- 产品与解决方案
- 行业解决方案
- 服务
- 支持
- 合作伙伴
- 新华三人才研学中心
- 关于我们
01-正文
本章节下载: 01-正文 (495.13 KB)
本文介绍的设备是指被SeerEngine-DC纳管的设备。为确保设备正常接入到Underlay网络以及设备与SeerEngine-DC之间IP路由可达,需手动在设备上进行预配置。本文介绍了设备在不同场景下的预配置,方便用户了解使用指定类型的设备前需要在设备上手动预配置哪些功能。
根据设备的载体形态不同,设备可以分为:
· 物理设备:指设备的载体形态是物理设备(例如物理交换机),其根据服务类型又可以分为接入设备、边界设备等。当使用手动上线方式时,用户需在该类型的设备上进行预配置。自动化上线场景下无需进行预配置。
· 虚拟设备:指在物理服务器或物理网络设备(例如M9000)上虚拟出来的虚拟设备(例如VNF设备、NGFW设备等),其根据服务类型又可以分为虚拟网关、虚拟防火墙、虚拟负载均衡器等。根据虚拟设备的创建方式不同,虚拟设备又可以分为:
¡ 手动添加的纳管设备:指已创建的虚拟设备,需要通过手动添加该设备作为SeerEngine-DC的虚拟设备。用户需在该类型的设备上进行预配置。
¡ 从资源池分配的设备:指通过NGFW资源池或VNF资源池分配的虚拟设备。创建该类型设备时需引用对应的模板,预配置会在创建模板时自动生成。用户不需在该类型的设备上进行任何预配置。用户可根据配置项章节的介绍了解模板中预配置的功能,也可根据需求修改模板中的预配置。
本部分介绍了不同类型设备的配置项及配置简介。配置项部分介绍了不同类型设备可能需要配置的所有功能,用户可根据配置简介的配置步骤预配置指定类型的设备,也可参照配置项了解虚拟设备各类型模板都预配置哪些功能。
|
配置项 |
章节 |
接入设备 |
边界设备 |
|
开启设备的L2VPN功能 |
Y |
Y |
|
|
配置本地用户及开启NETCONF服务 |
Y |
Y |
|
|
配置路由协议 |
Y |
Y |
|
|
配置管理接口 |
Y |
Y |
|
|
配置VTEP IP |
Y |
Y |
|
|
配置边界设备的DCI VTEP IP所在接口 |
N |
Y |
|
|
配置Border设备建立IBGP对等体组 |
N |
Y |
|
|
配置AC侧接口 |
Y |
N |
|
|
配置VLAN接口资源预留 |
N |
Y |
|
|
配置与安全设备互联的接口加入同一VLAN |
N |
仅边界设备作为服务网关组的成员设备时需配置 |
|
|
配置IRF桥MAC永久保留 |
Y |
仅IRF模式的边界设备需配置 |
|
|
配置跨VPN转发类型的业务环回组 |
N |
仅数据中心三层互联(防火墙关闭)和外部网络开启路由精简时需配置。 |
|
|
保存配置 |
Y |
Y |
|
配置项 |
章节 |
服务链型防火墙 |
服务网关型防火墙 |
|
配置本地用户及开启NETCONF服务 |
Y |
Y |
|
|
配置路由协议 |
Y |
Y |
|
|
配置管理接口 |
Y |
Y |
|
|
配置IRF集群 |
仅IRF模式的服务链型防火墙需配置 |
仅IRF模式的服务网关型防火墙需配置 |
|
|
配置Track项 |
|||
|
配置冗余组 |
|||
|
配置双机热备相关功能 |
|||
|
配置IRF桥MAC永久保留 |
|||
|
配置防火墙默认放行 |
Y |
Y |
|
|
配置Track和NQA联动监测主备静态路由 |
N |
仅多出口场景且SNAT为开启状态时需要配置 |
|
|
配置专线口(可选) |
N |
Y |
|
|
保存配置 |
Y |
Y |
|
配置项 |
章节 |
服务链型负载均衡器 |
|
配置本地用户及开启NETCONF服务 |
Y |
|
|
配置路由协议 |
Y |
|
|
配置管理接口 |
Y |
|
|
配置IRF集群 |
仅IRF模式的服务链型负载均衡器需配置 |
|
|
配置Track项 |
||
|
配置冗余组 |
||
|
配置双机热备相关功能 |
||
|
配置IRF桥MAC永久保留 |
||
|
配置虚服务器IP所在接口 |
Y |
|
|
保存配置 |
Y |
|
配置项 |
章节 |
双活边界设备 |
|
开启L2VPN 功能 |
Y |
|
|
配置本地用户及开启NETCONF服务 |
Y |
|
|
配置建立BGP邻居的接口 |
Y |
|
|
配置双活网关逃生通道接口 |
Y |
|
|
配置双ED设备虚拟VTEP IP地址 |
Y |
|
|
配置双活网关路由放行策略 |
Y |
|
|
配置VXLAN转发非对称模式 |
Y |
|
|
配置BFD报文封装源IP地址 |
Y |
|
|
配置Router ID |
Y |
|
|
配置OSPF |
Y |
|
|
开启与L3VNI关联的VXLAN隧道的报文统计功能 |
Y |
|
|
配置BGP平滑重启功能 |
Y |
|
|
配置优选路由 |
Y |
|
|
配置双活网关逃生 |
Y |
|
|
配置冗余保护负载分担 |
Y |
|
|
保存配置 |
Y |
开启设备的L2VPN功能。
[Device] l2vpn enable
为了确保安全性,设备需要对SeerEngine-DC发起的连接进行认证和授权。目前在解决方案中一般都采用本地认证和授权的方式,所以要在设备上创建本地用户并配置相关属性。(用户名以sdn为例,密码以123为例)
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
配置设备和SeerEngine-DC之间使用NETCONF over SSH通道进行通信。
[Device] ssh server enable
[Device] netconf ssh server enable
配置设备和SeerEngine-DC之间使用NETCONF over HTTPS通道进行通信。
[Device] ip https enable
[Device] netconf soap https enable
配置用户登录设备时的认证方式。
