HCIP-Data Center Network V1.0 Training Material
Technologies
Foreword
⚫ In the cloud and big data era, data centers are facing massive construction requirements.
With the development of technologies and the improvement of user requirements,
simplicity, efficiency, and reliability have become a new idea for future data center
development, and the design concept of data centers is changing quietly.
⚫ This course introduces the basic concepts of the data center and data center network.
2 Huawei Confidential
Objectives
Contents
Why Do We Need a Data Center?
⚫ With the development of enterprises, the amount of data that enterprises need to process every day is increasing.
The processing power of personal computers in offices is no longer enough to meet the needs of enterprises. To
provide more efficient methods for processing information and data, enterprises build or rent data centers to
process massive data in a centralized manner, meeting enterprise development requirements.
[Figure: a small business processes data on personal PCs; as the enterprise grows, more and more data needs to be maintained; in a large enterprise, data is centrally processed in, and used through, the data center.]
What is a Data Center?
⚫ A data center, as the name suggests, is the central place where enterprises process and store massive amounts of data.
⚫ A data center is actually a large-scale equipment room. Enterprises use the existing Internet lines and bandwidth
resources of communications carriers to establish a standardized data center equipment room environment to
provide all-round computing, storage, and security services for enterprises, governments, and individuals. The data
center has the characteristics of high running speed, large storage capacity, and high security.
Typical Application Scenarios of Data Centers
[Figure: three typical application scenarios.
Bank: a traditional bank (low efficiency, few services and few NMSs) versus open banking (high efficiency, more services and fewer NMSs), covering loans, deposits, transfers, car and shopping apps. Online transaction data indexes surge, so a data center is built to quickly process data in multiple scenarios.
Government portal: data is isolated between departments at town, city, and province level, so an integrated data center is built to implement one-click service processing.
Enterprise: business develops rapidly (scale growing 10x to 100x), so a data center is built to implement intelligent service management and control.]
Overall Data Center Architecture
⚫ For enterprises, the data center is actually an extended version of the personal computer, which is responsible for computing, storing,
and forwarding enterprise data. A modern data center consists of the following parts:
▫ The computing system consists of a large number of servers and is the heart of the data center. It processes the massive data in the data center.
▫ The storage system consists of different types of storage devices. A storage device is where massive data is stored and is used for information storage.
▫ The data center network consists of different types of network devices, such as switches and firewalls. It connects the computing and storage systems in the data center. All data interaction between the computing and storage systems is implemented through the data center network.
• Key devices in the data center equipment room include servers, network devices, and storage devices. Small- and medium-sized data centers consist mainly of key devices such as servers and are characterized by a small physical footprint, low requirements on network devices, and limited capacity expansion.
Contents
Data Center Network
[Figure: DC1 and DC2 interconnected over the Internet/WAN; each DC contains servers, firewalls (FW), and load balancers (LB).]
• The data center network uses the spine-leaf architecture and VXLAN (Virtual Extensible LAN) for connectivity.
▫ Leaf: A leaf node, which provides VXLAN access for various network devices. Devices of different roles can be co-deployed based on the device type. (As shown in the figure, the border leaf node and service leaf node are co-deployed.) The specific types and functions will be described in detail later.
Terms to Explain
VXLAN-based Data Center Network Layer
• Underlay (physical network layer): basic bearer network for service data forwarding.
[Figure: VPC1 and VPC2 as overlay networks above the underlay, with servers attached to leaf switches.]
Underlay and Overlay
Overlay
• VXLAN is a logical network established on the underlay network.
• It has an independent forwarding plane and control protocol.
• The underlay physical network is transparent to the devices that are not connected to the VXLAN tunnel endpoints.
Underlay network
• The underlay network provides basic capabilities, such as reachability and reliability, for the upper-layer overlay network.
• The underlay network has independent control plane protocols and forwarding plane protocols. Generally, OSPF or EBGP is used as the control plane protocol, and IPv4 is used as the forwarding plane protocol.
• The underlay network is logically isolated from the overlay network and is unaware of overlay network routes.
[Figure legend: N = NVE; data plane; overlay control plane; hosts attached to NVEs over the underlay network.]
Typical Data Center Network Scenarios
• The Agile Controller manages network devices and forms a network resource pool.
• One network serves multiple purposes, allowing tenants to apply for network resources on demand.
• Tenants create a VPC based on the applied network resources and create a logical network in the VPC.
[Figure: the network service layer (spine, border leaf and service leaf with VAS, external network domain) and the computing access layer (server leaf, servers). Tenant 1 owns VPC1 and VPC2 and Tenant 2 owns VPC3; each VPC holds the logical network of one service, built from a logical router, a logical switch, and a logical firewall.]
Integrated Cabling
⚫ The integrated cabling of a DC has three important concepts: Top of Rack (ToR), End of Row (EoR), and Middle of
Row (MoR).
[Figure: 42 U server cabinets whose servers connect to EoR switches, which in turn uplink to modular aggregation switches.]
• Network module: responsible for network access, as the core of the WAN and LAN. The power consumption varies for different devices.
• Storage module: used for housing storage devices in a centralized mode.
• Open server module: used for housing servers in a centralized mode.
• Test module: used for housing test devices in a centralized mode.
[Figure: equipment room floor plan (Floor-X and Floor-Y) with open, network, testing, extranet, and branch modules arranged in low-, medium-, and high-density areas.]
• Open server module: used for deploying standard servers in a centralized mode,
including PC servers, blade servers, and small-sized servers. Servers feature high
standardization and high density.
• Testing module: used for deploying test devices in a centralized mode. Testing
modules feature high flexibility, with lower security requirements compared with
production modules. The modules can also be adjusted at any time based on
testing requirements, with low management requirements.
PoD
[Figure: an example data center divided into PoD 1 to PoD 4, each with two spine switches and three leaf switches.]
⚫ To facilitate the resource pool-based operation and management of a DC, a DC is divided into one or more physical
partitions and each partition is called a Point of Delivery (PoD). PoD is a common concept of DCs for physical
design and a modular design entity integrating network, storage, and computing.
⚫ PoDs can be defined based on actual service requirements:
▫ In large DCs, equipment room modules can be defined as a PoD.
▫ In midsize DCs, every two or multiple rows of cabinets can be defined as a PoD.
▫ In small DCs, one or more cabinets can be defined as a PoD.
• Definitions of the PoD scope vary between enterprises according to their usage habits. For example, some large enterprises consider an equipment room module to be larger than a PoD; in one enterprise, a PoD consists of 48 ToR devices and 4 spine switches.
Data Center Switch
• GE switches (100 M, FE, and GE access): DC servers mainly use FE/GE access. DC switches mainly provide 100 M and GE interfaces, meeting the requirements of small DCNs made of a few servers.
• 10/40 GE switches (GE and 10 GE access): DC servers mainly use GE/10 GE access. DC switches mainly provide GE interfaces, with a few 10 GE access capabilities, meeting the requirements of small- and medium-sized DCNs made of GE servers.
• 100 GE switches (10 GE, 40 GE, and 100 GE access): DC servers mainly use 10 GE/40 GE access. Therefore, DC core switches must provide high-density 10 GE/40 GE interfaces to meet the server access requirement.
Contents
Virtualization
• APP: Application.
⚫ The virtualization management platform provides a simple user interface and various functions, such as monitoring and managing
virtual resources, simplifying the creation process of VMs, configuring resource scheduling policies, and executing rules. Mainstream
virtualization platforms in the industry include Huawei VRM, VMware vCenter, and Microsoft System Center.
Cloud Computing
⚫ OpenStack is not cloud computing itself but a cloud platform that serves as a key component of cloud computing. OpenStack aims to offer resource management, including managing the computing, storage, and network resource pools of heterogeneous vendors.
[Figure: the cloud platform (OpenStack) sits above an infrastructure of servers, storage, and network devices. OpenStack forms the compute resource pool through the virtualization management platform, the storage resource pool, and the network resource pool through the SDN controller.]
• For example, OpenStack cannot independently access and abstract resources, and
needs to work with underlying virtualization software, software-defined storage
(SDS), and software-defined networking (SDN). OpenStack cannot independently
provide comprehensive application lifecycle management capabilities, and needs
to integrate various management software platforms at the upper layer.
OpenStack does not have complete system management and maintenance
capabilities. When OpenStack is put into production, it needs to integrate various
management software and maintenance tools. The man-machine interface
provided by OpenStack is not powerful enough.
• For details, see Technical Principles and Applications of the OpenStack Cloud
Platform.
Introduction to Containers
⚫ A container is an OS-level virtualization technology. Containers are more lightweight and efficient than VMs.
⚫ For example, the Linux operating system can be divided into the kernel space and the user space. The kernel of an
operating system supports multiple isolated user space instances. An advantage of the container technology is the
integration of applications and their operating environment. This enables fast transportation of an application and
greatly simplifies the process of development-test-deployment-O&M.
[Figure: shipping-container analogy. A standard transportation mode needs to be formulated, without special attention to the container content; a container packages the running job together with its filesystem.]
• The Linux operating system and drivers run in the kernel space and applications
run in the user space.
• A container can be more precisely defined as the entity that runs a container image.
• Container image:
▫ The image contains all dependencies required for application running. You
only need to run the image in the isolated sandbox without any
modification or configuration.
[Figure: a VM runs on a hypervisor on the server, whereas a container runs on the host OS on the server.]
⚫ A mature container management platform should at least contain the following two major functions: application orchestration
management and cluster resource scheduling.
⚫ There are three platforms of cluster resource management scheduling and application orchestration in the industry: Kubernetes,
Swarm, and Mesos.
[Figure: container management platform.]
Storage
⚫ Centralized storage: One or more primary computers form a central node where data is centrally stored and all service units and functions are deployed on a storage system.
⚫ In a centralized system, each terminal or client is only responsible for the input and output of data, while the storage and processing of data are completely decided by a host.
⚫ Distributed storage: The storage system stores data on multiple independent devices.
⚫ A distributed storage system adopts a scalable system architecture and enables multiple storage servers to share the storage load. This improves the scalability, reliability, availability, and access efficiency.
High-Performance Computing
⚫ High-performance computing (HPC) is a branch of computer science. HPC raises computing speed to the level of tera operations per second (TOPS) through a cluster architecture, parallel algorithms, and the parallel/distributed computing of related software, which a single computer cannot achieve.
⚫ The HPC system supports software and hardware collaboration. A typical architecture of the system includes
infrastructure, compute nodes, storage and file systems, network switching, cluster management, and resource
scheduling.
[Figure: an HPC cluster consisting of a compute cluster and parallel storage.]
$$\text{HPL efficiency} = \frac{R_{max}}{R_{peak}}$$
Introduction to AI
⚫ AI is a technical science that studies and develops theories, methods, and applications for simulating and extending human
intelligence.
⚫ Machine learning simulates and implements human learning behaviors to obtain new knowledge. It is one of the core research areas
of artificial intelligence.
⚫ Deep learning originates from research on artificial neural networks. A multilayer perceptron is a deep learning structure. Deep learning is a new research field in machine learning. It simulates the mechanisms of the human brain to interpret data, such as the recognition of images, voice, and text.
[Figure: nested circles showing deep learning as a subset of machine learning, which is in turn a subset of artificial intelligence.]
AI Industry Ecosystem
⚫ The four elements of AI are the data, algorithm, computing power, and scenario. To meet the requirements of the
four elements, AI is integrated into cloud computing, big data, IoT, and other industries.
⚫ In the AI industry, networks are expected to provide the high-speed communication between computing nodes.
⚫ Enterprises such as Facebook, Baidu, and Alibaba proactively build machine learning and deep learning platforms, which are usually built with 100 Gbps and faster network devices. AI performance test results show that the network can seriously affect computing performance. In model-parallel computing, each node computes one part of the algorithm; after the computing is complete, all data shards need to be transmitted to the other nodes.
Network requirements of AI computing:
• High bandwidth, low delay, no packet loss
• Traffic control in the incast scenario
• Congestion control with quick responses
• Fast and efficient load balancing mechanism
• Differentiated scheduling of hybrid traffic
[Figure: Machines 1 to 4 exchanging data shards after each has computed its part of the model.]
1. DC Overview
Overview of Key DCN Technologies
⚫ There are multiple network technologies applied on DCNs. This course describes the following key DCN technologies:
▫ Load balancing (SLB)
▫ M-LAG
▫ VXLAN
▫ EVPN
▫ Telemetry
▫ NETCONF
▫ Microsegmentation
▫ SFC
▫ Intelligent and lossless network technologies
[Figure: spine-leaf fabric annotated with where each technology applies; microsegmentation is shown as EPG1 and EPG2.]
⚫ Layer 3 load balancing means IP-based load balancing. Similarly, Layer 4 load balancing means load balancing based on IP
addresses and port numbers and Layer 7 load balancing means load balancing based on the application layer protocol (such as
HTTP).
• The IP address used for IP-based load balancing is called a virtual IP in this example and a floating IP on OpenStack.
▫ Round robin: The first request is sent to the first server in the list, and subsequent requests move down the list in order, wrapping around to the start of the list.
▫ Hash: A hash value is calculated from the source IP address of the request, and the request is sent to a particular server based on that hash value.
[Figure, step 6: the SLB forwards the request to the selected server in the server cluster.]
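The following Python example is added here and is not part of the Huawei course material. It implements the two scheduling policies just described, round robin and source-address hash, on top of a health-checked server pool behind a virtual IP, so that a failed back-end server drops out of both policies. The server and client addresses are constructed sample data, and SHA-256 is used as the hash function because the course does not specify one.

```python
"""Server load balancing (SLB) scheduling for a virtual IP.

Added example (not Huawei code): round robin and source-address hash
scheduling over a health-checked pool. Server and client addresses are
constructed sample data.
"""
import hashlib


class ServerLoadBalancer:
    """Dispatches requests that arrive at a virtual IP to real servers."""

    def __init__(self, servers):
        self.servers = list(servers)
        # Health-check state; a server marked down receives no new requests.
        self.healthy = {s: True for s in self.servers}
        self._rr_position = 0

    def healthy_pool(self):
        pool = [s for s in self.servers if self.healthy[s]]
        if not pool:
            raise RuntimeError("no healthy server behind the virtual IP")
        return pool

    def mark_down(self, server):
        """Called by the health checker when a back-end server fails."""
        self.healthy[server] = False

    def mark_up(self, server):
        self.healthy[server] = True

    def round_robin(self):
        """Walk the healthy pool in order, wrapping back to the start."""
        pool = self.healthy_pool()
        server = pool[self._rr_position % len(pool)]
        self._rr_position += 1
        return server

    def source_hash(self, client_ip, client_port=None):
        """Layer 3 (IP) or Layer 4 (IP + port) hash scheduling.

        The same key always lands on the same healthy server, which keeps a
        client on one back end as long as the pool is unchanged. SHA-256 is
        used as a stable, process-independent hash (Python's built-in hash()
        is randomised per process, so it is unsuitable here).
        """
        pool = self.healthy_pool()
        key = client_ip if client_port is None else f"{client_ip}:{client_port}"
        digest = hashlib.sha256(key.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def dispatch(lb, requests, policy):
    """Apply `policy` ('round_robin' or 'source_hash') to a list of
    (client_ip, client_port) tuples; return the chosen server per request."""
    chosen = []
    for client_ip, client_port in requests:
        if policy == "round_robin":
            chosen.append(lb.round_robin())
        elif policy == "source_hash":
            chosen.append(lb.source_hash(client_ip, client_port))
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return chosen


# Constructed sample pool and client requests.
SAMPLE_SERVERS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
SAMPLE_REQUESTS = [("192.0.2.10", 40001), ("192.0.2.11", 40002),
                   ("192.0.2.10", 40003), ("192.0.2.12", 40004)]

if __name__ == "__main__":
    lb = ServerLoadBalancer(SAMPLE_SERVERS)
    print("round robin  :", dispatch(lb, SAMPLE_REQUESTS, "round_robin"))
    print("source hash  :", dispatch(lb, SAMPLE_REQUESTS, "source_hash"))
    lb.mark_down("10.0.1.12")
    print("after failure:", dispatch(lb, SAMPLE_REQUESTS, "round_robin"))
```

Round robin spreads load evenly but gives a returning client a different server each time; the hash policy pins a client to one server, and the health check is what keeps that pinning from sending traffic to a dead back end.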
• In the GSLB solution, domain name service providers point the name server (NS) records of domain names to GSLB devices with smart DNS resolution functions, and the records are resolved by the GSLB devices. If GSLB devices are deployed in multiple places, they should all be added to the NS record to provide high availability. GSLB devices perform health checks on back-end servers and on the public IP addresses of other DCs. The results are synchronized between the GSLB devices of different DCs through proprietary protocols. Eventually, the GSLB devices choose the optimal address resolution for the DNS servers based on the GSLB policy, and the DNS servers send the optimal address to the user.
• Based on the differences between user requests, SLBs in a data center distribute the requests to multiple, hundreds, or even thousands of devices at the back end and ensure that the system selects the optimal server to process each request according to the previously defined policy, which improves the availability and scalability of applications to some extent.
Introduction to M-LAG
⚫ Multichassis link aggregation group (M-LAG) is an inter-device link aggregation technology. M-LAG improves link
reliability from the board level to the device level. M-LAG provides traffic load balancing and backup protection.
⚫ In a DC, M-LAG is established through the active/standby negotiation of two ToR switches, responsible for the
access of other devices (such as servers and firewalls).
[Figure: two ToR switches form an M-LAG through active/standby negotiation with dual-active detection (DAD); from the logical perspective, the downstream device connects to them through a single Eth-Trunk, and Layer 2 traffic is forwarded over both links.]
[Figure: M-LAG deployed on leaf switches between the spine and egress layers, with dual-homed servers.]
Introduction to VXLAN
⚫ VXLAN is a VPN technology that builds a Layer 2 virtual network over a physical network with reachable routes. The routed network that VXLAN relies on as its underlay is not limited by the network architecture and offers strong scalability.
⚫ VXLAN packets carry a VXLAN network identifier (VNI) field, which is similar to a VLAN ID and identifies different networks. Between two devices there is only one VXLAN tunnel, which is similar to a trunk link and carries the permitted traffic of all VNIs between the devices.
[Figure: a VXLAN tunnel for VNI 6000 between two VTEPs whose NVE interfaces are 1.1.1.1/32 and 2.2.2.2/32, across an IP network.]
[Figure: VXLAN tunnels between leaf and spine switches; services access the fabric at the leaf.]
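The following Python example is added here and is not part of the Huawei course material. It builds and validates the 8-byte VXLAN header defined in RFC 7348 (the I flag plus the 24-bit VNI the text describes) and models the single tunnel between the two VTEPs in the figure above (NVE addresses 1.1.1.1 and 2.2.2.2, VNI 6000). The inner Ethernet frame and the VNI-to-bridge-domain table are constructed samples; the outer IP and UDP headers that a real VTEP's IP stack adds are represented as dictionary fields rather than serialised.

```python
"""VXLAN encapsulation header: 8 bytes carrying the I flag and a 24-bit VNI.

Added example (not Huawei code). Header layout follows RFC 7348; the inner
frame, VTEP addresses and VNI table are constructed sample data.
"""
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08     # "I" bit: the VNI field is valid
VXLAN_HEADER_LEN = 8


def encode_vxlan_header(vni):
    """Return the 8-byte VXLAN header for `vni`.

    Word 1: flags (8 bits) + 24 reserved bits; word 2: VNI (24 bits) + 8
    reserved bits. Reserved bits are sent as zero.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def decode_vxlan(payload):
    """Split a UDP payload into (vni, inner_frame); raise on a bad header."""
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    word1, word2 = struct.unpack("!II", payload[:VXLAN_HEADER_LEN])
    flags = word1 >> 24
    if not flags & VXLAN_FLAG_VNI_VALID:
        # RFC 7348: a VTEP drops packets whose I flag is not set.
        raise ValueError("I flag clear: packet must be dropped")
    # Reserved bits are ignored on receipt, so they are not checked here.
    return word2 >> 8, payload[VXLAN_HEADER_LEN:]


def encapsulate(local_vtep, remote_vtep, vni, inner_frame):
    """Model what the sending VTEP emits for one inner frame on the tunnel."""
    return {
        "outer_src_ip": local_vtep,
        "outer_dst_ip": remote_vtep,
        "udp_dst_port": VXLAN_UDP_PORT,
        "udp_payload": encode_vxlan_header(vni) + inner_frame,
    }


def decapsulate(packet, local_vtep, vni_table):
    """Receiving-side checks: addressed to this VTEP, right port, known VNI.

    Returns (bridge_domain, inner_frame). A VNI that is not configured
    locally is rejected instead of being bridged anywhere.
    """
    if packet["outer_dst_ip"] != local_vtep or packet["udp_dst_port"] != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet for this VTEP")
    vni, frame = decode_vxlan(packet["udp_payload"])
    if vni not in vni_table:
        raise ValueError(f"unknown VNI {vni}: no local bridge domain")
    return vni_table[vni], frame


# Constructed sample: 14-byte Ethernet header (dst MAC, src MAC, EtherType
# 0x0800) followed by a placeholder payload.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"constructed payload"
# Constructed mapping of VNI to bridge domain on the receiving VTEP.
SAMPLE_VNI_TABLE = {6000: "bd-tenant1"}

if __name__ == "__main__":
    pkt = encapsulate("1.1.1.1", "2.2.2.2", 6000, SAMPLE_FRAME)
    print("VXLAN header:", pkt["udp_payload"][:8].hex())
    print("delivered to:", decapsulate(pkt, "2.2.2.2", SAMPLE_VNI_TABLE)[0])
```

The header for VNI 6000 serialises as 08 00 00 00 00 17 70 00: the first byte carries the I flag, and the VNI occupies the upper three bytes of the second word. On the receiving side, the VNI acts as the lookup key into the local bridge-domain table, which is why an unknown VNI is dropped rather than flooded.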
Introduction to EVPN
⚫ Ethernet VPN (EVPN) was initially defined in RFC 7432. The MPLS-based VPN meets the requirements of high bandwidth and complicated QoS scheduling.
⚫ Virtualization technologies are introduced into cloud DCs. As such, a host can carry multiple VMs which belong to
different tenants. This raises new requirements for the network. As such, the network virtualization overlay (NVO)
solution is adopted.
[Figure: within each DC, VXLAN/EVPN runs between leaf and spine switches; across the DCI IP network, VXLAN/EVPN connects the two DCs.]
Introduction to Telemetry
⚫ Telemetry, also known as network telemetry, is a technology that remotely collects data from physical or virtual
devices at a high speed.
⚫ Compared with SNMP, telemetry collects data at subsecond intervals. A telemetry-enabled device proactively sends information in push mode, implementing real-time, high-speed, and precise data collection.
[Figure: SNMP "pull" versus telemetry "subscription and push".]
Introduction to NETCONF
⚫ Network Configuration Protocol (NETCONF) provides a mechanism for managing network devices. To be specific,
users can use NETCONF to add, modify, and delete configurations of network devices, as well as obtain
configurations and status of network devices.
⚫ Compared with CLI and SNMP, NETCONF has the following advantages in device configuration:
▫ Secure transmission: NETCONF supports multiple security protocols (SSH, TLS, BEEP/TLS, and SOAP/HTTP/TLS); SNMP provides it only in SNMPv3; the CLI supports SSH.
[Figure: a NETCONF client managing Device 1, Device 2, and Device 3, each running a NETCONF server.]
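The following Python example is added here and is not part of the Huawei or iMaster NCE-Fabric code. It shows the XML that the add/modify/delete operations described above become on the wire: an <edit-config> request against a datastore, built with the NETCONF base namespace from RFC 6241, and the parsing of the <rpc-reply> into either success or a list of structured errors. The interface configuration fragment (namespace urn:example:ifmgr) and the two replies are constructed samples, not a real device's data model; the SSH transport that carries the XML is not shown.

```python
"""NETCONF <edit-config> request and <rpc-reply> handling.

Added example (not Huawei code). Only the NETCONF base namespace from
RFC 6241 is real; the configuration fragment and replies are constructed.
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def nc(tag):
    """Qualified tag name in the NETCONF base namespace."""
    return f"{{{NC_NS}}}{tag}"


def build_edit_config(message_id, target, config_fragment, default_operation="merge"):
    """Return the XML text of an <rpc> that edits the `target` datastore."""
    if target not in ("running", "candidate", "startup"):
        raise ValueError("unknown datastore")
    rpc = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc(target))
    ET.SubElement(edit, nc("default-operation")).text = default_operation
    # The payload is parsed as XML, never spliced in as a string, so a
    # stray '<' in a description cannot change the structure of the RPC.
    ET.SubElement(edit, nc("config")).append(ET.fromstring(config_fragment))
    return ET.tostring(rpc, encoding="unicode")


def parse_rpc_reply(reply_xml):
    """Return (ok, message_id, errors); errors is a list of dicts."""
    root = ET.fromstring(reply_xml)
    if root.tag != nc("rpc-reply"):
        raise ValueError("not a NETCONF rpc-reply")
    errors = []
    for err in root.findall(nc("rpc-error")):
        errors.append({
            "type": err.findtext(nc("error-type")),
            "tag": err.findtext(nc("error-tag")),
            "severity": err.findtext(nc("error-severity")),
            "message": (err.findtext(nc("error-message")) or "").strip(),
        })
    ok = root.find(nc("ok")) is not None and not errors
    return ok, root.get("message-id"), errors


def request_default_operation(rpc_xml):
    """Read back the default-operation of a built request (used for checks)."""
    return ET.fromstring(rpc_xml).findtext(f"{nc('edit-config')}/{nc('default-operation')}")


# Constructed interface configuration fragment (hypothetical data model).
SAMPLE_CONFIG = (
    '<interfaces xmlns="urn:example:ifmgr">'
    "<interface><name>GE1/0/1</name>"
    "<description>server leaf uplink</description></interface>"
    "</interfaces>"
)
SAMPLE_OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="101"><ok/></rpc-reply>'
SAMPLE_ERROR_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="102">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message>insufficient privilege for edit-config</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_edit_config(101, "running", SAMPLE_CONFIG))
    print(parse_rpc_reply(SAMPLE_OK_REPLY))
    print(parse_rpc_reply(SAMPLE_ERROR_REPLY))
```

A controller should match the message-id of each reply to the request it sent and treat any <rpc-error> as a failed transaction; the structured error-tag (here access-denied) is what makes NETCONF failures machine-readable, in contrast to scraping CLI output.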
Introduction to Microsegmentation
⚫ Microsegmentation is a security isolation technology that groups DC service units based on certain rules and
deploys policies between groups to implement traffic control.
⚫ Traditionally, subnets are created for DCs based on coarse-grained granularities such as VLAN IDs or VNIs.
Microsegmentation supports more fine-grained and flexible grouping modes, for example, grouping based on IP
addresses, MAC addresses, and VM names. This can further narrow down security zones to implement fine-grained
service isolation and enhance network security.
[Figure: servers and VMs classified into Group 1 and Group 2, with policies enforced between the groups.]
[Figure: microsegmentation groups enforced on the fabric at Leaf1 and Leaf2.]
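The following Python example is added here and is not part of the Huawei or iMaster NCE-Fabric code. It implements the two halves of microsegmentation described above: endpoints are classified into groups by IP prefix, MAC address, or VM name, and traffic is then permitted or denied per (source group, destination group) pair rather than per VLAN or VNI. The groups, rules, and endpoints are constructed samples; the web and app VMs deliberately share one subnet to show that the group, not the subnet, decides the policy. The default-deny behaviour for unmatched pairs and for unclassified endpoints is an assumption of this example.

```python
"""Microsegmentation policy check: classify endpoints into groups by IP
prefix, MAC address or VM name, then permit or deny by group pair.

Added example (not Huawei code). Groups, rules and endpoints are
constructed sample data; default deny is this example's assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    vm_name: str
    ip: str
    mac: str


@dataclass
class Group:
    """A security group; an endpoint belongs if any matcher hits."""
    name: str
    ip_prefixes: tuple = ()
    macs: tuple = ()
    vm_name_prefix: str = ""

    def matches(self, ep):
        if ep.mac.lower() in {m.lower() for m in self.macs}:
            return True
        if self.vm_name_prefix and ep.vm_name.startswith(self.vm_name_prefix):
            return True
        addr = ipaddress.ip_address(ep.ip)
        return any(addr in ipaddress.ip_network(p) for p in self.ip_prefixes)


class Microsegmentation:
    def __init__(self, groups, rules, default="deny"):
        self.groups = groups
        # (src_group, dst_group) -> set of permitted destination ports, or
        # "any" to permit every port. Pairs without a rule get `default`.
        self.rules = rules
        self.default = default

    def classify(self, ep):
        for group in self.groups:  # first match wins, so order the list
            if group.matches(ep):
                return group.name
        return None

    def decide(self, src, dst, dst_port):
        sg, dg = self.classify(src), self.classify(dst)
        if sg is None or dg is None:
            return "deny"  # unclassified endpoint: never implicitly trusted
        rule = self.rules.get((sg, dg))
        if rule is None:
            return self.default
        if rule == "any" or dst_port in rule:
            return "permit"
        return "deny"


def evaluate_all(policy, endpoints, flows):
    """Return {(src, dst, port): decision} for a list of candidate flows."""
    return {(s, d, p): policy.decide(endpoints[s], endpoints[d], p) for s, d, p in flows}


# Constructed sample: web and app VMs share 10.10.1.0/24; db is picked by MAC.
SAMPLE_GROUPS = [
    Group("db", macs=("00:1c:42:aa:bb:01",)),
    Group("web", vm_name_prefix="web-"),
    Group("app", ip_prefixes=("10.10.1.0/24",)),
]
SAMPLE_RULES = {
    ("web", "app"): {8080},
    ("app", "db"): {3306},
}
SAMPLE_ENDPOINTS = {
    "web-01": Endpoint("web-01", "10.10.1.10", "00:1c:42:aa:bb:10"),
    "app-01": Endpoint("app-01", "10.10.1.20", "00:1c:42:aa:bb:20"),
    "db-01": Endpoint("db-01", "10.10.2.5", "00:1c:42:aa:bb:01"),
    "rogue": Endpoint("rogue", "10.10.9.9", "00:1c:42:ff:ff:ff"),
}
SAMPLE_FLOWS = [
    ("web-01", "app-01", 8080), ("web-01", "app-01", 22),
    ("app-01", "db-01", 3306), ("web-01", "db-01", 3306),
    ("rogue", "db-01", 3306),
]

if __name__ == "__main__":
    policy = Microsegmentation(SAMPLE_GROUPS, SAMPLE_RULES)
    for flow, verdict in evaluate_all(policy, SAMPLE_ENDPOINTS, SAMPLE_FLOWS).items():
        print(flow, "->", verdict)
```

Because web-01 and app-01 sit in the same subnet, a VLAN- or VNI-based design would let them talk freely; here web-01 reaches app-01 only on port 8080 and cannot reach the database at all, and an endpoint that matches no group is denied everywhere.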
Introduction to SFC
⚫ Service Function Chaining (SFC) technology provides ordered services for the application layer.
⚫ SFC creates a chain of service functions (SF), usually value-added service (VAS) devices, along which matched traffic
passes through to obtain VASs. Typical VAS devices are firewalls, load balancers, deep packet inspection (DPI)
devices, and intrusion prevention devices.
⚫ iMaster NCE-Fabric can be used to directly orchestrate SFCs, which can be achieved through PBR or NSH.
• When data packets are transmitted on DCNs, they need to pass through various service nodes. DCNs must flexibly divert traffic to the service nodes as planned, thus providing VASs for users. Typical service nodes are firewalls, intrusion prevention systems (IPS), and load balancers.
[Figure: border leaf connected to the external network, spine, service leaf hosting a firewall and an IPS, and server leaf.]
[Figure: layered architecture of the intelligent and lossless network.]
• Application acceleration layer: INC and iNoF.
• Traffic scheduling layer: load balancing and queue scheduling.
• Congestion control layer: ECN, AI ECN, and NPCC.
• Flow control layer: PFC, PFC storm control, and PFC deadlock prevention.
• Flow control: matches traffic rates between the sender and the receiver to ensure
zero packet loss.
• Traffic scheduling: implements load balancing for service traffic and network
links to ensure the quality of different service traffic.
Quiz
1. (True or false) iMaster NCE-Fabric sends NETCONF messages to deliver configurations to
network devices and NETCONF messages are encoded in XML format.
A. True
B. False
1. A
2. ABCD
Summary
⚫ As the closest area to the network industry and the computing industry, DCNs
should quickly respond to IT requirements, featuring complicated and integrated
structures and rapid technological development.
⚫ This is the first course of the DCN series. You will understand what a DC and a DCN are, as well as their development histories.
⚫ We will analyze more DC technical principles in detail to help you understand the
hyper-converged DCN.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Objectives
Contents
1. Server Virtualization
◼ Background
▫ Technical Fundamentals
▫ Deployment
2. Network Virtualization
3. Introduction to FusionCompute
Overview and Objectives
Server virtualization
Server Virtualization Definition (2)
⚫ As the clustering technology emerges, server virtualization provides the ability to have multiple physical servers
operated in a cluster, which acts as a virtual resource pool.
⚫ VMs can be migrated between physical servers in a cluster. This further unlocks flexibility, elasticity, and high
availability of server virtualization.
[Figure: VM 1 to VM 4, each with its own OS, running on a pool of physical servers (resource pooling).]
Virtualized Server Cluster Management
⚫ As services grow, the number of VMs in a cluster reaches hundreds to thousands. Therefore, a virtualization
management platform is required for centralized management.
⚫ The virtualization management platform provides a simple user interface and various functions, such as monitoring
and managing virtualized resources. It simplifies VM creation and helps users configure and execute resource
scheduling policies.
• Different vendors have their own virtualization management platforms since they
use different virtualization technologies, such as vCenter of VMware,
FusionCompute VRM of Huawei, SystemCenter of Microsoft, and RHEV of Red
Hat.
Server Virtualization Benefits
⚫ Increased resource utilization: Without virtualization, servers in a DC use only 5% to 30% of their
resources during normal operation. After virtualization, the utilization of virtualized server resources is
dramatically improved to more than 60%.
⚫ Reduced costs: Server virtualization provides the time-sharing feature for resources and allows dynamic
adjustment of cluster resources. As such, DCs require fewer servers and less equipment room space and
power.
⚫ Improved flexibility: Clustering allows elastic VM provisioning and can flexibly cope with service
requirements in peaks and off-peaks.
⚫ Less system breakdown: High availability (HA) for VMs helps prevent VM services from being affected
due to a faulty physical server.
Contents
1. Server Virtualization
▫ Background
◼ Technical Fundamentals
▫ Deployment
2. Network Virtualization
3. Introduction to FusionCompute
Server Virtualization Technologies
⚫ There are three kinds of server virtualization: compute virtualization, storage virtualization, and
network virtualization.
⚫ A hypervisor, also known as a virtual machine monitor (VMM), is introduced to compute virtualization.
It abstracts hardware into virtual resources to allow an OS to run directly on each VM. In this way,
multiple OSs can run on a single physical server at the same time.
⚫ A hypervisor virtualizes the following physical resources: CPU, memory, and input/output (I/O)
resources.
[Figure: VMs on top of the VMM/hypervisor, which sits on top of the hardware.]
• The hypervisor provides virtual resources abstracted from hardware for VMs.
• The hypervisor manages all hardware resources (CPU, memory, and I/O devices).
• A CPU (Central Processing Unit) is one of the main devices of a computer, and a
function of the CPU is to interpret computer instructions and process data in
computer software.
• A hypervisor provides the following basic functions: Identify, capture, and respond
to privileged CPU instructions or protection instructions sent by VMs (the
privileged instructions and protection instructions will be described in the CPU
virtualization section); schedule VM queues and return physical hardware
processing results to related VMs.
[Figure: two host machines, each running an application on its hardware.]
• A host machine is a physical host that can run multiple VMs, and an OS installed
and running on the host machine is a host OS. VMs running on a host machine
are called guest machines. The OS installed and running on a VM is called a
guest OS. The core of virtualization technologies is a hypervisor between the host
OS and guest OS. It can also be called Virtual Machine Manager (VMM).
[Figure: left, VMs with their apps running on a VMM/hypervisor placed directly on the hardware; right, a VMM/hypervisor running alongside apps on a host OS on the hardware.]
⚫ Hierarchical protection domains, often called protection rings, are defined for CPU instructions. A CPU has four rings, numbered from
0 through to 3. Ring 0 is the most privileged level and interacts directly with the hardware. Ring 3, the least privileged ring, is where
most applications reside.
⚫ For example, when Kernel-based Virtual Machine (KVM) is used for CPU virtualization, guest OSs send all instructions to the
hypervisor, and then the hypervisor schedules the instructions to the CPU for execution. Common instructions from applications are
executed at the non-privilege level.
[Figure: Ring 3 holds applications, Ring 1 holds the guest OS, and the hardware sits below; KVM is used as an example.]
• There are four CPU hierarchical protection domains, also called protection rings,
numbered 0 (most privileged) to 3 (least privileged). Ring 0 has direct access to
the hardware. Generally, only the OS and driver have this privilege. Ring 3 has
the least privileges. All programs can run in Ring 3. To protect computers, some
dangerous instructions can only be executed by the OS, preventing malicious
software from randomly calling hardware resources. For example, if a program
needs to enable a camera, the program must request the driver in ring 0 to
enable the camera. Otherwise, the operation will be rejected.
• The instructions sent by a host OS are classified into two types: privileged
instructions and common instructions.
▫ Privileged instructions: are instructions used to operate and manage key
system resources. These instructions can be executed only at the highest
privilege level, that is, Ring 0.
▫ Common instructions: are instructions that can be executed at the non-
privilege level, that is, Ring 3.
• In a virtualization environment, there is another special instruction type, the
sensitive instruction. A sensitive instruction changes the operating mode of a
VM or the state of the host machine. Because the guest OS is deprived of Ring 0
privilege, such an instruction, which originally needed to run in Ring 0, is
trapped and handled by the VMM.
• CPU virtualization can be further classified into full virtualization, para-
virtualization, and hardware-assisted virtualization. For details, see HCIA-Cloud
Computing.
[Figure: memory virtualization. VM 1 and VM 2 use guest virtual addresses (VA), which map to guest physical addresses (PA); the hypervisor maps these to machine memory addresses (MA).]
• For details about memory virtualization techniques, such as the shadow page
table and huge page memory, see Huawei Cloud Computing certification courses.
Compute Virtualization
[Figure: compute virtualization platforms, open-source and closed-source: KVM, Hyper-V, Huawei FusionSphere.]
⚫ The significant difference between storage virtualization and compute virtualization is that storage virtualization aims to aggregate
resources as a pool, instead of dividing resources as compute virtualization does.
[Figure: compute virtualization divides one server among several OSs, whereas storage virtualization aggregates resources into a pool.]
⚫ The virtual network provides VMs with various capabilities, such as Layer 2 communication, isolation, Quality of Service (QoS), and
port mirroring.
[Figure: a virtual switch on a host machine connecting VMs running Application A, in bridge and NAT modes.]
1. Server Virtualization
▫ Background
▫ Technical Fundamentals
◼ Deployment
2. Network Virtualization
3. Introduction to FusionCompute
Virtualization Management Platform
Server cluster resource management and scheduling, VM operation and life cycle management.
[Figure: VMs on hosts connected through a physical switch.]
Server Virtualization Topology
[Figure: a host with NIC 1 to NIC 5 connected through an access switch to the management plane, storage plane, service plane, and BMC plane; the storage device is reached through its storage interfaces and the management NICs of controller A and controller B.]
• BMC plane:
▫ Plane used by the BMC network port on a host. This plane enables remote
access to the BMC system of a server. It is similar to the management port
of a switch.
• Management plane:
• Storage plane:
• Service plane:
Contents
1. Server Virtualization
2. Network Virtualization
◼ Overview
▫ Fundamentals
3. Introduction to FusionCompute
Overview and Objectives
⚫ Network virtualization focuses on virtual network configuration and connection inside
servers. Traditional network engineers are unaware of this and cannot understand traffic
forwarding paths from an overall perspective.
⚫ In this section, you will learn the applications and fundamentals of network virtualization
based on service traffic forwarding paths from the perspective of network engineers.
Network Virtualization in DCs
⚫ In a DC, network virtualization mostly applies to the network layer and server layer.
⚫ Network virtualization at the network layer is classified into two types:
Device virtualization: such as stacking, M-LAG, and virtual system.
Network architecture virtualization: such as a large Layer 2 network in the spine-leaf architecture with VXLAN and BGP EVPN.
[Figure: spine-leaf topology.]
End-to-End Network Virtualization
⚫ Traffic is forwarded along the following path: VM -> vSwitch -> physical NIC (based on mappings) -> physical
switch -> destination device. This process involves three phases: virtual access, network connection, and network
switching.
[Figure: Host 1 and Host 2 with physical NICs; network connection from the hosts to the switches, and network switching between switches over a VXLAN tunnel.]
• VXLAN is used to separate the underlay network from the overlay network so
that physical networks can be reused. In addition, physical switches provide the
virtualization capability.
From a VM to a vSwitch
⚫ A vSwitch inside a server identifies the source VMs of data packets.
⚫ A vSwitch provides virtual interfaces for VM access.
⚫ A vSwitch uses local VLANs to distinguish traffic of different VMs.
⚫ Local VLANs take effect only between a vSwitch and a VM.
[Figure: Host 1 with a vSwitch between the VMs and the physical NIC.]
From a vSwitch to a Physical NIC
• Bond: The Linux NIC bonding function is used to bond host network ports to
improve network reliability.
From a Physical NIC to an Access Switch
⚫ An access switch connects to physical NICs of a server.
⚫ In the VXLAN scenario, traffic from different VLANs is forwarded through different Layer 2 sub-interfaces, and directed to different
VXLAN tunnels.
⚫ Access switches can set up a stack or an M-LAG system to improve reliability.
⚫ If link aggregation is required, the LACP mode set on the access switch must be the same as that on the physical NICs on the server.
[Figure: Host 1 with three VMs whose vNICs sit in local VLANs 4, 5, and 6 on the vSwitch; the physical NIC carries VLAN 100 (10.10.10.0/24) and VLAN 200 (10.10.20.0/24) to the access switch.]
From the Local Access Switch to the Remote Switch
⚫ VXLAN and BGP EVPN are used between switches to build a large Layer 2 network.
⚫ On the control plane, BGP EVPN is used to transmit IP and MAC addresses of VMs, establish VXLAN tunnels, and import external
routes.
[Figure: a VXLAN tunnel between the local and remote access switches, with BGP EVPN as the control plane.]
New Traffic Model: Host Overlay
⚫ VMs on a host use Open vSwitches (OVSs) to differentiate networks. VXLAN tunnels are established between OVSs on different
hosts to set up the large Layer 2 network required by VM communication.
⚫ Hardware switches only provide connectivity, and therefore require only the traditional network configuration.
[Figure: Host 1 and Host 2, each with a vSwitch acting as the VTEP, connected across the traditional network by a VXLAN tunnel.]
Contents
1. Server Virtualization
2. Network Virtualization
▫ Overview
◼ Fundamentals
3. Introduction to FusionCompute
Server OS Basics
⚫ Compared with network devices, the server OS network works in a different way but still follows the OSI model.
⚫ Use Linux as an example. Linux consists of the user space and kernel space, also referred to as user and kernel
modes, respectively. Simply speaking, the user space is where application programs run whereas the kernel space
controls hardware resources to support program running in the user space. The network protocol stack runs in the
Linux kernel space.
[Figure: application programs in the user space correspond to the application, presentation, and session layers of the OSI model.]
• Data is encoded, encrypted, and compressed by applications, layer by layer, without interactions with the kernel space.
How Does a Server NIC Send and Receive Data?
⚫ A physical NIC sends and receives data as follows (when the CPU executes data copying):
Sending data: The kernel reads data from the network protocol stack and writes it to the physical NIC. The NIC then sends the
data to the destination external network.
Receiving data: Upon data receipt, the physical NIC triggers an interrupt to the CPU, which then instructs the kernel to read data
and place it in the memory. The network protocol stack then parses the data.
[Figure: an application program in the user space; the network protocol stack, buffer, and driver in the kernel space; the NIC in hardware, connected to the external network.]
⚫ The NIC driver needs to register the physical NIC in the kernel space so that the NIC can function properly. After registration, an
NIC interface name is available.
⚫ Interface properties, such as the IP address and mask, can be set for a physical NIC. These properties are configured in the network
protocol stack of the kernel space.
⚫ A physical NIC connects to the network protocol stack in the kernel space on one end and connects to an external network on the
other end.
• Currently, an intelligent server NIC provides the Direct Memory Access (DMA)
function, which allows data to be directly cached to the memory, bypassing the
CPU. As such, the NIC is responsible for data transmission with the network
protocol stack. After the DMA data transfer is complete, the DMA controller
(DMAC) triggers an interrupt to the CPU, indicating that the transfer is
completed. In this process, the CPU does not need to read or write data.
Linux Virtual Network Devices (TUN/TAP)
⚫ The kernel can create virtual NICs (vNICs), which are similar to physical NICs, and provide NIC drivers for these vNICs to complete
registration.
⚫ TAP and TUN are vNICs defined in the Linux kernel. TUN reads and writes Layer 3 IP packets whereas TAP reads and writes Layer 2
Ethernet frames.
⚫ A vNIC connects to the user space on one end and connects to the network protocol stack on the other end. Therefore, vNICs can
neither directly send data packets to nor directly receive data packets from physical NICs.
[Figure: App 1 and App 2 in the user space attach to /dev/tunX and exchange Layer 3 packets with the kernel network stack; VM 1 attaches to /dev/tapY and exchanges Layer 2 frames. The stack carries traffic between apps, app-to-external network traffic, and VM-to-external network traffic through the NIC.]
• TUN and TAP are two types of vNICs in a Linux system and provide packet
reception and transmission functions. Compared with physical NICs, TUN and
TAP provide almost the same functions, except that they do not provide the
hardware functions of physical NICs. In addition, TUN and TAP are responsible
for transferring data between the user space and the network protocol stack in
the kernel space.
• In Linux, the character special files corresponding to TAP and TUN are /dev/tapX
and /dev/tunX, respectively.
• TAP devices are usually used to connect to network devices, such as vSwitches.
TUN devices are usually used to re-encapsulate data sourced from application
programs in the user space, for example, encapsulating data using IPsec VPN.
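The user-space side of what the notes describe, as an added example that is not part of the course material: attaching to a TAP or TUN device with the TUNSETIFF ioctl and interpreting a read as a Layer 2 Ethernet frame (TAP) or a Layer 3 IP packet (TUN). It assumes Linux with the /dev/net/tun clone device of current kernels (the course names /dev/tapX and /dev/tunX) and CAP_NET_ADMIN for the ioctl; the frames used for checking are constructed.

```python
"""Attach to a TAP or TUN device from user space and interpret what is read.

Added example, not course code. Assumes Linux with the /dev/net/tun clone
device; creating the interface needs CAP_NET_ADMIN. Sample frames are constructed.
"""
import fcntl
import ipaddress
import os
import struct
from typing import Tuple

TUNSETIFF = 0x400454CA   # ioctl request: set interface name and flags
IFF_TUN = 0x0001         # Layer 3: the fd reads/writes raw IP packets
IFF_TAP = 0x0002         # Layer 2: the fd reads/writes Ethernet frames
IFF_NO_PI = 0x1000       # no 4-byte packet-information prefix on each read


def ifreq_for(name: str, kind: str) -> bytes:
    """struct ifreq as TUNSETIFF expects it: 16-byte name, then ifr_flags.

    40 bytes on 64-bit Linux; the flags always sit at offset 16.
    """
    if kind not in ("tun", "tap"):
        raise ValueError("kind must be 'tun' or 'tap'")
    if len(name.encode()) >= 16:
        raise ValueError("interface name must be shorter than 16 bytes")
    flags = (IFF_TAP if kind == "tap" else IFF_TUN) | IFF_NO_PI
    return struct.pack("16sH22x", name.encode(), flags)


def parse_ifreq(req: bytes) -> Tuple[str, int]:
    """Inverse of ifreq_for, used to check what was handed to the kernel."""
    name, flags = struct.unpack("16sH22x", req)
    return name.rstrip(b"\x00").decode(), flags


def open_device(name: str, kind: str) -> int:
    """Create (or attach to) the vNIC and return its file descriptor.

    Whoever holds this descriptor can inject arbitrary packets into the
    kernel network stack, so treat it like the capability needed to get it.
    """
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, ifreq_for(name, kind))
    return fd


def describe(kind: str, data: bytes) -> dict:
    """Parse one read() from the device: a frame for TAP, a packet for TUN."""
    if kind == "tap":
        if len(data) < 14:
            raise ValueError("short Ethernet frame")
        return {"layer": 2,
                "dst": data[0:6].hex(":"), "src": data[6:12].hex(":"),
                "ethertype": int.from_bytes(data[12:14], "big")}
    if not data:
        raise ValueError("empty packet")
    version = data[0] >> 4          # TUN hands us the IP header directly
    if version == 4 and len(data) >= 20:
        return {"layer": 3, "version": 4, "proto": data[9],
                "src": str(ipaddress.IPv4Address(data[12:16])),
                "dst": str(ipaddress.IPv4Address(data[16:20]))}
    if version == 6 and len(data) >= 40:
        return {"layer": 3, "version": 6, "proto": data[6],
                "src": str(ipaddress.IPv6Address(data[8:24])),
                "dst": str(ipaddress.IPv6Address(data[24:40]))}
    raise ValueError("not an IPv4/IPv6 packet")


if __name__ == "__main__":
    # Needs CAP_NET_ADMIN; prints whatever the kernel stack sends to tap0.
    tap_fd = open_device("tap0", "tap")
    while True:
        print(describe("tap", os.read(tap_fd, 2048)))
```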
SR-IOV: Improves I/O Performance
⚫ Single Root I/O Virtualization and Sharing Specification (SR-IOV) is a hardware-based virtualization solution that improves
performance and scalability.
⚫ SR-IOV enables efficient sharing of a physical Peripheral Component Interconnect Express (PCIe) device among VMs. This physical
PCIe device can present itself as multiple virtual devices, of which each is directly attached to a VM and has an independent memory
space, queues, interrupts, and command execution capability. As such, the physical PCIe device can perform direct I/O with attached
VMs, achieving I/O performance that is comparable to native performance.
[Figure: SR-IOV. Physical NICs expose per-VM queues that appear to the VMs as directly attached vNICs.]
[Figure: Smart NIC. The vSwitch runs on a dedicated FPGA/ASIC/SoC in the NIC instead of on the host CPU, which uses dedicated chips for data forwarding and releases the host's CPU resources.]
• SoC: System-on-Chip.
[Figure: VM 0 and VM 1 attached through TAP 0 and TAP 1 to the Linux bridge br0, whose uplink eth0 connects to a hardware switch.]
• Similar to a physical switch, a Linux Bridge looks up the outbound port for
forwarding a data frame in the MAC address table and updates the table. As
such, a Linux Bridge can decide whether to forward the data frame to another
interface, discard it, broadcast it, or send it to the upper-layer protocol stack.
• When Linux Bridges are used to set up virtual networks, bridge_netfilter of Linux
Bridges works with iptables to implement the security group function in the cloud
computing scenario.
[Figure: a Linux Bridge in a single-server environment.]
▫ Supports port bonding, LACP, and tunneling (VXLAN, GRE, and IPsec).
[Figure: an OVS spanning hypervisors on multiple servers.]
DVS Fundamentals
⚫ Key concepts in DVS:
Distributed port group: provides VMs with network connections that span across hosts. A DVS can have multiple distributed port
groups.
Uplink: At the host level, each uplink is connected to a physical NIC. Uplinks are used to configure physical connections of hosts.
Uplink port group: can have one or more uplinks. A DVS can have only one uplink port group.
[Figure: a DVS spanning hosts, with VMs connected through uplinks to the TOR switch.]
• A DVS functions as a single virtual switch across all associated hosts. It allows
VMs to maintain consistent network configuration as they migrate across hosts.
How Do DVSs Allow VMs to Communicate
⚫ DVS 1 and DVS 2 are created on the TOR switch, each of which has two port groups in VLANs 10 and 20, respectively. The gateways
for VMs in the two VLANs are located on the TOR switch.
⚫ VMs on the same DVS and in the same VLAN can communicate with each other directly inside the host where they reside. VMs on
the same DVS but in different VLANs, as well as VMs on different DVSs, can communicate with each other only through a physical
switch.
[Figure: VM1, VM2, VM4, VM5, and VM6 on DVS1 and DVS2; port group 1 in VLAN 10 and port group 2 in VLAN 20.]
• As shown in the figure, DVS 1 has two port groups: port group 1 connecting VM
1, VM 2, and VM 5 and port group 2 connecting VM 4 and VM 6. DVS 2 also has
two port groups: port group 3 connecting VM 3 and port group 4 connecting VM
7. The two DVSs have separate uplinks.
• VMs connected to the same port group can directly communicate with each
other. VMs on the same host and DVS can communicate with each other directly
through the DVS. For example, VM 1 and VM 2 can communicate through DVS 1.
VMs on different hosts but on the same DVS, such as VM 1 and VM 5, can
communicate with each other through uplinks of the DVS.
• VMs connected to different port groups (that is, in different VLANs), no matter
whether they are located on the same DVS or host, can communicate with each
other only through the physical switch that allows inter-VLAN communication. For
example, VM 1 in VLAN 10 can communicate with VM 4, VM 6, and VM 7 in VLAN 20
only through the TOR switch.
• Traffic between VMs on different DVS but connected to port groups in the same
VLAN (such as VM 1 and VM 3 connected to port groups 1 and 3, or VM 4 and
VM 7 connected to port groups 2 and 4, respectively) is transmitted through DVS
uplinks to the physical switch for forwarding.
OVS Application in Virtualization and Cloud Computing Scenarios
[Figure: VMs on a node attached through qbr, br-int, br-tun, and br-phy bridges, with bonded physical NICs to the TOR switch.]
• qbr: Linux Bridge, which provides security group services for VMs and implements
security isolation.
• br-int: one of the OVS core bridges. Layer 2 and Layer 3 traffic must pass through
this bridge. Local VLANs help isolate different virtual networks on a host, and
take effect only locally.
• br-phy: a physical bridge, one of the OVS core bridges. Physical NICs of a node
are mounted on this bridge. It encapsulates traffic of different service VLANs
based on the flow table, and then sends encapsulated packets to physical
external networks through physical NICs.
• br-tun: a tunnel bridge, one of the OVS core bridges. This bridge is used to
forward VXLAN traffic. It carries the tunnels and acts as the VTEP that
encapsulates and decapsulates VXLAN packets.
• Bond: NIC bonding provided by Linux. It bonds the NIC ports on a host to
improve network reliability.
Section Summary
⚫ This section uses the Linux OS as an example to describe traffic forwarding principles and
process on the underlying network deployed with server virtualization.
⚫ This section focuses on the functions and principles of virtual network devices in a Linux
system, such as TAP/TUN, Linux Bridge, and OVS.
Contents
1. Server Virtualization
2. Network Virtualization
3. Introduction to FusionCompute
Introduction to FusionCompute Virtualization Suite
⚫ Huawei FusionCompute virtualization suite is an industry-leading virtualization solution.
⚫ The FusionCompute virtualization suite deploys virtualization software on servers so that one physical server can
function as multiple servers. High consolidation ratios are achieved by consolidating existing workloads and using the
remaining servers to deploy new applications and solutions, which greatly improves the efficiency of the data center
infrastructure.
⚫ The FusionCompute virtualization suite brings the following benefits to customers:
Helps customers improve resource utilization of data center infrastructure.
Helps customers shorten the service rollout period by multiple times.
Helps customers reduce data center energy consumption by multiple times.
With the high availability and strong recovery capability of the virtualized infrastructure, the solution quickly and automatically
recovers services from faults, reducing data center costs and increasing system application uptime.
• Application scenario: This section applies to the scenario where enterprises use
FusionCompute as the unified O&M management platform to operate and
maintain the entire system, including resource monitoring, resource
management, and system management.
• This section describes the features of the FusionCompute virtual network. For
details about other features and scenarios, see the FusionCompute Product
Documentation.
FusionCompute Architecture
⚫ The figure shows the logical architecture of the FusionCompute virtualization suite.
[Figure: FusionCompute virtualization suite. FusionCompute (mandatory) provides host virtualization, a virtualized file system, a virtualized network (OVS), and container management (KRM), on top of the hardware infrastructure: server, storage, and network & security. Non-FusionCompute components of the suite are shown beside it.]
• eBackup is virtual backup software. It works with the snapshot function and
CBT function of FusionCompute to implement the VM data backup solution of
FusionCompute. (eBackup does not support virtualization deployment in
Haiguang scenarios.)
• UltraVR is the DR service management software. It uses the asynchronous remote
replication feature provided by the underlying SAN storage system to protect and
restore key VM data.
• Note: FusionCompute is mandatory, and eBackup and UltraVR are optional. This
section describes only mandatory components.
FusionCompute Logical Architecture
Module Function
[Figure: a distributed virtual switch spanning two servers, with port groups for vlan100, vlan200, and vlan300 on each server and uplinks to the physical switch.]
▫ VLAN mode: No IP address is allocated to the VM NICs that use the port
group. You need to manually allocate IP addresses to the VM NICs.
However, the VMs are connected to the VLAN defined by the port group.
▫ MUX VLAN mode: The Layer 2 traffic isolation mechanism provided by the
MUX VLAN enables some users to communicate with each other and
isolate other users.
• Uplinks are used by the DVS to connect to the physical NICs of hosts and are
used for VM data uplinks.
VM Provisioning (1)
Creation Mode: Description
Creating an empty VM:
An empty virtual machine is like a blank physical computer without an operating system installed.
When creating an empty VM, you can create it on a host or cluster and customize the CPU, memory, disk, and NIC
specifications.
After an empty VM is created, you need to install the OS on the VM. The procedure for installing the operating
system is the same as that for installing the operating system on a physical machine.
Creating a VM Using a Template:
Use a template to create VMs similar to the template.
• Use an existing template to create VMs by converting the template to a VM and deploying VMs based on the
template.
• Export the template used by other sites and import the template to create VMs at the site.
When a template is converted to a VM, all attributes of the VM are the same as those of the template. After the
conversion, the template does not exist.
When a VM is deployed using a template or a VM is imported using a template, the following attributes are
inherited from the template and other attributes can be customized.
• VM OS type and version
• Number, capacity, and bus type of VM disks
• Number of VM NICs
Creating a VM Using a VM:
Clone a VM similar to an existing VM in the system.
During VM cloning, the following attributes are inherited from the original VM. Other attributes can be customized.
• VM OS type and version
• Number, capacity, and bus type of VM disks
• Number of VM NICs
If you have a virtual machine that you want to clone frequently, you can set the virtual machine as a template.
• A VM runs on a CNA and obtains required computing resources such as CPUs and
memory, USB devices, network connections, and storage access from the CNA.
Multiple VMs can run on one CNA at the same time. FusionCompute provides
multiple methods for creating VMs.
VM Provisioning (2)
Creating an empty VM:
• Create a VM for the first time during the initial deployment of the system.
• If no suitable template or VM is available in the system (the OS and hardware configuration are the same), you
need to create an empty VM.
• Create an empty virtual machine, install an operating system on it, and convert or clone the virtual machine to a
template so that you can use the template to create a virtual machine.
Creating a VM Using a Template:
• A proper template is available in the system (the operating system and hardware configuration are the same).
Using the template to create a VM can save time.
• Export the template of another site and import the template to create VMs at the site.
Creating a VM Using a VM:
When deploying multiple similar virtual machines, you can create, configure, and install different software on a
single virtual machine, and then clone the virtual machine multiple times instead of creating and configuring each
virtual machine separately.
Section Summary
Quiz
B. TAP
C. Linux Bridge
D. OVS
2. BCD
Summary
⚫ With increasingly wide application of virtualization technologies in DCs, servers are being
integrated into physical networks. Network engineers need to have basic knowledge of
server virtualization.
⚫ This course introduces the principles of server virtualization and server network
virtualization from the perspective of IT engineers, and describes end-to-end traffic
forwarding between servers and physical networks deployed with network virtualization.
⚫ For more information about server and network virtualization principles, visit the websites
on the More Information slide.
More Information
⚫ https://www.kernel.org/doc/html/latest/networking/tuntap.html
⚫ https://wiki.linuxfoundation.org/networking/bridge
⚫ https://docs.openvswitch.org/en/latest/intro/what-is-ovs/
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.
Objectives
Contents
1. Background of VXLAN
Technical Background: Virtualization Is Widely Deployed by
Enterprises
⚫ Virtualization technologies reduce IT and O&M costs, and improve service deployment flexibility. More and more
enterprises choose to use cloud computing or virtualization technologies in their DC IT facilities.
⚫ After an enterprise chooses the virtualization architecture, services are deployed on VMs in server clusters.
[Figure: VMs on hypervisors connected to the physical network.]
New Network Requirement - Layer 2 Extension
⚫ VMs in a virtualization or cloud computing cluster can be migrated flexibly. As a result, VMs running the same
service (on the same network segment) may run on different servers, or the same VM (with the same IP address)
may run on different servers (physical locations) at different times.
⚫ Physical servers may be distributed in equipment rooms that are geographically distant from each other. Therefore,
Layer 3 connectivity is required.
[Figure: Layer 2 communication across a Layer 3 network; Layer 2 communication is required for the same service on VMs on different hypervisors.]
• After servers are virtualized, services are encapsulated on VMs. VMs can be live
migrated to any host in a cluster. One of the features of live migration is that the
network status does not change. This requires that the IP addresses of VMs in
different physical locations remain unchanged. Therefore, a large Layer 2
network is required to solve this problem.
New Network Requirement - Multi-Tenant Isolation
⚫ In cloud-based scenarios, multi-tenancy is supported, that is, different tenants share physical resources. This poses
two requirements on the network: inter-tenant isolation and intra-tenant communication.
Inter-tenant isolation: Tenants may be configured with the same MAC address and IP address. Physical network isolation needs
to be considered, and a large number of users need to be isolated.
Intra-tenant communication: VMs on the same network segment of a tenant can directly communicate with each other at Layer
2, even if they are located in different equipment rooms.
[Figure: intra-tenant Layer 2 communication and inter-tenant network isolation between VMs on hypervisors.]
• After servers are virtualized, the number of VMs increases greatly compared with the number of original physical
machines. However, the MAC address table size of Layer 2 access devices is small, which cannot meet the requirements
of the rapidly increasing number of VMs. Each device must have a large MAC address table.
• The VLAN ID field has only 12 bits. In large virtualization and cloud computing service scenarios, the number of
tenants is much greater than the number of available VLANs. VLANs on traditional Layer 2 networks cannot adapt to
dynamic network adjustment. The 12-bit VLAN IDs can represent only 4096 logical units.
[Figure: 802.1Q-tagged frame: Destination MAC | Source MAC | 802.1Q Tag | Length/Type | Payload | FCS.]
• VM migration must be performed on a Layer 2 network. VM migration on a traditional Layer 2 network is limited to a
small scope. VMs can be migrated only within a VLAN. The number of VLANs is limited.
[Figure: end-to-end VLAN.]
Overview of VXLAN
⚫ VXLAN is essentially a virtual private network (VPN) technology and can be used to build a Layer 2 virtual network
(overlay network) on any physical network (underlay network) with reachable routes. VXLAN tunnels can be built
between VXLAN gateways to implement communication within a VXLAN network as well as communication
between a VXLAN network and a non-VXLAN network.
⚫ VXLAN utilizes MAC-in-UDP encapsulation to extend Layer 2 networks. It encapsulates Ethernet packets into IP
packets for these packets to be transmitted through routing, without considering the MAC addresses of VMs. In
addition, Layer 3 networks are not limited by the network architecture and support large-scale scalability. VM
migration through routed networks is also not limited by the physical network architecture.
[Figure: spine-leaf underlay running OSPF, with the VXLAN overlay on top.]
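The MAC-in-UDP encapsulation described above, carried through in Python as an added example that is not part of the course material: the VXLAN header of RFC 7348 is built and checked, an Ethernet frame is wrapped in VXLAN/UDP/IPv4 as a source VTEP would, and the destination VTEP side strips it again. The inner frame, VTEP addresses, VNI and UDP source port are constructed sample values.

```python
"""Build and parse VXLAN (RFC 7348) MAC-in-UDP packets.

Added example, not course code: the inner frame, VTEP addresses, VNI and
UDP source port below are constructed sample values.
"""
import ipaddress
import struct
from typing import Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN UDP destination port
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
IP_PROTO_UDP = 17


def build_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the last 32-bit word.
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI; a header without the I flag carries no valid VNI."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return word >> 8


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str,
                dst_vtep: str, src_port: int) -> bytes:
    """Wrap an Ethernet frame in VXLAN/UDP/IPv4 as the source VTEP does."""
    payload = build_vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0: RFC 7348 permits this for VXLAN over IPv4.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IP_PROTO_UDP, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def decapsulate(packet: bytes) -> Tuple[int, str, bytes]:
    """Strip the outer headers as the destination VTEP does.

    Returns (vni, source VTEP address, inner Ethernet frame). Nothing in the
    outer headers is authenticated: the VNI and source VTEP are trusted only
    as far as the underlay limits who can send to UDP port 4789.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] != IP_PROTO_UDP:
        raise ValueError("bad IPv4 header or not UDP")
    src_vtep = str(ipaddress.IPv4Address(packet[12:16]))
    udp = packet[ihl:]
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != VXLAN_UDP_PORT or udp_len > len(udp):
        raise ValueError("not a well-formed VXLAN/UDP datagram")
    vni = parse_vxlan_header(udp[8:16])
    inner_frame = udp[16:udp_len]
    if len(inner_frame) < 14:
        raise ValueError("inner Ethernet frame too short")
    return vni, src_vtep, inner_frame


# Constructed sample: a frame from MAC ...:0a to ...:0b, carried in VNI 2000.
SAMPLE_FRAME = bytes.fromhex("00000000000b" "00000000000a" "0800") + b"x" * 20

if __name__ == "__main__":
    pkt = encapsulate(SAMPLE_FRAME, 2000, "1.1.1.1", "2.2.2.2", 49152)
    print(len(pkt), decapsulate(pkt)[:2])
```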
VXLAN Overlay Network Types
⚫ VXLAN overlay networks are classified into network overlay, host overlay, and hybrid overlay networks
based on the types of devices where VTEPs reside.
[Figure: spine-leaf topologies for the three overlay types.]
Network overlay: VTEPs at both ends of a VXLAN tunnel are physical switches. Network overlay is classified into centralized
network overlay and distributed network overlay.
Host overlay: VTEPs at both ends of a VXLAN tunnel are virtual switches (vSwitches). Spine and leaf nodes only forward IP packets
at a high speed.
Hybrid overlay: A VTEP of a VXLAN tunnel can be either a vSwitch or a physical switch.
Overlay Protocol Development
⚫ To meet the requirements of multi-tenant and VM migration in cloud DCs, vendors are looking for an overlay protocol with optimal
performance and the most flexible applications. VXLAN proposed in RFC 7348 meets the requirements.
⚫ In the early stage, VXLAN was deployed in static mode, and VXLAN tunnels were manually created, which required a heavy configuration
workload. In addition, VXLAN did not have a control plane. VTEP discovery and host information collection were implemented
through traffic flooding on the data plane. As a result, a large amount of flooding traffic existed on the data center network (DCN).
To address these problems, VXLAN works with Ethernet Virtual Private Network (EVPN) to implement automatic VXLAN tunnel
establishment, automatic VTEP discovery, and host information advertisement.
⚫ To facilitate control and deployment on a large Layer 2 network, an SDN controller is introduced. The controller uses NETCONF to
control devices, automatically creates an overlay network, and collaborates with the cloud platform to implement automatic service
and network deployment.
[Figure: overlay evolution. VXLAN tunnels between VTEPs are first manually configured, then created using a protocol (EVPN), then created using EVPN with configuration delivered by the iMaster NCE controller to spine and leaf nodes.]
Contents
1. Background of VXLAN
▫ Fundamentals
VXLAN Packet Format
[Figure: PC1 (192.168.1.1/24) and PC2 (192.168.1.2/24) connected through SW1 (NVE) and SW2 (NVE) over a VXLAN tunnel across an IP network.]
• The source VTEP encapsulates packets and sends the encapsulated packets to the
destination VTEP through the VXLAN tunnel. After receiving the encapsulated
packets, the destination VTEP decapsulates the packets.
[Figure: PC1 (192.168.1.1/24) and PC2 (192.168.1.2/24) in BD 20, mapped to L2 VNI 2000 on SW1 and SW2, connected by a VXLAN tunnel.]
• After traffic from a traditional network enters a VXLAN network, the traffic is
bound to a BD through Layer 2 sub-interface or VLAN binding mode. A VXLAN
VNI is specified in the BD to implement mapping from the traditional VLAN
network to the VXLAN network.
• When VLAN binding mode is used for VXLAN access, a BD cannot be configured
with a VBDIF interface. Therefore, this mode applies only to Layer 2 service
access.
Layer 2 gateway: forwards traffic to a VXLAN network and is used for intra-subnet communication between terminals on the same
VXLAN network.
Layer 3 gateway: is used for inter-subnet communication between terminals on a VXLAN network and allows terminals to access
external networks (non-VXLAN networks).
⚫ VLANIF interfaces are used for communication between broadcast domains on a traditional network.
Similarly, VBDIF interfaces are used for communication between BDs on a VXLAN network.
⚫ A VBDIF interface is a Layer 3 logical interface created for a BD on a Layer 3 VXLAN gateway.
⚫ VBDIF interfaces allow users on different network segments to communicate through a VXLAN
network, allow communication between VXLAN and non-VXLAN networks, and implement Layer 2
network access to a Layer 3 network.
Centralized gateway:
The Layer 3 gateway is deployed on one device. All inter-subnet traffic is forwarded by the gateway to implement centralized
traffic management.
Advantage: Inter-subnet traffic is managed in a centralized manner, simplifying gateway deployment and management.
Disadvantage: The forwarding path is not optimal. The number of ARP entries supported is a bottleneck. Because a centralized
Layer 3 gateway is deployed, the gateway needs to maintain a large number of ARP entries for terminals connected to the VXLAN
network.
Distributed gateway:
VTEPs function as both Layer 2 and Layer 3 gateways. Non-gateway nodes are unaware of VXLAN tunnels and only forward
VXLAN packets.
Advantage: A VTEP only needs to learn ARP entries of terminals connected to it. Therefore, the number of ARP entries supported
is no longer a bottleneck on distributed VXLAN gateways, and the network scalability is improved.
Disadvantage: Compared with centralized gateway deployment, this mode is complex to configure and implement.
Application of VXLAN in DCs
⚫ VXLAN can be applied to a DCN that uses a two-layer spine-leaf physical architecture.
⚫ It is recommended that a VXLAN network with distributed gateways be deployed in a DC. Spine nodes forward
packets based on routes and are unaware of VXLAN during traffic forwarding. Leaf nodes provide network access
for device resources such as servers, and perform VXLAN encapsulation and decapsulation.
⚫ All services in the DC are carried by the VXLAN network.
Tunnel Establishment (static mode)
Figure: VTEP1 (1.1.1.1/32) and VTEP2 (2.2.2.2/32) are connected by a VXLAN tunnel. PC2 (172.16.2.2/24) and PC4 (172.16.2.4/24) are on the same subnet and reach each other through VNI 200. The head-end peer list of a VNI names the remote VTEPs to which BUM traffic for that VNI is replicated; the tunnel between 1.1.1.1 and 2.2.2.2 is established statically because each VTEP lists the other. VTEP1 additionally lists 3.3.3.3 for VNI 100.

VTEP1 configuration:
  interface nve 1
   source 1.1.1.1
   vni 100 head-end peer-list 3.3.3.3
   vni 200 head-end peer-list 2.2.2.2

VTEP2 configuration:
  interface nve 1
   source 2.2.2.2
   vni 200 head-end peer-list 1.1.1.1
• This section describes how to establish VXLAN tunnels in static mode. For details
on how to establish VXLAN tunnels in dynamic mode (BGP EVPN mode), see
"EVPN VXLAN Fundamentals."
MAC Address Learning
⚫ When a VTEP receives a data frame from the local BD, the VTEP adds the source MAC address of the data frame to the MAC address
table of the BD. The outbound interface in the MAC address entry is the interface that receives the data frame.
⚫ This entry is used to guide the forwarding of data frames sent to terminals connected to the VTEP.
Figure: PC1 (172.16.1.1/24, MAC 0000-0000-000A) and PC2 (172.16.2.2/24, MAC 0000-0000-000B) are attached to S1 through the Layer 2 sub-interfaces GE1/0/1.10 (BD 10) and GE1/0/1.20 (BD 20).

<S1>display mac-address bridge-domain 10
-------------------------------------------------------------------------------
MAC Address     VLAN/VSI/BD   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-000a  -/-/10        GE1/0/1.10     dynamic

<S1>display mac-address bridge-domain 20
-------------------------------------------------------------------------------
MAC Address     VLAN/VSI/BD   Learned-From   Type
-------------------------------------------------------------------------------
0000-0000-000b  -/-/20        GE1/0/1.20     dynamic

Question: How can data frames be forwarded to a device connected to a remote VTEP?
MAC Address Learning (1): PC1 sends an ARP request for PC2
▫ After receiving the frame, SW1 determines the BD ID, destination VXLAN
tunnel, and VNI of the traffic based on the service access point
configuration. In addition, SW1 learns the MAC address of PC1 and records
the BD ID and the interface that receives the frame in the corresponding
MAC address entry.
▫ SW1 performs VXLAN encapsulation for the ARP request packet and
forwards the encapsulated packet based on the ingress replication list.
▫ After receiving the VXLAN packet, SW2 decapsulates the packet to obtain
the original data frame. In addition, SW2 learns the MAC address of PC1
and binds the MAC address to the VTEP address of SW1.
▫ SW2 floods the ARP packet in the local BD. PC2 then receives the frame
and learns the ARP information of PC1.
MAC Address Learning (2): PC2 replies to PC1
Figure: Step 7, SW2 learns the MAC address of PC2 from its local port; step 9, SW1 learns the MAC address of PC2 from the tunnel. The resulting MAC address tables in BD 10:

SW1                                      SW2
MAC Address     BD  Learned From         MAC Address     BD  Learned From
0000-0000-000A  10  Port1                0000-0000-000A  10  1.1.1.1
0000-0000-000B  10  2.2.2.2              0000-0000-000B  10  Port1

PC1 and PC2 learn each other's ARP entries, and SW1 and SW2 learn the MAC addresses of PC1 and PC2. This process is called flood and learn.
▫ SW2 has learned the MAC address of PC1 and forwards the packet in
unicast mode. SW2 learns the source MAC address of PC2 and adds it to
the MAC address table.
▫ SW2 performs VXLAN encapsulation for the ARP reply packet and sends the
encapsulated packet to the remote VTEP with the IP address 1.1.1.1.
▫ After receiving the VXLAN packet, SW1 decapsulates the packet and records
the source MAC address of PC2 in the MAC address table. The outbound
interface of the corresponding MAC address entry is the remote VTEP.
• PC1 and PC2 learn ARP entries of each other, and SW1 and SW2 learn
corresponding MAC addresses.
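The flood-and-learn exchange described in the two slides above, as an added example that is not part of the course material: two VTEPs with static head-end peer lists and per-BD MAC tables, using the real 8-byte VXLAN header (RFC 7348). The port name "Port1", the PC MAC addresses and local flooding of unknown unicast are assumptions; the MAC tables it produces are the ones shown on the slide.

```python
"""Flood and learn over static VXLAN tunnels.

Added example, not part of the course. SW1 (1.1.1.1) and SW2 (2.2.2.2) share BD 10
with VNI 100 and list each other in a static head-end peer list. The VXLAN header is
the real RFC 7348 header; inner frames are Ethernet dst/src plus an opaque payload.
Assumptions: port name "Port1", the two PC MAC addresses, flooding of unknown unicast.
"""
import struct

BCAST = "ffff-ffff-ffff"


def vxlan_encap(vni, inner):
    """8-byte VXLAN header: flags (I bit 0x08), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BBHI", 0x08, 0, 0, vni << 8) + inner


def vxlan_decap(packet):
    """Return (vni, inner_frame); drop packets without the I flag, as RFC 7348 requires."""
    if len(packet) < 8:
        raise ValueError("short VXLAN packet")
    flags, _, _, word = struct.unpack("!BBHI", packet[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, packet[8:]


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", ""))


def mac_str(raw):
    hexed = raw.hex()
    return "-".join(hexed[i:i + 4] for i in (0, 4, 8))


def encode_frame(frame):
    return mac_bytes(frame["dst"]) + mac_bytes(frame["src"]) + frame["payload"]


def decode_frame(raw):
    return {"dst": mac_str(raw[:6]), "src": mac_str(raw[6:12]), "payload": raw[12:]}


class PC:
    def __init__(self, mac):
        self.mac, self.inbox = mac, []

    def recv(self, frame):
        self.inbox.append(frame)


class VTEP:
    def __init__(self, ip, bd, vni, peers):
        self.ip, self.bd, self.vni, self.peers = ip, bd, vni, peers
        self.ports = {}        # local port -> PC
        self.tunnels = {}      # remote VTEP IP -> VTEP (static tunnel)
        self.mac_table = {}    # (bd, mac) -> local port or remote VTEP IP

    def send_tunnel(self, peer_ip, frame):
        packet = vxlan_encap(self.vni, encode_frame(frame))
        self.tunnels[peer_ip].recv_from_tunnel(self.ip, packet)

    def recv_from_port(self, port, frame):
        """Access side: learn the source MAC against the port, then unicast or flood."""
        self.mac_table[(self.bd, frame["src"])] = port
        out = self.mac_table.get((self.bd, frame["dst"]))
        if frame["dst"] == BCAST or out is None:
            for p, pc in self.ports.items():
                if p != port:
                    pc.recv(frame)
            for peer_ip in self.peers:          # ingress replication to every static peer
                self.send_tunnel(peer_ip, frame)
        elif out in self.ports:
            self.ports[out].recv(frame)
        else:
            self.send_tunnel(out, frame)        # entry points at a remote VTEP

    def recv_from_tunnel(self, src_vtep_ip, packet):
        """Network side: decapsulate, bind the inner source MAC to the remote VTEP, deliver
        locally. Split horizon: a frame from a tunnel is never sent back into a tunnel."""
        vni, inner = vxlan_decap(packet)
        if vni != self.vni:
            return
        frame = decode_frame(inner)
        self.mac_table[(self.bd, frame["src"])] = src_vtep_ip
        out = self.mac_table.get((self.bd, frame["dst"]))
        if out in self.ports:
            self.ports[out].recv(frame)
        else:
            for pc in self.ports.values():
                pc.recv(frame)


def run_flood_and_learn():
    """ARP request PC1->PC2 (flooded), then ARP reply PC2->PC1 (unicast over the tunnel)."""
    sw1 = VTEP("1.1.1.1", bd=10, vni=100, peers=["2.2.2.2"])
    sw2 = VTEP("2.2.2.2", bd=10, vni=100, peers=["1.1.1.1"])
    sw1.tunnels["2.2.2.2"], sw2.tunnels["1.1.1.1"] = sw2, sw1
    pc1, pc2 = PC("0000-0000-000a"), PC("0000-0000-000b")
    sw1.ports["Port1"], sw2.ports["Port1"] = pc1, pc2
    sw1.recv_from_port("Port1", {"src": pc1.mac, "dst": BCAST, "payload": b"ARP who-has PC2"})
    sw2.recv_from_port("Port1", {"src": pc2.mac, "dst": pc1.mac, "payload": b"ARP is-at PC2"})
    return sw1.mac_table, sw2.mac_table, pc1.inbox, pc2.inbox
```

The split-horizon rule in `recv_from_tunnel` is what keeps a flooded frame from looping between VTEPs: the data plane has no spanning tree, so a frame learned from the network side must only be delivered to local ports.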
Data Frame Forwarding (1): inter-subnet forwarding through a centralized Layer 3 gateway
Figure: SW1 (VTEP 1.1.1.1) and SW2 (VTEP 2.2.2.2) are Layer 2 gateways; SW3 (VTEP 3.3.3.3) is the centralized Layer 3 gateway with VBDIF 10 and VBDIF 20. Step 2, SW1 to SW3: outer source IP address 1.1.1.1, destination IP address 3.3.3.3, VNI 1000. Step 4, SW3 to SW2: outer source IP address 3.3.3.3, destination IP address 2.2.2.2, VNI 2000. SW1 searches its MAC address table for the gateway MAC address and SW3 searches its MAC address table for the MAC address of PC2; each finds a matching entry whose outbound interface is a remote VTEP.
• PC1 wants to communicate with PC2. After local calculation, PC1 finds that it is
on a different subnet from PC2. PC1 then sends the packet to the gateway.
• The destination MAC address of the data frame from PC1 to PC2 is 00AB-09FF-
1111 (gateway MAC address). After receiving the data frame, SW1 searches the
Layer 2 forwarding table and finds that the outbound interface is the remote
VTEP (Layer 3 gateway). SW1 then adds a VXLAN header (VNI = 1000) to the
data frame and sends the packet to SW3.
• After receiving the packet, SW3 performs VXLAN decapsulation for the packet
and finds that the destination MAC address of the original data frame is 00AB-
09FF-1111, which is the MAC address of VBDIF 10 on SW3. SW3 needs to search
the Layer 3 forwarding table to forward the data frame.
• SW3 searches the routing table and finds that the destination IP address
192.168.2.1 matches the direct route generated by VBDIF 20 on SW3. SW3 then
searches the ARP table for the destination MAC address of the packet and
searches the MAC address table for the outbound interface of the packet. On
SW3, the outbound interface in the MAC address entry corresponding to
192.168.2.1 is the remote VTEP with the IP address 2.2.2.2. SW3 performs VXLAN
encapsulation for the packet and sends the encapsulated packet to SW2.
• After receiving the packet, SW2 performs VXLAN decapsulation for the packet
and finds that the destination MAC address is not the MAC address of any
interface on SW2. SW2 searches the Layer 2 forwarding table and forwards the
packet from a local interface based on the MAC address table.
Data Frame Forwarding (2): BUM traffic
Figure: PC1 (172.16.2.1/24) is attached to VTEP1 (1.1.1.1/32) and PC3 (172.16.2.3/24) to VTEP2 (2.2.2.2/32). BUM traffic from PC1 is carried in a VXLAN packet (outer IP header, UDP header, VXLAN header, original frame) and replicated to every VTEP in the ingress replication list of the VNI.
Using BGP EVPN as the Control Plane Protocol
⚫ BGP EVPN not used. Problem 2: The flood and learn mechanism is used to learn MAC addresses, causing a large amount of flooding traffic.
⚫ BGP EVPN used as the control plane protocol: VTEPs exchange BGP EVPN routes instead of flooding. In actual deployment, a route reflector (RR) can be used to further reduce the number of BGP EVPN peer relationships that must be established.
• The static VXLAN solution does not have a control plane. VTEP discovery and
learning of host information (including IP addresses, MAC addresses, VNIs, and
gateway VTEP IP addresses) are performed through traffic flooding on the data
plane. As a result, there is a lot of flooding traffic on VXLAN networks. To
address this problem, BGP EVPN is introduced as the control plane of VXLAN.
BGP EVPN allows VTEPs to exchange BGP EVPN routes to implement automatic
VTEP discovery and host information advertisement, preventing unnecessary
traffic flooding.
BGP EVPN route types used by VXLAN:
• Type 2 routes (MAC/IP routes): are used to advertise host MAC addresses, ARP entries, and IP routes.
• Type 3 routes (inclusive multicast routes): are used to transmit Layer 2 VNI and VTEP IP address information, implement automatic VTEP discovery and dynamic VXLAN tunnel establishment, and forward BUM packets.
• Type 5 routes (IP prefix routes): are used to advertise host IP routes and external network routes.
Extended Community
⚫ Similar to MPLS VPN, BGP EVPN uses EVPN instances to control route sending and receiving. Similar to
traditional IP VPN instances, EVPN instances also have RDs and RTs, and the extended community
attribute is used to carry EVPN instance RTs during route transmission.
⚫ In addition to the RT, BGP EVPN adds some new subtypes to the extended community attribute: MAC
Mobility and EVPN Router's MAC Extended Community.
• For details about RDs and RTs, see HCIP – Datacom - Advanced Routing &
Switching Technology - 08 MPLS VPN Basics.
EVPN VPN Instance
⚫ After an EVPN instance is bound to a BD, MAC address entries in the BD are transmitted through BGP EVPN routes carrying the
export VPN target (ERT) of the EVPN instance bound to the BD. After receiving the EVPN routes, the remote end compares the
import VPN target (IRT) of the local EVPN instance with the ERT, adds the EVPN routes to the routing table of the corresponding
EVPN instance, parses the EVPN routing table to obtain MAC address entries, and adds the MAC address entries to the MAC address
table of the BD bound to the local EVPN instance.
Figure: SW1 and SW2 are connected by a VXLAN tunnel; PC1 is attached to SW1 and PC2 to SW2. SW1's EVPN instance has RD 20:1, ERT 202:1 and IRT 200:1; SW2's EVPN instance has RD 20:1, ERT 200:1 and IRT 202:1. The BGP Update message from SW1 carries the EVPN route with RT 202:1, which matches the IRT of SW2. If the ERT and IRT are not specified separately and only the RT is specified, the ERT and IRT are the same.
Type 2 Route: NLRI format (MAC/IP Advertisement route)
Route Distinguisher (8 bytes): route distinguisher (RD) configured for an EVPN instance.
Ethernet Segment Identifier (10 bytes): unique ID of the connection between local and remote devices.
Ethernet Tag ID (4 bytes): VLAN ID configured on the local device.
MAC Address Length (1 byte): length of the host MAC address carried in the route.
MAC Address (6 bytes): host MAC address carried in the route.
IP Address Length (1 byte): mask length of the host IP address carried in the route.
IP Address (0, 4, or 16 bytes): host IP address carried in the route.
MPLS Label1 (3 bytes): Layer 2 VNI carried in the route.
MPLS Label2 (0 or 3 bytes): Layer 3 VNI carried in the route.
Type 2 Route: the three forms of the MAC/IP Advertisement route
⚫ Host MAC address advertisement (MAC route): RD, ESI, Ethernet Tag ID, MAC Address Length, MAC Address and MPLS Label1 = Layer 2 VNI are filled in; IP Address Length is 0, and IP Address and MPLS Label2 are not carried. Used when hosts on the same subnet communicate with each other: host MAC address information and Layer 2 VNIs are advertised.
⚫ Host ARP advertisement (ARP route): the MAC route fields plus IP Address Length and IP Address; MPLS Label2 is not carried. Used in a centralized VXLAN gateway scenario: ARP routes containing host IP address information, MAC address information and Layer 2 VNIs are advertised.
⚫ Host IP route advertisement (IRB route): the ARP route fields plus MPLS Label2 = Layer 3 VNI. Used when hosts on different subnets communicate with each other in a distributed gateway scenario: IRB routes containing host MAC address information, IP address information, Layer 2 VNIs and Layer 3 VNIs are advertised.
• The contents of the first three fields (RD, Ethernet Segment Identifier, and
Ethernet Tag ID) of BGP EVPN Type 2 routes are the same in different scenarios,
and the contents of the last six fields vary in different scenarios.
Type 2 Route: host MAC address advertisement
Figure: SW1 and SW2 are Layer 2 gateways connected by a VXLAN tunnel; both have BD 10 with L2 VNI 10. SW1's EVPN instance has RD 10:1 and ERT 10:1; SW2's has RD 20:1 and IRT 10:1. (1) PC1 (172.16.1.1/24, MAC 0000-0000-0001) sends traffic. (2) SW1 learns the MAC address of PC1. (3) SW1 sends a BGP Update message carrying EVPN RT 10:1 and a Type 2 route with RD 10:1, MAC address 0000-0000-0001 and VNI 10.
▫ SW1 obtains the MAC address of PC1 and creates an entry in the MAC
address table to record the MAC address, BD ID, and inbound interface.
▫ SW1 generates a BGP EVPN route based on this entry and sends the route
to SW2. The route carries the RT value (extended community attribute) of
the local EVPN instance and a Type 2 route (MAC route). In the MAC route,
the MAC address of PC1 is stored in the MAC Address field, and the Layer 2
VNI is stored in the MPLS Label1 field.
▫ After receiving the BGP EVPN route from SW1, SW2 checks the RT (similar
to the RT in MPLS VPN) carried in the route. If the RT is the same as the
import RT of the local EVPN instance, SW2 accepts the route. Otherwise,
SW2 discards the route. After accepting the route, SW2 obtains the MAC
address of PC1 and the mapping between the BD ID and the VTEP IP
address (carried in the next hop network address field of MP_REACH_NLRI)
of SW1, and generates the MAC address entry of PC1 in the local MAC
address table. Based on the next hop, the outbound interface of the MAC
address entry recurses to the VXLAN tunnel destined for SW1.
Type 2 Route: host ARP advertisement
Figure: SW1 and SW2 are Layer 3 gateways connected by a VXLAN tunnel; both have BD 10 with L2 VNI 10. SW1's EVPN instance has RD 10:1 and ERT 10:1; SW2's has RD 20:1 and IRT 10:1. (1) SW1 learns the ARP entry of PC1 (172.16.1.1/24, MAC 0000-0000-0001). (2) SW1 sends a BGP Update message carrying EVPN RT 10:1 and a Type 2 route with RD 10:1, MAC address 0000-0000-0001, IP address 172.16.1.1 and L2 VNI 10. (3) The Layer 3 gateway SW2 obtains the ARP information of PC1.
When BGP EVPN is used in a centralized gateway scenario, the inter-subnet packet forwarding process is similar to that in a static VXLAN scenario, and is not described here.
• A MAC/IP route can carry both the MAC address and IP address of a host. As
such, this type of route can be used to transmit host ARP entries between VTEPs,
thereby implementing host ARP advertisement. The MAC Address and MAC
Address Length fields identify the MAC address of the host, whereas the IP
Address and IP Address Length fields identify the IP address of the host. In this
case, MAC/IP routes are also called ARP routes. Host ARP advertisement applies
to the following scenarios:
▫ ARP broadcast suppression. After a Layer 3 gateway learns the ARP entry of
a host on its subnet, it generates host information that contains the host IP
and MAC addresses, L2VNI, and gateway's VTEP IP address. The Layer 3
gateway then advertises an ARP route carrying the host information to a
Layer 2 gateway. When the Layer 2 gateway receives an ARP request, it
searches for host information corresponding to the destination IP address in
the request. If the host information exists, the gateway replaces the
broadcast MAC address in the ARP request with the destination unicast
MAC address, and unicasts the packet, thereby implementing ARP
broadcast suppression.
Type 2 Route: inter-subnet forwarding, VLANIF versus VBDIF
Figure: On the left, inter-subnet forwarding between VLANs through VLANIF 10 and VLANIF 20 on a single switch. On the right, inter-subnet forwarding between BDs through VBDIF interfaces on VTEP1 and VTEP2. PC1 is 172.16.2.1/24 and PC2 is 172.16.1.2/24.
▫ Based on its own IP address and mask and the peer IP address, PC1 finds that PC2 is not on the same network segment. PC1 therefore treats the communication as Layer 3 communication and sends the traffic destined for PC2 to the gateway. In the data frame sent by PC1, the source MAC address is MAC1 and the destination MAC address is MAC2, the gateway's MAC address.
▫ After receiving the frame from PC1 destined for PC2, the switch parses the Ethernet header and finds that the destination MAC address is the MAC address of VLANIF 10. The switch therefore treats the packet as destined for itself and hands it to the routing module for further processing.
▫ The routing module parses the packet and finds that the destination IP
address is 192.168.20.2, which is not an IP address of a local interface.
Therefore, the packet needs to be forwarded at Layer 3. After the routing
table is searched, a direct route generated by VLANIF 20 is matched.
▫ Because the matched route is a direct route, the packet has reached the
last hop. Therefore, the switch searches the ARP table for 192.168.20.2 to
obtain the MAC address of the host with the IP address 192.168.20.2, and
sends the MAC address to the switching module for re-encapsulation into a
data frame.
Type 2 Route: Asymmetric IRB
⚫ Asymmetric IRB: The ingress VTEP searches both the Layer 3 and Layer 2 forwarding tables for traffic forwarding, and the egress VTEP searches only the Layer 2 forwarding table. This forwarding mode is called asymmetric because the ingress and egress VTEPs perform different operations.
Figure: VTEP1 (1.1.1.1) and VTEP2 (2.2.2.2) both have VBDIF 10 and VBDIF 20. (1) PC1 sends a unicast frame to PC2. (4) VTEP1 sends the frame to VTEP2 through the VXLAN tunnel as outer IP, UDP, VXLAN header (VNI 100) and an inner frame with source MAC address = VBDIF 10 MAC and destination MAC address = MAC B. (6) VTEP2 sends the frame to PC2.
• During asymmetric IRB, host IP routes are not advertised between VTEPs. That is,
VTEP1 and VTEP2 do not advertise 32-bit host routes (generated based on ARP
information) generated by the local downstream PCs between them. Therefore,
VTEP1 searches the routing table in step 2, and only the direct route generated
by VBDIF 10 can be matched.
• In step 5, VTEP2 decapsulates the VXLAN packet and finds that the destination
MAC address is not the MAC address of the local VBDIF interface corresponding
to the BD. Therefore, VTEP2 searches the Layer 2 forwarding table for the MAC
address entry of the BD based on the VNI carried in the packet, and then
forwards the packet at Layer 2.
Type 2 Route Type 3 Route Type 5 Route
Symmetric IRB
⚫ Symmetric IRB: Both the ingress and egress VTEPs search the Layer 3 forwarding table for traffic forwarding.
⚫ Compared with asymmetric IRB, the concepts of an IP VPN instance and its bound Layer 3 VNI are added. (In asymmetric IRB, the
VNI in the VXLAN header of packets transmitted between VTEPs is a Layer 2 VNI.) A VBDIF interface needs to be bound to an IP VPN
instance. In this case, route learning and data forwarding of the VBDIF interface are restricted in the IP VPN instance, which is similar
to the implementation in MPLS VPN.
Figure: VTEP1 (1.1.1.1) has BD 20 and VBDIF 20; VTEP2 (2.2.2.2) has BD 10 and VBDIF 10; the two are connected by a VXLAN tunnel. On both VTEPs the VBDIF interface is bound to IP VPN instance VPN1, which uses L3 VNI 1000 and RT 10:1; the RD of VPN1 is 203:1 on VTEP1 and 103:1 on VTEP2. The VTEPs exchange IRB routes (carrying the additional Layer 3 VNI). The learning of IRB routes between BD 20 of VTEP1 and BD 10 of VTEP2 is controlled by the RTs carried in the routes, a mechanism similar to that of VPNv4 routes in MPLS VPN.
• In a BGP EVPN scenario, to use the RTs of an IP VPN instance to control the
sending and receiving of EVPN routes, run the vpn-target evpn command to
configure RTs for the IP VPN instance. Then, the export RT attribute is carried in
the EVPN route to be sent to the remote BGP EVPN peer, the import RT attribute
is used to determine which EVPN routes can be added to the routing table of the
local IP VPN instance address family by matching the import RT attribute with
the RT attribute carried in the EVPN route.
• Note: The RTs configured using the vpn-target evpn command are called RTs
(EVPN).
Type 2 Route: RT matching for IRB routes
Figure: VTEP1 has BD 20, whose EVPN instance has ERT 20:1; VTEP2 has VBDIF 20 bound to an IP VPN instance with IRT 20:1. (1) VTEP1 sends the EVPN route. (2) On VTEP2, the RT carried in the route is the same as the IRT of the EVPN instance. (3) The RT carried in the route is also the same as the IRT of the IP VPN instance.
• VTEP1 sends a Type 2 BGP EVPN route (IRB type). The route carries the ERT
(20:1) of the EVPN instance bound to the BD to which the route belongs.
• After receiving the BGP Update message, VTEP2 checks whether the RT (20:1)
carried in the extended attribute of the BGP Update message is the same as the
IRT of the local EVPN instance and the IRT (EVPN) of the IP VPN instance. If the
IRT is the same as that of the EVPN instance bound to BD 20 and that of the IP
VPN instance bound to VBDIF 20, the device adds the EVPN route to the EVPN
routing table of BD 20 and the IP route contained in the EVPN route to the
routing table of the IP VPN instance corresponding to VBDIF 20.
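The Type 2 NLRI layout from the field table above (MAC, ARP and IRB forms) together with the RT import rules just described, as an added example that is not Huawei code. It encodes and decodes the NLRI byte for byte (RFC 7432 section 7.2, with the VNIs carried in the 24-bit label fields as RFC 8365 specifies) and then applies the receiving VTEP's import decision: an EVPN instance installs the MAC entry when one of its IRTs matches a carried RT, and for IRB routes an IP VPN instance installs the host route when its IRT (EVPN) matches. Type 0 (two-octet AS) RDs and the "ASN:NN" string form for RDs and RTs are assumptions.

```python
"""BGP EVPN Type 2 (MAC/IP Advertisement) route: NLRI encoding and RT-based import.

Added example, not Huawei code. Field layout follows the course table; VNIs are
carried in the 24-bit MPLS label fields. Assumptions: RDs and RTs are given as
type 0 "ASN:NN" strings, ESI defaults to all zeros, Ethernet Tag ID defaults to 0.
"""
import ipaddress
import struct


def encode_rd(text):
    """Type 0 RD 'ASN:assigned' -> 8 bytes (2-byte type, 2-byte ASN, 4-byte number)."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def decode_rd(data):
    _, asn, num = struct.unpack("!HHI", data)
    return f"{asn}:{num}"


def encode_type2(rd, mac, l2_vni, ip=None, l3_vni=None, esi=b"\x00" * 10, eth_tag=0):
    """Build the NLRI. MAC-only, ARP (MAC + IP + L2 VNI) and IRB (+ L3 VNI) routes differ
    only in which optional fields are present."""
    nlri = encode_rd(rd) + esi + struct.pack("!I", eth_tag)
    nlri += struct.pack("!B", 48) + bytes.fromhex(mac.replace("-", ""))
    if ip is None:
        nlri += b"\x00"                          # IP Address Length 0: no IP carried
    else:
        addr = ipaddress.ip_address(ip)
        nlri += struct.pack("!B", 8 * len(addr.packed)) + addr.packed
    nlri += struct.pack("!I", l2_vni)[1:]        # MPLS Label1: 24-bit Layer 2 VNI
    if l3_vni is not None:
        nlri += struct.pack("!I", l3_vni)[1:]    # MPLS Label2: 24-bit Layer 3 VNI
    return nlri


def decode_type2(nlri):
    """Parse the NLRI into a dict, checking every length against the field table."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(nlri):
            raise ValueError("truncated Type 2 NLRI")
        chunk = nlri[pos:pos + n]
        pos += n
        return chunk

    route = {"rd": decode_rd(take(8)), "esi": take(10),
             "eth_tag": struct.unpack("!I", take(4))[0]}
    if take(1)[0] != 48:
        raise ValueError("MAC Address Length must be 48 bits")
    hexed = take(6).hex()
    route["mac"] = "-".join(hexed[i:i + 4] for i in (0, 4, 8))
    ip_len = take(1)[0]
    if ip_len not in (0, 32, 128):
        raise ValueError(f"bad IP Address Length {ip_len}")
    route["ip"] = str(ipaddress.ip_address(take(ip_len // 8))) if ip_len else None
    route["l2_vni"] = int.from_bytes(take(3), "big")
    route["l3_vni"] = int.from_bytes(take(3), "big") if pos < len(nlri) else None
    if pos != len(nlri):
        raise ValueError("trailing bytes after Type 2 NLRI")
    if route["ip"] is None:
        route["kind"] = "MAC"
    else:
        route["kind"] = "IRB" if route["l3_vni"] is not None else "ARP"
    return route


def import_type2(route, route_rts, next_hop, evpn_instances, ip_vpn_instances):
    """Receiving-VTEP import decision from the course:
    - an EVPN instance accepts the route when one of its IRTs matches a carried RT and
      installs the MAC entry in its BD with the tunnel to next_hop as outbound interface;
    - for an IRB route, an IP VPN instance accepts it when its IRT (EVPN) matches and
      installs the /32 (or /128) host route with the L3 VNI and next_hop.
    A route that matches nothing is discarded (both lists stay empty)."""
    installed = {"mac": [], "ip": []}
    carried = set(route_rts)
    for inst in evpn_instances:
        if carried & set(inst["irt"]):
            installed["mac"].append((inst["bd"], route["mac"], next_hop))
    if route["kind"] == "IRB":
        for vpn in ip_vpn_instances:
            if carried & set(vpn["irt_evpn"]):
                host = ipaddress.ip_network(route["ip"])      # host route, /32 or /128
                installed["ip"].append((vpn["name"], str(host), route["l3_vni"], next_hop))
    return installed
```

The length checks in `decode_type2` matter in practice: a receiver that trusts the advertised IP Address Length or ignores trailing bytes will mis-parse the label fields and install a route with a wrong VNI.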
Type 2 Route: host IP route advertisement
Figure: SW1 and SW2 are Layer 3 gateways connected by a VXLAN tunnel. PC1 (172.16.2.1/24, MAC D) is attached to SW1; PC2 (172.16.1.2/24, MAC A) is attached to SW2. SW2 has IP VPN instance VPN1 (L3 VNI 1000, RD 103:1, RT 10:1, router MAC = MAC B) and EVPN instance BD_10 for BD 10 (L2 VNI 100, RD 10:1, RT 10:1).
(1) SW2 learns the ARP entry of PC2 and generates an IRB route.
(2) SW2 sends a BGP Update message carrying EVPN RT 10:1 and a Type 2 route: RD 10:1, host route 172.16.1.2/32, MAC address = MAC A, Layer 2 VNI = 100, Layer 3 VNI = 1000, router MAC = MAC B.
(3) The Layer 3 gateway SW1 obtains the host route to PC2 containing the router MAC address of VTEP2 and installs it:
  Destination/Mask  L3 VNI  Next Hop  Outbound Interface
  172.16.1.2/32     1000    2.2.2.2   VXLAN tunnel
BGP EVPN uses the EVPN Router's MAC Extended Community attribute to transmit the VTEP's router MAC address, which is the MAC address of the NVE interface.
Type 2 Route: symmetric IRB forwarding
Figure: (1) PC1 sends a unicast frame to PC2. (3) VTEP1 (1.1.1.1) sends the frame to VTEP2 (2.2.2.2, router MAC = MAC B) through the VXLAN tunnel as outer IP, UDP, VXLAN header (L3 VNI 1000) and an inner frame with source MAC address = VTEP1's system MAC address and destination MAC address = MAC B. (5) VTEP2 sends the frame to PC2.
• During symmetric IRB, VTEPs exchange 32-bit host routes generated based on ARP information. VTEP1 therefore finds the 32-bit host route advertised by VTEP2 when it searches its routing table. Even if VBDIF 10 and the corresponding direct route exist on VTEP1, VTEP1 still forwards packets based on the 32-bit host route according to the longest match rule.
• In step 4, VTEP2 decapsulates the VXLAN packet and finds that the destination
MAC address of the inner data frame is VTEP2's router MAC address (MAC B).
VTEP2 then determines to search the Layer 3 table for traffic forwarding. VTEP2
finds the corresponding IP VPN instance based on VNI 1000 and searches for the
corresponding route in the routing table of the IP VPN instance. It finds the direct
route matching VBDIF 10, searches the local MAC address table, and sends the
packet to a local host PC2.
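The two IRB modes side by side, as an added example that is not Huawei code: the same PC1 to PC2 inter-subnet frame goes through the ingress decision on VTEP1 (asymmetric as on the earlier slide, symmetric as just described) and then through the egress decision on VTEP2. The VBDIF gateway MAC, the VTEP system and router MACs, the /24 subnet sizes and the port name are assumptions; the addresses and VNIs are the slides' own.

```python
"""Asymmetric vs. symmetric IRB for one PC1 -> PC2 inter-subnet frame.

Added example, not part of the course. PC1 172.16.2.1 (MAC A) sits in BD 20 behind
VTEP1; PC2 172.16.1.2 (MAC B) sits in BD 10 (L2 VNI 100) behind VTEP2 (2.2.2.2).
VPN1 uses L3 VNI 1000. The gateway (VBDIF) MAC, the VTEP system/router MACs, the /24
subnet sizes and the port name are assumptions.
"""
import ipaddress

MAC_A, MAC_B = "00aa-0000-0001", "00bb-0000-0002"
GW_MAC = "00ab-09ff-1111"                 # VBDIF MAC, identical on every VTEP (anycast gateway)
VTEP1_SYS_MAC = "00e0-1111-0001"
VTEP2_ROUTER_MAC = "00e0-2222-0002"       # learned from the EVPN Router's MAC extended community


def longest_match(table, dst_ip):
    """Longest-prefix match over [(prefix, attrs), ...]; raises when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(p, a) for p, a in table if dst in ipaddress.ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst_ip}")
    return max(hits, key=lambda hit: ipaddress.ip_network(hit[0]).prefixlen)


def ingress_forward(mode, frame, dst_ip):
    """VTEP1 decides how to encapsulate a frame addressed to the gateway MAC."""
    if frame["dst_mac"] != GW_MAC:
        raise ValueError("not addressed to the gateway: plain Layer 2 forwarding")
    direct = [("172.16.1.0/24", {"via": "VBDIF 10", "l2_vni": 100}),
              ("172.16.2.0/24", {"via": "VBDIF 20", "l2_vni": 200})]
    if mode == "asymmetric":
        # Host routes are not advertised: only a VBDIF direct route can match, then the
        # ARP entry and the BD MAC entry (both learned from EVPN) pick the remote VTEP.
        arp = {"172.16.1.2": MAC_B}
        mac_table = {(100, MAC_B): "2.2.2.2"}
        prefix, attrs = longest_match(direct, dst_ip)
        dst_mac = arp[dst_ip]
        return {"matched": prefix, "vni": attrs["l2_vni"],
                "outer_dst": mac_table[(attrs["l2_vni"], dst_mac)],
                "inner_src": GW_MAC, "inner_dst": dst_mac}
    if mode == "symmetric":
        # VPN1 also holds the /32 host route installed from VTEP2's IRB route.
        table = direct + [("172.16.1.2/32", {"via": "2.2.2.2", "l3_vni": 1000,
                                             "router_mac": VTEP2_ROUTER_MAC})]
        prefix, attrs = longest_match(table, dst_ip)   # the /32 beats the /24 direct route
        return {"matched": prefix, "vni": attrs["l3_vni"], "outer_dst": attrs["via"],
                "inner_src": VTEP1_SYS_MAC, "inner_dst": attrs["router_mac"]}
    raise ValueError(f"unknown IRB mode {mode}")


def egress_forward(pkt, dst_ip):
    """VTEP2: an inner destination equal to its router MAC means a Layer 3 lookup in the
    VPN bound to the L3 VNI; anything else is a Layer 2 lookup in the BD of the L2 VNI."""
    vpn_by_l3vni = {1000: "VPN1"}
    bd_by_l2vni = {100: 10}
    vpn_direct = {"VPN1": [("172.16.1.0/24", 10)]}   # direct route of VBDIF 10 -> BD 10
    local_arp = {"172.16.1.2": MAC_B}
    local_macs = {(10, MAC_B): "GE1/0/1.10"}
    if pkt["inner_dst"] == VTEP2_ROUTER_MAC:
        vpn = vpn_by_l3vni[pkt["vni"]]
        _, bd = longest_match(vpn_direct[vpn], dst_ip)
        port = local_macs[(bd, local_arp[dst_ip])]
        return {"lookup": "L3", "vpn": vpn, "bd": bd, "port": port}
    bd = bd_by_l2vni[pkt["vni"]]
    return {"lookup": "L2", "bd": bd, "port": local_macs[(bd, pkt["inner_dst"])]}
```

The visible difference is in the VXLAN header and inner MAC addresses: asymmetric traffic crosses the fabric with the destination BD's L2 VNI and the real host MAC, so every VTEP must hold the ARP and MAC entries of every remote host it routes to; symmetric traffic carries the L3 VNI and the remote router MAC, so the egress VTEP resolves the host locally.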
Type 3 Route: NLRI format (inclusive multicast route)
IP Address Length (1 byte): mask length of the local VTEP's IP address carried in the route.
Originating Router's IP Address (4 or 16 bytes): local VTEP's IP address carried in the route.
Type 5 Route: IP prefix route advertisement
Figure: SW1 (VTEP 1.1.1.1/32) and SW2 (VTEP 2.2.2.2/32) are Layer 3 gateways connected by a VXLAN tunnel. The external network 1.2.3.0/24 is reachable through one of the gateways and is advertised to the other in a Type 5 route carrying VNI 88.
• Similar to Type 2 IRB routes, Type 5 routes carry the router MAC address of the
VTEP through the EVPN Router's MAC Extended Community attribute during
route transmission. In addition, Type 5 routes carry only the Layer 3 VNI.
Therefore, the forwarding process is also IRB.
ARP Broadcast Suppression
⚫ BGP EVPN Type 2 routes enable VTEPs to learn MAC addresses without depending on communication between
hosts. However, ARP requests between hosts still need to be flooded on the VXLAN overlay network, which
consumes a large number of network resources.
⚫ ARP broadcast suppression can be implemented based on BGP EVPN routes to reduce broadcast traffic.
Figure: PC1 (172.16.2.1/24, MAC A) is attached to VTEP1 (1.1.1.1) and PC2 (172.16.2.2/24, MAC B) to VTEP2 (2.2.2.2).
(1) PC1 sends an ARP request for PC2 (source MAC address MAC A, destination MAC address all Fs).
(2) VTEP1 searches the ARP broadcast suppression table of BD 20 and finds the entry: IP address 172.16.2.2, MAC B, VTEP 2.2.2.2.
(3) VTEP1 changes the destination MAC address of the ARP frame from all Fs to MAC B, encapsulates the frame into a VXLAN packet (outer IP header with source 1.1.1.1 and destination 2.2.2.2, UDP header, VXLAN header, original frame) and sends it to VTEP2 only.
(4) VTEP2 unicasts the ARP packet (source MAC address MAC A, destination MAC address MAC B) to PC2.
Figure: how the suppression table is built. (1) BGP EVPN host information collection is enabled on VTEP1 (1.1.1.1), which generates IRB routes for PC1 (172.16.2.1/24, MAC A). (2) The ARP information is transmitted to VTEP2 (2.2.2.2) through BGP EVPN Type 2 IRB routes. (3) VTEP2 uses the IRB routes to generate host information entries, which it applies to ARP requests from PC2 (172.16.2.2/24, MAC B).
• An ARP route carries the following valid information: host MAC address, host IP
address, and Layer 2 VNI. An IRB route carries the following valid information:
host MAC address, host IP address, Layer 2 VNI, and Layer 3 VNI. Therefore, IRB
routes include ARP routes and can be used to advertise both host IP routes and
host ARP entries.
Local Proxy ARP (1)
⚫ After BGP EVPN host information collection is enabled on the entire network, the Layer 3 gateway learns 32-bit
host routes of all hosts. In this way, the Layer 3 gateway can use host routes to perform Layer 3 symmetric IRB for
traffic in the same BD.
⚫ You can enable local proxy ARP on the VBDIF interface of the Layer 3 gateway. The VBDIF interface responds to
ARP requests from downstream hosts for IP addresses on the same network segment. The Layer 3 gateway then
performs Layer 3 forwarding for access to the IP addresses on the same network segment.
Figure: VBDIF 20 on VTEP1 (1.1.1.1) has IP address 172.16.2.254 and MAC C, and arp-proxy local enable is configured on it. (1) PC1 (172.16.2.1/24, MAC A) sends an ARP request for PC2 (172.16.2.2/24, MAC B), which is attached to VTEP2 (2.2.2.2). (2) VBDIF 20 acts as a proxy and sends the ARP reply itself.
Local Proxy ARP (2)
Figure: (3) PC1 sends a data frame to PC2 (Ethernet header with source MAC address MAC A and destination MAC address MAC C, then the payload). (4) VTEP1 finds that the destination MAC address is its own, searches the routing table for Layer 3 forwarding, finds the host route, and forwards the packet to VTEP2 through VXLAN.
Local proxy ARP restricts ARP packet transmission within the local VTEP and reduces unnecessary traffic exchanged between VTEPs.
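The ARP handling of the last four slides on one VTEP, as an added example that is not Huawei code: a real Ethernet plus ARP frame (RFC 826 layout) is parsed, and the VTEP either answers it itself when local proxy ARP is enabled (or when the request is for the VBDIF address), rewrites the broadcast destination to the unicast MAC from its suppression table and sends it into a single tunnel, or falls back to flooding over the head-end peer list. The PC and VBDIF MAC addresses and the suppression-table shape are assumptions.

```python
"""ARP broadcast suppression and local proxy ARP on a VTEP.

Added example, not Huawei code. Frames use the real Ethernet II + ARP byte layout
(RFC 826). The suppression table is the host information a VTEP derives from BGP EVPN
Type 2 routes. The MAC addresses below and the table shape are assumptions.
"""
import struct

ETH_ARP = 0x0806
BCAST = b"\xff" * 6
MAC_A = bytes.fromhex("00aa00000001")   # PC1
MAC_B = bytes.fromhex("00bb00000002")   # PC2
MAC_C = bytes.fromhex("00cc00000003")   # VBDIF 20 on VTEP1


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(octet) for octet in raw)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst):
    """Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += src_mac + ip_bytes(src_ip) + dst_mac + ip_bytes(dst_ip)
    return eth_dst + src_mac + struct.pack("!H", ETH_ARP) + arp


def parse_arp(frame):
    """Validate sizes and types, then return the fields the VTEP needs."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": body[:6], "spa": ip_str(body[6:10]),
            "tha": body[10:16], "tpa": ip_str(body[16:20])}


class VTEP:
    def __init__(self, ip, vbdif_ip, vbdif_mac, local_proxy_arp=False):
        self.ip, self.vbdif_ip, self.vbdif_mac = ip, vbdif_ip, vbdif_mac
        self.local_proxy_arp = local_proxy_arp
        self.suppression = {}   # target IP -> (MAC, remote VTEP IP), from Type 2 routes
        self.peers = []         # head-end peer list, used only when nothing is known

    def learn_from_type2(self, ip, mac, vtep_ip):
        self.suppression[ip] = (mac, vtep_ip)

    def handle_arp_request(self, frame):
        """Return ("reply", frame) sent back to the requester, ("unicast", vtep_ip, frame)
        sent into one tunnel, or ("flood", peers, frame) replicated to every peer."""
        req = parse_arp(frame)
        if req["op"] != 1 or req["eth_dst"] != BCAST:
            raise ValueError("expected a broadcast ARP request")
        if self.local_proxy_arp or req["tpa"] == self.vbdif_ip:
            # Proxy: answer with the gateway MAC so the host addresses its data to the
            # VBDIF and the VTEP routes it on the /32 host route; no ARP leaves this VTEP.
            reply = build_arp(2, self.vbdif_mac, req["tpa"], req["sha"], req["spa"], req["sha"])
            return ("reply", reply)
        if req["tpa"] in self.suppression:
            mac, vtep_ip = self.suppression[req["tpa"]]
            # Suppression: rewrite all Fs to the known unicast MAC and use one tunnel only;
            # the ARP payload itself is left untouched.
            return ("unicast", vtep_ip, mac + frame[6:])
        return ("flood", list(self.peers), frame)
```

The proxy branch deliberately runs before the suppression lookup: once local proxy ARP is on, every same-segment request is answered locally with MAC C, which is why the following slide can say the VTEP no longer needs network-side ARP entries at all.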
Anycast Gateway
⚫ When local proxy ARP is enabled, a VTEP only needs to maintain local ARP entries. ARP information
transmitted by other VTEPs through BGP EVPN routes is not used during packet forwarding. In this
case, the VTEP does not need to maintain ARP entries learned from other VTEPs.
⚫ After the distributed gateway function is enabled, the VTEP processes only ARP packets received from
user-side hosts and deletes learned network-side ARP entries.
Figure: PC1 (172.16.2.1/24, MAC A) behind VTEP1 (1.1.1.1) and PC2 (172.16.2.2/24, MAC B) behind VTEP2 (2.2.2.2), connected by a VXLAN tunnel.
• Generally, the VBDIF interfaces with the same ID on different VTEPs are
configured with the same MAC address. After the distributed gateway function is
enabled, the VBDIF interfaces have the same IP address and MAC address, but no
ARP conflict is reported. In addition, when hosts and VMs are migrated to
different VTEPs, ARP resolution does not need to be performed on the gateway.
MAC Mobility
• The MAC Mobility extended attribute is used to announce the location change of
a host or VM when the host or VM is migrated from one VTEP to another VTEP.
VXLAN QoS (1)
⚫ Certain fields in the packet header record QoS information so that network devices can provide
differentiated services.
⚫ Packets carry different types of precedence field depending on the network type. For example, packets
carry the 802.1p field on a VLAN network, the DSCP field on an IP network, and the EXP field on an
MPLS network. If packets traverse different types of networks, the mapping between the precedence
fields must be configured on the gateway. This configuration ensures that the packet priorities are
retained regardless of the network type.
⚫ VXLAN QoS provides differentiated quality assurance for VXLAN packets based on their internal
priorities, which are assigned by devices to differentiate the service classes of packets. In VXLAN QoS
implementation, devices map QoS priorities carried in original packets to internal priorities, and map
internal priorities to the priorities of VXLAN packets.
VXLAN QoS (2)
(1) On a Layer 2 sub-interface, the device maps the QoS priority (802.1p or DSCP) of the original packet to an internal priority and sends the packet to a queue based on that internal priority.
(2) The packet is encapsulated into a VXLAN packet (Ethernet header, IP header, UDP header, VXLAN header, inner payload with its own 802.1p/DSCP field). The outer 802.1p or DSCP priority is mapped from the internal priority, and the packet is forwarded into the VXLAN tunnel.
(4) At the far end, the internal priority of the packet is mapped back to the QoS priority on a Layer 2 sub-interface, so that the QoS priority of the packet remains unchanged after it passes through the VXLAN network. Subsequent packets are transmitted based on the mapped priority.
• In step 2, after the device encapsulates the packet into a VXLAN packet, the QoS
priority of the encapsulated packet is as follows:
▫ By default, the outer DSCP value of the encapsulated packet is 0, and the
inner DSCP value of the encapsulated packet remains unchanged. After the
qos phb marking dscp enable command is configured in the Ethernet
interface view, the outer DSCP value is mapped from the internal priority,
and the inner DSCP value remains unchanged.
• After VXLAN encapsulation is complete, the internal priority is derived from the DSCP or 802.1p field in the outer header, which is the only priority visible to the devices between the local and remote VTEPs; the inner header is not examined until the packet is decapsulated at the remote VTEP.
Distributed Gateway (1)
• Networking requirements:
 The entire network uses BGP EVPN to construct a VXLAN network with distributed gateways. The spines function as RRs and reflect EVPN routes to implement Layer 2 and Layer 3 communication between servers.
 M-LAG is configured on all leaf nodes to ensure access link reliability.
 An egress route is configured on Leaf3 (border leaf) to allow Server1 on the intranet to access the Internet.
• Configuration procedure:
 Configure M-LAG on the leaf nodes. (The configuration is not covered here.)
 Configure interface IP addresses and OSPF. (The configuration is not covered here.)
 Configure BGP and enable BGP EVPN peers.
 Configure a VXLAN tunnel.
 Configure EVPN and VPN instances.
 Configure a VXLAN Layer 3 gateway.
 Configure service access points and egress routes.
Figure: Spine1 and Spine2; server leaf pairs Leaf1A/Leaf1B and Leaf2A/Leaf2B; border leaf pair Leaf3A/Leaf3B connected to the PE. Server1 192.168.1.1/24 and Server2 192.168.2.1/24 are attached to Leaf1, Server3 192.168.1.2/24 to Leaf2.
Distributed Gateway (2)
• Router ID planning: All devices use the IP address of the Loopback0 interface as the router ID. The IP address planning is 10.X.X.X, where X is the device ID marked in the figure (Leaf1A to Leaf2B are 1 to 4, Leaf3A and Leaf3B are 5 and 6).
Question: Why do two leaf nodes in an M-LAG share the same VTEP IP address?
Distributed Gateway (3)
• Configuration notes:
Distributed Gateway (4)
• Configuration procedure: Configure BGP and enable BGP EVPN peers.
• The configuration of Spine1 is as follows:
Distributed Gateway (5)
• Configuration procedure: Configure BGP and enable BGP EVPN peers.
• The configuration of Leaf1A is as follows:
Distributed Gateway (6)
• Configuration roadmap: Configure a VXLAN tunnel.
Distributed Gateway (7)
• Configuration roadmap:
  ▫ Configure EVPN and VPN instances.
• The configuration of Leaf1 is as follows. The following uses Leaf1A as an example.
EVPN instance configuration:
[~Leaf1A] bridge-domain 100
[*Leaf1A-bd100] evpn
[*Leaf1A-bd100-evpn] route-distinguisher 2:2
[*Leaf1A-bd100-evpn] vpn-target 100:1
[*Leaf1A-bd100-evpn] vpn-target 1000:1 export-extcommunity
[*Leaf1A-bd100-evpn] quit
[*Leaf1A-bd100] quit
[*Leaf1A] bridge-domain 200
[*Leaf1A-bd200] evpn
[*Leaf1A-bd200-evpn] route-distinguisher 3:3
[*Leaf1A-bd200-evpn] vpn-target 200:1
[*Leaf1A-bd200-evpn] vpn-target 1000:1 export-extcommunity
[*Leaf1A-bd200-evpn] commit
IP VPN instance configuration:
[~Leaf1A] ip vpn-instance vpn1
[*Leaf1A-vpn-instance-vpn1] vxlan vni 10000
[*Leaf1A-vpn-instance-vpn1] ipv4-family
[*Leaf1A-vpn-instance-vpn1-af-ipv4] route-distinguisher 22:22
[*Leaf1A-vpn-instance-vpn1-af-ipv4] vpn-target 1000:1
[*Leaf1A-vpn-instance-vpn1-af-ipv4] vpn-target 1000:1 evpn
[*Leaf1A-vpn-instance-vpn1-af-ipv4] commit
• The configuration of Leaf2 and Leaf3 is similar to that of Leaf1. The configuration details are not covered here.
• Leaf2 needs to be configured with only the EVPN instance and IP VPN instance of BD100.
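How the vpn-target settings above decide which local instance accepts an EVPN route, as an added Python example (not from the slides or from Huawei): it models Leaf1A receiving routes from another leaf that uses the same instances, assuming that a bare vpn-target applies to both directions, export-extcommunity to export only, and the evpn form to EVPN routes in both directions; the MAC addresses and the leaf2_instances() helper are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Instance:
    """An EVPN instance (a bridge domain) or, with l3=True, an IP VPN instance."""
    name: str
    rd: str
    l3: bool = False
    import_rts: set = field(default_factory=set)
    export_rts: set = field(default_factory=set)

    def vpn_target(self, rt, mode="both"):
        """Mirror `vpn-target <rt> [import-extcommunity | export-extcommunity | evpn]`.
        Modelling assumption: a bare vpn-target and the evpn form set both directions."""
        if mode in ("both", "evpn", "import-extcommunity"):
            self.import_rts.add(rt)
        if mode in ("both", "evpn", "export-extcommunity"):
            self.export_rts.add(rt)
        return self


@dataclass(frozen=True)
class EvpnRoute:
    rtype: int         # 2 = MAC/IP advertisement route, 5 = IP prefix route
    rd: str
    rts: frozenset     # route-target extended communities carried by the route
    mac: str = ""
    ip: str = ""       # empty for a MAC-only Type 2 route


def leaf1a_instances():
    """The instances from the Leaf1A configuration above (RDs and RTs as on the slide)."""
    bd100 = Instance("bd100", "2:2").vpn_target("100:1").vpn_target("1000:1", "export-extcommunity")
    bd200 = Instance("bd200", "3:3").vpn_target("200:1").vpn_target("1000:1", "export-extcommunity")
    # The plain `vpn-target 1000:1` under ipv4-family is the VPNv4 RT and is not modelled here.
    vpn1 = Instance("vpn1", "22:22", l3=True).vpn_target("1000:1", "evpn")
    return [bd100, bd200, vpn1]


def leaf2_instances():
    """Constructed helper: Leaf2 needs only BD100 plus vpn1, as the note above says."""
    bd100, _bd200, vpn1 = leaf1a_instances()
    return [bd100, vpn1]


def originate(inst, rtype, mac="", ip=""):
    """A route advertised from `inst` carries that instance's RD and export RTs."""
    return EvpnRoute(rtype, inst.rd, frozenset(inst.export_rts), mac, ip)


def importers(route, instances):
    """Names of the local instances whose import RTs overlap the route's RTs.

    A bridge domain takes Type 2 (MAC/IP) routes for Layer 2 forwarding; an IP VPN
    instance takes Type 5 routes and Type 2 routes that carry a host IP, for Layer 3.
    """
    accepted = []
    for inst in instances:
        if not (inst.import_rts & route.rts):
            continue
        if inst.l3:
            if route.rtype == 5 or (route.rtype == 2 and route.ip):
                accepted.append(inst.name)
        elif route.rtype == 2:
            accepted.append(inst.name)
    return accepted


if __name__ == "__main__":
    insts = leaf1a_instances()
    bd100 = insts[0]
    # Server1 (192.168.1.1 in BD100) advertised by another leaf as a Type 2 MAC/IP route:
    # BD100 imports it for Layer 2, vpn1 imports it for Layer 3, BD200 ignores it.
    route = originate(bd100, 2, mac="00-11-22-33-44-55", ip="192.168.1.1")
    print(sorted(route.rts), importers(route, insts))
```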
Distributed Gateway (8)
• Configuration roadmap:
  ▫ Configure a VXLAN Layer 3 gateway.
• The following shows the configuration of Leaf1, using Leaf1A as an example.
Distributed Gateway (9)
• Configuration roadmap:
  ▫ Configure service access points and egress routes.
• Configure an egress route on Leaf3 and import it into BGP. The following uses Leaf3A as an example. 100.1.1.2 is the IP address of the port on the link connecting Leaf3 to the PE (the next hop toward the PE).
[~Leaf3A] ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2
[*Leaf3A] bgp 100
[*Leaf3A-bgp] ipv4-family vpn-instance vpn1
[*Leaf3A-bgp-vpn1] default-route imported
[*Leaf3A-bgp-vpn1] import-route static
[*Leaf3A-bgp-vpn1] commit
Distributed Gateway (10)
• Result verification:
  ▫ Run the display vxlan tunnel command on Leaf1A to check the VXLAN tunnels.
[~Leaf1A] display vxlan tunnel
Number of vxlan tunnel: 1
Tunnel ID   Source     Destination   State   Type      Uptime
----------------------------------------------------------------------------------------
4026531841  11.1.1.1   11.2.2.2      up      dynamic   0032h21m
4026531842  11.1.1.1   11.3.3.3      up      dynamic   0032h25m
  ▫ After the configuration is complete, Layer 2 and Layer 3 communication can be implemented between different servers.
  ▫ Check the egress routes on Leaf1 and Leaf3, for example, on Leaf1A.
Quiz
1. (True or false) BGP EVPN Type 2 host IP routes can be used to transmit ARP information. ( )
A. True
B. False
2. (Single-answer question) Which of the following statements about BGP EVPN is false? ( )
A. Carrying routes through MP_REACH_NLRI.
D. Carrying the next hop address of a route through the Next_Hop attribute
1. A
2. D
Summary
⚫ VXLAN uses a Layer 3 routed network as its underlay network and uses tunnels to build an
overlay virtual network, supporting a large number of tenant networks.
⚫ VXLAN does not define a control plane. To limit the flooding of BUM traffic, VXLAN needs
to use other control plane protocols to optimize BUM traffic forwarding.
⚫ BGP EVPN extends BGP by defining several types of BGP EVPN routes. These BGP EVPN
routes can be used to transmit VTEP addresses, host information, and routing information,
effectively helping VXLAN limit the flooding of BUM traffic.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
⚫ The data center carries core computing functions of enterprise production. The network has
requirements for high-performance load balancing and high service reliability. Important
service systems have requirements for uninterrupted services during device upgrade. This
puts forward a high requirement on the availability of the network system.
⚫ The CloudFabric solution uses Multichassis Link Aggregation Group (M-LAG) and Virtual
eXtensible Local Area Network (VXLAN) to implement end-to-end reliability, ensuring that
service systems can run properly in device failure and upgrade scenarios.
⚫ This document describes the principles and applications of the M-LAG technology.
Objectives
Contents
1. Overview of M-LAG
2. M-LAG Fundamentals
4. M-LAG Deployment
Overview of LAG
⚫ SW1 and SW2 are connected by multiple links, for example, four links. The four links can be bundled into an Eth-Trunk to:
  ▫ Increase the bandwidth (the sum of the bandwidth of the four links).
  ▫ Improve reliability (when some links are down, the other links take over the forwarding task).
  ▫ Load balance traffic (traffic is allocated to different links based on the 5-tuple hash algorithm to improve bandwidth utilization).
⚫ However, if SW1 or SW2 fails, the traffic transmitted through SW1 or SW2 is interrupted. In this case, board-level link aggregation cannot meet reliability requirements.
[Figure: SW1 and SW2 connected by an Eth-Trunk.]
• Huawei devices use Eth-Trunk as the link aggregation technology. You can configure an Eth-Trunk on a device and add multiple interfaces (for example, four interfaces) to the Eth-Trunk.
Overview of M-LAG
⚫ M-LAG (Multichassis Link Aggregation Group, inter-device link aggregation group): a mechanism that implements inter-device link aggregation. This mechanism improves the reliability of link aggregation from the link level to the device level. In addition, M-LAG member devices forward traffic through load balancing, forming a dual-active system.
⚫ M-LAG is also a virtualization technology. From the perspective of the peer device connected to the M-LAG port, the M-LAG port is connected to a logical switch.
[Figure: SW1 and SW2 joined by a peer-link form the M-LAG, and SW3 connects to both. SW1 and SW2 are independent devices from a management perspective; M-LAG is configured on SW1 and SW2.]
• There are several options to improve network reliability, such as STP+VRRP and stacking. However, these options have obvious problems, such as:
  ▫ STP+VRRP
  ▫ Stacking
    ▪ Fast stack upgrade reduces the service interruption time, but increases the upgrade time and the upgrade risk. The control plane is centralized, and faults may spread to member devices.
Comparison Between M-LAG and Stack
Management plane:
  ▫ Stack: A stack implements virtualization on the management plane, protocol plane (control plane), and data plane, and member devices are highly coupled.
  ▫ M-LAG: M-LAG implements virtualization on some data planes and some protocol planes (control planes) and has low coupling between member devices.
▫ Higher reliability.
1. Overview of M-LAG
2. M-LAG Fundamentals
◼ Basic Concepts of M-LAG
4. M-LAG Deployment
• A DFS group consists of a master device and a backup device. Under normal
circumstances, both the master and backup devices forward service traffic and
their forwarding behaviors are the same. The master and backup devices have
different forwarding behaviors only when a fault occurs.
▫ When no fault occurs, both the master and backup devices forward traffic.
▫ When two master devices are detected, service interfaces on the backup
device enter the Error-Down state.
• By default, the peer-link allows packets from all VLANs to pass through. If you do
not want the peer-link to allow packets from some VLANs to pass through, you
need to configure the VLANs separately.
• To improve the reliability of the peer-link, you are advised to add multiple links
to a LAG and configure the aggregated link as the peer-link. However, even if
[Figure: SW1 (Master) and SW2 (Backup) form a DFS group and are connected by a peer-link and a DAD link.]
• DAD link: A DAD link, also called a heartbeat link, is a Layer 3 link used by the Master/Backup devices in an M-LAG to send DAD packets.
• Under normal circumstances, the DAD link does not participate in any traffic
forwarding behaviors in the M-LAG. It is only used to detect whether two master
devices exist when a fault occurs. The DAD link can be an external link, for
example, if the M-LAG is connected to an IP network and the two member
devices can communicate through the IP network, the link that enables
communication between the member devices can function as the DAD link. An
independent link that provides Layer 3 reachability can also be configured as the
DAD link, for example, a link between management interfaces of the member
devices can function as the DAD link.
• Under normal circumstances, the HB DFS master/backup status does not affect
traffic forwarding behaviors in the M-LAG. It is used only in secondary fault
recovery scenarios.
▫ If a fault on the original DFS master device is rectified and the peer-link is
still faulty, the corresponding interfaces on the backup device are triggered
to enter the Error-Down state based on the HB DFS master/backup status.
This mechanism prevents abnormal traffic forwarding in the scenario where
two master devices exist.
Basic Concepts | System Setup
M-LAG conditions:
• Same LACP system ID.
[Figure: three Layer 2 networking scenarios in which a loop forms and STP blocks it.]
  ▫ STP needs to be used to prevent loops when a port planned for connecting to a server is incorrectly connected to a switch, or the uplink of the switch is connected to a non-M-LAG member interface.
  ▫ M-LAG is configured, physical cables are connected, and a loop occurs on the network. In this case, STP needs to be deployed to prevent loops.
  ▫ If physical connections are complete before M-LAG configuration, loops exist on the network. In this case, STP needs to be deployed to prevent loops.
Basic Concepts | System Setup
[Figure: M-LAG system setup. Phase 1: the two devices exchange DFS group device information over the peer-link. Phase 2: they select Master/Backup by comparing DFS group priorities and system MAC addresses. Dual-active detection (DAD) then runs over the DAD link, and all types of information and entries are synchronized over the peer-link.]
Basic Concepts | System Setup
M-LAG Pairing
⚫ After the M-LAG configuration is complete on two devices:
  ▫ The device first sends a DFS group Hello packet over the peer-link.
  ▫ After receiving a Hello packet from the remote end, the device checks whether the DFS group number carried in the packet is the same as that of the local end.
  ▫ If the DFS group numbers of the two devices are the same, the DFS group pairing is successful.
[Figure: SW1 and SW2 in one DFS group, connected by a peer-link and a DAD link.]
▫ Version: indicates the protocol version, which is used to identify the M-LAG
version of M-LAG member devices.
▫ Slot: indicates the slot ID of the card that needs to receive messages. For a
fixed device, the value is the stack ID.
• The user-defined message header contains the normal packet data, that is, the
information that needs to be exchanged or synchronized. For example, the DATA
field of a Hello packet contains the DFS group ID, priority, and MAC address of
the device, whereas the DATA field of a synchronization packet contains entries
and status information.
Basic Concepts | System Setup
Negotiate Master/Backup
⚫ DFS group Master/Backup negotiation:
  ▫ After the pairing succeeds, the two devices send a DFS group information packet to the peer through the peer-link. Each device determines the Master/Backup status of the DFS group based on the DFS group priority and system MAC address carried in the packet. (The device with the higher priority functions as the master. If the priorities are the same, the devices compare their MAC addresses, and the device with the smaller MAC address functions as the master.)
  ▫ In normal cases, the forwarding behavior of the master and backup devices is the same. The forwarding behavior of the Master/Backup devices differs only in the case of a fault.
[Figure: SW1 and SW2 in one DFS group with a peer-link, a DAD link, and an M-LAG member interface on each device. DFS group Hello packets and DFS group device information packets are exchanged over the peer-link.]
▫ After the DFS group negotiates the Master/Backup status, the two M-LAG
devices send M-LAG device information packets over the peer-link. The
packets carry the configurations of M-LAG member interfaces. After the
information about the M-LAG member interfaces is synchronized, the
Master/Backup status of the M-LAG member interfaces is determined.
▫ When member interface information is synchronized from the peer end, the
M-LAG member interface whose status changes from Down to Up first
becomes the master M-LAG member interface, and the M-LAG member
interface on the peer end becomes the backup.
Dual-Active Detection
⚫ After the M-LAG Master/Backup is negotiated, the two devices send M-LAG DAD packets at an interval of 1s over the DAD link. Once a device detects a peer-link fault, it sends three DAD packets at an interval of 100 ms to accelerate the detection. When the two devices can receive the packets from the peer device, the active-active system starts to work properly.
⚫ After the peer-link fails, DAD determines that the other device is still running. The service ports on the backup device are then set to the Error-Down state.
[Figure: SW1 and SW2 in one DFS group, connected by a peer-link and a DAD link, exchanging DFS group Hello packets.]
• If the peer-link fails and the two member switches continue to run, network
services will be affected.
▫ Forwarding entries (ARP and MAC addresses) on SW1 and SW2 are not
synchronized, which may cause forwarding exceptions.
• To improve the reliability of the M-LAG system, you need to configure DAD.
Normally, DAD links do not participate in any forwarding behavior of the M-LAG.
DAD is used only when the DFS group pairing fails or the peer-link fails, so the
M-LAG still works properly even if the DAD link fails. The DAD link can be
carried over an external network. (For example, if the M-LAG is connected to an
IP network, the two dual-homing devices can communicate with each other through
the IP network. In this case, the interworking link can be used as the
dual-active detection link.) You can also configure a reachable Layer 3 link as
the DAD link (for example, through the management interface).
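The pairing, Master/Backup negotiation and DAD behaviour described above, as an added Python model (not Huawei code): device names, DFS group priorities and system MAC addresses are constructed, and the 240 s member-interface recovery delay is the default this module gives for peer-link recovery.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One M-LAG member switch as seen by the DFS group protocol (values constructed)."""
    name: str
    dfs_group: int
    priority: int
    system_mac: str
    role: str = ""                  # "master" or "backup" once negotiated
    service_ports_up: bool = True   # False models the service interfaces in Error-Down


def mac_int(mac):
    """Numeric value of a MAC written as xx-xx-xx-xx-xx-xx or xx:xx:xx:xx:xx:xx."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def pair(a, b):
    """Pairing: each side sends a DFS group Hello over the peer-link; the group numbers must match."""
    return a.dfs_group == b.dfs_group


def negotiate(a, b):
    """Master/Backup selection from the DFS group information packets: the higher DFS
    group priority wins, and equal priorities fall back to the smaller system MAC address.
    Returns (master, backup)."""
    if not pair(a, b):
        raise ValueError("DFS group numbers differ; pairing failed")
    if a.priority != b.priority:
        master = a if a.priority > b.priority else b
    else:
        master = a if mac_int(a.system_mac) < mac_int(b.system_mac) else b
    backup = b if master is a else a
    master.role, backup.role = "master", "backup"
    return master, backup


def dad_intervals(peer_link_up):
    """DAD send schedule in seconds: one packet per second normally, three packets
    100 ms apart as soon as a peer-link fault is detected."""
    return [1.0] if peer_link_up else [0.1, 0.1, 0.1]


def peer_link_failed(master, backup, dad_link_up):
    """Peer-link fault handling. With a working DAD link the peer is known to be alive,
    so the backup's service ports go Error-Down. Without it the fault cannot be told
    apart from a peer failure and both devices keep forwarding (undetected dual-master),
    which is why a DAD link failure raises an alarm rather than triggering the failsafe."""
    if dad_link_up:
        backup.service_ports_up = False
        return "backup-error-down"
    return "dual-master-undetected"


def peer_link_recovered(backup, member_delay_s=240):
    """The backup's Error-Down ports return to Up once the peer-link recovers; the M-LAG
    member interface waits the default 240 s, the other interfaces come up at once."""
    backup.service_ports_up = True
    return member_delay_s


if __name__ == "__main__":
    sw1 = Member("SW1", 1, 150, "00-e0-fc-00-00-02")
    sw2 = Member("SW2", 1, 150, "00-e0-fc-00-00-01")
    master, backup = negotiate(sw1, sw2)        # equal priority: SW2 has the smaller MAC
    print(master.name, backup.name, dad_intervals(peer_link_up=False))
    print(peer_link_failed(master, backup, dad_link_up=True), backup.service_ports_up)
```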
• The synchronization information includes the device name, system MAC address,
software version, M-LAG status, STP status, VRRP priority, DR priority, ACL, and
LACP information.
Basic Concepts | System Setup
⚫ Synchronization principles:
  ▫ The entries learned on the M-LAG interface must be synchronized to the peer device. After receiving the message, the peer device changes the interface corresponding to the entry to the M-LAG interface on the local device.
  ▫ The entries learned on the isolated (single-homing) port must be synchronized to the peer device. After receiving the message, the peer device changes the interface corresponding to the entry to the peer-link.
⚫ Why does the peer-link disable the learning of related entries or protocols?
  ▫ If the peer-link interface learning function is enabled, the entries learned on the peer-link interface may conflict with the forwarding entries synchronized by the M-LAG DFS protocol.
  ▫ Because the peer-link interface is disabled from learning related entries or protocols, the entries learned by the isolated interface need to be synchronized to the peer end.
[Figure: SW1 and SW2 joined by a peer-link; SW3 is attached to a single-homing interface and SW4 is dual-homed. By default, non-M-LAG synchronization packets received from the peer-link are not learned, because they may conflict with information in M-LAG synchronization packets.]
1. Overview of M-LAG
2. M-LAG Fundamentals
▫ Basic Concepts of M-LAG
◼ Basic Features of M-LAG
4. M-LAG Deployment
Unidirectional Isolation to Prevent Loops - BUM Packets (1)
Unidirectional Isolation to Prevent Loops - BUM Packets (2)
⚫ When SW3 is connected to the M-LAG in active-active mode, global ACL configurations are delivered in the following sequence by default:
  ▫ Rule 1: Allows Layer 3 unicast packets whose source interface is the peer-link interface and whose destination interface is an M-LAG member interface to pass through.
  ▫ Rule 2: Rejects all packets whose source interface is a peer-link interface and whose destination interface is an M-LAG member interface.
[Figure: SW1 and SW2 joined by a peer-link; Rule 1 and Rule 2 apply from the peer-link interface to the M-LAG member interfaces. Unidirectional isolation is not configured from the peer-link to the single-homing port.]
▫ When M-LAG master and backup devices are negotiated, the system checks
whether the access device is dual-homed to the M-LAG using M-LAG
synchronization packets. If the access device is dual-homed to the M-LAG,
the two M-LAG devices deliver the unidirectional isolation configuration of
the corresponding M-LAG member interface to isolate traffic from peer-link
interfaces to M-LAG member interfaces. Unidirectional isolation in the M-
LAG loop prevention mechanism takes effect only for flooding traffic such
as broadcast traffic.
▫ If the access device is single-homed to the M-LAG, the M-LAG does not
deliver the unidirectional isolation configuration of the corresponding M-
LAG member interface.
• Canceling unidirectional isolation: When an M-LAG device detects that the local
M-LAG member interface is in Down state, the device sends M-LAG
synchronization packets through the peer-link to instruct the remote device to
revoke the automatically delivered unidirectional isolation ACL rule group of the
corresponding M-LAG member interface.
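The two default rules and the cancel-on-Down behaviour from the notes above, as an added Python model (not Huawei code): the switch, its port names and the frames are constructed, and flooding from the peer-link follows the module's rule that such packets reach only single-homing interfaces.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    kind: str          # "peer-link", "mlag-member" or "single-homed"
    mlag_id: int = 0   # M-LAG the member port belongs to (0 for non-member ports)


@dataclass(frozen=True)
class Frame:
    bum: bool = False          # broadcast, unknown unicast or multicast
    l3_unicast: bool = False   # routed unicast crossing the peer-link


class MlagSwitch:
    """One M-LAG member switch with the two default ACL rules delivered per member port."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports
        # Isolation is delivered while the access device is dual-homed, i.e. while the
        # peer's member interface of the same M-LAG is Up.
        self.isolated = {p.mlag_id: True for p in ports if p.kind == "mlag-member"}

    def peer_member_down(self, mlag_id):
        """Peer reported its member interface Down in an M-LAG sync packet: revoke the rule group."""
        self.isolated[mlag_id] = False

    def peer_member_up(self, mlag_id):
        """Peer's member interface is Up again: the isolation rules are delivered once more."""
        self.isolated[mlag_id] = True

    def permitted(self, ingress, egress, frame):
        """Default rule order for packets entering on the peer-link and leaving on a member port."""
        if egress == ingress:
            return False
        if ingress.kind == "peer-link" and egress.kind == "mlag-member":
            if frame.l3_unicast:                        # Rule 1: permit Layer 3 unicast
                return True
            return not self.isolated[egress.mlag_id]    # Rule 2: reject the rest while isolated
        return True   # no isolation toward single-homed ports, nor in the other direction

    def flood(self, ingress, frame):
        """Egress ports a BUM frame received on `ingress` is flooded to."""
        return [p.name for p in self.ports if self.permitted(ingress, p, frame)]


def sw2():
    """Constructed SW2: peer-link to SW1, Eth-Trunk10 toward the dual-homed SW4,
    GE1/0/3 toward a single-homed SW3."""
    return MlagSwitch("SW2", [
        Port("Peer-link", "peer-link"),
        Port("Eth-Trunk10", "mlag-member", 10),
        Port("GE1/0/3", "single-homed"),
    ])


if __name__ == "__main__":
    s = sw2()
    peer_link = s.ports[0]
    print(s.flood(peer_link, Frame(bum=True)))    # only the single-homed port: ['GE1/0/3']
    s.peer_member_down(10)                        # SW1's member interface went Down
    print(s.flood(peer_link, Frame(bum=True)))    # now also Eth-Trunk10, so SW4 is still reached
```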
M-LAG Upgrade in Maintenance Mode
⚫ If SW3 needs to be upgraded in the networking shown in the following figure, switch traffic to SW4 by shutting down the interface or modifying the link
cost of the routing protocol, and then upgrade SW3. After SW3 is upgraded, restore the interface status or the cost value of the routing protocol link and
switch traffic back to SW3. As a result, packet loss occurs in north-to-south traffic due to routing protocol convergence or ECMP path switching, and packet
loss occurs in south-to-north and east-west traffic due to Eth-Trunk interface status changes.
⚫ M-LAG upgrade in maintenance mode allows you to run commands in the maintenance mode view to switch traffic from the device to be upgraded to the
backup device and then restart the device. This reduces the packet loss rate during the upgrade and improves upgrade reliability.
1. Start.
2. Prepare for the upgrade (including the device status, upgrade files, and upgrade tools).
3. Switch traffic over.
4. Upgrade the device (you can upgrade the master device first).
5. Verify the upgrade.
   A. If the upgrade succeeds, the traffic is switched back and the next phase starts.
   B. If the upgrade fails, the traffic is switched back. Perform the upgrade again after the check.
6. After 10 minutes, when the device status and services are normal, the other device can be upgraded.
[Figure: SW3 and SW4 form the M-LAG (peer-link and DAD link) toward an L3 network; SW1 and SW2 are attached below.]
1. Overview of M-LAG
2. M-LAG Fundamentals
▫ Basic Concepts of M-LAG
4. M-LAG Deployment
• For east-west Layer 2 traffic, M-LAGs are configured for all devices and no
isolated ports are available. Local Layer 2 traffic is preferentially forwarded
through the M-LAG.
Known Unicast Traffic | BUM Traffic | Multicast Traffic
⚫ Traffic from SW4 to SW5:
  ▫ The packets that arrive at SW1 are sent to SW2 through the peer-link.
  ▫ The packets that arrive at SW2 are forwarded directly to the destination through SW2.
[Figure: SW1 and SW2 joined by a peer-link.]
• For east-west Layer 3 traffic, M-LAG member devices preferentially forward local
traffic.
• BUM packets refer to broadcast, unknown unicast, and multicast packets. The
Layer 2 forwarding process floods these packets.
• Packets received from the peer-link are flooded only to the single-homing
interface. The unidirectional isolation technology is used to prevent the packets
from being flooded to the dual-homing destination.
[Figure: left, BUM packets from non-M-LAG member interfaces; right, a BUM packet from an M-LAG member interface. In both cases SW1 floods the received traffic. When the traffic reaches SW2, SW2 does not forward it to SW4 because the peer-link and M-LAG member interfaces are isolated unidirectionally.]
• The figure on the right shows only the packets sent from SW4 to SW1 and the
packets sent from SW4 to SW2. The M-LAG member ports on SW1 are
unidirectionally isolated.
[Figure: multicast traffic on a Layer 2 network. Left: traffic from the multicast source is load-balanced to the M-LAG Master/Backup. Right: if only one copy of the traffic is diverted from the network side, the device that receives it forwards it directly to the local M-LAG member interface.]
• When Server A functions as the multicast source and Server B functions as the
multicast group member, the traffic of the multicast source is sent to the M-LAG
Master/Backup through load balancing. Because the upstream interface on the
right M-LAG Master/Backup is blocked, the multicast outbound interface on the
right device points to the peer-link.
• When Server B functions as the multicast source and Server A functions as the
multicast group member, M-LAG Master/Backup can forward multicast traffic.
When only one copy of traffic is diverted from the network side, the device that
receives the traffic directly forwards the multicast traffic to the local M-LAG
member interface.
▫ If the last digit of the multicast group address is an odd number (for
example, 225.1.1.1, FF1E::1, or FF1E::B), the M-LAG device where the master
M-LAG member interface resides forwards the traffic to the multicast group
member.
▫ If the last digit of the multicast group address is an even number (for
example, 225.1.1.2, FF1E::2, or FF1E::A), the M-LAG device where the
backup M-LAG member interface resides forwards the traffic to the
multicast group member.
Contents
1. Overview of M-LAG
2. M-LAG Fundamentals
4. M-LAG Deployment
Introduction to M-LAG Failure Protection
⚫ As an inter-device link aggregation technology, M-LAG improves link reliability from the card level to
the device level. If a fault (link, device, or peer-link fault) occurs, M-LAG uses the fault handling
mechanism to ensure that normal services are not affected.
Service Link and Interface | Device | Peer-link | Heartbeat Link | Comprehensive
[Figure: two panels, each showing SW1 and SW2 joined by a peer-link; the right panel shows traffic rerouted through the peer-link after an uplink fault.]
• Uplink faults do not affect DAD on the M-LAG Master/Backup or the active-active system.
• In an M-LAG-to-Ethernet scenario, if the uplink of the M-LAG master device fails, all traffic passing through the M-LAG master
device is forwarded through the peer-link, as shown in the right figure.
• If the M-LAG connects to a Layer 3 network and the uplink is faulty, the route is unavailable. In this case, you need to configure best-effort path forwarding or configure Monitor-Link (described later) to disable the downlink interface when the uplink fails.
• If the DAD link is on a service network and the faulty uplink is the DAD link, the
M-LAG works properly without being affected. If the peer-link also fails, DAD
cannot be performed and packet loss occurs.
• If a downstream M-LAG member interface fails, the DFS group Master/Backup status does not change. If the faulty M-LAG member interface is in the master state, the backup M-LAG member interface becomes the master. The MAC address entries of the faulty M-LAG member interface point to the peer-link interface.
• The unidirectional isolation mechanism between the peer-link and M-LAG member interfaces is enabled when the M-LAG master member interface fails to
prevent traffic forwarding failure.
• After the faulty M-LAG member interface recovers, the status of the M-LAG member interface remains unchanged, and the M-LAG member interface that
becomes the master remains the master.
• As shown in the figure on the right, if the local M-LAG member interface fails,
multicast traffic is forwarded to the member interface of the other M-LAG device
through the peer-link.
• Assume that a multicast source is at the network side and a multicast group
member is at the access side. If the M-LAG member interface on the M-LAG
master device fails, the master device instructs the remote device to update
multicast entries through M-LAG synchronization packets. M-LAG master and
backup devices no longer load balance traffic depending on whether the last
digit of the multicast group address is an odd or even number, and all multicast
traffic is forwarded by the M-LAG backup device on which the M-LAG member
interface is Up. If the M-LAG member interface on the M-LAG backup device fails,
multicast traffic is forwarded in a similar manner.
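The odd/even load-balancing rule for multicast groups and its collapse when one M-LAG member interface fails (described in the notes above and in the multicast traffic model earlier in this module), as an added Python example (not Huawei code): the functions are constructed, and so are any group addresses other than the ones the slides cite.

```python
import ipaddress


def last_digit(group):
    """Last digit of a multicast group address as the slides use it: the last decimal
    digit of the last octet for IPv4 (225.1.1.1 -> 1), the last hexadecimal digit for
    IPv6 (FF1E::B -> 11, FF1E::A -> 10)."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    last_byte = addr.packed[-1]
    return last_byte % 10 if addr.version == 4 else last_byte & 0xF


def forwarder(group, master_member_up=True, backup_member_up=True):
    """Which device's M-LAG member interface delivers traffic for `group`.

    Normal case: an odd last digit goes to the device holding the master member
    interface, an even one to the device holding the backup member interface. If one
    member interface is Down the split is abandoned (the master tells the peer to update
    its multicast entries) and the device whose interface is Up takes every group.
    Returns None when neither interface is Up.
    """
    if not master_member_up and not backup_member_up:
        return None
    if not master_member_up:
        return "backup"
    if not backup_member_up:
        return "master"
    return "master" if last_digit(group) % 2 == 1 else "backup"


def split(groups, **state):
    """Group a list of addresses by forwarding device, to see the share each device
    carries and how it collapses onto one device during a member-interface failure."""
    out = {"master": [], "backup": []}
    for group in groups:
        out[forwarder(group, **state)].append(group)
    return out


if __name__ == "__main__":
    groups = ["225.1.1.1", "225.1.1.2", "FF1E::1", "FF1E::2", "FF1E::A", "FF1E::B"]
    print(split(groups))                            # half on each device
    print(split(groups, master_member_up=False))    # all on the backup device
```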
[Figure: SW1 (M-LAG master) and SW2 joined by a peer-link; Server A is the receiver. Traffic sent by the multicast source is load-balanced to the Master/Backup in the M-LAG.]
⚫ ... being an odd number cannot be forwarded to the M-LAG master device (SW1 in this example) through the peer-link. Instead, the packets can be forwarded to the M-LAG master device only through an independent Layer 3 link. Similarly, if the backup device in the M-LAG system fails, the multicast packets whose last digit of the multicast address is an even number may also be forwarded to the master device by using the independent Layer 3 link.
⚫ If the M-LAG master device fails:
  ▫ 1. The original master device fails, and the backup device becomes the master device.
  ▫ 2. The Eth-Trunk on the original M-LAG master device goes Down, and the new master device continues to forward traffic.
⚫ If the M-LAG backup device fails:
  ▫ The Master/Backup status of the M-LAG does not change, and the Eth-Trunk on the M-LAG backup device goes Down.
  ▫ The Eth-Trunk link on the M-LAG master device remains Up, and the traffic forwarding status remains unchanged.
[Figure: left, M-LAG master device failure; right, M-LAG backup device failure. Both panels show the DAD link and the peer-link between the two devices.]
• When a faulty M-LAG member device recovers, the peer-link goes Up first, and
the two M-LAG member devices renegotiate their master and backup roles. After
the negotiation succeeds, the M-LAG member interface on the faulty M-LAG
member device goes Up and traffic is load balanced. Both the M-LAG master and
backup devices retain their original roles after recovering from the fault.
• You can run a command to configure logical interfaces on the M-LAG backup
device to enter the Error-Down state if the peer-link fails but the DAD heartbeat
status remains normal.
▫ If the peer-link fails but the DAD heartbeat status is normal when M-LAG is
used for dual-homing access on a VXLAN or IP network, the VLANIF
interface, VBDIF interface, loopback interface, and M-LAG member
interface on the M-LAG backup device enter the Error-Down state.
• After logical interfaces are configured to change to Error-Down state when the
peer-link fails but the DAD heartbeat status is normal in an M-LAG, if a faulty
peer-link interface in the M-LAG recovers, the devices restore VLANIF interfaces,
VBDIF interfaces, and loopback interfaces to Up state 6 seconds after DFS group
pairing succeeds to ensure that ARP entry synchronization on a large number of
VLANIF interfaces is normal. If a delay after which the Layer 3 protocol status of
the interface changes to Up is configured, the delay after which VLANIF
interfaces, VBDIF interfaces, and loopback interfaces go Up is the configured
delay plus 6 seconds.
• When the faulty peer-link recovers, the M-LAG member interface in the Error-
Down state automatically restores to the Up state after 240s by default, and the
other interfaces in the Error-Down state automatically restore to the Up state
immediately.
• When the peer-link recovers, the M-LAG interface in the Error Down state
automatically goes Up after 240 seconds by default, and the other M-LAG
interfaces in the Error Down state immediately go Up.
⚫ If the heartbeat link fails:
  ▫ A dual-active peer-link fault can no longer be identified, so the failsafe mechanism is not triggered.
  ▫ However, an alarm is generated. You need to handle the alarm in a timely manner to prevent service abnormalities if a peer-link fault also occurs.
[Figure: SW1 and SW2 with a faulty DAD link and a working peer-link.]
• After the heartbeat link fault is rectified, a heartbeat fault clear alarm is
generated.
• Device fault rectification: If the fault on the original DFS master device is rectified
but the peer-link fault persists, the following applies:
▫ If the LACP M-LAG system ID is switched to the LACP system ID of the local
device within a certain period, the access device selects only one of the
uplinks as the active link during LACP negotiation. The actual traffic
forwarding is normal.
▫ If the default LACP M-LAG system ID is used, that is, it remains unchanged,
two M-LAG devices use the same system ID to negotiate with the access
device. Therefore, links to both devices can be selected as the active link. In
this scenario, because the peer-link fault persists, M-LAG devices cannot
synchronize information such as the priority and system MAC address of
each other. As a result, two M-LAG master devices exist, and multicast
traffic forwarding may be abnormal. In this case, the HB DFS
master/backup status is negotiated through heartbeat packets carrying
necessary information for DFS group master/backup negotiation (such as
the DFS group priority and system MAC address). Some interfaces (for
details, see the peer-link fault description above) on the HB DFS backup device
are triggered to enter the Error-Down state. The HB DFS master device continues
to work.
Contents
1. Overview of M-LAG
2. M-LAG Fundamentals
4. M-LAG Deployment
◼ M-LAG Multi-Protocol Deployment
Multi-Protocol Deployment - STP Solution 1: Root Bridge Solution
[Figure: physical view and STP logical view of the root bridge solution.]
• Configuration suggestion: When configuring M-LAG based on the root bridge, set
the bridge IDs of the two devices in the M-LAG to the same and set the root
priority to the highest. This ensures that the two devices in the M-LAG are the
STP root bridges.
Multi-Protocol Deployment - STP Solution 2: V-STP Solution
⚫ After the V-STP mode is enabled on the M-LAG Master/Backup devices, the two devices are virtualized into one device using V-STP to calculate port roles and converge quickly once the M-LAG master/backup negotiation succeeds.
⚫ After the V-STP mode is enabled, the M-LAG backup device needs to synchronize the bridge MAC address and instance priority information of the M-LAG master device.
⚫ The M-LAG backup device uses the bridge MAC address and instance priority information synchronized from the M-LAG master device to perform STP calculation and send and receive BPDUs. This ensures that the STP calculation parameters are consistent after the M-LAG master and backup devices are virtualized into one device.
[Figure: physical view (two devices joined by a peer-link, each shown as root bridge) and STP logical view (one root bridge).]
Multi-Protocol Deployment - STP Solution Comparison
⚫ The root bridge mode and V-STP mode can be used to build a loop-free network. In root bridge mode,
M-LAG devices must be manually specified as the same bridge. In V-STP mode, protocol information
between M-LAG devices must be synchronized and displayed as one device for STP negotiation.
Multi-Protocol Deployment - Dual-Active Gateway
• M-LAG and VRRP are usually configured together in Data Center Interconnect
(DCI) scenarios.
Multi-Protocol Deployment - Dynamic Routing Protocols such as OSPF
⚫ M-LAG devices can function as access devices to connect to servers or as egress devices to connect to egress routers (PEs).
An M-LAG can be configured with a static route to the network segment where a server resides or use OSPF to dynamically exchange routing information with the server.
An M-LAG can function as a border leaf node and communicate with PE routers through OSPF to exchange routing information and implement internal and external communication of the data center.
Figure: SW1 and SW2 form an M-LAG; OSPF runs upstream to the PE and downstream to the dual-homed server (LAG).
• The server is dual-homed to the M-LAG and has static routes configured so that
it can communicate with the M-LAG through Layer 3 routes. However, a network
using static routes is difficult to configure and maintain and lacks flexible
and fast deployment capabilities, so it cannot meet the requirements of rapidly
growing services.
• Before configuring OSPF over M-LAG, you need to complete the following tasks:
▫ Deploy Monitor-link: if the uplink interface goes Down, the downlink interface goes Down.
Figure: SW1 and SW2 (peer-link) connect to the L3 network; Monitor-link ties each downlink to its uplink, and the best-effort path is shown.
Contents
1. Overview of M-LAG
2. M-LAG Fundamentals
4. M-LAG Deployment
▫ M-LAG Multi-Protocol Deployment
◼ M-LAG Deployment Scenario
Overview of the M-LAG Deployment Solution
⚫ M-LAG deployment modes are as follows:
▫ Access network type: connecting to a Layer 2 network, connecting to a Layer 3 network, or connecting to a tunnel network
▫ Access device type: switch access, server access, or VAS device access
▫ Access mode: single-homing access or dual-homing access
▫ Deployment mode: single-level M-LAG or multi-level M-LAG
Figure (connecting to a Layer 2 network): SW1 and SW2 (peer-link, DAD) connect to the L2 network, where STP blocking is shown.
M-LAG Access Network Type - Connecting to a Layer 3 Network
⚫ An M-LAG system can access a Layer 3 network. Note the following points:
The M-LAG system functions as the gateway of the access-side device. To function as a logical device, the M-LAG system must be deployed with active-active gateways.
If the ping test is performed between a device in the M-LAG system and a PE, packet loss may occur due to load balancing between the M-LAG system and the PE. (This is normal and does not affect services.)
Figure: SW1 and SW2 (peer-link) connect upstream to a PE.
• You are not advised to configure M-LAG member interfaces as main interfaces.
• Configuration suggestions:
• Note: For distributed VXLAN gateways, BDIF interfaces on the same network
segment must be configured with the same IP address and MAC address to
support VM migration.
M-LAG Access Device Type - Switch Access
⚫ A switch can function as the access device of the M-LAG system. Generally, the switch is not a data source but a Layer 2 transparent transmission device. In this case, note the following:
When a switch is dual-homed to the M-LAG system, only link aggregation can be configured to implement load balancing. The hash calculation result determines the device in the M-LAG system to which the switch sends packets.
If the access switch is not connected to other Layer 2 networks, STP does not need to be configured to prevent loops. The unidirectional isolation mechanism prevents loops between the access
Figure: SW1 and SW2 (peer-link, DAD) connect to the network upstream and to an access switch that serves two servers.
• Note: The Linux operating system is used as an example. The operating system
supports seven bonding modes.
▫ Mode 0 (round robin) and mode 4 (LACP) support load balancing between two network
ports. They are two common dual-network-port active-active access
solutions. Link binding must be configured on the peer switch.
Figure: a server dual-homed to SW1 and SW2 (peer-link, heartbeat line); SW3 and SW4 (peer-link, DAD) form a second M-LAG.
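A check a network operator can run on the server side before enabling the M-LAG member interfaces, added here as an example and not part of the course: it parses the status text the Linux bonding driver exposes under /proc/net/bonding/ and reports whether the mode in use needs link aggregation on the M-LAG side and whether both ports are actually up. The two status samples are constructed.

```python
"""Check of a Linux server's bonding status before dual-homing it to an M-LAG,
based on the note above (added example, not from the course).  It parses the
text the kernel bonding driver exposes in /proc/net/bonding/<bond>; the two
samples below are constructed."""
import re

# Mode names as printed by the bonding driver, keyed to their mode numbers.
BOND_MODES = {
    "load balancing (round-robin)": 0,
    "fault-tolerance (active-backup)": 1,
    "load balancing (xor)": 2,
    "fault-tolerance (broadcast)": 3,
    "IEEE 802.3ad Dynamic link aggregation": 4,
    "transmit load balancing": 5,
    "adaptive load balancing": 6,
}
# Modes that send on both ports at once and so need an aggregation (Eth-Trunk)
# configured on the M-LAG member interfaces, as the note states.
NEEDS_SWITCH_LAG = {0, 4}

SAMPLE_LACP = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer3+4 (1)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP active: on
LACP rate: fast

Slave Interface: eth0
MII Status: up
Speed: 10000 Mbps
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Link Failure Count: 1
"""

SAMPLE_ACTIVE_BACKUP = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: up
"""


def parse_bonding(text: str) -> dict:
    """Return the mode number, the bond's own MII status and each slave's status."""
    mode_match = re.search(r"^Bonding Mode: (.+)$", text, re.M)
    if not mode_match:
        raise ValueError("not a bonding status file")
    mode = BOND_MODES[mode_match.group(1).strip()]
    bond_status, slaves, current = "unknown", {}, None
    for line in text.splitlines():
        if line.startswith("Slave Interface:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("MII Status:"):
            status = line.split(":", 1)[1].strip()
            if current is None:
                bond_status = status          # first MII line belongs to the bond
            else:
                slaves[current] = status
    return {"mode": mode, "bond_mii": bond_status, "slaves": slaves}


def check_mlag_access(text: str) -> list:
    """Findings to resolve before bringing the M-LAG member interfaces up;
    an empty list means the bond looks ready for dual-homing."""
    info = parse_bonding(text)
    findings = []
    if info["mode"] in NEEDS_SWITCH_LAG:
        findings.append("mode %d spreads traffic over both ports: the M-LAG side "
                        "must aggregate the two member links%s"
                        % (info["mode"], " with LACP" if info["mode"] == 4 else ""))
    if len(info["slaves"]) != 2:
        findings.append("dual-homing expects two slaves, found %d" % len(info["slaves"]))
    down = sorted(s for s, st in info["slaves"].items() if st != "up")
    if down:
        findings.append("slave link down, redundancy not effective: " + ", ".join(down))
    return findings


if __name__ == "__main__":
    for name, sample in (("lacp", SAMPLE_LACP), ("active-backup", SAMPLE_ACTIVE_BACKUP)):
        print(name, check_mlag_access(sample) or "ready")
```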
M-LAG Access Mode - Single-Homing to an M-LAG
⚫ If a device cannot be dual-homed to an M-LAG, preferentially connect the device to another device that has been
dual-homed to the M-LAG.
⚫ If a device cannot be connected to another device that has been dual-homed to the M-LAG, you can connect the
device to the M-LAG master device to prevent the device from being isolated upon failure of the peer-link. (If the
peer-link fails, all interfaces except the stack interface, management interface, and peer-link interface on the
backup device enter Error-Down state.) In addition, you are advised to use a VLAN that is not used by M-LAG
member interfaces.
Figure: a single-homed device connected to the M-LAG master device (DAD links shown).
M-LAG Deployment Mode - Multi-Level M-LAG
⚫ Multi-level M-LAG interconnection is mainly used in large-scale data centers to build large Layer 2
networks. It not only simplifies networking, but also increases the number of dual-homing access
servers while ensuring reliability.
⚫ During the configuration of two-level M-LAG and in various fault scenarios, ensure that no loop occurs.
Figure: two-level M-LAG, SW1/SW2 (peer-link) above SW3/SW4 (peer-link).
• In a multi-level M-LAG scenario, you cannot manually configure the root bridge
to prevent STP loops. This is because if the two devices in an M-LAG are
configured as root bridges, other devices cannot run. Therefore, V-STP must be
deployed to synchronize STP status information between M-LAG member devices
in a multi-level M-LAG scenario.
Contents
1. Overview of M-LAG
2. M-LAG Fundamentals
4. M-LAG Deployment
M-LAG Deployment Best Practice
Figure: server dual-homed to the M-LAG pair, which is connected by a peer-link.
B. ARP entry
C. Routing entry
D. ACL entry
2. (Short-answer question) What are the functions of DAD links in an M-LAG? What are the
deployment considerations?
1. AB
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.
Objectives
Contents
3. Solution Features
DC Mission: Shift from a Service Center to a Value Center
DCNs Are Evolving to Multi-DC, Multi-cloud Networks
Figure: business drivers behind the multi-DC, multi-cloud evolution.
▫ Mobility-based acceleration: offline -> online, improving the service efficiency.
▫ Ubiquitous services: personalized services, enhancing user loyalty.
▫ Agile service rollout: quick business monetization, accelerating innovation.
▫ Example scenarios: mobile app, payment by card, multiple quick payment methods, entrusted fee deduction, counter transfer, online shopping, ad placement, supermarket shopping experience, entertainment consumption, user profile, third-party transfer, ETC, ecosystem integration, third-party apps through SDK/API, product recommendation, information push, risk prevention and control, hundreds of millions of monthly active users.
▫ Resulting scale: user scale 10x, usage frequency 10x, data volume 200x, 24/7 services, interconnection scenarios 100x, rollout speed 10x.
▫ Resulting shifts: centralized -> distributed (more complex system architecture), single-DC -> multi-DC (DC scale increased by 100 times), private cloud -> hybrid cloud (virtualization scale increased by 100 times).
DCNs Are Evolving Toward All-Ethernet
As-Is -> To-Be
▫ IT architecture: centralized -> distributed; 100x server scale, interconnection over the Ethernet.
▫ Computing unit: PCIe is replaced by IB or Ethernet; 100x CPU/GPU performance, interconnection over the Ethernet.
▫ Storage media: HDD -> SSD (all-flash), SCSI -> NVMe, 1000x capacity; FC (32G) -> RoCE (400G), interconnection over the Ethernet.
▫ PCIe buses are being removed from computing units, no matter whether
they are CPUs or GPUs. This aims to break through the bus speed
bottleneck. Instead, Ethernet ports are used to directly provide higher
computing power.
▫ From the perspective of storage media, HDDs are upgrading toward all-
flash, improving storage performance 100-fold. Traditional FC, however,
provides only 32G bandwidth, which cannot meet the high throughput
requirements of all-flash. In this context, the Ethernet with up to 400G
bandwidth becomes the de facto standard for the next-generation storage
network.
• Note:
▫ PCIe: PCI Express
▫ IB: InfiniBand, an Input/Output (I/O) technology
▫ HDD: Hard Disk Drive
▫ SSD: Solid State Disk
Challenge 1: AI-Powered DCs Pose Challenges to Networks
▫ Rapid construction of ultra-large DCNs, requiring fast network construction.
▫ Unified management of compute resource pooling platforms, such as VMs and containers, requiring network linkage and rapid login and logout.
▫ Frequent service changes bring a large number of network changes, requiring intelligent network evaluation and verification.
Challenge 2: The Network Changes and O&M Have Exceeded Human Limits
▫ Long service rollout period (Bank A): the single DC construction volume in 2021 is greater than that in 2020. Deployment and rollout of 30 switches: 3+ person-weeks; > 3 days for rolling out a service, cross-DC, N work orders and conferences.
▫ Error-prone configuration change (Bank B): 14,000+ changes in a year. The network is interrupted for 40 minutes because a legacy server port is deleted by mistake.
▫ Slow network recovery: abnormal alarms are generated due to unexpected situations caused by changes. Network-wide emergency recovery is the top priority. Ensure that the network recovery time is less than 30 minutes (network-wide snapshot, network-wide change rollback execution).
Challenge 3: Difficulties Faced by Traditional O&M
▫ Difficult health check: fluctuating securities market, resulting in the daily need to cope with service peaks. It takes three person-hours to perform routine inspection before the market opens every day. This increases difficulties in confidently keeping up with the general market trends.
▫ Difficult fault locating: hundreds of millions of cross-bank transactions per day, requiring 24/7 uninterrupted services. The complicated architecture results in difficult fault locating. It takes 76 minutes on average to locate a fault (survey on loss caused by fault-triggered interruptions).
▫ Difficult network change: enormous increase in Internet traffic, requiring network changes every week. About 70% of network faults are caused by human errors as changes are manually compared and verified.
• Note:
▫ On the traditional Ethernet, the packet loss rate increases exponentially with the number of network nodes.
▫ As the intra-city long-distance (>70 km, DC A to DC B) latency increases, it is more difficult to perform flow control across DCNs on the traditional Ethernet.
▫ The traditional Ethernet lacks effective O&M methods, and the network is too complex to be handled manually.
▫ Overall Architecture
▫ Application Scenarios
Huawei CloudFabric Solution
▫ Full-lifecycle automation: automated network planning, construction, maintenance, and optimization; intent-driven, network as a service (NaaS).
▫ Lossless Ethernet: local and long-distance lossless data transmission; converged computing and storage networks.
▫ Network-wide intelligent O&M: predictive maintenance of devices, ports, optical modules, networks, and services, ensuring interruption-free services.
Figure: hyper-converged, all-Ethernet DCN serving finance, government, and large enterprise customers, with compute (GPU/CPU), service, and storage clusters.
• Based on the development trends and challenges of DCs, Huawei launches the
CloudFabric Hyper-Converged DCN Solution, which can:
▫ Day 2 O&M and monitoring: service experience-based network health evaluation, implementing predictive maintenance; AI-powered network knowledge graph, implementing "1-3-5" intelligent O&M.
Figure: hyper-converged DCN carrying general-purpose computing, storage, and HPC.
▫ Design phase: The factors that affect network design are broken down into
three evaluation dimensions: resource, quality, and reliability. In this way,
the network solution can be generated and recommended in seconds.
Figure: hyper-converged DCN architecture. HPC, AI, general-purpose, and storage resource pools with horizontal resource reuse; intelligent and lossless networks in computing center 1 and computing center 2 linked by DCI (long-haul lossless transmission); iNIC interconnection between the HPC/AI computing zones and the storage zones; infrastructure with liquid cooling/air cooling, power supply, and integrated equipment room/DC O&M on a common hardware platform. Key points:
• Low delay: zero packet loss is the basis for achieving low-latency RDMA; E2E congestion control reduces the overall latency.
• High throughput: chip- and port-level high bandwidth; network-level balanced scheduling.
• Intelligent: unified O&M of three networks all built on the Ethernet; simulation, verification, monitoring, and optimization.
• The intelligent lossless algorithm overcomes the packet loss problem of Ethernet,
which has remained unresolved for 40+ years. This helps to achieve zero packet
loss under 100% throughput, meeting the ultimate network performance
requirements of HPC and high-performance storage services and doubling the
computing power and storage I/O performance at the same cluster scale.
• Note:
▫ "1-3-5" troubleshooting: from passive response (manual fault locating) to proactive O&M (automatic troubleshooting) using AI algorithms plus expert experience, with automatic locating of multi-vendor problems.
▫ Multi-DC, multi-cloud: from distributed and independent O&M to unified O&M from an overall perspective, with multi-cloud, multi-DC analysis, unified multi-DC health evaluation, and visualized service access across clouds.
▫ Application Scenarios
CloudFabric Solution Architecture
⚫ The CloudFabric Solution consists of the application layer, control and analysis layer, and forwarding layer.
Figure: application layer (cloud OS, cloud platform, container platform, public cloud); control and analysis layer; forwarding layer (core, leaf, vSwitch, NGFW/vNGFW, third-party firewall, intelligent and lossless network, fabric gateways) in DC1 to DC n connected over the WAN.
• Application layer:
▫ Cloud OS:
▫ Overall Architecture
◼ Application Scenarios
Hosting Scenarios Overview
⚫ iMaster NCE and network are deployed without the cloud platform and VMM. The network administrator uniformly
manages networks through the GUI provided by iMaster NCE.
Figure: hosting scenario. The network administrator manages the network through iMaster NCE; the computing administrator manages the hosts (hypervisor, VMs, CE1800V vSwitch with its agent and uplink port).
Figure: collaboration scenario with the same roles, plus a DC administrator.
▫ Overall Architecture
▫ Application Scenarios
◼ Core Components and Key Services
Core Component: iMaster NCE-Fabric
⚫ iMaster NCE-Fabric is a core component of Huawei CloudFabric Solution. It implements unified control and dynamic scheduling of network resources and fast deployment of cloud services.
⚫ iMaster NCE-Fabric has the following features:
Automation: Service requirements are translated into logical network models and network configurations, and are automatically delivered to devices in batches, shortening the service rollout period from weeks to minutes.
Reliability: iMaster NCE-Fabric provides highly reliable cluster capabilities. The system processes northbound and southbound services in load balancing mode. In addition, the active and standby clusters can be deployed in different regions to implement remote DR, ensuring high reliability of DC services.
Security: iMaster NCE-Fabric provides security protection at the minimum granularity for DCNs. It also implements security isolation at the minimum granularity through microsegmentation defined in multiple dimensions, such as the IP address, host name, and VM name, preventing the spread and transfer of threats to the maximum extent.
Figure: the application layer (cloud OS, cloud platform, container platform) talks to the control and analysis layer (network controller, SecoManager, HiSec Insight) over RESTful/RPC; the control and analysis layer manages the forwarding layer (spine, leaf, vSwitch, VAS pool with NGFW/vNGFW and third-party FW, intelligent and lossless network) over RESTful, SNMP, NETCONF, OpenFlow, and OVSDB.
▪ The two layers are interconnected via RESTful or RPC. The control
layer receives service instructions from the application layer and
returns status information to the application layer.
Construct dynamic baselines, identify device, queue, and port exceptions, and
proactively predict traffic and optical module faults.
Key Service Overview
⚫ Huawei CloudFabric provides mission-critical services at multiple layers of data centers, efficiently building agile
data centers.
Figure: key services grouped by area (data center network, data center security, data center O&M, multi-DC interconnection): Zero Touch Provisioning, device locking and automatic reconciliation, O&M, flexible orchestration of multiple services, management of multiple network types, configuration rollback, monitoring, troubleshooting, device management, fault locating, intent network, intelligent lossless network, network management, fault recovery, intention simulation, low-latency network, service restoration, network health, fault closure, multicast service, multi-PoD, multi-site, and service chain, delivered across spine, leaf, vSwitch, and VAS pool.
Application scenario
• Zero Touch Provisioning (ZTP) allows newly delivered or unconfigured devices to
automatically load version files, deploy the underlay network, and be managed
by iMaster NCE-Fabric after they are powered on.
Figure: ZTP networking with management cables and service cables to the spine switches and the VMs behind them.
• In a network overlay, all overlay devices are physical devices, and VXLAN
tunnels on the overlay network are encapsulated on physical switches. This
networking has the advantages of high forwarding performance and reliability,
and can connect to multiple servers. Servers do not need to support VXLAN
tunnel encapsulation. Network overlay is applicable to new data centers that
have high requirements on forwarding performance and security, and to scenarios
where SDN networks and traditional networks need to communicate with each other.
• On a hybrid overlay network, overlay devices include physical and virtual network
devices. Overlay VXLAN tunnel encapsulation can be implemented on either the
physical switch or the virtual switch where the host server resides. The hybrid
overlay can not only use the high-performance forwarding of physical network
devices, but also reuse existing physical network devices and extend the overlay
onto physical servers. Therefore, hybrid overlay networking is more flexible and
provides customers with more choices. Hybrid overlay networking is applicable to
scenarios where network capacity is being expanded, hardware costs are sensitive,
network reuse is emphasized, VXLAN and hardware decoupling is required, and SDN
networks and traditional networks need to communicate with each other.
Three-Level Rollback
Network-wide rollback
• Network-wide rollback is used to resolve major faults on the entire network. For example, if network configurations are deleted due to changes, many services are interrupted. In this case, network-wide configurations can be rolled back to those before the changes or interruptions, enabling quick service recovery.
• Before changes, you can back up network-wide configurations on iMaster NCE-Fabric. When a problem occurs due to changes, the configurations can be quickly restored to the backup point, resolving major network faults.
• You can manually save data in real time or periodically on the GUI. You need to proactively back up data.
Tenant snapshot
• The tenant snapshot function is used to back up and restore network service configurations by tenant, and applies to multi-tenant services. Backup and restoration operations performed by a tenant do not affect the provisioning of other tenants' services, including backup and restoration of network service configurations by other tenants.
• The tenant snapshot function allows a tenant to set a backup point and save all its service configurations at the backup point. If needed, service configurations can then be restored to a specific snapshot point. Additionally, iMaster NCE-Fabric can compare the current configurations with the configurations at the snapshot point, or compare the configurations from two given snapshot points, and perform configuration rollback to eliminate differences.
• The tenant snapshot function supports manual backup and restoration as well as automatic and periodic backup.
Service-level rollback
• Service-level rollback helps quickly restore original network configurations to recover services when a network exception occurs due to a fine-grained single-point service provisioning failure.
• You do not need to manually back up data for service-level rollback, but need to manually restore data.
• iMaster NCE-Fabric automatically backs up each service that is provisioned. When an exception occurs, iMaster NCE-Fabric can quickly restore the service to the status before the service is provisioned.
Microsegmentation
• End Point Group (EPG): Endpoints (servers) are grouped based on the IP address,
IP network segment, MAC address, VM name, container, and operating system.
An EPG can contain multiple servers.
• Group-based policy (GBP): policy for traffic control within an EPG and between
EPGs. A GBP can be configured based on EPGs, protocol numbers, and port
numbers, which specifies the policies within an EPG, between EPGs, and between
a known EPG and an unknown EPG.
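A policy check following the EPG and GBP description above, added here as an example and not iMaster NCE-Fabric code: endpoints are classified into EPGs by IP address, network segment, MAC address or VM name, and a GBP rule set is evaluated for intra-EPG, inter-EPG and known-to-unknown traffic. Every endpoint, group and rule below is constructed.

```python
"""Microsegmentation policy check following the EPG/GBP description above
(added example, not iMaster NCE-Fabric code).  Endpoints are grouped into
EPGs by IP address, IP network segment, MAC address or VM name; GBP rules
match an EPG pair, an IP protocol number and a destination port.  Every
endpoint, group and rule below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: str = ""
    vm_name: str = ""


@dataclass
class EPG:
    name: str
    subnets: tuple = ()      # IP network segments
    ips: tuple = ()          # individual IP addresses
    macs: tuple = ()
    vm_names: tuple = ()

    def contains(self, ep: Endpoint) -> bool:
        addr = ipaddress.ip_address(ep.ip)
        return bool(ep.ip in self.ips
                    or any(addr in ipaddress.ip_network(s) for s in self.subnets)
                    or (ep.mac and ep.mac.lower() in [m.lower() for m in self.macs])
                    or (ep.vm_name and ep.vm_name in self.vm_names))


@dataclass(frozen=True)
class GBPRule:
    src_epg: str     # EPG name, "unknown" for endpoints in no EPG, "any" as wildcard
    dst_epg: str
    protocol: int    # IP protocol number, 0 = any
    dst_port: int    # destination port, 0 = any
    action: str      # "permit" or "deny"


def classify(ep: Endpoint, epgs) -> str:
    """First EPG whose membership criteria match; otherwise "unknown"."""
    for g in epgs:
        if g.contains(ep):
            return g.name
    return "unknown"


def evaluate(src, dst, proto, dport, epgs, rules, default="deny") -> str:
    """First matching rule wins.  Intra-EPG traffic is a rule whose source and
    destination EPG are the same group; traffic to or from an endpoint outside
    every EPG matches rules written against "unknown"."""
    s_epg, d_epg = classify(src, epgs), classify(dst, epgs)
    for r in rules:
        if r.src_epg not in (s_epg, "any") or r.dst_epg not in (d_epg, "any"):
            continue
        if r.protocol and r.protocol != proto:
            continue
        if r.dst_port and r.dst_port != dport:
            continue
        return r.action
    return default


# Constructed three-tier application: web servers by subnet, app servers by VM
# name, the database by MAC address.
EPGS = [
    EPG("web", subnets=("10.1.1.0/24",)),
    EPG("app", vm_names=("app-01", "app-02")),
    EPG("db", macs=("00:1a:2b:3c:4d:5e",)),
]
RULES = [
    GBPRule("web", "app", 6, 8080, "permit"),   # web tier may call the app API
    GBPRule("app", "db", 6, 3306, "permit"),    # app tier may reach the database
    GBPRule("web", "web", 0, 0, "deny"),        # no lateral traffic inside the web EPG
    GBPRule("unknown", "any", 0, 0, "deny"),    # unclassified hosts are isolated
]
WEB1 = Endpoint("10.1.1.10")
WEB2 = Endpoint("10.1.1.11")
APP1 = Endpoint("10.1.2.10", vm_name="app-01")
DB1 = Endpoint("10.1.3.10", mac="00:1A:2B:3C:4D:5E")
ROGUE = Endpoint("10.9.9.9")

if __name__ == "__main__":
    for s, d, p, port in ((WEB1, APP1, 6, 8080), (WEB1, DB1, 6, 3306),
                          (WEB1, WEB2, 6, 22), (ROGUE, WEB1, 6, 80)):
        print(classify(s, EPGS), "->", classify(d, EPGS), port,
              evaluate(s, d, p, port, EPGS, RULES))
```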
Service Chain
Figure: iMaster NCE-Fabric O&M functions. Mapping of application, logical, and physical networks (web/app/DB), consistency check, network restoration, status detail and network mapping; status, fault, and change audit visualization; loop fault diagnosis (locating), end port O&M, service provisioning, logical switch, logical router, and logical SF O&M, application path (connectivity and path), events, logs, and statistics; controller installation and deployment, ZTP-based switch installation management, physical topology management, underlay network connectivity detection, physical firewall, software firewall, server, virtual switch, and physical switch management in the physical resource pool (fabric) and logical resource pool (resource visualization), logical network topology, and O&M interconnection.
• iMaster NCE-Fabric centrally manages and controls cloud DCNs and provides
automatic mapping from applications to physical networks, resource pool
deployment, and visualized O&M, helping customers build service-centric
dynamic network service scheduling capabilities.
Multi-DC Service
⚫ With the development of services, more and more applications are deployed in data centers. The resources of a
single data center cannot meet the increasing service requirements. Therefore, multiple data centers are required to
deploy services.
▫ Multi-PoD solution (close distance, DC 1 and DC 2): the computing and network resources of multiple DCs are unified and managed by a cloud platform and a set of iMaster NCE (Fabric).
▫ Multi-site solution (MDC, long distance, DC 1 and DC 2): in the multi-DC scenario, the computing and network resources of each DC are independent resource pools and are managed by the cloud platform and iMaster NCE (Fabric) in their respective DCs.
Contents
• This course describes only the computing scenario in detail. For details about
other scenarios, see the related sections of HCIE-DCN.
Introduction to Computing
Challenges for enterprise IT:
▫ Challenge 1: Service types are becoming more refined, and an increasing number of devices are deployed, resulting in increasingly high configuration and management costs.
▫ Challenge 2: IT resources always seem to be insufficient while the resource utilization is low. The resource utilization is unbalanced, and resources cannot be flexibly scheduled.
Cloud computing provides various advantages such as resource pooling, elastic scaling, and on-demand self-service provisioning, helping enterprises cope with the preceding challenges.
However, some enterprises cannot fully implement cloud-based services at a time.
▫ Non-technical factors: Generally, enterprises have an IT department and a network department but no cloud platform
▫ Technical factors: Service systems are complex and have different
Some enterprises that cannot achieve cloud computing at a time start with automation reconstruction on networks. That is, they associate network resources with compute resources, and then gradually transform their networks toward the scenario where a unified cloud platform will be deployed, which is the Cloud-Network Integration scenario.
Networking Solution
• One network device can be virtualized into multiple logical routers for different
tenants. Multiple tenants can share a network device. For each tenant, a logical
router functions as an independent and real router with independent hardware
and software resources and running space. Services on different logical routers do
not affect each other. In terms of experience, there is no difference between a
logical router and a real router.
• One network device can be virtualized into multiple logical switches for different
tenants. Multiple tenants can share a network device. For each tenant, a logical
switch functions as an independent and real switch with independent software
and hardware resources and running space. Services on different logical switches
do not affect each other. In terms of experience, there is no difference between a
logical switch and a real switch.
Service Model
• Logical port: functions as an access point for VMs to access the network. One physical port on a network device can be virtualized into multiple logical ports for different tenants. For each tenant, a logical port functions as an independent and real port.
• External network: networks outside the tenant's management, such as the Internet or other tenant networks connected through VPNs.
• Firewall: The firewall function is provided by a physical firewall or virtual firewall.
• VM: virtual machine.
Figure: a tenant owns a VPC containing a logical router, an optional firewall, a logical switch, and logical ports, and connects to the external network.
• Tenant: A tenant can apply for independent compute, storage, and network resources, and can be regarded as a service system or department.
• VPC: Each VPC is a security domain and can be regarded as a collection of services that have the same security policy. A VPC is mapped to a VRF.
Figure (service model -> service example): tenant -> department 1, department 2, department 3; VPC -> DMZ, service system 1, service system 2.
Figure: layered service model mapped to the network. L4-L7: firewall providing NAT, firewall, IPsec VPN, and WAF services towards the Internet and external networks. L3: logical router (VRF, Layer 3 gateway). L2: logical switch (bridge domain, Layer 2 gateway). L1: logical ports mapped to sub-interfaces and end ports of VMs, physical servers, and firewalls. The fabric consists of spine and leaf switches.
• The physical network uses the spine-leaf architecture. VMs, switches, and
firewalls access the network through switches at the leaf layer. VMs and physical
machines function as computing nodes. Firewalls function as network nodes and
provide NAT, IPsec VPN, WAF, and firewall (packet filtering) network services in
SFC.
• Common packets of VMs, physical machines, and firewalls are encapsulated into
VXLAN packets and transmitted on a fabric network constructed by switches at
leaf and spine layers. VXLAN Layer 2 gateways encapsulate the common packets
into VXLAN packets at the access layer. VXLAN Layer 2 gateways provide data
transmission services within a subnet and are called internal gateways.
Figure: computing administrator; the connections between servers and TOR switches are discovered through LLDP before service provisioning in the computing scenario.
Service Process
2. iMaster NCE computes and saves the mapping between VLANs and VNIs based on the VNI range allocated by the administrator. These configurations and mappings are stored on iMaster NCE and have not been delivered to switches since VMs have not gone online.
3. iMaster NCE connects to the VMM through the WebService interface and transfers the preceding information. The VMM creates a port group required by the local network on the virtual switch and
Figure: network administrator, iMaster NCE, VMM, computing administrator, and a host (hypervisor, vSwitch with uplink port, host agent, port group configuration, VMs).
VM Online Process
5. iMaster NCE detects the VM online and port group binding information through the WebService interface, and obtains the location where the VM goes online.
6. iMaster NCE delivers network configurations to a switch. After the VM goes online, iMaster NCE automatically delivers the Layer 2 access configurations and Layer 3 gateway configurations of the VM. Then, the VM can access the network properly.
Figure: computing administrator and host (hypervisor, vSwitch with uplink and internal ports, host agent, port group configuration, VMs), with the online steps numbered 1 to 6.
• The VMM synchronizes the port group configurations to the corresponding host
and binds the VM to the port group.
• iMaster NCE detects the VM online and port group binding information through
the WebService interface, and obtains the location where the VM goes online
(including the VM ID and the ID of the host where the VM is located).
VM Offline Process
The VM offline process is also performed automatically, which cannot be detected by the network administrator.
2. The VMM queries the database, finds the host to which a specified VM belongs, brings the VM offline, removes the binding between the VM and the port group, and reclaims compute resources.
3. iMaster NCE detects the VM offline information and unbinding between the VM and port group through the WebService interface, and obtains the location where the VM goes offline.
4. iMaster NCE obtains the connection between the host and TOR switch port through LLDP, queries the database using the port group as the index to obtain the mapping between the local VLAN and VNI, and checks whether any VM still uses the local VLAN on the same port. If no VM uses the local VLAN, iMaster NCE removes the mapping between the local VLAN and VNI through NETCONF.
5. The VMM checks whether any other VM on the host is bound to the current port group. If no VM is bound to the port group, the VMM reclaims the port group configuration.
Figure: network administrator, iMaster NCE, VMM, computing administrator, and the host (hypervisor, vSwitch with uplink and internal ports, host agent, port group configuration, VMs), with the offline steps numbered 1 to 5.
Solution Networking Service Service
Overview Solution Model Process
2. The VMM schedules resources and restarts all VMs of the faulty host on other hosts.
[Figure: VM migration between two hosts, each with a vSwitch, uplink port, host agent, and hypervisor]
• Both the computing administrator and network administrator are unaware of the
automatic migration process. The compute resources are automatically migrated
and network configurations are automatically adjusted based on the
collaboration between the VMM and iMaster NCE.
[Figure: before and after migration: two hosts, each with a vSwitch, uplink port, internal port, host agent, VMs, and hypervisor]
4. iMaster NCE finds TOR switches and corresponding ports before and after the migration through LLDP. It deletes the mapping between VLANs and VNIs on the TOR switches before the migration through NETCONF (VMs with the same port group do not exist on the hosts), and delivers the mapping between VLANs and VNIs on the new TOR switches.
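The VLAN-VNI bookkeeping that the VM online, offline, and migration passages above describe, as an added Python model; this is not iMaster NCE or VMM code, the port groups, hosts, TOR ports, and VM names are constructed for illustration, and the LLDP neighbor table is assumed to be static.

```python
"""Model of the VLAN-to-VNI mapping lifecycle on TOR ports: a mapping is
delivered when the first VM using a local VLAN appears on a TOR port and
withdrawn only when the last such VM leaves. Added example; not iMaster NCE
or VMM code. All hosts, ports, port groups, and VM ids are constructed."""
from collections import defaultdict


class FabricController:
    """Tracks which VM uses which local VLAN on which TOR port and records
    the switch-side add/delete operations (NETCONF in the real system)."""

    def __init__(self, port_groups, lldp_neighbors):
        # port group -> (local VLAN, VNI): computed and saved by the
        # controller before any VM goes online (step 2 of provisioning)
        self.port_groups = dict(port_groups)
        # host -> TOR switch port, as learned through LLDP (assumed static)
        self.lldp_neighbors = dict(lldp_neighbors)
        # (tor_port, vlan) -> set of VM ids still using that VLAN on that port
        self.vlan_users = defaultdict(set)
        # mappings currently delivered to switches: (tor_port, vlan, vni)
        self.delivered = set()
        # vm -> (host, port group), the location reported by the VMM
        self.vm_location = {}
        # ordered record of switch-side operations, for auditing
        self.netconf_log = []

    def vm_online(self, vm, host, port_group):
        """VMM binds the VM to a port group; the controller delivers the
        VLAN-VNI mapping to the TOR port only if it is not already there."""
        vlan, vni = self.port_groups[port_group]
        port = self.lldp_neighbors[host]
        self.vm_location[vm] = (host, port_group)
        self.vlan_users[(port, vlan)].add(vm)
        mapping = (port, vlan, vni)
        if mapping not in self.delivered:
            self.delivered.add(mapping)
            self.netconf_log.append(("add", port, vlan, vni))

    def vm_offline(self, vm):
        """VMM unbinds the VM; the mapping is withdrawn only when no other
        VM still uses the local VLAN on the same TOR port."""
        host, port_group = self.vm_location.pop(vm)
        vlan, vni = self.port_groups[port_group]
        port = self.lldp_neighbors[host]
        self.vlan_users[(port, vlan)].discard(vm)
        if not self.vlan_users[(port, vlan)]:
            self.delivered.discard((port, vlan, vni))
            self.netconf_log.append(("del", port, vlan, vni))

    def vm_migrate(self, vm, new_host):
        """Migration is offline on the old host followed by online on the
        new host with the same port group; LLDP locates the new TOR port."""
        _, port_group = self.vm_location[vm]
        self.vm_offline(vm)
        self.vm_online(vm, new_host, port_group)

    def delivered_on(self, port):
        """Sorted (vlan, vni) pairs currently delivered on one TOR port."""
        return sorted((v, n) for p, v, n in self.delivered if p == port)


def demo():
    """Walk two VMs sharing a port group through online, offline, and
    migration, and return the controller for inspection."""
    ctrl = FabricController(
        port_groups={"pg-web": (101, 5101), "pg-db": (102, 5102)},
        lldp_neighbors={"host-a": "tor1:eth1/1", "host-b": "tor2:eth1/1"},
    )
    ctrl.vm_online("vm1", "host-a", "pg-web")  # first user: mapping delivered
    ctrl.vm_online("vm2", "host-a", "pg-web")  # same VLAN and port: no new delivery
    ctrl.vm_offline("vm1")                     # vm2 still uses VLAN 101: keep it
    ctrl.vm_migrate("vm2", "host-b")           # last user leaves tor1: withdraw,
                                               # then deliver on tor2
    return ctrl


if __name__ == "__main__":
    for op in demo().netconf_log:
        print(op)
```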
Quiz
B. SecoManager
C. iMaster NCE-FabricInsight
D. MDA
1. A
Summary
Thank you. Bring the digital world to every person, every home, and every organization, and build a fully connected, intelligent world.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Objectives
Contents
Typical Networking of the Data Center Network
⚫ The figure shows the typical networking of a data center network.
[Figure: typical DCN topology with core nodes]
• Point of delivery (POD): A data center can be divided into one or more physical
partitions to facilitate resource pooling and management. Each physical partition
is called a POD. A POD is the basic deployment unit of a DC. Each DC can be
deployed with multiple PODs, and a physical device can belong to only one POD.
A POD can be a standardized equipment room module or can be defined based on actual service requirements.
▫ In a large data center, PODs can be defined based on the entire equipment
room module.
▫ A medium-sized data center can define a POD in the unit of two or more
rows of cabinets.
[Figure: DC 1 with an external network and a DCI network; border leaf, DCI leaf, spine, server leaf, and service leaf nodes on a VXLAN fabric; servers, a firewall, and an LB]
⚫ A DCN is an infrastructure for carrying DC services.
⚫ Multiple DCNs can connect to branches of enterprises or organizations in different areas. In addition, DCNs can connect to the Internet or local area networks (LANs).
⚫ The spine-leaf architecture is recommended for the underlay network.
• Data Center Interconnect (DCI): Two data center networks are interconnected to implement service interworking and service migration across data centers.
Physical Network Roles
Spine: A backbone node, which is the core node of the VXLAN fabric network, provides the high-speed IP forwarding function, and connects to functional leaf nodes through high-speed interfaces.
Service Leaf: Leaf node, which provides Layer 4 to Layer 7 value-added services, such as firewall and load balancing, to access the VXLAN fabric network.
Server Leaf: Leaf node, which provides computing resources, such as virtualized and non-virtualized servers, to access the VXLAN fabric network.
Border Leaf: Leaf node, which connects external traffic of the data center to the VXLAN fabric network of the data center and connects to external routers or transmission equipment.
DCI Leaf: Leaf node, which provides cross-DC service interworking and migration functions.
• DCI leaf nodes are also called DCI gateways or fabric gateways.
Network Layer Bottom-up Design
[Figure: overlay network (VXLAN, BGP EVPN, RR), underlay network (OSPF), and management network (management switches), each with border leaf, spine, service leaf, FW, server leaf, and server; external network]
Overlay: A logical network established using the VXLAN protocol on the underlay network. Network resources are pooled through iMaster NCE. When creating a logical network in a VPC, you can invoke the network resources in the resource pool. A VPC usually represents a department or a service.
Underlay: A physical topology established by physical network devices, such as switches and routers. It provides interconnection capabilities for all services in a data center and is the basic bearer network for service data forwarding in the data center.
Management network: Manages all physical devices on the service network. There are two types of management: in-
• Management network:
[Figure: DCN design framework]
• Network architecture design: networking architecture design, data planning
• Underlay network design: routing design, access design, egress design, high availability design
• Overlay network design: routing design, service orchestration design, traffic forwarding
• Network security design: intra-DC security design, inter-DC security design, firewall deployment, security services
• Network management and O&M design: O&M mode selection, controller deployment, analyzer
• Note: This course uses this solution design as an example to describe the DCN
design process. The design and deployment parameters and device quantity
involved in this course are examples. You can design a DCN based on actual
service requirements.
Contents
▫ Generally, two border leaf nodes are deployed. They are configured as a
DFS group to synchronize entries, forming active-active gateways. Multiple
groups of border leaf nodes can be deployed to meet network expansion
requirements. The number of border leaf nodes can be horizontally
expanded to four (two border leaf node groups) based on bandwidth or
reliability requirements.
▫ In the upstream direction, border leaf nodes are connected to PEs or core
nodes of a DC in square looped or dual-homed Layer 3 networking. In the
downstream direction, border leaf nodes are fully meshed to spine nodes.
[Figure: combination of border leaf and service leaf nodes, connected to PEs and DC 2]
• In a converged network, two roles are combined at minimum; three or even four roles can also be combined on one device. The investment depends on the deployment scale and cost.
• Three-role integration: convergence of border leaf, service leaf, and spine nodes.
• Four-role integration: convergence of border leaf, service leaf, spine, and server leaf nodes.
[Table: comparison of the two architectures in the figure]
• Scalability: Border leaf nodes, spine nodes, and VAS devices can be expanded independently (first architecture); border leaf nodes are scalable, but VAS resource scalability is poor (second architecture).
• Initial investment: Relatively high (first architecture); relatively low (second architecture).
• Zone description:
▫ Firewalls are connected to the border of each zone in bypass mode for isolation.
• Note:
[Figure: WAN access zone and campus access zone with anti-DDoS, firewalls, and IPS; production and non-production extranet cores; intranet core; controllers; production and non-production intranet and extranet fabrics; O&M management zone; node cluster; VTEPs]
• Switch positioning:
▫ The resource pool zone uses an architecture where border leaf and service
leaf nodes are combined.
▫ Extranet core switches are connected to the Internet access zone, extranet
access zones, extranet resource pool zone, and DC core switches to control
the advertisement of intranet routes.
• Firewall positioning:
▫ Firewalls are deployed at the border of the resource pool zone and are
connected to the border leaf nodes in bypass mode to perform access
control on all traffic entering and leaving the zone. The cloud platform
drives the SDN controller to automatically deliver the traffic diversion policy
of the border firewalls of the resource pool zone.
▫ Firewalls in the Internet access zone and extranet access zone meet the
two-layer heterogeneous deployment requirements and perform access
control on all traffic entering and leaving the access zones.
VLAN Planning
⚫ The following VLANs need to be planned for the underlay network: interconnection VLANs between some devices, VLANs reserved for Layer 3 main interfaces, and default reserved VLANs of the system.
⚫ The following VLANs need to be planned for the overlay network: access VLANs (VLANs for VMs and external networks to access the tenant network) of the tenant network and interconnection VLANs between gateways and VAS devices.
VLAN planning example for the underlay network:
[Figure: spine nodes and VTEP leaf nodes connected by interconnection VLANs; server, VAS device, and egress PE connected through access VLANs]
• Device interconnection VLANs: VLAN planning 2 to 30. Planning suggestion: plan interconnection VLANs in advance based on the actual service design.
• Reserved VLANs for Layer 3 main interfaces: VLAN planning 4000 to 4062. Planning suggestions: on a leaf node, plan 16 VLANs, for example, VLANs 4047 to 4062; on a spine node, plan 63 VLANs, for example, VLANs 4000 to 4062; the reserved VLANs can be dynamically adjusted as required.
• Default reserved VLANs: VLAN planning 4064 to 4094. Planning suggestion: you are advised to retain the default value. The reserved VLAN range can be changed on a CE switch using the CLI so that the default reserved VLAN range does not overlap with the planned or existing ones.
▫ Reserved VLANs for Layer 3 main interfaces: For some CE series switches
equipped with FD-X series cards, configure a reserved VLAN dedicated for
Layer 3 main interfaces before switching the interface mode to Layer 3.
▫ Default reserved VLANs: These VLANs are used as a channel of the internal
control plane of a switch or a channel for transmitting user service data of
some features.
IP Address Planning
⚫ The IP addresses of the DCN are classified into service, management, and interconnection IP addresses.
▫ Variable-length subnet masks are used for IP address allocation. Some IP addresses need to be reserved based on the number of hosts on each network segment. This ensures that IP addresses can be summarized and prevents the waste of IP addresses.
VNI allocation example: If the active DC equipment room is the first enabled cloud network equipment room module, the
possible VNI in the fabric is 1011001.
Contents
Multi-PoD OSPF
[Figure: super spine nodes connected to the spine nodes of PoD1 and PoD2; OSPF 1, Area 0]
• Solution design:
▫ Deploy the entire DC underlay network in the same OSPF process.
▫ Deploy the interconnection areas between PoDs and between spine and super spine nodes in Area 0.
▫ Deploy the interconnection area between spine and leaf nodes in a PoD in a non-backbone OSPF area.
▫ When planning the connections between spine nodes and super spine
nodes, ensure that all nodes in OSPF Area 0 are reachable.
[Figure: three egress architectures, each with PEs, spine nodes, a fabric, server leaf nodes, and servers: (1) separate border leaf and service leaf nodes; (2) a combination of border leaf and service leaf nodes; (3) a combination of border leaf and service leaf nodes with a firewall between the PEs and the fabric]
Architecture 1:
• This is a standard architecture and features high scalability. Multiple service leaf node groups are supported to connect to more VAS devices.
• This mode is recommended if load balancing needs to be performed among multiple border leaf nodes on the same egress network.
Architecture 2:
• This mode has low physical costs but poor scalability. It is a typical deployment mode for small- and medium-sized DCs.
• A physical device plays multiple roles, consuming more resources.
Architecture 3:
• External traffic must pass through the firewall, which applies to scenarios with high security requirements.
• The scalability of the firewall is poor. The DCN must keep stable for a certain period of time.
▫ Select the hardware device model and card type of the service leaf or border leaf node based on the firewall access bandwidth (10G or 40G).
[Figure: core switch, border leaf nodes, and firewall]
The firewall is connected to the BL node in bypass mode and logically connected between VRF1 and VRF2.
⚫ Route design: OSPF runs between the border leaf switch and the core switch, and service VRFs are used to isolate VPC routes.
[Figure: connecting LBs to service leaf nodes in bypass mode (left) and connecting LBs to border leaf nodes in bypass mode (right); PE, firewall, LB, border leaf, service leaf, spine, fabric]
⚫ LBs can be connected to border leaf nodes or service leaf nodes in bypass mode based on their deployment locations on the network.
⚫ It is recommended that LBs be deployed in the same manner as firewalls.
▫ Based on the interface bandwidth of the LB, select the hardware device
model and card type of the service leaf or border leaf node.
▫ The floating IP addresses and service VIPs of LBs and the server IP addresses can be in the same subnet or in different subnets. You are advised to deploy them in the same subnet. In this case, you do not need to configure a static route destined for a service VIP on a switch.
▫ The client sends a request to the load balancing device at the front end of
the server cluster. The virtual service on the load balancing device receives
the request, selects a real server based on the scheduling algorithm,
translates the destination address of the request packet to the address of
the selected real server, and sends the request to the real server.
▫ The real server sends a response packet to the load balancing device, which
changes the source IP address in the response packet to the VIP, and then
forwards the response packet to the user.
[Figure: server access modes: active-active with a peer-link, active/standby with a peer-link, and active/standby]
• Consider the following factors when selecting models of and designing server leaf
nodes:
▫ Select an access mode. Servers often use M-LAG, stacking, and standalone
modes. M-LAG active-active deployment is recommended because it can
ensure service continuity during the upgrade of access switches.
▫ Select server leaf nodes (hardware devices) based on the server access
bandwidth (10GE/25GE access) and the ratio of server leaf nodes' uplink
bandwidth to spine nodes' downlink bandwidth.
▫ Determine the number of server leaf nodes based on the number of servers.
[Figure: two leaf switches (service and management switch, storage switch) connecting Server1 and Server2]
• Design scheme:
▫ Servers in adjacent cabinets share two groups of leaf switches, which are
connected to the service and management NICs and storage NICs of the
servers.
▫ The two leaf switches connect to the spine switches in the uplink.
▫ Server SAN storage servers are deployed in storage node cabinets. The
traffic between Server SAN nodes is heavy. It is recommended that storage
nodes be connected to independent storage switches.
• Server NIC planes are divided into the management plane (carrying management
traffic), service plane (carrying service traffic), and storage plane (carrying
storage traffic).
[Figure: PE interconnection options for border leaf nodes, including VRRP on the PEs]
▫ The interconnection topology between border leaf nodes and PEs can be
square-shaped (two PEs have at least two physical ports) or dual-homed
(two PEs have at least four physical ports), depending on the number of
ports provided by the PEs. The dual-homed topology is recommended.
▫ PEs can be connected to border leaf nodes through one, two, or four Layer
3 interfaces. It is recommended that PEs be connected to border leaf nodes
through four Layer 3 interfaces.
▫ Border leaf nodes and PEs can interwork through dynamic or static routes.
It is recommended that external routes be summarized and default routes
be advertised within the DC.
• Note: If four Layer 3 interfaces are used, a border leaf node group provides four
Layer 3 interfaces (physical or logical interfaces) to connect to PEs.
Independent PE deployment
⚫ Physical networking design: Four interconnection links form a dual-homed topology. Four independent Layer 3 interfaces need to be configured on the two PEs. If there are multiple cards, it is recommended that links be deployed across cards.
[Figure: two independently deployed PEs dual-homed to two border leaf nodes, with a bypass link between the border leaf nodes]
• Solution description:
▫ When border leaf nodes and spine nodes are deployed independently and
there are only a few interconnection interfaces between them, a Monitor
Link group needs to be deployed to associate the interfaces connecting
border leaf nodes to spine nodes with the interfaces connecting the border
leaf nodes to firewalls/LBs and PEs, preventing service interruption caused
by multi-link faults.
▫ Deploy a dynamic routing protocol for the bypass link. The two border leaf
nodes then can advertise egress routing information to each other for
egress link protection.
Independent PE deployment
⚫ Physical networking design: A square-looped topology is formed. If there are multiple cards, it is recommended that links be deployed across cards. A Layer 3 bypass link must be deployed. The M-LAG peer-link has at least two member links across cards to ensure reliability and bandwidth, and the member link cannot be configured as the bypass link.
• Application scenario: Two PEs are independently deployed and provide two Layer 3 interfaces to connect to active-active border leaf nodes.
[Figure: two PEs, two border leaf nodes with a Layer 3 interface on each, and a bypass link]
• Solution description:
▫ When border leaf nodes and spine nodes are deployed independently and
there are only a few interconnection interfaces between them, a Monitor
Link group needs to be deployed to associate the interfaces connecting
border leaf nodes to spine nodes with the interfaces connecting the border
leaf nodes to firewalls/LBs and PEs, preventing service interruption caused
by multi-link faults.
▫ Deploy a dynamic routing protocol for the bypass link. The two border leaf
nodes then can advertise egress routing information to each other for
egress link protection. Fast Reroute (FRR) can be configured to improve the
fault convergence performance.
[Figure: VRRP on two PEs connected to M-LAG border leaf nodes]
• Solution description:
▫ Deploy Virtual Router Redundancy Protocol (VRRP) on the two PEs, and
configure the same virtual IP address for them.
▫ Deploy the border leaf nodes as an M-LAG to connect to PEs and configure
the same IP address for the border leaf nodes.
▫ Configure static routes between PEs and border leaf nodes to implement
connectivity. The next hop of the static route configured on the border leaf
node is the VRRP address of the PEs.
▫ Fast switchover: Associate static routes with NQA to detect the peer PE
status, accelerating route convergence.
▫ When border leaf nodes and spine nodes are deployed independently and
there are only a few interconnection interfaces between them, a Monitor
Link group needs to be deployed to associate the interfaces connecting
border leaf nodes to spine nodes with the interfaces connecting the border
leaf nodes to firewalls/LBs and PEs, preventing service interruption caused
by multi-link faults.
HA Design Overview
⚫ As the core of the customer's IT infrastructure, the DC stores various data, runs a variety of services, and provides services to external networks. DC faults cause great losses every year. Therefore, stable and reliable running of DCs is critical.
⚫ High availability (HA) design can be divided into three levels:
Controller:
• The controller and forwarder are loosely coupled. If the controller is faulty, delivered services are not affected.
• The controller cluster supports protection against node faults.
• The controller supports active and standby clusters and provides protection against cluster faults.
Device layer:
• The control, monitoring, and management planes are independent of each other, ensuring system reliability and service continuity.
• Main control boards, monitoring boards, switch fabric units, power modules, and fan modules adopt a redundancy design, and components are hot swappable, eliminating single points of failure (SPOFs).
Spine HA Design
[Figure: spine nodes fully meshed with Leaf1 to Leaf6]
⚫ Link redundancy: Spine nodes are fully meshed with all leaf nodes to form a full-mesh architecture.
⚫ Network redundancy: In the spine-leaf networking architecture, multiple spine nodes are deployed to construct an IP ECMP load balancing network, implementing network-level reliability.
▫ When the link of a spine node fails, leaf nodes quickly switch traffic to a
normal link through ECMP routes on the underlay network.
▫ If a spine node fails, leaf nodes quickly switch traffic to other spine nodes
through ECMP routes on the underlay network.
⚫ Link redundancy: It is recommended that border leaf nodes be connected to different core switches and spine nodes, or to the same core switch and spine node through multiple links across cards. At least two links are deployed between border leaf nodes as an Eth-Trunk (used as a peer-link). It is recommended that the links be deployed across cards.
[Figure: core switch (OSPF 100), border leaf nodes, and a bypass link]
⚫ Device redundancy: Active-active device groups are deployed on border leaf nodes to implement device-level reliability.
⚫ Network redundancy: It is recommended that border leaf nodes be dual-homed to core switches and be fully meshed with spine nodes to build an IP ECMP network, eliminating Layer 3 loops.
▫ Deploy a Monitor Link group. If all uplinks fail, the associated downlink
goes Down, preventing traffic interruptions.
Firewall HA Design
▫ Link fault: If any link between the active firewall and a service leaf node
fails, the M-LAG member interface goes Down, and the dual-homing
networking changes to single-homing networking, without affecting traffic
forwarding on the active firewall.
[Figure: firewall HA fault scenarios with active and standby firewalls attached to leaf nodes. Normal; Fault scenario 1: the standby NIC or standby link is faulty; Fault scenario 2: the active NIC or active link is faulty; Fault scenario 3: the uplink of a leaf node is faulty]
Contents
[Figure: distributed gateway vs. centralized gateway: spine, server leaf, service leaf, and border leaf nodes with VTEPs; physical servers, virtual servers, firewall, load balancer, and egress PE]
[Figure: VTEPs on spine and leaf nodes, with vSwitches and VMs below the leaf nodes]
▫ Run the undo policy vpn-target command on RRs to disable VPN target-
based filtering for VPN routes or label blocks.
▫ Configure a delay for the interface connecting the border leaf node to the
PE to go Up to optimize the traffic switchback performance.
• One network device can be virtualized into multiple logical routers for different
tenants. Multiple tenants can share a network device. For each tenant, a logical
router functions as an independent and real router with independent hardware
and software resources and running space. Services on different logical routers do
not affect each other. In terms of experience, there is no difference between a
logical router and a real router.
• One network device can be virtualized into multiple logical switches for different
tenants. Multiple tenants can share a network device. For each tenant, a logical
switch functions as an independent and real switch with independent software
and hardware resources and running space. Services on different logical switches
do not affect each other. In terms of experience, there is no difference between a
logical switch and a real switch.
[Figure: tenant model: a VPC with a logical router, logical switch, logical ports, an optional firewall, and an external network]
• Logical port: functions as an access point for VMs to access the network. One physical port on a network device can be virtualized into multiple logical ports for different tenants. For each tenant, a logical port functions as an independent and real port.
• External network: networks outside the tenant's management, such as the Internet or other tenant networks connected through VPNs.
• Firewall: The firewall function is provided by a physical firewall or virtual firewall.
• VM: virtual machine.
[Figure: logical network layers mapped to the fabric: L4-L7 (NAT/firewall/IPsec VPN/WAF) facing the external network and Internet; L3 logical router (VRF, Layer 3 gateway); L2 logical switch (bridge domain, Layer 2 gateway); L1 logical ports (sub-interfaces, end ports) connecting VMs, physical servers, and firewalls; spine and leaf nodes]
• A logical network provides the following services based on the fabric network:
▫ Logical port: Logical ports are located at the bottom of a logical network
and provide access to the VXLAN network from VMs, physical machines,
NAT devices, IPsec VPNs, firewalls, and WAFs.
▫ Logical switch: Logical switches are located at the second layer of a logical
network and provide the network switching service between logical ports.
▫ Logical router: Logical routers are located at the third layer of a logical
network and provide the network route service between logical ports.
▫ NAT devices, IPsec VPNs, firewalls, and WAFs: They are located at Layers 4 to 7 of a logical network and provide advanced services.
[Figure: logical network orchestration: external networks, VAS, logical routers, logical VAS, and logical switches 1 and 2, mapped through a network map to the physical network under centralized management and control]
⚫ Huawei iMaster NCE (Fabric) uses a logical model to define networks and divide multiple independent logical networks based on the physical network to virtualize network functions.
⚫ Implementation principle: A physical network is divided into multiple logical networks by configuring VRF/BD features. On the Agile Controller-Campus, logical networks are created based on the logical network model that network engineers can understand and are automatically mapped to network features such as VRF and BD on the physical network. In this way, the Agile Controller-Campus centrally manages and controls the switches on the physical network.
Solution Advantages
• The drag-and-drop configuration is intuitive and visible. Each operation step is guided by configuration, and the operation interface is user-friendly.
Application Scenario
• This mode is applicable to users who are not familiar with configuration operations or manual configuration scenarios with a small service scale.
• Create a single service VPC. In the VPC view, drag different logical units to
complete network deployment.
Intra-VPC Communication
⚫ East-west traffic in a VPC is classified into intra-subnet Layer 2 traffic and inter-subnet Layer 3 traffic.
Inter-VPC Communication
⚫ A VPC dynamically divides a physical network into logical network resource domains, including logical networks and logical VASs. Access between VPCs can be implemented through firewalls at two sides, a firewall at one side, or no firewall based on security access control requirements, which can be flexibly orchestrated on the SDN controller.
[Figure: physical model: tenant VPC 1 (server network segment 10.1.1.0/24, VRF1 on a server leaf node) and tenant VPC 2 (server network segment 10.1.2.0/24, VRF2 on a server leaf node); a combined border leaf and service leaf node with VRF1 and VRF2; firewall 1 with vSYS1 and vSYS2; static routes between the VRFs and the firewall]
• When traffic passes through the same firewall group at two sides and border leaf and service leaf nodes are combined:
1. In VRF1 on the border leaf node, configure a static route to 10.1.2.0/24 with the next hop being the IP address of the firewall, import the static route to BGP VPN-Instance VRF1, and advertise the route to EVPN.
2. In VRF2 on the border leaf node, configure a static route to 10.1.1.0/24 with the next hop being the IP address of the firewall, import the static route to BGP VPN-Instance VRF2, and advertise the route to EVPN.
3. The border leaf node sends static routes destined for 10.1.2.0/24 and 10.1.1.0/24 to the server leaf nodes through BGP EVPN. Each server leaf node selects a route based on the VPN RT value. The RT value varies depending on the VPN.
4. The server leaf node sends the host routes destined for 10.1.1.1 and 10.1.2.1 to the border leaf node through BGP EVPN. The border leaf node selects a route based on the VPN RT value. The RT value varies depending on the VPN.
[Figure: tenant VPC 1 (server network segment 10.1.1.0/24) with VRF1 and BD1 on the server leaf node]
• When traffic passes through firewalls at two sides and the firewalls are
connected to border leaf nodes (combined with server leaf nodes) or service leaf
nodes in bypass mode:
▫ Deliver a static route destined for the external network with the next hop
being the firewall interconnection IP address to the tenant VRF (VRF1) on
the border leaf node. Import the static route to the tenant VRF and
advertise the route to the server leaf node through BGP EVPN.
▫ On the border leaf node, create an external gateway egress VRF (Ext_VRF),
and configure a static route pointing to the network segment of a VM or
server with the next hop being the firewall interconnection address. If the
border leaf and service leaf nodes are deployed independently, the static
route needs to be imported to the egress VRF and advertised to the border
leaf node through BGP EVPN.
▫ Static routes or BGP routes can be used between the external gateway
egress VRF on the border leaf node and the PE.
▫ In the egress vSYS on the firewall, configure a static route pointing to the
tenant vSYS on the firewall and a static route pointing to the egress VRF on
the border leaf node. In the tenant vSYS on the firewall, configure a static
route pointing to the egress vSYS on the firewall and a static route pointing
to the tenant VRF on the border leaf node.
▫ Configure static routes between the tenant VRF and egress VRF on the
border leaf node (service leaf node).
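The route selection by VPN RT value described above, as an added example that is not part of the course material: a small Python model in which each VRF on the border leaf and on the server leaf keeps only the BGP EVPN routes whose route target it imports, so the two tenants never see each other's routes and inter-VPC traffic is steered to the firewall vSYS of the sending tenant. The RT values, the firewall vSYS interconnect addresses and the VTEP address are constructed assumptions; the prefixes are the ones in the figure.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class EvpnRoute:
    """One BGP EVPN IP prefix route as seen by a receiving leaf node."""
    prefix: str                 # "10.1.2.0/24" or a /32 host route
    next_hop: str               # firewall interconnect address or remote VTEP
    export_rts: FrozenSet[str]  # route targets attached by the advertising VRF
    origin: str                 # label of the advertising VRF (for the reader)


@dataclass
class Vrf:
    """A VPN instance on a leaf node: it keeps only routes whose RT it imports."""
    name: str
    import_rts: FrozenSet[str]
    rib: Dict[str, EvpnRoute] = field(default_factory=dict)

    def import_route(self, route: EvpnRoute) -> bool:
        # RT matching is the whole selection rule: any shared RT is enough,
        # and a route with no matching RT is silently dropped by this VRF.
        if not (route.export_rts & self.import_rts):
            return False
        self.rib[route.prefix] = route
        return True


def receive_evpn_routes(vrfs: List[Vrf], routes: List[EvpnRoute]) -> Dict[str, List[str]]:
    """Offer every advertised route to every local VRF; report what each kept."""
    imported: Dict[str, List[str]] = {v.name: [] for v in vrfs}
    for route in routes:
        for vrf in vrfs:
            if vrf.import_route(route):
                imported[vrf.name].append(route.prefix)
    return imported


def lookup(vrf: Vrf, dst: str) -> Optional[EvpnRoute]:
    """Longest-prefix match over the routes this VRF imported."""
    addr = ip_address(dst)
    best: Optional[EvpnRoute] = None
    for route in vrf.rib.values():
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


# Constructed scenario mirroring the two-tenant figure (values are assumptions).
RT_VPC1, RT_VPC2 = "100:1", "100:2"      # one RT per VPC
FW_VSYS1 = "192.168.255.1"               # vSYS1 interconnect address (constructed)
FW_VSYS2 = "192.168.255.5"               # vSYS2 interconnect address (constructed)
SERVER_LEAF_VTEP = "10.255.0.3"          # server leaf VTEP (constructed)


def build_scenario():
    border = [Vrf("VRF1", frozenset({RT_VPC1})), Vrf("VRF2", frozenset({RT_VPC2}))]
    server = [Vrf("VRF1", frozenset({RT_VPC1})), Vrf("VRF2", frozenset({RT_VPC2}))]

    # Steps 1-3: static routes on the border leaf, each pointing at the firewall
    # and exported with the RT of the VRF that owns it.
    from_border = [
        EvpnRoute("10.1.2.0/24", FW_VSYS1, frozenset({RT_VPC1}), "border leaf VRF1"),
        EvpnRoute("10.1.1.0/24", FW_VSYS2, frozenset({RT_VPC2}), "border leaf VRF2"),
    ]
    # Step 4: host routes learned on the server leaf, exported the same way.
    from_server = [
        EvpnRoute("10.1.1.1/32", SERVER_LEAF_VTEP, frozenset({RT_VPC1}), "server leaf VRF1"),
        EvpnRoute("10.1.2.1/32", SERVER_LEAF_VTEP, frozenset({RT_VPC2}), "server leaf VRF2"),
    ]
    server_kept = receive_evpn_routes(server, from_border)
    border_kept = receive_evpn_routes(border, from_server)
    return server, border, server_kept, border_kept


def trace_inter_vpc_flow(src_vrf_name: str, dst: str) -> Optional[str]:
    """Next hop the server leaf uses for a packet leaving src VRF towards dst."""
    server, _, _, _ = build_scenario()
    vrf = next(v for v in server if v.name == src_vrf_name)
    route = lookup(vrf, dst)
    return None if route is None else route.next_hop


if __name__ == "__main__":
    server, border, server_kept, border_kept = build_scenario()
    print("server leaf imported:", server_kept)
    print("border leaf imported:", border_kept)
    # 10.1.1.1 (VPC 1) -> 10.1.2.1 (VPC 2) leaves VRF1 towards vSYS1 on the firewall.
    print("VPC1 -> 10.1.2.1 via", trace_inter_vpc_flow("VRF1", "10.1.2.1"))
    # Return traffic leaves VRF2 towards vSYS2; a VRF never sees the other tenant's routes.
    print("VPC2 -> 10.1.1.1 via", trace_inter_vpc_flow("VRF2", "10.1.1.1"))
    print("VPC1 -> 10.9.9.9 via", trace_inter_vpc_flow("VRF1", "10.9.9.9"))  # None
```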
CloudFabric Security Architecture
⚫ Security at the network layer of a DC is classified as follows:
DC border security
Intra-DC security: intra-VPC and inter-VPC security
Inter-DC security: intra-VPC and inter-VPC security
Figure: Internet/WAN at the top; DC border security (Anti-DDoS, firewall, SVN, vulnerability scanning); intra-DC network security (flow probes and firewalls) across the office zone, server zone, management zone and DMZ; cloud platform, SecoManager, WAF, database audit and CIS; virtualization security.
• Virtualization security:
▫ Security groups of the cloud platform are used to protect VMs. The cloud
platform adds VMs that require security control to different security groups
using orchestration and defines security policies between security groups for
access control.
• Intra-DC security:
▫ Office zone:
▫ Server zone:
▪ CIS flow probes can be deployed to collect traffic in the server zone
for in-depth threat detection, preventing intranet threats from being
spread.
Intra-DC Security Deployment
Security Deployment Between DCs and External Networks
When a VPC in a data center accesses an external network, traffic is diverted to a VAS device, such as the firewall and IPS, for SNAT or secure access control. Then, the VPC in the data center accesses the external network.
Figure: core (PE) above the border leaf and service leaf nodes, spine and server leaf nodes below, a firewall (FW) attached to the leaf nodes, and a peer-link between the leaf pair.
Inter-DC Security Deployment
Multi-PoD scenario: In the multi-PoD scenario, the controller cluster manages multiple fabrics, and a unified VXLAN domain exists between fabrics. If the centralized egress is used, the situation is the same as that in the single-DC scenario. If the active and standby egresses are used, a group of firewalls in active/standby mirroring mode must be deployed in each of the two fabrics. The controller cluster delivers the security policy to the two groups of firewalls. Firewalls in different DCs do not synchronize sessions.
Multi-site scenario: In the multi-site scenario, two controller clusters independently manage their DCs. Each DC has its own VXLAN domain and the two DCs implement Layer 2 or Layer 3 communication through segment VXLAN. During Layer 3 communication, traffic can be orchestrated to pass through firewalls in one DC or in both DCs, allowing security policies to be deployed flexibly.
Figure: multi-PoD scenario with one SecoManager (active/standby) and one iMaster NCE-Fabric cluster (active/standby) managing both fabrics; multi-site scenario with a SecoManager and an iMaster NCE-Fabric cluster per DC.
Figure: two border leaf nodes (cluster/stack with link aggregation) with two firewalls attached and the service packet path.
⚫ As shown in the figure, firewalls are connected to border leaf nodes in bypass mode. Two firewalls are configured with the hot standby function and interconnected through heartbeat hot standby links.
⚫ If the active firewall is faulty, the standby firewall takes over services from the active firewall and forwards service packets.
Security Zone Design
⚫ A security zone, also known as a zone, is a collection of networks connected through one or more interfaces, where
users have the same security attributes. There are three typical types of security zones: Trust, DMZ, and Untrust.
The Trust zone is a security zone with a high security level. It is typically used to define the zone where intranet users are
located.
The DMZ is a security zone with a medium security level. It is typically used to define the zone where the servers that need to
provide services for external networks are located.
The Untrust zone is a security zone with a low security level. It is typically used to define insecure networks such as the Internet.
Figure: security zone planning, with the Untrust zone facing the Internet and WAN.
• Most security policies are implemented based on security zones. Each security
zone identifies a network, and a firewall connects networks. Firewalls use security
zones to divide networks and mark the routes of packets. When packets travel
between security zones, security check is triggered and corresponding security
policies are enforced. Security zones are isolated by default.
Security Policy Design
⚫ After security zones are created on the firewall, these security zones are isolated from each other by default. To
enable communication between security zones (for example, the campus intranet accesses the Internet), you need
to configure Layer 3 connectivity and security policies on the firewall.
Figure: recommended security policy design for common zones, tabulated by access source, trustworthiness, access zone and recommended security policies; security policy 2, for Internet access, applies intrusion detection, antivirus and URL filtering.
• As shown in the figure, after security policies are configured, virtual networks
(VNs) on the intranet of the DC can communicate with each other, and the
external networks can access servers in the DMZ. In addition, different security
protection policies can be applied to traffic in different security zones.
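Added example (not from the course): a Python model of zone-based policy evaluation in which traffic between zones is denied unless an ordered rule permits it, plus a small review pass that flags permissive inbound rules. The rules, networks and profile names are constructed assumptions in the spirit of the recommended design above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

ZONES = ("Trust", "DMZ", "Untrust")   # the three typical zones on the slide


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_nets: Tuple[str, ...] = ()      # destination prefixes; () means any
    dst_ports: Tuple[int, ...] = ()     # destination ports; () means any
    action: str = "permit"              # "permit" or "deny"
    profiles: Tuple[str, ...] = ()      # content security applied on permit


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    if rule.dst_nets:
        addr = ip_address(flow.dst_ip)
        return any(addr in ip_network(net) for net in rule.dst_nets)
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, Tuple[str, ...]]:
    """Return (action, matched rule name, content-security profiles).

    Rules are ordered and the first match wins. When nothing matches, the
    zones stay isolated, which is the default the slide describes.
    """
    for rule in rules:
        if rule_matches(rule, flow):
            return (rule.action, rule.name, rule.profiles if rule.action == "permit" else ())
    return ("deny", "default (zones isolated)", ())


def review(rules: Iterable[Rule]) -> List[str]:
    """Defender-side sanity checks on a rule set; returns readable findings."""
    findings: List[str] = []
    for r in rules:
        if r.action != "permit" or r.src_zone != "Untrust":
            continue
        if not r.dst_nets:
            findings.append(f"{r.name}: permits Untrust to {r.dst_zone} for any destination")
        if not r.profiles:
            findings.append(f"{r.name}: inbound from Untrust without content security")
        if r.dst_zone == "Trust":
            findings.append(f"{r.name}: direct Untrust to Trust access bypasses the DMZ")
    return findings


# Constructed rule set (assumed values) in the spirit of the recommended design:
# intranet users reach the Internet with content security, the Internet reaches
# only the published DMZ service, and the DMZ reaches one database in Trust.
RULES = [
    Rule("intranet-to-internet", "Trust", "Untrust",
         profiles=("intrusion-detection", "antivirus", "url-filtering")),
    Rule("internet-to-dmz-web", "Untrust", "DMZ", dst_nets=("10.20.0.0/24",),
         dst_ports=(443,), profiles=("intrusion-detection",)),
    Rule("dmz-to-trust-db", "DMZ", "Trust", dst_nets=("10.1.1.10/32",), dst_ports=(3306,)),
]


if __name__ == "__main__":
    for flow in (Flow("Trust", "Untrust", "198.51.100.7", 443),
                 Flow("Untrust", "DMZ", "10.20.0.5", 443),
                 Flow("Untrust", "DMZ", "10.20.0.5", 22),
                 Flow("Untrust", "Trust", "10.1.1.10", 3306)):
        print(flow, "->", evaluate(RULES, flow))
    print("review findings:", review(RULES + [Rule("any-inbound", "Untrust", "Trust")]))
```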
Security Service Selection
⚫ Huawei security service architecture:
⚫ SecoManager: orchestrates services for Huawei VASs, manages Huawei VAS devices, and delivers network configurations to them.
⚫ Huawei VAS devices: Huawei firewalls provide service functions such as security policy, Elastic IP (EIP), SNAT, IPsec VPN, and content security detection.
Figure: Huawei security service architecture, with SecoManager above the Huawei VAS devices, which provide content security detection and virtual systems.
• Service manager mode: iMaster NCE-Fabric manages fabrics and orchestrates the
Layer 2 or Layer 3 interconnection network between Huawei VASs and a fabric.
The third-party management platform orchestrates and delivers L4-L7 policies of
third-party VASs.
• Service policy mode: iMaster NCE-Fabric manages fabrics and VASs, and
orchestrates and delivers L2-L7 policies of third-party VASs.
• Network policy mode: iMaster NCE-Fabric does not manage third-party VAS
devices. It is responsible for orchestrating the unidirectional interconnection
network and traffic diversion from a fabric to third-party VAS devices.
• Note:
▫ iMaster NCE-Fabric uses SNMP to read device and link information and
uses RESTful to deliver service commands to these devices.
In-band Management/Out-of-band Management
In-band management: No independent management switch and network are configured. iMaster NCE-Fabric directly connects to the service network through a service switch, and manages and controls network devices through the underlay layer of the service network.
Out-of-band management: iMaster NCE-Fabric connects to the out-of-band management network interfaces on network devices through an independently deployed out-of-band management switch, and manages and controls the network devices through an independent out-of-band network.
Figure: in-band management (controller cluster attached through the service switches, with spine, VAS and servers) and out-of-band management (an out-of-band management switch with an out-of-band management connection to each device).
Network O&M Mode Selection
⚫ You can select different network management modes based on DCN O&M requirements.
Network configuration management: NETCONF
Network monitoring and management (performance management, network monitoring, fault management): NETCONF, NetStream, sFlow, telemetry, syslog, LLDP, mirroring
• The Set function of SNMP supports network configuration management, and its
Trap function supports network monitoring management.
Network O&M Mode: NETCONF
network devices. With this mechanism, users can add, modify, delete, back up, restore, lock, and unlock network device configurations. In addition, NETCONF provides transaction and session operation functions to obtain network device configuration and status information.
⚫ NETCONF has three objects:
NETCONF client
NETCONF server
NETCONF message
Figure: the management platform/SDN controller acts as the NETCONF client and exchanges NETCONF messages with the network devices (Device 1, Device 2, Device 3), which act as NETCONF servers.
Network O&M Mode: Telemetry
⚫ Advantages of telemetry:
Supports multiple implementation modes, meeting diversified user requirements.
Collects a wide variety of data with high precision to fully reflect network status.
Continuously reports data with only one-time data subscription.
Locates faults rapidly and accurately.
Figure: a typical management mode, in which the network device uploads telemetry data to the collector within subseconds and the controller delivers configuration through NETCONF.
▫ The analyzer analyzes the monitoring data received by the collector and
processes the data, for example, displays the data on the GUI.
Figure: management leaf, service leaf and storage leaf nodes connecting the cloud service node, control node, controller cluster, VMs, PMs and storage over VXLAN, in the two networking modes below.
• The management leaf nodes managed by the controller are connected to the controller and cloud platform nodes. The management core and service core switches are combined. The management plane and service plane do not need to be isolated. This networking mode is applicable to a single-region single-core network or multi-region single-core network.
• The management leaf nodes not managed by the controller are connected to the controller and cloud platform nodes and are deployed on an independent management network. The management core and service core switches are deployed independently. The management plane and service plane are physically isolated. This mode is applicable to a single-region dual-core network or multi-region dual-core network.
▫ Ensures the entire cluster runs normally even if a cluster node fails,
improving reliability.
Figure: two-site deployment (primary site with the active product, secondary site with the standby product, heartbeat link between them) and three-site deployment (primary site, secondary site, and a third-party site providing arbitration).
• Application scenario (two sites): Equipment rooms are located at two sites, and the status of the active and standby sites is manually monitored. If a site-level fault occurs, there is no strict requirement on the fault recovery time. In this case, manual O&M is required.
• Application scenario (three sites): Equipment rooms are located at three sites, and the status of the active and standby sites needs to be monitored in real time. If a site-level fault occurs, an active/standby switchover needs to be quickly implemented to restore services. The arbitration service is provided by iMaster NCE-Fabric.
• If the active DC is faulty, the standby DC and standby controller cluster become
active and continue to provide services, improving DC DR reliability.
iMaster NCE-FabricInsight Deployment Design: Single-Node System and Standard Cluster
⚫ In single-node system deployment (in-band management) of iMaster NCE-FabricInsight, the collector and analyzer are combined. Only one server needs to be connected to the leaf node.
⚫ In standard cluster deployment (in-band management) of iMaster NCE-FabricInsight, the analyzer and collector are combined. That is, no independent collector server needs to be deployed.
Figure: single-node system (one iMaster NCE-FabricInsight server acting as analyzer and collector, attached to a leaf node under the spine) and standard cluster (an iMaster NCE-FabricInsight cluster of analyzer-and-collector nodes 1-3).
iMaster NCE-FabricInsight Deployment Design: Advanced Cluster
⚫ In advanced cluster deployment of iMaster NCE-FabricInsight, the collector and analyzer are deployed separately. It is recommended that iMaster NCE-FabricInsight be connected to an independent leaf node, preventing link congestion caused by increased traffic pressure on service links.
Figure: in-band management scenario (iMaster NCE-FabricInsight cluster with a collector and Analyzer-1 to Analyzer-3) and out-of-band management scenario (Fabric-1 to Fabric-n, each with its own collector, and Analyzer-1 to Analyzer-3).
CloudFabric Software Deployment Mode Selection
Component | Mandatory | Deployment Mode | Description
iMaster NCE-Fabric | Yes | Single-node system deployment | The controller is deployed on one node.
iMaster NCE-Fabric | Yes | Cluster deployment | The controller cluster consists of N nodes. The controller can be installed on PMs or VMs.
iMaster NCE-FabricInsight | No | Single-node system deployment | In single-node system deployment, the collector and analyzer are combined. Only one server needs to be connected to the leaf node. A maximum of 100 CloudEngine devices can be managed.
iMaster NCE-FabricInsight | No | Standard cluster deployment | In standard cluster deployment, the analyzer and collector are combined. That is, no independent collector server needs to be deployed.
iMaster NCE-FabricInsight | No | Advanced cluster deployment | In advanced cluster deployment, the collector and analyzer are deployed separately. It is recommended that iMaster NCE-FabricInsight be connected to an independent leaf node, preventing link congestion caused by increased traffic pressure on service links.
SecoManager | No | Independent deployment | SecoManager is deployed on a server or VM as independent software.
SecoManager | No | Combined with iMaster NCE-Fabric | SecoManager and iMaster NCE-Fabric are deployed on the same physical server or VM.
Quiz
1. (True or false) On a CloudFabric data center network with more than 200 switches, OSPF
is recommended on the underlay network. ( )
A. True
B. False
1. B
2. ABCD
Summary
⚫ This course describes the planning and design of the CloudFabric DCN,
including the network architecture design, underlay and overlay network
design, network security design, network management and O&M design.
⚫ On completion of this course, you will understand the typical methods of
designing a DCN and be able to plan and design a DCN.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Contents
2. Pre-configuration
3. Service Provisioning
4. Easy Deployment
Architecture of the Computing Scenario
• The architecture and deployment process of the rack leasing scenario are similar
to those of the computing linkage scenario. This chapter uses the computing
scenario as an example to describe the architecture and deployment process of
the solution.
Deployment Process in the Computing Scenario
Figure: Started -> Underlay network configuration -> iMaster NCE preconfiguration -> Interconnecting with iMaster NCE -> SecoManager preconfiguration -> SecoManager interconnection -> Service provisioning -> Ending
2. Pre-configuration
◼ Underlay Network Pre-configuration
3. Service Provisioning
4. Easy Deployment
Underlay Network Pre-configuration
⚫ An underlay network is the basic network for constructing a virtual extensible local area network (VXLAN) service
network, which is an overlay network.
⚫ The underlay network can be configured in ZTP or manual mode.
• Server leaf nodes support Multichassis Link Aggregation Group (M-LAG) and
standalone networking, which are applicable to different server access scenarios.
M-LAG networking is recommended because high reliability is achieved when
servers are dual-homed to the M-LAG. In addition, each M-LAG device has its
own control plane, simplifying upgrade and maintenance.
ZTP Manual Configuration
Figure: in-band networking (root device with M-LAG pairs) and out-of-band networking (out-of-band management switch with M-LAG pairs).
In-band networking: Management traffic and subsequent service traffic of devices to be brought online by iMaster NCE-Fabric are transmitted on the same network. The management network and service network share service network interfaces, and no independent management network is available.
Out-of-band networking: iMaster NCE-Fabric uses an independent management network to manage management traffic of each device to be brought online. ZTP out-of-band networking is recommended, which is used as an example in this course.
▫ iMaster NCE-Fabric: used to execute ZTP tasks and manage the devices to
be brought online.
▫ Root device: a device that has been managed by iMaster NCE-Fabric and
connects to the devices to be brought online. The root device functions as
the DHCP relay agent of the devices to be brought online and applies for a
temporary IP address from the DHCP server for these devices. The root
device is involved in in-band networking and needs to be manually
managed.
▫ Spine and leaf nodes: CE switches that need to be brought online through
ZTP. Currently, spine and server leaf nodes can be brought online through
ZTP. To bring a border leaf node online through ZTP, bring the border leaf
node online as a server leaf node and configure an external gateway for the
border leaf node on iMaster NCE-Fabric.
Figure: the three ZTP stages.
1. Obtain the IP address, intermediate file server address, and intermediate file name through DHCP (the DNS server, if deployed, resolves the domain name; a syslog server is also shown).
2. Obtain the intermediate file in .ini or Python format, which contains the version file address and version file name (the intermediate file server provides the intermediate file).
3. Obtain version files (.cc, .cfg), including the system software, configuration file, and patch file, and load the version files (the version file server, which can be built in, provides the version files).
• If the intermediate file is in .ini format, the device downloads the version files
based on the version file server address and version file names contained in the
intermediate file. If the intermediate file is a Python script, the device
automatically runs the script to download the version files.
• The intermediate file server or version file server can be a standard SFTP server
or the SFTP service built in iMaster NCE-Fabric.
• The DNS server is optional. If domain name resolution is not required, the DNS
server does not need to be deployed.
ZTP Manual Configuration
Figure: ZTP start-up flow.
Start -> Is there a configuration file? Yes: the device starts with its configuration file. No -> Is ZTP deployment terminated? Yes: the process ends, and the device starts with empty configuration. No -> Is a USB flash drive inserted? Yes -> Can the file information be obtained? Yes: obtain the intermediate file from the USB flash drive and parse it, then obtain version files from the USB flash drive. No (no USB flash drive inserted, or the file information cannot be obtained): obtain the temporary IP address and intermediate file server address through DHCP, then obtain the intermediate file from the file server.
• The process of using the controller to bring devices online through ZTP is slightly
different from this process and will be described later.
▫ After the device is powered on, if the device has a configuration file, the
device properly starts with the configuration file; if the device has no
configuration file, the ZTP process starts.
▫ If you have logged in to the device without a configuration file through the
console port, you can choose whether to terminate the ZTP process as
prompted. If you choose to terminate the ZTP process, the device starts
with empty configuration.
• Obtaining the intermediate file and version files from the USB flash drive:
▫ After the ZTP process starts, the unconfigured device first tries to obtain the
intermediate file from the USB flash drive. If the device obtains the
intermediate file, it parses the file and obtains information about the
version files to be downloaded. After downloading the version files, the
device restarts to complete automatic deployment. The device enters stage
3 if any of the following conditions occur: no USB flash drive is installed; the
USB flash drive does not contain a required intermediate file; the device
fails to obtain the version files.
ZTP Manual Configuration
• Application scenario: The Controller has been physically connected to the device (Huawei CE switch), the device license of the device has been imported to the Controller, and the root device has been manually managed.
• Process:
1. The network administrator clicks to start the ZTP task.
2. The iMaster NCE-Fabric advertises DHCP packets.
3. The device to go online obtains the temporary IP address and southbound IP address of the iMaster NCE-Fabric from the DHCP packet sent by the iMaster NCE-Fabric.
4. The device to go online uses the built-in certificate to initiate authentication to the iMaster NCE-Fabric.
5. After the authentication succeeds, the iMaster NCE-Fabric determines the device role (Spine/Leaf) based on the device model.
6. The iMaster NCE-Fabric delivers configurations such as the management IP address, SNMP, and NETCONF to devices to go online. After the devices to go online are restarted, the iMaster NCE-Fabric implements formal management using the management IP address.
7. The controller delivers interconnection configurations, OSPF configurations, and BGP configurations to newly online devices through LLDP links.
8. Devices on the entire network go online successfully and all links are established. The network topology is displayed on the iMaster NCE-Fabric.
Figure: network manager, iMaster NCE-Fabric, and spine and leaf nodes (VXLAN overlay over the underlay), with steps 1 to 7 marked.
ZTP Manual Configuration
Scenario: ZTP applies to the scenario where the customer has no network plan. Manual configuration applies to the scenario where the customer has a network plan.
ZTP Manual Configuration
Figure: manual configuration items: management interface configuration, basic IP address configuration, interface LLDP configuration, security hardening, Eth-Trunk configuration, underlay route, overlay route, external network interconnection, security policy, virtual system.
• This section describes the scenario where the border leaf and service leaf nodes
are combined.
ZTP Manual Configuration
Management interface
• Configure an ACL to match the controller IP address and run the ssh server acl
acl-number command to perform SSH security hardening.
ZTP Manual Configuration
Interconnection interface
• Plan a 30-bit network segment for interconnection interfaces.
Loopback0
• Configure the same VTEP address for the two spine nodes and the same VTEP address for the server leaf nodes configured in an M-LAG.
Loopback1
• Configure an independent router ID for each device.
Figure (example): two spine nodes and leaf nodes 1 to 4; Loopback0 (L0) addresses in 11.0.X.X, Loopback1 (L1) addresses in 11.0.0.X, interconnection links such as 10.0.0.0/30.
• In this example, the spine, border leaf, and service leaf nodes are combined.
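Added example (not the course's own material): a Python checker for the planning rules above, namely a /30 per interconnection link, one VTEP shared by each M-LAG pair and by the two spine nodes on Loopback0, and a unique router ID per device on Loopback1. The node names and addresses are constructed; the checker also flags an M-LAG peering declared on only one member.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    role: str                      # "spine" or "leaf"
    loopback0: str                 # VTEP address (shared inside an M-LAG pair)
    loopback1: str                 # router ID (unique per device)
    mlag_peer: Optional[str] = None


@dataclass(frozen=True)
class Link:
    a: str
    a_addr: str                    # "10.0.0.1/30" style interface address
    b: str
    b_addr: str


def vtep_groups(nodes: List[Node]) -> List[List[Node]]:
    """Nodes that must share one VTEP: each M-LAG pair, and the two spine nodes."""
    groups: Dict[frozenset, List[Node]] = {}
    for n in nodes:
        if n.role == "spine":
            key = frozenset({"__spines__"})
        else:
            key = frozenset({n.name, n.mlag_peer} if n.mlag_peer else {n.name})
        groups.setdefault(key, []).append(n)
    return list(groups.values())


def validate_plan(nodes: List[Node], links: List[Link]) -> List[str]:
    errors: List[str] = []
    by_name = {n.name: n for n in nodes}

    # Router IDs (Loopback1) must be unique across the fabric.
    rid_owner: Dict[str, str] = {}
    for n in nodes:
        if n.loopback1 in rid_owner:
            errors.append(f"router ID {n.loopback1} reused by {rid_owner[n.loopback1]} and {n.name}")
        rid_owner.setdefault(n.loopback1, n.name)

    # An M-LAG peering must be declared on both members.
    for n in nodes:
        if n.mlag_peer and by_name.get(n.mlag_peer, Node("", "", "", "")).mlag_peer != n.name:
            errors.append(f"{n.name} names {n.mlag_peer} as M-LAG peer but not vice versa")

    # VTEPs (Loopback0): identical inside a group, distinct between groups.
    vtep_owner: Dict[str, List[Node]] = {}
    for group in vtep_groups(nodes):
        vteps = {n.loopback0 for n in group}
        if len(vteps) != 1:
            errors.append(f"{[n.name for n in group]} must share one VTEP, got {sorted(vteps)}")
        for v in vteps:
            if v in vtep_owner and vtep_owner[v] is not group:
                errors.append(f"VTEP {v} reused by {vtep_owner[v][0].name} and {group[0].name}")
            vtep_owner.setdefault(v, group)

    # Interconnection links: /30 on both ends, same subnet, two different hosts.
    for l in links:
        ia, ib = ip_interface(l.a_addr), ip_interface(l.b_addr)
        if ia.network.prefixlen != 30 or ib.network.prefixlen != 30:
            errors.append(f"{l.a}-{l.b}: interconnection links must be /30")
        elif ia.network != ib.network:
            errors.append(f"{l.a}-{l.b}: {l.a_addr} and {l.b_addr} are not in one /30")
        elif ia.ip == ib.ip:
            errors.append(f"{l.a}-{l.b}: both ends use {ia.ip}")
    return errors


def good_plan():
    """Constructed plan that follows the slide's rules (all addresses assumed)."""
    nodes = [
        Node("spine1", "spine", "11.0.1.1", "11.0.0.1"),
        Node("spine2", "spine", "11.0.1.1", "11.0.0.2"),
        Node("leaf1", "leaf", "11.0.2.1", "11.0.0.3", "leaf2"),
        Node("leaf2", "leaf", "11.0.2.1", "11.0.0.4", "leaf1"),
        Node("leaf3", "leaf", "11.0.2.2", "11.0.0.5", "leaf4"),
        Node("leaf4", "leaf", "11.0.2.2", "11.0.0.6", "leaf3"),
    ]
    links = [
        Link("spine1", "10.0.0.1/30", "leaf1", "10.0.0.2/30"),
        Link("spine1", "10.0.0.5/30", "leaf2", "10.0.0.6/30"),
        Link("spine2", "10.0.0.9/30", "leaf1", "10.0.0.10/30"),
        Link("spine2", "10.0.0.13/30", "leaf2", "10.0.0.14/30"),
    ]
    return nodes, links


def bad_plan():
    """Same plan with three planning mistakes injected for the checker to find."""
    nodes, links = good_plan()
    # leaf4 gets its own VTEP instead of the pair's, and copies leaf3's router ID.
    nodes = nodes[:5] + [Node("leaf4", "leaf", "11.0.2.9", "11.0.0.5", "leaf3")]
    # A link whose two ends fall into different /30 subnets.
    links = links + [Link("spine1", "10.0.0.17/30", "leaf3", "10.0.0.21/30")]
    return nodes, links


if __name__ == "__main__":
    print("good plan:", validate_plan(*good_plan()) or "no errors")
    for err in validate_plan(*bad_plan()):
        print("bad plan:", err)
```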
ZTP Manual Configuration
Figure: spine and leaf nodes in OSPF area 0.
#
ospf 1 router-id 11.3.3.3
 stub-router on-startup 600 include-stub
 area 0
  network 10.1.1.1 0.0.0.0
...
#
interface 10GE1/0/20
 undo portswitch
 ip address 10.1.1.54 255.255.255.252
 ospf network-type p2p
ZTP Manual Configuration
BGP EVPN
• Use the IP address of Loopback1 as the source address to establish a BGP EVPN peer relationship. Spine nodes function as RRs, and leaf nodes function as RR clients.
• Configure the IP address of Loopback0 as the VTEP address, and configure the same source MAC address for NVE interfaces on the active-active gateways.
Figure: border leaf & spine nodes acting as RRs, server leaf nodes acting as VTEPs, with BGP EVPN peer relationships between them.
ZTP Manual Configuration
Eth-Trunk M-LAG:
• Configure Eth-Trunk interfaces as the peer-link interfaces and set the spanning tree mode to V-STP.
• Configure an M-LAG and establish links between the border leaf nodes and firewalls and between the border leaf nodes and external routers.
Figure: border leaf & spine nodes joined by a peer-link, with Layer 3 links to the firewalls and external routers.
Active-active gateways
• Deploy active-active gateways between server leaf nodes, configure a DFS group, and enable the active-active function.
M-LAG
• Configure an M-LAG based on the server access mode, such as access in LACP mode, active/standby mode, or single-homing mode.
Figure: spine and server leaf nodes, with servers accessing through a bond in LACP mode, in active/standby mode, and in single-homing mode.
• An M-LAG does not need to be configured on server leaf nodes when servers
access in active/standby or single-homing mode. You can configure an Eth-Trunk
with a single member interface on the access device or not configure
aggregation.
ZTP Manual Configuration
Firewall
⚫ Perform the following pre-configurations on firewalls.
1. Interface IP address: Configure an IP address for hot standby heartbeat interfaces and the management interface.
2. Eth-Trunk: Configure Eth-Trunks for connecting to border leaf nodes and allow packets from the corresponding service VLANs to pass through.
3. Security domain and security policy: Add the hot standby heartbeat interfaces to the DMZ, Eth-Trunk and Virtual-if0 to the Untrust zone, and management interface to the Trust zone. Set the action in the security policy to permit by default.
4. Hot standby: Configure hot standby, enable the quick session backup function, configure a firewall to restart with the basic hot standby configuration and synchronize normal service configurations from the other normal firewall, and enable certain functions of the standby firewall.
ZTP Manual Configuration
2. NETCONF: Switch: Configure SSH, enable the NETCONF function, and enable the SNETCONF service. Firewall: Configure an API user, enable the NETCONF interface service, and configure the NETCONF port number.
3. LLDP: You need to enable LLDP globally on CE switches and firewalls so that the controller can discover links using LLDP.
Contents
2. Pre-configuration
▫ Underlay Network Pre-configuration
◼ iMaster NCE-Fabric Pre-configuration
3. Service Provisioning
4. Easy Deployment
Importing a License to iMaster NCE-Fabric
⚫ Obtain the license file of iMaster NCE-Fabric and import it to iMaster NCE-Fabric.
Pre-configured Server: To add the server and the links between the server and devices to iMaster NCE (Fabric), you need to configure the link discovery protocol on the server and check whether the host name is duplicate.
Device management: Configure a global policy for device management on iMaster NCE (Fabric) (for example, synchronizing device online data, saving device configurations periodically, and verifying device SSH fingerprints). Then, iMaster NCE-Fabric discovers and manages network devices based on SNMP and NETCONF. After the management is complete, you need to create a device group to manage all-active devices and collect device alarms so that iMaster NCE-Fabric can successfully manage the target devices and device groups.
Link management: iMaster NCE-Fabric can learn the topology structure between devices and obtain the network connectivity status based on the link status and link details. iMaster NCE-Fabric supports automatic discovery, manual creation, and batch import. Automatic discovery is based on the fact that the devices at both ends of a link support the link automatic discovery protocol, such as LLDP. To manually create or import a file in batches, you need to enter the port information of the devices at both ends.
Managing Third-Party VAS Devices: (Optional) When CheckPoint, Palo Alto, Fortinet, and F5 load balancing are used, you can use iMaster NCE-Fabric to manage the devices in the computing interworking scenario. In this way, when VAS services are provisioned, iMaster NCE-Fabric can automatically deliver configurations such as service routes to the interconnection ports between the NCE and switches.
• After the license file is loaded, you need to perform the following pre-
configurations to prepare for service provisioning.
iMaster NCE-Fabric Pre-configuration (2)
Task Name: Task Description
Creating a fabric: After device management and link discovery are successful, you need to create a fabric resource pool on iMaster NCE-Fabric and specify the egress gateway and DCI gateway (multi-DC scenario) to prepare for service provisioning. This scenario supports the creation of distributed network overlay (recommended) and centralized network overlay fabrics.
Configuring the best-effort link for the active-active CE device group: If the border leaf node functions as the active-active CE switch, configure the best-effort link to improve the reliability of the egress network.
Setting the role of the firewall link: For the service interconnection link between the firewall and switch, you can set the role to internal, external, or internal and external links (recommended).
Resource pool management:
Creating third-party L4-L7 resource pools: If third-party VAS devices are used, create third-party L4-L7 resource pools on iMaster NCE (Fabric).
Associating fabrics with L4-L7 resource pools: Associate the created fabric with L4-L7 resource pools so that L4-L7 services can be associated with L2-L3 services when services are provisioned. If you need to associate Huawei L4-L7 resource pools, perform this operation only after the resource pools are created on the SecoManager.
Configuring interconnection resources: When cross-VPC interconnection services pass through the firewall, you need to specify the value range of the interconnection VLAN and IP address between the switch and the firewall. iMaster NCE-Fabric automatically selects the VLAN and IP address from the range to deliver configurations. When a best-effort link is configured, iMaster NCE-Fabric automatically selects the interconnection IP addresses of the two ends of the best-effort link and delivers the IP addresses to devices.
Configuring global resources: During service provisioning, iMaster NCE-Fabric uses a series of variable parameters (such as the BD, global VNI, global VLAN, public IP address, and interworking IP address). Therefore, you need to set these parameters globally in advance so that iMaster NCE-Fabric can invoke the parameters.
iMaster NCE-Fabric Pre-configuration (3)
iMaster NCE-Fabric Interconnection Commissioning
⚫ After iMaster NCE-Fabric is preconfigured, you need to interconnect with the VMM on the computing virtualization platform to deliver computing services and network services.
Interconnecting with FusionCompute: To enable iMaster NCE-Fabric to detect VM login, logout, and migration through FusionCompute and implement automatic network service deployment, you need to configure interconnection between iMaster NCE-Fabric and FusionCompute.
Configuring FabricInsight: (Optional) If iMaster NCE-Fabric and iMaster NCE-FabricInsight need to implement data association for intelligent fault handling, you need to interconnect them with each other.
Interconnecting with Northbound Services: (Optional) iMaster NCE-Fabric can interconnect with multiple systems through northbound interfaces to implement the following functions:
• iMaster NCE-Fabric interconnects with eSight through the northbound SNMP protocol. After the interconnection is complete, eSight can synchronize internal alarms of iMaster NCE-Fabric.
• iMaster NCE-Fabric interconnects with the Syslog server to transfer iMaster NCE-Fabric logs to the Syslog server for centralized storage.
Interconnecting with Southbound Services: (Optional) Interconnect with the LDAP server and RADIUS server.
• To enable users on the LDAP server or AD server to log in to iMaster NCE-Fabric, you need to configure interconnection between iMaster NCE-Fabric and these servers.
• To enable users in the user group on the RADIUS server to authenticate logins to iMaster NCE-Fabric, you need to configure interconnection between iMaster NCE-Fabric and the RADIUS server.
Contents
2. Pre-configuration
3. Service Provisioning
◼ Deploying Layer 2 and Layer 3 Basic Services
4. Easy Deployment
Service Provisioning Overview
⚫ Service provisioning refers to allocating appropriate network and computing resources to carry service
applications. A data center administrator needs to allocate certain resources to tenants based on the
service plan. Then the tenant administrator can configure and deploy network and computing services
based on the resources.
⚫ Service provisioning involves two steps: L2-L3 basic service invoking and other advanced services.
Layer 2 and Layer 3 basic services: Constructs the VPC basic network and associates with the VMM to connect
VMs to the network.
Other advanced services: Invokes various advanced services, such as VPC interworking, value-added services, and
service chain, based on service requirements.
[Figure: service provisioning on iMaster NCE-Fabric: pre-configuration of the underlay network is the prerequisite for the
L2-L3 basic services, which are followed by the advanced services.]
Overview of L2-L3 Basic Services
⚫ Basic L2-L3 services refer to the basic networks created by the tenant administrator in the VPC,
including logical routers and switches. Logical ports and user ports can be created in the following
scenarios:
Computing association: VMs are connected to the network through VMM mapping, and logical ports and user
ports are automatically generated.
Rack leasing: Manually create logical ports and user ports and specify the actual parameters for connecting
servers to server leaf nodes.
• Configuration roadmap:
▫ Create a logical router in the VPC of the tenant and create a subnet list.
▫ Create a logical switch in the tenant's VPC and associate it with a logical
router and subnet.
▪ In the rack leasing scenario, create a logical port and a user port and
set parameters respectively.
Creating a Tenant and VPC
[Figure: the data center administrator creates a tenant and allocates resources, then creates a VPC and authorizes the
related resource pools, on a spine-leaf fabric.]
Orchestration Server Access (1)
⚫ Create VMM mappings for accessing VMs.
• The name of a port group is in the following format: tenant name|logical switch
name|VDS name|VLAN ID.
Orchestration Server Access (2)
⚫ The computing administrator creates a VM on the VMM and selects a port group to access the network. After the
VM is started, iMaster NCE-Fabric automatically detects the logical port and user port connected to the VM.
Contents
2. Pre-configuration
3. Service Provisioning
▫ Deploying Layer 2 and Layer 3 Basic Services
◼ Deploying the VPC Interconnection Service
4. Easy Deployment
VPC Interconnection Service Overview
⚫ By default, subnets under a VPC's logical routers communicate with each other at Layer 2 and Layer 3.
However, networks between different logical routers, VPCs, and tenants cannot communicate with
each other. To achieve such communication, you need to configure VPC interconnection.
⚫ Based on the mutual access requirements, the VPC interworking scenarios are as follows:
Traffic not passing through the firewall.
Traffic passing through the firewall in only one direction.
Traffic passing through the firewall in both directions.
Traffic Model for Communication Between VMs Across VPCs
(When Traffic Does Not Pass Through a Firewall)
[Figure: within one tenant, the network administrator creates a VPC interconnection instance between Logic Router1
(VPC1) and Logic Router2 (VPC2); the logical ports of both VPCs sit on the leaf switches and no firewall is on the path.]
Key Configurations for Communication Between VMs Across
VPCs (When Traffic Does Not Pass Through a Firewall)
Key configuration: Configure VPC communication on iMaster NCE.
[Figure: network administrator, spine and leaf switches.]
Configuring Communication Between VMs Across VPCs
(When Traffic Passes Through a Firewall)
Scenario Description
⚫ A tenant deploys two different service systems that belong to different VPC logical networks. In terms of services, the
two VPCs need to communicate with each other, and the inter-VPC traffic needs to pass through the firewall in one VPC.
Therefore, the cross-VPC access service needs to be deployed.
Configuration roadmap
1. Create two VPCs and orchestrate the basic L2 and L3 networks in the VPCs (for example, logical routers, logical
switches, VMM mapping, and VM online).
2. Create an external network domain and a logical firewall in VPC1, and configure internal and external links for the
logical firewall.
4. Create a VPC interworking instance and specify the logical firewall in VPC1 to implement interworking.
[Figure: network administrator, spine and leaf switches; VPC1 uses subnet 192.168.1.0/24 and VPC2 uses subnet
192.168.2.0/24.]
• If traffic must pass through a firewall in both directions, also configure a logical firewall in VPC2. The operations are
the same as those for VPC1.
Logical Model for Configuring Communication Between VMs
Across VPCs (When Traffic Passes Through a Firewall)
[Figure: within one tenant, VPC1 contains an external network domain, a logical firewall, Logic Router1 and Logic
Switch1; VPC2 contains Logic Router2 and Logic Switch2; the VPC interconnection instance passes through the single
firewall ("through a single wall"); the logical ports sit on the leaf switches.]
Key Configurations for Configuring Communication Between
VMs Across VPCs (When Traffic Passes Through a Firewall)
Key configuration: When configuring VPC communication on iMaster NCE, you
[Figure: network administrator, spine and leaf switches.]
Configuring Communication Between VMs Across VPCs
(When Traffic Passes Through Firewalls)
Scenario Description
⚫ A tenant deploys two different service systems that belong to different VPC logical networks. In terms of services, the
two VPCs need to communicate with each other, and the inter-VPC traffic needs to pass through the firewall in one VPC.
Therefore, the cross-VPC access service needs to be deployed.
Configuration roadmap:
1. Create two VPCs and orchestrate the basic L2 and L3 networks in the VPCs (for example, logical routers, logical
switches, VMM mapping, and VM online).
2. Create an external network domain and a logical firewall in VPC1, and configure internal and external links for the
logical firewall.
4. Create a VPC interworking instance and specify the logical firewall in the VPC to implement interworking.
[Figure: network administrator, spine and leaf switches; VPC1 uses subnet 192.168.1.0/24 and VPC2 uses subnet
192.168.2.0/24.]
Logical Model for Configuring Communication Between VMs
Across VPCs (When Traffic Passes Through Firewalls)
[Figure: within one tenant, VPC1 and VPC2 each contain an external network domain, a logical firewall, a logical router
(Logic Router1 / Logic Router2) and a logical switch (Logic Switch1 / Logic Switch2); the VPC interconnection instance
crosses both firewalls ("crossing the double wall"); the logical ports sit on the leaf switches.]
Key Configurations for Configuring Communication Between
VMs Across VPCs (When Traffic Passes Through Firewalls)
Key configuration: When configuring VPC communication on iMaster NCE, you
[Figure: network administrator, spine and leaf switches.]
Contents
2. Pre-configuration
3. Service Provisioning
▫ Deploying Layer 2 and Layer 3 Basic Services
4. Easy Deployment
Deploying the SNAT Service: Intranet VMs Access the Internet
Scenario Description
[Figure: the network administrator; VM1 on subnet 192.168.1.0/24 behind a leaf switch accesses the Internet.]
Configuration roadmap:
1. Create a tenant and a tenant VPC on iMaster NCE (Fabric).
2. Create a logical router in the tenant VPC and add an IPv4 subnet.
3. Create a logical switch in the tenant VPC and associate it with the logical router
and subnet.
4. Create VMM mappings in the tenant VPC and associate them with different
logical switches.
5. Create a VM on the VMM and connect the VM to the corresponding network.
6. Create a logical VAS (firewall) in the tenant VPC and configure internal links.
7. Create an external network domain in the tenant VPC, associate the domain with
the created external gateway, and configure external links.
8. Create an SNAT policy in the tenant VPC and specify the SNAT type, source
IP address, destination IP address, and public IP address.
9. Create a security policy in the tenant VPC to allow the subnets or addresses
for which SNAT needs to be performed.
• Prerequisite:
▫ Fabric and L4-L7 resource pools have been created, associated with the
resource pools, and roles of inter-device links have been configured.
▫ An external gateway (of the L3 shared egress type) has been created and a
public IP address has been configured for VM address translation.
▫ iMaster NCE-Fabric has been interconnected with VMM.
Deploying the SNAT Service: Configuring SNAT Policies and
Security Policies
1. On the VPC1 orchestration page, click the FW Service tab and create an SNAT policy for the logical firewall.
2. For SNAT access to the Internet, you need to configure security policies to permit traffic. In the Tenant View, click the
Security tab to go to the Security page.
Scenario Description
⚫ The internal host (IP address: 192.168.1.1) in the data center of company A provides services externally. The external
network accesses the floating IP address 10.10.10.12 to access the services provided by the internal host.
[Figure: the floating IP address 10.10.10.12 is reached through the spine and leaf switches and mapped to VM1.]
• Configuration roadmap:
1. Create a tenant and tenant VPC on iMaster NCE (Fabric).
2. Create a logical router in the tenant VPC and add a subnet.
3. Create a logical switch in the tenant VPC and associate the logical router with
the corresponding subnet.
4. Create VMM mappings in the tenant VPC and associate them with different
logical switches.
5. Create a VM on the VMM and connect the VM to the corresponding network.
6. Create a logical VAS (firewall) in the tenant VPC and configure internal links.
7. Create an external network domain in the tenant VPC, associate the domain
with the created external gateway, and configure external links.
8. Create an EIP policy in the tenant VPC and specify the working mode,
floating IP address, and fixed IP address of the EIP.
9. Create a security policy in the tenant VPC to allow the subnet or IP address
to which the EIP applies.
• EIP is also called floating IP address.
• Prerequisite:
▫ Device discovery, global resource configuration, and interconnection
resource configuration have been completed.
▫ Fabric and L4-L7 resource pools have been created, associated with the
resource pools, and roles of links between devices have been configured.
▫ An external gateway (of the L3 shared egress type) has been created, and a
public IP address has been configured for VM address translation.
▫ iMaster NCE-Fabric has been interconnected with VMM.
Deploy EIP: Configure EIP Policies and Security Policies
1. On the VPC1 orchestration page, click the FW Service tab and configure an EIP policy for the logical firewall.
2. In the EIP scenario, you need to configure security policies to permit traffic. In the tenant view, click the Security tab
to go to the Security page.
Microsegmentation Overview
⚫ Microsegmentation is a security isolation technology that groups DC services based on certain rules and deploys policies between
groups to implement traffic control.
⚫ Traditionally, subnets are created for DCs based on coarse-grained granularities such as VLAN IDs or VNIs. Microsegmentation
supports more fine-grained and flexible grouping modes, for example, grouping based on IP addresses, MAC addresses, and VM
names. This can further narrow down security zones to implement more fine-grained service isolation and enhance network security.
⚫ Microsegmentation implements service isolation between different servers of a VXLAN network and ensures secure management and
control for the VXLAN network. In addition, the configuration and maintenance of microsegmentation are simple, significantly
reducing the configuration and maintenance costs.
[Figure: EPGs can be formed from servers, VMs, subnets, IP addresses, MAC addresses, VM names, and so on; a GBP
between two EPGs carries the action Permit/Deny.]
Basic Concepts of Microsegmentation - EPG
⚫ End point group (EPG): A group of entities that carry services, such as servers and VMs. EPGs can be
defined based on IP addresses, MAC addresses, VM names, and applications.
⚫ After service entities on a network are allocated to EPGs, the VMs are classified based on the EPG:
Unknown EPG member: VMs that do not belong to any EPG (for example, VM5 and VM6).
EPG member: VMs that belong to any EPG (for example, VM1, VM2, VM3, and VM4).
Members in the same EPG: VMs that belong to the same EPG (for example, VM1 and VM2, or VM3 and VM4).
Members in different EPGs: VMs that belong to different EPGs (for example, VM1 and VM3).
Basic Concepts of Microsegmentation - GBP
⚫ Group-based policy (GBP): policy for traffic control within an EPG and between EPGs. A GBP can be
configured based on EPGs, protocol numbers, and port numbers, which specifies the policies within an
EPG, between EPGs, and between a known EPG and an unknown EPG.
[Figure: access control policy for members in an EPG; access control policy for unknown EPG members.]
Basic Concepts of Microsegmentation - Default GBP Policies
[Figure: access control policy for members in different EPGs; access control policy for members in an EPG; access control
policy for unknown EPG members.]
① By default, the access control policy for an unknown EPG member is permit. That is, unknown EPG members can communicate with
each other, and an unknown EPG member and a known EPG member can also communicate with each other.
② By default, the access control policy for an EPG member is deny. That is, members in different EPGs cannot communicate with each
other.
③ The default access control policy for members in an EPG varies according to CE switch models.
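The three defaults above, together with explicit GBPs, decide what an EPG-based policy actually lets through. The following added example (not iMaster NCE-Fabric code) models that decision for a constructed set of VMs and GBPs; the VM and EPG names, the GBP fields and the same-EPG default are assumptions, since the real default depends on the CE switch model.

```python
# Added example (not iMaster NCE-Fabric code): evaluates the effective
# microsegmentation policy between two VMs from EPG membership, the
# configured GBPs and the three default policies listed above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERMIT = "permit"
DENY = "deny"


@dataclass(frozen=True)
class Gbp:
    """Group-based policy: an EPG pair plus optional protocol/port match."""
    src_epg: str
    dst_epg: str
    action: str
    proto: Optional[int] = None      # IP protocol number; None matches any
    dst_port: Optional[int] = None   # destination port; None matches any

    def matches(self, src_epg: str, dst_epg: str,
                proto: Optional[int], dst_port: Optional[int]) -> bool:
        return ((self.src_epg, self.dst_epg) == (src_epg, dst_epg)
                and self.proto in (None, proto)
                and self.dst_port in (None, dst_port))


@dataclass
class Microsegmentation:
    # VM name -> EPG name; VMs absent from the map are unknown EPG members
    epg_of_vm: Dict[str, str]
    gbps: List[Gbp] = field(default_factory=list)
    # Default ③ (members in the same EPG) varies by CE switch model, so the
    # caller supplies it explicitly rather than the model assuming one.
    same_epg_default: str = PERMIT

    def classify(self, src_vm: str, dst_vm: str) -> str:
        src = self.epg_of_vm.get(src_vm)
        dst = self.epg_of_vm.get(dst_vm)
        if src is None or dst is None:
            return "unknown"
        return "same-epg" if src == dst else "different-epg"

    def decide(self, src_vm: str, dst_vm: str, proto: Optional[int] = None,
               dst_port: Optional[int] = None) -> Tuple[str, str]:
        """Return (action, reason) for traffic from src_vm to dst_vm."""
        kind = self.classify(src_vm, dst_vm)
        if kind == "unknown":
            # Default ①: an unknown EPG member may talk to anyone.
            return PERMIT, "default: unknown EPG member"
        src, dst = self.epg_of_vm[src_vm], self.epg_of_vm[dst_vm]
        for gbp in self.gbps:                     # explicit GBPs take priority
            if gbp.matches(src, dst, proto, dst_port):
                return gbp.action, f"GBP {src}->{dst}"
        if kind == "same-epg":
            # Default ③: model-dependent, supplied by the caller.
            return self.same_epg_default, "default: same EPG (model-dependent)"
        # Default ②: members of different EPGs are isolated.
        return DENY, "default: different EPGs"

    def effective_matrix(self, proto: Optional[int] = None,
                         dst_port: Optional[int] = None) -> Dict[Tuple[str, str], str]:
        """Pairwise action for every known VM, to audit what the policy really permits."""
        vms = sorted(self.epg_of_vm)
        return {(s, d): self.decide(s, d, proto, dst_port)[0]
                for s in vms for d in vms if s != d}


# Constructed membership matching the slide example: VM1/VM2 in EPG1,
# VM3/VM4 in EPG2, VM5/VM6 in no EPG. One GBP opens TCP/80 from EPG1 to EPG2.
SEG = Microsegmentation(
    epg_of_vm={"VM1": "EPG1", "VM2": "EPG1", "VM3": "EPG2", "VM4": "EPG2"},
    gbps=[Gbp("EPG1", "EPG2", PERMIT, proto=6, dst_port=80)],
)

if __name__ == "__main__":
    for pair in [("VM5", "VM1"), ("VM1", "VM3"), ("VM1", "VM2")]:
        print(pair, SEG.decide(*pair))
    print(("VM1", "VM3", "tcp/80"), SEG.decide("VM1", "VM3", 6, 80))
```

The effective matrix is the check worth running after a change: it exposes that unknown members (VM5, VM6) are reachable from every EPG unless they are allocated to one.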
Configuring Microsegmentation
Scenario description:
⚫ To isolate two VMs (such as VM1 and VM2) that are not dependent on firewalls within a VPC network, you can use
iMaster NCE-Fabric to deploy microsegmentation. Associate VM1 with EPG1 and VM2 with EPG2.
⚫ If necessary, you can create a service chain policy to allow mutual access between specified protocols and ports.
[Figure: VM1 (192.168.10.2) on logical switch LS1 belongs to EPG1; VM2 (192.168.20.2) on logical switch LS2 belongs
to EPG2.]
• Configuration roadmap:
3. Create a logical switch in the tenant VPC and associate the logical router with the corresponding subnet.
4. Create VMM mappings in the tenant VPC and associate them with different logical switches.
Step 1: Creating an EPG.
Step 2: Allocate VM1 to EPG1 based on the device IP address type in the microsegmentation.
[Figure: VM1 (192.168.10.2) in EPG1 and VM2 (192.168.20.2) in EPG2.]
• Repeat the same steps to create another EPG and add VM2 as a member.
Creating a Service Chain
⚫ To allow certain protocols and ports to pass between two VMs, create a service chain and related policies. When a
microsegmentation-based SFC is created, SF nodes cannot be used between the source EPG and the destination
EPG. That is, no value-added service is supported.
Service Chain Overview
⚫ Service function chain (SFC) is a technology that provides ordered services for the application layer.
⚫ After the SFC path is defined, the matching traffic passes through the specified VAS devices in sequence (for example,
firewall, load balancing, in-depth detection, and intrusion prevention) so as to obtain the corresponding value-added
services in turn.
⚫ Service chains are orchestrated on the Agile Controller-DCN, and may be implemented by using Policy-Based
Routing (PBR) or Network Service Header (NSH).
[Figure: matching traffic is diverted at the traffic diversion point and carried over a VXLAN tunnel to the VAS devices.]
Basic Concepts of SFC
• SF: SFs are devices that provide VASs, such as firewalls and load balancers.
• Service function forwarder (SFF): An SFF forwards the packets received from a network to its associated SFs.
• SFP: An SFP is a packet path calculated based on configurations.
[Figure: the server leaf acts as the SC; the service leaf acts as the SFF and attaches the SFs (firewall and IPS).]
• SFC domain: An area that includes an SFC device may be referred to as an SFC
domain.
• EPG: EPGs can be defined based on external network domains, logical routers,
and logical switches. Users can specify source EPGs, destination EPGs, and service
nodes between them based on service requirements.
• Classifier: It is located at the border ingress of the SFC domain. After a packet
enters the SFC domain, the traffic classification is performed first. The
classification granularity is determined by the capability of the classifier and the
SFC policy. The classification rules can be rough or detailed. For example:
▫ Coarse-grained: all packets on a port match an SFC rule and are transmitted through SFP A.
▫ Fine-grained: only the packets meeting the 5-tuple requirements match an SFC rule and pass through SFP B.
• Service node: An incomplete SF list includes the firewall, load balancer,
application accelerator, validity interception, and NAT. One SFC domain may
have multiple SFs.
• Service chain forwarding node: forwards packets received from the network to the SFs associated with the SFF based
on the NSH-encapsulated information (in the NSH implementation mode; in the PBR implementation mode, forwarding
is based on the traffic information). After the SF processing, the packet is returned to the same SFF. The SFF
determines whether to send the packet back to the network.
• Service chain path: A packet path calculated based on the configuration can be
used to accurately specify the location of each SF.
SFC Application Scenarios
Security protection between the data center network and external networks is the core of network security. The external
north-south access traffic can be flexibly diverted to different SFs (marked by the green line) based on the defined SFC
to implement functions such as address translation and security filtering for internal and external networks.
[Figure: north-south traffic between the external network and the data center fabric is diverted through the SFs.]
• You can use a switch alone or use a switch and iMaster NCE-Fabric together to
implement SFC. The controller orchestrates SFs, configures an SFP, and delivers
the SFP configurations to the SC and SFFs (Huawei CE series switches) through
NETCONF interfaces.
Configuring a Service Chain
Scenario description:
When intranet users need to access the Internet, the traffic from intranet users passes through the core firewall for
value-added service operations such as service isolation and security control, and then enters the border firewall for
address translation.
Configuration roadmap:
1. On iMaster NCE (Fabric), create tenants and tenant VPCs and orchestrate logical networks.
2. Create a service chain template for intranet users to access the Internet. The template passes through Firewall 1 (the
core firewall provides security policy filtering) and then through Firewall 2 (the border firewall provides SNAT).
3. Create an EPG in the tenant VPC, set logical switches 1 and 2 as EPG1 (source EPG), and set the external network
domain as EPG2 (destination EPG).
4. Create an SFC, associate it with an SFC template, and redirect traffic to the logical firewall.
5. Configure security filtering policies on logical firewall 1 and SNAT on logical firewall 2.
[Figure: VM1 in EPG1 reaches the external network (EPG2) through the core FW, the WAF, and the border FW.]
• When orchestrating logical networks, you need to create logical firewall 1 and configure internal links between
logical firewall 1 and the logical routers. Create an external network domain for logical firewall 2, and configure
internal links between logical firewall 2 and the logical router and external links between logical firewall 2 and the
external network domain.
Creating a Service Chain Template
⚫ Creating an SFC template means setting the SFC path, that is, the service nodes that traffic from the source EPG server
passes through on its way to the destination EPG server, and the sequence of those service nodes.
⚫ Create a service chain template and drag the required VAS node icons between two EPG servers based on service
requirements. In this example, drag the firewall node icons between two EPG servers.
Creating an EPG
⚫ Take EPG1 as an example. Enter EPG1 in Name and select SW1 as the source EPG of the service chain. Create EPG2
in the same way. In the topology, select the external network domain Ext1 as the destination EPG of the service chain.
Creating a Service Chain
⚫ When creating a service chain, select the created template and set related parameters.
Similarities and Differences Between the Service Models &
Basic Concepts of Microsegmentation and SFC
[Figure: the EPG service model shared by microsegmentation and SFC.]
• The configuration models of microsegmentation and SFC vary in that the SFC
model adopts 5-tuple-based policies, while the microsegmentation model uses
EPG–based policies.
Contents
2. Pre-configuration
3. Service Provisioning
4. Easy Deployment
Overview of Easy Mode (1)
⚫ The preceding figure shows the traditional deployment process. To facilitate quick network deployment, Huawei
CloudFabric solution provides the Easy deployment function. That is, you can go to the dedicated page for Easy in
iMaster NCE-Fabric. Based on the navigation tree, you can complete zero-touch deployment (ZTP) for switches,
create tenants and VPCs, and provision basic network services in the VPC.
Overview of Easy Mode (2)
⚫ When the Easy deployment mode is used, the network planning scheme can be automatically generated based on
the number of devices and cable connections.
Easy Mode vs Manual Mode
Comparison Item                                         | Easy Mode                              | Manual Mode
Layer 2 and Layer 3 Basic Service Orchestration in a VPC | Directly orchestrate on the Easy page. | Orchestrate on the Service Provisioning page.
Deployment Process
⚫ The following figure shows the deployment process in Easy mode.
[Figure: deployment process in Easy mode; one of the steps shown is Expanding the Access Port Capacity.]
[Quiz residue: options B. Root device and C. iMaster NCE-Fabric; the question text and remaining options are not
recoverable. Answer to question 1: ACD]
Summary
⚫ In the CloudFabric computing scenario, the network administrator is only responsible for
network setup and service orchestration, and the VMM platform is managed and
maintained by the computing management personnel.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Objectives
Contents
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
DCN Evolution to a Multi-Cloud and Multi-DC Mode
[Figure: three service drivers: mobility-based acceleration (offline -> online, improving the service efficiency), ubiquitous
services (personalized services, enhancing user loyalty), and agile service rollout (quick business monetization,
accelerating innovation), illustrated by online shopping, mobile apps, payment by card, ad placement, supermarket
shopping, entertainment consumption, user profiles, ecosystem integration, third-party apps via SDK/API, entrusted fee
deduction, counter transfer, third-party transfer, information push, product recommendation, ETC, risk prevention, and
hundreds of millions of monthly active users. Resulting requirements: user scale 10x; usage and control frequency 10x;
data volume 200x; interconnection scenarios 100x; rollout speed 10x; 24/7 services. Architecture shifts: centralized ->
distributed (more complex system architecture); single-DC -> multi-DC (DC scale increased by 100 times); private cloud
-> hybrid cloud (virtualization scale increased by 100 times).]
• Note:
▫ Survey on loss caused by fault-triggered interruptions:
▫ It takes three person-hours to perform routine inspection before the market opens every day. This increases
difficulties in confidently keeping up with the general market trends.
▫ The complicated architecture results in difficult fault locating. It takes 76 minutes on average to locate a fault.
▫ About 70% of network faults are caused by human errors as changes are manually compared and verified.
▫ To improve user experience and ensure high reliability of key services, faults need to be located and rectified in real
time.
• Note:
[Figure: intelligent O&M built on the network controller + network analyzer. Smart sensing -> Predictability: network
health status can be detected in real time to proactively identify potential network risks before a fault occurs. Vision
analysis -> Self-maintenance: faults can be proactively detected, with intelligent analysis on network fault causes as well
as automatic, closed-loop fault rectification. Smart optimization -> Self-optimization: automatic network optimization is
implemented based on service intents, maximizing service running efficiency.]
Overall Architecture of CloudFabric Intelligent DCN O&M Solution
[Figure: iMaster NCE comprises iMaster NCE-Fabric and iMaster NCE-FabricInsight. iMaster NCE-Fabric provides the
service O&M entry (service management and monitoring, troubleshooting, fault locating, fault rectification) together with
a service component, a hardware component, NE management and network management. iMaster NCE-FabricInsight
provides the troubleshooting entry (network health evaluation, fault troubleshooting, fault detection, fault locating, and
fault impact analysis at link, system, application and protocol level) and an AI engine. FabricInsight obtains full
configurations from NCE-Fabric and subscribes to incremental configurations and to resource-flow ARP/FIB entries.
Shared layers: the database (DB) service provides a unified inventory (alarm, configuration, and low-speed state
performance); analysis provides the common services of the big data platform; and the unified southbound collection
service covers low-speed state performance collection, configuration management, high-speed performance collection,
traffic collection and log collection.]
• An intelligent O&M system consists of the controller and analyzer. This course
describes some O&M features.
Contents
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
O&M feature tabs: O&M Panorama | Three-Layer Network Visualization | Connectivity Detection | Service Path
Visualization | Consistency Check | Three-Level Rollback | Troubleshooting
iMaster NCE-Fabric O&M panorama
[Figure: the panorama covers mapping between application, logical, and physical networks; consistency check and
network restoration; network mapping (web/app/DB); loop fault diagnosis (locating); controller installation and
deployment; status, fault, and change visualization; service provisioning and audit; logical network topology; underlay
network connectivity detection; end port O&M, logical switch O&M, logical router O&M, logical SF O&M and
application path O&M (connectivity and path); events, logs, and statistics; physical firewall, software firewall, server,
virtual switch, and physical switch management; physical topology management; ZTP-based switch installation
management; and the physical resource pool (fabric) and logical resource pool (resource visualization), with status,
detail and mapping views and O&M interconnection.]
• iMaster NCE-Fabric centrally manages and controls cloud DCNs and provides
automatic mapping from applications to physical networks, resource pool
deployment, and visualized O&M, helping customers build service-centric
dynamic network service scheduling capabilities.
Connectivity Detection
When the Execution Result is Packet Loss Ratio 0%, the source node and destination node are reachable to each other and network connectivity between
the source and destination nodes is normal.
When the Execution Result is Fail Go to Single-path Detection, the source node and destination node are unreachable to each other and the path
between the source node and destination node may be disconnected. Click Single-path Detection. The system then automatically switches to the
single-path detection page to perform path detection.
▫ MAC ping uses ARP request packets to check whether an ARP probe system
is normal.
• Prerequisites:
▫ The source and destination IP addresses must be on the same subnet when
MAC ping is used to check whether the ARP probe system is normal.
▫ When both the source and destination VMs and the devices that VMs are
connected to are physical CE devices, the source and destination VMs
cannot be on the same subnet of the same host if MAC ping or IP ping is
used to check connectivity.
▫ When the source is a device (NE), the device needs to have VMs connected.
• iMaster NCE-Fabric can display the real physical paths of services based on application and logical networks. When
the physical network is decoupled from the logical network, iMaster NCE-Fabric can quickly locate network faults, and
detect and rectify unexpected service interruptions.
• Service path visualization provides the following functions:
▫ Single-path detection
▫ Multi-path detection
▫ Network loop detection
[Figure: single-path, multi-path, and network detection with 5-tuple-based packet filtering show the actual physical
path: 100% path visualization, from physical links to logical links and from a single path to multiple paths.]
• The service path visualization feature supports the filtering of path information
based on 5-tuple information and the display of hop-by-hop path information,
enabling users to view service path information as needed.
• Single-path detection traces the actual physical paths between VMs, BMSs, containers, or network devices, and checks
whether service flows are interrupted.
• Detection principle: iMaster NCE-Fabric sends a Packet-Out message to the source CE switch through an OpenFlow
channel. This message simulates a service flow. 5-tuple information (including source IP address, destination IP address,
source port, destination port, and protocol) and MAC address of this service flow are encapsulated into the message. The
source CE switch forwards the Packet-Out message according to the service forwarding path. All devices that receive the
Packet-Out message in the path report a Packet-In message to iMaster NCE-Fabric. iMaster NCE-Fabric then parses the
Packet-In message and calculates the detection path based on the actual links.
• Multi-path detection traces multiple physical paths between NVE devices to check whether the service flows are
interrupted.
• Detection principle: The implementation of multi-path detection is similar to that of single-path detection. The only
difference is that a single detection packet is sent during single-path detection while the number of packets sent during
multi-path detection is configurable. iMaster NCE-Fabric also can filter out duplicate paths.
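The controller-side half of the principle above, as an added example that is not iMaster NCE-Fabric code: Packet-In reports (switch, ingress port, probe id) are chained into a path using the physical link table, the result is classified as Finished or Timeout as on the task-result slides, and multi-path detection reuses it across several probes and drops duplicates. The topology, interface names and report contents are constructed.

```python
# Added example (not iMaster NCE-Fabric code): rebuilds a single-path
# detection result from Packet-In reports using a constructed link table,
# and derives multi-path results by running several probes and dropping
# duplicate paths, as the slide describes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Port = Tuple[str, str]  # (switch name, interface name)


@dataclass(frozen=True)
class PacketIn:
    switch: str    # CE switch that received the probe and reported it
    in_port: str   # interface the probe arrived on
    probe_id: int  # identifies the Packet-Out (5-tuple + MAC) being echoed


class PathDetector:
    def __init__(self, links: List[Tuple[Port, Port]], hosts: Dict[str, Port]):
        # Physical link table known to the controller, stored bidirectionally.
        self.peer: Dict[Port, Port] = {}
        for a, b in links:
            self.peer[a] = b
            self.peer[b] = a
        self.hosts = hosts  # VM name -> (leaf switch, access port)

    def single_path(self, src_vm: str, dst_vm: str, probe_id: int,
                    reports: List[PacketIn]) -> Tuple[str, List[str]]:
        """Return (Status, path) with Status in Finished / Failed / Timeout."""
        if src_vm not in self.hosts:
            return "Failed", []          # source node cannot be found
        src_sw = self.hosts[src_vm][0]
        dst_sw = self.hosts[dst_vm][0] if dst_vm in self.hosts else None
        # Each Packet-In names the switch and ingress port; the link table
        # tells which switch forwarded the probe there, so every report can
        # be chained to its predecessor.
        next_hop: Dict[str, str] = {}
        for r in reports:
            if r.probe_id != probe_id or r.switch == src_sw:
                continue
            upstream = self.peer.get((r.switch, r.in_port))
            if upstream is not None:
                next_hop[upstream[0]] = r.switch
        path = [src_sw]
        while path[-1] in next_hop and next_hop[path[-1]] not in path:
            path.append(next_hop[path[-1]])
        if path[-1] == dst_sw:
            return "Finished", path
        return "Timeout", path  # destination never reported: path incomplete

    def multi_path(self, src_vm: str, dst_vm: str,
                   reports: List[PacketIn]) -> List[List[str]]:
        """Run one detection per probe id and keep the unique complete paths."""
        unique: List[List[str]] = []
        for pid in sorted({r.probe_id for r in reports}):
            status, path = self.single_path(src_vm, dst_vm, pid, reports)
            if status == "Finished" and path not in unique:
                unique.append(path)
        return unique


# Constructed two-spine, two-leaf fabric and VM placement.
FABRIC = PathDetector(
    links=[(("Leaf1", "100GE1/0/1"), ("Spine1", "100GE1/0/1")),
           (("Leaf1", "100GE1/0/2"), ("Spine2", "100GE1/0/1")),
           (("Leaf2", "100GE1/0/1"), ("Spine1", "100GE1/0/2")),
           (("Leaf2", "100GE1/0/2"), ("Spine2", "100GE1/0/2"))],
    hosts={"VM1": ("Leaf1", "10GE1/0/1"), "VM2": ("Leaf2", "10GE1/0/1")},
)

# Constructed Packet-In reports: probes 1 and 3 were hashed onto Spine1,
# probe 2 onto Spine2, and probe 4 was lost after Spine1 (link to Leaf2 down).
REPORTS = [
    PacketIn("Spine1", "100GE1/0/1", 1), PacketIn("Leaf2", "100GE1/0/1", 1),
    PacketIn("Spine2", "100GE1/0/1", 2), PacketIn("Leaf2", "100GE1/0/2", 2),
    PacketIn("Spine1", "100GE1/0/1", 3), PacketIn("Leaf2", "100GE1/0/1", 3),
    PacketIn("Spine1", "100GE1/0/1", 4),
]

if __name__ == "__main__":
    print(FABRIC.single_path("VM1", "VM2", 1, REPORTS))
    print(FABRIC.single_path("VM1", "VM2", 4, REPORTS))
    print(FABRIC.multi_path("VM1", "VM2", REPORTS))
```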
⚫ Task result:
If Status is displayed as Finished, the
detection is successful and the paths are
normal.
If Status is displayed as Failed, the detection
task cannot be executed due to the failure to
find the source node or other causes.
If Status is displayed as Timeout, the
detection task is executed, but packet
forwarding fails because the path is
incomplete or interrupted.
• Customer requirements:
• Prerequisites:
⚫ Task result:
If Status is displayed as Finished, the
detection is successful and the paths are
normal.
If Status is displayed as Failed, the
detection task cannot be executed due to
the failure to find the source node or
other causes.
If Status is displayed as Timeout, the
detection task is executed, but packet
forwarding fails because paths between
the source device and destination device
are incomplete or interrupted.
• Customer requirements:
• Prerequisites:
[Flowchart: Check the loop. If a loop is found (Yes), proceed to loop elimination: eliminate the loop through manual operations on iMaster NCE-Fabric.]
• When detecting loops, CE switches generate alarms. The alarms can be classified
into different types, including the traffic threshold-crossing alarm, VLAN MAC
address flapping alarm, and VXLAN MAC address flapping alarm. iMaster NCE-
Fabric samples ARP packets based on the alarms reported by interfaces or sub-
interfaces of CE switches and displays all suspected loops in a list.
▫ When it collects multiple identical packets within a specific period of time,
iMaster NCE-Fabric determines that a loop has occurred, displays the loop
information on the loop detection page, and provides elimination
suggestions. Only the local interface where the loop occurs is displayed in
the loop detection result.
▫ If a device interface or sub-interface sends a large number of normal
packets, iMaster NCE-Fabric may fail to collect multiple identical packets and
therefore cannot determine whether a loop exists. In this case, you can log
in to the device and manually confirm whether a loop exists based on the
suspected loop information.
• Customer requirements:
▫ On a fabric network, traffic service exceptions may occur due to improper
networking or network attacks. Customers require a traffic monitoring
technology that samples packets on device interfaces to monitor the traffic
status in real time and promptly find abnormal traffic as well as the source
of attack traffic.
• Prerequisites:
▫ iMaster NCE-Fabric is running properly.
▫ The device to be monitored has been added to the fabric network and has
available ACL resources.
▫ Loop alarm reporting has been enabled on the device.
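The loop confirmation logic described above, as an added example that is not part of the training material or of iMaster NCE-Fabric: ARP packets sampled on alarmed interfaces are grouped by their content, an interface on which the same packet recurs several times within a short window is reported as a loop, and an alarmed interface on which no duplicates were caught (for example because it carries much legitimate traffic) stays a suspected loop to be confirmed on the device. Interface names, MAC and IP addresses and timestamps are constructed.

```python
"""Loop confirmation from sampled ARP packets (added example, not product code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ArpSample:
    interface: str   # "device/port" (hypothetical naming)
    ts: float        # sampling time in seconds
    src_mac: str
    sender_ip: str
    target_ip: str
    opcode: int      # 1 = request, 2 = reply

    def key(self):
        """Fields that identify 'the same packet' for loop detection."""
        return (self.src_mac, self.sender_ip, self.target_ip, self.opcode)


def max_identical_in_window(samples: List[ArpSample], window_s: float) -> int:
    """Largest number of identical ARP packets seen within any window_s-second span."""
    best = 0
    ordered = sorted(samples, key=lambda s: s.ts)
    for i, s in enumerate(ordered):
        n = sum(1 for t in ordered[i:] if t.key() == s.key() and t.ts - s.ts <= window_s)
        best = max(best, n)
    return best


def classify_loops(alarms: Dict[str, str], samples: List[ArpSample],
                   window_s: float = 2.0, min_repeats: int = 3):
    """alarms: interface -> alarm type reported by the switch.
    Only interfaces with an alarm are sampled, as in the slide."""
    by_if = defaultdict(list)
    for s in samples:
        if s.interface in alarms:
            by_if[s.interface].append(s)
    result = {}
    for intf, alarm in alarms.items():
        repeats = max_identical_in_window(by_if[intf], window_s)
        # "loop": duplicates confirm the loop and the local interface is reported.
        # "suspected": the alarm fired but no identical packets were caught, so the
        # loop has to be confirmed manually on the device.
        status = "loop" if repeats >= min_repeats else "suspected"
        result[intf] = {"alarm": alarm, "max_identical": repeats, "status": status}
    return result


# Constructed alarms and samples.
ALARMS = {
    "leaf1/10GE1/0/3": "VLAN MAC address flapping",
    "leaf2/10GE1/0/7": "traffic threshold-crossing",
}
SAMPLES = [
    # the same ARP request recurring four times within one second on leaf1, once much later
    *[ArpSample("leaf1/10GE1/0/3", t, "00:11:22:33:44:55", "10.1.1.10", "10.1.1.1", 1)
      for t in (10.0, 10.3, 10.6, 10.9, 25.0)],
    # a busy port on leaf2 with distinct, legitimate ARP requests only
    ArpSample("leaf2/10GE1/0/7", 10.0, "00:aa:bb:cc:dd:01", "10.2.2.11", "10.2.2.1", 1),
    ArpSample("leaf2/10GE1/0/7", 10.1, "00:aa:bb:cc:dd:02", "10.2.2.12", "10.2.2.1", 1),
    ArpSample("leaf2/10GE1/0/7", 10.2, "00:aa:bb:cc:dd:03", "10.2.2.13", "10.2.2.1", 1),
    # a port without any alarm is never sampled
    ArpSample("leaf3/10GE1/0/1", 10.0, "00:aa:bb:cc:dd:09", "10.3.3.9", "10.3.3.1", 2),
]

if __name__ == "__main__":
    for intf, info in classify_loops(ALARMS, SAMPLES).items():
        print(intf, info)
```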
⚫ Information about the confirmed loops is listed on the Loop Device tab page. Users can view the details and perform port isolation.
• Loop elimination:
▫ Current records:
▫ Historical records: display the status of suspected loops that have been
processed so that loop interfaces that have gone offline can be
reconnected. On the Historical Record page, the status of a suspected loop
can be one of the following:
Consistency Check
⚫ iMaster NCE-Fabric sends a configuration query request to a forwarder and detects configuration inconsistencies
between iMaster NCE-Fabric and the forwarder to facilitate subsequent inconsistency elimination. As such, you can
perform either data reconciliation (synchronizing configurations from iMaster NCE-Fabric to the forwarder) or data
synchronization (synchronizing configurations from the forwarder to iMaster NCE-Fabric).
▫ During full inconsistency discovery, iMaster NCE-Fabric collects all the data
on the forwarder. During incremental inconsistency discovery, iMaster NCE-
Fabric collects only the forwarder data that differs from the data collected
last time.
⚫ Eliminate data inconsistencies for instances. (Data that exists on iMaster NCE-Fabric but not on the forwarder
is synchronized to the forwarder.)
Click the arrow in front of the desired device to check inconsistent features and data types.
Click . On the page that is displayed, click Expand All to view inconsistent data.
In the Data from the controller area, select the data to be overwritten and click Sync To. Data that exists on iMaster
NCE-Fabric but not on the forwarder is delivered to the forwarder.
If Status is displayed as Invalid inconsistent data and Failure Reason is displayed as Device re-attachment is performed, the
active node link of the device has been switched and the inconsistent service data is invalid. In this case, perform inconsistency
discovery and reconciliation again to resolve the issue.
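The consistency check described on these slides, as an added example that is not part of the training material or of iMaster NCE-Fabric: a controller copy and a forwarder copy of configuration are compared per feature (full discovery), a fingerprint of the forwarder data lets a later run skip features that have not changed (incremental discovery), and the two elimination directions are modelled as reconcile (controller to forwarder, the "Sync To" direction) and synchronize (forwarder to controller). Feature names and instance data are constructed.

```python
"""Inconsistency discovery, reconciliation and synchronization (added example, not product code)."""
import hashlib
import json
from copy import deepcopy
from typing import Any, Dict, Optional

Config = Dict[str, Dict[str, Any]]   # feature -> {instance id -> instance data}


def fingerprint(feature_data: Dict[str, Any]) -> str:
    """Stable hash of one feature's data as collected from the forwarder."""
    return hashlib.sha256(json.dumps(feature_data, sort_keys=True).encode()).hexdigest()


def discover(controller: Config, forwarder: Config, last_fps: Optional[Dict[str, str]] = None):
    """Full discovery (last_fps is None) compares every feature; incremental discovery
    skips features whose forwarder data is unchanged since the last collection."""
    diffs, fps = {}, {}
    for feature in sorted(set(controller) | set(forwarder)):
        fps[feature] = fingerprint(forwarder.get(feature, {}))
        if last_fps is not None and last_fps.get(feature) == fps[feature]:
            continue                                   # not collected again
        c, f = controller.get(feature, {}), forwarder.get(feature, {})
        d = {
            "only_on_controller": sorted(k for k in c if k not in f),
            "only_on_forwarder": sorted(k for k in f if k not in c),
            "different": sorted(k for k in c if k in f and c[k] != f[k]),
        }
        if any(d.values()):
            diffs[feature] = d
    return diffs, fps


def reconcile(controller: Config, forwarder: Config, diffs, features) -> Config:
    """Data reconciliation: controller data is delivered to the forwarder."""
    fw = deepcopy(forwarder)
    for feature in features:
        fw.setdefault(feature, {})
        for k in diffs[feature]["only_on_controller"] + diffs[feature]["different"]:
            fw[feature][k] = deepcopy(controller[feature][k])
    return fw


def synchronize(controller: Config, forwarder: Config, diffs, features) -> Config:
    """Data synchronization: forwarder data is pulled into the controller."""
    ctl = deepcopy(controller)
    for feature in features:
        ctl.setdefault(feature, {})
        for k in diffs[feature]["only_on_forwarder"] + diffs[feature]["different"]:
            ctl[feature][k] = deepcopy(forwarder[feature][k])
    return ctl


# Constructed copies: VLAN 20 exists only on the controller, VLAN 30 only on the forwarder.
CONTROLLER: Config = {"vlan": {"10": {"name": "web"}, "20": {"name": "db"}},
                      "acl": {"3000": {"rules": 2}}}
FORWARDER: Config = {"vlan": {"10": {"name": "web"}, "30": {"name": "legacy"}},
                     "acl": {"3000": {"rules": 2}}}

if __name__ == "__main__":
    diffs, fps = discover(CONTROLLER, FORWARDER)
    print(diffs)
    print(reconcile(CONTROLLER, FORWARDER, diffs, ["vlan"])["vlan"])
```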
Three-Level Rollback
Network-wide rollback
• Network-wide rollback is used to resolve major faults on the entire network. For example, if network configurations are deleted due to changes, many services are interrupted. In this case, network-wide configurations can be rolled back to those before the changes or interruptions, enabling quick service recovery.
• Before changes, you can back up network-wide configurations on iMaster NCE-Fabric. When a problem occurs due to changes, the configurations can be quickly restored to the backup point, resolving major network faults.
• You can manually save data in real time or periodically on the GUI. You need to proactively back up data.
Tenant snapshot
• The tenant snapshot function is used to back up and restore network service configurations by tenant, and applies to multi-tenant services. Backup and restoration operations performed by a tenant do not affect the provisioning of other tenants' services, including backup and restoration of network service configurations by other tenants.
• The tenant snapshot function allows a tenant to set a backup point and save all its service configurations at the backup point. If needed, service configurations can then be restored to a specific snapshot point. Additionally, iMaster NCE-Fabric can compare the current configurations with the configurations at the snapshot point, or compare the configurations from two given snapshot points, and perform configuration rollback to eliminate differences.
• The tenant snapshot function supports manual backup and restoration as well as automatic and periodic backup.
Service-level rollback
• Service-level rollback helps quickly restore original network configurations to recover services when a network exception occurs due to a fine-grained single-point service provisioning failure.
• You do not need to manually back up data for service-level rollback, but you need to manually restore data.
• iMaster NCE-Fabric automatically backs up each service that is provisioned. When an exception occurs, iMaster NCE-Fabric can quickly restore the service to the status before the service was provisioned.
• If the task fails, click > to view details about the backup task and failure cause.
Then locate and rectify the fault based on the failure cause to back up the data
again.
• Design state: [figure: one-click rollback]
Troubleshooting
⚫ iMaster NCE-Fabric provides the intent-driven intelligent event function, which supports device monitoring, application and service
fault monitoring, as well as display of fault details, rectification suggestions or plans. You can perform closed-loop management of
faults based on user intents. The intelligent event function helps users quickly locate and rectify faults, shortening the time for fault
locating and troubleshooting as well as enhancing service continuity.
• Currently, the intelligent event function supports the following types of fault
events: device fault, application fault, and service fault. iMaster NCE-Fabric needs
to collaborate with iMaster NCE-FabricInsight to solve application and device
faults, while iMaster NCE-Fabric can solve service faults independently.
▫ Service fault: A new host access link is set up due to incorrect interface
connection or server migration. In this case, the status of the existing host
access link becomes unknown. When detecting the unknown host access
link, iMaster NCE-Fabric generates a fault event.
• Note:
▫ Device and application faults (with iMaster NCE-FabricInsight):
1. iMaster NCE-FabricInsight collects syslogs, device configurations, and device flow information to automatically detect faults, and analyzes the faults and their impacts.
2. iMaster NCE-FabricInsight sends fault details, root causes, and fault impacts to iMaster NCE-Fabric.
3. iMaster NCE-Fabric analyzes the fault information and provides suggestions as well as a fault rectification plan and its impacts.
4. iMaster NCE-Fabric delivers the rectification plan. After detecting that the fault is rectified, iMaster NCE-FabricInsight updates the event status.
▫ Key assurance flows:
1. iMaster NCE-Fabric sends the created key assurance flow task information to iMaster NCE-FabricInsight.
2. iMaster NCE-FabricInsight monitors the traffic status of the specified task. When a flow exception is detected, it sends the exception information to iMaster NCE-Fabric.
▫ Service faults (unknown host access link):
1. When detecting an unknown host access link, iMaster NCE-Fabric sends the fault information to the fault remediation module using closed-loop troubleshooting.
2. The fault remediation module analyzes the network configuration associated with the unknown link.
3. Fix the logical switch configuration associated with the unknown link. After the rectification is successful, the network configuration associated with the existing link is migrated to the new port.
4. After the unknown link is cleared, the status of the fault event is updated to Solved.
⚫ In the dialog box that is displayed, click Handle on the Switch Routing Hardware Table Loss tab page to view the
fault details.
⚫ After the fault is rectified, the event status changes to Solved. Click Close Event to close the event.
• If you need to roll back the rectification plan after it is successfully delivered, click
Roll Back on the Solution 1 tab page.
Contents
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
◼ Overview
▫ Fault Locating
▫ Change Assurance
iMaster NCE-FabricInsight
⚫ Based on the Huawei-developed big data analytics platform, iMaster NCE-FabricInsight receives data from network devices in telemetry mode and uses AI algorithms to analyze network data.
• Network health evaluation: multi-DC and multi-cloud network health evaluation; capacity/traffic risk prediction; unified health management of multi-vendor DCNs.
• Minute-level troubleshooting: "1-3-5" troubleshooting for 75 types of typical faults; automatic root cause inference; one-click flow troubleshooting.
• Key service assurance: service intent verification; data plane modeling; service intent management.
• Also: IP address visualization; network change comparison; network search.
[Figure: O&M service apps on top of iMaster NCE-FabricInsight, which receives network telemetry from the fabric]
▫ Network devices:
Device Analyzer
After data subscription, the collection service module collects data in seconds. The high-throughput distributed message
system is used to buffer and distribute the collected data. Service modules perform data analysis and calculation based on
the AI algorithm and expert experience, and save the processed data to the fast and column-oriented distributed data
storage system. You can access the page to view the data and functions.
• Note:
▫ Kafka: the messaging middleware for storing and distributing data reported
by devices.
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
▫ Overview
◼ Network Visualization and Health Evaluation
▫ Fault Locating
▫ Change Assurance
Network KPI Network IP Address Network Log Network Traffic Health Risk
Visualization Visualization Visualization Visualization Assessment
Comparison of traditional pull-mode collection with push-mode (gRPC) telemetry:
• Data analysis. Pull: simple statistics collection with manual decision-making. Push + gRPC: intelligent data analysis with automatic troubleshooting.
• Transport. Pull: unstructured data with low format encoding and decoding efficiency. Push + gRPC: GPB binary encoding and decoding with high transmission efficiency.
• Data collection. Pull: request-response mode with a large sampling interval (5/15 min). Push + gRPC: continuous data push with only one-time data subscription.
• Data generation. Pull: minute-level polling cycle, failing to meet the service requirements of real-time management. Push + gRPC: near real-time (quasi-real-time) data acquisition.
• Intuitive status. Push + gRPC: intelligent exception detection based on dynamic baselines, intuitively displaying historical trends and facilitating network optimization.
KPI category, collected metrics, and collection interval:
• Queue: number of sent/received PFC frames, number of PFC deadlock detection times, number of PFC deadlock recovery times, Headroom buffer in use, and Guaranteed buffer in use (1 min)
• Optical link: transmitted/received optical power, current, voltage, and temperature (1 min)
• Packet loss behavior: forwarding packet discarding and congestion-triggered packet loss (1 min)
• Entry: details of FIB/ARP/ND entries (dynamic subscription)
Metric scenarios:
• Value stability metric scenario: if values at sampling points are out of the valid range, they are called outliers.
• Differentiated stability metric scenario: if salient differences exist in time points before and after the sampling, it is called a link comparison exception.
• Period stability metric scenario: if salient differences exist between the sampling interval series and the overall trend, it is called a parallel comparison exception.
Processing pipeline:
1. Input: time series data of metrics (value, time). Functions: automatic identification of collection frequencies; automatic filling of missing data; noise reduction of abnormal data; special adaptation (extra data processing during holidays). Output: data features (value stability or period stability) and the metric collection interval.
2. Functions: period stability metric algorithm (time series decomposition); value stability metric algorithm (Gaussian regression); baseline boundary construction based on algorithms; baseline sensitivity adjustment; prediction of the top and bottom baseline boundaries for the next collection interval.
3. Functions: number of exceptions; suppression and combination of problems; problem notification. Output: exception.
▫ Baseline Offset: applies to the dynamic baseline and is used to adjust the
dynamic baseline detection range.
▫ Repetitive Times: indicates the number of times that the dynamic baseline
or static threshold is exceeded consecutively.
• When a baseline exception occurs on an interface, you can view associated flow
information.
▫ You can adjust the static threshold and number of repetitions. You can also
adjust the sensitivity of dynamic baseline detection based on detected
exceptions.
⚫ Every Sunday, AI predicts the inbound and outbound bandwidth usage trends of interfaces in the next 12 weeks based on the
historical data of the last 66 days. If the data of the last 66 days is incomplete, traffic prediction reliability decreases, or even no
prediction result is generated (the number of days in which historical data is stored is less than the threshold).
⚫ The Overview tab page displays statistics on devices and hosts in the current system, including the host access mode, top 10
switches to which hosts are connected, top 10 gateways to which hosts are connected, top 10 fabrics by IP address usage, top 10
subnet usage, online IP address statistics and change trend, as well as invalid IP address statistics.
⚫ Top 10 subnets by IP address usage ⚫ Top 10 devices connected to online hosts
• Use the analyzer of V100R021 as an example. Choose Toolbox > IP 360 to access
the IP address visualization page.
⚫ In addition, you can filter items by the IP address, MAC address, fabric, access device, access interface, virtual routing and forwarding
(VRF), VLAN ID, active status, and access type of a VM.
⚫ Scenario: During dynamic VM migration, the network team cannot determine whether the location of the switch to which the VM is connected has changed. As a result, the VM cannot access the network before dynamic VM migration, and it is difficult to locate the fault.
[Figure: virtual machine manager (VMM), Leaf-1 to Leaf-4, a VM migrating between leaf switches, and ARP update messages delivered through telemetry]
⚫ Solution: iMaster NCE-FabricInsight uses telemetry to collect ARP update information (including added, deleted, and modified entries) from network-wide devices, and supports full-lifecycle visualization of VM login, logout, and migration records based on fabric information.
• iMaster NCE-FabricInsight monitors all logs from level 0 to level 4, with statistics
collected in different dimensions, such as the device name, IP address, module,
severity level, and type, so as to quickly master the distribution of abnormal logs
on the network.
• The system analyzes and displays fault logs on devices and allows you to filter
logs by the device name, device IP address, module, severity, type, and details.
Log severities include Emergencies, Alert, Critical, Error, and Warning.
• Occasional/New log analysis: count the abrupt change of logs and the type, module, level, and quantity of new logs to quickly identify key check points.
• Exception log trend: view the trend chart of the number of exception logs and the distribution of logs by severity in each time period.
• Network-wide log event visualization: display the trend, distribution statistics, and details of logs from level 0 to level 4 in multiple dimensions to present intuitive insights into network-wide log events.
• Application scenario:
▫ iMaster NCE-FabricInsight identifies exception logs that increase sharply on
a network. By performing dynamic baseline exception detection,
compressing logs, and comparing logs generated before and after
exceptions, iMaster NCE-FabricInsight helps O&M personnel to quickly
identify root causes of exceptions.
• Exception identification principles:
▫ iMaster NCE-FabricInsight checks whether the number of exception logs on
the entire network increases sharply based on the dynamic baseline.
▫ It then analyzes the logs that increase sharply by log type and frequency to
identify log distribution and check whether there are occasionally generated
logs.
▫ iMaster NCE-FabricInsight performs multi-dimensional clustering analysis
on the analysis result and automatically generates an issue, prompting
users to solve the issue in a timely manner.
• View the trend of the number of exception logs and details about exception logs:
The trend chart displays the trend of exception logs in the current time window,
top 10 devices and features by the number of exception logs, and log distribution
by severity.
▫ Move the pointer to a time period in the trend chart and view data in the
time period.
▫ Move the pointer to a device, feature, or log severity to view the
corresponding statistics.
▫ Click Top 10 Devices, Top 10 Features, or Logs by Severity to display the
corresponding exception log statistics and log list.
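Dynamic baseline detection, as an added example that is not part of the training material or of iMaster NCE-FabricInsight: one detector serves both the KPI baseline settings described earlier (Baseline Offset widening the band, Repetitive Times requiring consecutive outliers, an optional static threshold) and the exception-log surge analysis above, where a surge window's logs are then grouped by type and module and new log types are singled out. The Gaussian-style band (mean plus or minus k standard deviations of the same-phase samples from earlier periods) is a simplification chosen for this example; the bandwidth series, log counts and log records are constructed.

```python
"""Dynamic-baseline exception detection for KPIs and exception-log counts (added example)."""
from collections import Counter
from statistics import fmean, pstdev
from typing import List, Optional, Tuple


def baseline(history: List[float], k: float, offset: float) -> Tuple[float, float]:
    """Band around samples taken at the same phase of earlier periods.
    'offset' widens the band, like the Baseline Offset setting."""
    mu, sd = fmean(history), pstdev(history)
    return mu - k * sd - offset, mu + k * sd + offset


def detect(series: List[float], period: int, k: float = 3.0, offset: float = 0.0,
           static_threshold: Optional[float] = None, repetitive_times: int = 3) -> List[int]:
    """Return the indexes at which an exception is raised.

    A sample is an outlier when it leaves the dynamic baseline built from the same
    phase of previous periods, or exceeds the static threshold. An exception is raised
    only once 'repetitive_times' consecutive samples are outliers (Repetitive Times),
    and only once per run of outliers."""
    exceptions, run = [], 0
    for i, v in enumerate(series):
        history = [series[j] for j in range(i % period, i, period)]
        if len(history) < 2:            # not enough earlier periods for a baseline
            continue
        lo, hi = baseline(history, k, offset)
        outlier = v < lo or v > hi or (static_threshold is not None and v > static_threshold)
        run = run + 1 if outlier else 0
        if run == repetitive_times:
            exceptions.append(i)
    return exceptions


def log_surge_report(counts: List[float], logs, period: int, **detect_kwargs):
    """For each surge window, group its logs by (module, severity, type), flag types
    absent from the previous window (new logs), and list the top devices."""
    report = {}
    for idx in detect(counts, period, **detect_kwargs):
        cur = [entry for entry in logs if entry[0] == idx]
        prev_types = {(m, s, t) for (w, _, m, s, t) in logs if w == idx - 1}
        by_type = Counter((m, s, t) for (_, _, m, s, t) in cur)
        report[idx] = {
            "by_type": by_type,
            "new_types": [t for t in by_type if t not in prev_types],
            "top_devices": Counter(d for (_, d, _, _, _) in cur).most_common(3),
        }
    return report


# Constructed interface bandwidth usage (%) sampled 4 times a day for 5 days (period = 4);
# the last three samples are a sustained anomaly.
BANDWIDTH = [20, 60, 70, 30, 22, 58, 72, 31, 19, 61, 69, 29, 21, 59, 71, 30, 21, 95, 96, 97]
# Constructed network-wide exception-log counts per window, same period.
LOG_COUNTS = [5, 4, 6, 5, 6, 5, 5, 4, 4, 6, 5, 6, 5, 5, 6, 5, 5, 40, 45, 50]
# A handful of the logs from windows 17 and 18 (window, device, module, severity, type);
# constructed and abbreviated relative to LOG_COUNTS.
LOGS = [
    (17, "leaf1", "IFNET", "Warning", "LINK_STATE"),
    (17, "leaf2", "IFNET", "Warning", "LINK_STATE"),
    *[(18, "leaf3", "BGP", "Error", "PEER_DOWN")] * 4,
    (18, "spine1", "BGP", "Error", "PEER_DOWN"),
    *[(18, "leaf3", "IFNET", "Warning", "LINK_STATE")] * 2,
]

if __name__ == "__main__":
    print("bandwidth exceptions:", detect(BANDWIDTH, 4))
    print("log surge:", log_surge_report(LOG_COUNTS, LOGS, 4, repetitive_times=2))
```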
• Network traffic composition analysis based on traffic sampling: analyze the network traffic, traffic trend statistics, and traffic characteristics from multiple dimensions based on the NetStream traffic sampling technology to identify abnormal network traffic and allocate resources properly.
• Connectivity fault analysis based on service flow and network association: implement one-click troubleshooting of connectivity issues based on correlation analysis between TCP services and networks through flow path visualization, hop-by-hop latency awareness (feature packets), and abnormal traffic analysis.
• SLA detection based on TCP, UDP, and multicast flows: monitor major services based on quality analysis of the connectivity and packet loss/latency of specified services, and quickly locate fault points after poor-QoE issues such as packet loss occur.
• Note:
• That is, packets are periodically sampled within the specified packet interval (1–
65535). For example, if the interval is 100 packets, one random packet is sampled
from every 100 packets.
[Figure: TCP three-way handshake for link establishment (1 SYN, 2 SYN/ACK, 3 ACK) followed by FIN/ACK teardown, with the packets mirrored through ERSPAN at the Spine]
• iMaster NCE-FabricInsight can obtain the following information about a TCP flow:
▫ Exception: latency >1 ms, TCP Flags exception (RST), TCP retransmission,
TTL < 3, etc.
⚫ User scenario: 1:1 data packet analysis of specified flows (configurable), including TCP/UDP (unicast) traffic.
⚫ Output traffic information: traffic visualization (5-tuple and port); traffic statistics (packet/byte).
[Figure: forwarding chip and coprocessor]
• Forwarding chip: an ACL matches a specific TCP/UDP flow; the specified incoming and outgoing traffic is copied from the original packet stream and sent to the coprocessor.
• Coprocessor: TCP/UDP traffic analysis; traffic statistics (4-tuple, start and end time of flows, traffic volume); flow exceptions (packet loss, RTT); periodic export every 10 seconds or instant export after TCP flow aging.
• Note:
▫ RTT: Round-Trip Time, indicating the total latency from the time when the
transmit end sends data to the time when the transmit end receives an
acknowledgment from the receive end (the receive end sends an
acknowledgment immediately after receiving the data).
• When the protocol is TCP, IPv4 and IPv6 (IPv6 overlay) are supported and the device configuration items include ACL number, whether to match VXLAN packets, whether to match packets containing one-layer VLAN tags, whether to configure aging of TCP termination packets, aging time of active items, aging time of inactive items, unidirectional flow matching sequence number, and unidirectional flow matching mask. Latency settings include the RTT threshold. Zero window settings include the zero window threshold.
• When the protocol is UDP, only IPv4 is supported and the device configuration
items include ACL number, whether to match VXLAN packets, whether to match
packets containing one-layer VLAN tags, and aging time of inactive items.
Latency settings include the latency threshold.
Detail areas on the page: Basic information, Analysis conclusion, Event list.
▫ Basic information: displays the number of sessions with packet loss, total
number of sessions, number of lost packets in the request directions, total
number of packets in the request directions, number of lost packets in the
response directions, total number of packets in the response directions,
total traffic in the request direction, total traffic in the response direction,
number of zero windows in the request direction, and number of zero
windows in the response direction.
▫ Analysis conclusion: displays the packet loss rate analysis results, packet loss
node analysis results, average RTT analysis results in the request and
response directions, and analysis results for the maximum number of zero
windows in the request and response directions.
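The TCP flow exception criteria (latency above 1 ms, RST flag, retransmission, TTL below 3), the configurable RTT and zero window thresholds, and the packet-loss analysis conclusion described above, as an added example that is not part of the training material or of iMaster NCE-FabricInsight: per-flow records as a coprocessor might export them are classified against those criteria, and the basic-information counters are aggregated into loss rates per direction, average RTT and maximum zero windows. The flow records and their counters are constructed.

```python
"""TCP flow exception classification and packet-loss analysis conclusion (added example)."""
from dataclasses import dataclass
from statistics import fmean
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class TcpFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rtt_ms: float               # measured round-trip time
    flags: FrozenSet[str]       # TCP flags seen on the mirrored packets
    retransmissions: int
    min_ttl: int                # lowest TTL observed on the flow
    req_packets: int            # request direction (client -> server)
    req_lost: int
    resp_packets: int           # response direction (server -> client)
    resp_lost: int
    req_zero_windows: int
    resp_zero_windows: int


def flow_exceptions(f: TcpFlow, rtt_threshold_ms: float = 1.0,
                    zero_window_threshold: int = 0) -> List[str]:
    """Exception criteria from the slides; the two thresholds mirror the configurable
    RTT threshold and zero window threshold of the TCP flow analysis settings."""
    ex = []
    if f.rtt_ms > rtt_threshold_ms:
        ex.append("latency")
    if "RST" in f.flags:
        ex.append("tcp_flags_rst")
    if f.retransmissions > 0:
        ex.append("retransmission")
    if f.min_ttl < 3:
        ex.append("ttl")
    if max(f.req_zero_windows, f.resp_zero_windows) > zero_window_threshold:
        ex.append("zero_window")
    return ex


def analysis_conclusion(flows: List[TcpFlow]) -> Dict[str, float]:
    """Aggregate the basic-information counters into the analysis conclusion."""
    def rate(lost: int, total: int) -> float:
        return lost / total if total else 0.0

    req_total = sum(f.req_packets for f in flows)
    resp_total = sum(f.resp_packets for f in flows)
    return {
        "sessions": len(flows),
        "sessions_with_loss": sum(1 for f in flows if f.req_lost or f.resp_lost),
        "req_loss_rate": rate(sum(f.req_lost for f in flows), req_total),
        "resp_loss_rate": rate(sum(f.resp_lost for f in flows), resp_total),
        "avg_rtt_ms": fmean([f.rtt_ms for f in flows]) if flows else 0.0,
        "max_req_zero_windows": max((f.req_zero_windows for f in flows), default=0),
        "max_resp_zero_windows": max((f.resp_zero_windows for f in flows), default=0),
    }


# Constructed flow records: a healthy session, a slow session with retransmissions and
# zero windows, and a reset session whose packets arrive with an exhausted TTL.
FLOWS = [
    TcpFlow("10.1.1.10", 51000, "10.2.2.20", 443, 0.4, frozenset({"SYN", "ACK", "FIN"}),
            0, 62, 100, 0, 100, 0, 0, 0),
    TcpFlow("10.1.1.11", 51001, "10.2.2.20", 443, 3.2, frozenset({"SYN", "ACK"}),
            2, 61, 200, 4, 180, 0, 0, 2),
    TcpFlow("10.1.1.12", 51002, "10.2.2.21", 8080, 0.8, frozenset({"SYN", "RST"}),
            0, 2, 50, 0, 30, 3, 0, 0),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.src_ip, f.dst_ip, f.dst_port, flow_exceptions(f))
    print(analysis_conclusion(FLOWS))
```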
• Network-wide resource status check: you can view network-wide underlay/overlay network resources and collected KPI metric data, and compare the data collected yesterday with that collected today.
• Five-layer health evaluation system: you can view detailed analysis from dimensions such as device, network, protocol, service, and overlay to check whether the network health status is normal.
• Health evaluation refers to the evaluation on the overall health status of the
current network based on identified network issues, helping you quickly and
accurately identify and rectify faults.
▫ This portlet displays the overall health status of the network based on
multiple metrics such as the number of service assurance objects, network
connectivity intent verification, average transmission latency, and packet
loss rate. It also displays the distribution and growth of abnormal data
from dimensions such as device and telemetry.
▫ This portlet displays the number of pending issues, events, and resources
from dimensions such as device, network, protocol, overlay, and service. You
can click each layer to view the total number of events, resources, and
events unassociated with issues of network entities.
Issues by category:
• Performance: switch CPU threshold exceeded, switch memory threshold exceeded, service affected by switch interface congestion, firewall CPU or IPv4 session threshold exceeded, abnormal switch CPU usage increase, abnormal switch memory usage increase, abnormal firewall CPU usage increase, abnormal firewall memory usage increase, abnormal drop packet increase, abnormal error packet increase, abnormal unicast packet increase, abnormal multicast packet increase, abnormal broadcast packet increase, abnormal bandwidth usage change, abnormal huge page memory usage increase, and abnormal forwarding core usage increase
• Capacity: switch ARP entry threshold exceeded, switch ND entry threshold exceeded, switch MAC entry threshold exceeded, switch storage space threshold exceeded, switch ACL resource threshold exceeded, switch SFU forwarding performance insufficiency, switch FIB4 entry threshold exceeded, switch FIB6 entry threshold exceeded, number of routes received from a BGP peer exceeding the limit, abnormal switch ARP entry increase, abnormal switch ND entry increase, abnormal switch FIB4 entry increase, abnormal switch FIB6 entry increase, abnormal switch MAC entry increase, predicted traffic threshold exceeding, switch BD threshold exceeded, switch VRF entry threshold exceeded, switch Layer 2 sub-interface threshold exceeded, abnormal TCAM rule usage increase, predicted forwarding core usage threshold exceeding, abnormal EMC entry usage increase, abnormal ND-suppress entry usage increase, abnormal ARP-suppress entry usage increase, and abnormal virtual port usage increase
Category | Issue
Status | Switch LPU exception, repeated switch LPU exception, switch MPU exception, switch SFU exception, repeated switch SFU exception, switch fan exception, switch power exception, link port status flapping, unidirectional link connectivity fault on the network side of a switch, routing loop, switch port Error-Down, suspected subhealthy optical link, suspected switch entry change, switch ARP entry loss, switch routing table loss, BGP peer status flapping, access-side IP address conflict on the VXLAN network, suspected Layer 2 loop, optical module type mismatch, repeated switch MPU exception, repeated switch restart, switch fault, switch disconnection, switch M-LAG dual-active state, switch chip soft failure, VXLAN tunnel interruption, license file expiration, OSPF router ID conflict, physical switch port suspension, OSPF DR IP address conflict, OSPF neighbor status change, BGP peer status change, stack fault, host IP address conflict, IP address conflict on the network side, access-side port blocked by STP, license file about to expire, and abnormal increase of exception logs
Policy | TCP SYN flood attack, ARP attack, ND attack, and invalid ARP packet received by a switch
Connection | Single IP address fault on the access side, server access fault, TCP service port not enabled, TCP service port fault, and service interruption caused by BD deletion, sub-interface shutdown, or sub-interface deletion
Intent | Inconsistent link and port metrics, routing loop on the entire network, routing blackhole on the entire network, service reachability intent verification failure, and service isolation intent verification failure
• Network overview:
• KPI details:
• Report details:
▫ Display the health status from five dimensions in detail and identify
exceptions in a timely manner to provide optimization suggestions.
Figure: IP network with FabricInsight 1 (single-node/cluster deployment) and FabricInsight 2 (standalone/cluster deployment)
Cross-DC/-fabric application access traffic: Cross-fabric application interaction traffic and trends are displayed so that abnormal traffic changes can be identified quickly, facilitating fault locating and capacity expansion.
Cross-DC/-fabric network evaluation: The composition of north-south DC, east-west DC, and intra-DC traffic at peak hours is analyzed to identify the applications with high traffic at peak hours and to evaluate the overall network health status.
• The health evaluation function evaluates the overall health status of the current
network based on identified network issues, helping customers quickly and
accurately identify and rectify faults.
▫ Traffic distribution: You can click View Details to view details about the
composition of north-south and east-west traffic on the entire network,
including the traffic statistics, bandwidth usage, and health evaluation
statistics.
Category | Issue
Capacity | Cross-fabric routes received from BGP peers exceeding the threshold
Status | Change of BGP peer status between fabric gateways, BGP peer relationship flapping between fabric gateways, cross-fabric host IP address conflict, and VXLAN tunnel interruption
Intent | Link port metrics inconsistency, routing loop on the entire network, routing blackhole on the entire network, service reachability intent verification failure, and service isolation intent verification failure
Contents
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
▫ Overview
◼ Fault Locating
▫ Change Assurance
Tabs: Proactive Fault Identification and Analysis | Service Assurance and Fault Locating
• Passive troubleshooting based on personal experience evolves into AI-based automatic fault locating with closed-loop handling.
• Note:
• Handling suggestions:
▫ Step 1: Run the display qos queue statistics interface port-type port-
number command on the switch to check whether packet loss occurs on
each interface queue.
▫ Step 3: If the traffic trend does not comply with the historical trend and the
traffic increases sharply, keep checking for 30 minutes and check whether
any application fault is reported. If no fault is reported, close this issue.
• Knowledge base: construction of a knowledge base for 40+ objects, 300+ attributes, and other relationships; compatible with third-party access devices.
• Association: logs, metrics, and flow events are automatically associated with specified network objects; dynamic graph update and automatic locating triggering.
• Inference: fault inference and root cause aggregation; mining and display of fault propagation chains; automatic generation of fault descriptions based on inference results.
• Feedback: manual marking of inference results; algorithm-based graph similarity matching; dynamic maintenance of case libraries based on customer concerns.
Event list
• On the Health page, you can click a specific network entity to view its details. When the icon in the Operation column is blue, you can click it to go to the knowledge graph page and view the exception analysis of the associated event.
• This portlet displays possible root causes and fault propagation paths. You can
click an NE to view associated events.
Traditional O&M vs. intelligent O&M
• Traditional O&M:
▫ Source tracing failure: the fault impact scope cannot be identified, which makes root cause tracing difficult.
• Intelligent O&M:
▫ Path visualization: the fault propagation path is displayed and the fault impact scope is identified.
• The Pending Issues list displays all issues that are not cleared or acknowledged.
The Historical Issue list displays all cleared and acknowledged issues. You can
view issue details, including basic issue information and issue impact scope.
• Issues from the MDA health evaluation function and issues from the iMaster NCE-FabricInsight health evaluation function are independent of each other: the two kinds of issues cannot be cleared together, and their acknowledgment status cannot be changed together.
Figure: forwarding paths A > B > C1 > D2 and A > B > C2 > D2 compared
When an exception occurs, the forwarding path of an abnormal packet is compared with that of a normal one to quickly find the difference between them.
◼ Scenario 1: The path is incomplete.
Figure: breakpoint analysis by interconnection type (Layer 2 interconnection, Layer 3 interconnection, …), distinguishing the case where the breakpoint device has the ARP entry of the destination IP address from the case where it does not.
⚫ For flow events whose SYN/SYN-ACK packets have Status displayed as TCP Retransmission, or whose packet status is Abnormal TTL, you can switch to the fault inference diagram and run automatic, intelligent troubleshooting.
• By default, only abnormal flow events (TCP retransmission, abnormal TTL, TCP
RST, and abnormal TCP flag) and long flows (TCP flows that are not terminated
within 10 seconds) are displayed.
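The following is an added example, not FabricInsight code, showing how the flow-event categories listed above (TCP retransmission, abnormal TTL, TCP RST, abnormal TCP flag, and long flows not terminated within 10 seconds) can be derived from raw packet records. The packet records are constructed, and the rules for the TTL baseline (first TTL seen per source IP at one observation point) and for invalid flag combinations are assumptions made for the example.

```python
"""Classify TCP flow records into the abnormal-flow categories listed above
(TCP retransmission, abnormal TTL, TCP RST, abnormal TCP flag) plus long flows
(not terminated within 10 s). Added example, not FabricInsight code: the packet
records are constructed, and the TTL-baseline and invalid-flag rules are
assumptions made for the example."""
from collections import defaultdict

LONG_FLOW_SECONDS = 10.0
# Flag combinations that no legitimate TCP stack sends (assumed rule set).
INVALID_FLAG_SETS = [
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset(),                                            # null scan
    frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"}),  # "Xmas" scan
]


def flow_key(pkt):
    """One direction of a TCP conversation: (src, sport, dst, dport)."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def classify_flows(packets):
    """Return {flow_key: set(event names)} for every flow that is abnormal or long."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["t"]):
        flows[flow_key(p)].append(p)

    # Assumed TTL rule: at a fixed observation point, packets from one source IP
    # arrive with a constant TTL; the first TTL seen per source is the baseline.
    ttl_baseline = {}
    for key, pkts in flows.items():
        ttl_baseline.setdefault(key[0], pkts[0]["ttl"])

    result = {}
    for key, pkts in flows.items():
        events, seen_seq = set(), set()
        for p in pkts:
            flags = frozenset(p["flags"])
            if "RST" in flags:
                events.add("TCP RST")
            if flags in INVALID_FLAG_SETS:
                events.add("abnormal TCP flag")
            if p["ttl"] != ttl_baseline[key[0]]:
                events.add("abnormal TTL")
            # A SYN or a data segment repeating an already-sent sequence number
            # is a retransmission; pure ACKs legitimately repeat seq numbers.
            if "SYN" in flags or p["len"] > 0:
                if p["seq"] in seen_seq:
                    events.add("TCP retransmission")
                seen_seq.add(p["seq"])
        terminated = any({"FIN", "RST"} & set(p["flags"]) for p in pkts)
        if not terminated and pkts[-1]["t"] - pkts[0]["t"] > LONG_FLOW_SECONDS:
            events.add("long flow")
        if events:
            result[key] = events
    return result


def _pkt(t, src, sport, dst, dport, flags, seq, length=0, ttl=63):
    return dict(t=t, src=src, sport=sport, dst=dst, dport=dport,
                flags=flags, seq=seq, len=length, ttl=ttl)


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS = [
    # Normal short flow: handshake, one data segment, FIN within 0.5 s.
    _pkt(0.0, "10.1.1.10", 40000, "10.1.2.20", 443, ["SYN"], 100),
    _pkt(0.1, "10.1.1.10", 40000, "10.1.2.20", 443, ["ACK"], 101),
    _pkt(0.2, "10.1.1.10", 40000, "10.1.2.20", 443, ["PSH", "ACK"], 101, 50),
    _pkt(0.5, "10.1.1.10", 40000, "10.1.2.20", 443, ["FIN", "ACK"], 151),
    # SYN sent three times with the same seq: the server port never answers.
    _pkt(1.0, "10.1.1.10", 40001, "10.1.2.21", 8080, ["SYN"], 500),
    _pkt(2.0, "10.1.1.10", 40001, "10.1.2.21", 8080, ["SYN"], 500),
    _pkt(4.0, "10.1.1.10", 40001, "10.1.2.21", 8080, ["SYN"], 500),
    # Server resets a connection.
    _pkt(5.0, "10.1.2.20", 443, "10.1.1.11", 40002, ["RST", "ACK"], 0, ttl=62),
    # SYN+FIN probe whose TTL does not match the source's baseline.
    _pkt(6.0, "10.1.1.10", 40003, "10.1.2.22", 22, ["SYN", "FIN"], 7, ttl=200),
    # Flow still open after 15 s with no FIN/RST.
    _pkt(10.0, "10.1.1.12", 40004, "10.1.2.20", 443, ["SYN"], 1),
    _pkt(25.0, "10.1.1.12", 40004, "10.1.2.20", 443, ["ACK"], 2),
]

if __name__ == "__main__":
    for key, events in classify_flows(SAMPLE_PACKETS).items():
        print("%s:%d -> %s:%d  %s" % (key + (", ".join(sorted(events)),)))
```

The normal flow produces no event and is therefore not listed, which is the default display behaviour described above; each of the other four constructed flows lands in exactly one or two of the categories.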
• Click Fault Reasoning to view the logical topology passed by the event. Compare
the current abnormal flow paths with the previous normal flow paths.
• After the paths are calculated for normal flows and abnormal flows, you can
click No Troubleshooting or Timely Troubleshooting to select a
troubleshooting mode. Troubleshooting can be performed only when abnormal
flow paths exist. By default, No Troubleshooting is used, indicating that
troubleshooting is not performed. If normal flow paths exist and Timely
Troubleshooting is selected, the system performs troubleshooting for log issues
based on the timestamps of normal flow paths and abnormal flow paths, and
performs troubleshooting for entry, configuration change, and firewall policy
blocking issues based on the timestamps of normal flow paths and current
timestamps. If no normal flow path exists and Timely Troubleshooting is
selected, the system performs troubleshooting based on the timestamps of
abnormal flow paths and current timestamps. Before performing troubleshooting
for configuration change and firewall policy blocking issues, the system
automatically synchronizes the latest configurations.
⚫ In the traditional O&M system, information is isolated and no association exists between configurations, entries, KPIs, and logs, requiring multiple searches and manual matching. Intelligent network search improves the searching efficiency of network data, including network resource data, device configuration files, device forwarding entries, "1-3-5" troubleshooting issues, device exception logs, KPIs, and intent verification data.
Figure: intelligent network search architecture (data replication service, index, knowledge graph, search service)
• Technical principles:
• Note:
• The network search function searches for resources, entries, configuration files,
issues, and other objects on the network in a unified manner and displays
information such as metrics, associated applications, and entries of target objects,
as well as the recommended correlation analysis result. The search function can
efficiently search for target objects and their associated data, improving O&M
efficiency.
▫ Searches for objects such as devices, boards, interfaces, power modules, fan
modules, optical modules, ARP entries, routing table entries, configuration
files, and issues.
▫ Displays the physical topology and hierarchical topology of target objects.
▫ Displays the recommended correlation analysis result of target objects.
▫ Searches for issues and displays issue details.
▫ Searches for entries and configuration files.
• Scenario:
▫ In an enterprise, the network department receives a fault report from the
service department that an IP service is interrupted, requiring joint
troubleshooting.
• Solution: Search the VM IP address and obtain the comprehensive information
about the VM to quickly locate the failure point. The information includes:
▫ VM access location.
▫ VM access interface status.
▫ Whether congestion occurs on the interface connected to the VM.
▫ Whether changes occur in the configurations of gateways connected to the
VM.
▫ Whether the incoming and outgoing traffic of the VM changes sharply.
▫ Whether the VM frequently goes online and offline.
Contents
2. iMaster NCE-Fabric
3. iMaster NCE-FabricInsight
▫ Overview
▫ Fault Locating
◼ Change Assurance
⚫ A network snapshot is a backup of the data running on a device at a specified time point. The first snapshot is a synchronization of the full device data; each later snapshot is created from the incremental changes.
⚫ Changes in resources, protocols, configurations, entries, and KPI trends are tracked in real time based on telemetry, and network changes are detected rapidly by comparing snapshots taken at different time points.
• Note:
▫ Create snapshot collection tasks before a change; snapshots cover multiple dimensions, such as device configurations, ARP entries, ND entries, RIB entries, CPU usage, memory usage, and interface bandwidths.
▫ Automatically synchronize and analyze device configuration and entry snapshots after a change; manual snapshot synchronization is also supported.
▫ Compare and analyze the data snapshots taken before and after a change, visualizing the differences for each device.
▫ Display detailed comparisons of configurations, entries, and other snapshot dimensions before and after a change, identifying configuration changes.
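As an added example (not iMaster NCE-FabricInsight code), the comparison step described above can be reduced to a per-device, per-dimension diff of two snapshots. The snapshot layout (configuration lines as a set, ARP and RIB entries as key/value tables, KPIs as numbers), the leaf1/leaf2 sample data, and the KPI alert thresholds are all constructed for the example; the point it shows is that a change review must flag not only what was added but what silently disappeared (here a deny ACL rule and a route) and what changed underneath (an ARP entry now pointing at a different MAC).

```python
"""Compare network snapshots taken before and after a change, device by device
and dimension by dimension (configuration, ARP entries, RIB entries, KPIs),
as the change-assurance comparison above does. Added example, not iMaster
NCE-FabricInsight code: the snapshot layout and the leaf1/leaf2 sample data
are constructed, and the KPI alert thresholds are assumptions."""

# Assumed thresholds: a KPI that moves by more than this many percentage
# points across the change is reported even if no entry changed.
KPI_ALERT_DELTA = {"cpu_usage": 20.0, "memory_usage": 20.0}


def _as_table(entries):
    """Normalise a dimension to {key: value}; plain sets/lists become {item: True}."""
    if isinstance(entries, dict):
        return entries
    return {item: True for item in entries}


def diff_entries(before, after):
    """Added/removed/changed keys between two entry tables."""
    before, after = _as_table(before), _as_table(after)
    return {
        "added": {k: after[k] for k in sorted(after.keys() - before.keys())},
        "removed": {k: before[k] for k in sorted(before.keys() - after.keys())},
        "changed": {k: (before[k], after[k])
                    for k in sorted(before.keys() & after.keys()) if before[k] != after[k]},
    }


def diff_snapshots(snap_before, snap_after):
    """Return {device: findings}; devices with no findings are omitted."""
    report = {}
    for dev in sorted(set(snap_before) | set(snap_after)):
        before, after = snap_before.get(dev), snap_after.get(dev)
        if before is None or after is None:
            report[dev] = {"device": "added" if before is None else "missing"}
            continue
        findings = {}
        for dim in ("config", "arp", "rib"):
            d = diff_entries(before.get(dim, {}), after.get(dim, {}))
            if any(d.values()):
                findings[dim] = d
        for kpi, limit in KPI_ALERT_DELTA.items():
            delta = after["kpi"][kpi] - before["kpi"][kpi]
            if abs(delta) > limit:
                findings.setdefault("kpi_alerts", {})[kpi] = delta
        if findings:
            report[dev] = findings
    return report


# Constructed snapshots (not from a real device).
_LEAF2 = {
    "config": {"interface 10GE1/0/2", " port link-type trunk"},
    "arp": {"10.1.2.20": "00e0-fc02-0001"},
    "rib": {"10.1.1.0/24": "192.168.0.1", "0.0.0.0/0": "192.168.0.1"},
    "kpi": {"cpu_usage": 10.0, "memory_usage": 38.0},
}
SNAPSHOT_BEFORE = {
    "leaf1": {
        "config": {"interface 10GE1/0/1", " port link-type trunk",
                   "acl number 3000", " rule 5 deny ip source 10.1.1.0 0.0.0.255"},
        "arp": {"10.1.1.10": "00e0-fc01-0001", "10.1.1.11": "00e0-fc01-0002"},
        "rib": {"10.1.2.0/24": "192.168.0.2", "0.0.0.0/0": "192.168.0.1"},
        "kpi": {"cpu_usage": 12.0, "memory_usage": 40.0},
    },
    "leaf2": _LEAF2,
}
SNAPSHOT_AFTER = {
    "leaf1": {
        # The deny rule was replaced by a permit-any rule during the change.
        "config": {"interface 10GE1/0/1", " port link-type trunk",
                   "acl number 3000", " rule 10 permit ip"},
        # 10.1.1.11 now resolves to a different MAC: host move or ARP spoofing.
        "arp": {"10.1.1.10": "00e0-fc01-0001", "10.1.1.11": "00e0-fc01-00ff"},
        # The route to 10.1.2.0/24 disappeared.
        "rib": {"0.0.0.0/0": "192.168.0.1"},
        "kpi": {"cpu_usage": 45.0, "memory_usage": 41.0},
    },
    "leaf2": _LEAF2,
}

if __name__ == "__main__":
    for dev, findings in diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(dev, findings)
```

leaf2, whose snapshot is identical before and after, does not appear in the report at all, so the output is only the set of devices an operator has to look at.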
• DPV builds a model based on the data plane information on the DCN. The data
plane information includes forwarding entries of network devices, such as routing
forwarding entries, ARP entries, VXLAN tunnel connection relationships and
status, VXLAN peer connection relationships and status, as well as physical link
relationships and status on the underlay network. This information reflects the
actual forwarding behavior on the DCN.
Figure: DPV inputs (network topology; underlay network information; underlay and overlay forwarding data) and a sample verification scenario: external access to the internal network without passing through a firewall, …
Intent type | Verification item | Rule source
Reachability | [Overlay] East-west reachability verification within a PoD or across PoDs on the same subnet | Customized
Reachability | [Overlay] East-west reachability verification within a PoD or across PoDs within a VPC on different subnets | Customized
Reachability | [Overlay] East-west reachability verification within a PoD or across PoDs between different VPCs, without passing through a firewall | Customized
Reachability | [Overlay] East-west reachability verification within a PoD or across PoDs between different VPCs, passing through a firewall | Customized
Reachability | [Overlay] North-south reachability verification within a PoD or across PoDs: communication between IP addresses of hosts on a fabric and external IP addresses of a fabric | Customized
Reachability | [Underlay] Communication between IP addresses within a fabric or across fabrics | Customized
Reachability | [Underlay] Traffic forwarding according to underlay routes within a fabric, such as communication between BGP peers and between VTEPs of a VXLAN tunnel | Customized
Reachability | Constraint-based forwarding path passing through one node to N nodes | Customized
Reachability | Verification and display of ECMP reachability | Customized
Reachability | Verification of route reachability between BGP peers on the entire network | Preset
Reachability | Verification of route reachability between VTEPs of VXLAN tunnels on the entire network | Preset
Isolation | Verification of whether two subnets (or IP addresses) are isolated from each other | Customized
Existence | Verification of whether routing loops occur on the network | Preset
Existence | Verification of whether routing blackholes exist on the network | Preset
Consistency | Verification of whether interface configurations on both sides of a link are the same, including the maximum transmission unit (MTU), rate, duplex mode, auto-negotiation mode, working mode, VLAN ID, and IP subnet | Preset
• Isolation intent: checks whether the source and destination IP addresses are
isolated. Isolation intents are generally used for verifying the network policy
compliance. For example, they can be used to check whether the security policies
of firewalls are as expected. The page for creating an isolation intent rule is
similar to that for creating a reachability intent rule, except that you do not need
to set the transit node on the former page.
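The following added example is a minimal data-plane verification model in the spirit of the DPV and intent verification described above, and it also covers the normal-versus-abnormal path comparison used for fault locating earlier in this section. It is not the product's own algorithm: the four-device network (two leaves, a spine, and a firewall between VPC subnets), its forwarding tables, and the firewall's `deny` prefix list are all constructed, and the way a firewall policy is represented is an assumption. Forwarding tables drive a hop-by-hop simulation; reachability intents (optionally requiring a transit node such as the firewall), isolation intents, the preset loop and blackhole existence checks, and the breakpoint search between two paths are evaluated against that simulation.

```python
"""Minimal data-plane verification (DPV) model of the kind the intent
verification above relies on: per-device forwarding tables drive a hop-by-hop
simulation against which reachability, isolation, loop-existence and
blackhole-existence intents are evaluated, and a normal path is compared with
an abnormal one to find the breakpoint device. Added example, not the product's
own algorithm: the four-device network, its FIBs and the firewall deny policy
are constructed; the `deny` prefix list is an assumed policy format."""
import ipaddress


class Device:
    def __init__(self, name, fib, deny=()):
        self.name = name
        # fib maps prefix -> next-hop device name, or "connected" for a local subnet
        self.fib = {ipaddress.ip_network(p): nh for p, nh in fib.items()}
        # prefixes this device (a firewall) drops; assumed policy representation
        self.deny = [ipaddress.ip_network(p) for p in deny]

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        matches = [n for n in self.fib if dst in n]
        return self.fib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def trace(devices, ingress, dst_ip):
    """Follow FIBs from `ingress` toward dst_ip.
    Returns (status, path); status is reachable, denied, blackhole or loop."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [], ingress
    while True:
        if cur in path:
            return "loop", path + [cur]
        path.append(cur)
        dev = devices[cur]
        if any(dst in n for n in dev.deny):
            return "denied", path
        nh = dev.lookup(dst)
        if nh is None:
            return "blackhole", path
        if nh == "connected":
            return "reachable", path
        cur = nh


def verify_reachability(devices, ingress, dst_ip, transit=()):
    """Reachability intent, optionally requiring transit nodes (e.g. a firewall)."""
    status, path = trace(devices, ingress, dst_ip)
    return status == "reachable" and all(t in path for t in transit)


def verify_isolation(devices, ingress, dst_ip):
    """Isolation intent: passes when the destination is NOT reachable."""
    return trace(devices, ingress, dst_ip)[0] != "reachable"


def find_loops_and_blackholes(devices):
    """Preset existence checks: probe one address of every known prefix from
    every device and collect the prefixes that loop or fall into a blackhole."""
    prefixes = {n for d in devices.values() for n in d.fib}
    loops, holes = set(), set()
    for ingress in devices:
        for n in prefixes:
            probe = n.network_address + (0 if n.prefixlen >= 31 else 1)
            status, _ = trace(devices, ingress, str(probe))
            if status == "loop":
                loops.add(str(n))
            elif status == "blackhole":
                holes.add(str(n))
    return {"loops": loops, "blackholes": holes}


def compare_paths(normal, abnormal):
    """Breakpoint of an abnormal path against a normal one: (last shared device,
    diverging next hop); the next hop is None when the abnormal path just ends."""
    for i, (n, a) in enumerate(zip(normal, abnormal)):
        if n != a:
            return (abnormal[i - 1] if i else None), a
    if len(abnormal) < len(normal):
        return abnormal[-1], None
    return None, None


# Constructed network: two leaves, a spine and a firewall between VPC subnets.
NET = {d.name: d for d in [
    Device("leaf1", {"10.1.1.0/24": "connected", "0.0.0.0/0": "spine"}),
    Device("leaf2", {"10.1.2.0/24": "connected", "10.1.3.0/24": "connected",
                     "0.0.0.0/0": "spine"}),
    Device("spine", {"10.1.1.0/24": "leaf1", "10.1.2.0/24": "leaf2",
                     "10.1.3.0/24": "fw", "10.1.4.0/24": "fw"}),
    # fw forwards 10.1.3.0/24 to leaf2 but bounces 10.1.4.0/24 back to spine,
    # a misconfiguration that produces a routing loop.
    Device("fw", {"10.1.3.0/24": "leaf2", "10.1.4.0/24": "spine"},
           deny=["10.1.3.100/32"]),
]}

if __name__ == "__main__":
    print(trace(NET, "leaf1", "10.1.3.10"))    # passes through fw
    print(trace(NET, "leaf1", "10.1.3.100"))   # blocked by firewall policy
    print(find_loops_and_blackholes(NET))
```

Because the model only knows what the forwarding tables say, a reachability intent that "passes through a firewall" is checked by requiring `fw` in the computed path, and an isolation intent passes whether the traffic is dropped by policy, blackholed, or looped; a practitioner reading the result should still look at the status to tell a deliberate deny from a routing fault.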
Tabs: Network Snapshot Analysis | Intent Verification
• Intent verification result overview: The overview area on the Intent Verification
Overview tab page displays the intent pass rate, distribution, and trend. The
intent pass rate distribution is displayed in terms of reachability, isolation,
existence, and consistency. You can switch the time range to view the intent pass
rate trend in a specified time range.
• User-defined reachability intent: In the Intents list, you can click a reachability
intent verification result link to view the detailed verification result.
Quiz
B. Device
C. Network
D. Interface
E. Protocol
1. ABCE
Summary
⚫ With the rapid growth of services and traffic, effective, flexible, and fast O&M has become a must. The CloudFabric intelligent DCN O&M solution enables O&M engineers to perform O&M intelligently rather than relying on manual effort alone.
⚫ This course describes the multi-dimensional, refined, and visualized O&M capabilities
provided by iMaster NCE-Fabric, helping to solve the problems of mixed physical and virtual
devices, blurred O&M boundaries of network and IT devices, and decoupling of physical and
logical networks. Various intelligent O&M functions provided by iMaster NCE-FabricInsight
are also introduced, including network visualization, network health evaluation, "1-3-5"
troubleshooting, service flow analysis and troubleshooting, and intent verification, with an
aim to solve problems such as traditional passive O&M and difficult fault locating, and
provide ubiquitous application and network assurance.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.