
Configuration Examples for the Financial Industry

Issue: 03
Date: 2017-05-08
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://e.huawei.com
Issue 03 (2017-05-08)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
Contents
1 Preface..............................................................................................................................................1
2 Traditional Data Center Deployment Solution....................................................................... 4
2.1 Overview........................................................................................................................................................................ 5
2.1.1 Purpose........................................................................................................................................................................ 5
2.1.2 Typical Networking..................................................................................................................................................... 5
2.1.2.1 Logic Architecture.................................................................................................................................................... 5
2.1.2.2 Physical Architecture................................................................................................................................................7
2.1.2.3 Products Used........................................................................................................................................................... 8
2.1.3 Network Architecture Design...................................................................................................................................... 9
2.1.3.1 Core Switching Area................................................................................................................................................ 9
2.1.3.2 Open Platform Area..................................................................................................................................................9
2.1.3.3 Development and Testing Area.............................................................................................................................. 10
2.1.3.4 Operation and Management Area........................................................................................................................... 11
2.1.3.5 Local User Access Area......................................................................................................................................... 12
2.1.3.6 MAN/WAN Access Area........................................................................................................................................13
2.1.3.7 Extranet Area.......................................................................................................................................................... 14
2.1.3.8 Firewall Deployment.............................................................................................................................................. 16
2.2 Service Design and Configuration................................................................................................................................17
2.2.1 System Configuration................................................................................................................................................ 18
2.2.1.1 Device Login Configuration................................................................................................................................... 18
2.2.1.2 Device Naming Configuration................................................................................................................................21
2.2.1.3 Device Management Configuration........................................................................................................................23
2.2.1.4 Network Management Configuration..................................................................................................................... 23
2.2.1.5 Information Center Configuration.......................................................................................................................... 24
2.2.1.6 NTP Configuration................................................................................................................................................. 25
2.2.2 Service Configuration................................................................................................................................................25
2.2.2.1 Interface Configuration...........................................................................................................................................26
2.2.2.2 VLAN Configuration..............................................................................................................................................26
2.2.2.3 Link Aggregation Configuration............................................................................................................................ 28
2.2.2.4 IP Address Configuration....................................................................................................................................... 29
2.2.2.5 STP Configuration.................................................................................................................................................. 30
2.2.3 Reliability Configuration........................................................................................................................................... 33
2.2.3.1 VRRP Configuration.............................................................................................................................................. 33
2.2.3.2 Smart Link Configuration.......................................................................................................................................34
2.2.3.3 DLDP......................................................................................................................................................................36
2.2.4 Routing Configuration............................................................................................................................................... 37
2.2.4.1 LAN Routing Configuration...................................................................................................................................39
2.2.4.2 Extranet Routing Configuration............................................................................................................................. 43
2.2.4.3 MAN/WAN Routing Configuration....................................................................................................................... 44
2.2.5 Security...................................................................................................................................................................... 44
2.2.5.1 ACL-based Antivirus Configuration...................................................................................................................... 44
2.2.5.2 Broadcast Storm Suppression Configuration......................................................................................................... 45
2.2.5.3 MAC Address Flapping Detection......................................................................................................................... 45
2.2.5.4 MAC Address Triggered ARP Entry Update......................................................................................................... 45
2.2.5.5 Loopback Detection on a Single Interface..............................................................................................................46
2.2.5.6 ARP Attack Defense Configuration....................................................................................................................... 46
2.2.6 Firewall Configuration.............................................................................................................................................. 48
3 M-LAG Data Center Deployment Solution........................................................................... 52
3.1 Overview...................................................................................................................................................................... 53
3.1.1 Purpose...................................................................................................................................................................... 53
3.1.2 Typical Networking................................................................................................................................................... 53
3.1.2.1 Logical Architecture............................................................................................................................................... 53
3.1.2.2 Physical Architecture..............................................................................................................................................55
3.1.2.3 Products Used......................................................................................................................................................... 57
3.1.3 Network Architecture Design.................................................................................................................................... 57
3.1.3.1 Core Switching Area.............................................................................................................................................. 57
3.1.3.2 Open Platform Area................................................................................................................................................57
3.1.3.3 Development and Testing Area.............................................................................................................................. 58
3.1.3.4 Operation and Management Area...........................................................................................................................59
3.1.3.5 Local User Access Area......................................................................................................................................... 61
3.1.3.6 MAN/WAN Access Area........................................................................................................................................61
3.1.3.7 Extranet Area.......................................................................................................................................................... 62
3.1.3.8 Firewall Deployment.............................................................................................................................................. 65
3.2 Service Design and Configuration................................................................................................................................66
3.2.1 System Configuration................................................................................................................................................ 66
3.2.1.1 Device Login Configuration................................................................................................................................... 67
3.2.1.2 Device Naming Configuration................................................................................................................................70
3.2.1.3 Device Management Configuration........................................................................................................................71
3.2.1.4 Network Management Configuration..................................................................................................................... 72
3.2.1.5 Information Center Configuration.......................................................................................................................... 72
3.2.1.6 NTP Configuration................................................................................................................................................. 73
3.2.2 Service Configuration................................................................................................................................................74
3.2.2.1 Interface Configuration...........................................................................................................................................74
3.2.2.2 VLAN Configuration..............................................................................................................................................74
3.2.2.3 Link Aggregation Configuration............................................................................................................................ 75
3.2.2.4 IP Address Configuration....................................................................................................................................... 76
3.2.2.5 STP Configuration.................................................................................................................................................. 77
3.2.3 Reliability Configuration........................................................................................................................................... 77
3.2.3.1 M-LAG Configuration............................................................................................................................................77
3.2.3.2 Monitor Link Configuration................................................................................................................................... 79
3.2.3.3 Dual-Active Gateway Configuration......................................................................................................................80
3.2.4 Routing Configuration............................................................................................................................................... 81
3.2.4.1 LAN Routing Configuration...................................................................................................................................84
3.2.4.2 Extranet Routing Configuration............................................................................................................................. 88
3.2.4.3 MAN/WAN Routing Configuration....................................................................................................................... 89
3.2.5 Security Configuration.............................................................................................................................................. 89
3.2.5.1 ACL-based Antivirus Configuration...................................................................................................................... 89
3.2.5.2 Broadcast Storm Suppression Configuration......................................................................................................... 90
3.2.5.3 MAC Address Flapping Detection......................................................................................................................... 90
3.2.5.4 MAC Address Triggered ARP Entry Update......................................................................................................... 90
3.2.5.5 Loopback Detection on a Single Interface..............................................................................................................91
3.2.5.6 ARP Attack Defense Configuration....................................................................................................................... 91
3.2.6 Firewall Configuration.............................................................................................................................................. 93
4 DCN Deployment Solution Based on the Agile Controller and Integrated Hardware Overlay Network............. 97
4.1 Overview...................................................................................................................................................................... 98
4.1.1 Purpose...................................................................................................................................................................... 98
4.1.2 Typical Networking................................................................................................................................................... 98
4.1.2.1 Logic Architecture.................................................................................................................................................. 98
4.1.2.2 Physical Architecture............................................................................................................................................100
4.1.3 Version Support....................................................................................................................................................... 101
4.1.4 Solution Restrictions................................................................................................................................................102
4.2 Network Deployment................................................................................................................................................. 105
4.2.1 Network Deployment Panorama............................................................................................................................. 105
4.2.2 Checking Software and Hardware Environments....................................................................................................106
4.2.3 Underlay Network Configuration............................................................................................................................ 109
4.2.3.1 Configuring Network Management......................................................................................................................109
4.2.3.2 Configuring TOR Stack Working Group..............................................................................................................109
4.2.3.3 Configuring a TOR M-LAG................................................................................................................................. 113
4.2.3.4 Configuring Spine Nodes......................................................................................................................................118
4.2.3.5 Configuring a Gateway M-LAG...........................................................................................................................121
4.2.3.6 Configuring Firewalls...........................................................................................................................................128
4.2.3.7 Configuring SNMP...............................................................................................................................................132
4.2.3.8 Configuring NETCONF....................................................................................................................................... 136
4.2.3.9 Configuring LLDP................................................................................................................................................138
4.2.3.10 Configuring VXLAN..........................................................................................................................................138
4.2.3.11 (Optional) Configuring Load Balancers............................................................................................................. 140
4.2.4 Installing the AC-DCN............................................................................................................................................ 141
4.2.5 Pre-configuring the AC-DCN..................................................................................................................................142
4.2.5.1 Logging In to the AC-DCN.................................................................................................................................. 142
4.2.5.2 Applying For and Loading a License File............................................................................................................ 143
4.2.5.3 Discovering Network Devices..............................................................................................................................144
4.2.5.4 Creating and Configuring a POD......................................................................................................................... 144
4.2.5.5 Discovering and Adding Links.............................................................................................................................146
4.2.5.6 Defining Network Device Roles...........................................................................................................................147
4.2.5.7 Configuring an Access Switch Group, Gateway Group, and Firewall Group......................................................147
4.2.5.8 Adding LBs and Links..........................................................................................................................................148
4.2.5.9 Configuring NVE Nodes...................................................................................................................................... 149
4.2.5.10 Configuring Internal and External Links Between Firewalls and Gateways..................................................... 151
4.2.5.11 Configuring Resources for Interface Interconnection........................................................................................ 152
4.2.5.12 Configuring Available VNI, VLAN, and BD Ranges........................................................................................ 153
4.2.5.13 Configuring a PXE Network.............................................................................................................................. 154
4.2.6 Interconnecting the AC-DCN with FusionSphere OpenStack................................................................................ 155
4.2.6.1 Creating a Management Network for FusionSphere............................................................................................ 155
4.2.6.2 Installing and Configuring FusionSphere OpenStack.......................................................................................... 156
4.2.6.3 Installing Interconnection Plug-ins.......................................................................................................................157
4.2.6.4 Creating a Northbound Interface Operator........................................................................................................... 158
4.2.6.5 Configuring a Cloud Platform.............................................................................................................................. 159
4.2.6.6 Binding the Cloud Platform to a POD..................................................................................................................160
4.2.6.7 Adding Servers to the POD.................................................................................................................................. 160
4.2.6.8 Configuring External Networks............................................................................................................................162
4.2.6.9 Interconnecting FusionSphere with a VMM........................................................................................................ 164
4.2.7 Interconnecting the AC-DCN with Open-Source OpenStack................................................................................. 164
4.2.7.1 Creating a Management Network for OpenStack.................................................................................................164
4.2.7.2 Installing and Configuring OpenStack................................................................................................................. 166
4.2.7.3 Installing Interconnection Plug-ins.......................................................................................................................167
4.2.7.4 Configuring the Interconnection on OpenStack................................................................................................... 167
4.2.7.5 Creating a Northbound Interface Operator........................................................................................................... 172
4.2.7.6 Configuring a Cloud Platform.............................................................................................................................. 174
4.2.7.7 Binding the Cloud Platform to a POD..................................................................................................................175
4.2.7.8 Adding Servers to the POD.................................................................................................................................. 175
4.2.7.9 Configuring External Networks............................................................................................................................177
4.2.7.10 Interconnecting OpenStack with a VMM...........................................................................................................178
4.2.8 Deploying the Overlay Network..............................................................................................................................178
4.2.9 Common Operation Guide.......................................................................................................................................178
4.2.9.1 Adding a TOR Node.............................................................................................................................................179
4.2.9.2 Replacing a Device............................................................................................................................................... 180
4.2.9.3 Deleting a Device................................................................................................................................................. 181
1 Preface
The information in this document is subject to change without notice. It is provided only for
reference.
The commands and command outputs of different versions may differ; therefore, the command outputs on your device may be different from those provided in this document.
Intended Audience
This document is a reference for network planning and device configuration.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Command Conventions
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 03 (2017-05-08) for Product Version
This version is updated according to product changes.
Changes in Issue 02 (2016-09-10) for Product Version
This version has the following updates. The following information is added:
- M-LAG Data Center Deployment Solution
- DCN Deployment Solution Based on the Agile Controller and Integrated Hardware Overlay Network
Changes in Issue 01 (2015-10-10) for Product Version
Initial commercial release.
2 Traditional Data Center Deployment Solution
2.1 Overview
2.2 Service Design and Configuration
2.1 Overview
2.1.1 Purpose
This document provides a detailed data center design for a level-1 bank branch, covering the
network architecture, IP address and VLAN planning, routing design, security design,
network reliability design, and network management system design for the data center. You
can use this document as a reference for data center project implementation.
2.1.2 Typical Networking
2.1.2.1 Logic Architecture
The following figure shows the logical topology of the level-1 bank branch's data center
network, which is divided into multiple areas depending on the functions provided.
The following describes the functional areas.
Area: Open platform area (OP)
Function and positioning: Provides access to running open systems, including the accounting system as well as other accounting-related and non-accounting service systems. This area is a major business area for communication between production and office departments.
Accessible to: Clients and servers

Area: Operation and management area (OM)
Function and positioning: Has servers deployed for system operations, monitoring, and maintenance. This area is responsible for network and system management and maintenance.
Accessible to: Only a few authorized maintenance users

Area: Development and testing area (DT)
Function and positioning: Accommodates servers of systems that have not been put into use, including the hosts and open platform systems that are under development or testing.
Accessible to: Clients and servers

Area: MAN/WAN access area (WN/MN)
Function and positioning: Connects the level-1 bank branch to the head office and its data center, downstream level-2 branches and outlets, as well as offices, branches, and outlets in the local city. This area provides connections to the level-1 bank branch's LANs and subordinate branches.
Accessible to: ATM machines, POS machines, teller terminals, maintenance users, office terminals, and terminals in business centers

Area: Local user access area (LU)
Function and positioning: Allows access of various user terminals.
Accessible to: Local maintenance users, local office terminals, and terminals in local business centers

Area: DMZ extranet (EP)
Function and positioning: Implements interconnection with business platforms of partners, major accounts, and agents through lines of carriers.
Accessible to: Partners, international branches, off-bank devices (3G/2G/PSTN), telephone banking systems, and customer service centers
The level-1 bank branch's data center network is logically divided into three layers: core,
distribution, and access layers.
• Core layer: high-speed Layer 3 switching backbone network. This layer is not directly connected to terminals or servers and does not provide functions that will affect high-speed switching performance, such as ACL.
• Distribution layer: boundary of Layer 2 and Layer 3 networks, and boundary of functional areas. This layer connects to the core layer at Layer 3 and connects to the access layer at Layer 2. It provides the following functions:
  – Acts as a unified gateway for terminals and servers in the functional areas.
  – Summarizes routes within each functional area.
  – Implements intra-VLAN routing within each functional area.
  – Provides routing policies for communication between functional areas and the core layer.
  – Applies ACLs to control communication between systems within a functional area.
  – Has firewalls deployed to enforce access control between areas.
• Access layer: connects to the distribution layer and consists of the following devices:
  – Access switch (AS): provides Layer 2 access for servers and terminals and isolates users through VLANs.
  – Access router (AR): provides access to the WAN and MAN networks, and functions as an autonomous system boundary router (ASBR) to implement routing control.
2.1.2.2 Physical Architecture
The following figure shows the physical network connections of the level-1 bank branch's
data center.
In the core switching area, two high-performance data center switches are deployed, and they
are interconnected through 10GE bundled links to provide highly reliable, high-speed
switching.
The switches in the core switching area and distribution layer are connected in square
networking to implement redundancy of physical links, enhancing network reliability. The
core switches and distribution switches are connected using bundled 10GE or GE links.
The distribution layer of each area has two high-performance switches deployed for traffic aggregation in the area. The two switches are interconnected using bundled 10GE or GE links depending on the line cards used in the switches. Access switches in each area are dual-homed to two distribution switches.
Firewalls are deployed in each area for access control. Firewalls are connected to distribution switches in bypass mode through bundled GE links. The two firewalls in an area work in active/standby mode. If the active firewall fails, traffic can be switched to the standby firewall within a short time. If both firewalls fail, service traffic is switched to the bypass link without passing through the firewalls, ensuring nonstop data forwarding and service operations.
The two pairs of firewalls in the extranet area are connected to distribution switches, access
switches, and access routers in square networking to enhance network reliability.
2.1.2.3 Products Used
Huawei CE12816, CE12808, and CE6800 switches are used at the core layer, distribution layer, and access layer, respectively. The Huawei NE40E-X8 is used at the access layer as the access router. The Huawei USG5500 is used as the firewall.
2.1.3 Network Architecture Design
2.1.3.1 Core Switching Area
The following figure shows the core switching area of the level-1 bank branch's data center.
The core layer connects to each functional area in the data center. Two high-performance
CE12816 data center switches are deployed at the core layer, which are interconnected using
an Eth-Trunk of two 10GE links to enhance connection reliability.
Product model:
Core switch (CS): Huawei CE12816
2.1.3.2 Open Platform Area
The following figure shows the open platform area of the level-1 bank branch's data center.
The distribution layer of the open platform area has two high-performance CE12808 data
center switches, which use 2x10GE inter-card Eth-Trunk links to connect to each other and
the upstream core switches. The CE6800 switches at the access layer are dual-homed to the
CE12808 switches through GE links.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the open platform area and other functional areas. The firewalls use 4xGE inter-card
Eth-Trunk links for uplink and downlink connections.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall: Huawei USG5500
2.1.3.3 Development and Testing Area
The following figure shows the development and testing area of the level-1 bank branch's data
center.
The distribution layer of the development and testing area has two high-performance CE12808 data center switches, which use 2x10GE inter-card Eth-Trunk links to connect to each other and the upstream core switches. The CE6800 switches at the access layer are dual-homed to the CE12808 switches through GE links.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the open platform area and other functional areas. The firewalls use 4xGE inter-card
Eth-Trunk links for uplink and downlink connections.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall: Huawei USG5500
2.1.3.4 Operation and Management Area
The following figure shows the operation and management area of the level-1 bank branch's
data center.
This area is the network management and maintenance center of the level-1 bank branch. It
collects running status data of managed systems and devices, monitors network and system
status, issues management instructions, and detects system failures to help in troubleshooting.
The distribution layer of the operation and management area has two high-performance
CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical
interfaces to connect to each other and the upstream core switches. The CE6800 switches at
the access layer are dual-homed to the CE12808 switches through GE links.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the open platform area and other functional areas. The firewalls use inter-card Eth-Trunk links of two GE optical interfaces for uplink and downlink connections.
The following systems are deployed in this area:
Management server: uses the Simple Network Management Protocol (SNMP) to collect
network and system running information and receive logs and alarms sent from various
systems on the network. The management server summarizes and processes management
information collected from the network, monitors running status of the data center network
and systems, and generates network and system management reports.
Management platform: enables maintenance personnel to access the management server to
diagnose and rectify faults of devices.
Security tools: guarantee system security. Security tools include RADIUS server, intrusion
detection system (IDS) server, and antivirus server.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall: Huawei USG5500
2.1.3.5 Local User Access Area
The following figure shows the local user access area of the level-1 bank branch's data center.
This area is designed to enable communication between various types of user terminals.
The distribution layer of the operation and management area has two high-performance
CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical
interfaces to connect to each other and the upstream core switches. The CE6800 switches at
the access layer are dual-homed to the CE12808 switches through GE links.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication between the open platform area and other functional areas. The firewalls use inter-card Eth-Trunk links of two GE optical interfaces for uplink and downlink connections.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall: Huawei USG5500
2.1.3.6 MAN/WAN Access Area
The following figure shows the MAN/WAN area of the level-1 bank branch's data center.
This area connects upstream and downstream routers, and allows communication between
access switches in the same city.
The distribution layer of this area has two high-performance CE12808 data center switches, which use inter-card Eth-Trunk links of two GE optical interfaces to connect to each other and the upstream core switches. The access routers connect to the distribution switches in dual-homing mode.
The MAN/WAN access area is only used for access to the WAN or MAN and has no servers,
so no firewalls need to be deployed in this area. The offices and banking outlets in the same
city or level-2 bank branches deploy the Unified Threat Management (UTM) system for
security guarantee.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access router (AR): Huawei NE40E-X8
2.1.3.7 Extranet Area
The following figure shows the extranet area of the level-1 bank branch's data center.
The extranet area provides network connections to partners. To improve security of the area
and prevent Internet users from directly accessing servers of the bank, a two-layer
heterogeneous firewall architecture is used to partition the entire area into three security
subareas of different security levels: extranet area, DMZ, and intranet area. The following
table describes functions of the three security subareas.
Extranet area: Allows partners to connect to the network through private lines and translates private IP addresses of packets sent from partners into private IP addresses in the DMZ.
DMZ: Deploys front-end servers for partners.
Intranet area: Deploys systems on the level-1 bank branch's data center network.
The access layer, distribution layer, and core layer of the extranet area provide different
network functions, with ascending security levels. The following table describes devices in
the extranet area.
Extranet router: To provide access for partners, two extranet routers connect to lines of different carriers. The primary line connects to the master router, and the backup line connects to the backup router, implementing link redundancy.
The routers' interfaces connected to the external firewalls run the Virtual Router Redundancy Protocol (VRRP). Generally, data flows are forwarded through the master router. If the master router fails, traffic will be switched to the backup router. VRRP enhances system reliability through redundancy and prevents single-point failures.
If routers are connected to links that do not support automatic link state detection, for example, ATM or MSTP links, configure a link failure detection protocol such as OAM or BFD on the interfaces. In this case, ensure that the remote ends also support the link failure detection protocol.

External firewall: Security policies need to be configured on the firewalls according to application requirements to implement logical isolation and security control between the extranet area and DMZ.
The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally, one firewall works in active mode, and the other works in standby mode. If the active firewall fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data forwarding and normal service operations.

Access switch: The switches connect to front-end servers in the extranet and connect to each other through a 2xGE Eth-Trunk link to enhance reliability. More access switches can be added to the extranet based on business requirements.

Internal firewall: Security policies need to be configured on the firewalls according to application requirements to implement logical isolation and security control between the DMZ and intranet.
The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally, one firewall works in active mode, and the other works in standby mode. If the active firewall fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data forwarding and normal service operations.

Distribution switch: The switches connect the extranet to the LANs on the data center network. The two switches are interconnected through two bundled links to enhance reliability.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE12808
Access router (AR): Huawei NE40E-X8
Firewall: Huawei USG5500
2.1.3.8 Firewall Deployment
The level-1 bank branch's data center network has firewalls deployed in the open platform
area (OP), development and testing area (DT), local user access area (LU), and operation and
management area (OM) to improve network security. Access control policies are configured
on the firewalls to isolate different functional areas, control communication between the
areas, and protect servers in these areas.
The firewalls are connected to distribution switches in bypass mode, as shown in the
following figure.
• The firewalls are deployed in the HA architecture and work in preemption mode. When both firewalls are running normally, FW1 acts as the active firewall, and FW2 acts as the standby firewall.
• The two firewalls exchange heartbeat packets through two directly connected interfaces.
• FW1 and FW2 are connected to the distribution switches in bypass mode.
• Link aggregation is used between the firewalls and distribution switches. Two or four uplink interfaces of the active firewall FW1 are bundled into Eth-Trunk 1 and connected to DS1. Two or four downlink interfaces of FW1 are bundled into Eth-Trunk 2 and connected to DS1. The number of member interfaces in an Eth-Trunk is determined based on the requirements in the area. Two or four uplink interfaces of the standby firewall FW2 are bundled into Eth-Trunk 1 and connected to DS2. Two or four downlink interfaces of FW2 are bundled into Eth-Trunk 2 and connected to DS2.
• The firewalls monitor the physical status of Eth-Trunk 1 and Eth-Trunk 2. If either Eth-Trunk interface fails, an active/standby switchover is triggered. Then FW2 becomes the active firewall, and FW1 becomes the standby firewall.
• If both firewalls are faulty, manually switch data traffic to the bypass link so that the traffic does not pass through the firewalls. The bypass link is an independent link deployed between the uplink and downlink VRF instances.
• The firewalls communicate with distribution switches using static routes and run VRRP.
• Trusted and untrusted zones are defined on the firewalls, and security policies are configured based on application requirements to implement isolation and security control between the trusted and untrusted zones.
Product models:
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall: Huawei USG5500
2.2 Service Design and Configuration
2.2.1 System Configuration
2.2.1.1 Device Login Configuration
Users can log in to the device through a console port, Telnet, or STelnet to perform local or
remote device maintenance. A user must use the console port to log in to the device for the
first time. Telnet or STelnet can be used to implement remote management and maintenance.
The following describes how to log in to the device through the console port and STelnet.
• Logging in to a device through a console port
Before logging in to the device through a console port, complete the following tasks:
a. Prepare a console cable.
b. Install the terminal emulation software on the PC.
NOTE
You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000) on the PC. If no built-in terminal emulation software is available, use third-party terminal emulation software. For details, see the software user guide or online help.
Procedure:
Use the terminal emulation software to log in to the device through the console port.
a. Insert the DB9 plug of the console cable delivered with the device into a 9-pin serial socket on the PC, and insert the RJ-45 connector into the console port of the device, as shown in the following figure.
Figure 2-1 Connecting the PC to the device through the console port
b. Start the terminal emulation software on the PC, establish a connection, and set the connected interface and communication parameters.
NOTE
One PC may have multiple connection interfaces. Select the interface connected to the console cable. Usually, the interface COM1 is selected.
If the communication parameters of the device's serial interface have been changed, set the communication parameters of the PC to the same changed values, and reconnect the PC to the serial interface.
c. Press Enter until the system asks you to enter the password. (During AAA authentication, the system asks you to enter the user name and password. The following information is for your reference only.)
Login authentication
Password:
You can run commands to configure the device. Enter a question mark (?) whenever you need help.
• Logging in to the device using STelnet
Before logging in to the device through STelnet, complete the following tasks:
a. Configure routes between a terminal and the device.
b. Install the SSH client software on the terminal.
Procedure:
a. Configure the STelnet server functions and parameters.
<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (512 ~ 2048).
NOTE: Key pair generation will take a short while.
Input the bits in the modulus [default = 2048] : 2048
[*HUAWEI] stelnet server enable
[*HUAWEI] commit
b. Configure the SSH user login interface.
[~HUAWEI] user-interface vty 0 4
[~HUAWEI-ui-vty0-4] authentication-mode aaa
[*HUAWEI-ui-vty0-4] protocol inbound ssh
[*HUAWEI-ui-vty0-4] commit
[~HUAWEI-ui-vty0-4] quit
c. Configure an SSH user.
You need to configure the authentication mode. The device supports the following
authentication modes: RSA, password, password-rsa, DSA, password-dsa, ECC,
password-ecc, and all. The authentication modes are described as follows:
password-rsa: The password and RSA authentication requirements must be met.
password-dsa: The password and DSA authentication requirements must be met.
password-ecc: The password and ECC authentication requirements must be met.
all: The requirements of password, RSA, DSA, or ECC authentication are met.
[~HUAWEI] ssh user client001
[*HUAWEI] ssh user client001 authentication-type password
[*HUAWEI] ssh user client001 service-type stelnet
[*HUAWEI] aaa
[*HUAWEI-aaa] local-user client001 password irreversible-cipher Huawei@123
[*HUAWEI-aaa] local-user client001 level 3
[*HUAWEI-aaa] local-user client001 service-type ssh
[*HUAWEI-aaa] quit
[*HUAWEI] commit
d. Log in to the device through STelnet.
The PuTTY software is used as an example.
# Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type, as shown in the following figure.
Figure 2-2 Logging in to the SSH server through PuTTY in password authentication mode
# Click Open. Enter the user name and password as prompted, and press Enter. You
have logged in to the SSH server. (The following information is for your reference only.)
login as: client001
Sent username "client001"
client001@10.137.217.203's password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]: n
Info: The max number of VTY users is 21, the number of current VTY users
online is 2, and total number of terminal users online is 2.
The current login time is 2012-08-04 20:09:11+00:00.
First login successfully.
<HUAWEI>
2.2.1.2 Device Naming Configuration
Devices in this project are named using letters and numbers to facilitate tier-1 branch data center network implementation and branch network O&M. The name format is field1_field2_field3_nn.
Each field is described as follows according to the tier-1 branch data center network construction implementation objectives.

Field 1: Identifies the device installation position. For a tier-1 branch data center, the value is: abbreviation of tier-1 branch area + abbreviation of local area + bank level. The bank level is one of the following:
  Data center: 0
  Tier-1 branch: 1
  Tier-2 branch: 2
  Tier-3 branch: 3
  Reserved: 4
  Outlet: 5
  Downstream ATM: 6
For example, a branch at Changjiang Road in Hefei, Anhui province can be identified as AHCJL3.

Field 2: Identifies a functional area. According to the network architecture of the tier-1 branch data center, areas are defined as follows:
  1. Core area: CO
  2. Open platform area: OP
  3. Development and testing area: DT
  4. Operation and management area: OM
  5. Local user access area: LU
  6. Extranet: EP
  7. MAN/WAN access area: WN

Field 3: Identifies device functions and is defined as follows according to the logical hierarchy of the tier-1 branch data center:
  1. Core switch: CS
  2. Aggregation switch: DS
  3. Access switch: AS
  4. WAN access router: AR
  5. Firewall: FW

nn: Number of network devices of the same application system in the same area: 01 to 99
For example, DS 1 in the open platform area of xx Branch is named XX1_OP_DS_01.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] sysname XX1_OP_DS_01
[*HUAWEI] commit
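The naming scheme above is easy to get wrong by hand across dozens of devices, so an added example (Python, not code from the Huawei document) parses, builds and audits sysnames against it. The document does not fix the length of the branch and local-area abbreviations, so the pattern assumes 2 to 8 uppercase letters before the bank-level digit.

```python
import re
from dataclasses import dataclass

# Code tables copied from the naming scheme in the section above.
BANK_LEVELS = {"0": "Data center", "1": "Tier-1 branch", "2": "Tier-2 branch",
               "3": "Tier-3 branch", "4": "Reserved", "5": "Outlet",
               "6": "Downstream ATM"}
AREAS = {"CO": "Core area", "OP": "Open platform area",
         "DT": "Development and testing area",
         "OM": "Operation and management area",
         "LU": "Local user access area", "EP": "Extranet",
         "WN": "MAN/WAN access area"}
ROLES = {"CS": "Core switch", "DS": "Aggregation switch", "AS": "Access switch",
         "AR": "WAN access router", "FW": "Firewall"}

# Field 1 is "branch abbreviation + local-area abbreviation + bank level".
# Assumption (not stated in the document): 2 to 8 uppercase letters, then
# the single bank-level digit, e.g. "AHCJL" + "3".
_NAME_RE = re.compile(
    r"^(?P<location>[A-Z]{2,8})(?P<level>\d)"
    r"_(?P<area>[A-Z]{2})_(?P<role>[A-Z]{2})_(?P<nn>\d{2})$")


@dataclass(frozen=True)
class DeviceName:
    location: str  # field 1 without the bank-level digit, e.g. "AHCJL"
    level: str     # bank-level digit, e.g. "3"
    area: str      # field 2, e.g. "OP"
    role: str      # field 3, e.g. "DS"
    index: int     # nn as an integer, 1 to 99


def parse_device_name(name: str) -> DeviceName:
    """Split a sysname such as XX1_OP_DS_01 and reject values outside the scheme."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not in field1_field2_field3_nn form")
    location, level, area, role, nn = m.groups()
    if level not in BANK_LEVELS:
        raise ValueError(f"{name!r}: bank level {level} is not defined (0-6)")
    if area not in AREAS:
        raise ValueError(f"{name!r}: unknown functional area {area}")
    if role not in ROLES:
        raise ValueError(f"{name!r}: unknown device function {role}")
    index = int(nn)
    if not 1 <= index <= 99:
        raise ValueError(f"{name!r}: nn must be 01 to 99")
    return DeviceName(location, level, area, role, index)


def build_device_name(location: str, level: str, area: str, role: str,
                      index: int) -> str:
    """Assemble a name and validate it through the same rules before returning it."""
    name = f"{location}{level}_{area}_{role}_{index:02d}"
    parse_device_name(name)
    return name


def describe(name: str) -> str:
    """Human-readable form of a name, e.g. for an inventory report."""
    d = parse_device_name(name)
    return (f"{ROLES[d.role]} {d.index:02d} in the {AREAS[d.area]}, "
            f"{BANK_LEVELS[d.level]} at {d.location}")


def sysname_violations(config_text: str) -> list[str]:
    """Check every 'sysname' line of one or more saved configurations."""
    problems = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "sysname":
            try:
                parse_device_name(parts[1])
            except ValueError as exc:
                problems.append(str(exc))
    return problems
```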
2.2.1.3 Device Management Configuration
Device management configuration includes restarting a device and specifying system startup
files for the next startup.
The recommended configuration is to specify startup files for the next startup.
• Restarting a device
To make the specified system software and files take effect, restart the device after system startup configuration is complete. Devices can be restarted immediately or at a scheduled time.
Example for restarting a device immediately:
<HUAWEI> reboot
Example for restarting a device at a scheduled time:
<HUAWEI> schedule reboot at 22:00
Warning: The current configuration will be saved to the next startup saved-configuration file. Continue? [Y/N]:y
Now saving the current configuration...
Save the configuration successfully.
Info: Reboot system at 22:00:00 2015/07/17 UTC (in 15 hours and 49 minutes).
Confirm? [Y/N]:y
• Specifying system startup files
Specify the system software and configuration file for system startup so that the device will start with the specified software and initialize with the specified configuration file. If a new patch needs to be loaded during system startup, specify a patch file.
Example for specifying the system software for the next startup:
<HUAWEI> startup system-software basicsoft.cc slave-board
The optional parameter slave-board is valid only for switches with two MPUs.
2.2.1.4 Network Management Configuration
Network management is an important part in the standard configuration. Currently, SNMP is
widely used for network management. SNMP includes three versions: SNMPv1, SNMPv2c,
and SNMPv3. SNMPv1 and SNMPv2c perform authentication using community names,
resulting in security risks. SNMPv3 is recommended because it is more secure.
The following example configures a device to communicate with the NMS using SNMPv3.
1. Enable the SNMP agent.
<HUAWEI> system-view
[~HUAWEI] snmp-agent
2. Configure the SNMP version to SNMPv3.
[*HUAWEI] snmp-agent sys-info version v3
NOTE
You can configure the SNMP version according to your requirements while ensuring that the device and NMS use the same SNMP version. If they use different SNMP versions, the device cannot connect to the NMS.
3. Configure user access rights.
# Configure an ACL to allow only the packets with the source IP address 192.168.1.10 to pass through.
[*HUAWEI] acl 2001
[*HUAWEI-acl4-basic-2001] rule permit source 192.168.1.10 0.0.0.0
[*HUAWEI-acl4-basic-2001] quit
# Configure the MIB view as alliso and include the view iso.
[*HUAWEI] snmp-agent mib-view include alliso iso
NOTE
You are advised to configure user access rights according to your requirements.
4. Set the SNMPv3 user group name to huawei_group, user name to huawei_user, and security level to privacy, and apply access control.
[*HUAWEI] snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
[*HUAWEI] snmp-agent usm-user v3 huawei_user group huawei_group
[*HUAWEI] snmp-agent usm-user v3 huawei_user authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:            //Enter an authentication password.
Confirm Password:          //Confirm the authentication password.
[*HUAWEI] snmp-agent usm-user v3 huawei_user privacy-mode aes256
Please configure the privacy password (8-255)
Enter Password:            //Enter an encryption password.
Confirm Password:          //Confirm the encryption password.
5. Configure a trap host.
[*HUAWEI] snmp-agent target-host trap address udp-domain 192.168.1.10 params securityname huawei_user v3 privacy
[*HUAWEI] commit
2.2.1.5 Information Center Configuration
The operation and management area is the network management and maintenance center. It
collects the device operating status. To monitor the device operating status and locate faults,
you can send logs of devices to the management server in the maintenance and management
area through the information center.
Step 1 Enable the information center.
<HUAWEI> system-view
[~HUAWEI] info-center enable
[*HUAWEI] commit
Step 2 Configure the device to output logs to a log host.
[~HUAWEI] info-center loghost 10.1.1.1
[*HUAWEI] commit
----End
2.2.1.6 NTP Configuration
An NTP clock source on a data center network provides clock signals for all network devices.
All network devices in data centers synchronize their clocks with the NTP clock source.
Set the NTP working mode of all network devices to the unicast server/client mode, configure
CS1 as the primary time server, and ensure that CS1 has synchronized its time with an
authoritative clock (global positioning system). Configure CS2, DS, and AS as clients. To
ensure security, you are advised to enable the NTP authentication function.
Configure the NTP master clock, and enable the NTP authentication and NTP server
functions on CS1.
<CS1> system-view
[~CS1] ntp refclock-master 1
[*CS1] ntp authentication enable
[*CS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*CS1] ntp trusted authentication-keyid 42
[*CS1] undo ntp server disable
[*CS1] commit
Specify CS1 as the NTP server on DS1. The other configurations are similar.
<DS1> system-view
[~DS1] ntp authentication enable
[*DS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*DS1] ntp trusted authentication-keyid 42
[*DS1] ntp unicast-server 10.100.1.1 authentication-keyid 42
[*DS1] commit
2.2.2 Service Configuration
2.2.2.1 Interface Configuration
To ensure network reliability, physical interfaces comply with the following rules:
- An interface uses the auto-negotiation mode by default.
For example, the common configuration of a 10GE electrical interface is as follows:
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo negotiation disable
[*HUAWEI-10GE1/0/1] speed auto 100 1000 10000
[*HUAWEI-10GE1/0/1] commit
- A physical interface that is not in use must be in shutdown state.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] shutdown
[*HUAWEI-10GE1/0/1] commit
- An interface has link fault detection enabled.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port crc-statistics trigger error-down
[*HUAWEI-10GE1/0/1] commit
- The interfaces that are used for device interconnection are enabled in descending order
of interface number, and the interfaces that are used for terminal connections are enabled
in ascending order of interface number.
2.2.2.2 VLAN Configuration
The network is divided into multiple areas based on service types. In each area, there are
multiple types of application systems. Each service involves multiple sub-systems, which
have different service characteristics, protocol types, QoS requirements (such as the delay and
jitter), and security levels.
VLAN assignment needs to be configured to achieve the preceding network architecture.
VLAN technology differentiates services to implement QoS. It also logically isolates services
with different security levels, so that different security policies are enforced for different
VLANs and applications to improve network security.
Here, interface-based VLAN assignment is used. The principles and notes of VLAN
assignment are as follows:
1.
VLAN assignment principles
– Assign VLANs for interconnection between areas. VLAN IDs are valid only within
an area. A VLAN cannot span multiple areas.
– Assign a VLAN range in each functional area, and assign VLANs to applications of
different levels within the VLAN range in each area. Reserve some VLANs for
expansion of different application systems in each area.
– Define different VLAN ranges for different areas and assign different VLANs to
different service systems. Locate servers of the same service system in the same
VLAN and assign VLANs in ascending order of VLAN IDs. MAN and WAN users
share VLANs with local users.
2.
VLAN configuration notes
– In a functional area, all user VLANs are configured on ASs and DSs. AS-DS and
DS-DS Eth-Trunk links allow packets from service VLANs in the local area to pass
through.
– An Eth-Trunk link must not be configured to allow packets from all VLANs to pass
through; allow only the service VLANs that the link actually carries.
– All Eth-Trunk links prevent packets from VLAN 1 from passing through.
The following table describes the VLAN design.
Table 2-1 VLAN design
| No. | Function                       | VLAN ID                       | Remarks                           |
|-----|--------------------------------|-------------------------------|-----------------------------------|
| 1   | Open platform area             | 200-399                       | -                                 |
| 2   | Development and testing area   | 400-499                       | -                                 |
| 3   | Operation and management area  | 500-599                       | -                                 |
| 4   | Local user access area         | 850-949                       | Multiplexing by MAN and WAN users |
| 5   | Extranet                       | 650-699                       | -                                 |
| 6   | Network device interconnection | 800-849                       | -                                 |
| 7   | Network device management      | 600-649                       | -                                 |
| 8   | Reserved                       | 10-199, 700-799, and 950-1049 | -                                 |
Configure AS-server links as access links and the AS-DS and DS-DS links as trunk links.
VLAN configuration (AS1 is used as an example):
<AS1> system-view
[~AS1] vlan batch 200
[*AS1] interface ge 1/0/1
[*AS1-GE1/0/1] port default vlan 200
[*AS1-GE1/0/1] quit
[*AS1] interface 10ge 1/0/11
[*AS1-10GE1/0/11] port link-type trunk
[*AS1-10GE1/0/11] port trunk allow-pass vlan 200
[*AS1-10GE1/0/11] undo port trunk allow-pass vlan 1
[*AS1-10GE1/0/11] quit
[*AS1] interface 10ge 1/0/12
[*AS1-10GE1/0/12] port link-type trunk
[*AS1-10GE1/0/12] port trunk allow-pass vlan 200
[*AS1-10GE1/0/12] undo port trunk allow-pass vlan 1
[*AS1-10GE1/0/12] quit
[*AS1] commit
2.2.2.3 Link Aggregation Configuration
If high-bandwidth and high-reliability links are required, configure link aggregation.
Bundle CS-CS, CS-DS, DS-DS, DS-firewall, AS-DS, and AS-server links, as well as
heartbeat links between firewalls into link aggregation groups to improve bandwidth and
reliability.
Requirements for link aggregation deployment are:
- Deploy member interfaces on different cards to improve link reliability when one card
fails.
- Configure the manual load balancing mode and use member interfaces of the same rate.
- Configure member interfaces to work in auto-negotiation mode. (If auto-negotiation
fails, use the forcible mode and enable DLDP.)
Link aggregation configuration (the DS-DS link is used as an example):
<DS1> system-view
[~DS1] interface eth-trunk 1
[*DS1-Eth-Trunk1] trunkport 10ge 1/0/3
[*DS1-Eth-Trunk1] trunkport 10ge 2/0/3
[*DS1-Eth-Trunk1] port link-type trunk
[*DS1-Eth-Trunk1] port trunk allow-pass vlan 200
[*DS1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*DS1-Eth-Trunk1] quit
[*DS1] commit
<DS2> system-view
[~DS2] interface eth-trunk 1
[*DS2-Eth-Trunk1] trunkport 10ge 1/0/3
[*DS2-Eth-Trunk1] trunkport 10ge 2/0/3
[*DS2-Eth-Trunk1] port link-type trunk
[*DS2-Eth-Trunk1] port trunk allow-pass vlan 200
[*DS2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*DS2-Eth-Trunk1] quit
[*DS2] commit
By default, an Eth-Trunk works in manual load balancing mode.
2.2.2.4 IP Address Configuration
The IP address design for a new LAN of the branch data center should observe the following
principles:
- Use IPv4.
- IP addresses of interconnected interfaces use a 29-bit subnet mask (255.255.255.248) to
allow flexible network expansion and temporary deployment of test devices. One Class
C address space offers 32 interconnected network segments of LANs.
- Implement route summarization between the head office and branches.
- The gateway address in a LAN uses the largest IP address on the local network segment.
When VRRP or similar technologies are used, virtual addresses and actual addresses are
allocated in descending order of IP address.
- The management address (Loopback0) of a network device uses a 32-bit subnet mask
(255.255.255.255), which is used as the ID of a routing protocol such as OSPF. Assign
contiguous addresses on a network segment as management addresses of all network
devices based on the network layers where they are located.
- Assign IP addresses to devices in each area. Apply the IP address plan of an area to the
downlink interfaces of aggregation switches in the area (including interconnection
interfaces of the switches at the distribution layer) and access switches connected to the
downlink interfaces. Apply the IP address plan of the core switching layer to core
switches' interfaces connected to other areas. Apply the MAN/WAN IP address plan to
DS switches' interfaces connected to WAN/MAN devices.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] interface vlanif 201
[*HUAWEI-Vlanif201] ip address 10.1.0.1 255.255.255.0
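The addressing principles above can be checked mechanically before any interface is configured. The following Python script is an added example and is not part of the Huawei document; the block 10.1.8.0/24, the server segment 10.1.0.0/24, the loopback start addresses and the device names are constructed sample values. It carves one Class C block into the 29-bit interconnection segments described above (32 per /24), picks the gateway as the largest usable address of a segment, hands out the VRRP virtual address and the members' real addresses in descending order, and assigns contiguous 32-bit management addresses per network layer.

```python
import ipaddress

# Added example (not from the Huawei document): the block, the server segment
# and the device names below are constructed sample values.
INTERCONNECT_BLOCK = "10.1.8.0/24"   # one Class C block reserved for links
SERVER_SEGMENT = "10.1.0.0/24"       # one server VLAN behind a VRRP gateway


def interconnect_segments(block, prefix=29):
    """Split a block into /29 interconnection segments (a /24 yields 32)."""
    net = ipaddress.ip_network(block, strict=True)
    return [str(s) for s in net.subnets(new_prefix=prefix)]


def gateway_plan(segment, vrrp_members=0):
    """Gateway = largest usable address of the segment.

    With VRRP the virtual address takes the largest usable address and the
    members' real addresses follow it in descending order.
    """
    hosts = list(ipaddress.ip_network(segment, strict=True).hosts())
    if len(hosts) < vrrp_members + 1:
        raise ValueError(f"{segment} is too small for {vrrp_members} VRRP members")
    plan = {"gateway": str(hosts[-1])}
    if vrrp_members:
        plan["virtual_ip"] = str(hosts[-1])
        plan["real_ips"] = [str(hosts[-1 - i]) for i in range(1, vrrp_members + 1)]
    return plan


def management_addresses(first_address, devices):
    """Contiguous Loopback0 /32 addresses for one network layer, in device order."""
    start = ipaddress.ip_address(first_address)
    return {name: f"{start + i}/32" for i, name in enumerate(devices)}


if __name__ == "__main__":
    segs = interconnect_segments(INTERCONNECT_BLOCK)
    print(len(segs), "interconnection segments; first:", segs[0],
          "gateway:", gateway_plan(segs[0])["gateway"])
    print("server VLAN:", gateway_plan(SERVER_SEGMENT, vrrp_members=2))
    print("core loopbacks:", management_addresses("172.16.1.1", ["CS1", "CS2"]))
    print("distribution loopbacks:", management_addresses("172.16.1.11", ["DS1", "DS2"]))
```

Running the script prints 32 segments starting at 10.1.8.0/29 with gateway 10.1.8.6, and for the server VLAN a virtual address of 10.1.0.254 with real addresses 10.1.0.253 and 10.1.0.252, which is the descending allocation the principles call for.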
2.2.2.5 STP Configuration
Loop prevention protocols are important on Layer 2 networks. It is recommended that STP
and MSTP be used to eliminate loops.
Here, the MSTP configuration is used as an example. When service and reliability
requirements are met, simplify configurations as much as possible to achieve easy deployment
and maintenance.
A functional area in a data center is used as an example.
Role: DS1
MSTP global configuration:
1. Configure the root bridge (which also functions as the default VRRP master).
2. Configure TC protection.
3. Configure root protection on the port connected to the AS.
4. Configure BPDU protection (only after edge ports are configured).
MSTP port configuration:
1. Disable MSTP on the ports connected to the CSs.
2. If the DS is connected to a firewall working in routing mode, disable MSTP on the port
connected to the firewall.
3. Configure the port directly connected to a server as an edge port.
Role: DS2
MSTP global configuration:
1. Configure the secondary root bridge.
2. Configure TC protection.
3. Configure BPDU protection (only after edge ports are configured).
MSTP port configuration:
1. Disable MSTP on the ports connected to the CSs.
2. If the DS is connected to a firewall working in routing mode, disable MSTP on the port
connected to the firewall.
3. Configure the port directly connected to a server as an edge port.
Role: AS
MSTP global configuration:
1. Configure TC protection.
2. Configure BPDU protection.
MSTP port configuration:
1. Configure the port directly connected to a terminal such as a server as an edge port.
MSTP configuration points:
1.
Create MSTI 1 in MST region RG1 on DSs and ASs.
DS1 is used as an example. The configurations of other switches are similar.
<DS1> system-view
[~DS1] stp region-configuration
[~DS1-mst-region] region-name RG1
[*DS1-mst-region] instance 1 vlan 200
[*DS1-mst-region] quit
[*DS1] commit
2.
Configure DS1 as the root bridge and DS2 as the secondary root bridge in MSTI 1.
[~DS1] stp instance 1 root primary
[*DS1] commit
[~DS2] stp instance 1 root secondary
[*DS2] commit
3.
Configure DS1, DS2, AS1, and AS2 to use the Huawei proprietary algorithm to calculate
the path cost, and set the path cost of the port to be blocked on each AS to be larger than
the default value in MSTI 1.
[~DS1] stp pathcost-standard legacy
[*DS1] commit
[~DS2] stp pathcost-standard legacy
[*DS2] commit
[~AS1] stp pathcost-standard legacy
[*AS1] interface 10ge 1/0/12
[*AS1-10GE1/0/12] stp instance 1 cost 20000
[*AS1-10GE1/0/12] quit
[*AS1] commit
[~AS2] stp pathcost-standard legacy
[*AS2] interface 10ge 1/0/11
[*AS2-10GE1/0/11] stp instance 1 cost 20000
[*AS2-10GE1/0/11] quit
[*AS2] commit
4.
Enable MSTP to prevent loops.
DS1 is used as an example. The configurations of other switches are similar.
[~DS1] stp enable
[*DS1] commit
5.
Configure protection functions and configure the port connected to a server as an edge
port.
[~DS1] stp tc-protection
[*DS1] interface 10ge 1/0/1
[*DS1-10GE1/0/1] stp root-protection
[*DS1-10GE1/0/1] quit
[*DS1] interface 10ge 1/0/2
[*DS1-10GE1/0/2] stp root-protection
[*DS1-10GE1/0/2] quit
[*DS1] commit
[~DS2] stp tc-protection
[*DS2] commit
[~AS1] stp tc-protection
[*AS1] interface ge 1/0/1
[*AS1-GE1/0/1] stp edged-port enable
[*AS1-GE1/0/1] quit
[*AS1] stp bpdu-protection
[*AS1] commit
[~AS2] stp tc-protection
[*AS2] interface ge 1/0/1
[*AS2-GE1/0/1] stp edged-port enable
[*AS2-GE1/0/1] quit
[*AS2] stp bpdu-protection
[*AS2] commit
2.2.3 Reliability Configuration
2.2.3.1 VRRP Configuration
Generally, all hosts on a network are configured with the same default route that points to the
egress gateway so that the hosts can communicate with external networks. When the egress
gateway fails, the communication between the hosts and external networks is interrupted.
VRRP virtualizes multiple routing devices into one logical device and uses the IP address of
the logical device as the default gateway address so that the routing devices can communicate
with external networks. When the gateway fails, VRRP can select a new gateway to transmit
data traffic, ensuring network reliability.
Different VLANs are created on DS1 and DS2, IP addresses are assigned to VLANIF
interfaces, and VRRP is configured. Different VRRP virtual IP addresses are used as gateway
addresses of server groups on ASs, and the Eth-Trunk between DS1 and DS2 allows packets
from the VLANs to pass through. MSTP is deployed between ASs and DSs to eliminate
loops, and the blocked point is configured on the link between the backup device and
downlink switch. OSPF is configured on DSs and CSs to implement Layer 3 interworking.
VRRP configuration points:
1.
Create VRRP group 1 on DS1.
<DS1> system-view
[~DS1] interface vlanif 100
[~DS1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
2.
Configure the priority of DS1 in the VRRP group.
[*DS1-Vlanif100] vrrp vrid 1 priority 120
3.
Set the preemption delay of VRRP group 1 on DS1 to 20s.
[*DS1-Vlanif100] vrrp vrid 1 preempt timer delay 20
4.
Set the interval for sending VRRP Advertisement packets of VRRP group 1 on DS1 to
2s.
[*DS1-Vlanif100] vrrp vrid 1 timer advertise 2
[*DS1-Vlanif100] commit
[~DS1-Vlanif100] quit
5.
Create VRRP group 1 on DS2.
<DS2> system-view
[~DS2] interface vlanif 100
[~DS2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
6.
Set the interval for sending VRRP Advertisement packets of VRRP group 1 on DS2 to
2s.
[*DS2-Vlanif100] vrrp vrid 1 timer advertise 2
[*DS2-Vlanif100] commit
[~DS2-Vlanif100] quit
7.
To implement load balancing, configure two or more VRRP groups on an interface. The
VRRP groups are differentiated using VRIDs.
– Configure VRRP group 2 and parameters on DS1.
[~DS1] interface vlanif 100
[~DS1-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
[*DS1-Vlanif100] vrrp vrid 2 timer advertise 2
[*DS1-Vlanif100] commit
[~DS1-Vlanif100] quit
– Configure VRRP group 2 and parameters on DS2.
[~DS2] interface vlanif 100
[~DS2-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.112
[*DS2-Vlanif100] vrrp vrid 2 priority 120
[*DS2-Vlanif100] vrrp vrid 2 preempt timer delay 20
[*DS2-Vlanif100] vrrp vrid 2 timer advertise 2
[*DS2-Vlanif100] commit
[~DS2-Vlanif100] quit
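The two-group layout in step 7 works because each DS holds the higher priority in exactly one group; the other group falls to the peer. The following Python script is an added example and is not part of the Huawei document. It reuses the values of this section (priority 120 on the intended master, the default priority 100 elsewhere, a 2 s advertisement interval and a 20 s preemption delay); the real interface addresses 10.1.1.252 and 10.1.1.253 are constructed. It elects the master of each group by the VRRP rule (highest priority, then highest real IP address on a tie) and computes how long a backup waits before taking over when advertisements stop, using the master-down interval of RFC 3768.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the Huawei document). Priorities, advertisement
# interval and preemption delay follow the section above; the real interface
# addresses are constructed sample values.
DEFAULT_PRIORITY = 100


@dataclass(frozen=True)
class Member:
    router: str
    real_ip: str
    priority: int = DEFAULT_PRIORITY


def elect_master(members):
    """Highest priority wins; on a tie the member with the larger real IP wins."""
    best = max(members, key=lambda m: (m.priority, int(ipaddress.ip_address(m.real_ip))))
    return best.router


def master_down_interval(advertise_s, backup_priority):
    """Seconds a backup waits without advertisements before becoming master.

    RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    with Skew_Time = (256 - Priority) / 256.
    """
    return 3 * advertise_s + (256 - backup_priority) / 256


def takeover_time(advertise_s, backup_priority, preempt_delay_s, master_recovered):
    """Delay before a role change: failover when the master is lost, or the
    configured preemption delay when a higher-priority master comes back."""
    if master_recovered:
        return preempt_delay_s
    return master_down_interval(advertise_s, backup_priority)


def load_balanced_groups():
    """Two VRRP groups on Vlanif100: DS1 should lead group 1, DS2 group 2."""
    groups = {
        1: [Member("DS1", "10.1.1.252", priority=120), Member("DS2", "10.1.1.253")],
        2: [Member("DS1", "10.1.1.252"), Member("DS2", "10.1.1.253", priority=120)],
    }
    return {vrid: elect_master(members) for vrid, members in groups.items()}


if __name__ == "__main__":
    print("masters per VRID:", load_balanced_groups())
    print("backup (priority 100) takes over after",
          master_down_interval(2, 100), "s without advertisements")
    print("recovered DS1 preempts after", takeover_time(2, 100, 20, True), "s")
```

With the section's 2 s advertisement interval a priority-100 backup declares the master down after 6.609375 s; with the 1 s default it would be 3.609375 s, which is the trade-off behind raising the interval. If both DSs were left at the default priority, group 1 would go to DS2 purely because 10.1.1.253 is the larger address, so the explicit priority 120 is what pins the design.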
2.2.3.2 Smart Link Configuration
Smart Link is used in dual-homing networking to implement link redundancy.
Two uplinks constitute a backup link group. In a Smart Link group, only the master interface is
in active state, and the slave interface is in inactive state. When the active link in forwarding
state fails, the Smart Link group blocks the master interface and switches the slave interface
to the forwarding state.
For the tier-1 branch data center shown in the networking, each AS is dual-homed to two DSs,
two uplinks (uplinks can constitute an Eth-Trunk link) join one Smart Link group, and the
entire network is loop-free.
During topology calculation, ASs can use Smart Link to prevent loops without exchanging
protocol packets with remote devices. The remote device needs to process Flush packets sent
by an AS so that MAC address entries can be updated rapidly upon topology changes. Smart
Link is a proprietary protocol. When DSs and ASs are devices of different vendors, DSs
cannot update MAC address entries immediately because they cannot identify proprietary
protocol packets. Servers continuously send various types of data packets, so such a problem
has little impact. (There are differences between MAC address entry update mechanisms of
technologies similar to Smart Link.)
Smart Link configuration points:
1.
Add two uplink interfaces to a Smart Link group.
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] stp disable
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] stp disable
[*HUAWEI-10GE1/0/2] commit
[~HUAWEI-10GE1/0/2] quit
[~HUAWEI] smart-link group 1
[*HUAWEI-smlk-group1] port 10ge 1/0/1 master
[*HUAWEI-smlk-group1] port 10ge 1/0/2 slave
[*HUAWEI-smlk-group1] commit
2.
Bind a protection instance to the Smart Link group.
[~HUAWEI] smart-link group 1
[*HUAWEI-smlk-group1] protected-vlan reference-instance 10
3.
Configure the device to send Flush packets.
[*HUAWEI-smlk-group1] flush send control-vlan 200 password sha 123
[*HUAWEI-smlk-group1] quit
[*HUAWEI] commit
4.
Configure the device to receive Flush packets.
For example, if AS1 is configured to send Flush packets, DS1 and DS2 need to be
configured to receive Flush packets.
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] stp disable
[*HUAWEI-10GE1/0/1] smart-link flush receive control-vlan 200 password sha 123
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] smart-link flush receive control-vlan 200 password sha 123
[*HUAWEI-10GE1/0/2] commit
[~HUAWEI-10GE1/0/2] quit
5.
To implement load balancing, create multiple VLAN instances and specify a load
balancing instance.
[~HUAWEI] stp region-configuration
[~HUAWEI-mst-region] instance 10 vlan 201
[*HUAWEI-mst-region] commit
[~HUAWEI-mst-region] quit
[~HUAWEI] smart-link group 1
[~HUAWEI-smlk-group1] load-balance instance 10 slave
[*HUAWEI-smlk-group1] commit
6.
Set the WTR time to be more than 60s.
[~HUAWEI-smlk-group1] restore enable
[*HUAWEI-smlk-group1] timer wtr 120
[*HUAWEI-smlk-group1] commit
2.2.3.3 DLDP
The Device Link Detection Protocol (DLDP) is used to detect unidirectional links. DLDP
automatically shuts down or notifies the network administrator if a unidirectional link fault
occurs.
If optical fibers are intersected, an optical fiber is disconnected, or a line in the copper twisted
pair wire or optical fiber is disconnected, the interface on one end of the link can receive the
link layer packets from the remote device, but the remote device cannot receive packets from
the local device. This link is a unidirectional link. The physical layer of a unidirectional link is
in connected state and can work properly. The detection mechanisms at the physical layer
such as auto-negotiation cannot detect faults on communication among devices. This may
lead to incorrect traffic forwarding.
As shown in the two figures, a unidirectional link fault may be caused by intersected fibers or
disconnection of an optical fiber.
DLDP can work in normal or enhanced mode:
- Normal mode: DLDP can identify only unidirectional links caused by intersected fibers.
- Enhanced mode: DLDP can identify unidirectional links caused by intersected fibers or
disconnection of an optical fiber. By default, DLDP works in enhanced mode.
Default values of DLDP parameters:
| Parameter                                                            | Default Value |
|----------------------------------------------------------------------|---------------|
| DLDP status                                                          | Disabled      |
| DLDP working mode                                                    | Enhanced      |
| Shutdown mode of an interface after a unidirectional link is detected | Automatic     |
The following DLDP configurations are recommended when DLDP needs to be enabled on
the interconnected interfaces between devices.
1.
Enable DLDP globally.
<HUAWEI> system-view
[~HUAWEI] dldp enable
[*HUAWEI] commit
2.
Enable DLDP on an interface.
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dldp enable
[*HUAWEI-10GE1/0/1] commit
2.2.4 Routing Configuration
The following figure shows routing design for a tier 1 branch data center.
Data center design consists of LAN design and MAN&WAN design.
Entire Routing Design
The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2
branches and uses OSPF as an IGP within itself.
In the LAN, the core area and other areas use OSPF to provide service routes, except that the
extranet uses static routes between the DS and AR.
EBGP
The tier 1 branch is planned as an independent autonomous system (AS) and uses a private
AS number.
IBGP
The WAN area of the tier 1 branch runs IBGP. OSPF 300 ensures connectivity for IBGP
between the WN_DSs and WN_ARs in the WAN area.
Three OSPF processes are designed on the network: OSPF 300, OSPF 400, and OSPF 500.
OSPF 300
OSPF 300 ensures IBGP connectivity between the WN_DSs and WN_ARs in the WAN area.
Links between the devices in the WAN area belong to Area 0.
OSPF 400
OSPF 400 ensures that there are reachable routes between the MAN/WAN area of the tier 1
branch and intra-city organizations. Interconnected links belong to Area 0.
OSPF 500
OSPF 500 ensures that there are reachable routes between the LAN area of branches and
WN_DSs. Interconnected links belong to Area 0 to transmit services of the tier 1 branch.
Static route
The EP_AR in the extranet and external FW, external FW and internal FW, as well as internal
FW and EP_DS use static routes to communicate.
Routing Protocol Preference/Distance Design
Preferences of routing protocols to be used on all network devices are planned to ensure
consistent route selection between routing protocols on devices of different vendors.
| Protocol              | Preference |
|-----------------------|------------|
| Static route          | 5          |
| OSPF                  | 10         |
| IBGP                  | 170        |
| EBGP                  | 170        |
| OSPF ASE              | 190        |
| Floating static route | 200        |
2.2.4.1 LAN Routing Configuration
Routing Design and Basic Function Configuration
Figure 2-3 LAN routing design diagram
In the data center LAN shown in the figure, ASs are access devices, and LAN_DSs are
aggregation devices in the LAN; gateways are configured on the aggregation devices, and
VRRP is configured on the downlink interfaces of the LAN_DSs to ensure reliability. CSs are
core forwarding devices, and WAN_DSs are aggregation devices in the MAN/WAN area that
connect the LAN core devices to the network egress routers.
This example uses OSPF to ensure intra-area connectivity.
OSPF Area Partition
The entire network uses OSPF process 500. Only a small number of devices run OSPF in the
LAN. Therefore, OSPF 500 uses only the backbone area Area 0. The following interfaces and
IP address need to be advertised in OSPF process 500:
- Virtual IP address of the VRRP group on downlink interfaces of LAN_DSs
- Interconnected interfaces between LAN_DSs and CSs, and between WAN_DSs and CSs
- Loopback interface whose IP address will be used as a router ID (This interface does not
need to participate in OSPF calculation and so is configured as a silent interface.)
OSPF Router ID Design
In each OSPF process, a router must have a unique router ID to identify itself. By default, the
largest loopback interface IP address is used as the router ID. To ensure a stable OSPF router
ID, specify the IP address of Loopback 0 as a router ID when configuring an OSPF process.
Basic OSPF Function Configuration
Here, LAN_DS_01 is used as an example:
<LAN_DS_01> system-view
[~LAN_DS_01] interface loopback 0
[*LAN_DS_01-LoopBack0] ip address 172.16.1.1 32
[*LAN_DS_01-LoopBack0] quit
[*LAN_DS_01] ospf 500 router-id 172.16.1.1
[*LAN_DS_01-ospf-500] silent-interface loopback 0
[*LAN_DS_01-ospf-500] area 0
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] commit
Here, CS_01 is used as an example:
<CS_01> system-view
[~CS_01] interface loopback 0
[*CS_01-LoopBack0] ip address 172.16.1.2 32
[*CS_01-LoopBack0] quit
[*CS_01] ospf 500 router-id 172.16.1.2
[*CS_01-ospf-500] silent-interface loopback 0
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.1.6.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] commit
Routing Protocol Performance, Reliability, and Security Design and
Configuration
Here, CS_01 is used as an example. The configurations of other devices are similar to that of
CS_01.
OSPF Interface Network Type Design
By default, the network type of OSPF interfaces on an Ethernet network is broadcast. In this
example, every two OSPF neighbors are interconnected. To speed up OSPF neighbor
relationship establishment and route convergence, you can set the network type of non-silent
OSPF interfaces to point-to-point.
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf network-type p2p
OSPF Timer Design
Unless special requirements need to be met, default OSPF timer values are recommended.
This example uses default values of all OSPF timers. If you need to modify timer parameter
values, ensure that neighbors use the same OSPF timer parameter values.
For example, you can use the following commands to modify the interval for sending Hello
packets to 20s:
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf timer hello 20
OSPF Metric Design
By default, the metric value of an OSPF interface is automatically calculated using the
formula: Reference bandwidth/Interface bandwidth. The reference bandwidth can be modified
and defaults to 100 Mbps.
In this example, to facilitate maintenance and management, you can manually configure and
design the metric value of each link without using the preceding formula.
Table 2-2 OSPF metric design
| No. | Link                                               | Metric                 |
|-----|----------------------------------------------------|------------------------|
| 1   | East-to-west links between CSs, and between DSs    | 100                    |
| 2   | South-to-north links between CSs and DSs           | 100                    |
| 3   | DS service interfaces                              | 1000                   |
| 4   | CS/DS loopback interfaces                          | 0 (no need to configure) |
To set the metric of the link between CSs to 100, use the following commands:
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf cost 100
BFD for OSPF
In BFD for OSPF, a BFD session is associated with OSPF. The BFD session quickly detects a
link fault and then notifies OSPF of the fault. This speeds up OSPF's response to the change
of the network topology.
A dynamic BFD session established between all non-silent OSPF interfaces and neighbors
can implement millisecond-level detection of faults on the links between OSPF neighbors and
associate fast OSPF neighbor status switching to trigger route convergence calculation. The
link faults include physical link faults and upper-layer forwarding faults.
All BFD sessions use the following parameters.
Table 2-3 BFD for OSPF parameter design
| Parameter         | Parameter Description                                                        | Recommended Value |
|-------------------|------------------------------------------------------------------------------|-------------------|
| min-rx-interval   | Specifies the minimum interval at which BFD packets are received from the peer end. | 1000 ms      |
| min-tx-interval   | Specifies the minimum interval for sending BFD packets to the peer end.      | 1000 ms           |
| detect-multiplier | Specifies the local detection multiplier.                                    | 3                 |
<CS_01> system-view
[~CS_01] bfd
[*CS_01-bfd] quit
[*CS_01] ospf 500
[*CS_01-ospf-500] bfd all-interfaces enable
[*CS_01-ospf-500] bfd all-interfaces min-tx-interval 1000 min-rx-interval 1000
detect-multiplier 3
OSPF Smart Timer Design
In an unstable network, route calculation may be performed frequently, which consumes a
large amount of CPU resources. In addition, LSAs that describe the unstable topology are
generated and advertised frequently, and processing such LSAs frequently affects network
stability. The OSPF smart timer controls route calculation, LSA generation, and LSA
receiving to speed up network convergence.
The OSPF smart timer speeds up network convergence in the following ways:
- In a network where routes are frequently calculated, the OSPF smart timer dynamically
adjusts the interval for calculating routes according to the user configuration and
exponential backoff. In this manner, the number of route calculations is reduced, and so
CPU resource consumption is reduced. Routes are calculated after the network topology
becomes stable.
- In an unstable network, if a router generates or receives LSAs due to frequent topology
changes, the OSPF smart timer can dynamically adjust the interval for generating and
receiving LSAs. No LSA is generated or handled within an interval, which prevents
invalid LSAs from being generated and advertised in the entire network.
OSPF smart timer uses the following parameters.
Table 2-4 OSPF smart timer design
| Smart Timer            | Description                                  | Recommended Value                                                                                                           |
|------------------------|----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
| spf-schedule-interval  | Specifies the interval for calculating OSPF routes. | The default value is recommended. That is, the maximum interval for SPF calculation is 10000 ms, the initial interval is 500 ms, and the base interval is 1000 ms. |
| lsa-arrival-interval   | Specifies the interval for receiving LSAs.   | The default value is recommended. That is, the maximum interval for receiving LSAs is 1000 ms, the initial interval is 500 ms, and the base interval is 500 ms.     |
| lsa-originate-interval | Specifies the interval for updating LSAs.    | The default value is recommended. That is, the maximum interval for updating LSAs is 5000 ms, the initial interval is 500 ms, and the base interval is 1000 ms.     |
<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] lsa-arrival-interval intelligent-timer 1000 500 500
[*CS_01-ospf-500] lsa-originate-interval intelligent-timer 5000 500 1000
[*CS_01-ospf-500] spf-schedule-interval intelligent-timer 10000 500 1000
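The three `intelligent-timer` commands each take a maximum, an initial and a base interval, and the section states that the interval grows by exponential backoff while the topology keeps changing. The following Python script is an added example and is not part of the Huawei document. It models that backoff under an assumed schedule: the first wait is the initial interval, the second is the base interval, and every later wait doubles the previous one until the maximum interval caps it; the rule that resets the timer to its initial value once the network has been quiet is not modelled. It then compares how many SPF runs a plain fixed timer and the backoff timer would perform during the same 60 s flapping window, using the default values from Table 2-4.

```python
# Added example (not from the Huawei document). The backoff schedule below is
# an assumption made for illustration: initial interval, then base interval,
# then doubling, capped at the maximum. The reset-to-initial behaviour that
# applies after the network becomes stable is not modelled.

# Default values from Table 2-4: (max_ms, initial_ms, base_ms)
SPF_DEFAULTS = (10000, 500, 1000)
LSA_ARRIVAL_DEFAULTS = (1000, 500, 500)
LSA_ORIGINATE_DEFAULTS = (5000, 500, 1000)


def intelligent_timer_schedule(max_ms, start_ms, hold_ms, events):
    """Wait (ms) applied before each of `events` back-to-back triggers."""
    if not (0 < start_ms <= max_ms and 0 < hold_ms <= max_ms):
        raise ValueError("initial and base intervals must lie within (0, max]")
    waits = []
    for n in range(events):
        if n == 0:
            wait = start_ms            # first trigger: initial interval
        elif n == 1:
            wait = hold_ms             # second trigger: base interval
        else:
            wait = min(waits[-1] * 2, max_ms)  # then double, capped at max
        waits.append(wait)
    return waits


def runs_under_fixed_timer(interval_ms, window_ms):
    """Calculations a plain periodic timer runs in a window of constant churn."""
    return window_ms // interval_ms


def runs_under_backoff(max_ms, start_ms, hold_ms, window_ms):
    """Calculations the backoff timer runs in the same window of constant churn."""
    elapsed, runs = 0, 0
    while True:
        wait = intelligent_timer_schedule(max_ms, start_ms, hold_ms, runs + 1)[-1]
        if elapsed + wait > window_ms:
            return runs
        elapsed += wait
        runs += 1


if __name__ == "__main__":
    print("SPF waits (ms):", intelligent_timer_schedule(*SPF_DEFAULTS, 7))
    print("LSA arrival waits (ms):", intelligent_timer_schedule(*LSA_ARRIVAL_DEFAULTS, 5))
    print("LSA originate waits (ms):", intelligent_timer_schedule(*LSA_ORIGINATE_DEFAULTS, 6))
    window = 60_000  # 60 s of continuous topology flapping
    print("SPF runs in 60 s, fixed 500 ms timer:", runs_under_fixed_timer(500, window))
    print("SPF runs in 60 s, intelligent timer:", runs_under_backoff(*SPF_DEFAULTS, window))
```

Under these assumptions the SPF waits run 500, 1000, 2000, 4000, 8000 and then stay at 10000 ms, so a minute of continuous flapping costs nine SPF runs instead of the 120 a fixed 500 ms timer would schedule, while the first reaction to a change is still only 500 ms away.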
OSPF Route Authentication
To prevent unauthorized devices from joining an OSPF network and obtaining routing information, configure OSPF route authentication. In this example, OSPF area authentication is configured with MD5 as the authentication mode; the authentication password is not provided here and can be specified according to your requirements.
<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] authentication-mode md5 1 cipher xxxxxxxx
2.2.4.2 Extranet Routing Configuration
Figure 2-4 Extranet routing design diagram
The extranet connects the data center to other service areas. Because fine-grained control of access rights is required, the extranet uses an in-line firewall connection for networking. In the routing design, the extranet uses static specific routes and static default routes, and its routes are separated from those of the LAN. The following provides the key configuration of each device.
Aggregation Switches (EP_DSs) in the Extranet
Aggregation switches (EP_DSs) in the extranet use OSPF to communicate with CSs of the
LAN and need to have static specific routes to all extranet service network segments
configured on downlink interfaces. The next-hop address of the routes is the uplink VRRP
virtual address of firewalls (EP_FWs). For details about the configuration of OSPF 500 and
VRRP, see the LAN Routing Configuration. The following provides only the static specific
route configuration of EP_DS_01. The configuration of EP_DS_02 is the same as that of
EP_DS_01.
<EP_DS_01> system-view
[~EP_DS_01] ip route-static 172.16.1.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.2.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.3.0 24 10.3.1.1
Firewall (EP_FW)
EP_FWs communicate with uplink devices using static default routes with the next-hop
address as the downlink VRRP virtual address of EP_DS. EP_FWs have static specific routes
to all extranet service network segments configured on downlink interfaces. The next-hop
address of the routes is the uplink VRRP virtual address of access devices (EP_ASs) in the
extranet. The following provides only the static route configuration of EP_FW_01. The
configuration of EP_FW_02 is the same as that of EP_FW_01.
<EP_FW_01> system-view
[~EP_FW_01] ip route-static 172.16.1.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.2.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.3.0 24 10.1.1.1
[*EP_FW_01] ip route-static 0.0.0.0 0 10.4.1.1
Access Devices (EP_ASs) in the Extranet
EP_ASs communicate with uplink devices using static default routes with the next-hop
address as the downlink VRRP virtual address of EP_FW. EP_ASs have static specific routes
to all extranet service network segments configured on downlink interfaces. The next-hop
address of the routes is the IP address of the interface on the directly connected peer device.
The following provides the static route configuration of EP_AS_01, in which x.x.x.x indicates
the IP address of the interface on the directly connected peer device.
<EP_AS_01> system-view
[~EP_AS_01] ip route-static 172.16.1.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.2.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.3.0 24 x.x.x.x
[*EP_AS_01] ip route-static 0.0.0.0 0 10.2.1.1
2.2.4.3 MAN/WAN Routing Configuration
The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2
branches.
2.2.5 Security
2.2.5.1 ACL-based Antivirus Configuration
To prevent the spread of viruses that have Layer 3 and Layer 4 characteristics, it is recommended that you configure ACLs on network devices to filter data flows, improving network security. The recommended antivirus configuration is as follows:
[*HUAWEI] acl number 3000
[*HUAWEI-acl4-advance-3000] rule 0 deny tcp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 1 deny udp destination-port eq 445
[*HUAWEI-acl4-advance-3000] rule 2 deny tcp destination-port eq 135
[*HUAWEI-acl4-advance-3000] rule 3 deny tcp destination-port eq 136
[*HUAWEI-acl4-advance-3000] rule 4 deny tcp destination-port eq 137
[*HUAWEI-acl4-advance-3000] rule 5 deny tcp destination-port eq 138
[*HUAWEI-acl4-advance-3000] rule 6 deny tcp destination-port eq 139
[*HUAWEI-acl4-advance-3000] rule 7 deny udp destination-port eq 135
[*HUAWEI-acl4-advance-3000] rule 8 deny udp destination-port eq 136
[*HUAWEI-acl4-advance-3000] rule 9 deny udp destination-port eq netbios-ns
[*HUAWEI-acl4-advance-3000] rule 10 deny udp destination-port eq netbios-dgm
[*HUAWEI-acl4-advance-3000] rule 11 deny udp destination-port eq netbios-ssn
[*HUAWEI-acl4-advance-3000] rule 12 deny udp destination-port eq 1434
[*HUAWEI-acl4-advance-3000] rule 13 deny udp destination-port eq 6667
[*HUAWEI-acl4-advance-3000] rule 14 deny udp destination-port eq 7626
[*HUAWEI-acl4-advance-3000] rule 15 deny udp destination-port eq 6789
[*HUAWEI-acl4-advance-3000] rule 16 deny udp destination-port eq 5800
[*HUAWEI-acl4-advance-3000] rule 17 deny udp destination-port eq 5900
[*HUAWEI-acl4-advance-3000] rule 18 deny tcp destination-port eq 5900
[*HUAWEI-acl4-advance-3000] rule 19 deny tcp destination-port eq 5800
[*HUAWEI-acl4-advance-3000] rule 20 deny tcp destination-port eq 1999
[*HUAWEI-acl4-advance-3000] rule 21 deny tcp destination-port eq 5554
[*HUAWEI-acl4-advance-3000] rule 22 deny tcp destination-port eq 9995
[*HUAWEI-acl4-advance-3000] rule 23 deny tcp destination-port eq 9996
[*HUAWEI-acl4-advance-3000] rule 24 deny udp destination-port eq 12345
[*HUAWEI-acl4-advance-3000] rule 25 deny udp destination-port eq 1057
[*HUAWEI-acl4-advance-3000] rule 26 deny udp destination-port eq 2616
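An added example, not from the Huawei document: a small Python checker that parses the ACL 3000 rules above, tells whether a given flow would be denied, and lists the ports that are denied for only one transport so that a hand-maintained list can be reviewed. It assumes ascending rule-ID match order and an implicit permit for flows that match no rule.

```python
"""Checker for the ACL 3000 antivirus filter configured above (added example,
not Huawei's code). Assumptions: rules match in ascending rule-ID order and a
flow matching no rule is permitted, the traffic-filter default."""
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input: the rules from the configuration above with prompts removed.
ACL_TEXT = """\
acl number 3000
 rule 0 deny tcp destination-port eq 445
 rule 1 deny udp destination-port eq 445
 rule 2 deny tcp destination-port eq 135
 rule 3 deny tcp destination-port eq 136
 rule 4 deny tcp destination-port eq 137
 rule 5 deny tcp destination-port eq 138
 rule 6 deny tcp destination-port eq 139
 rule 7 deny udp destination-port eq 135
 rule 8 deny udp destination-port eq 136
 rule 9 deny udp destination-port eq netbios-ns
 rule 10 deny udp destination-port eq netbios-dgm
 rule 11 deny udp destination-port eq netbios-ssn
 rule 12 deny udp destination-port eq 1434
 rule 13 deny udp destination-port eq 6667
 rule 14 deny udp destination-port eq 7626
 rule 15 deny udp destination-port eq 6789
 rule 16 deny udp destination-port eq 5800
 rule 17 deny udp destination-port eq 5900
 rule 18 deny tcp destination-port eq 5900
 rule 19 deny tcp destination-port eq 5800
 rule 20 deny tcp destination-port eq 1999
 rule 21 deny tcp destination-port eq 5554
 rule 22 deny tcp destination-port eq 9995
 rule 23 deny tcp destination-port eq 9996
 rule 24 deny udp destination-port eq 12345
 rule 25 deny udp destination-port eq 1057
 rule 26 deny udp destination-port eq 2616
"""

# Port names the CLI accepts in place of numbers (IANA assignments).
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)"
    r"(?:\s+destination-port\s+eq\s+(\S+))?\s*$"
)


class Rule(NamedTuple):
    rule_id: int
    action: str
    protocol: str            # "tcp", "udp" or "ip" (any transport)
    dst_port: Optional[int]  # None: any destination port


def parse_acl(text: str) -> List[Rule]:
    """Parse `rule ...` lines; the `acl number` header and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rule_id, action, proto, port = m.groups()
        dst_port = None
        if port is not None:
            dst_port = NAMED_PORTS.get(port)
            if dst_port is None:
                dst_port = int(port)
        rules.append(Rule(int(rule_id), action, proto, dst_port))
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: List[Rule], protocol: str, dst_port: int,
             default: str = "permit") -> str:
    """First matching rule decides; `default` applies when nothing matches."""
    for r in rules:
        if r.protocol not in (protocol, "ip"):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return default


def single_transport_denies(rules: List[Rule]) -> Dict[int, str]:
    """Ports denied for exactly one of tcp/udp, mapped to that transport."""
    seen: Dict[int, set] = {}
    for r in rules:
        if r.action == "deny" and r.dst_port is not None and r.protocol != "ip":
            seen.setdefault(r.dst_port, set()).add(r.protocol)
    return {p: next(iter(s)) for p, s in sorted(seen.items()) if len(s) == 1}


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for proto, port in [("tcp", 445), ("udp", 137), ("tcp", 443), ("tcp", 1434)]:
        print(f"{proto}/{port}: {evaluate(rules, proto, port)}")
    print("denied on one transport only:", single_transport_denies(rules))
```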
2.2.5.2 Broadcast Storm Suppression Configuration
A broadcast storm severely affects the network. The broadcast storm suppression function limits the impact of such storms on a network.
The antivirus effect is better when broadcast storm suppression is configured on the network devices closer to users. Therefore, configure it on the downstream interfaces of aggregation switches and on all interfaces of access switches.
When the average broadcast rate exceeds 5000 kbit/s, the devices discard the excess packets.
Run the following commands on the downstream interfaces of aggregation switches, the interconnected interfaces between aggregation switches, and the upstream interfaces of access switches:
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression broadcast cir 5000
2.2.5.3 MAC Address Flapping Detection
MAC address flapping means that the same MAC address is learned by two interfaces in the same VLAN; the MAC address entry learned later replaces the earlier one.
MAC address flapping detection enables devices to check whether MAC address flapping has occurred. When flapping is detected, the device reports an alarm to the NMS so that maintenance personnel can locate the fault.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection
2.2.5.4 MAC Address Triggered ARP Entry Update
A network device searches the ARP table during Layer 3 forwarding and forwards the packets that match ARP entries. When the logical location of a user terminal changes (for example, an
active/standby switchover occurs between the network adapters of a server), the outbound interfaces corresponding to the affected IP addresses also change.
The outbound interfaces in the MAC address table are updated as soon as certain packets are received, whereas the outbound interfaces in the ARP table are updated only after the aging time expires. Therefore, the outbound interfaces in the MAC address and ARP tables may be inconsistent, for example when the MAC address table has already been updated but the ARP table has not.
To resolve this problem, enable MAC address triggered ARP entry update so that the outbound interfaces in the ARP table are updated immediately when the outbound interfaces in the MAC address table are updated.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] mac-address update arp enable
2.2.5.5 Loopback Detection on a Single Interface
STP cannot detect loops on a single interface, so loopback detection needs to be enabled on individual interfaces.
Run the following commands on the downstream interface of an access switch:
<HUAWEI> system-view
[~HUAWEI] interface ge 1/0/1
[~HUAWEI-GE1/0/1] loopback-detect enable
2.2.5.6 ARP Attack Defense Configuration
• Configure ARP rate limiting.
If a host sends a large number of IP packets with unreachable destination IP addresses to a network device, the device is heavily loaded.
Configure ARP rate limiting in the system view:
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit 200
Configure ARP rate limiting in the VLAN view:
<HUAWEI> system-view
[~HUAWEI] vlan 201
[*HUAWEI-vlan201] arp anti-attack rate-limit 200
• Configure ARP rate limiting based on source IP addresses.
Considering the special requirements of some users, you can configure a different ARP rate limit for these users.
NOTE
By default, the source IP address-based ARP rate limit is 30 pps. When the gateway requests MAC
addresses of many users on the network segment and the rate of ARP packets from the gateway IP
address exceeds 30 pps, you must increase the source IP address-based ARP rate limit; otherwise, the
ARP packets exceeding 30 pps will be discarded, causing a long delay on the gateway to learn ARP
entries. If an ARP scanning attack occurs, reduce the source IP address-based ARP rate limit.
Configure ARP rate limiting for any source IP address.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip maximum 100
Configure a rate limit for the ARP packets from 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip 10.1.1.1 maximum 100
When both of the preceding configurations are performed, the later (address-specific) configuration takes precedence. That is, if the source IP address of received ARP packets matches the IP address specified in rate limiting, the rate limit in the later configuration takes effect; if it does not match, the rate limit in the previous configuration takes effect.
• Configure ARP Miss rate limiting based on source IP addresses.
Considering the special requirements of some users, you can configure a different ARP Miss rate limit for these users.
NOTE
By default, the source IP address-based ARP Miss rate limit is 30 pps. If a source IP address needs
to frequently trigger ARP Miss messages of which the rate will exceed 30 pps, increase the source
IP address-based ARP Miss rate limit. Otherwise, excessive ARP Miss messages from this source
IP address will be discarded within 5 seconds after the rate limit is exceeded. As a result, this
source IP address cannot trigger ARP learning.
Configure ARP Miss rate limiting for any source IP address.
<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip maximum 60
Configure rate limiting for the ARP Miss messages from a specified IP address.
<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip 10.0.0.1 maximum 60
When both of the preceding configurations are performed, the later (address-specific) configuration takes precedence. That is, if the source IP address of the IP packets triggering ARP Miss messages matches the IP address specified in rate limiting, the rate limit in the later configuration takes effect; if it does not match, the rate limit in the previous configuration takes effect.
• Configure strict ARP learning.
Strict ARP learning allows a device to learn ARP entries from only the ARP Reply
packets in response to the ARP Request packets sent by itself.
Configure strict ARP learning globally.
<HUAWEI> system-view
[~HUAWEI] arp learning strict
Configure strict ARP learning on an interface.
<HUAWEI> system-view
[~HUAWEI] interface vlanif 201
[~HUAWEI-Vlanif201] arp learning strict force-enable
• Configure ARP anti-spoofing.
To prevent ARP spoofing attacks, enable ARP entry fixing.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack entry-check fixed-mac enable
• Prevent man-in-the-middle (MITM) attacks (excluding CE12800E and CE6880EI).
To prevent MITM attacks, configure ARP packet checking on interfaces or in VLANs. If
the packets received on an interface match a binding entry, the packets are forwarded;
otherwise, the packets are discarded.
In addition, you can configure the alarm function. When the number of discarded packets
exceeds the threshold, an alarm is generated.
NOTE
This function applies only to DHCP users. The binding entries can be automatically generated
after DHCP snooping is enabled.
Enable dynamic ARP inspection to check ARP packets against binding entries.
<HUAWEI> system-view
[~HUAWEI] vlan 201
[*HUAWEI-vlan201] arp anti-attack check user-bind enable
Configure check items for ARP packets.
[*HUAWEI-vlan201] arp anti-attack check user-bind check-item ip-address
To allow the ARP packets matching only one or two items in a binding entry to pass
through, configure the device to match ARP packets against only one or two items.
NOTE
The specified check items do not take effect for the users with static binding entries configured.
That is, the device still checks ARP packets against the static binding entries.
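The strict-learning, entry-fixing and user-bind checks described in this section, as an added Python model (not Huawei's implementation): it walks a gateway ARP entry through each protection to show which packets are learned, ignored or dropped. The addresses, MACs and interfaces are constructed, and the exact semantics of the three commands are assumptions stated in the docstring.

```python
"""Model of the ARP learning protections configured above: strict ARP learning
(`arp learning strict`), ARP entry fixing in fixed-mac mode
(`arp anti-attack entry-check fixed-mac enable`) and checking ARP packets
against DHCP snooping bindings (`arp anti-attack check user-bind enable`).

Added example, not Huawei's implementation. Assumed semantics: strict mode
learns only from replies to requests this device itself sent; fixed-mac
refuses an ARP packet whose sender MAC differs from the existing entry for
that IP; user-bind checking drops packets whose sender IP, MAC and ingress
interface do not match a binding entry, before any learning happens.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpPacket:
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    ingress: str      # interface the packet arrived on


@dataclass
class ArpDefender:
    learning_strict: bool = False
    fixed_mac: bool = False
    check_user_bind: bool = False
    # ip -> (mac, interface) as DHCP snooping would record it (constructed here)
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    table: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    outstanding: Set[str] = field(default_factory=set)  # IPs we have requested
    log: List[str] = field(default_factory=list)

    def send_request(self, target_ip: str) -> None:
        """Record that this device asked for target_ip (needed by strict mode)."""
        self.outstanding.add(target_ip)

    def receive(self, pkt: ArpPacket) -> str:
        """Process one ARP packet and return what happened to it."""
        if self.check_user_bind:
            bound = self.bindings.get(pkt.sender_ip)
            if bound != (pkt.sender_mac, pkt.ingress):
                self.log.append(f"user-bind mismatch: {pkt.sender_ip} {pkt.sender_mac} on {pkt.ingress}")
                return "dropped"
        if self.learning_strict and (pkt.op != "reply" or pkt.sender_ip not in self.outstanding):
            self.log.append(f"unsolicited {pkt.op} from {pkt.sender_ip} not learned")
            return "not-learned"
        current = self.table.get(pkt.sender_ip)
        if self.fixed_mac and current is not None and current[0] != pkt.sender_mac:
            self.log.append(f"fixed-mac: refused MAC change for {pkt.sender_ip} ({current[0]} -> {pkt.sender_mac})")
            return "dropped"
        self.table[pkt.sender_ip] = (pkt.sender_mac, pkt.ingress)
        self.outstanding.discard(pkt.sender_ip)
        return "learned"


def demo() -> Dict[str, str]:
    """Walk a gateway entry through the three protections (constructed addresses)."""
    results: Dict[str, str] = {}
    dev = ArpDefender(learning_strict=True, fixed_mac=True)
    gw_ip, gw_mac, other_mac = "10.1.1.1", "00-11-22-33-44-01", "00-11-22-33-44-99"
    # 1. A solicited reply is learned even in strict mode.
    dev.send_request(gw_ip)
    results["solicited"] = dev.receive(ArpPacket("reply", gw_ip, gw_mac, "10GE1/0/1"))
    # 2. An unsolicited reply for the same IP with another MAC is not learned.
    results["unsolicited"] = dev.receive(ArpPacket("reply", gw_ip, other_mac, "10GE1/0/7"))
    # 3. With strict learning off, fixed-mac still refuses the MAC change.
    dev.learning_strict = False
    results["fixed_mac"] = dev.receive(ArpPacket("reply", gw_ip, other_mac, "10GE1/0/7"))
    # 4. Binding check: the same host on an interface other than its binding fails.
    dai = ArpDefender(check_user_bind=True,
                      bindings={"10.1.1.50": ("00-11-22-33-44-50", "10GE1/0/5")})
    results["dai_ok"] = dai.receive(ArpPacket("request", "10.1.1.50", "00-11-22-33-44-50", "10GE1/0/5"))
    results["dai_bad"] = dai.receive(ArpPacket("request", "10.1.1.50", "00-11-22-33-44-50", "10GE1/0/9"))
    results["gateway_mac"] = dev.table[gw_ip][0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```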
2.2.6 Firewall Configuration
Firewalls are connected in bypass mode in the open platform area, development and testing
area, operation and management area, and area egress to implement secure access of the local
area and other functional areas.
VRF instances are created on the aggregation layer to separate service network routes and
public network routes. Firewalls are connected in bypass mode to ensure secure access
between different areas, and firewalls work in hot standby mode to ensure high reliability.
Different VLANs are created on DS1 and DS2, IP addresses are assigned to VLANIF
interfaces, and VRRP is configured. Different VRRP virtual IP addresses are used as gateway
addresses of server groups on ASs, and the Eth-Trunk between DS1 and DS2 allows packets
from the VLANs to pass through. MSTP is deployed between AS and DSs to eliminate loops,
and OSPF is configured on DSs and CSs to implement Layer 3 interworking.
VRF-A is created on the DS, service interfaces and downlink interfaces connected to firewalls
are bound to VRF-A, and the default route of VRF-A points to the downlink VRRP virtual IP
address of firewalls. Static routes from DSs to service network segments are configured, and
the next hop IP address is the uplink VRRP virtual IP address of firewalls.
Configure static routes between firewalls and DSs. Firewalls are configured with the Huawei
Redundancy Protocol (HRP) and security policies based on application requirements.
1. Create VLAN 200, VLAN 300, and VLAN 400 on DS1. Create VLANIF 200, VLANIF 300, and VLANIF 400. Configure 10GE1/0/1 and Eth-Trunk 1 to allow packets from VLAN 200 to pass through, Eth-Trunk 3 to allow packets from VLAN 300 to pass through, and Eth-Trunk 2 to allow packets from VLAN 400 to pass through.
2. Configure MSTP and VRRP on DS1 and DS2, and configure DS1 as the VRRP master.
3. Create VRF-A on DS1 and bind VLANIF 200 and VLANIF 300, which connect to the downlink interface of the firewall, to VRF-A. The default route of VRF-A points to the downlink VRRP virtual IP address of the firewalls.
NOTE
When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore,
you need to reconfigure the IP address.
[~HUAWEI] ip vpn-instance VRF-A
[*HUAWEI-vpn-instance-VRF-A] ipv4-family
[*HUAWEI-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[*HUAWEI-vpn-instance-VRF-A-af-ipv4] quit
[*HUAWEI-vpn-instance-VRF-A] quit
[*HUAWEI] interface vlanif 200
[*HUAWEI-Vlanif200] ip binding vpn-instance VRF-A
[*HUAWEI-Vlanif200] ip address 10.10.1.1 24
[*HUAWEI-Vlanif200] quit
[*HUAWEI] interface vlanif 300
[*HUAWEI-Vlanif300] ip binding vpn-instance VRF-A
[*HUAWEI-Vlanif300] ip address 10.10.2.1 24
[*HUAWEI-Vlanif300] quit
[*HUAWEI] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
[*HUAWEI] commit
4. Configure a static route from DS1 to the service network segment. The next hop address is the uplink VRRP virtual IP address of the firewalls. Run OSPF between DS1 and the CS and import the static route into OSPF.
[~HUAWEI] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
[*HUAWEI] ospf 100
[*HUAWEI-ospf-100] area 0
[*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
[*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255
[*HUAWEI-ospf-100-area-0.0.0.0] quit
[*HUAWEI-ospf-100] import-route static
[*HUAWEI-ospf-100] quit
[*HUAWEI] commit
5. Perform basic configurations, including the device name, interfaces, and IP addresses, on the firewalls. These configurations are not provided here.
6. Configure zones on FW1.
[FW1] firewall zone trust
[FW1-zone-trust] add interface eth-trunk 3
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface eth-trunk 2
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface eth-trunk 1
[FW1-zone-dmz] quit
7. Configure zones on FW2.
[FW2] firewall zone trust
[FW2-zone-trust] add interface eth-trunk 3
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface eth-trunk 2
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface eth-trunk 1
[FW2-zone-dmz] quit
8. Configure a static route on FW1. The next hop address in the route used for access from the internal network to the external network is the IP address of VLANIF 300 that connects to the uplink interface of the firewall. The next hop address in the route used for access from the external network to the internal network is the IP address of VLANIF 200 that connects to the downlink interface of the firewall.
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
[FW1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
9. Configure a static route on FW2.
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
[FW2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
10. Configure HRP on FW1.
[FW1] interface eth-trunk 3
[FW1-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 master
[FW1-Eth-Trunk3] quit
[FW1] interface eth-trunk 2
[FW1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 master
[FW1-Eth-Trunk2] quit
[FW1] hrp interface eth-trunk 1 remote 10.1.1.2
[FW1] firewall packet-filter default permit interzone local dmz
[FW1] hrp enable
11. Configure HRP on FW2.
[FW2] interface eth-trunk 3
[FW2-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
[FW2-Eth-Trunk3] quit
[FW2] interface eth-trunk 2
[FW2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
[FW2-Eth-Trunk2] quit
[FW2] hrp interface eth-trunk 1 remote 10.1.1.1
[FW2] firewall packet-filter default permit interzone local dmz
[FW2] hrp enable
NOTE
After the HRP configuration is complete, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active firewall FW1.
12. Configure the security policy and intrusion prevention system (IPS).
NOTE
Before configuring IPS, ensure that the IPS signature database uses the latest version.
When configuring IPS, use the default IPS configuration file default.
HRP_M[FW1] policy interzone trust untrust outbound
HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] profile ips default
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW1] policy interzone trust untrust inbound
HRP_M[FW1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy service serviceset ftp http
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW1] ips enable
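The two trust/untrust policies from step 12, as an added Python evaluator (not Huawei's code): it maps a flow's interfaces to the zones from steps 6 and 7, derives the direction from zone priority, and applies the policies to constructed flows. The zone priorities, the service-set ports and the implicit deny for flows that match no policy are assumptions.

```python
"""Evaluator for the FW1 interzone security policy configured in step 12.

Added example, not Huawei's code. Assumptions: zone priorities
trust > dmz > untrust (outbound = from the higher-priority zone to the lower
one), service set ports tcp/21 for ftp and tcp/80 for http, and an implicit
deny for interzone traffic that matches no policy.
"""
import ipaddress
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}  # assumed
# Interface-to-zone mapping from steps 6 and 7 above.
INTERFACE_ZONE = {"eth-trunk 3": "trust", "eth-trunk 2": "untrust", "eth-trunk 1": "dmz"}
SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80)}  # constructed service set


class Policy(NamedTuple):
    zones: FrozenSet[str]                         # the interzone pair
    direction: str                                # "outbound" or "inbound"
    source: Optional[ipaddress.IPv4Network]
    destination: Optional[ipaddress.IPv4Network]
    services: Optional[FrozenSet[str]]
    action: str
    ips_profile: Optional[str]


class Flow(NamedTuple):
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: int


# The two policies from `policy interzone trust untrust outbound|inbound`.
FW1_POLICIES: List[Policy] = [
    Policy(frozenset({"trust", "untrust"}), "outbound",
           ipaddress.ip_network("10.10.1.0/24"), None, None, "permit", "default"),
    Policy(frozenset({"trust", "untrust"}), "inbound",
           None, ipaddress.ip_network("10.10.1.0/24"), frozenset({"ftp", "http"}),
           "permit", "default"),
]


def direction(in_zone: str, out_zone: str) -> str:
    """Outbound = from the higher-priority zone to the lower one."""
    return "outbound" if ZONE_PRIORITY[in_zone] > ZONE_PRIORITY[out_zone] else "inbound"


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, ips_profile) of the first matching policy, else a deny."""
    in_zone, out_zone = INTERFACE_ZONE[flow.in_if], INTERFACE_ZONE[flow.out_if]
    pair, d = frozenset({in_zone, out_zone}), direction(in_zone, out_zone)
    for p in policies:
        if p.zones != pair or p.direction != d:
            continue
        if p.source is not None and ipaddress.ip_address(flow.src) not in p.source:
            continue
        if p.destination is not None and ipaddress.ip_address(flow.dst) not in p.destination:
            continue
        if p.services is not None and (flow.proto, flow.dport) not in {SERVICES[s] for s in p.services}:
            continue
        return p.action, p.ips_profile
    return "deny", None   # implicit interzone default (assumed)


if __name__ == "__main__":
    # Constructed flows: an internal host browsing out, and two inbound attempts.
    for f in [Flow("eth-trunk 3", "eth-trunk 2", "10.10.1.10", "198.51.100.7", "tcp", 443),
              Flow("eth-trunk 2", "eth-trunk 3", "198.51.100.7", "10.10.1.10", "tcp", 80),
              Flow("eth-trunk 2", "eth-trunk 3", "198.51.100.7", "10.10.1.10", "tcp", 22)]:
        print(f, "->", evaluate(FW1_POLICIES, f))
```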
13. Configure attack defense.
NOTE
The attack defense thresholds in this example are only for reference. Configure the thresholds
according to the traffic volume on your network.
HRP_M[FW1] firewall defend syn-flood enable
HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW1] firewall defend udp-flood enable
HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW1] firewall defend icmp-flood enable
HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW1] firewall blacklist enable
HRP_M[FW1] firewall defend ip-sweep enable
HRP_M[FW1] firewall defend ip-sweep max-rate 4000
HRP_M[FW1] firewall defend port-scan enable
HRP_M[FW1] firewall defend port-scan max-rate 4000
HRP_M[FW1] firewall defend ip-fragment enable
HRP_M[FW1] firewall defend ip-spoofing enable
14. Configure ASPF. FTP is used as an example. If other applications run on the internal network, enable ASPF for them as well.
HRP_M[FW1] firewall interzone trust untrust
HRP_M[FW1-interzone-trust-untrust] detect ftp
HRP_M[FW1-interzone-trust-untrust] quit
3 M-LAG Data Center Deployment Solution
3.1 Overview
3.2 Service Design and Configuration
3.1 Overview
3.1.1 Purpose
This document provides a detailed data center design for a level-1 bank branch, covering the
network architecture, IP address and VLAN planning, routing design, security design,
network reliability design, and network management system design for the data center. You
can use this document as a reference for data center project implementation.
3.1.2 Typical Networking
3.1.2.1 Logical Architecture
The following figure shows the logical topology of the level-1 bank branch's data center
network, which is divided into multiple areas depending on the functions provided.
The following describes the functional areas.
Area | Function and Positioning | Accessible To
Open platform area: OP | Provides access to running open systems, including the accounting system as well as other accounting-relevant and accounting-irrelevant service systems. This area is a major business area for communication between production and office departments. | Clients and servers
Operation and management area: OM | Has servers deployed for system operations, monitoring, and maintenance. This area is responsible for network and system management and maintenance. | Only a few authorized maintenance users
Development and testing area: DT | Accommodates servers of systems that have not been put into use, including the hosts and open platform systems that are under development or testing. | Clients and servers
MAN/WAN access area (WN/MN) | Connects the level-1 bank branch to the head office and its data center, downstream level-2 branches and outlets, as well as offices, branches, and outlets in the local city. This area provides connections to the level-1 bank branch's LANs and subordinate branches. | ATM machines, POS machines, teller terminals, maintenance users, office terminals, and terminals in business centers
Local user access area: LU | Allows access of various user terminals. | Local maintenance users, local office terminals, and terminals in local business centers
DMZ extranet: EP | Implements interconnection with business platforms of partners, major accounts, and agents through carrier lines. | Partners, international branches, off-bank devices (3G/2G/PSTN), telephone banking systems, and customer service centers
The level-1 bank branch's data center network is logically divided into three layers: core,
distribution, and access layers.
• Core layer: high-speed Layer 3 switching backbone network. This layer is not directly connected to terminals or servers and does not provide functions that would affect high-speed switching performance, such as ACLs.
• Distribution layer: boundary between the Layer 2 and Layer 3 networks, and boundary between functional areas. This layer connects to the core layer at Layer 3 and to the access layer at Layer 2. It provides the following functions:
  – Acts as a unified gateway for terminals and servers in the functional areas.
  – Summarizes routes within each functional area.
  – Implements intra-VLAN routing within each functional area.
  – Provides routing policies for communication between functional areas and the core layer.
  – Applies ACLs to control communication between systems within a functional area.
  – Has firewalls deployed to enforce access control between areas.
• Access layer: connects to the distribution layer and consists of the following devices:
  – Access switch (AS): provides Layer 2 access for servers and terminals and isolates users through VLANs.
  – Access router (AR): provides access to the WAN and MAN networks, and functions as an autonomous system boundary router (ASBR) to implement routing control.
3.1.2.2 Physical Architecture
The following figure shows the physical network connections of the level-1 bank branch's
data center.
In the core switching area, two high-performance data center switches are deployed, and they
are interconnected through 10GE bundled links to provide highly reliable, high-speed
switching.
The switches in the core switching area and distribution layer are connected in square
networking to implement redundancy of physical links, enhancing network reliability. The
core switches and distribution switches are connected using bundled 10GE or GE links.
The distribution layer of each area has two high-performance switches deployed for traffic aggregation in the area. Multi-level M-LAG replaces the traditional Layer 2 network built from aggregation and access devices; it ensures reliability, improves link utilization, and expands the network scale in dual-homing mode. The gateway is deployed at the aggregation layer and supports application server cluster virtualization, facilitating deployment of a large Layer 2 network and fast service deployment and migration.
Firewalls are deployed in each area for access control. Firewalls are connected to distribution switches in bypass mode through bundled GE links. The two firewalls in an area work in active/standby mode. If the active firewall fails, traffic is switched to the standby firewall within a short time. If both firewalls fail, service traffic is switched to the bypass link without passing through the firewalls, ensuring nonstop data forwarding and service operations.
The two pairs of firewalls in the extranet area are connected to distribution switches, access
switches, and access routers in square networking to enhance network reliability.
3.1.2.3 Products Used
Huawei CE12816, CE12808, and CE6800 switches are used at the core layer, distribution
layer, and access layer, respectively. Huawei NE40E-X8 is used at the access layer as the
access router, and Huawei USG5500 is used as the firewall.
3.1.3 Network Architecture Design
3.1.3.1 Core Switching Area
The following figure shows the core switching area of the level-1 bank branch's data center.
The core layer connects to each functional area in the data center. Two high-performance
CE12816 data center switches are deployed at the core layer, which are interconnected using
an Eth-Trunk of two 10GE links to enhance connection reliability.
Core switch (CS): Huawei CE12816
3.1.3.2 Open Platform Area
The following figure shows the open platform area of the level-1 bank branch's data center.
The distribution layer of the open platform area uses two-level M-LAG. The two high-performance CE12808 data center switches use 2x10GE inter-card Eth-Trunk links to connect to each other and function as dual-active gateways. OSPF is enabled on switches at the core and distribution layers to implement Layer 3 interworking. The access switch CE6800 is dual-homed to the distribution layer through M-LAG.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the open platform area and other functional areas. The firewalls use 4xGE inter-card
Eth-Trunk links for uplink and downlink connections.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall (FW): Huawei USG5500
3.1.3.3 Development and Testing Area
The following figure shows the development and testing area of the level-1 bank branch's data
center.
The distribution layer of the development and testing area uses two-level M-LAG. The two
high-performance CE12808 data center switches use 2x10GE inter-card Eth-Trunk links to
connect to each other and function as dual-active gateways. OSPF is enabled on switches at
the core and distribution layers to implement Layer 3 interworking. The access switch
CE6800 is dual-homed to the distribution layer through M-LAG.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the development and testing area and other functional areas. The firewalls use 4xGE
inter-card Eth-Trunk links for uplink and downlink connections.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall (FW): Huawei USG5500
3.1.3.4 Operation and Management Area
The following figure shows the operation and management area of the level-1 bank branch's
data center.
This area is the network management and maintenance center of the level-1 bank branch. It
collects running status data of managed systems and devices, monitors network and system
status, issues management instructions, and detects system failures to help in troubleshooting.
The distribution layer of the operation and management area uses two-level M-LAG. The two
high-performance CE12808 data center switches use inter-card Eth-Trunk links of two GE
optical interfaces to connect to each other and function as dual-active gateways. OSPF is
enabled on switches at the core and distribution layers to implement Layer 3 interworking.
The access switch CE6800 is dual-homed to the distribution layer through M-LAG on the GE
interface.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the open platform area and other functional areas. The firewalls use inter-card Eth-Trunk
links of two GE optical interfaces for uplink and downlink connections.
The following systems are deployed in this area:
Management server: uses the Simple Network Management Protocol (SNMP) to collect
network and system running information and receive logs and alarms sent from various
systems on the network. The management server summarizes and processes management
information collected from the network, monitors running status of the data center network
and systems, and generates network and system management reports.
Management platform: enables maintenance personnel to access the management server to
diagnose and rectify faults of devices.
Security tools: guarantee system security. Security tools include the RADIUS server, intrusion
detection system (IDS) server, and antivirus server.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall (FW): Huawei USG5500
3.1.3.5 Local User Access Area
The following figure shows the local user access area of the level-1 bank branch's data center.
This area is designed to enable communication between various types of user terminals.
The distribution layer of the local user access area uses two-level M-LAG. The two high-performance
CE12808 data center switches use 2x10GE inter-card Eth-Trunk links to connect to each other and
function as dual-active gateways. OSPF is enabled on switches at the core and distribution layers
to implement Layer 3 interworking. The access switch CE6800 is dual-homed to the distribution
layer through M-LAG.
The egress of the area has firewalls deployed in bypass mode to ensure secure communication
between the open platform area and other functional areas. The firewalls use inter-card Eth-Trunk
links of two GE optical interfaces for uplink and downlink connections.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall (FW): Huawei USG5500
3.1.3.6 MAN/WAN Access Area
The following figure shows the MAN/WAN area of the level-1 bank branch's data center.
This area connects upstream and downstream routers, and allows communication between
access switches in the same city.
The distribution layer of this area has two high-performance CE12808 data center switches,
which use inter-card Eth-Trunk links of two GE optical interfaces to connect to each other and
the upstream core switches. The access routers connect to the distribution switches in dual-homing
mode.
The MAN/WAN access area is only used for access to the WAN or MAN and has no servers,
so no firewalls need to be deployed in this area. The offices and banking outlets in the same
city or level-2 bank branches deploy the Unified Threat Management (UTM) system for
security guarantee.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access router (AR): Huawei NE40E-X8
3.1.3.7 Extranet Area
The following figure shows the extranet area of the level-1 bank branch's data center.
The extranet area provides network connections to partners. To improve security of the area
and prevent Internet users from directly accessing servers of the bank, a two-layer
heterogeneous firewall architecture is used to partition the entire area into three security
subareas of different security levels: extranet area, DMZ, and intranet area. The following
table describes functions of the three security subareas.
Extranet area: Allows partners to connect to the network through private lines and translates the
private IP addresses of packets sent from partners into private IP addresses in the DMZ.
DMZ: Deploys front-end servers for partners.
Intranet area: Deploys systems on the level-1 bank branch's data center network.
The access layer, distribution layer, and core layer of the extranet area provide different
network functions, with ascending security levels. The following table describes devices in
the extranet area.
Extranet router: To provide access for partners, two extranet routers connect to lines of different
carriers. The primary line connects to the master router, and the backup line connects to the
backup router, implementing link redundancy.
The routers' interfaces connected to the external firewalls run the Virtual Router Redundancy
Protocol (VRRP). Generally, data flows are forwarded through the master router. If the master
router fails, traffic is switched to the backup router. VRRP enhances system reliability through
redundancy and prevents single points of failure.
If routers are connected to links that do not support automatic link state detection, for example,
ATM or MSTP links, configure a link failure detection protocol such as OAM or BFD on the
interfaces. In this case, ensure that the remote ends also support the link failure detection
protocol.
External firewall: Security policies need to be configured on the firewalls according to
application requirements to implement logical isolation and security control between the extranet
area and the DMZ.
The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally,
one firewall works in active mode, and the other works in standby mode. If the active firewall
fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data
forwarding and normal service operations.
Access switch: The switches connect to front-end servers in the extranet and connect to each other
through a 2xGE Eth-Trunk link to enhance reliability. More access switches can be added to the
extranet based on business requirements.
Internal firewall: Security policies need to be configured on the firewalls according to
application requirements to implement logical isolation and security control between the DMZ and
the intranet.
The two firewalls work in NAT mode and use the two-node redundancy HA architecture. Generally,
one firewall works in active mode, and the other works in standby mode. If the active firewall
fails, traffic can be quickly switched to the standby firewall, ensuring uninterrupted data
forwarding and normal service operations.
Distribution switch: The switches connect the extranet to the LANs on the data center network. The
two switches are interconnected through two bundled links to enhance reliability.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE12808
Access router (AR): Huawei NE40E-X8
Firewall (FW): Huawei USG5500
3.1.3.8 Firewall Deployment
The level-1 bank branch's data center network has firewalls deployed in the open platform
area (OP), development and testing area (DT), local user access area (LU), and operation and
management area (OM) to improve network security. Access control policies are configured
on the firewalls to isolate different functional areas, control communication between the
areas, and protect servers in these areas.
The firewalls are connected to distribution switches in bypass mode, as shown in the
following figure.
- The firewalls are deployed in the HA architecture and work in preemption mode. When both
  firewalls are running normally, FW1 acts as the active firewall, and FW2 acts as the standby
  firewall.
- The two firewalls exchange heartbeat packets through two directly connected interfaces.
- FW1 and FW2 are connected to the distribution switches in bypass mode.
- Link aggregation is used between the firewalls and distribution switches. Two or four uplink
  interfaces of the active firewall FW1 are bundled into Eth-Trunk 1 and connected to DS1. Two or
  four downlink interfaces of FW1 are bundled into Eth-Trunk 2 and connected to DS1. The number of
  member interfaces in an Eth-Trunk is determined based on the requirements in the area. Two or
  four uplink interfaces of the standby firewall FW2 are bundled into Eth-Trunk 1 and connected to
  DS2. Two or four downlink interfaces of FW2 are bundled into Eth-Trunk 2 and connected to DS2.
- The firewalls monitor the physical status of Eth-Trunk 1 and Eth-Trunk 2. If either Eth-Trunk
  interface fails, an active/standby switchover is triggered. Then FW2 becomes the active
  firewall, and FW1 becomes the standby firewall.
- If both firewalls are faulty, manually switch data traffic to the bypass link so that the
  traffic does not pass through the firewalls. The bypass link is an independent link deployed
  between the uplink and downlink VRF instances.
- The firewalls communicate with distribution switches using static routes and run VRRP.
- Trusted and untrusted zones are defined on the firewalls, and security policies are configured
  based on application requirements to implement isolation and security control between trusted
  and untrusted zones.
Core switch (CS): Huawei CE12816
Distribution switch (DS): Huawei CE12808
Access switch (AS): Huawei CE6800
Firewall (FW): Huawei USG5500
3.2 Service Design and Configuration
3.2.1 System Configuration
3.2.1.1 Device Login Configuration
Users can log in to the device through a console port, Telnet, or STelnet to perform local or
remote device maintenance. A user must use the console port to log in to the device for the
first time. Telnet or STelnet can be used to implement remote management and maintenance.
The following describes how to log in to the device through the console port and STelnet.
- Logging in to a device through a console port
  Before logging in to the device through a console port, complete the following tasks:
  a. Prepare a console cable.
  b. Install the terminal emulation software on the PC.
  NOTE
  You can use the built-in terminal emulation software (such as the HyperTerminal of Windows 2000)
  on the PC. If no built-in terminal emulation software is available, use third-party terminal
  emulation software. For details, see the software user guide or online help.
  Procedure:
  Use the terminal emulation software to log in to the device through a console port.
  a. Insert the DB9 plug of the console cable delivered with the device into a 9-pin serial socket
     on the PC, and insert the RJ-45 connector into the console port of the device, as shown in
     the following figure.
     Figure 3-1 Connecting the PC to the device through the console port
  b. Start the terminal emulation software on the PC, establish a connection, and set the
     connected interface and communication parameters.
     NOTE
     One PC may have multiple connection interfaces. Select the interface connected to the console
     cable. Usually, the interface COM1 is selected.
     You must set the communication parameters of the PC to be the same as the changed
     communication parameters of the serial interface, and reconnect the PC to the serial
     interface.
  c. Press Enter until the system asks you to enter the password. (During AAA authentication, the
     system asks you to enter the user name and password. The following information is for your
     reference only.)
     Login authentication
     Password:
     You can run commands to configure the device. Enter a question mark (?) whenever you need
     help.
- Logging in to the device using STelnet
  Before logging in to the device through STelnet, complete the following tasks:
  a. Configure routes between a terminal and the device.
  b. Install the SSH client software on the terminal.
  Procedure:
  a. Configure the STelnet server functions and parameters.
     <HUAWEI> system-view
     [~HUAWEI] rsa local-key-pair create
     The key name will be: HUAWEI_Host
     The range of public key size is (512 - 2048).
     NOTE: Key pair generation will take a short while.
     Input the bits in the modulus [default = 2048] : 2048 //Starting from V200R001C00, the device supports only 2048 bits. Manual input is not required.
     [*HUAWEI] stelnet server enable
     [*HUAWEI] commit
  b. Configure the SSH user login interface.
     [~HUAWEI] user-interface vty 0 4
     [~HUAWEI-ui-vty0-4] authentication-mode aaa
     [*HUAWEI-ui-vty0-4] protocol inbound ssh
     [*HUAWEI-ui-vty0-4] commit
     [~HUAWEI-ui-vty0-4] quit
  c. Configure an SSH user.
     You need to configure the authentication mode. The device supports the following
     authentication modes: RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and
     all. The authentication modes are described as follows:
     password-rsa: Both the password and RSA authentication requirements must be met.
     password-dsa: Both the password and DSA authentication requirements must be met.
     password-ecc: Both the password and ECC authentication requirements must be met.
     all: The requirements of password, RSA, DSA, or ECC authentication are met.
     [~HUAWEI] ssh user client001
     [*HUAWEI] ssh user client001 authentication-type password
     [*HUAWEI] ssh user client001 service-type stelnet
     [*HUAWEI] aaa
     [*HUAWEI-aaa] local-user client001 password irreversible-cipher Huawei@123
     [*HUAWEI-aaa] local-user client001 level 3
     [*HUAWEI-aaa] local-user client001 service-type ssh
     [*HUAWEI-aaa] quit
     [*HUAWEI] commit
  d. Log in to the device through STelnet.
     The PuTTY software is used as an example.
     # Use the PuTTY software to log in to the device, enter the device IP address, and select the
     SSH protocol type, as shown in the following figure.
     Figure 3-2 Logging in to the SSH server through PuTTY in password authentication mode
     # Click Open. Enter the user name and password as prompted, and press Enter. You have logged
     in to the SSH server. (The following information is for your reference only.)
     login as: client001
     Sent username "client001"
     client001@10.137.217.203's password:
     Warning: The initial password poses security risks.
     The password needs to be changed. Change now? [Y/N]: n
     Info: The max number of VTY users is 21, the number of current VTY users online is 2, and total number of terminal users online is 2.
     The current login time is 2012-08-04 20:09:11+00:00.
     First login successfully.
     <HUAWEI>
3.2.1.2 Device Naming Configuration
Devices in this project are named using letters and numbers to facilitate tier-1 branch data
center network implementation and branch network O&M. The name format is field1_field2_field3_nn.
Each field is described as follows, according to the implementation objectives of the tier-1
branch data center network.
Field 1: Identifies the device installation position. For a tier-1 branch data center, the value
is formed as abbreviation of tier-1 branch area + abbreviation of local area + bank level, where
the bank level is one of the following:
  Data center: 0
  Tier-1 branch: 1
  Tier-2 branch: 2
  Tier-3 branch: 3
  Reserved: 4
  Outlet: 5
  Downstream ATM: 6
  For example, a branch at Changjiang Road in Hefei, Anhui province can be identified as AHCJL3.
Field 2: Identifies a functional area. According to the network architecture of the tier-1 branch
data center, areas are defined as follows:
  1. Core area: CO
  2. Open platform area: OP
  3. Development and testing area: DT
  4. Operation and management area: OM
  5. Local user access area: LU
  6. Extranet: EP
  7. MAN/WAN access area: WN
Field 3: Identifies device functions and is defined as follows according to the logical hierarchy
of the tier-1 branch data center:
  1. Core switch: CS
  2. Aggregation switch: DS
  3. Access switch: AS
  4. WAN access router: AR
  5. Firewall: FW
nn: Number of network devices of the same application system in the same area: 01 to 99.
For example, DS 1 in the open platform area of xx Branch is named XX1_OP_DS_01.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] sysname XX1_OP_DS_01
[*HUAWEI] commit
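A naming convention is only useful for O&M and for log correlation if every device actually follows it, so it pays to validate names before they are pushed with sysname. The following Python is an added example, not code from the page or from Huawei: it transcribes the three code tables above and parses or builds a name of the form field1_field2_field3_nn, rejecting unknown area or role codes, bank levels outside 0 to 6, and numbers outside 01 to 99. The one assumption beyond the page is that the area abbreviations in field 1 consist of upper-case letters, so field 1 is letters followed by a single bank-level digit, matching the examples AHCJL3 and XX1.

```python
import re

# Code tables transcribed from the naming table in section 3.2.1.2.
BANK_LEVELS = {"0": "Data center", "1": "Tier-1 branch", "2": "Tier-2 branch",
               "3": "Tier-3 branch", "4": "Reserved", "5": "Outlet", "6": "Downstream ATM"}
AREA_CODES = {"CO": "Core area", "OP": "Open platform area", "DT": "Development and testing area",
              "OM": "Operation and management area", "LU": "Local user access area",
              "EP": "Extranet", "WN": "MAN/WAN access area"}
ROLE_CODES = {"CS": "Core switch", "DS": "Aggregation switch", "AS": "Access switch",
              "AR": "WAN access router", "FW": "Firewall"}

# Assumption (not stated on the page): field 1 is upper-case letters followed by one bank-level
# digit, as in the examples AHCJL3 and XX1.
NAME_RE = re.compile(
    r"^(?P<site>[A-Z]+)(?P<level>\d)_(?P<area>[A-Z]{2})_(?P<role>[A-Z]{2})_(?P<nn>\d{2})$")


def parse_device_name(name):
    """Split a device name into its fields and check each one against the naming table.

    Raises ValueError naming the rule that failed; returns the decoded fields otherwise.
    """
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"{name!r} does not match field1_field2_field3_nn")
    fields = match.groupdict()
    if fields["level"] not in BANK_LEVELS:
        raise ValueError(f"unknown bank level {fields['level']!r}")
    if fields["area"] not in AREA_CODES:
        raise ValueError(f"unknown area code {fields['area']!r}")
    if fields["role"] not in ROLE_CODES:
        raise ValueError(f"unknown role code {fields['role']!r}")
    if not 1 <= int(fields["nn"]) <= 99:
        raise ValueError("device number must be 01 to 99")
    return {
        "site": fields["site"],
        "bank_level": BANK_LEVELS[fields["level"]],
        "area": AREA_CODES[fields["area"]],
        "role": ROLE_CODES[fields["role"]],
        "number": int(fields["nn"]),
    }


def build_device_name(site, level, area, role, number):
    """Compose a name from its parts and validate it before it is used as a sysname."""
    name = f"{site}{level}_{area}_{role}_{number:02d}"
    parse_device_name(name)
    return name


def is_valid_device_name(name):
    try:
        parse_device_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_device_name("XX1_OP_DS_01"))
    print(build_device_name("AHCJL", 3, "CO", "CS", 1))
    print(is_valid_device_name("XX1_ZZ_DS_01"))
```

Running the module prints the decoded fields of XX1_OP_DS_01, builds AHCJL3_CO_CS_01, and reports that XX1_ZZ_DS_01 is rejected because ZZ is not a defined area code.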
3.2.1.3 Device Management Configuration
Device management configuration includes restarting a device and specifying system startup
files for the next startup.
The recommended configuration is to specify startup files for the next startup.
- Restarting a device
  To make the specified system software and files take effect, restart the device after system
  startup configuration is complete. Devices can be restarted immediately or periodically.
  Example for restarting a device immediately:
  <HUAWEI> reboot
  Example for restarting a device periodically:
  <HUAWEI> schedule reboot at 22:00
  Warning: The current configuration will be saved to the next startup saved-configuration file. Continue? [Y/N]:y
  Now saving the current configuration...
  Save the configuration successfully.
  Info: Reboot system at 22:00:00 2015/07/17 UTC (in 15 hours and 49 minutes).
  Confirm? [Y/N]:y
- Specifying system startup files
  Specify the system software and configuration file for system startup so that the device will
  start with the specified software and initialize with the specified configuration file. If a
  new patch needs to be loaded during system startup, specify a patch file.
  Example for specifying the system software for the next startup:
  <HUAWEI> startup system-software basicsoft.cc slave-board
  The optional parameter slave-board is valid only for switches with two MPUs.
3.2.1.4 Network Management Configuration
Network management is an important part in the standard configuration. Currently, SNMP is
widely used for network management. SNMP includes three versions: SNMPv1, SNMPv2c,
and SNMPv3. SNMPv1 and SNMPv2c perform authentication using community names,
resulting in security risks. SNMPv3 is recommended because it is more secure.
The following example configures a device to communicate with the NMS using SNMPv3.
1. Enable the SNMP agent.
   <HUAWEI> system-view
   [~HUAWEI] snmp-agent
2. Configure the SNMP version to SNMPv3.
   [*HUAWEI] snmp-agent sys-info version v3
   NOTE
   You can configure the SNMP version according to your requirements while ensuring that the
   device and NMS use the same SNMP version. If they use different SNMP versions, the device
   cannot connect to the NMS.
3. Configure user access rights.
   # Configure an ACL to allow only the packets with the source IP address 192.168.1.10 to pass
   through.
   [*HUAWEI] acl 2001
   [*HUAWEI-acl4-basic-2001] rule permit source 192.168.1.10 0.0.0.0
   [*HUAWEI-acl4-basic-2001] quit
   # Configure the MIB view as alliso and include the view iso.
   [*HUAWEI] snmp-agent mib-view include alliso iso
   NOTE
   You are advised to configure user access rights according to your requirements.
4. Set the SNMPv3 user group name to huawei_group, the user name to huawei_user, and the security
   level to privacy, and apply access control.
   [*HUAWEI] snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
   [*HUAWEI] snmp-agent usm-user v3 huawei_user group huawei_group
   [*HUAWEI] snmp-agent usm-user v3 huawei_user authentication-mode sha
   Please configure the authentication password (8-255)
   Enter Password:                       //Enter an authentication password.
   Confirm Password:                     //Confirm the authentication password.
   [*HUAWEI] snmp-agent usm-user v3 huawei_user privacy-mode aes256
   Please configure the privacy password (8-255)
   Enter Password:                       //Enter an encryption password.
   Confirm Password:                     //Confirm the encryption password.
5. Configure a trap host.
   [*HUAWEI] snmp-agent target-host trap address udp-domain 192.168.1.10 params securityname huawei_user v3 privacy
   [*HUAWEI] commit
3.2.1.5 Information Center Configuration
The operation and management area is the network management and maintenance center. It
collects the device operating status. To monitor the device operating status and locate faults,
you can send logs of devices to the management server in the maintenance and management
area through the information center.
Step 1 Enable the information center.
<HUAWEI> system-view
[~HUAWEI] info-center enable
[*HUAWEI] commit
Step 2 Configure the device to output logs to a log host.
[~HUAWEI] info-center loghost 10.1.1.1
[*HUAWEI] commit
----End
3.2.1.6 NTP Configuration
An NTP clock source on a data center network provides clock signals for all network devices.
All network devices in data centers synchronize their clocks with the NTP clock source.
Set the NTP working mode of all network devices to the unicast server/client mode, configure
CS1 as the primary time server, and ensure that CS1 has synchronized its time with an
authoritative clock (global positioning system). Configure CS2, DS, and AS as clients. To
ensure security, you are advised to enable the NTP authentication function.
Configure the NTP master clock, and enable the NTP authentication and NTP server
functions on CS1.
<CS1> system-view
[~CS1] ntp refclock-master 1
[*CS1] ntp authentication enable
[*CS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*CS1] ntp trusted authentication-keyid 42
[*CS1] undo ntp server disable
[*CS1] commit
Specify CS1 as the NTP server on DS1. The other configurations are similar.
<DS1> system-view
[~DS1] ntp authentication enable
[*DS1] ntp authentication-keyid 42 authentication-mode hmac-sha256 Hello@123456
[*DS1] ntp trusted authentication-keyid 42
[*DS1] ntp unicast-server 10.100.1.1 authentication-keyid 42
[*DS1] commit
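The authentication configured above matters because an unauthenticated NTP client will accept time from any host that answers as 10.100.1.1, and wrong time breaks log correlation and certificate validation across the data center. The following Python is an added illustration, not code from the page or from Huawei, of what the server and clients are doing with keyid 42: an authenticator keyed with the shared secret is appended to the 48-byte NTP header, and the receiver accepts a packet only if the key ID is configured and trusted and the MAC verifies. The packet header is constructed for the example, the second key (ID 7) is a constructed key that is configured but not trusted, and the MAC is a plain HMAC-SHA256 over the header; the page does not specify the device's exact on-the-wire construction, so treat the layout as an assumption.

```python
import hashlib
import hmac
import struct

# Key table mirroring the page's configuration (authentication-keyid 42, hmac-sha256,
# Hello@123456, trusted keyid 42). Key 7 is constructed: configured but deliberately not trusted.
NTP_KEYS = {42: b"Hello@123456", 7: b"constructed-untrusted-key"}
TRUSTED_KEYIDS = {42}
HEADER_LEN, KEYID_LEN, MAC_LEN = 48, 4, 32


def build_ntp_header(stratum=1, tx_seconds=3_900_000_000):
    """Constructed 48-byte NTPv4 server response header (LI=0, VN=4, Mode=4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # flags, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += b"GPS\x00"                                         # reference ID of a stratum-1 clock
    header += struct.pack("!II", tx_seconds - 1, 0)              # reference timestamp
    header += struct.pack("!II", tx_seconds - 1, 0)              # origin timestamp
    header += struct.pack("!II", tx_seconds, 0)                  # receive timestamp
    header += struct.pack("!II", tx_seconds, 0)                  # transmit timestamp (offset 40)
    return header


def authenticate(header, keyid):
    """Append the key identifier and an HMAC-SHA256 authenticator over the header (assumed layout)."""
    mac = hmac.new(NTP_KEYS[keyid], header, hashlib.sha256).digest()
    return header + struct.pack("!I", keyid) + mac


def verify(packet):
    """Receiver-side acceptance check; returns (accepted, reason)."""
    if len(packet) != HEADER_LEN + KEYID_LEN + MAC_LEN:
        return False, "no authenticator present"
    header = packet[:HEADER_LEN]
    keyid = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])[0]
    mac = packet[HEADER_LEN + KEYID_LEN:]
    if keyid not in NTP_KEYS:
        return False, f"unknown keyid {keyid}"
    if keyid not in TRUSTED_KEYIDS:                   # the 'ntp trusted authentication-keyid' check
        return False, f"keyid {keyid} is configured but not trusted"
    expected = hmac.new(NTP_KEYS[keyid], header, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):        # constant-time comparison
        return False, "MAC mismatch: packet altered or wrong key"
    return True, "authenticated"


def tamper_transmit_timestamp(packet, new_seconds):
    """Test helper: overwrite the transmit timestamp so the MAC no longer matches the header."""
    return packet[:40] + struct.pack("!I", new_seconds) + packet[44:]


if __name__ == "__main__":
    good = authenticate(build_ntp_header(), 42)
    print(verify(good))                                      # accepted
    print(verify(build_ntp_header()))                        # unauthenticated packet rejected
    print(verify(authenticate(build_ntp_header(), 7)))       # untrusted key rejected
    print(verify(tamper_transmit_timestamp(good, 1)))        # altered time rejected
```

The four checks in the main block mirror the configuration: authentication enable rejects bare packets, the trusted-keyid list rejects a key that is merely configured, and the MAC rejects any packet whose timestamps were changed in transit.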
3.2.2 Service Configuration
3.2.2.1 Interface Configuration
To ensure network reliability, physical interfaces comply with the following rules:
- An interface uses the auto-negotiation mode by default.
  For example, the common configuration of a 10GE electrical interface is as follows:
  <HUAWEI> system-view
  [~HUAWEI] interface 10ge 1/0/1
  [~HUAWEI-10GE1/0/1] undo negotiation disable
  [*HUAWEI-10GE1/0/1] speed auto 100 1000 10000
  [*HUAWEI-10GE1/0/1] commit
- A physical interface that is not in use must be in the shutdown state.
  Common configuration:
  <HUAWEI> system-view
  [~HUAWEI] interface 10ge 1/0/1
  [~HUAWEI-10GE1/0/1] shutdown
  [*HUAWEI-10GE1/0/1] commit
- An interface has link fault detection enabled.
  Common configuration:
  <HUAWEI> system-view
  [~HUAWEI] interface 10ge 1/0/1
  [~HUAWEI-10GE1/0/1] port crc-statistics trigger error-down
  [*HUAWEI-10GE1/0/1] commit
- The interfaces used for device interconnection are enabled in descending order of interface
  number, and the interfaces used for terminal connections are enabled in ascending order of
  interface number.
3.2.2.2 VLAN Configuration
The network is divided into multiple areas based on service types. In each area, there are
multiple types of application systems. Each service involves multiple sub-systems, which
have different service characteristics, protocol types, QoS requirements (such as the delay and
jitter), and security levels.
VLAN assignment needs to be configured to achieve the preceding network architecture.
VLAN technology differentiates services to implement QoS. It also logically isolates services
with different security levels, so that different security policies are enforced for different
VLANs and applications to improve network security.
Here, interface-based VLAN assignment is used. The principles and notes of VLAN
assignment are as follows:
1. VLAN assignment principles
   – Assign VLANs for interconnection between areas. VLAN IDs are valid only within an area.
   – Assign a VLAN range in each functional area, and assign VLANs to applications of different
     levels within the VLAN range in each area. Reserve some VLANs for expansion of different
     application systems in each area.
   – Define different VLAN ranges for different areas and assign different VLANs to different
     service systems. Locate servers of the same service system in the same VLAN and assign VLANs
     in ascending order of VLAN IDs. MAN and WAN users share VLANs with local users.
2. VLAN configuration notes
   – In a functional area, all user VLANs are configured on ASs and DSs. AS-DS and DS-DS Eth-Trunk
     links allow packets from service VLANs in the local area to pass through.
   – An Eth-Trunk link must not be configured to allow packets from all VLANs to pass through.
   – All Eth-Trunk links prevent packets from VLAN 1 from passing through.
The following table describes the VLAN design.
Table 3-1 VLAN design
No.  Function                         VLAN ID                    Remarks
1    Open platform area               200-399                    -
2    Development and testing area     400-499                    -
3    Operation and management area    500-599                    -
4    Local user access area           850-949                    Shared with MAN and WAN users
5    Extranet area                    650-699                    -
6    Network device interconnection   800-849                    -
7    Network device management        600-649                    -
8    Reserved                         10-199, 700-799, 950-1049  -
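Table 3-1 and the configuration notes above can be checked mechanically rather than by eye. The following Python is an added example, not code from the page or from Huawei: it encodes the table, confirms that the ranges are disjoint, maps a VLAN ID back to the area that owns it, and expands the argument of a port trunk allow-pass vlan command (VRP's "200 205 to 210" form) to verify that an AS-DS or DS-DS Eth-Trunk in a given area carries only that area's service VLANs, never VLAN 1 and never all VLANs. The function names are ours.

```python
# Table 3-1 from the page, as {area: [(low, high), ...]}.
VLAN_PLAN = {
    "Open platform area": [(200, 399)],
    "Development and testing area": [(400, 499)],
    "Operation and management area": [(500, 599)],
    "Local user access area": [(850, 949)],
    "Extranet area": [(650, 699)],
    "Network device interconnection": [(800, 849)],
    "Network device management": [(600, 649)],
    "Reserved": [(10, 199), (700, 799), (950, 1049)],
}


def check_plan_disjoint(plan):
    """Return (area, area) pairs whose VLAN ranges overlap; a sound design yields an empty list."""
    spans = sorted((lo, hi, name) for name, ranges in plan.items() for lo, hi in ranges)
    return [(n1, n2) for (lo1, hi1, n1), (lo2, hi2, n2) in zip(spans, spans[1:]) if lo2 <= hi1]


def area_of_vlan(vlan_id, plan=VLAN_PLAN):
    """Map a VLAN ID to the area that owns it, or None when it is outside the design (e.g. VLAN 1)."""
    for name, ranges in plan.items():
        if any(lo <= vlan_id <= hi for lo, hi in ranges):
            return name
    return None


def parse_vlan_list(spec):
    """Expand the argument of 'port trunk allow-pass vlan', e.g. '200 205 to 210', into a set of IDs."""
    tokens, ids, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def check_trunk_vlans(area, spec, plan=VLAN_PLAN):
    """Apply the configuration notes to one AS-DS or DS-DS Eth-Trunk in the given area:
    no 'all', no VLAN 1, and only service VLANs from the local area's own range."""
    if "all" in spec.split():
        return ["Eth-Trunk must not allow all VLANs"]
    problems = []
    for vid in sorted(parse_vlan_list(spec)):
        if vid == 1:
            problems.append("VLAN 1 must not be allowed")
            continue
        owner = area_of_vlan(vid, plan)
        if owner != area:
            problems.append(f"VLAN {vid} belongs to {owner or 'no planned range'}, not {area}")
    return problems


if __name__ == "__main__":
    print(check_plan_disjoint(VLAN_PLAN))
    print(area_of_vlan(201), area_of_vlan(1))
    print(check_trunk_vlans("Open platform area", "200 205 to 207"))
    print(check_trunk_vlans("Open platform area", "1 200 450"))
```

The last call shows the two configuration notes firing together: VLAN 1 is rejected outright, and VLAN 450 is reported as belonging to the development and testing area rather than the open platform area.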
3.2.2.3 Link Aggregation Configuration
If high-bandwidth and high-reliability links are required, configure link aggregation.
Bundle CS-CS, CS-DS, DS-DS, DS-firewall, AS-DS, and AS-server links, as well as
heartbeat links between firewalls into link aggregation groups to improve bandwidth and
reliability.
Requirements for link aggregation deployment:
- Deploy member interfaces on different cards to improve link reliability when one card fails.
- Configure the manual load balancing mode and use member interfaces of the same rate.
- Configure member interfaces to work in auto-negotiation mode. (If auto-negotiation fails, use
  the forcible mode and enable DLDP.)
Figure 3-3 Networking diagram of link aggregation
Link aggregation configuration (the DS-DS link is used as an example):
<DS1> system-view
[~DS1] vlan batch 200
[*DS1] interface eth-trunk 1
[*DS1-Eth-Trunk1] trunkport 10ge 1/0/1
[*DS1-Eth-Trunk1] trunkport 10ge 1/0/2
[*DS1-Eth-Trunk1] port link-type trunk
[*DS1-Eth-Trunk1] port trunk allow-pass vlan 200
[*DS1-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*DS1-Eth-Trunk1] quit
[*DS1] commit
[~DS1] interface eth-trunk 2
[*DS1-Eth-Trunk2] trunkport 10ge 1/0/3
[*DS1-Eth-Trunk2] trunkport 10ge 1/0/4
[*DS1-Eth-Trunk2] port link-type access
[*DS1-Eth-Trunk2] port default vlan 200
[*DS1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[*DS1-Eth-Trunk2] quit
[*DS1] commit
By default, an Eth-Trunk works in manual load balancing mode.
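Several of the standard settings in this chapter are easy to state and easy to drift from: SSH-only VTY access and no Telnet server (3.2.1.1), SNMPv3 only (3.2.1.4), a configured log host (3.2.1.5), NTP authentication on clients (3.2.1.6), unused interfaces shut down and CRC error-down on the rest (3.2.2.1), and VLAN 1 removed from every Eth-Trunk (3.2.2.3). The following Python is an added example, not code from the page or from Huawei, of a compliance check that reads a saved running configuration and reports each rule that is violated. The configuration text is constructed for the example and deliberately breaks several rules; the parser assumes the display current-configuration layout of one-space indentation for interface and user-interface blocks separated by # lines.

```python
# Constructed VRP-style running configuration for the check below; it is not from the page and
# deliberately violates several of the rules so that the report has something to show.
SAMPLE_CONFIG = """\
#
sysname XX1_OP_DS_01
#
info-center loghost 10.1.1.1
#
snmp-agent
snmp-agent sys-info version v2c v3
snmp-agent group v3 huawei_group privacy write-view alliso acl 2001
#
ntp authentication enable
ntp unicast-server 10.100.1.1 authentication-keyid 42
#
stelnet server enable
telnet server enable
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 200
 undo port trunk allow-pass vlan 1
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface 10GE1/0/1
 eth-trunk 1
 port crc-statistics trigger error-down
#
interface 10GE1/0/2
 eth-trunk 1
#
interface 10GE1/0/3
 shutdown
#
interface 10GE1/0/5
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""


def parse_vrp_config(text):
    """Split a configuration into global commands and indented blocks keyed by their header line."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(("interface ", "user-interface ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return one finding per hardening rule from this chapter that the configuration violates."""
    cmds, blocks = parse_vrp_config(text)
    findings = []
    versions = sorted(tok for cmd in cmds if cmd.startswith("snmp-agent sys-info version")
                      for tok in cmd.split()[3:])
    if versions != ["v3"]:
        findings.append(f"SNMP: only SNMPv3 should be enabled, found {versions or ['default']}")
    if any(cmd.startswith("snmp-agent community") for cmd in cmds):
        findings.append("SNMP: community-name authentication configured")
    if not any(cmd.startswith("info-center loghost") for cmd in cmds):
        findings.append("info-center: no log host configured")
    if any(cmd.startswith("ntp unicast-server") for cmd in cmds) and "ntp authentication enable" not in cmds:
        findings.append("NTP: client configured without NTP authentication")
    if "telnet server enable" in cmds:
        findings.append("login: Telnet server enabled; remote management should use STelnet")
    for header, lines in blocks.items():
        name = header.split(" ", 1)[1]
        if header.startswith("interface Eth-Trunk"):
            if "port link-type trunk" in lines and "undo port trunk allow-pass vlan 1" not in lines:
                findings.append(f"{name}: Eth-Trunk still allows VLAN 1")
        elif header.startswith(("interface 10GE", "interface GE")):
            if not lines:
                findings.append(f"{name}: unused physical interface is not shut down")
            elif "shutdown" not in lines and "port crc-statistics trigger error-down" not in lines:
                findings.append(f"{name}: link fault detection (CRC error-down) not enabled")
        elif header.startswith("user-interface vty") and "protocol inbound ssh" not in lines:
            findings.append(f"{name}: VTY accepts protocols other than SSH")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed configuration the report lists five findings: SNMPv2c still enabled, the Telnet server, Eth-Trunk2 without the VLAN 1 removal, 10GE1/0/2 without CRC error-down, and 10GE1/0/5 neither used nor shut down. Eth-Trunk1, 10GE1/0/1, 10GE1/0/3 and the VTY block pass.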
3.2.2.4 IP Address Configuration
The IP address design for a new LAN of the branch data center should observe the following
principles:
- Use IPv4.
- IP addresses of interconnected interfaces use a 29-bit subnet mask (255.255.255.248) to allow
  flexible network expansion and temporary deployment of test devices. One Class C address space
  offers 32 interconnection network segments for LANs.
- Implement route summarization between the head office and branches.
- The gateway address in a LAN uses the largest IP address on the local network segment. When
  VRRP or similar technologies are used, virtual addresses and actual addresses are allocated in
  descending order of IP address.
- The management address (Loopback0) of a network device uses a 32-bit subnet mask
  (255.255.255.255), which is used as the ID of a routing protocol such as OSPF. Assign
  contiguous addresses on a network segment as management addresses of all network devices based
  on the network layers where they are located.
- Assign IP addresses to devices in each area. Apply the IP address plan of an area to the
  downlink interfaces of aggregation switches in the area (including interconnection interfaces
  of the switches at the distribution layer) and access switches connected to the downlink
  interfaces. Apply the IP address plan of the core switching layer to core switches' interfaces
  connected to other areas. Apply the MAN/WAN IP address plan to DS switches' interfaces
  connected to WAN/MAN devices.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] interface vlanif 201
[*HUAWEI-Vlanif201] ip address 10.1.0.1 255.255.255.0
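The addressing rules above are deterministic, so the plan can be generated rather than hand-assigned, which avoids the overlapping segments and mismatched VRRP addresses that usually surface later as routing faults. The following Python is an added example, not code from the page or from Huawei: it carves a Class C block into the 32 /29 interconnection segments, derives the gateway as the largest usable address, lays out VRRP virtual and actual addresses in descending order, assigns contiguous Loopback0 /32s per network layer, and emits the interface vlanif and ip address commands shown above. The sample block 10.100.1.0/24 is constructed (only the server address 10.100.1.1 appears on the page), VLAN 801 is taken from the network device interconnection range in Table 3-1, and the helper names are ours.

```python
import ipaddress


def interconnect_subnets(block):
    """Carve one Class C block into /29 (255.255.255.248) interconnection segments: 32 per /24."""
    return list(ipaddress.ip_network(block).subnets(new_prefix=29))


def gateway_of(segment):
    """Gateway rule: the largest usable address on the local network segment."""
    return segment.broadcast_address - 1


def vrrp_addresses(segment, routers=2):
    """VRRP rule: the virtual address first, then the routers' actual addresses, in descending order."""
    hosts = sorted(segment.hosts(), reverse=True)
    return {"virtual": hosts[0], "actual": hosts[1:1 + routers]}


def management_loopbacks(block, devices_per_layer):
    """Loopback0 rule: one /32 per device (also the OSPF router ID), contiguous within each layer.

    devices_per_layer is ordered, e.g. {"CS": 2, "DS": 2, "AS": 4}; the block is constructed input.
    """
    hosts = iter(ipaddress.ip_network(block).hosts())
    return {layer: [ipaddress.ip_network(f"{next(hosts)}/32") for _ in range(count)]
            for layer, count in devices_per_layer.items()}


def vlanif_config(vlan_id, segment, address):
    """The page's 'interface vlanif' / 'ip address' commands, with the mask taken from the segment."""
    return ["system-view", f"interface vlanif {vlan_id}",
            f"ip address {address} {segment.netmask}", "commit"]


if __name__ == "__main__":
    segments = interconnect_subnets("10.100.1.0/24")       # constructed block
    first = segments[0]
    print(len(segments), "interconnection segments; first:", first)
    print("gateway:", gateway_of(first))
    print("VRRP:", vrrp_addresses(first))
    print("Loopback0 plan:", management_loopbacks("10.255.0.0/24", {"CS": 2, "DS": 2, "AS": 4}))
    print("\n".join(vlanif_config(801, first, gateway_of(first))))
```

For the first /29 the gateway and VRRP virtual address are both 10.100.1.6, DS1 and DS2 take 10.100.1.5 and 10.100.1.4, and the generated commands read ip address 10.100.1.6 255.255.255.248 on interface vlanif 801.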
3.2.2.5 STP Configuration
Loop prevention protocols are important on a Layer 2 network. In multi-level M-LAG
scenarios, the Virtual Spanning Tree Protocol (V-STP) can be used to prevent loops on the
Layer 2 network. V-STP can detect the M-LAG master or backup status. After V-STP is
enabled on the M-LAG master and backup devices and M-LAG master/backup negotiation is
successful, two devices are virtualized into one device for port role calculation and fast
convergence.
When service and reliability requirements are met, simplify configurations as much as
possible to achieve easy deployment and maintenance.
V-STP configuration:
Enable V-STP on the DS and AS.
DS1 and DS2 are used as an example. Assume that DS1 is the M-LAG master device and
DS2 is the M-LAG slave device. The configuration of AS1 and AS2 is the same.
<DS1> system-view
[~DS1] stp mode rstp
[*DS1] stp v-stp enable
[*DS1] commit
<DS2> system-view
[~DS2] stp mode rstp
[*DS2] stp v-stp enable
[*DS2] stp priority 36864
[*DS2] commit
3.2.3 Reliability Configuration
3.2.3.1 M-LAG Configuration
The dual-active system that is set up based on M-LAG provides device-level reliability. M-LAG virtualizes two devices into one device. M-LAG prevents loops on a Layer 2 network and implements redundancy.
Multi-level M-LAG ensures reliability, improves the link use efficiency, and expands the
network scale in dual-homing mode, meeting customer requirements.
Figure 3-4 M-LAG network
DS1 and DS2 constitute an M-LAG, whereas AS1 and AS2 constitute an M-LAG. The peer
link is configured on the Eth-Trunk between DS1 and DS2 to exchange M-LAG
synchronization packets. V-STP is configured between M-LAG devices to prevent loops.
OSPF is configured on DSs and CSs to implement Layer 3 interworking.
M-LAG configuration:
The M-LAG composed of AS1 and AS2 is used as an example. The configuration of DSs is
similar.
1. Configure IP addresses for main interfaces on AS1 and AS2 to ensure Layer 3 connectivity for transmission of heartbeat packets of M-LAG master and slave devices.
<AS1> system-view
[~AS1] interface meth 0/0/0
[~AS1-MEth0/0/0] ip address 10.1.1.1 24
[*AS1-MEth0/0/0] quit
<AS2> system-view
[~AS2] interface meth 0/0/0
[~AS2-MEth0/0/0] ip address 10.1.1.2 24
[*AS2-MEth0/0/0] quit
2. Configure a DFS group on AS1 and AS2.
[*AS1] dfs-group 1
[*AS1-dfs-group-1] source ip 10.1.1.1
[*AS1-dfs-group-1] priority 150
[*AS1-dfs-group-1] quit
[*AS2] dfs-group 1
[*AS2-dfs-group-1] source ip 10.1.1.2
[*AS2-dfs-group-1] priority 120
[*AS2-dfs-group-1] quit
3. Configure a peer link on AS1 and AS2.
[*AS1] interface eth-trunk 0
[*AS1-Eth-Trunk0] trunkport 10ge 1/0/3
[*AS1-Eth-Trunk0] trunkport 10ge 1/0/4
[*AS1-Eth-Trunk0] mode lacp-static
[*AS1-Eth-Trunk0] peer-link 1
[*AS1-Eth-Trunk0] quit
[*AS2] interface eth-trunk 0
[*AS2-Eth-Trunk0] trunkport 10ge 1/0/3
[*AS2-Eth-Trunk0] trunkport 10ge 1/0/4
[*AS2-Eth-Trunk0] mode lacp-static
[*AS2-Eth-Trunk0] peer-link 1
[*AS2-Eth-Trunk0] quit
4. Configure M-LAG member interfaces on AS1 and AS2.
[*AS1] vlan batch 11
[*AS1] interface eth-trunk 20
[*AS1-Eth-Trunk20] mode lacp-static
[*AS1-Eth-Trunk20] port link-type trunk
[*AS1-Eth-Trunk20] port trunk allow-pass vlan 11
[*AS1-Eth-Trunk20] trunkport 10ge 1/0/1 to 1/0/2
[*AS1-Eth-Trunk20] dfs-group 1 m-lag 1
[*AS1-Eth-Trunk20] quit
[*AS1] interface eth-trunk 30
[*AS1-Eth-Trunk30] mode lacp-static
[*AS1-Eth-Trunk30] port link-type trunk
[*AS1-Eth-Trunk30] port trunk allow-pass vlan 11
[*AS1-Eth-Trunk30] trunkport 10ge 1/0/5 to 1/0/6
[*AS1-Eth-Trunk30] dfs-group 1 m-lag 2
[*AS1-Eth-Trunk30] quit
[*AS1] commit
[*AS2] vlan batch 11
[*AS2] interface eth-trunk 20
[*AS2-Eth-Trunk20] mode lacp-static
[*AS2-Eth-Trunk20] port link-type trunk
[*AS2-Eth-Trunk20] port trunk allow-pass vlan 11
[*AS2-Eth-Trunk20] trunkport 10ge 1/0/1 to 1/0/2
[*AS2-Eth-Trunk20] dfs-group 1 m-lag 1
[*AS2-Eth-Trunk20] quit
[*AS2] interface eth-trunk 30
[*AS2-Eth-Trunk30] mode lacp-static
[*AS2-Eth-Trunk30] port link-type trunk
[*AS2-Eth-Trunk30] port trunk allow-pass vlan 11
[*AS2-Eth-Trunk30] trunkport 10ge 1/0/5 to 1/0/6
[*AS2-Eth-Trunk30] dfs-group 1 m-lag 2
[*AS2-Eth-Trunk30] quit
[*AS2] commit
3.2.3.2 Monitor Link Configuration
To prevent traffic loss due to an uplink fault, associate uplink and downlink interfaces with a
Monitor Link group.
As shown in the following figure, when the uplink of DS1 fails, user-side traffic that needs to
be forwarded by DS1 will be discarded. To prevent this problem, associate uplink and
downlink interfaces with a Monitor Link group on DS1. When the uplink interface enters the
Down state, the downlink interface also goes Down so that user-side traffic is not forwarded
by DS1. That is, traffic is forwarded normally by DS2.
Monitor Link configuration:
DS1 is used as an example. The configuration of DS2 is similar.
1. Associate uplink and downlink interfaces with a Monitor Link group.
[~DS1] monitor-link group 1
[*DS1-mtlk-group1] port eth-trunk 10 uplink
[*DS1-mtlk-group1] port eth-trunk 20 downlink 1
After the Monitor Link group is configured, the uplink interface is monitored in real
time. When the uplink interface fails, all the downlink interfaces in the Monitor Link
group enter the Error-Down state.
The device sets an interface in Error-Down state when detecting a fault on the interface.
The interface then cannot receive or send packets, and the interface indicator is off.
2. Set the WTR time of the Monitor Link group on DS1.
[*DS1-mtlk-group1] timer recover-time 5
[*DS1-mtlk-group1] quit
[*DS1] commit
To restore the downlink interface in Error-Down state, rectify the fault of the uplink
interface. After the uplink interface goes Up and the WTR time is reached, the downlink
interface is restored.
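The behaviour described in the two steps above (downlinks forced to Error-Down when the uplink fails, and restored only after the WTR time once the uplink is back) is easier to reason about as a small state machine. The model below is an added example, not code from the Huawei guide: the interface names (Eth-Trunk10 uplink, Eth-Trunk20 downlink) and the 5-second WTR follow the configuration above, while the integer-second clock and the event trace are a simplification of my own.

```python
"""Added example (not from the Huawei guide): a small model of a Monitor Link
group that traces the uplink/downlink coupling and the WTR timer described
above.  The interface names (Eth-Trunk10 uplink, Eth-Trunk20 downlink) and the
5-second WTR follow the configuration; the integer-second clock and the event
trace are my own simplification."""
from typing import Dict, List, Optional, Tuple


class MonitorLinkGroup:
    """The uplink's state drives every downlink in the group."""

    def __init__(self, uplink: str, downlinks: List[str], recover_time: int = 5) -> None:
        self.uplink = uplink
        self.uplink_up = True
        self.recover_time = recover_time            # WTR time in seconds
        self.state: Dict[str, str] = {d: "up" for d in downlinks}
        self._recover_at: Optional[int] = None     # clock value at which WTR expires

    def uplink_event(self, now: int, is_up: bool) -> Dict[str, str]:
        """Apply an uplink state change at time `now`."""
        self.uplink_up = is_up
        if not is_up:
            # Uplink fault: downlinks go Error-Down immediately so that the
            # access side stops sending traffic to this DS and uses its peer.
            self._recover_at = None
            for d in self.state:
                self.state[d] = "error-down"
        else:
            # Uplink recovered: start (or restart) the WTR timer.  Downlinks stay
            # down until it expires, so a flapping uplink cannot pull traffic
            # back before the uplink is stable.
            self._recover_at = now + self.recover_time
        return dict(self.state)

    def tick(self, now: int) -> Dict[str, str]:
        """Advance the clock; restore the downlinks once the WTR timer expires."""
        if self.uplink_up and self._recover_at is not None and now >= self._recover_at:
            for d in self.state:
                self.state[d] = "up"
            self._recover_at = None
        return dict(self.state)


def simulate(events: List[Tuple[int, str, Optional[bool]]]) -> List[Tuple[int, str]]:
    """Replay (time, 'uplink'|'tick', up?) events on a DS1-style group and
    return the Eth-Trunk20 state after each event."""
    group = MonitorLinkGroup("Eth-Trunk10", ["Eth-Trunk20"], recover_time=5)
    trace = []
    for t, kind, value in events:
        state = group.uplink_event(t, bool(value)) if kind == "uplink" else group.tick(t)
        trace.append((t, state["Eth-Trunk20"]))
    return trace
```

The second scenario in the test (uplink flaps again inside the WTR window) shows why the timer matters: each new recovery restarts the countdown, so the downlink is only restored once the uplink has stayed up for the full WTR time.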
3.2.3.3 Dual-Active Gateway Configuration
Generally, all hosts on a network are configured with the same default route that points to the
egress gateway so that the hosts can communicate with external networks. When the egress
gateway fails, the communication between the hosts and external networks is interrupted.
M-LAG virtualizes master and slave devices into one logical device and uses the IP address of
the logical device as the default gateway to implement communication with external
networks. When one gateway fails, M-LAG can select a new gateway to transmit data traffic,
ensuring network reliability.
Figure 3-5 Dual-active gateway configuration
You can use the following methods to configure the dual-active gateway:
- Configure VRRP. Create a VRRP group on VLANIF interfaces corresponding to M-LAG member interfaces of M-LAG master and slave devices and configure the same virtual IP address and virtual MAC address for the VLANIF interfaces.
- Configure the IP address and MAC address for each VLANIF interface. Configure the same IP address and MAC address for VLANIF interfaces.
Configure the M-LAG dual-active gateway between DSs.
DS1 is used as an example. The configuration of DS2 is similar.
1. Configure VRRP groups on VLANIF interfaces of DSs as the dual-active gateways of M-LAG master and slave devices.
[~DS1] interface vlanif 11
[*DS1-Vlanif11] ip address 10.2.1.1 24
[*DS1-Vlanif11] vrrp vrid 1 virtual-ip 10.2.1.111
[*DS1-Vlanif11] vrrp vrid 1 priority 120
[*DS1-Vlanif11] quit
[*DS1] commit
2. Configure the same IP address and MAC address for VLANIF interfaces on DSs as the dual-active gateways of M-LAG master and slave devices.
[~DS1] interface vlanif 11
[*DS1-Vlanif11] ip address 10.2.1.1 24
[*DS1-Vlanif11] mac-address 0000-5e00-0101
[*DS1-Vlanif11] quit
[*DS1] commit
When the same IP address and MAC address are configured for VLANIF interfaces, an IP address conflict alarm will be generated. To disable the alarm, run the undo snmp-agent trap enable feature-name arp trap-name hwethernetarpipconflictevent command.
3.2.4 Routing Configuration
The following figure shows routing design for a tier 1 branch data center.
Data center design consists of LAN design and MAN&WAN design.
Entire Routing Design
The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2
branches and uses OSPF as an IGP within itself.
In the LAN, the core area and other areas use OSPF to provide service routes, except that the
extranet uses static routes between the DS and AR.
EBGP
The tier 1 branch is planned as an independent autonomous system (AS) and uses a private
AS number.
IBGP
The WAN area of the tier 1 branch runs IBGP. OSPF 300 ensures connectivity for IBGP
between the WN_DSs and WN_ARs in the WAN area.
Three OSPF processes are designed on the network: OSPF 300, OSPF 400, and OSPF 500.
OSPF 300
OSPF 300 ensures IBGP connectivity between the WN_DSs and WN_ARs in the WAN area.
Links between the devices in the WAN area belong to Area 0.
OSPF 400
OSPF 400 ensures that there are reachable routes between the MAN/WAN area of the tier 1
branch and intra-city organizations. Interconnected links belong to Area 0.
OSPF 500
OSPF 500 ensures that there are reachable routes between the LAN area of branches and WN_DSs. Interconnected links belong to Area 0 to transmit services of the tier 1 branch.
Static:
The EP_AR in the extranet and external FW, external FW and internal FW, as well as internal
FW and EP_DS use static routes to communicate.
Routing Protocol Preference/Distance Design
Preferences of routing protocols to be used on all network devices are planned to ensure
consistent route selection between routing protocols on devices of different vendors.
Protocol                Preference
Static route            5
OSPF                    10
IBGP                    170
EBGP                    170
OSPF ASE                190
Floating static route   200
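The preference table above decides which route is active when several protocols offer the same prefix, and it is what makes the floating static route a backup rather than the primary path. The following is an added example, not code from the Huawei guide: it encodes the planned preferences, selects the active route for a prefix, traces which next hop takes over when one protocol's routes are withdrawn, and reports devices whose configured preferences deviate from the plan. The candidate routes and next-hop addresses are constructed sample data.

```python
"""Added example (not from the Huawei guide): route selection by protocol
preference, using the preference table above.  Candidate routes and next hops
are constructed sample data; the lowest preference value wins."""
from typing import Dict, List, Optional, Tuple

# Planned preferences from the table above.
PREFERENCE: Dict[str, int] = {
    "static": 5,
    "ospf": 10,
    "ibgp": 170,
    "ebgp": 170,
    "ospf-ase": 190,
    "floating-static": 200,
}

Route = Tuple[str, str, str]   # (prefix, protocol, next hop)


def select_route(prefix: str, candidates: List[Route]) -> Optional[Route]:
    """Return the active route for `prefix`: the candidate with the lowest
    preference value.  On a tie the first candidate in list order is kept."""
    best: Optional[Route] = None
    for route in candidates:
        if route[0] != prefix:
            continue
        if best is None or PREFERENCE[route[1]] < PREFERENCE[best[1]]:
            best = route
    return best


def active_next_hop(prefix: str, candidates: List[Route]) -> Optional[str]:
    route = select_route(prefix, candidates)
    return None if route is None else route[2]


def convergence_trace(prefix: str, candidates: List[Route], withdrawn_protocol: str) -> Tuple[Optional[str], Optional[str]]:
    """Next hop before and after every route of one protocol is withdrawn,
    e.g. when the OSPF neighbor goes down and a lower-ranked route takes over."""
    before = active_next_hop(prefix, candidates)
    remaining = [r for r in candidates if r[1] != withdrawn_protocol]
    after = active_next_hop(prefix, remaining)
    return before, after


def preference_deviations(device_prefs: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Compare one device's configured preferences with the plan and return
    {protocol: (configured, planned)} for each mismatch.  This is the check
    that keeps route selection consistent across devices of different vendors,
    whose factory defaults differ."""
    return {p: (v, PREFERENCE[p]) for p, v in device_prefs.items()
            if p in PREFERENCE and v != PREFERENCE[p]}
```

Note the second convergence case in the test: with an EBGP route present, withdrawing OSPF hands the prefix to EBGP (170), not to the floating static route (200); the floating static route only becomes active when every dynamically learned route is gone.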
3.2.4.1 LAN Routing Configuration
Routing Design and Basic Function Configuration
Figure 3-6 LAN routing design diagram
In the data center LAN shown in the figure, ASs are access devices and LAN_DSs are aggregation devices in the LAN; gateways are configured on the aggregation devices, and VRRP is configured on the downlink interfaces of the LAN_DSs to ensure reliability. CSs are core forwarding devices, and WAN_DSs are aggregation devices in the MAN/WAN area that connect the LAN core devices and the network egress routers.
This example uses OSPF to ensure intra-area connectivity.
OSPF Area Partition
The entire network uses OSPF process 500. Only a small number of devices run OSPF in the
LAN. Therefore, OSPF 500 uses only the backbone area Area 0. The following interfaces and
IP address need to be advertised in OSPF process 500:
- Virtual IP address of the VRRP group on downlink interfaces of LAN_DSs
- Interconnected interfaces between LAN_DSs and CSs, and between WAN_DSs and CSs
- Loopback interface whose IP address will be used as a router ID (This interface does not need to participate in OSPF calculation and so is configured as a silent interface.)
OSPF Router ID Design
In each OSPF process, a router must have a unique router ID to identify itself. By default, the
largest loopback interface IP address is used as the router ID. To ensure a stable OSPF router
ID, specify the IP address of Loopback 0 as a router ID when configuring an OSPF process.
Basic OSPF Function Configuration
Here, LAN_DS_01 is used as an example:
<LAN_DS_01> system-view
[~LAN_DS_01] interface loopback 0
[*LAN_DS_01-LoopBack0] ip address 172.16.1.1 32
[*LAN_DS_01-LoopBack0] quit
[*LAN_DS_01] ospf 500 router-id 172.16.1.1
[*LAN_DS_01-ospf-500] silent-interface loopback 0
[*LAN_DS_01-ospf-500] area 0
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[*LAN_DS_01-ospf-500-area-0.0.0.0] commit
Here, CS_01 is used as an example:
<CS_01> system-view
[~CS_01] interface loopback 0
[*CS_01-LoopBack0] ip address 172.16.1.2 32
[*CS_01-LoopBack0] quit
[*CS_01] ospf 500 router-id 172.16.1.2
[*CS_01-ospf-500] silent-interface loopback 0
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.2.4.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] network 10.2.5.0 0.0.0.255
[*CS_01-ospf-500-area-0.0.0.0] commit
Routing Protocol Performance, Reliability, and Security Design and Configuration
Here, CS_01 is used as an example. The configurations of other devices are similar to that of
CS_01.
OSPF Interface Network Type Design
By default, the network type of OSPF interfaces on an Ethernet network is broadcast. In this
example, every two OSPF neighbors are interconnected. To speed up OSPF neighbor
relationship establishment and route convergence, you can set the network type of non-silent
OSPF interfaces to point-to-point.
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf network-type p2p
OSPF Timer Design
Unless special requirements need to be met, the default OSPF timer values are recommended. This example uses the default OSPF timer values. If you need to modify timer parameter values, ensure that neighbors use the same OSPF timer parameter values.
For example, you can use the following commands to change the interval for sending Hello
packets to 20s:
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf timer hello 20
OSPF Metric Design
By default, the metric of an OSPF interface is automatically calculated using the formula:
Reference bandwidth/Interface bandwidth. The reference bandwidth can be modified and the
default value is 100 Mbit/s.
In this example, to facilitate maintenance and management, you can manually configure and
design the OSPF metric of each link without using the preceding formula.
Table 3-2 OSPF metric design
No.  Link                                              Metric
1    East-to-west links between CSs, and between DSs   100
2    South-to-north links between CSs and DSs          100
3    DS service interfaces                             1000
4    CS/DS loopback interfaces                         0 (no need to configure)
To set the metric of the link between CSs to 100, use the following commands:
<CS_01> system-view
[~CS_01] interface 10ge 1/0/1
[~CS_01-10GE1/0/1] undo portswitch
[*CS_01-10GE1/0/1] ospf cost 100
BFD for OSPF
In BFD for OSPF, a BFD session is associated with OSPF. The BFD session quickly detects a
link fault and then notifies OSPF of the fault. This speeds up OSPF's response to the change
of the network topology.
A dynamic BFD session established between all non-silent OSPF interfaces and neighbors
can implement millisecond-level detection of faults on the links between OSPF neighbors and
associate fast OSPF neighbor status switching to trigger route convergence calculation. The
link faults include physical link faults and upper-layer forwarding faults.
All BFD sessions use the following parameters.
Table 3-3 BFD for OSPF parameter design
Parameter          Parameter Description                                                                   Recommended Value
min-rx-interval    Specifies the minimum interval at which BFD packets are received from the remote end.   1000 ms
min-tx-interval    Specifies the minimum interval for sending BFD packets to the remote end.               1000 ms
detect-multiplier  Specifies the local detection multiplier.                                               3
<CS_01> system-view
[~CS_01] bfd
[*CS_01-bfd] quit
[*CS_01] ospf 500
[*CS_01-ospf-500] bfd all-interfaces enable
[*CS_01-ospf-500] bfd all-interfaces min-tx-interval 1000 min-rx-interval 1000 detect-multiplier 3
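Two pieces of arithmetic sit behind the metric design in Table 3-2 and the BFD parameters in Table 3-3: the default OSPF cost formula (reference bandwidth divided by interface bandwidth) and the BFD detection time that the min-rx/min-tx intervals and the multiplier produce. The block below is an added example, not code from the Huawei guide; it shows why the automatic formula with the 100 Mbit/s default cannot distinguish GE, 10GE and 40GE links (all get cost 1), which is the reason the design assigns metrics by hand, and it computes the detection time for the recommended BFD values. The link bandwidths passed in are constructed sample values.

```python
"""Added example (not from the Huawei guide): the arithmetic behind the OSPF
metric design (Table 3-2) and the BFD parameters (Table 3-3).  Link bandwidths
passed in are constructed sample values."""
from typing import Dict

DEFAULT_REFERENCE_BW_MBPS = 100   # Huawei default OSPF reference bandwidth (Mbit/s)

# Manual metric design from Table 3-2, keyed by link class.
TABLE_3_2_METRIC: Dict[str, int] = {
    "east-west": 100,     # CS-CS and DS-DS links
    "south-north": 100,   # CS-DS links
    "service": 1000,      # DS service interfaces
    "loopback": 0,        # CS/DS loopbacks (not configured)
}


def auto_cost(interface_bw_mbps: float, reference_bw_mbps: float = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Default OSPF cost: reference bandwidth / interface bandwidth, truncated
    to an integer and never below 1."""
    return max(1, int(reference_bw_mbps // interface_bw_mbps))


def all_same_auto_cost(links: Dict[str, float], reference_bw_mbps: float = DEFAULT_REFERENCE_BW_MBPS) -> bool:
    """True when the formula cannot tell the given links apart.  With the
    100 Mbit/s default, every link of 100 Mbit/s or faster costs 1, which is
    why the design above assigns metrics by hand instead."""
    costs = {auto_cost(bw, reference_bw_mbps) for bw in links.values()}
    return len(costs) == 1


def designed_cost(link_class: str) -> int:
    """Metric a link receives under the manual design in Table 3-2."""
    return TABLE_3_2_METRIC[link_class]


def bfd_detection_time_ms(local_min_rx_ms: int, remote_min_tx_ms: int, remote_detect_multiplier: int) -> int:
    """Time before the local end declares the session down (RFC 5880): the
    remote detect multiplier times the negotiated interval, which is the
    larger of the local min-rx and the remote min-tx."""
    return remote_detect_multiplier * max(local_min_rx_ms, remote_min_tx_ms)
```

With the recommended values (1000 ms both ways, multiplier 3) a link fault is declared after 3 s; lowering the intervals shortens that time, but both neighbors must be able to sustain the resulting packet rate on every BFD-enabled interface.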
OSPF Smart Timer Design
On an unstable network, route calculation may be performed frequently, which consumes a great deal of CPU resources. In addition, LSAs that describe the unstable topology are generated and advertised frequently, and processing such LSAs frequently affects network stability. The OSPF smart timer controls route calculation, LSA generation, and LSA receiving to speed up network convergence.
The OSPF smart timer speeds up network convergence in the following modes:
- On a network where routes are frequently calculated, the OSPF smart timer dynamically adjusts the interval for calculating routes according to the user configuration and the exponential backoff technology. In this manner, the number of route calculations is reduced, and so CPU resource consumption is reduced. Routes are calculated after the network topology becomes stable.
- On an unstable network, if a router generates or receives LSAs due to frequent topology changes, the OSPF smart timer can dynamically adjust the interval for calculating routes. No LSA is generated or handled within an interval, which prevents invalid LSAs from being generated and advertised in the entire network.
OSPF smart timer uses the following parameters.
Table 3-4 OSPF smart timer design
Smart Timer             Description                                           Recommended Value
spf-schedule-interval   Specifies the interval for calculating OSPF routes.   The default value is recommended. That is, the maximum interval for SPF calculation is 10000 ms, the initial interval is 500 ms, and the base interval is 1000 ms.
lsa-arrival-interval    Specifies the interval for receiving OSPF LSAs.       The default value is recommended. That is, the maximum interval for receiving OSPF LSAs is 1000 ms, the initial interval is 500 ms, and the base interval is 500 ms.
lsa-originate-interval  Specifies the interval for updating OSPF LSAs.        The default value is recommended. That is, the maximum interval for updating OSPF LSAs is 5000 ms, the initial interval is 500 ms, and the base interval is 1000 ms.
<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] lsa-arrival-interval intelligent-timer 1000 500 500
[*CS_01-ospf-500] lsa-originate-interval intelligent-timer 5000 500 1000
[*CS_01-ospf-500] spf-schedule-interval intelligent-timer 10000 500 1000
OSPF Route Authentication
To prevent unauthorized devices from accessing an OSPF network and obtaining network routing information, configure OSPF route authentication. In this example, OSPF area authentication is configured with the MD5 authentication mode; the authentication password is not provided here and can be specified according to your requirements.
<CS_01> system-view
[~CS_01] ospf 500
[*CS_01-ospf-500] area 0
[*CS_01-ospf-500-area-0.0.0.0] authentication-mode md5 1 cipher xxxxxxxx
3.2.4.2 Extranet Routing Configuration
Figure 3-7 Extranet routing design diagram
The extranet connects the data center to other service areas. Because fine-grained control is
required for access rights, the extranet uses the in-line firewall connection for networking.
In routing design, the extranet uses static specific routes and static default routes and is
separated from the LAN in routes. The following provides key configuration of each device.
Aggregation Switches (EP_DSs) in the Extranet
Aggregation switches (EP_DSs) in the extranet use OSPF to communicate with CSs of the
LAN and need to have static specific routes to all extranet service network segments
configured on downlink interfaces. The next-hop address of the routes is the uplink VRRP
virtual address of firewalls (EP_FWs). For details about the configuration of OSPF 500 and
VRRP, see "LAN Routing Configuration." The following provides only the static specific
route configuration of EP_DS_01. The configuration of EP_DS_02 is the same as that of
EP_DS_01.
<EP_DS_01> system-view
[~EP_DS_01] ip route-static 172.16.1.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.2.0 24 10.3.1.1
[*EP_DS_01] ip route-static 172.16.3.0 24 10.3.1.1
Firewall (EP_FW)
EP_FWs communicate with uplink devices using static default routes with the next-hop
address as the downlink VRRP virtual address of EP_DS. EP_FWs have static specific routes
to all extranet service network segments configured on downlink interfaces. The next-hop
address of the routes is the uplink VRRP virtual address of access devices (EP_ASs) in the
extranet. The following provides only the static route configuration of EP_FW_01. The
configuration of EP_FW_02 is the same as that of EP_FW_01.
<EP_FW_01> system-view
[~EP_FW_01] ip route-static 172.16.1.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.2.0 24 10.1.1.1
[*EP_FW_01] ip route-static 172.16.3.0 24 10.1.1.1
[*EP_FW_01] ip route-static 0.0.0.0 0 10.4.1.1
Access Devices (EP_ASs) in the Extranet
EP_ASs communicate with uplink devices using static default routes with the next-hop
address as the downlink VRRP virtual address of EP_FW. EP_ASs have static specific routes
to all extranet service network segments configured on downlink interfaces. The next-hop
address of the routes is the IP address of the interface on the directly connected peer device.
The following provides the static route configuration of EP_AS_01, in which x.x.x.x indicates
the IP address of the interface on the directly connected peer device.
<EP_AS_01> system-view
[~EP_AS_01] ip route-static 172.16.1.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.2.0 24 x.x.x.x
[*EP_AS_01] ip route-static 172.16.3.0 24 x.x.x.x
[*EP_AS_01] ip route-static 0.0.0.0 0 10.2.1.1
3.2.4.3 MAN/WAN Routing Configuration
The MAN/WAN area uses BGP to exchange service routes with the head office and tier 2
branches.
3.2.5 Security Configuration
3.2.5.1 ACL-based Antivirus Configuration
To prevent viruses with Layer 3 and Layer 4 characteristics, it is recommended that you
configure ACLs on network devices to filter data flows, improving network security. The
recommended antivirus configuration is as follows:
[*HUAWEI] acl number 3000
[*HUAWEI-acl4-advence-3000] rule 0 deny tcp destination-port eq 445
[*HUAWEI-acl4-advence-3000] rule 1 deny udp destination-port eq 445
[*HUAWEI-acl4-advence-3000] rule 2 deny tcp destination-port eq 135
[*HUAWEI-acl4-advence-3000] rule 3 deny tcp destination-port eq 136
[*HUAWEI-acl4-advence-3000] rule 4 deny tcp destination-port eq 137
[*HUAWEI-acl4-advence-3000] rule 5 deny tcp destination-port eq 138
[*HUAWEI-acl4-advence-3000] rule 6 deny tcp destination-port eq 139
[*HUAWEI-acl4-advence-3000] rule 7 deny udp destination-port eq 135
[*HUAWEI-acl4-advence-3000] rule 8 deny udp destination-port eq 136
[*HUAWEI-acl4-advence-3000] rule 9 deny udp destination-port eq netbios-ns
[*HUAWEI-acl4-advence-3000] rule 10 deny udp destination-port eq netbios-dgm
[*HUAWEI-acl4-advence-3000] rule 11 deny udp destination-port eq netbios-ssn
[*HUAWEI-acl4-advence-3000] rule 12 deny udp destination-port eq 1434
[*HUAWEI-acl4-advence-3000] rule 13 deny udp destination-port eq 6667
[*HUAWEI-acl4-advence-3000] rule 14 deny udp destination-port eq 7626
[*HUAWEI-acl4-advence-3000] rule 15 deny udp destination-port eq 6789
[*HUAWEI-acl4-advence-3000] rule 16 deny udp destination-port eq 5800
[*HUAWEI-acl4-advence-3000] rule 17 deny udp destination-port eq 5900
[*HUAWEI-acl4-advence-3000] rule 18 deny tcp destination-port eq 5900
[*HUAWEI-acl4-advence-3000] rule 19 deny tcp destination-port eq 5800
[*HUAWEI-acl4-advence-3000] rule 20 deny tcp destination-port eq 1999
[*HUAWEI-acl4-advence-3000] rule 21 deny tcp destination-port eq 5554
[*HUAWEI-acl4-advence-3000] rule 22 deny tcp destination-port eq 9995
[*HUAWEI-acl4-advence-3000] rule 23 deny tcp destination-port eq 9996
[*HUAWEI-acl4-advence-3000] rule 24 deny udp destination-port eq 12345
[*HUAWEI-acl4-advence-3000] rule 25 deny udp destination-port eq 1057
[*HUAWEI-acl4-advence-3000] rule 26 deny udp destination-port eq 2616
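Before an ACL of this size is applied to production interfaces it is worth verifying offline which flows it drops and which it leaves alone. The following parser and evaluator is an added example, not code from the Huawei guide: it reads the 27 rules of ACL 3000 as written above (resolving the netbios-ns, netbios-dgm and netbios-ssn names to 137, 138 and 139), evaluates sample packets in rule-ID order, and lists the denied ports per protocol. The sample packets are constructed; the implicit permit for traffic matching no rule is my assumption about the traffic-filter default and is marked in the code.

```python
"""Added example (not from the Huawei guide): a parser and evaluator for ACL
3000 above, so the filter can be checked against sample flows before it is
applied.  The rule text is copied from the configuration; the sample packets
and the implicit-permit assumption (traffic matching no rule is permitted)
are mine."""
from typing import List, Optional, Set, Tuple

# Service names accepted in place of port numbers (the three used above).
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

ACL_3000_TEXT = """\
rule 0 deny tcp destination-port eq 445
rule 1 deny udp destination-port eq 445
rule 2 deny tcp destination-port eq 135
rule 3 deny tcp destination-port eq 136
rule 4 deny tcp destination-port eq 137
rule 5 deny tcp destination-port eq 138
rule 6 deny tcp destination-port eq 139
rule 7 deny udp destination-port eq 135
rule 8 deny udp destination-port eq 136
rule 9 deny udp destination-port eq netbios-ns
rule 10 deny udp destination-port eq netbios-dgm
rule 11 deny udp destination-port eq netbios-ssn
rule 12 deny udp destination-port eq 1434
rule 13 deny udp destination-port eq 6667
rule 14 deny udp destination-port eq 7626
rule 15 deny udp destination-port eq 6789
rule 16 deny udp destination-port eq 5800
rule 17 deny udp destination-port eq 5900
rule 18 deny tcp destination-port eq 5900
rule 19 deny tcp destination-port eq 5800
rule 20 deny tcp destination-port eq 1999
rule 21 deny tcp destination-port eq 5554
rule 22 deny tcp destination-port eq 9995
rule 23 deny tcp destination-port eq 9996
rule 24 deny udp destination-port eq 12345
rule 25 deny udp destination-port eq 1057
rule 26 deny udp destination-port eq 2616
"""

Rule = Tuple[int, str, str, int]   # (rule id, action, protocol, destination port)


def parse_rule(line: str) -> Rule:
    """Parse 'rule <id> <action> <proto> destination-port eq <port>'."""
    t = line.split()
    if len(t) != 7 or t[0] != "rule" or t[4] != "destination-port" or t[5] != "eq":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    port = PORT_NAMES[t[6]] if t[6] in PORT_NAMES else int(t[6])
    return int(t[1]), t[2], t[3], port


def parse_acl(text: str) -> List[Rule]:
    """Rules sorted by ID, the order in which the device evaluates them."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r[0])


def evaluate(acl: List[Rule], protocol: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """First matching rule decides.  No match means permit: assumption about
    the traffic-filter default, not something the guide states."""
    for rid, action, proto, port in acl:
        if proto == protocol and port == dst_port:
            return action, rid
    return "permit", None


def denied_ports(acl: List[Rule], protocol: str) -> Set[int]:
    """All destination ports the ACL denies for one protocol."""
    return {port for _, action, proto, port in acl if action == "deny" and proto == protocol}
```

Feeding the ports of the services that actually run in an area through evaluate() is a quick way to confirm that a legitimate application is not silently blocked by one of the antivirus rules before the ACL is bound to an interface.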
3.2.5.2 Broadcast Storm Suppression Configuration
A broadcast storm will greatly affect the network. The broadcast storm suppression function
reduces the impact on a network.
The antivirus effect is better when broadcast storm suppression is configured on the network
devices closer to users. Therefore, configure it on the downstream interfaces of aggregation
switches and all interfaces of access switches.
When the average packet rate exceeds 5000 kbit/s, the devices discard excess packets.
Run the following commands on the downstream interfaces of aggregation switches,
interconnected interfaces between aggregation switches, and upstream interfaces of access
switches:
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] storm suppression broadcast cir 5000
3.2.5.3 MAC Address Flapping Detection
MAC address flapping means that a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later replaces the earlier one.
MAC address flapping detection enables devices to check whether MAC address flapping has
occurred. When detecting a MAC address flapping, the devices report an alarm to the NMS
for maintenance personnel to locate the fault.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection
3.2.5.4 MAC Address Triggered ARP Entry Update
A network device searches the ARP table for Layer 3 forwarding and forwards the packets that match entries. When the logical locations of user terminals change (for example, an active/standby switchover occurs between the network adapters of a server), the interfaces matching the changed IP addresses also change.
The outbound interfaces in the MAC address table are updated after certain packets are
received. The outbound interfaces in the ARP table are updated after the aging time expires.
Therefore, the outbound interfaces in the MAC address and ARP tables may be inconsistent.
For example, the outbound interfaces in the MAC address table are updated before the
outbound interfaces in the ARP table are updated.
To resolve this problem, you need to enable the function of MAC address triggered ARP entry
update so that the outbound interfaces in the ARP table are updated immediately when the
outbound interfaces in MAC address table are updated.
Common configuration:
<HUAWEI> system-view
[~HUAWEI] mac-address update arp enable
3.2.5.5 Loopback Detection on a Single Interface
STP cannot detect loops on a single interface. Loopback detection needs to be enabled on a
single interface.
Run the following commands on the downstream interface of an access switch:
<HUAWEI> system-view
[~HUAWEI] interface ge 1/0/1
[~HUAWEI-GE1/0/1] loopback-detect enable
3.2.5.6 ARP Attack Defense Configuration
- Configure ARP rate limiting.
If a host sends a large number of IP packets with unreachable destination IP addresses to a
network device, the device is greatly affected.
Configure ARP rate limiting in the system view:
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit 200
Configure ARP rate limiting in the VLAN view:
<HUAWEI> system-view
[~HUAWEI] vlan 201
[*HUAWEI-vlan201] arp anti-attack rate-limit 200
- Configure ARP rate limiting based on source IP addresses.
Considering the special requirements of some users, you can configure a different ARP
rate limit for these users.
NOTE
By default, the source IP address-based ARP rate limit is 30 pps. When the gateway requests MAC
addresses of many users on the network segment and the rate of ARP packets from the gateway IP
address exceeds 30 pps, you must increase the source IP address-based ARP rate limit; otherwise, the
ARP packets exceeding 30 pps will be discarded, causing a long delay on the gateway to learn ARP
entries. If an ARP scanning attack occurs, reduce the source IP address-based ARP rate limit.
Configure ARP rate limiting for any source IP address.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip maximum 100
Configure rate limit for the ARP packets from 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack rate-limit source-ip 10.1.1.1 maximum 100
When both the preceding configurations are performed, the later configuration takes
precedence. That is, if the source IP address of received ARP packets matches the IP address
specified in rate limiting, the rate limit specified in the later configuration takes effect. If the
source IP address of received ARP packets does not match the specified one, the rate limit in
the previous configuration takes effect.
- Configure ARP Miss rate limiting based on source IP addresses.
Considering the special requirements of some users, you can configure a different ARP
Miss rate limit for these users.
NOTE
By default, the source IP address-based ARP Miss rate limit is 30 pps. If a source IP address needs
to frequently trigger ARP Miss messages of which the rate will exceed 30 pps, increase the source
IP address-based ARP Miss rate limit. Otherwise, excessive ARP Miss messages from this source
IP address will be discarded within 5 seconds after the rate limit is exceeded. As a result, this
source IP address cannot trigger ARP learning.
Configure ARP Miss rate limiting for any source IP address.
<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip maximum 60
Configure rate limiting for the ARP Miss messages from a specified IP address.
<HUAWEI> system-view
[~HUAWEI] arp miss anti-attack rate-limit source-ip 10.0.0.1 maximum 60
When both the preceding configurations are performed, the later configuration takes
precedence. That is, if the source IP address of the IP packets triggering ARP Miss
messages matches the IP address specified in rate limiting, the rate limit specified in the
later configuration takes effect. If the source IP address of the IP packets does not match
the specified one, the rate limit in the previous configuration takes effect.
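The two source-IP rate-limit items above (ARP packets and ARP Miss messages) share the same precedence rule: a limit configured for a specific address overrides the limit for any source. The model below is an added example, not code from the Huawei guide; it counts packets per source in one-second windows, applies the per-address override, and replays a constructed burst so the effect of the two commands can be seen side by side. The 30 pps default, the window size and the trace are constructed values, and the 5-second penalty the ARP Miss note describes is not modelled.

```python
"""Added example (not from the Huawei guide): a per-source-IP rate limiter
modelling the two ARP and ARP Miss rate-limit commands above: one limit for
any source and an overriding limit for a specific address.  The 30 pps
default, the 1-second window and the packet trace are constructed values;
the 5-second penalty the note describes for ARP Miss is not modelled."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class SourceIpRateLimiter:
    """Counts packets per source IP in 1-second windows and drops the excess.
    A limit set for a specific address takes precedence over the limit for
    any source, which is the precedence rule stated in the text."""

    def __init__(self, any_source_max: int = 30) -> None:
        self.any_source_max = any_source_max
        self.per_source_max: Dict[str, int] = {}
        self._seen: Dict[Tuple[int, str], int] = defaultdict(int)

    def set_limit(self, max_pps: int, source_ip: Optional[str] = None) -> None:
        """source_ip=None mirrors 'rate-limit source-ip maximum N';
        a concrete address mirrors 'rate-limit source-ip A.B.C.D maximum N'."""
        if source_ip is None:
            self.any_source_max = max_pps
        else:
            self.per_source_max[source_ip] = max_pps

    def limit_for(self, source_ip: str) -> int:
        """Specific-address limit if one exists, otherwise the any-source limit."""
        return self.per_source_max.get(source_ip, self.any_source_max)

    def accept(self, t: float, source_ip: str) -> bool:
        """Return True if the packet at time t (seconds) is within the limit."""
        key = (int(t), source_ip)
        if self._seen[key] >= self.limit_for(source_ip):
            return False
        self._seen[key] += 1
        return True


def run_trace(limiter: SourceIpRateLimiter, packets: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Replay (time, source) packets; return {source: (accepted, dropped)}."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for t, src in packets:
        stats[src][0 if limiter.accept(t, src) else 1] += 1
    return {src: (a, d) for src, (a, d) in stats.items()}


def demo() -> Dict[str, Tuple[int, int]]:
    """Constructed burst: 50 ARP packets within one second from each of two
    hosts.  10.1.1.1 has a raised limit (as in the address-specific command
    above); 10.1.1.2 stays under the any-source limit."""
    limiter = SourceIpRateLimiter()
    limiter.set_limit(30)                  # any source
    limiter.set_limit(100, "10.1.1.1")     # specific source, takes precedence
    burst = [(i / 100, "10.1.1.1") for i in range(50)] + [(i / 100, "10.1.1.2") for i in range(50)]
    return run_trace(limiter, burst)
```

The same structure applies to ARP Miss limiting: the gateway that legitimately triggers many ARP Miss messages gets the raised per-address limit, while every other source keeps the lower default, so a scanning host is throttled without starving the gateway.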
- Configure strict ARP learning.
Strict ARP learning allows a device to learn ARP entries from only the ARP Reply
packets in response to the ARP Request packets sent by itself.
Configure strict ARP learning globally.
<HUAWEI> system-view
[~HUAWEI] arp learning strict
Configure strict ARP learning on an interface.
<HUAWEI> system-view
[~HUAWEI] interface vlanif 201
[~HUAWEI-Vlanif201] arp learning strict force-enable
- Configure ARP anti-spoofing.
To prevent ARP spoofing attacks, enable ARP entry fixing.
<HUAWEI> system-view
[~HUAWEI] arp anti-attack entry-check fixed-mac enable
- Prevent Man-in-the-Middle (MITM) attacks.
To prevent MITM attacks, configure ARP packet checking on interfaces or in VLANs. If
the packets received on an interface match a binding entry, the packets are forwarded;
otherwise, the packets are discarded.
In addition, you can configure the alarm function. When the number of discarded packets
exceeds the threshold, an alarm is generated.
NOTE
This function applies only to DHCP users. The binding entries can be automatically generated
after DHCP snooping is enabled.
Enable dynamic ARP inspection to check ARP packets against binding entries.
<HUAWEI> system-view
[~HUAWEI] vlan 201
[*HUAWEI-vlan201] arp anti-attack check user-bind enable
Configure check items for ARP packets.
[*HUAWEI-vlan201] arp anti-attack check user-bind check-item ip-address
To allow the ARP packets matching only one or two items in a binding entry to pass
through, configure the device to match ARP packets against only one or two items.
NOTE
The specified check items do not take effect for the users with static binding entries configured.
That is, the device still checks ARP packets against the static binding entries.
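The check described in this section (forward an ARP packet only if it matches a binding entry on the configured check items, match static entries on every item regardless of the configured items, count discards and raise an alarm at a threshold) is shown below as a Python model. It is an added example, not Huawei code; the binding entries, packets, and the alarm threshold of 2 are constructed for the demonstration, and the MAC address notation is only illustrative.

```python
"""Model of dynamic ARP inspection against a user binding table (added example)."""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

ALL_ITEMS: Tuple[str, ...] = ("ip-address", "mac-address", "vlan", "interface")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False        # True for a manually configured (static) entry


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str              # interface the packet was received on


@dataclass
class DynamicArpInspector:
    bindings: List[Binding]
    check_items: Sequence[str] = ALL_ITEMS   # "check user-bind check-item ..." selection
    alarm_threshold: int = 100
    discarded: int = 0
    alarms: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        unknown = set(self.check_items) - set(ALL_ITEMS)
        if unknown:
            raise ValueError(f"unknown check item(s): {sorted(unknown)}")

    @staticmethod
    def _matches(pkt: ArpPacket, b: Binding, items: Sequence[str]) -> bool:
        result = {
            "ip-address": pkt.sender_ip == b.ip,
            "mac-address": pkt.sender_mac.lower() == b.mac.lower(),
            "vlan": pkt.vlan == b.vlan,
            "interface": pkt.interface == b.interface,
        }
        return all(result[i] for i in items)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True to forward the packet, False to discard it."""
        for b in self.bindings:
            # Static entries ignore the configured check items: every field must match.
            items = ALL_ITEMS if b.static else self.check_items
            if self._matches(pkt, b, items):
                return True
        self.discarded += 1
        if self.discarded == self.alarm_threshold:
            self.alarms.append(
                f"ARP packets discarded by the user-bind check reached {self.discarded}")
        return False


# Constructed binding table: one entry learned through DHCP snooping, one static.
BINDINGS = [
    Binding("10.0.1.10", "00e0-fc11-1111", 201, "10GE1/0/1"),
    Binding("10.0.1.20", "00e0-fc22-2222", 201, "10GE1/0/2", static=True),
]


def demo():
    """Check items limited to ip-address, as in the command shown above."""
    dai = DynamicArpInspector(BINDINGS, check_items=("ip-address",), alarm_threshold=2)
    results = [
        # IP matches and only the IP is checked: forwarded even though the MAC differs.
        dai.inspect(ArpPacket("10.0.1.10", "00e0-fc99-9999", 201, "10GE1/0/1")),
        # Static entry: the check-item setting does not apply, the MAC must match too.
        dai.inspect(ArpPacket("10.0.1.20", "00e0-fc99-9999", 201, "10GE1/0/2")),
        # No binding entry at all: discarded, and the threshold of 2 raises the alarm.
        dai.inspect(ArpPacket("10.0.1.99", "00e0-fc33-3333", 201, "10GE1/0/3")),
    ]
    return results, dai.discarded, dai.alarms


if __name__ == "__main__":
    print(demo())
```

The first packet shows the trade-off the text describes: restricting the check items lets packets through that match only the IP address, so a spoofed MAC address is not caught for DHCP users unless mac-address is among the check items; the static entry is still matched in full.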
3.2.6 Firewall Configuration
Firewalls are connected in bypass mode in the open platform area, development and testing
area, operation and management area, and area egress to implement secure access between the
local area and other functional areas.
VRF instances are created on the aggregation layer to separate service network routes and
public network routes. Firewalls are connected in bypass mode to ensure secure access
between different areas, and firewalls work in hot standby mode to ensure high reliability.
VRF-A is created on the DS, service interfaces and downlink interfaces connected to firewalls
are bound to VRF-A, and the default route of VRF-A points to the downlink VRRP virtual IP
address of firewalls. Static routes from DSs to service network segments are configured, and
the next hop IP address is the uplink VRRP virtual IP address of firewalls.
Static routes are configured between firewalls and DSs. Firewalls are configured with the
Huawei Redundancy Protocol (HRP) and security policies based on application requirements.
1. M-LAG is configured between DS1 and DS2, and the VRRP group is used as the user-side gateway and next hop of the firewall. A VRRP group is configured on VLANIF 200 as the next hop of uplink traffic on the firewall, and a VRRP group is configured on VLANIF 300 as the next hop of downlink traffic on the firewall.
2. Create VRF-A on DS1, and bind VLANIF 200 and VLANIF 300, which connect to the downlink interface of the firewall, to VRF-A. The default route of VRF-A points to the downlink VRRP virtual IP address of the firewalls.
NOTE
When an interface is bound to VRF-A, the IP address of the interface is deleted; therefore, you need to reconfigure the IP address.
[~DS1] ip vpn-instance VRF-A
[*DS1-vpn-instance-VRF-A] ipv4-family
[*DS1-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[*DS1-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[*DS1-vpn-instance-VRF-A-af-ipv4] quit
[*DS1-vpn-instance-VRF-A] quit
[*DS1] interface vlanif 200
[*DS1-Vlanif200] ip binding vpn-instance VRF-A
[*DS1-Vlanif200] ip address 10.10.1.1 24
[*DS1-Vlanif200] quit
[*DS1] interface vlanif 300
[*DS1-Vlanif300] ip binding vpn-instance VRF-A
[*DS1-Vlanif300] ip address 10.10.2.1 24
[*DS1-Vlanif300] quit
[*DS1] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
[*DS1] commit
3. Configure a static route from DS1 to the service network segment. The next hop address is the uplink VRRP virtual IP address of the firewalls. Run OSPF between DS1 and CS and import the static route to OSPF.
[~HUAWEI] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
[*HUAWEI] ospf 100
[*HUAWEI-ospf-100] area 0
[*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
[*HUAWEI-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255
[*HUAWEI-ospf-100-area-0.0.0.0] quit
[*HUAWEI-ospf-100] import-route static
[*HUAWEI-ospf-100] quit
[*HUAWEI] commit
4. Perform basic configurations including the device name, interfaces, and IP addresses on the firewalls. The configurations are not provided here.
5. Configure zones on FW1.
[FW1] firewall zone trust
[FW1-zone-trust] add interface eth-trunk 3
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface eth-trunk 2
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface eth-trunk 1
[FW1-zone-dmz] quit
6. Configure zones on FW2.
[FW2] firewall zone trust
[FW2-zone-trust] add interface eth-trunk 3
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface eth-trunk 2
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface eth-trunk 1
[FW2-zone-dmz] quit
7. Configure a static route on FW1. The next hop address in the route used for access from the internal network to the external network is the IP address of VLANIF 300 that connects to the uplink interface of the firewall. The next hop address in the route used for access from the external network to the internal network is the IP address of VLANIF 200 that connects to the downlink interface of the firewall.
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
[FW1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
8. Configure a static route on FW2.
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
[FW2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
9. Configure HRP on FW1.
[FW1] interface eth-trunk 3
[FW1-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 master
[FW1-Eth-Trunk3] quit
[FW1] interface eth-trunk 2
[FW1-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 master
[FW1-Eth-Trunk2] quit
[FW1] hrp interface eth-trunk 1 remote 10.1.1.2
[FW1] firewall packet-filter default permit interzone local dmz
[FW1] hrp enable
10. Configure HRP on FW2.
[FW2] interface eth-trunk 3
[FW2-Eth-Trunk3] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
[FW2-Eth-Trunk3] quit
[FW2] interface eth-trunk 2
[FW2-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
[FW2-Eth-Trunk2] quit
[FW2] hrp interface eth-trunk 1 remote 10.1.1.1
[FW2] firewall packet-filter default permit interzone local dmz
[FW2] hrp enable
NOTE
After the HRP configuration is complete, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active firewall FW1.
11. Configure the security policy and intrusion prevention system (IPS).
NOTE
Before configuring IPS, ensure that the IPS signature database uses the latest version.
When configuring IPS, use the default IPS configuration file default.
HRP_M[FW1] policy interzone trust untrust outbound
HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] profile ips default
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW1] policy interzone trust untrust inbound
HRP_M[FW1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW1] ips enable
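The effect of the two interzone policies in this step is easier to see when the evaluation is spelled out. The following Python model is an added example, not Huawei code: it maps interfaces to zones as in steps 5 and 9, evaluates policies first-match within a zone pair, and denies anything that no policy permits, since no default permit is configured for the trust/untrust pair. The protocol and port assumed for the predefined ftp and http service sets (TCP 21 and TCP 80) and the flows tested are assumptions of the model.

```python
"""First-match interzone security policy evaluation (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Interface -> zone, as configured on FW1 in steps 5 and 9 above.
ZONE_OF_INTERFACE: Dict[str, str] = {
    "Eth-Trunk3": "trust", "Eth-Trunk2": "untrust", "Eth-Trunk1": "dmz",
}
# Assumed definition of the predefined service sets: (IP protocol number, port).
SERVICE_SETS: Dict[str, Tuple[int, int]] = {"ftp": (6, 21), "http": (6, 80)}


@dataclass(frozen=True)
class Flow:
    in_interface: str
    out_interface: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: int


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str                                   # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None
    services: Optional[FrozenSet[str]] = None     # None means any service
    ips_profile: Optional[str] = None             # "profile ips default" in the policy

    def matches(self, flow: Flow) -> bool:
        if self.source and ipaddress.ip_address(flow.src_ip) not in self.source:
            return False
        if self.destination and ipaddress.ip_address(flow.dst_ip) not in self.destination:
            return False
        if self.services is not None:
            return any(SERVICE_SETS[s] == (flow.proto, flow.dst_port) for s in self.services)
        return True


# "policy interzone trust untrust outbound" and "inbound", policy 1 of each, from step 11.
POLICIES: List[Policy] = [
    Policy("trust", "untrust", "permit",
           source=ipaddress.ip_network("10.10.1.0/24"), ips_profile="default"),
    Policy("untrust", "trust", "permit",
           destination=ipaddress.ip_network("10.10.1.0/24"),
           services=frozenset({"ftp", "http"}), ips_profile="default"),
]


def evaluate(flow: Flow, policies: List[Policy] = POLICIES) -> Tuple[str, Optional[str]]:
    """Return (action, ips_profile) of the first matching policy, or deny."""
    src_zone = ZONE_OF_INTERFACE[flow.in_interface]
    dst_zone = ZONE_OF_INTERFACE[flow.out_interface]
    for p in policies:
        if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.matches(flow):
            return p.action, p.ips_profile
    return "deny", None          # no default permit configured for this zone pair


if __name__ == "__main__":
    # Constructed flows: an internal host reaching out, and an external host coming in.
    print(evaluate(Flow("Eth-Trunk3", "Eth-Trunk2", "10.10.1.5", "203.0.113.7", 6, 443)))
    print(evaluate(Flow("Eth-Trunk2", "Eth-Trunk3", "203.0.113.7", "10.10.1.5", 6, 80)))
    print(evaluate(Flow("Eth-Trunk2", "Eth-Trunk3", "203.0.113.7", "10.10.1.5", 6, 22)))
```

The third flow is the one to keep in mind when reviewing such a policy: inbound access to the service segment is restricted to the listed service sets, so anything else from the untrust zone falls through to the implicit deny, and both permitted directions carry the IPS profile.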
12. Configure attack defense.
NOTE
The attack defense thresholds in this example are only for reference. Configure the thresholds
according to the traffic volume on your network.
HRP_M[FW1] firewall defend syn-flood enable
HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW1] firewall defend udp-flood enable
HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW1] firewall defend icmp-flood enable
HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW1] firewall blacklist enable
HRP_M[FW1] firewall defend ip-sweep enable
HRP_M[FW1] firewall defend ip-sweep max-rate 4000
HRP_M[FW1] firewall defend port-scan enable
HRP_M[FW1] firewall defend port-scan max-rate 4000
HRP_M[FW1] firewall defend ip-fragment enable
HRP_M[FW1] firewall defend ip-spoofing enable
13. Configure ASPF. FTP is used as an example. If there are other applications on the
internal network, enable ASPF.
HRP_M[FW1] firewall interzone trust untrust
HRP_M[FW1-interzone-trust-untrust] detect ftp
HRP_M[FW1-interzone-trust-untrust] quit
4 DCN Deployment Solution Based on the Agile Controller and Integrated Hardware Overlay Network
4.1 Overview
4.1.1 Purpose
This document provides a detailed data center design for a level-1 bank branch, covering the
network architecture, IP address and VLAN planning, routing design, security design,
network reliability design, and network management system design for the data center. You
can use this document as a reference for data center project implementation.
4.1.2 Typical Networking
4.1.2.1 Logic Architecture
The following figure shows the logical topology of the level-1 bank branch's data center
network, which is divided into multiple areas depending on the functions provided.
The following describes the functional areas.
Area: Open platform area (OP)
Function and positioning: Provides access to running open systems, including the accounting system as well as other accounting-relevant and accounting-irrelevant service systems. This area is a major business area for communication between production and office departments.
Accessible to: Clients and servers

Area: Operation and management area (OM)
Function and positioning: Has servers deployed for system operations, monitoring, and maintenance. This area is responsible for network and system management and maintenance.
Accessible to: Only a few authorized maintenance users

Area: Development and testing area (DT)
Function and positioning: Accommodates servers of systems that have not been put into use, including the hosts and open platform systems that are under development or testing.
Accessible to: Clients and servers

Area: MAN/WAN access area (WN/MN)
Function and positioning: Connects the level-1 bank branch to the head office and its data center, downstream level-2 branches and outlets, as well as offices, branches, and outlets in the local city. This area provides connections to the level-1 bank branch's LANs and subordinate branches.
Accessible to: ATM machines, POS machines, teller terminals, maintenance users, office terminals, and terminals in business centers

Area: Local user access area (LU)
Function and positioning: Allows access of various user terminals.
Accessible to: Local maintenance users, local office terminals, and terminals in local business centers

Area: DMZ Extranet (EP)
Function and positioning: Implements interconnection with business platforms of partners, major accounts, and agents through lines of carriers.
Accessible to: Partners, international branches, off-bank devices (3G/2G/PSTN), telephone banking systems, and customer service centers
Different from the traditional DCN deployment solution, this DCN deployment solution is based
on the cloud platform, the Agile Controller, and an integrated hardware overlay network. It uses
Software-Defined Networking (SDN) technology to implement large-scale pooling of
computing, storage, and network resources. Additionally, this solution uses a cloud platform
to implement unified management on level-1 bank branch networks and invoke resources in
resource pools as required to support functions of each area, enabling flexible network
deployment and enhancing shared resource usage.
4.1.2.2 Physical Architecture
The solution is based on the three-layer architecture and allows firewall management. Figure
4-1 shows the physical topology of this solution.
Figure 4-1 Physical topology of the three-layer architecture firewall management solution
- Servers: Virtualization platform servers, physical servers, cloud platform servers, and
AC-DCN servers access the network through leaf switches.
- Leaf nodes: Servers are connected to leaf nodes through stacking or Multichassis Link
Aggregation Group (M-LAG). Leaf nodes and spine nodes communicate at Layer 3. A
stack or M-LAG consisting of leaf nodes functions as a virtual tunnel end point (VTEP)
to guide server traffic transmission on the VXLAN.
- Spine nodes: A spine node connects to leaf nodes and gateways. Routing protocols are
used to ensure that routes are reachable at Layer 3. The spine node does not function as a
VTEP.
- GWs: Two gateways constitute an M-LAG, and serve as dual-active gateways. The
gateways and spine nodes communicate at Layer 3, and connect to external routers
Router-1 and Router-2.
- FWs: Two firewalls are configured to work in active/standby mirroring mode and
connected to the two gateways in bypass mode.
- LBs: The cloud platform manages LBs deployed by vendors. In SDN scenarios, LBs
access the network at Layer 2 and share the same VBDIF gateway with member servers
that process services. Therefore, it is recommended that LBs be deployed in the same access
mode as member servers to facilitate O&M. That is, connect the two LBs to leaf devices
through Eth-Trunks. The floating IP addresses of the LBs are on the same subnet of the
member servers, and the VBDIF gateway is shared by member servers and LBs. If LBs
are connected to a CE12800 series gateway, FD and FDA cards, and SFUFs and SFUGs
are required.
4.1.3 Version Support
Table 4-1 describes products and version mapping involved in the networking.
Table 4-1 Version Support
Category | Product | Version
Cloud platform | FusionSphere OpenStack | V100R006C00 + V100R006C00SPC001
Cloud platform | OpenStack | Kilo
Controller | Agile Controller-DCN | V200R001C00SPC705
LB | Hardware F5 BIG-IP | Software version: 11.6.1; plug-in versions: 1.0.12.hw.fs.001 (for interconnection with FusionSphere), 1.0.12.hw.os.001 (for interconnection with OpenStack)
FW | Eudemon E8000E-X (provided by the carrier) | V500R002C00SPC300
FW | Eudemon E1000E-N (provided by the carrier) | V500R002C00SPC300
FW | USG6600 | V500R001C30SPC300
FW | USG9500 | V500R001C30SPC300
L3 centralized VXLAN gateway | CE12800 | V200R001C00SPC700 + V200R001SPH001
L3 centralized VXLAN gateway | CE7850/CE8860 | V200R001C00SPC700
L2 TOR switch | CE7850/CE6855HI/CE6851HI/CE6850HI | V200R001C00SPC700
vSwitch | VDS | vSphere 6.0
vSwitch | Hyper-V vSwitch | 2012-R2
VMM | VMware vCenter | vSphere 6.0
VMM | Microsoft System Center | 2012-R2 (not applicable when FusionSphere OpenStack is connected)
Virtualization platform | VMware ESX | vSphere 6.0
Virtualization platform | Microsoft Hyper-V | 2012-R2 (not applicable when FusionSphere OpenStack is connected)
NOTE
The AC-DCN does not manage load balancers (LBs), and only manages firewalls provided by Huawei.
4.1.4 Solution Restrictions
There are some restrictions in the networking of the solution. Consider these restrictions when
planning a network.
SDN Restrictions
- When open-source OpenStack is connected, different VPCs cannot directly communicate with each other. In this scenario, VPCs can only communicate with each other through elastic IP addresses (EIPs).
- In one POD, CE series switches of V100R006 and V200R001 cannot be used together.
- When OpenStack or FusionSphere OpenStack connects to F5, pay attention to the following items:
  - HTTPS load balancing service in Secure Socket Layer (SSL) offloading mode is not supported. HTTPS load balancing service in default bypass mode is supported.
  - Weighted Round Robin (WRR) scheduling is not supported, whereas Round Robin (RR) scheduling is supported.
- The AC-DCN cannot deliver user name and password configurations of the Simple Network Management Protocol (SNMP) to firewalls through NETCONF. The SNMP user name and password need to be manually configured on firewalls.
AC-DCN Restrictions
- The AC-DCN only manages the Admin-VS.
- The AC-DCN does not support an all-active gateway group in which more than two gateways are active. However, multiple groups of dual-active gateways are supported.
- An external network cannot be bound to multiple gateway groups.
- You can deploy networking through the AC-DCN or the CLI. Do not use the two methods simultaneously because manually configured CLIs may conflict with commands delivered by the AC-DCN. If this occurs, services cannot be automatically provisioned.
- In a full-meshed scenario where virtual private network (VPN) isolation is not configured for service gateways, IP addresses of tenant subnets cannot overlap, and firewalls and VPN services cannot be configured.
- On the nodes in an AC-DCN cluster, the system time of the AC-DCN node server cannot be manually modified. If the system time of the AC-DCN node server is manually modified, the time of different AC-DCN nodes cannot be synchronized and system exceptions occur. The AC-DCN uses the Network Time Protocol (NTP) to synchronize time. NTP needs to be configured before you install the AC-DCN to implement clock synchronization.
- When an AC-DCN cluster is running, the cluster capacity cannot be increased or decreased. Plan the cluster scale and deploy the cluster in the network construction phase.
- When adding F5 LBs to the AC-DCN, set the device name to the default value F5LBAAS. If not, LB services cannot be delivered.
- When firewalls work in active/standby mirroring mode, the AC-DCN manages them through Layer 3 main ports or Eth-Trunks, but not loopback or management (Meth) interfaces on the firewalls.
- When multiple IP addresses are configured for a VM on the network interface card (NIC), only one IP address is displayed on the AC-DCN. That is, the AC-DCN only supports single path detection for a VM.
- Paths can be detected only when VXLAN-enabled Huawei CE series switches are deployed on the paths.
- The rollback function of the AC-DCN has the following restrictions: If function check (such as device auditing) or new service delivery cannot be implemented after a version upgrade, these two functions are unavailable after the version is rolled back. You are advised to reinstall the source AC-DCN version according to the upgrade guide, and implement rollback by restoring the database.
Firewall Restrictions
- A virtual system (VSYS) license shall be loaded on firewalls.
- Firewalls can be physically connected to centralized VXLAN Layer 3 gateways directly or in bypass mode.
- Non-firewall mode and 1+1 mirroring mode (same interface configurations are set for two firewalls, and the standby device does not provide services) are supported. 1+1 active/standby mode with Virtual Router Redundancy Protocol (VRRP) switchover and 1+1 dual-active mode are not supported.
- Software distributed firewalls are not supported.
LB Restrictions
In the cloud-network integration scenario, F5 can be managed by FusionSphere OpenStack
and open-source OpenStack after corresponding plug-ins are installed.
LB devices can only access the network at Layer 2. If only FD and FDA interface cards, and
SFUFs and SFUGs are configured for CE12800 series switches, LBs can be connected to
VXLAN Layer 3 gateways in bypass mode. If other interface cards or SFUs are configured,
LBs can only be connected to service leaf nodes or spine devices.
CE Series Switch Restrictions
- No licenses are required in deploying VXLANs for CE12800 series switches. Licenses are required in deploying VXLANs for CE8800, CE7800, and CE6800 series switches.
- VXLAN packets cannot be fragmented or reassembled on CE devices. When both CE and non-CE devices are deployed on a VXLAN, VXLAN packets may be fragmented on non-CE devices. However, CE devices cannot reassemble these packets, resulting in a forwarding failure. To prevent this problem, you are advised to set the frame length threshold of packets to 1400 bytes on the server or increase the maximum transmission unit (MTU) value for non-CE devices that VXLAN packets pass through.
- On a CE device, Multiprotocol Label Switching (MPLS) encapsulation cannot be implemented on packets after VXLAN encapsulation. The reverse encapsulation order is not supported either. This problem can be prevented by configuring a specific networking solution. For example, configure device A to implement VXLAN encapsulation on packets and forward the packets to device B, and configure device B to implement MPLS encapsulation.
- The combination usage of EA and GE cards with EC, ED, EF, EG, FD, or FDA cards with VXLAN services deployed is not recommended. If so, the VXLAN packet forwarding performance of all EA, EC, ED, EF, EG, and GE cards on the device will decrease by around 50%. The performance will not be affected if only traditional VLAN services are deployed.
- To configure a TOR fixed switch as a VXLAN Layer 3 gateway, you are advised to use the CE7855EI and CE6870EI. To configure the CE8860EI, CE7850EI, CE6850HI, CE6851HI, or CE6850UHI as a VXLAN Layer 3 gateway, you need to set some service interfaces to external loopback interfaces. These service interfaces cannot be used in other services, and optical modules and cable connection are not required. The bandwidth of a loopback interface shall double the bandwidth of a VXLAN Layer 3 gateway. The CE7855 and CE6855 do not require external loopback interfaces.
- In the AC-DCN firewall management scenario, the CE6855 that works in single-node or stacking mode, or functions as a parent switch on a Super Virtual Fabric (SVF) system cannot be used as a VXLAN Layer 3 gateway. (When the CE6855 functions as a Layer 3 gateway, it can be connected to firewalls and routers only through VBDIF interfaces, but not VLANIF or main interfaces. However, when the AC-DCN manages firewalls, it automatically configures a VLAN on the interface of the gateway and creates a VLANIF interface for connecting to firewalls.) Therefore, the CE7855 and CE6870 are recommended.
- EC, ED, EF, and EG cards do not support the concurrent Layer 2 and Layer 3 VXLAN scenario. In this scenario, both VXLAN Layer 2 sub-interface access and VXLAN tunnel access are enabled on a gateway, and the bridge domains (BDs) on the tunnel side correspond to the VBDIF interfaces on the gateway. To enable this scenario, configure the loopback mode through the CLI. However, in loopback mode, the VXLAN packet forwarding performance of EC, ED, EF, and EG cards will decrease by around 50%.
- When an SVF system consisting of fixed switches functions as a leaf node, only paths between VTEPs can be detected, but not paths between VMs. The CE5810EI should not be used as a leaf device in an SVF system consisting of fixed switches. You are advised to configure the CE5855EI as a leaf device, which will provide GE access to servers.
- In the three-layer network architecture, spine devices in the middle must be Huawei devices as well. If not, some O&M functions such as AC path detection may not be available.
4.2 Network Deployment
4.2.1 Network Deployment Panorama
After hardware devices are installed and cables are connected, network engineers deploy the
network. Figure 4-2 shows the network deployment process.
Figure 4-2 Network deployment process
Table 4-2 describes tasks in each phase.
Table 4-2 Tasks in each network deployment phase

Task: Checking Software and Hardware Environments
Description: Check whether hardware and software versions and licenses are the same as planned. If not, upgrade or replace the hardware, software, or license.

Task: Deploy the underlay network.
Description: Configure the management network and basic fabric network to enable the AC-DCN to manage the fabric network.

Task: Install the AC-DCN.
Description: Install the AC-DCN software on physical servers in a cluster.

Task: Pre-configure the AC-DCN.
Description: Activate the AC-DCN license, configure the AC-DCN to automatically discover resources, create PODs, and pre-configure the resources for the overlay network deployment.

Task: Interconnect the AC-DCN with a cloud platform.
Description: Perform configurations on the AC-DCN and a cloud platform to connect the AC-DCN to the cloud platform, preparing for the overlay network deployment.

Task: Deploy the overlay network.
Description: Create and deliver services on the AC-DCN portal as required.

Task: Perform common operations.
Description: Use the AC-DCN to expand device capacity, or replace and delete devices as required.
4.2.2 Checking Software and Hardware Environments
Before deployment, check whether hardware and software versions as well as patches meet the
requirements. For details about the requirements, see section 4.1.3 Version Support. If they
do not, replace or upgrade the devices.
Checking CE Series Switch Version, License, and Running Status
Step 1 Run the display version command to check the version of a CE series switch.
<HUAWEI> display version   //Check whether the current switch version is V200R001C00SPC700.
Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.13 (CE12800 V200R001C00SPC700)
Copyright (C) 2012-2016 Huawei Technologies Co., Ltd.
HUAWEI CE12804 uptime is 0 day, 1 hour, 55 minutes
<HUAWEI> display patch-information   //Check whether the switch has loaded the latest patch.
Patch Package Name    :flash:/CE12800-V200R001SPH003.PAT
Patch Package Version : V200R001SPH003
Patch Package State   :Running   //Check whether the patch is running.
Patch Package Run Time:2016-11-09 17:57:27
Step 2 Run the display license command to check information about the CE series switch license.
<HUAWEI> display license   //TOR switches need VXLAN licenses, but CE series switches do not.
MainBoard:
Active License    : flash:/CloudEngine7800.dat
License state     : Demo
Revoke ticket     : No ticket
RD of Huawei Technologies Co., Ltd.
Product name      : CloudEngine 7800
Product version   : V200R001
License Serial No : LIC201411261KSH50
Creator           : Huawei Technologies Co., Ltd.
Created Time      : 2016-11-09 17:57:27
Feature name      : CELIC
Authorize type    : demo
Expired date      : 2017-02-20
Trial days        : -
Item name      Item type   Value   Description
-------------------------------------------------------------
CE-LIC-VXLAN   Function    YES     CE-LIC-VXLAN
Step 3 To check the running status of the CE series switch, run the display device command to check
whether all cards have been registered and run the display alarm active command to check
the current active alarms.
<HUAWEI> display device   //If Registered is displayed under Register and Normal under Alarm, the switch is running properly.
CE12804's Device status:
---------------------------------------------------------------------
Slot  Card Type    Online   Power  Register    Alarm   Primary
---------------------------------------------------------------------
3     CE-L24LQ-EA  Present  On     Registered  Normal  NA
4     CE-L24XS-EA  Present  On     Registered  Normal  NA
5     CE-MPUA      Present  On     Registered  Normal  Master
7     CE-CMUA      Present  On     Registered  Normal  Master
13    CE-SFU04C    Present  On     Registered  Normal  NA
PWR2               Present  On     Registered  Normal  NA
FAN3               Present  On     Registered  Normal  NA
FAN4               Present  On     Registered  Normal  NA
FAN5               Present  On     Registered  Normal  NA
FAN7               Present  On     Registered  Normal  NA
FAN8               Present  On     Registered  Normal  NA
FAN9               Present  On     Registered  Normal  NA
---------------------------------------------------------------------
<HUAWEI> display alarm active
---------------------------------------------------------------------
Sequence  AlarmId    Severity  Date        Time      Description
---------------------------------------------------------------------
20        0x8520003  Major     2013-12-26  09:10:31  The interface status changes. (ifName=Eth-Trunk19, AdminStatus=UP, OperStatus=DOWN, Reason=The conditions for the activation of the interface are not met, mainName=Eth-Trunk19)
---------------------------------------------------------------------
----End
Checking Firewall Version, License, and Running Status
Step 1 Run the display version command to check the version of a firewall.
<USG9000> display version   //Check whether the current firewall version is correct.
Huawei Technologies Versatile Security Platform Software
Software Version: USG9520&9560&9580 V500R001C30 (VRP (R) Software, Version 5.70)
Copyright (C) 2007-2013 Huawei Technologies Co., Ltd. All rights reserved.
Secospace USG9580 uptime is 0 day, 23 hours, 35 minutes
USG9580 version information:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Step 2 Run the display license command to check the firewall license.
<USG9000> display license   //Check whether VSYS is enabled.
MainBoard:
Device ESN is: 030KKR10B1003130
The file activated is: cfcard:/license.dat
The time when activated is: 2014/04/08 10:11:47
Firewall default Performance per cpu: 40Gbps
Number of VPN Tunnels-R: 1000000
Number of Virtual Systems: 4095
GTP: Enable
6RD Session Scale: 1280M
NAT64 Session Scale: 1280M
DS-Lite Session Scale: 1280M
Firewall Upgrade Additional Performance: 1280Gbps
Expiration Date of The IPS Update Service: 2014-05-18
SlaveBoard:
Device ESN is: 030KKR10B1000131
The file activated is: cfcard:/license.dat
The time when activated is: 2014/04/08 10:11:47
Firewall default Performance per cpu: 40Gbps
Number of VPN Tunnels-R: 1000000
Number of Virtual Systems: 4095
GTP: Enable
6RD Session Scale: 1280M
NAT64 Session Scale: 1280M
DS-Lite Session Scale: 1280M
Firewall Upgrade Additional Performance: 1280Gbps
Expiration Date of The IPS Update Service: 2014-05-18
Step 3 To check the running status of the firewall, run the display device command to check whether
all cards have been registered and run the display alarm active command to check the current
active alarms.
<USG9000> display device //If Registered is displayed under Register and Normal under Alarm, the firewall is running properly.
USG9580's Device status:
Slot #  Type  Online   Register    Status  Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1       LPU   Present  Registered  Normal  NA
5       LPU   Present  Registered  Normal  NA
6       SPU   Present  Registered  Normal  NA
9       MPU   Present  Registered  Normal  Master
10      MPU   Present  Registered  Normal  Slave
13      SFU   Present  Registered  Normal  NA
14      SFU   Present  Registered  Normal  NA
15      CLK   Present  Registered  Normal  Master
16      CLK   Present  Registered  Normal  Slave
17      PWR   Present  Registered  Normal  NA
19      FAN   Present  Registered  Normal  NA
<USG9000> display alarm all
---------------------------------------------------------------------------
Index  Level      Date      Time      Info
1      Emergency  11-07-05  11:25:40  The 48 V power supply for the board was abnormal.[LPU 5]
----End
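The checks in the steps above (every card Registered/Normal, no active alarm of concern) can be scripted over the captured command output. The following is an added example, not code from the Huawei guide; it parses the card table in both the USG9000 row shape and the CE12800 row shape (with the extra Power column) and the alarm tables shown on this page, on constructed sample output embedded in the script.

```python
"""Health check over 'display device' and 'display alarm active' output.

Added example, not code from the Huawei guide. It parses the card table
(one card per row with Online, Register and Status columns, with or
without the CE12800 Power column) and the alarm table the guide shows,
and reports cards that are not Registered/Normal and alarms at or above
a chosen severity, which is the check the text asks the operator to do.
"""
import re

# Severity words from both platforms' alarm tables (the guide shows "Major" on
# the CE12800 and "Emergency" on the USG9000), ranked for threshold comparison.
SEVERITY_RANK = {"Emergency": 6, "Alert": 5, "Critical": 4, "Major": 3, "Error": 3,
                 "Minor": 2, "Warning": 1, "Notice": 0, "Informational": 0}

# A data row starts with a slot number ("1") or a slot name ("PWR2", "FAN3").
ROW_START = re.compile(r"^(\d+|[A-Z]+\d+)$")


def parse_cards(display_device: str) -> list:
    """Return one dict per present card: slot, card, register, status."""
    rows = []
    for line in display_device.splitlines():
        f = line.split()
        if len(f) < 3 or not ROW_START.match(f[0]):
            continue                     # header, separator, prompt or blank line
        try:
            i = next(k for k, tok in enumerate(f) if tok in ("Present", "Absent"))
        except StopIteration:
            continue
        rest = [tok for tok in f[i + 1:] if tok not in ("On", "Off")]  # skip Power column
        if f[i] == "Absent" or len(rest) < 2:
            continue                     # an empty slot is not a fault
        rows.append({"slot": f[0], "card": " ".join(f[1:i]) or "-",
                     "register": rest[0], "status": rest[1]})
    return rows


def check_cards(display_device: str) -> list:
    """Return (slot, card, reason) for every present card not Registered/Normal."""
    return [(r["slot"], r["card"], f"register={r['register']} status={r['status']}")
            for r in parse_cards(display_device)
            if r["register"] != "Registered" or r["status"] != "Normal"]


def active_alarms(display_alarm: str, minimum: str = "Major") -> list:
    """Return (severity, description) for alarms at or above the minimum severity."""
    found = []
    for line in display_alarm.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():
            continue
        # Severity sits in column 2 (USG9000) or column 3 (CE12800, after AlarmId);
        # the date and time follow it and the description is everything after those.
        sev_idx = next((k for k in (1, 2) if f[k] in SEVERITY_RANK), None)
        if sev_idx is None:
            continue
        if SEVERITY_RANK[f[sev_idx]] >= SEVERITY_RANK[minimum]:
            found.append((f[sev_idx], " ".join(f[sev_idx + 3:])))
    return found


# Constructed sample output mixing the USG9000 row shape (no Power column) and the
# CE12800 row shape (Power "On" column); slot 5 and FAN3 are deliberately faulty.
DISPLAY_DEVICE = """\
Slot # Type Online Register Status Primary
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 LPU Present Registered Normal NA
5 LPU Present Unregistered Abnormal NA
9 MPU Present Registered Normal Master
13 SFU Absent
PWR2 Present On Registered Normal NA
FAN3 Present On Registered Abnormal NA
"""

# Constructed alarm table in the guide's format; the second row is made up.
DISPLAY_ALARM = """\
Sequence AlarmId Severity Date Time Description
20 0x8520003 Major 2013-12-26 09:10:31 The interface status changes. (ifName=Eth-Trunk19, AdminStatus=UP, OperStatus=DOWN)
21 0x0000000 Minor 2013-12-26 09:12:02 Constructed minor alarm.
"""

if __name__ == "__main__":
    print(check_cards(DISPLAY_DEVICE))      # [('5', 'LPU', ...), ('FAN3', '-', ...)]
    print(active_alarms(DISPLAY_ALARM))     # only the Major alarm at the default threshold
```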
Checking the AC-DCN Software Package
In most cases, an AC-DCN software package consists of the following files:
- An operating system image (.iso file)
- An AC-DCN installation package (Install_Pkg)
- An AC-DCN configuration package (Config_Pkg)
- AC-DCN plug-in (eSDK) for interconnecting with a cloud platform
- Cloud platform plug-ins (OPS_Plugin and FSP_Plugin) for interconnection
- The Breeze iDeploy installation tool
- Signature verification files (.asc files) of all the preceding files
Step 1 Check whether the software versions are correct.
Step 2 Verify integrity of the files. You are advised to use Huawei PGPVerify. For details on how to
use the PGPVerify tool, see File Signature Verification Guide Using Huawei PGPVerify.
----End
4.2.3 Underlay Network Configuration
4.2.3.1 Configuring Network Management
Network management modes include in-band management and out-of-band management:
- Out-of-band management indicates that devices are managed on a dedicated management
  interface, which keeps management and control traffic isolated from service traffic. This
  method is recommended.
  This topic uses out-of-band management as an example. The customer management VLAN ID is
  20, and the network devices under out-of-band management include switches, firewalls, and
  load balancers (LBs). The management interfaces of the network devices are connected to the
  management switches, and management addresses are configured on the management interfaces
  for remote login. For details about the management interface configuration and NE login
  configuration, see the product documentation.
  For out-of-band management of the AC-DCN, the BMC interface of the AC-DCN is connected to
  the management switch, and the IP address, mask, and management network segment are
  configured for the BMC interface for remote login. The management network segment
  configuration is similar to that of the AC-DCN.
- In-band management indicates that devices are managed on the service interfaces. If errors
  occur on the service network, users may fail to log in to the devices.
  In-band management of network devices does not incur additional costs. In this example, the
  loopback IP address used as the Router-ID of each device can be used as the in-band
  management IP address. The details are not described in this topic.
4.2.3.2 Configuring a TOR Stack
Configure Leaf-CE6851HI-1 and Leaf-CE6851HI-2 to set up a stack. The configuration
roadmap is as follows:
1. Establishing a stack: Configure a stack and dual-active detection (DAD), restart the
   devices, and connect cables to make the stack take effect.
2. Configuring IP addresses: On the leaf nodes, configure IP addresses for the Layer 3
   interfaces that connect to the spine nodes, the Loopback0 interfaces (the IP address is
   used as the Router-ID and VTEP IP address), the management interfaces Meth0/0/0, and
   the NVE1 interfaces (the IP address is the VTEP IP address).
3. Configuring server access: Configure Leaf-CE6851HI-1 and Leaf-CE6851HI-2 to enable
   service servers and the AC-DCN to access the stack.
4. Configuring routes: Configure BGP dynamic routes on the stack to connect the stacked
   switches to two spine devices and ensure that the routes between the stack and spine
   devices are reachable at Layer 3.
Establishing a Stack
Step 1 On Leaf-CE6851HI-1, set the stack member ID to 1, stack priority to 150, and stack domain
ID to 10.
<HUAWEI> system-view
[~HUAWEI] sysname Leaf-CE6851HI-1
[*HUAWEI] commit
[~Leaf-CE6851HI-1] stack
[~Leaf-CE6851HI-1-stack] stack member 1 priority 150
[*Leaf-CE6851HI-1-stack] stack member 1 domain 10
[*Leaf-CE6851HI-1-stack] quit
[*Leaf-CE6851HI-1] commit
Step 2 On Leaf-CE6851HI-2, set the stack domain ID to 10.
<HUAWEI> system-view
[~HUAWEI] sysname Leaf-CE6851HI-2
[*HUAWEI] commit
[~Leaf-CE6851HI-2] stack
[*Leaf-CE6851HI-2-stack] stack member 1 domain 10
[*Leaf-CE6851HI-2-stack] quit
[*Leaf-CE6851HI-2] commit
Step 3 Configure stack interfaces.
# On Leaf-CE6851HI-1, add 40GE1/0/1 through 40GE1/0/2 to Stack-Port1/1.
[~Leaf-CE6851HI-1] interface stack-port 1/1
[*Leaf-CE6851HI-1-Stack-Port1/1] port member-group interface 40ge 1/0/1 to 1/0/2
Warning: The interface(s) (40GE1/0/1-1/0/2) will be converted to stack mode and
be configured with the port crc-statistics trigger error-down command if the
configuration does not exist. After the configuration is complete, these
interfaces may go Error-Down (crc-statistics) because there is no shutdown
configuration on the interfaces. [Y/N]: y
[*Leaf-CE6851HI-1-Stack-Port1/1] quit
[*Leaf-CE6851HI-1] commit
[~Leaf-CE6851HI-1] quit
# On Leaf-CE6851HI-2, add 40GE1/0/1 through 40GE1/0/2 to Stack-Port1/1.
[~Leaf-CE6851HI-2] interface stack-port 1/1
[*Leaf-CE6851HI-2-Stack-Port1/1] port member-group interface 40ge 1/0/1 to 1/0/2
Warning: The interface(s) (40GE1/0/1-1/0/2) will be converted to stack mode and
be configured with the port crc-statistics trigger error-down command if the
configuration does not exist. After the configuration is complete, these
interfaces may go Error-Down (crc-statistics) because there is no shutdown
configuration on the interfaces. [Y/N]: y
[*Leaf-CE6851HI-2-Stack-Port1/1] quit
[*Leaf-CE6851HI-2] commit
[~Leaf-CE6851HI-2] quit
Step 4 Configure DAD on Leaf-CE6851HI-1 and Leaf-CE6851HI-2 so that, if the stack splits, the
network does not end up with two devices running conflicting configurations.
# Configure DAD on Leaf-CE6851HI-1.
[~Leaf-CE6851HI-1] interface Meth0/0/0
[~Leaf-CE6851HI-1-MEth0/0/0] dual-active detect enable
[*Leaf-CE6851HI-1-MEth0/0/0] commit
# Configure DAD on Leaf-CE6851HI-2.
[~Leaf-CE6851HI-2] interface Meth0/0/0
[~Leaf-CE6851HI-2-MEth0/0/0] dual-active detect enable
[*Leaf-CE6851HI-2-MEth0/0/0] commit
NOTE
If in-band management is used on the network, you need to configure service interfaces on the switches
and use DAD in direct mode. At least two direct links are required to ensure reliability. To implement
DAD in direct mode on service interfaces, the configuration is as follows:
[~Leaf-CE6851HI-1&CE6851HI-2] interface 10GE1/0/30
[~Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/30] description "for DAD"
[*Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/30] dual-active detect mode direct
[*Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/30] interface 10GE1/0/31
[*Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/31] description "for DAD"
[*Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/31] dual-active detect mode direct
[*Leaf-CE6851HI-1&CE6851HI-2-10GE1/0/31] interface 10GE2/0/30
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/30] description "for DAD"
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/30] dual-active detect mode direct
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/30] interface 10GE2/0/31
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/31] description "for DAD"
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/31] dual-active detect mode direct
[*Leaf-CE6851HI-1&CE6851HI-2-10GE2/0/31] commit
Step 5 Save the configuration and restart a switch.
# Save the configuration on Leaf-CE6851HI-1 and restart the switch. Configurations on other
TOR devices are similar to the configuration on Leaf-CE6851HI-1, and are not mentioned
here.
<Leaf-CE6851HI-1> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
<Leaf-CE6851HI-1> reboot
Warning: The system will reboot. Continue? [Y/N]: y
Step 6 Connect Leaf-CE6851HI-1 and Leaf-CE6851HI-2 using stack cables to set up a stack.
Step 7 After the stack is set up, save the configuration.
----End
Configuring IP Addresses
Step 1 Configure IP addresses for the interconnection interfaces.
NOTE
Before switching the working mode of interfaces on a CE6855HI or CE7855EI series switch to Layer 3,
run the vlan reserved for main-interface startvlanid to endvlanid command to specify a dedicated
reserved VLAN for each Layer 3 main interface.
[~Leaf-CE6851HI-1] sysname Leaf-CE6851HI-1&CE6851HI-2
[*Leaf-CE6851HI-1] commit
[~Leaf-CE6851HI-1&CE6851HI-2] interface 40GE1/0/3
[~Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/3] description "to_Spine-CE12804-1-40GE1/0/0"
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/3] undo portswitch
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/3] ip address 11.254.40.157 30
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/3] commit
[~Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/3] quit
[~Leaf-CE6851HI-1&CE6851HI-2] interface 40GE1/0/4
[~Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/4] description "to_Spine-CE12804-2-40GE1/0/1"
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/4] undo portswitch
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/4] ip address 11.254.40.165 30
[*Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/4] commit
[~Leaf-CE6851HI-1&CE6851HI-2-40GE1/0/4] quit
[~Leaf-CE6851HI-1&CE6851HI-2] interface 40GE2/0/3
[~Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/3] description "to_Spine-CE12804-2-40GE1/0/0"
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/3] undo portswitch
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/3] ip address 11.254.40.161 30
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/3] commit
[~Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/3] quit
[~Leaf-CE6851HI-1&CE6851HI-2] interface 40GE2/0/4
[~Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/4] description "to_Spine-CE12804-1-40GE1/0/1"
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/4] undo portswitch
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/4] ip address 11.254.40.169 30
[*Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/4] commit
[~Leaf-CE6851HI-1&CE6851HI-2-40GE2/0/4] quit
Step 2 Configure an IP address for the loopback interface.
[~Leaf-CE6851HI-1&CE6851HI-2] interface loopback0
[~Leaf-CE6851HI-1&CE6851HI-2-LoopBack0] description "VTEP&Router-ID"
[*Leaf-CE6851HI-1&CE6851HI-2-LoopBack0] ip address 11.11.11.11 32
[*Leaf-CE6851HI-1&CE6851HI-2-LoopBack0] commit
[~Leaf-CE6851HI-1&CE6851HI-2-LoopBack0] quit
Step 3 Configure an IP address for the management interface.
[~Leaf-CE6851HI-1&CE6851HI-2] interface Meth0/0/0
[*Leaf-CE6851HI-1&CE6851HI-2-Meth0/0/0] ip address 100.125.94.2 24
[*Leaf-CE6851HI-1&CE6851HI-2-Meth0/0/0] commit
[~Leaf-CE6851HI-1&CE6851HI-2-Meth0/0/0] quit
Step 4 Configure the VTEP IP address.
[~Leaf-CE6851HI-1&CE6851HI-2] interface NVE1
[*Leaf-CE6851HI-1&CE6851HI-2-Nve1] source 11.11.11.11
[*Leaf-CE6851HI-1&CE6851HI-2-Nve1] commit
[~Leaf-CE6851HI-1&CE6851HI-2-Nve1] quit
----End
Configuring Server Access
Configure Leaf-CE6851HI-1 and Leaf-CE6851HI-2 to enable service servers and the AC-DCN server to access the stack.
Step 1 Configure common service server access instances on Leaf-CE6851HI-1 and Leaf-CE6851HI-2.
# Configure common service servers to access the stack in load balancing mode.
[*Leaf-CE6851HI-1&CE6851HI-2] interface eth-trunk 1
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] mode lacp-static
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] port link-type trunk
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] trunkport 10ge 1/0/1
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] trunkport 10ge 2/0/1
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk1] quit
[*Leaf-CE6851HI-1&CE6851HI-2] commit
# When common service servers access the stack in active/standby mode, interface
configurations will be delivered by the AC-DCN after physical network cables are connected.
Step 2 To connect the AC-DCN to the network through the M-LAG, see section 4.2.3.3 Configuring
a TOR M-LAG. To connect the AC-DCN to the network through the TOR stack, configure
as follows:
1. Configure an IP address for the AC-DCN service gateway.
[~Leaf-CE6851HI-1&CE6851HI-2] vlan 10
[*Leaf-CE6851HI-1&CE6851HI-2-vlan10] interface vlanif 10
[*Leaf-CE6851HI-1&CE6851HI-2-Vlanif10] ip address 100.125.100.2 24
[*Leaf-CE6851HI-1&CE6851HI-2-Vlanif10] commit
2. Configure AC-DCN server access instances on Leaf-CE6851HI-1 and Leaf-CE6851HI-2. (The following uses the load balancing mode as an example.)
[*Leaf-CE6851HI-1&CE6851HI-2] interface eth-trunk 100
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk100] mode lacp-static
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk100] port default vlan 10
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk100] trunkport 10ge 1/0/46
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk100] trunkport 10ge 2/0/46
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk100] quit
[*Leaf-CE6851HI-1&CE6851HI-2] commit
[*Leaf-CE6851HI-1&CE6851HI-2] interface eth-trunk 101
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk101] mode lacp-static
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk101] port default vlan 10
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk101] trunkport 10ge 1/0/47
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk101] trunkport 10ge 2/0/47
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk101] quit
[*Leaf-CE6851HI-1&CE6851HI-2] commit
[*Leaf-CE6851HI-1&CE6851HI-2] interface eth-trunk 102
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk102] mode lacp-static
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk102] port default vlan 10
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk102] trunkport 10ge 1/0/48
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk102] trunkport 10ge 2/0/48
[*Leaf-CE6851HI-1&CE6851HI-2-Eth-Trunk102] quit
[*Leaf-CE6851HI-1&CE6851HI-2] commit
----End
Configuring Routes
Configure BGP routes on the stack to interconnect the switches with the spine devices.
[~Leaf-CE6851HI-1&CE6851HI-2] BGP 65021
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] router-id 11.11.11.11
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] timer keepalive 10 hold 30
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] group Spine-CE12804-1 external
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer Spine-CE12804-1 as-number 65009
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.158 as-number 65009
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.158 group Spine-CE12804-1
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.170 as-number 65009
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.170 group Spine-CE12804-1
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] group Spine-CE12804-2 external
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer Spine-CE12804-2 as-number 65010
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.166 as-number 65010
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.166 group Spine-CE12804-2
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.162 as-number 65010
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] peer 11.254.40.162 group Spine-CE12804-2
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] ipv4-family unicast
[*Leaf-CE6851HI-1&CE6851HI-2-bgp-af-ipv4] preference 20 200 10
[*Leaf-CE6851HI-1&CE6851HI-2-bgp-af-ipv4] network 11.11.11.11 255.255.255.255
[*Leaf-CE6851HI-1&CE6851HI-2-bgp-af-ipv4] network 100.125.100.0 255.255.255.0 //If the AC-DCN accesses the network through the stack and service network segments are configured for the stack, advertise the network segments where the AC-DCN is located in BGP.
[*Leaf-CE6851HI-1&CE6851HI-2-bgp-af-ipv4] maximum load-balancing 32
[*Leaf-CE6851HI-1&CE6851HI-2-bgp-af-ipv4] quit
[*Leaf-CE6851HI-1&CE6851HI-2-bgp] quit
[*Leaf-CE6851HI-1&CE6851HI-2] commit
NOTE
To access the AC-DCN server from an external network, configure static or dynamic routes on TOR
switches to advertise the service address of the AC-DCN server, so that external networks can access
this server and TOR switches can access external networks through the routes.
4.2.3.3 Configuring a TOR M-LAG
Configure Leaf-CE6851HI-3 and Leaf-CE6851HI-4 to set up an M-LAG. The configuration
roadmap is as follows:
1. Configuring IP addresses: On the leaf nodes, configure IP addresses for Layer 3
   interfaces that connect to the spine nodes, the Loopback0 interfaces (the IP address is
   used as the VTEP IP address), the Loopback1 interfaces (the IP address is used as the
   Router-ID), the management interfaces Meth0/0/0, the NVE1 interfaces (the same IP
   address shall be configured for the two devices, and the IP address is the VTEP IP
   address), and gateways of the AC-DCN (if the AC-DCN accesses the network through
   the M-LAG).
2. Configuring an M-LAG: On the switches, configure a global M-LAG, DFS groups, and
   peer-links, connect common service servers and the AC-DCN to the M-LAG, and
   associate uplink and downlink interfaces with the Monitor Link group.
3. Configuring routes: Configure BGP dynamic routes on the M-LAG to connect the
   switches to two spine devices and ensure that the routes between the M-LAG and spine
   devices are reachable at Layer 3.
Configuring IP Addresses
Step 1 Configure IP addresses for the interconnection interfaces on Leaf-CE6851HI-3 and Leaf-CE6851HI-4.
NOTE
Before switching the working mode of interfaces on a CE6855HI or CE7855EI series switch to Layer 3,
run the vlan reserved for main-interface startvlanid to endvlanid command to specify a dedicated
reserved VLAN for each Layer 3 main interface.
[~HUAWEI] sysname Leaf-CE6851HI-3
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-3] interface 40GE1/0/3
[~Leaf-CE6851HI-3-40GE1/0/3] description "to_Spine-CE12804-1-40GE1/0/2"
[~Leaf-CE6851HI-3-40GE1/0/3] undo portswitch
[*Leaf-CE6851HI-3-40GE1/0/3] ip address 11.254.41.157 30
[*Leaf-CE6851HI-3-40GE1/0/3] commit
[~Leaf-CE6851HI-3-40GE1/0/3] quit
[~Leaf-CE6851HI-3] interface 40GE1/0/4
[~Leaf-CE6851HI-3-40GE1/0/4] description "to_Spine-CE12804-2-40GE1/0/3"
[~Leaf-CE6851HI-3-40GE1/0/4] undo portswitch
[*Leaf-CE6851HI-3-40GE1/0/4] ip address 11.254.41.165 30
[*Leaf-CE6851HI-3-40GE1/0/4] commit
[~Leaf-CE6851HI-3-40GE1/0/4] quit
[~HUAWEI] sysname Leaf-CE6851HI-4
[*Leaf-CE6851HI-4] commit
[~Leaf-CE6851HI-4] interface 40GE1/0/3
[~Leaf-CE6851HI-4-40GE1/0/3] description "to_Spine-CE12804-1-40GE1/0/2"
[~Leaf-CE6851HI-4-40GE1/0/3] undo portswitch
[*Leaf-CE6851HI-4-40GE1/0/3] ip address 11.254.41.169 30
[*Leaf-CE6851HI-4-40GE1/0/3] commit
[~Leaf-CE6851HI-4-40GE1/0/3] quit
[~Leaf-CE6851HI-4] interface 40GE1/0/4
[~Leaf-CE6851HI-4-40GE1/0/4] description "to_Spine-CE12804-2-40GE1/0/3"
[~Leaf-CE6851HI-4-40GE1/0/4] undo portswitch
[*Leaf-CE6851HI-4-40GE1/0/4] ip address 11.254.41.161 30
[*Leaf-CE6851HI-4-40GE1/0/4] commit
[~Leaf-CE6851HI-4-40GE1/0/4] quit
Step 2 Configure IP addresses for the loopback interfaces. The IP address of Loopback0 is used as
the VTEP IP address and IP address of Loopback1 is used as the Router-ID.
[~Leaf-CE6851HI-3] interface loopback0 //The IP address of this interface is used as the VTEP IP address.
[*Leaf-CE6851HI-3-LoopBack0] ip address 11.11.11.12 32
[*Leaf-CE6851HI-3-LoopBack0] commit
[~Leaf-CE6851HI-3-LoopBack0] quit
[~Leaf-CE6851HI-3] interface loopback1
[*Leaf-CE6851HI-3-LoopBack1] ip address 13.13.13.13 32
[*Leaf-CE6851HI-3-LoopBack1] commit
[~Leaf-CE6851HI-3-LoopBack1] quit
[~Leaf-CE6851HI-4] interface loopback0 //The IP address of this interface is also the VTEP IP address.
[*Leaf-CE6851HI-4-LoopBack0] ip address 11.11.11.12 32
[*Leaf-CE6851HI-4-LoopBack0] commit
[~Leaf-CE6851HI-4-LoopBack0] quit
[~Leaf-CE6851HI-4] interface loopback1
[*Leaf-CE6851HI-4-LoopBack1] ip address 14.14.14.14 32
[*Leaf-CE6851HI-4-LoopBack1] commit
[~Leaf-CE6851HI-4-LoopBack1] quit
Step 3 Configure IP addresses for the management interfaces.
[~Leaf-CE6851HI-3] interface Meth0/0/0
[*Leaf-CE6851HI-3-Meth0/0/0] ip address 100.125.94.3 24
[*Leaf-CE6851HI-3-Meth0/0/0] commit
[~Leaf-CE6851HI-3-Meth0/0/0] quit
[~Leaf-CE6851HI-4] interface Meth0/0/0
[*Leaf-CE6851HI-4-Meth0/0/0] ip address 100.125.94.4 24
[*Leaf-CE6851HI-4-Meth0/0/0] commit
[~Leaf-CE6851HI-4-Meth0/0/0] quit
Step 4 Configure the VTEP IP address. Configure the same IP address for interfaces on the two
devices.
[~Leaf-CE6851HI-3] interface NVE1
[*Leaf-CE6851HI-3-Nve1] source 11.11.11.12
[*Leaf-CE6851HI-3-Nve1] commit
[~Leaf-CE6851HI-3-Nve1] quit
[~Leaf-CE6851HI-4] interface NVE1
[*Leaf-CE6851HI-4-Nve1] source 11.11.11.12
[*Leaf-CE6851HI-4-Nve1] commit
[~Leaf-CE6851HI-4-Nve1] quit
Step 5 Configure IP addresses for the AC-DCN service gateways.
[~Leaf-CE6851HI-3] VLAN 10
[*Leaf-CE6851HI-3-vlan10] interface vlanif 10
[*Leaf-CE6851HI-3-Vlanif10] ip address 100.125.100.2 24
[*Leaf-CE6851HI-3-Vlanif10] vrrp vrid 1 virtual-ip 100.125.100.1
[*Leaf-CE6851HI-3-Vlanif10] commit
[~Leaf-CE6851HI-4] VLAN 10
[*Leaf-CE6851HI-4-vlan10] interface vlanif 10
[*Leaf-CE6851HI-4-Vlanif10] ip address 100.125.100.3 24
[*Leaf-CE6851HI-4-Vlanif10] vrrp vrid 1 virtual-ip 100.125.100.1
[*Leaf-CE6851HI-4-Vlanif10] commit
----End
Configuring an M-LAG
Step 1 Configure an M-LAG.
<Leaf-CE6851HI-3> system-view
[~Leaf-CE6851HI-3] stp mode rstp
[*Leaf-CE6851HI-3] stp v-stp enable
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-3] lacp m-lag system-id 00e0-fc00-0001
[*Leaf-CE6851HI-3] commit
<Leaf-CE6851HI-4> system-view
[~Leaf-CE6851HI-4] stp mode rstp
[*Leaf-CE6851HI-4] stp v-stp enable
[*Leaf-CE6851HI-4] commit
[~Leaf-CE6851HI-4] lacp m-lag system-id 00e0-fc00-0001
[*Leaf-CE6851HI-4] commit
Step 2 Configure DFS groups of the M-LAG on Leaf-CE6851HI-3 and Leaf-CE6851HI-4.
[~Leaf-CE6851HI-3] dfs-group 1
[*Leaf-CE6851HI-3-dfs-group-1] source ip 13.13.13.13
[*Leaf-CE6851HI-3-dfs-group-1] priority 150
[*Leaf-CE6851HI-3-dfs-group-1] quit
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-4] dfs-group 1
[*Leaf-CE6851HI-4-dfs-group-1] source ip 14.14.14.14
[*Leaf-CE6851HI-4-dfs-group-1] priority 120
[*Leaf-CE6851HI-4-dfs-group-1] quit
[*Leaf-CE6851HI-4] commit
Step 3 Configure peer-links of the M-LAG on Leaf-CE6851HI-3 and Leaf-CE6851HI-4.
[~Leaf-CE6851HI-3] interface eth-trunk 0
[*Leaf-CE6851HI-3-Eth-Trunk0] trunkport 40ge 1/0/1
[*Leaf-CE6851HI-3-Eth-Trunk0] trunkport 40ge 1/0/2
[*Leaf-CE6851HI-3-Eth-Trunk0] mode lacp-static
[*Leaf-CE6851HI-3-Eth-Trunk0] peer-link 1
[*Leaf-CE6851HI-3-Eth-Trunk0] quit
[*Leaf-CE6851HI-3] commit
[*Leaf-CE6851HI-4] interface eth-trunk 0
[*Leaf-CE6851HI-4-Eth-Trunk0] trunkport 40ge 1/0/1
[*Leaf-CE6851HI-4-Eth-Trunk0] trunkport 40ge 1/0/2
[*Leaf-CE6851HI-4-Eth-Trunk0] mode lacp-static
[*Leaf-CE6851HI-4-Eth-Trunk0] peer-link 1
[*Leaf-CE6851HI-4-Eth-Trunk0] quit
[*Leaf-CE6851HI-4] commit
Step 4 Configure servers to access the M-LAG.
# Configure the member interfaces of the M-LAG (servers connect to the M-LAG in load
balancing mode) on Leaf-CE6851HI-3 and Leaf-CE6851HI-4.
[*Leaf-CE6851HI-3] interface eth-trunk 1
[*Leaf-CE6851HI-3-Eth-Trunk1] mode lacp-static
[*Leaf-CE6851HI-3-Eth-Trunk1] port link-type trunk
[*Leaf-CE6851HI-3-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*Leaf-CE6851HI-3-Eth-Trunk1] trunkport 10ge 1/0/1
[*Leaf-CE6851HI-3-Eth-Trunk1] dfs-group 1 m-lag 1
[*Leaf-CE6851HI-3-Eth-Trunk1] quit
[*Leaf-CE6851HI-3] commit
[*Leaf-CE6851HI-4] interface eth-trunk 1
[*Leaf-CE6851HI-4-Eth-Trunk1] mode lacp-static
[*Leaf-CE6851HI-4-Eth-Trunk1] port link-type trunk
[*Leaf-CE6851HI-4-Eth-Trunk1] trunkport 10ge 1/0/1
[*Leaf-CE6851HI-4-Eth-Trunk1] undo port trunk allow-pass vlan 1
[*Leaf-CE6851HI-4-Eth-Trunk1] dfs-group 1 m-lag 1
[*Leaf-CE6851HI-4-Eth-Trunk1] quit
[*Leaf-CE6851HI-4] commit
# If servers connect to the M-LAG in active/standby mode, the interface on the access switch
connecting to the server cannot be a member interface of the M-LAG. The AC-DCN delivers
all access configurations of ports.
Step 5 Configure the member interfaces of the M-LAG (if the AC-DCN connects to the network in
load balancing mode) on Leaf-CE6851HI-3 and Leaf-CE6851HI-4.
[~Leaf-CE6851HI-3] interface eth-trunk 100
[*Leaf-CE6851HI-3-Eth-Trunk100] mode lacp-static
[*Leaf-CE6851HI-3-Eth-Trunk100] port default vlan 10
[*Leaf-CE6851HI-3-Eth-Trunk100] trunkport 10ge 1/0/44
[*Leaf-CE6851HI-3-Eth-Trunk100] dfs-group 1 m-lag 40
[*Leaf-CE6851HI-3-Eth-Trunk100] quit
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-4] interface eth-trunk 100
[*Leaf-CE6851HI-4-Eth-Trunk100] mode lacp-static
[*Leaf-CE6851HI-4-Eth-Trunk100] port default vlan 10
[*Leaf-CE6851HI-4-Eth-Trunk100] trunkport 10ge 1/0/44
[*Leaf-CE6851HI-4-Eth-Trunk100] dfs-group 1 m-lag 40
[*Leaf-CE6851HI-4-Eth-Trunk100] quit
[*Leaf-CE6851HI-4] commit
[~Leaf-CE6851HI-3] interface eth-trunk 101
[*Leaf-CE6851HI-3-Eth-Trunk101] mode lacp-static
[*Leaf-CE6851HI-3-Eth-Trunk101] port default vlan 10
[*Leaf-CE6851HI-3-Eth-Trunk101] trunkport 10ge 1/0/45
[*Leaf-CE6851HI-3-Eth-Trunk101] dfs-group 1 m-lag 41
[*Leaf-CE6851HI-3-Eth-Trunk101] quit
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-4] interface eth-trunk 101
[*Leaf-CE6851HI-4-Eth-Trunk101] mode lacp-static
[*Leaf-CE6851HI-4-Eth-Trunk101] port default vlan 10
[*Leaf-CE6851HI-4-Eth-Trunk101] trunkport 10ge 1/0/45
[*Leaf-CE6851HI-4-Eth-Trunk101] dfs-group 1 m-lag 41
[*Leaf-CE6851HI-4-Eth-Trunk101] quit
[*Leaf-CE6851HI-4] commit
[~Leaf-CE6851HI-3] interface eth-trunk 102
[*Leaf-CE6851HI-3-Eth-Trunk102] mode lacp-static
[*Leaf-CE6851HI-3-Eth-Trunk102] port default vlan 10
[*Leaf-CE6851HI-3-Eth-Trunk102] trunkport 10ge 1/0/46
[*Leaf-CE6851HI-3-Eth-Trunk102] dfs-group 1 m-lag 42
[*Leaf-CE6851HI-3-Eth-Trunk102] quit
[*Leaf-CE6851HI-3] commit
[~Leaf-CE6851HI-4] interface eth-trunk 102
[*Leaf-CE6851HI-4-Eth-Trunk102] mode lacp-static
[*Leaf-CE6851HI-4-Eth-Trunk102] port default vlan 10
[*Leaf-CE6851HI-4-Eth-Trunk102] trunkport 10ge 1/0/46
[*Leaf-CE6851HI-4-Eth-Trunk102] dfs-group 1 m-lag 42
[*Leaf-CE6851HI-4-Eth-Trunk102] quit
[*Leaf-CE6851HI-4] commit
NOTE
If the AC-DCN connects to the M-LAG in active/standby mode, the interface on the access switch
connecting to the AC-DCN cannot be a member interface of the M-LAG. Only VLAN needs to be
configured on the ports.
Step 6 Associate uplink and downlink interfaces with a Monitor Link group on Leaf-CE6851HI-3
and Leaf-CE6851HI-4 to prevent a user-side traffic forwarding failure on a device in case all
uplinks on the device fail.
[~Leaf-CE6851HI-3] monitor-link group 1
[*Leaf-CE6851HI-3-mtlk-group1] port 40GE1/0/3 uplink
[*Leaf-CE6851HI-3-mtlk-group1] port 40GE1/0/4 uplink
[*Leaf-CE6851HI-3-mtlk-group1] port 10GE1/0/1 downlink 1
[*Leaf-CE6851HI-3-mtlk-group1] commit
[~Leaf-CE6851HI-4] monitor-link group 1
[*Leaf-CE6851HI-4-mtlk-group1] port 40GE1/0/3 uplink
[*Leaf-CE6851HI-4-mtlk-group1] port 40GE1/0/4 uplink
[*Leaf-CE6851HI-4-mtlk-group1] port 10GE1/0/1 downlink 1
[*Leaf-CE6851HI-4-mtlk-group1] commit
----End
Configuring Routes
Step 1 Configure BGP routes on Leaf-CE6851HI-3 to interconnect Leaf-CE6851HI-3 with the spine
devices.
[~Leaf-CE6851HI-3] bgp 65022
[*Leaf-CE6851HI-3-bgp] router-id 13.13.13.13
[*Leaf-CE6851HI-3-bgp] timer keepalive 10 hold 30
[*Leaf-CE6851HI-3-bgp] group Spine-CE12804-1 external
[*Leaf-CE6851HI-3-bgp] peer Spine-CE12804-1 as-number 65009
[*Leaf-CE6851HI-3-bgp] peer 11.254.41.158 as-number 65009
[*Leaf-CE6851HI-3-bgp] peer 11.254.41.158 group Spine-CE12804-1
[*Leaf-CE6851HI-3-bgp] group Spine-CE12804-2 external
[*Leaf-CE6851HI-3-bgp] peer Spine-CE12804-2 as-number 65010
[*Leaf-CE6851HI-3-bgp] peer 11.254.41.166 as-number 65010
[*Leaf-CE6851HI-3-bgp] peer 11.254.41.166 group Spine-CE12804-2
[*Leaf-CE6851HI-3-bgp] ipv4-family unicast
[*Leaf-CE6851HI-3-bgp-af-ipv4] preference 20 200 10
[*Leaf-CE6851HI-3-bgp-af-ipv4] network 11.11.11.12 255.255.255.255
[*Leaf-CE6851HI-3-bgp-af-ipv4] network 100.125.100.0 255.255.255.0
[*Leaf-CE6851HI-3-bgp-af-ipv4] network 13.13.13.13 255.255.255.255
[*Leaf-CE6851HI-3-bgp-af-ipv4] maximum load-balancing 32
[*Leaf-CE6851HI-3-bgp-af-ipv4] quit
[*Leaf-CE6851HI-3-bgp] quit
[*Leaf-CE6851HI-3] commit
Step 2 Configure BGP routes on Leaf-CE6851HI-4 to interconnect Leaf-CE6851HI-4 with the spine
devices.
[~Leaf-CE6851HI-4] bgp 65023
[*Leaf-CE6851HI-4-bgp] router-id 14.14.14.14
[*Leaf-CE6851HI-4-bgp] timer keepalive 10 hold 30
[*Leaf-CE6851HI-4-bgp] group Spine-CE12804-1 external
[*Leaf-CE6851HI-4-bgp] peer Spine-CE12804-1 as-number 65009
[*Leaf-CE6851HI-4-bgp] peer 11.254.41.170 as-number 65009
[*Leaf-CE6851HI-4-bgp] peer 11.254.41.170 group Spine-CE12804-1
[*Leaf-CE6851HI-4-bgp] group Spine-CE12804-2 external
[*Leaf-CE6851HI-4-bgp] peer Spine-CE12804-2 as-number 65010
[*Leaf-CE6851HI-4-bgp] peer 11.254.41.162 as-number 65010
[*Leaf-CE6851HI-4-bgp] peer 11.254.41.162 group Spine-CE12804-2
[*Leaf-CE6851HI-4-bgp] ipv4-family unicast
[*Leaf-CE6851HI-4-bgp-af-ipv4] preference 20 200 10
[*Leaf-CE6851HI-4-bgp-af-ipv4] network 11.11.11.12 255.255.255.255
[*Leaf-CE6851HI-4-bgp-af-ipv4] network 100.125.100.0 255.255.255.0
[*Leaf-CE6851HI-4-bgp-af-ipv4] network 14.14.14.14 255.255.255.255
[*Leaf-CE6851HI-4-bgp-af-ipv4] maximum load-balancing 32
[*Leaf-CE6851HI-4-bgp-af-ipv4] quit
[*Leaf-CE6851HI-4-bgp] quit
[*Leaf-CE6851HI-4] commit
NOTE
To access the AC-DCN server from an external network, configure static or dynamic routes on TOR
switches to advertise the service address of the AC-DCN server, so that external networks can access
this server and TOR switches can access external networks through the routes.
----End
4.2.3.4 Configuring Spine Nodes
Configure addresses and routes for the uplink and downlink interconnection interfaces on the
two spine nodes to enable the underlay network communication at Layer 3. The configuration
roadmap is as follows:
1. Configuring IP addresses: On the spine nodes, configure IP addresses for interfaces that
connect to the leaf nodes and gateways, the management interfaces Meth0/0/0, and the
loopback interfaces (the IP address is used as the Router-ID).
2. Configuring routes: Configure BGP dynamic routes on the spine nodes to connect the
spine devices to the two stacked switches (leaf nodes), two M-LAG switches (leaf
nodes), and two M-LAG gateways. Ensure that the routes are reachable at Layer 3.
Configuring IP Addresses
Step 1 Configure IP addresses for the interconnection interfaces.
# Configure IP addresses for interfaces on Spine-CE12804-1.
[~HUAWEI] sysname Spine-CE12804-1
[*Spine-CE12804-1] commit
[~Spine-CE12804-1] interface 40GE1/0/0
[~Spine-CE12804-1-40GE1/0/0] undo portswitch
[*Spine-CE12804-1-40GE1/0/0] ip address 11.254.40.158 30
[*Spine-CE12804-1-40GE1/0/0] commit
[~Spine-CE12804-1-40GE1/0/0] quit
[~Spine-CE12804-1] interface 40GE1/0/1
[~Spine-CE12804-1-40GE1/0/1] undo portswitch
[*Spine-CE12804-1-40GE1/0/1] ip address 11.254.40.170 30
[*Spine-CE12804-1-40GE1/0/1] commit
[~Spine-CE12804-1-40GE1/0/1] quit
[~Spine-CE12804-1] interface 40GE1/0/2
[~Spine-CE12804-1-40GE1/0/2] description "to-Leaf-CE6851-3-40GE1/0/3"
[*Spine-CE12804-1-40GE1/0/2] undo portswitch
[*Spine-CE12804-1-40GE1/0/2] ip address 11.254.41.158 30
[*Spine-CE12804-1-40GE1/0/2] commit
[~Spine-CE12804-1-40GE1/0/2] quit
[~Spine-CE12804-1] interface 40GE1/0/3
[~Spine-CE12804-1-40GE1/0/3] description "to-Leaf-CE6851-4-40GE1/0/4"
[*Spine-CE12804-1-40GE1/0/3] undo portswitch
[*Spine-CE12804-1-40GE1/0/3] ip address 11.254.41.170 30
[*Spine-CE12804-1-40GE1/0/3] commit
[~Spine-CE12804-1-40GE1/0/3] quit
[~Spine-CE12804-1] interface 40GE1/0/4
[~Spine-CE12804-1-40GE1/0/4] undo portswitch
[*Spine-CE12804-1-40GE1/0/4] ip address 11.254.42.157 30
[*Spine-CE12804-1-40GE1/0/4] commit
[~Spine-CE12804-1-40GE1/0/4] quit
[~Spine-CE12804-1] interface 40GE1/0/5
[~Spine-CE12804-1-40GE1/0/5] undo portswitch
[*Spine-CE12804-1-40GE1/0/5] ip address 11.254.42.161 30
[*Spine-CE12804-1-40GE1/0/5] commit
[~Spine-CE12804-1-40GE1/0/5] quit
# Configure IP addresses for interfaces on Spine-CE12804-2.
[~HUAWEI] sysname Spine-CE12804-2
[*Spine-CE12804-2] commit
[~Spine-CE12804-2] interface 40GE1/0/0
[~Spine-CE12804-2-40GE1/0/0] undo portswitch
[*Spine-CE12804-2-40GE1/0/0] ip address 11.254.40.162 30
[*Spine-CE12804-2-40GE1/0/0] commit
[~Spine-CE12804-2-40GE1/0/0] quit
[~Spine-CE12804-2] interface 40GE1/0/1
[~Spine-CE12804-2-40GE1/0/1] undo portswitch
[*Spine-CE12804-2-40GE1/0/1] ip address 11.254.40.166 30
[*Spine-CE12804-2-40GE1/0/1] commit
[~Spine-CE12804-2-40GE1/0/1] quit
[~Spine-CE12804-2] interface 40GE1/0/2
[~Spine-CE12804-2-40GE1/0/2] description "to-Leaf-CE6851-4-40GE1/0/3"
[*Spine-CE12804-2-40GE1/0/2] undo portswitch
[*Spine-CE12804-2-40GE1/0/2] ip address 11.254.41.162 30
[*Spine-CE12804-2-40GE1/0/2] commit
[~Spine-CE12804-2-40GE1/0/2] quit
[~Spine-CE12804-2] interface 40GE1/0/3
[~Spine-CE12804-2-40GE1/0/3] description "to-Leaf-CE6851-3-40GE1/0/4"
[*Spine-CE12804-2-40GE1/0/3] undo portswitch
[*Spine-CE12804-2-40GE1/0/3] ip address 11.254.41.166 30
[*Spine-CE12804-2-40GE1/0/3] commit
[~Spine-CE12804-2-40GE1/0/3] quit
[~Spine-CE12804-2] interface 40GE1/0/4
[~Spine-CE12804-2-40GE1/0/4] undo portswitch
[*Spine-CE12804-2-40GE1/0/4] ip address 11.254.43.157 30
[*Spine-CE12804-2-40GE1/0/4] commit
[~Spine-CE12804-2-40GE1/0/4] quit
[~Spine-CE12804-2] interface 40GE1/0/5
[~Spine-CE12804-2-40GE1/0/5] undo portswitch
[*Spine-CE12804-2-40GE1/0/5] ip address 11.254.43.161 30
[*Spine-CE12804-2-40GE1/0/5] commit
[~Spine-CE12804-2-40GE1/0/5] quit
Step 2 Configure IP addresses for the management interfaces.
[~Spine-CE12804-1] interface Meth0/0/0
[*Spine-CE12804-1-Meth0/0/0] ip address 100.125.94.5 24
[*Spine-CE12804-1-Meth0/0/0] commit
[~Spine-CE12804-1-Meth0/0/0] quit
[~Spine-CE12804-2] interface Meth0/0/0
[*Spine-CE12804-2-Meth0/0/0] ip address 100.125.94.6 24
[*Spine-CE12804-2-Meth0/0/0] commit
[~Spine-CE12804-2-Meth0/0/0] quit
Step 3 Configure IP addresses for the loopback interfaces.
[~Spine-CE12804-1] interface loopback0
[*Spine-CE12804-1-LoopBack0] ip address 11.11.11.14 32
[*Spine-CE12804-1-LoopBack0] commit
[~Spine-CE12804-1-LoopBack0] quit
[~Spine-CE12804-2] interface loopback0
[*Spine-CE12804-2-LoopBack0] ip address 11.11.11.15 32
[*Spine-CE12804-2-LoopBack0] commit
[~Spine-CE12804-2-LoopBack0] quit
----End
Configuring Routes
Step 1 Configure BGP routes on Spine-CE12804-1.
[~Spine-CE12804-1] BGP 65009
[*Spine-CE12804-1-bgp] router-id 11.11.11.14
[*Spine-CE12804-1-bgp] timer keepalive 10 hold 30
[*Spine-CE12804-1-bgp] group Leaf-CE6851HI-1&CE6851HI-2 external
[*Spine-CE12804-1-bgp] peer Leaf-CE6851HI-1&CE6851HI-2 as-number 65021
[*Spine-CE12804-1-bgp] peer 11.254.40.157 as-number 65021
[*Spine-CE12804-1-bgp] peer 11.254.40.157 group Leaf-CE6851HI-1&CE6851HI-2
[*Spine-CE12804-1-bgp] peer 11.254.40.169 as-number 65021
[*Spine-CE12804-1-bgp] peer 11.254.40.169 group Leaf-CE6851HI-1&CE6851HI-2
[*Spine-CE12804-1-bgp] group Leaf-CE6851HI-3 external
[*Spine-CE12804-1-bgp] peer Leaf-CE6851HI-3 as-number 65022
[*Spine-CE12804-1-bgp] peer 11.254.41.157 as-number 65022
[*Spine-CE12804-1-bgp] peer 11.254.41.157 group Leaf-CE6851HI-3
[*Spine-CE12804-1-bgp] group Leaf-CE6851HI-4 external
[*Spine-CE12804-1-bgp] peer Leaf-CE6851HI-4 as-number 65023
[*Spine-CE12804-1-bgp] peer 11.254.41.169 as-number 65023
[*Spine-CE12804-1-bgp] peer 11.254.41.169 group Leaf-CE6851HI-4
[*Spine-CE12804-1-bgp] group Gateway-CE12808-1 external
[*Spine-CE12804-1-bgp] peer Gateway-CE12808-1 as-number 65000
[*Spine-CE12804-1-bgp] peer 11.254.42.158 as-number 65000
[*Spine-CE12804-1-bgp] peer 11.254.42.158 group Gateway-CE12808-1
[*Spine-CE12804-1-bgp] group Gateway-CE12808-2 external
[*Spine-CE12804-1-bgp] peer Gateway-CE12808-2 as-number 65001
[*Spine-CE12804-1-bgp] peer 11.254.42.162 as-number 65001
[*Spine-CE12804-1-bgp] peer 11.254.42.162 group Gateway-CE12808-2
[*Spine-CE12804-1-bgp] ipv4-family unicast
[*Spine-CE12804-1-bgp-af-ipv4] preference 20 200 10
[*Spine-CE12804-1-bgp-af-ipv4] network 11.11.11.14 255.255.255.255
[*Spine-CE12804-1-bgp-af-ipv4] maximum load-balancing 32
[*Spine-CE12804-1-bgp-af-ipv4] quit
[*Spine-CE12804-1-bgp] quit
[*Spine-CE12804-1] commit
Step 2 Configure BGP routes on Spine-CE12804-2.
[~Spine-CE12804-2] BGP 65010
[*Spine-CE12804-2-bgp] router-id 11.11.11.15
[*Spine-CE12804-2-bgp] timer keepalive 10 hold 30
[*Spine-CE12804-2-bgp] group Leaf-CE6851HI-1&CE6851HI-2 external
[*Spine-CE12804-2-bgp] peer Leaf-CE6851HI-1&CE6851HI-2 as-number 65021
[*Spine-CE12804-2-bgp] peer 11.254.40.165 as-number 65021
[*Spine-CE12804-2-bgp] peer 11.254.40.165 group Leaf-CE6851HI-1&CE6851HI-2
[*Spine-CE12804-2-bgp] peer 11.254.40.161 as-number 65021
[*Spine-CE12804-2-bgp] peer 11.254.40.161 group Leaf-CE6851HI-1&CE6851HI-2
[*Spine-CE12804-2-bgp] group Leaf-CE6851HI-3 external
[*Spine-CE12804-2-bgp] peer Leaf-CE6851HI-3 as-number 65022
[*Spine-CE12804-2-bgp] peer 11.254.41.165 as-number 65022
[*Spine-CE12804-2-bgp] peer 11.254.41.165 group Leaf-CE6851HI-3
[*Spine-CE12804-2-bgp] group Leaf-CE6851HI-4 external
[*Spine-CE12804-2-bgp] peer Leaf-CE6851HI-4 as-number 65023
[*Spine-CE12804-2-bgp] peer 11.254.41.161 as-number 65023
[*Spine-CE12804-2-bgp] peer 11.254.41.161 group Leaf-CE6851HI-4
[*Spine-CE12804-2-bgp] group Gateway-CE12808-1 external
[*Spine-CE12804-2-bgp] peer Gateway-CE12808-1 as-number 65000
[*Spine-CE12804-2-bgp] peer 11.254.43.158 as-number 65000
[*Spine-CE12804-2-bgp] peer 11.254.43.158 group Gateway-CE12808-1
[*Spine-CE12804-2-bgp] group Gateway-CE12808-2 external
[*Spine-CE12804-2-bgp] peer Gateway-CE12808-2 as-number 65001
[*Spine-CE12804-2-bgp] peer 11.254.43.162 as-number 65001
[*Spine-CE12804-2-bgp] peer 11.254.43.162 group Gateway-CE12808-2
[*Spine-CE12804-2-bgp] ipv4-family unicast
[*Spine-CE12804-2-bgp-af-ipv4] preference 20 200 10
[*Spine-CE12804-2-bgp-af-ipv4] network 11.11.11.15 255.255.255.255
[*Spine-CE12804-2-bgp-af-ipv4] maximum load-balancing 32
[*Spine-CE12804-2-bgp-af-ipv4] quit
[*Spine-CE12804-2-bgp] quit
[*Spine-CE12804-2] commit
----End
4.2.3.5 Configuring a Gateway M-LAG
Configure Gateway-CE12808-1 and Gateway-CE12808-2 to set up an M-LAG. The
configuration roadmap is as follows:
1. Configuring IP addresses: Configure IP addresses for interfaces that connect to the spine
nodes, the management VLANs of the firewalls, the Loopback0 interfaces (the IP
address is used as the VTEP IP address), the Loopback1 interfaces (the IP address is
used as Router-ID), the management interfaces Meth0/0/0, and the NVE1 interfaces (the
same IP address shall be configured for the two devices, and the IP address is the VTEP
IP address).
2. Configuring the M-LAG: On the gateways, configure a global M-LAG, a DFS group,
and peer-links, and configure VLANs for management and interconnection interfaces,
and service links between the M-LAG and firewalls.
3. Configuring routes: Configure BGP dynamic routes on the gateways to connect the
gateways to the spine devices and ensure that the routes are reachable at Layer 3.
Configure routes between the gateways and external routers.
4. Configuring a MAC address flapping whitelist: On the gateways, configure a whitelist
for the MAC addresses of the Layer 3 interfaces on the gateways that connect to the
spine devices. MAC address flapping detection will not be performed for the MAC
addresses in the whitelist.
5. Configuring interconnection between the gateways and external routers to form a
square-shaped ring egress network: Set interface addresses to interconnect the gateways
with the external routers, set interface addresses to interconnect the gateways, and set
egress routing protocols on the gateways. (The configurations on the external routers are
similar to those on the gateways, and are not provided here.)
Configuring IP Addresses
Step 1 Configure IP addresses for gateway interfaces.
# Configure IP addresses for interfaces on Gateway-CE12808-1.
[~Gateway-CE12808-1] interface 40GE1/0/0 //Connect the interface to a spine node.
[~Gateway-CE12808-1-40GE1/0/0] undo portswitch
[*Gateway-CE12808-1-40GE1/0/0] ip address 11.254.42.158 30
[*Gateway-CE12808-1-40GE1/0/0] commit
[~Gateway-CE12808-1-40GE1/0/0] quit
[~Gateway-CE12808-1] interface 40GE1/0/1 //Connect the interface to another spine
node.
[~Gateway-CE12808-1-40GE1/0/1] undo portswitch
[*Gateway-CE12808-1-40GE1/0/1] ip address 11.254.43.162 30
[*Gateway-CE12808-1-40GE1/0/1] commit
[~Gateway-CE12808-1-40GE1/0/1] quit
[*Gateway-CE12808-1] vlan batch 11
[~Gateway-CE12808-1] interface vlanif 11 //Configure the VLAN for management and
interconnection between the gateway and firewalls.
[*Gateway-CE12808-1-vlanif11] description "to firewall-1~2"
[*Gateway-CE12808-1-vlanif11] ip address 11.254.45.154 29
[*Gateway-CE12808-1-vlanif11] vrrp vrid 1 virtual-ip 11.254.45.153
[*Gateway-CE12808-1-vlanif11] commit
[~Gateway-CE12808-1-vlanif11] quit
# Configure IP addresses for interfaces on Gateway-CE12808-2.
[~Gateway-CE12808-2] interface 40GE1/0/0 //Connect the interface to a spine node.
[~Gateway-CE12808-2-40GE1/0/0] undo portswitch
[*Gateway-CE12808-2-40GE1/0/0] ip address 11.254.42.162 30
[*Gateway-CE12808-2-40GE1/0/0] commit
[~Gateway-CE12808-2-40GE1/0/0] quit
[~Gateway-CE12808-2] interface 40GE1/0/1 //Connect the interface to another spine
node.
[~Gateway-CE12808-2-40GE1/0/1] undo portswitch
[*Gateway-CE12808-2-40GE1/0/1] ip address 11.254.43.158 30
[*Gateway-CE12808-2-40GE1/0/1] commit
[~Gateway-CE12808-2-40GE1/0/1] quit
[~Gateway-CE12808-2] vlan batch 11
[*Gateway-CE12808-2] interface vlanif 11 //Configure the VLAN for management and
interconnection between the gateway and firewalls.
[*Gateway-CE12808-2-vlanif11] description "to firewall-1-2"
[*Gateway-CE12808-2-vlanif11] ip address 11.254.45.155 29
[*Gateway-CE12808-2-vlanif11] vrrp vrid 1 virtual-ip 11.254.45.153
[*Gateway-CE12808-2-vlanif11] commit
[~Gateway-CE12808-2-vlanif11] quit
Step 2 Configure IP addresses for the loopback interfaces.
[~Gateway-CE12808-1] interface loopback0 //The IP address is used as the VTEP IP address.
[*Gateway-CE12808-1-LoopBack0] ip address 11.11.11.16 32
[*Gateway-CE12808-1-LoopBack0] commit
[~Gateway-CE12808-1-LoopBack0] quit
[~Gateway-CE12808-1] interface loopback1
[*Gateway-CE12808-1-LoopBack1] ip address 18.18.18.18 32
[*Gateway-CE12808-1-LoopBack1] commit
[~Gateway-CE12808-1-LoopBack1] quit
[~Gateway-CE12808-1] interface loopback2
[*Gateway-CE12808-1-LoopBack2] ip address 21.21.21.21 32
[*Gateway-CE12808-1-LoopBack2] commit
[~Gateway-CE12808-1-LoopBack2] quit
[~Gateway-CE12808-2] interface loopback0 //The IP address is used as the VTEP IP address.
[*Gateway-CE12808-2-LoopBack0] ip address 11.11.11.16 32
[*Gateway-CE12808-2-LoopBack0] commit
[~Gateway-CE12808-2-LoopBack0] quit
[~Gateway-CE12808-2] interface loopback1
[*Gateway-CE12808-2-LoopBack1] ip address 19.19.19.19 32
[*Gateway-CE12808-2-LoopBack1] commit
[~Gateway-CE12808-2-LoopBack1] quit
[~Gateway-CE12808-2] interface loopback2
[*Gateway-CE12808-2-LoopBack2] ip address 22.22.22.22 32
[*Gateway-CE12808-2-LoopBack2] commit
[~Gateway-CE12808-2-LoopBack2] quit
Step 3 Configure IP addresses for the management interfaces.
[~Gateway-CE12808-1] interface Meth0/0/0
[*Gateway-CE12808-1-Meth0/0/0] ip address 100.125.94.7 24
[*Gateway-CE12808-1-Meth0/0/0] commit
[~Gateway-CE12808-1-Meth0/0/0] quit
[~Gateway-CE12808-2] interface Meth0/0/0
[*Gateway-CE12808-2-Meth0/0/0] ip address 100.125.94.8 24
[*Gateway-CE12808-2-Meth0/0/0] commit
[~Gateway-CE12808-2-Meth0/0/0] quit
Step 4 Configure the VTEP IP address.
[~Gateway-CE12808-1] interface NVE1
[*Gateway-CE12808-1-Nve1] source 11.11.11.16
[*Gateway-CE12808-1-Nve1] commit
[~Gateway-CE12808-1-Nve1] quit
[~Gateway-CE12808-2] interface NVE1
[*Gateway-CE12808-2-Nve1] source 11.11.11.16
[*Gateway-CE12808-2-Nve1] commit
[~Gateway-CE12808-2-Nve1] quit
----End
Configuring an M-LAG
Step 1 Configure an M-LAG.
<Gateway-CE12808-1> system-view
[~Gateway-CE12808-1] stp mode rstp
[*Gateway-CE12808-1] stp v-stp enable
[*Gateway-CE12808-1] lacp m-lag priority 10
[*Gateway-CE12808-1] lacp m-lag system-id 00e0-fc00-0101 //You are advised to set
system-id to the MAC address of the system on the master device of the M-LAG. Set
system-id on the remote device to the same value. You can run the display system
mac-address command to check the MAC address of a system.
[*Gateway-CE12808-1] commit
<Gateway-CE12808-2> system-view
[~Gateway-CE12808-2] stp mode rstp
[*Gateway-CE12808-2] stp v-stp enable
[*Gateway-CE12808-2] commit
[~Gateway-CE12808-2] lacp m-lag priority 10
[*Gateway-CE12808-2] lacp m-lag system-id 00e0-fc00-0101
[*Gateway-CE12808-2] commit
Step 2 Create DFS groups and configure Gateway-CE12808-1 and Gateway-CE12808-2 to work
in dual-active mode.
[~Gateway-CE12808-1] dfs-group 1
[*Gateway-CE12808-1-dfs-group-1] source ip 18.18.18.18
[*Gateway-CE12808-1-dfs-group-1] priority 150
[*Gateway-CE12808-1-dfs-group-1] active-active-gateway
[*Gateway-CE12808-1-dfs-group-1-active-active-gateway] peer 19.19.19.19
[*Gateway-CE12808-1-dfs-group-1-active-active-gateway] quit
[*Gateway-CE12808-1-dfs-group-1] quit
[*Gateway-CE12808-1] commit
[*Gateway-CE12808-2] dfs-group 1
[*Gateway-CE12808-2-dfs-group-1] source ip 19.19.19.19
[*Gateway-CE12808-2-dfs-group-1] priority 120
[*Gateway-CE12808-2-dfs-group-1] active-active-gateway
[*Gateway-CE12808-2-dfs-group-1-active-active-gateway] peer 18.18.18.18
[*Gateway-CE12808-2-dfs-group-1-active-active-gateway] quit
[*Gateway-CE12808-2-dfs-group-1] quit
[*Gateway-CE12808-2] commit
Step 3 Configure peer-links of the M-LAG on Gateway-CE12808-1 and Gateway-CE12808-2.
[*Gateway-CE12808-1] interface eth-trunk 0
[*Gateway-CE12808-1-Eth-Trunk0] trunkport 40ge 1/0/23
[*Gateway-CE12808-1-Eth-Trunk0] trunkport 40ge 2/0/23
[*Gateway-CE12808-1-Eth-Trunk0] mode lacp-static
[*Gateway-CE12808-1-Eth-Trunk0] peer-link 1
[*Gateway-CE12808-1-Eth-Trunk0] quit
[*Gateway-CE12808-1] commit
[*Gateway-CE12808-2] interface eth-trunk 0
[*Gateway-CE12808-2-Eth-Trunk0] trunkport 40ge 1/0/23
[*Gateway-CE12808-2-Eth-Trunk0] trunkport 40ge 2/0/23
[*Gateway-CE12808-2-Eth-Trunk0] mode lacp-static
[*Gateway-CE12808-2-Eth-Trunk0] peer-link 1
[*Gateway-CE12808-2-Eth-Trunk0] quit
[*Gateway-CE12808-2] commit
Step 4 Configure the M-LAG member interfaces (interconnecting with firewall instances) on
Gateway-CE12808-1 and Gateway-CE12808-2.
# Configure interconnection between Gateway-CE12808-1 and the firewalls.
[*Gateway-CE12808-1] interface eth-trunk 20
[*Gateway-CE12808-1-Eth-Trunk20] description "to-FW-USG9560-1-GE1/0/1"
[*Gateway-CE12808-1-Eth-Trunk20] port default vlan 11
[*Gateway-CE12808-1-Eth-Trunk20] trunkport 10ge 3/0/0
[*Gateway-CE12808-1-Eth-Trunk20] dfs-group 1 m-lag 1
[*Gateway-CE12808-1-Eth-Trunk20] quit
[*Gateway-CE12808-1] interface eth-trunk 30
[*Gateway-CE12808-1-Eth-Trunk30] description "to-FW-USG9560-2-GE1/0/1"
[*Gateway-CE12808-1-Eth-Trunk30] port default vlan 11
[*Gateway-CE12808-1-Eth-Trunk30] trunkport 10ge 3/0/1
[*Gateway-CE12808-1-Eth-Trunk30] dfs-group 1 m-lag 2
[*Gateway-CE12808-1-Eth-Trunk30] quit
[*Gateway-CE12808-1] commit
[*Gateway-CE12808-1] interface eth-trunk 21 //Configure service links between the
gateway and firewalls. The AC-DCN delivers the interconnection IP addresses,
VLANs, and routes. You need to connect the cables and configure Eth-Trunks and
the M-LAG.
[*Gateway-CE12808-1-Eth-Trunk21] description "to-FW-USG9560-1-GE1/0/3"
[*Gateway-CE12808-1-Eth-Trunk21] port link-type trunk
[*Gateway-CE12808-1-Eth-Trunk21] undo port trunk allow-pass vlan 1
[*Gateway-CE12808-1-Eth-Trunk21] trunkport 10ge 3/0/2
[*Gateway-CE12808-1-Eth-Trunk21] dfs-group 1 m-lag 3
[*Gateway-CE12808-1-Eth-Trunk21] quit
[*Gateway-CE12808-1] interface eth-trunk 31
[*Gateway-CE12808-1-Eth-Trunk31] description "to-FW-USG9560-2-GE1/0/3"
[*Gateway-CE12808-1-Eth-Trunk31] port link-type trunk
[*Gateway-CE12808-1-Eth-Trunk31] undo port trunk allow-pass vlan 1
[*Gateway-CE12808-1-Eth-Trunk31] trunkport 10ge 3/0/3
[*Gateway-CE12808-1-Eth-Trunk31] dfs-group 1 m-lag 4
[*Gateway-CE12808-1-Eth-Trunk31] quit
[*Gateway-CE12808-1] commit
# Configure interconnection between Gateway-CE12808-2 and the firewalls.
[*Gateway-CE12808-2] interface eth-trunk 20
[*Gateway-CE12808-2-Eth-Trunk20] description "to-FW-USG9560-1-GE1/0/2"
[*Gateway-CE12808-2-Eth-Trunk20] port default vlan 11
[*Gateway-CE12808-2-Eth-Trunk20] trunkport 10ge 3/0/0
[*Gateway-CE12808-2-Eth-Trunk20] dfs-group 1 m-lag 1
[*Gateway-CE12808-2-Eth-Trunk20] quit
[*Gateway-CE12808-2] interface eth-trunk 30
[*Gateway-CE12808-2-Eth-Trunk30] description "to-FW-USG9560-2-GE1/0/2"
[*Gateway-CE12808-2-Eth-Trunk30] port default vlan 11
[*Gateway-CE12808-2-Eth-Trunk30] trunkport 10ge 3/0/1
[*Gateway-CE12808-2-Eth-Trunk30] dfs-group 1 m-lag 2
[*Gateway-CE12808-2-Eth-Trunk30] quit
[*Gateway-CE12808-2] commit
[*Gateway-CE12808-2] interface eth-trunk 21 //Configure service links between the
gateway and firewalls. The AC-DCN delivers the interconnection IP addresses,
VLANs, and routes. You need to connect the cables and configure Eth-Trunks and
the M-LAG.
[*Gateway-CE12808-2-Eth-Trunk21] description "to-FW-USG9560-1-GE1/0/4"
[*Gateway-CE12808-2-Eth-Trunk21] port link-type trunk
[*Gateway-CE12808-2-Eth-Trunk21] trunkport 10ge 3/0/2
[*Gateway-CE12808-2-Eth-Trunk21] dfs-group 1 m-lag 3
[*Gateway-CE12808-2-Eth-Trunk21] quit
[*Gateway-CE12808-2] interface eth-trunk 31
[*Gateway-CE12808-2-Eth-Trunk31] description "to-FW-USG9560-2-GE1/0/4"
[*Gateway-CE12808-2-Eth-Trunk31] port link-type trunk
[*Gateway-CE12808-2-Eth-Trunk31] trunkport 10ge 3/0/3
[*Gateway-CE12808-2-Eth-Trunk31] dfs-group 1 m-lag 4
[*Gateway-CE12808-2-Eth-Trunk31] quit
[*Gateway-CE12808-2] commit
NOTE
In an SDN scenario where firewalls interconnect with gateways in M-LAG mode, the LAG mode can
only be manual load balancing mode.
----End
Configuring Routes
Step 1 Configure BGP routes on Gateway-CE12808-1 to set up routes for the underlay network.
[~Gateway-CE12808-1] BGP 65000
[*Gateway-CE12808-1-bgp] router-id 18.18.18.18
[*Gateway-CE12808-1-bgp] timer keepalive 10 hold 30
[*Gateway-CE12808-1-bgp] group Spine-CE12804-1 external //Configure the route to
connect the gateway to Spine-CE12804-1.
[*Gateway-CE12808-1-bgp] peer Spine-CE12804-1 as-number 65009
[*Gateway-CE12808-1-bgp] peer 11.254.42.157 as-number 65009
[*Gateway-CE12808-1-bgp] peer 11.254.42.157 group Spine-CE12804-1
[*Gateway-CE12808-1-bgp] group Spine-CE12804-2 external
[*Gateway-CE12808-1-bgp] peer Spine-CE12804-2 as-number 65010
[*Gateway-CE12808-1-bgp] peer 11.254.43.161 as-number 65010
[*Gateway-CE12808-1-bgp] peer 11.254.43.161 group Spine-CE12804-2
[*Gateway-CE12808-1-bgp] ipv4-family unicast
[*Gateway-CE12808-1-bgp-af-ipv4] preference 20 200 10
[*Gateway-CE12808-1-bgp-af-ipv4] network 11.11.11.16 255.255.255.255
[*Gateway-CE12808-1-bgp-af-ipv4] network 18.18.18.18 255.255.255.255
[*Gateway-CE12808-1-bgp-af-ipv4] network 11.254.45.152 255.255.255.248
[*Gateway-CE12808-1-bgp-af-ipv4] maximum load-balancing 32
[*Gateway-CE12808-1-bgp-af-ipv4] quit
[*Gateway-CE12808-1-bgp] quit
[*Gateway-CE12808-1] commit
Step 2 Configure BGP routes on Gateway-CE12808-2 to set up routes for the underlay network.
[~Gateway-CE12808-2] BGP 65001
[*Gateway-CE12808-2-bgp] router-id 19.19.19.19
[*Gateway-CE12808-2-bgp] timer keepalive 10 hold 30
[*Gateway-CE12808-2-bgp] group Spine-CE12804-1 external //Configure the route to
connect the gateway to Spine-CE12804-1.
[*Gateway-CE12808-2-bgp] peer Spine-CE12804-1 as-number 65009
[*Gateway-CE12808-2-bgp] peer 11.254.42.161 as-number 65009
[*Gateway-CE12808-2-bgp] peer 11.254.42.161 group Spine-CE12804-1
[*Gateway-CE12808-2-bgp] group Spine-CE12804-2 external
[*Gateway-CE12808-2-bgp] peer Spine-CE12804-2 as-number 65010
[*Gateway-CE12808-2-bgp] peer 11.254.43.157 as-number 65010
[*Gateway-CE12808-2-bgp] peer 11.254.43.157 group Spine-CE12804-2
[*Gateway-CE12808-2-bgp] ipv4-family unicast
[*Gateway-CE12808-2-bgp-af-ipv4] preference 20 200 10
[*Gateway-CE12808-2-bgp-af-ipv4] network 11.11.11.16 255.255.255.255
[*Gateway-CE12808-2-bgp-af-ipv4] network 19.19.19.19 255.255.255.255
[*Gateway-CE12808-2-bgp-af-ipv4] network 11.254.45.152 255.255.255.248
[*Gateway-CE12808-2-bgp-af-ipv4] maximum load-balancing 32
[*Gateway-CE12808-2-bgp-af-ipv4] quit
[*Gateway-CE12808-2-bgp] quit
[*Gateway-CE12808-2] commit
----End
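The eBGP underlay built in 4.2.3.4 and 4.2.3.5 relies on every `peer <ip> as-number <as>` statement matching an interface address and AS number on the directly connected device, and a single mistyped octet silently leaves a session in Idle. The following Python script is an added example, not part of the Huawei document: it parses VRP CLI transcript lines of the form shown in this chapter (prompt, command, optional `//` comment) and cross-checks peer address, peer AS and the reciprocal peer statement. The sample transcript is constructed from a few lines of the spine and gateway configuration above, with the last peer line deliberately mistyped so the output shows what a finding looks like.

```python
"""Consistency check for a directly connected eBGP underlay (added example)."""
import ipaddress
import re

# Constructed sample, abridged from the chapter's spine and gateway configs.
# The LAST peer line is deliberately wrong (11.254.44.161 instead of
# 11.254.42.161) to demonstrate the report.
SAMPLE_CLI = """
[~Spine-CE12804-1] interface 40GE1/0/4
[*Spine-CE12804-1-40GE1/0/4] ip address 11.254.42.157 30
[~Spine-CE12804-1] interface 40GE1/0/5
[*Spine-CE12804-1-40GE1/0/5] ip address 11.254.42.161 30
[~Spine-CE12804-1] BGP 65009
[*Spine-CE12804-1-bgp] group Gateway-CE12808-1 external
[*Spine-CE12804-1-bgp] peer Gateway-CE12808-1 as-number 65000
[*Spine-CE12804-1-bgp] peer 11.254.42.158 as-number 65000
[*Spine-CE12804-1-bgp] peer 11.254.42.162 as-number 65001
[~Gateway-CE12808-1] interface 40GE1/0/0 //Connect the interface to a spine node.
[*Gateway-CE12808-1-40GE1/0/0] ip address 11.254.42.158 30
[~Gateway-CE12808-1] BGP 65000
[*Gateway-CE12808-1-bgp] peer 11.254.42.157 as-number 65009
[~Gateway-CE12808-2] interface 40GE1/0/0
[*Gateway-CE12808-2-40GE1/0/0] ip address 11.254.42.162 30
[~Gateway-CE12808-2] BGP 65001
[*Gateway-CE12808-2-bgp] peer 11.254.44.161 as-number 65009
"""

# VRP prompt: [~Device] or [*Device-View] followed by the command typed.
PROMPT_RE = re.compile(r"^\[[~*](?P<prompt>[^\]]+)\]\s*(?P<cmd>.+)$")


def parse_cli(text):
    """Return {device: {"as": int|None, "ifaces": {name: IPv4Interface}, "peers": {ip: as}}}.

    The device name is read from the system-view prompt of each 'interface' or
    'bgp' command; the lines that follow are attributed to that device.
    """
    devices = {}
    dev = iface = None
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        words = m.group("cmd").split("//")[0].split()  # drop trailing // comments
        if not words:
            continue
        key = words[0].lower()
        if key == "interface" and len(words) >= 2:
            dev, iface = m.group("prompt"), words[1]
            devices.setdefault(dev, {"as": None, "ifaces": {}, "peers": {}})
        elif key == "bgp" and len(words) == 2 and words[1].isdigit():
            dev, iface = m.group("prompt"), None
            devices.setdefault(dev, {"as": None, "ifaces": {}, "peers": {}})
            devices[dev]["as"] = int(words[1])
        elif key == "ip" and len(words) == 4 and words[1] == "address" and dev and iface:
            devices[dev]["ifaces"][iface] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif key == "peer" and len(words) == 4 and words[2] == "as-number" and dev:
            try:
                peer_ip = ipaddress.ip_address(words[1])
            except ValueError:
                continue  # 'peer <group-name> as-number N' names a group, not a neighbour
            devices[dev]["peers"][peer_ip] = int(words[3])
    return devices


def check_underlay(devices):
    """Cross-check each 'peer <ip> as-number <as>' against the interface table.

    Returns human-readable findings; an empty list means the underlay is consistent.
    """
    owner = {}  # interface address -> (device, IPv4Interface)
    for dev, d in devices.items():
        for itf in d["ifaces"].values():
            owner[itf.ip] = (dev, itf)
    findings = []
    for dev, d in devices.items():
        for peer_ip, peer_as in d["peers"].items():
            if peer_ip not in owner:
                findings.append(f"{dev}: peer {peer_ip} is not an interface address of any device")
                continue
            remote, ritf = owner[peer_ip]
            if devices[remote]["as"] != peer_as:
                findings.append(f"{dev}: peer {peer_ip} ({remote}) configured as AS {peer_as}, "
                                f"but {remote} runs AS {devices[remote]['as']}")
            # Directly connected eBGP: the local side must sit in the same /30.
            local = [i for i in d["ifaces"].values() if i.network == ritf.network]
            if not local:
                findings.append(f"{dev}: no interface in {ritf.network} towards peer {peer_ip}")
            elif local[0].ip not in devices[remote]["peers"]:
                findings.append(f"{remote}: missing reciprocal peer {local[0].ip} ({dev})")
    return findings


if __name__ == "__main__":
    for line in check_underlay(parse_cli(SAMPLE_CLI)):
        print(line)
```

Feed it the full transcript of all four leaf, spine and gateway BGP sections and an empty result confirms that every /30 peering in the chapter is addressed and numbered consistently on both ends.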
Configuring a MAC Address Flapping Whitelist
In the Layer 3 architecture, when VXLAN traffic reaches a gateway through a spine device, a
MAC address flapping alarm is generated because, due to product constraints, an incorrect
MAC address is learned on the gateway. To avoid this, configure a MAC address flapping
whitelist on the gateways and add the MAC addresses of the Layer 3 interfaces that connect
the spine devices to the gateways. MAC address flapping detection is not performed for the
MAC addresses in the whitelist. These MAC addresses appear only as the outer source
addresses of tunnel packets and cannot be learned, so the adjustment does not affect services.
Step 1 Check the MAC addresses of Layer 3 interfaces that connect the two spine devices to
gateways.
[~Spine-CE12804-1] interface 40GE1/0/4 //Obtain the MAC address of the Layer 3
interface that connects Spine-CE12804-1 to a gateway.
[*Spine-CE12804-1-40GE1/0/4] undo portswitch
[~Spine-CE12804-1-40GE1/0/4] commit
[~Spine-CE12804-1-40GE1/0/4] display this interface | include Hardware address
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 200b-c732-d202
[~Spine-CE12804-1-40GE1/0/4] quit
[~Spine-CE12804-1] interface 40GE1/0/5
[*Spine-CE12804-1-40GE1/0/5] undo portswitch
[~Spine-CE12804-1-40GE1/0/5] commit
[~Spine-CE12804-1-40GE1/0/5] display this interface | include Hardware address
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 200b-c732-d202
[~Spine-CE12804-1-40GE1/0/5] quit
[~Spine-CE12804-2] interface 40GE1/0/4 //Obtain the MAC address of the Layer 3
interface that connects Spine-CE12804-2 to a gateway.
[*Spine-CE12804-2-40GE1/0/4] undo portswitch
[~Spine-CE12804-2-40GE1/0/4] commit
[~Spine-CE12804-2-40GE1/0/4] display this interface | include Hardware address
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 346a-c246-be01
[~Spine-CE12804-2-40GE1/0/4] quit
[~Spine-CE12804-2] interface 40GE1/0/5
[*Spine-CE12804-2-40GE1/0/5] undo portswitch
[~Spine-CE12804-2-40GE1/0/5] commit
[~Spine-CE12804-2-40GE1/0/5] display this interface | include Hardware address
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 346a-c246-be01
[~Spine-CE12804-2-40GE1/0/5] quit
Step 2 Configure a whitelist and add the MAC addresses obtained in Step 1.
[~Gateway-CE12808-1] mac-address flapping detection exclude 200b-c732-d202 48
[~Gateway-CE12808-1] mac-address flapping detection exclude 346a-c246-be01 48
[~Gateway-CE12808-2] mac-address flapping detection exclude 200b-c732-d202 48
[~Gateway-CE12808-2] mac-address flapping detection exclude 346a-c246-be01 48
----End
Configuring Interconnection Between the Gateways and External Routers
Step 1 Configure interfaces on the gateways to interconnect the gateways with external routers.
# Configure an interface on Gateway-CE12808-1 to connect Gateway-CE12808-1 to
Router-1.
[~Gateway-CE12808-1] interface Eth-Trunk1 //Configure the interface to connect
the gateway to an external PE device (Router-1).
[*Gateway-CE12808-1-Eth-Trunk1] trunkport 10GE 3/0/4
[*Gateway-CE12808-1-Eth-Trunk1] trunkport 10GE 3/0/5
[*Gateway-CE12808-1-Eth-Trunk1] undo portswitch
[*Gateway-CE12808-1-Eth-Trunk1] ip address 11.254.44.157 30
[*Gateway-CE12808-1-Eth-Trunk1] commit
[~Gateway-CE12808-1-Eth-Trunk1] quit
# Configure an interface on Gateway-CE12808-2 to connect Gateway-CE12808-2 to
Router-2.
[~Gateway-CE12808-2] interface Eth-Trunk1 //Configure the interface to connect
the gateway to an external PE device (Router-2).
[*Gateway-CE12808-2-Eth-Trunk1] trunkport 10GE 3/0/4
[*Gateway-CE12808-2-Eth-Trunk1] trunkport 10GE 3/0/5
[*Gateway-CE12808-2-Eth-Trunk1] undo portswitch
[*Gateway-CE12808-2-Eth-Trunk1] ip address 11.254.44.161 30
[*Gateway-CE12808-2-Eth-Trunk1] commit
[~Gateway-CE12808-2-Eth-Trunk1] quit
Step 2 Configure Layer 3 interconnection interfaces on gateways to form a square-shaped ring
network.
# Configure an interface on Gateway-CE12808-1 to connect Gateway-CE12808-1 to
Gateway-CE12808-2.
[~Gateway-CE12808-1] interface 10GE3/0/6 //Configure the interface to connect
the gateway to Gateway-CE12808-2.
[*Gateway-CE12808-1-10GE3/0/6] undo portswitch
[*Gateway-CE12808-1-10GE3/0/6] ip address 11.254.44.165 30
[*Gateway-CE12808-1-10GE3/0/6] commit
[~Gateway-CE12808-1-10GE3/0/6] quit
# Configure an interface on Gateway-CE12808-2 to connect Gateway-CE12808-2 to
Gateway-CE12808-1.
[~Gateway-CE12808-2] interface 10GE 3/0/6 //Configure the interface to connect
the gateway to Gateway-CE12808-1.
[*Gateway-CE12808-2-10GE3/0/6] undo portswitch
[*Gateway-CE12808-2-10GE3/0/6] ip address 11.254.44.166 30
[*Gateway-CE12808-2-10GE3/0/6] commit
[~Gateway-CE12808-2-10GE3/0/6] quit
Step 3 Configure routes between the Loopback addresses of the gateways and those of external
routers. Here, OSPF routes are configured.
# Configure OSPF routes on Gateway-CE12808-1.
[~Gateway-CE12808-1] ospf 1 router-id 18.18.18.18
[~Gateway-CE12808-1-ospf-1] area 0
[~Gateway-CE12808-1-ospf-1-area-0.0.0.0] network 11.254.44.156 0.0.0.3
[~Gateway-CE12808-1-ospf-1-area-0.0.0.0] network 21.21.21.21 0.0.0.0 //Advertise the local Loopback2 address used for the EBGP session with Router-1.
[~Gateway-CE12808-1-ospf-1-area-0.0.0.0] commit
[~Gateway-CE12808-1-ospf-1-area-0.0.0.0] quit
# Configure OSPF routes on Gateway-CE12808-2.
[~Gateway-CE12808-2] ospf 1 router-id 19.19.19.19
[~Gateway-CE12808-2-ospf-1] area 0
[~Gateway-CE12808-2-ospf-1-area-0.0.0.0] network 11.254.44.160 0.0.0.3
[~Gateway-CE12808-2-ospf-1-area-0.0.0.0] network 22.22.22.22 0.0.0.0
[~Gateway-CE12808-2-ospf-1-area-0.0.0.0] commit
[~Gateway-CE12808-2-ospf-1-area-0.0.0.0] quit
Step 4 Configure gateways to establish EBGP peer relationships with the external routers and the
remote gateways.
# On Gateway-CE12808-1, configure EBGP routes to Router-1 and Gateway-CE12808-2,
respectively.
[~Gateway-CE12808-1] BGP 65000
[*Gateway-CE12808-1-bgp] router-id 18.18.18.18
[*Gateway-CE12808-1-bgp] timer keepalive 10 hold 30
[*Gateway-CE12808-1-bgp] group Router-1 external //Configure the route to
connect the gateway to Router-1.
[*Gateway-CE12808-1-bgp] peer Router-1 as-number 65047
[*Gateway-CE12808-1-bgp] peer Router-1 ebgp-max-hop 10
[*Gateway-CE12808-1-bgp] peer Router-1 connect-interface LoopBack2 //Configure
the local Loopback2 interface to establish a BGP peer relationship with Router-1.
[*Gateway-CE12808-1-bgp] peer 21.21.21.22 as-number 65047
[*Gateway-CE12808-1-bgp] peer 21.21.21.22 group Router-1
[*Gateway-CE12808-1-bgp] group GW-2 external //Establish an EBGP peer
relationship with Gateway-CE12808-2.
[*Gateway-CE12808-1-bgp] peer GW-2 as-number 65001
[*Gateway-CE12808-1-bgp] peer 11.254.44.166 as-number 65001
[*Gateway-CE12808-1-bgp] peer 11.254.44.166 group GW-2
[*Gateway-CE12808-1-bgp] commit
[~Gateway-CE12808-1-bgp] quit
# On Gateway-CE12808-2, configure EBGP routes to Router-2 and Gateway-CE12808-1,
respectively.
[~Gateway-CE12808-2] bgp 65001
[*Gateway-CE12808-2-bgp] router-id 19.19.19.19
[*Gateway-CE12808-2-bgp] timer keepalive 10 hold 30
[*Gateway-CE12808-2-bgp] group Router-2 external //Configure the route to connect the gateway to Router-2.
[*Gateway-CE12808-2-bgp] peer Router-2 as-number 65048
[*Gateway-CE12808-2-bgp] peer Router-2 ebgp-max-hop 10
[*Gateway-CE12808-2-bgp] peer Router-2 connect-interface LoopBack2 //Configure the local Loopback2 interface to establish a BGP peer relationship with Router-2.
[*Gateway-CE12808-2-bgp] peer 22.22.22.23 as-number 65048
[*Gateway-CE12808-2-bgp] peer 22.22.22.23 group Router-2
[*Gateway-CE12808-2-bgp] group GW-1 external //Establish an EBGP peer relationship with Gateway-CE12808-1.
[*Gateway-CE12808-2-bgp] peer GW-1 as-number 65000
[*Gateway-CE12808-2-bgp] peer 11.254.44.165 as-number 65000
[*Gateway-CE12808-2-bgp] peer 11.254.44.165 group GW-1 //The address must be the same peer address that was given the AS number on the previous line, and the group must be GW-1.
[*Gateway-CE12808-2-bgp] commit
[*Gateway-CE12808-2-bgp] quit
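Peer-group stanzas like the ones in Step 4 are typed by hand on two devices, and the mistakes that slip through (a peer added to a group without an as-number line, an address that differs by one digit between the as-number and group lines, a gateway that peers with a neighbour that does not peer back) leave the session down with no obvious error at commit time. The following Python script is an added example, not part of the Huawei guide: it parses a VRP-style BGP stanza with the prompts and //comments left in, and reports those inconsistencies. The stanza texts, the mistyped variant, and the function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Strips a CloudEngine CLI prompt such as "[*Gateway-CE12808-1-bgp] " so the
# parser accepts pasted session output as well as plain running-config text.
PROMPT = re.compile(r"^\[[*~]?[^\]]*\]\s*")


@dataclass
class BgpStanza:
    local_as: Optional[int] = None
    groups: Dict[str, Optional[int]] = field(default_factory=dict)  # group -> remote AS
    peer_as: Dict[str, int] = field(default_factory=dict)           # peer address -> AS
    peer_group: Dict[str, str] = field(default_factory=dict)        # peer address -> group


def parse_bgp(text: str) -> BgpStanza:
    """Collect local AS, peer groups and peers from a VRP-style BGP stanza."""
    st = BgpStanza()
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.split("//", 1)[0]).strip()  # drop prompt and comment
        tok = line.split()
        if len(tok) == 2 and tok[0].lower() == "bgp":
            st.local_as = int(tok[1])
        elif len(tok) >= 2 and tok[0] == "group":
            st.groups.setdefault(tok[1], None)          # "group <name> external"
        elif len(tok) >= 4 and tok[0] == "peer":
            name, keyword, value = tok[1], tok[2], tok[3]
            if keyword == "as-number" and name in st.groups:
                st.groups[name] = int(value)            # AS applies to the whole group
            elif keyword == "as-number":
                st.peer_as[name] = int(value)           # AS of an individual peer
            elif keyword == "group":
                st.peer_group[name] = value             # peer joins a group
    return st


def check_stanza(st: BgpStanza) -> List[str]:
    """Report peers whose group membership and AS number do not line up."""
    findings = []
    for addr, grp in st.peer_group.items():
        if grp not in st.groups:
            findings.append(f"{addr}: assigned to undefined group {grp}")
        elif addr not in st.peer_as:
            findings.append(f"{addr}: in group {grp} but has no 'peer {addr} as-number' line")
        elif st.groups[grp] is not None and st.peer_as[addr] != st.groups[grp]:
            findings.append(f"{addr}: AS {st.peer_as[addr]} differs from group {grp} AS {st.groups[grp]}")
    for addr in st.peer_as:
        if addr not in st.peer_group:
            findings.append(f"{addr}: has an AS number but was never added to a group")
    return findings


def check_mutual(a: BgpStanza, b: BgpStanza) -> List[str]:
    """If one gateway peers with the other's AS, the other must peer back."""
    findings = []
    for x, y in ((a, b), (b, a)):
        if y.local_as in x.peer_as.values() and x.local_as not in y.peer_as.values():
            findings.append(f"AS {x.local_as} peers with AS {y.local_as} but is not peered back")
    return findings


# Constructed stanzas modelled on Step 4 above (not copied session output).
GW1 = """
[~Gateway-CE12808-1] bgp 65000
[*Gateway-CE12808-1-bgp] group Router-1 external
[*Gateway-CE12808-1-bgp] peer Router-1 as-number 65047
[*Gateway-CE12808-1-bgp] peer 21.21.21.22 as-number 65047
[*Gateway-CE12808-1-bgp] peer 21.21.21.22 group Router-1
[*Gateway-CE12808-1-bgp] group GW-2 external //EBGP to the other gateway
[*Gateway-CE12808-1-bgp] peer GW-2 as-number 65001
[*Gateway-CE12808-1-bgp] peer 11.254.44.166 as-number 65001
[*Gateway-CE12808-1-bgp] peer 11.254.44.166 group GW-2
"""
GW2 = """
[~Gateway-CE12808-2] bgp 65001
[*Gateway-CE12808-2-bgp] group GW-1 external
[*Gateway-CE12808-2-bgp] peer GW-1 as-number 65000
[*Gateway-CE12808-2-bgp] peer 11.254.44.165 as-number 65000
[*Gateway-CE12808-2-bgp] peer 11.254.44.165 group GW-1
"""
# Same as GW1 with one digit mistyped on the group line (44 -> 42).
GW1_TYPO = GW1.replace("peer 11.254.44.166 group GW-2", "peer 11.254.42.166 group GW-2")

if __name__ == "__main__":
    for label, cfg in (("GW1", GW1), ("GW1 with typo", GW1_TYPO)):
        print(label, check_stanza(parse_bgp(cfg)) or "OK")
    print("mutual", check_mutual(parse_bgp(GW1), parse_bgp(GW2)) or "OK")
```

The mistyped variant produces two findings, one for each side of the mismatch, which is more useful than a single "peer missing" message because it points at both lines that need to agree.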
Step 5 Configure interconnections on Router-1 and Router-2 as follows:
- Configure interfaces to interconnect with the gateways.
- Configure interfaces to interconnect with the other external routers.
- Configure OSPF routes between the loopback addresses of the external routers and those of the gateways.
- Configure EBGP routes to establish EBGP peer relationships with the gateways.
----End
4.2.3.6 Configuring Firewalls
Connect FW-USG9560-1 and FW-USG9560-2 to the gateways through service interfaces and
configure management network segments to enable communications between the firewalls
and the AC-DCN. Connect the firewalls to the gateways through other service interfaces to
establish service links. The two firewalls work in active/standby mirroring mode.
Internal and external links can use one physical link or two independent physical links. In this
chapter, one physical link is used as the internal and external links.
The configuration roadmap is as follows:
1. Configure the heartbeat interfaces between two firewalls.
2. Configure two firewalls in hot standby mode.
3. Configure mirroring mode and hot standby management interfaces.
4. Run the hrp base config enable command and restart the firewalls.
5. Configure the interfaces for management and interconnection between the firewalls and gateways.
6. Configure the interfaces for service interconnection between the firewalls and gateways.
7. Add interfaces to security zones and configure a default inter-zone security policy.
Figure 4-3 Interconnection between the firewalls and gateways
NOTE
Two firewalls in active/standby mirroring mode must use the same ports to connect to a gateway. For
example, if FW-USG9560-1 connects to Gateway-CE12808-1 through GE1/0/1, FW-USG9560-2 shall
connect to Gateway-CE12808-1 through GE1/0/1.
Firewalls cannot connect to the AC-DCN through management Meth interfaces using NETCONF.
The following configurations are automatically delivered by the AC-DCN, and no manual configuration
is required: VLANs and addresses for interconnection between service links and gateways, routes and
traffic diversion between the root firewall (public system) and virtual firewalls, and security zones,
elastic IP addresses (EIPs), Source Network Address Translation (SNAT), and security policies for
virtual firewalls.
A default route cannot be configured on the root firewall (public system); otherwise, the configured
default route will conflict with the default route delivered by the AC-DCN.
Procedure
Step 1 Configure the management interfaces that connect to the CE12808 series switches.
<FW-USG9560-1> system-view
[FW-USG9560-1] interface Eth-Trunk11
[FW-USG9560-1-Eth-Trunk11] description To-GW-CE12808
[FW-USG9560-1-Eth-Trunk11] ip address 11.254.45.156 29
[FW-USG9560-1-Eth-Trunk11] trunkport GigabitEthernet 1/0/1 to 1/0/2
[FW-USG9560-1-Eth-Trunk11] undo service-manage enable
[FW-USG9560-1-Eth-Trunk11] quit
<FW-USG9560-2> system-view
[FW-USG9560-2] interface Eth-Trunk11
[FW-USG9560-2-Eth-Trunk11] description To-GW-CE12808
[FW-USG9560-2-Eth-Trunk11] ip address 11.254.45.157 29
[FW-USG9560-2-Eth-Trunk11] trunkport GigabitEthernet 1/0/1 to 1/0/2
[FW-USG9560-2-Eth-Trunk11] undo service-manage enable
[FW-USG9560-2-Eth-Trunk11] quit
Step 2 Configure the service interfaces that connect to the CE12808 series switches.
<FW-USG9560-1> system-view
[FW-USG9560-1] interface Eth-Trunk1
[FW-USG9560-1-Eth-Trunk1] description To-CE12808
[FW-USG9560-1-Eth-Trunk1] portswitch
[FW-USG9560-1-Eth-Trunk1] trunkport GigabitEthernet 1/0/3 to 1/0/4
[FW-USG9560-1-Eth-Trunk1] undo service-manage enable
[FW-USG9560-1-Eth-Trunk1] quit
<FW-USG9560-2> system-view
[FW-USG9560-2] interface Eth-Trunk1
[FW-USG9560-2-Eth-Trunk1] description To-CE12808
[FW-USG9560-2-Eth-Trunk1] portswitch
[FW-USG9560-2-Eth-Trunk1] trunkport GigabitEthernet 1/0/3 to 1/0/4
[FW-USG9560-2-Eth-Trunk1] undo service-manage enable
[FW-USG9560-2-Eth-Trunk1] quit
Step 3 Configure heartbeat interfaces on the firewalls to implement dual-node hot-standby.
# Configure heartbeat interfaces on FW-USG9560-1.
<FW-USG9560-1> system-view
[FW-USG9560-1] interface Eth-Trunk0
[FW-USG9560-1-Eth-Trunk0] ip address 1.1.1.1 255.255.255.252
[FW-USG9560-1-Eth-Trunk0] quit
[FW-USG9560-1] interface GigabitEthernet7/1/0
[FW-USG9560-1-GigabitEthernet7/1/0] description FW-HRP
[FW-USG9560-1-GigabitEthernet7/1/0] undo shutdown
[FW-USG9560-1-GigabitEthernet7/1/0] eth-trunk 0
[FW-USG9560-1-GigabitEthernet7/1/0] quit
[FW-USG9560-1] interface GigabitEthernet7/1/1
[FW-USG9560-1-GigabitEthernet7/1/1] description FW-HRP
[FW-USG9560-1-GigabitEthernet7/1/1] undo shutdown
[FW-USG9560-1-GigabitEthernet7/1/1] eth-trunk 0
[FW-USG9560-1-GigabitEthernet7/1/1] quit
# Configure heartbeat interfaces on FW-USG9560-2.
<FW-USG9560-2> system-view
[FW-USG9560-2] interface Eth-Trunk0
[FW-USG9560-2-Eth-Trunk0] ip address 1.1.1.2 255.255.255.252
[FW-USG9560-2-Eth-Trunk0] quit
[FW-USG9560-2] interface GigabitEthernet7/1/0
[FW-USG9560-2-GigabitEthernet7/1/0] description FW-HRP
[FW-USG9560-2-GigabitEthernet7/1/0] undo shutdown
[FW-USG9560-2-GigabitEthernet7/1/0] eth-trunk 0
[FW-USG9560-2-GigabitEthernet7/1/0] quit
[FW-USG9560-2] interface GigabitEthernet7/1/1
[FW-USG9560-2-GigabitEthernet7/1/1] description FW-HRP
[FW-USG9560-2-GigabitEthernet7/1/1] undo shutdown
[FW-USG9560-2-GigabitEthernet7/1/1] eth-trunk 0
[FW-USG9560-2-GigabitEthernet7/1/1] quit
Step 4 Enable dual-node hot-standby on the firewalls.
# Enable dual-node hot-standby on FW-USG9560-1.
<FW-USG9560-1> system-view
[FW-USG9560-1] hrp interface Eth-Trunk0 remote 1.1.1.2
[FW-USG9560-1] hrp mirror config enable
[FW-USG9560-1] hrp enable
# Enable dual-node hot-standby on FW-USG9560-2.
<FW-USG9560-2> system-view
[FW-USG9560-2] hrp interface Eth-Trunk0 remote 1.1.1.1
[FW-USG9560-2] hrp mirror config enable
[FW-USG9560-2] hrp enable
Step 5 Configure function items for dual-node hot-standby.
# Perform the following configurations on FW-USG9560-1:
HRP_M[FW-USG9560-1] hrp track interface Eth-Trunk1 //Configure the monitoring
interface of the VRRP Group Management Protocol (VGMP) group as the service
interface. This configuration will be synchronized to the standby Huawei
Redundancy Protocol (HRP) firewall.
HRP_M[FW-USG9560-1] hrp mgt-interface Eth-Trunk11 //Configure the management
interface for dual-node hot-standby. This configuration will be synchronized to
the standby HRP firewall.
HRP_M[FW-USG9560-1] hrp mirror session enable //Enable session fast backup. This
configuration will be synchronized to the standby HRP firewall.
HRP_M[FW-USG9560-1] hrp standby config enable //Enable execution of some
commands on the standby firewall.
Step 6 Configure the firewalls to restart with the basic configuration for dual-node hot-standby and
synchronize the correct service configuration from the other firewall.
# Run the hrp base config enable command.
HRP_M[FW-USG9560-1] hrp base config enable
# Restart the firewall to make the configuration take effect.
HRP_M<FW-USG9560-1> reboot
System will reboot! Do you want to save the running configuration? [Y/N]: y
System will reboot! Continue? [Y/N]: y
HRP_S<FW-USG9560-2> reboot
System will reboot! Do you want to save the running configuration? [Y/N]: y
System will reboot! Continue? [Y/N]: y
Step 7 Add interfaces to security zones and configure a default action for security policies.
# Add a Virtual-if0 interface to a security zone to enable traffic diversion between the root
firewall (public system) and virtual firewalls.
HRP_M[FW-USG9560-1] firewall zone untrust
HRP_M[FW-USG9560-1-zone-untrust] add interface Virtual-if0
HRP_M[FW-USG9560-1-zone-untrust] quit
# Add the management network interface and heartbeat interface to a demilitarized zone
(DMZ).
HRP_M[FW-USG9560-1] firewall zone dmz
HRP_M[FW-USG9560-1-zone-dmz] add interface eth-trunk11 //Add the management network interface to the DMZ zone.
HRP_M[FW-USG9560-1-zone-dmz] add interface eth-trunk0 //Add the heartbeat interface to the DMZ zone.
HRP_M[FW-USG9560-1-zone-dmz] quit
# Set the default action of security policies to permit.
HRP_M[FW-USG9560-1] security-policy
HRP_M[FW-USG9560-1-security-policy] default action permit
----End
4.2.3.7 Configuring SNMP
You need to configure SNMP parameters on devices so that the devices can be added to and
discovered by the AC-DCN using SNMP. The SNMP parameters must be configured the
same as those configured on the AC-DCN.
Configurations of the SNMP parameters on CE series switches and firewalls are different.
NOTE
The port configuration is different from the configuration of other SNMP protocol parameters. On a
device, the number of the port connecting to the AC-DCN is set to 161 by default. On the AC-DCN, the
number of the port connecting to the device is set to 1666 by default.
The AC-DCN uses SNMP v3, which provides stronger security than earlier SNMP versions, to
connect to devices.
The ISO-level MIB trees supported by the AC-DCN include nt iso, rd iso, wt iso, and iso-view iso.
Before configuring SNMP parameters on a device, ensure that info-center is enabled. If info-center is disabled, the device cannot report trap messages to the AC-DCN.
Run the display info-center command to check whether info-center is enabled.
- If Information Center : enable is displayed, info-center is enabled. You can configure SNMP parameters.
- If Information Center : disable is displayed, info-center is not enabled. Run the info-center enable command to enable info-center.
Configuring CE Switches
Configure the following SNMP v3 parameters on CE series switches for interconnection with
the AC-DCN.
Parameter                                 Value (Example)   Description
snmp-agent udp-port                       161               Indicates the UDP port number used for interconnection between the SNMP agent (a CE series switch) and the AC-DCN. The default value is 161.
snmp-agent group                          dc-admin          Indicates the SNMP v3 user group name.
snmp-agent usm-user                       admin             Indicates the SNMP v3 user name.
snmp-agent usm-user authentication-mode   SHA               Indicates the user authentication mode.
authentication password                   Huawei@123        Indicates the user authentication password.
privacy-mode                              AES128            Indicates the encryption algorithm that is used during authentication.
privacy password                          Huawei@123        Indicates the encryption password.
Configure Gateway-CE12808-1 as follows. Configurations on other CE series switches are
similar.
Step 1 Run the system-view command to enter the system view.
Step 2 Change the number of the port that connects the SNMP agent to the AC-DCN. By default, the
SNMP agent and the AC-DCN are connected over port 161.
[~Gateway-CE12808-1] snmp-agent udp-port 161
Step 3 Configure an SNMP v3 user and a user group, and set the authentication mode and encryption
algorithm. For example, set the user group name to dc-admin, user name to admin,
authentication mode to SHA, and encryption algorithm to AES128.
[*Gateway-CE12808-1] snmp-agent usm-user v3 admin group dc-admin
[*Gateway-CE12808-1] snmp-agent usm-user v3 admin authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:    //Enter the authentication password, for example, Huawei@123.
Confirm Password:  //Confirm the authentication password, for example, Huawei@123.
[*Gateway-CE12808-1] snmp-agent usm-user v3 admin privacy-mode aes128
Please configure the privacy password (8-255)
Enter Password:    //Enter the encryption password, for example, Huawei@1234.
Confirm Password:  //Confirm the encryption password, for example, Huawei@1234.
Step 4 Configure the gateway to report alarm trap packets to the AC-DCN using SNMP v3.
[*Gateway-CE12808-1] snmp-agent trap enable feature-name trunk
[*Gateway-CE12808-1] snmp-agent trap enable //Enable the trap packet sending function on the gateway.
[*Gateway-CE12808-1] snmp-agent trap source loopback0 //The interface name is the name of the gateway interface connecting to the AC-DCN. Configure an IP address for the interface.
[*Gateway-CE12808-1] commit
Step 5 Configure a MIB view and add the MIB view to the attributes of a user group so that the user
group obtains the read, write, and alarm reporting rights.
NOTE
The AC-DCN obtains LLDP link information from an MIB view specified by SNMP. In this case, the
SNMP-specified MIB view must be iso-view, and the OID MIB sub-tree of the specified MIB object
must be iso.
[*Gateway-CE12808-1] snmp-agent mib-view included iso-view iso
[*Gateway-CE12808-1] snmp-agent mib-view included nt iso
[*Gateway-CE12808-1] snmp-agent mib-view included rd iso
[*Gateway-CE12808-1] snmp-agent mib-view included wt iso
[*Gateway-CE12808-1] snmp-agent group v3 dc-admin privacy read-view rd write-view wt notify-view nt
[*Gateway-CE12808-1] commit
----End
Configuring Firewalls
Configure the following SNMP v3 parameters on firewalls for interconnection with the AC-DCN.
Parameter                                 Value (Example)    Description
snmp-agent udp-port                       161                Indicates the UDP port number used for interconnection between the SNMP agent (a CE series switch) and the AC-DCN. The default value is 161.
snmp-agent group                          dc-admin           Indicates the SNMP v3 user group name.
snmp-agent usm-user                       admin              Indicates the SNMP v3 user name.
snmp-agent usm-user authentication-mode   SHA                Indicates the user authentication mode.
authentication password                   Huawei@123         Indicates the user authentication password.
privacy-mode                              AES128             Indicates the encryption algorithm that is used during authentication.
privacy password                          Huawei@123         Indicates the encryption password.
snmp-agent group                          ACTRAP             Indicates the trap user group name.
snmp-agent usm-user                       ACTrapUser         Indicates the trap user name.
snmp-agent usm-user authentication-mode   SHA                Indicates the user authentication mode.
authentication password                   Public@1234        Indicates the user authentication password.
privacy-mode                              AES128             Indicates the encryption algorithm that is used during authentication.
privacy password                          Admin@5678         Indicates the encryption password.
snmp-agent trap source                    Eth-Trunk6         Indicates the name of the device interface connecting to the AC-DCN.
snmp-agent target-host trap addr          100.125.100.10/24  Indicates IP addresses of nodes in the AC-DCN cluster.
                                          100.125.100.11/24
                                          100.125.100.12/24
Configure FW-USG9650-1 as follows. The configuration on FW-USG9650-2 is similar.
Step 1 Change the number of the port that connects the SNMP agent to the AC-DCN. By default, the
SNMP agent and the AC-DCN are connected over port 161.
HRP_M[FW-USG9650-1] snmp-agent udp-port 161
Step 2 Configure an SNMP user group.
HRP_M[FW-USG9650-1] snmp-agent group v3 ACTRAP privacy read-view rd write-view wt
notify-view nt
Step 3 Configure an SNMP v3 user and a user group, and set the authentication mode and encryption
algorithm. For example, set the user group name to dc-admin, user name to admin,
authentication mode to SHA, and encryption algorithm to AES128.
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin group dc-admin
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:    //Enter the authentication password, for example, Huawei@123.
Confirm Password:  //Confirm the authentication password, for example, Huawei@123.
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin privacy-mode aes128
Please configure the privacy password (8-255)
Enter Password:    //Enter the encryption password, for example, Priva@1234.
Confirm Password:  //Confirm the encryption password, for example, Priva@1234.
Step 4 Configure SNMP parameters. For example, set the user name to ACTrapUser, the
authentication mode and password to SHA and Public@1234, respectively, and the
encryption algorithm and password to AES128 and Admin@5678, respectively. After the
configuration, the AC-DCN can obtain the firewall system start time using SNMP.
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser group ACTRAP
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser authentication-mode sha
cipher Public@1234 //In this example, the authentication password is Public@1234.
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser privacy-mode aes128 cipher Admin@5678 //In this example, the encryption password is Admin@5678.
Step 5 Configure the firewall to report alarm trap packets to the AC-DCN using SNMP v3.
HRP_M[FW-USG9650-1] snmp-agent trap enable feature-name trunk
HRP_M[FW-USG9650-1] snmp-agent trap enable //Enable the trap packet sending function on the firewall.
HRP_M[FW-USG9650-1] snmp-agent trap source Eth-trunk 6 //interface-type interface-number indicates the name of the interface to which the IP address belongs.
HRP_M[FW-USG9650-1] snmp-agent target-host trap address udp-domain 100.125.100.10 udp-port 1666 params securityname ACTrapUser v3 privacy //The IP address is an IP address of the AC-DCN.
HRP_M[FW-USG9650-1] snmp-agent target-host trap address udp-domain 100.125.100.11 udp-port 1666 params securityname ACTrapUser v3 privacy
HRP_M[FW-USG9650-1] snmp-agent target-host trap address udp-domain 100.125.100.12 udp-port 1666 params securityname ACTrapUser v3 privacy
Step 6 Configure a MIB view and add the MIB view to the attributes of a user group so that the user
group obtains the read, write, and alarm reporting rights.
HRP_M[FW-USG9650-1] snmp-agent mib-view included iso-view iso
HRP_M[FW-USG9650-1] snmp-agent group v3 dc-admin privacy read-view rd write-view wt notify-view nt
HRP_M[FW-USG9650-1] snmp-agent mib-view included nt iso
HRP_M[FW-USG9650-1] snmp-agent mib-view included rd iso
HRP_M[FW-USG9650-1] snmp-agent mib-view included wt iso
----End
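The CE switch and firewall procedures in 4.2.3.7 both end up with the same SNMP posture: v3 users with SHA authentication and AES128 privacy, groups at the privacy level whose read/write/notify views are all defined, and trap targets that send as v3 privacy under a defined user. The Python audit below is an added example, not the guide's or the AC-DCN's own tooling; it parses snmp-agent lines from either device family (prompts and //comments left in, interactive password prompts ignored) and reports deviations from that posture, including any SNMPv1/v2c community string, which the guide does not use and which would bypass the v3 protections. The "good" configuration is modelled on the firewall steps above; the weakened configuration, its user, group and community names, and the sets of acceptable algorithms are constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Strips prompts such as "HRP_M[FW-USG9650-1] " or "[*Gateway-CE12808-1] ".
PROMPT = re.compile(r"^(?:HRP_[MS])?\[[*~]?[^\]]*\]\s*")
# Policy used by this example (an assumption, not the guide's wording): md5 and
# des56 count as weak, and anything below the privacy level is a finding.
STRONG_AUTH = {"sha", "sha2-256", "sha2-384", "sha2-512"}
STRONG_PRIV = {"aes128", "aes192", "aes256"}


def audit_snmp(text: str) -> List[str]:
    """Audit snmp-agent lines against a v3-only, authentication+privacy posture."""
    users: Dict[str, Dict[str, str]] = defaultdict(dict)
    groups: Dict[str, Dict] = {}
    views = set()
    trap_hosts = []
    findings = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.split("//", 1)[0]).strip()
        tok = line.split()
        if len(tok) < 2 or tok[0] != "snmp-agent":
            continue  # password prompts and unrelated commands are ignored
        if tok[1] == "community":
            findings.append("SNMPv1/v2c community string configured; only v3 should be enabled")
        elif tok[1] == "mib-view" and len(tok) >= 4:
            views.add(tok[3])  # snmp-agent mib-view included <view> <subtree>
        elif tok[1] == "group" and len(tok) >= 5 and tok[2] == "v3":
            # snmp-agent group v3 <name> <level> [read-view X] [write-view Y] [notify-view Z]
            groups[tok[3]] = {"level": tok[4], "views": dict(zip(tok[5::2], tok[6::2]))}
        elif tok[1] == "usm-user" and len(tok) >= 4 and tok[2] == "v3":
            user = users[tok[3]]  # a bare "usm-user v3 <name>" just creates the entry
            if len(tok) >= 6 and tok[4] in ("group", "authentication-mode", "privacy-mode"):
                user[tok[4]] = tok[5]  # "cipher <password>" after the mode is ignored
        elif tok[1] == "target-host" and "securityname" in tok and "udp-domain" in tok:
            i = tok.index("securityname")
            trap_hosts.append((tok[tok.index("udp-domain") + 1], tok[i + 1],
                               tok[i + 2] if len(tok) > i + 2 else "?",
                               tok[i + 3] if len(tok) > i + 3 else "none"))

    for name, u in users.items():
        if u.get("authentication-mode") not in STRONG_AUTH:
            findings.append(f"user {name}: authentication-mode {u.get('authentication-mode')} is weak or missing")
        if u.get("privacy-mode") not in STRONG_PRIV:
            findings.append(f"user {name}: privacy-mode {u.get('privacy-mode')} is weak or missing")
        if u.get("group") not in groups:
            findings.append(f"user {name}: group {u.get('group')} is not a defined v3 group")
    for name, g in groups.items():
        if g["level"] != "privacy":
            findings.append(f"group {name}: security level {g['level']} instead of privacy")
        for kind, view in g["views"].items():
            if view not in views:
                findings.append(f"group {name}: {kind} {view} has no mib-view definition")
    for ip, user, version, level in trap_hosts:
        if version != "v3" or level != "privacy":
            findings.append(f"trap host {ip}: sent as {version} {level}, not v3 privacy")
        if user not in users:
            findings.append(f"trap host {ip}: securityname {user} is not a defined user")
    return findings


# Constructed from the firewall steps above; passwords are the guide's examples.
GOOD_CFG = """
HRP_M[FW-USG9650-1] snmp-agent udp-port 161
HRP_M[FW-USG9650-1] snmp-agent group v3 ACTRAP privacy read-view rd write-view wt notify-view nt
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin group dc-admin
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin authentication-mode sha
Please configure the authentication password (8-255)
Enter Password:
Confirm Password:
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 admin privacy-mode aes128
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser group ACTRAP
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser authentication-mode sha cipher Public@1234
HRP_M[FW-USG9650-1] snmp-agent usm-user v3 ACTrapUser privacy-mode aes128 cipher Admin@5678
HRP_M[FW-USG9650-1] snmp-agent trap enable
HRP_M[FW-USG9650-1] snmp-agent trap source Eth-trunk 6
HRP_M[FW-USG9650-1] snmp-agent target-host trap address udp-domain 100.125.100.10 udp-port 1666 params securityname ACTrapUser v3 privacy
HRP_M[FW-USG9650-1] snmp-agent mib-view included iso-view iso
HRP_M[FW-USG9650-1] snmp-agent group v3 dc-admin privacy read-view rd write-view wt notify-view nt
HRP_M[FW-USG9650-1] snmp-agent mib-view included nt iso
HRP_M[FW-USG9650-1] snmp-agent mib-view included rd iso
HRP_M[FW-USG9650-1] snmp-agent mib-view included wt iso
"""
# Constructed weak configuration: a v2c community, md5 without privacy, an
# authentication-only group referencing an undefined view, and a non-privacy trap.
WEAK_CFG = """
snmp-agent community read SecretRO
snmp-agent group v3 ops authentication read-view rd
snmp-agent usm-user v3 ops-user group ops
snmp-agent usm-user v3 ops-user authentication-mode md5
snmp-agent target-host trap address udp-domain 100.125.100.10 udp-port 1666 params securityname ops-user v3 authentication
"""

if __name__ == "__main__":
    print("good:", audit_snmp(GOOD_CFG) or "OK")
    print("weak:", *audit_snmp(WEAK_CFG), sep="\n  ")
```

Run it against the output of display current-configuration | include snmp-agent on each device before adding the device to the AC-DCN; the view check catches the common ordering mistake of defining the group before the mib-view lines it references only if those lines were never entered.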
4.2.3.8 Configuring NETCONF
You need to configure NETCONF parameters on devices so that the AC-DCN can deliver
service configurations to the devices and obtain information about the devices using
NETCONF. NETCONF parameters must be configured the same as those configured on the
AC-DCN.
Configurations of NETCONF parameters on CE series switches and firewalls are different.
Configuring CE Switches
Configure the following NETCONF parameters on CE series switches for interconnection
with the AC-DCN.
Parameter                                 Value (Example)      Description
local-user                                client@huawei.com    Indicates the SSH user name.
local-user password irreversible-cipher   Huawei@123           Indicates the SSH user authentication password.
Configure Gateway-CE12808-1 as follows. Configurations on other CE series switches are
similar.
Step 1 Configure SSH on the VTY CLI.
<Gateway-CE12808-1> system-view
[~Gateway-CE12808-1] user-interface vty 0 4
[~Gateway-CE12808-1-ui-vty0-4] authentication-mode aaa
[~Gateway-CE12808-1-ui-vty0-4] protocol inbound ssh
[~Gateway-CE12808-1-ui-vty0-4] commit
[~Gateway-CE12808-1-ui-vty0-4] quit
NOTE
After SSH is configured on a device, the device automatically disables the Telnet function. Telnet poses
security risks. You are not advised to run the protocol inbound all command to enable SSH and Telnet
simultaneously.
Step 2 Deploy SSH.
1. Create an SSH user.
# Create a local user, and set the user name to Client, domain name to huawei.com, and
password to Huawei@123.
[~Gateway-CE12808-1] aaa
[~Gateway-CE12808-1-aaa] local-user client@huawei.com password irreversible-cipher Huawei@123
[~Gateway-CE12808-1-aaa] local-user client@huawei.com service-type ssh
[~Gateway-CE12808-1-aaa] local-user client@huawei.com level 3
[~Gateway-CE12808-1-aaa] commit
[~Gateway-CE12808-1-aaa] quit
2. Generate a local RSA key pair.
[~Gateway-CE12808-1] rsa local-key-pair create
The key name will be: netconf-agent_Host
The range of public key size is (512 ~ 2048).
NOTE: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus [default = 512] :
[~Gateway-CE12808-1] commit
After the key pair is generated, run the display rsa local-key-pair public command to
query the public key information about the key pair.
NOTE
The generated key pair is stored on the device and will not be lost after the device restarts.
The rsa local-key-pair create command is not stored in the configuration file.
3. Set the SSH user authentication mode to password.
[~Gateway-CE12808-1] ssh user client@huawei.com authentication-type password
[~Gateway-CE12808-1] commit
4. Set the SSH user service type to SNETCONF.
[~Gateway-CE12808-1] ssh user client@huawei.com service-type snetconf
[~Gateway-CE12808-1] commit
Step 3 Enable the NETCONF function and SNETCONF service. The NETCONF service on the SSH
server will be enabled on a port.
[~Gateway-CE12808-1] snetconf server enable
[~Gateway-CE12808-1] commit
----End
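The NETCONF access path the AC-DCN depends on is only as strong as the pieces configured in Steps 1 to 3: VTY lines that authenticate through AAA and accept SSH only (the NOTE above warns against protocol inbound all), a local user whose password is stored as an irreversible cipher and who is granted the ssh service type, a matching ssh user with an authentication type and the snetconf service, and the SNETCONF server enabled. The Python check below is an added example, not Huawei tooling; it walks a CE-style configuration with prompts left in and reports whichever of those pieces is missing or weakened. The good configuration mirrors the steps above; the weakened one, its user name and the telnet server enable line it contains are constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Strips prompts such as "[~Gateway-CE12808-1-ui-vty0-4] ".
PROMPT = re.compile(r"^\[[*~]?[^\]]*\]\s*")


def audit_netconf_access(text: str) -> List[str]:
    """Check the SSH/NETCONF management path of a CE switch for the AC-DCN."""
    vty: Dict[str, str] = {}
    local_users: Dict[str, Dict] = defaultdict(lambda: {"password": None, "services": set()})
    ssh_users: Dict[str, Dict] = defaultdict(lambda: {"auth": None, "services": set()})
    snetconf_enabled = False
    telnet_server = False
    in_vty = False  # true while inside the "user-interface vty ..." view
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.split("//", 1)[0]).strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "user-interface":
            in_vty = len(tok) > 1 and tok[1] == "vty"
            continue
        if tok[0] == "quit":
            in_vty = False
            continue
        if in_vty:
            if tok[0] == "authentication-mode" and len(tok) > 1:
                vty["authentication-mode"] = tok[1]
            elif tok[:2] == ["protocol", "inbound"] and len(tok) > 2:
                vty["protocol-inbound"] = tok[2]
        elif tok[0] == "local-user" and len(tok) >= 4:
            if tok[2] == "password":
                local_users[tok[1]]["password"] = tok[3]      # storage keyword, not the secret
            elif tok[2] == "service-type":
                local_users[tok[1]]["services"].update(tok[3:])
        elif tok[:2] == ["ssh", "user"] and len(tok) >= 5:
            if tok[3] == "authentication-type":
                ssh_users[tok[2]]["auth"] = tok[4]
            elif tok[3] == "service-type":
                ssh_users[tok[2]]["services"].update(tok[4:])
        elif tok[:3] == ["snetconf", "server", "enable"]:
            snetconf_enabled = True
        elif tok[:3] == ["telnet", "server", "enable"]:
            telnet_server = True

    findings = []
    if vty.get("authentication-mode") != "aaa":
        findings.append(f"vty authentication-mode is {vty.get('authentication-mode')}, expected aaa")
    if vty.get("protocol-inbound") != "ssh":
        findings.append(f"vty protocol inbound is {vty.get('protocol-inbound')}, expected ssh only")
    if telnet_server:
        findings.append("telnet server is enabled alongside SSH")
    if not snetconf_enabled:
        findings.append("snetconf server enable is missing; NETCONF over SSH is not reachable")
    for name, s in ssh_users.items():
        if "snetconf" not in s["services"]:
            continue  # only users on the controller path are checked here
        if s["auth"] is None:
            findings.append(f"ssh user {name}: no authentication-type configured")
        lu = local_users.get(name)
        if lu is None:
            findings.append(f"ssh user {name}: no matching local-user under aaa")
            continue
        if lu["password"] != "irreversible-cipher":
            findings.append(f"local-user {name}: password stored as {lu['password']}, expected irreversible-cipher")
        if "ssh" not in lu["services"]:
            findings.append(f"local-user {name}: service-type ssh not granted")
    return findings


# Constructed from Steps 1 to 3 above.
GOOD_CFG = """
[~Gateway-CE12808-1] user-interface vty 0 4
[~Gateway-CE12808-1-ui-vty0-4] authentication-mode aaa
[~Gateway-CE12808-1-ui-vty0-4] protocol inbound ssh
[~Gateway-CE12808-1-ui-vty0-4] commit
[~Gateway-CE12808-1-ui-vty0-4] quit
[~Gateway-CE12808-1] aaa
[~Gateway-CE12808-1-aaa] local-user client@huawei.com password irreversible-cipher Huawei@123
[~Gateway-CE12808-1-aaa] local-user client@huawei.com service-type ssh
[~Gateway-CE12808-1-aaa] local-user client@huawei.com level 3
[~Gateway-CE12808-1-aaa] commit
[~Gateway-CE12808-1-aaa] quit
[~Gateway-CE12808-1] ssh user client@huawei.com authentication-type password
[~Gateway-CE12808-1] ssh user client@huawei.com service-type snetconf
[~Gateway-CE12808-1] snetconf server enable
"""
# Constructed weakened configuration in running-config layout (no prompts).
WEAK_CFG = """
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
 quit
telnet server enable
aaa
 local-user ops password cipher Secret1
 local-user ops service-type ssh
 quit
ssh user ops service-type snetconf
"""

if __name__ == "__main__":
    print("good:", audit_netconf_access(GOOD_CFG) or "OK")
    print("weak:", *audit_netconf_access(WEAK_CFG), sep="\n  ")
```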
Configuring Firewalls
Configure the following NETCONF parameters on firewalls for interconnection with the AC-DCN.
Parameter                                 Value (Example)   Description
local-user                                netconf-admin     Indicates the SSH user name.
local-user password irreversible-cipher   Huawei@123        Indicates the SSH user authentication password.
Configure FW-USG9650-1 as follows. The configuration on FW-USG9650-2 is similar.
Step 1 Configure access management for the management interface and enable NETCONF.
HRP_M<FW-USG9650-1> system-view
HRP_M[FW-USG9650-1] interface eth-trunk6 //Connect this interface to an interface on a management network, which can be an Eth-Trunk interface or a port.
HRP_M[FW-USG9650-1-Eth-Trunk6] service-manage enable
HRP_M[FW-USG9650-1-Eth-Trunk6] service-manage all permit
HRP_M[FW-USG9650-1-Eth-Trunk6] quit
Step 2 Configure the administrator, service type, level, and authentication mode.
HRP_M[FW-USG9650-1] aaa
HRP_M[FW-USG9650-1-aaa] manager-user netconf-admin
HRP_M[FW-USG9650-1-aaa-manager-user-netconf-admin] password
Enter Password:
Confirm Password:
HRP_M[FW-USG9650-1-aaa-manager-user-netconf-admin] service-type api
HRP_M[FW-USG9650-1-aaa-manager-user-netconf-admin] level 15
HRP_M[FW-USG9650-1-aaa-manager-user-netconf-admin] authentication-scheme admin_local
HRP_M[FW-USG9650-1-aaa-manager-user-netconf-admin] quit
Step 3 Configure the NETCONF interface and enable NETCONF.
HRP_M[FW-USG9650-1] api
HRP_M[FW-USG9650-1-api] api netconf enable
HRP_M[FW-USG9650-1-api] quit
----End
4.2.3.9 Configuring LLDP
Enable Link Layer Discovery Protocol (LLDP) globally on the CE series switches, so that the
AC-DCN can discover links using LLDP.
Configure LLDP on Gateway-CE12808-1 as follows. LLDP configurations on other CE series
switches are similar.
Step 1 Enable LLDP and MAC Address Discovery Neighbor (MDN).
[~Gateway-CE12808-1] lldp enable
[*Gateway-CE12808-1] lldp mdn enable
[*Gateway-CE12808-1] commit
Step 2 Enable LLDP on the servers that connect to TOR switches.
NOTE
Some servers do not support link discovery. Links between these servers and neighbor nodes shall be
manually added to the AC-DCN.
----End
4.2.3.10 Configuring VXLAN
By default, the NVO3 extension function is disabled on CE12800 series switches. If you
configure other ACL-consuming services (such as MQC, simplified ACL, traffic policing, BD
traffic statistics collection, and DHCP) on a device that has been configured with NVO3
services, the other ACL-consuming services may fail to be configured.
You can use one of the following methods to configure an NVO3-enabled device to reduce
service deployment failure risks.
- In the system view of a gateway, run the assign forward nvo3 service extend enable
command to enable the NVO3 extension function. This command can reduce service
deployment failure risks on a gateway if the gateway is not configured with the
following cards: CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA.
NOTE
The assign forward nvo3 service extend enable command is ineffective when the following
cards are configured: CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA.
When this command is executed, packets of 230 bytes to 294 bytes transmitted over NVO3
tunnels from other cards cannot be sent to these cards. The path detection function takes effect on
cards except the following: CE-L48GT-EA, CE-L48GT-EC, CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA.
- In the system view of a gateway, run the assign forward nvo3 acl extend enable
command to enable the NVO3 ACL extension function.
NOTE
You can run the assign forward nvo3 acl extend enable command on the admin-VS only. After
execution, the configuration takes effect for all the VSs.
After running this command on a device, restart the device to make the configuration take effect.
- By default, the enhanced mode of the NVO3 gateway is not configured on a CE12800
series switch and the switch works in loopback mode. That is, the switch first loops back
packets that are encapsulated with the NVO3 header, and then forwards the packets.
When the line card of a gateway forwards packets encapsulated or decapsulated using
VXLAN at Layer 3 at a rate that exceeds 50% of its forwarding performance, packet loss
may occur. To solve this problem, configure the enhanced mode for the NVO3 gateway.
In the system view of an NVO3 gateway, run the assign forward nvo3-gateway
enhanced command to configure the Layer 3 enhanced mode.
NOTE
Before running the assign forward nvo3-gateway enhanced command on a device, run the
assign forward nvo3 service extend enable command to enable the NVO3 extension function.
Ensure that the device is not configured with the following cards: CE-L48GT-EA, CE-L48GT-EC,
CE-L48GS-EA, CE-L48GS-EC, CE-L24XS-BA, CE-L24XS-EA, CE-L48XS-BA, CE-L48XS-EA, and CE-L24LQ-EA. If the device is configured with any of the preceding cards, ensure that
the card does not carry VXLAN services.
If VXLAN services are carried on the CE-L24XS-EC, CE-L48XS-EC, CE-L24LQ-EC, CE-L48XT-EC, CE-L24LQ-EC1, CE-L08CC-EC, CE-L02LQ-EC, or CE-L06LQ-EC card, the device
encapsulates packets in a VXLAN tunnel only based on the host ARP table, and cannot
encapsulate packets in a VXLAN tunnel based on longest-match routes.
Servers are dual homed to access switches using active/standby NICs. A stack needs to be set up
with two access switches. If a server is dual homed to an access switch of an M-LAG, the interface
that connects to the server cannot be an M-LAG member interface.
- The assign forward nvo3 service extend enable command is optional for CE8800/CE7800/
CE6800 series switches.
The assign forward nvo3 service extend enable command is optional for FD/FDA cards.
- Other VXLAN functions are automatically delivered by the AC-DCN, but not manually
configured.
NOTICE
When VMs on a device are online, do not run the commands on the device to modify
configurations delivered by the AC-DCN; otherwise, the VXLAN services cannot run
properly. For example, do not run a command to delete a BD, cancel the mapping
between a VNI and BD, modify a VTEP IP address, or delete a VBDIF interface on a
Layer 3 gateway. Do not change the IP address of a VBDIF interface when the VMs are
online.
4.2.3.11 (Optional) Configuring Load Balancers
Load balancer (LB) vendors complete configurations on the user interfaces of LBs. After the
configuration of an LB is completed, a floating IP address will be generated as planned to
function as the service IP address for external systems. LBs connect to the stack or M-LAG
comprised of the leaf switches through Eth-Trunk interfaces. The LB floating IP address and
the IP addresses of the member servers that process services are on the same subnet, and the
LBs and the member servers use the same VBDIF interface as the gateway.
LB Connects to Downstream Leaf Devices
The LB connects to the stack system or Multichassis Link Aggregation Group (M-LAG)
comprised of the leaf devices through Eth-trunk interfaces. The LB floating IP address is on
the same subnet as the member server that processes services. The LB and this member server
use the same VBDIF interface as the gateway.
NOTE
When a CE12800 gateway uses an EC/ED/EF/EG card to process VXLAN gateway services, LBs
cannot connect to the gateway through a VXLAN Layer 2 sub-interface.
The roadmap of connecting LBs to the M-LAG comprised of Leaf-CE6851HI-3 and Leaf-CE6851HI-4 is as follows:
1. Configure the M-LAG on Leaf-CE6851HI-3 and Leaf-CE6851HI-4 for connection to LB-F5-1 and LB-F5-2.
2. On the Layer 2 sub-interfaces on Leaf-CE6851HI-3 and Leaf-CE6851HI-4, set the access mode to untag, and determine the BD number.
Step 1 Configure the M-LAG interfaces. The DFS group and peer-link configurations of the M-LAG
are globally used, and they have been configured on Leaf-CE6851HI-3 and LeafCE6851HI-4.
[~LEAF-CE6851HI-3] interface eth-trunk 20
//Connect this interface to LB-F5-1.
[*LEAF-CE6851HI-3-Eth-Trunk20] mode lacp-static
[*LEAF-CE6851HI-3-Eth-Trunk20] trunkport 10ge 1/0/47
[*LEAF-CE6851HI-3-Eth-Trunk20] dfs-group 1 m-lag 50
[*LEAF-CE6851HI-3-Eth-Trunk20] quit
[*LEAF-CE6851HI-3] interface eth-trunk 30 //Connect this interface to LB-F5-2.
[*LEAF-CE6851HI-3-Eth-Trunk30] mode lacp-static
[*LEAF-CE6851HI-3-Eth-Trunk30] trunkport 10ge 1/0/48
[*LEAF-CE6851HI-3-Eth-Trunk30] dfs-group 1 m-lag 51
[*LEAF-CE6851HI-3-Eth-Trunk30] quit
[*LEAF-CE6851HI-3] commit
[~LEAF-CE6851HI-4] interface eth-trunk 20 //Connect this interface to LB-F5-1.
[*LEAF-CE6851HI-4-Eth-Trunk20] mode lacp-static
[*LEAF-CE6851HI-4-Eth-Trunk20] port link-type trunk
[*LEAF-CE6851HI-4-Eth-Trunk20] trunkport 10ge 1/0/47
[*LEAF-CE6851HI-4-Eth-Trunk20] dfs-group 1 m-lag 50
[*LEAF-CE6851HI-4-Eth-Trunk20] quit
[*LEAF-CE6851HI-4] interface eth-trunk 30 //Connect this interface to LB-F5-2.
[*LEAF-CE6851HI-4-Eth-Trunk30] mode lacp-static
[*LEAF-CE6851HI-4-Eth-Trunk30] port link-type trunk
[*LEAF-CE6851HI-4-Eth-Trunk30] trunkport 10ge 1/0/48
[*LEAF-CE6851HI-4-Eth-Trunk30] dfs-group 1 m-lag 51
[*LEAF-CE6851HI-4-Eth-Trunk30] quit
[*LEAF-CE6851HI-4] commit
Step 2 Configure access interfaces. After the AC-DCN delivers services to Leaf-CE6851HI-3 and Leaf-CE6851HI-4, the BD that the AC-DCN assigns to member servers that process services can be determined. Configure access interfaces only after the BD is determined (for example, BD 2000).
[~LEAF-CE6851HI-3] interface Eth-Trunk20.1 mode l2
[~LEAF-CE6851HI-3-Eth-Trunk20.1] encapsulation untag
[~LEAF-CE6851HI-3-Eth-Trunk20.1] bridge-domain 2000
[~LEAF-CE6851HI-3-Eth-Trunk20.1] commit
[~LEAF-CE6851HI-3] interface Eth-Trunk30.1 mode l2
[~LEAF-CE6851HI-3-Eth-Trunk30.1] encapsulation untag
[~LEAF-CE6851HI-3-Eth-Trunk30.1] bridge-domain 2000
[~LEAF-CE6851HI-3-Eth-Trunk30.1] commit
[~LEAF-CE6851HI-4] interface Eth-Trunk20.1 mode l2
[~LEAF-CE6851HI-4-Eth-Trunk20.1] encapsulation untag
[~LEAF-CE6851HI-4-Eth-Trunk20.1] bridge-domain 2000
[~LEAF-CE6851HI-4-Eth-Trunk20.1] commit
[~LEAF-CE6851HI-4] interface Eth-Trunk30.1 mode l2
[~LEAF-CE6851HI-4-Eth-Trunk30.1] encapsulation untag
[~LEAF-CE6851HI-4-Eth-Trunk30.1] bridge-domain 2000
[~LEAF-CE6851HI-4-Eth-Trunk30.1] commit
NOTE
LBs and member servers that process services use the same VBDIF interface as the gateway. The AC-DCN automatically delivers configurations of the gateway.
----End
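A pre-commit consistency check for the M-LAG and access-interface configuration in Step 1 and Step 2 above, added here as an example; it is not part of the Huawei document or of the AC-DCN. It parses CE-series CLI transcripts pasted from the two leaf switches and reports every Eth-Trunk whose dfs-group/m-lag pairing or sub-interface bridge domain differs between the two peers, which is the mismatch that silently breaks an M-LAG attached LB. The transcript below is constructed from the page's commands, with one m-lag ID and one BD on Leaf-CE6851HI-4 deliberately mis-typed.

```python
"""Check that two M-LAG peers carry matching Eth-Trunk / m-lag / BD settings."""
import re
from collections import defaultdict

# Constructed sample transcript (page commands, with two deliberate errors on Leaf-4).
SAMPLE = """
[~LEAF-CE6851HI-3] interface eth-trunk 20 //Connect this interface to LB-F5-1.
[*LEAF-CE6851HI-3-Eth-Trunk20] mode lacp-static
[*LEAF-CE6851HI-3-Eth-Trunk20] dfs-group 1 m-lag 50 //pair with LB-F5-1
[*LEAF-CE6851HI-3] interface eth-trunk 30
[*LEAF-CE6851HI-3-Eth-Trunk30] dfs-group 1 m-lag 51
[~LEAF-CE6851HI-3] interface Eth-Trunk20.1 mode l2
[~LEAF-CE6851HI-3-Eth-Trunk20.1] bridge-domain 2000
[~LEAF-CE6851HI-3] interface Eth-Trunk30.1 mode l2
[~LEAF-CE6851HI-3-Eth-Trunk30.1] bridge-domain 2000
[~LEAF-CE6851HI-4] interface eth-trunk 20
[*LEAF-CE6851HI-4-Eth-Trunk20] dfs-group 1 m-lag 50
[*LEAF-CE6851HI-4] interface eth-trunk 30
[*LEAF-CE6851HI-4-Eth-Trunk30] dfs-group 1 m-lag 52
[~LEAF-CE6851HI-4] interface Eth-Trunk20.1 mode l2
[~LEAF-CE6851HI-4-Eth-Trunk20.1] bridge-domain 2000
[~LEAF-CE6851HI-4] interface Eth-Trunk30.1 mode l2
[~LEAF-CE6851HI-4-Eth-Trunk30.1] bridge-domain 2001
"""

# "[~DEVICE-VIEW] command" or "[*DEVICE-VIEW] command" (~ = committed, * = pending).
PROMPT_RE = re.compile(r"^\[[~*](?P<prompt>[^\]]+)\]\s*(?P<cmd>.*)$")
# Trailing interface view on the prompt, e.g. "-Eth-Trunk20" or "-Eth-Trunk20.1".
VIEW_RE = re.compile(r"-(?P<view>Eth-Trunk\d+(?:\.\d+)?)$", re.IGNORECASE)
MLAG_RE = re.compile(r"^dfs-group\s+(\d+)\s+m-lag\s+(\d+)$", re.IGNORECASE)
BD_RE = re.compile(r"^bridge-domain\s+(\d+)$", re.IGNORECASE)


def parse_transcript(text):
    """Return {device: {"mlag": {trunk: (dfs_group, mlag_id)}, "bd": {subif: bd}}}."""
    devices = defaultdict(lambda: {"mlag": {}, "bd": {}})
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        prompt = m.group("prompt")
        cmd = m.group("cmd").split("//")[0].strip()  # drop inline //comments
        v = VIEW_RE.search(prompt)
        if not v:
            continue  # system-view line (interface ..., commit, quit): nothing to record
        device = prompt[: v.start()]
        view = v.group("view").lower()
        mm = MLAG_RE.match(cmd)
        bm = BD_RE.match(cmd)
        if mm:
            devices[device]["mlag"][view] = (int(mm.group(1)), int(mm.group(2)))
        elif bm:
            devices[device]["bd"][view] = int(bm.group(1))
    return dict(devices)


def find_mismatches(parsed, peer_a, peer_b):
    """Compare the two M-LAG peers; return human-readable findings (empty = consistent)."""
    findings = []
    for kind in ("mlag", "bd"):
        a = parsed.get(peer_a, {"mlag": {}, "bd": {}})[kind]
        b = parsed.get(peer_b, {"mlag": {}, "bd": {}})[kind]
        for key in sorted(set(a) | set(b)):
            if a.get(key) != b.get(key):
                findings.append(f"{kind} {key}: {peer_a}={a.get(key)} {peer_b}={b.get(key)}")
    return findings


if __name__ == "__main__":
    for line in find_mismatches(parse_transcript(SAMPLE), "LEAF-CE6851HI-3", "LEAF-CE6851HI-4"):
        print(line)
```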
4.2.4 Installing the AC-DCN
Perform the following operations to install the AC-DCN.
Step 1 Configure a RAID.
RAID configurations must be completed before the operating system is installed. A RAID is
configured to ensure hard disk reliability.
For details on how to configure a RAID, access Agile Controller-DCN Product
Documentation and choose Installation and Underlay Network Configuration > Software
Installation > Configuring a RAID.
Step 2 Install the operating system. You are advised to use the system image provided by the AC-DCN to install the operating system.
For details on how to install the operating system, access Agile Controller-DCN Product
Documentation and choose Installation and Underlay Network Configuration > Software
Installation > Installing the Operating System (Using the ISO Images Provided by the
AC-DCN).
Step 3 Configure NICs. Based on the planned NIC working mode, bond NICs, specify IP addresses,
subnet masks, and gateways for the bonded NICs, and configure the working mode of the
physical NICs. After the configuration takes effect, the AC-DCN can connect to the network.
For details on how to configure the server NICs, access Agile Controller-DCN Product
Documentation and choose FAQ > AC-DCN Installation > Server > How Do I Configure
NIC Binding and Networks on a Page for SUSE11 SP3.
Step 4 Install the AC-DCN. Use iDeploy to install the AC-DCN installation and configuration
packages.
For details on how to install the AC-DCN, access Agile Controller-DCN Product
Documentation and choose Installation and Underlay Network Configuration > Software
Installation > Installing the AC-DCN.
----End
4.2.5 Pre-configuring the AC-DCN
4.2.5.1 Logging In to the AC-DCN
Start a web browser on a client, log in to the AC-DCN, and perform configurations. Ensure
that at least one of the following browsers is installed on the client.
- Internet Explorer 11
- Google Chrome 29
- Mozilla Firefox 22
Step 1 Start a web browser, enter https://x.x.x.x:18002 in the address box, and press Enter. If a
security warning page is displayed, select trust and continue.
x.x.x.x indicates the IP address of the northbound proxy (Nginx server) or the floating IP
address of the northbound proxy in a cluster.
Step 2 On the login page, enter the default administrator name admin and default password
Changeme123, and click GO.
Step 3 After logging in to the system, change the password as prompted.
Step 4 After the password is changed, the login page will be displayed in 5 seconds. Use the new
password to re-log in to the AC-DCN.
----End
4.2.5.2 Applying For and Loading a License File
Step 1 Choose System > License Management > License Information, click Get ESN, and copy
the ESN in the Get ESN dialog box.
Step 2 Click Confirm.
Step 3 Apply for and download a license file using the ESN.
Apply for a license file on Huawei Electronic Software Delivery Platform (ESDP). The
platform address is http://app.huawei.com/isdp/. For details on how to apply for a license
file, click Help on the webpage. (You need to obtain the project contract number in advance.)
Step 4 Choose System > License Management > License Information and click Upload.
Step 5 Click Browse to upload the license file to the client.
Step 6 Click Confirm. After the license file is successfully uploaded, the license status and license
resource control information are displayed.
----End
4.2.5.3 Discovering Network Devices
The AC-DCN discovers network devices and then manages the devices. The prerequisites of
configuring the AC-DCN to discover network devices are as follows:
- The AC-DCN can properly communicate with network devices.
- SNMP parameters have been configured on network devices. For details, see section Configuring SNMP.
Step 1 Choose Network > Physical Resource > Network Device.
Step 2 Click Automatic Discovery, enter the device management IP address range, and configure
SNMP v3 parameters the same as those configured on the network devices.
Step 3 Click Start. When the AC-DCN successfully discovers a device, it displays a discovery
success message, and information about the discovered device is displayed in the device list.
Step 4 Click Finish.
Step 5 Configure the AC-DCN to discover devices on other network segments in the same manner.
----End
4.2.5.4 Creating and Configuring a POD
A POD is the basic physical network unit of a data center. A physical device cannot be added
to different PODs. A data center can consist of multiple PODs. The computing and storage
resources of each POD can be allocated to tenants or projects.
The prerequisites of performing the operations are as follows:
- NETCONF parameters have been pre-configured on network devices. For details, see section Configuring NETCONF.
- The AC-DCN has discovered related network devices.
Step 1 Choose Network > POD Management > POD. The POD management page is displayed.
Step 2 Click the create icon in the navigation tree on the left, and configure a POD name and attributes.
NOTE
To check the description of a parameter on the Create POD page, move the cursor to the question mark
(?) on the right of the parameter or over the parameter button.
You are advised to set ARP broadcast suppression to No.
Step 3 Click Create to add network devices.
Step 4 Click Add Device, enter IP addresses in Start IP address and End IP address, and click
Search. Select the network devices to be added to the POD, and click Add to POD.
Step 5 Click Next. The devices are added to the POD.
NOTE
- A device can be added to one POD only.
- Before transferring a device from a POD to another POD, delete the device from the POD to which it currently belongs.
Step 6 Configure NETCONF parameters to enable the AC-DCN to deliver network service
configurations to devices using NETCONF.
1. Choose Connection Parameters > NETCONF, and configure the parameters the same as the NETCONF parameters configured on the devices.
2. Click Check Connection to check NETCONF connections between the AC-DCN and the devices.
3. Click Next and then click Confirm.
NOTE
The default NETCONF port number of CE series switches is 22, and that of firewalls is 830.
Therefore, CE series switches and firewalls cannot be discovered simultaneously. To establish
NETCONF connections between the AC-DCN and the firewalls, perform the following
operations.
4. Access the POD page, click the Device tab, and click Firewall. Click Netconf under Operation of the firewall of which NETCONF parameters need to be configured.
5. In the Netconf Configure dialog box that is displayed, enter the pre-configured authentication mode, user name, and password, set Port to 830, and click Check Connection.
6. Click Confirm Update.
----End
4.2.5.5 Discovering and Adding Links
After links are discovered and added, the AC-DCN displays a topology of links between
devices. Link status and details about the links can be checked. Links can be automatically
discovered and manually created.
- Automatic discovery: The AC-DCN automatically discovers links between CE series switches.
- Manual creation: The AC-DCN cannot automatically discover links between gateways and firewalls using LLDP. You need to create the links manually.
Step 1 The AC-DCN automatically discovers links.
1. Choose Network > Link Management > Link List.
2. Click Link Discover, select devices, set LLDP Enable to ON, and click Find.
   The AC-DCN automatically discovers links between the devices and displays each link it discovers.
Step 2 Create links manually.
1. Choose Network > Link Management > Link List.
2. Click Create, set Type to Layer 2 Link, and configure other parameters.
NOTE
To add a link, add the physical link. When the AC-DCN automatically discovers links, it detects the relationship between an Eth-Trunk and the corresponding physical link. After a physical link is added, the AC-DCN automatically associates the port of the physical link with the correct Eth-Trunk and directly delivers configurations through the Eth-Trunk.
----End
4.2.5.6 Defining Network Device Roles
Define roles of network devices on the AC-DCN, such as access switch, aggregation switch,
and gateway, so that the AC-DCN can identify the devices.
You can specify a role for a device in a POD using either of the following methods:
- (Recommended) On the TOPO page of the POD, right-click the device to be configured and specify a role for the device.
  For example, right-click Spine-CE12804-1 and click Set as AGG.
- On the Device page of the POD, select Physical Network Device and define roles of devices in the physical network device list.
  For example, select Spine-CE12804-1, click Set as AGG, and then click Save the Configuration.
4.2.5.7 Configuring an Access Switch Group, Gateway Group, and Firewall
Group
On an underlay network, if gateways and access switches work in dual-active mode (for
example, M-LAG), configure a gateway group and access switch group. If the devices work
in stacking mode, the groups are not required.
If firewalls work in active/standby mode, configure a firewall group.
Step 1 Configure an access switch group.
1. Choose Network > POD Management > POD and click the Device tab.
2. Click Switch and click the TOR tab.
3. Select the switches to be added to an all-active access switch group, click Add To Group, and enter information about the group.
   Set IP to the NVE IP address of the group. After the configuration, the two switches have the same NVE IP address.
Step 2 Configure a gateway group.
1. Choose Network > POD Management > POD and click the Device tab.
2. On the Device tab page, click Gateway.
3. Select the switches to be added to an all-active gateway group, click Add To Group, and enter the group name, VTEP IP address, and virtual MAC address.
NOTE
The virtual MAC address of a gateway group cannot be the same as that of a firewall group. In this
document, the VRRP VRID of firewalls is set to 1, so that the virtual MAC address of the
firewalls is 0000-5e00-0101. The MAC address of centralized all-active gateways can be set to
0000-5e00-0100 (MAC addresses of CE series switches range from 0000-5e00-0100 to
0000-5e00-01ff).
Step 3 Configure a firewall group.
1. Choose Network > POD Management > POD and click the Device tab.
2. On the Device tab page, click Firewall.
3. Select two firewalls, click Add To Group, and enter the group name.
4. Click Confirm.
----End
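The NOTE under Step 2 above warns that a gateway group's virtual MAC must not collide with a firewall group's VRRP virtual MAC. The check below is an added example, not part of the document or the AC-DCN: it derives each firewall group's virtual MAC from its VRRP VRID (0000-5e00-01xx, xx being the VRID in hex, as the note shows for VRID 1) and verifies that the planned gateway-group MAC lies in the CE range 0000-5e00-0100 to 0000-5e00-01ff and matches none of them.

```python
"""Virtual MAC collision check: centralized gateway group vs. firewall VRRP groups."""
import re

# Range stated in the document for CE series switches (as integers).
CE_VMAC_RANGE = (0x00005E000100, 0x00005E0001FF)
_MAC_RE = re.compile(r"^([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})$", re.IGNORECASE)


def mac_to_int(mac):
    """Parse Huawei-style xxxx-xxxx-xxxx notation into an integer."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a xxxx-xxxx-xxxx MAC address: {mac!r}")
    return int("".join(m.groups()), 16)


def int_to_mac(value):
    """Format an integer as xxxx-xxxx-xxxx (lower-case hex)."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def vrrp_virtual_mac(vrid):
    """VRRP virtual MAC 0000-5e00-01xx for an IPv4 VRID in 1-255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return int_to_mac(0x00005E000100 | vrid)


def check_gateway_group_mac(gateway_mac, firewall_vrids):
    """Return a list of problems; an empty list means the gateway-group MAC is safe."""
    problems = []
    value = mac_to_int(gateway_mac)
    lo, hi = CE_VMAC_RANGE
    if not lo <= value <= hi:
        problems.append(
            f"{gateway_mac} is outside the CE range {int_to_mac(lo)} to {int_to_mac(hi)}"
        )
    for vrid in firewall_vrids:
        fw_mac = vrrp_virtual_mac(vrid)
        if mac_to_int(fw_mac) == value:
            problems.append(f"{gateway_mac} collides with firewall VRRP VRID {vrid} ({fw_mac})")
    return problems


if __name__ == "__main__":
    # The document's own values: firewall VRID 1, gateway group MAC 0000-5e00-0100.
    print(vrrp_virtual_mac(1))                              # 0000-5e00-0101
    print(check_gateway_group_mac("0000-5e00-0100", [1]))   # []
```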
4.2.5.8 Adding LBs and Links
After adding LBs and links to the AC-DCN, you can check status and links of the LBs on the
TOPO page of the AC-DCN. The AC-DCN does not manage LBs, and does not deliver
configurations to LBs.
Step 1 Add LBs.
1. Choose Network > POD Management > POD and click the Device tab.
2. Click the LB icon and then click Add.
3. In the Add window that is displayed, configure the name and IP address of the LB to be added.
   – Device Name: Use the value of self.agent_host of an F5 agent, but not the actual device name. By default, this parameter is set to F5LBAAS.
   – Device IP: Set the value to the IP address of F5 for connecting to the cloud platform.
4. After the LB is successfully added to the AC-DCN, the number 2 is displayed next to the LB icon.
Step 2 Add links for the LB.
1. Choose Network > Link Management > Link List and click Create.
2. Create links between the LB and gateways manually.
   After the links are successfully created, choose Network > POD Management > POD and check the LBs and links displayed on the TOPO tab page.
----End
4.2.5.9 Configuring NVE Nodes
Checking NVE Node Information
If NVE information has been configured on the VTEP devices using basic underlay network
configuration commands, you do not need to configure the NVE information on the AC-DCN
again. You only need to check whether the VTEP IP address on the AC-DCN is the same as
the manually configured address.
Step 1 Choose Network > POD Management > POD.
Step 2 On the Device tab page, select NVE.
Step 3 Select a device, click Read Device VTEP IP, and check whether the obtained VTEP IP
address is the same as the existing VTEP IP address on the AC-DCN.
- If so, the information is correct.
- If not, click Set, enter the obtained VTEP IP address, and click Confirm.
----End
Configuring NVE Node Information
If NVE information is not configured on the VTEP devices, configure the NVE nodes using
the following method. If NVE information has been configured, skip steps in this section.
Step 1 Choose Network > POD Management > POD.
Step 2 On the Device tab page, select NVE.
Step 3 Add or import NVE nodes using either of the following methods.
- Manually add nodes.
  1. Select an NVE node to be added, and click Add NVE.
     For example, select Leaf-CE6851HI-1, and set Management IP to 11.1.1.100 and VTEP IP to 11.1.1.1.
  2. Click Confirm.
  3. Click Set Device VTEP IP.
  4. Configure NVE information for other NVE nodes in the POD in the same manner.
  5. After the configuration is completed, click Read Device VTEP IP and check whether the current configuration is the same as the planned configuration.
- Import NVE nodes in batches.
  1. Click Export to download an NVE template table.
  2. Set parameters in the table. The following table is used as an example.

     | Device Name | Node Type (TOR, GW or VSWITCH) | IP Address | VTEP IP Address (AC) | VTEP IP Address (Device) | Gateway IP Address (Necessary Only When Node Type Is VSWITCH) | Mask (Necessary Only When Node Type Is VSWITCH) (1-31) |
     |---|---|---|---|---|---|---|
     | Leaf-CE6851HI-1 and Leaf-CE6851HI-2 | TOR | 100.125.94.2 | 11.11.11.11 | 11.11.11.11 | - | - |

  3. Click Import to upload the configured NVE template table to the AC-DCN.
----End
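Before clicking Import, it is worth validating the filled-in NVE template against the rules this section states: a node type of TOR, GW or VSWITCH; the VTEP IP recorded on the AC equal to the one on the device (the same check Read Device VTEP IP performs); gateway address and mask present only for VSWITCH nodes, with the mask in 1-31; and no two rows sharing a management IP. The validator below is an added example, not the AC-DCN's import logic; it assumes the template is exported as CSV with the seven column headings shown above, and its sample rows are constructed (the page's row plus one vSwitch row and two deliberately faulty rows).

```python
"""Validate NVE template rows (CSV) before importing them into the AC-DCN."""
import csv
import io
import ipaddress

COLUMNS = ["Device Name", "Node Type", "IP Address", "VTEP IP Address (AC)",
           "VTEP IP Address (Device)", "Gateway IP Address", "Mask"]
NODE_TYPES = {"TOR", "GW", "VSWITCH"}

# Constructed sample: page row, a valid vSwitch row, then two rows with errors.
SAMPLE_CSV = """Device Name,Node Type,IP Address,VTEP IP Address (AC),VTEP IP Address (Device),Gateway IP Address,Mask
Leaf-CE6851HI-1 and Leaf-CE6851HI-2,TOR,100.125.94.2,11.11.11.11,11.11.11.11,-,-
vswitch-host-01,VSWITCH,100.125.94.50,11.11.11.50,11.11.11.50,11.11.11.254,24
Leaf-CE6851HI-3,TOR,100.125.94.3,11.11.11.13,11.11.11.31,-,-
Leaf-CE6851HI-4,tor,100.125.94.3,11.11.11.14,11.11.11.14,11.11.11.254,32
"""


def _cell(row, col):
    """Cell text with surrounding whitespace removed ('' if the column is absent)."""
    return (row.get(col) or "").strip()


def _ip(value):
    """IPv4Address for a valid dotted quad, else None."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None


def validate_nve_rows(rows):
    """Return (device name, problem) tuples; an empty list means the table is importable."""
    problems = []
    seen_mgmt = {}  # management IP -> first device name that used it
    for row in rows:
        name = _cell(row, "Device Name") or "<unnamed>"
        ntype = _cell(row, "Node Type")
        if ntype not in NODE_TYPES:
            problems.append((name, f"node type must be one of {sorted(NODE_TYPES)}, got {ntype!r}"))
        mgmt = _ip(_cell(row, "IP Address"))
        if mgmt is None:
            problems.append((name, "management IP address is not a valid IPv4 address"))
        elif mgmt in seen_mgmt:
            problems.append((name, f"management IP {mgmt} already used by {seen_mgmt[mgmt]}"))
        else:
            seen_mgmt[mgmt] = name
        vtep_ac = _ip(_cell(row, "VTEP IP Address (AC)"))
        vtep_dev = _ip(_cell(row, "VTEP IP Address (Device)"))
        if vtep_ac is None or vtep_dev is None:
            problems.append((name, "both VTEP IP columns must hold valid IPv4 addresses"))
        elif vtep_ac != vtep_dev:
            problems.append((name, f"VTEP IP on AC ({vtep_ac}) differs from device ({vtep_dev})"))
        gw = _cell(row, "Gateway IP Address")
        mask = _cell(row, "Mask")
        if ntype == "VSWITCH":
            if _ip(gw) is None:
                problems.append((name, "VSWITCH node needs a gateway IP address"))
            if not (mask.isdigit() and 1 <= int(mask) <= 31):
                problems.append((name, "VSWITCH node needs a mask between 1 and 31"))
        elif gw not in ("", "-") or mask not in ("", "-"):
            problems.append((name, "gateway and mask apply only to VSWITCH nodes"))
    return problems


def validate_nve_csv(text):
    """Parse CSV text with the template headings and validate its rows."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"template is missing columns: {missing}")
    return validate_nve_rows(reader)


if __name__ == "__main__":
    for device, problem in validate_nve_csv(SAMPLE_CSV):
        print(f"{device}: {problem}")
```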
4.2.5.10 Configuring Internal and External Links Between Firewalls and
Gateways
When firewalls are connected to gateways in bypass mode, specify internal and external links
between the firewalls and gateways.
- Internal link: carries traffic from a tenant VRF (on a gateway) to a tenant virtual firewall (VSYS).
- External link: carries traffic from the root firewall to the root VRF (on a gateway).
Physical Link Used as Internal and External Links
When one physical link is used as the internal and external links between the firewalls and
gateways, configure the AC-DCN to automatically deliver configurations of the internal and
external links.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the TOPO tab page of the POD.
Step 3 Set Auto to ON under GW and FW link configuration in the lower right corner.
----End
Independent Physical Links Used as Internal and External Links
When independent physical links are used as internal and external links between the firewalls
and gateways, specify the internal and external links on the AC-DCN.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the TOPO tab page of the POD.
Step 3 Set Auto to OFF under GW and FW link configuration in the lower right corner.
Step 4 On the topology, right-click a link between a firewall and gateway and set the link to internal
link or external link as required.
NOTE
If firewalls are connected to gateways in in-line mode, configure all links between the firewalls and
gateways (excluding the management link) as internal links.
----End
4.2.5.11 Configuring Resources for Interface Interconnection
The AC-DCN delivers configurations of interface interconnections and routing between
firewalls and gateways as well as LBs and gateways. This section describes how to configure
ranges of the VLANs and network segments that are used for the interconnections.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Choose Global Configuration > Port Interconnection Resources. Reserve VLANs and IP
addresses for the interfaces on the gateways, firewalls, and LBs.
1. Enter the range of VLANs that are used for interconnections in VLAN, and click the icon next to the field.
2. Enter the range of IP addresses that are used for interconnections in IP address section, and click the icon next to the field.
3. Click Apply.
----End
4.2.5.12 Configuring Available VNI, VLAN, and BD Ranges
VMs or physical servers connect to a VXLAN network through VTEP interfaces. When
packets from a server reach a VTEP interface, the VLAN tagged or untagged packets are
mapped to a VNI through a BD, so that the VTEP can encapsulate correct VXLAN frames.
The mapping configurations on VTEP interfaces are delivered by the AC-DCN. This section
describes how to configure available VNI, VLAN, and BD ranges for the AC-DCN to deliver
mapping configurations.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Choose Global Configuration > Configure VNI/VLAN/BD.
- If the AC-DCN interconnects with FusionSphere OpenStack, only VLAN and BD ranges need to be configured. Select Deliver VNI.
- If the AC-DCN interconnects with an open-source OpenStack, only VNI and BD ranges need to be configured. Select Deliver VLAN.
----End
4.2.5.13 Configuring a PXE Network
When bare metal servers are planned for the network, you need to configure a Preboot
Execution Environment (PXE) network to connect the bare metal servers to the DCN.
Step 1 Choose Network > POD Management > POD. In the POD list that is displayed, select a
specified POD to access the POD management page.
Step 2 On the Global Configuration tab page, select PXE Network and configure the VLAN and
VNI of the PXE network.
The configuration of the VNI must be consistent with that of the PXE network on the PXE
server.
Step 3 Enter the VNI and click Create. Select interfaces on the access switches to connect to the
bare metal servers and click OK.
----End
4.2.6 Interconnecting the AC-DCN with FusionSphere OpenStack
When the AC-DCN is interconnected with FusionSphere OpenStack, the AC-DCN delivers
Layer 2 Bridge (L2BR) port group configurations to create a VXLAN management network.
Install interconnection plug-ins on the AC-DCN and FusionSphere OpenStack, and create a
northbound interface operator to connect the two platforms.
4.2.6.1 Creating a Management Network for FusionSphere
Generally, the interconnection between the AC-DCN and FusionSphere OpenStack uses the
in-band management mode. That is, the AC-DCN delivers L2BR port group configurations to
create a management network for FusionSphere OpenStack.
The AC-DCN accesses the network through VLANs, and creates Layer 3 VLANIF interfaces
on TOR switches or gateways to add the management network segments of the AC-DCN and
FusionSphere OpenStack to routing domains, so that the routes between the management
planes of the AC-DCN and FusionSphere OpenStack can be enabled.
Further, the AC-DCN delivers L2BR port group configurations to connect to the management
networks of all nodes on FusionSphere OpenStack. The following table lists an example of
network plane planning (IT product line planning) for FusionSphere OpenStack.
| L2BR Port Group Name | Type and Name | Access Type | VNI | VLAN | Gateway Type | Gateway Address |
|---|---|---|---|---|---|---|
| Fsp | External_OM | dot1q | 29901 | 1998 | Single-node | 10.100.2.254/24 |
| Fsp | External_API | dot1q | 29900 | 1999 | Single-node | 10.100.1.254/24 |
| Fsp | Internal_base | Untag | 29902 | NA | NA | NA |
Step 1 Choose Network > POD Management > POD. In the POD list, select a specified POD to
access the POD management page.
Step 2 On the Service Configuration tab page, select L2BR Port Group, and click Create to create
an L2BR port group.
Step 3 On the Set Basic Information page, enter the L2BR port group name and description, and
click Next.
Step 4 On the Select Port page, select the interfaces for connecting FusionSphere nodes to TOR
switches, and click Next.
Step 5 On the VXLAN page, click Create. Configure VXLAN information, and click Next.
NOTE
The VLAN ID must be within the range specified in section 4.2.5.12 Configuring Available VNI, VLAN, and BD Ranges.
Step 6 Click Finish.
Step 7 On the gateways, advertise the management network segments of FusionSphere OpenStack in
the routing protocol.
[~Gateway-CE12808-1] BGP 65000
[*Gateway-CE12808-1-bgp] ipv4-family unicast
[*Gateway-CE12808-1-bgp-af-ipv4] network 10.100.1.0 255.255.255.0
[*Gateway-CE12808-1-bgp-af-ipv4] network 10.100.2.0 255.255.255.0
[*Gateway-CE12808-1-bgp-af-ipv4] quit
[*Gateway-CE12808-1-bgp] quit
[*Gateway-CE12808-1] commit
[~Gateway-CE12808-2] BGP 65001
[*Gateway-CE12808-2-bgp] ipv4-family unicast
[*Gateway-CE12808-2-bgp-af-ipv4] network 10.100.1.0 255.255.255.0
[*Gateway-CE12808-2-bgp-af-ipv4] network 10.100.2.0 255.255.255.0
[*Gateway-CE12808-2-bgp-af-ipv4] quit
[*Gateway-CE12808-2-bgp] quit
[*Gateway-CE12808-2] commit
----End
4.2.6.2 Installing and Configuring FusionSphere OpenStack
Huawei IT engineers install and configure FusionSphere OpenStack.
For details on how to install and configure FusionSphere OpenStack, see "Installation and
Configuration" in FusionSphere Product Documentation (Cloud Data Center).
4.2.6.3 Installing Interconnection Plug-ins
Install plug-ins on the AC-DCN and FusionSphere OpenStack for interconnection.
Information about the plug-ins is as follows:
| Installation End | Plug-in Category | Plug-in Name (Example) | Plug-in Release Source |
|---|---|---|---|
| AC-DCN | eSDK plug-in for interconnection with FusionSphere | hw_plugin_ac.zip | AC-DCN |
| FusionSphere OpenStack | Layer 2 service package | ACMECHANISMDRIVERV100R006C00RC3.tar.gz | FusionSphere |
| FusionSphere OpenStack | Layer 3 service package | ACROUTERAGENTV100R006C00RC3.tar.gz | FusionSphere |
| FusionSphere OpenStack | Layer 4 to Layer 7 service package | NEUTRONACPLUGINV100R001C00B752.tar.gz | AC-DCN |
Step 1 Install the plug-in on the AC-DCN.
For details, access Agile Controller-DCN Product Documentation and choose Installation
and Underlay Network Configuration > Software Installation > Installing Plug-ins >
Network Service Provisioning Collaborating with the FusionSphere > Installing Plug-ins
on the AC-DCN.
Step 2 Install plug-ins on FusionSphere.
For details, access FusionSphere Product Documentation (Cloud Data Center) and choose
Software Installation Guide > Installation and Configuration > (Optional) Configuring
Connection Between FusionSphere OpenStack and an Agile Controller.
Step 3 Verify the connection. On the FusionSphere OpenStack host, run the neutron net-create XXX command to create a network.
XXX indicates a user-defined network name.
If the following command output is displayed, the network is successfully created. The AC-DCN and FusionSphere are connected.
----End
4.2.6.4 Creating a Northbound Interface Operator
A northbound interface operator configures the interconnection between the AC-DCN and
FusionSphere OpenStack. The user name and password of the northbound interface operator
must be configured the same on the AC-DCN and FusionSphere OpenStack.
Step 1 Log in to the AC-DCN using the admin account, and choose System > Administrator >
Administrator.
Step 2 Click Create and configure basic information about the northbound interface operator.
Step 3 Enter a user name (fsp@huawei.com is recommended) and password.
NOTE
The user name of the northbound interface operator must be the same as the value of ac_username that is configured on FusionSphere for interconnection with the AC-DCN.
The password cannot be the same as the planned final password. The system will ask you to change the password, as described in Step 8.
Step 4 Select Northbound Interface Operator from the Role drop-down list box.
Step 5 Click Confirm.
Step 6 Click the logout icon in the upper right corner of the page to log out of the current account.
Step 7 Re-log in to the AC-DCN as the northbound interface operator.
Step 8 Change the password to a new value (for example, Huawei@123) as prompted.
NOTE
The new password must be the same as the value of ac_password that is configured on FusionSphere for interconnection with the AC-DCN.
Step 9 After the password is changed, the login page will be displayed in 5 seconds. Use the new
password to re-log in to the AC-DCN as the northbound interface operator to check whether
the password is correct.
If the following dialog box is displayed, the northbound interface operator is successfully
created, and the password is changed.
----End
4.2.6.5 Configuring a Cloud Platform
Create a cloud platform on the AC-DCN and configure information about the cloud platform
to be connected.
Step 1 Choose System > System Settings > Cloud Platform and click Create.
Step 2 Configure parameters for connecting to the cloud platform.
- Agent Name: Name of the physical network of FusionSphere. By default, the parameter is set to physnet1. Set the parameter to the value of ac_service_name that is configured on the cloud platform. To check this value, log in to the FusionSphere OpenStack web client, and choose Configuration > Network > Configure Physical Network.
- Account: User name of the northbound interface operator, for example, fsp@huawei.com.
- Driver Plug-in IP and Cloud Platform IP: These two parameters can be set to the reverse proxy IP address of the cloud platform.
----End
4.2.6.6 Binding the Cloud Platform to a POD
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Access the Global Configuration tab page. Under Connect to Cloud Platform, select the
agent name of the cloud platform and click Apply.
----End
4.2.6.7 Adding Servers to the POD
After installing and deploying FusionSphere and FusionCompute, enable LLDP on all FusionSphere nodes, CNA nodes, and virtualization platform servers. The AC-DCN then rediscovers the links between access switches and servers and adds the discovered servers to the POD.
- After installing FusionSphere, enable LLDP on all FusionSphere nodes so that the AC-DCN can automatically rediscover the links.
- For physical servers and other servers on which LLDP is disabled, associate them with the corresponding TOR switches manually.
The AC-DCN Automatically Discovering and Adding Nodes
Step 1 Choose Network > Link Management > Link List.
Step 2 Click Link Discover and select all devices. Set LLDP Enable to ON. Then click Find.
Step 3 When the progress bar reaches 100%, click Finish. The AC-DCN discovers all links between
the switches and servers.
Step 4 Choose Network > Physical Resource > Server. On the page that is displayed, select the
servers to be added to the POD. Then click Add to POD.
NOTE
All cloud platform servers and virtualization platform servers shall be added to the POD.
----End
Adding Servers Manually
If LLDP is disabled or not supported on servers (for example, physical servers), configure the
mappings between TOR switches and servers on the AC-DCN manually.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Click Switch, and click the TOR-Host tab. Then click Add.
Step 4 In the Add dialog box that is displayed, configure the corresponding TOR switch, port, and
server name, then click Confirm.
Step 5 After adding a server, click the icon next to the name of the corresponding TOR switch, and check whether the link between the TOR switch and the server is configured correctly.
----End
Adding Bare Metal Servers
When bare metal servers are planned on the network, pre-configure PXE network parameters
on the interfaces that connect the bare metal servers and access switches. The PXE network is
the initial network for provisioning services of the bare metal servers.
Prerequisites:
- The bare metal services have been deployed on FusionSphere CPS and connected to FusionSphere OpenStack.
- The bare metal servers have been connected to the PXE network, and the BMC Base and Provision network information has been configured.
Configure the PXE network on the AC-DCN as follows:
Step 1 Choose Network > POD Management > POD. In the POD list that is displayed, select a
specified POD to access the POD management page.
Step 2 On the Global Configuration tab page, select PXE Network and configure the VLAN and
VNI of the PXE network.
The configuration of the VNI must be consistent with that of the PXE network on the PXE
server.
Step 3 Enter the VNI and click Create. Select interfaces on the access switches to connect to the
bare metal servers and click OK.
----End
4.2.6.8 Configuring External Networks
There are two types of external networks: Internet and private network. In the cloud-network
integration scenario, only the Internet can be added.
Adding the Internet
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Access the Service Configuration tab page. Under External Network, click Create.
Step 4 Configure basic information about an external network. Click Next.
Step 5 Configure gateway information. Click Next.
- Set Gateway type to Gateway Group.
- Set Group name to the gateway group name.
- Select gateway IP addresses.
Step 6 Check the configuration.
Step 7 Multiple external networks can be added to one cloud platform. For an external network, the name defined on the AC-DCN must be used as the prefix of the name defined on the cloud platform. For example, when the name of an external network is ext on the AC-DCN, you can set the name of this external network to ext01 or ext02 on the cloud platform.
----End
4.2.6.9 Interconnecting FusionSphere with a VMM
The vCenter provider uses the vCenter as a virtual resource pool and connects it to
FusionSphere OpenStack, so that FusionSphere OpenStack can uniformly manage virtual
resources.
Step 1 Install a VMM.
For example, install the vCenter. The installation process involves ESXi host installation and configuration, vCenter installation and configuration, vSphere distributed switch (vDS) creation, and shared storage configuration. For details, visit the VMware official website and choose SUPPORT > Support Resources > Technical Papers.
NOTE
When installing the ESXi host, remember the configured ESXi host login password. You will use this
password to log in to the vCenter as the root user. If you forget the password, you cannot reset it. You
can only reinstall the ESXi host and re-configure a password.
Step 2 Interconnect FusionSphere with the vCenter.
For details, access FusionSphere Product Documentation (Cloud Data Center) and choose
Software Installation Guide > Installation and Configuration > (Optional) Connecting
vCenter to FusionSphere OpenStack.
----End
4.2.7 Interconnecting the AC-DCN with Open-Source OpenStack
4.2.7.1 Creating a Management Network for OpenStack
Generally, the interconnection between the AC-DCN and OpenStack uses the in-band
management mode. That is, the AC-DCN delivers L2BR port group configurations to create a
management network for OpenStack.
The AC-DCN accesses the network through VLANs and creates Layer 3 VLANIF interfaces on TOR switches or gateways to add the management network segments of the AC-DCN and OpenStack to routing domains, so that routes between the management planes of the AC-DCN and OpenStack can be established.
The AC-DCN then delivers L2BR port group configurations to connect to the management networks of all OpenStack nodes.
The following table lists an example of network plane planning for OpenStack.
L2BR Port Group Name | Type and Name | Access Type | VNI   | VLAN | Gateway Type | Gateway Address
Ops                  | External_OM   | untag       | 29901 | 1998 | All-active   | 10.100.2.254/24
Step 1 Choose Network > POD Management > POD. In the POD list, select a specified POD to
access the POD management page.
Step 2 On the Service Configuration tab page, select L2BR Port Group, and click Create to create
an L2BR port group.
Step 3 On the Set Basic Information page, enter the L2BR port group name and description, and
click Next.
Step 4 On the Select Port page, select the interfaces for connecting OpenStack nodes to TOR
switches. Click Next.
Step 5 On the VXLAN page, click Create. Configure VXLAN information, and click Next.
NOTE
If the access type is tag, the VLAN ID must be within the range specified in section Configuring
Available VNI, VLAN, and BD Ranges.
Step 6 Click Finish.
Step 7 On the gateways, advertise the management network segments of OpenStack in the routing
protocol.
[~Gateway-CE12808-1] bgp 65000
[*Gateway-CE12808-1-bgp] ipv4-family unicast
[*Gateway-CE12808-1-bgp-af-ipv4] network 10.100.2.0 255.255.255.0
[*Gateway-CE12808-1-bgp-af-ipv4] quit
[*Gateway-CE12808-1-bgp] quit
[*Gateway-CE12808-1] commit
[~Gateway-CE12808-2] bgp 65001
[*Gateway-CE12808-2-bgp] ipv4-family unicast
[*Gateway-CE12808-2-bgp-af-ipv4] network 10.100.2.0 255.255.255.0
[*Gateway-CE12808-2-bgp-af-ipv4] quit
[*Gateway-CE12808-2-bgp] quit
[*Gateway-CE12808-2] commit
----End
4.2.7.2 Installing and Configuring OpenStack
NOTE
In most cases, the open-source OpenStack cloud platform is installed and operated by a customer or
third-party cloud platform provider.
Step 1 Install an operating system on the server.
Step 2 Modify network configurations of the server.
1. Log in to the system as the root user.
2. Run the following command to edit the network configuration file (ens33 is the physical NIC name):
vi /etc/sysconfig/network-scripts/ifcfg-ens33
3. Press A to enter editing mode, move the cursor with the left and right arrow keys, and modify the file as follows:
   – Change the value of BOOTPROTO to static.
   – Change the value of ONBOOT to yes.
   – Configure the values of IPADDR, NETMASK, and GATEWAY.
4. Press Esc to exit editing mode.
5. Run the :wq! command to save the file.
6. Run the reboot command to restart the system.
Step 3 Configure the host.
1. Log in to the operating system as the root user. Use a Secure File Transfer Protocol (SFTP) tool (such as XSHELL) to copy the openstack-centos-kilo package to the root directory.
2. Run the bash /root/openstack-centos-kilo/host_config.sh script to configure the host.
3. Select a role for the server.
   – If you enter 2 or 3, enter the IP address of the control node.
4. After the configuration is complete, run the reboot command to restart the server.
Step 4 Run the bash /root/openstack-centos-kilo/openstack_setup.sh script to install OpenStack.
Step 5 Select a role for the server. The value must be the same as that set in Step 3.
For details about the installation, see the logs in the /var/log/opsinstall directory.
----End
4.2.7.3 Installing Interconnection Plug-ins
Step 1 Install the interconnection plug-in on the AC-DCN.
For details, access Agile Controller-DCN Product Documentation and choose Installation
and Underlay Network Configuration > Software Installation > Installing Plug-ins >
Network Service Provisioning Collaborating with the OpenStack > Installing Plug-ins on
the AC-DCN.
Step 2 Install the interconnection plug-ins on OpenStack.
For details, access the path described in Step 1.
----End
4.2.7.4 Configuring the Interconnection on OpenStack
Step 1 Use Open vSwitch (OVS) to create a bond interface. Perform this step on all compute and network nodes that connect to the TOR switch through dual NICs.
1. Bring up the NICs that will be bonded. The configuration commands vary with the operating system and version; the following uses Ubuntu 14.04.1 as an example. (If there is no NIC configuration file, skip this step and go to Step 2.)
2. Run the vi /etc/network/interfaces command to edit the NIC configuration file.
3. Modify the configurations of eth1 and eth2 as follows:
auto eth1
iface eth1 inet manual
auto eth2
iface eth2 inet manual
4. Save the configuration and run the sudo /etc/init.d/networking restart command to restart the network service.
   – If the configuration does not take effect, restart the NICs one by one:
   ifdown eth1
   ifup eth1
   – If the configuration still fails to take effect, restart the system.
Step 2 Run the following commands on the OVS to bind the bond to the NICs.
1. Run the ovs-vsctl del-br br-eth1 command to delete the default bridge br-eth1.
2. Run the ovs-vsctl add-br br-bond1 command to create the bridge br-bond1.
3. Run the ovs-vsctl add-bond br-bond1 bond1 eth1 eth2 command to add bond1, consisting of eth1 and eth2, to the bridge. (If the active/standby mode is used, go to Step 3.)
4. (Optional) If the load balancing mode is used, run the ovs-vsctl set Port bond1 bond_mode=balance-slb lacp=active command. This requires LACP to be enabled on the TOR side of the link as well.
5. Run the ovs-vsctl show command to check the OVS configuration.
Step 3 Set the bridge used by OpenStack services to br-bond1.
1. Back up the Modular Layer 2 (ML2) configuration file.
2. Run the vi /etc/neutron/plugins/ml2/ml2_conf.ini command and modify the ML2 configuration file as follows.
3. Locate the bridge_mappings configuration:
bridge_mappings = physnet1:br-eth1
Change the bridge for physnet1 to br-bond1:
bridge_mappings = physnet1:br-bond1
If the statement does not exist, add it. Set local_ip to the local IP address. Ensure that both statements are under [ovs], as shown in the following figure.
4. Run the service neutron-openvswitch-agent restart command to restart the neutron-openvswitch-agent service.
5. Run the ovs-appctl bond/show command. If the following information is displayed, the service is successfully configured.
Step 4 Configure br-int on a single NIC for all network and compute nodes.
1. Run the ovs-vsctl list-br command to check whether br-eth1 exists.
   – If br-eth1 does not exist, run the ovs-vsctl add-br br-eth1 command to add the bridge, then run the ovs-vsctl list-br command to check the result.
2. Run the ovs-vsctl del-br br-tun command to delete the bridge br-tun.
3. Run the vi /etc/neutron/plugins/ml2/ml2_conf.ini command and modify the ML2 configuration file.
4. Locate the bridge_mappings configuration and set physnet1 to br-eth1. If the statement does not exist, add it:
bridge_mappings = physnet1:br-eth1
5. Set local_ip to the local IP address.
6. Run the service neutron-openvswitch-agent restart command to restart the neutron-openvswitch-agent service.
Step 5 Enable LLDP on compute and network nodes.
1. Upload the LLDP .rpm packages to the compute and network nodes.
2. Go to the directory where the packages are saved and run the following commands in sequence to install them:
rpm -ivh libconfig-1.4.9-5.el7.x86_64.rpm
rpm -ivh libconfig-devel-1.4.9-5.el7.x86_64.rpm
rpm -ivh lldpad-0.9.46-10.el7.x86_64.rpm
rpm -ivh lldpad-devel-0.9.46-10.el7.x86_64.rpm
3. Run the following commands to start lldpad and enable LLDP on the network interface connected to the switch (enp2s0f2 is the NIC name):
lldpad -d
lldptool set-lldp -i enp2s0f2 adminStatus=rxtx
lldptool -T -i enp2s0f2 -V sysName enableTx=yes
lldptool -T -i enp2s0f2 -V portDesc enableTx=yes
lldptool -T -i enp2s0f2 -V sysDesc enableTx=yes
If dual NICs are used to connect to a TOR switch, run the preceding commands on both NICs, replacing enp2s0f2 with the name of each NIC connected to the switch.
Step 6 Change the network type so that VXLAN configurations are delivered.
1. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a control node and modify the configuration file as follows:
2. Run the systemctl restart neutron-server.service command to restart the service.
3. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a network node and modify the configuration file as follows (set local_ip to the local IP address):
4. Run the systemctl restart neutron-openvswitch-agent.service command to restart the service.
5. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a compute node and modify the configuration file as follows (set local_ip to the local IP address):
6. Run the systemctl restart neutron-openvswitch-agent.service command to restart the service.
Step 7 Change the network type so that VLAN configurations are delivered.
1. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a control node and modify the configuration file as follows:
2. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a network node and modify the configuration file as follows (set local_ip to the local IP address):
3. Run the vim /etc/neutron/plugins/ml2/ml2_conf.ini command on a compute node and modify the configuration file as follows (set local_ip to the local IP address):
----End
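The ml2_conf.ini edits in Step 3 (bridge_mappings and local_ip), Step 6 (VXLAN) and Step 7 (VLAN) are shown in the guide only as figures. The following Python script is an added example, not Huawei's or OpenStack's own code: it renders a per-node ml2_conf.ini with the Kilo-era option names (type_drivers, tenant_network_types, mechanism_drivers, vni_ranges, network_vlan_ranges, bridge_mappings, local_ip, tunnel_types) and checks an existing file for the mistakes these steps invite: local_ip missing or not an address, bridge_mappings still pointing at br-eth1 on a bonded node, or tunnel_types unset in VXLAN mode. The mechanism driver name, the VNI and VLAN ranges and the IP addresses are assumptions; the AC-DCN plug-in's driver name comes from the plug-in documentation and the reserved ranges from section Configuring Available VNI, VLAN, and BD Ranges.

```python
"""Render and sanity-check the ML2/OVS settings that 4.2.7.4 edits by hand (added example)."""
import configparser
import io
import ipaddress

# Assumption: the AC-DCN plug-in registers its own ML2 mechanism driver. Its name is not
# given in this guide, so "openvswitch" is a placeholder to replace from the plug-in docs.
MECHANISM_DRIVERS = "openvswitch"

ROLES = ("control", "network", "compute")


def render_ml2_conf(role, network_type, local_ip=None, bridge="br-bond1",
                    physnet="physnet1", vni_range="29901:30000", vlan_range="1000:2000"):
    """Build the ml2_conf.ini text for one node.

    role          one of ROLES
    network_type  "vxlan" (Step 6) or "vlan" (Step 7)
    local_ip      VTEP address of this node; required on network and compute nodes
    bridge        br-bond1 for dual-NIC nodes (Step 3), br-eth1 for single-NIC nodes (Step 4)
    vni_range / vlan_range are placeholders; they must lie inside the ranges reserved on the AC-DCN
    """
    if role not in ROLES:
        raise ValueError("unknown role %r" % (role,))
    if network_type not in ("vxlan", "vlan"):
        raise ValueError("unknown network type %r" % (network_type,))
    cp = configparser.ConfigParser()
    cp["ml2"] = {
        "type_drivers": "flat,vlan,vxlan",
        "tenant_network_types": network_type,
        "mechanism_drivers": MECHANISM_DRIVERS,
    }
    cp["ml2_type_vxlan"] = {"vni_ranges": vni_range}
    cp["ml2_type_vlan"] = {"network_vlan_ranges": "%s:%s" % (physnet, vlan_range)}
    if role != "control":
        if local_ip is None:
            raise ValueError("local_ip is required on %s nodes" % role)
        ipaddress.ip_address(local_ip)          # rejects anything that is not an address
        cp["ovs"] = {"local_ip": local_ip, "bridge_mappings": "%s:%s" % (physnet, bridge)}
        if network_type == "vxlan":
            cp["agent"] = {"tunnel_types": "vxlan"}   # the OVS agent needs this to build VTEPs
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check_ml2_conf(text, role, expected_bridge="br-bond1"):
    """Return the problems found in an ml2_conf.ini text; an empty list means it passes."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    problems = []
    ttype = cp.get("ml2", "tenant_network_types", fallback="")
    if ttype not in ("vxlan", "vlan"):
        problems.append("[ml2] tenant_network_types must be vxlan or vlan, got %r" % ttype)
    if role == "control":
        return problems                           # control nodes carry no [ovs] agent settings
    try:
        ipaddress.ip_address(cp.get("ovs", "local_ip", fallback=None))
    except ValueError:
        problems.append("[ovs] local_ip missing or not an IP address")
    mappings = cp.get("ovs", "bridge_mappings", fallback="")
    bridges = [m.split(":", 1)[1].strip() for m in mappings.split(",") if ":" in m]
    if expected_bridge not in bridges:
        problems.append("[ovs] bridge_mappings does not reference %s" % expected_bridge)
    if ttype == "vxlan" and "vxlan" not in cp.get("agent", "tunnel_types", fallback=""):
        problems.append("[agent] tunnel_types must include vxlan")
    return problems


if __name__ == "__main__":
    conf = render_ml2_conf("compute", "vxlan", local_ip="10.100.2.11")
    print(conf)
    print("problems:", check_ml2_conf(conf, "compute"))
```

Back up the live file first (Step 3.1), then either diff the rendered text against it or pass the live file's contents to check_ml2_conf before restarting neutron-server and the OVS agents; a node whose bridge_mappings still names br-eth1 after the bond was created is exactly the case the check reports.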
4.2.7.5 Creating a Northbound Interface Operator
When open-source OpenStack is used as the cloud platform, the user name and password of the northbound interface operator are stored in the configuration file of the cloud platform plug-in. Therefore, the two parameters must be set to esdk@huawei.com and Huawei@123, respectively. Because these fixed credentials give northbound access to the AC-DCN to anyone who can read that file, restrict read access to the plug-in configuration file to the account that runs the plug-in.
Step 1 Log in to the AC-DCN using the admin account.
Step 2 Choose System > Administrator > Administrator.
Step 3 Create a northbound interface operator. Click Create and configure basic information about
the user.
- Set Account to esdk@huawei.com.
- Set Password to Admin@1234.
NOTE
If the northbound interface operator is created for the first time, the initial password can be any value except the planned final password Huawei@123, because the AC-DCN requires the password to be changed upon first login.
- Set Confirm Password to Admin@1234.
- Set Role to Northbound Interface Operator.
- Click Confirm.
Step 4 Click the logout icon in the upper right corner of the page to log out of the current account.
Step 5 Re-log in to the AC-DCN as the northbound interface operator.
Step 6 Change the password to a new value (for example, Huawei@123) as prompted.
Step 7 After the password is changed, the login page will be displayed in 5 seconds. Use the new
password to re-log in to the AC-DCN as the northbound interface operator to check whether
the password is correct.
If the following dialog box is displayed, the northbound interface operator is successfully
created, and the password is changed.
----End
4.2.7.6 Configuring a Cloud Platform
Bind the cloud platform to a POD of the AC-DCN, so that network services of the cloud
platform can be automatically deployed through the AC-DCN.
Step 1 Choose System > System Settings > Cloud Platform and click Create.
Step 2 Configure parameters for connecting to the cloud platform.
- Agent Name: Agent name of OpenStack (Kilo). The value must be the same as that in the /etc/neutron/config.ini file on the control node of OpenStack (Kilo). Run the following command to check the agent name in the file:
[root@controller neutron]# more /etc/neutron/config.ini
[opensdk]
service_name=physnet1
By default, the agent name in the OpenStack (Kilo) configuration file is physnet1. If another name is needed, change the value in the configuration file at the same time. To change the agent name on the control node of OpenStack (Kilo):
1. Run the vim /etc/neutron/config.ini command to open the file.
2. Press I to enter editing mode and change the value of service_name to the actual agent name.
3. Press Esc to exit editing mode.
4. Run the :wq! command to save the file.
- Account: User name of the northbound interface operator. Set the value to esdk@huawei.com.
- Driver Plug-in IP: If the AC-DCN interconnects with the cloud platform through a plug-in, set the parameter to the IP address of the server where the plug-in is installed. If no plug-in is used, set the value to the IP address of the cloud platform.
- Cloud Platform IP: IP address of the cloud platform.
----End
4.2.7.7 Binding the Cloud Platform to a POD
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Access the Global Configuration tab page. Under Connect to Cloud Platform, select the
agent name of the cloud platform and click Apply.
----End
4.2.7.8 Adding Servers to the POD
After installing and deploying the cloud platform, enable LLDP on all physical servers and
virtualization platform servers. The AC-DCN re-discovers links between access switches and
servers, and adds discovered servers to the POD.
- After installing OpenStack, enable LLDP on all OpenStack nodes to allow the AC-DCN to automatically rediscover the links.
- For physical servers and other servers on which LLDP is disabled, associate them with the corresponding TOR switches manually.
The AC-DCN Automatically Discovering and Adding Nodes
Step 1 Choose Network > Link Management > Link List.
Step 2 Click Link Discover and select all devices. Set LLDP Enable to ON. Then click Find.
Step 3 When the progress bar reaches 100%, click Finish. The AC-DCN discovers all links between
the switches and servers.
Step 4 Choose Network > Physical Resource > Server. On the page that is displayed, select the
servers to be added to the POD. Then click Add to POD.
NOTE
All cloud platform servers and virtualization platform servers shall be added to the POD.
----End
Adding Servers Manually
If LLDP is disabled or not supported on servers (for example, physical servers), configure the
mappings between TOR switches and servers on the AC-DCN manually.
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Click Switch, and click the TOR-Host tab. Then click Add.
Step 4 In the Add dialog box that is displayed, configure the corresponding TOR switch, port, and
server name, then click Confirm.
Step 5 After adding a server, click the icon next to the name of the corresponding TOR switch, and check whether the link between the TOR switch and the server is configured correctly.
----End
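Step 5 of 4.2.7.4 turns LLDP on so that the AC-DCN can learn which TOR port each server NIC is cabled to, and Step 5 above asks you to confirm that link by hand. LLDP frames carry no authentication, so a useful check before clicking Add to POD is to compare what each NIC actually sees against the cabling plan. The Python script below is an added example, not part of the Huawei guide: it parses the neighbour dump printed by lldptool -t -n -i <nic> (the lldpad tool installed in 4.2.7.4) and compares the System Name and Port ID TLVs with the planned TOR-Host mapping. The dumps, the switch names tor01/tor02 and the port names are constructed for this example.

```python
"""Check server-to-TOR cabling from lldptool neighbour dumps against the planned TOR-Host mapping (added example)."""
import re

# Constructed sample in the shape of `lldptool -t -n -i enp2s0f2` output (lldpad);
# the switch name tor01 and port 10GE1/0/5 are assumptions for this example.
SAMPLE_OK = """\
Chassis ID TLV
\tMAC: 00:1b:21:aa:bb:01
Port ID TLV
\tIfname: 10GE1/0/5
Time to Live TLV
\t120
System Name TLV
\ttor01
System Description TLV
\tconstructed sample switch
End of LLDPDU TLV
"""

# Constructed: the plan as entered on the AC-DCN TOR-Host tab, and the neighbour dumps
# collected from each NIC. The second NIC has been patched into the wrong TOR port.
PLANNED = {
    ("compute01", "enp2s0f2"): ("tor01", "10GE1/0/5"),
    ("compute01", "enp2s0f3"): ("tor02", "10GE1/0/5"),
}
OBSERVED = {
    ("compute01", "enp2s0f2"): SAMPLE_OK,
    ("compute01", "enp2s0f3"): SAMPLE_OK.replace("tor01", "tor02").replace("10GE1/0/5", "10GE1/0/6"),
}


def parse_lldptool_neighbor(text):
    """Map each TLV name ("Port ID", "System Name", ...) to its indented value lines."""
    tlvs = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # header line such as "Port ID TLV"
            current = re.sub(r"\s+TLV$", "", line.strip())
            tlvs.setdefault(current, [])
        elif current is not None:                 # indented value belonging to the last header
            tlvs[current].append(line.strip())
    return tlvs


def neighbor_of(text):
    """Return (switch system name, port id) from one neighbour dump; None for absent fields."""
    tlvs = parse_lldptool_neighbor(text)
    name = (tlvs.get("System Name") or [None])[0]
    port = None
    for value in tlvs.get("Port ID", []):
        # lldptool prefixes the Port ID subtype ("Ifname: 10GE1/0/5", "MAC: ..."):
        # keep only the identifier after the first colon
        port = value.split(":", 1)[1].strip() if ":" in value else value
    return name, port


def verify_tor_mapping(planned, observed):
    """Compare planned {(server, nic): (tor, port)} with observed {(server, nic): lldptool text}.

    Returns a list of mismatch descriptions; an empty list means the cabling matches the plan.
    """
    problems = []
    for key, (tor, port) in sorted(planned.items()):
        text = observed.get(key)
        if text is None:
            problems.append("%s/%s: no LLDP neighbour seen (LLDP off or link missing)" % key)
            continue
        seen = neighbor_of(text)
        if seen != (tor, port):
            problems.append("%s/%s: planned %s %s, LLDP shows %s %s" % (key + (tor, port) + seen))
    return problems


def demo():
    """Run the check over the constructed plan and dumps."""
    return verify_tor_mapping(PLANNED, OBSERVED)


if __name__ == "__main__":
    for line in demo() or ["cabling matches the plan"]:
        print(line)
```

On a real node, collect one dump per NIC with lldptool -t -n -i <nic> after the adminStatus=rxtx step and feed the texts in as OBSERVED; a NIC that returns an empty dump means the switch port is not sending LLDP or the link is down, which is the case the AC-DCN cannot discover automatically and that the manual TOR-Host entry above covers.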
4.2.7.9 Configuring External Networks
There are two types of external networks: Internet and private network. For details, see the
following figure. In the cloud-network integration scenario, only the Internet can be added.
Adding the Internet
Step 1 Choose Network > POD Management > POD.
Step 2 In the POD list, select a specified POD to access the POD management page.
Step 3 Access the Service Configuration tab page. Under External Network, click Create.
Step 4 Enter an external network name, and set the external network type to Internet. Click Next.
Step 5 Configure gateway information. Select the all-active gateway group and click Next.
Step 6 Check the configurations.
Step 7 Multiple external networks can be added to one cloud platform. For an external network, the
name defined on the AC-DCN must be used as the prefix of the name defined on the cloud
platform. For example, when the name of an external network is ext on the AC-DCN, you can
set the name of this external network to ext01 or ext02 on the cloud platform.
----End
4.2.7.10 Interconnecting OpenStack with a VMM
This operation is performed by a customer or a third-party cloud platform provider. Visit
OpenStack official website to obtain related documents.
4.2.8 Deploying the Overlay Network
Create and deliver networks and services on the cloud platform portal as required.
- If Huawei FusionSphere OpenStack is used, IT personnel perform web page operations on ManageOne. For details, see ManageOne 3.0 Operation Guide 01 of ManageOne 3.0 Product Documentation 01.
- If open-source OpenStack is used to deliver services, a customer or a third-party cloud platform provider deploys the overlay network. To obtain related documents, visit the OpenStack official website.
4.2.9 Common Operation Guide
4.2.9.1 Adding a TOR Node
Step 1 Log in to the AC-DCN, choose Network > Physical Resource > Network Device, and click
Automatic Discovery.
Step 2 Enter the network segment where the device to be added is located, set the parameters under SNMP V3 Protocol, and click Start. The AC-DCN automatically discovers the devices.
Step 3 Choose Network > Physical Resource > Network Device, select the discovered TOR node,
and click Add to POD.
Step 4 In the Add to POD dialog box, enter the name of the POD to which the node will be added
and click Add.
Step 5 Choose Network > Link Management > Link List, click Link Discover, select all devices,
and click Find. The AC-DCN rediscovers the device links.
Step 6 Access the created POD, click the Device tab, and click Switch. Click Netconf after the
added TOR node, and set NETCONF parameters (set the port number to 22).
Step 7 Specify a role for the TOR node in the POD.
You can specify a role for a device in a POD using either of the following methods:
- (Recommended) On the TOPO page of the POD, right-click the device to be configured and specify a role for the device. For example, right-click the added TOR node and click Set as AGG.
- On the Device page of the POD, select Physical Network Device and define the roles of devices in the physical network device list. For example, select the added TOR node, click Set as AGG, and then click Save the Configuration.
Step 8 Choose Network > POD Management > POD. On the Device tab page, select NVE, then
select the added device, and click Read Device VTEP IP.
----End
4.2.9.2 Replacing a Device
The prerequisites for replacing a device are as follows:
- Hardware information such as the device model and ports of the new device is the same as that of the old device.
- The software version of the new device is the same as or later than that of the old device.
- A license has been installed on the new device, and the license specifications are the same as or higher than those of the old device.
- The new device is not connected to the AC-DCN and is not managed by the AC-DCN.
- The new device has sufficient memory to store the latest configuration files.
Device replacement consists of the old device going offline and the new device going online.
For the AC-DCN, the process is the same as the restart process of a device.
Step 1 Log in to the AC-DCN, choose Network > Physical Resource > Network Device, select the
device to be replaced, and click Replace. The Device replace page is displayed.
Step 2 Check the new device based on the preceding prerequisites, and click Next.
Step 3 Log in to the old device, open the CLI, and back up the device configuration files.
CAUTION
After the configuration files are saved, power off and remove the old device immediately. Do
not deliver a service to the old device; otherwise, the service that is not saved in the
configuration files cannot be restored. Do not modify the configuration files. If VSs are
created, back up and restore the configuration files of the VSs except VS0.
Step 4 Power off the old device and remove it from the network.
Step 5 On the Device replace page, click Clear Public Key.
Step 6 Connect the new device to the network. Ensure that all physical cable connections are the
same as those of the old device.
Step 7 Power on the new device, import the backed-up configuration files, and specify the
configuration files for the next startup.
Step 8 Restart the new device without saving the current configuration. After the new device restarts,
it automatically goes online on the AC-DCN.
NOTE
After you restart a device, the device automatically restores configurations, which takes a period of time.
Wait for 5 minutes to 10 minutes.
Step 9 After the configuration is restored on the new device, run the rsa local-key-pair create command to generate a local RSA key pair for the NETCONF connection between the AC-DCN and the device. The RSA key pair is retained after the device restarts.
Run the display rsa local-key-pair public command to view the public key, and record the output: after the stored public key is cleared in Step 10, the key that the AC-DCN learns from the device on the next connection should be compared with this output rather than accepted blindly.
Step 10 On the Device replace page, click Clear Public Key.
Step 11 On the Device replace page, click Check Connection, check whether the NETCONF
connection between the AC-DCN and the device is normal, and click Next.
NOTE
If the NETCONF connection between the AC-DCN and the device fails to be established, perform the following operations:
l Set NETCONF parameters on the device.
l Log in to the AC-DCN, choose Network > POD Management > POD and click the Device tab.
l Click the Switch or TOR tab based on the role of the device, find the target device, and click Netconf.
l On the Netconf Configure page, set connection parameters to the same as those configured on the device.
Step 12 Click Device Audit to check the audit result. Ensure that the services are restored.
l If the audit result is normal, the services are successfully restored on the new device.
l If the audit result is abnormal, check configurations on the device in sequence and determine whether to modify the configurations.
----End
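Why the procedure clears the stored public key before Check Connection, shown as an added example that is not from this guide or the AC-DCN: a stand-in pinned-key store treats the replaced device's new RSA key as a mismatch until the old pin is cleared, and re-pins only after the key's fingerprint matches the value read on the console with display rsa local-key-pair public. The device name tor-01, the store class and the key bytes are constructed for the illustration.

```python
import base64
import hashlib


def fingerprint(pub_key: bytes) -> str:
    """SHA-256 fingerprint of a public key, OpenSSH style ('SHA256:<base64>')."""
    digest = hashlib.sha256(pub_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class DevicePinStore:
    """Stand-in (assumption) for the controller's stored per-device public keys."""

    def __init__(self):
        self._pins = {}

    def check(self, device: str, presented: bytes) -> str:
        """Return 'ok', 'unknown' or 'mismatch'. A mismatch is never auto-accepted:
        it is what a replaced device looks like before Clear Public Key."""
        pinned = self._pins.get(device)
        if pinned is None:
            return "unknown"
        return "ok" if pinned == presented else "mismatch"

    def clear_public_key(self, device: str) -> None:
        """The 'Clear Public Key' action: forget the old device's key."""
        self._pins.pop(device, None)

    def pin(self, device: str, presented: bytes, console_fingerprint: str) -> None:
        """Pin the new key only if it matches the fingerprint read out of band
        (from 'display rsa local-key-pair public' on the device console)."""
        if fingerprint(presented) != console_fingerprint:
            raise ValueError("fingerprint differs from the console value; not pinned")
        self._pins[device] = presented


# Constructed stand-ins for the public key bytes; not real RSA keys.
OLD_DEVICE_KEY = b"constructed-old-device-rsa-public-key"
NEW_DEVICE_KEY = b"constructed-new-device-rsa-public-key"


def replacement_sequence():
    """Walk the replacement once and return the outcome at each stage."""
    store = DevicePinStore()
    store.pin("tor-01", OLD_DEVICE_KEY, fingerprint(OLD_DEVICE_KEY))
    before_clear = store.check("tor-01", NEW_DEVICE_KEY)   # new key vs old pin
    store.clear_public_key("tor-01")
    after_clear = store.check("tor-01", NEW_DEVICE_KEY)    # nothing pinned yet
    try:  # operator reads the wrong fingerprint, or the key changed in transit
        store.pin("tor-01", NEW_DEVICE_KEY, fingerprint(OLD_DEVICE_KEY))
        wrong_fp_rejected = False
    except ValueError:
        wrong_fp_rejected = True
    store.pin("tor-01", NEW_DEVICE_KEY, fingerprint(NEW_DEVICE_KEY))
    after_pin = store.check("tor-01", NEW_DEVICE_KEY)
    return before_clear, after_clear, wrong_fp_rejected, after_pin
```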
4.2.9.3 Deleting a Device
If a physical device on a user network is no longer used, delete the device from the POD.
Before deleting the device from the POD, delete corresponding upper-layer services to release
device resources that are occupied by the upper-layer services. When you delete a network device from a POD, the system displays the resources of the device that are occupied by services. Delete the resources based on Table 4-3.
Table 4-3 Resource release guide

Resource: VLAN

Service: DHCP Neutron port service
Operations to Release Resources:
1. Log in to the AC-DCN and choose Tenant > Tenant Management > Tenant.
2. Click the tenant name and select Port.
3. Check the access device information in port details. If the access device is the device to be deleted, record the port name.
4. Log in to the cloud platform and delete the recorded port.

Service: Bare metal server Neutron port service
Operations to Release Resources: Release the bare metal server on the cloud platform.

Service: VM Neutron port service
Operations to Release Resources:
1. Choose Network > POD Management > POD > Device > vSwitch and check the switches to which VMs are connected.
2. Delete the VMs that are connected to the switch to be deleted.

Service: LB Neutron port service
Operations to Release Resources:
1. Log in to the AC-DCN and choose Tenant > Tenant Management > Tenant.
2. Click the tenant name and select Port.
3. Check the access device information in port details. If the access device is the device to be deleted, record the port name.
4. Log in to the cloud platform and delete the recorded port.

Resource: BD

Service: L2BR port service
Operations to Release Resources: Delete the L2BR port that is associated with the device to be deleted.

Service: PXE pre-configuration port service
Operations to Release Resources: Delete the PXE port that is associated with the device to be deleted.

Service: DHCP Neutron port service
Operations to Release Resources:
1. Log in to the AC-DCN and choose Tenant > Tenant Management > Tenant.
2. Click the tenant name and select Port.
3. Check the access device information in port details. If the access device is the device to be deleted, record the port name.
4. Log in to the cloud platform and delete the recorded port.

Service: Bare metal server Neutron port service
Operations to Release Resources: Release the bare metal server on the cloud platform.

Service: VM Neutron port service
Operations to Release Resources:
1. Choose Network > POD Management > POD > Device > vSwitch and check the switches to which VMs are connected.
2. Delete the VMs that are connected to the switch to be deleted.

Service: LB Neutron port service
Operations to Release Resources:
1. Log in to the AC-DCN and choose Tenant > Tenant Management > Tenant.
2. Click the tenant name and select Port.
3. Check the access device information in port details. If the access device is the device to be deleted, record the port name.
4. Log in to the cloud platform and delete the recorded port.

Resource: vFM

Service: L2BR port service
Operations to Release Resources: Delete the L2BR port that is associated with the device to be deleted.

Service: PXE pre-configuration port service
Operations to Release Resources: Delete the PXE port that is associated with the device to be deleted.

Service: Internal interfaces associated with the vRouter
Operations to Release Resources: Delete the internal interfaces associated with the vRouter.

Services: External gateways associated with the vRouter; vFM services (including EIP, SNAT, VPN, and security policies)
Operations to Release Resources:
1. Delete the vFM services, including EIP, SNAT, VPN, and security policies.
2. Cancel associations between external gateways and the vRouter.

Resource: Interface interconnection

Services: External gateways associated with the vRouter; vFM services (including EIP, SNAT, VPN, and security policies)
Operations to Release Resources:
1. Delete the vFM services, including EIP, SNAT, VPN, and security policies.
2. Cancel associations between external gateways and the vRouter.

Resource: VPN

Services: Creating VPC; External gateways associated with the vRouter; Internal interfaces associated with the vRouter
Operations to Release Resources:
1. Delete the vFM services, including EIP, SNAT, VPN, and security policies.
2. Cancel associations between external gateways and the vRouter.
3. Cancel associations between internal interfaces and the vRouter.