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
配置OSPF进程。一个进程作为管理网的路由发布域(以进程10为例),另一个进程作为Underlay网络的路由发布域(以进程1为例)。
[Device] ospf 10
[Device] ospf 1
· 用户可根据需求使用其他路由协议,建议使用OSPF协议。
· 必须在接口使能OSPF功能前进行本配置。
· 当设备类型为VNF设备时,不支持使用IS-IS路由协议。
· 从资源池分配的虚拟设备(以VNF设备为例)
¡ 当VNF工作在IRF模式时:创建IRF模式设备的管理接口Reth 999,该接口的IP地址将通过VNF Manager下发。组成IRF的两台VNF的管理接口(以GigabitEthernet1/1/0和GigabitEthernet2/1/0为例)作为冗余接口的成员接口。把冗余接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface Reth 999
[Device-Reth999] member interface GigabitEthernet 1/1/0 priority 100
[Device-Reth999] member interface GigabitEthernet 2/1/0 priority 80
[Device-Reth999] ospf 10 area 0
¡ 当VNF工作在独立模式时:管理接口(以GigabitEthernet1/1/0为例)的IP地址将由VNF Manager下发,把管理接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface GigabitEthernet 1/1/0
[Device-GigabitEthernet1/1/0] ospf 10 area 0
· 物理设备及手动增加的虚拟设备:创建管理接口(以LoopBack 0为例,也可以根据需求使用其他接口)并配置接口的IP地址,把该接口加入到管理网的路由发布域(以OSPF 10区域0为例)。
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
Reth 999接口已被预留作为设备的管理接口,该接口不可再用于其他用途。
创建VTEP IP所在接口,并配置VTEP IP地址。
(1) 创建VTEP IP所在接口Loopback 0,把该接口加入到Underlay网络的路由发布域(以OSPF 1区域0为例)。
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 1 area 0
(2) 配置VTEP IP地址。
[Device-LoopBack0] ip address 10.10.1.10 32
· 当存在Fabric连接时,LoopBack 0接口被预留作为配置VTEP IP的接口,该接口不可再用于其他用途。
· 从VM发出的报文较大,在转发过程中可能由于接口MTU值较小导致报文被丢弃,建议修改接口的MTU值为较大值。
DCI VTEP IP用于创建数据中心连接,需要在边界设备上手动创建DCI VTEP IP所在的接口,并为其配置IP地址。
创建环回口作为DCI VTEP IP所在接口,并配置IP地址,以Loopback 2为例。
[Device] interface LoopBack 2
[Device-LoopBack2] ip address 101.10.1.1 255.255.0.0
该配置需要在边界设备上线前完成,上线后不允许删除和修改。
SeerEngine-DC纳管的网络中的内网流量都在VPN中转发,要实现内外网流量互通,需创建外网VPN并把外网出接口加入到该VPN。(适用于VNF网关和NGFW网关)
(1) 创建外网VPN
[Device] ip vpn-instance external_vpn
external_vpn已被预留作为外网VPN,该VPN不可再用于其他用途。
(2) 配置外网出接口
· 当外网出接口所连接的TOR交换机的接口发送的报文带VLAN Tag(以2为例)时,配置物理子接口进行VLAN终结,同时配置物理子接口作为外网出接口的成员接口(以GigabitEthernet1/5/0.2和GigabitEthernet2/5/0.2为例)。
[Device] interface GigabitEthernet 1/5/0.2
[Device-GigabitEthernet1/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet1/5/0.2] interface GigabitEthernet 2/5/0.2
[Device-GigabitEthernet2/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet2/5/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0.2 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0.2 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
· 当外网出接口所连接的TOR交换机接口发送的报文不带VLAN Tag时,配置物理接口作为外网出接口的成员接口(以GigabitEthernet1/5/0和GigabitEthernet2/5/0为例)。
[Device] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
Reth 1已被预留作为外网出接口或专线口,该接口不可再用于其他用途。如果Reth 1已配置为外网出接口,则不能再作为专线口使用,即不能再配置云专线业务。
通常建立BGP邻居的接口与VTEP IP所在接口为同一接口,当存在双ED设备且配置了ED设备虚拟VTEP IP地址时,需要使用独立的接口建立BGP邻居。
[Device] interface LoopBack0
