth-Trunk working mode on the member port must also be set to LACP.

  10. Run quit

    The Eth-Trunk interface view is displayed.

  11. Run interface interface-type interface-number

    The interface view is displayed.

  12. Run eth-trunk trunk-id

    The current interface is added to the Eth-Trunk.

    • You can perform the two steps multiple times to add multiple interfaces to an Eth-Trunk.

    • Before removing an Up member port from a fabric port, run the shutdown command in the interface view to shut down the member port.

    • When a port joins a downlink fabric port of the parent, the port enters the blocking state. When the port negotiates with the peer port successfully, the port is unblocked.

Verifying the Configuration

  • Run the display uni-mng interface fabric-port configuration [ parent | as name as-name ] command to check the fabric port configuration.

  • Run the display uni-mng interface fabric-port [ port-id ] state command to check the fabric port status.

Pre-configuring an AS Name

Context

You can configure a name for an AS and use the name to uniquely identify the AS. This configuration facilitates AS identification and management.

If no AS name is configured, system default name-device MAC address is used as the AS name after the AS connects to an SVF system.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run as name as-name model as-model mac-address mac-address

    An AS name is configured.

    By default, an AS uses its system default name-device MAC address as its name after going online.

    Ensure that the model as-model and mac-address mac-address settings are consistent with the actual settings.

    If no AS name is pre-configured before an AS goes online, you can also run this command to modify the AS name after an AS goes online. In this situation, the AS must meet the following conditions:
    • The AS is not bound to any service profile.
    • The AS is not added to any AS group.
    • Ports of the AS are not added to any port group.

Configuring AS Access Authentication

Context

An AS needs to be authenticated before connecting to an SVF system by default. An AS is authenticated using a blacklist or whitelist. An AS in the blacklist cannot connect to an SVF system, but an AS in the whitelist can connect to an SVF system. An AS that is neither in the blacklist nor in the whitelist fails the authentication. You need to run the confirm { all | mac-address mac-address } command to allow all ASs or a specified AS to pass the authentication.

You can also configure non-authentication for ASs so that an AS can connect to an SVF system regardless of whether it is in a blacklist or whitelist. Non-authentication has security risks. Therefore, authentication is recommended.

Procedure

  • Authentication is required before an AS connects to an SVF system.
    1. Run system-view

      The system view is displayed.

    2. Run as-auth

      The AS authentication view is displayed.

    3. Run undo auth-mode

      The AS needs to be authenticated to connect to an SVF system.

      By default, authentication is required before an AS connects to an SVF system.

    4. Run blacklist mac-address mac-address1 [ to mac-address2 ]

      A blacklist is configured for AS authentication. A maximum of 128 blacklists can be configured.

    5. Run whitelist mac-address mac-address1 [ to mac-address2 ]

      A whitelist is configured for AS authentication. A maximum of 512 whitelists can be configured.

      If there are ASs that are neither in the whitelist nor in the blacklist, you can run the confirm { all | mac-address mac-address } command to allow all ASs or a specified AS to pass the authentication.

  • No authentication is required before an AS connects to an SVF system.
    1. Run system-view

      The system view is displayed.

    2. Run as-auth

      The AS authentication view is displayed.

    3. Run auth-mode none

      The AS does not need to be authenticated to connect to an SVF system.

      By default, authentication is required before an AS connects to an SVF system.

Verify the configuration.

  • Run the display as blacklist command to check the AS blacklist.

  • Run the display as whitelist command to check the AS whitelist.

  • Run the display as unauthorized record command to check the ASs that fail the authentication.

  • Run the display uni-mng unauthen-user command to check information about non-authenticated users on an AS.

  • Run the display uni-mng authen-user command to check authenticated user information on an AS.

  • Run the display uni-mng unauthen-user offline-record command to check offline records of non-authenticated users on an AS.

(Optional) Configuring CAPWAP Tunnel Encryption

Context

The parent and an AS transmit management packets through a CAPWAP tunnel. To ensure tunnel confidentiality and security, you can use Datagram Transport Layer Security (DTLS) to encrypt packets transmitted in the CAPWAP tunnel.

