CloudCampus Solution V100R021C00 Design and Deployment Guide for Small- and Medium-Sized Campus Networks

This document describes network planning, service planning, deployment, and configuration processes for small- and medium-sized campus networks.

VXLAN Fabric Network Management

Overview of VXLAN

Definition

Virtual eXtensible Local Area Network (VXLAN), defined in RFC 7348, is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-User Datagram Protocol (MAC-in-UDP) encapsulation.

Purpose

Cloud computing has become the new trend in enterprise IT construction with its features such as high system utilization, low manpower and management costs, flexibility, and strong scalability. As one of the core technologies of cloud computing, server virtualization has been widely used.

For details about server virtualization, see Server Virtualization.

The extensive deployment of server virtualization greatly increases the computing density in a data center (DC). In addition, virtual machines (VMs) need to be freely migrated on the network to meet flexible service change requirements. These bring challenges to traditional data center networks (DCNs) using the Layer 2 + Layer 3 architecture.

VXLAN addresses the preceding problems:
  • VM scale limited by entry specifications of devices

    Server virtualization leads to an exponential growth in the number of VMs compared with physical servers. However, the MAC address table size of a Layer 2 device at the access side cannot keep pace with this growth.

    VXLAN encapsulates original packets sent by VMs in the same region into UDP packets, and uses the physical IP and MAC addresses as outer headers so that other network devices on the network only sense the UDP packets. This technology greatly reduces the requirements of large Layer 2 networks on MAC address specifications.

  • Provides greater network isolation capabilities.

    While VLAN is the most commonly used network isolation technology, it has its own limitations. The VLAN field in packets is only 12 bits long, which means that at most 4096 VLANs can be used on a network. In public cloud or other large cloud computing scenarios involving tens of thousands of or even more tenants, VLAN technology can no longer meet network isolation requirements.

    A tenant is a complete collection of logical resources deployed on a DCN, including network resources such as VLANs and IP address pools, as well as computing resources such as physical servers and virtual machines (VMs). Each tenant has its own tenant administrator to orchestrate and deploy network services.

    VXLAN uses a VXLAN Network Identifier (VNI) similar to a VLAN ID to identify users. The VNI is 24 bits in length and can identify up to 16 million VXLAN segments, effectively isolating massive tenants in cloud computing scenarios.

  • Limited VM migration scope

    VM migration is a process in which a VM moves from one physical server to another. To ensure uninterrupted services during VM migration, the IP address of the VM must remain unchanged. To meet this requirement, VM migration must occur within a Layer 2 network. However, VM migration on a traditional Layer 2 network is limited to a small scope.

    VXLAN encapsulates original packets sent by VMs over a VXLAN tunnel. VMs at two ends of a VXLAN tunnel do not need to know the physical architecture of the transmission network. In this way, VMs with IP addresses on the same network segment are logically located in the same Layer 2 domain even if they are physically located on different Layer 2 networks. VXLAN technology constructs a virtual large Layer 2 network over a Layer 3 network, so that VMs are on the same large Layer 2 network as long as there are reachable routes between them. The virtual large Layer 2 network enlarges the VM migration scope.

    For details about a large Layer 2 network, see Large Layer 2 Network.

Benefits

As server virtualization is being rapidly deployed on DCs based on the physical network infrastructure, VXLAN offers the following benefits:
  • VXLAN is essentially a VPN technology and can be used to build a Layer 2 virtual network over any networks with reachable routes. VXLAN uses VXLAN gateways to implement communication within a VXLAN network and communication between a VXLAN network and a non-VXLAN network.

  • VXLAN utilizes MAC-in-UDP encapsulation to extend Layer 2 networks. It encapsulates Ethernet packets into IP packets for these Ethernet packets to be transmitted over routes, without considering the MAC addresses of VMs. In addition, routed networks are not limited by the network architecture and support large-scale scalability. As such, VM migration is not constrained by the network architecture.

Understanding VXLANs

VXLAN Network Architecture

VXLAN is an NVO3 network virtualization technology that encapsulates data packets sent from original hosts into UDP packets and encapsulates IP and MAC addresses used on the physical network in outer headers before sending the packets over an IP network. The virtual tunnel endpoint (VTEP) then decapsulates the packets and sends the packets to the destination host.

By leveraging VXLAN, a virtual network can accommodate a large number of tenants. Tenants can plan their own virtual networks without being limited by physical network IP addresses or broadcast domains. This technology significantly simplifies network management, allows VMs to migrate over a large Layer 2 network, and isolates tenants in a virtual.

Similar to a traditional VLAN, a VXLAN also allows for intra- and inter-VXLAN communication.

Intra-VXLAN Communication

VXLAN technology constructs a virtual Layer 2 network over a Layer 3 network, implementing Layer 2 communication between VMs. Figure 9-160 shows intra-VXLAN communication.

Figure 9-160 Intra-VXLAN Communication

Involved concepts

  • VXLAN Network Identifier (VNI)

    A VNI is similar to a VLAN ID on a traditional network, and it identifies a VXLAN segment. Tenants on different VXLAN segments cannot communicate at Layer 2. One tenant may have one or more VNIs. A VNI consists of 24 bits and supports up to 16 million tenants.

  • Broadcast Domain (BD)

    Similar to VLANs divided on a traditional network, BD is used for broadcast domain division on a VXLAN.

    On a VXLAN, to allow Layer 2 communication between VMs in a BD, VNIs and BDs are mapped in 1:1 mode.

  • VXLAN VTEP

    A VTEP encapsulates and decapsulates VXLAN packets.

    The source and destination IP addresses in a VXLAN packet are the IP addresses of the local and remote VTEPs, respectively. A pair of VTEP addresses defines one VXLAN tunnel. A source VTEP encapsulates packets and selects a tunnel to forward them. The corresponding destination VTEP decapsulates the received packets.

  • Virtual Access Point (VAP)

    A VAP is a VXLAN service access point used for service access based on VLANs or packet encapsulation modes. For more information, see VXLAN Identification:
    • Service access based on VLANs: The 1:1 or N:1 mapping between VLANs and BDs is configured on VTEPs. When a VTEP receives a service packet, it forwards the packet in a BD based on the mapping between VLANs and BDs.
    • Service access based on packet encapsulation modes: Layer 2 sub-interfaces are created on a downlink physical interface of a VTEP, and different encapsulation modes are configured for these sub-interfaces to enable different interfaces to receive different data packets. The 1:1 mapping between Layer 2 sub-interfaces and BDs is also defined. Then service packets are sent to specific Layer 2 sub-interfaces after reaching the VTEP. That is, packets are forwarded in a BD based on the mapping between Layer 2 sub-interfaces and BDs.
  • Network Virtualization Edge (NVE)

    An NVE is a network entity used to implement network virtualization functions. After packets are encapsulated and decapsulated through NVEs, a Layer 2 VXLAN can be established between NVEs over the basic Layer 3 network.

  • Layer 2 gateway

    Similar to a Layer 2 access device on a traditional network, it allows tenant access to VXLANs and intra-subnet VXLAN communication in the same network segment.

Inter-VXLAN Network Communication (Centralized Gateway)

VMs in different BDs cannot directly communicate at Layer 2. VXLAN Layer 3 gateways need to be configured to implement Layer 3 communication between VMs. Figure 9-161 shows inter-VXLAN communication.

Figure 9-161 Inter-VXLAN Communication

Involved concepts
  • Layer 3 gateway

    On a traditional network, users in different VLANs cannot directly communicate at Layer 2. Layer 2 communication is also not allowed between VXLANs identified by different VNIs or between VXLANs and non-VXLANs. To address these problems, the VXLAN Layer 3 gateway is introduced to enable data transmission between VXLANs or between VXLANs and non-VXLANs.

    The VXLAN Layer 3 gateway is used for cross-subnet communication on the VXLAN and external network access.

  • VBDIF interface

    On a traditional network, VLANIF interfaces are used to enable communication between different VLANs (broadcast domains). Similarly, VBDIF interfaces are introduced in a VXLAN to implement this function.

    The VBDIF interface is configured on the VXLAN Layer 3 gateway and is a Layer 3 logical interface based on BDs. After IP addresses are configured for VBDIF interfaces, VXLANs on different network segments, VXLANs and non-VXLANs, and Layer 2 and Layer 3 networks can communicate with each other.

Inter-VXLAN Network Communication (Distributed Gateway)

A distributed gateway is a device that supports the functions of both a VXLAN Layer 2 gateway and a Layer 3 gateway. As shown in Figure 9-162, the VTEP device works as a Layer 2 gateway on the VXLAN network and is connected to hosts, allowing terminal tenants to access the VXLAN network. The VTEP device can also work as a Layer 3 gateway on the VXLAN network, allowing terminal tenants across subnets to communicate with each other and access the extranet. The distributed gateway is supported only for the VXLAN network deployed in BGP EVPN mode.

Figure 9-162 Inter-VXLAN communication

The VXLAN distributed gateway has the following characteristics:
  • One VTEP node can work as a VXLAN Layer 2 or 3 gateway, enabling flexible deployment.
  • Unlike the centralized Layer 3 gateway which has to learn the ARP entries of all servers, the VTEP node only needs to learn the ARP entries of the connected server, solving the ARP entry problem of the centralized Layer 3 gateway and improving network scalability.

Comparison Between VXLAN and VLAN

The following table lists the differences between VXLAN and VLAN.

Table 9-555 Comparison between VXLAN and VLAN

Concept
  VLAN: Virtual local area network
  VXLAN: Virtual extensible local area network

Implementation method
  VLAN: A physical LAN is divided into multiple BDs logically to limit the network to a small geographic range.
  VXLAN: Layer 2 virtual networks are established between networks with reachable routes. Such networks are not subject to geographical restrictions and can deliver large-scale scalability.

Supported capacity
  VLAN: VLAN is the most commonly used network isolation technology. The VLAN field in packets is only 12 bits in length, which means that only a maximum of 4096 VLANs can be used on a network. In public cloud or other cloud computing scenarios involving tens of thousands or even more tenants, VLAN technology can no longer meet network isolation requirements.
  VXLAN: VXLAN is a new network isolation technology defined in IETF RFC 7348. It has a 24-bit segment identifier (VNI) and can isolate up to 16 million tenants. This technology effectively enables isolation of mass tenants in cloud computing.

Network division mode
  VLAN: VLAN IDs are used to divide broadcast domains. Hosts within a BD can communicate at Layer 2.
  VXLAN: BDs are used to divide broadcast domains. VMs within a BD can communicate at Layer 2.

Encapsulation mode
  VLAN: A VLAN tag is added to packets.
  VXLAN: During VXLAN encapsulation, a VXLAN header, UDP header, IP header, and outer MAC header are added in sequence to an original packet. For details, see Packet Encapsulation Format.

Network communication mode
  VLAN: Inter-VLAN communication is implemented by VLANIF interfaces. As Layer 3 logical interfaces, VLANIF interfaces enable Layer 3 communication between VLANs.
  VXLAN: Communication between VXLANs or between VXLANs and non-VXLANs is implemented by VBDIF interfaces. VBDIF interfaces are configured on VXLAN Layer 3 gateways and are Layer 3 logical interfaces based on BDs.

Benefits
  VLAN:
    • Limits broadcast domains: A broadcast domain is limited to a VLAN, which saves bandwidth and improves network processing capabilities.
    • Enhances LAN security: Packets from different VLANs are separately transmitted. Hosts in a VLAN cannot directly communicate with hosts in another VLAN.
  VXLAN:
    • Location-independent capability: Services can be deployed flexibly at any location, solving network expansion issues related to server virtualization.
    • Flexible network deployment: VXLANs are constructed over the traditional network. They are easy to deploy and highly scalable while preventing broadcast storms on a large Layer 2 network.
    • Cloud service adaptation: A VXLAN is able to isolate over ten million tenants and support large-scale deployment of cloud services.
    • Technical advantage: VXLAN uses MAC-in-UDP encapsulation. This encapsulation mode does not rely on the MAC addresses of VMs, reducing the number of MAC address entries required on a large Layer 2 network.

Combinations of Underlay and Overlay Networks

The infrastructure network on which VXLAN tunnels are established is called the underlay network, and the service network carried over VXLAN tunnels is called the overlay network. VXLAN-capable S series switches support the following combinations of underlay and overlay networks.

Category: IPv4 over IPv4
  Description: The overlay and underlay networks are both IPv4 networks.
  Example: The network shown in Figure 9-163 is of this category if the host IP addresses and VXLAN tunnel endpoint (VTEP) IP addresses are all IPv4 addresses.

Category: IPv6 over IPv4
  Description: The overlay network is an IPv6 network, and the underlay network is an IPv4 network.
  Example: The network shown in Figure 9-163 is of this category if the host IP addresses are IPv6 addresses and the VTEP IP addresses are IPv4 addresses.

Category: IPv4 over IPv6
  Description: The overlay network is an IPv4 network, and the underlay network is an IPv6 network.
  Example: The network shown in Figure 9-163 is of this category if the host IP addresses are IPv4 addresses and the VTEP IP addresses are IPv6 addresses.

Category: IPv6 over IPv6
  Description: The overlay and underlay networks are both IPv6 networks.
  Example: The network shown in Figure 9-163 is of this category if the host IP addresses and VTEP IP addresses are all IPv6 addresses.

Figure 9-163 Combinations of underlay and overlay networks

Packet Encapsulation Format

During VXLAN encapsulation, a VXLAN header, UDP header, IP header, and Ethernet header are added in sequence to an original packet.

Figure 9-164 shows the packet encapsulation format.

Figure 9-164 VXLAN packet format

Table 9-556 describes headers added to an original packet during VXLAN encapsulation.

Table 9-556 Description of headers added to an original packet

Field

Description

VXLAN header

  • VXLAN Flags: specifies flags (8 bits). The value is 00001000.
  • Group ID: indicates the user group ID (16 bits). When the first bit of VXLAN Flags is 1, the value is the group ID. When the first bit of VXLAN Flags is 0, the value is 16 zeros.
  • VNI: specifies an identifier (24 bits) used to identify a VXLAN segment, with up to 16M tenants. Users in different VXLAN segments cannot directly communicate at Layer 2.
  • Reserved: The two reserved fields (8 and 8 bits respectively) are set to 0.

Outer UDP header

  • DestPort: specifies the destination UDP port number. The value is 4789.
  • Source Port: specifies the source UDP port number. For Ethernet packets that contain IP headers, the source UDP port number is calculated using the hash algorithm based on the factors configured using the ecmp load-balance command. For Ethernet packets that do not contain IP headers, the source UDP port number is not calculated using the hash algorithm. The source UDP port numbers in VXLAN headers encapsulated into packets entering the same interface card are the same.

Outer IP header

  • IP SA: specifies the source IP address, which is the IP address of the source VTEP.
  • IP DA: specifies the destination IP address, which is the IP address of the destination VTEP.

Outer Ethernet header

  • MAC DA: specifies the destination MAC address, which is the MAC address of the next-hop device on the route to the destination VTEP.
  • MAC SA: specifies the source MAC address, which is the MAC address of the source VTEP that sends the packet.
  • 802.1Q Tag (optional): specifies the VLAN tag in the packet.
  • Ethernet Type: specifies the type of the Ethernet frame. The value of this field is 0x0800 when an IP packet is transmitted.
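The following Python script is an added example, not part of this guide or of any Huawei product code. It builds the VXLAN header exactly as described in Table 9-556 (Flags, Group ID, Reserved, VNI, Reserved), wraps an inner Ethernet frame in the outer UDP, IPv4 and Ethernet headers, and then validates and strips those headers again the way a receiving VTEP would, rejecting truncated or malformed packets instead of forwarding them. Assumptions: the Group ID flag is taken to be the most significant bit of VXLAN Flags, the source UDP port is derived from a CRC32 of the inner Ethernet header (the guide only states that it is a hash of inner-frame fields), the UDP checksum is left at zero, and all addresses and the inner frame are constructed sample values.

```python
import socket
import struct
import zlib

# Constants from Table 9-556; the bit position of the Group ID flag is an assumption.
VXLAN_UDP_PORT = 4789
FLAG_I = 0x08            # "00001000": the VNI field is valid
FLAG_G = 0x80            # assumed: first bit set means the 16-bit Group ID is present
ETHERTYPE_IPV4 = b"\x08\x00"


def build_vxlan_header(vni, group_id=None):
    """Flags(8) | Group ID or zeros(16) | Reserved(8) | VNI(24) | Reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    flags, gid = FLAG_I, 0
    if group_id is not None:
        if not 0 <= group_id < (1 << 16):
            raise ValueError("Group ID must fit in 16 bits")
        flags, gid = flags | FLAG_G, group_id
    return struct.pack("!BHB", flags, gid, 0) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(data):
    """Validate the 8-byte VXLAN header and return its VNI and optional Group ID."""
    if len(data) < 8:
        raise ValueError("VXLAN header truncated")
    flags, gid, reserved1 = struct.unpack("!BHB", data[:4])
    vni, reserved2 = int.from_bytes(data[4:7], "big"), data[7]
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    if reserved1 or reserved2:
        raise ValueError("reserved bits must be zero")
    if not flags & FLAG_G and gid:
        raise ValueError("Group ID bits set without the G flag")
    return {"vni": vni, "group_id": gid if flags & FLAG_G else None}


def ipv4_checksum(header):
    """Ones-complement sum of 16-bit words; returns 0 for a header whose checksum is correct."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def encapsulate(inner_frame, vni, src_vtep_ip, dst_vtep_ip, src_vtep_mac, next_hop_mac):
    """Prepend VXLAN, UDP, IPv4 and Ethernet headers to an Ethernet frame (IPv4 underlay)."""
    vxlan = build_vxlan_header(vni)
    # Source port from a hash of the inner Ethernet header; CRC32 into the ephemeral range is an assumption.
    src_port = 49152 + zlib.crc32(inner_frame[:14]) % 16384
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)   # UDP checksum not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep_ip), socket.inet_aton(dst_vtep_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(next_hop_mac) + mac_bytes(src_vtep_mac) + ETHERTYPE_IPV4
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(packet):
    """Validate and strip the outer headers; return VTEP addresses, VNI and the inner frame."""
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("packet too short for VXLAN over IPv4")
    if packet[12:14] != ETHERTYPE_IPV4:
        raise ValueError("outer EtherType is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14] >> 4 != 4 or ihl < 20:
        raise ValueError("malformed outer IPv4 header")
    ip = packet[14:14 + ihl]
    if ip[9] != 17 or ipv4_checksum(ip) != 0:
        raise ValueError("outer header is not a valid UDP/IPv4 header")
    udp_off = 14 + ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(packet) - udp_off:
        raise ValueError("not a well-formed VXLAN datagram")
    vx = parse_vxlan_header(packet[udp_off + 8:udp_off + 16])
    return {"src_vtep": socket.inet_ntoa(ip[12:16]), "dst_vtep": socket.inet_ntoa(ip[16:20]),
            "src_port": src_port, "vni": vx["vni"], "group_id": vx["group_id"],
            "inner_frame": packet[udp_off + 16:]}


# Constructed sample: an inner Ethernet frame (ARP EtherType 0x0806) with a dummy payload.
SAMPLE_INNER = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("00:11:22:33:44:55") + b"\x08\x06" + b"\x00" * 28
SAMPLE_PACKET = encapsulate(SAMPLE_INNER, 1000, "10.1.1.1", "10.1.1.2",
                            "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02")

if __name__ == "__main__":
    print(decapsulate(SAMPLE_PACKET))
```

Every check in decapsulate corresponds to a field in Table 9-556: a packet arriving on UDP port 4789 whose I flag is clear, whose reserved bits are non-zero, or whose length does not match its UDP length field is discarded rather than bridged into a BD.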

VXLAN Identification

On a VXLAN network, VNIs are mapped to bridge domains (BDs) in 1:1 mode. A VTEP can determine the correct VXLAN tunnel for forwarding a received packet once it identifies the BD to which the packet belongs. Two methods are available for a VTEP to identify the BD to which a packet belongs.

VXLAN Identification by VLAN

The 1:1 or N:1 mapping between VLANs and BDs is configured on VTEPs based on network planning. After a VTEP receives service packets, it selects a VXLAN tunnel to forward the packets based on the mappings between VLANs and BDs and between BDs and VNIs.

As shown in Figure 9-165, VLANs 10 and 20 are mapped to BD 10. The mappings between BD 10 and VLAN 10 and between BD 10 and VLAN 20 exist on the VTEP. In addition, the VNI of the VXLAN corresponding to BD 10 is 1000. After the VTEP receives a packet from PC_1 or PC_2, the VTEP forwards the packet over the VXLAN tunnel with VNI 1000.

Figure 9-165 VXLAN identification by VLAN

  • When VLAN access is configured on a VXLAN network, if the VLAN mapped to a BD is the port VLAN ID (PVID) of an interface, packets with multiple VLAN tags and the outer VLAN ID being the PVID cannot be transmitted to the VXLAN network.
  • When VLAN access is configured on a VXLAN network, packets cannot be transmitted to the VXLAN network through a dot1q-tunnel interface.

VXLAN Identification by Encapsulation Mode

An encapsulation mode defines packet processing based on whether a packet contains VLAN tags. To implement VXLAN identification by encapsulation mode, Layer 2 sub-interfaces need to be configured on a downlink physical interface of a VTEP, different encapsulation modes need to be configured for these sub-interfaces, and 1:1 mapping between Layer 2 sub-interfaces and BDs needs to be defined. Then service packets are sent to specified Layer 2 sub-interfaces after reaching the VTEP. The VTEP selects a correct VXLAN tunnel to forward packets based on the mappings between Layer 2 sub-interfaces and BDs and between BDs and VNIs.

Table 9-557 lists four default packet processing methods of Layer 2 sub-interfaces that use different encapsulation modes.

Table 9-557 Four default packet processing methods of Layer 2 sub-interfaces that use different encapsulation modes

dot1q
  Type of packets that can enter a VXLAN tunnel: Only packets with a specified VLAN tag
  VXLAN packet encapsulation: Removes the VLAN tag from original packets.
  VXLAN packet decapsulation: Adds a VLAN tag to packets based on the VLAN ID for Dot1q termination on the sub-interface after VXLAN decapsulation and then forwards the packets.

untag
  Type of packets that can enter a VXLAN tunnel: Only packets without VLAN tags
  VXLAN packet encapsulation: Does not perform any operation on original packets.
  VXLAN packet decapsulation: Does not perform any operation on original packets, including adding, replacing, or removing the VLAN tag, after VXLAN decapsulation is performed.

default
  Type of packets that can enter a VXLAN tunnel: All packets regardless of whether they carry VLAN tags
  VXLAN packet encapsulation: Does not perform any operation on original packets, including adding, replacing, or removing the VLAN tag.
  VXLAN packet decapsulation: Does not perform any operation on original packets, including adding, replacing, or removing the VLAN tag, after VXLAN decapsulation is performed.

qinq
  Type of packets that can enter a VXLAN tunnel: Only packets with double specified VLAN tags
  VXLAN packet encapsulation: Removes all VLAN tags from original packets.
  VXLAN packet decapsulation: After performing VXLAN decapsulation:
    • S5720-HI, S5730-HI, S6720-HI, S6730-S, S6730S-S, S5732-H, S5732-H-K, S5731-S, S5731S-S, S5731S-H, S6730-H, S6730-H-K, S6730S-H, S5731-H-K, S5731-H, S5320-HI, S5330-HI, S6320-HI, S5331-H, S5332-H, S6330-H, LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards: Double VLAN tags are added to packets based on the outer and inner VLAN IDs for QinQ termination on the sub-interface configured using the qinq termination pe-vid ce-vid command before the packets are forwarded.
    • Other models and cards: If received packets do not carry any VLAN tag, double VLAN tags are added to the packets based on the outer and inner VLAN IDs for QinQ termination on the sub-interface configured using the qinq termination pe-vid ce-vid command before the packets are forwarded. If received packets carry VLAN tags, the outer VLAN tag is removed and double VLAN tags are added to the packets based on the outer and inner VLAN IDs for QinQ termination on the sub-interface configured using the qinq termination pe-vid ce-vid command before the packets are forwarded.

In Figure 9-166, GE0/0/1 on the VTEP has two sub-interfaces that are configured with different encapsulation modes and associated with different BDs. PC_1 and PC_2 belong to VLAN 10 and VLAN 30 respectively. The uplink interface that connects the Layer 2 switch to the VTEP is a trunk interface, permits packets from VLAN 10 and VLAN 30, and has VLAN 30 as its PVID. When the packet sent by PC_1 arrives at the interface, the packet is transparently transmitted to the VTEP because the default VID of the interface differs from the VID of the packet. When the packet sent by PC_2 arrives at the interface, the tag with VID 30 is removed from the packet because the default VID of the interface is the same as the VID of the packet. Therefore, when the packets sent by PC_1 and PC_2 reach GE0/0/1 of the VTEP, one packet carries VLAN tag 10 and the other carries no VLAN tag. To differentiate the two types of packets, create a dot1q Layer 2 sub-interface and an untag Layer 2 sub-interface on GE0/0/1.
  • Create Layer 2 sub-interface GE0/0/1.1, set the encapsulation type to dot1q, and configure the sub-interface to allow packets with VLAN tag 10 to enter a VXLAN tunnel.

  • Create Layer 2 sub-interface GE0/0/1.2, set the encapsulation type to untag, and configure the sub-interface to allow untagged packets to enter a VXLAN tunnel.

After packets from PC_1 or PC_2 reach the VTEP, the VTEP sends the packets to different Layer 2 sub-interfaces based on the VLAN tags in the packets. The VTEP then selects the correct VXLAN tunnel to forward the packets based on the mappings between sub-interfaces and BDs and between BDs and VNIs.

Figure 9-166 VXLAN identification by encapsulation mode
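The following Python model is an added example, not part of this guide or of any Huawei switch software. It covers both identification methods described above: the VLAN-to-BD-to-VNI lookup from VXLAN Identification by VLAN (including the PVID caveat) and the four sub-interface encapsulation modes from Table 9-557, applied to the Figure 9-166 topology. Frames are represented only by their list of VLAN tags (outermost first). Assumptions: sub-interfaces are matched most-specific first (qinq, dot1q, untag, default), which the guide does not state; BD 10 maps to VNI 1000 as in Figure 9-165, while BD 20 to VNI 2000 and the qinq sub-interface values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# A frame is modelled as a list of VLAN IDs, outermost first; [] is an untagged frame.


@dataclass
class SubInterface:
    name: str
    mode: str                      # "dot1q", "untag", "default" or "qinq"
    bd: int                        # BD mapped 1:1 to this sub-interface
    vlan: Optional[int] = None     # dot1q: VLAN admitted and re-added on decapsulation
    pe_vid: Optional[int] = None   # qinq: outer VLAN (qinq termination pe-vid ce-vid)
    ce_vid: Optional[int] = None   # qinq: inner VLAN


def identify_by_vlan(tags, vlan_to_bd, bd_to_vni, pvid=None):
    """VLAN-based identification: outer VLAN -> BD -> VNI. Returns the VNI or None (dropped)."""
    if not tags:
        return None
    if len(tags) > 1 and tags[0] == pvid:     # guide caveat: multi-tagged frame in the PVID cannot enter
        return None
    bd = vlan_to_bd.get(tags[0])
    return None if bd is None else bd_to_vni.get(bd)


def match_subif(subifs, tags):
    """Pick the sub-interface whose encapsulation mode admits the frame (precedence is an assumption)."""
    for mode in ("qinq", "dot1q", "untag", "default"):
        for s in subifs:
            if s.mode != mode:
                continue
            if mode == "qinq" and len(tags) >= 2 and (tags[0], tags[1]) == (s.pe_vid, s.ce_vid):
                return s
            if mode == "dot1q" and tags and tags[0] == s.vlan:
                return s
            if mode == "untag" and not tags:
                return s
            if mode == "default":
                return s
    return None


def vtep_ingress(subifs, bd_to_vni, tags):
    """Encapsulation side of Table 9-557: strip tags per mode, pick the VNI via sub-interface -> BD -> VNI."""
    s = match_subif(subifs, tags)
    if s is None:
        return None
    if s.mode == "dot1q":
        inner = tags[1:]            # the matched VLAN tag is removed
    elif s.mode == "qinq":
        inner = []                  # all VLAN tags are removed
    else:
        inner = list(tags)          # untag / default: unchanged
    return s.name, bd_to_vni[s.bd], inner


def vtep_egress(s, tags, strict_qinq=True):
    """Decapsulation side of Table 9-557. strict_qinq=True is the behaviour of the models listed
    in the table (always add both tags); False is the behaviour of the other models."""
    if s.mode == "dot1q":
        return [s.vlan] + list(tags)
    if s.mode in ("untag", "default"):
        return list(tags)
    if strict_qinq or not tags:
        return [s.pe_vid, s.ce_vid] + list(tags)
    return [s.pe_vid, s.ce_vid] + list(tags[1:])   # other models: outer tag removed, then double tags added


def trunk_egress(tags, pvid):
    """Layer 2 switch trunk port: a frame in the PVID leaves untagged, others keep their tag."""
    return tags[1:] if tags and tags[0] == pvid else list(tags)


# Constructed Figure 9-166 topology: GE0/0/1.1 (dot1q, VLAN 10, BD 10) and GE0/0/1.2 (untag, BD 20).
GE0_0_1 = [SubInterface("GE0/0/1.1", "dot1q", bd=10, vlan=10),
           SubInterface("GE0/0/1.2", "untag", bd=20)]
BD_TO_VNI = {10: 1000, 20: 2000}   # BD 20 -> VNI 2000 is assumed


def figure_9_166_walkthrough():
    """PC_1 (VLAN 10) and PC_2 (VLAN 30) cross a trunk with PVID 30 and reach GE0/0/1 on the VTEP."""
    return {pc: vtep_ingress(GE0_0_1, BD_TO_VNI, trunk_egress([vlan], pvid=30))
            for pc, vlan in (("PC_1", 10), ("PC_2", 30))}


if __name__ == "__main__":
    print(figure_9_166_walkthrough())
```

A frame that matches no sub-interface (for example a frame still tagged with VLAN 30 arriving on GE0/0/1 in this topology) yields None and is not bridged into any BD; that is the property worth checking when a port carries more VLANs than the sub-interfaces account for.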

VXLAN Tunnel Establishment Mode

A VXLAN tunnel is identified by a pair of VTEP IP addresses. Packets are encapsulated on VTEPs and then transmitted in the VXLAN tunnel via routing. After a VXLAN tunnel is configured, it can be established successfully as long as the VTEPs at both ends of the tunnel have reachable routes to each other's IP address at Layer 3.

Figure 9-167 VXLAN networking

Based on tunnel creation modes, VXLAN tunnels are divided into:
  • Static VXLAN tunnels: created by manually configuring the local and remote VNIs, VTEP IP addresses, and ingress replication lists. This mode is applicable only to the centralized VXLAN gateway scenario.
  • Dynamic VXLAN tunnels: dynamically established using BGP Ethernet VPN (EVPN). When BGP EVPN is used to dynamically establish a VXLAN tunnel, the local and remote VTEPs first establish a BGP EVPN peer relationship before exchanging BGP EVPN routes to learn the VNIs and VTEP IP addresses from each other. This mode is applicable to both centralized and distributed VXLAN gateway scenarios.

BGP EVPN Basic Principles

Introduction

Ethernet virtual private network (EVPN) is a VPN technology used for Layer 2 internetworking. EVPN is similar to BGP/MPLS IP VPN. EVPN defines a new type of BGP network layer reachability information (NLRI), called the EVPN NLRI. The EVPN NLRI defines new BGP EVPN routes to implement MAC address learning and advertisement between Layer 2 networks at different sites.

VXLAN does not provide the control plane, and VTEP discovery and host information (IP and MAC addresses, VNIs, and gateway VTEP IP address) learning are implemented by traffic flooding on the data plane, resulting in high traffic volumes on VXLAN networks. To address this problem, VXLAN uses EVPN as the control plane. EVPN allows VTEPs to exchange BGP EVPN routes to implement automatic VTEP discovery and host information advertisement, preventing unnecessary traffic flooding.

EVPN uses extended BGP and defines new BGP EVPN routes to transmit VTEP addresses and host information. As such, the application of EVPN on VXLANs moves VTEP discovery and host information learning from the data plane to the control plane.

BGP EVPN Routes

EVPN NLRI defines the following BGP EVPN route types applicable to the VXLAN control plane:

Type 2 route—MAC/IP route

The following figure shows the format of MAC/IP routes.

Figure 9-168 MAC/IP route

The following table describes the fields.

Route Distinguisher
  RD value of an EVPN instance

Ethernet Segment Identifier
  Unique ID for defining the connection between local and remote devices

Ethernet Tag ID
  VLAN ID configured on the device

MAC Address Length
  Length of the host MAC address carried in the route

MAC Address
  Host MAC address carried in the route

IP Address Length
  Mask length of the host IP address carried in the route

IP Address
  Host IP address carried in the route

MPLS Label1
  Layer 2 VNI carried in the route

MPLS Label2
  Layer 3 VNI carried in the route

MAC/IP routes function as follows on the VXLAN control plane:

  • MAC address advertisement

    To implement Layer 2 communication between intra-subnet hosts, the source and remote VTEPs must learn the MAC addresses of the hosts. The VTEPs function as BGP EVPN peers to exchange MAC/IP routes so that they can obtain the host MAC addresses. The MAC Address Length and MAC Address fields identify the MAC address of a host.

  • ARP advertisement

    A MAC/IP route can carry both the MAC and IP addresses of a host, and therefore can be used to advertise ARP entries between VTEPs. The MAC Address and MAC Address Length fields identify the MAC address of the host, whereas the IP Address and IP Address Length fields identify the IP address of the host. This type of MAC/IP route is called the ARP route. ARP advertisement applies to the following scenarios:

    1. ARP broadcast suppression. After a Layer 3 gateway learns the ARP entries of a host, it generates host information that contains the host IP and MAC addresses, Layer 2 VNI, and gateway's VTEP IP address. The Layer 3 gateway then transmits an ARP route carrying the host information to a Layer 2 gateway. When the Layer 2 gateway receives an ARP request, it checks whether it has the host information corresponding to the destination IP address of the packet. If such host information exists, the Layer 2 gateway replaces the broadcast MAC address in the ARP request with the destination unicast MAC address and unicasts the packet. This implementation suppresses ARP broadcast packets.

    2. VM migration in distributed gateway scenarios. After a VM migrates from one gateway to another, the new gateway learns the ARP entry of the VM (after the VM sends gratuitous ARP packets) and generates host information that contains the host IP and MAC addresses, Layer 2 VNI, and gateway's VTEP IP address. The new gateway then transmits an ARP route carrying the host information to the original gateway. After the original gateway receives the ARP route, it detects a VM location change and triggers ARP probe. If ARP probe fails, the original gateway withdraws the ARP and host routes of the VM.

  • IP route advertisement

    In distributed VXLAN gateway scenarios, to implement Layer 3 communication between inter-subnet hosts, the source and remote VTEPs that function as Layer 3 gateways must learn the host IP routes. The VTEPs function as BGP EVPN peers to exchange MAC/IP routes so that they can obtain the host IP routes. The IP Address Length and IP Address fields identify the destination address of the IP route. In addition, the MPLS Label2 field must carry the Layer 3 VNI. This type of MAC/IP route is called the integrated routing and bridging (IRB) route.

    An ARP route carries host MAC and IP addresses and a Layer 2 VNI. An IRB route carries host MAC and IP addresses, a Layer 2 VNI, and a Layer 3 VNI. Therefore, an IRB route contains all the information of an ARP route and can be used to advertise IP routes as well as ARP entries.

  • ND entry flooding

    A MAC/IP route can carry both the MAC address and IPv6 address of a host. Therefore, this type of route can be used to transmit ND entries between VTEPs, implementing ND entry advertisement. The MAC Address and MAC Address Length fields carried in a MAC/IP route indicate information about the host MAC address, and the IP Address and IP Address Length fields indicate information about the host IPv6 address. The MAC/IP route in this case is also called an ND route. ND entry flooding applies to the following scenarios:
    • NS multicast suppression. After a VXLAN gateway collects information about a local IPv6 host, it generates an NS multicast suppression entry and floods the entry through a MAC/IP route. After receiving the MAC/IP route, other VXLAN gateways (BGP EVPN peers) each generate a local NS multicast suppression entry. In this manner, when a VXLAN gateway receives an NS message, it searches the local NS multicast suppression table. If an entry is hit, the VXLAN gateway directly performs multicast-to-unicast processing to reduce or suppress NS message flooding.

    • IPv6 VM migration in a distributed gateway scenario. After an IPv6 VM is migrated from one gateway to another, the VM sends a gratuitous NA message. After receiving the message, the new gateway generates an ND entry and floods it to the original gateway through a MAC/IP route. After receiving the route, the original gateway detects that the location of the IPv6 VM has changed and triggers NUD. When the original gateway cannot detect the IPv6 VM in the original location, it deletes its local ND entry and uses a MAC/IP route to instruct the new gateway to delete the old proxy ND entry for the IPv6 VM.

  • Host IPv6 route advertisement

    In a distributed gateway scenario, to implement Layer 3 communication between hosts on different subnets, the VTEPs (functioning as Layer 3 gateways) must learn host IPv6 routes from each other. To achieve this, VTEPs as EVPN peers exchange MAC/IP routes to advertise host IPv6 routes to each other. The IP Address Length and IP Address fields carried in the MAC/IP routes indicate the destination addresses of host IPv6 routes, and the MPLS Label2 field must carry a Layer 3 VNI. MAC/IP routes in this case are also called IRBv6 routes.

    An ND route carries the following valid information: host MAC address, host IPv6 address, and Layer 2 VNI. An IRBv6 route carries the following valid information: host MAC address, host IPv6 address, Layer 2 VNI, and Layer 3 VNI. It can be seen that an IRBv6 route includes information about an ND route and therefore can be used to advertise both a host IPv6 route and host ND entry.
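The NS multicast suppression and IRBv6 behaviour described above, as an added worked example that is not part of the original document or of any Huawei implementation: two toy gateways exchange the relevant fields of MAC/IP routes, one builds its NS multicast suppression table from them, and a received NS is either converted to unicast (table hit) or flooded (table miss). The gateway class, the `run_demo` function and all MAC addresses, IPv6 addresses and VNI values are constructed for this example; a plain ND route is modelled as a route without a Layer 3 VNI, an IRBv6 route as one with it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def canon(addr: str) -> str:
    """Normalise an IPv6 address string so table keys do not depend on spelling."""
    return str(ipaddress.IPv6Address(addr))


@dataclass(frozen=True)
class MacIpRoute:
    """The fields of a MAC/IP (Type 2) route that matter for ND advertisement.

    l3_vni is None for a plain ND route and set for an IRBv6 route, which carries a
    Layer 3 VNI in MPLS Label2 in addition to the ND information.
    """
    mac: str
    ipv6: str
    l2_vni: int
    l3_vni: Optional[int] = None


def route_kind(route: MacIpRoute) -> str:
    return "IRBv6" if route.l3_vni is not None else "ND"


class VxlanGateway:
    """Toy model of one VXLAN gateway acting as a BGP EVPN peer (constructed for this example)."""

    def __init__(self, name: str, local_vnis) -> None:
        self.name = name
        self.local_vnis = set(local_vnis)
        # NS multicast suppression table: (Layer 2 VNI, target IPv6) -> host MAC
        self.ns_suppression: Dict[Tuple[int, str], str] = {}
        # Host IPv6 routes learned from IRBv6 routes: IPv6 -> Layer 3 VNI
        self.host_routes: Dict[str, int] = {}

    def learn_local_host(self, mac, ipv6, l2_vni, l3_vni=None) -> MacIpRoute:
        """Collect a local host: install a suppression entry and return the route to flood to peers."""
        ip = canon(ipv6)
        self.ns_suppression[(l2_vni, ip)] = mac.lower()
        return MacIpRoute(mac.lower(), ip, l2_vni, l3_vni)

    def receive_route(self, route: MacIpRoute) -> None:
        """Process a MAC/IP route advertised by a remote gateway."""
        if route.l2_vni in self.local_vnis:          # only segments this gateway serves
            self.ns_suppression[(route.l2_vni, route.ipv6)] = route.mac
        if route.l3_vni is not None:                 # IRBv6 route: also a host IPv6 route
            self.host_routes[route.ipv6] = route.l3_vni

    def withdraw_route(self, route: MacIpRoute) -> None:
        """The remote gateway withdrew the route (e.g. NUD failed after a VM migration)."""
        self.ns_suppression.pop((route.l2_vni, route.ipv6), None)
        self.host_routes.pop(route.ipv6, None)

    def handle_ns(self, l2_vni: int, target: str) -> Tuple[str, Optional[str]]:
        """Decide what to do with a received Neighbor Solicitation for `target`."""
        mac = self.ns_suppression.get((l2_vni, canon(target)))
        if mac is None:
            return ("flood", None)      # table miss: the NS is flooded as before
        return ("unicast", mac)         # table hit: multicast-to-unicast processing


def run_demo():
    """Two gateways exchange one ND route and one IRBv6 route (all values constructed)."""
    gw1 = VxlanGateway("GW1", local_vnis=[10010, 10020])
    gw2 = VxlanGateway("GW2", local_vnis=[10010])
    nd_route = gw1.learn_local_host("00:11:22:33:44:55", "2001:db8::10", 10010)
    irb_route = gw1.learn_local_host("00:11:22:33:44:66", "2001:db8:0:2::20", 10020, l3_vni=20000)
    gw2.receive_route(nd_route)
    gw2.receive_route(irb_route)
    results = {
        "nd_kind": route_kind(nd_route),
        "irb_kind": route_kind(irb_route),
        "hit": gw2.handle_ns(10010, "2001:0db8:0000::0010"),   # same address, different spelling
        "miss": gw2.handle_ns(10010, "2001:db8::99"),
        "host_route_vni": gw2.host_routes.get("2001:db8:0:2::20"),
        "entry_for_foreign_vni": (10020, "2001:db8:0:2::20") in gw2.ns_suppression,
    }
    gw2.withdraw_route(nd_route)
    results["after_withdraw"] = gw2.handle_ns(10010, "2001:db8::10")
    return results
```

The withdraw step models the end of the migration case: once the original gateway's NUD fails and it withdraws its ND entry, the peer must fall back to flooding for that target rather than keep answering from a stale proxy entry.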

Type 3 route—inclusive multicast route

An inclusive multicast route comprises a prefix and a PMSI attribute.

Figure 9-169 Format of an inclusive multicast route

The following table describes the fields.

Field

Description

Route Distinguisher

RD value of an EVPN instance

Ethernet Tag ID

VLAN ID

The value is all 0s in this type of route.

IP Address Length

Mask length of the local VTEP's IP address carried in the route

Originating Router's IP Address

Local VTEP's IP address carried in the route

Flags

Flags indicating whether leaf node information is required for the tunnel

This field is inapplicable in VXLAN scenarios.

Tunnel Type

Tunnel type carried in the route

The value can only be 6, representing Ingress Replication in VXLAN scenarios. It is used for BUM packet forwarding.

MPLS Label

Layer 2 VNI carried in the route

Tunnel Identifier

Tunnel identifier carried in the route

This field is the local VTEP's IP address in VXLAN scenarios.

This type of route is used on the VXLAN control plane for automatic VTEP discovery and dynamic VXLAN tunnel establishment. VTEPs that function as BGP EVPN peers exchange inclusive multicast routes to transfer Layer 2 VNIs and VTEPs' IP addresses. The Originating Router's IP Address field identifies the local VTEP's IP address; the MPLS Label field identifies a Layer 2 VNI. If the remote VTEP's IP address is reachable at Layer 3, a VXLAN tunnel to the remote VTEP is established. If the remote VNI is the same as the local VNI, an ingress replication list is created for subsequent BUM packet forwarding.
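The VTEP discovery rules in the preceding paragraph, as an added worked example rather than code from the document or from any vendor implementation: an inclusive multicast route is encoded into its NLRI plus PMSI Tunnel attribute using the field layout of RFC 7432 (Type 3 NLRI) and RFC 8365 (24-bit VNI in the MPLS Label field, Ingress Replication as the tunnel type), decoded again, and then a toy VTEP applies the two rules from the text: a reachable originating address yields a VXLAN tunnel, and a matching Layer 2 VNI additionally adds the peer to the ingress replication list for BUM forwarding. The `Vtep` class, `run_demo`, the reachability callback and all RD, IP and VNI values are constructed for this example; only IPv4 VTEP addresses are handled.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Tunnel Type 6 = Ingress Replication, the only value valid for VXLAN scenarios.
TUNNEL_TYPE_INGRESS_REPLICATION = 6


@dataclass(frozen=True)
class InclusiveMulticastRoute:
    rd: bytes              # 8-octet Route Distinguisher of the EVPN instance
    originating_ip: str    # local VTEP's IPv4 address
    vni: int               # Layer 2 VNI, carried in the PMSI MPLS Label field
    ethernet_tag: int = 0  # all zeros in this route type
    tunnel_type: int = TUNNEL_TYPE_INGRESS_REPLICATION


def encode_route(route: InclusiveMulticastRoute):
    """Return (NLRI, PMSI Tunnel attribute value) for an IPv4 VTEP.

    Layout (RFC 7432 section 7.3 / RFC 8365): NLRI = RD(8) + Ethernet Tag(4)
    + IP Address Length(1, in bits) + Originating Router's IP Address(4);
    PMSI = Flags(1) + Tunnel Type(1) + MPLS Label(3, the 24-bit VNI) + Tunnel Identifier(4).
    """
    if len(route.rd) != 8:
        raise ValueError("RD must be 8 octets")
    if not 0 < route.vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    ip = ipaddress.IPv4Address(route.originating_ip).packed
    nlri = route.rd + struct.pack("!IB", route.ethernet_tag, 32) + ip
    pmsi = struct.pack("!BB", 0, route.tunnel_type) + route.vni.to_bytes(3, "big") + ip
    return nlri, pmsi


def decode_route(nlri: bytes, pmsi: bytes) -> InclusiveMulticastRoute:
    """Parse the wire form back, rejecting what a VXLAN VTEP cannot use."""
    ethernet_tag, ip_len = struct.unpack("!IB", nlri[8:13])
    if ip_len != 32:
        raise ValueError("only IPv4 originating addresses are handled in this example")
    originating = str(ipaddress.IPv4Address(nlri[13:17]))
    _flags, tunnel_type = struct.unpack("!BB", pmsi[:2])   # Flags are not used for VXLAN
    if tunnel_type != TUNNEL_TYPE_INGRESS_REPLICATION:
        raise ValueError(f"tunnel type {tunnel_type} is not Ingress Replication")
    vni = int.from_bytes(pmsi[2:5], "big")
    tunnel_id = str(ipaddress.IPv4Address(pmsi[5:9]))
    if tunnel_id != originating:
        raise ValueError("Tunnel Identifier must be the originating VTEP address in VXLAN")
    return InclusiveMulticastRoute(nlri[:8], originating, vni, ethernet_tag, tunnel_type)


def is_valid(nlri: bytes, pmsi: bytes) -> bool:
    try:
        decode_route(nlri, pmsi)
        return True
    except ValueError:
        return False


class Vtep:
    """Toy VTEP applying the two rules from the text to received inclusive multicast routes."""

    def __init__(self, ip: str, local_vnis, reachable: Callable[[str], bool]) -> None:
        self.ip = ip
        self.local_vnis = set(local_vnis)
        self.reachable = reachable                          # underlay (Layer 3) reachability
        self.tunnels: Set[str] = set()                      # remote VTEPs with a VXLAN tunnel
        self.ingress_replication: Dict[int, Set[str]] = {v: set() for v in self.local_vnis}

    def receive(self, nlri: bytes, pmsi: bytes) -> bool:
        route = decode_route(nlri, pmsi)
        if route.originating_ip == self.ip or not self.reachable(route.originating_ip):
            return False                                    # no tunnel to an unreachable VTEP
        self.tunnels.add(route.originating_ip)              # rule 1: reachable -> tunnel
        if route.vni in self.local_vnis:                    # rule 2: same VNI -> BUM list
            self.ingress_replication[route.vni].add(route.originating_ip)
        return True


def run_demo():
    """Constructed peers; 10.0.0.3 is deliberately unreachable in the underlay."""
    reachable = {"10.0.0.1", "10.0.0.2"}
    local = Vtep("10.0.0.1", [10010, 10020], reachable.__contains__)
    rd = bytes.fromhex("00010a0000020001")       # constructed type 1 RD (10.0.0.2:1)
    peers = [
        InclusiveMulticastRoute(rd, "10.0.0.2", 10010),   # same VNI: tunnel + replication list
        InclusiveMulticastRoute(rd, "10.0.0.2", 10030),   # other VNI: tunnel only
        InclusiveMulticastRoute(rd, "10.0.0.3", 10010),   # unreachable: ignored
    ]
    accepted = [local.receive(*encode_route(r)) for r in peers]
    lists = {v: sorted(m) for v, m in local.ingress_replication.items()}
    return accepted, sorted(local.tunnels), lists
```

The decoder deliberately refuses a route whose Tunnel Identifier differs from the Originating Router's IP Address or whose tunnel type is not Ingress Replication: a VTEP that accepted such a route would build replication state for BUM traffic towards an address the EVPN peer never attested to.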

Type 5 route—IP prefix route

The following figure shows the format of IP prefix routes.

Figure 9-170 IP prefix route

The following table describes the fields.

Field

Description

Route Distinguisher

RD value of an EVPN instance

Ethernet Segment Identifier

Unique ID for defining the connection between local and remote devices

Ethernet Tag ID

VLAN ID configured on the device

IP Prefix Length

Length of the IP prefix carried in the route

IP Prefix

IP prefix carried in the route

GW IP Address

Default gateway address

This field is inapplicable in VXLAN scenarios.

MPLS Label

Layer 3 VNI carried in the route

The IP Prefix Length and IP Prefix fields in an IP prefix route can identify a host IP address or network segment.

  • If the IP Prefix Length and IP Prefix fields in an IP prefix route identify a host IP address, the route is used for IP route advertisement in distributed VXLAN gateway scenarios, which functions the same as an IRB route on the VXLAN control plane.

  • If the IP Prefix Length and IP Prefix fields in an IP prefix route identify a network segment, the route allows external network access.

Server Virtualization

Server virtualization virtualizes one physical server into multiple logical servers, that is, virtual machines (VMs), as shown in Figure 9-171.

Figure 9-171 Basic architecture of server virtualization
  • VM

    Each VM has its own operating system and application software, and has an independent MAC address and IP address. VMs can run independently.

  • vSwitch

    A vSwitch provides Layer 2 communication, isolation, and QoS capabilities for VMs.

Server virtualization has the following advantages:
  • Effectively improves server utilization.
  • Provides services and resources on demand.
  • Reduces energy consumption.
  • Lowers customers' operations and maintenance (O&M) costs.

Large Layer 2 Network

Dynamic VM migration becomes a critical issue to meet flexible service changes. Dynamic VM migration is a process of moving VMs from one physical server to another, while ensuring normal running of the VMs. End users are unaware of this process, so administrators can flexibly allocate server resources or maintain and upgrade servers without affecting server usage by end users. The key to dynamic VM migration is to ensure uninterrupted services during the migration, so the IP and MAC addresses of VMs must remain unchanged. To meet this requirement, VM migration must occur within a Layer 2 domain but not across Layer 2 domains, as shown in Figure 9-172.

Figure 9-172 VM migration on a traditional network

In the traditional data center network architecture, the Layer 2 network uses redundant devices and links to improve reliability. This will inevitably result in physical loops during VM migration.

To prevent broadcast storms caused by physical loops, a loop prevention protocol such as Spanning Tree Protocol (STP) is required to block redundant links. Due to STP limitations, an STP-enabled Layer 2 network can contain no more than 50 network nodes, so dynamic VM migration can only occur in a limited scope.

To enable VM migration in a large scope or across domains, the servers involved must be on the same Layer 2 network, which is called a large Layer 2 network.

Generally, the following technologies can be used to provide a large Layer 2 network:
  • Network device virtualization
  • Transparent Interconnection of Lots of Links (TRILL)
  • VXLAN
  • Ethernet Virtual Network (EVN)

Network device virtualization, TRILL, and EVN technologies can construct a physical large Layer 2 network to enlarge the VM migration scope. However, a physical large Layer 2 network requires huge changes to the existing network structure, and still has many restrictions on the VM migration scope. VXLAN can solve the preceding problems.

A virtual large Layer 2 network can solve the problem and enable VM migration in a larger scope, as shown in Figure 9-173.

Figure 9-173 VM migration on a large Layer 2 network

Overview of Small- and Medium-sized Campus Networks

A campus network generally refers to the internal network of an enterprise or organization, which is connected to the wide area network (WAN) and data center network. A campus network is built to ensure that key enterprise services are running more efficiently. Differing in the number of end users or network elements (NEs), campus networks can be typically classified into three types: small, midsize, and large campus networks. On the live network, the campus network scale can be determined by empirical values during engineering implementation, as described in Table 9-558. Sometimes, small campus networks and midsize campus networks are collectively called small- and medium-sized campus networks.

Table 9-558 Campus network scale measured by the number of end users or NEs
  • Small campus network: < 200 end users, < 10 NEs
  • Midsize campus network: 200–2000 end users, 10–128 NEs
  • Large campus network: > 2000 end users, > 128 NEs

  • Most large- and medium-sized campus networks use the traditional local management mode. Such networks have clear structures and are typically designed with three layers: core layer, aggregation layer, and access layer. In addition, they are generally equipped with data centers, which provide service computing and storage capabilities.
  • Some large enterprises have branches in different countries or regions. In this case, a headquarters (HQ) campus network and branch networks are designed for the HQ and branches respectively. A branch network is typically a small- or medium-sized campus network, and connects to the HQ campus network and other branch networks through network interconnection technologies. Generally, branch networks are scattered in different regions and independent of each other. Therefore, such networks are designed and managed independently.

Large- and Medium-Sized Campus Networking Solution

Solution Overview

Huawei CloudCampus Solution adopts a new philosophy of Intent-Driven Network (IDN), and introduces big data analytics and artificial intelligence (AI) technologies into cloud and SDN, helping enterprises build ultra-broadband, simplified, intelligent, secure, and open networks.

Ultra-Broadband

  • Wired, wireless, and IoT convergence, meeting diversified access terminals and services

    Huawei campus switches integrate the WLAN access controller (WAC) functionality to implement wired and wireless convergence and provide unified wired and wireless management and experience. Huawei APs integrate IoT modules to provide functions of IoT base stations, implementing Wi-Fi and IoT convergence as well as simplified management. The solution provides unified authentication and access policy control for wired and wireless users by integrating the user authentication, user management, and policy association functions. Administrators can obtain consistent user management experience and simplify O&M management of wired and wireless networks.

  • All-scenario WLAN, ideal for differentiated access requirements of customers

    Huawei provides Wi-Fi 6 APs, high-density APs, and an agile distributed Wi-Fi solution tailored for a diverse range of scenarios, such as common indoor deployments, high-density stadiums, outdoor environments, and densely populated rooms. These offerings provide pervasive high-density WLAN coverage and deliver assured user access experience. The resulting benefits include convenient deployment and reduced investment costs.

    Wi-Fi 6 is the sixth generation of Wi-Fi standards. It inherits a large number of key 5G technologies, such as orthogonal frequency division multiple access (OFDMA), multi-user multiple-input multiple-output (MU-MIMO), and 1024 Quadrature Amplitude Modulation (1024-QAM). Compared with Wi-Fi 5, Wi-Fi 6 achieves a four-fold increase in both the network bandwidth and the number of concurrent access users, and shortens the network latency from an average of 30 ms to 20 ms. Wi-Fi 6 can easily meet the ultra-large bandwidth, ultra-high density access, and ultra-low latency requirements in application scenarios, for example, 4K ultra-HD video conferences (ultra-large bandwidth), high-density stadiums (ultra-high concurrency), and VR (ultra-low latency) scenarios. Based on its profound understanding and grasp of 5G technologies, Huawei has become a major contributor to the Wi-Fi 6 standard. Huawei experts have served as the chairmen of five Wi-Fi standard working groups.

  • Multi-GE access, higher bandwidth and more flexible network deployment

    With the advent of 802.11ac standards and products, the access rate of wireless terminals exceeds 1 Gbps. However, the access rate of GE interfaces fails to meet this trend. Huawei provides abundant multi-GE switches that can supply PoE++ (60 W) power to APs within 300 m, implementing flattened network deployment and reducing investment costs.

Simplified

  • Automated deployment of a physical network: Devices can be pre-configured and plug-and-play

    Through the GUI, iMaster NCE-Campus can help implement automated deployment of devices, as well as route orchestration and interworking configuration for the underlay network.

  • Automated provisioning of virtual networks: Virtual networks can be automatically created to achieve 'one network for multiple purposes'

    With iMaster NCE-Campus, fabric networks can be deployed, and VXLAN tunnels can be automatically set up based on the BGP EVPN control plane. iMaster NCE-Campus helps achieve automated virtual network construction, centralized service configuration, and automatic service provisioning.

  • Automated user policy configuration and delivery: user/service/experience-centricity for policy migration with users and consistent service experience

    The free mobility solution uses iMaster NCE-Campus to plan user groups and inter-group policies and automatically deliver policies to network devices. When an authenticated user accesses the network using different terminals and at different locations, iMaster NCE-Campus automatically identifies the user and delivers relevant user policies to the corresponding policy enforcement devices on the network. This achieves consistent and assured user access experience. A user has consistent policies and service experience anywhere, irrespective of their access location.

Intelligent

The CloudCampus Solution introduces Huawei's intelligent campus network analyzer iMaster NCE-CampusInsight, which transforms the traditional way of monitoring focusing on the resource status. By leveraging Telemetry technology, iMaster NCE-CampusInsight provides data visibility from user, application, and time perspectives, performs feature analysis and baseline calculation by utilizing the machine learning algorithm, and identifies potential faults and locates their root causes, thereby improving user experience.

  • Full-journey experience visibility for each user, at each moment

    iMaster NCE-CampusInsight uses the de facto industry standard Telemetry technology to dynamically capture network KPI data in seconds, enabling fault tracing. In addition, it collects data from multiple dimensions, displays the network profile of each user in real time, and visualizes the network experience throughout the full user journey (who, when, which AP the user connects to, experience, and issue).

  • Automatic identification of network issues

    Through big data and AI technologies, iMaster NCE-CampusInsight automatically identifies connection, air interface performance, roaming, and device issues, improving the potential issue identification rate to 85%. It leverages the machine learning algorithm to learn historical data and dynamically generates a baseline. It then predicts the possible faults by comparing real-time data with the dynamic baseline.

  • Intelligent demarcation and root cause analysis of network issues

    iMaster NCE-CampusInsight intelligently identifies fault patterns and impact scopes based on the network O&M expert system and various intelligent algorithms, helping administrators identify and demarcate faults. iMaster NCE-CampusInsight can also analyze possible fault causes by working with the big data platform and provides rectification suggestions.

Open

The intent-driven campus network architecture is open at all layers and supports over 150 service APIs. With this architecture, Huawei collaborates with more than 30 industry partners to build an ecosystem to accelerate digital transformation of industries. Because Huawei devices are developed in strict compliance with international universal standards and industry standards, together they can perfectly interoperate with third-party devices.

Solution Architecture

Figure 9-174 shows the network architecture of the CloudCampus Solution for large- and medium-sized campus networks. The network architecture consists of the network layer, management layer, and application layer.

Figure 9-174 CloudCampus Solution architecture (large- and medium-sized campus network scenario)
  • Network layer

    Virtualization technologies are introduced to divide the network layer into a physical network and a virtual network.

    • Physical network: is also called the underlay network and provides basic connection services for campus networks. To meet access requirements of diverse types of terminals, the underlay network provides a unified, converged terminal access capability that allows access of wired, wireless, and IoT terminals simultaneously.
    • Virtualized network: is also called the overlay network. Virtualization technologies are used to construct one or more overlay networks over the underlay network. Service policies are deployed on the overlay networks and are separated from the underlay network, decoupling services from networks. Multiple overlay networks can serve different services or customer segments.
  • Management layer

    The management layer provides network-level management capabilities, such as configuration management, service management, maintenance and fault detection, and security threat analysis. On a traditional campus network, the NMS is used for network management. The NMS can display the network status but lacks flexibility and automation capabilities. If service requirements change, the administrator needs to re-plan services and then manually modify the configurations of the corresponding network devices (including routers, switches, and firewalls). This manual adjustment mode is inefficient and error-prone. In rapidly changing service environments, network flexibility is critical. Automation tools are required to help administrators manage networks and services. The CloudCampus Solution uses iMaster NCE-Campus to implement automatic network and service provisioning.

    iMaster NCE-Campus abstracts network devices and applications, and rapidly develops and automatically deploys applications through orchestration and by invoking abstract models. iMaster NCE-Campus presents the entire network rather than independent devices (such as switches, routers, and APs) or discrete configurations (such as access control, QoS, and routing policies).

  • Application layer

    Based on iMaster NCE-Campus, Huawei CloudCampus Solution provides open APIs, through which rich information identified by the network, including user identities, network resources, service quality, location information, and network topology, is opened up to upper-layer services. By using these open APIs, third parties can customize and innovate service applications based on their own service needs. Doing so helps meet service expectations in various fields, such as education, commerce, enterprises, and governments.

Solution Components

Network-layer components include firewalls, WACs, switches, and APs.

  • Firewall

    A firewall is responsible for network security protection. It is usually deployed at a network border, such as the egress of an enterprise campus network, subnet border of a large-sized network, or border of a DC, to provide access control and intrusion prevention functions. Huawei has launched USG series firewalls tailored for campus scenarios.

  • WAC

    The WAC is responsible for AP configuration and management. In campus scenarios, Huawei has launched standalone WACs as well as switches that support the native WAC function.

  • Switch

    Switches exchange data packets of Layer 2 and Layer 3 networks. Huawei has launched series of switches for campus scenarios.

  • AP

    APs provide access to wireless terminals (STAs) and bridge a wireless network and a wired network. Huawei has launched a series of APs suited to campus scenarios.

Management-layer components include iMaster NCE-Campus and iMaster NCE-CampusInsight.

  • iMaster NCE-Campus

    As the automation engine of a network, iMaster NCE-Campus supports network service management, network security management, user admission management, network monitoring, network quality analysis, network application analysis, as well as alarms and reports. It also provides big data analytics capabilities, and open APIs for integration with third-party platforms. In addition, iMaster NCE-Campus functions as the authentication policy (AAA) server to implement automatic access management and control and provide the AAA service and free mobility policy delivery service.

  • iMaster NCE-CampusInsight

    iMaster NCE-CampusInsight is an intelligent network analysis engine and provides intelligent O&M services for user networks. iMaster NCE-CampusInsight applies AI to the O&M domain. Based on existing O&M data (such as device performance indicators and terminal logs), big data, AI algorithms, and more advanced analytics technologies, iMaster NCE-CampusInsight digitizes user experience on the network to help customers detect network issues in a timely manner, improving user experience.

Campus VXLAN Network Deployment Procedure

On top of the physical network (underlay network), virtual Layer 2 and Layer 3 networks (overlay networks) are created to meet the multi-tenant and isolation requirements of campus services. The following figure shows the process of deploying a virtual network through iMaster NCE-Campus. You can select the services to be configured based on the actual networking requirements.

When configuring a VXLAN virtual network (VN), you need to select the network type (VXLAN or traditional VLAN network), and decide the location of the default VN's service gateway (outside or inside the VXLAN fabric) based on whether users access a Layer 2 or Layer 3 network.

Figure 9-175 Deployment process

VXLAN Fabric Management Precautions

VXLAN-supported Device Models

You can use the Info-Finder tool to check VXLAN-supported device models.

Prerequisites

Before deploying VXLAN fabric services on iMaster NCE-Campus, you need to complete the following tasks:

  • Create a site and add devices to be managed on iMaster NCE-Campus. A device can go online as a standalone device or as a stack.
  • To implement interconnection between endpoints on a VXLAN fabric, configure VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes on border and edge nodes. If all devices on the VXLAN fabric are managed by the controller, you can enable automatic configuration of routing domains when creating the VXLAN fabric so that the controller will automatically perform the preceding configurations.
  • To implement the authentication function on a VXLAN fabric, configure an authentication template and apply the template to authentication control points configured on the access management page.

License Requirements

To obtain the iMaster NCE-Campus License Usage Guide, perform the following steps:

Table 9-559 Deduction rules for virtual network automation licenses in different scenarios
  • License item: Virtual network automation
  • Deduction trigger condition: A fabric device role is set for a core or an aggregation device.
  • Measurement unit: Per device
  • Subscription license in the Huawei public cloud scenario: Not supported
  • Subscription license in the MSP-owned cloud scenario: Supported (not for sale)
  • Perpetual license + SnS in the on-premises scenario: Supported
  • Start version: V300R003C10

VXLAN Fabric Resource Planning

Configuring a VXLAN Fabric Global Resource Pool

Fundamentals

Before creating virtual networks (VNs), you need to configure global resources, including the resource pools of VLANs, VXLAN Network Identifiers (VNIs), and bridge domains (BDs). When you create a VN, iMaster NCE-Campus automatically allocates resources from these resource pools.

The following figure shows the layers where VLANs, VNIs, and BDs are located on the network and the relationships among these resources.

Feature Requirements

Configure a service VLAN pool when you need to configure VLANs for interconnection with external gateways and network service resources, management VLANs for policy association, and access VLANs for virtual network access. When planning VLANs, ensure that the desired VLANs are not used by non-VXLAN fabric services. For example, the VLAN ID of the planned management VLAN cannot be included in the VLAN resource pool. Otherwise, services may be interrupted.

Procedure

  1. Choose Design > Basic Network Design > Network Settings and click the VXLAN Fabric Global Resource Pool tab.
  2. Set parameters and click to make the settings take effect.

    Configuration example: For the VLAN resource pool, enter 3000 - 4000 and 4012 - 4012. After each input, click for the setting to take effect. Then, set Bridge Domain (BD) to the default value (1 - 4095) and VXLAN Network Identifier (VNI) to the default value (1 - 4095).

Related Operations

  • Select the resource to be deleted and click to delete the resource.
  • Click to refresh resources displayed on the page.

Parameters Description

Table 9-560 Parameters for configuring the VXLAN fabric global resource pool

Parameter

Description

VLAN

Meaning: Service VLAN resource pool. VLANs in this pool will be configured as interconnection VLANs for external gateways, interconnection VLANs for network service resources, CAPWAP management VLANs, and VLANs for VN access, if these configurations are required.

For example, enter 3000 - 4000 and 4012 - 4012. After each input, click for the setting to take effect.

Bridge Domain (BD)

Meaning: VLANs are used to divide broadcast domains on a traditional network. Similarly, BDs are used to divide broadcast domains on a VXLAN network. On a VXLAN network, VNIs must be mapped to BDs in 1:1 mode. A BD represents a broadcast domain. Users in the same BD can communicate with each other at Layer 2.

For example, enter 3000 - 4000 and 4012 - 4012. After each input, click for the setting to take effect.

Default value: 1 to 4095

VXLAN Network Identifier (VNI)

Meaning: A VNI, similar to a VLAN ID, identifies a VXLAN segment. Tenants on different VXLAN segments cannot communicate at Layer 2. One tenant may have one or more VNIs. A VNI consists of 24 bits and supports up to 16 million tenants.

For example, enter 3000 - 4000 and 4012 - 4012. After each input, click for the setting to take effect.

Default value: 1 to 4095

Configuring an Underlay Automation Resource Pool

Fundamentals

When you create VXLAN fabric networks, you can enable automated underlay routing domain orchestration. This implements automatic deployment of the underlay network. After this function is enabled, iMaster NCE-Campus automatically provisions configurations using resources in the underlay automation resource pool, such as VLANIF interfaces, loopback interfaces, VTEP IP addresses, and routes, required for BGP-EVPN to devices on VXLAN fabric networks.

The hierarchy and relationship of loopback interface IP addresses, interconnection VLANs, and interconnection IP addresses in the network are shown in the figure below:

Feature Requirements

If multi-layer aggregation devices are deployed on the network, underlay automation is supported only for a single domain.

Application Scenario

Automated underlay routing domain orchestration supports automatic deployment of routes between border and edge nodes on VXLAN fabrics. The system configures interconnection links between border nodes and between border nodes and edge nodes to ensure that the VTEPs on the entire network are reachable to each other through OSPF routes.

  • Recommended scenario: A VXLAN fabric has one site with core, aggregation, and access devices.
    Figure 9-176 Three-layer VXLAN fabric networking 1

    Choose Design > Site Agile Deployment > Device Management from the main menu, and configure the border node as Core, edge nodes as Aggregation, and access nodes as Access.

  • Other networking scenarios: If transparent transmission devices are deployed on the underlay network under a fabric network, it is recommended that the device role of border nodes be set to Core, that of edge nodes be set to Aggregation, and that of transparent transmission devices (deployed on the fabric network) between border nodes and edge nodes be set to Regional aggregation. Currently, transparent transmission devices can be deployed only between border nodes and edge nodes. When a VXLAN fabric network spans multiple sites, ensure that device roles are set correctly and that there are reachable OSPF routes between these sites.
    • Scenario 1: A VXLAN fabric network spans multiple sites, and only one site has a border node, as shown in the following figure.
      Figure 9-177 Multi-site scenario

      Perform the following operations to configure automatic underlay deployment:

      1. Choose Design > Site Agile Deployment > Device Management from the main menu and set the role of edge node 2 to Core.
      2. Check the OSPF areas automatically configured for the border node. Then choose Provision > Physical Network > Site Configuration from the main menu, choose Switch > Route from the navigation pane, click the Interface OSPF tab, and manually configure routes for the interconnection interfaces on the border node and Edge 2 to ensure that there are reachable routes between their interconnection interfaces.
    • Scenario 2: A VXLAN fabric network has three layers of devices, including a border node, edge nodes, and an access device, as shown in the following figure.
      Figure 9-178 Three-layer VXLAN fabric networking 2

      Perform the following operations to configure automatic underlay deployment:

      1. Choose Design > Site Agile Deployment > Device Management from the main menu and set the role of edge node 2 to Aggregation.
      2. Set the role of the access device on the VXLAN fabric network to an extended node.
    • Scenario 3: A VXLAN fabric network has multiple border nodes that form a ring network with downlink devices, as shown in the following figure.
      Figure 9-179 Multi-border ring networking

      Perform the following operations to configure automatic underlay deployment:

      1. Choose Design > Site Agile Deployment > Device Management and set the role of transparent transmission devices 1 and 2 to Regional aggregation.
      2. Choose Design > Site Agile Deployment > Device Management and set the role of edge nodes 1 and 2 to Aggregation.

Procedure

  1. Choose Design > Basic Network Design > Network Settings and click the Underlay Automation Resource Pool tab.
  2. Set parameters and click to make the settings take effect.

    Configuration example: For the interconnection VLAN resource pool, enter 100 - 200. After the input, click for the setting to take effect. Then set Interworking IP to 192.168.1.0 - 192.168.2.0/24 and Loopback interface IP to 192.168.3.0 - 192.168.4.0/24.

Related Operations

  • Select the resource to be deleted and click to delete the resource.
  • Click to refresh resources displayed on the page.

Parameters

Table 9-561 Parameters for configuring the underlay automation resource pool

Parameter

Description

Interconnection VLAN

Meaning: VLAN resource pool for interconnection between border and edge nodes. The system automatically selects a VLAN as the interconnection VLAN if border and edge nodes need to be interconnected on the underlay networks of VXLAN fabrics.

Example: Enter 3000 - 4000 and 4012 - 4012. After each input, click for the setting to take effect.

Interworking IP address

Meaning: IP address resource pool for interconnection between border and edge nodes. The system automatically selects an IP address as the interworking IP address if border and edge nodes need to be interconnected on the underlay networks of VXLAN fabrics.

Example: Set 192.168.1.0 and 192.168.2.0/24 as the start and end addresses. After input, click for the settings to take effect.

Constraints: The addresses planned on the underlay network cannot overlap with those planned on the WAN. Otherwise, unexpected network problems may occur.

Loopback interface IP address

Meaning: IP address resource pool for loopback interfaces. The system automatically selects IP addresses for loopback interfaces if routing domains need to be automatically configured on VXLAN fabrics.

Example: Set 192.168.1.0 and 192.168.2.0/24 as the start and end IP addresses. After input, click for the settings to take effect.

Constraints: The addresses planned on the underlay network cannot overlap with those planned on the WAN. Otherwise, unexpected network problems may occur.
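The two planning constraints stated on this page, that the service VLAN pool must not contain VLANs used by non-fabric services such as the management VLAN (Feature Requirements under Configuring a VXLAN Fabric Global Resource Pool) and that underlay interworking and loopback address pools must not overlap with addresses planned on the WAN (the Constraints rows above), as an added pre-deployment check. This is example code written for this guide, not part of iMaster NCE-Campus or any Huawei tool. It parses pool entries in the same textual form the page's examples use ("3000 - 4000", "192.168.1.0 - 192.168.2.0/24"); the interpretation of "start - end/len" as the address span from the start address to the last address of the end network is an assumption, and the VLAN, VNI and prefix values in the usage are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094          # usable 802.1Q VLAN IDs
VNI_MAX = (1 << 24) - 1               # a VNI is a 24-bit field


def parse_ranges(items: Iterable[str]) -> List[Tuple[int, int]]:
    """Parse pool entries written as on the page, e.g. '3000 - 4000' or '4012 - 4012'."""
    ranges = []
    for item in items:
        lo_s, sep, hi_s = item.partition("-")
        if not sep:
            raise ValueError(f"expected 'start - end', got {item!r}")
        lo, hi = int(lo_s), int(hi_s)
        if lo > hi:
            raise ValueError(f"start exceeds end in {item!r}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(value: int, ranges) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


def check_vlan_pool(pool_items, reserved_vlans) -> List[int]:
    """Return reserved VLAN IDs (management VLAN, etc.) that the service VLAN pool would also hand out.

    An empty list means the pool is free of conflicts with non-fabric services.
    """
    ranges = parse_ranges(pool_items)
    for lo, hi in ranges:
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range {lo}-{hi} outside {VLAN_MIN}-{VLAN_MAX}")
    return sorted(v for v in set(reserved_vlans) if in_ranges(v, ranges))


def check_vni_pool(pool_items) -> int:
    """Validate a VNI (or BD) pool against the 24-bit field and return how many identifiers it holds."""
    ranges = parse_ranges(pool_items)
    for lo, hi in ranges:
        if lo < 1 or hi > VNI_MAX:
            raise ValueError(f"VNI range {lo}-{hi} outside 1-{VNI_MAX}")
    return sum(hi - lo + 1 for lo, hi in ranges)


def underlay_pool_span(start: str, end_with_prefix: str):
    """Interpret the page's 'start - end/len' form as (first, last) address.

    Assumption: the pool runs from `start` to the last address of the `end/len` network.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Network(end_with_prefix, strict=False).broadcast_address
    if first > last:
        raise ValueError("pool start lies after its end")
    return first, last


def check_underlay_pool(start: str, end_with_prefix: str, wan_prefixes) -> List[str]:
    """Return the WAN prefixes that overlap the underlay interworking or loopback pool."""
    first, last = underlay_pool_span(start, end_with_prefix)
    clashes = []
    for prefix in wan_prefixes:
        net = ipaddress.IPv4Network(prefix, strict=False)
        # Two address intervals overlap when neither lies entirely before the other.
        if net.network_address <= last and net.broadcast_address >= first:
            clashes.append(str(net))
    return clashes


if __name__ == "__main__":
    # Constructed planning input: the page's example pools plus a management VLAN of 3500
    # and two WAN prefixes, one of which collides with the interworking pool.
    print(check_vlan_pool(["3000 - 4000", "4012 - 4012"], reserved_vlans=[100, 3500]))
    print(check_vni_pool(["1 - 4095"]))
    print(check_underlay_pool("192.168.1.0", "192.168.2.0/24", ["192.168.2.128/25", "10.0.0.0/8"]))
```

Run the checks before the pools are entered on the VXLAN Fabric Global Resource Pool and Underlay Automation Resource Pool tabs; a non-empty result from `check_vlan_pool` or `check_underlay_pool` is the overlap the page warns will interrupt services or cause unexpected network problems.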

Configuring an Authentication Template

Application Scenario

By delivering and applying authentication templates to authentication points, the system can implement user access control. A RADIUS server template and a user access template must be bound to a user authentication template, and the authentication mode must be specified.

Feature Requirements

A RADIUS server template and a Portal server template have been created.

Procedure

  1. Choose Design > Basic Network Design > Template Management from the main menu and click Policy Template. Choose Authentication Template from the navigation pane.
  2. Click Create and set the template name to Authen1. In this template, set the user authentication mode to Portal, MAC, or 802.1X, select the RADIUS server template iMaster_RADIUS, select the Portal server template iMaster_Portal, set the user domain to which the template is applied to Default, retain the default setting of dynamic RADIUS authorization, and select the most suitable bypass policy. If IP phones are connected to the authentication point where this authentication template applies, enable IP phone authentication in the authentication template. Click OK.

Parameter Description

Table 9-562 Policy Template (authentication)

Parameter

Description

Name

Name of an authentication template.

Authentication mode

Value range: The options include Portal, MAC, and 802.1X. You can set this parameter as needed.

Constraints: If Portal authentication with dynamic VLAN authorization is required, select both Portal and MAC.

MAC address bypass authentication

This function can be configured when both MAC and 802.1X are selected for Authentication mode.

Authentication protocol

Meaning: Authentication protocol used for MAC address authentication. This parameter can be configured only when MAC is selected for Authentication mode.

Value range:

  • CHAP
  • PAP

Carry URL parameters for redirection after authorization

Meaning: In multi-network Portal authentication scenarios, this function needs to be enabled when Portal 2.0 is selected.

RADIUS server template

Select a RADIUS server template.

Primary Portal server template/Secondary Portal server template

Select a Portal server template. This parameter is configurable only when Portal is selected for Authentication mode.

IPv6 terminal authentication

Enable this function if IPv6 terminals need to be authenticated. After this function is enabled, configure an IPv6 URL to be pushed by the Portal server, and disable pushing of IPv4 Portal pages.

Domain

You can use the default value.

IP Phone Authentication

Value range:

  • Enable: If access terminals include IP phones, you need to enable this function.
  • Disable

RADIUS dynamic authorization

Value range:

  • Default
  • Custom

RADIUS dynamic server address

Dynamic RADIUS server IP address. This parameter is configurable only when RADIUS dynamic authorization is set to Custom.

Key

Key for RADIUS dynamic authorization. This parameter is configurable only when RADIUS dynamic authorization is set to Custom.

User access mode

Meaning: User access mode of the interface.

Value range:

  • multi-authen: This is the default mode. The interface allows multiple users to go online. In this mode, the device authenticates each access user. If users pass authentication, the users are given individual network access rights. After a user goes offline, other users are not affected.
  • single-voice-with-data: The interface allows only one data user and one voice user to go online. This mode is used when a data user accesses the network through a voice terminal.
  • single-terminal: The interface allows only one user to go online.

RADIUS bypass policy

Set the RADIUS bypass policy and specify the VLAN or bypass policy template to be applied to users who bypass authentication.

VLAN

Bypass policy

Automatic re-authentication

Meaning: Whether to re-authenticate a terminal that has failed authentication. If this function is enabled, iMaster NCE-Campus re-authenticates such terminals after the period specified by Re-authentication interval.

Value range: The re-authentication interval is in the range from 30 to 7200, in seconds.

Configuring an IGMP Snooping Template

Fundamentals

Internet Group Management Protocol Snooping (IGMP snooping) is an IPv4 Layer 2 multicast protocol. With IGMP snooping, a Layer 2 multicast device analyzes IGMP messages exchanged between an upstream router and user hosts to create and maintain a Layer 2 multicast forwarding table. The device then uses these entries to control multicast packet forwarding, which prevents multicast data from being broadcast on Layer 2 networks. This not only saves network bandwidth, but also ensures network security. To configure IGMP snooping in VNs, you need to define and deploy an IGMP snooping template.

IGMP snooping is a basic Layer 2 multicast function that forwards and controls multicast traffic at the data link layer. IGMP snooping runs on a Layer 2 device and analyzes IGMP messages exchanged between a Layer 3 device and hosts to create and maintain a Layer 2 multicast forwarding table. Based on this table, the Layer 2 device forwards multicast packets at the data link layer.

In the following figure, after receiving multicast packets from a Layer 3 multicast device (Router), a Layer 2 multicast device (Switch) at the edge of the access layer forwards the multicast packets to receiver hosts, so that the receivers can watch the programs they have ordered. If Switch does not run IGMP snooping, it broadcasts multicast packets at Layer 2. After IGMP snooping is configured, Switch forwards multicast packets only to the specified hosts.

With IGMP snooping configured, Switch listens to IGMP messages exchanged between hosts and the upstream Layer 3 device. It analyzes packet information (such as the packet type, group address, and receiving interface) to set up and maintain a Layer 2 multicast forwarding table, based on which it forwards multicast packets at the data link layer.

Figure 9-180 Multicast packet forwarding before and after IGMP snooping is configured on a Layer 2 device

Procedure

  1. Choose Design > Basic Network Design > Template Management from the main menu and click Policy Template. Choose IGMP Snooping Profile from the navigation pane.
  2. Click Create to create an IGMP snooping profile. Set the profile name to iMaster_IGMP_Snooping, enable Discard unknown multicast packets and Fast leave, set Aging time of dynamic router interfaces (s) to 180, set Query message sending interval (s) to 125, set IGMP robustness variable to 2, and set Maximum response time (s) to 10. Click OK.

Parameter Description

Table 9-563 Policy Template (IGMP snooping)

Parameter

Description

Name

Meaning: Name of an IGMP snooping profile.

Constraints:

  • The value is a character string.
  • The value can contain 1 to 32 characters.
  • The value can contain letters, digits, underscores (_), hyphens (-), at signs (@), and periods (.).

IGMP version

Meaning: Version of IGMP messages that can be processed.

  • Version 1: Only IGMPv1 messages can be processed.
  • Version 2: Both IGMPv1 and IGMPv2 messages can be processed.
  • Version 3: IGMPv1, IGMPv2, and IGMPv3 messages can be processed.

Discard unknown multicast packets

Meaning:

  • If this function is enabled, the device will discard unknown multicast packets upon receipt.
  • If this function is disabled, the device will broadcast unknown multicast packets upon receipt.

Fast leave

Meaning: Whether to allow member interfaces in a VLAN or BD to fast leave multicast groups.

The fast leave function enables the switch to delete the multicast forwarding entry of a multicast group from an interface immediately after the interface receives an IGMP Leave message for the group. This function saves bandwidth and system resources because the switch does not need to wait until the aging timer of the interface expires.

Suppress Report and Leave messages

Meaning: Whether to enable suppression of IGMP Report and Leave messages in a VLAN or BD.

Default setting: The default IGMP message suppression period is 10 seconds.

After this function is enabled on a Layer 2 device, the device forwards only one IGMP message to the upstream device during the suppression period: a Report message when the first member joins a multicast group or when a host sends a Report message in response to an IGMP Query message, and a Leave message when the last member of a multicast group leaves the group. This reduces the number of IGMP messages on the network.

Router-Alert option check

Meaning: Whether to enable the device to check messages for the Router-Alert option and discard IGMP messages without the Router-Alert option.

The Router-Alert option identifies the protocol messages that need to be processed by upper-layer routing protocols.

Disable users from dynamically joining multicast groups

Meaning: Whether to disable devices from forwarding IGMP Report and Leave messages that are received in a VLAN or BD and contain a static group address to upstream Layer 3 devices configured with the static group address.

Constraints: If the upstream device is a non-Huawei device and has static multicast groups configured on interfaces, multicast users are not allowed to dynamically join or leave multicast groups. In this case, disable the Layer 2 device from sending IGMP Report and Leave messages carrying static group addresses to the upstream device.

Aging time of dynamic router interfaces (s)

Meaning: Aging time of dynamic router interfaces in a VLAN or BD.

Value range: The value is an integer in the range from 1 to 1000, in seconds.

Query message sending interval (s)

Meaning: Interval for sending IGMP General Query messages in a VLAN or BD.

Value range: The value is an integer in the range from 1 to 65535, in seconds.

IGMP robustness variable

Meaning: IGMP robustness variable in a VLAN or BD, which indicates how many times IGMP Query messages are sent.

Value range: The value is an integer in the range from 2 to 5.

Maximum response time (s)

Meaning: Maximum response time for a host to respond to an IGMP General Query message.

Value range: The value is an integer in the range from 1 to 25, in seconds.

Default setting: 10 seconds
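The Fundamentals section and the Discard unknown multicast packets, Fast leave, Suppress Report and Leave messages, and aging-time parameters above describe one state machine: a per-group table of member ports that is learned from Report messages, aged or fast-deleted on Leave, and consulted on every multicast frame. The following Python models that table so the effect of each switch can be observed; it is an added example, not code from the guide or from any Huawei device, and the 260 s member-port aging time it uses is an assumption (the guide gives no value for it).

```python
"""Layer 2 multicast forwarding table as maintained by IGMP snooping (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class IgmpSnoopingSwitch:
    """Layer 2 device running IGMP snooping in one VLAN/BD.

    Only host-facing member ports are modelled; the router port towards the
    upstream Layer 3 device and group-specific queries are left out.
    """
    ports: Set[str]                 # all ports in the VLAN/BD
    discard_unknown: bool = True    # "Discard unknown multicast packets"
    fast_leave: bool = False        # "Fast leave"
    member_aging: int = 260         # assumed member-port aging time in seconds
    # group address -> member port -> absolute time at which the entry ages out
    table: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def on_report(self, port: str, group: str, now: int) -> bool:
        """Membership Report seen on 'port': learn or refresh the member port.

        Returns True when this is the first member of the group, which is the
        one case in which a switch with Report suppression enabled still
        forwards the Report to the upstream device.
        """
        members = self.table.setdefault(group, {})
        first_member = not members
        members[port] = now + self.member_aging
        return first_member

    def on_leave(self, port: str, group: str, now: int) -> bool:
        """Leave seen on 'port'.

        With fast leave the entry is deleted immediately; otherwise it stays
        until its aging timer expires. Returns True if it was deleted now.
        """
        members = self.table.get(group)
        if not members or port not in members or not self.fast_leave:
            return False
        del members[port]
        if not members:
            del self.table[group]
        return True

    def age(self, now: int) -> None:
        """Drop member ports whose aging timer has expired at time 'now'."""
        for group in list(self.table):
            members = self.table[group]
            for port in [p for p, expiry in members.items() if expiry <= now]:
                del members[port]
            if not members:
                del self.table[group]

    def forward(self, group: str, ingress: str, now: int) -> Set[str]:
        """Egress ports for a multicast frame to 'group' arriving on 'ingress'.

        A known group reaches only its member ports. An unknown group is
        flooded to every other port in the VLAN/BD unless discard_unknown is
        set, in which case it is dropped; that setting is what keeps unknown
        multicast from being broadcast on the Layer 2 network.
        """
        self.age(now)
        members = self.table.get(group)
        if members is None:
            return set() if self.discard_unknown else self.ports - {ingress}
        return set(members) - {ingress}


if __name__ == "__main__":
    sw = IgmpSnoopingSwitch(ports={"uplink", "p1", "p2", "p3"}, discard_unknown=False)
    print("unknown group, flooding:", sw.forward("239.1.1.1", "uplink", 0))
    sw.on_report("p1", "239.1.1.1", 10)
    sw.on_report("p2", "239.1.1.1", 20)
    print("known group:", sw.forward("239.1.1.1", "uplink", 30))
    print("after p1 aged out:", sw.forward("239.1.1.1", "uplink", 275))
```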

VXLAN Fabric Management

Configuring a VXLAN Fabric Network

Context

A VXLAN fabric network consists of a group of interconnected border, transparent, edge, and access nodes to provide non-differentiated access capabilities. In this way, an access device can access different network services at the same time. This reduces costs and improves network device utilization.

A virtualized campus network uses the VXLAN technology to create multiple virtual networks (overlay networks) on the same underlay network and allow flexible service deployment.

Feature Requirements

  • If the switch to be added has been registered with iMaster NCE-Campus using NETCONF but has been deleted from iMaster NCE-Campus, before you add this switch to iMaster NCE-Campus again, run the reset netconf db-configuration command on the switch to clear the residual data in the NAAS database. After this command is executed, the switch will restart. Otherwise, iMaster NCE-Campus may fail to deliver services to the switch or even disconnect it.
  • When the system is upgraded, for example, from V300R019C00 to the latest version, if an error message is displayed indicating a configuration conflict when you enable Report terminal identification information during VXLAN fabric network creation, set DHCP snooping to Snooping on the Switch > Interface > Physical Interface page under Provision > Physical Network > Site Configuration.
  • By default, the ports for device interconnection are trunk ports. After the VXLAN fabric service configuration is deleted from the ports, the ports remain as trunk ports. In addition, devices using manually configured trunk ports for interconnection may be disconnected from the controller.

Prerequisites

  • Devices are already online on iMaster NCE-Campus and under the management of the current tenant.
  • The license of the VN type has been imported into the system.

Fundamentals

  • VXLAN fabric network with a centralized gateway
    • Only one device functions as the centralized Layer 3 gateway. All extranet and intranet access traffic is forwarded through this gateway, implementing centralized traffic management. Hosts in different BDs cannot directly communicate with each other at Layer 2. A Layer 3 VXLAN gateway is required to implement Layer 3 communication between the hosts. In this scenario, only a border node can function as the gateway.
    • VNs of the Layer 3 VXLAN, Layer 2 VXLAN, Layer 3 VLAN, and Layer 2 VLAN types are supported.
  • VXLAN fabric network with distributed gateways
    • In distributed gateway mode, Layer 2 and Layer 3 gateways are deployed on the same device. VTEP devices function as Layer 2 VXLAN gateways and connect to hosts, allowing tenants to access VNs on VXLAN networks. They also function as Layer 3 VXLAN gateways, allowing for inter-subnet communication and external network access. On a VXLAN fabric network with distributed gateways, both border and edge nodes can function as user gateways.
    • VNs of the Layer 3 VXLAN and Layer 2 VXLAN types are supported. VNs of the Layer 3 VLAN and Layer 2 VLAN types are not supported.

Procedure

  1. Create a VXLAN fabric network and select a fabric networking type.

    1. Choose Provision > Virtual Network > VXLAN Fabric Management, and then click Create Fabric. On the Create VXLAN Fabric page, set Name to Tenant_Fabric, Networking type to Centralized gateway, and Wireless authentication device to Border, enable Automatic routing domain configuration, and set AS number to 100.

    2. Click the Advanced drop-down arrow. Set storm suppression parameters for the VXLAN fabric network, and enable the function of reporting terminal identification information. Click Apply.

      You are advised to set the storm suppression thresholds of the VXLAN fabric network to 1% of the tunnel-side uplink rate of the edge node. Set the thresholds based on the actual network situation, for example, the user access status and access interface capacity in a broadcast domain.

  2. Add devices to the VXLAN fabric network, and configure automatic underlay route orchestration and BGP EVPN.

    1. Click the Network Management tab of Tenant_Fabric and click Add Device. In the Add Device window, select the devices to be added, and set core switches to Border, aggregation switches to Trans, and access switches to Edge. Enable the route reflector function for the core switches. After setting the parameters, click Next.

      Devices of the following models cannot function as border or edge nodes on fabric networks with distributed gateways, and cannot function as border nodes on fabric networks with the centralized gateway, either.

      S6720-30C-EI-24S-AC, S6720-30C-EI-24S-DC, S6720-54C-EI-48S-AC, S6720-54C-EI-48S-DC, S6720S-26Q-EI-24S-DC, S6720S-26Q-EI-24S-AC, S6735-S48X6C, S6735S-S48X6C-A, S6735S-S24X6C-A, S6735-S24X6C

    2. Enable automatic underlay route orchestration and set related parameters.
      • Set the OSPF area to Multiple areas. When there are fewer than 100 switches in a network area where routes need to be deployed on the underlay network, single-area orchestration is recommended. When there are more than 100 switches in a network area where routes need to be deployed on the underlay network, multi-area orchestration is recommended.
      • Set the network type to P2P.
      • Select the OSPF packet encryption mode, and set the key and password.
      • Enable OSPF GR.

      Routing domains cannot be automatically configured if border and edge nodes are not at the same site. To configure routing domains to implement site interconnection, configure routes on the Provision > Physical Network > Site Configuration > Site Configuration > Switch > Route > Interface OSPF page.

    3. Configure BGP EVPN. Click OK. After the configuration is complete, you are advised to click Configuration Status to check whether the configuration is successfully delivered.

Follow-up Procedure

  • After services on the VXLAN fabric network are configured, if a link needs to be changed due to a port fault or capacity expansion, you can click the icon in the upper left corner next to a VXLAN fabric network name to display the VXLAN fabric list and click the link update icon on the right of the specified VXLAN fabric network name to update links on the network. You can also click the corresponding icon in the topology mode to update links on a specified VXLAN fabric network. Link changes are supported only in the following scenarios:
    • Port fault: The port at one end fails or the ports at both ends fail.
    • Bandwidth expansion: Member interfaces are added to an existing Eth-Trunk for capacity expansion. Link changes will be automatically deployed in this scenario. When a physical interface is configured as an Eth-Trunk interface, a link change needs to be deployed. If services have been configured on the original physical interface, after the link change, another physical interface is configured as an Eth-Trunk interface and services are migrated to the Eth-Trunk interface.

      Link changes can be deployed only when corresponding ports are changed. When devices on both sides of a link are changed, for example, a device is replaced or faulty, link changes cannot be deployed.

      If a port is faulty or the link capacity is expanded, click the link update icon to update links on the VXLAN fabric network and then adjust VXLAN fabric service configurations.

  • View the configuration status.

    Select the VXLAN fabric to be modified and click the configuration status icon under the VXLAN fabric, or click Configuration Status, to view the configuration status. If the configuration status is Failed, see Troubleshooting.

  • View a VXLAN fabric network.

    Select a VXLAN fabric and click the view icon under the network to view its information.

  • Change links on a VXLAN fabric network.

    Select a VXLAN fabric and click the link update icon under the network to change links on the network.

  • Modify a VXLAN fabric network.

    Select a VXLAN fabric network and click the edit icon under the network to modify it.

  • Delete a VXLAN fabric network.

    Select a VXLAN fabric network and click the delete icon under the network to delete it.

Parameters

Table 9-564 Parameters for configuring a VXLAN fabric network

Parameter

Description

Name

Meaning:

VXLAN fabric name.

Constraints:

Under a tenant, each VXLAN fabric name must be unique.

Networking type

A VXLAN fabric network can be set up in either of the following modes:

  • Centralized gateway: Traffic transmitted from the external network to the internal network and transmitted in the internal network passes through the centralized gateway on the VXLAN fabric. In this case, only the border node can function as the user gateway.
  • Distributed gateway: Traffic transmitted from the external network to the internal network and transmitted in the internal network passes through different gateways on the VXLAN fabric. In this case, edge and border nodes can function as user gateways.

Wireless WAC location

Location and type of the authentication device for wireless users on the network. Currently, the following modes are supported:

  • Edge: The native WACs on edge nodes act as authentication points for wireless users.
  • Border: The native WACs on border nodes act as authentication points for wireless users.
  • Standalone WAC: Standalone WACs that connect to border nodes in off-path mode act as authentication points for wireless users.

Automatic routing domain configuration

Meaning: After this function is enabled, the underlay network is automatically configured. You can specify the sites where routing domains are automatically configured and specify OSPF route parameters.

Currently, the following parameters are supported:

Area: In the single-area scenario, all devices belong to Area 0. In the multi-area scenario, border nodes belong to Area 0, and each edge node and its connected border node belong to an area. If there are transparent nodes on the network, each transparent node and its connected border node belong to the same area. The areas to which edge nodes belong start from 1 in ascending order. The network with multi-layer aggregation devices supports only the single-area mode.

Network type: You can set the OSPF network type to broadcast, P2MP, or P2P.

Encryption: You can set the encryption mode between adjacent devices to HMAC-SHA256, MD5, or none.

NOTE:

HMAC-SHA256 is recommended, because it is more secure than MD5.

Key: It refers to the authentication key ID used for ciphertext authentication on an interface, and must be consistent with that of the peer device. The value is an integer in the range from 1 to 255.

Password: It specifies the ciphertext authentication key. The value is a string of 8 to 255 characters and cannot contain spaces.

Confirm password: You need to enter the ciphertext authentication key again for confirmation.

OSPF GR: Whether to enable OSPF graceful restart (GR).

BFD: Whether to enable BFD for OSPF. This function helps rapidly detect link status.

FRR: Whether to enable OSPF IP FRR. With this function enabled, OSPF can generate a loop-free backup link.

AS number

Meaning: BGP AS number on the VXLAN fabric.

Constraints: If BGP has been configured on a device, the AS number set here must be the same as the BGP AS number set on the device.

RR cluster ID

Meaning: Cluster ID of an RR.

Usage: If multiple RRs are deployed on a VXLAN fabric (for example, two RRs on a dual-border VXLAN fabric), specify an RR cluster ID to prevent BGP routing loops.

Value range: The value is an integer ranging from 1 to 4294967295 or an IPv4 address.

Traffic forwarding path

Meaning:

Mode in which border nodes on a VXLAN fabric forward traffic.

Value range:

  • Load balancing: Traffic is load balanced among multiple border nodes. A maximum of eight border nodes can be deployed on a VXLAN fabric.
  • Device-level active/standby: Border nodes work in active/standby mode to forward traffic based on egress devices. A maximum of two active egress devices can be configured. In this mode, you need to set the default egress device. Specifically, select one or more edge nodes on the Network Management page in list mode and choose More > Set Default Egress Device.
  • Service-level active/standby: Border nodes work in active/standby mode to forward traffic based on services. A maximum of two active egress devices can be configured. In this mode, you need to configure the active egress device on the External Network > Route Configuration > Static route page.

Constraints:

This parameter is supported only in the distributed gateway scenario.

Storm Suppression on VXLAN Fabric

Type of the traffic to be suppressed in a BD:
  • Broadcast: Enables broadcast traffic suppression in a BD.
  • Multicast: Enables multicast traffic suppression in a BD.
  • Unknown unicast: Enables unknown unicast traffic suppression in a BD.

Broadcast CIR/Broadcast CBS

Committed information rate (CIR) and committed burst size (CBS) of broadcast traffic.

Multicast CIR/Multicast CBS

CIR and CBS of multicast traffic.

Unknown Unicast CIR/Unknown Unicast CBS

CIR and CBS of unknown unicast traffic.

Layer 2 Isolation

Meaning:

When Layer 2 isolation is enabled, the RR does not reflect client routes.

Constraints:

  • This parameter is configurable in the centralized gateway scenario.
  • When Layer 2 isolation is enabled, only a border node can function as an RR.
  • This setting cannot be modified once VNs are configured on the VXLAN fabric.

Report terminal identification information

Meaning:

Whether to enable terminal identification channels for devices on a VXLAN fabric, including DHCP Option, HTTP User Agent, and multicast DNS channels.

Constraints:

  • The default report interval is 30 minutes.
  • The function of reporting terminal information in the VXLAN fabric configuration and that in the monitoring configuration cannot both be enabled.

BGP graceful restart

Application scenario:

A BGP restart causes traffic interruption. To prevent traffic interruption, enable graceful restart (GR) for BGP on devices, so that the devices can assist other GR-enabled devices to perform GR. This prevents service interruptions when BGP restarts.

Constraints:

  • This function is enabled by default and cannot be configured.
  • In versions earlier than V300R020C00, this function is disabled by default. In V300R020C00 and later versions, administrators can enable this function.

Domain name-supported policy

Application scenario:

When free mobility policies based on domain names are deployed on edge nodes, you need to enable this function.

VLAN networking

Constraints:

This parameter is configurable in the centralized gateway scenario.

Application scenario:

This function must be enabled when logical networks are set up based on the traditional VLAN technology.

Configuring an External Network

Application Scenario

iMaster NCE-Campus supports external networks of three egress types in VXLAN scenarios.

Table 9-565 Application scenarios of different egress types

Egress Type

Description

Application Scenario

Layer 3 shared egress

When different VNs access an external network through border nodes, service traffic of different VNs is forwarded from the shared VRF to the external network. The shared VRF is a public VRF or a specific VPN instance. An external network of the shared egress type can be connected to multiple VNs, and one VN can be bound to multiple external networks of the shared egress type.

The user gateway is located on the fabric network. Multiple VNs on the fabric network can access an external network through the Layer 3 shared egress.

It is applicable to a scenario where campus services are directly transmitted from the border egress without passing through the firewall.

L3 exclusive egress

  • When users in a VN access an external network, the VRF of the VN is used as the egress VRF. Different VNs use their own VRFs for external network access.
  • When an external network of the Layer 3 exclusive egress type is created, the controller does not immediately deploy the external network on devices, but deploys it on devices in a VN only when the VN is bound to this external network.
  • An external network of the Layer 3 exclusive egress type can be bound to only one VN.
  • Static routing and dynamic routing (BGP/OSPF) are supported.

It is applicable to a scenario where a firewall is connected to a core device in bypass mode and traffic in the VN is diverted to the firewall.

Layer 2 shared egress

When users access an external network through the interface on a core device, a Layer 2 egress is used. In this case, no user gateway is deployed in the fabric, and a Layer 2 VXLAN network is deployed.

It is applicable to a scenario where no user gateway is deployed on the fabric and the campus network needs to transparently transmit packets to the user gateway at Layer 2. For example, the ME60 functions as the gateway in the Layer 2 campus network.

Layer 3 Shared Egress Application Scenario

Figure 9-181 Customized VRF networking

DC access: In a large or midsize enterprise, if employees in both R&D and marketing departments are allowed to access applications in the data center, an external network of the shared egress type can be configured. In this scenario, there is no need to create a separate VRF instance for each VN on the PE. Only local and remote interconnection IP addresses need to be configured for the shared VRF on the border node, which simplifies the route configuration on the PE. As such, when the DC access traffic from R&D and marketing departments arrives at the PE, the traffic enters the VRF for communication with the DC.

Figure 9-182 Public VRF networking

Internet access: For a higher education institution, if both the student network (VN 1) and teacher network (VN 2) need to access the Internet, an external network of the shared egress type can be configured. In this scenario, the controller delivers a default route with the next hop of 192.168.1.2 to the VRF instances of VN 1 and VN 2 (vn1_vrf and vn2_vrf in the preceding figure) on the border node, and delivers static routes destined for the VRF instances of VN 1 and VN 2 to the PE and the public VRF on the border node.

Although this solution saves resources and simplifies configuration, the student network and teacher network can communicate with each other through routes on the PE/FW. To meet high security requirements, you can configure policies on the PE/FW to control inter-VN communication, or configure an external network of the Layer 3 exclusive egress type.

Layer 3 Exclusive Egress Application Scenario

Figure 9-183 External network of the exclusive egress type
  1. Firewall interconnection: For an enterprise, the R&D and marketing departments each have one VN configured, and the two VNs are allowed to communicate only through the corresponding vFW on the FW. Policies and routes are configured for the vFWs to control inter-VN communication. In this situation, an external network of the Layer 3 exclusive egress type is required to implement VRF communication between the border node and FW.
  2. PE interconnection: For a higher education institution that uses MPLS VPN to connect networks in different campuses, for example, connecting student or teacher networks in campuses A and B, an external network of the Layer 3 exclusive egress type is required to implement VRF communication between the border node and PE.

If VNs and VRF instances or vFWs on the PE/FW connected to the border node are one-to-one mapped, you need to configure external networks of the Layer 3 exclusive egress type.
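The security point made in the two application scenarios above (a Layer 3 shared egress lets VN 1 and VN 2 reach each other through routes on the PE/FW unless a policy stops them, while a Layer 3 exclusive egress confines each VN to its own VRF or vFW) can be made concrete by tracing a packet through the route tables each design implies. The following Python is an added example, not code from the guide or from iMaster NCE-Campus: the VN subnets 10.1.0.0/16 and 10.2.0.0/16, the vFW names, the PE filter and the border-side next hop 192.168.1.1 are constructed; only the PE next hop 192.168.1.2 comes from the guide.

```python
"""Trace inter-VN traffic through shared and exclusive Layer 3 egresses (added example)."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

CONNECTED = "connected"   # destination is on a directly connected subnet
DROP = "drop"             # destination is unroutable at this hop

# A route is (prefix, next hop). The next hop names the routing table that
# processes the packet next (another VRF or device), or CONNECTED / DROP.
Route = Tuple[str, str]
Tables = Dict[str, List[Route]]
Policy = Callable[[str, str, str], bool]   # (table, src, dst) -> allowed?

# Public-VRF networking (Figure 9-182) with a Layer 3 shared egress. The VN
# VRFs on the border get a controller-delivered default route to the PE
# (next hop 192.168.1.2, from the guide); the PE and the border's public VRF
# hold static routes back to the constructed VN subnets.
SHARED_EGRESS: Tables = {
    "vn1_vrf": [("10.1.0.0/16", CONNECTED), ("0.0.0.0/0", "pe")],   # via 192.168.1.2
    "vn2_vrf": [("10.2.0.0/16", CONNECTED), ("0.0.0.0/0", "pe")],   # via 192.168.1.2
    "pe": [("10.1.0.0/16", "public_vrf"),                           # via 192.168.1.1 (assumed)
           ("10.2.0.0/16", "public_vrf"),
           ("0.0.0.0/0", "internet")],
    "public_vrf": [("10.1.0.0/16", "vn1_vrf"), ("10.2.0.0/16", "vn2_vrf")],
    "internet": [("0.0.0.0/0", CONNECTED), ("10.0.0.0/8", DROP)],   # RFC 1918 space is not routed
}

# Layer 3 exclusive egress: each VN VRF peers with its own vFW (names constructed),
# and each vFW knows only its own VN.
EXCLUSIVE_EGRESS: Tables = {
    "vn1_vrf": [("10.1.0.0/16", CONNECTED), ("0.0.0.0/0", "vfw_rd")],
    "vn2_vrf": [("10.2.0.0/16", CONNECTED), ("0.0.0.0/0", "vfw_marketing")],
    "vfw_rd": [("10.1.0.0/16", "vn1_vrf"), ("0.0.0.0/0", "internet")],
    "vfw_marketing": [("10.2.0.0/16", "vn2_vrf"), ("0.0.0.0/0", "internet")],
    "internet": [("0.0.0.0/0", CONNECTED), ("10.0.0.0/8", DROP)],
}


def longest_match(table: List[Route], dst: str) -> Optional[str]:
    """Next hop of the most specific route covering dst, or None if none matches."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = next_hop, net.prefixlen
    return best


def trace(tables: Tables, start: str, src: str, dst: str,
          policy: Optional[Policy] = None, max_hops: int = 8) -> List[str]:
    """Follow a packet from src to dst starting in routing table 'start'.

    Returns the tables visited. The last element is CONNECTED when the
    destination is reached, DROP or "no-route" when it is not, "denied:<table>"
    when the policy discards the packet, and "loop" if max_hops is exceeded.
    """
    path, table = [start], start
    for _ in range(max_hops):
        if policy is not None and not policy(table, src, dst):
            path.append(f"denied:{table}")
            return path
        next_hop = longest_match(tables[table], dst)
        if next_hop is None:
            path.append("no-route")
            return path
        path.append(next_hop)
        if next_hop in (CONNECTED, DROP):
            return path
        table = next_hop
    path.append("loop")
    return path


def reachable(path: List[str]) -> bool:
    return path[-1] == CONNECTED


def pe_inter_vn_filter(table: str, src: str, dst: str) -> bool:
    """Constructed PE/FW policy: discard traffic between different VN subnets."""
    if table != "pe":
        return True
    vn_nets = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16")]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vn = next((i for i, n in enumerate(vn_nets) if s in n), None)
    dst_vn = next((i for i, n in enumerate(vn_nets) if d in n), None)
    return src_vn is None or dst_vn is None or src_vn == dst_vn


if __name__ == "__main__":
    print("shared, no policy:", trace(SHARED_EGRESS, "vn1_vrf", "10.1.0.5", "10.2.0.5"))
    print("shared, PE policy:", trace(SHARED_EGRESS, "vn1_vrf", "10.1.0.5", "10.2.0.5", pe_inter_vn_filter))
    print("exclusive:", trace(EXCLUSIVE_EGRESS, "vn1_vrf", "10.1.0.5", "10.2.0.5"))
```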

Feature Requirements

  • In dual-border networking, you cannot configure multiple external gateways in one external network with a Layer 3 shared egress. Instead, you need to configure multiple external networks.
  • If you need to use static routes to implement load balancing between the two border nodes, you need to configure the static routes manually. External service IP Address cannot fulfill this requirement.

Prerequisites

When a tenant needs to access an external network, the connection between the border node and external network and an external gateway need to be configured for service provisioning. The following conditions must be met:

  • The interface, IP address, and VLAN for interconnection with the border node have been set on the external gateway.
  • A VXLAN fabric has been created and a border node has been configured on the network.
  • The gateway location has been determined.
    • If the gateway needs to be deployed inside the VXLAN fabric network, create an external gateway of the Layer 3 type to connect the gateway to the egress device.
    • If the gateway needs to be deployed outside the VXLAN fabric network, the gateway needs to connect to the egress device through a Layer 2 interface. In this case, you need to create an external gateway of the Layer 2 type to connect the gateway to the egress device.

Procedure

  1. Select the egress type for the VXLAN fabric network to connect to an external network.

    Choose Provision > Virtual Network > VXLAN Fabric Management. On the Network Management tab page of Tenant_Fabric, click the edit button next to External Network and then click Create.

    In the Create External Network window, select L3 Exclusive Egress and click OK.

  2. Configure basic information for communication between the VXLAN fabric and external networks.

    For example, to create an external network for RD_VN, set Name to RD_Outer, Outbound interface type to VLANIF, and Egress routing mode to Static route, enable Internet connection, and click Next.

    Enabling Internet connection automatically generates a default static route for the VXLAN fabric network to communicate with the external network.

  3. Configure the ports and IP addresses for the VXLAN fabric network to connect to the external network.

    Select Core for Core device, and click Add to configure the interconnection port (Table 9-566 describes the parameters). Click OK and then Next.

    Table 9-566 Parameters for configuring the interconnection ports between the border node and firewall

    Parameter

    Description

    Name

In this example, the interconnection port for the external network RD_Outer is named RD_Int. The interconnection VLAN is VLAN 3950, the local IP address is 192.168.5.3, and the peer IP address is 192.168.5.254 (VRRP virtual IP address of the firewall).

    Port

    Port that connects the core switch to the firewall. Select Eth-Trunk 3 and Eth-Trunk 4 as planned.

    VLAN

VLAN for connecting the core switch to the firewall. Select a VLAN from the VXLAN fabric global resource pool. You can click the icon on the right of the field to view VLAN resource usage. Set this parameter to VLAN 3950 as planned.

    IP address type

    This example selects IPv4.

    Local IPv4 IP address

    Set this parameter to 192.168.5.3 as planned.

    Peer IPv4 address

    Set this parameter to the VRRP virtual IP address of the firewall (192.168.5.254) as planned.

    IPv4 Mask

    Set this parameter to 24 as planned.

  4. Configure a route from the VXLAN fabric network to the external network.

    The static route can be a default route or a specific route manually created. Then click Apply. After the configuration is complete, you are advised to click Configuration Status to check whether the configuration is successfully delivered.

  5. Repeat steps 1 to 4 to create the external network egress Market_Outer for the marketing department.

Parameter Description

Table 9-567 Parameters for configuring an external network

Parameter

Description

Name

Name of an external network.

External network type

Type of the egress connecting the tenant network to an external network. The options are as follows:

  • L3 shared egress: The border node connects to and accesses the external network via a Layer 3 interface. Through the shared VRF egress, the public network or private network specified by another site can be accessed, or service traffic can be diverted to the firewall. When configuring a dual-border VXLAN fabric, you can add two border nodes in one external network.
  • L3 exclusive egress: The border node connects to and accesses the external network via a Layer 3 interface. If the traffic from a user to the external network needs to carry the VPN attribute, the service VRF can be used as the egress VRF of the external gateway. The user traffic is directly sent out through the service VRF. Multiple external networks need to be configured on a dual-border VXLAN fabric.
  • L2 shared egress: The border node connects to the egress router through a Layer 2 interface, and a user gateway is deployed on the egress router to access the external network.

Use default VRF

Meaning: Whether to bind the default VRF (VPN instance) to the VLANIF interface for interconnection with an external network.

By default, this parameter is disabled. In this case, you need to configure a user-defined VRF.

Customized VRF name

Meaning: VPN instance name on the device.

Constraints: If you do not set this parameter when creating an external network, the controller automatically generates a VRF name.

Outbound interface type

The egress interface can be a VLANIF interface or a VBDIF interface:

  • On a VXLAN fabric network with two border nodes, if firewalls are deployed in a square looped topology and have VRRP configured, configure a VBDIF interface as the egress interface.
  • In other scenarios, configure a VLANIF interface as the egress interface.

Egress routing mode

Routing mode of the egress interface. The options are as follows:

  • Static routing
  • Dynamic routing

Connecting to the Internet

Whether to allow access to external networks through default routes.

External service IP Address

Meaning: IP address of the remote network connected to the current egress, which is used by the controller to automatically deliver static routes destined to the remote network.

Constraints: This parameter needs to be set only when External network type is set to L3.

Core device

Border node to be connected to the remote network.

Port

Meaning: Port connecting the border node to the egress device.

Description

Meaning: Description of the port.

The description is a string of 1 to 80 case-sensitive characters. The value can contain spaces.

VLAN

Meaning: VLAN for interconnection between the border node and PE.

Constraints: This parameter needs to be set only when External network type is set to L3.

IP address type

IP address type of the interconnection port:

  • IPv4
  • IPv6

Local IPv4 address/Local IPv6 address

Meaning: IP address of the port on the border node for connecting to the egress device. This address will be delivered by iMaster NCE-Campus to the border node.

Constraints: This parameter needs to be set only when External network type is set to L3.

Peer IPv4 address/Peer IPv6 address

Meaning: IP address of the port on the egress device for connecting to the border node.

Constraints:

  • The IP address must be the same as that of the PE.
  • This parameter needs to be set only when External network type is set to L3.

IPv4 Mask/IPv6 Mask

Meaning: IP address mask of the ports connecting the border node and egress device.

Constraints: This parameter needs to be set only when External network type is set to L3.

Static route

Meaning: Static route destined to the remote network.

Constraints:

  • This parameter needs to be set only when External network type is set to L3.
  • When Egress forwarding mode is set to Active/standby egress services during the creation of a VXLAN fabric, you need to configure two static routes and specify the active egress device.

Input route

Whether to enable the border node to import static routes from the IP routing table to the BGP routing table and advertise these routes to peers.

Aggregated route

Whether to enable the border node to suppress the advertisement of the specific routes covered by summary routes and advertise only the summary routes.

BGP peer

BGP peer information of the border node:

  • Peer AS number
  • Peer IP address
  • Active time/Hold time (s)
  • Authentication type
  • Keychain name: The keychain name on the local device must be the same as that on the peer device. The keychain name on the local device is delivered by iMaster NCE-Campus.

OSPF

OSPF process information of the border node.

  • Process ID: OSPF process ID. OSPF processes can be created based on service types.
  • Import static routes: indicates whether to import static routes into OSPF.
  • Import direct routes: indicates whether to import direct routes into OSPF.
  • Do not set the DN bit of Summary LSA
  • Do not set the DN bit of AS-external LSA
  • Do not set the DN bit of NSSA LSA
    NOTE:

    OSPF multi-instance processes use a bit flag called the DN bit to prevent routing loops.

    The DN bit configuration applies only to the following scenarios:

    • In a VPN Option A scenario, the local PE imports BGP routes to generate LSAs and advertise the generated LSAs to the peer PE. Due to the DN bit setting restriction defined in RFC 4577, the peer PE fails to calculate routes. You can configure or cancel the DN bit setting on the local PE.
    • When a PE is connected to an MCE, the MCE needs to calculate some routes advertised by the PE. By default, the MCE does not check the DN bit. You can configure or cancel the DN bit setting on the local PE.

Area

OSPF area information of the border node.

  • Area ID: OSPF area ID.
  • Network Type: Broadcast, P2MP, or P2P.
  • Authentication Type: authentication mode configured for the OSPF area. The options are simple mode, security mode, and none.
  • Key-ID: authentication key ID of the interface's cipher authentication. Both ends must have the same Key ID. The value is an integer in the range from 1 to 255. This parameter is configurable only when Authentication Type is set to Security mode.
  • Encryption algorithm: HMAC_SHA256, MD5, or HMAC_MD5. Despite the label, this is the algorithm used to compute the OSPF packet authentication digest; OSPF packet authentication provides integrity and origin checks, not confidentiality. This parameter is configurable only when Authentication Type is set to Security mode.
    NOTE:

    HMAC-SHA256 is recommended, because it is more secure than MD5 and HMAC-MD5.

  • Password type: plaintext or ciphertext type. This parameter is configurable only when Authentication Type is set to Security mode or Simple mode.
    NOTE:

    A plaintext password is a security risk. You are advised to use a ciphertext password with HMAC-SHA256 in Security mode.

  • Password: plaintext or ciphertext password. The value is a string of case-sensitive characters without spaces, and contains digits and letters. This parameter is configurable only when Authentication Type is set to Security mode or Simple mode.
    • In Simple mode, a password is a string of 1 to 8 characters.
    • In Security mode, a password is a string of 1 to 255 characters.
  • Confirm Password: This parameter is configurable only when Authentication Type is set to Security mode or Simple mode.
  • Neighbor interface: neighbor interface to which the border node connects through OSPF.
  • Network: network segment in the OSPF area. The value is in the format of IP prefix/mask.
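The Area parameters above choose between Simple mode (RFC 2328 AuType 1, where the 64-bit Authentication field carries the password itself in cleartext, hence the 8-character limit), MD5, and HMAC-SHA256. The following added example, written for this page and not taken from iMaster NCE-Campus or any switch code, shows what the last two actually put on the wire: a cryptographic authentication trailer appended to a constructed OSPFv2 Hello, computed per RFC 2328 Appendix D (MD5 over packet plus zero-padded key) or RFC 5709 (HMAC over packet plus Apad, with the Ko key preprocessing), and a receiver that checks the key ID, the cryptographic sequence number and the digest. The router ID, area, key ID and key are made up; the Apad constant and Ko rule are taken from RFC 5709.

```python
"""OSPFv2 cryptographic authentication trailer (added illustration, constructed packet)."""
import hashlib
import hmac
import struct

AU_TYPE_CRYPTO = 2                       # RFC 2328: cryptographic authentication
APAD_WORD = b"\x87\x8f\xe1\xf3"          # RFC 5709 Apad constant, repeated L/4 times
ALGOS = {"md5": (hashlib.md5, 16), "hmac-sha256": (hashlib.sha256, 32)}
BY_LEN = {length: name for name, (_, length) in ALGOS.items()}   # Auth Data Len -> algorithm


def build_hello(router_id: bytes, area_id: bytes, key_id: int, seq: int, auth_len: int) -> bytes:
    """Constructed OSPFv2 Hello. With AuType 2 the checksum is 0 and the 64-bit Authentication
    field carries reserved(16) | Key ID(8) | Auth Data Len(8) | Cryptographic Sequence Number(32)."""
    # network mask 255.255.255.0, HelloInterval 10, options (E bit), priority 1, dead 40, DR 0, BDR 0
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = 24 + len(body)              # the OSPF length field excludes the authentication trailer
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AU_TYPE_CRYPTO)
    return header + struct.pack("!HBBI", 0, key_id, auth_len, seq) + body


def ospf_digest(packet: bytes, key: bytes, algo: str) -> bytes:
    hash_fn, L = ALGOS[algo]
    if algo == "md5":
        # RFC 2328 Appendix D: MD5 over packet || key, key zero-padded to 16 octets.
        # A keyed-suffix construction on a broken hash, which is why the guide prefers HMAC-SHA256.
        return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()
    # RFC 5709 Sec. 3.3: Ko = H(K) if K is longer than L octets, else K zero-padded to L;
    # digest = HMAC(Ko, packet || Apad). hmac.new pads Ko to the block size, i.e. Ko XOR Ipad/Opad.
    ko = hash_fn(key).digest() if len(key) > L else key.ljust(L, b"\x00")
    return hmac.new(ko, packet + APAD_WORD * (L // 4), hash_fn).digest()


def sign(packet: bytes, key: bytes, algo: str) -> bytes:
    return packet + ospf_digest(packet, key, algo)


def verify(frame: bytes, keys: dict, last_seq: int):
    """keys maps key ID -> secret. Returns (ok, accepted_seq). Rejects unknown key IDs, a sequence
    number lower than the last accepted one (replay, RFC 2328 D.3) and any mismatching trailer."""
    if len(frame) < 24:
        return False, last_seq
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    (autype,) = struct.unpack("!H", frame[14:16])
    _reserved, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    algo = BY_LEN.get(auth_len)
    if version != 2 or autype != AU_TYPE_CRYPTO or algo is None or key_id not in keys:
        return False, last_seq
    if len(frame) != length + auth_len or seq < last_seq:
        return False, last_seq
    packet, trailer = frame[:length], frame[length:]
    if not hmac.compare_digest(trailer, ospf_digest(packet, keys[key_id], algo)):
        return False, last_seq
    return True, seq


# Made-up values for the demonstration: router 10.0.0.1 in area 0.0.0.0, key ID 1.
KEY_ID, SECRET = 1, b"campus-ospf-key"
RID, AREA = bytes([10, 0, 0, 1]), bytes(4)


def demo() -> dict:
    hello = build_hello(RID, AREA, KEY_ID, seq=100, auth_len=32)
    frame = sign(hello, SECRET, "hmac-sha256")
    tampered = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]   # flip a bit in the options byte
    return {
        "genuine": verify(frame, {KEY_ID: SECRET}, 0),
        "tampered": verify(tampered, {KEY_ID: SECRET}, 0),
        "replayed": verify(frame, {KEY_ID: SECRET}, 101),
        "wrong_key": verify(frame, {KEY_ID: b"other-key"}, 0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Both ends must agree on the key ID, the algorithm (hence the Auth Data Len) and the secret, which is exactly what the Key-ID and Password parameters above pin down; the sequence number check is what stops a captured Hello from being replayed later.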

Configuring a Network Service Resource

Fundamentals

The DHCP server processes requests for address assignment, address lease renewal, and address release from clients or relay agents, and assigns IP addresses and other network configurations to clients. When the gateway of a Layer 3 VN needs to use the DHCP service, the system automatically delivers related configurations based on the DHCP server configuration. For a Layer 2 VN, no DHCP group needs to be configured.

The traffic for accessing a DHCP server is forwarded as follows:

  1. When a user terminal goes online for the first time, the terminal needs to be authenticated before communication. Before the authentication, the terminal needs to access the default VN through the default VLAN to access the DHCP VN. Then the terminal obtains a temporary IP address through the DHCP process. After obtaining the temporary IP address, the terminal initiates an authentication process and accesses the authentication server through the default VN.
  2. After the authentication is successful, the terminal accesses the service virtual network VN-VRF through the authorized VLAN.

Application Scenario

A border node can connect to a DHCP server in the following methods:

  • Directly connect to a server: The border node directly connects to the network service resource server.
  • Directly connect to a switch: The border node connects to the network service resource server through a switch.
  • Connect to a remote server: The border node connects to the DHCP server through an external network.

End users access a Portal server, RADIUS server, or a DNS server through a border node. You need to configure interconnection information between the border node and servers for service provisioning.

Procedure

  1. Set the network service resource types for the VXLAN fabric and the corresponding IP addresses to be accessed.

    In this example, to simplify route planning between the border node and the gateway in the network management zone, the DHCP server and authentication server in the network management zone are configured as a single network service resource for communication with the VXLAN fabric. In addition, if users need to reach a server to download an 802.1X client or update the antivirus database before authentication, include that server's IP address when configuring network service resources.

    Choose Provision > Virtual Network > VXLAN Fabric Management. On the Network Management tab page of Tenant_Fabric, click the edit button next to Network Service Resources and then click Create. For the parameters, see Table 9-568. After setting the parameters, click Next.

    Table 9-568 Parameters for creating a network service resource

    Parameter

    Description

    Name

    This example sets the network service resource name to Dserver_and_Aserver.

    VRF

    User-defined VRF name. If this parameter is not specified, iMaster NCE-Campus automatically generates a VRF that corresponds to the network service resource. In this example, the user-defined VRF name of the network service resource is DA_VRF.

    Server type

    This example selects DHCP and Other, which allows the fabric to connect to a DHCP server and to the built-in authentication server of iMaster NCE-Campus.

    DHCP server

    Set this parameter to the IP address of the DHCP server, that is, 172.16.8.101.

    Other server

    Set this parameter to the network segment where the iMaster NCE-Campus southbound IP address resides, that is, 172.16.2.0/24.

  2. Configure the port and IP address for the VXLAN fabric to connect to the external network resource. For the parameters, see Table 9-569. Then click Complete. After the configuration is complete, you are advised to click Configuration Status to check whether the configuration is successfully delivered.

    Table 9-569 Parameters for configuring the port for the border node to connect to the gateway in the network management zone

    Parameter

    Description

    Scenario

    Mode for interconnection between the border node and external servers. The following modes are supported. In this example, the core switch is directly connected to the gateway in the network management zone, so Directly connect to a switch is selected.

    • Directly connect to a server: The border node directly connects to a network service resource server.
    • Directly connect to a switch: The border node connects to a network service resource server through a switch.
    • Connect to a remote server: The border node connects to a DHCP server through an external network.

    Interconnection device

    Device that connects the VXLAN fabric to the gateway in the network management zone. This example selects Core, the border node.

    External Port

    Port that connects the core switch to the gateway in the network management zone. Select Eth-Trunk 5 as planned.

    VLAN

    VLAN for connecting the core switch to the gateway in the network management zone. This resource comes from the VXLAN fabric global resource pool. You can click the icon on the right of the field to view VLAN resource usage. Set this parameter to VLAN 4012 as planned.

    Interconnection IPv4 address

    Set this parameter to 172.16.12.254 as planned.

    Peer IPv4 address

    Set this parameter to 172.16.12.1 as planned.

    IPv4 Mask

    Set this parameter to 24 as planned.

    If the DHCP server is deployed remotely and connects to the campus network from an external network, you need to plan an independent network service resource. In this case, set the server type to DHCP and Scenario to Connect to a remote server. In this scenario, iMaster NCE-Campus only needs to deliver DHCP relay configurations to the user gateway. The communication between the user subnet and the DHCP server depends on the routes destined for the external network, which are delivered during external network configuration.
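    The external network procedure (steps 1 to 5 above) and the network service resource procedure both hand the controller an interconnection plan that it delivers to the border node without cross-checking it against the rest of the plan. The following added example, written for this page and not part of iMaster NCE-Campus, is a pre-flight lint for that plan: it checks that each local and peer address share the interconnection subnet, that every interconnection VLAN comes from the fabric global resource pool and is used once, that interconnection subnets and server prefixes do not overlap, and that a DHCP server reached with Connect to a remote server is covered by a route an external network actually delivers (the default route from Connecting to the Internet, or a specific static route). The RD_Outer and Dserver_and_Aserver values are those of this guide; the Market_Outer addresses and the VLAN pool range are assumptions.

```python
"""Lint for a VXLAN fabric border-node interconnection plan (added example, not product code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Link:
    """Border-node interconnection port: VLANIF plus local and peer addresses."""
    vlan: int
    local_ip: str
    peer_ip: str
    prefix_len: int


@dataclass
class ExternalNetwork:
    name: str
    link: Link
    internet: bool = False                            # Connecting to the Internet: default route delivered
    static_routes: List[str] = field(default_factory=list)   # specific destinations, e.g. "10.0.0.0/8"


@dataclass
class ServiceResource:
    name: str
    scenario: str                                     # "server", "switch" or "remote"
    servers: List[str]                                # DHCP / Other server addresses or prefixes
    link: Optional[Link] = None                       # absent for "remote": only DHCP relay is delivered


def check_link(label: str, link: Link, findings: List[str]) -> ipaddress.IPv4Network:
    """Validate one interconnection subnet and return it for the overlap checks."""
    local = ipaddress.ip_interface(f"{link.local_ip}/{link.prefix_len}")
    peer = ipaddress.ip_address(link.peer_ip)
    if peer not in local.network:
        findings.append(f"{label}: peer {peer} is not in interconnection subnet {local.network}")
    elif peer == local.ip:
        findings.append(f"{label}: local and peer addresses are identical")
    elif peer in (local.network.network_address, local.network.broadcast_address):
        findings.append(f"{label}: peer {peer} is the network or broadcast address")
    return local.network


def lint_plan(externals, resources, vlan_pool) -> List[str]:
    """Return the list of findings; an empty list means the plan passes."""
    findings, seen_vlans, subnets = [], {}, {}
    items = [(e.name, e.link) for e in externals] + [(r.name, r.link) for r in resources if r.link]
    for label, link in items:
        if link.vlan not in vlan_pool:
            findings.append(f"{label}: VLAN {link.vlan} is outside the fabric global resource pool")
        if link.vlan in seen_vlans:
            findings.append(f"{label}: VLAN {link.vlan} is already used by {seen_vlans[link.vlan]}")
        seen_vlans.setdefault(link.vlan, label)
        net = check_link(label, link, findings)
        for other, other_net in subnets.items():
            if net.overlaps(other_net):
                findings.append(f"{label}: subnet {net} overlaps {other} ({other_net})")
        subnets[label] = net
    # Routes the border node will have towards external networks once the plan is delivered.
    routes = []
    for ext in externals:
        if ext.internet:
            routes.append(ipaddress.ip_network("0.0.0.0/0"))
        routes += [ipaddress.ip_network(r) for r in ext.static_routes]
    for res in resources:
        for srv in res.servers:
            net = ipaddress.ip_network(srv, strict=False)
            for label, link_net in subnets.items():
                if net.overlaps(link_net):
                    findings.append(f"{res.name}: server prefix {srv} overlaps interconnection subnet of {label}")
            if res.scenario == "remote" and not any(
                r.version == net.version and net.subnet_of(r) for r in routes
            ):
                findings.append(f"{res.name}: no external-network route covers remote server {srv}")
    return findings


# Plan values from this guide; Market_Outer addresses and the pool range are assumptions.
VLAN_POOL = range(3000, 4064)
PLAN_EXTERNALS = [
    ExternalNetwork("RD_Outer", Link(3950, "192.168.5.3", "192.168.5.254", 24), internet=True),
    ExternalNetwork("Market_Outer", Link(3951, "192.168.6.3", "192.168.6.254", 24), internet=True),
]
PLAN_RESOURCES = [
    ServiceResource("Dserver_and_Aserver", "switch", ["172.16.8.101", "172.16.2.0/24"],
                    Link(4012, "172.16.12.254", "172.16.12.1", 24)),
]

if __name__ == "__main__":
    for line in lint_plan(PLAN_EXTERNALS, PLAN_RESOURCES, VLAN_POOL) or ["plan OK"]:
        print(line)
```

    Run it against the plan before clicking Apply; the Configuration Status check on the controller only tells you whether the configuration was delivered, not whether the addresses and routes make sense together.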

Parameter Description

Table 9-570 Parameters for configuring a network service resource

Parameter

Description

Name

Name of a network service resource group.

VRF

User-defined VRF name, which is the VPN instance name delivered to the device. If you do not set this parameter when creating a network service resource, iMaster NCE-Campus automatically generates a VRF name.

Server Type

Currently, the following four types of servers are supported:

  • DHCP: If this option is selected, you need to set the address of a DHCP server. A maximum of 20 DHCP servers can be configured, among which at most eight DHCPv6 servers can be configured. The DHCP server addresses can be changed after being set.
  • Third-party RADIUS server: If this option is selected, you need to select a RADIUS server template.
  • Third-party portal server: If this option is selected, you need to select a Portal server template and specify the URL pushed by the Portal server.
  • Other: If this option is selected, you need to specify the IP address and mask of a server, such as an FTP server and a DNS server.

DHCP server

DHCP server address.

Constraints:

  • A maximum of 20 DHCP servers can be configured, among which a maximum of eight DHCPv6 servers can be configured.
  • When DHCPv6 servers are configured, you need to set Server interconnection address pool.

Server interconnection address pool

IP address used by a border or an edge node to communicate with third-party servers.

Loopback interface number

Meaning: Number of the loopback interface whose address is used for interconnection with servers.

Constraints: If this parameter is not set when a DHCPv6 server, a Portal server, or a RADIUS server is configured, the system automatically sets and delivers a loopback interface number. You are advised to set a loopback interface number to avoid conflicts with the value manually set on devices.

Scenario

Mode for interconnection between the border node and servers which provide network service resources. The following scenarios are available:

  • Directly connect to a server: The border node directly connects to a network service resource server.
  • Directly connect to a switch: The border node connects to a network service resource server through a switch.
  • Connect to a remote server: The border node connects to a DHCP server through an external network.

Interconnection device

Device connected to the peer end.

Interconnection Port

Meaning: Physical interface connected to the peer end.

Constraints:

When the border node is connected to a switch, the type of the interconnection port on the border node is set to trunk by default. The interconnection port on the switch must be of the same type as that on the border node.

Interconnection IPv4/IPv6 address

Mask

IP address and mask of the border node's VLANIF interface connected to the peer end.

Peer IPv4/IPv6 address

Mask

Meaning: IP address and mask of the peer switch when the border node is directly connected to a switch.

Constraints:

  • If the switch directly connected to the border node acts as the server gateway, set this parameter to the address of the interconnection port connecting the switch to the border node.
  • When the border node acts as the server gateway, you do not need to set this parameter.

Interconnection VLAN

Description

Meaning: VLAN to which the physical interface connecting the border node to the peer end belongs, and the VLAN description.

The description is a string of 0 to 255 case-sensitive characters. The value can contain spaces.

Configuring Access Management

Fundamentals

iMaster NCE-Campus uses policy association between wired and wireless devices to implement unified authentication for wired and wireless users and support free mobility.

Wired User Authentication

There are two networking scenarios for wired user access:

  • VXLAN is deployed at the edge (terminals are directly connected to the ports of edge nodes):
    • Terminals are directly connected to the ports of edge nodes, and no forwarding device is deployed between them. Policy association is not used for wired user access authentication.
    • 802.1X authentication or MAC address authentication can be configured on interfaces. After a user is authenticated successfully, the user is authorized with a specific VLAN and is added to the corresponding VXLAN based on the authorized VLAN.
    • Terminals can access edge nodes through static VLANs, dynamic VLANs, and VLAN pools.

  • VXLAN is deployed on edge nodes (terminals are directly connected to the ports of extended nodes or edge nodes):
    • 802.1X authentication and MAC address authentication are supported.
    • A Control and Provisioning of Wireless Access Points (CAPWAP) tunnel is established between an edge node and an extended access node for policy association. After a terminal user accesses the network through the extended access device, authentication packets are sent to the edge node through the CAPWAP tunnel and then forwarded to the authentication server. After the user is authenticated successfully, the authentication server delivers the authorized VLAN to the edge node. Then the edge node forwards the authorized VLAN to the extended access device through the CAPWAP tunnel.
    • Terminals can access extended nodes through static VLANs, dynamic VLANs, and VLAN pools.
    • VXLAN encapsulation is not performed on packets at the access layer. Packets are forwarded using traditional VLAN technology and transmitted to the corresponding bridge domain (BD) based on the VLAN and are VXLAN encapsulated by edge nodes.

      Currently, only two layers of extended nodes are supported.

Wireless User Authentication

Wireless user authentication supports three networking scenarios: authentication control points on edge nodes (native WAC+Fit AP), authentication control points on border nodes (native WAC+Fit AP), and authentication control points on standalone WACs (standalone WAC+Fit AP).

Wireless traffic can be transmitted in tunnel forwarding or local forwarding mode.

  1. Tunnel forwarding
    1. Switches with native WAC or standalone WACs function as authentication control points and support 802.1X authentication and MAC address authentication. Fit APs function as authentication enforcement points.
    2. An authentication packet is sent to an authentication control point through a CAPWAP tunnel and then forwarded to the authentication and authorization server. After authentication is complete, authorized VLAN information is sent to the authentication control point, which then forwards the information to the AP through a CAPWAP tunnel.
    3. After a terminal goes online on the AP, the service packets of the terminal are encapsulated in the CAPWAP tunnel on the AP and forwarded to the authentication control point. The authentication control point then decapsulates the CAPWAP-encapsulated packets.
    4. The access device connected to the wireless terminal through a CAPWAP tunnel forwards the packets to a specific BD based on the service VLAN of the SSID or authorized VLAN.

  2. Local forwarding
    1. Switches with native WAC or standalone WACs function as authentication control points, and support 802.1X authentication and MAC address authentication. Fit APs function as authentication enforcement points.
    2. An authentication packet is sent to an authentication control point through a CAPWAP tunnel and then forwarded to the authentication and authorization server. After authentication is complete, authorized VLAN information is sent to the authentication control point, which then forwards the information to the AP through a CAPWAP tunnel.
    3. After a terminal goes online on the AP, the service traffic of the terminal is transmitted upstream as VLAN packets on the AP and arrives at an access switch as VLAN tagged packets.
    4. The access device connected to the wireless terminal forwards the packets to a specific BD based on the VLAN information in the packets.
  NOTE:

  • Tunnel forwarding (mode 1) is recommended.
  • Currently, the configurations of native WAC and Fit AP need to be delivered through the CLI or the web system.

Application Scenario

To authenticate users in different authentication modes, the fabric network needs to communicate with the authentication server. When configuring this, you need to select authentication control points and bind authentication templates to them. In the centralized gateway scenario:

  • If VXLAN across the core and access layers is deployed (that is, there is no extended node under the edge node), the authentication control point for wired user access is typically deployed on the edge node (that is, an access switch). Binding an authentication profile to the interface of an authentication control point on the wired side is performed on the Access Management tab page of the fabric.
  • If VXLAN across the core and aggregation layers is deployed (that is, there are extended nodes under the edge node), the authentication control point for wired user access authentication needs to be deployed on the edge node, and the extended node needs to be specified as the authentication enforcement point through the controller. The preceding configurations are performed on the Access Management tab page of the fabric.
  • The authentication control point for wireless user access is deployed on the WAC, that is, the core switch.

Feature Requirements

  • Only the transparent nodes that have been added to a VXLAN fabric network can be deployed between authentication control points and enforcement points. Otherwise, downstream access switches, which are authentication enforcement points, connected to the transparent nodes cannot be identified by the authentication control points.
  • To configure ports in batches, you need to select the target ports and then click the corresponding buttons on the top of the port list.
  • When an authentication template is configured on an interface of an authentication control point, either IPv4 or IPv6 portal server can be configured.
  • If the authentication control point is a border gateway and Set Connected Device Type is set to VXLAN fabric extended AP, you need to configure routes from the border gateway to edge devices to ensure that iMaster NCE-Campus can access the AP management network. The routes can be automatically learned through dynamic routing protocols or configured as static routes. When a static route is configured through the device CLI or delivered with site configurations from iMaster NCE-Campus, the destination address of the static route must be set to the management IP address of CAPWAP, and the next hop must be set to the VTEP IP address of an edge node.

Prerequisites

  • You have configured authentication templates for extended nodes to access VNs. For details about how to configure an authentication template, see Customizing a LAN Policy Template. In addition, you have enabled the built-in RADIUS server or Portal server in the authentication template. That is, you have enabled iMaster NCE-Campus to function as the RADIUS server or portal server. Alternatively, you have specified a third-party authentication server in the authentication template. In this case, ensure that you have configured network service resources for VXLAN fabric networks.
  • You have performed admission configuration, including configuring user accounts, authentication rules, authorization rules, and authentication results. For details, see Admission Management.
  • For a VXLAN fabric network with distributed gateways, edge nodes have been configured. For a VXLAN fabric network with a centralized gateway, edge and border nodes have been configured.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Fabric Management, and click the Access Management tab.
  2. Select the target VXLAN fabric network on the left, and select an authentication control point. Configure the extended parameters of the authentication control point.

  3. Configure interfaces of the authentication control point.

    In the interface list, click the edit icon next to an interface, set the Connected Device Type and Authentication Template parameters of the interface, and click the confirm icon. For details about how to configure an authentication template, see Customizing Policy Template.

  4. (Optional) Configure the policy for each interface on the authentication enforcement point connected to the authentication control point.

    Before the configuration, click Refresh Execution Point Device List to refresh the status of the authentication enforcement points.

  5. (Optional) Associate a wireless authentication SSID with the desired authentication template. Perform this step if iMaster NCE-Campus functions as an authentication server. Wireless access is configurable only on switches that support the native WAC function. SSIDs need to be configured on the switch's web system and SSID names must be the same as VAP profile names.

    In wireless scenarios, Portal authentication and 802.1X authentication cannot be configured together. Therefore, the authentication template bound to an SSID cannot be configured with both Portal authentication and 802.1X authentication.

  6. Click Apply.
  7. (Optional) When a third-party device needs to be configured as an admission device or portal authentication-free needs to be configured on VXLAN fabric networks, choose Admission > Admission Policy > Online User Control > User Control Policy from the main menu.

    1. On the page that is displayed, click the Portal Authentication-Free Policy tab and click Create to create a Portal authentication-free policy. This Portal authentication-free policy takes effect only when an admission device serves as the authentication point and in VXLAN fabric scenarios.

    2. After the Portal authentication-free policy is configured, click the corresponding button to apply the policy to a user group or user. A user group or user can be bound to only one Portal authentication-free policy. If Portal authentication-free extension is enabled on the Advanced Parameters tab page under Admission > Admission Policy > Admission Settings, this function takes effect in the portal address authentication-free control policy. That is, the portal address authentication-free validity period is extended as configured.

Follow-up Procedure

  • Modify the access management configuration.

    Select the target authentication control point to be modified from the authentication control point list and modify related parameters. To make the modification take effect, click Apply. To cancel the modification, click Cancel.

  • Delete the access management configuration.

    To delete all access management configurations, click Reset.

Parameters

Table 9-571 Parameters on the Access Management page

Parameter

Description

Authentication Control Point

On a VXLAN fabric with distributed gateways, only edge nodes can act as authentication control points. Multiple edge nodes can be configured as authentication control points.

On a VXLAN fabric with a centralized gateway, both edge and border nodes can act as authentication control points.

  • Multiple edge nodes can be configured as authentication control points. Authenticated user access is supported on VXLAN and VLAN networks. Edge nodes must support free mobility. For details about the device models that can function as authentication control points, see Table 9-572.
  • When a border node functions as an authentication control point, only one authentication control point can be configured. Authenticated user access is supported on VLAN networks only, and is unavailable on VXLAN networks. In this case, edge nodes must support VXLAN. For edge nodes that cannot be deployed as enforcement points for policy association, the peer device type cannot be set to Terminal (PC, phone, dumb terminal, non-VXLAN fabric extended switch/AP).

Number of execution point devices

Maximum number of enforcement points that can be connected to the selected authentication control point.

Management VLAN of CAPWAP

Management IP address of CAPWAP

Meaning: VLAN and IP address that an authentication control point (an edge or border node) uses to manage its connected enforcement points (edge or extended nodes).

Constraints:

  • The two parameters are mandatory only when Connected Device Type is set to VXLAN fabric extended AP or VXLAN fabric extended access switch on authentication control points.
  • The two parameters must be both set or both left unset.

Authentication-free rule

Authentication-free network accessible to users before successful authentication.

Constraints:

Only some switch models support authentication-free rules defined based on ACLs, and the models supporting IPv4 ACLs and IPv6 ACLs are different. For details, see the corresponding switch product documentation.

Configure the RADIUS/Portal source IP or source interface

Meaning: Source IP address or source interface used by the authentication control point to communicate with a RADIUS or Portal server.

Constraints:

  • This parameter does not take effect if a third-party RADIUS or Portal server is configured as a network service resource to be connected.
  • This parameter is required when the built-in RADIUS server or Portal server is used and the authentication component is used for authentication.

Connected Device Type

Meaning: Type of the device connected to a port of the authentication control point.

Value range:

  • VXLAN fabric extended AP: Huawei Fit APs that can be managed by iMaster NCE-Campus
  • VXLAN fabric extended access switch: Huawei switches that can be managed by iMaster NCE-Campus
  • Terminal (PC, dumb terminal, and non-VXLAN fabric extended switch/AP): The client can be a terminal, or a switch or AP that cannot be managed by iMaster NCE-Campus. It can also be a switch that is managed by iMaster NCE-Campus but not added to the VXLAN fabric.

Authentication Template

Meaning: Template that specifies the authentication mode used by a port on the authentication control point.

Constraints:

When a bypass policy template with an IPv6 ACL defined is configured in an authentication template, the configuration will fail to be delivered if the authentication control point that uses the authentication template does not support IPv6 ACLs. For details about the switch models that support IPv6 ACLs, see the corresponding switch product documentation.

Authentication Mode

Set Uplink Port

Constraints: If the control point is not directly connected to its upper-level device, you need to manually specify the uplink port.

Inherit Authentication Template on Control Point Port

After this parameter is enabled, ports of enforcement point devices connected to a control point device inherit the authentication profile of the connected control point device port.

SSID

SSID used for wireless authentication.

Authentication profile

Authentication profile to be bound to the SSID for wireless authentication.

Supported Device Types

The following table lists the models of the devices that can be configured as authentication control points and enforcement points.

Table 9-572 Device models (Device Function > Device Type: Device Model)

Authentication control point

  • S12700: S12704, S12708, S12712, S12710
  • S12700E: S12700E-4, S12700E-8, S12700E-12
  • S7700: S7703, S7706, S7710, S7712
  • S5700: S5720HI, S5730-HI, S5731-H, S5731-H-K, S5731S-H, S5732-H, S5732-H-K
  • S6700: S6720-HI, S6730-H, S6730-H-K, S6730S-H, S6730-S, S6730S-S, S6720S-SI, S6720-SI, S6720-EI, S6720S-S

Authentication enforcement point

  • S1700: S1730S-H
  • S2700: S2720-EI
  • S5700: S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-SI, S5730S-EI, S5720-EI, S5730-HI, S5731-H, S5731-H-K, S5731-S, S5731S-H, S5731S-S, S5732-H, S5732-H-K, S5720I-SI
  • S6700: S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6730-H, S6730-H-K, S6730S-H, S6730-S, S6730S-S
  • S600-E: S600-E

Managing VXLAN Fabric Networks in List Mode

Prerequisites

A VXLAN fabric network has been created.

Context

In the VXLAN fabric list mode, you can view basic device information, change network links, set device roles, add or delete devices, and set the default egress device on VXLAN fabric networks.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Fabric Management, and click the Network Management tab.
  2. Click in the upper right corner to enter the list mode.

    Click Add Device. Select devices to be added and set the related parameters as planned.

    For an online device, you can click the device name to view the device status. You can also lock the device's configuration, reboot the device, and log in to the device CLI.

    • The web UI display varies according to the device.
    • Through iMaster NCE-Campus, you can log in to the web systems of firewalls, ARs, WACs, and switches with native WACs only. The web systems of a maximum of 20 devices can be open at the same time.
    • If you open the web system of a device through the Device Configuration function and then open the web system of another device, the session information of the first device is overwritten and you are logged out from the web system of the first device. This is because different devices use the same IP address to forward sessions using SSH. If you need to open the web systems of two devices at the same time, open a private (incognito) browser window or use another browser to log in to iMaster NCE-Campus, and then log in to the web system of the devices.

  3. Delete devices.

    Select one or more devices to be deleted and click Delete. Alternatively, to delete a device, click next to the device.

    A device cannot be deleted if the device has been deployed with services, such as extended access, network service resource, external gateway, and VN services. Before deleting a device, delete the network services deployed on the device in the following sequence: VN interworking > VN > network service resource > external network > access management service.

  4. Change the role of a device to border, trans, edge, or access.

    Select one or more devices to be modified, click Set Role, and select a value from the drop-down list box.

    The role of a device cannot be changed if the device has been deployed with services, such as extended access, network service resource, external gateway, and VN services.

    On a VXLAN fabric network with a centralized gateway, only one border node can be deployed, along with multiple extended and edge nodes. On a VXLAN fabric network with distributed gateways, a maximum of eight border nodes can be deployed, along with multiple extended, transparent, and edge nodes.

  5. Configure source interfaces for sending BGP packets.

    Select one or more devices to be modified and click Set BGP Source Interface. In the displayed dialog box, select the connection interface type (loopback or VLANIF interface), enter the interface number, and click OK.

    After automatic orchestration of routing domains is enabled, the source interfaces for sending BGP packets cannot be set.

    The source interface cannot be changed if the device has been deployed with services, such as extended access, network service resource, external gateway, and VN services.

  6. Configure the default egress device.

    Select one or more edge nodes and choose More > Set Default Egress Device. In the dialog box that is displayed, select a border node as the default egress device and click OK. With multiple border nodes deployed on a VXLAN fabric network, if you want to configure active and standby egresses for the network, you need to set the default egress device and set the forwarding mode to Active/standby egress devices when creating a VXLAN fabric network.

  7. Change the RR.

    To enable or disable the RR function, click the RR icon corresponding to the device.

    • On a VXLAN fabric network with a centralized gateway, only one device can be configured as an RR. On a VXLAN fabric network with distributed gateways, a maximum of two devices can be configured as RRs. In both scenarios, the role of RRs cannot be set to access.
    • If the RR function is disabled, all basic BGP configurations are deleted from the device, and administrators need to reconfigure them using the CLI.

  8. Redeliver configurations.

    If Domain Name-Supported Policy Configuration Status, BGP Pre-configuration Status, or Configuration Status of the Terminal Identification Channel of a device does not display success, select the device and click Redeliver to redeliver configurations.

  9. Change a link.

    After VXLAN fabric services are deployed, if physical links change (for example, a port is faulty or the network plan is adjusted), you can update the links of a VXLAN fabric in any of the following ways: click Change Link in the upper left corner; click to display the VXLAN fabric list and then click on the right of the desired VXLAN fabric name; or click in the topology view. The controller also supports automatic update of the physical network and services on VXLAN fabric networks. Link changes are supported only in the following scenarios:

    • Port fault: The ports at one end or both ends of the link change.
    • Bandwidth expansion: Member interfaces are added to an existing Eth-Trunk for capacity expansion. Links automatically change in this scenario. You do not need to manually change links. When a physical interface is added to an Eth-Trunk interface, a link change needs to be deployed. If services have been configured on this physical interface, after the link change, another physical interface is used to set up an Eth-Trunk interface and services are migrated to the Eth-Trunk interface.

      The link change function is supported only in the port change scenario. When devices on both sides of a link are changed, for example, a device is replaced or faulty, the link change function is unavailable.

      If a port is faulty or the capacity of a link is expanded, click to update links on the VXLAN fabric network and then configure VXLAN fabric services as needed.

Managing VXLAN Fabric Networks in Topology Mode

Application Scenario

iMaster NCE-Campus can display a VXLAN fabric network in a topology. Users can add devices, change links, set device roles, and view the following information: configuration status, dynamic routes, external networks, network service resources, NQA test instances, multicast information, device interfaces, and network services.

Feature Requirements

  • Currently, two devices can be connected through only one logical link.
  • In some scenarios, to increase the bandwidth between two devices or increase the reliability, you need to connect two devices through more than one physical link. In this case, you need to add the interfaces on the local device to an Eth-Trunk interface, and those on the peer device to another Eth-Trunk interface, and set up an Eth-Trunk between the two devices.
  • After interfaces on the local and peer device are added to an Eth-Trunk interface, respectively, if the devices are online, you can click the device names to go to the device details page, and perform interface configuration synchronization and link discovery on the interface list page and link management page, respectively.

Context

In a topology, you can obtain the icon meanings on the right. Pay attention to the following:

  • A device with in the lower right corner of the device icon is displayed on the current page. If there are a large number of devices in a VXLAN fabric network, the devices are displayed on multiple pages in the topology. By default, a maximum of 20 devices and their upper-level devices can be displayed on a single page. You can change the maximum number of devices that can be displayed per page as needed.
  • If an AP is directly connected to a device, is displayed in the upper left corner of the device icon, and the number in the circle indicates the number of directly connected APs.
  • In a VXLAN fabric network, the switches that can be managed include physical switches and stacks. A stack combines multiple stacking-capable switches into a logical switch. Stacking technology provides high network reliability and forwarding performance, and simplifies network management.
  • You can tune the topology structure as required, and then click on the right to save the modification.

Prerequisites

A VXLAN fabric network has been created and devices have been added to the VXLAN fabric network.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Fabric Management, click to select a VXLAN fabric network from the drop-down list box, and click the Network Management tab.
  2. Click in the upper right corner to enter the topology mode.
  3. Click Add Device. Select devices to be added and set the related parameters as planned.
  4. Change the device role.

    Right-click the device to be configured and choose Set as Core, Set as Trans, Set as Edge, or Set as Extended from the shortcut menu.

  5. Create an NQA test instance.

    • Currently, an NQA test instance can be created only in the default VRF to probe public addresses.
    • If an NQA test instance is started, the NQA configuration cannot be modified.
    • Ensure that the NQA license of the related device has been activated. Some devices may require additional NQA licenses.

    When configuring an NQA test instance, you need to configure a separate probe path for this instance by creating an external network that uses a Layer 3 shared egress and the default VRF.

    1. Select the egress type for the fabric network to connect to an external network.

      Choose Provision > Virtual Network > VXLAN Fabric Management. On the Network Management tab page of Tenant_Fabric, click the edit button next to External Network and then click Create.

      In the Create External Network page that is displayed, select L3 shared egress and click OK.

    2. Configure basic information for interconnection between the fabric and the external network.

      In this example, set Name, toggle on Use default VRF, and click Next.

    3. Configure the port and IP address for the fabric network to connect to the external network.

      Click Add next to Interconnection port and configure an interconnection port. After the configuration is complete, click OK and then Next.

    4. Configure a route from the fabric network to the external network.

      Click Create and specify the destination IP address and the next-hop IP address.

      Set Association Type to NQA, click , and click Create to create an NQA test instance. In the Create NQA page that is displayed, set Destination IP to the IP address to be detected and set Next-hop IP Address to the peer address of the interconnection port configured for the external network. Click OK.

      Click OK.

    5. Create a VN and bind it to the created external network.

      Choose Provision > Virtual Network > VXLAN Virtual Network. On the VN Configuration tab page, click Create to create a VN and bind it to an external network. For details, see Configuring a VN.

  6. Configure a route monitoring group.

    When there are two or more egresses on a network, if the active egress fails, all traffic can be transmitted through the standby egress with a lower priority. To implement network backup, you can associate routes with NQA test instances and route monitoring groups to quickly detect link faults. After an NQA instance detects a link fault, the corresponding routes will be deleted from the IP routing tables on the devices bound to the NQA instance. Then, service traffic is switched to a route without a link fault, preventing lengthy service interruptions.

    Choose Provision > Virtual Network > VXLAN Fabric Management, click to select a VXLAN fabric from the Fabric drop-down list box, and click on the right of Route Monitoring. On the Route Monitoring page that is displayed, click the Route Monitoring Group tab and click Create. Set related parameters and select the created NQA test instance. After the configuration is complete, click OK.

    IPv6 NQA test instances cannot be associated with route monitoring groups.

Related Operations

  1. Check interface information and network configuration of devices on a VXLAN fabric network.

    In the topology view, click the desired device and click the Interface Information tab. The interface information and network configuration of the selected device are then displayed, including the authentication mode, VLAN, and logical network settings. Currently, interface and multicast information about transparent nodes cannot be displayed.

  2. Check multicast information about a device on a VXLAN fabric.

    Click the desired device and click the Multicast Information tab. The multicast information about the selected device is then displayed, including multicast member ports, multicast router ports, and multicast statistics.

    • Click Start to obtain all multicast information about the selected device.
      • Multicast information can be obtained only when Report performance data is enabled. This function is enabled by default. To enable this function, choose Monitoring > Monitoring Settings > Monitoring Settings > HTTP, select Switch, and enable Report performance data next to CloudCampus.
      • After you click Start to obtain multicast information from a device, if complete information is not displayed after six minutes, the obtaining request times out.
      • Only one request for multicast information can be in progress on a device at a time, and multicast information can be collected from a maximum of two devices under a tenant at the same time. While the system is collecting multicast member port information, multicast router port information, or multicast statistics from a device, you cannot perform other operations on that device, including the reset operation.
      • Multicast information on devices may be different from that obtained by the controller. If this occurs, compare information on the devices and controller to figure out the differences.

    • Click Filter under Multicast Group Member Port to filter multicast group member ports by VLAN or BD. You can also query multicast member ports by the Group-address field.

    • Click Filter under Multicast Router Port to filter multicast router ports by VLAN or BD.

    • Click Filter under Multicast Statistics to filter multicast statistics by VLAN or BD.

    • Click Reset All under Multicast Statistics to clear multicast statistics in all VLANs or BDs from the selected device. Alternatively, click to clear multicast statistics in a specific VLAN or BD. To obtain the latest multicast statistics, click Start.

      After you click Reset All, the existing multicast statistics on the device are cleared and cannot be restored. Therefore, exercise caution when performing this operation.

  3. View the AP list of an access device.

    In the topology view, right-click an access device and choose View AP from the shortcut menu to view the APs connected to the selected access device.

  4. Set device roles.

    In the topology view, you can right-click a device and set a role for the selected device.

  5. View dynamic routes.

    In the topology view, you can right-click a device and choose View Dynamic Routes from the shortcut menu to view dynamic routes of the device.

Parameters

Table 9-573 Route monitoring parameters (Parameter: Description)

NQA

  • Device: Device on which an NQA test instance is configured.
  • Name: Name of the NQA test instance.
  • IP type: IP address type on the network. Both IPv4 and IPv6 addresses are supported.
  • Destination IP: Destination IP address of the NQA test instance.
  • Next hop IP: Next-hop IP address of the NQA test instance.
  • Number of sent packets: Number of probes sent in each run of the NQA test instance. The value is an integer in the range from 1 to 15. The default value is 3.
  • Packet sending interval (s): Interval at which probe packets are sent in an NQA test instance. The value is an integer in the range from 1 to 60, in seconds. The default value is 4.
  • Timeout (s): Timeout period of a single probe in an NQA test instance. The value is an integer in the range from 1 to the value of Packet sending interval, in seconds. The default value is 3.
  • Probe frequency (s): Interval at which the NQA test instance is automatically executed. The value is an integer in the range from ((Number of sent packets - 1) x Packet sending interval + Timeout + 1) to 604800, in seconds. The default value is 15.

Route Monitor Group

  • Device: Device on which a route monitoring group is configured.
  • Name: Name of the route monitoring group.
  • Description: Description of the route monitoring group. The value is a string of 0 to 80 characters and can contain letters, digits, spaces, underscores (_), ampersands (&), number signs (#), asterisks (*), left parentheses ((), right parentheses ()), colons (:), at signs (@), tildes (~), plus signs (+), equal signs (=), and hyphens (-).
  • NQA: NQA test instance bound to the route monitoring group.
    NOTE: IPv6 NQA instances are not supported.
  • Routing relationship: Relationship between the NQA test instances to be tracked. The relationship can be:
    • OR: A link switchover is performed only when all links monitored by NQA test instances in the route monitoring group fail.
    • AND: A link switchover is performed as soon as the link monitored by any NQA test instance in the route monitoring group fails.
  • Handover delay (second): Delay before traffic is switched from the faulty link to the backup link. The value is an integer in the range from 0 to 1000, in seconds. The default value is 0.
  • Switchback delay (second): Delay before traffic is switched back after the fault is rectified. The value is an integer in the range from 0 to 1000, in seconds. The default value is 5.
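The NQA and route monitoring group parameters above, as an added example that is not part of the guide or of the controller's code: a small model that checks the value ranges and the Probe frequency lower bound stated in Table 9-573, rejects IPv6 instances bound to a group, and applies the OR/AND switchover rule together with the handover and switchback delays. The class names, method names, and sample values are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_PROBE_FREQUENCY = 604800  # upper bound of Probe frequency (s) in Table 9-573

# Characters allowed in a route monitoring group description (Table 9-573):
# letters, digits, spaces and _ & # * ( ) : @ ~ + = -
_DESC_RE = re.compile(r"^[A-Za-z0-9 _&#*():@~+=-]{0,80}$")


@dataclass
class NqaInstance:
    """One NQA test instance with the defaults given in the table."""
    name: str
    ip_type: str = "IPv4"   # "IPv4" or "IPv6"
    sent_packets: int = 3   # Number of sent packets, 1..15
    interval_s: int = 4     # Packet sending interval (s), 1..60
    timeout_s: int = 3      # Timeout (s), 1..interval_s
    frequency_s: int = 15   # Probe frequency (s), min_frequency()..604800

    def min_frequency(self) -> int:
        # Lower bound from the table: (sent packets - 1) x interval + timeout + 1
        return (self.sent_packets - 1) * self.interval_s + self.timeout_s + 1

    def validate(self) -> list[str]:
        """Return the constraint violations (empty when the instance is valid)."""
        errors = []
        if not 1 <= self.sent_packets <= 15:
            errors.append("sent_packets must be in 1..15")
        if not 1 <= self.interval_s <= 60:
            errors.append("interval_s must be in 1..60")
        if not 1 <= self.timeout_s <= self.interval_s:
            errors.append("timeout_s must be in 1..interval_s")
        low = self.min_frequency()
        if not low <= self.frequency_s <= MAX_PROBE_FREQUENCY:
            errors.append(f"frequency_s must be in {low}..{MAX_PROBE_FREQUENCY}")
        return errors


@dataclass
class RouteMonitorGroup:
    """A route monitoring group bound to one or more NQA test instances."""
    name: str
    relationship: str                 # "OR" or "AND"
    instances: list[NqaInstance] = field(default_factory=list)
    description: str = ""
    handover_delay_s: int = 0         # 0..1000
    switchback_delay_s: int = 5       # 0..1000

    def validate(self) -> list[str]:
        errors = []
        if self.relationship not in ("OR", "AND"):
            errors.append("relationship must be OR or AND")
        if not _DESC_RE.match(self.description):
            errors.append("description is too long or has disallowed characters")
        for attr in ("handover_delay_s", "switchback_delay_s"):
            if not 0 <= getattr(self, attr) <= 1000:
                errors.append(f"{attr} must be in 0..1000")
        for inst in self.instances:
            if inst.ip_type == "IPv6":
                errors.append(f"{inst.name}: IPv6 NQA instances cannot be bound")
            errors.extend(f"{inst.name}: {e}" for e in inst.validate())
        return errors

    def switchover_required(self, link_up: dict[str, bool]) -> bool:
        """Apply the Routing relationship rule to the latest probe results.

        link_up maps an NQA instance name to True when its probe succeeded
        (a missing instance counts as failed).
        OR : switch over only when every monitored link has failed.
        AND: switch over as soon as any monitored link fails.
        """
        failed = [not link_up.get(inst.name, False) for inst in self.instances]
        return all(failed) if self.relationship == "OR" else any(failed)

    def traffic_on_backup(self, link_up: dict[str, bool],
                          seconds_since_change: int,
                          currently_on_backup: bool) -> bool:
        """Decide where traffic is once the handover/switchback delays apply.

        seconds_since_change is the time since the probe results last changed.
        """
        if self.switchover_required(link_up):
            # Fault present: move to backup only after the handover delay.
            return currently_on_backup or seconds_since_change >= self.handover_delay_s
        # Fault cleared: stay on backup until the switchback delay has passed.
        return currently_on_backup and seconds_since_change < self.switchback_delay_s
```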

VXLAN Virtual Network Configuration

Configuring the Default VN

Application Scenario

Unauthenticated users can access the default VN temporarily in the following scenarios:

  • Before authentication, an end user accesses the default VN to apply for a temporary IP address. During portal authentication, the authentication server needs to obtain the user's temporary IP address to push the Portal page to the user. After the authentication succeeds, the end user is connected to a service VN.
  • Pre-authentication resources need to be deployed together with the authentication-free function. For example, resources such as the FTP server for downloading 802.1X clients can be deployed in the default VN to ensure that unauthenticated users can access the FTP server.

Prerequisites

  • Before managing the default VN, you must have the corresponding management permission. The permission can be assigned when a tenant administrator is created, and can be modified after the role is created. The permission assigned for a tenant administrator can be either of the following:
    • Permission to manage all sites in the system
    • Permission to manage a specific default VN

    The default tenant administrator is the first tenant administrator created in the system and has the permission to manage all VNs.

  • A VXLAN fabric network has been created and related configurations have been performed.

Context

  • A VXLAN fabric network supports only one default VN.
  • The default VN supports the following network types:
    • VXLAN fabric network with a centralized gateway: Virtualized VXLAN and traditional VLAN
    • VXLAN fabric network with distributed gateways: Virtualized VXLAN
  • You can set the service gateway location in the default VN to Outside the VXLAN fabric based on the users' requirements of Layer 2 VN access before authentication.
  • You can set the service gateway location in the default VN to Inside the VXLAN fabric based on the users' requirements of Layer 3 VN access before authentication.

Procedure

  1. Choose Provision > Virtual Network > Logical Network and click the VN Configuration tab.
  2. Select a VXLAN fabric network on the left and click next to Default VN. Then, modify VN parameters on the page that is displayed.
  3. Configure the network type of the default VN.

    In the centralized gateway scenario, if VLAN networking is toggled on when you create a fabric network, the Network technology parameter is available on the current page and you can set this parameter to Virtualized VXLAN or Traditional VLAN as needed.

  4. (Optional) Set External network. To create, modify, or delete an external gateway, click .
  5. (Optional) Set Network service resources. To create, modify, or delete a network service resource, click .
  6. Click Next and configure the user gateway.

    Click Manually Specified and set subnet parameters. Determine whether to enable the DHCP snooping, mDNS snooping, IPSG, and DAI functions. After the configuration is complete, click OK.

    • For the VLAN type of the default VN, only static VLANs are supported.
    • The default VN configuration will be delivered to the access interfaces configured with authentication and their uplink authentication control points. The authentication mode on access interfaces is configured on the Access Management page.

  7. Click Apply.

Parameters

Table 9-574 Default VN parameters (Parameter: Description)

  • Network technology: Network type of the default VN. Virtualized VXLAN and Traditional VLAN are both available only on VXLAN fabric networks with a centralized gateway.
  • User gateway location: Location of the service gateway of the default VN.
    • To allow Layer 2 VN access, set this parameter to Outside the VXLAN fabric.
    • To allow Layer 3 VN access, set this parameter to Inside the VXLAN fabric.
  • User-defined VRF name: Name of the VPN instance delivered to the device. If this parameter is not set, iMaster NCE-Campus automatically generates a value.
  • External network: External gateway of the default VN. This parameter needs to be set if users within the VN need to access the external network.
  • Network service resources: Network service resources accessible to the default VN. This parameter needs to be set if users in the VN need to use resources such as a DHCP or RADIUS server. It needs to be set only when the tenant network is a Layer 3 network.

User gateway

  • Name: Name of the user gateway.
  • VLAN Type: Currently, only Static VLAN is supported.
  • VLAN: VLAN ID of the user gateway.
  • IP Type: Type of the IP address. The value can be IPv4 or IPv6.
  • IPv4 subnet (when IP Type is IPv4): Subnet IP address and mask.
  • IPv4 gateway address (when IP Type is IPv4): Gateway IP address of the subnet.
  • IPv6 subnet (when IP Type is IPv6): Subnet IP address and mask.
  • IPv6 gateway address (when IP Type is IPv6): Gateway IP address of the subnet.
  • DHCP: Mode in which the DHCP server assigns IP addresses to users in the subnet.
    • When the network type is L3 VXLAN, the DHCP mode can be DHCP relay.
    • When the network type is L3 VLAN, the DHCP mode can be DHCP server or DHCP relay.
  • DHCP Snooping: Whether to enable DHCP snooping for BDs or VLANs on the subnet. This function applies only to wired access users and allows users to go online only on user-side devices, not on tunnel-side devices. After DHCP snooping is enabled, a DHCP client can obtain an IP address only from a valid DHCP server. In addition, DHCP snooping-enabled devices record the mappings between IP addresses and MAC addresses of DHCP clients in a DHCP snooping binding table, which is used to prevent DHCP attacks. This function needs to be enabled if terminal identification is required.
  • mDNS Snooping: Whether to enable mDNS snooping for BDs or VLANs on the subnet. This function needs to be enabled if terminal identification is required.
  • ND Snooping: Whether to enable ND snooping for BDs or VLANs on the subnet. This function can effectively defend against ND attacks.
  • IPSG: Whether to enable IP Source Guard (IPSG). IPSG can be enabled only after DHCP snooping is enabled. After IPSG is enabled, devices check IP packets against the DHCP snooping binding table to defend against IP address and MAC address spoofing attacks.
  • DAI: Whether to enable Dynamic ARP Inspection (DAI). DAI can be enabled only after DHCP snooping is enabled. After DAI is enabled, the device compares the source IP address, source MAC address, interface number, BD, and VLAN ID of each ARP packet with the entries in the DHCP snooping binding table. If the ARP packet matches a binding entry, the device considers it valid and forwards it; otherwise, the device considers it invalid and discards it.
  • Description: Description of the VLAN.
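The DHCP snooping, IPSG, and DAI behaviour described in the table above, as an added example that is not from the guide or from the device software: a simplified binding table that is populated only from DHCP replies arriving on trusted ports, the IPSG and DAI lookups against that table, and the dependency rule that IPSG and DAI require DHCP snooping. The class names, the MAC and IP addresses, and the interface names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: the client MAC, the IP address the DHCP
    server leased to it, and where the client is attached (interface, VLAN,
    and BD on a VXLAN subnet; bd is None on a plain VLAN subnet)."""
    mac: str
    ip: str
    interface: str
    vlan: int
    bd: int | None = None


@dataclass(frozen=True)
class Packet:
    """The fields of an incoming packet that IPSG (IP packets) and DAI (ARP
    packets) compare with the binding table; for ARP these are the sender
    MAC and sender IP."""
    src_mac: str
    src_ip: str
    interface: str
    vlan: int
    bd: int | None = None


class SnoopingTable:
    """Binding table built by DHCP snooping and consulted by IPSG and DAI."""

    def __init__(self) -> None:
        self._entries: set[Binding] = set()

    def learn_from_dhcp_ack(self, from_trusted_port: bool, client_mac: str,
                            leased_ip: str, client_interface: str,
                            vlan: int, bd: int | None = None) -> bool:
        """DHCP snooping trusts server replies only on trusted (uplink) ports;
        an ACK seen on an untrusted port is discarded so that a rogue DHCP
        server cannot plant bindings. Returns True when a binding was added."""
        if not from_trusted_port:
            return False
        self._entries.add(Binding(client_mac.lower(), leased_ip,
                                  client_interface, vlan, bd))
        return True

    def matches(self, pkt: Packet) -> bool:
        """True when source MAC, source IP, interface, VLAN and BD all match
        one binding entry (the comparison the table describes for DAI)."""
        return Binding(pkt.src_mac.lower(), pkt.src_ip, pkt.interface,
                       pkt.vlan, pkt.bd) in self._entries


def ipsg_permits(table: SnoopingTable, ip_pkt: Packet) -> bool:
    """IPSG: forward an IP packet only if its source IP/MAC pair on this
    interface and VLAN was learned by DHCP snooping; otherwise drop it, which
    defeats IP address and MAC address spoofing."""
    return table.matches(ip_pkt)


def dai_permits(table: SnoopingTable, arp_pkt: Packet) -> bool:
    """DAI: an ARP packet whose sender fields do not match a binding entry is
    treated as invalid and discarded."""
    return table.matches(arp_pkt)


@dataclass
class SubnetSecurity:
    """The toggles of the user gateway dialog and the dependency rule the
    table states: IPSG and DAI can be enabled only with DHCP snooping."""
    dhcp_snooping: bool = False
    mdns_snooping: bool = False
    ipsg: bool = False
    dai: bool = False

    def problems(self) -> list[str]:
        out = []
        if self.ipsg and not self.dhcp_snooping:
            out.append("IPSG requires DHCP snooping")
        if self.dai and not self.dhcp_snooping:
            out.append("DAI requires DHCP snooping")
        return out


def build_sample_table() -> SnoopingTable:
    """Constructed sample data (not from the guide): one lease learned from a
    reply on the trusted uplink, one rejected because it arrived on an
    untrusted access port."""
    table = SnoopingTable()
    table.learn_from_dhcp_ack(True, "00:11:22:33:44:55", "10.1.1.10", "GE0/0/1", 100)
    table.learn_from_dhcp_ack(False, "00:11:22:33:44:66", "10.1.1.11", "GE0/0/2", 100)
    return table
```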

Configuring a VN

Fundamentals

VXLAN enables a virtual network to provide access services for numerous tenants, and allows tenants to plan their own virtual networks, not limited by the physical network IP addresses or broadcast domains. As a result, network management is greatly simplified.

The VXLAN technology may be used to construct a Layer 2 virtual network on an existing Layer 3 network to implement Layer 2 communication between VMs. The following figure shows communication on a VXLAN network.

Application Scenario

iMaster NCE-Campus allows administrators to create VNs on a VXLAN fabric network. Different VNs carry different tenant services, thereby implementing service isolation between tenants. For example, if the tenant is a university, separate VNs can be created for the faculty of computer science and the faculty of finance and economics.

Prerequisites

  • Before managing the default VN, you must have the corresponding management permission. You can assign rights to a tenant administrator when creating the account, or modify the rights of a tenant administrator after the account is created. Administrators can have either of the following rights:
    • Permission to manage all sites
    • Permission to manage a specific VN

    The default tenant administrator is the first tenant administrator created in the system and has the permission to manage all VNs.

  • A VXLAN fabric network has been created and related configurations have been performed.
  • Before performing extended access configuration for a VXLAN fabric, you need to configure a default VN if the VXLAN fabric contains a device port whose authentication profile uses Portal authentication, or if users are allowed to access network resources before being authenticated.

Feature Constraints and Limitations

  • A single tenant supports a maximum of 4000 VLAN pools. A single VXLAN fabric network supports a maximum of 1000 VLAN pools. A single VN supports a maximum of 32 VLAN pools. A single VLAN pool supports a maximum of 128 VLANs.
  • VNs support the following network types:
    • VXLAN Fabric network with a centralized gateway: Virtualized VXLAN and traditional VLAN
    • VXLAN Fabric network with distributed gateways: Virtualized VXLAN
  • You can set the gateway location in the default VN to Outside the VXLAN Fabric based on the users' requirements of Layer 2 VN access before authentication.
  • You can set the gateway location in the default VN to Inside the VXLAN Fabric based on the users' requirements of Layer 3 VN access before authentication.
  • To connect a dual-border VXLAN fabric network to an external network of the Layer 3 exclusive egress type, you need to configure two VNs and bind them to two external gateways.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Virtual Network and click the VN Configuration tab.
  2. Select the target VXLAN fabric network on the left and click Create.
  3. In the Create area, set the VN name.
  4. Configure the network type of the VN.

    Figure 9-184 Configuring a VN on a VXLAN fabric network with a centralized gateway
    Figure 9-185 Configuring a VN on a VXLAN fabric network with distributed gateways

  5. (Optional) Set Network service resources. To create, modify, or delete a network service resource, click .
  6. (Optional) Set External network. To create, modify, or delete an external network, click .
  7. Click Next and configure the user gateway.

    • Automatic creation: Click Automatic, and enter the number of subnets, subnet mask, and start IP address. Click OK.
      • Only VN subnets can be automatically created.
      • If a VN is assigned to a voice VLAN, the CDP function is enabled by default on the devices in the VN. If you need to configure interfaces that have joined the voice VLAN on the devices, choose Provision > Physical Network > Site Configuration from the main menu and choose Switch > Interface > Physical Interface from the navigation pane to enable the CDP function on the iMaster NCE-Campus web UI.
      • If a VN is assigned to a VLAN pool, enter or set VLAN Pool Name. A single VN supports a maximum of 32 VLAN pools. On the VN Configuration tab, click VLAN Pool Management to create a VLAN pool or modify VLAN pool parameters.
    • Manual creation: Click Manual and set parameters. Click .

  8. Configure wired client access.

    1. Click .
    2. Set the service name, service access type, and the site involved in the service. A maximum of 50 devices can be added to a service group, and a maximum of 2000 ports can be configured in batches at a time.
    3. Under Port List, set the authorization mode of service access ports.
    4. Click OK.

  9. Configure wireless client access.

    1. Click Create.
    2. Select the site involved in the service.
    3. Under Port List, select the devices to be added to the VN.
    4. Click OK.

    If the VXLAN fabric configuration conflicts with the device configuration in the site configuration, the VXLAN fabric network may fail to be deployed. For details about the conflicting devices and conflict causes, see the conflicting device and conflicting path in the prompt information.

  10. Click Apply.

Follow-up Procedure

  • Check the topology of a VN.

    Move the cursor over the icon of the target VN and click to view the VN topology.

  • Check VN details.

    Move the cursor over the icon of the target VN and click to view the configuration details.

  • Modify a VN.

    Move the cursor over the icon of the VN to be modified, click , and modify VN parameters on the page that is displayed.

  • Delete a VN.

    Move the cursor over the icon of the VN to be deleted and click to delete it.

  • Manage VLAN pools.

    Click VLAN Pool Management to create or modify a VLAN pool.

Parameters

Table 9-575 VN parameters

Parameter

Description

Name

VN name.

User gateway location

Service gateway of the VN.

  • To allow Layer 2 VN access, set this parameter to Outside the VXLAN fabric.
  • To allow Layer 3 VN access, set this parameter to Inside the VXLAN fabric.

User-defined VRF name

VRF name of a VN. The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces or question marks (?).

External network

External gateway of a VN. This parameter needs to be set if the users within the VN need to access the external network.

Network service resources

Network service resources of a VN. This parameter is configurable when users in the VN need to use the DHCP service or other servers. Multiple network service resources can be selected. However, two or more DHCP servers cannot be selected simultaneously.

User gateway (Automatic Allocation)

Name

When a subnet is automatically created, the rule for generating the subnet name is as follows:

  • IPv4: user_V4_dyn_192_192_192_192
  • IPv6: user_V6_dyn_FC00_0000_130F_0000_0000_09C0_876A_130B
  • IPv4&IPv6: user_V4&V6_dyn_192_192_192_192

In the preceding information, dyn indicates the VLAN type, and 192_192_192_192 and FC00_0000_130F_0000_0000_09C0_876A_130B indicate the gateway address.

Number of subnets

Number of subnets to be automatically created. After you set the number of subnets to create, subnet mask, and start address, iMaster NCE-Campus will automatically deliver the subnet configuration.

IP Type

Type of an IP address. The value can be IPv4 or IPv6.

IPv4/IPv6 subnet mask

Subnet mask.

Start IPv4 address/Start IPv6 address

Start IP address of a subnet.

VLAN type

VLAN type. The options include:
  • VLAN Pool: A VLAN pool is a set of VLANs designed to simplify network deployment. This option applies to user authentication and authorization. The administrator plans VLANs for users in a VN as a VLAN pool. After users are successfully authenticated and authorized, switches allocate VLANs to the users from the VLAN pool.
  • Dynamic VLAN: VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic VLANs will not be statically allocated to device interfaces to which users connect.
  • Static VLAN: VLANs are assigned based on interfaces. Users access a VXLAN fabric through untagged or tagged VLANs. Only this option can be used when standalone WACs are deployed or in local forwarding scenarios.
  • Voice VLAN: Voice VLANs are used exclusively to forward voice packets.
  • Dynamic voice VLAN: Voice VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic voice VLANs will not be statically allocated to device interfaces to which users connect.

VLAN pool name

This parameter needs to be set when VLAN type is set to VLAN Pool.

Start VLAN ID

Start VLAN ID of a subnet.

DHCP

Mode in which the DHCP server automatically assigns IP addresses to users on the subnet. When the service gateway is inside the VXLAN fabric:

  • The DHCP mode can be DHCP relay if Network technology is set to Virtualized VXLAN.
  • The DHCP mode can be DHCP server or DHCP relay if Network technology is set to Traditional VLAN.

DHCP Snooping

Whether to enable DHCP snooping for BDs or VLANs on the subnet. This function applies only to wired access users and allows users to go online only on user-side devices, not on tunnel-side devices. After DHCP snooping is enabled, a DHCP client can obtain an IP address from a valid DHCP server. In addition, DHCP snooping-enabled devices record mappings between IP addresses and MAC addresses of DHCP clients, and generate a DHCP snooping binding table to prevent DHCP attacks. This function needs to be enabled if terminal identification is required.

mDNS Snooping

Whether to enable mDNS snooping for BDs or VLANs on the subnet. This function needs to be enabled if terminal identification is required.

ND Snooping

Whether to enable ND snooping for BDs or VLANs on the subnet. This function can be enabled only when IP Type is set to IPv6, and it effectively defends against ND attacks.

IPSG

Whether to enable IPSG. IPSG can be enabled only after DHCP snooping is enabled. After IPSG is enabled, devices check IP packets against the DHCP snooping binding table to defend against attacks such as IP spoofing and MAC spoofing.

DAI

Whether to enable Dynamic ARP inspection (DAI). DAI can be enabled only after DHCP snooping is enabled. After DAI is enabled, the device compares the source IP address, source MAC address, interface number, BD, and VLAN ID of an ARP packet with entries in the DHCP snooping binding table. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. Otherwise, the device considers the ARP packet invalid and discards the packet.

VLAN redistribution

The VLAN redistribution function can be enabled only after DHCP snooping is enabled. After the VLAN redistribution function is enabled, the VLANs in the VLAN pool can be reallocated.

User gateway (Manually Specified)

Name

Subnet name. When you create a subnet manually, the value is a string of 1 to 128 case-sensitive characters without spaces and question marks (?).

VLAN Type

VLAN type.
  • VLAN pool: A VLAN pool is a set of VLANs designed to simplify network deployment. This option applies to user authentication and authorization. The administrator plans VLANs for users in a VN as a VLAN pool. After users are successfully authenticated and authorized, switches allocate VLANs to users from the VLAN pool.
  • Dynamic VLAN: VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic VLANs will not be statically allocated to device interfaces to which users connect.
  • Static VLAN: VLANs are assigned based on interfaces. Users access a VXLAN fabric through untagged or tagged VLANs. Only this option can be used when standalone WACs are deployed or in local forwarding scenarios.
  • Voice VLAN: Voice VLANs are used exclusively to forward voice packets.
  • Dynamic voice VLAN: Voice VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic voice VLANs will not be statically allocated to device interfaces to which users connect.

VLAN pool name

This parameter needs to be set when VLAN type is set to VLAN Pool.

VLAN

VLAN ID of a subnet.

IP Type

Type of an IP address. The value can be IPv4 or IPv6.

IPv4 subnet/IPv6 subnet

Subnet IP address and mask.

IPv4 gateway address/IPv6 gateway address

Gateway IP address of a subnet.

DHCP

Mode in which the DHCP server assigns IP addresses to users in a subnet. When the service gateway is inside the VXLAN fabric:

  • When the network technology is Virtualized VXLAN, the DHCP mode can be DHCP relay.
  • When the network technology is Traditional VLAN, the DHCP mode can be DHCP server or DHCP relay.

DHCP Snooping

Whether to enable DHCP snooping for BDs or VLANs on the subnet. This function applies only to wired access users and allows users to go online only on user-side devices, not on tunnel-side devices. After DHCP snooping is enabled, a DHCP client can obtain an IP address from a valid DHCP server. In addition, DHCP snooping-enabled devices record mappings between IP addresses and MAC addresses of DHCP clients, and generate a DHCP snooping binding table to prevent DHCP attacks. This function needs to be enabled if terminal identification is required.

mDNS Snooping

Whether to enable mDNS snooping for BDs or VLANs on the subnet. This function needs to be enabled if terminal identification is required.

ND Snooping

Whether to enable ND snooping for BDs or VLANs on the subnet. This function can be enabled only when IP Type is set to IPv6, and it effectively defends against ND attacks.

IPSG

Whether to enable IPSG. IPSG can be enabled only after DHCP snooping is enabled. After IPSG is enabled, devices check IP packets against the DHCP snooping binding table to defend against attacks such as IP spoofing and MAC spoofing.

DAI

Whether to enable Dynamic ARP inspection (DAI). DAI can be enabled only after DHCP snooping is enabled. After DAI is enabled, the device compares the source IP address, source MAC address, interface number, BD, and VLAN ID of an ARP packet with entries in the DHCP snooping binding table. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. Otherwise, the device considers the ARP packet invalid and discards the packet.

Description

Description of a VLAN. When the standalone WAC or local forwarding mode is used on a wireless network, only user gateways of the static VLAN type can be configured.

L2 Network

VLAN Type

VLAN type:
  • VLAN pool: A VLAN pool is a set of VLANs designed to simplify network deployment. This option applies to user authentication and authorization. The administrator plans VLANs for users in a VN as a VLAN pool. After users are successfully authenticated and authorized, switches allocate VLANs to users from the VLAN pool.
  • Dynamic VLAN: VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic VLANs will not be statically allocated to device interfaces to which users connect.
  • Static VLAN: VLANs are assigned based on interfaces. Users access a VXLAN fabric network through untagged or tagged VLANs. Only this option can be used when standalone WACs are deployed or in local forwarding scenarios.
  • Voice VLAN: Voice VLANs are used exclusively to forward voice packets.
  • Dynamic voice VLAN: Voice VLANs are dynamically allocated to users. This option applies to user authentication and authorization. Dynamic voice VLANs will not be statically allocated to device interfaces to which users connect.

VLAN pool name

This parameter needs to be set when VLAN type is set to VLAN Pool.

VLAN

VLAN ID of a Layer 2 network.

DHCP Snooping

Whether to enable DHCP snooping for BDs or VLANs on the subnet. This function applies only to wired access users and allows users to go online only on user-side devices, not on tunnel-side devices. After DHCP snooping is enabled, a DHCP client can obtain an IP address from a valid DHCP server. In addition, DHCP snooping-enabled devices record mappings between IP addresses and MAC addresses of DHCP clients, and generate a DHCP snooping binding table to prevent DHCP attacks. This function needs to be enabled if terminal identification is required.

mDNS Snooping

Whether to enable mDNS snooping for BDs or VLANs on the subnet. This function needs to be enabled if terminal identification is required.

IPSG

Whether to enable IPSG. IPSG can be enabled only after DHCP snooping is enabled. After IPSG is enabled, devices check IP packets against the DHCP snooping binding table to defend against attacks such as MAC spoofing.

DAI

Whether to enable Dynamic ARP inspection (DAI). DAI can be enabled only after DHCP snooping is enabled. After DAI is enabled, the device compares the source MAC address, interface number, BD, and VLAN ID of an ARP packet with entries in the DHCP snooping binding table. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. Otherwise, the device considers the ARP packet invalid and discards the packet.

Wired Access

Name

Name of the authentication point.

Site

Name of the site where the service is to be deployed.

Port

User access port.

Authentication Mode

Authentication mode of the port.

Service VLAN

Untagged service VLAN used by a terminal, such as a PC, camera, or printer, that is directly connected to a switch to access the VXLAN network.

Voice VLAN

Voice VLAN used by an IP phone directly connected to a switch to access the VXLAN network.

Tagged VLAN

Tagged VLAN of the interface that connects the authentication device to a switch directly connected to terminals whose packets are transparently transmitted. A tagged VLAN must be configured for packets to pass through this interface. Multiple tagged VLANs can be configured.

Wireless access

Site

Site where the service needs to be deployed.

Device name

Wireless access device where the service needs to be deployed.
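
The DHCP snooping, IPSG, and DAI parameters in Table 9-575 depend on one shared structure, the DHCP snooping binding table. The following added example (not iMaster NCE-Campus or switch code) models that dependency: bindings are learned from DHCP ACKs, IPSG validates IP packets against them, and DAI validates ARP packets against IP, MAC, interface, BD, and VLAN. The trusted-port rule, the port names, and the client addresses are assumptions and constructed sample data.

```python
"""DHCP snooping binding table with IPSG and DAI checks (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: which IP a MAC may use, and where it sits."""
    ip: str
    mac: str
    port: str
    vlan: int
    bd: int


@dataclass
class SnoopingSwitch:
    dhcp_snooping: bool = False
    ipsg: bool = False
    dai: bool = False
    trusted_ports: set = field(default_factory=set)  # assumed: ports facing the DHCP server
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> Binding

    def enable(self, *, ipsg=False, dai=False):
        """Mirror the UI rule: IPSG and DAI can only be enabled after DHCP snooping."""
        if (ipsg or dai) and not self.dhcp_snooping:
            raise ValueError("IPSG and DAI require DHCP snooping to be enabled first")
        self.ipsg, self.dai = ipsg, dai

    def observe_dhcp_ack(self, server_port, client_mac, client_ip, client_port, vlan, bd):
        """Record a binding from a DHCP ACK seen on a trusted (server-side) port."""
        if not self.dhcp_snooping or server_port not in self.trusted_ports:
            return False  # ACK from an untrusted port: dropped, no binding created
        self.bindings[(vlan, client_mac)] = Binding(client_ip, client_mac, client_port, vlan, bd)
        return True

    def check_ip(self, src_ip, src_mac, port, vlan):
        """IPSG: an IP packet from a user port must match a binding entry."""
        if not self.ipsg:
            return True
        b = self.bindings.get((vlan, src_mac))
        return b is not None and b.ip == src_ip and b.port == port

    def check_arp(self, sender_ip, sender_mac, port, vlan, bd):
        """DAI: compare sender IP, sender MAC, interface, BD and VLAN with the table."""
        if not self.dai:
            return True
        b = self.bindings.get((vlan, sender_mac))
        return (b is not None and b.ip == sender_ip and b.port == port
                and b.vlan == vlan and b.bd == bd)


def build_sample_switch():
    """Constructed sample: DHCP server behind GE0/0/24, one client on GE0/0/1."""
    sw = SnoopingSwitch(dhcp_snooping=True, trusted_ports={"GE0/0/24"})
    sw.enable(ipsg=True, dai=True)
    # Legitimate lease seen on the trusted uplink: a binding is created.
    sw.observe_dhcp_ack("GE0/0/24", "00:11:22:33:44:55", "10.1.1.20", "GE0/0/1", vlan=10, bd=10)
    # ACK originating from an untrusted user port: dropped, no binding.
    sw.observe_dhcp_ack("GE0/0/5", "66:77:88:99:aa:bb", "10.1.1.30", "GE0/0/6", vlan=10, bd=10)
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    print("bindings:", list(sw.bindings.values()))
    print("IPSG valid:", sw.check_ip("10.1.1.20", "00:11:22:33:44:55", "GE0/0/1", 10))
    print("IPSG spoofed IP:", sw.check_ip("10.1.1.99", "00:11:22:33:44:55", "GE0/0/1", 10))
    print("DAI wrong BD:", sw.check_arp("10.1.1.20", "00:11:22:33:44:55", "GE0/0/1", 10, 20))
```

Packets that fail `check_ip` or `check_arp` are what the switch would discard once IPSG or DAI is enabled on the subnet; ARP packets are still accepted when DAI is off even if no binding exists.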

Configuring Layer 2 Multicast

Fundamentals

Internet Group Management Protocol Snooping (IGMP snooping) is an IPv4 Layer 2 multicast protocol. With IGMP snooping, a Layer 2 multicast device analyzes IGMP messages exchanged between an upstream router and user hosts to create and maintain a Layer 2 multicast forwarding table. The device then uses these entries to control multicast packet forwarding. In this way, it prevents multicast data from being broadcast on Layer 2 networks. This not only saves network bandwidth, but also ensures network security. To configure IGMP snooping in VNs, you need to define and deploy an IGMP snooping template.

IGMP snooping is a basic Layer 2 multicast function that forwards and controls multicast traffic at the data link layer. IGMP snooping runs on a Layer 2 device and analyzes IGMP messages exchanged between a Layer 3 device and hosts to create and maintain a Layer 2 multicast forwarding table. Based on this table, the Layer 2 device forwards multicast packets at the data link layer.

In the following figure, after receiving multicast packets from a Layer 3 multicast device (Router), a Layer 2 multicast device (Switch) at the edge of the access layer forwards the multicast packets to receiver hosts, so that the receivers can watch the ordered programs. If Switch does not run IGMP snooping, it broadcasts multicast packets at Layer 2. After IGMP snooping is configured, Switch forwards multicast packets only to specified hosts.

With IGMP snooping configured, Switch listens to IGMP messages exchanged between hosts and the upstream Layer 3 device. It analyzes packet information (such as the packet type, group address, and receiving interface) to set up and maintain a Layer 2 multicast forwarding table, based on which it forwards multicast packets at the data link layer.

Figure 9-186 Multicast packet forwarding before and after IGMP snooping is configured on a Layer 2 device
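
The forwarding behaviour described above, as an added example (not switch or iMaster NCE-Campus code): a Layer 2 switch builds a per-VLAN multicast forwarding table from the IGMP Report and Leave messages it sees on host ports, then delivers a multicast frame only to member ports and the router port instead of flooding it. Port names, group addresses, and the treatment of unknown groups (delivered to the router port only) are assumptions; Leave handling is simplified to immediate removal.

```python
"""IGMP snooping forwarding-table model (added example)."""
from collections import defaultdict


class IgmpSnoopingSwitch:
    def __init__(self, ports, router_port):
        self.ports = set(ports)          # all ports in the VLAN
        self.router_port = router_port   # port toward the Layer 3 device / IGMP querier
        # (vlan, group) -> set of member ports learned from IGMP Report messages
        self.table = defaultdict(set)

    def process_igmp(self, vlan, port, msg_type, group):
        """Update the Layer 2 multicast forwarding table from an IGMP message."""
        if msg_type == "report":
            self.table[(vlan, group)].add(port)
        elif msg_type == "leave":
            # Assumption: the port is removed immediately (real switches first send
            # a group-specific query and age the entry out).
            self.table[(vlan, group)].discard(port)
            if not self.table[(vlan, group)]:
                del self.table[(vlan, group)]
        # IGMP Query messages from the querier are relayed to hosts and do not
        # change the table in this model.

    def forward(self, vlan, in_port, group, snooping=True):
        """Return the set of ports that receive a multicast frame for `group`."""
        if not snooping:
            # Without IGMP snooping the frame is broadcast at Layer 2.
            return self.ports - {in_port}
        members = self.table.get((vlan, group), set())
        # The router port always receives the group so the upstream router keeps state.
        return (members | {self.router_port}) - {in_port}


def build_sample_igmp_switch():
    """Constructed sample: router on GE0/0/24, three host ports in VLAN 10."""
    sw = IgmpSnoopingSwitch(ports=["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/24"],
                            router_port="GE0/0/24")
    sw.process_igmp(10, "GE0/0/1", "report", "239.1.1.1")
    sw.process_igmp(10, "GE0/0/3", "report", "239.1.1.1")
    sw.process_igmp(10, "GE0/0/2", "report", "239.2.2.2")
    return sw


if __name__ == "__main__":
    sw = build_sample_igmp_switch()
    print("without snooping:", sorted(sw.forward(10, "GE0/0/24", "239.1.1.1", snooping=False)))
    print("with snooping:   ", sorted(sw.forward(10, "GE0/0/24", "239.1.1.1")))
    sw.process_igmp(10, "GE0/0/3", "leave", "239.1.1.1")
    print("after leave:     ", sorted(sw.forward(10, "GE0/0/24", "239.1.1.1")))
```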

Feature Requirements

If the multicast source is inside a VXLAN fabric network, only subnets of the static VLAN type can be selected when you configure Layer 2 multicast.

Prerequisites

An IGMP snooping profile has been configured. For details, see IGMP Snooping Profile.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Virtual Network and click the Layer 2 multicast tab.
  2. Select a VXLAN fabric network on the left, click next to the VN where Layer 2 multicast needs to be configured, and click Create.

Parameter Description

Table 9-576 Description of Layer 2 multicast parameters

Parameter

Description

Subnet name

Meaning: Subnet where IGMP snooping needs to be configured.

Constraints:

Subnets whose VLAN type is voice VLAN or dynamic voice VLAN, as well as IPv6 subnets, do not support IGMP snooping.

IGMP snooping profile

IGMP snooping profile bound to the subnet. The profile is used to set IGMP snooping parameters. You can choose Design > Basic Network Design > Template Management to configure an IGMP snooping profile.

Multicast source outside the VXLAN fabric

If the multicast source is not on the VXLAN fabric network, configure the device and port used to communicate with the multicast source.

IGMP querier location

Meaning: Select a device to act as the IGMP querier. A querier is responsible for sending IGMP Query messages to hosts and receiving IGMP Report messages and Leave messages from hosts. A querier can then learn which multicast group has receivers on the network segment connected to the interface receiving such messages.

Constraints: Only one IGMP querier can be configured for a network segment.

(Optional) Configuring VN Interconnection at Layer 3

Fundamentals

By default, devices in different VNs cannot communicate with each other. However, if VNs need to communicate and the security requirement is not high, you can configure the border node to allow communication between Layer 3 VNs.

Communication Between VXLAN Networks with a Centralized Gateway

Hosts in different BDs cannot directly communicate with each other at Layer 2. A Layer 3 VXLAN gateway is required to implement Layer 3 communication between the hosts.

In this gateway deployment mode, Layer 3 gateways are deployed on a single device. For example, on the network shown in the following figure, traffic across subnets is forwarded through Layer 3 gateways to implement centralized traffic management.

Figure 9-187 Communication between VXLAN networks with a centralized gateway

Communication Between VXLAN Networks with Distributed Gateways

In distributed gateway mode, Layer 2 and Layer 3 gateways are deployed on the same device. As shown in the following figure, the VTEPs on the VXLAN network function as Layer 2 gateways to connect to hosts, and also function as Layer 3 gateways to implement inter-subnet communication and external network access. This gateway deployment mode is supported only when VXLAN networks are deployed using BGP-EVPN.

Figure 9-188 Communication between VXLAN networks with distributed gateways

Feature Requirements

  • When configuring VN interconnection at Layer 3, note the following:
    • On a VXLAN fabric network with distributed gateways, ensure that Network technology of both the source VN and destination VN is set to Virtualized VXLAN, and User gateway location of both VNs is set to Inside the VXLAN fabric.
    • On a VXLAN fabric network with a centralized gateway, ensure that User gateway location of both the source VN and destination VN is set to Inside the VXLAN fabric.
    • The default VN cannot be configured to communicate with other VNs.
  • Interconnection between Layer 3 VNs is not transitive. For example, if interconnection between VN 1 and VN 2 and between VN 2 and VN 3 is configured, VN 1 and VN 3 cannot communicate with each other. Interconnection between VN 1 and VN 3 needs to be configured separately.

Prerequisites

  • The VNs that need to access each other have been created.
  • An external gateway has been configured.

Procedure

  1. Choose Provision > Virtual Network > Logical Network and click the VN Configuration tab.
  2. Select a specified VXLAN fabric network on the left and click VN Interwork in the upper right corner.
  3. Click Add and set parameters as needed.

Related Operations

  • Modify a VN interconnection configuration.

    Select the VN interconnection configuration to be modified and click .

  • Delete a VN interconnection configuration.

    Select the VN interconnection configuration to be deleted and click .

Parameters

Table 9-577 Description of parameters for VN interworking

Parameter

Description

Name

Name of VN interworking.

Interworking Device

Border node to which static routes for VN communication are delivered. In a multi-border node scenario, you can select multiple border nodes to which static routes for VN communication are delivered.

Interworking Mode

Specifies whether all subnets of the source VN and destination VN can communicate with each other, or only some subnets can.

IP address type

Type of an IP address. The value can be IPv4 or IPv6.

Source VN/Destination VN

Source and destination VNs that can interwork with each other.

Source IP Prefix/Destination IP Prefix

When Interworking Mode is set to Partial Interwork, you can manually specify the subnets that can communicate with each other.

If the subnets represented by the IP prefixes of the source and destination VNs cannot meet configuration requirements, you can manually enter customized subnet IP prefixes.

Checking the Configuration Status

After the service configuration is complete, you can query the service configuration status.

Procedure

  1. Choose Provision > Virtual Network > VXLAN Fabric Management, click to select a VXLAN fabric network from the drop-down list box, and click the Network Management tab.
  2. Click next to the VXLAN fabric name to expand the VXLAN fabric list. Click in the row that contains the desired VXLAN fabric or Configuration Status to view the VXLAN fabric configuration result.

  3. Choose Provision > Virtual Network > Logic Network.
  4. Click next to the VXLAN fabric to view its configuration result.

Troubleshooting

If Failed is displayed in the Configuration Status column, click to redeliver the configuration. If the fault persists, click to redeliver full configurations to rectify the fault.

  • During configuration delivery, the service card of the device is not registered.
  • The device does not respond with any acknowledgement packet. As a result, iMaster NCE-Campus considers that the configuration delivery times out on the device after a period of time.
  • An exception, for example, a database fault, occurs on iMaster NCE-Campus when it processes the response from the device. As a result, iMaster NCE-Campus fails to update the configuration status of the device.
  • During VN deletion and modification, online or pre-authenticated users may exist on VN subnets. In this case, you need to redeliver the deletion or modification data after these users go offline.
  • If there are site configurations that fail to be delivered, you need to restore site configurations before redelivering the VXLAN fabric configuration by clicking . Otherwise, the VXLAN fabric configuration cannot be redelivered.