[Device-LoopBack0] ip address 1.1.1.1 255.255.255.255
[Device-LoopBack0] ospf 11 area 0.0.0.0
[Device] interface LoopBack0
[Device-LoopBack0] ip address 1.1.1.1 255.255.255.255
[Device-LoopBack0] ospfv3 11 area 0.0.0.0
[Device-LoopBack0] ipv6 address 1::1/128
如需使用集中式虚拟路由器连接功能,当防火墙状态为关闭时,需要提前配置Border设备和数据中心内其他设备建立名称为“evpn”的IBGP对等体组。
[Device] bgp 100
[Device-bgp-default] peer 195.0.0.241 group evpn
在网络云双活网关场景下,当出现单点故障时,需要通过逃生通道接口链路保障业务不中断。
· IPv4组网
[Device] interface Ten-GigabitEthernet2/0/19 GW1和GW2互联接口,使能mpls相关功能
[Device-Ten-GigabitEthernet2/0/19] port link-mode route
[Device-Ten-GigabitEthernet2/0/19] ip address 22.0.0.1 255.255.255.0
[Device-Ten-GigabitEthernet2/0/19] ospf 11 area 0.0.0.0
[Device-Ten-GigabitEthernet2/0/19] mpls enable
[Device-Ten-GigabitEthernet2/0/19] mpls ldp enable
· IPv6组网
[Device] interface Ten-GigabitEthernet2/0/19
[Device-Ten-GigabitEthernet2/0/19] ospfv3 1 area 0.0.0.0
[Device-Ten-GigabitEthernet2/0/19] ospfv3 network-type p2p
[Device-Ten-GigabitEthernet2/0/19] mpls enable
[Device-Ten-GigabitEthernet2/0/19] mpls ldp ipv6 enable
[Device-Ten-GigabitEthernet2/0/19] mpls ldp transport-address 40:10::1
[Device-Ten-GigabitEthernet2/0/19] ip forwarding
[Device-Ten-GigabitEthernet2/0/19] ipv6 address 40:10::1/64
为了提高ED的可靠性,避免单点故障,在数据中心的边缘可以部署两台ED设备与其他数据中心互联。可将两台ED虚拟成一台ED设备,采用虚拟IP地址与VTEP、远端ED建立隧道,以实现冗余保护和负载分担。
双ED设备的虚拟VTEP IP地址需要预先配置在接口上,建议使用LoopBack接口,两台ED设备需要配置相同的虚拟VTEP IP地址。
· IPv4组网
[Device] interface LoopBack1
[Device-LoopBack1] ip address 100.0.0.1 255.255.255.255
[Device-LoopBack1] ospf 11 area 0.0.0.0
· IPv6组网
[Device] interface LoopBack1
[Device-LoopBack1] ospfv3 11 area 0.0.0.0
[Device-LoopBack1]ipv6 address 11::11/128
为实现设备的高可靠性,可配置设备工作在IRF模式。指定设备的成员编号及在IRF中的成员优先级,配置IRF端口与物理接口绑定,数据通道和控制通道分别对应不同的物理接口。(适用于IRF模式的VNF设备)
[DeviceA] irf member 1
[DeviceA] irf member 1 priority 32
[DeviceA] irf-port 1
[DeviceA-irf-port1] port group interface GigabitEthernet1/2/0 type data
[DeviceA-irf-port1] port group interface GigabitEthernet1/3/0 type control
[DeviceB] irf member 2
[DeviceB] irf member 2 priority 31
[DeviceB] irf-port 2
[DeviceB-irf-port2] port group interface GigabitEthernet2/2/0 type data
[DeviceB-irf-port2] port group interface GigabitEthernet2/3/0 type control
Track项用于监测外网出接口、下行接口或管理接口的状态。
接口名称可根据实际组网需求修改。本配置项举例中,GigabitEthernet1/1/0和GigabitEthernet2/1/0作为管理接口Reth 999的成员接口;GigabitEthernet1/4/0和GigabitEthernet2/4/0作为下行接口Reth2的成员接口;GigabitEthernet1/5/0和GigabitEthernet2/5/0作为上行接口Reth1的成员接口。
· 虚拟网关设备负责内网流量的三层转发以及内外网流量互通,需监测三种类型的接口。(适用于VNF网关和NGFW网关)
[Device] track 1 interface GigabitEthernet 1/1/0
[Device] track 2 interface GigabitEthernet 1/4/0