The parent and AS encrypt packets transmitted in the CAPWAP tunnel using the pre-shared key. That is, a key is pre-configured on the parent and AS. When the pre-shared keys of the parent and AS are the same, the parent and AS can negotiate successfully and set up a CAPWAP tunnel.

After DTLS is used for CAPWAP tunnel encryption, the CPUs of the parent and AS participate in DTLS encryption, deteriorating AS login performance. To mitigate this impact, use DTLS only in scenarios requiring high confidentiality.

Procedure

  • Configure a pre-shared key on the parent.
    1. Run system-view

      The system view is displayed.

    2. Run capwap dtls psk psk-value

      A pre-shared key is configured on the parent.

      The default username and password are available in S Series Switches Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    3. (Optional) Run capwap dtls psk-mandatory-match enable

      An AS is not allowed to establish a DTLS session with the parent using the default pre-shared key.

      By default, an AS cannot use the default pre-shared key to establish a DTLS session with the parent.

      When an AS is allowed to establish a DTLS session with the parent using the default pre-shared key, the AS first uses the pre-shared key configured using the as access dtls psk psk-value command to establish a DTLS session with the parent. If the DTLS session cannot be established, the AS uses the default pre-shared key to establish a DTLS session with the parent (it also uses the default pre-shared key).

    4. Run capwap dtls control-link encrypt

      CAPWAP tunnel DTLS encryption is enabled.

      By default, CAPWAP tunnel DTLS encryption is disabled.

    5. (Optional) Run capwap sensitive-info psk psk-value

      The pre-shared key (PSK) for encrypting sensitive information is modified.

      By default, the default PSK is used for encrypting sensitive information.

    6. (Optional) Run capwap message-integrity psk psk-value

      A pre-shared key (PSK) for checking integrity of CAPWAP packets is configured.

      By default, no PSK is configured for checking integrity of CAPWAP packets.

      • The parent and an AS cannot support the HA and CAPWAP tunnel DTLS encryption functions simultaneously. If the two functions are enabled simultaneously, the AS waits until the original CAPWAP tunnel ages before it can re-establish a CAPWAP tunnel when an active/standby switchover occurs on the parent, causing service interruption. When an active/standby switchover occurs on the AS, the AS needs to re-establish a link and go online again, causing service interruption.

      • When the status of DTLS encryption and the shared key for encrypting sensitive information change on the parent or a PSK for checking integrity of CAPWAP packets is configured on the parent, ASs connected to the parent will restart.

      • When an AS is being upgraded, you cannot change the status of DTLS encryption or the shared key for encrypting sensitive information, or cannot configure a PSK for checking integrity of CAPWAP packets on the parent.

  • Configure a pre-shared key on an AS.
    1. Run as access dtls psk psk-value

      A pre-shared key is configured on an AS.

      The default username and password are available in S Series Switches Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

      When CAPWAP tunnel DTLS encryption is enabled on the parent and an AS has connected to the parent, the pre-shared key is automatically delivered to the AS if the pre-shared key is modified on the parent. You are advised not to repeatedly modify the pre-shared key in 10 minutes.

(Optional) Pre-configuring the Stack ID for an AS

Context

When an AS is a stack of multiple member switches, the system pre-configures only stack ID 0 by default. You can only pre-configure services for the member switch with stack ID 0. Before pre-configuring services for another member switch, pre-configure a stack ID for the member switch.

The pre-configured stack ID does not affect the actual stack ID. For example, the pre-configured stack ID is 0 (default value), but the actual stack IDs are 0 and 2. The actual stack IDs remain 0 and 2 except that no services are configured on the device with stack ID 2.

An AS can be a stack of the same device series but different device models. If the stack contains different device models, you need to specify the replace-model parameter to change the device model that is different from the other device models in the stack to the actual access device model. If you do not specify the device model of a specified member, by default, the device model of this member is consistent with the pre-configured AS type.

