
Creating a Virtual System and Allocating Resources

This section describes how to create a virtual system and allocate resources to it.

Context

A resource class must be specified for a virtual system so that resources, such as policy and concurrent session quotas, can be allocated to it.

In addition, public IP addresses, interfaces and VLANs must be allocated as required after a virtual system has been added.

Procedure

  1. Optional: Set the public interface in the interface view.

    In cross-virtual system forwarding, the Virtual-if interface is a public interface by default.

    set public-interface

    When you configure bandwidth management, you need to set an interface as the public interface in the public system to collect traffic statistics of virtual systems and then assign the interface to virtual systems.

    After the configuration is complete, traffic entering virtual systems through this interface is inbound traffic, and traffic exiting virtual systems through this interface is outbound traffic. If a virtual system has multiple public interfaces, the traffic entering and exiting the virtual system through all of these public interfaces makes up its total traffic.

  2. In the system view, create a virtual system and access the management view of the virtual system.

    vsys name vsys-name

  3. Optional: Configure the description of a virtual system.

    description description

    The description must clearly indicate the function of the virtual system so that virtual systems can be easily searched for.

  4. Bind a resource class to the virtual system.

    assign resource-class resource-class-name

  5. Allocate a public IP address, interface, or VLAN to the added virtual system.
    • Allocate a public IP address to the added virtual system.

      assign global-ip start-address end-address { exclusive | free }

      Source NAT, NAT Server, or NAT64 configured in a virtual system requires public IP addresses.

      After a public IP address is assigned in exclusive or free mode to a virtual system, the public system cannot use the address any more.

    • Allocate an interface to the added virtual system.

      assign interface interface-type interface-number

      The interface must be an available Layer-3 Ethernet interface, Layer-3 Ethernet subinterface, Layer-3 Eth-Trunk interface, Layer-3 Eth-Trunk subinterface, Tunnel interface, WAN interface, Loopback interface, or Virtual-Template interface.

      The management interface cannot be assigned to a virtual system.

      You cannot directly configure VT interfaces for virtual systems. Instead, you can bind resources to virtual systems. To be specific, configure a VT interface in the root system and run the assign interface command in the virtual system administrator view to bind the VT interface to the virtual system. A maximum of 10 VT interfaces can be bound to a virtual system.

    • Allocate a VLAN to the added virtual system.

      assign vlan vlan-id

      The VLANIF interface corresponding to the VLAN is also assigned to the virtual system.

      In a QinQ traffic diversion scenario, to implement traffic distribution based on inner VLANs, run the firewall transparent vsys-binding inside-vlan enable command to enable the function of allocating virtual systems based on inner VLANs of QinQ packets in Layer 2 transparent transmission scenarios, and then allocate inner VLANs to virtual systems.

    • Allocate a VNI to the added virtual system.

      assign vni vni-id

      The Vbdif interface corresponding to the VNI is also assigned to the virtual system.

  6. Optional: Configure usage permissions of content security features (antivirus, intrusion prevention, and URL filtering) for the virtual system based on service operation requirements.

    To configure usage permissions of a feature for the virtual system, the administrator that logs in to the root system must have the read and write permissions of this feature.

    • Enable the antivirus function.

      assign function av

      By default, this function is enabled.

      You can use the undo assign function av command to disable the antivirus function for the virtual system. After you disable this function, configurations related to the antivirus profile in the virtual system become invalid. However, the system retains all configuration information. You can delete the existing antivirus profile but not the default profile. In addition, you can no longer add, copy, or modify an antivirus profile.

    • Enable the intrusion prevention function.

      assign function ips

      By default, this function is enabled.

      You can use the undo assign function ips command to disable the intrusion prevention function for the virtual system. After you disable this function, configurations related to the intrusion prevention profile in the virtual system become invalid. However, the system retains all configuration information. You can delete the existing intrusion prevention profile but not the default profile. In addition, you can no longer add, copy, or modify an intrusion prevention profile.

    • Enable the URL filtering function.

      assign function url-filter

      By default, this function is enabled.

      You can use the undo assign function url-filter command to disable the URL filtering function for the virtual system. After you disable this function, configurations related to the URL filtering profile in the virtual system become invalid. However, the system retains all configuration information. You can delete the existing URL filtering profile but not the default profile. In addition, you can no longer add, copy, or modify a URL filtering profile. URL category related configurations are not affected. You can continue to perform URL category related configurations, such as adding and modifying a URL category or adding URLs to a URL category.

      After the usage permission of URL filtering is configured for the virtual system, the virtual system can also obtain the usage permission of the DNS filtering function.

  7. Optional: Set a guaranteed value for the log buffer on a virtual system.

    assign logbuffer reserved-size reserved-size-value

    By default, the guaranteed value of a log buffer on a virtual system is not set, indicating that the log buffer size of a virtual system is not guaranteed.

    The configured guaranteed value takes effect for both system logs and service logs. Based on the guaranteed value, the device assigns log buffer resources that cannot be preempted for system logs and service logs for the virtual system. These resources are exclusive to the virtual system.

  8. Save the current configuration in the user view.

    save [ configuration-file ]

    You are advised to save the current configuration after the virtual system is created.
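
The constraints stated in the procedure can be checked against a change plan before it is pushed to the device. The following is an added example, not Huawei code: it audits a constructed plan written with the commands above. The one-command-per-line plan layout, the management interface name GigabitEthernet 0/0/0, and the vsys-a, vsys-b and rc-gold names are assumptions.

```python
import re

MGMT_IF = "GigabitEthernet 0/0/0"  # assumption: this device's management interface
MAX_VT = 10  # from the page: at most 10 VT interfaces per virtual system
FEATURES = {"av": "antivirus", "ips": "intrusion prevention", "url-filter": "URL filtering"}

# Constructed change plan written with the commands from the procedure.
PLAN = """\
vsys name vsys-a
 assign resource-class rc-gold
 assign interface GigabitEthernet 1/0/1
 assign logbuffer reserved-size 100
vsys name vsys-b
 assign interface GigabitEthernet 0/0/0
 assign interface Virtual-Template 1
 undo assign function ips
"""

def audit(plan, mgmt_if=MGMT_IF):
    """Return {vsys-name: [findings]} for a plan of vsys commands."""
    state, cur = {}, None
    for cmd in (line.strip() for line in plan.splitlines()):
        if m := re.fullmatch(r"vsys name (\S+)", cmd):
            cur = state[m.group(1)] = {"rc": False, "log": False, "vt": 0, "out": []}
        elif cur is None:
            continue  # commands outside a vsys block are not audited
        elif cmd.startswith("assign resource-class "):
            cur["rc"] = True  # step 4: a resource class is bound
        elif cmd.startswith("assign logbuffer reserved-size "):
            cur["log"] = True  # step 7: log buffer cannot be preempted
        elif m := re.fullmatch(r"undo assign function (\S+)", cmd):
            cur["out"].append(f"{FEATURES.get(m.group(1), m.group(1))} disabled")
        elif m := re.fullmatch(r"assign interface (.+)", cmd):
            if m.group(1) == mgmt_if:
                cur["out"].append("management interface assigned")
            cur["vt"] += m.group(1).startswith("Virtual-Template")
    for s in state.values():
        if not s["rc"]:
            s["out"].append("no resource class bound")
        if not s["log"]:
            s["out"].append("log buffer not guaranteed")
        if s["vt"] > MAX_VT:
            s["out"].append(f"{s['vt']} VT interfaces (max {MAX_VT})")
    return {name: s["out"] for name, s in state.items()}

if __name__ == "__main__":
    print(audit(PLAN))
```

A virtual system with an empty findings list satisfies every check; a disabled content security function or an unguaranteed log buffer is reported so that it can be confirmed as intentional for that tenant.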

Follow-up Procedure

After configurations are complete, perform the following:

  • Run the display vsys [ verbose ] [ vsys-name ] command to view the configuration of the created virtual system.
  • Run the display resource resource-usage vsys vsys-name command to view the resources used by the virtual system.
  • Run the switch vsys vsys-name command in the system view to access the virtual system view and configure services on the virtual system.
  • Run the undo vsys name vsys-name command in the system view to delete a virtual system. All configurations of the deleted virtual system are cleared, and all resources allocated to the virtual system are reclaimed.
Copyright © Huawei Technologies Co., Ltd.