[Device] track 3 interface GigabitEthernet 1/5/0
[Device] track 4 interface GigabitEthernet 2/1/0
[Device] track 5 interface GigabitEthernet 2/4/0
[Device] track 6 interface GigabitEthernet 2/5/0
· 服务链节点负责本服务链内的流量转发,不负责内外网流量互通,不需配置外网出接口。(服务链模式vFW和服务链模式vLB)
[Device] track 1 interface GigabitEthernet 1/1/0
[Device] track 2 interface GigabitEthernet 1/5/0
[Device] track 3 interface GigabitEthernet 2/1/0
[Device] track 4 interface GigabitEthernet 2/5/0
冗余组功能仅在IRF模式下支持,一个冗余组最多且必须包含主备两个节点,每个冗余组节点和一台IRF成员设备绑定,两个节点形成设备级备份,且保证了业务报文的接收、处理和发送都在同一台成员设备上进行。
· 冗余组添加各冗余接口作为成员接口。创建Node 1,为主节点,绑定IRF中成员设备slot 1,关联Track项1、2和3;创建Node 2,为备节点,绑定IRF中的成员设备slot 2,关联Track项4、5和6。当slot 1的上下行链路、管理链路或设备故障时,流量切换到slot 2,当故障恢复时,流量再切回。(适用于VNF网关和NGFW网关)
[Device] redundancy group reth
[Device-redundancy-group-reth] member interface Reth1
[Device-redundancy-group-reth] member interface Reth2
[Device-redundancy-group-reth] member interface Reth999
[Device-redundancy-group-reth] node 1
[Device-redundancy-group-right-node1] bind slot 1
[Device-redundancy-group-right-node1] priority 100
[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0
[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0
[Device-redundancy-group-right-node1] track 3 interface GigabitEthernet1/5/0
[Device-redundancy-group-right-node1] quit
[Device-redundancy-group-reth] node 2
[Device-redundancy-group-right-node2] bind slot 2
[Device-redundancy-group-right-node2] priority 80
[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/1/0
[Device-redundancy-group-right-node2] track 5 interface GigabitEthernet2/4/0
[Device-redundancy-group-right-node2] track 6 interface GigabitEthernet2/5/0
· 冗余组添加各冗余接口作为成员接口。创建Node 1,为主节点,绑定IRF中成员设备slot 1,关联Track项1和2;创建Node 2,为备节点,绑定IRF中的成员设备slot 2,关联Track项3和4。当slot 1的下行链路、管理链路或设备故障时,流量切换到slot 2,当故障恢复时,流量再切回。(适用于服务链模式vFW和服务链模式vLB)
[Device] redundancy group reth
[Device-redundancy-group-reth] member interface Reth999
[Device-redundancy-group-reth] member interface Reth2
[Device-redundancy-group-reth] node 1
[Device-redundancy-group-right-node1] bind slot 1
[Device-redundancy-group-right-node1] priority 100
[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0
[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0
[Device-redundancy-group-right-node1] quit
[Device-redundancy-group-reth] node 2
[Device-redundancy-group-right-node2] bind slot 2
[Device-redundancy-group-right-node2] priority 80
[Device-redundancy-group-right-node2] track 3 interface GigabitEthernet2/1/0
[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/4/0
当虚拟设备工作在IRF模式时,需要在两个虚拟设备上都配置双机热备的相关功能。
(1) 开启会话双机热备功能(适用于vFW、vLB、VNF网关和NGFW网关)
[Device] session synchronization enable