  • If an AS is a single device but its stack ID is not 0 and no stack ID is configured on the parent, the parent changes the stack ID of the AS to 0 and restarts the AS when the AS connects to the parent.
  • If an AS is a switch that does not support the stacking function, you can pre-configure a stack ID on the parent but the configured stack ID does not take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run as name as-name

    The AS view is displayed.

  4. Run slot slot-id1 replace-model model-name or slot slot-id2 [ to slot-id3 ] [ replace-model model-name ]

    A stack ID is pre-configured for the AS or the pre-configured device model is changed.

    By default, the pre-configured stack ID is 0.

(Optional) Enabling ASs to Automatically Upgrade After Going Online

Context

During online automatic upgrade, an AS checks whether its software version is consistent with that of the parent. If not, the AS searches for and downloads the system software from the parent to upgrade its software version.

The AS first searches for the software version with the same V, R, C, and SPC versions as the parent. If such version is unavailable, the AS searches for the software version with the same V, R, and C versions as the parent and selects the one with the latest SPC version. If no version meets the preceding requirements, the AS does not upgrade its software version. Additionally, a version upgrade failure alarm is generated when the AS runs a software version with a different V, R, or C version than the parent.

  • The files used to upgrade an AS are often saved in the root directory unimng/ of the parent. These files can also be saved on an AS when the AS is upgraded or downgraded to the software version that is consistent with that of the parent.

  • To upgrade an AS, you must configure the FTP or SFTP server function on the parent so that the AS can download the related upgrade files from the parent.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run uni-mng

    The uni-mng view is displayed.

  3. Run upgrade { local-ftp-server | local-sftp-server } username username password password

    The local file server is configured.

    By default, no local file server is configured on the parent.

    • If the local file server is not configured, an AS cannot download upgrade files from the parent and so cannot be upgraded.

    • FTP has potential security risks, and so SFTP is recommended. If you want to use FTP, you are advised to configure ACLs to improve security. For details, see Configure the FTP ACL in "File Management" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Basic Configuration.

    • When the file server is an FTP server, the parent automatically enables the FTP service and creates an FTP user. You only need to run the ftp server-source command to specify the source IP address of the FTP server.

    • When the file server type is set to SFTP, the SFTP service is not automatically enabled and no SFTP user is created on the parent. You need to manually pre-configure SFTP on the parent.

      For more details about the SFTP configuration, see File Management in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Basic Configuration.

    • After the upgrade { local-ftp-server | local-sftp-server } command is executed, the same user name and password configuration is also generated in the AAA view. If you modify the configured local user information (the user password for example) in AAA view, the version management function does not take effect.

    • If information about a user already exists in the AAA view, you cannot run this command to configure the same user name.

    • Running this command multiple times to create new users will delete previous user information. Previous user information can be deleted only when the user level of the user running this command is higher or equal to the user level configured in the AAA view. Otherwise, the command does not take effect.

    • If a remote authentication server is used for AAA authentication, the user name and password configured using this command must also be configured on the remote authentication server.

    • If a remote authentication server is used for AAA authentication and the remote authentication server does not support FTP or SFTP, ASs will fail to be authenticated. In this case, run the authentication-scheme authentication-scheme-name command in the AAA view to create an authentication scheme and run the authentication-mode local command in the authentication scheme view to set the authentication mode to local authentication. Then, run the domain command in the AAA view to create a domain and run the authentication-scheme authentication-scheme-name command in the AAA domain view to apply the created authentication scheme to the domain. ASs can be authenticated when they use the newly created domain for local authentication.

  4. (Optional) Run as type as-type { system-software system-software | patch patch } *

    Files to be loaded on an AS of the specified type are specified.

    If files to be loaded on an AS are specified, the AS downloads the specified files when connecting to an SVF system without searching for the upgrade files, even though the matching system software version exists on the parent.

Translation
简体中文
Download
Updated: 2023-03-02

Document ID: EDOC1100127053

Views: 463287

Downloads: 1246

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :