- Released At: 21-10-2024
AD-Campus 6.3
IPv6 Service Configuration Guide
Document version: 5W101-20230602
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
This document provides generic technical information, some of which might not be applicable to your products.
The information in this document is subject to change without notice.
Contents
IPv6 service configuration flowchart
Resource and IP address planning
Configure the IPv6 service for managed devices
Configure automated device deployment
Configure the Microsoft DHCPv6 server
IPv6 service configuration flowchart
Install the Campus component and the vDHCP component on Unified Platform
Configure automated deployment of pure IPv6 devices
Configure the Layer 3 or Layer 2 architecture
IRF stacking of Access devices
Add a DHCPv6 server in the isolation domain
Configure authentication terminals
Introduction
With the advancement of IPv6, campus network users have a high demand for IPv6 services. Therefore, H3C added the IPv6 service related functions, including IPv6 device management, automated IPv6 device deployment, and IPv6 authentication, to the AD-Campus solution.
At present, the controller manages IPv6 services in the following two modes:
· Use IPv4 as the management network and IPv6 as the service network.
· Use IPv6 as the management network and IPv6 as the service network.
For procedures to configure the IPv6 service in the two networking modes, see "IPv4 management network" and "IPv6 management network".
IPv4 management network
Typical networking
Network diagram
Figure 1 Network diagram
In the IPv6 network diagram, the controller still manages devices through IPv4 addresses. Compared with standard IPv4 networking, this networking supports Microsoft DHCPv6 servers and Microsoft DHCP/vDHCP. Microsoft DHCPv6 supports only loose coupling and vDHCP supports both tight coupling and high availability (HA).
Configuration process
The controller manages devices in the network through IPv4 addresses. IPv6 service deployment supports manual deployment and automatic deployment as follows:
IPv6 configuration for managed devices
1. The controller manages devices through IPv4 addresses.
2. Configure IPv6 service settings on the devices manually.
3. Configure IPv6 service settings on the controller page.
4. Configure the DHCPv6 server.
5. Configure the IPv6 security group.
6. A user comes online after authentication and obtains an IPv6 address.
Automated device deployment
1. Configure IPv6 service settings on the controller page.
2. Start automated device deployment, during which the controller deploys the IPv6 configuration on the devices.
3. Configure the DHCPv6 server.
4. Configure the IPv6 security group.
5. A user comes online after authentication and obtains an IPv6 address.
IPv6 service configuration flowchart
Figure 2 IPv6 service configuration flowchart
Configure the IPv6 service
Resource and IP address planning
Table 1 IP address planning
Item | Example | Description
VLAN 1 network segment (gateway) | 120.1.0.0/24 (120.1.0.1) | VLAN 1 network for automated deployment
VLAN 4094 network segment (gateway) | 130.1.0.0/24 (130.1.0.1) | VLAN 4094 network for communication between the controller and devices
VLAN 30 network segment (gateway) | 100.1.0.0/24 (100.1.0.1) | Network segment used by Unified Platform for communication with PCs
VLAN 1010 network segment (gateway) | 110.1.0.0/24 (110.1.0.1) | Network segment used by SeerEngine-Campus and vDHCP for communication between the controller and PCs (configured when SeerEngine-Campus uses an independent NIC)
Network address of the underlay IP addresses | 200.1.1.0/24 | Network segment to which the IP addresses of the loopback interfaces on spine and leaf devices belong
Unified Platform northbound service IP address | 100.1.0.100 | IP address of logging in to Unified Platform
EIA | 100.1.0.100 | IP address of the EIA server
SeerEngine-Campus cluster IP address | 110.1.0.100 | IP address of the SeerEngine-Campus cluster
SeerEngine-Campus node IP address | Node 1: 110.1.0.101 Node 2: 110.1.0.102 Node 3: 110.1.0.103 | IP addresses of the three nodes in the SeerEngine-Campus cluster
vDHCP cluster IP address | 110.1.0.104 | Cluster IP address of the vDHCP server (not used actually)
vDHCP node IP address | Node 1: 110.1.0.105 Node 2: 110.1.0.106 | IP addresses of the two nodes in the vDHCP server
VXLAN/VLAN 4094 IPv6 network segment (gateway) | 133::/64 (133::1) | VXLAN or VLAN 4094 IPv6 network for communication between the controller and devices
DHCPv6 network segment (gateway) | 130::/64 (130::AAAA) | IPv6 network specified for the DHCPv6 server
Configure the IPv6 service for managed devices
This configuration task is also applicable to manually managing new devices.
Configure the Layer 3 switch
1. Assign the IPv6 gateway address in the IP address pool to VLAN-interface 4094 on the Layer 3 switch.
#
interface Vlan-interface4094
ip address 130.1.0.1 255.255.255.0
ipv6 address 133::1/64
#
2. Configure the static route.
Configure the static routing or dynamic routing protocol. This configuration is used for interconnection between the user and the server (DHCPv6 or EIA V7) after the user obtains an IPv6 address.
ipv6 route-static :: 0 133::2 // Configure a default route whose next hop is the IPv6 address of VSI-interface 4094 on the spine device.
Configure spine devices
1. Configure the IPv6 address of VSI-interface 4094.
#
interface Vsi-interface4094
ip binding vpn-instance vpn-default
ip address 130.1.0.2 255.255.255.0
local-proxy-arp enable
ipv6 address 133::2/64
local-proxy-nd enable
#
2. Configure VPN settings.
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
3. Configure BGP settings.
bgp 100
ip vpn-instance vpn-default
#
address-family ipv6 unicast
import-route direct
import-route static
#
4. Configure a static route to the server. The next hop of the static route is the IPv6 address of VLAN 4094 on the Layer 3 switch.
ipv6 route-static vpn-instance vpn-default 130:: 64 133::1
// The destination IP address is the IPv6 network address of the server.
5. Disable ND learning on VXLAN tunnels globally.
vxlan tunnel nd-learning disable
6. Enable IPv6 for VSI-interface 4092.
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
ipv6 address auto link-local
l3-vni 4092
#
Configure leaf devices
1. Configure VSI-interface 4094.
#
interface Vsi-interface4094
ip binding vpn-instance vpn-default
ip address 130.1.0.3 255.255.255.0
local-proxy-arp enable
arp proxy-send enable
ipv6 address 133::3/64
local-proxy-nd enable
#
2. Configure VPN settings.
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
3. Configure BGP settings.
bgp 100
ip vpn-instance vpn-default
#
address-family ipv6 unicast
import-route direct
import-route static
#
4. Configure a static route to the server. The next hop of the static route is the IPv6 address of VLAN 4094 on the Layer 3 switch.
ipv6 route-static vpn-instance vpn-default 130:: 64 133::1 // The destination IP address is the IPv6 network address of the server.
5. Configure DHCP snooping globally.
ipv6 dhcp snooping enable vlan 2 to 4094
6. Disable ND learning on VXLAN tunnels globally.
vxlan tunnel nd-learning disable
7. Enable IPv6 for VSI-interface 4092.
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
ipv6 address auto link-local
l3-vni 4092
#
8. Configure DHCPv6 snooping in the VSI VXLAN 4094 instance.
#
vsi vxlan4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
arp mac-learning disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
dhcp snooping trust tunnel
ipv6 dhcp snooping trust tunnel
#
9. Enable conversational learning. (This feature is optional and is disabled by default. You can enable it as required.)
If conversational learning is enabled on the leaf device, enable BGP instance vpn-default on the spine device to import direct routes. This configuration ensures that both the leaf and spine devices can import all private routes from endpoints, so the endpoint side, the server side, and the external network side can communicate with each other.
# To save hardware resources, the remote ARP entries synchronized through EVPN are not delivered to hardware by default. They are delivered to hardware only when traffic requests exist.
ip forwarding-conversational-learning // Enable IPv4 conversational learning.
ipv6 forwarding-conversational-learning // Enable IPv6 conversational learning.
# When no traffic uses a hardware entry, the entry will be deleted after 60 minutes by default. You can use the following command to set the aging time for hardware entries.
[leaf1]ip forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
#
[leaf1]ipv6 forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
NOTE: Follow these guidelines when you configure the conversational learning feature:
· If the device model of the leaf device is S5560X or S6520X, enable this feature.
· When the leaf device also acts as a border node, do not enable this feature on the leaf device.
Configure the access device
1. Configure VLAN-interface 4094.
#
interface Vlan-interface4094
ip address 130.1.0.4 255.255.255.0
ipv6 address 133::4/64
#
2. Configure the static route.
When the connection between the spine and Unified Platform is a Layer 3 connection, you need to configure a static route to the server. The next hop of the static route is the IPv6 address of the VLAN-interface 4094 on the L3 switch.
ipv6 route-static 130:: 64 133::1 // The destination IP address is the IPv6 network address of the server.
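A pre-deployment check for the manual steps above, as an added example (not H3C tooling and not part of the original guide): it parses the ipv6 address and ipv6 route-static lines of a saved configuration and checks them against the 133::/64 management segment from Table 1. The PLAN mapping, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Planned prefix per interface, taken from Table 1 of this guide
# (VXLAN/VLAN 4094 IPv6 segment 133::/64). The dict layout is an assumption.
PLAN = {
    "Vlan-interface4094": ipaddress.ip_network("133::/64"),
    "Vsi-interface4094": ipaddress.ip_network("133::/64"),
}
# Every static route in this section points at a next hop on VLAN/VSI 4094.
NEXT_HOP_NET = ipaddress.ip_network("133::/64")


def _strip(line):
    """Drop a trailing // comment and surrounding whitespace."""
    return line.split("//", 1)[0].strip()


def _check_address(arg, iface):
    """Validate the argument of 'ipv6 address' inside an interface stanza."""
    if arg == "auto link-local":
        return None
    try:
        addr = ipaddress.ip_interface(arg)
    except ValueError:
        return f"malformed address {arg!r}"
    planned = PLAN.get(iface)
    if planned is not None and addr.network != planned:
        return f"{addr} is not in planned {planned} for {iface}"
    return None


def _check_route(fields):
    """Validate '<prefix> <prefix-length> <next-hop>' of ipv6 route-static."""
    if fields[:1] == ["vpn-instance"]:      # optional 'vpn-instance <name>'
        fields = fields[2:]
    if len(fields) != 3:
        return "expected <prefix> <prefix-length> <next-hop>, got " + " ".join(fields)
    prefix, length, next_hop = fields
    try:
        ipaddress.ip_network(f"{prefix}/{length}", strict=True)
    except ValueError:
        return f"destination {prefix}/{length} is not a valid network address"
    try:
        hop = ipaddress.ip_address(next_hop)
    except ValueError:
        return f"malformed next hop {next_hop!r}"
    if hop not in NEXT_HOP_NET:
        return f"next hop {hop} is outside {NEXT_HOP_NET}"
    return None


def audit(config):
    """Return [(line_number, problem)] for ipv6 address / route-static lines."""
    findings, iface = [], None
    for number, raw in enumerate(config.splitlines(), start=1):
        line = _strip(raw)
        problem = None
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "#":
            iface = None
        elif line.startswith("ipv6 address "):
            problem = _check_address(line[len("ipv6 address "):], iface)
        elif line.startswith("ipv6 route-static "):
            problem = _check_route(line.split()[2:])
        if problem:
            findings.append((number, problem))
    return findings


# Constructed sample: two interface stanzas and five routes, four lines wrong.
SAMPLE_ROUTES = """\
#
interface Vlan-interface4094
 ipv6 address 133::4/64
#
interface Vsi-interface4094
 ipv6 address 133:: 2/64
#
ipv6 route-static :: 0 133::2
ipv6 route-static vpn-instance vpn-default 130:: 64 133::1
ipv6 route-static 130::64 133::1
ipv6 route-static 130::1 64 133::1
ipv6 route-static 130:: 64 130::1
"""

if __name__ == "__main__":
    for number, problem in audit(SAMPLE_ROUTES):
        print(f"line {number}: {problem}")
```

The check separates the prefix from the prefix length, so a fused destination such as 130::64 is reported instead of being read as a host address.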
Enable IPv6 on the controller page
Access Automation > Campus Network > Network Parameters > Parameter > Controller Global Settings page, and set the IPv6 parameter to Yes.
Figure 3 Enabling IPv6
Configure automated device deployment
For automated device deployment, you only need to add the following configuration on the basis of IPv4 configuration.
Configure the Layer 3 switch
1. Assign the IPv6 gateway address in the IP address pool to VLAN-interface 4094 on the Layer 3 switch.
#
interface Vlan-interface4094
ip address 130.1.0.1 255.255.255.0
ipv6 address 133::1/64
#
2. Configure the static route.
Configure the static routing or dynamic routing protocol. This configuration is used for interconnection between the user and the server after the user obtains an IPv6 address.
ipv6 route-static :: 0 133::2 // Configure a default route whose next hop is the IPv6 address of VSI-interface 4094 on the spine device.
3. Enable conversational learning. (This feature is optional and is disabled by default. You can enable it as required.)
If conversational learning is enabled on the leaf device, enable BGP instance vpn-default on the spine device to import direct routes. This configuration ensures that both the leaf and spine devices can import all private routes from endpoints, so the endpoint side, the server side, and the external network side can communicate with each other.
# To save hardware resources, the remote ARP entries synchronized through EVPN are not delivered to hardware by default. They are delivered to hardware only when traffic requests exist.
ip forwarding-conversational-learning // Enable IPv4 conversational learning.
ipv6 forwarding-conversational-learning // Enable IPv6 conversational learning.
# When no traffic uses a hardware entry, the entry will be deleted after 60 minutes by default. You can use the following command to set the aging time for hardware entries.
[leaf1]ip forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
#
[leaf1]ipv6 forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
NOTE: Follow these guidelines when you configure the conversational learning feature:
· If the device model of the leaf device is S5560X or S6520X, enable this feature.
· When the leaf device also acts as a border node, do not enable this feature on the leaf device.
Configure IPv6 service settings on the controller page
1. Create an IPv6 address pool for VLAN 4094. Access Automation > Campus Network > Network Devices page, and click IP Address Pools.
2. Click Add. Configure the IP address pool as shown in the following figure. Click OK to save the configuration.
¡ Name: Enter an IP address pool name.
¡ Type: Select Campus VLAN4094 Network.
¡ Address Pool: Enter the address pool.
¡ Gateway Address: Enter a gateway address.
Figure 4 Adding an IP address pool
3. Create an automation template. When you create an automation template, add a VLAN 4094 IPv6 address pool in the address pool settings, and add the IPv6 address of the DHCP server as the IPv6 CIDR.
a. Access Automation > Campus Network > Fabrics page, and click Automatic Deployment. Add an automation template, select fabrics, and then click OK. Select Legacy Automated Deployment and select the IP Pool Settings tab to configure the IP address pool. Parameters are described as follows:
- VLAN4094 IPv6 Pool: Select the previously created IP address pool.
- IPv6 CIDR: Specify the IPv6 server address range for communication with users. During automated device deployment, the controller deploys the static route to this network segment on devices.
Figure 5 Setting the IP address pool
b. After completing the configuration, click OK to save the settings and go back to the automation template page. Click the preview icon in the Actions column of the corresponding template to view the added IPv6 configuration.
Figure 6 Previewing the template
Enable IPv6 on the controller page
Access Automation > Campus Network > Network Parameters > Parameter > Global Settings page, and set the IPv6 parameter to Yes.
Figure 7 Enabling IPv6
Configure the DHCPv6 server
Configure the Microsoft DHCPv6 server
Install Microsoft DHCP
For details, see the section about installing Microsoft DHCP services in AD-Campus 6.3 Tight Microsoft DHCP Management Configuration Guide.
Incorporate a DHCPv6 server on the controller
IMPORTANT: Select Loose as the management mode and do not select High Available because this solution does not support it.
Access Automation > Campus Network > Network Parameters > DHCP page and click Add. Incorporate a Microsoft DHCP server on the pop-up page.
· Name: Enter a DHCP server name.
· Management Mode: Select Loose.
· IPv6 Address: Enter the IPv6 address of the DHCP server.
Figure 8 Adding a DHCP server
After completing the configuration, click OK. The newly added DHCP server is displayed in the DHCP server list.
Figure 9 Viewing the added DHCP server
Create an IPv6 security group scope
CAUTION:
· No superscope needs to be created for IPv6.
· At present, the DHCPv6 server only supports loose coupling and does not support the primary/backup mode. Security group scopes can only be added manually on the DHCP server.
In a typical network, users obtain IPv4 addresses from vDHCP, so it is not necessary to configure an IPv4 security group scope on the Microsoft DHCP server.
To create a security group IPv6 scope:
1. In the DHCP window, select DHCP > win-g3mq08j081q > IPv6 and then click IPv6. win-g3mq08j081q is used as an example and can be adjusted according to the actual path. Select New Scope from the shortcut menu.
Figure 10 Creating a new scope
2. Enter a scope name and a scope description, and click Next.
Figure 11 Specifying the scope name
3. Access the Scope Prefix page, enter the IPv6 prefix of the addresses that the scope distributes, and click Next.
Figure 12 Specifying the scope prefix
4. Access the Add Exclusions page, enter the IPv6 address range (including the gateway address) that you want to exclude from the given scope, and click Add. The excluded address range is displayed in the Excluded address range area. Click Next.
Figure 13 Adding exclusions
5. Access the Scope Lease page. The ranges for the preferred life time and the valid life time of IPv6 addresses are both from 1 minute to 999 days, 23 hours, and 59 minutes. The preferred life time must be less than or equal to the valid life time.
Figure 14 Configuring the scope lease
6. Keep the default settings for other parameters, and click Next until the scope is activated.
Figure 15 Activated scope
IPv6 management network
Typical networking
Network diagram
Figure 16 Network diagram
Compared with standard IPv4 networking, this networking supports DHCPv6 server. The controller uses only IPv6 addresses to manage IPv6 devices (the IP addresses of VLAN-interface 1, VLAN-interface 4094, and loopback interface on each device are all IPv6 addresses).
Configuration process
The controller manages devices through IPv6 addresses. IPv6 service deployment supports manual deployment and automatic deployment as follows:
Manually configure devices
1. Configure IPv6 service settings on devices manually.
2. Manually incorporate the devices on the controller page.
3. Configure the DHCPv6 server.
4. Configure the IPv6 security group.
5. A user comes online after authentication and obtains an IPv6 address.
Automated device deployment
1. Configure automated device deployment on the controller page (including DHCPv6 server configuration).
2. Configure the IPv6 security group.
3. A user comes online after authentication and obtains an IPv6 address.
IPv6 service configuration flowchart
Figure 17 IPv6 service configuration flowchart
Configure the IPv6 service
Resource and IP address plans
Figure 18 IP address planning
Item | Example | Description
Unified Platform northbound service IP address | 190::195 | Unified Platform northbound service IP address
EIA | 190::204 | IP address of the EIA server
SeerEngine-Campus cluster IP address | 130::195 | IP address of the SeerEngine-Campus cluster
SeerEngine-Campus node IP address | Node 1: 130::190 Node 2: 130::191 Node 3: 130::192 | IP addresses of the three nodes in the SeerEngine-Campus cluster
vDHCP | Node 1: 130::6 Node 2: 130::7 | IP addresses of the two nodes in the vDHCP server
VLAN 1 gateway | 132::1 | VLAN 1 gateway for automated deployment
VLAN 4094 gateway | 133::1 | VLAN 4094 gateway for communication between the controller and devices
VLAN 50 gateway | 130::AAAA | VLAN 50 gateway of the network segment at which the controller and the vDHCP server are located.
VLAN 150 gateway | 190::AAAA | VLAN 150 gateway of the network segment at which Unified Platform and the EIA server are located.
Typical connection mode
When you deploy SeerEngine-Campus, select the Layer 3 access solution to connect the spine device and the controller. This solution allows Unified Platform and SeerEngine-Campus to share a network adapter. You can choose whether to reuse the network adapter of Unified Platform as required.
The Layer 3 access solution uses one or two network adapters. If you use one network adapter for deployment, SeerEngine-Campus and Unified Platform share the same network adapter. If you use two network adapters, SeerEngine-Campus and Unified Platform use different network adapters.
Install the Campus component and the vDHCP component on Unified Platform
NOTE: The vDHCP component supports IPv4&IPv6 dual-stack deployment and SeerEngine-Campus supports only single-stack deployment.
1. Log in to Unified Platform. On the top navigation bar, click System. From the left navigation pane, select Deployment Management. Click Upload to upload packages.
Figure 19 Uploading the vDHCP package
2. Click Next after the packages are uploaded.
3. On the Select Component page, select Controller > Campus Network, and then select Converged EIA.
Figure 20 Selecting components 1
On the Select Component page, select Public Service > vDHCP Server, and then select Southbound Dual Protocol.
Figure 21 Selecting components 2
4. After selecting the components to be installed on the Select Component page, click Next.
On the Settings page, click Next directly.
On the Configure Network page, create IPv4 and IPv6 networks and their subnets for address assignment to the controller and vDHCP.
Figure 22 Configuring networks
NOTE: The VLAN field is left blank by default. To configure this field, you need to configure the port that connects the Layer 3 switch to the network adapter as a trunk port. The PVID of this port must differ from the VLAN configured here. (As a best practice, do not configure this field.)
5. After completing the configuration, click Next. On the Bind to Nodes page, click Next to bind networks and subnets to the desired component as follows:
¡ Specify an IPv6 subnet as the management network of the SeerEngine-Campus component.
¡ Specify an IPv4 subnet as the management network of the SeerEngine-Campus component and specify an IPv4 subnet as the default network of the SeerEngine-Campus component.
Figure 23 Binding networks and subnets to nodes
6. After you bind networks and subnets to components on the Bind Network page, assign IP addresses to the components by using the address pools associated with the bound subnets.
After completing the configuration, click Next. When deploying the vDHCP server, you need to manually enter the VRRP group number with a value range of 1 to 255. The VRRP group number must be unique in the same network.
After confirming the parameter settings, click Deploy to start deployment.
Figure 24 Confirming parameters 1
Figure 25 Confirming parameters 2
7. After the deployment is complete, click the icon on the left of the component name to display component information, or click the Details icon to view detailed component information.
Figure 26 Viewing component details
Manually configure devices
The following describes the basic configuration procedures for manual configuration when the spine devices, leaf devices, and access devices are not automatically deployed. After underlay configuration is complete, the SeerEngine-Campus controller can incorporate devices and deploy overlay configuration.
Configure the Layer 3 switch
1. Enable DHCP and STP globally.
# Enable DHCP.
dhcp enable
#
# Enable STP.
stp global enable
#
2. Configure VLAN-interface 1 and VLAN-interface 4094.
#
interface Vlan-interface1
ipv6 address 132::1/64
ipv6 dhcp select relay // This DHCP relay configuration is used for automated device deployment. If spine/leaf/access devices are manually managed, you can skip the DHCP relay configuration.
ipv6 dhcp relay server-address 130::106 // IP address of a vDHCP server node
ipv6 dhcp relay server-address 130::107
#
vlan 4094
#
#
interface Vlan-interface4094
ipv6 address 133::1/64
#
3. Create VLAN-interface 50 and VLAN-interface 150.
#
vlan 50
vlan 150
#
#
interface Vlan-interface 50
ipv6 address 130::AAAA/64
#
#
interface Vlan-interface 150
ipv6 address 190::AAAA/64
#
4. Configure the interface connecting to the spine device.
#
interface Ten-GigabitEthernet1/0/49
description to_jieruSpine
port link-type trunk
port trunk permit vlan 1 4094
#
5. Add the interface connecting to Unified Platform to VLAN 150.
#
interface GigabitEthernet1/0/37
port access vlan 150
stp edged-port
#
6. Add the interface connecting to SeerEngine-Campus and vDHCP to VLAN 50.
#
interface GigabitEthernet1/0/30
port access vlan 50
stp edged-port
#
7. Add the default route. Set its next hop to the IP address of the VSI-interface 4094 on the spine device for interconnection between authenticated users and EIA.
#
ipv6 route-static :: 0 133::2
#
Configure the spine device
1. Configure the Spine role and sysname.
# For a device whose role is Spine by default, you do not need to configure the role of the device. Otherwise, configure the device as a spine device first and restart the device for the configuration to take effect.
vcf-fabric role spine
#
sysname spine
#
2. Configure LLDP (to determine the topology).
#
lldp global enable
#
3. Configure STP.
#
undo stp vlan 2 to 4094 enable
stp mode pvst
stp global enable
stp vlan 1 priority 0 // Set the STP priority value of the Spine device.
#
4. Configure SNMP, NETCONF, Telnet, and SSH.
# Configure SNMP. The following provides the default configuration, and you can adjust SNMP communities based on the actual condition.
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
# Configure NETCONF.
netconf soap http enable
netconf soap https enable
netconf ssh server enable
restful https enable
#
# Configure Telnet.
telnet server enable
#
# Configure SSH.
ssh server enable
#
5. Configure the username and password of Telnet and SSH.
# Set the username to admin and password to H3C1234567.
local-user admin class manage
password simple H3C1234567 // Make sure the password meets the complexity requirements. The password must be 10 to 63 characters in length and contain at least two of the following character types: digit, uppercase letter, lowercase letter, and special character. Chinese characters are not supported and the password cannot contain the question mark (?), space, username, or username in reverse order.
service-type telnet http https ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
6. Create VLAN 4094 and VLAN-interface 1.
# Create VLAN 4094.
vlan 4094
#
# (Optional) Create VLAN-interface 1.
interface Vlan-interface1
ipv6 address 132::4/64
7. Configure OSPF.
#
ospfv3 1
router-id 66.0.0.2
non-stop-routing
area 0.0.0.0
#
8. Configure the loopback interface.
#
interface LoopBack0
ospfv3 1 area 0.0.0.0 // Configure OSPF.
ipv6 address 51::3/128
#
9. Configure the downlink interfaces of the spine device. If there are multiple downlink interfaces, create multiple VLAN interfaces.
# Create a VLAN.
vlan 3496
#
# Create a VLAN interface.
interface Vlan-interface3496
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ipv6 address auto link-local
#
# Execute the port trunk permit command on each downlink interface of the spine device.
#
interface GigabitEthernet1/0/35
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 3496 // You do not need to execute permit vlan 1 for spine/leaf/access devices that are deployed manually.
#
CAUTION: The default VLANs automatically delivered by SeerEngine-Campus include:
· VLAN 100: BFD detection of automated IRF setup.
· VLANs 101 to 2800: Access switches.
· VLANs 2801 to 3000: Static access ACs.
· VLANs 3001 to 3500: Interconnect links for spine and leaf devices for automated device deployment.
· VLANs 3501 to 4000: Security groups.
· VLANs 4092 to 4094: Reserved.
· VLANs 1 to 99 and VLANs 4001 to 4091: Not assigned automatically.
· VLANs 4051 to 4060: Authentication-free VLANs.
As a best practice, use VLANs 2 to 99, VLANs 4001 to 4050, and VLANs 4061 to 4091 when configuring VLAN interfaces for routing and route advertisement. At present, the VLAN range can be customized and planned according to specific scenarios.
The multiple links between spine and leaf devices are ECMP links. As VLAN 1 is enabled with STP, a spine-leaf link might be in discarding status, which is normal.
10. Enable L2VPN.
#
l2vpn enable
#
11. Configure vpn-target, the IP addresses of VSI VXLAN 4094 and VSI-interface IP address, and L3 VNI for connectivity of the control channel.
# Create vpn-default. Configure the RD and RT manually. Configure the RD and RT as 1:1 in the whole network.
#
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
# Configure the IP address of VSI-interface 4094.
interface Vsi-interface4094
ip binding vpn-instance vpn-default
local-proxy-arp enable
arp proxy-send enable // Enable the ARP request proxy sending feature, so endpoints can still connect to the server when they cannot obtain the server's ARP information upon network connection timeout.
ipv6 address 133::3/64
local-proxy-nd enable
#
# Configure a VSI-interface and an L3 VNI for Layer 3 forwarding.
# The ip address unnumbered command is used to configure this interface to borrow the IP address of the specified interface. When a security group is created in instance vpn-default, the source IP of the packets is specified as the interface IP of VSI-interface 4094.
# Create VSI-interface 4092 to configure the L3 VNI of instance vpn-default.
interface Vsi-interface4092
description SDN_VRF_VSI_Interface_4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
ipv6 address auto link-local
l3-vni 4092
#
# Configure the VSI VXLAN 4094 instance.
vsi vxlan4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
arp mac-learning disable
nd mac-learning disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
ipv6 dhcp snooping trust tunnel
loopback-detection action block
loopback-detection enable vlan 4094
#
12. Configure BGP EVPN.
# Configure BGP. If there are multiple leaf nodes, you need to configure multiple peers.
# The manually configured AS number must be the same as that configured for the fabric in SeerEngine-Campus.
#
bgp 100
non-stop-routing
router-id 66.0.0.2 // The router ID of each device cannot be the same.
peer 51::2 as-number 100 // Configure the BGP peer. The IP address is the IP address of the loopback interface on the leaf device.
peer 51::2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 51::2 enable
peer 51::2 reflect-client // Configure a route reflector for forwarding routes between different leaf devices.
#
ip vpn-instance vpn-default
#
address-family ipv4 unicast
import-route direct // Import direct routes. The configuration is required if IPv4 conversational learning is enabled on the leaf device.
import-route static // Import a static route.
#
address-family ipv6 unicast
import-route direct // Import direct routes. If conversational learning for IPv6 is enabled on a leaf device, this configuration is required.
import-route static // Import static routes.
#
13. Configure the uplink interface (the one connecting to the Layer 3 switch) of the Spine device as the AC interface and bind it to VSI VXLAN 4094.
#
interface Ten-GigabitEthernet1/0/52
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 4094
service-instance 4094 // Create service instance 4094.
encapsulation s-vid 4094 // Match VLAN tag 4094.
xconnect vsi vxlan4094 // Bind VSI VXLAN 4094.
#
14. Configure static routes.
# When the connection between the spine device and Unified Platform is a Layer 3 connection, you need to configure static routes to the servers of Unified Platform, the controller, EIA, and other services. The next hop of these static routes is the IP address of VLAN-interface 4094 on the L3 switch.
ipv6 route-static vpn-instance vpn-default 130:: 64 133::1 // The destination IP is the network address of the controller, vDHCP, and EIA.
#
ipv6 route-static vpn-instance vpn-default 190:: 64 133::1 // The destination IP is the network address of Unified Platform.
#
# Disable MAC address learning and ARP learning on the VXLAN tunnels.
# Disable ARP and ND learning on the VXLAN tunnels to prohibit ARP learning and MAC address learning for remote packets.
vxlan tunnel arp-learning disable
vxlan tunnel nd-learning disable
#
# Disable MAC address learning of the VXLAN tunnel.
vxlan tunnel mac-learning disable
#
# Configure NTP.
#
clock timezone beijing add 08:00:00
#
# The IP address is the IP address of the NTP server.
ntp-service enable
ntp-service unicast-server 190::195 vpn-instance vpn-default
#
CAUTION: If a built-in NTP server is configured during Unified Platform deployment, as a best practice, configure the NTP server IP as the cluster northbound service IP of Unified Platform. If an external NTP server is configured during Unified Platform deployment, make sure the NTP server can communicate with the controller and Unified Platform.
15. Do not change the bridge MAC address of a spine IRF fabric.
If the spine device is an IRF fabric, use the following command to ensure that the bridge MAC address of the device remains unchanged during a master/subordinate switchover.
#
irf mac-address persistent always
#
Configure the Leaf device
IMPORTANT: If an S5560X switch or S6520X switch is used as a leaf device, set the switch mode to VXLAN and restart the device for the configuration to take effect.
Before incorporating a leaf device to SeerEngine-Campus, manually perform the following operations:
# View the switch mode and make sure it is VXLAN mode.
dis switch-mode status
Switch-mode in use: VXLAN MODE.
Switch-mode for next reboot: VXLAN MODE.
#
# View supported switch modes.
[Leaf11]switch-mode ?
0 NORMAL MODE(default)
1 VXLAN MODE
2 802.1BR MODE
3 MPLS MODE
4 MPLS-IRF MODE
#
# Set the switch mode to VXLAN, and then restart the device for the configuration to take effect.
switch-mode 1
#
To configure a leaf device:
1. Configure the Leaf role and sysname.
# For a device whose role is Leaf by default, you do not need to configure the role of the device. Otherwise, configure the device as a leaf device first and restart the device for the configuration to take effect.
#
vcf-fabric role leaf
#
# Configure the sysname.
sysname leaf1
#
2. Configure LLDP (to determine the topology).
#
lldp global enable
#
3. Configure STP.
#
undo stp vlan 2 to 4094 enable
stp mode pvst
stp global enable
stp vlan 1 priority 4096
#
# Enable stp tc-restriction on the Leaf downlink interface.
#
interface GigabitEthernet1/0/13
stp tc-restriction
#
IMPORTANT: Use the stp tc-restriction command to enable TC-BPDU transmission restriction on the downlink interface of the leaf device. If the interface is directly connected to an endpoint, execute the stp edged-port command.
4. Configure SNMP, NETCONF, Telnet, and SSH.
# Configure SNMP. The following is the default configuration. You can configure SNMP communities as needed.
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
# Configure NETCONF.
#
netconf soap http enable
netconf soap https enable
netconf ssh server enable
restful https enable
#
# Configure Telnet.
telnet server enable
#
# Configure SSH.
ssh server enable
#
5. Configure the username and password of Telnet and SSH.
# Set the username to admin and password to H3C1234567.
local-user admin class manage
password simple H3C1234567 // Make sure the password meets the complexity requirements. The password must be 10 to 63 characters in length and contain at least two of the following character types: digit, uppercase letter, lowercase letter, and special character. Chinese characters are not supported and the password cannot contain the question mark (?), space, username, or username in reverse order.
service-type telnet http https ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
6. Create VLAN 4094 and VLAN-interface 1.
# Create VLAN 4094.
vlan 4094
#
# Create VLAN-interface 1.
interface Vlan-interface1
ipv6 address 132::5/64
#
7. Configure OSPF.
#
ospfv3 1
router-id 66.0.0.3
non-stop-routing
area 0.0.0.0
#
8. Configure the loopback interface.
#
interface LoopBack0
ipv6 address 51::2/128 // Establish a BGP peer for the spine device.
ospfv3 1 area 0.0.0.0
#
9. Configure an L3 VLAN interface for interconnection with the spine device.
# Create a VLAN.
vlan 3496 // It must be the same as the VLAN on the Spine device. For details, see "Configuring the IPv6 service for managed devices."
#
# Create a VLAN interface.
interface Vlan-interface3496
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ipv6 address auto link-local
#
# Configure the port trunk permit vlan command on the leaf uplink interface.
#
interface GigabitEthernet5/0/19
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 3496
#
CAUTION: The default VLANs automatically delivered by SeerEngine-Campus include:
· VLAN 100: BFD detection of automated IRF setup.
· VLANs 101 to 2800: Access switches.
· VLANs 2801 to 3000: Static access ACs.
· VLANs 3001 to 3500: Interconnect links for spine and leaf devices for automated device deployment.
· VLANs 3501 to 4000: Security groups.
· VLANs 4092 to 4094: Reserved.
· VLANs 1 to 99 and VLANs 4001 to 4091: Not assigned automatically.
· VLANs 4051 to 4060: Authentication-free VLANs.
As a best practice, use VLANs 2 to 99, VLANs 4001 to 4050, and VLANs 4061 to 4091 when configuring VLAN interfaces used for routing and route advertisement. At present, the VLAN range can be customized and planned according to specific scenarios. The multiple links between spine and leaf devices are ECMP links. Because STP is enabled for VLAN 1, a spine-leaf link might be in discarding state, which is normal.
10. Enable L2VPN.
# Enable L2VPN.
l2vpn enable
#
11. Configure instance vpn-default, VSI VXLAN 4094 and VSI-interface IP, and L3 VNI, and configure the service instance (binding VXLAN 4094) on the downlink AC interface (the one connecting to the Access device), for connectivity of the control channel.
# Create vpn-default. Configure the RD and RT manually. Configure the RD and RT as 1:1 in the whole network.
#
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
# Configure the IP address of VSI-interface 4094.
#
interface Vsi-interface4094
ip binding vpn-instance vpn-default
local-proxy-arp enable
arp proxy-send enable // This new command enables the controller to connect to the access device when the access device's ARP information is absent on the leaf device. In this case, VSI-interface 4094 of the leaf device must be configured.
ipv6 address 133::6/64
local-proxy-nd enable
#
# Configure a VSI-interface and an L3 VNI for Layer 3 forwarding.
# The ip address unnumbered command is used to configure this interface to borrow the IP address of the specified interface. When a security group is created in instance vpn-default, the source IP of the packets is specified as the interface IP of VSI-interface 4094.
#
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
ipv6 address auto link-local
l3-vni 4092
#
# Configure the VSI VXLAN 4094 instance.
#
vsi vxlan4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
arp mac-learning disable
nd mac-learning disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
dhcp snooping trust tunnel
ipv6 dhcp snooping trust tunnel
loopback-detection action block
loopback-detection enable vlan 4094
#
# Configure the downlink interface of the Leaf device connecting to the Access device as an AC interface.
interface GigabitEthernet1/0/13
port link-type trunk
port trunk permit vlan 1 to 99 101 to 4094
link-aggregation mode dynamic
stp tc-restriction
mac-based ac
#
service-instance 4094
encapsulation s-vid 4094
#
12. Configure BGP EVPN.
# Configure BGP 100 and specify a spine device as a BGP peer.
#
bgp 100
non-stop-routing
router-id 66.0.0.3 // The router ID of each device cannot be the same. As a best practice, configure the ID as the IP address of the loopback interface.
peer 51::3 as-number 100
peer 51::3 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 51::3 enable
#
ip vpn-instance vpn-default
#
address-family ipv6 unicast
#
13. Configure static routes.
# When the connection between the spine device and Unified Platform is a Layer 3 connection, you need to configure static routes to the servers of Unified Platform, the controller, EIA, and other services. The next hop of these static routes is the IP address of VLAN-interface 4094 on the L3 switch.
ipv6 route-static vpn-instance vpn-default 130:: 64 133::1 // The destination IP is the network address of the controller.
#
ipv6 route-static vpn-instance vpn-default 190:: 64 133::1 // The destination IP is the network address of Unified Platform.
#
# Configure DHCP snooping.
#
ipv6 dhcp snooping enable vlan 2 to 4094
#
14. Configure the IP source guard as filter-free for VLAN 1 and VLAN 4094.
# The configuration is required when IP source guard is configured for the leaf downlink interface. The service is not affected when IP source guard is not configured.
ip verify source exclude vlan 1
ip verify source exclude vlan 4094
#
15. Disable MAC address learning and ARP/ND learning on the VXLAN tunnels.
# Disable ARP or ND learning on the VXLAN tunnels.
vxlan tunnel arp-learning disable
vxlan tunnel nd-learning disable
#
# Disable MAC address learning on the VXLAN tunnels.
vxlan tunnel mac-learning disable
#
16. Enable conversational learning. (This feature is optional and disabled by default. You can enable it as required.)
If conversational learning is enabled on the leaf device, enable BGP instance vpn-default on the spine device to import direct routes. This configuration ensures that both the leaf and spine devices can import all private routes from endpoints, so the endpoint side, the server side, and the external network side can communicate with each other.
# To save hardware resources, the remote ARP entries synchronized through EVPN are not delivered to hardware by default. They are delivered to hardware only when traffic requests exist.
ip forwarding-conversational-learning // Enable conversational learning.
# When no traffic uses a hardware entry, the entry will be deleted after 60 minutes by default. You can use the following command to set the aging time for hardware entries.
[leaf1]ip forwarding-conversational-learning aging ?
INTEGER<60-1440> Aging time in (minutes)
#
IMPORTANT:
· As a best practice, enable conversational learning on S5560X-HI and S6520X-HI devices.
· As a best practice, do not configure conversational learning when the leaf device also works as a border device.
17. Configure NTP.
#
clock timezone beijing add 08:00:00
#
# The IP address is the IP address of the NTP server.
ntp-service enable
ntp-service unicast-server 190::195 vpn-instance vpn-default
#
IMPORTANT: If a built-in NTP server is configured during Unified Platform deployment, as a best practice, configure the NTP server IP as the cluster northbound service IP of Unified Platform. If an external NTP server is configured during Unified Platform deployment, make sure the NTP server can communicate with the controller and Unified Platform.
18. Verify the configuration.
After finishing the above configuration tasks, check whether those tasks are successfully configured. The following information can be viewed from both the spine and leaf devices:
[leaf1] display interface Vsi-interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Vsi4092 UP UP -- SDN_VRF_VSI_Interface_4092// VSI-interface 4092 is successfully created.
Vsi4094 UP UP --
[leaf1]
[leaf1]dis l2vpn vsi
Total number of VSIs: 2, 1 up, 1 down, 0 admin down
VSI Name VSI Index MTU State
Auto_L3VNI4092_4092 0 1500 Down // Automatically generated.
vxlan4094 1 1500 Up
[leaf1]
[leaf1] display interface Tunnel brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
Tun1 UP UP -- // Tunnel in UP state.
[leaf1]
[leaf1] display interface Tunnel
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 4038
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 51::2, destination 51::3
Tunnel protocol/transport UDP_VXLAN/IPv6
Last 300 seconds input rate: 521 bytes/sec, 4168 bits/sec, 3 packets/sec
Last 300 seconds output rate: 1021 bytes/sec, 8168 bits/sec, 4 packets/sec
Input: 18304 packets, 2831888 bytes, 0 drops
Output: 21089 packets, 5695406 bytes, 0 drops
[leaf1]
[leaf1] ping ipv6 -vpn-instance vpn-default 130::AAAA // Gateway of the controller and the DHCP server.
Ping6(56 data bytes) 133::6 --> 130::AAAA, press CTRL+C to break
56 bytes from 130::AAAA, icmp_seq=0 hlim=63 time=3.276 ms
56 bytes from 130::AAAA, icmp_seq=1 hlim=63 time=2.374 ms
56 bytes from 130::AAAA, icmp_seq=2 hlim=63 time=2.327 ms
56 bytes from 130::AAAA, icmp_seq=3 hlim=63 time=2.455 ms
56 bytes from 130::AAAA, icmp_seq=4 hlim=63 time=2.296 ms
--- Ping6 statistics for 130::AAAA in VPN instance vpn-default ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.296/2.546/3.276/0.369 ms
[leaf~133::6]%Mar 5 07:23:21:372 2021 leaf~133::6 PING/6/PING_VPN_STATISTICS: Ping6 statistics for 130::AAAA in VPN instance vpn-default: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.296/2.546/3.276/0.369 ms.
[leaf1]
19. Do not change the bridge MAC address of a leaf IRF fabric.
If the leaf device is an IRF fabric, use the following command to ensure that the bridge MAC address of the device remains unchanged during a master/subordinate switchover.
#
irf mac-address persistent always
#
Configure the access device
1. Configure the Access role and sysname of the device.
# For a device whose role is Access by default, you do not need to configure the role of the device. Otherwise, configure the device as an access device first and restart the device for the configuration to take effect.
#
vcf-fabric role access
#
#
sysname access1
#
2. Configure LLDP (to determine the topology).
#
lldp global enable
#
3. Configure STP.
#
stp global enable
#
4. Configure SNMP, NETCONF, Telnet, and SSH.
# Configure SNMP. The following is the default configuration. You can configure SNMP communities as needed.
#
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
# Configure NETCONF.
netconf soap http enable
netconf soap https enable
netconf ssh server enable
restful https enable
#
# Configure Telnet.
telnet server enable
#
# Configure SSH.
ssh server enable
#
5. Configure the username and password of Telnet and SSH.
# Set the username to admin and password to H3C1234567.
local-user admin class manage
password simple H3C1234567 // Make sure the password meets the complexity requirements. The password must be 10 to 63 characters in length and contain at least two of the following character types: digit, uppercase letter, lowercase letter, and special character. Chinese characters are not supported and the password cannot contain the question mark (?), space, username, or username in reverse order.
service-type telnet http https ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
#
6. Execute the permit vlan all command on the uplink interface that connects the access device to the leaf device.
# Execute the permit vlan all command on the uplink interface of the access device.
interface Ten-GigabitEthernet1/0/52
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
7. Create a VLAN.
#
vlan 4093 to 4094
#
8. (Optional) Configure the L3 interface of VLAN 1.
#
interface Vlan-interface1
ipv6 address 132::2/64
#
9. Configure the L3 interface of VLAN 4094, through which SeerEngine-Campus can manage access devices.
#
interface Vlan-interface4094
ipv6 address 133::5/64
#
10. Configure static routes.
# When the connection between the spine device and Unified Platform is a Layer 3 connection, you need to configure static routes to the servers of Unified Platform, the controller, EIA, and other services. The next hop of these static routes is the IP address of VLAN-interface 4094 on the L3 switch.
ipv6 route-static 130:: 64 133::1 // The destination IP address is the network address of the controller.
ipv6 route-static 190:: 64 133::1 // The destination IP address is the network address of Unified Platform.
11. Configure the NTP server.
#
clock timezone beijing add 08:00:00
#
# The IP address is the IP address of the NTP server.
ntp-service enable
ntp-service unicast-server 190::195
#
IMPORTANT: If a built-in NTP server is configured during Unified Platform deployment, as a best practice, configure the NTP server IP as the cluster northbound service IP of Unified Platform. If an external NTP server is configured during Unified Platform deployment, make sure the NTP server can communicate with the controller and Unified Platform.
12. Do not change the bridge MAC address of an access IRF fabric.
If the access device is an IRF fabric, use the following command to ensure that the bridge MAC address of the device remains unchanged during a master/subordinate switchover.
#
irf mac-address persistent always
#
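The SNMP, NETCONF, Telnet, SSH, and local-user settings in steps 4 and 5 of the leaf and access device procedures above use default community strings, cleartext management services, and a password printed in this guide. The following is an added example, not H3C code: a Python review script that lists those lines in a saved configuration so they can be checked against site policy before the device is incorporated. The rule names and both sample configurations are constructed for illustration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule_id: str
    line: str


# (rule id, pattern applied to one normalized config line, reviewer note)
RULES = [
    ("snmp-default-community",
     re.compile(r"^snmp-agent community (?:read|write) (?:public|private)$"),
     "community string is the well-known default used in this guide"),
    ("snmp-v1-v2c-enabled",
     re.compile(r"^snmp-agent sys-info version .*\b(?:all|v1|v2c)\b"),
     "community-based SNMP versions are enabled"),
    ("telnet-server",
     re.compile(r"^telnet server enable$"),
     "Telnet carries credentials in cleartext"),
    ("netconf-soap-http",
     re.compile(r"^netconf soap http enable$"),
     "NETCONF over SOAP is reachable without TLS"),
    ("cleartext-service-type",
     re.compile(r"^service-type\b.*\b(?:telnet|http)\b"),
     "local user is allowed to log in over Telnet or HTTP"),
    ("plaintext-password-entry",
     re.compile(r"^password simple\b"),
     "password is written in plaintext in the configuration text"),
]

# Password value printed in this guide; a device still using it is guessable.
DOC_EXAMPLE_PASSWORDS = {"H3C1234567"}


def normalize(raw: str) -> str:
    """Strip indentation and the guide's trailing ' // ...' annotation."""
    return re.split(r"\s//\s", raw, maxsplit=1)[0].strip()


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per rule hit, in line order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = normalize(raw)
        if not line or line.startswith("#"):
            continue  # blank line or Comware section separator/comment
        for rule_id, pattern, _note in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule_id, line))
        match = re.match(r"password (?:simple|cipher|hash) (\S+)", line)
        if match and match.group(1) in DOC_EXAMPLE_PASSWORDS:
            # Do not echo the password value back into the report.
            findings.append(Finding(line_no, "documented-example-password",
                                    "password <redacted>"))
    return findings


# Constructed sample: the management-plane lines from steps 4 and 5 above.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent community write private
snmp-agent community read public
snmp-agent sys-info version all
netconf soap http enable
netconf soap https enable
netconf ssh server enable
restful https enable
telnet server enable
ssh server enable
local-user admin class manage
 password simple H3C1234567 // Make sure the password meets the complexity requirements.
 service-type telnet http https ssh
 authorization-attribute user-role network-admin
line vty 0 63
 authentication-mode scheme
"""

# Constructed sample of a configuration that passes every rule above.
REVIEWED_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
netconf soap https enable
netconf ssh server enable
ssh server enable
local-user admin class manage
 service-type https ssh
line vty 0 63
 authentication-mode scheme
"""

if __name__ == "__main__":
    notes = {rule_id: note for rule_id, _p, note in RULES}
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule_id}: {f.line}"
              f" ({notes.get(f.rule_id, 'matches a password printed in the guide')})")
```

Whether a flagged service can be turned off depends on which protocols the control protocol template uses to reach the device, so treat the output as a review list rather than a change list.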
Manually incorporate a device
After manually deploying Underlay configurations of the device, perform the following tasks to configure the fabric and DHCP server:
1. Configure a fabric.
a. Access Automation > Campus Network > Fabrics page, and click Add.
b. Configure a fabric on the Fabric Configuration page. Parameters are described as follows:
- Name: Enter the name with no limitation.
- AS Number: The value is an integer in the range of 1 to 4294967295. When a device is manually deployed and managed, make sure the AS number set in the fabric is the same as the BGP AS number manually configured on the device.
- Networking Model: Use the default setting. The default setting is VXLAN.
- Virtual Auto Online And Business Follow: It is On by default. It is used to control the authorization of the VXLAN network and the authorization of access policies between security groups.
- Isolation Domain: Select the isolation domain of the fabric.
- Multicast Network: Select Off, because this parameter does not support IPv6.
- QoS: Select Off, because this parameter does not support IPv6.
- Lock Underlay: It is Off by default. After automated device deployment is complete, you can select On if necessary.
- Delayed Access Interface PVID Assignment: It is Off by default and the controller will automatically assign a PVID when the device is activated. If you select On, the controller will not assign any PVID when the device is activated, and you can manually assign a PVID to the device after the device is activated.
- DHCP Snooping Enable VLAN Range: The default VLAN range is 2 to 4094.
- Gratuitous ARP Learning: This feature is enabled by default.
Figure 27 Configuring a fabric
c. Click OK. The added fabric is displayed on the Fabrics page.
2. Incorporate a device.
Access Automation > Campus Network > Network Device > Add Device page, and specify the parameters.
¡ In the Basic Info area:
- Fabric: Select a fabric.
- Device Role: Three roles are available: Spine, Leaf, and Access. Select the role according to the actual role of the device in the topology, and make sure the selected role is the same as that configured on the device.
- Management IP: Enter the IP address of VXLAN-interface 4094/VLAN-interface 4094.
- Underlay IP: Enter the IP address of the loopback interface of the device.
- Device Series: Select the product series corresponding to the device model.
- Other parameters: Retain the default settings.
Figure 28 Incorporating a device
¡ In the Add Control Protocol Template area, edit the default template or add a template:
- Read-Only Community: According to the SNMP parameters set in the above device settings, enter public here.
- Read and Write Community: According to the SNMP parameters set in the above device settings, enter private here.
- Username: According to the username of local-user set in the above device settings, the username here is admin.
- Password: Enter the password of the local-user set in the above device settings. The password must be 10 to 63 characters in length and contain at least two of the following character types: digit, uppercase letter, lowercase letter, and special character. Chinese characters are not supported and the password cannot contain the question mark (?), space, username, or username in reverse order.
Figure 29 Control protocol template
Figure 30 Adding a control protocol template
3. After the device is added, the initial Device State is Inactive because a period of time is needed for data synchronization. After the data is synchronized, click Refresh. If the device state becomes Active, the device is successfully connected.
Figure 31 Activating a device
4. After devices are incorporated, you can use the display openflow instance 1 controller command to view detailed information about the spine and leaf devices connected to the SeerEngine-Campus controller.
[Leaf1]display openflow instance 1 controller
Instance 1 controller information:
Reconnect interval: 60 (s)
Echo interval : 5 (s)
Controller ID : 1
Controller IPv6 address : 130::191
Controller port : 6633
Local IPv6 address : 133::3
Controller role : Master
Connect type : TCP
Connect state : Established
Packets sent : 44
Packets received : 163
SSL policy : --
Control SSL policy : --
VRF name : vpn-default
Controller ID : 2
Controller IPv6 address : 130::192
Controller port : 6633
Local IPv6 address : 133::3
Controller role : Slave
Connect type : TCP
Connect state : Established
Packets sent : 42
Packets received : 161
SSL policy : --
Control SSL policy : --
VRF name : vpn-default
5. Configure the DHCPv6 server.
a. Access Automation > Campus Network > Network Parameters > DHCP page and click Add. Configure the vDHCP server on the pop-up page as shown in the following figure.
- Name: Enter the name.
- Management Mode: Select Tight because vDHCP only supports this mode.
- High Availability: Enable this feature in a cluster environment. You do not need to enable this feature in a single-node environment.
- IPv4/IPv6 Dual Stack: Enable this feature.
- First IPv6 Address and Second IPv6 Address: Enter the IPv6 addresses assigned during vDHCP deployment. It can be viewed on the vDHCP deployment page. Access System > Deployment Management, expand Public Service page, and click the icon to view the details.
- Vendor: Select H3C.
Figure 32 Adding the DHCP server
b. After completing the configuration, click OK. The newly added DHCP server is displayed in the DHCP list.
Figure 33 Viewing the DHCP server
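The display openflow instance 1 controller output in step 4 above can be checked by script when many devices are incorporated. The following is an added example, not H3C code: a Python parser for that output that reports controllers that are not Established, are outside the expected VRF, or have no SSL policy bound (shown as "--" in the output). The sample text is constructed from the output in step 4; the rule that exactly one controller holds the Master role is an assumption based on that output.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the display output shown in step 4 above.
SAMPLE_OUTPUT = """\
Instance 1 controller information:
Reconnect interval: 60 (s)
Echo interval : 5 (s)
Controller ID : 1
Controller IPv6 address : 130::191
Controller port : 6633
Local IPv6 address : 133::3
Controller role : Master
Connect type : TCP
Connect state : Established
Packets sent : 44
Packets received : 163
SSL policy : --
Control SSL policy : --
VRF name : vpn-default
Controller ID : 2
Controller IPv6 address : 130::192
Controller port : 6633
Local IPv6 address : 133::3
Controller role : Slave
Connect type : TCP
Connect state : Established
Packets sent : 42
Packets received : 161
SSL policy : --
Control SSL policy : --
VRF name : vpn-default
"""


def parse_controllers(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split the output into instance-level fields and one dict per controller."""
    instance: Dict[str, str] = {}
    controllers: List[Dict[str, str]] = []
    current = instance
    for raw in text.splitlines():
        # Split on the first colon only: IPv6 values contain colons themselves.
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # banner line ("... information:") or blank line
        if key == "Controller ID":
            current = {}
            controllers.append(current)
        current[key] = value
    return instance, controllers


def check_controllers(controllers: List[Dict[str, str]],
                      expected_vrf: str = "vpn-default") -> List[Tuple[str, str]]:
    """Return (controller id, issue code) pairs; '*' marks a fabric-wide issue."""
    issues: List[Tuple[str, str]] = []
    roles = [c.get("Controller role") for c in controllers]
    if roles.count("Master") != 1:  # assumption: one Master per instance
        issues.append(("*", "master-count"))
    for c in controllers:
        cid = c.get("Controller ID", "?")
        try:
            ipaddress.IPv6Address(c.get("Controller IPv6 address", ""))
        except ipaddress.AddressValueError:
            issues.append((cid, "bad-controller-address"))
        if c.get("Connect state") != "Established":
            issues.append((cid, "not-established"))
        if c.get("VRF name") != expected_vrf:
            issues.append((cid, "unexpected-vrf"))
        if c.get("SSL policy", "--") == "--":
            # No SSL policy is bound, so the channel runs over plain TCP.
            issues.append((cid, "no-ssl-policy"))
    return issues


if __name__ == "__main__":
    inst, ctrls = parse_controllers(SAMPLE_OUTPUT)
    print("instance fields:", inst)
    for cid, code in check_controllers(ctrls):
        print(f"controller {cid}: {code}")
```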
Automated device deployment
For details, see Configure automated deployment of pure IPv6 devices.
Configure automated deployment of pure IPv6 devices
There is no difference between the IPv6 service and IPv4 service in terms of the networking architecture, precautions for configuration, and supported device models. For details, see AD-Campus 6.3 Automation Configuration Guide.
Configuration workflow
Figure 34 Underlay automated deployment flowchart
The automated underlay deployment workflow is as follows:
1. Perform initial configuration such as automation parameter configuration on the controller page.
2. Restart the devices with the initial configuration, obtain the corresponding automation template for each device, and deploy it to the related device.
3. After the primary RR MAC address is specified on the controller, BGP configuration is deployed automatically, and a VXLAN Tunnel is created between the spine device and the leaf device.
4. When the controller incorporates these devices automatically and adds them to the corresponding device group and interface group, automated underlay deployment is complete.
Configure the Layer 3 or Layer 2 architecture
Configure the Layer 3 switch
1. Configure VLAN 1 and VLAN 4094 for communication with devices.
#
vlan 1
#
vlan 4094
#
interface Vlan-interface1
ipv6 dhcp select relay
ipv6 dhcp relay server-address 130::6 // IP address of the primary vDHCP node
ipv6 dhcp relay server-address 130::7 // IP address of the backup vDHCP node
ipv6 address 132::1/64
undo ipv6 nd ra halt
#
#
interface Vlan-interface4094 // The device management IP address is assigned by the controller, and you do not need to configure any DHCP relay agent.
ipv6 address 133::1/64
undo ipv6 nd ra halt
#
2. Configure VLAN-interface 50. The IP address of this interface acts as the gateway address for the network segment on which the SeerEngine-Campus controller and the DHCP server operate.
#
vlan 50
#
interface Vlan-interface50
ipv6 address 130::AAAA/64
#
3. Configure VLAN-interface 150. The IP address of this interface acts as the gateway address for the network segment on which Unified Platform and the EIA server are located.
#
interface Vlan-interface150
ipv6 address 190::AAAA/64
#
4. Configure the interface connecting to the spine device.
#
interface Ten-GigabitEthernet1/0/6
description to_spine
port link-type trunk
port trunk permit vlan all
ipv6 dhcp snooping trust
#
5. Configure the interface of the external device (Layer 3 switch) connecting to the server.
#
interface GigabitEthernet1/0/7 // Connect to the network adapters of SeerEngine-Campus and vDHCP.
port access vlan 50
#
interface GigabitEthernet1/0/37 // Connect to the network adapters of Unified Platform and EIA.
description eth1-ipv6
port access vlan 150
#
Configure the controller
Configure basic settings
1. Log in to the system, and then access Automation > Campus Network > Network Parameters > Parameter > Global Settings page, and set the IPv6 parameter to Yes (default).
Figure 35 Enabling IPv6
2. Access Guide > Campus Wizard > Device Online Planning > Configure Basic Info page, click the Select Fabric drop-down menu, and select Add Fabric. Specify the following parameters and click OK.
Figure 36 Configuring a fabric
¡ Name: a maximum string of 255 characters (case-sensitive).
¡ Network Type: VXLAN by default.
¡ AS Number: The value is an integer in the range of 1 to 4294967295. For multi-fabric networking, each fabric must have a unique AS number. During automated deployment, the SeerEngine-Campus controller delivers the BGP AS number to the device added to the fabric based on the AS number set in the fabric.
¡ Service Automation: Enable this feature and select an isolation domain.
¡ Business Follow: Enable this feature to control the authorization of the VXLAN network.
¡ Multicast Network: Not supported for the IPv6 service and Off is selected here.
¡ Lock Underlay: It is Off by default. Disable it during automated device deployment, and enable it as required after automated device deployment is completed.
¡ Delayed Access Interface PVID Assignment: It is Off by default and the controller will automatically assign a PVID when the device is activated. If you select On, the controller will not assign any PVID when the device is activated, and you can manually assign a PVID to the device after the device is activated.
¡ DHCP Snooping Enable VLAN Range: The default VLAN range is 2 to 4094.
¡ Voice VLAN: This feature is enabled by default.
3. The Use Optimized Automated Deployment parameter is set to No by default since the optimized automated deployment is not supported for the IPv6 service.
4. Enable the TFTP service.
5. Enter the bridge MAC address of the spine device in the RR MAC field. You do not need to enter the RR MAC address if the fabric uses the single-leaf architecture. Click Next.
Figure 37 Configuring the RR MAC address
NOTE: If the spine device is an IRF fabric, enter the bridge MAC addresses of all main processing units on member devices in the RR MAC field, separated by commas (,).
6. To view the bridge MAC address of the spine device, use either of the following methods:
¡ Method 1: Execute the display device manuinfo command.
[leaf~133::4]dis device manuinfo slot 1
Slot 1 CPU 0:
DEVICE_NAME : S5560X-54C-EI
DEVICE_SERIAL_NUMBER : 210235A1XCM195A000QK
MAC_ADDRESS : 4CE9-E498-16CB
MANUFACTURING_DATE : 2019-05-20
VENDOR_NAME : H3C
Fan 1:
DEVICE_SERIAL_NUMBER : NONE
Fan 2:
DEVICE_SERIAL_NUMBER : NONE
Power 1:
DEVICE_NAME : LSPM2150A
DEVICE_SERIAL_NUMBER : 210231A1U0H195001022
MANUFACTURING_DATE : 2019-05-07
VENDOR_NAME : H3C
¡ Method 2: Execute the debug stack show memberinfo command in probe view.
[leaf~133::4-probe]debug stack show memberinfo slot 1
=============================================================
Member Information of STACK Module
=============================================================
MemID:1, LocalSlotID:1, Priority:1, Mode:90
MaxMemNum:10, MaxPortMemberPort:4, StackCapability:5
BridgeMac:4c:e9:e4:98:16:cb CpuMac:f0:10:90:db:74:02 DeviceInfo:S5560X-EI
Get the Wrong Packet Number :0.
Configure address pools
1. To configure an address pool, bind the DHCP server first. Click the drop-down arrow of DHCP Server, and select Add DHCP Server. On the pop-up page, specify the related parameters of H3C vDHCP.
Figure 38 Adding the DHCP server
Figure 39 DHCP
¡ Name: Enter the name.
¡ Management Mode: Select Tight because vDHCP only supports this mode.
¡ High Availability: Enable this feature in a cluster environment. You do not need to enable this feature in a single-node environment.
¡ IPv4/IPv6 Dual Stack: Enable this feature.
¡ First IPv6 Address and Second IPv6 Address: Enter the IPv6 addresses assigned during vDHCP deployment. It can be viewed on the vDHCP deployment page. Access System > Deployment Management, expand Public Service page, and click the icon to view the details.
¡ Vendor: Select H3C.
NOTE:
· The IP address is the IP address assigned for public network deployment. To view the IP address of vDHCP, access System > Deployment Management > Public Service, and click Details.
· The DHCP server for automated device deployment must be an H3C vDHCP server.
2. Add the address pool for VLAN 1. In the Address Pool field, enter the network segment of VLAN 1 (132::/64) set on the Layer 3 switch. In the Gateway Address field, enter the IP address of VLAN 1 set on the Layer 3 switch.
Figure 40 VLAN 1
3. Add an address pool for VLAN 4094. In the Address Pool field, enter the network segment of VLAN 4094 (133::/64) set on the Layer 3 switch. In the Gateway Address field, enter the IP address of VLAN 4094 set on the Layer 3 switch.
Figure 41 Adding an address pool for VLAN 4094
4. Controller and Other Server Subnets: During automated device deployment, the SeerEngine-Campus controller deploys the static routes to the configured IP address segment on the device. You need to add the management network segment of the controller and the subnet addresses of other servers. The network address of the controller is 130::/64 and the network address of the EIA server is 190::/64. When you add multiple network segments, separate them by commas (,).
NOTE: Multiple network segments need to be added if Unified Platform, the controller, and EIA reside in different network segments.
Figure 42 Configuring the IPv6 management network segment of the server
NOTE: The configurations of VLAN 4094 IPv4 address pool and IPv4 network segment are not necessary for automated deployment of pure IPv6 Underlay without the IPv4 service. To use IPv4 addresses, you need to add an IPv4 DHCP server. This document does not describe the configuration related to the IPv4 service. For related information, see AD-Campus 6.3 Automation Configuration Guide.
Configure device role templates
Configuring a device role template means configuring an automation template.
· Local Username and Local Password: If the username on the Configure Template page is the same as that configured for the NETCONF protocol in Control Protocol Template, the passwords of the two must be the same. The local username and password of the two templates can differ from each other. The username and password configured for the NETCONF protocol in Control Protocol Template are used for the controller to access devices. The local username and password here are used for the Spine device to access the Leaf device. You can click Edit Template to enter the page for editing the control protocol template.
· NTP Server: If a built-in NTP server is configured when Unified Platform is deployed, as a best practice, configure the IP address of the NTP server as the cluster northbound service IP address of Unified Platform. You can also enter the IP address of an NTP server in the customer network, provided that network connectivity to it is ensured.
· Master Spine MAC: Specify the bridge MAC address of the master spine device to assign the Underlay IP address and Underlay VLAN. (If the Spine device is an IRF fabric, the spine device corresponding to the bridge MAC specified in this template is the master device.)
· Auto-Allocate Underlay IP: Yes (default).
¡ Yes: The Spine device automatically assigns IP addresses to the loopback interface 0 of the Spine and Leaf devices according to the address segment of the Underlay IP Range set in the template.
¡ No: You need to manually assign IP addresses to the loopback interface 0 of the Spine and Leaf devices. If you set this to No, set Enable Whitelist to Yes for the Leaf template and Spine template, and specify the Underlay IP address in the device list.
· Underlay IP Range: Specify the IP address range. It is used to assign IP addresses to loopback interface 0.
· Underlay VLAN Range: Specify the available VLAN range to establish Underlay OSPF neighbors. As a best practice, use the default settings.
· Uplink Interface: The full name of the uplink interface of the spine device (that is, the interface directly connecting to the Layer 3 switch) needs to be specified. During automated device deployment, the controller allocates the AC configuration information of VLAN 4094-VXLAN 4094 to this interface. The interface is used for service interaction between devices and the controller.
· Enable Whitelist:
¡ When it is No:
- If the serial number of the specified device is in the device list, the automated deployment of the device is carried out based on the information specified in the device list, and the device is incorporated by the controller with the specified device label.
- If the serial number of the specified device is not in the device list, the automated deployment of the device is carried out by using the default role, and the default label is "role name + IP address of VLAN 4094".
¡ When it is Yes:
- If the serial number of the specified device is in the device list, the automated deployment of the device is carried out based on the information specified in the device list, and the device is incorporated by the controller with the specified device label.
- If the serial number of the specified device is not in the device list, the automated device deployment fails.
NOTE: If the spine device is an IRF fabric, the master spine MAC in the spine template is the bridge MAC address of the master device.
Figure 43 Configuring device role template
Figure 44 Spine template
Figure 45 Leaf template
Figure 46 Access template
Configure a device list for automated deployment
The device list is used to support the device whitelist feature. The device serial number is a unique identifier of each device. By associating the device serial numbers in the device list with different device roles, you can formulate a device role plan.
· If the device list is used during automated device deployment and the device whitelist feature is enabled, the controller will match the serial number of a device against the device whitelist:
¡ If the device serial number is in the device list, the device can obtain an automation template and perform automated deployment.
¡ If the device serial number is not in the device list, the device cannot obtain an automation template and cannot perform automated deployment.
· If the device list is used during automated device deployment and the device whitelist feature is not enabled:
¡ If the device serial number of a device is in the device list, the device performs automated deployment with the role set in the whitelist.
¡ If the device serial number of a device is not in the device list, the device performs automated deployment with the default role.
· If the device list is used when the SeerEngine-Campus controller incorporates a device, the controller needs to match the device against the whitelist. If the device does not match the whitelist, the controller cannot incorporate the device.
Figure 47 Device list
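The admission rules described under Enable Whitelist and in the list above, written out as an added Python example (not H3C or controller code). It also reports which arriving devices would be deployed only because the whitelist is off. The serial numbers are constructed; the "~" separator in the default label and the case-insensitive serial comparison are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceEntry:
    serial: str  # Device Serial Number
    role: str    # Device Role: spine, leaf or access
    label: str   # Device Label


@dataclass(frozen=True)
class Decision:
    deployed: bool
    role: Optional[str]
    label: Optional[str]
    reason: str


def normalize_serial(serial: str) -> str:
    """Compare serials without regard to case or stray spaces (assumption)."""
    return serial.strip().upper()


def build_device_list(entries: Iterable[DeviceEntry]) -> Dict[str, DeviceEntry]:
    """Index the device list by serial; one serial may carry one role only."""
    index: Dict[str, DeviceEntry] = {}
    for entry in entries:
        key = normalize_serial(entry.serial)
        if key in index:
            raise ValueError(f"serial number listed twice: {key}")
        index[key] = entry
    return index


def decide(serial: str, default_role: str, vlan4094_ip: str,
           device_list: Dict[str, DeviceEntry], whitelist_enabled: bool,
           sep: str = "~") -> Decision:
    """Outcome of automated deployment for one device."""
    entry = device_list.get(normalize_serial(serial))
    if entry is not None:
        # Listed devices follow the device list whether the whitelist is on or off.
        return Decision(True, entry.role, entry.label, "listed")
    if whitelist_enabled:
        return Decision(False, None, None, "rejected: serial not in device list")
    # Whitelist off: default role, label = role name + IP address of VLAN 4094.
    label = f"{default_role}{sep}{vlan4094_ip}"
    return Decision(True, default_role, label, "default role")


def unplanned_admissions(arrivals: Iterable[Tuple[str, str, str]],
                         device_list: Dict[str, DeviceEntry]) -> List[Tuple[str, str]]:
    """Devices that deploy only because Enable Whitelist is No."""
    found = []
    for serial, default_role, vlan4094_ip in arrivals:
        d = decide(serial, default_role, vlan4094_ip, device_list,
                   whitelist_enabled=False)
        if d.reason == "default role":
            found.append((normalize_serial(serial), d.label))
    return found


# Constructed device list and arrivals (serial, default role, VLAN 4094 address).
PLANNED = build_device_list([
    DeviceEntry("SN-CONSTRUCTED-0001", "spine", "spine-core-1"),
    DeviceEntry("SN-CONSTRUCTED-0002", "leaf", "leaf-bldg-a"),
])
ARRIVALS = [
    ("sn-constructed-0002 ", "access", "133::5"),
    ("SN-CONSTRUCTED-0099", "leaf", "133::9"),
]

if __name__ == "__main__":
    for serial, role, ip in ARRIVALS:
        for flag in (False, True):
            print(serial.strip(), "whitelist" if flag else "no whitelist",
                  decide(serial, role, ip, PLANNED, flag))
    print("deployed only because the whitelist is off:",
          unplanned_admissions(ARRIVALS, PLANNED))
```

Running the report before setting Enable Whitelist to Yes shows which devices would fail deployment after the change.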
To add a device serial number to the device list, you can either click Add to manually add it or click Import to download the import template for batch import.
· Network Type: VXLAN (default).
· WebSocket: Select No.
· Device Serial Number: Enter the unique identifier of the device. You can obtain it by executing the following commands.
To confirm which series a device belongs to, contact Technical Support.
¡ Modular device: Fill in the serial number of the chassis and the serial number of each main processing unit. If there are multiple serial numbers, separate them with commas (,).
¡ Command for querying information about the chassis and main processing unit of the S10500X/S10500 series: display device manuinfo chassis * slot *
¡ Command for querying information about the main processing unit of the S7500E series: display device manuinfo chassis * slot *
¡ Fixed-port device (S6550XE/S6525XE/6520X/S5560X series): display license device-id slot 1
¡ Command for querying information about the main processing unit of the S7500X series: display device manuinfo chassis * slot *
¡ Fixed-port device (S51 series): display device manuinfo slot 1
· Device Role: Spine, Leaf, or Access. During automated device deployment, the device role will be modified automatically according to the role information configured in the device list.
· Device Label: Sysname of the device, which will be modified automatically according to the configured device label.
· Device System Name: System name of the device. The controller can identify devices by their system names.
· Management IP: (Optional) Specify the IP address of the VSI/VLAN 4094 after the device is deployed automatically.
¡ If the management IP address is configured, after the device comes online automatically, the SeerEngine-Campus controller will assign an IP address to the device according to the IP addresses configured.
¡ If the management IP address is not configured, the SeerEngine-Campus controller will automatically assign an IP address to the device from the IP address pool of VLAN 4094.
· Underlay IP: You must fill in this field if you select No in the Auto-Allocate Underlay IP option in the automation template of Spine device. If you select Yes, you do not need to fill in this field.
· Site Name: Select the site of the device as required. If you need to use the dashboard function, you must configure a site name.
Figure 48 Device list
Configure the policy configuration template
The policy configuration template does not affect automated device deployment and is related to user services. For more information, see AD-Campus 6.3 Basic Configuration Guide.
Single-leaf architecture
Configure the Layer 3 switch
For details about how to configure the Layer 3 switch in the single-leaf architecture, see "Configure the Layer 3 switch." The following describes how to use leaf devices to form an IRF fabric in the single-leaf architecture.
1. Connect the leaf devices to the Layer 3 switch via a cable, and interconnect all leaf devices.
2. Configure the aggregate interface as the uplink interface in the single-leaf template.
3. Manually configure port aggregation on the Layer 3 switch.
#
interface Ten-GigabitEthernet0/0/48
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port link-aggregation group 102
#
interface Ten-GigabitEthernet0/0/47
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port link-aggregation group 102
#
interface Bridge-Aggregation102
port link-type trunk
port trunk permit vlan all
link-aggregation mode dynamic
#
4. The leaf devices obtain information about VLAN 1, and then an IRF fabric is successfully formed.
5. Connect the leaf devices to the Layer 3 switch via another cable, and manually configure uplink interface aggregation on the leaf devices.
Configure the controller
The following describes the difference in configuration between the single-leaf network and spine-leaf-access network.
1. On the Configure Basic Info page, you do not need to configure any RR MAC.
2. On the Configure Template page:
¡ Unselect Spine Template, select only Leaf Template/Single Leaf Template and Access Template, and select Single Leaf Template on the Leaf Template/Single Leaf Template page.
¡ Configure the uplink interface as the interface connecting the leaf device to the Layer 3 switch.
Figure 49 Configuring device role template
Automated device deployment
Single spine device
Start up the spine device with the initial configuration
If a spine device starts up with the initial configuration, it can obtain the spine configuration template after obtaining an IP address.
Automatic configuration attempt: 3.
Interface used: Vlan-interface1.
Enable DHCP client on Vlan-interface1.
Set DHCP client identifier: 542bdead45f8-VLAN0001
Vlan-interface1 failed to obtain IP address.
Set DHCP6 client identifier: 542bdead45f8-VLAN0001
Obtained configuration file name h3c.template and TFTP server IPv6 address 130::195. // IP address of the TFTP server on the controller page
Obtained an IPv6 address for Vlan-interface1: 132::8.
INFO: Get device tag file device_tag.csv success.
INFO: Read role spine from tag file.
Successfully downloaded file hefei_spine.template. // Name of the spine template on the controller page
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
Press ENTER to get started.
Automatic spine device configuration
Wait for the automatic configuration of the spine device. The device is automatically configured based on the downloaded template hefei_spine.template. The IP address of VSI-interface 4094 is not included in the automatic configuration here. Use the following commands to view the automatic deployment result:
[spine~133::3]dis vcf-fabric underlay autoconfigure
success command:
#
system
clock timezone beijing add 08:00:00
#
system
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 both
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
#
system
lldp global enable
#
system
interface Vlan-interface1
ip address dhcp-alloc
#
system
ospfv3 1
non-stop-routing
area 0.0.0.0
#
system
interface LoopBack0
#
system
netconf soap https enable
netconf ssh server enable
restful https enable
#
system
ssh server enable
#
system
stp mode pvst
stp vlan 1 enable
undo stp vlan 2 to 4094 enable
stp global enable
stp vlan 1 priority 0
#
……
Automatic AC interface configuration
After the automation template is obtained, the physical port that connects the spine device to the server is automatically configured as the AC interface. After the AC interface configuration is complete, the IP address of VSI-interface 4094 can be obtained.
#
interface Ten-GigabitEthernet1/0/52
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
service-instance 4094
encapsulation s-vid 4094
xconnect vsi vxlan4094
#
View main configurations of the spine device
During automatic device configuration, you can use commands on the device to check whether the device has obtained IP addresses. As shown below, the IP addresses of loopback interface 0, VLAN 1, and VSI 4094 have been obtained. If a link exists between the spine device and the downlink leaf device, VLAN 3500 is created. (The VLAN range is determined by the underlay VLAN range specified in the automation template.)
[spine~133::3]dis ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
LoopBack0 up up(s) 51::2
M-GigabitEthernet0/0/0 down down Unassigned
Tunnel0 up up Unassigned
Tunnel1 up up Unassigned
Vlan-interface1 up up 132::8
Vlan-interface3496 up up FE80::562B:DEFF:FEAD:460A
Vlan-interface3500 up up FE80::562B:DEFF:FEAD:460E
Vsi-interface4092 up up FE80::562B:DEFF:FEAD:461E
Vsi-interface4094 up up 133::3
View information on the controller page
On the Automation > Campus Network > Network Device page, you can see that the IP address of the spine device has been switched to 133::3, which is the IP address of VSI 4094. The system has managed the spine device and has added it to the spine device group.
Figure 50 Devices
Figure 51 General device groups
Complete automatic configuration deployment
According to the automatic deployment process, when a single spine device is deployed first, the controller does not deploy BGP configuration on the spine device. The controller deploys BGP configuration on the spine device only when the leaf device is automatically deployed, the OSPF underlay of the leaf device is established, and the IP address of the loopback interface 0 is obtained. The deployed BGP configuration only includes dynamic BGP peer configuration. Basic BGP configuration is deployed together with the automation template. You can use the dir command to view template file hefei_spine.template and the more hefei_spine.template command to view more detailed information. For more details, see "Spine device configurations".
Stacking of Spine devices
Automatic stacking of Spine devices
Prerequisites:
· The two devices support stacking.
· The two devices have an interconnection between 10 GE (or higher) ports.
· The two devices act as the same role.
To use two automatically deployed devices to form an IRF fabric:
1. Interconnect the master Spine device with the controller via a Layer 3 switch.
2. Interconnect one Spine device with the other one.
3. Deploy the device with a larger bridge MAC address first.
NOTE: It is not necessary to connect the Spine devices added later to the Layer 3 switch. You only need to connect them via the stacking links of the Spine devices that have been deployed. If you want to connect the subsequent IRF fabric of Spine devices to the Layer 3 switch, you need to manually configure the interface aggregation on the Layer 3 switch, and specify the trunk port as the uplink interface in the Spine template.
Spine device 1:
%Feb 19 08:09:58:256 2021 spine~133::8 VCF/4/VCF_FAILED_ADD_IRFPORT: In phase 2.0.10, device with MAC address 542b-dead-45f8 add IRF port GigabitEthernet1/0/7 has failed three times.
%Feb 19 08:10:40:251 2021 spine~133::8 VCF/5/VCF_IRF_START: In phase 2.0.2, device with MAC address 542b-dead-45f8 started IRF configuration: Current member ID 1, new member ID 1, priority 2, ['Ten-GigabitEthernet1/0/49'] bound to IRF-port 1, [None] bound to IRF-port 2.
%Feb 19 08:10:14:711 2021 spine~133::8 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 542b-dead-45f8 finished IRF configuration with peer 4ce9-e498-16cb. The result is 0.
Spine device 2:
<spine-132::4>%Feb 19 08:10:18:362 2021 spine-132::4 VCF/5/VCF_IRF_START: In phase 2.0.2, device with MAC address 4ce9-e498-16cb started IRF configuration: Current member ID 1, new member ID 5, priority 1, [None] bound to IRF-port 1, ['GigabitEthernet1/0/2', 'Ten-GigabitEthernet1/0/49'] bound to IRF-port 2.
%Feb 19 08:10:59:621 2021 spine-132::4 VCF/5/VCF_IRF_FOUND: In phase 2.0.1, device with MAC address 4ce9-e498-16cb found peer 542b-dead-45f8 with the same role spine. Availability of IRF configuration is 0.
%Feb 19 08:11:20:874 2021 spine-132::4 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 4ce9-e498-16cb finished IRF configuration with peer 542b-dead-45f8. The result is 0.
After the standby device restarts, the IRF fabric is set up successfully.
%Feb 19 08:11:25:241 2021 spine-132::4 VCF/5/VCF_REBOOT: Phase 2.0.4, Device 542b-dead-45f8 will reboot. Reason: IRF fabric setup success.
%Feb 19 08:11:27:488 2021 spine-132::4 SYSLOG/5/LOGFILE_USAGEHIGH: The usage of log-file flash:/logfile/logfile.log reaches 80%.
%Feb 19 08:11:28:371 2021 spine-132::4 DEV/5/SYSTEM_REBOOT: System is rebooting now.
%Feb 19 08:15:49:712 2021 spine~133::8 VCF/5/VCF_IRF_ALREADY: In phase 2.0.10, device with MAC address 542b-dead-45f8 has been irf successfully, standby Mac 4ce9-e498-16cb.
<spine~133::8>dis irf
MemberID Role Priority CPU-Mac Description
*+1 Master 2 f010-90db-7402 ---
5 Standby 1 f010-90db-7406 ---
--------------------------------------------------
* indicates the device is the master.
+ indicates the device through which the user logs in.
The bridge MAC of the IRF is: 542b-dead-45f8
Auto upgrade : yes
Mac persistent : always
Domain ID : 0
After the IRF fabric is successfully set up, the system automatically starts BFD configuration.
%Feb 19 08:17:13:491 2021 spine~133::8 IFNET/3/PHY_UPDOWN: Physical state on the interface Vlan-interface100 changed to up.
%Feb 19 08:17:13:500 2021 spine~133::8 IFNET/5/LINK_UPDOWN: Line protocol state on the interface Vlan-interface100 changed to up.
%Feb 19 08:18:14:574 2021 spine~133::8 BFD/5/BFD_MAD_INTERFACE_CHANGE_STATE: BFD MAD function enabled on Vlan-interface100 changed to the normal state.
When there is more than one stacking link on the device, one of the links is used as the BFD detection link, and the following configuration is delivered to the physical port.
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 100
undo stp enable
#
interface GigabitEthernet5/0/2
port link-mode bridge
port access vlan 100
undo stp enable
#
Configure VLAN-interface 100, configure MAD IP addresses for all member devices in the IRF, and bind them with member numbers.
#
interface Vlan-interface100
mad bfd enable
mad ip address 192.168.100.1 255.255.255.0 member 1
mad ip address 192.168.100.2 255.255.255.0 member 5
#
Enable BFD MAD globally on the devices.
[spine~133::8]mad bfd enable
Multiple links between Spine and Leaf devices
If there are multiple links between Spine devices and Leaf devices, the multiple links are automatically configured with ECMP, regardless of the timing.
[spine~133::8]dis ll n l | include leaf
GE5/0/29 b0f9-63b3-20fe GigabitEthernet5/0/20 leaf~133::C
GE5/0/37 b0f9-63b3-20fe GigabitEthernet5/0/33 leaf~133::C
[spine~133::8]display vcf-fabric underlay autoconfigure
Downlink interface:
GigabitEthernet5/0/29
GigabitEthernet5/0/37
IRF allocation:
Self Bridge Mac: 542b-dead-45f8
IRF Status: Yes
Member List: [5, 1]
BFD Mad-port pairs: GE1/0/7 , GE5/0/2
VLAN ID Allocation:
VLAN range: 3001-3500
VLAN exist and system reserved:
[1]
Interface VLAN ID
GigabitEthernet5/0/37 3497
GigabitEthernet5/0/29 3498
View the routing table where equal-cost routes have been generated.
[spine~133::8]dis ipv6 routing-table
Destinations : 10 Routes : 11
Destination: ::/0 Protocol : Direct
NextHop : FE80::562B:DEFF:FED6:BB83 Preference: 80
Interface : Vlan1 Cost : 0
Destination: ::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 51::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 51::2/128 Protocol : O_INTRA
NextHop : FE80::B2F9:63FF:FEB3:2111 Preference: 10
Interface : Vlan3497 Cost : 1
Destination: 51::2/128 Protocol : O_INTRA
NextHop : FE80::B2F9:63FF:FEB3:2112 Preference: 10
Interface : Vlan3498 Cost : 1
Single Leaf device
Start up the Leaf device with no configuration
If a Leaf device starts up with no configuration, it can obtain the Leaf configuration template after obtaining the IP address.
Automatic configuration attempt: 1.
Interface used: Vlan-interface1.
Enable DHCP client on Vlan-interface1.
Set DHCP client identifier: 4ce9e49816cb-VLAN0001
Vlan-interface1 failed to obtain IP address.
Set DHCP6 client identifier: 4ce9e49816cb-VLAN0001
Obtained configuration file name hefei.template and TFTP server IPv6 address 130::195. // The TFTP address of the controller.
Obtained an IPv6 address for Vlan-interface1: 132::A.
INFO: Get device tag file device_tag.csv success.
INFO: Read role leaf from tag file.
Successfully downloaded file hefei_leaf.template. // Name of the Leaf template on the controller page.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
Press ENTER to get started.
Wait for automatic configuration of the Leaf device. The device delivers the automatic configuration commands based on the hefei_leaf.template. You can use the dir command to view hefei_leaf.template and the more hefei_leaf.template command to view more detailed information. For more details, see "Leaf device configurations".
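An added example (not part of the H3C tooling) that checks a captured start-up log, such as the Spine and Leaf outputs above, against the plan: the TFTP server must lie in the Controller and Other Server Subnets, the obtained address in the VLAN 1 pool, and the role and template must be the expected ones. The function names are hypothetical, and the second log is constructed by replacing the TFTP address with a documentation address.

```python
import ipaddress
import re
from typing import Dict, List

# Leaf start-up output from this guide, without the "//" annotations.
LEAF_BOOT_LOG = """\
Automatic configuration attempt: 1.
Interface used: Vlan-interface1.
Enable DHCP client on Vlan-interface1.
Set DHCP client identifier: 4ce9e49816cb-VLAN0001
Vlan-interface1 failed to obtain IP address.
Set DHCP6 client identifier: 4ce9e49816cb-VLAN0001
Obtained configuration file name hefei.template and TFTP server IPv6 address 130::195.
Obtained an IPv6 address for Vlan-interface1: 132::A.
INFO: Get device tag file device_tag.csv success.
INFO: Read role leaf from tag file.
Successfully downloaded file hefei_leaf.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
"""
# Constructed variant: same log, TFTP server outside the planned subnets.
CONSTRUCTED_BAD_LOG = LEAF_BOOT_LOG.replace("130::195", "2001:db8::66")

RE_TFTP = re.compile(r"Obtained configuration file name (\S+) and TFTP server "
                     r"IPv6 address ([0-9A-Fa-f:]+)")
RE_ADDR = re.compile(r"Obtained an IPv6 address for (\S+): ([0-9A-Fa-f:]+)")
RE_ROLE = re.compile(r"Read role (\w+) from tag file")
RE_TEMPLATE = re.compile(r"Successfully downloaded file (\S+?\.template)")
RE_DONE = re.compile(r"Automatic configuration successfully completed")


def parse_boot_log(text: str) -> Dict[str, object]:
    """Extract the fields that decide what the device downloaded, and from where."""
    out: Dict[str, object] = {"bootfile": None, "tftp_server": None,
                              "interface": None, "address": None,
                              "role": None, "template": None}
    m = RE_TFTP.search(text)
    if m:
        out["bootfile"], out["tftp_server"] = m.group(1), m.group(2)
    m = RE_ADDR.search(text)
    if m:
        out["interface"], out["address"] = m.group(1), m.group(2)
    m = RE_ROLE.search(text)
    if m:
        out["role"] = m.group(1)
    m = RE_TEMPLATE.search(text)
    if m:
        out["template"] = m.group(1)
    out["completed"] = bool(RE_DONE.search(text))
    return out


def parse_subnets(field: str) -> list:
    """Parse a comma-separated subnet field such as '130::/64,190::/64'."""
    return [ipaddress.ip_network(p.strip()) for p in field.split(",") if p.strip()]


def _in_any(addr: str, networks: list) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # missing or malformed address counts as "not inside"
        return False
    return any(ip.version == n.version and ip in n for n in networks)


def verify(parsed: Dict[str, object], vlan1_pool: str, server_subnets: str,
           expected_role: str, expected_template: str) -> List[str]:
    """Return a list of deviations from the plan; an empty list means none."""
    findings = []
    if not _in_any(parsed["tftp_server"] or "", parse_subnets(server_subnets)):
        findings.append(f"TFTP server {parsed['tftp_server']} is outside the server subnets")
    if not _in_any(parsed["address"] or "", [ipaddress.ip_network(vlan1_pool)]):
        findings.append(f"address {parsed['address']} is outside the VLAN 1 pool")
    if parsed["role"] != expected_role:
        findings.append(f"role {parsed['role']} differs from planned role {expected_role}")
    if parsed["template"] != expected_template:
        findings.append(f"template {parsed['template']} differs from {expected_template}")
    if not parsed["completed"]:
        findings.append("automatic configuration did not complete")
    return findings


if __name__ == "__main__":
    for name, log in (("guide log", LEAF_BOOT_LOG), ("constructed log", CONSTRUCTED_BAD_LOG)):
        result = verify(parse_boot_log(log), "132::/64", "130::/64,190::/64",
                        "leaf", "hefei_leaf.template")
        print(name, "->", result or "matches the plan")
```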
Deliver configurations to the interface on the leaf device
Deliver the corresponding configuration to the uplink and downlink interfaces that are dynamically identified.
Uplink interface: Configure VLAN 3496. If there are multiple uplink interfaces, ECMP is configured.
#
interface GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 3496
#
Downlink interface: After the Access device is deployed automatically, the downlink interface is configured as a trunk port and bound to service instance 4094.
#
interface GigabitEthernet1/0/29
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 99 101 to 4094
stp tc-restriction
#
service-instance 4094
encapsulation s-vid 4094
xconnect vsi vxlan4094
#
View main configurations of the Leaf device
During automated device deployment, you can use commands on the device to check whether the IP addresses are obtained. The Leaf device obtains the IP addresses of VLAN 1 and the loopback interface. A VLAN is automatically assigned to the interconnect interface between the Leaf device and the Spine device, and its IP address uses the IP address of the loopback interface. (The VLAN range is determined by the Underlay VLAN range in the automation template.)
View the IP addresses on the device to see if they are successfully obtained.
[leaf~133::5]dis ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
LoopBack0 up up(s) 51::3
M-GigabitEthernet0/0/0 down down Unassigned
Tunnel0 up up Unassigned
Tunnel1 up up Unassigned
Vlan-interface1 up up 132::A
Vlan-interface3496 up up FE80::4EE9:E4FF:FE98:16DD
Vsi-interface4092 up up FE80::4EE9:E4FF:FE98:16F1
Vsi-interface4094 up up 133::5
Check the peer establishment status between the Leaf device and Spine device after the OSPFv3 configuration in the automation template is delivered.
#
interface Vlan-interface3496
mtu 4094
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
ipv6 address auto link-local
#
[leaf~133::5]dis ospfv3 peer
OSPFv3 Process 1 with Router ID 66.0.0.5
Area: 0.0.0.0
-------------------------------------------------------------------------
Router ID Pri State Dead-Time InstID Interface
66.0.0.1 1 Full/ - 00:00:36 0 Vlan3500
After discovering the Leaf device via the master RR device (the specified Spine device), the system will automatically assign the configuration of BGP 100 to the Spine device and Leaf device, and establish BGP peers. The corresponding BGP configuration on the Leaf device is as follows:
#
bgp 100
non-stop-routing
router-id 66.0.0.5
peer 51::2 as-number 100
peer 51::2 connect-interface LoopBack0
#
address-family l2vpn evpn
peer 51::2 enable
#
ip vpn-instance vpn-default
#
address-family ipv4 unicast
#
address-family ipv6 unicast
#
Establish EVPN peers between the Leaf device and Spine device.
[leaf~133::4]display bgp peer l2vpn evpn
BGP local router ID: 66.0.0.5
Local AS number: 100
Total number of peers: 1 Peers in established state: 1
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
51::2 100 20 17 0 14 00:09:54 Established
VSI-interface 4094 can obtain an IP address from the DHCP server only when the EVPN peers are successfully established and the VXLAN tunnels are UP. Finally, the IP addresses on the device are successfully obtained.
View information on the controller page
After the IP address of VSI 4094 is successfully obtained, view leaf device configuration on the Automation > Campus Network > Network Device page. You can see that the Leaf device, whose IP address has been switched to that of VSI 4094, has been managed by the controller. In addition, the device has been added to the Leaf device group and the Leaf device group will automatically deploy VLAN 101 to VLAN 3000 to the new device.
The IP address of the Leaf device switches from VLAN 1 to VSI 4094 to be managed by the system.
Figure 52 Device
The device is automatically added to the Leaf device group.
Figure 53 Leaf device group
The Leaf interface is automatically added to the Leaf downlink interface group.
Figure 54 Leaf downlink interface group
VLAN 101 to VLAN 3000 and VLAN 3496 are allocated on the Leaf device.
[leaf~133::4]dis vlan
Total VLANs: 2903
The VLANs include:
1(default), 101-3000, 3496, 4094
Multiple Leaf devices
For automated deployment of multiple Leaf devices, pay attention to the deployment of BGP configurations. For users, the configuration deployment is an automated process. Therefore, the users only need to view the management state of the devices on the controller page. EVPN neighbors and VXLAN tunnels will be automatically established after the BGP configurations are deployed on the devices.
The following provides the EVPN neighbor status on the Spine devices after automated deployment of two Leaf devices:
[spine~133::3]display bgp peer l2vpn evpn
BGP local router ID: 66.0.0.1
Local AS number: 100
Total number of peers: 2 Peers in established state: 2
* - Dynamically created peer
^ - Peer created through link-local address
Peer AS MsgRcvd MsgSent OutQ PrefRcv Up/Down State
51::1 100 47 55 0 3 00:39:03 Established
51::3 100 15 18 0 5 00:08:01 Established
VXLAN tunnel status viewed on the Spine device:
[spine~133::3]dis interface Tunnel
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 4038
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 51::2, destination 51::1
Tunnel protocol/transport UDP_VXLAN/IPv6
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 134 packets, 11750 bytes, 0 drops
Output: 11 packets, 1278 bytes, 0 drops
Tunnel1
Current state: UP
Line protocol state: UP
Description: Tunnel1 Interface
Bandwidth: 64 kbps
Maximum transmission unit: 4038
Internet protocol processing: Disabled
Last clearing of counters: Never
Tunnel source 51::2, destination 51::3
Tunnel protocol/transport UDP_VXLAN/IPv6
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
IRF stacking of Leaf devices
Automatic IRF stacking of Leaf devices
Prerequisites:
· The two devices support stacking.
· The two devices have an interconnection between 10 GE (or higher) ports.
· The two devices act as the same role.
To use two automatically deployed devices to form an IRF fabric:
1. Interconnect the Leaf devices with the Spine devices.
2. Interconnect one Leaf device with the other one.
3. Clear the configurations of the two devices and restart them.
If Leaf device 1 detects a connection with a rate of 10 GE or higher to Leaf device 2, and the two devices have the same role, the two devices form an IRF fabric automatically.
Leaf device 1:
%Mar 5 09:57:12:753 2021 H3C VCF/5/VCF_IRF_FOUND: In phase 2.0.1, device with MAC address 4ce9-e498-1803 found peer b0f9-63b3-20fe with the same role leaf. Availability of IRF configuration is 0.
%Mar 5 09:57:40:810 2021 H3C VCF/5/VCF_IRF_START: In phase 2.0.2, device with MAC address 4ce9-e498-1803 started IRF configuration: Current member ID 1, new member ID 5, priority 1, [None] bound to IRF-port 1, ['GigabitEthernet1/0/43', 'Ten-GigabitEthernet1/0/49'] bound to IRF-port 2.priority 1, [None] bound to IRF-port 1, ['Ten-GigabitEthernet5/1/17'] bound to IRF-port 2.
%Mar 5 09:58:42:135 2021 leaf-132::9 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 4ce9-e498-1803 finished IRF configuration with peer b0f9-63b3-20fe. The result is 0.
Leaf device 2:
%Mar 5 09:56:14:280 2021 H3C VCF/5/VCF_IRF_FOUND: In phase 2.0.1, device with MAC address b0f9-63b3-20fe found peer 4ce9-e498-1803 with the same role leaf. Availability of IRF configuration is 0.
%Mar 5 09:56:54:556 2021 H3C VCF/5/VCF_IRF_START: In phase 2.0.2, device with MAC address b0f9-63b3-20fe started IRF configuration: Current member ID 1, new member ID 1, priority 2, ['GigabitEthernet1/0/13', 'Ten-GigabitEthernet1/0/49'] bound to IRF-port 1, [None] bound to IRF-port 2.
%Mar 5 09:57:55:845 2021 leaf-132::8 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address b0f9-63b3-20fe finished IRF configuration with peer 4ce9-e498-1803. The result is 0.
After the standby device restarts, the IRF fabric is set up successfully.
%Mar 5 09:58:46:607 2021 leaf-132::9 VCF/5/VCF_REBOOT: Phase 2.0.4, Device b0f9-63b3-20fe will reboot. Reason: IRF fabric setup success.
%Mar 5 09:58:49:102 2021 leaf-132::9 SYSLOG/5/LOGFILE_USAGEHIGH: The usage of log-file flash:/logfile/logfile.log reaches 80%.
%Mar 5 09:58:50:428 2021 leaf-132::9 DEV/5/SYSTEM_REBOOT: System is rebooting now.
<leaf~133::C>dis irf
MemberID Role Priority CPU-Mac Description
*1 Master 2 f010-90db-7402 ---
+5 Standby 1 f010-90db-7406 ---
--------------------------------------------------
* indicates the device is the master.
+ indicates the device through which the user logs in.
The bridge MAC of the IRF is: b0f9-63b3-20fe
Auto upgrade : yes
Mac persistent : always
Domain ID : 0
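To confirm that the fabrics formed by automatic stacking are the ones in your plan, the VCF_IRF_FOUND and VCF_IRF_FINISH messages shown in the Spine and Leaf stacking sections can be checked against a list of expected bridge MAC pairs. This is an added example, not H3C code. The first three log lines are taken from this guide, the last two are constructed with a documentation MAC address, and treating a non-zero result as a failure is an assumption.

```python
import re
from typing import Dict, FrozenSet, List

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# "%Feb 19 08:10:14:711 2021 <sysname> VCF/5/VCF_IRF_FINISH: <text>"
HEADER = re.compile(r"%\w{3}\s+\d{1,2} [\d:]+ \d{4} (?P<host>\S+) "
                    r"VCF/\d/(?P<mnemonic>VCF_IRF_\w+): (?P<text>.*)")
FOUND = re.compile(rf"MAC address ({MAC}) found peer ({MAC}) with the same role (\w+)")
FINISH = re.compile(rf"MAC address ({MAC}) finished IRF configuration with peer "
                    rf"({MAC})\. The result is (\d+)")

SAMPLE_LOG = """\
%Feb 19 08:10:14:711 2021 spine~133::8 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 542b-dead-45f8 finished IRF configuration with peer 4ce9-e498-16cb. The result is 0.
%Feb 19 08:10:59:621 2021 spine-132::4 VCF/5/VCF_IRF_FOUND: In phase 2.0.1, device with MAC address 4ce9-e498-16cb found peer 542b-dead-45f8 with the same role spine. Availability of IRF configuration is 0.
%Feb 19 08:11:20:874 2021 spine-132::4 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 4ce9-e498-16cb finished IRF configuration with peer 542b-dead-45f8. The result is 0.
%Mar 5 09:57:12:753 2021 H3C VCF/5/VCF_IRF_FOUND: In phase 2.0.1, device with MAC address 4ce9-e498-1803 found peer 0000-5e00-5301 with the same role leaf. Availability of IRF configuration is 0.
%Mar 5 09:58:42:135 2021 leaf-132::9 VCF/5/VCF_IRF_FINISH: In phase 2.0.3, device with MAC address 4ce9-e498-1803 finished IRF configuration with peer 0000-5e00-5301. The result is 0.
"""


def collect_pairs(log_text: str) -> Dict[FrozenSet[str], dict]:
    """Group IRF events by the unordered pair of bridge MAC addresses."""
    pairs: Dict[FrozenSet[str], dict] = {}
    for line in log_text.splitlines():
        header = HEADER.search(line)  # search() tolerates a "<sysname>" prompt prefix
        if not header:
            continue
        text = header["text"]
        if header["mnemonic"] == "VCF_IRF_FOUND":
            m = FOUND.search(text)
            if m:
                rec = pairs.setdefault(frozenset(m.group(1, 2)),
                                       {"roles": set(), "results": {}})
                rec["roles"].add(m.group(3))
        elif header["mnemonic"] == "VCF_IRF_FINISH":
            m = FINISH.search(text)
            if m:
                rec = pairs.setdefault(frozenset(m.group(1, 2)),
                                       {"roles": set(), "results": {}})
                # Keyed by the reporting device, so log order does not matter.
                rec["results"][m.group(1)] = int(m.group(3))
    return pairs


def check_pairs(pairs: Dict[FrozenSet[str], dict],
                planned: Dict[FrozenSet[str], str]) -> List[str]:
    """Compare observed pairs with the plan {frozenset of two MACs: role}."""
    findings = []
    for key, rec in pairs.items():
        name = " <-> ".join(sorted(key))
        if key not in planned:
            findings.append(f"{name}: IRF pair is not in the stacking plan")
            continue
        for role in sorted(rec["roles"] - {planned[key]}):
            findings.append(f"{name}: role {role} differs from planned role {planned[key]}")
        for mac, result in sorted(rec["results"].items()):
            if result != 0:
                findings.append(f"{name}: {mac} reported result {result}")
    return findings


PLANNED_PAIRS = {frozenset({"542b-dead-45f8", "4ce9-e498-16cb"}): "spine"}

if __name__ == "__main__":
    for finding in check_pairs(collect_pairs(SAMPLE_LOG), PLANNED_PAIRS):
        print(finding)
```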
After the IRF fabric is successfully set up, the system automatically starts BFD configuration:
%Mar 5 10:04:03:440 2021 leaf-132::8 LLDP/6/LLDP_CREATE_NEIGHBOR: -Slot=5; Nearest bridge agent neighbor created on port GigabitEthernet5/0/43 (IfIndex 295), neighbor's chassis ID is b0f9-63b3-20fe, port ID is GigabitEthernet1/0/13.
%Mar 5 10:04:03:497 2021 leaf-132::8 LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent neighbor created on port GigabitEthernet1/0/13 (IfIndex 13), neighbor's chassis ID is b0f9-63b3-20fe, port ID is GigabitEthernet5/0/43.
%Mar 5 10:04:16:401 2021 leaf-132::8 IFNET/3/PHY_UPDOWN: Physical state on the interface Vlan-interface100 changed to up.
%Mar 5 10:04:16:401 2021 leaf-132::8 IFNET/5/LINK_UPDOWN: Line protocol state on the interface Vlan-interface100 changed to up.
%Mar 5 10:05:17:211 2021 leaf-132::8 BFD/5/BFD_MAD_INTERFACE_CHANGE_STATE: BFD MAD function enabled on Vlan-interface100 changed to the normal state.
One of the stacking links on the device is used as the BFD detection link, and the following configuration is delivered to the physical port:
#
interface GigabitEthernet1/0/13
port link-mode bridge
port access vlan 100
undo stp enable
undo lldp enable
#
interface GigabitEthernet5/0/43
port link-mode bridge
port access vlan 100
undo stp enable
undo lldp enable
#
Configure L3 VLAN-interface 100, configure MAD IP addresses for all member devices in the IRF, and bind them with member numbers.
#
interface Vlan-interface100
mad bfd enable
mad ip address 192.168.100.1 255.255.255.0 member 1
mad ip address 192.168.100.2 255.255.255.0 member 5
#
Enable BFD MAD globally on the devices.
[leaf~133::C]mad bfd enable
Add links between Leaf and Spine devices
After using Spine and Leaf devices to form an IRF fabric, ECMP is automatically configured if new links are added between these devices. After links are added, the link information is as follows:
[leaf~133::C]dis ipv6 routing-table
Destinations : 10 Routes : 11
Destination: ::/0 Protocol : Direct
NextHop : FE80::562B:DEFF:FED6:BB83 Preference: 80
Interface : Vlan1 Cost : 0
Destination: ::1/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0
Destination: 51::1/128 Protocol : O_INTRA
NextHop : FE80::562B:DEFF:FEAD:460B Preference: 10
Interface : Vlan3497 Cost : 1
Destination: 51::1/128 Protocol : O_INTRA
NextHop : FE80::562B:DEFF:FEAD:460C Preference: 10
Interface : Vlan3498 Cost : 1
[leaf~133::C]dis vlan
Total VLANs: 2905
The VLANs include:
1(default), 100-3000, 3497-3498, 4094
[leaf~133::C]dis vcf-fabric underlay autoconfigure
Uplink interface:
GigabitEthernet5/0/20
GigabitEthernet5/0/33
IRF allocation:
Self Bridge Mac: b0f9-63b3-20fe
IRF Status: Yes
Member List: [5, 1]
BFD Mad-port pairs: GE1/0/13 , GE5/0/43
VLAN ID Allocation:
Interface VLAN ID
GigabitEthernet5/0/33 3497
GigabitEthernet5/0/20 3498
Add links between Leaf and Access devices
NOTE: The number of auto-aggregated links is limited to two physical links.
If you add a link between Leaf and Access devices, multiple links are automatically aggregated.
%Mar 5 12:58:55:405 2021 access-132::9 LAGG/6/LAGG_ACTIVE: Member port GE1/0/13 of aggregation group BAGG1024 changed to the active state.
%Mar 5 12:59:02:833 2021 access-132::9 IFNET/3/PHY_UPDOWN: Physical state on the interface Bridge-Aggregation1024 changed to up.
%Mar 5 12:59:02:842 2021 access-132::9 IFNET/5/LINK_UPDOWN: Line protocol state on the interface Bridge-Aggregation1024 changed to up.
%Mar 5 12:58:59:630 2021 access-132::9 VCF/6/VCF_AGGR_CREATE: In phase 2.0.5, device with MAC address b0f9-63b3-20fe created aggregation group 1024. The member port list is GigabitEthernet1/0/13,GigabitEthernet1/0/21.
[leaf~133::5]dis ll n l | include access
GE5/0/35 b0f9-63b3-20fe GigabitEthernet1/0/13 access~133::2
GE5/0/41 b0f9-63b3-20fe GigabitEthernet1/0/21 access~133::2
The controller will automatically delete the configuration of the original member port and deploy the configuration of the downlink interface of the Leaf device on the aggregation port.
#
interface GigabitEthernet5/0/35
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 99 101 to 4094
port link-aggregation group 1024
#
interface GigabitEthernet5/0/41
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 99 101 to 4094
port link-aggregation group 1024
#
interface Bridge-Aggregation1024
port link-type trunk
port trunk permit vlan 1 to 99 101 to 4094
link-aggregation mode dynamic
stp tc-restriction
#
service-instance 4094
encapsulation s-vid 4094
xconnect vsi vxlan4094
#
Single Access device
NOTE:
· Before the automated deployment of the Access device, the Leaf device connecting to its uplink interface must complete automated deployment and be activated first.
· If the Access device is incorporated manually, the Leaf device connecting to its uplink interface must be incorporated and activated first.
· If the automated device deployment fails, clear the configuration of the device and perform automated deployment again.
Start up the Access device with no configuration
If the Access device starts up with no configuration, it obtains the IP address of VLAN 1 via the Leaf device and then obtains the automated deployment template.
Automatic configuration attempt: 1.
Interface used: Vlan-interface1.
Enable DHCP client on Vlan-interface1.
Set DHCP client identifier: 4ce9e4981803-VLAN0001
Vlan-interface1 failed to obtain IP address.
Set DHCP6 client identifier: 4ce9e4981803-VLAN0001
Obtained configuration file name hefei.template and TFTP server IPv6 address 130::195. // The TFTP address of the controller.
Obtained an IPv6 address for Vlan-interface1: 132::3.
INFO: Get device tag file device_tag.csv success.
INFO: Read role access from tag file.
Successfully downloaded file hefei_access.template.//Device template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
Press ENTER to get started.
Complete automatic configuration of the Access device
Wait for automatic configuration of the Access device, which executes the automatic configuration command based on the hangzhou_access.template. Each downlink interface of the Access device is allocated with a unique PVID during automated deployment. If the device is a switch that supports PoE, the PoE function is enabled for ports. You can use the dir command to view hefei_access.template and the more hefei_access.template command to view more detailed information. For more details, see "Access device configurations".
View main configuration of the Access device
Wait for the automated deployment of the Access device. The IP addresses of VLAN 1 and VLAN 4094 are successfully obtained.
[access~133::8]dis ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
M-GigabitEthernet0/0/0 down down Unassigned
Vlan-interface1 up up 132::3
Vlan-interface4094 up up 133::8
The uplink interface of the Access device is set to Trunk all.
#
interface GigabitEthernet1/0/20
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
If the device supports PoE, the PoE function is enabled for all interfaces. If an AP device is detected, VLAN 4093 will be configured and the downlink interface of the Access device is configured with PVID 4093.
#
interface GigabitEthernet1/0/20
port link-mode bridge
port link-type trunk
port trunk permit vlan all
poe enable
#
View information on the controller page
When you view device information on the Automation > Campus Network > Network Device page, you can see the following configuration:
· The IP address of the access device has changed from VLAN-interface 1 address to VLAN-interface 4094 address.
· The access device has been managed by the controller.
Figure 55 Device
The device is also automatically added to the access device group.
Figure 56 Access device group
IRF stacking of Access devices
Automatic IRF stacking of Access devices
To use two automatically deployed devices to form an IRF fabric:
1. Interconnect the Access devices with the Leaf device.
2. Interconnect the two devices via one cable.
3. Clear the configurations of the two devices and restart them.
After adding another Access device for automated deployment, the two devices automatically form an IRF fabric if Access device 1 detects a 10 GE connection with Access device 2 and the two devices have the same role.
[access~133::7]dis irf
MemberID Role Priority CPU-Mac Description
*+1 Master 2 f010-90db-7402 ---
5 Standby 1 f010-90db-7406 ---
--------------------------------------------------
* indicates the device is the master.
+ indicates the device through which the user logs in.
The bridge MAC of the IRF is: b0f9-63b3-20fe
Auto upgrade : yes
Mac persistent : always
Domain ID : 0
NOTE: At present, the IRF stacking of Access devices does not support automated configuration of BFD MAD. If necessary, you need to manually configure BFD MAD.
To manually configure BFD MAD:
4. After an IRF is formed, ensure that the physical port of BFD is down, and configure BFD on the physical ports of the IRF fabric composed of Access devices.
#
vlan 100 // Dedicated for BFD MAD.
#
#
interface Ten-GigabitEthernet 1/0/49
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
undo stp enable
stp edged-port //The controller will audit the difference if this command is not configured.
undo lldp enable
#
#
interface Ten-GigabitEthernet 5/0/49
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100
undo stp enable
stp edged-port //The controller will audit the difference if this command is not configured.
undo lldp enable
#
#
interface Vlan-interface100
mad bfd enable
mad ip address 192.168.100.1 255.255.255.0 member 1
mad ip address 192.168.100.5 255.255.255.0 member 5
#
5. Interconnect the two ports that need to configure BFD and check the state of BFD MAD.
[5130s-hi-down]disp mad verbose
Multi-active recovery state: No
Excluded ports (user-configured):
Excluded ports (system-configured):
IRF physical interfaces:
Ten-GigabitEthernet1/0/49
Ten-GigabitEthernet5/0/49
BFD MAD interfaces:
GigabitEthernet1/0/13
GigabitEthernet5/0/43
Vlan-interface100
MAD ARP disabled.
MAD ND disabled.
MAD LACP disabled.
MAD BFD enabled interface: Vlan-interface99
MAD status : Normal
Member ID MAD IP address Neighbor MAD status
1 192.168.100.1/24 5 Normal
5 192.168.100.5/24 1 Normal
Automatic link aggregation between Leaf and Access devices
NOTE: The number of auto-aggregated links is limited to two physical links.
[access~133::2]dis ll n l | include leaf
GE1/0/13 4ce9-e498-16cb GigabitEthernet5/0/35 leaf~133::5
GE1/0/21 4ce9-e498-16cb GigabitEthernet5/0/41 leaf~133::5
[access~133::2]dis vlan brief
Brief information about all VLANs:
Supported Minimum VLAN ID: 1
Supported Maximum VLAN ID: 4094
Default VLAN ID: 1
VLAN ID Name Port
1 VLAN 0001 BAGG1024(U) GE1/0/13(U)
GE1/0/21(U)
101 VLAN 0101 BAGG1024(U) GE1/0/1(D)
GE1/0/13(U) GE1/0/21(U)
102 VLAN 0102 BAGG1024(U) GE1/0/2(D)
GE1/0/13(U) GE1/0/21(U)
[access~133::2]dis link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1024
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, b0f9-63b3-20fe
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/13 S 32768 1 1 {ACDEF}
GE1/0/21 S 32768 2 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/13(R) 32768 1 1 0x8000, 4ce9-e498-16cb {ACDEF}
GE1/0/21 32768 2 1 0x8000, 4ce9-e498-16cb {ACDEF}
Cascading of Access devices
If the Access device needs to be cascaded, the GE port must be used for cascading. The Access device directly connected to the Leaf device is called the level-1 Access device, the Access device cascaded to the level-1 Access device is called the level-2 Access device, and so on. The current version supports up to three levels of cascading. The automated deployment process of the level-2 Access device is similar to that of the level-1 Access device.
NOTE:
· During automated deployment of the level-1 Access device, the downlink interface is automatically configured with a PVID starting from 101 (101 to 3000). However, if a level-2 Access device is cascaded to the level-1 Access device, the PVID will be restored to 1 once the level-1 Access device detects that the downlink interface is UP and the device is an H3C switch, to ensure the automated deployment of the level-2 Access device. If the device is a non-H3C device, manually set PVID to 1.
· The number of auto-aggregated links of the cascading Access device is limited to two physical links.
Start up the cascaded Access devices with no configuration
If the cascaded Access devices start up with no configuration, the automated deployment process is as follows:
Startup configuration file doesn't exist or is invalid.
Performing automatic configuration... Press CTRL_C or CTRL_D to break.
Automatic configuration attempt: 1.
Interface used: Vlan-interface1.
Enable DHCP client on Vlan-interface1.
Set DHCP client identifier: b0f963b320fe-VLAN0001
Vlan-interface1 failed to obtain IP address.
Set DHCP6 client identifier: b0f963b320fe-VLAN0001
Obtained configuration file name hefei.template and TFTP server IPv6 address 130::195.
Obtained an IPv6 address for Vlan-interface1: 132::7.
INFO: Get device tag file device_tag.csv success.
INFO: Read role access from tag file.
Successfully downloaded file hefei_access.template.
Executing the configuration file. Please wait...
Automatic configuration successfully completed.
Line aux0 is available.
Press ENTER to get started.
View and check the deployment information
View the obtained IP addresses of VLAN-interface 1 and VLAN-interface 4094.
<access~133::9>dis ipv6 interface brief
*down: administratively down
(s): spoofing
Interface Physical Protocol IPv6 Address
M-GigabitEthernet0/0/0 down down Unassigned
Vlan-interface1 up up 132::7
Vlan-interface4094 up up 133::9
On the Automation > Campus Network > Network Device page, you can see that the added level-2 Access device has been managed.
Figure 57 Device
The level-2 Access device is also automatically imported to the Access device group.
Figure 58 Access device group
Configure the security group
Add a DHCPv6 server in the isolation domain
Access Automation > Campus Network > Isolation Domain > Isolation Domain page, and click Add to add an isolation domain, or click the Edit icon in the actions column to edit the isolation domain. This document takes the editing of the isolation domain as an example.
Click the Edit icon in the actions column corresponding to isolate_domain1 in the list. Click the drop-down arrow of DHCPv6 Server to select the DHCPv6 server to be configured, and then click OK to save the configuration.
Figure 59 Binding loose Microsoft DHCP
Figure 60 Configuring Microsoft DHCPv6
Figure 61 Binding vDHCP
Figure 62 DHCP
Add a Layer 2 network domain
1. Access Automation > Campus Network > Private Network > Layer 2 Network Domain page, and click Add to add a Layer 2 network domain, or click the Edit icon in the actions column to edit the Layer 2 network domain. This document takes the editing of a Layer 2 network domain as an example.
2. For the Layer 2 network domain whose type is normal, configure the IPv6 subnet in the Subnets area at the bottom of the page. When IPv6 Address Allocation is set to SLAAC or Stateless DHCPv6, only global unicast addresses with a prefix length of 64 bits are supported.
Figure 63 Configuring subnets
For IPv6 address allocation, the following modes are supported:
¡ Manual: Manually configure static IPv6 addresses on user terminals.
¡ SLAAC: Short for Stateless Address Autoconfiguration. SLAAC enables an interface to automatically generate an IPv6 global unicast address by using the address prefix in the received RA message and interface ID.
¡ Stateful DHCPv6: The user obtains the IPv6 address via the DHCPv6 server and configures other network parameters based on DHCPv6 server messages. If both the M (Managed Address Configuration) flag and the O (Other Configuration) flag in the RA message received by the user are set to 1, the DHCPv6 client automatically enables the stateful DHCPv6 configuration function.
¡ Stateless DHCPv6: The DHCPv6 server assigns other network configuration parameters to clients that already have IPv6 addresses/prefixes, a process known as DHCPv6 stateless configuration. If the M (Managed Address Configuration) flag in the RA message is set to 0 and the O (Other Configuration) flag is set to 1, the DHCPv6 client automatically enables the stateless DHCPv6 configuration function to obtain network configuration parameters other than addresses/prefixes.
Figure 64 IPv6 address allocation
3. Switch to the Advanced tab to enable DHCPv6 Snooping or IPv6 ND Snooping. DHCPv6 snooping ensures that the client obtains IPv6 addresses or IPv6 prefixes from valid servers, and can record the correspondence between IPv6 addresses or IPv6 prefixes of the DHCPv6 client and MAC addresses. IPv6 ND Snooping is a security monitoring technique to prevent ND attacks.
Figure 65 Advanced configuration
4. After completing the configuration, click OK to save the settings.
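The address allocation modes listed in step 2 can be checked on the wire by reading the M and O flags and the Prefix Information option of a captured Router Advertisement. The following Python sketch is an added example, not part of the H3C guide or product: the RA bytes are constructed with the documentation prefix 2001:db8:0:1::/64, the function names are hypothetical, and treating M=1 as stateful regardless of O follows RFC 4861, which calls the O flag redundant when M is set.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3    # Prefix Information option


def build_ra(m, o, prefix=None, prefix_len=64, autonomous=True):
    """Build a constructed RA body for the demo (checksum left at 0)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    # type, code, checksum, hop limit, M/O flags, router lifetime,
    # reachable time, retransmit timer
    pkt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    if prefix is not None:
        pflags = 0x80 | (0x40 if autonomous else 0)   # L flag, optional A flag
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len,
                           pflags, 2592000, 604800, 0)
        pkt += ipaddress.IPv6Address(prefix).packed
    return pkt


def parse_ra(data):
    """Return the M/O flags and the prefixes carried in an RA."""
    if len(data) < 16 or data[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(data[5] & 0x80), "O": bool(data[5] & 0x40), "prefixes": []}
    off = 16
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(data):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = data[off + 2], data[off + 3]
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "length": plen,
                                   "autonomous": bool(pflags & 0x40)})
        off += opt_len
    return ra


def classify(ra):
    """Map RA contents to the allocation mode a terminal will follow."""
    auto = [p for p in ra["prefixes"] if p["autonomous"]]
    if ra["M"]:
        mode = "Stateful DHCPv6"      # O is redundant when M is set (RFC 4861)
    elif ra["O"]:
        mode = "Stateless DHCPv6"
    elif auto:
        mode = "SLAAC"
    else:
        mode = "Manual"               # nothing in the RA to autoconfigure from
    warnings = []
    if mode in ("SLAAC", "Stateless DHCPv6"):
        if not auto:
            warnings.append("no autonomous prefix: terminal cannot form an address")
        for p in auto:
            if p["length"] != 64:     # the guide supports only /64 in these modes
                warnings.append(f"{p['prefix']}: prefix length must be 64")
    return mode, warnings


if __name__ == "__main__":
    for m, o in ((True, True), (False, True), (False, False)):
        ra = parse_ra(build_ra(m, o, "2001:db8:0:1::"))
        print(f"M={int(m)} O={int(o)} ->", classify(ra))
```

An RA whose flags do not match the mode configured for the subnet is worth investigating, since ND Snooping and DHCPv6 Snooping in step 3 exist to keep terminals from acting on RAs and DHCPv6 replies from unauthorized sources.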
Configure the security group
1. Access Automation > Campus Network > Security Group > User Security Group page, and click Add to add a security group, or click the Edit icon in the actions column. This document takes the editing of the security group as an example.
2. Switch to the Layer 2 Network Domain Information tab, and click Add. Select Layer 2 Network Domain in the Optional Layer 2 Network Domain area, click the icon to add the Layer 2 network domain to the Selected Layer 2 Network Domain area, click OK to save the configuration, and the result is shown in the figure below.
Figure 66 Adding a Layer 2 network domain
Figure 67 Layer 2 network domain information
3. After completing the configuration, click OK to save the settings.
Configure IPv6 authentication
To configure IPv6 authentication, use either of the following methods:
· Deploy dual-stack IPv4 and IPv6 networks on Unified Platform. The EIA component borrows dual-stack IPv4 and IPv6 addresses from Unified Platform.
Figure 68 Deploying dual-stack IPv4 and IPv6 networks on Unified Platform
· Add an H3C EIA (IMC EIA) server on the controller. IPv6 is supported.
To add an H3C EIA (IMC EIA) server on the controller, perform the following task:
1. Access Automation > Campus Network > Network Parameters > AAA page to add an EIA server. For more information, see AD-Campus 6.3 Basic Configuration Guide.
If you add an EIA V9 server, the system does not display its IP address. When you configure an AAA policy, the system automatically obtains EIA V9 server address information.
Figure 69 Adding an EIA V7 server
Figure 70 Adding an EIA V9 server
2. Create an AAA policy template.
a. Access Automation > Campus Network > Network Device > General Device Groups page, and click Policy Templates. Click Add, and select Device Policy Template from the drop-down list.
b. Select AAA as the template type, and click Add in the Radius Scheme Settings area. On the pop-up page, enter the IPv6 addresses in Primary Auth Server IP and Secondary Auth Server IP.
Figure 71 Adding a Radius scheme (EIA V7)
Figure 72 Adding a Radius scheme (EIA V9)
c. After completing the configuration, click OK to save the configuration, and the result is shown in the figure below.
Figure 73 Configuration result
d. Click Add in the ISP Domain Settings area to access the Add ISP Domain page. Select Radius Scheme, set Is A Default Domain to Yes, click OK, and then you will return to the page for adding the device policy template. Click OK to save the template.
Figure 74 Adding an ISP domain
3. Create a MAC/MAC Portal policy template.
a. Access Automation > Campus Network > Network Device > General Device Groups page, and click Policy Templates. Click Add, and select Device Policy Template from the drop-down list.
b. Select MAC/MAC Portal Authentication as the template type, and click Add in the Authentication-Free IPs area. On the pop-up page, enter the IPv6 addresses of the primary and secondary servers.
Figure 75 Authentication exemption information
c. After completing the configuration, click OK to save the template.
4. Create an 802.1X policy template.
a. Access Automation > Campus Network > Network Device > General Device Groups page, and click Policy Templates. Click Add, and select Device Policy Template from the drop-down list.
b. Select 802.1X as the template type and EAP as the authentication method.
Figure 76 Adding an 802.1X device policy template
c. After completing the configuration, click OK to save the template.
5. Add the new AAA policy template, 802.1X policy template, and MAC/MAC Portal policy template of IPv6 to its corresponding device group and interface group.
a. Access Automation > Campus Network > Network Device > General Device Groups page, and click the Edit icon in the actions column corresponding to the name Leaf Device Group.
b. Switch to the Policy tab, and click Add. In the Available Policy Templates area, select AAA as the template type. In the Available AAA Policy area, select the AAA policy template of IPv6 to be added, and click Add to add the template to the Selected Policies area. Repeat the above operations to complete the addition of 802.1X policy template and MAC/MAC Portal policy template. Click OK after the addition of the three policy templates, and then the newly added policies are displayed in the policy list.
Figure 77 Adding policy templates
Figure 78 Adding general policy groups
c. After completing the configuration, click OK to save the settings.
6. To use IPv6 MAC Portal authentication, create a single-stack IPv6 BYOD Layer 2 network domain and a single-stack IPv6 security group.
IMPORTANT: BYOD Layer 2 network domain subnets can only be configured with either IPv4 or IPv6. When a user comes online via MAC Portal authentication, configure an IPv4 subnet in the BYOD Layer 2 network domain for IPv4 EIA authentication and an IPv6 subnet in the BYOD Layer 2 network domain for IPv6 EIA authentication.
Access Automation > Campus Network > Private Network > Layer 2 Network Domain page, and click Add. Click the drop-down arrow of DHCPv6 Server to select the DHCPv6 server to be configured. Switch to the Subnets tab, click Add to configure subnets, and the result is as shown in the figure below.
Figure 79 Adding a Layer 2 network domain
7. (Optional.) On the EIA V7 page, access User > Access Policy Management > Service Parameter Settings > System Settings > System Parameter Settings page to enable IPv6, and the other settings are the same as those for enabling IPv4.
Figure 80 Enabling IPv6 on the EIA V7 page
IMPORTANT: The IPv6 address of EIA V7 needs to be configured during the installation of EIA. If you need to enable the IPv6 function of EIA after completing the configuration of EIA, you can modify the configuration file (the server-addr file in the path C:\Program File\iMC\common\conf) by changing the IPv6 address segment in the file to 190::204 and restarting the IMC service (modifying the configuration file is not recommended).
Figure 81 Logging in to the management interface at the IPv6 address
8. (Optional and applicable to EIA V7) After the AAA policy template is bound to the Leaf device group, the controller pushes the access device to EIA V7. On the EIA system, access User > Access Service > Access Device Management > Access Device page to view information about the access device.
Figure 82 Viewing the information about the access device
Configure authentication terminals
For a user terminal with a Windows system, when obtaining IPv6 addresses during stateless address autoconfiguration (including stateless DHCPv6 and SLAAC), the user terminal automatically generates two IPv6 addresses: public IPv6 address and temporary IPv6 address.
· Public IPv6 address: Includes the address prefix in the received RA message and a fixed interface ID generated based on the MAC address.
· Temporary IPv6 address: Includes the address prefix in the RA message and a random interface ID generated through MD5.
The IPv6 address with a random interface ID generated during stateless address autoconfiguration decreases network vulnerability. If there is a temporary IPv6 address, the user interacts with external networks via this address.
To enable or disable the temporary IPv6 address, execute the following commands in the Windows terminal command line interface:
netsh interface IPv6 set privacy state=enable
netsh interface IPv6 set privacy state=disable
CAUTION: When the user comes online via IPv6 MAC Portal authentication, the user needs to open a web page on the user PC in a non-DNS environment and enter any IPv6 address, for example, 23:1::1, so that the user portal can automatically redirect to the default BYOD portal.
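When reviewing authentication or snooping records, it helps to tell the two address types described above apart. The following Python sketch is an added example, not part of the H3C guide: it assumes the MAC-based interface ID is the modified EUI-64 form defined in RFC 4291, and the MAC addresses, user names, and 2001:db8:0:1::/64 prefix are constructed sample values.

```python
import ipaddress
import re


def parse_mac(text):
    """Accept xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xx-xx-... notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(raw):
    """Render a MAC in the xxxx-xxxx-xxxx style used in the device output."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    b = parse_mac(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def slaac_address(prefix, mac):
    """Public address a terminal forms from an RA prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with a MAC-based interface ID needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC from a MAC-based address, or None if the ID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # A random ID contains ff:fe at this offset only by chance (1 in 65536),
    # so confirm the recovered MAC against a binding table before trusting it.
    return format_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def classify_addresses(addresses, mac_to_user):
    """Label each observed address and attach the bound user when known."""
    bindings = {format_mac(parse_mac(m)): u for m, u in mac_to_user.items()}
    rows = []
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is None:
            rows.append((addr, "temporary or other", None))
        elif mac in bindings:
            rows.append((addr, "public", bindings[mac]))
        else:
            rows.append((addr, "public, MAC not bound", None))
    return rows


# Constructed sample data.
BINDINGS = {"0011-2233-4455": "alice"}
OBSERVED = [
    "2001:db8:0:1:211:22ff:fe33:4455",   # MAC-based interface ID
    "2001:db8:0:1:5c3a:91d2:7be4:10af",  # random interface ID
    "2001:db8:0:1:a8bb:ccff:fedd:eeff",  # MAC-based, MAC not in the table
]

if __name__ == "__main__":
    for row in classify_addresses(OBSERVED, BINDINGS):
        print(row)
```

Traffic sourced from a temporary address cannot be tied to a terminal by inspecting the address alone, so attribution for those flows depends on the IPv6-to-MAC correspondence recorded by DHCPv6 Snooping or ND Snooping.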
User online
The user online service of IPv6 is the same as that of IPv4, except that IPv6 subnets are used and the user obtains an IPv6 address. For details, see "User authentication and online" in AD-Campus 6.3 Basic Configuration Guide.
O&M monitoring
For details, see AD-Campus 6.3 Operations Monitoring Deployment Guide.
Appendix
Spine device configurations
##
## Please note:The following variable names are used by the internal system,please do not use
## _underlayIntfUp _underlayIntfDown _all_leaf _master_spine
## _master_spine_mac _underlayIPRange
##
##NEW_VERSION
#USERDEF
##Template version
template_version = 5.0
##BACKUP_SERVER
##Local user: Username
_username = h3c
##Local user: Password
_password = campus1234
## User roles
_rbacUserRole = network-admin
##MAC address of the master spine device
_master_spine_mac = 542b-dead-45f8
##MAC address of the master spine device and address range of loopback interfaces
##Format: 1122-3344-5566:10.100.0.0/16, AABB-CCDD-EEFF:10.101.0.0/16
##MAC address and VLAN ID range of the spine device
##Format: 1122-3344-5566:2-100 ,AABB-CCDD-EEFF:101-200
_underlayVLANRange = 542b-dead-45f8:3001-3500
##IP address of the log host
_loghost_ip = 130::195
##is_ipv6_begin_var
##Device is automatically online by ipv6
_is_ipv6 = true
##is_ipv6_end_var
##Out of band
_OOB = False
##SSH enabled
_SSH = True
##Disable automatic IRF setup
_irf_disable = false
##Enabling whitelist filtering (False by default)
_white_list_check = true
##Disabling automatic allocation of an underlay IP (False by default)
_ip_disable = false
##Enabling automatic IRF mode switching
_irf_mode_auto_convert = True
##MAD BFD
_mad_vlan = 100
_mad_ip = 192.168.100.1, 192.168.100.2
##BGP AS number
bgp_as_campus = 100
[H3CS5560X]
driver = 5560X
_switch_mode = 1
[H3CS6520X]
driver = 6520X
_switch_mode = 1
[H3CS125??G-AF]
driver = 125GAF
_tcam_resource = arp
_vxlan_resource = l3gw
_routing_mode_resource = ipv6-128
##
#STATICCFG
#
clock timezone beijing add 08:00:00
#
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 both
##address_family_evpn_begin
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
##address_family_evpn_end
##address_family_ipv6_begin
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
##address_family_ipv6_end
#
lldp global enable
#
interface Vlan-interface1
ip address dhcp-alloc
#
ospfv3 1
non-stop-routing
area 0.0.0.0
#
##loopback0_begin_all
interface LoopBack0
##loopback0_end_all
#
interface $$_underlayIntfDown
ipv6 address auto link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
mtu 4094
#
netconf soap https enable
netconf ssh server enable
restful https enable
#
ssh server enable
#
info-center loghost $$_loghost_ip
#
stp mode pvst
stp vlan 1 enable
undo stp vlan 2 to 4094 enable
stp global enable
stp vlan 1 priority 0
#
local-user $$_username
password simple $$_password
service-type http https ssh
authorization-attribute user-role $$_rbacUserRole
#
line vty 0 63
authentication-mode scheme
user-role $$_rbacUserRole
#
bgp $$bgp_as_campus
non-stop-routing
address-family l2vpn evpn
ip vpn-instance vpn-default
##address_family_ipv4_unicast_begin
address-family ipv4 unicast
import-route static
##address_family_ipv4_unicast_end
##address_family_ipv6_unicast_begin
address-family ipv6 unicast
import-route static
##address_family_ipv6_unicast_end
#
l2vpn enable
#
vlan 4094
#
interface Vsi-interface4094
ip binding vpn-instance vpn-default
local-proxy-arp enable
##local-proxy-nd_enable_begin
local-proxy-nd enable
##local-proxy-nd_enable_end
mtu 4094
#
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
##ipv6_address_auto_link_local_begin
ipv6 address auto link-local
##ipv6_address_auto_link_local_end
l3-vni 4092
description SDN_VRF_VSI_Interface_4092
#
vsi vxlan4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
nd mac-learning disable
arp mac-learning disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
##ipv6_dhcp_snooping_trust_tunnel_begin
ipv6 dhcp snooping trust tunnel
##ipv6_dhcp_snooping_trust_tunnel_end
loopback-detection action block
loopback-detection enable vlan 4094
#
vxlan tunnel mac-learning disable
vxlan tunnel arp-learning disable
vxlan tunnel nd-learning disable
#
vcf-fabric topology enable
#
vxlan default-decapsulation source interface LoopBack 0
#
##ipv6_static_route_begin_all
ipv6 route-static vpn vpn-default 130:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static vpn vpn-default 190:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static 130:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
ipv6 route-static 190:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
#
##ipv6_static_route_end_all
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
telnet server enable
#
netconf soap https enable
netconf soap http enable
local-user h3c
password simple campus1234
service-type telnet ssh http https
authorization-attribute user-role network-admin
#
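The Spine template above carries several management-plane settings that a hardening review would normally flag before the file is served to devices during automated deployment: local-user passwords in simple (plaintext) form, the public/private SNMP communities, SNMP versions before v3, Telnet, and HTTP. The following Python linter is an added example, not part of the H3C guide or product; the rule names are labels chosen here, and the sample is a constructed excerpt of lines copied from the template.

```python
import re

# Constructed excerpt: lines copied from the Spine template above, shortened.
SAMPLE_TEMPLATE = """\
#USERDEF
_username = h3c
_password = campus1234
_rbacUserRole = network-admin
#STATICCFG
#
local-user $$_username
 password simple $$_password
 service-type http https ssh
 authorization-attribute user-role $$_rbacUserRole
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
telnet server enable
#
netconf soap https enable
netconf soap http enable
local-user h3c
 password simple campus1234
 service-type telnet ssh http https
 authorization-attribute user-role network-admin
#
"""

# (rule id, pattern applied to the expanded config line, reason)
RULES = [
    ("plaintext-password", re.compile(r"^password simple\s+\S+"),
     "password is readable by anyone who can fetch or read the template"),
    ("default-snmp-community",
     re.compile(r"^snmp-agent community (read|write) (public|private)$"),
     "well-known community string"),
    ("snmp-v1-v2c", re.compile(r"^snmp-agent sys-info version (all|v1|v2c)\b"),
     "SNMPv1/v2c send community strings unencrypted"),
    ("telnet-server", re.compile(r"^telnet server enable$"),
     "Telnet sends credentials unencrypted"),
    ("cleartext-service",
     re.compile(r"^netconf soap http enable$|^service-type\b.*\b(http|telnet)\b"),
     "management service without transport encryption"),
]

VAR_REF = re.compile(r"\$\$(\w+)")


def split_template(text):
    """Return (variables, [(lineno, config line)]) from a template."""
    variables, config, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line in ("#USERDEF", "#STATICCFG"):
            section = line
        elif not line or line == "#" or line.startswith("##"):
            continue                      # separators and template comments
        elif section == "#USERDEF" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            variables[key] = value
        elif section == "#STATICCFG":
            config.append((lineno, line))
    return variables, config


def audit_template(text):
    """Return one finding per (config line, matching rule)."""
    variables, config = split_template(text)
    findings = []
    for lineno, line in config:
        # Expand $$name so rules also see values supplied through #USERDEF.
        expanded = VAR_REF.sub(
            lambda m: variables.get(m.group(1), m.group(0)), line)
        for rule_id, pattern, reason in RULES:
            if pattern.search(expanded):
                # Report the line as written, with any literal password masked.
                shown = re.sub(r"^(password simple)\s+\S+", r"\1 <redacted>", line)
                findings.append({"line": lineno, "rule": rule_id,
                                 "text": shown, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"line {f['line']:>2}  {f['rule']:<24} {f['text']}  ({f['reason']})")
```

Run it against the full template file before uploading it to the controller; a clean result only means none of these five rules matched.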
Leaf device configurations
##
## Please note:The following variable names are used by the internal system,please do not use
## _underlayIntfUp _underlayIntfDown _all_leaf _master_spine _backup_spine
## _master_spine_mac
##
##NEW_VERSION
#USERDEF
##Template version
template_version = 5.0
##Local user: Username
_username = h3c
##Local user: Password
_password = campus1234
## User roles
_rbacUserRole = network-admin
##master_leaf_mac_begin_var
##MAC address of the master leaf device
_master_leaf_mac =${master_leaf_mac}
##master_leaf_mac_end_var
##IP address of the log host
_loghost_ip = 130::195
##is_ipv6_begin_var
##Device is automatically online by ipv6
_is_ipv6 = true
##is_ipv6_end_var
##Out of band
_OOB = False
##Supporting aggregation (True by default)
_lagg_enable = True
##Enforcing aggregation
_lagg_force = True
##Do not delete aggregation group
_lagg_fake_delete = True
##SSH enabled
_SSH = True
##Disable automatic IRF setup
_irf_disable = false
##Enabling whitelist filtering (False by default)
_white_list_check = true
##Enabling automatic IRF mode switching
## Enable OLT interface
_olt = true
## auto IRF mode convert
_irf_mode_auto_convert = True
##MAD BFD
_mad_vlan = 100
_mad_ip = 192.168.100.1, 192.168.100.2
##BGP AS number
bgp_as_campus = 100
##Disable lldp function when MAD BFD
_mad_undo_lldp=True
[H3CS5560X]
driver = 5560X
_switch_mode = 1
[H3CS6520X]
driver = 6520X
_switch_mode = 1
[H3CS125??G-AF]
driver = 125GAF
_tcam_resource = mix
_vxlan_resource = l3gw
_routing_mode_resource = ipv6-128
[UNISS5600X]
driver = 5560X
_switch_mode = 1
[UNISS6600X]
driver = 6520X
_switch_mode = 1
##
#STATICCFG
#
clock timezone beijing add 08:00:00
#
ip vpn-instance vpn-default
route-distinguisher 1:1
vpn-target 1:1 both
##address_family_evpn_begin
address-family evpn
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
##address_family_evpn_end
##address_family_ipv6_begin
address-family ipv6
vpn-target 1:1 import-extcommunity
vpn-target 1:1 export-extcommunity
##address_family_ipv6_end
#
lldp global enable
#
dhcp snooping enable vlan 2 to 4094
#
interface Vlan-interface1
ip address dhcp-alloc
#
ospfv3 1
non-stop-routing
area 0.0.0.0
#
##loopback0_begin_all
interface LoopBack0
##loopback0_end_all
#
stp mode pvst
stp vlan 1 enable
undo stp vlan 2 to 4094 enable
stp global enable
stp vlan 1 priority 8192
#
netconf soap https enable
netconf ssh server enable
restful https enable
#
ssh server enable
#
info-center loghost $$_loghost_ip
#
local-user $$_username
password simple $$_password
service-type http https ssh
authorization-attribute user-role $$_rbacUserRole
#
line vty 0 63
authentication-mode scheme
user-role $$_rbacUserRole
#
bgp $$bgp_as_campus
non-stop-routing
address-family l2vpn evpn
ip vpn-instance vpn-default
##address_family_ipv4_unicast_begin
address-family ipv4 unicast
##address_family_ipv4_unicast_end
##address_family_ipv6_unicast_begin
address-family ipv6 unicast
##address_family_ipv6_unicast_end
#
interface $$_underlayIntfUp
ipv6 address auto link-local
ospfv3 1 area 0.0.0.0
ospfv3 network-type p2p
mtu 4094
#
interface $$_underlayIntfDown
port link-type trunk
port trunk permit vlan all
undo port trunk permit vlan $$_mad_vlan
stp tc-restriction
service-instance 4094
encapsulation s-vid 4094
xconnect vsi vxlan4094
#
interface $$_underlayIntfGe
poe enable
#
interface $$_underlayIntfONU
port link-type trunk
port trunk permit vlan all
undo port trunk permit vlan $$_mad_vlan
#
interface $$_underlayIntfRONU
port link-type trunk
port trunk permit vlan all
undo port trunk permit vlan $$_mad_vlan
#
l2vpn enable
#
vlan 4094
#
interface Vsi-interface4094
ip binding vpn-instance vpn-default
local-proxy-arp enable
##local-proxy-nd_enable_begin
local-proxy-nd enable
##local-proxy-nd_enable_end
arp proxy-send enable
mtu 4094
#
interface Vsi-interface4092
ip binding vpn-instance vpn-default
ip address unnumbered interface Vsi-interface4094
##ipv6_address_auto_link_local_begin
ipv6 address auto link-local
##ipv6_address_auto_link_local_end
l3-vni 4092
description SDN_VRF_VSI_Interface_4092
#
vsi vxlan4094
gateway vsi-interface 4094
vxlan 4094
evpn encapsulation vxlan
mac-advertising disable
nd mac-learning disable
arp mac-learning disable
route-distinguisher auto
vpn-target auto export-extcommunity
vpn-target auto import-extcommunity
##ipv6_dhcp_snooping_trust_tunnel_begin
ipv6 dhcp snooping trust tunnel
##ipv6_dhcp_snooping_trust_tunnel_end
dhcp snooping trust tunnel
loopback-detection action block
loopback-detection enable vlan 4094
#
ip verify source exclude vlan 1
ip verify source exclude vlan 4094
#
vxlan tunnel mac-learning disable
vxlan tunnel arp-learning disable
vxlan tunnel nd-learning disable
#
vcf-fabric topology enable
#
vxlan default-decapsulation source interface LoopBack 0
#
##ipv6_static_route_begin_all
ipv6 route-static vpn vpn-default 130:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static vpn vpn-default 190:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static 130:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
ipv6 route-static 190:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
#
##ipv6_static_route_end_all
#
##ipv6_dhcp_snooping_enable_begin
ipv6 dhcp snooping enable vlan 2 to 4094
#
##ipv6_dhcp_snooping_enable_end
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
telnet server enable
#
netconf soap https enable
netconf soap http enable
local-user h3c
password simple campus1234
service-type telnet ssh http https
authorization-attribute user-role network-admin
#
Access device configurations
##
## Please note: The following variable names are used by the internal system, please do not use
## _underlayIntfUp _underlayIntfDown _all_leaf _master_spine _backup_spine
## _master_spine_mac
##
#USERDEF
##Template version
template_version = 5.0
## User roles
_rbacUserRole = network-admin
##IP address of the log host
_loghost_ip = 130::195
##is_ipv6_begin_var
##Device is automatically online by ipv6
_is_ipv6 = true
##is_ipv6_end_var
##Out of band
_OOB = False
##Supporting aggregation (True by default)
_lagg_enable = True
##Enforcing aggregation
_lagg_force = True
##Do not delete aggregation group
_lagg_fake_delete = True
##SSH enabled
_SSH = True
##Disable automatic IRF setup
_irf_disable = false
##Enabling whitelist matching (False by default)
_white_list_check = true
##Disable lldp function when MAD BFD
_mad_undo_lldp=True
#STATICCFG
#
clock timezone beijing add 08:00:00
#
lldp global enable
#
stp global enable
#
netconf soap https enable
netconf ssh server enable
restful https enable
#
interface Vlan-interface1
ip address dhcp-alloc
#
ssh server enable
#
info-center loghost $$_loghost_ip
#
line vty 0 63
authentication-mode scheme
user-role $$_rbacUserRole
#
interface $$_underlayIntfUp
port link-type trunk
port trunk permit vlan all
port link-aggregation group auto 1
#
interface $$_underlayIntfDown
port link-type trunk
port trunk pvid vlan 4093
port trunk permit vlan all
#
interface $$_underlayIntfGe
poe enable
#
vlan 4093
#
vlan 4094
#
interface Vlan-interface4094
#
#
vcf-fabric topology enable
#
#
##ipv6_static_route_begin_all
ipv6 route-static 130:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static 190:0:0:0:0:0:0:0 64 133:0:0:0:0:0:0:1
ipv6 route-static 130:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
ipv6 route-static 190:0:0:0:0:0:0:0 64 132:0:0:0:0:0:0:1
#
##ipv6_static_route_end_all
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent packet max-size 4096
#
telnet server enable
#
netconf soap https enable
netconf soap http enable
local-user h3c
password simple campus1234
service-type telnet ssh http https
authorization-attribute user-role network-admin
#
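Added example (not part of the H3C guide or the controller's tooling): a Python check that scans a device template such as the two above for the management-plane settings that use cleartext protocols, well-known SNMP community strings, or a literal password. The rule names and the `lint_template` function are this example's own, the patterns assume the Comware-style syntax shown above, and `SAMPLE` is an excerpt assembled from template lines on this page.

```python
import re

# (rule id, pattern) pairs; names are this example's own, not H3C identifiers.
RULES = [(rid, re.compile(rx)) for rid, rx in [
    # SNMPv1/v2c community strings left at the well-known values
    ("SNMP-DEFAULT-COMMUNITY", r"^snmp-agent community (read|write) (public|private)\b"),
    # "version all" (or v1/v2c) keeps community-based SNMP enabled
    ("SNMP-V1V2C", r"^snmp-agent sys-info version\b.*\b(all|v1|v2c)\b"),
    ("TELNET-SERVER", r"^telnet server enable\b"),
    # plain-HTTP SOAP listener; "netconf soap https enable" does not match
    ("NETCONF-HTTP", r"^netconf soap http enable\b"),
    # literal password in the file; $$variables are resolved elsewhere
    ("LITERAL-PASSWORD", r"^password simple (?!\$\$)\S+"),
    # local user allowed to log in over telnet or HTTP (\b excludes https)
    ("CLEARTEXT-SERVICE-TYPE", r"^service-type\b.*\b(telnet|http)\b"),
]]

def lint_template(text):
    """Return [(line_no, rule_id, line)] for every weak setting found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # separators, ## comments, #USERDEF
            continue
        findings += [(no, rid, line) for rid, rx in RULES if rx.search(line)]
    return findings

# Excerpt assembled from the template lines on this page.
SAMPLE = """\
#STATICCFG
local-user $$_username
password simple $$_password
service-type http https ssh
#
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
#
telnet server enable
netconf soap https enable
netconf soap http enable
local-user h3c
password simple campus1234
service-type telnet ssh http https
"""

if __name__ == "__main__":
    for no, rid, line in lint_template(SAMPLE):
        print(f"line {no}: {rid}: {line}")
```

An empty result means none of the six patterns is present; it says nothing about settings the rules do not cover.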