(2) 开启NAT双机热备功能(适用于VNF网关和NGFW网关)
[Device] nat port-block synchronization enable
(3) 开启IPsec双机热备功能(适用于VNF网关和NGFW网关)
[Device] ipsec redundancy enable
虚服务器是负载均衡设备上面向用户业务的虚拟载体,只有匹配上虚服务器的报文才需要进行负载均衡处理。创建Loopback 127,该接口作为虚服务器的IP地址所在接口。SeerEngine-DC界面上配置的虚服务器IP地址将自动下发到该接口。(适用于vLB)
[Device] interface LoopBack 127
Loopback 127接口已被预留作为虚服务器IP所在接口,该接口不可再用于其他用途。
有些防火墙(例如通过VNF Manager创建的vFW或通过NGFW Manager在M9K设备上虚拟出来的vFW)默认丢弃未匹配安全策略的报文,这样可能导致Underlay网络或管理网不通。通过把放行报文的接口加入到SDN默认安全域,并配置域内接口间报文默认动作为permit和域间策略的处理动作为pass,可放行Underlay数据链路报文和管理报文,实现网络互通。
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
· SDN_ZONE_DEFAULT安全域已被预留作为SDN默认放行域,该安全域不可再用于其他用途。
· SDN_POLICY_DEFAULT对象策略已被预留作为SDN默认放行策略,该对象策略不可再用于其他用途。
(1) 配置AC侧接口。接入设备上连接VM或物理服务器的接口称为AC侧接口(以Ten-GigabitEthernet2/0/5为例)。为了在SeerEngine-DC上显示并控制AC侧接口,必须在接入设备上配置以下命令:
[Device] interface Ten-GigabitEthernet2/0/5
[Device-Ten-GigabitEthernet2/0/5] vtep access port
由于产品芯片(例如S12500-X的F系列芯片)限制,在创建除VLAN接口外的其它类型三层接口/子接口前或配置需要使用三层接口硬件资源的特性前,需要先配置本功能预留VLAN接口资源。
当VXLAN隧道工作在三层转发模式时,在VSI视图创建VXLAN前,需要先配置全局类型VLAN接口资源预留。每创建一个VXLAN,需要预留一个全局类型VLAN接口资源。
<Sysname> system-view
[Sysname] reserve-vlan-interface 3400 to 3500 global
当用户的组网方案中使用服务网关组时,需配置服务网关组的成员设备连接安全设备(例如防火墙、负载均衡器)的所有物理接口(以接口GigabitEthernet11/0/13为例)加入同一个VLAN,以保证成员设备与安全设备二层互通。
[Device] interface GigabitEthernet 11/0/13
[Device-GigabitEthernet11/0/13] port link-mode bridge
[Device-GigabitEthernet11/0/13] port link-type trunk
[Device-GigabitEthernet11/0/13] port trunk permit vlan all
当从物理安全设备虚拟出来的防火墙资源(即Context)需部署DPI各业务(例如:IPS、防病毒、URL过滤等)时,需在物理安全设备上执行命令激活设备的DPI功能,否则SeerEngine-DC不能向该设备上的Context成功下发DPI各业务配置。
[Device] inspect activate
当设备为IRF模式时,需要配置IRF桥MAC永久保留。进行该配置后,无论IRF桥MAC拥有者是否离开IRF,IRF桥MAC始终保持不变,保证业务正常运行。
[Device] irf mac-address persistent always
对于安全纳管组网的服务网关,可通过配置Track和NQA联动探测静态路由的有效性,实现主备静态路由的自动切换。
创建并配置ICMP-echo类型的NQA测试组(管理员为admin,操作标签为test1)。
[Device] nqa entry admin test1
[Device-nqa-test-test] type icmp-echo
[Device-nqa-test-test-icmp-echo] destination ip 10.2.2.2
[Device-nqa-test-test-icmp-echo] frequency 1000
[Device-nqa-test-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trap-only
[Device-nqa-test-test-icmp-echo] vpn-instance external_vpn_22
[Device-nqa-test-test-icmp-echo] quit
[Device] nqa schedule test test start-time now lifetime forever
配置Track与NQA联动。
[Device] track 1 nqa entry admin test reaction 1
SeerEngine-DC创建云专线业务前,需在防火墙设备上手动配置专线口(适用于服务网关型防火墙)。VNF类型的防火墙资源不支持通过VNFM资源模板指定专线口,默认使用接口Reth1。
创建默认专线口:
[Device] interface Reth 1
Reth 1已被预留作为外网出接口或专线口,该接口不可再用于其他用途。如果Reth 1已作为专线口被云专线业务使用时,不能再作为外网出接口。
(1) 配置发布到vBGP的路由团体属性。
[Device] ip community-list 199 permit 2019:824
(2) 配置发布匹配团体属性的二类和三类EVPN路由策略。
