What You Should Know About the VLAN Centralized Management Protocol (VCMP)

In production environments, we often configure VLANs. As the number of devices grows, however, configuring every device by hand is both a large workload and inefficient. Huawei devices provide the VLAN Central Management Protocol (VCMP), a Huawei proprietary protocol similar to Cisco's VTP. Today, let's take a look at VCMP.

Definition

VLAN Central Management Protocol (VCMP) can realize centralized maintenance and management of VLANs. VCMP is a Huawei proprietary protocol that works at the link layer and provides a way to propagate VLAN configuration information in a Layer 2 network, thereby ensuring that VLAN configuration information is consistent throughout the Layer 2 network. Compared with manual configuration, VCMP has the advantages of less maintenance workload and consistent VLAN configuration.

Basic Concepts

VCMP uses a domain to manage switches. This domain is called a VCMP management domain. It also uses role definitions to determine device attributes, which are called VCMP roles. VCMP defines four roles: Server, Client, Transparent, and Silent.

VCMP management domain

A VCMP management domain consists of a group of switches with the same domain name interconnected through Trunk or Hybrid link interfaces. Each switch in the same domain must use the same domain name, and a switch can only join one VCMP management domain. Switches in different domains cannot synchronize VLAN information.

The VCMP management domain determines the scope of VCMP management devices. All switches added to the domain will be managed by the management device in the domain. There can be only one management device in a domain, but there can be multiple managed devices.

VCMP roles

1. Server

As a management role of the VCMP management domain, it is responsible for synchronizing VLAN information to other devices in the same domain through VCMP messages.

The information about creating or deleting VLANs and modifying VLAN names and descriptions on the server will be propagated throughout the domain.

2. Client

As a managed role in a VCMP management domain, it belongs to a specific VCMP management domain and synchronizes VLAN information to the local device based on VCMP messages sent by the server.

The information about creating or deleting VLANs and modifying VLAN names and descriptions on the client will not be propagated within the domain, but will be overwritten by the VLAN information sent by the server.

3. Transparent

As a transparent transmission role, it is not affected by VCMP management behavior and does not affect other devices in the VCMP management domain.

Transparent directly forwards VCMP messages (only to Trunk or Hybrid links).

The creation and deletion of VLANs and the modification of VLAN names and descriptions on the Transparent are not affected by the Server and will not be propagated within the domain.

This can meet the needs of some devices that do not want to be managed by VCMP but need to forward VCMP messages.

4. Silent

Deployed at the edge of a VCMP management domain, it is not affected by VCMP management behaviors and does not affect other devices in the VCMP management domain. It can be used to isolate the VCMP management domain.

After receiving a VCMP message, Silent directly discards it instead of forwarding it.

The creation and deletion of VLANs and the modification of VLAN names and descriptions on Silent are not affected by the Server and will not be propagated within the domain.
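The role rules above, modelled as a small Python simulation. This is an added example, not code from the original article or from Huawei. AGG and ACC1 to ACC3 follow the configuration example later on this page; LAB, FAR and HID are hypothetical, and the rule that a client relays messages to its neighbours is an assumption the page does not state.

```python
from collections import deque

class Switch:
    def __init__(self, name, role, domain=None, vlans=(1,)):
        self.name, self.role, self.domain = name, role, domain
        self.vlans, self.links = set(vlans), []   # links: Trunk/Hybrid neighbours

def advertise(server):
    """Flood the server's VLAN set through the topology; return who synced."""
    synced, seen, queue = [], {server.name}, deque(server.links)
    while queue:
        sw = queue.popleft()
        if sw.name in seen:
            continue
        seen.add(sw.name)
        if sw.role == "client" and sw.domain == server.domain:
            sw.vlans = set(server.vlans)      # local VLAN edits are overwritten
            synced.append(sw.name)
        elif sw.role != "transparent":
            continue    # Silent discards; a client of another domain ignores it
        queue.extend(sw.links)                # assumption: clients relay onward
    return synced

def build_branch():
    """AGG/ACC1-ACC3 as in the page's example; LAB, FAR, HID are hypothetical."""
    spec = [("AGG", "server", "vd1", (1,)), ("ACC1", "silent", None, (1,)),
            ("ACC2", "client", "vd1", (1, 99)),      # 99 = local edit on a client
            ("ACC3", "client", "vd1", (1,)),
            ("LAB", "transparent", None, (1, 50)),   # keeps its own VLANs
            ("FAR", "client", "vd1", (1,)),          # behind the Transparent
            ("HID", "client", "vd1", (1,))]          # behind the Silent
    net = {n: Switch(n, r, d, v) for n, r, d, v in spec}
    for a, b in [("AGG", "ACC1"), ("AGG", "ACC2"), ("AGG", "ACC3"),
                 ("ACC3", "LAB"), ("LAB", "FAR"), ("ACC1", "HID")]:
        net[a].links.append(net[b])
        net[b].links.append(net[a])
    return net

def run():
    net = build_branch()
    net["AGG"].vlans.add(10)                  # "vlan 10" created on the server
    synced = advertise(net["AGG"])
    return synced, {n: sorted(s.vlans) for n, s in net.items()}

if __name__ == "__main__":
    print(run())
```

The Silent switch isolates everything behind it (HID never syncs), while the Transparent switch keeps its own VLANs and still lets FAR synchronize.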

Configuration Examples

The branch network of an enterprise is a Layer 2 network, with SW1 as its aggregation switch and SW2 to SW3 as access switches, of which SW2 is used for external visitor access. As the branch grows, network administrators have to configure and maintain a large amount of VLAN information on each switch, which is laborious and error-prone. The administrator therefore wants to reduce the VLAN configuration and maintenance workload. At the same time, external visitors' access to the branch network must be restricted, so the administrator wants the VLANs on SW2 to be configured and maintained independently.

Configuration Roadmap

VCMP can be deployed in this enterprise branch network: the aggregation switch AGG is set as the Server, and the access switches ACC2 and ACC3 are set as Clients. To prevent ACC1 from being managed by VCMP, it is set as Silent. In this way, you only need to modify the VLAN information on AGG, and the information will be automatically sent to ACC1 to ACC3 in the branch network. ACC2 and ACC3 automatically synchronize the VLAN information on AGG, while ACC1 is not affected by VCMP. This reduces the workload of modifying the same VLAN information on multiple switches and keeps the VLANs on ACC1 independent.

At the same time, to avoid the trouble of manually setting the link type, configure automatic negotiation of the link type through LNP.

The configuration roadmap is as follows:

  • Configure LNP to implement automatic link type negotiation and simplify user configuration.
  • Assign roles to each device to determine the VCMP management scope and management and managed objects.
  • Configure VCMP parameters on the server and client devices, including the authentication password and device ID, to ensure secure communication and identity recognition between the server and client.
  • Enable VCMP to make the VCMP function take effect.

Procedure

1. Configure automatic negotiation of link type through LNP.

Enable link type auto-negotiation on the interfaces. The configuration of ACC1, ACC2, and ACC3 is similar to that of AGG and is omitted here.

    [AGG] interface GigabitEthernet 1/0/1
    [AGG-GigabitEthernet1/0/1] undo port negotiation disable
    [AGG-GigabitEthernet1/0/1] port link-type negotiation-desirable
    [AGG-GigabitEthernet1/0/1] quit
    [AGG] interface GigabitEthernet 1/0/2
    [AGG-GigabitEthernet1/0/2] undo port negotiation disable
    [AGG-GigabitEthernet1/0/2] port link-type negotiation-desirable
    [AGG-GigabitEthernet1/0/2] quit
    [AGG] interface GigabitEthernet 1/0/3
    [AGG-GigabitEthernet1/0/3] undo port negotiation disable
    [AGG-GigabitEthernet1/0/3] port link-type negotiation-desirable
    [AGG-GigabitEthernet1/0/3] quit

2. Specify the role of each device

# Configure the AGG role as Server.

    [AGG] vcmp role server

# Configure the role of ACC1 as Silent.

    [ACC1] vcmp role silent

# Configure the role of ACC2 as Client.

    [ACC2] vcmp role client

# Configure the role of ACC3 as Client.

    [ACC3] vcmp role client

3. Configuring VCMP parameters on the server and client

# Configure the VCMP management domain, device ID, and authentication password on the AGG.

    [AGG] vcmp domain vd1
    [AGG] vcmp device-id server
    [AGG] vcmp authentication sha2-256 password Hello

# Configure the VCMP management domain and authentication password on ACC2.

    [ACC2] vcmp domain vd1
    [ACC2] vcmp authentication sha2-256 password Hello

# Configure the VCMP management domain and authentication password on ACC3.

    [ACC3] vcmp domain vd1
    [ACC3] vcmp authentication sha2-256 password Hello

4. Enabling VCMP

By default, VCMP is enabled on the interface and does not need to be enabled again. However, to prevent VCMP packets from affecting PC terminals, you can disable VCMP on the interface that connects the client to the PC terminal.

    [ACC2] interface GigabitEthernet 1/0/2
    [ACC2-GigabitEthernet1/0/2] vcmp disable
    [ACC2-GigabitEthernet1/0/2] quit
    [ACC3] interface GigabitEthernet 1/0/2
    [ACC3-GigabitEthernet1/0/2] vcmp disable
    [ACC3-GigabitEthernet1/0/2] quit

5. Verifying the configuration

After the above configuration is complete, run the display vcmp status command to view VCMP configuration information, including the VCMP management domain name, device role, device ID, configuration serial number, and domain password.

Take the output on AGG as an example:

    [AGG] display vcmp status
    VCMP information:
    Domain : vd1
    Role : Server
    Server ID : server
    Configuration Revision: 0x239c0000
    Password: ******

Run the vlan vlan-id command on AGG to create VLAN 10. Run the display vlan summary command on ACC1 to ACC3 respectively, and you can see that ACC2 and ACC3 have synchronized the VLAN information on AGG, but ACC1 has not synchronized the VLAN information on AGG.

    [AGG] vlan 10
    [AGG-vlan10] quit
    [AGG] display vlan summary
    Static vlan:
    Total 2 static vlan.
    1 10
    Dynamic vlan:
    Total 0 dynamic vlan.
    Reserved vlan:
    Total 0 reserved vlans.

View on ACC1

    [ACC1] display vlan summary
    Static vlan:
    Total 1 static vlan.
    1
    Dynamic vlan:
    Total 0 dynamic vlan.
    Reserved vlan:
    Total 0 reserved vlan

View on ACC2

    [ACC2] display vlan summary
    Static vlan:
    Total 2 static vlan.
    1 10
    Dynamic vlan:
    Total 0 dynamic vlan.
    Reserved vlan:
    Total 0 reserved vlans.

View on ACC3

    [ACC3] display vlan summary
    Static vlan:
    Total 2 static vlan.
    1 10
    Dynamic vlan:
    Total 0 dynamic vlan.
    Reserved vlan:
    Total 0 reserved vlans.
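A static check over the commands from steps 2 to 4, as an added example that is not part of the original article and not a Huawei tool: it reports managed devices without authentication, differing authentication inside a domain, a domain without exactly one server, and PC-facing ports where VCMP is still enabled. The transcript is constructed (ACC3 is deliberately left incomplete), the 12-character minimum is an assumed local policy, and device names are assumed to contain no hyphen.

```python
import re
from collections import defaultdict
# "[DEV] cmd" or "[DEV-Interface] cmd"; assumes no hyphen in device names.
PROMPT = re.compile(r"^[ \t]*\[([^\]-]+)(?:-([^\]]+))?\][ \t]*(.+)$", re.M)

def parse(transcript):
    """Collect VCMP settings per device from prompt-style command lines."""
    devs = defaultdict(lambda: dict(role=None, domain=None, auth=None, off=set()))
    for m in PROMPT.finditer(transcript):
        dev, iface, cmd = devs[m[1]], m[2], m[3].split()
        if len(cmd) == 3 and cmd[0] == "vcmp" and cmd[1] in ("role", "domain"):
            dev[cmd[1]] = cmd[2]
        elif len(cmd) == 5 and cmd[:2] == ["vcmp", "authentication"]:
            dev["auth"] = (cmd[2], cmd[4])        # (algorithm, password)
        elif cmd == ["vcmp", "disable"] and iface:
            dev["off"].add(iface)                 # VCMP disabled on this port
    return devs

def audit(devs, pc_ports, min_len=12):
    """pc_ports: device -> PC-facing ports; min_len: assumed local policy."""
    out, by_domain = [], defaultdict(list)
    for name, d in devs.items():
        if d["role"] in ("server", "client"):     # Silent/Transparent unmanaged
            by_domain[d["domain"]].append(name)
            if d["auth"] is None:
                out.append(f"{name}: no VCMP authentication")
            elif len(d["auth"][1]) < min_len:
                out.append(f"{name}: password shorter than {min_len}")
    for dom, names in by_domain.items():
        servers = [n for n in names if devs[n]["role"] == "server"]
        if len(servers) != 1:
            out.append(f"domain {dom}: {len(servers)} servers, expected 1")
        if len({devs[n]["auth"] for n in names}) > 1:
            out.append(f"domain {dom}: authentication differs")
    for name, ports in pc_ports.items():
        for port in sorted(set(ports) - devs[name]["off"]):
            out.append(f"{name} {port}: VCMP enabled on PC-facing port")
    return out

SAMPLE = """\
[AGG] vcmp role server
[AGG] vcmp domain vd1
[AGG] vcmp authentication sha2-256 password Hello
[ACC1] vcmp role silent
[ACC2] vcmp role client
[ACC2] vcmp domain vd1
[ACC2] vcmp authentication sha2-256 password Hello
[ACC2-GigabitEthernet1/0/2] vcmp disable
[ACC3] vcmp role client
[ACC3] vcmp domain vd1"""
```

Call `audit(parse(SAMPLE), {"ACC2": ["GigabitEthernet1/0/2"], "ACC3": ["GigabitEthernet1/0/2"]})` to get the list of findings; the list of PC-facing ports has to come from the auditor, since the commands alone do not say which ports connect to terminals.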