[Device] route-policy SDN_PREDEF_vbgp_suppress_policy permit node 0
[Device-SDN_PREDEF_vbgp_suppress_policy-0] if-match community 199
[Device-SDN_PREDEF_vbgp_suppress_policy-0] quit
[Device] route-policy SDN_PREDEF_vbgp_suppress_policy permit node 1
[Device-SDN_PREDEF_vbgp_suppress_policy-1] if-match route-type bgp-evpn-mac-ip
[Device-SDN_PREDEF_vbgp_suppress_policy-1] quit
[Device] route-policy SDN_PREFEF_vbgp_suppress_policy permit node 2
[Device-SDN_PREDEF_vbgp_suppress_policy-2] if-match route-type bgp-evpn-imet
[Device-SDN_PREDEF_vbgp_suppress_policy-2] quit
(3) 配置向vBGP发布匹配路由策略的路由信息,vBGP的IP地址以4.4.4.4为例。对于IPv6组网,将IPv4地址替换为IPv6地址即可。
[Device] bgp 100
[Device-bgp-default] peer 4.4.4.4 as-number 100
[Device-bgp-default] peer 4.4.4.4 connect-interface LoopBack1
[Device-bgp-default] peer 4.4.4.4 graceful-restart timer restart extra no-limit
[Device-bgp-default] address-family l2vpn evpn
[Device-bgp-default-evpn] peer 4.4.4.4 route-policy SDN_PREDEF_vbgp_suppress_policy export
[Device-bgp-default-evpn] peer 4.4.4.4 advertise-community
在网络云双活网关场景下,需要在双活网关上配置VXLAN转发为非对称模式,网关上将使用L2VNI封装VXLAN报文。
[Device] evpn irb asymmetric
BFD echo报文的源IP地址用户可以任意指定。为了避免对端发送大量的ICMP重定向报文造成网络拥塞,建议配置BFD echo报文的源IP地址不属于该设备任何一个接口所在网段。
在网络云双活网关场景下,推荐将两个网关配置为不同的源IP地址。
· IPv4组网
[Device] bfd echo-source-ip 1.1.1.2
· IPv6组网
[Device] bfd echo-source-ipv6 1::2
在网络云双活网关场景下,需要为两个网关手动指定不同的Router ID,以避免两个网关自动生成相同的Router ID。
[Device] router id 1.1.1.1
[Device] bgp 100
[Device-bgp-default] router-id 1.1.1.1
在网络云双活网关场景下,需要通过配置OSPF实现Underlay路由故障切换。
· IPv4组网
[Device] ospf 11 router-id 1.1.1.1
[Device-ospf-11] stub-router include-stub on-startup wait-for-bgp 1200
[Device-ospf-11] fast-reroute lfa ecmp-shared
[Device-ospf-11] area 0.0.0.0
· IPv6组网
[Device] ospfv3 11
[Device-ospfv3-11] router-id 1.1.1.1
[Device-ospfv3-11] non-stop-routing
[Device-ospfv3-11] lsa-generation-interval 1 10 10
[Device-ospfv3-11] spf-schedule-interval 1 10 10
[Device-ospfv3-11] fast-reroute lfa
[Device-ospfv3-11] stub-router r-bit on-startup wait-for-bgp 1200
[Device-ospfv3-11] area 0.0.0.0
开启本功能后,设备会统计与L3VNI关联的VXLAN隧道上转发的流量。
[Device] tunnel statistics vxlan auto
[Device] tunnel statistics vxlan l3-vni
[Device] l2vpn statistics interval 5
通过配置BGP平滑重启功能,可实现在主备倒换或BGP协议重启时保证转发业务不中断。
[Device] bgp 100
[Device-bgp-default] graceful-restart
[Device-bgp-default] graceful-restart peer-reset all
通过配置优选路由,可通过BGP协议发布和接收多条路由,实现流量的负载分担。
[Device] bgp 100
[Device-bgp-default] address-family l2vpn evpn
[Device-bgp-default-evpn] additional-paths select-best 64
[Device-bgp-default-evpn] vpn-route cross multipath
[Device-bgp-default-evpn] peer 4.4.4.4 enable
[Device-bgp-default-evpn] peer 4.4.4.4 additional-paths receive send
[Device-bgp-default-evpn] peer 4.4.4.4 advertise additional-paths best 64
(1) 配置双活网关之间开启LDP功能,且只向对方发布VPNv4/VPNv6下一跳邻居地址。
· IPv4配置
[Device] ip prefix-list gw1-gw2 index 10 permit 1.1.1.1 32
[Device] mpls lsr-id 1.1.1.1
[Device] mpls ldp
[Device-ldp] advertise-label prefix-list gw1-gw2
· IPv6配置
[Device] ipv6 prefix-list gw1-gw2 index 20 permit 7::7 128
[Device] mpls lsr-id 1.1.1.1
[Device] mpls ldp
[Device-ldp] ipv6 advertise-label prefix-list gw1-gw2
(2) 为防止路由环路,配置路由策略,使双活网关间相互不发布缺省路由。
· IPv4组网
[Device] ip prefix-list SDN_PREFIXLIST_default index 10 permit 0.0.0.0 0
[Device] route-policy SDN_PREDEF_dcgw_deny_IPv4_backup deny node 10
[Device-SDN_PREDEF_dcgw_deny_IPv4_backup-10] if-match ip address prefix-list SDN_PREDEF_default
[Device-SDN_PREDEF_dcgw_deny_IPv4_backup-10] if-match tag 2019091122
[Device-SDN_PREDEF_dcgw_deny_IPv4_backup-10] quit
[Device] route-policy SDN_PREDEF_dcgw_deny_IPv4_backup permit node 20
· IPv6组网
[Device] ipv6 prefix-list SDN_PREFIXLIST_default index 10 permit :: 0
[Device] route-policy SDN_PREDEF_dcgw_deny_IPv6_backup deny node 10
[Device-SDN_PREDEF_dcgw_deny_IPv6_backup-10] if-match ipv6 address prefix-list SDN_PREDEF_default
[Device-SDN_PREDEF_dcgw_deny_IPv6_backup-10] if-match tag 2019091122
[Device-SDN_PREDEF_dcgw_deny_IPv6_backup-10] quit
[Device] route-policy SDN_PREDEF_dcgw_deny_IPv6_backup permit node 20
(3) 配置双活网关间建立VPNv4和VPNv6邻居,用于双活网关间路由备份。以IPv4地址为例,对于IPv6组网,将IPv4地址替换为IPv6地址即可。
[Device] bgp 100
[Device-bgp-default] flush suboptimal-route
[Device-bgp-default] labeled-route ignore-no-tunnel
[Device-bgp-default] peer 2.2.2.2 as-number 100
[Device-bgp-default] peer 2.2.2.2 connect-interface LoopBack0
[Device-bgp-default] address-family vpnv4
[Device-bgp-default-vpnv4] peer 2.2.2.2 enable
[Device-bgp-default-vpnv4] peer 2.2.2.2 route-policy SDN_PREDEF_dcgw_deny_IPv4_backup export
[Device-bgp-default-vpnv4] address-family vpnv6
[Device-bgp-default-vpnv6] peer 2.2.2.2 enable
[Device-bgp-default-vpnv6] peer 2.2.2.2 route-policy SDN_PREDEF_dcgw_deny_IPv6_backup export
为了提高ED的可靠性,避免单点故障,在数据中心的边缘可以部署两台ED设备与其他数据中心互联。可将两台ED虚拟成一台ED设备,采用虚拟IP地址与VTEP、远端ED建立隧道,以实现冗余保护和负载分担。
· IPv4组网
[Device] evpn edge group 100.0.0.1
· IPv6组网:
[Device] evpn edge group 11::11
数据中心三层互联(防火墙关闭)和外部网络开启路由精简时只指定目的VPN的静态路由。此类静态路由依赖跨VPN转发类型的业务环回组进行流量转发。
[Device] service-loopback group 5 type inter-vpn-fwd
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] port service-loopback group 5
为了防止SeerEngine-DC纳管设备前设备异常重启配置丢失,或设备一直无法激活SeerEngine-DC无法正常触发设备保存配置,建议用户配置完所有预配置后手工保存设备配置。
<Device> save force
Validating file. Please wait....
Saved the current configuration to mainboard device successfully.
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] ip https enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] quit
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0/1] ospf 10 area 0
[Device-GigabitEthernet1/0/1] quit
[Device] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] quit
[Device] interface GigabitEthernet 2/0/1
[Device-GigabitEthernet2/0/1] ip address 111.0.9.126 255.255.0.0
[Device-GigabitEthernet2/0/1] mtu 9216
[Device-GigabitEthernet2/0/1] ospf 1 area 0
[Device-GigabitEthernet2/0/1] ospf cost 1
通过VNF Manager或NGFW Manager创建指定类型的设备时,SeerEngine-DC会根据设备引用的模板类型不同向设备下发不同的预配置。用户可根据本章了解SeerEngine-DC下发了哪些预配置。
本章节介绍的预配置只是设备要实现功能的最简配置,根据用户配置模板时使用的接口不同,下发的预配置可能不同。
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
session synchronization enable
nat port-block synchronization enable
ipsec redundancy enable
ip vpn-instance external_vpn
interface GigabitEthernet 1/5/0.2
vlan-type dot1q vid 2
interface GigabitEthernet 2/5/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 1/5/0.2 priority 100
member interface GigabitEthernet 2/5/0.2 priority 80
ip binding vpn-instance external_vpn
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
redundancy group reth
preempt-delay 0
member interface Reth1
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
node 2
bind slot 2
priority 80
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface LoopBack 127
interface Reth 2
mtu 9216
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
redundancy group reth
preempt-delay 0
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface Reth2
mtu 9216
security-zone name SDN_ZONE_DEFAULT
import interface Reth2
import interface Reth999
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
interface Reth2
member interface GigabitEthernet 1/4/0 priority 100
member interface GigabitEthernet 2/4/0 priority 80
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
redundancy group reth
preempt-delay 0
member interface Reth2
member interface Reth999
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/1/0
track 4 interface GigabitEthernet 2/4/0
ospf 1
non-stop-routing
interface Reth2
ospf 1 area 0
interface LoopBack 1
ospf 1 area 0
interface LoopBack 127
interface Reth2
mtu 9216
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
interface LoopBack 127
session synchronization enable
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
import interface GigabitEthernet3/0
import interface GigabitEthernet3/0.2
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
nat port-block synchronization enable
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
Object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
session synchronization enable
ipsec redundancy enable
nat port-block synchronization enable
ip vpn-instance external_vpn
ospf 1 vpn-instance external_vpn
import-route direct
import-route static
area 0.0.0.0
interface LoopBack2
ip binding vpn-instance external_vpn
interface Ten-GigabitEthernet2/0/4
description internal
interface Ten-GigabitEthernet2/0/9
description external
ip binding vpn-instance external_vpn
ospf 1 area 0.0.0.0
interface Ten-GigabitEthernet2/0/15
description management
security-zone name SEC_ZONE_DEFAULT
import interface Ten-GigabitEthernet2/0/15
object-policy ip SEC_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SEC_POLICY_DEFAULT
ip route-static 0.0.0.0 0 192.168.67.254
session synchronization enable
nat port-block synchronization enable
session synchronization http
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface LoopBack 127
session synchronization enable
nat port-block synchronization enable
session synchronization http
interface LoopBack127
interface GigabitEthernet1/0/1
description management
interface Ten-GigabitEthernet1/0/26
description internal
interface Ten-GigabitEthernet1/0/27
description external
ip route-static 0.0.0.0 0 192.168.67.254
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device]interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ip address 21.0.6.126 255.255.255.255
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] interface LoopBack 127
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] Object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type ssh
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ssh server enable
[Device] netconf ssh server enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
配置设备管理接口IP地址,并配置该地址与SeerEngine-DC的IP地址路由互通,具体配置略。
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!
支持
售前咨询
售后咨询
人工在线咨询
